├── README.md ├── check_nextcloud.php ├── icingaexchange.yml └── screenshot.png /README.md: -------------------------------------------------------------------------------- 1 | # check_nextcloud 2 | 3 | This is a monitoring plugin for [icinga](https://www.icinga.com) to check the status of the [nextcloud](https://nextcloud.com) [security scan](https://scan.nextcloud.com) for a given URL. 4 | 5 | ![Icingaweb2 screenshot showing the check_nextcloud script](/screenshot.png?raw=true "Icingaweb2 screenshot") 6 | 7 | 8 | ### Usage 9 | Try the plugin at the command line like this: 10 | ``` 11 | /usr/bin/php ./check_nextcloud.php -H cloud.example.com -u / 12 | ``` 13 | 14 | You can define the icinga2 check command as follows: 15 | ``` 16 | /* Define check command for check_nextcloud */ 17 | object CheckCommand "nextcloud" { 18 | import "plugin-check-command" 19 | command = [ LocalPluginDir + "/check_nextcloud.php" ] 20 | 21 | arguments = { 22 | "-H" = { 23 | "required" = true 24 | "value" = "$nc_host$" 25 | } 26 | "-u" = { 27 | "required" = true 28 | "value" = "$nc_url$" 29 | } 30 | } 31 | 32 | vars.nc_url = "/" 33 | } 34 | ``` 35 | 36 | Please don't run this check too often. There is an API limit at the scan.nextcloud.com server at the /api/queue endpoint with around 250 POST requests a day. 
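I personally run it every 24h: 37 | ``` 38 | /* Define apply rule for check_nextcloud */ 39 | apply Service "nextcloud-" for (instance => config in host.vars.nextcloud) { 40 | display_name = name 41 | assign where host.vars.nextcloud 42 | command_endpoint = host.vars.remote_endpoint 43 | check_command = "nextcloud" 44 | vars += config 45 | max_check_attempts = 3 46 | check_interval = 24h 47 | retry_interval = 15m 48 | enable_notifications = true 49 | } 50 | ``` 51 | 52 | 53 | ### Changelog 54 | * 2017-03-22: split hostname and url into separate parameters (sumnerboy12) 55 | * 2017-03-18: initial version (janvonde) 56 | 57 | 58 | ### Authors 59 | * [Jan Vonde](https://github.com/janvonde) 60 | * [Ben Jones](https://github.com/sumnerboy12) 61 | 62 | 63 | ### License 64 | This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 65 | 66 | This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 67 | 68 | You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/. 69 |
--------------------------------------------------------------------------------
/check_nextcloud.php:
--------------------------------------------------------------------------------
#!/usr/bin/php
<?php
/***
 * check_nextcloud.php - Monitoring plugin to check the status of nextcloud
 * security scan for a given hostname + URI.
 *
 * Usage: /usr/bin/php ./check_nextcloud.php -H cloud.example.com -u /nextcloud -z "Europe/Berlin"
 *
 *   -H  hostname of the nextcloud instance (required)
 *   -u  uri of the nextcloud instance, for example / or /nextcloud (required)
 *   -z  timezone used to print the last-scan time (optional; PHP's configured
 *       default timezone is used when the option is omitted)
 *
 * Don't run this check too often. You could run into an API limit on the
 * nextcloud scan server. Once a day is good.
 *
 * Data flow: the hostname + uri given on the command line are POSTed to
 * scan.nextcloud.com, so the monitored address is disclosed to that service,
 * and the rating printed below is whatever that service answers. The answer
 * is remote input: every field is validated before it is put into a URL or
 * into the status line.
 *
 * For more information visit https://github.com/janvonde/check_nextcloud
 *
 * Changelog
 * 2019-01-26 Christian Wirtz, Added timezone handling
 *
 * NOTE(review): icingaexchange.yml in this repository lists a checksum for
 * this file; it has to be regenerated whenever the script is changed.
 ***/

// Plugin exit codes understood by icinga.
define('NC_OK', 0);
define('NC_WARNING', 1);
define('NC_CRITICAL', 2);
define('NC_UNKNOWN', 3);

define('NC_SCAN_API', 'https://scan.nextcloud.com/api');
define('NC_SCAN_RESULTS', 'https://scan.nextcloud.com/results');

/**
 * Print one status line and terminate with the given plugin exit code.
 *
 * @param int    $code one of the NC_* exit codes
 * @param string $line status line, without the trailing newline
 */
function nc_finish($code, $line)
{
    echo $line . "\n";
    exit($code);
}

/**
 * Make a command-line value safe to repeat inside the status line.
 *
 * "|" starts the performance-data section and a line break would start a new
 * output line, so those (and all other control characters) are replaced.
 *
 * @param string $text
 * @return string
 */
function nc_printable($text)
{
    return preg_replace('/[|\x00-\x1f\x7f]/', '_', $text);
}

/**
 * Fetch a URL and decode the JSON document it returns.
 *
 * @param string   $url
 * @param resource $context stream context to use for the request
 * @return array|null decoded document, or null when the request failed or the
 *                    body did not decode to an array
 */
function nc_fetch_json($url, $context)
{
    // "@" keeps PHP's own warning text out of the plugin output; the failure
    // is reported through the return value instead.
    $body = @file_get_contents($url, false, $context);
    if ($body === false) {
        return null;
    }

    $decoded = json_decode($body, true);

    return is_array($decoded) ? $decoded : null;
}

/**
 * Print the usage text and exit.
 *
 * Exit code 2 is kept from the earlier version of the script.
 * NOTE(review): plugin convention for usage errors is UNKNOWN (3) - confirm
 * before changing, existing notification rules may depend on it.
 */
function nc_usage()
{
    print "check_nextcloud.php - Monitoring plugin to check the status of nextcloud security scan for a given hostname + URI.\n\n"
        . "You need to specify the following parameters:\n"
        . "  -H: hostname of the nextcloud instance, for example cloud.example.com\n"
        . "  -u: uri of the nextcloud instance, for example / or /nextcloud\n"
        . "Optional:\n"
        . "  -z: timezone of the nextcloud instance, for example Europe/Berlin \n\n";
    exit(NC_CRITICAL);
}

// get commands passed as arguments
$options = getopt("H:u:z:");
if (!is_array($options)) {
    print "There was a problem reading the passed option.\n\n";
    exit(1);
}

// -H and -u are mandatory. getopt() returns an array instead of a string when
// an option is repeated, which must not reach trim().
foreach (array('H', 'u') as $required) {
    if (!isset($options[$required]) || !is_string($options[$required])) {
        nc_usage();
    }
}
if (isset($options['z']) && !is_string($options['z'])) {
    nc_usage();
}

$nchost = trim($options['H']);
$ncuri = trim($options['u']);
if ($nchost === '') {
    nc_usage();
}
$ncurl = $nchost . $ncuri;
$target = nc_printable($ncurl);

// -z is optional so that the two-argument call shown in the README keeps
// working. Setting the default explicitly also covers the case where no
// timezone is configured for PHP.
$nctz = isset($options['z']) ? trim($options['z']) : @date_default_timezone_get();
if (!@date_default_timezone_set($nctz)) {
    nc_finish(NC_UNKNOWN, "UNKNOWN: '" . nc_printable($nctz) . "' is not a valid timezone identifier.");
}

// get UUID from scan.nextcloud.com service
$postcontext = stream_context_create(array(
    'http' => array(
        'header' => "Content-type: application/x-www-form-urlencoded\r\nX-CSRF: true\r\n",
        'method' => 'POST',
        'content' => http_build_query(array('url' => $ncurl)),
    ),
));
$queued = nc_fetch_json(NC_SCAN_API . '/queue', $postcontext);
$uuid = (is_array($queued) && isset($queued['uuid']) && is_string($queued['uuid'])) ? $queued['uuid'] : '';

// The id comes from the remote answer and is placed into a request URL and
// into the status line, so only a conservative character set is accepted.
// assumes the service's ids consist of letters, digits and hyphens - TODO confirm
if (!preg_match('/\A[A-Za-z0-9-]{1,64}\z/', $uuid)) {
    nc_finish(NC_WARNING, "WARNING: Could not get UUID for given host $target. Aborting. ");
}

// get information for the uuid
$getcontext = stream_context_create(array(
    'http' => array(
        'timeout' => 3,
    ),
));
$uuidresult = nc_fetch_json(NC_SCAN_API . "/result/$uuid", $getcontext);
if ($uuidresult === null) {
    nc_finish(NC_WARNING, "WARNING: Could not get information for given host $target. Aborting. ");
}

// Validate every field that is used below. Without this an incomplete or
// unexpected answer would either end the script silently with exit code 0
// (reported as OK) or be mapped to a rating it does not contain.
$ratings = array(5 => 'A+', 4 => 'A', 3 => 'C', 2 => 'D', 1 => 'E', 0 => 'F');

$rating = isset($uuidresult['rating']) ? $uuidresult['rating'] : null;
if (is_string($rating) && ctype_digit($rating)) {
    $rating = (int) $rating;
}

$vulnlist = isset($uuidresult['vulnerabilities']) ? $uuidresult['vulnerabilities'] : null;

$scanned = false;
if (isset($uuidresult['scannedAt']['date']) && is_string($uuidresult['scannedAt']['date'])) {
    $scanned = strtotime($uuidresult['scannedAt']['date']);
}

if ($scanned === false || !is_int($rating) || !isset($ratings[$rating]) || !is_array($vulnlist)) {
    nc_finish(
        NC_UNKNOWN,
        "UNKNOWN: Scan result for $target is incomplete or has an unexpected format. See " . NC_SCAN_RESULTS . "/$uuid"
    );
}

// if the result is older than 24h requeue the host for rescanning
if ($scanned <= strtotime('-24 hours')) {
    // Same parameters as the queue call, only the endpoint differs. This is
    // best effort: the answer is not needed and a failure must not add
    // warning text in front of the status line.
    @file_get_contents(NC_SCAN_API . '/requeue', false, $postcontext);
}

// print output for icinga
$tr = $ratings[$rating];
$vulns = count($vulnlist);
$lastscan = date("d.m.Y - H:i:s\h", $scanned);
$summary = "$tr rating for $target, $vulns vulnerabilities identified, last scan: $lastscan";

// Performance data items are separated by spaces; a comma after the value
// makes the item unparseable for the monitoring core.
if ($rating >= 4) {
    nc_finish(NC_OK, "OK: $summary | badrating=0 vulnerabilities=$vulns");
}

if ($rating >= 2) {
    nc_finish(
        NC_WARNING,
        "WARNING: $summary. Please see " . NC_SCAN_RESULTS . "/$uuid | badrating=1 vulnerabilities=$vulns"
    );
}

nc_finish(
    NC_CRITICAL,
    "CRITICAL: $summary. Immediate action required! See " . NC_SCAN_RESULTS . "/$uuid | badrating=2 vulnerabilities=$vulns"
);
?>
--------------------------------------------------------------------------------
/icingaexchange.yml:
--------------------------------------------------------------------------------
1 | name: check_nextcloud 2 | description: "file:///README.md" 3 | url: "https://github.com/janvonde/check_nextcloud" 4 | tags: nextcloud,owncloud,php 5 | vendor: Linux 6 | target: Website 7 | type: Plugin 8 | license: gplv3 9 | releases: 10 | - 11 | name: 1.1 12 | description: "1.1 Release" 13 | files: 14 | - 15 | name: check_nextcloud.php 16 | url: "file:///check_nextcloud.php" 17 | description: "1.1 release" 18 | checksum: 591a3bd08d86a8ac3270a66eef6df07f 19 |
--------------------------------------------------------------------------------
/screenshot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/janvonde/check_nextcloud/e640031903ce4f69e10a3dbe366bc5a1a0b41b48/screenshot.png
--------------------------------------------------------------------------------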