# HG changeset patch # User Matthias Förste # Date 1303286520 -7200 # Node ID 7e623fe1e9e5f61b6a023d4c2673875af5acefca # Parent 3c725372a1ceaa7e5459a8573bb83a4a61427cf0 added nagios check diff -r 3c725372a1ce -r 7e623fe1e9e5 dnsnagios/check_dnssec --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/dnsnagios/check_dnssec Wed Apr 20 10:02:00 2011 +0200 @@ -0,0 +1,214 @@ +#! /usr/bin/perl -w + +# Copyright (C) 2011 Matthias Förste +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +# Matthias Förste + +use strict; +use warnings; + +use File::Basename qw(basename); +use Getopt::Long; +use Net::DNS; + +# for rrsig handling +require Net::DNS::SEC; +use Pod::Usage; + +my $ME = basename $0; +my $VERSION = "0.1"; + +my $opt = { + 'index-host' => '84.19.194.5', + 'index-zone' => 'idx.net.schlittermann.de', + warning => 12, + critical => 72 +}; + +my $rv = { + OK => 0, + WARNING => 1, + CRITICAL => 2, + UNKNOWN => 3 +}; + +Getopt::Long::Configure('no_ignore_case_always'); +GetOptions( + "w|warning=i" => \$opt->{warning}, + "c|critical=i" => \$opt->{critical}, + "H|index-host=s" => \$opt->{'index-host'}, + "Z|index-zone=s" => \$opt->{'index-zone'}, + "h|help" => sub { pod2usage( -verbose => 1, -exitval => $rv->{OK} ) }, + "m|man" => sub { pod2usage( -verbose => 2, -exitval => $rv->{OK} ) }, + "V|version" => sub { version( $ME, $VERSION ); exit $rv->{OK}; } +) or pod2usage( -verbose => 1, -exitval => $rv->{CRITICAL} ); + +my $rc = 'OK'; +my $res = Net::DNS::Resolver->new; +my $ires = Net::DNS::Resolver->new( nameservers => [ $opt->{'index-host'} ] ); + +my ( $r, @a ); +unless ( defined( $r = $ires->query( $opt->{'index-zone'}, 'txt' ) ) + && ( @a = $r->answer ) ) +{ + + print "No zones found"; + exit $rv->{UNKNOWN}; + +} + +my $now = time; +my $dates; +for (qw(critical warning)) { + my @d = gmtime $opt->{$_} * 3600; + $dates->{$_} = sprintf "%04d" . "%02d" x 5, $d[5] + 1900, $d[4] + 1, + reverse @d[ 0 .. 3 ]; +} + +my $counter; +@{$counter}{qw(critical warning ok total)} = (0) x 4; + +for my $txt (@a) { + + next unless $txt->rdatastr =~ /^"ZONE::(.*)::sec-on"$/; + my $z = $1; + + my ( $r, @a ); + unless ( defined( $r = $res->query( $z, 'rrsig' ) ) + && ( @a = $r->answer ) ) + { + + print "No RRSIGs found for zone '$z'"; + exit $rv->{UNKNOWN}; + + } + + for my $rrsig (@a) { + + $counter->{total}++; + my $e = $rrsig->sigexpiration; + + if ( $e < $dates->{critical} ) { + + $counter->{critical}++; + $rc = 'CRITICAL'; + + } + elsif ( $e < $dates->{warning} ) { + + $counter->{warning}++; + $rc = 'WARNING' unless $rv->{$rc} > $rv->{WARNING}; + + } + else { + + $counter->{ok}++; + next; + } + + warn "Signature for ", $rrsig->typecovered, + " Record(s) in zone '$z' expires at ", + ( join '.', reverse unpack 'A4A2A2', $e ), " ($e)\n"; + + } + +} + +print "DNSSEC $rc: ", $counter->{critical}, " critical, ", $counter->{warning}, + " warning, ", $counter->{ok}, " ok, ", $counter->{total}, " total.\n"; +exit $rv->{$rc}; + +sub version($$) { + my ( $progname, $version ) = @_; + + print <<_VERSION; +$progname version $version +Copyright (C) 2011 by Matthias Förste and Schlittermann internet & unix support. + +$ME comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions. +See the GNU General Public Licence for details. +_VERSION +} + +__END__ + +=head1 NAME + +check_dnssec - nagios plugin to warn about rrsig expiry + +=head1 SYNOPSIS + +check_dnssec [-H|--index-host string] + [-Z|--index-zone string] + [-w|--warning int] + [-c|--critical int] + [-h|--help] + [-m|--man] + [-V|--version] + +=head1 OPTIONS + +=over + +=item B<-H>|B<--index-host> I + +Hostname or IP of a DNS Server knowing our index zone. + +=item B<-Z>|B<--index-zone> I + +Name of a zone listing our DNSSEC enabled zone (and other records). + +=item B<-w>|B<--warning> I + +Return with warning status if any RRSIG Record in any of the above zones +expires in less than that many hours. + +=item B<-c>|B<--critical> I + +Return with critical status if any RRSIG Record in any of the above zones +expires in less than that many hours. + +=item B<-h>|B<--help> + +Print detailed help screen. + +=item B<-m>|B<--man> + +Print manual page. + +=item B<-V>|B<--version> + +Print version information. + +=back + +=head1 DESCRIPTION + +This plugin reads a list of DNSSEC enabled zones from our index zone and checks +for expiry of any of the RRSIG Records. + +=head1 AUTHOR + +Written by Matthias Förste L + +=head1 COPYRIGHT + +Copyright (C) 2011 by Matthias Förste and Schlittermann internet & unix +support. This is free software, and you are welcome to redistribute it under +certain conditions. See the GNU General Public Licence for details. + +=cut