205 lines
4.3 KiB
Bash
205 lines
4.3 KiB
Bash
#!/bin/sh
|
|
|
|
# Small script to survey CRL
|
|
# GPL v3+
|
|
|
|
# Default values
|
|
# Warning : 10 days - 10 years
|
|
RANGE_WARNING="864000:315360000"
|
|
# Critical : 4 days
|
|
RANGE_CRITICAL="345600:"
|
|
|
|
# Output
|
|
OUTPUT_EXIT_STATUS=0
|
|
OUTPUT_DETAIL_WARNING=""
|
|
OUTPUT_DETAIL_CRITICAL=""
|
|
|
|
# Stop at the first non-catched error
|
|
set -e
|
|
|
|
#
|
|
# Help function
|
|
#
|
|
usage() {
|
|
cat <<EOF
|
|
Usage :
|
|
$0 [-w warning_range] [-c critical_range] -f file.crl [[-w...] -f file.crl ] ...
|
|
|
|
Ranges are in seconds.
|
|
|
|
Note: Since the file is checked against the lastest ranges given, order
|
|
of the arguments are important.
|
|
|
|
Default values:
|
|
warning_range: $RANGE_WARNING
|
|
critical_range: $RANGE_CRITICAL
|
|
EOF
|
|
}
|
|
|
|
# TODO: manage non-integer values
|
|
# Args :
|
|
# - value
|
|
# - range warning
|
|
# - range critical
|
|
# Return:
|
|
# 0: ok
|
|
# 8: syntax error in range
|
|
# 9: higher threshold lower than lower threshold
|
|
check_range_syntax() {
|
|
local REGEXP LOWER_THRESHOLD HIGHER_THRESHOLD
|
|
|
|
# Check syntax
|
|
REGEXP='@\?\(-\?[0-9]\+:\|~:\|:\|\)\(-\?[0-9]\+\|~\|\)'
|
|
test -n "$( echo "$1" | sed -n "/^$REGEXP$/p" )" || return 8
|
|
|
|
# Check that lower limit is lower than higher limit :)
|
|
LOWER_THRESHOLD=$( echo "$1" | sed -n "s/$REGEXP/\1/p" | sed 's/:$//' )
|
|
HIGHER_THRESHOLD=$( echo "$1" | sed -n "s/$REGEXP/\2/p" )
|
|
if test -z "$LOWER_THRESHOLD"; then
|
|
LOWER_THRESHOLD=0
|
|
fi
|
|
if test -z "$HIGHER_THRESHOLD"; then
|
|
HIGHER_THRESHOLD='~'
|
|
fi
|
|
if [ "$LOWER_THRESHOLD" != "~" ]; then
|
|
if [ "$HIGHER_THRESHOLD" != "~" ] && [ "$LOWER_THRESHOLD" -gt "$HIGHER_THRESHOLD" ]; then
|
|
return 9
|
|
fi
|
|
fi
|
|
|
|
printf "%s\t%s" "$LOWER_THRESHOLD" "$HIGHER_THRESHOLD"
|
|
return 0
|
|
}
|
|
|
|
# Args :
|
|
# - value
|
|
# - range
|
|
# Return :
|
|
# 0: ok
|
|
# 1: not in range
|
|
# 8-15: see check_range_syntax()
|
|
# 16: function call problem
|
|
check_range() {
|
|
local VALUE LINE RET LOWER_THRESHOLD HIGHER_THRESHOLD
|
|
# ranges can be empty
|
|
test -n "$1" || return 16
|
|
VALUE="$1"
|
|
RANGE="$2"
|
|
|
|
# Analyze range
|
|
LINE=$( check_range_syntax "$RANGE" )
|
|
RET="$?"
|
|
test $RET -eq 0 || return $RET
|
|
LOWER_THRESHOLD="$( echo "$LINE" | cut -f 1 )"
|
|
HIGHER_THRESHOLD="$( echo "$LINE" | cut -f 2 )"
|
|
|
|
# Check value
|
|
if [ $( echo "$RANGE" | grep -c "^@" ) -eq 0 ]; then
|
|
# Normal comparison
|
|
if [ "$LOWER_THRESHOLD" != "~" ] && [ "$VALUE" -lt "$LOWER_THRESHOLD" ]; then
|
|
return 1
|
|
fi
|
|
if [ "$HIGHER_THRESHOLD" != "~" ] && [ "$VALUE" -gt "$HIGHER_THRESHOLD" ]; then
|
|
return 1
|
|
fi
|
|
else
|
|
# Invert range (inside, inclusive)
|
|
if [ "$LOWER_THRESHOLD" = '~' ] || [ "$VALUE" -ge "$LOWER_THRESHOLD" ]; then
|
|
if [ "$HIGHER_THRESHOLD" = '~' ] || [ "$VALUE" -le "$HIGHER_THRESHOLD" ]; then
|
|
return 1
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
return 0
|
|
}
|
|
|
|
# Some early checks
|
|
if ! which openssl >/dev/null 2>&1 ; then
|
|
echo "UNKNOWN 'openssl' not found."
|
|
exit 1
|
|
fi
|
|
|
|
#
|
|
# Parameters management
|
|
#
|
|
while getopts hw:c:f: OPT; do
|
|
case "$OPT" in
|
|
'h')
|
|
usage
|
|
exit
|
|
;;
|
|
|
|
'w')
|
|
if check_range_syntax "$OPTARG" >/dev/null; then
|
|
RANGE_WARNING="$OPTARG"
|
|
else
|
|
echo "UNKNOWN: invalid range."
|
|
exit 3
|
|
fi
|
|
;;
|
|
|
|
'c')
|
|
if check_range_syntax "$OPTARG" >/dev/null; then
|
|
RANGE_CRITICAL="$OPTARG"
|
|
else
|
|
echo "UNKNOWN: invalid range."
|
|
exit 3
|
|
fi
|
|
;;
|
|
|
|
'f')
|
|
# I'm not very proud of this one : aesthetically speaking, treatments
|
|
# should not be done during params management :)
|
|
CRL_FILE="$OPTARG"
|
|
if [ ! -f "$CRL_FILE" ]; then
|
|
echo "UNKNOWN: inexistent file."
|
|
exit 3
|
|
fi
|
|
|
|
# Extract time left, in seconds
|
|
EXPIRATION_DATE="$( openssl crl -noout -text -in "$CRL_FILE" | sed -n "s/^[[:space:]]\+Next Update: \(.*\)$/\1/p" )"
|
|
if [ -z "$EXPIRATION_DATE" ]; then
|
|
echo "UNKNOWN: couldn't get expiration date."
|
|
exit 3
|
|
fi
|
|
TIME_LEFT=$(( $( date +%s ) - $( date --date="$EXPIRATION_DATE" +%s ) ))
|
|
|
|
# Check time left against range
|
|
if ! check_range "$TIME_LEFT" "$RANGE_CRITICAL"; then
|
|
OUTPUT_EXIT_STATUS=2
|
|
OUTPUT_DETAIL_CRITICAL="$OUTPUT_DETAIL_CRITICAL crl:$CRL_FILE"
|
|
elif ! check_range "$CPT" "$RANGE_WARNING"; then
|
|
if [ "$OUTPUT_EXIT_STATUS" -eq 0 ]; then
|
|
OUTPUT_EXIT_STATUS=1
|
|
fi
|
|
OUTPUT_DETAIL_WARNING="$OUTPUT_DETAIL_WARNING crl:$CRL_FILE"
|
|
fi
|
|
;;
|
|
|
|
\?)
|
|
usage
|
|
exit 1
|
|
;;
|
|
esac
|
|
done
|
|
|
|
case "$OUTPUT_EXIT_STATUS" in
|
|
'0')
|
|
printf "OK"
|
|
;;
|
|
'1')
|
|
printf "WARNING %s" "$OUTPUT_DETAIL_WARNING"
|
|
;;
|
|
'2')
|
|
printf "CRITICAL %s" "$OUTPUT_DETAIL_CRITICAL"
|
|
;;
|
|
*)
|
|
printf "UNKNOWN"
|
|
;;
|
|
esac
|
|
|
|
# on supprime les retours à la ligne
|
|
exit $RETURN_STATUS
|
|
|