OAM / security hardending is my entire next week. laying the groundwork.

ConfigFiles/SNMP/snmpd-physicalhost.conf

@@ -37,6 +37,9 @@ extend serial /usr/bin/sudo /usr/bin/cat /sys/devices/virtual/dmi/id/product_ser
 #SMART
 extend smart /bin/cat /var/cache/smart
 
+#Temperature
+pass_persist    .1.3.6.1.4.1.9.9.13.1.3 /usr/local/bin/temper-snmp
+
 
 # Allow Systems Management Data Engine SNMP to connect to snmpd using SMUX
 # smuxpeer .1.3.6.1.4.1.674.10892.1

Modules/Security/secharden-wazuh copy.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# We don't want to run this on the wazuh server, otherwise bad things happen...
+
+export TSYS_NSM_CHECK
+TSYS_NSM_CHECK="$(hostname |grep -c tsys-nsm ||true)"
+
+if [ "$TSYS_NSM_CHECK" -eq 0 ]; then
+
+curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
+echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list
+apt-get update
+WAZUH_MANAGER="tsys-nsm.knel.net" apt-get -y install wazuh-agent
+systemctl daemon-reload
+systemctl enable wazuh-agent
+systemctl start wazuh-agent
+echo "wazuh-agent hold" | dpkg --set-selections
+
+fi

Modules/Security/secharden-wazuh.sh

@@ -6,14 +6,9 @@ export TSYS_NSM_CHECK
 TSYS_NSM_CHECK="$(hostname |grep -c tsys-nsm ||true)"
 
 if [ "$TSYS_NSM_CHECK" -eq 0 ]; then
-
-curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
-echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list
-apt-get update
-WAZUH_MANAGER="tsys-nsm.knel.net" apt-get -y install wazuh-agent
-systemctl daemon-reload
-systemctl enable wazuh-agent
-systemctl start wazuh-agent
-echo "wazuh-agent hold" | dpkg --set-selections
-
+echo "stub... installing agent..."
+fi
+
+if [ "$TSYS_NSM_CHECK" -ne 0 ]; then
+echo "stub... NOT installing agent... NO BAD THINGS..."
 fi

SetupNewSystem.sh

@@ -90,9 +90,17 @@ curl --silent ${DL_ROOT}/scripts/up2date.sh > /usr/local/bin/up2date.sh && chmod
 
 echo "Setting up librenms agent..."
 
-rm -rf /usr/local/librenms-agent || true
-curl --silent ${DL_ROOT}/Agents/librenms.tar.gz > /usr/local/librenms.tar.gz
-cd /usr/local && tar xfz librenms.tar.gz && rm -f /usr/local/librenms.tar.gz
+if [ ! -d /usr/local/librenms-agent ]; then
+mkdir -p /usr/local/librenms-agent
+fi
+
+curl --silent ${DL_ROOT}/Agents/librenms/ntp-client.sh > /usr/local/librenms-agent/ntp-client.sh
+curl --silent ${DL_ROOT}/Agents/librenms/ntp-server.sh > /usr/local/librenms-agent/ntp-server.sh
+curl --silent ${DL_ROOT}/Agents/librenms/os-updates.sh > /usr/local/librenms-agent/os-updates.sh
+curl --silent ${DL_ROOT}/Agents/librenms/postfixdetailed.sh > /usr/local/librenms-agent/postfixdetailed.sh
+curl --silent ${DL_ROOT}/Agents/librenms/postfix-queues.sh > /usr/local/librenms-agent/postfixdetailed.sh
+curl --silent ${DL_ROOT}/Agents/librenms/smart > /usr/local/librenms-agent/smart
+curl --silent ${DL_ROOT}/Agents/librenms/smart.config > /usr/local/librenms-agent/smart.config
 
 echo Completed running "$FUNCNAME"
 

librenms/distro

@@ -1,114 +0,0 @@
-#!/usr/bin/env bash
-# Detects which OS and if it is Linux then it will detect which Linux Distribution.
-
-OS=`uname -s`
-REV=`uname -r`
-MACH=`uname -m`
-
-if [ "${OS}" = "SunOS" ] ; then
-  OS=Solaris
-  ARCH=`uname -p`
-  OSSTR="${OS} ${REV}(${ARCH} `uname -v`)"
-
-elif [ "${OS}" = "AIX" ] ; then
-  OSSTR="${OS} `oslevel` (`oslevel -r`)"
-
-elif [ "${OS}" = "Linux" ] ; then
-  KERNEL=`uname -r`
-
-  if [ -f /etc/fedora-release ]; then
-    DIST=$(cat /etc/fedora-release | awk '{print $1}')
-    REV=`cat /etc/fedora-release | sed s/.*release\ // | sed s/\ .*//`
-        
-  elif [ -f /etc/redhat-release ] ; then
-    DIST=$(cat /etc/redhat-release | awk '{print $1}')
-    if [ "${DIST}" = "CentOS" ]; then
-      DIST="CentOS"
-    elif [ "${DIST}" = "Mandriva" ]; then
-      DIST="Mandriva"
-      PSEUDONAME=`cat /etc/mandriva-release | sed s/.*\(// | sed s/\)//`
-      REV=`cat /etc/mandriva-release | sed s/.*release\ // | sed s/\ .*//`
-    elif [ -f /etc/oracle-release ]; then
-      DIST="Oracle"
-    else
-      DIST="RedHat"
-    fi
-
-    PSEUDONAME=`cat /etc/redhat-release | sed s/.*\(// | sed s/\)//`
-    REV=`cat /etc/redhat-release | sed s/.*release\ // | sed s/\ .*//`
-
-  elif [ -f /etc/mandrake-release ] ; then
-    DIST='Mandrake'
-    PSEUDONAME=`cat /etc/mandrake-release | sed s/.*\(// | sed s/\)//`
-    REV=`cat /etc/mandrake-release | sed s/.*release\ // | sed s/\ .*//`
-
-  elif [ -f /etc/devuan_version ] ; then
-    DIST="Devuan `cat /etc/devuan_version`"
-    REV=""
-
-  elif [ -f /etc/debian_version ] ; then
-    DIST="Debian `cat /etc/debian_version`"
-    REV=""
-    ID=`lsb_release -i | awk -F ':' '{print $2}' | sed 's/	//g'`
-    if [ "${ID}" = "Raspbian" ] ; then
-      DIST="Raspbian `cat /etc/debian_version`"
-    fi
-
-  elif [ -f /etc/gentoo-release ] ; then
-    DIST="Gentoo"
-    REV=$(tr -d '[[:alpha:]]' </etc/gentoo-release | tr -d " ")
-
-  elif [ -f /etc/arch-release ] ; then
-    DIST="Arch Linux"
-    REV="" # Omit version since Arch Linux uses rolling releases
-    IGNORE_LSB=1 # /etc/lsb-release would overwrite $REV with "rolling"
-
-  elif [ -f /etc/os-release ] ; then
-    DIST=$(grep '^NAME=' /etc/os-release | cut -d= -f2- | tr -d '"')
-    REV=$(grep '^VERSION_ID=' /etc/os-release | cut -d= -f2- | tr -d '"')
-
-  elif [ -f /etc/openwrt_version ] ; then
-    DIST="OpenWrt"
-    REV=$(cat /etc/openwrt_version)
-
-  elif [ -f /etc/pld-release ] ; then
-    DIST=$(cat /etc/pld-release)
-    REV=""
-
-  elif [ -f /etc/SuSE-release ] ; then
-    DIST=$(echo SLES $(grep VERSION /etc/SuSE-release | cut -d = -f 2 | tr -d " "))
-    REV=$(echo SP$(grep PATCHLEVEL /etc/SuSE-release | cut -d = -f 2 | tr -d " "))
-  fi
-
-  if [ -f /etc/lsb-release -a "${IGNORE_LSB}" != 1 ] ; then
-    LSB_DIST=$(lsb_release -si)
-    LSB_REV=$(lsb_release -sr)
-    if [ "$LSB_DIST" != "" ] ; then
-      DIST=$LSB_DIST
-    fi
-    if [ "$LSB_REV" != "" ] ; then
-      REV=$LSB_REV
-    fi
-  fi
-
-  if [ "`uname -a | awk '{print $(NF)}'`" = "DD-WRT" ] ; then
-    DIST="dd-wrt"
-  fi
-
-  if [ -n "${REV}" ]
-  then
-    OSSTR="${DIST} ${REV}"
-  else
-    OSSTR="${DIST}"
-  fi
-
-elif [ "${OS}" = "Darwin" ] ; then
-  if [ -f /usr/bin/sw_vers ] ; then
-    OSSTR=`/usr/bin/sw_vers|grep -v Build|sed 's/^.*:.//'| tr "\n" ' '`
-  fi
-
-elif [ "${OS}" = "FreeBSD" ] ; then
-  OSSTR=`/usr/bin/uname -mior`
-fi
-
-echo ${OSSTR}

librenms/snmpd.conf

@@ -1,32 +0,0 @@
-##########################################################################
-# snmpd.conf
-# Created by CNW on 11/3/2018 via snmpconf wizard and manual post tweaks
-###########################################################################
-# SECTION: Monitor Various Aspects of the Running Host
-#
-#   The following check up on various aspects of a host.
-
-# disk: Check for disk space usage of a partition.
-#   The agent can check the amount of available disk space, and make
-#   sure it is above a set limit.  
-#   
-load  3 3 3
-rocommunity  kn3lmgmt 10.253.3.99
-syslocation PFV
-syscontact  prodtechopsalerts@turnsys.com
-sysservices 76
-
-
-#TSYS tweaks
-#Temperature
-#pass_persist    .1.3.6.1.4.1.9.9.13.1.3 /usr/local/bin/temper-snmp
-#Smart
-extend smart /usr/local/librenms/smart
-#NTP
-extend ntp-client /usr/local/librenms/ntp-client.sh
-#SMTP
-extend mailq /usr/local/librenms/postfix-queues
-#Distro Detection
-extend .1.3.6.1.4.1.2021.7890.1 distro /usr/local/librenms/distro
-#extend zfs /usr/local/bin/zfs
-extend osupdate /usr/local/librenms/os-updates.sh