* [PATCH] zabbix_agentd: v6.0.27 + ovpn certificate checks
@ 2024-02-28 18:58 Robin Roevens
From: Robin Roevens @ 2024-02-28 18:58 UTC (permalink / raw)
To: development
Hi all
A new version of the Zabbix Agent addon fixing a bug and improving
logfile reading performance with regex.
Added IPFire specific functionality: Checking and validating OpenVPN
Client, server and CA certificates.
Patch 1: Zabbix agent version update
Patch 2: Helper script for added openvpn certificate items
Patch 3: Actual configuration of agent for new certificate checking
functionality
Zabbix agentd wiki entry will be updated after merge.
Regards
Robin
--
This message has been scanned for viruses and other dangerous
content by MailScanner and appears to be clean.
* [PATCH 1/3] zabbix_agentd: Update to 6.0.27 (LTS)
From: Robin Roevens @ 2024-02-28 18:58 UTC (permalink / raw)
To: development
- Update from version 6.0.22 to 6.0.27
- Update of rootfile not required
Bugs fixed:
- ZBX-23715: Fixed persistent directory path not following symlinks upon creation
- ZBX-22933: Improved vfs.file.regmatch and vfs.file.regexp items to use buffered file read
Full changelogs since 6.0.22:
- https://www.zabbix.com/rn/rn6.0.23
- https://www.zabbix.com/rn/rn6.0.24
- https://www.zabbix.com/rn/rn6.0.25
- https://www.zabbix.com/rn/rn6.0.26
- https://www.zabbix.com/rn/rn6.0.27
---
lfs/zabbix_agentd | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
index 0033d9a2c..65e111d2f 100644
--- a/lfs/zabbix_agentd
+++ b/lfs/zabbix_agentd
@@ -26,7 +26,7 @@ include Config
SUMMARY = Zabbix Agent
-VER = 6.0.22
+VER = 6.0.27
THISAPP = zabbix-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = zabbix_agentd
-PAK_VER = 11
+PAK_VER = 12
DEPS = fping
@@ -48,7 +48,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = bba7911a24b00827c58d84938b5786d07f1eb44cbcad94cddf68b484ac9a2f514beb60225d006b8cefc5bbf92e51da27f26d9f6681e10f6322ed0841394e8d9d
+$(DL_FILE)_BLAKE2 = 793bb887bd8f0d3c2f3d15a4ed9bb5b1fcfb13fcf80ea077672744a1bd8524e213eaf53291e0f9eecb9eb055fee6f1e29e91f890b54698906beac21ca54db4e9
install : $(TARGET)
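Review bot: The new `$(DL_FILE)_BLAKE2` value for zabbix-6.0.27.tar.gz should be cross-checked against a checksum computed from the upstream release tarball before that tarball is placed on the mirror, since `DL_FROM = $(URL_IPFIRE)` means the build fetches from the IPFire mirror rather than from zabbix.com; the commit message links the release notes but does not say where the hash was taken from, and stating that provenance (e.g. "hash computed from the upstream tarball") would help future reviewers of version bumps.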
--
2.43.0
* [PATCH 2/3] zabbix_agentd: Add helper script to get and verify certificate details
From: Robin Roevens @ 2024-02-28 18:58 UTC (permalink / raw)
To: development
Add script to parse openssl output on certificates and return it as JSON for consumption by the Zabbix agent.
---
.../ipfire_certificate_detail.sh | 91 +++++++++++++++++++
1 file changed, 91 insertions(+)
create mode 100755 config/zabbix_agentd/ipfire_certificate_detail.sh
diff --git a/config/zabbix_agentd/ipfire_certificate_detail.sh b/config/zabbix_agentd/ipfire_certificate_detail.sh
new file mode 100755
index 000000000..9ca0ef5de
--- /dev/null
+++ b/config/zabbix_agentd/ipfire_certificate_detail.sh
@@ -0,0 +1,91 @@
+#!/bin/bash
+###############################################################################
+# ipfire_certificate_detail.sh - Get certificate details and validation results
+# in JSON format for use by Zabbix agent
+#
+# Author: robin.roevens (at) disroot.org
+# Version: 1.0
+#
+# Copyright (C) 2007-2024 IPFire Team <info(a)ipfire.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+###############################################################################
+
+# Required binaries
+OPENSSL=/usr/bin/openssl
+DATE=/bin/date
+
+# Parameter checking
+[[ $1 ]] || { echo "{\"error\":\"No CA certificate file given.\"}"; exit 1; }
+[[ -f $1 ]] || { echo "{\"error\":\"CA certificate not found: $1.\"}"; exit 1; }
+[[ -r $1 ]] || { echo "{\"error\":\"No read permission on CA certificate: $1.\"}"; exit 1; }
+[[ $2 ]] || { echo "{\"error\":\"No certificate file given.\"}"; exit 1; }
+[[ -f $2 ]] || { echo "{\"error\":\"Certificate not found: $2.\"}"; exit 1; }
+[[ -r $2 ]] || { echo "{\"error\":\"No read permission on certificate $2.\"}"; exit 1; }
+[[ -x $OPENSSL ]] || { echo "{\"error\":\"$OPENSSL binary not found or no permission.\"}"; exit 1; }
+[[ -x $DATE ]] || { echo "{\"error\":\"$DATE binary not found or no permission.\"}"; exit 1; }
+
+cafile=$1
+cert=$2
+
+# Parse certificate details
+cert_details=$(${OPENSSL} x509 -in "${cert}" -noout -text -certopt no_header,no_sigdump)
+version=$(echo "${cert_details}" | grep "Version:" | sed 's/^ \+Version: \([0-9]\+\) (.\+)$/\1/g')
+serial_number=$(echo "${cert_details}" | grep -A1 "Serial Number:" | tr -d '\n' | sed 's/^ \+Serial Number:\(\( \(.*\) ([0-9]\+x[0-9]\+).*\)\|\( \+\(.*\)$\)\)/\3\5/g')
+signature_algorithm=$(echo "${cert_details}" | grep "Signature Algorithm:" | sed 's/^ \+Signature Algorithm: //g')
+issuer=$(echo "${cert_details}" | grep "Issuer:" | sed 's/^ \+Issuer: //g' | sed 's/"/\\"/g')
+not_before_value=$(echo "${cert_details}" | grep "Not Before:" | sed 's/^ \+Not Before: //g')
+not_before_timestamp=$(${DATE} -d "${not_before_value}" +%s)
+not_after_value=$(echo "${cert_details}" | grep "Not After :" | sed 's/^ \+Not After : //g')
+not_after_timestamp=$(${DATE} -d "${not_after_value}" +%s)
+subject=$(echo "${cert_details}" | grep "Subject:" | sed 's/^ \+Subject: //g' | sed 's/"/\\"/g')
+public_key_algorithm=$(echo "${cert_details}" | grep "Public Key Algorithm:" | sed 's/^ \+Public Key Algorithm: //g')
+
+# Verify certificate
+cert_verify=$(${OPENSSL} verify -CAfile "${cafile}" "${cert}" 2>&1)
+if [[ $? != 0 ]]; then
+ result_value="invalid"
+ result_message="failed to verify certificate: x509: $(echo "${cert_verify}" | grep -E "error [0-9]+" | sed 's/^.\+: \(.\+\)/\1/g')"
+else
+ result_value="valid"
+ result_message="certificate verified successfully"
+fi
+
+# Generate fingerprints
+sha1_fingerprint=$(${OPENSSL} x509 -in "${cert}" -noout -fingerprint -sha1 | cut -d= -f2)
+sha256_fingerprint=$(${OPENSSL} x509 -in "${cert}" -noout -fingerprint -sha256 | cut -d= -f2)
+
+# Print certificate details in JSON
+echo -n "{\"x509\":{"
+echo -n "\"version\":\"${version}\","
+echo -n "\"serial_number\":\"${serial_number}\","
+echo -n "\"signature_algorithm\":\"${signature_algorithm}\","
+echo -n "\"issuer\":\"${issuer}\","
+echo -n "\"not_before\":{"
+echo -n "\"value\":\"${not_before_value}\","
+echo -n "\"timestamp\":\"${not_before_timestamp}\"},"
+echo -n "\"not_after\":{"
+echo -n "\"value\":\"${not_after_value}\","
+echo -n "\"timestamp\":\"${not_after_timestamp}\"},"
+echo -n "\"subject\":\"${subject}\","
+echo -n "\"public_key_algorithm\":\"${public_key_algorithm}\"},"
+echo -n "\"result\":{"
+echo -n "\"value\":\"${result_value}\","
+echo -n "\"message\":\"${result_message}\"},"
+echo -n "\"sha1_fingerprint\":\"${sha1_fingerprint}\","
+echo -n "\"sha256_fingerprint\":\"${sha256_fingerprint}\""
+echo -n "}"
+
+exit 0
\ No newline at end of file
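Review bot: The JSON escaping is incomplete: `issuer` and `subject` only go through `sed 's/"/\\"/g'`, so a backslash or control character in a DN component breaks the output, and `result_message` interpolates the raw `openssl verify` error text with no escaping at all, so an unexpected error string yields invalid JSON that the agent-side JSON preprocessing will reject. Suggest passing every string field through one helper that escapes backslashes first and then double quotes, or emitting the object with a JSON-aware tool. Two smaller points: `openssl verify -CAfile "${cafile}" "${cert}"` performs no revocation check, so a client certificate that has been revoked still reports `"valid"`; if the OpenVPN CRL is available on the system, adding `-CRLfile <crl> -crl_check` would make that case show as invalid. And the `if [[ $? != 0 ]]` after the command substitution works but `if ! cert_verify=$(...); then` reads more clearly; the file should also end with a trailing newline.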
--
2.43.0
* [PATCH 3/3] zabbix_agentd: Add OpenVPN certificates items
From: Robin Roevens @ 2024-02-28 18:58 UTC (permalink / raw)
To: development
- Adds Zabbix Agent userparameters `ipfire.ovpn.clientcert` and `ipfire.ovpn.cacert` for the agent to get details about openvpn client, server and ca certificates.
- Moves all `ipfire.ovpn.*` userparameters to a separate config file `userparameter_ovpn.conf` to enable users to selectively disable openvpn items when not needed
- Includes `ipfire_certificate_detail.sh` script in sudoers for Zabbix Agent as it needs root permission to read openvpn certificate details.
- Adapts lfs install script to install new script and config file
- Adds new script and config file to rootfiles
---
config/rootfiles/packages/zabbix_agentd | 3 +++
config/zabbix_agentd/sudoers | 1 +
config/zabbix_agentd/userparameter_ipfire.conf | 8 +-------
config/zabbix_agentd/userparameter_ovpn.conf | 13 +++++++++++++
lfs/zabbix_agentd | 7 +++++++
5 files changed, 25 insertions(+), 7 deletions(-)
create mode 100644 config/zabbix_agentd/userparameter_ovpn.conf
diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd
index 729a47ac6..8e10cb4c8 100644
--- a/config/rootfiles/packages/zabbix_agentd
+++ b/config/rootfiles/packages/zabbix_agentd
@@ -20,3 +20,6 @@ var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf
var/ipfire/zabbix_agentd/userparameters
var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf
var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf
+var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf
+var/ipfire/zabbix_agentd/scripts
+var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh
diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers
index d93ec5d55..138c75635 100644
--- a/config/zabbix_agentd/sudoers
+++ b/config/zabbix_agentd/sudoers
@@ -9,3 +9,4 @@
#
Defaults:zabbix !requiretty
zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/sbin/fping, /usr/local/bin/getipstat, /bin/cat /var/run/ovpnserver.log
+zabbix ALL=(ALL) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh
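Review bot: The new rule `zabbix ALL=(ALL) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh` has no argument restriction, so the zabbix user can run the script as root against any two paths, not only the OpenVPN files it is meant for. Since the script only needs root to read under /var/ipfire/ovpn, consider `(root)` instead of `(ALL)` (the existing line above has the same pattern, but there is no reason to allow running as arbitrary users), and pinning at least the CA argument in the sudoers entry, e.g. `... ipfire_certificate_detail.sh /var/ipfire/ovpn/ca/cacert.pem *`, so the grant is scoped to the intended use.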
diff --git a/config/zabbix_agentd/userparameter_ipfire.conf b/config/zabbix_agentd/userparameter_ipfire.conf
index ba0c6c2ca..d2d0c8307 100644
--- a/config/zabbix_agentd/userparameter_ipfire.conf
+++ b/config/zabbix_agentd/userparameter_ipfire.conf
@@ -9,10 +9,4 @@ UserParameter=ipfire.net.fw.hits.raw,sudo /usr/local/bin/getipstat -xf | grep "/
# Number of currently Active DHCP leases
UserParameter=ipfire.dhcpd.clients,grep -s -E 'lease|bind' /var/state/dhcp/dhcpd.leases | sed ':a;/{$/{N;s/\n//;ba}' | grep "state active" | wc -l
# Number of Captive Portal clients
-UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients
-# Discovery of configured ovpn clients
-UserParameter=ipfire.ovpn.clients.discovery,cat /var/ipfire/ovpn/ovpnconfig 2>/dev/null | awk -F',' 'BEGIN { ORS = ""; print "[" } { printf "%s{\"{#NAME}\":\"%s\",\"{#COMMONNAME}\":\"%s\",\"{#STATE}\":\"%s\",\"{#REMARK}\":\"%s\",\"{#TYPE}\":\"%s\"}", separator, $3, $4, $2, $27, $5; separator = ","; } END { print "]" }'
-# Get OpenVPN status report
-UserParameter=ipfire.ovpn.statusreport.get,sudo cat /var/run/ovpnserver.log 2>/dev/null | awk -F"," 'function unixtime(t) { gsub(/[-:]/," ",t); return mktime(t) } BEGIN { ORS = ""; print "{" } /^Updated,.+/ { printf "\"timestamp\":%s,\"clients\":[",unixtime($2) } /^.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,[0-9]+,[0-9]+,.+/ { if ($1 != "Common Name") { printf "%s{\"common_name\":\"%s\",\"real_address\":\"%s\",\"bytes_in\":\"%s\",\"bytes_out\":\"%s\",\"connected_since\":\"%s\"}", separator, $1, $2, $3, $4, unixtime($5); separator = ","; } } /^ROUTING TABLE/ { print "],\"routing_table\":["; separator = "" } /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,.+/ { if ($1 != "Virtual Address") { printf "%s{\"common_name\":\"%s\",\"virtual_address\":\"%s\",\"real_address\":\"%s\",\"last_ref\":\"%s\"}", separator, $2, $1, $3, unixtime($4); separator = "," } } END { print "]}" }'
-# Allow item key to be called with (unused) parameters. This allows the #SINGLETON method of discovering this item only when openvpn service is active
-Alias=ipfire.ovpn.statusreport.get[]:ipfire.ovpn.statusreport.get
\ No newline at end of file
+UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients
\ No newline at end of file
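Review bot: The `ipfire.captive.clients` line is removed and re-added unchanged only because the file has no trailing newline (both `\ No newline at end of file` markers); ending the file with a newline would shrink this hunk to the pure removal of the ovpn items and keep the blame history of the captive-portal line intact.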
diff --git a/config/zabbix_agentd/userparameter_ovpn.conf b/config/zabbix_agentd/userparameter_ovpn.conf
new file mode 100644
index 000000000..a7a6d8535
--- /dev/null
+++ b/config/zabbix_agentd/userparameter_ovpn.conf
@@ -0,0 +1,13 @@
+# Parameters for monitoring IPFire OpenVPN specific metrics
+#
+# Discovery of configured ovpn clients
+UserParameter=ipfire.ovpn.clients.discovery,cat /var/ipfire/ovpn/ovpnconfig 2>/dev/null | awk -F',' 'BEGIN { ORS = ""; print "[" } { printf "%s{\"{#NAME}\":\"%s\",\"{#COMMONNAME}\":\"%s\",\"{#STATE}\":\"%s\",\"{#REMARK}\":\"%s\",\"{#TYPE}\":\"%s\"}", separator, $3, $4, $2, $27, $5; separator = ","; } END { print "]" }'
+# Get OpenVPN status report
+UserParameter=ipfire.ovpn.statusreport.get,sudo cat /var/run/ovpnserver.log 2>/dev/null | awk -F"," 'function unixtime(t) { gsub(/[-:]/," ",t); return mktime(t) } BEGIN { ORS = ""; print "{" } /^Updated,.+/ { printf "\"timestamp\":%s,\"clients\":[",unixtime($2) } /^.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,[0-9]+,[0-9]+,.+/ { if ($1 != "Common Name") { printf "%s{\"common_name\":\"%s\",\"real_address\":\"%s\",\"bytes_in\":\"%s\",\"bytes_out\":\"%s\",\"connected_since\":\"%s\"}", separator, $1, $2, $3, $4, unixtime($5); separator = ","; } } /^ROUTING TABLE/ { print "],\"routing_table\":["; separator = "" } /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,.+/ { if ($1 != "Virtual Address") { printf "%s{\"common_name\":\"%s\",\"virtual_address\":\"%s\",\"real_address\":\"%s\",\"last_ref\":\"%s\"}", separator, $2, $1, $3, unixtime($4); separator = "," } } END { print "]}" }'
+# Get OpenVPN client certificate details
+UserParameter=ipfire.ovpn.clientcert[*],sudo /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh /var/ipfire/ovpn/ca/cacert.pem /var/ipfire/ovpn/certs/$1cert.pem
+UserParameter=ipfire.ovpn.cacert,sudo /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh /var/ipfire/ovpn/ca/cacert.pem /var/ipfire/ovpn/ca/cacert.pem
+
+# Allow item key to be called with (unused) parameters. This allows the #SINGLETON method of discovering this item only when openvpn service is active
+Alias=ipfire.ovpn.statusreport.get[]:ipfire.ovpn.statusreport.get
+Alias=ipfire.ovpn.cacert[]:ipfire.ovpn.cacert
\ No newline at end of file
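Review bot: `ipfire.ovpn.clientcert[*]` appends the item parameter straight into a path (`/var/ipfire/ovpn/certs/$1cert.pem`) that is then opened as root via sudo, and nothing in this file or in the helper script restricts `$1` to a bare client name; an empty parameter resolves to `certs/cert.pem` and a parameter containing `/` or `..` resolves outside the certs directory. Suggest validating the name before use (reject empty values and anything other than the expected client-name characters), either in the script or by documenting here that the agent's user-parameter filtering is relied upon. Two minor points: `ipfire.ovpn.cacert` passes cacert.pem as both CA and certificate, so it checks only self-signature and validity period, which is fine for a root CA but worth saying in the comment; and the file should end with a trailing newline.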
diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
index 65e111d2f..5f274c309 100644
--- a/lfs/zabbix_agentd
+++ b/lfs/zabbix_agentd
@@ -110,6 +110,13 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
/var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf
install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ipfire.conf \
/var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf
+ install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ovpn.conf \
+ /var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf
+
+ # Install IPFire-specific Zabbix Agent scripts
+ -mkdir -pv /var/ipfire/zabbix_agentd/scripts
+ install -v -m 755 $(DIR_SRC)/config/zabbix_agentd/ipfire_certificate_detail.sh \
+ /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh
# Create directory for additional agent modules
-mkdir -pv /usr/lib/zabbix
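Review bot: The script is installed with `install -v -m 755` into /var/ipfire/zabbix_agentd/scripts; because the sudoers rule lets the zabbix user execute it as root, the file and directory must stay root-owned and not writable by the zabbix user, which the build does as root, but a mode of 750 would be sufficient since only root (via sudo) needs to execute it. Otherwise the `-mkdir -pv` plus `install` pair matches the existing convention in this target.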
--
2.43.0
* Re: [PATCH 1/3] zabbix_agentd: Update to 6.0.27 (LTS)
From: Adolf Belka @ 2024-02-28 19:46 UTC (permalink / raw)
To: development
Reviewed-by: Adolf Belka <adolf.belka(a)ipfire.org>
On 28/02/2024 19:58, Robin Roevens wrote:
> - Update from version 6.0.22 to 6.0.27
> - Update of rootfile not required
>
> Bugs fixed:
> - ZBX-23715: Fixed persistent directory path not following symlinks upon creation
> - ZBX-22933: Improved vfs.file.regmatch and vfs.file.regexp items to use buffered file read
>
> Full changelogs since 6.0.22:
> - https://www.zabbix.com/rn/rn6.0.23
> - https://www.zabbix.com/rn/rn6.0.24
> - https://www.zabbix.com/rn/rn6.0.25
> - https://www.zabbix.com/rn/rn6.0.26
> - https://www.zabbix.com/rn/rn6.0.27
> ---
> lfs/zabbix_agentd | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
> index 0033d9a2c..65e111d2f 100644
> --- a/lfs/zabbix_agentd
> +++ b/lfs/zabbix_agentd
> @@ -26,7 +26,7 @@ include Config
>
> SUMMARY = Zabbix Agent
>
> -VER = 6.0.22
> +VER = 6.0.27
>
> THISAPP = zabbix-$(VER)
> DL_FILE = $(THISAPP).tar.gz
> @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE)
> DIR_APP = $(DIR_SRC)/$(THISAPP)
> TARGET = $(DIR_INFO)/$(THISAPP)
> PROG = zabbix_agentd
> -PAK_VER = 11
> +PAK_VER = 12
>
> DEPS = fping
>
> @@ -48,7 +48,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_BLAKE2 = bba7911a24b00827c58d84938b5786d07f1eb44cbcad94cddf68b484ac9a2f514beb60225d006b8cefc5bbf92e51da27f26d9f6681e10f6322ed0841394e8d9d
> +$(DL_FILE)_BLAKE2 = 793bb887bd8f0d3c2f3d15a4ed9bb5b1fcfb13fcf80ea077672744a1bd8524e213eaf53291e0f9eecb9eb055fee6f1e29e91f890b54698906beac21ca54db4e9
>
> install : $(TARGET)
>
* Re: [PATCH 2/3] zabbix_agentd: Add helper script to get and verify certificate details
From: Adolf Belka @ 2024-02-28 19:48 UTC (permalink / raw)
To: development
Reviewed-by: Adolf Belka <adolf.belka(a)ipfire.org>
On 28/02/2024 19:58, Robin Roevens wrote:
> Add script to parse openssl output on certificates and return it as JSON for consumption by the Zabbix agent.
> ---
> .../ipfire_certificate_detail.sh | 91 +++++++++++++++++++
> 1 file changed, 91 insertions(+)
> create mode 100755 config/zabbix_agentd/ipfire_certificate_detail.sh
>
> diff --git a/config/zabbix_agentd/ipfire_certificate_detail.sh b/config/zabbix_agentd/ipfire_certificate_detail.sh
> new file mode 100755
> index 000000000..9ca0ef5de
> --- /dev/null
> +++ b/config/zabbix_agentd/ipfire_certificate_detail.sh
> @@ -0,0 +1,91 @@
> +#!/bin/bash
> +###############################################################################
> +# ipfire_certificate_detail.sh - Get certificate details and validation results
> +# in JSON format for use by Zabbix agent
> +#
> +# Author: robin.roevens (at) disroot.org
> +# Version: 1.0
> +#
> +# Copyright (C) 2007-2024 IPFire Team <info(a)ipfire.org>
> +#
> +# This program is free software: you can redistribute it and/or modify
> +# it under the terms of the GNU General Public License as published by
> +# the Free Software Foundation, either version 3 of the License, or
> +# (at your option) any later version.
> +#
> +# This program is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +#
> +###############################################################################
> +
> +# Required binaries
> +OPENSSL=/usr/bin/openssl
> +DATE=/bin/date
> +
> +# Parameter checking
> +[[ $1 ]] || { echo "{\"error\":\"No CA certificate file given.\"}"; exit 1; }
> +[[ -f $1 ]] || { echo "{\"error\":\"CA certificate not found: $1.\"}"; exit 1; }
> +[[ -r $1 ]] || { echo "{\"error\":\"No read permission on CA certificate: $1.\"}"; exit 1; }
> +[[ $2 ]] || { echo "{\"error\":\"No certificate file given.\"}"; exit 1; }
> +[[ -f $2 ]] || { echo "{\"error\":\"Certificate not found: $2.\"}"; exit 1; }
> +[[ -r $2 ]] || { echo "{\"error\":\"No read permission on certificate $2.\"}"; exit 1; }
> +[[ -x $OPENSSL ]] || { echo "{\"error\":\"$OPENSSL binary not found or no permission.\"}"; exit 1; }
> +[[ -x $DATE ]] || { echo "{\"error\":\"$DATE binary not found or no permission.\"}"; exit 1; }
> +
> +cafile=$1
> +cert=$2
> +
> +# Parse certificate details
> +cert_details=$(${OPENSSL} x509 -in "${cert}" -noout -text -certopt no_header,no_sigdump)
> +version=$(echo "${cert_details}" | grep "Version:" | sed 's/^ \+Version: \([0-9]\+\) (.\+)$/\1/g')
> +serial_number=$(echo "${cert_details}" | grep -A1 "Serial Number:" | tr -d '\n' | sed 's/^ \+Serial Number:\(\( \(.*\) ([0-9]\+x[0-9]\+).*\)\|\( \+\(.*\)$\)\)/\3\5/g')
> +signature_algorithm=$(echo "${cert_details}" | grep "Signature Algorithm:" | sed 's/^ \+Signature Algorithm: //g')
> +issuer=$(echo "${cert_details}" | grep "Issuer:" | sed 's/^ \+Issuer: //g' | sed 's/"/\\"/g')
> +not_before_value=$(echo "${cert_details}" | grep "Not Before:" | sed 's/^ \+Not Before: //g')
> +not_before_timestamp=$(${DATE} -d "${not_before_value}" +%s)
> +not_after_value=$(echo "${cert_details}" | grep "Not After :" | sed 's/^ \+Not After : //g')
> +not_after_timestamp=$(${DATE} -d "${not_after_value}" +%s)
> +subject=$(echo "${cert_details}" | grep "Subject:" | sed 's/^ \+Subject: //g' | sed 's/"/\\"/g')
> +public_key_algorithm=$(echo "${cert_details}" | grep "Public Key Algorithm:" | sed 's/^ \+Public Key Algorithm: //g')
> +
> +# Verify certificate
> +cert_verify=$(${OPENSSL} verify -CAfile "${cafile}" "${cert}" 2>&1)
> +if [[ $? != 0 ]]; then
> + result_value="invalid"
> + result_message="failed to verify certificate: x509: $(echo "${cert_verify}" | grep -E "error [0-9]+" | sed 's/^.\+: \(.\+\)/\1/g')"
> +else
> + result_value="valid"
> + result_message="certificate verified successfully"
> +fi
> +
> +# Generate fingerprints
> +sha1_fingerprint=$(${OPENSSL} x509 -in "${cert}" -noout -fingerprint -sha1 | cut -d= -f2)
> +sha256_fingerprint=$(${OPENSSL} x509 -in "${cert}" -noout -fingerprint -sha256 | cut -d= -f2)
> +
> +# Print certificate details in JSON
> +echo -n "{\"x509\":{"
> +echo -n "\"version\":\"${version}\","
> +echo -n "\"serial_number\":\"${serial_number}\","
> +echo -n "\"signature_algorithm\":\"${signature_algorithm}\","
> +echo -n "\"issuer\":\"${issuer}\","
> +echo -n "\"not_before\":{"
> +echo -n "\"value\":\"${not_before_value}\","
> +echo -n "\"timestamp\":\"${not_before_timestamp}\"},"
> +echo -n "\"not_after\":{"
> +echo -n "\"value\":\"${not_after_value}\","
> +echo -n "\"timestamp\":\"${not_after_timestamp}\"},"
> +echo -n "\"subject\":\"${subject}\","
> +echo -n "\"public_key_algorithm\":\"${public_key_algorithm}\"},"
> +echo -n "\"result\":{"
> +echo -n "\"value\":\"${result_value}\","
> +echo -n "\"message\":\"${result_message}\"},"
> +echo -n "\"sha1_fingerprint\":\"${sha1_fingerprint}\","
> +echo -n "\"sha256_fingerprint\":\"${sha256_fingerprint}\""
> +echo -n "}"
> +
> +exit 0
> \ No newline at end of file
* Re: [PATCH 3/3] zabbix_agentd: Add OpenVPN certificates items
From: Adolf Belka @ 2024-02-28 19:48 UTC (permalink / raw)
To: development
Reviewed-by: Adolf Belka <adolf.belka(a)ipfire.org>
On 28/02/2024 19:58, Robin Roevens wrote:
> - Adds Zabbix Agent userparameters `ipfire.ovpn.clientcert` and `ipfire.ovpn.cacert` for the agent to get details about openvpn client, server and ca certificates.
> - Moves all `ipfire.ovpn.*` userparameters to a separate config file `userparameter_ovpn.conf` to enable users to selectively disable openvpn items when not needed
> - Includes `ipfire_certificate_detail.sh` script in sudoers for Zabbix Agent as it needs root permission to read openvpn certificate details.
> - Adapts lfs install script to install new script and config file
> - Adds new script and config file to rootfiles
> ---
> config/rootfiles/packages/zabbix_agentd | 3 +++
> config/zabbix_agentd/sudoers | 1 +
> config/zabbix_agentd/userparameter_ipfire.conf | 8 +-------
> config/zabbix_agentd/userparameter_ovpn.conf | 13 +++++++++++++
> lfs/zabbix_agentd | 7 +++++++
> 5 files changed, 25 insertions(+), 7 deletions(-)
> create mode 100644 config/zabbix_agentd/userparameter_ovpn.conf
>
> diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd
> index 729a47ac6..8e10cb4c8 100644
> --- a/config/rootfiles/packages/zabbix_agentd
> +++ b/config/rootfiles/packages/zabbix_agentd
> @@ -20,3 +20,6 @@ var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf
> var/ipfire/zabbix_agentd/userparameters
> var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf
> var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf
> +var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf
> +var/ipfire/zabbix_agentd/scripts
> +var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh
> diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers
> index d93ec5d55..138c75635 100644
> --- a/config/zabbix_agentd/sudoers
> +++ b/config/zabbix_agentd/sudoers
> @@ -9,3 +9,4 @@
> #
> Defaults:zabbix !requiretty
> zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/sbin/fping, /usr/local/bin/getipstat, /bin/cat /var/run/ovpnserver.log
> +zabbix ALL=(ALL) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh
> diff --git a/config/zabbix_agentd/userparameter_ipfire.conf b/config/zabbix_agentd/userparameter_ipfire.conf
> index ba0c6c2ca..d2d0c8307 100644
> --- a/config/zabbix_agentd/userparameter_ipfire.conf
> +++ b/config/zabbix_agentd/userparameter_ipfire.conf
> @@ -9,10 +9,4 @@ UserParameter=ipfire.net.fw.hits.raw,sudo /usr/local/bin/getipstat -xf | grep "/
> # Number of currently Active DHCP leases
> UserParameter=ipfire.dhcpd.clients,grep -s -E 'lease|bind' /var/state/dhcp/dhcpd.leases | sed ':a;/{$/{N;s/\n//;ba}' | grep "state active" | wc -l
> # Number of Captive Portal clients
> -UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients
> -# Discovery of configured ovpn clients
> -UserParameter=ipfire.ovpn.clients.discovery,cat /var/ipfire/ovpn/ovpnconfig 2>/dev/null | awk -F',' 'BEGIN { ORS = ""; print "[" } { printf "%s{\"{#NAME}\":\"%s\",\"{#COMMONNAME}\":\"%s\",\"{#STATE}\":\"%s\",\"{#REMARK}\":\"%s\",\"{#TYPE}\":\"%s\"}", separator, $3, $4, $2, $27, $5; separator = ","; } END { print "]" }'
> -# Get OpenVPN status report
> -UserParameter=ipfire.ovpn.statusreport.get,sudo cat /var/run/ovpnserver.log 2>/dev/null | awk -F"," 'function unixtime(t) { gsub(/[-:]/," ",t); return mktime(t) } BEGIN { ORS = ""; print "{" } /^Updated,.+/ { printf "\"timestamp\":%s,\"clients\":[",unixtime($2) } /^.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,[0-9]+,[0-9]+,.+/ { if ($1 != "Common Name") { printf "%s{\"common_name\":\"%s\",\"real_address\":\"%s\",\"bytes_in\":\"%s\",\"bytes_out\":\"%s\",\"connected_since\":\"%s\"}", separator, $1, $2, $3, $4, unixtime($5); separator = ","; } } /^ROUTING TABLE/ { print "],\"routing_table\":["; separator = "" } /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,.+/ { if ($1 != "Virtual Address") { printf "%s{\"common_name\":\"%s\",\"virtual_address\":\"%s\",\"real_address\":\"%s\",\"last_ref\":\"%s\"}", separator, $2, $1, $3, unixtime($4); separator = "," } } END { print "]}" }'
> -# Allow item key to be called with (unused) parameters. This allows the #SINGLETON method of discovering this item only when openvpn service is active
> -Alias=ipfire.ovpn.statusreport.get[]:ipfire.ovpn.statusreport.get
> \ No newline at end of file
> +UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients
> \ No newline at end of file
> diff --git a/config/zabbix_agentd/userparameter_ovpn.conf b/config/zabbix_agentd/userparameter_ovpn.conf
> new file mode 100644
> index 000000000..a7a6d8535
> --- /dev/null
> +++ b/config/zabbix_agentd/userparameter_ovpn.conf
> @@ -0,0 +1,13 @@
> +# Parameters for monitoring IPFire OpenVPN specific metrics
> +#
> +# Discovery of configured ovpn clients
> +UserParameter=ipfire.ovpn.clients.discovery,cat /var/ipfire/ovpn/ovpnconfig 2>/dev/null | awk -F',' 'BEGIN { ORS = ""; print "[" } { printf "%s{\"{#NAME}\":\"%s\",\"{#COMMONNAME}\":\"%s\",\"{#STATE}\":\"%s\",\"{#REMARK}\":\"%s\",\"{#TYPE}\":\"%s\"}", separator, $3, $4, $2, $27, $5; separator = ","; } END { print "]" }'
> +# Get OpenVPN status report
> +UserParameter=ipfire.ovpn.statusreport.get,sudo cat /var/run/ovpnserver.log 2>/dev/null | awk -F"," 'function unixtime(t) { gsub(/[-:]/," ",t); return mktime(t) } BEGIN { ORS = ""; print "{" } /^Updated,.+/ { printf "\"timestamp\":%s,\"clients\":[",unixtime($2) } /^.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,[0-9]+,[0-9]+,.+/ { if ($1 != "Common Name") { printf "%s{\"common_name\":\"%s\",\"real_address\":\"%s\",\"bytes_in\":\"%s\",\"bytes_out\":\"%s\",\"connected_since\":\"%s\"}", separator, $1, $2, $3, $4, unixtime($5); separator = ","; } } /^ROUTING TABLE/ { print "],\"routing_table\":["; separator = "" } /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,.+/ { if ($1 != "Virtual Address") { printf "%s{\"common_name\":\"%s\",\"virtual_address\":\"%s\",\"real_address\":\"%s\",\"last_ref\":\"%s\"}", separator, $2, $1, $3, unixtime($4); separator = "," } } END { print "]}" }'
> +# Get OpenVPN client certificate details
> +UserParameter=ipfire.ovpn.clientcert[*],sudo /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh /var/ipfire/ovpn/ca/cacert.pem /var/ipfire/ovpn/certs/$1cert.pem
> +UserParameter=ipfire.ovpn.cacert,sudo /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh /var/ipfire/ovpn/ca/cacert.pem /var/ipfire/ovpn/ca/cacert.pem
> +
> +# Allow item key to be called with (unused) parameters. This allows the #SINGLETON method of discovering this item only when openvpn service is active
> +Alias=ipfire.ovpn.statusreport.get[]:ipfire.ovpn.statusreport.get
> +Alias=ipfire.ovpn.cacert[]:ipfire.ovpn.cacert
> \ No newline at end of file
> diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
> index 65e111d2f..5f274c309 100644
> --- a/lfs/zabbix_agentd
> +++ b/lfs/zabbix_agentd
> @@ -110,6 +110,13 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> /var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf
> install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ipfire.conf \
> /var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf
> + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ovpn.conf \
> + /var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf
> +
> + # Install IPFire-specific Zabbix Agent scripts
> + -mkdir -pv /var/ipfire/zabbix_agentd/scripts
> + install -v -m 755 $(DIR_SRC)/config/zabbix_agentd/ipfire_certificate_detail.sh \
> + /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh
>
> # Create directory for additional agent modules
> -mkdir -pv /usr/lib/zabbix