diff --git a/Template_SSL_Certificates.xml b/Template_SSL_Certificates.xml
new file mode 100644
index 0000000..d0e5ab5
--- /dev/null
+++ b/Template_SSL_Certificates.xml
@@ -0,0 +1,675 @@ + + + 4.2 + 2019-07-04T10:45:43Z + + + HermanekTomas + + + + + + + + {SSL Certificates:ssllabs.certificate.grade.str(A)}=1 + 0 + + Certificate {HOST.HOST} grade is A + 0 + + + 1 + 1 + + 0 + 0 + + + + + {SSL Certificates:ssllabs.certificate.grade.str(A+)}=1 + 0 + + Certificate {HOST.HOST} grade is A+ + 0 + + + 1 + 1 + + 0 + 0 + + + + + {SSL Certificates:ssllabs.certificate.grade.str(B)}=1 + 0 + + Certificate {HOST.HOST} grade is B + 0 + + + 0 + 2 + + 0 + 0 + + + + + {SSL Certificates:ssllabs.certificate.grade.str(C)}=1 + 0 + + Certificate {HOST.HOST} grade is C + 0 + + + 0 + 2 + + 0 + 0 + + + + + {SSL Certificates:ssllabs.certificate.grade.str(D)}=1 + 0 + + Certificate {HOST.HOST} grade is D + 0 + + + 0 + 3 + + 0 + 0 + + + + + {SSL Certificates:ssllabs.certificate.grade.str(F)}=1 + 0 + + Certificate {HOST.HOST} grade is F + 0 + + + 0 + 4 + + 0 + 0 + + + + + {SSL Certificates:zext_ssl_issuer.sh[{HOST.HOST},{$SSL_PORT},{HOST.HOST}].change()}>0 + 0 + + Change in SSL Certificate Issuer + 0 + + https://{$SSL_HOST}:{$SSL_PORT} + 0 + 1 + + 0 + 1 + + + + + {SSL Certificates:net.tcp.service[https].max(5m)}<1 + 0 + + HTTPS Service is Down + 0 + + + 0 + 2 + + 0 + 0 + + + + + {SSL Certificates:zext_ssl_expiry.sh[{HOST.HOST},{$SSL_PORT},{HOST.HOST}].last(0)}<0 + 0 + + SSL certificate on {HOST.HOST} expired + 0 + + + 0 + 5 + + 0 + 0 + + + + + {SSL Certificates:zext_ssl_expiry.sh[{HOST.HOST},{$SSL_PORT},{HOST.HOST}].last(5)}<{$SSL_EXPIRY_AVG} + 0 + + SSL certificate on {HOST.HOST} expires in less than {$SSL_EXPIRY_AVG} days ({ITEM.VALUE} days remaining) + 0 + + + 0 + 3 + + 0 + 0 + + + SSL certificate on {HOST.HOST} expires in less than {$SSL_EXPIRY_HIGH} days ({ITEM.VALUE} days remaining) + {SSL Certificates:zext_ssl_expiry.sh[{HOST.HOST},{$SSL_PORT},{HOST.HOST}].last(5)}<{$SSL_EXPIRY_HIGH} + + + + + + + {SSL Certificates:zext_ssl_expiry.sh[{HOST.HOST},{$SSL_PORT},{HOST.HOST}].last(5)}<{$SSL_EXPIRY_HIGH} + 0 + + SSL certificate on {HOST.HOST} expires in less than 
{$SSL_EXPIRY_HIGH} days ({ITEM.VALUE} days remaining) + 0 + + + 0 + 4 + + 0 + 0 + + + SSL certificate on {HOST.HOST} expired + {SSL Certificates:zext_ssl_expiry.sh[{HOST.HOST},{$SSL_PORT},{HOST.HOST}].last(0)}<0 + + + + + + + {SSL Certificates:zext_ssl_expiry.sh[{HOST.HOST},{$SSL_PORT},{HOST.HOST}].last(5)}<{$SSL_EXPIRY_INFO} + 0 + + SSL certificate on {HOST.HOST} expires in less than {$SSL_EXPIRY_INFO} days ({ITEM.VALUE} days remaining) + 0 + + + 0 + 1 + + 0 + 0 + + + SSL certificate on {HOST.HOST} expires in less than {$SSL_EXPIRY_WARN} days ({ITEM.VALUE} days remaining) + {SSL Certificates:zext_ssl_expiry.sh[{HOST.HOST},{$SSL_PORT},{HOST.HOST}].last(5)}<{$SSL_EXPIRY_WARN} + + + + + + + {SSL Certificates:zext_ssl_expiry.sh[{HOST.HOST},{$SSL_PORT},{HOST.HOST}].last(5)}<{$SSL_EXPIRY_NOTCLASSIFIED} + 0 + + SSL certificate on {HOST.HOST} expires in less than {$SSL_EXPIRY_NOTCLASSIFIED} days ({ITEM.VALUE} days remaining) + 0 + + + 0 + 0 + + 0 + 0 + + + SSL certificate on {HOST.HOST} expires in less than {$SSL_EXPIRY_INFO} days ({ITEM.VALUE} days remaining) + {SSL Certificates:zext_ssl_expiry.sh[{HOST.HOST},{$SSL_PORT},{HOST.HOST}].last(5)}<{$SSL_EXPIRY_INFO} + + + + + + + {SSL Certificates:zext_ssl_expiry.sh[{HOST.HOST},{$SSL_PORT},{HOST.HOST}].last(5)}<{$SSL_EXPIRY_WARN} + 0 + + SSL certificate on {HOST.HOST} expires in less than {$SSL_EXPIRY_WARN} days ({ITEM.VALUE} days remaining) + 0 + + + 0 + 2 + + 0 + 0 + + + SSL certificate on {HOST.HOST} expires in less than {$SSL_EXPIRY_AVG} days ({ITEM.VALUE} days remaining) + {SSL Certificates:zext_ssl_expiry.sh[{HOST.HOST},{$SSL_PORT},{HOST.HOST}].last(5)}<{$SSL_EXPIRY_AVG} + + + + + + + + + SSL Certificate valid days + 900 + 200 + 0.0000 + 100.0000 + 1 + 1 + 0 + 1 + 0 + 0.0000 + 0.0000 + 0 + 0 + 0 + 0 + + + 0 + 0 + BB00BB + 0 + 2 + 0 + + SSL Certificates + zext_ssl_expiry.sh[{HOST.HOST},{$SSL_PORT},{HOST.HOST}] + + + + + + + + Service state + + + 0 + Down + + + 1 + Up + + + + + 
diff --git a/ssllabs-scan b/ssllabs-scan
new file mode 100644
index 0000000..22b02d9
Binary files /dev/null and b/ssllabs-scan differ
diff --git a/ssllabs_checker.sh b/ssllabs_checker.sh
new file mode 100644
index 0000000..b685c62
--- /dev/null
+++ b/ssllabs_checker.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Configuration
+HOST=$1
+ZABBIX_SENDER="/usr/bin/zabbix_sender"
+ZABBIX_CONFIG="/etc/zabbix/zabbix_agentd.conf"
+#ZABBIX_CONFIG=""
+ZABBIX_SERVER="127.0.0.1"
+ZABBIX_PORT="10051"
+ZABBIX_KEY="ssllabs.certificate.grade"
+
+SSLLAB_SCAN="/usr/lib/zabbix/externalscripts/ssllabs-scan"
+
+#with cache
+#SSLLAB_OPTIONS="-usecache -quiet -grade -maxage 1"
+#without cache
+SSLLAB_OPTIONS="-quiet -grade"
+
+# Do the job
+set -o errexit
+ZABBIX_SENDER_CMD=$ZABBIX_SENDER
+if [ -z $ZABBIX_CONFIG ]
+then
+ ZABBIX_SENDER_CMD="$ZABBIX_SENDER_CMD -z $ZABBIX_SERVER -p $ZABBIX_PORT "
+else
+ ZABBIX_SENDER_CMD="$ZABBIX_SENDER_CMD -c $ZABBIX_CONFIG "
+fi
+
+VALUE=$($SSLLAB_SCAN $SSLLAB_OPTIONS $HOST | awk 'BEGIN { FS=":" } /1/ { print $2 }'| sed -e 's/^"//' -e 's/"$//')
+
+ZABBIX_SENDER_CMD="$ZABBIX_SENDER_CMD -s $HOST -k $ZABBIX_KEY -o $VALUE"
+
+$ZABBIX_SENDER_CMD 1>/dev/null
diff --git a/ssllabs_checker_at.sh b/ssllabs_checker_at.sh
new file mode 100644
index 0000000..9640754
--- /dev/null
+++ b/ssllabs_checker_at.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+EXTERNALSCRIPTS=/usr/lib/zabbix/externalscripts
+echo "$EXTERNALSCRIPTS/ssllabs_checker.sh $1" | at now
+
diff --git a/zext_ssl_expiry.sh b/zext_ssl_expiry.sh
new file mode 100644
index 0000000..e37079e
--- /dev/null
+++ b/zext_ssl_expiry.sh
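Review bot: The zabbix_sender command line in ssllabs_checker.sh is assembled as a flat string and run unquoted (`$ZABBIX_SENDER_CMD 1>/dev/null`), so `$HOST` from `$1` and `$VALUE` parsed from scanner output are word-split and glob-expanded, and whitespace in either would be read by zabbix_sender as extra arguments. Building the arguments as a bash array with every expansion quoted avoids that; `[ -z $ZABBIX_CONFIG ]` also wants its operand quoted. `set -o errexit` does not catch a failing `ssllabs-scan`, because the status of the `$(...)` pipeline is that of `sed`, so an empty grade would still be passed to `-o`; `set -o pipefail` plus an explicit empty check covers it. Once `$VALUE` is quoted, whitespace that awk leaves around field 2 is no longer dropped by word splitting, so confirm the scanner's output format and trim in the `sed` stage if needed.

```shell
set -o errexit
set -o pipefail
sender_args=()
if [ -z "$ZABBIX_CONFIG" ]
then
  sender_args+=(-z "$ZABBIX_SERVER" -p "$ZABBIX_PORT")
else
  sender_args+=(-c "$ZABBIX_CONFIG")
fi

# SSLLAB_OPTIONS is split into separate flags on purpose; HOST is not.
VALUE=$("$SSLLAB_SCAN" $SSLLAB_OPTIONS "$HOST" | awk 'BEGIN { FS=":" } /1/ { print $2 }' | sed -e 's/^"//' -e 's/"$//')
if [ -z "$VALUE" ]
then
  echo "no grade returned for $HOST" >&2
  exit 1
fi

"$ZABBIX_SENDER" "${sender_args[@]}" -s "$HOST" -k "$ZABBIX_KEY" -o "$VALUE" 1>/dev/null
```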
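Review bot: In ssllabs_checker_at.sh the line `echo "$EXTERNALSCRIPTS/ssllabs_checker.sh $1" | at now` pastes `$1` into text that `at` later hands to a shell, so any shell metacharacters in the argument are interpreted rather than passed along as a hostname. If the argument only ever comes from a Zabbix host macro that administrators control, the exposure is limited, but the script itself does not enforce that. Rejecting anything that is not a plain hostname before queueing the job keeps the queued command well-formed, e.g. `case "$1" in ''|*[!A-Za-z0-9.-]*) echo "invalid host" >&2; exit 1 ;; esac` ahead of the `echo`.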
@@ -0,0 +1,23 @@
+#! /bin/sh
+SERVER=$1
+TIMEOUT=5
+RETVAL=0
+SNI=$3
+TIMESTAMP=`echo | date`
+if [ -z "$2" ]
+then
+PORT=443;
+else
+PORT=$2;
+fi
+EXPIRE_DATE=`timeout $TIMEOUT openssl s_client -connect $SERVER:$PORT -servername $SNI 2>/dev/null | openssl x509 -noout -dates 2>/dev/null | grep notAfter | cut -d'=' -f2`
+EXPIRE_SECS=`date -d "${EXPIRE_DATE}" +%s`
+EXPIRE_TIME=$(( ${EXPIRE_SECS} - `date +%s` ))
+if test $EXPIRE_TIME -lt 0
+then
+RETVAL=0
+else
+RETVAL=$(( ${EXPIRE_TIME} / 24 / 3600 ))
+fi
+
+echo ${RETVAL}
diff --git a/zext_ssl_issuer.sh b/zext_ssl_issuer.sh
new file mode 100644
index 0000000..33d67fd
--- /dev/null
+++ b/zext_ssl_issuer.sh
@@ -0,0 +1,9 @@
+#! /bin/sh
+SERVER=$1
+TIMEOUT=5
+#RETVAL=0
+#TIMESTAMP=`echo | date`
+PORT=$2
+SNI=$3
+ISSUER=`timeout $TIMEOUT openssl s_client -connect ${SERVER}:${PORT} -servername $SNI 2>/dev/null | openssl x509 -noout -issuer 2>/dev/null | grep issuer`
+echo ${ISSUER}
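Review bot: zext_ssl_expiry.sh clamps a negative `EXPIRE_TIME` to `RETVAL=0`, so the "SSL certificate on {HOST.HOST} expired" trigger in Template_SSL_Certificates.xml, which fires only when `last(0)` is below zero, can never fire. The same 0 appears to come out when the handshake fails: `EXPIRE_DATE` is then empty and GNU `date -d ""` resolves to today's midnight as far as I know, so an unreachable host looks like a certificate expiring today. I would stop on an empty date with `[ -n "$EXPIRE_DATE" ] || exit 1` and replace the `if test … fi` block with `RETVAL=$(( EXPIRE_TIME / 86400 ))`, keeping in mind that integer division still yields 0 during the first day after expiry. `$SERVER`, `$PORT` and `$SNI` are also expanded unquoted on the `openssl s_client` line here and in zext_ssl_issuer.sh; quoting them (`-connect "$SERVER:$PORT" -servername "$SNI"`) keeps an odd argument from turning into extra openssl options.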
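Review bot: When the connection or the certificate parse fails in zext_ssl_issuer.sh, both `2>/dev/null` redirections hide the error and the script prints an empty line, which the template's `.change()` trigger on this item may treat as an issuer change (worth confirming on your Zabbix version). A guard such as `[ -n "$ISSUER" ] || exit 1` before the final `echo` lets the check fail visibly instead of raising "Change in SSL Certificate Issuer" on a transient outage. `PORT=$2` also has no fallback, unlike zext_ssl_expiry.sh which defaults to 443; `PORT=${2:-443}` would make the two scripts agree.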