Difference between revisions of "EGI CSIRT:Monitoring:NagiosInstallationGuide"
Latest revision as of 16:05, 14 September 2011
Installation guide for NGI level (security monitoring) Nagios
Prerequisites
- Dedicated host
Given the special authentication/authorization needs of this service, a dedicated node is needed. As egee-NAGIOS depends on gLite 3.2, the node must run one of the supported Linux distributions (RHEL, SL(C) or CentOS 5).
- An X.509 certificate
Installation Procedure
Disable SELINUX
First, SELinux should be disabled, as most of the services will not run with it enforcing. This is done with the following variable definition in /etc/selinux/config:
SELINUX=disabled
Configure repositories
The egee-NAGIOS installation needs the following YUM repositories:
- OS repositories
No special configuration is needed for these repositories
- DAG repository
This is usually installed with the distribution but disabled by default (needs to be enabled).
- EGEE-SA1 repositories
These are the repositories holding the current version of the egee-NAGIOS packages. The repository configuration files can easily be installed from the latest *sa1-release* package, which can be found here.
- lcg-CA
The lcg-CA repository configuration file can be found here
- glite-BDII
The glite-BDII repository configuration file can be found here
- glite-UI
The glite-UI repository configuration file can be found here
These repositories have many files in common, so the yum-priorities plugin needs to be installed:
yum install yum-priorities
The repository files then need to be modified to carry the following priorities (lower number wins):
OS → 1
sa1-centos5-release → 10
dag → 11
glite-UI → 16
Finally, as egee-NAGIOS uses later versions of php and perl-DBI than the OS ships, these packages need to be excluded from the OS repositories. Adding the following line to the OS repository files excludes them:
exclude=php*,perl-DBI
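The repository edits above (priorities, enabling DAG, the php/perl-DBI exclusion) as an added shell example; this is not code from the wiki page or from the egee-NAGIOS packages. It assumes one [section] per .repo file and the file names os.repo, sa1-centos5-release.repo, dag.repo and glite-UI.repo, which are this example's own choice, and it demonstrates the edit on constructed throwaway files rather than on /etc/yum.repos.d.

```shell
#!/bin/sh
# Added example, not code from the wiki page: set the yum-priorities values
# and the OS-repository exclusion the page describes on a directory of
# .repo files, then read them back. Assumes one [section] per .repo file and
# the file names used below (os.repo, sa1-centos5-release.repo, dag.repo,
# glite-UI.repo), which are this example's own choice.

set -eu

# Set KEY=VALUE in a .repo file: rewrite an existing line or append one.
set_repo_key() {
    file=$1; key=$2; value=$3
    if grep -q "^$key=" "$file"; then
        sed "s|^$key=.*|$key=$value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Print the value of KEY from a .repo file (nothing if absent).
get_repo_key() {
    sed -n "s/^$2=//p" "$1"
}

# Apply the page's priority scheme (lower number wins) and exclusions.
apply_egee_priorities() {
    dir=$1
    set_repo_key "$dir/os.repo" priority 1
    set_repo_key "$dir/sa1-centos5-release.repo" priority 10
    set_repo_key "$dir/dag.repo" priority 11
    set_repo_key "$dir/glite-UI.repo" priority 16
    # DAG ships disabled by default; the page says it must be enabled.
    set_repo_key "$dir/dag.repo" enabled 1
    # egee-NAGIOS needs newer php and perl-DBI than the OS repo carries.
    set_repo_key "$dir/os.repo" exclude 'php*,perl-DBI'
}

# Constructed throwaway .repo files for the demo (no real baseurls).
make_demo_repos() {
    dir=$(mktemp -d)
    printf '[os]\nname=OS\nenabled=1\npriority=99\n' > "$dir/os.repo"
    printf '[sa1]\nname=SA1\nenabled=1\n' > "$dir/sa1-centos5-release.repo"
    printf '[dag]\nname=DAG\nenabled=0\n' > "$dir/dag.repo"
    printf '[glite-UI]\nname=gLite UI\nenabled=1\n' > "$dir/glite-UI.repo"
    echo "$dir"
}

demo=$(make_demo_repos)
apply_egee_priorities "$demo"
cat "$demo"/*.repo
```

Pointing apply_egee_priorities at /etc/yum.repos.d (with the real file names of that host) applies the same edits to the live configuration; keeping the edit in a script makes the priority scheme reproducible when the box is rebuilt.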
Install packages
Now that all repositories are set up, the whole software stack can be installed with the following commands:
yum install lcg-CA
yum install httpd
yum groupinstall 'glite-UI (production - x86_64)'
yum install egee-NAGIOS
Note that if the "-y" flag is added to the yum commands, the installation runs unattended.
Configure using YAIM
The YAIM configuration for an NGI level security Nagios box can be done using the following template. As usual, the YAIM configuration can and should be modified to match the site's requirements.
# Generic
SITE_NAME=<The name of the site>
SITE_BDII_HOST=<The site BDII FQDN>
PX_HOST=<The FQDN of the MyProxy that will be used>
BDII_HOST=<A TOP-BDII that will be used>
RB_HOST=not.used.any.more # irrelevant, RB is unsupported
# VO configuration
VOS="ops"
VO_OPS_VOMS_SERVERS="vomss://voms.cern.ch:8443/voms/ops?/ops/"
VO_OPS_VOMSES="'ops lcg-voms.cern.ch 15009 /DC=ch/DC=cern/OU=computers/CN=lcg-voms.cern.ch ops 24' 'ops voms.cern.ch 15004 /DC=ch/DC=cern/OU=computers/CN=voms.cern.ch ops 24'"
VO_OPS_VOMS_CA_DN="'/DC=ch/DC=cern/CN=CERN Trusted Certification Authority' '/DC=ch/DC=cern/CN=CERN Trusted Certification Authority'"
VO_OPS_WMS_HOSTS="wms204.cern.ch wms205.cern.ch"
# Nagios
NAGIOS_HOST=<The nagios FQDN>
NAGIOS_ADMIN_DNS=<X509 subject DN of the admins>
NCG_NAGIOS_ADMIN=<An email for the admin notifications>
NAGIOS_ROLE=security
NCG_PROBES_TYPE=local
NCG_VO=ops
NAGIOS_HTTPD_ENABLE_CONFIG=true
NAGIOS_NCG_ENABLE_CONFIG=true
NAGIOS_SUDO_ENABLE_CONFIG=true
NAGIOS_NAGIOS_ENABLE_CONFIG=true
NAGIOS_CGI_ENABLE_CONFIG=true
NCG_REMOTE_USE_NAGIOS=false
NAGIOS_NSCA_PASS=MY_PASS
# NGI/ROC Nagios
ROC_NAME=<The NGI/ROC for which Nagios is running>
NCG_GOCDB_ROC_NAME=<The NGI/ROC for which Nagios is running>
NAGIOS_NCG_ENABLE_CRON=true
NCG_TOPOLOGY_USE_SAM=false
NCG_TOPOLOGY_USE_GOCDB=true
NCG_TOPOLOGY_USE_ENOC=false
NCG_TOPOLOGY_USE_LDAP=false
NCG_MDDB_SUPPORTED_PROFILES="security"
NCG_HASH_CONFIG_PROFILES="security"
NCG_REMOTE_USE_SAM=false
NCG_REMOTE_USE_NAGIOS=false
NCG_REMOTE_USE_ENOC=false
ATP_WEB_SECRET_KEY=<A key for the ATP web application>
MYSQL_ADMIN=<The MySQL root password>
ATP_DB_PASS=<The MySQL ATP password>
MDDB_DB_PASS=<The MySQL MDDB password>
MS_DB_PASS=<The MySQL metricstore password>
MYEGEE_DB_PASS=<The MySQL MyEGEE password>
The configuration is done via the following command:
/opt/glite/yaim/bin/yaim -s site-info.def -c -n glite-UI -n glite-NAGIOS
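A pre-flight check for the site-info.def template above, as an added shell example; it is not code from the wiki page nor part of YAIM. The variable names are the ones in the page's template; which values count as an unfilled placeholder or a template-default secret (the sample NAGIOS_NSCA_PASS=MY_PASS, for instance) and the accepted NAGIOS_ROLE values are this script's own assumptions. Running it before the yaim command catches the mistakes that otherwise surface only after a full reconfiguration.

```shell
#!/bin/sh
# Added example, not the wiki page's nor YAIM's own code: a pre-flight check
# for site-info.def before running yaim. The variable names are the ones in
# the page's template; which values count as placeholders or weak secrets is
# this script's own assumption.

set -eu

# Print the value of KEY ($2) from site-info.def ($1), first match,
# surrounding quotes stripped; prints nothing if the key is absent.
siteinfo_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | sed "s/^[\"']//; s/[\"']\$//"
}

# Succeed if any assignment still carries an unfilled <...> placeholder.
has_placeholders() {
    grep -q '^[A-Z_]*=.*<[^>]*>' "$1"
}

# Run all checks on site-info.def ($1). Problems go to stderr; the number of
# problems is printed on stdout so callers can compare it (0 = ready).
check_siteinfo() {
    f=$1
    problems=0
    # Every variable the template fills must be present and non-empty.
    for key in SITE_NAME SITE_BDII_HOST PX_HOST BDII_HOST NAGIOS_HOST \
               NAGIOS_ADMIN_DNS NCG_NAGIOS_ADMIN NAGIOS_ROLE NCG_VO \
               ROC_NAME NCG_GOCDB_ROC_NAME NAGIOS_NSCA_PASS ATP_WEB_SECRET_KEY \
               MYSQL_ADMIN ATP_DB_PASS MDDB_DB_PASS MS_DB_PASS MYEGEE_DB_PASS; do
        if [ -z "$(siteinfo_get "$f" "$key")" ]; then
            echo "missing or empty: $key" >&2
            problems=$((problems + 1))
        fi
    done
    # Template angle-bracket placeholders must have been replaced.
    if has_placeholders "$f"; then
        echo "unfilled <...> placeholders remain" >&2
        problems=$((problems + 1))
    fi
    # NAGIOS_ROLE must be a role the YAIM functions accept (security needs
    # glite-yaim-nagios-1.0.94-1.el5 or later, see Known issues on the page).
    case "$(siteinfo_get "$f" NAGIOS_ROLE)" in
        roc|ngi|site|project|vo|security) ;;
        *) echo "NAGIOS_ROLE must be one of roc, ngi, site, project, vo or security" >&2
           problems=$((problems + 1)) ;;
    esac
    # Secrets must not be left at the template's sample value.
    for key in NAGIOS_NSCA_PASS MYSQL_ADMIN ATP_DB_PASS MDDB_DB_PASS MS_DB_PASS MYEGEE_DB_PASS; do
        case "$(siteinfo_get "$f" "$key")" in
            MY_PASS|password|changeme)
                echo "default or trivial secret: $key" >&2
                problems=$((problems + 1)) ;;
        esac
    done
    echo "$problems"
}

# Constructed sample files (not real site data). "bad" keeps three of the
# mistakes the check is for: a placeholder, a misspelt role, the sample NSCA password.
write_demo_siteinfo() {
    if [ "$2" = bad ]; then
        role=secutiry; site='<The name of the site>'; nsca=MY_PASS
    else
        role=security; site=EXAMPLE-SITE; nsca=constructed-nsca-secret
    fi
    cat > "$1" <<EOF
SITE_NAME=$site
SITE_BDII_HOST=sbdii.example.org
PX_HOST=myproxy.example.org
BDII_HOST=bdii.example.org
NAGIOS_HOST=nagios.example.org
NAGIOS_ADMIN_DNS="/DC=org/DC=example/CN=Nagios Admin"
NCG_NAGIOS_ADMIN=nagios-admin@example.org
NAGIOS_ROLE=$role
NCG_VO=ops
NAGIOS_NSCA_PASS=$nsca
ROC_NAME=NGI_EXAMPLE
NCG_GOCDB_ROC_NAME=NGI_EXAMPLE
ATP_WEB_SECRET_KEY=constructed-atp-key
MYSQL_ADMIN=constructed-mysql-root
ATP_DB_PASS=constructed-atp-db
MDDB_DB_PASS=constructed-mddb-db
MS_DB_PASS=constructed-ms-db
MYEGEE_DB_PASS=constructed-myegee-db
EOF
}

demo_dir=$(mktemp -d)
write_demo_siteinfo "$demo_dir/bad.def" bad
write_demo_siteinfo "$demo_dir/good.def" good
echo "bad.def:  $(check_siteinfo "$demo_dir/bad.def") problem(s)"
echo "good.def: $(check_siteinfo "$demo_dir/good.def") problem(s)"
```

The secret check is deliberately a short deny-list of template values: its purpose is to stop MY_PASS and the other sample strings from reaching MySQL and NSCA, not to measure password strength.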
Finally, the Nagios box needs a MyProxy proxy, which can be created on the UI with the following command (it needs to be renewed at least every week):
myproxy-init -l nagios -s <MyProxy server FQDN> -k NagiosRetrieve-<Nagios server FQDN>-<VO used (ops)> -c 336 -x -Z <The Nagios's server certificate subject DN>
Authentication configuration
Normally YAIM grants access to the members of the VO that is used for the Nagios tests. This is normally not wanted for this kind of Nagios box. After each YAIM reconfiguration the contents of the file /etc/voms2htpasswd.conf must be replaced by the provider "URL(s)" to which we want to grant access. On the central security Nagios box the configuration used is:
gocdb://next.gocdb.eu/gocdbpi/private/?method=get_egee_contacts&roletype=Security Officer
gocdb://next.gocdb.eu/gocdbpi/private/?method=get_roc_contacts&roletype=Security Officer
The /etc/voms2htpasswd.conf.example shows some example configuration.
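The "replace the providers after every YAIM run" step, as an added shell example that is not code from the wiki page or from the voms2htpasswd tool. It assumes /etc/voms2htpasswd.conf holds one provider URL per line, as the page's excerpt suggests; the vomss:// line used as the "what YAIM left behind" sample is constructed from the page's VO_OPS_VOMS_SERVERS value and is only a stand-in for whatever YAIM actually writes. The check function is what you would hook into a post-YAIM script or a Nagios check to notice when VO-wide access has silently come back.

```shell
#!/bin/sh
# Added example (not from the page or from voms2htpasswd itself): re-apply the
# GOCDB-only provider list after a YAIM run and verify that no other provider
# is left. Assumes /etc/voms2htpasswd.conf holds one provider URL per line;
# the vomss:// sample line below is constructed, not YAIM's real output.

set -eu

# The providers the page lists for the central security Nagios box.
GOCDB_PROVIDERS='gocdb://next.gocdb.eu/gocdbpi/private/?method=get_egee_contacts&roletype=Security Officer
gocdb://next.gocdb.eu/gocdbpi/private/?method=get_roc_contacts&roletype=Security Officer'

# Overwrite the provider list, keeping a timestamped copy of what YAIM wrote.
reset_voms2htpasswd() {
    conf=$1
    if [ -f "$conf" ]; then
        cp "$conf" "$conf.pre-reset.$(date +%Y%m%d%H%M%S)"
    fi
    printf '%s\n' "$GOCDB_PROVIDERS" > "$conf"
}

# Print the number of provider lines that are not GOCDB role queries
# (blank lines and '#' comments ignored); 0 means only GOCDB providers remain.
count_non_gocdb_providers() {
    grep -v '^[[:space:]]*$' "$1" | grep -v '^#' | grep -vc '^gocdb://' || true
}

# Constructed stand-in for a conf as left by a YAIM run: a VO-wide provider.
write_demo_conf() {
    printf '%s\n' 'vomss://voms.cern.ch:8443/voms/ops?/ops/' > "$1"
}

demo_dir=$(mktemp -d)
conf="$demo_dir/voms2htpasswd.conf"
write_demo_conf "$conf"
echo "before reset: $(count_non_gocdb_providers "$conf") non-GOCDB provider(s)"
reset_voms2htpasswd "$conf"
echo "after reset:  $(count_non_gocdb_providers "$conf") non-GOCDB provider(s)"
cat "$conf"
```

Run reset_voms2htpasswd against /etc/voms2htpasswd.conf right after each yaim invocation, and let count_non_gocdb_providers fail a cron job or a local Nagios check whenever it prints anything other than 0.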
Known issues
- [Fixed in glite-yaim-nagios-1.0.94-1.el5] In the current Nagios YAIM functions (glite-yaim-nagios-1.0.91-1.el5) "security" is not a valid role for Nagios. The following patch fixes this issue:
--- config_ncg 2010-06-30 12:36:48.000000000 +0300 +++ local/config_ncg 2010-07-13 19:55:03.000000000 +0300 @@ -66,7 +66,7 @@ -if [ $NAGIOS_ROLE != 'roc' ] && [ $NAGIOS_ROLE != 'site' ] && [ $NAGIOS_ROLE != 'project' ] && [ $NAGIOS_ROLE != 'vo' ] && [ $NAGIOS_ROLE != 'ngi' ] +if [ $NAGIOS_ROLE != 'roc' ] && [ $NAGIOS_ROLE != 'site' ] && [ $NAGIOS_ROLE != 'project' ] && [ $NAGIOS_ROLE != 'vo' ] && [ $NAGIOS_ROLE != 'ngi' && [ $NAGIOS_ROLE != 'security' ] then yaimlog ERROR "\$NAGIOS_ROLE must be one of roc, ngi, site, project or vo" exit ${YEX_CONFIG}
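Review bot: the "+" line drops the "]" that closes the "[ $NAGIOS_ROLE != 'ngi'" test before "&& [ $NAGIOS_ROLE != 'security' ]", so the shell will abort the condition with a "missing ]" error instead of accepting the new role; it should read "[ $NAGIOS_ROLE != 'ngi' ] && [ $NAGIOS_ROLE != 'security' ]". The unchanged yaimlog ERROR message "\$NAGIOS_ROLE must be one of roc, ngi, site, project or vo" should also list security now that it is accepted. Quoting "$NAGIOS_ROLE" in each test would turn an empty or unset role into the intended error message rather than a shell syntax error.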
- Reconfiguration (YAIM function execution) modifies the voms2htpasswd configuration. After each reconfiguration the "Authentication configuration" step needs to be repeated.
References
- This document is based on the clean egee-NAGIOS installation guide.
- The security probes (grid-monitoring-probes-org.sam.sec) are documented on the HellasGrid Trac