1
0
Fork 0

nagios/check_crl: review and debug

This commit is contained in:
Chl 2019-08-08 01:32:29 +02:00
parent 7cadcce088
commit 273b6c8631

134
nagios/check_crl.sh Normal file → Executable file
View file

@ -4,19 +4,27 @@
# GPL v3+ # GPL v3+
# Default values # Default values
# Warning : 10 days - 10 years # Warning : 7 days - 10 years
RANGE_WARNING="864000:315360000" # (juste because more than 10 years is really far stretched and might be a manipulation error)
# Critical : 4 days RANGE_WARNING="7:3650"
RANGE_CRITICAL="345600:" # Critical : 3 days
RANGE_CRITICAL="3:"
# Output # Output
OUTPUT_EXIT_STATUS=0 OUTPUT_EXIT_STATUS=0
OUTPUT_DETAIL_WARNING="" OUTPUT_DETAIL_WARNING=""
OUTPUT_DETAIL_CRITICAL="" OUTPUT_DETAIL_CRITICAL=""
#OUTPUT_PERFDATA=""
PROGPATH=$( echo $0 | sed -e 's,[\\/][^\\/][^\\/]*$,,' )
REVISION="0.2"
# Stop at the first non-catched error # Stop at the first non-catched error
set -e set -e
# Include check_range()
. $PROGPATH/utils.sh
# #
# Help function # Help function
# #
@ -25,7 +33,7 @@ usage() {
Usage : Usage :
$0 [-w warning_range] [-c critical_range] -f file.crl [[-w...] -f file.crl ] ... $0 [-w warning_range] [-c critical_range] -f file.crl [[-w...] -f file.crl ] ...
Ranges are in seconds. Thresholds in days.
Note: Since the file is checked against the lastest ranges given, order Note: Since the file is checked against the lastest ranges given, order
of the arguments are important. of the arguments are important.
@ -36,88 +44,18 @@ Default values:
EOF EOF
} }
# TODO: manage non-integer values
# Args :
# - value
# - range warning
# - range critical
# Return:
# 0: ok
# 8: syntax error in range
# 9: higher threshold lower than lower threshold
check_range_syntax() { check_range_syntax() {
local REGEXP LOWER_THRESHOLD HIGHER_THRESHOLD check_range 0 "$1" >/dev/null 2>&1
if [ "$?" -eq "2" ]; then
# Check syntax
REGEXP='@\?\(-\?[0-9]\+:\|~:\|:\|\)\(-\?[0-9]\+\|~\|\)'
test -n "$( echo "$1" | sed -n "/^$REGEXP$/p" )" || return 8
# Check that lower limit is lower than higher limit :)
LOWER_THRESHOLD=$( echo "$1" | sed -n "s/$REGEXP/\1/p" | sed 's/:$//' )
HIGHER_THRESHOLD=$( echo "$1" | sed -n "s/$REGEXP/\2/p" )
if test -z "$LOWER_THRESHOLD"; then
LOWER_THRESHOLD=0
fi
if test -z "$HIGHER_THRESHOLD"; then
HIGHER_THRESHOLD='~'
fi
if [ "$LOWER_THRESHOLD" != "~" ]; then
if [ "$HIGHER_THRESHOLD" != "~" ] && [ "$LOWER_THRESHOLD" -gt "$HIGHER_THRESHOLD" ]; then
return 9
fi
fi
printf "%s\t%s" "$LOWER_THRESHOLD" "$HIGHER_THRESHOLD"
return 0
}
# Args :
# - value
# - range
# Return :
# 0: ok
# 1: not in range
# 8-15: see check_range_syntax()
# 16: function call problem
check_range() {
local VALUE LINE RET LOWER_THRESHOLD HIGHER_THRESHOLD
# ranges can be empty
test -n "$1" || return 16
VALUE="$1"
RANGE="$2"
# Analyze range
LINE=$( check_range_syntax "$RANGE" )
RET="$?"
test $RET -eq 0 || return $RET
LOWER_THRESHOLD="$( echo "$LINE" | cut -f 1 )"
HIGHER_THRESHOLD="$( echo "$LINE" | cut -f 2 )"
# Check value
if [ $( echo "$RANGE" | grep -c "^@" ) -eq 0 ]; then
# Normal comparison
if [ "$LOWER_THRESHOLD" != "~" ] && [ "$VALUE" -lt "$LOWER_THRESHOLD" ]; then
return 1 return 1
fi fi
if [ "$HIGHER_THRESHOLD" != "~" ] && [ "$VALUE" -gt "$HIGHER_THRESHOLD" ]; then
return 1
fi
else
# Invert range (inside, inclusive)
if [ "$LOWER_THRESHOLD" = '~' ] || [ "$VALUE" -ge "$LOWER_THRESHOLD" ]; then
if [ "$HIGHER_THRESHOLD" = '~' ] || [ "$VALUE" -le "$HIGHER_THRESHOLD" ]; then
return 1
fi
fi
fi
return 0 return 0
} }
# Some early checks # Some early checks
if ! which openssl >/dev/null 2>&1 ; then if ! which openssl >/dev/null 2>&1 ; then
echo "UNKNOWN 'openssl' not found." echo "UNKNOWN 'openssl' not found."
exit 1 exit $STATE_UNKNOWN
fi fi
# #
@ -134,8 +72,8 @@ while getopts hw:c:f: OPT; do
if check_range_syntax "$OPTARG" >/dev/null; then if check_range_syntax "$OPTARG" >/dev/null; then
RANGE_WARNING="$OPTARG" RANGE_WARNING="$OPTARG"
else else
echo "UNKNOWN: invalid range." echo "UNKNOWN: invalid range : $OPTARG"
exit 3 exit $STATE_UNKNOWN
fi fi
;; ;;
@ -143,8 +81,8 @@ while getopts hw:c:f: OPT; do
if check_range_syntax "$OPTARG" >/dev/null; then if check_range_syntax "$OPTARG" >/dev/null; then
RANGE_CRITICAL="$OPTARG" RANGE_CRITICAL="$OPTARG"
else else
echo "UNKNOWN: invalid range." echo "UNKNOWN: invalid range : $OPTARG"
exit 3 exit $STATE_UNKNOWN
fi fi
;; ;;
@ -153,27 +91,27 @@ while getopts hw:c:f: OPT; do
# should not be done during params management :) # should not be done during params management :)
CRL_FILE="$OPTARG" CRL_FILE="$OPTARG"
if [ ! -f "$CRL_FILE" ]; then if [ ! -f "$CRL_FILE" ]; then
echo "UNKNOWN: inexistent file." echo "UNKNOWN: inexistent file : $CRL_FILE"
exit 3 exit $STATE_UNKNOWN
fi fi
# Extract time left, in seconds # Extract time left, in seconds
EXPIRATION_DATE="$( openssl crl -noout -text -in "$CRL_FILE" | sed -n "s/^[[:space:]]\+Next Update: \(.*\)$/\1/p" )" EXPIRATION_DATE="$( openssl crl -noout -text -in "$CRL_FILE" | sed -n "s/^[[:space:]]\+Next Update: \(.*\)$/\1/p" )"
if [ -z "$EXPIRATION_DATE" ]; then if [ -z "$EXPIRATION_DATE" ]; then
echo "UNKNOWN: couldn't get expiration date." echo "UNKNOWN: couldn't get expiration date."
exit 3 exit $STATE_UNKNOWN
fi fi
TIME_LEFT=$(( $( date +%s ) - $( date --date="$EXPIRATION_DATE" +%s ) )) TIME_LEFT=$(( ( $( date --date="$EXPIRATION_DATE" +%s ) - $( date +%s ) ) / 86400 ))
# Check time left against range # Check time left against range
if ! check_range "$TIME_LEFT" "$RANGE_CRITICAL"; then if check_range "$TIME_LEFT" "$RANGE_CRITICAL"; then
OUTPUT_EXIT_STATUS=2 OUTPUT_EXIT_STATUS=$STATE_CRITICAL
OUTPUT_DETAIL_CRITICAL="$OUTPUT_DETAIL_CRITICAL crl:$CRL_FILE" OUTPUT_DETAIL_CRITICAL="$OUTPUT_DETAIL_CRITICAL $CRL_FILE ($TIME_LEFT days left)"
elif ! check_range "$CPT" "$RANGE_WARNING"; then elif check_range "$TIME_LEFT" "$RANGE_WARNING"; then
if [ "$OUTPUT_EXIT_STATUS" -eq 0 ]; then if [ "$OUTPUT_EXIT_STATUS" -eq 0 ]; then
OUTPUT_EXIT_STATUS=1 OUTPUT_EXIT_STATUS=$STATE_WARNING
fi fi
OUTPUT_DETAIL_WARNING="$OUTPUT_DETAIL_WARNING crl:$CRL_FILE" OUTPUT_DETAIL_WARNING="$OUTPUT_DETAIL_WARNING $CRL_FILE ($TIME_LEFT days left)"
fi fi
;; ;;
@ -184,6 +122,11 @@ while getopts hw:c:f: OPT; do
esac esac
done done
if [ -z "$CRL_FILE" ]; then
echo "UNKNOWN: no file tested."
exit $STATE_UNKNOWN
fi
case "$OUTPUT_EXIT_STATUS" in case "$OUTPUT_EXIT_STATUS" in
'0') '0')
printf "OK" printf "OK"
@ -199,6 +142,9 @@ case "$OUTPUT_EXIT_STATUS" in
;; ;;
esac esac
# on supprime les retours à la ligne # Perfdata
exit $RETURN_STATUS #printf "|%s\n" "$OUTPUT_PERFDATA"
printf "\n"
# Exit with return status
exit $OUTPUT_EXIT_STATUS