# MALP - Monitor A Linux Platform

A lightweight Ruby CGI status page for home server monitoring.

## Install

Copy this repository directory to `/var/www`, so `/var/www/malp/cgi-bin` exists.

As root:

```
mkdir /var/www/malp/data
chown apache:apache /var/www/malp/data
```

### Install Ruby

As root:

```
dnf install ruby
```

### If using SELinux (e.g. AlmaLinux)

As root:

```
chcon -R -t httpd_sys_script_exec_t /var/www/malp/cgi-bin
chcon -R -t httpd_sys_rw_content_t /var/www/malp/data
chcon -t bin_t /var/www/malp/bin/malpd
semodule -i /var/www/malp/selinux/malp_to_malpd.pp
```

### Example Apache HTTPD Setup

Here is my example setup. My server's name is `anubis`. Replace as desired.

#### Create self-signed TLS certificate

As root:

```
mkdir /etc/httpd/tls
cd /etc/httpd/tls
openssl ecparam -name secp384r1 -genkey -noout -out anubis.key
openssl req -new -x509 -key anubis.key -out anubis.crt -days 3650 -sha384
```

#### /etc/httpd/conf.d/anubis.conf

```
# Assumed: the <VirtualHost> ports (80 for the redirect, 443 for TLS) and the
# <Directory> container; its path is a placeholder for the directory these
# access rules should apply to.
<VirtualHost *:80>
    ServerName anubis
    ServerAlias anubis

    # Permanent redirect to the same URI on HTTPS
    Redirect permanent / https://anubis/
</VirtualHost>

<VirtualHost *:443>
    ServerName anubis
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/httpd/tls/anubis.crt
    SSLCertificateKeyFile /etc/httpd/tls/anubis.key

    # Modern TLS Security (Recommended for ECDSA)
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off
    SSLSessionTickets off

    ErrorLog /var/log/httpd/anubis-error.log
    CustomLog /var/log/httpd/anubis-access.log combined

    <Directory "/path/to/directory">
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ScriptAlias / /var/www/malp/cgi-bin/malp.rb
</VirtualHost>
```

### Set user name and password

As root:

```
/var/www/malp/bin/setpasswd
```

### Install systemd units

As root:

```
cp /var/www/malp/systemd/* /usr/lib/systemd/system
systemctl enable --now malpd.socket
systemctl enable --now malpd.service
```

### Virtual Machine Info

#### Generate SSH Key

On the server host OS, generate an SSH key that will be used to gather information from each running VM. Leave the passphrase empty so it can be used non-interactively.

```
ssh-keygen -f /root/.ssh/malp-vm-key
```

#### malp user

On each VM to gather status information, add a `malp` user with:

```
useradd -m malp
```

Add a `/home/malp/.ssh/authorized_keys` file with content such as the following (replacing the SSH key beginning with `ssh-ed25519`...):

```
command="/path/to/malp/bin/vm-info",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3Nza...user@example.com
```

#### vm-info script

Make the `bin/vm-info` script available on each VM (via scp/rsync, NFS, etc.).
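
Because the VM key has no passphrase, the options in front of it in `authorized_keys` are the only thing limiting what it can do on a VM. The check below is an added example, not part of MALP: it reports entries that lack the forced command or any of the four `no-*` options. The function names `key_option_names` and `audit_key_line` are made up here, the sample entries are constructed, and OpenSSH's `restrict` option is accepted in place of the four `no-*` options.

```sh
#!/bin/sh
# Audit authorized_keys entries for the passphrase-less MALP key.
# Assumption: option values contain no escaped quotes (\").
REQUIRED="no-port-forwarding no-x11-forwarding no-agent-forwarding no-pty"

# Print the lower-cased option names of one authorized_keys line, with quoted
# values removed, e.g. "command=,no-pty" (empty if the line has no options).
key_option_names() {
    printf '%s\n' "$1" | awk '{
        inq = 0; out = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\"") { inq = !inq; continue }
            if (inq) continue        # drop quoted values, commas and spaces included
            if (c == " ") break      # first unquoted space ends the options field
            out = out c
        }
        if (out ~ /^(ssh-|ecdsa-|sk-)/) out = ""   # line starts with the key type
        print tolower(out)
    }'
}

# Return 0 if the entry is locked down; otherwise 1, one finding per line on stdout.
audit_key_line() {
    names=",$(key_option_names "$1"),"
    rc=0
    case $names in
        *,command=,*) ;;
        *) echo "no forced command: the key can run anything"; rc=1 ;;
    esac
    # "restrict" (OpenSSH 7.2 and later) implies all four no-* options.
    case $names in *,restrict,*) return "$rc" ;; esac
    for opt in $REQUIRED; do
        case $names in
            *,"$opt",*) ;;
            *) echo "missing $opt"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample entries: fully restricted, partly restricted, unrestricted.
KEY='ssh-ed25519 AAAAC3Nza...user@example.com'
for entry in \
    "command=\"/path/to/malp/bin/vm-info\",no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty $KEY" \
    "command=\"/path/to/malp/bin/vm-info\",no-pty $KEY" \
    "$KEY"; do
    if findings=$(audit_key_line "$entry"); then echo "OK"; else echo "WEAK: $findings"; fi
done
```

To audit a real file, feed each non-comment line of `/home/malp/.ssh/authorized_keys` to `audit_key_line`.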