From 3e63ce3c71620433dc135959b2743aa010b28fe1 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 17 May 2016 12:52:57 +0200 Subject: update submodules so "rake test" doesnt complain anymore --- puppet/modules/nagios | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/nagios/files/plugins/check_gpg') diff --git a/puppet/modules/nagios b/puppet/modules/nagios index 68dab01a..e6fee3c7 160000 --- a/puppet/modules/nagios +++ b/puppet/modules/nagios @@ -1 +1 @@ -Subproject commit 68dab01a85996e14efcccf856b623a2caf257823 +Subproject commit e6fee3c731f68ccf8b6add8ada2162c7ad2b8407 -- cgit v1.2.3 From 7ce3190986cf8e5fe037a7ccd4c1076505b117f4 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 12 Jul 2016 16:41:59 -0400 Subject: remove submodules in preparation for move to subrepos Change-Id: Ia7655153b556337f676e3d909559c4a7306bedd6 --- puppet/modules/nagios | 1 - 1 file changed, 1 deletion(-) delete mode 160000 puppet/modules/nagios (limited to 'puppet/modules/nagios/files/plugins/check_gpg') diff --git a/puppet/modules/nagios b/puppet/modules/nagios deleted file mode 160000 index e6fee3c7..00000000 --- a/puppet/modules/nagios +++ /dev/null @@ -1 +0,0 @@ -Subproject commit e6fee3c731f68ccf8b6add8ada2162c7ad2b8407 -- cgit v1.2.3 From 26aac7ccf240b06d65616bdd00ae472d980aaea9 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 12 Jul 2016 16:46:11 -0400 Subject: git subrepo clone https://leap.se/git/puppet_nagios puppet/modules/nagios subrepo: subdir: "puppet/modules/nagios" merged: "e6fee3c" upstream: origin: "https://leap.se/git/puppet_nagios" branch: "master" commit: "e6fee3c" git-subrepo: version: "0.3.0" origin: "https://github.com/ingydotnet/git-subrepo" commit: "1e79595" Change-Id: Ib7105f359ea2c3ae6490bff4fcecbede2511eaf0 --- puppet/modules/nagios/files/plugins/check_gpg | 115 ++++++++++++++++++++++++++ 1 file changed, 115 insertions(+) create mode 100644 puppet/modules/nagios/files/plugins/check_gpg (limited to 'puppet/modules/nagios/files/plugins/check_gpg') diff --git a/puppet/modules/nagios/files/plugins/check_gpg b/puppet/modules/nagios/files/plugins/check_gpg new file mode 100644 index 00000000..eb9fa51f --- /dev/null +++ b/puppet/modules/nagios/files/plugins/check_gpg @@ -0,0 +1,115 @@ +#!/bin/bash +# +# Nagios plugin that checks whether a key ID has expired, or will expire within +# a certain time. +# +# note: the plugin will issue a critical state if the required key has been +# revoked. +# +# usage: check_gpg [-w ] [--gnupg-homedir ] +# +# is any PGP key ID that GnuPG accepts with "gpg --list-key " +# +# The option -w parameter lets you specify the number of days within which key +# expiry will trigger a warning. e.g. if expires within +# days, make nagios issue a warning. +# +# num_days must be an integer value +# +# optionally, if the keyring directory you want GPG to use is not located in +# the user's ~/.gnupg, you can specify the path to the keyring directory with +# the --gnupg-homedir parameter. +# +# Thanks a bunch to Daniel Kahn Gillmor for providing example commands that +# made up most of the core of this plugin. +# +# Copyleft Gabriel Filion +# +# This plugin is released under the GPL v3+ license. To get a copy of the +# license text visit: https://www.gnu.org/licenses/gpl-3.0.txt +# +SECS_IN_DAY=86400 + +function debug () { + if [ -n "$DEBUG" ]; then + echo "$1" >&2 + fi +} + +debug "got args: $*" + +now=$(date +%s) +debug "current timestamp: $now" + +warning_threshold= +homedir= +homedir_path=~/.gnupg +for arg in $*; do + case $arg in + "-w") + if [ -z "$2" ]; then + echo "UNKNOWN: argument -w got no value. integer needed" + exit 3 + fi + if [ "`echo $2 | egrep ^[[:digit:]]+$`" = "" ]; then + echo "UNKNOWN: invalid value '$2' passed to -w. integer needed" + exit 3 + fi + warning_threshold=$(( $now + ($2*$SECS_IN_DAY) )) + debug "setting warning_threshold to '$warning_threshold'" + + shift 2 + ;; + "--gnupg-homedir") + if [ -z "$2" ]; then + echo "UNKNOWN: argument --gnupg-homedir got no value. path needed" + exit 3 + fi + if [ ! -d "$2" ]; then + echo "UNKNOWN: homedir '$2' does not exist or is not a directory" + exit 3 + fi + homedir_path=$2 + homedir="--homedir ${homedir_path}" + debug "setting homedir to '$homedir_path'" + + shift 2 + ;; + esac +done + +if [ -z "$1" ]; then + echo "UNKNOWN: must provide a key ID" + exit 3 +fi +key="$1" + +# GPG is too stupid to error out when asked to refresh a key that's not in the +# local keyring so we need to perform another call to verify this first. +output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options ca-cert-file=$homedir_path/sks-keyservers.netCA.pem "$key" >/dev/null; } 2>&1 ) +if [ $? -ne 0 ]; then + echo "UNKNOWN: $output" + exit 3 +fi + +if [ "$(gpg $homedir --check-sig "$key" | grep "^rev!")" != "" ]; then + echo "CRITICAL: key '$key' has been revoked!" + exit 1 +fi + +for expiry in $(gpg $homedir --with-colons --fixed-list-mode --list-key "$key" 2>/dev/null | awk -F: '/^pub:/{ print $7 }'); +do + debug "expiry value: $expiry" + + if [ "$now" -gt "$expiry" ] ; then + printf "CRITICAL: %s has expired on %s\n" "$key" "$(date -d "$expiry seconds")"; + exit 1; + fi; + if [ -n "$warning_threshold" ] && [ "$warning_threshold" -gt "$expiry" ]; then + remaining=$(( ($expiry-$now) / $SECS_IN_DAY )) + printf "WARNING: %s expires in %s days\n" "$key" "$remaining"; + exit 2; + fi +done + +echo "OK: key '$key' has not expired." -- cgit v1.2.3