Securing your poller

Strengthen user account security

After installing Centreon, you must change the default passwords of the following users:

  • root
  • centreon
  • centreon-engine
  • centreon-broker
  • centreon-gorgone

To do this, run the following command from a privileged account (e.g., with sudo) or as root (not recommended; you should use a dedicated user):

passwd <account_name>

Enable SELinux

Centreon provides SELinux rules so that the operating system can confine the Centreon components more tightly.

These rules are currently in beta and can be activated by following the procedure below. If you detect a problem, you can disable SELinux globally and send us your feedback on GitHub so that we can improve our rules.

SELinux Overview

Security Enhanced Linux (SELinux) provides an additional layer of system security. SELinux fundamentally answers the question: May <subject> do <action> to <object>?, for example: May a web server access files in users' home directories?

The standard access policy based on the user, group, and other permissions, known as Discretionary Access Control (DAC), does not enable system administrators to create comprehensive and fine-grained security policies, such as restricting specific applications to only viewing log files, while allowing other applications to append new data to the log files.

SELinux implements Mandatory Access Control (MAC). Every process and system resource has a special security label called an SELinux context. An SELinux context, sometimes referred to as an SELinux label, is an identifier that abstracts away the system-level details and focuses on the security properties of the entity. Not only does this provide a consistent way of referencing objects in the SELinux policy, but it also removes any ambiguity that can be found in other identification methods. For example, a file can have multiple valid path names on a system that makes use of bind mounts.

The SELinux policy uses these contexts in a series of rules that define how processes can interact with each other and the various system resources. By default, the policy does not allow any interaction unless a rule explicitly grants access.

For more information about SELinux, please see the Red Hat documentation.

Activate SELinux in permissive mode

By default, SELinux is disabled during the Centreon installation process. To enable SELinux in permissive mode, edit the /etc/selinux/config file as follows:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Then reboot your server:

shutdown -r now

Install Centreon SELinux packages

Depending on the type of server, install the packages with the following command:

dnf install centreon-common-selinux \
centreon-broker-selinux \
centreon-engine-selinux \
centreon-gorgoned-selinux \
centreon-plugins-selinux

To check the installation, execute the following command:

semodule -l | grep centreon

Depending on your type of server, you can see:

centreon-broker 0.0.5
centreon-common 0.0.10
centreon-engine 0.0.8
centreon-gorgoned 0.0.3
centreon-plugins 0.0.2

Audit logs and enable SELinux

Before enabling SELinux in enforcing mode, you need to be sure that no errors appear using the following command:

grep -i denied /var/log/audit/audit.log

If denials appear, you must analyze them and decide whether they correspond to legitimate Centreon behaviour that should be added to the Centreon default SELinux rules. To do this, use the following command to turn the logged denials into candidate SELinux rules:

audit2allow -a

Then review and apply the proposed rules.

If, after a while, no denial is present, you can enable SELinux in enforcing mode by repeating the procedure above with SELINUX=enforcing in /etc/selinux/config.
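As an added example (not from the Centreon documentation), the following Python script parses constructed AVC denial records in the format of /var/log/audit/audit.log and groups them by process, source type, target type and permission, which is the view you need when deciding which denials are legitimate Centreon behaviour. The centreon_*_t type names in the sample are placeholders, not Centreon's real policy types.

```python
import re
from collections import Counter

# Constructed sample of /var/log/audit/audit.log lines (not real Centreon output;
# the centreon_*_t type names are placeholders chosen for the example).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="centengine" name="centengine.cfg" scontext=system_u:system_r:centreon_engine_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3
type=AVC msg=audit(1700000000.456:457): avc:  denied  { write } for  pid=1234 comm="centengine" name="status.dat" scontext=system_u:system_r:centreon_engine_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000001.000:458): avc:  denied  { name_connect } for  pid=2345 comm="gorgone-action" dest=5556 scontext=system_u:system_r:centreon_gorgone_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000002.000:459): avc:  denied  { read } for  pid=1234 comm="centengine" name="centengine.cfg" scontext=system_u:system_r:centreon_engine_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
"""

# Fields of an AVC denial record that decide whether a policy rule is needed.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)

def parse_denials(log_text):
    """Return one dict per AVC denial line; other audit record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = d["perms"].split()
        d["permissive"] = d["permissive"] == "1"  # 1 = logged only, 0 = actually blocked
        denials.append(d)
    return denials

def type_of(context):
    # The type is the third field of user:role:type:level.
    return context.split(":")[2]

def summarize(denials):
    """Count denials by (process, source type, target type, class, permission)."""
    counts = Counter()
    for d in denials:
        for perm in d["perms"]:
            counts[(d["comm"], type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"], perm)] += 1
    return counts

def enforced_denials(denials):
    """Denials that were actually blocked (permissive=0): these break the poller in enforcing mode."""
    return [d for d in denials if not d["permissive"]]
```

Run `summarize(parse_denials(open("/var/log/audit/audit.log").read())).most_common()` on a real poller to see which (process, type, permission) pairs recur before feeding them to audit2allow.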

Do not hesitate to give us your feedback on GitHub.

Enable firewalld

Install firewalld:

dnf install firewalld

Enable firewalld:

systemctl enable firewalld
systemctl start firewalld

Then add the rules for firewalld by executing the following commands:

# For default protocols
firewall-cmd --zone=public --add-service=ssh --permanent
firewall-cmd --zone=public --add-service=snmp --permanent
firewall-cmd --zone=public --add-service=snmptrap --permanent
# Centreon Gorgone
firewall-cmd --zone=public --add-port=443/tcp --permanent

Once the rules have been added, reload firewalld:

firewall-cmd --reload

To check that the configuration has been applied correctly, use the following command to list all active rules:

firewall-cmd --list-all

For instance:

public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: http snmp snmptrap ssh
ports: 443/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Centreon Gorgone communication

Make sure that the /etc/centreon-gorgone/config.d/40-gorgoned.yaml file (on each poller) contains the following lines:

name: action
package: "gorgone::modules::core::action::hooks"
enable: true
command_timeout: 30
whitelist_cmds: true
allowed_cmds:
  - ^sudo\s+(/bin/)?systemctl\s+(reload|restart)\s+(centengine|centreontrapd|cbd)\s*$
  - ^(sudo\s+)?(/usr/bin/)?service\s+(centengine|centreontrapd|cbd|cbd-sql)\s+(reload|restart)\s*$
  - ^/usr/sbin/centenginestats\s+-c\s+/etc/centreon-engine/centengine\.cfg\s*$
  - ^cat\s+/var/lib/centreon-engine/[a-zA-Z0-9\-]+-stats\.json\s*$
  - ^/usr/lib/centreon/plugins/.*$
  - ^/bin/perl /usr/share/centreon/bin/anomaly_detection --seasonality >> /var/log/centreon/anomaly_detection\.log 2>&1\s*$
  - ^/usr/bin/php -q /usr/share/centreon/cron/centreon-helios\.php >> /var/log/centreon-helios\.log 2>&1\s*$
  - ^centreon
  - ^mkdir
  - ^/usr/share/centreon/www/modules/centreon-autodiscovery-server/script/run_save_discovered_host --all --job-id=\d+ --export-conf --token=\S+$
  - ^/usr/share/centreon/bin/centreon -u "centreon-gorgone" -p \S+ -w -o CentreonWorker -a processQueue$
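To verify what the whitelist above actually admits before relying on it, here is an added example (not part of the Centreon documentation or of Gorgone's own code) that replays the allowed_cmds patterns over constructed candidate commands. It assumes Gorgone applies each pattern as an unanchored Perl-style regex match, which Python's re reproduces for these patterns.

```python
import re

# The allowed_cmds patterns from the 40-gorgoned.yaml excerpt above, copied verbatim.
ALLOWED_CMDS = [
    r'^sudo\s+(/bin/)?systemctl\s+(reload|restart)\s+(centengine|centreontrapd|cbd)\s*$',
    r'^(sudo\s+)?(/usr/bin/)?service\s+(centengine|centreontrapd|cbd|cbd-sql)\s+(reload|restart)\s*$',
    r'^/usr/sbin/centenginestats\s+-c\s+/etc/centreon-engine/centengine\.cfg\s*$',
    r'^cat\s+/var/lib/centreon-engine/[a-zA-Z0-9\-]+-stats\.json\s*$',
    r'^/usr/lib/centreon/plugins/.*$',
    r'^/bin/perl /usr/share/centreon/bin/anomaly_detection --seasonality >> /var/log/centreon/anomaly_detection\.log 2>&1\s*$',
    r'^/usr/bin/php -q /usr/share/centreon/cron/centreon-helios\.php >> /var/log/centreon-helios\.log 2>&1\s*$',
    r'^centreon',
    r'^mkdir',
    r'^/usr/share/centreon/www/modules/centreon-autodiscovery-server/script/run_save_discovered_host --all --job-id=\d+ --export-conf --token=\S+$',
    r'^/usr/share/centreon/bin/centreon -u "centreon-gorgone" -p \S+ -w -o CentreonWorker -a processQueue$',
]
COMPILED = [re.compile(p) for p in ALLOWED_CMDS]

def matching_rule(command):
    """Return the first whitelist pattern that matches `command`, or None if it would be refused."""
    for pat in COMPILED:
        if pat.search(command):
            return pat.pattern
    return None

def is_allowed(command):
    return matching_rule(command) is not None

# Constructed candidates: the action module is expected to accept the first group and refuse the second.
EXPECTED_ALLOWED = [
    "sudo systemctl restart centengine",
    "sudo /bin/systemctl reload cbd",
    "service cbd-sql restart",
    "/usr/sbin/centenginestats -c /etc/centreon-engine/centengine.cfg",
    "cat /var/lib/centreon-engine/central-stats.json",
]
EXPECTED_REFUSED = [
    "systemctl restart centengine",             # the systemctl form requires the sudo prefix
    "sudo systemctl restart sshd",              # unit not in the (centengine|centreontrapd|cbd) list
    "cat /etc/centreon-engine/centengine.cfg",  # only *-stats.json files under /var/lib may be read
    "sudo systemctl stop centengine",           # only reload and restart are permitted
]

def whitelist_is_consistent():
    """True when every expected command is classified as the operator intended."""
    return all(is_allowed(c) for c in EXPECTED_ALLOWED) and not any(is_allowed(c) for c in EXPECTED_REFUSED)
```

Re-run whitelist_is_consistent() after every edit to allowed_cmds so that a loosened or mistyped pattern is caught before the configuration is deployed to the pollers.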

Security Information and Event Management - SIEM

Centreon event logs are available in the following directories:

  • /var/log/centreon-broker
  • /var/log/centreon-engine
  • /var/log/centreon-gorgone

Backing up the platform​

Make sure you back up your custom plugins, and the following configuration files:

  • /etc/centreon/centreon_vmware.pm
  • /etc/centreon-as400/
  • /var/lib/centreon/centplugins/*
  • /var/log/centreon-engine/*.dat
  • /var/lib/centreon-broker/*

Disaster recovery for a poller​

Follow this procedure to replace a failed poller with a new one:

  1. On a new machine, install the new poller.

  2. Restore onto the new machine the backups of the local configurations you made for the failed poller:

    • /etc/centreon/centreon_vmware.pm
    • /etc/centreon-as400/
    • /var/lib/centreon/centplugins/*
    • /var/log/centreon-engine/*.dat
    • /var/lib/centreon-broker/*

  3. Use the Mass change feature to make sure the new poller now monitors all the hosts that the failed poller did.

  4. Deploy the configuration for the new poller.

  5. Delete the old poller.