Wednesday, February 13, 2019

Creating SELinux policies for Icinga NRPE on Red Hat/CentOS Linux


We all know how to configure NRPE on a system and set up remote checks with it. We do this with lightning speed with SELINUX=disabled. But what about systems that have SELinux enabled? How do we configure NRPE on those? Simple. We disable SELinux and configure NRPE.

Well, that is not recommended. We need to keep SELinux enforcing and configure NRPE to work with it. That was very difficult in the old days, but not any more. Let's see how to install and configure NRPE with SELinux enforcing.

First of all we have to install a couple of packages to ease the process: setroubleshoot and setroubleshoot-server. This is very important; without them we can't move ahead.
#yum install setroubleshoot setroubleshoot-server
#systemctl restart auditd.service (please note: this will fail)
#service auditd restart
Then restart the nrpe service and run the checks from the Icinga node. We will see a lot of SELinux denial errors in the journalctl log.

Once we have run almost all the checks, 99% of the SELinux rules we need will be in the journal log.
So we grep the nrpe related lines from the audit log and generate a .te (type enforcement) file with audit2allow. Here we are using nagios_user as the nrpe user.
#grep "nrpe\|nagios_user\|check_" /var/log/audit/audit.log | audit2allow -m nrpe_plugins > nrpe_plugins.te
Now compile it:
#checkmodule -M -m -o nrpe_plugins.mod nrpe_plugins.te
checkmodule is a program that checks and compiles a SELinux security policy module into a binary representation.

Creating policy:
#semodule_package -o nrpe_plugins.pp -m nrpe_plugins.mod
semodule_package is the tool used to create a SELinux policy module package from a binary policy module and optionally other data such as file contexts.

Once the policy file is ready, you can copy it to similar systems and install it with the following command:
#semodule -i nrpe_plugins.pp
During all of this, you can check the logs using:
#journalctl -b -0
#journalctl -f   (to follow in real time)
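To see what the grep | audit2allow step above actually produces, and to give the .te file a quick review before copying it to other systems, here is an added Python example (not from the original post, and not audit2allow's own code) that re-implements the core of audit2allow -m: it parses AVC records from audit.log, keeps only the denials whose source domain is nrpe_t, aggregates them into allow rules in .te layout, and flags rules that touch types such as shadow_t which an NRPE plugin should not need. The audit.log excerpt and the REVIEW_TYPES list are constructed for the example.

```python
import re
from collections import defaultdict

DENIED_RE = re.compile(r"denied\s+\{ ([^}]+) \}")
FIELD_RE = re.compile(r"(\w+)=(\S+)")  # key=value tokens of an audit record
# Constructed starting list of target types an NRPE plugin policy should not touch.
REVIEW_TYPES = {"shadow_t", "ssh_home_t", "selinux_config_t"}

# Constructed audit.log excerpt: three nrpe_t denials and one httpd_t denial to ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1549991234.101:401): avc:  denied  { read } for  pid=2101 comm="check_disk" name="mounts" dev="proc" ino=4026531863 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1549991234.102:402): avc:  denied  { open } for  pid=2101 comm="check_disk" path="/proc/mounts" dev="proc" ino=4026531863 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1549991234.200:403): avc:  denied  { read } for  pid=2102 comm="check_local" name="shadow" dev="dm-0" ino=1310 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1549991234.300:404): avc:  denied  { read } for  pid=900 comm="httpd" name="index.html" dev="dm-0" ino=22 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

def collect_rules(log_text, source_type="nrpe_t"):
    """Group AVC denials of one source domain into (stype, ttype, tclass) -> perms."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if "type=AVC" not in line or not m:
            continue
        f = dict(FIELD_RE.findall(line))
        # contexts are user:role:type:level; only the type matters for the rule
        stype, ttype = (f[k].split(":")[2] for k in ("scontext", "tcontext"))
        if stype == source_type:
            rules[(stype, ttype, f["tclass"])].update(m.group(1).split())
    return dict(rules)

def fmt_perms(perms):
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"

def allow_line(key, perms):
    return "allow {} {}:{} {};".format(*key, fmt_perms(perms))

def render_te(rules, module="nrpe_plugins"):
    """Emit type-enforcement source in the layout audit2allow -m produces."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    body = [f"module {module} 1.0;", "", "require {"]
    body += [f"\ttype {t};" for t in types]
    body += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    body += ["}", ""] + [allow_line(k, p) for k, p in sorted(rules.items())]
    return "\n".join(body) + "\n"

def review(rules):
    """Allow lines touching a REVIEW_TYPES target: read these before semodule -i."""
    return [allow_line(k, p) for k, p in sorted(rules.items()) if k[1] in REVIEW_TYPES]
```

Run render_te(collect_rules(open("/var/log/audit/audit.log").read())) on a real box and compare with the audit2allow output; any line returned by review() is one to drop or justify before the module goes onto other hosts.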

To view the SELinux modules installed on the server, use:
#semodule -l

To remove an installed SELinux module from the server, use:
#semodule -r module_name_to_be_removed
