nagios/check_crl: review and debug
parent
7cadcce088
commit
273b6c8631
1 changed files with 41 additions and 95 deletions
134
nagios/check_crl.sh
Normal file → Executable file
134
nagios/check_crl.sh
Normal file → Executable file
|
@ -4,19 +4,27 @@
|
||||||
# GPL v3+
|
# GPL v3+
|
||||||
|
|
||||||
# Default values
|
# Default values
|
||||||
# Warning : 10 days - 10 years
|
# Warning : 7 days - 10 years
|
||||||
RANGE_WARNING="864000:315360000"
|
# (juste because more than 10 years is really far stretched and might be a manipulation error)
|
||||||
# Critical : 4 days
|
RANGE_WARNING="7:3650"
|
||||||
RANGE_CRITICAL="345600:"
|
# Critical : 3 days
|
||||||
|
RANGE_CRITICAL="3:"
|
||||||
|
|
||||||
# Output
|
# Output
|
||||||
OUTPUT_EXIT_STATUS=0
|
OUTPUT_EXIT_STATUS=0
|
||||||
OUTPUT_DETAIL_WARNING=""
|
OUTPUT_DETAIL_WARNING=""
|
||||||
OUTPUT_DETAIL_CRITICAL=""
|
OUTPUT_DETAIL_CRITICAL=""
|
||||||
|
#OUTPUT_PERFDATA=""
|
||||||
|
|
||||||
|
PROGPATH=$( echo $0 | sed -e 's,[\\/][^\\/][^\\/]*$,,' )
|
||||||
|
REVISION="0.2"
|
||||||
|
|
||||||
# Stop at the first non-catched error
|
# Stop at the first non-catched error
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
|
# Include check_range()
|
||||||
|
. $PROGPATH/utils.sh
|
||||||
|
|
||||||
#
|
#
|
||||||
# Help function
|
# Help function
|
||||||
#
|
#
|
||||||
|
@ -25,7 +33,7 @@ usage() {
|
||||||
Usage :
|
Usage :
|
||||||
$0 [-w warning_range] [-c critical_range] -f file.crl [[-w...] -f file.crl ] ...
|
$0 [-w warning_range] [-c critical_range] -f file.crl [[-w...] -f file.crl ] ...
|
||||||
|
|
||||||
Ranges are in seconds.
|
Thresholds in days.
|
||||||
|
|
||||||
Note: Since the file is checked against the lastest ranges given, order
|
Note: Since the file is checked against the lastest ranges given, order
|
||||||
of the arguments are important.
|
of the arguments are important.
|
||||||
|
@ -36,88 +44,18 @@ Default values:
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
# TODO: manage non-integer values
|
|
||||||
# Args :
|
|
||||||
# - value
|
|
||||||
# - range warning
|
|
||||||
# - range critical
|
|
||||||
# Return:
|
|
||||||
# 0: ok
|
|
||||||
# 8: syntax error in range
|
|
||||||
# 9: higher threshold lower than lower threshold
|
|
||||||
check_range_syntax() {
|
check_range_syntax() {
|
||||||
local REGEXP LOWER_THRESHOLD HIGHER_THRESHOLD
|
check_range 0 "$1" >/dev/null 2>&1
|
||||||
|
if [ "$?" -eq "2" ]; then
|
||||||
# Check syntax
|
|
||||||
REGEXP='@\?\(-\?[0-9]\+:\|~:\|:\|\)\(-\?[0-9]\+\|~\|\)'
|
|
||||||
test -n "$( echo "$1" | sed -n "/^$REGEXP$/p" )" || return 8
|
|
||||||
|
|
||||||
# Check that lower limit is lower than higher limit :)
|
|
||||||
LOWER_THRESHOLD=$( echo "$1" | sed -n "s/$REGEXP/\1/p" | sed 's/:$//' )
|
|
||||||
HIGHER_THRESHOLD=$( echo "$1" | sed -n "s/$REGEXP/\2/p" )
|
|
||||||
if test -z "$LOWER_THRESHOLD"; then
|
|
||||||
LOWER_THRESHOLD=0
|
|
||||||
fi
|
|
||||||
if test -z "$HIGHER_THRESHOLD"; then
|
|
||||||
HIGHER_THRESHOLD='~'
|
|
||||||
fi
|
|
||||||
if [ "$LOWER_THRESHOLD" != "~" ]; then
|
|
||||||
if [ "$HIGHER_THRESHOLD" != "~" ] && [ "$LOWER_THRESHOLD" -gt "$HIGHER_THRESHOLD" ]; then
|
|
||||||
return 9
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
printf "%s\t%s" "$LOWER_THRESHOLD" "$HIGHER_THRESHOLD"
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
|
|
||||||
# Args :
|
|
||||||
# - value
|
|
||||||
# - range
|
|
||||||
# Return :
|
|
||||||
# 0: ok
|
|
||||||
# 1: not in range
|
|
||||||
# 8-15: see check_range_syntax()
|
|
||||||
# 16: function call problem
|
|
||||||
check_range() {
|
|
||||||
local VALUE LINE RET LOWER_THRESHOLD HIGHER_THRESHOLD
|
|
||||||
# ranges can be empty
|
|
||||||
test -n "$1" || return 16
|
|
||||||
VALUE="$1"
|
|
||||||
RANGE="$2"
|
|
||||||
|
|
||||||
# Analyze range
|
|
||||||
LINE=$( check_range_syntax "$RANGE" )
|
|
||||||
RET="$?"
|
|
||||||
test $RET -eq 0 || return $RET
|
|
||||||
LOWER_THRESHOLD="$( echo "$LINE" | cut -f 1 )"
|
|
||||||
HIGHER_THRESHOLD="$( echo "$LINE" | cut -f 2 )"
|
|
||||||
|
|
||||||
# Check value
|
|
||||||
if [ $( echo "$RANGE" | grep -c "^@" ) -eq 0 ]; then
|
|
||||||
# Normal comparison
|
|
||||||
if [ "$LOWER_THRESHOLD" != "~" ] && [ "$VALUE" -lt "$LOWER_THRESHOLD" ]; then
|
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
if [ "$HIGHER_THRESHOLD" != "~" ] && [ "$VALUE" -gt "$HIGHER_THRESHOLD" ]; then
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
# Invert range (inside, inclusive)
|
|
||||||
if [ "$LOWER_THRESHOLD" = '~' ] || [ "$VALUE" -ge "$LOWER_THRESHOLD" ]; then
|
|
||||||
if [ "$HIGHER_THRESHOLD" = '~' ] || [ "$VALUE" -le "$HIGHER_THRESHOLD" ]; then
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
# Some early checks
|
# Some early checks
|
||||||
if ! which openssl >/dev/null 2>&1 ; then
|
if ! which openssl >/dev/null 2>&1 ; then
|
||||||
echo "UNKNOWN 'openssl' not found."
|
echo "UNKNOWN 'openssl' not found."
|
||||||
exit 1
|
exit $STATE_UNKNOWN
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -134,8 +72,8 @@ while getopts hw:c:f: OPT; do
|
||||||
if check_range_syntax "$OPTARG" >/dev/null; then
|
if check_range_syntax "$OPTARG" >/dev/null; then
|
||||||
RANGE_WARNING="$OPTARG"
|
RANGE_WARNING="$OPTARG"
|
||||||
else
|
else
|
||||||
echo "UNKNOWN: invalid range."
|
echo "UNKNOWN: invalid range : $OPTARG"
|
||||||
exit 3
|
exit $STATE_UNKNOWN
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
@ -143,8 +81,8 @@ while getopts hw:c:f: OPT; do
|
||||||
if check_range_syntax "$OPTARG" >/dev/null; then
|
if check_range_syntax "$OPTARG" >/dev/null; then
|
||||||
RANGE_CRITICAL="$OPTARG"
|
RANGE_CRITICAL="$OPTARG"
|
||||||
else
|
else
|
||||||
echo "UNKNOWN: invalid range."
|
echo "UNKNOWN: invalid range : $OPTARG"
|
||||||
exit 3
|
exit $STATE_UNKNOWN
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
@ -153,27 +91,27 @@ while getopts hw:c:f: OPT; do
|
||||||
# should not be done during params management :)
|
# should not be done during params management :)
|
||||||
CRL_FILE="$OPTARG"
|
CRL_FILE="$OPTARG"
|
||||||
if [ ! -f "$CRL_FILE" ]; then
|
if [ ! -f "$CRL_FILE" ]; then
|
||||||
echo "UNKNOWN: inexistent file."
|
echo "UNKNOWN: inexistent file : $CRL_FILE"
|
||||||
exit 3
|
exit $STATE_UNKNOWN
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Extract time left, in seconds
|
# Extract time left, in seconds
|
||||||
EXPIRATION_DATE="$( openssl crl -noout -text -in "$CRL_FILE" | sed -n "s/^[[:space:]]\+Next Update: \(.*\)$/\1/p" )"
|
EXPIRATION_DATE="$( openssl crl -noout -text -in "$CRL_FILE" | sed -n "s/^[[:space:]]\+Next Update: \(.*\)$/\1/p" )"
|
||||||
if [ -z "$EXPIRATION_DATE" ]; then
|
if [ -z "$EXPIRATION_DATE" ]; then
|
||||||
echo "UNKNOWN: couldn't get expiration date."
|
echo "UNKNOWN: couldn't get expiration date."
|
||||||
exit 3
|
exit $STATE_UNKNOWN
|
||||||
fi
|
fi
|
||||||
TIME_LEFT=$(( $( date +%s ) - $( date --date="$EXPIRATION_DATE" +%s ) ))
|
TIME_LEFT=$(( ( $( date --date="$EXPIRATION_DATE" +%s ) - $( date +%s ) ) / 86400 ))
|
||||||
|
|
||||||
# Check time left against range
|
# Check time left against range
|
||||||
if ! check_range "$TIME_LEFT" "$RANGE_CRITICAL"; then
|
if check_range "$TIME_LEFT" "$RANGE_CRITICAL"; then
|
||||||
OUTPUT_EXIT_STATUS=2
|
OUTPUT_EXIT_STATUS=$STATE_CRITICAL
|
||||||
OUTPUT_DETAIL_CRITICAL="$OUTPUT_DETAIL_CRITICAL crl:$CRL_FILE"
|
OUTPUT_DETAIL_CRITICAL="$OUTPUT_DETAIL_CRITICAL $CRL_FILE ($TIME_LEFT days left)"
|
||||||
elif ! check_range "$CPT" "$RANGE_WARNING"; then
|
elif check_range "$TIME_LEFT" "$RANGE_WARNING"; then
|
||||||
if [ "$OUTPUT_EXIT_STATUS" -eq 0 ]; then
|
if [ "$OUTPUT_EXIT_STATUS" -eq 0 ]; then
|
||||||
OUTPUT_EXIT_STATUS=1
|
OUTPUT_EXIT_STATUS=$STATE_WARNING
|
||||||
fi
|
fi
|
||||||
OUTPUT_DETAIL_WARNING="$OUTPUT_DETAIL_WARNING crl:$CRL_FILE"
|
OUTPUT_DETAIL_WARNING="$OUTPUT_DETAIL_WARNING $CRL_FILE ($TIME_LEFT days left)"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
@ -184,6 +122,11 @@ while getopts hw:c:f: OPT; do
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
|
|
||||||
|
if [ -z "$CRL_FILE" ]; then
|
||||||
|
echo "UNKNOWN: no file tested."
|
||||||
|
exit $STATE_UNKNOWN
|
||||||
|
fi
|
||||||
|
|
||||||
case "$OUTPUT_EXIT_STATUS" in
|
case "$OUTPUT_EXIT_STATUS" in
|
||||||
'0')
|
'0')
|
||||||
printf "OK"
|
printf "OK"
|
||||||
|
@ -199,6 +142,9 @@ case "$OUTPUT_EXIT_STATUS" in
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# on supprime les retours à la ligne
|
# Perfdata
|
||||||
exit $RETURN_STATUS
|
#printf "|%s\n" "$OUTPUT_PERFDATA"
|
||||||
|
printf "\n"
|
||||||
|
|
||||||
|
# Exit with return status
|
||||||
|
exit $OUTPUT_EXIT_STATUS
|
||||||
|
|
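Review bot: The new day conversion in the `-f` arm, `TIME_LEFT=$(( ( $( date --date="$EXPIRATION_DATE" +%s ) - $( date +%s ) ) / 86400 ))`, truncates toward zero, so a CRL whose Next Update passed less than 24 hours ago yields `0`, the same value as one that is still valid for 23 hours. With the default `3:` critical range both still alert, but a tighter threshold such as `-c 0:` would presumably not report an already expired CRL as critical (assuming `check_range` from `utils.sh`, which is not shown here, follows the usual Nagios range convention), and the output reads `0 days left` either way. Keeping the difference in seconds and testing expiry before dividing avoids this: `SECONDS_LEFT=$(( $( date --date="$EXPIRATION_DATE" +%s ) - $( date +%s ) ))`, then treat `[ "$SECONDS_LEFT" -lt 0 ]` as critical and set `TIME_LEFT=$(( SECONDS_LEFT / 86400 ))`. The comment above the computation still says `# Extract time left, in seconds` and should say days; the `-f` case arm itself starts outside this hunk.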