Good : full update

2025-04-25 08:46:09 +02:00
parent f9723e6b9c
commit 193689ed13
64 changed files with 6 additions and 2674 deletions
--- a/modules/monitoring.sh
+++ b/modules/monitoring.sh
@ -0,0 +1,297 @@
+#!/bin/bash
+# =============================================================================
+# Monitoring configuration module (SNMP and NRPE)
+# =============================================================================
+
+# Set script directory
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Source common functions and variables
+source "./common.sh"
+
+# Function to configure SNMP
+configure_snmp() {
+  log_message "INFO" "Configuring SNMP monitoring"
+  
+  # Install SNMP if not already installed
+  if ! is_package_installed "snmpd"; then
+    log_message "INFO" "Installing SNMP"
+    apt-get install -y snmpd snmp
+    
+    if [ $? -ne 0 ]; then
+      log_message "ERROR" "Failed to install SNMP"
+      return 1
+    fi
+  else
+    log_message "INFO" "SNMP is already installed"
+  fi
+  
+  # Configure SNMP
+  local snmpd_conf="/etc/snmp/snmpd.conf"
+  
+  log_message "INFO" "Creating SNMP configuration"
+  backup_file "$snmpd_conf"
+  
+  cat > "$snmpd_conf" << EOF
+# SNMP Configuration
+# Generated by security hardening script
+
+# Listen on localhost and specific network interface
+agentAddress udp:127.0.0.1:161,udp:161
+
+# Information about this host
+sysLocation    "Server Room"
+sysContact     admin@example.com
+sysName        $(hostname)
+sysDescr       "Linux $(uname -r) on $(uname -m)"
+
+# Authentication (replace with your own values)
+# Format: user_name security_name auth_protocol auth_passphrase priv_protocol priv_passphrase
+createUser authOnlyUser  MD5 "auth_pass_phrase"
+createUser authPrivUser  SHA "auth_pass_phrase" DES "priv_pass_phrase"
+
+# Grant access to SNMPv3 users
+rouser   authOnlyUser auth
+rouser   authPrivUser priv
+
+# Views
+view    systemonly   included    .1.3.6.1.2.1.1
+view    systemonly   included    .1.3.6.1.2.1.25.1
+
+# Grant only system information to SNMPv3 users
+access  grpAuthOnlyUser  ""      usm     auth    nopriv  exact   systemonly  none    none
+access  grpAuthPrivUser  ""      usm     auth    priv    exact   systemonly  none    none
+
+# Additional monitoring
+# Load averages
+extend load    /bin/cat   /proc/loadavg
+# Disk space
+extend dfspace /bin/df    -P
+
+# Disable older SNMP versions (only allow SNMPv3)
+disableSnmpv1d yes
+disableSnmpv2cd yes
+
+# Logging
+authtrapenable 1
+EOF
+
+  log_message "SUCCESS" "SNMP configuration created at $snmpd_conf"
+  
+  # Create SNMP client configuration example
+  local snmp_client_conf="/root/snmp-client-example.txt"
+  
+  log_message "INFO" "Creating SNMP client configuration example"
+  
+  cat > "$snmp_client_conf" << EOF
+# SNMP Client Configuration Example
+# Generated by security hardening script
+
+# Add the following to your SNMP client configuration to connect to this server
+
+# SNMPv3 with authentication
+# Replace SERVER_IP with the IP address of this server
+snmpwalk -v 3 -u authOnlyUser -a MD5 -A "auth_pass_phrase" SERVER_IP
+
+# SNMPv3 with authentication and privacy
+# Replace SERVER_IP with the IP address of this server
+snmpwalk -v 3 -u authPrivUser -a SHA -A "auth_pass_phrase" -x DES -X "priv_pass_phrase" SERVER_IP
+EOF
+
+  log_message "SUCCESS" "SNMP client configuration example created at $snmp_client_conf"
+  
+  # Restart SNMP service
+  log_message "INFO" "Restarting SNMP service"
+  service enable snmpd
+  service restart snmpd
+  
+  if [ $? -eq 0 ]; then
+    log_message "SUCCESS" "SNMP service restarted successfully"
+  else
+    log_message "ERROR" "Failed to restart SNMP service"
+    return 1
+  fi
+}
+
+# Function to configure NRPE
+configure_nrpe() {
+  log_message "INFO" "Configuring NRPE monitoring"
+  
+  # Install NRPE if not already installed
+  if ! is_package_installed "nagios-nrpe-server"; then
+    log_message "INFO" "Installing NRPE and monitoring plugins"
+    apt-get install -y nagios-nrpe-server nagios-plugins nagios-nrpe-plugin
+    
+    if [ $? -ne 0 ]; then
+      log_message "ERROR" "Failed to install NRPE"
+      return 1
+    fi
+  else
+    log_message "INFO" "NRPE is already installed"
+  fi
+  
+  # Configure NRPE
+  local nrpe_conf="/etc/nagios/nrpe.conf"
+  
+  log_message "INFO" "Creating NRPE configuration"
+  backup_file "$nrpe_conf"
+  
+  cat > "$nrpe_conf" << EOF
+# NRPE Configuration
+# Generated by security hardening script
+
+# Log facility to use
+log_facility=daemon
+
+# Log level
+debug=0
+
+# Run as this user
+nrpe_user=nagios
+nrpe_group=nagios
+
+# NRPE port
+server_port=5666
+
+# NRPE server address (listen on all interfaces)
+server_address=0.0.0.0
+
+# Allow connections from these monitoring servers (replace with your Nagios server IP)
+allowed_hosts=127.0.0.1,NAGIOS_SERVER_IP
+
+# Connection restrictions
+dont_blame_nrpe=0
+allow_bash_command_substitution=0
+
+# Command timeout
+command_timeout=60
+connection_timeout=300
+
+# SSL/TLS options
+ssl_version=TLSv1.2+
+use_ssl=1
+
+# Command definitions
+
+# Basic system checks
+command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
+command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
+command[check_disk]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /
+command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
+command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 150 -c 200
+command[check_mem]=/usr/lib/nagios/plugins/check_mem -w 80 -c 90
+
+# Network checks
+command[check_ssh]=/usr/lib/nagios/plugins/check_ssh -p 2222 localhost
+command[check_http]=/usr/lib/nagios/plugins/check_http localhost
+command[check_ping]=/usr/lib/nagios/plugins/check_ping -H 8.8.8.8 -w 100.0,20% -c 500.0,60%
+
+# Service checks
+command[check_ntp]=/usr/lib/nagios/plugins/check_ntp_time -H pool.ntp.org -w 0.5 -c 1
+EOF
+
+  log_message "SUCCESS" "NRPE configuration created at $nrpe_conf"
+  
+  # Install memory check plugin if it doesn't exist
+  if [ ! -f "/usr/lib/nagios/plugins/check_mem" ]; then
+    log_message "INFO" "Installing memory check plugin for NRPE"
+    
+    cat > "/usr/lib/nagios/plugins/check_mem" << 'EOF'
+#!/bin/bash
+# Check memory usage plugin for Nagios
+
+# Defaults
+WARNING=80
+CRITICAL=90
+
+# Process arguments
+while getopts "w:c:" opt; do
+  case $opt in
+    w) WARNING=$OPTARG ;;
+    c) CRITICAL=$OPTARG ;;
+    *) echo "Usage: $0 -w warning_percent -c critical_percent"; exit 3 ;;
+  esac
+done
+
+# Get memory information
+MEM_TOTAL=$(free -m | grep "Mem:" | awk '{print $2}')
+MEM_FREE=$(free -m | grep "Mem:" | awk '{print $4+$6+$7}')
+MEM_USED=$((MEM_TOTAL - MEM_FREE))
+MEM_PERCENT=$((MEM_USED * 100 / MEM_TOTAL))
+
+# Perform check
+if [ $MEM_PERCENT -ge $CRITICAL ]; then
+  echo "CRITICAL - Memory usage: $MEM_PERCENT% ($MEM_USED MB of $MEM_TOTAL MB) | memory=$MEM_PERCENT%;$WARNING;$CRITICAL;0;100"
+  exit 2
+elif [ $MEM_PERCENT -ge $WARNING ]; then
+  echo "WARNING - Memory usage: $MEM_PERCENT% ($MEM_USED MB of $MEM_TOTAL MB) | memory=$MEM_PERCENT%;$WARNING;$CRITICAL;0;100"
+  exit 1
+else
+  echo "OK - Memory usage: $MEM_PERCENT% ($MEM_USED MB of $MEM_TOTAL MB) | memory=$MEM_PERCENT%;$WARNING;$CRITICAL;0;100"
+  exit 0
+fi
+EOF
+
+    chmod +x "/usr/lib/nagios/plugins/check_mem"
+    log_message "SUCCESS" "Memory check plugin installed for NRPE"
+  fi
+  
+  # Create NRPE setup documentation
+  local nrpe_doc="/root/nrpe-setup-documentation.txt"
+  
+  log_message "INFO" "Creating NRPE setup documentation"
+  
+  cat > "$nrpe_doc" << EOF
+# NRPE Setup Documentation
+# Generated by security hardening script
+
+To complete the NRPE setup:
+
+1. Edit the NRPE configuration file: $nrpe_conf
+   - Replace "NAGIOS_SERVER_IP" with the IP address of your Nagios server
+   - Add any additional custom commands you need
+
+2. Restart the NRPE service:
+   systemctl restart nagios-nrpe-server
+
+3. On your Nagios server, add this host with commands like:
+   check_nrpe -H SERVER_IP -c check_load
+   check_nrpe -H SERVER_IP -c check_disk
+   check_nrpe -H SERVER_IP -c check_mem
+
+4. Remember to open port 5666 in the firewall if you need to connect from a remote Nagios server:
+   ufw allow 5666/tcp
+
+5. Available commands:
+   - check_users: Checks number of logged-in users
+   - check_load: Checks system load
+   - check_disk: Checks disk usage
+   - check_zombie_procs: Checks for zombie processes
+   - check_total_procs: Checks total number of processes
+   - check_mem: Checks memory usage
+   - check_ssh: Checks SSH service
+   - check_http: Checks HTTP service
+   - check_ping: Checks network connectivity
+   - check_ntp: Checks NTP synchronization
+EOF
+
+  log_message "SUCCESS" "NRPE setup documentation created at $nrpe_doc"
+  
+  # Restart NRPE service
+  log_message "INFO" "Restarting NRPE service"
+  service enable nagios-nrpe-server
+  service restart nagios-nrpe-server
+  
+  if [ $? -eq 0 ]; then
+    log_message "SUCCESS" "NRPE service restarted successfully"
+  else
+    log_message "ERROR" "Failed to restart NRPE service"
+    return 1
+  fi
+}
+
+# Main execution for monitoring
+configure_snmp
+configure_nrpe
+
+log_message "SUCCESS" "Monitoring configuration completed"