nagios/check_crl: review and debug
parent
7cadcce088
commit
273b6c8631
1 changed files with 41 additions and 95 deletions
134
nagios/check_crl.sh
Normal file → Executable file
134
nagios/check_crl.sh
Normal file → Executable file
|
@ -4,19 +4,27 @@
|
|||
# GPL v3+
|
||||
|
||||
# Default values
|
||||
# Warning : 10 days - 10 years
|
||||
RANGE_WARNING="864000:315360000"
|
||||
# Critical : 4 days
|
||||
RANGE_CRITICAL="345600:"
|
||||
# Warning : 7 days - 10 years
|
||||
# (juste because more than 10 years is really far stretched and might be a manipulation error)
|
||||
RANGE_WARNING="7:3650"
|
||||
# Critical : 3 days
|
||||
RANGE_CRITICAL="3:"
|
||||
|
||||
# Output
|
||||
OUTPUT_EXIT_STATUS=0
|
||||
OUTPUT_DETAIL_WARNING=""
|
||||
OUTPUT_DETAIL_CRITICAL=""
|
||||
#OUTPUT_PERFDATA=""
|
||||
|
||||
PROGPATH=$( echo $0 | sed -e 's,[\\/][^\\/][^\\/]*$,,' )
|
||||
REVISION="0.2"
|
||||
|
||||
# Stop at the first non-catched error
|
||||
set -e
|
||||
|
||||
# Include check_range()
|
||||
. $PROGPATH/utils.sh
|
||||
|
||||
#
|
||||
# Help function
|
||||
#
|
||||
|
@ -25,7 +33,7 @@ usage() {
|
|||
Usage :
|
||||
$0 [-w warning_range] [-c critical_range] -f file.crl [[-w...] -f file.crl ] ...
|
||||
|
||||
Ranges are in seconds.
|
||||
Thresholds in days.
|
||||
|
||||
Note: Since the file is checked against the lastest ranges given, order
|
||||
of the arguments are important.
|
||||
|
@ -36,88 +44,18 @@ Default values:
|
|||
EOF
|
||||
}
|
||||
|
||||
# TODO: manage non-integer values
|
||||
# Args :
|
||||
# - value
|
||||
# - range warning
|
||||
# - range critical
|
||||
# Return:
|
||||
# 0: ok
|
||||
# 8: syntax error in range
|
||||
# 9: higher threshold lower than lower threshold
|
||||
check_range_syntax() {
|
||||
local REGEXP LOWER_THRESHOLD HIGHER_THRESHOLD
|
||||
|
||||
# Check syntax
|
||||
REGEXP='@\?\(-\?[0-9]\+:\|~:\|:\|\)\(-\?[0-9]\+\|~\|\)'
|
||||
test -n "$( echo "$1" | sed -n "/^$REGEXP$/p" )" || return 8
|
||||
|
||||
# Check that lower limit is lower than higher limit :)
|
||||
LOWER_THRESHOLD=$( echo "$1" | sed -n "s/$REGEXP/\1/p" | sed 's/:$//' )
|
||||
HIGHER_THRESHOLD=$( echo "$1" | sed -n "s/$REGEXP/\2/p" )
|
||||
if test -z "$LOWER_THRESHOLD"; then
|
||||
LOWER_THRESHOLD=0
|
||||
fi
|
||||
if test -z "$HIGHER_THRESHOLD"; then
|
||||
HIGHER_THRESHOLD='~'
|
||||
fi
|
||||
if [ "$LOWER_THRESHOLD" != "~" ]; then
|
||||
if [ "$HIGHER_THRESHOLD" != "~" ] && [ "$LOWER_THRESHOLD" -gt "$HIGHER_THRESHOLD" ]; then
|
||||
return 9
|
||||
fi
|
||||
fi
|
||||
|
||||
printf "%s\t%s" "$LOWER_THRESHOLD" "$HIGHER_THRESHOLD"
|
||||
return 0
|
||||
}
|
||||
|
||||
# Args :
|
||||
# - value
|
||||
# - range
|
||||
# Return :
|
||||
# 0: ok
|
||||
# 1: not in range
|
||||
# 8-15: see check_range_syntax()
|
||||
# 16: function call problem
|
||||
check_range() {
|
||||
local VALUE LINE RET LOWER_THRESHOLD HIGHER_THRESHOLD
|
||||
# ranges can be empty
|
||||
test -n "$1" || return 16
|
||||
VALUE="$1"
|
||||
RANGE="$2"
|
||||
|
||||
# Analyze range
|
||||
LINE=$( check_range_syntax "$RANGE" )
|
||||
RET="$?"
|
||||
test $RET -eq 0 || return $RET
|
||||
LOWER_THRESHOLD="$( echo "$LINE" | cut -f 1 )"
|
||||
HIGHER_THRESHOLD="$( echo "$LINE" | cut -f 2 )"
|
||||
|
||||
# Check value
|
||||
if [ $( echo "$RANGE" | grep -c "^@" ) -eq 0 ]; then
|
||||
# Normal comparison
|
||||
if [ "$LOWER_THRESHOLD" != "~" ] && [ "$VALUE" -lt "$LOWER_THRESHOLD" ]; then
|
||||
check_range 0 "$1" >/dev/null 2>&1
|
||||
if [ "$?" -eq "2" ]; then
|
||||
return 1
|
||||
fi
|
||||
if [ "$HIGHER_THRESHOLD" != "~" ] && [ "$VALUE" -gt "$HIGHER_THRESHOLD" ]; then
|
||||
return 1
|
||||
fi
|
||||
else
|
||||
# Invert range (inside, inclusive)
|
||||
if [ "$LOWER_THRESHOLD" = '~' ] || [ "$VALUE" -ge "$LOWER_THRESHOLD" ]; then
|
||||
if [ "$HIGHER_THRESHOLD" = '~' ] || [ "$VALUE" -le "$HIGHER_THRESHOLD" ]; then
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
# Some early checks
|
||||
if ! which openssl >/dev/null 2>&1 ; then
|
||||
echo "UNKNOWN 'openssl' not found."
|
||||
exit 1
|
||||
exit $STATE_UNKNOWN
|
||||
fi
|
||||
|
||||
#
|
||||
|
@ -134,8 +72,8 @@ while getopts hw:c:f: OPT; do
|
|||
if check_range_syntax "$OPTARG" >/dev/null; then
|
||||
RANGE_WARNING="$OPTARG"
|
||||
else
|
||||
echo "UNKNOWN: invalid range."
|
||||
exit 3
|
||||
echo "UNKNOWN: invalid range : $OPTARG"
|
||||
exit $STATE_UNKNOWN
|
||||
fi
|
||||
;;
|
||||
|
||||
|
@ -143,8 +81,8 @@ while getopts hw:c:f: OPT; do
|
|||
if check_range_syntax "$OPTARG" >/dev/null; then
|
||||
RANGE_CRITICAL="$OPTARG"
|
||||
else
|
||||
echo "UNKNOWN: invalid range."
|
||||
exit 3
|
||||
echo "UNKNOWN: invalid range : $OPTARG"
|
||||
exit $STATE_UNKNOWN
|
||||
fi
|
||||
;;
|
||||
|
||||
|
@ -153,27 +91,27 @@ while getopts hw:c:f: OPT; do
|
|||
# should not be done during params management :)
|
||||
CRL_FILE="$OPTARG"
|
||||
if [ ! -f "$CRL_FILE" ]; then
|
||||
echo "UNKNOWN: inexistent file."
|
||||
exit 3
|
||||
echo "UNKNOWN: inexistent file : $CRL_FILE"
|
||||
exit $STATE_UNKNOWN
|
||||
fi
|
||||
|
||||
# Extract time left, in seconds
|
||||
EXPIRATION_DATE="$( openssl crl -noout -text -in "$CRL_FILE" | sed -n "s/^[[:space:]]\+Next Update: \(.*\)$/\1/p" )"
|
||||
if [ -z "$EXPIRATION_DATE" ]; then
|
||||
echo "UNKNOWN: couldn't get expiration date."
|
||||
exit 3
|
||||
exit $STATE_UNKNOWN
|
||||
fi
|
||||
TIME_LEFT=$(( $( date +%s ) - $( date --date="$EXPIRATION_DATE" +%s ) ))
|
||||
TIME_LEFT=$(( ( $( date --date="$EXPIRATION_DATE" +%s ) - $( date +%s ) ) / 86400 ))
|
||||
|
||||
# Check time left against range
|
||||
if ! check_range "$TIME_LEFT" "$RANGE_CRITICAL"; then
|
||||
OUTPUT_EXIT_STATUS=2
|
||||
OUTPUT_DETAIL_CRITICAL="$OUTPUT_DETAIL_CRITICAL crl:$CRL_FILE"
|
||||
elif ! check_range "$CPT" "$RANGE_WARNING"; then
|
||||
if check_range "$TIME_LEFT" "$RANGE_CRITICAL"; then
|
||||
OUTPUT_EXIT_STATUS=$STATE_CRITICAL
|
||||
OUTPUT_DETAIL_CRITICAL="$OUTPUT_DETAIL_CRITICAL $CRL_FILE ($TIME_LEFT days left)"
|
||||
elif check_range "$TIME_LEFT" "$RANGE_WARNING"; then
|
||||
if [ "$OUTPUT_EXIT_STATUS" -eq 0 ]; then
|
||||
OUTPUT_EXIT_STATUS=1
|
||||
OUTPUT_EXIT_STATUS=$STATE_WARNING
|
||||
fi
|
||||
OUTPUT_DETAIL_WARNING="$OUTPUT_DETAIL_WARNING crl:$CRL_FILE"
|
||||
OUTPUT_DETAIL_WARNING="$OUTPUT_DETAIL_WARNING $CRL_FILE ($TIME_LEFT days left)"
|
||||
fi
|
||||
;;
|
||||
|
||||
|
@ -184,6 +122,11 @@ while getopts hw:c:f: OPT; do
|
|||
esac
|
||||
done
|
||||
|
||||
if [ -z "$CRL_FILE" ]; then
|
||||
echo "UNKNOWN: no file tested."
|
||||
exit $STATE_UNKNOWN
|
||||
fi
|
||||
|
||||
case "$OUTPUT_EXIT_STATUS" in
|
||||
'0')
|
||||
printf "OK"
|
||||
|
@ -199,6 +142,9 @@ case "$OUTPUT_EXIT_STATUS" in
|
|||
;;
|
||||
esac
|
||||
|
||||
# on supprime les retours à la ligne
|
||||
exit $RETURN_STATUS
|
||||
# Perfdata
|
||||
#printf "|%s\n" "$OUTPUT_PERFDATA"
|
||||
printf "\n"
|
||||
|
||||
# Exit with return status
|
||||
exit $OUTPUT_EXIT_STATUS
|
||||
|
|
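Review bot: The threshold test in the `-f` branch treats every non-zero status from `check_range` as "inside the range", so a failure of the check itself is reported as OK. `if check_range "$TIME_LEFT" "$RANGE_CRITICAL"; then … elif check_range "$TIME_LEFT" "$RANGE_WARNING"; then … fi` has no branch for the error status that the `check_range_syntax` wrapper tests for (`"$?" -eq "2"`), nor for 127 should the sourced `utils.sh` (not shown on this page) lack the function; in that second case the wrapper would presumably also accept any `-w`/`-c` argument. For a CRL freshness monitor the safe default on an internal failure is UNKNOWN, so I would capture the status once per range and send anything other than 0 or 1 to `exit $STATE_UNKNOWN`, as sketched below. The page has lost its +/- markers, so this reads the `$STATE_*` variant of each doubled line as the new side; the enclosing `while getopts` loop starts and ends outside this hunk.

```shell
# … unchanged: CRL_FILE existence test, EXPIRATION_DATE extraction, TIME_LEFT computation …
RC=0
check_range "$TIME_LEFT" "$RANGE_CRITICAL" || RC=$?
if [ "$RC" -eq 0 ]; then
    # … unchanged: CRITICAL status and detail …
elif [ "$RC" -ne 1 ]; then
    echo "UNKNOWN: check_range failed on critical range for $CRL_FILE"
    exit $STATE_UNKNOWN
else
    RC=0
    check_range "$TIME_LEFT" "$RANGE_WARNING" || RC=$?
    if [ "$RC" -eq 0 ]; then
        # … unchanged: WARNING status and detail …
    elif [ "$RC" -ne 1 ]; then
        echo "UNKNOWN: check_range failed on warning range for $CRL_FILE"
        exit $STATE_UNKNOWN
    fi
fi
```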