Secure your platform
This chapter suggests how to best secure your Centreon platform.
Strengthen user account security
After installing Centreon, it is necessary to change the default passwords of the following users:
- root
- centreon
- centreon-engine
- centreon-broker
- centreon-gorgone
To do this, use the following command with a privileged account (eg. sudo) or with root (not recommended — you should have a dedicated user):
passwd <account_name>
In addition, it is important to verify that the Apache account does not have connection rights to the terminal. Execute the following command:
cat /etc/passwd | grep apache
You must have /sbin/nologin like:
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
As a reminder, the list of users and groups can be found here
Enable SELinux
Centreon recently developed SELinux rules in order to strengthen the control of components by the operating system.
These rules are currently in beta mode and can be activated. You can activate them by following this procedure. In you detect of a problem, it is possible to disable SELinux globally and to send us your feedback in order to improve our rules on Github.
SELinux Overview
Security Enhanced Linux (SELinux) provides an additional layer of system security. SELinux fundamentally answers the
question: May <subject> do <action> to <object>?
, for example: May a web server access files in users' home
directories?
The standard access policy based on the user, group, and other permissions, known as Discretionary Access Control (DAC), does not enable system administrators to create comprehensive and fine-grained security policies, such as restricting specific applications to only viewing log files, while allowing other applications to append new data to the log files.
SELinux implements Mandatory Access Control (MAC). Every process and system resource has a special security label called an SELinux context. A SELinux context, sometimes referred to as an SELinux label, is an identifier which abstracts away the system-level details and focuses on the security properties of the entity. Not only does this provides a consistent way of referencing objects in the SELinux policy, but it also removes any ambiguity that can be found in other identification methods. For example, a file can have multiple valid path names on a system that makes use of bind mounts.
The SELinux policy uses these contexts in a series of rules which define how processes can interact with each other and the various system resources. By default, the policy does not allow any interaction unless a rule explicitly grants access.
For more information about SELinux please see Red Hat documentation
Activate SELinux in permissive mode
By default, SELinux is disabled during Centreon installation process. To enable SELinux in permissive mode, you need to
modify the /etc/selinux/config
file as:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Then reboot your server:
shutdown -r now
Install Centreon SELinux packages
Depending on the type of server, install the packages with the following command:
yum install centreon-common-selinux \
centreon-web-selinux \
centreon-broker-selinux \
centreon-engine-selinux \
centreon-gorgoned-selinux \
centreon-plugins-selinux
yum install centreon-common-selinux \
centreon-broker-selinux \
centreon-engine-selinux \
centreon-gorgoned-selinux \
centreon-plugins-selinux
yum install centreon-map-selinux
yum install centreon-mbi-selinux
To check the installation, execute the following command:
semodule -l | grep centreon
Depending on your type of server, you can see:
centreon-broker 0.0.5
centreon-common 0.0.10
centreon-engine 0.0.8
centreon-gorgoned 0.0.3
centreon-plugins 0.0.2
centreon-web 0.0.8
Audit logs and enable SELinux
Before enabling SELinux in enforcing mode, you need to be sure that no errors appear using the following command:
cat /var/log/audit/audit.log | grep -i denied
If errors appear, you have to analyse them and to decide if these errors are regular and must be added in addition of the Centreon default SELinux rules. To do this, use the following command to tranform error in SELinux rules:
audit2allow -a
Then execute the proposed rules.
If after a while, no error is present, you can activate SELinux in full mode by following this procedure using enforcing mode.
Do not hesitate to give us your feedback on Github.
Securing the installation of the DBMS
MariaDB propose a default procedure to secure the DBMS installation. Please execute the following command and follow instruction:
mysql_secure_installation
Enable firewalld
Install firewalld:
yum install firewalld
Enable firewalld:
systemctl enable firewalld
systemctl start firewalld
The list of network flows required for each type of server is defined here.
Example of rules for a Centreon Central or Remote Server:
# For default protocols
firewall-cmd --zone=public --add-service=ssh --permanent
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=snmp --permanent
firewall-cmd --zone=public --add-service=snmptrap --permanent
# Centreon Gorgone
firewall-cmd --zone=public --add-port=5556/tcp --permanent
# Centreon Broker
firewall-cmd --zone=public --add-port=5669/tcp --permanent
Example of rules for Centreon poller:
# For default protocols
firewall-cmd --zone=public --add-service=ssh --permanent
firewall-cmd --zone=public --add-service=snmp --permanent
firewall-cmd --zone=public --add-service=snmptrap --permanent
Once the rules have been added, it is necessary to reload firewalld:
firewall-cmd --reload
Enable fail2ban
Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks.
Install fail2ban:
yum install epel-release
yum install fail2ban fail2ban-systemd yum python-inotify
If you have SELinux installed, then update the SELinux policies:
yum update -y selinux-policy*
Enable firewalld:
systemctl enable fail2ban
systemctl start fail2ban
Copy the default rules file:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit /etc/fail2ban/jail.local
file and search [centreon] block, then modify such as:
[centreon]
port = http,https
logpath = /var/log/centreon/login.log
backend = pyinotify
To enable the centreon fail2ban rule, create the /etc/fail2ban/jail.d/custom.conf
file and add following lines:
[centreon]
enabled = true
findtime = 10m
bantime = 10m
maxretry = 3
maxretry is the number of authentication failed before to ban the IP address
bantime is the duration of the ban
findtime is the time range to find authentication failed
Then restart fail2ban to load your rule:
systemctl restart fail2ban
To check the status of the centreon rule you can run:
fail2ban-client status centreon
Status for the jail: centreon
|- Filter
| |- Currently failed: 1
| |- Total failed: 17
| `- File list: /var/log/centreon/login.log
`- Actions
|- Currently banned: 0
|- Total banned: 2
`- Banned IP list:
For more information go to the official website.
Securing the Apache web server
By default, Centreon installs a web server in HTTP mode. It is strongly recommended to switch to HTTPS mode by adding your certificate.
It is better to use a certificate validated by an authority rather than a self-signed one.
If you do not have a certificate validated by an authority, you can generate one on platforms such as Let's Encrypt.
Once you have your certificate, perform the following procedure to activate HTTPS mode on your Apache server:
- Install SSL module for Apache:
dnf install mod_ssl mod_security openssl
yum install httpd24-mod_ssl httpd24-mod_security openssl
- Install your certificates:
Copy your certificate and key on the server according your configuration; by default, it's:
- /etc/pki/tls/certs/ca.crt
- /etc/pki/tls/private/ca.key
- Backup previous Apache configuration for Centreon:
cp /etc/httpd/conf.d/10-centreon.conf{,.origin}
cp /opt/rh/httpd24/root/etc/httpd/conf.d/10-centreon.conf{,.origin}
- Edit Centreon Apache configuration
Centreon offers an example configuration file to enable HTTPS available in the following directory: /usr/share/centreon/examples/centreon.apache.https.conf
Edit the /etc/httpd/conf.d/10-centreon.conf as following:
Edit the /opt/rh/httpd24/root/etc/httpd/conf.d/10-centreon.conf as following:
Alias /centreon/api /usr/share/centreon
Alias /centreon /usr/share/centreon/www/
<LocationMatch ^/centreon/(?!api/latest/|api/beta/|api/v[0-9]+/|api/v[0-9]+\.[0-9]+/)(.*\.php(/.*)?)$>
ProxyPassMatch fcgi://127.0.0.1:9042/usr/share/centreon/www/$1
</LocationMatch>
<LocationMatch ^/centreon/api/(latest/|beta/|v[0-9]+/|v[0-9]+\.[0-9]+/)(.*)$>
ProxyPassMatch fcgi://127.0.0.1:9042/usr/share/centreon/api/index.php/$1
</LocationMatch>
ProxyTimeout 300
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost *:443>
#####################
# SSL configuration #
#####################
SSLEngine On
SSLProtocol All -SSLv3 -SSLv2 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-DSS-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ADH:!IDEA
SSLHonorCipherOrder On
SSLCompression Off
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
<Directory "/usr/share/centreon/www">
DirectoryIndex index.php
Options Indexes
AllowOverride all
Order allow,deny
Allow from all
Require all granted
<IfModule mod_php5.c>
php_admin_value engine Off
</IfModule>
RewriteRule ^index\.html$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.html [L]
ErrorDocument 404 /centreon/index.html
AddType text/plain hbs
</Directory>
<Directory "/usr/share/centreon/api">
Options Indexes
AllowOverride all
Order allow,deny
Allow from all
Require all granted
<IfModule mod_php5.c>
php_admin_value engine Off
</IfModule>
AddType text/plain hbs
</Directory>
</VirtualHost>
RedirectMatch ^/$ /centreon
Don't forget to change SSLCertificateFile and SSLCertificateKeyFile directives with the path containing your certificate and key.
- Enable HttpOnly / Secure flags and hide Apache server signature
Edit the /etc/httpd/conf.d/10-centreon.conf file and add the following line:
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
ServerSignature Off
ServerTokens Prod
Edit the /etc/php.d/50-centreon.ini file and turn off the expose_php
parameter:
expose_php = Off
Edit the /opt/rh/httpd24/root/etc/httpd/conf.d/10-centreon.conf file and add the following line:
Header set X-Frame-Options: "sameorigin"
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
ServerSignature Off
ServerTokens Prod
TraceEnable Off
Edit the /etc/opt/rh/rh-php72/php.d/50-centreon.ini file and turn off the expose_php
parameter:
expose_php = Off
- Hide the default /icons directory
Edit the /etc/httpd/conf.d/autoindex.conf file and comment the following line:
#Alias /icons/ "/usr/share/httpd/icons/"
Edit the /opt/rh/httpd24/root/etc/httpd/conf.d/autoindex.conf file and comment the following line:
#Alias /icons/ "/opt/rh/httpd24/root/usr/share/httpd/icons/"
- Disable mod_security boundary to enable license upload
Edit the /opt/rh/httpd24/root/etc/httpd/conf.d/mod_security.conf file and comment the following line:
#SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
#"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
- Restart the Apache and PHP process to take in account the new configuration:
systemctl restart php-fpm httpd
Then check its status:
systemctl status httpd
If everything is ok, you must have:
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/httpd.service.d
└─php-fpm.conf
Active: active (running) since Tue 2020-10-27 12:49:42 GMT; 2h 35min ago
Docs: man:httpd.service(8)
Main PID: 1483 (httpd)
Status: "Total requests: 446; Idle/Busy workers 100/0;Requests/sec: 0.0479; Bytes served/sec: 443 B/sec"
Tasks: 278 (limit: 5032)
Memory: 39.6M
CGroup: /system.slice/httpd.service
├─1483 /usr/sbin/httpd -DFOREGROUND
├─1484 /usr/sbin/httpd -DFOREGROUND
├─1485 /usr/sbin/httpd -DFOREGROUND
├─1486 /usr/sbin/httpd -DFOREGROUND
├─1487 /usr/sbin/httpd -DFOREGROUND
└─1887 /usr/sbin/httpd -DFOREGROUND
systemctl restart rh-php72-php-fpm httpd24-httpd
Then check its status:
systemctl status httpd24-httpd
If everything is ok, you must have:
● httpd24-httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd24-httpd.service; enabled; vendor preset: disabled)
Active: active (running) since mar. 2020-05-12 15:39:58 CEST; 25min ago
Process: 31762 ExecStop=/opt/rh/httpd24/root/usr/sbin/httpd-scl-wrapper $OPTIONS -k graceful-stop (code=exited, status=0/SUCCESS)
Main PID: 31786 (httpd)
Status: "Total requests: 850; Idle/Busy workers 50/50;Requests/sec: 0.547; Bytes served/sec: 5.1KB/sec"
CGroup: /system.slice/httpd24-httpd.service
├─ 1219 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
├─31786 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
├─31788 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
├─31789 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
├─31790 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
├─31802 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
├─31865 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
├─31866 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
├─31882 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
├─31903 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
└─32050 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
Custom URI
It is possible to update the URI of Centreon. For example, /centreon can be replaced by /monitoring.
At least one path level is mandatory.
To update the Centreon URI, you need to follow those steps:
- Go to
Administration > Parameters > Centreon UI
and change the Centreon Web Directory value.
- Edit Apache configuration file for Centreon Web
vim /etc/httpd/conf.d/10-centreon.conf
vim /opt/rh/httpd24/root/etc/httpd/conf.d/10-centreon.conf
and change /centreon path with your new path
Enabling http2
It is possible to enable http2 protocol to improve Centreon network performance.
To use http2, you need to follow those steps:
Install nghttp2 module:
dnf install nghttp2
- Enable http2 protocol in /etc/httpd/conf.d/10-centreon.conf:
...
<VirtualHost *:443>
Protocols h2 h2c http/1.1
...
</VirtualHost>
...
- Update method used by apache multi-processus module in /etc/httpd/conf.modules.d/00-mpm.conf:
-LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
+#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
-#LoadModule mpm_event_module modules/mod_mpm_event.so
+LoadModule mpm_event_module modules/mod_mpm_event.so
- Restart the Apache process to take in account the new configuration:
systemctl restart httpd
Install nghttp2 module:
yum install httpd24-nghttp2
- Enable http2 protocol in /opt/rh/httpd24/root/etc/httpd/conf.d/10-centreon.conf:
...
<VirtualHost *:443>
Protocols h2 h2c http/1.1
...
</VirtualHost>
...
- Update method used by apache multi-processus module in /opt/rh/httpd24/root/etc/httpd/conf.modules.d/00-mpm.conf:
-LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
+#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
-#LoadModule mpm_event_module modules/mod_mpm_event.so
+LoadModule mpm_event_module modules/mod_mpm_event.so
- Restart the Apache process to take in account the new configuration:
systemctl restart httpd24-httpd
User authentication
Centreon offers several methods to authenticate users:
- local (MySQL)
- LDAP
- Generic SSO or OpenId Connect
Create user profiles
Centreon offers to manage access permissions to the different menus, resources and possible actions on resources via the management of Access Control List.
Secure communications between servers
It is strongly recommended to secure communications between the different servers of the Centreon platform if some servers are not in a secure network.
The Table of network flows is available here.
Centreon Broker communication
Centreon Broker and the firewall
In certain cases, you may not be able to initialize the Centreon Broker data flow from the poller (or the Remote Server) to the Central Server or the Remote Server. See the following configuration to invert the flow.
Centreon Broker flow authentication
If you need to authenticate pollers that are sending data to the monitoring system, you can use the Centreon Broker authentication mechanism, which is based on X.509 certificates. See the following configuration to authenticate the peer.
Compress and encrypt the Centreon Broker communication
It is also possible to compress and encrypt the Centreon Broker communication.
Go to Configuration > Pollers > Broker configuration
menu, edit your Centreon Broker configuration
and enable for IPv4 inputs and outputs:
- Enable TLS encryption: Auto
- Enable negotiation: Yes
- Compression (zlib): Auto
Centreon Gorgone communication
This the official Centreon gorgone documentation to secure the communication.
Security event information management - SEIM
Centreon event logs are available in the following directories:
Logs directory | Central server | Remote Server | Poller | Centreon Map server | Centreon MBI Server |
---|---|---|---|---|---|
/var/log/centreon | X | X | |||
/var/log/centreon-broker | X | X | X | ||
/var/log/centreon-engine | X | X | X | ||
/var/log/centreon-gorgone | X | X | X | ||
/var/log/centreon-bi | X | X | |||
/var/log/centreon-map | X | X | X | X |
In addition, all actions to modify the Centreon configuration carried out by users are available via the
Administration > Logs
menu.
Backing up the platform
Centreon offers to save the configuration of the platform. To do this, go to the
Administration > Parameters > Backup
menu.