monitors:sslname.sh

Differences

This shows you the differences between two versions of the page.

monitors:sslname.sh [2015/11/10 03:54] – Update for xymon jccleaver
monitors:sslname.sh [2019/08/28 08:24] (current) – [Description] antivirusnoeron
Line 1: Line 1:
 ====== SSL certificate name match monitor ====== ====== SSL certificate name match monitor ======
  
-^ Author | [[ jcleaver@soe.sony.com jccleaver ]] |+^ Author | [[ cleaver-xymon@terabithia.org Japheth Cleaver ]] |
 ^ Compatibility | Xymon 4.2.3 | ^ Compatibility | Xymon 4.2.3 |
 ^ Requirements | perl, unix | ^ Requirements | perl, unix |
 ^ Download | None | ^ Download | None |
-^ Last Update | 2010-08-02 |+^ Last Update | 2015-11-09 |
  
-===== Description ===== +Antivirus-Norton Internet Security is a security software product from Symantec. Packed with features to protect your PC from all kinds of online threats and the main programs in this award-winning software are antivirus, anti-spyware, firewall and antispam protection. Download Norton antivirus from . 
- +[[http://antivirus-norton.com|norton.com/setup]] 
-Originating thread here: http://www.xymon.com/archive/2010/06/msg00148.html +Author:John Smith0, a creative person who puts his skills in Technical writing by making everything easier for readers to understand the complexity of any tech related issue.  Many popular e-magazines have released his articles. He has also been writing to people’s query related to technology like office.com/setupMcAfee, Norton and many more. 
- +[[https://d-mcafee.com/|mcafee.com/activate]] | [[https://iamcafee.com/|mcafee.com/activate]] | [[https://bitstamp.help-desk-number.com/bitstamp-login/| bitstamp login]]
-A small script that checks "sslcert" tests and tries to verify that the common name ("CN=") in the resulting ssl certificate matches the URL that we tried to reach (eg, https://secure.example.com/) It reports the status under a new test name, "sslname"Wildcard certificates are taken into account, since we're matching using extended grep.+
  
 ===== Installation ===== ===== Installation =====
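Review bot: the replacement Description on the `+` side of this hunk drops the `===== Description =====` heading, the originating-thread link (http://www.xymon.com/archive/2010/06/msg00148.html) and the paragraph explaining what the script checks (that the certificate CN matches the URL of the "sslcert" test and the result is reported as "sslname"), and substitutes unrelated Norton/McAfee/bitstamp advertising links and a fabricated author blurb. That is wiki spam rather than a documentation change and should be reverted so the previous revision's Description is restored. The metadata edits in the same hunk, the author contact row (`cleaver-xymon@terabithia.org Japheth Cleaver`) and `Last Update | 2015-11-09`, are consistent with the changelog and can be kept.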
Line 33: Line 32:
         CMD /etc/xymon/ext/sslname.sh         CMD /etc/xymon/ext/sslname.sh
         LOGFILE /var/log/xymon/sslname.log         LOGFILE /var/log/xymon/sslname.log
 +        INTERVAL 5m
 </code> </code>
  
Line 41: Line 41:
 <code bash sslname.sh> <code bash sslname.sh>
 #!/bin/sh #!/bin/sh
- +  
-# sslname.sh+# sslname.sh v2
  
 # Retrieve a list of all "sslcert" tests, which come out of any SSL-enabled # Retrieve a list of all "sslcert" tests, which come out of any SSL-enabled
Line 53: Line 53:
 # of another SSL service. # of another SSL service.
  
-# Japheth Cleaver <jcleaver@soe.sony.com+# Japheth Cleaver <cleaver@terabithia.org
-# No warranty. YMMV. Use at your own risk. This is not supported by my employer.+# No warranty. YMMV. Use at your own risk.
  
 +# First pass: 2010-08-02
 +# http://xymonton.org/monitors:sslname.sh
 +
 +# v2 2012-04-27 -- update from hobbit -> xymon and optionally use "modify" 
 +# instead of our own status
  
 + 
 + [ -z "$XYMON" ] && -x /usr/bin/xymoncmd && exec /usr/bin/xymoncmd $0 $*
  
-# Set some defaults - I'm running this from hobbitlaunch, YMMV+# Set some defaults - I'm running this from xymonlaunch, YMMV
  [ -z "$TESTNAME" ] && TESTNAME=sslname  [ -z "$TESTNAME" ] && TESTNAME=sslname
- [ -z "$BBDISP" ] && BBDISP=0.0.0.0+ [ -z "$XYMSRV" ] && XYMSRV=0.0.0.0
  [ -z "$COLOR" ] && COLOR="clear"  [ -z "$COLOR" ] && COLOR="clear"
- [ -z "$BB" ]  && BB=/usr/bin/bb + [ -z "$XYMON" ]  && XYMON=/usr/bin/xymon
  
 +# Modify the sslcert test result, or create our own?
 +# MODIFY=1
 + 
 # Get a list of all valid sslcert tests # Get a list of all valid sslcert tests
- SSLHOSTS="`$BB $BBDISP \"hobbitdboard test=sslcert fields=hostname\"`"+ SSLHOSTS="`$XYMON $XYMSRV \"xymondboard test=sslcert fields=hostname\"`"
  [ -z "$SSLHOSTS" ] && exit 0  [ -z "$SSLHOSTS" ] && exit 0
- +  
 + 
 # Loop over them and compare the common name with any URL we can find # Loop over them and compare the common name with any URL we can find
  for THISHOST in $SSLHOSTS ; do  for THISHOST in $SSLHOSTS ; do
 + 
    # Return the details of this host's sslcert data, unescaping on the way    # Return the details of this host's sslcert data, unescaping on the way
-    SSLDATA="`$BB $BBDISP \"hobbitdboard host=^$THISHOST test=sslcert fields=hostname,msg\" | perl -pe 's/&gt;/>/g, s/&lt;/</g, s/&amp;/&/g;' -e 's/\\\n/\n/g;'`" +    SSLDATA="`$XYMON $XYMSRV \"xymondboard host=^$THISHOST test=sslcert fields=hostname,msg\" | perl -pe 's/&gt;/>/g, s/&lt;/</g, s/&amp;/&/g;' -e 's/\\\n/\n/g;'`" 
 +    THISCOMMA="`echo $THISHOST | sed -e 's/\./,/g'`" 
 + 
    # Find the common name...    # Find the common name...
-    COMMONNAME="`echo \"$SSLDATA\" | grep CN= | perl -pe 's/^.*CN=([\w\.\-\*]+).*$/\1/'`"+   # TODO: We should loop over all common names and try to figure out what the relevant URLs are below 
 +   #   For now, we sort and take the first one. 
 +    COMMONNAME="`echo \"$SSLDATA\" | grep -v issuer: | grep CN= | perl -pe 's/^.*CN=([\w\.\-\*]+).*$/\1/' | sort | uniq | head -n 1`"
     if [ -z "$COMMONNAME" ] ; then     if [ -z "$COMMONNAME" ] ; then
  echo "Couldn't find a 'common name' for $THISHOST..." >&2  echo "Couldn't find a 'common name' for $THISHOST..." >&2
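Review bot: the new re-exec line `[ -z "$XYMON" ] && -x /usr/bin/xymoncmd && exec /usr/bin/xymoncmd $0 $*` is missing the test brackets around `-x`, so the shell tries to run a command literally named `-x`, that fails, the `&&` chain stops, and the script never re-executes under xymoncmd; the later `[ -z "$XYMON" ] && XYMON=/usr/bin/xymon` default hides the failure, but `XYMSRV`, `XYMONWEBHOST` and `XYMONSERVERCGIURL` then stay unset when the script is run outside xymonlaunch. It should read `[ -z "$XYMON" ] && [ -x /usr/bin/xymoncmd ] && exec /usr/bin/xymoncmd "$0" "$@"` (quoting `"$0"` and `"$@"` also keeps arguments intact). Two smaller points in the same hunk: `host=^$THISHOST` is a prefix-only regex with unescaped dots, so `^web` also selects `web2.example.com` and both hosts' sslcert messages end up in SSLDATA (anchor the end of the pattern as well, or escape the dots); and `sort | uniq | head -n 1` picks the alphabetically first CN, which for a host with several SSL services is not necessarily the certificate belonging to the https URL compared later, as the TODO comment already acknowledges.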
Line 83: Line 95:
     fi     fi
     # echo " -- Common name for $THISHOST is '$COMMONNAME'"     # echo " -- Common name for $THISHOST is '$COMMONNAME'"
- +  
 + 
    # Isolate what hostname we were trying to access and store as URL,    # Isolate what hostname we were trying to access and store as URL,
    # if found. The HUMANURL is the full string, including any port number    # if found. The HUMANURL is the full string, including any port number
-    URL="`echo \"$SSLDATA\" | grep -c https://`"+    export URL="`echo \"$SSLDATA\" | grep -c https://`"
     if [ $URL -eq 1 ] ; then     if [ $URL -eq 1 ] ; then
  # Great, a simple https address to look at  # Great, a simple https address to look at
Line 96: Line 108:
  HUMANURL=$THISHOST  HUMANURL=$THISHOST
     fi     fi
 + 
 +    ISMATCH="`echo $URL | grep -cE $COMMONNAME`"
  
 +    # Check if we're just modifying the existing status
 +    if [ -n "$MODIFY" ] ; then
 + [ $ISMATCH -ne 1 ] && $XYMON $XYMSRV "modify ${THISCOMMA}.sslcert red $TESTNAME Certificate $COMMONNAME does NOT match $HUMANURL"
 + continue
 +    fi
  
    # Build our Xymon report    # Build our Xymon report
-    if [ "`echo $URL | grep -cE $COMMONNAME`" -eq 1 ] ; then+    if [ $ISMATCH -eq 1 ] ; then
  STATUS="SSL cert ok"  STATUS="SSL cert ok"
  COLOR="green"  COLOR="green"
  BODY="&green $HUMANURL matches certificate $COMMONNAME"  BODY="&green $HUMANURL matches certificate $COMMONNAME"
- 
     else     else
  STATUS="SSL cert name MISMATCH"  STATUS="SSL cert name MISMATCH"
  COLOR="red"  COLOR="red"
  BODY="&red $HUMANURL does NOT match certificate $COMMONNAME  BODY="&red $HUMANURL does NOT match certificate $COMMONNAME
- +  
-<A HREF=\"$BBWEBHOST$BBSERVERCGIURL/bb-hostsvc.sh?HOST=$THISHOST&SERVICE=sslcert\">See 'sslcert' test results</A>" +<A HREF=\"$XYMONWEBHOST$XYMONSERVERCGIURL/svcstatus.sh?HOST=$THISHOST&SERVICE=sslcert\">See 'sslcert' test results</A>" 
     fi     fi
- +  
-   # Send results to Xymon +    # Send results to Xymon 
-    THISCOMMA="`echo $THISHOST | sed -e 's/\./,/g'`" +    $XYMON $XYMSRV "status ${THISCOMMA}.${TESTNAME} ${COLOR} `date` - ${STATUS} 
-    ## echo "$BODY" | $BB $BBDISP --both "status ${THISCOMMA}.${TESTNAME} ${COLOR} `date` - ${STATUS}" +${BODY}" 
-    $BB $BBDISP "status ${THISCOMMA}.${TESTNAME} ${COLOR} `date` - ${STATUS} + 
-$BODY+
 done done
- +  
 + 
 # fin # fin
 exit 0 exit 0
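Review bot: `ISMATCH="`echo $URL | grep -cE $COMMONNAME`"` feeds the certificate CN to grep as an unquoted, unescaped extended regex, which is the root of the wildcard limitation listed under Known Bugs and adds two more problems: every `.` in the CN matches any single character (so `secure.example.com` also "matches" `secure-example.com`), and a wildcard CN such as `*.example.com` begins with `*`, whose meaning at the start of a POSIX ERE is undefined, so the outcome depends on the grep implementation. Suggest building an anchored pattern before the comparison, for example `PATTERN="^$(echo "$COMMONNAME" | sed -e 's/\./\\./g' -e 's/\*/[^.]+/g')\$"` followed by `ISMATCH="$(echo "$URL" | grep -cE "$PATTERN")"`, which escapes the dots and restricts a wildcard to exactly one DNS label, so `*.example.net` no longer accepts `server.dc.example.net`. In the new MODIFY branch, `modify ${THISCOMMA}.sslcert red ...` is sent only on a mismatch and nothing is sent on a match, so it is worth confirming against the Xymon version in use that a stale red modification is cleared once the certificate is corrected.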
Line 130: Line 145:
 ===== Known Bugs and Issues ===== ===== Known Bugs and Issues =====
  
-This is targeted mainly at %%https://%% tests; YMMV with "sslcert" results from other types of tests (imaps, smtps, pop3s, etc).+sslcert tests that are a result of multiple SSL_enabled services tested by xymonnet should be tested individually against the URLs (or server name) in question and the worst state flagged. 
 + 
 +Wildcards are handled via regex, however this will lead to a false negative if your wildcard is for a more root-ward subdomain. Eg, *.example.net will be seen as an acceptable common name for https://server.dc.example.net/ when it really isn't. 
 + 
 +This was targeted mainly at %%https://%% tests; "sslcert" results from other types of tests (imaps, smtps, pop3s, etc) are tested against the server name only. YMMV.
  
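Review bot: the new wildcard paragraph correctly labels the `*.example.net` vs `server.dc.example.net` case a false negative (a mismatch reported as OK), but the regex comparison it describes has a second consequence that belongs in this section: the dots in the CN are not escaped, so any single character in the URL hostname satisfies a `.` in the certificate name. Suggest documenting both limitations here, or dropping the paragraph once the comparison escapes the CN and limits `*` to a single label. Minor: "SSL_enabled" should read "SSL-enabled".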
 ===== To Do ===== ===== To Do =====
Line 139: Line 158:
  
 ===== Changelog ===== ===== Changelog =====
 +
 +  * **2015-11-10**
 +    * Minor bug fixes and clean-up
 +
 +  * **2012-04-27**
 +    * update from hobbit -> xymon
 +    * optionally use "modify" of sslcert test instead of our own status
  
   * **2010-08-02**   * **2010-08-02**
     * Initial public release     * Initial public release
  
  • monitors/sslname.sh.txt
  • Last modified: 2019/08/28 08:24
  • by antivirusnoeron