cloud-mu 3.5.0 → 3.6.3

Files changed (245) hide show
  1. checksums.yaml +4 -4
  2. data/Berksfile +5 -2
  3. data/Berksfile.lock +135 -0
  4. data/ansible/roles/mu-base/README.md +33 -0
  5. data/ansible/roles/mu-base/defaults/main.yml +2 -0
  6. data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
  7. data/ansible/roles/mu-base/files/check_apm.sh +18 -0
  8. data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
  9. data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
  10. data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
  11. data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
  12. data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
  13. data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
  14. data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
  15. data/ansible/roles/mu-base/files/logrotate.conf +35 -0
  16. data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
  17. data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
  18. data/ansible/roles/mu-base/handlers/main.yml +5 -0
  19. data/ansible/roles/mu-base/meta/main.yml +53 -0
  20. data/ansible/roles/mu-base/tasks/main.yml +113 -0
  21. data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
  22. data/ansible/roles/mu-base/tests/inventory +2 -0
  23. data/ansible/roles/mu-base/tests/test.yml +5 -0
  24. data/ansible/roles/mu-base/vars/main.yml +1 -0
  25. data/ansible/roles/mu-compliance/README.md +33 -0
  26. data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
  27. data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
  28. data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
  29. data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
  30. data/ansible/roles/mu-compliance/meta/main.yml +53 -0
  31. data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
  32. data/ansible/roles/mu-compliance/tests/inventory +2 -0
  33. data/ansible/roles/mu-compliance/tests/test.yml +5 -0
  34. data/ansible/roles/mu-compliance/vars/main.yml +4 -0
  35. data/ansible/roles/mu-elastic/README.md +51 -0
  36. data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
  37. data/ansible/roles/mu-elastic/files/jvm.options +93 -0
  38. data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
  39. data/ansible/roles/mu-elastic/meta/main.yml +52 -0
  40. data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
  41. data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
  42. data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
  43. data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
  44. data/ansible/roles/mu-elastic/tests/inventory +2 -0
  45. data/ansible/roles/mu-elastic/tests/test.yml +5 -0
  46. data/ansible/roles/mu-elastic/vars/main.yml +2 -0
  47. data/ansible/roles/mu-logstash/README.md +51 -0
  48. data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
  49. data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
  50. data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
  51. data/ansible/roles/mu-logstash/files/jvm.options +84 -0
  52. data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
  53. data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
  54. data/ansible/roles/mu-logstash/meta/main.yml +52 -0
  55. data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
  56. data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
  57. data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
  58. data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
  59. data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
  60. data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
  61. data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
  62. data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
  63. data/ansible/roles/mu-logstash/tests/inventory +2 -0
  64. data/ansible/roles/mu-logstash/tests/test.yml +5 -0
  65. data/ansible/roles/mu-logstash/vars/main.yml +2 -0
  66. data/ansible/roles/mu-rdp/README.md +33 -0
  67. data/ansible/roles/mu-rdp/meta/main.yml +53 -0
  68. data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
  69. data/ansible/roles/mu-rdp/tests/inventory +2 -0
  70. data/ansible/roles/mu-rdp/tests/test.yml +5 -0
  71. data/ansible/roles/mu-windows/tasks/main.yml +3 -0
  72. data/bin/mu-ansible-secret +1 -1
  73. data/bin/mu-aws-setup +4 -3
  74. data/bin/mu-azure-setup +5 -5
  75. data/bin/mu-configure +25 -17
  76. data/bin/mu-firewall-allow-clients +1 -0
  77. data/bin/mu-gcp-setup +3 -3
  78. data/bin/mu-load-config.rb +1 -0
  79. data/bin/mu-node-manage +66 -33
  80. data/bin/mu-self-update +2 -2
  81. data/bin/mu-upload-chef-artifacts +6 -1
  82. data/bin/mu-user-manage +1 -1
  83. data/cloud-mu.gemspec +25 -23
  84. data/cookbooks/firewall/CHANGELOG.md +417 -224
  85. data/cookbooks/firewall/LICENSE +202 -0
  86. data/cookbooks/firewall/README.md +153 -126
  87. data/cookbooks/firewall/TODO.md +6 -0
  88. data/cookbooks/firewall/attributes/firewalld.rb +7 -0
  89. data/cookbooks/firewall/attributes/iptables.rb +3 -3
  90. data/cookbooks/firewall/chefignore +115 -0
  91. data/cookbooks/firewall/libraries/helpers.rb +5 -0
  92. data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
  93. data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
  94. data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
  95. data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
  96. data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
  97. data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
  98. data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
  99. data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
  100. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
  101. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
  102. data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
  103. data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
  104. data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
  105. data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
  106. data/cookbooks/firewall/metadata.json +40 -1
  107. data/cookbooks/firewall/metadata.rb +15 -0
  108. data/cookbooks/firewall/recipes/default.rb +7 -7
  109. data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
  110. data/cookbooks/firewall/recipes/firewalld.rb +87 -0
  111. data/cookbooks/firewall/renovate.json +18 -0
  112. data/cookbooks/firewall/resources/firewalld.rb +28 -0
  113. data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
  114. data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
  115. data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
  116. data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
  117. data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
  118. data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
  119. data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
  120. data/cookbooks/firewall/resources/nftables.rb +71 -0
  121. data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
  122. data/cookbooks/mu-activedirectory/Berksfile +1 -1
  123. data/cookbooks/mu-activedirectory/metadata.rb +1 -1
  124. data/cookbooks/mu-firewall/metadata.rb +2 -2
  125. data/cookbooks/mu-master/Berksfile +4 -3
  126. data/cookbooks/mu-master/attributes/default.rb +5 -2
  127. data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
  128. data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
  129. data/cookbooks/mu-master/libraries/mu.rb +24 -0
  130. data/cookbooks/mu-master/metadata.rb +5 -5
  131. data/cookbooks/mu-master/recipes/default.rb +31 -20
  132. data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
  133. data/cookbooks/mu-master/recipes/init.rb +58 -19
  134. data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
  135. data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
  136. data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
  137. data/cookbooks/mu-php54/Berksfile +1 -1
  138. data/cookbooks/mu-php54/metadata.rb +2 -2
  139. data/cookbooks/mu-tools/Berksfile +2 -3
  140. data/cookbooks/mu-tools/attributes/default.rb +3 -4
  141. data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
  142. data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
  143. data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
  144. data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
  145. data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
  146. data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
  147. data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
  148. data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
  149. data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
  150. data/cookbooks/mu-tools/libraries/helper.rb +21 -9
  151. data/cookbooks/mu-tools/metadata.rb +4 -4
  152. data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
  153. data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
  154. data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
  155. data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
  156. data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
  157. data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
  158. data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
  159. data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
  160. data/data_bags/nagios_services/apm_backend_connect.json +5 -0
  161. data/data_bags/nagios_services/apm_listen.json +5 -0
  162. data/data_bags/nagios_services/elastic_shards.json +5 -0
  163. data/data_bags/nagios_services/logstash.json +5 -0
  164. data/data_bags/nagios_services/rhel7_updates.json +8 -0
  165. data/extras/image-generators/AWS/centos7.yaml +1 -0
  166. data/extras/image-generators/AWS/rhel7.yaml +21 -0
  167. data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
  168. data/extras/image-generators/AWS/win2k16.yaml +1 -0
  169. data/extras/image-generators/AWS/win2k19.yaml +1 -0
  170. data/extras/list-stock-amis +0 -0
  171. data/extras/ruby_rpm/muby.spec +8 -5
  172. data/extras/vault_tools/export_vaults.sh +1 -1
  173. data/extras/vault_tools/recreate_vaults.sh +0 -0
  174. data/extras/vault_tools/test_vaults.sh +0 -0
  175. data/install/deprecated-bash-library.sh +1 -1
  176. data/install/installer +4 -2
  177. data/modules/mommacat.ru +3 -1
  178. data/modules/mu/adoption.rb +1 -1
  179. data/modules/mu/cloud/dnszone.rb +2 -2
  180. data/modules/mu/cloud/machine_images.rb +26 -25
  181. data/modules/mu/cloud/resource_base.rb +213 -182
  182. data/modules/mu/cloud/server_pool.rb +1 -1
  183. data/modules/mu/cloud/ssh_sessions.rb +7 -5
  184. data/modules/mu/cloud/wrappers.rb +2 -2
  185. data/modules/mu/cloud.rb +1 -1
  186. data/modules/mu/config/bucket.rb +1 -1
  187. data/modules/mu/config/function.rb +6 -1
  188. data/modules/mu/config/loadbalancer.rb +24 -2
  189. data/modules/mu/config/ref.rb +12 -0
  190. data/modules/mu/config/role.rb +1 -1
  191. data/modules/mu/config/schema_helpers.rb +42 -9
  192. data/modules/mu/config/server.rb +43 -27
  193. data/modules/mu/config/tail.rb +19 -10
  194. data/modules/mu/config.rb +6 -5
  195. data/modules/mu/defaults/AWS.yaml +78 -114
  196. data/modules/mu/deploy.rb +9 -2
  197. data/modules/mu/groomer.rb +12 -4
  198. data/modules/mu/groomers/ansible.rb +104 -20
  199. data/modules/mu/groomers/chef.rb +15 -6
  200. data/modules/mu/master.rb +9 -4
  201. data/modules/mu/mommacat/daemon.rb +4 -2
  202. data/modules/mu/mommacat/naming.rb +1 -2
  203. data/modules/mu/mommacat/storage.rb +7 -2
  204. data/modules/mu/mommacat.rb +33 -6
  205. data/modules/mu/providers/aws/database.rb +161 -8
  206. data/modules/mu/providers/aws/dnszone.rb +11 -6
  207. data/modules/mu/providers/aws/endpoint.rb +81 -6
  208. data/modules/mu/providers/aws/firewall_rule.rb +254 -172
  209. data/modules/mu/providers/aws/function.rb +65 -3
  210. data/modules/mu/providers/aws/loadbalancer.rb +39 -28
  211. data/modules/mu/providers/aws/log.rb +2 -1
  212. data/modules/mu/providers/aws/role.rb +25 -7
  213. data/modules/mu/providers/aws/server.rb +36 -12
  214. data/modules/mu/providers/aws/server_pool.rb +237 -127
  215. data/modules/mu/providers/aws/storage_pool.rb +7 -1
  216. data/modules/mu/providers/aws/user.rb +1 -1
  217. data/modules/mu/providers/aws/userdata/linux.erb +6 -2
  218. data/modules/mu/providers/aws/userdata/windows.erb +7 -5
  219. data/modules/mu/providers/aws/vpc.rb +49 -25
  220. data/modules/mu/providers/aws.rb +13 -8
  221. data/modules/mu/providers/azure/container_cluster.rb +1 -1
  222. data/modules/mu/providers/azure/loadbalancer.rb +2 -2
  223. data/modules/mu/providers/azure/server.rb +5 -2
  224. data/modules/mu/providers/azure/userdata/linux.erb +1 -1
  225. data/modules/mu/providers/azure.rb +11 -8
  226. data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
  227. data/modules/mu/providers/google/container_cluster.rb +15 -2
  228. data/modules/mu/providers/google/folder.rb +2 -1
  229. data/modules/mu/providers/google/function.rb +130 -4
  230. data/modules/mu/providers/google/habitat.rb +2 -1
  231. data/modules/mu/providers/google/loadbalancer.rb +407 -160
  232. data/modules/mu/providers/google/role.rb +16 -3
  233. data/modules/mu/providers/google/server.rb +5 -1
  234. data/modules/mu/providers/google/user.rb +25 -18
  235. data/modules/mu/providers/google/userdata/linux.erb +1 -1
  236. data/modules/mu/providers/google/vpc.rb +53 -7
  237. data/modules/mu/providers/google.rb +39 -39
  238. data/modules/mu.rb +8 -8
  239. data/modules/tests/elk.yaml +46 -0
  240. data/test/mu-master-test/controls/all_in_one.rb +1 -1
  241. metadata +207 -112
  242. data/cookbooks/firewall/CONTRIBUTING.md +0 -2
  243. data/cookbooks/firewall/MAINTAINERS.md +0 -19
  244. data/cookbooks/firewall/libraries/matchers.rb +0 -30
  245. data/extras/image-generators/AWS/rhel71.yaml +0 -17
@@ -0,0 +1,231 @@
1
+ #############################################################################
2
+ # Sample NRPE Config File
3
+ # Written by: Ethan Galstad (nagios@nagios.org)
4
+ #
5
+ # Last Modified: 11-23-2007
6
+ #
7
+ # NOTES:
8
+ # This is a sample configuration file for the NRPE daemon. It needs to be
9
+ # located on the remote host that is running the NRPE daemon, not the host
10
+ # from which the check_nrpe client is being executed.
11
+ #############################################################################
12
+
13
+
14
+ # LOG FACILITY
15
+ # The syslog facility that should be used for logging purposes.
16
+
17
+ log_facility=daemon
18
+
19
+
20
+
21
+ # PID FILE
22
+ # The name of the file in which the NRPE daemon should write it's process ID
23
+ # number. The file is only written if the NRPE daemon is started by the root
24
+ # user and is running in standalone mode.
25
+
26
+ pid_file=/var/run/nrpe/nrpe.pid
27
+
28
+
29
+
30
+ # PORT NUMBER
31
+ # Port number we should wait for connections on.
32
+ # NOTE: This must be a non-priviledged port (i.e. > 1024).
33
+ # NOTE: This option is ignored if NRPE is running under either inetd or xinetd
34
+
35
+ server_port=5666
36
+
37
+
38
+
39
+ # SERVER ADDRESS
40
+ # Address that nrpe should bind to in case there are more than one interface
41
+ # and you do not want nrpe to bind on all interfaces.
42
+ # NOTE: This option is ignored if NRPE is running under either inetd or xinetd
43
+
44
+ #server_address=
45
+
46
+
47
+
48
+ # NRPE USER
49
+ # This determines the effective user that the NRPE daemon should run as.
50
+ # You can either supply a username or a UID.
51
+ #
52
+ # NOTE: This option is ignored if NRPE is running under either inetd or xinetd
53
+
54
+ nrpe_user=nrpe
55
+
56
+
57
+
58
+ # NRPE GROUP
59
+ # This determines the effective group that the NRPE daemon should run as.
60
+ # You can either supply a group name or a GID.
61
+ #
62
+ # NOTE: This option is ignored if NRPE is running under either inetd or xinetd
63
+
64
+ nrpe_group=nrpe
65
+
66
+
67
+
68
+ # ALLOWED HOST ADDRESSES
69
+ # This is an optional comma-delimited list of IP address or hostnames
70
+ # that are allowed to talk to the NRPE daemon. Network addresses with a bit mask
71
+ # (i.e. 192.168.1.0/24) are also supported. Hostname wildcards are not currently
72
+ # supported.
73
+ #
74
+ # Note: The daemon only does rudimentary checking of the client's IP
75
+ # address. I would highly recommend adding entries in your /etc/hosts.allow
76
+ # file to allow only the specified host to connect to the port
77
+ # you are running this daemon on.
78
+ #
79
+ # NOTE: This option is ignored if NRPE is running under either inetd or xinetd
80
+
81
+ allowed_hosts={{ mu_deployment['mu_all_ips'] | join(",") }}
82
+
83
+ # COMMAND ARGUMENT PROCESSING
84
+ # This option determines whether or not the NRPE daemon will allow clients
85
+ # to specify arguments to commands that are executed. This option only works
86
+ # if the daemon was configured with the --enable-command-args configure script
87
+ # option.
88
+ #
89
+ # *** ENABLING THIS OPTION IS A SECURITY RISK! ***
90
+ # Read the SECURITY file for information on some of the security implications
91
+ # of enabling this variable.
92
+ #
93
+ # Values: 0=do not allow arguments, 1=allow command arguments
94
+
95
+ dont_blame_nrpe=0
96
+
97
+
98
+
99
+ # BASH COMMAND SUBTITUTION
100
+ # This option determines whether or not the NRPE daemon will allow clients
101
+ # to specify arguments that contain bash command substitutions of the form
102
+ # $(...). This option only works if the daemon was configured with both
103
+ # the --enable-command-args and --enable-bash-command-substitution configure
104
+ # script options.
105
+ #
106
+ # *** ENABLING THIS OPTION IS A HIGH SECURITY RISK! ***
107
+ # Read the SECURITY file for information on some of the security implications
108
+ # of enabling this variable.
109
+ #
110
+ # Values: 0=do not allow bash command substitutions,
111
+ # 1=allow bash command substitutions
112
+
113
+ allow_bash_command_substitution=0
114
+
115
+
116
+
117
+ # COMMAND PREFIX
118
+ # This option allows you to prefix all commands with a user-defined string.
119
+ # A space is automatically added between the specified prefix string and the
120
+ # command line from the command definition.
121
+ #
122
+ # *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! ***
123
+ # Usage scenario:
124
+ # Execute restricted commmands using sudo. For this to work, you need to add
125
+ # the nagios user to your /etc/sudoers. An example entry for alllowing
126
+ # execution of the plugins from might be:
127
+ #
128
+ # nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
129
+ #
130
+ # This lets the nagios user run all commands in that directory (and only them)
131
+ # without asking for a password. If you do this, make sure you don't give
132
+ # random users write access to that directory or its contents!
133
+
134
+ #command_prefix=/usr/bin/sudo
135
+
136
+
137
+
138
+ # DEBUGGING OPTION
139
+ # This option determines whether or not debugging messages are logged to the
140
+ # syslog facility.
141
+ # Values: 0=debugging off, 1=debugging on
142
+
143
+ debug=0
144
+
145
+
146
+
147
+ # COMMAND TIMEOUT
148
+ # This specifies the maximum number of seconds that the NRPE daemon will
149
+ # allow plugins to finish executing before killing them off.
150
+
151
+ command_timeout=60
152
+
153
+
154
+
155
+ # CONNECTION TIMEOUT
156
+ # This specifies the maximum number of seconds that the NRPE daemon will
157
+ # wait for a connection to be established before exiting. This is sometimes
158
+ # seen where a network problem stops the SSL being established even though
159
+ # all network sessions are connected. This causes the nrpe daemons to
160
+ # accumulate, eating system resources. Do not set this too low.
161
+
162
+ connection_timeout=300
163
+
164
+
165
+
166
+ # WEEK RANDOM SEED OPTION
167
+ # This directive allows you to use SSL even if your system does not have
168
+ # a /dev/random or /dev/urandom (on purpose or because the necessary patches
169
+ # were not applied). The random number generator will be seeded from a file
170
+ # which is either a file pointed to by the environment valiable $RANDFILE
171
+ # or $HOME/.rnd. If neither exists, the pseudo random number generator will
172
+ # be initialized and a warning will be issued.
173
+ # Values: 0=only seed from /dev/[u]random, 1=also seed from weak randomness
174
+
175
+ #allow_weak_random_seed=1
176
+
177
+
178
+
179
+ # INCLUDE CONFIG FILE
180
+ # This directive allows you to include definitions from an external config file.
181
+
182
+ #include=<somefile.cfg>
183
+
184
+
185
+
186
+ # COMMAND DEFINITIONS
187
+ # Command definitions that this daemon will run. Definitions
188
+ # are in the following format:
189
+ #
190
+ # command[<command_name>]=<command_line>
191
+ #
192
+ # When the daemon receives a request to return the results of <command_name>
193
+ # it will execute the command specified by the <command_line> argument.
194
+ #
195
+ # Unlike Nagios, the command line cannot contain macros - it must be
196
+ # typed exactly as it should be executed.
197
+ #
198
+ # Note: Any plugins that are used in the command lines must reside
199
+ # on the machine that this daemon is running on! The examples below
200
+ # assume that you have plugins installed in a /usr/local/nagios/libexec
201
+ # directory. Also note that you will have to modify the definitions below
202
+ # to match the argument format the plugins expect. Remember, these are
203
+ # examples only!
204
+
205
+
206
+ # The following examples use hardcoded command arguments...
207
+
208
+ command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10
209
+ command[check_load]=/usr/lib64/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
210
+ command[check_zombie_procs]=/usr/lib64/nagios/plugins/check_procs -w 5 -c 10 -s Z
211
+ command[check_total_procs]=/usr/lib64/nagios/plugins/check_procs -w 150 -c 200
212
+ command[check_disk]=/usr/lib64/nagios/plugins/check_disk -w 15% -c 5% -X nfs -X nfs4
213
+
214
+
215
+ # The following examples allow user-supplied arguments and can
216
+ # only be used if the NRPE daemon was compiled with support for
217
+ # command arguments *AND* the dont_blame_nrpe directive in this
218
+ # config file is set to '1'. This poses a potential security risk, so
219
+ # make sure you read the SECURITY file before doing this.
220
+
221
+ #command[check_users]=/usr/lib64/nagios/plugins/check_users -w $ARG1$ -c $ARG2$
222
+ #command[check_load]=/usr/lib64/nagios/plugins/check_load -w $ARG1$ -c $ARG2$
223
+ #command[check_procs]=/usr/lib64/nagios/plugins/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
224
+
225
+
226
+
227
+ # INCLUDE CONFIG DIRECTORY
228
+ # This directive allows you to include definitions from config files (with a
229
+ # .cfg extension) in one or more directories (with recursion).
230
+
231
+ include_dir=/etc/nagios/nrpe.d/
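Review bot: `allowed_hosts` (template line 81) is rendered straight from `mu_deployment['mu_all_ips']` with no check that the list is non-empty, and `server_address` stays commented out, so the daemon listens on every interface and the only source restriction is whatever that variable held at render time. The file's own comment says the daemon does only rudimentary client-address checking, so this needs a host firewall or hosts.allow rule limiting port 5666 to the same addresses; no such rule is visible in this hunk. I would add a task before the template is rendered, along the lines of `- assert: { that: "mu_deployment['mu_all_ips'] | length > 0" }`, so an empty list fails the play instead of rendering a bare `allowed_hosts=`. Separately, `include_dir=/etc/nagios/nrpe.d/` loads every .cfg in that directory as command definitions, so the role should make sure the directory and its files are owned by root and not writable by the `nrpe` user. A comment above line 81 saying which addresses `mu_all_ips` is expected to contain would also help the next reader.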
@@ -0,0 +1,2 @@
1
+ localhost
2
+
@@ -0,0 +1,5 @@
1
+ ---
2
+ - hosts: localhost
3
+ remote_user: root
4
+ roles:
5
+ - mu-compliance
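Review bot: The playbook applies the `mu-compliance` role, but going by the order and line counts in the file list this hunk appears to be `data/ansible/roles/mu-base/tests/test.yml`; if so, the mu-base role is never exercised by its own test and the entry should read `- mu-base`. The play also runs against localhost as `remote_user: root`, so a leading comment such as `# run only on a disposable test host` would make the intended scope explicit.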
@@ -0,0 +1 @@
1
+ ---
@@ -0,0 +1,33 @@
1
+ Role Name
2
+ =========
3
+
4
+ Hardening
5
+
6
+ Requirements
7
+ ------------
8
+
9
+ Windows host with internet connectivity and no other major services running.
10
+
11
+ License
12
+ -------
13
+
14
+ Copyright:: Copyright (c) 2021 eGlobalTech, Inc., all rights reserved
15
+
16
+ Licensed under the BSD-3 license (the "License");
17
+ you may not use this file except in compliance with the License.
18
+ You may obtain a copy of the License in the root of the project or at
19
+
20
+ http://egt-labs.com/mu/LICENSE.html
21
+
22
+ Unless required by applicable law or agreed to in writing, software
23
+ distributed under the License is distributed on an "AS IS" BASIS,
24
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
25
+ See the License for the specific language governing permissions and
26
+ limitations under the License.
27
+
28
+ Author Information
29
+ ------------------
30
+
31
+ Current developers: John Stange
32
+
33
+ egt-labs-admins@egt-labs.com
@@ -0,0 +1,2 @@
1
+ ---
2
+ # defaults file for mu-windows