opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

Proposal: manage sudo rules #3777

Closed fraenki closed 4 years ago

fraenki commented 4 years ago

Hi @AdSchellevis and @fichtner!

When trying to monitor OPNsense firewalls with tools like Zabbix (Agent), several tests and checks require root privileges. In the case of the Zabbix Agent, we are currently using the following sudo rules for basic monitoring of our OPNsense firewalls:

root@opnsense:~ # cat /usr/local/etc/sudoers.d/zabbix
# Commands the zabbix agent may run as root; a trailing "*" permits any arguments
Cmnd_Alias ZABBIX = \
    /usr/bin/fstat, \
    /sbin/pfctl *, \
    /usr/local/sbin/pftop *, \
    /usr/local/bin/python3 /usr/local/bin/zabbix_check_ipsec.py *
# No password prompt, since the agent runs non-interactively
zabbix ALL=(ALL) NOPASSWD: ZABBIX

Of course, in theory it would be possible to wrap all these checks into configctl actions, but this would make it impossible to use standard monitoring templates. Especially when using Zabbix, there are many ready-to-use monitoring templates for FreeBSD. The same could possibly be said for other monitoring solutions too.

So, instead of reinventing the wheel and requiring custom checks in order to properly monitor OPNsense, I'd suggest creating an MVC-based "plugin" in core to manage custom sudo rules in /usr/local/etc/sudoers.d. It would provide an interface similar to the one that was implemented for os-haproxy in order to create HAProxy configurations from the Let's Encrypt plugin (https://github.com/opnsense/plugins/blob/master/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.php). This way it would be pretty easy to manage sudo rules from other plugins that rely on this functionality. Furthermore, this new sudo plugin could replace the existing sudoers code/template in core.

I would volunteer to provide a proof-of-concept. The Zabbix Agent plugin would be the first plugin to use this new functionality in order to provide a seamless monitoring experience for OPNsense.

However, depending on your security concerns, this core "plugin" could have no GUI and instead be used only by plugins and other core components in the backend. I could understand if you don't want a GUI for this, so as not to encourage people to deploy their custom/unsupported code on OPNsense. On the other hand, if you don't mind, I'd build a tiny GUI to add/remove/edit sudo rules, too.

What do you think? Do you have different ideas or concerns? Thanks for your time and consideration.
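
The rules quoted above are the kind of thing a reviewer of such a plugin would have to check, so here is a small lint for sudoers.d fragments. It is an added example for this thread, not OPNsense, Zabbix or any plugin's code. It parses Cmnd_Alias definitions (with backslash continuations) and flags the two ways these rules grant more than they look like they do, both documented in sudoers(5): a command listed with no argument list matches any arguments (only the explicit "" means "no arguments"), and a wildcard in the argument list is matched against the whole argument string, so it spans word boundaries. The sample input is the fragment from the comment above; the "tightened" fragment is a constructed illustration whose pfctl argument sets are assumptions (the real set has to come from the monitoring template in use).

```python
"""Lint a sudoers fragment for over-broad command rules (added example)."""
import re

# Constructed sample: the sudoers.d/zabbix fragment quoted in the issue.
SAMPLE_SUDOERS = r"""
Cmnd_Alias ZABBIX = \
    /usr/bin/fstat, \
    /sbin/pfctl *, \
    /usr/local/sbin/pftop *, \
    /usr/local/bin/python3 /usr/local/bin/zabbix_check_ipsec.py *
zabbix ALL=(ALL) NOPASSWD: ZABBIX
"""

# Constructed, tightened fragment (assumed argument sets, for illustration):
# "" pins fstat to no arguments, each pfctl invocation is spelled out in
# full instead of using a wildcard, and the run-as user is root, not ALL.
TIGHTENED_SUDOERS = r"""
Cmnd_Alias ZABBIX = \
    /usr/bin/fstat "", \
    /sbin/pfctl -si, \
    /sbin/pfctl -sr, \
    /sbin/pfctl -ss
zabbix ALL=(root) NOPASSWD: ZABBIX
"""


def logical_lines(text):
    """Join backslash-continued lines; drop comment and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():
        out.append(" ".join(buf.split()))
    return out


def parse_cmnd_aliases(text):
    """Return {alias_name: [(command_path, argument_string), ...]}."""
    aliases = {}
    for line in logical_lines(text):
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.*)$", line)
        if not m:
            continue
        entries = []
        # Members are comma-separated; a backslash escapes a literal comma.
        for cmd in re.split(r"(?<!\\),", m.group(2)):
            parts = cmd.strip().split(None, 1)
            if parts:
                entries.append((parts[0], parts[1] if len(parts) > 1 else ""))
        aliases[m.group(1)] = entries
    return aliases


def lint_sudoers(text):
    """Return (kind, detail) findings; an empty list means nothing flagged."""
    findings = []
    for name, entries in parse_cmnd_aliases(text).items():
        for path, args in entries:
            if args == "":
                # sudoers(5): a bare command path matches any arguments.
                findings.append(("any_args",
                                 f"{name}: {path} has no argument list, so any arguments are allowed"))
            elif args != '""' and re.search(r"[*?\[]", args):
                # sudoers(5): arguments are matched as one string, so the
                # wildcard also matches extra words, e.g. "pfctl -s info -d".
                findings.append(("wildcard",
                                 f"{name}: {path} {args} (wildcard spans word boundaries)"))
    for line in logical_lines(text):
        # User specification: user host=(runas[:group]) [TAG:] commands
        m = re.match(r"^(\S+)\s+\S+\s*=\s*\(([^)]*)\)", line)
        if m and m.group(2).split(":")[0].strip() == "ALL":
            findings.append(("runas_all",
                             f"{m.group(1)} may run the commands as any user; prefer (root)"))
    return findings


if __name__ == "__main__":
    for label, text in (("original", SAMPLE_SUDOERS), ("tightened", TIGHTENED_SUDOERS)):
        print(f"== {label} ==")
        for kind, detail in lint_sudoers(text) or [("ok", "no findings")]:
            print(f"{kind}: {detail}")
```

On the original fragment the lint reports every alias member and the (ALL) run-as; on the tightened one it reports nothing. The point for a sudo-managing plugin is that neither check can be done by looking at the command path alone: the argument field and the run-as field are where the privilege actually lives, and sudoers wildcards are not a safe way to narrow it.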

AdSchellevis commented 4 years ago

Hi Frank,

I'm not sure we really need a new facility for this, but maybe I'm missing something. Can you explain a bit more about the use case and the standard scripts (examples) that should be allowed for zabbix?

It sounds like the sudo rules should be part of the package, if we need to register a set of files from within a directory, it might be an option to fix this in the template generation (if not 100% static).

Best regards,

Ad

fichtner commented 4 years ago

Hi Frank,

For me this seems out of scope. I'm OK with shipping static files in plugins. Templating them is more difficult (we do it in core very lightly), let alone building a framework for a security-issue-prone use case.

Cheers, Franco

fraenki commented 4 years ago

Thanks, I'll include a static file in one of the next releases.