updated for 2.2+
parent
f012c67877
commit
da01bd0474
@ -1,13 +1,20 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
#
|
# -*- encoding: utf-8; py-indent-offset: 4 -*-
|
||||||
# Check SELinux status
|
# 2024 Marius Pana <mp@spearhead.systems>
|
||||||
# SELinux has three modes:
|
|
||||||
# - permissive
|
|
||||||
# - enforcing
|
|
||||||
# - disabled
|
|
||||||
|
|
||||||
# we are not looking at SELINUXPOLICY - although it may be of interest
|
# Reason for this no-op: shellcheck disable=... before the first command disables the error for the
|
||||||
# in the future
|
# entire script.
|
||||||
|
:
|
||||||
|
|
||||||
|
# SELinux status: enabled
|
||||||
|
# SELinuxfs mount: /sys/fs/selinux
|
||||||
|
# SELinux root directory: /etc/selinux
|
||||||
|
# Loaded policy name: targeted
|
||||||
|
# Current mode: permissive
|
||||||
|
# Mode from config file: permissive
|
||||||
|
# Policy MLS status: enabled
|
||||||
|
# Policy deny_unknown status: allowed
|
||||||
|
# Max kernel policy version: 31
|
||||||
|
|
||||||
if command sestatus > /dev/null ; then
|
if command sestatus > /dev/null ; then
|
||||||
# Selinux status
|
# Selinux status
|
||||||
|
@ -1,42 +0,0 @@
|
|||||||
#!/usr/bin/env python
|
|
||||||
#
|
|
||||||
# Author: Marius Pana <mp@spearhead.systems>
|
|
||||||
|
|
||||||
factory_settings["selinux_default_levels"] = {
|
|
||||||
"modedisabled" : 2,
|
|
||||||
"curmodepermissive" : 1,
|
|
||||||
"filemodepermissive" : 2,
|
|
||||||
}
|
|
||||||
|
|
||||||
def inventory_selinux(info):
|
|
||||||
inventory = []
|
|
||||||
for line in info:
|
|
||||||
yield None, {}
|
|
||||||
|
|
||||||
def check_selinux(item, params, info):
|
|
||||||
for line in info:
|
|
||||||
state = 0
|
|
||||||
if line[0] == 'disabled':
|
|
||||||
state = params["modedisabled"]
|
|
||||||
return (state, "SELinux is disabled")
|
|
||||||
elif line[1] == "enforcing" and line[2] == "enforcing":
|
|
||||||
return(state, "SELinux is enabled and enforcing.")
|
|
||||||
elif line[1] == "enforcing" and line[2] == "permissive":
|
|
||||||
return(state, "SELinux is enforcing but config file is in permissive mode.")
|
|
||||||
elif line[1] == "permissive" and line[2] == "enforcing":
|
|
||||||
state = params["curmodepermissive"]
|
|
||||||
return (state, "SELinux is in permissive mode but config file is enforcing.")
|
|
||||||
elif line[2] == "permissive":
|
|
||||||
state = params["filemodepermissive"]
|
|
||||||
return (state, "SELinux is in permissive mode.")
|
|
||||||
else:
|
|
||||||
return(3, "SELinux not found in agent output")
|
|
||||||
|
|
||||||
check_info["selinux"] = {
|
|
||||||
"inventory_function" : inventory_selinux,
|
|
||||||
"check_function" : check_selinux,
|
|
||||||
"has_perfdata" : False,
|
|
||||||
"service_description" : "SELinux state",
|
|
||||||
"default_levels_variable" : "selinux_default_levels",
|
|
||||||
'group': 'selinux',
|
|
||||||
}
|
|
22
info
22
info
@ -1,18 +1,14 @@
|
|||||||
{'author': 'Marius Pana',
|
{'author': 'Marius Pana',
|
||||||
'description': 'Check SELinux status',
|
'description': 'Check SELinux status',
|
||||||
'download_url': 'https://code.spearhead.cloud/Spearhead/check_mk-check-selinux',
|
'download_url': 'https://code.spearhead.cloud/Spearhead/check_mk-check-selinux',
|
||||||
'files': {'agents': ['plugins/selinux'],
|
'files': {'agent_based': ['selinux.py'],
|
||||||
'bin': [],
|
'agents': ['plugins/selinux'],
|
||||||
'checkman': ['selinux'],
|
'lib': ['python3/cmk/base/cee/plugins/bakery/selinux_bakery.py'],
|
||||||
'checks': ['selinux'],
|
'web': ['plugins/wato/selinux_parameters.py',
|
||||||
'doc': [],
|
'plugins/wato/selinuxbakery_bakery.py']},
|
||||||
'inventory': [],
|
|
||||||
'lib': [],
|
|
||||||
'notifications': [],
|
|
||||||
'pnp-templates': [],
|
|
||||||
'web': ['plugins/wato/selinux_check_parameters.py']},
|
|
||||||
'name': 'selinux',
|
'name': 'selinux',
|
||||||
'title': 'Check SELinux',
|
'title': 'Check SELinux',
|
||||||
'version': '1.0',
|
'version': '1.1.0',
|
||||||
'version.min_required': '1.2.8p27',
|
'version.min_required': '2.2.0p0',
|
||||||
'version.packaged': '1.2.8p27'}
|
'version.packaged': '2.2.0p8',
|
||||||
|
'version.usable_until': None}
|
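--- a/lib/python3/cmk/base/cee/plugins/bakery/selinux_bakery.py
+++ b/lib/python3/cmk/base/cee/plugins/bakery/selinux_bakery.py
@@ -0,0 +1,30 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# 2024 Marius Pana <mp@spearhead.systems>
+
+from pathlib import Path
+from typing import Any
+
+from .bakery_api.v1 import (
+OS,
+DebStep,
+RpmStep,
+SolStep,
+Plugin,
+PluginConfig,
+SystemBinary,
+WindowsConfigEntry,
+register,
+FileGenerator,
+ScriptletGenerator,
+WindowsConfigGenerator,
+quote_shell_string,
+)
+
+def get_selinux_files(conf: Any) -> FileGenerator:
+yield Plugin(base_os=OS.LINUX, source=Path("selinux"))
+
+register.bakery_plugin(
+name="selinux",
+files_function=get_selinux_files,
+)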
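Review bot: `get_selinux_files` never reads `conf`, so it yields the `selinux` plugin for whatever value the rule carries, including the `None` that the new rule in web/plugins/wato/selinuxbakery_bakery.py labels "Do not deploy selinux plugin". Whether the bakery skips the call for a `None` value is not visible on this page, so a guard at the top of the function, `if not conf: return`, would make the opt-out hold regardless of framework behaviour. Most names imported from `.bakery_api.v1` (`DebStep`, `RpmStep`, `SolStep`, `PluginConfig`, `SystemBinary`, `WindowsConfigEntry`, `ScriptletGenerator`, `WindowsConfigGenerator`, `quote_shell_string`) are unused in this file and can be dropped.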
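--- a/lib/python3/cmk/base/plugins/agent_based/selinux.py
+++ b/lib/python3/cmk/base/plugins/agent_based/selinux.py
@@ -0,0 +1,35 @@
+#!/usr/bin/env python
+# -*- encoding: utf-8; py-indent-offset: 4 -*-
+# 2024 Marius Pana <mp@spearhead.systems>
+
+from .agent_based_api.v1 import *
+
+def discover_selinux(section):
+#for line in info:
+# yield None, {}
+#print(Service)
+yield Service()
+
+def check_selinux(params, section):
+for line in section:
+if line[0] == 'disabled':
+yield Result(state=State(params["modedisabled"]), summary="SELinux is disabled")
+elif line[1] == "enforcing" and line[2] == "enforcing":
+yield Result(state=State.OK, summary="SELinux is enabled and enforcing")
+elif line[1] == "enforcing" and line[2] == "permissive":
+yield Result(state=State.WARN, summary="SELinux is enforcing but config file is in permissive mode.")
+elif line[1] == "permissive" and line[2] == "enforcing":
+yield Result(state=State(params["curmodepermissive"]), summary="SELinux is in permissive mode but config file is enforcing.")
+elif line[2] == "permissive":
+yield Result(state=State(params["curmodepermissive"]), summary="SELinux is in permissive mode.")
+else:
+yield Result(state=State.WARN, summary="SELinux not found in agent output")
+
+register.check_plugin(
+name="selinux",
+service_name="SELinux state",
+discovery_function=discover_selinux,
+check_function=check_selinux,
+check_ruleset_name="selinux",
+check_default_parameters = {"modedisabled": 2, "curmodepermissive" : 1, "filemodepermissive" : 2}
+)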
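Review bot: The last permissive branch of `check_selinux` (`elif line[2] == "permissive":`) reads `params["curmodepermissive"]`, whereas the removed legacy check used `params["filemodepermissive"]` at the same place. With the defaults in `check_default_parameters` this lowers a host whose configured mode is permissive from state 2 to state 1, and `filemodepermissive` is never read even though it is still a default and the ruleset still appears to offer a "file mode is permissive" state. If the downgrade is not intended, the line should be `yield Result(state=State(params["filemodepermissive"]), summary="SELinux is in permissive mode.")`. The loop also indexes `line[1]` and `line[2]` without a length check, and an empty section yields no result at all, so the "SELinux not found in agent output" branch is not reached when the agent sends nothing; a guard before the loop would cover both cases.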
@ -1,12 +1,24 @@
|
|||||||
#!/usr/bin/python
|
#!/usr/bin/python
|
||||||
# -*- encoding: utf-8; py-indent-offset: 4 -*-
|
# -*- encoding: utf-8; py-indent-offset: 4 -*-
|
||||||
# 2018 Marius Pana <mp@spearhead.systems>
|
# 2024 Marius Pana <mp@spearhead.systems>
|
||||||
|
|
||||||
register_check_parameters(
|
from cmk.gui.i18n import _
|
||||||
subgroup_os,
|
from cmk.gui.valuespec import (
|
||||||
"selinux",
|
Dictionary,
|
||||||
_("SELinux"),
|
# Integer,
|
||||||
Dictionary(
|
# TextInput,
|
||||||
|
)
|
||||||
|
from cmk.gui.plugins.wato.utils import (
|
||||||
|
CheckParameterRulespecWithoutItem,
|
||||||
|
rulespec_registry,
|
||||||
|
RulespecGroupCheckParametersOperatingSystem,
|
||||||
|
)
|
||||||
|
|
||||||
|
#def _item_valuespec_selinux():
|
||||||
|
# return TextInput(title="SELinux state", help="SELinux state configuration")
|
||||||
|
|
||||||
|
def _parameter_valuespec_selinux():
|
||||||
|
return Dictionary(
|
||||||
elements = [
|
elements = [
|
||||||
( "modedisabled",
|
( "modedisabled",
|
||||||
MonitoringState(
|
MonitoringState(
|
||||||
@ -23,8 +35,15 @@ register_check_parameters(
|
|||||||
title = _("State when SELinux file mode is permissive"),
|
title = _("State when SELinux file mode is permissive"),
|
||||||
default_value = 2,
|
default_value = 2,
|
||||||
)),
|
)),
|
||||||
]
|
],
|
||||||
),
|
|
||||||
None,
|
|
||||||
match_type = "dict",
|
|
||||||
)
|
)
|
||||||
|
|
||||||
|
rulespec_registry.register(
|
||||||
|
CheckParameterRulespecWithoutItem(
|
||||||
|
check_group_name="selinux",
|
||||||
|
group=RulespecGroupCheckParametersOperatingSystem,
|
||||||
|
match_type="dict",
|
||||||
|
#item_spec=_item_valuespec_selinux,
|
||||||
|
parameter_valuespec=_parameter_valuespec_selinux,
|
||||||
|
title=lambda: _("SELinux states"),
|
||||||
|
))
|
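Review bot: `MonitoringState` is used in the `elements` list of `_parameter_valuespec_selinux`, but the new `from cmk.gui.valuespec import (...)` block brings in only `Dictionary` (`Integer` and `TextInput` are commented out). Unless the name is imported in the lines between the two hunks, which are not shown, building the valuespec would raise `NameError` and the SELinux severity rule could not be edited. Adding `MonitoringState,` to that import list fixes it. The commented-out `_item_valuespec_selinux` and `#item_spec=` lines can go, since the rulespec is registered as `CheckParameterRulespecWithoutItem`.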
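--- a/web/plugins/wato/selinuxbakery_bakery.py
+++ b/web/plugins/wato/selinuxbakery_bakery.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+# -*- encoding: utf-8; py-indent-offset: 4 -*-
+# 2024 Marius Pana <mp@spearhead.systems>
+
+from cmk.gui.i18n import _
+from cmk.gui.plugins.wato import (
+HostRulespec,
+rulespec_registry,
+)
+from cmk.gui.cee.plugins.wato.agent_bakery.rulespecs.utils import RulespecGroupMonitoringAgentsAgentPlugins
+from cmk.gui.valuespec import (
+DropdownChoice
+)
+
+
+def _valuespec_agent_config_selinux():
+return DropdownChoice(
+title=_("Deploy SELinux (Linux)"),
+help=_("Hosts configured via this rule get the <tt>selinux</tt> plugin " "deployed."),
+choices=[
+(True, _("Deploy selinux plugin")),
+(None, _("Do not deploy selinux plugin")),
+],
+)
+
+rulespec_registry.register(
+HostRulespec(
+group=RulespecGroupMonitoringAgentsAgentPlugins,
+name="agent_config:selinux",
+valuespec=_valuespec_agent_config_selinux,
+))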