sensu-plugins-ssl 1.3.1 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 38aee874f86178e7ea8be52e0856bd678b05ff57
4
- data.tar.gz: a86b4dadf3d7c19effdf38dca39a8661b9780f0d
3
+ metadata.gz: 4bb08666a55b083ef5b2e8c252152420e943da99
4
+ data.tar.gz: c32e3f6fd49c1436073833748c619c571f7d0947
5
5
  SHA512:
6
- metadata.gz: cb791eaf20f5af33e4e955de621c3a4f0d77db5a276070c0a39286e33781ef935d058c002093a2b6cb602c61cb8e2e00412af91529c12f7effdeffd9161c802c
7
- data.tar.gz: a89a11c728c9967c5c5f568101948cb23d5fbd42ecd2af0347403130b18a1afd0c7bff97c54c3de48101736455aad7d50313cf059d6f5e0a9d63a538ade4e007
6
+ metadata.gz: 7999f8f52dd451240c33c68c3f8d5ed1b9c2e7fe6777b7462cde2d3aedf7f290121c2761233a48e67205929b26a1a5a25fa2dbde8b0b5e34338059bf78dca699
7
+ data.tar.gz: f1e7d24517dcae4ab6ad0098e951a9bed7ab8cdfab4b71f90db73c4c0965595bc3016161a962bc5e865a1736cffb60d45191eed9b06354bf5dbd4b6f6901e311
data/CHANGELOG.md CHANGED
@@ -1,9 +1,15 @@
1
- #Change Log
1
+ # Change Log
2
2
  This project adheres to [Semantic Versioning](http://semver.org/).
3
3
 
4
4
  This CHANGELOG follows the format listed at [Keep A Changelog](http://keepachangelog.com/)
5
5
 
6
6
  ## [Unreleased]
7
+
8
+ ## [1.4.0] - 2017-06-20
9
+ ### Added
10
+ - `check-ssl-anchor.rb`: Add check for a specific root certificate signature. (@pgporada)
11
+ - `check-ssl-anchor_spec.rb`: Tests for the `check-ssl-anchor.rb` script (@pgporada)
12
+
7
13
  ## [1.3.1] - 2017-05-30
8
14
  ### Fixed
9
15
  - `check-ssl-qualys.rb`: Fix missing `net/http` require that prevented the check from executing (@eheydrick)
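Review bot: The 1.4.0 "Added" entry describes a check for a specific root certificate "signature", but `check-ssl-anchor.rb` as added in this release compares the last line of the `openssl s_client` chain output to the `--anchor` string. That is an issuer name match on whatever chain the server presents, not a signature verification. Reword the entry (for example, "check that the last issuer name in the presented chain matches a given anchor") so operators do not read more assurance into the result than the script provides.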
@@ -72,7 +78,8 @@ This CHANGELOG follows the format listed at [Keep A Changelog](http://keepachang
72
78
  ### Added
73
79
  - initial release
74
80
 
75
- [Unreleased]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.3.1...HEAD
81
+ [Unreleased]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.4.0...HEAD
82
+ [1.4.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.3.1...1.4.0
76
83
  [1.3.1]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.3.0...1.3.1
77
84
  [1.3.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.2.0...1.3.0
78
85
  [1.2.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.1.0...1.2.0
data/README.md CHANGED
@@ -10,6 +10,7 @@
10
10
 
11
11
  ## Files
12
12
  * bin/check-java-keystore-cert.rb
13
+ * bin/check-ssl-anchor.rb
13
14
  * bin/check-ssl-crl.rb
14
15
  * bin/check-ssl-cert.rb
15
16
  * bin/check-ssl-host.rb
@@ -17,6 +18,14 @@
17
18
 
18
19
  ## Usage
19
20
 
21
+ ### `bin/check-ssl-anchor.rb`
22
+
23
+ Check that a specific website is chained to a specific root certificate (Let's Encrypt for instance).
24
+
25
+ ```
26
+ ./bin/check-ssl-anchor.rb -u example.com -a "i:/O=Digital Signature Trust Co./CN=DST Root CA X3"
27
+ ```
28
+
20
29
  ### `bin/check-ssl-crl.rb`
21
30
 
22
31
  Checks a CRL has not or is not expiring by inspecting it's next update value.
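Review bot: The usage example for `bin/check-ssl-anchor.rb` passes `-u example.com`, but the script added in this release declares the host option as `-h` / `--host HOST` and defines no `-u`, so the documented command does not match the declared options. The example anchor also carries the `i:` prefix while the `--anchor` option description shows `/O=Digital Signature Trust Co./CN=DST Root CA X3` without it. Since `run` compares `data[-1]` to the anchor with `==` and the chain lines keep their `s:`/`i:` prefixes, the README form is the one that can match; align the option description with it and say so explicitly here.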
@@ -39,4 +48,14 @@ Critical and Warning thresholds are specified in minutes.
39
48
 
40
49
  [Installation and Setup](http://sensu-plugins.io/docs/installation_instructions.html)
41
50
 
51
+ ## Testing
52
+
53
+ To run the testing suite, you'll need to have a working `ruby` environment, `gem`, and `bundler` installed. We use `rake` to run the `rspec` tests automatically.
54
+
55
+ bundle install
56
+ bundle update
57
+ bundle exec rake
58
+
42
59
  ## Notes
60
+
61
+ `bin/check-ssl-anchor.rb` and `bin/check-ssl-host.rb` would be good to run in combination with each other to test that the chain is anchored to a specific certificate and each certificate in the chain is correctly signed.
@@ -0,0 +1,101 @@
1
+ #! /usr/bin/env ruby
2
+ #
3
+ # check-ssl-anchor
4
+ #
5
+ # DESCRIPTION:
6
+ # Check that a certificate is chained to a specific root certificate
7
+ #
8
+ # OUTPUT:
9
+ # plain text
10
+ #
11
+ # PLATFORMS:
12
+ # Linux
13
+ #
14
+ # DEPENDENCIES:
15
+ # gem: sensu-plugin
16
+ #
17
+ # USAGE:
18
+ #
19
+ # Check that a specific website is chained to a specific root certificate (Let's Encrypt for instance)
20
+ # ./check-ssl-anchor.rb \
21
+ # -u example.com \
22
+ # -a "i:/O=Digital Signature Trust Co./CN=DST Root CA X3"
23
+ #
24
+ # NOTES:
25
+ # This is basically a ruby wrapper around the following openssl command.
26
+ #
27
+ # openssl s_client -connect example.com:443 -servername example.com
28
+ #
29
+ #
30
+ #
31
+ # Use the -s flag if you need to override SNI (Server Name Indication). If you
32
+ # are seeing discrepencies between `openssl s_client` and browser, that's a good
33
+ # indication to use this flag.
34
+ #
35
+ # LICENSE:
36
+ # Copyright 2017 Phil Porada <philporada@gmail.com>
37
+ #
38
+ # Released under the same terms as Sensu (the MIT license); see LICENSE
39
+ # for details.
40
+ #
41
+
42
+ require 'sensu-plugin/check/cli'
43
+
44
+ #
45
+ # Check certificate is anchored to a specific root
46
+ #
47
+ class CheckSSLAnchor < Sensu::Plugin::Check::CLI
48
+ option :host,
49
+ description: 'Host to check',
50
+ short: '-h',
51
+ long: '--host HOST',
52
+ required: true
53
+
54
+ option :anchor,
55
+ description: 'An anchor looks something like /O=Digital Signature Trust Co./CN=DST Root CA X3',
56
+ short: '-a',
57
+ long: '--anchor ANCHOR_VAL',
58
+ required: true
59
+
60
+ option :servername,
61
+ description: 'Set the TLS SNI (Server Name Indication) extension',
62
+ short: '-s',
63
+ long: '--servername SERVER'
64
+
65
+ option :port,
66
+ description: 'Port on server to check',
67
+ short: '-p',
68
+ long: '--port PORT',
69
+ default: 443
70
+
71
+ def validate_opts
72
+ config[:servername] = config[:host] unless config[:servername]
73
+ end
74
+
75
+ # Do the actual work and massage some data
76
+ def anchor_information
77
+ data = `openssl s_client \
78
+ -connect #{config[:host]}:#{config[:port]} \
79
+ -servername #{config[:servername]} < /dev/null 2>&1`.match(/Certificate chain(.*)---\nServer certificate/m)[1].split(/$/).map(&:strip)
80
+ data = data.reject(&:empty?)
81
+
82
+ unless data[0] =~ /0 s:\/CN=.*/m
83
+ data = 'NOTOK'
84
+ end
85
+ data
86
+ end
87
+
88
+ def run
89
+ validate_opts
90
+ data = anchor_information
91
+ if data == 'NOTOK'
92
+ critical 'An error was encountered while trying to retrieve the certificate chain.'
93
+ end
94
+
95
+ if data[-1] == config[:anchor].to_s
96
+ ok 'Root anchor has been found.'
97
+ else
98
+ critical 'Root anchor did not match. Found "' + data[-1] + '" instead.'
99
+ end
100
+ end
101
+ end
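Review bot: In `anchor_information`, `config[:host]`, `config[:port]` and `config[:servername]` are interpolated unescaped into a backtick shell command, so shell metacharacters in any of those option values are interpreted by the shell. Escape each value with `Shellwords.escape`, or run openssl through an argument-array call such as `Open3.capture2e` so no shell is involved. In the same method, `.match(...)[1]` is applied directly to the command output: when there is no "Certificate chain" section (connection refused, timeout, handshake failure), `match` returns nil and the check aborts with NoMethodError before the `'NOTOK'` branch in `run` can report critical, so guard the match result before indexing. The header comment's USAGE block also repeats the `-u` flag, which the class does not define; it should read `-h`.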
@@ -1,8 +1,8 @@
1
1
  module SensuPluginsSSL
2
2
  module Version
3
3
  MAJOR = 1
4
- MINOR = 3
5
- PATCH = 1
4
+ MINOR = 4
5
+ PATCH = 0
6
6
 
7
7
  VER_STRING = [MAJOR, MINOR, PATCH].compact.join('.')
8
8
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sensu-plugins-ssl
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.3.1
4
+ version: 1.4.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Sensu-Plugins and contributors
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-05-31 00:00:00.000000000 Z
11
+ date: 2017-06-21 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: sensu-plugin
@@ -171,6 +171,7 @@ description: |-
171
171
  email: "<sensu-users@googlegroups.com>"
172
172
  executables:
173
173
  - check-java-keystore-cert.rb
174
+ - check-ssl-anchor.rb
174
175
  - check-ssl-cert.rb
175
176
  - check-ssl-crl.rb
176
177
  - check-ssl-host.rb
@@ -182,6 +183,7 @@ files:
182
183
  - LICENSE
183
184
  - README.md
184
185
  - bin/check-java-keystore-cert.rb
186
+ - bin/check-ssl-anchor.rb
185
187
  - bin/check-ssl-cert.rb
186
188
  - bin/check-ssl-crl.rb
187
189
  - bin/check-ssl-host.rb