Ansible role installing check_mk agent on opnsense.
The role includes some local checks:
Check all configured gateways; one check is created per configured gateway
Sample output:
GWSTATUS-GW-WAN OK - GW_WAN (192.168.1.1) : Online
Check if a crash placed some file in /var/crash/;
Sample output:
0 CRASHSTATUS crashes=0 OK - no crashes found
Check if there are some updates available;
Sample output:
FIRMWARE OK - update 23.1.2 to 23.1.3 available since 1 days
PACKAGES WARNING - packages actions required
This check can be configured using a file /usr/local/lib/check_mk_agent/local/firmware_status.yml.
You can distribute this file by defining
opn_check_mk_additional_files:
firmware_status.yml: "{{ opn_check_mk_lib_dir }}/local/"
Configurable vars:
warn_days: warn if the outstanding update is older then X days; default: 1crit_days: critical if the outstanding update is older then X days; default: 14ignore_rc: ignore release candidate versions; default: Truefetch_changelog_days: fetch new changelogs once X day(s); default: 1fetch_changelog_timeout: fetch changelog timeout in seconds; default: 20pkg_update_test: perform a pkg update test; if set toFalse, thePACKAGESwill be skipped; default: Truepkg_update_timeout: timeout for pkg update test in seconds; default: 20
Audit installed packages against known vulnerabilities.
Sample output:
PKGAUDIT OK - no unacknowledged vulnerable packages found
You can acknowledge some package vulnerabilties using a pkg_audit.yml file; this can be distributed by defining
opn_check_mk_additional_files:
pkg_audit.yml: "{{ opn_check_mk_lib_dir }}/local/"
A sample pkg_audit.yml can be generated using:
# /usr/local/lib/check_mk_agent/local/pkg_audit.py -p
---
curl:
issues:
- curl -- multiple vulnerabilities
...
check installed packages for missing dependencies
Sample output:
PCK_CHECK_DEPENDENCIES - OK -
Check for problems in the current pf rule definitions;
Sample output:
PFCTLSTATUS - OK - pfctl rules OK
Check power unit state using dmidecode (one check per unit).
Sample output:
0 PowerUnitGroup1 - OK - Power Unit Group: 1 Status: Present, OK
0 PowerUnitGroup2 - OK - Power Unit Group: 2 Status: Present, OK
Make sure you configure your OPNsense router as follows:
Modify the /boot/loader.conf file and add at least on of the following entries:
coretemp_load="YES"
amdtemp_load="YES"
It's also acceptable to have both entries in your configuration.
In some cases, if the script does not recognize the thermal sensor, you can manually switch it to either amdtemp or coretemp via the GUI.
To do this, navigate to: System > Settings > Miscellaneous > Thermal Sensors > Hardware
Alternatively, you can set this configuration using the OPNsense role under general settings:
opn_general:
system/webgui/thermal_hardware: "amdtemp"
Troubleshoot the functionality of your thermal sensors by using this command on your opnsense:
sysctl -a | grep temperature
The role includes some (optional) plugins
a improved version of the checkkmk wireguard plugin (see PR #32)
The role can download the Check_MK Agent for FreeBSD from your checkmk server instance (see checkmk_hostname, checkmk_path and checkmk_proto in defaults/main.yml)
or you can download it on your own from
- your check_mk instance (https://yourCheckMK/check_mk/wato.py?folder=&mode=download_agents)
- or https://raw.githubusercontent.com/tribe29/checkmk/master/agents/check_mk_agent.freebsd
to files/check_mk_agent.freebsd.
The role requires to be run after https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-opnsense-facts .
The role must be run as root or w/ become: true.
And, of course, you will need to create a packet filter rule to allow connections from your checkmk server to the opnsense firewall on port 6556.
- name: opnsense
hosts: opnsense
vars:
ansible_become: false
roles:
- role: ansible-opnsense-facts
tags:
- opnsense
- facts
- role: ansible-opnsense-checkmk
tags:
- opnsense
- checkmk