[PATCH] zabbix_agentd: v6.0.27 + ovpn certificate checks

List overview All Threads
Download

newer

older

Re: IPFire 2.29 - Core Update 184...

[PATCH] en.pl: Correct typo of...

Robin Roevens

28 Feb 2024 28 Feb '24

6:58 p.m.

Hi all

A new version of the Zabbix Agent addon fixing a bug and improving logfile reading performance with regex.

Added IPFire specific functionality: Checking and validating OpenVPN Client, server and CA certificates.

Patch 1: Zabbix agent version update Patch 2: Helper script for added openvpn certificate items Patch 3: Actual configuration of agent for new certificate checking functionality

Zabbix agentd wiki entry will be updated after merge.

Regards

Robin

-- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn.

Show replies by date

Robin Roevens

28 Feb 28 Feb

6:58 p.m.

New subject: [PATCH 1/3] zabbix_agentd: Update to 6.0.27 (LTS)

- Update from version 6.0.22 to 6.0.27 - Update of rootfile not required

Bugs fixed: - ZBX-23715: Fixed persistent directory path not following symlinks upon creation - ZBX-22933: Improved vfs.file.regmatch and vfs.file.regexp items to use buffered file read

Full changelogs since 6.0.22: - https://www.zabbix.com/rn/rn6.0.23 - https://www.zabbix.com/rn/rn6.0.24 - https://www.zabbix.com/rn/rn6.0.25 - https://www.zabbix.com/rn/rn6.0.26 - https://www.zabbix.com/rn/rn6.0.27 --- lfs/zabbix_agentd | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index 0033d9a2c..65e111d2f 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -26,7 +26,7 @@ include Config

SUMMARY = Zabbix Agent

-VER = 6.0.22 +VER = 6.0.27

THISAPP = zabbix-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = zabbix_agentd -PAK_VER = 11 +PAK_VER = 12

DEPS = fping

@@ -48,7 +48,7 @@ objects = $(DL_FILE)

$(DL_FILE) = $(DL_FROM)/$(DL_FILE)

-$(DL_FILE)_BLAKE2 = bba7911a24b00827c58d84938b5786d07f1eb44cbcad94cddf68b484ac9a2f514beb60225d006b8cefc5bbf92e51da27f26d9f6681e10f6322ed0841394e8d9d +$(DL_FILE)_BLAKE2 = 793bb887bd8f0d3c2f3d15a4ed9bb5b1fcfb13fcf80ea077672744a1bd8524e213eaf53291e0f9eecb9eb055fee6f1e29e91f890b54698906beac21ca54db4e9

install : $(TARGET)

-- 2.43.0 -- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn.

Adolf Belka

7:46 p.m.

New subject: [PATCH 1/3] zabbix_agentd: Update to 6.0.27 (LTS)

Reviewed-by: Adolf Belka adolf.belka@ipfire.org

On 28/02/2024 19:58, Robin Roevens wrote:

...

Update from version 6.0.22 to 6.0.27

Update of rootfile not required

Bugs fixed:

ZBX-23715: Fixed persistent directory path not following symlinks upon creation

ZBX-22933: Improved vfs.file.regmatch and vfs.file.regexp items to use buffered file read

Full changelogs since 6.0.22:

https://www.zabbix.com/rn/rn6.0.23

https://www.zabbix.com/rn/rn6.0.24

https://www.zabbix.com/rn/rn6.0.25

https://www.zabbix.com/rn/rn6.0.26

https://www.zabbix.com/rn/rn6.0.27

lfs/zabbix_agentd | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index 0033d9a2c..65e111d2f 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -26,7 +26,7 @@ include Config

SUMMARY = Zabbix Agent

-VER = 6.0.22 +VER = 6.0.27

THISAPP = zabbix-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = zabbix_agentd -PAK_VER = 11 +PAK_VER = 12

DEPS = fping

@@ -48,7 +48,7 @@ objects = $(DL_FILE)

$(DL_FILE) = $(DL_FROM)/$(DL_FILE)

-$(DL_FILE)_BLAKE2 = bba7911a24b00827c58d84938b5786d07f1eb44cbcad94cddf68b484ac9a2f514beb60225d006b8cefc5bbf92e51da27f26d9f6681e10f6322ed0841394e8d9d +$(DL_FILE)_BLAKE2 = 793bb887bd8f0d3c2f3d15a4ed9bb5b1fcfb13fcf80ea077672744a1bd8524e213eaf53291e0f9eecb9eb055fee6f1e29e91f890b54698906beac21ca54db4e9

install : $(TARGET)

Robin Roevens

6:58 p.m.

New subject: [PATCH 2/3] zabbix_agentd: Add helper script to get and verify certificate details

Add script to parse openssl output on certificates and return it as JSON for consumption by the Zabbix agent. --- .../ipfire_certificate_detail.sh | 91 +++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100755 config/zabbix_agentd/ipfire_certificate_detail.sh

diff --git a/config/zabbix_agentd/ipfire_certificate_detail.sh b/config/zabbix_agentd/ipfire_certificate_detail.sh new file mode 100755 index 000000000..9ca0ef5de --- /dev/null +++ b/config/zabbix_agentd/ipfire_certificate_detail.sh @@ -0,0 +1,91 @@ +#!/bin/bash +############################################################################### +# ipfire_certificate_detail.sh - Get certificate details and validation results +# in JSON format for use by Zabbix agent +# +# Author: robin.roevens (at) disroot.org +# Version: 1.0 +# +# Copyright (C) 2007-2024 IPFire Team info@ipfire.org +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. +# +############################################################################### + +# Required binaries +OPENSSL=/usr/bin/openssl +DATE=/bin/date + +# Parameter checking +[[ $1 ]] || { echo "{"error":"No CA certificate file given."}"; exit 1; } +[[ -f $1 ]] || { echo "{"error":"CA certificate not found: $1."}"; exit 1; } +[[ -r $1 ]] || { echo "{"error":"No read permission on CA certificate: $1."}"; exit 1; } +[[ $2 ]] || { echo "{"error":"No certificate file given."}"; exit 1; } +[[ -f $2 ]] || { echo "{"error":"Certificate not found: $2."}"; exit 1; } +[[ -r $2 ]] || { echo "{"error":"No read permission on certificate $2."}"; exit 1; } +[[ -x $OPENSSL ]] || { echo "{"error":"$OPENSSL binary not found or no permission."}"; exit 1; } +[[ -x $DATE ]] || { echo "{"error":"$DATE binary not found or no permission."}"; exit 1; } + +cafile=$1 +cert=$2 + +# Parse certificate details +cert_details=$(${OPENSSL} x509 -in "${cert}" -noout -text -certopt no_header,no_sigdump) +version=$(echo "${cert_details}" | grep "Version:" | sed 's/^ +Version: ([0-9]+) (.+)$/\1/g') +serial_number=$(echo "${cert_details}" | grep -A1 "Serial Number:" | tr -d '\n' | sed 's/^ +Serial Number:(( (.*) ([0-9]+x[0-9]+).*)|( +(.*)$))/\3\5/g') +signature_algorithm=$(echo "${cert_details}" | grep "Signature Algorithm:" | sed 's/^ +Signature Algorithm: //g') +issuer=$(echo "${cert_details}" | grep "Issuer:" | sed 's/^ +Issuer: //g' | sed 's/"/\"/g') +not_before_value=$(echo "${cert_details}" | grep "Not Before:" | sed 's/^ +Not Before: //g') +not_before_timestamp=$(${DATE} -d "${not_before_value}" +%s) +not_after_value=$(echo "${cert_details}" | grep "Not After :" | sed 's/^ +Not After : //g') +not_after_timestamp=$(${DATE} -d "${not_after_value}" +%s) +subject=$(echo "${cert_details}" | grep "Subject:" | sed 's/^ +Subject: //g' | sed 's/"/\"/g') +public_key_algorithm=$(echo "${cert_details}" | grep "Public Key Algorithm:" | sed 's/^ +Public Key Algorithm: //g') + +# Verify certificate +cert_verify=$(${OPENSSL} verify -CAfile "${cafile}" "${cert}" 2>&1) +if [[ $? != 0 ]]; then + result_value="invalid" + result_message="failed to verify certificate: x509: $(echo "${cert_verify}" | grep -E "error [0-9]+" | sed 's/^.+: (.+)/\1/g')" +else + result_value="valid" + result_message="certificate verified successfully" +fi + +# Generate fingerprints +sha1_fingerprint=$(${OPENSSL} x509 -in "${cert}" -noout -fingerprint -sha1 | cut -d= -f2) +sha256_fingerprint=$(${OPENSSL} x509 -in "${cert}" -noout -fingerprint -sha256 | cut -d= -f2) + +# Print certificate details in JSON +echo -n "{"x509":{" +echo -n ""version":"${version}"," +echo -n ""serial_number":"${serial_number}"," +echo -n ""signature_algorithm":"${signature_algorithm}"," +echo -n ""issuer":"${issuer}"," +echo -n ""not_before":{" +echo -n ""value":"${not_before_value}"," +echo -n ""timestamp":"${not_before_timestamp}"}," +echo -n ""not_after":{" +echo -n ""value":"${not_after_value}"," +echo -n ""timestamp":"${not_after_timestamp}"}," +echo -n ""subject":"${subject}"," +echo -n ""public_key_algorithm":"${public_key_algorithm}"}," +echo -n ""result":{" +echo -n ""value":"${result_value}"," +echo -n ""message":"${result_message}"}," +echo -n ""sha1_fingerprint":"${sha1_fingerprint}"," +echo -n ""sha256_fingerprint":"${sha256_fingerprint}"" +echo -n "}" + +exit 0 \ No newline at end of file

-- 2.43.0 -- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn.

Adolf Belka

7:48 p.m.

New subject: [PATCH 2/3] zabbix_agentd: Add helper script to get and verify certificate details

Reviewed-by: Adolf Belka adolf.belka@ipfire.org

On 28/02/2024 19:58, Robin Roevens wrote:

...

Add script to parse openssl output on certificates and return it as JSON for consumption by the Zabbix agent.

.../ipfire_certificate_detail.sh | 91 +++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100755 config/zabbix_agentd/ipfire_certificate_detail.sh

diff --git a/config/zabbix_agentd/ipfire_certificate_detail.sh b/config/zabbix_agentd/ipfire_certificate_detail.sh new file mode 100755 index 000000000..9ca0ef5de --- /dev/null +++ b/config/zabbix_agentd/ipfire_certificate_detail.sh @@ -0,0 +1,91 @@ +#!/bin/bash +############################################################################### +# ipfire_certificate_detail.sh - Get certificate details and validation results +# in JSON format for use by Zabbix agent +# +# Author: robin.roevens (at) disroot.org +# Version: 1.0 +# +# Copyright (C) 2007-2024 IPFire Team info@ipfire.org +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. +# +###############################################################################

+# Required binaries +OPENSSL=/usr/bin/openssl +DATE=/bin/date

+# Parameter checking +[[ $1 ]] || { echo "{"error":"No CA certificate file given."}"; exit 1; } +[[ -f $1 ]] || { echo "{"error":"CA certificate not found: $1."}"; exit 1; } +[[ -r $1 ]] || { echo "{"error":"No read permission on CA certificate: $1."}"; exit 1; } +[[ $2 ]] || { echo "{"error":"No certificate file given."}"; exit 1; } +[[ -f $2 ]] || { echo "{"error":"Certificate not found: $2."}"; exit 1; } +[[ -r $2 ]] || { echo "{"error":"No read permission on certificate $2."}"; exit 1; } +[[ -x $OPENSSL ]] || { echo "{"error":"$OPENSSL binary not found or no permission."}"; exit 1; } +[[ -x $DATE ]] || { echo "{"error":"$DATE binary not found or no permission."}"; exit 1; }

+cafile=$1 +cert=$2

+# Parse certificate details +cert_details=$(${OPENSSL} x509 -in "${cert}" -noout -text -certopt no_header,no_sigdump) +version=$(echo "${cert_details}" | grep "Version:" | sed 's/^ +Version: ([0-9]+) (.+)$/\1/g') +serial_number=$(echo "${cert_details}" | grep -A1 "Serial Number:" | tr -d '\n' | sed 's/^ +Serial Number:(( (.*) ([0-9]+x[0-9]+).*)|( +(.*)$))/\3\5/g') +signature_algorithm=$(echo "${cert_details}" | grep "Signature Algorithm:" | sed 's/^ +Signature Algorithm: //g') +issuer=$(echo "${cert_details}" | grep "Issuer:" | sed 's/^ +Issuer: //g' | sed 's/"/\"/g') +not_before_value=$(echo "${cert_details}" | grep "Not Before:" | sed 's/^ +Not Before: //g') +not_before_timestamp=$(${DATE} -d "${not_before_value}" +%s) +not_after_value=$(echo "${cert_details}" | grep "Not After :" | sed 's/^ +Not After : //g') +not_after_timestamp=$(${DATE} -d "${not_after_value}" +%s) +subject=$(echo "${cert_details}" | grep "Subject:" | sed 's/^ +Subject: //g' | sed 's/"/\"/g') +public_key_algorithm=$(echo "${cert_details}" | grep "Public Key Algorithm:" | sed 's/^ +Public Key Algorithm: //g')

+# Verify certificate +cert_verify=$(${OPENSSL} verify -CAfile "${cafile}" "${cert}" 2>&1) +if [[ $? != 0 ]]; then

result_value="invalid"

result_message="failed to verify certificate: x509: $(echo "${cert_verify}" | grep -E "error [0-9]+" | sed 's/^.+: (.+)/\1/g')"

+else

result_value="valid"

result_message="certificate verified successfully"

+fi

+# Generate fingerprints +sha1_fingerprint=$(${OPENSSL} x509 -in "${cert}" -noout -fingerprint -sha1 | cut -d= -f2) +sha256_fingerprint=$(${OPENSSL} x509 -in "${cert}" -noout -fingerprint -sha256 | cut -d= -f2)

+# Print certificate details in JSON +echo -n "{"x509":{" +echo -n ""version":"${version}"," +echo -n ""serial_number":"${serial_number}"," +echo -n ""signature_algorithm":"${signature_algorithm}"," +echo -n ""issuer":"${issuer}"," +echo -n ""not_before":{" +echo -n ""value":"${not_before_value}"," +echo -n ""timestamp":"${not_before_timestamp}"}," +echo -n ""not_after":{" +echo -n ""value":"${not_after_value}"," +echo -n ""timestamp":"${not_after_timestamp}"}," +echo -n ""subject":"${subject}"," +echo -n ""public_key_algorithm":"${public_key_algorithm}"}," +echo -n ""result":{" +echo -n ""value":"${result_value}"," +echo -n ""message":"${result_message}"}," +echo -n ""sha1_fingerprint":"${sha1_fingerprint}"," +echo -n ""sha256_fingerprint":"${sha256_fingerprint}"" +echo -n "}"

+exit 0 \ No newline at end of file

Robin Roevens

6:58 p.m.

New subject: [PATCH 3/3] zabbix_agentd: Add OpenVPN certificates items

- Adds Zabbix Agent userparameters `ipfire.ovpn.clientcert` and `ipfire.ovpn.cacert` for the agent to get details about openvpn client, server and ca certificates. - Moves all `ipfire.ovpn.*` userparameters to a separate config file `userparameter_ovpn.conf` to enable users to selectively disable openvpn items when not needed - Includes `ipfire_certificate_detail.sh` script in sudoers for Zabbix Agent as it needs root permission to read openvpn certificate details. - Adapts lfs install script to install new script and configfile - Adds new script and configfile to rootfiles --- config/rootfiles/packages/zabbix_agentd | 3 +++ config/zabbix_agentd/sudoers | 1 + config/zabbix_agentd/userparameter_ipfire.conf | 8 +------- config/zabbix_agentd/userparameter_ovpn.conf | 13 +++++++++++++ lfs/zabbix_agentd | 7 +++++++ 5 files changed, 25 insertions(+), 7 deletions(-) create mode 100644 config/zabbix_agentd/userparameter_ovpn.conf

diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index 729a47ac6..8e10cb4c8 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -20,3 +20,6 @@ var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf var/ipfire/zabbix_agentd/userparameters var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf +var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf +var/ipfire/zabbix_agentd/scripts +var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers index d93ec5d55..138c75635 100644 --- a/config/zabbix_agentd/sudoers +++ b/config/zabbix_agentd/sudoers @@ -9,3 +9,4 @@ # Defaults:zabbix !requiretty zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/sbin/fping, /usr/local/bin/getipstat, /bin/cat /var/run/ovpnserver.log +zabbix ALL=(ALL) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh diff --git a/config/zabbix_agentd/userparameter_ipfire.conf b/config/zabbix_agentd/userparameter_ipfire.conf index ba0c6c2ca..d2d0c8307 100644 --- a/config/zabbix_agentd/userparameter_ipfire.conf +++ b/config/zabbix_agentd/userparameter_ipfire.conf @@ -9,10 +9,4 @@ UserParameter=ipfire.net.fw.hits.raw,sudo /usr/local/bin/getipstat -xf | grep "/ # Number of currently Active DHCP leases UserParameter=ipfire.dhcpd.clients,grep -s -E 'lease|bind' /var/state/dhcp/dhcpd.leases | sed ':a;/{$/{N;s/\n//;ba}' | grep "state active" | wc -l # Number of Captive Portal clients -UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients -# Discovery of configured ovpn clients -UserParameter=ipfire.ovpn.clients.discovery,cat /var/ipfire/ovpn/ovpnconfig 2>/dev/null | awk -F',' 'BEGIN { ORS = ""; print "[" } { printf "%s{"{#NAME}":"%s","{#COMMONNAME}":"%s","{#STATE}":"%s","{#REMARK}":"%s","{#TYPE}":"%s"}", separator, $3, $4, $2, $27, $5; separator = ","; } END { print "]" }' -# Get OpenVPN status report -UserParameter=ipfire.ovpn.statusreport.get,sudo cat /var/run/ovpnserver.log 2>/dev/null | awk -F"," 'function unixtime(t) { gsub(/[-:]/," ",t); return mktime(t) } BEGIN { ORS = ""; print "{" } /^Updated,.+/ { printf ""timestamp":%s,"clients":[",unixtime($2) } /^.+,[0-9]+.[0-9]+.[0-9]+.[0-9]+:[0-9]+,[0-9]+,[0-9]+,.+/ { if ($1 != "Common Name") { printf "%s{"common_name":"%s","real_address":"%s","bytes_in":"%s","bytes_out":"%s","connected_since":"%s"}", separator, $1, $2, $3, $4, unixtime($5); separator = ","; } } /^ROUTING TABLE/ { print "],"routing_table":["; separator = "" } /^[0-9]+.[0-9]+.[0-9]+.[0-9]+,.+,[0-9]+.[0-9]+.[0-9]+.[0-9]+:[0-9]+,.+/ { if ($1 != "Virtual Address") { printf "%s{"common_name":"%s","virtual_address":"%s","real_address":"%s","last_ref":"%s"}", separator, $2, $1, $3, unixtime($4); separator = "," } } END { print "]}" }' -# Allow item key to be called with (unused) parameters. This allows the #SINGLETON method of discovering this item only when openvpn service is active -Alias=ipfire.ovpn.statusreport.get[]:ipfire.ovpn.statusreport.get \ No newline at end of file +UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients \ No newline at end of file diff --git a/config/zabbix_agentd/userparameter_ovpn.conf b/config/zabbix_agentd/userparameter_ovpn.conf new file mode 100644 index 000000000..a7a6d8535 --- /dev/null +++ b/config/zabbix_agentd/userparameter_ovpn.conf @@ -0,0 +1,13 @@ +# Parameters for monitoring IPFire OpenVPN specific metrics +# +# Discovery of configured ovpn clients +UserParameter=ipfire.ovpn.clients.discovery,cat /var/ipfire/ovpn/ovpnconfig 2>/dev/null | awk -F',' 'BEGIN { ORS = ""; print "[" } { printf "%s{"{#NAME}":"%s","{#COMMONNAME}":"%s","{#STATE}":"%s","{#REMARK}":"%s","{#TYPE}":"%s"}", separator, $3, $4, $2, $27, $5; separator = ","; } END { print "]" }' +# Get OpenVPN status report +UserParameter=ipfire.ovpn.statusreport.get,sudo cat /var/run/ovpnserver.log 2>/dev/null | awk -F"," 'function unixtime(t) { gsub(/[-:]/," ",t); return mktime(t) } BEGIN { ORS = ""; print "{" } /^Updated,.+/ { printf ""timestamp":%s,"clients":[",unixtime($2) } /^.+,[0-9]+.[0-9]+.[0-9]+.[0-9]+:[0-9]+,[0-9]+,[0-9]+,.+/ { if ($1 != "Common Name") { printf "%s{"common_name":"%s","real_address":"%s","bytes_in":"%s","bytes_out":"%s","connected_since":"%s"}", separator, $1, $2, $3, $4, unixtime($5); separator = ","; } } /^ROUTING TABLE/ { print "],"routing_table":["; separator = "" } /^[0-9]+.[0-9]+.[0-9]+.[0-9]+,.+,[0-9]+.[0-9]+.[0-9]+.[0-9]+:[0-9]+,.+/ { if ($1 != "Virtual Address") { printf "%s{"common_name":"%s","virtual_address":"%s","real_address":"%s","last_ref":"%s"}", separator, $2, $1, $3, unixtime($4); separator = "," } } END { print "]}" }' +# Get OpenVPN client certificate details +UserParameter=ipfire.ovpn.clientcert[*],sudo /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh /var/ipfire/ovpn/ca/cacert.pem /var/ipfire/ovpn/certs/$1cert.pem +UserParameter=ipfire.ovpn.cacert,sudo /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh /var/ipfire/ovpn/ca/cacert.pem /var/ipfire/ovpn/ca/cacert.pem + +# Allow item key to be called with (unused) parameters. This allows the #SINGLETON method of discovering this item only when openvpn service is active +Alias=ipfire.ovpn.statusreport.get[]:ipfire.ovpn.statusreport.get +Alias=ipfire.ovpn.cacert[]:ipfire.ovpn.cacert \ No newline at end of file diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index 65e111d2f..5f274c309 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -110,6 +110,13 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) /var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ipfire.conf \ /var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ovpn.conf \ + /var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf + + # Install IPFire-specific Zabbix Agent scripts + -mkdir -pv /var/ipfire/zabbix_agentd/scripts + install -v -m 755 $(DIR_SRC)/config/zabbix_agentd/ipfire_certificate_detail.sh \ + /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh

# Create directory for additional agent modules -mkdir -pv /usr/lib/zabbix

-- 2.43.0 -- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn.

Adolf Belka

7:48 p.m.

New subject: [PATCH 3/3] zabbix_agentd: Add OpenVPN certificates items

Reviewed-by: Adolf Belka adolf.belka@ipfire.org

On 28/02/2024 19:58, Robin Roevens wrote:

...

Adds Zabbix Agent userparameters `ipfire.ovpn.clientcert` and `ipfire.ovpn.cacert` for the agent to get details about openvpn client, server and ca certificates.

Moves all `ipfire.ovpn.*` userparameters to a separate config file `userparameter_ovpn.conf` to enable users to selectively disable openvpn items when not needed

Includes `ipfire_certificate_detail.sh` script in sudoers for Zabbix Agent as it needs root permission to read openvpn certificate details.

Adapts lfs install script to install new script and configfile

Adds new script and configfile to rootfiles

config/rootfiles/packages/zabbix_agentd | 3 +++ config/zabbix_agentd/sudoers | 1 + config/zabbix_agentd/userparameter_ipfire.conf | 8 +------- config/zabbix_agentd/userparameter_ovpn.conf | 13 +++++++++++++ lfs/zabbix_agentd | 7 +++++++ 5 files changed, 25 insertions(+), 7 deletions(-) create mode 100644 config/zabbix_agentd/userparameter_ovpn.conf

diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index 729a47ac6..8e10cb4c8 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -20,3 +20,6 @@ var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf var/ipfire/zabbix_agentd/userparameters var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf +var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf +var/ipfire/zabbix_agentd/scripts +var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers index d93ec5d55..138c75635 100644 --- a/config/zabbix_agentd/sudoers +++ b/config/zabbix_agentd/sudoers @@ -9,3 +9,4 @@ # Defaults:zabbix !requiretty zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/sbin/fping, /usr/local/bin/getipstat, /bin/cat /var/run/ovpnserver.log +zabbix ALL=(ALL) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh diff --git a/config/zabbix_agentd/userparameter_ipfire.conf b/config/zabbix_agentd/userparameter_ipfire.conf index ba0c6c2ca..d2d0c8307 100644 --- a/config/zabbix_agentd/userparameter_ipfire.conf +++ b/config/zabbix_agentd/userparameter_ipfire.conf @@ -9,10 +9,4 @@ UserParameter=ipfire.net.fw.hits.raw,sudo /usr/local/bin/getipstat -xf | grep "/ # Number of currently Active DHCP leases UserParameter=ipfire.dhcpd.clients,grep -s -E 'lease|bind' /var/state/dhcp/dhcpd.leases | sed ':a;/{$/{N;s/\n//;ba}' | grep "state active" | wc -l # Number of Captive Portal clients -UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients -# Discovery of configured ovpn clients -UserParameter=ipfire.ovpn.clients.discovery,cat /var/ipfire/ovpn/ovpnconfig 2>/dev/null | awk -F',' 'BEGIN { ORS = ""; print "[" } { printf "%s{"{#NAME}":"%s","{#COMMONNAME}":"%s","{#STATE}":"%s","{#REMARK}":"%s","{#TYPE}":"%s"}", separator, $3, $4, $2, $27, $5; separator = ","; } END { print "]" }' -# Get OpenVPN status report -UserParameter=ipfire.ovpn.statusreport.get,sudo cat /var/run/ovpnserver.log 2>/dev/null | awk -F"," 'function unixtime(t) { gsub(/[-:]/," ",t); return mktime(t) } BEGIN { ORS = ""; print "{" } /^Updated,.+/ { printf ""timestamp":%s,"clients":[",unixtime($2) } /^.+,[0-9]+.[0-9]+.[0-9]+.[0-9]+:[0-9]+,[0-9]+,[0-9]+,.+/ { if ($1 != "Common Name") { printf "%s{"common_name":"%s","real_address":"%s","bytes_in":"%s","bytes_out":"%s","connected_since":"%s"}", separator, $1, $2, $3, $4, unixtime($5); separator = ","; } } /^ROUTING TABLE/ { print "],"routing_table":["; separator = "" } /^[0-9]+.[0-9]+.[0-9]+.[0-9]+,.+,[0-9]+.[0-9]+.[0-9]+.[0-9]+:[0-9]+,.+/ { if ($1 != "Virtual Address") { printf "%s{"common_name":"%s","virtual_address":"%s","real_address":"%s","last_ref":"%s"}", separator, $2, $1, $3, unixtime($4); separator = "," } } END { print "]}" }' -# Allow item key to be called with (unused) parameters. This allows the #SINGLETON method of discovering this item only when openvpn service is active -Alias=ipfire.ovpn.statusreport.get[]:ipfire.ovpn.statusreport.get \ No newline at end of file +UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients \ No newline at end of file diff --git a/config/zabbix_agentd/userparameter_ovpn.conf b/config/zabbix_agentd/userparameter_ovpn.conf new file mode 100644 index 000000000..a7a6d8535 --- /dev/null +++ b/config/zabbix_agentd/userparameter_ovpn.conf @@ -0,0 +1,13 @@ +# Parameters for monitoring IPFire OpenVPN specific metrics +# +# Discovery of configured ovpn clients +UserParameter=ipfire.ovpn.clients.discovery,cat /var/ipfire/ovpn/ovpnconfig 2>/dev/null | awk -F',' 'BEGIN { ORS = ""; print "[" } { printf "%s{"{#NAME}":"%s","{#COMMONNAME}":"%s","{#STATE}":"%s","{#REMARK}":"%s","{#TYPE}":"%s"}", separator, $3, $4, $2, $27, $5; separator = ","; } END { print "]" }' +# Get OpenVPN status report +UserParameter=ipfire.ovpn.statusreport.get,sudo cat /var/run/ovpnserver.log 2>/dev/null | awk -F"," 'function unixtime(t) { gsub(/[-:]/," ",t); return mktime(t) } BEGIN { ORS = ""; print "{" } /^Updated,.+/ { printf ""timestamp":%s,"clients":[",unixtime($2) } /^.+,[0-9]+.[0-9]+.[0-9]+.[0-9]+:[0-9]+,[0-9]+,[0-9]+,.+/ { if ($1 != "Common Name") { printf "%s{"common_name":"%s","real_address":"%s","bytes_in":"%s","bytes_out":"%s","connected_since":"%s"}", separator, $1, $2, $3, $4, unixtime($5); separator = ","; } } /^ROUTING TABLE/ { print "],"routing_table":["; separator = "" } /^[0-9]+.[0-9]+.[0-9]+.[0-9]+,.+,[0-9]+.[0-9]+.[0-9]+.[0-9]+:[0-9]+,.+/ { if ($1 != "Virtual Address") { printf "%s{"common_name":"%s","virtual_address":"%s","real_address":"%s","last_ref":"%s"}", separator, $2, $1, $3, unixtime($4); separator = "," } } END { print "]}" }' +# Get OpenVPN client certificate details +UserParameter=ipfire.ovpn.clientcert[*],sudo /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh /var/ipfire/ovpn/ca/cacert.pem /var/ipfire/ovpn/certs/$1cert.pem +UserParameter=ipfire.ovpn.cacert,sudo /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh /var/ipfire/ovpn/ca/cacert.pem /var/ipfire/ovpn/ca/cacert.pem

+# Allow item key to be called with (unused) parameters. This allows the #SINGLETON method of discovering this item only when openvpn service is active +Alias=ipfire.ovpn.statusreport.get[]:ipfire.ovpn.statusreport.get +Alias=ipfire.ovpn.cacert[]:ipfire.ovpn.cacert \ No newline at end of file diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index 65e111d2f..5f274c309 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -110,6 +110,13 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) /var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ipfire.conf \ /var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf
install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ovpn.conf \
/var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf
# Install IPFire-specific Zabbix Agent scripts

-mkdir -pv /var/ipfire/zabbix_agentd/scripts

install -v -m 755 $(DIR_SRC)/config/zabbix_agentd/ipfire_certificate_detail.sh \
/var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh
# Create directory for additional agent modules -mkdir -pv /usr/lib/zabbix

268

Age (days ago)

268

Last active (days ago)

development@lists.ipfire.org

6 comments

2 participants

tags (0)

participants (2)

Adolf Belka
Robin Roevens