From dddc133ad41b912a798dc4c26f247790f9024f19 Mon Sep 17 00:00:00 2001
From: Martin Winkler
Date: Sun, 10 Nov 2019 11:48:10 +0100
Subject: [PATCH] Initial snmp management seq

Two extends included (raspberry, osupdate)
---
 seqs/snmp.sh | 146 ++++++++++++++++++++++++++++++++++++++++++++++++
 seqs/snmpd.conf | 61 ++++++++++++++++++++
 2 files changed, 207 insertions(+)
 create mode 100755 seqs/snmp.sh
 create mode 100644 seqs/snmpd.conf

diff --git a/seqs/snmp.sh b/seqs/snmp.sh
new file mode 100755
index 0000000..2470c94
--- /dev/null
+++ b/seqs/snmp.sh
@@ -0,0 +1,146 @@
+#!/bin/bash
+
+seqDir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >>/dev/null 2>&1 && pwd )"
+toolName="snmpd"
+toolConfigLoc="/etc/snmp"
+toolConfig="${toolConfigLoc}/snmpd.conf"
+
+
+step_1_info() { echo "Install packages for $toolName"; }
+step_1_alias() { ALIAS="install"; }
+step_1() {
+ exe apt update
+ if [ $QUIET != 0 ]; then
+ exe apt-get -qq install $toolName
+ else
+ exe apt install $toolName
+ fi
+ saveReturn $?
+ endReturn
+}
+
+step_2_info() { echo "Setup snmp v3 access"; }
+step_2() {
+ #
+ ## Create authentication entry
+ exep "cat \"$v3AuthLoc\" | grep -e '^\s*usmUser'"
+
+ if [ "$?" == "0" ]; then
+ echo
+
+ read -p "User entry found. Continue: y/n(default)? " answer
+ case $answer in
+ [yY])
+ echo
+ echo Continuing installation...
+ ;;
+ *)
+ echo
+ echo Installation aborted
+ return 1;
+ ;;
+ esac
+ fi
+
+ read -p "SNMPv3 Username: " v3User
+ read -s -p "SNMPv3 Password: " v3Pass
+ echo
+
+ exe service snmpd stop
+
+ # this line will be replaced on start of snmpd with a line starting with:
+ # usmUser
+ v3AuthEntry="createUser ${v3User} SHA \"${v3Pass}\" DES"
+ addConf -a "$v3AuthEntry" "$v3AuthLoc"
+
+ #
+ ## Add custom base configuration
+ addConf -c "" "${toolConfig}"
+ exe cp "${seqDir}/snmpd.conf" "${toolConfig}"
+
+ #
+ ## Add username as rouser
+ exe sed -i "s/authOnlyUser/${v3User}/" "$toolConfig"
+
+ #
+ ## Write syslocation
+ read -p "sysLocation: " v3Location
+ read -p "sysContact (name ): " v3Contact
+
+ exe sed -i "s/\(sysLocation\s*\).*/\1${v3Location}/" "$toolConfig"
+ exe sed -i "s/\(sysContact\s*\).*/\1${v3Contact}/" "$toolConfig"
+}
+v3AuthLoc="/var/lib/snmp/snmpd.conf"
+
+step_20_info() { echo "Extend $toolName for Raspberry Pi"; }
+step_20_alias() { ALIAS="raspberry"; }
+step_20() {
+ checkExtend raspberry
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+
+ exe wget https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/raspberry.sh -O "${rpiExtendLoc}"
+ saveReturn $?
+ endReturn
+ exe chmod +x "$rpiExtendLoc"
+
+ addConf -a "extend raspberry /etc/snmp/raspberry.sh" "$toolConfig"
+ addConf -c "$rpiSudoersContent" "$rpiSudoersLoc"
+
+ exe service snmpd restart
+}
+
+rpiExtendLoc="${toolConfigLoc}/raspberry.sh"
+rpiSudoersLoc="/etc/sudoers.d/snmprpi"
+rpiSudoersContent="\
+ Debian-snmp ALL=(ALL) NOPASSWD: /etc/snmp/raspberry.sh, /usr/bin/vcgencmd*"
+
+step_22_info() { echo "Extend $toolName with OS update availablity"; }
+step_22_alias() { ALIAS="osupdate"; }
+step_22() {
+ checkExtend osupdate
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+
+ exe wget https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/osupdate -O "${osUpdateExtendLoc}"
+ exe chmod +x "$osUpdateExtendLoc"
+ addConf -a "extend osupdate $osUpdateExtendLoc" "$toolConfig"
+
+ exe service snmpd restart
+}
+osUpdateExtendLoc="${toolConfigLoc}/osupdate"
+
+step_23_info() { echo "Create cron job for periodical (every 8 hours) apt-get update"; }
+step_23() {
+ addConf -s "$osUpdateCronContent" "$osUpdateCron"
+}
+osUpdateCron="/etc/cron.d/aptUpdate"
+osUpdateCronContent="22 */6 * * * root /usr/bin/apt-get -qq update"
+
+#fail2ban
+#exe wget https://github.com/librenms/librenms-agent/raw/master/snmp/fail2ban -O "${toolConfig}/fail2ban"
+# nginx
+#exe wget https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/nginx -O "${toolConfig}/nginx"
+# php-fpm
+#exe wget https://github.com/librenms/librenms-agent/raw/master/snmp/phpfpmsp -O "${toolConfig}/phpfpmsp"
+
+checkExtend() {
+ exep "cat \"$toolConfig\" | grep -e '^\s*extend\s\+${1}' >>/dev/null 2>&1"
+ # Only warn if entry exists and dry-run is not seleted
+ if [ "$?" == "0" ] && [ "$DRY" == "0" ] ; then
+ echo "[WARN] Extend for ${1} exists"
+ return 1
+ fi
+
+ # adding dry run output for clarification
+ if [ "$DRY" != "0" ] ; then
+ echo "-- check if \"extend ${1}\" exists..dry-run"
+ fi
+
+ return 0
+}
+
+VERSION_SEQREV=5
+. sequencer.sh
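Review bot: `v3AuthEntry="createUser ${v3User} SHA \"${v3Pass}\" DES"` in step_2 fixes the SNMPv3 privacy protocol to DES, the weakest option net-snmp supports, while AES takes the same `createUser` syntax; changing the line to `v3AuthEntry="createUser ${v3User} SHA \"${v3Pass}\" AES"` is the only edit needed, since the `rouser` line in snmpd.conf names no protocol. The username and password are interpolated unescaped into that entry and, for the username, into `sed -i "s/authOnlyUser/${v3User}/"`, so input containing `"`, `/` or `&` produces a broken createUser line or sed expression instead of an error — a `case` check on the two `read` results, or at least a comment on the prompts, would make that limitation visible. step_22 omits the `saveReturn $?` / `endReturn` pair that step_20 places after its wget, so a failed osupdate download presumably still gets `chmod +x` and an `extend osupdate` entry pointing at an empty file. Both steps fetch from the librenms-agent master branch with no pinned revision or checksum, and step_20 then grants `Debian-snmp` NOPASSWD sudo on that file through rpiSudoersContent, which deserves a comment stating that the downloaded script runs as root. step_23_info says "every 8 hours" while osUpdateCronContent schedules `*/6`; one of the two should change.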
diff --git a/seqs/snmpd.conf b/seqs/snmpd.conf
new file mode 100644
index 0000000..a83c8d1
--- /dev/null
+++ b/seqs/snmpd.conf
@@ -0,0 +1,61 @@
+# AGENT BEHAVIOUR
+agentAddress udp:161,udp6:[::1]:161
+
+ # system + hrSystem groups only
+view systemonly included .1.3.6.1.2.1.1
+view systemonly included .1.3.6.1.2.1.25.1
+
+ # Full access from the local host
+#rocommunity public localhost
+ # Default access to basic system info
+ rocommunity public default -V systemonly
+ # rocommunity6 is for IPv6
+ rocommunity6 public default -V systemonly
+
+ # Full read-only access for SNMPv3
+ rouser authOnlyUser
+
+# SYSTEM INFORMATION
+
+sysLocation Sitting on the Dock of the Bay
+sysContact Me
+ # Application + End-to-End layers
+sysServices 72
+
+# Process Monitoring
+ # At least one 'mountd' process
+proc mountd
+ # No more than 4 'ntalkd' processes - 0 is OK
+proc ntalkd 4
+ # At least one 'sendmail' process, but no more than 10
+proc sendmail 10 1
+
+# Disk Monitoring
+ # 10MBs required on root disk, 5% free on /var, 10% free on all other disks
+disk / 10000
+disk /var 5%
+includeAllDisks 10%
+
+# System Load
+ # Unacceptable 1-, 5-, and 15-minute load averages
+load 12 10 5
+
+# ACTIVE MONITORING
+ # send SNMPv1 traps
+ trapsink localhost public
+
+# Event MIB - automatically generate alerts
+ # Remember to activate the 'createUser' lines above
+iquerySecName internalUser
+rouser internalUser
+
+# AgentX Sub-agents
+ # Run as an AgentX master agent
+ master agentx
+
+#If the snmpd was compiled with TCP Wrapper support, it logs every connection made to the agent. This setting disables the
+#log messages for accepted connections. Denied connections will still be logged.
+dontLogTCPWrappersConnects true
+
+# EXTENDING THE AGENT
+
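Review bot: `rocommunity public default -V systemonly` and `rocommunity6 public default -V systemonly` stay active next to the new `rouser authOnlyUser`, so after step_2 the agent still answers SNMPv1/v2c requests from any source address with the well-known `public` community and discloses the system and hrSystem subtrees that `view systemonly` includes, with no authentication. Since the sequence's stated goal is SNMPv3 access, comment those two lines out (or restrict them to `localhost` like the commented line above them) and leave the `rouser` entry as the only read path. `agentAddress udp:161,udp6:[::1]:161` listens on all IPv4 interfaces but only on IPv6 loopback, which looks accidental and deserves a one-line comment either way. `iquerySecName internalUser` and `rouser internalUser` refer to a user that no `createUser` line in this commit defines, so the comment "Remember to activate the 'createUser' lines above" points at nothing; if the Event MIB section is unused, commenting it out avoids the dangling reference (snmpd may log a warning for the missing user — verify on a test host).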