Open Source Premium Checks (#16)

* Open Source Premium Checks This commit open-sources the previously semi private premium checks and makes them available for the community to use * Remove Premium Attribute This commit removes the premium attribute from the checks
trento-project · Sep 26, 2024 · 5ff03f6 · 5ff03f6
1 parent f10ae9b
commit 5ff03f6
Show file tree

Hide file tree

Showing 77 changed files with 4,356 additions and 0 deletions.
diff --git a/checks/0AA227.yaml b/checks/0AA227.yaml
@@ -0,0 +1,60 @@
+id: "0AA227"
+name: Cluster priority-fencing-delay
+group: Pacemaker
+description: |
+  Check if global cluster property `priority-fencing-delay` is set on 2-node ASCS/ERS cluster.
+remediation: |
+  ## Abstract
+  The value `priority-fencing-delay` must be set according to the best practices to enable priority fencing.
+
+  ## Remediation
+  Adjust the `priority-fencing-delay` cluster property as recommended in the best practices.
+
+  ```
+  crm configure property priority-fencing-delay=30
+  ```
+
+  ## References
+  Azure:
+    - https://documentation.suse.com/sle-ha/15-SP5/single-html/SLE-HA-administration/index.html#pro-ha-storage-protect-fencing
+    - https://learn.microsoft.com/en-us/azure/sap/workloads/high-availability-guide-suse-pacemaker?tabs=msi#create-a-fencing-device-on-the-pacemaker-cluster
+
+  AWS:
+    - https://documentation.suse.com/sle-ha/15-SP5/single-html/SLE-HA-administration/index.html#pro-ha-storage-protect-fencing
+    - https://docs.aws.amazon.com/sap/latest/sap-netweaver/sles-netweaver-ha-cluster-resources.html#cluster-bootstrap
+
+  GCP:
+    - https://documentation.suse.com/sle-ha/15-SP5/single-html/SLE-HA-administration/index.html#pro-ha-storage-protect-fencing
+    - https://cloud.google.com/solutions/sap/docs/netweaver-ha-config-sles#set_up_fencing
+
+  Nutanix:
+    - https://documentation.suse.com/sle-ha/15-SP5/single-html/SLE-HA-administration/index.html#pro-ha-storage-protect-fencing
+
+  SUSE / KVM:
+    - https://documentation.suse.com/sle-ha/15-SP5/single-html/SLE-HA-administration/index.html#pro-ha-storage-protect-fencing
+
+  VMware:
+    - https://documentation.suse.com/sle-ha/15-SP5/single-html/SLE-HA-administration/index.html#pro-ha-storage-protect-fencing
+severity: warning
+metadata:
+  target_type: cluster
+  cluster_type: ascs_ers
+facts:
+  - name: cluster_sids
+    gatherer: ascsers_cluster@v1
+  - name: cib_configuration
+    gatherer: cibadmin@v1
+    argument: cib.configuration
+values:
+  - name: priority_fencing_delay
+    default: 30
+expectations:  
+  - name: priority_fencing_delay
+    expect: |
+      if facts.cib_configuration.nodes.node.len != 2 { return true; } // only run on 2 node cluster
+      let props = facts.cib_configuration.crm_config.cluster_property_set
+        .find(|p| p.id == "cib-bootstrap-options" && p.contains("nvpair"));
+      if props == () { return false; }
+      props.nvpair
+        .find(|nv| nv.name == "priority-fencing-delay" && nv.value == values.priority_fencing_delay) != ();
+    failure_message: cluster property priority-fencing-delay is not set to ${values.priority_fencing_delay}
diff --git a/checks/0B0F87.yaml b/checks/0B0F87.yaml
@@ -0,0 +1,48 @@
+id: "0B0F87"
+name: SAPHanaSR version identical on all nodes
+group: OS and package versions
+description: |
+  Installed SAPHanaSR version is identical on all nodes
+remediation: |
+  ## Abstract
+  Installed SAPHanaSR version must be identical on all nodes of the cluster
+
+  ## Remediation
+  Install identical SAPHanaSR version on all nodes of the cluster
+
+  ## Reference
+  Azure:
+
+    - https://learn.microsoft.com/en-us/azure/sap/workloads/sap-hana-high-availability#implement-hana-hooks-saphanasr-and-suschksrv
+
+  AWS:
+
+  GCP:
+
+  Nutanix:
+
+    - https://documentation.suse.com/sbp/all/single-html/SLES4SAP-hana-sr-guide-PerfOpt-15/#cha.s4s.hana-hook
+
+  SUSE / KVM:
+
+    - https://documentation.suse.com/sbp/all/single-html/SLES4SAP-hana-sr-guide-PerfOpt-15/#cha.s4s.hana-hook
+
+  VMware:
+
+    - https://documentation.suse.com/sbp/all/single-html/SLES4SAP-hana-sr-guide-PerfOpt-15/#cha.s4s.hana-hook
+
+
+metadata:
+  target_type: cluster
+  cluster_type: hana_scale_up
+  architecture_type: classic
+
+facts:
+  - name: installed_saphanasr_version
+    gatherer: package_version@v1
+    argument: SAPHanaSR
+
+expectations:
+  - name: saphanasr_version_identical
+    expect_same: facts.installed_saphanasr_version[0].version
+    failure_message: Installed SAPHanaSR version is expected to be identical on all nodes, but differs
diff --git a/checks/0D636F.yaml b/checks/0D636F.yaml
@@ -0,0 +1,57 @@
+id: "0D636F"
+name: ASCS Enqueue server restart is disabled - ENSA2
+group: SAP profiles
+description: |
+  The enqueue server restart has to be disabled for the ASCS instance in an ENSA2 setup.
+remediation: |
+  ## Abstract
+  The ASCS Enqueue server restart must be disabled in the ENSA2 setup.
+  A restart would result in a loss of the enqueue locks.
+
+  ## Remediation
+  Make sure to change `Restart_Program_01 = local $(_ENQ) pf=$(_PF)` to `Start_Program_01 = local $(_ENQ) pf=$(_PF)` in the ASCS profile.
+
+  ## References
+  AZURE:
+    - https://documentation.suse.com/sbp/sap-15/single-html/SAP-S4HA10-setupguide-simplemount-sle15/index.html#id-adapting-sap-profiles-to-match-the-sap-s4-ha-clu-1-0-certification
+
+  AWS:
+    - https://documentation.suse.com/sbp/sap-15/single-html/SAP-S4HA10-setupguide-simplemount-sle15/index.html#id-adapting-sap-profiles-to-match-the-sap-s4-ha-clu-1-0-certification
+
+  GCP:
+    - https://documentation.suse.com/sbp/sap-15/single-html/SAP-S4HA10-setupguide-simplemount-sle15/index.html#id-adapting-sap-profiles-to-match-the-sap-s4-ha-clu-1-0-certification
+
+  SUSE / KVM:
+    - https://documentation.suse.com/sbp/sap-15/single-html/SAP-S4HA10-setupguide-simplemount-sle15/index.html#id-adapting-sap-profiles-to-match-the-sap-s4-ha-clu-1-0-certification
+
+  Nutanix:
+    - https://documentation.suse.com/sbp/sap-15/single-html/SAP-S4HA10-setupguide-simplemount-sle15/index.html#id-adapting-sap-profiles-to-match-the-sap-s4-ha-clu-1-0-certification
+
+  VMware:
+    - https://documentation.suse.com/sbp/sap-15/single-html/SAP-S4HA10-setupguide-simplemount-sle15/index.html#id-adapting-sap-profiles-to-match-the-sap-s4-ha-clu-1-0-certification
+metadata:
+  target_type: cluster
+  cluster_type: ascs_ers
+facts:
+  - name: cluster_sids
+    gatherer: ascsers_cluster@v1
+  - name: sap_profiles
+    gatherer: sap_profiles@v1
+expectations:
+  - name: enq_startmode_is_start
+    expect: |
+      let sids = facts.cluster_sids.keys();
+      for sid in sids {
+        if facts.cluster_sids[sid].ensa_version == "ensa1" { continue; } // skip sid
+        let inst = facts.cluster_sids[sid].instances.find(|inst| inst.name == `ASCS${inst.instance_number}`);
+        if inst == () { return false; }
+        let result = facts.sap_profiles[sid].profiles.find(|p| {
+          p.content.contains("INSTANCE_NAME") && 
+          p.content["INSTANCE_NAME"] == inst.name &&
+          !p.content.contains("Restart_Program_01") && // check restart is disabled
+          p.content.contains("Start_Program_01")       // check start is enabled
+        });
+        if result == () { return false; }
+      }
+      return true;      
+    failure_message: At least one enqueue server restart is enabled and has to be disabled.
diff --git a/checks/1E91FF.yaml b/checks/1E91FF.yaml
@@ -0,0 +1,71 @@
+id: "1E91FF"
+name: ASCS instance MINIMAL_PROBE - simple_mount
+group: ASCS / ERS Cluster - cluster resources
+description: |
+  The parameter `MINIMAL_PROBE` is set to `true` for ASCS instances in the simple mount setup.
+remediation: |
+  ## Abstract
+  The parameter `MINIMAL_PROBE` must be set to `true` for ASCS instances cluster resources in the simple mount setup.
+
+  ## Remediation
+  Set the parameter `MINIMAL_PROBE` to `true` for the ASCS instance cluster resource.
+
+  ```
+  primitive rsc_sap_EN2_ASCS00 SAPInstance \
+    [..] \
+    params [..] InstanceName=EN2_ASCS00_sapen2as \
+      MINIMAL_PROBE=true \
+    [..] \
+  ```
+
+  ## References
+  Azure:
+    - https://documentation.suse.com/sbp/sap-15/html/SAP-S4HA10-setupguide-simplemount-sle15/index.html#id-configuring-resources-for-the-ascs-instance
+    - https://learn.microsoft.com/en-us/azure/sap/workloads/high-availability-guide-suse-nfs-simple-mount?tabs=lb-portal%2Censa1#install-sap-netweaver-ascs-and-ers
+
+  AWS:
+    - https://documentation.suse.com/sbp/sap-15/html/SAP-S4HA10-setupguide-simplemount-sle15/index.html#id-configuring-resources-for-the-ascs-instance
+    - https://docs.aws.amazon.com/sap/latest/sap-netweaver/sles-netweaver-ha-cluster-resources.html#sap-resources-simple
+
+  GCP:
+    - https://documentation.suse.com/sbp/sap-15/html/SAP-S4HA10-setupguide-simplemount-sle15/index.html#id-configuring-resources-for-the-ascs-instance
+    - https://cloud.google.com/solutions/sap/docs/netweaver-ha-config-sles#configure_the_cluster_resources_for_ascs_and_ers
+
+  Nutanix:
+    - https://documentation.suse.com/sbp/sap-15/html/SAP-S4HA10-setupguide-simplemount-sle15/index.html#id-configuring-resources-for-the-ascs-instance
+
+  SUSE / KVM:
+    - https://documentation.suse.com/sbp/sap-15/html/SAP-S4HA10-setupguide-simplemount-sle15/index.html#id-configuring-resources-for-the-ascs-instance
+
+  VMware:
+    - https://documentation.suse.com/sbp/sap-15/html/SAP-S4HA10-setupguide-simplemount-sle15/index.html#id-configuring-resources-for-the-ascs-instance
+metadata:
+  target_type: cluster
+  cluster_type: ascs_ers
+facts:
+  - name: cluster_sids
+    gatherer: ascsers_cluster@v1
+  - name: cib_configuration
+    gatherer: cibadmin@v1
+    argument: cib.configuration
+values:
+  - name: resource_type
+    default: ASCS
+expectations:  
+  - name: resource_minimal_probe
+    expect: |
+      let sids = facts.cluster_sids.keys();
+      for sid in sids {
+        let inst = facts.cluster_sids[sid].instances.find(|i| i.name == `${values.resource_type}${i.instance_number}`);        
+        if inst == () { return false; }
+        if inst.filesystem_based { continue; } // skip instance if resource_managed
+        let group = facts.cib_configuration.resources.group.find(|g| g.id == inst.resource_group);
+        if group == () { return false; }
+        let prim = group.primitive.find(|p| p.type == "SAPInstance" && p.contains("instance_attributes"));
+        if prim == () { return false; }
+        let result = prim.instance_attributes.nvpair
+          .find(|nv| nv.name == "MINIMAL_PROBE" && nv.value == true);
+        if result == () { return false; }
+      }
+      return true;      
+    failure_message: At least one ${values.resource_type} resource does not have MINIMAL_PROBE set to true in simple mount setup
diff --git a/checks/1F877F.yaml b/checks/1F877F.yaml
@@ -0,0 +1,34 @@
+id: "1F877F"
+name: users sidadm and sapadm
+group: OS users/groups
+description: |
+  A user for each SID (sidadm) and a sapadm user should exist on every cluster node.
+remediation: |
+  ## Abstract
+  sidadm and a sapadm user must exist for every cluster managed SID on every cluster node.
+
+  ## Remediation
+  Create the missing sidadm and sapadm users for every cluster managed SID on every cluster node.
+metadata:
+  target_type: cluster
+  cluster_type: ascs_ers
+facts:
+  - name: cluster_sids
+    gatherer: ascsers_cluster@v1
+  - name: passwd
+    gatherer: passwd@v1
+expectations:
+  - name: sapadm_exist
+    expect: |
+      facts.passwd.find(|u| u.user == "sapadm") != ();
+    failure_message: The sapadm user does not exist on all cluster nodes
+  - name: sidadm_exist
+    expect: |
+      let sids = facts.cluster_sids.keys();
+      for sid in sids {
+        let sidadm = `${sid.to_lower()}adm`;
+        let result = facts.passwd.find(|u| u.user == sidadm);
+        if result == () { return false; }
+      }
+      return true;      
+    failure_message: The sidadm user does not exist for every managed SID on all cluster nodes
diff --git a/checks/2B37D1.yaml b/checks/2B37D1.yaml
@@ -0,0 +1,52 @@
+id: "2B37D1"
+name: Polkit rules for SAP instance systemd services
+group: Sapservices
+description: |
+  A polkit rule should exist for each SAP instance that is started with systemd.
+remediation: |
+  ## Abstract
+  A polkit rule like /etc/polkit-1/rules.d/10-SAP${SID}-${inst}.rules must exist for every SAP instance that is started with systemd.
+
+  ## Remediation
+  Create a rule file in /etc/polkit-1/rules.d/10-SAP${SID}-${inst}.rules with the following content:
+
+  ```
+  polkit.addRule(function(action, subject) {
+    if (action.id == "org.freedesktop.systemd1.manage-units") {
+        if (subject.user == "${sid}adm" && action.lookup("unit") == "SAP${SID}_${inst}.service"  &&
+            (action.lookup("verb") == "restart" || action.lookup("verb") == "stop" || action.lookup("verb") == "start")) {
+            return polkit.Result.YES;
+        }
+    }
+  });
+
+  ```
+
+  ## Reference
+  - https://me.sap.com/notes/3139184
+metadata:
+  target_type: cluster
+  cluster_type: ascs_ers
+facts:
+  - name: cluster_sids
+    gatherer: ascsers_cluster@v1
+  - name: sapservices
+    gatherer: sapservices@v1
+  - name: polkit_instance_rules
+    gatherer: dir_scan@v1
+    argument: "/etc/polkit-1/rules.d/[0-9][0-9]-SAP[A-Z][A-Z0-9][A-Z0-9]-[0-9][0-9].rules"
+expectations:
+  - name: polkit_instance_rules_exist
+    expect: |
+      for sid in facts.cluster_sids.keys() {
+        for instance in facts.cluster_sids[sid].instances {
+          let expected_rule_name = `/etc/polkit-1/rules.d/10-SAP${sid}-${instance.instance_number}.rules`;
+          if facts.sapservices.some(|service|
+            service.kind == "systemctl" && service.sid == sid && service.instance_nr == instance.instance_number
+          ) && !facts.polkit_instance_rules.some(|rule| rule.name == expected_rule_name) {
+            return false;
+          }
+        }
+      }
+      return true;
+    failure_message: At least one Polkit rule is missing for a clustered SAP instance that is started with systemd
diff --git a/checks/31BDCB.yaml b/checks/31BDCB.yaml
@@ -0,0 +1,30 @@
+id: "31BDCB"
+name: supported SAPHanaSR version
+group: OS and package versions
+description: |
+  SAPHanaSR version is supported
+remediation: |
+  ## Abstract
+  Installed SAPHanaSR version must be equal or higher than the recommended value
+  ## Remediation
+  Install or upgrade to a supported SAPHanaSR version
+  ## Reference
+  As it is highly recommended to use the HA/DR provider hook when running SAP workloads in HA environments and the HA/DR provider hook support started with SAPHanaSR version 0.153.2, delivered on installation media of 15SP1 and as update package for 15GA, the version of the SAPHanaSR package must be at least 0.153.2.
+  - https://documentation.suse.com/sbp/all/single-html/SLES4SAP-hana-sr-guide-PerfOpt-15/#id-installing-additional-software
+    (EXAMPLE 1:Installing additional software for the HA cluster)
+
+
+metadata:
+  target_type: cluster
+  cluster_type: hana_scale_up
+  architecture_type: classic
+
+facts:
+  - name: compare_SAPHanaSR_version
+    gatherer: package_version@v1
+    argument: SAPHanaSR,0.153.2
+
+expectations:
+  - name: expectations_SAPHanaSR_version
+    expect: facts.compare_SAPHanaSR_version < 1
+    failure_message: The installed SAPHanaSR version is older than the recommended version (0.153.2)
diff --git a/checks/33B87B.yaml b/checks/33B87B.yaml
@@ -0,0 +1,28 @@
+id: "33B87B"
+name: supported supportutils-plugin-ha-sap version
+group: OS and package versions
+description: |
+  supportutils-plugin-ha-sap version is supported
+remediation: |
+  ## Abstract
+  Installed supportutils-plugin-ha-sap version must be equal or higher than the recommended value
+
+  ## Remediation
+  Install or upgrade to a supported supportutils-plugin-ha-sap version
+
+  ## Reference
+  - https://documentation.suse.com/en-us/sbp/all/single-html/SLES4SAP-hana-sr-guide-PerfOpt-15/
+
+
+metadata:
+  target_type: cluster
+  cluster_type: ascs_ers
+
+facts:
+  - name: compare_supportutils_plugin_ha_sap
+    gatherer: package_version
+    argument: supportutils-plugin-ha-sap,0.0.1
+
+expectations:
+  - name: expectations_supportutils_plugin_ha_sap_version
+    expect: facts.compare_supportutils_plugin_ha_sap < 1