nagios/check_crl: review and debug

Makefile-dnssec-nsec3

@@ -1,3 +1,12 @@
+# Small memento to get things up with BIND 9
+#  cd /etc/bind/keys
+#  dnssec-keygen -a RSASHA512 -3 -b 2048 -n ZONE -f KSK -L 172800 example.org
+#  dnssec-keygen -a RSASHA512 -3 -b 2048 -n ZONE        -L 172800 example.org
+# then, add the two INCLUDE in the zone file :
+#  $INCLUDE ../keys/Kexample.org.+010+31182.key ; 257 = KSK
+#  $INCLUDE ../keys/Kexample.org.+010+61130.key ; 256 = ZSK
+# finally, launch the make to generate the db.xxxxx.signed file.
+
 # For NSEC3 records, we need 8 random bytes, which means a 16 hexa string
 SALT := $(shell dd if=/dev/random bs=13 count=1 2>/dev/null | hexdump -v -e '"%02x"' | cut -c 1-16 )
 
@@ -8,6 +17,11 @@ reload: db.*.signed
 	service bind9 reload
 	# Ou nsdc rebuild && nsdc reload pour NSD
 
+# Look up for any db.xxx / db.xxx.signed pair and launch
+# the signing if db.xxx.signed is older than db.xxx
+# memento :
+# - $* = "db.xxx.signed"
+# - $^ = "db.xxx"
 db.%.signed: db.%
 	@echo Signing requires a lot of entropy in /dev/random, do not hesitate to load the machine...
 	# 5356800 seconds = two months of validity

nagios/check_crl.sh

@@ -4,19 +4,27 @@
 # GPL v3+
 
 # Default values
-# Warning : 10 days - 10 years
-RANGE_WARNING="864000:315360000"
-# Critical : 4 days
-RANGE_CRITICAL="345600:"
+# Warning : 7 days - 10 years
+# (juste because more than 10 years is really far stretched and might be a manipulation error)
+RANGE_WARNING="7:3650"
+# Critical : 3 days
+RANGE_CRITICAL="3:"
 
 # Output
 OUTPUT_EXIT_STATUS=0
 OUTPUT_DETAIL_WARNING=""
 OUTPUT_DETAIL_CRITICAL=""
+#OUTPUT_PERFDATA=""
+
+PROGPATH=$( echo $0 | sed -e 's,[\\/][^\\/][^\\/]*$,,' )
+REVISION="0.2"
 
 # Stop at the first non-catched error
 set -e
 
+# Include check_range()
+. $PROGPATH/utils.sh
+
 #
 # Help function
 #
@@ -25,7 +33,7 @@ usage() {
 Usage :
   $0 [-w warning_range] [-c critical_range] -f file.crl [[-w...] -f file.crl ] ...
 
-Ranges are in seconds.
+Thresholds in days.
 
 Note: Since the file is checked against the lastest ranges given, order
       of the arguments are important.
@@ -36,88 +44,18 @@ Default values:
 EOF
 }
 
-# TODO: manage non-integer values
-# Args :
-# - value
-# - range warning
-# - range critical
-# Return:
-# 0: ok
-# 8: syntax error in range
-# 9: higher threshold lower than lower threshold
 check_range_syntax() {
-	local REGEXP LOWER_THRESHOLD HIGHER_THRESHOLD
-
-	# Check syntax
-	REGEXP='@\?\(-\?[0-9]\+:\|~:\|:\|\)\(-\?[0-9]\+\|~\|\)'
-	test -n "$( echo "$1" | sed -n "/^$REGEXP$/p" )" || return 8
-
-	# Check that lower limit is lower than higher limit :)
-	LOWER_THRESHOLD=$( echo "$1" | sed -n "s/$REGEXP/\1/p" | sed 's/:$//' )
-	HIGHER_THRESHOLD=$( echo "$1" | sed -n "s/$REGEXP/\2/p" )
-	if test -z "$LOWER_THRESHOLD"; then
-		LOWER_THRESHOLD=0
+	check_range 0 "$1" >/dev/null 2>&1
+	if [ "$?" -eq "2" ]; then
+		return 1
 	fi
-	if test -z "$HIGHER_THRESHOLD"; then
-		HIGHER_THRESHOLD='~'
-	fi
-	if [ "$LOWER_THRESHOLD" != "~" ]; then
-		if [ "$HIGHER_THRESHOLD" != "~" ] && [ "$LOWER_THRESHOLD" -gt "$HIGHER_THRESHOLD" ]; then
-			return 9
-		fi
-	fi
-
-	printf "%s\t%s" "$LOWER_THRESHOLD" "$HIGHER_THRESHOLD"
-	return 0
-}
-
-# Args :
-# - value
-# - range
-# Return :
-# 0: ok
-# 1: not in range
-# 8-15: see check_range_syntax()
-# 16: function call problem
-check_range() {
-	local VALUE LINE RET LOWER_THRESHOLD HIGHER_THRESHOLD
-	# ranges can be empty
-	test -n "$1" || return 16
-	VALUE="$1"
-	RANGE="$2"
-
-	# Analyze range
-	LINE=$( check_range_syntax "$RANGE" )
-	RET="$?"
-	test $RET -eq 0 || return $RET
-	LOWER_THRESHOLD="$( echo "$LINE" | cut -f 1 )"
-	HIGHER_THRESHOLD="$( echo "$LINE" | cut -f 2 )"
-
-	# Check value
-	if [ $( echo "$RANGE" | grep -c "^@" ) -eq 0 ]; then
-		# Normal comparison
-		if [ "$LOWER_THRESHOLD" != "~" ] && [ "$VALUE" -lt "$LOWER_THRESHOLD" ]; then
-			return 1
-		fi
-		if [ "$HIGHER_THRESHOLD" != "~" ] && [ "$VALUE" -gt "$HIGHER_THRESHOLD" ]; then
-			return 1
-		fi
-	else
-		# Invert range (inside, inclusive)
-		if [ "$LOWER_THRESHOLD" = '~' ] || [ "$VALUE" -ge "$LOWER_THRESHOLD" ]; then
-			if [ "$HIGHER_THRESHOLD" = '~' ] || [ "$VALUE" -le "$HIGHER_THRESHOLD" ]; then
-				return 1
-			fi
-		fi
-	fi
-
 	return 0
 }
 
 # Some early checks
 if ! which openssl >/dev/null 2>&1 ; then
 	echo "UNKNOWN 'openssl' not found."
-	exit 1
+	exit $STATE_UNKNOWN
 fi
 
 #
@@ -134,8 +72,8 @@ while getopts hw:c:f: OPT; do
 			if check_range_syntax "$OPTARG" >/dev/null; then
 				RANGE_WARNING="$OPTARG"
 			else
-				echo "UNKNOWN: invalid range."
-				exit 3
+				echo "UNKNOWN: invalid range : $OPTARG"
+				exit $STATE_UNKNOWN
 			fi
 			;;
 
@@ -143,8 +81,8 @@ while getopts hw:c:f: OPT; do
 			if check_range_syntax "$OPTARG" >/dev/null; then
 				RANGE_CRITICAL="$OPTARG"
 			else
-				echo "UNKNOWN: invalid range."
-				exit 3
+				echo "UNKNOWN: invalid range : $OPTARG"
+				exit $STATE_UNKNOWN
 			fi
 			;;
 
@@ -153,27 +91,27 @@ while getopts hw:c:f: OPT; do
 			# should not be done during params management :)
 			CRL_FILE="$OPTARG"
 			if [ ! -f "$CRL_FILE" ]; then
-				echo "UNKNOWN: inexistent file."
-				exit 3
+				echo "UNKNOWN: inexistent file : $CRL_FILE"
+				exit $STATE_UNKNOWN
 			fi
 
 			# Extract time left, in seconds
 			EXPIRATION_DATE="$( openssl crl -noout -text -in "$CRL_FILE" | sed -n "s/^[[:space:]]\+Next Update: \(.*\)$/\1/p" )"
 			if [ -z "$EXPIRATION_DATE" ]; then
 				echo "UNKNOWN: couldn't get expiration date."
-				exit 3
+				exit $STATE_UNKNOWN
 			fi
-			TIME_LEFT=$(( $( date +%s ) - $( date --date="$EXPIRATION_DATE" +%s ) ))
+			TIME_LEFT=$(( ( $( date --date="$EXPIRATION_DATE" +%s ) - $( date +%s ) ) / 86400 ))
 
 			# Check time left against range
-			if ! check_range "$TIME_LEFT" "$RANGE_CRITICAL"; then
-				OUTPUT_EXIT_STATUS=2
-				OUTPUT_DETAIL_CRITICAL="$OUTPUT_DETAIL_CRITICAL crl:$CRL_FILE"
-			elif ! check_range "$CPT" "$RANGE_WARNING"; then
+			if check_range "$TIME_LEFT" "$RANGE_CRITICAL"; then
+				OUTPUT_EXIT_STATUS=$STATE_CRITICAL
+				OUTPUT_DETAIL_CRITICAL="$OUTPUT_DETAIL_CRITICAL $CRL_FILE ($TIME_LEFT days left)"
+			elif check_range "$TIME_LEFT" "$RANGE_WARNING"; then
 				if [ "$OUTPUT_EXIT_STATUS" -eq 0 ]; then
-					OUTPUT_EXIT_STATUS=1
+					OUTPUT_EXIT_STATUS=$STATE_WARNING
 				fi
-				OUTPUT_DETAIL_WARNING="$OUTPUT_DETAIL_WARNING crl:$CRL_FILE"
+				OUTPUT_DETAIL_WARNING="$OUTPUT_DETAIL_WARNING $CRL_FILE ($TIME_LEFT days left)"
 			fi
 			;;
 
@@ -184,6 +122,11 @@ while getopts hw:c:f: OPT; do
 	esac
 done
 
+if [ -z "$CRL_FILE" ]; then
+	echo "UNKNOWN: no file tested."
+	exit $STATE_UNKNOWN
+fi
+
 case "$OUTPUT_EXIT_STATUS" in
 	'0')
 		printf "OK"
@@ -199,6 +142,9 @@ case "$OUTPUT_EXIT_STATUS" in
 		;;
 esac
 
-# on supprime les retours à la ligne
-exit $RETURN_STATUS
+# Perfdata
+#printf "|%s\n" "$OUTPUT_PERFDATA"
+printf "\n"
 
+# Exit with return status
+exit $OUTPUT_EXIT_STATUS