diff --git a/README.md b/README.md
index c93348d..fd84f47 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,4 @@
-tasks:
+dirs:
-1 - insert here all used scripts
+1 mdmcertcheck - scripts for check cert status
-2 - write new scripts only here
diff --git a/mdmcertcheck/README.md b/mdmcertcheck/README.md
new file mode 100644
index 0000000..4655297
--- /dev/null
+++ b/mdmcertcheck/README.md
@@ -0,0 +1,33 @@
+mdmcertcheck.sh - main shell script for check cert status
+certlist.cfg - configuration file for cert list
+zabbix_3.x_template.xml - zabbix 3.x template
+mdmsslcertcheck.docker - docker file
+
+
+build and run docker file
+
+docker run --name certchecker --restart always -v /your/path/to/zabbix:/etc/zabbix/--privileged -d image:1.0
+
+and place zabbix config with scripts directory and configs
+and place sh in script
+and certlist.cfg and wtire path into script
+
+remember about zabbix config, enable it!!!
+
+####### USER-DEFINED MONITORED PARAMETERS #######
+
+### Option: UnsafeUserParameters
+# Allow all characters to be passed in arguments to user-defined parameters.
+# The following characters are not allowed:
+# \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @
+# Additionally, newline characters are not allowed.
+# 0 - do not allow
+# 1 - allow
+#
+# Mandatory: no
+# Range: 0-1
+# Default:
+# UnsafeUserParameters=0
+UnsafeUserParameters=1
+
+have a lot fun!
diff --git a/mdmcertcheck/certlist.cfg b/mdmcertcheck/certlist.cfg
new file mode 100644
index 0000000..3ced7cf
--- /dev/null
+++ b/mdmcertcheck/certlist.cfg
@@ -0,0 +1,9 @@
+# this is the config file for mdmcertcheck.sh
+#
+# a record style:
+# domain = domain of the cert
+# ip = ip target server for taking cert
+# port = port of target server for taking cert
+# cert=domain|ip|port
+# expemple:
+# cert=google.com|8.8.8.8|443
diff --git a/mdmcertcheck/mdmcertcheck.sh b/mdmcertcheck/mdmcertcheck.sh
new file mode 100644
index 0000000..4f89bd3
--- /dev/null
+++ b/mdmcertcheck/mdmcertcheck.sh
@@ -0,0 +1,133 @@
+#!/bin/bash
+# mdmcertcheck.sh is the script for checking a cert status
+# author mikedmorto 2021 year
+
+export LC_ALL=""
+export LANG="en_US.UTF-8"
+VERSION="1.0"
+
+CERTLIST="certlist.cfg"
+CTIMEOUT="1"
+
+error(){
+ echo "-1"
+ exit 1
+}
+
+JSON=""
+##### PARAMETERS#####
+METRIC="$1"
+ITEM="$2"
+
+CERT_DOMAIN=""
+CERT_IP=""
+CERT_PORT=""
+CERT_BODY=""
+
+parse_item(){
+ TITEM=$1
+ #parse item
+ #check empty item
+ if [ -z "$TITEM" ]
+ then
+ error
+ fi
+ CERT_DOMAIN=`echo $ITEM | awk -F"|" '{print $1}'`
+ CERT_IP=`echo $ITEM | awk -F"|" '{print $2}'`
+ CERT_PORT=`echo $ITEM | awk -F"|" '{print $3}'`
+}
+
+get_cert(){
+ if ! CERT_BODY=$( echo | timeout "$CTIMEOUT" openssl s_client -servername "$CERT_DOMAIN" -verify_hostname "$CERT_DOMAIN" -connect "$CERT_IP":"$CERT_PORT" 2>/dev/null )
+ then
+ error
+ fi
+}
+
+case "$METRIC" in
+discovery)
+ #records from the config file
+ RECS=`cat $CERTLIST | awk -F: '/^[^#]/ { print $1 }' | grep -e "^cert=.*" | cut -f 2 -d "="`
+ JSON="{ \"data\":["
+
+ # append data
+ for REC_I in ${RECS}; do
+ JSON=${JSON}" {\"{#CERT}\":\"${REC_I}\"},"
+ done
+
+ # delete last simbol and add the end
+ JSON=${JSON::-1}
+ JSON=${JSON}"]}"
+ echo ${JSON}
+ exit 0
+;;
+
+isexist)
+ #validating the cert
+ parse_item $ITEM
+ get_cert
+ # if get_cert has not en error then all is ok. 
+ echo 1
+;;
+
+valid)
+ #validating the cert
+ parse_item $ITEM
+ get_cert
+ # Note: new openssl versions can print multiple return codes for post-handshake session tickets, so we need to get only the first one
+ RET=$( echo "$CERT_BODY" | grep -E '^ *Verify return code:' | sed -n 1p | sed 's/^ *//' | tr -s ' ' | cut -d' ' -f4 )
+ if [ "$RET" -eq "0" ]; then echo "1"; else echo "0"; fi
+
+;;
+
+valid_status)
+ #validating the cert
+ parse_item $ITEM
+ get_cert
+ # Note: new openssl versions can print multiple return codes for post-handshake session tickets, so we need to get only the first one
+ RET=$( echo "$CERT_BODY" | grep -E '^ *Verify return code:')
+ echo $RET;
+;;
+
+expire)
+ #calculate expire days
+ parse_item $ITEM
+ get_cert
+ expire_date=$( echo "$CERT_BODY" | openssl x509 -noout -dates | grep '^notAfter' | cut -d'=' -f2 )
+ expire_date_epoch=$(date -d "$expire_date" +%s) || error "Failed to get expire date"
+ current_date_epoch=$(date +%s)
+ RET=$(( (expire_date_epoch - current_date_epoch)/(3600*24) ))
+ echo $RET
+;;
+
+certholder)
+ #get cert holder string
+ parse_item $ITEM
+ get_cert
+ # Note: new openssl versions can print multiple return codes for post-handshake session tickets, so we need to get only the first one
+ RET=$( echo "$CERT_BODY" | sed -n '/BEGIN CERTIFICATE/,/END CERT/p' | openssl x509 -text 2>/dev/null | sed -n 's/ *Issuer: *//p' | sed -n 's/.*CN=*//p')
+ echo $RET;
+;;
+
+script.version)
+ echo $VERSION
+;;
+
+help)
+echo "please use these params
+{
+discovery - discovery items from config file
+isexist - the script has access to server with cert
+valid - the cert is valid (1|0)
+valid_status - the cert status in full text
+expire - how many days for an unvalid state
+certholder - certholder text
+script.version - current version of this script
+}"
+;;
+
+*)
+ echo ""
+;;
+esac
+
diff --git a/mdmcertcheck/mdmsslcertcheck.docker b/mdmcertcheck/mdmsslcertcheck.docker
new file mode 100644
index 0000000..fb3bfe1
--- /dev/null
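Review bot: `parse_item` splits the Zabbix-supplied `{#CERT}` value with an unquoted `echo $ITEM` and passes the three fields to `timeout`/`openssl s_client` without validating any of them, while the accompanying README tells operators to set `UnsafeUserParameters=1`, which switches off the agent-side metacharacter filter that would otherwise have rejected a hostile value; the fields do reach openssl as quoted argv, so this is not command injection in the visible code, but glob characters are expanded by the unquoted `echo`, and anyone who can edit the macro can point the agent at an arbitrary host and port. Read the fields with `IFS='|' read -r` and reject anything that is not hostname characters plus a numeric port, so the unsafe-parameter setting cannot be leveraged here or by a future caller that evaluates the string; the function also ignores its own `TITEM` argument and reads the global `$ITEM`, which the rewrite below fixes. Separately, `discovery` prints `{ "data":]}` when certlist.cfg has no `cert=` records, because `${JSON::-1}` strips the `[`, so the trim should be guarded with `[ -n "$RECS" ]`. `CERTLIST="certlist.cfg"` is also resolved against the agent's working directory rather than the script's, which is why the README tells you to "write path into script"; `CERTLIST="$(dirname "$0")/certlist.cfg"` or an absolute path makes that robust.
```shell
parse_item(){
 TITEM=$1
 #check empty item
 if [ -z "$TITEM" ]
 then
 error
 fi
 # split on '|' without word-splitting or globbing the Zabbix-supplied value
 IFS='|' read -r CERT_DOMAIN CERT_IP CERT_PORT <<<"$TITEM"
 # the value comes from the {#CERT} macro and UnsafeUserParameters=1 lets shell
 # metacharacters through; accept only hostname characters and a numeric port
 if ! [[ "$CERT_DOMAIN" =~ ^[A-Za-z0-9.-]+$ && "$CERT_IP" =~ ^[A-Za-z0-9.-]+$ && "$CERT_PORT" =~ ^[0-9]{1,5}$ ]]
 then
 error
 fi
}
# … unchanged: get_cert and the case dispatch …
```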
+++ b/mdmcertcheck/mdmsslcertcheck.docker
@@ -0,0 +1,24 @@
+# Используем centos7 в качестве основы
+FROM centos:7
+# Сообщаем ОС, что она в докере
+ENV container docker
+# Включаем systemd
+RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == \
+systemd-tmpfiles-setup.service ] || rm -f $i; done); \
+rm -f /lib/systemd/system/multi-user.target.wants/*;\
+rm -f /etc/systemd/system/*.wants/*;\
+rm -f /lib/systemd/system/local-fs.target.wants/*; \
+rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
+rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
+rm -f /lib/systemd/system/basic.target.wants/*;\
+rm -f /lib/systemd/system/anaconda.target.wants/*;
+# Сообщаем, что этот раздел будет монтироваться при включении контейнера
+VOLUME [ "/sys/fs/cgroup" ]
+# Обновляемся и устанавливаем нужные пакеты для сборки\старта
+RUN yum update -y --nogpgcheck
+# install soft
+RUN yum install -y --nogpgcheck epel-release
+RUN yum install -y --nogpgcheck vim git cmake3 openssh-clients boost-devel gcc make gcc-c++ wget fish
+RUN yum install -y zabbix30-agent
+
+CMD ["/usr/sbin/init"]
diff --git a/mdmcertcheck/zabbix_3.x_template.xml b/mdmcertcheck/zabbix_3.x_template.xml
new file mode 100644
index 0000000..05f3ece
--- /dev/null
+++ b/mdmcertcheck/zabbix_3.x_template.xml
@@ -0,0 +1,414 @@
+ + 3.4 + 2021-02-15T11:33:22Z + + + TEMPLATES + + + test + + + + + +
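Review bot: The three `yum update` / `yum install ... --nogpgcheck` lines disable RPM signature verification for the base repositories and for EPEL, so whatever a mirror or an on-path attacker serves gets installed unverified; drop `--nogpgcheck` from all three and let the build fail on a bad signature (the CentOS key ships in `centos:7`, and `epel-release` from the extras repo should bring the EPEL key, so the flag should not be needed — confirm on a clean build). The package set `vim git cmake3 openssh-clients boost-devel gcc make gcc-c++ wget fish` is a build toolchain that `mdmcertcheck.sh` never uses (it needs bash, openssl, awk, coreutils and the agent), and every extra package is attack surface in a container the README then runs with `--privileged`; a single `RUN yum install -y zabbix30-agent openssl` is enough (`openssl` is presumably not in the base image — verify). `RUN yum install -y zabbix30-agent` has no repository visible in this hunk, so either it comes from EPEL or the build needs a repo definition, which deserves a comment. Also worth checking: `centos:7` ships OpenSSL 1.0.2, whose `s_client` does not, as far as I know, accept the `-verify_hostname` option the script passes, so every metric would return `-1` from this image; `centos:7` has also since reached end-of-life, so the base should be moved to a maintained distribution with a current OpenSSL.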