KNEL/KNELConfigMgmt-FetchApply
1
0
Fork 0
Code Pull Requests Actions Packages Releases Activity

refactor: Remove librenms, add ansible/salt clients

Browse Source 
- Remove all librenms references from initializers and configuration
- Keep tailscale as requested (remove netbird plans)
- Add ansible-core (already present) and salt-minion packages
- Create salt-client initializer for minion configuration
- Update roles to replace librenms-agent with salt-client
- Simplify oam initializer to only handle up2date script
- Update README to reflect new architecture and tools

Prepares infrastructure for migration to Salt configuration management
while maintaining tailscale for VPN connectivity.

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>
This commit is contained in:
Charles N Wyble
2026-01-21 11:43:35 -05:00
parent 0a7efe5303
commit afe61cae9d
111 changed files with 7156 additions and 352 deletions
Download Patch File Download Diff File Expand all files Collapse all files

138
README.md
View File

@@ -2,24 +2,39 @@
This repository contains the KNEL server configuration management system implemented with the FetchApply framework.
**NOTE:** This is a one-time provisioning system. For ongoing configuration management, this will be replaced by:
- Ansible playbooks for configuration management
- Salt for system orchestration
## Overview
The KNEL FetchApply system provides automated server provisioning, configuration, and security hardening for Linux servers. It uses the FetchApply framework to apply configurations based on server classes and hostnames.
The KNEL FetchApply system provides automated server provisioning for Linux servers. It uses the FetchApply framework to apply initial configurations and then serves as a foundation for migrating to Ansible/Salt-based management.
## Repository Structure
```
.
├── classes/ # Server classifications
── physical/ # Physical Dell servers
├── virtual/ # Virtual machines
├── librenms/ # LibreNMS monitoring servers
│ ├── database/ # Database servers
│ ├── webserver/ # Web servers
│ └── dev-workstation/ # Development workstations
├── classes/
── server/ # Single class for all servers
├── initializers # List of initializers to run
└── roles # List of roles to apply
├── initializers/ # One-time setup scripts
├── modules/ # Recurring maintenance modules
├── roles/ # Groups of related modules
│ ├── system-setup/ # System detection and basic setup
│ ├── packages/ # Package installation with conditional logic
│ ├── oam/ # Operations and Maintenance setup
│ ├── system-config/ # System configuration files
│ ├── ssh-hardening/ # SSH security hardening
│ ├── ssh-keys/ # SSH authorized key deployment
│ ├── postfix/ # Email configuration
│ ├── 2fa/ # Two-factor authentication setup
│ ├── wazuh/ # Wazuh security monitoring
│ ├── security-hardening/ # SCAP/STIG compliance
│ ├── salt-client/ # Salt minion configuration
│ └── user-configuration/ # User shell settings
├── roles/ # Groups of related initializers
│ ├── security # Security-related initializers
│ └── monitoring # Monitoring-related initializers
├── modules/ # Placeholder for future Ansible modules
└── variables # Global configuration variables
```
@@ -44,9 +59,9 @@ sudo bash /tmp/install --operations-repository-url=https://git.knownelement.com/
Once installed, FetchApply will automatically:
1. Detect the server type based on hostname and hardware characteristics
2. Apply the appropriate configuration modules and initializers
3. Maintain the system configuration with regular runs
1. Detect system characteristics (physical/virtual, OS, special hosts)
2. Run initializers in sequence to provision the server
3. Apply security hardening and configuration management setup
You can also run FetchApply manually:
@@ -54,80 +69,61 @@ You can also run FetchApply manually:
sudo fa
```
## Server Classes
## System Detection
Servers are automatically classified based on their characteristics:
The system automatically detects:
### Physical Servers (`physical`)
- **Physical vs Virtual** - Using dmidecode and virt-what
- **Operating System** - Ubuntu vs Kali detection
- **Special Hosts** - NTP servers, development workstations
- **User Accounts** - Detects localuser and subodev users
- **Raspberry Pi** - Hardware detection for RPi-specific configs
**Criteria:** Dell physical hardware detected via dmidecode
## Initializers
**Applied Modules:**
- System setup and package installation
- SSH hardening
- Security hardening
- OAM monitoring
### Core Setup
- **system-setup** - System detection and variable setup
- **packages** - Package installation with conditional logic (includes ansible-core, salt-minion, tailscale)
- **user-configuration** - Shell settings and user preferences
### Virtual Machines (`virtual`)
### Configuration
- **system-config** - Deploy system configuration files (SNMP, NTP, Cockpit, etc.)
- **ssh-hardening** - SSH security hardening
- **ssh-keys** - Deploy SSH authorized keys
- **postfix** - Configure email delivery
- **salt-client** - Configure Salt minion for configuration management
**Criteria:** KVM/Hyper-V guests detected via virt-what
### Security
- **2fa** - Set up Google Authenticator for 2FA
- **wazuh** - Deploy Wazuh security monitoring agent
- **security-hardening** - SCAP/STIG compliance hardening
**Applied Modules:**
- System setup and package installation
- SSH hardening
- Security hardening (virtual-optimized)
- OAM monitoring
### Monitoring
- **oam** - Operations and Maintenance tools (up2date script)
### LibreNMS Servers (`librenms`)
## Configuration Management Tools
**Criteria:** Hostname contains "tsys-librenms"
The system installs clients for future configuration management:
**Applied Modules:**
- Standard server configuration
- LibreNMS monitoring setup
- Security hardening
### Development Workstations (`dev-workstation`)
**Criteria:** Hostname matches "subopi-dev" or "CharlesDevServer"
**Applied Modules:**
- Development tools and packages
- Less restrictive SSH configuration
- Security monitoring
- **Ansible Core** - Already installed for ad-hoc automation tasks
- **Salt Minion** - Configured and ready for Salt master connection
- **Tailscale** - VPN connectivity for secure remote access
## Security Features
The system includes comprehensive security hardening:
- SSH key-based authentication only
- 2FA support via Google Authenticator
- 2FA support via Google Authenticator (gradual rollout)
- Wazuh security monitoring
- SCAP/STIG compliance hardening
- Automated security updates
- AIDE file integrity monitoring
## Monitoring and Management
## Migration Path
- LibreNMS network monitoring integration
- Cockpit web-based management interface
- Comprehensive logging and audit trails
- SNMP monitoring configuration
- Performance monitoring tools
This system is designed as an initial provisioning step. Future migration plans:
## Configuration Templates
Configuration files are managed using mustache templates (via `mo`) to allow for:
- Environment-specific customizations
- Dynamic variable substitution
- Class-based configuration variations
## Maintenance
The system is designed to be idempotent and can be safely re-run to:
- Restore configuration drift
- Apply security updates
- Add new servers to the fleet
- Standardize configurations across environments
1. **Ansible Playbooks** - Replace initializers with Ansible roles for configuration management
2. **Salt Configuration** - Use Salt master for ongoing configuration orchestration
3. **Vault Integration** - Centralized secrets management
## Troubleshooting
@@ -137,10 +133,10 @@ For detailed status information:
sudo fa status
```
To run specific modules:
To run specific initializers:
```bash
sudo fa run <module-name>
sudo fa run <initializer-name>
```
To pause automatic runs during maintenance:
@@ -162,4 +158,4 @@ sudo fa resume
## License
This project is licensed under the terms specified in the LICENSE file.
This project is licensed under terms specified in the LICENSE file.

12
classes/database/initializers
View File

@@ -1,12 +0,0 @@
# Initializers for database servers
system-setup
packages
# Modules for database servers
oam
system-config
ssh-hardening
# Roles for database servers
security
monitoring

8
classes/database/modules
View File

@@ -1,8 +0,0 @@
# Modules for database servers
oam
system-config
ssh-hardening
# Roles for database servers
security
monitoring

3
classes/database/roles
View File

@@ -1,3 +0,0 @@
# Roles for database servers
security
monitoring

12
classes/dev-workstation/initializers
View File

@@ -1,12 +0,0 @@
# Initializers for development workstations
system-setup
packages
# Modules for development workstations
oam
system-config
ssh-hardening
# Roles for development workstations
security
monitoring

8
classes/dev-workstation/modules
View File

@@ -1,8 +0,0 @@
# Modules for development workstations
oam
system-config
ssh-hardening
# Roles for development workstations
security
monitoring

3
classes/dev-workstation/roles
View File

@@ -1,3 +0,0 @@
# Roles for development workstations
security
monitoring

0
classes/dev-workstation/variables
View File

13
classes/librenms/initializers
View File

@@ -1,13 +0,0 @@
# Initializers for LibreNMS servers
system-setup
packages
# Modules for LibreNMS servers
oam
system-config
ssh-hardening
librenms-agent
# Roles for LibreNMS servers
security
monitoring

0
classes/librenms/modules
View File

0
classes/librenms/roles
View File

0
classes/librenms/variables
View File

12
classes/ntp-server/initializers
View File

@@ -1,12 +0,0 @@
# Initializers for NTP servers
system-setup
packages
# Modules for NTP servers
oam
system-config
ssh-hardening
# Roles for NTP servers
security
monitoring

8
classes/ntp-server/modules
View File

@@ -1,8 +0,0 @@
# Modules for NTP servers
oam
system-config
ssh-hardening
# Roles for NTP servers
security
monitoring

3
classes/ntp-server/roles
View File

@@ -1,3 +0,0 @@
# Roles for NTP servers
security
monitoring

0
classes/ntp-server/variables
View File

12
classes/physical/initializers
View File

@@ -1,12 +0,0 @@
# Initializers for physical servers
system-setup
packages
# Modules for physical servers
oam
system-config
ssh-hardening
# Roles for physical servers
security
monitoring

8
classes/physical/modules
View File

@@ -1,8 +0,0 @@
# Modules for physical servers
oam
system-config
ssh-hardening
# Roles for physical servers
security
monitoring

3
classes/physical/roles
View File

@@ -1,3 +0,0 @@
# Roles for physical servers
security
monitoring

0
classes/physical/variables
View File

17
classes/server/initializers Normal file
View File

@@ -0,0 +1,17 @@
# Initializers for all servers (one-time provisioning)
system-setup
packages
oam
system-config
ssh-hardening
ssh-keys
postfix
2fa
wazuh
security-hardening
salt-client
user-configuration
# Roles for all servers
security
monitoring

3
classes/server/roles Normal file
View File

@@ -0,0 +1,3 @@
# Roles for all servers
security
monitoring

0
classes/virtual/initializers
View File

5
classes/virtual/modules
View File

@@ -1,5 +0,0 @@
# Modules for virtual servers
oam
system-config
ssh-hardening
security-hardening

3
classes/virtual/roles
View File

@@ -1,3 +0,0 @@
# Roles for virtual servers
security
monitoring

0
classes/virtual/variables
View File

12
classes/webserver/initializers
View File

@@ -1,12 +0,0 @@
# Initializers for web servers
system-setup
packages
# Modules for web servers
oam
system-config
ssh-hardening
# Roles for web servers
security
monitoring

8
classes/webserver/modules
View File

@@ -1,8 +0,0 @@
# Modules for web servers
oam
system-config
ssh-hardening
# Roles for web servers
security
monitoring

3
classes/webserver/roles
View File

@@ -1,3 +0,0 @@
# Roles for web servers
security
monitoring

0
classes/webserver/variables
View File

33
initializers/2fa/apply Executable file
View File

@@ -0,0 +1,33 @@
#!/bin/bash
# KNEL 2FA Module
# Configures two-factor authentication via Google Authenticator
set -euo pipefail
echo "Running 2FA module..."
# Install Google Authenticator for PAM
DEBIAN_FRONTEND="noninteractive" apt-get -y install \
libpam-google-authenticator \
qrencode
# Configure PAM for SSH with 2FA (use nullok for gradual rollout)
if [[ -f ./configs/sshd-pam ]]; then
cp ./configs/sshd-pam /etc/pam.d/sshd
fi
# Configure SSH to allow challenge-response authentication
if [[ -f ./configs/sshd-2fa-config ]]; then
# Backup existing config
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
# Add 2FA settings to SSH config
cat ./configs/sshd-2fa-config >> /etc/ssh/sshd_config
fi
# Restart SSH service
systemctl restart ssh
echo "2FA module completed"
echo "Note: Users must run 'google-authenticator' to set up their 2FA tokens"

16
initializers/oam/apply Executable file
View File

@@ -0,0 +1,16 @@
#!/bin/bash
# KNEL OAM Initializer
# Sets up Operations and Maintenance tools
set -euo pipefail
echo "Running OAM initializer..."
# Setup up2date script
if [[ -f ./scripts/up2date.sh ]]; then
cp ./scripts/up2date.sh /usr/local/bin/up2date.sh
chmod +x /usr/local/bin/up2date.sh
fi
echo "OAM initializer completed"

9
initializers/oam/librenms/check_mk.socket Normal file
View File

@@ -0,0 +1,9 @@
[Unit]
Description=Check_MK LibreNMS Agent Socket
[Socket]
ListenStream=6556
Accept=yes
[Install]
WantedBy=sockets.target

7
initializers/oam/librenms/check_mk@.service Normal file
View File

@@ -0,0 +1,7 @@
[Unit]
Description=Check_MK LibreNMS Agent Service
After=network.target
[Service]
ExecStart=/usr/bin/check_mk_agent
StandardOutput=socket

659
initializers/oam/librenms/check_mk_agent Normal file
View File

@@ -0,0 +1,659 @@
#!/bin/bash
# +------------------------------------------------------------------+
# | ____ _ _ __ __ _ __ |
# | / ___| |__ ___ ___| | __ | \/ | |/ / |
# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
# | | |___| | | | __/ (__| < | | | | . \ |
# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
# | |
# | Copyright Mathias Kettner 2014 mk@mathias-kettner.de |
# +------------------------------------------------------------------+
#
# This file is part of Check_MK.
# The official homepage is at http://mathias-kettner.de/check_mk.
#
# check_mk is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation in version 2. check_mk is distributed
# in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
# out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE. See the GNU General Public License for more de-
# ails. You should have received a copy of the GNU General Public
# License along with GNU Make; see the file COPYING. If not, write
# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
# Boston, MA 02110-1301 USA.
# Remove locale settings to eliminate localized outputs where possible
export LC_ALL=C
unset LANG
export MK_LIBDIR="/usr/lib/check_mk_agent"
export MK_CONFDIR="/etc/check_mk"
export MK_VARDIR="/var/lib/check_mk_agent"
# Provide information about the remote host. That helps when data
# is being sent only once to each remote host.
if [ "$REMOTE_HOST" ] ; then
export REMOTE=$REMOTE_HOST
elif [ "$SSH_CLIENT" ] ; then
export REMOTE=${SSH_CLIENT%% *}
fi
# Make sure, locally installed binaries are found
PATH=$PATH:/usr/local/bin
# All executables in PLUGINSDIR will simply be executed and their
# ouput appended to the output of the agent. Plugins define their own
# sections and must output headers with '<<<' and '>>>'
PLUGINSDIR=$MK_LIBDIR/plugins
# All executables in LOCALDIR will by executabled and their
# output inserted into the section <<<local>>>. Please
# refer to online documentation for details about local checks.
LOCALDIR=$MK_LIBDIR/local
# All files in SPOOLDIR will simply appended to the agent
# output if they are not outdated (see below)
SPOOLDIR=$MK_VARDIR/spool
# close standard input (for security reasons) and stderr
if [ "$1" = -d ]
then
set -xv
else
exec </dev/null 2>/dev/null
fi
# Runs a command asynchronous by use of a cache file
function run_cached () {
local section=
if [ "$1" = -s ] ; then local section="echo '<<<$2>>>' ; " ; shift ; fi
local NAME=$1
local MAXAGE=$2
shift 2
local CMDLINE="$section$@"
if [ ! -d $MK_VARDIR/cache ]; then mkdir -p $MK_VARDIR/cache ; fi
CACHEFILE="$MK_VARDIR/cache/$NAME.cache"
# Check if the creation of the cache takes suspiciously long and return
# nothing if the age (access time) of $CACHEFILE.new is twice the MAXAGE
local NOW=$(date +%s)
if [ -e "$CACHEFILE.new" ] ; then
local CF_ATIME=$(stat -c %X "$CACHEFILE.new")
if [ $((NOW - CF_ATIME)) -ge $((MAXAGE * 2)) ] ; then
# Kill the process still accessing that file in case
# it is still running. This avoids overlapping processes!
fuser -k -9 "$CACHEFILE.new" >/dev/null 2>&1
rm -f "$CACHEFILE.new"
return
fi
fi
# Check if cache file exists and is recent enough
if [ -s "$CACHEFILE" ] ; then
local MTIME=$(stat -c %Y "$CACHEFILE")
if [ $((NOW - MTIME)) -le $MAXAGE ] ; then local USE_CACHEFILE=1 ; fi
# Output the file in any case, even if it is
# outdated. The new file will not yet be available
cat "$CACHEFILE"
fi
# Cache file outdated and new job not yet running? Start it
if [ -z "$USE_CACHEFILE" -a ! -e "$CACHEFILE.new" ] ; then
echo "set -o noclobber ; exec > \"$CACHEFILE.new\" || exit 1 ; $CMDLINE && mv \"$CACHEFILE.new\" \"$CACHEFILE\" || rm -f \"$CACHEFILE\" \"$CACHEFILE.new\"" | nohup bash >/dev/null 2>&1 &
fi
}
# Make run_cached available for subshells (plugins, local checks, etc.)
export -f run_cached
echo '<<<check_mk>>>'
echo Version: 1.2.6b5
echo AgentOS: linux
echo AgentDirectory: $MK_CONFDIR
echo DataDirectory: $MK_VARDIR
echo SpoolDirectory: $SPOOLDIR
echo PluginsDirectory: $PLUGINSDIR
echo LocalDirectory: $LOCALDIR
# If we are called via xinetd, try to find only_from configuration
if [ -n "$REMOTE_HOST" ]
then
echo -n 'OnlyFrom: '
echo $(sed -n '/^service[[:space:]]*check_mk/,/}/s/^[[:space:]]*only_from[[:space:]]*=[[:space:]]*\(.*\)/\1/p' /etc/xinetd.d/* | head -n1)
fi
# Print out Partitions / Filesystems. (-P gives non-wrapped POSIXed output)
# Heads up: NFS-mounts are generally supressed to avoid agent hangs.
# If hard NFS mounts are configured or you have too large nfs retry/timeout
# settings, accessing those mounts from the agent would leave you with
# thousands of agent processes and, ultimately, a dead monitored system.
# These should generally be monitored on the NFS server, not on the clients.
echo '<<<df>>>'
# The exclusion list is getting a bit of a problem. -l should hide any remote FS but seems
# to be all but working.
excludefs="-x smbfs -x cifs -x iso9660 -x udf -x nfsv4 -x nfs -x mvfs -x zfs"
df -PTlk $excludefs | sed 1d
# df inodes information
echo '<<<df>>>'
echo '[df_inodes_start]'
df -PTli $excludefs | sed 1d
echo '[df_inodes_end]'
# Filesystem usage for ZFS
if type zfs > /dev/null 2>&1 ; then
echo '<<<zfsget>>>'
zfs get -Hp name,quota,used,avail,mountpoint,type -t filesystem,volume || \
zfs get -Hp name,quota,used,avail,mountpoint,type
echo '[df]'
df -PTlk -t zfs | sed 1d
fi
# Check NFS mounts by accessing them with stat -f (System
# call statfs()). If this lasts more then 2 seconds we
# consider it as hanging. We need waitmax.
if type waitmax >/dev/null
then
STAT_VERSION=$(stat --version | head -1 | cut -d" " -f4)
STAT_BROKE="5.3.0"
echo '<<<nfsmounts>>>'
sed -n '/ nfs4\? /s/[^ ]* \([^ ]*\) .*/\1/p' < /proc/mounts |
sed 's/\\040/ /g' |
while read MP
do
if [ $STAT_VERSION != $STAT_BROKE ]; then
waitmax -s 9 2 stat -f -c "$MP ok %b %f %a %s" "$MP" || \
echo "$MP hanging 0 0 0 0"
else
waitmax -s 9 2 stat -f -c "$MP ok %b %f %a %s" "$MP" && \
printf '\n'|| echo "$MP hanging 0 0 0 0"
fi
done
echo '<<<cifsmounts>>>'
sed -n '/ cifs\? /s/[^ ]* \([^ ]*\) .*/\1/p' < /proc/mounts |
sed 's/\\040/ /g' |
while read MP
do
if [ $STAT_VERSION != $STAT_BROKE ]; then
waitmax -s 9 2 stat -f -c "$MP ok %b %f %a %s" "$MP" || \
echo "$MP hanging 0 0 0 0"
else
waitmax -s 9 2 stat -f -c "$MP ok %b %f %a %s" "$MP" && \
printf '\n'|| echo "$MP hanging 0 0 0 0"
fi
done
fi
# Check mount options. Filesystems may switch to 'ro' in case
# of a read error.
echo '<<<mounts>>>'
grep ^/dev < /proc/mounts
# processes including username, without kernel processes
echo '<<<ps>>>'
ps ax -o user,vsz,rss,cputime,pid,command --columns 10000 | sed -e 1d -e 's/ *\([^ ]*\) *\([^ ]*\) *\([^ ]*\) *\([^ ]*\) *\([^ ]*\) */(\1,\2,\3,\4,\5) /'
# Memory usage
echo '<<<mem>>>'
egrep -v '^Swap:|^Mem:|total:' < /proc/meminfo
# Load and number of processes
echo '<<<cpu>>>'
echo "$(cat /proc/loadavg) $(grep -E '^CPU|^processor' < /proc/cpuinfo | wc -l)"
# Uptime
echo '<<<uptime>>>'
cat /proc/uptime
# New variant: Information about speed and state in one section
echo '<<<lnx_if:sep(58)>>>'
sed 1,2d /proc/net/dev
if type ethtool > /dev/null
then
for eth in $(sed -e 1,2d < /proc/net/dev | cut -d':' -f1 | sort)
do
echo "[$eth]"
ethtool $eth | egrep '(Speed|Duplex|Link detected|Auto-negotiation):'
echo -en "\tAddress: " ; cat /sys/class/net/$eth/address ; echo
done
fi
# Current state of bonding interfaces
if [ -e /proc/net/bonding ] ; then
echo '<<<lnx_bonding:sep(58)>>>'
pushd /proc/net/bonding > /dev/null ; head -v -n 1000 * ; popd
fi
# Same for Open vSwitch bonding
if type ovs-appctl > /dev/null ; then
echo '<<<ovs_bonding:sep(58)>>>'
for bond in $(ovs-appctl bond/list | sed -e 1d | cut -f2) ; do
echo "[$bond]"
ovs-appctl bond/show $bond
done
fi
# Number of TCP connections in the various states
echo '<<<tcp_conn_stats>>>'
# waitmax 10 netstat -nt | awk ' /^tcp/ { c[$6]++; } END { for (x in c) { print x, c[x]; } }'
# New implementation: netstat is very slow for large TCP tables
cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | awk ' /:/ { c[$4]++; } END { for (x in c) { print x, c[x]; } }'
# Linux Multipathing
if type multipath >/dev/null ; then
echo '<<<multipath>>>'
multipath -l
fi
# Performancecounter Platten
echo '<<<diskstat>>>'
date +%s
egrep ' (x?[shv]d[a-z]*|cciss/c[0-9]+d[0-9]+|emcpower[a-z]+|dm-[0-9]+|VxVM.*|mmcblk.*) ' < /proc/diskstats
if type dmsetup >/dev/null ; then
echo '[dmsetup_info]'
dmsetup info -c --noheadings --separator ' ' -o name,devno,vg_name,lv_name
fi
if [ -d /dev/vx/dsk ] ; then
echo '[vx_dsk]'
stat -c "%t %T %n" /dev/vx/dsk/*/*
fi
# Performancecounter Kernel
echo '<<<kernel>>>'
date +%s
cat /proc/vmstat /proc/stat
# Hardware sensors via IPMI (need ipmitool)
if type ipmitool > /dev/null
then
run_cached -s ipmi 300 "ipmitool sensor list | grep -v 'command failed' | sed -e 's/ *| */|/g' -e 's/ /_/g' -e 's/_*"'$'"//' -e 's/|/ /g' | egrep -v '^[^ ]+ na ' | grep -v ' discrete '"
fi
# IPMI data via ipmi-sensors (of freeipmi). Please make sure, that if you
# have installed freeipmi that IPMI is really support by your hardware.
if type ipmi-sensors >/dev/null
then
echo '<<<ipmi_sensors>>>'
# Newer ipmi-sensors version have new output format; Legacy format can be used
if ipmi-sensors --help | grep -q legacy-output; then
IPMI_FORMAT="--legacy-output"
else
IPMI_FORMAT=""
fi
# At least with ipmi-sensoirs 0.7.16 this group is Power_Unit instead of "Power Unit"
run_cached -s ipmi_sensors 300 "for class in Temperature Power_Unit Fan
do
ipmi-sensors $IPMI_FORMAT --sdr-cache-directory /var/cache -g "$class" | sed -e 's/ /_/g' -e 's/:_\?/ /g' -e 's@ \([^(]*\)_(\([^)]*\))@ \2_\1@'
# In case of a timeout immediately leave loop.
if [ $? = 255 ] ; then break ; fi
done"
fi
# RAID status of Linux software RAID
echo '<<<md>>>'
cat /proc/mdstat
# RAID status of Linux RAID via device mapper
if type dmraid >/dev/null && DMSTATUS=$(dmraid -r)
then
echo '<<<dmraid>>>'
# Output name and status
dmraid -s | grep -e ^name -e ^status
# Output disk names of the RAID disks
DISKS=$(echo "$DMSTATUS" | cut -f1 -d\:)
for disk in $DISKS ; do
device=$(cat /sys/block/$(basename $disk)/device/model )
status=$(echo "$DMSTATUS" | grep ^${disk})
echo "$status Model: $device"
done
fi
# RAID status of LSI controllers via cfggen
if type cfggen > /dev/null ; then
echo '<<<lsi>>>'
cfggen 0 DISPLAY | egrep '(Target ID|State|Volume ID|Status of volume)[[:space:]]*:' | sed -e 's/ *//g' -e 's/:/ /'
fi
# RAID status of LSI MegaRAID controller via MegaCli. You can download that tool from:
# http://www.lsi.com/downloads/Public/MegaRAID%20Common%20Files/8.02.16_MegaCLI.zip
if type MegaCli >/dev/null ; then
MegaCli_bin="MegaCli"
elif type MegaCli64 >/dev/null ; then
MegaCli_bin="MegaCli64"
elif type megacli >/dev/null ; then
MegaCli_bin="megacli"
else
MegaCli_bin="unknown"
fi
if [ "$MegaCli_bin" != "unknown" ]; then
echo '<<<megaraid_pdisks>>>'
for part in $($MegaCli_bin -EncInfo -aALL -NoLog < /dev/null \
| sed -rn 's/:/ /g; s/[[:space:]]+/ /g; s/^ //; s/ $//; s/Number of enclosures on adapter ([0-9]+).*/adapter \1/g; /^(Enclosure|Device ID|adapter) [0-9]+$/ p'); do
[ $part = adapter ] && echo ""
[ $part = 'Enclosure' ] && echo -ne "\ndev2enc"
echo -n " $part"
done
echo
$MegaCli_bin -PDList -aALL -NoLog < /dev/null | egrep 'Enclosure|Raw Size|Slot Number|Device Id|Firmware state|Inquiry|Adapter'
echo '<<<megaraid_ldisks>>>'
$MegaCli_bin -LDInfo -Lall -aALL -NoLog < /dev/null | egrep 'Size|State|Number|Adapter|Virtual'
echo '<<<megaraid_bbu>>>'
$MegaCli_bin -AdpBbuCmd -GetBbuStatus -aALL -NoLog < /dev/null | grep -v Exit
fi
# RAID status of 3WARE disk controller (by Radoslaw Bak)
if type tw_cli > /dev/null ; then
for C in $(tw_cli show | awk 'NR < 4 { next } { print $1 }'); do
echo '<<<3ware_info>>>'
tw_cli /$C show all | egrep 'Model =|Firmware|Serial'
echo '<<<3ware_disks>>>'
tw_cli /$C show drivestatus | egrep 'p[0-9]' | sed "s/^/$C\//"
echo '<<<3ware_units>>>'
tw_cli /$C show unitstatus | egrep 'u[0-9]' | sed "s/^/$C\//"
done
fi
# RAID controllers from areca (Taiwan)
# cli64 can be found at ftp://ftp.areca.com.tw/RaidCards/AP_Drivers/Linux/CLI/
if type cli64 >/dev/null ; then
run_cached -s arc_raid_status 300 "cli64 rsf info | tail -n +3 | head -n -2"
fi
# VirtualBox Guests. Section must always been output. Otherwise the
# check would not be executed in case no guest additions are installed.
# And that is something the check wants to detect
echo '<<<vbox_guest>>>'
if type VBoxControl >/dev/null 2>&1 ; then
VBoxControl -nologo guestproperty enumerate | cut -d, -f1,2
[ ${PIPESTATUS[0]} = 0 ] || echo "ERROR"
fi
# OpenVPN Clients. Currently we assume that the configuration # is in
# /etc/openvpn. We might find a safer way to find the configuration later.
if [ -e /etc/openvpn/openvpn-status.log ] ; then
echo '<<<openvpn_clients:sep(44)>>>'
sed -n -e '/CLIENT LIST/,/ROUTING TABLE/p' < /etc/openvpn/openvpn-status.log | sed -e 1,3d -e '$d'
fi
# Time synchronization with NTP
if type ntpq > /dev/null 2>&1 ; then
# remove heading, make first column space separated
run_cached -s ntp 30 "waitmax 5 ntpq -np | sed -e 1,2d -e 's/^\(.\)/\1 /' -e 's/^ /%/'"
fi
# Time synchronization with Chrony
if type chronyc > /dev/null 2>&1 ; then
# Force successful exit code. Otherwise section will be missing if daemon not running
run_cached -s chrony 30 "waitmax 5 chronyc tracking || true"
fi
if type nvidia-settings >/dev/null && [ -S /tmp/.X11-unix/X0 ]
then
echo '<<<nvidia>>>'
for var in GPUErrors GPUCoreTemp
do
DISPLAY=:0 waitmax 2 nvidia-settings -t -q $var | sed "s/^/$var: /"
done
fi
if [ -e /proc/drbd ]; then
echo '<<<drbd>>>'
cat /proc/drbd
fi
# Status of CUPS printer queues
if type lpstat > /dev/null 2>&1; then
if pgrep cups > /dev/null 2>&1; then
echo '<<<cups_queues>>>'
CPRINTCONF=/etc/cups/printers.conf
if [ -r "$CPRINTCONF" ] ; then
LOCAL_PRINTERS=$(grep -E "<(Default)?Printer .*>" $CPRINTCONF | awk '{print $2}' | sed -e 's/>//')
lpstat -p | while read LINE
do
PRINTER=$(echo $LINE | awk '{print $2}')
if echo "$LOCAL_PRINTERS" | grep -q "$PRINTER"; then
echo $LINE
fi
done
echo '---'
lpstat -o | while read LINE
do
PRINTER=${LINE%%-*}
if echo "$LOCAL_PRINTERS" | grep -q "$PRINTER"; then
echo $LINE
fi
done
else
lpstat -p
echo '---'
lpstat -o | sort
fi
fi
fi
# Heartbeat monitoring
# Different handling for heartbeat clusters with and without CRM
# for the resource state
if [ -S /var/run/heartbeat/crm/cib_ro -o -S /var/run/crm/cib_ro ] || pgrep crmd > /dev/null 2>&1; then
echo '<<<heartbeat_crm>>>'
crm_mon -1 -r | grep -v ^$ | sed 's/^ //; /^\sResource Group:/,$ s/^\s//; s/^\s/_/g'
fi
if type cl_status > /dev/null 2>&1; then
echo '<<<heartbeat_rscstatus>>>'
cl_status rscstatus
echo '<<<heartbeat_nodes>>>'
for NODE in $(cl_status listnodes); do
if [ $NODE != $(echo $HOSTNAME | tr 'A-Z' 'a-z') ]; then
STATUS=$(cl_status nodestatus $NODE)
echo -n "$NODE $STATUS"
for LINK in $(cl_status listhblinks $NODE 2>/dev/null); do
echo -n " $LINK $(cl_status hblinkstatus $NODE $LINK)"
done
echo
fi
done
fi
# Postfix mailqueue monitoring
#
# Only handle mailq when postfix user is present. The mailq command is also
# available when postfix is not installed. But it produces different outputs
# which are not handled by the check at the moment. So try to filter out the
# systems not using postfix by searching for the postfix user.a
#
# Cannot take the whole outout. This could produce several MB of agent output
# on blocking queues.
# Only handle the last 6 lines (includes the summary line at the bottom and
# the last message in the queue. The last message is not used at the moment
# but it could be used to get the timestamp of the last message.
if type postconf >/dev/null ; then
echo '<<<postfix_mailq>>>'
postfix_queue_dir=$(postconf -h queue_directory)
postfix_count=$(find $postfix_queue_dir/deferred -type f | wc -l)
postfix_size=$(du -ks $postfix_queue_dir/deferred | awk '{print $1 }')
if [ $postfix_count -gt 0 ]
then
echo -- $postfix_size Kbytes in $postfix_count Requests.
else
echo Mail queue is empty
fi
elif [ -x /usr/sbin/ssmtp ] ; then
echo '<<<postfix_mailq>>>'
mailq 2>&1 | sed 's/^[^:]*: \(.*\)/\1/' | tail -n 6
fi
#Check status of qmail mailqueue
if type qmail-qstat >/dev/null
then
echo "<<<qmail_stats>>>"
qmail-qstat
fi
# Check status of OMD sites
if type omd >/dev/null
then
run_cached -s omd_status 60 "omd status --bare --auto"
fi
# Welcome the ZFS check on Linux
# We do not endorse running ZFS on linux if your vendor doesnt support it ;)
# check zpool status
if type zpool >/dev/null; then
echo "<<<zpool_status>>>"
zpool status -x
fi
# Fileinfo-Check: put patterns for files into /etc/check_mk/fileinfo.cfg
if [ -r "$MK_CONFDIR/fileinfo.cfg" ] ; then
echo '<<<fileinfo:sep(124)>>>'
date +%s
stat -c "%n|%s|%Y" $(cat "$MK_CONFDIR/fileinfo.cfg")
fi
# Get stats about OMD monitoring cores running on this machine.
# Since cd is a shell builtin the check does not affect the performance
# on non-OMD machines.
if cd /omd/sites
then
echo '<<<livestatus_status:sep(59)>>>'
for site in *
do
if [ -S "/omd/sites/$site/tmp/run/live" ] ; then
echo "[$site]"
echo -e "GET status" | waitmax 3 /omd/sites/$site/bin/unixcat /omd/sites/$site/tmp/run/live
fi
done
fi
# Get statistics about monitored jobs. Below the job directory there
# is a sub directory per user that ran a job. That directory must be
# owned by the user so that a symlink or hardlink attack for reading
# arbitrary files can be avoided.
if pushd $MK_VARDIR/job >/dev/null; then
echo '<<<job>>>'
for username in *
do
if [ -d "$username" ] && cd "$username" ; then
su "$username" -c "head -n -0 -v *"
cd ..
fi
done
popd > /dev/null
fi
# Gather thermal information provided e.g. by acpi
# At the moment only supporting thermal sensors
if ls /sys/class/thermal/thermal_zone* >/dev/null 2>&1; then
echo '<<<lnx_thermal>>>'
for F in /sys/class/thermal/thermal_zone*; do
echo -n "${F##*/} "
if [ ! -e $F/mode ] ; then echo -n "- " ; fi
cat $F/{mode,type,temp,trip_point_*} | tr \\n " "
echo
done
fi
# Libelle Business Shadow
if type trd >/dev/null; then
echo "<<<libelle_business_shadow:sep(58)>>>"
trd -s
fi
# MK's Remote Plugin Executor
if [ -e "$MK_CONFDIR/mrpe.cfg" ]
then
echo '<<<mrpe>>>'
grep -Ev '^[[:space:]]*($|#)' "$MK_CONFDIR/mrpe.cfg" | \
while read descr cmdline
do
PLUGIN=${cmdline%% *}
OUTPUT=$(eval "$cmdline")
echo -n "(${PLUGIN##*/}) $descr $? $OUTPUT" | tr \\n \\1
echo
done
fi
# Local checks
echo '<<<local>>>'
if cd $LOCALDIR ; then
for skript in $(ls) ; do
if [ -f "$skript" -a -x "$skript" ] ; then
./$skript
fi
done
# Call some plugins only every X'th minute
for skript in [1-9]*/* ; do
if [ -x "$skript" ] ; then
run_cached local_${skript//\//\\} ${skript%/*} "$skript"
fi
done
fi
# Plugins
if cd $PLUGINSDIR ; then
for skript in $(ls) ; do
if [ -f "$skript" -a -x "$skript" ] ; then
./$skript
fi
done
# Call some plugins only every Xth minute
for skript in [1-9]*/* ; do
if [ -x "$skript" ] ; then
run_cached plugins_${skript//\//\\} ${skript%/*} "$skript"
fi
done
fi
# Agent output snippets created by cronjobs, etc.
if [ -d "$SPOOLDIR" ]
then
pushd "$SPOOLDIR" > /dev/null
now=$(date +%s)
for file in *
do
# output every file in this directory. If the file is prefixed
# with a number, then that number is the maximum age of the
# file in seconds. If the file is older than that, it is ignored.
maxage=""
part="$file"
# Each away all digits from the front of the filename and
# collect them in the variable maxage.
while [ "${part/#[0-9]/}" != "$part" ]
do
maxage=$maxage${part:0:1}
part=${part:1}
done
# If there is at least one digit, than we honor that.
if [ "$maxage" ] ; then
mtime=$(stat -c %Y "$file")
if [ $((now - mtime)) -gt $maxage ] ; then
continue
fi
fi
# Output the file
cat "$file"
done
popd > /dev/null
fi

114
initializers/oam/librenms/distro Normal file
View File

@@ -0,0 +1,114 @@
#!/usr/bin/env bash
# Detects which OS and if it is Linux then it will detect which Linux Distribution.
OS=`uname -s`
REV=`uname -r`
MACH=`uname -m`
if [ "${OS}" = "SunOS" ] ; then
OS=Solaris
ARCH=`uname -p`
OSSTR="${OS} ${REV}(${ARCH} `uname -v`)"
elif [ "${OS}" = "AIX" ] ; then
OSSTR="${OS} `oslevel` (`oslevel -r`)"
elif [ "${OS}" = "Linux" ] ; then
KERNEL=`uname -r`
if [ -f /etc/fedora-release ]; then
DIST=$(cat /etc/fedora-release | awk '{print $1}')
REV=`cat /etc/fedora-release | sed s/.*release\ // | sed s/\ .*//`
elif [ -f /etc/redhat-release ] ; then
DIST=$(cat /etc/redhat-release | awk '{print $1}')
if [ "${DIST}" = "CentOS" ]; then
DIST="CentOS"
elif [ "${DIST}" = "Mandriva" ]; then
DIST="Mandriva"
PSEUDONAME=`cat /etc/mandriva-release | sed s/.*\(// | sed s/\)//`
REV=`cat /etc/mandriva-release | sed s/.*release\ // | sed s/\ .*//`
elif [ -f /etc/oracle-release ]; then
DIST="Oracle"
else
DIST="RedHat"
fi
PSEUDONAME=`cat /etc/redhat-release | sed s/.*\(// | sed s/\)//`
REV=`cat /etc/redhat-release | sed s/.*release\ // | sed s/\ .*//`
elif [ -f /etc/mandrake-release ] ; then
DIST='Mandrake'
PSEUDONAME=`cat /etc/mandrake-release | sed s/.*\(// | sed s/\)//`
REV=`cat /etc/mandrake-release | sed s/.*release\ // | sed s/\ .*//`
elif [ -f /etc/devuan_version ] ; then
DIST="Devuan `cat /etc/devuan_version`"
REV=""
elif [ -f /etc/debian_version ] ; then
DIST="Debian `cat /etc/debian_version`"
REV=""
ID=`lsb_release -i | awk -F ':' '{print $2}' | sed 's/ //g'`
if [ "${ID}" = "Raspbian" ] ; then
DIST="Raspbian `cat /etc/debian_version`"
fi
elif [ -f /etc/gentoo-release ] ; then
DIST="Gentoo"
REV=$(tr -d '[[:alpha:]]' </etc/gentoo-release | tr -d " ")
elif [ -f /etc/arch-release ] ; then
DIST="Arch Linux"
REV="" # Omit version since Arch Linux uses rolling releases
IGNORE_LSB=1 # /etc/lsb-release would overwrite $REV with "rolling"
elif [ -f /etc/os-release ] ; then
DIST=$(grep '^NAME=' /etc/os-release | cut -d= -f2- | tr -d '"')
REV=$(grep '^VERSION_ID=' /etc/os-release | cut -d= -f2- | tr -d '"')
elif [ -f /etc/openwrt_version ] ; then
DIST="OpenWrt"
REV=$(cat /etc/openwrt_version)
elif [ -f /etc/pld-release ] ; then
DIST=$(cat /etc/pld-release)
REV=""
elif [ -f /etc/SuSE-release ] ; then
DIST=$(echo SLES $(grep VERSION /etc/SuSE-release | cut -d = -f 2 | tr -d " "))
REV=$(echo SP$(grep PATCHLEVEL /etc/SuSE-release | cut -d = -f 2 | tr -d " "))
fi
if [ -f /etc/lsb-release -a "${IGNORE_LSB}" != 1 ] ; then
LSB_DIST=$(lsb_release -si)
LSB_REV=$(lsb_release -sr)
if [ "$LSB_DIST" != "" ] ; then
DIST=$LSB_DIST
fi
if [ "$LSB_REV" != "" ] ; then
REV=$LSB_REV
fi
fi
if [ "`uname -a | awk '{print $(NF)}'`" = "DD-WRT" ] ; then
DIST="dd-wrt"
fi
if [ -n "${REV}" ]
then
OSSTR="${DIST} ${REV}"
else
OSSTR="${DIST}"
fi
elif [ "${OS}" = "Darwin" ] ; then
if [ -f /usr/bin/sw_vers ] ; then
OSSTR=`/usr/bin/sw_vers|grep -v Build|sed 's/^.*:.//'| tr "\n" ' '`
fi
elif [ "${OS}" = "FreeBSD" ] ; then
OSSTR=`/usr/bin/uname -mior`
fi
echo ${OSSTR}

9
initializers/oam/librenms/dmi.sh Normal file
View File

@@ -0,0 +1,9 @@
#!/usr/bin/env bash
echo '<<<dmi>>>'
# requires dmidecode
for FIELD in bios-vendor bios-version bios-release-date system-manufacturer system-product-name system-version system-serial-number system-uuid baseboard-manufacturer baseboard-product-name baseboard-version baseboard-serial-number baseboard-asset-tag chassis-manufacturer chassis-type chassis-version chassis-serial-number chassis-asset-tag processor-family processor-manufacturer processor-version processor-frequency
do
echo $FIELD="$(dmidecode -s $FIELD | grep -v '^#')"
done

22
initializers/oam/librenms/dpkg.sh Normal file
View File

@@ -0,0 +1,22 @@
#!/bin/bash
# Cache the file for 30 minutes
# If you want to override this, put the command in cron.
# We cache because it is a 1sec delay, which is painful for the poller
if [ -x /usr/bin/dpkg-query ]; then
DATE=$(date +%s)
FILE=/var/cache/librenms/agent-local-dpkg
[ -d /var/cache/librenms ] || mkdir -p /var/cache/librenms
if [ ! -e $FILE ]; then
dpkg-query -W --showformat='${Status} ${Package} ${Version} ${Architecture} ${Installed-Size}\n'|grep " installed "|cut -d\ -f4- > $FILE
fi
FILEMTIME=$(stat -c %Y $FILE)
FILEAGE=$(($DATE-$FILEMTIME))
if [ $FILEAGE -gt 1800 ]; then
dpkg-query -W --showformat='${Status} ${Package} ${Version} ${Architecture} ${Installed-Size}\n'|grep " installed "|cut -d\ -f4- > $FILE
fi
echo "<<<dpkg>>>"
cat $FILE
fi

1438
initializers/oam/librenms/mysql.sh Normal file
View File

File diff suppressed because it is too large Load Diff

34
initializers/oam/librenms/ntp-client Normal file
View File

@@ -0,0 +1,34 @@
#!/bin/sh
# Please make sure the paths below are correct.
# Alternatively you can put them in $0.conf, meaning if you've named
# this script ntp-client then it must go in ntp-client.conf .
#
# NTPQV output version of "ntpq -c rv"
# Version 4 is the most common and up to date version.
#
# If you are unsure, which to set, run this script and make sure that
# the JSON output variables match that in "ntpq -c rv".
#
################################################################
# Don't change anything unless you know what are you doing #
################################################################
BIN_NTPQ='/usr/bin/env ntpq'
BIN_GREP='/usr/bin/env grep'
BIN_AWK='/usr/bin/env awk'
CONFIG=$0".conf"
if [ -f "$CONFIG" ]; then
# shellcheck disable=SC1090
. "$CONFIG"
fi
NTP_OFFSET=$($BIN_NTPQ -c rv | $BIN_GREP "offset" | $BIN_AWK -Foffset= '{print $2}' | $BIN_AWK -F, '{print $1}')
NTP_FREQUENCY=$($BIN_NTPQ -c rv | $BIN_GREP "frequency" | $BIN_AWK -Ffrequency= '{print $2}' | $BIN_AWK -F, '{print $1}')
NTP_SYS_JITTER=$($BIN_NTPQ -c rv | $BIN_GREP "sys_jitter" | $BIN_AWK -Fsys_jitter= '{print $2}' | $BIN_AWK -F, '{print $1}')
NTP_CLK_JITTER=$($BIN_NTPQ -c rv | $BIN_GREP "clk_jitter" | $BIN_AWK -Fclk_jitter= '{print $2}' | $BIN_AWK -F, '{print $1}')
NTP_WANDER=$($BIN_NTPQ -c rv | $BIN_GREP "clk_wander" | $BIN_AWK -Fclk_wander= '{print $2}' | $BIN_AWK -F, '{print $1}')
NTP_VERSION=$($BIN_NTPQ -c rv | $BIN_GREP "version" | $BIN_AWK -F'ntpd ' '{print $2}' | $BIN_AWK -F. '{print $1}')
echo '{"data":{"offset":"'"$NTP_OFFSET"'","frequency":"'"$NTP_FREQUENCY"'","sys_jitter":"'"$NTP_SYS_JITTER"'","clk_jitter":"'"$NTP_CLK_JITTER"'","clk_wander":"'"$NTP_WANDER"'"},"version":"'"$NTP_VERSION"'","error":"0","errorString":""}'
exit 0

89
initializers/oam/librenms/ntp-server.sh Normal file
View File

@@ -0,0 +1,89 @@
#!/bin/sh
# Please make sure the paths below are correct.
# Alternatively you can put them in $0.conf, meaning if you've named
# this script ntp-client.sh then it must go in ntp-client.sh.conf .
#
# NTPQV output version of "ntpq -c rv"
# p1 DD-WRT and some other outdated linux distros
# p11 FreeBSD 11 and any linux distro that is up to date
#
# If you are unsure, which to set, run this script and make sure that
# the JSON output variables match that in "ntpq -c rv".
#
BIN_NTPD='/usr/bin/env ntpd'
BIN_NTPQ='/usr/bin/env ntpq'
BIN_NTPDC='/usr/bin/env ntpdc'
BIN_GREP='/usr/bin/env grep'
BIN_TR='/usr/bin/env tr'
BIN_CUT='/usr/bin/env cut'
BIN_SED="/usr/bin/env sed"
BIN_AWK='/usr/bin/env awk'
NTPQV="p11"
################################################################
# Don't change anything unless you know what are you doing #
################################################################
CONFIG=$0".conf"
if [ -f $CONFIG ]; then
. $CONFIG
fi
VERSION=1
STRATUM=`$BIN_NTPQ -c rv | $BIN_GREP -Eow "stratum=[0-9]+" | $BIN_CUT -d "=" -f 2`
# parse the ntpq info that requires version specific info
NTPQ_RAW=`$BIN_NTPQ -c rv | $BIN_GREP jitter | $BIN_SED 's/[[:alpha:]=,_]/ /g'`
if [ $NTPQV = "p11" ]; then
OFFSET=`echo $NTPQ_RAW | $BIN_AWK -F ' ' '{print $3}'`
FREQUENCY=`echo $NTPQ_RAW | $BIN_AWK -F ' ' '{print $4}'`
SYS_JITTER=`echo $NTPQ_RAW | $BIN_AWK -F ' ' '{print $5}'`
CLK_JITTER=`echo $NTPQ_RAW | $BIN_AWK -F ' ' '{print $6}'`
CLK_WANDER=`echo $NTPQ_RAW | $BIN_AWK -F ' ' '{print $7}'`
fi
if [ $NTPQV = "p1" ]; then
OFFSET=`echo $NTPQ_RAW | $BIN_AWK -F ' ' '{print $2}'`
FREQUENCY=`echo $NTPQ_RAW | $BIN_AWK -F ' ' '{print $3}'`
SYS_JITTER=`echo $NTPQ_RAW | $BIN_AWK -F ' ' '{print $4}'`
CLK_JITTER=`echo $NTPQ_RAW | $BIN_AWK -F ' ' '{print $5}'`
CLK_WANDER=`echo $NTPQ_RAW | $BIN_AWK -F ' ' '{print $6}'`
fi
VER=`$BIN_NTPD --version`
if [ "$VER" = '4.2.6p5' ]; then
USECMD=`echo $BIN_NTPDC -c iostats`
else
USECMD=`echo $BIN_NTPQ -c iostats localhost`
fi
CMD2=`$USECMD | $BIN_TR -d ' ' | $BIN_CUT -d : -f 2 | $BIN_TR '\n' ' '`
TIMESINCERESET=`echo $CMD2 | $BIN_AWK -F ' ' '{print $1}'`
RECEIVEDBUFFERS=`echo $CMD2 | $BIN_AWK -F ' ' '{print $2}'`
FREERECEIVEBUFFERS=`echo $CMD2 | $BIN_AWK -F ' ' '{print $3}'`
USEDRECEIVEBUFFERS=`echo $CMD2 | $BIN_AWK -F ' ' '{print $4}'`
LOWWATERREFILLS=`echo $CMD2 | $BIN_AWK -F ' ' '{print $5}'`
DROPPEDPACKETS=`echo $CMD2 | $BIN_AWK -F ' ' '{print $6}'`
IGNOREDPACKETS=`echo $CMD2 | $BIN_AWK -F ' ' '{print $7}'`
RECEIVEDPACKETS=`echo $CMD2 | $BIN_AWK -F ' ' '{print $8}'`
PACKETSSENT=`echo $CMD2 | $BIN_AWK -F ' ' '{print $9}'`
PACKETSENDFAILURES=`echo $CMD2 | $BIN_AWK -F ' ' '{print $10}'`
INPUTWAKEUPS=`echo $CMD2 | $BIN_AWK -F ' ' '{print $11}'`
USEFULINPUTWAKEUPS=`echo $CMD2 | $BIN_AWK -F ' ' '{print $12}'`
echo '{"data":{"offset":"'$OFFSET\
'","frequency":"'$FREQUENCY\
'","sys_jitter":"'$SYS_JITTER\
'","clk_jitter":"'$CLK_JITTER\
'","clk_wander":"'$CLK_WANDER\
'","stratum":"'$STRATUM\
'","time_since_reset":"'$TIMESINCERESET\
'","receive_buffers":"'$RECEIVEDBUFFERS\
'","free_receive_buffers":"'$FREERECEIVEBUFFERS\
'","used_receive_buffers":"'$USEDRECEIVEBUFFERS\
'","low_water_refills":"'$LOWWATERREFILLS\
'","dropped_packets":"'$DROPPEDPACKETS\
'","ignored_packets":"'$IGNOREDPACKETS\
'","received_packets":"'$RECEIVEDPACKETS\
'","packets_sent":"'$PACKETSSENT\
'","packet_send_failures":"'$PACKETSENDFAILURES\
'","input_wakeups":"'$PACKETSENDFAILURES\
'","useful_input_wakeups":"'$USEFULINPUTWAKEUPS\
'"},"error":"0","errorString":"","version":"'$VERSION'"}'

73
initializers/oam/librenms/os-updates.sh Normal file
View File

@@ -0,0 +1,73 @@
#!/usr/bin/env bash
################################################################
# copy this script to /etc/snmp/ and make it executable: #
# chmod +x /etc/snmp/os-updates.sh #
# ------------------------------------------------------------ #
# edit your snmpd.conf and include: #
# extend osupdate /opt/os-updates.sh #
#--------------------------------------------------------------#
# restart snmpd and activate the app for desired host #
#--------------------------------------------------------------#
# please make sure you have the path/binaries below #
################################################################
BIN_WC='/usr/bin/wc'
BIN_GREP='/bin/grep'
CMD_GREP='-c'
CMD_WC='-l'
BIN_ZYPPER='/usr/bin/zypper'
CMD_ZYPPER='-q lu'
BIN_YUM='/usr/bin/yum'
CMD_YUM='-q check-update'
BIN_DNF='/usr/bin/dnf'
CMD_DNF='-q check-update'
BIN_APT='/usr/bin/apt-get'
CMD_APT='-qq -s upgrade'
BIN_PACMAN='/usr/bin/pacman'
CMD_PACMAN='-Sup'
################################################################
# Don't change anything unless you know what are you doing #
################################################################
if [ -f $BIN_ZYPPER ]; then
# OpenSUSE
UPDATES=`$BIN_ZYPPER $CMD_ZYPPER | $BIN_WC $CMD_WC`
if [ $UPDATES -ge 2 ]; then
echo $(($UPDATES-2));
else
echo "0";
fi
elif [ -f $BIN_DNF ]; then
# Fedora
UPDATES=`$BIN_DNF $CMD_DNF | $BIN_WC $CMD_WC`
if [ $UPDATES -ge 1 ]; then
echo $(($UPDATES-1));
else
echo "0";
fi
elif [ -f $BIN_PACMAN ]; then
# Arch
UPDATES=`$BIN_PACMAN $CMD_PACMAN | $BIN_WC $CMD_WC`
if [ $UPDATES -ge 1 ]; then
echo $(($UPDATES-1));
else
echo "0";
fi
elif [ -f $BIN_YUM ]; then
# CentOS / Redhat
UPDATES=`$BIN_YUM $CMD_YUM | $BIN_WC $CMD_WC`
if [ $UPDATES -ge 1 ]; then
echo $(($UPDATES-1));
else
echo "0";
fi
elif [ -f $BIN_APT ]; then
# Debian / Devuan / Ubuntu
UPDATES=`$BIN_APT $CMD_APT | $BIN_GREP $CMD_GREP 'Inst'`
if [ $UPDATES -ge 1 ]; then
echo $UPDATES;
else
echo "0";
fi
else
echo "0";
fi

13
initializers/oam/librenms/postfix-queues Normal file
View File

@@ -0,0 +1,13 @@
#!/bin/bash
#Written by Valec 2006. Steal and share.
#Get postfix queue lengths
#extend mailq /opt/observer/scripts/getmailq.sh
QUEUES="incoming active deferred hold"
for i in $QUEUES; do
COUNT=$(qshape "$i" | grep TOTAL | awk '{print $2}')
printf "$COUNT\n"
done

548
initializers/oam/librenms/postfixdetailed Normal file
View File

@@ -0,0 +1,548 @@
#!/usr/bin/env perl
# add this to your snmpd.conf file as below
# extend postfixdetailed /etc/snmp/postfixdetailed
# The cache file to use.
my $cache='/var/cache/postfixdetailed';
# the location of pflogsumm
my $pflogsumm='/usr/bin/env pflogsumm';
#totals
# 847 received = received
# 852 delivered = delivered
# 0 forwarded = forwarded
# 3 deferred (67 deferrals)= deferred
# 0 bounced = bounced
# 593 rejected (41%) = rejected
# 0 reject warnings = rejectw
# 0 held = held
# 0 discarded (0%) = discarded
# 16899k bytes received = bytesr
# 18009k bytes delivered = bytesd
# 415 senders = senders
# 266 sending hosts/domains = sendinghd
# 15 recipients = recipients
# 9 recipient hosts/domains = recipienthd
######message deferral detail
#Connection refused = deferralcr
#Host is down = deferralhid
########message reject detail
#Client host rejected = chr
#Helo command rejected: need fully-qualified hostname = hcrnfqh
#Sender address rejected: Domain not found = sardnf
#Sender address rejected: not owned by user = sarnobu
#blocked using = bu
#Recipient address rejected: User unknown = raruu
#Helo command rejected: Invalid name = hcrin
#Sender address rejected: need fully-qualified address = sarnfqa
#Recipient address rejected: Domain not found = rardnf
#Recipient address rejected: need fully-qualified address = rarnfqa
#Improper use of SMTP command pipelining = iuscp
#Message size exceeds fixed limit = msefl
#Server configuration error = sce
#Server configuration problem = scp
#unknown reject reason = urr
my $old='';
#reads in the old data if it exists
if ( -f $cache ){
open(my $fh, "<", $cache) or die "Can't open '".$cache."'";
# if this is over 2048, something is most likely wrong
read($fh , $old , 2048);
close($fh);
}
my ( $received,
$delivered,
$forwarded,
$deferred,
$bounced,
$rejected,
$rejectw,
$held,
$discarded,
$bytesr,
$bytesd,
$senders,
$sendinghd,
$recipients,
$recipienthd,
$deferralcr,
$deferralhid,
$chr,
$hcrnfqh,
$sardnf,
$sarnobu,
$bu,
$raruu,
$hcrin,
$sarnfqa,
$rardnf,
$rarnfqa,
$iuscp,
$sce,
$scp,
$urr,
$msefl) = split ( /\n/, $old );
if ( ! defined( $received ) ){ $received=0; }
if ( ! defined( $delivered ) ){ $delivered=0; }
if ( ! defined( $forwarded ) ){ $forwarded=0; }
if ( ! defined( $deferred ) ){ $deferred=0; }
if ( ! defined( $bounced ) ){ $bounced=0; }
if ( ! defined( $rejected ) ){ $rejected=0; }
if ( ! defined( $rejectw ) ){ $rejectw=0; }
if ( ! defined( $held ) ){ $held=0; }
if ( ! defined( $discarded ) ){ $discarded=0; }
if ( ! defined( $bytesr ) ){ $bytesr=0; }
if ( ! defined( $bytesd ) ){ $bytesd=0; }
if ( ! defined( $senders ) ){ $senders=0; }
if ( ! defined( $sendinghd ) ){ $sendinghd=0; }
if ( ! defined( $recipients ) ){ $recipients=0; }
if ( ! defined( $recipienthd ) ){ $recipienthd=0; }
if ( ! defined( $deferralcr ) ){ $deferralcr=0; }
if ( ! defined( $deferralhid ) ){ $deferralhid=0; }
if ( ! defined( $chr ) ){ $chr=0; }
if ( ! defined( $hcrnfqh ) ){ $hcrnfqh=0; }
if ( ! defined( $sardnf ) ){ $sardnf=0; }
if ( ! defined( $sarnobu ) ){ $sarnobu=0; }
if ( ! defined( $bu ) ){ $bu=0; }
if ( ! defined( $raruu ) ){ $raruu=0; }
if ( ! defined( $hcrin ) ){ $hcrin=0; }
if ( ! defined( $sarnfqa ) ){ $sarnfqa=0; }
if ( ! defined( $rardnf ) ){ $rardnf=0; }
if ( ! defined( $rarnfqa ) ){ $rarnfqa=0; }
if ( ! defined( $iuscp ) ){ $iuscp=0; }
if ( ! defined( $msefl ) ){ $msefl=0; }
if ( ! defined( $sce ) ){ $sce=0; }
if ( ! defined( $scp ) ){ $scp=0; }
if ( ! defined( $urr ) ){ $urr=0; }
#init current variables
my $receivedC=0;
my $deliveredC=0;
my $forwardedC=0;
my $deferredC=0;
my $bouncedC=0;
my $rejectedC=0;
my $rejectwC=0;
my $heldC=0;
my $discardedC=0;
my $bytesrC=0;
my $bytesdC=0;
my $sendersC=0;
my $sendinghdC=0;
my $recipientsC=0;
my $recipienthdC=0;
my $deferralcrC=0;
my $deferralhidC=0;
my $hcrnfqhC=0;
my $sardnfC=0;
my $sarnobuC=0;
my $buC=0;
my $raruuC=0;
my $hcrinC=0;
my $sarnfqaC=0;
my $rardnfC=0;
my $rarnfqaC=0;
my $iuscpC=0;
my $mseflC=0;
my $sceC=0;
my $scpC=0;
my $urrC=0;
sub newValue{
my $old=$_[0];
my $new=$_[1];
#if new is undefined, just default to 0... this should never happen
if ( !defined( $new ) ){
warn('New not defined');
return 0;
}
#sets it to 0 if old is not defined
if ( !defined( $old ) ){
warn('Old not defined');
$old=0;
}
#make sure they are both numberic and if not set to zero
if( $old !~ /^[0123456789]*$/ ){
warn('Old not numeric');
$old=0;
}
if( $new !~ /^[0123456789]*$/ ){
warn('New not numeric');
$new=0;
}
#log rotation happened
if ( $old > $new ){
return $new;
};
return $new - $old;
}
my $output=`$pflogsumm /var/log/maillog`;
#holds RBL values till the end when it is compared to the old one
my $buNew=0;
#holds client host rejected values till the end when it is compared to the old one
my $chrNew=0;
# holds recipient address rejected values till the end when it is compared to the old one
my $raruuNew=0;
#holds the current values for checking later
my $current='';
my @outputA=split( /\n/, $output );
my $int=0;
while ( defined( $outputA[$int] ) ){
my $line=$outputA[$int];
$line=~s/^ *//;
$line=~s/ +/ /g;
$line=~s/\)$//;
my $handled=0;
#received line
if ( ( $line =~ /[0123456789] received$/ ) && ( ! $handled ) ){
$line=~s/ .*//;
$receivedC=$line;
$received=newValue( $received, $line );
$handled=1;
}
#delivered line
if ( ( $line =~ /[0123456789] delivered$/ ) && ( ! $handled ) ){
$line=~s/ .*//;
$deliveredC=$line;
$delivered=newValue( $delivered, $line );
$handled=1;
}
#forward line
if ( ( $line =~ /[0123456789] forwarded$/ ) && ( ! $handled ) ){
$line=~s/ .*//;
$forwardedC=$line;
$forwarded=newValue( $forwarded, $line );
$handled=1;
}
#defereed line
if ( ( $line =~ /[0123456789] deferred \(/ ) && ( ! $handled ) ){
$line=~s/ .*//;
$deferredC=$line;
$deferred=newValue( $deferred, $line );
$handled=1;
}
#bounced line
if ( ( $line =~ /[0123456789] bounced$/ ) && ( ! $handled ) ){
$line=~s/ .*//;
$bouncedC=$line;
$bounced=newValue( $bounced, $line );
$handled=1;
}
#rejected line
if ( ( $line =~ /[0123456789] rejected \(/ ) && ( ! $handled ) ){
$line=~s/ .*//;
$rejectedC=$line;
$rejected=newValue( $rejected, $line );
$handled=1;
}
#reject warning line
if ( ( $line =~ /[0123456789] reject warnings/ ) && ( ! $handled ) ){
$line=~s/ .*//;
$rejectwC=$line;
$rejectw=newValue( $rejectw, $line );
$handled=1;
}
#held line
if ( ( $line =~ /[0123456789] held$/ ) && ( ! $handled ) ){
$line=~s/ .*//;
$heldC=$line;
$held=newValue( $held, $line );
$handled=1;
}
#discarded line
if ( ( $line =~ /[0123456789] discarded \(/ ) && ( ! $handled ) ){
$line=~s/ .*//;
$discardedC=$line;
$discarded=newValue( $discarded, $line );
$handled=1;
}
#bytes received line
if ( ( $line =~ /[0123456789kM] bytes received$/ ) && ( ! $handled ) ){
$line=~s/ .*//;
$line=~s/k/000/;
$line=~s/M/000000/;
$bytesrC=$line;
$bytesr=newValue( $bytesr, $line );
$handled=1;
}
#bytes delivered line
if ( ( $line =~ /[0123456789kM] bytes delivered$/ ) && ( ! $handled ) ){
$line=~s/ .*//;
$line=~s/k/000/;
$line=~s/M/000000/;
$bytesdC=$line;
$bytesd=newValue( $bytesd, $line );
$handled=1;
}
#senders line
if ( ( $line =~ /[0123456789] senders$/ ) && ( ! $handled ) ){
$line=~s/ .*//;
$sendersC=$line;
$senders=newValue( $senders, $line );
$handled=1;
}
#sendering hosts/domains line
if ( ( $line =~ /[0123456789] sending hosts\/domains$/ ) && ( ! $handled ) ){
$line=~s/ .*//;
$sendinghdC=$line;
$sendinghd=newValue( $sendinghd, $line );
$handled=1;
}
#recipients line
if ( ( $line =~ /[0123456789] recipients$/ ) && ( ! $handled ) ){
$line=~s/ .*//;
$recipientsC=$line;
$recipients=newValue( $recipients, $line );
$handled=1;
}
#recipients line
if ( ( $line =~ /[0123456789] recipient hosts\/domains$/ ) && ( ! $handled ) ){
$line=~s/ .*//;
$recipienthdC=$line;
$recipienthd=newValue( $recipienthd, $line );
$handled=1;
}
# deferrals connectios refused
if ( ( $line =~ /[0123456789] 25\: Connection refused$/ ) && ( ! $handled ) ){
$line=~s/ .*//;
$deferralcrC=$line;
$deferralcr=newValue( $deferralcr, $line );
$handled=1;
}
# deferrals Host is down
if ( ( $line =~ /Host is down$/ ) && ( ! $handled ) ){
$line=~s/ .*//;
$deferralcrC=$line;
$deferralhidC=$line;
$deferralhid=newValue( $deferralhid, $line );
$handled=1;
}
# Client host rejected
if ( ( $line =~ /Client host rejected/ ) && ( ! $handled ) ){
$line=~s/.*\: //g;
$chrNew=$chrNew + $line;
$handled=1;
}
#Helo command rejected: need fully-qualified hostname
if ( ( $line =~ /Helo command rejected\: need fully\-qualified hostname/ ) && ( ! $handled ) ){
$line=~s/.*\: //g;
$hcrnfqhC=$line;
$hcrnfqh=newValue( $hcrnfqh, $line );
$handled=1;
}
#Sender address rejected: Domain not found
if ( ( $line =~ /Sender address rejected\: Domain not found/ ) && ( ! $handled ) ){
$line=~s/.*\: //g;
$sardnfC=$line;
$sardnf=newValue( $sardnf, $line );
$handled=1;
}
#Sender address rejected: not owned by user
if ( ( $line =~ /Sender address rejected\: not owned by user/ ) && ( ! $handled ) ){
$line=~s/.*\: //g;
$sarnobuC=$line;
$sarnobu=newValue( $sarnobu, $line );
$handled=1;
}
#blocked using
# These lines are RBLs so there will be more than one.
# Use $buNew to add them all up.
if ( ( $line =~ /blocked using/ ) && ( ! $handled ) ){
$line=~s/.*\: //g;
$buNew=$buNew + $line;
$handled=1;
}
#Recipient address rejected: User unknown
if ( ( $line =~ /Recipient address rejected\: User unknown/ ) && ( ! $handled ) ){
$line=~s/.*\: //g;
$raruuNew=$raruuNew + $line;
$handled=1;
}
#Helo command rejected: Invalid name
if ( ( $line =~ /Helo command rejected\: Invalid name/ ) && ( ! $handled ) ){
$line=~s/.*\: //g;
$hcrinC=$line;
$hcrin=newValue( $hcrin, $line );
}
#Sender address rejected: need fully-qualified address
if ( ( $line =~ /Sender address rejected\: need fully-qualified address/ ) && ( ! $handled ) ){
$line=~s/.*\: //g;
$sarnfqaC=$line;
$sarnfqa=newValue( $sarnfqa, $line );
}
#Recipient address rejected: Domain not found
if ( ( $line =~ /Recipient address rejected\: Domain not found/ ) && ( ! $handled ) ){
$line=~s/.*\: //g;
$rardnfC=$line;
$rardnf=newValue( $rardnf, $line );
}
#Improper use of SMTP command pipelining
if ( ( $line =~ /Improper use of SMTP command pipelining/ ) && ( ! $handled ) ){
$line=~s/.*\: //g;
$iuscpC=$line;
$iuscp=newValue( $iuscp, $line );
}
#Message size exceeds fixed limit
if ( ( $line =~ /Message size exceeds fixed limit/ ) && ( ! $handled ) ){
$line=~s/.*\: //g;
$mseflC=$line;
$msefl=newValue( $msefl, $line );
}
#Server configuration error
if ( ( $line =~ /Server configuration error/ ) && ( ! $handled ) ){
$line=~s/.*\: //g;
$sceC=$line;
$sce=newValue( $sce, $line );
}
#Server configuration problem
if ( ( $line =~ /Server configuration problem/ ) && ( ! $handled ) ){
$line=~s/.*\: //g;
$scpC=$line;
$scp=newValue( $scp, $line );
}
#unknown reject reason
if ( ( $line =~ /unknown reject reason/ ) && ( ! $handled ) ){
$line=~s/.*\: //g;
$urrC=$line;
$urr=newValue( $urr, $line );
}
$int++;
}
# final client host rejected total
$chr=newValue( $chr, $chrNew );
# final RBL total
$bu=newValue( $bu, $buNew );
# final recipient address rejected total
$raruu=newValue( $raruu, $raruuNew );
my $data=$received."\n".
$delivered."\n".
$forwarded."\n".
$deferred."\n".
$bounced."\n".
$rejected."\n".
$rejectw."\n".
$held."\n".
$discarded."\n".
$bytesr."\n".
$bytesd."\n".
$senders."\n".
$sendinghd."\n".
$recipients."\n".
$recipienthd."\n".
$deferralcr."\n".
$deferralhid."\n".
$chr."\n".
$hcrnfqh."\n".
$sardnf."\n".
$sarnobu."\n".
$bu."\n".
$raruu."\n".
$hcrin."\n".
$sarnfqa."\n".
$rardnf."\n".
$rarnfqa."\n".
$iuscp."\n".
$sce."\n".
$scp."\n".
$urr."\n".
$msefl."\n";
print $data;
my $current=$receivedC."\n".
$deliveredC."\n".
$forwardedC."\n".
$deferredC."\n".
$bouncedC."\n".
$rejectedC."\n".
$rejectwC."\n".
$heldC."\n".
$discardedC."\n".
$bytesrC."\n".
$bytesdC."\n".
$sendersC."\n".
$sendinghdC."\n".
$recipientsC."\n".
$recipienthdC."\n".
$deferralcrC."\n".
$deferralhidC."\n".
$chrNew."\n".
$hcrnfqhC."\n".
$sardnfC."\n".
$sarnobuC."\n".
$buNew."\n".
$raruuNew."\n".
$hcrinC."\n".
$sarnfqaC."\n".
$rardnfC."\n".
$rarnfqaC."\n".
$iuscpC."\n".
$sceC."\n".
$scpC."\n".
$urrC."\n".
$mseflC."\n";
open(my $fh, ">", $cache) or die "Can't open '".$cache."'";
print $fh $current;
close($fh);

46
initializers/oam/librenms/raspberry.sh Normal file
View File

@@ -0,0 +1,46 @@
#!/bin/bash
#######################################
# please read DOCS to succesfully get #
# raspberry sensors into your host #
#######################################
picmd='/usr/bin/vcgencmd'
pised='/bin/sed'
getTemp='measure_temp'
getVoltsCore='measure_volts core'
getVoltsRamC='measure_volts sdram_c'
getVoltsRamI='measure_volts sdram_i'
getVoltsRamP='measure_volts sdram_p'
getFreqArm='measure_clock arm'
getFreqCore='measure_clock core'
getStatusH264='codec_enabled H264'
getStatusMPG2='codec_enabled MPG2'
getStatusWVC1='codec_enabled WVC1'
getStatusMPG4='codec_enabled MPG4'
getStatusMJPG='codec_enabled MJPG'
getStatusWMV9='codec_enabled WMV9'
$picmd $getTemp | $pised 's|[^0-9.]||g'
$picmd "$getVoltsCore" | $pised 's|[^0-9.]||g'
$picmd "$getVoltsRamC" | $pised 's|[^0-9.]||g'
$picmd "$getVoltsRamI" | $pised 's|[^0-9.]||g'
$picmd "$getVoltsRamP" | $pised 's|[^0-9.]||g'
$picmd "$getFreqArm" | $pised 's/frequency([0-9]*)=//g'
$picmd "$getFreqCore" | $pised 's/frequency([0-9]*)=//g'
$picmd "$getStatusH264" | $pised 's/H264=//g'
$picmd "$getStatusMPG2" | $pised 's/MPG2=//g'
$picmd "$getStatusWVC1" | $pised 's/WVC1=//g'
$picmd "$getStatusMPG4" | $pised 's/MPG4=//g'
$picmd "$getStatusMJPG" | $pised 's/MJPG=//g'
$picmd "$getStatusWMV9" | $pised 's/WMV9=//g'
$picmd "$getStatusH264" | $pised 's/enabled/2/g'
$picmd "$getStatusMPG2" | $pised 's/enabled/2/g'
$picmd "$getStatusWVC1" | $pised 's/enabled/2/g'
$picmd "$getStatusMPG4" | $pised 's/enabled/2/g'
$picmd "$getStatusMJPG" | $pised 's/enabled/2/g'
$picmd "$getStatusWMV9" | $pised 's/enabled/2/g'
$picmd "$getStatusH264" | $pised 's/disabled/1/g'
$picmd "$getStatusMPG2" | $pised 's/disabled/1/g'
$picmd "$getStatusWVC1" | $pised 's/disabled/1/g'
$picmd "$getStatusMPG4" | $pised 's/disabled/1/g'
$picmd "$getStatusMJPG" | $pised 's/disabled/1/g'
$picmd "$getStatusWMV9" | $pised 's/disabled/1/g'

929
initializers/oam/librenms/smart Normal file
View File

@@ -0,0 +1,929 @@
#!/usr/bin/env perl
#Copyright (c) 2024, Zane C. Bowers-Hadley
#All rights reserved.
#
#Redistribution and use in source and binary forms, with or without modification,
#are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
#THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
#ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
#IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
#INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
#BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
#DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
#LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
#OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
#THE POSSIBILITY OF SUCH DAMAGE.
=for comment
Add this to snmpd.conf like below.
extend smart /etc/snmp/smart
Then add to root's cron tab, if you have more than a few disks.
*/5 * * * * /etc/snmp/extends/smart -u
You will also need to create the config file, which defaults to the same path as the script,
but with .config appended. So if the script is located at /etc/snmp/smart, the config file
will be /etc/snmp/extends/smart.config. Alternatively you can also specific a config via -c.
Anything starting with a # is comment. The format for variables is $variable=$value. Empty
lines are ignored. Spaces and tabes at either the start or end of a line are ignored. Any
line with out a matched variable or # are treated as a disk.
#This is a comment
cache=/var/cache/smart
smartctl=/usr/local/sbin/smartctl
useSN=0
ada0
da5 /dev/da5 -d sat
twl0,0 /dev/twl0 -d 3ware,0
twl0,1 /dev/twl0 -d 3ware,1
twl0,2 /dev/twl0 -d 3ware,2
The variables are as below.
cache = The path to the cache file to use. Default: /var/cache/smart
smartctl = The path to use for smartctl. Default: /usr/bin/env smartctl
useSN = If set to 1, it will use the disks SN for reporting instead of the device name.
1 is the default. 0 will use the device name.
A disk line is can be as simple as just a disk name under /dev/. Such as in the config above
The line "ada0" would resolve to "/dev/ada0" and would be called with no special argument. If
a line has a space in it, everything before the space is treated as the disk name and is what
used for reporting and everything after that is used as the argument to be passed to smartctl.
If you want to guess at the configuration, call it with -g and it will print out what it thinks
it should be.
Switches:
-c <config> The config file to use.
-u Update
-p Pretty print the JSON.
-Z GZip+Base64 compress the results.
-g Guess at the config and print it to STDOUT
-C Enable manual checking for guess and cciss.
-S Set useSN to 0 when using -g
-t <test> Run the specified smart self test on all the devices.
-U When calling cciss_vol_status, call it with -u.
-G <modes> Guess modes to use. This is a comma seperated list.
Default :: scan-open,cciss-vol-status
Guess Modes:
- scan :: Use "--scan" with smartctl. "scan-open" will take presidence.
- scan-open :: Call smartctl with "--scan-open".
- cciss-vol-status :: Freebsd/Linux specific and if it sees /dev/sg0(on Linux) or
/dev/ciss0(on FreebSD) it will attempt to find drives via cciss-vol-status,
and then optionally checking for disks via smrtctl if -C is given. Should be noted
though that -C will not find drives that are currently missing/failed. If -U is given,
cciss_vol_status will be called with -u.
=cut
##
## You should not need to touch anything below here.
##
use warnings;
use strict;
use Getopt::Std;
use JSON;
use MIME::Base64;
use IO::Compress::Gzip qw(gzip $GzipError);
my $cache = '/var/cache/smart';
my $smartctl = '/usr/bin/env smartctl';
my @disks;
my $useSN = 1;
$Getopt::Std::STANDARD_HELP_VERSION = 1;
sub main::VERSION_MESSAGE {
print "SMART SNMP extend 0.3.2\n";
}
sub main::HELP_MESSAGE {
&VERSION_MESSAGE;
print "\n" . "-u Update '" . $cache . "'\n" . '-g Guess at the config and print it to STDOUT
-c <config> The config file to use.
-p Pretty print the JSON.
-Z GZip+Base64 compress the results.
-C Enable manual checking for guess and cciss.
-S Set useSN to 0 when using -g
-t <test> Run the specified smart self test on all the devices.
-U When calling cciss_vol_status, call it with -u.
-G <modes> Guess modes to use. This is a comma seperated list.
Default :: scan-open,cciss-vol-status
Scan Modes:
- scan :: Use "--scan" with smartctl. "scan-open" will take presidence.
- scan-open :: Call smartctl with "--scan-open".
- cciss-vol-status :: Freebsd/Linux specific and if it sees /dev/sg0(on Linux) or
/dev/ciss0(on FreebSD) it will attempt to find drives via cciss-vol-status,
and then optionally checking for disks via smrtctl if -C is given. Should be noted
though that -C will not find drives that are currently missing/failed. If -U is given,
cciss_vol_status will be called with -u.
';
} ## end sub main::HELP_MESSAGE
#gets the options
my %opts = ();
getopts( 'ugc:pZhvCSGt:U', \%opts );
if ( $opts{h} ) {
&HELP_MESSAGE;
exit;
}
if ( $opts{v} ) {
&VERSION_MESSAGE;
exit;
}
#
# figure out what scan modes to use if -g specified
#
my $scan_modes = {
'scan-open' => 0,
'scan' => 0,
'cciss_vol_status' => 0,
};
if ( $opts{g} ) {
if ( !defined( $opts{G} ) ) {
$opts{G} = 'scan-open,cciss_vol_status';
}
$opts{G} =~ s/[\ \t]//g;
my @scan_modes_split = split( /,/, $opts{G} );
foreach my $mode (@scan_modes_split) {
if ( !defined $scan_modes->{$mode} ) {
die( '"' . $mode . '" is not a recognized scan mode' );
}
$scan_modes->{$mode} = 1;
}
} ## end if ( $opts{g} )
# configure JSON for later usage
# only need to do this if actually running as in -g is not specified
my $json;
if ( !$opts{g} ) {
$json = JSON->new->allow_nonref->canonical(1);
if ( $opts{p} ) {
$json->pretty;
}
}
#
#
# guess if asked
#
#
if ( defined( $opts{g} ) ) {
#get what path to use for smartctl
$smartctl = `which smartctl`;
chomp($smartctl);
if ( $? != 0 ) {
warn("'which smartctl' failed with a exit code of $?");
exit 1;
}
#try to touch the default cache location and warn if it can't be done
system( 'touch ' . $cache . '>/dev/null' );
if ( $? != 0 ) {
$cache = '#Could not touch ' . $cache . "You will need to manually set it\n" . "cache=?\n";
} else {
system( 'rm -f ' . $cache . '>/dev/null' );
$cache = 'cache=' . $cache . "\n";
}
my $drive_lines = '';
#
#
# scan-open and scan guess mode handling
#
#
if ( $scan_modes->{'scan-open'} || $scan_modes->{'scan'} ) {
# used for checking if a disk has been found more than once
my %found_disks_names;
my @argumentsA;
# use scan-open if it is set, overriding scan if it is also set
my $mode = 'scan';
if ( $scan_modes->{'scan-open'} ) {
$mode = 'scan-open';
}
#have smartctl scan and see if it finds anythings not get found
my $scan_output = `$smartctl --$mode`;
my @scan_outputA = split( /\n/, $scan_output );
# remove non-SMART devices sometimes returned
@scan_outputA = grep( !/ses[0-9]/, @scan_outputA ); # not a disk, but may or may not have SMART attributes
@scan_outputA = grep( !/pass[0-9]/, @scan_outputA ); # very likely a duplicate and a disk under another name
@scan_outputA = grep( !/cd[0-9]/, @scan_outputA ); # CD drive
if ( $^O eq 'freebsd' ) {
@scan_outputA = grep( !/sa[0-9]/, @scan_outputA ); # tape drive
@scan_outputA = grep( !/ctl[0-9]/, @scan_outputA ); # CAM target layer
} elsif ( $^O eq 'linux' ) {
@scan_outputA = grep( !/st[0-9]/, @scan_outputA ); # SCSI tape drive
@scan_outputA = grep( !/ht[0-9]/, @scan_outputA ); # ATA tape drive
}
# make the first pass, figuring out what all we have and trimming comments
foreach my $arguments (@scan_outputA) {
my $name = $arguments;
$arguments =~ s/ \#.*//; # trim the comment out of the argument
$name =~ s/ .*//;
$name =~ s/\/dev\///;
if ( defined( $found_disks_names{$name} ) ) {
$found_disks_names{$name}++;
} else {
$found_disks_names{$name} = 0;
}
push( @argumentsA, $arguments );
} ## end foreach my $arguments (@scan_outputA)
# second pass, putting the lines together
my %current_disk;
foreach my $arguments (@argumentsA) {
my $not_virt = 1;
# check to see if we have a virtual device
my @virt_check = split( /\n/, `smartctl -i $arguments 2> /dev/null` );
foreach my $virt_check_line (@virt_check) {
if ( $virt_check_line =~ /(?i)Product\:.*LOGICAL VOLUME/ ) {
$not_virt = 0;
}
}
my $name = $arguments;
$name =~ s/ .*//;
$name =~ s/\/dev\///;
# only add it if not a virtual RAID drive
# HP RAID virtual disks will show up with very basical but totally useless smart data
if ($not_virt) {
if ( $found_disks_names{$name} == 0 ) {
# If no other devices, just name it after the base device.
$drive_lines = $drive_lines . $name . " " . $arguments . "\n";
} else {
# if more than one, start at zero and increment, apennding comma number to the base device name
if ( defined( $current_disk{$name} ) ) {
$current_disk{$name}++;
} else {
$current_disk{$name} = 0;
}
$drive_lines = $drive_lines . $name . "," . $current_disk{$name} . " " . $arguments . "\n";
}
} ## end if ($not_virt)
} ## end foreach my $arguments (@argumentsA)
} ## end if ( $scan_modes->{'scan-open'} || $scan_modes...)
#
#
# scan mode handler for cciss_vol_status
# /dev/sg* devices for cciss on Linux
# /dev/ccis* devices for cciss on FreeBSD
#
#
if ( $scan_modes->{'cciss_vol_status'} && ( $^O eq 'linux' || $^O eq 'freebsd' ) ) {
my $cciss;
if ( $^O eq 'freebsd' ) {
$cciss = 'ciss';
} elsif ( $^O eq 'linux' ) {
$cciss = 'sg';
}
my $uarg = '';
if ( $opts{U} ) {
$uarg = '-u';
}
# generate the initial device path that will be checked
my $sg_int = 0;
my $device = '/dev/' . $cciss . $sg_int;
my $sg_process = 1;
if ( -e $device ) {
my $output = `which cciss_vol_status 2> /dev/null`;
if ( $? != 0 && !$opts{C} ) {
$sg_process = 0;
$drive_lines
= $drive_lines
. "# -C not given, but "
. $device
. " exists and cciss_vol_status is not present\n"
. "# in path or 'ccis_vol_status -V "
. $device
. "' is failing\n";
} ## end if ( $? != 0 && !$opts{C} )
} ## end if ( -e $device )
my $seen_lines = {};
my $ignore_lines = {};
while ( -e $device && $sg_process ) {
my $output = `cciss_vol_status -V $uarg $device 2> /dev/null`;
if ( $? != 0 && $output eq '' && !$opts{C} ) {
# just empty here as we just want to skip it if it fails and there is no C
# warning is above
} elsif ( $? != 0 && $output eq '' && $opts{C} ) {
my $drive_count = 0;
my $continue = 1;
while ($continue) {
my $output = `$smartctl -i $device -d cciss,$drive_count 2> /dev/null`;
if ( $? != 0 ) {
$continue = 0;
} else {
my $add_it = 0;
my $id;
while ( $output =~ /(?i)Serial Number:(.*)/g ) {
$id = $1;
$id =~ s/^\s+|\s+$//g;
}
if ( defined($id) && !defined( $seen_lines->{$id} ) ) {
$add_it = 1;
$seen_lines->{$id} = 1;
}
if ( $continue && $add_it ) {
$drive_lines
= $drive_lines
. $cciss . '0-'
. $drive_count . ' '
. $device
. ' -d cciss,'
. $drive_count . "\n";
}
} ## end else [ if ( $? != 0 ) ]
$drive_count++;
} ## end while ($continue)
} else {
my $drive_count = 0;
# count the connector lines, this will make sure failed are founded as well
my $seen_conectors = {};
while ( $output =~ /(connector +\d+[IA]\ +box +\d+\ +bay +\d+.*)/g ) {
my $cciss_drive_line = $1;
my $connector = $cciss_drive_line;
$connector =~ s/(.*\ bay +\d+).*/$1/;
if ( !defined( $seen_lines->{$cciss_drive_line} )
&& !defined( $seen_conectors->{$connector} )
&& !defined( $ignore_lines->{$cciss_drive_line} ) )
{
$seen_lines->{$cciss_drive_line} = 1;
$seen_conectors->{$connector} = 1;
$drive_count++;
} else {
# going to be a connector we've already seen
# which will happen when it is processing replacement drives
# so save this as a device to ignore
$ignore_lines->{$cciss_drive_line} = 1;
}
} ## end while ( $output =~ /(connector +\d+[IA]\ +box +\d+\ +bay +\d+.*)/g)
my $drive_int = 0;
while ( $drive_int < $drive_count ) {
$drive_lines
= $drive_lines
. $cciss
. $sg_int . '-'
. $drive_int . ' '
. $device
. ' -d cciss,'
. $drive_int . "\n";
$drive_int++;
} ## end while ( $drive_int < $drive_count )
} ## end else [ if ( $? != 0 && $output eq '' && !$opts{C})]
$sg_int++;
$device = '/dev/' . $cciss . $sg_int;
} ## end while ( -e $device && $sg_process )
} ## end if ( $scan_modes->{'cciss_vol_status'} && ...)
my $useSN = 1;
if ( $opts{S} ) {
$useSN = 0;
}
print '# scan_modes='
. $opts{G}
. "\nuseSN="
. $useSN . "\n"
. 'smartctl='
. $smartctl . "\n"
. $cache
. $drive_lines;
exit 0;
} ## end if ( defined( $opts{g} ) )
#get which config file to use
my $config = $0 . '.config';
if ( defined( $opts{c} ) ) {
$config = $opts{c};
}
#reads the config file, optionally
my $config_file = '';
open( my $readfh, "<", $config ) or die "Can't open '" . $config . "'";
read( $readfh, $config_file, 1000000 );
close($readfh);
#
#
# parse the config file and remove comments and empty lines
#
#
my @configA = split( /\n/, $config_file );
@configA = grep( !/^$/, @configA );
@configA = grep( !/^\#/, @configA );
@configA = grep( !/^[\s\t]*$/, @configA );
my $configA_int = 0;
while ( defined( $configA[$configA_int] ) ) {
my $line = $configA[$configA_int];
chomp($line);
$line =~ s/^[\t\s]+//;
$line =~ s/[\t\s]+$//;
my ( $var, $val ) = split( /=/, $line, 2 );
my $matched;
if ( $var eq 'cache' ) {
$cache = $val;
$matched = 1;
}
if ( $var eq 'smartctl' ) {
$smartctl = $val;
$matched = 1;
}
if ( $var eq 'useSN' ) {
$useSN = $val;
$matched = 1;
}
if ( !defined($val) ) {
push( @disks, $line );
}
$configA_int++;
} ## end while ( defined( $configA[$configA_int] ) )
#
#
# run the specified self test on all disks if asked
#
#
if ( defined( $opts{t} ) ) {
# make sure we have something that atleast appears sane for the test name
my $valid_tesks = {
'offline' => 1,
'short' => 1,
'long' => 1,
'conveyance' => 1,
'afterselect,on' => 1,
};
if ( !defined( $valid_tesks->{ $opts{t} } ) && $opts{t} !~ /select,(\d+[\-\+]\d+|next|next\+\d+|redo\+\d+)/ ) {
print '"' . $opts{t} . "\" does not appear to be a valid test\n";
exit 1;
}
print "Running the SMART $opts{t} on all devices in the config...\n\n";
foreach my $line (@disks) {
my $disk;
my $name;
if ( $line =~ /\ / ) {
( $name, $disk ) = split( /\ /, $line, 2 );
} else {
$disk = $line;
$name = $line;
}
if ( $disk !~ /\// ) {
$disk = '/dev/' . $disk;
}
print "\n------------------------------------------------------------------\nDoing "
. $smartctl . ' -t '
. $opts{t} . ' '
. $disk
. " ...\n\n";
print `$smartctl -t $opts{t} $disk` . "\n";
} ## end foreach my $line (@disks)
exit 0;
} ## end if ( defined( $opts{t} ) )
#if set to 1, no cache will be written and it will be printed instead
my $noWrite = 0;
#
#
# if no -u, it means we are being called from snmped
#
#
if ( !defined( $opts{u} ) ) {
# if the cache file exists, print it, otherwise assume one is not being used
if ( -f $cache ) {
my $old = '';
open( my $readfh, "<", $cache ) or die "Can't open '" . $cache . "'";
read( $readfh, $old, 1000000 );
close($readfh);
print $old;
exit 0;
} else {
$opts{u} = 1;
$noWrite = 1;
}
} ## end if ( !defined( $opts{u} ) )
#
#
# Process each disk
#
#
my $to_return = {
data => { disks => {}, exit_nonzero => 0, unhealthy => 0, useSN => $useSN },
version => 1,
error => 0,
errorString => '',
};
foreach my $line (@disks) {
my $disk;
my $name;
if ( $line =~ /\ / ) {
( $name, $disk ) = split( /\ /, $line, 2 );
} else {
$disk = $line;
$name = $line;
}
if ( $disk !~ /\// ) {
$disk = '/dev/' . $disk;
}
my $output = `$smartctl -A $disk`;
my %IDs = (
'5' => 'null',
'10' => 'null',
'173' => 'null',
'177' => 'null',
'183' => 'null',
'184' => 'null',
'187' => 'null',
'188' => 'null',
'190' => 'null',
'194' => 'null',
'196' => 'null',
'197' => 'null',
'198' => 'null',
'199' => 'null',
'231' => 'null',
'232' => 'null',
'233' => 'null',
'9' => 'null',
'disk' => $disk,
'serial' => undef,
'selftest_log' => undef,
'health_pass' => 0,
max_temp => 'null',
exit => $?,
);
$IDs{'disk'} =~ s/^\/dev\///;
# if polling exited non-zero above, no reason running the rest of the checks
my $disk_id = $name;
if ( $IDs{exit} != 0 ) {
$to_return->{data}{exit_nonzero}++;
} else {
my @outputA;
if ( $output =~ /NVMe Log/ ) {
# we have an NVMe drive with annoyingly different output
my %mappings = (
'Temperature' => 194,
'Power Cycles' => 12,
'Power On Hours' => 9,
'Percentage Used' => 231,
);
foreach ( split( /\n/, $output ) ) {
if (/:/) {
my ( $key, $val ) = split(/:/);
$val =~ s/^\s+|\s+$|\D+//g;
if ( exists( $mappings{$key} ) ) {
if ( $mappings{$key} == 231 ) {
$IDs{ $mappings{$key} } = 100 - $val;
} else {
$IDs{ $mappings{$key} } = $val;
}
}
} ## end if (/:/)
} ## end foreach ( split( /\n/, $output ) )
} else {
@outputA = split( /\n/, $output );
my $outputAint = 0;
while ( defined( $outputA[$outputAint] ) ) {
my $line = $outputA[$outputAint];
$line =~ s/^ +//;
$line =~ s/ +/ /g;
if ( $line =~ /^[0123456789]+ / ) {
my @lineA = split( /\ /, $line, 10 );
my $raw = $lineA[9];
my $normalized = $lineA[3];
my $id = $lineA[0];
# Crucial SSD
# 202, Percent_Lifetime_Remain, same as 231, SSD Life Left
if ( $id == 202
&& $line =~ /Percent_Lifetime_Remain/ )
{
$IDs{231} = $raw;
}
# single int raw values
if ( ( $id == 5 )
|| ( $id == 10 )
|| ( $id == 173 )
|| ( $id == 183 )
|| ( $id == 184 )
|| ( $id == 187 )
|| ( $id == 196 )
|| ( $id == 197 )
|| ( $id == 198 )
|| ( $id == 199 ) )
{
my @rawA = split( /\ /, $raw );
$IDs{$id} = $rawA[0];
} ## end if ( ( $id == 5 ) || ( $id == 10 ) || ( $id...))
# single int normalized values
if ( ( $id == 177 )
|| ( $id == 230 )
|| ( $id == 231 )
|| ( $id == 232 )
|| ( $id == 233 ) )
{
# annoying non-standard disk
# WDC WDS500G2B0A
# 230 Media_Wearout_Indicator 0x0032 100 100 --- Old_age Always - 0x002e000a002e
# 232 Available_Reservd_Space 0x0033 100 100 004 Pre-fail Always - 100
# 233 NAND_GB_Written_TLC 0x0032 100 100 --- Old_age Always - 9816
if ( $id == 230
&& $line =~ /Media_Wearout_Indicator/ )
{
$IDs{233} = int($normalized);
} elsif ( $id == 232
&& $line =~ /Available_Reservd_Space/ )
{
$IDs{232} = int($normalized);
} else {
# only set 233 if it has not been set yet
# if it was set already then the above did it and we don't want
# to overwrite it
if ( $id == 233 && $IDs{233} eq "null" ) {
$IDs{$id} = int($normalized);
} elsif ( $id != 233 ) {
$IDs{$id} = int($normalized);
}
} ## end else [ if ( $id == 230 && $line =~ /Media_Wearout_Indicator/)]
} ## end if ( ( $id == 177 ) || ( $id == 230 ) || (...))
# 9, power on hours
if ( $id == 9 ) {
my @runtime = split( /[\ h]/, $raw );
$IDs{$id} = $runtime[0];
}
# 188, Command_Timeout
if ( $id == 188 ) {
my $total = 0;
my @rawA = split( /\ /, $raw );
my $rawAint = 0;
while ( defined( $rawA[$rawAint] ) ) {
$total = $total + $rawA[$rawAint];
$rawAint++;
}
$IDs{$id} = $total;
} ## end if ( $id == 188 )
# 190, airflow temp
# 194, temp
if ( ( $id == 190 )
|| ( $id == 194 ) )
{
my ($temp) = split( /\ /, $raw );
$IDs{$id} = $temp;
}
} ## end if ( $line =~ /^[0123456789]+ / )
# SAS Wrapping
# Section by Cameron Munroe (munroenet[at]gmail.com)
# Elements in Grown Defect List.
# Marking as 5 Reallocated_Sector_Ct
if ( $line =~ "Elements in grown defect list:" ) {
my @lineA = split( /\ /, $line, 10 );
my $raw = $lineA[5];
# Reallocated Sector Count ID
$IDs{5} = $raw;
}
# Current Drive Temperature
# Marking as 194 Temperature_Celsius
if ( $line =~ "Current Drive Temperature:" ) {
my @lineA = split( /\ /, $line, 10 );
my $raw = $lineA[3];
# Temperature C ID
$IDs{194} = $raw;
}
# End of SAS Wrapper
$outputAint++;
} ## end while ( defined( $outputA[$outputAint] ) )
} ## end else [ if ( $output =~ /NVMe Log/ ) ]
#get the selftest logs
$output = `$smartctl -l selftest $disk`;
@outputA = split( /\n/, $output );
my @completed = grep( /Completed/, @outputA );
$IDs{'completed'} = scalar @completed;
my @interrupted = grep( /Interrupted/, @outputA );
$IDs{'interrupted'} = scalar @interrupted;
my @read_failure = grep( /read failure/, @outputA );
$IDs{'read_failure'} = scalar @read_failure;
my @read_failure2 = grep( /Failed in segment/, @outputA );
$IDs{'read_failure'} = $IDs{'read_failure'} + scalar @read_failure2;
my @unknown_failure = grep( /unknown failure/, @outputA );
$IDs{'unknown_failure'} = scalar @unknown_failure;
my @extended = grep( /\d.*\ ([Ee]xtended|[Ll]ong).*(?![Dd]uration)/, @outputA );
$IDs{'extended'} = scalar @extended;
my @short = grep( /[Ss]hort/, @outputA );
$IDs{'short'} = scalar @short;
my @conveyance = grep( /[Cc]onveyance/, @outputA );
$IDs{'conveyance'} = scalar @conveyance;
my @selective = grep( /[Ss]elective/, @outputA );
$IDs{'selective'} = scalar @selective;
my @offline = grep( /(\d|[Bb]ackground|[Ff]oreground)+\ +[Oo]ffline/, @outputA );
$IDs{'offline'} = scalar @offline;
# if we have logs, actually grab the log output
if ( $IDs{'completed'} > 0
|| $IDs{'interrupted'} > 0
|| $IDs{'read_failure'} > 0
|| $IDs{'extended'} > 0
|| $IDs{'short'} > 0
|| $IDs{'conveyance'} > 0
|| $IDs{'selective'} > 0
|| $IDs{'offline'} > 0 )
{
my @headers = grep( /(Num\ +Test.*LBA| Description .*[Hh]ours)/, @outputA );
my @log_lines;
push( @log_lines, @extended, @short, @conveyance, @selective, @offline );
$IDs{'selftest_log'} = join( "\n", @headers, sort(@log_lines) );
} ## end if ( $IDs{'completed'} > 0 || $IDs{'interrupted'...})
# get the drive serial number, if needed
$disk_id = $name;
$output = `$smartctl -i $disk`;
# generally upper case, HP branded drives seem to report with lower case n
while ( $output =~ /(?i)Serial Number:(.*)/g ) {
$IDs{'serial'} = $1;
$IDs{'serial'} =~ s/^\s+|\s+$//g;
}
if ($useSN) {
$disk_id = $IDs{'serial'};
}
while ( $output =~ /(?i)Model Family:(.*)/g ) {
$IDs{'model_family'} = $1;
$IDs{'model_family'} =~ s/^\s+|\s+$//g;
}
while ( $output =~ /(?i)Device Model:(.*)/g ) {
$IDs{'device_model'} = $1;
$IDs{'device_model'} =~ s/^\s+|\s+$//g;
}
while ( $output =~ /(?i)Model Number:(.*)/g ) {
$IDs{'model_number'} = $1;
$IDs{'model_number'} =~ s/^\s+|\s+$//g;
}
while ( $output =~ /(?i)Firmware Version:(.*)/g ) {
$IDs{'fw_version'} = $1;
$IDs{'fw_version'} =~ s/^\s+|\s+$//g;
}
# mainly HP drives
while ( $output =~ /(?i)Vendor:(.*)/g ) {
$IDs{'vendor'} = $1;
$IDs{'vendor'} =~ s/^\s+|\s+$//g;
}
# mainly HP drives
while ( $output =~ /(?i)Product:(.*)/g ) {
$IDs{'product'} = $1;
$IDs{'product'} =~ s/^\s+|\s+$//g;
}
# mainly HP drives
while ( $output =~ /(?i)Revision:(.*)/g ) {
$IDs{'revision'} = $1;
$IDs{'revision'} =~ s/^\s+|\s+$//g;
}
# figure out what to use for the max temp, if there is one
if ( $IDs{'190'} =~ /^\d+$/ ) {
$IDs{max_temp} = $IDs{'190'};
} elsif ( $IDs{'194'} =~ /^\d+$/ ) {
$IDs{max_temp} = $IDs{'194'};
}
if ( $IDs{'194'} =~ /^\d+$/ && defined( $IDs{max_temp} ) && $IDs{'194'} > $IDs{max_temp} ) {
$IDs{max_temp} = $IDs{'194'};
}
$output = `$smartctl -H $disk`;
if ( $output =~ /SMART\ overall\-health\ self\-assessment\ test\ result\:\ PASSED/ ) {
$IDs{'health_pass'} = 1;
} elsif ( $output =~ /SMART\ Health\ Status\:\ OK/ ) {
$IDs{'health_pass'} = 1;
}
if ( !$IDs{'health_pass'} ) {
$to_return->{data}{unhealthy}++;
}
} ## end else [ if ( $IDs{exit} != 0 ) ]
# only bother to save this if useSN is not being used
if ( !$useSN ) {
$to_return->{data}{disks}{$disk_id} = \%IDs;
} elsif ( $IDs{exit} == 0 && defined($disk_id) ) {
$to_return->{data}{disks}{$disk_id} = \%IDs;
}
# smartctl will in some cases exit zero when it can't pull data for cciss
# so if we get a zero exit, but no serial then it means something errored
# and the device is likely dead
if ( $IDs{exit} == 0 && !defined( $IDs{serial} ) ) {
$to_return->{data}{unhealthy}++;
}
} ## end foreach my $line (@disks)
my $toReturn = $json->encode($to_return);
if ( !$opts{p} ) {
$toReturn = $toReturn . "\n";
}
if ( $opts{Z} ) {
my $toReturnCompressed;
gzip \$toReturn => \$toReturnCompressed;
my $compressed = encode_base64($toReturnCompressed);
$compressed =~ s/\n//g;
$compressed = $compressed . "\n";
if ( length($compressed) < length($toReturn) ) {
$toReturn = $compressed;
}
} ## end if ( $opts{Z} )
if ( !$noWrite ) {
open( my $writefh, ">", $cache ) or die "Can't open '" . $cache . "'";
print $writefh $toReturn;
close($writefh);
} else {
print $toReturn;
}

3
initializers/oam/librenms/smart.config Normal file
View File

@@ -0,0 +1,3 @@
smartctl=/usr/sbin/smartctl
cache=/var/cache/smart
sda

2048
initializers/oam/librenms/ss.py Normal file
View File

File diff suppressed because one or more lines are too long

45
initializers/oam/librenms/ups-nut.sh Normal file
View File

@@ -0,0 +1,45 @@
#!/bin/sh
################################################################
# Instructions: #
# 1. copy this script to /etc/snmp/ and make it executable: #
# chmod +x ups-nut.sh #
# 2. make sure UPS_NAME below matches the name of your UPS #
# 3. edit your snmpd.conf to include this line: #
# extend ups-nut /etc/snmp/ups-nut.sh #
# 4. restart snmpd on the host #
# 5. activate the app for the desired host in LibreNMS #
################################################################
UPS_NAME="${1:-APCUPS}"
PATH=$PATH:/usr/bin:/bin
TMP=$(upsc $UPS_NAME 2>/dev/null)
for value in "battery\.charge: [0-9.]+" "battery\.(runtime\.)?low: [0-9]+" "battery\.runtime: [0-9]+" "battery\.voltage: [0-9.]+" "battery\.voltage\.nominal: [0-9]+" "input\.voltage\.nominal: [0-9.]+" "input\.voltage: [0-9.]+" "ups\.load: [0-9.]+"
do
OUT=$(echo "$TMP" | grep -Eo "$value" | awk '{print $2}' | LANG=C sort | head -n 1)
if [ -n "$OUT" ]; then
echo "$OUT"
else
echo "Unknown"
fi
done
for value in "ups\.status:[A-Z ]{0,}OL" "ups\.status:[A-Z ]{0,}OB" "ups\.status:[A-Z ]{0,}LB" "ups\.status:[A-Z ]{0,}HB" "ups\.status:[A-Z ]{0,}RB" "ups\.status:[A-Z ]{0,}CHRG" "ups\.status:[A-Z ]{0,}DISCHRG" "ups\.status:[A-Z ]{0,}BYPASS" "ups\.status:[A-Z ]{0,}CAL" "ups\.status:[A-Z ]{0,}OFF" "ups\.status:[A-Z ]{0,}OVER" "ups\.status:[A-Z ]{0,}TRIM" "ups\.status:[A-Z ]{0,}BOOST" "ups\.status:[A-Z ]{0,}FSD" "ups\.alarm:[A-Z ]"
do
UNKNOWN=$(echo "$TMP" | grep -Eo "ups\.status:")
if [ -z "$UNKNOWN" ]; then
echo "Unknown"
else
OUT=$(echo "$TMP" | grep -Eo "$value")
if [ -n "$OUT" ]; then
echo "1"
else
echo "0"
fi
fi
done
UPSTEMP="ups\.temperature: [0-9.]+"
OUT=$(echo "$TMP" | grep -Eo "$UPSTEMP" | awk '{print $2}' | LANG=C sort | head -n 1)
[ -n "$OUT" ] && echo "$OUT" || echo "Unknown"

16
initializers/oam/scripts/up2date.sh Normal file
View File

@@ -0,0 +1,16 @@
#!/bin/bash
echo "Running apt-get update"
export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes update
echo "Running apt-get dist-upgrade"
export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes dist-upgrade
echo "Running apt-get upgrade"
export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes upgrade
echo "Running apt-get purge"
export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --purge autoremove --yes
export DEBIAN_FRONTEND="noninteractive" && apt-get -qq autoclean --yes

12
initializers/packages/apply
View File

@@ -1,7 +1,7 @@
#!/bin/bash
# KNEL Package Installation
# This initializer installs required packages
# This initializer installs required packages with conditional logic
set -euo pipefail
@@ -21,6 +21,7 @@ sh /tmp/webmin-setup.sh -f && rm -f /tmp/webmin-setup.sh
curl -fsSL https://tailscale.com/install.sh | sh
# Remove unwanted packages
export DEBIAN_FRONTEND="noninteractive"
apt-get -y --purge remove \
systemd-timesyncd \
chrony \
@@ -35,7 +36,7 @@ apt-get -y --purge remove \
apt-get --purge autoremove
# Install desired packages
apt-get install -y \
apt-get -y -o Dpkg::Options::="--force-confold" install \
virt-what \
auditd \
audispd-plugins \
@@ -68,6 +69,7 @@ apt-get install -y \
command-not-found \
lldpd \
ansible-core \
salt-minion \
net-tools \
dos2unix \
gpg \
@@ -103,19 +105,19 @@ apt-get install -y \
# Kali-specific packages
if [[ $KALI_CHECK -eq 0 ]]; then
apt-get install -y \
apt-get -y -o Dpkg::Options::="--force-confold" install \
latencytop \
cockpit-tests
fi
# KVM guest specific packages
if [[ $IS_KVM_GUEST -eq 1 ]]; then
apt-get install -y qemu-guest-agent
apt-get -y install qemu-guest-agent
fi
# Physical host specific packages
if [[ $IS_PHYSICAL_HOST -gt 0 ]]; then
apt-get install -y \
apt-get -y -o Dpkg::Options::="--force-confold" install \
i7z \
thermald \
cpufrequtils \

32
initializers/postfix/apply Executable file
View File

@@ -0,0 +1,32 @@
#!/bin/bash
# KNEL Postfix Module
# Configures postfix for email delivery
set -euo pipefail
echo "Running postfix module..."
# Stop postfix
systemctl stop postfix
# Configure postfix for local mail relay
if [[ -f ./configs/postfix_generic ]]; then
cp ./configs/postfix_generic /etc/postfix/generic
postmap /etc/postfix/generic
fi
# Set postfix configuration
postconf -e "inet_protocols = ipv4"
postconf -e "inet_interfaces = 127.0.0.1"
postconf -e "mydestination = 127.0.0.1"
postconf -e "relayhost = tsys-cloudron.knel.net"
postconf -e "smtp_generic_maps = hash:/etc/postfix/generic"
# Restart postfix
systemctl start postfix
# Test mail delivery
echo "Test email from $(hostname)" | mail -s "Test from $(hostname)" root
echo "Postfix module completed"

1
initializers/postfix/configs/postfix_generic Normal file
View File

@@ -0,0 +1 @@
/.*/ tsysrootaccount@knel.net

19
initializers/salt-client/apply Executable file
View File

@@ -0,0 +1,19 @@
#!/bin/bash
# KNEL Salt Client Initializer
# Configures Salt minion for configuration management
set -euo pipefail
echo "Running Salt client initializer..."
# Configure Salt minion if configuration file exists
if [[ -f ./configs/salt-minion ]]; then
cp ./configs/salt-minion /etc/salt/minion
fi
# Enable and start Salt minion service
systemctl enable salt-minion
systemctl start salt-minion
echo "Salt client initializer completed"

51
initializers/security-hardening/apply Executable file
View File

@@ -0,0 +1,51 @@
#!/bin/bash
# KNEL Security Hardening Module
# Implements SCAP/STIG security compliance
set -euo pipefail
echo "Running security hardening module..."
# Enable auditd
systemctl --now enable auditd
# Configure sysctl security parameters
if [[ -f ./configs/sysctl-hardening.conf ]]; then
cp ./configs/sysctl-hardening.conf /etc/sysctl.d/99-security-hardening.conf
sysctl -p /etc/sysctl.d/99-security-hardening.conf
fi
# Configure core dumps
if [[ -f ./configs/security-limits.conf ]]; then
cp ./configs/security-limits.conf /etc/security/limits.d/security-lening.conf
fi
# Set file permissions
chmod 644 /etc/passwd
chmod 600 /etc/shadow
chmod 644 /etc/group
chmod 600 /etc/gshadow
# Remove dangerous packages
DEBIAN_FRONTEND="noninteractive" apt-get -y purge \
telnetd \
rsh-server \
rsh-client \
telnet \
|| true
# Install security tools
DEBIAN_FRONTEND="noninteractive" apt-get -y install \
aide \
lynis \
chkrootkit \
rkhunter \
|| true
# Initialize AIDE database
if [[ ! -f /var/lib/aide/aide.db ]]; then
aideinit
fi
echo "Security hardening module completed"

0
modules/ssh-hardening/apply → initializers/ssh-hardening/apply
View File

0
modules/ssh-hardening/configs/localuser-ssh-authorized-keys → initializers/ssh-hardening/configs/localuser-ssh-authorized-keys
View File

0
modules/ssh-hardening/configs/root-ssh-authorized-keys → initializers/ssh-hardening/configs/root-ssh-authorized-keys
View File

0
modules/ssh-hardening/configs/ssh-audit-hardening.conf → initializers/ssh-hardening/configs/ssh-audit-hardening.conf
View File

0
modules/ssh-hardening/configs/tsys-sshd-config → initializers/ssh-hardening/configs/tsys-sshd-config
View File

42
initializers/ssh-keys/apply Executable file
View File

@@ -0,0 +1,42 @@
#!/bin/bash
# KNEL SSH Keys Initializer
# Sets up SSH authorized keys for users
set -euo pipefail
echo "Running SSH keys initializer..."
# Create SSH directories
mkdir -p $ROOT_SSH_DIR
# Setup root SSH keys
if [[ -f ./configs/root-ssh-authorized-keys ]]; then
cp ./configs/root-ssh-authorized-keys $ROOT_SSH_DIR/authorized_keys
chmod 400 $ROOT_SSH_DIR/authorized_keys
chown root: $ROOT_SSH_DIR/authorized_keys
fi
# Setup localuser SSH keys
if [[ $LOCALUSER_CHECK -gt 0 ]]; then
mkdir -p $LOCALUSER_SSH_DIR
if [[ -f ./configs/localuser-ssh-authorized-keys ]]; then
cp ./configs/localuser-ssh-authorized-keys $LOCALUSER_SSH_DIR/authorized_keys
chmod 400 $LOCALUSER_SSH_DIR/authorized_keys
chown localuser $LOCALUSER_SSH_DIR/authorized_keys
fi
fi
# Setup subodev SSH keys
if [[ $SUBODEV_CHECK -gt 0 ]]; then
mkdir -p $SUBODEV_SSH_DIR
if [[ -f ./configs/localuser-ssh-authorized-keys ]]; then
cp ./configs/localuser-ssh-authorized-keys $SUBODEV_SSH_DIR/authorized_keys
chmod 400 $SUBODEV_SSH_DIR/authorized_keys
chown subodev: $SUBODEV_SSH_DIR/authorized_keys
fi
fi
echo "SSH keys initializer completed"

2
initializers/ssh-keys/configs/localuser-ssh-authorized-keys Normal file
View File

@@ -0,0 +1,2 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHaBNuLS+GYGRPc9wne63Ocr+R+/Q01Y9V0FTv0RnG3
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyMR0lFgiMKhQJ5aqy68nR0BQp1cNzi/wIThyuTV4a8 tsyscto@ultix-control

2
initializers/ssh-keys/configs/root-ssh-authorized-keys Normal file
View File

@@ -0,0 +1,2 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHaBNuLS+GYGRPc9wne63Ocr+R+/Q01Y9V0FTv0RnG3
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyMR0lFgiMKhQJ5aqy68nR0BQp1cNzi/wIThyuTV4a8 tsyscto@ultix-control

46
initializers/system-config/AuditD/auditd.conf Normal file
View File

@@ -0,0 +1,46 @@
#
# Known Element Enterprises Customized Config File
# auditd
# Initial version 2025-06-27
#
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = adm
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
name_format = NONE
max_log_file_action = keep_logs
space_left = 75
space_left_action = email
action_mail_acct = root
admin_space_left_action = halt
disk_full_action = SUSPEND
disk_error_action = SUSPEND
admin_space_left = 50
verify_email = yes
use_libwrap = yes
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_max_idle = 0
transport = TCP
distribute_network = no
q_depth = 2000
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
end_of_event_timeout = 2
##tcp_client_ports = 1024-65535
##tcp_listen_port = 60
##krb5_key_file = /etc/audit/audit.key
krb5_principal = auditd
##name = mydomain

0
classes/database/variables → initializers/system-config/AuditD/rules.d/time-change.rules
View File

5
initializers/system-config/BANNERS/issue Normal file
View File

@@ -0,0 +1,5 @@
This system is the property of Known Element Enterprises LLC.
Authorized uses only. All activity may be monitored and reported.
All activities subject to monitoring/recording/review in real time and/or at a later time.

5
initializers/system-config/BANNERS/issue.net Normal file
View File

@@ -0,0 +1,5 @@
This system is the property of Known Element Enterprises LLC.
Authorized uses only. All activity may be monitored and reported.
All activities subject to monitoring/recording/review in real time and/or at a later time.

5
initializers/system-config/BANNERS/motd Normal file
View File

@@ -0,0 +1,5 @@
This system is the property of Known Element Enterprises LLC.
Authorized uses only. All activity may be monitored and reported.
All activities subject to monitoring/recording/review in real time and/or at a later time.

2
initializers/system-config/Cockpit/disallowed-users Normal file
View File

@@ -0,0 +1,2 @@
#/etc/cockpit/disallowed-users
# List of users which are not allowed to login to Cockpit

6
initializers/system-config/DHCP/dhclient.conf Normal file
View File

@@ -0,0 +1,6 @@
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
send host-name = gethostname();
request subnet-mask, broadcast-address, time-offset, routers,
domain-name, host-name,
rfc3442-classless-static-routes;

23
initializers/system-config/Logrotate/logrotate.conf Normal file
View File

@@ -0,0 +1,23 @@
# see "man logrotate" for details
# global options do not affect preceding include directives
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create 0640 root utmp
# use date as a suffix of the rotated file
#dateext
# uncomment this if you want your log files compressed
#compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# system-specific logs may also be configured here.

1
initializers/system-config/ModProbe/cramfs.conf Normal file
View File

@@ -0,0 +1 @@
install cramfs /bin/true

1
initializers/system-config/ModProbe/dccp.conf Normal file
View File

@@ -0,0 +1 @@
install dccp /bin/true

1
initializers/system-config/ModProbe/freevxfs.conf Normal file
View File

@@ -0,0 +1 @@
install freevxfs /bin/true

1
initializers/system-config/ModProbe/hfs.conf Normal file
View File

@@ -0,0 +1 @@
install hfs /bin/true

1
initializers/system-config/ModProbe/hfsplus.conf Normal file
View File

@@ -0,0 +1 @@
install hfsplus /bin/true

1
initializers/system-config/ModProbe/jffs2.conf Normal file
View File

@@ -0,0 +1 @@
install jffs2 /bin/true

1
initializers/system-config/ModProbe/rds.conf Normal file
View File

@@ -0,0 +1 @@
install rds /bin/true

1
initializers/system-config/ModProbe/sctp.conf Normal file
View File

@@ -0,0 +1 @@
install sctp /bin/true

1
initializers/system-config/ModProbe/squashfs.conf Normal file
View File

@@ -0,0 +1 @@
install squashfs /bin/true

1
initializers/system-config/ModProbe/tipc.conf Normal file
View File

@@ -0,0 +1 @@
install tipc /bin/true

1
initializers/system-config/ModProbe/udf.conf Normal file
View File

@@ -0,0 +1 @@
install udf /bin/true

1
initializers/system-config/ModProbe/usb_storage.conf Normal file
View File

@@ -0,0 +1 @@
install usb-storage /bin/true

7
initializers/system-config/NTP/ntp.conf Normal file
View File

@@ -0,0 +1,7 @@
driftfile /var/lib/ntp/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
server pfv-netboot.knel.net
restrict 127.0.0.1
restrict ::1
interface ignore wildcard
interface listen 127.0.0.1

2
initializers/system-config/NetworkDiscovery/lldpd Normal file
View File

@@ -0,0 +1,2 @@
# Uncomment to start SNMP subagent and enable CDP, SONMP and EDP protocol
DAEMON_ARGS="-x -c -s -e"

0
modules/system-config/templates/aliases → initializers/system-config/SMTP/aliases
View File

1
initializers/system-config/SMTP/postfix_generic Normal file
View File

@@ -0,0 +1 @@
/.*/ tsysrootaccount@knel.net

1
initializers/system-config/SNMP/snmp-sudo.conf Normal file
View File

@@ -0,0 +1 @@
Debian-snmp ALL = NOPASSWD: /bin/cat

46
initializers/system-config/SNMP/snmpd-physicalhost.conf Normal file
View File

@@ -0,0 +1,46 @@
##########################################################################
# snmpd.conf
# Created by CNW on 11/3/2018 via snmpconf wizard and manual post tweaks
###########################################################################
# SECTION: Monitor Various Aspects of the Running Host
#
# disk: Check for disk space usage of a partition.
# The agent can check the amount of available disk space, and make
# sure it is above a set limit.
#
load 3 3 3
rocommunity kn3lmgmt
sysservices 76
#syslocation Rack, Room, Building, City, Country [Lat, Lon]
syslocation R4, Server Room, SITER, Pflugerville, United States
syscontact coo@turnsys.com
#NTP
extend ntp-client /usr/lib/check_mk_agent/local/ntp-client
#SMTP
extend mailq /usr/lib/check_mk_agent/local/postfix-queues
extend postfixdetailed /usr/lib/check_mk_agent/local/postfixdetailed
#OS Distribution Detection
extend distro /usr/local/bin/distro
extend osupdate /usr/lib/check_mk_agent/local/os-updates.sh
#Hardware Detection
extend manufacturer /usr/bin/sudo /usr/bin/cat /sys/devices/virtual/dmi/id/sys_vendor
extend hardware /usr/bin/sudo /usr/bin/cat /sys/devices/virtual/dmi/id/product_name
extend serial /usr/bin/sudo /usr/bin/cat /sys/devices/virtual/dmi/id/product_serial
#SMART
extend smart /usr/lib/check_mk_agent/local/smart
#Temperature
pass_persist .1.3.6.1.4.1.9.9.13.1.3 /usr/local/bin/temper-snmp
# Allow Systems Management Data Engine SNMP to connect to snmpd using SMUX
# smuxpeer .1.3.6.1.4.1.674.10892.1
# LLDP collection
master agentx

40
initializers/system-config/SNMP/snmpd-rpi.conf Normal file
View File

@@ -0,0 +1,40 @@
##########################################################################
# snmpd.conf
# Created by CNW on 11/3/2018 via snmpconf wizard and manual post tweaks
###########################################################################
# SECTION: Monitor Various Aspects of the Running Host
#
# disk: Check for disk space usage of a partition.
# The agent can check the amount of available disk space, and make
# sure it is above a set limit.
#
load 3 3 3
rocommunity kn3lmgmt
sysservices 76
#syslocation Rack, Room, Building, City, Country [Lat, Lon]
syslocation SITER, Pflugerville, United States
syscontact coo@turnsys.com
#NTP
extend ntp-client /usr/lib/check_mk_agent/local/ntp-client
#SMTP
extend mailq /usr/lib/check_mk_agent/local/postfix-queues
extend postfixdetailed /usr/lib/check_mk_agent/local/postfixdetailed
#OS Distribution Detection
extend distro /usr/local/bin/distro
extend osupdate /usr/lib/check_mk_agent/local/os-updates.sh
#Hardware Detection
extend hardware /usr/bin/sudo /usr/bin/cat /sys/firmware/devicetree/base/model
extend serial /usr/bin/sudo /usr/bin/cat /sys/firmware/devicetree/base/serial-number
# Allow Systems Management Data Engine SNMP to connect to snmpd using SMUX
# smuxpeer .1.3.6.1.4.1.674.10892.1
# LLDP collection
master agentx

44
initializers/system-config/SNMP/snmpd.conf Normal file
View File

@@ -0,0 +1,44 @@
##########################################################################
# snmpd.conf
# Created by CNW on 11/3/2018 via snmpconf wizard and manual post tweaks
###########################################################################
# SECTION: Monitor Various Aspects of the Running Host
#
# disk: Check for disk space usage of a partition.
# The agent can check the amount of available disk space, and make
# sure it is above a set limit.
#
load 3 3 3
rocommunity kn3lmgmt
sysservices 76
#syslocation Rack, Room, Building, City, Country [Lat, Lon]
syslocation R4, Server Room, SITER, Pflugerville, United States
syscontact coo@turnsys.com
#NTP
extend ntp-client /usr/lib/check_mk_agent/local/ntp-client
#SMTP
extend mailq /usr/lib/check_mk_agent/local/postfix-queues
extend postfixdetailed /usr/lib/check_mk_agent/local/postfixdetailed
#OS Distribution Detection
extend distro /usr/local/bin/distro
extend osupdate /usr/lib/check_mk_agent/local/os-updates.sh
# Socket statistics
extend ss /usr/lib/check_mk_agent/local/ss.py
#Hardware Detection
# (uncomment for x86 platforms)
extend manufacturer /usr/bin/sudo /usr/bin/cat /sys/devices/virtual/dmi/id/sys_vendor
extend hardware /usr/bin/sudo /usr/bin/cat /sys/devices/virtual/dmi/id/product_name
extend serial /usr/bin/sudo /usr/bin/cat /sys/devices/virtual/dmi/id/product_serial
# Allow Systems Management Data Engine SNMP to connect to snmpd using SMUX
# smuxpeer .1.3.6.1.4.1.674.10892.1
# LLDP collection
master agentx

2
initializers/system-config/SSH/AuthorizedKeys/localuser-ssh-authorized-keys Normal file
View File

@@ -0,0 +1,2 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHaBNuLS+GYGRPc9wne63Ocr+R+/Q01Y9V0FTv0RnG3
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyMR0lFgiMKhQJ5aqy68nR0BQp1cNzi/wIThyuTV4a8 tsyscto@ultix-control

2
initializers/system-config/SSH/AuthorizedKeys/root-ssh-authorized-keys Normal file
View File

@@ -0,0 +1,2 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHaBNuLS+GYGRPc9wne63Ocr+R+/Q01Y9V0FTv0RnG3
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyMR0lFgiMKhQJ5aqy68nR0BQp1cNzi/wIThyuTV4a8 tsyscto@ultix-control

19
initializers/system-config/SSH/Configs/ssh-audit-hardening.conf Normal file
View File

@@ -0,0 +1,19 @@
# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
# hardening guide.
KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
RequiredRSASize 3072
CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256

20
initializers/system-config/SSH/Configs/tsys-sshd-config Normal file
View File

@@ -0,0 +1,20 @@
Include /etc/ssh/sshd_config.d/*.conf
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
KbdInteractiveAuthentication no
PrintMotd no
PasswordAuthentication no
AllowTcpForwarding no
X11Forwarding no
ChallengeResponseAuthentication no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
Banner /etc/issue.net
MaxAuthTries 2
MaxStartups 10:30:100
PermitRootLogin prohibit-password
ClientAliveInterval 300
ClientAliveCountMax 3
AllowUsers root localuser subodev
LoginGraceTime 60

0
modules/system-config/templates/rsyslog.conf → initializers/system-config/Syslog/rsyslog.conf
View File

31
initializers/system-config/Systemd/journald.conf Normal file
View File

@@ -0,0 +1,31 @@
[Journal]
#Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitIntervalSec=30s
#RateLimitBurst=10000
#SystemMaxUse=
#SystemKeepFree=
#SystemMaxFileSize=
#SystemMaxFiles=100
#RuntimeMaxUse=
#RuntimeKeepFree=
#RuntimeMaxFileSize=
#RuntimeMaxFiles=100
#MaxRetentionSec=
#MaxFileSec=1month
#ForwardToSyslog=yes
#ForwardToKMsg=no
#ForwardToConsole=no
#ForwardToWall=yes
#TTYPath=/dev/console
#MaxLevelStore=debug
#MaxLevelSyslog=debug
#MaxLevelKMsg=notice
#MaxLevelConsole=info
#MaxLevelWall=emerg
#LineMax=48K
#ReadKMsg=yes
#Audit=no
Storage=persistent

0
modules/system-config/templates/zshrc → initializers/system-config/ZSH/tsys-zshrc
View File

96
initializers/system-config/apply Executable file
View File

@@ -0,0 +1,96 @@
#!/bin/bash
# KNEL System Configuration Initializer
# Applies system-wide configuration files with conditional logic
set -euo pipefail
echo "Running system configuration initializer..."
# Create necessary directories
mkdir -p $ROOT_SSH_DIR
# Deploy system configuration files from copied templates
if [[ -f ./ConfigFiles/ZSH/tsys-zshrc ]]; then
cp ./ConfigFiles/ZSH/tsys-zshrc /etc/zshrc
fi
if [[ -f ./ConfigFiles/SMTP/aliases ]]; then
cp ./ConfigFiles/SMTP/aliases /etc/aliases
newaliases
fi
if [[ -f ./ConfigFiles/Syslog/rsyslog.conf ]]; then
cp ./ConfigFiles/Syslog/rsyslog.conf > /etc/rsyslog.conf
fi
# Configure DHCP client
if [[ -f ./ConfigFiles/DHCP/dhclient.conf ]]; then
cp ./ConfigFiles/DHCP/dhclient.conf > /etc/dhcp/dhclient.conf
fi
# Configure SNMP
systemctl stop snmpd 2>/dev/null || true
/etc/init.d/snmpd stop 2>/dev/null || true
if [[ -f ./ConfigFiles/SNMP/snmp-sudo.conf ]]; then
cp ./ConfigFiles/SNMP/snmp-sudo.conf > /etc/sudoers.d/Debian-snmp
fi
# Adjust SNMP service for log verbosity
sed -i "s|-Lsd|-LS6d|" /lib/systemd/system/snmpd.service
# Configure SNMP based on system type (with pi-detect)
if command -v vcgencmd >/dev/null 2>&1; then
export IS_RASPI="1"
else
export IS_RASPI="0"
fi
if [[ $IS_RASPI -eq 1 ]] && [[ -f ./ConfigFiles/SNMP/snmpd-rpi.conf ]]; then
cp ./ConfigFiles/SNMP/snmpd-rpi.conf /etc/snmp/snmpd.conf
elif [[ $IS_PHYSICAL_HOST -eq 1 ]] && [[ -f ./ConfigFiles/SNMP/snmpd-physicalhost.conf ]]; then
cp ./ConfigFiles/SNMP/snmpd-physicalhost.conf /etc/snmp/snmpd.conf
elif [[ $IS_VIRT_GUEST -eq 1 ]] && [[ -f ./ConfigFiles/SNMP/snmpd.conf ]]; then
cp ./ConfigFiles/SNMP/snmpd.conf /etc/snmp/snmpd.conf
fi
# Configure lldpd
if [[ -f ./ConfigFiles/NetworkDiscovery/lldpd ]]; then
cp ./ConfigFiles/NetworkDiscovery/lldpd /etc/default/lldpd
systemctl restart lldpd
fi
# Configure Cockpit
if [[ -f ./ConfigFiles/Cockpit/disallowed-users ]]; then
cp ./ConfigFiles/Cockpit/disallowed-users /etc/cockpit/disallowed-users
systemctl restart cockpit
fi
# Configure NTP for non-NTP servers
if [[ $NTP_SERVER_CHECK -eq 0 ]] && [[ -f ./ConfigFiles/NTP/ntp.conf ]]; then
cp ./ConfigFiles/NTP/ntp.conf /etc/ntpsec/ntp.conf
systemctl restart ntpsec.service
fi
# Always install rsyslog (removed librenms conditional)
DEBIAN_FRONTEND="noninteractive" apt-get -qq --yes -o Dpkg::Options::="--force-confold" install rsyslog
systemctl stop rsyslog
systemctl start rsyslog
# Reload systemd and restart SNMP
systemctl daemon-reload
systemctl restart snmpd 2>/dev/null || true
/etc/init.d/snmpd restart 2>/dev/null || true
# Performance tuning based on system type
if [[ $IS_PHYSICAL_HOST -gt 0 ]]; then
cpufreq-set -r -g performance
cpupower frequency-set --governor performance
fi
if [[ $IS_VIRT_GUEST -eq 1 ]]; then
tuned-adm profile virtual-guest
fi
echo "System configuration initializer completed"

3
initializers/system-config/templates/aliases Normal file
View File

@@ -0,0 +1,3 @@
# See man 5 aliases for format
postmaster: root
root: coo@turnsys.com

Some files were not shown because too many files have changed in this diff Show More