Module: check_mk
Branch: master
Commit: f9af84396a271e46d1020f8101bfbb09f705beb3
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=f9af84396a271e…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Sun Jan 6 00:48:38 2019 +0100
livestatus_status: Check for site SSL certificate validity
The check now warns about expiring SSL certificates. The thresholds
default to a WARNING once 30 days are left and CRITICAL when only 7
days are left.
CMK-1535
Change-Id: I8959dbe98d60dbbc097618c3a22d9fed76a7408c
---
agents/check_mk_agent.linux | 14 ++++++++
checks/livestatus_status | 42 ++++++++++++++++++++--
.../wato/check_parameters/livestatus_status.py | 21 +++++++++++
3 files changed, 74 insertions(+), 3 deletions(-)
diff --git a/agents/check_mk_agent.linux b/agents/check_mk_agent.linux
index f0fc7f4..adc18e5 100755
--- a/agents/check_mk_agent.linux
+++ b/agents/check_mk_agent.linux
@@ -937,6 +937,20 @@ then
waitmax 3 "/omd/sites/$site/bin/unixcat"
"/omd/sites/$site/tmp/run/live"
fi
done
+
+ echo '<<<livestatus_ssl_certs:sep(124)>>>'
+ for site in *
+ do
+ echo "[$site]"
+ for PEM_PATH in "/omd/sites/$site/etc/ssl/ca.pem"
"/omd/sites/$site/etc/ssl/sites/$site.pem"; do
+ if [ -f "$PEM_PATH" ]; then
+ CERT_DATE=$(openssl x509 -enddate -noout -in "$PEM_PATH")
+ CERT_DATE=${CERT_DATE/notAfter=/}
+ echo "$PEM_PATH|$(date --date="$CERT_DATE" --utc
+%s)"
+ fi
+ done
+ done
+
echo '<<<mkeventd_status:sep(0)>>>'
for site in *
do
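Review bot: In the added `livestatus_ssl_certs` loop the exit status of `openssl x509` is never checked, so a PEM file that exists but cannot be parsed leaves `CERT_DATE` empty. GNU date documents an empty `--date` string as the beginning of the current day, so the agent would then emit a plausible-looking but wrong expiry timestamp instead of nothing. I would skip the file on failure, e.g. `CERT_DATE=$(openssl x509 -enddate -noout -in "$PEM_PATH" 2>/dev/null) || continue`, and only echo the line when the `date` conversion also succeeded. The enclosing `if` block and the neighbouring `for site` loops start and end outside this hunk.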
diff --git a/checks/livestatus_status b/checks/livestatus_status
index 70d552e..d05c5ff 100644
--- a/checks/livestatus_status
+++ b/checks/livestatus_status
@@ -44,6 +44,7 @@ factory_settings["livestatus_status_default_levels"] = {
"enable_notifications": 2,
"process_performance_data": 1,
"check_external_commands": 2,
+ "site_cert_days": (30, 7),
}
@@ -65,11 +66,31 @@ def parse_livestatus_status(info):
return parsed
-def inventory_livestatus_status(parsed):
- return [(site, {}) for (site, status) in parsed.items() if status is not None]
+def parse_livestatus_ssl_certs(info):
+ if not info:
+ return {}
+ parsed = {}
+ site = None
+ for line in info:
+ if line and line[0][0] == "[" and line[0][-1] == "]":
+ site = line[0][1:-1]
+ parsed[site] = {}
+
+ elif site and len(line) == 2:
+ pem_path, valid_until = line
+ parsed[site][pem_path] = valid_until
+
+ return parsed
+
+
+def inventory_livestatus_status(sections):
+ return [(site, {}) for (site, status) in sections[0].items() if status is not None]
+
+
+def check_livestatus_status(item, params, sections):
+ parsed, ssl_certs = sections[0], parse_livestatus_ssl_certs(sections[1])
-def check_livestatus_status(item, params, parsed):
if item not in parsed:
return
status = parsed[item]
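Review bot: `parse_livestatus_ssl_certs` stores `valid_until` exactly as the agent sent it, while the later hunk (@@ -121) calls `int(cert_valid_until)` on it without a guard. If the agent's `date` call fails, the line becomes `path|` with an empty second field; assuming the `sep(124)` split keeps that empty field, the parser accepts it and the check would raise `ValueError`, losing the whole service result. Validating at parse time keeps malformed agent output out of the check: `if valid_until.isdigit(): parsed[site][pem_path] = int(valid_until)`. A short docstring on the parser describing the `[site]` header lines and the `path|epoch` rows would also help. The body of `check_livestatus_status` continues outside this hunk.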
@@ -121,6 +142,20 @@ def check_livestatus_status(item, params, parsed):
yield 0, "Core version: %s" % status["program_version"]
yield 0, "Livestatus version: %s" % status["livestatus_version"]
+ pem_path = "/omd/sites/%s/etc/ssl/sites/%s.pem" % (item, item)
+ cert_valid_until = ssl_certs.get(item, {}).get(pem_path)
+ if cert_valid_until is not None:
+ days_left = (int(cert_valid_until) - time.time()) / 86400.0
+ valid_until_formatted = time.strftime("%Y-%m-%d %H:%M:%S",
+ time.localtime(int(cert_valid_until)))
+ yield check_levels(
+ value=days_left,
+ dsname="site_cert_days",
+ infoname="Site certificate validity (until %s)" %
valid_until_formatted,
+ unit="days",
+ params=(None, None, params["site_cert_days"][0],
params["site_cert_days"][1]),
+ )
+
settings = [
("execute_host_checks", "Active host checks are disabled"),
("execute_service_checks", "Active service checks are
disabled"),
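Review bot: Only `/omd/sites/<site>/etc/ssl/sites/<site>.pem` is looked up here, although the agent hunk in this same commit also reports `/omd/sites/<site>/etc/ssl/ca.pem`. The expiry of the site CA is therefore collected but never evaluated, so an expiring CA certificate would not raise any state. Either evaluate the CA entry with the same `site_cert_days` levels, or, if leaving it out is intentional, say so in place with `# NOTE: only the site certificate is evaluated; ca.pem is reported by the agent but not checked here`. Separately, `valid_until_formatted` is rendered with `time.localtime` and no zone label, which can be misread when the monitoring server and the monitored site are in different time zones. `check_livestatus_status` starts before and continues after this hunk.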
@@ -162,4 +197,5 @@ check_info['livestatus_status'] = {
"has_perfdata": True,
"group": "livestatus_status",
"default_levels_variable": "livestatus_status_default_levels",
+ "extra_sections": ["livestatus_ssl_certs"],
}
diff --git a/cmk/gui/plugins/wato/check_parameters/livestatus_status.py
b/cmk/gui/plugins/wato/check_parameters/livestatus_status.py
index 0f12203..4c4ab08 100644
--- a/cmk/gui/plugins/wato/check_parameters/livestatus_status.py
+++ b/cmk/gui/plugins/wato/check_parameters/livestatus_status.py
@@ -29,6 +29,8 @@ from cmk.gui.valuespec import (
Dictionary,
MonitoringState,
TextAscii,
+ Tuple,
+ Integer,
)
from cmk.gui.plugins.wato import (
RulespecGroupCheckParametersApplications,
@@ -70,6 +72,25 @@ register_check_parameters(
MonitoringState(title="State when performance data is disabled",
default_value=1)),
("check_external_commands",
MonitoringState(title="State when not checking external commands",
default_value=2)),
+ ("site_cert_days",
+ Tuple(
+ title=_("Site certificate validity"),
+ help=_("Minimum number of days a certificate has to be
valid."),
+ elements=[
+ Integer(
+ title=_("Warning at or below"),
+ minvalue=0,
+ unit=_("days"),
+ default_value=30,
+ ),
+ Integer(
+ title=_("Critical at or below"),
+ minvalue=0,
+ unit=_("days"),
+ default_value=7,
+ ),
+ ],
+ ))
]),
TextAscii(title=_("Name of the monitoring site"),),
match_type="dict",