monitors:sslname.sh

monitors:sslname.sh [2015/11/10 03:54] – Update for xymon jccleaver
monitors:sslname.sh [2019/08/28 08:24] (current) – [Description] antivirusnoeron
Line 1: Line 1:
 ====== SSL certificate name match monitor ====== ====== SSL certificate name match monitor ======
  
-^ Author | [[ jcleaver@soe.sony.com jccleaver ]] |+^ Author | [[ cleaver-xymon@terabithia.org Japheth Cleaver ]] |
 ^ Compatibility | Xymon 4.2.3 | ^ Compatibility | Xymon 4.2.3 |
 ^ Requirements | perl, unix | ^ Requirements | perl, unix |
 ^ Download | None | ^ Download | None |
-^ Last Update | 2010-08-02 |+^ Last Update | 2015-11-09 |
  
-===== Description ===== +Antivirus-Norton Internet Security is a security software product from Symantec. Packed with features to protect your PC from all kinds of online threats and the main programs in this award-winning software are antivirus, anti-spyware, firewall and antispam protection. Download Norton antivirus from . 
- +[[http://antivirus-norton.com|norton.com/setup]] 
-Originating thread here: http://www.xymon.com/archive/2010/06/msg00148.html +Author:John Smith0, a creative person who puts his skills in Technical writing by making everything easier for readers to understand the complexity of any tech related issue.  Many popular e-magazines have released his articles. He has also been writing to people’s query related to technology like office.com/setupMcAfee, Norton and many more. 
- +[[https://d-mcafee.com/|mcafee.com/activate]] | [[https://iamcafee.com/|mcafee.com/activate]] | [[https://bitstamp.help-desk-number.com/bitstamp-login/| bitstamp login]]
-A small script that checks "sslcert" tests and tries to verify that the common name ("CN=") in the resulting ssl certificate matches the URL that we tried to reach (eg, https://secure.example.com/) It reports the status under a new test name, "sslname"Wildcard certificates are taken into account, since we're matching using extended grep.+
  
 ===== Installation ===== ===== Installation =====
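Review bot: The `+` side of this hunk deletes the entire ===== Description ===== section (the originating-thread link and the paragraph explaining that the script takes each "sslcert" result, extracts the CN= of the certificate, compares it with the https:// URL that was tested, and reports under the new test name "sslname") and replaces it with unrelated antivirus advertising and outbound links that have nothing to do with Xymon or this monitor. This revision should be reverted so the description is restored; the author contact and Last Update changes at the top of the hunk are the only parts worth keeping.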
Line 33: Line 32:
         CMD /etc/xymon/ext/sslname.sh         CMD /etc/xymon/ext/sslname.sh
         LOGFILE /var/log/xymon/sslname.log         LOGFILE /var/log/xymon/sslname.log
 +        INTERVAL 5m
 </code> </code>
  
Line 41: Line 41:
 <code bash sslname.sh> <code bash sslname.sh>
 #!/bin/sh #!/bin/sh
- +  
-# sslname.sh+# sslname.sh v2
  
 # Retrieve a list of all "sslcert" tests, which come out of any SSL-enabled # Retrieve a list of all "sslcert" tests, which come out of any SSL-enabled
Line 53: Line 53:
 # of another SSL service. # of another SSL service.
  
-# Japheth Cleaver <jcleaver@soe.sony.com+# Japheth Cleaver <cleaver@terabithia.org
-# No warranty. YMMV. Use at your own risk. This is not supported by my employer.+# No warranty. YMMV. Use at your own risk.
  
 +# First pass: 2010-08-02
 +# http://xymonton.org/monitors:sslname.sh
 +
 +# v2 2012-04-27 -- update from hobbit -> xymon and optionally use "modify" 
 +# instead of our own status
  
 + 
 + [ -z "$XYMON" ] && -x /usr/bin/xymoncmd && exec /usr/bin/xymoncmd $0 $*
  
-# Set some defaults - I'm running this from hobbitlaunch, YMMV+# Set some defaults - I'm running this from xymonlaunch, YMMV
  [ -z "$TESTNAME" ] && TESTNAME=sslname  [ -z "$TESTNAME" ] && TESTNAME=sslname
- [ -z "$BBDISP" ] && BBDISP=0.0.0.0+ [ -z "$XYMSRV" ] && XYMSRV=0.0.0.0
  [ -z "$COLOR" ] && COLOR="clear"  [ -z "$COLOR" ] && COLOR="clear"
- [ -z "$BB" ]  && BB=/usr/bin/bb + [ -z "$XYMON" ]  && XYMON=/usr/bin/xymon
  
 +# Modify the sslcert test result, or create our own?
 +# MODIFY=1
 + 
 # Get a list of all valid sslcert tests # Get a list of all valid sslcert tests
- SSLHOSTS="`$BB $BBDISP \"hobbitdboard test=sslcert fields=hostname\"`"+ SSLHOSTS="`$XYMON $XYMSRV \"xymondboard test=sslcert fields=hostname\"`"
  [ -z "$SSLHOSTS" ] && exit 0  [ -z "$SSLHOSTS" ] && exit 0
- +  
 + 
 # Loop over them and compare the common name with any URL we can find # Loop over them and compare the common name with any URL we can find
  for THISHOST in $SSLHOSTS ; do  for THISHOST in $SSLHOSTS ; do
 + 
    # Return the details of this host's sslcert data, unescaping on the way    # Return the details of this host's sslcert data, unescaping on the way
-    SSLDATA="`$BB $BBDISP \"hobbitdboard host=^$THISHOST test=sslcert fields=hostname,msg\" | perl -pe 's/&gt;/>/g, s/&lt;/</g, s/&amp;/&/g;' -e 's/\\\n/\n/g;'`" +    SSLDATA="`$XYMON $XYMSRV \"xymondboard host=^$THISHOST test=sslcert fields=hostname,msg\" | perl -pe 's/&gt;/>/g, s/&lt;/</g, s/&amp;/&/g;' -e 's/\\\n/\n/g;'`" 
 +    THISCOMMA="`echo $THISHOST | sed -e 's/\./,/g'`" 
 + 
    # Find the common name...    # Find the common name...
-    COMMONNAME="`echo \"$SSLDATA\" | grep CN= | perl -pe 's/^.*CN=([\w\.\-\*]+).*$/\1/'`"+   # TODO: We should loop over all common names and try to figure out what the relevant URLs are below 
 +   #   For now, we sort and take the first one. 
 +    COMMONNAME="`echo \"$SSLDATA\" | grep -v issuer: | grep CN= | perl -pe 's/^.*CN=([\w\.\-\*]+).*$/\1/' | sort | uniq | head -n 1`"
     if [ -z "$COMMONNAME" ] ; then     if [ -z "$COMMONNAME" ] ; then
  echo "Couldn't find a 'common name' for $THISHOST..." >&2  echo "Couldn't find a 'common name' for $THISHOST..." >&2
Line 83: Line 95:
     fi     fi
     # echo " -- Common name for $THISHOST is '$COMMONNAME'"     # echo " -- Common name for $THISHOST is '$COMMONNAME'"
- +  
 + 
    # Isolate what hostname we were trying to access and store as URL,    # Isolate what hostname we were trying to access and store as URL,
    # if found. The HUMANURL is the full string, including any port number    # if found. The HUMANURL is the full string, including any port number
-    URL="`echo \"$SSLDATA\" | grep -c https://`"+    export URL="`echo \"$SSLDATA\" | grep -c https://`"
     if [ $URL -eq 1 ] ; then     if [ $URL -eq 1 ] ; then
  # Great, a simple https address to look at  # Great, a simple https address to look at
Line 96: Line 108:
  HUMANURL=$THISHOST  HUMANURL=$THISHOST
     fi     fi
 + 
 +    ISMATCH="`echo $URL | grep -cE $COMMONNAME`"
  
 +    # Check if we're just modifying the existing status
 +    if [ -n "$MODIFY" ] ; then
 + [ $ISMATCH -ne 1 ] && $XYMON $XYMSRV "modify ${THISCOMMA}.sslcert red $TESTNAME Certificate $COMMONNAME does NOT match $HUMANURL"
 + continue
 +    fi
  
    # Build our Xymon report    # Build our Xymon report
-    if [ "`echo $URL | grep -cE $COMMONNAME`" -eq 1 ] ; then+    if [ $ISMATCH -eq 1 ] ; then
  STATUS="SSL cert ok"  STATUS="SSL cert ok"
  COLOR="green"  COLOR="green"
  BODY="&green $HUMANURL matches certificate $COMMONNAME"  BODY="&green $HUMANURL matches certificate $COMMONNAME"
- 
     else     else
  STATUS="SSL cert name MISMATCH"  STATUS="SSL cert name MISMATCH"
  COLOR="red"  COLOR="red"
  BODY="&red $HUMANURL does NOT match certificate $COMMONNAME  BODY="&red $HUMANURL does NOT match certificate $COMMONNAME
- +  
-<A HREF=\"$BBWEBHOST$BBSERVERCGIURL/bb-hostsvc.sh?HOST=$THISHOST&SERVICE=sslcert\">See 'sslcert' test results</A>" +<A HREF=\"$XYMONWEBHOST$XYMONSERVERCGIURL/svcstatus.sh?HOST=$THISHOST&SERVICE=sslcert\">See 'sslcert' test results</A>" 
     fi     fi
- +  
-   # Send results to Xymon +    # Send results to Xymon 
-    THISCOMMA="`echo $THISHOST | sed -e 's/\./,/g'`" +    $XYMON $XYMSRV "status ${THISCOMMA}.${TESTNAME} ${COLOR} `date` - ${STATUS} 
-    ## echo "$BODY" | $BB $BBDISP --both "status ${THISCOMMA}.${TESTNAME} ${COLOR} `date` - ${STATUS}" +${BODY}" 
-    $BB $BBDISP "status ${THISCOMMA}.${TESTNAME} ${COLOR} `date` - ${STATUS} + 
-$BODY+
 done done
- +  
 + 
 # fin # fin
 exit 0 exit 0
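Review bot: The added bootstrap line `[ -z "$XYMON" ] && -x /usr/bin/xymoncmd && exec /usr/bin/xymoncmd $0 $*` has the `-x` test outside any `[ ]`, so the shell tries to execute a command named `-x`, fails, and the re-exec through xymoncmd never happens; it should read `[ -z "$XYMON" ] && [ -x /usr/bin/xymoncmd ] && exec /usr/bin/xymoncmd "$0" "$@"`. The new `ISMATCH="`echo $URL | grep -cE $COMMONNAME`"` line also passes `$COMMONNAME`, a value read from the remote certificate, unquoted to `grep -cE`: a CN containing whitespace or shell glob characters breaks the command, and regex metacharacters in it (`.` matching any character, a leading `*`) are interpreted rather than matched literally, with no anchoring. Quote the variable and either escape it before use or compare the hostname labels directly instead of treating the CN as a regex; the same applies to the `modify` message, which interpolates `$COMMONNAME` and `$HUMANURL` into the status text.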
Line 130: Line 145:
 ===== Known Bugs and Issues ===== ===== Known Bugs and Issues =====
  
-This is targeted mainly at %%https://%% tests; YMMV with "sslcert" results from other types of tests (imaps, smtps, pop3s, etc).+sslcert tests that are a result of multiple SSL_enabled services tested by xymonnet should be tested individually against the URLs (or server name) in question and the worst state flagged. 
 + 
 +Wildcards are handled via regex, however this will lead to a false negative if your wildcard is for a more root-ward subdomain. Eg, *.example.net will be seen as an acceptable common name for https://server.dc.example.net/ when it really isn't. 
 + 
 +This was targeted mainly at %%https://%% tests; "sslcert" results from other types of tests (imaps, smtps, pop3s, etc) are tested against the server name only. YMMV.
  
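Review bot: The new wildcard paragraph should state the matching rule, not only the example: because the CN is used as an unanchored extended regex, `*` and `.` act as metacharacters, so `*.example.net` is accepted for server.dc.example.net even though a wildcard conventionally covers a single DNS label; the "false negative" being described is the monitor reporting green for a name the certificate does not actually cover. It is worth documenting that the same unanchored match also accepts any CN that merely appears as a substring of the URL, since that is the condition an operator needs to know about when reading a green "sslname" result.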
 ===== To Do ===== ===== To Do =====
Line 139: Line 158:
  
 ===== Changelog ===== ===== Changelog =====
 +
 +  * **2015-11-10**
 +    * Minor bug fixes and clean-up
 +
 +  * **2012-04-27**
 +    * update from hobbit -> xymon
 +    * optionally use "modify" of sslcert test instead of our own status
  
   * **2010-08-02**   * **2010-08-02**
     * Initial public release     * Initial public release
  
  • monitors/sslname.sh.1447127641.txt.gz
  • Last modified: 2015/11/10 03:54
  • by jccleaver