From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH 4/4] [V2] zabbix_agentd: Add IPFire specific userparameters Date: Mon, 12 Apr 2021 11:36:37 +0100 Message-ID: In-Reply-To: <20210407204455.450-5-robin.roevens@disroot.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2864156144101741438==" List-Id: --===============2864156144101741438== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello, > On 7 Apr 2021, at 21:44, Robin Roevens wrote: >=20 > Provide IPFire specific items for the Zabbix server to monitor: > - Networking stats: > - ipfire.net.gateway.pingtime: Internet Line Quality > - ipfire.net.gateway.ping: Internet connection > - ipfire.net.fw.hits[*]: Firewall hits > - IPFire service states: > - ipfire.services: JSON formatted state of all IPFire services > using new ipfire_services.pl script. >=20 > Users can install the IPFire 2 Zabbix template-set provided here: > https://share.zabbix.com/network-appliances/ipfire-2 > to monitor these metrics. Or create their own template. >=20 > Signed-off-by: Robin Roevens > --- > config/rootfiles/packages/zabbix_agentd | 3 + > config/zabbix_agentd/ipfire_services.pl | 221 ++++++++++++++++++ > config/zabbix_agentd/sudoers | 2 +- > .../template_module_ipfire_network_stats.conf | 4 + > .../template_module_ipfire_services.conf | 2 + > lfs/zabbix_agentd | 8 +- > src/paks/zabbix_agentd/install.sh | 5 + > src/paks/zabbix_agentd/uninstall.sh | 2 + > 8 files changed, 245 insertions(+), 2 deletions(-) > create mode 100755 config/zabbix_agentd/ipfire_services.pl > create mode 100644 config/zabbix_agentd/template_module_ipfire_network_stat= s.conf > create mode 100644 config/zabbix_agentd/template_module_ipfire_services.conf >=20 > diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/pac= kages/zabbix_agentd > index 6945c5ef7..aa3f1846b 100644 > --- a/config/rootfiles/packages/zabbix_agentd > +++ b/config/rootfiles/packages/zabbix_agentd > @@ -3,9 +3,12 @@ etc/rc.d/init.d/zabbix_agentd > etc/sudoers.d/zabbix.ipfirenew > #etc/zabbix_agentd > #etc/zabbix_agentd/scripts > +etc/zabbix_agentd/scripts/ipfire_services.pl.ipfirenew > etc/zabbix_agentd/zabbix_agentd.conf.ipfirenew > #etc/zabbix_agentd/zabbix_agentd.d > etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.conf.ipfirenew > +etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_network_stats.con= f.ipfirenew > +etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_services.conf.ipf= irenew > usr/bin/zabbix_get > usr/bin/zabbix_sender > #usr/lib/modules > diff --git a/config/zabbix_agentd/ipfire_services.pl b/config/zabbix_agentd= /ipfire_services.pl > new file mode 100755 > index 000000000..dbf8aec56 > --- /dev/null > +++ b/config/zabbix_agentd/ipfire_services.pl > @@ -0,0 +1,221 @@ > +#!/usr/bin/perl > +##########################################################################= ##### > +# ipfire_services.pl - Retrieves available IPFire services information and= =20 > +# return this as a JSON array suitable for easy proce= ssing=20 > +# by Zabbix server > +# > +# Author: robin.roevens (at) disroot.org > +# Version: 1.0 > +# > +# Based on: services.cgi by IPFire Team > +# Copyright (C) 2007-2021 IPFire Team =20 > +#=20 > +# This program is free software: you can redistribute it and/or modify > +# it under the terms of the GNU General Public License as published by > +# the Free Software Foundation, either version 3 of the License, or > +# (at your option) any later version. > +#=20 > +# This program is distributed in the hope that it will be useful, > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the=20 > +# GNU General Public License for more details. > +#=20 > +# You should have received a copy of the GNU General Public License=20 > +# along with this program. If not, see . > +#=20 > +##########################################################################= ##### > + > +use strict; > + > +# enable only the following on debugging purpose > +# use warnings; > + > +# Maps a nice printable name to the changing part of the pid file, which > +# is also the name of the program > +my %servicenames =3D( > + 'DHCP Server' =3D> 'dhcpd', > + 'Web Server' =3D> 'httpd', > + 'CRON Server' =3D> 'fcron', > + 'DNS Proxy Server' =3D> 'unbound', > + 'Logging Server' =3D> 'syslogd', > + 'Kernel Logging Server' =3D> 'klogd', > + 'NTP Server' =3D> 'ntpd', > + 'Secure Shell Server' =3D> 'sshd', > + 'VPN' =3D> 'charon', > + 'Web Proxy' =3D> 'squid', > + 'Intrusion Detection System' =3D> 'suricata', > + 'OpenVPN' =3D> 'openvpn' > +); You have a hard-coded list with process names here. It technically is missing= add-ons but including everything would make this list very long and a lot of= work to maintain... > + > +# Hash to overwrite the process name of a process if it differs from the l= aunch command. > +my %overwrite_exename_hash =3D ( > + "suricata" =3D> "Suricata-Main" > +); > + > +my $first =3D 1; > + > +print "["; > + > +# Built-in services > +my $key =3D ''; > +foreach $key (sort keys %servicenames){ > + print "," if not $first; > + $first =3D 0; > + > + print "{"; > + print "\"service\":\"$key\","; > + > + my $shortname =3D $servicenames{$key}; > + print &servicestats($shortname); > +=09 > + print "}"; > +} > + > +# Generate list of installed addon pak's > +my @pak =3D `find /opt/pakfire/db/installed/meta-* 2>/dev/null | cut -d"-"= -f2`; > +foreach (@pak){ > + chomp($_); > + > + # Check which of the paks are services > + my @svc =3D `find /etc/init.d/$_ 2>/dev/null | cut -d"/" -f4`; > + foreach (@svc){ > + # blacklist some packages > + # > + # alsa has trouble with the volume saving and was not really stopped > + # mdadm should not stopped with webif because this could crash the system > + # > + chomp($_); > + if ( $_ eq 'squid' ) { > + next; > + } > + if ( ($_ ne "alsa") && ($_ ne "mdadm") ) { Another hardcoded list due to code duplication. Not your fault, but not prett= y. > + print ","; > + print "{"; > + > + print "\"service\":\"Addon: $_\","; > + print "\"servicename\":\"$_\","; > + > + my $onboot =3D isautorun($_); > + print "\"onboot\":$onboot,"; > + > + print &addonservicestats($_); > + > + print "}"; > + } > + } > +}=09 > + > +print "]"; > + > +sub servicestats{ > + my $cmd =3D $_[0]; > + my $status =3D "\"servicename\":\"$cmd\",\"state\":\"0\""; > + my $pid =3D ''; > + my $testcmd =3D ''; > + my $exename; > + my $memory; > + > + > + $cmd =3D~ /(^[a-z]+)/; > +=09 > + # Check if the exename needs to be overwritten. > + # This happens if the expected process name string > + # differs from the real one. This may happened if > + # a service uses multiple processes or threads. > + if (exists($overwrite_exename_hash{$cmd})) { > + # Grab the string which will be reported by > + # the process from the corresponding hash. > + $exename =3D $overwrite_exename_hash{$1}; > + } else { > + # Directly expect the launched command as > + # process name. > + $exename =3D $1; > + } > +=09 > + if (open(FILE, "/var/run/${cmd}.pid")){ > + $pid =3D ; chomp $pid; > + close FILE; > + if (open(FILE, "/proc/${pid}/status")){ > + while (){ > + if (/^Name:\W+(.*)/) { > + $testcmd =3D $1; > + } > + } > + close FILE; > + } > + if (open(FILE, "/proc/${pid}/status")) { > + while () { > + my ($key, $val) =3D split(":", $_, 2); > + if ($key eq 'VmRSS') { > + $val =3D~ /\s*([0-9]*)\s+kB/; > + # Convert kB to B > + $memory =3D $1*1024; > + last; > + } > + } > + close(FILE); > + } > + if ($testcmd =3D~ /$exename/){ > + $status =3D "\"servicename\":\"$cmd\",\"state\":1,\"pid\":$pid,\"memory= \":$memory"; > + } > + } > + return $status; > +} > + > +sub isautorun{ > + my $cmd =3D $_[0]; > + my $status =3D "0"; > + my $init =3D `find /etc/rc.d/rc3.d/S??${cmd} 2>/dev/null`; > + chomp ($init); > + if ($init ne ''){ > + $status =3D "1"; > + } > + $init =3D `find /etc/rc.d/rc3.d/off/S??${cmd} 2>/dev/null`; > + chomp ($init); > + if ($init ne ''){ > + $status =3D "0"; > + } > + > + return $status; > +} > + > +sub addonservicestats{ > + my $cmd =3D $_[0]; > + my $status =3D "0"; > + my $pid =3D ''; > + my $testcmd =3D ''; > + my $exename; > + my @memory =3D (0); > + > + $testcmd =3D `sudo /usr/local/bin/addonctrl $_ status 2>/dev/null`; > + > + if ( $testcmd =3D~ /is\ running/ && $testcmd !~ /is\ not\ running/= ){ > + $status =3D "\"state\":1"; > + > + $testcmd =3D~ s/.* //gi; > + $testcmd =3D~ s/[a-z_]//gi; > + $testcmd =3D~ s/\[[0-1]\;[0-9]+//gi; > + $testcmd =3D~ s/[\(\)\.]//gi; > + $testcmd =3D~ s/ //gi; > + $testcmd =3D~ s/=1B//gi; > + > + my @pid =3D split(/\s/,$testcmd); > + $status .=3D",\"pid\":\"$pid[0]\""; > + > + my $memory =3D 0; > + > + foreach (@pid){ > + chomp($_); > + if (open(FILE, "/proc/$_/statm")){ > + my $temp =3D ; > + @memory =3D split(/ /,$temp); > + } > + $memory+=3D$memory[0]; > + } > + $memory*=3D1024; > + $status .=3D",\"memory\":$memory"; > + }else{ > + $status =3D "\"state\":0"; > + } > + return $status; > +} > diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers > index 1b362a4fd..340bb8e66 100644 > --- a/config/zabbix_agentd/sudoers > +++ b/config/zabbix_agentd/sudoers > @@ -14,4 +14,4 @@ > # Append / edit the following list of commands to fit your needs: > # > Defaults:zabbix !requiretty > -zabbix ALL=3D(ALL) NOPASSWD: /opt/pakfire/pakfire status > +zabbix ALL=3D(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/local/bin/a= ddonctrl, /sbin/iptables, /usr/sbin/fping This is absolutely impossible to give the zabbix user control to start/stop a= ny add-on and to read and change the entire iptables ruleset. Zabbix is listening on the network and does not have any kind of authenticati= on. Any security vulnerabilities in Zabbix would allow to alter the firewall = rules and DoS any add-ons. This is dangerous. Are there any alternative ways to realise this functionality? > diff --git a/config/zabbix_agentd/template_module_ipfire_network_stats.conf= b/config/zabbix_agentd/template_module_ipfire_network_stats.conf > new file mode 100644 > index 000000000..f1658ed07 > --- /dev/null > +++ b/config/zabbix_agentd/template_module_ipfire_network_stats.conf > @@ -0,0 +1,4 @@ > +### Parameters for monitoring IPFire network statistics=20 > +UserParameter=3Dipfire.net.gateway.pingtime,sudo /usr/sbin/fping -c 3 gate= way 2>&1 | tail -n 1 | awk '{print $NF}' | cut -d '/' -f2 > +UserParameter=3Dipfire.net.gateway.ping,sudo /usr/sbin/fping -q -r 3 gatew= ay; [ ! $? ]; echo $? > +UserParameter=3Dipfire.net.fw.hits[*],sudo /sbin/iptables -vnxL $1 | grep = "\/\* $2 \*\/" | awk '{ print $$2 }'; > diff --git a/config/zabbix_agentd/template_module_ipfire_services.conf b/co= nfig/zabbix_agentd/template_module_ipfire_services.conf > new file mode 100644 > index 000000000..5f95218e3 > --- /dev/null > +++ b/config/zabbix_agentd/template_module_ipfire_services.conf > @@ -0,0 +1,2 @@ > +### Parameter for monitoring IPFire services > +UserParameter=3Dipfire.services,/etc/zabbix_agentd/scripts/ipfire_services= .pl > diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd > index 73e08d20a..c0d28d51f 100644 > --- a/lfs/zabbix_agentd > +++ b/lfs/zabbix_agentd > @@ -33,7 +33,7 @@ DIR_APP =3D $(DIR_SRC)/$(THISAPP) > TARGET =3D $(DIR_INFO)/$(THISAPP) > PROG =3D zabbix_agentd > PAK_VER =3D 5 > -DEPS =3D > +DEPS =3D "fping" >=20 > ###########################################################################= #### > # Top-level Rules > @@ -97,6 +97,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > /etc/zabbix_agentd/zabbix_agentd.conf.ipfirenew > install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/template_app_pakfire.con= f \ > /etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.conf.ipfirenew > + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/template_module_ipfire_= network_stats.conf \ > + /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_network_stats.= conf.ipfirenew > + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/template_module_ipfire_= services.conf \ > + /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire_services.conf.= ipfirenew > + install -v -m 755 $(DIR_SRC)/config/zabbix_agentd/ipfire_services.pl \ > + /etc/zabbix_agentd/scripts/ipfire_services.pl.ipfirenew >=20 > # Create directory for additional agent modules > -mkdir -pv /usr/lib/zabbix > diff --git a/src/paks/zabbix_agentd/install.sh b/src/paks/zabbix_agentd/ins= tall.sh > index 4248a7ec1..ced915c81 100644 > --- a/src/paks/zabbix_agentd/install.sh > +++ b/src/paks/zabbix_agentd/install.sh > @@ -66,8 +66,13 @@ restore_backup ${NAME} > # Put zabbix configfiles in place > setup_configfile /etc/zabbix_agentd/zabbix_agentd.conf > setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_app_pakfire.co= nf > +setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire= _network_stats.conf > +setup_configfile /etc/zabbix_agentd/zabbix_agentd.d/template_module_ipfire= _services.conf > setup_configfile /etc/sudoers.d/zabbix >=20 > +# Overwrite script if it exists as user should not modify it but it is inc= luded in backup > +mv /etc/zabbix_agentd/scripts/ipfire_services.pl.ipfirenew /etc/zabbix_age= ntd/scripts/ipfire_services.pl > + > if $review_required; then > echo "WARNING: New versions of some configfile(s) where provided as .ipfir= enew-files." > echo " They may need manual review in order to take advantage of n= ew features" > diff --git a/src/paks/zabbix_agentd/uninstall.sh b/src/paks/zabbix_agentd/u= ninstall.sh > index 7a13880c5..ccbc8f7cf 100644 > --- a/src/paks/zabbix_agentd/uninstall.sh > +++ b/src/paks/zabbix_agentd/uninstall.sh > @@ -26,6 +26,8 @@ stop_service ${NAME} >=20 > # Remove .ipfirenew files in advance so they won't be included in backup > rm -rfv /etc/zabbix_agentd/*.ipfirenew /etc/zabbix_agentd/*/*.ipfirenew > +# Remove script-file as it should not have been modified by user > +rm -fv /etc/zabbix_agentd/scripts/ipfire_services.pl >=20 > make_backup ${NAME} > remove_files > --=20 > 2.30.2 >=20 >=20 > --=20 > Dit bericht is gescanned op virussen en andere gevaarlijke > inhoud door MailScanner en lijkt schoon te zijn. >=20 -Michael --===============2864156144101741438==--