L’objectif de ce plugin pour Nagios est de superviser l’état des certificats, et leur date d’expiration en particulier (oui, je ne fais pas que du SCOM malgré un ouvrage ENI dessus!)
J’utilise l’agent nsclient++ sur les serveurs afin de pouvoir exécuter des scripts PowerShell entre autre. On a donc:
Nagios => check_nrpe => script powershell => retour nagios
Cela fonctionne également sur les serveurs Core.
Windows contient des certificats déjà expiré depuis longtemps. Le script contient une blacklist afin de les ignorer.
Configuration testée
Linux:
- Centos 6.4 x64
- Nagios 3.4.4
- check_nrpe 2.13
- Centreon 2.4.2
Windows:
- Windows Server 2003 / 2008 R2 / 2012
- nsclient++ 0.4.1 x64 et x86
- Serveurs Core et normaux
Arguments du script
- checkMyStore (oui par défaut)
- checkRootStore (oui par défaut)
- checkCAStore (oui par défaut)
- checkAuthRootStore (oui par défaut)
- checkSharePointStore (oui par défaut)
- expireInDays (60 jours par défaut)
- maxWarn (avertissement si supérieur)
- maxCrit (Critique si supérieur)
Pour chaque store, la réponse doit être un booléen ($true /$false ou 1/0)
expireInDays,maxWarn et maxCrit doivent être des entiers
Exemples d’utilisation
Exemple en exécution directe PowerShell:
PS C:Program FilesNSClient++scripts> . .lotp_check_certificates.ps1 CRITICAL: www.lotp.fr:2013/06/30 PS C:Program FilesNSClient++scripts>
Exécution NRPE:
[root~]# /usr/lib64/nagios/plugins/check_nrpe -H myserver -n -c check_certificate -a $true $true $true $true $true 60 0 0 CRITICAL: www.lotp.fr:2013/06/30 [root~]#
Installation:
Sur les Windows:
- Activer l’exécution de scripts PowerShell non signés : Set-ExecutionPolicy RemoteSigned
- copier le script dans C:Program FilesNSClient++scripts
- Ajouter dans le fichier nsclient.ini:
- [/settings/external scripts/wrapped scripts]
check_certificate=lotp_check_certificate.ps1 $ARG1$ $ARG2$ $ARG3$ $ARG4$ $ARG5$ $ARG6$ $ARG7$ $ARG8$
- [/settings/external scripts/wrapped scripts]
Configuration:
Par exemple, sur Centreon, en ajoutant la commande:
$USER1$/check_nrpe -H $HOSTADDRESS$ -n -c check_certificate -a $ARG1$ $ARG2$ $ARG3$ $ARG4$ $ARG5$ $ARG6$ $ARG7$ $ARG8$
Téléchargement
(enlever le .txt à la fin)
Code source en direct si le téléchargement ne passe pas:
# ====================================================================
# Check certificates health state
# Author: Mathieu Chateau - LOTP
# mail: mathieu.chateau@lotp.fr
# version 0.1
# ====================================================================
#
# Require Set-ExecutionPolicy RemoteSigned.. or sign this script with your PKI
#
# ============================================================
#
# Do not change anything behind that line!
#
param
(
[bool]$checkMyStore=$true,
[bool]$checkRootStore=$true,
[bool]$checkCAStore=$true,
[bool]$checkAuthRootStore=$true,
[bool]$checkSharePointStore=$true,
[int]$expireInDays=60,
[int]$maxWarn = 1,
[int]$maxError = 0
)
# blacklist all third party known expired certificates in root & co, on Windows Server 2003, 2008 & 2012
$blacklist=@(
"109F1CAED645BB78B3EA2B94C0697C740733031C",
"12519AE9CD777A560184F1FBD54215222E95E71F",
"127633A94F39CBF6EDF7C7BF64C4B535E9706E9A",
"18F7C1FCC3090203FD5BAA2F861A754976C8DD25",
"23EF3384E21F70F034C467D4CBA6EB61429F174E",
"245C97DF7514E7CF2DF8BE72AE957B9E04741E85",
"24A40A1F573643A67F0A4B0749F6A22BF28ABB6B",
"24BA6D6C8A5B5837A48DB5FAE919EA675C94D217",
"2B84BFBB34EE2EF949FE1CBE30AA026416EB2216",
"3A850044D8A195CD401A680C012CB0A3B5F8DC08",
"4463C531D7CCC1006794612BB656D3BF8257846F",
"47AFB915CDA26D82467B97FA42914468726138DD",
"4BA7B9DDD68788E12FF852E1A024204BF286A8F6",
"4D8547B7F864132A7F62D9B75B068521F10B68E3",
"4DF13947493CFF69CDE554881C5F114E97C3D03B",
"4EF2E6670AC9B5091FE06BE0E5483EAAD6BA32D9",
"4F65566336DB6598581D584A596C87934D5F2AB4",
"51C3247D60F356C7CA3BAF4C3F429DAC93EE7B74",
"53DECDF3BC1BDE7C9D1CEDAE718468CA20CC43E7",
"587B59FB52D8A683CBE1CA00E6393D7BB923BC92",
"5E997CA5945AAB75FFD14804A974BF2AE1DFE7E1",
"637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6",
"6690C02B922CBD3FF0D0A5994DBD336592887E3F",
"67EB337B684CEB0EC2B0760AB488278CDD9597DD",
"687EC17E0602E3CD3F7DFBD7E28D57A0199A3F44",
"688B6EB807E8EDA5C7B17C4393D0795F0FAE155F",
"68ED18B309CD5291C0D3357C1D1141BF883866B1",
"720FC15DDC27D456D098FABF3CDD78D31EF5A8DA",
"7613BF0BA261006CAC3ED2DDBEF343425357F18B",
"7A74410FB0CD5C972A364B71BF031D88A6510E9E",
"7AC5FFF8DCBC5583176877073BF751735E9BD358",
"7B02312BACC59EC388FEAE12FD277F6A9FB4FAC1",
"7CA04FD8064C1CAA32A37AA94375038E8DF8DDC0",
"7D7F4414CCEF168ADF6BF40753B5BECD78375931",
"7F88CD7223F3C813818C994614A89C99FA3B5247",
"838E30F77FDD14AA385ED145009C0E2236494FAA",
"8977E8569D2A633AF01D0394851681CE122683A6",
"8B24CD8D8B58C6DA72ACE097C7B1E3CEA4DC3DC6",
"9078C5A28F9A4325C2A7C73813CDFE13C20F934E",
"90DEDE9E4C4E9F6FD88617579DD391BC65A68964",
"96974CD6B663A7184526B1D648AD815CF51E801A",
"9845A431D51959CAF225322B4A4FE9F223CE6D15",
"9BACF3B664EAC5A17BED08437C72E4ACDA12F7E7",
"9FC796E8F8524F863AE1496D381242105F1B78F5",
"A1505D9843C826DD67ED4EA5209804BDBB0DF502",
"A399F76F0CBF4C9DA55E4AC24E8960984B2905B6",
"A3E31E20B2E46A328520472D0CDE9523E7260C6D",
"A5EC73D48C34FCBEF1005AEB85843524BBFAB727",
"B19DD096DCD4E3E0FD676885505A672C438D4E9C",
"B533345D06F64516403C00DA03187D3BFEF59156",
"B6AF5BE5F878A00114C3D7FEF8C775C34CCD17B6",
"B72FFF92D2CE43DE0A8D4C548C503726A81E2B93",
"CFDEFE102FDA05BBE4C78D2E4423589005B2571D",
"D29F6C98BEFC6D986521543EE8BE56CEBC288CF3",
"DBAC3C7AA4254DA1AA5CAAD68468CB88EEDDEEA8",
"E38A2B7663B86796436D8DF5898D9FAA6835B238",
"EC0C3716EA9EDFADD35DFBD55608E60A05D3CBF3",
"EF2DACCBEABB682D32CE4ABD6CB90025236C07BC",
"F5A874F3987EB0A9961A564B669A9050F770308A",
"F88015D3F98479E1DA553D24FD42BA3F43886AEF")
$output=""
$outputNames=""
$countMyStore=0
$countRootStore=0
$countCAStore=0
$countAuthRootStore=0
$countSharePointStore=0
$countTotal=0
$allCerts=Get-ChildItem -Path cert: -Recurse | ? {
($_.Notafter -lt (get-date).AddDays($expireInDays)) -and
($_.PSPParentPath -notmatch "Disallowed") -and
($blacklist -notcontains $_.Thumbprint)} | select NotAfter,FriendlyName,PSParentPath
function outputCert ($temp)
{
$outputTemp=""
foreach ($t in $temp)
{
$outputTemp+=$t.FriendlyName+":"+(get-date -Date $t.NotAfter -format "yyyy/MM/dd")+" "
}
return $outputTemp
}
# check params if provided
if($checkMyStore)
{
$temp=@($allCerts | ? {$_.PSParentPath -match "\My$"})
$countMyStore=$temp.Count
if($temp.Count -gt 0)
{
$outputNames+=outputCert $temp
}
}
if($checkRootStore)
{
$temp=@($allCerts | ? {$_.PSParentPath -match "\Root$"})
$countRootStore=$temp.Count
if($temp.Count -gt 0)
{
$outputNames+=outputCert $temp
}
}
if($checkCAStore)
{
$temp=@($allCerts | ? {$_.PSParentPath -match "\CA$"})
$countCAStore=$temp.Count
if($temp.Count -gt 0)
{
$outputNames+=outputCert $temp
}
}
if($checkAuthRootStore)
{
$temp=@($allCerts | ? {$_.PSParentPath -match "\AuthRoot$"})
$countAuthRootStore=$temp.Count
if($temp.Count -gt 0)
{
$outputNames+=outputCert $temp
}
}
if($checkSharePointStore)
{
$temp=@($allCerts | ? {$_.PSParentPath -match "\SharePoint$"})
$countSharePointStore=$temp.Count
if($temp.Count -gt 0)
{
$outputNames+=outputCert $temp
}
}
foreach ($var in (Get-Variable -Name "count*Store"))
{
$countTotal+=$($var).Value
}
if($countTotal -gt $maxError)
{
$state="CRITICAL"
$exitcode=2
}
elseif($countTotal -gt $maxWarn)
{
$state="WARNING"
$exitcode=1
}
else
{
$state="OK"
$exitcode=0
}
$output=$state+": "+$outputNames
Write-Host $output
exit $exitcode