From 5e92209e5b284e0f0d99c30e555cc498a39c396e Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 12 Oct 2015 23:23:44 +0200 Subject: introduce gpg checks --- files/plugins/check_gpg | 113 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 113 insertions(+) create mode 100644 files/plugins/check_gpg (limited to 'files/plugins/check_gpg') diff --git a/files/plugins/check_gpg b/files/plugins/check_gpg new file mode 100644 index 0000000..bf4b930 --- /dev/null +++ b/files/plugins/check_gpg @@ -0,0 +1,113 @@ +#!/bin/bash +# +# Nagios plugin that checks whether a key ID has expired, or will expire within +# a certain time. +# +# note: the plugin will issue a critical state if the required key has been +# revoked. +# +# usage: check_gpg [-w ] [--gnupg-homedir ] +# +# is any PGP key ID that GnuPG accepts with "gpg --list-key " +# +# The option -w parameter lets you specify the number of days within which key +# expiry will trigger a warning. e.g. if expires within +# days, make nagios issue a warning. +# +# num_days must be an integer value +# +# optionally, if the keyring directory you want GPG to use is not located in +# the user's ~/.gnupg, you can specify the path to the keyring directory with +# the --gnupg-homedir parameter. +# +# Thanks a bunch to Daniel Kahn Gillmor for providing example commands that +# made up most of the core of this plugin. +# +# Copyleft Gabriel Filion +# +# This plugin is released under the GPL v3+ license. To get a copy of the +# license text visit: https://www.gnu.org/licenses/gpl-3.0.txt +# +SECS_IN_DAY=86400 + +function debug () { + if [ -n "$DEBUG" ]; then + echo "$1" >&2 + fi +} + +debug "got args: $*" + +now=$(date +%s) +debug "current timestamp: $now" + +warning_threshold= +homedir= +for arg in $*; do + case $arg in + "-w") + if [ -z "$2" ]; then + echo "UNKNOWN: argument -w got no value. integer needed" + exit 3 + fi + if [ "`echo $2 | egrep ^[[:digit:]]+$`" = "" ]; then + echo "UNKNOWN: invalid value '$2' passed to -w. integer needed" + exit 3 + fi + warning_threshold=$(( $now + ($2*$SECS_IN_DAY) )) + debug "setting warning_threshold to '$warning_threshold'" + + shift 2 + ;; + "--gnupg-homedir") + if [ -z "$2" ]; then + echo "UNKNOWN: argument --gnupg-homedir got no value. path needed" + exit 3 + fi + if [ ! -d "$2" ]; then + echo "UNKNOWN: homedir '$2' does not exist or is not a directory" + exit 3 + fi + homedir="--homedir $2" + debug "setting homedir to '$homedir'" + + shift 2 + ;; + esac +done + +if [ -z "$1" ]; then + echo "UNKNOWN: must provide a key ID" + exit 3 +fi +key="$1" + +# GPG is too stupid to error out when asked to refresh a key that's not in the +# local keyring so we need to perform another call to verify this first. +output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh "$key" >/dev/null; } 2>&1 ) +if [ $? -ne 0 ]; then + echo "UNKNOWN: $output" + exit 3 +fi + +if [ "$(gpg $homedir --check-sig "$key" | grep "^rev!")" != "" ]; then + echo "CRITICAL: key '$key' has been revoked!" + exit 1 +fi + +for expiry in $(gpg $homedir --with-colons --fixed-list-mode --list-key "$key" 2>/dev/null | awk -F: '/^pub:/{ print $7 }'); +do + debug "expiry value: $expiry" + + if [ "$now" -gt "$expiry" ] ; then + printf "CRITICAL: %s has expired on %s\n" "$key" "$(date -d "$expiry seconds")"; + exit 1; + fi; + if [ -n "$warning_threshold" ] && [ "$warning_threshold" -gt "$expiry" ]; then + remaining=$(( ($expiry-$now) / $SECS_IN_DAY )) + printf "WARNING: %s expires in %s days\n" "$key" "$remaining"; + exit 2; + fi +done + +echo "OK: key '$key' has not expired." -- cgit v1.2.3 From ffca95a6b0281ab49f4a626a1ee6a68257769388 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 13 Oct 2015 00:45:01 +0200 Subject: this is handled outside & centrally --- files/plugins/check_gpg | 8 -------- 1 file changed, 8 deletions(-) (limited to 'files/plugins/check_gpg') diff --git a/files/plugins/check_gpg b/files/plugins/check_gpg index bf4b930..1a8df84 100644 --- a/files/plugins/check_gpg +++ b/files/plugins/check_gpg @@ -82,14 +82,6 @@ if [ -z "$1" ]; then fi key="$1" -# GPG is too stupid to error out when asked to refresh a key that's not in the -# local keyring so we need to perform another call to verify this first. -output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh "$key" >/dev/null; } 2>&1 ) -if [ $? -ne 0 ]; then - echo "UNKNOWN: $output" - exit 3 -fi - if [ "$(gpg $homedir --check-sig "$key" | grep "^rev!")" != "" ]; then echo "CRITICAL: key '$key' has been revoked!" exit 1 -- cgit v1.2.3 From 9a02e527e1803093e25166cdbac753253909065f Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 16 Oct 2015 15:17:48 +0200 Subject: Revert "this is handled outside & centrally" This reverts commit ffca95a6b0281ab49f4a626a1ee6a68257769388. --- files/plugins/check_gpg | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'files/plugins/check_gpg') diff --git a/files/plugins/check_gpg b/files/plugins/check_gpg index 1a8df84..bf4b930 100644 --- a/files/plugins/check_gpg +++ b/files/plugins/check_gpg @@ -82,6 +82,14 @@ if [ -z "$1" ]; then fi key="$1" +# GPG is too stupid to error out when asked to refresh a key that's not in the +# local keyring so we need to perform another call to verify this first. +output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh "$key" >/dev/null; } 2>&1 ) +if [ $? -ne 0 ]; then + echo "UNKNOWN: $output" + exit 3 +fi + if [ "$(gpg $homedir --check-sig "$key" | grep "^rev!")" != "" ]; then echo "CRITICAL: key '$key' has been revoked!" exit 1 -- cgit v1.2.3 From 3a39c6e693a835d98ed382bdc3ce72eac31ea664 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 16 Oct 2015 15:38:20 +0200 Subject: fetch things over hkps and on every check --- files/plugins/check_gpg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'files/plugins/check_gpg') diff --git a/files/plugins/check_gpg b/files/plugins/check_gpg index bf4b930..efc17e3 100644 --- a/files/plugins/check_gpg +++ b/files/plugins/check_gpg @@ -84,7 +84,7 @@ key="$1" # GPG is too stupid to error out when asked to refresh a key that's not in the # local keyring so we need to perform another call to verify this first. -output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh "$key" >/dev/null; } 2>&1 ) +output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options ca-cert-file=$homedir/sks-keyservers.netCA.pem "$key" >/dev/null; } 2>&1 ) if [ $? -ne 0 ]; then echo "UNKNOWN: $output" exit 3 -- cgit v1.2.3 From e182d1ba09b9d7689c1dfb137b8ca8771bc00dd0 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 16 Oct 2015 16:10:56 +0200 Subject: fixing path --- files/plugins/check_gpg | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'files/plugins/check_gpg') diff --git a/files/plugins/check_gpg b/files/plugins/check_gpg index efc17e3..eb9fa51 100644 --- a/files/plugins/check_gpg +++ b/files/plugins/check_gpg @@ -43,6 +43,7 @@ debug "current timestamp: $now" warning_threshold= homedir= +homedir_path=~/.gnupg for arg in $*; do case $arg in "-w") @@ -68,8 +69,9 @@ for arg in $*; do echo "UNKNOWN: homedir '$2' does not exist or is not a directory" exit 3 fi - homedir="--homedir $2" - debug "setting homedir to '$homedir'" + homedir_path=$2 + homedir="--homedir ${homedir_path}" + debug "setting homedir to '$homedir_path'" shift 2 ;; @@ -84,7 +86,7 @@ key="$1" # GPG is too stupid to error out when asked to refresh a key that's not in the # local keyring so we need to perform another call to verify this first. -output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options ca-cert-file=$homedir/sks-keyservers.netCA.pem "$key" >/dev/null; } 2>&1 ) +output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options ca-cert-file=$homedir_path/sks-keyservers.netCA.pem "$key" >/dev/null; } 2>&1 ) if [ $? -ne 0 ]; then echo "UNKNOWN: $output" exit 3 -- cgit v1.2.3