mdm-service/monitoring-zabbix
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge branch 'mdmcertcheck'

Browse Source
This commit is contained in:
Mike D'Morto 2021-02-15 18:38:45 +07:00
commit 870449ca08
6 changed files with 615 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
README.md
View File

@ -1,5 +1,4 @@
tasks:
dirs:
1 - insert here all used scripts
1 mdmcertcheck - scripts for check cert status
2 - write new scripts only here

33
mdmcertcheck/README.md Normal file
View File

@ -0,0 +1,33 @@
mdmcertcheck.sh - main shell script for check cert status
certlist.cfg - configuration file for cert list
zabbix_3.x_template.xml - zabbix 3.x template
mdmsslcertcheck.docker - docker file
build and run docker file
docker run --name certchecker --restart always -v /your/path/to/zabbix:/etc/zabbix/--privileged -d image:1.0
and place zabbix config with scripts directory and configs
and place sh in script
and certlist.cfg and wtire path into script
remember about zabbix config, enable it!!!
####### USER-DEFINED MONITORED PARAMETERS #######
### Option: UnsafeUserParameters
# Allow all characters to be passed in arguments to user-defined parameters.
# The following characters are not allowed:
# \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @
# Additionally, newline characters are not allowed.
# 0 - do not allow
# 1 - allow
#
# Mandatory: no
# Range: 0-1
# Default:
# UnsafeUserParameters=0
UnsafeUserParameters=1
have a lot fun!

9
mdmcertcheck/certlist.cfg Normal file
View File

@ -0,0 +1,9 @@
# this is the config file for mdmcertcheck.sh
#
# a record style:
# domain = domain of the cert
# ip = ip target server for taking cert
# port = port of target server for taking cert
# cert=domain|ip|port
# expemple:
# cert=google.com|8.8.8.8|443

133
mdmcertcheck/mdmcertcheck.sh Normal file
View File

@ -0,0 +1,133 @@
#!/bin/bash
# mdmcertcheck.sh is the script for checking a cert status
# author mikedmorto 2021 year
export LC_ALL=""
export LANG="en_US.UTF-8"
VERSION="1.0"
CERTLIST="certlist.cfg"
CTIMEOUT="1"
error(){
echo "-1"
exit 1
}
JSON=""
##### PARAMETERS#####
METRIC="$1"
ITEM="$2"
CERT_DOMAIN=""
CERT_IP=""
CERT_PORT=""
CERT_BODY=""
parse_item(){
TITEM=$1
#parse item
#check empty item
if [ -z "$TITEM" ]
then
error
fi
CERT_DOMAIN=`echo $ITEM | awk -F"|" '{print $1}'`
CERT_IP=`echo $ITEM | awk -F"|" '{print $2}'`
CERT_PORT=`echo $ITEM | awk -F"|" '{print $3}'`
}
get_cert(){
if ! CERT_BODY=$( echo | timeout "$CTIMEOUT" openssl s_client -servername "$CERT_DOMAIN" -verify_hostname "$CERT_DOMAIN" -connect "$CERT_IP":"$CERT_PORT" 2>/dev/null )
then
error
fi
}
case "$METRIC" in
discovery)
#records from the config file
RECS=`cat $CERTLIST | awk -F: '/^[^#]/ { print $1 }' | grep -e "^cert=.*" | cut -f 2 -d "="`
JSON="{ \"data\":["
# append data
for REC_I in ${RECS}; do
JSON=${JSON}" {\"{#CERT}\":\"${REC_I}\"},"
done
# delete last simbol and add the end
JSON=${JSON::-1}
JSON=${JSON}"]}"
echo ${JSON}
exit 0
;;
isexist)
#validating the cert
parse_item $ITEM
get_cert
# if get_cert has not en error then all is ok.
echo 1
;;
valid)
#validating the cert
parse_item $ITEM
get_cert
# Note: new openssl versions can print multiple return codes for post-handshake session tickets, so we need to get only the first one
RET=$( echo "$CERT_BODY" | grep -E '^ *Verify return code:' | sed -n 1p | sed 's/^ *//' | tr -s ' ' | cut -d' ' -f4 )
if [ "$RET" -eq "0" ]; then echo "1"; else echo "0"; fi
;;
valid_status)
#validating the cert
parse_item $ITEM
get_cert
# Note: new openssl versions can print multiple return codes for post-handshake session tickets, so we need to get only the first one
RET=$( echo "$CERT_BODY" | grep -E '^ *Verify return code:')
echo $RET;
;;
expire)
#calculate expire days
parse_item $ITEM
get_cert
expire_date=$( echo "$CERT_BODY" | openssl x509 -noout -dates | grep '^notAfter' | cut -d'=' -f2 )
expire_date_epoch=$(date -d "$expire_date" +%s) || error "Failed to get expire date"
current_date_epoch=$(date +%s)
RET=$(( (expire_date_epoch - current_date_epoch)/(3600*24) ))
echo $RET
;;
certholder)
#get cert holder string
parse_item $ITEM
get_cert
# Note: new openssl versions can print multiple return codes for post-handshake session tickets, so we need to get only the first one
RET=$( echo "$CERT_BODY" | sed -n '/BEGIN CERTIFICATE/,/END CERT/p' | openssl x509 -text 2>/dev/null | sed -n 's/ *Issuer: *//p' | sed -n 's/.*CN=*//p')
echo $RET;
;;
script.version)
echo $VERSION
;;
help)
echo "please use these params
{
discovery - discovery items from config file
isexist - the script has access to server with cert
valid - the cert is valid (1|0)
valid_status - the cert status in full text
expire - how many days for an unvalid state
certholder - certholder text
script.version - current version of this script
}"
;;
*)
echo ""
;;
esac

24
mdmcertcheck/mdmsslcertcheck.docker Normal file
View File

@ -0,0 +1,24 @@
# Используем centos7 в качестве основы
FROM centos:7
# Сообщаем ОС, что она в докере
ENV container docker
# Включаем systemd
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == \
systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*;\
rm -f /etc/systemd/system/*.wants/*;\
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*;\
rm -f /lib/systemd/system/anaconda.target.wants/*;
# Сообщаем, что этот раздел будет монтироваться при включении контейнера
VOLUME [ "/sys/fs/cgroup" ]
# Обновляемся и устанавливаем нужные пакеты для сборки\старта
RUN yum update -y --nogpgcheck
# install soft
RUN yum install -y --nogpgcheck epel-release
RUN yum install -y --nogpgcheck vim git cmake3 openssh-clients boost-devel gcc make gcc-c++ wget fish
RUN yum install -y zabbix30-agent
CMD ["/usr/sbin/init"]

414
mdmcertcheck/zabbix_3.x_template.xml Normal file
View File

@ -0,0 +1,414 @@
<?xml version="1.0" encoding="UTF-8"?>
<zabbix_export>
<version>3.4</version>
<date>2021-02-15T11:33:22Z</date>
<groups>
<group>
<name>TEMPLATES</name>
</group>
<group>
<name>test</name>
</group>
</groups>
<templates>
<template>
<template>mdmcertchek-active-test</template>
<name>mdmcertchek-active-test</name>
<description>this is the test</description>
<groups>
<group>
<name>TEMPLATES</name>
</group>
<group>
<name>test</name>
</group>
</groups>
<applications>
<application>
<name>mdmcertcheck</name>
</application>
<application>
<name>mdmcertcheck-cert</name>
</application>
</applications>
<items>
<item>
<name>script.version</name>
<type>7</type>
<snmp_community/>
<snmp_oid/>
<key>mdmcertcheck[script.version]</key>
<delay>30s</delay>
<history>90d</history>
<trends>0</trends>
<status>0</status>
<value_type>4</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>mdmcertcheck</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<master_item/>
</item>
</items>
<discovery_rules>
<discovery_rule>
<name>mdmcertcheck discovery</name>
<type>7</type>
<snmp_community/>
<snmp_oid/>
<key>mdmcertcheck[discovery]</key>
<delay>30s</delay>
<status>0</status>
<allowed_hosts/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<filter>
<evaltype>0</evaltype>
<formula/>
<conditions/>
</filter>
<lifetime>1d</lifetime>
<description/>
<item_prototypes>
<item_prototype>
<name>Cert $2 certholder</name>
<type>7</type>
<snmp_community/>
<snmp_oid/>
<key>mdmcertcheck[certholder,{#CERT}]</key>
<delay>30s</delay>
<history>90d</history>
<trends>0</trends>
<status>0</status>
<value_type>4</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>mdmcertcheck-cert</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<application_prototypes/>
<master_item_prototype/>
</item_prototype>
<item_prototype>
<name>Cert $2 expire</name>
<type>7</type>
<snmp_community/>
<snmp_oid/>
<key>mdmcertcheck[expire,{#CERT}]</key>
<delay>30s</delay>
<history>90d</history>
<trends>365d</trends>
<status>0</status>
<value_type>0</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>mdmcertcheck-cert</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<application_prototypes/>
<master_item_prototype/>
</item_prototype>
<item_prototype>
<name>Cert $2 isexist</name>
<type>7</type>
<snmp_community/>
<snmp_oid/>
<key>mdmcertcheck[isexist,{#CERT}]</key>
<delay>30s</delay>
<history>90d</history>
<trends>365d</trends>
<status>0</status>
<value_type>0</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>mdmcertcheck-cert</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<application_prototypes/>
<master_item_prototype/>
</item_prototype>
<item_prototype>
<name>Cert $2 valid</name>
<type>7</type>
<snmp_community/>
<snmp_oid/>
<key>mdmcertcheck[valid,{#CERT}]</key>
<delay>30s</delay>
<history>90d</history>
<trends>365d</trends>
<status>0</status>
<value_type>0</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>mdmcertcheck-cert</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<application_prototypes/>
<master_item_prototype/>
</item_prototype>
<item_prototype>
<name>Cert $2 valid_status</name>
<type>7</type>
<snmp_community/>
<snmp_oid/>
<key>mdmcertcheck[valid_status,{#CERT}]</key>
<delay>30s</delay>
<history>90d</history>
<trends>0</trends>
<status>0</status>
<value_type>4</value_type>
<allowed_hosts/>
<units/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description/>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>mdmcertcheck-cert</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<preprocessing/>
<jmx_endpoint/>
<application_prototypes/>
<master_item_prototype/>
</item_prototype>
</item_prototypes>
<trigger_prototypes>
<trigger_prototype>
<expression>{mdmcertchek-active-test:mdmcertcheck[expire,{#CERT}].last()}&lt;1</expression>
<recovery_mode>0</recovery_mode>
<recovery_expression/>
<name>Cert {#CERT} expire 1 days</name>
<correlation_mode>0</correlation_mode>
<correlation_tag/>
<url/>
<status>0</status>
<priority>5</priority>
<description/>
<type>0</type>
<manual_close>0</manual_close>
<dependencies/>
<tags/>
</trigger_prototype>
<trigger_prototype>
<expression>{mdmcertchek-active-test:mdmcertcheck[expire,{#CERT}].last()}&lt;3</expression>
<recovery_mode>0</recovery_mode>
<recovery_expression/>
<name>Cert {#CERT} expire 3 days</name>
<correlation_mode>0</correlation_mode>
<correlation_tag/>
<url/>
<status>0</status>
<priority>4</priority>
<description/>
<type>0</type>
<manual_close>0</manual_close>
<dependencies/>
<tags/>
</trigger_prototype>
<trigger_prototype>
<expression>{mdmcertchek-active-test:mdmcertcheck[expire,{#CERT}].last()}&lt;5</expression>
<recovery_mode>0</recovery_mode>
<recovery_expression/>
<name>Cert {#CERT} expire 5 days</name>
<correlation_mode>0</correlation_mode>
<correlation_tag/>
<url/>
<status>0</status>
<priority>3</priority>
<description/>
<type>0</type>
<manual_close>0</manual_close>
<dependencies/>
<tags/>
</trigger_prototype>
<trigger_prototype>
<expression>{mdmcertchek-active-test:mdmcertcheck[valid,{#CERT}].last()}=0</expression>
<recovery_mode>0</recovery_mode>
<recovery_expression/>
<name>Cert {#CERT} is not valid</name>
<correlation_mode>0</correlation_mode>
<correlation_tag/>
<url/>
<status>0</status>
<priority>5</priority>
<description/>
<type>0</type>
<manual_close>0</manual_close>
<dependencies/>
<tags/>
</trigger_prototype>
<trigger_prototype>
<expression>{mdmcertchek-active-test:mdmcertcheck[isexist,{#CERT}].last()}&lt;&gt;1</expression>
<recovery_mode>0</recovery_mode>
<recovery_expression/>
<name>cert {#CERT} not found</name>
<correlation_mode>0</correlation_mode>
<correlation_tag/>
<url/>
<status>0</status>
<priority>4</priority>
<description/>
<type>0</type>
<manual_close>0</manual_close>
<dependencies/>
<tags/>
</trigger_prototype>
</trigger_prototypes>
<graph_prototypes/>
<host_prototypes/>
<jmx_endpoint/>
</discovery_rule>
</discovery_rules>
<httptests/>
<macros/>
<templates/>
<screens/>
</template>
</templates>
</zabbix_export>