blob: eb9fa51fbbc5cf6e9998dec2c6926ec5e49673db (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
|
#!/bin/bash
#
# Nagios plugin that checks whether a key ID has expired, or will expire within
# a certain time.
#
# note: the plugin will issue a critical state if the required key has been
# revoked.
#
# usage: check_gpg [-w <num_days>] [--gnupg-homedir <path>] <key_id>
#
# <key_id> is any PGP key ID that GnuPG accepts with "gpg --list-key <key_id>"
#
# The option -w parameter lets you specify the number of days within which key
# expiry will trigger a warning. e.g. if <key_id> expires within <num_days>
# days, make nagios issue a warning.
#
# num_days must be an integer value
#
# optionally, if the keyring directory you want GPG to use is not located in
# the user's ~/.gnupg, you can specify the path to the keyring directory with
# the --gnupg-homedir parameter.
#
# Thanks a bunch to Daniel Kahn Gillmor for providing example commands that
# made up most of the core of this plugin.
#
# Copyleft Gabriel Filion
#
# This plugin is released under the GPL v3+ license. To get a copy of the
# license text visit: https://www.gnu.org/licenses/gpl-3.0.txt
#
SECS_IN_DAY=86400
function debug () {
if [ -n "$DEBUG" ]; then
echo "$1" >&2
fi
}
debug "got args: $*"
now=$(date +%s)
debug "current timestamp: $now"
warning_threshold=
homedir=
homedir_path=~/.gnupg
for arg in $*; do
case $arg in
"-w")
if [ -z "$2" ]; then
echo "UNKNOWN: argument -w got no value. integer needed"
exit 3
fi
if [ "`echo $2 | egrep ^[[:digit:]]+$`" = "" ]; then
echo "UNKNOWN: invalid value '$2' passed to -w. integer needed"
exit 3
fi
warning_threshold=$(( $now + ($2*$SECS_IN_DAY) ))
debug "setting warning_threshold to '$warning_threshold'"
shift 2
;;
"--gnupg-homedir")
if [ -z "$2" ]; then
echo "UNKNOWN: argument --gnupg-homedir got no value. path needed"
exit 3
fi
if [ ! -d "$2" ]; then
echo "UNKNOWN: homedir '$2' does not exist or is not a directory"
exit 3
fi
homedir_path=$2
homedir="--homedir ${homedir_path}"
debug "setting homedir to '$homedir_path'"
shift 2
;;
esac
done
if [ -z "$1" ]; then
echo "UNKNOWN: must provide a key ID"
exit 3
fi
key="$1"
# GPG is too stupid to error out when asked to refresh a key that's not in the
# local keyring so we need to perform another call to verify this first.
output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options ca-cert-file=$homedir_path/sks-keyservers.netCA.pem "$key" >/dev/null; } 2>&1 )
if [ $? -ne 0 ]; then
echo "UNKNOWN: $output"
exit 3
fi
if [ "$(gpg $homedir --check-sig "$key" | grep "^rev!")" != "" ]; then
echo "CRITICAL: key '$key' has been revoked!"
exit 1
fi
for expiry in $(gpg $homedir --with-colons --fixed-list-mode --list-key "$key" 2>/dev/null | awk -F: '/^pub:/{ print $7 }');
do
debug "expiry value: $expiry"
if [ "$now" -gt "$expiry" ] ; then
printf "CRITICAL: %s has expired on %s\n" "$key" "$(date -d "$expiry seconds")";
exit 1;
fi;
if [ -n "$warning_threshold" ] && [ "$warning_threshold" -gt "$expiry" ]; then
remaining=$(( ($expiry-$now) / $SECS_IN_DAY ))
printf "WARNING: %s expires in %s days\n" "$key" "$remaining";
exit 2;
fi
done
echo "OK: key '$key' has not expired."
|
