diff --git a/README.md b/README.md index 4463dc9..3fdfdcd 100644 --- a/README.md +++ b/README.md @@ -2,25 +2,40 @@ This repository contains the KNEL server configuration management system implemented with the FetchApply framework. +**NOTE:** This is a one-time provisioning system. For ongoing configuration management, this will be replaced by: +- Ansible playbooks for configuration management +- Salt for system orchestration + ## Overview -The KNEL FetchApply system provides automated server provisioning, configuration, and security hardening for Linux servers. It uses the FetchApply framework to apply configurations based on server classes and hostnames. +The KNEL FetchApply system provides automated server provisioning for Linux servers. It uses the FetchApply framework to apply initial configurations and then serves as a foundation for migrating to Ansible/Salt-based management. ## Repository Structure ``` . -├── classes/ # Server classifications -│ ├── physical/ # Physical Dell servers -│ ├── virtual/ # Virtual machines -│ ├── librenms/ # LibreNMS monitoring servers -│ ├── database/ # Database servers -│ ├── webserver/ # Web servers -│ └── dev-workstation/ # Development workstations -├── initializers/ # One-time setup scripts -├── modules/ # Recurring maintenance modules -├── roles/ # Groups of related modules -└── variables # Global configuration variables +├── classes/ +│ └── server/ # Single class for all servers +│ ├── initializers # List of initializers to run +│ └── roles # List of roles to apply +├── initializers/ # One-time setup scripts +│ ├── system-setup/ # System detection and basic setup +│ ├── packages/ # Package installation with conditional logic +│ ├── oam/ # Operations and Maintenance setup +│ ├── system-config/ # System configuration files +│ ├── ssh-hardening/ # SSH security hardening +│ ├── ssh-keys/ # SSH authorized key deployment +│ ├── postfix/ # Email configuration +│ ├── 2fa/ # Two-factor authentication setup +│ ├── wazuh/ # Wazuh security monitoring +│ ├── security-hardening/ # SCAP/STIG compliance +│ ├── salt-client/ # Salt minion configuration +│ └── user-configuration/ # User shell settings +├── roles/ # Groups of related initializers +│ ├── security # Security-related initializers +│ └── monitoring # Monitoring-related initializers +├── modules/ # Placeholder for future Ansible modules +└── variables # Global configuration variables ``` ## Installation @@ -44,9 +59,9 @@ sudo bash /tmp/install --operations-repository-url=https://git.knownelement.com/ Once installed, FetchApply will automatically: -1. Detect the server type based on hostname and hardware characteristics -2. Apply the appropriate configuration modules and initializers -3. Maintain the system configuration with regular runs +1. Detect system characteristics (physical/virtual, OS, special hosts) +2. Run initializers in sequence to provision the server +3. Apply security hardening and configuration management setup You can also run FetchApply manually: @@ -54,80 +69,61 @@ You can also run FetchApply manually: sudo fa ``` -## Server Classes +## System Detection -Servers are automatically classified based on their characteristics: +The system automatically detects: -### Physical Servers (`physical`) +- **Physical vs Virtual** - Using dmidecode and virt-what +- **Operating System** - Ubuntu vs Kali detection +- **Special Hosts** - NTP servers, development workstations +- **User Accounts** - Detects localuser and subodev users +- **Raspberry Pi** - Hardware detection for RPi-specific configs -**Criteria:** Dell physical hardware detected via dmidecode +## Initializers -**Applied Modules:** -- System setup and package installation -- SSH hardening -- Security hardening -- OAM monitoring +### Core Setup +- **system-setup** - System detection and variable setup +- **packages** - Package installation with conditional logic (includes ansible-core, salt-minion, tailscale) +- **user-configuration** - Shell settings and user preferences -### Virtual Machines (`virtual`) +### Configuration +- **system-config** - Deploy system configuration files (SNMP, NTP, Cockpit, etc.) +- **ssh-hardening** - SSH security hardening +- **ssh-keys** - Deploy SSH authorized keys +- **postfix** - Configure email delivery +- **salt-client** - Configure Salt minion for configuration management -**Criteria:** KVM/Hyper-V guests detected via virt-what +### Security +- **2fa** - Set up Google Authenticator for 2FA +- **wazuh** - Deploy Wazuh security monitoring agent +- **security-hardening** - SCAP/STIG compliance hardening -**Applied Modules:** -- System setup and package installation -- SSH hardening -- Security hardening (virtual-optimized) -- OAM monitoring +### Monitoring +- **oam** - Operations and Maintenance tools (up2date script) -### LibreNMS Servers (`librenms`) +## Configuration Management Tools -**Criteria:** Hostname contains "tsys-librenms" +The system installs clients for future configuration management: -**Applied Modules:** -- Standard server configuration -- LibreNMS monitoring setup -- Security hardening - -### Development Workstations (`dev-workstation`) - -**Criteria:** Hostname matches "subopi-dev" or "CharlesDevServer" - -**Applied Modules:** -- Development tools and packages -- Less restrictive SSH configuration -- Security monitoring +- **Ansible Core** - Already installed for ad-hoc automation tasks +- **Salt Minion** - Configured and ready for Salt master connection +- **Tailscale** - VPN connectivity for secure remote access ## Security Features -The system includes comprehensive security hardening: - - SSH key-based authentication only -- 2FA support via Google Authenticator +- 2FA support via Google Authenticator (gradual rollout) - Wazuh security monitoring - SCAP/STIG compliance hardening -- Automated security updates +- AIDE file integrity monitoring -## Monitoring and Management +## Migration Path -- LibreNMS network monitoring integration -- Cockpit web-based management interface -- Comprehensive logging and audit trails -- SNMP monitoring configuration -- Performance monitoring tools +This system is designed as an initial provisioning step. Future migration plans: -## Configuration Templates - -Configuration files are managed using mustache templates (via `mo`) to allow for: -- Environment-specific customizations -- Dynamic variable substitution -- Class-based configuration variations - -## Maintenance - -The system is designed to be idempotent and can be safely re-run to: -- Restore configuration drift -- Apply security updates -- Add new servers to the fleet -- Standardize configurations across environments +1. **Ansible Playbooks** - Replace initializers with Ansible roles for configuration management +2. **Salt Configuration** - Use Salt master for ongoing configuration orchestration +3. **Vault Integration** - Centralized secrets management ## Troubleshooting @@ -137,10 +133,10 @@ For detailed status information: sudo fa status ``` -To run specific modules: +To run specific initializers: ```bash -sudo fa run +sudo fa run ``` To pause automatic runs during maintenance: @@ -162,4 +158,4 @@ sudo fa resume ## License -This project is licensed under the terms specified in the LICENSE file. \ No newline at end of file +This project is licensed under terms specified in the LICENSE file. \ No newline at end of file diff --git a/classes/database/initializers b/classes/database/initializers deleted file mode 100644 index efc97db..0000000 --- a/classes/database/initializers +++ /dev/null @@ -1,12 +0,0 @@ -# Initializers for database servers -system-setup -packages - -# Modules for database servers -oam -system-config -ssh-hardening - -# Roles for database servers -security -monitoring \ No newline at end of file diff --git a/classes/database/modules b/classes/database/modules deleted file mode 100644 index e55c089..0000000 --- a/classes/database/modules +++ /dev/null @@ -1,8 +0,0 @@ -# Modules for database servers -oam -system-config -ssh-hardening - -# Roles for database servers -security -monitoring \ No newline at end of file diff --git a/classes/database/roles b/classes/database/roles deleted file mode 100644 index cd098ad..0000000 --- a/classes/database/roles +++ /dev/null @@ -1,3 +0,0 @@ -# Roles for database servers -security -monitoring \ No newline at end of file diff --git a/classes/dev-workstation/initializers b/classes/dev-workstation/initializers deleted file mode 100644 index f1df166..0000000 --- a/classes/dev-workstation/initializers +++ /dev/null @@ -1,12 +0,0 @@ -# Initializers for development workstations -system-setup -packages - -# Modules for development workstations -oam -system-config -ssh-hardening - -# Roles for development workstations -security -monitoring \ No newline at end of file diff --git a/classes/dev-workstation/modules b/classes/dev-workstation/modules deleted file mode 100644 index 77670ee..0000000 --- a/classes/dev-workstation/modules +++ /dev/null @@ -1,8 +0,0 @@ -# Modules for development workstations -oam -system-config -ssh-hardening - -# Roles for development workstations -security -monitoring \ No newline at end of file diff --git a/classes/dev-workstation/roles b/classes/dev-workstation/roles deleted file mode 100644 index 062b990..0000000 --- a/classes/dev-workstation/roles +++ /dev/null @@ -1,3 +0,0 @@ -# Roles for development workstations -security -monitoring \ No newline at end of file diff --git a/classes/dev-workstation/variables b/classes/dev-workstation/variables deleted file mode 100644 index e69de29..0000000 diff --git a/classes/librenms/initializers b/classes/librenms/initializers deleted file mode 100644 index 82745db..0000000 --- a/classes/librenms/initializers +++ /dev/null @@ -1,13 +0,0 @@ -# Initializers for LibreNMS servers -system-setup -packages - -# Modules for LibreNMS servers -oam -system-config -ssh-hardening -librenms-agent - -# Roles for LibreNMS servers -security -monitoring \ No newline at end of file diff --git a/classes/librenms/modules b/classes/librenms/modules deleted file mode 100644 index e69de29..0000000 diff --git a/classes/librenms/roles b/classes/librenms/roles deleted file mode 100644 index e69de29..0000000 diff --git a/classes/librenms/variables b/classes/librenms/variables deleted file mode 100644 index e69de29..0000000 diff --git a/classes/ntp-server/initializers b/classes/ntp-server/initializers deleted file mode 100644 index 955cd9a..0000000 --- a/classes/ntp-server/initializers +++ /dev/null @@ -1,12 +0,0 @@ -# Initializers for NTP servers -system-setup -packages - -# Modules for NTP servers -oam -system-config -ssh-hardening - -# Roles for NTP servers -security -monitoring \ No newline at end of file diff --git a/classes/ntp-server/modules b/classes/ntp-server/modules deleted file mode 100644 index 661e78b..0000000 --- a/classes/ntp-server/modules +++ /dev/null @@ -1,8 +0,0 @@ -# Modules for NTP servers -oam -system-config -ssh-hardening - -# Roles for NTP servers -security -monitoring \ No newline at end of file diff --git a/classes/ntp-server/roles b/classes/ntp-server/roles deleted file mode 100644 index f7c721e..0000000 --- a/classes/ntp-server/roles +++ /dev/null @@ -1,3 +0,0 @@ -# Roles for NTP servers -security -monitoring \ No newline at end of file diff --git a/classes/ntp-server/variables b/classes/ntp-server/variables deleted file mode 100644 index e69de29..0000000 diff --git a/classes/physical/initializers b/classes/physical/initializers deleted file mode 100644 index 26260e2..0000000 --- a/classes/physical/initializers +++ /dev/null @@ -1,12 +0,0 @@ -# Initializers for physical servers -system-setup -packages - -# Modules for physical servers -oam -system-config -ssh-hardening - -# Roles for physical servers -security -monitoring \ No newline at end of file diff --git a/classes/physical/modules b/classes/physical/modules deleted file mode 100644 index 728ddaa..0000000 --- a/classes/physical/modules +++ /dev/null @@ -1,8 +0,0 @@ -# Modules for physical servers -oam -system-config -ssh-hardening - -# Roles for physical servers -security -monitoring \ No newline at end of file diff --git a/classes/physical/roles b/classes/physical/roles deleted file mode 100644 index c458a53..0000000 --- a/classes/physical/roles +++ /dev/null @@ -1,3 +0,0 @@ -# Roles for physical servers -security -monitoring \ No newline at end of file diff --git a/classes/physical/variables b/classes/physical/variables deleted file mode 100644 index e69de29..0000000 diff --git a/classes/server/initializers b/classes/server/initializers new file mode 100644 index 0000000..eea2f66 --- /dev/null +++ b/classes/server/initializers @@ -0,0 +1,17 @@ +# Initializers for all servers (one-time provisioning) +system-setup +packages +oam +system-config +ssh-hardening +ssh-keys +postfix +2fa +wazuh +security-hardening +salt-client +user-configuration + +# Roles for all servers +security +monitoring \ No newline at end of file diff --git a/classes/server/roles b/classes/server/roles new file mode 100644 index 0000000..d7b2412 --- /dev/null +++ b/classes/server/roles @@ -0,0 +1,3 @@ +# Roles for all servers +security +monitoring \ No newline at end of file diff --git a/classes/virtual/initializers b/classes/virtual/initializers deleted file mode 100644 index e69de29..0000000 diff --git a/classes/virtual/modules b/classes/virtual/modules deleted file mode 100644 index 713fa51..0000000 --- a/classes/virtual/modules +++ /dev/null @@ -1,5 +0,0 @@ -# Modules for virtual servers -oam -system-config -ssh-hardening -security-hardening \ No newline at end of file diff --git a/classes/virtual/roles b/classes/virtual/roles deleted file mode 100644 index f5a6d2f..0000000 --- a/classes/virtual/roles +++ /dev/null @@ -1,3 +0,0 @@ -# Roles for virtual servers -security -monitoring \ No newline at end of file diff --git a/classes/virtual/variables b/classes/virtual/variables deleted file mode 100644 index e69de29..0000000 diff --git a/classes/webserver/initializers b/classes/webserver/initializers deleted file mode 100644 index 91c3398..0000000 --- a/classes/webserver/initializers +++ /dev/null @@ -1,12 +0,0 @@ -# Initializers for web servers -system-setup -packages - -# Modules for web servers -oam -system-config -ssh-hardening - -# Roles for web servers -security -monitoring \ No newline at end of file diff --git a/classes/webserver/modules b/classes/webserver/modules deleted file mode 100644 index f7b0d95..0000000 --- a/classes/webserver/modules +++ /dev/null @@ -1,8 +0,0 @@ -# Modules for web servers -oam -system-config -ssh-hardening - -# Roles for web servers -security -monitoring \ No newline at end of file diff --git a/classes/webserver/roles b/classes/webserver/roles deleted file mode 100644 index 382e43b..0000000 --- a/classes/webserver/roles +++ /dev/null @@ -1,3 +0,0 @@ -# Roles for web servers -security -monitoring \ No newline at end of file diff --git a/classes/webserver/variables b/classes/webserver/variables deleted file mode 100644 index e69de29..0000000 diff --git a/initializers/2fa/apply b/initializers/2fa/apply new file mode 100755 index 0000000..d894119 --- /dev/null +++ b/initializers/2fa/apply @@ -0,0 +1,33 @@ +#!/bin/bash + +# KNEL 2FA Module +# Configures two-factor authentication via Google Authenticator + +set -euo pipefail + +echo "Running 2FA module..." + +# Install Google Authenticator for PAM +DEBIAN_FRONTEND="noninteractive" apt-get -y install \ + libpam-google-authenticator \ + qrencode + +# Configure PAM for SSH with 2FA (use nullok for gradual rollout) +if [[ -f ./configs/sshd-pam ]]; then + cp ./configs/sshd-pam /etc/pam.d/sshd +fi + +# Configure SSH to allow challenge-response authentication +if [[ -f ./configs/sshd-2fa-config ]]; then + # Backup existing config + cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup + + # Add 2FA settings to SSH config + cat ./configs/sshd-2fa-config >> /etc/ssh/sshd_config +fi + +# Restart SSH service +systemctl restart ssh + +echo "2FA module completed" +echo "Note: Users must run 'google-authenticator' to set up their 2FA tokens" \ No newline at end of file diff --git a/initializers/oam/apply b/initializers/oam/apply new file mode 100755 index 0000000..9a1314d --- /dev/null +++ b/initializers/oam/apply @@ -0,0 +1,16 @@ +#!/bin/bash + +# KNEL OAM Initializer +# Sets up Operations and Maintenance tools + +set -euo pipefail + +echo "Running OAM initializer..." + +# Setup up2date script +if [[ -f ./scripts/up2date.sh ]]; then + cp ./scripts/up2date.sh /usr/local/bin/up2date.sh + chmod +x /usr/local/bin/up2date.sh +fi + +echo "OAM initializer completed" \ No newline at end of file diff --git a/initializers/oam/librenms/check_mk.socket b/initializers/oam/librenms/check_mk.socket new file mode 100644 index 0000000..02760ff --- /dev/null +++ b/initializers/oam/librenms/check_mk.socket @@ -0,0 +1,9 @@ +[Unit] +Description=Check_MK LibreNMS Agent Socket + +[Socket] +ListenStream=6556 +Accept=yes + +[Install] +WantedBy=sockets.target diff --git a/initializers/oam/librenms/check_mk@.service b/initializers/oam/librenms/check_mk@.service new file mode 100644 index 0000000..bea7144 --- /dev/null +++ b/initializers/oam/librenms/check_mk@.service @@ -0,0 +1,7 @@ +[Unit] +Description=Check_MK LibreNMS Agent Service +After=network.target + +[Service] +ExecStart=/usr/bin/check_mk_agent +StandardOutput=socket diff --git a/initializers/oam/librenms/check_mk_agent b/initializers/oam/librenms/check_mk_agent new file mode 100644 index 0000000..6b6e03a --- /dev/null +++ b/initializers/oam/librenms/check_mk_agent @@ -0,0 +1,659 @@ +#!/bin/bash +# +------------------------------------------------------------------+ +# | ____ _ _ __ __ _ __ | +# | / ___| |__ ___ ___| | __ | \/ | |/ / | +# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / | +# | | |___| | | | __/ (__| < | | | | . \ | +# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ | +# | | +# | Copyright Mathias Kettner 2014 mk@mathias-kettner.de | +# +------------------------------------------------------------------+ +# +# This file is part of Check_MK. +# The official homepage is at http://mathias-kettner.de/check_mk. +# +# check_mk is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation in version 2. check_mk is distributed +# in the hope that it will be useful, but WITHOUT ANY WARRANTY; with- +# out even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. See the GNU General Public License for more de- +# ails. You should have received a copy of the GNU General Public +# License along with GNU Make; see the file COPYING. If not, write +# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, +# Boston, MA 02110-1301 USA. + +# Remove locale settings to eliminate localized outputs where possible +export LC_ALL=C +unset LANG + +export MK_LIBDIR="/usr/lib/check_mk_agent" +export MK_CONFDIR="/etc/check_mk" +export MK_VARDIR="/var/lib/check_mk_agent" + +# Provide information about the remote host. That helps when data +# is being sent only once to each remote host. +if [ "$REMOTE_HOST" ] ; then + export REMOTE=$REMOTE_HOST +elif [ "$SSH_CLIENT" ] ; then + export REMOTE=${SSH_CLIENT%% *} +fi + +# Make sure, locally installed binaries are found +PATH=$PATH:/usr/local/bin + +# All executables in PLUGINSDIR will simply be executed and their +# ouput appended to the output of the agent. Plugins define their own +# sections and must output headers with '<<<' and '>>>' +PLUGINSDIR=$MK_LIBDIR/plugins + +# All executables in LOCALDIR will by executabled and their +# output inserted into the section <<>>. Please +# refer to online documentation for details about local checks. +LOCALDIR=$MK_LIBDIR/local + +# All files in SPOOLDIR will simply appended to the agent +# output if they are not outdated (see below) +SPOOLDIR=$MK_VARDIR/spool + +# close standard input (for security reasons) and stderr +if [ "$1" = -d ] +then + set -xv +else + exec /dev/null +fi + +# Runs a command asynchronous by use of a cache file +function run_cached () { + local section= + if [ "$1" = -s ] ; then local section="echo '<<<$2>>>' ; " ; shift ; fi + local NAME=$1 + local MAXAGE=$2 + shift 2 + local CMDLINE="$section$@" + + if [ ! -d $MK_VARDIR/cache ]; then mkdir -p $MK_VARDIR/cache ; fi + CACHEFILE="$MK_VARDIR/cache/$NAME.cache" + + # Check if the creation of the cache takes suspiciously long and return + # nothing if the age (access time) of $CACHEFILE.new is twice the MAXAGE + local NOW=$(date +%s) + if [ -e "$CACHEFILE.new" ] ; then + local CF_ATIME=$(stat -c %X "$CACHEFILE.new") + if [ $((NOW - CF_ATIME)) -ge $((MAXAGE * 2)) ] ; then + # Kill the process still accessing that file in case + # it is still running. This avoids overlapping processes! + fuser -k -9 "$CACHEFILE.new" >/dev/null 2>&1 + rm -f "$CACHEFILE.new" + return + fi + fi + + # Check if cache file exists and is recent enough + if [ -s "$CACHEFILE" ] ; then + local MTIME=$(stat -c %Y "$CACHEFILE") + if [ $((NOW - MTIME)) -le $MAXAGE ] ; then local USE_CACHEFILE=1 ; fi + # Output the file in any case, even if it is + # outdated. The new file will not yet be available + cat "$CACHEFILE" + fi + + # Cache file outdated and new job not yet running? Start it + if [ -z "$USE_CACHEFILE" -a ! -e "$CACHEFILE.new" ] ; then + echo "set -o noclobber ; exec > \"$CACHEFILE.new\" || exit 1 ; $CMDLINE && mv \"$CACHEFILE.new\" \"$CACHEFILE\" || rm -f \"$CACHEFILE\" \"$CACHEFILE.new\"" | nohup bash >/dev/null 2>&1 & + fi +} + +# Make run_cached available for subshells (plugins, local checks, etc.) +export -f run_cached + +echo '<<>>' +echo Version: 1.2.6b5 +echo AgentOS: linux +echo AgentDirectory: $MK_CONFDIR +echo DataDirectory: $MK_VARDIR +echo SpoolDirectory: $SPOOLDIR +echo PluginsDirectory: $PLUGINSDIR +echo LocalDirectory: $LOCALDIR + +# If we are called via xinetd, try to find only_from configuration +if [ -n "$REMOTE_HOST" ] +then + echo -n 'OnlyFrom: ' + echo $(sed -n '/^service[[:space:]]*check_mk/,/}/s/^[[:space:]]*only_from[[:space:]]*=[[:space:]]*\(.*\)/\1/p' /etc/xinetd.d/* | head -n1) +fi + +# Print out Partitions / Filesystems. (-P gives non-wrapped POSIXed output) +# Heads up: NFS-mounts are generally supressed to avoid agent hangs. +# If hard NFS mounts are configured or you have too large nfs retry/timeout +# settings, accessing those mounts from the agent would leave you with +# thousands of agent processes and, ultimately, a dead monitored system. +# These should generally be monitored on the NFS server, not on the clients. + +echo '<<>>' +# The exclusion list is getting a bit of a problem. -l should hide any remote FS but seems +# to be all but working. +excludefs="-x smbfs -x cifs -x iso9660 -x udf -x nfsv4 -x nfs -x mvfs -x zfs" +df -PTlk $excludefs | sed 1d + +# df inodes information +echo '<<>>' +echo '[df_inodes_start]' +df -PTli $excludefs | sed 1d +echo '[df_inodes_end]' + +# Filesystem usage for ZFS +if type zfs > /dev/null 2>&1 ; then + echo '<<>>' + zfs get -Hp name,quota,used,avail,mountpoint,type -t filesystem,volume || \ + zfs get -Hp name,quota,used,avail,mountpoint,type + echo '[df]' + df -PTlk -t zfs | sed 1d +fi + +# Check NFS mounts by accessing them with stat -f (System +# call statfs()). If this lasts more then 2 seconds we +# consider it as hanging. We need waitmax. +if type waitmax >/dev/null +then + STAT_VERSION=$(stat --version | head -1 | cut -d" " -f4) + STAT_BROKE="5.3.0" + + echo '<<>>' + sed -n '/ nfs4\? /s/[^ ]* \([^ ]*\) .*/\1/p' < /proc/mounts | + sed 's/\\040/ /g' | + while read MP + do + if [ $STAT_VERSION != $STAT_BROKE ]; then + waitmax -s 9 2 stat -f -c "$MP ok %b %f %a %s" "$MP" || \ + echo "$MP hanging 0 0 0 0" + else + waitmax -s 9 2 stat -f -c "$MP ok %b %f %a %s" "$MP" && \ + printf '\n'|| echo "$MP hanging 0 0 0 0" + fi + done + + echo '<<>>' + sed -n '/ cifs\? /s/[^ ]* \([^ ]*\) .*/\1/p' < /proc/mounts | + sed 's/\\040/ /g' | + while read MP + do + if [ $STAT_VERSION != $STAT_BROKE ]; then + waitmax -s 9 2 stat -f -c "$MP ok %b %f %a %s" "$MP" || \ + echo "$MP hanging 0 0 0 0" + else + waitmax -s 9 2 stat -f -c "$MP ok %b %f %a %s" "$MP" && \ + printf '\n'|| echo "$MP hanging 0 0 0 0" + fi + done +fi + +# Check mount options. Filesystems may switch to 'ro' in case +# of a read error. +echo '<<>>' +grep ^/dev < /proc/mounts + +# processes including username, without kernel processes +echo '<<>>' +ps ax -o user,vsz,rss,cputime,pid,command --columns 10000 | sed -e 1d -e 's/ *\([^ ]*\) *\([^ ]*\) *\([^ ]*\) *\([^ ]*\) *\([^ ]*\) */(\1,\2,\3,\4,\5) /' + +# Memory usage +echo '<<>>' +egrep -v '^Swap:|^Mem:|total:' < /proc/meminfo + +# Load and number of processes +echo '<<>>' +echo "$(cat /proc/loadavg) $(grep -E '^CPU|^processor' < /proc/cpuinfo | wc -l)" + +# Uptime +echo '<<>>' +cat /proc/uptime + + +# New variant: Information about speed and state in one section +echo '<<>>' +sed 1,2d /proc/net/dev +if type ethtool > /dev/null +then + for eth in $(sed -e 1,2d < /proc/net/dev | cut -d':' -f1 | sort) + do + echo "[$eth]" + ethtool $eth | egrep '(Speed|Duplex|Link detected|Auto-negotiation):' + echo -en "\tAddress: " ; cat /sys/class/net/$eth/address ; echo + done +fi + + +# Current state of bonding interfaces +if [ -e /proc/net/bonding ] ; then + echo '<<>>' + pushd /proc/net/bonding > /dev/null ; head -v -n 1000 * ; popd +fi + +# Same for Open vSwitch bonding +if type ovs-appctl > /dev/null ; then + echo '<<>>' + for bond in $(ovs-appctl bond/list | sed -e 1d | cut -f2) ; do + echo "[$bond]" + ovs-appctl bond/show $bond + done +fi + + +# Number of TCP connections in the various states +echo '<<>>' +# waitmax 10 netstat -nt | awk ' /^tcp/ { c[$6]++; } END { for (x in c) { print x, c[x]; } }' +# New implementation: netstat is very slow for large TCP tables +cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | awk ' /:/ { c[$4]++; } END { for (x in c) { print x, c[x]; } }' + +# Linux Multipathing +if type multipath >/dev/null ; then + echo '<<>>' + multipath -l +fi + +# Performancecounter Platten +echo '<<>>' +date +%s +egrep ' (x?[shv]d[a-z]*|cciss/c[0-9]+d[0-9]+|emcpower[a-z]+|dm-[0-9]+|VxVM.*|mmcblk.*) ' < /proc/diskstats +if type dmsetup >/dev/null ; then + echo '[dmsetup_info]' + dmsetup info -c --noheadings --separator ' ' -o name,devno,vg_name,lv_name +fi +if [ -d /dev/vx/dsk ] ; then + echo '[vx_dsk]' + stat -c "%t %T %n" /dev/vx/dsk/*/* +fi + + +# Performancecounter Kernel +echo '<<>>' +date +%s +cat /proc/vmstat /proc/stat + +# Hardware sensors via IPMI (need ipmitool) +if type ipmitool > /dev/null +then + run_cached -s ipmi 300 "ipmitool sensor list | grep -v 'command failed' | sed -e 's/ *| */|/g' -e 's/ /_/g' -e 's/_*"'$'"//' -e 's/|/ /g' | egrep -v '^[^ ]+ na ' | grep -v ' discrete '" +fi + + +# IPMI data via ipmi-sensors (of freeipmi). Please make sure, that if you +# have installed freeipmi that IPMI is really support by your hardware. +if type ipmi-sensors >/dev/null +then + echo '<<>>' + # Newer ipmi-sensors version have new output format; Legacy format can be used + if ipmi-sensors --help | grep -q legacy-output; then + IPMI_FORMAT="--legacy-output" + else + IPMI_FORMAT="" + fi + # At least with ipmi-sensoirs 0.7.16 this group is Power_Unit instead of "Power Unit" + run_cached -s ipmi_sensors 300 "for class in Temperature Power_Unit Fan + do + ipmi-sensors $IPMI_FORMAT --sdr-cache-directory /var/cache -g "$class" | sed -e 's/ /_/g' -e 's/:_\?/ /g' -e 's@ \([^(]*\)_(\([^)]*\))@ \2_\1@' + # In case of a timeout immediately leave loop. + if [ $? = 255 ] ; then break ; fi + done" +fi + +# RAID status of Linux software RAID +echo '<<>>' +cat /proc/mdstat + +# RAID status of Linux RAID via device mapper +if type dmraid >/dev/null && DMSTATUS=$(dmraid -r) +then + echo '<<>>' + + # Output name and status + dmraid -s | grep -e ^name -e ^status + + # Output disk names of the RAID disks + DISKS=$(echo "$DMSTATUS" | cut -f1 -d\:) + + for disk in $DISKS ; do + device=$(cat /sys/block/$(basename $disk)/device/model ) + status=$(echo "$DMSTATUS" | grep ^${disk}) + echo "$status Model: $device" + done +fi + +# RAID status of LSI controllers via cfggen +if type cfggen > /dev/null ; then + echo '<<>>' + cfggen 0 DISPLAY | egrep '(Target ID|State|Volume ID|Status of volume)[[:space:]]*:' | sed -e 's/ *//g' -e 's/:/ /' +fi + +# RAID status of LSI MegaRAID controller via MegaCli. You can download that tool from: +# http://www.lsi.com/downloads/Public/MegaRAID%20Common%20Files/8.02.16_MegaCLI.zip +if type MegaCli >/dev/null ; then + MegaCli_bin="MegaCli" +elif type MegaCli64 >/dev/null ; then + MegaCli_bin="MegaCli64" +elif type megacli >/dev/null ; then + MegaCli_bin="megacli" +else + MegaCli_bin="unknown" +fi + +if [ "$MegaCli_bin" != "unknown" ]; then + echo '<<>>' + for part in $($MegaCli_bin -EncInfo -aALL -NoLog < /dev/null \ + | sed -rn 's/:/ /g; s/[[:space:]]+/ /g; s/^ //; s/ $//; s/Number of enclosures on adapter ([0-9]+).*/adapter \1/g; /^(Enclosure|Device ID|adapter) [0-9]+$/ p'); do + [ $part = adapter ] && echo "" + [ $part = 'Enclosure' ] && echo -ne "\ndev2enc" + echo -n " $part" + done + echo + $MegaCli_bin -PDList -aALL -NoLog < /dev/null | egrep 'Enclosure|Raw Size|Slot Number|Device Id|Firmware state|Inquiry|Adapter' + echo '<<>>' + $MegaCli_bin -LDInfo -Lall -aALL -NoLog < /dev/null | egrep 'Size|State|Number|Adapter|Virtual' + echo '<<>>' + $MegaCli_bin -AdpBbuCmd -GetBbuStatus -aALL -NoLog < /dev/null | grep -v Exit +fi + +# RAID status of 3WARE disk controller (by Radoslaw Bak) +if type tw_cli > /dev/null ; then + for C in $(tw_cli show | awk 'NR < 4 { next } { print $1 }'); do + echo '<<<3ware_info>>>' + tw_cli /$C show all | egrep 'Model =|Firmware|Serial' + echo '<<<3ware_disks>>>' + tw_cli /$C show drivestatus | egrep 'p[0-9]' | sed "s/^/$C\//" + echo '<<<3ware_units>>>' + tw_cli /$C show unitstatus | egrep 'u[0-9]' | sed "s/^/$C\//" + done +fi + +# RAID controllers from areca (Taiwan) +# cli64 can be found at ftp://ftp.areca.com.tw/RaidCards/AP_Drivers/Linux/CLI/ +if type cli64 >/dev/null ; then + run_cached -s arc_raid_status 300 "cli64 rsf info | tail -n +3 | head -n -2" +fi + +# VirtualBox Guests. Section must always been output. Otherwise the +# check would not be executed in case no guest additions are installed. +# And that is something the check wants to detect +echo '<<>>' +if type VBoxControl >/dev/null 2>&1 ; then + VBoxControl -nologo guestproperty enumerate | cut -d, -f1,2 + [ ${PIPESTATUS[0]} = 0 ] || echo "ERROR" +fi + +# OpenVPN Clients. Currently we assume that the configuration # is in +# /etc/openvpn. We might find a safer way to find the configuration later. +if [ -e /etc/openvpn/openvpn-status.log ] ; then + echo '<<>>' + sed -n -e '/CLIENT LIST/,/ROUTING TABLE/p' < /etc/openvpn/openvpn-status.log | sed -e 1,3d -e '$d' +fi + +# Time synchronization with NTP +if type ntpq > /dev/null 2>&1 ; then + # remove heading, make first column space separated + run_cached -s ntp 30 "waitmax 5 ntpq -np | sed -e 1,2d -e 's/^\(.\)/\1 /' -e 's/^ /%/'" +fi + +# Time synchronization with Chrony +if type chronyc > /dev/null 2>&1 ; then + # Force successful exit code. Otherwise section will be missing if daemon not running + run_cached -s chrony 30 "waitmax 5 chronyc tracking || true" +fi + +if type nvidia-settings >/dev/null && [ -S /tmp/.X11-unix/X0 ] +then + echo '<<>>' + for var in GPUErrors GPUCoreTemp + do + DISPLAY=:0 waitmax 2 nvidia-settings -t -q $var | sed "s/^/$var: /" + done +fi + +if [ -e /proc/drbd ]; then + echo '<<>>' + cat /proc/drbd +fi + +# Status of CUPS printer queues +if type lpstat > /dev/null 2>&1; then + if pgrep cups > /dev/null 2>&1; then + echo '<<>>' + CPRINTCONF=/etc/cups/printers.conf + if [ -r "$CPRINTCONF" ] ; then + LOCAL_PRINTERS=$(grep -E "<(Default)?Printer .*>" $CPRINTCONF | awk '{print $2}' | sed -e 's/>//') + lpstat -p | while read LINE + do + PRINTER=$(echo $LINE | awk '{print $2}') + if echo "$LOCAL_PRINTERS" | grep -q "$PRINTER"; then + echo $LINE + fi + done + echo '---' + lpstat -o | while read LINE + do + PRINTER=${LINE%%-*} + if echo "$LOCAL_PRINTERS" | grep -q "$PRINTER"; then + echo $LINE + fi + done + else + lpstat -p + echo '---' + lpstat -o | sort + fi + fi +fi + +# Heartbeat monitoring +# Different handling for heartbeat clusters with and without CRM +# for the resource state +if [ -S /var/run/heartbeat/crm/cib_ro -o -S /var/run/crm/cib_ro ] || pgrep crmd > /dev/null 2>&1; then + echo '<<>>' + crm_mon -1 -r | grep -v ^$ | sed 's/^ //; /^\sResource Group:/,$ s/^\s//; s/^\s/_/g' +fi +if type cl_status > /dev/null 2>&1; then + echo '<<>>' + cl_status rscstatus + + echo '<<>>' + for NODE in $(cl_status listnodes); do + if [ $NODE != $(echo $HOSTNAME | tr 'A-Z' 'a-z') ]; then + STATUS=$(cl_status nodestatus $NODE) + echo -n "$NODE $STATUS" + for LINK in $(cl_status listhblinks $NODE 2>/dev/null); do + echo -n " $LINK $(cl_status hblinkstatus $NODE $LINK)" + done + echo + fi + done +fi + +# Postfix mailqueue monitoring +# +# Only handle mailq when postfix user is present. The mailq command is also +# available when postfix is not installed. But it produces different outputs +# which are not handled by the check at the moment. So try to filter out the +# systems not using postfix by searching for the postfix user.a +# +# Cannot take the whole outout. This could produce several MB of agent output +# on blocking queues. +# Only handle the last 6 lines (includes the summary line at the bottom and +# the last message in the queue. The last message is not used at the moment +# but it could be used to get the timestamp of the last message. +if type postconf >/dev/null ; then + echo '<<>>' + postfix_queue_dir=$(postconf -h queue_directory) + postfix_count=$(find $postfix_queue_dir/deferred -type f | wc -l) + postfix_size=$(du -ks $postfix_queue_dir/deferred | awk '{print $1 }') + if [ $postfix_count -gt 0 ] + then + echo -- $postfix_size Kbytes in $postfix_count Requests. + else + echo Mail queue is empty + fi +elif [ -x /usr/sbin/ssmtp ] ; then + echo '<<>>' + mailq 2>&1 | sed 's/^[^:]*: \(.*\)/\1/' | tail -n 6 +fi + +#Check status of qmail mailqueue +if type qmail-qstat >/dev/null +then + echo "<<>>" + qmail-qstat +fi + +# Check status of OMD sites +if type omd >/dev/null +then + run_cached -s omd_status 60 "omd status --bare --auto" +fi + + +# Welcome the ZFS check on Linux +# We do not endorse running ZFS on linux if your vendor doesnt support it ;) +# check zpool status +if type zpool >/dev/null; then + echo "<<>>" + zpool status -x +fi + + +# Fileinfo-Check: put patterns for files into /etc/check_mk/fileinfo.cfg +if [ -r "$MK_CONFDIR/fileinfo.cfg" ] ; then + echo '<<>>' + date +%s + stat -c "%n|%s|%Y" $(cat "$MK_CONFDIR/fileinfo.cfg") +fi + +# Get stats about OMD monitoring cores running on this machine. +# Since cd is a shell builtin the check does not affect the performance +# on non-OMD machines. +if cd /omd/sites +then + echo '<<>>' + for site in * + do + if [ -S "/omd/sites/$site/tmp/run/live" ] ; then + echo "[$site]" + echo -e "GET status" | waitmax 3 /omd/sites/$site/bin/unixcat /omd/sites/$site/tmp/run/live + fi + done +fi + +# Get statistics about monitored jobs. Below the job directory there +# is a sub directory per user that ran a job. That directory must be +# owned by the user so that a symlink or hardlink attack for reading +# arbitrary files can be avoided. +if pushd $MK_VARDIR/job >/dev/null; then + echo '<<>>' + for username in * + do + if [ -d "$username" ] && cd "$username" ; then + su "$username" -c "head -n -0 -v *" + cd .. + fi + done + popd > /dev/null +fi + +# Gather thermal information provided e.g. by acpi +# At the moment only supporting thermal sensors +if ls /sys/class/thermal/thermal_zone* >/dev/null 2>&1; then + echo '<<>>' + for F in /sys/class/thermal/thermal_zone*; do + echo -n "${F##*/} " + if [ ! -e $F/mode ] ; then echo -n "- " ; fi + cat $F/{mode,type,temp,trip_point_*} | tr \\n " " + echo + done +fi + +# Libelle Business Shadow +if type trd >/dev/null; then + echo "<<>>" + trd -s +fi + +# MK's Remote Plugin Executor +if [ -e "$MK_CONFDIR/mrpe.cfg" ] +then + echo '<<>>' + grep -Ev '^[[:space:]]*($|#)' "$MK_CONFDIR/mrpe.cfg" | \ + while read descr cmdline + do + PLUGIN=${cmdline%% *} + OUTPUT=$(eval "$cmdline") + echo -n "(${PLUGIN##*/}) $descr $? $OUTPUT" | tr \\n \\1 + echo + done +fi + + +# Local checks +echo '<<>>' +if cd $LOCALDIR ; then + for skript in $(ls) ; do + if [ -f "$skript" -a -x "$skript" ] ; then + ./$skript + fi + done + # Call some plugins only every X'th minute + for skript in [1-9]*/* ; do + if [ -x "$skript" ] ; then + run_cached local_${skript//\//\\} ${skript%/*} "$skript" + fi + done +fi + +# Plugins +if cd $PLUGINSDIR ; then + for skript in $(ls) ; do + if [ -f "$skript" -a -x "$skript" ] ; then + ./$skript + fi + done + # Call some plugins only every Xth minute + for skript in [1-9]*/* ; do + if [ -x "$skript" ] ; then + run_cached plugins_${skript//\//\\} ${skript%/*} "$skript" + fi + done +fi + +# Agent output snippets created by cronjobs, etc. +if [ -d "$SPOOLDIR" ] +then + pushd "$SPOOLDIR" > /dev/null + now=$(date +%s) + + for file in * + do + # output every file in this directory. If the file is prefixed + # with a number, then that number is the maximum age of the + # file in seconds. If the file is older than that, it is ignored. + maxage="" + part="$file" + + # Each away all digits from the front of the filename and + # collect them in the variable maxage. + while [ "${part/#[0-9]/}" != "$part" ] + do + maxage=$maxage${part:0:1} + part=${part:1} + done + + # If there is at least one digit, than we honor that. + if [ "$maxage" ] ; then + mtime=$(stat -c %Y "$file") + if [ $((now - mtime)) -gt $maxage ] ; then + continue + fi + fi + + # Output the file + cat "$file" + done + popd > /dev/null +fi diff --git a/initializers/oam/librenms/distro b/initializers/oam/librenms/distro new file mode 100644 index 0000000..61ad248 --- /dev/null +++ b/initializers/oam/librenms/distro @@ -0,0 +1,114 @@ +#!/usr/bin/env bash +# Detects which OS and if it is Linux then it will detect which Linux Distribution. + +OS=`uname -s` +REV=`uname -r` +MACH=`uname -m` + +if [ "${OS}" = "SunOS" ] ; then + OS=Solaris + ARCH=`uname -p` + OSSTR="${OS} ${REV}(${ARCH} `uname -v`)" + +elif [ "${OS}" = "AIX" ] ; then + OSSTR="${OS} `oslevel` (`oslevel -r`)" + +elif [ "${OS}" = "Linux" ] ; then + KERNEL=`uname -r` + + if [ -f /etc/fedora-release ]; then + DIST=$(cat /etc/fedora-release | awk '{print $1}') + REV=`cat /etc/fedora-release | sed s/.*release\ // | sed s/\ .*//` + + elif [ -f /etc/redhat-release ] ; then + DIST=$(cat /etc/redhat-release | awk '{print $1}') + if [ "${DIST}" = "CentOS" ]; then + DIST="CentOS" + elif [ "${DIST}" = "Mandriva" ]; then + DIST="Mandriva" + PSEUDONAME=`cat /etc/mandriva-release | sed s/.*\(// | sed s/\)//` + REV=`cat /etc/mandriva-release | sed s/.*release\ // | sed s/\ .*//` + elif [ -f /etc/oracle-release ]; then + DIST="Oracle" + else + DIST="RedHat" + fi + + PSEUDONAME=`cat /etc/redhat-release | sed s/.*\(// | sed s/\)//` + REV=`cat /etc/redhat-release | sed s/.*release\ // | sed s/\ .*//` + + elif [ -f /etc/mandrake-release ] ; then + DIST='Mandrake' + PSEUDONAME=`cat /etc/mandrake-release | sed s/.*\(// | sed s/\)//` + REV=`cat /etc/mandrake-release | sed s/.*release\ // | sed s/\ .*//` + + elif [ -f /etc/devuan_version ] ; then + DIST="Devuan `cat /etc/devuan_version`" + REV="" + + elif [ -f /etc/debian_version ] ; then + DIST="Debian `cat /etc/debian_version`" + REV="" + ID=`lsb_release -i | awk -F ':' '{print $2}' | sed 's/ //g'` + if [ "${ID}" = "Raspbian" ] ; then + DIST="Raspbian `cat /etc/debian_version`" + fi + + elif [ -f /etc/gentoo-release ] ; then + DIST="Gentoo" + REV=$(tr -d '[[:alpha:]]' >>' + +# requires dmidecode +for FIELD in bios-vendor bios-version bios-release-date system-manufacturer system-product-name system-version system-serial-number system-uuid baseboard-manufacturer baseboard-product-name baseboard-version baseboard-serial-number baseboard-asset-tag chassis-manufacturer chassis-type chassis-version chassis-serial-number chassis-asset-tag processor-family processor-manufacturer processor-version processor-frequency +do + echo $FIELD="$(dmidecode -s $FIELD | grep -v '^#')" +done diff --git a/initializers/oam/librenms/dpkg.sh b/initializers/oam/librenms/dpkg.sh new file mode 100644 index 0000000..e89e2a0 --- /dev/null +++ b/initializers/oam/librenms/dpkg.sh @@ -0,0 +1,22 @@ +#!/bin/bash +# Cache the file for 30 minutes +# If you want to override this, put the command in cron. +# We cache because it is a 1sec delay, which is painful for the poller +if [ -x /usr/bin/dpkg-query ]; then + DATE=$(date +%s) + FILE=/var/cache/librenms/agent-local-dpkg + + [ -d /var/cache/librenms ] || mkdir -p /var/cache/librenms + + if [ ! -e $FILE ]; then + dpkg-query -W --showformat='${Status} ${Package} ${Version} ${Architecture} ${Installed-Size}\n'|grep " installed "|cut -d\ -f4- > $FILE + fi + FILEMTIME=$(stat -c %Y $FILE) + FILEAGE=$(($DATE-$FILEMTIME)) + if [ $FILEAGE -gt 1800 ]; then + dpkg-query -W --showformat='${Status} ${Package} ${Version} ${Architecture} ${Installed-Size}\n'|grep " installed "|cut -d\ -f4- > $FILE + fi + echo "<<>>" + cat $FILE +fi + diff --git a/initializers/oam/librenms/mysql.sh b/initializers/oam/librenms/mysql.sh new file mode 100644 index 0000000..c56e4e7 --- /dev/null +++ b/initializers/oam/librenms/mysql.sh @@ -0,0 +1,1438 @@ +#!/usr/bin/php + true, # Do you want to check InnoDB statistics? + 'master' => true, # Do you want to check binary logging? + 'slave' => true, # Do you want to check slave status? + 'procs' => true, # Do you want to check SHOW PROCESSLIST? + 'get_qrt' => true, # Get query response times from Percona Server or MariaDB? +); + +$use_ss = FALSE; # Whether to use the script server or not +$debug = FALSE; # Define whether you want debugging behavior. +$debug_log = FALSE; # If $debug_log is a filename, it'll be used. + +# ============================================================================ +# You should not need to change anything below this line. +# ============================================================================ +$version = "1.1.7"; + +# ============================================================================ +# Include settings from an external config file (issue 39). +# ============================================================================ +echo("<<>>\n"); + +if (file_exists(__FILE__ . '.cnf' ) ) { + require(__FILE__ . '.cnf'); + debug('Found configuration file ' . __FILE__ . '.cnf'); +} + +# Make this a happy little script even when there are errors. +$no_http_headers = true; +ini_set('implicit_flush', false); # No output, ever. +if ($debug ) { + ini_set('display_errors', true); + ini_set('display_startup_errors', true); + ini_set('error_reporting', 2147483647); +} +else { + ini_set('error_reporting', E_ERROR); +} +ob_start(); # Catch all output such as notices of undefined array indexes. +function error_handler($errno, $errstr, $errfile, $errline) { + print("$errstr at $errfile line $errline\n"); + debug("$errstr at $errfile line $errline"); +} +# ============================================================================ +# Set up the stuff we need to be called by the script server. +# ============================================================================ +#if ($use_ss ) { +# if (file_exists( dirname(__FILE__) . "/../include/global.php") ) { +# # See issue 5 for the reasoning behind this. +# debug("including " . dirname(__FILE__) . "/../include/global.php"); +# include_once(dirname(__FILE__) . "/../include/global.php"); +# } +# elseif (file_exists( dirname(__FILE__) . "/../include/config.php" ) ) { +# # Some Cacti installations don't have global.php. +# debug("including " . dirname(__FILE__) . "/../include/config.php"); +# include_once(dirname(__FILE__) . "/../include/config.php"); +# } +#} + +# ============================================================================ +# Set the default timezone either to the configured, system timezone, or the +# default set above in the script. +# ============================================================================ +if ( function_exists("date_default_timezone_set") + && function_exists("date_default_timezone_get") ) { + $tz = ($timezone ? $timezone : @date_default_timezone_get()); + if ( $tz ) { + @date_default_timezone_set($tz); + } +} + + +# ============================================================================ +# Make sure we can also be called as a script. +# ============================================================================ +if (!isset($called_by_script_server)) { + debug($_SERVER["argv"]); + array_shift($_SERVER["argv"]); # Strip off this script's filename + $options = parse_cmdline($_SERVER["argv"]); + validate_options($options); + $result = ss_get_mysql_stats($options); + + debug($result); + if (!$debug ) { + # Throw away the buffer, which ought to contain only errors. + ob_end_clean(); + } + else { + ob_end_flush(); # In debugging mode, print out the errors. + } + + # Split the result up and extract only the desired parts of it. + $options['items'] = ""; + $wanted = explode(',', $options['items']); + $output = array(); + foreach ( explode(' ', $result) as $item ) { + if (in_array(substr($item, 0, 2), $wanted) ) { + $output[] = $item; + } + list($short, $val) = explode(":", $item); + echo(strtolower($short).":".strtolower($val)."\n"); + } + debug(array("Final result", $output)); + print(implode(' ', $output)); +} + +# ============================================================================ +# End "if file was not included" section. +# ============================================================================ +} + +# ============================================================================ +# Work around the lack of array_change_key_case in older PHP. +# ============================================================================ +if (!function_exists('array_change_key_case') ) { + function array_change_key_case($arr) { + $res = array(); + foreach ( $arr as $key => $val ) { + $res[strtolower($key)] = $val; + } + return $res; + } +} + +# ============================================================================ +# Validate that the command-line options are here and correct +# ============================================================================ +function validate_options($options) { + debug($options); + $opts = array('items', 'user', 'pass', 'heartbeat', 'nocache', 'port', 'server-id'); + # Required command-line options + foreach ( array() as $option ) { + if (!isset($options[$option]) || !$options[$option] ) { + usage("Required option --$option is missing"); + } + } + foreach ( $options as $key => $val ) { + if (!in_array($key, $opts) ) { + usage("Unknown option --$key"); + } + } +} + +# ============================================================================ +# Print out a brief usage summary +# ============================================================================ +function usage($message) { + global $mysql_host, $mysql_user, $mysql_pass, $mysql_port; + + $usage = << --items [OPTION] + + --host MySQL host + --items Comma-separated list of the items whose data you want + --user MySQL username + --pass MySQL password + --port MySQL port + --socket MySQL socket + --flags MySQL flags + --connection-timeout MySQL connection timeout + --server-id Server id to associate with a heartbeat if heartbeat usage is enabled + --nocache Do not cache results in a file + --help Show usage + +EOF; + die($usage); +} + +# ============================================================================ +# Parse command-line arguments, in the format --arg value --arg value, and +# return them as an array ( arg => value ) +# ============================================================================ +function parse_cmdline( $args ) { + $result = array(); + $cur_arg = ''; + foreach ($args as $val) { + if (strpos($val, '--') === 0 ) { + if (strpos($val, '--no') === 0 ) { + # It's an option without an argument, but it's a --nosomething so + # it's OK. + $result[substr($val, 2)] = 1; + $cur_arg = ''; + } + elseif ($cur_arg ) { # Maybe the last --arg was an option with no arg + if ($cur_arg == '--user' || $cur_arg == '--pass' || $cur_arg == '--port' ) { + # Special case because Cacti will pass these without an arg + $cur_arg = ''; + } + else { + die("No arg: $cur_arg\n"); + } + } + else { + $cur_arg = $val; + } + } + else { + $result[substr($cur_arg, 2)] = $val; + $cur_arg = ''; + } + } + if ($cur_arg && ($cur_arg != '--user' && $cur_arg != '--pass' && $cur_arg != '--port') ) { + die("No arg: $cur_arg\n"); + } + debug($result); + return $result; +} + +# ============================================================================ +# This is the main function. Some parameters are filled in from defaults at the +# top of this file. +# ============================================================================ +function ss_get_mysql_stats( $options ) { + # Process connection options and connect to MySQL. + global $debug, $mysql_host, $mysql_user, $mysql_pass, $cache_dir, $poll_time, $chk_options, + $mysql_port, $mysql_socket, $mysql_flags, + $mysql_ssl, $mysql_ssl_key, $mysql_ssl_cert, $mysql_ssl_ca, + $mysql_connection_timeout, + $heartbeat, $heartbeat_table, $heartbeat_server_id, $heartbeat_utc; + + # Connect to MySQL. + $user = isset($options['user']) ? $options['user'] : $mysql_user; + $pass = isset($options['pass']) ? $options['pass'] : $mysql_pass; + $port = isset($options['port']) ? $options['port'] : $mysql_port; + $host = isset($options['host']) ? $options['host'] : $mysql_host; + + $socket = isset($options['socket']) ? $options['socket'] : $mysql_socket; + $flags = isset($options['flags']) ? $options['flags'] : $mysql_flags; + $connection_timeout = isset($options['connection-timeout']) ? $options['connection-timeout'] : $mysql_connection_timeout; + $heartbeat_server_id = isset($options['server-id']) ? $options['server-id'] : $heartbeat_server_id; + + # If there is a port, or if it's a non-standard port, we add ":$port" to the + # hostname. + $host_str = $host.($port != 3306 ? ":$port" : ''); + + + $sanitized_host = str_replace(array(":", "/"), array("", "_"), $host); + $cache_file = "$cache_dir/agent-local-mysql"; + debug("Cache file is $cache_file"); + + # First, check the cache. + $fp = null; + if ( $cache_dir && !array_key_exists('nocache', $options) ) { + if ( $fp = fopen($cache_file, 'a+') ) { + $locked = flock($fp, 1); # LOCK_SH + if ( $locked ) { + if ( filesize($cache_file) > 0 + && filectime($cache_file) + ($poll_time/2) > time() + && ($arr = file($cache_file)) + ) {# The cache file is good to use. + debug("Using the cache file"); + fclose($fp); + return $arr[0]; + } + else { + debug("The cache file seems too small or stale"); + # Escalate the lock to exclusive, so we can write to it. + if ( flock($fp, 2) ) { # LOCK_EX + # We might have blocked while waiting for that LOCK_EX, and + # another process ran and updated it. Let's see if we can just + # return the data now: + if ( filesize($cache_file) > 0 + && filectime($cache_file) + ($poll_time/2) > time() + && ($arr = file($cache_file)) + ) {# The cache file is good to use. + debug("Using the cache file"); + fclose($fp); + return $arr[0]; + } + ftruncate($fp, 0); # Now it's ready for writing later. + } + } + } + else { + $fp = null; + debug("Couldn't lock the cache file, ignoring it"); + } + } + else { + $fp = null; + debug("Couldn't open the cache file"); + } + } + else { + debug("Caching is disabled."); + } + + # Connect to MySQL. + debug(array('Connecting to', $host, $port, $user, $pass)); + if ( !extension_loaded('mysqli') ) { + debug("PHP MySQLi extension is not loaded"); + die("PHP MySQLi extension is not loaded"); + } + $conn = mysqli_init(); + $conn->options(MYSQLI_OPT_CONNECT_TIMEOUT, $connection_timeout); + if ( $mysql_ssl ) { + mysqli_ssl_set($conn, $mysql_ssl_key, $mysql_ssl_cert, $mysql_ssl_ca, NULL, NULL); + } + @mysqli_real_connect($conn, $host, $user, $pass, NULL, $port, $socket, $flags); + if ( mysqli_connect_errno() ) { + debug("MySQL connection failed: " . mysqli_connect_error()); + die("ERROR: " . mysqli_connect_error()); + } + + # MySQL server version. + # The form of this version number is main_version * 10000 + minor_version * 100 + sub_version + # i.e. version 5.5.44 is 50544. + $mysql_version = mysqli_get_server_version($conn); + debug("MySQL server version is " . $mysql_version); + + # Set up variables. + $status = array( # Holds the result of SHOW STATUS, SHOW INNODB STATUS, etc + # Define some indexes so they don't cause errors with += operations. + 'relay_log_space' => null, + 'binary_log_space' => null, + 'current_transactions' => 0, + 'locked_transactions' => 0, + 'active_transactions' => 0, + 'innodb_locked_tables' => 0, + 'innodb_tables_in_use' => 0, + 'innodb_lock_structs' => 0, + 'innodb_lock_wait_secs' => 0, + 'innodb_sem_waits' => 0, + 'innodb_sem_wait_time_ms'=> 0, + # Values for the 'state' column from SHOW PROCESSLIST (converted to + # lowercase, with spaces replaced by underscores) + 'State_closing_tables' => 0, + 'State_copying_to_tmp_table' => 0, + 'State_end' => 0, + 'State_freeing_items' => 0, + 'State_init' => 0, + 'State_locked' => 0, + 'State_login' => 0, + 'State_preparing' => 0, + 'State_reading_from_net' => 0, + 'State_sending_data' => 0, + 'State_sorting_result' => 0, + 'State_statistics' => 0, + 'State_updating' => 0, + 'State_writing_to_net' => 0, + 'State_none' => 0, + 'State_other' => 0, # Everything not listed above + ); + + # Get SHOW STATUS and convert the name-value array into a simple + # associative array. + $result = run_query("SHOW /*!50002 GLOBAL */ STATUS", $conn); + foreach ( $result as $row ) { + $status[$row[0]] = $row[1]; + } + + # Get SHOW VARIABLES and do the same thing, adding it to the $status array. + $result = run_query("SHOW VARIABLES", $conn); + foreach ( $result as $row ) { + $status[$row[0]] = $row[1]; + } + + # Get SHOW SLAVE STATUS, and add it to the $status array. + if ( $chk_options['slave'] ) { + # Leverage lock-free SHOW SLAVE STATUS if available + $result = run_query("SHOW SLAVE STATUS NONBLOCKING", $conn); + if ( !$result ) { + $result = run_query("SHOW SLAVE STATUS NOLOCK", $conn); + if ( !$result ) { + $result = run_query("SHOW SLAVE STATUS", $conn); + } + } + $slave_status_rows_gotten = 0; + foreach ( $result as $row ) { + $slave_status_rows_gotten++; + # Must lowercase keys because different MySQL versions have different + # lettercase. + $row = array_change_key_case($row, CASE_LOWER); + $status['relay_log_space'] = $row['relay_log_space']; + $status['slave_lag'] = $row['seconds_behind_master']; + + # Check replication heartbeat, if present. + if ( $heartbeat ) { + if ( $heartbeat_utc ) { + $now_func = 'UNIX_TIMESTAMP(UTC_TIMESTAMP)'; + } + else { + $now_func = 'UNIX_TIMESTAMP()'; + } + $result2 = run_query( + "SELECT MAX($now_func - ROUND(UNIX_TIMESTAMP(ts)))" + . " AS delay FROM $heartbeat_table" + . " WHERE $heartbeat_server_id = 0 OR server_id = $heartbeat_server_id", $conn); + $slave_delay_rows_gotten = 0; + foreach ( $result2 as $row2 ) { + $slave_delay_rows_gotten++; + if ( $row2 && is_array($row2) + && array_key_exists('delay', $row2) ) + { + $status['slave_lag'] = $row2['delay']; + } + else { + debug("Couldn't get slave lag from $heartbeat_table"); + } + } + if ( $slave_delay_rows_gotten == 0 ) { + debug("Got nothing from heartbeat query"); + } + } + + # Scale slave_running and slave_stopped relative to the slave lag. + $status['slave_running'] = ($row['slave_sql_running'] == 'Yes') + ? $status['slave_lag'] : 0; + $status['slave_stopped'] = ($row['slave_sql_running'] == 'Yes') + ? 0 : $status['slave_lag']; + } + if ( $slave_status_rows_gotten == 0 ) { + debug("Got nothing from SHOW SLAVE STATUS"); + } + } + + # Get SHOW MASTER STATUS, and add it to the $status array. + if ($chk_options['master'] + && array_key_exists('log_bin', $status) + && $status['log_bin'] == 'ON' + ) { # See issue #8 + $binlogs = array(0); + $result = run_query("SHOW MASTER LOGS", $conn); + foreach ( $result as $row ) { + $row = array_change_key_case($row, CASE_LOWER); + # Older versions of MySQL may not have the File_size column in the + # results of the command. Zero-size files indicate the user is + # deleting binlogs manually from disk (bad user! bad!). + if (array_key_exists('file_size', $row) && $row['file_size'] > 0 ) { + $binlogs[] = $row['file_size']; + } + } + if (count($binlogs)) { + $status['binary_log_space'] = to_int(array_sum($binlogs)); + } + } + + # Get SHOW PROCESSLIST and aggregate it by state, then add it to the array + # too. + if ( $chk_options['procs'] ) { + $result = run_query('SHOW PROCESSLIST', $conn); + foreach ( $result as $row ) { + $state = $row['State']; + if ( is_null($state) ) { + $state = 'NULL'; + } + if ( $state == '' ) { + $state = 'none'; + } + # MySQL 5.5 replaces the 'Locked' state with a variety of "Waiting for + # X lock" types of statuses. Wrap these all back into "Locked" because + # we don't really care about the type of locking it is. + $state = preg_replace('/^(Table lock|Waiting for .*lock)$/', 'Locked', $state); + $state = str_replace(' ', '_', strtolower($state)); + if ( array_key_exists("State_$state", $status) ) { + increment($status, "State_$state", 1); + } + else { + increment($status, "State_other", 1); + } + } + } + + # Get SHOW ENGINES to be able to determine whether InnoDB is present. + $engines = array(); + $result = run_query("SHOW ENGINES", $conn); + foreach ( $result as $row ) { + $engines[$row[0]] = $row[1]; + } + + # Get SHOW INNODB STATUS and extract the desired metrics from it, then add + # those to the array too. + if ($chk_options['innodb'] + && array_key_exists('InnoDB', $engines) + && $engines['InnoDB'] == 'YES' + || $engines['InnoDB'] == 'DEFAULT' + ) { + $result = run_query("SHOW /*!50000 ENGINE*/ INNODB STATUS", $conn); + $istatus_text = $result[0]['Status']; + $istatus_vals = get_innodb_array($istatus_text, $mysql_version); + + # Get response time histogram from Percona Server or MariaDB if enabled. + if ( $chk_options['get_qrt'] + && (( isset($status['have_response_time_distribution']) + && $status['have_response_time_distribution'] == 'YES') + || (isset($status['query_response_time_stats']) + && $status['query_response_time_stats'] == 'ON')) ) + { + debug('Getting query time histogram'); + $i = 0; + $result = run_query( + "SELECT `count`, ROUND(total * 1000000) AS total " + . "FROM INFORMATION_SCHEMA.QUERY_RESPONSE_TIME " + . "WHERE `time` <> 'TOO LONG'", + $conn); + foreach ( $result as $row ) { + if ( $i > 13 ) { + # It's possible that the number of rows returned isn't 14. + # Don't add extra status counters. + break; + } + $count_key = sprintf("Query_time_count_%02d", $i); + $total_key = sprintf("Query_time_total_%02d", $i); + $status[$count_key] = $row['count']; + $status[$total_key] = $row['total']; + $i++; + } + # It's also possible that the number of rows returned is too few. + # Don't leave any status counters unassigned; it will break graphs. + while ( $i <= 13 ) { + $count_key = sprintf("Query_time_count_%02d", $i); + $total_key = sprintf("Query_time_total_%02d", $i); + $status[$count_key] = 0; + $status[$total_key] = 0; + $i++; + } + } + else { + debug('Not getting time histogram because it is not enabled'); + } + + # Override values from InnoDB parsing with values from SHOW STATUS, + # because InnoDB status might not have everything and the SHOW STATUS is + # to be preferred where possible. + $overrides = array( + 'Innodb_buffer_pool_pages_data' => 'database_pages', + 'Innodb_buffer_pool_pages_dirty' => 'modified_pages', + 'Innodb_buffer_pool_pages_free' => 'free_pages', + 'Innodb_buffer_pool_pages_total' => 'pool_size', + 'Innodb_data_fsyncs' => 'file_fsyncs', + 'Innodb_data_pending_reads' => 'pending_normal_aio_reads', + 'Innodb_data_pending_writes' => 'pending_normal_aio_writes', + 'Innodb_os_log_pending_fsyncs' => 'pending_log_flushes', + 'Innodb_pages_created' => 'pages_created', + 'Innodb_pages_read' => 'pages_read', + 'Innodb_pages_written' => 'pages_written', + 'Innodb_rows_deleted' => 'rows_deleted', + 'Innodb_rows_inserted' => 'rows_inserted', + 'Innodb_rows_read' => 'rows_read', + 'Innodb_rows_updated' => 'rows_updated', + 'Innodb_buffer_pool_reads' => 'pool_reads', + 'Innodb_buffer_pool_read_requests' => 'pool_read_requests', + ); + + # If the SHOW STATUS value exists, override... + foreach ( $overrides as $key => $val ) { + if (array_key_exists($key, $status) ) { + debug("Override $key"); + $istatus_vals[$val] = $status[$key]; + } + } + + # Now copy the values into $status. + foreach ( $istatus_vals as $key => $val ) { + $status[$key] = $istatus_vals[$key]; + } + } + + # Make table_open_cache backwards-compatible (issue 63). + if (array_key_exists('table_open_cache', $status) ) { + $status['table_cache'] = $status['table_open_cache']; + } + + # Compute how much of the key buffer is used and unflushed (issue 127). + $status['Key_buf_bytes_used'] + = big_sub($status['key_buffer_size'], + big_multiply($status['Key_blocks_unused'], + $status['key_cache_block_size'])); + $status['Key_buf_bytes_unflushed'] + = big_multiply($status['Key_blocks_not_flushed'], + $status['key_cache_block_size']); + + if (array_key_exists('unflushed_log', $status) + && $status['unflushed_log'] + ) { + # TODO: I'm not sure what the deal is here; need to debug this. But the + # unflushed log bytes spikes a lot sometimes and it's impossible for it to + # be more than the log buffer. + debug("Unflushed log: $status[unflushed_log]"); + $status['unflushed_log'] + = max($status['unflushed_log'], $status['innodb_log_buffer_size']); + } + + # Define the variables to output. I use shortened variable names so maybe + # it'll all fit in 1024 bytes for Cactid and Spine's benefit. + # This list must come right after the word MAGIC_VARS_DEFINITIONS. The Perl script + # parses it and uses it as a Perl variable. + $keys = array( + 'Key_read_requests' => 'a0', + 'Key_reads' => 'a1', + 'Key_write_requests' => 'a2', + 'Key_writes' => 'a3', + 'history_list' => 'a4', + 'innodb_transactions' => 'a5', + 'read_views' => 'a6', + 'current_transactions' => 'a7', + 'locked_transactions' => 'a8', + 'active_transactions' => 'a9', + 'pool_size' => 'aa', + 'free_pages' => 'ab', + 'database_pages' => 'ac', + 'modified_pages' => 'ad', + 'pages_read' => 'ae', + 'pages_created' => 'af', + 'pages_written' => 'ag', + 'file_fsyncs' => 'ah', + 'file_reads' => 'ai', + 'file_writes' => 'aj', + 'log_writes' => 'ak', + 'pending_aio_log_ios' => 'al', + 'pending_aio_sync_ios' => 'am', + 'pending_buf_pool_flushes' => 'an', + 'pending_chkp_writes' => 'ao', + 'pending_ibuf_aio_reads' => 'ap', + 'pending_log_flushes' => 'aq', + 'pending_log_writes' => 'ar', + 'pending_normal_aio_reads' => 'as', + 'pending_normal_aio_writes' => 'at', + 'ibuf_inserts' => 'au', + 'ibuf_merged' => 'av', + 'ibuf_merges' => 'aw', + 'spin_waits' => 'ax', + 'spin_rounds' => 'ay', + 'os_waits' => 'az', + 'rows_inserted' => 'b0', + 'rows_updated' => 'b1', + 'rows_deleted' => 'b2', + 'rows_read' => 'b3', + 'Table_locks_waited' => 'b4', + 'Table_locks_immediate' => 'b5', + 'Slow_queries' => 'b6', + 'Open_files' => 'b7', + 'Open_tables' => 'b8', + 'Opened_tables' => 'b9', + 'innodb_open_files' => 'ba', + 'open_files_limit' => 'bb', + 'table_cache' => 'bc', + 'Aborted_clients' => 'bd', + 'Aborted_connects' => 'be', + 'Max_used_connections' => 'bf', + 'Slow_launch_threads' => 'bg', + 'Threads_cached' => 'bh', + 'Threads_connected' => 'bi', + 'Threads_created' => 'bj', + 'Threads_running' => 'bk', + 'max_connections' => 'bl', + 'thread_cache_size' => 'bm', + 'Connections' => 'bn', + 'slave_running' => 'bo', + 'slave_stopped' => 'bp', + 'Slave_retried_transactions' => 'bq', + 'slave_lag' => 'br', + 'Slave_open_temp_tables' => 'bs', + 'Qcache_free_blocks' => 'bt', + 'Qcache_free_memory' => 'bu', + 'Qcache_hits' => 'bv', + 'Qcache_inserts' => 'bw', + 'Qcache_lowmem_prunes' => 'bx', + 'Qcache_not_cached' => 'by', + 'Qcache_queries_in_cache' => 'bz', + 'Qcache_total_blocks' => 'c0', + 'query_cache_size' => 'c1', + 'Questions' => 'c2', + 'Com_update' => 'c3', + 'Com_insert' => 'c4', + 'Com_select' => 'c5', + 'Com_delete' => 'c6', + 'Com_replace' => 'c7', + 'Com_load' => 'c8', + 'Com_update_multi' => 'c9', + 'Com_insert_select' => 'ca', + 'Com_delete_multi' => 'cb', + 'Com_replace_select' => 'cc', + 'Select_full_join' => 'cd', + 'Select_full_range_join' => 'ce', + 'Select_range' => 'cf', + 'Select_range_check' => 'cg', + 'Select_scan' => 'ch', + 'Sort_merge_passes' => 'ci', + 'Sort_range' => 'cj', + 'Sort_rows' => 'ck', + 'Sort_scan' => 'cl', + 'Created_tmp_tables' => 'cm', + 'Created_tmp_disk_tables' => 'cn', + 'Created_tmp_files' => 'co', + 'Bytes_sent' => 'cp', + 'Bytes_received' => 'cq', + 'innodb_log_buffer_size' => 'cr', + 'unflushed_log' => 'cs', + 'log_bytes_flushed' => 'ct', + 'log_bytes_written' => 'cu', + 'relay_log_space' => 'cv', + 'binlog_cache_size' => 'cw', + 'Binlog_cache_disk_use' => 'cx', + 'Binlog_cache_use' => 'cy', + 'binary_log_space' => 'cz', + 'innodb_locked_tables' => 'd0', + 'innodb_lock_structs' => 'd1', + 'State_closing_tables' => 'd2', + 'State_copying_to_tmp_table' => 'd3', + 'State_end' => 'd4', + 'State_freeing_items' => 'd5', + 'State_init' => 'd6', + 'State_locked' => 'd7', + 'State_login' => 'd8', + 'State_preparing' => 'd9', + 'State_reading_from_net' => 'da', + 'State_sending_data' => 'db', + 'State_sorting_result' => 'dc', + 'State_statistics' => 'dd', + 'State_updating' => 'de', + 'State_writing_to_net' => 'df', + 'State_none' => 'dg', + 'State_other' => 'dh', + 'Handler_commit' => 'di', + 'Handler_delete' => 'dj', + 'Handler_discover' => 'dk', + 'Handler_prepare' => 'dl', + 'Handler_read_first' => 'dm', + 'Handler_read_key' => 'dn', + 'Handler_read_next' => 'do', + 'Handler_read_prev' => 'dp', + 'Handler_read_rnd' => 'dq', + 'Handler_read_rnd_next' => 'dr', + 'Handler_rollback' => 'ds', + 'Handler_savepoint' => 'dt', + 'Handler_savepoint_rollback' => 'du', + 'Handler_update' => 'dv', + 'Handler_write' => 'dw', + + # Some InnoDB stats added later... + 'innodb_tables_in_use' => 'dx', + 'innodb_lock_wait_secs' => 'dy', + 'hash_index_cells_total' => 'dz', + 'hash_index_cells_used' => 'e0', + 'total_mem_alloc' => 'e1', + 'additional_pool_alloc' => 'e2', + 'uncheckpointed_bytes' => 'e3', + 'ibuf_used_cells' => 'e4', + 'ibuf_free_cells' => 'e5', + 'ibuf_cell_count' => 'e6', + 'adaptive_hash_memory' => 'e7', + 'page_hash_memory' => 'e8', + 'dictionary_cache_memory' => 'e9', + 'file_system_memory' => 'ea', + 'lock_system_memory' => 'eb', + 'recovery_system_memory' => 'ec', + 'thread_hash_memory' => 'ed', + 'innodb_sem_waits' => 'ee', + 'innodb_sem_wait_time_ms' => 'ef', + 'Key_buf_bytes_unflushed' => 'eg', + 'Key_buf_bytes_used' => 'eh', + 'key_buffer_size' => 'ei', + 'Innodb_row_lock_time' => 'ej', + 'Innodb_row_lock_waits' => 'ek', + + # Values not parsed by LibreNMS + 'Query_time_count_00' => 'ol', + 'Query_time_count_01' => 'om', + 'Query_time_count_02' => 'on', + 'Query_time_count_03' => 'oo', + 'Query_time_count_04' => 'op', + 'Query_time_count_05' => 'oq', + 'Query_time_count_06' => 'or', + 'Query_time_count_07' => 'os', + 'Query_time_count_08' => 'ot', + 'Query_time_count_09' => 'ou', + 'Query_time_count_10' => 'ov', + 'Query_time_count_11' => 'ow', + 'Query_time_count_12' => 'ox', + 'Query_time_count_13' => 'oy', + 'Query_time_total_00' => 'oz', + 'Query_time_total_01' => 'pg', + 'Query_time_total_02' => 'ph', + 'Query_time_total_03' => 'pi', + 'Query_time_total_04' => 'pj', + 'Query_time_total_05' => 'pk', + 'Query_time_total_06' => 'pl', + 'Query_time_total_07' => 'pm', + 'Query_time_total_08' => 'pn', + 'Query_time_total_09' => 'po', + 'Query_time_total_10' => 'pp', + 'Query_time_total_11' => 'pq', + 'Query_time_total_12' => 'pr', + 'Query_time_total_13' => 'ps', + 'wsrep_replicated_bytes' => 'pt', + 'wsrep_received_bytes' => 'pu', + 'wsrep_replicated' => 'pv', + 'wsrep_received' => 'pw', + 'wsrep_local_cert_failures' => 'px', + 'wsrep_local_bf_aborts' => 'py', + 'wsrep_local_send_queue' => 'pz', + 'wsrep_local_recv_queue' => 'qg', + 'wsrep_cluster_size' => 'qh', + 'wsrep_cert_deps_distance' => 'qi', + 'wsrep_apply_window' => 'qj', + 'wsrep_commit_window' => 'qk', + 'wsrep_flow_control_paused' => 'ql', + 'wsrep_flow_control_sent' => 'qm', + 'wsrep_flow_control_recv' => 'qn', + 'pool_reads' => 'qo', + 'pool_read_requests' => 'qp', + ); + + # Return the output. + $output = array(); + foreach ($keys as $key => $short ) { + # If the value isn't defined, return -1 which is lower than (most graphs') + # minimum value of 0, so it'll be regarded as a missing value. + $val = isset($status[$key]) ? $status[$key] : -1; + $output[] = "$short:$val"; + } + $result = implode(' ', $output); + if ($fp ) { + if (fwrite($fp, $result) === FALSE ) { + die("Can't write '$cache_file'"); + } + fclose($fp); + } + + return $result; + +} + +# ============================================================================ +# Given INNODB STATUS text, returns a key-value array of the parsed text. Each +# line shows a sample of the input for both standard InnoDB as you would find in +# MySQL 5.0, and XtraDB or enhanced InnoDB from Percona if applicable. Note +# that extra leading spaces are ignored due to trim(). +# ============================================================================ +function get_innodb_array($text, $mysql_version) { + $results = array( + 'spin_waits' => array(), + 'spin_rounds' => array(), + 'os_waits' => array(), + 'pending_normal_aio_reads' => null, + 'pending_normal_aio_writes' => null, + 'pending_ibuf_aio_reads' => null, + 'pending_aio_log_ios' => null, + 'pending_aio_sync_ios' => null, + 'pending_log_flushes' => null, + 'pending_buf_pool_flushes' => null, + 'file_reads' => null, + 'file_writes' => null, + 'file_fsyncs' => null, + 'ibuf_inserts' => null, + 'ibuf_merged' => null, + 'ibuf_merges' => null, + 'log_bytes_written' => null, + 'unflushed_log' => null, + 'log_bytes_flushed' => null, + 'pending_log_writes' => null, + 'pending_chkp_writes' => null, + 'log_writes' => null, + 'pool_size' => null, + 'free_pages' => null, + 'database_pages' => null, + 'modified_pages' => null, + 'pages_read' => null, + 'pages_created' => null, + 'pages_written' => null, + 'queries_inside' => null, + 'queries_queued' => null, + 'read_views' => null, + 'rows_inserted' => null, + 'rows_updated' => null, + 'rows_deleted' => null, + 'rows_read' => null, + 'innodb_transactions' => null, + 'unpurged_txns' => null, + 'history_list' => null, + 'current_transactions' => null, + 'hash_index_cells_total' => null, + 'hash_index_cells_used' => null, + 'total_mem_alloc' => null, + 'additional_pool_alloc' => null, + 'last_checkpoint' => null, + 'uncheckpointed_bytes' => null, + 'ibuf_used_cells' => null, + 'ibuf_free_cells' => null, + 'ibuf_cell_count' => null, + 'adaptive_hash_memory' => null, + 'page_hash_memory' => null, + 'dictionary_cache_memory' => null, + 'file_system_memory' => null, + 'lock_system_memory' => null, + 'recovery_system_memory' => null, + 'thread_hash_memory' => null, + 'innodb_sem_waits' => null, + 'innodb_sem_wait_time_ms' => null, + ); + $txn_seen = FALSE; + foreach ( explode("\n", $text) as $line ) { + $line = trim($line); + $row = preg_split('/ +/', $line); + + # SEMAPHORES + if (strpos($line, 'Mutex spin waits') === 0 ) { + # Mutex spin waits 79626940, rounds 157459864, OS waits 698719 + # Mutex spin waits 0, rounds 247280272495, OS waits 316513438 + $results['spin_waits'][] = to_int($row[3]); + $results['spin_rounds'][] = to_int($row[5]); + $results['os_waits'][] = to_int($row[8]); + } + elseif (strpos($line, 'RW-shared spins') === 0 + && strpos($line, ';') > 0 ) { + # RW-shared spins 3859028, OS waits 2100750; RW-excl spins 4641946, OS waits 1530310 + $results['spin_waits'][] = to_int($row[2]); + $results['spin_waits'][] = to_int($row[8]); + $results['os_waits'][] = to_int($row[5]); + $results['os_waits'][] = to_int($row[11]); + } + elseif (strpos($line, 'RW-shared spins') === 0 && strpos($line, '; RW-excl spins') === FALSE) { + # Post 5.5.17 SHOW ENGINE INNODB STATUS syntax + # RW-shared spins 604733, rounds 8107431, OS waits 241268 + $results['spin_waits'][] = to_int($row[2]); + $results['os_waits'][] = to_int($row[7]); + } + elseif (strpos($line, 'RW-excl spins') === 0) { + # Post 5.5.17 SHOW ENGINE INNODB STATUS syntax + # RW-excl spins 604733, rounds 8107431, OS waits 241268 + $results['spin_waits'][] = to_int($row[2]); + $results['os_waits'][] = to_int($row[7]); + } + elseif (strpos($line, 'seconds the semaphore:') > 0) { + # --Thread 907205 has waited at handler/ha_innodb.cc line 7156 for 1.00 seconds the semaphore: + increment($results, 'innodb_sem_waits', 1); + increment($results, + 'innodb_sem_wait_time_ms', to_int($row[9]) * 1000); + } + + # TRANSACTIONS + elseif ( strpos($line, 'Trx id counter') === 0 ) { + # The beginning of the TRANSACTIONS section: start counting + # transactions + if ( $mysql_version < 50600 ) { + # For versions prior 5.6: two decimals or one hex + # Trx id counter 0 1170664159 + # Trx id counter 861B144C + $results['innodb_transactions'] = isset($row[4]) ? make_bigint( + $row[3], $row[4]) : base_convert($row[3], 16, 10); + } + else { + # For versions 5.6+ and MariaDB 10.x: one decimal + # Trx id counter 2903813 + $results['innodb_transactions'] = $row[3]; + } + $txn_seen = TRUE; + } + elseif ( strpos($line, 'Purge done for trx') === 0 ) { + if ( $mysql_version < 50600 ) { + # For versions prior 5.6: two decimals or one hex + # Purge done for trx's n:o < 0 1170663853 undo n:o < 0 0 + # Purge done for trx's n:o < 861B135D undo n:o < 0 + $purged_to = $row[7] == 'undo' ? base_convert($row[6], 16, 10) : make_bigint($row[6], $row[7]); + } + else { + # For versions 5.6+ and MariaDB 10.x: one decimal + # Purge done for trx's n:o < 2903354 undo n:o < 0 state: running but idle + $purged_to = $row[6]; + } + $results['unpurged_txns'] + = big_sub($results['innodb_transactions'], $purged_to); + } + elseif (strpos($line, 'History list length') === 0 ) { + # History list length 132 + $results['history_list'] = to_int($row[3]); + } + elseif ( $txn_seen && strpos($line, '---TRANSACTION') === 0 ) { + # ---TRANSACTION 0, not started, process no 13510, OS thread id 1170446656 + increment($results, 'current_transactions', 1); + if ( strpos($line, 'ACTIVE') > 0 ) { + increment($results, 'active_transactions', 1); + } + } + elseif ( $txn_seen && strpos($line, '------- TRX HAS BEEN') === 0 ) { + # ------- TRX HAS BEEN WAITING 32 SEC FOR THIS LOCK TO BE GRANTED: + increment($results, 'innodb_lock_wait_secs', to_int($row[5])); + } + elseif ( strpos($line, 'read views open inside InnoDB') > 0 ) { + # 1 read views open inside InnoDB + $results['read_views'] = to_int($row[0]); + } + elseif ( strpos($line, 'mysql tables in use') === 0 ) { + # mysql tables in use 2, locked 2 + increment($results, 'innodb_tables_in_use', to_int($row[4])); + increment($results, 'innodb_locked_tables', to_int($row[6])); + } + elseif ( $txn_seen && strpos($line, 'lock struct(s)') > 0 ) { + # 23 lock struct(s), heap size 3024, undo log entries 27 + # LOCK WAIT 12 lock struct(s), heap size 3024, undo log entries 5 + # LOCK WAIT 2 lock struct(s), heap size 368 + if ( strpos($line, 'LOCK WAIT') === 0 ) { + increment($results, 'innodb_lock_structs', to_int($row[2])); + increment($results, 'locked_transactions', 1); + } + else { + increment($results, 'innodb_lock_structs', to_int($row[0])); + } + } + + # FILE I/O + elseif (strpos($line, ' OS file reads, ') > 0 ) { + # 8782182 OS file reads, 15635445 OS file writes, 947800 OS fsyncs + $results['file_reads'] = to_int($row[0]); + $results['file_writes'] = to_int($row[4]); + $results['file_fsyncs'] = to_int($row[8]); + } + elseif (strpos($line, 'Pending normal aio reads:') === 0 ) { + # Pending normal aio reads: 0, aio writes: 0, + $results['pending_normal_aio_reads'] = to_int($row[4]); + $results['pending_normal_aio_writes'] = to_int($row[7]); + } + elseif (strpos($line, 'ibuf aio reads') === 0 ) { + # ibuf aio reads: 0, log i/o's: 0, sync i/o's: 0 + $results['pending_ibuf_aio_reads'] = to_int($row[3]); + $results['pending_aio_log_ios'] = to_int($row[6]); + $results['pending_aio_sync_ios'] = to_int($row[9]); + } + elseif ( strpos($line, 'Pending flushes (fsync)') === 0 ) { + # Pending flushes (fsync) log: 0; buffer pool: 0 + $results['pending_log_flushes'] = to_int($row[4]); + $results['pending_buf_pool_flushes'] = to_int($row[7]); + } + + # INSERT BUFFER AND ADAPTIVE HASH INDEX + elseif (strpos($line, 'Ibuf for space 0: size ') === 0 ) { + # Older InnoDB code seemed to be ready for an ibuf per tablespace. It + # had two lines in the output. Newer has just one line, see below. + # Ibuf for space 0: size 1, free list len 887, seg size 889, is not empty + # Ibuf for space 0: size 1, free list len 887, seg size 889, + $results['ibuf_used_cells'] = to_int($row[5]); + $results['ibuf_free_cells'] = to_int($row[9]); + $results['ibuf_cell_count'] = to_int($row[12]); + } + elseif (strpos($line, 'Ibuf: size ') === 0 ) { + # Ibuf: size 1, free list len 4634, seg size 4636, + $results['ibuf_used_cells'] = to_int($row[2]); + $results['ibuf_free_cells'] = to_int($row[6]); + $results['ibuf_cell_count'] = to_int($row[9]); + if (strpos($line, 'merges')) { + $results['ibuf_merges'] = to_int($row[10]); + } + } + elseif (strpos($line, ', delete mark ') > 0 && strpos($prev_line, 'merged operations:') === 0 ) { + # Output of show engine innodb status has changed in 5.5 + # merged operations: + # insert 593983, delete mark 387006, delete 73092 + $results['ibuf_inserts'] = to_int($row[1]); + $results['ibuf_merged'] = to_int($row[1]) + to_int($row[4]) + to_int($row[6]); + } + elseif (strpos($line, ' merged recs, ') > 0 ) { + # 19817685 inserts, 19817684 merged recs, 3552620 merges + $results['ibuf_inserts'] = to_int($row[0]); + $results['ibuf_merged'] = to_int($row[2]); + $results['ibuf_merges'] = to_int($row[5]); + } + elseif (strpos($line, 'Hash table size ') === 0 ) { + # In some versions of InnoDB, the used cells is omitted. + # Hash table size 4425293, used cells 4229064, .... + # Hash table size 57374437, node heap has 72964 buffer(s) <-- no used cells + $results['hash_index_cells_total'] = to_int($row[3]); + $results['hash_index_cells_used'] + = strpos($line, 'used cells') > 0 ? to_int($row[6]) : '0'; + } + + # LOG + elseif (strpos($line, " log i/o's done, ") > 0 ) { + # 3430041 log i/o's done, 17.44 log i/o's/second + # 520835887 log i/o's done, 17.28 log i/o's/second, 518724686 syncs, 2980893 checkpoints + # TODO: graph syncs and checkpoints + $results['log_writes'] = to_int($row[0]); + } + elseif (strpos($line, " pending log writes, ") > 0 ) { + # 0 pending log writes, 0 pending chkp writes + $results['pending_log_writes'] = to_int($row[0]); + $results['pending_chkp_writes'] = to_int($row[4]); + } + elseif (strpos($line, "Log sequence number") === 0 ) { + # This number is NOT printed in hex in InnoDB plugin. + # Log sequence number 13093949495856 //plugin + # Log sequence number 125 3934414864 //normal + $results['log_bytes_written'] + = isset($row[4]) + ? make_bigint($row[3], $row[4]) + : to_int($row[3]); + } + elseif (strpos($line, "Log flushed up to") === 0 ) { + # This number is NOT printed in hex in InnoDB plugin. + # Log flushed up to 13093948219327 + # Log flushed up to 125 3934414864 + $results['log_bytes_flushed'] + = isset($row[5]) + ? make_bigint($row[4], $row[5]) + : to_int($row[4]); + } + elseif (strpos($line, "Last checkpoint at") === 0 ) { + # Last checkpoint at 125 3934293461 + $results['last_checkpoint'] + = isset($row[4]) + ? make_bigint($row[3], $row[4]) + : to_int($row[3]); + } + + # BUFFER POOL AND MEMORY + elseif (strpos($line, "Total memory allocated") === 0 && strpos($line, "in additional pool allocated") > 0 ) { + # Total memory allocated 29642194944; in additional pool allocated 0 + # Total memory allocated by read views 96 + $results['total_mem_alloc'] = to_int($row[3]); + $results['additional_pool_alloc'] = to_int($row[8]); + } + elseif(strpos($line, 'Adaptive hash index ') === 0 ) { + # Adaptive hash index 1538240664 (186998824 + 1351241840) + $results['adaptive_hash_memory'] = to_int($row[3]); + } + elseif(strpos($line, 'Page hash ') === 0 ) { + # Page hash 11688584 + $results['page_hash_memory'] = to_int($row[2]); + } + elseif(strpos($line, 'Dictionary cache ') === 0 ) { + # Dictionary cache 145525560 (140250984 + 5274576) + $results['dictionary_cache_memory'] = to_int($row[2]); + } + elseif(strpos($line, 'File system ') === 0 ) { + # File system 313848 (82672 + 231176) + $results['file_system_memory'] = to_int($row[2]); + } + elseif(strpos($line, 'Lock system ') === 0 ) { + # Lock system 29232616 (29219368 + 13248) + $results['lock_system_memory'] = to_int($row[2]); + } + elseif(strpos($line, 'Recovery system ') === 0 ) { + # Recovery system 0 (0 + 0) + $results['recovery_system_memory'] = to_int($row[2]); + } + elseif(strpos($line, 'Threads ') === 0 ) { + # Threads 409336 (406936 + 2400) + $results['thread_hash_memory'] = to_int($row[1]); + } + elseif(strpos($line, 'innodb_io_pattern ') === 0 ) { + # innodb_io_pattern 0 (0 + 0) + $results['innodb_io_pattern_memory'] = to_int($row[1]); + } + elseif (strpos($line, "Buffer pool size ") === 0 ) { + # The " " after size is necessary to avoid matching the wrong line: + # Buffer pool size 1769471 + # Buffer pool size, bytes 28991012864 + $results['pool_size'] = to_int($row[3]); + } + elseif (strpos($line, "Free buffers") === 0 ) { + # Free buffers 0 + $results['free_pages'] = to_int($row[2]); + } + elseif (strpos($line, "Database pages") === 0 ) { + # Database pages 1696503 + $results['database_pages'] = to_int($row[2]); + } + elseif (strpos($line, "Modified db pages") === 0 ) { + # Modified db pages 160602 + $results['modified_pages'] = to_int($row[3]); + } + elseif (strpos($line, "Pages read ahead") === 0 ) { + # Must do this BEFORE the next test, otherwise it'll get fooled by this + # line from the new plugin (see samples/innodb-015.txt): + # Pages read ahead 0.00/s, evicted without access 0.06/s + # TODO: No-op for now, see issue 134. + } + elseif (strpos($line, "Pages read") === 0 ) { + # Pages read 15240822, created 1770238, written 21705836 + $results['pages_read'] = to_int($row[2]); + $results['pages_created'] = to_int($row[4]); + $results['pages_written'] = to_int($row[6]); + } + + # ROW OPERATIONS + elseif (strpos($line, 'Number of rows inserted') === 0 ) { + # Number of rows inserted 50678311, updated 66425915, deleted 20605903, read 454561562 + $results['rows_inserted'] = to_int($row[4]); + $results['rows_updated'] = to_int($row[6]); + $results['rows_deleted'] = to_int($row[8]); + $results['rows_read'] = to_int($row[10]); + } + elseif (strpos($line, " queries inside InnoDB, ") > 0 ) { + # 0 queries inside InnoDB, 0 queries in queue + $results['queries_inside'] = to_int($row[0]); + $results['queries_queued'] = to_int($row[4]); + } + $prev_line = $line; + } + + foreach ( array('spin_waits', 'spin_rounds', 'os_waits') as $key ) { + $results[$key] = to_int(array_sum($results[$key])); + } + $results['unflushed_log'] + = big_sub($results['log_bytes_written'], $results['log_bytes_flushed']); + $results['uncheckpointed_bytes'] + = big_sub($results['log_bytes_written'], $results['last_checkpoint']); + + return $results; +} + +# ============================================================================ +# Returns a bigint from two ulint or a single hex number. This is tested in +# t/mysql_stats.php and copied, without tests, to ss_get_by_ssh.php. +# ============================================================================ +function make_bigint ($hi, $lo = null) { + debug(array($hi, $lo)); + if (is_null($lo) ) { + # Assume it is a hex string representation. + return base_convert($hi, 16, 10); + } + else { + $hi = $hi ? $hi : '0'; # Handle empty-string or whatnot + $lo = $lo ? $lo : '0'; + return big_add(big_multiply($hi, 4294967296), $lo); + } +} + +# ============================================================================ +# Extracts the numbers from a string. You can't reliably do this by casting to +# an int, because numbers that are bigger than PHP's int (varies by platform) +# will be truncated. And you can't use sprintf(%u) either, because the maximum +# value that will return on some platforms is 4022289582. So this just handles +# them as a string instead. It extracts digits until it finds a non-digit and +# quits. This is tested in t/mysql_stats.php and copied, without tests, to +# ss_get_by_ssh.php. +# ============================================================================ +function to_int ( $str ) { + debug($str); + global $debug; + preg_match('{(\d+)}', $str, $m); + if (isset($m[1]) ) { + return $m[1]; + } + elseif ($debug ) { + print_r(debug_backtrace()); + } + else { + return 0; + } +} + +# ============================================================================ +# Wrap mysql_query in error-handling, and instead of returning the result, +# return an array of arrays in the result. +# ============================================================================ + +# ============================================================================ +function run_query($sql, $conn) { + global $debug; + debug($sql); + $result = @mysqli_query($conn, $sql); + if ( $debug && strpos($sql, 'SHOW SLAVE STATUS ') === false ) { + $error = @mysqli_error($conn); + if ( $error ) { + debug(array($sql, $error)); + die("SQLERR $error in $sql"); + } + } + $array = array(); + $count = @mysqli_num_rows($result); + if ( $count > 10000 ) { + debug('Abnormal number of rows returned: ' . $count); + } + else { + while ( $row = @mysqli_fetch_array($result) ) { + $array[] = $row; + } + } + debug(array($sql, $array)); + return $array; +} + +# Safely increments a value that might be null. +# ============================================================================ +function increment(&$arr, $key, $howmuch) { + debug(array($key, $howmuch)); + if (array_key_exists($key, $arr) && isset($arr[$key]) ) { + $arr[$key] = big_add($arr[$key], $howmuch); + } + else { + $arr[$key] = $howmuch; + } +} + +# ============================================================================ +# Multiply two big integers together as accurately as possible with reasonable +# effort. This is tested in t/mysql_stats.php and copied, without tests, to +# ss_get_by_ssh.php. $force is for testability. +# ============================================================================ +function big_multiply ($left, $right, $force = null) { + if (function_exists("gmp_mul") && (is_null($force) || $force == 'gmp') ) { + debug(array('gmp_mul', $left, $right)); + return gmp_strval( gmp_mul( $left, $right )); + } + elseif (function_exists("bcmul") && (is_null($force) || $force == 'bc') ) { + debug(array('bcmul', $left, $right)); + return bcmul( $left, $right ); + } + else { # Or $force == 'something else' + debug(array('sprintf', $left, $right)); + return sprintf("%.0f", $left * $right); + } +} + +# ============================================================================ +# Subtract two big integers as accurately as possible with reasonable effort. +# This is tested in t/mysql_stats.php and copied, without tests, to +# ss_get_by_ssh.php. $force is for testability. +# ============================================================================ +function big_sub ($left, $right, $force = null) { + debug(array($left, $right)); + if (is_null($left) ) { $left = 0; } + if (is_null($right) ) { $right = 0; } + if (function_exists("gmp_sub") && (is_null($force) || $force == 'gmp')) { + debug(array('gmp_sub', $left, $right)); + return gmp_strval( gmp_sub( $left, $right )); + } + elseif (function_exists("bcsub") && (is_null($force) || $force == 'bc')) { + debug(array('bcsub', $left, $right)); + return bcsub( $left, $right ); + } + else { # Or $force == 'something else' + debug(array('to_int', $left, $right)); + return to_int($left - $right); + } +} + +# ============================================================================ +# Add two big integers together as accurately as possible with reasonable +# effort. This is tested in t/mysql_stats.php and copied, without tests, to +# ss_get_by_ssh.php. $force is for testability. +# ============================================================================ +function big_add ($left, $right, $force = null) { + if (is_null($left) ) { $left = 0; } + if (is_null($right) ) { $right = 0; } + if (function_exists("gmp_add") && (is_null($force) || $force == 'gmp')) { + debug(array('gmp_add', $left, $right)); + return gmp_strval( gmp_add( $left, $right )); + } + elseif (function_exists("bcadd") && (is_null($force) || $force == 'bc')) { + debug(array('bcadd', $left, $right)); + return bcadd( $left, $right ); + } + else { # Or $force == 'something else' + debug(array('to_int', $left, $right)); + return to_int($left + $right); + } +} + +# ============================================================================ +# Writes to a debugging log. +# ============================================================================ +function debug($val) { + global $debug_log; + if (!$debug_log ) { + return; + } + if ($fp = fopen($debug_log, 'a+') ) { + $trace = debug_backtrace(); + $calls = array(); + $i = 0; + $line = 0; + $file = ''; + foreach ( debug_backtrace() as $arr ) { + if ($i++ ) { + $calls[] = "$arr[function]() at $file:$line"; + } + $line = array_key_exists('line', $arr) ? $arr['line'] : '?'; + $file = array_key_exists('file', $arr) ? $arr['file'] : '?'; + } + if (!count($calls) ) { + $calls[] = "at $file:$line"; + } + fwrite($fp, date('Y-m-d h:i:s') . ' ' . implode(' <- ', $calls)); + fwrite($fp, "\n" . var_export($val, TRUE) . "\n"); + fclose($fp); + } + else { # Disable logging + print("Warning: disabling debug logging to $debug_log\n"); + $debug_log = FALSE; + } +} diff --git a/initializers/oam/librenms/ntp-client b/initializers/oam/librenms/ntp-client new file mode 100644 index 0000000..eccb5e5 --- /dev/null +++ b/initializers/oam/librenms/ntp-client @@ -0,0 +1,34 @@ +#!/bin/sh +# Please make sure the paths below are correct. +# Alternatively you can put them in $0.conf, meaning if you've named +# this script ntp-client then it must go in ntp-client.conf . +# +# NTPQV output version of "ntpq -c rv" +# Version 4 is the most common and up to date version. +# +# If you are unsure, which to set, run this script and make sure that +# the JSON output variables match that in "ntpq -c rv". +# +################################################################ +# Don't change anything unless you know what are you doing # +################################################################ +BIN_NTPQ='/usr/bin/env ntpq' +BIN_GREP='/usr/bin/env grep' +BIN_AWK='/usr/bin/env awk' + +CONFIG=$0".conf" +if [ -f "$CONFIG" ]; then + # shellcheck disable=SC1090 + . "$CONFIG" +fi + +NTP_OFFSET=$($BIN_NTPQ -c rv | $BIN_GREP "offset" | $BIN_AWK -Foffset= '{print $2}' | $BIN_AWK -F, '{print $1}') +NTP_FREQUENCY=$($BIN_NTPQ -c rv | $BIN_GREP "frequency" | $BIN_AWK -Ffrequency= '{print $2}' | $BIN_AWK -F, '{print $1}') +NTP_SYS_JITTER=$($BIN_NTPQ -c rv | $BIN_GREP "sys_jitter" | $BIN_AWK -Fsys_jitter= '{print $2}' | $BIN_AWK -F, '{print $1}') +NTP_CLK_JITTER=$($BIN_NTPQ -c rv | $BIN_GREP "clk_jitter" | $BIN_AWK -Fclk_jitter= '{print $2}' | $BIN_AWK -F, '{print $1}') +NTP_WANDER=$($BIN_NTPQ -c rv | $BIN_GREP "clk_wander" | $BIN_AWK -Fclk_wander= '{print $2}' | $BIN_AWK -F, '{print $1}') +NTP_VERSION=$($BIN_NTPQ -c rv | $BIN_GREP "version" | $BIN_AWK -F'ntpd ' '{print $2}' | $BIN_AWK -F. '{print $1}') + +echo '{"data":{"offset":"'"$NTP_OFFSET"'","frequency":"'"$NTP_FREQUENCY"'","sys_jitter":"'"$NTP_SYS_JITTER"'","clk_jitter":"'"$NTP_CLK_JITTER"'","clk_wander":"'"$NTP_WANDER"'"},"version":"'"$NTP_VERSION"'","error":"0","errorString":""}' + +exit 0 diff --git a/initializers/oam/librenms/ntp-server.sh b/initializers/oam/librenms/ntp-server.sh new file mode 100644 index 0000000..bbf5c73 --- /dev/null +++ b/initializers/oam/librenms/ntp-server.sh @@ -0,0 +1,89 @@ +#!/bin/sh +# Please make sure the paths below are correct. +# Alternatively you can put them in $0.conf, meaning if you've named +# this script ntp-client.sh then it must go in ntp-client.sh.conf . +# +# NTPQV output version of "ntpq -c rv" +# p1 DD-WRT and some other outdated linux distros +# p11 FreeBSD 11 and any linux distro that is up to date +# +# If you are unsure, which to set, run this script and make sure that +# the JSON output variables match that in "ntpq -c rv". +# +BIN_NTPD='/usr/bin/env ntpd' +BIN_NTPQ='/usr/bin/env ntpq' +BIN_NTPDC='/usr/bin/env ntpdc' +BIN_GREP='/usr/bin/env grep' +BIN_TR='/usr/bin/env tr' +BIN_CUT='/usr/bin/env cut' +BIN_SED="/usr/bin/env sed" +BIN_AWK='/usr/bin/env awk' +NTPQV="p11" +################################################################ +# Don't change anything unless you know what are you doing # +################################################################ +CONFIG=$0".conf" +if [ -f $CONFIG ]; then + . $CONFIG +fi +VERSION=1 + +STRATUM=`$BIN_NTPQ -c rv | $BIN_GREP -Eow "stratum=[0-9]+" | $BIN_CUT -d "=" -f 2` + +# parse the ntpq info that requires version specific info +NTPQ_RAW=`$BIN_NTPQ -c rv | $BIN_GREP jitter | $BIN_SED 's/[[:alpha:]=,_]/ /g'` +if [ $NTPQV = "p11" ]; then + OFFSET=`echo $NTPQ_RAW | $BIN_AWK -F ' ' '{print $3}'` + FREQUENCY=`echo $NTPQ_RAW | $BIN_AWK -F ' ' '{print $4}'` + SYS_JITTER=`echo $NTPQ_RAW | $BIN_AWK -F ' ' '{print $5}'` + CLK_JITTER=`echo $NTPQ_RAW | $BIN_AWK -F ' ' '{print $6}'` + CLK_WANDER=`echo $NTPQ_RAW | $BIN_AWK -F ' ' '{print $7}'` +fi +if [ $NTPQV = "p1" ]; then + OFFSET=`echo $NTPQ_RAW | $BIN_AWK -F ' ' '{print $2}'` + FREQUENCY=`echo $NTPQ_RAW | $BIN_AWK -F ' ' '{print $3}'` + SYS_JITTER=`echo $NTPQ_RAW | $BIN_AWK -F ' ' '{print $4}'` + CLK_JITTER=`echo $NTPQ_RAW | $BIN_AWK -F ' ' '{print $5}'` + CLK_WANDER=`echo $NTPQ_RAW | $BIN_AWK -F ' ' '{print $6}'` +fi + +VER=`$BIN_NTPD --version` +if [ "$VER" = '4.2.6p5' ]; then + USECMD=`echo $BIN_NTPDC -c iostats` +else + USECMD=`echo $BIN_NTPQ -c iostats localhost` +fi +CMD2=`$USECMD | $BIN_TR -d ' ' | $BIN_CUT -d : -f 2 | $BIN_TR '\n' ' '` + +TIMESINCERESET=`echo $CMD2 | $BIN_AWK -F ' ' '{print $1}'` +RECEIVEDBUFFERS=`echo $CMD2 | $BIN_AWK -F ' ' '{print $2}'` +FREERECEIVEBUFFERS=`echo $CMD2 | $BIN_AWK -F ' ' '{print $3}'` +USEDRECEIVEBUFFERS=`echo $CMD2 | $BIN_AWK -F ' ' '{print $4}'` +LOWWATERREFILLS=`echo $CMD2 | $BIN_AWK -F ' ' '{print $5}'` +DROPPEDPACKETS=`echo $CMD2 | $BIN_AWK -F ' ' '{print $6}'` +IGNOREDPACKETS=`echo $CMD2 | $BIN_AWK -F ' ' '{print $7}'` +RECEIVEDPACKETS=`echo $CMD2 | $BIN_AWK -F ' ' '{print $8}'` +PACKETSSENT=`echo $CMD2 | $BIN_AWK -F ' ' '{print $9}'` +PACKETSENDFAILURES=`echo $CMD2 | $BIN_AWK -F ' ' '{print $10}'` +INPUTWAKEUPS=`echo $CMD2 | $BIN_AWK -F ' ' '{print $11}'` +USEFULINPUTWAKEUPS=`echo $CMD2 | $BIN_AWK -F ' ' '{print $12}'` + +echo '{"data":{"offset":"'$OFFSET\ +'","frequency":"'$FREQUENCY\ +'","sys_jitter":"'$SYS_JITTER\ +'","clk_jitter":"'$CLK_JITTER\ +'","clk_wander":"'$CLK_WANDER\ +'","stratum":"'$STRATUM\ +'","time_since_reset":"'$TIMESINCERESET\ +'","receive_buffers":"'$RECEIVEDBUFFERS\ +'","free_receive_buffers":"'$FREERECEIVEBUFFERS\ +'","used_receive_buffers":"'$USEDRECEIVEBUFFERS\ +'","low_water_refills":"'$LOWWATERREFILLS\ +'","dropped_packets":"'$DROPPEDPACKETS\ +'","ignored_packets":"'$IGNOREDPACKETS\ +'","received_packets":"'$RECEIVEDPACKETS\ +'","packets_sent":"'$PACKETSSENT\ +'","packet_send_failures":"'$PACKETSENDFAILURES\ +'","input_wakeups":"'$PACKETSENDFAILURES\ +'","useful_input_wakeups":"'$USEFULINPUTWAKEUPS\ +'"},"error":"0","errorString":"","version":"'$VERSION'"}' diff --git a/initializers/oam/librenms/os-updates.sh b/initializers/oam/librenms/os-updates.sh new file mode 100644 index 0000000..33e1f9c --- /dev/null +++ b/initializers/oam/librenms/os-updates.sh @@ -0,0 +1,73 @@ +#!/usr/bin/env bash +################################################################ +# copy this script to /etc/snmp/ and make it executable: # +# chmod +x /etc/snmp/os-updates.sh # +# ------------------------------------------------------------ # +# edit your snmpd.conf and include: # +# extend osupdate /opt/os-updates.sh # +#--------------------------------------------------------------# +# restart snmpd and activate the app for desired host # +#--------------------------------------------------------------# +# please make sure you have the path/binaries below # +################################################################ +BIN_WC='/usr/bin/wc' +BIN_GREP='/bin/grep' +CMD_GREP='-c' +CMD_WC='-l' +BIN_ZYPPER='/usr/bin/zypper' +CMD_ZYPPER='-q lu' +BIN_YUM='/usr/bin/yum' +CMD_YUM='-q check-update' +BIN_DNF='/usr/bin/dnf' +CMD_DNF='-q check-update' +BIN_APT='/usr/bin/apt-get' +CMD_APT='-qq -s upgrade' +BIN_PACMAN='/usr/bin/pacman' +CMD_PACMAN='-Sup' + +################################################################ +# Don't change anything unless you know what are you doing # +################################################################ +if [ -f $BIN_ZYPPER ]; then + # OpenSUSE + UPDATES=`$BIN_ZYPPER $CMD_ZYPPER | $BIN_WC $CMD_WC` + if [ $UPDATES -ge 2 ]; then + echo $(($UPDATES-2)); + else + echo "0"; + fi +elif [ -f $BIN_DNF ]; then + # Fedora + UPDATES=`$BIN_DNF $CMD_DNF | $BIN_WC $CMD_WC` + if [ $UPDATES -ge 1 ]; then + echo $(($UPDATES-1)); + else + echo "0"; + fi +elif [ -f $BIN_PACMAN ]; then + # Arch + UPDATES=`$BIN_PACMAN $CMD_PACMAN | $BIN_WC $CMD_WC` + if [ $UPDATES -ge 1 ]; then + echo $(($UPDATES-1)); + else + echo "0"; + fi +elif [ -f $BIN_YUM ]; then + # CentOS / Redhat + UPDATES=`$BIN_YUM $CMD_YUM | $BIN_WC $CMD_WC` + if [ $UPDATES -ge 1 ]; then + echo $(($UPDATES-1)); + else + echo "0"; + fi +elif [ -f $BIN_APT ]; then + # Debian / Devuan / Ubuntu + UPDATES=`$BIN_APT $CMD_APT | $BIN_GREP $CMD_GREP 'Inst'` + if [ $UPDATES -ge 1 ]; then + echo $UPDATES; + else + echo "0"; + fi +else + echo "0"; +fi diff --git a/initializers/oam/librenms/postfix-queues b/initializers/oam/librenms/postfix-queues new file mode 100644 index 0000000..1d3491e --- /dev/null +++ b/initializers/oam/librenms/postfix-queues @@ -0,0 +1,13 @@ +#!/bin/bash + +#Written by Valec 2006. Steal and share. +#Get postfix queue lengths + +#extend mailq /opt/observer/scripts/getmailq.sh + +QUEUES="incoming active deferred hold" + +for i in $QUEUES; do + COUNT=$(qshape "$i" | grep TOTAL | awk '{print $2}') + printf "$COUNT\n" +done diff --git a/initializers/oam/librenms/postfixdetailed b/initializers/oam/librenms/postfixdetailed new file mode 100644 index 0000000..e6cb1e9 --- /dev/null +++ b/initializers/oam/librenms/postfixdetailed @@ -0,0 +1,548 @@ +#!/usr/bin/env perl + +# add this to your snmpd.conf file as below +# extend postfixdetailed /etc/snmp/postfixdetailed + +# The cache file to use. +my $cache='/var/cache/postfixdetailed'; + +# the location of pflogsumm +my $pflogsumm='/usr/bin/env pflogsumm'; + +#totals +# 847 received = received +# 852 delivered = delivered +# 0 forwarded = forwarded +# 3 deferred (67 deferrals)= deferred +# 0 bounced = bounced +# 593 rejected (41%) = rejected +# 0 reject warnings = rejectw +# 0 held = held +# 0 discarded (0%) = discarded + +# 16899k bytes received = bytesr +# 18009k bytes delivered = bytesd +# 415 senders = senders +# 266 sending hosts/domains = sendinghd +# 15 recipients = recipients +# 9 recipient hosts/domains = recipienthd + +######message deferral detail +#Connection refused = deferralcr +#Host is down = deferralhid + +########message reject detail +#Client host rejected = chr +#Helo command rejected: need fully-qualified hostname = hcrnfqh +#Sender address rejected: Domain not found = sardnf +#Sender address rejected: not owned by user = sarnobu +#blocked using = bu +#Recipient address rejected: User unknown = raruu +#Helo command rejected: Invalid name = hcrin +#Sender address rejected: need fully-qualified address = sarnfqa +#Recipient address rejected: Domain not found = rardnf +#Recipient address rejected: need fully-qualified address = rarnfqa +#Improper use of SMTP command pipelining = iuscp +#Message size exceeds fixed limit = msefl +#Server configuration error = sce +#Server configuration problem = scp +#unknown reject reason = urr + +my $old=''; + +#reads in the old data if it exists +if ( -f $cache ){ + open(my $fh, "<", $cache) or die "Can't open '".$cache."'"; + # if this is over 2048, something is most likely wrong + read($fh , $old , 2048); + close($fh); +} + +my ( $received, + $delivered, + $forwarded, + $deferred, + $bounced, + $rejected, + $rejectw, + $held, + $discarded, + $bytesr, + $bytesd, + $senders, + $sendinghd, + $recipients, + $recipienthd, + $deferralcr, + $deferralhid, + $chr, + $hcrnfqh, + $sardnf, + $sarnobu, + $bu, + $raruu, + $hcrin, + $sarnfqa, + $rardnf, + $rarnfqa, + $iuscp, + $sce, + $scp, + $urr, + $msefl) = split ( /\n/, $old ); + +if ( ! defined( $received ) ){ $received=0; } +if ( ! defined( $delivered ) ){ $delivered=0; } +if ( ! defined( $forwarded ) ){ $forwarded=0; } +if ( ! defined( $deferred ) ){ $deferred=0; } +if ( ! defined( $bounced ) ){ $bounced=0; } +if ( ! defined( $rejected ) ){ $rejected=0; } +if ( ! defined( $rejectw ) ){ $rejectw=0; } +if ( ! defined( $held ) ){ $held=0; } +if ( ! defined( $discarded ) ){ $discarded=0; } +if ( ! defined( $bytesr ) ){ $bytesr=0; } +if ( ! defined( $bytesd ) ){ $bytesd=0; } +if ( ! defined( $senders ) ){ $senders=0; } +if ( ! defined( $sendinghd ) ){ $sendinghd=0; } +if ( ! defined( $recipients ) ){ $recipients=0; } +if ( ! defined( $recipienthd ) ){ $recipienthd=0; } +if ( ! defined( $deferralcr ) ){ $deferralcr=0; } +if ( ! defined( $deferralhid ) ){ $deferralhid=0; } +if ( ! defined( $chr ) ){ $chr=0; } +if ( ! defined( $hcrnfqh ) ){ $hcrnfqh=0; } +if ( ! defined( $sardnf ) ){ $sardnf=0; } +if ( ! defined( $sarnobu ) ){ $sarnobu=0; } +if ( ! defined( $bu ) ){ $bu=0; } +if ( ! defined( $raruu ) ){ $raruu=0; } +if ( ! defined( $hcrin ) ){ $hcrin=0; } +if ( ! defined( $sarnfqa ) ){ $sarnfqa=0; } +if ( ! defined( $rardnf ) ){ $rardnf=0; } +if ( ! defined( $rarnfqa ) ){ $rarnfqa=0; } +if ( ! defined( $iuscp ) ){ $iuscp=0; } +if ( ! defined( $msefl ) ){ $msefl=0; } +if ( ! defined( $sce ) ){ $sce=0; } +if ( ! defined( $scp ) ){ $scp=0; } +if ( ! defined( $urr ) ){ $urr=0; } + +#init current variables +my $receivedC=0; +my $deliveredC=0; +my $forwardedC=0; +my $deferredC=0; +my $bouncedC=0; +my $rejectedC=0; +my $rejectwC=0; +my $heldC=0; +my $discardedC=0; +my $bytesrC=0; +my $bytesdC=0; +my $sendersC=0; +my $sendinghdC=0; +my $recipientsC=0; +my $recipienthdC=0; +my $deferralcrC=0; +my $deferralhidC=0; +my $hcrnfqhC=0; +my $sardnfC=0; +my $sarnobuC=0; +my $buC=0; +my $raruuC=0; +my $hcrinC=0; +my $sarnfqaC=0; +my $rardnfC=0; +my $rarnfqaC=0; +my $iuscpC=0; +my $mseflC=0; +my $sceC=0; +my $scpC=0; +my $urrC=0; + +sub newValue{ + my $old=$_[0]; + my $new=$_[1]; + + #if new is undefined, just default to 0... this should never happen + if ( !defined( $new ) ){ + warn('New not defined'); + return 0; + } + + #sets it to 0 if old is not defined + if ( !defined( $old ) ){ + warn('Old not defined'); + $old=0; + } + + #make sure they are both numberic and if not set to zero + if( $old !~ /^[0123456789]*$/ ){ + warn('Old not numeric'); + $old=0; + } + if( $new !~ /^[0123456789]*$/ ){ + warn('New not numeric'); + $new=0; + } + + #log rotation happened + if ( $old > $new ){ + return $new; + }; + + return $new - $old; +} + + +my $output=`$pflogsumm /var/log/maillog`; + +#holds RBL values till the end when it is compared to the old one +my $buNew=0; + + +#holds client host rejected values till the end when it is compared to the old one +my $chrNew=0; + +# holds recipient address rejected values till the end when it is compared to the old one +my $raruuNew=0; + +#holds the current values for checking later +my $current=''; + +my @outputA=split( /\n/, $output ); +my $int=0; +while ( defined( $outputA[$int] ) ){ + my $line=$outputA[$int]; + + $line=~s/^ *//; + $line=~s/ +/ /g; + $line=~s/\)$//; + + my $handled=0; + + #received line + if ( ( $line =~ /[0123456789] received$/ ) && ( ! $handled ) ){ + $line=~s/ .*//; + $receivedC=$line; + $received=newValue( $received, $line ); + $handled=1; + } + + #delivered line + if ( ( $line =~ /[0123456789] delivered$/ ) && ( ! $handled ) ){ + $line=~s/ .*//; + $deliveredC=$line; + $delivered=newValue( $delivered, $line ); + $handled=1; + } + + #forward line + if ( ( $line =~ /[0123456789] forwarded$/ ) && ( ! $handled ) ){ + $line=~s/ .*//; + $forwardedC=$line; + $forwarded=newValue( $forwarded, $line ); + $handled=1; + } + + #defereed line + if ( ( $line =~ /[0123456789] deferred \(/ ) && ( ! $handled ) ){ + $line=~s/ .*//; + $deferredC=$line; + $deferred=newValue( $deferred, $line ); + $handled=1; + } + + #bounced line + if ( ( $line =~ /[0123456789] bounced$/ ) && ( ! $handled ) ){ + $line=~s/ .*//; + $bouncedC=$line; + $bounced=newValue( $bounced, $line ); + $handled=1; + } + + #rejected line + if ( ( $line =~ /[0123456789] rejected \(/ ) && ( ! $handled ) ){ + $line=~s/ .*//; + $rejectedC=$line; + $rejected=newValue( $rejected, $line ); + $handled=1; + } + + #reject warning line + if ( ( $line =~ /[0123456789] reject warnings/ ) && ( ! $handled ) ){ + $line=~s/ .*//; + $rejectwC=$line; + $rejectw=newValue( $rejectw, $line ); + $handled=1; + } + + #held line + if ( ( $line =~ /[0123456789] held$/ ) && ( ! $handled ) ){ + $line=~s/ .*//; + $heldC=$line; + $held=newValue( $held, $line ); + $handled=1; + } + + #discarded line + if ( ( $line =~ /[0123456789] discarded \(/ ) && ( ! $handled ) ){ + $line=~s/ .*//; + $discardedC=$line; + $discarded=newValue( $discarded, $line ); + $handled=1; + } + + #bytes received line + if ( ( $line =~ /[0123456789kM] bytes received$/ ) && ( ! $handled ) ){ + $line=~s/ .*//; + $line=~s/k/000/; + $line=~s/M/000000/; + $bytesrC=$line; + $bytesr=newValue( $bytesr, $line ); + $handled=1; + } + + #bytes delivered line + if ( ( $line =~ /[0123456789kM] bytes delivered$/ ) && ( ! $handled ) ){ + $line=~s/ .*//; + $line=~s/k/000/; + $line=~s/M/000000/; + $bytesdC=$line; + $bytesd=newValue( $bytesd, $line ); + $handled=1; + } + + #senders line + if ( ( $line =~ /[0123456789] senders$/ ) && ( ! $handled ) ){ + $line=~s/ .*//; + $sendersC=$line; + $senders=newValue( $senders, $line ); + $handled=1; + } + + #sendering hosts/domains line + if ( ( $line =~ /[0123456789] sending hosts\/domains$/ ) && ( ! $handled ) ){ + $line=~s/ .*//; + $sendinghdC=$line; + $sendinghd=newValue( $sendinghd, $line ); + $handled=1; + } + + #recipients line + if ( ( $line =~ /[0123456789] recipients$/ ) && ( ! $handled ) ){ + $line=~s/ .*//; + $recipientsC=$line; + $recipients=newValue( $recipients, $line ); + $handled=1; + } + + #recipients line + if ( ( $line =~ /[0123456789] recipient hosts\/domains$/ ) && ( ! $handled ) ){ + $line=~s/ .*//; + $recipienthdC=$line; + $recipienthd=newValue( $recipienthd, $line ); + $handled=1; + } + + # deferrals connectios refused + if ( ( $line =~ /[0123456789] 25\: Connection refused$/ ) && ( ! $handled ) ){ + $line=~s/ .*//; + $deferralcrC=$line; + $deferralcr=newValue( $deferralcr, $line ); + $handled=1; + } + + # deferrals Host is down + if ( ( $line =~ /Host is down$/ ) && ( ! $handled ) ){ + $line=~s/ .*//; + $deferralcrC=$line; + $deferralhidC=$line; + $deferralhid=newValue( $deferralhid, $line ); + $handled=1; + } + + # Client host rejected + if ( ( $line =~ /Client host rejected/ ) && ( ! $handled ) ){ + $line=~s/.*\: //g; + $chrNew=$chrNew + $line; + $handled=1; + } + + #Helo command rejected: need fully-qualified hostname + if ( ( $line =~ /Helo command rejected\: need fully\-qualified hostname/ ) && ( ! $handled ) ){ + $line=~s/.*\: //g; + $hcrnfqhC=$line; + $hcrnfqh=newValue( $hcrnfqh, $line ); + $handled=1; + } + + #Sender address rejected: Domain not found + if ( ( $line =~ /Sender address rejected\: Domain not found/ ) && ( ! $handled ) ){ + $line=~s/.*\: //g; + $sardnfC=$line; + $sardnf=newValue( $sardnf, $line ); + $handled=1; + } + + #Sender address rejected: not owned by user + if ( ( $line =~ /Sender address rejected\: not owned by user/ ) && ( ! $handled ) ){ + $line=~s/.*\: //g; + $sarnobuC=$line; + $sarnobu=newValue( $sarnobu, $line ); + $handled=1; + } + + #blocked using + # These lines are RBLs so there will be more than one. + # Use $buNew to add them all up. + if ( ( $line =~ /blocked using/ ) && ( ! $handled ) ){ + $line=~s/.*\: //g; + $buNew=$buNew + $line; + $handled=1; + } + + #Recipient address rejected: User unknown + if ( ( $line =~ /Recipient address rejected\: User unknown/ ) && ( ! $handled ) ){ + $line=~s/.*\: //g; + $raruuNew=$raruuNew + $line; + $handled=1; + } + + #Helo command rejected: Invalid name + if ( ( $line =~ /Helo command rejected\: Invalid name/ ) && ( ! $handled ) ){ + $line=~s/.*\: //g; + $hcrinC=$line; + $hcrin=newValue( $hcrin, $line ); + } + + #Sender address rejected: need fully-qualified address + if ( ( $line =~ /Sender address rejected\: need fully-qualified address/ ) && ( ! $handled ) ){ + $line=~s/.*\: //g; + $sarnfqaC=$line; + $sarnfqa=newValue( $sarnfqa, $line ); + } + + #Recipient address rejected: Domain not found + if ( ( $line =~ /Recipient address rejected\: Domain not found/ ) && ( ! $handled ) ){ + $line=~s/.*\: //g; + $rardnfC=$line; + $rardnf=newValue( $rardnf, $line ); + } + + #Improper use of SMTP command pipelining + if ( ( $line =~ /Improper use of SMTP command pipelining/ ) && ( ! $handled ) ){ + $line=~s/.*\: //g; + $iuscpC=$line; + $iuscp=newValue( $iuscp, $line ); + } + + #Message size exceeds fixed limit + if ( ( $line =~ /Message size exceeds fixed limit/ ) && ( ! $handled ) ){ + $line=~s/.*\: //g; + $mseflC=$line; + $msefl=newValue( $msefl, $line ); + } + + #Server configuration error + if ( ( $line =~ /Server configuration error/ ) && ( ! $handled ) ){ + $line=~s/.*\: //g; + $sceC=$line; + $sce=newValue( $sce, $line ); + } + + #Server configuration problem + if ( ( $line =~ /Server configuration problem/ ) && ( ! $handled ) ){ + $line=~s/.*\: //g; + $scpC=$line; + $scp=newValue( $scp, $line ); + } + + #unknown reject reason + if ( ( $line =~ /unknown reject reason/ ) && ( ! $handled ) ){ + $line=~s/.*\: //g; + $urrC=$line; + $urr=newValue( $urr, $line ); + } + + $int++; +} + + +# final client host rejected total +$chr=newValue( $chr, $chrNew ); + +# final RBL total +$bu=newValue( $bu, $buNew ); + +# final recipient address rejected total +$raruu=newValue( $raruu, $raruuNew ); + +my $data=$received."\n". + $delivered."\n". + $forwarded."\n". + $deferred."\n". + $bounced."\n". + $rejected."\n". + $rejectw."\n". + $held."\n". + $discarded."\n". + $bytesr."\n". + $bytesd."\n". + $senders."\n". + $sendinghd."\n". + $recipients."\n". + $recipienthd."\n". + $deferralcr."\n". + $deferralhid."\n". + $chr."\n". + $hcrnfqh."\n". + $sardnf."\n". + $sarnobu."\n". + $bu."\n". + $raruu."\n". + $hcrin."\n". + $sarnfqa."\n". + $rardnf."\n". + $rarnfqa."\n". + $iuscp."\n". + $sce."\n". + $scp."\n". + $urr."\n". + $msefl."\n"; + +print $data; + +my $current=$receivedC."\n". + $deliveredC."\n". + $forwardedC."\n". + $deferredC."\n". + $bouncedC."\n". + $rejectedC."\n". + $rejectwC."\n". + $heldC."\n". + $discardedC."\n". + $bytesrC."\n". + $bytesdC."\n". + $sendersC."\n". + $sendinghdC."\n". + $recipientsC."\n". + $recipienthdC."\n". + $deferralcrC."\n". + $deferralhidC."\n". + $chrNew."\n". + $hcrnfqhC."\n". + $sardnfC."\n". + $sarnobuC."\n". + $buNew."\n". + $raruuNew."\n". + $hcrinC."\n". + $sarnfqaC."\n". + $rardnfC."\n". + $rarnfqaC."\n". + $iuscpC."\n". + $sceC."\n". + $scpC."\n". + $urrC."\n". + $mseflC."\n"; + +open(my $fh, ">", $cache) or die "Can't open '".$cache."'"; +print $fh $current; +close($fh); diff --git a/initializers/oam/librenms/raspberry.sh b/initializers/oam/librenms/raspberry.sh new file mode 100644 index 0000000..404e815 --- /dev/null +++ b/initializers/oam/librenms/raspberry.sh @@ -0,0 +1,46 @@ +#!/bin/bash +####################################### +# please read DOCS to succesfully get # +# raspberry sensors into your host # +####################################### +picmd='/usr/bin/vcgencmd' +pised='/bin/sed' +getTemp='measure_temp' +getVoltsCore='measure_volts core' +getVoltsRamC='measure_volts sdram_c' +getVoltsRamI='measure_volts sdram_i' +getVoltsRamP='measure_volts sdram_p' +getFreqArm='measure_clock arm' +getFreqCore='measure_clock core' +getStatusH264='codec_enabled H264' +getStatusMPG2='codec_enabled MPG2' +getStatusWVC1='codec_enabled WVC1' +getStatusMPG4='codec_enabled MPG4' +getStatusMJPG='codec_enabled MJPG' +getStatusWMV9='codec_enabled WMV9' + +$picmd $getTemp | $pised 's|[^0-9.]||g' +$picmd "$getVoltsCore" | $pised 's|[^0-9.]||g' +$picmd "$getVoltsRamC" | $pised 's|[^0-9.]||g' +$picmd "$getVoltsRamI" | $pised 's|[^0-9.]||g' +$picmd "$getVoltsRamP" | $pised 's|[^0-9.]||g' +$picmd "$getFreqArm" | $pised 's/frequency([0-9]*)=//g' +$picmd "$getFreqCore" | $pised 's/frequency([0-9]*)=//g' +$picmd "$getStatusH264" | $pised 's/H264=//g' +$picmd "$getStatusMPG2" | $pised 's/MPG2=//g' +$picmd "$getStatusWVC1" | $pised 's/WVC1=//g' +$picmd "$getStatusMPG4" | $pised 's/MPG4=//g' +$picmd "$getStatusMJPG" | $pised 's/MJPG=//g' +$picmd "$getStatusWMV9" | $pised 's/WMV9=//g' +$picmd "$getStatusH264" | $pised 's/enabled/2/g' +$picmd "$getStatusMPG2" | $pised 's/enabled/2/g' +$picmd "$getStatusWVC1" | $pised 's/enabled/2/g' +$picmd "$getStatusMPG4" | $pised 's/enabled/2/g' +$picmd "$getStatusMJPG" | $pised 's/enabled/2/g' +$picmd "$getStatusWMV9" | $pised 's/enabled/2/g' +$picmd "$getStatusH264" | $pised 's/disabled/1/g' +$picmd "$getStatusMPG2" | $pised 's/disabled/1/g' +$picmd "$getStatusWVC1" | $pised 's/disabled/1/g' +$picmd "$getStatusMPG4" | $pised 's/disabled/1/g' +$picmd "$getStatusMJPG" | $pised 's/disabled/1/g' +$picmd "$getStatusWMV9" | $pised 's/disabled/1/g' diff --git a/initializers/oam/librenms/smart b/initializers/oam/librenms/smart new file mode 100644 index 0000000..935ed7a --- /dev/null +++ b/initializers/oam/librenms/smart @@ -0,0 +1,929 @@ +#!/usr/bin/env perl +#Copyright (c) 2024, Zane C. Bowers-Hadley +#All rights reserved. +# +#Redistribution and use in source and binary forms, with or without modification, +#are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, +# this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +#THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +#ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +#WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +#IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +#INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +#BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +#DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +#LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +#OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF +#THE POSSIBILITY OF SUCH DAMAGE. + +=for comment + +Add this to snmpd.conf like below. + + extend smart /etc/snmp/smart + +Then add to root's cron tab, if you have more than a few disks. + + */5 * * * * /etc/snmp/extends/smart -u + +You will also need to create the config file, which defaults to the same path as the script, +but with .config appended. So if the script is located at /etc/snmp/smart, the config file +will be /etc/snmp/extends/smart.config. Alternatively you can also specific a config via -c. + +Anything starting with a # is comment. The format for variables is $variable=$value. Empty +lines are ignored. Spaces and tabes at either the start or end of a line are ignored. Any +line with out a matched variable or # are treated as a disk. + + #This is a comment + cache=/var/cache/smart + smartctl=/usr/local/sbin/smartctl + useSN=0 + ada0 + da5 /dev/da5 -d sat + twl0,0 /dev/twl0 -d 3ware,0 + twl0,1 /dev/twl0 -d 3ware,1 + twl0,2 /dev/twl0 -d 3ware,2 + +The variables are as below. + + cache = The path to the cache file to use. Default: /var/cache/smart + smartctl = The path to use for smartctl. Default: /usr/bin/env smartctl + useSN = If set to 1, it will use the disks SN for reporting instead of the device name. + 1 is the default. 0 will use the device name. + +A disk line is can be as simple as just a disk name under /dev/. Such as in the config above +The line "ada0" would resolve to "/dev/ada0" and would be called with no special argument. If +a line has a space in it, everything before the space is treated as the disk name and is what +used for reporting and everything after that is used as the argument to be passed to smartctl. + +If you want to guess at the configuration, call it with -g and it will print out what it thinks +it should be. + + +Switches: + +-c The config file to use. +-u Update +-p Pretty print the JSON. +-Z GZip+Base64 compress the results. + +-g Guess at the config and print it to STDOUT +-C Enable manual checking for guess and cciss. +-S Set useSN to 0 when using -g +-t Run the specified smart self test on all the devices. +-U When calling cciss_vol_status, call it with -u. +-G Guess modes to use. This is a comma seperated list. + Default :: scan-open,cciss-vol-status + +Guess Modes: + +- scan :: Use "--scan" with smartctl. "scan-open" will take presidence. + +- scan-open :: Call smartctl with "--scan-open". + +- cciss-vol-status :: Freebsd/Linux specific and if it sees /dev/sg0(on Linux) or + /dev/ciss0(on FreebSD) it will attempt to find drives via cciss-vol-status, + and then optionally checking for disks via smrtctl if -C is given. Should be noted + though that -C will not find drives that are currently missing/failed. If -U is given, + cciss_vol_status will be called with -u. + +=cut + +## +## You should not need to touch anything below here. +## +use warnings; +use strict; +use Getopt::Std; +use JSON; +use MIME::Base64; +use IO::Compress::Gzip qw(gzip $GzipError); + +my $cache = '/var/cache/smart'; +my $smartctl = '/usr/bin/env smartctl'; +my @disks; +my $useSN = 1; + +$Getopt::Std::STANDARD_HELP_VERSION = 1; + +sub main::VERSION_MESSAGE { + print "SMART SNMP extend 0.3.2\n"; +} + +sub main::HELP_MESSAGE { + &VERSION_MESSAGE; + print "\n" . "-u Update '" . $cache . "'\n" . '-g Guess at the config and print it to STDOUT +-c The config file to use. +-p Pretty print the JSON. +-Z GZip+Base64 compress the results. +-C Enable manual checking for guess and cciss. +-S Set useSN to 0 when using -g +-t Run the specified smart self test on all the devices. +-U When calling cciss_vol_status, call it with -u. +-G Guess modes to use. This is a comma seperated list. + Default :: scan-open,cciss-vol-status + + +Scan Modes: + +- scan :: Use "--scan" with smartctl. "scan-open" will take presidence. + +- scan-open :: Call smartctl with "--scan-open". + +- cciss-vol-status :: Freebsd/Linux specific and if it sees /dev/sg0(on Linux) or + /dev/ciss0(on FreebSD) it will attempt to find drives via cciss-vol-status, + and then optionally checking for disks via smrtctl if -C is given. Should be noted + though that -C will not find drives that are currently missing/failed. If -U is given, + cciss_vol_status will be called with -u. +'; + +} ## end sub main::HELP_MESSAGE + +#gets the options +my %opts = (); +getopts( 'ugc:pZhvCSGt:U', \%opts ); + +if ( $opts{h} ) { + &HELP_MESSAGE; + exit; +} +if ( $opts{v} ) { + &VERSION_MESSAGE; + exit; +} + +# +# figure out what scan modes to use if -g specified +# +my $scan_modes = { + 'scan-open' => 0, + 'scan' => 0, + 'cciss_vol_status' => 0, +}; +if ( $opts{g} ) { + if ( !defined( $opts{G} ) ) { + $opts{G} = 'scan-open,cciss_vol_status'; + } + $opts{G} =~ s/[\ \t]//g; + my @scan_modes_split = split( /,/, $opts{G} ); + foreach my $mode (@scan_modes_split) { + if ( !defined $scan_modes->{$mode} ) { + die( '"' . $mode . '" is not a recognized scan mode' ); + } + $scan_modes->{$mode} = 1; + } +} ## end if ( $opts{g} ) + +# configure JSON for later usage +# only need to do this if actually running as in -g is not specified +my $json; +if ( !$opts{g} ) { + + $json = JSON->new->allow_nonref->canonical(1); + if ( $opts{p} ) { + $json->pretty; + } +} + +# +# +# guess if asked +# +# +if ( defined( $opts{g} ) ) { + + #get what path to use for smartctl + $smartctl = `which smartctl`; + chomp($smartctl); + if ( $? != 0 ) { + warn("'which smartctl' failed with a exit code of $?"); + exit 1; + } + + #try to touch the default cache location and warn if it can't be done + system( 'touch ' . $cache . '>/dev/null' ); + if ( $? != 0 ) { + $cache = '#Could not touch ' . $cache . "You will need to manually set it\n" . "cache=?\n"; + } else { + system( 'rm -f ' . $cache . '>/dev/null' ); + $cache = 'cache=' . $cache . "\n"; + } + + my $drive_lines = ''; + + # + # + # scan-open and scan guess mode handling + # + # + if ( $scan_modes->{'scan-open'} || $scan_modes->{'scan'} ) { + # used for checking if a disk has been found more than once + my %found_disks_names; + my @argumentsA; + + # use scan-open if it is set, overriding scan if it is also set + my $mode = 'scan'; + if ( $scan_modes->{'scan-open'} ) { + $mode = 'scan-open'; + } + + #have smartctl scan and see if it finds anythings not get found + my $scan_output = `$smartctl --$mode`; + my @scan_outputA = split( /\n/, $scan_output ); + + # remove non-SMART devices sometimes returned + @scan_outputA = grep( !/ses[0-9]/, @scan_outputA ); # not a disk, but may or may not have SMART attributes + @scan_outputA = grep( !/pass[0-9]/, @scan_outputA ); # very likely a duplicate and a disk under another name + @scan_outputA = grep( !/cd[0-9]/, @scan_outputA ); # CD drive + if ( $^O eq 'freebsd' ) { + @scan_outputA = grep( !/sa[0-9]/, @scan_outputA ); # tape drive + @scan_outputA = grep( !/ctl[0-9]/, @scan_outputA ); # CAM target layer + } elsif ( $^O eq 'linux' ) { + @scan_outputA = grep( !/st[0-9]/, @scan_outputA ); # SCSI tape drive + @scan_outputA = grep( !/ht[0-9]/, @scan_outputA ); # ATA tape drive + } + + # make the first pass, figuring out what all we have and trimming comments + foreach my $arguments (@scan_outputA) { + my $name = $arguments; + + $arguments =~ s/ \#.*//; # trim the comment out of the argument + $name =~ s/ .*//; + $name =~ s/\/dev\///; + if ( defined( $found_disks_names{$name} ) ) { + $found_disks_names{$name}++; + } else { + $found_disks_names{$name} = 0; + } + + push( @argumentsA, $arguments ); + + } ## end foreach my $arguments (@scan_outputA) + + # second pass, putting the lines together + my %current_disk; + foreach my $arguments (@argumentsA) { + my $not_virt = 1; + + # check to see if we have a virtual device + my @virt_check = split( /\n/, `smartctl -i $arguments 2> /dev/null` ); + foreach my $virt_check_line (@virt_check) { + if ( $virt_check_line =~ /(?i)Product\:.*LOGICAL VOLUME/ ) { + $not_virt = 0; + } + } + + my $name = $arguments; + $name =~ s/ .*//; + $name =~ s/\/dev\///; + + # only add it if not a virtual RAID drive + # HP RAID virtual disks will show up with very basical but totally useless smart data + if ($not_virt) { + if ( $found_disks_names{$name} == 0 ) { + # If no other devices, just name it after the base device. + $drive_lines = $drive_lines . $name . " " . $arguments . "\n"; + } else { + # if more than one, start at zero and increment, apennding comma number to the base device name + if ( defined( $current_disk{$name} ) ) { + $current_disk{$name}++; + } else { + $current_disk{$name} = 0; + } + $drive_lines = $drive_lines . $name . "," . $current_disk{$name} . " " . $arguments . "\n"; + } + } ## end if ($not_virt) + + } ## end foreach my $arguments (@argumentsA) + } ## end if ( $scan_modes->{'scan-open'} || $scan_modes...) + + # + # + # scan mode handler for cciss_vol_status + # /dev/sg* devices for cciss on Linux + # /dev/ccis* devices for cciss on FreeBSD + # + # + if ( $scan_modes->{'cciss_vol_status'} && ( $^O eq 'linux' || $^O eq 'freebsd' ) ) { + my $cciss; + if ( $^O eq 'freebsd' ) { + $cciss = 'ciss'; + } elsif ( $^O eq 'linux' ) { + $cciss = 'sg'; + } + + my $uarg = ''; + if ( $opts{U} ) { + $uarg = '-u'; + } + + # generate the initial device path that will be checked + my $sg_int = 0; + my $device = '/dev/' . $cciss . $sg_int; + + my $sg_process = 1; + if ( -e $device ) { + my $output = `which cciss_vol_status 2> /dev/null`; + if ( $? != 0 && !$opts{C} ) { + $sg_process = 0; + $drive_lines + = $drive_lines + . "# -C not given, but " + . $device + . " exists and cciss_vol_status is not present\n" + . "# in path or 'ccis_vol_status -V " + . $device + . "' is failing\n"; + } ## end if ( $? != 0 && !$opts{C} ) + } ## end if ( -e $device ) + my $seen_lines = {}; + my $ignore_lines = {}; + while ( -e $device && $sg_process ) { + my $output = `cciss_vol_status -V $uarg $device 2> /dev/null`; + if ( $? != 0 && $output eq '' && !$opts{C} ) { + # just empty here as we just want to skip it if it fails and there is no C + # warning is above + } elsif ( $? != 0 && $output eq '' && $opts{C} ) { + my $drive_count = 0; + my $continue = 1; + while ($continue) { + my $output = `$smartctl -i $device -d cciss,$drive_count 2> /dev/null`; + if ( $? != 0 ) { + $continue = 0; + } else { + my $add_it = 0; + my $id; + while ( $output =~ /(?i)Serial Number:(.*)/g ) { + $id = $1; + $id =~ s/^\s+|\s+$//g; + } + if ( defined($id) && !defined( $seen_lines->{$id} ) ) { + $add_it = 1; + $seen_lines->{$id} = 1; + } + if ( $continue && $add_it ) { + $drive_lines + = $drive_lines + . $cciss . '0-' + . $drive_count . ' ' + . $device + . ' -d cciss,' + . $drive_count . "\n"; + } + } ## end else [ if ( $? != 0 ) ] + $drive_count++; + } ## end while ($continue) + } else { + my $drive_count = 0; + # count the connector lines, this will make sure failed are founded as well + my $seen_conectors = {}; + while ( $output =~ /(connector +\d+[IA]\ +box +\d+\ +bay +\d+.*)/g ) { + my $cciss_drive_line = $1; + my $connector = $cciss_drive_line; + $connector =~ s/(.*\ bay +\d+).*/$1/; + if ( !defined( $seen_lines->{$cciss_drive_line} ) + && !defined( $seen_conectors->{$connector} ) + && !defined( $ignore_lines->{$cciss_drive_line} ) ) + { + $seen_lines->{$cciss_drive_line} = 1; + $seen_conectors->{$connector} = 1; + $drive_count++; + } else { + # going to be a connector we've already seen + # which will happen when it is processing replacement drives + # so save this as a device to ignore + $ignore_lines->{$cciss_drive_line} = 1; + } + } ## end while ( $output =~ /(connector +\d+[IA]\ +box +\d+\ +bay +\d+.*)/g) + my $drive_int = 0; + while ( $drive_int < $drive_count ) { + $drive_lines + = $drive_lines + . $cciss + . $sg_int . '-' + . $drive_int . ' ' + . $device + . ' -d cciss,' + . $drive_int . "\n"; + + $drive_int++; + } ## end while ( $drive_int < $drive_count ) + } ## end else [ if ( $? != 0 && $output eq '' && !$opts{C})] + + $sg_int++; + $device = '/dev/' . $cciss . $sg_int; + } ## end while ( -e $device && $sg_process ) + } ## end if ( $scan_modes->{'cciss_vol_status'} && ...) + + my $useSN = 1; + if ( $opts{S} ) { + $useSN = 0; + } + + print '# scan_modes=' + . $opts{G} + . "\nuseSN=" + . $useSN . "\n" + . 'smartctl=' + . $smartctl . "\n" + . $cache + . $drive_lines; + + exit 0; +} ## end if ( defined( $opts{g} ) ) + +#get which config file to use +my $config = $0 . '.config'; +if ( defined( $opts{c} ) ) { + $config = $opts{c}; +} + +#reads the config file, optionally +my $config_file = ''; +open( my $readfh, "<", $config ) or die "Can't open '" . $config . "'"; +read( $readfh, $config_file, 1000000 ); +close($readfh); + +# +# +# parse the config file and remove comments and empty lines +# +# +my @configA = split( /\n/, $config_file ); +@configA = grep( !/^$/, @configA ); +@configA = grep( !/^\#/, @configA ); +@configA = grep( !/^[\s\t]*$/, @configA ); +my $configA_int = 0; +while ( defined( $configA[$configA_int] ) ) { + my $line = $configA[$configA_int]; + chomp($line); + $line =~ s/^[\t\s]+//; + $line =~ s/[\t\s]+$//; + + my ( $var, $val ) = split( /=/, $line, 2 ); + + my $matched; + if ( $var eq 'cache' ) { + $cache = $val; + $matched = 1; + } + + if ( $var eq 'smartctl' ) { + $smartctl = $val; + $matched = 1; + } + + if ( $var eq 'useSN' ) { + $useSN = $val; + $matched = 1; + } + + if ( !defined($val) ) { + push( @disks, $line ); + } + + $configA_int++; +} ## end while ( defined( $configA[$configA_int] ) ) + +# +# +# run the specified self test on all disks if asked +# +# +if ( defined( $opts{t} ) ) { + + # make sure we have something that atleast appears sane for the test name + my $valid_tesks = { + 'offline' => 1, + 'short' => 1, + 'long' => 1, + 'conveyance' => 1, + 'afterselect,on' => 1, + }; + if ( !defined( $valid_tesks->{ $opts{t} } ) && $opts{t} !~ /select,(\d+[\-\+]\d+|next|next\+\d+|redo\+\d+)/ ) { + print '"' . $opts{t} . "\" does not appear to be a valid test\n"; + exit 1; + } + + print "Running the SMART $opts{t} on all devices in the config...\n\n"; + + foreach my $line (@disks) { + my $disk; + my $name; + if ( $line =~ /\ / ) { + ( $name, $disk ) = split( /\ /, $line, 2 ); + } else { + $disk = $line; + $name = $line; + } + if ( $disk !~ /\// ) { + $disk = '/dev/' . $disk; + } + + print "\n------------------------------------------------------------------\nDoing " + . $smartctl . ' -t ' + . $opts{t} . ' ' + . $disk + . " ...\n\n"; + print `$smartctl -t $opts{t} $disk` . "\n"; + + } ## end foreach my $line (@disks) + + exit 0; +} ## end if ( defined( $opts{t} ) ) + +#if set to 1, no cache will be written and it will be printed instead +my $noWrite = 0; + +# +# +# if no -u, it means we are being called from snmped +# +# +if ( !defined( $opts{u} ) ) { + # if the cache file exists, print it, otherwise assume one is not being used + if ( -f $cache ) { + my $old = ''; + open( my $readfh, "<", $cache ) or die "Can't open '" . $cache . "'"; + read( $readfh, $old, 1000000 ); + close($readfh); + print $old; + exit 0; + } else { + $opts{u} = 1; + $noWrite = 1; + } +} ## end if ( !defined( $opts{u} ) ) + +# +# +# Process each disk +# +# +my $to_return = { + data => { disks => {}, exit_nonzero => 0, unhealthy => 0, useSN => $useSN }, + version => 1, + error => 0, + errorString => '', +}; +foreach my $line (@disks) { + my $disk; + my $name; + if ( $line =~ /\ / ) { + ( $name, $disk ) = split( /\ /, $line, 2 ); + } else { + $disk = $line; + $name = $line; + } + if ( $disk !~ /\// ) { + $disk = '/dev/' . $disk; + } + + my $output = `$smartctl -A $disk`; + my %IDs = ( + '5' => 'null', + '10' => 'null', + '173' => 'null', + '177' => 'null', + '183' => 'null', + '184' => 'null', + '187' => 'null', + '188' => 'null', + '190' => 'null', + '194' => 'null', + '196' => 'null', + '197' => 'null', + '198' => 'null', + '199' => 'null', + '231' => 'null', + '232' => 'null', + '233' => 'null', + '9' => 'null', + 'disk' => $disk, + 'serial' => undef, + 'selftest_log' => undef, + 'health_pass' => 0, + max_temp => 'null', + exit => $?, + ); + $IDs{'disk'} =~ s/^\/dev\///; + + # if polling exited non-zero above, no reason running the rest of the checks + my $disk_id = $name; + if ( $IDs{exit} != 0 ) { + $to_return->{data}{exit_nonzero}++; + } else { + my @outputA; + + if ( $output =~ /NVMe Log/ ) { + # we have an NVMe drive with annoyingly different output + my %mappings = ( + 'Temperature' => 194, + 'Power Cycles' => 12, + 'Power On Hours' => 9, + 'Percentage Used' => 231, + ); + foreach ( split( /\n/, $output ) ) { + if (/:/) { + my ( $key, $val ) = split(/:/); + $val =~ s/^\s+|\s+$|\D+//g; + if ( exists( $mappings{$key} ) ) { + if ( $mappings{$key} == 231 ) { + $IDs{ $mappings{$key} } = 100 - $val; + } else { + $IDs{ $mappings{$key} } = $val; + } + } + } ## end if (/:/) + } ## end foreach ( split( /\n/, $output ) ) + + } else { + @outputA = split( /\n/, $output ); + my $outputAint = 0; + while ( defined( $outputA[$outputAint] ) ) { + my $line = $outputA[$outputAint]; + $line =~ s/^ +//; + $line =~ s/ +/ /g; + + if ( $line =~ /^[0123456789]+ / ) { + my @lineA = split( /\ /, $line, 10 ); + my $raw = $lineA[9]; + my $normalized = $lineA[3]; + my $id = $lineA[0]; + + # Crucial SSD + # 202, Percent_Lifetime_Remain, same as 231, SSD Life Left + if ( $id == 202 + && $line =~ /Percent_Lifetime_Remain/ ) + { + $IDs{231} = $raw; + } + + # single int raw values + if ( ( $id == 5 ) + || ( $id == 10 ) + || ( $id == 173 ) + || ( $id == 183 ) + || ( $id == 184 ) + || ( $id == 187 ) + || ( $id == 196 ) + || ( $id == 197 ) + || ( $id == 198 ) + || ( $id == 199 ) ) + { + my @rawA = split( /\ /, $raw ); + $IDs{$id} = $rawA[0]; + } ## end if ( ( $id == 5 ) || ( $id == 10 ) || ( $id...)) + + # single int normalized values + if ( ( $id == 177 ) + || ( $id == 230 ) + || ( $id == 231 ) + || ( $id == 232 ) + || ( $id == 233 ) ) + { + # annoying non-standard disk + # WDC WDS500G2B0A + # 230 Media_Wearout_Indicator 0x0032 100 100 --- Old_age Always - 0x002e000a002e + # 232 Available_Reservd_Space 0x0033 100 100 004 Pre-fail Always - 100 + # 233 NAND_GB_Written_TLC 0x0032 100 100 --- Old_age Always - 9816 + + if ( $id == 230 + && $line =~ /Media_Wearout_Indicator/ ) + { + $IDs{233} = int($normalized); + } elsif ( $id == 232 + && $line =~ /Available_Reservd_Space/ ) + { + $IDs{232} = int($normalized); + } else { + # only set 233 if it has not been set yet + # if it was set already then the above did it and we don't want + # to overwrite it + if ( $id == 233 && $IDs{233} eq "null" ) { + $IDs{$id} = int($normalized); + } elsif ( $id != 233 ) { + $IDs{$id} = int($normalized); + } + } ## end else [ if ( $id == 230 && $line =~ /Media_Wearout_Indicator/)] + } ## end if ( ( $id == 177 ) || ( $id == 230 ) || (...)) + + # 9, power on hours + if ( $id == 9 ) { + my @runtime = split( /[\ h]/, $raw ); + $IDs{$id} = $runtime[0]; + } + + # 188, Command_Timeout + if ( $id == 188 ) { + my $total = 0; + my @rawA = split( /\ /, $raw ); + my $rawAint = 0; + while ( defined( $rawA[$rawAint] ) ) { + $total = $total + $rawA[$rawAint]; + $rawAint++; + } + $IDs{$id} = $total; + } ## end if ( $id == 188 ) + + # 190, airflow temp + # 194, temp + if ( ( $id == 190 ) + || ( $id == 194 ) ) + { + my ($temp) = split( /\ /, $raw ); + $IDs{$id} = $temp; + } + } ## end if ( $line =~ /^[0123456789]+ / ) + + # SAS Wrapping + # Section by Cameron Munroe (munroenet[at]gmail.com) + + # Elements in Grown Defect List. + # Marking as 5 Reallocated_Sector_Ct + if ( $line =~ "Elements in grown defect list:" ) { + + my @lineA = split( /\ /, $line, 10 ); + my $raw = $lineA[5]; + + # Reallocated Sector Count ID + $IDs{5} = $raw; + + } + + # Current Drive Temperature + # Marking as 194 Temperature_Celsius + if ( $line =~ "Current Drive Temperature:" ) { + + my @lineA = split( /\ /, $line, 10 ); + my $raw = $lineA[3]; + + # Temperature C ID + $IDs{194} = $raw; + + } + + # End of SAS Wrapper + + $outputAint++; + } ## end while ( defined( $outputA[$outputAint] ) ) + } ## end else [ if ( $output =~ /NVMe Log/ ) ] + + #get the selftest logs + $output = `$smartctl -l selftest $disk`; + @outputA = split( /\n/, $output ); + my @completed = grep( /Completed/, @outputA ); + $IDs{'completed'} = scalar @completed; + my @interrupted = grep( /Interrupted/, @outputA ); + $IDs{'interrupted'} = scalar @interrupted; + my @read_failure = grep( /read failure/, @outputA ); + $IDs{'read_failure'} = scalar @read_failure; + my @read_failure2 = grep( /Failed in segment/, @outputA ); + $IDs{'read_failure'} = $IDs{'read_failure'} + scalar @read_failure2; + my @unknown_failure = grep( /unknown failure/, @outputA ); + $IDs{'unknown_failure'} = scalar @unknown_failure; + my @extended = grep( /\d.*\ ([Ee]xtended|[Ll]ong).*(?![Dd]uration)/, @outputA ); + $IDs{'extended'} = scalar @extended; + my @short = grep( /[Ss]hort/, @outputA ); + $IDs{'short'} = scalar @short; + my @conveyance = grep( /[Cc]onveyance/, @outputA ); + $IDs{'conveyance'} = scalar @conveyance; + my @selective = grep( /[Ss]elective/, @outputA ); + $IDs{'selective'} = scalar @selective; + my @offline = grep( /(\d|[Bb]ackground|[Ff]oreground)+\ +[Oo]ffline/, @outputA ); + $IDs{'offline'} = scalar @offline; + + # if we have logs, actually grab the log output + if ( $IDs{'completed'} > 0 + || $IDs{'interrupted'} > 0 + || $IDs{'read_failure'} > 0 + || $IDs{'extended'} > 0 + || $IDs{'short'} > 0 + || $IDs{'conveyance'} > 0 + || $IDs{'selective'} > 0 + || $IDs{'offline'} > 0 ) + { + my @headers = grep( /(Num\ +Test.*LBA| Description .*[Hh]ours)/, @outputA ); + + my @log_lines; + push( @log_lines, @extended, @short, @conveyance, @selective, @offline ); + $IDs{'selftest_log'} = join( "\n", @headers, sort(@log_lines) ); + } ## end if ( $IDs{'completed'} > 0 || $IDs{'interrupted'...}) + + # get the drive serial number, if needed + $disk_id = $name; + $output = `$smartctl -i $disk`; + # generally upper case, HP branded drives seem to report with lower case n + while ( $output =~ /(?i)Serial Number:(.*)/g ) { + $IDs{'serial'} = $1; + $IDs{'serial'} =~ s/^\s+|\s+$//g; + } + if ($useSN) { + $disk_id = $IDs{'serial'}; + } + + while ( $output =~ /(?i)Model Family:(.*)/g ) { + $IDs{'model_family'} = $1; + $IDs{'model_family'} =~ s/^\s+|\s+$//g; + } + + while ( $output =~ /(?i)Device Model:(.*)/g ) { + $IDs{'device_model'} = $1; + $IDs{'device_model'} =~ s/^\s+|\s+$//g; + } + + while ( $output =~ /(?i)Model Number:(.*)/g ) { + $IDs{'model_number'} = $1; + $IDs{'model_number'} =~ s/^\s+|\s+$//g; + } + + while ( $output =~ /(?i)Firmware Version:(.*)/g ) { + $IDs{'fw_version'} = $1; + $IDs{'fw_version'} =~ s/^\s+|\s+$//g; + } + + # mainly HP drives + while ( $output =~ /(?i)Vendor:(.*)/g ) { + $IDs{'vendor'} = $1; + $IDs{'vendor'} =~ s/^\s+|\s+$//g; + } + + # mainly HP drives + while ( $output =~ /(?i)Product:(.*)/g ) { + $IDs{'product'} = $1; + $IDs{'product'} =~ s/^\s+|\s+$//g; + } + + # mainly HP drives + while ( $output =~ /(?i)Revision:(.*)/g ) { + $IDs{'revision'} = $1; + $IDs{'revision'} =~ s/^\s+|\s+$//g; + } + + # figure out what to use for the max temp, if there is one + if ( $IDs{'190'} =~ /^\d+$/ ) { + $IDs{max_temp} = $IDs{'190'}; + } elsif ( $IDs{'194'} =~ /^\d+$/ ) { + $IDs{max_temp} = $IDs{'194'}; + } + if ( $IDs{'194'} =~ /^\d+$/ && defined( $IDs{max_temp} ) && $IDs{'194'} > $IDs{max_temp} ) { + $IDs{max_temp} = $IDs{'194'}; + } + + $output = `$smartctl -H $disk`; + if ( $output =~ /SMART\ overall\-health\ self\-assessment\ test\ result\:\ PASSED/ ) { + $IDs{'health_pass'} = 1; + } elsif ( $output =~ /SMART\ Health\ Status\:\ OK/ ) { + $IDs{'health_pass'} = 1; + } + + if ( !$IDs{'health_pass'} ) { + $to_return->{data}{unhealthy}++; + } + } ## end else [ if ( $IDs{exit} != 0 ) ] + + # only bother to save this if useSN is not being used + if ( !$useSN ) { + $to_return->{data}{disks}{$disk_id} = \%IDs; + } elsif ( $IDs{exit} == 0 && defined($disk_id) ) { + $to_return->{data}{disks}{$disk_id} = \%IDs; + } + + # smartctl will in some cases exit zero when it can't pull data for cciss + # so if we get a zero exit, but no serial then it means something errored + # and the device is likely dead + if ( $IDs{exit} == 0 && !defined( $IDs{serial} ) ) { + $to_return->{data}{unhealthy}++; + } +} ## end foreach my $line (@disks) + +my $toReturn = $json->encode($to_return); + +if ( !$opts{p} ) { + $toReturn = $toReturn . "\n"; +} + +if ( $opts{Z} ) { + my $toReturnCompressed; + gzip \$toReturn => \$toReturnCompressed; + my $compressed = encode_base64($toReturnCompressed); + $compressed =~ s/\n//g; + $compressed = $compressed . "\n"; + if ( length($compressed) < length($toReturn) ) { + $toReturn = $compressed; + } +} ## end if ( $opts{Z} ) + +if ( !$noWrite ) { + open( my $writefh, ">", $cache ) or die "Can't open '" . $cache . "'"; + print $writefh $toReturn; + close($writefh); +} else { + print $toReturn; +} diff --git a/initializers/oam/librenms/smart.config b/initializers/oam/librenms/smart.config new file mode 100644 index 0000000..2b12988 --- /dev/null +++ b/initializers/oam/librenms/smart.config @@ -0,0 +1,3 @@ +smartctl=/usr/sbin/smartctl +cache=/var/cache/smart +sda diff --git a/initializers/oam/librenms/ss.py b/initializers/oam/librenms/ss.py new file mode 100644 index 0000000..0bb9063 --- /dev/null +++ b/initializers/oam/librenms/ss.py @@ -0,0 +1,2048 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + librenms-agent/snmp/ss.py at master · librenms/librenms-agent · GitHub + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + +
+ Skip to content + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + +
+ +
+ + + + + + + + +
+ + + + + +
+ + + + + + + + + +
+
+
+ + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + +
+ + + + + +
+ + + +
+
+ +
+ +
+

Footer

+ + + + +
+
+ + + + + © 2025 GitHub, Inc. + +
+ + +
+
+ + + + + + + + + + + + + + + + + + + +
+
+
+ + + diff --git a/initializers/oam/librenms/ups-nut.sh b/initializers/oam/librenms/ups-nut.sh new file mode 100644 index 0000000..b75580a --- /dev/null +++ b/initializers/oam/librenms/ups-nut.sh @@ -0,0 +1,45 @@ +#!/bin/sh +################################################################ +# Instructions: # +# 1. copy this script to /etc/snmp/ and make it executable: # +# chmod +x ups-nut.sh # +# 2. make sure UPS_NAME below matches the name of your UPS # +# 3. edit your snmpd.conf to include this line: # +# extend ups-nut /etc/snmp/ups-nut.sh # +# 4. restart snmpd on the host # +# 5. activate the app for the desired host in LibreNMS # +################################################################ +UPS_NAME="${1:-APCUPS}" + +PATH=$PATH:/usr/bin:/bin +TMP=$(upsc $UPS_NAME 2>/dev/null) + +for value in "battery\.charge: [0-9.]+" "battery\.(runtime\.)?low: [0-9]+" "battery\.runtime: [0-9]+" "battery\.voltage: [0-9.]+" "battery\.voltage\.nominal: [0-9]+" "input\.voltage\.nominal: [0-9.]+" "input\.voltage: [0-9.]+" "ups\.load: [0-9.]+" +do + OUT=$(echo "$TMP" | grep -Eo "$value" | awk '{print $2}' | LANG=C sort | head -n 1) + if [ -n "$OUT" ]; then + echo "$OUT" + else + echo "Unknown" + fi +done + +for value in "ups\.status:[A-Z ]{0,}OL" "ups\.status:[A-Z ]{0,}OB" "ups\.status:[A-Z ]{0,}LB" "ups\.status:[A-Z ]{0,}HB" "ups\.status:[A-Z ]{0,}RB" "ups\.status:[A-Z ]{0,}CHRG" "ups\.status:[A-Z ]{0,}DISCHRG" "ups\.status:[A-Z ]{0,}BYPASS" "ups\.status:[A-Z ]{0,}CAL" "ups\.status:[A-Z ]{0,}OFF" "ups\.status:[A-Z ]{0,}OVER" "ups\.status:[A-Z ]{0,}TRIM" "ups\.status:[A-Z ]{0,}BOOST" "ups\.status:[A-Z ]{0,}FSD" "ups\.alarm:[A-Z ]" +do + UNKNOWN=$(echo "$TMP" | grep -Eo "ups\.status:") + if [ -z "$UNKNOWN" ]; then + echo "Unknown" + else + OUT=$(echo "$TMP" | grep -Eo "$value") + if [ -n "$OUT" ]; then + echo "1" + else + echo "0" + fi + fi +done + +UPSTEMP="ups\.temperature: [0-9.]+" +OUT=$(echo "$TMP" | grep -Eo "$UPSTEMP" | awk '{print $2}' | LANG=C sort | head -n 1) +[ -n "$OUT" ] && echo "$OUT" || echo "Unknown" + diff --git a/initializers/oam/scripts/up2date.sh b/initializers/oam/scripts/up2date.sh new file mode 100644 index 0000000..5370536 --- /dev/null +++ b/initializers/oam/scripts/up2date.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +echo "Running apt-get update" +export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes update + +echo "Running apt-get dist-upgrade" +export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes dist-upgrade + +echo "Running apt-get upgrade" +export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes upgrade + + +echo "Running apt-get purge" +export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --purge autoremove --yes +export DEBIAN_FRONTEND="noninteractive" && apt-get -qq autoclean --yes + diff --git a/initializers/packages/apply b/initializers/packages/apply index b994030..ba4fc3a 100755 --- a/initializers/packages/apply +++ b/initializers/packages/apply @@ -1,7 +1,7 @@ #!/bin/bash # KNEL Package Installation -# This initializer installs required packages +# This initializer installs required packages with conditional logic set -euo pipefail @@ -21,6 +21,7 @@ sh /tmp/webmin-setup.sh -f && rm -f /tmp/webmin-setup.sh curl -fsSL https://tailscale.com/install.sh | sh # Remove unwanted packages +export DEBIAN_FRONTEND="noninteractive" apt-get -y --purge remove \ systemd-timesyncd \ chrony \ @@ -35,7 +36,7 @@ apt-get -y --purge remove \ apt-get --purge autoremove # Install desired packages -apt-get install -y \ +apt-get -y -o Dpkg::Options::="--force-confold" install \ virt-what \ auditd \ audispd-plugins \ @@ -68,6 +69,7 @@ apt-get install -y \ command-not-found \ lldpd \ ansible-core \ + salt-minion \ net-tools \ dos2unix \ gpg \ @@ -103,19 +105,19 @@ apt-get install -y \ # Kali-specific packages if [[ $KALI_CHECK -eq 0 ]]; then - apt-get install -y \ + apt-get -y -o Dpkg::Options::="--force-confold" install \ latencytop \ cockpit-tests fi # KVM guest specific packages if [[ $IS_KVM_GUEST -eq 1 ]]; then - apt-get install -y qemu-guest-agent + apt-get -y install qemu-guest-agent fi # Physical host specific packages if [[ $IS_PHYSICAL_HOST -gt 0 ]]; then - apt-get install -y \ + apt-get -y -o Dpkg::Options::="--force-confold" install \ i7z \ thermald \ cpufrequtils \ diff --git a/initializers/postfix/apply b/initializers/postfix/apply new file mode 100755 index 0000000..de3df90 --- /dev/null +++ b/initializers/postfix/apply @@ -0,0 +1,32 @@ +#!/bin/bash + +# KNEL Postfix Module +# Configures postfix for email delivery + +set -euo pipefail + +echo "Running postfix module..." + +# Stop postfix +systemctl stop postfix + +# Configure postfix for local mail relay +if [[ -f ./configs/postfix_generic ]]; then + cp ./configs/postfix_generic /etc/postfix/generic + postmap /etc/postfix/generic +fi + +# Set postfix configuration +postconf -e "inet_protocols = ipv4" +postconf -e "inet_interfaces = 127.0.0.1" +postconf -e "mydestination = 127.0.0.1" +postconf -e "relayhost = tsys-cloudron.knel.net" +postconf -e "smtp_generic_maps = hash:/etc/postfix/generic" + +# Restart postfix +systemctl start postfix + +# Test mail delivery +echo "Test email from $(hostname)" | mail -s "Test from $(hostname)" root + +echo "Postfix module completed" \ No newline at end of file diff --git a/initializers/postfix/configs/postfix_generic b/initializers/postfix/configs/postfix_generic new file mode 100644 index 0000000..0712713 --- /dev/null +++ b/initializers/postfix/configs/postfix_generic @@ -0,0 +1 @@ +/.*/ tsysrootaccount@knel.net \ No newline at end of file diff --git a/initializers/salt-client/apply b/initializers/salt-client/apply new file mode 100755 index 0000000..117cb70 --- /dev/null +++ b/initializers/salt-client/apply @@ -0,0 +1,19 @@ +#!/bin/bash + +# KNEL Salt Client Initializer +# Configures Salt minion for configuration management + +set -euo pipefail + +echo "Running Salt client initializer..." + +# Configure Salt minion if configuration file exists +if [[ -f ./configs/salt-minion ]]; then + cp ./configs/salt-minion /etc/salt/minion +fi + +# Enable and start Salt minion service +systemctl enable salt-minion +systemctl start salt-minion + +echo "Salt client initializer completed" \ No newline at end of file diff --git a/initializers/security-hardening/apply b/initializers/security-hardening/apply new file mode 100755 index 0000000..6097632 --- /dev/null +++ b/initializers/security-hardening/apply @@ -0,0 +1,51 @@ +#!/bin/bash + +# KNEL Security Hardening Module +# Implements SCAP/STIG security compliance + +set -euo pipefail + +echo "Running security hardening module..." + +# Enable auditd +systemctl --now enable auditd + +# Configure sysctl security parameters +if [[ -f ./configs/sysctl-hardening.conf ]]; then + cp ./configs/sysctl-hardening.conf /etc/sysctl.d/99-security-hardening.conf + sysctl -p /etc/sysctl.d/99-security-hardening.conf +fi + +# Configure core dumps +if [[ -f ./configs/security-limits.conf ]]; then + cp ./configs/security-limits.conf /etc/security/limits.d/security-lening.conf +fi + +# Set file permissions +chmod 644 /etc/passwd +chmod 600 /etc/shadow +chmod 644 /etc/group +chmod 600 /etc/gshadow + +# Remove dangerous packages +DEBIAN_FRONTEND="noninteractive" apt-get -y purge \ + telnetd \ + rsh-server \ + rsh-client \ + telnet \ + || true + +# Install security tools +DEBIAN_FRONTEND="noninteractive" apt-get -y install \ + aide \ + lynis \ + chkrootkit \ + rkhunter \ + || true + +# Initialize AIDE database +if [[ ! -f /var/lib/aide/aide.db ]]; then + aideinit +fi + +echo "Security hardening module completed" \ No newline at end of file diff --git a/modules/ssh-hardening/apply b/initializers/ssh-hardening/apply similarity index 100% rename from modules/ssh-hardening/apply rename to initializers/ssh-hardening/apply diff --git a/modules/ssh-hardening/configs/localuser-ssh-authorized-keys b/initializers/ssh-hardening/configs/localuser-ssh-authorized-keys similarity index 100% rename from modules/ssh-hardening/configs/localuser-ssh-authorized-keys rename to initializers/ssh-hardening/configs/localuser-ssh-authorized-keys diff --git a/modules/ssh-hardening/configs/root-ssh-authorized-keys b/initializers/ssh-hardening/configs/root-ssh-authorized-keys similarity index 100% rename from modules/ssh-hardening/configs/root-ssh-authorized-keys rename to initializers/ssh-hardening/configs/root-ssh-authorized-keys diff --git a/modules/ssh-hardening/configs/ssh-audit-hardening.conf b/initializers/ssh-hardening/configs/ssh-audit-hardening.conf similarity index 100% rename from modules/ssh-hardening/configs/ssh-audit-hardening.conf rename to initializers/ssh-hardening/configs/ssh-audit-hardening.conf diff --git a/modules/ssh-hardening/configs/tsys-sshd-config b/initializers/ssh-hardening/configs/tsys-sshd-config similarity index 100% rename from modules/ssh-hardening/configs/tsys-sshd-config rename to initializers/ssh-hardening/configs/tsys-sshd-config diff --git a/initializers/ssh-keys/apply b/initializers/ssh-keys/apply new file mode 100755 index 0000000..020fcdd --- /dev/null +++ b/initializers/ssh-keys/apply @@ -0,0 +1,42 @@ +#!/bin/bash + +# KNEL SSH Keys Initializer +# Sets up SSH authorized keys for users + +set -euo pipefail + +echo "Running SSH keys initializer..." + +# Create SSH directories +mkdir -p $ROOT_SSH_DIR + +# Setup root SSH keys +if [[ -f ./configs/root-ssh-authorized-keys ]]; then + cp ./configs/root-ssh-authorized-keys $ROOT_SSH_DIR/authorized_keys + chmod 400 $ROOT_SSH_DIR/authorized_keys + chown root: $ROOT_SSH_DIR/authorized_keys +fi + +# Setup localuser SSH keys +if [[ $LOCALUSER_CHECK -gt 0 ]]; then + mkdir -p $LOCALUSER_SSH_DIR + + if [[ -f ./configs/localuser-ssh-authorized-keys ]]; then + cp ./configs/localuser-ssh-authorized-keys $LOCALUSER_SSH_DIR/authorized_keys + chmod 400 $LOCALUSER_SSH_DIR/authorized_keys + chown localuser $LOCALUSER_SSH_DIR/authorized_keys + fi +fi + +# Setup subodev SSH keys +if [[ $SUBODEV_CHECK -gt 0 ]]; then + mkdir -p $SUBODEV_SSH_DIR + + if [[ -f ./configs/localuser-ssh-authorized-keys ]]; then + cp ./configs/localuser-ssh-authorized-keys $SUBODEV_SSH_DIR/authorized_keys + chmod 400 $SUBODEV_SSH_DIR/authorized_keys + chown subodev: $SUBODEV_SSH_DIR/authorized_keys + fi +fi + +echo "SSH keys initializer completed" \ No newline at end of file diff --git a/initializers/ssh-keys/configs/localuser-ssh-authorized-keys b/initializers/ssh-keys/configs/localuser-ssh-authorized-keys new file mode 100644 index 0000000..3199386 --- /dev/null +++ b/initializers/ssh-keys/configs/localuser-ssh-authorized-keys @@ -0,0 +1,2 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHaBNuLS+GYGRPc9wne63Ocr+R+/Q01Y9V0FTv0RnG3 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyMR0lFgiMKhQJ5aqy68nR0BQp1cNzi/wIThyuTV4a8 tsyscto@ultix-control \ No newline at end of file diff --git a/initializers/ssh-keys/configs/root-ssh-authorized-keys b/initializers/ssh-keys/configs/root-ssh-authorized-keys new file mode 100644 index 0000000..3199386 --- /dev/null +++ b/initializers/ssh-keys/configs/root-ssh-authorized-keys @@ -0,0 +1,2 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHaBNuLS+GYGRPc9wne63Ocr+R+/Q01Y9V0FTv0RnG3 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyMR0lFgiMKhQJ5aqy68nR0BQp1cNzi/wIThyuTV4a8 tsyscto@ultix-control \ No newline at end of file diff --git a/initializers/system-config/AuditD/auditd.conf b/initializers/system-config/AuditD/auditd.conf new file mode 100644 index 0000000..3292aff --- /dev/null +++ b/initializers/system-config/AuditD/auditd.conf @@ -0,0 +1,46 @@ +# +# Known Element Enterprises Customized Config File +# auditd +# Initial version 2025-06-27 +# + +local_events = yes +write_logs = yes +log_file = /var/log/audit/audit.log +log_group = adm +log_format = ENRICHED +flush = INCREMENTAL_ASYNC +freq = 50 +max_log_file = 8 +num_logs = 5 +priority_boost = 4 +name_format = NONE +max_log_file_action = keep_logs +space_left = 75 +space_left_action = email +action_mail_acct = root + +admin_space_left_action = halt +disk_full_action = SUSPEND +disk_error_action = SUSPEND +admin_space_left = 50 + +verify_email = yes +use_libwrap = yes +tcp_listen_queue = 5 +tcp_max_per_addr = 1 +tcp_client_max_idle = 0 +transport = TCP +distribute_network = no +q_depth = 2000 +overflow_action = SYSLOG +max_restarts = 10 +plugin_dir = /etc/audit/plugins.d +end_of_event_timeout = 2 +##tcp_client_ports = 1024-65535 +##tcp_listen_port = 60 + +##krb5_key_file = /etc/audit/audit.key +krb5_principal = auditd + +##name = mydomain \ No newline at end of file diff --git a/classes/database/variables b/initializers/system-config/AuditD/rules.d/time-change.rules similarity index 100% rename from classes/database/variables rename to initializers/system-config/AuditD/rules.d/time-change.rules diff --git a/initializers/system-config/BANNERS/issue b/initializers/system-config/BANNERS/issue new file mode 100644 index 0000000..cace08b --- /dev/null +++ b/initializers/system-config/BANNERS/issue @@ -0,0 +1,5 @@ +This system is the property of Known Element Enterprises LLC. + +Authorized uses only. All activity may be monitored and reported. + +All activities subject to monitoring/recording/review in real time and/or at a later time. \ No newline at end of file diff --git a/initializers/system-config/BANNERS/issue.net b/initializers/system-config/BANNERS/issue.net new file mode 100644 index 0000000..cace08b --- /dev/null +++ b/initializers/system-config/BANNERS/issue.net @@ -0,0 +1,5 @@ +This system is the property of Known Element Enterprises LLC. + +Authorized uses only. All activity may be monitored and reported. + +All activities subject to monitoring/recording/review in real time and/or at a later time. \ No newline at end of file diff --git a/initializers/system-config/BANNERS/motd b/initializers/system-config/BANNERS/motd new file mode 100644 index 0000000..cace08b --- /dev/null +++ b/initializers/system-config/BANNERS/motd @@ -0,0 +1,5 @@ +This system is the property of Known Element Enterprises LLC. + +Authorized uses only. All activity may be monitored and reported. + +All activities subject to monitoring/recording/review in real time and/or at a later time. \ No newline at end of file diff --git a/initializers/system-config/Cockpit/disallowed-users b/initializers/system-config/Cockpit/disallowed-users new file mode 100644 index 0000000..4afe878 --- /dev/null +++ b/initializers/system-config/Cockpit/disallowed-users @@ -0,0 +1,2 @@ +#/etc/cockpit/disallowed-users +# List of users which are not allowed to login to Cockpit \ No newline at end of file diff --git a/initializers/system-config/DHCP/dhclient.conf b/initializers/system-config/DHCP/dhclient.conf new file mode 100644 index 0000000..0378ca3 --- /dev/null +++ b/initializers/system-config/DHCP/dhclient.conf @@ -0,0 +1,6 @@ +option rfc3442-classless-static-routes code 121 = array of unsigned integer 8; + +send host-name = gethostname(); +request subnet-mask, broadcast-address, time-offset, routers, + domain-name, host-name, + rfc3442-classless-static-routes; diff --git a/initializers/system-config/Logrotate/logrotate.conf b/initializers/system-config/Logrotate/logrotate.conf new file mode 100644 index 0000000..e571f2b --- /dev/null +++ b/initializers/system-config/Logrotate/logrotate.conf @@ -0,0 +1,23 @@ +# see "man logrotate" for details + +# global options do not affect preceding include directives + +# rotate log files weekly +weekly + +# keep 4 weeks worth of backlogs +rotate 4 + +# create new (empty) log files after rotating old ones +create 0640 root utmp + +# use date as a suffix of the rotated file +#dateext + +# uncomment this if you want your log files compressed +#compress + +# packages drop log rotation information into this directory +include /etc/logrotate.d + +# system-specific logs may also be configured here. \ No newline at end of file diff --git a/initializers/system-config/ModProbe/cramfs.conf b/initializers/system-config/ModProbe/cramfs.conf new file mode 100644 index 0000000..8a1840d --- /dev/null +++ b/initializers/system-config/ModProbe/cramfs.conf @@ -0,0 +1 @@ +install cramfs /bin/true \ No newline at end of file diff --git a/initializers/system-config/ModProbe/dccp.conf b/initializers/system-config/ModProbe/dccp.conf new file mode 100644 index 0000000..581b897 --- /dev/null +++ b/initializers/system-config/ModProbe/dccp.conf @@ -0,0 +1 @@ +install dccp /bin/true \ No newline at end of file diff --git a/initializers/system-config/ModProbe/freevxfs.conf b/initializers/system-config/ModProbe/freevxfs.conf new file mode 100644 index 0000000..d955a1b --- /dev/null +++ b/initializers/system-config/ModProbe/freevxfs.conf @@ -0,0 +1 @@ +install freevxfs /bin/true \ No newline at end of file diff --git a/initializers/system-config/ModProbe/hfs.conf b/initializers/system-config/ModProbe/hfs.conf new file mode 100644 index 0000000..d958196 --- /dev/null +++ b/initializers/system-config/ModProbe/hfs.conf @@ -0,0 +1 @@ +install hfs /bin/true \ No newline at end of file diff --git a/initializers/system-config/ModProbe/hfsplus.conf b/initializers/system-config/ModProbe/hfsplus.conf new file mode 100644 index 0000000..ff899bb --- /dev/null +++ b/initializers/system-config/ModProbe/hfsplus.conf @@ -0,0 +1 @@ +install hfsplus /bin/true \ No newline at end of file diff --git a/initializers/system-config/ModProbe/jffs2.conf b/initializers/system-config/ModProbe/jffs2.conf new file mode 100644 index 0000000..4d667ff --- /dev/null +++ b/initializers/system-config/ModProbe/jffs2.conf @@ -0,0 +1 @@ +install jffs2 /bin/true \ No newline at end of file diff --git a/initializers/system-config/ModProbe/rds.conf b/initializers/system-config/ModProbe/rds.conf new file mode 100644 index 0000000..3bc54e4 --- /dev/null +++ b/initializers/system-config/ModProbe/rds.conf @@ -0,0 +1 @@ +install rds /bin/true \ No newline at end of file diff --git a/initializers/system-config/ModProbe/sctp.conf b/initializers/system-config/ModProbe/sctp.conf new file mode 100644 index 0000000..33bcb68 --- /dev/null +++ b/initializers/system-config/ModProbe/sctp.conf @@ -0,0 +1 @@ +install sctp /bin/true \ No newline at end of file diff --git a/initializers/system-config/ModProbe/squashfs.conf b/initializers/system-config/ModProbe/squashfs.conf new file mode 100644 index 0000000..9de3008 --- /dev/null +++ b/initializers/system-config/ModProbe/squashfs.conf @@ -0,0 +1 @@ +install squashfs /bin/true \ No newline at end of file diff --git a/initializers/system-config/ModProbe/tipc.conf b/initializers/system-config/ModProbe/tipc.conf new file mode 100644 index 0000000..a2a8e52 --- /dev/null +++ b/initializers/system-config/ModProbe/tipc.conf @@ -0,0 +1 @@ +install tipc /bin/true \ No newline at end of file diff --git a/initializers/system-config/ModProbe/udf.conf b/initializers/system-config/ModProbe/udf.conf new file mode 100644 index 0000000..dc5169d --- /dev/null +++ b/initializers/system-config/ModProbe/udf.conf @@ -0,0 +1 @@ +install udf /bin/true \ No newline at end of file diff --git a/initializers/system-config/ModProbe/usb_storage.conf b/initializers/system-config/ModProbe/usb_storage.conf new file mode 100644 index 0000000..a4f90da --- /dev/null +++ b/initializers/system-config/ModProbe/usb_storage.conf @@ -0,0 +1 @@ +install usb-storage /bin/true \ No newline at end of file diff --git a/initializers/system-config/NTP/ntp.conf b/initializers/system-config/NTP/ntp.conf new file mode 100644 index 0000000..ea510a3 --- /dev/null +++ b/initializers/system-config/NTP/ntp.conf @@ -0,0 +1,7 @@ +driftfile /var/lib/ntp/ntp.drift +leapfile /usr/share/zoneinfo/leap-seconds.list +server pfv-netboot.knel.net +restrict 127.0.0.1 +restrict ::1 +interface ignore wildcard +interface listen 127.0.0.1 \ No newline at end of file diff --git a/initializers/system-config/NetworkDiscovery/lldpd b/initializers/system-config/NetworkDiscovery/lldpd new file mode 100644 index 0000000..f44c8a0 --- /dev/null +++ b/initializers/system-config/NetworkDiscovery/lldpd @@ -0,0 +1,2 @@ +# Uncomment to start SNMP subagent and enable CDP, SONMP and EDP protocol +DAEMON_ARGS="-x -c -s -e" \ No newline at end of file diff --git a/modules/system-config/templates/aliases b/initializers/system-config/SMTP/aliases similarity index 100% rename from modules/system-config/templates/aliases rename to initializers/system-config/SMTP/aliases diff --git a/initializers/system-config/SMTP/postfix_generic b/initializers/system-config/SMTP/postfix_generic new file mode 100644 index 0000000..0712713 --- /dev/null +++ b/initializers/system-config/SMTP/postfix_generic @@ -0,0 +1 @@ +/.*/ tsysrootaccount@knel.net \ No newline at end of file diff --git a/initializers/system-config/SNMP/snmp-sudo.conf b/initializers/system-config/SNMP/snmp-sudo.conf new file mode 100644 index 0000000..3ce5fd3 --- /dev/null +++ b/initializers/system-config/SNMP/snmp-sudo.conf @@ -0,0 +1 @@ +Debian-snmp ALL = NOPASSWD: /bin/cat diff --git a/initializers/system-config/SNMP/snmpd-physicalhost.conf b/initializers/system-config/SNMP/snmpd-physicalhost.conf new file mode 100644 index 0000000..20885f3 --- /dev/null +++ b/initializers/system-config/SNMP/snmpd-physicalhost.conf @@ -0,0 +1,46 @@ +########################################################################## +# snmpd.conf +# Created by CNW on 11/3/2018 via snmpconf wizard and manual post tweaks +########################################################################### +# SECTION: Monitor Various Aspects of the Running Host +# + +# disk: Check for disk space usage of a partition. +# The agent can check the amount of available disk space, and make +# sure it is above a set limit. +# +load 3 3 3 +rocommunity kn3lmgmt +sysservices 76 + +#syslocation Rack, Room, Building, City, Country [Lat, Lon] +syslocation R4, Server Room, SITER, Pflugerville, United States +syscontact coo@turnsys.com + +#NTP +extend ntp-client /usr/lib/check_mk_agent/local/ntp-client + +#SMTP +extend mailq /usr/lib/check_mk_agent/local/postfix-queues +extend postfixdetailed /usr/lib/check_mk_agent/local/postfixdetailed + +#OS Distribution Detection +extend distro /usr/local/bin/distro +extend osupdate /usr/lib/check_mk_agent/local/os-updates.sh + +#Hardware Detection +extend manufacturer /usr/bin/sudo /usr/bin/cat /sys/devices/virtual/dmi/id/sys_vendor +extend hardware /usr/bin/sudo /usr/bin/cat /sys/devices/virtual/dmi/id/product_name +extend serial /usr/bin/sudo /usr/bin/cat /sys/devices/virtual/dmi/id/product_serial + +#SMART +extend smart /usr/lib/check_mk_agent/local/smart + +#Temperature +pass_persist .1.3.6.1.4.1.9.9.13.1.3 /usr/local/bin/temper-snmp + +# Allow Systems Management Data Engine SNMP to connect to snmpd using SMUX +# smuxpeer .1.3.6.1.4.1.674.10892.1 + +# LLDP collection +master agentx \ No newline at end of file diff --git a/initializers/system-config/SNMP/snmpd-rpi.conf b/initializers/system-config/SNMP/snmpd-rpi.conf new file mode 100644 index 0000000..b74049d --- /dev/null +++ b/initializers/system-config/SNMP/snmpd-rpi.conf @@ -0,0 +1,40 @@ +########################################################################## +# snmpd.conf +# Created by CNW on 11/3/2018 via snmpconf wizard and manual post tweaks +########################################################################### +# SECTION: Monitor Various Aspects of the Running Host +# + +# disk: Check for disk space usage of a partition. +# The agent can check the amount of available disk space, and make +# sure it is above a set limit. +# +load 3 3 3 +rocommunity kn3lmgmt +sysservices 76 + +#syslocation Rack, Room, Building, City, Country [Lat, Lon] +syslocation SITER, Pflugerville, United States +syscontact coo@turnsys.com + +#NTP +extend ntp-client /usr/lib/check_mk_agent/local/ntp-client + +#SMTP +extend mailq /usr/lib/check_mk_agent/local/postfix-queues +extend postfixdetailed /usr/lib/check_mk_agent/local/postfixdetailed + +#OS Distribution Detection +extend distro /usr/local/bin/distro +extend osupdate /usr/lib/check_mk_agent/local/os-updates.sh + + +#Hardware Detection +extend hardware /usr/bin/sudo /usr/bin/cat /sys/firmware/devicetree/base/model +extend serial /usr/bin/sudo /usr/bin/cat /sys/firmware/devicetree/base/serial-number + +# Allow Systems Management Data Engine SNMP to connect to snmpd using SMUX +# smuxpeer .1.3.6.1.4.1.674.10892.1 + +# LLDP collection +master agentx \ No newline at end of file diff --git a/initializers/system-config/SNMP/snmpd.conf b/initializers/system-config/SNMP/snmpd.conf new file mode 100644 index 0000000..ef6dd9d --- /dev/null +++ b/initializers/system-config/SNMP/snmpd.conf @@ -0,0 +1,44 @@ +########################################################################## +# snmpd.conf +# Created by CNW on 11/3/2018 via snmpconf wizard and manual post tweaks +########################################################################### +# SECTION: Monitor Various Aspects of the Running Host +# + +# disk: Check for disk space usage of a partition. +# The agent can check the amount of available disk space, and make +# sure it is above a set limit. +# +load 3 3 3 +rocommunity kn3lmgmt +sysservices 76 + +#syslocation Rack, Room, Building, City, Country [Lat, Lon] +syslocation R4, Server Room, SITER, Pflugerville, United States +syscontact coo@turnsys.com + +#NTP +extend ntp-client /usr/lib/check_mk_agent/local/ntp-client + +#SMTP +extend mailq /usr/lib/check_mk_agent/local/postfix-queues +extend postfixdetailed /usr/lib/check_mk_agent/local/postfixdetailed + +#OS Distribution Detection +extend distro /usr/local/bin/distro +extend osupdate /usr/lib/check_mk_agent/local/os-updates.sh + +# Socket statistics +extend ss /usr/lib/check_mk_agent/local/ss.py + +#Hardware Detection +# (uncomment for x86 platforms) +extend manufacturer /usr/bin/sudo /usr/bin/cat /sys/devices/virtual/dmi/id/sys_vendor +extend hardware /usr/bin/sudo /usr/bin/cat /sys/devices/virtual/dmi/id/product_name +extend serial /usr/bin/sudo /usr/bin/cat /sys/devices/virtual/dmi/id/product_serial + +# Allow Systems Management Data Engine SNMP to connect to snmpd using SMUX +# smuxpeer .1.3.6.1.4.1.674.10892.1 + +# LLDP collection +master agentx \ No newline at end of file diff --git a/initializers/system-config/SSH/AuthorizedKeys/localuser-ssh-authorized-keys b/initializers/system-config/SSH/AuthorizedKeys/localuser-ssh-authorized-keys new file mode 100644 index 0000000..3199386 --- /dev/null +++ b/initializers/system-config/SSH/AuthorizedKeys/localuser-ssh-authorized-keys @@ -0,0 +1,2 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHaBNuLS+GYGRPc9wne63Ocr+R+/Q01Y9V0FTv0RnG3 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyMR0lFgiMKhQJ5aqy68nR0BQp1cNzi/wIThyuTV4a8 tsyscto@ultix-control \ No newline at end of file diff --git a/initializers/system-config/SSH/AuthorizedKeys/root-ssh-authorized-keys b/initializers/system-config/SSH/AuthorizedKeys/root-ssh-authorized-keys new file mode 100644 index 0000000..3199386 --- /dev/null +++ b/initializers/system-config/SSH/AuthorizedKeys/root-ssh-authorized-keys @@ -0,0 +1,2 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHaBNuLS+GYGRPc9wne63Ocr+R+/Q01Y9V0FTv0RnG3 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyMR0lFgiMKhQJ5aqy68nR0BQp1cNzi/wIThyuTV4a8 tsyscto@ultix-control \ No newline at end of file diff --git a/initializers/system-config/SSH/Configs/ssh-audit-hardening.conf b/initializers/system-config/SSH/Configs/ssh-audit-hardening.conf new file mode 100644 index 0000000..150fc83 --- /dev/null +++ b/initializers/system-config/SSH/Configs/ssh-audit-hardening.conf @@ -0,0 +1,19 @@ +# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com +# hardening guide. + KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256 + +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr + +MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com + +HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256 + +RequiredRSASize 3072 + +CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256 + +GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512- + +HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256 + +PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256 \ No newline at end of file diff --git a/initializers/system-config/SSH/Configs/tsys-sshd-config b/initializers/system-config/SSH/Configs/tsys-sshd-config new file mode 100644 index 0000000..7325a6f --- /dev/null +++ b/initializers/system-config/SSH/Configs/tsys-sshd-config @@ -0,0 +1,20 @@ +Include /etc/ssh/sshd_config.d/*.conf +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_ed25519_key +KbdInteractiveAuthentication no +PrintMotd no +PasswordAuthentication no +AllowTcpForwarding no +X11Forwarding no +ChallengeResponseAuthentication no +AcceptEnv LANG LC_* +Subsystem sftp /usr/lib/openssh/sftp-server +UsePAM yes +Banner /etc/issue.net +MaxAuthTries 2 +MaxStartups 10:30:100 +PermitRootLogin prohibit-password +ClientAliveInterval 300 +ClientAliveCountMax 3 +AllowUsers root localuser subodev +LoginGraceTime 60 \ No newline at end of file diff --git a/modules/system-config/templates/rsyslog.conf b/initializers/system-config/Syslog/rsyslog.conf similarity index 100% rename from modules/system-config/templates/rsyslog.conf rename to initializers/system-config/Syslog/rsyslog.conf diff --git a/initializers/system-config/Systemd/journald.conf b/initializers/system-config/Systemd/journald.conf new file mode 100644 index 0000000..decbe3b --- /dev/null +++ b/initializers/system-config/Systemd/journald.conf @@ -0,0 +1,31 @@ +[Journal] +#Compress=yes +#Seal=yes +#SplitMode=uid +#SyncIntervalSec=5m +#RateLimitIntervalSec=30s +#RateLimitBurst=10000 +#SystemMaxUse= +#SystemKeepFree= +#SystemMaxFileSize= +#SystemMaxFiles=100 +#RuntimeMaxUse= +#RuntimeKeepFree= +#RuntimeMaxFileSize= +#RuntimeMaxFiles=100 +#MaxRetentionSec= +#MaxFileSec=1month +#ForwardToSyslog=yes +#ForwardToKMsg=no +#ForwardToConsole=no +#ForwardToWall=yes +#TTYPath=/dev/console +#MaxLevelStore=debug +#MaxLevelSyslog=debug +#MaxLevelKMsg=notice +#MaxLevelConsole=info +#MaxLevelWall=emerg +#LineMax=48K +#ReadKMsg=yes +#Audit=no +Storage=persistent \ No newline at end of file diff --git a/modules/system-config/templates/zshrc b/initializers/system-config/ZSH/tsys-zshrc similarity index 100% rename from modules/system-config/templates/zshrc rename to initializers/system-config/ZSH/tsys-zshrc diff --git a/initializers/system-config/apply b/initializers/system-config/apply new file mode 100755 index 0000000..3cf9a63 --- /dev/null +++ b/initializers/system-config/apply @@ -0,0 +1,96 @@ +#!/bin/bash + +# KNEL System Configuration Initializer +# Applies system-wide configuration files with conditional logic + +set -euo pipefail + +echo "Running system configuration initializer..." + +# Create necessary directories +mkdir -p $ROOT_SSH_DIR + +# Deploy system configuration files from copied templates +if [[ -f ./ConfigFiles/ZSH/tsys-zshrc ]]; then + cp ./ConfigFiles/ZSH/tsys-zshrc /etc/zshrc +fi + +if [[ -f ./ConfigFiles/SMTP/aliases ]]; then + cp ./ConfigFiles/SMTP/aliases /etc/aliases + newaliases +fi + +if [[ -f ./ConfigFiles/Syslog/rsyslog.conf ]]; then + cp ./ConfigFiles/Syslog/rsyslog.conf > /etc/rsyslog.conf +fi + +# Configure DHCP client +if [[ -f ./ConfigFiles/DHCP/dhclient.conf ]]; then + cp ./ConfigFiles/DHCP/dhclient.conf > /etc/dhcp/dhclient.conf +fi + +# Configure SNMP +systemctl stop snmpd 2>/dev/null || true +/etc/init.d/snmpd stop 2>/dev/null || true + +if [[ -f ./ConfigFiles/SNMP/snmp-sudo.conf ]]; then + cp ./ConfigFiles/SNMP/snmp-sudo.conf > /etc/sudoers.d/Debian-snmp +fi + +# Adjust SNMP service for log verbosity +sed -i "s|-Lsd|-LS6d|" /lib/systemd/system/snmpd.service + +# Configure SNMP based on system type (with pi-detect) +if command -v vcgencmd >/dev/null 2>&1; then + export IS_RASPI="1" +else + export IS_RASPI="0" +fi + +if [[ $IS_RASPI -eq 1 ]] && [[ -f ./ConfigFiles/SNMP/snmpd-rpi.conf ]]; then + cp ./ConfigFiles/SNMP/snmpd-rpi.conf /etc/snmp/snmpd.conf +elif [[ $IS_PHYSICAL_HOST -eq 1 ]] && [[ -f ./ConfigFiles/SNMP/snmpd-physicalhost.conf ]]; then + cp ./ConfigFiles/SNMP/snmpd-physicalhost.conf /etc/snmp/snmpd.conf +elif [[ $IS_VIRT_GUEST -eq 1 ]] && [[ -f ./ConfigFiles/SNMP/snmpd.conf ]]; then + cp ./ConfigFiles/SNMP/snmpd.conf /etc/snmp/snmpd.conf +fi + +# Configure lldpd +if [[ -f ./ConfigFiles/NetworkDiscovery/lldpd ]]; then + cp ./ConfigFiles/NetworkDiscovery/lldpd /etc/default/lldpd + systemctl restart lldpd +fi + +# Configure Cockpit +if [[ -f ./ConfigFiles/Cockpit/disallowed-users ]]; then + cp ./ConfigFiles/Cockpit/disallowed-users /etc/cockpit/disallowed-users + systemctl restart cockpit +fi + +# Configure NTP for non-NTP servers +if [[ $NTP_SERVER_CHECK -eq 0 ]] && [[ -f ./ConfigFiles/NTP/ntp.conf ]]; then + cp ./ConfigFiles/NTP/ntp.conf /etc/ntpsec/ntp.conf + systemctl restart ntpsec.service +fi + +# Always install rsyslog (removed librenms conditional) +DEBIAN_FRONTEND="noninteractive" apt-get -qq --yes -o Dpkg::Options::="--force-confold" install rsyslog +systemctl stop rsyslog +systemctl start rsyslog + +# Reload systemd and restart SNMP +systemctl daemon-reload +systemctl restart snmpd 2>/dev/null || true +/etc/init.d/snmpd restart 2>/dev/null || true + +# Performance tuning based on system type +if [[ $IS_PHYSICAL_HOST -gt 0 ]]; then + cpufreq-set -r -g performance + cpupower frequency-set --governor performance +fi + +if [[ $IS_VIRT_GUEST -eq 1 ]]; then + tuned-adm profile virtual-guest +fi + +echo "System configuration initializer completed" \ No newline at end of file diff --git a/initializers/system-config/templates/aliases b/initializers/system-config/templates/aliases new file mode 100644 index 0000000..799fcb9 --- /dev/null +++ b/initializers/system-config/templates/aliases @@ -0,0 +1,3 @@ +# See man 5 aliases for format +postmaster: root +root: coo@turnsys.com diff --git a/initializers/system-config/templates/rsyslog.conf b/initializers/system-config/templates/rsyslog.conf new file mode 100644 index 0000000..bac83ec --- /dev/null +++ b/initializers/system-config/templates/rsyslog.conf @@ -0,0 +1,6 @@ +module(load="imuxsock") # provides support for local system logging +module(load="imklog") # provides kernel logging support +#module(load="immark") # provides --MARK-- message capability + +*.* @tsys-librenms.knel.net:514 +:omusrmsg:EOF \ No newline at end of file diff --git a/initializers/system-config/templates/zshrc b/initializers/system-config/templates/zshrc new file mode 100644 index 0000000..01b6558 --- /dev/null +++ b/initializers/system-config/templates/zshrc @@ -0,0 +1,258 @@ +# ~/.zshrc file for zsh interactive shells. +# see /usr/share/doc/zsh/examples/zshrc for examples + +setopt autocd # change directory just by typing its name +#setopt correct # auto correct mistakes +setopt interactivecomments # allow comments in interactive mode +setopt magicequalsubst # enable filename expansion for arguments of the form ‘anything=expression’ +setopt nonomatch # hide error message if there is no match for the pattern +setopt notify # report the status of background jobs immediately +setopt numericglobsort # sort filenames numerically when it makes sense +setopt promptsubst # enable command substitution in prompt + +WORDCHARS=${WORDCHARS//\/} # Don't consider certain characters part of the word + +# hide EOL sign ('%') +PROMPT_EOL_MARK="" + +# configure key keybindings +bindkey -v # emacs key bindings +bindkey ' ' magic-space # do history expansion on space +bindkey '^U' backward-kill-line # ctrl + U +bindkey '^[[3;5~' kill-word # ctrl + Supr +bindkey '^[[3~' delete-char # delete +bindkey '^[[1;5C' forward-word # ctrl + -> +bindkey '^[[1;5D' backward-word # ctrl + <- +bindkey '^[[5~' beginning-of-buffer-or-history # page up +bindkey '^[[6~' end-of-buffer-or-history # page down +bindkey '^[[H' beginning-of-line # home +bindkey '^[[F' end-of-line # end +bindkey '^[[Z' undo # shift + tab undo last action + +# enable completion features +autoload -Uz compinit +compinit -d ~/.cache/zcompdump +zstyle ':completion:*:*:*:*:*' menu select +zstyle ':completion:*' auto-description 'specify: %d' +zstyle ':completion:*' completer _expand _complete +zstyle ':completion:*' format 'Completing %d' +zstyle ':completion:*' group-name '' +zstyle ':completion:*' list-colors '' +zstyle ':completion:*' list-prompt %SAt %p: Hit TAB for more, or the character to insert%s +zstyle ':completion:*' matcher-list 'm:{a-zA-Z}={A-Za-z}' +zstyle ':completion:*' rehash true +zstyle ':completion:*' select-prompt %SScrolling active: current selection at %p%s +zstyle ':completion:*' use-compctl false +zstyle ':completion:*' verbose true +zstyle ':completion:*:kill:*' command 'ps -u $USER -o pid,%cpu,tty,cputime,cmd' + +# History configurations +HISTFILE=~/.zsh_history +HISTSIZE=10000 +SAVEHIST=200000 +setopt hist_expire_dups_first # delete duplicates first when HISTFILE size exceeds HISTSIZE +setopt hist_ignore_dups # ignore duplicated commands history list +setopt hist_ignore_space # ignore commands that start with space +setopt hist_verify # show command with history expansion to user before running it +#setopt share_history # share command history data + +# force zsh to show the complete history +alias history="history 0" + +# configure `time` format +TIMEFMT=$'\nreal\t%E\nuser\t%U\nsys\t%S\ncpu\t%P' + +# make less more friendly for non-text input files, see lesspipe(1) +#[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)" + +# set variable identifying the chroot you work in (used in the prompt below) +if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then + debian_chroot=$(cat /etc/debian_chroot) +fi + +# set a fancy prompt (non-color, unless we know we "want" color) +case "$TERM" in + xterm-color|*-256color) color_prompt=yes;; +esac + +# uncomment for a colored prompt, if the terminal has the capability; turned +# off by default to not distract the user: the focus in a terminal window +# should be on the output of commands, not on the prompt +force_color_prompt=yes + +if [ -n "$force_color_prompt" ]; then + if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then + # We have color support; assume it's compliant with Ecma-48 + # (ISO/IEC-6429). (Lack of such support is extremely rare, and such + # a case would tend to support setf rather than setaf.) + color_prompt=yes + else + color_prompt= + fi +fi + +configure_prompt() { + prompt_symbol=㉿ + # Skull emoji for root terminal + #[ "$EUID" -eq 0 ] && prompt_symbol=💀 + case "$PROMPT_ALTERNATIVE" in + twoline) + PROMPT=$'%F{%(#.blue.green)}┌──${debian_chroot:+($debian_chroot)─}${VIRTUAL_ENV:+($(basename $VIRTUAL_ENV))─}(%B%F{%(#.red.blue)}%n'$prompt_symbol$'%m%b%F{%(#.blue.green)})-[%B%F{reset}%(6~.%-1~/…/%4~.%5~)%b%F{%(#.blue.green)}]\n└─%B%(#.%F{red}#.%F{blue}$)%b%F{reset} ' + # Right-side prompt with exit codes and background processes + #RPROMPT=$'%(?.. %? %F{red}%B⨯%b%F{reset})%(1j. %j %F{yellow}%B⚙%b%F{reset}.)' + ;; + oneline) + PROMPT=$'${debian_chroot:+($debian_chroot)}${VIRTUAL_ENV:+($(basename $VIRTUAL_ENV))}%B%F{%(#.red.blue)}%n@%m%b%F{reset}:%B%F{%(#.blue.green)}%~%b%F{reset}%(#.#.$) ' + RPROMPT= + ;; + backtrack) + PROMPT=$'${debian_chroot:+($debian_chroot)}${VIRTUAL_ENV:+($(basename $VIRTUAL_ENV))}%B%F{red}%n@%m%b%F{reset}:%B%F{blue}%~%b%F{reset}%(#.#.$) ' + RPROMPT= + ;; + esac + unset prompt_symbol +} + +# The following block is surrounded by two delimiters. +# These delimiters must not be modified. Thanks. +# START KALI CONFIG VARIABLES +PROMPT_ALTERNATIVE=twoline +NEWLINE_BEFORE_PROMPT=yes +# STOP KALI CONFIG VARIABLES + +if [ "$color_prompt" = yes ]; then + # override default virtualenv indicator in prompt + VIRTUAL_ENV_DISABLE_PROMPT=1 + + configure_prompt + + # enable syntax-highlighting + if [ -f /usr/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh ]; then + . /usr/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh + ZSH_HIGHLIGHT_HIGHLIGHTERS=(main brackets pattern) + ZSH_HIGHLIGHT_STYLES[default]=none + ZSH_HIGHLIGHT_STYLES[unknown-token]=underline + ZSH_HIGHLIGHT_STYLES[reserved-word]=fg=cyan,bold + ZSH_HIGHLIGHT_STYLES[suffix-alias]=fg=green,underline + ZSH_HIGHLIGHT_STYLES[global-alias]=fg=green,bold + ZSH_HIGHLIGHT_STYLES[precommand]=fg=green,underline + ZSH_HIGHLIGHT_STYLES[commandseparator]=fg=blue,bold + ZSH_HIGHLIGHT_STYLES[autodirectory]=fg=green,underline + ZSH_HIGHLIGHT_STYLES[path]=bold + ZSH_HIGHLIGHT_STYLES[path_pathseparator]= + ZSH_HIGHLIGHT_STYLES[path_prefix_pathseparator]= + ZSH_HIGHLIGHT_STYLES[globbing]=fg=blue,bold + ZSH_HIGHLIGHT_STYLES[history-expansion]=fg=blue,bold + ZSH_HIGHLIGHT_STYLES[command-substitution]=none + ZSH_HIGHLIGHT_STYLES[command-substitution-delimiter]=fg=magenta,bold + ZSH_HIGHLIGHT_STYLES[process-substitution]=none + ZSH_HIGHLIGHT_STYLES[process-substitution-delimiter]=fg=magenta,bold + ZSH_HIGHLIGHT_STYLES[single-hyphen-option]=fg=green + ZSH_HIGHLIGHT_STYLES[double-hyphen-option]=fg=green + ZSH_HIGHLIGHT_STYLES[back-quoted-argument]=none + ZSH_HIGHLIGHT_STYLES[back-quoted-argument-delimiter]=fg=blue,bold + ZSH_HIGHLIGHT_STYLES[single-quoted-argument]=fg=yellow + ZSH_HIGHLIGHT_STYLES[double-quoted-argument]=fg=yellow + ZSH_HIGHLIGHT_STYLES[dollar-quoted-argument]=fg=yellow + ZSH_HIGHLIGHT_STYLES[rc-quote]=fg=magenta + ZSH_HIGHLIGHT_STYLES[dollar-double-quoted-argument]=fg=magenta,bold + ZSH_HIGHLIGHT_STYLES[back-double-quoted-argument]=fg=magenta,bold + ZSH_HIGHLIGHT_STYLES[back-dollar-quoted-argument]=fg=magenta,bold + ZSH_HIGHLIGHT_STYLES[assign]=none + ZSH_HIGHLIGHT_STYLES[redirection]=fg=blue,bold + ZSH_HIGHLIGHT_STYLES[comment]=fg=black,bold + ZSH_HIGHLIGHT_STYLES[named-fd]=none + ZSH_HIGHLIGHT_STYLES[numeric-fd]=none + ZSH_HIGHLIGHT_STYLES[arg0]=fg=cyan + ZSH_HIGHLIGHT_STYLES[bracket-error]=fg=red,bold + ZSH_HIGHLIGHT_STYLES[bracket-level-1]=fg=blue,bold + ZSH_HIGHLIGHT_STYLES[bracket-level-2]=fg=green,bold + ZSH_HIGHLIGHT_STYLES[bracket-level-3]=fg=magenta,bold + ZSH_HIGHLIGHT_STYLES[bracket-level-4]=fg=yellow,bold + ZSH_HIGHLIGHT_STYLES[bracket-level-5]=fg=cyan,bold + ZSH_HIGHLIGHT_STYLES[cursor-matchingbracket]=standout + fi +else + PROMPT='${debian_chroot:+($debian_chroot)}%n@%m:%~%(#.#.$) ' +fi +unset color_prompt force_color_prompt + +toggle_oneline_prompt(){ + if [ "$PROMPT_ALTERNATIVE" = oneline ]; then + PROMPT_ALTERNATIVE=twoline + else + PROMPT_ALTERNATIVE=oneline + fi + configure_prompt + zle reset-prompt +} +zle -N toggle_oneline_prompt +bindkey ^P toggle_oneline_prompt + +# If this is an xterm set the title to user@host:dir +case "$TERM" in +xterm*|rxvt*|Eterm|aterm|kterm|gnome*|alacritty) + TERM_TITLE=$'\e]0;${debian_chroot:+($debian_chroot)}${VIRTUAL_ENV:+($(basename $VIRTUAL_ENV))}%n@%m: %~\a' + ;; +*) + ;; +esac + +precmd() { + # Print the previously configured title + print -Pnr -- "$TERM_TITLE" + + # Print a new line before the prompt, but only if it is not the first line + if [ "$NEWLINE_BEFORE_PROMPT" = yes ]; then + if [ -z "$_NEW_LINE_BEFORE_PROMPT" ]; then + _NEW_LINE_BEFORE_PROMPT=1 + else + print "" + fi + fi +} + +# enable color support of ls, less and man, and also add handy aliases +if [ -x /usr/bin/dircolors ]; then + test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)" + export LS_COLORS="$LS_COLORS:ow=30;44:" # fix ls color for folders with 777 permissions + + alias ls='ls --color=auto' + #alias dir='dir --color=auto' + #alias vdir='vdir --color=auto' + + alias grep='grep --color=auto' + alias fgrep='fgrep --color=auto' + alias egrep='egrep --color=auto' + alias diff='diff --color=auto' + alias ip='ip --color=auto' + + export LESS_TERMCAP_mb=$'\E[1;31m' # begin blink + export LESS_TERMCAP_md=$'\E[1;36m' # begin bold + export LESS_TERMCAP_me=$'\E[0m' # reset bold/blink + export LESS_TERMCAP_so=$'\E[01;33m' # begin reverse video + export LESS_TERMCAP_se=$'\E[0m' # reset reverse video + export LESS_TERMCAP_us=$'\E[1;32m' # begin underline + export LESS_TERMCAP_ue=$'\E[0m' # reset underline + + # Take advantage of $LS_COLORS for completion as well + zstyle ':completion:*' list-colors "${(s.:.)LS_COLORS}" + zstyle ':completion:*:*:kill:*:processes' list-colors '=(#b) #([0-9]#)*=0=01;31' +fi + +# some more ls aliases +alias ll='ls -l' +alias la='ls -A' +alias l='ls -CF' + +# enable auto-suggestions based on the history +if [ -f /usr/share/zsh-autosuggestions/zsh-autosuggestions.zsh ]; then + . /usr/share/zsh-autosuggestions/zsh-autosuggestions.zsh + # change suggestion color + ZSH_AUTOSUGGEST_HIGHLIGHT_STYLE='fg=#999' +fi + +# enable command-not-found if installed +if [ -f /etc/zsh_command_not_found ]; then + . /etc/zsh_command_not_found +fi \ No newline at end of file diff --git a/initializers/user-configuration/apply b/initializers/user-configuration/apply new file mode 100755 index 0000000..169aecf --- /dev/null +++ b/initializers/user-configuration/apply @@ -0,0 +1,26 @@ +#!/bin/bash + +# KNEL User Configuration Initializer +# Configures user shells and other user-specific settings + +set -euo pipefail + +echo "Running user configuration initializer..." + +# Change shell to zsh for root +chsh -s $(which zsh) root + +# Change shell to zsh for localuser if exists +if [[ $LOCALUSER_CHECK -gt 0 ]]; then + chsh -s "$(which zsh)" localuser +fi + +# Change shell to zsh for subodev if exists +if [[ $SUBODEV_CHECK -gt 0 ]]; then + chsh -s "$(which zsh)" subodev +fi + +# Enable accounting +/usr/sbin/accton on + +echo "User configuration initializer completed" \ No newline at end of file diff --git a/initializers/wazuh/apply b/initializers/wazuh/apply new file mode 100755 index 0000000..e6e912d --- /dev/null +++ b/initializers/wazuh/apply @@ -0,0 +1,44 @@ +#!/bin/bash + +# KNEL Wazuh Security Module +# Deploys and configures Wazuh security monitoring + +set -euo pipefail + +echo "Running Wazuh security module..." + +# Check if this is the Wazuh server +export TSYS_NSM_CHECK="$(hostname | grep -c tsys-nsm || echo 0)" + +if [[ $TSYS_NSM_CHECK -eq 0 ]]; then + echo "Setting up Wazuh agent..." + + # Remove existing keyring if present + if [[ -f /usr/share/keyrings/wazuh.gpg ]]; then + rm -f /usr/share/keyrings/wazuh.gpg + fi + + # Add Wazuh repository + curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import + chmod 644 /usr/share/keyrings/wazuh.gpg + echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list + + # Install Wazuh agent + apt-get update + DEBIAN_FRONTEND="noninteractive" apt-get -y install wazuh-agent + + # Configure Wazuh agent + if [[ -f ./configs/wazuh-agent.conf ]]; then + cp ./configs/wazuh-agent.conf /var/ossec/etc/ossec.conf + fi + + # Start and enable Wazuh agent + systemctl daemon-reload + systemctl enable wazuh-agent + systemctl restart wazuh-agent + +else + echo "This is a Wazuh server, skipping agent setup" +fi + +echo "Wazuh security module completed" \ No newline at end of file diff --git a/modules/README.md b/modules/README.md new file mode 100644 index 0000000..1c6cfc3 --- /dev/null +++ b/modules/README.md @@ -0,0 +1,4 @@ +# Modules directory is empty - all functionality moved to initializers for one-time provisioning +# Future: Modules will be created for ongoing management when transitioned to Ansible/Salt + +# This directory is intentionally left as placeholder for eventual Ansible module structure \ No newline at end of file diff --git a/modules/librenms-agent/apply b/modules/librenms-agent/apply deleted file mode 100755 index 7e37f23..0000000 --- a/modules/librenms-agent/apply +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/bash - -# KNEL LibreNMS Agent Module -# Deploys and configures LibreNMS monitoring agent - -set -euo pipefail - -echo "Running LibreNMS agent module..." - -# Check if this is a LibreNMS server -if [[ $LIBRENMS_CHECK -eq 1 ]]; then - echo "This is a LibreNMS server, skipping agent setup" - exit 0 -fi - -# Deploy LibreNMS agent configuration -if [[ -f ./configs/librenms-agent.conf ]]; then - # Create agent directory if needed - mkdir -p /etc/librenms-agent - - # Copy agent configuration - cp ./configs/librenms-agent.conf /etc/librenms-agent/ - - # Start the agent service if available - if systemctl list-unit-files | grep -q librenms-agent; then - systemctl enable librenms-agent - systemctl restart librenms-agent - fi -fi - -echo "LibreNMS agent module completed" \ No newline at end of file diff --git a/modules/oam/apply b/modules/oam/apply deleted file mode 100755 index 9c95780..0000000 --- a/modules/oam/apply +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/bash - -# KNEL OAM Module -# Operations and Maintenance Module - -set -euo pipefail - -echo "Running OAM module..." - -# Setup up2date script -if [[ -f ./scripts/up2date.sh ]]; then - cp ./scripts/up2date.sh /usr/local/bin/up2date.sh - chmod +x /usr/local/bin/up2date.sh -fi - -# Configure LibreNMS if this is not a LibreNMS server -if [[ $LIBRENMS_CHECK -eq 0 ]]; then - # Install rsyslog if needed - apt-get update - apt-get install -y rsyslog - - # Restart rsyslog - systemctl stop rsyslog - systemctl start rsyslog -fi - -echo "OAM module completed" \ No newline at end of file diff --git a/modules/system-config/apply b/modules/system-config/apply deleted file mode 100755 index 6c898e0..0000000 --- a/modules/system-config/apply +++ /dev/null @@ -1,75 +0,0 @@ -#!/bin/bash - -# KNEL System Configuration Module -# Applies system-wide configuration files - -set -euo pipefail - -echo "Running system configuration module..." - -# Create necessary directories -mkdir -p /root/.ssh - -# Deploy system configuration files -if [[ -f ./templates/zshrc ]]; then - mo ./templates/zshrc > /etc/zshrc -fi - -if [[ -f ./templates/aliases ]]; then - mo ./templates/aliases > /etc/aliases - newaliases -fi - -if [[ -f ./templates/rsyslog.conf ]]; then - mo ./templates/rsyslog.conf > /etc/rsyslog.conf -fi - -# Configure DHCP client -if [[ -f ./templates/dhclient.conf ]]; then - mo ./templates/dhclient.conf > /etc/dhcp/dhclient.conf -fi - -# Configure SNMP -systemctl stop snmpd 2>/dev/null || true -/etc/init.d/snmpd stop 2>/dev/null || true - -if [[ -f ./templates/snmp-sudo.conf ]]; then - mo ./templates/snmp-sudo.conf > /etc/sudoers.d/Debian-snmp -fi - -# Adjust SNMP service for log verbosity -sed -i "s|-Lsd|-LS6d|" /lib/systemd/system/snmpd.service - -# Configure SNMP based on system type -if [[ $IS_RASPI -eq 1 ]] && [[ -f ./templates/snmpd-rpi.conf ]]; then - mo ./templates/snmpd-rpi.conf > /etc/snmp/snmpd.conf -elif [[ $IS_PHYSICAL_HOST -eq 1 ]] && [[ -f ./templates/snmpd-physicalhost.conf ]]; then - mo ./templates/snmpd-physicalhost.conf > /etc/snmp/snmpd.conf -elif [[ $IS_VIRT_GUEST -eq 1 ]] && [[ -f ./templates/snmpd.conf ]]; then - mo ./templates/snmpd.conf > /etc/snmp/snmpd.conf -fi - -# Configure lldpd -if [[ -f ./templates/lldpd ]]; then - mo ./templates/lldpd > /etc/default/lldpd - systemctl restart lldpd -fi - -# Configure Cockpit -if [[ -f ./templates/disallowed-users ]]; then - mo ./templates/disallowed-users > /etc/cockpit/disallowed-users - systemctl restart cockpit -fi - -# Configure NTP for non-NTP servers -if [[ $NTP_SERVER_CHECK -eq 0 ]] && [[ -f ./templates/ntp.conf ]]; then - mo ./templates/ntp.conf > /etc/ntpsec/ntp.conf - systemctl restart ntpsec.service -fi - -# Reload systemd and restart SNMP -systemctl daemon-reload -systemctl restart snmpd 2>/dev/null || true -/etc/init.d/snmpd restart 2>/dev/null || true - -echo "System configuration module completed" \ No newline at end of file diff --git a/roles/monitoring b/roles/monitoring index 5ca6c3d..7783733 100644 --- a/roles/monitoring +++ b/roles/monitoring @@ -1,6 +1,5 @@ # Monitoring Role -# Combines monitoring and management modules +# Combines monitoring-related initializers oam -system-config -monitoring \ No newline at end of file +salt-client \ No newline at end of file diff --git a/roles/security b/roles/security index 0ea6ee4..5ec2508 100644 --- a/roles/security +++ b/roles/security @@ -1,5 +1,6 @@ # Security Role -# Combines all security-related modules +# Combines all security-related initializers (designed for one-time provisioning) +# Future: These will be replaced by Ansible playbooks for ongoing management ssh-hardening 2fa diff --git a/variables b/variables index 5fcbf8f..90dafcc 100644 --- a/variables +++ b/variables @@ -13,7 +13,6 @@ export KALI_CHECK export VIRT_TYPE export IS_VIRT_GUEST export IS_KVM_GUEST -export LIBRENMS_CHECK export NTP_SERVER_CHECK export DEV_WORKSTATION_CHECK export IS_RASPI