AWS ssm agent for pfsense
-
Since pfsense is a very handy AMI available on AWS, adding the AWS ssm agent so the node can be MANAGED using standard AWS ssm management conventions.
The ssm agent has been ported to BSD:
https://www.freshports.org/sysutils/amazon-ssm-agent
https://freebsd.pkgs.org/12/freebsd-i386/amazon-ssm-agent-2.3.612.0_1.txz.html
Perhaps it is a package that only appears in the AMI.
-
It's not in the AMI either, unfortunately. I'd really like to use it.
I managed to install it via
pkg add https://pkg.freebsd.org/FreeBSD:11:amd64/quarterly/All/amazon-ssm-agent-2.3.1205.0.txz
Last thing to figure out is how to enable the service to persist after a reboot. Any help would be appreciated! Command
sudo service amazon-ssm-agent enabled
didn't do anything, no output at all. I had to create the
ssm-user
and start the service manually with
sudo service amazon-ssm-agent onestart
I can connect through SSM Session Manager and forward the web interface port to my local machine without opening any SSH ports on the instance or through the NACL.
-
to automate starting the service, create a wrapper file and place it in /usr/local/etc/rc.d, and you MUST have an extension of .sh, and it'll run. My file is "amazon-ssm-agent-wrapper.sh" and the contents are:
#!/bin/sh
# Resolve the directory this wrapper lives in (/usr/local/etc/rc.d), so the
# agent's own rc script can be found next to it regardless of the cwd at boot.
DIR="$( cd "$( dirname "$0" )" && pwd )"
# The rc script is not named *.sh, so pfSense does not run it at boot by itself;
# start it once from here instead.
sh "$DIR/amazon-ssm-agent" onestart
For the LOGGING of ssm agent to cloudwatch (if you are interested) you have to take the wayback machine b/c the ssm agent 2.3.x is so ancient.
go to /usr/local/etc/amazon/ssm, create a new file (start fresh) called seelog.xml (you'll see templates there), sample below. I wanted to split into two separate logs files, but it doesn't look possible.
<!--amazon-ssm-agent uses seelog logging -->
<!--Seelog has github wiki pages, which contain detailed how-tos references: https://github.com/cihub/seelog/wiki -->
<!--Seelog examples can be found here: https://github.com/cihub/seelog-examples -->
<!--References to mods: -->
<!--How to add cloudwatch: https://docs.aws.amazon.com/systems-manager/latest/userguide/monitoring-ssm-agent.html -->
<!--For "deep" examples: https://github.com/cihub/seelog/wiki/Example-config -->
<seelog type="adaptive" mininterval="2000000" maxinterval="100000000" critmsgcount="500" minlevel="info">
<outputs formatid="fmtinfo">
<console/>
<!-- <file path="/var/log/amazon/ssm/amazon-ssm-agent.log"/> -->
<rollingfile type="size" filename="/var/log/amazon/ssm/amazon-ssm-agent.log" maxsize="10000000" maxrolls="5"/>
<filter levels="error,critical" formatid="fmterror">
<rollingfile type="size" filename="/var/log/amazon/ssm/errors.log" maxsize="10000000" maxrolls="5"/>
<!-- LINE BELOW DOESN'T WORK YET - it gets overwritten by next "cloudwatch_receiver stmt."-->
<!-- <custom name="cloudwatch_receiver" data-log-group="ssm-agent-errors"/> -->
</filter>
<!-- ENTER THE CLOUDWATCH LOG GROUP NAME AFTER 'data-log-group' -->
<custom name="cloudwatch_receiver" formatid="fmtinfo" data-log-group="ssm-agent-log"/>
</outputs>
<formats>
<format id="fmterror" format="%Date %Time %LEVEL [%FuncShort @ %File.%Line] %Msg%n"/>
<format id="fmtdebug" format="%Date %Time %LEVEL [%FuncShort @ %File.%Line] %Msg%n"/>
<format id="fmtinfo" format="%Date %Time %LEVEL %Msg%n"/>
</formats>
</seelog>
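The steps from the thread (pkg add, create ssm-user, drop a *.sh wrapper into /usr/local/etc/rc.d, start the agent once) collected into one POSIX sh script, as an added example that is not from the thread or from the amazon-ssm-agent port. The wrapper writer takes the rc.d directory as a parameter so it can be exercised in a scratch directory, and check_ssm_wrapper verifies the three things that make the wrapper actually run at boot: it exists, it is executable, and its name ends in .sh. The `pw useradd` line is my assumption about how ssm-user was created; the thread only says it had to be created.

```shell
#!/bin/sh
# Added example: install and verify a pfSense boot wrapper for amazon-ssm-agent.
# Paths and the package URL come from the forum thread; the user-creation
# command and the check functions are assumptions of this example.
set -eu

# Write the boot wrapper into rc.d (first argument, e.g. /usr/local/etc/rc.d).
# pfSense's /etc/rc runs every executable *.sh in that directory at boot, so
# the name must end in .sh and the mode must allow execution.
install_ssm_wrapper() {
    rcd_dir="$1"
    wrapper="$rcd_dir/amazon-ssm-agent-wrapper.sh"
    mkdir -p "$rcd_dir"
    cat > "$wrapper" <<'EOF'
#!/bin/sh
# Start the amazon-ssm-agent rc script that sits in the same directory.
DIR="$( cd "$( dirname "$0" )" && pwd )"
sh "$DIR/amazon-ssm-agent" onestart
EOF
    chmod 0755 "$wrapper"
    printf '%s\n' "$wrapper"
}

# Return 0 only if the wrapper would be picked up at boot and starts the agent.
check_ssm_wrapper() {
    wrapper="$1"
    [ -x "$wrapper" ] || return 1
    case "$wrapper" in *.sh) ;; *) return 1 ;; esac
    grep -q 'amazon-ssm-agent.* onestart' "$wrapper"
}

# Liveness check after boot: rc.subr accepts the one* prefix for status too.
ssm_agent_running() {
    service amazon-ssm-agent onestatus >/dev/null 2>&1
}

# The full procedure from the thread; run explicitly as root on the instance.
install_ssm_agent() {
    pkg add https://pkg.freebsd.org/FreeBSD:11:amd64/quarterly/All/amazon-ssm-agent-2.3.1205.0.txz
    # Assumption: a plain local account is enough for the agent (thread does not say how it was made).
    pw user show ssm-user >/dev/null 2>&1 || pw useradd ssm-user -m -s /bin/sh
    wrapper=$(install_ssm_wrapper /usr/local/etc/rc.d)
    check_ssm_wrapper "$wrapper"
    service amazon-ssm-agent onestart
    ssm_agent_running
}
```

Call `install_ssm_agent` once on the pfSense instance; on later boots the wrapper alone starts the agent, and `ssm_agent_running` is the quick check to run if Session Manager reports the instance as not connected.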