sensu-plugins-ssl 1.3.1 → 1.4.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 38aee874f86178e7ea8be52e0856bd678b05ff57
4
- data.tar.gz: a86b4dadf3d7c19effdf38dca39a8661b9780f0d
3
+ metadata.gz: 4bb08666a55b083ef5b2e8c252152420e943da99
4
+ data.tar.gz: c32e3f6fd49c1436073833748c619c571f7d0947
5
5
  SHA512:
6
- metadata.gz: cb791eaf20f5af33e4e955de621c3a4f0d77db5a276070c0a39286e33781ef935d058c002093a2b6cb602c61cb8e2e00412af91529c12f7effdeffd9161c802c
7
- data.tar.gz: a89a11c728c9967c5c5f568101948cb23d5fbd42ecd2af0347403130b18a1afd0c7bff97c54c3de48101736455aad7d50313cf059d6f5e0a9d63a538ade4e007
6
+ metadata.gz: 7999f8f52dd451240c33c68c3f8d5ed1b9c2e7fe6777b7462cde2d3aedf7f290121c2761233a48e67205929b26a1a5a25fa2dbde8b0b5e34338059bf78dca699
7
+ data.tar.gz: f1e7d24517dcae4ab6ad0098e951a9bed7ab8cdfab4b71f90db73c4c0965595bc3016161a962bc5e865a1736cffb60d45191eed9b06354bf5dbd4b6f6901e311
data/CHANGELOG.md CHANGED
@@ -1,9 +1,15 @@
1
- #Change Log
1
+ # Change Log
2
2
  This project adheres to [Semantic Versioning](http://semver.org/).
3
3
 
4
4
  This CHANGELOG follows the format listed at [Keep A Changelog](http://keepachangelog.com/)
5
5
 
6
6
  ## [Unreleased]
7
+
8
+ ## [1.4.0] - 2017-06-20
9
+ ### Added
10
+ - `check-ssl-anchor.rb`: Add check for a specific root certificate signature. (@pgporada)
11
+ - `check-ssl-anchor_spec.rb`: Tests for the `check-ssl-anchor.rb` script (@pgporada)
12
+
7
13
  ## [1.3.1] - 2017-05-30
8
14
  ### Fixed
9
15
  - `check-ssl-qualys.rb`: Fix missing `net/http` require that prevented the check from executing (@eheydrick)
@@ -72,7 +78,8 @@ This CHANGELOG follows the format listed at [Keep A Changelog](http://keepachang
72
78
  ### Added
73
79
  - initial release
74
80
 
75
- [Unreleased]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.3.1...HEAD
81
+ [Unreleased]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.4.0...HEAD
82
+ [1.4.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.3.1...1.4.0
76
83
  [1.3.1]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.3.0...1.3.1
77
84
  [1.3.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.2.0...1.3.0
78
85
  [1.2.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.1.0...1.2.0
data/README.md CHANGED
@@ -10,6 +10,7 @@
10
10
 
11
11
  ## Files
12
12
  * bin/check-java-keystore-cert.rb
13
+ * bin/check-ssl-anchor.rb
13
14
  * bin/check-ssl-crl.rb
14
15
  * bin/check-ssl-cert.rb
15
16
  * bin/check-ssl-host.rb
@@ -17,6 +18,14 @@
17
18
 
18
19
  ## Usage
19
20
 
21
+ ### `bin/check-ssl-anchor.rb`
22
+
23
+ Check that a specific website is chained to a specific root certificate (Let's Encrypt for instance).
24
+
25
+ ```
26
+ ./bin/check-ssl-anchor.rb -u example.com -a "i:/O=Digital Signature Trust Co./CN=DST Root CA X3"
27
+ ```
28
+
20
29
  ### `bin/check-ssl-crl.rb`
21
30
 
22
31
  Checks a CRL has not or is not expiring by inspecting it's next update value.
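Review bot: The usage example for `bin/check-ssl-anchor.rb` passes `-u example.com`, but the script added in this release declares the host option as `-h` / `--host HOST` with `required: true` and defines no `-u`, so the documented command does not supply the required host. Change the example to `-h example.com`. The example anchor also carries the `i:` prefix, while the script's `--anchor` description shows the value without it; because `run` does an exact comparison (`data[-1] == config[:anchor].to_s`), the README and the option description should agree on which form is expected.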
@@ -39,4 +48,14 @@ Critical and Warning thresholds are specified in minutes.
39
48
 
40
49
  [Installation and Setup](http://sensu-plugins.io/docs/installation_instructions.html)
41
50
 
51
+ ## Testing
52
+
53
+ To run the testing suite, you'll need to have a working `ruby` environment, `gem`, and `bundler` installed. We use `rake` to run the `rspec` tests automatically.
54
+
55
+ bundle install
56
+ bundle update
57
+ bundle exec rake
58
+
42
59
  ## Notes
60
+
61
+ `bin/check-ssl-anchor.rb` and `bin/check-ssl-host.rb` would be good to run in combination with each other to test that the chain is anchored to a specific certificate and each certificate in the chain is correctly signed.
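Review bot: The Notes sentence says running `check-ssl-anchor.rb` with `check-ssl-host.rb` "would be good", which understates the dependency: the anchor check in this release only compares the last line of the chain printed by `openssl s_client` against the `-a` string and does not check any signature itself. Say so explicitly here, so that nobody deploys the anchor check alone as evidence that the chain is valid.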
@@ -0,0 +1,101 @@
1
+ #! /usr/bin/env ruby
2
+ #
3
+ # check-ssl-anchor
4
+ #
5
+ # DESCRIPTION:
6
+ # Check that a certificate is chained to a specific root certificate
7
+ #
8
+ # OUTPUT:
9
+ # plain text
10
+ #
11
+ # PLATFORMS:
12
+ # Linux
13
+ #
14
+ # DEPENDENCIES:
15
+ # gem: sensu-plugin
16
+ #
17
+ # USAGE:
18
+ #
19
+ # Check that a specific website is chained to a specific root certificate (Let's Encrypt for instance)
20
+ # ./check-ssl-anchor.rb \
21
+ # -u example.com \
22
+ # -a "i:/O=Digital Signature Trust Co./CN=DST Root CA X3"
23
+ #
24
+ # NOTES:
25
+ # This is basically a ruby wrapper around the following openssl command.
26
+ #
27
+ # openssl s_client -connect example.com:443 -servername example.com
28
+ #
29
+ #
30
+ #
31
+ # Use the -s flag if you need to override SNI (Server Name Indication). If you
32
+ # are seeing discrepencies between `openssl s_client` and browser, that's a good
33
+ # indication to use this flag.
34
+ #
35
+ # LICENSE:
36
+ # Copyright 2017 Phil Porada <philporada@gmail.com>
37
+ #
38
+ # Released under the same terms as Sensu (the MIT license); see LICENSE
39
+ # for details.
40
+ #
41
+
42
+ require 'sensu-plugin/check/cli'
43
+
44
+ #
45
+ # Check certificate is anchored to a specific root
46
+ #
47
+ class CheckSSLAnchor < Sensu::Plugin::Check::CLI
48
+ option :host,
49
+ description: 'Host to check',
50
+ short: '-h',
51
+ long: '--host HOST',
52
+ required: true
53
+
54
+ option :anchor,
55
+ description: 'An anchor looks something like /O=Digital Signature Trust Co./CN=DST Root CA X3',
56
+ short: '-a',
57
+ long: '--anchor ANCHOR_VAL',
58
+ required: true
59
+
60
+ option :servername,
61
+ description: 'Set the TLS SNI (Server Name Indication) extension',
62
+ short: '-s',
63
+ long: '--servername SERVER'
64
+
65
+ option :port,
66
+ description: 'Port on server to check',
67
+ short: '-p',
68
+ long: '--port PORT',
69
+ default: 443
70
+
71
+ def validate_opts
72
+ config[:servername] = config[:host] unless config[:servername]
73
+ end
74
+
75
+ # Do the actual work and massage some data
76
+ def anchor_information
77
+ data = `openssl s_client \
78
+ -connect #{config[:host]}:#{config[:port]} \
79
+ -servername #{config[:servername]} < /dev/null 2>&1`.match(/Certificate chain(.*)---\nServer certificate/m)[1].split(/$/).map(&:strip)
80
+ data = data.reject(&:empty?)
81
+
82
+ unless data[0] =~ /0 s:\/CN=.*/m
83
+ data = 'NOTOK'
84
+ end
85
+ data
86
+ end
87
+
88
+ def run
89
+ validate_opts
90
+ data = anchor_information
91
+ if data == 'NOTOK'
92
+ critical 'An error was encountered while trying to retrieve the certificate chain.'
93
+ end
94
+
95
+ if data[-1] == config[:anchor].to_s
96
+ ok 'Root anchor has been found.'
97
+ else
98
+ critical 'Root anchor did not match. Found "' + data[-1] + '" instead.'
99
+ end
100
+ end
101
+ end
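Review bot: The backtick command in `anchor_information` interpolates `config[:host]`, `config[:port]` and `config[:servername]` into a shell string without escaping, so shell metacharacters in a check's arguments are interpreted by the shell under the account that runs the check. Pass the arguments as an array, for example `Open3.capture2e('openssl', 's_client', '-connect', "#{host}:#{port}", '-servername', servername, stdin_data: '')`, or at minimum wrap each value in `Shellwords.escape`. In the same method, `.match(/Certificate chain(.*)---\nServer certificate/m)[1]` raises `NoMethodError` when the output has no chain section (connection refused, handshake failure), so the `'NOTOK'` branch in `run` never handles that case; check the match result for `nil` before indexing and return `'NOTOK'` there. The guard `data[0] =~ /0 s:\/CN=.*/m` also rejects any leaf certificate whose subject starts with an attribute other than `CN`; matching on `0 s:` alone would avoid false criticals. Finally, the USAGE comment shows `-u example.com` while the option is declared as `-h`.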
@@ -1,8 +1,8 @@
1
1
  module SensuPluginsSSL
2
2
  module Version
3
3
  MAJOR = 1
4
- MINOR = 3
5
- PATCH = 1
4
+ MINOR = 4
5
+ PATCH = 0
6
6
 
7
7
  VER_STRING = [MAJOR, MINOR, PATCH].compact.join('.')
8
8
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sensu-plugins-ssl
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.3.1
4
+ version: 1.4.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Sensu-Plugins and contributors
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-05-31 00:00:00.000000000 Z
11
+ date: 2017-06-21 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: sensu-plugin
@@ -171,6 +171,7 @@ description: |-
171
171
  email: "<sensu-users@googlegroups.com>"
172
172
  executables:
173
173
  - check-java-keystore-cert.rb
174
+ - check-ssl-anchor.rb
174
175
  - check-ssl-cert.rb
175
176
  - check-ssl-crl.rb
176
177
  - check-ssl-host.rb
@@ -182,6 +183,7 @@ files:
182
183
  - LICENSE
183
184
  - README.md
184
185
  - bin/check-java-keystore-cert.rb
186
+ - bin/check-ssl-anchor.rb
185
187
  - bin/check-ssl-cert.rb
186
188
  - bin/check-ssl-crl.rb
187
189
  - bin/check-ssl-host.rb