Cacti

Introduction
Cacti is a frontend for RRDtool, the evolution of MRTG, which facilitates the monitoring and capacity planning of various systems.

Cacti Server
First create a dedicated partition for the database and one for the Cacti files:

    lvcreate -L 4g -n mysql_lv /dev/system
    lvdisplay /dev/system/mysql_lv
    mkfs.xfs /dev/system/mysql_lv
    echo "/dev/system/mysql_lv /var/lib/mysql xfs defaults,nosuid,nodev 1 3" >> /etc/fstab

    lvcreate -L 8g -n htdocs_lv /dev/system
    lvdisplay /dev/system/htdocs_lv
    mkfs.xfs /dev/system/htdocs_lv
    echo "/dev/system/htdocs_lv /var/www/html xfs defaults,nosuid,nodev 1 3" >> /etc/fstab

    mkdir -p /var/lib/mysql
    mount /var/lib/mysql
    chown mysql:mysql /var/lib/mysql

    mkdir -p /var/www/html
    mount /var/www/html

Enable the following additional repositories:
 * EPEL
 * IUS

Install all prerequisites, such as RRDtool, Net-SNMP, Apache, MySQL/MariaDB and PHP:

    yum install -y httpd mod_ssl elinks php72u php72u-mysqlnd mariadb mariadb-server \
        net-snmp net-snmp-utils rrdtool php72u-gd php72u-ldap php72u-mbstring \
        php72u-process php72u-snmp php72u-xml patch

Set different parameters for PHP and for the OpenLDAP client library (TLS_REQCERT never disables verification of the LDAP server certificate):

    echo '
    TLS_REQCERT    never
    ' >> /etc/openldap/ldap.conf

    echo 'expose_php = Off
    date.timezone = Europe/Zurich
    memory_limit = 800M
    max_execution_time = 60' >> /etc/php.d/50-custom.ini
    restorecon -F /etc/php.d/50-custom.ini

Configure the web server:

    echo '
    <Location /server-status>
        SetHandler server-status
        Require host localhost
    </Location>
    ' > /etc/httpd/conf.d/server-status.conf

    echo '
    # When running a reverse proxy only,
    # do not allow forward proxy requests
    ProxyRequests Off

    # Disable TRACE method
    TraceEnable off

    # Restrict Server Banner
    ServerTokens Prod

    # Restrict HTTP methods (AllowMethods is only valid inside a directory-type section)
    <Location />
        AllowMethods GET POST
    </Location>

    # Limits
    #LimitRequestBody    102400
    LimitRequestFields     100
    LimitRequestFieldSize 8190
    LimitRequestLine      8190
    LimitXMLRequestBody  51200

    # SSL
    SSLStrictSNIVHostCheck on
    SSLProtocol             all -SSLv3
    SSLCipherSuite          HIGH:!MEDIUM:!LOW:!MD5:!RC4:!3DES:!DSS:!aNULL:!eNULL:!EXP
    SSLHonorCipherOrder     on
    SSLCompression          off
    #SSLSessionTickets     off
    SSLProxyEngine          off
    SSLOptions +StdEnvVars
    SSLOptions +StdEnvVars
    ' > /etc/httpd/conf.d/httpd-sec.conf

    cat > /etc/httpd/conf.d/cacti.example.com.conf <<'EOF'
    <VirtualHost *:80>
        ServerName cacti.example.com
        # Document Root
        DocumentRoot "/var/www/html/cacti"
        # Log
        ErrorLog logs/error_log
        CustomLog logs/access_log combined
        # Security Headers
        #Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests;"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-Xss-Protection "1; mode=block"
        Header always set X-Content-Type-Options "nosniff"
        # Add the HttpOnly flag to cookies set by the application
        Header edit Set-Cookie ^(.*)$ "$1; HttpOnly"
        #Force the use of HTTPS
        RewriteEngine on
        RewriteCond %{HTTPS} !=on
        RewriteRule ^(.*) https://%{SERVER_NAME}$1 [L,R]
    </VirtualHost>

    <VirtualHost *:443>
        ServerName cacti.example.com
        # Document Root
        DocumentRoot "/var/www/html/cacti"
        # Log
        ErrorLog logs/error_log
        CustomLog logs/access_log combined
        # SSL config
        SSLEngine on
        SSLCertificateFile      /etc/pki/tls/certs/cacti.example.com.crt
        SSLCertificateKeyFile   /etc/pki/tls/private/cacti.example.com.key
        SSLCertificateChainFile /etc/pki/tls/certs/cacti.example.com.chain.pem
        # Security Headers
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        #Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests;"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-Xss-Protection "1; mode=block"
        Header always set X-Content-Type-Options "nosniff"
        # Add the Secure and HttpOnly flags to cookies set by the application
        Header edit Set-Cookie ^(.*)$ "$1; Secure; HttpOnly"
    </VirtualHost>
    EOF

    systemctl enable httpd.service
    systemctl start httpd.service
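Once httpd is running, the response headers can be compared with the ones the HTTPS virtual host is meant to send. The following is an added example, not part of the original page: `check_headers` and `sample_response` are hypothetical names, and the sample response is constructed. It contains a flags-only `Set-Cookie` header, which is what a `Header set Set-Cookie` directive emits, next to an application cookie without flags.

```shell
# check_headers: read raw HTTP response headers on stdin, print one line per
# problem and return non-zero if any was found.
# Live use: curl -sI https://cacti.example.com/ | check_headers
check_headers() {
    awk '
    {
        sub(/\r$/, "")                       # HTTP header lines end in CRLF
        colon = index($0, ":")
        if (colon == 0) next                 # status line or blank line
        name  = tolower(substr($0, 1, colon - 1))
        value = substr($0, colon + 1)
        sub(/^[ \t]+/, "", value)
        if (name != "set-cookie") { seen[name] = 1; next }

        # A real cookie starts with name=value; attributes follow each ";".
        n = split(value, part, /;[ \t]*/)
        if (index(part[1], "=") == 0) {
            print "BOGUS   Set-Cookie without name=value: " value; bad++; next
        }
        secure = httponly = 0
        for (i = 2; i <= n; i++) {
            attr = tolower(part[i])
            if (attr == "secure")   secure = 1
            if (attr == "httponly") httponly = 1
        }
        cookie = part[1]; sub(/=.*/, "", cookie)
        if (!secure)   { print "WEAK    cookie " cookie " lacks Secure";   bad++ }
        if (!httponly) { print "WEAK    cookie " cookie " lacks HttpOnly"; bad++ }
    }
    END {
        list = "strict-transport-security x-frame-options"
        list = list " x-content-type-options x-xss-protection"
        m = split(list, want, " ")
        for (i = 1; i <= m; i++)
            if (!(want[i] in seen)) { print "MISSING " want[i]; bad++ }
        exit (bad > 0)
    }'
}

# Constructed sample response (not captured from a real server).
sample_response() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Strict-Transport-Security: max-age=31536000; includeSubDomains' \
        'X-Frame-Options: SAMEORIGIN' \
        'X-Content-Type-Options: nosniff' \
        'Set-Cookie: secure; HTTPOnly' \
        'Set-Cookie: session=constructed; path=/cacti/'
}
```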

Proceed with the MySQL/MariaDB configuration and database creation:

    sed -i '/^\[mysqld\]/a \
    character-set-server = utf8mb4 \
    collation-server = utf8mb4_unicode_ci \
    open_files_limit = 8192 \
    max_connections = 1000 \
    max_allowed_packet = 64M \
    max_heap_table_size = 185M \
    tmp_table_size = 64M \
    join_buffer_size = 128M \
    innodb_file_per_table = 1 \
    innodb_doublewrite = 0 \
    innodb_additional_mem_pool_size = 80M \
    innodb_flush_log_at_trx_commit = 2 \
    innodb_buffer_pool_size = 1024M \
    innodb_file_format = Barracuda \
    innodb_large_prefix = 1
    ' /etc/my.cnf.d/server.cnf

    systemctl enable mariadb.service
    systemctl start mariadb.service

    mysqladmin --user=root password somepassword
    mysqladmin --user=root --password reload
    mysqladmin --user=root --password create cacti

Decompress the package downloaded from the official website:

    tar xzf cacti-*.tar.gz
    rm cacti-*.tar.gz
    mv cacti-* /var/www/html/cacti

Create the required tables:

    mysql --user=root --password cacti < /var/www/html/cacti/cacti.sql

    mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql --user=root --password mysql

    mysql --user=root --password mysql
    mysql> GRANT ALL ON cacti.* TO cactiuser@localhost IDENTIFIED BY 'somepassword';
    mysql> GRANT SELECT ON mysql.time_zone_name TO cactiuser@localhost;
    mysql> FLUSH PRIVILEGES;
    mysql> quit

Set the credentials for access to the database:

    cp -p /var/www/html/cacti/include/config.php /var/www/html/cacti/include/config.php.dist
    vi /var/www/html/cacti/include/config.php
    cp -p /var/www/html/cacti/include/config.php /var/www/html/cacti/include/config.php.custom

Set the correct permissions:

    chown -R root:root /var/www/html/cacti
    chown -R apache:apache /var/www/html/cacti/rra /var/www/html/cacti/log /var/www/html/cacti/cache

Schedule the execution of the poller:

    echo '
    #
    # Cacti
    #
    */5 * * * *    apache php /var/www/html/cacti/poller.php > /tmp/poller.log 2>&1
    ' >> /etc/crontab

Spine
Spine is a poller written in C that performs better than cmd.php, which is necessary when you have to monitor a large number of systems.

Install the dependencies:

    yum install -y autoconf automake libtool gcc mariadb-libs mariadb-devel net-snmp-devel help2man

Decompress and compile the package downloaded from the official website:

    tar xzf cacti-spine-*.tar.gz
    rm cacti-spine-*.tar.gz
    cd cacti-spine-*

    ./configure
    make

Install the created executable and the configuration file:

    cp -pi ./spine /usr/bin/
    cp -pi spine.conf.dist /etc/spine.conf

Here too, change the password used to access the database (DB_Pass):

    vi /etc/spine.conf
    cp -p /etc/spine.conf /etc/spine.conf.custom

Set the correct permissions:

    usermod -s /bin/bash apache
    chown root:root /etc/spine.conf /usr/bin/spine
    chmod 4711 /usr/bin/spine

Uninstall the compiler:

    yum erase -y gcc

SELinux
Apply the following changes to SELinux:

    setsebool -P httpd_can_connect_ldap 1
    setsebool -P httpd_can_network_connect 1
    setsebool -P httpd_can_sendmail 1

    restorecon -RF /var/www

    semanage fcontext -a -t httpd_log_t "/var/www/html/cacti/log(/.*)?"
    restorecon -RF /var/www/html/cacti/log

    semanage fcontext -a -t httpd_log_t "/var/www/html/cacti_test/log(/.*)?"
    restorecon -RF /var/www/html/cacti_test/log

    #grep httpd /var/log/audit/audit.log | audit2allow -M cacti
    #grep ping /var/log/audit/audit.log | audit2allow -M ping

    #semodule -i /etc/semodules/cacti.pp
    #semodule -i /etc/semodules/ping.pp

    semanage permissive -a httpd_t

The final command makes the httpd_t domain permissive: SELinux still logs denials for the web server but no longer enforces them. The commented-out audit2allow and semodule commands generate and load local policy modules from the logged denials.

Cacti Server
Back up the Cacti files:

    rsync -a --delete --exclude='*.rrd' --exclude='*.log*' /var/www/html /var/backup

Back up the Cacti database:

    /opt/bin/mysql_backup.sh
    ls -lah /opt/backup/mysql-databases.sql

Update Cacti:

    tar xzf cacti-*.tar.gz -C /var/www/html/cacti --strip-components=1
    rm cacti-*.tar.gz
    chown -R root:root /var/www/html/cacti
    chown -R apache:apache /var/www/html/cacti/rra /var/www/html/cacti/log /var/www/html/cacti/cache

Restore the config file:

    cp -p /var/www/html/cacti/include/config.php /var/www/html/cacti/include/config.php.dist
    cp -p /var/www/html/cacti/include/config.php.custom /var/www/html/cacti/include/config.php

SELinux:

    restorecon -RF /var/www/html/cacti

Permissions needed during the web update:

    chown -R apache:apache /var/www/html/cacti/resource/snmp_queries/
    chown -R apache:apache /var/www/html/cacti/resource/script_server/
    chown -R apache:apache /var/www/html/cacti/resource/script_queries/
    chown -R apache:apache /var/www/html/cacti/scripts/

Spine
Install the compiler:

    yum install -y gcc

Update Spine:

    tar xzf cacti-spine-*.tar.gz
    rm cacti-spine-*.tar.gz
    cd cacti-spine-*

    ./bootstrap
    ./configure
    make

    cp -pf ./spine /usr/bin/

    chown root:root /etc/spine.conf /usr/bin/spine
    chmod 4711 /usr/bin/spine

Uninstall the compiler:

    yum erase -y gcc cpp

MySQL/MariaDB daily backup
    echo '#
    # MySQL/MariaDB daily backup
    #
    0 3 * * * /opt/bin/mysql_backup.sh' >> /var/spool/cron/root

    echo '
    [mysqldump]
    user=root
    password=********
    ' >> ~/.my.cnf

    chmod go= ~/.my.cnf
    mkdir -p /opt/backup

    echo '#!/bin/sh
    #
    # MySQL/MariaDB databases backup script
    #
    # Note: password is retrieved from ~/.my.cnf
    #
    DUMPDIR=/opt/backup
    DUMPOPT="--all-databases"
    DBUSER=root
    MAILTO=me@example.com
    mysqldump --user $DBUSER $DUMPOPT > $DUMPDIR/mysql-databases.sql
    if [ $? -ne 0 ]; then
        echo "MySQL/MariaDB databases backup failed." | mail -s "MySQL/MariaDB daily backup on $(hostname -f)" $MAILTO
    fi
    ' > /opt/bin/mysql_backup.sh

    chmod a+x /opt/bin/mysql_backup.sh
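The backup script redirects mysqldump straight to the final path, so a failed run leaves a partial file in place of the previous dump. As an added example (not part of the original page), one way to keep the last good dump and store a new one only when it is complete. `backup_to` and `dump_complete` are hypothetical names, and the check assumes mysqldump runs with comments enabled (its default), so the output ends with a `-- Dump completed` line.

```shell
# dump_complete FILE: true if FILE is non-empty and ends with the trailer
# that mysqldump writes as its last line.
dump_complete() {
    [ -s "$1" ] && tail -n 5 "$1" | grep -q '^-- Dump completed'
}

# backup_to DEST CMD [ARG...]: run CMD and store its output in DEST only if
# CMD succeeded and the output is a complete dump. Otherwise the previous
# DEST is left untouched. mktemp creates the file with mode 0600, so the
# dump (which includes the mysql.user table) is never group/world readable.
backup_to() {
    dest=$1; shift
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if "$@" > "$tmp" && dump_complete "$tmp"; then
        mv -f "$tmp" "$dest"      # rename within one directory is atomic
    else
        rm -f "$tmp"
        return 1
    fi
}

# Use in place of the redirect in mysql_backup.sh:
#   backup_to /opt/backup/mysql-databases.sql mysqldump --user root --all-databases
```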

cacti_new_device.sh
This script can be used to:
 * Add a new server in Cacti by assigning it a specific device template
 * Create charts for the new server
 * Add the new servers in a specific tree

Usage:

    /opt/bin/cacti_new_device.sh --name name.domain.tld --description 'NAME - device description' --template 'device template' [--tree 'existing tree/node] [--help]

    --name         Device name (FQDN)
    --description  Device description
    --template     Device template to use
    --tree         Existing tree/node where to insert the device
    --help         Show this help

Example:

    /opt/bin/cacti_new_device.sh --name "newserver.example.com" --description "NEWSERVER - Cacti Test Server" --tree "Linux/Test"

Source code:

Links

 * The Cacti Manual