Monitoring GVM tasks / results with Icinga2

Prerequisites

• python-gvm
• gvm-tools >= 2.0 (for gvm-script)
• An already working Icinga 2 setup (Tested / known to be working with versions 2.7.x up to 2.12.x)
• Debian environment (this guide probably can be adapted to other systems as well)
• A valid GVM user with access to the monitored task

Setup

1. Change to the nagios user

   sudo -u nagios bash
   

2. Download check-gmp.gmp.py and place it into /etc/icinga2/scripts (Note: It seems a pip3 install gvm-tools doesn’t install that file locally)

   wget https://raw.githubusercontent.com/greenbone/gvm-tools/master/scripts/check-gmp.gmp.py -O /etc/icinga2/scripts/check-gmp.gmp.py
   

3. Make sure that the file is owned by the nagios user (if you have missed step 1.)

   chown nagios:nagios /etc/icinga2/scripts/check-gmp.gmp.py
   

4. Create a new file /etc/icinga2/conf.d/services/gvm_gmp.conf and insert the following code:

   object CheckCommand "check_gmp" {
   
   	import "plugin-check-command"
   	command = [ "/usr/local/bin/gvm-script"]
   	arguments = {
   
       	"--gmp-username" = {
    	   	value = "$gmp_username$"
    	   	order = 0
       	}
       	"--gmp-password" = {
    	   	value = "$gmp_password$"
    	   	order = 1
       	}
       	"--timeout" = {
    	   	value = "$timeout$"
    	   	order = 2
       	}
       	"connection_type" = {
       		value = "$connection_type$"
       		skip_key = true
       		order = 3
       	}
       	"--hostname" = {
    	   	value = "$hostname$"
    	   	order = 4
       	}
       	"/etc/icinga2/scripts/check-gmp.gmp.py" = {
    	   	order = 5
       	}
       	"--port" = {
    	   	value = "$port$"
    	   	order = 6
       	}
       	"--last-report" = {
    	   	set_if = "$last_report$"
    	   	order = 7
       	}
       	"--status" = {
    	   	set_if = "$status$"
    	   	order = 8
       	}
       	"--task" = {
    	   	value = "$task$"
    	   	order = 9
   	   	}
   	}
   }
   
   apply Service "gvm_gmp" {
   
   	import "generic-service"
   
   	check_interval = 8h
   	retry_interval = 5m
   
   	assign where host.name == "example.com"
   	check_command = "check_gmp"
   	vars.hostname = "example.com"
   	vars.connection_type = "tls"
   	vars.port = 9390
   	vars.last_report = 1
   	vars.status = 1
   	vars.gmp_username = "user"
   	vars.gmp_password = "password"
   	vars.task = "mytaskname"
   }
   

5. Again make sure that the file is owned by the nagios user (if you have missed step 1.)

   chown nagios:nagios /etc/icinga2/conf.d/services/gvm_gmp.conf
   

6. Configure gvm_gmp.conf to your needs (see README.md#check-gmpgmppy@gvm-tools for available options). The check_gmp command could be also extended if required for additional options which could be called by the gvm_gmp service.

   Also note that the path to the /usr/local/bin/gvm-script command might need to be adapted to your environment. Similar are the check_interval and retry_interval intervals, the example.com hostname, the connection_type and the gmp username and password which should be adapted to your needs.

7. Restart icinga2

   service icinga2 restart
   

With the next run of the service check you should get an result like e.g. the following in your Icinga2 Web GUI:

GMP OK: 0 vulnerabilities found - High: 0 Medium: 0 Low: 0
Report did not contain any vulnerabilities
Report did contain 2 errors