[Pkg-nagios-changes] [pkg-nagios-plugins-contrib] 10/14: Updating checks from DSA.
Bernd Zeimetz
bernd at bzed.de
Fri Jan 13 13:26:50 UTC 2017
bzed pushed a commit to branch master
in repository pkg-nagios-plugins-contrib.
commit 6083eb6b13ae8ff2fed279f6da4cff2e9e872912
Author: Bernd Zeimetz <bernd at bzed.de>
Date: Fri Jan 13 11:37:11 2017 +0100
Updating checks from DSA.
---
dsa/checks/dsa-check-cert-expire-dir | 90 ++++++++++++++++++++++++++++
dsa/checks/dsa-check-dnssec-delegation | 8 ++-
dsa/checks/dsa-check-entropy | 7 ++-
dsa/checks/dsa-check-running-kernel | 30 +++-------
dsa/checks/dsa-check-soas | 104 ++++++++++++++++++++++++++++++---
dsa/control | 5 +-
dsa/copyright | 5 +-
7 files changed, 214 insertions(+), 35 deletions(-)
diff --git a/dsa/checks/dsa-check-cert-expire-dir b/dsa/checks/dsa-check-cert-expire-dir
new file mode 100755
index 0000000..2c8eaa1
--- /dev/null
+++ b/dsa/checks/dsa-check-cert-expire-dir
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+# Checks if any of the *.crt files in a directory on disk will expire soon
+
+# Copyright 2009,2016 Peter Palfrader
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
+sn="$0"
+if [ "${sn%/*}" = "$sn" ]; then
+ CERT_CHECK=dsa-check-cert-expire
+else
+ CERT_CHECK="${sn%/*}/dsa-check-cert-expire"
+fi
+
+if [ "$#" != 1 ] ; then
+ echo >&2 "Usage: $0 <directory>"
+ exit 1
+fi
+
+DIR="$1"
+
+if ! [ -d "$DIR" ]; then
+ echo "Not a directory: $DIR"
+ exit 1
+fi
+
+OK=""
+WARN=""
+CRIT=""
+UNKNOWN=""
+cOK=0
+cWARN=0
+cCRIT=0
+cUNKNOWN=0
+
+t=$(tempfile)
+trap "rm -f '$t'" EXIT
+
+for i in "$DIR"/*.crt; do
+ d="${i%.crt}"
+ d="${d##*/}"
+ echo -n "$d: " >> "$t"
+ "$CERT_CHECK" "$i" >> "$t" 2>&1
+ rc=$?
+ if [ "$rc" = 0 ]; then
+ OK="$OK $d"
+ cOK=$(( cOK + 1 ))
+ elif [ "$rc" = 1 ]; then
+ WARN="$WARN $d"
+ cWARN=$(( cWARN + 1 ))
+ elif [ "$rc" = 2 ]; then
+ CRIT="$CRIT $d"
+ cCRIT=$(( cCRIT + 1 ))
+ else
+ UNKNOWN="$UNKNOWN $d"
+ cUNKNOWN=$(( cUNKNOWN + 1 ))
+ fi
+done
+
+if [ -n "$CRIT" ]; then rc=2;
+elif [ -n "$WARN" ]; then rc=1;
+elif [ -n "$UNKNOWN" ]; then rc=3;
+else rc=0;
+fi
+
+[ -n "$CRIT" ] && echo "CRITICAL ($cCRIT):$CRIT, "
+[ -n "$WARN" ] && echo "WARN ($cWARN):$WARN, "
+[ -n "$UNKNOWN" ] && echo "UNKNOWN ($cUNKNOWN):$UNKNOWN, "
+[ -n "$OK" ] && echo "OK ($cOK):$OK."
+cat "$t"
+exit $rc
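Review bot: The loop `for i in "$DIR"/*.crt` runs once on the literal path `$DIR/*.crt` when the directory holds no certificate files, so an empty directory is reported as an UNKNOWN entry named `*` (whatever `$CERT_CHECK` prints for a missing file) rather than as "no certificates found". Enabling `nullglob` and testing the counters after the loop gives an explicit verdict, and `tempfile` is Debian-specific and deprecated in favour of `mktemp`, whose failure (currently ignored, leaving `$t` empty so every `>>` write fails) should also end the check with UNKNOWN. A similar guard after `CERT_CHECK` is set, `command -v "$CERT_CHECK" >/dev/null || { echo "UNKNOWN: $CERT_CHECK not found"; exit 3; }`, would stop a missing helper from turning every certificate into a silent UNKNOWN.
```shell
shopt -s nullglob
t=$(mktemp) || { echo "UNKNOWN: cannot create temporary file"; exit 3; }
trap "rm -f '$t'" EXIT

for i in "$DIR"/*.crt; do
# … unchanged: per-certificate classification …
done

if [ $(( cOK + cWARN + cCRIT + cUNKNOWN )) -eq 0 ]; then
  echo "UNKNOWN: no *.crt files in $DIR"
  exit 3
fi
# … unchanged: overall rc and summary output …
```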
diff --git a/dsa/checks/dsa-check-dnssec-delegation b/dsa/checks/dsa-check-dnssec-delegation
index 676dce1..e614bf2 100644
--- a/dsa/checks/dsa-check-dnssec-delegation
+++ b/dsa/checks/dsa-check-dnssec-delegation
@@ -1,6 +1,6 @@
#!/usr/bin/perl
-# Copyright (c) 2010 Peter Palfrader <peter at palfrader.org>
+# Copyright (c) 2010, 2014, 2015 Peter Palfrader <peter at palfrader.org>
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
@@ -70,6 +70,12 @@ sub get_tag_generic {
next unless (lc($rr->name) eq lc($zone));
my $tag = $options{'pretty'} ? sprintf("%5d(%d)", $rr->keytag, $rr->algorithm) : $rr->keytag;
+
+ if ($type eq 'DNSKEY' && ($rr->{'flags'} & (1<<(15-8)))) {
+ # key is revoked
+ next;
+ }
+
# for now only handle KSKs, i.e. keys with the SEP flag set
if ($type eq 'DNSKEY' && !($rr->is_sep)) {
push @zsks, $tag;
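Review bot: The revoked-key test reads the record's internal hash directly with `$rr->{'flags'}` and spells the flag as `(1<<(15-8))`, a magic expression that hides the intent (the RFC 5011 REVOKE bit, bit 8 of the 16-bit flags field, value 0x80). Using the public accessor and a named constant keeps it readable and survives a change in Net::DNS's internal layout: `use constant DNSKEY_FLAG_REVOKE => 0x80;` at file scope and `if ($type eq 'DNSKEY' && ($rr->flags & DNSKEY_FLAG_REVOKE)) { next; }` here, with a comment such as `# RFC 5011 REVOKE bit set: a revoked key is neither a KSK nor a ZSK candidate`. Newer Net::DNS releases may also expose a `revoke` accessor on DNSKEY records, which would be worth preferring if the package's dependency allows it. `get_tag_generic` begins and ends outside this hunk.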
diff --git a/dsa/checks/dsa-check-entropy b/dsa/checks/dsa-check-entropy
index e2c61e2..ddf1d92 100644
--- a/dsa/checks/dsa-check-entropy
+++ b/dsa/checks/dsa-check-entropy
@@ -1,6 +1,7 @@
#!/usr/bin/python
# Copyright 2011 Peter Palfrader
+# Copyright 2014 Hendrik Koehler
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
@@ -64,16 +65,16 @@ while tries <= options.retries:
if avail >= options.watermark:
if tries > 0:
- print "OK: %d bytes in the pool after %d attempts."%(avail, tries)
+ print "OK: %d bytes in the pool after %d attempts.|entropy=%d bytes"%(avail, tries, avail)
else:
- print "OK: %d bytes in the pool."%(avail)
+ print "OK: %d bytes in the pool.|entropy=%d bytes"%(avail, avail)
sys.exit(0)
values.append(avail)
time.sleep(1.0 * options.sleep / 1000)
tries += 1
-print "WARNING: Too little entropy in the pool (min: %d, max: %d in %d reads)"%(min(values), max(values), tries-1)
+print "WARNING: Too little entropy in the pool (min: %d, max: %d in %d reads)|entropy=%d bytes"%(min(values), max(values), tries-1, avail)
sys.exit(1)
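Review bot: The performance data appended in the three `print` lines, `entropy=%d bytes`, is not valid Nagios perfdata: the format is `label=value[UOM]` with no whitespace, so the space ends the value and leaves a stray `bytes` token, and `bytes` is not one of the recognised units (s/ms/us, %, B/KB/MB/TB, c). Dropping the unit and carrying the threshold instead makes the datum both parseable and graphable, e.g. `"...|entropy=%d;%d;;0" % (avail, options.watermark)` on each line. In the WARNING branch the value reported is `avail` from the final read, whereas `min(values)` is the figure the warning is actually about. The enclosing `while` loop and the option parsing begin outside this hunk.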
# vim:set et:
diff --git a/dsa/checks/dsa-check-running-kernel b/dsa/checks/dsa-check-running-kernel
index 40fd3b7..80f45bf 100644
--- a/dsa/checks/dsa-check-running-kernel
+++ b/dsa/checks/dsa-check-running-kernel
@@ -37,15 +37,13 @@ get_offset() {
file="$1"
needle="$2"
- pos="$3"
perl -e '
undef $/;
- $i = index(<>, "'"$needle"'", '"$pos"');
- if ($i < 0) {
- exit 1;
- };
- print $i,"\n"' < "$file"
+ $i = 0; $k=<>;
+ while (($i = index($k, "'"$needle"'", $i)) >= 0) {
+ print $i++,"\n";
+ }; ' < "$file"
}
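Review bot: `$needle` is spliced into the Perl program text in `index($k, "'"$needle"'", $i)`, so a needle containing a double quote, `$`, `@` or backslash is executed as Perl rather than searched for; the visible callers appear to pass fixed header strings, so this is a robustness rather than an exploitability concern, but passing the value as data is no longer: `NEEDLE="$needle" perl -e 'undef $/; my $k = <STDIN>; my $i = 0; while (($i = index($k, $ENV{NEEDLE}, $i)) >= 0) { print $i++, "\n"; }' < "$file"`. The `$i++` inside `print` is correct (it prints the match offset, then advances one byte so overlapping matches are found) but reads like an accident; a comment such as `# print the offset, then resume one byte later so every occurrence is reported` would spare the next reader a double take.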
get_avail() {
@@ -60,7 +58,7 @@ get_avail() {
# DSA uses kernel versions of the form 2.6.29.3-dsa-dl380-oldxeon, where
# Debian uses versions of the form 2.6.29-2-amd64
if [ "${kervers#3}" != "$kervers" ]; then
- metavers=$(echo $kervers | sed -r -e 's/^3\.[0-9].[0-9]+-[A-Za-z0-9\.]+-(.*)/\1/')
+ metavers=$(echo $kervers | sed -r -e 's/^3\.[0-9]+(\.[0-9])?+-[A-Za-z0-9\.]+-(.*)/\2/')
elif [ "${kervers//dsa}" != "$kervers" ]; then
metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+([\.0-9]+?)-(.*)/2.\1-\3/')
else
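Review bot: The new sed expression for the 3.x branch, `(\.[0-9])?+`, allows only a single digit in the third version component and stacks two quantifiers, which GNU sed tolerates but POSIX ERE leaves undefined; a DSA-style version such as `3.16.10-dsa-dl380-amd64` therefore does not match, and `metavers` silently becomes the whole `$kervers`. `(\.[0-9]+)?` says what is meant: `metavers=$(echo $kervers | sed -r -e 's/^3\.[0-9]+(\.[0-9]+)?-[A-Za-z0-9\.]+-(.*)/\2/')`. The enclosing `${kervers#3}` test also recognises only 3.x kernels, so 4.x kernels fall through to the `elif`/`else` branches; if that is deliberate a comment would help, otherwise the prefix test needs widening. `get_avail` begins and ends outside this hunk.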
@@ -130,23 +128,13 @@ cat_vmlinux() {
header="$2"
filter="$3"
hdroff="$4"
- nextoff=0
-
- while : ; do
- off=`get_offset "$image" $header $nextoff`
- local ret="$?"
- if [ "$ret" != 0 ]; then
- # not found, exit
- return 1
- fi
+ get_offset "$image" $header | head -n 5 | while read off; do
(if [ "$off" != 0 ]; then
dd ibs="$((off+hdroff))" skip=1 count=0
fi &&
dd bs=512k) < "$image" 2>/dev/null | $filter 2>/dev/null
- nextoff=$((off + 1))
done
- return 0
}
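Review bot: The rewrite drops `cat_vmlinux`'s "not found" status: the old loop returned 1 when `get_offset` found nothing, while now the function's exit status is that of the `get_offset | head | while` pipeline, which is 0 whether or not any offset was produced, and the `while read` body runs in a subshell so nothing it sets survives either. If any caller (not shown in the hunk) still tests the return value it will now always see success and should inspect the output instead. The `head -n 5` cap is an unexplained constant, worth a comment along the lines of `# only try the first few header matches; the real payload is normally among them`, and `$header` is still passed unquoted to `get_offset`. `cat_vmlinux` begins outside this hunk.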
get_image_linux() {
@@ -172,11 +160,11 @@ freebsd_check_running_version() {
local imagefile="$1"; shift
local r="$(uname -r)"
- local v="$(uname -v| sed -e 's/^#[0-9]*/&:/' -e 's/\+/\\+/g')"
+ local v="$(uname -v| sed -e 's/^#[0-9]*/&:/')"
- local q='@\(#\)FreeBSD '"$r $v"
+ local q='@(#)FreeBSD '"$r $v"
- if zcat "$imagefile" | $STRINGS | egrep -q "$q"; then
+ if zcat "$imagefile" | $STRINGS | grep -F -q "$q"; then
echo "OK"
else
echo "not OK"
diff --git a/dsa/checks/dsa-check-soas b/dsa/checks/dsa-check-soas
index 3b8e546..eb28d8c 100644
--- a/dsa/checks/dsa-check-soas
+++ b/dsa/checks/dsa-check-soas
@@ -1,6 +1,6 @@
#!/usr/bin/ruby
-# Copyright 2006, 2012 Peter Palfrader
+# Copyright 2006, 2012, 2014 Peter Palfrader
# 2012 Uli Martens
#
# Permission is hereby granted, free of charge, to any person obtaining
@@ -22,6 +22,35 @@
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+# the each_resource function is lifted from ruby 1.9.1's resolv.rb, with the
+# minor modification that we do not unconditionally set the message's RD flag
+# to 1. Its license is:
+#
+# Copyright (C) 1993-2010 Yukihiro Matsumoto. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+
require 'ipaddr'
require 'resolv'
require 'optparse'
@@ -53,6 +82,57 @@ if @additional_nameservers.count <= 1 and not @check_soa_nameservers
exit(1)
end
+class DSADNS < Resolv::DNS
+ attr_reader :rd
+ attr_writer :rd
+
+ def initialize(*args)
+ super
+ @rd = 1
+ end
+
+ def each_resource(name, typeclass, &proc)
+ lazy_initialize
+ requester = make_udp_requester
+ senders = {}
+ begin
+ @config.resolv(name) {|candidate, tout, nameserver, port|
+ msg = Message.new
+ msg.rd = @rd
+ msg.add_question(candidate, typeclass)
+ unless sender = senders[[candidate, nameserver, port]]
+ sender = senders[[candidate, nameserver, port]] =
+ requester.sender(msg, candidate, nameserver, port)
+ end
+ reply, reply_name = requester.request(sender, tout)
+ case reply.rcode
+ when RCode::NoError
+ if reply.tc == 1 and not Requester::TCP === requester
+ requester.close
+ # Retry via TCP:
+ requester = make_tcp_requester(nameserver, port)
+ senders = {}
+ # This will use TCP for all remaining candidates (assuming the
+ # current candidate does not already respond successfully via
+ # TCP). This makes sense because we already know the full
+ # response will not fit in an untruncated UDP packet.
+ redo
+ else
+ extract_resources(reply, reply_name, typeclass, &proc)
+ end
+ return
+ when RCode::NXDomain
+ raise Config::NXDomain.new(reply_name.to_s)
+ else
+ raise Config::OtherResolvError.new(reply_name.to_s)
+ end
+ }
+ ensure
+ requester.close
+ end
+ end
+end
+
warnings = []
oks = []
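Review bot: `DSADNS#each_resource` is built on Resolv::DNS internals (`lazy_initialize`, `make_udp_requester`, `make_tcp_requester`, `@config.resolv`, `Requester::TCP`) that are private and have changed across Ruby releases, so a Ruby upgrade can break the check with a NoMethodError that the `rescue SystemCallError` at the call site will not catch. A comment pinning the Ruby versions this was verified against, plus a `rescue NoMethodError` around the query that yields an UNKNOWN result rather than a traceback, would make the dependency explicit. Stylistically `attr_reader :rd` / `attr_writer :rd` is simply `attr_accessor :rd`, and the class deserves a one-line rationale such as `# Resolv::DNS always sends RD=1; authoritative servers are queried with RD=0 here, presumably so that a recursive resolver in the path cannot answer from cache and each server reports its own serial.`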
@@ -67,7 +147,7 @@ end
dns = Resolv::DNS.new
ARGV.each{ |domain|
- serial = []
+ serial = {}
nameserver_addresses = {}
if @check_soa_nameservers
nameservers = dns.getresources(domain, Resolv::DNS::Resource::IN::NS)
@@ -94,7 +174,8 @@ ARGV.each{ |domain|
addrs.each do |a|
puts " Nameserver #{nameserver} is at #{a}" if @verbose > 0
begin
- resolver = Resolv::DNS.new({:nameserver => a})
+ resolver = DSADNS.new({:nameserver => a})
+ resolver.rd = 0
soas = resolver.getresources(domain, Resolv::DNS::Resource::IN::SOA)
rescue SystemCallError => e
warnings << "Could not resolve #{domain} on #{nameserver}: #{e.message}"
@@ -103,18 +184,27 @@ ARGV.each{ |domain|
warnings << "Nameserver #{nameserver} for #{domain} returns #{soas.length} SOAs" if soas.length != 1
soas.each do |soa|
puts " Nameserver #{nameserver} returns serial #{soa.serial} for #{domain}" if @verbose > 0
- serial << soa.serial unless serial.include? soa.serial
+ sn = soa.serial.to_i
+ if serial.has_key? sn then
+ serial[sn] << nameserver
+ else
+ serial[sn] = [nameserver]
+ end
end
end
end
end
- case serial.length
+ case serial.keys.length
when 0
warnings << "Found no serials for #{domain}"
when 1
- oks << "#{domain} is at #{serial.first}"
+ oks << "#{domain} is at #{serial.keys.first}"
else
- warnings << "Nameservers disagree on serials for #{domain}: found #{serial.join(', ')}" if serial.length != 1
+ text = []
+ serial.keys.sort.each do |sn|
+ text << "#{sn} (#{serial[sn].join(', ')})"
+ end
+ warnings << "Nameservers disagree on serials for #{domain}: found #{text.join(', ')}"
end
}
dns.close
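Review bot: In the new per-serial bookkeeping `serial[sn] << nameserver` records the server name once per address, so a server with both A and AAAA records (the `addrs.each do |a|` loop above) appears twice in the disagreement message, and when its IPv4 and IPv6 answers differ the report cannot say which address returned which serial. Recording `serial[sn] << "#{nameserver}/#{a}"` (or calling `.uniq` on the list when printing, if only names are wanted) makes the output unambiguous. The `.to_i` on `soa.serial` is harmless but unexplained; if it guards against a non-Integer return from some Resolv version, a short comment saying so would help.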
diff --git a/dsa/control b/dsa/control
index 5bba9f2..7d383b5 100644
--- a/dsa/control
+++ b/dsa/control
@@ -1,9 +1,11 @@
-Homepage: http://anonscm.debian.org/gitweb/?p=mirror/dsa-nagios.git;a=tree;f=dsa-nagios-checks;hb=HEAD
+Homepage: https://anonscm.debian.org/cgit/mirror/dsa-nagios.git/
Uploaders: Bernd Zeimetz <bzed at debian.org>
Description: plugins from the Debian System Administrators
nagios plugins repository.
* check_cert_expire: check for certificate expiration
using openssl on the certificate file
+ * check_cert_expire_dir: checks if any of the *.crt files in
+ a directory on disk will expire soon
* check_dnssec_delegation: check for correct DNSSEC
delegation
* check_entropy: check if there is enough entropy available.
@@ -15,3 +17,4 @@ Description: plugins from the Debian System Administrators
* check_statusfile: deliver the content of a status file
as check result
Recommends: ruby | ruby-interpreter, openssl, libnet-dns-perl, binutils
+Version: 1c0b9ec
diff --git a/dsa/copyright b/dsa/copyright
index 6f58a53..6006f7a 100644
--- a/dsa/copyright
+++ b/dsa/copyright
@@ -1,6 +1,7 @@
checks/dsa-check-cert-expire:# Copyright 2009 Peter Palfrader
-checks/dsa-check-dnssec-delegation:# Copyright (c) 2010 Peter Palfrader <peter at palfrader.org>
-checks/dsa-check-entropy:# Copyright 2011 Peter Palfrader
+checks/dsa-check-cert-expire-dir:# Copyright 2009,2016 Peter Palfrader
+checks/dsa-check-dnssec-delegation:# Copyright (c) 2010, 2014, 2015 Peter Palfrader <peter at palfrader.org>
+checks/dsa-check-entropy:# Copyright 2011 Peter Palfrader, Copyright 2014 Hendrik Koehler
checks/dsa-check-soas:# Copyright 2006, 2012 Peter Palfrader
checks/dsa-check-packages:# Copyright (C) 2008, 2009 Peter Palfrader <peter at palfrader.org>
checks/dsa-check-statusfile:# Copyright 2008, 2012 Peter Palfrader