From ff8d7119453eeb57d2ec5ec677daa410cb1eaa1b Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Wed, 27 Oct 2021 21:48:35 +0200 Subject: add ssl exporter and ssh check for all debian/ubuntu based hosts --- inventory/host_vars/ch-prometheus.yml | 13 +++++++++++++ inventory/host_vars/ch-testvm-prometheus.yml | 16 ++++++++++++++++ .../prometheus/exporter/ssl/templates/service.j2 | 4 ++-- 3 files changed, 31 insertions(+), 2 deletions(-) diff --git a/inventory/host_vars/ch-prometheus.yml b/inventory/host_vars/ch-prometheus.yml index d217de07..361a8c02 100644 --- a/inventory/host_vars/ch-prometheus.yml +++ b/inventory/host_vars/ch-prometheus.yml @@ -54,6 +54,7 @@ prometheus_exporter_node_textfile_collector_scripts: - smartmon prometheus_exporters_extra: + - ssl - ipmi prometheus_exporter_ipmi_modules: @@ -64,6 +65,18 @@ prometheus_exporter_ipmi_modules: - chassis - sel +prometheus_job_multitarget_blackbox__probe: + ch-mon: + - instance: "ssh-{{ inventory_hostname }}" + target: "{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets[inventory_hostname]) | ipaddr('address') }}:{{ ansible_port | default(22) }}" + module: ssh_banner + +prometheus_job_multitarget_ssl__probe: + ch-prometheus: + - instance: "sslcert-prometheus-{{ inventory_hostname }}" + target: "/etc/ssl/prometheus/**/*.pem" + module: file + installer_storage: type: lvm diff --git a/inventory/host_vars/ch-testvm-prometheus.yml b/inventory/host_vars/ch-testvm-prometheus.yml index 755ebc62..089b1571 100644 --- a/inventory/host_vars/ch-testvm-prometheus.yml +++ b/inventory/host_vars/ch-testvm-prometheus.yml 
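Review bot: The new `prometheus_job_multitarget_ssl__probe` entry in the second hunk probes `/etc/ssl/prometheus/**/*.pem`, and that recursive glob will also match any non-certificate PEM (a private key, for example) that lives under the same tree; depending on how the exporter's `file` prober treats a file it cannot decode as a certificate, one such file could fail the whole probe rather than just being skipped — worth confirming against the exporter and, if so, narrowing the pattern to the certificate filenames actually written there. The `ssh_banner` probe only checks that a banner comes back on `ansible_port`, which is a liveness signal rather than a host-key or configuration check, so a short comment above the job, such as `# liveness only: a matching banner, not a host-key or policy check`, would keep a later reader from reading more into it. Both jobs are hard-wired to `ch-mon` and `ch-prometheus` as the scraping hosts, which is fine for a single host_vars file but becomes a maintenance hazard once the same stanza is copied per host.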
@@ -47,10 +47,26 @@ ntp_client: - name: at.pool.ntp.org options: iburst + +prometheus_exporters_extra: + - ssl + prometheus_exporter_node_textfile_collector_scripts: - deleted-libraries - chrony +prometheus_job_multitarget_blackbox__probe: + ch-mon: + - instance: "ssh-{{ inventory_hostname }}" + target: "{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets[inventory_hostname]) | ipaddr('address') }}:{{ ansible_port | default(22) }}" + module: ssh_banner + +prometheus_job_multitarget_ssl__probe: + ch-testvm-prometheus: + - instance: "sslcert-prometheus-{{ inventory_hostname }}" + target: "/etc/ssl/prometheus/**/*.pem" + module: file + containerd_storage: type: lvm diff --git a/roles/monitoring/prometheus/exporter/ssl/templates/service.j2 b/roles/monitoring/prometheus/exporter/ssl/templates/service.j2 index fdd754a4..f0e1be30 100644 --- a/roles/monitoring/prometheus/exporter/ssl/templates/service.j2 +++ b/roles/monitoring/prometheus/exporter/ssl/templates/service.j2 @@ -7,8 +7,8 @@ ExecStart=/usr/bin/prometheus-ssl-exporter --web.listen-address="127.0.0.1:9219" ExecReload=/bin/kill -HUP $MAINPID # systemd hardening-options -AmbientCapabilities= -CapabilityBoundingSet= +AmbientCapabilities=CAP_DAC_READ_SEARCH +CapabilityBoundingSet=CAP_DAC_READ_SEARCH DeviceAllow=/dev/null rw DevicePolicy=strict LockPersonality=true -- cgit v1.2.3
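Review bot: This hunk repeats the blackbox and ssl probe stanzas from ch-prometheus.yml almost verbatim, with only the network zone (`svc` here, `lan` there) and the scraping host differing; given the commit subject's intent of covering every debian/ubuntu host, carrying this in each host_vars file means every new host needs a hand-edited copy and the zone name is easy to get wrong. A group-level default keyed on a per-host variable, e.g. `target: "{{ network_zones[ssh_probe_zone].prefix | ipaddr(network_zones[ssh_probe_zone].offsets[inventory_hostname]) | ipaddr('address') }}:{{ ansible_port | default(22) }}"`, would let the host file carry only `ssh_probe_zone: svc`. The same applies to the `sslcert-prometheus-*` file probe, whose glob and module are identical in both files.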
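Review bot: Granting `CAP_DAC_READ_SEARCH` in both `AmbientCapabilities=` and `CapabilityBoundingSet=` waives discretionary read and search checks for every path on the host, not just the `/etc/ssl/prometheus` tree the inventory points at, and since this exporter's file prober opens whatever glob the scrape request passes in `target`, anyone who can reach the loopback listener on `127.0.0.1:9219` can make a capability-bearing process open and parse arbitrary files (only certificate metadata is exported, but existence and parse results of paths such as `/etc/ssl/private` would still leak). The narrower fix is to keep both capability sets empty and give the exporter's user read access to the certificate directory instead, e.g. `SupplementaryGroups=<cert-group>` together with group-readable files or an ACL set by the role; if the capability has to stay, fence it with `ProtectSystem=strict` plus `InaccessiblePaths=-/etc/ssl/private -/root` so it cannot reach secrets outside the intended tree. Note that ambient capabilities only take effect for a non-root `User=`, and the rest of the unit (the `User=` line and the remaining hardening options) lies outside this hunk, so that should be checked alongside.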