--- a/check-cert.pl Mon Sep 14 17:18:46 2009 +0200
+++ b/check-cert.pl Wed Sep 16 16:41:57 2009 +0200
@@ -14,16 +14,16 @@
use lib "/usr/lib/nagios/plugins";
use utils qw (%ERRORS &print_revision &support);
-my $ME = basename $0;
+my $ME = basename $0;
my $USAGE = <<EOF;
Usage: $ME [-b <binary>] [-i init] [-d <path>] [-w <time>] [-c <time>] [-s <signature algorithm>] [-e <file,file,file,...>]
$ME [-h | --help]
$ME [-V | --version]
+
+ Consult „--help“ for even more options.
EOF
-my $VERSION = "0.4";
-my $hash_file = "/var/tmp/" . basename($0) . ".known.db";
-my (%known, %excluded);
-my %certs = ();
+my $VERSION = "0.4";
+
my $no_print =
"no_header,no_version,no_serial,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_extensions";
my @cmd_x509 = (
@@ -31,25 +31,23 @@
"-certopt", "$no_print", "-subject", "-enddate"
);
my @cmd_pkcs12 = qw(openssl pkcs12 -clcerts -nokeys -nomacver -passin pass:);
-my @cmd_pipe = (
+my @cmd_pipe = (
"openssl", "x509", "-noout", "-text",
"-certopt", $no_print, "-subject", "-enddate"
);
-my (
- $opt_debug, $opt_init, $opt_signature, $opt_version,
- $opt_help, $opt_warning, $opt_directory, $opt_critical,
- $opt_binary, @opt_exclude
-);
-my ($file, $w_time, $c_time);
+my (%cache, %excluded, %certs);
-my (@critical, @warning);
+my $opt_binary = "/usr/bin/openssl";
+my $opt_signature = "md5WithRSAEncryption";
+my $opt_warning = "1month";
+my $opt_critical = "1week";
+my $opt_directory = "/etc";
+my $opt_debug = 0;
+my $opt_init = undef;
+my @opt_exclude = ();
-$opt_binary = "/usr/bin/openssl";
-$opt_signature = "md5WithRSAEncryption";
-$opt_warning = "1month";
-$opt_critical = "1week";
-$opt_directory = "/etc";
+my $opt_cache = "/var/tmp/@{[basename($0)]}.known.db";
sub process_file();
sub print_help();
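Review bot: The new `$opt_cache` default puts the cache DB in the shared, world-writable /var/tmp under a predictable name, and the tie in the next hunk opens it with O_RDWR|O_CREAT (no O_EXCL), so whatever file already sits at that path is opened and trusted as-is; because process_file skips any file whose cache entry matches, the cache is effectively a trust decision, not scratch data. Prefer a default under a directory writable only by the monitoring user (the plugin's own state or spool directory, whichever the installation provides) or verify owner and mode before tying, and say so at the declaration: `# cache of already-inspected files: entries here are skipped on later runs, so keep it out of shared temp dirs`. The initialisers `my $opt_init = undef;` and `my @opt_exclude = ();` can simply be `my $opt_init;` and `my @opt_exclude;` to match the surrounding style.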
@@ -57,12 +55,14 @@
sub get_id(;$);
MAIN: {
+ my ($w_time, $c_time);
+ my (@critical, @warning);
Getopt::Long::Configure('bundling');
GetOptions(
- "i|init" => \$opt_init,
- "h|help" => \$opt_help,
- "V|version" => \$opt_version,
+ "i|init" => \$opt_init,
+ "h|help" => sub { print_help(); exit $ERRORS{OK}; },
+ "V|version" => sub { print_revision($ME, $VERSION); exit $ERRORS{OK}; },
"b|binary=s" => \$opt_binary,
"d|directory=s" => \$opt_directory,
"w|warning=s" => \$opt_warning,
@@ -70,24 +70,22 @@
"s|signature" => \$opt_signature,
"e|exclude=s" => \@opt_exclude,
"d|debug" => \$opt_debug,
+ "cache=s" => \$opt_cache,
);
- print_revision($ME, $VERSION) and exit $ERRORS{"OK"} if $opt_version;
- print_help() and exit $ERRORS{"OK"} if $opt_help;
-
- tie(%known, DB_File => $hash_file, O_RDWR | O_CREAT, 0600)
- or die "Couldn't tie hash to file $hash_file: $!; aborting";
+ tie(%cache, DB_File => $opt_cache, O_RDWR | O_CREAT, 0600)
+ or die "Couldn't tie hash to file $opt_cache: $!; aborting";
# initiate file-data hash
- %known = () if $opt_init;
- @excluded{@opt_exclude} = ();
+ %cache = () if $opt_init;
+ @excluded{@opt_exclude} = ();
find({ wanted => \&process_file }, $opt_directory);
- exit;
+ exit;
# calculate the time
- # $w_time = time() + 4 * 7 * 86400;
+ # $w_time = time() + 4 * 7 * 86400;
$w_time = DateCalc("today", "+ $opt_warning");
$c_time = DateCalc("today", "+ $opt_critical");
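Review bot: The bare `exit;` kept right after the `find(...)` call returns before the thresholds are computed, so the two DateCalc lines and everything after them in MAIN (which continues outside this hunk) are unreachable and the plugin exits 0/OK regardless of what process_file collected; drop that line or tie it to a debug option, and add `# fall through to reporting below` in its place so the intent is clear. The option table also binds `"d|debug"` while `"d|directory=s"` is already bound a few lines above this hunk, so the short option -d is specified twice; Getopt::Long reports duplicate specifications and which binding wins is version-dependent, so `"D|debug"` or a long-only `"debug"` avoids the ambiguity. `"s|signature"` takes no `=s`, so `-s md5WithRSAEncryption` as advertised in $USAGE sets `$opt_signature` to 1 and leaves the algorithm name as a stray argument; it should read `"s|signature=s" => \$opt_signature,`.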
@@ -143,7 +141,7 @@
exit $ERRORS{"OK"};
}
- untie %known;
+ untie %cache;
exit;
}
@@ -152,7 +150,7 @@
sub process_file() {
- return if exists $excluded{$File::Find::name};
+ return if exists $excluded{$File::Find::name};
return if not -f;
my $id = get_id();
@@ -162,99 +160,98 @@
my ($rc, $temp, $signature, $subject, $enddate);
# excluded files
- # @opt_exclude = split(/,/, join(',', @opt_exclude)) if @opt_exclude;
+ # @opt_exclude = split(/,/, join(',', @opt_exclude)) if @opt_exclude;
return
- if exists $known{$File::Find::name}
- and $known{$File::Find::name} eq $id;
+ if exists $cache{$File::Find::name}
+ and $cache{$File::Find::name} eq $id;
- #say $File::Find::name;
+ #say $File::Find::name;
# checking for pkcs12 certificates
- if (0) {
- my @cmd_pkcs12_current = @cmd_pkcs12;
- push @cmd_pkcs12_current, "-in", $File::Find::name, "2>/dev/null";
- my $cid = open(FILE, "@cmd_pkcs12_current |") || die "Can't fork: $!";
+ if (0) {
+ my @cmd_pkcs12_current = @cmd_pkcs12;
+ push @cmd_pkcs12_current, "-in", $File::Find::name, "2>/dev/null";
+ my $cid = open(FILE, "@cmd_pkcs12_current |") || die "Can't fork: $!";
+
+ while (<FILE>) {
+ /^$cid:error:.*/ and last;
+ $temp .= $_;
+ }
+ close(FILE);
- while (<FILE>) {
- /^$cid:error:.*/ and last;
- $temp .= $_;
+ if ($temp) {
+ local (*READ, *WRITE);
+ my $cid = open2(\*READ, \*WRITE, @cmd_pipe)
+ or die "Can't fork: $!\n";
+ print WRITE $temp;
+ close(WRITE);
+ while (<READ>) {
+ /Signature\sAlgorithm:\s(.*)\s+$/ and $signature = $1;
+ /^subject=\s+(.*)\s+$/ and $subject = $1;
+ /^notAfter=(.*)\s+$/ and $enddate = $1;
+ }
+ close(READ);
+
+ # waiting for child processes
+ do {
+ $cid = waitpid(-1, WNOHANG);
+ } while $cid > 0;
+
+ $is_certificate = 1;
+ push(
+ @{ $certs{$File::Find::name} },
+ ($subject, $enddate, $signature)
+ );
+
+ $cache{$File::Find::name} = $id if not($is_certificate);
+ return;
+ }
}
+
+ open(FILE, $_) or die "can't open $File::Find::name: $!";
+ my $file = join "", <FILE>;
close(FILE);
- if ($temp) {
+ while ($file =~ /^(-+BEGIN CERTIFICATE.*?-+END CERTIFICATE-+)$/msg) {
+
+ # open filehandles (for read and write)
local (*READ, *WRITE);
- my $cid = open2(\*READ, \*WRITE, @cmd_pipe)
- or die "Can't fork: $!\n";
- print WRITE $temp;
+ my $cid = open2(\*READ, \*WRITE, @cmd_x509)
+ or die "Can' fork: $!\n";
+ print WRITE $1;
close(WRITE);
+
while (<READ>) {
/Signature\sAlgorithm:\s(.*)\s+$/ and $signature = $1;
- /^subject=\s+(.*)\s+$/ and $subject = $1;
+ /^subject=\s+(.*)$/ and $subject = $1;
/^notAfter=(.*)\s+$/ and $enddate = $1;
}
close(READ);
- # waiting for child processes
- do {
- $cid = waitpid(-1, WNOHANG);
- } while $cid > 0;
+ waitpid($cid, 0) < 0 and die "no child with pid $cid\n";
+
+ if ($opt_debug) {
+ print "-----\n";
+ print "$File::Find::name\n";
+ print "Signature Algorithm: $signature\n" if ($signature);
+ print "subject: $subject\n" if ($subject);
+ print "enddate: $enddate\n" if ($enddate);
+ }
+
+ push(@{ $certs{$File::Find::name} }, ($subject, $enddate, $signature));
$is_certificate = 1;
- push(@{ $certs{$File::Find::name} }, ($subject, $enddate, $signature));
+ }
- $known{$File::Find::name} = $id if not($is_certificate);
- return;
- }
+ $cache{$File::Find::name} = $id if not($is_certificate);
}
- open(FILE, $_) or die "can't open $File::Find::name: $!";
- my $file = join "", <FILE>;
- close(FILE);
-
- while ($file =~ /^(-+BEGIN CERTIFICATE.*?-+END CERTIFICATE-+)$/msg) {
-
- # open filehandles (for read and write)
- local (*READ, *WRITE);
- my $cid = open2(\*READ, \*WRITE, @cmd_x509)
- or die "Can' fork: $!\n";
- print WRITE $1;
- close(WRITE);
-
- while (<READ>) {
- /Signature\sAlgorithm:\s(.*)\s+$/ and $signature = $1;
- /^subject=\s+(.*)$/ and $subject = $1;
- /^notAfter=(.*)\s+$/ and $enddate = $1;
- }
- close(READ);
-
- waitpid($cid, 0) < 0 and die "no child with pid $cid\n";
-
- if ($opt_debug) {
- print "-----\n";
- print "$File::Find::name\n";
- print "Signature Algorithm: $signature\n" if ($signature);
- print "subject: $subject\n" if ($subject);
- print "enddate: $enddate\n" if ($enddate);
- }
-
- push(
- @{ $certs{$File::Find::name} },
- ($subject, $enddate, $signature)
- );
-
- $is_certificate = 1;
- }
-
- $known{$File::Find::name} = $id if not($is_certificate);
-}
-
-
-sub print_usage() { print $USAGE };
+sub print_usage() { print $USAGE }
sub print_help() {
print_revision($ME, $VERSION);
-print <<EOF;
+ print <<EOF;
Copyright (c) 2009 Christian Arnold
This plugin checks the expire date for openssl certificates.
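Review bot: The `open(FILE, $_)` introduced in place of the pkcs12 branch uses the two-argument form on a name taken straight from the directory walk, so a file name beginning with `<`, `>` or `|`, or ending with `|`, is interpreted as a mode or a pipe command instead of being opened for reading; since this runs recursively over $opt_directory (/etc by default), use the three-argument form with a lexical handle: `open(my $fh, '<', $_) or die "can't open $File::Find::name: $!";` then `my $file = do { local $/; <$fh> };` and `close($fh);`. The `if (0)` pkcs12 block is still carried along as dead code and, if it is ever enabled, its `open(FILE, "@cmd_pkcs12_current |")` would hand the file name to a shell; either finish it with the list-form `open2` the x509 path already uses or remove it. `$signature`, `$subject` and `$enddate` are declared once per call but reused across the `while` over several PEM blocks, so a certificate whose openssl output lacks one of the fields silently inherits the previous block's value; reset them at the top of the loop body. process_file begins outside this hunk, and `$is_certificate` is assigned here but not declared in the visible lines.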
@@ -263,9 +260,12 @@
-b, --binary <binary>
Path of openssl binary (default: /usr/bin/openssl)
-d, --directory <path>
+
+ … --cache=s db file where the known files are stored
EOF
-print "Absolute directory path in which will be recursively search for certificate files (default: /etc).\n";
+ print
+"Absolute directory path in which will be recursively search for certificate files (default: /etc).\n";
print " -w, --warning <time>\n";
print
" Certificat should not be more than this time older (default: 1month).\n";
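Review bot: The new `--cache` help entry is inserted between the `-d, --directory <path>` line and the `print "Absolute directory path ..."` that is its description, so the rendered help shows the cache option with the directory description beneath it; move the two added heredoc lines after the `-d` description (or fold that trailing `print` into the heredoc so the order is visible in one place). The entry also opens with a literal `…` instead of the option's spelling, and `--cache=s` is Getopt notation rather than the `<path>` style the other options use; `--cache <file>` followed by `DB file in which already-checked files are recorded (default: /var/tmp/<plugin>.known.db)` would match the rest of the table. print_help continues past the end of this hunk.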