[ Lab 5.2 ] Nagios Troubleshooting & HTTPS - smitja21/group-a-oe2 GitHub Wiki

[!NOTE] #51: Nagios Troubleshooting & HTTPS

Part 1: Systematic Diagnostic Workflow

Task 1: Establish a working baseline before making changes

  1. Check the service states
  1. Check the current file permissions in /etc/nagios4/
  1. Check the puppet module state
  1. Check apache modules loaded

Output of ls -la /etc/nagios4/

root has read and write permissions as the owner, while group and others have read-only access to apache2.conf, cgi.cfg and nagios.cfg.

nagios has read and write permissions as the owner of htdigest.users; the group can only read it, and others have no access. The same applies to htpasswd.users, except that its owner is www-data.

group-a@mgmt-a:~$ ls -la /etc/nagios4/.
total 104
drwxr-xr-x   5 root     root      4096 Mar 23 20:41 .
drwxr-xr-x 118 root     root     12288 Mar 23 20:47 ..
-rw-r--r--   1 root     root      1952 Jul 29  2024 apache2.conf
-rw-r--r--   1 root     root     13704 Jul 29  2024 cgi.cfg
drwxrwxr-x   2 root     puppet    4096 Mar 23 21:13 conf.d
-rw-r-----   1 nagios   www-data     0 Mar 23 19:57 htdigest.users
-rw-r-----   1 www-data www-data    50 Mar 23 20:34 htpasswd.users
-rw-r--r--   1 root     root     45997 Jul 29  2024 nagios.cfg
drwxr-xr-x   2 root     root      4096 Mar 23 19:57 objects
-rw-r-----   1 root     nagios    1308 Jul 29  2024 resource.cfg
drwxr-xr-x   2 root     root      4096 Mar 23 19:57 stylesheets
group-a@mgmt-a:~$

Does the current sudo puppet agent --test --noop produce any errors?

No errors

1.3 Enforce Authentication for All Access

AuthType Digest will hash the credentials (both user and password) for added security.

1.4 Enable Nagios Internal Authentication

Edit the CGI configuration file /etc/nagios4/cgi.cfg and set use_authentication=

1.5 Apply the changes


This shows that authentication is working when the website is accessed without providing credentials/login.

Part 2: Expanding Monitoring with Service Checks

Task 2: Add SSH and HTTP service checks for db-a

  1. In config.pp for nagios, inside of the nagios::config class and after nagios_host

     nagios_service attribute explanation:

     host_name: which host this service belongs to
     service_description: label shown in the Nagios web interface
     target: the file that the service definition is written into
     check_command => 'check_ssh': runs against the host
     notification_options => 'w,c,r': w = warning, c = critical, r = recovery
  1. Apply the updated module and verify
  1. Validate the complete Nagios config
  1. Manually test the SSH check plugin
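
The two checks this task describes could be declared as shown here. This is an added example, not the group's actual config.pp; the target file name, the generic-service template, the resource titles and the file mode are assumptions, and a nagios_host named db-a is assumed to be declared already.

```puppet
# Added example: SSH and HTTP checks for db-a, placed inside nagios::config
# after the existing nagios_host resources.
# Assumptions (not from the lab page): the target path, the 'generic-service'
# template, the resource titles, and a nagios_host 'db-a' already declared.

# Shared attributes so both checks land in one file with the same policy.
$service_defaults = {
  ensure               => present,
  host_name            => 'db-a',             # host this service belongs to
  use                  => 'generic-service',  # assumed template
  target               => '/etc/nagios4/conf.d/ppt_services.cfg',  # assumed file
  notification_options => 'w,c,r',            # warning, critical, recovery
  mode                 => '0644',             # holds no secrets; nagios must read it
}

nagios_service { 'db-a-ssh':
  service_description => 'SSH',        # label shown in the Nagios web interface
  check_command       => 'check_ssh',  # runs against the host
  *                   => $service_defaults,
}

nagios_service { 'db-a-http':
  service_description => 'HTTP',
  check_command       => 'check_http',
  *                   => $service_defaults,
}
```

After applying, sudo nagios4 -v /etc/nagios4/nagios.cfg validates the complete configuration, including the generated file, before the service is reloaded.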

Stop SSH on db-a: sudo systemctl stop ssh

Part 4: Securing the Web Interface with HTTPS

In HTTP, the nagiosadmin password is transmitted in cleartext on every request.

Task 3: Verify your group domain resolves to your server

  1. Paste the output of dig group-a.op-bit.nz +short and curl -s ifconfig.me. Do the IP addresses match?

group-a@mgmt-a:~$ dig $GROUP_DOMAIN +short
20.211.30.149
group-a@mgmt-a:~$ curl -s ifconfig.me
20.211.30.149group-a@mgmt-a:~$

Yes, they match.

Task 4: Configure Apache with your group ServerName

Apache must know the canonical hostname.

  1. Ensure the puppetlabs-stdlib module is installed
  1. Add the ServerName to config.pp
  1. Apply and verify

Task 5: Install certbot and test with a dry run

Let's Encrypt enforces a rate limit of 5 failed certificate requests per domain per hour. The staging dry run uses a rate-limited environment.

  1. First, check if it's installed
  1. Dry run against Let's Encrypt staging server

Task 6: Obtain the certificate and enable HTTPS

The certbot Apache plugin configures Apache's virtual host automatically.

https://group-a.op-bit.nz/nagios4

Task 7: Enforce certificate renewal via Puppet

  1. Inside of nagios::service