sensu-plugins-ssl 1.3.1 → 1.4.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +9 -2
- data/README.md +19 -0
- data/bin/check-ssl-anchor.rb +101 -0
- data/lib/sensu-plugins-ssl/version.rb +2 -2
- metadata +4 -2
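--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 4bb08666a55b083ef5b2e8c252152420e943da99
+data.tar.gz: c32e3f6fd49c1436073833748c619c571f7d0947
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7999f8f52dd451240c33c68c3f8d5ed1b9c2e7fe6777b7462cde2d3aedf7f290121c2761233a48e67205929b26a1a5a25fa2dbde8b0b5e34338059bf78dca699
+data.tar.gz: f1e7d24517dcae4ab6ad0098e951a9bed7ab8cdfab4b71f90db73c4c0965595bc3016161a962bc5e865a1736cffb60d45191eed9b06354bf5dbd4b6f6901e311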
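--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,9 +1,15 @@
-#Change Log
+# Change Log
 This project adheres to [Semantic Versioning](http://semver.org/).
 
 This CHANGELOG follows the format listed at [Keep A Changelog](http://keepachangelog.com/)
 
 ## [Unreleased]
+
+## [1.4.0] - 2017-06-20
+### Added
+- `check-ssl-anchor.rb`: Add check for a specific root certificate signature. (@pgporada)
+- `check-ssl-anchor_spec.rb`: Tests for the `check-ssl-anchor.rb` script (@pgporada)
+
 ## [1.3.1] - 2017-05-30
 ### Fixed
 - `check-ssl-qualys.rb`: Fix missing `net/http` require that prevented the check from executing (@eheydrick)
@@ -72,7 +78,8 @@ This CHANGELOG follows the format listed at [Keep A Changelog](http://keepachang
 ### Added
 - initial release
 
-[Unreleased]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.
+[Unreleased]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.4.0...HEAD
+[1.4.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.3.1...1.4.0
 [1.3.1]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.3.0...1.3.1
 [1.3.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.2.0...1.3.0
 [1.2.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.1.0...1.2.0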
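--- a/data/README.md
+++ b/data/README.md
@@ -10,6 +10,7 @@
 
 ## Files
 * bin/check-java-keystore-cert.rb
+* bin/check-ssl-anchor.rb
 * bin/check-ssl-crl.rb
 * bin/check-ssl-cert.rb
 * bin/check-ssl-host.rb
@@ -17,6 +18,14 @@
 
 ## Usage
 
+### `bin/check-ssl-anchor.rb`
+
+Check that a specific website is chained to a specific root certificate (Let's Encrypt for instance).
+
+```
+./bin/check-ssl-anchor.rb -u example.com -a "i:/O=Digital Signature Trust Co./CN=DST Root CA X3"
+```
+
 ### `bin/check-ssl-crl.rb`
 
 Checks a CRL has not or is not expiring by inspecting it's next update value.
@@ -39,4 +48,14 @@ Critical and Warning thresholds are specified in minutes.
 
 [Installation and Setup](http://sensu-plugins.io/docs/installation_instructions.html)
 
+## Testing
+
+To run the testing suite, you'll need to have a working `ruby` environment, `gem`, and `bundler` installed. We use `rake` to run the `rspec` tests automatically.
+
+bundle install
+bundle update
+bundle exec rake
+
 ## Notes
+
+`bin/check-ssl-anchor.rb` and `bin/check-ssl-host.rb` would be good to run in combination with each other to test that the chain is anchored to a specific certificate and each certificate in the chain is correctly signed.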
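--- a/data/bin/check-ssl-anchor.rb
+++ b/data/bin/check-ssl-anchor.rb
@@ -0,0 +1,101 @@
+#! /usr/bin/env ruby
+#
+# check-ssl-anchor
+#
+# DESCRIPTION:
+# Check that a certificate is chained to a specific root certificate
+#
+# OUTPUT:
+# plain text
+#
+# PLATFORMS:
+# Linux
+#
+# DEPENDENCIES:
+# gem: sensu-plugin
+#
+# USAGE:
+#
+# Check that a specific website is chained to a specific root certificate (Let's Encrypt for instance)
+# ./check-ssl-anchor.rb \
+# -u example.com \
+# -a "i:/O=Digital Signature Trust Co./CN=DST Root CA X3"
+#
+# NOTES:
+# This is basically a ruby wrapper around the following openssl command.
+#
+# openssl s_client -connect example.com:443 -servername example.com
+#
+#
+#
+# Use the -s flag if you need to override SNI (Server Name Indication). If you
+# are seeing discrepencies between `openssl s_client` and browser, that's a good
+# indication to use this flag.
+#
+# LICENSE:
+# Copyright 2017 Phil Porada <philporada@gmail.com>
+#
+# Released under the same terms as Sensu (the MIT license); see LICENSE
+# for details.
+#
+
+require 'sensu-plugin/check/cli'
+
+#
+# Check certificate is anchored to a specific root
+#
+class CheckSSLAnchor < Sensu::Plugin::Check::CLI
+option :host,
+description: 'Host to check',
+short: '-h',
+long: '--host HOST',
+required: true
+
+option :anchor,
+description: 'An anchor looks something like /O=Digital Signature Trust Co./CN=DST Root CA X3',
+short: '-a',
+long: '--anchor ANCHOR_VAL',
+required: true
+
+option :servername,
+description: 'Set the TLS SNI (Server Name Indication) extension',
+short: '-s',
+long: '--servername SERVER'
+
+option :port,
+description: 'Port on server to check',
+short: '-p',
+long: '--port PORT',
+default: 443
+
+def validate_opts
+config[:servername] = config[:host] unless config[:servername]
+end
+
+# Do the actual work and massage some data
+def anchor_information
+data = `openssl s_client \
+-connect #{config[:host]}:#{config[:port]} \
+-servername #{config[:servername]} < /dev/null 2>&1`.match(/Certificate chain(.*)---\nServer certificate/m)[1].split(/$/).map(&:strip)
+data = data.reject(&:empty?)
+
+unless data[0] =~ /0 s:\/CN=.*/m
+data = 'NOTOK'
+end
+data
+end
+
+def run
+validate_opts
+data = anchor_information
+if data == 'NOTOK'
+critical 'An error was encountered while trying to retrieve the certificate chain.'
+end
+
+if data[-1] == config[:anchor].to_s
+ok 'Root anchor has been found.'
+else
+critical 'Root anchor did not match. Found "' + data[-1] + '" instead.'
+end
+end
+end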
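Review bot: `anchor_information` interpolates the `--host`, `--port` and `--servername` values straight into a backtick shell command, so any shell metacharacter that reaches a check definition (for instance through templated attributes) is interpreted by the shell; run openssl through `Open3.capture2e` with an argument array instead, which needs `require 'open3'` beside the existing require. The same statement indexes `[1]` on the result of `.match(...)`, which is nil when the connection fails or no "Certificate chain" block is printed, so the check ends in a NoMethodError rather than the 'NOTOK' critical that `run` expects. The `0 s:/CN=` test that follows also reports an error for any leaf whose subject does not start with CN, and it relies on the slash-separated name format, which newer OpenSSL releases appear to print differently. Two documentation points: the header comment and README show `-u example.com` while the option is declared as `-h`/`--host`, and the `--anchor` description omits the `i:` prefix that the exact comparison with `data[-1]` requires; it is also worth stating that this compares the issuer string the server sent and is not chain verification.

```ruby
def anchor_information
  # Argument array: no shell is involved, so option values are never parsed as shell syntax.
  output, _status = Open3.capture2e(
    'openssl', 's_client',
    '-connect', "#{config[:host]}:#{config[:port]}",
    '-servername', config[:servername].to_s,
    stdin_data: ''
  )
  # String#[] with a regexp returns nil when nothing matches, so a failed
  # connection takes the NOTOK path instead of raising.
  chain = output[/Certificate chain(.*)---\nServer certificate/m, 1]
  return 'NOTOK' unless chain

  data = chain.split(/$/).map(&:strip).reject(&:empty?)
  # ... unchanged: leaf-subject check and return of data ...
end
```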
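--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sensu-plugins-ssl
 version: !ruby/object:Gem::Version
-version: 1.
+version: 1.4.0
 platform: ruby
 authors:
 - Sensu-Plugins and contributors
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-
+date: 2017-06-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: sensu-plugin
@@ -171,6 +171,7 @@ description: |-
 email: "<sensu-users@googlegroups.com>"
 executables:
 - check-java-keystore-cert.rb
+- check-ssl-anchor.rb
 - check-ssl-cert.rb
 - check-ssl-crl.rb
 - check-ssl-host.rb
@@ -182,6 +183,7 @@ files:
 - LICENSE
 - README.md
 - bin/check-java-keystore-cert.rb
+- bin/check-ssl-anchor.rb
 - bin/check-ssl-cert.rb
 - bin/check-ssl-crl.rb
 - bin/check-ssl-host.rb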