# Uptime
# Reboot reminder: alerts once the host has been up for more than 180 days
# (e.g. a pending kernel update never got applied). The trailing
# "every 33 cycles" is monit's per-service schedule, so this check itself runs
# only every 33rd cycle; alerts are raised on state change either way.
# NOTE(review): this is a second "check system" entry next to "$HOST" below;
# confirm the monit release in use accepts more than one with `monit -t`.
check system $HOST_uptime
if uptime > 180 days then alert every 33 cycles
# Host-wide resource thresholds. Every rule alerts on state change only, so a
# sustained breach produces one notification, not one per cycle.
check system $HOST
# Overload
if cpu usage (user) > 70% then alert
if cpu usage (system) > 30% then alert
# Momentary overload (n+1)
# n appears to be the core count; 1-min load above n+1 is treated as a spike
# and 5-min load above n as sustained overload -- values fit a 2-core host,
# TODO confirm against the deployed hardware_cpu baseline.
if loadavg (1min) > 3 then alert
# Constant overload (n)
if loadavg (5min) > 2 then alert
# Memory usage
if memory usage > 75% then alert
if swap usage > 25% then alert
# Disabled higher swap threshold, kept for reference.
#if swap usage > 45% then alert
# IO overload
if cpu usage (wait) > 20% then alert
# System-wide open file descriptors; the filedescriptors statement needs a
# monit release that supports it -- confirm with `monit -t` on the target.
if filedescriptors > 5000 then alert
# Disk full
# Root filesystem only; other mount points (e.g. /var, /home) are not covered
# here and would need their own "check filesystem" entries.
check filesystem rootfs with path "/"
if space usage > 90% then alert
# Available entropy at first
# First of the "integrity" group: server-integrity.sh is invoked with the
# ENTROPY sub-check and a deploy-time reference passed via -r; the
# @@INTEGRITY_ENTROPY@@ token is a template placeholder filled when the
# config is generated. Any non-zero exit status raises an alert. Unlike the
# hardware/network probes below this one has no "every" clause, so it runs on
# every monit cycle.
# NOTE(review): monit runs this path with its own privileges (normally root);
# keep /usr/local/sbin/server-integrity.sh root-owned and not writable by
# others -- a "check file" on it, like the one for /etc/shadow below, would
# make tampering with the probe itself visible.
# NOTE(review): the reference sits inside single quotes; a substituted value
# containing a single quote would break the command line.
check program kernel_entropy
with path "/usr/local/sbin/server-integrity.sh -c ENTROPY -r '@@INTEGRITY_ENTROPY@@'"
group integrity
if status != 0 then alert
# Number of CPU cores
# Hardware baseline: CPU sub-check with the deploy-time reference
# @@INTEGRITY_CPU@@ (template placeholder). A non-zero exit alerts; the
# probe is rescheduled to every 33 cycles since the value rarely changes.
check program hardware_cpu
with path "/usr/local/sbin/server-integrity.sh -c CPU -r '@@INTEGRITY_CPU@@'" every 33 cycles
group integrity
if status != 0 then alert
# Total memory (MB)
# Installed RAM in MB versus the deploy-time reference @@INTEGRITY_RAM_MB@@
# (template placeholder); non-zero exit alerts, checked every 33 cycles.
check program hardware_ram
with path "/usr/local/sbin/server-integrity.sh -c RAM -r '@@INTEGRITY_RAM_MB@@'" every 33 cycles
group integrity
if status != 0 then alert
# PCI devices
# The placeholder name suggests the reference is a hash over the PCI device
# list, so any added or removed device changes it and the script exits
# non-zero -> alert. Checked every 33 cycles.
check program hardware_pci_hash
with path "/usr/local/sbin/server-integrity.sh -c PCI -r '@@INTEGRITY_PCI_HASH@@'" every 33 cycles
group integrity
if status != 0 then alert
# USB devices
# Same hash-style reference as the PCI probe (@@INTEGRITY_USB_HASH@@); an
# unexpected USB device on a server is a physical-tamper signal worth
# alerting on. Checked every 33 cycles; at that interval a briefly connected
# device can be missed -- shorten if physical access is a concern.
check program hardware_usb_hash
with path "/usr/local/sbin/server-integrity.sh -c USB -r '@@INTEGRITY_USB_HASH@@'" every 33 cycles
group integrity
if status != 0 then alert
# Disk partitions
# Expected device naming per platform (used to fill @@INTEGRITY_DISKS@@):
# - bare metal /dev/[sh]d*
# - VMware /dev/sd*
# - KVM /dev/vd*
# - XEN /dev/xvd*
# - OpenVZ: no disk devices, enter empty string
# Non-zero exit alerts; checked every 33 cycles.
check program hardware_disk
with path "/usr/local/sbin/server-integrity.sh -c DISK -r '@@INTEGRITY_DISKS@@'" every 33 cycles
group integrity
if status != 0 then alert
# Swap sizes (kB)
# Swap device sizes in kB versus the deploy-time reference
# @@INTEGRITY_SWAPS@@ (template placeholder); non-zero exit alerts,
# checked every 33 cycles.
check program hardware_swap
with path "/usr/local/sbin/server-integrity.sh -c SWAP -r '@@INTEGRITY_SWAPS@@'" every 33 cycles
group integrity
if status != 0 then alert
# Kernel clock source
# Current kernel clocksource versus the deploy-time reference
# @@INTEGRITY_CLOCKSOURCE@@; a change typically means the host moved to a
# different hypervisor or hardware. Non-zero exit alerts; every 33 cycles.
check program kernel_clocksource
with path "/usr/local/sbin/server-integrity.sh -c CLOCKSOURCE -r '@@INTEGRITY_CLOCKSOURCE@@'" every 33 cycles
group integrity
if status != 0 then alert
# Virtual console on Xen
# Presence of the Xen virtual console device versus the deploy-time
# reference @@INTEGRITY_VCONSOLE@@; non-zero exit alerts, every 33 cycles.
check program device_vconsole
with path "/usr/local/sbin/server-integrity.sh -c VCONSOLE -r '@@INTEGRITY_VCONSOLE@@'" every 33 cycles
group integrity
if status != 0 then alert
# First nameserver (IPv4 only)
# The first configured resolver versus @@INTEGRITY_FIRST_DNS@@; a silent
# change here is what a resolver-hijack or a rogue DHCP answer looks like,
# so it is part of the integrity group. Non-zero exit alerts; every 33 cycles.
check program network_dns
with path "/usr/local/sbin/server-integrity.sh -c DNS1 -r '@@INTEGRITY_FIRST_DNS@@'" every 33 cycles
group integrity
if status != 0 then alert
# First IPv4 address
# Primary IPv4 address versus @@INTEGRITY_FIRST_IP@@ (template placeholder);
# non-zero exit alerts, every 33 cycles.
check program network_ip
with path "/usr/local/sbin/server-integrity.sh -c IP1 -r '@@INTEGRITY_FIRST_IP@@'" every 33 cycles
group integrity
if status != 0 then alert
# Default IPv4 gateway
# Default route versus @@INTEGRITY_GATEWAY@@; an unexpected gateway change
# can indicate traffic being redirected. Non-zero exit alerts; every 33 cycles.
check program network_gateway
with path "/usr/local/sbin/server-integrity.sh -c GATEWAY -r '@@INTEGRITY_GATEWAY@@'" every 33 cycles
group integrity
if status != 0 then alert
# First hop towards the nearest root server
# WARNING There could be more routers
# -h names the probe target (@@INTEGRITY_NEAREST@@, unquoted -- presumably a
# hostname or IP with no whitespace) and -r the expected first hop
# (@@INTEGRITY_HOP@@). Non-zero exit alerts; every 33 cycles.
check program network_hop
with path "/usr/local/sbin/server-integrity.sh -c HOP1 -h @@INTEGRITY_NEAREST@@ -r '@@INTEGRITY_HOP@@'" every 33 cycles
# Second hop
# Disabled alternative: only one "with path" is active per check program,
# so the HOP2 line below is a commented-out variant, not an additional probe.
# with path "/usr/local/sbin/server-integrity.sh -c HOP2 -h @@INTEGRITY_NEAREST@@ -r '@@INTEGRITY_HOP2@@'" every 33 cycles
group integrity
if status != 0 then alert
# First reverse record
# PTR record of the first address versus @@INTEGRITY_REVERSE@@; a changed
# reverse record is relevant for mail reputation and for spotting DNS
# tampering. Non-zero exit alerts; every 33 cycles.
check program network_ptr
with path "/usr/local/sbin/server-integrity.sh -c PTR1 -r '@@INTEGRITY_REVERSE@@'" every 33 cycles
group integrity
if status != 0 then alert
# First mail exchanger
# Highest-priority MX versus @@INTEGRITY_FIRST_MX@@; an unexpected MX change
# would divert inbound mail. Non-zero exit alerts; every 33 cycles.
check program network_mx
with path "/usr/local/sbin/server-integrity.sh -c MX1 -r '@@INTEGRITY_FIRST_MX@@'" every 33 cycles
group integrity
if status != 0 then alert
# Number of resolvers
# Count of configured resolvers versus @@INTEGRITY_RESOLVERS@@; complements
# the network_dns probe, which only looks at the first one. Non-zero exit
# alerts; every 33 cycles.
check program network_resolvers
with path "/usr/local/sbin/server-integrity.sh -c RES -r '@@INTEGRITY_RESOLVERS@@'" every 33 cycles
group integrity
if status != 0 then alert
# List of files in /
# Top-level directory listing versus @@INTEGRITY_ROOTLIST@@; new or removed
# entries directly under / are rare on a server and worth a look. Non-zero
# exit alerts; every 33 cycles.
check program fs_rootlist
with path "/usr/local/sbin/server-integrity.sh -c ROOT -r '@@INTEGRITY_ROOTLIST@@'" every 33 cycles
group integrity
if status != 0 then alert
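# Password shadow file
# Integrity anchor for local credentials: a content change (checksum) or a
# deviation from the expected mode/owner (0640 root:shadow, the Debian-family
# layout) is reported. The mode/owner rules alert instead of unmonitoring:
# "unmonitor" would have stopped all checks on this service -- including the
# checksum -- after a single permission or ownership deviation, until someone
# re-enabled it with `monit monitor password_shadow`, which is the opposite
# of what an integrity check should do. On distributions with different
# shadow ownership, adjust the three expected values rather than the action.
check file password_shadow with path "/etc/shadow"
group integrity
if changed checksum then alert
if failed permission 640 then alert
if failed uid root then alert
if failed gid shadow then alert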