[nagiosplug] applied patch that adds both critical and warning ...

Nagios Plugin Development nagios-plugins at users.sourceforge.net
Mon Jun 25 13:00:49 CEST 2012


    Module: nagiosplug
    Branch: master
    Commit: fa3d2a4074e1bd8526e37ba5e1a214ae4a1774cf
    Author: William Leibzon <william at leibzon.org>
 Committer: Sven Nierlein <sven at nierlein.de>
      Date: Mon May 21 18:46:45 2012 -0700
       URL: http://nagiosplug.git.sf.net/git/gitweb.cgi?p=nagiosplug/nagiosplug;a=commit;h=fa3d2a4

applied patch that adds both critical and warning thresholds to certificate expiration checks of check_tcp, check_http, check_smtp

---

 plugins/check_http.c |   38 +++++++++++++++++++++++++++++---------
 plugins/check_smtp.c |   37 ++++++++++++++++++++++++++-----------
 plugins/check_tcp.c  |   27 +++++++++++++++++++++------
 plugins/netutils.h   |    2 +-
 plugins/sslutils.c   |   18 ++++++++++++------
 5 files changed, 89 insertions(+), 33 deletions(-)

diff --git a/plugins/check_http.c b/plugins/check_http.c
index 315848f..703e317 100644
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -58,8 +58,8 @@ enum {
 
 #ifdef HAVE_SSL
 int check_cert = FALSE;
-int days_till_exp;
 int ssl_version;
+int days_till_exp_warn, days_till_exp_crit;
 char *randbuff;
 X509 *server_cert;
 #  define my_recv(buf, len) ((use_ssl) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
@@ -178,6 +178,7 @@ process_arguments (int argc, char **argv)
 {
   int c = 1;
   char *p;
+  char *temp;
 
   enum {
     INVERT_REGEX = CHAR_MAX + 1,
@@ -282,13 +283,25 @@ process_arguments (int argc, char **argv)
       break;
     case 'C': /* Check SSL cert validity */
 #ifdef HAVE_SSL
-      if (!is_intnonneg (optarg))
-        usage2 (_("Invalid certificate expiration period"), optarg);
+      if ((temp=strchr(optarg,','))!=NULL) {
+	*temp='\0';
+	if (!is_intnonneg (temp))
+	  usage2 (_("Invalid certificate expiration period"), optarg);
+	days_till_exp_warn = atoi(optarg);
+	*temp=',';
+	temp++;
+	if (!is_intnonneg (temp))
+	  usage2 (_("Invalid certificate expiration period"), temp);
+	days_till_exp_crit = atoi (temp);
+      }
       else {
-        days_till_exp = atoi (optarg);
-        check_cert = TRUE;
+	days_till_exp_crit=0;
+        if (!is_intnonneg (optarg))
+          usage2 (_("Invalid certificate expiration period"), optarg);
+        days_till_exp_warn = atoi (optarg);
       }
-     /* Fall through to -S option */
+      check_cert = TRUE;
+      /* Fall through to -S option */
 #endif
     case 'S': /* use SSL */
 #ifndef HAVE_SSL
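Review bot: The warning threshold is not validated in the comma branch of `-C`: after `*temp='\0'`, the call `is_intnonneg (temp)` inspects the empty string at the separator, not the number at the start of `optarg`. Depending on how is_intnonneg treats an empty string, either every `-C warn,crit` value is rejected or a non-numeric warn value goes straight to `atoi`; the check should read `if (!is_intnonneg (optarg))`. The same line appears in the `-D` handling of plugins/check_smtp.c and plugins/check_tcp.c in this commit. Nothing here rejects a pair where crit is larger than warn, which, given the comparison order in np_net_ssl_check_cert, would report OK for a certificate inside the intended critical window; a guard such as `if (days_till_exp_crit > days_till_exp_warn) usage2 (_("Invalid certificate expiration period"), optarg);` after both values are parsed would catch it. process_arguments begins and ends outside this hunk.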
@@ -810,7 +823,7 @@ check_http (void)
     if (result != STATE_OK)
       return result;
     if (check_cert == TRUE) {
-      result = np_net_ssl_check_cert(days_till_exp);
+      result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);
       np_net_ssl_cleanup();
       if (sd) close(sd);
       return result;
@@ -1427,6 +1440,13 @@ print_help (void)
   printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
   printf (" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when"));
   printf (" %s\n", _("the certificate is expired."));
+
+  printf (" %s\n\n", "CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14");
+  printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,"));
+  printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
+  printf (" %s\n", _("30 days, but more than 14 days, a STATE_WARNING is returned."));
+  printf (" %s\n", _("A STATE_CRITICAL will be returned when certificate expires in less than 14 days"));
+
 #endif
 
   printf (UT_SUPPORT);
@@ -1444,6 +1464,6 @@ print_usage (void)
   printf ("       [-b proxy_auth] [-f <ok|warning|critcal|follow|sticky|stickyport>]\n");
   printf ("       [-e <expect>] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]\n");
   printf ("       [-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]\n");
-  printf ("       [-A string] [-k string] [-S <version>] [--sni] [-C <age>] [-T <content-type>]\n");
-  printf ("       [-j method]\n");
+  printf ("       [-A string] [-k string] [-S <version>] [--sni] [-C <warn_age>[,<crit_age>]]\n");
+  printf ("       [-T <content-type>] [-j method]\n");
 }
diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c
index 494bc2c..0af50e3 100644
--- a/plugins/check_smtp.c
+++ b/plugins/check_smtp.c
@@ -41,7 +41,7 @@ const char *email = "nagiosplug-devel at lists.sourceforge.net";
 
 #ifdef HAVE_SSL
 int check_cert = FALSE;
-int days_till_exp;
+int days_till_exp_warn, days_till_exp_crit;
 #  define my_recv(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
 #  define my_send(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
 #else /* ifndef HAVE_SSL */
@@ -275,7 +275,7 @@ main (int argc, char **argv)
 
 #  ifdef USE_OPENSSL
 		  if ( check_cert ) {
-		    result = np_net_ssl_check_cert(days_till_exp);
+                    result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);
 		    my_close();
 		    return result;
 		  }
@@ -454,6 +454,7 @@ int
 process_arguments (int argc, char **argv)
 {
 	int c;
+	char* temp;
 
 	int option = 0;
 	static struct option longopts[] = {
@@ -600,12 +601,26 @@ process_arguments (int argc, char **argv)
 		case 'D':
 		/* Check SSL cert validity */
 #ifdef USE_OPENSSL
-			if (!is_intnonneg (optarg))
-				usage2 ("Invalid certificate expiration period",optarg);
-				days_till_exp = atoi (optarg);
-				check_cert = TRUE;
+                        if ((temp=strchr(optarg,','))!=NULL) {
+                            *temp='\0';
+                            if (!is_intnonneg (temp))
+                               usage2 ("Invalid certificate expiration period", optarg);
+                            days_till_exp_warn = atoi(optarg);
+                            *temp=',';
+                            temp++;
+                            if (!is_intnonneg (temp))
+                                usage2 (_("Invalid certificate expiration period"), temp);
+                            days_till_exp_crit = atoi (temp);
+                        }
+                        else {
+                            days_till_exp_crit=0;
+                            if (!is_intnonneg (optarg))
+                                usage2 ("Invalid certificate expiration period", optarg);
+                            days_till_exp_warn = atoi (optarg);
+                        }
+			check_cert = TRUE;
 #else
-				usage (_("SSL support not available - install OpenSSL and recompile"));
+			usage (_("SSL support not available - install OpenSSL and recompile"));
 #endif
 			break;
 		case '4':
@@ -802,7 +817,7 @@ print_help (void)
   printf (" %s\n", "-F, --fqdn=STRING");
   printf ("    %s\n", _("FQDN used for HELO"));
 #ifdef HAVE_SSL
-  printf (" %s\n", "-D, --certificate=INTEGER");
+  printf (" %s\n", "-D, --certificate=INTEGER[,INTEGER]");
   printf ("    %s\n", _("Minimum number of days a certificate has to be valid."));
   printf (" %s\n", "-S, --starttls");
   printf ("    %s\n", _("Use STARTTLS for the connection."));
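Review bot: The `-D` help entry now advertises `INTEGER[,INTEGER]`, but the description under it still only says "Minimum number of days a certificate has to be valid", so the meaning of the second value is undocumented here. check_tcp.c gains an explanatory line in this same commit; adding the same one after the existing description keeps the two plugins consistent: `printf ("    %s\n", _("1st is #days for warning, 2nd is critical (if not specified - 0)."));`. print_help starts and ends outside this hunk.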
@@ -838,8 +853,8 @@ void
 print_usage (void)
 {
   printf ("%s\n", _("Usage:"));
-  printf ("%s -H host [-p port] [-e expect] [-C command] [-f from addr]", progname);
-  printf ("[-A authtype -U authuser -P authpass] [-w warn] [-c crit] [-t timeout]\n");
-  printf ("[-F fqdn] [-S] [-D days] [-v] [-4|-6] [-q]\n");
+  printf ("%s -H host [-p port] [-4|-6] [-e expect] [-C command] [-f from addr]", progname);
+  printf ("[-A authtype -U authuser -P authpass] [-w warn] [-c crit] [-t timeout] [-q]\n");
+  printf ("[-F fqdn] [-S] [-D warn days cert expire[,crit days cert expire]] [-v] \n");
 }
 
diff --git a/plugins/check_tcp.c b/plugins/check_tcp.c
index d3c92a4..7b0f7f8 100644
--- a/plugins/check_tcp.c
+++ b/plugins/check_tcp.c
@@ -39,7 +39,7 @@ const char *email = "nagiosplug-devel at lists.sourceforge.net";
 
 #ifdef HAVE_SSL
 static int check_cert = FALSE;
-static int days_till_exp;
+static int days_till_exp_warn, days_till_exp_crit;
 # define my_recv(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
 # define my_send(buf, len) ((flags & FLAG_SSL) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
 #else
@@ -235,7 +235,7 @@ main (int argc, char **argv)
 	if (flags & FLAG_SSL){
 		result = np_net_ssl_init(sd);
 		if (result == STATE_OK && check_cert == TRUE) {
-			result = np_net_ssl_check_cert(days_till_exp);
+			result = np_net_ssl_check_cert(days_till_exp_warn, days_till_exp_crit);
 		}
 	}
 	if(result != STATE_OK || check_cert == TRUE){
@@ -380,6 +380,7 @@ process_arguments (int argc, char **argv)
 {
 	int c;
 	int escape = 0;
+	char *temp;
 
 	int option = 0;
 	static struct option longopts[] = {
@@ -552,9 +553,22 @@ process_arguments (int argc, char **argv)
 		case 'D': /* Check SSL cert validity - days 'til certificate expiration */
 #ifdef HAVE_SSL
 #  ifdef USE_OPENSSL /* XXX */
-			if (!is_intnonneg (optarg))
+			if ((temp=strchr(optarg,','))!=NULL) {
+			    *temp='\0';
+			    if (!is_intnonneg (temp))
+                               usage2 (_("Invalid certificate expiration period"), optarg);				 days_till_exp_warn = atoi(optarg);
+			    *temp=',';
+			    temp++;
+			    if (!is_intnonneg (temp))
+				usage2 (_("Invalid certificate expiration period"), temp);
+			    days_till_exp_crit = atoi (temp);
+			}
+			else {
+			    days_till_exp_crit=0;
+			    if (!is_intnonneg (optarg))
 				usage2 (_("Invalid certificate expiration period"), optarg);
-			days_till_exp = atoi (optarg);
+			    days_till_exp_warn = atoi (optarg);
+			}
 			check_cert = TRUE;
 			flags |= FLAG_SSL;
 			break;
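Review bot: In the comma branch, `days_till_exp_warn = atoi(optarg);` sits on the same physical line as the `usage2 (...)` call that forms the body of the unbraced `if`, so it reads as conditional although it runs unconditionally. Move the assignment to its own line at the indentation of the `if`, and brace the `if` body so that the validation and the assignment cannot be confused in a later edit. This hunk also mixes tab and space indentation on adjacent lines, which helps hide the problem. process_arguments begins and ends outside this hunk.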
@@ -626,8 +640,9 @@ print_help (void)
   printf ("    %s\n", _("Seconds to wait between sending string and polling for response"));
 
 #ifdef HAVE_SSL
-	printf (" %s\n", "-D, --certificate=INTEGER");
+	printf (" %s\n", "-D, --certificate=INTEGER[,INTEGER]");
   printf ("    %s\n", _("Minimum number of days a certificate has to be valid."));
+  printf ("    %s\n", _("1st is #days for warning, 2nd is critical (if not specified - 0)."));
   printf (" %s\n", "-S, --ssl");
   printf ("    %s\n", _("Use SSL for the connection."));
 #endif
@@ -649,6 +664,6 @@ print_usage (void)
   printf ("%s -H host -p port [-w <warning time>] [-c <critical time>] [-s <send string>]\n",progname);
   printf ("[-e <expect string>] [-q <quit string>][-m <maximum bytes>] [-d <delay>]\n");
   printf ("[-t <timeout seconds>] [-r <refuse state>] [-M <mismatch state>] [-v] [-4|-6] [-j]\n");
-  printf ("[-D <days to cert expiry>] [-S <use SSL>] [-E]\n");
+  printf ("[-D <warn days cert expire>[,<crit days cert expire>]] [-S <use SSL>] [-E]\n");
 }
 
diff --git a/plugins/netutils.h b/plugins/netutils.h
index 572a3ae..21017f1 100644
--- a/plugins/netutils.h
+++ b/plugins/netutils.h
@@ -103,7 +103,7 @@ int np_net_ssl_init_with_hostname(int sd, char *host_name);
 void np_net_ssl_cleanup();
 int np_net_ssl_write(const void *buf, int num);
 int np_net_ssl_read(void *buf, int num);
-int np_net_ssl_check_cert(int days_till_exp);
+int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit);
 #endif /* HAVE_SSL */
 
 #endif /* _NETUTILS_H_ */
diff --git a/plugins/sslutils.c b/plugins/sslutils.c
index 5425bb2..fe31b56 100644
--- a/plugins/sslutils.c
+++ b/plugins/sslutils.c
@@ -126,7 +126,7 @@ int np_net_ssl_read(void *buf, int num) {
 	return SSL_read(s, buf, num);
 }
 
-int np_net_ssl_check_cert(int days_till_exp) {
+int np_net_ssl_check_cert(int days_till_exp_warn, int days_till_exp_crit){
 #  ifdef USE_OPENSSL
 	X509 *certificate=NULL;
 	X509_NAME *subj=NULL;
@@ -202,15 +202,21 @@ int np_net_ssl_check_cert(int days_till_exp) {
 		 stamp.tm_mon + 1,
 		 stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min);
 
-	if (days_left > 0 && days_left <= days_till_exp) {
-		printf(_("WARNING - Certificate '%s' expires in %d day(s) (%s).\n"), cn, days_left, timestamp);
-		status=STATE_WARNING;
+	if (days_left > 0 && days_left <= days_till_exp_warn) {
+		printf (_("%s - Certificate '%s' expires in %d day(s) (%s).\n"), (days_left>days_till_exp_crit)?"CRITICAL":"WARNING", cn, days_left, timestamp);
+		if (days_left > days_till_exp_crit)
+			return STATE_WARNING;
+		else
+			return STATE_CRITICAL;
 	} else if (time_left < 0) {
 		printf(_("CRITICAL - Certificate '%s' expired on %s.\n"), cn, timestamp);
 		status=STATE_CRITICAL;
 	} else if (days_left == 0) {
-		printf(_("WARNING - Certificate '%s' expires today (%s).\n"), cn, timestamp);
-		status=STATE_WARNING;
+		printf (_("%s - Certificate '%s' expires today (%s).\n"), (days_left>days_till_exp_crit)?"CRITICAL":"WARNING", cn, timestamp);
+		if (days_left > days_till_exp_crit)
+			return STATE_WARNING;
+		else
+			return STATE_CRITICAL;
 	} else {
 		printf(_("OK - Certificate '%s' will expire on %s.\n"), cn, timestamp);
 		status=STATE_OK;
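Review bot: The status word printed by both new `printf` calls is the opposite of the state returned. `(days_left>days_till_exp_crit)?"CRITICAL":"WARNING"` prints CRITICAL exactly when the following `if` returns STATE_WARNING, and WARNING when it returns STATE_CRITICAL, so the plugin output would contradict the exit state that Nagios acts on. The operands should be swapped to `(days_left>days_till_exp_crit)?"WARNING":"CRITICAL"`. In the `days_left == 0` branch the comparison cannot be true for a non-negative crit value, so that branch is always critical and could say so directly. The new early `return` statements replace the `status=` assignments used by the other branches, so whatever follows the if/else chain outside this hunk (presumably certificate cleanup) is skipped on these paths; setting `status=STATE_WARNING;` / `status=STATE_CRITICAL;` instead would keep a single exit path.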




