diff options
| author | Ben Copeland <ben.copeland@linaro.org> | 2014-03-11 12:20:15 +0000 |
|---|---|---|
| committer | Ben Copeland <ben.copeland@linaro.org> | 2014-03-11 12:20:15 +0000 |
| commit | a19836fc7cadc40f48ecf14e152b14b93e6b6fe8 (patch) | |
| tree | 71f01ef0b4fc70c0232843678f0b9a9c4ff36446 | |
init
| -rw-r--r-- | README.md | 51 | ||||
| -rw-r--r-- | crontab | 3 | ||||
| -rwxr-xr-x | scripts/gethosts.sh | 16 | ||||
| -rwxr-xr-x | scripts/sslcheck.sh | 60 | ||||
| -rwxr-xr-x | scripts/sslcheck_manual.sh | 14 | ||||
| -rw-r--r-- | zabbix_agentd.d/userparameter_sslcheck.conf | 3 | ||||
| -rw-r--r-- | zabbix_template_sslcheck.xml | 143 |
7 files changed, 290 insertions, 0 deletions
diff --git a/README.md b/README.md new file mode 100644 index 0000000..5467cfe --- /dev/null +++ b/README.md @@ -0,0 +1,51 @@ +Ben Copeland 10/01/2014 + +- Description + + - Retrieve expiry dates on SSL certificates using CLI53 and Zabbix Descovery to automatically generate alerts + + The script uses cli53 (command line route53) to get our hostnames. + Using the retrieves hostnames, openssl retrieves the certificates + from the given host and exports the results into a json file. + + This file is fed through another script to export only hostnames + to zabbix. Zabbix uses the hostname field to discover the hosts + that have ssl certicates. Using Zabbix discovery rules the hosts + and days left on the ssl certificate are import into zabbix. + +- Files explained + +- sslcheck.sh + - The scripts that uses cli53 and gets the certificate + - Runs in location /etc/zabbix/scripts/ + - Must export file ssldays.json for sslcheck.sh +- gethosts.sh + - Discovery script for zabbix. Exports hostnames in json format + - Depends on exported json file from sslcheck.sh (/etc/zabbix/scripts/ssldays.json) +- zabbix_template_sslcheck.xml + - Zabbix template file. Holds the descovery rules and triggers. + + +- Dependencies + +- CLI53 (https://github.com/barnybug/cli53) + - /etc/boto.cfg (aws_access_key and aws_secert_key) IAM user dns-editor + - pythonpip +- zabbix_template_sslcheck.xml (zabbix template, descovery rules + triggers) + - /etc/zabbix/scripts/sslcheck.sh + - /etc/zabbix/scripts/ssldays.json + - cronjob (0 0 * * * /bin/bash /etc/zabbix/scripts/sslcheck.sh linaro.org 443 > /etc/zabbix/scripts/ssldays.json) + - Script MUST run at midnight and not overlap zabbix retreving the json file, others zabbix will fail. + - /etc/zabbix/scripts/gethosts.sh + - userparameter_sslcheck.conf - parameters set on zabbix-agent for the zabbix server + + +- Limitations/Improvements + - Openssl does not support timeout. This means bash command "timeout" has to be used, which results in the bash script running slowly. + - Maybe look into using SSL3 (http://thinkinginsoftware.blogspot.co.uk/2013/01/openssl-hanging-connected00000003.html) + - zabbix CANNOT access ssldays.json when sslcheck.sh is running, since it will NOT be a complete json file + - have to login into zabbix and click every SSL certifcate and "reenable" the unsupported item. Or delete and recreate the template on the host + - crontab runs at midnight + - Look into only writing file once the list is complete + - When SSL has over 1000days zabbix reports "kdays". + - Patch to fix problem: https://support.zabbix.com/browse/ZBXNEXT-768
\ No newline at end of file @@ -0,0 +1,3 @@ +0 8 * * * /bin/bash /etc/zabbix/scripts/sslcheck.sh linaro.org 443 > /etc/zabbix/scripts/ssldays_cron.json +0 */5 * * * /bin/bash cp /etc/zabbix/scripts/ssldays_cron.json /etc/zabbix/scripts/ssldays.json +0 */5 * * * /bin/bash /usr/local/share/zabbix/externalscripts/zbx-exim-stats.sh &> /dev/null
\ No newline at end of file diff --git a/scripts/gethosts.sh b/scripts/gethosts.sh new file mode 100755 index 0000000..1891999 --- /dev/null +++ b/scripts/gethosts.sh @@ -0,0 +1,16 @@ +#!/bin/bash +echo -e "{\n\t\"data\":[" + cat /etc/zabbix/scripts/ssldays.json | grep {#HOST} | cut -f4 -d '"' | while read line + do + XHOST=`echo $line | awk '{print $1}'` + #echo -e "\t{ \"{#HOST}\":\t\"${XHOST}\" }," + + + echo "${final:+,}" + final=, + printf "\t{\n" + printf "\t\t\"{#HOST}\":\"${XHOST}\"\n" + printf "\t}\n" + + done + echo -e "\t]\n}" diff --git a/scripts/sslcheck.sh b/scripts/sslcheck.sh new file mode 100755 index 0000000..f92b76b --- /dev/null +++ b/scripts/sslcheck.sh @@ -0,0 +1,60 @@ +#!/bin/bash +################################################################################ +# Description: +# Retrieves SSL certificate from remote server and returns the remaining number +# of valid days. +# +# Usage: +# zext_ssl_cert.sh <hostname_or_IP> <port> +# +# Zabbix item: +# Type : external check +# Key : zext_ssl_cert.sh[port] +# Type of information: Numeric (float) +################################################################################ +SHELL=/bin/bash PATH=/bin:/sbin:/usr/bin:/usr/sbin +PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +domain=$1 +getport=$2 +getdomain=`cli53 export $domain | awk '{ print $1 }' | sed 's/[^a-z|0-9|.-]//g; ' | sed '/^$/d' | uniq ` +fqdn=`echo "$getdomain" | while read a; do echo $a.$domain; done` +port=`echo "$fqdn" | while read b; do echo $getport; done` +IFS=" " +set -- $fqdn +N=0 + +first=1 + + + #json header +echo -n '{ + "data":[' + + +echo $fqdn | while read LINE;do + N=$((N+1)) + #####TIMEOUT is important. Due to openssl having no timeout options, hosts can hang for a long time. + end_date=`timeout 15 openssl s_client -ssl3 -host $LINE -port $getport -showcerts </dev/null 2>/dev/null | + sed -n '/BEGIN CERTIFICATE/,/END CERT/p' | + openssl x509 -text 2>/dev/null | + sed -n 's/ *Not After : *//p'` + + if [ -n "$end_date" ] + then + end_date_seconds=`date '+%s' --date "$end_date"` + now_seconds=`date '+%s'` + days=`echo "($end_date_seconds-$now_seconds)/24/3600" | bc` + first=0 + + echo "${final:+,}" + final=, + printf "\t{\n" + printf "\t\t\"{#HOST}\":\"$LINE\",\n" + printf "\t\t\"{#DAYS}\":\"$days\"\n" + printf "\t}\n" + fi +done + + echo ' + ] + }' diff --git a/scripts/sslcheck_manual.sh b/scripts/sslcheck_manual.sh new file mode 100755 index 0000000..b50a2de --- /dev/null +++ b/scripts/sslcheck_manual.sh @@ -0,0 +1,14 @@ +#! /bin/sh +host=$1 +port=$2 +end_date=`openssl s_client -host $host -port $port -showcerts </dev/null 2>/dev/null | + sed -n '/BEGIN CERTIFICATE/,/END CERT/p' | + openssl x509 -text 2>/dev/null | + sed -n 's/ *Not After : *//p'` + +if [ -n "$end_date" ] +then + end_date_seconds=`date '+%s' --date "$end_date"` + now_seconds=`date '+%s'` + echo "($end_date_seconds-$now_seconds)/24/3600" | bc +fi diff --git a/zabbix_agentd.d/userparameter_sslcheck.conf b/zabbix_agentd.d/userparameter_sslcheck.conf new file mode 100644 index 0000000..15980a6 --- /dev/null +++ b/zabbix_agentd.d/userparameter_sslcheck.conf @@ -0,0 +1,3 @@ +UserParameter=sslmanual[*],/etc/zabbix/scripts/sslcheck_manual.sh $1 $2 +UserParameter=ssldiscover,/etc/zabbix/scripts/gethosts.sh +UserParameter=ssldays[*],cat /etc/zabbix/scripts/ssldays.json | sed -n '/\"$1\"/{n;p}' | sed 's/[^a-z|0-9|.-]//g;' diff --git a/zabbix_template_sslcheck.xml b/zabbix_template_sslcheck.xml new file mode 100644 index 0000000..8f96408 --- /dev/null +++ b/zabbix_template_sslcheck.xml @@ -0,0 +1,143 @@ +<?xml version="1.0" encoding="UTF-8"?> +<zabbix_export> + <version>2.0</version> + <date>2014-01-13T16:00:25Z</date> + <groups> + <group> + <name>Templates</name> + </group> + </groups> + <templates> + <template> + <template>Template_SSLCheck</template> + <name>Template_SSLCheck</name> + <groups> + <group> + <name>Templates</name> + </group> + </groups> + <applications> + <application> + <name>SSL certificate</name> + </application> + </applications> + <items/> + <discovery_rules> + <discovery_rule> + <name>SSL Discovery</name> + <type>0</type> + <snmp_community/> + <snmp_oid/> + <key>ssldiscover</key> + <delay>60</delay> + <status>0</status> + <allowed_hosts/> + <snmpv3_securityname/> + <snmpv3_securitylevel>0</snmpv3_securitylevel> + <snmpv3_authpassphrase/> + <snmpv3_privpassphrase/> + <delay_flex/> + <params/> + <ipmi_sensor/> + <authtype>0</authtype> + <username/> + <password/> + <publickey/> + <privatekey/> + <port/> + <filter>:</filter> + <lifetime>30</lifetime> + <description/> + <item_prototypes> + <item_prototype> + <name>{#HOST} SSL Expiry</name> + <type>0</type> + <snmp_community/> + <multiplier>0</multiplier> + <snmp_oid/> + <key>ssldays[{#HOST}]</key> + <delay>21600</delay> + <history>90</history> + <trends>365</trends> + <status>0</status> + <value_type>3</value_type> + <allowed_hosts/> + <units>!days</units> + <delta>0</delta> + <snmpv3_securityname/> + <snmpv3_securitylevel>0</snmpv3_securitylevel> + <snmpv3_authpassphrase/> + <snmpv3_privpassphrase/> + <formula>1</formula> + <delay_flex/> + <params/> + <ipmi_sensor/> + <data_type>0</data_type> + <authtype>0</authtype> + <username/> + <password/> + <publickey/> + <privatekey/> + <port/> + <description/> + <inventory_link>0</inventory_link> + <applications> + <application> + <name>SSL certificate</name> + </application> + </applications> + <valuemap/> + </item_prototype> + </item_prototypes> + <trigger_prototypes> + <trigger_prototype> + <expression>{Template_SSLCheck:ssldays[{#HOST}].last(0)}<3</expression> + <name>SSL Expiry Date on {#HOST} less than 3 days</name> + <url/> + <status>0</status> + <priority>5</priority> + <description/> + <type>0</type> + </trigger_prototype> + <trigger_prototype> + <expression>{Template_SSLCheck:ssldays[{#HOST}].last(0)}<7</expression> + <name>SSL Expiry Date on {#HOST} less than 7 days</name> + <url/> + <status>0</status> + <priority>4</priority> + <description/> + <type>0</type> + </trigger_prototype> + <trigger_prototype> + <expression>{Template_SSLCheck:ssldays[{#HOST}].last(0)}<15</expression> + <name>SSL Expiry Date on {#HOST} less than 15 days</name> + <url/> + <status>0</status> + <priority>3</priority> + <description/> + <type>0</type> + </trigger_prototype> + <trigger_prototype> + <expression>{Template_SSLCheck:ssldays[{#HOST}].last(0)}<30</expression> + <name>SSL Expiry Date on {#HOST} less than 30 days</name> + <url/> + <status>0</status> + <priority>2</priority> + <description/> + <type>0</type> + </trigger_prototype> + </trigger_prototypes> + <graph_prototypes/> + </discovery_rule> + </discovery_rules> + <macros> + <macro> + <macro>{$SSL_PORT}</macro> + <value>443</value> + </macro> + </macros> + <templates/> + <screens/> + </template> + </templates> +</zabbix_export> |