Install Nagios Core on CentOS 8

Posted: November 4, 2019 in Linux

I disabled SELinux

# Writes SELINUX=disabled into the persistent SELinux config file.
# NOTE(review): this removes SELinux confinement from httpd and the Nagios CGIs
# on a host that is about to expose a web UI. SELINUX=permissive would keep
# logging denials so a policy can be built and enforcing mode restored later.
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
# Puts the running system into permissive mode straight away.
setenforce 0

 

Install Python and other prerequisites

 

# Packages the rest of this guide relies on (compiler, Apache, PHP, GD, mail).
dnf install -y \
  compat-openssl10 python3 perl gcc glibc glibc-common \
  wget unzip httpd php gd gd-devel postfix
# Point the unversioned `python` command at Python 3.
alternatives --set python /usr/bin/python3

Add nagios user and group

# Command group later handed to ./configure via --with-command-group.
groupadd nagcmd
# User account for Nagios.
useradd nagios

Add both the nagios user and the apache user to the nagcmd group 

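# -a appends. Plain `usermod -G` replaces the account's whole supplementary
# group list, which would drop apache (or nagios) from any group it already had.
usermod -aG nagcmd nagios
usermod -aG nagcmd apache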

Download nagios setup

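mkdir setup
cd setup
# 4.4.5 is the release this post was written against; check the vendor's
# download page for the current one before building.
wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.4.5.tar.gz
# The tarball is compiled and installed as root below, so compare it with a
# digest obtained from the vendor before unpacking. <EXPECTED_SHA256> is a
# placeholder: the page does not give the value.
echo "<EXPECTED_SHA256>  nagios-4.4.5.tar.gz" | sha256sum -c - \
  && tar xvf nagios-4.4.5.tar.gz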

Install nagios

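cd nagios-4.4.5
# nagcmd is the group created earlier that both nagios and apache belong to.
./configure --with-command-group=nagcmd
make all
make install
make install-init
make install-commandmode
make install-config
make install-webconf
# Set the nagiosadmin password. -c creates the file (overwriting an existing
# one); -B stores a bcrypt hash instead of the unsalted SHA-1 that -s produces.
htpasswd -B -c /usr/local/nagios/etc/htpasswd.users nagiosadmin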

Setup EventHandlers

# Copy the sample event handlers into the plugin directory, then hand the
# copied tree to the nagios account.
handlers_dir=/usr/local/nagios/libexec/eventhandlers
cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/
chown -R nagios:nagios "$handlers_dir"

 

 

Download and install nagios plugins

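yum install -y gcc glibc glibc-common make gettext automake autoconf wget openssl-devel net-snmp net-snmp-utils
# Build in a private directory rather than a fixed path in world-writable /tmp.
builddir=$(mktemp -d)
cd "$builddir"
# Certificate checking stays on: this archive is compiled and installed as
# root, so the download must come from an authenticated TLS peer.
wget -O nagios-plugins.tar.gz https://github.com/nagios-plugins/nagios-plugins/archive/release-2.2.1.tar.gz
tar zxf nagios-plugins.tar.gz
cd nagios-plugins-release-2.2.1/
./tools/setup
./configure --with-openssl --with-nagios-user=nagios --with-nagios-group=nagios
make
make install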

 Apache configuration:

Create file (if not exists): /etc/httpd/conf.d/nagios.conf

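ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
   # Basic authentication sends the password with every request, so the CGIs
   # are only served over TLS, matching the /nagios block below (needs mod_ssl).
   SSLRequireSSL
   Options ExecCGI
   AllowOverride None
   <IfVersion >= 2.3>
      <RequireAll>
         # Inside RequireAll every rule must pass, so "Require valid-user"
         # is what actually gates access.
         Require all granted
#        Require host 127.0.0.1

         AuthName "Nagios Access"
         AuthType Basic
         AuthUserFile /usr/local/nagios/etc/htpasswd.users
         Require valid-user
      </RequireAll>
   </IfVersion>
   # Legacy access-control syntax, only read by servers older than 2.3.
   <IfVersion < 2.3>
      Order allow,deny
      Allow from all
      Order deny,allow
#     Deny from all
#     Allow from 127.0.0.1

      AuthName "Nagios Access"
      AuthType Basic
      AuthUserFile /usr/local/nagios/etc/htpasswd.users
      Require valid-user
   </IfVersion>
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
   SSLRequireSSL
   Options None
   AllowOverride None
   <IfVersion >= 2.3>
      <RequireAll>
         Require all granted
#        Require host 127.0.0.1

         AuthName "Nagios Access"
         AuthType Basic
         AuthUserFile /usr/local/nagios/etc/htpasswd.users
         Require valid-user
      </RequireAll>
   </IfVersion>
   <IfVersion < 2.3>
      Order allow,deny
      Allow from all
      Order deny,allow
#     Deny from all
#     Allow from 127.0.0.1

      AuthName "Nagios Access"
      AuthType Basic
      AuthUserFile /usr/local/nagios/etc/htpasswd.users
      Require valid-user
   </IfVersion>
</Directory>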

Install NRPE

NRPE allows you to remotely execute Nagios plugins on other Linux/Unix machines. This allows you to monitor remote machine metrics (disk usage, CPU load, etc.). NRPE can also communicate with some of the Windows agent addons, so you can execute scripts and check metrics on remote Windows machines as well.

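# install nrpe
dnf install openssl-devel
wget https://github.com/NagiosEnterprises/nrpe/releases/download/nrpe-3.2.1/nrpe-3.2.1.tar.gz
tar -xvf nrpe-3.2.1.tar.gz
cd nrpe-3.2.1
# Built with SSL support (no --disable-ssl): without it check_nrpe sends check
# requests and results across the network unencrypted. A remote agent that was
# itself built without SSL can still be queried with `check_nrpe -n`.
./configure --with-nrpe-user=nagios --with-nrpe-group=nagios --with-nagios-user=nagios --with-nagios-group=nagios --libexecdir=/usr/local/nagios/libexec/ --bindir=/usr/local/nagios/bin/ --prefix=/usr/local/nagios
make
make install
cp src/check_nrpe /usr/local/nagios/libexec/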

Install NCPA 

NCPA is a cross-platform monitoring agent that runs on Windows, Linux/Unix, and Mac OS/X machines. Its features include both active and passive checks, remote management, and a local monitoring interface.

 

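wget https://assets.nagios.com/downloads/ncpa/check_ncpa.tar.gz
tar -zxf check_ncpa.tar.gz
mv check_ncpa.py /usr/local/nagios/libexec/
chown nagios:nagios /usr/local/nagios/libexec/check_ncpa.py
# 755 rather than 775: the plugin only has to be executable, and leaving it
# group-writable lets any member of the nagios group change code the daemon runs.
chmod 755 /usr/local/nagios/libexec/check_ncpa.py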

Next, add the check_ncpa command to commands.cfg

# Open the command definitions file to add the check_ncpa command.
vim /usr/local/nagios/etc/objects/commands.cfg 

# Runs check_ncpa.py from $USER1$ (normally the plugin directory) against the
# host's address. All other options arrive through $ARG1$; presumably that
# includes the NCPA token, so confirm who can read the service definitions.
define command { 

    command_name    check_ncpa 

    command_line    $USER1$/check_ncpa.py -H $HOSTADDRESS$ $ARG1$ 

} 

Adding contact

Edit contacts.cfg and change the email address

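# Notifications carry host names and check output, so the address below must be
# a mailbox you control. nagios@localhost is the stock placeholder.
define contact{
        contact_name            nagiosadmin             ; Short name of user
        use                     generic-contact         ; Inherit default values from generic-contact template (defined above)
        alias                   Nagios Admin            ; Full name of user
        email                   nagios@localhost        ; <<***** CHANGE THIS TO YOUR EMAIL ADDRESS ******
        }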

Enable and start nagios and httpd

# Register both services for boot and start them right away.
systemctl enable --now nagios
systemctl enable --now httpd

Active directory authentication and LDAP over SSL

Install Root CA certificates

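# mod_ldap provides the LDAP authentication modules. mod_ssl is needed for the
# SSLRequireSSL directive and ships /etc/httpd/conf.d/ssl.conf, both used below.
dnf install mod_ldap mod_ssl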

This enables SSL and AD authentication, and redirects HTTP to HTTPS

Edit /etc/httpd/conf.d/nagios.conf

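# Send plain-HTTP requests to HTTPS so Basic-auth credentials are not sent in clear.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

LogLevel warn

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
   SSLRequireSSL
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
   # Providers are tried in order: the directory first, then the htpasswd file.
   AuthBasicProvider ldap file
   AuthType Basic
   AuthLDAPBindAuthoritative on
   AuthLDAPGroupAttributeIsDN on
   AuthName "Active Directory Login"
   # Closing quote restored; without it the directive does not parse.
   AuthLDAPURL "ldaps://test.com:636/dc=test,dc=com?sAMAccountName"
   AuthLDAPBindDN "bindtest@test.com"
   # The bind password sits here in clear text: keep this file readable by root
   # only and give the bind account read-only rights in the directory. An
   # "exec:" value lets the password come from a program instead.
   AuthLDAPBindPassword pass
   AuthUserFile /usr/local/nagios/etc/htpasswd.users
   # Same group gate as the /nagios block below. "Require valid-user" here would
   # let every account in the directory reach the CGIs.
   Require ldap-group CN=mygroup,OU=Security,OU=Groups,OU=test,DC=test,DC=com
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
   SSLRequireSSL
   # Static content only, so CGI execution is not enabled here.
   Options None
   AllowOverride None
   AuthBasicProvider ldap file
   AuthType Basic
   AuthLDAPBindAuthoritative on
   AuthName "Active Directory Login 1"
   AuthLDAPURL "ldaps://test.com:636/dc=test,dc=com?sAMAccountName"
   AuthLDAPBindDN "bindtest@test.com"
   AuthLDAPBindPassword pass
   AuthUserFile /usr/local/nagios/etc/htpasswd.users
   #Require valid-user
   Require ldap-group CN=mygroup,OU=Security,OU=Groups,OU=test,DC=test,DC=com
</Directory>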

/etc/httpd/conf.d/ssl.conf

# Server certificate (public).
SSLCertificateFile /etc/ssl/certs/nagios.cer
# Private key. NOTE(review): it sits in the certificate directory here; make
# sure it is owned by root with mode 0600, or keep it under /etc/pki/tls/private.
SSLCertificateKeyFile /etc/ssl/certs/nagios.key

To avoid the following error:

It appears as though you do not have permission to view information for any of the hosts you requested…

If you believe this is an error, check the HTTP server authentication requirements for accessing this CGI
and check the authorization options in your CGI configuration file.
Replace all of the “nagiosadmin” entries with “*” in /usr/local/nagios/etc/cgi.cfg

# Rewrites the first "nagiosadmin" on each line of cgi.cfg to "*".
# NOTE(review): in cgi.cfg "*" means every authenticated user, so this gives the
# authorized_for_* rights (system information, configuration, and host/service
# commands) to anyone who passes the Apache login. A comma-separated list of
# the intended usernames keeps those rights with named admins.
sed -i 's/nagiosadmin/*/' /usr/local/nagios/etc/cgi.cfg
# Restart both services after the change.
systemctl restart nagios
systemctl restart httpd 

Using Start TLS

STARTTLS is an alternative approach that is now the preferred method of encrypting an LDAP connection. STARTTLS “upgrades” a non-encrypted connection by wrapping it with SSL/TLS after/during the connection process. This allows unencrypted and encrypted connections to be handled by the same port. This guide will utilize STARTTLS to encrypt connections.

Now our /etc/httpd/conf.d/nagios.conf looks like this:

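# Send plain-HTTP requests to HTTPS so Basic-auth credentials are not sent in clear.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

# "debug" is only useful while troubleshooting the LDAP setup; warn is the
# level used in the earlier version of this file.
LogLevel warn

# StartTLS is requested on the ldap:// connections below. The directory
# server's certificate is still verified (LDAPVerifyServerCert defaults to On),
# so its issuing CA must be trusted, e.g.
#   LDAPTrustedGlobalCert CA_BASE64 <path-to-root-ca.pem>
LDAPTrustedMode TLS

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
   SSLRequireSSL
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
   # Listed once: the directory first, then the htpasswd file.
   AuthBasicProvider ldap file
   AuthType Basic
   AuthName "login to continue"
   AuthLDAPBindAuthoritative on
   # NOTE(review): base DN and bind account differ from the /nagios block
   # below; confirm both are meant to point at the same directory.
   # Closing quote restored; without it the directive does not parse.
   AuthLDAPURL "ldap://test.com/dc=devtech,dc=local?sAMAccountName"
   AuthLDAPBindDN "test@dtest.com"
   # Clear-text bind password: keep this file readable by root only.
   AuthLDAPBindPassword "pass"
   #require valid-user
   AuthLDAPSubGroupAttribute member
   #AuthLDAPGroupAttributeIsDN on
   AuthLDAPSubGroupClass group
   AuthUserFile /usr/local/nagios/etc/htpasswd.users
   Require ldap-group CN=Ansible AWX,OU=Security,OU=Groups,OU=test,DC=test,DC=com
</Directory>
Alias /nagios "/usr/local/nagios/share"
<Directory "/usr/local/nagios/share">
   SSLRequireSSL
   Options None
   AllowOverride None
   AuthBasicProvider ldap file
   AuthType Basic
   AuthName "login to continue"
   AuthLDAPBindAuthoritative on
   AuthLDAPURL "ldap://test.com/dc=test,dc=com?sAMAccountName"
   AuthLDAPBindDN "test@test.com"
   AuthLDAPBindPassword "pass"
   #require valid-user
   AuthLDAPSubGroupAttribute member
   #AuthLDAPGroupAttributeIsDN on
   AuthLDAPSubGroupClass group
   AuthUserFile /usr/local/nagios/etc/htpasswd.users
   Require ldap-group CN=mygroup,OU=Security,OU=Groups,OU=test,DC=test,DC=com
</Directory>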
