[3/3] zabbix_agentd: Add OpenVPN certificates items

Message ID 20240228191952.28258-4-robin.roevens@disroot.org
State Staged
Commit bff53f09ffb26cee1e410a2ee812efe4b83538d3
Series [1/3] zabbix_agentd: Update to 6.0.27 (LTS) |

Commit Message

Robin Roevens Feb. 28, 2024, 6:58 p.m. UTC
  - Adds Zabbix Agent userparameters `ipfire.ovpn.clientcert` and `ipfire.ovpn.cacert` for the agent to get details about openvpn client, server and ca certificates.
- Moves all `ipfire.ovpn.*` userparameters to a separate config file `userparameter_ovpn.conf` to enable users to selectively disable openvpn items when not needed
- Includes `ipfire_certificate_detail.sh` script in sudoers for Zabbix Agent as it needs root permission to read openvpn certificate details.
- Adapts lfs install script to install new script and configfile
- Adds new script and configfile to rootfiles
---
 config/rootfiles/packages/zabbix_agentd        |  3 +++
 config/zabbix_agentd/sudoers                   |  1 +
 config/zabbix_agentd/userparameter_ipfire.conf |  8 +-------
 config/zabbix_agentd/userparameter_ovpn.conf   | 13 +++++++++++++
 lfs/zabbix_agentd                              |  7 +++++++
 5 files changed, 25 insertions(+), 7 deletions(-)
 create mode 100644 config/zabbix_agentd/userparameter_ovpn.conf
  

Comments

Adolf Belka Feb. 28, 2024, 7:48 p.m. UTC | #1
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>

On 28/02/2024 19:58, Robin Roevens wrote:
> - Adds Zabbix Agent userparameters `ipfire.ovpn.clientcert` and `ipfire.ovpn.cacert` for the agent to get details about openvpn client, server and ca certificates.
> - Moves all `ipfire.ovpn.*` userparameters to a separate config file `userparameter_ovpn.conf` to enable users to selectively disable openvpn items when not needed
> - Includes `ipfire_certificate_detail.sh` script in sudoers for Zabbix Agent as it needs root permission to read openvpn certificate details.
> - Adapts lfs install script to install new script and configfile
> - Adds new script and configfile to rootfiles
> ---
>   config/rootfiles/packages/zabbix_agentd        |  3 +++
>   config/zabbix_agentd/sudoers                   |  1 +
>   config/zabbix_agentd/userparameter_ipfire.conf |  8 +-------
>   config/zabbix_agentd/userparameter_ovpn.conf   | 13 +++++++++++++
>   lfs/zabbix_agentd                              |  7 +++++++
>   5 files changed, 25 insertions(+), 7 deletions(-)
>   create mode 100644 config/zabbix_agentd/userparameter_ovpn.conf
>
> diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd
> index 729a47ac6..8e10cb4c8 100644
> --- a/config/rootfiles/packages/zabbix_agentd
> +++ b/config/rootfiles/packages/zabbix_agentd
> @@ -20,3 +20,6 @@ var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf
>   var/ipfire/zabbix_agentd/userparameters
>   var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf
>   var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf
> +var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf
> +var/ipfire/zabbix_agentd/scripts
> +var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh
> diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers
> index d93ec5d55..138c75635 100644
> --- a/config/zabbix_agentd/sudoers
> +++ b/config/zabbix_agentd/sudoers
> @@ -9,3 +9,4 @@
>   #
>   Defaults:zabbix !requiretty
>   zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/sbin/fping, /usr/local/bin/getipstat, /bin/cat /var/run/ovpnserver.log
> +zabbix ALL=(ALL) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh
> diff --git a/config/zabbix_agentd/userparameter_ipfire.conf b/config/zabbix_agentd/userparameter_ipfire.conf
> index ba0c6c2ca..d2d0c8307 100644
> --- a/config/zabbix_agentd/userparameter_ipfire.conf
> +++ b/config/zabbix_agentd/userparameter_ipfire.conf
> @@ -9,10 +9,4 @@ UserParameter=ipfire.net.fw.hits.raw,sudo /usr/local/bin/getipstat -xf | grep "/
>   # Number of currently Active DHCP leases
>   UserParameter=ipfire.dhcpd.clients,grep -s -E 'lease|bind' /var/state/dhcp/dhcpd.leases | sed ':a;/{$/{N;s/\n//;ba}' | grep "state active" | wc -l
>   # Number of Captive Portal clients
> -UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients
> -# Discovery of configured ovpn clients
> -UserParameter=ipfire.ovpn.clients.discovery,cat /var/ipfire/ovpn/ovpnconfig 2>/dev/null | awk -F',' 'BEGIN { ORS = ""; print "[" } { printf "%s{\"{#NAME}\":\"%s\",\"{#COMMONNAME}\":\"%s\",\"{#STATE}\":\"%s\",\"{#REMARK}\":\"%s\",\"{#TYPE}\":\"%s\"}", separator, $3, $4, $2, $27, $5; separator = ","; } END { print "]" }'
> -# Get OpenVPN status report
> -UserParameter=ipfire.ovpn.statusreport.get,sudo cat /var/run/ovpnserver.log 2>/dev/null | awk -F"," 'function unixtime(t) { gsub(/[-:]/," ",t); return mktime(t) } BEGIN { ORS = ""; print "{" } /^Updated,.+/ { printf "\"timestamp\":%s,\"clients\":[",unixtime($2) } /^.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,[0-9]+,[0-9]+,.+/ { if ($1 != "Common Name") { printf "%s{\"common_name\":\"%s\",\"real_address\":\"%s\",\"bytes_in\":\"%s\",\"bytes_out\":\"%s\",\"connected_since\":\"%s\"}", separator, $1, $2, $3, $4, unixtime($5); separator = ","; } } /^ROUTING TABLE/ { print "],\"routing_table\":["; separator = "" } /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,.+/ { if ($1 != "Virtual Address") { printf "%s{\"common_name\":\"%s\",\"virtual_address\":\"%s\",\"real_address\":\"%s\",\"last_ref\":\"%s\"}", separator, $2, $1, $3, unixtime($4); separator = "," } } END { print "]}" }'
> -# Allow item key to be called with (unused) parameters. This allows the #SINGLETON method of discovering this item only when openvpn service is active
> -Alias=ipfire.ovpn.statusreport.get[]:ipfire.ovpn.statusreport.get
> \ No newline at end of file
> +UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients
> \ No newline at end of file
> diff --git a/config/zabbix_agentd/userparameter_ovpn.conf b/config/zabbix_agentd/userparameter_ovpn.conf
> new file mode 100644
> index 000000000..a7a6d8535
> --- /dev/null
> +++ b/config/zabbix_agentd/userparameter_ovpn.conf
> @@ -0,0 +1,13 @@
> +# Parameters for monitoring IPFire OpenVPN specific metrics
> +#
> +# Discovery of configured ovpn clients
> +UserParameter=ipfire.ovpn.clients.discovery,cat /var/ipfire/ovpn/ovpnconfig 2>/dev/null | awk -F',' 'BEGIN { ORS = ""; print "[" } { printf "%s{\"{#NAME}\":\"%s\",\"{#COMMONNAME}\":\"%s\",\"{#STATE}\":\"%s\",\"{#REMARK}\":\"%s\",\"{#TYPE}\":\"%s\"}", separator, $3, $4, $2, $27, $5; separator = ","; } END { print "]" }'
> +# Get OpenVPN status report
> +UserParameter=ipfire.ovpn.statusreport.get,sudo cat /var/run/ovpnserver.log 2>/dev/null | awk -F"," 'function unixtime(t) { gsub(/[-:]/," ",t); return mktime(t) } BEGIN { ORS = ""; print "{" } /^Updated,.+/ { printf "\"timestamp\":%s,\"clients\":[",unixtime($2) } /^.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,[0-9]+,[0-9]+,.+/ { if ($1 != "Common Name") { printf "%s{\"common_name\":\"%s\",\"real_address\":\"%s\",\"bytes_in\":\"%s\",\"bytes_out\":\"%s\",\"connected_since\":\"%s\"}", separator, $1, $2, $3, $4, unixtime($5); separator = ","; } } /^ROUTING TABLE/ { print "],\"routing_table\":["; separator = "" } /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,.+/ { if ($1 != "Virtual Address") { printf "%s{\"common_name\":\"%s\",\"virtual_address\":\"%s\",\"real_address\":\"%s\",\"last_ref\":\"%s\"}", separator, $2, $1, $3, unixtime($4); separator = "," } } END { print "]}" }'
> +# Get OpenVPN client certificate details
> +UserParameter=ipfire.ovpn.clientcert[*],sudo /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh /var/ipfire/ovpn/ca/cacert.pem /var/ipfire/ovpn/certs/$1cert.pem
> +UserParameter=ipfire.ovpn.cacert,sudo /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh /var/ipfire/ovpn/ca/cacert.pem /var/ipfire/ovpn/ca/cacert.pem
> +
> +# Allow item key to be called with (unused) parameters. This allows the #SINGLETON method of discovering this item only when openvpn service is active
> +Alias=ipfire.ovpn.statusreport.get[]:ipfire.ovpn.statusreport.get
> +Alias=ipfire.ovpn.cacert[]:ipfire.ovpn.cacert
> \ No newline at end of file
> diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
> index 65e111d2f..5f274c309 100644
> --- a/lfs/zabbix_agentd
> +++ b/lfs/zabbix_agentd
> @@ -110,6 +110,13 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>   		/var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf
>   	install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ipfire.conf \
>   		/var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf
> +	install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ovpn.conf \
> +		/var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf
> +
> +	# Install IPFire-specific Zabbix Agent scripts
> +	-mkdir -pv /var/ipfire/zabbix_agentd/scripts
> +	install -v -m 755 $(DIR_SRC)/config/zabbix_agentd/ipfire_certificate_detail.sh \
> +		/var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh
>   
>   	# Create directory for additional agent modules
>   	-mkdir -pv /usr/lib/zabbix
  

Patch

diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd
index 729a47ac6..8e10cb4c8 100644
--- a/config/rootfiles/packages/zabbix_agentd
+++ b/config/rootfiles/packages/zabbix_agentd
@@ -20,3 +20,6 @@  var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf
 var/ipfire/zabbix_agentd/userparameters
 var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf
 var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf
+var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf
+var/ipfire/zabbix_agentd/scripts
+var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh
diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers
index d93ec5d55..138c75635 100644
--- a/config/zabbix_agentd/sudoers
+++ b/config/zabbix_agentd/sudoers
@@ -9,3 +9,4 @@ 
 #
 Defaults:zabbix !requiretty
 zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/sbin/fping, /usr/local/bin/getipstat, /bin/cat /var/run/ovpnserver.log
+zabbix ALL=(ALL) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh
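Review bot: The new rule lets the `zabbix` user run `ipfire_certificate_detail.sh` as root with any arguments, and in `userparameter_ovpn.conf` the `ipfire.ovpn.clientcert[*]` item interpolates the caller-supplied `$1` straight into the second argument (`/var/ipfire/ovpn/certs/$1cert.pem`), so the only place a path check can happen is inside the script. The agent's default parameter filter (`UnsafeUserParameters=0`) rejects shell metacharacters but not `/` or `.`, so the script should refuse a name containing a path separator or `..` and only read files that resolve under `/var/ipfire/ovpn/certs/` or `/var/ipfire/ovpn/ca/`. The script itself is not part of this patch (presumably an earlier patch in the series adds it), so I cannot confirm it does this; a comment above the rule such as `# Run as root with item-supplied arguments; the script must validate its own paths` would record the contract for the next reviewer. The existing entries on the line above pin arguments where they are fixed (`/bin/cat /var/run/ovpnserver.log`), which this rule cannot because the certificate name varies.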
diff --git a/config/zabbix_agentd/userparameter_ipfire.conf b/config/zabbix_agentd/userparameter_ipfire.conf
index ba0c6c2ca..d2d0c8307 100644
--- a/config/zabbix_agentd/userparameter_ipfire.conf
+++ b/config/zabbix_agentd/userparameter_ipfire.conf
@@ -9,10 +9,4 @@  UserParameter=ipfire.net.fw.hits.raw,sudo /usr/local/bin/getipstat -xf | grep "/
 # Number of currently Active DHCP leases
 UserParameter=ipfire.dhcpd.clients,grep -s -E 'lease|bind' /var/state/dhcp/dhcpd.leases | sed ':a;/{$/{N;s/\n//;ba}' | grep "state active" | wc -l
 # Number of Captive Portal clients
-UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients
-# Discovery of configured ovpn clients
-UserParameter=ipfire.ovpn.clients.discovery,cat /var/ipfire/ovpn/ovpnconfig 2>/dev/null | awk -F',' 'BEGIN { ORS = ""; print "[" } { printf "%s{\"{#NAME}\":\"%s\",\"{#COMMONNAME}\":\"%s\",\"{#STATE}\":\"%s\",\"{#REMARK}\":\"%s\",\"{#TYPE}\":\"%s\"}", separator, $3, $4, $2, $27, $5; separator = ","; } END { print "]" }'
-# Get OpenVPN status report
-UserParameter=ipfire.ovpn.statusreport.get,sudo cat /var/run/ovpnserver.log 2>/dev/null | awk -F"," 'function unixtime(t) { gsub(/[-:]/," ",t); return mktime(t) } BEGIN { ORS = ""; print "{" } /^Updated,.+/ { printf "\"timestamp\":%s,\"clients\":[",unixtime($2) } /^.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,[0-9]+,[0-9]+,.+/ { if ($1 != "Common Name") { printf "%s{\"common_name\":\"%s\",\"real_address\":\"%s\",\"bytes_in\":\"%s\",\"bytes_out\":\"%s\",\"connected_since\":\"%s\"}", separator, $1, $2, $3, $4, unixtime($5); separator = ","; } } /^ROUTING TABLE/ { print "],\"routing_table\":["; separator = "" } /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,.+/ { if ($1 != "Virtual Address") { printf "%s{\"common_name\":\"%s\",\"virtual_address\":\"%s\",\"real_address\":\"%s\",\"last_ref\":\"%s\"}", separator, $2, $1, $3, unixtime($4); separator = "," } } END { print "]}" }'
-# Allow item key to be called with (unused) parameters. This allows the #SINGLETON method of discovering this item only when openvpn service is active
-Alias=ipfire.ovpn.statusreport.get[]:ipfire.ovpn.statusreport.get
\ No newline at end of file
+UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients
\ No newline at end of file
diff --git a/config/zabbix_agentd/userparameter_ovpn.conf b/config/zabbix_agentd/userparameter_ovpn.conf
new file mode 100644
index 000000000..a7a6d8535
--- /dev/null
+++ b/config/zabbix_agentd/userparameter_ovpn.conf
@@ -0,0 +1,13 @@ 
+# Parameters for monitoring IPFire OpenVPN specific metrics
+#
+# Discovery of configured ovpn clients
+UserParameter=ipfire.ovpn.clients.discovery,cat /var/ipfire/ovpn/ovpnconfig 2>/dev/null | awk -F',' 'BEGIN { ORS = ""; print "[" } { printf "%s{\"{#NAME}\":\"%s\",\"{#COMMONNAME}\":\"%s\",\"{#STATE}\":\"%s\",\"{#REMARK}\":\"%s\",\"{#TYPE}\":\"%s\"}", separator, $3, $4, $2, $27, $5; separator = ","; } END { print "]" }'
+# Get OpenVPN status report
+UserParameter=ipfire.ovpn.statusreport.get,sudo cat /var/run/ovpnserver.log 2>/dev/null | awk -F"," 'function unixtime(t) { gsub(/[-:]/," ",t); return mktime(t) } BEGIN { ORS = ""; print "{" } /^Updated,.+/ { printf "\"timestamp\":%s,\"clients\":[",unixtime($2) } /^.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,[0-9]+,[0-9]+,.+/ { if ($1 != "Common Name") { printf "%s{\"common_name\":\"%s\",\"real_address\":\"%s\",\"bytes_in\":\"%s\",\"bytes_out\":\"%s\",\"connected_since\":\"%s\"}", separator, $1, $2, $3, $4, unixtime($5); separator = ","; } } /^ROUTING TABLE/ { print "],\"routing_table\":["; separator = "" } /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,.+/ { if ($1 != "Virtual Address") { printf "%s{\"common_name\":\"%s\",\"virtual_address\":\"%s\",\"real_address\":\"%s\",\"last_ref\":\"%s\"}", separator, $2, $1, $3, unixtime($4); separator = "," } } END { print "]}" }'
+# Get OpenVPN client certificate details
+UserParameter=ipfire.ovpn.clientcert[*],sudo /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh /var/ipfire/ovpn/ca/cacert.pem /var/ipfire/ovpn/certs/$1cert.pem
+UserParameter=ipfire.ovpn.cacert,sudo /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh /var/ipfire/ovpn/ca/cacert.pem /var/ipfire/ovpn/ca/cacert.pem
+
+# Allow item key to be called with (unused) parameters. This allows the #SINGLETON method of discovering this item only when openvpn service is active
+Alias=ipfire.ovpn.statusreport.get[]:ipfire.ovpn.statusreport.get
+Alias=ipfire.ovpn.cacert[]:ipfire.ovpn.cacert
\ No newline at end of file
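Review bot: The comment above the `Alias=` lines still speaks of "this item" and the #SINGLETON rationale for the status report, but two aliases now follow it and `ipfire.ovpn.cacert[]` is a different item whose reason for accepting an empty parameter list is not stated. Suggest splitting it, e.g. `# Allow keys to be called with (unused) parameters: needed for #SINGLETON discovery of the status report` above the first alias and a separate one-line reason above `Alias=ipfire.ovpn.cacert[]:ipfire.ovpn.cacert`. The `ipfire.ovpn.cacert` item also passes `cacert.pem` as both the CA and the certificate argument; a short comment stating the intent (presumably the script verifies the second file against the first, so the CA is checked against itself — confirm against the script) would save the next reader a trip to the script. The file is created without a trailing newline (`\ No newline at end of file`).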
diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd
index 65e111d2f..5f274c309 100644
--- a/lfs/zabbix_agentd
+++ b/lfs/zabbix_agentd
@@ -110,6 +110,13 @@  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		/var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf
 	install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ipfire.conf \
 		/var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf
+	install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ovpn.conf \
+		/var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf
+
+	# Install IPFire-specific Zabbix Agent scripts
+	-mkdir -pv /var/ipfire/zabbix_agentd/scripts
+	install -v -m 755 $(DIR_SRC)/config/zabbix_agentd/ipfire_certificate_detail.sh \
+		/var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh
 
 	# Create directory for additional agent modules
 	-mkdir -pv /usr/lib/zabbix
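Review bot: The script installed at the end of the added lines is executed as root through sudo by the `zabbix` user, so neither `/var/ipfire/zabbix_agentd/scripts` nor the file may be writable by that user; `install -v -m 755` pins the file mode and (in the build environment) root ownership, but `-mkdir -pv` creates the directory with umask-derived permissions and the `-` prefix masks a failure that the following `install` would then report less clearly. Creating it with `install -v -d -m 755 /var/ipfire/zabbix_agentd/scripts` pins the mode and drops the ignored-error prefix; the existing `-mkdir -pv /usr/lib/zabbix` just below uses the older idiom, so match whichever the file settles on. If any later step chowns `/var/ipfire/zabbix_agentd` to the zabbix user (not visible in this hunk), the `scripts` subtree must be excluded from it. The source file `config/zabbix_agentd/ipfire_certificate_detail.sh` is not in this patch's diffstat, so presumably another patch in the series adds it; the `$(TARGET)` recipe begins before this hunk.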