Securing your poller
IMPORTANT: It is the customer's resonsibility to secure the OS of the poller's host machine, and to update its OS.
Strengthen user account security​
After installing Centreon, you must change the default passwords of the following users:
- root
- centreon
- centreon-engine
- centreon-broker
- centreon-gorgone
To do this, use the following command with a privileged account (e.g., sudo) or with root (not recommended — you should have a dedicated user):
passwd <account_name>
Enable SELinux​
Centreon developed SELinux rules in order to strengthen the control of components by the operating system.
These rules are currently in beta mode and can be activated. You can activate them by following this procedure. If you detect a problem, you can disable SELinux globally and send us your feedback in order to improve our rules on Github.
SELinux Overview​
Security Enhanced Linux (SELinux) provides an additional layer of system security. SELinux fundamentally answers the
question: May <subject> do <action> to <object>?
, for example: May a web server access files in users' home
directories?
The standard access policy based on the user, group, and other permissions, known as Discretionary Access Control (DAC), does not enable system administrators to create comprehensive and fine-grained security policies, such as restricting specific applications to only viewing log files, while allowing other applications to append new data to the log files.
SELinux implements Mandatory Access Control (MAC). Every process and system resource has a special security label called an SELinux context. An SELinux context, sometimes referred to as an SELinux label, is an identifier that abstracts away the system-level details and focuses on the security properties of the entity. Not only does this provide a consistent way of referencing objects in the SELinux policy, but it also removes any ambiguity that can be found in other identification methods. For example, a file can have multiple valid path names on a system that makes use of bind mounts.
The SELinux policy uses these contexts in a series of rules that define how processes can interact with each other and the various system resources. By default, the policy does not allow any interaction unless a rule explicitly grants access.
For more information about SELinux, please see Red Hat documentation
Activate SELinux​
By default, SELinux is disabled during the Centreon installation process and must be reenabled after it for security reasons.
To enable SELinux again, edit the /etc/selinux/config file and change the value with the following options:
SELINUX=enforcing
to make SELinux security policy enforced.SELINUX=permissive
to make SELinux print warnings instead of enforce security policy.
Then reboot your server:
shutdown -r now
Install Centreon SELinux packages​
Depending on the type of server, install the packages with the following command:
- Alma / RHEL / Oracle Linux 8
- Alma / RHEL / Oracle Linux 9
- Debian 11
dnf install centreon-common-selinux \
centreon-broker-selinux \
centreon-engine-selinux \
centreon-gorgoned-selinux \
centreon-plugins-selinux
dnf install centreon-common-selinux \
centreon-broker-selinux \
centreon-engine-selinux \
centreon-gorgoned-selinux \
centreon-plugins-selinux
apt install centreon-common-selinux \
centreon-broker-selinux \
centreon-engine-selinux \
centreon-gorgoned-selinux \
centreon-plugins-selinux
To check the installation, execute the following command:
semodule -l | grep centreon
Depending on your type of server, you can see:
centreon-broker 0.0.5
centreon-common 0.0.10
centreon-engine 0.0.8
centreon-gorgoned 0.0.3
centreon-plugins 0.0.2
Audit logs and enable SELinux​
Before enabling SELinux in enforcing mode, you need to be sure that no errors appear using the following command:
cat /var/log/audit/audit.log | grep -i denied
If errors appear, you must analyze them and decide if these errors are regular and should be added to the Centreon default SELinux rules. To do this, use the following command to transform errors into SELinux rules:
audit2allow -a
Then execute the proposed rules.
If after a while, no error is present, you can activate SELinux in full mode by following this procedure using enforcing mode.
Do not hesitate to give us your feedback on Github.
Enable firewalld​
- Alma / RHEL / Oracle Linux 8
- Alma / RHEL / Oracle Linux 9
- Debian 11
Install firewalld:
dnf install firewalld
Install firewalld:
dnf install firewalld
Install firewalld:
apt install firewalld
Enable firewalld:
systemctl enable firewalld
systemctl start firewalld
Then add rules for firewalld:
Execute the following commands:
# For default protocols
firewall-cmd --zone=public --add-service=ssh --permanent
firewall-cmd --zone=public --add-service=snmp --permanent
firewall-cmd --zone=public --add-service=snmptrap --permanent
# Centreon Gorgone
firewall-cmd --zone=public --add-port=443/tcp --permanent
Once the rules have been added, reload firewalld:
firewall-cmd --reload
To check that the configuration has been applied correctly, use the following command to list all active rules:
firewall-cmd --list-all
For instance:
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: http snmp snmptrap ssh
ports: 443/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Centreon Gorgone communication​
On each poller, the /etc/centreon-gorgone/config.d/whitelist.conf.d/centreon.yaml file contains the whitelists for Gorgone. If you want to customize the allowed commands, do not edit this file. Create a new one in the same folder, e.g. /etc/centreon-gorgone/config.d/whitelist.conf.d/custom.yaml.
Security Information and Event Management - SIEM​
Centreon event logs are available in the following directories:
- /var/log/centreon-broker
- /var/log/centreon-engine
- /var/log/centreon-gorgone
Backing up the platform​
Make sure you back up your custom plugins, and the following configuration files:
- /etc/centreon/centreon_vmware.pm
- /etc/centreon-as400/
- /var/lib/centreon/centplugins/*
- /var/log/centreon-engine/*.dat
- /var/lib/centreon-broker/*
Disaster recovery for a poller​
Follow this procedure to replace a failed poller by a new one:
On a new machine, install the new poller.
Restore onto the new machine the backups of local configurations you have made for the failed poller:
- /etc/centreon/centreon_vmware.pm
- /etc/centreon-as400/
- /var/lib/centreon/centplugins/*
- /var/log/centreon-engine/*.dat
- /var/lib/centreon-broker/*
Use the Mass change feature to make sure the new poller now monitors all the hosts that the failed poller did.
Deploy the configuration for the new poller.
Delete the old poller.