Ansible role installing check_mk agent on opnsense.
The role includes some local checks:
Check all configured gateways; one check is created per configured gateway
Sample output:
GWSTATUS-GW-WAN OK - GW_WAN (192.168.1.1) : Online
Check if a crash placed some file in /var/crash/;
Sample output:
0 CRASHSTATUS crashes=0 OK - no crashes found
Check if there are some updates available;
Sample output:
FIRMWARE OK - update 23.1.2 to 23.1.3 available since 1 days
PACKAGES WARNING - packages actions required
This check can be configured using a file /usr/local/lib/check_mk_agent/local/firmware_status.yml.
You can distribute this file by defining
opn_check_mk_additional_files:
  firmware_status.yml: "{{ opn_check_mk_lib_dir }}/local/"
Configurable vars:
- warn_days: warn if the outstanding update is older than X days; default: 1
- crit_days: critical if the outstanding update is older than X days; default: 14
- ignore_rc: ignore release candidate versions; default: True
- fetch_changelog_days: fetch new changelogs once X day(s); default: 1
- fetch_changelog_timeout: fetch changelog timeout in seconds; default: 20
- pkg_update_test: perform a pkg update test; if set to False, the PACKAGES check will be skipped; default: True
- pkg_update_timeout: timeout for pkg update test in seconds; default: 20
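How warn_days, crit_days and ignore_rc interact, as an added example that is not the role's own code. It assumes "older than X days" means strictly more than X, that release candidates carry an ".r<N>" version component, and the wording of the "no update" message; the function names are hypothetical.

```python
# Added example: threshold logic for the FIRMWARE check as the README describes it.
DEFAULTS = {"warn_days": 1, "crit_days": 14, "ignore_rc": True}  # defaults from the README
STATES = {0: "OK", 1: "WARNING", 2: "CRITICAL"}


def is_release_candidate(version):
    # Assumption: release candidates look like "23.7.r1" (an ".r<N>" component).
    return any(p.startswith("r") and p[1:].isdigit() for p in version.split("."))


def firmware_check(current, candidate, days_outstanding, overrides=None):
    """Return one Checkmk local check line: '<state> <service> <metrics> <text>'."""
    cfg = {**DEFAULTS, **(overrides or {})}
    if cfg["crit_days"] < cfg["warn_days"]:
        # A critical threshold below the warning threshold would hide the WARNING state.
        raise ValueError("crit_days must not be smaller than warn_days")
    if candidate is None or (cfg["ignore_rc"] and is_release_candidate(candidate)):
        return "0 FIRMWARE - OK - no update available"  # constructed message text
    # "older than X days" is read as strictly greater than X
    if days_outstanding > cfg["crit_days"]:
        state = 2
    elif days_outstanding > cfg["warn_days"]:
        state = 1
    else:
        state = 0
    return (f"{state} FIRMWARE - {STATES[state]} - update {current} to {candidate} "
            f"available since {days_outstanding} days")


if __name__ == "__main__":
    # Constructed sample inputs: (running version, offered version, age in days)
    for sample in [("23.1.2", "23.1.3", 1), ("23.1.2", "23.1.3", 2),
                   ("23.1.2", "23.1.3", 15), ("23.1.11", "23.7.r1", 30)]:
        print(firmware_check(*sample))
```
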
Audit installed packages against known vulnerabilities.
Sample output:
PKGAUDIT OK - no unacknowledged vulnerable packages found
You can acknowledge some package vulnerabilities using a pkg_audit.yml file; this can be distributed by defining
opn_check_mk_additional_files:
  pkg_audit.yml: "{{ opn_check_mk_lib_dir }}/local/"
A sample pkg_audit.yml can be generated using:
# /usr/local/lib/check_mk_agent/local/pkg_audit.py -p
---
curl:
  issues:
    - curl -- multiple vulnerabilities
...
Check installed packages for missing dependencies.
Sample output:
PCK_CHECK_DEPENDENCIES - OK -
Check for problems in the current pf rule definitions;
Sample output:
PFCTLSTATUS - OK - pfctl rules OK
Check power unit state using dmidecode (one check per unit).
Sample output:
0 PowerUnitGroup1 - OK - Power Unit Group: 1 Status: Present, OK
0 PowerUnitGroup2 - OK - Power Unit Group: 2 Status: Present, OK
The role can download the Check_MK Agent for FreeBSD from your checkmk server instance (see checkmk_hostname, checkmk_path and checkmk_proto in defaults/main.yml)
or you can download it on your own from
- your check_mk instance (https://yourCheckMK/check_mk/wato.py?folder=&mode=download_agents)
- or https://raw.githubusercontent.com/tribe29/checkmk/master/agents/check_mk_agent.freebsd
to files/check_mk_agent.freebsd.
The role must be run after https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-opnsense-facts .
The role must be run as root or w/ become: true.
And, of course, you will need to create a packet filter rule to allow connections from your checkmk server to the opnsense firewall on port 6556.
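- name: opnsense
  hosts: opnsense
  vars:
    # no privilege escalation: the connection user must be root, otherwise use become: true
    ansible_become: false
  roles:
    # the facts role has to run before the checkmk role
    - role: ansible-opnsense-facts
      tags:
        - opnsense
        - facts
    - role: ansible-opnsense-checkmk
      tags:
        - opnsense
        - checkmk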