diff options
| author |  William Leibzon <william@leibzon.org>
| 2012-05-21 18:46:45 -0700 |
|---|---|---|
| committer |  Sven Nierlein <sven@nierlein.de>
| 2012-06-25 12:05:16 +0200 |
| commit | fa3d2a4074e1bd8526e37ba5e1a214ae4a1774cf (patch) | |
| tree | 1d0c780a61db8e719502aed2a7bd9311afd23ac4 /plugins | |
| parent | 88fdf3a8a8e17f9212e10befe1f24ff3fa1aa8e6 (diff) | |
| download | monitoring-plugins-fa3d2a4074e1bd8526e37ba5e1a214ae4a1774cf.tar.gz | |
applied patch that adds both critical and warning thresholds to certificate expiration checks of check_tcp, check_http, check_smtp
Diffstat (limited to 'plugins')
| -rw-r--r-- | plugins/check_http.c | 38 | ||||
| -rw-r--r-- | plugins/check_smtp.c | 37 | ||||
| -rw-r--r-- | plugins/check_tcp.c | 27 | ||||
| -rw-r--r-- | plugins/netutils.h | 2 | ||||
| -rw-r--r-- | plugins/sslutils.c | 18 |
5 files changed, 89 insertions, 33 deletions
diff --git a/plugins/check_http.c b/plugins/check_http.c index 315848fc..703e3174 100644 --- a/plugins/check_http.c +++ b/plugins/check_http.c @@ -58,8 +58,8 @@ enum { #ifdef HAVE_SSL int check_cert = FALSE; -int days_till_exp; int ssl_version; +int days_till_exp_warn, days_till_exp_crit; char *randbuff; X509 *server_cert; # define my_recv(buf, len) ((use_ssl) ? np_net_ssl_read(buf, len) : read(sd, buf, len)) @@ -178,6 +178,7 @@ process_arguments (int argc, char **argv) { int c = 1; char *p; + char *temp; enum { INVERT_REGEX = CHAR_MAX + 1, @@ -282,13 +283,25 @@ process_arguments (int argc, char **argv) break; case 'C': /* Check SSL cert validity */ #ifdef HAVE_SSL - if (!is_intnonneg (optarg)) - usage2 (_("Invalid certificate expiration period"), optarg); + if ((temp=strchr(optarg,','))!=NULL) { + *temp='\0'; + if (!is_intnonneg (temp)) + usage2 (_("Invalid certificate expiration period"), optarg); + days_till_exp_warn = atoi(optarg); + *temp=','; + temp++; + if (!is_intnonneg (temp)) + usage2 (_("Invalid certificate expiration period"), temp); + days_till_exp_crit = atoi (temp); + } else { - days_till_exp = atoi (optarg); - check_cert = TRUE; + days_till_exp_crit=0; + if (!is_intnonneg (optarg)) + usage2 (_("Invalid certificate expiration period"), optarg); + days_till_exp_warn = atoi (optarg); } - /* Fall through to -S option */ + check_cert = TRUE; + /* Fall through to -S option */ #endif case 'S': /* use SSL */ #ifndef HAVE_SSL @@ -810,7 +823,7 @@ check_http (void) if (result != STATE_OK) return result; if (check_cert == TRUE) { - result = np_net_ssl_check_cert(days_till_exp); + result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit); np_net_ssl_cleanup(); if (sd) close(sd); return result; @@ -1427,6 +1440,13 @@ print_help (void) printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than")); printf (" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when")); printf (" %s\n", _("the certificate is expired.")); + + printf (" %s\n\n", "CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14"); + printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,")); + printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than")); + printf (" %s\n", _("30 days, but more than 14 days, a STATE_WARNING is returned.")); + printf (" %s\n", _("A STATE_CRITICAL will be returned when certificate expires in less than 14 days")); + #endif printf (UT_SUPPORT); @@ -1444,6 +1464,6 @@ print_usage (void) printf (" [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport>]\n"); printf (" [-e <expect>] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n"); printf (" [-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]\n"); - printf (" [-A string] [-k string] [-S <version>] [--sni] [-C <age>] [-T <content-type>]\n"); - printf (" [-j method]\n"); + printf (" [-A string] [-k string] [-S <version>] [--sni] [-C <warn_age>[,<crit_age>]]\n"); + printf (" [-T <content-type>] [-j method]\n"); } diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c index 494bc2cd..0af50e32 100644 --- a/plugins/check_smtp.c +++ b/plugins/check_smtp.c @@ -41,7 +41,7 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net"; #ifdef HAVE_SSL int check_cert = FALSE; -int days_till_exp; +int days_till_exp_warn, days_till_exp_crit; # define my_recv(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_read(buf, len) : read(sd, buf, len)) # define my_send(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0)) #else /* ifndef HAVE_SSL */ @@ -275,7 +275,7 @@ main (int argc, char **argv) # ifdef USE_OPENSSL if ( check_cert ) { - result = np_net_ssl_check_cert(days_till_exp); + result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit); my_close(); return result; } @@ -454,6 +454,7 @@ int process_arguments (int argc, char **argv) { int c; + char* temp; int option = 0; static struct option longopts[] = { @@ -600,12 +601,26 @@ process_arguments (int argc, char **argv) case 'D': /* Check SSL cert validity */ #ifdef USE_OPENSSL - if (!is_intnonneg (optarg)) - usage2 ("Invalid certificate expiration period",optarg); - days_till_exp = atoi (optarg); - check_cert = TRUE; + if ((temp=strchr(optarg,','))!=NULL) { + *temp='\0'; + if (!is_intnonneg (temp)) + usage2 ("Invalid certificate expiration period", optarg); + days_till_exp_warn = atoi(optarg); + *temp=','; + temp++; + if (!is_intnonneg (temp)) + usage2 (_("Invalid certificate expiration period"), temp); + days_till_exp_crit = atoi (temp); + } + else { + days_till_exp_crit=0; + if (!is_intnonneg (optarg)) + usage2 ("Invalid certificate expiration period", optarg); + days_till_exp_warn = atoi (optarg); + } + check_cert = TRUE; #else - usage (_("SSL support not available - install OpenSSL and recompile")); + usage (_("SSL support not available - install OpenSSL and recompile")); #endif break; case '4': @@ -802,7 +817,7 @@ print_help (void) printf (" %s\n", "-F, --fqdn=STRING"); printf (" %s\n", _("FQDN used for HELO")); #ifdef HAVE_SSL - printf (" %s\n", "-D, --certificate=INTEGER"); + printf (" %s\n", "-D, --certificate=INTEGER[,INTEGER]"); printf (" %s\n", _("Minimum number of days a certificate has to be valid.")); printf (" %s\n", "-S, --starttls"); printf (" %s\n", _("Use STARTTLS for the connection.")); @@ -838,8 +853,8 @@ void print_usage (void) { printf ("%s\n", _("Usage:")); - printf ("%s -H host [-p port] [-e expect] [-C command] [-f from addr]", progname); - printf ("[-A authtype -U authuser -P authpass] [-w warn] [-c crit] [-t timeout]\n"); - printf ("[-F fqdn] [-S] [-D days] [-v] [-4|-6] [-q]\n"); + printf ("%s -H host [-p port] [-4|-6] [-e expect] [-C command] [-f from addr]", progname); + printf ("[-A authtype -U authuser -P authpass] [-w warn] [-c crit] [-t timeout] [-q]\n"); + printf ("[-F fqdn] [-S] [-D warn days cert expire[,crit days cert expire]] [-v] \n"); } diff --git a/plugins/check_tcp.c b/plugins/check_tcp.c index d3c92a49..7b0f7f8a 100644 --- a/plugins/check_tcp.c +++ b/plugins/check_tcp.c @@ -39,7 +39,7 @@ const char *email = "nagiosplug-devel@lists.sourceforge.net"; #ifdef HAVE_SSL static int check_cert = FALSE; -static int days_till_exp; +static int days_till_exp_warn, days_till_exp_crit; # define my_recv(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_read(buf, len) : read(sd, buf, len)) # define my_send(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0)) #else @@ -235,7 +235,7 @@ main (int argc, char **argv) if (flags & FLAG_SSL){ result = np_net_ssl_init(sd); if (result == STATE_OK && check_cert == TRUE) { - result = np_net_ssl_check_cert(days_till_exp); + result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit); } } if(result != STATE_OK || check_cert == TRUE){ @@ -380,6 +380,7 @@ process_arguments (int argc, char **argv) { int c; int escape = 0; + char *temp; int option = 0; static struct option longopts[] = { @@ -552,9 +553,22 @@ process_arguments (int argc, char **argv) case 'D': /* Check SSL cert validity - days 'til certificate expiration */ #ifdef HAVE_SSL # ifdef USE_OPENSSL /* XXX */ - if (!is_intnonneg (optarg)) + if ((temp=strchr(optarg,','))!=NULL) { + *temp='\0'; + if (!is_intnonneg (temp)) + usage2 (_("Invalid certificate expiration period"), optarg); days_till_exp_warn = atoi(optarg); + *temp=','; + temp++; + if (!is_intnonneg (temp)) + usage2 (_("Invalid certificate expiration period"), temp); + days_till_exp_crit = atoi (temp); + } + else { + days_till_exp_crit=0; + if (!is_intnonneg (optarg)) usage2 (_("Invalid certificate expiration period"), optarg); - days_till_exp = atoi (optarg); + days_till_exp_warn = atoi (optarg); + } check_cert = TRUE; flags |= FLAG_SSL; break; @@ -626,8 +640,9 @@ print_help (void) printf (" %s\n", _("Seconds to wait between sending string and polling for response")); #ifdef HAVE_SSL - printf (" %s\n", "-D, --certificate=INTEGER"); + printf (" %s\n", "-D, --certificate=INTEGER[,INTEGER]"); printf (" %s\n", _("Minimum number of days a certificate has to be valid.")); + printf (" %s\n", _("1st is #days for warning, 2nd is critical (if not specified - 0).")); printf (" %s\n", "-S, --ssl"); printf (" %s\n", _("Use SSL for the connection.")); #endif @@ -649,6 +664,6 @@ print_usage (void) printf ("%s -H host -p port [-w <warning time>] [-c <critical time>] [-s <send string>]\n",progname); printf ("[-e <expect string>] [-q <quit string>][-m <maximum bytes>] [-d <delay>]\n"); printf ("[-t <timeout seconds>] [-r <refuse state>] [-M <mismatch state>] [-v] [-4|-6] [-j]\n"); - printf ("[-D <days to cert expiry>] [-S <use SSL>] [-E]\n"); + printf ("[-D <warn days cert expire>[,<crit days cert expire>]] [-S <use SSL>] [-E]\n"); } diff --git a/plugins/netutils.h b/plugins/netutils.h index 572a3ae2..21017f1f 100644 --- a/plugins/netutils.h +++ b/plugins/netutils.h @@ -103,7 +103,7 @@ int np_net_ssl_init_with_hostname(int sd, char *host_name); void np_net_ssl_cleanup(); int np_net_ssl_write(const void *buf, int num); int np_net_ssl_read(void *buf, int num); -int np_net_ssl_check_cert(int days_till_exp); +int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit); #endif /* HAVE_SSL */ #endif /* _NETUTILS_H_ */ diff --git a/plugins/sslutils.c b/plugins/sslutils.c index 5425bb2c..fe31b562 100644 --- a/plugins/sslutils.c +++ b/plugins/sslutils.c @@ -126,7 +126,7 @@ int np_net_ssl_read(void *buf, int num) { return SSL_read(s, buf, num); } -int np_net_ssl_check_cert(int days_till_exp) { +int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){ # ifdef USE_OPENSSL X509 *certificate=NULL; X509_NAME *subj=NULL; @@ -202,15 +202,21 @@ int np_net_ssl_check_cert(int days_till_exp) { stamp.tm_mon + 1, stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); - if (days_left > 0 && days_left <= days_till_exp) { - printf(_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp); - status=STATE_WARNING; + if (days_left > 0 && days_left <= days_till_exp_warn) { + printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"CRITICAL":"WARNING", cn, days_left, timestamp); + if (days_left > days_till_exp_crit) + return STATE_WARNING; + else + return STATE_CRITICAL; } else if (time_left < 0) { printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp); status=STATE_CRITICAL; } else if (days_left == 0) { - printf(_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp); - status=STATE_WARNING; + printf (_("%s - Certificate '%s' expires today (%s).\n"), (days_left>days_till_exp_crit)?"CRITICAL":"WARNING", cn, timestamp); + if (days_left > days_till_exp_crit) + return STATE_WARNING; + else + return STATE_CRITICAL; } else { printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp); status=STATE_OK; |