From mboxrd@z Thu Jan 1 00:00:00 1970
From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: [PATCH 3/3] zabbix_agentd: Add OpenVPN certificates items
Date: Wed, 28 Feb 2024 20:48:55 +0100
Message-ID: <444760e8-0f8c-4023-96c9-56f12d2d836f@ipfire.org>
In-Reply-To: <20240228191952.28258-4-robin.roevens@disroot.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5690053244444144133=="
List-Id:
--===============5690053244444144133==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Reviewed-by: Adolf Belka
On 28/02/2024 19:58, Robin Roevens wrote:
> - Adds Zabbix Agent userparameters `ipfire.ovpn.clientcert` and `ipfire.ovp= n.cacert` for the agent to get details about openvpn client, server and ca ce= rtificates.
> - Moves all `ipfire.ovpn.*` userparameters to a separate config file `userp= arameter_ovpn.conf` to enable users to selectively disable openvpn items when= not needed
> - Includes `ipfire_certificate_detail.sh` script in sudoers for Zabbix Agen= t as it needs root permission to read openvpn certificate details.
> - Adapts lfs install script to install new script and configfile
> - Adds new script and configfile to rootfiles
> ---
> config/rootfiles/packages/zabbix_agentd | 3 +++
> config/zabbix_agentd/sudoers | 1 +
> config/zabbix_agentd/userparameter_ipfire.conf | 8 +-------
> config/zabbix_agentd/userparameter_ovpn.conf | 13 +++++++++++++
> lfs/zabbix_agentd | 7 +++++++
> 5 files changed, 25 insertions(+), 7 deletions(-)
> create mode 100644 config/zabbix_agentd/userparameter_ovpn.conf
>
> diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/pac= kages/zabbix_agentd
> index 729a47ac6..8e10cb4c8 100644
> --- a/config/rootfiles/packages/zabbix_agentd
> +++ b/config/rootfiles/packages/zabbix_agentd 
> @@ -20,3 +20,6 @@ var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.c= onf
> var/ipfire/zabbix_agentd/userparameters
> var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf
> var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf
> +var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf
> +var/ipfire/zabbix_agentd/scripts
> +var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh
> diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers
> index d93ec5d55..138c75635 100644
> --- a/config/zabbix_agentd/sudoers
> +++ b/config/zabbix_agentd/sudoers
> @@ -9,3 +9,4 @@
> #
> Defaults:zabbix !requiretty
> zabbix ALL=3D(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/sbin/fping= , /usr/local/bin/getipstat, /bin/cat /var/run/ovpnserver.log
> +zabbix ALL=3D(ALL) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_cert= ificate_detail.sh
> diff --git a/config/zabbix_agentd/userparameter_ipfire.conf b/config/zabbix= _agentd/userparameter_ipfire.conf
> index ba0c6c2ca..d2d0c8307 100644
> --- a/config/zabbix_agentd/userparameter_ipfire.conf
> +++ b/config/zabbix_agentd/userparameter_ipfire.conf 
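Review bot: The added `zabbix ALL=(ALL) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh` entry places no restriction on the script's arguments, while the `ipfire.ovpn.clientcert[*]` item in the userparameter_ovpn.conf hunk builds the certificate path from the server-supplied item parameter (`/var/ipfire/ovpn/certs/$1cert.pem`), so the Zabbix server (or any host the agent's `Server=` list accepts) decides which file a root-privileged script opens. The script itself is not part of this patch, so I cannot see whether it canonicalizes or restricts its arguments; the agent's default `UnsafeUserParameters=0` filter rejects shell metacharacters but not `/` or `..`, so that check has to live in the script or in sudoers. A sudoers argument glob is not sufficient on its own because `*` in sudoers also matches `/`; the robust fix is for the script to accept only a client name matching a safe character set without `/` (e.g. `[A-Za-z0-9_.-]+`) and build the path under `/var/ipfire/ovpn/certs/` itself, or, where the installed sudo is new enough (1.9.10+), to anchor the arguments with a regular expression in sudoers. At minimum the new sudoers line deserves a comment such as `# Arguments come from Zabbix item parameters; the script must validate them` so the coupling is not lost on the next maintainer.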
> @@ -9,10 +9,4 @@ UserParameter=3Dipfire.net.fw.hits.raw,sudo /usr/local/bin= /getipstat -xf | grep "/
> # Number of currently Active DHCP leases
> UserParameter=3Dipfire.dhcpd.clients,grep -s -E 'lease|bind' /var/state/d= hcp/dhcpd.leases | sed ':a;/{$/{N;s/\n//;ba}' | grep "state active" | wc -l
> # Number of Captive Portal clients
> -UserParameter=3Dipfire.captive.clients,awk -F ',' 'length($2) =3D=3D 17 {s= um +=3D 1} END {if (length(sum) =3D=3D 0) print 0; else print sum}' /var/ipfi= re/captive/clients
> -# Discovery of configured ovpn clients
> -UserParameter=3Dipfire.ovpn.clients.discovery,cat /var/ipfire/ovpn/ovpncon= fig 2>/dev/null | awk -F',' 'BEGIN { ORS =3D ""; print "[" } { printf "%s{\"{= #NAME}\":\"%s\",\"{#COMMONNAME}\":\"%s\",\"{#STATE}\":\"%s\",\"{#REMARK}\":\"= %s\",\"{#TYPE}\":\"%s\"}", separator, $3, $4, $2, $27, $5; separator =3D ",";= } END { print "]" }'
> -# Get OpenVPN status report
> -UserParameter=3Dipfire.ovpn.statusreport.get,sudo cat /var/run/ovpnserver.= log 2>/dev/null | awk -F"," 'function unixtime(t) { gsub(/[-:]/," ",t); retur= n mktime(t) } BEGIN { ORS =3D ""; print "{" } /^Updated,.+/ { printf "\"times= tamp\":%s,\"clients\":[",unixtime($2) } /^.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[= 0-9]+,[0-9]+,[0-9]+,.+/ { if ($1 !=3D "Common Name") { printf "%s{\"common_na= me\":\"%s\",\"real_address\":\"%s\",\"bytes_in\":\"%s\",\"bytes_out\":\"%s\",= \"connected_since\":\"%s\"}", separator, $1, $2, $3, $4, unixtime($5); separa= tor =3D ","; } } /^ROUTING TABLE/ { print "],\"routing_table\":["; separator = =3D "" } /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[= 0-9]+,.+/ { if ($1 !=3D "Virtual Address") { printf "%s{\"common_name\":\"%s\= ",\"virtual_address\":\"%s\",\"real_address\":\"%s\",\"last_ref\":\"%s\"}", s= eparator, $2, $1, $3, unixtime($4); separator =3D "," } } END { print "]}" }'
> -# Allow item key to be called with (unused) parameters. 
This allows the #S= INGLETON method of discovering this item only when openvpn service is active
> -Alias=3Dipfire.ovpn.statusreport.get[]:ipfire.ovpn.statusreport.get
> \ No newline at end of file
> +UserParameter=3Dipfire.captive.clients,awk -F ',' 'length($2) =3D=3D 17 {s= um +=3D 1} END {if (length(sum) =3D=3D 0) print 0; else print sum}' /var/ipfi= re/captive/clients
> \ No newline at end of file
> diff --git a/config/zabbix_agentd/userparameter_ovpn.conf b/config/zabbix_a= gentd/userparameter_ovpn.conf
> new file mode 100644
> index 000000000..a7a6d8535
> --- /dev/null
> +++ b/config/zabbix_agentd/userparameter_ovpn.conf 
> @@ -0,0 +1,13 @@
> +# Parameters for monitoring IPFire OpenVPN specific metrics
> +#
> +# Discovery of configured ovpn clients
> +UserParameter=3Dipfire.ovpn.clients.discovery,cat /var/ipfire/ovpn/ovpncon= fig 2>/dev/null | awk -F',' 'BEGIN { ORS =3D ""; print "[" } { printf "%s{\"{= #NAME}\":\"%s\",\"{#COMMONNAME}\":\"%s\",\"{#STATE}\":\"%s\",\"{#REMARK}\":\"= %s\",\"{#TYPE}\":\"%s\"}", separator, $3, $4, $2, $27, $5; separator =3D ",";= } END { print "]" }'
> +# Get OpenVPN status report
> +UserParameter=3Dipfire.ovpn.statusreport.get,sudo cat /var/run/ovpnserver.= log 2>/dev/null | awk -F"," 'function unixtime(t) { gsub(/[-:]/," ",t); retur= n mktime(t) } BEGIN { ORS =3D ""; print "{" } /^Updated,.+/ { printf "\"times= tamp\":%s,\"clients\":[",unixtime($2) } /^.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[= 0-9]+,[0-9]+,[0-9]+,.+/ { if ($1 !=3D "Common Name") { printf "%s{\"common_na= me\":\"%s\",\"real_address\":\"%s\",\"bytes_in\":\"%s\",\"bytes_out\":\"%s\",= \"connected_since\":\"%s\"}", separator, $1, $2, $3, $4, unixtime($5); separa= tor =3D ","; } } /^ROUTING TABLE/ { print "],\"routing_table\":["; separator = =3D "" } /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[= 0-9]+,.+/ { if ($1 !=3D "Virtual Address") { printf "%s{\"common_name\":\"%s\= ",\"virtual_address\":\"%s\",\"real_address\":\"%s\",\"last_ref\":\"%s\"}", s= eparator, $2, $1, $3, unixtime($4); separator =3D "," } } END { print "]}" }'
> +# Get OpenVPN client certificate details
> +UserParameter=3Dipfire.ovpn.clientcert[*],sudo /var/ipfire/zabbix_agentd/s= cripts/ipfire_certificate_detail.sh /var/ipfire/ovpn/ca/cacert.pem /var/ipfir= e/ovpn/certs/$1cert.pem
> +UserParameter=3Dipfire.ovpn.cacert,sudo /var/ipfire/zabbix_agentd/scripts/= ipfire_certificate_detail.sh /var/ipfire/ovpn/ca/cacert.pem /var/ipfire/ovpn/= ca/cacert.pem
> +
> +# Allow item key to be called with (unused) parameters. 
This allows the #S= INGLETON method of discovering this item only when openvpn service is active
> +Alias=3Dipfire.ovpn.statusreport.get[]:ipfire.ovpn.statusreport.get
> +Alias=3Dipfire.ovpn.cacert[]:ipfire.ovpn.cacert
> \ No newline at end of file
> diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
> index 65e111d2f..5f274c309 100644
> --- a/lfs/zabbix_agentd
> +++ b/lfs/zabbix_agentd
> @@ -110,6 +110,13 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> /var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf
> install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ipfire.c= onf \
> /var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf
> + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ovpn.conf= \
> + /var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf
> +
> + # Install IPFire-specific Zabbix Agent scripts
> + -mkdir -pv /var/ipfire/zabbix_agentd/scripts
> + install -v -m 755 $(DIR_SRC)/config/zabbix_agentd/ipfire_certificate_deta= il.sh \
> + /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh
> =20
> # Create directory for additional agent modules
> -mkdir -pv /usr/lib/zabbix
--===============5690053244444144133==--
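Review bot: The `ipfire.ovpn.cacert` line passes `/var/ipfire/ovpn/ca/cacert.pem` as both arguments of `ipfire_certificate_detail.sh`, which reads like a copy-paste slip unless the script's first argument is the issuer to verify against and a self-signed CA is deliberately checked against itself; a comment on the line above such as `# The CA is self-signed, so it is verified against itself` would settle that for the next reader. The `ipfire.ovpn.clientcert[*]` line would likewise benefit from a comment naming what `$1` is expected to be (presumably the `{#NAME}` produced by `ipfire.ovpn.clients.discovery`), so the `$1cert.pem` concatenation is not mistaken for a typo. The new file also ends without a trailing newline (`\ No newline at end of file`), and the previous hunk re-adds the otherwise unchanged `ipfire.captive.clients` line of userparameter_ipfire.conf only because its newline was lost; adding the newline in both files keeps future diffs minimal.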
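Review bot: The script installed by the new `install -v -m 755 … ipfire_certificate_detail.sh` line becomes a passwordless-root sudo target (sudoers hunk in this series), so its ownership matters as much as its mode: `install` run as root in the build defaults to root ownership, but the parent `/var/ipfire/zabbix_agentd/scripts` directory created by `-mkdir -pv` takes its mode from the umask and nothing here pins its owner. The rest of this recipe is outside the hunk; if anything later in it chowns `/var/ipfire/zabbix_agentd` to the `zabbix` user, the account being granted root could replace the script, so this is worth confirming. Pinning both explicitly removes the doubt, e.g. `install -v -d -m 755 -o root -g root /var/ipfire/zabbix_agentd/scripts` in place of the `-mkdir -pv` line and `install -v -m 755 -o root -g root $(DIR_SRC)/config/zabbix_agentd/ipfire_certificate_detail.sh \` for the script. The `-` ignore-errors prefix is redundant with `mkdir -p` anyway, although it matches the existing `-mkdir -pv /usr/lib/zabbix` line in this file.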