From 5e92209e5b284e0f0d99c30e555cc498a39c396e Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 12 Oct 2015 23:23:44 +0200 Subject: introduce gpg checks --- files/plugins/check_gpg | 113 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 113 insertions(+) create mode 100644 files/plugins/check_gpg (limited to 'files/plugins') diff --git a/files/plugins/check_gpg b/files/plugins/check_gpg new file mode 100644 index 0000000..bf4b930 --- /dev/null +++ b/files/plugins/check_gpg @@ -0,0 +1,113 @@ +#!/bin/bash +# +# Nagios plugin that checks whether a key ID has expired, or will expire within +# a certain time. +# +# note: the plugin will issue a critical state if the required key has been +# revoked. +# +# usage: check_gpg [-w ] [--gnupg-homedir ] +# +# is any PGP key ID that GnuPG accepts with "gpg --list-key " +# +# The option -w parameter lets you specify the number of days within which key +# expiry will trigger a warning. e.g. if expires within +# days, make nagios issue a warning. +# +# num_days must be an integer value +# +# optionally, if the keyring directory you want GPG to use is not located in +# the user's ~/.gnupg, you can specify the path to the keyring directory with +# the --gnupg-homedir parameter. +# +# Thanks a bunch to Daniel Kahn Gillmor for providing example commands that +# made up most of the core of this plugin. +# +# Copyleft Gabriel Filion +# +# This plugin is released under the GPL v3+ license. To get a copy of the +# license text visit: https://www.gnu.org/licenses/gpl-3.0.txt +# +SECS_IN_DAY=86400 + +function debug () { + if [ -n "$DEBUG" ]; then + echo "$1" >&2 + fi +} + +debug "got args: $*" + +now=$(date +%s) +debug "current timestamp: $now" + +warning_threshold= +homedir= +for arg in $*; do + case $arg in + "-w") + if [ -z "$2" ]; then + echo "UNKNOWN: argument -w got no value. integer needed" + exit 3 + fi + if [ "`echo $2 | egrep ^[[:digit:]]+$`" = "" ]; then + echo "UNKNOWN: invalid value '$2' passed to -w. integer needed" + exit 3 + fi + warning_threshold=$(( $now + ($2*$SECS_IN_DAY) )) + debug "setting warning_threshold to '$warning_threshold'" + + shift 2 + ;; + "--gnupg-homedir") + if [ -z "$2" ]; then + echo "UNKNOWN: argument --gnupg-homedir got no value. path needed" + exit 3 + fi + if [ ! -d "$2" ]; then + echo "UNKNOWN: homedir '$2' does not exist or is not a directory" + exit 3 + fi + homedir="--homedir $2" + debug "setting homedir to '$homedir'" + + shift 2 + ;; + esac +done + +if [ -z "$1" ]; then + echo "UNKNOWN: must provide a key ID" + exit 3 +fi +key="$1" + +# GPG is too stupid to error out when asked to refresh a key that's not in the +# local keyring so we need to perform another call to verify this first. +output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh "$key" >/dev/null; } 2>&1 ) +if [ $? -ne 0 ]; then + echo "UNKNOWN: $output" + exit 3 +fi + +if [ "$(gpg $homedir --check-sig "$key" | grep "^rev!")" != "" ]; then + echo "CRITICAL: key '$key' has been revoked!" + exit 1 +fi + +for expiry in $(gpg $homedir --with-colons --fixed-list-mode --list-key "$key" 2>/dev/null | awk -F: '/^pub:/{ print $7 }'); +do + debug "expiry value: $expiry" + + if [ "$now" -gt "$expiry" ] ; then + printf "CRITICAL: %s has expired on %s\n" "$key" "$(date -d "$expiry seconds")"; + exit 1; + fi; + if [ -n "$warning_threshold" ] && [ "$warning_threshold" -gt "$expiry" ]; then + remaining=$(( ($expiry-$now) / $SECS_IN_DAY )) + printf "WARNING: %s expires in %s days\n" "$key" "$remaining"; + exit 2; + fi +done + +echo "OK: key '$key' has not expired." -- cgit v1.2.3 From bbda7cef0b0d6d68c9d2c393592cbfbef9f3534e Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 12 Oct 2015 23:26:10 +0200 Subject: introduce horde_login checks --- files/plugins/check_horde_login | 69 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 files/plugins/check_horde_login (limited to 'files/plugins') diff --git a/files/plugins/check_horde_login b/files/plugins/check_horde_login new file mode 100644 index 0000000..4c63daa --- /dev/null +++ b/files/plugins/check_horde_login @@ -0,0 +1,69 @@ +#!/bin/env python +# vi:si:et:sw=4:sts=4:ts=4 +# -*- coding: UTF-8 -*- +# -*- Mode: Python -*- +# +# Copyright (C) 2015 mh + +# This file may be distributed and/or modified under the terms of +# the GNU General Public License version 2 as published by +# the Free Software Foundation. +# This file is distributed without any warranty; without even the implied +# warranty of merchantability or fitness for a particular purpose. +# + +import sys, os, requests, getopt + +def usage(): + print sys.argv[0] + " -u username "+ \ + "-p password " + \ + "-s server path" + sys.exit(1) + +def main(): + try: + opts, args = getopt.getopt(sys.argv[1:], "u:p:s:h") + except getopt.GetoptError: + usage() + return 3 + + user = url = password = None + + for o, a in opts: + if o == "-u": + user = a + elif o == "-p": + password = a + elif o == "-s": + url = a + "/login.php" + elif o == '-h': + usage() + + if user == None or password == None or url == None: + usage() + + params = { 'horde_user': user, + 'horde_pass': password, + 'horde_select_view': 'auto', + 'anchor_string': '', + 'app': '', + 'login_post': 1, + 'new_lang': 'en_US', + 'url': '', + } + + + r = requests.post(url, data=params, allow_redirects=False) + # on a successfully login we are redirected to the mailbox + if r.status_code == 302: + print "OK" + sys.exit(0) + else: + print "Error" + sys.exit(2) + + +if __name__ == "__main__": + sys.exit(main()) + + -- cgit v1.2.3 From ffca95a6b0281ab49f4a626a1ee6a68257769388 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 13 Oct 2015 00:45:01 +0200 Subject: this is handled outside & centrally --- files/plugins/check_gpg | 8 -------- 1 file changed, 8 deletions(-) (limited to 'files/plugins') diff --git a/files/plugins/check_gpg b/files/plugins/check_gpg index bf4b930..1a8df84 100644 --- a/files/plugins/check_gpg +++ b/files/plugins/check_gpg @@ -82,14 +82,6 @@ if [ -z "$1" ]; then fi key="$1" -# GPG is too stupid to error out when asked to refresh a key that's not in the -# local keyring so we need to perform another call to verify this first. -output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh "$key" >/dev/null; } 2>&1 ) -if [ $? -ne 0 ]; then - echo "UNKNOWN: $output" - exit 3 -fi - if [ "$(gpg $homedir --check-sig "$key" | grep "^rev!")" != "" ]; then echo "CRITICAL: key '$key' has been revoked!" exit 1 -- cgit v1.2.3 From 9a02e527e1803093e25166cdbac753253909065f Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 16 Oct 2015 15:17:48 +0200 Subject: Revert "this is handled outside & centrally" This reverts commit ffca95a6b0281ab49f4a626a1ee6a68257769388. --- files/plugins/check_gpg | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'files/plugins') diff --git a/files/plugins/check_gpg b/files/plugins/check_gpg index 1a8df84..bf4b930 100644 --- a/files/plugins/check_gpg +++ b/files/plugins/check_gpg @@ -82,6 +82,14 @@ if [ -z "$1" ]; then fi key="$1" +# GPG is too stupid to error out when asked to refresh a key that's not in the +# local keyring so we need to perform another call to verify this first. +output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh "$key" >/dev/null; } 2>&1 ) +if [ $? -ne 0 ]; then + echo "UNKNOWN: $output" + exit 3 +fi + if [ "$(gpg $homedir --check-sig "$key" | grep "^rev!")" != "" ]; then echo "CRITICAL: key '$key' has been revoked!" exit 1 -- cgit v1.2.3 From 3a39c6e693a835d98ed382bdc3ce72eac31ea664 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 16 Oct 2015 15:38:20 +0200 Subject: fetch things over hkps and on every check --- files/plugins/check_gpg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'files/plugins') diff --git a/files/plugins/check_gpg b/files/plugins/check_gpg index bf4b930..efc17e3 100644 --- a/files/plugins/check_gpg +++ b/files/plugins/check_gpg @@ -84,7 +84,7 @@ key="$1" # GPG is too stupid to error out when asked to refresh a key that's not in the # local keyring so we need to perform another call to verify this first. -output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh "$key" >/dev/null; } 2>&1 ) +output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options ca-cert-file=$homedir/sks-keyservers.netCA.pem "$key" >/dev/null; } 2>&1 ) if [ $? -ne 0 ]; then echo "UNKNOWN: $output" exit 3 -- cgit v1.2.3 From e182d1ba09b9d7689c1dfb137b8ca8771bc00dd0 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 16 Oct 2015 16:10:56 +0200 Subject: fixing path --- files/plugins/check_gpg | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'files/plugins') diff --git a/files/plugins/check_gpg b/files/plugins/check_gpg index efc17e3..eb9fa51 100644 --- a/files/plugins/check_gpg +++ b/files/plugins/check_gpg @@ -43,6 +43,7 @@ debug "current timestamp: $now" warning_threshold= homedir= +homedir_path=~/.gnupg for arg in $*; do case $arg in "-w") @@ -68,8 +69,9 @@ for arg in $*; do echo "UNKNOWN: homedir '$2' does not exist or is not a directory" exit 3 fi - homedir="--homedir $2" - debug "setting homedir to '$homedir'" + homedir_path=$2 + homedir="--homedir ${homedir_path}" + debug "setting homedir to '$homedir_path'" shift 2 ;; @@ -84,7 +86,7 @@ key="$1" # GPG is too stupid to error out when asked to refresh a key that's not in the # local keyring so we need to perform another call to verify this first. -output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options ca-cert-file=$homedir/sks-keyservers.netCA.pem "$key" >/dev/null; } 2>&1 ) +output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options ca-cert-file=$homedir_path/sks-keyservers.netCA.pem "$key" >/dev/null; } 2>&1 ) if [ $? -ne 0 ]; then echo "UNKNOWN: $output" exit 3 -- cgit v1.2.3 From e66581b620d89e81ec02754005f3e3fa2bc603cf Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 25 Oct 2015 16:28:46 +0100 Subject: add an imap_login check --- files/plugins/check_imap_login | 80 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 files/plugins/check_imap_login (limited to 'files/plugins') diff --git a/files/plugins/check_imap_login b/files/plugins/check_imap_login new file mode 100644 index 0000000..d059822 --- /dev/null +++ b/files/plugins/check_imap_login @@ -0,0 +1,80 @@ +#!/usr/bin/python +# -*- coding: UTF-8 -*- +# -*- Mode: Python -*- +# +# Copyright (C) 2006 Bertera Pietro +# Response time monitoring with perfdata modification by Ivan Savcic and Milos Buncic, 2012. +# From: https://github.com/isavcic/check_imap_login + +# This file may be distributed and/or modified under the terms of +# the GNU General Public License version 2 as published by +# the Free Software Foundation. +# This file is distributed without any warranty; without even the implied +# warranty of merchantability or fitness for a particular purpose. + +import sys, os, imaplib, getopt +from time import time + +def usage(): + print sys.argv[0] + " -u -p -H [-s] -w -c \n -s is for using IMAPS" + +def main(): + try: + opts, args = getopt.getopt(sys.argv[1:], "u:p:sH:w:c:") + except getopt.GetoptError: + usage() + return 3 + + user = host = password = use_ssl = warning = critical = None + + for o, a in opts: + if o == "-u": + user = a + elif o == "-p": + password = a + elif o == "-s": + use_ssl = True + elif o == "-H": + host = a + elif o == "-w": + warning = float(a) + elif o == "-c": + critical = float(a) + + if user == None or password == None or host == None or warning == None or critical == None: + usage() + return 1 + + if use_ssl: + M = imaplib.IMAP4_SSL(host=host) + else: + M = imaplib.IMAP4(host) + + timestamp = time() + + try: + M.login(user, password) + except Exception, e: + print "CRITICAL IMAP Login Failed: %s" % e + return 2 + + M.logout() + + timestamp = time() - timestamp + + if timestamp < warning: + status = "OK" + exitcode = 0 + if timestamp >= warning: + status = "WARNING" + exitcode = 1 + if timestamp >= critical: + status = "CRITICAL" + exitcode = 2 + + print '%s IMAP Login | response_time=%.3fs;%.3f;%.3f' % (status, timestamp, warning, critical) + + return exitcode + +if __name__ == "__main__": + sys.exit(main()) -- cgit v1.2.3 From 2c4f69e1ea1656edf7c7d39fa90d200f901404df Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 31 Oct 2015 10:14:18 +0100 Subject: add some metrics to the horde check --- files/plugins/check_horde_login | 41 +++++++++++++++++++++++++++++++++-------- 1 file changed, 33 insertions(+), 8 deletions(-) (limited to 'files/plugins') diff --git a/files/plugins/check_horde_login b/files/plugins/check_horde_login index 4c63daa..8c821e4 100644 --- a/files/plugins/check_horde_login +++ b/files/plugins/check_horde_login @@ -13,27 +13,36 @@ # import sys, os, requests, getopt +from time import time def usage(): print sys.argv[0] + " -u username "+ \ "-p password " + \ - "-s server path" + "-s server path" + \ + "[-w warning_in_s] " + \ + "[-c critical_in_s]" sys.exit(1) def main(): try: - opts, args = getopt.getopt(sys.argv[1:], "u:p:s:h") + opts, args = getopt.getopt(sys.argv[1:], "u:p:s:h:w:c") except getopt.GetoptError: usage() return 3 user = url = password = None + warning = 5 + critical = 10 for o, a in opts: if o == "-u": user = a elif o == "-p": password = a + elif o == "-w": + warning = a + elif o == "-c": + critical = a elif o == "-s": url = a + "/login.php" elif o == '-h': @@ -53,14 +62,30 @@ def main(): } - r = requests.post(url, data=params, allow_redirects=False) - # on a successfully login we are redirected to the mailbox + timestamp = time() + try: + r = requests.post(url, data=params, allow_redirects=False) + except Exception, e: + print "CRITICAL Horde Login Failed: %s" % e + sys.exit(2) + + timestamp = time() - timestamp if r.status_code == 302: - print "OK" - sys.exit(0) + if timestamp < warning: + status = "OK" + exitcode = 0 + if timestamp >= warning: + status = "WARNING" + exitcode = 1 + if timestamp >= critical: + status = "CRITICAL" + exitcode = 2 else: - print "Error" - sys.exit(2) + status = "ERROR" + exitcode = 2 + # on a successfully login we are redirected to the mailbox + print '%s Horde Login | response_time=%.3fs;%.3f;%.3f' % (status, timestamp, warning, critical) + sys.exit(exitcode) if __name__ == "__main__": -- cgit v1.2.3 From c3ca4ac25d7cdfd5826149445f2946d64d968f97 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 31 Oct 2015 10:26:05 +0100 Subject: also add pop3 login checks --- files/plugins/check_pop3_login | 83 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 files/plugins/check_pop3_login (limited to 'files/plugins') diff --git a/files/plugins/check_pop3_login b/files/plugins/check_pop3_login new file mode 100644 index 0000000..4eb29b8 --- /dev/null +++ b/files/plugins/check_pop3_login @@ -0,0 +1,83 @@ +#!/usr/bin/python +# -*- coding: UTF-8 -*- +# -*- Mode: Python -*- +# +# Copyright (C) 2006 Bertera Pietro +# Copyright (C) 2015 mh +# Response time monitoring with perfdata modification by Ivan Savcic and Milos Buncic, 2012. +# Derived from: https://github.com/isavcic/check_imap_login + +# This file may be distributed and/or modified under the terms of +# the GNU General Public License version 2 as published by +# the Free Software Foundation. +# This file is distributed without any warranty; without even the implied +# warranty of merchantability or fitness for a particular purpose. + +import sys, os, poplib, getopt +from time import time + +def usage(): + print sys.argv[0] + " -u -p -H [-s] -w -c \n -s is for using POP3s" + +def main(): + try: + opts, args = getopt.getopt(sys.argv[1:], "u:p:sH:w:c:") + except getopt.GetoptError: + usage() + return 3 + + user = host = password = use_ssl = warning = critical = None + + for o, a in opts: + if o == "-u": + user = a + elif o == "-p": + password = a + elif o == "-s": + use_ssl = True + elif o == "-H": + host = a + elif o == "-w": + warning = float(a) + elif o == "-c": + critical = float(a) + + if user == None or password == None or host == None or warning == None or critical == None: + usage() + return 1 + + if use_ssl: + M = poplib.POP3_SSL(host=host) + else: + M = poplib.POP3(host) + + timestamp = time() + + try: + M.getwelcome() + M.user(user) + M.pass_(password) + except Exception, e: + print "CRITICAL POP3 Login Failed: %s" % e + return 2 + + M.quit() + + timestamp = time() - timestamp + + if timestamp < warning: + status = "OK" + exitcode = 0 + if timestamp >= warning: + status = "WARNING" + exitcode = 1 + if timestamp >= critical: + status = "CRITICAL" + exitcode = 2 + + print '%s POP3 Login | response_time=%.3fs;%.3f;%.3f' % (status, timestamp, warning, critical) + + return exitcode + +if __name__ == "__main__": + sys.exit(main()) -- cgit v1.2.3