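#!/bin/bash
# =============================================================================
# Monitoring configuration module (SNMP and NRPE)
#
# Installs and configures snmpd and the Nagios NRPE agent, writes operator
# notes under /root, and (re)starts both services.
#
# Helpers used but not defined here: log_message, is_package_installed,
# backup_file (expected to come from common.sh).
# Variables expanded into the generated files: SNMP_AGENTADDRESS,
# SNMP_SYSLOCATION, SNMP_SYSCONTACT, SNMP_SYSDESCR, NAGIOS_SERVER_IP
# (presumably set by the sourced custom files; confirm).
# =============================================================================

# Set script directory
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# Source common functions and variables
# NOTE(review): these paths resolve against the caller's working directory, not
# SCRIPT_DIR. This script installs packages and rewrites /etc, so it runs with
# root privileges; sourcing from whatever directory it was started in means a
# writable CWD decides which code runs. Anchor the paths to a trusted directory
# once the repository layout is confirmed.
source "./common.sh"
source "./custom/custom_snmp"
source "./custom/custom_monitoring"

#######################################
# Install snmpd if needed, write /etc/snmp/snmpd.conf and a client example,
# then enable and restart the service.
# Globals:   SNMP_AGENTADDRESS, SNMP_SYSLOCATION, SNMP_SYSCONTACT,
#            SNMP_SYSDESCR (read)
# Returns:   0 on success, 1 if installation or the restart fails
#######################################
configure_snmp() {
    log_message "INFO" "Configuring SNMP monitoring"

    # Install SNMP if not already installed
    if ! is_package_installed "snmpd"; then
        log_message "INFO" "Installing SNMP"
        if ! apt-get install -y snmpd snmp; then
            log_message "ERROR" "Failed to install SNMP"
            return 1
        fi
    else
        log_message "INFO" "SNMP is already installed"
    fi

    # Configure SNMP
    local snmpd_conf="/etc/snmp/snmpd.conf"

    log_message "INFO" "Creating SNMP configuration"
    backup_file "$snmpd_conf"

    # NOTE(review), security posture of the generated file:
    #  - "rocommunity public default" answers SNMPv1/v2c queries from any source
    #    address using the well-known community string. The view limits what is
    #    readable, but for a hardening script this should be an operator-chosen
    #    community restricted to the monitoring host, or removed once an
    #    SNMPv3 user exists.
    #  - "rouser authPrivUser" is active while every createUser line is
    #    commented out, so SNMPv3 is unusable until a user is created.
    #  - The createUser examples use MD5 and DES; prefer SHA with AES.
    #  - sysName is filled from SNMP_SYSDESCR, the same value as sysDescr;
    #    looks unintended, confirm which variable was meant.
    cat > "$snmpd_conf" << EOF
# SNMP Configuration
# Generated by security hardening script

# SECTION: Agent Operating Mode
#   This section defines how the agent will operate when it is running.

# master: Should the agent operate as a master agent or not.
#   Currently, the only supported master agent type for this token is "agentx".
master agentx

# Listen on localhost and specific network interface
agentAddress 127.0.0.1,[::1],$SNMP_AGENTADDRESS

# Information about this host
sysLocation "$SNMP_SYSLOCATION"
sysContact $SNMP_SYSCONTACT
sysName $SNMP_SYSDESCR
sysDescr "$SNMP_SYSDESCR"

# sysservices: The proper value for the sysServices object.
sysServices 72

# Authentication (replace with your own values)
# Format: user_name security_name auth_protocol auth_passphrase priv_protocol priv_passphrase
#createUser authOnlyUser MD5 "auth_pass_phrase"
#createUser authPrivUser SHA "auth_pass_phrase" DES "priv_pass_phrase"

# Grant access to SNMPv3 users
#rouser authOnlyUser auth
#rouser authPrivUser priv
rouser authPrivUser authpriv -V systemonly

# Views
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1

# rocommunity: a SNMPv1/SNMPv2c read-only access community name
rocommunity public default -V systemonly
rocommunity6 public default -V systemonly

# Grant only system information to SNMPv3 users
#access grpAuthOnlyUser "" usm auth nopriv exact systemonly none none
#access grpAuthPrivUser "" usm auth priv exact systemonly none none

# Additional monitoring
# Load averages
#extend load /bin/cat /proc/loadavg
# Disk space
#extend dfspace /bin/df -P

# Disable older SNMP versions (only allow SNMPv3)
#disableSnmpv1d yes
#disableSnmpv2cd yes

# Logging
#authtrapenable 1
EOF

    # The file carries community strings and, once filled in, user
    # passphrases: keep it readable by root only regardless of the umask.
    chmod 600 "$snmpd_conf"

    log_message "SUCCESS" "SNMP configuration created at $snmpd_conf"

    # Create SNMP client configuration example
    local snmp_client_conf="/root/snmp-client-example.txt"

    log_message "INFO" "Creating SNMP client configuration example"

    # NOTE(review): the examples below mirror the MD5/DES placeholders of the
    # server config; update both together if stronger algorithms are adopted.
    cat > "$snmp_client_conf" << EOF
# SNMP Client Configuration Example
# Generated by security hardening script

# Add the following to your SNMP client configuration to connect to this server

# SNMPv3 with authentication
# Replace SERVER_IP with the IP address of this server
snmpwalk -v 3 -u authOnlyUser -a MD5 -A "auth_pass_phrase" SERVER_IP

# SNMPv3 with authentication and privacy
# Replace SERVER_IP with the IP address of this server
snmpwalk -v 3 -u authPrivUser -a SHA -A "auth_pass_phrase" -x DES -X "priv_pass_phrase" SERVER_IP
EOF

    log_message "SUCCESS" "SNMP client configuration example created at $snmp_client_conf"

    # Restart SNMP service
    # The stock service(8) command expects "service NAME ACTION" and has no
    # "enable" action, so "service enable snmpd" / "service restart snmpd"
    # cannot work unless common.sh overrides `service`. systemctl is what the
    # generated NRPE documentation already tells operators to use.
    log_message "INFO" "Restarting SNMP service"
    if ! systemctl enable snmpd; then
        log_message "ERROR" "Failed to enable SNMP service at boot"
    fi

    if systemctl restart snmpd; then
        log_message "SUCCESS" "SNMP service restarted successfully"
    else
        log_message "ERROR" "Failed to restart SNMP service"
        return 1
    fi
}

#######################################
# Install NRPE if needed, write its configuration, install the check_mem
# plugin when missing, write setup notes, then enable and restart the service.
# Globals:   NAGIOS_SERVER_IP (read)
# Returns:   0 on success, 1 if installation or the restart fails
#######################################
configure_nrpe() {
    log_message "INFO" "Configuring NRPE monitoring"

    # Install NRPE if not already installed
    if ! is_package_installed "nagios-nrpe-server"; then
        log_message "INFO" "Installing NRPE and monitoring plugins"
        if ! apt-get install -y nagios-nrpe-server nagios-plugins nagios-nrpe-plugin; then
            log_message "ERROR" "Failed to install NRPE"
            return 1
        fi
    else
        log_message "INFO" "NRPE is already installed"
    fi

    # Configure NRPE
    # NOTE(review): Debian/Ubuntu packages of nagios-nrpe-server normally load
    # /etc/nagios/nrpe.cfg; confirm the daemon actually reads the path below,
    # otherwise none of these restrictions take effect.
    local nrpe_conf="/etc/nagios/nrpe.conf"

    log_message "INFO" "Creating NRPE configuration"
    backup_file "$nrpe_conf"

    # NOTE(review): server_address=0.0.0.0 exposes the agent on every
    # interface, so allowed_hosts and the host firewall are the only access
    # controls. An empty NAGIOS_SERVER_IP leaves a trailing comma in
    # allowed_hosts. dont_blame_nrpe=0 and allow_bash_command_substitution=0
    # keep remote command arguments disabled; leave them that way.
    cat > "$nrpe_conf" << EOF
# NRPE Configuration
# Generated by security hardening script

# Log facility to use
log_facility=daemon

# Log level
debug=0

# Run as this user
nrpe_user=nagios
nrpe_group=nagios

# NRPE port
server_port=5666

# NRPE server address (listen on all interfaces)
server_address=0.0.0.0

# Allow connections from these monitoring servers (replace with your Nagios server IP)
allowed_hosts=127.0.0.1,$NAGIOS_SERVER_IP

# Connection restrictions
dont_blame_nrpe=0
allow_bash_command_substitution=0

# Command timeout
command_timeout=60
connection_timeout=300

# SSL/TLS options
ssl_version=TLSv1.2+
use_ssl=1

# Command definitions
# Basic system checks
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /
command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 150 -c 200
command[check_mem]=/usr/lib/nagios/plugins/check_mem -w 80 -c 90

# Network checks
command[check_ssh]=/usr/lib/nagios/plugins/check_ssh -p 2222 localhost
command[check_http]=/usr/lib/nagios/plugins/check_http localhost
command[check_ping]=/usr/lib/nagios/plugins/check_ping -H 8.8.8.8 -w 100.0,20% -c 500.0,60%

# Service checks
command[check_ntp]=/usr/lib/nagios/plugins/check_ntp_time -H pool.ntp.org -w 0.5 -c 1
EOF

    log_message "SUCCESS" "NRPE configuration created at $nrpe_conf"

    # Install memory check plugin if it doesn't exist
    if [ ! -f "/usr/lib/nagios/plugins/check_mem" ]; then
        log_message "INFO" "Installing memory check plugin for NRPE"

        # The plugin reads /proc/meminfo instead of parsing `free -m` columns:
        # on current procps the 7th column is already "available", so adding
        # it to free and buff/cache counted reclaimable memory twice and could
        # report a negative usage. It also rejects non-numeric thresholds and
        # a zero total instead of failing inside the arithmetic.
        cat > "/usr/lib/nagios/plugins/check_mem" << 'EOF'
#!/bin/bash
# Check memory usage plugin for Nagios

# Defaults
WARNING=80
CRITICAL=90

# Process arguments
while getopts "w:c:" opt; do
    case $opt in
        w) WARNING=$OPTARG ;;
        c) CRITICAL=$OPTARG ;;
        *) echo "Usage: $0 -w warning_percent -c critical_percent"; exit 3 ;;
    esac
done

# Thresholds end up in integer comparisons; refuse anything else
if ! [[ "$WARNING" =~ ^[0-9]+$ && "$CRITICAL" =~ ^[0-9]+$ ]]; then
    echo "UNKNOWN - thresholds must be whole-number percentages"
    exit 3
fi

# Get memory information (values in /proc/meminfo are kB, reported here in MB)
# MemAvailable is preferred; older kernels fall back to free+buffers+cached
MEM_INFO=$(awk '
    /^MemTotal:/     { total = $2 }
    /^MemFree:/      { free = $2 }
    /^Buffers:/      { buffers = $2 }
    /^Cached:/       { cached = $2 }
    /^MemAvailable:/ { avail = $2; have_avail = 1 }
    END {
        if (!have_avail) avail = free + buffers + cached
        printf "%d %d\n", total / 1024, avail / 1024
    }' /proc/meminfo)
MEM_TOTAL=${MEM_INFO% *}
MEM_FREE=${MEM_INFO#* }

if ! [[ "$MEM_TOTAL" =~ ^[0-9]+$ && "$MEM_FREE" =~ ^[0-9]+$ ]] || [ "$MEM_TOTAL" -eq 0 ]; then
    echo "UNKNOWN - could not read memory totals from /proc/meminfo"
    exit 3
fi

MEM_USED=$((MEM_TOTAL - MEM_FREE))
MEM_PERCENT=$((MEM_USED * 100 / MEM_TOTAL))

# Perform check
if [ "$MEM_PERCENT" -ge "$CRITICAL" ]; then
    echo "CRITICAL - Memory usage: $MEM_PERCENT% ($MEM_USED MB of $MEM_TOTAL MB) | memory=$MEM_PERCENT%;$WARNING;$CRITICAL;0;100"
    exit 2
elif [ "$MEM_PERCENT" -ge "$WARNING" ]; then
    echo "WARNING - Memory usage: $MEM_PERCENT% ($MEM_USED MB of $MEM_TOTAL MB) | memory=$MEM_PERCENT%;$WARNING;$CRITICAL;0;100"
    exit 1
else
    echo "OK - Memory usage: $MEM_PERCENT% ($MEM_USED MB of $MEM_TOTAL MB) | memory=$MEM_PERCENT%;$WARNING;$CRITICAL;0;100"
    exit 0
fi
EOF

        # Explicit mode: `chmod +x` honours the umask, so under a restrictive
        # root umask the nagios user could not execute the plugin.
        chmod 755 "/usr/lib/nagios/plugins/check_mem"
        log_message "SUCCESS" "Memory check plugin installed for NRPE"
    fi

    # Create NRPE setup documentation
    local nrpe_doc="/root/nrpe-setup-documentation.txt"

    log_message "INFO" "Creating NRPE setup documentation"

    # NOTE(review): step 4 of the generated text opens port 5666 to every
    # source. Limiting the firewall rule to the Nagios server address would
    # match the allowed_hosts restriction in the NRPE configuration.
    cat > "$nrpe_doc" << EOF
# NRPE Setup Documentation
# Generated by security hardening script

To complete the NRPE setup:

1. Edit the NRPE configuration file: $nrpe_conf
   - Replace "NAGIOS_SERVER_IP" with the IP address of your Nagios server
   - Add any additional custom commands you need

2. Restart the NRPE service:
   systemctl restart nagios-nrpe-server

3. On your Nagios server, add this host with commands like:
   check_nrpe -H SERVER_IP -c check_load
   check_nrpe -H SERVER_IP -c check_disk
   check_nrpe -H SERVER_IP -c check_mem

4. Remember to open port 5666 in the firewall if you need to connect from a remote Nagios server:
   ufw allow 5666/tcp

5. Available commands:
   - check_users: Checks number of logged-in users
   - check_load: Checks system load
   - check_disk: Checks disk usage
   - check_zombie_procs: Checks for zombie processes
   - check_total_procs: Checks total number of processes
   - check_mem: Checks memory usage
   - check_ssh: Checks SSH service
   - check_http: Checks HTTP service
   - check_ping: Checks network connectivity
   - check_ntp: Checks NTP synchronization
EOF

    log_message "SUCCESS" "NRPE setup documentation created at $nrpe_doc"

    # Restart NRPE service (systemctl for the same reason as in configure_snmp:
    # the stock service(8) argument order is NAME then ACTION)
    log_message "INFO" "Restarting NRPE service"
    if ! systemctl enable nagios-nrpe-server; then
        log_message "ERROR" "Failed to enable NRPE service at boot"
    fi

    if systemctl restart nagios-nrpe-server; then
        log_message "SUCCESS" "NRPE service restarted successfully"
    else
        log_message "ERROR" "Failed to restart NRPE service"
        return 1
    fi
}

# log_message "SCRIPT" "monitoring.sh"

# Main execution for monitoring
# Track failures so a broken step is not followed by a SUCCESS line in the log.
monitoring_failed=0
configure_snmp || monitoring_failed=1
configure_nrpe || monitoring_failed=1

if [ "$monitoring_failed" -eq 0 ]; then
    log_message "SUCCESS" "Monitoring configuration completed"
else
    log_message "ERROR" "Monitoring configuration completed with errors"
fi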