cloud-mu 3.5.0 → 3.6.3
- checksums.yaml +4 -4
- data/Berksfile +5 -2
- data/Berksfile.lock +135 -0
- data/ansible/roles/mu-base/README.md +33 -0
- data/ansible/roles/mu-base/defaults/main.yml +2 -0
- data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
- data/ansible/roles/mu-base/files/check_apm.sh +18 -0
- data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
- data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
- data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
- data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
- data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
- data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
- data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
- data/ansible/roles/mu-base/files/logrotate.conf +35 -0
- data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
- data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
- data/ansible/roles/mu-base/handlers/main.yml +5 -0
- data/ansible/roles/mu-base/meta/main.yml +53 -0
- data/ansible/roles/mu-base/tasks/main.yml +113 -0
- data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
- data/ansible/roles/mu-base/tests/inventory +2 -0
- data/ansible/roles/mu-base/tests/test.yml +5 -0
- data/ansible/roles/mu-base/vars/main.yml +1 -0
- data/ansible/roles/mu-compliance/README.md +33 -0
- data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
- data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
- data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
- data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
- data/ansible/roles/mu-compliance/meta/main.yml +53 -0
- data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
- data/ansible/roles/mu-compliance/tests/inventory +2 -0
- data/ansible/roles/mu-compliance/tests/test.yml +5 -0
- data/ansible/roles/mu-compliance/vars/main.yml +4 -0
- data/ansible/roles/mu-elastic/README.md +51 -0
- data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
- data/ansible/roles/mu-elastic/files/jvm.options +93 -0
- data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
- data/ansible/roles/mu-elastic/meta/main.yml +52 -0
- data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
- data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
- data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
- data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
- data/ansible/roles/mu-elastic/tests/inventory +2 -0
- data/ansible/roles/mu-elastic/tests/test.yml +5 -0
- data/ansible/roles/mu-elastic/vars/main.yml +2 -0
- data/ansible/roles/mu-logstash/README.md +51 -0
- data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
- data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
- data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
- data/ansible/roles/mu-logstash/files/jvm.options +84 -0
- data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
- data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
- data/ansible/roles/mu-logstash/meta/main.yml +52 -0
- data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
- data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
- data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
- data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
- data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
- data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
- data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
- data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
- data/ansible/roles/mu-logstash/tests/inventory +2 -0
- data/ansible/roles/mu-logstash/tests/test.yml +5 -0
- data/ansible/roles/mu-logstash/vars/main.yml +2 -0
- data/ansible/roles/mu-rdp/README.md +33 -0
- data/ansible/roles/mu-rdp/meta/main.yml +53 -0
- data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
- data/ansible/roles/mu-rdp/tests/inventory +2 -0
- data/ansible/roles/mu-rdp/tests/test.yml +5 -0
- data/ansible/roles/mu-windows/tasks/main.yml +3 -0
- data/bin/mu-ansible-secret +1 -1
- data/bin/mu-aws-setup +4 -3
- data/bin/mu-azure-setup +5 -5
- data/bin/mu-configure +25 -17
- data/bin/mu-firewall-allow-clients +1 -0
- data/bin/mu-gcp-setup +3 -3
- data/bin/mu-load-config.rb +1 -0
- data/bin/mu-node-manage +66 -33
- data/bin/mu-self-update +2 -2
- data/bin/mu-upload-chef-artifacts +6 -1
- data/bin/mu-user-manage +1 -1
- data/cloud-mu.gemspec +25 -23
- data/cookbooks/firewall/CHANGELOG.md +417 -224
- data/cookbooks/firewall/LICENSE +202 -0
- data/cookbooks/firewall/README.md +153 -126
- data/cookbooks/firewall/TODO.md +6 -0
- data/cookbooks/firewall/attributes/firewalld.rb +7 -0
- data/cookbooks/firewall/attributes/iptables.rb +3 -3
- data/cookbooks/firewall/chefignore +115 -0
- data/cookbooks/firewall/libraries/helpers.rb +5 -0
- data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
- data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
- data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
- data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
- data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
- data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
- data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
- data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
- data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
- data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
- data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
- data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
- data/cookbooks/firewall/metadata.json +40 -1
- data/cookbooks/firewall/metadata.rb +15 -0
- data/cookbooks/firewall/recipes/default.rb +7 -7
- data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
- data/cookbooks/firewall/recipes/firewalld.rb +87 -0
- data/cookbooks/firewall/renovate.json +18 -0
- data/cookbooks/firewall/resources/firewalld.rb +28 -0
- data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
- data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
- data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
- data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
- data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
- data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
- data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
- data/cookbooks/firewall/resources/nftables.rb +71 -0
- data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
- data/cookbooks/mu-activedirectory/Berksfile +1 -1
- data/cookbooks/mu-activedirectory/metadata.rb +1 -1
- data/cookbooks/mu-firewall/metadata.rb +2 -2
- data/cookbooks/mu-master/Berksfile +4 -3
- data/cookbooks/mu-master/attributes/default.rb +5 -2
- data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
- data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
- data/cookbooks/mu-master/libraries/mu.rb +24 -0
- data/cookbooks/mu-master/metadata.rb +5 -5
- data/cookbooks/mu-master/recipes/default.rb +31 -20
- data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
- data/cookbooks/mu-master/recipes/init.rb +58 -19
- data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
- data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
- data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
- data/cookbooks/mu-php54/Berksfile +1 -1
- data/cookbooks/mu-php54/metadata.rb +2 -2
- data/cookbooks/mu-tools/Berksfile +2 -3
- data/cookbooks/mu-tools/attributes/default.rb +3 -4
- data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
- data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
- data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
- data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
- data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
- data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
- data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
- data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
- data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
- data/cookbooks/mu-tools/libraries/helper.rb +21 -9
- data/cookbooks/mu-tools/metadata.rb +4 -4
- data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
- data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
- data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
- data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
- data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
- data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
- data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
- data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
- data/data_bags/nagios_services/apm_backend_connect.json +5 -0
- data/data_bags/nagios_services/apm_listen.json +5 -0
- data/data_bags/nagios_services/elastic_shards.json +5 -0
- data/data_bags/nagios_services/logstash.json +5 -0
- data/data_bags/nagios_services/rhel7_updates.json +8 -0
- data/extras/image-generators/AWS/centos7.yaml +1 -0
- data/extras/image-generators/AWS/rhel7.yaml +21 -0
- data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
- data/extras/image-generators/AWS/win2k16.yaml +1 -0
- data/extras/image-generators/AWS/win2k19.yaml +1 -0
- data/extras/list-stock-amis +0 -0
- data/extras/ruby_rpm/muby.spec +8 -5
- data/extras/vault_tools/export_vaults.sh +1 -1
- data/extras/vault_tools/recreate_vaults.sh +0 -0
- data/extras/vault_tools/test_vaults.sh +0 -0
- data/install/deprecated-bash-library.sh +1 -1
- data/install/installer +4 -2
- data/modules/mommacat.ru +3 -1
- data/modules/mu/adoption.rb +1 -1
- data/modules/mu/cloud/dnszone.rb +2 -2
- data/modules/mu/cloud/machine_images.rb +26 -25
- data/modules/mu/cloud/resource_base.rb +213 -182
- data/modules/mu/cloud/server_pool.rb +1 -1
- data/modules/mu/cloud/ssh_sessions.rb +7 -5
- data/modules/mu/cloud/wrappers.rb +2 -2
- data/modules/mu/cloud.rb +1 -1
- data/modules/mu/config/bucket.rb +1 -1
- data/modules/mu/config/function.rb +6 -1
- data/modules/mu/config/loadbalancer.rb +24 -2
- data/modules/mu/config/ref.rb +12 -0
- data/modules/mu/config/role.rb +1 -1
- data/modules/mu/config/schema_helpers.rb +42 -9
- data/modules/mu/config/server.rb +43 -27
- data/modules/mu/config/tail.rb +19 -10
- data/modules/mu/config.rb +6 -5
- data/modules/mu/defaults/AWS.yaml +78 -114
- data/modules/mu/deploy.rb +9 -2
- data/modules/mu/groomer.rb +12 -4
- data/modules/mu/groomers/ansible.rb +104 -20
- data/modules/mu/groomers/chef.rb +15 -6
- data/modules/mu/master.rb +9 -4
- data/modules/mu/mommacat/daemon.rb +4 -2
- data/modules/mu/mommacat/naming.rb +1 -2
- data/modules/mu/mommacat/storage.rb +7 -2
- data/modules/mu/mommacat.rb +33 -6
- data/modules/mu/providers/aws/database.rb +161 -8
- data/modules/mu/providers/aws/dnszone.rb +11 -6
- data/modules/mu/providers/aws/endpoint.rb +81 -6
- data/modules/mu/providers/aws/firewall_rule.rb +254 -172
- data/modules/mu/providers/aws/function.rb +65 -3
- data/modules/mu/providers/aws/loadbalancer.rb +39 -28
- data/modules/mu/providers/aws/log.rb +2 -1
- data/modules/mu/providers/aws/role.rb +25 -7
- data/modules/mu/providers/aws/server.rb +36 -12
- data/modules/mu/providers/aws/server_pool.rb +237 -127
- data/modules/mu/providers/aws/storage_pool.rb +7 -1
- data/modules/mu/providers/aws/user.rb +1 -1
- data/modules/mu/providers/aws/userdata/linux.erb +6 -2
- data/modules/mu/providers/aws/userdata/windows.erb +7 -5
- data/modules/mu/providers/aws/vpc.rb +49 -25
- data/modules/mu/providers/aws.rb +13 -8
- data/modules/mu/providers/azure/container_cluster.rb +1 -1
- data/modules/mu/providers/azure/loadbalancer.rb +2 -2
- data/modules/mu/providers/azure/server.rb +5 -2
- data/modules/mu/providers/azure/userdata/linux.erb +1 -1
- data/modules/mu/providers/azure.rb +11 -8
- data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
- data/modules/mu/providers/google/container_cluster.rb +15 -2
- data/modules/mu/providers/google/folder.rb +2 -1
- data/modules/mu/providers/google/function.rb +130 -4
- data/modules/mu/providers/google/habitat.rb +2 -1
- data/modules/mu/providers/google/loadbalancer.rb +407 -160
- data/modules/mu/providers/google/role.rb +16 -3
- data/modules/mu/providers/google/server.rb +5 -1
- data/modules/mu/providers/google/user.rb +25 -18
- data/modules/mu/providers/google/userdata/linux.erb +1 -1
- data/modules/mu/providers/google/vpc.rb +53 -7
- data/modules/mu/providers/google.rb +39 -39
- data/modules/mu.rb +8 -8
- data/modules/tests/elk.yaml +46 -0
- data/test/mu-master-test/controls/all_in_one.rb +1 -1
- metadata +207 -112
- data/cookbooks/firewall/CONTRIBUTING.md +0 -2
- data/cookbooks/firewall/MAINTAINERS.md +0 -19
- data/cookbooks/firewall/libraries/matchers.rb +0 -30
- data/extras/image-generators/AWS/rhel71.yaml +0 -17
@@ -16,227 +16,300 @@
|
|
16
16
|
# See the License for the specific language governing permissions and
|
17
17
|
# limitations under the License.
|
18
18
|
|
19
|
-
include_recipe "
|
20
|
-
include_recipe "
|
19
|
+
include_recipe "nagios::server_source"
|
20
|
+
include_recipe "nagios"
|
21
21
|
include_recipe 'mu-master::firewall-holes'
|
22
22
|
|
23
|
-
|
24
|
-
include_recipe 'chef-vault'
|
25
|
-
bind_creds = chef_vault_item($MU_CFG['ldap']['bind_creds']['vault'], $MU_CFG['ldap']['bind_creds']['item'])
|
26
|
-
node.normal['nagios']['server_auth_method'] = "ldap"
|
27
|
-
node.normal['nagios']['ldap_bind_dn'] = bind_creds[$MU_CFG['ldap']['bind_creds']['username_field']]
|
28
|
-
node.normal['nagios']['ldap_bind_password'] = bind_creds[$MU_CFG['ldap']['bind_creds']['password_field']]
|
29
|
-
if $MU_CFG['ldap']['type'] == "Active Directory"
|
30
|
-
node.normal['nagios']['ldap_url'] = "ldap://#{$MU_CFG['ldap']['dcs'].first}/#{$MU_CFG['ldap']['base_dn']}?sAMAccountName?sub?(objectClass=*)"
|
31
|
-
else
|
32
|
-
node.normal['nagios']['ldap_url'] = "ldap://#{$MU_CFG['ldap']['dcs'].first}/#{$MU_CFG['ldap']['base_dn']}?uid?sub?(objectClass=*)"
|
33
|
-
node.normal['nagios']['ldap_group_attribute'] = "memberUid"
|
34
|
-
node.normal['nagios']['ldap_group_attribute_is_dn'] = "Off"
|
35
|
-
# Trying to use SSL seems to cause mod_ldap to die without logging any errors,
|
36
|
-
# currently. Probably an Apache bug? XXX
|
37
|
-
# node.normal['nagios'][:ldap_trusted_global_cert] = "CA_BASE64 #{$MU_CFG['ssl']['chain']}"
|
38
|
-
# node.normal['nagios'][:ldap_trusted_mode] = "SSL"
|
39
|
-
end
|
40
|
-
node.normal['nagios']['server_auth_require'] = "ldap-group #{$MU_CFG['ldap']['user_group_dn']}"
|
41
|
-
node.normal['nagios']['ldap_authoritative'] = "On"
|
42
|
-
node.save
|
43
|
-
end
|
23
|
+
log "#{node['recipes']}"
|
44
24
|
|
45
|
-
#
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
25
|
+
# Define this so it's present for solo runs of this recipe
|
26
|
+
if !node['recipes'].include?("mu-master::default") or node['update_nagios_only']
|
27
|
+
service 'apache2' do
|
28
|
+
extend Apache2::Cookbook::Helpers
|
29
|
+
service_name lazy { apache_platform_service_name }
|
30
|
+
supports restart: true, status: true, reload: true
|
31
|
+
action :enable
|
32
|
+
end
|
51
33
|
end
|
52
|
-
include_recipe "mu-nagios"
|
53
34
|
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
35
|
+
if $MU_CFG['disable_nagios']
|
36
|
+
log "Ignoring Nagios setup per Mu config"
|
37
|
+
else
|
38
|
+
if $MU_CFG.has_key?('ldap')
|
39
|
+
include_recipe 'chef-vault'
|
40
|
+
bind_creds = chef_vault_item($MU_CFG['ldap']['bind_creds']['vault'], $MU_CFG['ldap']['bind_creds']['item'])
|
41
|
+
node.normal['nagios']['server_auth_method'] = "ldap"
|
42
|
+
node.normal['nagios']['ldap_bind_dn'] = bind_creds[$MU_CFG['ldap']['bind_creds']['username_field']]
|
43
|
+
node.normal['nagios']['ldap_bind_password'] = bind_creds[$MU_CFG['ldap']['bind_creds']['password_field']]
|
44
|
+
if $MU_CFG['ldap']['type'] == "Active Directory"
|
45
|
+
node.normal['nagios']['ldap_url'] = "ldap://#{$MU_CFG['ldap']['dcs'].first}/#{$MU_CFG['ldap']['base_dn']}?sAMAccountName?sub?(objectClass=*)"
|
46
|
+
else
|
47
|
+
node.normal['nagios']['ldap_url'] = "ldap://#{$MU_CFG['ldap']['dcs'].first}/#{$MU_CFG['ldap']['base_dn']}?uid?sub?(objectClass=*)"
|
48
|
+
node.normal['nagios']['ldap_group_attribute'] = "memberUid"
|
49
|
+
node.normal['nagios']['ldap_group_attribute_is_dn'] = "Off"
|
50
|
+
# Trying to use SSL seems to cause mod_ldap to die without logging any errors,
|
51
|
+
# currently. Probably an Apache bug? XXX
|
52
|
+
# node.normal['nagios'][:ldap_trusted_global_cert] = "CA_BASE64 #{$MU_CFG['ssl']['chain']}"
|
53
|
+
# node.normal['nagios'][:ldap_trusted_mode] = "SSL"
|
54
|
+
end
|
55
|
+
node.normal['nagios']['server_auth_require'] = "ldap-group #{$MU_CFG['ldap']['user_group_dn']}"
|
56
|
+
node.normal['nagios']['ldap_authoritative'] = "On"
|
57
|
+
node.save
|
58
|
+
end
|
59
|
+
|
60
|
+
# XXX The Nagios init script from source is buggy; config test always fails
|
61
|
+
# when invoked via "service nagios start," which is what the cookbook does.
|
62
|
+
# This at least keeps it from trashing our Chef runs.
|
63
|
+
file "/etc/sysconfig/nagios" do
|
64
|
+
content "checkconfig=\"false\"\n"
|
65
|
+
mode 0600
|
58
66
|
end
|
59
|
-
|
67
|
+
include_recipe "nagios"
|
60
68
|
|
61
|
-
|
69
|
+
# scrub our old stuff if it's around
|
70
|
+
["nagios_fifo", "nagios_more_selinux"].each { |policy|
|
71
|
+
execute "/usr/sbin/semodule -r #{policy}" do
|
72
|
+
only_if "/usr/sbin/semodule -l | egrep '^#{policy}(\t|$)'"
|
73
|
+
end
|
74
|
+
}
|
62
75
|
|
63
|
-
|
64
|
-
nagios_policies << "nagios_selinux_7"
|
65
|
-
end
|
76
|
+
nagios_policies = ["nagios_selinux"]
|
66
77
|
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
bash "RHEL7-family Nagios restart" do
|
71
|
-
code <<-EOH
|
72
|
-
/bin/systemctl stop nagios.service
|
73
|
-
/bin/pkill -u nagios
|
74
|
-
/bin/rm -f /var/run/nagios/nagios.pid
|
75
|
-
/bin/systemctl start nagios.service
|
76
|
-
EOH
|
77
|
-
action :nothing
|
78
|
-
end
|
78
|
+
if platform_family?("rhel") and node['platform_version'].to_i == 7
|
79
|
+
nagios_policies << "nagios_selinux_7"
|
80
|
+
end
|
79
81
|
|
80
|
-
|
81
|
-
|
82
|
+
# Restart Nagios inelegantly, because the standard service resource doesn't
|
83
|
+
# seem to work reliably on CentOS 7 or RHEL 7. May be an issue with the nagios
|
84
|
+
# community cookbook? Maybe it doesn't do systemctl correctly?
|
85
|
+
bash "RHEL7-family Nagios restart" do
|
86
|
+
code <<-EOH
|
87
|
+
/bin/systemctl stop nagios.service
|
88
|
+
/bin/pkill -u nagios
|
89
|
+
/bin/rm -f /var/run/nagios/nagios.pid
|
90
|
+
/bin/systemctl start nagios.service
|
91
|
+
EOH
|
82
92
|
action :nothing
|
83
|
-
only_if "/usr/sbin/semodule -l | egrep '^#{policy}(\t|$)'"
|
84
93
|
end
|
85
|
-
|
86
|
-
|
87
|
-
|
94
|
+
|
95
|
+
nagios_policies.each { |policy|
|
96
|
+
execute "/usr/sbin/semodule -r #{policy}" do
|
97
|
+
action :nothing
|
98
|
+
only_if "/usr/sbin/semodule -l | egrep '^#{policy}(\t|$)'"
|
99
|
+
end
|
100
|
+
cookbook_file "#{policy}.pp" do
|
101
|
+
path "#{Chef::Config[:file_cache_path]}/#{policy}.pp"
|
102
|
+
notifies :run, "execute[/usr/sbin/semodule -r #{policy}]", :immediately
|
103
|
+
end
|
104
|
+
execute "Add Nagios-related SELinux policies: #{policy}" do
|
105
|
+
command "/usr/sbin/semodule -i #{policy}.pp"
|
106
|
+
cwd Chef::Config[:file_cache_path]
|
107
|
+
not_if "/usr/sbin/semodule -l | egrep '^#{policy}(\t|$)'"
|
108
|
+
notifies :reload, "service[apache2]", :delayed
|
109
|
+
notifies :restart, "service[nrpe]", :delayed
|
110
|
+
if platform_family?("rhel") and node['platform_version'].to_i >= 7
|
111
|
+
notifies :run, "bash[RHEL7-family Nagios restart]", :delayed
|
112
|
+
else
|
113
|
+
notifies :reload, "service[nagios]", :delayed
|
114
|
+
end
|
115
|
+
end
|
116
|
+
}
|
117
|
+
|
118
|
+
# Workaround for minor Nagios (cookbook?) bug. It looks for this at the wrong
|
119
|
+
# URL at the moment, so copy it where it's actually looking.
|
120
|
+
if File.exist?("/usr/lib/cgi-bin/nagios/statusjson.cgi")
|
121
|
+
remote_file "/usr/lib/cgi-bin/statusjson.cgi" do
|
122
|
+
source "file:///usr/lib/cgi-bin/nagios/statusjson.cgi"
|
123
|
+
mode 0755
|
124
|
+
owner "root"
|
125
|
+
group "nagios"
|
126
|
+
end
|
88
127
|
end
|
89
|
-
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
-
|
128
|
+
|
129
|
+
# ... the nagios cookbook is bafflingly inconsistent
|
130
|
+
directory "/usr/lib/cgi-bin/nagios" do
|
131
|
+
mode 0755
|
132
|
+
owner "root"
|
133
|
+
group "nagios"
|
134
|
+
end
|
135
|
+
Dir.glob("/usr/lib/cgi-bin/*.cgi").each { |script|
|
136
|
+
shortname = script.gsub(/.*?\/([^\/]+)$/, '\1')
|
137
|
+
remote_file "/usr/lib/cgi-bin/nagios/#{shortname}" do
|
138
|
+
source "file:///#{script}"
|
139
|
+
mode 0755
|
140
|
+
owner "root"
|
141
|
+
group "nagios"
|
142
|
+
end
|
143
|
+
}
|
144
|
+
|
145
|
+
# Fish up any non-Chef hosts, which otherwise won't appear in Chef's
|
146
|
+
# inventory, and tell Nagios about them.
|
147
|
+
non_chef = {}
|
148
|
+
baskets.each_pair { |deploy_id, basket|
|
149
|
+
if basket["servers"]
|
150
|
+
basket["servers"].each { |server|
|
151
|
+
next if server["groomer"] == "Chef"
|
152
|
+
next if server.has_key?("monitor") and !server["monitor"]
|
153
|
+
non_chef[deploy_id] ||= []
|
154
|
+
non_chef[deploy_id] << server
|
155
|
+
}
|
156
|
+
end
|
157
|
+
if basket["server_pools"]
|
158
|
+
basket["server_pools"].each { |pool|
|
159
|
+
next if pool["groomer"] == "Chef"
|
160
|
+
next if pool.has_key?("monitor") and !pool["monitor"]
|
161
|
+
non_chef[deploy_id] ||= []
|
162
|
+
non_chef[deploy_id] << pool
|
163
|
+
}
|
164
|
+
end
|
165
|
+
}
|
166
|
+
deploy_metadata = deployments()
|
167
|
+
non_chef.each_pair { |deploy_id, servers|
|
168
|
+
servers.each { |server_blob|
|
169
|
+
servername = server_blob["name"]
|
170
|
+
platform = server_blob["platform"] =~ /^win/ ? "windows" : "linux"
|
171
|
+
deploy_metadata[deploy_id]['servers'][servername].each_pair { |mu_name, server|
|
172
|
+
nagios_host mu_name do
|
173
|
+
options(
|
174
|
+
"hostgroups" => ([platform] + server["run_list"] + ["mu-node"] + [deploy_metadata[deploy_id]["environment"]]).join(","),
|
175
|
+
"address" => server["private_ip_address"]
|
176
|
+
)
|
177
|
+
end
|
178
|
+
}
|
179
|
+
}
|
180
|
+
}
|
181
|
+
|
182
|
+
["/usr/lib/nagios", "/etc/nagios", "/etc/nagios3", "/var/www/html/docs"].each { |dir|
|
183
|
+
if Dir.exist?(dir)
|
184
|
+
execute "chcon -R -h -t httpd_sys_content_t #{dir}" do
|
185
|
+
not_if "ls -aZ #{dir} | grep ':httpd_sys_content_t:'"
|
186
|
+
returns [0, 1]
|
187
|
+
notifies :reload, "service[apache2]", :delayed
|
188
|
+
end
|
189
|
+
end
|
190
|
+
}
|
191
|
+
|
192
|
+
["/usr/lib/cgi-bin"].each { |cgidir|
|
193
|
+
if Dir.exist?(cgidir)
|
194
|
+
execute "chcon -R -t httpd_sys_script_exec_t #{cgidir}" do
|
195
|
+
not_if "ls -aZ #{cgidir} | grep ':httpd_sys_script_exec_t:'"
|
196
|
+
notifies :reload, "service[apache2]", :delayed
|
197
|
+
end
|
198
|
+
end
|
199
|
+
}
|
200
|
+
if File.exist?("/usr/lib64/nagios/plugins/check_nagios")
|
201
|
+
execute "chcon -R -h system_u:object_r:nagios_unconfined_plugin_exec_t /usr/lib64/nagios/plugins/check_nagios" do
|
202
|
+
not_if "ls -aZ /usr/lib64/nagios/plugins/check_nagios | grep 'object_r:nagios_'"
|
203
|
+
end
|
204
|
+
end
|
205
|
+
|
206
|
+
# execute "chgrp apache /var/log/nagios"
|
207
|
+
["/etc/nagios/conf.d/", "/etc/nagios/*.cfg", "/var/run/nagios.pid"].each { |dir|
|
208
|
+
execute "/sbin/restorecon -R #{dir}" do
|
209
|
+
not_if "ls -aZ #{dir} | grep ':nagios_etc_t:'"
|
210
|
+
only_if { ::File.exist?(dir) }
|
211
|
+
end
|
212
|
+
}
|
213
|
+
|
214
|
+
execute "/sbin/restorecon -R /var/log/nagios"
|
215
|
+
|
216
|
+
# The Nagios cookbook currently screws up this setting, so work around it.
|
217
|
+
execute "sed -i s/^interval_length=.*/interval_length=1/ || echo 'interval_length=1' >> /etc/nagios/nagios.cfg" do
|
218
|
+
not_if "grep '^interval_length=1$' /etc/nagios/nagios.cfg"
|
95
219
|
if platform_family?("rhel") and node['platform_version'].to_i >= 7
|
96
220
|
notifies :run, "bash[RHEL7-family Nagios restart]", :delayed
|
97
221
|
else
|
98
222
|
notifies :reload, "service[nagios]", :delayed
|
99
223
|
end
|
100
224
|
end
|
101
|
-
}
|
102
225
|
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
226
|
+
package "nagios-plugins-nrpe"
|
227
|
+
package "nagios-plugins-disk"
|
228
|
+
include_recipe "mu-tools::nrpe"
|
229
|
+
|
230
|
+
cookbook_file "/usr/lib64/nagios/plugins/check_mem" do
|
231
|
+
source "check_mem.pl"
|
108
232
|
mode 0755
|
109
233
|
owner "root"
|
110
|
-
|
234
|
+
notifies :restart, "service[nrpe]", :delayed
|
111
235
|
end
|
112
|
-
end
|
113
236
|
|
114
|
-
|
115
|
-
|
116
|
-
mode 0755
|
117
|
-
owner "root"
|
118
|
-
group "nagios"
|
119
|
-
end
|
120
|
-
Dir.glob("/usr/lib/cgi-bin/*.cgi").each { |script|
|
121
|
-
shortname = script.gsub(/.*?\/([^\/]+)$/, '\1')
|
122
|
-
remote_file "/usr/lib/cgi-bin/nagios/#{shortname}" do
|
123
|
-
source "file:///#{script}"
|
237
|
+
cookbook_file "/usr/lib64/nagios/plugins/check_elastic" do
|
238
|
+
source "check_elastic.sh"
|
124
239
|
mode 0755
|
125
240
|
owner "root"
|
126
|
-
group "nagios"
|
127
241
|
end
|
128
|
-
}
|
129
242
|
|
130
|
-
|
131
|
-
|
132
|
-
|
133
|
-
|
134
|
-
returns [0, 1]
|
135
|
-
notifies :reload, "service[apache2]", :delayed
|
136
|
-
end
|
243
|
+
cookbook_file "/usr/lib64/nagios/plugins/check_kibana" do
|
244
|
+
source "check_kibana.rb"
|
245
|
+
mode 0755
|
246
|
+
owner "root"
|
137
247
|
end
|
138
|
-
}
|
139
248
|
|
140
|
-
|
141
|
-
|
142
|
-
execute "chcon -R -t httpd_sys_script_exec_t #{cgidir}" do
|
143
|
-
not_if "ls -aZ #{cgidir} | grep ':httpd_sys_script_exec_t:'"
|
144
|
-
notifies :reload, "service[apache2]", :delayed
|
145
|
-
end
|
146
|
-
end
|
147
|
-
}
|
148
|
-
if File.exist?("/usr/lib64/nagios/plugins/check_nagios")
|
149
|
-
execute "chcon -R -h system_u:object_r:nagios_unconfined_plugin_exec_t /usr/lib64/nagios/plugins/check_nagios" do
|
150
|
-
not_if "ls -aZ /usr/lib64/nagios/plugins/check_nagios | grep 'object_r:nagios_'"
|
249
|
+
nagios_command "check_elastic" do
|
250
|
+
options 'command_line' => %Q{$USER1$/check_elastic -H $HOSTADDRESS$ -t master -S -u $ARG1$ -p $ARG2$}
|
151
251
|
end
|
152
|
-
end
|
153
252
|
|
154
|
-
|
155
|
-
|
156
|
-
execute "/sbin/restorecon -R #{dir}" do
|
157
|
-
not_if "ls -aZ #{dir} | grep ':nagios_etc_t:'"
|
158
|
-
only_if { ::File.exist?(dir) }
|
253
|
+
nagios_command "check_kibana" do
|
254
|
+
options 'command_line' => %Q{$USER1$/check_kibana -h $HOSTADDRESS$ -u $ARG1$ -p $ARG2$ --port $ARG3$ --basepath $ARG4$}
|
159
255
|
end
|
160
|
-
}
|
161
|
-
|
162
|
-
execute "/sbin/restorecon -R /var/log/nagios"
|
163
256
|
|
164
|
-
|
165
|
-
|
166
|
-
not_if "grep '^interval_length=1$' /etc/nagios/nagios.cfg"
|
167
|
-
if platform_family?("rhel") and node['platform_version'].to_i >= 7
|
168
|
-
notifies :run, "bash[RHEL7-family Nagios restart]", :delayed
|
169
|
-
else
|
170
|
-
notifies :reload, "service[nagios]", :delayed
|
257
|
+
file "/etc/sysconfig/nrpe" do
|
258
|
+
content "NRPE_SSL_OPT=\"\"\n"
|
171
259
|
end
|
172
|
-
end
|
173
|
-
|
174
|
-
package "nagios-plugins-nrpe"
|
175
|
-
package "nagios-plugins-disk"
|
176
|
-
include_recipe "mu-tools::nrpe"
|
177
|
-
|
178
|
-
cookbook_file "/usr/lib64/nagios/plugins/check_mem" do
|
179
|
-
source "check_mem.pl"
|
180
|
-
mode 0755
|
181
|
-
owner "root"
|
182
|
-
notifies :restart, "service[nrpe]", :delayed
|
183
|
-
end
|
184
|
-
|
185
|
-
file "/etc/sysconfig/nrpe" do
|
186
|
-
content "NRPE_SSL_OPT=\"\"\n"
|
187
|
-
end
|
188
260
|
|
189
|
-
#Sometimes doesn
|
190
|
-
directory "/opt/mu/var/nagios_user_home" do
|
191
|
-
|
192
|
-
|
193
|
-
|
194
|
-
end
|
261
|
+
# Sometimes doesn't exist on the first run
|
262
|
+
directory "/opt/mu/var/nagios_user_home" do
|
263
|
+
owner "nagios"
|
264
|
+
group "nagios"
|
265
|
+
mode 0700
|
266
|
+
end
|
195
267
|
|
196
|
-
directory "/opt/mu/var/nagios_user_home/.ssh" do
|
197
|
-
|
198
|
-
|
199
|
-
|
200
|
-
end
|
201
|
-
file "/opt/mu/var/nagios_user_home/.ssh/known_hosts" do
|
202
|
-
|
203
|
-
|
204
|
-
|
205
|
-
end
|
206
|
-
file "/opt/mu/var/nagios_user_home/.ssh/known_hosts2" do
|
207
|
-
|
208
|
-
|
209
|
-
|
210
|
-
end
|
268
|
+
directory "/opt/mu/var/nagios_user_home/.ssh" do
|
269
|
+
owner "nagios"
|
270
|
+
group "nagios"
|
271
|
+
mode 0711
|
272
|
+
end
|
273
|
+
file "/opt/mu/var/nagios_user_home/.ssh/known_hosts" do
|
274
|
+
owner "nagios"
|
275
|
+
group "nagios"
|
276
|
+
mode 0600
|
277
|
+
end
|
278
|
+
file "/opt/mu/var/nagios_user_home/.ssh/known_hosts2" do
|
279
|
+
owner "nagios"
|
280
|
+
group "nagios"
|
281
|
+
mode 0600
|
282
|
+
end
|
211
283
|
|
212
284
|
|
213
|
-
nrpe_check "check_mem" do
|
214
|
-
|
215
|
-
|
216
|
-
|
217
|
-
|
218
|
-
end
|
285
|
+
nrpe_check "check_mem" do
|
286
|
+
command "#{node['nrpe']['plugin_dir']}/check_mem"
|
287
|
+
warning_condition '80'
|
288
|
+
critical_condition '95'
|
289
|
+
action :add
|
290
|
+
end
|
219
291
|
|
220
|
-
nagios_command 'host_notify_by_email' do
|
221
|
-
|
222
|
-
end
|
292
|
+
nagios_command 'host_notify_by_email' do
|
293
|
+
options 'command_line' => '/usr/bin/printf "%b" "$LONGDATETIME$\n\n$HOSTALIAS$ $NOTIFICATIONTYPE$ $HOSTSTATE$ ('+$MU_CFG['hostname']+')\n\n$HOSTOUTPUT$\n\nLogin: ssh://$HOSTNAME$" | ' + node['nagios']['server']['mail_command'] + ' -s "$NOTIFICATIONTYPE$ - $HOSTALIAS$ $HOSTSTATE$! ('+$MU_CFG['hostname']+')" $CONTACTEMAIL$'
|
294
|
+
end
|
223
295
|
|
224
|
-
nagios_command 'service_notify_by_email' do
|
225
|
-
|
226
|
-
end
|
296
|
+
nagios_command 'service_notify_by_email' do
|
297
|
+
options 'command_line' => '/usr/bin/printf "%b" "$LONGDATETIME$ - $SERVICEDESC$ $SERVICESTATE$ ('+$MU_CFG['hostname']+')\n\n$HOSTALIAS$ $NOTIFICATIONTYPE$\n\n$SERVICEOUTPUT$\n\nLogin: ssh://$HOSTNAME$" | ' + node['nagios']['server']['mail_command'] + ' -s "** $NOTIFICATIONTYPE$ - $HOSTALIAS$ - $SERVICEDESC$ - $SERVICESTATE$ ('+$MU_CFG['hostname']+')" $CONTACTEMAIL$'
|
298
|
+
end
|
227
299
|
|
228
|
-
nagios_command 'host_notify_by_sms_email' do
|
229
|
-
|
230
|
-
end
|
300
|
+
nagios_command 'host_notify_by_sms_email' do
|
301
|
+
options 'command_line' => '/usr/bin/printf "%b" "$HOSTALIAS$ $NOTIFICATIONTYPE$ $HOSTSTATE$ ('+$MU_CFG['hostname']+')\n\n$HOSTOUTPUT$" | ' + node['nagios']['server']['mail_command'] + ' -s "$HOSTALIAS$ $HOSTSTATE$! ('+$MU_CFG['hostname']+')" $CONTACTPAGER$'
|
302
|
+
end
|
231
303
|
|
232
|
-
nagios_command 'service_notify_by_sms_email' do
|
233
|
-
|
234
|
-
end
|
304
|
+
nagios_command 'service_notify_by_sms_email' do
|
305
|
+
options 'command_line' => '/usr/bin/printf "%b" "$SERVICEDESC$ $NOTIFICATIONTYPE$ $SERVICESTATE$ ('+$MU_CFG['hostname']+')\n\n$SERVICEOUTPUT$" | ' + node['nagios']['server']['mail_command'] + ' -s "$HOSTALIAS$ $SERVICEDESC$ $SERVICESTATE$! ('+$MU_CFG['hostname']+')" $CONTACTPAGER$'
|
306
|
+
end
|
235
307
|
|
236
|
-
execute "chgrp nrpe /etc/nagios/nrpe.d/*"
|
237
|
-
execute "/sbin/restorecon /etc/nagios/nrpe.cfg" do
|
238
|
-
|
239
|
-
|
308
|
+
execute "chgrp nrpe /etc/nagios/nrpe.d/*"
|
309
|
+
execute "/sbin/restorecon /etc/nagios/nrpe.cfg" do
|
310
|
+
if platform_family?("rhel") and node['platform_version'].to_i >= 7
|
311
|
+
notifies :run, "bash[RHEL7-family Nagios restart]", :delayed
|
312
|
+
end
|
240
313
|
end
|
314
|
+
include_recipe "mu-master::init" # gem permission fixes, mainly
|
241
315
|
end
|
242
|
-
include_recipe "mu-master::init" # gem permission fixes, mainly
|
@@ -35,19 +35,13 @@
|
|
35
35
|
SetHandler application/x-httpd-php
|
36
36
|
</FilesMatch>
|
37
37
|
|
38
|
-
<% if @https -%>
|
39
38
|
SSLEngine On
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
<% if node['nagios']['ssl_cert_chain_file'] %>
|
46
|
-
SSLCertificateChainFile <%= node['nagios']['ssl_cert_chain_file'] %>
|
47
|
-
<% end -%>
|
48
|
-
SSLCertificateKeyFile <%= @ssl_cert_key %>
|
39
|
+
SSLCertificateFile <%= $MU_CFG['ssl']['cert'] %>
|
40
|
+
SSLCertificateKeyFile <%= $MU_CFG['ssl']['key'] %>
|
41
|
+
<% if $MU_CFG['ssl'].has_key?("chain") and !$MU_CFG['ssl']['chain'].empty? %>
|
42
|
+
SSLCertificateChainFile <%= $MU_CFG['ssl']['chain'] %>
|
43
|
+
<% end %>
|
49
44
|
|
50
|
-
<% end -%>
|
51
45
|
<% case node['nagios']['server_auth_method'] -%>
|
52
46
|
<% when "openid" -%>
|
53
47
|
<Location />
|
@@ -4,19 +4,18 @@ source chef_repo: ".."
|
|
4
4
|
metadata
|
5
5
|
|
6
6
|
# Mu Cookbooks
|
7
|
-
cookbook 'mu-nagios' , '~> 8.2.0', git: "https://github.com/cloudamatic/mu-nagios.git"
|
8
7
|
cookbook "mu-utility"
|
9
8
|
cookbook "mu-splunk"
|
10
9
|
cookbook "mu-firewall"
|
11
10
|
cookbook "mu-activedirectory"
|
12
11
|
|
13
12
|
# Supermarket Cookbooks
|
13
|
+
cookbook "nagios"
|
14
14
|
cookbook "oracle-instantclient", '~> 1.1.0'
|
15
15
|
cookbook "database", '~> 6.1.1'
|
16
16
|
cookbook "postgresql", '~> 7.1.0'
|
17
17
|
cookbook "java", '~> 2.2.0'
|
18
18
|
cookbook "windows", '~> 5.1.1'
|
19
19
|
cookbook "chef-vault", '~> 3.1.1'
|
20
|
-
cookbook "
|
21
|
-
cookbook "yum-epel", '~> 3.2.0'
|
20
|
+
cookbook "yum-epel", '~> 5.0.8'
|
22
21
|
cookbook 'selinux', '~> 3.0.0'
|
@@ -141,10 +141,9 @@ default['application_attributes']['var_log_audit']['mount_directory'] = "/var/lo
|
|
141
141
|
|
142
142
|
default['banner']['path'] = "etc/BANNER-FEDERAL"
|
143
143
|
# firewalld support in the firewall cookbook is too stupid to breathe
|
144
|
-
|
145
|
-
|
146
|
-
|
147
|
-
#end
|
144
|
+
if !(node['platform_family'] == 'amazon' and node['platform_version'].to_i == 2023)
|
145
|
+
default['firewall']['redhat7_iptables'] = true
|
146
|
+
end
|
148
147
|
|
149
148
|
# We probably don't want to set java defaults here. This may cause issues with attribute precedence when other cookbooks try to install a different version of Java (JDK 7 is not supported/patched)
|
150
149
|
# if platform_family?("windows")
|