From 58181e774d473a604ca0cf69d746973a94eb3265 Mon Sep 17 00:00:00 2001 From: Giacomo Sanchietti Date: Tue, 10 Feb 2026 11:29:16 +0100 Subject: [PATCH 1/3] feat: add checkmk custom agent --- config/ns-checkmk-agent.conf | 2 + packages/ns-checkmk-agent/Makefile | 72 +++++++++++++++++++ packages/ns-checkmk-agent/README.md | 67 +++++++++++++++++ .../files/check_mk_agent.init | 19 +++++ 4 files changed, 160 insertions(+) create mode 100644 config/ns-checkmk-agent.conf create mode 100644 packages/ns-checkmk-agent/Makefile create mode 100644 packages/ns-checkmk-agent/README.md create mode 100644 packages/ns-checkmk-agent/files/check_mk_agent.init diff --git a/config/ns-checkmk-agent.conf b/config/ns-checkmk-agent.conf new file mode 100644 index 000000000..29eec6aea --- /dev/null +++ b/config/ns-checkmk-agent.conf @@ -0,0 +1,2 @@ +CONFIG_PACKAGE_ns-checkmk-agent=y +CONFIG_PACKAGE_socat=y diff --git a/packages/ns-checkmk-agent/Makefile b/packages/ns-checkmk-agent/Makefile new file mode 100644 index 000000000..030c4ebba --- /dev/null +++ b/packages/ns-checkmk-agent/Makefile 
@@ -0,0 +1,72 @@
+#
+# Copyright (C) 2026 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=ns-checkmk-agent
+PKG_VERSION:=0.0.1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/ns-checkmk-agent-$(PKG_VERSION)
+
+PKG_MAINTAINER:=Giacomo Sanchietti
+PKG_LICENSE:=GPL-3.0-only
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/ns-checkmk-agent
+ SECTION:=base
+ CATEGORY:=NethSecurity
+ TITLE:=Check_MK monitoring agent
+ URL:=https://github.com/Checkmk/checkmk
+ DEPENDS:=+socat
+ PKGARCH:=all
+endef
+
+define Package/ns-checkmk-agent/description
+ Check_MK monitoring agent for NethSecurity with custom plugins
+endef
+
+# Base URLs for downloads
+CHECKMK_AGENT_URL:=https://raw.githubusercontent.com/Checkmk/checkmk/master/agents/check_mk_agent.openwrt
+PLUGIN_BASE_URL:=https://raw.githubusercontent.com/Coverup20/checkmk-tools/refs/heads/main/script-check-nsec8/full
+
+# List of plugin files to download (add more as needed)
+PLUGIN_FILES:=check_dhcp_leases.sh check_dns_resolution.sh check_firewall_connections.sh check_firewall_rules.sh check_firewall_traffic.sh check_martian_packets.sh check_opkg_packages.sh check_ovpn_host2net.sh check_root_access.sh check_uptime.sh check_vpn_tunnels.sh check_wan_status.sh
+
+define Build/Prepare
+ mkdir -p $(PKG_BUILD_DIR)/plugins
+
+ # Download main Check_MK agent
+ wget -O $(PKG_BUILD_DIR)/check_mk_agent $(CHECKMK_AGENT_URL)
+
+ # Download plugin files using shell script loop
+ for plugin in $(PLUGIN_FILES); do \
+ echo "Downloading plugin: $$plugin"; \
+ wget -O $(PKG_BUILD_DIR)/plugins/$$plugin $(PLUGIN_BASE_URL)/$$plugin || \
+ echo "Warning: Failed to download $$plugin"; \
+ done
+endef
+
+define Build/Compile
+endef
+
+define Package/ns-checkmk-agent/install
+ $(INSTALL_DIR) $(1)/usr/bin
+ $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_DIR) $(1)/usr/lib/check_mk_agent/plugins
+
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/check_mk_agent $(1)/usr/bin/check_mk_agent
+ $(INSTALL_BIN) ./files/check_mk_agent.init $(1)/etc/init.d/check_mk_agent
+
+ # Install plugin files
+ if [ -d $(PKG_BUILD_DIR)/plugins ]; then \
+ for plugin in $(PKG_BUILD_DIR)/plugins/*; do \
+ [ -f "$$plugin" ] && $(INSTALL_BIN) $$plugin $(1)/usr/lib/check_mk_agent/plugins/; \
+ done; \
+ fi
+endef
+
+$(eval $(call BuildPackage,ns-checkmk-agent))
diff --git a/packages/ns-checkmk-agent/README.md b/packages/ns-checkmk-agent/README.md
new file mode 100644
index 000000000..2f990deaa
--- /dev/null
+++ b/packages/ns-checkmk-agent/README.md
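Review bot: Both download URLs in this Makefile point at moving branches (`master` for the agent, `refs/heads/main` for the plugin repository), and Build/Prepare packages whatever `wget` returns without a checksum, so the scripts shipped in the firewall image can change between builds with no change in this tree. Pin both URLs to reviewed commit ids and verify a recorded SHA-256 for every fetched file before packaging, or fetch through the build system's hash-checked download mechanism; the plugins come from a third-party repository and are installed with `$(INSTALL_BIN)`. The `|| echo "Warning: Failed to download $$plugin"` fallback also lets the build succeed when a download fails, possibly leaving an empty or partial file behind, so it should become `|| exit 1`. The same unpinned URLs are still used by the explicit `wget` lines in [PATCH 3/3].

```make
# Placeholders: replace with the commit ids that were actually reviewed.
CHECKMK_REF:=<REVIEWED_CHECKMK_COMMIT>
PLUGIN_REF:=<REVIEWED_PLUGIN_REPO_COMMIT>
CHECKMK_AGENT_URL:=https://raw.githubusercontent.com/Checkmk/checkmk/$(CHECKMK_REF)/agents/check_mk_agent.openwrt
PLUGIN_BASE_URL:=https://raw.githubusercontent.com/Coverup20/checkmk-tools/$(PLUGIN_REF)/script-check-nsec8/full

define Build/Prepare
	# … unchanged: mkdir, agent download, plugin download loop (with `|| exit 1`) …

	# Stop the build if any fetched file differs from the checksums recorded at review time.
	# <CHECKSUM_LIST> is a placeholder for a sha256sum-format list kept with the package.
	cd $(PKG_BUILD_DIR) && sha256sum -c <CHECKSUM_LIST>
endef
```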
@@ -0,0 +1,67 @@
+# ns-checkmk-agent
+
+Check_MK monitoring agent integration for NethSecurity.
+
+## Description
+
+This package provides the Check_MK agent for monitoring NethSecurity firewalls. It includes:
+
+- Main Check_MK agent from the official Checkmk repository
+- Custom plugins for NethSecurity-specific monitoring
+- Procd-managed service using socat to listen on TCP port 6556
+
+## Features
+
+- Automatic start on boot (START=98)
+- Respawn on failure
+- TCP listener on port 6556 using socat
+- Plugin support at `/usr/lib/check_mk_agent/plugins/`
+
+## Adding More Plugins
+
+To add additional plugin files from the [checkmk-tools repository](https://github.com/Coverup20/checkmk-tools/tree/main/script-check-nsec8/full):
+
+1. Browse the plugin directory on GitHub to find available plugins
+2. Add the plugin name to the `PLUGIN_FILES` variable in the Makefile:
+
+```makefile
+PLUGIN_FILES:=nethsecurity openvpn ipsec mwan3 certificates
+```
+
+3. The plugin will be automatically downloaded and installed to `/usr/lib/check_mk_agent/plugins/` during the build
+
+## Testing
+
+After installation on a NethSecurity firewall:
+
+```bash
+# Test agent locally
+/usr/bin/check_mk_agent
+
+# Test via network from monitoring server
+echo "" | nc 6556
+
+# Check service status
+/etc/init.d/check_mk_agent status
+
+# Start/stop service
+/etc/init.d/check_mk_agent start
+/etc/init.d/check_mk_agent stop
+```
+
+## Configuration
+
+The service is configured via procd and requires no additional configuration files. To enable/disable the service:
+
+```bash
+/etc/init.d/check_mk_agent enable
+/etc/init.d/check_mk_agent disable
+```
+
+## Dependencies
+
+- socat: Used to expose the agent via TCP socket
+
+## Firewall Rules
+
+Remember to allow incoming connections on TCP port 6556 from your Check_MK monitoring server.
diff --git a/packages/ns-checkmk-agent/files/check_mk_agent.init b/packages/ns-checkmk-agent/files/check_mk_agent.init new file mode 100644 index 000000000..958059e9a --- /dev/null +++ b/packages/ns-checkmk-agent/files/check_mk_agent.init @@ -0,0 +1,19 @@ +#!/bin/sh /etc/rc.common +START=98 +STOP=10 +USE_PROCD=1 + +PROG=/usr/bin/check_mk_agent + +start_service() { + procd_open_instance + procd_set_param respawn + procd_set_param command socat TCP-LISTEN:6556,reuseaddr,fork,keepalive EXEC:$PROG + procd_set_param stdout 1 + procd_set_param stderr 1 + procd_close_instance +} + +stop_service() { + killall socat >/dev/null 2>&1 || true +} From 44ec6819bb7bf3243c5e2f936b669577e1d311e6 Mon Sep 17 00:00:00 2001 From: Giacomo Sanchietti Date: Tue, 10 Feb 2026 15:49:59 +0100 Subject: [PATCH 2/3] fix --- packages/ns-checkmk-agent/Makefile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/packages/ns-checkmk-agent/Makefile b/packages/ns-checkmk-agent/Makefile index 030c4ebba..48387633f 100644 --- a/packages/ns-checkmk-agent/Makefile +++ b/packages/ns-checkmk-agent/Makefile @@ -44,9 +44,9 @@ define Build/Prepare # Download plugin files using shell script loop for plugin in $(PLUGIN_FILES); do \ - echo "Downloading plugin: $$plugin"; \ - wget -O $(PKG_BUILD_DIR)/plugins/$$plugin $(PLUGIN_BASE_URL)/$$plugin || \ - echo "Warning: Failed to download $$plugin"; \ + echo "Downloading plugin: $plugin"; \ + wget -O $(PKG_BUILD_DIR)/plugins/$plugin $(PLUGIN_BASE_URL)/$plugin || \ + echo "Warning: Failed to download $plugin"; \ done endef @@ -64,7 +64,7 @@ define Package/ns-checkmk-agent/install # Install plugin files if [ -d $(PKG_BUILD_DIR)/plugins ]; then \ for plugin in $(PKG_BUILD_DIR)/plugins/*; do \ - [ -f "$$plugin" ] && $(INSTALL_BIN) $$plugin $(1)/usr/lib/check_mk_agent/plugins/; \ + [ -f "$plugin" ] && $(INSTALL_BIN) "$plugin" $(1)/usr/lib/check_mk_agent/plugins/; \ done; \ fi endef From aabcb39483574ab117e09eeb306cce03d517b7d9 Mon Sep 17 00:00:00 2001 
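Review bot: The `socat` listener in `start_service` accepts connections on every address and from any source, and the agent output is served over plain TCP with no authentication, so access control rests entirely on a firewall rule the README only asks the operator to remember. Consider restricting it in the command itself, for example `procd_set_param command socat TCP-LISTEN:6556,bind=<LAN_ADDRESS>,range=<MONITORING_SERVER_CIDR>,reuseaddr,fork,keepalive EXEC:$PROG` (both values are placeholders, ideally read from configuration). Separately, `killall socat` in `stop_service` terminates every socat process on the system, not only this instance; since `USE_PROCD=1` is set, procd presumably stops the instance it started, so the custom `stop_service` can probably be dropped.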
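Review bot: Dropping one `$` in the loop bodies of [PATCH 2/3] lets make expand `$plugin` itself as `$(p)lugin`, so the shell never sees its loop variable: assuming `p` is unset, the `wget` line would target `plugins/lugin`, and the `[ -f "$plugin" ]` test in the install hunk would check a file named `lugin`. Because the download line still ends in `|| echo "Warning: ..."`, the prepare step would not fail on this and the package could be built without its plugins. If the original `$$plugin` did not survive expansion inside the `define`, the usual remedy is more escaping (`$$$$plugin`), not less; this is worth confirming against how the build system expands these blocks. Build/Prepare and the install block both start outside these hunks.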
From: Giacomo Sanchietti Date: Tue, 10 Feb 2026 15:57:30 +0100 Subject: [PATCH 3/3] fix --- packages/ns-checkmk-agent/Makefile | 40 +++++++++++++++++++----------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/packages/ns-checkmk-agent/Makefile b/packages/ns-checkmk-agent/Makefile index 48387633f..0cf2f9b28 100644 --- a/packages/ns-checkmk-agent/Makefile +++ b/packages/ns-checkmk-agent/Makefile 
@@ -33,21 +33,25 @@ endef CHECKMK_AGENT_URL:=https://raw.githubusercontent.com/Checkmk/checkmk/master/agents/check_mk_agent.openwrt PLUGIN_BASE_URL:=https://raw.githubusercontent.com/Coverup20/checkmk-tools/refs/heads/main/script-check-nsec8/full -# List of plugin files to download (add more as needed) -PLUGIN_FILES:=check_dhcp_leases.sh check_dns_resolution.sh check_firewall_connections.sh check_firewall_rules.sh check_firewall_traffic.sh check_martian_packets.sh check_opkg_packages.sh check_ovpn_host2net.sh check_root_access.sh check_uptime.sh check_vpn_tunnels.sh check_wan_status.sh - define Build/Prepare mkdir -p $(PKG_BUILD_DIR)/plugins # Download main Check_MK agent wget -O $(PKG_BUILD_DIR)/check_mk_agent $(CHECKMK_AGENT_URL) - # Download plugin files using shell script loop - for plugin in $(PLUGIN_FILES); do \ - echo "Downloading plugin: $plugin"; \ - wget -O $(PKG_BUILD_DIR)/plugins/$plugin $(PLUGIN_BASE_URL)/$plugin || \ - echo "Warning: Failed to download $plugin"; \ - done + # Download all plugins + wget -O $(PKG_BUILD_DIR)/plugins/check_dhcp_leases.sh $(PLUGIN_BASE_URL)/check_dhcp_leases.sh + wget -O $(PKG_BUILD_DIR)/plugins/check_dns_resolution.sh $(PLUGIN_BASE_URL)/check_dns_resolution.sh + wget -O $(PKG_BUILD_DIR)/plugins/check_firewall_connections.sh $(PLUGIN_BASE_URL)/check_firewall_connections.sh + wget -O $(PKG_BUILD_DIR)/plugins/check_firewall_rules.sh $(PLUGIN_BASE_URL)/check_firewall_rules.sh + wget -O $(PKG_BUILD_DIR)/plugins/check_firewall_traffic.sh $(PLUGIN_BASE_URL)/check_firewall_traffic.sh + wget -O $(PKG_BUILD_DIR)/plugins/check_martian_packets.sh $(PLUGIN_BASE_URL)/check_martian_packets.sh + wget -O $(PKG_BUILD_DIR)/plugins/check_opkg_packages.sh $(PLUGIN_BASE_URL)/check_opkg_packages.sh + wget -O $(PKG_BUILD_DIR)/plugins/check_ovpn_host2net.sh $(PLUGIN_BASE_URL)/check_ovpn_host2net.sh + wget -O $(PKG_BUILD_DIR)/plugins/check_root_access.sh $(PLUGIN_BASE_URL)/check_root_access.sh + wget -O $(PKG_BUILD_DIR)/plugins/check_uptime.sh 
$(PLUGIN_BASE_URL)/check_uptime.sh + wget -O $(PKG_BUILD_DIR)/plugins/check_vpn_tunnels.sh $(PLUGIN_BASE_URL)/check_vpn_tunnels.sh + wget -O $(PKG_BUILD_DIR)/plugins/check_wan_status.sh $(PLUGIN_BASE_URL)/check_wan_status.sh endef define Build/Compile 
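Review bot: The plugin list now exists twice, as twelve `wget` lines here in Build/Prepare and twelve matching `$(INSTALL_BIN)` lines in the install hunk that follows, with nothing that keeps the two in step; a plugin added only to the install list breaks that step, and one added only to the downloads is silently left out of the package. The README added in [PATCH 1/3] still tells users to extend `PLUGIN_FILES`, which this hunk deletes, so that section should be updated in the same commit. A comment above the downloads such as `# Keep in sync with Package/ns-checkmk-agent/install` would help, or keep `PLUGIN_FILES` and generate both sets of lines from it with `$(foreach ...)`.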
@@ -61,12 +65,18 @@ define Package/ns-checkmk-agent/install $(INSTALL_BIN) $(PKG_BUILD_DIR)/check_mk_agent $(1)/usr/bin/check_mk_agent $(INSTALL_BIN) ./files/check_mk_agent.init $(1)/etc/init.d/check_mk_agent - # Install plugin files - if [ -d $(PKG_BUILD_DIR)/plugins ]; then \ - for plugin in $(PKG_BUILD_DIR)/plugins/*; do \ - [ -f "$plugin" ] && $(INSTALL_BIN) "$plugin" $(1)/usr/lib/check_mk_agent/plugins/; \ - done; \ - fi + $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_dhcp_leases.sh $(1)/usr/lib/check_mk_agent/plugins/check_dhcp_leases.sh + $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_dns_resolution.sh $(1)/usr/lib/check_mk_agent/plugins/check_dns_resolution.sh + $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_firewall_connections.sh $(1)/usr/lib/check_mk_agent/plugins/check_firewall_connections.sh + $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_firewall_rules.sh $(1)/usr/lib/check_mk_agent/plugins/check_firewall_rules.sh + $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_firewall_traffic.sh $(1)/usr/lib/check_mk_agent/plugins/check_firewall_traffic.sh + $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_martian_packets.sh $(1)/usr/lib/check_mk_agent/plugins/check_martian_packets.sh + $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_opkg_packages.sh $(1)/usr/lib/check_mk_agent/plugins/check_opkg_packages.sh + $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_ovpn_host2net.sh $(1)/usr/lib/check_mk_agent/plugins/check_ovpn_host2net.sh + $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_root_access.sh $(1)/usr/lib/check_mk_agent/plugins/check_root_access.sh + $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_uptime.sh $(1)/usr/lib/check_mk_agent/plugins/check_uptime.sh + $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_vpn_tunnels.sh $(1)/usr/lib/check_mk_agent/plugins/check_vpn_tunnels.sh + $(INSTALL_BIN) $(PKG_BUILD_DIR)/plugins/check_wan_status.sh $(1)/usr/lib/check_mk_agent/plugins/check_wan_status.sh endef $(eval $(call BuildPackage,ns-checkmk-agent))