Tips-Of-Mine/Hardening-Linux-Debian-Ubuntu
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Hardening-Linux-Debian-Ubuntu/modules/monitoring.sh
hcornet ecdf93e011
All checks were successful
Deployment Verification / deploy-and-test (push) Successful in 2m2s
Details
Update : check SNMP
2025-04-25 18:41:31 +02:00

316 lines
9.2 KiB
Bash
Raw Blame History

#!/bin/bash
# =============================================================================
# Monitoring configuration module (SNMP and NRPE)
# =============================================================================
# Set script directory
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# Source common functions and variables
source "./common.sh"
source "./custom/custom_snmp"
# Function to configure SNMP
configure_snmp() {
log_message "INFO" "Configuring SNMP monitoring"
# Install SNMP if not already installed
if ! is_package_installed "snmpd"; then
log_message "INFO" "Installing SNMP"
apt-get install -y snmpd snmp
if [ $? -ne 0 ]; then
log_message "ERROR" "Failed to install SNMP"
return 1
fi
else
log_message "INFO" "SNMP is already installed"
fi
# Configure SNMP
local snmpd_conf="/etc/snmp/snmpd.conf"
log_message "INFO" "Creating SNMP configuration"
backup_file "$snmpd_conf"
cat > "$snmpd_conf" << EOF
# SNMP Configuration
# Generated by security hardening script
# SECTION: Agent Operating Mode
# This section defines how the agent will operate when it is running.
# master: Should the agent operate as a master agent or not.
# Currently, the only supported master agent type for this token is "agentx".
master agentx
# Listen on localhost and specific network interface
agentAddress 127.0.0.1,[::1],$SNMP_AGENTADDRESS
# Information about this host
sysLocation "$SNMP_SYSLOCATION"
sysContact $SNMP_SYSCONTACT
sysName $SNMP_SYSDESCR
sysDescr "$SNMP_SYSDESCR"
# sysservices: The proper value for the sysServices object.
sysServices 72
# Authentication (replace with your own values)
# Format: user_name security_name auth_protocol auth_passphrase priv_protocol priv_passphrase
#createUser authOnlyUser MD5 "auth_pass_phrase"
#createUser authPrivUser SHA "auth_pass_phrase" DES "priv_pass_phrase"
# Grant access to SNMPv3 users
#rouser authOnlyUser auth
#rouser authPrivUser priv
rouser authPrivUser authpriv -V systemonly
# Views
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
# rocommunity: a SNMPv1/SNMPv2c read-only access community name
rocommunity public default -V systemonly
rocommunity6 public default -V systemonly
# Grant only system information to SNMPv3 users
#access grpAuthOnlyUser "" usm auth nopriv exact systemonly none none
#access grpAuthPrivUser "" usm auth priv exact systemonly none none
# Additional monitoring
# Load averages
#extend load /bin/cat /proc/loadavg
# Disk space
#extend dfspace /bin/df -P
# Disable older SNMP versions (only allow SNMPv3)
#disableSnmpv1d yes
#disableSnmpv2cd yes
# Logging
#authtrapenable 1
EOF
log_message "SUCCESS" "SNMP configuration created at $snmpd_conf"
# Create SNMP client configuration example
local snmp_client_conf="/root/snmp-client-example.txt"
log_message "INFO" "Creating SNMP client configuration example"
cat > "$snmp_client_conf" << EOF
# SNMP Client Configuration Example
# Generated by security hardening script
# Add the following to your SNMP client configuration to connect to this server
# SNMPv3 with authentication
# Replace SERVER_IP with the IP address of this server
snmpwalk -v 3 -u authOnlyUser -a MD5 -A "auth_pass_phrase" SERVER_IP
# SNMPv3 with authentication and privacy
# Replace SERVER_IP with the IP address of this server
snmpwalk -v 3 -u authPrivUser -a SHA -A "auth_pass_phrase" -x DES -X "priv_pass_phrase" SERVER_IP
EOF
log_message "SUCCESS" "SNMP client configuration example created at $snmp_client_conf"
# Restart SNMP service
log_message "INFO" "Restarting SNMP service"
service enable snmpd
service restart snmpd
if [ $? -eq 0 ]; then
log_message "SUCCESS" "SNMP service restarted successfully"
else
log_message "ERROR" "Failed to restart SNMP service"
return 1
fi
}
# Function to configure NRPE
configure_nrpe() {
log_message "INFO" "Configuring NRPE monitoring"
# Install NRPE if not already installed
if ! is_package_installed "nagios-nrpe-server"; then
log_message "INFO" "Installing NRPE and monitoring plugins"
apt-get install -y nagios-nrpe-server nagios-plugins nagios-nrpe-plugin
if [ $? -ne 0 ]; then
log_message "ERROR" "Failed to install NRPE"
return 1
fi
else
log_message "INFO" "NRPE is already installed"
fi
# Configure NRPE
local nrpe_conf="/etc/nagios/nrpe.conf"
log_message "INFO" "Creating NRPE configuration"
backup_file "$nrpe_conf"
cat > "$nrpe_conf" << EOF
# NRPE Configuration
# Generated by security hardening script
# Log facility to use
log_facility=daemon
# Log level
debug=0
# Run as this user
nrpe_user=nagios
nrpe_group=nagios
# NRPE port
server_port=5666
# NRPE server address (listen on all interfaces)
server_address=0.0.0.0
# Allow connections from these monitoring servers (replace with your Nagios server IP)
allowed_hosts=127.0.0.1,NAGIOS_SERVER_IP
# Connection restrictions
dont_blame_nrpe=0
allow_bash_command_substitution=0
# Command timeout
command_timeout=60
connection_timeout=300
# SSL/TLS options
ssl_version=TLSv1.2+
use_ssl=1
# Command definitions
# Basic system checks
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /
command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 150 -c 200
command[check_mem]=/usr/lib/nagios/plugins/check_mem -w 80 -c 90
# Network checks
command[check_ssh]=/usr/lib/nagios/plugins/check_ssh -p 2222 localhost
command[check_http]=/usr/lib/nagios/plugins/check_http localhost
command[check_ping]=/usr/lib/nagios/plugins/check_ping -H 8.8.8.8 -w 100.0,20% -c 500.0,60%
# Service checks
command[check_ntp]=/usr/lib/nagios/plugins/check_ntp_time -H pool.ntp.org -w 0.5 -c 1
EOF
log_message "SUCCESS" "NRPE configuration created at $nrpe_conf"
# Install memory check plugin if it doesn't exist
if [ ! -f "/usr/lib/nagios/plugins/check_mem" ]; then
log_message "INFO" "Installing memory check plugin for NRPE"
cat > "/usr/lib/nagios/plugins/check_mem" << 'EOF'
#!/bin/bash
# Check memory usage plugin for Nagios
# Defaults
WARNING=80
CRITICAL=90
# Process arguments
while getopts "w:c:" opt; do
case $opt in
w) WARNING=$OPTARG ;;
c) CRITICAL=$OPTARG ;;
*) echo "Usage: $0 -w warning_percent -c critical_percent"; exit 3 ;;
esac
done
# Get memory information
MEM_TOTAL=$(free -m | grep "Mem:" | awk '{print $2}')
MEM_FREE=$(free -m | grep "Mem:" | awk '{print $4+$6+$7}')
MEM_USED=$((MEM_TOTAL - MEM_FREE))
MEM_PERCENT=$((MEM_USED * 100 / MEM_TOTAL))
# Perform check
if [ $MEM_PERCENT -ge $CRITICAL ]; then
echo "CRITICAL - Memory usage: $MEM_PERCENT% ($MEM_USED MB of $MEM_TOTAL MB) | memory=$MEM_PERCENT%;$WARNING;$CRITICAL;0;100"
exit 2
elif [ $MEM_PERCENT -ge $WARNING ]; then
echo "WARNING - Memory usage: $MEM_PERCENT% ($MEM_USED MB of $MEM_TOTAL MB) | memory=$MEM_PERCENT%;$WARNING;$CRITICAL;0;100"
exit 1
else
echo "OK - Memory usage: $MEM_PERCENT% ($MEM_USED MB of $MEM_TOTAL MB) | memory=$MEM_PERCENT%;$WARNING;$CRITICAL;0;100"
exit 0
fi
EOF
chmod +x "/usr/lib/nagios/plugins/check_mem"
log_message "SUCCESS" "Memory check plugin installed for NRPE"
fi
# Create NRPE setup documentation
local nrpe_doc="/root/nrpe-setup-documentation.txt"
log_message "INFO" "Creating NRPE setup documentation"
cat > "$nrpe_doc" << EOF
# NRPE Setup Documentation
# Generated by security hardening script
To complete the NRPE setup:
1. Edit the NRPE configuration file: $nrpe_conf
- Replace "NAGIOS_SERVER_IP" with the IP address of your Nagios server
- Add any additional custom commands you need
2. Restart the NRPE service:
systemctl restart nagios-nrpe-server
3. On your Nagios server, add this host with commands like:
check_nrpe -H SERVER_IP -c check_load
check_nrpe -H SERVER_IP -c check_disk
check_nrpe -H SERVER_IP -c check_mem
4. Remember to open port 5666 in the firewall if you need to connect from a remote Nagios server:
ufw allow 5666/tcp
5. Available commands:
- check_users: Checks number of logged-in users
- check_load: Checks system load
- check_disk: Checks disk usage
- check_zombie_procs: Checks for zombie processes
- check_total_procs: Checks total number of processes
- check_mem: Checks memory usage
- check_ssh: Checks SSH service
- check_http: Checks HTTP service
- check_ping: Checks network connectivity
- check_ntp: Checks NTP synchronization
EOF
log_message "SUCCESS" "NRPE setup documentation created at $nrpe_doc"
# Restart NRPE service
log_message "INFO" "Restarting NRPE service"
service enable nagios-nrpe-server
service restart nagios-nrpe-server
if [ $? -eq 0 ]; then
log_message "SUCCESS" "NRPE service restarted successfully"
else
log_message "ERROR" "Failed to restart NRPE service"
return 1
fi
}
#
log_message "SCRIPT" "monitoring.sh"
# Main execution for monitoring
configure_snmp
configure_nrpe
log_message "SUCCESS" "Monitoring configuration completed"
Reference in New Issue View Git Blame Copy Permalink