How to audit commit operations

How to audit Monarch commit operations

Customers require that changes to the configuration of Nagios be logged. The Monarch tool is used to make changes to the configuration of Nagios. When the user of Monarch wishes these changes to be pushed to Nagios, a commit operation is performed. As part of the commit operation, the timestamp at which the commit is done and the name of the user performing the commit are written into the main Nagios configuration file. This is also true in the case of Monarch Groups when a build instance is completed. This document describes how customers can add auditing of commit operations by logging the timestamp and the name of the user performing commits and build-instance operations to the Event Console. A new application type AUDIT is created in the Event Console, and the GroundWork Reports Event History (gw-event-history) report can be used by the customer to list all audit events.

The AUDIT type won't show up in the Event Console (under System Filters > Filter Events > Applications) until it has a reason to refresh the list of application types from the database. The simplest way to force this is to stop displaying the Event Console (e.g. redirect your browser to the Status viewer instead, and then come back to the Event Console).

Prerequisites

These instructions will work on an installed GroundWork Monitor Enterprise or Professional 5.2.0 or later.

Installation

As user nagios on the GroundWork server, perform the following steps:

  1. Place the contents of Appendix A into a file:
    /usr/local/groundwork/core/migration/add_audit_application_type.pl
  2. Execute the following commands:
    cd /usr/local/groundwork/core/migration
    chmod 744 add_audit_application_type.pl
    ./add_audit_application_type.pl
  3. Place the contents of Appendix B into a file:
    /usr/local/groundwork/foundation/feeder/audit-nagios.pl
  4. Execute the following commands:
    cd /usr/local/groundwork/foundation/feeder
    chmod 744 audit-nagios.pl
    /usr/local/groundwork/common/bin/mkservice nagios nagios /usr/local/groundwork/core/services/feeder-nagios-audit
  5. Replace the contents of the following file with the contents of Appendix C:
    /usr/local/groundwork/core/services/feeder-nagios-audit/run
  6. Append the contents of Appendix D to syslog-ng.conf:
    /usr/local/groundwork/common/etc/syslog-ng.conf

As user root on the GroundWork server, perform the following steps:

  1. Restart syslog
    /usr/local/groundwork/ctlscript.sh restart syslog-ng
  2. Restart GroundWork services
    /usr/local/groundwork/ctlscript.sh restart gwservices

Appendix A

add_audit_application_type.pl

#!/usr/local/groundwork/perl/bin/perl -w --
#
# Database updater for audit logging within GroundWork Monitor
#
# Original version by Dr. Dave Blunt.
# Now modified for use with PostgreSQL.
#
# Last modified: 2011-11-09
#
# Usage: add_audit_application_type.pl
#
# Description:
#
# This script will access the GWCollageDB database based on the settings
# determined with the CollageQuery methods.  Thus, the script must be run
# on the relevant GroundWork server.
#
# It will add rows to the ApplicationType, ConsolidationCriteria and
# ApplicationEntityProperty tables to support delivery and reporting on
# audit messages supplied by an external script 'audit-nagios.pl' that
# watches for commit operations on the Monarch database.

use strict;
use DBI;
use CollageQuery;

my ( $dbname, $dbhost, $dbuser, $dbpass, $dbtype ) = CollageQuery::readGroundworkDBConfig('collage');
my $dsn = '';
if ( defined($dbtype) && $dbtype eq 'postgresql' ) {
    $dsn = "DBI:Pg:dbname=$dbname;host=$dbhost";
}
else {
    $dsn = "DBI:mysql:database=$dbname;host=$dbhost";
}
my $dbh = DBI->connect( $dsn, $dbuser, $dbpass, { 'AutoCommit' => 1 } )
    or die "Cannot connect to database $dbname. Error: " . $DBI::errstr;
my $query;
my $sth;

# Add the AUDIT application type.
$query = "insert into ApplicationType values(DEFAULT,'AUDIT','Audit logs for GroundWork Monitor','Device')";
$sth   = $dbh->prepare($query);
$sth->execute() or die "Cannot insert the AUDIT application type: " . $sth->errstr;
$sth->finish();

# Get back the AUDIT ApplicationTypeID for later reference.
$query = "select ApplicationTypeID as \"ApplicationTypeID\" from ApplicationType where Name='AUDIT'";
$sth   = $dbh->prepare($query);
$sth->execute() or die "Cannot read back the AUDIT ApplicationTypeID: " . $sth->errstr;
my $appID;
while ( my $row = $sth->fetchrow_hashref() ) {
    $appID = $$row{ApplicationTypeID};
}
$sth->finish();
die "Could not find the AUDIT ApplicationTypeID after inserting it.\n" unless defined $appID;

# Add the Consolidation criteria for AUDIT messages.
$query = "insert into ConsolidationCriteria values(DEFAULT,'AUDIT','OperationStatus;Device;MonitorStatus;ipaddress;ErrorType;SubComponent')";
$sth   = $dbh->prepare($query);
$sth->execute() or die "Cannot insert the AUDIT consolidation criteria: " . $sth->errstr;
$sth->finish();

# Add the ApplicationEntityProperty settings that control what is displayed in the NOC Console.

$query = "select EntityTypeID as \"EntityTypeID\" from EntityType where Name='LOG_MESSAGE'";
$sth   = $dbh->prepare($query);
$sth->execute() or die "Cannot read the LOG_MESSAGE EntityTypeID: " . $sth->errstr;
my $enttypeID;
while ( my $row = $sth->fetchrow_hashref() ) {
    $enttypeID = $$row{EntityTypeID};
}
$sth->finish();
die "Could not find the LOG_MESSAGE EntityTypeID.\n" unless defined $enttypeID;

$query = "select PropertyTypeID as \"PropertyTypeID\", Name as \"Name\" from PropertyType";
$sth   = $dbh->prepare($query);
$sth->execute() or die "Cannot read the PropertyType table: " . $sth->errstr;
my %proptypeID;
while ( my $row = $sth->fetchrow_hashref() ) {
    $proptypeID{ $$row{Name} } = $$row{PropertyTypeID};
}
$sth->finish();

$query = "insert into ApplicationEntityProperty values(DEFAULT,'$appID','$enttypeID','$proptypeID{SubComponent}','2')";
$sth   = $dbh->prepare($query);
$sth->execute() or die "Cannot insert the SubComponent property for AUDIT: " . $sth->errstr;
$sth->finish();

$query = "insert into ApplicationEntityProperty values(DEFAULT,'$appID','$enttypeID','$proptypeID{ErrorType}','3')";
$sth   = $dbh->prepare($query);
$sth->execute() or die "Cannot insert the ErrorType property for AUDIT: " . $sth->errstr;
$sth->finish();

$query = "insert into ApplicationEntityProperty values(DEFAULT,'$appID','$enttypeID','$proptypeID{ipaddress}','1')";
$sth   = $dbh->prepare($query);
$sth->execute() or die "Cannot insert the ipaddress property for AUDIT: " . $sth->errstr;
$sth->finish();

$dbh->disconnect();
print "Database update completed.\n";
exit 0;

Appendix B

audit-nagios.pl

#!/usr/local/groundwork/perl/bin/perl -w

use strict;
use File::Find;

my $check_interval  = 60;
my $last_check_time = time;
while (1) {
    my $now = time;
    # build a list of nagios.cfg files to stat (Monarch Groups may build several)
    my @files = ();
    find( sub { push @files, $File::Find::name if $_ eq 'nagios.cfg' }, '/usr/local/groundwork/nagios/etc' );
    foreach my $file (@files) {
        my $mtime = ( stat $file )[9];
        next unless defined $mtime;
        if ( $mtime > $last_check_time ) {    # numeric compare: the file has changed since the last pass
            # pull the timestamp and user name from the header line Monarch writes on commit
            my ( $date, $user );
            if ( open my $fh, '<', $file ) {
                while ( my $line = <$fh> ) {
                    if ( $line =~ /generated\s(\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d)\sby\s(\S+)\sfrom/ ) {
                        ( $date, $user ) = ( $1, $2 );
                        last;
                    }
                }
                close $fh;
            }
            $date = 'unknown' unless defined $date;
            $user = 'unknown' unless defined $user;
            log_audit_message( $file, "File $file updated by user $user at $date." );
        }
    }
    # use the time captured before the scan so a commit made during the scan is caught on the next pass
    $last_check_time = $now;
    sleep $check_interval;
}
exit 0;

sub log_audit_message {
    my ( $file, $message ) = @_;
    # pass the message as a single argument with no shell involved, so a path or
    # user name containing shell metacharacters cannot alter the logger command line
    system( '/usr/bin/logger', '-p', 'local4.info', $message ) == 0
        or warn "logger failed for $file: $?\n";
}

Appendix C

run

#!/bin/sh
# Script for Supervise : Audit Nagios Feeder
exec 2>&1
sleep 30
exec /usr/local/groundwork/common/bin/setuidgid nagios /usr/local/groundwork/foundation/feeder/audit-nagios.pl

Appendix D

syslog-ng.conf settings

filter f_audit-nagios { message('nagios\.cfg updated by user'); };
template t_gw_audit-nagios_feeder
{
  template("<GENERICLOG MonitorServerName='localhost' Device='$HOST' ApplicationType='AUDIT' MonitorStatus='WARNING' ReportDate='$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC' Severity='WARNING' ipaddress='$HOST' SubComponent='$PROGRAM' TextMessage='$MSGONLY' />\n");
};
destination d_gw_audit-nagios_feeder { tcp("localhost" port(4913) template(t_gw_audit-nagios_feeder)); };
log { source(s_local); filter(f_audit-nagios); destination(d_gw_audit-nagios_feeder); };
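The following Python is an added example, not part of this page or of the GroundWork scripts: it reproduces the header parsing of Appendix B and the filter and GENERICLOG template of Appendix D, and shows why attribute values should be escaped before they are placed in the XML, since a user name or path containing a quote character turns the single-quoted template of Appendix D into an element Foundation cannot parse. The sample header line, host name and program name are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed sample of the header line a Monarch commit writes into nagios.cfg.
SAMPLE_HEADER = "# nagios.cfg generated 2011-11-09 14:32:05 by admin from Monarch"

# Same capture pattern as audit-nagios.pl (Appendix B).
HEADER_RE = re.compile(r"generated\s(\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d)\sby\s(\S+)\sfrom")
# Same match as the f_audit-nagios filter (Appendix D).
FILTER_RE = re.compile(r"nagios\.cfg updated by user")

def parse_commit_header(line):
    """Return (date, user) from the Monarch header line, or None if it is absent."""
    m = HEADER_RE.search(line)
    return m.groups() if m else None

def audit_message(path, line):
    """Build the syslog text audit-nagios.pl emits for one changed nagios.cfg."""
    parsed = parse_commit_header(line)
    if parsed is None:
        # Appendix B would log an empty user and date here; name the problem instead.
        return "File %s updated but no Monarch commit header found." % path
    date, user = parsed
    return "File %s updated by user %s at %s." % (path, user, date)

def matches_filter(msg):
    """True if syslog-ng's f_audit-nagios filter would forward this message."""
    return FILTER_RE.search(msg) is not None

def genericlog_xml(host, program, report_date, msg, escape=True):
    """Render the GENERICLOG element of Appendix D. escape=False drops each value
    into single quotes exactly as the syslog-ng template does; escape=True uses
    quoteattr so a quote or '<' in a user name or path cannot break the XML."""
    attrs = [("MonitorServerName", "localhost"), ("Device", host),
             ("ApplicationType", "AUDIT"), ("MonitorStatus", "WARNING"),
             ("ReportDate", report_date), ("Severity", "WARNING"),
             ("ipaddress", host), ("SubComponent", program), ("TextMessage", msg)]
    quote = quoteattr if escape else (lambda v: "'%s'" % v)
    return "<GENERICLOG %s />" % " ".join("%s=%s" % (k, quote(v)) for k, v in attrs)

def parse_genericlog(xml):
    """Attributes Foundation would see, or None if the element is not well-formed."""
    try:
        return ET.fromstring(xml).attrib
    except ET.ParseError:
        return None
```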