sensu-plugins-ssl-boutetnico 1.0.0

data/bin/check-ssl-qualys.rb

@@ -0,0 +1,193 @@
+#!/usr/bin/env ruby
+#
+#  check-ssl-qualys.rb
+#
+# DESCRIPTION:
+#   Runs a report using the Qualys SSL Labs API and then alerts if a
+#   domain does not meet the grade specified for *ALL* hosts that are
+#   reachable from that domian.
+#
+#   The checks that are performed are documented on
+#   https://www.ssllabs.com/index.html as are the range of grades.
+#
+# OUTPUT:
+#   plain text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#
+# USAGE:
+#   # Basic usage
+#   check-ssl-qualys.rb -d <domain_name>
+#   # Specify the CRITICAL and WARNING grades to a specific grade
+#   check-ssl-qualys.rb -d <domain_name> -c <critical_grade> -w <warning_grade>
+#   # Use --api-url to specify an alternate api host
+#   check-ssl-qualys.rb -d <domain_name> -api-url <alternate_host>
+#
+#  NOTE: This check takes a rather long time to run and will timeout if you're using
+#  the default sensu check timeout.  Make sure to set a longer timeout period in the
+#  check definition.  Two minutes or longer may be a good starting point as checks
+#  regularly take 90+ seconds to run.
+#
+# LICENSE:
+#   Copyright 2015 William Cooke <will@bruisyard.eu>
+#   Released under the same terms as Sensu (the MIT license); see LICENSE for
+#   details.
+#
+
+require 'sensu-plugin/check/cli'
+require 'json'
+require 'net/http'
+require 'timeout'
+
+# Checks a single DNS entry has a rating above a certain level
+class CheckSSLQualys < Sensu::Plugin::Check::CLI
+  # Current grades that are avaialble from the API
+  GRADE_OPTIONS = ['A+', 'A', 'A-', 'B', 'C', 'D', 'E', 'F', 'T', 'M'].freeze
+
+  option :domain,
+         description: 'The domain to run the test against',
+         short: '-d DOMAIN',
+         long: '--domain DOMAIN',
+         required: true
+
+  option :api_url,
+         description: 'The URL of the API to run against',
+         long: '--api-url URL',
+         default: 'https://api.ssllabs.com/api/v3/'
+
+  option :warn,
+         short: '-w GRADE',
+         long: '--warn GRADE',
+         description: 'WARNING if below this grade',
+         proc: proc { |g| GRADE_OPTIONS.index(g) },
+         default: 2 # 'A-'
+
+  option :critical,
+         short: '-c GRADE',
+         long: '--critical GRADE',
+         description: 'CRITICAL if below this grade',
+         proc: proc { |g| GRADE_OPTIONS.index(g) },
+         default: 3 # 'B'
+
+  option :debug,
+         long: '--debug BOOL',
+         description: 'toggles extra debug printing',
+         boolean: true,
+         default: false
+
+  option :num_checks,
+         short: '-n NUM_CHECKS',
+         long: '--number-checks NUM_CHECKS',
+         description: 'The number of checks to make before giving up (timeout of check)',
+         proc: proc { |t| t.to_i },
+         default: 24
+
+  option :between_checks,
+         short: '-t SECONDS',
+         long: '--time-between SECONDS',
+         description: 'The fallback time between each poll of the API, when an ETA is given by the previous response and is higher than this value it is used',
+         proc: proc { |t| t.to_i },
+         default: 10
+
+  option :timeout,
+         long: '--timeout SECONDS',
+         descriptions: 'the amount of seconds that this is allowed to run for',
+         proc: proc(&:to_i),
+         default: 300
+
+  def ssl_api_request(from_cache)
+    params = { host: config[:domain] }
+    params[:startNew] = if from_cache == true
+                          'off'
+                        else
+                          'on'
+                        end
+
+    uri       = URI("#{config[:api_url]}analyze")
+    uri.query = URI.encode_www_form(params)
+    begin
+      response = Net::HTTP.get_response(uri)
+    rescue StandardError => e
+      warning e
+    end
+
+    warning 'Bad response recieved from API' unless response.is_a?(Net::HTTPSuccess)
+
+    JSON.parse(response.body)
+  end
+
+  def ssl_check(from_cache)
+    json = ssl_api_request(from_cache)
+    warning "ERROR on #{config[:domain]} check" if json['status'] == 'ERROR'
+    json
+  end
+
+  def ssl_recheck
+    1.upto(config[:num_checks]) do |step|
+      p "step: #{step}" if config[:debug]
+      start_time = Time.now
+      p "start_time: #{start_time}" if config[:debug]
+      json = if step == 1
+               ssl_check(false)
+             else
+               ssl_check(true)
+             end
+      return json if json['status'] == 'READY'
+
+      if json['endpoints']&.is_a?(Array)
+        p "endpoints: #{json['endpoints']}" if config[:debug]
+        # The api response sometimes has low eta (which seems unrealistic) from
+        # my tests that can be 0 or low numbers which would imply it is done...
+        # Basically we check if present and if its higher than the specified
+        # time to wait between checks. If so we use the eta from the api get
+        # response otherwise we use the time between check values. We have an
+        # overall timeout that protects us from the api telling us to wait for
+        # insanely long time periods. The highest I have seen the eta go was
+        # around 250 seconds but put it in just in case as the api has very
+        # erratic response times.
+        if json['endpoints'].first.is_a?(Hash) && json['endpoints'].first.key?('eta') && json['endpoints'].first['eta'] > config[:between_checks]
+          p "eta: #{json['endpoints'].first['eta']}" if config[:debug]
+          sleep(json['endpoints'].first['eta'])
+        else
+          p "sleeping with default: #{config[:between_checks]}" if config[:debug]
+          sleep(config[:between_checks])
+        end
+      end
+      p "elapsed: #{Time.now - start_time}" if config[:debug]
+      warning 'Timeout waiting for check to finish' if step == config[:num_checks]
+    end
+  end
+
+  def ssl_grades
+    ssl_recheck['endpoints'].map do |endpoint|
+      endpoint['grade']
+    end
+  end
+
+  def lowest_grade
+    ssl_grades.sort_by! { |g| GRADE_OPTIONS.index(g) }.reverse![0]
+  end
+
+  def run
+    Timeout.timeout(config[:timeout]) do
+      grade = lowest_grade
+      unless grade
+        message "#{config[:domain]} not rated"
+        critical
+      end
+      message "#{config[:domain]} rated #{grade}"
+      grade_rank = GRADE_OPTIONS.index(grade)
+      if grade_rank > config[:critical]
+        critical
+      elsif grade_rank > config[:warn]
+        warning
+      else
+        ok
+      end
+    end
+  end
+end

data/bin/check-ssl-root-issuer.rb

@@ -0,0 +1,126 @@
+#! /usr/bin/env ruby
+#
+#   check-ssl-root-issuer
+#
+# DESCRIPTION:
+#   Check that a certificate is chained to a specific root certificate issuer
+#
+# OUTPUT:
+#   plain text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#
+# USAGE:
+#
+#   Check that a specific website is chained to a specific root certificate
+#       ./check-ssl-root-issuer.rb \
+#           -u https://example.com \
+#           -i "CN=DST Root CA X3,O=Digital Signature Trust Co."
+#
+# LICENSE:
+#   Copyright Jef Spaleta (jspaleta@gmail.com) 2020
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
+
+require 'sensu-plugin/check/cli'
+require 'openssl'
+require 'uri'
+require 'net/http'
+require 'net/https'
+
+#
+# Check root certificate has specified issuer name
+#
+class CheckSSLRootIssuer < Sensu::Plugin::Check::CLI
+  option :url,
+         description: 'Url to check: Ex "https://google.com"',
+         short: '-u',
+         long: '--url URL',
+         required: true
+
+  option :issuer,
+         description: 'An X509 certificate issuer name, RFC2253 format Ex: "CN=DST Root CA X3,O=Digital Signature Trust Co."',
+         short: '-i',
+         long: '--issuer ISSUER_NAME',
+         required: true
+
+  option :regexp,
+         description: 'Treat the issuer name as a regexp',
+         short: '-r',
+         long: '--regexp',
+         default: false,
+         boolean: true,
+         required: false
+
+  option :format,
+         description: 'optional issuer name format.',
+         short: '-f',
+         long: '--format FORMAT_VAL',
+         default: 'RFC2253',
+         in: %w[RFC2253 ONELINE COMPAT],
+         required: false
+
+  def cert_name_format
+    # Note: because format argument is pre-validated by mixin 'in' logic eval is safe to use
+    eval "OpenSSL::X509::Name::#{config[:format]}" # rubocop:disable Lint/Eval
+  end
+
+  def validate_issuer(cert)
+    issuer = cert.issuer.to_s(cert_name_format)
+    if config[:regexp]
+      issuer_regexp = Regexp.new(config[:issuer].to_s)
+      issuer =~ issuer_regexp
+    else
+      issuer == config[:issuer].to_s
+    end
+  end
+
+  def find_root_cert(uri)
+    root_cert = nil
+    http = Net::HTTP.new(uri.host, uri.port)
+    http.open_timeout = 10
+    http.read_timeout = 10
+    http.use_ssl = true
+    http.cert_store = OpenSSL::X509::Store.new
+    http.cert_store.set_default_paths
+    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+
+    http.verify_callback = lambda { |verify_ok, store_context|
+      root_cert ||= store_context.current_cert
+      unless verify_ok
+        @failed_cert = store_context.current_cert
+        @failed_cert_reason = [store_context.error, store_context.error_string] if store_context.error != 0
+      end
+      verify_ok
+    }
+    http.start {}
+    root_cert
+  end
+
+  # Do the actual work and massage some data
+
+  def run
+    @fail_cert = nil
+    @failed_cert_reason = 'Unknown'
+    uri = URI.parse(config[:url])
+    critical "url protocol must be https, you specified #{url}" if uri.scheme != 'https'
+    root_cert = find_root_cert(uri)
+    if @failed_cert
+      msg = "Certificate verification failed.\n Reason: #{@failed_cert_reason}"
+      critical msg
+    end
+
+    if validate_issuer(root_cert)
+      msg = 'Root certificate in chain has expected issuer name'
+      ok msg
+    else
+      msg = "Root certificate issuer did not match expected name.\nFound: \"#{root_cert.issuer.to_s(config[:issuer_format])}\""
+      critical msg
+    end
+  end
+end

data/lib/sensu-plugins-ssl.rb

@@ -0,0 +1 @@
+require 'sensu-plugins-ssl/version'

data/lib/sensu-plugins-ssl/version.rb

@@ -0,0 +1,9 @@
+module SensuPluginsSSL
+  module Version
+    MAJOR = 1
+    MINOR = 0
+    PATCH = 0
+
+    VER_STRING = [MAJOR, MINOR, PATCH].compact.join('.')
+  end
+end

metadata

@@ -0,0 +1,229 @@
+--- !ruby/object:Gem::Specification
+name: sensu-plugins-ssl-boutetnico
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Sensu-Plugins and contributors
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-06-29 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: sensu-plugin
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: codeclimate-test-reporter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: github-markup
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.13'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: redcarpet
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.5'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.85.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.85.0
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.1
+- !ruby/object:Gem::Dependency
+  name: yard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.25
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.25
+description: |-
+  This plugin provides native SSL instrumentation
+                                for monitoring, including: hostname and chain
+                                verification, cert and crl expiry, and Qualys SSL Labs reporting
+email: "<sensu-users@googlegroups.com>"
+executables:
+- check-ssl-anchor.rb
+- check-java-keystore-cert.rb
+- check-ssl-cert.rb
+- check-ssl-crl.rb
+- check-ssl-qualys.rb
+- check-ssl-host.rb
+- check-ssl-root-issuer.rb
+- check-ssl-hsts-preloadable.rb
+- check-ssl-hsts-status.rb
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE
+- README.md
+- bin/check-java-keystore-cert.rb
+- bin/check-ssl-anchor.rb
+- bin/check-ssl-cert.rb
+- bin/check-ssl-crl.rb
+- bin/check-ssl-host.rb
+- bin/check-ssl-hsts-preloadable.rb
+- bin/check-ssl-hsts-status.rb
+- bin/check-ssl-qualys.rb
+- bin/check-ssl-root-issuer.rb
+- lib/sensu-plugins-ssl.rb
+- lib/sensu-plugins-ssl/version.rb
+homepage: https://github.com/boutetnico/sensu-plugins-ssl
+licenses:
+- MIT
+metadata:
+  maintainer: sensu-plugin
+  development_status: active
+  production_status: unstable - testing recommended
+  release_draft: 'false'
+  release_prerelease: 'false'
+post_install_message: You can use the embedded Ruby by setting EMBEDDED_RUBY=true
+  in /etc/default/sensu
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.4.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.14.4
+signing_key: 
+specification_version: 4
+summary: Sensu plugins for SSL
+test_files: []