sensu-plugins-ssl-boutetnico 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 16378e5222efd774d58d33c47dfa46facac0b2cd
+  data.tar.gz: 55dd9684c413e0b36ed44e6a89e83a571a0742d3
+SHA512:
+  metadata.gz: cebae6d1239bcae312147ce8f4df7acc5bb01698c39da3a4f5ff351031fde0ab2e0fe16f54a49d980db5d80731f8a1020a64a74ce0a230b8283a17323ac5f53a
+  data.tar.gz: f1f9c483b7dc9e4769651de62277b2abaa9d6b1571cdf6f5cf2469acab557746bd344832ad8c2aaecdc654ae9082265304738ad312f8f8da216567c24595b0e5

data/CHANGELOG.md

@@ -0,0 +1 @@
+Can be found at [https://github.com/boutetnico/sensu-plugins-ssl/releases](https://github.com/boutetnico/sensu-plugins-ssl/releases).

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2015 Sensu-Plugins
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,78 @@
+## Sensu-Plugins-SSL
+
+[![Gem Version](https://badge.fury.io/rb/sensu-plugins-ssl-boutetnico.svg)](https://badge.fury.io/rb/sensu-plugins-ssl-boutetnico.svg)
+[![Sensu Bonsai Asset](https://img.shields.io/badge/Bonsai-Download%20Me-brightgreen.svg?colorB=89C967&logo=sensu)](https://bonsai.sensu.io/assets/boutetnico/sensu-plugins-ssl)
+
+## This is an unofficial fork
+
+This fork is automatically tested, built and published to [RubyGems](https://rubygems.org/gems/sensu-plugins-ssl-boutetnico/) and [Bonsai](https://bonsai.sensu.io/assets/boutetnico/sensu-plugins-ssl).
+
+## Files
+ * bin/check-java-keystore-cert.rb
+ * bin/check-ssl-anchor.rb
+ * bin/check-ssl-crl.rb
+ * bin/check-ssl-cert.rb
+ * bin/check-ssl-host.rb
+ * bin/check-ssl-hsts-preload.rb
+ * bin/check-ssl-hsts-preloadable.rb
+ * bin/check-ssl-qualys.rb
+ * bin/check-ssl-root-issuer.rb
+
+## Usage
+
+### `bin/check-ssl-anchor.rb`
+
+Check that a specific website is chained to a specific root certificate (Let's Encrypt for instance). Requires the `openssl` commandline tool to be available on the system.
+
+```
+./bin/check-ssl-anchor.rb -u example.com -a "i:/O=Digital Signature Trust Co./CN=DST Root CA X3"
+```
+
+### `bin/check-ssl-crl.rb`
+
+Checks a CRL has not or is not expiring by inspecting it's next update value.
+
+You can check against a CRL file on disk:
+
+```
+./bin/check-ssl-crl -c 300 -w 600 -u /path/to/crl
+```
+
+or an online CRL:
+
+```
+./bin/check-ssl-crl -c 300 -w 600 -u http://www.website.com/file.crl
+```
+
+Critical and Warning thresholds are specified in minutes.
+
+### `bin/check-ssl-qualys.rb`
+
+Checks the ssllabs qualysis api for grade of your server, this check can be quite long so it should not be scheduled with a low interval and will probably need to adjust the check `timeout` options per the [check attributes spec](https://docs.sensu.io/sensu-core/1.2/reference/checks/#check-attributes) based on my tests you should expect this to take around 3 minutes.
+```
+./bin/check-ssl-qualys.rb -d google.com
+```
+
+### `bin/check-ssl-root-issuer.rb`
+
+Check that a specific website is chained to a specific root certificate issuer. This is a pure Ruby implementation, does not require the openssl cmdline client tool to be installed.
+
+```
+./bin/check-ssl-root-issuer.rb -u example.com -a "CN=DST Root CA X3,O=Digital Signature Trust Co."
+```
+
+## Installation
+
+[Installation and Setup](http://sensu-plugins.io/docs/installation_instructions.html)
+
+## Testing
+
+To run the testing suite, you'll need to have a working `ruby` environment, `gem`, and `bundler` installed. We use `rake` to run the `rspec` tests automatically.
+
+    bundle install
+    bundle update
+    bundle exec rake
+
+## Notes
+
+`bin/check-ssl-anchor.rb` and `bin/check-ssl-host.rb` would be good to run in combination with each other to test that the chain is anchored to a specific certificate and each certificate in the chain is correctly signed.

data/bin/check-java-keystore-cert.rb

@@ -0,0 +1,88 @@
+#!/usr/bin/env ruby
+#
+#   check-java-keystore-cert
+#
+# DESCRIPTION:
+#   Check when a certificate stored in a Java Keystore will expire
+#
+# OUTPUT:
+#   plain text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#
+# USAGE:
+#   example commands
+#
+# NOTES:
+#   Does it behave differently on specific platforms, specific use cases, etc
+#
+
+require 'date'
+require 'shellwords'
+require 'sensu-plugin/check/cli'
+
+class CheckJavaKeystoreCert < Sensu::Plugin::Check::CLI
+  option :path,
+         long: '--path PATH',
+         description: '',
+         required: true
+
+  option :alias,
+         long: '--alias ALIAS',
+         description: '',
+         required: true
+
+  option :password,
+         long: '--password PASSWORD',
+         description: '',
+         required: true
+
+  option :warning,
+         long: '--warning DAYS',
+         description: '',
+         proc: proc { |v| v.to_i },
+         required: true
+
+  option :critical,
+         long: '--critical DAYS',
+         description: '',
+         proc: proc { |v| v.to_i },
+         required: true
+
+  def certificate_expiration_date
+    result = `keytool -keystore #{Shellwords.escape(config[:path])} \
+                      -export -alias #{Shellwords.escape(config[:alias])} \
+                      -storepass #{Shellwords.escape(config[:password])} -rfc 2>&1 | \
+              openssl x509 -enddate -noout 2>&1`
+
+    # rubocop:disable Style/SpecialGlobalVars
+    unknown 'could not get certificate from keystore' unless $?.success?
+    # rubocop:enable Style/SpecialGlobalVars
+
+    Date.parse(result.split('=').last)
+  end
+
+  def validate_opts
+    unknown 'warning cannot be less than critical' if config[:warning] < config[:critical]
+  end
+
+  def run
+    validate_opts
+
+    days_until = (certificate_expiration_date - Date.today).to_i
+
+    if days_until.negative?
+      critical "Expired #{days_until.abs} days ago"
+    elsif days_until < config[:critical]
+      critical "#{days_until} days left"
+    elsif days_until < config[:warning]
+      warning "#{days_until} days left"
+    end
+
+    ok "#{days_until} days left"
+  end
+end

data/bin/check-ssl-anchor.rb

@@ -0,0 +1,120 @@
+#! /usr/bin/env ruby
+#
+#   check-ssl-anchor
+#
+# DESCRIPTION:
+#   Check that a certificate is chained to a specific root certificate
+#
+# OUTPUT:
+#   plain text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#
+# USAGE:
+#
+#   Check that a specific website is chained to a specific root certificate (Let's Encrypt for instance)
+#       ./check-ssl-anchor.rb \
+#           -u example.com \
+#           -a "i:/O=Digital Signature Trust Co./CN=DST Root CA X3"
+#
+# NOTES:
+#   This is basically a ruby wrapper around the following openssl command.
+#
+#       openssl s_client -connect example.com:443 -servername example.com
+#
+#
+#
+#   Use the -s flag if you need to override SNI (Server Name Indication). If you
+#   are seeing discrepencies between `openssl s_client` and browser, that's a good
+#   indication to use this flag.
+#
+# LICENSE:
+#   Copyright 2017 Phil Porada <philporada@gmail.com>
+#
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
+
+require 'sensu-plugin/check/cli'
+
+#
+# Check certificate is anchored to a specific root
+#
+class CheckSSLAnchor < Sensu::Plugin::Check::CLI
+  option :host,
+         description: 'Host to check',
+         short: '-h',
+         long: '--host HOST',
+         required: true
+
+  option :anchor,
+         description: 'An anchor looks something like /O=Digital Signature Trust Co./CN=DST Root CA X3',
+         short: '-a',
+         long: '--anchor ANCHOR_VAL',
+         required: true
+
+  option :regexp,
+         description: 'Treat the anchor as a regexp',
+         short: '-r',
+         long: '--regexp',
+         default: false,
+         boolean: true,
+         required: false
+
+  option :servername,
+         description: 'Set the TLS SNI (Server Name Indication) extension',
+         short: '-s',
+         long: '--servername SERVER'
+
+  option :port,
+         description: 'Port on server to check',
+         short: '-p',
+         long: '--port PORT',
+         default: 443
+
+  def validate_opts
+    config[:servername] = config[:host] unless config[:servername]
+  end
+
+  # Do the actual work and massage some data
+  def anchor_information
+    data = `openssl s_client \
+                -connect #{config[:host]}:#{config[:port]} \
+                -servername #{config[:servername]} < /dev/null 2>&1`.match(/Certificate chain(.*)---\nServer certificate/m)[1].split(/$/).map(&:strip)
+    data = data.reject(&:empty?)
+
+    unless data[0] =~ /0 s:\/?CN ?=.*/m
+      data = 'NOTOK'
+    end
+    data
+  end
+
+  def run
+    validate_opts
+    data = anchor_information
+    if data == 'NOTOK'
+      critical 'An error was encountered while trying to retrieve the certificate chain.'
+    end
+    puts config[:regexp]
+    # rubocop:disable Style/IfInsideElse
+    if config[:regexp]
+      anchor_regexp = Regexp.new(config[:anchor].to_s)
+      if data[-1] =~ anchor_regexp
+        ok 'Root anchor has been found.'
+      else
+        critical 'Root anchor did not match regexp /' + config[:anchor].to_s + "/\nFound \"" + data[-1] + '" instead.'
+      end
+    else
+      if data[-1] == config[:anchor].to_s
+        ok 'Root anchor has been found.'
+      else
+        critical 'Root anchor did not match string "' + config[:anchor].to_s + "\"\nFound \"" + data[-1] + '" instead.'
+      end
+    end
+    # rubocop:enable Style/IfInsideElse
+  end
+end

data/bin/check-ssl-cert.rb

@@ -0,0 +1,130 @@
+#! /usr/bin/env ruby
+#
+#   check-ssl-cert
+#
+# DESCRIPTION:
+#   Check when a SSL certificate will expire.
+#
+# OUTPUT:
+#   plain text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#
+# USAGE:
+#   example commands
+#
+# NOTES:
+#   Does it behave differently on specific platforms, specific use cases, etc
+#
+# LICENSE:
+#   Jean-Francois Theroux <me@failshell.io>
+#   Nathan Williams <nath.e.will@gmail.com>
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
+
+require 'date'
+require 'openssl'
+require 'sensu-plugin/check/cli'
+
+#
+# Check SSL Cert
+#
+class CheckSSLCert < Sensu::Plugin::Check::CLI
+  option :critical,
+         description: 'Numbers of days left',
+         short: '-c',
+         long: '--critical DAYS',
+         required: true
+
+  option :warning,
+         description: 'Numbers of days left',
+         short: '-w',
+         long: '--warning DAYS',
+         required: true
+
+  option :pem,
+         description: 'Path to PEM file',
+         short: '-P',
+         long: '--pem PEM'
+
+  option :host,
+         description: 'Host to validate',
+         short: '-h',
+         long: '--host HOST'
+
+  option :port,
+         description: 'Port to validate',
+         short: '-p',
+         long: '--port PORT'
+
+  option :servername,
+         description: 'Set the TLS SNI (Server Name Indication) extension',
+         short: '-s',
+         long: '--servername SERVER'
+
+  option :pkcs12,
+         description: 'Path to PKCS#12 certificate',
+         short: '-C',
+         long: '--cert P12'
+
+  option :pass,
+         description: 'Pass phrase for the private key in PKCS#12 certificate',
+         short: '-S',
+         long: '--pass '
+
+  def ssl_cert_expiry
+    `openssl s_client -servername #{config[:servername]} -connect #{config[:host]}:#{config[:port]} < /dev/null 2>&1 | openssl x509 -enddate -noout`.split('=').last
+  end
+
+  def ssl_pem_expiry
+    OpenSSL::X509::Certificate.new(File.read config[:pem]).not_after # rubocop:disable Style/NestedParenthesizedCalls
+  end
+
+  def ssl_pkcs12_expiry
+    `openssl pkcs12 -in #{config[:pkcs12]} -nokeys -nomacver -passin pass:"#{config[:pass]}" | openssl x509 -noout -enddate | grep -v MAC`.split('=').last
+  end
+
+  def validate_opts
+    if !config[:pem] && !config[:pkcs12]
+      unknown 'Host and port required' unless config[:host] && config[:port]
+    elsif config[:pem]
+      unknown 'No such cert' unless File.exist? config[:pem]
+    elsif config[:pkcs12]
+      if !config[:pass]
+        unknown 'No pass phrase specified for PKCS#12 certificate'
+      else
+        unknown 'No such cert' unless File.exist? config[:pkcs12]
+      end
+    end
+    config[:servername] = config[:host] unless config[:servername]
+  end
+
+  def run
+    validate_opts
+
+    expiry = if config[:pem]
+               ssl_pem_expiry
+             elsif config[:pkcs12]
+               ssl_pkcs12_expiry
+             else
+               ssl_cert_expiry
+             end
+
+    days_until = (Date.parse(expiry.to_s) - Date.today).to_i
+
+    if days_until.negative?
+      critical "Expired #{days_until.abs} days ago"
+    elsif days_until < config[:critical].to_i
+      critical "#{days_until} days left"
+    elsif days_until < config[:warning].to_i
+      warning "#{days_until} days left"
+    else
+      ok "#{days_until} days left"
+    end
+  end
+end