From 273b6c8631322e12143dcfbb57cb80c955dc0037 Mon Sep 17 00:00:00 2001 From: Chl Date: Thu, 8 Aug 2019 01:32:29 +0200 Subject: [PATCH] nagios/check_crl: review and debug --- nagios/check_crl.sh | 136 +++++++++++++------------------------------- 1 file changed, 41 insertions(+), 95 deletions(-) mode change 100644 => 100755 nagios/check_crl.sh diff --git a/nagios/check_crl.sh b/nagios/check_crl.sh old mode 100644 new mode 100755 index 0e8dcc5..a7db388 --- a/nagios/check_crl.sh +++ b/nagios/check_crl.sh @@ -4,19 +4,27 @@ # GPL v3+ # Default values -# Warning : 10 days - 10 years -RANGE_WARNING="864000:315360000" -# Critical : 4 days -RANGE_CRITICAL="345600:" +# Warning : 7 days - 10 years +# (juste because more than 10 years is really far stretched and might be a manipulation error) +RANGE_WARNING="7:3650" +# Critical : 3 days +RANGE_CRITICAL="3:" # Output OUTPUT_EXIT_STATUS=0 OUTPUT_DETAIL_WARNING="" OUTPUT_DETAIL_CRITICAL="" +#OUTPUT_PERFDATA="" + +PROGPATH=$( echo $0 | sed -e 's,[\\/][^\\/][^\\/]*$,,' ) +REVISION="0.2" # Stop at the first non-catched error set -e +# Include check_range() +. $PROGPATH/utils.sh + # # Help function # @@ -25,7 +33,7 @@ usage() { Usage : $0 [-w warning_range] [-c critical_range] -f file.crl [[-w...] -f file.crl ] ... -Ranges are in seconds. +Thresholds in days. Note: Since the file is checked against the lastest ranges given, order of the arguments are important. 
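Review bot: The added `PROGPATH=$( echo $0 | sed ... )` and `. $PROGPATH/utils.sh` lines in the first hunk are unquoted and unchecked. An install path containing whitespace, or an invocation where `$0` has no directory part (the `sed` expression then leaves the script name itself in `PROGPATH`), makes the `.` point at a path that does not exist. The `STATE_*` values used by every later `exit` are not set in the visible part of the script and presumably come from that file, so a failed load ends the plugin with a status that does not mean UNKNOWN. I would guard the load with `[ -r "$PROGPATH/utils.sh" ] || { echo "UNKNOWN: cannot read $PROGPATH/utils.sh"; exit 3; }` and then source it as `. "$PROGPATH/utils.sh"`. Since the sourced file runs with the plugin's privileges, its directory should be writable only by the account that owns the plugins.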
@@ -36,88 +44,18 @@ Default values: EOF } -# TODO: manage non-integer values -# Args : -# - value -# - range warning -# - range critical -# Return: -# 0: ok -# 8: syntax error in range -# 9: higher threshold lower than lower threshold check_range_syntax() { - local REGEXP LOWER_THRESHOLD HIGHER_THRESHOLD - - # Check syntax - REGEXP='@\?\(-\?[0-9]\+:\|~:\|:\|\)\(-\?[0-9]\+\|~\|\)' - test -n "$( echo "$1" | sed -n "/^$REGEXP$/p" )" || return 8 - - # Check that lower limit is lower than higher limit :) - LOWER_THRESHOLD=$( echo "$1" | sed -n "s/$REGEXP/\1/p" | sed 's/:$//' ) - HIGHER_THRESHOLD=$( echo "$1" | sed -n "s/$REGEXP/\2/p" ) - if test -z "$LOWER_THRESHOLD"; then - LOWER_THRESHOLD=0 + check_range 0 "$1" >/dev/null 2>&1 + if [ "$?" -eq "2" ]; then + return 1 fi - if test -z "$HIGHER_THRESHOLD"; then - HIGHER_THRESHOLD='~' - fi - if [ "$LOWER_THRESHOLD" != "~" ]; then - if [ "$HIGHER_THRESHOLD" != "~" ] && [ "$LOWER_THRESHOLD" -gt "$HIGHER_THRESHOLD" ]; then - return 9 - fi - fi - - printf "%s\t%s" "$LOWER_THRESHOLD" "$HIGHER_THRESHOLD" - return 0 -} - -# Args : -# - value -# - range -# Return : -# 0: ok -# 1: not in range -# 8-15: see check_range_syntax() -# 16: function call problem -check_range() { - local VALUE LINE RET LOWER_THRESHOLD HIGHER_THRESHOLD - # ranges can be empty - test -n "$1" || return 16 - VALUE="$1" - RANGE="$2" - - # Analyze range - LINE=$( check_range_syntax "$RANGE" ) - RET="$?" 
- test $RET -eq 0 || return $RET - LOWER_THRESHOLD="$( echo "$LINE" | cut -f 1 )" - HIGHER_THRESHOLD="$( echo "$LINE" | cut -f 2 )" - - # Check value - if [ $( echo "$RANGE" | grep -c "^@" ) -eq 0 ]; then - # Normal comparison - if [ "$LOWER_THRESHOLD" != "~" ] && [ "$VALUE" -lt "$LOWER_THRESHOLD" ]; then - return 1 - fi - if [ "$HIGHER_THRESHOLD" != "~" ] && [ "$VALUE" -gt "$HIGHER_THRESHOLD" ]; then - return 1 - fi - else - # Invert range (inside, inclusive) - if [ "$LOWER_THRESHOLD" = '~' ] || [ "$VALUE" -ge "$LOWER_THRESHOLD" ]; then - if [ "$HIGHER_THRESHOLD" = '~' ] || [ "$VALUE" -le "$HIGHER_THRESHOLD" ]; then - return 1 - fi - fi - fi - return 0 } # Some early checks if ! which openssl >/dev/null 2>&1 ; then echo "UNKNOWN 'openssl' not found." - exit 1 + exit $STATE_UNKNOWN fi # @@ -134,8 +72,8 @@ while getopts hw:c:f: OPT; do if check_range_syntax "$OPTARG" >/dev/null; then RANGE_WARNING="$OPTARG" else - echo "UNKNOWN: invalid range." - exit 3 + echo "UNKNOWN: invalid range : $OPTARG" + exit $STATE_UNKNOWN fi ;; @@ -143,8 +81,8 @@ while getopts hw:c:f: OPT; do if check_range_syntax "$OPTARG" >/dev/null; then RANGE_CRITICAL="$OPTARG" else - echo "UNKNOWN: invalid range." - exit 3 + echo "UNKNOWN: invalid range : $OPTARG" + exit $STATE_UNKNOWN fi ;; 
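Review bot: The rewritten `check_range_syntax` in the `@@ -36,88 +44,18 @@` hunk loses its header comment while its contract becomes less obvious: it probes `check_range 0 "$1"` and treats only status 2 as a syntax error. A one-line comment above the function would record that, for example `# Returns 0 if $1 parses as a range, 1 if check_range (utils.sh) reports an error (status 2).` It is also worth noting there that the probe value 0 is arbitrary and that the function prints nothing, since the callers still redirect its output to `/dev/null`.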
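Review bot: The new `echo "UNKNOWN: invalid range : $OPTARG"` in the `-w` arm (`@@ -134,8 +72,8 @@`) copies a command-line argument straight into the plugin output. A value containing `|` would be taken by Nagios as the start of performance data, and some `echo` implementations interpret backslash sequences in it. `printf 'UNKNOWN: invalid range : %s\n' "$OPTARG"` avoids the second problem. The same applies to the identical line in the `-c` arm in the next hunk and to `$CRL_FILE` in the `-f` arm.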
@@ -153,27 +91,27 @@ while getopts hw:c:f: OPT; do # should not be done during params management :) CRL_FILE="$OPTARG" if [ ! -f "$CRL_FILE" ]; then - echo "UNKNOWN: inexistent file." - exit 3 + echo "UNKNOWN: inexistent file : $CRL_FILE" + exit $STATE_UNKNOWN fi # Extract time left, in seconds EXPIRATION_DATE="$( openssl crl -noout -text -in "$CRL_FILE" | sed -n "s/^[[:space:]]\+Next Update: \(.*\)$/\1/p" )" if [ -z "$EXPIRATION_DATE" ]; then echo "UNKNOWN: couldn't get expiration date." - exit 3 + exit $STATE_UNKNOWN fi - TIME_LEFT=$(( $( date +%s ) - $( date --date="$EXPIRATION_DATE" +%s ) )) + TIME_LEFT=$(( ( $( date --date="$EXPIRATION_DATE" +%s ) - $( date +%s ) ) / 86400 )) # Check time left against range - if ! check_range "$TIME_LEFT" "$RANGE_CRITICAL"; then - OUTPUT_EXIT_STATUS=2 - OUTPUT_DETAIL_CRITICAL="$OUTPUT_DETAIL_CRITICAL crl:$CRL_FILE" - elif ! check_range "$CPT" "$RANGE_WARNING"; then + if check_range "$TIME_LEFT" "$RANGE_CRITICAL"; then + OUTPUT_EXIT_STATUS=$STATE_CRITICAL + OUTPUT_DETAIL_CRITICAL="$OUTPUT_DETAIL_CRITICAL $CRL_FILE ($TIME_LEFT days left)" + elif check_range "$TIME_LEFT" "$RANGE_WARNING"; then if [ "$OUTPUT_EXIT_STATUS" -eq 0 ]; then - OUTPUT_EXIT_STATUS=1 + OUTPUT_EXIT_STATUS=$STATE_WARNING fi - OUTPUT_DETAIL_WARNING="$OUTPUT_DETAIL_WARNING crl:$CRL_FILE" + OUTPUT_DETAIL_WARNING="$OUTPUT_DETAIL_WARNING $CRL_FILE ($TIME_LEFT days left)" fi ;; @@ -184,6 +122,11 @@ while getopts hw:c:f: OPT; do esac done +if [ -z "$CRL_FILE" ]; then + echo "UNKNOWN: no file tested." + exit $STATE_UNKNOWN +fi + case "$OUTPUT_EXIT_STATUS" in '0') printf "OK" @@ -199,6 +142,9 @@ case "$OUTPUT_EXIT_STATUS" in ;; esac -# on supprime les retours à la ligne -exit $RETURN_STATUS +# Perfdata +#printf "|%s\n" "$OUTPUT_PERFDATA" +printf "\n" +# Exit with return status +exit $OUTPUT_EXIT_STATUS
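Review bot: A failing `date --date="$EXPIRATION_DATE"` is not detected in the new `TIME_LEFT` line of the `@@ -153,27 +91,27 @@` hunk. The command substitution inside `$(( ))` then expands to nothing, the arithmetic still appears to evaluate, and the plugin reports a large negative "days left" as CRITICAL instead of UNKNOWN. Separately, `if check_range ...` treats every non-zero status as "no alert", so an evaluation error (the status 2 that `check_range_syntax` tests for) falls through to OK. That is the wrong direction for an expiry monitor to fail. I would parse the expiry date in its own assignment, as below, and capture the `check_range` status so that 2 maps to `$STATE_UNKNOWN`. The `-f` case arm starts and ends outside the changed lines.

```shell
# … unchanged: EXPIRATION_DATE extraction and empty-string check …
if ! EXPIRATION_EPOCH="$( date --date="$EXPIRATION_DATE" +%s )"; then
	echo "UNKNOWN: couldn't parse expiration date."
	exit $STATE_UNKNOWN
fi
TIME_LEFT=$(( ( $EXPIRATION_EPOCH - $( date +%s ) ) / 86400 ))
# … unchanged: check_range comparisons against RANGE_CRITICAL / RANGE_WARNING …
```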
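Review bot: The new `if [ -z "$CRL_FILE" ]` guard in the `@@ -184,6 +122,11 @@` hunk relies on a variable that is not initialised in the lines visible here. A `CRL_FILE` inherited from the environment would defeat the guard, and the plugin would print OK without having examined any CRL. Adding `CRL_FILE=""` next to the other defaults at the top of the script closes that gap. Counting processed files inside the `-f` arm and testing the counter would be an alternative.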