check_cert.pl
changeset 2 b4dbae8f141c
parent 1 8c08150c2371
child 3 50f5a78ba6fa
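--- a/check_cert.pl
+++ b/check_cert.pl
@@ -13,25 +13,27 @@
 
 sub print_help();
 sub print_usage();
 
 my $ME = basename $0;
-my ($opt_w, $opt_c, $opt_V, $opt_h, $opt_b, @opt_certfiles);
+my ($opt_w, $opt_c, $opt_V, $opt_h, $opt_b, $opt_s, @opt_certfiles);
 my ($w_time, $c_time, $result, $message, %certs);
 my (@critical, @warning);
 
 $opt_w = "1month";
 $opt_c = "1week";
 $opt_b = "/usr/bin/openssl";
+$opt_s = "md5WithRSAEncryption";
 
 Getopt::Long::Configure('bundling');
 GetOptions(
     "V"   => \$opt_V, "version"    => \$opt_V,
     "h"   => \$opt_h, "help"       => \$opt_h,
     "b=s" => \$opt_b, "binary"     => \$opt_b,
     "w=s" => \$opt_w, "warning=s"  => \$opt_w,
     "c=s" => \$opt_c, "critical=s" => \$opt_c,
+    "s=s" => \$opt_s, "signature=s" => \$opt_s,
     "f=s" => \@opt_certfiles, "certfile=s" => \@opt_certfiles);
 
 if ($opt_V) {
     print_revision($ME, "0.1");
     exit $ERRORS{"OK"};
@@ -59,22 +61,24 @@
 foreach my $file (@opt_certfiles) {
     unless (-r $file) {
 	print "CERT CRITICAL: $file - not exists or not read permission is granted\n";
 	exit $ERRORS{"CRITICAL"};
     }
-    my @cmd_x509 = ($opt_b, "x509", "-in", $file, "-noout", "-subject", "-enddate");
+    my $no_print = "no_header,no_version,no_serial,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_extensions";
+    my @cmd_x509 = ($opt_b, "x509", "-in", $file, "-noout", "-text", "-certopt", $no_print, "-subject", "-enddate");
     my @cmd_pkcs12 = ($opt_b, "pkcs12", "-in", $file, "-clcerts", "-nokeys", "-nomacver", "-passin", "pass:");
-    my @cmd_pipe = ($opt_b, "x509", "-noout", "-subject", "-enddate");
-    my ($temp, $cn, $enddate, $rc);
+    my @cmd_pipe = ($opt_b, "x509", "-noout", "-text", "-certopt", $no_print, "-subject", "-enddate");
+    my ($temp, $sig, $cn, $enddate, $rc);
     open(CERT, "-|") or do {
 	open(STDERR, ">&STDOUT");
 	exec(@cmd_x509);
     };
 
     # check x509 certificates
     while(<CERT>) {
 	/unable to load certificate/ and $rc = 1 and last;
+	/Signature\sAlgorithm:\s($opt_s)\s+$/ and $sig = $1;
 	/^subject=\s.*CN=(.*)\s+$/ and $cn = $1;
 	/^notAfter=(.*)\s+$/ and $enddate = $1;
     }
     close(CERT);
 
@@ -92,17 +96,18 @@
 	print WRITE $temp;
 	close(WRITE);
 
 	while(<READ>) {
 	    /unable to load certificate/ and print "CERT CRITICAL: unable to load certificate\n" and exit $ERRORS{"CRITICAL"};
+	    /Signature\sAlgorithm:\s($opt_s)\s+$/ and $sig = $1;
 	    /^subject=\s.*CN=(.*)\s+$/ and $cn = $1;
 	    /^notAfter=(.*)\s+$/ and $enddate = $1;
 	}
 	close(READ);
     }
     # fill the hash
-    push ( @{$certs{$file}}, ($cn, $enddate) );
+    push ( @{$certs{$file}}, ($cn, $enddate, $sig) );
 }
 
 # calculate the time
 $w_time = DateCalc("today", "+ $opt_w");
 $c_time = DateCalc("today", "+ $opt_c");
@@ -122,13 +127,19 @@
     push (@{$certs{$_}}, "CRITICAL");
 }
 
 # looking for stats
 foreach (sort keys %certs) {
-    if (@{$certs{$_}}[2] eq "WARNING") {
+    if (@{$certs{$_}}[2]) {
+        if (@{$certs{$_}}[2] eq "$opt_s") {
+            push (@critical, "file: $_, CN=@{$certs{$_}}[0] Signature Algorithm: @{$certs{$_}}[2]");
+        }
+    }
+
+    if (@{$certs{$_}}[3] eq "WARNING") {
 	push (@warning, "file: $_, CN=@{$certs{$_}}[0] expires @{$certs{$_}}[1]");
-    } elsif (@{$certs{$_}}[2] eq "CRITICAL") {
+    } elsif (@{$certs{$_}}[3] eq "CRITICAL") {
 	push (@critical, "file: $_, CN=@{$certs{$_}}[0] expires @{$certs{$_}}[1]");
     }
 }
 
 # return the state
@@ -143,11 +154,11 @@
     exit $ERRORS{"OK"};
 }
 
 sub print_usage() {
     print "Usage:\n";
-    print "  $ME [-b <binary>] [-w <time>] [-c <time>] [-f <file,file,file,...>]\n";
+    print "  $ME [-b <binary>] [-w <time>] [-c <time>] [-s <signature algorithm>] [-f <file,file,file,...>]\n";
     print "  $ME [-h | --help]\n";
     print "  $ME [-V | --version]\n";
 }
 
 sub print_help() {
@@ -162,10 +173,12 @@
     print "     Certificat should not be more than this time older (default: 1month)\n";
     print "     For time can be used year, month, day, hour, minute, second and weeks.\n";
     print "  -c, --critical <time>\n";
     print "     Certificat should not be more than this time older (default: 1week)\n";
     print "     For time can be used year, month, day, hour, minute, second and weeks.\n";
+    print "  -s, --signature <signature algorithm>\n";
+    print "     Return CRITICAL stauts if <signature algorithm> is used.\n";
     print "  -f, --certfile <file,file,file, ...>\n";
     print "     Absolute path of x509 or pkcs12 openssl certificate files, use comma-separated lists for multiple files.\n";
     print "  -h, --help\n";
     print "     Print detailed help screen\n";
     print "  -V, --version\n";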