mirror of
https://github.com/bashclub/check-opnsense.git
synced 2024-12-25 16:20:12 +01:00
24f551b52e
Typo "protocoll" instead of "protocol" caused agent to not work if the OpenVPN Server didn't have a description
2588 lines
115 KiB
Python
2588 lines
115 KiB
Python
#!/usr/bin/env python3
|
|
# -*- coding: utf-8 -*-
|
|
# vim: set fileencoding=utf-8:noet
|
|
|
|
## Copyright 2024 Bashclub https://github.com/bashclub
|
|
## BSD-2-Clause
|
|
##
|
|
## Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
|
|
##
|
|
## 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
|
|
##
|
|
## 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
|
|
##
|
|
## THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
|
|
## THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS
|
|
## BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
|
|
## GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
## OPNsense CheckMK Agent
|
|
## to install
|
|
## copy to /usr/local/etc/rc.syshook.d/start/99-checkmk_agent and chmod +x
|
|
##
|
|
## default config file /usr/local/etc/checkmk.conf
|
|
##
|
|
## for server-side implementation of
|
|
## * smartdisk - install the mkp from https://github.com/bashclub/checkmk-smart plugins os-smart
|
|
## * squid - install the mkp from https://exchange.checkmk.com/p/squid and forwarder -> listen on loopback active
|
|
## task types2
|
|
## speedtest|proxy|ssh|nmap|domain|blocklist
|
|
##
|
|
|
|
|
|
__VERSION__ = "1.2.8"
|
|
|
|
import sys
|
|
import os
|
|
import shlex
|
|
import glob
|
|
import re
|
|
import time
|
|
import json
|
|
import socket
|
|
import signal
|
|
import struct
|
|
import subprocess
|
|
import pwd
|
|
import threading
|
|
import ipaddress
|
|
import base64
|
|
import traceback
|
|
import syslog
|
|
import requests
|
|
import hashlib
|
|
from urllib3.connection import HTTPConnection
|
|
from urllib3.connectionpool import HTTPConnectionPool
|
|
from requests.adapters import HTTPAdapter
|
|
from cryptography import x509
|
|
from cryptography.hazmat.backends import default_backend as crypto_default_backend
|
|
from cryptography.hazmat.primitives import hashes
|
|
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
|
|
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
|
|
from datetime import datetime
|
|
from xml.etree import cElementTree as ELementTree
|
|
from collections import Counter,defaultdict
|
|
from pprint import pprint
|
|
from socketserver import TCPServer,StreamRequestHandler
|
|
|
|
import unbound
|
|
unbound.RR_TYPE_TLSA = 52
|
|
unbound.RR_TYPE_SPF = unbound.RR_TYPE_TXT
|
|
from OpenSSL import SSL,crypto
|
|
from binascii import b2a_hex
|
|
from datetime import datetime
|
|
|
|
SCRIPTPATH = os.path.abspath(__file__)
|
|
SYSHOOK_METHOD = re.findall("rc\.syshook\.d\/(start|stop)/",SCRIPTPATH)
|
|
BASEDIR = "/usr/local/check_mk_agent"
|
|
VARDIR = "/var/lib/check_mk_agent"
|
|
CHECKMK_CONFIG = "/usr/local/etc/checkmk.conf"
|
|
MK_CONFDIR = os.path.dirname(CHECKMK_CONFIG)
|
|
LOCALDIR = os.path.join(BASEDIR,"local")
|
|
PLUGINSDIR = os.path.join(BASEDIR,"plugins")
|
|
SPOOLDIR = os.path.join(VARDIR,"spool")
|
|
TASKDIR = os.path.join(BASEDIR,"tasks")
|
|
TASKFILE_KEYS = "service|type|interval|interface|disabled|ipaddress|hostname|domain|port|piggyback|sshoptions|options|tenant"
|
|
TASKFILE_REGEX = re.compile(f"^({TASKFILE_KEYS}):\s*(.*?)(?:\s+#|$)",re.M)
|
|
MAX_SIMULATAN_THREADS = 4
|
|
|
|
for _dir in (BASEDIR, VARDIR, LOCALDIR, PLUGINSDIR, SPOOLDIR, TASKDIR):
|
|
if not os.path.exists(_dir):
|
|
try:
|
|
os.mkdir(_dir)
|
|
except:
|
|
pass
|
|
|
|
os.environ["MK_CONFDIR"] = MK_CONFDIR
|
|
os.environ["MK_LIBDIR"] = BASEDIR
|
|
os.environ["MK_VARDIR"] = BASEDIR
|
|
|
|
class object_dict(defaultdict):
|
|
def __getattr__(self,name):
|
|
return self[name] if name in self else ""
|
|
|
|
def etree_to_dict(t):
|
|
d = {t.tag: {} if t.attrib else None}
|
|
children = list(t)
|
|
if children:
|
|
dd = object_dict(list)
|
|
for dc in map(etree_to_dict, children):
|
|
for k, v in dc.items():
|
|
dd[k].append(v)
|
|
d = {t.tag: {k:v[0] if len(v) == 1 else v for k, v in dd.items()}}
|
|
if t.attrib:
|
|
d[t.tag].update(('@' + k, v) for k, v in t.attrib.items())
|
|
if t.text:
|
|
text = t.text.strip()
|
|
if children or t.attrib:
|
|
if text:
|
|
d[t.tag]['#text'] = text
|
|
else:
|
|
d[t.tag] = text
|
|
return d
|
|
|
|
def log(message,prio="notice"):
|
|
priority = {
|
|
"crit" :syslog.LOG_CRIT,
|
|
"err" :syslog.LOG_ERR,
|
|
"warning" :syslog.LOG_WARNING,
|
|
"notice" :syslog.LOG_NOTICE,
|
|
"info" :syslog.LOG_INFO,
|
|
}.get(str(prio).lower(),syslog.LOG_DEBUG)
|
|
syslog.openlog(ident="checkmk_agent",logoption=syslog.LOG_PID | syslog.LOG_NDELAY,facility=syslog.LOG_DAEMON)
|
|
syslog.syslog(priority,message)
|
|
|
|
def pad_pkcs7(message,size=16):
|
|
_pad = size - (len(message) % size)
|
|
if type(message) == str:
|
|
return message + chr(_pad) * _pad
|
|
else:
|
|
return message + bytes([_pad]) * _pad
|
|
|
|
class NginxConnection(HTTPConnection):
|
|
def __init__(self):
|
|
super().__init__("localhost")
|
|
def connect(self):
|
|
self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
|
|
self.sock.connect("/var/run/nginx_status.sock")
|
|
|
|
class NginxConnectionPool(HTTPConnectionPool):
|
|
def __init__(self):
|
|
super().__init__("localhost")
|
|
def _new_conn(self):
|
|
return NginxConnection()
|
|
|
|
class NginxAdapter(HTTPAdapter):
|
|
## deprecated
|
|
def get_connection(self, url, proxies=None):
|
|
return NginxConnectionPool()
|
|
def get_connection_with_tls_context(self, request, verify, proxies=None, cert=None):
|
|
return NginxConnectionPool()
|
|
|
|
def check_pid(pid):
|
|
try:
|
|
os.kill(pid,0)
|
|
return True
|
|
except OSError: ## no permission check currently root
|
|
return False
|
|
|
|
class checkmk_handler(StreamRequestHandler):
|
|
def handle(self):
|
|
with self.server._mutex:
|
|
try:
|
|
_strmsg = self.server.do_checks(remote_ip=self.client_address[0])
|
|
except Exception as e:
|
|
raise
|
|
_strmsg = str(e).encode("utf-8")
|
|
try:
|
|
self.wfile.write(_strmsg)
|
|
except:
|
|
pass
|
|
|
|
class checkmk_checker(object):
|
|
_available_sysctl_list = []
|
|
_available_sysctl_temperature_list = []
|
|
_ipaccess_log = {}
|
|
_certificate_timestamp = 0
|
|
_check_cache = {}
|
|
_datastore_mutex = threading.RLock()
|
|
_datastore = object_dict()
|
|
|
|
def encrypt_msg(self,message,password='secretpassword'):
|
|
SALT_LENGTH = 8
|
|
KEY_LENGTH = 32
|
|
IV_LENGTH = 16
|
|
PBKDF2_CYCLES = 10_000
|
|
#SALT = b"Salted__"
|
|
SALT = os.urandom(SALT_LENGTH)
|
|
_backend = crypto_default_backend()
|
|
_kdf_key = PBKDF2HMAC(
|
|
algorithm = hashes.SHA256(),
|
|
length = KEY_LENGTH + IV_LENGTH,
|
|
salt = SALT,
|
|
iterations = PBKDF2_CYCLES,
|
|
backend = _backend
|
|
).derive(password.encode("utf-8"))
|
|
_key, _iv = _kdf_key[:KEY_LENGTH],_kdf_key[KEY_LENGTH:]
|
|
_encryptor = Cipher(
|
|
algorithms.AES(_key),
|
|
modes.CBC(_iv),
|
|
backend = _backend
|
|
).encryptor()
|
|
message = message.encode("utf-8")
|
|
message = pad_pkcs7(message)
|
|
_encrypted_message = _encryptor.update(message) + _encryptor.finalize()
|
|
return pad_pkcs7(b"03",10) + SALT + _encrypted_message
|
|
|
|
def decrypt_msg(self,message,password='secretpassword'):
|
|
SALT_LENGTH = 8
|
|
KEY_LENGTH = 32
|
|
IV_LENGTH = 16
|
|
PBKDF2_CYCLES = 10_000
|
|
message = message[10:] # strip header
|
|
SALT = message[:SALT_LENGTH]
|
|
message = message[SALT_LENGTH:]
|
|
_backend = crypto_default_backend()
|
|
_kdf_key = PBKDF2HMAC(
|
|
algorithm = hashes.SHA256(),
|
|
length = KEY_LENGTH + IV_LENGTH,
|
|
salt = SALT,
|
|
iterations = PBKDF2_CYCLES,
|
|
backend = _backend
|
|
).derive(password.encode("utf-8"))
|
|
_key, _iv = _kdf_key[:KEY_LENGTH],_kdf_key[KEY_LENGTH:]
|
|
_decryptor = Cipher(
|
|
algorithms.AES(_key),
|
|
modes.CBC(_iv),
|
|
backend = _backend
|
|
).decryptor()
|
|
_decrypted_message = _decryptor.update(message)
|
|
try:
|
|
return _decrypted_message.decode("utf-8").strip()
|
|
except UnicodeDecodeError:
|
|
return ("invalid key")
|
|
|
|
def _expired_lastaccesed(self,remote_ip):
|
|
_now = time.time()
|
|
_lastaccess = self._ipaccess_log.get(remote_ip,0)
|
|
_ret = True
|
|
if _lastaccess + self.expire_inventory > _now:
|
|
_ret = False
|
|
for _ip, _time in self._ipaccess_log.items():
|
|
if _time + self.expire_inventory < _now:
|
|
del self._ipaccess_log[_ip]
|
|
self._ipaccess_log[remote_ip] = _now
|
|
return _ret
|
|
|
|
def do_checks(self,debug=False,remote_ip=None,**kwargs):
|
|
self._getosinfo()
|
|
_errors = []
|
|
_failed_sections = []
|
|
_lines = ["<<<check_mk>>>"]
|
|
_lines.append("AgentOS: {os}".format(**self._info))
|
|
_lines.append(f"Version: {__VERSION__}")
|
|
_lines.append("Hostname: {hostname}".format(**self._info))
|
|
## only tenant data
|
|
if remote_ip in self.tenants.keys():
|
|
_secret = self.tenants.get(remote_ip,None)
|
|
_lines += self.taskrunner.get_data(tenant=remote_ip)[1:] ## remove number of tasks
|
|
_lines.append("")
|
|
if _secret:
|
|
return self.encrypt_msg("\n".join(_lines),password=_secret)
|
|
return "\n".join(_lines).encode("utf-8")
|
|
|
|
if self.onlyfrom:
|
|
_lines.append("OnlyFrom: {0}".format(",".join(self.onlyfrom)))
|
|
|
|
_lines.append(f"LocalDirectory: {LOCALDIR}")
|
|
_lines.append(f"PluginsDirectory: {PLUGINSDIR}")
|
|
_lines.append(f"AgentDirectory: {MK_CONFDIR}")
|
|
_lines.append(f"SpoolDirectory: {SPOOLDIR}")
|
|
|
|
for _check in dir(self):
|
|
if _check.startswith("check_"):
|
|
_name = _check.split("_",1)[1]
|
|
if _name in self.skipcheck:
|
|
continue
|
|
try:
|
|
_lines += getattr(self,_check)()
|
|
except:
|
|
_failed_sections.append(_name)
|
|
_errors.append(traceback.format_exc())
|
|
|
|
if os.path.isdir(PLUGINSDIR):
|
|
for _plugin_file in glob.glob(f"{PLUGINSDIR}/**",recursive=True):
|
|
if os.path.isfile(_plugin_file) and os.access(_plugin_file,os.X_OK):
|
|
try:
|
|
_cachetime = int(_plugin_file.split(os.path.sep)[-2])
|
|
except:
|
|
_cachetime = 0
|
|
try:
|
|
if _cachetime > 0:
|
|
_lines.append(self._run_cache_prog(_plugin_file,_cachetime))
|
|
else:
|
|
_lines.append(self._run_prog(_plugin_file))
|
|
except:
|
|
_errors.append(traceback.format_exc())
|
|
|
|
if self._expired_lastaccesed(remote_ip):
|
|
try:
|
|
_lines += self.do_inventory()
|
|
except:
|
|
_errors.append(traceback.format_exc())
|
|
|
|
|
|
_lines.append("<<<local:sep(0)>>>")
|
|
for _check in dir(self):
|
|
if _check.startswith("checklocal_"):
|
|
_name = _check.split("_",1)[1]
|
|
if _name in self.skipcheck:
|
|
continue
|
|
try:
|
|
_lines += getattr(self,_check)()
|
|
except:
|
|
_failed_sections.append(_name)
|
|
_errors.append(traceback.format_exc())
|
|
|
|
if os.path.isdir(LOCALDIR):
|
|
for _local_file in glob.glob(f"{LOCALDIR}/**",recursive=True):
|
|
if os.path.isfile(_local_file) and os.access(_local_file,os.X_OK):
|
|
try:
|
|
_cachetime = int(_local_file.split(os.path.sep)[-2])
|
|
except:
|
|
_cachetime = 0
|
|
try:
|
|
if _cachetime > 0:
|
|
_lines.append(self._run_cache_prog(_local_file,_cachetime))
|
|
else:
|
|
_lines.append(self._run_prog(_local_file))
|
|
except:
|
|
_errors.append(traceback.format_exc())
|
|
|
|
if os.path.isdir(SPOOLDIR):
|
|
_now = time.time()
|
|
for _filename in glob.glob(f"{SPOOLDIR}/*"):
|
|
_maxage = re.search("^(\d+)_",_filename)
|
|
|
|
if _maxage:
|
|
_maxage = int(_maxage.group(1))
|
|
_mtime = os.stat(_filename).st_mtime
|
|
if _now - _mtime > _maxage:
|
|
continue
|
|
with open(_filename) as _f:
|
|
_lines.append(_f.read())
|
|
|
|
_lines += self.taskrunner.get_data()
|
|
_lines.append("")
|
|
if debug:
|
|
sys.stdout.write("\n".join(_errors))
|
|
sys.stdout.flush()
|
|
if _failed_sections:
|
|
_lines.append("<<<check_mk>>>")
|
|
_lines.append("FailedPythonPlugins: {0}".format(",".join(_failed_sections)))
|
|
|
|
if self.encrypt and not debug:
|
|
return self.encrypt_msg("\n".join(_lines),password=self.encrypt)
|
|
return "\n".join(_lines).encode("utf-8")
|
|
|
|
def do_zabbix_output(self):
|
|
self._getosinfo()
|
|
_regex_convert = re.compile("^(?P<status>[0-3P])\s(?P<servicename>\".*?\"|\w+)\s(?P<metrics>[\w=.;|]+| -)\s(?P<details>.*)")
|
|
_json = []
|
|
for _check in dir(self):
|
|
if _check.startswith("checklocal_"):
|
|
_name = _check.split("_",1)[1]
|
|
if _name in self.skipcheck:
|
|
continue
|
|
try:
|
|
for _line in getattr(self,_check)():
|
|
try:
|
|
_entry = _regex_convert.search(_line).groupdict()
|
|
_entry["servicename"] = _entry["servicename"].strip('"')
|
|
_json.append(_entry)
|
|
except:
|
|
raise
|
|
except:
|
|
raise
|
|
return json.dumps(_json)
|
|
|
|
def _get_storedata(self,section,key):
|
|
with self._datastore_mutex:
|
|
return self._datastore.get(section,{}).get(key)
|
|
def _set_storedata(self,section,key,value):
|
|
with self._datastore_mutex:
|
|
if section not in self._datastore:
|
|
self._datastore[section] = object_dict()
|
|
self._datastore[section][key] = value
|
|
|
|
def _getosinfo(self):
|
|
_info = json.load(open("/usr/local/opnsense/version/core","r"))
|
|
_changelog = json.load(open("/usr/local/opnsense/changelog/index.json","r"))
|
|
_config_modified = os.stat("/conf/config.xml").st_mtime
|
|
try:
|
|
_default_version = {'series': _info.get("product_series"), 'version': _info.get("product_version"), 'date': time.strftime('%B %d, %Y')}
|
|
_latest_series = dict(map(lambda x: (x.get("series"),x),_changelog))
|
|
_latest_versions = dict(map(lambda x: (x.get("version"),x),_changelog))
|
|
_latest_firmware = _latest_series.get(_info.get("product_series"),_default_version)
|
|
_current_firmware = _latest_versions.get(_info.get("product_version").split("_")[0],_default_version).copy()
|
|
_current_firmware["age"] = int(time.time() - time.mktime(time.strptime(_current_firmware.get("date"),"%B %d, %Y")))
|
|
_current_firmware["version"] = _info.get("product_version")
|
|
except:
|
|
#raise
|
|
_latest_firmware = {}
|
|
_current_firmware = {}
|
|
_mayor_upgrade = None
|
|
try:
|
|
_upgrade_json = json.load(open("/tmp/pkg_upgrade.json","r"))
|
|
_upgrade_packages = dict(map(lambda x: (x.get("name"),x),_upgrade_json.get("upgrade_packages")))
|
|
_mayor_upgrade = _upgrade_json.get("upgrade_major_version")
|
|
_current_firmware["version"] = _upgrade_packages.get("opnsense").get("current_version")
|
|
_latest_firmware["version"] = _upgrade_packages.get("opnsense").get("new_version")
|
|
except:
|
|
_current_firmware["version"] = _current_firmware["version"].split("_")[0]
|
|
_latest_firmware["version"] = _current_firmware["version"] ## fixme ## no upgradepckg error on opnsense ... no new version
|
|
self._info = {
|
|
"os" : _info.get("product_name"),
|
|
"os_version" : _current_firmware.get("version","unknown"),
|
|
"version_age" : _current_firmware.get("age",0),
|
|
"config_age" : int(time.time() - _config_modified) ,
|
|
"last_configchange" : time.strftime("%H:%M %d.%m.%Y",time.localtime(_config_modified)),
|
|
"product_series" : _info.get("product_series"),
|
|
"latest_version" : (_mayor_upgrade if _mayor_upgrade else _latest_firmware.get("version","unknown")),
|
|
"latest_date" : _latest_firmware.get("date",""),
|
|
"hostname" : self._run_prog("hostname").strip(" \n")
|
|
}
|
|
if os.path.exists("/usr/local/opnsense/version/core.license"):
|
|
self._info["business_expire"] = datetime.strptime(json.load(open("/usr/local/opnsense/version/core.license","r")).get("valid_to","2000-01-01"),"%Y-%m-%d")
|
|
|
|
@staticmethod
|
|
def ip2int(ipaddr):
|
|
return struct.unpack("!I",socket.inet_aton(ipaddr))[0]
|
|
|
|
@staticmethod
|
|
def int2ip(intaddr):
|
|
return socket.inet_ntoa(struct.pack("!I",intaddr))
|
|
|
|
def pidof(self,prog,default=None):
|
|
_allprogs = re.findall("(\w+)\s+(\d+)",self._run_prog("ps ax -c -o command,pid"))
|
|
return int(dict(_allprogs).get(prog,default))
|
|
|
|
def _config_reader(self,config=""):
|
|
_config = ELementTree.parse("/conf/config.xml")
|
|
_root = _config.getroot()
|
|
return etree_to_dict(_root).get("opnsense",{})
|
|
|
|
@staticmethod
|
|
def get_common_name(certrdn):
|
|
try:
|
|
return next(filter(lambda x: x.oid == x509.oid.NameOID.COMMON_NAME,certrdn)).value.strip()
|
|
except:
|
|
return str(certrdn)
|
|
|
|
def _certificate_parser(self):
|
|
self._certificate_timestamp = time.time()
|
|
self._certificate_store = {}
|
|
for _cert in self._config_reader().get("cert"):
|
|
try:
|
|
_certpem = base64.b64decode(_cert.get("crt"))
|
|
_x509cert = x509.load_pem_x509_certificate(_certpem,crypto_default_backend())
|
|
_cert["not_valid_before"] = _x509cert.not_valid_before_utc.timestamp()
|
|
_cert["not_valid_after"] = _x509cert.not_valid_after_utc.timestamp()
|
|
_cert["serial"] = _x509cert.serial_number
|
|
_cert["common_name"] = self.get_common_name(_x509cert.subject)
|
|
_cert["issuer"] = self.get_common_name(_x509cert.issuer)
|
|
except:
|
|
pass
|
|
self._certificate_store[_cert.get("refid")] = _cert
|
|
|
|
def _get_certificate(self,refid):
|
|
if time.time() - self._certificate_timestamp > 3600:
|
|
self._certificate_parser()
|
|
return self._certificate_store.get(refid)
|
|
|
|
def _get_certificate_by_cn(self,cn,caref=None):
|
|
if time.time() - self._certificate_timestamp > 3600:
|
|
self._certificate_parser()
|
|
if caref:
|
|
_ret = filter(lambda x: x.get("common_name") == cn and x.get("caref") == caref,self._certificate_store.values())
|
|
else:
|
|
_ret = filter(lambda x: x.get("common_name") == cn,self._certificate_store.values())
|
|
try:
|
|
return next(_ret)
|
|
except StopIteration:
|
|
return {}
|
|
|
|
def get_opnsense_ipaddr(self):
|
|
try:
|
|
_ret = {}
|
|
for _if,_ip,_mask in re.findall("^([\w_]+):\sflags=(?:8943|8051|8043|8863).*?inet\s([\d.]+)\snetmask\s0x([a-f0-9]+)",self._run_prog("ifconfig"),re.DOTALL | re.M):
|
|
_ret[_if] = "{0}/{1}".format(_ip,str(bin(int(_mask,16))).count("1"))
|
|
return _ret
|
|
except:
|
|
return {}
|
|
|
|
def get_opnsense_interfaces(self):
|
|
_ifs = {}
|
|
for _name,_interface in self._config_reader().get("interfaces",{}).items():
|
|
if _interface.get("enable") != "1":
|
|
continue
|
|
_desc = _interface.get("descr")
|
|
_ifs[_interface.get("if","_")] = _desc if _desc else _name.upper()
|
|
|
|
try:
|
|
_wgserver = self._config_reader().get("OPNsense").get("wireguard").get("server").get("servers").get("server")
|
|
if type(_wgserver) == dict:
|
|
_wgserver = [_wgserver]
|
|
_ifs.update(
|
|
dict(
|
|
map(
|
|
lambda x: ("wg{}".format(x.get("instance")),"Wireguard_{}".format(x.get("name").strip().replace(" ","_"))),
|
|
_wgserver
|
|
)
|
|
)
|
|
)
|
|
except:
|
|
pass
|
|
return _ifs
|
|
|
|
def checklocal_firmware(self):
|
|
if self._info.get("os_version") != self._info.get("latest_version"):
|
|
return ["1 Firmware update_available=1|last_updated={version_age:.0f}|apply_finish_time={config_age:.0f} Version {os_version} ({latest_version} available {latest_date}) Config changed: {last_configchange}".format(**self._info)]
|
|
return ["0 Firmware update_available=0|last_updated={version_age:.0f}|apply_finish_time={config_age:.0f} Version {os_version} Config changed: {last_configchange}".format(**self._info)]
|
|
|
|
def checklocal_business(self):
|
|
if self._info.get("business_expire"):
|
|
_days = (self._info.get("business_expire") - datetime.now()).days
|
|
_date = self._info.get("business_expire").strftime("%d.%m.%Y")
|
|
return [f'P "Business Licence" expiredays={_days};;;30;60; Licence Expire: {_date}']
|
|
return []
|
|
|
|
def check_label(self):
|
|
_ret = ["<<<labels:sep(0)>>>"]
|
|
_dmsg = self._run_prog("dmesg",timeout=10)
|
|
if _dmsg.lower().find("hypervisor:") > -1:
|
|
_ret.append('{"cmk/device_type":"vm"}')
|
|
return _ret
|
|
|
|
def check_net(self):
|
|
_now = int(time.time())
|
|
_opnsense_ifs = self.get_opnsense_interfaces()
|
|
_ret = ["<<<statgrab_net>>>"]
|
|
_interface_data = []
|
|
_interface_data = self._run_prog("/usr/bin/netstat -i -b -d -n -W -f link").split("\n")
|
|
_header = _interface_data[0].lower()
|
|
_header = _header.replace("pkts","packets").replace("coll","collisions").replace("errs","error").replace("ibytes","rx").replace("obytes","tx")
|
|
_header = _header.split()
|
|
_interface_stats = dict(
|
|
map(
|
|
lambda x: (x.get("name"),x),
|
|
[
|
|
dict(zip(_header,_ifdata.split()))
|
|
for _ifdata in _interface_data[1:] if _ifdata
|
|
]
|
|
)
|
|
)
|
|
|
|
_ifconfig_out = self._run_prog("ifconfig -m -v -f inet:cidr,inet6:cidr")
|
|
_ifconfig_out += "END" ## fix regex
|
|
self._all_interfaces = object_dict()
|
|
self._carp_interfaces = object_dict()
|
|
for _interface, _data in re.findall("^(?P<iface>[\w.]+):\s(?P<data>.*?(?=^\w))",_ifconfig_out,re.DOTALL | re.MULTILINE):
|
|
_interface_dict = object_dict()
|
|
_interface_dict.update(_interface_stats.get(_interface,{}))
|
|
_interface_dict["interface_name"] = _opnsense_ifs.get(_interface,_interface)
|
|
_interface_dict["up"] = "false"
|
|
#if _interface.startswith("vmx"): ## vmware fix 10GBe (as OS Support)
|
|
# _interface_dict["speed"] = "10000"
|
|
_interface_dict["systime"] = _now
|
|
for _key, _val in re.findall("^\s*(\w+)[:\s=]+(.*?)$",_data,re.MULTILINE):
|
|
if _key == "description":
|
|
_interface_dict["interface_name"] = re.sub("_\((lan|wan|opt\d+)\)$","",_val.strip().replace(" ","_"))
|
|
if _key == "groups":
|
|
_interface_dict["groups"] = _val.strip().split()
|
|
if _key == "ether":
|
|
_interface_dict["phys_address"] = _val.strip()
|
|
if _key == "status" and _val.strip() == "active":
|
|
_interface_dict["up"] = "true"
|
|
if _interface.startswith("wg") and _interface_dict.get("flags",0) & 0x01:
|
|
_interface_dict["up"] = "true"
|
|
if _key == "flags":
|
|
_interface_dict["flags"] = int(re.findall("^[a-f\d]+",_val)[0],16)
|
|
## hack pppoe no status active or pppd pid
|
|
if _interface.lower().startswith("pppoe") and _interface_dict["flags"] & 0x10 and _interface_dict["flags"] & 0x1:
|
|
_interface_dict["up"] = "true"
|
|
## http://web.mit.edu/freebsd/head/sys/net/if.h
|
|
## 0x1 UP
|
|
## 0x2 BROADCAST
|
|
## 0x8 LOOPBACK
|
|
## 0x10 POINTTOPOINT
|
|
## 0x40 RUNNING
|
|
## 0x100 PROMISC
|
|
## 0x800 SIMPLEX
|
|
## 0x8000 MULTICAST
|
|
if _key == "media":
|
|
_match = re.search("\((?P<speed>\d+G?)[Bb]ase(?:.*?<(?P<duplex>.*?)>)?",_val)
|
|
if _match:
|
|
_interface_dict["speed"] = _match.group("speed").replace("G","000")
|
|
_interface_dict["duplex"] = _match.group("duplex")
|
|
if _key == "inet":
|
|
_match = re.search("^(?P<ipaddr>[\d.]+)\/(?P<cidr>\d+).*?(?:vhid\s(?P<vhid>\d+)|$)",_val,re.M)
|
|
if _match:
|
|
_cidr = _match.group("cidr")
|
|
_ipaddr = _match.group("ipaddr")
|
|
_vhid = _match.group("vhid")
|
|
if not _vhid:
|
|
_interface_dict["cidr"] = _cidr ## cidr wenn kein vhid
|
|
## fixme ipaddr dict / vhid dict
|
|
if _key == "inet6":
|
|
_match = re.search("^(?P<ipaddr>[0-9a-f:]+)\/(?P<prefix>\d+).*?(?:vhid\s(?P<vhid>\d+)|$)",_val,re.M)
|
|
if _match:
|
|
_ipaddr = _match.group("ipaddr")
|
|
_prefix = _match.group("prefix")
|
|
_vhid = _match.group("vhid")
|
|
if not _vhid:
|
|
_interface_dict["prefix"] = _prefix
|
|
## fixme ipaddr dict / vhid dict
|
|
if _key == "carp":
|
|
_match = re.search("(?P<status>MASTER|BACKUP)\svhid\s(?P<vhid>\d+)\sadvbase\s(?P<base>\d+)\sadvskew\s(?P<skew>\d+)",_val,re.M)
|
|
if _match:
|
|
_carpstatus = _match.group("status")
|
|
_vhid = _match.group("vhid")
|
|
self._carp_interfaces[_vhid] = (_interface,_carpstatus)
|
|
_advbase = _match.group("base")
|
|
_advskew = _match.group("skew")
|
|
## fixme vhid dict
|
|
if _key == "id":
|
|
_match = re.search("priority\s(\d+)",_val)
|
|
if _match:
|
|
_interface_dict["bridge_prio"] = _match.group(1)
|
|
if _key == "member":
|
|
_member = _interface_dict.get("member",[])
|
|
_member.append(_val.split()[0])
|
|
_interface_dict["member"] = _member
|
|
if _key == "Opened":
|
|
try:
|
|
_pid = int(_val.split(" ")[-1])
|
|
if check_pid(_pid):
|
|
_interface_dict["up"] = "true"
|
|
except ValueError:
|
|
pass
|
|
|
|
_flags = _interface_dict.get("flags")
|
|
if _flags and (_flags & 0x2 or _flags & 0x10 or _flags & 0x80): ## nur broadcast oder ptp .. und noarp
|
|
self._all_interfaces[_interface] = _interface_dict
|
|
else:
|
|
continue
|
|
#if re.search("^[*]?(pflog|pfsync|lo)\d?",_interface):
|
|
# continue
|
|
if not _opnsense_ifs.get(_interface):
|
|
continue
|
|
for _key,_val in _interface_dict.items():
|
|
if _key in ("mtu","ipackets","ierror","idrop","rx","opackets","oerror","tx","collisions","drop","interface_name","up","systime","phys_address","speed","duplex"):
|
|
if type(_val) in (str,int,float):
|
|
_sanitized_interface = _interface.replace(".","_")
|
|
_ret.append(f"{_sanitized_interface}.{_key} {_val}")
|
|
|
|
return _ret
|
|
|
|
def checklocal_services(self):
|
|
_phpcode = '<?php require_once("config.inc");require_once("system.inc"); require_once("plugins.inc"); require_once("util.inc"); foreach(plugins_services() as $_service) { printf("%s;%s;%s\n",$_service["name"],$_service["description"],service_status($_service));} ?>'
|
|
_proc = subprocess.Popen(["php"], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,encoding="utf-8")
|
|
_data,_ = _proc.communicate(input=_phpcode,timeout=15)
|
|
_services = []
|
|
for _service in _data.strip().split("\n"):
|
|
_services.append(_service.split(";"))
|
|
_num_services = len(_services)
|
|
_stopped_services = list(filter(lambda x: x[2] != '1',_services))
|
|
_num_stopped = len(_stopped_services)
|
|
_num_running = _num_services - _num_stopped
|
|
_stopped_services = ", ".join(map(lambda x: x[1],_stopped_services))
|
|
if _num_stopped > 0:
|
|
return [f"2 Services running_services={_num_running:.0f}|stopped_service={_num_stopped:.0f} Services: {_stopped_services} not running"]
|
|
return [f"0 Services running_services={_num_running:.0f}|stopped_service={_num_stopped:.0f} All Services running"]
|
|
|
|
def checklocal_carpstatus(self):
|
|
#sysctl net.inet.carp.demotion #TODO
|
|
_ret = []
|
|
_virtual = self._config_reader().get("virtualip")
|
|
if not _virtual:
|
|
return []
|
|
_virtual = _virtual.get("vip")
|
|
if not _virtual:
|
|
return []
|
|
if type(_virtual) != list:
|
|
_virtual = [_virtual]
|
|
for _vip in _virtual:
|
|
if _vip.get("mode") != "carp":
|
|
continue
|
|
_vhid = _vip.get("vhid")
|
|
_ipaddr = _vip.get("subnet")
|
|
_interface, _carpstatus = self._carp_interfaces.get(_vhid,(None,None))
|
|
_carpstatus_num = 1 if _carpstatus == "MASTER" else 0
|
|
_interface_name = self._all_interfaces.get(_interface,{}).get("interface_name",_interface)
|
|
if int(_vip.get("advskew")) < 50:
|
|
_status = 0 if _carpstatus == "MASTER" else 1
|
|
else:
|
|
_status = 0 if _carpstatus == "BACKUP" else 1
|
|
if not _interface:
|
|
continue
|
|
_ret.append(f"{_status} \"CARP: {_interface_name}@{_vhid}\" master={_carpstatus_num} {_carpstatus} {_ipaddr} ({_interface})")
|
|
return _ret
|
|
|
|
def check_dhcp(self):
|
|
if not os.path.exists("/var/dhcpd/var/db/dhcpd.leases"):
|
|
return []
|
|
_ret = ["<<<isc_dhcpd>>>"]
|
|
_ret.append("[general]\nPID: {0}".format(self.pidof("dhcpd",-1)))
|
|
|
|
_dhcpleases = open("/var/dhcpd/var/db/dhcpd.leases","r").read()
|
|
## FIXME
|
|
#_dhcpleases_dict = dict(map(lambda x: (self.ip2int(x[0]),x[1]),re.findall(r"lease\s(?P<ipaddr>[0-9.]+)\s\{.*?.\n\s+binding state\s(?P<state>\w+).*?\}",_dhcpleases,re.DOTALL)))
|
|
_dhcpleases_dict = dict(re.findall(r"lease\s(?P<ipaddr>[0-9.]+)\s\{.*?.\n\s+binding state\s(?P<state>active).*?\}",_dhcpleases,re.DOTALL))
|
|
_dhcpconf = open("/var/dhcpd/etc/dhcpd.conf","r").read()
|
|
_ret.append("[pools]")
|
|
for _subnet in re.finditer(r"subnet\s(?P<subnet>[0-9.]+)\snetmask\s(?P<netmask>[0-9.]+)\s\{.*?(?:pool\s\{.*?\}.*?)*}",_dhcpconf,re.DOTALL):
|
|
#_cidr = bin(self.ip2int(_subnet.group(2))).count("1")
|
|
#_available = 0
|
|
for _pool in re.finditer("pool\s\{.*?range\s(?P<start>[0-9.]+)\s(?P<end>[0-9.]+).*?\}",_subnet.group(0),re.DOTALL):
|
|
#_start,_end = self.ip2int(_pool.group(1)), self.ip2int(_pool.group(2))
|
|
#_ips_in_pool = filter(lambda x: _start < x[0] < _end,_dhcpleases_dict.items())
|
|
#pprint(_dhcpleases_dict)
|
|
#pprint(sorted(list(map(lambda x: (self._int2ip(x[0]),x[1]),_ips_in_pool))))
|
|
#_available += (_end - _start)
|
|
_ret.append("{0}\t{1}".format(_pool.group(1),_pool.group(2)))
|
|
|
|
#_ret.append("DHCP_{0}/{1} {2}".format(_subnet.group(1),_cidr,_available))
|
|
|
|
_ret.append("[leases]")
|
|
for _ip in sorted(_dhcpleases_dict.keys()):
|
|
_ret.append(_ip)
|
|
return _ret
|
|
|
|
def check_squid(self):
|
|
_squid_config = self._config_reader().get("OPNsense",{}).get("proxy",{})
|
|
if _squid_config.get("general",{}).get("enabled") != "1":
|
|
return []
|
|
_ret = ["<<<squid>>>"]
|
|
_port = _squid_config.get("forward",{}).get("port","3128")
|
|
try:
|
|
_response = requests.get(f"http://127.0.0.1:{_port}/squid-internal-mgr/5min",timeout=0.2)
|
|
if _response.status_code == 200:
|
|
_ret += _response.text.split("\n")
|
|
except:
|
|
pass
|
|
return _ret
|
|
|
|
def checklocal_pkgaudit(self):
|
|
try:
|
|
_data = json.loads(self._run_cache_prog("pkg audit -F --raw=json-compact -q",cachetime=360,ignore_error=True))
|
|
_vulns = _data.get("pkg_count",0)
|
|
if _vulns > 0:
|
|
_packages = ", ".join(_data.get("packages",{}).keys())
|
|
return [f"1 Audit issues={_vulns} Pkg: {_packages} vulnerable"]
|
|
raise
|
|
except:
|
|
pass
|
|
return ["0 Audit issues=0 OK"]
|
|
|
|
@staticmethod
|
|
def _read_from_openvpnsocket(vpnsocket,cmd):
|
|
_sock = socket.socket(socket.AF_UNIX,socket.SOCK_STREAM)
|
|
try:
|
|
_sock.connect(vpnsocket)
|
|
assert (_sock.recv(4096).decode("utf-8")).startswith(">INFO")
|
|
cmd = cmd.strip() + "\n"
|
|
_sock.send(cmd.encode("utf-8"))
|
|
_data = ""
|
|
while True:
|
|
_socket_data = _sock.recv(4096).decode("utf-8")
|
|
_data += _socket_data
|
|
if _data.strip().endswith("END") or _data.strip().startswith("SUCCESS:") or _data.strip().startswith("ERROR:"):
|
|
break
|
|
return _data
|
|
finally:
|
|
if _sock:
|
|
_sock.send("quit\n".encode("utf-8"))
|
|
_sock.close()
|
|
_sock = None
|
|
return ""
|
|
|
|
def _get_traffic(self,modul,interface,totalbytesin,totalbytesout):
|
|
_hist_data = self._get_storedata(modul,interface)
|
|
_slot = int(time.time())
|
|
_slot -= _slot%60
|
|
_hist_slot = 0
|
|
_traffic_in = _traffic_out = 0
|
|
if _hist_data:
|
|
_hist_slot,_hist_bytesin, _hist_bytesout = _hist_data
|
|
_traffic_in = int(totalbytesin -_hist_bytesin) / max(1,_slot - _hist_slot)
|
|
_traffic_out = int(totalbytesout - _hist_bytesout) / max(1,_slot - _hist_slot)
|
|
if _hist_slot != _slot:
|
|
self._set_storedata(modul,interface,(_slot,totalbytesin,totalbytesout))
|
|
return max(0,_traffic_in),max(0,_traffic_out)
|
|
|
|
@staticmethod
|
|
def _get_dpinger_gateway(gateway):
|
|
_path = "/var/run/dpinger_{0}.sock".format(gateway)
|
|
if os.path.exists(_path):
|
|
_sock = socket.socket(socket.AF_UNIX,socket.SOCK_STREAM)
|
|
try:
|
|
_sock.connect(_path)
|
|
_data = _sock.recv(1024).decode("utf-8").strip()
|
|
_name, _rtt, _rttsd, _loss = re.findall("(\S+)\s(\d+)\s(\d+)\s(\d+)$",_data)[0]
|
|
assert _name.strip() == gateway
|
|
return int(_rtt)/1_000_000.0,int(_rttsd)/1_000_000.0, int(_loss)
|
|
except:
|
|
raise
|
|
return -1,-1,-1
|
|
|
|
def checklocal_gateway(self):
|
|
_ret = []
|
|
_gateways = self._config_reader().get("OPNsense",{}).get("Gateways")
|
|
if not _gateways:
|
|
_gateways = self._config_reader().get("gateways")
|
|
if not _gateways:
|
|
return []
|
|
_gateway_items = _gateways.get("gateway_item",[])
|
|
if type(_gateway_items) != list:
|
|
_gateway_items = [_gateway_items] if _gateway_items else []
|
|
_interfaces = self._config_reader().get("interfaces",{})
|
|
_ipaddresses = self.get_opnsense_ipaddr()
|
|
for _gateway in _gateway_items:
|
|
if type(_gateway.get("descr")) != str:
|
|
_gateway["descr"] = _gateway.get("name")
|
|
if _gateway.get("monitor_disable") == "1" or _gateway.get("disabled") == "1":
|
|
continue
|
|
_interface = _interfaces.get(_gateway.get("interface"),{})
|
|
_gateway["realinterface"] = _interface.get("if")
|
|
if _gateway.get("ipprotocol") == "inet":
|
|
_gateway["ipaddr"] = _ipaddresses.get(_interface.get("if"))
|
|
else:
|
|
_gateway["ipaddr"] = ""
|
|
_gateway["rtt"], _gateway["rttsd"], _gateway["loss"] = self._get_dpinger_gateway(_gateway.get("name"))
|
|
_gateway["status"] = 0
|
|
if _gateway.get("loss") > 0 or _gateway.get("rtt") > 100:
|
|
_gateway["status"] = 1
|
|
if _gateway.get("loss") > 90 or _gateway.get("loss") == -1:
|
|
_gateway["status"] = 2
|
|
|
|
_ret.append("{status} \"Gateway {descr}\" rtt={rtt}|rttsd={rttsd}|loss={loss} Gateway on Interface: {realinterface} {gateway}".format(**_gateway))
|
|
return _ret
|
|
|
|
def checklocal_openvpn(self):
|
|
_ret = []
|
|
_cfr = self._config_reader().get("openvpn")
|
|
_cfn = self._config_reader().get("OPNsense").get("OpenVPN") ##TODO new Connections
|
|
if type(_cfr) != dict:
|
|
return _ret
|
|
|
|
if "openvpn-csc" in _cfr.keys():
|
|
_cso = _cfr.get("openvpn-csc") ## pre v23.7
|
|
else:
|
|
_cso = _cfn.get("Overwrites")
|
|
if type(_cso) == dict:
|
|
_cso = _cso.get("Overwrite")
|
|
_monitored_clients = {}
|
|
if type(_cso) == dict:
|
|
_cso = [_cso]
|
|
if type(_cso) == list:
|
|
_monitored_clients = dict(map(lambda x: (x.get("common_name").upper(),dict(x,current=[])),_cso))
|
|
|
|
_now = time.time()
|
|
_vpnclient = _cfr.get("openvpn-client",[])
|
|
_vpnserver = _cfr.get("openvpn-server",[])
|
|
if type(_vpnserver) != list:
|
|
_vpnserver = [_vpnserver] if _vpnserver else []
|
|
if type(_vpnclient) != list:
|
|
_vpnclient = [_vpnclient] if _vpnclient else []
|
|
for _server in _vpnserver + _vpnclient:
|
|
if _server.get("disable") == '1':
|
|
continue ## FIXME OK/WARN/SKIP
|
|
## server_tls, p2p_shared_key p2p_tls
|
|
_server["name"] = _server.get("description").strip() if _server.get("description") else "OpenVPN_{protocol}_{local_port}".format(**_server)
|
|
|
|
_caref = _server.get("caref")
|
|
_server_cert = self._get_certificate(_server.get("certref"))
|
|
_server["status"] = 3
|
|
_server["expiredays"] = 0
|
|
_server["expiredate"] = "no certificate found"
|
|
if _server_cert:
|
|
_notvalidafter = _server_cert.get("not_valid_after",0)
|
|
_server["expiredays"] = int((_notvalidafter - _now) / 86400)
|
|
_server["expiredate"] = time.strftime("Cert Expire: %d.%m.%Y",time.localtime(_notvalidafter))
|
|
if _server["expiredays"] < 61:
|
|
_server["status"] = 2 if _server["expiredays"] < 31 else 1
|
|
else:
|
|
_server["expiredate"] = "\\n" + _server["expiredate"]
|
|
|
|
_server["type"] = "server" if _server.get("local_port") else "client"
|
|
if _server.get("mode") in ("p2p_shared_key","p2p_tls"):
|
|
_unix = "/var/etc/openvpn/{type}{vpnid}.sock".format(**_server)
|
|
try:
|
|
|
|
_server["bytesin"], _server["bytesout"] = self._get_traffic("openvpn",
|
|
"SRV_{name}".format(**_server),
|
|
*(map(lambda x: int(x),re.findall("bytes\w+=(\d+)",self._read_from_openvpnsocket(_unix,"load-stats"))))
|
|
)
|
|
_laststate = self._read_from_openvpnsocket(_unix,"state 1").strip().split("\r\n")[-2]
|
|
_timestamp, _server["connstate"], _data = _laststate.split(",",2)
|
|
if _server["connstate"] == "CONNECTED":
|
|
_data = _data.split(",")
|
|
_server["vpn_ipaddr"] = _data[1]
|
|
_server["remote_ipaddr"] = _data[2]
|
|
_server["remote_port"] = _data[3]
|
|
_server["source_addr"] = _data[4]
|
|
_server["status"] = 0 if _server["status"] == 3 else _server["status"]
|
|
_ret.append('{status} "OpenVPN Connection: {name}" connections_ssl_vpn=1;;|if_in_octets={bytesin}|if_out_octets={bytesout}|expiredays={expiredays} Connected {remote_ipaddr}:{remote_port} {vpn_ipaddr} {expiredate}\Source IP: {source_addr}'.format(**_server))
|
|
else:
|
|
if _server["type"] == "client":
|
|
_server["status"] = 2
|
|
_ret.append('{status} "OpenVPN Connection: {name}" connections_ssl_vpn=0;;|if_in_octets={bytesin}|if_out_octets={bytesout}|expiredays={expiredays} {connstate} {expiredate}'.format(**_server))
|
|
else:
|
|
_server["status"] = 1 if _server["status"] != 2 else 2
|
|
_ret.append('{status} "OpenVPN Connection: {name}" connections_ssl_vpn=0;;|if_in_octets={bytesin}|if_out_octets={bytesout}|expiredays={expiredays} waiting on Port {local_port}/{protocol} {expiredate}'.format(**_server))
|
|
except:
|
|
_ret.append('2 "OpenVPN Connection: {name}" connections_ssl_vpn=0;;|expiredays={expiredays}|if_in_octets=0|if_out_octets=0 Server down Port:/{protocol} {expiredate}'.format(**_server))
|
|
continue
|
|
else:
|
|
if not _server.get("maxclients"):
|
|
_max_clients = ipaddress.IPv4Network(_server.get("tunnel_network")).num_addresses -2
|
|
if _server.get("topology_subnet") != "yes":
|
|
_max_clients = max(1,int(_max_clients/4)) ## p2p
|
|
_server["maxclients"] = _max_clients
|
|
try:
|
|
_unix = "/var/etc/openvpn/{type}{vpnid}.sock".format(**_server)
|
|
try:
|
|
|
|
_server["bytesin"], _server["bytesout"] = self._get_traffic("openvpn",
|
|
"SRV_{name}".format(**_server),
|
|
*(map(lambda x: int(x),re.findall("bytes\w+=(\d+)",self._read_from_openvpnsocket(_unix,"load-stats"))))
|
|
)
|
|
_server["status"] = 0 if _server["status"] == 3 else _server["status"]
|
|
except:
|
|
_server["bytesin"], _server["bytesout"] = 0,0
|
|
raise
|
|
|
|
_number_of_clients = 0
|
|
_now = int(time.time())
|
|
_response = self._read_from_openvpnsocket(_unix,"status 2")
|
|
for _client_match in re.finditer("^CLIENT_LIST,(.*?)$",_response,re.M):
|
|
_number_of_clients += 1
|
|
_client_raw = list(map(lambda x: x.strip(),_client_match.group(1).split(",")))
|
|
_client = {
|
|
"server" : _server.get("name"),
|
|
"common_name" : _client_raw[0],
|
|
"remote_ip" : _client_raw[1].rsplit(":",1)[0], ## ipv6
|
|
"vpn_ip" : _client_raw[2],
|
|
"vpn_ipv6" : _client_raw[3],
|
|
"bytes_received" : int(_client_raw[4]),
|
|
"bytes_sent" : int(_client_raw[5]),
|
|
"uptime" : _now - int(_client_raw[7]),
|
|
"username" : _client_raw[8] if _client_raw[8] != "UNDEF" else _client_raw[0],
|
|
"clientid" : int(_client_raw[9]),
|
|
"cipher" : _client_raw[11].strip("\r\n")
|
|
}
|
|
if _client["username"].upper() in _monitored_clients:
|
|
_monitored_clients[_client["username"].upper()]["current"].append(_client)
|
|
|
|
_server["clientcount"] = _number_of_clients
|
|
_ret.append('{status} "OpenVPN Server: {name}" connections_ssl_vpn={clientcount};;{maxclients}|if_in_octets={bytesin}|if_out_octets={bytesout}|expiredays={expiredays} {clientcount}/{maxclients} Connections Port:{local_port}/{protocol} {expiredate}'.format(**_server))
|
|
except:
|
|
_ret.append('2 "OpenVPN Server: {name}" connections_ssl_vpn=0;;{maxclients}|expiredays={expiredays}|if_in_octets=0|if_out_octets=0 Server down Port:{local_port}/{protocol} {expiredate}'.format(**_server))
|
|
|
|
for _client in _monitored_clients.values():
|
|
_current_conn = _client.get("current",[])
|
|
if _client.get("disable") == 1:
|
|
continue
|
|
if not _client.get("description"):
|
|
_client["description"] = _client.get("common_name")
|
|
_client["description"] = _client["description"].strip(" \r\n")
|
|
_client["expiredays"] = 0
|
|
_client["expiredate"] = "no certificate found"
|
|
_client["status"] = 3
|
|
_cert = self._get_certificate_by_cn(_client.get("common_name"))
|
|
if _cert:
|
|
_notvalidafter = _cert.get("not_valid_after")
|
|
_client["expiredays"] = int((_notvalidafter - _now) / 86400)
|
|
_client["expiredate"] = time.strftime("Cert Expire: %d.%m.%Y",time.localtime(_notvalidafter))
|
|
if _client["expiredays"] < 61:
|
|
_client["status"] = 2 if _client["expiredays"] < 31 else 1
|
|
else:
|
|
_client["expiredate"] = "\\n" + _client["expiredate"]
|
|
|
|
if _current_conn:
|
|
_client["uptime"] = max(map(lambda x: x.get("uptime"),_current_conn))
|
|
_client["count"] = len(_current_conn)
|
|
_client["bytes_received"], _client["bytes_sent"] = self._get_traffic("openvpn",
|
|
"CL_{description}".format(**_client),
|
|
sum(map(lambda x: x.get("bytes_received"),_current_conn)),
|
|
sum(map(lambda x: x.get("bytes_sent"),_current_conn))
|
|
)
|
|
_client["status"] = 0 if _client["status"] == 3 else _client["status"]
|
|
_client["longdescr"] = ""
|
|
for _conn in _current_conn:
|
|
_client["longdescr"] += "Server:{server} {remote_ip}:{vpn_ip} {cipher} ".format(**_conn)
|
|
_ret.append('{status} "OpenVPN Client: {description}" connectiontime={uptime}|connections_ssl_vpn={count}|if_in_octets={bytes_received}|if_out_octets={bytes_sent}|expiredays={expiredays} {longdescr} {expiredate}'.format(**_client))
|
|
else:
|
|
_ret.append('{status} "OpenVPN Client: {description}" connectiontime=0|connections_ssl_vpn=0|if_in_octets=0|if_out_octets=0|expiredays={expiredays} Nicht verbunden {expiredate}'.format(**_client))
|
|
return _ret
|
|
|
|
def checklocal_ipsec(self):
|
|
_ret =[]
|
|
_ipsec_config = self._config_reader().get("ipsec")
|
|
if type(_ipsec_config) != dict:
|
|
return []
|
|
if _ipsec_config.get("enable") != "1":
|
|
return []
|
|
_phase1config = _ipsec_config.get("phase1")
|
|
_phase2config = _ipsec_config.get("phase2")
|
|
if type(_phase1config) != list:
|
|
_phase1config = [_phase1config]
|
|
if type(_phase2config) != list:
|
|
_phase2config = [_phase2config]
|
|
_json_data = self._run_prog("/usr/local/opnsense/scripts/ipsec/list_status.py")
|
|
if len(_json_data.strip()) > 20:
|
|
_json_data = json.loads(_json_data)
|
|
else:
|
|
_json_data = {}
|
|
for _phase1 in _phase1config:
|
|
if _phase1 == None:
|
|
continue
|
|
_ikeid = _phase1.get("ikeid")
|
|
_name = _phase1.get("descr")
|
|
if len(_name.strip()) < 1:
|
|
_name = _phase1.get("remote-gateway")
|
|
_condata = _json_data.get(f"con{_ikeid}",{})
|
|
_con = {
|
|
"status" : 2,
|
|
"bytes-received" : 0,
|
|
"bytes-sent" : 0,
|
|
"life-time" : 0,
|
|
"state" : "unknown",
|
|
"remote-host" : "unknown",
|
|
"remote-name" : _name,
|
|
"local-id" : _condata.get("local-id"),
|
|
"remote-id" : _condata.get("remote-id")
|
|
}
|
|
_phase2_up = 0
|
|
for _sas in _condata.get("sas",[]):
|
|
_con["state"] = _sas.get("state")
|
|
_con["local-id"] = _sas.get("local-id")
|
|
_con["remote-id"] = _sas.get("remote-id")
|
|
|
|
if _sas.get("state") != "ESTABLISHED":
|
|
continue
|
|
_con["remote-host"] = _sas.get("remote-host")
|
|
for _child in _sas.get("child-sas",{}).values():
|
|
if _child.get("state") != "INSTALLED":
|
|
continue
|
|
_phase2_up += 1
|
|
_install_time = max(1,int(_child.get("install-time","1")))
|
|
_con["bytes-received"] += int(int(_child.get("bytes-in","0")) /_install_time)
|
|
_con["bytes-sent"] += int(int(_child.get("bytes-out","0")) /_install_time)
|
|
_con["life-time"] = max(_con["life-time"],_install_time)
|
|
_con["status"] = 0 if _con["status"] != 1 else 1
|
|
|
|
#_required_phase2 = len(list(filter(lambda x: x.get("ikeid") == _ikeid,_phase2config)))
|
|
|
|
#if _phase2_up >= _required_phase2:
|
|
if _phase2_up > 0:
|
|
_ret.append("{status} \"IPsec Tunnel: {remote-name}\" if_in_octets={bytes-received}|if_out_octets={bytes-sent}|lifetime={life-time} {state} {local-id} - {remote-id}({remote-host})".format(**_con))
|
|
elif _phase2_up == 0:
|
|
if _condata.keys():
|
|
_ret.append("{status} \"IPsec Tunnel: {remote-name}\" if_in_octets=0|if_out_octets=0|lifetime=0 not connected {local-id} - {remote-id}({remote-host})".format(**_con))
|
|
else:
|
|
_ret.append("{status} \"IPsec Tunnel: {remote-name}\" if_in_octets=0|if_out_octets=0|lifetime=0 not running".format(**_con))
|
|
else:
|
|
_con["status"] = max(_con["status"],1)
|
|
#_con["phase2"] = f"{_phase2_up}/{_required_phase2}"
|
|
_con["phase2"] = f"{_phase2_up}"
|
|
_ret.append("{status} \"IPsec Tunnel: {remote-name}\" if_in_octets={bytes-received}|if_out_octets={bytes-sent}|lifetime={life-time} {phase2} {state} {local-id} - {remote-id}({remote-host})".format(**_con))
|
|
return _ret
|
|
|
|
def checklocal_wireguard(self):
|
|
_ret = []
|
|
try:
|
|
_clients = self._config_reader().get("OPNsense").get("wireguard").get("client").get("clients").get("client")
|
|
if type(_clients) != list:
|
|
_clients = [_clients] if _clients else []
|
|
_clients = dict(map(lambda x: (x.get("pubkey"),x),_clients))
|
|
except:
|
|
return []
|
|
|
|
_now = time.time()
|
|
for _client in _clients.values(): ## fill defaults
|
|
_client["interface"] = ""
|
|
_client["endpoint"] = ""
|
|
_client["last_handshake"] = 0
|
|
_client["bytes_received"] = 0
|
|
_client["bytes_sent"] = 0
|
|
_client["status"] = 2
|
|
|
|
_dump = self._run_prog(["wg","show","all","dump"]).strip()
|
|
for _line in _dump.split("\n"):
|
|
_values = _line.split("\t")
|
|
if len(_values) != 9:
|
|
continue
|
|
_client = _clients.get(_values[1].strip())
|
|
if not _client:
|
|
continue
|
|
_client["interface"] = _values[0].strip()
|
|
_client["endpoint"] = _values[3].strip().rsplit(":",1)[0]
|
|
_client["last_handshake"] = int(_values[5].strip())
|
|
_client["bytes_received"], _client["bytes_sent"] = self._get_traffic("wireguard",_values[0].strip(),int(_values[6].strip()),int(_values[7].strip()))
|
|
_client["status"] = 2 if _now - _client["last_handshake"] > 300 else 0 ## 5min timeout
|
|
|
|
for _client in _clients.values():
|
|
if _client.get("status") == 2 and _client.get("endpoint") != "":
|
|
_client["endpoint"] = "last IP:" + _client["endpoint"]
|
|
_ret.append('{status} "WireGuard Client: {name}" if_in_octets={bytes_received}|if_out_octets={bytes_sent} {interface}: {endpoint} - {tunneladdress}'.format(**_client))
|
|
|
|
return _ret
|
|
|
|
def checklocal_unbound(self):
|
|
_ret = []
|
|
try:
|
|
_output = self._run_prog(["/usr/local/sbin/unbound-control", "-c", "/var/unbound/unbound.conf", "stats_noreset"])
|
|
_unbound_stat = dict(
|
|
map(
|
|
lambda x: (x[0].replace(".","_"),float(x[1])),
|
|
re.findall("total\.([\w.]+)=([\d.]+)",_output)
|
|
)
|
|
)
|
|
_ret.append("0 \"Unbound DNS\" dns_successes={num_queries:.0f}|dns_recursion={num_recursivereplies:.0f}|dns_cachehits={num_cachehits:.0f}|dns_cachemiss={num_cachemiss:.0f}|avg_response_time={recursion_time_avg} Unbound running".format(**_unbound_stat))
|
|
except:
|
|
_ret.append("2 \"Unbound DNS\" dns_successes=0|dns_recursion=0|dns_cachehits=0|dns_cachemiss=0|avg_response_time=0 Unbound not running")
|
|
return _ret
|
|
|
|
def checklocal_acmeclient(self):
|
|
_ret = []
|
|
_now = time.time()
|
|
try:
|
|
_acmecerts = self._config_reader().get("OPNsense").get("AcmeClient").get("certificates").get("certificate")
|
|
if type(_acmecerts) == dict:
|
|
_acmecerts = [_acmecerts]
|
|
except:
|
|
_acmecerts = []
|
|
for _cert_info in _acmecerts:
|
|
if _cert_info.get("enabled") != "1":
|
|
continue
|
|
if not _cert_info.get("description"):
|
|
_cert_info["description"] = _cert_info.get("name","unknown")
|
|
_certificate = self._get_certificate(_cert_info.get("certRefId"))
|
|
_cert_info["status"] = 1
|
|
if _certificate:
|
|
if type(_certificate) != dict:
|
|
_certificate = {}
|
|
_expiredays = _certificate.get("not_valid_after",_now) - _now
|
|
_not_valid_before = _certificate.get("not_valid_before",_cert_info.get("lastUpdate"))
|
|
_certificate_age = _now - int(_not_valid_before if _not_valid_before else _now)
|
|
_cert_info["age"] = int(_certificate_age)
|
|
if _cert_info.get("statusCode") == "200":
|
|
if _certificate_age > float(_cert_info.get("renewInterval","inf")):
|
|
_cert_info["status"] = 0
|
|
if _expiredays < 10:
|
|
_cert_info["status"] = 2
|
|
_cert_info["issuer"] = _certificate.get("issuer")
|
|
_cert_info["lastupdatedate"] = time.strftime("%d.%m.%Y",time.localtime(int(_cert_info.get("lastUpdate",0))))
|
|
_cert_info["expiredate"] = time.strftime("%d.%m.%Y",time.localtime(_certificate.get("not_valid_after",0)))
|
|
_ret.append("{status} \"ACME Cert: {description}\" age={age} Last Update: {lastupdatedate} Status: {statusCode} Cert expire: {expiredate}".format(**_cert_info))
|
|
else:
|
|
if _cert_info.get("statusCode") == "100":
|
|
_ret.append("1 \"ACME Cert: {description}\" age=0 Status: pending".format(**_cert_info))
|
|
else:
|
|
_ret.append("2 \"ACME Cert: {description}\" age=0 Error Status: {statusCode}".format(**_cert_info))
|
|
return _ret
|
|
|
|
def _read_nginx_socket(self):
|
|
session = requests.Session()
|
|
session.mount("http://nginx/vts", NginxAdapter())
|
|
response = session.get("http://nginx/vts")
|
|
return response.json()
|
|
|
|
def checklocal_nginx(self):
|
|
_ret = []
|
|
_config = self._config_reader().get("OPNsense").get("Nginx")
|
|
if type(_config) != dict:
|
|
return []
|
|
if _config.get("general",{}).get("enabled") != "1":
|
|
return []
|
|
|
|
try:
|
|
_data = self._read_nginx_socket()
|
|
except (requests.exceptions.ConnectionError,FileNotFoundError):
|
|
_data = {}
|
|
pass ## no socket
|
|
|
|
_uptime = _data.get("loadMsec",0)/1000
|
|
if _uptime > 0:
|
|
_starttime = datetime.fromtimestamp(_uptime).strftime("%d.%m.%Y %H:%M")
|
|
_uptime = time.time() - _uptime
|
|
_ret.append(f"0 \"Nginx Uptime\" uptime={_uptime} Up since {_starttime}")
|
|
else:
|
|
_ret.append("2 \"Nginx Uptime\" uptime=0 Down")
|
|
|
|
_upstream_config = _config.get("upstream")
|
|
_location_config = _config.get("location")
|
|
if type(_upstream_config) != list:
|
|
_upstream_config = [_upstream_config] if _upstream_config else []
|
|
_upstream_config = dict(map(lambda x: (x.get("@uuid"),x),_upstream_config))
|
|
if type(_location_config) != list:
|
|
_location_config = [_location_config] if _location_config else []
|
|
|
|
_upstream_data = _data.get("upstreamZones",{})
|
|
|
|
for _location in _location_config:
|
|
_upstream = _upstream_config.get(_location.get("upstream","__"))
|
|
_location["upstream_name"] = ""
|
|
if _upstream:
|
|
_location["upstream_name"] = _upstream.get("description")
|
|
_uuid = "upstream{0}".format(_upstream.get("@uuid","").replace("-",""))
|
|
_upstream_info = _upstream_data.get(_uuid)
|
|
if not _upstream_info:
|
|
_ret.append("1 \"Nginx Location: {description}\" connections=0|if_in_octets=0|if_out_octets=0 Upstream: {upstream_name} no Data".format(**_location))
|
|
continue
|
|
else:
|
|
_ret.append("1 \"Nginx Location: {description}\" connections=0|if_in_octets=0|if_out_octets=0 No Upstream".format(**_location))
|
|
continue
|
|
_location["requestCounter"] = 0
|
|
_location["inBytes"] = 0
|
|
_location["outBytes"] = 0
|
|
_isup = 0
|
|
for _server in _upstream_info:
|
|
if _server.get("down") == False:
|
|
_isup +=1
|
|
for _key in ("requestCounter","inBytes","outBytes"):
|
|
_location[_key] += _server.get(_key,0)
|
|
|
|
if _isup > 0:
|
|
_available_upstreams = len(_upstream_info)
|
|
_location["available_upstream"] = "{0}/{1}".format(_isup,_available_upstreams)
|
|
if _available_upstreams == _isup:
|
|
_ret.append("0 \"Nginx Location: {description}\" connections={requestCounter}|if_in_octets={inBytes}|if_out_octets={outBytes} Upstream: {upstream_name} OK".format(**_location))
|
|
else:
|
|
_ret.append("1 \"Nginx Location: {description}\" connections={requestCounter}|if_in_octets={inBytes}|if_out_octets={outBytes} Upstream: {upstream_name} {available_upstream} OK".format(**_location))
|
|
else:
|
|
_ret.append("2 \"Nginx Location: {description}\" connections={requestCounter}|if_in_octets={inBytes}|if_out_octets={outBytes} Upstream: {upstream_name} down".format(**_location))
|
|
return _ret
|
|
|
|
def check_haproxy(self):
|
|
_ret = ["<<<haproxy:sep(44)>>>"]
|
|
_path = "/var/run/haproxy.socket"
|
|
try:
|
|
_haproxy_servers = dict(map(lambda x: (x.get("@uuid"),x),self._config_reader().get("OPNsense").get("HAProxy").get("servers").get("server")))
|
|
_healthcheck_servers = []
|
|
for _backend in self._config_reader().get("OPNsense").get("HAProxy").get("backends").get("backend"):
|
|
if _backend.get("healthCheckEnabled") == "1" and _backend.get("healthCheck") != None:
|
|
for _server_id in _backend.get("linkedServers","").split(","):
|
|
_server = _haproxy_servers.get(_server_id)
|
|
_healthcheck_servers.append("{0},{1}".format(_backend.get("name",""),_server.get("name","")))
|
|
except:
|
|
return []
|
|
if os.path.exists(_path):
|
|
_sock = socket.socket(socket.AF_UNIX,socket.SOCK_STREAM)
|
|
_sock.connect(_path)
|
|
_sock.send("show stat\n".encode("utf-8"))
|
|
_data = ""
|
|
while True:
|
|
_sockdata = _sock.recv(4096)
|
|
if not _sockdata:
|
|
break
|
|
_data += _sockdata.decode("utf-8")
|
|
|
|
for _line in _data.split("\n"):
|
|
_linedata = _line.split(",")
|
|
if len(_linedata) < 33:
|
|
continue
|
|
#pprint(list(enumerate(_linedata)))
|
|
if _linedata[32] == "2":
|
|
if "{0},{1}".format(*_linedata) not in _healthcheck_servers:
|
|
continue ## ignore backends check disabled
|
|
_ret.append(_line)
|
|
return _ret
|
|
|
|
def check_smartinfo(self):
|
|
if not os.path.exists("/usr/local/sbin/smartctl"):
|
|
return []
|
|
REGEX_DISCPATH = re.compile("(sd[a-z]+|da[0-9]+|nvme[0-9]+|ada[0-9]+)$")
|
|
_ret = ["<<<disk_smart_info:sep(124)>>>"]
|
|
for _dev in filter(lambda x: REGEX_DISCPATH.match(x),os.listdir("/dev/")):
|
|
try:
|
|
_ret.append(str(smart_disc(_dev)))
|
|
except:
|
|
pass
|
|
return _ret
|
|
|
|
def check_ipmi(self):
|
|
if not os.path.exists("/usr/local/bin/ipmitool"):
|
|
return []
|
|
_out = self._run_prog("ipmitool sensor list")
|
|
_ipmisensor = re.findall("^(?!.*\sna\s.*$).*",_out,re.M)
|
|
if _ipmisensor:
|
|
return ["<<<ipmi:sep(124)>>>"] + _ipmisensor
|
|
return []
|
|
|
|
def check_apcupsd(self):
|
|
if self._config_reader().get("OPNsense",{}).get("apcupsd",{}).get("general",{}).get("Enabled") != "1":
|
|
return []
|
|
_ret = ["<<<apcaccess:sep(58)>>>"]
|
|
_ret.append("[[apcupsd.conf]]")
|
|
_ret.append(self._run_prog("apcaccess").strip())
|
|
return _ret
|
|
|
|
def check_df(self):
|
|
_ret = ["<<<df>>>"]
|
|
_ret += self._run_prog("df -kTP -t ufs").split("\n")[1:]
|
|
return _ret
|
|
|
|
def check_ssh(self):
|
|
if self._config_reader().get("system",{}).get("ssh",{}).get("enabled") != "enabled":
|
|
return []
|
|
_ret = ["<<<sshd_config>>>"]
|
|
_ret += self._run_cache_prog("sshd -T").splitlines()
|
|
return _ret
|
|
|
|
def check_kernel(self):
|
|
_ret = ["<<<kernel>>>"]
|
|
_out = self._run_prog("sysctl vm.stats",timeout=10)
|
|
_kernel = dict([_v.split(": ") for _v in _out.split("\n") if len(_v.split(": ")) == 2])
|
|
_ret.append("{0:.0f}".format(time.time()))
|
|
_ret.append("cpu {0} {1} {2} {4} {3}".format(*(self._run_prog("sysctl -n kern.cp_time","").split(" "))))
|
|
_ret.append("ctxt {0}".format(_kernel.get("vm.stats.sys.v_swtch")))
|
|
_sum = sum(map(lambda x: int(x[1]),(filter(lambda x: x[0] in ("vm.stats.vm.v_forks","vm.stats.vm.v_vforks","vm.stats.vm.v_rforks","vm.stats.vm.v_kthreads"),_kernel.items()))))
|
|
_ret.append("processes {0}".format(_sum))
|
|
return _ret
|
|
|
|
def check_temperature(self):
|
|
_ret = ["<<<lnx_thermal:sep(124)>>>"]
|
|
_out = self._run_prog("sysctl dev.cpu",timeout=10)
|
|
_cpus = dict([_v.split(": ") for _v in _out.split("\n") if len(_v.split(": ")) == 2])
|
|
_cpu_temperatures = list(map(
|
|
lambda x: float(x[1].replace("C","")),
|
|
filter(
|
|
lambda x: x[0].endswith("temperature"),
|
|
_cpus.items()
|
|
)
|
|
))
|
|
if _cpu_temperatures:
|
|
_cpu_temperature = int(max(_cpu_temperatures) * 1000)
|
|
_ret.append(f"CPU|enabled|unknown|{_cpu_temperature}")
|
|
|
|
_count = 0
|
|
for _tempsensor in self._available_sysctl_temperature_list:
|
|
_out = self._run_prog(f"sysctl -n {_tempsensor}",timeout=10)
|
|
if _out:
|
|
try:
|
|
_zone_temp = int(float(_out.replace("C","")) * 1000)
|
|
except ValueError:
|
|
_zone_temp = None
|
|
if _zone_temp:
|
|
if _tempsensor.find(".pchtherm.") > -1:
|
|
_ret.append(f"thermal_zone{_count}|enabled|unknown|{_zone_temp}|111000|critical|108000|passive")
|
|
else:
|
|
_ret.append(f"thermal_zone{_count}|enabled|unknown|{_zone_temp}")
|
|
_count += 1
|
|
if len(_ret) < 2:
|
|
return []
|
|
return _ret
|
|
|
|
def check_mem(self):
|
|
_ret = ["<<<statgrab_mem>>>"]
|
|
_pagesize = int(self._run_prog("sysctl -n hw.pagesize"))
|
|
_out = self._run_prog("sysctl vm.stats",timeout=10)
|
|
_mem = dict(map(lambda x: (x[0],int(x[1])) ,[_v.split(": ") for _v in _out.split("\n") if len(_v.split(": ")) == 2]))
|
|
_mem_cache = _mem.get("vm.stats.vm.v_cache_count") * _pagesize
|
|
_mem_free = _mem.get("vm.stats.vm.v_free_count") * _pagesize
|
|
_mem_inactive = _mem.get("vm.stats.vm.v_inactive_count") * _pagesize
|
|
_mem_total = _mem.get("vm.stats.vm.v_page_count") * _pagesize
|
|
_mem_avail = _mem_inactive + _mem_cache + _mem_free
|
|
_mem_used = _mem_total - _mem_avail # fixme mem.hw
|
|
_ret.append("mem.cache {0}".format(_mem_cache))
|
|
_ret.append("mem.free {0}".format(_mem_free))
|
|
_ret.append("mem.total {0}".format(_mem_total))
|
|
_ret.append("mem.used {0}".format(_mem_used))
|
|
_ret.append("swap.free 0")
|
|
_ret.append("swap.total 0")
|
|
_ret.append("swap.used 0")
|
|
return _ret
|
|
|
|
def check_zpool(self):
|
|
_ret = ["<<<zpool_status>>>"]
|
|
try:
|
|
for _line in self._run_prog("zpool status -x").split("\n"):
|
|
if _line.find("errors: No known data errors") == -1:
|
|
_ret.append(_line)
|
|
except:
|
|
return []
|
|
return _ret
|
|
|
|
def check_zfs(self):
|
|
_ret = ["<<<zfsget>>>"]
|
|
_ret.append(self._run_prog("zfs get -t filesystem,volume -Hp name,quota,used,avail,mountpoint,type"))
|
|
_ret.append("[df]")
|
|
_ret.append(self._run_prog("df -kP -t zfs"))
|
|
_ret.append("<<<zfs_arc_cache>>>")
|
|
_ret.append(self._run_prog("sysctl -q kstat.zfs.misc.arcstats").replace("kstat.zfs.misc.arcstats.","").replace(": "," = ").strip())
|
|
return _ret
|
|
|
|
def check_mounts(self):
|
|
_ret = ["<<<mounts>>>"]
|
|
_ret.append(self._run_prog("mount -p -t ufs").strip())
|
|
return _ret
|
|
|
|
def check_cpu(self):
|
|
_ret = ["<<<cpu>>>"]
|
|
_loadavg = self._run_prog("sysctl -n vm.loadavg").strip("{} \n")
|
|
_proc = self._run_prog("top -b -n 1").split("\n")[1].split(" ")
|
|
_proc = "{0}/{1}".format(_proc[3],_proc[0])
|
|
_lastpid = self._run_prog("sysctl -n kern.lastpid").strip(" \n")
|
|
_ncpu = self._run_prog("sysctl -n hw.ncpu").strip(" \n")
|
|
_ret.append(f"{_loadavg} {_proc} {_lastpid} {_ncpu}")
|
|
return _ret
|
|
|
|
def check_netctr(self):
|
|
_ret = ["<<<netctr>>>"]
|
|
_out = self._run_prog("netstat -inb")
|
|
for _line in re.finditer("^(?!Name|lo|plip)(?P<iface>\w+)\s+(?P<mtu>\d+).*?Link.*?\s+.*?\s+(?P<inpkts>\d+)\s+(?P<inerr>\d+)\s+(?P<indrop>\d+)\s+(?P<inbytes>\d+)\s+(?P<outpkts>\d+)\s+(?P<outerr>\d+)\s+(?P<outbytes>\d+)\s+(?P<coll>\d+)$",_out,re.M):
|
|
_ret.append("{iface} {inbytes} {inpkts} {inerr} {indrop} 0 0 0 0 {outbytes} {outpkts} {outerr} 0 0 0 0 0".format(**_line.groupdict()))
|
|
return _ret
|
|
|
|
def check_ntp(self):
|
|
_ret = ["<<<ntp>>>"]
|
|
for _line in self._run_prog("ntpq -np",timeout=30).split("\n")[2:]:
|
|
if _line.strip():
|
|
_ret.append("{0} {1}".format(_line[0],_line[1:]))
|
|
return _ret
|
|
|
|
def check_tcp(self):
|
|
_ret = ["<<<tcp_conn_stats>>>"]
|
|
_out = self._run_prog("netstat -na")
|
|
counts = Counter(re.findall("ESTABLISHED|LISTEN",_out))
|
|
for _key,_val in counts.items():
|
|
_ret.append(f"{_key} {_val}")
|
|
return _ret
|
|
|
|
def check_ps(self):
|
|
_ret = ["<<<ps>>>"]
|
|
_out = self._run_prog("ps ax -o state,user,vsz,rss,pcpu,command")
|
|
for _line in re.finditer("^(?P<stat>\w+)\s+(?P<user>\w+)\s+(?P<vsz>\d+)\s+(?P<rss>\d+)\s+(?P<cpu>[\d.]+)\s+(?P<command>.*)$",_out,re.M):
|
|
_ret.append("({user},{vsz},{rss},{cpu}) {command}".format(**_line.groupdict()))
|
|
return _ret
|
|
|
|
def check_uptime(self):
|
|
_ret = ["<<<uptime>>>"]
|
|
_uptime_sec = time.time() - int(self._run_prog("sysctl -n kern.boottime").split(" ")[3].strip(" ,"))
|
|
_idle_sec = re.findall("(\d+):[\d.]+\s+\[idle\]",self._run_prog("ps axw"))[0]
|
|
_ret.append(f"{_uptime_sec} {_idle_sec}")
|
|
return _ret
|
|
|
|
def do_inventory(self):
|
|
_ret = []
|
|
_persist = int(time.time()) + self.expire_inventory + 600
|
|
if os.path.exists("/sbin/dmidecode") or os.path.exists("/usr/local/sbin/dmidecode") :
|
|
_ret += [f"<<<dmidecode:sep(58):persist({_persist})>>>"]
|
|
_ret += self._run_cache_prog("dmidecode -q",7200).replace("\t",":").splitlines()
|
|
_ret += [f"<<<lnx_distro:sep(124):persist({_persist})>>>"]
|
|
if os.path.exists("/etc/os-release"):
|
|
_ret.append("[[[/etc/os-release]]]")
|
|
_ret.append(open("/etc/os-release","rt").read().replace("\n","|"))
|
|
else:
|
|
try:
|
|
_ret.append("[[[/etc/os-release]]]")
|
|
_ret += list(map(lambda x: 'Name={0}|VERSION="{1}"|VERSION_ID="{2}"|ID=freebsd|PRETTY_NAME="{0} {1}"'.format(x[0],x[1],x[1].split("-")[0]),re.findall("(\w+)\s([\w.-]+)\s(\d+)",self._run_cache_prog("uname -rsK",1200))))
|
|
except:
|
|
raise
|
|
_ret += [f"<<<lnx_packages:sep(124):persist({_persist})>>>"]
|
|
_ret += list(map(lambda x: "{0}|{1}|amd64|freebsd|{2}|install ok installed".format(*x),re.findall("(\S+)-([0-9][0-9a-z._,-]+)\s*(.*)",self._run_cache_prog("pkg info",1200),re.M)))
|
|
return _ret
|
|
|
|
def _run_prog(self,cmdline="",*args,shell=False,timeout=60,ignore_error=False):
|
|
if type(cmdline) == str:
|
|
_process = shlex.split(cmdline,posix=True)
|
|
else:
|
|
_process = cmdline
|
|
try:
|
|
return subprocess.check_output(_process,encoding="utf-8",shell=shell,stderr=subprocess.DEVNULL,timeout=timeout)
|
|
except subprocess.CalledProcessError as e:
|
|
if ignore_error:
|
|
return e.stdout
|
|
return ""
|
|
except subprocess.TimeoutExpired:
|
|
return ""
|
|
|
|
def _run_cache_prog(self,cmdline="",cachetime=10,*args,shell=False,ignore_error=False):
|
|
if type(cmdline) == str:
|
|
_process = shlex.split(cmdline,posix=True)
|
|
else:
|
|
_process = cmdline
|
|
_process_id = "".join(_process)
|
|
_runner = self._check_cache.get(_process_id)
|
|
if _runner == None:
|
|
_runner = checkmk_cached_process(_process,shell=shell,ignore_error=ignore_error)
|
|
self._check_cache[_process_id] = _runner
|
|
return _runner.get(cachetime)
|
|
|
|
class checkmk_cached_process(object):
|
|
def __init__(self,process,shell=False,ignore_error=False):
|
|
self._processs = process
|
|
self._islocal = os.path.dirname(process[0]).startswith(LOCALDIR)
|
|
self._shell = shell
|
|
self._ignore_error = ignore_error
|
|
self._mutex = threading.Lock()
|
|
with self._mutex:
|
|
self._data = (0,"")
|
|
self._thread = None
|
|
|
|
def _runner(self,timeout):
|
|
try:
|
|
_data = subprocess.check_output(self._processs,shell=self._shell,encoding="utf-8",stderr=subprocess.DEVNULL,timeout=timeout)
|
|
except subprocess.CalledProcessError as e:
|
|
if self._ignore_error:
|
|
_data = e.stdout
|
|
else:
|
|
_data = ""
|
|
except subprocess.TimeoutExpired:
|
|
_data = ""
|
|
with self._mutex:
|
|
self._data = (int(time.time()),_data)
|
|
self._thread = None
|
|
|
|
def get(self,cachetime):
|
|
with self._mutex:
|
|
_now = time.time()
|
|
_mtime = self._data[0]
|
|
if _now - _mtime > cachetime or cachetime == 0:
|
|
if not self._thread:
|
|
if cachetime > 0:
|
|
_timeout = cachetime*2-1
|
|
else:
|
|
_timeout = None
|
|
with self._mutex:
|
|
self._thread = threading.Thread(target=self._runner,args=[_timeout])
|
|
self._thread.start()
|
|
|
|
self._thread.join(30) ## waitmax
|
|
with self._mutex:
|
|
_mtime, _data = self._data
|
|
if not _data.strip():
|
|
return ""
|
|
if self._islocal:
|
|
_data = "".join([f"cached({_mtime},{cachetime}) {_line}" for _line in _data.splitlines(True) if len(_line.strip()) > 0])
|
|
else:
|
|
_data = re.sub("\B[<]{3}(.*?)[>]{3}\B",f"<<<\\1:cached({_mtime},{cachetime})>>>",_data)
|
|
return _data
|
|
|
|
class checkmk_server(TCPServer,checkmk_checker):
|
|
def __init__(self,port,pidfile,onlyfrom=None,encrypt=None,skipcheck=None,expire_inventory=0,tenants=None,**kwargs):
|
|
self.tcp_port = port
|
|
self.pidfile = pidfile
|
|
self.onlyfrom = onlyfrom.split(",") if onlyfrom else None
|
|
self.skipcheck = skipcheck.split(",") if skipcheck else []
|
|
self.tenants = self._get_tenants(tenants) if type(tenants) == str else {}
|
|
self._available_sysctl_list = self._run_prog("sysctl -aN").split()
|
|
self._available_sysctl_temperature_list = list(filter(lambda x: x.lower().find("temperature") > -1 and x.lower().find("cpu") == -1,self._available_sysctl_list))
|
|
self.encrypt = encrypt
|
|
self.expire_inventory = expire_inventory
|
|
self._mutex = threading.Lock()
|
|
self.user = pwd.getpwnam("root")
|
|
self.allow_reuse_address = True
|
|
self.taskrunner = checkmk_taskrunner(self)
|
|
TCPServer.__init__(self,("",port),checkmk_handler,bind_and_activate=False)
|
|
|
|
def _get_tenants(self,tenants):
|
|
_ret = {}
|
|
for _tenant in tenants.split(","):
|
|
if _tenant.find("#") > -1:
|
|
_addr,_secret = _tenant.split("#",1)
|
|
_ret[_addr] = _secret
|
|
else:
|
|
_ret[_addr] = None
|
|
return _ret
|
|
|
|
def verify_request(self, request, client_address):
|
|
if self.onlyfrom and client_address[0] not in self.onlyfrom and client_address[0] not in self.tenants.keys():
|
|
log("Client {0} not allowed".format(*client_address),"warn")
|
|
return False
|
|
return True
|
|
|
|
def _change_user(self):
|
|
_, _, _uid, _gid, _, _, _ = self.user
|
|
if os.getuid() != _uid:
|
|
os.setgid(_gid)
|
|
os.setuid(_uid)
|
|
|
|
def server_start(self):
|
|
log("starting checkmk_agent")
|
|
self.taskrunner.start()
|
|
signal.signal(signal.SIGTERM, self._signal_handler)
|
|
signal.signal(signal.SIGINT, self._signal_handler)
|
|
signal.signal(signal.SIGHUP, self._signal_handler)
|
|
self._change_user()
|
|
try:
|
|
self.server_bind()
|
|
self.server_activate()
|
|
except:
|
|
self.server_close()
|
|
raise
|
|
try:
|
|
self.serve_forever()
|
|
except KeyboardInterrupt:
|
|
sys.stdout.flush()
|
|
sys.stdout.write("\n")
|
|
pass
|
|
|
|
def cmkclient(self,checkoutput="127.0.0.1",port=None,encrypt=None,**kwargs):
|
|
_sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
|
|
_sock.settimeout(3)
|
|
try:
|
|
_sock.connect((checkoutput,port))
|
|
_sock.settimeout(None)
|
|
_msg = b""
|
|
while True:
|
|
_data = _sock.recv(2048)
|
|
if not _data:
|
|
break
|
|
_msg += _data
|
|
except TimeoutError:
|
|
sys.stderr.write("timeout\n")
|
|
sys.stderr.flush()
|
|
sys.exit(1)
|
|
|
|
if _msg[:2] == b"03":
|
|
if encrypt:
|
|
return self.decrypt_msg(_msg,encrypt)
|
|
else:
|
|
pprint(repr(_msg[:2]))
|
|
return "missing key"
|
|
return _msg.decode("utf-8")
|
|
|
|
def _signal_handler(self,signum,*args):
|
|
if signum in (signal.SIGTERM,signal.SIGINT):
|
|
log("stopping checkmk_agent")
|
|
threading.Thread(target=self.shutdown,name='shutdown').start()
|
|
sys.exit(0)
|
|
|
|
def daemonize(self):
|
|
try:
|
|
pid = os.fork()
|
|
if pid > 0:
|
|
## first parent
|
|
sys.exit(0)
|
|
except OSError as e:
|
|
sys.stderr.write("Fork failed\n")
|
|
sys.stderr.flush()
|
|
sys.exit(1)
|
|
os.chdir("/")
|
|
os.setsid()
|
|
os.umask(0)
|
|
try:
|
|
pid = os.fork()
|
|
if pid > 0:
|
|
## second
|
|
sys.exit(0)
|
|
except OSError as e:
|
|
sys.stderr.write("Fork 2 failed\n")
|
|
sys.stderr.flush()
|
|
sys.exit(1)
|
|
sys.stdout.flush()
|
|
sys.stderr.flush()
|
|
self._redirect_stream(sys.stdin,None)
|
|
self._redirect_stream(sys.stdout,None)
|
|
self._redirect_stream(sys.stderr,None)
|
|
with open(self.pidfile,"wt") as _pidfile:
|
|
_pidfile.write(str(os.getpid()))
|
|
os.chown(self.pidfile,self.user[2],self.user[3])
|
|
try:
|
|
self.server_start()
|
|
finally:
|
|
try:
|
|
os.remove(self.pidfile)
|
|
except:
|
|
pass
|
|
|
|
@staticmethod
|
|
def _redirect_stream(system_stream,target_stream):
|
|
if target_stream is None:
|
|
target_fd = os.open(os.devnull, os.O_RDWR)
|
|
else:
|
|
target_fd = target_stream.fileno()
|
|
os.dup2(target_fd, system_stream.fileno())
|
|
|
|
def __del__(self):
|
|
pass ## todo
|
|
|
|
BLACKLISTS = [
|
|
'all.s5h.net',
|
|
'aspews.ext.sorbs.net',
|
|
'b.barracudacentral.org',
|
|
'bl.nordspam.com',
|
|
'blackholes.five-ten-sg.com',
|
|
'blacklist.woody.ch',
|
|
'bogons.cymru.com',
|
|
'cbl.abuseat.org',
|
|
'combined.abuse.ch',
|
|
'combined.rbl.msrbl.net',
|
|
'db.wpbl.info',
|
|
'dnsbl-2.uceprotect.net',
|
|
'dnsbl-3.uceprotect.net',
|
|
'dnsbl.cyberlogic.net',
|
|
'dnsbl.sorbs.net',
|
|
'drone.abuse.ch',
|
|
'dul.ru',
|
|
'images.rbl.msrbl.net',
|
|
'ips.backscatterer.org',
|
|
'ix.dnsbl.manitu.net',
|
|
'korea.services.net',
|
|
'matrix.spfbl.net',
|
|
'phishing.rbl.msrbl.net',
|
|
'proxy.bl.gweep.ca',
|
|
'proxy.block.transip.nl',
|
|
'psbl.surriel.com',
|
|
'rbl.interserver.net',
|
|
'relays.bl.gweep.ca',
|
|
'relays.bl.kundenserver.de',
|
|
'relays.nether.net',
|
|
'residential.block.transip.nl',
|
|
'singular.ttk.pte.hu',
|
|
'spam.dnsbl.sorbs.net',
|
|
'spam.rbl.msrbl.net',
|
|
'spambot.bls.digibase.ca',
|
|
'spamlist.or.kr',
|
|
'spamrbl.imp.ch',
|
|
'spamsources.fabel.dk',
|
|
'ubl.lashback.com',
|
|
'virbl.bit.nl',
|
|
'virus.rbl.msrbl.net',
|
|
'virus.rbl.jp',
|
|
'wormrbl.imp.ch',
|
|
'z.mailspike.net',
|
|
'zen.spamhaus.org'
|
|
]
|
|
|
|
|
|
class checkmk_resolver(object):
|
|
def __init__(self,nameserver="127.0.0.1"):
|
|
self._ub_ctx = unbound.ub_ctx()
|
|
self._ub_ctx.add_ta_file("/var/unbound/root.key")
|
|
self._ub_ctx.set_fwd(nameserver)
|
|
self._ub_ctx.set_option("qname-minimisation:", "yes")
|
|
|
|
def dns_reverseip(self,ipaddr,tld=False):
|
|
_addr = ipaddress.ip_address(ipaddr)
|
|
if tld:
|
|
return _addr.reverse_pointer
|
|
return ".".join(_addr.reverse_pointer.split(".")[:-2])
|
|
|
|
def resolve(self,hostname,rrtype="A",secure=True):
|
|
rrtype = rrtype.upper()
|
|
_rrtype_code = getattr(unbound,f"RR_TYPE_{rrtype}",None)
|
|
if not _rrtype_code:
|
|
return False,None
|
|
if _rrtype_code == 12: #PTR
|
|
hostname = self.dns_reverseip(str(hostname),tld=True)
|
|
_status, _results = self._ub_ctx.resolve(hostname,_rrtype_code)
|
|
_is_secure = bool(_results.secure)
|
|
if _status == 0 and _results.havedata:
|
|
if _rrtype_code == 1: # A
|
|
return _is_secure, list(map(lambda x: ipaddress.IPv4Address(x),_results.data.address_list))
|
|
if _rrtype_code in (2,12): # NS, PTR
|
|
return _is_secure, list(map(lambda x: x.strip("."),_results.data.domain_list))
|
|
if _rrtype_code == 16: #TXT/SPF
|
|
_data = list(map(lambda x: x[1:].decode("ascii",errors="ignore"),_results.data.raw))
|
|
if rrtype == "SPF":
|
|
return _is_secure,list(filter(lambda x: x.startswith("v=spf1"),_data))
|
|
return _is_secure, _data
|
|
if _rrtype_code == 15: # MX
|
|
return _is_secure, _results.data.mx_list
|
|
if _rrtype_code == 28: # AAAA
|
|
return _is_secure, list(map(lambda x: ipaddress.IPv6Address(int(b2a_hex(x),16)),_results.data.raw))
|
|
if _rrtype_code == 52: # TLSA
|
|
_parsed_results = []
|
|
for _hexresult in map(lambda x: b2a_hex(x),_results.data.raw):
|
|
_parsed_results.append((int(_hexresult[0:2],16),int(_hexresult[2:4],16),int(_hexresult[4:6],16), _hexresult[6:].decode("ascii")))
|
|
return _is_secure, _parsed_results
|
|
|
|
return _is_secure,_results.data.raw
|
|
return _is_secure,[]
|
|
|
|
|
|
class checkmk_task(object):
|
|
def __init__(self,id,config):
|
|
self._mutex = threading.RLock()
|
|
self.id = id
|
|
self.config = config
|
|
self.lastmodified = time.time()
|
|
self.piggyback = config.get("piggyback","")
|
|
self.type = config.get("type")
|
|
_tenant = config.get("tenant")
|
|
self.tenant = _tenant.split(",") if type(_tenant) == str else []
|
|
self.interval = int(config.get("interval","3600"))
|
|
self.nextrun = time.time()
|
|
self.error = None
|
|
self._data = ""
|
|
self._thread = None
|
|
|
|
@property
|
|
def get_piggyback(self): ## namen mit host prefixen
|
|
with self._mutex:
|
|
return self.piggyback
|
|
|
|
def update(self,config):
|
|
with self._mutex:
|
|
self.interval = int(config.get("interval","3600"))
|
|
self.piggyback = config.get("piggyback")
|
|
_tenant = config.get("tenant")
|
|
self.tenant = _tenant.split(",") if type(_tenant) == str else []
|
|
self.config = config
|
|
_now = time.time()
|
|
self.lastmodified = _now
|
|
if self.nextrun < _now:
|
|
self.nextrun = _now + self.interval
|
|
|
|
def run(self):
|
|
_t = None
|
|
with self._mutex:
|
|
if self._thread == None:
|
|
self.error = None
|
|
_t = threading.Thread(target=self._run,name=self.id)
|
|
_t.daemon = True
|
|
self._thread = _t
|
|
self.nextrun = time.time() + self.interval
|
|
if _t:
|
|
_t.start()
|
|
|
|
def _run(self):
|
|
try:
|
|
_function = getattr(self,f"_{self.type}")
|
|
if _function:
|
|
_data = _function()
|
|
with self._mutex:
|
|
self._data = _data
|
|
finally:
|
|
with self._mutex:
|
|
self._thread = None
|
|
|
|
def _nmap(self):
|
|
host = self.config.get("hostname")
|
|
service = self.config.get("service","")
|
|
if not host:
|
|
return "<<<nmap>>>\n<nohostname />\n"
|
|
port = self.config.get("port","")
|
|
if port:
|
|
port = port + ","
|
|
scanoptions = f"-sS -sU -p{port}U:53,67,123,111,137,138,161,427,500,623,1645,1646,1812,1813,4500,5060,5353,T:21,22,23,25,53,80,88,135,139,389,443,444,445,465,485,514,593,623,636,902,1433,1720,3128,3129,3268,3269,3389,5060,5900,5988,5989,6556,8000,8006,8010,8080,8084,8300,8443"
|
|
_proc_args = (["nmap","-Pn","-R","--disable-arp-ping","--open","--noninteractive","-oX","-"] + shlex.split(scanoptions) + [host])
|
|
try:
|
|
_data = subprocess.check_output(_proc_args,shell=False,encoding="utf-8",stderr=subprocess.DEVNULL,timeout=300)
|
|
except subprocess.CalledProcessError as e:
|
|
with self._mutex:
|
|
self.error = e.stdout
|
|
_data = ""
|
|
except subprocess.TimeoutExpired:
|
|
_data = ""
|
|
_now = int(time.time())
|
|
_results = []
|
|
for _port in re.finditer("<port protocol=\"(?P<proto>tcp|udp)\"\sportid=\"(?P<port>\d+)\".*?state=\"(?P<state>[\w|]+)\"\sreason=\"(?P<reason>[\w-]+)\"(?:.*?name=\"(?P<protoname>[\w-]+)\")*.*</port>",_data):
|
|
_results.append(_port.groupdict())
|
|
|
|
_ret = {
|
|
"host" : host,
|
|
"service" : service,
|
|
"ports" : _results
|
|
}
|
|
return f"<<<nmap:sep(0):cached({_now},{self.interval*2})>>>\n" + json.dumps(_ret) + "\n<<<>>>"
|
|
|
|
def _dummy(self):
|
|
_now = int(time.time())
|
|
return f"<<<local:sep(0)>>>\ncached({_now},{self.interval*2}) 0 Dummy - Test\n<<<>>>"
|
|
|
|
def _cmk(self):
|
|
_now = int(time.time())
|
|
return f"<<<check_mk:cached({_now},{self.interval*2})>>>\nAgentOS: Task\nVersion: {__VERSION__}\n<<<>>>"
|
|
|
|
def _proxy(self):
|
|
host = self.config.get("hostname")
|
|
port = self.config.get("port","6556")
|
|
if not self.piggyback:
|
|
self.piggyback = host
|
|
_data = ""
|
|
|
|
|
|
def _speedtest(self):
|
|
pass
|
|
|
|
def _ssh(self):
|
|
pass
|
|
|
|
def _domain(self):
|
|
_domain = self.config.get("domain")
|
|
_dns = checkmk_resolver()
|
|
_dnssec,_soa = _dns.resolve(_domain,"SOA")
|
|
_resultcheck = {
|
|
"DOMAIN": _domain,
|
|
"DNSSEC": _dnssec,
|
|
"SOA" : repr(_soa),
|
|
"NS" : [],
|
|
"MX" : [],
|
|
"TLSA" : []
|
|
}
|
|
for _ns in _dns.resolve(_domain,"NS")[1]:
|
|
for _ipversion in ("A","AAAA"):
|
|
_ips = _dns.resolve(_ns,_ipversion)[1]
|
|
if not _ips:
|
|
continue
|
|
_ip = str(_ips[0])
|
|
_resultcheck["NS"].append([_ns,_ip])
|
|
|
|
for _prio,_mx in _dns.resolve(_domain,"MX")[1]:
|
|
_mx = _mx.strip(".")
|
|
_, _tlsa = _dns.resolve(f"_25._tcp.{_mx}","TLSA")
|
|
for _ipversion in ("A","AAAA"):
|
|
_ips = _dns.resolve(_mx,_ipversion)[1]
|
|
if not _ips:
|
|
continue
|
|
_ip = str(_ips[0])
|
|
_,_ptr = _dns.resolve(_ip,"PTR")
|
|
_sock,_banner = self.smtpconnect(_mx,_ip)
|
|
_cert_chain = ["",""]
|
|
if hasattr(_sock,"get_peer_cert_chain"):
|
|
_cert_chain = _sock.get_peer_cert_chain()
|
|
_resultcheck["MX"].append([
|
|
_mx,
|
|
_prio,
|
|
_ip,
|
|
"".join(_ptr),
|
|
self.getcertinfo(_cert_chain[0],tlsa=_tlsa,usage=3),
|
|
self.getcertinfo(_cert_chain[1:],tlsa=_tlsa,usage=2),
|
|
_banner
|
|
])
|
|
_resultcheck["TLSA"].append([_mx,_tlsa])
|
|
|
|
_now = int(time.time())
|
|
return f"<<<domaincheck:sep(0):cached({_now},{self.interval*2})>>>\n" + json.dumps(_resultcheck) + "\n<<<>>>"
|
|
|
|
def _blocklist(self):
|
|
_ipaddr = self.config.get("ipaddress","").split(",")
|
|
_dns = checkmk_resolver()
|
|
_service = self.config.get("service","")
|
|
if _ipaddr == [""]:
|
|
_hostname = self.config.get("hostname")
|
|
_ipaddr = map(str,_dns.resolve(_hostname,"A")[1])
|
|
if not _service:
|
|
_service = _hostname
|
|
if not _service:
|
|
_service = _ipaddr[0]
|
|
_listed = []
|
|
_ipchecklist = set(filter(lambda x: len(x) > 0,_ipaddr))
|
|
if len(_ipchecklist) == 0:
|
|
return ""
|
|
for _ip in _ipchecklist:
|
|
_reverse_ip = _dns.dns_reverseip(str(_ip))
|
|
for _blacklist in BLACKLISTS:
|
|
if _dns.resolve(f"{_reverse_ip}.{_blacklist}")[1]:
|
|
_listed.append((_ip,_blacklist))
|
|
|
|
_total_listed = len(_listed)
|
|
_status = 2 if _total_listed > 0 else 0
|
|
_message = " ".join(_ipaddr) + "not blocked"
|
|
if _total_listed > 0:
|
|
_message = ",".join([f"{_ip} is on {_bl}" for _ip,_bl in _listed])
|
|
_legacy = "{0} 'Blocklist {1}' blocklist={2}|blocked={3} {4}".format(_status,_service,len(BLACKLISTS),_total_listed,_message)
|
|
_now = int(time.time())
|
|
return f"<<<local:sep(0)>>>\ncached({_now},{self.interval*2}) " + _legacy + "\n<<<>>>"
|
|
|
|
def __str__(self):
|
|
with self._mutex:
|
|
sys.stderr.write(f"getdata-{self.id}\n")
|
|
sys.stderr.flush()
|
|
return self._data
|
|
|
|
def __repr__(self):
|
|
_next = self.nextrun - time.time()
|
|
return f"{self.id}: {_next}"
|
|
|
|
def __lt__(self,other):
|
|
return self.nextrun < other.nextrun
|
|
|
|
def cachecontent(self,content):
|
|
_now = int(time.time())
|
|
_cache=f"cache({_now},{self.interval})"
|
|
for _section in re.findall("^<<<(.*?)>>>\s*$",content,re.M):
|
|
if _section.group(1).startswith("local"):
|
|
continue
|
|
|
|
@staticmethod
|
|
def smtpconnect(hostname,ipaddr=None,port=25,starttls=True):
|
|
_banner = ""
|
|
if ipaddr == None:
|
|
ipaddr = hostname
|
|
try:
|
|
_sock = socket.create_connection((str(ipaddr),port),timeout=5)
|
|
_sock.settimeout(20)
|
|
_banner = _sock.recv(2048)
|
|
while not _banner.startswith(b"220 "):
|
|
_banner = _sock.recv(2048)
|
|
_banner = _banner.decode("utf-8")
|
|
_sock.send(b"EHLO checkmkopnSenseAgent\r\n")
|
|
if starttls:
|
|
if _sock.recv(4096).find(b"250-STARTTLS") == -1:
|
|
_sock.close()
|
|
return None,_banner.strip("\r\n")
|
|
_sock.send(b"STARTTLS\r\n")
|
|
_sock.recv(1024)
|
|
_ctx = SSL.Context(SSL.SSLv23_METHOD)
|
|
_ssl = SSL.Connection(_ctx,_sock)
|
|
_ssl.set_connect_state()
|
|
_ssl.set_tlsext_host_name(hostname.encode("ascii"))
|
|
_ssl.setblocking(1)
|
|
try:
|
|
_ssl.do_handshake()
|
|
except SSL.WantReadError:
|
|
pass
|
|
_ssl.sock_shutdown(socket.SHUT_RDWR)
|
|
_sock.close()
|
|
_sock = _ssl
|
|
else:
|
|
_sock.recv(1024)
|
|
except socket.error:
|
|
return None,""
|
|
return _sock,_banner.strip("\r\n")
|
|
|
|
def getcertinfo(self,x509cert,tlsa=None,usage=0):
|
|
if x509cert == None:
|
|
return {}
|
|
elif type(x509cert) == list:
|
|
return [self.getcertinfo(x,tlsa,usage) for x in x509cert]
|
|
else:
|
|
try:
|
|
_tlsa = []
|
|
if tlsa:
|
|
for _entry in filter(lambda x: x[0] == usage,tlsa):
|
|
_certhash, _tlsa_rr = self.get_tlsa_record(x509cert,usage,selector=_entry[1],mtype=_entry[2])
|
|
_tlsa.append([_entry[3] == _certhash,_tlsa_rr])
|
|
_dns_altnames = []
|
|
for _count in range(x509cert.get_extension_count()):
|
|
_extension = x509cert.get_extension(_count)
|
|
if _extension.get_short_name() == b"subjectAltName":
|
|
for _san in str(_extension).split(", "):
|
|
if _san.startswith("DNS:"):
|
|
_dns_altnames.append(_san[4:])
|
|
|
|
return {
|
|
"cn" : x509cert.get_subject().commonName,
|
|
"notAfter" : x509cert.get_notAfter().decode("ascii"),
|
|
"notBefore" : x509cert.get_notBefore().decode("ascii"),
|
|
"keysize" : x509cert.get_pubkey().bits(),
|
|
"algo" : x509cert.get_signature_algorithm().decode("ascii"),
|
|
"san" : _dns_altnames,
|
|
"tlsa" : _tlsa
|
|
}
|
|
except:
|
|
return {}
|
|
|
|
@staticmethod
|
|
def get_tlsa_record(x509cert,usage,selector,mtype):
|
|
if selector == 0:
|
|
_cert = crypto.dump_certificate(crypto.FILETYPE_ASN1,x509cert)
|
|
else:
|
|
_cert = crypto.dump_publickey(crypto.FILETYPE_ASN1,x509cert.get_pubkey())
|
|
if mtype == 0:
|
|
_hash = _cert.hex()
|
|
elif mtype == 1:
|
|
_hash = hashlib.sha256(_cert).hexdigest()
|
|
elif mtype == 2:
|
|
_hash = hashlib.sha512(_cert).hexdigest()
|
|
else:
|
|
_hash = _cert.hex() ## todo unknown
|
|
return _hash,f"{usage} {selector} {mtype} {_hash}"
|
|
|
|
|
|
class checkmk_taskrunner(object):
|
|
def __init__(self,cmkserver):
|
|
self._mutex = threading.RLock()
|
|
self.isrunning = True
|
|
self._queue = []
|
|
self.err = None
|
|
self._event = threading.Event()
|
|
|
|
def start(self):
|
|
_t = threading.Thread(target=self._run_forever,name="cmk_taskrunner")
|
|
_t.daemon = True
|
|
_t.start()
|
|
|
|
def get_data(self,tenant=None):
|
|
_data = []
|
|
_fails = 0
|
|
_task_running_count = len(self._get_running_task_threads())
|
|
sys.stderr.write("GetDATA\n")
|
|
sys.stderr.flush()
|
|
with self._mutex:
|
|
sys.stderr.flush()
|
|
if self.err:
|
|
for _line in str(self.err).split():
|
|
sys.stderr.write(_line)
|
|
self.err = None
|
|
_task_count = len(self._queue)
|
|
if _task_count == 0:
|
|
return []
|
|
_piggyback = ""
|
|
_data = []
|
|
for _task in sorted(self._queue,key=lambda x: x.get_piggyback):
|
|
if _task.error:
|
|
_fails += 1
|
|
#if tenant in (None,_task.tenant):
|
|
if len(_task.tenant) == 0 or tenant in _task.tenant:
|
|
if _task.get_piggyback != _piggyback:
|
|
if _piggyback != "":
|
|
_data += ["<<<<>>>>"]
|
|
_piggyback = _task.get_piggyback
|
|
if _piggyback:
|
|
_data += [f"<<<<{_piggyback}>>>>"]
|
|
_out = str(_task)
|
|
if len(_out.strip()) > 0:
|
|
_data += _out.split("\n")
|
|
if _piggyback != "":
|
|
_data += ["<<<<>>>>"]
|
|
|
|
_task_service = "{0} 'CMK Tasks' tasks={1}|tasks_running={2},tasks_failed={3} OK".format(0 if _fails == 0 else 1,_task_count,_task_running_count,_fails)
|
|
return [_task_service] + _data
|
|
|
|
def check_taskdir(self):
|
|
_ids = []
|
|
for _file in glob.glob(f"{TASKDIR}/*.task"):
|
|
_id = os.path.basename(_file)
|
|
_task = list(filter(lambda x: x.id == _id,self._queue))
|
|
if _task:
|
|
if _task[0].lastmodified < os.stat(_file).st_mtime:
|
|
sys.stderr.write(f"{_id} not modified\n")
|
|
sys.stderr.flush()
|
|
_ids.append(_id)
|
|
continue
|
|
with open(_file,"r",encoding="utf-8") as _f:
|
|
_options = dict(TASKFILE_REGEX.findall(_f.read()))
|
|
_type = _options.get("type","").strip()
|
|
if _type not in ("nmap","speedtest","proxy","ssh","domain","blocklist","cmk","dummy"):
|
|
sys.stderr.write(f"unknown {_type}\n")
|
|
sys.stderr.flush()
|
|
continue
|
|
#pprint(_options)
|
|
if _task:
|
|
_task[0].update(_options)
|
|
else:
|
|
_task = checkmk_task(_id,_options)
|
|
self._queue.append(_task)
|
|
_ids.append(_id)
|
|
|
|
# remove old tasks
|
|
for _task in self._queue:
|
|
if _task.id not in _ids:
|
|
self._queue.remove(_task)
|
|
#self._queue = list(filter(lambda x: x.id in _ids,self._queue)) ## remove config if file removed or disabled
|
|
#pprint(self._queue)
|
|
|
|
def _get_running_task_threads(self):
|
|
return list(filter(lambda x: x.name.endswith(".task"),threading.enumerate()))
|
|
|
|
def _run_forever(self):
|
|
_check = 0
|
|
PREEXEC = 120
|
|
while self.isrunning:
|
|
try:
|
|
_now = time.time()
|
|
if _check + 600 < _now:
|
|
with self._mutex:
|
|
self.check_taskdir()
|
|
_check = _now
|
|
continue
|
|
|
|
next_task = None
|
|
with self._mutex:
|
|
if self._queue:
|
|
self._queue.sort()
|
|
next_task = self._queue[0]
|
|
|
|
if next_task:
|
|
sys.stderr.write(f"next: {next_task.id} {next_task!r}\n")
|
|
sys.stderr.flush()
|
|
wait_time = max(0, next_task.nextrun - _now - PREEXEC)
|
|
if wait_time > 0:
|
|
self._event.wait(min(30, wait_time))
|
|
self._event.clear()
|
|
else:
|
|
self._run_task(next_task)
|
|
else:
|
|
self._event.wait(30)
|
|
self._event.clear()
|
|
|
|
except Exception as err:
|
|
sys.stderr.write(str(err) + "\n")
|
|
sys.stderr.flush()
|
|
|
|
def _run_task(self, task):
|
|
running_tasks = self._get_running_task_threads()
|
|
if len(running_tasks) < MAX_SIMULATAN_THREADS:
|
|
task.run()
|
|
else:
|
|
sys.stderr.write("Max Threads running wait\n")
|
|
sys.stderr.flush()
|
|
self._event.wait(3)
|
|
self._event.clear()
|
|
|
|
|
|
REGEX_SMART_VENDOR = re.compile(r"^\s*(?P<num>\d+)\s(?P<name>[-\w]+).*\s{2,}(?P<value>[\w\/() ]+)$",re.M)
|
|
REGEX_SMART_DICT = re.compile(r"^(.*?)[:=]\s*(.*?)$",re.M)
|
|
class smart_disc(object):
|
|
def __init__(self,device,description=""):
|
|
self.device = device
|
|
if description:
|
|
self.description = description
|
|
MAPPING = {
|
|
"Model Family" : ("model_family" ,lambda x: x),
|
|
"Model Number" : ("model_family" ,lambda x: x),
|
|
"Product" : ("model_family" ,lambda x: x),
|
|
"Vendor" : ("vendor" ,lambda x: x),
|
|
"Revision" : ("revision" ,lambda x: x),
|
|
"Device Model" : ("model_type" ,lambda x: x),
|
|
"Serial Number" : ("serial_number" ,lambda x: x),
|
|
"Serial number" : ("serial_number" ,lambda x: x),
|
|
"Firmware Version" : ("firmware_version" ,lambda x: x),
|
|
"User Capacity" : ("capacity" ,lambda x: x.split(" ")[0].replace(",","")),
|
|
"Total NVM Capacity": ("capacity" ,lambda x: x.split(" ")[0].replace(",","")),
|
|
"Rotation Rate" : ("rpm" ,lambda x: x.replace(" rpm","")),
|
|
"Form Factor" : ("formfactor" ,lambda x: x),
|
|
"SATA Version is" : ("transport" ,lambda x: x.split(",")[0]),
|
|
"Transport protocol": ("transport" ,lambda x: x),
|
|
"SMART support is" : ("smart" ,lambda x: int(x.lower() == "enabled")),
|
|
"Critical Warning" : ("critical" ,lambda x: self._saveint(x,base=16)),
|
|
"Temperature" : ("temperature" ,lambda x: x.split(" ")[0]),
|
|
"Data Units Read" : ("data_read_bytes" ,lambda x: x.split(" ")[0].replace(",","")),
|
|
"Data Units Written": ("data_write_bytes" ,lambda x: x.split(" ")[0].replace(",","")),
|
|
"Power On Hours" : ("poweronhours" ,lambda x: x.replace(",","")),
|
|
"Power Cycles" : ("powercycles" ,lambda x: x.replace(",","")),
|
|
"NVMe Version" : ("transport" ,lambda x: f"NVMe {x}"),
|
|
"Raw_Read_Error_Rate" : ("error_rate" ,lambda x: x.split(" ")[-1].replace(",","")),
|
|
"Reallocated_Sector_Ct" : ("reallocate" ,lambda x: x.replace(",","")),
|
|
"Seek_Error_Rate" : ("seek_error_rate",lambda x: x.split(" ")[-1].replace(",","")),
|
|
"Power_Cycle_Count" : ("powercycles" ,lambda x: x.replace(",","")),
|
|
"Temperature_Celsius" : ("temperature" ,lambda x: x.split(" ")[0]),
|
|
"Temperature_Internal" : ("temperature" ,lambda x: x.split(" ")[0]),
|
|
"Drive_Temperature" : ("temperature" ,lambda x: x.split(" ")[0]),
|
|
"UDMA_CRC_Error_Count" : ("udma_error" ,lambda x: x.replace(",","")),
|
|
"Offline_Uncorrectable" : ("uncorrectable" ,lambda x: x.replace(",","")),
|
|
"Power_On_Hours" : ("poweronhours" ,lambda x: x.replace(",","")),
|
|
"Spin_Retry_Count" : ("spinretry" ,lambda x: x.replace(",","")),
|
|
"Current_Pending_Sector": ("pendingsector" ,lambda x: x.replace(",","")),
|
|
"Current Drive Temperature" : ("temperature" ,lambda x: x.split(" ")[0]),
|
|
"Reallocated_Event_Count" : ("reallocate_ev" ,lambda x: x.split(" ")[0]),
|
|
"Warning Comp. Temp. Threshold" : ("temperature_warn" ,lambda x: x.split(" ")[0]),
|
|
"Critical Comp. Temp. Threshold" : ("temperature_crit" ,lambda x: x.split(" ")[0]),
|
|
"Media and Data Integrity Errors" : ("media_errors" ,lambda x: x),
|
|
"Airflow_Temperature_Cel" : ("temperature" ,lambda x: x),
|
|
"number of hours powered up" : ("poweronhours" ,lambda x: x.split(".")[0]),
|
|
"Accumulated power on time, hours" : ("poweronhours" ,lambda x: x.split(":")[0].replace("minutes ","")),
|
|
"Accumulated start-stop cycles" : ("powercycles" ,lambda x: x),
|
|
"Available Spare" : ("wearoutspare" ,lambda x: x.replace("%","")),
|
|
"SMART overall-health self-assessment test result" : ("smart_status" ,lambda x: int(x.lower().strip() == "passed")),
|
|
"SMART Health Status" : ("smart_status" ,lambda x: int(x.lower() == "ok")),
|
|
}
|
|
self._get_data()
|
|
for _key, _value in REGEX_SMART_DICT.findall(self._smartctl_output):
|
|
if _key in MAPPING.keys():
|
|
_map = MAPPING[_key]
|
|
setattr(self,_map[0],_map[1](_value))
|
|
|
|
for _vendor_num,_vendor_text,_value in REGEX_SMART_VENDOR.findall(self._smartctl_output):
|
|
if _vendor_text in MAPPING.keys():
|
|
_map = MAPPING[_vendor_text]
|
|
setattr(self,_map[0],_map[1](_value))
|
|
|
|
def _saveint(self,val,base=10):
|
|
try:
|
|
return int(val,base)
|
|
except (TypeError,ValueError):
|
|
return 0
|
|
|
|
def _get_data(self):
|
|
try:
|
|
self._smartctl_output = subprocess.check_output(["smartctl","-a","-n","standby", f"/dev/{self.device}"],encoding=sys.stdout.encoding,timeout=10)
|
|
except subprocess.CalledProcessError as e:
|
|
if e.returncode & 0x1:
|
|
raise
|
|
_status = ""
|
|
self._smartctl_output = e.output
|
|
if e.returncode & 0x2:
|
|
_status = "SMART Health Status: CRC Error"
|
|
if e.returncode & 0x4:
|
|
_status = "SMART Health Status: PREFAIL"
|
|
if e.returncode & 0x3:
|
|
_status = "SMART Health Status: DISK FAILING"
|
|
|
|
self._smartctl_output += f"\n{_status}\n"
|
|
except subprocess.TimeoutExpired:
|
|
self._smartctl_output += "\nSMART smartctl Timeout\n"
|
|
|
|
def __str__(self):
|
|
_ret = []
|
|
if getattr(self,"transport","").lower() == "iscsi": ## ignore ISCSI
|
|
return ""
|
|
if not getattr(self,"model_type",None):
|
|
self.model_type = getattr(self,"model_family","unknown")
|
|
if not getattr(self,"model_family",None):
|
|
self.model_type = getattr(self,"model_type","unknown")
|
|
for _k,_v in self.__dict__.items():
|
|
if _k.startswith("_") or _k in ("device"):
|
|
continue
|
|
_ret.append(f"{self.device}|{_k}|{_v}")
|
|
return "\n".join(_ret)
|
|
|
|
if __name__ == "__main__":
|
|
import argparse
|
|
class SmartFormatter(argparse.HelpFormatter):
|
|
def _split_lines(self, text, width):
|
|
if text.startswith('R|'):
|
|
return text[2:].splitlines()
|
|
# this is the RawTextHelpFormatter._split_lines
|
|
return argparse.HelpFormatter._split_lines(self, text, width)
|
|
_checks_available = sorted(list(map(lambda x: x.split("_")[1],filter(lambda x: x.startswith("check_") or x.startswith("checklocal_"),dir(checkmk_checker)))))
|
|
_ = lambda x: x
|
|
_parser = argparse.ArgumentParser(
|
|
add_help=False,
|
|
formatter_class=SmartFormatter
|
|
)
|
|
_parser.add_argument("--help",action="store_true",
|
|
help=_("show help message"))
|
|
_parser.add_argument("--start",action="store_true",
|
|
help=_("start the daemon"))
|
|
_parser.add_argument("--restart",action="store_true",
|
|
help=_("stop and restart the daemon"))
|
|
_parser.add_argument("--stop",action="store_true",
|
|
help=_("stop the daemon"))
|
|
_parser.add_argument("--status",action="store_true",
|
|
help=_("show daemon status"))
|
|
_parser.add_argument("--nodaemon",action="store_true",
|
|
help=_("run in foreground"))
|
|
_parser.add_argument("--checkoutput",nargs="?",const="127.0.0.1",type=str,metavar="hostname",
|
|
help=_("connect to [hostname]port and decrypt if needed"))
|
|
_parser.add_argument("--update",nargs="?",const="main",type=str,metavar="branch/commitid",
|
|
help=_("check for update"))
|
|
_parser.add_argument("--config",type=str,dest="configfile",default=CHECKMK_CONFIG,
|
|
help=_("path to config file"))
|
|
_parser.add_argument("--port",type=int,default=6556,
|
|
help=_("port checkmk_agent listen"))
|
|
_parser.add_argument("--encrypt",type=str,dest="encrypt",
|
|
help=_("encryption password (do not use from cmdline)"))
|
|
_parser.add_argument("--pidfile",type=str,default="/var/run/checkmk_agent.pid",
|
|
help=_("path to pid file"))
|
|
_parser.add_argument("--onlyfrom",type=str,
|
|
help=_("comma seperated ip addresses to allow"))
|
|
_parser.add_argument("--expire_inventory",type=int,default=3600*4,
|
|
help=_("number of seconds for inventory expire (default 4h)"))
|
|
_parser.add_argument("--skipcheck",type=str,
|
|
help=_("R|comma seperated checks that will be skipped \n{0}".format("\n".join([", ".join(_checks_available[i:i+10]) for i in range(0,len(_checks_available),10)]))))
|
|
_parser.add_argument("--zabbix",action="store_true",
|
|
help=_("only output local checks as json for zabbix parsing"))
|
|
_parser.add_argument("--debug",action="store_true",
|
|
help=_("debug Ausgabe"))
|
|
|
|
def _args_error(message):
|
|
print("#"*35)
|
|
print("checkmk_agent for opnsense")
|
|
print(f"Version: {__VERSION__}")
|
|
print("#"*35)
|
|
print(message)
|
|
print("")
|
|
print("use --help or -h for help")
|
|
sys.exit(1)
|
|
_parser.error = _args_error
|
|
args = _parser.parse_args()
|
|
if args.configfile and os.path.exists(args.configfile):
|
|
for _k,_v in re.findall(f"^(\w+):\s*(.*?)(?:\s+#|$)",open(args.configfile,"rt").read(),re.M):
|
|
if _k == "port":
|
|
args.port = int(_v)
|
|
if _k == "encrypt" and args.encrypt == None:
|
|
args.encrypt = _v
|
|
if _k == "onlyfrom":
|
|
args.onlyfrom = _v
|
|
if _k == "expire_inventory":
|
|
args.expire_inventory = _v
|
|
if _k == "skipcheck":
|
|
args.skipcheck = _v
|
|
if _k == "tenants":
|
|
args.tenants = _v
|
|
if _k.lower() == "localdir":
|
|
LOCALDIR = _v
|
|
if _k.lower() == "plugindir":
|
|
PLUGINSDIR = _v
|
|
if _k.lower() == "spooldir":
|
|
SPOOLDIR = _v
|
|
|
|
_server = checkmk_server(**args.__dict__)
|
|
_pid = 0
|
|
try:
|
|
with open(args.pidfile,"rt") as _pidfile:
|
|
_pid = int(_pidfile.read())
|
|
except (FileNotFoundError,IOError,ValueError):
|
|
_out = subprocess.check_output(["sockstat", "-l", "-p", str(args.port),"-P", "tcp"],encoding=sys.stdout.encoding)
|
|
try:
|
|
_pid = int(re.findall("\s(\d+)\s",_out.split("\n")[1])[0])
|
|
except (IndexError,ValueError):
|
|
pass
|
|
_active_methods = [getattr(args,x,False) for x in ("start","stop","restart","status","zabbix","nodaemon","debug","update","checkoutput","help")]
|
|
if SYSHOOK_METHOD and not any(_active_methods):
|
|
#print(f"SYSHOOK {SYSHOOK_METHOD} - {repr(_active_methods)}")
|
|
log(f"using syshook {SYSHOOK_METHOD[0]}")
|
|
setattr(args,SYSHOOK_METHOD[0],True)
|
|
if args.start:
|
|
if _pid > 0:
|
|
try:
|
|
os.kill(_pid,0)
|
|
sys.stderr.write(f"allready running with pid {_pid}\n")
|
|
sys.stderr.flush()
|
|
sys.exit(1)
|
|
except OSError:
|
|
pass
|
|
_server.daemonize()
|
|
|
|
elif args.status:
|
|
if _pid <= 0:
|
|
print("not running")
|
|
else:
|
|
try:
|
|
os.kill(_pid,0)
|
|
print("running")
|
|
except OSError:
|
|
print("not running")
|
|
|
|
elif args.stop or args.restart:
|
|
if _pid == 0:
|
|
sys.stderr.write("not running\n")
|
|
sys.stderr.flush()
|
|
if args.stop:
|
|
sys.exit(1)
|
|
try:
|
|
print("stopping")
|
|
os.kill(_pid,signal.SIGTERM)
|
|
except ProcessLookupError:
|
|
if os.path.exists(args.pidfile):
|
|
os.remove(args.pidfile)
|
|
|
|
if args.restart:
|
|
print("starting")
|
|
time.sleep(3)
|
|
_server.daemonize()
|
|
|
|
elif args.checkoutput:
|
|
sys.stdout.write(_server.cmkclient(**args.__dict__))
|
|
sys.stdout.write("\n")
|
|
sys.stdout.flush()
|
|
|
|
elif args.debug:
|
|
sys.stdout.write(_server.do_checks(debug=True).decode(sys.stdout.encoding))
|
|
sys.stdout.flush()
|
|
|
|
elif args.zabbix:
|
|
sys.stdout.write(_server.do_zabbix_output())
|
|
sys.stdout.flush()
|
|
|
|
elif args.nodaemon:
|
|
_server.server_start()
|
|
|
|
elif args.update:
|
|
import hashlib
|
|
import difflib
|
|
from pkg_resources import parse_version
|
|
_github_req = requests.get(f"https://api.github.com/repos/bashclub/check-opnsense/contents/opnsense_checkmk_agent.py?ref={args.update}")
|
|
if _github_req.status_code != 200:
|
|
raise Exception(f"Github Error {_github_req.status_code}")
|
|
_github_version = _github_req.json()
|
|
_github_last_modified = datetime.strptime(_github_req.headers.get("last-modified"),"%a, %d %b %Y %X %Z")
|
|
_new_script = base64.b64decode(_github_version.get("content")).decode("utf-8")
|
|
_new_version = re.findall("^__VERSION__.*?\"([0-9.]*)\"",_new_script,re.M)
|
|
_new_version = _new_version[0] if _new_version else "0.0.0"
|
|
_script_location = os.path.realpath(__file__)
|
|
_current_last_modified = datetime.fromtimestamp(int(os.path.getmtime(_script_location)))
|
|
with (open(_script_location,"rb")) as _f:
|
|
_content = _f.read()
|
|
_current_sha = hashlib.sha1(f"blob {len(_content)}\0".encode("utf-8") + _content).hexdigest()
|
|
_content = _content.decode("utf-8")
|
|
if _current_sha == _github_version.get("sha"):
|
|
print(f"allready up to date {_current_sha}")
|
|
sys.exit(0)
|
|
else:
|
|
_version = parse_version(__VERSION__)
|
|
_nversion = parse_version(_new_version)
|
|
if _version == _nversion:
|
|
print("same Version but checksums mismatch")
|
|
elif _version > _nversion:
|
|
print(f"ATTENTION: Downgrade from {__VERSION__} to {_new_version}")
|
|
while True:
|
|
try:
|
|
_answer = input(f"Update {_script_location} to {_new_version} (y/n) or show difference (d)? ")
|
|
except KeyboardInterrupt:
|
|
print("")
|
|
sys.exit(0)
|
|
if _answer in ("Y","y","yes","j","J"):
|
|
with open(_script_location,"wb") as _f:
|
|
_f.write(_new_script.encode("utf-8"))
|
|
|
|
print(f"updated to Version {_new_version}")
|
|
if _pid > 0:
|
|
try:
|
|
os.kill(_pid,0)
|
|
try:
|
|
_answer = input(f"Daemon is running (pid:{_pid}), reload and restart (Y/N)? ")
|
|
except KeyboardInterrupt:
|
|
print("")
|
|
sys.exit(0)
|
|
if _answer in ("Y","y","yes","j","J"):
|
|
print("stopping Daemon")
|
|
os.kill(_pid,signal.SIGTERM)
|
|
print("waiting")
|
|
time.sleep(5)
|
|
print("restart")
|
|
os.system(f"{_script_location} --start")
|
|
sys.exit(0)
|
|
except OSError:
|
|
pass
|
|
break
|
|
elif _answer in ("D","d"):
|
|
for _line in difflib.unified_diff(_content.split("\n"),
|
|
_new_script.split("\n"),
|
|
fromfile=f"Version: {__VERSION__}",
|
|
fromfiledate=_current_last_modified.isoformat(),
|
|
tofile=f"Version: {_new_version}",
|
|
tofiledate=_github_last_modified.isoformat(),
|
|
n=1,
|
|
lineterm=""):
|
|
print(_line)
|
|
else:
|
|
break
|
|
|
|
elif args.help:
|
|
print("#"*35)
|
|
print("checkmk_agent for opnsense")
|
|
print(f"Version: {__VERSION__}")
|
|
print("#"*35)
|
|
print("")
|
|
print("Latest Version under https://github.com/bashclub/check-opnsense")
|
|
print("Questions under https://forum.opnsense.org/index.php?topic=26594.0\n")
|
|
print("Server-side implementation for")
|
|
print("-"*35)
|
|
print("\t* smartdisk - install the mkp from https://github.com/bashclub/checkmk-smart plugins os-smart")
|
|
print("\t* squid - install the mkp from https://exchange.checkmk.com/p/squid and forwarder -> listen on loopback active\n")
|
|
_parser.print_help()
|
|
print("\n")
|
|
if "start" in SYSHOOK_METHOD:
|
|
print("The agent will start automatic on system boot")
|
|
else:
|
|
print("to start the agent on boot, copy the file to /usr/local/etc/rc.syshook.d/start/")
|
|
print(f"The CHECKMK_BASEDIR is under {BASEDIR} (local,plugin,spool,tasks).")
|
|
print(f"Default config file location is {args.configfile}, create it if it doesn't exist.")
|
|
print("Config file options port,encrypt,onlyfrom,skipcheck with a colon and the value like the commandline option\n")
|
|
print("active config:")
|
|
print("-"*35)
|
|
for _opt in ("port","encrypt","onlyfrom","skipcheck","tenants"):
|
|
_val = getattr(args,_opt,None)
|
|
if _val:
|
|
print(f"{_opt}: {_val}")
|
|
print("\n")
|
|
print("the following tasks are found")
|
|
try:
|
|
_taskrunner = checkmk_taskrunner(None)
|
|
_taskrunner.check_taskdir()
|
|
for _task in sorted(_taskrunner._queue,key=lambda x: (x.type,x.id)):
|
|
print(" * [{type}]{id} ({interval} sec) piggyback:{piggyback} tenant:{tenant}".format(**_task.__dict__))
|
|
except:
|
|
raise
|
|
|
|
print("")
|
|
|
|
else:
|
|
log("no arguments")
|
|
print("#"*35)
|
|
print("checkmk_agent for opnsense")
|
|
print(f"Version: {__VERSION__}")
|
|
print("#"*35)
|
|
print("use --help or -h for help")
|