#!/bin/bash # # Nagios plugin that checks whether a key ID has expired, or will expire within # a certain time. # # note: the plugin will issue a critical state if the required key has been # revoked. # # usage: check_gpg [-w ] [--gnupg-homedir ] # # is any PGP key ID that GnuPG accepts with "gpg --list-key " # # The option -w parameter lets you specify the number of days within which key # expiry will trigger a warning. e.g. if expires within # days, make nagios issue a warning. # # num_days must be an integer value # # optionally, if the keyring directory you want GPG to use is not located in # the user's ~/.gnupg, you can specify the path to the keyring directory with # the --gnupg-homedir parameter. # # Thanks a bunch to Daniel Kahn Gillmor for providing example commands that # made up most of the core of this plugin. # # Copyleft Gabriel Filion # # This plugin is released under the GPL v3+ license. To get a copy of the # license text visit: https://www.gnu.org/licenses/gpl-3.0.txt # SECS_IN_DAY=86400 function debug () { if [ -n "$DEBUG" ]; then echo "$1" >&2 fi } debug "got args: $*" now=$(date +%s) debug "current timestamp: $now" warning_threshold= homedir= homedir_path=~/.gnupg for arg in $*; do case $arg in "-w") if [ -z "$2" ]; then echo "UNKNOWN: argument -w got no value. integer needed" exit 3 fi if [ "`echo $2 | egrep ^[[:digit:]]+$`" = "" ]; then echo "UNKNOWN: invalid value '$2' passed to -w. integer needed" exit 3 fi warning_threshold=$(( $now + ($2*$SECS_IN_DAY) )) debug "setting warning_threshold to '$warning_threshold'" shift 2 ;; "--gnupg-homedir") if [ -z "$2" ]; then echo "UNKNOWN: argument --gnupg-homedir got no value. path needed" exit 3 fi if [ ! -d "$2" ]; then echo "UNKNOWN: homedir '$2' does not exist or is not a directory" exit 3 fi homedir_path=$2 homedir="--homedir ${homedir_path}" debug "setting homedir to '$homedir_path'" shift 2 ;; esac done if [ -z "$1" ]; then echo "UNKNOWN: must provide a key ID" exit 3 fi key="$1" # GPG is too stupid to error out when asked to refresh a key that's not in the # local keyring so we need to perform another call to verify this first. output=$( { gpg $homedir --list-key "$key" >/dev/null && gpg $homedir --refresh --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options ca-cert-file=$homedir_path/sks-keyservers.netCA.pem "$key" >/dev/null; } 2>&1 ) if [ $? -ne 0 ]; then echo "UNKNOWN: $output" exit 3 fi if [ "$(gpg $homedir --check-sig "$key" | grep "^rev!")" != "" ]; then echo "CRITICAL: key '$key' has been revoked!" exit 1 fi for expiry in $(gpg $homedir --with-colons --fixed-list-mode --list-key "$key" 2>/dev/null | awk -F: '/^pub:/{ print $7 }'); do debug "expiry value: $expiry" if [ "$now" -gt "$expiry" ] ; then printf "CRITICAL: %s has expired on %s\n" "$key" "$(date -d "$expiry seconds")"; exit 1; fi; if [ -n "$warning_threshold" ] && [ "$warning_threshold" -gt "$expiry" ]; then remaining=$(( ($expiry-$now) / $SECS_IN_DAY )) printf "WARNING: %s expires in %s days\n" "$key" "$remaining"; exit 2; fi done echo "OK: key '$key' has not expired."