From 3a39c6e693a835d98ed382bdc3ce72eac31ea664 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 16 Oct 2015 15:38:20 +0200 Subject: fetch things over hkps and on every check --- files/plugin_data/sks-keyservers.netCA.pem | 32 ++++++++++++++++++++++++++++++ files/plugins/check_gpg | 2 +- manifests/plugins/gpg.pp | 27 ++++++------------------- manifests/service/gpgkey.pp | 12 +++++------ 4 files changed, 45 insertions(+), 28 deletions(-) create mode 100644 files/plugin_data/sks-keyservers.netCA.pem diff --git a/files/plugin_data/sks-keyservers.netCA.pem b/files/plugin_data/sks-keyservers.netCA.pem new file mode 100644 index 0000000..24a2ad2 --- /dev/null +++ b/files/plugin_data/sks-keyservers.netCA.pem @@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFizCCA3OgAwIBAgIJAK9zyLTPn4CPMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV +BAYTAk5PMQ0wCwYDVQQIDARPc2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5u +ZXQgQ0ExHjAcBgNVBAMMFXNrcy1rZXlzZXJ2ZXJzLm5ldCBDQTAeFw0xMjEwMDkw +MDMzMzdaFw0yMjEwMDcwMDMzMzdaMFwxCzAJBgNVBAYTAk5PMQ0wCwYDVQQIDARP +c2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5uZXQgQ0ExHjAcBgNVBAMMFXNr +cy1rZXlzZXJ2ZXJzLm5ldCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC +ggIBANdsWy4PXWNUCkS3L//nrd0GqN3dVwoBGZ6w94Tw2jPDPifegwxQozFXkG6I +6A4TK1CJLXPvfz0UP0aBYyPmTNadDinaB9T4jIwd4rnxl+59GiEmqkN3IfPsv5Jj +MkKUmJnvOT0DEVlEaO1UZIwx5WpfprB3mR81/qm4XkAgmYrmgnLXd/pJDAMk7y1F +45b5zWofiD5l677lplcIPRbFhpJ6kDTODXh/XEdtF71EAeaOdEGOvyGDmCO0GWqS +FDkMMPTlieLA/0rgFTcz4xwUYj/cD5e0ZBuSkYsYFAU3hd1cGfBue0cPZaQH2HYx +Qk4zXD8S3F4690fRhr+tki5gyG6JDR67aKp3BIGLqm7f45WkX1hYp+YXywmEziM4 +aSbGYhx8hoFGfq9UcfPEvp2aoc8u5sdqjDslhyUzM1v3m3ZGbhwEOnVjljY6JJLx +MxagxnZZSAY424ZZ3t71E/Mn27dm2w+xFRuoy8JEjv1d+BT3eChM5KaNwrj0IO/y +u8kFIgWYA1vZ/15qMT+tyJTfyrNVV/7Df7TNeWyNqjJ5rBmt0M6NpHG7CrUSkBy9 +p8JhimgjP5r0FlEkgg+lyD+V79H98gQfVgP3pbJICz0SpBQf2F/2tyS4rLm+49rP +fcOajiXEuyhpcmzgusAj/1FjrtlynH1r9mnNaX4e+rLWzvU5AgMBAAGjUDBOMB0G +A1UdDgQWBBTkwyoJFGfYTVISTpM8E+igjdq28zAfBgNVHSMEGDAWgBTkwyoJFGfY +TVISTpM8E+igjdq28zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQAR +OXnYwu3g1ZjHyley3fZI5aLPsaE17cOImVTehC8DcIphm2HOMR/hYTTL+V0G4P+u +gH+6xeRLKSHMHZTtSBIa6GDL03434y9CBuwGvAFCMU2GV8w92/Z7apkAhdLToZA/ +X/iWP2jeaVJhxgEcH8uPrnSlqoPBcKC9PrgUzQYfSZJkLmB+3jEa3HKruy1abJP5 +gAdQvwvcPpvYRnIzUc9fZODsVmlHVFBCl2dlu/iHh2h4GmL4Da2rRkUMlbVTdioB +UYIvMycdOkpH5wJftzw7cpjsudGas0PARDXCFfGyKhwBRFY7Xp7lbjtU5Rz0Gc04 +lPrhDf0pFE98Aw4jJRpFeWMjpXUEaG1cq7D641RpgcMfPFvOHY47rvDTS7XJOaUT +BwRjmDt896s6vMDcaG/uXJbQjuzmmx3W2Idyh3s5SI0GTHb0IwMKYb4eBUIpQOnB +cE77VnCYqKvN1NVYAqhWjXbY7XasZvszCRcOG+W3FqNaHOK/n/0ueb0uijdLan+U +f4p1bjbAox8eAOQS/8a3bzkJzdyBNUKGx1BIK2IBL9bn/HravSDOiNRSnZ/R3l9G +ZauX0tu7IIDlRCILXSyeazu0aj/vdT3YFQXPcvt5Fkf5wiNTo53f72/jYEJd6qph +WrpoKqrwGwTpRUCMhYIUt65hsTxCiJJ5nKe39h46sg== +-----END CERTIFICATE----- diff --git a/files/plugins/check_gpg b/files/plugins/check_gpg index bf4b930..efc17e3 100644 --- a/files/plugins/check_gpg +++ b/files/plugins/check_gpg @@ -84,7 +84,7 @@ key="$1" # GPG is too stupid to error out when asked to refresh a key that's not in the # local keyring so we need to perform another call to verify this first. -output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh "$key" >/dev/null; } 2>&1 ) +output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options ca-cert-file=$homedir/sks-keyservers.netCA.pem "$key" >/dev/null; } 2>&1 ) if [ $? -ne 0 ]; then echo "UNKNOWN: $output" exit 3 diff --git a/manifests/plugins/gpg.pp b/manifests/plugins/gpg.pp index 632ad1f..a09736a 100644 --- a/manifests/plugins/gpg.pp +++ b/manifests/plugins/gpg.pp @@ -1,8 +1,6 @@ # check_gpg from # https://github.com/lelutin/nagios-plugins/blob/master/check_gpg -class nagios::plugins::gpg( - $keyserver = 'hkp://keys.mayfirst.org', -) { +class nagios::plugins::gpg { require ::gpg nagios::plugin{'check_gpg': source => 'nagios/plugins/check_gpg', @@ -16,25 +14,12 @@ class nagios::plugins::gpg( group => nagios, mode => '0600', require => Nagios::Plugin['check_gpg']; - '/etc/cron.daily/update_nagios_gpgkeys': - content => "#!/bin/bash -function gpg() { - cmd=\$1 - outout=\$(su - nagios -s /bin/bash -c 'gpg --homedir ${gpg_home} --logger-fd 1 \${cmd}') - if [ \$? -gt 0 ]; then - echo \$output - exit 1 - fi -} - -su - nagios -s /bin/bash -c 'gpg --homedir ${gpg_home} --with-fingerprint --list-keys --with-colons | grep \"^pub\" -A 1 | tail -n 1 | cut -f10 -d\":\" | sort --random-sort | while read key; do - gpg \"--keyserver ${keyserver} --recv-keys \${key}\" -done -", - owner => root, + "${gpg_home}/sks-keyservers.netCA.pem": + source => 'puppet:///modules/nagios/plugin_data/sks-keyservers.netCA.pem', + owner => nagios, group => 0, - mode => '0700', - require => File[$gpg_home]; + mode => '0400', + before => Nagios_command['check_gpg']; } nagios_command { 'check_gpg': diff --git a/manifests/service/gpgkey.pp b/manifests/service/gpgkey.pp index 08b7473..f04352a 100644 --- a/manifests/service/gpgkey.pp +++ b/manifests/service/gpgkey.pp @@ -6,8 +6,8 @@ define nagios::service::gpgkey( ){ validate_slength($name,40,40) require ::nagios::plugins::gpg - $gpg_home = $nagios::plugins::gpg::gpg_home - $gpg_keyserver = $nagios::plugins::gpg::keyserver + $gpg_home = $nagios::plugins::gpg::gpg_home + $gpg_cmd = "gpg --homedir ${gpg_home}" exec{"manage_key_${name}": user => nagios, @@ -20,8 +20,8 @@ define nagios::service::gpgkey( if $ensure == 'present' { Exec["manage_key_${name}"]{ - command => "gpg --keyserver ${gpg_keyserver} --homedir ${gpg_home} --recv-keys ${name}", - unless => "gpg --homedir ${gpg_home} --list-keys ${name}", + command => "${gpg_cmd} --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options ca-cert-file=${gpg_home}/sks-keyservers.netCA.pem --recv-keys ${name}", + unless => "${gpg_cmd} --list-keys ${name}", before => Nagios::Service["check_gpg_${name}"], } @@ -39,8 +39,8 @@ define nagios::service::gpgkey( } } else { Exec["manage_key_${name}"]{ - command => "gpg --batch --homedir ${gpg_home} --delete-key ${name}", - onlyif => "gpg --homedir ${gpg_home} --list-keys ${name}", + command => "${gpg_cmd} --batch --delete-key ${name}", + onlyif => "${gpg_cmd} --list-keys ${name}", require => Nagios::Service["check_gpg_${name}"], } } -- cgit v1.2.3