Merge pull request #13 from baile320/baile320_observium_corrections

Observium Module Security Fixes
benjamin-robertson · Jun 20, 2024 · 197571f · 197571f
2 parents 5b37fce + a46b363
commit 197571f
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 14 deletions.
diff --git a/data/common.yaml b/data/common.yaml
@@ -1,7 +1,5 @@
 ---
 observium::auth_mechanism: "mysql"
-observium::db_password: "changeme"
-observium::rootdb_password: "hello123"
 observium::download_url: "http://www.observium.org/"
 observium::installer_name: "observium-community-latest.tar.gz"
 observium::install_dir: "/opt/observium"
@@ -10,9 +8,7 @@ observium::db_user: "observium"
 observium::community: "puppet"
 observium::snmpv3_authlevel: "authPriv"
 observium::snmpv3_authname: "observium"
-observium::snmpv3_authpass: "setme1234"
 observium::snmpv3_authalgo: "SHA"
-observium::snmpv3_cryptopass: "setme1234"
 observium::snmpv3_cryptoalgo: "AES"
 observium::snmpd_agentaddress:
   - udp:127.0.0.1:161
@@ -26,7 +22,6 @@ observium::observium_additional_conf:
   - '//extra lines'
   - '//as many as you'
   - '//would like'
-observium::admin_password: "changeme"
 observium::apache_custom_options: {}
 observium::apache_auth_require: "all granted"
 observium::apache_port: 80

diff --git a/manifests/database_init.pp b/manifests/database_init.pp
@@ -13,12 +13,15 @@
   # init the database if the user table is not present
   exec { 'init observium databse':
     command => '/opt/observium/discovery.php -u',
-    unless  => "${mysql_location} -u observium --password=${observium::db_password} observium -e 'select * from users'",
+    unless  => "${mysql_location} -u ${observium::db_user} --password='${observium::db_password}' observium -e \"select * from observium.users\"",
   }
 
-  exec { 'Create admin user':
-    command => "/opt/observium/adduser.php admin ${observium::admin_password} 10",
-    unless  => "${mysql_location} -u observium --password=${observium::db_password} observium -e 'select * from users WHERE username LIKE \"admin\"' | grep admin",
+  # when auth_mechanism is 'remote', privilege level is given by observium's auth_remote_userlevel setting
+  unless $observium::auth_mechanism == 'remote' {
+    exec { 'Create admin user':
+      command => "/opt/observium/adduser.php admin ${observium::admin_password} 10",
+      unless  => "${mysql_location} -u ${observium::db_user} --password='${observium::db_password}' observium -e \"select * from observium.users WHERE username LIKE 'admin'\" | grep admin",
+    }
   }
 
   # add local host to database
@@ -30,7 +33,7 @@
   }
   exec { 'Add local host as device':
     command => "/opt/observium/add_device.php 127.0.0.1 ${v3auth} v3 ${observium::snmpv3_authname} ${observium::snmpv3_authpass} ${observium::snmpv3_cryptopass} ${observium::snmpv3_authalgo} ${observium::snmpv3_cryptoalgo}",
-    unless  => "${mysql_location} -u observium --password=${observium::db_password} observium -e 'select hostname from devices WHERE hostname LIKE \"127.0.0.1\"' | grep 127.0.0.1",
+    unless  => "${mysql_location} -u ${observium::db_user} --password='${observium::db_password}' observium -e 'select hostname from devices WHERE hostname LIKE \"127.0.0.1\"' | grep 127.0.0.1",
   }
 
   # Perform discovery for nodes which have been added. 

diff --git a/manifests/mariadb.pp b/manifests/mariadb.pp
@@ -6,8 +6,9 @@
 #
 class observium::mariadb {
   assert_private()
+
   # Check we are managing mysql
-  if observium::manage_mysql {
+  if $observium::manage_mysql {
     case $facts['os']['family'] {
       'RedHat': {
         Class { '::mysql::server':
@@ -19,9 +20,6 @@
       }
       'Debian': {
         Class { '::mysql::server':
-          #package_name   => 'mariadb-server',
-          #package_ensure => 'present',
-          #service_name   => 'mysqld',
           root_password    => $observium::rootdb_password,
           override_options => {
             'mysqld' => {