1
0
Fork 0

nagios/check_crl: review and debug

This commit is contained in:
Chl 2019-08-08 01:32:29 +02:00
parent 7cadcce088
commit 273b6c8631

134
nagios/check_crl.sh Normal file → Executable file
View file

@ -4,19 +4,27 @@
# GPL v3+
# Default values
# Warning : 10 days - 10 years
RANGE_WARNING="864000:315360000"
# Critical : 4 days
RANGE_CRITICAL="345600:"
# Warning : 7 days - 10 years
# (juste because more than 10 years is really far stretched and might be a manipulation error)
RANGE_WARNING="7:3650"
# Critical : 3 days
RANGE_CRITICAL="3:"
# Output
OUTPUT_EXIT_STATUS=0
OUTPUT_DETAIL_WARNING=""
OUTPUT_DETAIL_CRITICAL=""
#OUTPUT_PERFDATA=""
PROGPATH=$( echo $0 | sed -e 's,[\\/][^\\/][^\\/]*$,,' )
REVISION="0.2"
# Stop at the first non-catched error
set -e
# Include check_range()
. $PROGPATH/utils.sh
#
# Help function
#
@ -25,7 +33,7 @@ usage() {
Usage :
$0 [-w warning_range] [-c critical_range] -f file.crl [[-w...] -f file.crl ] ...
Ranges are in seconds.
Thresholds in days.
Note: Since the file is checked against the lastest ranges given, order
of the arguments are important.
@ -36,88 +44,18 @@ Default values:
EOF
}
# TODO: manage non-integer values
# Args :
# - value
# - range warning
# - range critical
# Return:
# 0: ok
# 8: syntax error in range
# 9: higher threshold lower than lower threshold
check_range_syntax() {
local REGEXP LOWER_THRESHOLD HIGHER_THRESHOLD
# Check syntax
REGEXP='@\?\(-\?[0-9]\+:\|~:\|:\|\)\(-\?[0-9]\+\|~\|\)'
test -n "$( echo "$1" | sed -n "/^$REGEXP$/p" )" || return 8
# Check that lower limit is lower than higher limit :)
LOWER_THRESHOLD=$( echo "$1" | sed -n "s/$REGEXP/\1/p" | sed 's/:$//' )
HIGHER_THRESHOLD=$( echo "$1" | sed -n "s/$REGEXP/\2/p" )
if test -z "$LOWER_THRESHOLD"; then
LOWER_THRESHOLD=0
fi
if test -z "$HIGHER_THRESHOLD"; then
HIGHER_THRESHOLD='~'
fi
if [ "$LOWER_THRESHOLD" != "~" ]; then
if [ "$HIGHER_THRESHOLD" != "~" ] && [ "$LOWER_THRESHOLD" -gt "$HIGHER_THRESHOLD" ]; then
return 9
fi
fi
printf "%s\t%s" "$LOWER_THRESHOLD" "$HIGHER_THRESHOLD"
return 0
}
# Args :
# - value
# - range
# Return :
# 0: ok
# 1: not in range
# 8-15: see check_range_syntax()
# 16: function call problem
check_range() {
local VALUE LINE RET LOWER_THRESHOLD HIGHER_THRESHOLD
# ranges can be empty
test -n "$1" || return 16
VALUE="$1"
RANGE="$2"
# Analyze range
LINE=$( check_range_syntax "$RANGE" )
RET="$?"
test $RET -eq 0 || return $RET
LOWER_THRESHOLD="$( echo "$LINE" | cut -f 1 )"
HIGHER_THRESHOLD="$( echo "$LINE" | cut -f 2 )"
# Check value
if [ $( echo "$RANGE" | grep -c "^@" ) -eq 0 ]; then
# Normal comparison
if [ "$LOWER_THRESHOLD" != "~" ] && [ "$VALUE" -lt "$LOWER_THRESHOLD" ]; then
check_range 0 "$1" >/dev/null 2>&1
if [ "$?" -eq "2" ]; then
return 1
fi
if [ "$HIGHER_THRESHOLD" != "~" ] && [ "$VALUE" -gt "$HIGHER_THRESHOLD" ]; then
return 1
fi
else
# Invert range (inside, inclusive)
if [ "$LOWER_THRESHOLD" = '~' ] || [ "$VALUE" -ge "$LOWER_THRESHOLD" ]; then
if [ "$HIGHER_THRESHOLD" = '~' ] || [ "$VALUE" -le "$HIGHER_THRESHOLD" ]; then
return 1
fi
fi
fi
return 0
}
# Some early checks
if ! which openssl >/dev/null 2>&1 ; then
echo "UNKNOWN 'openssl' not found."
exit 1
exit $STATE_UNKNOWN
fi
#
@ -134,8 +72,8 @@ while getopts hw:c:f: OPT; do
if check_range_syntax "$OPTARG" >/dev/null; then
RANGE_WARNING="$OPTARG"
else
echo "UNKNOWN: invalid range."
exit 3
echo "UNKNOWN: invalid range : $OPTARG"
exit $STATE_UNKNOWN
fi
;;
@ -143,8 +81,8 @@ while getopts hw:c:f: OPT; do
if check_range_syntax "$OPTARG" >/dev/null; then
RANGE_CRITICAL="$OPTARG"
else
echo "UNKNOWN: invalid range."
exit 3
echo "UNKNOWN: invalid range : $OPTARG"
exit $STATE_UNKNOWN
fi
;;
@ -153,27 +91,27 @@ while getopts hw:c:f: OPT; do
# should not be done during params management :)
CRL_FILE="$OPTARG"
if [ ! -f "$CRL_FILE" ]; then
echo "UNKNOWN: inexistent file."
exit 3
echo "UNKNOWN: inexistent file : $CRL_FILE"
exit $STATE_UNKNOWN
fi
# Extract time left, in seconds
EXPIRATION_DATE="$( openssl crl -noout -text -in "$CRL_FILE" | sed -n "s/^[[:space:]]\+Next Update: \(.*\)$/\1/p" )"
if [ -z "$EXPIRATION_DATE" ]; then
echo "UNKNOWN: couldn't get expiration date."
exit 3
exit $STATE_UNKNOWN
fi
TIME_LEFT=$(( $( date +%s ) - $( date --date="$EXPIRATION_DATE" +%s ) ))
TIME_LEFT=$(( ( $( date --date="$EXPIRATION_DATE" +%s ) - $( date +%s ) ) / 86400 ))
# Check time left against range
if ! check_range "$TIME_LEFT" "$RANGE_CRITICAL"; then
OUTPUT_EXIT_STATUS=2
OUTPUT_DETAIL_CRITICAL="$OUTPUT_DETAIL_CRITICAL crl:$CRL_FILE"
elif ! check_range "$CPT" "$RANGE_WARNING"; then
if check_range "$TIME_LEFT" "$RANGE_CRITICAL"; then
OUTPUT_EXIT_STATUS=$STATE_CRITICAL
OUTPUT_DETAIL_CRITICAL="$OUTPUT_DETAIL_CRITICAL $CRL_FILE ($TIME_LEFT days left)"
elif check_range "$TIME_LEFT" "$RANGE_WARNING"; then
if [ "$OUTPUT_EXIT_STATUS" -eq 0 ]; then
OUTPUT_EXIT_STATUS=1
OUTPUT_EXIT_STATUS=$STATE_WARNING
fi
OUTPUT_DETAIL_WARNING="$OUTPUT_DETAIL_WARNING crl:$CRL_FILE"
OUTPUT_DETAIL_WARNING="$OUTPUT_DETAIL_WARNING $CRL_FILE ($TIME_LEFT days left)"
fi
;;
@ -184,6 +122,11 @@ while getopts hw:c:f: OPT; do
esac
done
if [ -z "$CRL_FILE" ]; then
echo "UNKNOWN: no file tested."
exit $STATE_UNKNOWN
fi
case "$OUTPUT_EXIT_STATUS" in
'0')
printf "OK"
@ -199,6 +142,9 @@ case "$OUTPUT_EXIT_STATUS" in
;;
esac
# on supprime les retours à la ligne
exit $RETURN_STATUS
# Perfdata
#printf "|%s\n" "$OUTPUT_PERFDATA"
printf "\n"
# Exit with return status
exit $OUTPUT_EXIT_STATUS