Merge branch 'simple-task/7546-icinga-check-für-ablaufende-gitlab-tokens' into 'master'

Simple task/7546 icinga check für ablaufende gitlab tokens See merge request !297

Merge branch 'simple-task/7546-icinga-check-für-ablaufende-gitlab-tokens' into 'master'
d13c92ef · Hahn Axel (hahn) · 6776e7db · 13d0fa56 · d13c92ef · d13c92ef
Commit d13c92ef authored 4 months ago by Hahn Axel (hahn)
--- a/check_ceph_diskfree
+++ b/check_ceph_diskfree
@@ -22,11 +22,12 @@
 # 2023-06-19  v1.4  <axel.hahn@unibe.ch>      no more tmpfile
 # 2023-07-27  v1.5  <axel.hahn@unibe.ch>      update help page
 # 2023-10-20  v1.6  <axel.hahn@unibe.ch>      harden sudo command execution
+# 2025-02-12  v1.7  <axel.hahn@unibe.ch>      Show -w and -c param in help
 # ======================================================================

 . $(dirname $0)/inc_pluginfunctions

-export self_APPVERSION=1.6
+export self_APPVERSION=1.7

 typeset -i iWarning=0
 typeset -i iCritical=0
@@ -48,6 +49,9 @@ $(basename $0)
 OPTIONS:
    -h or --help   show this help.

+    -w VALUE       warning level  (default: 70)
+    -c VALUE       critical level (default: 90)
+  
 EOF
 }

@@ -68,8 +72,8 @@ esac
 ph.require ceph

 # set default / override from command line params
-typeset -i iWarnLimit=$(     ph.getValueWithParam 70 w "$@")
-typeset -i iCriticalLimit=$( ph.getValueWithParam 90 c "$@")
+typeset -i iWarnLimit;     iWarnLimit=$(     ph.getValueWithParam 70 w "$@")
+typeset -i iCriticalLimit; iCriticalLimit=$( ph.getValueWithParam 90 c "$@")

 if ! data=$( sudo -n /bin/ceph df 2>&1 )
 then

--- a/check_ssl
+++ b/check_ssl
@@ -18,17 +18,18 @@
 # 2020-03-05  v1.1  <axel.hahn@iml.unibe.ch>  switch to ph.* helper functions
 # 2023-02-13  v1.2  <axel.hahn@unibe.ch>      some shell fixes
 # 2023-08-23  v1.3  <axel.hahn@unibe.ch>      fix wrong exitcode to "critical"
+# 2025-02-12  v1.4  <axel.hahn@unibe.ch>      add IML header in help; add warning and critical level
 # ======================================================================


 . $(dirname $0)/inc_pluginfunctions

+self_APPNAME=$( basename $0 | tr [:lower:] [:upper:] )
+self_APPVERSION=1.4
+
 sDomain=
 iPort=443

-
-iWarnDaysBefore=60
-
 typeset -i iErrors=0
 typeset -i iWarnings=0

@@ -40,13 +41,36 @@ sStatus=

 # show help with syntax
 function showHelp(){
-  echo
-  echo ----- SSL Check v1.0
-  echo
-  echo "SYNTAX: $(basename $0) [domain] [[port]]"
-  echo "   domain - domain to verify the ssl vertificate from (required)"
-  echo "   port   - port number to connect (default: 443)"
-  echo
+    _self=$( basename $0 )
+cat <<EOH
+$( ph.showImlHelpHeader )
+
+Check if ssl certificate of a given domain is still valid.
+You can check https or any other port of a ssl enabled service like LDAPS, 
+IMPAS and others.
+
+You can customize the values for warning and critical level.
+
+SYNTAX: $_self [options] DOMAIN [PORT]
+
+OPTIONS
+    -w VALUE  warning level for expiration in days (default: 28)
+    -c VALUE  critical level for expiration in days (default: 7)
+
+PARAMETERS
+    DOMAIN    domain to verify the ssl vertificate from (required)
+    PORT      optional: port number to connect (default: 443)
+
+
+EXAMPLES
+
+    $_self www.iml.unibe.ch 443
+        check https port 443
+
+    $_self -w 30 -c 14 ldap.example.com 636
+        check ldaps port 636 and set custom warning and critical level
+
+EOH
 }


@@ -57,73 +81,81 @@ function showHelp(){

 # --- check requirements

-  ph.require openssl
+ph.require openssl

-  if [ $# -eq 0 ]; then
+if [ $# -eq 0 ]; then
    showHelp
-    ph.abort
-  fi
+    exit 0
+fi

 # --- start

-  sDomain=$1
-  if [ ! -z $2 ]; then
-    iPort=$2
-  fi
+# set default / override from command line params
+typeset -i iWarnLimit;     iWarnLimit=$(     ph.getValueWithParam 28 w "$@")
+typeset -i iCriticalLimit; iCriticalLimit=$( ph.getValueWithParam 7  c "$@")
+
+sParams="$*"
+sP1="$( rev <<< $sParams | cut -f 2 -d ' ' | rev )"
+sP2="$( rev <<< $sParams | cut -f 1 -d ' ' | rev )"

+if grep -q "^[0-9]*$" <<< $sP2; then
+    sDomain=$sP1
+    iPort=$sP2
+else
+    sDomain=$sP2
+fi

 # --- try to connect

-  echo | openssl s_client -connect ${sDomain}:${iPort} >/dev/null 2>&1  
-  if [ $? -ne 0 ]; then
+echo | openssl s_client -connect ${sDomain}:${iPort} >/dev/null 2>&1  
+if [ $? -ne 0 ]; then
    ph.setStatus "critical"
    ph.status "unable to connect to ${sDomain} via port :${iPort} - maybe wrong host ... or port ... wrong chaining"
    # repeat the last command without redirecting output
    echo | openssl s_client -connect ${sDomain}:${iPort}
    ph.exit
-  fi
+fi

-  echo | openssl s_client -connect ${sDomain}:${iPort} 2>/dev/null | openssl x509 -noout -subject | grep -F ${sDomain} >/dev/null
-  if [ $? -ne 0 ]; then
+echo | openssl s_client -connect ${sDomain}:${iPort} 2>/dev/null | openssl x509 -noout -subject | grep -F ${sDomain} >/dev/null
+if [ $? -ne 0 ]; then
    ph.setStatus "unknown"
    echo SORRY, openssl was unable to fetch the right certificate - this happens on multiple ssl webs - it finds
    echo | openssl s_client -connect ${sDomain}:${iPort} 2>/dev/null | openssl x509 -noout -subject
    ph.exit
-  fi
+fi

 # --- unix timestamps valid from .. to

-  dateFrom=$(echo | openssl s_client -connect ${sDomain}:${iPort} 2>/dev/null | openssl x509 -noout -startdate | cut -f 2 -d "=")
-  dateTo=$(echo   | openssl s_client -connect ${sDomain}:${iPort} 2>/dev/null | openssl x509 -noout -enddate   | cut -f 2 -d "=")
-
-  tsFrom=$(date -d "${dateFrom}" +%s)
-  tsTo=$(date -d "${dateTo}" +%s)
+dateFrom=$(echo | openssl s_client -connect ${sDomain}:${iPort} 2>/dev/null | openssl x509 -noout -startdate | cut -f 2 -d "=")
+dateTo=$(echo   | openssl s_client -connect ${sDomain}:${iPort} 2>/dev/null | openssl x509 -noout -enddate   | cut -f 2 -d "=")

-  tsNow=$(date +%s)
-  typeset -i iDaysLeft=($tsTo-$tsNow)/60/60/24
+tsFrom=$(date -d "${dateFrom}" +%s)
+tsTo=$(date -d "${dateTo}" +%s)

+tsNow=$(date +%s)
+typeset -i iDaysLeft=($tsTo-$tsNow)/60/60/24

 # --- check date

-  if [ ${tsFrom} -gt ${tsNow} ]; then
+if [ ${tsFrom} -gt ${tsNow} ]; then
    ph.setStatus "critical"
    ph.status "certificate ${sDomain}:${iPort} is not valid yet - ${dateFrom}"
-  else
-    if [ ${tsTo} -lt ${tsNow} ]; then
-      ph.setStatus "critical"
-      ph.status "certificate ${sDomain}:${iPort} is out of date - ${dateTo} - ${iDaysLeft} days"
    else
-      # --- check close ending day
-      if [ ${iDaysLeft} -lt ${iWarnDaysBefore} ]; then
-        ph.setStatus "warning"
-        ph.status "certificate ${sDomain}:${iPort} is out of date - ${dateTo} - ${iDaysLeft} days"
-      else
-        ph.setStatus "ok"
-        ph.status "${sDomain}:${iPort} - valid to ${dateTo} (${iDaysLeft} days left)"
-      fi
+        if [ ${tsTo} -lt ${tsNow} ]||[ ${iDaysLeft} -le $iCriticalLimit ]; then
+            ph.setStatus "critical"
+            ph.status "certificate ${sDomain}:${iPort} is out of date - ${dateTo} - ${iDaysLeft} days"
+        else
+            # --- check close ending day
+            if [ ${iDaysLeft} -lt ${iWarnLimit} ]; then
+                ph.setStatus "warning"
+                ph.status "certificate ${sDomain}:${iPort} is out of date - ${dateTo} - ${iDaysLeft} days"
+            else
+                ph.setStatus "ok"
+                ph.status "${sDomain}:${iPort} - valid to ${dateTo} (${iDaysLeft} days left)"
+        fi
    fi
-  fi
+fi

-  ph.exit
+ph.exit

 # ----------------------------------------------------------------------
--- a/docs/20_Checks/_index.md
+++ b/docs/20_Checks/_index.md
@@ -47,7 +47,7 @@
 * [check_snmp_data](check_snmp_data.md)
 * [check_snmp_printer](check_snmp_printer.md)
 * [check_snmp_synology](check_snmp_synology.md)
-* check_ssl
+* [check_ssl](check_ssl.md)
 * [check_ssl_certs](check_ssl_certs.md)
 * check_systemdservices
 * [check_systemdunit](check_systemdunit.md)

--- a/docs/20_Checks/check_ceph_diskfree.md
+++ b/docs/20_Checks/check_ceph_diskfree.md
@@ -27,11 +27,13 @@ From this repository ypu need next to this script:
 $ check_ceph_diskfree -h
 ______________________________________________________________________

-CHECK_CEPH_DISKFREE 
-v1.6
+CHECK_CEPH_DISKFREE
+v1.7

 (c) Institute for Medical Education - University of Bern
 Licence: GNU GPL 3
+
+https://os-docs.iml.unibe.ch/icinga-checks/Checks/check_ceph_diskfree.html
 ______________________________________________________________________

 Show available and free space on a ceph cluster.
@@ -44,6 +46,10 @@ check_ceph_diskfree

 OPTIONS:
    -h or --help   show this help.
+
+    -w VALUE       warning level  (default: 70)
+    -c VALUE       critical level (default: 90)
+
 ```

 ### Parameters

--- a/docs/20_Checks/check_ssl.md
+++ b/docs/20_Checks/check_ssl.md
+## Check ssl
+
+Script: `check_ssl`
+
+**check_ssl_certs** is a plugin to check an ssl connection to a host on given port.
+
+## Requirements
+
+* openssl client
+
+## Standalone installation
+
+From this repository ypu need next to this script:
+
+* `inc_pluginfunctions` shared function for all IML checks written in bash
+
+## Syntax
+
+Start the script without params to get the help.
+
+```txt
+______________________________________________________________________
+
+CHECK_SSL
+v1.4
+
+(c) Institute for Medical Education - University of Bern
+Licence: GNU GPL 3
+
+https://os-docs.iml.unibe.ch/icinga-checks/Checks/check_ssl.html
+______________________________________________________________________
+
+Check if ssl certificate of a given domain is still valid.
+You can check https or any other port of a ssl enabled service like LDAPS, 
+IMPAS and others.
+
+You can customize the values for warning and critical level.
+
+SYNTAX: check_ssl [options] DOMAIN [PORT]
+
+OPTIONS
+    -w VALUE  warning level for expiration in days (default: 28)
+    -c VALUE  critical level for expiration in days (default: 7)
+
+PARAMETERS
+    DOMAIN    domain to verify the ssl vertificate from (required)
+    PORT      optional: port number to connect (default: 443)
+
+
+EXAMPLES
+
+    check_ssl www.iml.unibe.ch 443
+        check https port 443
+
+    check_ssl -w 30 -c 14 ldap.example.com 636
+        check ldaps port 636 and set custom warning and critical level
+
+```
+
+## Examples
+
+### Check Website with https
+
+To check a domain name on port 443 add the domain to connect as parameter. The port number 443 is default and not needed.
+
+```txt
+./check_ssl www.iml.unibe.ch
+OK: www.iml.unibe.ch:443 - valid to Apr 23 00:38:13 2025 GMT (69 days left)
+```
+
+### Check Ldaps
+
+```txt
+./check_ssl ldap.example.com 636
+OK: ldap.example.com:636 - valid to Apr  6 00:44:42 2025 GMT (52 days left)
+```
--- a/docs/30_Shared_functions/inc_pluginfunctions.md
+++ b/docs/30_Shared_functions/inc_pluginfunctions.md
@@ -163,7 +163,7 @@ Return default value or its override from command line.
 Syntax:

 ```text
-ph.getFileAge VALUE PARAMNAME "$@"
+ph.getValueWithParam VALUE PARAMNAME "$@"
 ```

 Parameters:
@@ -176,8 +176,8 @@ Example:

 ```shell
 # set default / override from command line params
-typeset -i iWarnLimit=$(     ph.getValueWithParam 75 w "$@")
-typeset -i iCriticalLimit=$( ph.getValueWithParam 90 c "$@")
+typeset -i iWarnLimit;     iWarnLimit=$(     ph.getValueWithParam 70 w "$@")
+typeset -i iCriticalLimit; iCriticalLimit=$( ph.getValueWithParam 90 c "$@")
 ```

 This will set variable iWarnLimit based on CLI parameter -w [value] ... if it does not exist it gets the default 75.