sensu-plugins-ssl 1.3.1 → 1.4.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +9 -2
- data/README.md +19 -0
- data/bin/check-ssl-anchor.rb +101 -0
- data/lib/sensu-plugins-ssl/version.rb +2 -2
- metadata +4 -2
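--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 4bb08666a55b083ef5b2e8c252152420e943da99
+data.tar.gz: c32e3f6fd49c1436073833748c619c571f7d0947
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7999f8f52dd451240c33c68c3f8d5ed1b9c2e7fe6777b7462cde2d3aedf7f290121c2761233a48e67205929b26a1a5a25fa2dbde8b0b5e34338059bf78dca699
+data.tar.gz: f1e7d24517dcae4ab6ad0098e951a9bed7ab8cdfab4b71f90db73c4c0965595bc3016161a962bc5e865a1736cffb60d45191eed9b06354bf5dbd4b6f6901e311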
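--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,9 +1,15 @@
-#Change Log
+# Change Log
 This project adheres to [Semantic Versioning](http://semver.org/).
 
 This CHANGELOG follows the format listed at [Keep A Changelog](http://keepachangelog.com/)
 
 ## [Unreleased]
+
+## [1.4.0] - 2017-06-20
+### Added
+- `check-ssl-anchor.rb`: Add check for a specific root certificate signature. (@pgporada)
+- `check-ssl-anchor_spec.rb`: Tests for the `check-ssl-anchor.rb` script (@pgporada)
+
 ## [1.3.1] - 2017-05-30
 ### Fixed
 - `check-ssl-qualys.rb`: Fix missing `net/http` require that prevented the check from executing (@eheydrick)
@@ -72,7 +78,8 @@ This CHANGELOG follows the format listed at [Keep A Changelog](http://keepachang
 ### Added
 - initial release
 
-[Unreleased]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.
+[Unreleased]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.4.0...HEAD
+[1.4.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.3.1...1.4.0
 [1.3.1]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.3.0...1.3.1
 [1.3.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.2.0...1.3.0
 [1.2.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.1.0...1.2.0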
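--- a/data/README.md
+++ b/data/README.md
@@ -10,6 +10,7 @@
 
 ## Files
 * bin/check-java-keystore-cert.rb
+* bin/check-ssl-anchor.rb
 * bin/check-ssl-crl.rb
 * bin/check-ssl-cert.rb
 * bin/check-ssl-host.rb
@@ -17,6 +18,14 @@
 
 ## Usage
 
+### `bin/check-ssl-anchor.rb`
+
+Check that a specific website is chained to a specific root certificate (Let's Encrypt for instance).
+
+```
+./bin/check-ssl-anchor.rb -u example.com -a "i:/O=Digital Signature Trust Co./CN=DST Root CA X3"
+```
+
 ### `bin/check-ssl-crl.rb`
 
 Checks a CRL has not or is not expiring by inspecting it's next update value.
@@ -39,4 +48,14 @@ Critical and Warning thresholds are specified in minutes.
 
 [Installation and Setup](http://sensu-plugins.io/docs/installation_instructions.html)
 
+## Testing
+
+To run the testing suite, you'll need to have a working `ruby` environment, `gem`, and `bundler` installed. We use `rake` to run the `rspec` tests automatically.
+
+bundle install
+bundle update
+bundle exec rake
+
 ## Notes
+
+`bin/check-ssl-anchor.rb` and `bin/check-ssl-host.rb` would be good to run in combination with each other to test that the chain is anchored to a specific certificate and each certificate in the chain is correctly signed.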
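--- a/data/bin/check-ssl-anchor.rb
+++ b/data/bin/check-ssl-anchor.rb
@@ -0,0 +1,101 @@
+#! /usr/bin/env ruby
+#
+# check-ssl-anchor
+#
+# DESCRIPTION:
+# Check that a certificate is chained to a specific root certificate
+#
+# OUTPUT:
+# plain text
+#
+# PLATFORMS:
+# Linux
+#
+# DEPENDENCIES:
+# gem: sensu-plugin
+#
+# USAGE:
+#
+# Check that a specific website is chained to a specific root certificate (Let's Encrypt for instance)
+# ./check-ssl-anchor.rb \
+# -u example.com \
+# -a "i:/O=Digital Signature Trust Co./CN=DST Root CA X3"
+#
+# NOTES:
+# This is basically a ruby wrapper around the following openssl command.
+#
+# openssl s_client -connect example.com:443 -servername example.com
+#
+#
+#
+# Use the -s flag if you need to override SNI (Server Name Indication). If you
+# are seeing discrepencies between `openssl s_client` and browser, that's a good
+# indication to use this flag.
+#
+# LICENSE:
+# Copyright 2017 Phil Porada <philporada@gmail.com>
+#
+# Released under the same terms as Sensu (the MIT license); see LICENSE
+# for details.
+#
+
+require 'sensu-plugin/check/cli'
+
+#
+# Check certificate is anchored to a specific root
+#
+class CheckSSLAnchor < Sensu::Plugin::Check::CLI
+option :host,
+description: 'Host to check',
+short: '-h',
+long: '--host HOST',
+required: true
+
+option :anchor,
+description: 'An anchor looks something like /O=Digital Signature Trust Co./CN=DST Root CA X3',
+short: '-a',
+long: '--anchor ANCHOR_VAL',
+required: true
+
+option :servername,
+description: 'Set the TLS SNI (Server Name Indication) extension',
+short: '-s',
+long: '--servername SERVER'
+
+option :port,
+description: 'Port on server to check',
+short: '-p',
+long: '--port PORT',
+default: 443
+
+def validate_opts
+config[:servername] = config[:host] unless config[:servername]
+end
+
+# Do the actual work and massage some data
+def anchor_information
+data = `openssl s_client \
+-connect #{config[:host]}:#{config[:port]} \
+-servername #{config[:servername]} < /dev/null 2>&1`.match(/Certificate chain(.*)---\nServer certificate/m)[1].split(/$/).map(&:strip)
+data = data.reject(&:empty?)
+
+unless data[0] =~ /0 s:\/CN=.*/m
+data = 'NOTOK'
+end
+data
+end
+
+def run
+validate_opts
+data = anchor_information
+if data == 'NOTOK'
+critical 'An error was encountered while trying to retrieve the certificate chain.'
+end
+
+if data[-1] == config[:anchor].to_s
+ok 'Root anchor has been found.'
+else
+critical 'Root anchor did not match. Found "' + data[-1] + '" instead.'
+end
+end
+end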
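Review bot: `anchor_information` interpolates `config[:host]`, `config[:port]` and `config[:servername]` into a backtick command, so every option value is parsed by a shell before openssl sees it; a value containing shell metacharacters (for example one filled in from a check token or an inventory field) would run as the Sensu user. Pass an argument vector through `Open3.capture2e` instead, which needs `require 'open3'` next to the existing require and keeps the stdin and stderr handling the same. The same expression indexes `[1]` on the result of `match`, which is nil when s_client cannot connect, so a connection failure raises NoMethodError rather than reaching the 'NOTOK' branch in `run`; the rewrite below returns 'NOTOK' in that case. The usage header also shows `-u example.com` although the option is declared as `-h`/`--host`, and the comparison in `run` only matches the issuer text the server itself presents, so it does not replace chain verification.

```ruby
def anchor_information
  # Argument-vector form: no shell parses host, port or servername.
  output, = Open3.capture2e(
    'openssl', 's_client',
    '-connect', "#{config[:host]}:#{config[:port]}",
    '-servername', config[:servername].to_s,
    stdin_data: ''
  )
  chain = output.match(/Certificate chain(.*)---\nServer certificate/m)
  # No chain block in the output means the handshake did not complete.
  return 'NOTOK' unless chain

  data = chain[1].split(/$/).map(&:strip).reject(&:empty?)
  # … unchanged: leaf-subject check on data[0] and return of data …
```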
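--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sensu-plugins-ssl
 version: !ruby/object:Gem::Version
-version: 1.
+version: 1.4.0
 platform: ruby
 authors:
 - Sensu-Plugins and contributors
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-
+date: 2017-06-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: sensu-plugin
@@ -171,6 +171,7 @@ description: |-
 email: "<sensu-users@googlegroups.com>"
 executables:
 - check-java-keystore-cert.rb
+- check-ssl-anchor.rb
 - check-ssl-cert.rb
 - check-ssl-crl.rb
 - check-ssl-host.rb
@@ -182,6 +183,7 @@ files:
 - LICENSE
 - README.md
 - bin/check-java-keystore-cert.rb
+- bin/check-ssl-anchor.rb
 - bin/check-ssl-cert.rb
 - bin/check-ssl-crl.rb
 - bin/check-ssl-host.rb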