Spearhead
/
check_mk-check-selinux
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

updated for 2.2+

This commit is contained in:
Marius Pana 2024-01-12 15:32:52 +02:00
parent f012c67877
commit da01bd0474
7 changed files with 150 additions and 74 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
agents/plugins/selinux
View File

@ -1,13 +1,20 @@
#!/bin/bash
#
# Check SELinux status
# SELinux has three modes:
# - permissive
# - enforcing
# - disabled
# -*- encoding: utf-8; py-indent-offset: 4 -*-
# 2024 Marius Pana <mp@spearhead.systems>
# we are not looking at SELINUXPOLICY - although it may be of interest
# in the future
# Reason for this no-op: shellcheck disable=... before the first command disables the error for the
# entire script.
:
# SELinux status: enabled
# SELinuxfs mount: /sys/fs/selinux
# SELinux root directory: /etc/selinux
# Loaded policy name: targeted
# Current mode: permissive
# Mode from config file: permissive
# Policy MLS status: enabled
# Policy deny_unknown status: allowed
# Max kernel policy version: 31
if command sestatus > /dev/null ; then
# Selinux status

42
checks/selinux
View File

@ -1,42 +0,0 @@
#!/usr/bin/env python
#
# Author: Marius Pana <mp@spearhead.systems>
factory_settings["selinux_default_levels"] = {
"modedisabled" : 2,
"curmodepermissive" : 1,
"filemodepermissive" : 2,
}
def inventory_selinux(info):
inventory = []
for line in info:
yield None, {}
def check_selinux(item, params, info):
for line in info:
state = 0
if line[0] == 'disabled':
state = params["modedisabled"]
return (state, "SELinux is disabled")
elif line[1] == "enforcing" and line[2] == "enforcing":
return(state, "SELinux is enabled and enforcing.")
elif line[1] == "enforcing" and line[2] == "permissive":
return(state, "SELinux is enforcing but config file is in permissive mode.")
elif line[1] == "permissive" and line[2] == "enforcing":
state = params["curmodepermissive"]
return (state, "SELinux is in permissive mode but config file is enforcing.")
elif line[2] == "permissive":
state = params["filemodepermissive"]
return (state, "SELinux is in permissive mode.")
else:
return(3, "SELinux not found in agent output")
check_info["selinux"] = {
"inventory_function" : inventory_selinux,
"check_function" : check_selinux,
"has_perfdata" : False,
"service_description" : "SELinux state",
"default_levels_variable" : "selinux_default_levels",
'group': 'selinux',
}

22
info
View File

@ -1,18 +1,14 @@
{'author': 'Marius Pana',
'description': 'Check SELinux status',
'download_url': 'https://code.spearhead.cloud/Spearhead/check_mk-check-selinux',
'files': {'agents': ['plugins/selinux'],
'bin': [],
'checkman': ['selinux'],
'checks': ['selinux'],
'doc': [],
'inventory': [],
'lib': [],
'notifications': [],
'pnp-templates': [],
'web': ['plugins/wato/selinux_check_parameters.py']},
'files': {'agent_based': ['selinux.py'],
'agents': ['plugins/selinux'],
'lib': ['python3/cmk/base/cee/plugins/bakery/selinux_bakery.py'],
'web': ['plugins/wato/selinux_parameters.py',
'plugins/wato/selinuxbakery_bakery.py']},
'name': 'selinux',
'title': 'Check SELinux',
'version': '1.0',
'version.min_required': '1.2.8p27',
'version.packaged': '1.2.8p27'}
'version': '1.1.0',
'version.min_required': '2.2.0p0',
'version.packaged': '2.2.0p8',
'version.usable_until': None}

30
lib/python3/cmk/base/cee/plugins/bakery/selinux_bakery.py Normal file
View File

@ -0,0 +1,30 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# 2024 Marius Pana <mp@spearhead.systems>
from pathlib import Path
from typing import Any
from .bakery_api.v1 import (
OS,
DebStep,
RpmStep,
SolStep,
Plugin,
PluginConfig,
SystemBinary,
WindowsConfigEntry,
register,
FileGenerator,
ScriptletGenerator,
WindowsConfigGenerator,
quote_shell_string,
)
def get_selinux_files(conf: Any) -> FileGenerator:
yield Plugin(base_os=OS.LINUX, source=Path("selinux"))
register.bakery_plugin(
name="selinux",
files_function=get_selinux_files,
)

35
lib/python3/cmk/base/plugins/agent_based/selinux.py Normal file
View File

@ -0,0 +1,35 @@
#!/usr/bin/env python
# -*- encoding: utf-8; py-indent-offset: 4 -*-
# 2024 Marius Pana <mp@spearhead.systems>
from .agent_based_api.v1 import *
def discover_selinux(section):
#for line in info:
# yield None, {}
#print(Service)
yield Service()
def check_selinux(params, section):
for line in section:
if line[0] == 'disabled':
yield Result(state=State(params["modedisabled"]), summary="SELinux is disabled")
elif line[1] == "enforcing" and line[2] == "enforcing":
yield Result(state=State.OK, summary="SELinux is enabled and enforcing")
elif line[1] == "enforcing" and line[2] == "permissive":
yield Result(state=State.WARN, summary="SELinux is enforcing but config file is in permissive mode.")
elif line[1] == "permissive" and line[2] == "enforcing":
yield Result(state=State(params["curmodepermissive"]), summary="SELinux is in permissive mode but config file is enforcing.")
elif line[2] == "permissive":
yield Result(state=State(params["curmodepermissive"]), summary="SELinux is in permissive mode.")
else:
yield Result(state=State.WARN, summary="SELinux not found in agent output")
register.check_plugin(
name="selinux",
service_name="SELinux state",
discovery_function=discover_selinux,
check_function=check_selinux,
check_ruleset_name="selinux",
check_default_parameters = {"modedisabled": 2, "curmodepermissive" : 1, "filemodepermissive" : 2}
)

41
web/plugins/wato/selinux_check_parameters.py
View File

@ -1,12 +1,24 @@
#!/usr/bin/python
# -*- encoding: utf-8; py-indent-offset: 4 -*-
# 2018 Marius Pana <mp@spearhead.systems>
# 2024 Marius Pana <mp@spearhead.systems>
register_check_parameters(
subgroup_os,
"selinux",
_("SELinux"),
Dictionary(
from cmk.gui.i18n import _
from cmk.gui.valuespec import (
Dictionary,
# Integer,
# TextInput,
)
from cmk.gui.plugins.wato.utils import (
CheckParameterRulespecWithoutItem,
rulespec_registry,
RulespecGroupCheckParametersOperatingSystem,
)
#def _item_valuespec_selinux():
# return TextInput(title="SELinux state", help="SELinux state configuration")
def _parameter_valuespec_selinux():
return Dictionary(
elements = [
( "modedisabled",
MonitoringState(
@ -23,8 +35,15 @@ register_check_parameters(
title = _("State when SELinux file mode is permissive"),
default_value = 2,
)),
]
),
None,
match_type = "dict",
)
],
)
rulespec_registry.register(
CheckParameterRulespecWithoutItem(
check_group_name="selinux",
group=RulespecGroupCheckParametersOperatingSystem,
match_type="dict",
#item_spec=_item_valuespec_selinux,
parameter_valuespec=_parameter_valuespec_selinux,
title=lambda: _("SELinux states"),
))

31
web/plugins/wato/selinuxbakery_bakery.py Normal file
View File

@ -0,0 +1,31 @@
#!/usr/bin/env python3
# -*- encoding: utf-8; py-indent-offset: 4 -*-
# 2024 Marius Pana <mp@spearhead.systems>
from cmk.gui.i18n import _
from cmk.gui.plugins.wato import (
HostRulespec,
rulespec_registry,
)
from cmk.gui.cee.plugins.wato.agent_bakery.rulespecs.utils import RulespecGroupMonitoringAgentsAgentPlugins
from cmk.gui.valuespec import (
DropdownChoice
)
def _valuespec_agent_config_selinux():
return DropdownChoice(
title=_("Deploy SELinux (Linux)"),
help=_("Hosts configured via this rule get the <tt>selinux</tt> plugin " "deployed."),
choices=[
(True, _("Deploy selinux plugin")),
(None, _("Do not deploy selinux plugin")),
],
)
rulespec_registry.register(
HostRulespec(
group=RulespecGroupMonitoringAgentsAgentPlugins,
name="agent_config:selinux",
valuespec=_valuespec_agent_config_selinux,
))