[ Lab 7.2 ] NRPE: Remote Nagios Checks via Puppet - smitja21/group-a-oe2 GitHub Wiki

[!NOTE] #63: NRPE Remote Nagios Check

Nagios Remote Plugin Executor (NRPE) is used to monitor local system metrics such as disk, load, and users on remote infrastructure nodes.

Part 1: Build the NRPE Puppet Module

Task 1: Identify the correct disk device on each agent node

Run df -h / on db-a

group-a@db-a:~$ df -hT
Filesystem     Type      Size  Used Avail Use% Mounted on
/dev/root      ext4       29G  2.7G   26G  10% /
tmpfs          tmpfs     2.0G     0  2.0G   0% /dev/shm
tmpfs          tmpfs     784M  1.0M  783M   1% /run
tmpfs          tmpfs     5.0M     0  5.0M   0% /run/lock
efivarfs       efivarfs  128M   26K  128M   1% /sys/firmware/efi/efivars
/dev/sda16     ext4      881M  115M  704M  15% /boot
/dev/sda15     vfat      105M  6.2M   99M   6% /boot/efi
/dev/sdb1      ext4      7.8G   28K  7.4G   1% /mnt
tmpfs          tmpfs     392M   12K  392M   1% /run/user/1001
group-a@db-a:~$

Run df -h / on backup-a

Check with ssh app-a df -h from mgmt-a

group-a@mgmt-a:~$ ssh app-a df -h
group-a@app-a's password:
Filesystem      Size  Used Avail Use% Mounted on
/dev/root        29G  2.4G   26G   9% /
tmpfs           2.0G     0  2.0G   0% /dev/shm
tmpfs           784M 1008K  783M   1% /run
tmpfs           5.0M     0  5.0M   0% /run/lock
efivarfs        128M   26K  128M   1% /sys/firmware/efi/efivars
/dev/sda16      881M  115M  704M  15% /boot
/dev/sda15      105M  6.2M   99M   6% /boot/efi
/dev/sdb1       7.8G   28K  7.4G   1% /mnt
tmpfs           392M   12K  392M   1% /run/user/1001
group-a@mgmt-a:~$

Task 2: Create the NRPE module directory structure

Task 3: Write the install class

sudo nano $MODPATH/nrpe/manifests/install.pp

Task 4: Create the NRPE ERB configuration template

NRPE's configuration file /etc/nagios/nrpe.cfg must be managed by Puppet for consistent deployment across nodes.

  1. Download the base configuration file
  1. Inspect the base file before modifying it

What value does allowed_hosts have in the downloaded file?
The values in allowed_hosts are 127.0.0.1 and mgmt-a (mgmt-x in this image because it is a template)

What command[] entries already exist, and which ones are missing or need to be added?
Missing partitions sda15 and sda16

  1. Copy the file into the module and convert it to a template

Change 1: Add a Puppet-managed header at the very top of the file

Change 2: Update allowed_hosts to accept requests from mgmt-a only:

Change 3: Confirm dont_blame_nrpe is set to 0

Change 4: Confirm SSL is enabled (add if not already present)

Change 5: Add or update the four required command[] entries.


  1. Validate your template

The template sets dont_blame_nrpe=0. Look up what happens when this is set to 1. What attack becomes possible? Why is keeping it 0 a security best practice even though it limits what Nagios can pass to check commands?
According to the Nagios Support Knowledgebase, setting dont_blame_nrpe to 1 allows arguments to be received by external plugins. This is a security risk "due to possibilities of a malicious user finding a weakness and exploiting that weakness" (NRPE - Configuring NRPE Commands To Accept Arguments).
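
The template validation step and the dont_blame_nrpe question above can be backed by an automated check on the rendered file. The following is an added example, not part of the lab or of NRPE itself: it parses nrpe.cfg text and reports when dont_blame_nrpe is not 0, when allowed_hosts contains anything beyond the expected monitoring host, and when a command[] definition relies on $ARGn$ macros. The sample config, plugin path and thresholds are constructed for illustration.

```python
import re

# Constructed sample of a rendered nrpe.cfg (not the lab's actual file).
SAMPLE_CFG = """\
# Managed by Puppet - host: db-a
allowed_hosts=127.0.0.1,mgmt-a
dont_blame_nrpe=1
command[check_load]=/usr/lib/nagios/plugins/check_load -w 5,4,3 -c 10,8,6
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p /
"""

def parse_nrpe_cfg(text):
    """Split nrpe.cfg text into plain settings and command[] definitions."""
    settings, commands = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = re.fullmatch(r"command\[(.+)\]", key)
        if match:
            commands[match.group(1)] = value
        else:
            settings[key] = value
    return settings, commands

def audit(text, expected_hosts):
    """Return findings for the settings Task 4 asks to confirm."""
    settings, commands = parse_nrpe_cfg(text)
    findings = []
    # Change 3: the directive must be present and set to 0.
    if settings.get("dont_blame_nrpe") != "0":
        findings.append("dont_blame_nrpe is not explicitly 0")
    # Change 2: only the expected monitoring host(s) may be listed.
    raw_hosts = settings.get("allowed_hosts", "")
    hosts = {h.strip() for h in raw_hosts.split(",") if h.strip()}
    if not hosts:
        findings.append("allowed_hosts is not set")
    extra = sorted(hosts - set(expected_hosts))
    if extra:
        findings.append("unexpected allowed_hosts: " + ",".join(extra))
    # Change 5: thresholds should be hard-coded, not taken from the client.
    for name, cmdline in sorted(commands.items()):
        if re.search(r"\$ARG\d+\$", cmdline):
            findings.append(f"command[{name}] takes client-supplied arguments")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG, {"mgmt-a"}):
        print("FINDING:", finding)
```

Run against the file Puppet actually wrote on each agent node, an empty result means the three settings match what the template is meant to enforce.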

The ERB header uses <%= @facts['networking']['hostname'] %>. When Puppet applies the template to db-a and then to app-a, what will this line produce in each generated nrpe.cfg? Why is this useful for auditing which server a config file came from?

Task 5: Write the config class

Task 6: Write the service class

Task 7: Write init.pp

Task 8: Apply the NRPE module to the agent nodes

Do not include this in mgmt

Paste the output of `sudo ss -tlnp | grep 5666`

group-a@db-a:~$ sudo ss -tlnp | grep 5666
LISTEN 0      5            0.0.0.0:5666      0.0.0.0:*    users:(("nrpe",pid=408361,fd=4))
LISTEN 0      5               [::]:5666         [::]:*    users:(("nrpe",pid=408361,fd=5))
group-a@db-a:~$

Run sudo puppet agent --test --noop on db-a. Does Puppet report any drift?

group-a@db-a:~$ sudo puppet agent --test --noop
Info: Refreshing CA certificate
Info: CA certificate is unmodified, using existing CA certificate
Info: Refreshing CRL
Info: CRL is unmodified, using existing CRL
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Notice: Requesting catalog from mgmt-a.oe2.org.nz:8140 (10.2.0.4)
Notice: Catalog compiled by mgmt-a.oe2.org.nz
Info: Applying configuration version '1775689859'
Notice: Applied catalog in 0.65 seconds

Part 2: Test NRPE Connectivity Before Configuring Nagios

Always test a check manually before declaring it in Puppet

Task 9: Install the NRPE client plugin on mgmt-a and open the firewall

  1. Install the check_nrpe plugin
  1. Verify the plugin is available

Task 10: Test each NRPE command from mgmt-a

Document the output of all four check_nrpe commands against db-a. Which checks returned OK? Did any fail? Yes, at first.

Part 3: Add NRPE Service Checks to the Nagios Module

Task 11: Add the NRPE host group and service checks to config.pp

Task 12: Apply and validate the full Nagios configuration