RubyGems - cloud-mu - Versions diffs - 3.5.0 → 3.6.3 - Mend

cloud-mu 3.5.0 → 3.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (245) hide show

checksums.yaml +4 -4
data/Berksfile +5 -2
data/Berksfile.lock +135 -0
data/ansible/roles/mu-base/README.md +33 -0
data/ansible/roles/mu-base/defaults/main.yml +2 -0
data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
data/ansible/roles/mu-base/files/check_apm.sh +18 -0
data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
data/ansible/roles/mu-base/files/logrotate.conf +35 -0
data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
data/ansible/roles/mu-base/handlers/main.yml +5 -0
data/ansible/roles/mu-base/meta/main.yml +53 -0
data/ansible/roles/mu-base/tasks/main.yml +113 -0
data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
data/ansible/roles/mu-base/tests/inventory +2 -0
data/ansible/roles/mu-base/tests/test.yml +5 -0
data/ansible/roles/mu-base/vars/main.yml +1 -0
data/ansible/roles/mu-compliance/README.md +33 -0
data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
data/ansible/roles/mu-compliance/meta/main.yml +53 -0
data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
data/ansible/roles/mu-compliance/tests/inventory +2 -0
data/ansible/roles/mu-compliance/tests/test.yml +5 -0
data/ansible/roles/mu-compliance/vars/main.yml +4 -0
data/ansible/roles/mu-elastic/README.md +51 -0
data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
data/ansible/roles/mu-elastic/files/jvm.options +93 -0
data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
data/ansible/roles/mu-elastic/meta/main.yml +52 -0
data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
data/ansible/roles/mu-elastic/tests/inventory +2 -0
data/ansible/roles/mu-elastic/tests/test.yml +5 -0
data/ansible/roles/mu-elastic/vars/main.yml +2 -0
data/ansible/roles/mu-logstash/README.md +51 -0
data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
data/ansible/roles/mu-logstash/files/jvm.options +84 -0
data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
data/ansible/roles/mu-logstash/meta/main.yml +52 -0
data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
data/ansible/roles/mu-logstash/tests/inventory +2 -0
data/ansible/roles/mu-logstash/tests/test.yml +5 -0
data/ansible/roles/mu-logstash/vars/main.yml +2 -0
data/ansible/roles/mu-rdp/README.md +33 -0
data/ansible/roles/mu-rdp/meta/main.yml +53 -0
data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
data/ansible/roles/mu-rdp/tests/inventory +2 -0
data/ansible/roles/mu-rdp/tests/test.yml +5 -0
data/ansible/roles/mu-windows/tasks/main.yml +3 -0
data/bin/mu-ansible-secret +1 -1
data/bin/mu-aws-setup +4 -3
data/bin/mu-azure-setup +5 -5
data/bin/mu-configure +25 -17
data/bin/mu-firewall-allow-clients +1 -0
data/bin/mu-gcp-setup +3 -3
data/bin/mu-load-config.rb +1 -0
data/bin/mu-node-manage +66 -33
data/bin/mu-self-update +2 -2
data/bin/mu-upload-chef-artifacts +6 -1
data/bin/mu-user-manage +1 -1
data/cloud-mu.gemspec +25 -23
data/cookbooks/firewall/CHANGELOG.md +417 -224
data/cookbooks/firewall/LICENSE +202 -0
data/cookbooks/firewall/README.md +153 -126
data/cookbooks/firewall/TODO.md +6 -0
data/cookbooks/firewall/attributes/firewalld.rb +7 -0
data/cookbooks/firewall/attributes/iptables.rb +3 -3
data/cookbooks/firewall/chefignore +115 -0
data/cookbooks/firewall/libraries/helpers.rb +5 -0
data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
data/cookbooks/firewall/metadata.json +40 -1
data/cookbooks/firewall/metadata.rb +15 -0
data/cookbooks/firewall/recipes/default.rb +7 -7
data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
data/cookbooks/firewall/recipes/firewalld.rb +87 -0
data/cookbooks/firewall/renovate.json +18 -0
data/cookbooks/firewall/resources/firewalld.rb +28 -0
data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
data/cookbooks/firewall/resources/nftables.rb +71 -0
data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
data/cookbooks/mu-activedirectory/Berksfile +1 -1
data/cookbooks/mu-activedirectory/metadata.rb +1 -1
data/cookbooks/mu-firewall/metadata.rb +2 -2
data/cookbooks/mu-master/Berksfile +4 -3
data/cookbooks/mu-master/attributes/default.rb +5 -2
data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
data/cookbooks/mu-master/libraries/mu.rb +24 -0
data/cookbooks/mu-master/metadata.rb +5 -5
data/cookbooks/mu-master/recipes/default.rb +31 -20
data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
data/cookbooks/mu-master/recipes/init.rb +58 -19
data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
data/cookbooks/mu-php54/Berksfile +1 -1
data/cookbooks/mu-php54/metadata.rb +2 -2
data/cookbooks/mu-tools/Berksfile +2 -3
data/cookbooks/mu-tools/attributes/default.rb +3 -4
data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
data/cookbooks/mu-tools/libraries/helper.rb +21 -9
data/cookbooks/mu-tools/metadata.rb +4 -4
data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
data/data_bags/nagios_services/apm_backend_connect.json +5 -0
data/data_bags/nagios_services/apm_listen.json +5 -0
data/data_bags/nagios_services/elastic_shards.json +5 -0
data/data_bags/nagios_services/logstash.json +5 -0
data/data_bags/nagios_services/rhel7_updates.json +8 -0
data/extras/image-generators/AWS/centos7.yaml +1 -0
data/extras/image-generators/AWS/rhel7.yaml +21 -0
data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
data/extras/image-generators/AWS/win2k16.yaml +1 -0
data/extras/image-generators/AWS/win2k19.yaml +1 -0
data/extras/list-stock-amis +0 -0
data/extras/ruby_rpm/muby.spec +8 -5
data/extras/vault_tools/export_vaults.sh +1 -1
data/extras/vault_tools/recreate_vaults.sh +0 -0
data/extras/vault_tools/test_vaults.sh +0 -0
data/install/deprecated-bash-library.sh +1 -1
data/install/installer +4 -2
data/modules/mommacat.ru +3 -1
data/modules/mu/adoption.rb +1 -1
data/modules/mu/cloud/dnszone.rb +2 -2
data/modules/mu/cloud/machine_images.rb +26 -25
data/modules/mu/cloud/resource_base.rb +213 -182
data/modules/mu/cloud/server_pool.rb +1 -1
data/modules/mu/cloud/ssh_sessions.rb +7 -5
data/modules/mu/cloud/wrappers.rb +2 -2
data/modules/mu/cloud.rb +1 -1
data/modules/mu/config/bucket.rb +1 -1
data/modules/mu/config/function.rb +6 -1
data/modules/mu/config/loadbalancer.rb +24 -2
data/modules/mu/config/ref.rb +12 -0
data/modules/mu/config/role.rb +1 -1
data/modules/mu/config/schema_helpers.rb +42 -9
data/modules/mu/config/server.rb +43 -27
data/modules/mu/config/tail.rb +19 -10
data/modules/mu/config.rb +6 -5
data/modules/mu/defaults/AWS.yaml +78 -114
data/modules/mu/deploy.rb +9 -2
data/modules/mu/groomer.rb +12 -4
data/modules/mu/groomers/ansible.rb +104 -20
data/modules/mu/groomers/chef.rb +15 -6
data/modules/mu/master.rb +9 -4
data/modules/mu/mommacat/daemon.rb +4 -2
data/modules/mu/mommacat/naming.rb +1 -2
data/modules/mu/mommacat/storage.rb +7 -2
data/modules/mu/mommacat.rb +33 -6
data/modules/mu/providers/aws/database.rb +161 -8
data/modules/mu/providers/aws/dnszone.rb +11 -6
data/modules/mu/providers/aws/endpoint.rb +81 -6
data/modules/mu/providers/aws/firewall_rule.rb +254 -172
data/modules/mu/providers/aws/function.rb +65 -3
data/modules/mu/providers/aws/loadbalancer.rb +39 -28
data/modules/mu/providers/aws/log.rb +2 -1
data/modules/mu/providers/aws/role.rb +25 -7
data/modules/mu/providers/aws/server.rb +36 -12
data/modules/mu/providers/aws/server_pool.rb +237 -127
data/modules/mu/providers/aws/storage_pool.rb +7 -1
data/modules/mu/providers/aws/user.rb +1 -1
data/modules/mu/providers/aws/userdata/linux.erb +6 -2
data/modules/mu/providers/aws/userdata/windows.erb +7 -5
data/modules/mu/providers/aws/vpc.rb +49 -25
data/modules/mu/providers/aws.rb +13 -8
data/modules/mu/providers/azure/container_cluster.rb +1 -1
data/modules/mu/providers/azure/loadbalancer.rb +2 -2
data/modules/mu/providers/azure/server.rb +5 -2
data/modules/mu/providers/azure/userdata/linux.erb +1 -1
data/modules/mu/providers/azure.rb +11 -8
data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
data/modules/mu/providers/google/container_cluster.rb +15 -2
data/modules/mu/providers/google/folder.rb +2 -1
data/modules/mu/providers/google/function.rb +130 -4
data/modules/mu/providers/google/habitat.rb +2 -1
data/modules/mu/providers/google/loadbalancer.rb +407 -160
data/modules/mu/providers/google/role.rb +16 -3
data/modules/mu/providers/google/server.rb +5 -1
data/modules/mu/providers/google/user.rb +25 -18
data/modules/mu/providers/google/userdata/linux.erb +1 -1
data/modules/mu/providers/google/vpc.rb +53 -7
data/modules/mu/providers/google.rb +39 -39
data/modules/mu.rb +8 -8
data/modules/tests/elk.yaml +46 -0
data/test/mu-master-test/controls/all_in_one.rb +1 -1
metadata +207 -112
data/cookbooks/firewall/CONTRIBUTING.md +0 -2
data/cookbooks/firewall/MAINTAINERS.md +0 -19
data/cookbooks/firewall/libraries/matchers.rb +0 -30
data/extras/image-generators/AWS/rhel71.yaml +0 -17

data/cookbooks/mu-master/recipes/update_nagios_only.rb CHANGED Viewed

@@ -16,227 +16,300 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-include_recipe "mu-nagios::server_source"
-include_recipe "mu-nagios"
+include_recipe "nagios::server_source"
+include_recipe "nagios"
 include_recipe 'mu-master::firewall-holes'
-if $MU_CFG.has_key?('ldap')
-  include_recipe 'chef-vault'
-  bind_creds = chef_vault_item($MU_CFG['ldap']['bind_creds']['vault'], $MU_CFG['ldap']['bind_creds']['item'])
-  node.normal['nagios']['server_auth_method'] = "ldap"
-  node.normal['nagios']['ldap_bind_dn'] = bind_creds[$MU_CFG['ldap']['bind_creds']['username_field']]
-  node.normal['nagios']['ldap_bind_password'] = bind_creds[$MU_CFG['ldap']['bind_creds']['password_field']]
-  if $MU_CFG['ldap']['type'] == "Active Directory"
-    node.normal['nagios']['ldap_url'] = "ldap://#{$MU_CFG['ldap']['dcs'].first}/#{$MU_CFG['ldap']['base_dn']}?sAMAccountName?sub?(objectClass=*)"
-  else
-    node.normal['nagios']['ldap_url'] = "ldap://#{$MU_CFG['ldap']['dcs'].first}/#{$MU_CFG['ldap']['base_dn']}?uid?sub?(objectClass=*)"
-    node.normal['nagios']['ldap_group_attribute'] = "memberUid"
-    node.normal['nagios']['ldap_group_attribute_is_dn'] = "Off"
-# Trying to use SSL seems to cause mod_ldap to die without logging any errors,
-# currently. Probably an Apache bug? XXX
-#    node.normal['nagios'][:ldap_trusted_global_cert] = "CA_BASE64 #{$MU_CFG['ssl']['chain']}"
-#    node.normal['nagios'][:ldap_trusted_mode] = "SSL"
-  end
-  node.normal['nagios']['server_auth_require'] = "ldap-group #{$MU_CFG['ldap']['user_group_dn']}"
-  node.normal['nagios']['ldap_authoritative'] = "On"
-  node.save
-end
+log "#{node['recipes']}"
-# XXX The Nagios init script from source is buggy; config test always fails
-# when invoked via "service nagios start," which is what the cookbook does.
-# This at least keeps it from trashing our Chef runs.
-file "/etc/sysconfig/nagios" do
-  content "checkconfig=\"false\"\n"
-  mode 0600
+# Define this so it's present for solo runs of this recipe
+if !node['recipes'].include?("mu-master::default") or node['update_nagios_only']
+  service 'apache2' do
+    extend Apache2::Cookbook::Helpers
+    service_name lazy { apache_platform_service_name }
+    supports restart: true, status: true, reload: true
+    action :enable
+  end
 end
-include_recipe "mu-nagios"
-# scrub our old stuff if it's around
-["nagios_fifo", "nagios_more_selinux"].each { |policy|
-  execute "/usr/sbin/semodule -r #{policy}" do
-    only_if "/usr/sbin/semodule -l | egrep '^#{policy}(\t|$)'"
+if $MU_CFG['disable_nagios']
+  log "Ignoring Nagios setup per Mu config"
+else
+  if $MU_CFG.has_key?('ldap')
+    include_recipe 'chef-vault'
+    bind_creds = chef_vault_item($MU_CFG['ldap']['bind_creds']['vault'], $MU_CFG['ldap']['bind_creds']['item'])
+    node.normal['nagios']['server_auth_method'] = "ldap"
+    node.normal['nagios']['ldap_bind_dn'] = bind_creds[$MU_CFG['ldap']['bind_creds']['username_field']]
+    node.normal['nagios']['ldap_bind_password'] = bind_creds[$MU_CFG['ldap']['bind_creds']['password_field']]
+    if $MU_CFG['ldap']['type'] == "Active Directory"
+      node.normal['nagios']['ldap_url'] = "ldap://#{$MU_CFG['ldap']['dcs'].first}/#{$MU_CFG['ldap']['base_dn']}?sAMAccountName?sub?(objectClass=*)"
+    else
+      node.normal['nagios']['ldap_url'] = "ldap://#{$MU_CFG['ldap']['dcs'].first}/#{$MU_CFG['ldap']['base_dn']}?uid?sub?(objectClass=*)"
+      node.normal['nagios']['ldap_group_attribute'] = "memberUid"
+      node.normal['nagios']['ldap_group_attribute_is_dn'] = "Off"
+  # Trying to use SSL seems to cause mod_ldap to die without logging any errors,
+  # currently. Probably an Apache bug? XXX
+  #    node.normal['nagios'][:ldap_trusted_global_cert] = "CA_BASE64 #{$MU_CFG['ssl']['chain']}"
+  #    node.normal['nagios'][:ldap_trusted_mode] = "SSL"
+    end
+    node.normal['nagios']['server_auth_require'] = "ldap-group #{$MU_CFG['ldap']['user_group_dn']}"
+    node.normal['nagios']['ldap_authoritative'] = "On"
+    node.save
+  end
+  # XXX The Nagios init script from source is buggy; config test always fails
+  # when invoked via "service nagios start," which is what the cookbook does.
+  # This at least keeps it from trashing our Chef runs.
+  file "/etc/sysconfig/nagios" do
+    content "checkconfig=\"false\"\n"
+    mode 0600
   end
-}
+  include_recipe "nagios"
-nagios_policies = ["nagios_selinux"]
+  # scrub our old stuff if it's around
+  ["nagios_fifo", "nagios_more_selinux"].each { |policy|
+    execute "/usr/sbin/semodule -r #{policy}" do
+      only_if "/usr/sbin/semodule -l | egrep '^#{policy}(\t|$)'"
+    end
+  }
-if platform_family?("rhel") and node['platform_version'].to_i == 7
-  nagios_policies << "nagios_selinux_7"
-end
+  nagios_policies = ["nagios_selinux"]
-# Restart Nagios inelegantly, because the standard service resource doesn't
-# seem to work reliably on CentOS 7 or RHEL 7. May be an issue with the nagios
-# community cookbook? Maybe it doesn't do systemctl correctly?
-bash "RHEL7-family Nagios restart" do
-  code <<-EOH
-    /bin/systemctl stop nagios.service
-    /bin/pkill -u nagios
-    /bin/rm -f /var/run/nagios/nagios.pid
-    /bin/systemctl start nagios.service
-  EOH
-  action :nothing
-end
+  if platform_family?("rhel") and node['platform_version'].to_i == 7
+    nagios_policies << "nagios_selinux_7"
+  end
-nagios_policies.each { |policy|
-  execute "/usr/sbin/semodule -r #{policy}" do
+  # Restart Nagios inelegantly, because the standard service resource doesn't
+  # seem to work reliably on CentOS 7 or RHEL 7. May be an issue with the nagios
+  # community cookbook? Maybe it doesn't do systemctl correctly?
+  bash "RHEL7-family Nagios restart" do
+    code <<-EOH
+      /bin/systemctl stop nagios.service
+      /bin/pkill -u nagios
+      /bin/rm -f /var/run/nagios/nagios.pid
+      /bin/systemctl start nagios.service
+    EOH
     action :nothing
-    only_if "/usr/sbin/semodule -l | egrep '^#{policy}(\t|$)'"
   end
-  cookbook_file "#{policy}.pp" do
-    path "#{Chef::Config[:file_cache_path]}/#{policy}.pp"
-    notifies :run, "execute[/usr/sbin/semodule -r #{policy}]", :immediately
+  nagios_policies.each { |policy|
+    execute "/usr/sbin/semodule -r #{policy}" do
+      action :nothing
+      only_if "/usr/sbin/semodule -l | egrep '^#{policy}(\t|$)'"
+    end
+    cookbook_file "#{policy}.pp" do
+      path "#{Chef::Config[:file_cache_path]}/#{policy}.pp"
+      notifies :run, "execute[/usr/sbin/semodule -r #{policy}]", :immediately
+    end
+    execute "Add Nagios-related SELinux policies: #{policy}" do
+      command "/usr/sbin/semodule -i #{policy}.pp"
+      cwd Chef::Config[:file_cache_path]
+      not_if "/usr/sbin/semodule -l | egrep '^#{policy}(\t|$)'"
+      notifies :reload, "service[apache2]", :delayed
+      notifies :restart, "service[nrpe]", :delayed
+      if platform_family?("rhel") and node['platform_version'].to_i >= 7
+        notifies :run, "bash[RHEL7-family Nagios restart]", :delayed
+      else
+        notifies :reload, "service[nagios]", :delayed
+      end
+    end
+  }
+  # Workaround for minor Nagios (cookbook?) bug. It looks for this at the wrong
+  # URL at the moment, so copy it where it's actually looking.
+  if File.exist?("/usr/lib/cgi-bin/nagios/statusjson.cgi")
+    remote_file "/usr/lib/cgi-bin/statusjson.cgi" do
+      source "file:///usr/lib/cgi-bin/nagios/statusjson.cgi"
+      mode 0755
+      owner "root"
+      group "nagios"
+    end
   end
-  execute "Add Nagios-related SELinux policies: #{policy}" do
-    command "/usr/sbin/semodule -i #{policy}.pp"
-    cwd Chef::Config[:file_cache_path]
-    not_if "/usr/sbin/semodule -l | egrep '^#{policy}(\t|$)'"
-    notifies :reload, "service[apache2]", :delayed
-    notifies :restart, "service[nrpe]", :delayed
+  # ... the nagios cookbook is bafflingly inconsistent
+  directory "/usr/lib/cgi-bin/nagios" do
+    mode 0755
+    owner "root"
+    group "nagios"
+  end
+  Dir.glob("/usr/lib/cgi-bin/*.cgi").each { |script|
+    shortname = script.gsub(/.*?\/([^\/]+)$/, '\1')
+    remote_file "/usr/lib/cgi-bin/nagios/#{shortname}" do
+      source "file:///#{script}"
+      mode 0755
+      owner "root"
+      group "nagios"
+    end
+  }
+  # Fish up any non-Chef hosts, which otherwise won't appear in Chef's
+  # inventory, and tell Nagios about them.
+  non_chef = {}
+  baskets.each_pair { |deploy_id, basket|
+    if basket["servers"]
+      basket["servers"].each { |server|
+        next if server["groomer"] == "Chef"
+        next if server.has_key?("monitor") and !server["monitor"]
+        non_chef[deploy_id] ||= []
+        non_chef[deploy_id] << server
+      }
+    end
+    if basket["server_pools"]
+      basket["server_pools"].each { |pool|
+        next if pool["groomer"] == "Chef"
+        next if pool.has_key?("monitor") and !pool["monitor"]
+        non_chef[deploy_id] ||= []
+        non_chef[deploy_id] << pool
+      }
+    end
+  }
+  deploy_metadata = deployments()
+  non_chef.each_pair { |deploy_id, servers|
+    servers.each { |server_blob|
+      servername = server_blob["name"]
+      platform = server_blob["platform"] =~ /^win/ ? "windows" : "linux"
+      deploy_metadata[deploy_id]['servers'][servername].each_pair { |mu_name, server|
+        nagios_host mu_name do
+          options(
+            "hostgroups" => ([platform] + server["run_list"] + ["mu-node"] + [deploy_metadata[deploy_id]["environment"]]).join(","),
+            "address" => server["private_ip_address"]
+          )
+        end
+      }
+    }
+  }
+  ["/usr/lib/nagios", "/etc/nagios", "/etc/nagios3", "/var/www/html/docs"].each { |dir|
+    if Dir.exist?(dir)
+      execute "chcon -R -h -t httpd_sys_content_t #{dir}" do
+        not_if "ls -aZ #{dir} | grep ':httpd_sys_content_t:'"
+        returns [0, 1]
+        notifies :reload, "service[apache2]", :delayed
+      end
+    end
+  }
+  ["/usr/lib/cgi-bin"].each { |cgidir|
+    if Dir.exist?(cgidir)
+      execute "chcon -R -t httpd_sys_script_exec_t #{cgidir}" do
+        not_if "ls -aZ #{cgidir} | grep ':httpd_sys_script_exec_t:'"
+        notifies :reload, "service[apache2]", :delayed
+      end
+    end
+  }
+  if File.exist?("/usr/lib64/nagios/plugins/check_nagios")
+    execute "chcon -R -h system_u:object_r:nagios_unconfined_plugin_exec_t /usr/lib64/nagios/plugins/check_nagios" do
+      not_if "ls -aZ /usr/lib64/nagios/plugins/check_nagios | grep 'object_r:nagios_'"
+    end
+  end
+  # execute "chgrp apache /var/log/nagios"
+  ["/etc/nagios/conf.d/", "/etc/nagios/*.cfg", "/var/run/nagios.pid"].each { |dir|
+    execute "/sbin/restorecon -R #{dir}" do
+      not_if "ls -aZ #{dir} | grep ':nagios_etc_t:'"
+      only_if { ::File.exist?(dir) }
+    end
+  }
+  execute "/sbin/restorecon -R /var/log/nagios"
+  # The Nagios cookbook currently screws up this setting, so work around it.
+  execute "sed -i s/^interval_length=.*/interval_length=1/ || echo 'interval_length=1' >> /etc/nagios/nagios.cfg" do
+    not_if "grep '^interval_length=1$' /etc/nagios/nagios.cfg"
     if platform_family?("rhel") and node['platform_version'].to_i >= 7
       notifies :run, "bash[RHEL7-family Nagios restart]", :delayed
     else
       notifies :reload, "service[nagios]", :delayed
     end
   end
-}
-# Workaround for minor Nagios (cookbook?) bug. It looks for this at the wrong
-# URL at the moment, so copy it where it's actually looking.
-if File.exist?("/usr/lib/cgi-bin/nagios/statusjson.cgi")
-  remote_file "/usr/lib/cgi-bin/statusjson.cgi" do
-    source "file:///usr/lib/cgi-bin/nagios/statusjson.cgi"
+  package "nagios-plugins-nrpe"
+  package "nagios-plugins-disk"
+  include_recipe "mu-tools::nrpe"
+  cookbook_file "/usr/lib64/nagios/plugins/check_mem" do
+    source "check_mem.pl"
     mode 0755
     owner "root"
-    group "nagios"
+    notifies :restart, "service[nrpe]", :delayed
   end
-end
-# ... the nagios cookbook is bafflingly inconsistent
-directory "/usr/lib/cgi-bin/nagios" do
-  mode 0755
-  owner "root"
-  group "nagios"
-end
-Dir.glob("/usr/lib/cgi-bin/*.cgi").each { |script|
-  shortname = script.gsub(/.*?\/([^\/]+)$/, '\1')
-  remote_file "/usr/lib/cgi-bin/nagios/#{shortname}" do
-    source "file:///#{script}"
+  cookbook_file "/usr/lib64/nagios/plugins/check_elastic" do
+    source "check_elastic.sh"
     mode 0755
     owner "root"
-    group "nagios"
   end
-}
-["/usr/lib/nagios", "/etc/nagios", "/etc/nagios3", "/var/www/html/docs"].each { |dir|
-  if Dir.exist?(dir)
-    execute "chcon -R -h -t httpd_sys_content_t #{dir}" do
-      not_if "ls -aZ #{dir} | grep ':httpd_sys_content_t:'"
-      returns [0, 1]
-      notifies :reload, "service[apache2]", :delayed
-    end
+  cookbook_file "/usr/lib64/nagios/plugins/check_kibana" do
+    source "check_kibana.rb"
+    mode 0755
+    owner "root"
   end
-}
-["/usr/lib/cgi-bin"].each { |cgidir|
-  if Dir.exist?(cgidir)
-    execute "chcon -R -t httpd_sys_script_exec_t #{cgidir}" do
-      not_if "ls -aZ #{cgidir} | grep ':httpd_sys_script_exec_t:'"
-      notifies :reload, "service[apache2]", :delayed
-    end
-  end
-}
-if File.exist?("/usr/lib64/nagios/plugins/check_nagios")
-  execute "chcon -R -h system_u:object_r:nagios_unconfined_plugin_exec_t /usr/lib64/nagios/plugins/check_nagios" do
-    not_if "ls -aZ /usr/lib64/nagios/plugins/check_nagios | grep 'object_r:nagios_'"
+  nagios_command "check_elastic" do
+    options 'command_line' => %Q{$USER1$/check_elastic -H $HOSTADDRESS$ -t master -S -u $ARG1$ -p $ARG2$}
   end
-end
-# execute "chgrp apache /var/log/nagios"
-["/etc/nagios/conf.d/", "/etc/nagios/*.cfg", "/var/run/nagios.pid"].each { |dir|
-  execute "/sbin/restorecon -R #{dir}" do
-    not_if "ls -aZ #{dir} | grep ':nagios_etc_t:'"
-    only_if { ::File.exist?(dir) }
+  nagios_command "check_kibana" do
+    options 'command_line' => %Q{$USER1$/check_kibana -h $HOSTADDRESS$ -u $ARG1$ -p $ARG2$ --port $ARG3$ --basepath $ARG4$}
   end
-}
-execute "/sbin/restorecon -R /var/log/nagios"
-# The Nagios cookbook currently screws up this setting, so work around it.
-execute "sed -i s/^interval_length=.*/interval_length=1/ || echo 'interval_length=1' >> /etc/nagios/nagios.cfg" do
-  not_if "grep '^interval_length=1$' /etc/nagios/nagios.cfg"
-  if platform_family?("rhel") and node['platform_version'].to_i >= 7
-    notifies :run, "bash[RHEL7-family Nagios restart]", :delayed
-  else
-    notifies :reload, "service[nagios]", :delayed
+  file "/etc/sysconfig/nrpe" do
+    content "NRPE_SSL_OPT=\"\"\n"
   end
-end
-package "nagios-plugins-nrpe"
-package "nagios-plugins-disk"
-include_recipe "mu-tools::nrpe"
-cookbook_file "/usr/lib64/nagios/plugins/check_mem" do
-  source "check_mem.pl"
-  mode 0755
-  owner "root"
-  notifies :restart, "service[nrpe]", :delayed
-end
-file "/etc/sysconfig/nrpe" do
-  content "NRPE_SSL_OPT=\"\"\n"
-end
-#Sometimes doesn’t exist on the first run
-directory "/opt/mu/var/nagios_user_home" do
-  owner "nagios"
-	group "nagios"
-	mode 0700
-end
+  # Sometimes doesn't exist on the first run
+  directory "/opt/mu/var/nagios_user_home" do
+    owner "nagios"
+  	group "nagios"
+  	mode 0700
+  end
-directory "/opt/mu/var/nagios_user_home/.ssh" do
-  owner "nagios"
-	group "nagios"
-	mode 0711
-end
-file "/opt/mu/var/nagios_user_home/.ssh/known_hosts" do
-  owner "nagios"
-	group "nagios"
-	mode 0600
-end
-file "/opt/mu/var/nagios_user_home/.ssh/known_hosts2" do
-  owner "nagios"
-	group "nagios"
-	mode 0600
-end
+  directory "/opt/mu/var/nagios_user_home/.ssh" do
+    owner "nagios"
+  	group "nagios"
+  	mode 0711
+  end
+  file "/opt/mu/var/nagios_user_home/.ssh/known_hosts" do
+    owner "nagios"
+  	group "nagios"
+  	mode 0600
+  end
+  file "/opt/mu/var/nagios_user_home/.ssh/known_hosts2" do
+    owner "nagios"
+  	group "nagios"
+  	mode 0600
+  end
-nrpe_check "check_mem" do
-  command "#{node['nrpe']['plugin_dir']}/check_mem"
-  warning_condition '80'
-  critical_condition '95'
-  action :add
-end
+  nrpe_check "check_mem" do
+    command "#{node['nrpe']['plugin_dir']}/check_mem"
+    warning_condition '80'
+    critical_condition '95'
+    action :add
+  end
-nagios_command 'host_notify_by_email' do
-  options 'command_line' => '/usr/bin/printf "%b" "$LONGDATETIME$\n\n$HOSTALIAS$ $NOTIFICATIONTYPE$ $HOSTSTATE$ ('+$MU_CFG['hostname']+')\n\n$HOSTOUTPUT$\n\nLogin: ssh://$HOSTNAME$" | ' + node['nagios']['server']['mail_command'] + ' -s "$NOTIFICATIONTYPE$ - $HOSTALIAS$ $HOSTSTATE$! ('+$MU_CFG['hostname']+')" $CONTACTEMAIL$'
-end
+  nagios_command 'host_notify_by_email' do
+    options 'command_line' => '/usr/bin/printf "%b" "$LONGDATETIME$\n\n$HOSTALIAS$ $NOTIFICATIONTYPE$ $HOSTSTATE$ ('+$MU_CFG['hostname']+')\n\n$HOSTOUTPUT$\n\nLogin: ssh://$HOSTNAME$" | ' + node['nagios']['server']['mail_command'] + ' -s "$NOTIFICATIONTYPE$ - $HOSTALIAS$ $HOSTSTATE$! ('+$MU_CFG['hostname']+')" $CONTACTEMAIL$'
+  end
-nagios_command 'service_notify_by_email' do
-  options 'command_line' => '/usr/bin/printf "%b" "$LONGDATETIME$ - $SERVICEDESC$ $SERVICESTATE$ ('+$MU_CFG['hostname']+')\n\n$HOSTALIAS$  $NOTIFICATIONTYPE$\n\n$SERVICEOUTPUT$\n\nLogin: ssh://$HOSTNAME$" | ' + node['nagios']['server']['mail_command'] + ' -s "** $NOTIFICATIONTYPE$ - $HOSTALIAS$ - $SERVICEDESC$ - $SERVICESTATE$ ('+$MU_CFG['hostname']+')" $CONTACTEMAIL$'
-end
+  nagios_command 'service_notify_by_email' do
+    options 'command_line' => '/usr/bin/printf "%b" "$LONGDATETIME$ - $SERVICEDESC$ $SERVICESTATE$ ('+$MU_CFG['hostname']+')\n\n$HOSTALIAS$  $NOTIFICATIONTYPE$\n\n$SERVICEOUTPUT$\n\nLogin: ssh://$HOSTNAME$" | ' + node['nagios']['server']['mail_command'] + ' -s "** $NOTIFICATIONTYPE$ - $HOSTALIAS$ - $SERVICEDESC$ - $SERVICESTATE$ ('+$MU_CFG['hostname']+')" $CONTACTEMAIL$'
+  end
-nagios_command 'host_notify_by_sms_email' do
-  options 'command_line' => '/usr/bin/printf "%b" "$HOSTALIAS$ $NOTIFICATIONTYPE$ $HOSTSTATE$ ('+$MU_CFG['hostname']+')\n\n$HOSTOUTPUT$" | ' + node['nagios']['server']['mail_command'] + ' -s "$HOSTALIAS$ $HOSTSTATE$! ('+$MU_CFG['hostname']+')" $CONTACTPAGER$'
-end
+  nagios_command 'host_notify_by_sms_email' do
+    options 'command_line' => '/usr/bin/printf "%b" "$HOSTALIAS$ $NOTIFICATIONTYPE$ $HOSTSTATE$ ('+$MU_CFG['hostname']+')\n\n$HOSTOUTPUT$" | ' + node['nagios']['server']['mail_command'] + ' -s "$HOSTALIAS$ $HOSTSTATE$! ('+$MU_CFG['hostname']+')" $CONTACTPAGER$'
+  end
-nagios_command 'service_notify_by_sms_email' do
-  options 'command_line' => '/usr/bin/printf "%b" "$SERVICEDESC$ $NOTIFICATIONTYPE$ $SERVICESTATE$ ('+$MU_CFG['hostname']+')\n\n$SERVICEOUTPUT$" | ' + node['nagios']['server']['mail_command'] + ' -s "$HOSTALIAS$ $SERVICEDESC$ $SERVICESTATE$! ('+$MU_CFG['hostname']+')" $CONTACTPAGER$'
-end
+  nagios_command 'service_notify_by_sms_email' do
+    options 'command_line' => '/usr/bin/printf "%b" "$SERVICEDESC$ $NOTIFICATIONTYPE$ $SERVICESTATE$ ('+$MU_CFG['hostname']+')\n\n$SERVICEOUTPUT$" | ' + node['nagios']['server']['mail_command'] + ' -s "$HOSTALIAS$ $SERVICEDESC$ $SERVICESTATE$! ('+$MU_CFG['hostname']+')" $CONTACTPAGER$'
+  end
-execute "chgrp nrpe /etc/nagios/nrpe.d/*"
-execute "/sbin/restorecon /etc/nagios/nrpe.cfg" do
-  if platform_family?("rhel") and node['platform_version'].to_i >= 7
-    notifies :run, "bash[RHEL7-family Nagios restart]", :delayed
+  execute "chgrp nrpe /etc/nagios/nrpe.d/*"
+  execute "/sbin/restorecon /etc/nagios/nrpe.cfg" do
+    if platform_family?("rhel") and node['platform_version'].to_i >= 7
+      notifies :run, "bash[RHEL7-family Nagios restart]", :delayed
+    end
   end
+  include_recipe "mu-master::init" # gem permission fixes, mainly
 end
-include_recipe "mu-master::init" # gem permission fixes, mainly

data/cookbooks/mu-master/templates/default/nagios.conf.erb CHANGED Viewed

@@ -35,19 +35,13 @@
      SetHandler application/x-httpd-php
   </FilesMatch>
-<% if @https -%>
   SSLEngine On
-  SSLProtocol <%= node['nagios']['ssl_protocols'] %>
-<% if node['nagios']['ssl_ciphers'] != nil -%>
-  SSLCipherSuite <%= node['nagios']['ssl_ciphers'] %>
-<% end -%>
-  SSLCertificateFile <%= @ssl_cert_file %>
-<% if node['nagios']['ssl_cert_chain_file'] %>
-  SSLCertificateChainFile <%= node['nagios']['ssl_cert_chain_file'] %>
-<% end -%>
-  SSLCertificateKeyFile <%= @ssl_cert_key %>
+  SSLCertificateFile <%= $MU_CFG['ssl']['cert'] %>
+  SSLCertificateKeyFile <%= $MU_CFG['ssl']['key'] %>
+<% if $MU_CFG['ssl'].has_key?("chain") and !$MU_CFG['ssl']['chain'].empty? %>
+  SSLCertificateChainFile <%= $MU_CFG['ssl']['chain'] %>
+<% end %>
-<% end -%>
 <% case node['nagios']['server_auth_method'] -%>
 <% when "openid" -%>
   <Location />

data/cookbooks/mu-master/templates/default/web_app.conf.erb CHANGED Viewed

@@ -20,6 +20,9 @@
   ProxyPreserveHost on
   AllowEncodedSlashes off
+  SSLProxyCheckPeerName off
+  SSLProxyCheckPeerCN off
+  ProxyAddHeaders off
   # Scratchpad, the Mu secret-sharer
   ProxyPass /scratchpad https://localhost:<%= MU.mommaCatPort.to_s %>/scratchpad

data/cookbooks/mu-php54/Berksfile CHANGED Viewed

@@ -9,4 +9,4 @@ cookbook 'mu-utility'
 # Supermarket Cookbooks
 cookbook 'simple_iptables', '~> 0.8.0'
 cookbook 'mysql', '~> 8.5.1'
-cookbook 'yum-epel', '~> 3.2.0'
+cookbook 'yum-epel', '~> 5.0.8'

data/cookbooks/mu-php54/metadata.rb CHANGED Viewed

@@ -16,5 +16,5 @@ end
 depends 'mu-utility'
 depends 'simple_iptables', '~> 0.8.0'
 depends 'mysql', '~> 8.5.1'
-depends 'yum-epel', '~> 3.2.0'
-depends 'apache2', '< 6.0.0'
+depends 'yum-epel', '~> 5.0.8'
+depends 'apache2', '~> 9.0.3'

data/cookbooks/mu-tools/Berksfile CHANGED Viewed

@@ -4,19 +4,18 @@ source chef_repo: ".."
 metadata
 # Mu Cookbooks
-cookbook 'mu-nagios' , '~> 8.2.0', git: "https://github.com/cloudamatic/mu-nagios.git"
 cookbook "mu-utility"
 cookbook "mu-splunk"
 cookbook "mu-firewall"
 cookbook "mu-activedirectory"
 # Supermarket Cookbooks
+cookbook "nagios"
 cookbook "oracle-instantclient", '~> 1.1.0'
 cookbook "database", '~> 6.1.1'
 cookbook "postgresql", '~> 7.1.0'
 cookbook "java", '~> 2.2.0'
 cookbook "windows", '~> 5.1.1'
 cookbook "chef-vault", '~> 3.1.1'
-cookbook "poise-python", '~> 1.7.0'
-cookbook "yum-epel", '~> 3.2.0'
+cookbook "yum-epel", '~> 5.0.8'
 cookbook 'selinux', '~> 3.0.0'

data/cookbooks/mu-tools/attributes/default.rb CHANGED Viewed

@@ -141,10 +141,9 @@ default['application_attributes']['var_log_audit']['mount_directory'] = "/var/lo
 default['banner']['path'] = "etc/BANNER-FEDERAL"
 # firewalld support in the firewall cookbook is too stupid to breathe
-default['firewall']['redhat7_iptables'] = true
-#if node['platform'] == 'amazon'
-#  override['firewall']['redhat7_iptables'] = true
-#end
+if !(node['platform_family'] == 'amazon' and node['platform_version'].to_i == 2023)
+  default['firewall']['redhat7_iptables'] = true
+end
 # We probably don't want to set java defaults here. This may cause issues with attribute precedence when other cookbooks try to install a different version of Java (JDK 7 is not supported/patched)
 # if platform_family?("windows")