From 9abf25977312a56787ce3affee7ba023a241261d Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Fri, 18 Aug 2023 15:03:06 +0200
Subject: [PATCH] Add kernel and certificate checks

---
 global-templates/commands.conf | 53 ++++++++++++++++++++++++++++++++++
 global-templates/services.conf | 28 ++++++++++++++++++
 master/hosts.conf | 13 +++++++++
 3 files changed, 94 insertions(+)

diff --git a/global-templates/commands.conf b/global-templates/commands.conf
index 4f35be6..4a9a73a 100644
--- a/global-templates/commands.conf
+++ b/global-templates/commands.conf
@@ -1,5 +1,58 @@
 // vim: set ft=icinga2 et sw=2 ts=2 si ai:
 
+/*
+* Checks the validity of a custom CA certificate (like a Icinga or Puppet CA).
+*/
+object CheckCommand "custom_ca_cert" {
+ command = [ PluginContribDir + "/check_ssl_cert" ]
+
+ arguments = [
+ "-f" = {
+ value = "$ssl_cert_file$"
+ description = "Local file path (works with -H localhost only)"
+ }
+ "-s" = {
+ set_if = "$ssl_cert_selfsigned$"
+ description = "Allow self-signed certificate"
+ }
+ "-A" = {
+ set_if = "$ssl_cert_noauth$"
+ description = "Ignore authority warnings (expiration only)"
+ }
+ "--ignore-maximum-validity" = {
+ set_if = "$ssl_cert_ignore_maximum_validity$"
+ description = "Ignore the certificate maximum validity"
+ }
+ "--allow-empty-san" = {
+ set_if = "$ssl_allow_empty_san$"
+ description = "Allow certificates without Subject Alternative Names (SANs)"
+ }
+ "-w" = {
+ value = "$ssl_cert_warn$"
+ description = "Minimum number of days a certificate has to be valid"
+ }
+ "-c" = {
+ value = "$ssl_cert_critical$"
+ description = "Minimum number of days a certificate has to be valid to issue a critical status"
+ }
+ ]
+
+ vars.ssl_cert_selfsigned = true
+ vars.ssl_cert_noauth = true
+ vars.ssl_cert_ignore_maximum_validity = true
+ vars.ssl_cert_allow_empty_san = true
+ vars.ssl_cert_warn = 90
+ vars.ssl_cert_critical = 30
+}
+
+/*
+* Local command to check whether the current kernel is the latest installed
+* kernel.
+*/
+object CheckCommand "kernel_status" {
+ command = [ LocalPluginDir + "/check_kernel_status" ]
+}
+
 /*
 * Checks a local PostgreSQL database. You need to grant the given user
 * (normally nagios, which is what Icinga is running as) privileges to connect
diff --git a/global-templates/services.conf b/global-templates/services.conf
index dfbf61a..d0b768d 100644
--- a/global-templates/services.conf
+++ b/global-templates/services.conf
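Review bot: `arguments = [` in the new custom_ca_cert command opens an array, but Icinga 2 defines the CheckCommand `arguments` attribute as a dictionary, so the `"-f" = { … }` entries inside it should be rejected when the config is validated; the opening and closing lines should read `arguments = {` and `}`. The `--allow-empty-san` entry reads `set_if = "$ssl_allow_empty_san$"` while the default set further down is `vars.ssl_cert_allow_empty_san = true`, so the flag is never passed unless a host happens to set the differently named macro; changing it to `set_if = "$ssl_cert_allow_empty_san$"` makes the default take effect. Because `-s` and `-A` both default to true, this command deliberately skips chain and trust validation and reports only on validity dates, which the header comment should say explicitly, e.g. `* Only expiry is checked: -s and -A are set by default, so chain and trust errors are ignored.`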
@@ -12,6 +12,26 @@ apply Service "apt" {
 assign where host.vars.osfamily == "Debian"
 }
 
+apply Service "certificate " for (name => config in host.vars.x509_certs) {
+ import "generic-service"
+
+ check_command = "check_ssl_cert"
+ check_interval = 6h
+ retry_interval = 15m
+
+ vars += config
+}
+
+apply Service "ca-certificate " for (name => config in host.vars.ca_certs) {
+ import "generic-service"
+
+ check_command = "custom_ca_cert"
+ check_interval = 1d
+ retry_interval = 6h
+
+ vars += config
+}
+
 apply Service "disk " for (disk => config in host.vars.disks) {
 import "generic-service"
 
@@ -36,6 +56,14 @@ apply Service "icinga" {
 assign where host.name == NodeName
 }
 
+apply Service "kernel-status" {
+ import "generic-service"
+
+ check_command = "kernel_status"
+
+ assign where !host.vars.is_container
+}
+
 apply Service "load" {
 import "generic-service"
 
diff --git a/master/hosts.conf b/master/hosts.conf
index 07b82cd..bf4be09 100644
--- a/master/hosts.conf
+++ b/master/hosts.conf
@@ -8,6 +8,8 @@ object Host "beholder" {
 address = "127.0.0.1"
 address6 = "::1"
 
+ vars.is_container = false
+
 vars.disks["/"] = {
 disk_partitions = "/"
 }
@@ -111,4 +113,15 @@ object Host "beholder" {
 pgsql_database = "icingadb"
 pgsql_query = "SELECT COUNT(*) FROM host"
 }
+
+ vars.x509_certs["monitoring client"] = {
+ ssl_cert_address = "localhost"
+ ssl_cert_file = "/etc/ssl/public/beholder-client.crt.pem"
+ ssl_cert_ignore_sct = true
+ ssl_cert_warn = 30
+ }
+
+ vars.ca_certs["Icinga"] = {
+ ssl_cert_file = "/var/lib/icinga2/ca/ca.crt"
+ }
 }
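Review bot: `check_command = "check_ssl_cert"` in the new `certificate ` service names a CheckCommand this patch never defines; the commands.conf hunk adds only `custom_ca_cert` and `kernel_status`, and the ITL contrib command wrapping check_ssl_cert is, as far as I know, called `ssl_cert`, whose variable names (`ssl_cert_address`, `ssl_cert_file`, `ssl_cert_ignore_sct`, `ssl_cert_warn`) are exactly the ones the hosts.conf hunk fills in. Unless a `check_ssl_cert` CheckCommand exists elsewhere in the repository, config validation will refuse the service; `check_command = "ssl_cert"` is the probable fix.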
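Review bot: `assign where !host.vars.is_container` in the kernel-status service also matches every host that never sets the variable, because an unset custom var evaluates to null and `!null` is true; hosts.conf sets `vars.is_container = false` explicitly on beholder, so a container host that omits the variable will silently receive a kernel check that cannot succeed there. If opt-out is the intended semantics this is fine but should be documented, e.g. `// hosts without is_container are treated as real machines`; if only hosts that declare themselves should be checked, `assign where host.vars.is_container == false` is the stricter form.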