Add scripts to monitor PHPki certificates
This commit is contained in:
parent
bf3f46a436
commit
2928b5fdbe
|
@ -6,7 +6,8 @@ use esmith::Build::CreateLinks qw(:all);
|
||||||
foreach my $conf (qw!zabbix_agent.conf zabbix_agentd.conf zabbix_agentd.conf.d/asterisk.conf
|
foreach my $conf (qw!zabbix_agent.conf zabbix_agentd.conf zabbix_agentd.conf.d/asterisk.conf
|
||||||
zabbix_agentd.conf.d/deprecated_cpunum.conf zabbix_agentd.conf.d/deprecated_memory.conf
|
zabbix_agentd.conf.d/deprecated_cpunum.conf zabbix_agentd.conf.d/deprecated_memory.conf
|
||||||
zabbix_agentd.conf.d/deprecated_netstat.conf zabbix_agentd.conf.d/deprecated_swap.conf
|
zabbix_agentd.conf.d/deprecated_netstat.conf zabbix_agentd.conf.d/deprecated_swap.conf
|
||||||
zabbix_agentd.conf.d/extip.conf zabbix_agentd.conf.d/mail.conf zabbix_agentd.conf.d/mysql.conf!){
|
zabbix_agentd.conf.d/extip.conf zabbix_agentd.conf.d/mail.conf zabbix_agentd.conf.d/mysql.conf
|
||||||
|
zabbix_agentd.conf.d/phpki_certs.conf!){
|
||||||
templates2events("/etc/zabbix/$conf", qw(zabbix-agent-update bootstrap-console-save));
|
templates2events("/etc/zabbix/$conf", qw(zabbix-agent-update bootstrap-console-save));
|
||||||
}
|
}
|
||||||
templates2events("/etc/sudoers", "zabbix-agent-update");
|
templates2events("/etc/sudoers", "zabbix-agent-update");
|
||||||
|
|
|
@ -0,0 +1,23 @@
|
||||||
|
{
|
||||||
|
|
||||||
|
if (-e '/opt/phpki/phpki-store/CA/index.txt'){
|
||||||
|
$OUT .=<<'EOF';
|
||||||
|
|
||||||
|
# Discovery of certificates and their status
|
||||||
|
# Key: pki.certs.discovery
|
||||||
|
# Macro:
|
||||||
|
# - {#CRTCN} : contains the common name
|
||||||
|
# - {#CRTSERIAL} : the serial number
|
||||||
|
# - {#CRTSTATUS} : the status, as a string (valid, revoked, expired)
|
||||||
|
# Available arguments:
|
||||||
|
# --index : path to the index file
|
||||||
|
# --path : directory where certificatres are stored, certificates should be named $serial.pem (in PEM format)
|
||||||
|
|
||||||
|
UserParameter=pki.certs.discovery,/usr/bin/sudo /var/lib/zabbix/bin/disco_certs_sudo --index=/opt/phpki/phpki-store/CA/index.txt --path=/opt/phpki/phpki-store/CA/newcerts/
|
||||||
|
UserParameter=pki.certs[*],/usr/bin/sudo /var/lib/zabbix/bin/check_certs_sudo --what=$1 --cert=$2
|
||||||
|
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
$OUT .= '';
|
||||||
|
|
||||||
|
}
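Review bot: `UserParameter=pki.certs[*]` hands `$2` straight to a sudo-escalated script as `--cert`, so whatever path a Zabbix server puts in the item key is the file root opens; Zabbix's default key-parameter filter (active unless `UnsafeUserParameters=1`) rejects shell metacharacters but leaves `/` and `..` alone, so any absolute or traversing path can be named. I would make the key carry only the serial and build the path here, `UserParameter=pki.certs[*],/usr/bin/sudo /var/lib/zabbix/bin/check_certs_sudo --what=$1 --cert=/opt/phpki/phpki-store/CA/newcerts/$2.pem`, and have check_certs_sudo confine the canonical path to that directory as well, since the suffix alone does not stop `..` segments. The discovery key hard-codes `--index` and `--path`, which is the right shape for a sudo target. In the comment block `certificatres` should read `certificates`, and the trailing `$OUT .= '';` is a no-op that can be dropped.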
|
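--- /dev/null
+++ b/root/var/lib/zabbix/bin/check_certs_sudo
@@ -0,0 +1,33 @@
+#!/usr/bin/perl -w
+
+# Check a PEM certificate
+# --what: what to monitor. Only expire is supported for now, and returns the number of day before expiration
+# --cert: the path to the certificate you want to check
+
+use strict;
+use warnings;
+use Crypt::OpenSSL::X509;
+use Date::Parse;
+use Getopt::Long;
+
+my $what = 'expire';
+my $cert = '';
+
+GetOptions(
+"cert=s" => \$cert,
+"what=s" => \$what
+);
+
+die "Usage: $0 --what=status --cert=/path/to/pem/certificate\n" unless
+(-f $cert);
+
+$cert = Crypt::OpenSSL::X509->new_from_file( "$cert" );
+my $expire_in = int ((str2time($cert->notAfter())-time())/(3600*24));
+
+if ($what eq 'expire'){
+print $expire_in;
+}
+else{
+die "Only expire is supported for now";
+}
+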
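Review bot: `--cert` is accepted as any path that passes `-f` (the `die "Usage: ..." unless (-f $cert)` check), yet the script is installed under `/var/lib/zabbix/bin/` to be run through sudo, so the caller that controls the item key parameter can have root open and parse an arbitrary file; Crypt::OpenSSL::X509 will refuse non-PEM input, so the practical exposure is probably limited to existence and parse-error oracles, but the path should still be confined to the CA store. I would canonicalise and anchor it before use: `use Cwd qw(abs_path);`, `my $real = abs_path($cert) // '';` and `die "Usage: ..." unless -f $real and $real =~ m{\A/opt/phpki/phpki-store/CA/newcerts/[^/]+\.pem\z};`, then pass `$real` to `new_from_file`. Separately, the usage message advertises `--what=status` while the only accepted value is `expire`; change the text to `--what=expire`. The `-w` on the shebang duplicates `use warnings` and can go.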
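--- /dev/null
+++ b/root/var/lib/zabbix/bin/disco_certs_sudo
@@ -0,0 +1,49 @@
+#!/usr/bin/perl -w
+
+use strict;
+use warnings;
+use Crypt::OpenSSL::X509;
+use Date::Parse;
+use Getopt::Long;
+use JSON;
+
+my $index = '/opt/phpki/phpki-store/CA/index.txt';
+my $path = '/opt/phpki/phpki-store/CA/newcerts';
+
+GetOptions(
+"index=s" => \$index,
+"path=s" => \$path
+);
+
+open INDEX, "$index" or die "Couldn't open $index\n";
+
+my $json;
+
+foreach my $l (<INDEX>){
+next unless $l =~ m/^([VR])\t\d+Z\t(\d+Z)?\t(\w+)\tunknown\t.*/;
+my $status = $1;
+my $serial = $3;
+my $cert = Crypt::OpenSSL::X509->new_from_file( "$path/$serial.pem" );
+
+my $expire_in = int ((str2time($cert->notAfter())-time())/(3600*24));
+if ($status eq 'V'){
+$status = 'valid';
+}
+elsif ($expire_in lt 0){
+$status = 'expired';
+}
+else{
+$status = 'revoked';
+}
+my $subject = $cert->subject;
+$subject =~ m/.*\sCN=(.*),/;
+my $cn = $1;
+
+push @{$json->{data}}, {
+"{#CRTCN}" => $cn,
+"{#CRTSERIAL}" => $serial,
+"{#CRTSTATUS}" => $status,
+};
+}
+close INDEX;
+print to_json($json);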
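Review bot: `open INDEX, "$index" or die ...` is a two-argument open on a value taken from `--index`, so a leading `>` or a trailing `|` in the argument changes the open mode instead of naming a file, which matters for a script that runs under sudo; use the three-argument form with a lexical handle. `my $cn = $1` after `$subject =~ m/.*\sCN=(.*),/` is never guarded: when the CN is the last subject component there is no trailing comma, the match fails, and `$1` still holds the status letter captured by the `next unless` regex earlier in the same loop body, so the discovery row reports `V` or `R` as the common name (the greedy `(.*),` also swallows any later components when more than one comma follows). `$expire_in lt 0` is a string comparison where `<` is meant. Finally `$json` stays undef when the index has no `V`/`R` rows, and `to_json(undef)` either croaks or prints `null` depending on the JSON version, neither of which is valid discovery output; initialising it as `{ data => [] }` makes an empty CA return `{"data":[]}`.
```perl
open my $index_fh, '<', $index or die "Couldn't open $index\n";

my $json = { data => [] };

foreach my $l (<$index_fh>){
# … unchanged: status/serial parsing, certificate load, expiry computation …
elsif ($expire_in < 0){
# … unchanged: remaining status mapping …
my $subject = $cert->subject;
my ($cn) = $subject =~ m{(?:\A|,\s*)CN=([^,]*)};
$cn //= '';
# … unchanged: push onto $json->{data} …
}
close $index_fh;
```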