Module: check_mk
Branch: master
Commit: 04a3dd971218faaa0c8a6a03c1a34ddfffc79a8a
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=04a3dd971218fa…
Author: Mathias Kettner <mk(a)mathias-kettner.de>
Date: Mon Dec 6 11:52:03 2010 +0100
new check check_mk.only_from: check IP access configuration
---
ChangeLog | 4 +-
agents/check_mk_agent.linux | 10 ++++
agents/windows/check_mk_agent.cc | 17 +++++++
agents/windows/check_mk_agent.exe | Bin 94720 -> 95232 bytes
checkman/check_mk.only_from | 35 ++++++++++++++
checks/check_mk | 95 +++++++++++++++++++++++++++++++++++++
multisite.mk | 11 ++--
7 files changed, 166 insertions(+), 6 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f59d391..3f4bee3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -92,7 +92,9 @@
* printer_supply: In case of OKI c5900 devices the name of the supply units ins not
unique. The color of the supply unit is reported in a dedicated OID and added to
the
check item name to have a unique name now.
- * prnter_supply: Added simple pnp template to have better graph formating for the
check results
+ * printer_supply: Added simple pnp template to have better graph formating for the
check results
+ * check_mk.only_from: new check for monitoring the IP address access restriction of
the
+ agent. The current Linux and Windows agents provide this information.
Multisite:
* The custom open/close states of custom links are now stored for each
diff --git a/agents/check_mk_agent.linux b/agents/check_mk_agent.linux
index ebcf520..1837e7d 100755
--- a/agents/check_mk_agent.linux
+++ b/agents/check_mk_agent.linux
@@ -55,6 +55,16 @@ fi
echo '<<<check_mk>>>'
echo Version: 1.1.9i1
echo AgentOS: linux
+echo PluginsDirectory: $PLUGINSDIR
+echo LocalDirectory: $LOCALDIR
+echo AgentDirectory: $MK_CONFDIR
+
+# If we are called via xinetd, try to find only_from configuration
+if [ -n "$REMOTE_HOST" ]
+then
+ echo -n 'OnlyFrom: '
+ sed -n
'/^service[[:space:]]*check_mk/,/}/s/^[[:space:]]*only_from[[:space:]]*=[[:space:]]*\(.*\)/\1/p'
/etc/xinetd.d/* | head -n1
+fi
# Partitionen (-P verhindert Zeilenumbruch bei langen Mountpunkten)
# Achtung: NFS-Mounts werden grundsaetzlich ausgeblendet, um
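Review bot: When the `sed … | head -n1` pipeline finds no `only_from` line it prints nothing, and because the label was written with `echo -n 'OnlyFrom: '` the line is never terminated, so the next section header lands on it (`OnlyFrom: <<<df>>>`) and both the `check_mk` and the following section parse wrong. Capturing the value first keeps the line whole regardless of the result: `echo "OnlyFrom: $(sed -n '/^service[[:space:]]*check_mk/,/}/s/^[[:space:]]*only_from[[:space:]]*=[[:space:]]*\(.*\)/\1/p' /etc/xinetd.d/* | head -n1)"`. That form also avoids `echo -n`, which is not portable across `/bin/sh` implementations. Note the pattern only inspects `/etc/xinetd.d/*`, so an `only_from` set in a `defaults` block of `/etc/xinetd.conf` would presumably go unreported and the server-side check would see an empty list; a comment stating that limitation next to the `sed` would help the reader.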
diff --git a/agents/windows/check_mk_agent.cc b/agents/windows/check_mk_agent.cc
index a4f6ff3..143f962 100755
--- a/agents/windows/check_mk_agent.cc
+++ b/agents/windows/check_mk_agent.cc
@@ -94,6 +94,7 @@ char g_config_file[256];
struct ipspec {
uint32_t address;
uint32_t netmask;
+ int bits;
};
#define MAX_ONLY_FROM 32
@@ -1050,6 +1051,21 @@ void section_check_mk(SOCKET &out)
output(out, "AgentDirectory: %s\n", g_agent_directory);
output(out, "PluginsDirectory: %s\n", g_plugins_dir);
output(out, "LocalDirectory: %s\n", g_local_dir);
+ output(out, "OnlyFrom:");
+ if (g_num_only_from == 0)
+ output(out, " 0.0.0.0/0\n");
+ else {
+ for (unsigned i=0; i < g_num_only_from; i++) {
+ ipspec *is = &g_only_from[i];
+ output(out, " %d.%d.%d.%d/%d",
+ is->address & 0xff,
+ is->address >> 8 & 0xff,
+ is->address >> 16 & 0xff,
+ is->address >> 24 & 0xff,
+ is->bits);
+ }
+ output(out, "\n");
+ }
}
void output_data(SOCKET &out)
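Review bot: The four octet arguments of `output(out, " %d.%d.%d.%d/%d", …)` are `uint32_t` expressions (`is->address & 0xff` and the shifted variants), so `%d` is a signed/unsigned format mismatch; `%u` fits the octets, while `%d` is right for `is->bits` since the new field is declared `int`. The low-byte-first order assumes `address` is stored in network byte order on a little-endian host; if that is what `add_only_from` produces, a comment such as `// address is in network byte order: print low byte first` would make the intent explicit, because a reversed address here makes the server-side comparison silently fail. `section_check_mk` begins outside the hunk.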
@@ -1460,6 +1476,7 @@ void add_only_from(char *value)
t[0] = s[3];
g_only_from[g_num_only_from].address = ip;
g_only_from[g_num_only_from].netmask = mask;
+ g_only_from[g_num_only_from].bits = bits;
if ((ip & mask) != ip) {
fprintf(stderr, "Invalid only_hosts entry: host part not 0: %s/%u",
diff --git a/agents/windows/check_mk_agent.exe b/agents/windows/check_mk_agent.exe
index 4f02124..be9b18a 100755
Binary files a/agents/windows/check_mk_agent.exe and b/agents/windows/check_mk_agent.exe
differ
diff --git a/checkman/check_mk.only_from b/checkman/check_mk.only_from
new file mode 100644
index 0000000..f7bad0c
--- /dev/null
+++ b/checkman/check_mk.only_from
@@ -0,0 +1,35 @@
+title: Check IP restriction of Check_MK agent
+agents: linux, windows
+author: Mathias Kettner <mk(a)mathias-kettner.de>
+license: GPL
+distribution: check_mk
+description:
+ This checks makes sure that the Check_MK agent on the target system
+ has configured certain IP address based access restrictions. The check
+ needs the agent to be configured with those restrictions. The windows
+ agent is configured via an {.ini}-file. The Linux agent is configured
+ via {/etc/xinetd.d/check_mk}.
+
+examples:
+ # Expect agent to accecpt only localhost and one specific network
+ check_mk_only_from_default = [ "192.168.56.0/30", "127.0.0.1" ]
+
+ # Hosts with the tag 'dmz' should have an different configuration
+ check_parameters += [
+ ( [ "10.0.0.0/8" ], [ "dmz" ], ALL_HOSTS, [ "Check_MK Agent
Access" ] ),
+ ]
+
+inventory:
+ One check is created per host, if {check_mk_only_from_default} is explicitely
+ set in {main.mk} and the agent provides an {OnlyFrom:} header in the section
+ {<<<check_mk>>>}.
+
+[parameters]
+target_networks (list(string)): A python list of the allowed networks and IP addresses
the
+ agent should be configured for. The order of the entries is not relevant. To host
addresses
+ a {/32} will be appended automatically.
+
+[configuration]
+check_mk_only_from_default (list(string)): Default IP access configuration expected from
agents.
+ This variable must be set in order for the inventory to create checks, even if you
configure more
+ more specific parameters via {check_parameters}.
diff --git a/checks/check_mk b/checks/check_mk
new file mode 100644
index 0000000..86dd884
--- /dev/null
+++ b/checks/check_mk
@@ -0,0 +1,95 @@
+#!/usr/bin/python
+# -*- encoding: utf-8; py-indent-offset: 4 -*-
+# +------------------------------------------------------------------+
+# | ____ _ _ __ __ _ __ |
+# | / ___| |__ ___ ___| | __ | \/ | |/ / |
+# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
+# | | |___| | | | __/ (__| < | | | | . \ |
+# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
+# | |
+# | Copyright Mathias Kettner 2010 mk(a)mathias-kettner.de |
+# +------------------------------------------------------------------+
+#
+# This file is part of Check_MK.
+# The official homepage is at
http://mathias-kettner.de/check_mk.
+#
+# check_mk is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation in version 2. check_mk is distributed
+# in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
+# out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU General Public License for more de-
+# ails. You should have received a copy of the GNU General Public
+# License along with GNU Make; see the file COPYING. If not, write
+# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+# Boston, MA 02110-1301 USA.
+# Target
+
+
+# Target value for agent's IP access configuration. Only if this
+# is not None, the inventory will create services
+check_mk_only_from_default = None
+
+def inventory_only_from(checkname, info):
+ if check_mk_only_from_default != None:
+ for line in info:
+ if line[0] == "OnlyFrom:":
+ return [(None, 'check_mk_only_from_default')]
+
+def check_mk_factorize_curly(n):
+ # factorize 10.0.0.{1,2,3}
+ if '{' in n:
+ result = []
+ iprange = n[n.find('{') + 1:n.find('}')].split(',')
+ prefix = n[:n.find('{')]
+ for suffix in iprange:
+ result.append(prefix + suffix)
+ return result
+ else:
+ return [n]
+
+def check_mk_normalize_network(n):
+ if '/' in n:
+ return n
+ else:
+ return n + "/32"
+
+
+def check_only_from(item, param, info):
+ if param == None:
+ return (1, "WARN - IP access restriction not monitored for this host")
+ for line in info:
+ if line[0] == "OnlyFrom:":
+ an = []
+ for n in line[1:]:
+ an += check_mk_factorize_curly(n)
+
+ allowed_nets = map(check_mk_normalize_network, an)
+ should_nets = map(check_mk_normalize_network, param)
+
+ too_much = []
+ too_few = []
+
+ for net in allowed_nets:
+ if net not in should_nets:
+ too_much.append(net)
+ for net in should_nets:
+ if net not in allowed_nets:
+ too_few.append(net)
+ status = 0
+ infotexts = []
+ if len(too_much) > 0:
+ status = 1
+ infotexts.append("agent allows extra: %s" % ("
".join(too_much)))
+ if len(too_few) > 0:
+ status = 1
+ infotexts.append("agent blocks: %s" % ("
".join(too_few)))
+ if status == 1:
+ return (1, "WARN - invalid access configuration: %s" % (",
".join(infotexts)))
+ else:
+ return (0, "OK - allowed IP ranges: %s" % ("
".join(allowed_nets)))
+ return (3, "UNKNOWN - Agent does not send OnlyFrom: header")
+
+
+check_info['check_mk.only_from'] = (check_only_from, "Check_MK Agent
Access", 0, inventory_only_from)
+
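Review bot: `check_mk_factorize_curly` silently discards any text after the closing brace: the prefix is `n[:n.find('{')]`, the suffixes come from inside the braces, and nothing after `}` is ever re-attached, so an entry like `10.0.{1,2}.0/24` would be reported as `10.0.1` and `10.0.2` and then get `/32` appended, producing a bogus `agent allows extra`/`agent blocks` pair. For xinetd's documented `a.b.c.{d,e,f}` form nothing follows the brace, but the truncation costs one line to fix and makes the helper correct for any input: add `rest = n[n.find('}') + 1:]` beside the `prefix` assignment and use `result.append(prefix + suffix + rest)` in the loop. Only one brace group is expanded; if several are expected, apply the expansion to each produced entry in turn. Whether an agent that allows extra networks should be CRIT rather than the WARN both branches set is a policy choice worth recording in a comment above the first `status = 1`. Minor style: `param == None` and `check_mk_only_from_default != None` are better written as `param is None` and `check_mk_only_from_default is not None`.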
diff --git a/multisite.mk b/multisite.mk
index 38780ba..52d4733 100644
--- a/multisite.mk
+++ b/multisite.mk
@@ -18,11 +18,12 @@ admin_users = [ "nagiosadmin" ]
# Sites to connect to. If this variable is unset, a single
# connection to the local host is done.
-#sites = {
-# # connect to local Nagios
-# "local" : {
-# "alias" : "Munich"
-# },
+sites = {
+ # connect to local Nagios
+ "wato" : {
+ "alias" : "Munich"
+ },
+}
#
# # connect to remote site (e.g. local OMD site 'paris')
# "paris": {