Merge pull request #1 from radiorabe/feature/timedatectl

[timedatectl] new template

app/timedatectl/README.md

@@ -0,0 +1,50 @@
+# Zabbix timedatectl monitoring
+High level monitoring for time and date keeping based on the backend agnostic [timedatectl](https://www.freedesktop.org/software/systemd/man/timedatectl.html) command.
+
+This template is part of [RaBe's Zabbix template and helpers
+collection](https://github.com/radiorabe/rabe-zabbix).
+
+## Usage
+
+1. Import the [`Template_App_timedatectl_active.xml`](Template_App_timedatectl_active.xml)
+   into your Zabbix server (click on the `Raw` button to download).
+2. Add the template to your host (or stack template)
+3. Check if new data arrives
+
+## Template App timedatectl active
+### Items
+* NTP enabled (`rabe.timedatectl.ntp.enabled`)  
+* NTP synchronized (`rabe.timedatectl.ntp.synchronized`)  
+### Macros
+* `{$TIMEDATECTL_MAX_NO_SYNC_TIME}` (default: 60m)
+### Triggers
+* Warning: NTP not enabled
+  ```
+  {Template App timedatectl active:rabe.timedatectl.ntp.enabled.last()}=0
+  ```
+* Information: NTP not synchronized
+  ```
+  {Template App timedatectl active:rabe.timedatectl.ntp.synchronized.last()}=0
+  ```
+* Warning: NTP not synchronized for more than {$TIMEDATECTL_MAX_NO_SYNC_TIME}
+  ```
+  {Template App timedatectl active:rabe.timedatectl.ntp.synchronized.last(,{$TIMEDATECTL_MAX_NO_SYNC_TIME})}<1
+  ```
+## SELinux Policy
+
+The [rabetimedatectl](selinux/rabetimedatectl.te) policy module allows the agent to connect to dbus and lets
+it request info from the timedated service. It also allows answers from the timedated service to the agent.
+## UserParameters
+
+| Key | Description |
+| --- | ----------- |
+| `rabe.timedatectl.ntp.enabled` | "NTP enabled" yes/no value from `timedatectl status` output |
+| `rabe.timedatectl.ntp.synchronized` | "NTP synchonized" yes/no value from `timedatectl status` output |
+
+## License
+This template is free software: you can redistribute it and/or modify it under
+the terms of the GNU Affero General Public License as published by the Free
+Software Foundation, version 3 of the License.
+
+## Copyright
+Copyright (c) 2017 - 2019 [Radio Bern RaBe](http://www.rabe.ch)

app/timedatectl/Template_App_timedatectl_active.xml

@@ -0,0 +1,175 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<zabbix_export>
+    <version>3.0</version>
+    <date>2017-02-05T01:53:46Z</date>
+    <groups>
+        <group>
+            <name>App templates</name>
+        </group>
+    </groups>
+    <templates>
+        <template>
+            <template>Template App timedatectl active</template>
+            <name>Template App timedatectl active</name>
+            <description/>
+            <groups>
+                <group>
+                    <name>App templates</name>
+                </group>
+            </groups>
+            <applications>
+                <application>
+                    <name>timedatectl</name>
+                </application>
+            </applications>
+            <items>
+                <item>
+                    <name>NTP enabled</name>
+                    <type>7</type>
+                    <snmp_community/>
+                    <multiplier>0</multiplier>
+                    <snmp_oid/>
+                    <key>rabe.timedatectl.ntp.enabled</key>
+                    <delay>3600</delay>
+                    <history>90</history>
+                    <trends>365</trends>
+                    <status>0</status>
+                    <value_type>3</value_type>
+                    <allowed_hosts/>
+                    <units/>
+                    <delta>0</delta>
+                    <snmpv3_contextname/>
+                    <snmpv3_securityname/>
+                    <snmpv3_securitylevel>0</snmpv3_securitylevel>
+                    <snmpv3_authprotocol>0</snmpv3_authprotocol>
+                    <snmpv3_authpassphrase/>
+                    <snmpv3_privprotocol>0</snmpv3_privprotocol>
+                    <snmpv3_privpassphrase/>
+                    <formula>1</formula>
+                    <delay_flex/>
+                    <params/>
+                    <ipmi_sensor/>
+                    <data_type>3</data_type>
+                    <authtype>0</authtype>
+                    <username/>
+                    <password/>
+                    <publickey/>
+                    <privatekey/>
+                    <port/>
+                    <description/>
+                    <inventory_link>0</inventory_link>
+                    <applications>
+                        <application>
+                            <name>timedatectl</name>
+                        </application>
+                    </applications>
+                    <valuemap>
+                        <name>Service state</name>
+                    </valuemap>
+                    <logtimefmt/>
+                </item>
+                <item>
+                    <name>NTP synchronized</name>
+                    <type>7</type>
+                    <snmp_community/>
+                    <multiplier>0</multiplier>
+                    <snmp_oid/>
+                    <key>rabe.timedatectl.ntp.synchronized</key>
+                    <delay>300</delay>
+                    <history>90</history>
+                    <trends>365</trends>
+                    <status>0</status>
+                    <value_type>3</value_type>
+                    <allowed_hosts/>
+                    <units/>
+                    <delta>0</delta>
+                    <snmpv3_contextname/>
+                    <snmpv3_securityname/>
+                    <snmpv3_securitylevel>0</snmpv3_securitylevel>
+                    <snmpv3_authprotocol>0</snmpv3_authprotocol>
+                    <snmpv3_authpassphrase/>
+                    <snmpv3_privprotocol>0</snmpv3_privprotocol>
+                    <snmpv3_privpassphrase/>
+                    <formula>1</formula>
+                    <delay_flex/>
+                    <params/>
+                    <ipmi_sensor/>
+                    <data_type>3</data_type>
+                    <authtype>0</authtype>
+                    <username/>
+                    <password/>
+                    <publickey/>
+                    <privatekey/>
+                    <port/>
+                    <description/>
+                    <inventory_link>0</inventory_link>
+                    <applications>
+                        <application>
+                            <name>timedatectl</name>
+                        </application>
+                    </applications>
+                    <valuemap>
+                        <name>Service state</name>
+                    </valuemap>
+                    <logtimefmt/>
+                </item>
+            </items>
+            <discovery_rules/>
+            <macros>
+                <macro>
+                    <macro>{$TIMEDATECTL_MAX_NO_SYNC_TIME}</macro>
+                    <value>60m</value>
+                </macro>
+            </macros>
+            <templates/>
+            <screens/>
+        </template>
+    </templates>
+    <triggers>
+        <trigger>
+            <expression>{Template App timedatectl active:rabe.timedatectl.ntp.enabled.last()}=0</expression>
+            <name>NTP not enabled on {HOST.NAME}</name>
+            <url/>
+            <status>0</status>
+            <priority>2</priority>
+            <description/>
+            <type>0</type>
+            <dependencies/>
+        </trigger>
+        <trigger>
+            <expression>{Template App timedatectl active:rabe.timedatectl.ntp.synchronized.last()}=0</expression>
+            <name>NTP not synchronized on {HOST.NAME}</name>
+            <url/>
+            <status>0</status>
+            <priority>1</priority>
+            <description/>
+            <type>0</type>
+            <dependencies/>
+        </trigger>
+        <trigger>
+            <expression>{Template App timedatectl active:rabe.timedatectl.ntp.synchronized.last(,{$TIMEDATECTL_MAX_NO_SYNC_TIME})}&lt;1</expression>
+            <name>NTP not synchronized for more than {$TIMEDATECTL_MAX_NO_SYNC_TIME} on {HOST.NAME}</name>
+            <url/>
+            <status>0</status>
+            <priority>2</priority>
+            <description/>
+            <type>0</type>
+            <dependencies/>
+        </trigger>
+    </triggers>
+    <value_maps>
+        <value_map>
+            <name>Service state</name>
+            <mappings>
+                <mapping>
+                    <value>0</value>
+                    <newvalue>Down</newvalue>
+                </mapping>
+                <mapping>
+                    <value>1</value>
+                    <newvalue>Up</newvalue>
+                </mapping>
+            </mappings>
+        </value_map>
+    </value_maps>
+</zabbix_export>

app/timedatectl/doc/README.SELinux.md

@@ -0,0 +1,4 @@
+## SELinux Policy
+
+The [rabetimedatectl](selinux/rabetimedatectl.te) policy module allows the agent to connect to dbus and lets
+it request info from the timedated service. It also allows answers from the timedated service to the agent.

app/timedatectl/doc/README.UserParameters.md

@@ -0,0 +1,6 @@
+## UserParameters
+
+| Key | Description |
+| --- | ----------- |
+| `rabe.timedatectl.ntp.enabled` | "NTP enabled" yes/no value from `timedatectl status` output |
+| `rabe.timedatectl.ntp.synchronized` | "NTP synchonized" yes/no value from `timedatectl status` output |

app/timedatectl/doc/README.head.md

@@ -0,0 +1 @@
+High level monitoring for time and date keeping based on the backend agnostic [timedatectl](https://www.freedesktop.org/software/systemd/man/timedatectl.html) command.

app/timedatectl/selinux/rabezbxtimedatectl.te

@@ -0,0 +1,30 @@
+module rabezbxtimedatectl 1.0;
+
+require {
+    type zabbix_agent_t;
+    type system_dbusd_t;
+    type systemd_timedated_t;
+    class unix_stream_socket connectto;
+    class dbus send_msg;
+}
+
+#============= zabbix_agent_t ==============
+
+# let zabbix agent connect to the system dbus socket
+#!!!! The file '/run/dbus/system_bus_socket' is mislabeled on your system.  
+#!!!! Fix with $ restorecon -R -v /run/dbus/system_bus_socket
+#     The file is mistagged on all systems and restorecon does not
+#     fix it. matchpathcon seems to think everything is ok and I
+#     have concluded that the fail is the above error.
+allow zabbix_agent_t system_dbusd_t:unix_stream_socket connectto;
+
+# let zabbix agent send messages to dbus
+allow zabbix_agent_t system_dbusd_t:dbus send_msg;
+
+# allow zabbix agent to send timedatectl dbus messages in dbus user_avc
+allow zabbix_agent_t systemd_timedated_t:dbus send_msg;
+
+#============= systemd_timedated_t ==============
+
+# allow timedated to send answers to zabbix agent
+allow systemd_timedated_t zabbix_agent_t:dbus send_msg;

app/timedatectl/userparameters/timedatectl.conf

@@ -0,0 +1,19 @@
+#
+# timedatectl UserParameters
+#
+# The parameters in here are based on the porcelain status command. CentOS currently does
+# not support timedatectl show --property=NTPSynchronized --value. This will keep on using
+# status until all the systems we support can do show.
+#
+
+#
+# "NTP enabled" yes/no value from timedatectl output
+#
+# We support both the legacy (ie. CentOS 7) "NTP enabled" and the modern (ie. Fedora) "Network time on" string.
+#
+UserParameter=rabe.timedatectl.ntp.enabled,/bin/timedatectl --no-pager status | /bin/awk -F ': ' '/* ^[[:space:]]*(Network time on|NTP enabled):/ { if ($2 == "yes") { print 1; } else { print 0; } }'
+
+#
+# "NTP synchonized" yes/no value from timedatectl output
+#
+UserParameter=rabe.timedatectl.ntp.synchronized,/bin/timedatectl --no-pager status | /bin/awk -F ': ' '/* ^[[:space:]]*NTP synchronized:/ { if ($2 == "yes") { print 1; } else { print 0; } }'