├── check_ossec_agent
│   ├── README.md
│   └── check_ossec_agent.sh
├── axfr-to-nagios
│   ├── README.md
│   └── axfr-to-nagios.sh
├── check_updates
│   ├── check_arch_updates.sh
│   ├── check_apt-updates.sh
│   └── check_yum_updates.sh
├── README.md
├── check_hsm_advanced
│   ├── README.md
│   └── hsm.sh
├── check_dns_zone_sync
│   └── check_dns_zone_sync.sh
├── check_crl
│   ├── README.md
│   └── check_crl.py
└── check_ocsp_hard
    ├── README.md
    └── check_ocsp_hard.sh

/check_ossec_agent/README.md:
--------------------------------------------------------------------------------
## check_ossec_agents

Simple nagios plugin to check an OSSEC server for disconnected agents.

--------------------------------------------------------------------------------
/axfr-to-nagios/README.md:
--------------------------------------------------------------------------------
# AXFR to nagios

Simple script which uses dig and a DNS zone transfer to create Nagios config.

## Usage

    ./axfr-to-nagios.sh DOMAIN NAMESERVER NAGIOS_MONITOR_HOST CONTACT_GROUPS

Example:

    ./axfr-to-nagios.sh example.org 10.23.0.6 localhost admins

The command definition used is:

    define command {
        command_name    check_http_with_url
        command_line    /usr/lib/nagios/plugins/check_http -N -t 30 -H $ARG1$ -u $ARG2$ -w $ARG3$ -c $ARG4$
    }

Remember to change your DNS server config to allow your nagios server to do a zone transfer. For bind this would be:

    options {
        // [...]
        allow-transfer { 10.10.20.30; };
    };

--------------------------------------------------------------------------------
/check_updates/check_arch_updates.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Very simple nagios check for pacman updates
# License: GPLv3
# Author: Remy van Elst - https://raymii.org
sudo -n "$(which pacman)" -Sy > /dev/null 2>&1
if [[ $? != 0 ]]; then
    echo "UNKNOWN: Could not update pacman db. Please add sudo rule for $(whoami) user."
    echo "# visudo -f /etc/sudoers.d/10_nagios_pacman"
    echo "$(whoami) ALL=(ALL) NOPASSWD: $(which pacman) -Sy"
    # Nagios UNKNOWN is exit code 3; 4 is not a valid plugin state
    exit 3
fi

PACMAN_UPDATE_TEXT="$($(which pacman) -Qu)"
# Count non-empty lines. "echo -n ... | wc -l" does not count the last line
# (no trailing newline), so a single pending update was reported as zero.
PACMAN_UPDATE_NO=$(printf '%s\n' "${PACMAN_UPDATE_TEXT}" | grep -c .)
if [[ "${PACMAN_UPDATE_NO}" -ge 1 ]]; then
    echo "WARNING: ${PACMAN_UPDATE_NO} updates available."
    echo "${PACMAN_UPDATE_TEXT}"
    exit 1
else
    echo "OK: ${PACMAN_UPDATE_NO} updates available."
    exit 0
fi

--------------------------------------------------------------------------------
/check_updates/check_apt-updates.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Very simple nagios check for apt updates
# License: GPLv3
# Author: Remy van Elst - https://raymii.org
sudo -n "$(which apt-get)" -qq update > /dev/null 2>&1
if [[ $? != 0 ]]; then
    echo "UNKNOWN: Could not apt-get update. Please add sudo rule for $(whoami) user:"
    echo "# visudo -f /etc/sudoers.d/10_nagios_apt"
    echo "$(whoami) ALL=(ALL) NOPASSWD: $(which apt-get) -qq update"
    # Nagios UNKNOWN is exit code 3; 4 is not a valid plugin state
    exit 3
fi

APT_UPDATE_TEXT="$($(which apt-get) -qq --just-print upgrade | awk '/Inst/ {print $2"\t"$3"\t -> "$4}' | sort -u | sed -e 's/\[//g' -e 's/\]//g' -e 's/(//g' -e 's/)//g' | column -t)"
# Count non-empty lines. "echo -n ... | wc -l" does not count the last line
# (no trailing newline), so a single pending update was reported as zero.
APT_UPDATE_NO=$(printf '%s\n' "${APT_UPDATE_TEXT}" | grep -c .)
if [[ "${APT_UPDATE_NO}" -ge 1 ]]; then
    echo "WARNING: ${APT_UPDATE_NO} updates available."
    echo "${APT_UPDATE_TEXT}"
    exit 1
else
    echo "OK: ${APT_UPDATE_NO} updates available."
    exit 0
fi

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# My Nagios Plugins

This is a repo with my nagios plugins.

## Plugins:

- [check_crl - check when a CRL needs to be updated and alert if it is lower than the set threshold in minutes.](https://raymii.org/cms/p_Nagios_plugin_to_check_crl_expiry_in_hours)
- [check_ocsp_hard - check if an OCSP is working, with the certificate PEM and issuer PEM in the check.](https://raymii.org/cms/p_Nagios_plugin_to_check_OCSP)
- [check_hsm_advanced is used to monitor Safenet HSMs (ProtectServer).](https://raymii.org/s/software/Nagios_Plugin_to_check_a_Safenet_HSM.html)
- check_dns_zone_sync - simple DNS zone sync check, compares a domain's SOA serial on the master DNS server with the serial on the slave DNS servers
- check_ossec_agents - checks an OSSEC server for disconnected agents and lists them.
- AXFR-to-nagios - simple script which converts a dig zone transfer into a nagios HTTP check config file
- check_updates - simple checks for apt, yum and pacman updates.

--------------------------------------------------------------------------------
/check_updates/check_yum_updates.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Very simple nagios check for yum updates
# License: GPLv3
# Author: Remy van Elst - https://raymii.org
sudo -n "$(which yum)" -q --exclude="kernel*" check-update > /dev/null 2>&1
RC=$?
# yum check-update exits 100 when updates are available, 0 when there are none
# and 1 on error, so only a status other than 0 or 100 means sudo or yum failed.
if [[ ${RC} -ne 0 && ${RC} -ne 100 ]]; then
    echo "UNKNOWN: Could not yum update. Please add sudo rule for $(whoami) user."
    echo "# visudo -f /etc/sudoers.d/10_nagios_yum"
    # Quotes are escaped so bash does not glob kernel* while printing the rule
    echo "$(whoami) ALL=(ALL) NOPASSWD: $(which yum) -q --exclude=\"kernel*\" check-update"
    # Nagios UNKNOWN is exit code 3; 4 is not a valid plugin state
    exit 3
fi

YUM_UPDATE_TEXT="$($(which yum) check-update 2>&1 | grep -v -e "^$" -e "kernel" -e "Obsoleting" -e "Excluding" -e "Finished" -e "plugins:" -e "mirror" -e "epel-source" -e "epel-debuginfo" -e "no version information" -e "base:" -e "epel:" -e "rpmforge" -e "remi" -e "extra:" -e "updates:" -e "extras" | awk '{print $1"\t -> "$2}' | column -t)"
# Count non-empty lines. "echo -n ... | wc -l" does not count the last line
# (no trailing newline), so a single pending update was reported as zero.
YUM_UPDATE_NO=$(printf '%s\n' "${YUM_UPDATE_TEXT}" | grep -c .)
if [[ "${YUM_UPDATE_NO}" -ge 1 ]]; then
    echo "WARNING: ${YUM_UPDATE_NO} updates available."
    echo "${YUM_UPDATE_TEXT}"
    exit 1
else
    echo "OK: ${YUM_UPDATE_NO} updates available."
    exit 0
fi

--------------------------------------------------------------------------------
/check_ossec_agent/check_ossec_agent.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Copyright (C) 2014 Remy van Elst

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.


if [[ -r "/etc/ossec-init.conf" ]]; then
    source /etc/ossec-init.conf
fi

if [[ -z "${DIRECTORY}" ]]; then
    echo "UNKNOWN: Cannot determine OSSEC directory. OSSEC may not be installed"
    exit 3
elif [[ "${TYPE}" = "agent" ]]; then
    echo "UNKNOWN: Target is not an OSSEC server"
    exit 3
fi

AGENTS="$(sudo -n "${DIRECTORY}/bin/list_agents" -n)"
if [[ ${?} != "0" ]]; then
    echo "UNKNOWN: Unable to execute list_agents. Is sudo configured?"
    echo "Add the following to /etc/sudoers USING VISUDO!:"
    echo -e "$(whoami)\tALL=NOPASSWD:\t${DIRECTORY}/bin/list_agents -n"
    exit 3
fi

# Count the inactive agents from the output we already have instead of
# running list_agents through sudo a second time.
INACTIVE_AGENTS="$(echo "${AGENTS}" | grep -c -- "is not active")"
if [[ "${INACTIVE_AGENTS}" != "0" ]]; then
    echo "CRITICAL: ${INACTIVE_AGENTS} OSSEC Agents not connected"
    # List only the agents that are not active, not every agent
    echo "${AGENTS}" | grep -- "is not active" | awk '{ printf $1", " }'
    exit 2
else
    echo "OK: All OSSEC Agents are connected"
    exit 0
fi

--------------------------------------------------------------------------------
/axfr-to-nagios/axfr-to-nagios.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Copyright (C) 2014 Remy van Elst; https://raymii.org
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

DOMAIN="$1"
NAMESERVER="$2"
MONITOR_HOST="$3"
CONTACT_GROUPS="$4"

usage() {
    echo "Usage: ./${0} DOMAIN NAMESERVER NAGIOS_MONITOR_HOST CONTACT_GROUPS"
    echo "This script converts a dig based zone transfer to a nagios check http config"
    echo "Example: ./${0} example.org 10.23.0.6 localhost admins"
    echo "The command definition used is:"
    echo "define command {"
    echo "    command_name    check_http_with_url"
    # Single quotes: inside double quotes bash expands $ARG1$ to an empty
    # variable followed by a literal $, printing "-H $ -u $" instead
    echo '    command_line    /usr/lib/nagios/plugins/check_http -N -t 30 -H $ARG1$ -u $ARG2$ -w $ARG3$ -c $ARG4$'
    echo "}"
    exit 1
}

[[ -z "${1}" || -z "${2}" || -z "${3}" || -z "${4}" ]] && usage

# Owner names of the A and CNAME records (field 4 of dig's output is the
# record type), with the trailing dot removed. Matching on the type field
# instead of grep 'A\|CNAME' avoids picking up every line that contains an A.
DOMAINS="$(dig AXFR @"${NAMESERVER}" "${DOMAIN}" | awk '$4 == "A" || $4 == "CNAME" { print substr($1, 1, length($1) - 1) }' | sort -u | grep '[[:alpha:]]')"

while read DOMAIN; do
    echo "define service {"
    echo "    use                  generic-service"
    echo "    host_name            ${MONITOR_HOST}"
    echo "    service_description  http://${DOMAIN}"
    echo "    contact_groups       ${CONTACT_GROUPS}"
    echo "    check_command        check_http_with_url!${DOMAIN}!/!3!5"
    echo "}"
    echo ""
done <<< "${DOMAINS}"

--------------------------------------------------------------------------------
/check_hsm_advanced/README.md:
--------------------------------------------------------------------------------
# check_hsm
Monitor a Safenet ProtectServer HSM
Author: R. van Elst (https://raymii.org)

## Usage

    usage: ./hsm.sh options

    This script checks various safenet HSM things and outputs nagios style results.

    OPTIONS:
       -h      Show this message
       -t      Check type: "battery", "RAM", "datetime", "eventlog", "initialized", "hsminfo", "fminfo"
       -n      HSM name for $ET_HSM_NETCLIENT_SERVERLIST.
       -b      ctcheck binary (default: /opt/PTK/bin/ctcheck)

    CHECKS:
       battery      Show HSM Battery status, GOOD (ok) or LOW (crit)
       ram          HSM RAM, (ok) if <75% used, (warn) >75% <85% used, (crit) if >85% used.
       datetime     Local HSM date/time, (crit) if different from host time, host should use ntp in same timezone.
       eventlog     (ok) if eventlog not full, (crit) if eventlog full.
       initialized  (ok) if initialized, (crit) if not. Documentation states that a FALSE could mean a tampered device.
       hsminfo      always (ok), returns general HSM info, model, version, firmware and such.
       fminfo       always (ok), returns Functional Module information.

## Examples

    user@host ~$ ./hsm.sh -n hsm-038 -t ram
    OK: RAM Usage OK: 41% used, ( 10192256 total). HSM: hsm-038.
    user@host ~$ ./hsm.sh -n hsm-038 -t datetime
    OK: HSM: hsm-038 time is the same as local time: 15/04/2013 12:48.
    user@host ~$ ./hsm.sh -n hsm-038 -t eventlog
    OK: HSM: hsm-038 Event Log Count: 11
    user@host ~$ ./hsm.sh -n hsm-038 -t initialized
    OK: HSM: hsm-038 is initialized. All is well.
    user@host ~$ ./hsm.sh -n hsm-038 -t hsminfo
    OK: HSM: hsm-038; Serial Number:[...]; Model: [...]; Device Revision: F; Firmware Revision: [...]; Manufacturing Date: [...]; Device Batch: [...]; PTKC Revision: [...]; Slot Count: [...] Security Mode: [...]; Transport Mode:[...]; Event Log Count: 88.
    user@host ~$ ./hsm.sh -n hsm-038 -t battery
    OK: Battery status is good for HSM: hsm-038

--------------------------------------------------------------------------------
/check_dns_zone_sync/check_dns_zone_sync.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Copyright (C) 2013 - Remy van Elst

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# "-lt 4" rather than "-ne 4": bash 5 is fine too, only 3 and older lack
# the associative array support used below.
if [[ "${BASH_VERSION:0:1}" -lt 4 ]]; then
    echo "CRITICAL: Bash version 4 or higher is required."
    exit 2
fi

declare -A MASTERSOA

MASTERSERVER="10.0.2.99"
SLAVESERVERS=("10.56.2.99" "10.22.6.99")
DOMAINS=("your-int-domain.ext" "example.org" "your-other-domain.ext")

# The serial is the third field of "dig +short SOA" output
domaincount=0
for domain in "${DOMAINS[@]}"; do
    MASTERSOA[$domaincount]=$(dig @"${MASTERSERVER}" +short SOA "${domain}" | awk '{ print $3 }')
    let domaincount++
done

errors=0
domaincount=0
for domain in "${DOMAINS[@]}"; do
    for slave in "${SLAVESERVERS[@]}"; do
        slavesoa=$(dig @"${slave}" +short SOA "${domain}" | awk '{ print $3 }')
        # String comparison: an empty answer (server down, no such zone) would
        # make the arithmetic -ne test evaluate the empty string as 0
        if [[ "${slavesoa}" != "${MASTERSOA[$domaincount]}" ]]; then
            echo -n "CRITICAL: DNS zone for $domain on minion $slave out of sync with master $MASTERSERVER. "
            echo -n "It is $slavesoa but it should be ${MASTERSOA[$domaincount]}.; "
            let errors++
        fi
    done
    let domaincount++
done

if [[ $errors -ne 0 ]]; then
    echo " Errors in DNS zone sync."
    exit 2
else
    echo "OK: All DNS zones in sync. Domains checked: ${DOMAINS[@]}. Nameservers checked: ${SLAVESERVERS[@]} against master $MASTERSERVER"
    exit 0
fi

--------------------------------------------------------------------------------
/check_crl/README.md:
--------------------------------------------------------------------------------
### Nagios plugin to check CRL expiry in hours


This is a nagios plugin which you can use to check if a CRL (Certificate Revocation List, a public list of revoked certificates) is still valid. It is based on the check_crl.py plugin from [Michele Baldessari](http://acksyn.org/?p=690). I modified it so that it checks the time in minutes (for more precision) instead of days, fixed a GMT time comparison bug and added error handling so that if the plugin cannot get a CRL file (because the webserver is down) it gives a Critical error in nagios.

#### Download

[Download the plugin from my github](https://github.com/RaymiiOrg/nagios)
[Download the plugin from raymii.org](https://raymii.org/s/inc/downloads/check_crl.py)

#### Install and Usage

This guide covers the steps needed for Ubuntu 10.04/12.04 and Debian 6. It should also work on other distros, but make sure to modify the commands where needed.

Make sure you have openssl, python3 and a module needed by the script installed on the nagios host:

    apt-get install python3 openssl python-m2crypto

Now place the script on the host. I've placed it in */etc/nagios/plugins/check_crl.py*.

    wget -O /etc/nagios/plugins/check_crl.py http://raymii.org/s/inc/downloads/check_crl.py

Make sure the script is executable:

    chmod +x /etc/nagios/plugins/check_crl.py

Now test the script. I'm using the URL of the Comodo CA CRL file, which is the CA that signed my certificate for raymii.org. The URL is passed with -u (the -h option prints the help):

    /etc/nagios/plugins/check_crl.py -u http://crl.comodoca.com/PositiveSSLCA2.crl -w 480 -c 360
    OK CRL Expires in 5109 minutes (on Thu May 9 07:30:32 2013 GMT)

    /etc/nagios/plugins/check_crl.py -u http://crl.comodoca.com/PositiveSSLCA2.crl -w 5200 -c 360
    WARNING CRL Expires in 5108 minutes (on Thu May 9 07:30:32 2013 GMT)

    /etc/nagios/plugins/check_crl.py -u http://crl.comodoca.com/PositiveSSLCA2.crl -w 5000 -c 5300
    CRITICAL CRL Expires in 5108 minutes (on Thu May 9 07:30:32 2013 GMT)

Let's add the nagios command:

    define command{
        command_name    crl_check
        command_line    /etc/nagios-plugins/check_crl.py -u $ARG1$ -w $ARG2$ -c $ARG3$
    }

And let's add the command to a service check:

    define service {
        use                  generic-service
        host_name            localhost
        service_description  Comodo PositiveSSL CA2 CRL
        contact              nagiosadmin
        check_command        crl_check!http://crl.comodoca.com/PositiveSSLCA2.crl!24!12
    }

The above service check runs on the nagios defined host "localhost", uses the (default) service template "generic-service" and has the contact "nagiosadmin". As you can see, the URL maps to $ARG1$, the warning threshold (in minutes) to $ARG2$ and the critical threshold (in minutes) to $ARG3$. This means that if the field *"Next Update:"* is less than 8 hours in the future you get a warning and if it is less than 6 hours you get a critical.
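The threshold logic described above (warning and critical in minutes, critical tested first, an already expired CRL always critical) as an added example in Python; it is not part of the repository's check_crl.py. The `nextUpdate=` line is a constructed sample of what `openssl crl -noout -nextupdate` prints, and the comparison is done between two timezone-aware UTC values, which is the GMT-versus-GMT fix the changelog mentions.

```python
"""Threshold logic of a CRL expiry check as pure, testable functions."""
from datetime import datetime, timezone

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Constructed sample: what "openssl crl -noout -nextupdate" prints for the
# CRL in the README above (openssl pads a single-digit day with a space).
SAMPLE_NEXTUPDATE = "nextUpdate=May  9 07:30:32 2013 GMT\n"


def crl_inform(data):
    """Return 'PEM' or 'DER' for raw CRL bytes.

    The check is done on bytes: a DER CRL is not valid UTF-8, so opening it as
    text and searching for the PEM header raises instead of answering.
    """
    return "PEM" if b"-----BEGIN X509 CRL-----" in data else "DER"


def parse_nextupdate(openssl_output):
    """Turn openssl's 'nextUpdate=...' line into a timezone-aware UTC datetime."""
    key, _, value = openssl_output.strip().partition("=")
    if key != "nextUpdate" or not value.endswith(" GMT"):
        raise ValueError("unexpected openssl output: %r" % openssl_output)
    naive = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return naive.replace(tzinfo=timezone.utc)


def crl_state(next_update, warn, crit, now):
    """Classify a CRL from its nextUpdate time and warn/crit thresholds in minutes.

    Both timestamps must be timezone-aware; mixing a GMT value with a naive
    local time is the bug the README's changelog fixed.
    Returns (exit_code, minutes_left, message).
    """
    if now.tzinfo is None or next_update.tzinfo is None:
        raise ValueError("compare GMT with GMT: pass timezone-aware datetimes")
    minutes = int((next_update - now).total_seconds() // 60)
    when = next_update.strftime("%a %b %d %H:%M:%S %Y GMT")
    if minutes < 0:
        return CRITICAL, minutes, "CRITICAL CRL expired %d minutes ago (on %s)" % (-minutes, when)
    if minutes <= crit:  # critical is tested before warning, like the plugin does
        return CRITICAL, minutes, "CRITICAL CRL expires in %d minutes (on %s)" % (minutes, when)
    if minutes <= warn:
        return WARNING, minutes, "WARNING CRL expires in %d minutes (on %s)" % (minutes, when)
    return OK, minutes, "OK CRL expires in %d minutes (on %s)" % (minutes, when)


def check_crl_output(openssl_output, warn, crit, now=None):
    """Parse the openssl line and classify it; 'now' defaults to the current UTC time."""
    if now is None:
        now = datetime.now(timezone.utc)
    return crl_state(parse_nextupdate(openssl_output), warn, crit, now)


if __name__ == "__main__":
    # 5109 minutes before the sample nextUpdate, as in the README's first example
    sample_now = parse_nextupdate("nextUpdate=May  5 18:21:32 2013 GMT")
    for warn, crit in ((480, 360), (5200, 360), (5000, 5300)):
        code, _, msg = check_crl_output(SAMPLE_NEXTUPDATE, warn, crit, sample_now)
        print(code, msg)
```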

#### Changelog

03-04-2013:
- Changed time to minutes for more precision
- Fixed timezone bug by comparing GMT with GMT

06-11-2012:
- Changed checking interval from dates to hours
- Added error catching if a CRL file cannot be retrieved

--------------------------------------------------------------------------------
/check_ocsp_hard/README.md:
--------------------------------------------------------------------------------
### Nagios plugin to check an OCSP server with hardcoded certificate


This is a nagios plugin to check an OCSP server. It does so by having either a PEM encoded certificate and the PEM encoded certificate of its issuer in the code, or by using two given PEM files. An OCSP request for that certificate is sent to the OCSP server and the response is then parsed to give the correct nagios result. It is targeted at administrators who run their own OCSP responder and need to know when it is not working.

This version has contributions from [Pali Sigurdsson](https://github.com/palli/).

[Do you need a VPS for hosting nagios? InceptionHosting has very good VPS servers!](http://clients.inceptionhosting.com/aff.php?aff=083)

#### Download

[Download the plugin from my github](https://github.com/RaymiiOrg/nagios)
[Download the plugin from raymii.org](https://raymii.org/s/inc/downloads/check_ocsp.sh)

#### Usage

`./check_ocsp.sh`:

- `-H host_name` - remote host to check
- `-P port` - port to use
- `--noverify` - don't verify if the certificate is valid
- `--max-age 4800` - alert if the certificate is about to expire
- `--cert filename` - use this cert file instead of the hardcoded one
- `--issuer filename.pem` - use this issuer certificate instead of the hardcoded one
- `--verbose` - handy for troubleshooting, echoes the exact openssl command used


#### Installation

This guide covers the steps needed for Ubuntu 10.04/12.04 and Debian 6. It should also work on other distros, but make sure to modify the commands where needed (package installation for example).

First make sure you have the required tools:

    apt-get install gawk grep bash sed wget curl openssl

Place the script on the nagios host (I've placed it in */etc/nagios/plugins/*):

    wget -O /etc/nagios/plugins/check_ocsp_hard.sh http://raymii.org/s/inc/downloads/check_ocsp_hard.sh

Make sure that the script is executable:

    chmod +x /etc/nagios/plugins/check_ocsp_hard.sh

Now test it:

    /etc/nagios/plugins/check_ocsp_hard.sh
    OK: OCSP up and running - status of certificate for raymii.org GOOD by OCSP: http://ocsp.comodoca.com/

#### Nagios config

Here's some example nagios config.

Let's create a command definition. The values passed after the `!` separators in the service check arrive as `$ARG1$` to `$ARG4$` (the `$USERn$` macros are resource-file macros, not command arguments):

    define command{
        command_name    check_ocsp
        command_line    /etc/nagios-plugins/check_ocsp.sh -H $ARG1$ -p $ARG2$ --cert $ARG3$ --issuer $ARG4$
    }

And a service check:

    define service {
        use                  generic-service
        host_name            localhost
        service_description  OCSP check of $OCSP for $DOMAIN
        contact              nagiosadmin
        check_command        check_ocsp!raymii.org!443!/etc/ssl/certs/raymiiorg.pem!/etc/ssl/certs/comodo.pem
    }


Or if you use a hardcoded certificate:

    define command{
        command_name    check_ocsp_hard
        command_line    /etc/nagios-plugins/check_ocsp.sh
    }

    define service {
        use                  generic-service
        host_name            localhost
        service_description  OCSP check of $OCSP for $DOMAIN with hardcoded certificate
        contact              nagiosadmin
        check_command        check_ocsp_hard
    }



--------------------------------------------------------------------------------
/check_crl/check_crl.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3
# Copyright (C) 2013 - Remy van Elst

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# Mark Ruys - 2015-8-27
# Changelog: - catch openssl parsing errors
#            - clean up temporary file on error
#            - add support for PEM CRL's
#            - fix message when CRL has been expired
#            - pretty print duration

# Jeroen Nijhof
# Changelog: - fixed timezone bug by comparing GMT with GMT
#            - changed hours to minutes for even more precision

# Remy van Elst - raymii.org - 2012
# 05.11.2012
# Changelog: - check with hours instead of dates for more precision,
#            - URL errors are now also catched as nagios exit code.

# Michele Baldessari - Leitner Technologies - 2011
# 23.08.2011

import time
import datetime
import getopt
import os
import subprocess
import sys
import tempfile
import urllib.request

def check_crl(url, warn, crit):
    # mkstemp creates the file itself; mktemp only returned a name that
    # another process could create first
    fd, tmpcrl = tempfile.mkstemp(".crl")
    os.close(fd)
    try:
        urllib.request.urlretrieve(url, tmpcrl)
    except Exception:
        print("CRITICAL: CRL could not be retrieved: %s" % url)
        os.remove(tmpcrl)
        sys.exit(2)

    try:
        # Look for the PEM header in binary mode: a DER CRL is not valid
        # UTF-8 and would raise a decode error when read as text
        inform = 'DER'
        with open(tmpcrl, "rb") as crlfile:
            for line in crlfile:
                if b"BEGIN X509 CRL" in line:
                    inform = 'PEM'
                    break

        ret = subprocess.check_output(["/usr/bin/openssl", "crl", "-inform", inform, "-noout", "-nextupdate", "-in", tmpcrl], stderr=subprocess.STDOUT)
    except Exception:
        # One %s for one argument; two placeholders raised a TypeError here
        print("UNKNOWN: CRL could not be parsed: %s" % url)
        os.remove(tmpcrl)
        sys.exit(3)

    # openssl prints "nextUpdate=May  9 07:30:32 2013 GMT"
    nextupdate = ret.strip().decode('utf-8').split("=")
    os.remove(tmpcrl)
    eol = time.mktime(time.strptime(nextupdate[1], "%b %d %H:%M:%S %Y GMT"))
    # Both values go through mktime on a GMT tuple, so they compare GMT with GMT
    today = time.mktime(datetime.datetime.utcnow().timetuple())
    minutes = (eol - today) / 60
    if abs(minutes) < 4 * 60:
        expires = minutes
        unit = "minutes"
    elif abs(minutes) < 2 * 24 * 60:
        expires = minutes / 60
        unit = "hours"
    else:
        expires = minutes / (24 * 60)
        unit = "days"
    gmtstr = time.asctime(time.localtime(eol))
    if minutes < 0:
        msg = "CRITICAL CRL expired %d %s ago (on %s GMT)" % (-expires, unit, gmtstr)
        exitcode = 2
    elif minutes <= crit:
        msg = "CRITICAL CRL expires in %d %s (on %s GMT)" % (expires, unit, gmtstr)
        exitcode = 2
    elif minutes <= warn:
        msg = "WARNING CRL expires in %d %s (on %s GMT)" % (expires, unit, gmtstr)
        exitcode = 1
    else:
        msg = "OK CRL expires in %d %s (on %s GMT)" % (expires, unit, gmtstr)
        exitcode = 0

    print(msg)
    sys.exit(exitcode)

def usage():
    print("check_crl.py -h|--help -v|--verbose -u|--url= -w|--warning= -c|--critical=")
    print("")
    print("Example, if you want to get a warning if a CRL expires in 8 hours and a critical if it expires in 6 hours:")
    print("./check_crl.py -u \"http://domain.tld/url/crl.crl\" -w 480 -c 360")

def main():
    try:
        opts, args = getopt.getopt(sys.argv[1:], "hu:w:c:", ["help", "url=", "warning=", "critical="])
    except getopt.GetoptError as err:
        usage()
        sys.exit(2)
    url = None
    warning = None
    critical = None
    for o, a in opts:
        if o in ("-h", "--help"):
            usage()
            sys.exit()
        elif o in ("-u", "--url"):
            url = a
        elif o in ("-w", "--warning"):
            warning = a
        elif o in ("-c", "--critical"):
            critical = a
        else:
            assert False, "unhandled option"

    if url is not None and warning is not None and critical is not None:
        check_crl(url, int(warning), int(critical))
    else:
        usage()
        sys.exit(2)


if __name__ == "__main__":
    main()

--------------------------------------------------------------------------------
/check_hsm_advanced/hsm.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Copyright (C) 2013 - Remy van Elst

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# First some variables
CTC="/opt/safenet/protecttoolkit5/ptk/bin/ctcheck"
CTCOPTS="-N" # no globals
HSM_NAME=""
CHECK_TYPE=""
HSM_GREP='grep -v -e ^# -e ^$'
HSM_SED='sed s/~//g'

# Make sure we can access everything.
export CPROVDIR=/opt/safenet/protecttoolkit5/ptk
export PATH=$PATH:$CPROVDIR/bin
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$CPROVDIR/lib
export MANPATH=$MANPATH:$CPROVDIR/man


# How should I be used?
function usage() {
    cat << EOF
usage: $0 options

This script checks various safenet HSM things and outputs nagios style results.

OPTIONS:
   -h      Show this message
   -t      Check type: "battery", "RAM", "datetime", "eventlog", "initialized", "hsminfo", "fminfo"
   -n      HSM name for \$ET_HSM_NETCLIENT_SERVERLIST.
   -b      ctcheck binary (default: /opt/safenet/protecttoolkit5/ptk/bin/ctcheck)

CHECKS:
   battery      Show HSM Battery status, GOOD (ok) or LOW (crit)
   ram          HSM RAM, (ok) if <75% used, (warn) >75% <85% used, (crit) if >85% used.
   datetime     Local HSM date/time, (crit) if different from host time, host should use ntp in same timezone.
   eventlog     (ok) if eventlog not full, (crit) if eventlog full.
   initialized  (ok) if initialized, (crit) if not. Documentation states that a FALSE could mean a tampered device.
   hsminfo      always (ok), returns general HSM info, model, version, firmware and such.
   fminfo       always (ok), returns Functional Module information.
EOF
    exit 3
}

# DRY, nagios exit codes are quite simple..
# usage: nagios_response EXITCODE "MESSAGE"
function nagios_response() {
    if [[ ! -z ${1} ]] && [[ ! -z ${2} ]]; then
        EXIT_MESSAGE=${2}
        case ${1} in
            0)
                EXIT_CODE=0
                EXIT_CODE_VERBOSE="OK:"
                ;;
            1)
                EXIT_CODE=1
                EXIT_CODE_VERBOSE="WARNING:"
                ;;
            2)
                EXIT_CODE=2
                EXIT_CODE_VERBOSE="CRITICAL:"
                ;;
            3)
                EXIT_CODE=3
                EXIT_CODE_VERBOSE="UNKNOWN:"
                ;;
        esac

        echo -n ${EXIT_CODE_VERBOSE}
        echo -n " "
        echo "${EXIT_MESSAGE}"
        exit ${EXIT_CODE}

    else
        echo "CRITICAL: exit code unknown or wrong option provided."
        exit 2
    fi

}

# HSM Connection test
function hsm_conn_test() {
    HSM_CONN_TEST=`$CTC $CTCOPTS -n 2>&1`
    if [[ "$HSM_CONN_TEST" == "ctcheck: CM_Initialize returned 5" ]]; then
        nagios_response 3 "Could not connect to HSM ${HSM_NAME}"
    fi
}


# Output basic HSM info
function check_hsm_device_info() {
    SN=`$CTC $CTCOPTS -b serialnumber | $HSM_GREP | $HSM_SED`
    MODEL=`$CTC $CTCOPTS -b model | $HSM_GREP | $HSM_SED`
    DEV_REV=`$CTC $CTCOPTS -b devicerevision | $HSM_GREP | $HSM_SED`
    FIRMWARE_REV=`$CTC $CTCOPTS -b firmwarerevision | $HSM_GREP | $HSM_SED`
    DATEOFMAN=`$CTC $CTCOPTS -b dateofmanufacture | $HSM_GREP | $HSM_SED`
    EVENT_LOG_COUNT=`$CTC $CTCOPTS -b eventlogcount | $HSM_GREP | $HSM_SED`
    SLOT_COUNT=`$CTC $CTCOPTS -b slotcount | $HSM_GREP | $HSM_SED`
    PTKC_REV=`$CTC $CTCOPTS -b ptkcrevision | $HSM_GREP | $HSM_SED`
    DEV_BATCH=`$CTC $CTCOPTS -b batch | $HSM_GREP | $HSM_SED`
    SEC_MODE=`$CTC $CTCOPTS -b securitymode | $HSM_GREP | $HSM_SED`
    TRANS_MODE=`$CTC $CTCOPTS -b transportmode | $HSM_GREP | $HSM_SED`
    nagios_response 0 "HSM: ${HSM_NAME}; Serial Number: ${SN}; Model: ${MODEL}; Device Revision: ${DEV_REV}; Firmware Revision: ${FIRMWARE_REV}; Manufacturing Date: ${DATEOFMAN}; Device Batch: ${DEV_BATCH}; PTKC Revision: ${PTKC_REV}; Slot Count: ${SLOT_COUNT}; Security Mode: ${SEC_MODE}; Transport Mode: ${TRANS_MODE}; Event Log Count: ${EVENT_LOG_COUNT}."
}

# Output Functional Module Information
function check_hsm_fm_info() {
    FUNC_MODL_SUPP=`$CTC $CTCOPTS -b fmsupport | $HSM_GREP | $HSM_SED`
    FUNC_MODL_LABEL=`$CTC $CTCOPTS -b fmlabel | $HSM_GREP | $HSM_SED`
    FUNC_MODL_VERSION=`$CTC $CTCOPTS -b fmversion | $HSM_GREP | $HSM_SED`
    FUNC_MODL_MANF=`$CTC $CTCOPTS -b fmmanufacturer | $HSM_GREP | $HSM_SED`
    FUNC_MODL_BT=`$CTC $CTCOPTS -b fmbuildtime | $HSM_GREP | $HSM_SED`
    FUNC_MODL_ROM=`$CTC $CTCOPTS -b fmromsize | $HSM_GREP | $HSM_SED`
    FUNC_MODL_RAM=`$CTC $CTCOPTS -b fmramsize | $HSM_GREP | $HSM_SED`
    nagios_response 0 "HSM: ${HSM_NAME}; FM Support: ${FUNC_MODL_SUPP}; FM Label: ${FUNC_MODL_LABEL}; FM Version: ${FUNC_MODL_VERSION}; FM Manufacturer: ${FUNC_MODL_MANF}; FM Build DateTime: ${FUNC_MODL_BT}; FM ROM Space: ${FUNC_MODL_ROM}; FM RAM Space: ${FUNC_MODL_RAM}."
}

function check_hsm_battery() {
    battery_command=`$CTC $CTCOPTS -b batterystatus | $HSM_GREP | $HSM_SED`
    if [[ $battery_command == "GOOD" ]]; then
        nagios_response 0 "Battery status is good for HSM: ${HSM_NAME}"
    elif [[ $battery_command == "LOW" ]]; then
        nagios_response 2 "Battery status is LOW for HSM: ${HSM_NAME}"
    else
        nagios_response 3 "Battery status is unknown for HSM: ${HSM_NAME}"
    fi
}

function check_hsm_initialized() {
    hsm_initialized_command=`$CTC $CTCOPTS -b deviceinitialised | $HSM_GREP | $HSM_SED`
    if [[ "$hsm_initialized_command" == "TRUE" ]]; then
        nagios_response 0 "HSM: ${HSM_NAME} is initialized. All is well."
    # FALSE is the documented "possibly tampered" answer; the branch used to
    # test for TRUE a second time and so could never fire
    elif [[ "$hsm_initialized_command" == "FALSE" ]]; then
        nagios_response 2 "HSM: ${HSM_NAME} reports not initialized. Device might be TAMPERED."
    else
        nagios_response 3 "HSM ${HSM_NAME} initialization status unknown."
149 | fi 150 | } 151 | 152 | function check_hsm_eventlog() { 153 | EVENT_LOG_COUNT=`$CTC $CTCOPTS -b eventlogcount| $HSM_GREP | $HSM_SED` 154 | nagios_response 0 "HSM: ${HSM_NAME} Event Log Count: ${EVENT_LOG_COUNT}" 155 | } 156 | 157 | function check_hsm_ram() { 158 | FREE_RAM=`$CTC $CTCOPTS -b freepublicmemory | $HSM_GREP | $HSM_SED` 159 | TOTAL_RAM=`$CTC $CTCOPTS -b totalpublicmemory | $HSM_GREP | $HSM_SED` 160 | USED_RAM=$(( ${TOTAL_RAM} - ${FREE_RAM} )) 161 | TOTAL_PERC=$(( ${TOTAL_RAM} / 100 )) 162 | USED_PERC=$(( ${USED_RAM} / ${TOTAL_PERC} )) 163 | 164 | OK=50 165 | CRIT=85 166 | 167 | if [[ ${USED_PERC} < ${OK} ]]; then 168 | nagios_response 0 "RAM Usage OK: ${USED_PERC}% used, ( ${TOTAL_RAM} total). HSM: ${HSM_NAME}."; 169 | elif [[ ${USED_PERC} > ${OK} ]] && [[ ${USED_PERC} < ${CRIT} ]]; then 170 | nagios_response 1 "RAM Usage WARN: ${USED_PERC}% used, ( ${TOTAL_RAM} total). HSM: ${HSM_NAME}."; 171 | elif [[ ${USED_PERC} > ${CRIT} ]]; then 172 | nagios_response 2 "RAM Usage CRIT: ${USED_PERC}% used, ( ${TOTAL_RAM} total). HSM: ${HSM_NAME}."; 173 | else 174 | nagios_response 3 "RAM Usage unknown for HSM ${HSM_NAME}"; 175 | fi 176 | } 177 | 178 | function check_hsm_datetime() { 179 | 180 | LOCAL_TIME=`date +%d/%m/%Y\ %H:%M` 181 | HSM_FULL_TIME=`$CTC $CTCOPTS -b clocklocal | $HSM_GREP | $HSM_SED` 182 | HSM_TIME=${HSM_FULL_TIME:0:16} 183 | 184 | if [[ ${LOCAL_TIME} == ${HSM_TIME} ]]; then 185 | nagios_response 0 "HSM: ${HSM_NAME} time is the same as local time: ${LOCAL_TIME}." 186 | else 187 | nagios_response 2 "HSM: ${HSM_NAME} time is NOT CORRECT. It is ${HSM_TIME} but it should be ${LOCAL_TIME}." 188 | fi 189 | 190 | } 191 | 192 | 193 | # option parsing 194 | while getopts “ht:b:n:” OPTION; do 195 | case ${OPTION} in 196 | h) 197 | usage 198 | ;; 199 | t) 200 | CHECK_TYPE=${OPTARG} 201 | ;; 202 | b) 203 | U_CTC=${OPTARG} 204 | ;; 205 | n) 206 | HSM_NAME=${OPTARG} 207 | ;; 208 | ?) 
209 | usage 210 | ;; 211 | esac 212 | done 213 | 214 | ## Do we have a binary overrride? 215 | if [[ ! -z ${U_CTC} ]] && [[ -f ${U_CTC} ]]; then 216 | CTC=${U_CTC} 217 | fi 218 | 219 | ## Do we have all required options? 220 | if [[ -z ${CHECK_TYPE} ]] || [[ -z ${CTC} ]] || [[ -z ${HSM_NAME} ]]; then 221 | usage 222 | fi 223 | 224 | # Export HSM list 225 | export ET_HSM_NETCLIENT_SERVERLIST=${HSM_NAME} 226 | ET_HSM_NETCLIENT_SERVERLIST=${HSM_NAME} 227 | 228 | # Does the ctcheck exist? 229 | if [[ ! -f ${CTC} ]]; then 230 | nagios_response 2 "CTCHECK binary not available: ${CTC}." 231 | fi 232 | 233 | hsm_conn_test 234 | 235 | case ${CHECK_TYPE} in 236 | "battery") 237 | check_hsm_battery; 238 | ;; 239 | "ram") 240 | check_hsm_ram; 241 | ;; 242 | "hsminfo") 243 | check_hsm_device_info; 244 | ;; 245 | "fminfo") 246 | check_hsm_fm_info; 247 | ;; 248 | "datetime") 249 | check_hsm_datetime; 250 | ;; 251 | "initialized") 252 | check_hsm_initialized; 253 | ;; 254 | "eventlog") 255 | check_hsm_eventlog; 256 | ;; 257 | ?) 258 | echo "Check type not supported." 
259 | usage 260 | ;; 261 | esac 262 | 263 | -------------------------------------------------------------------------------- /check_ocsp_hard/check_ocsp_hard.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Hardcoded OCSP check 3 | # Hard coded to certificate of raymii.org 4 | #Copyright (c) 2012 Remy van Elst 5 | #Permission is hereby granted, free of charge, to any person obtaining a copy 6 | #of this software and associated documentation files (the "Software"), to deal 7 | #in the Software without restriction, including without limitation the rights 8 | #to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | #copies of the Software, and to permit persons to whom the Software is 10 | #furnished to do so, subject to the following conditions: 11 | # 12 | #The above copyright notice and this permission notice shall be included in 13 | #all copies or substantial portions of the Software. 14 | # 15 | #THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | #IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | #FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | #AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | #LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | #OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | #THE SOFTWARE. 
22 | 23 | # Adapated by palli@opensource.is at 2013-05-02 24 | # * Certificates changed 25 | # * Added argument -H 26 | 27 | OK=0 28 | WARNING=1 29 | CRITICAL=2 30 | UNKNOWN=3 31 | HOSTNAME=localhost # by default check localhost 32 | PORT=80 # default port is 80 33 | 34 | OPENSSL="openssl" # Command used to invoke openssl 35 | 36 | print_help() { 37 | cat << EOF 38 | $0 version $VERSION 39 | This Plugin checks if a remote OCSP server and see if it validates our certificate 40 | 41 | Usage: $0 [--help] [-H localhost] [-P 80] 42 | [--cert filename.cer]" [--issuer filename.cer] 43 | [--noverify] [--max-age AGE]" 44 | [--path-to-openssl /usr/bin/openssl] 45 | [--url http://\$hostname:\$port]"] 46 | [--openssl-command /some/other/command] 47 | 48 | Notes: 49 | If --url is not specified it is assumed to be http://host_name 50 | 51 | Examples: 52 | # $0 -H host.example.com -P 80 --issuer issuer.cer --cert cert_to_check.cer 53 | 54 | EOF 55 | } 56 | # Parse arguments 57 | while [ $# -gt 0 ] 58 | do 59 | case $1 60 | in 61 | -h) 62 | print_help 63 | shift 1 64 | exit $OK 65 | ;; 66 | 67 | --help) 68 | print_help 69 | shift 1 70 | exit $OK 71 | ;; 72 | -H) 73 | HOSTNAME=$2 74 | shift 2 75 | ;; 76 | -P) 77 | PORT=$2 78 | shift 2 79 | ;; 80 | --path-to-openssl) 81 | OPENSSL=$2 82 | shift 2 83 | ;; 84 | --openssl-command) 85 | OPENSSL_COMMAND=$2 86 | shift 2 87 | ;; 88 | --url) 89 | OCSPURL=$2 90 | shift 2 91 | ;; 92 | --cert) 93 | CERT=$2 94 | shift 2 95 | ;; 96 | --issuer) 97 | ISSUER=$2 98 | shift 2 99 | ;; 100 | --noverify) 101 | OPTIONS="$OPTIONS -noverify" 102 | shift 1 103 | ;; 104 | --max-age) 105 | OPTIONS="$OPTIONS -status_age $2" 106 | shift 2 107 | ;; 108 | --verbose) 109 | VERBOSE=yes 110 | shift 1 111 | ;; 112 | *) 113 | echo "Invalid parameter: $1" 114 | print_help 115 | exit $UNKNOWN 116 | ;; 117 | esac 118 | done 119 | 120 | 121 | 122 | 123 | CERTCN=$CERT 124 | #CERTCN="michal.cert" 125 | # 126 | CERTTOCHECK='-----BEGIN CERTIFICATE----- 127 | 
MIIE6TCCA9GgAwIBAgIRAMGj2NANcvzkg82EdZ6ewLwwDQYJKoZIhvcNAQEFBQAw 128 | czELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G 129 | A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxGTAXBgNV 130 | BAMTEFBvc2l0aXZlU1NMIENBIDIwHhcNMTIwNjI1MDAwMDAwWhcNMTQwNjI1MjM1 131 | OTU5WjBOMSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0ZWQxFDASBgNV 132 | BAsTC1Bvc2l0aXZlU1NMMRMwEQYDVQQDEwpyYXltaWkub3JnMIIBIjANBgkqhkiG 133 | 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA10FohUnfpkPX9BTHT6DJPp4VBZulGQyCwFSS 134 | rovT4sP8p+AZC2QlhwkvmgYDoehE4dt+BblBVG1Yq6VXSAJHHWr93HIr+IcVSyeG 135 | Y1xEfJM2+ZJM0Y0TQmbweC92pc5bdK9ACUPjaxrMPdgMRk7QXo38+WP7FBGoKMvT 136 | Tblx6LM0H5r7TLqjR3638ZQVHCQIZas7D8iPOPR2548Hg8/88X4/V/OJCLFtEvfd 137 | 0esthJ58saEBCragRNFg4cqf8pZby+YI11f6ydQ/VmjWyaqdjhSm/gyeW7+4uDp1 138 | p1YcWHTLnLRrZMEgS+6hOfmrY6dClzQ1LGB9o0uJhOwFUuf02wIDAQABo4IBmzCC 139 | AZcwHwYDVR0jBBgwFoAUmeRAX2sUXj4F2d3TY1T8Yrj3AKwwHQYDVR0OBBYEFDpL 140 | KT5kugQGQ9hsYM1p0/eejotPMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAA 141 | MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBGBgNVHSAEPzA9MDsGCysG 142 | AQQBsjEBAgIHMCwwKgYIKwYBBQUHAgEWHmh0dHA6Ly93d3cucG9zaXRpdmVzc2wu 143 | Y29tL0NQUzA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8vY3JsLmNvbW9kb2NhLmNv 144 | bS9Qb3NpdGl2ZVNTTENBMi5jcmwwbAYIKwYBBQUHAQEEYDBeMDYGCCsGAQUFBzAC 145 | hipodHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9Qb3NpdGl2ZVNTTENBMi5jcnQwJAYI 146 | KwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAlBgNVHREEHjAcggpy 147 | YXltaWkub3Jngg53d3cucmF5bWlpLm9yZzANBgkqhkiG9w0BAQUFAAOCAQEATAfY 148 | a9H1HGUK3UekE7py7v/i+UIcC+GiQt3VYFLFD2kDFk3pU9ZlpCl1gsNiGiUcoGLT 149 | Hovwy64Rj0KMxQFugL+zyfzzD7MuRDqxbdPGrsnTRTGW2onfm4MrQI5WOC69DbKx 150 | wVGKscaQ+X43EGATOvoPXJ5vqkspQn+Wh/QIiliWjFcBbMAOYWTQRn9EMb8sFyhz 151 | Oe/Xm2oyNZRW+o1obb4CFk7gcBsJ//OGDmKBiQMO5RiIivaY6wUHgyvPM+guQ0N9 152 | fyDed0L9Oai24fvoHLz8JK3rxgEi/n4tSXb4j2ShS5B71oJp9XyDO8DR5a7QD3qs 153 | jJoiuwX8NIvXpzFUAA== 154 | -----END CERTIFICATE-----' 155 | # AddTrust External CA Root as on 08-NOV-2012 156 | ISSUERCERT='-----BEGIN CERTIFICATE----- 
157 | MIIE5TCCA82gAwIBAgIQB28SRoFFnCjVSNaXxA4AGzANBgkqhkiG9w0BAQUFADBv 158 | MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk 159 | ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF 160 | eHRlcm5hbCBDQSBSb290MB4XDTEyMDIxNjAwMDAwMFoXDTIwMDUzMDEwNDgzOFow 161 | czELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G 162 | A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxGTAXBgNV 163 | BAMTEFBvc2l0aXZlU1NMIENBIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK 164 | AoIBAQDo6jnjIqaqucQA0OeqZztDB71Pkuu8vgGjQK3g70QotdA6voBUF4V6a4Rs 165 | NjbloyTi/igBkLzX3Q+5K05IdwVpr95XMLHo+xoD9jxbUx6hAUlocnPWMytDqTcy 166 | Ug+uJ1YxMGCtyb1zLDnukNh1sCUhYHsqfwL9goUfdE+SNHNcHQCgsMDqmOK+ARRY 167 | FygiinddUCXNmmym5QzlqyjDsiCJ8AckHpXCLsDl6ez2PRIHSD3SwyNWQezT3zVL 168 | yOf2hgVSEEOajBd8i6q8eODwRTusgFX+KJPhChFo9FJXb/5IC1tdGmpnc5mCtJ5D 169 | YD7HWyoSbhruyzmuwzWdqLxdsC/DAgMBAAGjggF3MIIBczAfBgNVHSMEGDAWgBSt 170 | vZh6NLQm9/rEJlTvA73gJMtUGjAdBgNVHQ4EFgQUmeRAX2sUXj4F2d3TY1T8Yrj3 171 | AKwwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwEQYDVR0gBAow 172 | CDAGBgRVHSAAMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0 173 | LmNvbS9BZGRUcnVzdEV4dGVybmFsQ0FSb290LmNybDCBswYIKwYBBQUHAQEEgaYw 174 | gaMwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9BZGRUcnVz 175 | dEV4dGVybmFsQ0FSb290LnA3YzA5BggrBgEFBQcwAoYtaHR0cDovL2NydC51c2Vy 176 | dHJ1c3QuY29tL0FkZFRydXN0VVROU0dDQ0EuY3J0MCUGCCsGAQUFBzABhhlodHRw 177 | Oi8vb2NzcC51c2VydHJ1c3QuY29tMA0GCSqGSIb3DQEBBQUAA4IBAQCcNuNOrvGK 178 | u2yXjI9LZ9Cf2ISqnyFfNaFbxCtjDei8d12nxDf9Sy2e6B1pocCEzNFti/OBy59L 179 | dLBJKjHoN0DrH9mXoxoR1Sanbg+61b4s/bSRZNy+OxlQDXqV8wQTqbtHD4tc0azC 180 | e3chUN1bq+70ptjUSlNrTa24yOfmUlhNQ0zCoiNPDsAgOa/fT0JbHtMJ9BgJWSrZ 181 | 6EoYvzL7+i1ki4fKWyvouAt+vhcSxwOCKa9Yr4WEXT0K3yNRw82vEL+AaXeRCk/l 182 | uuGtm87fM04wO+mPZn+C+mv626PAcwDj1hKvTfIPWhRRH224hoFiB85ccsJP81cq 183 | cdnUl4XmGFO3 184 | -----END CERTIFICATE-----' 185 | 186 | # If no cert was specified, we use the one that is hardcoded 187 | # in the script 188 | 
if [ -z $CERT ]; then 189 | CERT=`mktemp` 190 | echo "$CERTTOCHECK" > $CERT 191 | trap "rm -f $CERT" EXIT 192 | fi 193 | 194 | # If there is no issuer specified, we use the one that is hardcoded in the script 195 | if [ -z $ISSUER ]; then 196 | ISSUER=`mktemp` 197 | echo "$ISSUERCERT" > $ISSUER 198 | trap "rm -f $ISSUER" EXIT 199 | fi 200 | 201 | # Fail if certificate file does not exist 202 | if [ ! -f "$CERT" ]; then 203 | echo "Certificate to check not found: $CERT" 204 | exit $UNKNOWN 205 | fi 206 | 207 | # Fail if issuer file does not exist 208 | if [ ! -f "$ISSUER" ]; then 209 | echo "Issuer certificate not found: $ISSUER" 210 | exit $UNKNOWN 211 | fi 212 | 213 | # If no URL provided from command line, generate a sensible one from hostname and port 214 | if [ -z "$OCSPURL" ]; then 215 | OCSPURL="http://$HOSTNAME:$PORT" 216 | fi 217 | 218 | # If openssl command was not specified in arguments, then generate a sensible one 219 | if [ -z "$OPENSSL_COMMAND" ]; then 220 | OPENSSL_COMMAND="$OPENSSL ocsp $OPTIONS -nonce -issuer $ISSUER -cert $CERT -url "$OCSPURL" 2>&1" 221 | fi 222 | 223 | # If verbose is specified, print out our actual openssl command 224 | if [ ! -z $VERBOSE ]; then 225 | echo "DEBUG: Executing: $OPENSSL_COMMAND" 226 | fi 227 | 228 | 229 | OCSPRESPONSE=$($OPENSSL_COMMAND) 230 | RESULT=$? 231 | if [[ $RESULT -ne 0 ]]; then 232 | if [[ "$OCSPRESPONSE" =~ "OCSP_parse_url:error parsing url" ]]; then 233 | echo "CRITICAL: OCSP URL parse error." 234 | echo $OCSPRESPONSE 235 | exit $CRITICAL 236 | fi 237 | if [[ "$OCSPRESPONSE" =~ "Connection refused" ]]; then 238 | echo "CRITICAL: OCSP refused connection." 239 | echo $OCSPRESPONSE 240 | exit $CRITICAL 241 | fi 242 | if [[ "$OCSPRESPONSE" =~ "Code=404" ]]; then 243 | echo "CRITICAL: OCSP returns HTTP error 404 (Not Found)." 244 | echo $OCSPRESPONSE 245 | exit $CRITICAL 246 | fi 247 | echo -n "CRITICAL: OCSP check FAILED for OCSP: ${OCSPURL}. 
" 248 | echo $OCSPRESPONSE 249 | exit $CRITICAL 250 | fi 251 | 252 | echo "$OCSPRESPONSE" | grep -q ": revoked" 253 | if [[ $? -eq 0 ]]; then 254 | echo -n "CRITICAL: certificate for ${CERTCN} REVOKED by OCSP: ${OCSPURL} " 255 | echo $OCSPRESPONSE 256 | exit $CRITICAL 257 | fi 258 | 259 | echo "$OCSPRESPONSE" | grep -q ": unknown" 260 | if [[ $? -eq 0 ]]; then 261 | echo -n "WARNING: status of certificate for ${CERTCN} UNKNOWN by OCSP: ${OCSPURL} " 262 | echo $OCSPRESPONSE 263 | exit 1 264 | fi 265 | 266 | echo "$OCSPRESPONSE" | grep -q "WARNING" 267 | if [[ $? -eq 0 ]]; then 268 | echo -n "WARNING received from ${OCSPURL}: $OCSPRESPONSE" 269 | exit $WARNING 270 | fi 271 | 272 | echo "$OCSPRESPONSE" | grep -q ": good" 273 | if [[ $? -eq 0 ]]; then 274 | echo -n "OK: OCSP up and running - status of certificate for ${CERTCN} GOOD by OCSP: ${OCSPURL} " 275 | echo $OCSPRESPONSE 276 | exit $OK 277 | fi 278 | 279 | echo "$OCSPRESPONSE" | grep -q "unauthorized" 280 | if [[ $? -eq 0 ]]; then 281 | echo -n "WARNING: OCSP Responder Error: unauthorized (6) " 282 | echo $OCSPRESPONSE 283 | exit $WARNING 284 | fi 285 | 286 | 287 | # If we get here, then openssl propably ran with exit code 0, but we did not recognize the output 288 | echo "Could not parse output from openssl command" 289 | echo $OCSPRESPONSE 290 | echo "----" 291 | echo "Command used: $OPENSSL_COMMAND" 292 | exit $UNKNOWN 293 | 294 | 295 | --------------------------------------------------------------------------------
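The status classification that check_ocsp_hard.sh does with a chain of greps, as an added example that is not part of this repository: one function maps constructed "openssl ocsp" output to the plugin's Nagios exit codes in the same order of precedence, plus one rule the plugin does not have, that a "Response Verify Failure" line makes the result CRITICAL even when the status line says good. The sample outputs are constructed to look like openssl's, not captured from a responder.

```shell
#!/bin/sh
# Added example (not from the repository): classify 'openssl ocsp' text output
# into a Nagios exit code: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
# The first matching pattern wins, so the ordering encodes the precedence.
ocsp_status_code() {
    out="$1"
    case "$out" in
        *"Response Verify Failure"*) echo 2 ;;  # unverifiable answer: stricter than the plugin
        *": revoked"*)               echo 2 ;;  # CRITICAL
        *": unknown"*)               echo 1 ;;  # WARNING
        *WARNING*)                   echo 1 ;;  # WARNING
        *": good"*)                  echo 0 ;;  # OK
        *unauthorized*)              echo 1 ;;  # responder error 6: WARNING
        *)                           echo 3 ;;  # nothing recognised: UNKNOWN
    esac
}

# Constructed samples modelled on openssl ocsp output (not real responses)
SAMPLE_GOOD='Response verify OK
/tmp/cert.pem: good
    This Update: May  2 10:00:00 2013 GMT
    Next Update: May  9 10:00:00 2013 GMT'
SAMPLE_REVOKED='Response verify OK
/tmp/cert.pem: revoked
    This Update: May  2 10:00:00 2013 GMT
    Reason: keyCompromise
    Revocation Time: May  1 08:00:00 2013 GMT'
SAMPLE_UNKNOWN='Response verify OK
/tmp/cert.pem: unknown
    This Update: May  2 10:00:00 2013 GMT'
# Signature could not be verified, yet a status line is still printed
SAMPLE_VERIFY_FAIL='Response Verify Failure
/tmp/cert.pem: good
    This Update: May  2 10:00:00 2013 GMT'

# Stand-alone demonstration: print the status line and the resulting exit code
for s in "$SAMPLE_GOOD" "$SAMPLE_REVOKED" "$SAMPLE_UNKNOWN" "$SAMPLE_VERIFY_FAIL"; do
    status_line=$(printf '%s\n' "$s" | sed -n '2p')
    printf '%-22s -> exit %s\n' "$status_line" "$(ocsp_status_code "$s")"
done
```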