Solved

Installing Centreon on a CIS-compliant OS



Hello,


I’m trying to install Centreon on my AWS cloud using AMIs `ami-04be5c2c7e9923780` (Oracle Linux 9) or `ami-081241b2722de973f` (Alma Linux 8), but I’m encountering issues during the web installation process.

Firstly, we are encountering errors during the Centreon installation, such as "usermod: group centreon-engine does not exist," among others. Additionally, configuration files are not being created:


ls -lrt /var/cache/centreon/config/engine/*
ls: cannot access '/var/cache/centreon/config/engine/*': No such file or directory

ls -lrt /var/cache/centreon/config/broker/*
ls: cannot access '/var/cache/centreon/config/broker/*': No such file or directory

This seems to be because Centreon does not support operating systems hardened by CIS compliances. The main purpose of my post here is to find out if others have encountered the same issue and if there is a known fix available. Additionally, I would like to inquire if the Centreon team plans to implement support for CIS-compliant OS.

With growing concerns about IT security, it's crucial that Centreon can work effectively on these platforms. Any insights or solutions would be greatly appreciated.

Christopher



Best answer by christopher.jacques 9 July 2024, 15:05


3 replies


Hello,


I am having the same error when installing on Alma Linux.

Would be very grateful if someone can help us.


Thanks,

M.B


Hello,

I've successfully installed Centreon on a CIS-compliant OS (AlmaLinux 8). However, due to certain OS restrictions, the centreon-engine group couldn't be created during the installation process.

As a workaround, it's necessary to create the user group before proceeding with the installation:


groupadd --gid 976 centreon-engine

useradd --uid 977 --gid 976 --home /var/lib/centreon-engine --shell /bin/bash centreon-engine


CIS-compliant operating systems typically come with nftables installed and enabled (an alternative to iptables or firewalld).

First, check if nftables is started:

systemctl status nftables

Then create nftables.conf:

vi /etc/nftables.conf


Add Centreon flows:

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Allow established and related connections
        ct state established,related accept

        # Allow loopback traffic
        iif lo accept

        # Allow SSH traffic
        tcp dport 22 accept

        # Allow HTTP traffic
        tcp dport 80 accept

        # Allow HTTPS traffic
        tcp dport 443 accept

        # Allow SNMP traffic
        udp dport 161 accept

        # Allow SNMPTRAP traffic
        udp dport 162 accept

        # Allow Centreon Gorgone traffic
        tcp dport 5556 accept

        # Allow Centreon Broker traffic
        tcp dport 5669 accept

        # Allow ICMP (ping) traffic
        icmp type { destination-unreachable, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # Drop all other traffic
        counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}


Apply the configuration:

nft -f /etc/nftables.conf



To make the configuration persistent, use the following command:

nft list ruleset > /etc/sysconfig/nftables.conf



Then restart nftables:

systemctl restart nftables



Thank you
Christopher
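The two steps in this answer (pre-creating the centreon-engine account, then loading and persisting the nftables ruleset) as one re-runnable script. This is an added example, not code from christopher.jacques or from Centreon. It reuses the UID/GID 977/976 and the port list from the answer and assumes the same RHEL-family layout, where the nftables unit reads /etc/sysconfig/nftables.conf. The function names (ensure_group, ensure_user, render_nft_ruleset, ruleset_allows, apply_ruleset), the CENTREON_CIS_APPLY guard variable, the leading `flush ruleset` and the `ct state invalid drop` rule are my additions, not part of the original post.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently pre-create the
# Centreon engine account and validate the nftables ruleset before applying.
# UID/GID and ports come from the answer above; everything else is assumed.
set -eu

CENTREON_ENGINE_GID=976
CENTREON_ENGINE_UID=977

# Return 0 if the group / user already exists in the system databases.
group_exists() { getent group "$1" >/dev/null 2>&1; }
user_exists()  { getent passwd "$1" >/dev/null 2>&1; }

# Create the group only when missing, so re-running the script is safe
# (a CIS-hardened host that already has the group must not be touched).
ensure_group() {
    name=$1; gid=$2
    if group_exists "$name"; then
        echo "group $name already exists, skipping"
        return 0
    fi
    groupadd --gid "$gid" "$name"
}

ensure_user() {
    name=$1; uid=$2; gid=$3; home=$4
    if user_exists "$name"; then
        echo "user $name already exists, skipping"
        return 0
    fi
    useradd --uid "$uid" --gid "$gid" --home "$home" --shell /bin/bash "$name"
}

# Emit the ruleset. `flush ruleset` makes re-applying idempotent instead of
# appending duplicate rules to an already existing inet filter table.
render_nft_ruleset() {
    cat <<'EOF'
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        tcp dport { 22, 80, 443 } accept
        udp dport { 161, 162 } accept
        tcp dport { 5556, 5669 } accept
        icmp type { destination-unreachable, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        counter drop
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

# Sanity check: is <proto> port <port> accepted by the rendered ruleset?
# Strips set braces/commas and matches the port as a whole token.
ruleset_allows() {
    proto=$1; port=$2
    render_nft_ruleset | grep "$proto dport" | tr -d '{},' | tr ' ' '\n' | grep -qx "$port"
}

# Dry-run the file with nft -c so a syntax error never reaches the live
# ruleset, then load, persist and restart exactly as the answer does.
apply_ruleset() {
    tmp=$(mktemp)
    render_nft_ruleset > "$tmp"
    nft -c -f "$tmp"
    nft -f "$tmp"
    nft list ruleset > /etc/sysconfig/nftables.conf
    rm -f "$tmp"
    systemctl restart nftables
}

main() {
    ensure_group centreon-engine "$CENTREON_ENGINE_GID"
    ensure_user centreon-engine "$CENTREON_ENGINE_UID" "$CENTREON_ENGINE_GID" /var/lib/centreon-engine
    ruleset_allows tcp 5669 && ruleset_allows tcp 5556 && ruleset_allows udp 162
    apply_ruleset
}

# The privileged steps only run when explicitly requested, so the file can
# be sourced or linted without modifying accounts or the firewall.
if [ "${CENTREON_CIS_APPLY:-0}" = 1 ]; then
    main
fi
```

Run it as root with `CENTREON_CIS_APPLY=1 sh centreon-cis-prep.sh` before starting the Centreon installation. The `nft -c -f` dry run rejects a malformed file without touching the live rules, and the `flush ruleset` line means a second run replaces the ruleset rather than stacking duplicate accept rules on top of the existing table.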




thanks @christopher.jacques we’ll talk with the Centreon tech team to see how feasible it would be to adjust and offer out-of-the-box support for CIS-compliant OSes.
