Module: check_mk
Branch: master
Commit: 2d278af967a45554e595a2f0e5dac49e263e952b
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=2d278af967a455…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon May 6 11:03:18 2013 +0200
jar_signature: New check to monitor wether or not a jar is signed and certificate is not
expired
---
ChangeLog | 2 +
agents/plugins/jar_signature | 45 ++++++++++++++++++++++
checks/jar_signature | 86 ++++++++++++++++++++++++++++++++++++++++++
3 files changed, 133 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index e6c07e1..dcc0a28 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -55,6 +55,8 @@
* oracle_asm_diskgroups: Added missing agent plugin + asmcmd wrapper script
* oracle_jobs: New check to monitor oracle database job execution
* oracle_rman_backups: New check to monitor state of ORACLE RMAN backups
+ * jar_signature: New check to monitor wether or not a jar is signed and
+ certificate is not expired
* cisco_qos: adhere qos-bandwidth policies
* check_disk_smb: WATO formalization for active check check_disk_smb
* if.include: new configurable parameters for assumed input and output speed
diff --git a/agents/plugins/jar_signature b/agents/plugins/jar_signature
new file mode 100755
index 0000000..76bb431
--- /dev/null
+++ b/agents/plugins/jar_signature
@@ -0,0 +1,45 @@
+#!/bin/bash
+# +------------------------------------------------------------------+
+# | ____ _ _ __ __ _ __ |
+# | / ___| |__ ___ ___| | __ | \/ | |/ / |
+# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
+# | | |___| | | | __/ (__| < | | | | . \ |
+# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
+# | |
+# | Copyright Mathias Kettner 2013 mk(a)mathias-kettner.de |
+# +------------------------------------------------------------------+
+#
+# This file is part of Check_MK.
+# The official homepage is at
http://mathias-kettner.de/check_mk.
+#
+# check_mk is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation in version 2. check_mk is distributed
+# in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
+# out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU General Public License for more de-
+# ails. You should have received a copy of the GNU General Public
+# License along with GNU Make; see the file COPYING. If not, write
+# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+# Boston, MA 02110-1301 USA.
+
+# This agent uses the program "jarsigner" to read ssl certificate
+# information of jar files and outputs the information to stdout
+# for the Check_MK check.
+# We assume that all files in the jar archive are signed with the
+# same certificate. So we only deal with the last signed file here.
+
+JAVA_HOME=/home/oracle/bin/jdk_latest_version
+JAR_PATH=/home/oracle/fmw/11gR2/as_1/forms/java/*.jar
+
+PATH=$JAVA_HOME/bin:$PATH
+
+echo "<<<jar_signature>>>"
+for JAR in $JAR_PATH; do
+ echo "[[[${JAR##*/}]]]"
+ OUTPUT=$(jarsigner -verify -verbose -certs "$JAR")
+ LINE=$(echo "$OUTPUT" | grep -n ^s | tail -n1 | cut -d: -f1)
+ echo "$(echo "$OUTPUT" | tail -n +$LINE)"
+ echo
+done
+
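Review bot: When the `JAR_PATH` glob matches nothing, bash leaves the pattern unexpanded, so the loop runs once with the literal string and emits a `[[[*.jar]]]` section that the inventory function would turn into a service; a guard such as `[ -f "$JAR" ] || continue` as the first line of the loop body avoids that. `LINE` is also empty whenever the jarsigner output has no line starting with `s` (an unsigned jar, or jarsigner missing from `$JAVA_HOME/bin`), and `tail -n +$LINE` is then called without a number; testing `[ -n "$LINE" ]` first and printing the raw output otherwise would keep the reason visible to the check. The date text the check later parses presumably depends on the locale jarsigner runs under, so it may be worth confirming whether the plugin should pin it, for example with `export LC_ALL=C`.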
diff --git a/checks/jar_signature b/checks/jar_signature
new file mode 100644
index 0000000..2247d0d
--- /dev/null
+++ b/checks/jar_signature
@@ -0,0 +1,86 @@
+#!/usr/bin/python
+# -*- encoding: utf-8; py-indent-offset: 4 -*-
+# +------------------------------------------------------------------+
+# | ____ _ _ __ __ _ __ |
+# | / ___| |__ ___ ___| | __ | \/ | |/ / |
+# | | | | '_ \ / _ \/ __| |/ / | |\/| | ' / |
+# | | |___| | | | __/ (__| < | | | | . \ |
+# | \____|_| |_|\___|\___|_|\_\___|_| |_|_|\_\ |
+# | |
+# | Copyright Mathias Kettner 2013 mk(a)mathias-kettner.de |
+# +------------------------------------------------------------------+
+#
+# This file is part of Check_MK.
+# The official homepage is at
http://mathias-kettner.de/check_mk.
+#
+# check_mk is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation in version 2. check_mk is distributed
+# in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
+# out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU General Public License for more de-
+# ails. You should have received a copy of the GNU General Public
+# License along with GNU Make; see the file COPYING. If not, write
+# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+# Boston, MA 02110-1301 USA.
+
+import datetime, time
+
+def inventory_jar_signature(info):
+ inventory = []
+ for line in info:
+ if line[0].startswith("[[["):
+ f = line[0][3:-3]
+ inventory.append((f, {}))
+ return inventory
+
+def check_jar_signature(item, params, info):
+ in_block = False
+ details = []
+ in_cert = False
+ cert = []
+ for line in info:
+ line = (" ".join(line)).strip()
+ if line == "[[[%s]]]" % item:
+ in_block = True
+ elif in_block and line.startswith("[[["):
+ break
+ elif in_block and line.startswith("X.509"):
+ in_cert = True
+ cert = [line]
+ elif in_block and in_cert and line.startswith("[") and not
line.startswith("[entry was signed on"):
+ in_cert = False
+ cert.append(line)
+ details.append(cert)
+
+ if not details:
+ return (2, "No certificate found")
+
+ cert_dn, cert_valid = details[0]
+
+ # [certificate is valid from 3/26/12 11:26 AM to 3/26/17 11:36 AM]
+ # [certificate will expire on 7/4/13 4:13 PM]
+ if "will expire on " in cert_valid:
+ to = cert_valid.split("will expire on ", 1)[1][:-1]
+ else:
+ to = cert_valid.split("to ", 1)[1][:-1]
+ to_dt = datetime.datetime(*time.strptime(to, '%m/%d/%y %I:%M %p')[:6])
+
+ warn, crit = 60, 30
+
+ state = 0
+ status_txt = ""
+ if to_dt < datetime.datetime.now() + datetime.timedelta(days = crit):
+ state = 2
+ status_txt = " (less than %d days)" % crit
+ elif to_dt < datetime.datetime.now() + datetime.timedelta(days = warn):
+ state = 1
+ status_txt = " (less than %d days)" % warn
+
+ return state, "Certificate expires on %s%s (%s)" % (to, status_txt,
cert_dn)
+
+check_info['jar_signature'] = {
+ "service_description" : "Jar-Signature %s",
+ "check_function" : check_jar_signature,
+ "inventory_function" : inventory_jar_signature,
+}
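Review bot: A validity line in any form other than the two quoted in the comment makes `cert_valid.split("to ", 1)[1]` raise IndexError, and a date in another format makes `time.strptime` raise ValueError, so the check crashes in the parsing block after `cert_dn, cert_valid = details[0]` instead of returning a state. That matters most for a certificate that is already expired or not yet valid, which jarsigner presumably words differently; those are the cases this check should report as CRIT. The fence shows the parsing with an explicit fallback branch and a guarded `strptime`. Separately, `params` is never read and the 60/30 day levels are fixed, and the check looks only at the first certificate block, not at jarsigner's overall verification result, so a short comment stating that it reports expiry only would prevent it being read as a signature verification.

```python
    cert_dn, cert_valid = details[0]

    # … unchanged: comment quoting the two known validity lines …
    if "will expire on " in cert_valid:
        to = cert_valid.split("will expire on ", 1)[1][:-1]
    elif "to " in cert_valid:
        to = cert_valid.split("to ", 1)[1][:-1]
    else:
        # Unknown validity line (e.g. already expired or not yet valid):
        # fail closed instead of raising IndexError.
        return (2, "Unexpected certificate validity: %s (%s)" % (cert_valid, cert_dn))

    try:
        to_dt = datetime.datetime(*time.strptime(to, '%m/%d/%y %I:%M %p')[:6])
    except ValueError:
        return (3, "Cannot parse expiry date '%s' (%s)" % (to, cert_dn))

    # … unchanged: warn/crit comparison and return …
```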