Merge remote-tracking branch 'shared/master' into leap_master

8 files changed, 462 insertions, 18 deletions

diff --git a/files/configs/CentOS/nagios.cfg b/files/configs/CentOS/nagios.cfg
index 1354bf8..b88e3db 100644
--- a/files/configs/CentOS/nagios.cfg
+++ b/files/configs/CentOS/nagios.cfg
@@ -31,9 +31,22 @@ log_file=/var/log/nagios/nagios.log
 # separate from host and contact definitions...
 
 # Puppet-managed configuration files
-cfg_dir=/etc/nagios/conf.d
-
-
+cfg_file=/etc/nagios/nagios_templates.cfg
+cfg_file=/etc/nagios/nagios_command.cfg
+cfg_file=/etc/nagios/nagios_contact.cfg
+cfg_file=/etc/nagios/nagios_contactgroup.cfg
+cfg_file=/etc/nagios/nagios_host.cfg
+cfg_file=/etc/nagios/nagios_hostdependency.cfg
+cfg_file=/etc/nagios/nagios_hostescalation.cfg
+cfg_file=/etc/nagios/nagios_hostextinfo.cfg
+cfg_file=/etc/nagios/nagios_hostgroup.cfg
+cfg_file=/etc/nagios/nagios_hostgroupescalation.cfg
+cfg_file=/etc/nagios/nagios_service.cfg
+cfg_file=/etc/nagios/nagios_servicedependency.cfg
+cfg_file=/etc/nagios/nagios_serviceescalation.cfg
+cfg_file=/etc/nagios/nagios_serviceextinfo.cfg
+cfg_file=/etc/nagios/nagios_servicegroup.cfg
+cfg_file=/etc/nagios/nagios_timeperiod.cfg
 
 # OBJECT CACHE FILE
 # This option determines where object definitions are cached when
diff --git a/files/configs/Debian/nagios.cfg b/files/configs/Debian/nagios.cfg
index 68e03bb..291a474 100644
--- a/files/configs/Debian/nagios.cfg
+++ b/files/configs/Debian/nagios.cfg
@@ -23,7 +23,22 @@ log_file=/var/log/nagios3/nagios.log
 #cfg_file=/etc/nagios3/commands.cfg
 
 # Puppet-managed configuration files
-cfg_dir=/etc/nagios3/conf.d
+cfg_file=/etc/nagios3/nagios_templates.cfg
+cfg_file=/etc/nagios3/nagios_command.cfg
+cfg_file=/etc/nagios3/nagios_contact.cfg
+cfg_file=/etc/nagios3/nagios_contactgroup.cfg
+cfg_file=/etc/nagios3/nagios_host.cfg
+cfg_file=/etc/nagios3/nagios_hostdependency.cfg
+cfg_file=/etc/nagios3/nagios_hostescalation.cfg
+cfg_file=/etc/nagios3/nagios_hostextinfo.cfg
+cfg_file=/etc/nagios3/nagios_hostgroup.cfg
+cfg_file=/etc/nagios3/nagios_hostgroupescalation.cfg
+cfg_file=/etc/nagios3/nagios_service.cfg
+cfg_file=/etc/nagios3/nagios_servicedependency.cfg
+cfg_file=/etc/nagios3/nagios_serviceescalation.cfg
+cfg_file=/etc/nagios3/nagios_serviceextinfo.cfg
+cfg_file=/etc/nagios3/nagios_servicegroup.cfg
+cfg_file=/etc/nagios3/nagios_timeperiod.cfg
 
 # Debian also defaults to using the check commands defined by the debian
 # nagios-plugins package
diff --git a/files/configs/apache2.conf b/files/configs/apache2.conf
index 14bb38b..f0f8b2f 100644
--- a/files/configs/apache2.conf
+++ b/files/configs/apache2.conf
@@ -1,8 +1,8 @@
 # apache configuration for nagios 3.x
 # note to users of nagios 1.x and 2.x:
-#   throughout this file are commented out sections which preserve
-#   backwards compatibility with bookmarks/config for older nagios versios.
-#   simply look for lines following "nagios 1.x:" and "nagios 2.x" comments.
+#	throughout this file are commented out sections which preserve
+#	backwards compatibility with bookmarks/config for older nagios versios.
+#	simply look for lines following "nagios 1.x:" and "nagios 2.x" comments.
 
 ScriptAlias /cgi-bin/nagios3 /usr/lib/cgi-bin/nagios3
 ScriptAlias /nagios3/cgi-bin /usr/lib/cgi-bin/nagios3
@@ -28,22 +28,34 @@ Alias /nagios3 /usr/share/nagios3/htdocs
 #Alias /nagios /usr/share/nagios3/htdocs
 
 <DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets)>
-    Options FollowSymLinks
+	Options FollowSymLinks
 
-    DirectoryIndex index.php index.html
+	DirectoryIndex index.php index.html
 
-    AllowOverride AuthConfig
-    Order Allow,Deny
-    Allow From All
+	AllowOverride AuthConfig
 
-    AuthName "Nagios Access"
-    AuthType Basic
-    AuthUserFile /etc/nagios3/htpasswd.users
-    # nagios 1.x:
-    #AuthUserFile /etc/nagios/htpasswd.users
-    require valid-user
+
+    <IfVersion < 2.3>
+        Order Allow,Deny
+        Allow From All
+    </IfVersion>
+
+    <IfVersion >= 2.3>
+        Require all denied
+    </IfVersion>
+
+	AuthName "Nagios Access"
+	AuthType Basic
+	AuthUserFile /etc/nagios3/htpasswd.users
+	# nagios 1.x:
+	#AuthUserFile /etc/nagios/htpasswd.users
+	require valid-user
 </DirectoryMatch>
 
+<Directory /usr/share/nagios3/htdocs>
+	Options	+ExecCGI	
+</Directory>
+
 # Enable this ScriptAlias if you want to enable the grouplist patch.
 # See http://apan.sourceforge.net/download.html for more info
 # It allows you to see a clickable list of all hostgroups in the
diff --git a/files/plugin_data/sks-keyservers.netCA.pem b/files/plugin_data/sks-keyservers.netCA.pem
new file mode 100644
index 0000000..24a2ad2
--- /dev/null
+++ b/files/plugin_data/sks-keyservers.netCA.pem
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFizCCA3OgAwIBAgIJAK9zyLTPn4CPMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV
+BAYTAk5PMQ0wCwYDVQQIDARPc2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5u
+ZXQgQ0ExHjAcBgNVBAMMFXNrcy1rZXlzZXJ2ZXJzLm5ldCBDQTAeFw0xMjEwMDkw
+MDMzMzdaFw0yMjEwMDcwMDMzMzdaMFwxCzAJBgNVBAYTAk5PMQ0wCwYDVQQIDARP
+c2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5uZXQgQ0ExHjAcBgNVBAMMFXNr
+cy1rZXlzZXJ2ZXJzLm5ldCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
+ggIBANdsWy4PXWNUCkS3L//nrd0GqN3dVwoBGZ6w94Tw2jPDPifegwxQozFXkG6I
+6A4TK1CJLXPvfz0UP0aBYyPmTNadDinaB9T4jIwd4rnxl+59GiEmqkN3IfPsv5Jj
+MkKUmJnvOT0DEVlEaO1UZIwx5WpfprB3mR81/qm4XkAgmYrmgnLXd/pJDAMk7y1F
+45b5zWofiD5l677lplcIPRbFhpJ6kDTODXh/XEdtF71EAeaOdEGOvyGDmCO0GWqS
+FDkMMPTlieLA/0rgFTcz4xwUYj/cD5e0ZBuSkYsYFAU3hd1cGfBue0cPZaQH2HYx
+Qk4zXD8S3F4690fRhr+tki5gyG6JDR67aKp3BIGLqm7f45WkX1hYp+YXywmEziM4
+aSbGYhx8hoFGfq9UcfPEvp2aoc8u5sdqjDslhyUzM1v3m3ZGbhwEOnVjljY6JJLx
+MxagxnZZSAY424ZZ3t71E/Mn27dm2w+xFRuoy8JEjv1d+BT3eChM5KaNwrj0IO/y
+u8kFIgWYA1vZ/15qMT+tyJTfyrNVV/7Df7TNeWyNqjJ5rBmt0M6NpHG7CrUSkBy9
+p8JhimgjP5r0FlEkgg+lyD+V79H98gQfVgP3pbJICz0SpBQf2F/2tyS4rLm+49rP
+fcOajiXEuyhpcmzgusAj/1FjrtlynH1r9mnNaX4e+rLWzvU5AgMBAAGjUDBOMB0G
+A1UdDgQWBBTkwyoJFGfYTVISTpM8E+igjdq28zAfBgNVHSMEGDAWgBTkwyoJFGfY
+TVISTpM8E+igjdq28zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQAR
+OXnYwu3g1ZjHyley3fZI5aLPsaE17cOImVTehC8DcIphm2HOMR/hYTTL+V0G4P+u
+gH+6xeRLKSHMHZTtSBIa6GDL03434y9CBuwGvAFCMU2GV8w92/Z7apkAhdLToZA/
+X/iWP2jeaVJhxgEcH8uPrnSlqoPBcKC9PrgUzQYfSZJkLmB+3jEa3HKruy1abJP5
+gAdQvwvcPpvYRnIzUc9fZODsVmlHVFBCl2dlu/iHh2h4GmL4Da2rRkUMlbVTdioB
+UYIvMycdOkpH5wJftzw7cpjsudGas0PARDXCFfGyKhwBRFY7Xp7lbjtU5Rz0Gc04
+lPrhDf0pFE98Aw4jJRpFeWMjpXUEaG1cq7D641RpgcMfPFvOHY47rvDTS7XJOaUT
+BwRjmDt896s6vMDcaG/uXJbQjuzmmx3W2Idyh3s5SI0GTHb0IwMKYb4eBUIpQOnB
+cE77VnCYqKvN1NVYAqhWjXbY7XasZvszCRcOG+W3FqNaHOK/n/0ueb0uijdLan+U
+f4p1bjbAox8eAOQS/8a3bzkJzdyBNUKGx1BIK2IBL9bn/HravSDOiNRSnZ/R3l9G
+ZauX0tu7IIDlRCILXSyeazu0aj/vdT3YFQXPcvt5Fkf5wiNTo53f72/jYEJd6qph
+WrpoKqrwGwTpRUCMhYIUt65hsTxCiJJ5nKe39h46sg==
+-----END CERTIFICATE-----
diff --git a/files/plugins/check_gpg b/files/plugins/check_gpg
new file mode 100644
index 0000000..eb9fa51
--- /dev/null
+++ b/files/plugins/check_gpg
@@ -0,0 +1,115 @@
+#!/bin/bash
+#
+# Nagios plugin that checks whether a key ID has expired, or will expire within
+# a certain time.
+#
+# note: the plugin will issue a critical state if the required key has been
+# revoked.
+#
+# usage: check_gpg [-w <num_days>] [--gnupg-homedir <path>] <key_id>
+#
+# <key_id> is any PGP key ID that GnuPG accepts with "gpg --list-key <key_id>"
+#
+# The option -w parameter lets you specify the number of days within which key
+# expiry will trigger a warning. e.g. if <key_id> expires within <num_days>
+# days, make nagios issue a warning.
+#
+# num_days must be an integer value
+#
+# optionally, if the keyring directory you want GPG to use is not located in
+# the user's ~/.gnupg, you can specify the path to the keyring directory with
+# the --gnupg-homedir parameter.
+#
+# Thanks a bunch to Daniel Kahn Gillmor for providing example commands that
+# made up most of the core of this plugin.
+#
+# Copyleft Gabriel Filion
+#
+# This plugin is released under the GPL v3+ license. To get a copy of the
+# license text visit: https://www.gnu.org/licenses/gpl-3.0.txt
+#
+SECS_IN_DAY=86400
+
+function debug () {
+  if [ -n "$DEBUG" ]; then
+      echo "$1" >&2
+  fi
+}
+
+debug "got args: $*"
+
+now=$(date +%s)
+debug "current timestamp: $now"
+
+warning_threshold=
+homedir=
+homedir_path=~/.gnupg
+for arg in $*; do
+    case $arg in
+        "-w")
+            if [ -z "$2" ]; then
+                echo "UNKNOWN: argument -w got no value. integer needed"
+                exit 3
+            fi
+            if [ "`echo $2 | egrep ^[[:digit:]]+$`" = "" ]; then
+                echo "UNKNOWN: invalid value '$2' passed to -w. integer needed"
+                exit 3
+            fi
+            warning_threshold=$(( $now + ($2*$SECS_IN_DAY) ))
+            debug "setting warning_threshold to '$warning_threshold'"
+
+            shift 2
+        ;;
+        "--gnupg-homedir")
+            if [ -z "$2" ]; then
+                echo "UNKNOWN: argument --gnupg-homedir got no value. path needed"
+                exit 3
+            fi
+            if [ ! -d "$2" ]; then
+                echo "UNKNOWN: homedir '$2' does not exist or is not a directory"
+                exit 3
+            fi
+            homedir_path=$2
+            homedir="--homedir ${homedir_path}"
+            debug "setting homedir to '$homedir_path'"
+
+            shift 2
+        ;;
+    esac
+done
+
+if [ -z "$1" ]; then
+    echo "UNKNOWN: must provide a key ID"
+    exit 3
+fi
+key="$1"
+
+# GPG is too stupid to error out when asked to refresh a key that's not in the
+# local keyring so we need to perform another call to verify this first.
+output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options ca-cert-file=$homedir_path/sks-keyservers.netCA.pem "$key" >/dev/null; } 2>&1 )
+if [ $? -ne 0 ]; then
+    echo "UNKNOWN: $output"
+    exit 3
+fi
+
+if [ "$(gpg $homedir --check-sig "$key" | grep "^rev!")" != "" ]; then
+    echo "CRITICAL: key '$key' has been revoked!"
+    exit 1
+fi
+
+for expiry in $(gpg $homedir --with-colons --fixed-list-mode --list-key "$key" 2>/dev/null | awk -F: '/^pub:/{ print $7 }');
+do
+    debug "expiry value: $expiry"
+
+    if [ "$now" -gt "$expiry" ] ; then
+        printf "CRITICAL: %s has expired on %s\n" "$key" "$(date -d "$expiry seconds")";
+        exit 1;
+    fi;
+    if [ -n "$warning_threshold" ] && [ "$warning_threshold" -gt "$expiry" ]; then
+        remaining=$(( ($expiry-$now) / $SECS_IN_DAY ))
+        printf "WARNING: %s expires in %s days\n" "$key" "$remaining";
+        exit 2;
+    fi
+done
+
+echo "OK: key '$key' has not expired."
diff --git a/files/plugins/check_horde_login b/files/plugins/check_horde_login
new file mode 100644
index 0000000..8c821e4
--- /dev/null
+++ b/files/plugins/check_horde_login
@@ -0,0 +1,94 @@
+#!/bin/env python
+# vi:si:et:sw=4:sts=4:ts=4
+# -*- coding: UTF-8 -*-
+# -*- Mode: Python -*-
+#
+# Copyright (C) 2015 mh <mh@immerda.ch>
+
+# This file may be distributed and/or modified under the terms of
+# the GNU General Public License version 2 as published by
+# the Free Software Foundation.
+# This file is distributed without any warranty; without even the implied
+# warranty of merchantability or fitness for a particular purpose.
+#
+
+import sys, os, requests, getopt
+from time import time
+
+def usage():
+    print sys.argv[0] + " -u username "+ \
+                          "-p password " + \
+                          "-s server path" + \
+                          "[-w warning_in_s] " + \
+                          "[-c critical_in_s]"
+    sys.exit(1)
+
+def main():
+    try:
+        opts, args = getopt.getopt(sys.argv[1:], "u:p:s:h:w:c")
+    except getopt.GetoptError:
+        usage()
+        return 3
+
+    user = url = password = None
+    warning = 5
+    critical = 10
+
+    for o, a in opts:
+        if o == "-u":
+            user = a
+        elif o == "-p":
+            password = a
+        elif o == "-w":
+            warning = a
+        elif o == "-c":
+            critical = a
+        elif o == "-s":
+            url = a + "/login.php"
+        elif o == '-h':
+            usage()
+
+    if user == None or password == None or url == None:
+        usage()
+
+    params = { 'horde_user':         user,
+               'horde_pass':         password,
+               'horde_select_view':  'auto',
+               'anchor_string':      '',
+               'app':                '',
+               'login_post':         1,
+               'new_lang':           'en_US',
+               'url':                '',
+             }
+
+
+    timestamp = time()
+    try:
+      r = requests.post(url, data=params, allow_redirects=False)
+    except Exception, e:
+      print "CRITICAL Horde Login Failed: %s" % e
+      sys.exit(2)
+
+    timestamp = time() - timestamp
+    if r.status_code == 302:
+        if timestamp < warning:
+          status = "OK"
+          exitcode = 0
+        if timestamp >= warning:
+          status = "WARNING"
+          exitcode = 1
+        if timestamp >= critical:
+          status = "CRITICAL"
+          exitcode = 2
+    else:
+        status   = "ERROR"
+        exitcode = 2
+    # on a successfully login we are redirected to the mailbox
+    print '%s Horde Login | response_time=%.3fs;%.3f;%.3f' % (status, timestamp, warning, critical)
+    sys.exit(exitcode)
+
+
+if __name__ == "__main__":
+    sys.exit(main())
+
+
diff --git a/files/plugins/check_imap_login b/files/plugins/check_imap_login
new file mode 100644
index 0000000..d059822
--- /dev/null
+++ b/files/plugins/check_imap_login
@@ -0,0 +1,80 @@
+#!/usr/bin/python
+# -*- coding: UTF-8 -*-
+# -*- Mode: Python -*-
+#
+# Copyright (C) 2006 Bertera Pietro <pietro@bertera.it>
+# Response time monitoring with perfdata modification by Ivan Savcic <isavcic@gmail.com> and Milos Buncic, 2012.
+# From: https://github.com/isavcic/check_imap_login
+
+# This file may be distributed and/or modified under the terms of
+# the GNU General Public License version 2 as published by
+# the Free Software Foundation.
+# This file is distributed without any warranty; without even the implied
+# warranty of merchantability or fitness for a particular purpose.
+
+import sys, os, imaplib, getopt
+from time import time
+
+def usage():
+	print sys.argv[0] + " -u <user> -p <password> -H <host> [-s] -w <warning threshold (sec)> -c <critical threshold (sec)>\n -s is for using IMAPS"
+
+def main():
+	try:
+		opts, args = getopt.getopt(sys.argv[1:], "u:p:sH:w:c:")
+	except getopt.GetoptError:
+		usage()
+		return 3
+    
+	user = host = password = use_ssl = warning = critical = None
+
+	for o, a in opts:
+		if o == "-u":
+			user = a
+		elif o == "-p":
+			password = a
+		elif o == "-s":
+			use_ssl = True
+		elif o == "-H":
+			host = a
+		elif o == "-w":
+			warning = float(a)
+		elif o == "-c":
+			critical = float(a)
+
+	if user == None or password == None or host == None or warning == None or critical == None:
+		usage()
+		return 1
+    
+	if use_ssl:
+		M = imaplib.IMAP4_SSL(host=host)
+	else:
+		M = imaplib.IMAP4(host)
+    
+	timestamp = time()
+	
+	try:	
+		M.login(user, password)
+	except Exception, e:
+		print "CRITICAL IMAP Login Failed: %s" % e
+		return 2
+
+	M.logout()
+
+	timestamp = time() - timestamp
+
+	if timestamp < warning:
+		status = "OK"
+		exitcode = 0
+	if timestamp >= warning:
+		status = "WARNING"
+		exitcode = 1
+	if timestamp >= critical:
+		status = "CRITICAL"
+		exitcode = 2
+
+	print '%s IMAP Login | response_time=%.3fs;%.3f;%.3f' % (status, timestamp, warning, critical)
+
+	return exitcode
+
+if __name__ == "__main__":
+	sys.exit(main())
diff --git a/files/plugins/check_pop3_login b/files/plugins/check_pop3_login
new file mode 100644
index 0000000..4eb29b8
--- /dev/null
+++ b/files/plugins/check_pop3_login
@@ -0,0 +1,83 @@
+#!/usr/bin/python
+# -*- coding: UTF-8 -*-
+# -*- Mode: Python -*-
+#
+# Copyright (C) 2006 Bertera Pietro <pietro@bertera.it>
+# Copyright (C) 2015 mh <mh@immerda.ch>
+# Response time monitoring with perfdata modification by Ivan Savcic <isavcic@gmail.com> and Milos Buncic, 2012.
+# Derived from: https://github.com/isavcic/check_imap_login
+
+# This file may be distributed and/or modified under the terms of
+# the GNU General Public License version 2 as published by
+# the Free Software Foundation.
+# This file is distributed without any warranty; without even the implied
+# warranty of merchantability or fitness for a particular purpose.
+
+import sys, os, poplib, getopt
+from time import time
+
+def usage():
+  print sys.argv[0] + " -u <user> -p <password> -H <host> [-s] -w <warning threshold (sec)> -c <critical threshold (sec)>\n -s is for using POP3s"
+
+def main():
+  try:
+    opts, args = getopt.getopt(sys.argv[1:], "u:p:sH:w:c:")
+  except getopt.GetoptError:
+    usage()
+    return 3
+
+  user = host = password = use_ssl = warning = critical = None
+
+  for o, a in opts:
+    if o == "-u":
+      user = a
+    elif o == "-p":
+      password = a
+    elif o == "-s":
+      use_ssl = True
+    elif o == "-H":
+      host = a
+    elif o == "-w":
+      warning = float(a)
+    elif o == "-c":
+      critical = float(a)
+
+  if user == None or password == None or host == None or warning == None or critical == None:
+    usage()
+    return 1
+
+  if use_ssl:
+    M = poplib.POP3_SSL(host=host)
+  else:
+    M = poplib.POP3(host)
+
+  timestamp = time()
+
+  try:
+    M.getwelcome()
+    M.user(user)
+    M.pass_(password)
+  except Exception, e:
+    print "CRITICAL POP3 Login Failed: %s" % e
+    return 2
+
+  M.quit()
+
+  timestamp = time() - timestamp
+
+  if timestamp < warning:
+    status = "OK"
+    exitcode = 0
+  if timestamp >= warning:
+    status = "WARNING"
+    exitcode = 1
+  if timestamp >= critical:
+    status = "CRITICAL"
+    exitcode = 2
+
+  print '%s POP3 Login | response_time=%.3fs;%.3f;%.3f' % (status, timestamp, warning, critical)
+
+  return exitcode
+
+if __name__ == "__main__":
+  sys.exit(main())