icinga-zones/global-templates/commands.conf

// vim: set ft=icinga2 et sw=2 ts=2 si ai:

/*
* Checks the validity of a custom CA certificate (like a Icinga or Puppet CA).
*/
object CheckCommand "custom_ca_cert" {
  command = [ PluginContribDir + "/check_ssl_cert" ]

  arguments = {
    "-f" = {
      value = "$ssl_cert_file$"
      description = "Local file path (works with -H localhost only)"
    }
    "-s" = {
      set_if = "$ssl_cert_selfsigned$"
      description = "Allow self-signed certificate"
    }
    "-A" = {
      set_if = "$ssl_cert_noauth$"
      description = "Ignore authority warnings (expiration only)"
    }
    "--ignore-maximum-validity" = {
      set_if = "$ssl_cert_ignore_maximum_validity$"
      description = "Ignore the certificate maximum validity"
    }
    "--allow-empty-san" = {
      set_if = "$ssl_cert_allow_empty_san$"
      description = "Allow certificates without Subject Alternative Names (SANs)"
    }
    "-w" = {
      value = "$ssl_cert_warn$"
      description = "Minimum number of days a certificate has to be valid"
    }
    "-c" = {
      value = "$ssl_cert_critical$"
      description = "Minimum number of days a certificate has to be valid to issue a critical status"
    }
  }

  vars.ssl_cert_selfsigned = true
  vars.ssl_cert_noauth = true
  vars.ssl_cert_ignore_maximum_validity = true
  vars.ssl_cert_allow_empty_san = true
  vars.ssl_cert_warn = 456
  vars.ssl_cert_critical = 396
}

object CheckCommand "custom_ssl_cert" {
  import "ipv4-or-ipv6"

  command = [ PluginContribDir + "/check_ssl_cert" ]

  arguments = {
    "-H" = {
      value = "$ssl_cert_address$"
      description = "The host's address"
      required = true
    }
    "-p" = {
      value = "$ssl_cert_port$"
      description = "TCP port number (default: 443)"
    }
    "-f" = {
      value = "$ssl_cert_file$"
      description = "Local file path (works with -H localhost only)"
    }
    "-w" = {
      value = "$ssl_cert_warn$"
      description = "Minimum number of days a certificate has to be valid"
    }
    "-c" = {
      value = "$ssl_cert_critical$"
      description = "Minimum number of days a certificate has to be valid to issue a critical status"
    }
    "-m" = {
      value = "$ssl_cert_cn$"
      description = "Pattern to match the CN of the certificate"
    }
    "--altnames" = {
      set_if = "$ssl_cert_altnames$"
      description = "Matches the pattern specified in -n with alternate"
    }
    "-i" = {
      value = "$ssl_cert_issuer$"
      description = "Pattern to match the issuer of the certificate"
    }
    "-o" = {
      value = "$ssl_cert_org$"
      description = "Pattern to match the organization of the certificate"
    }
    "-e" = {
      value = "$ssl_cert_email$"
      description = "Pattern to match the email address contained in the certificate"
    }
    "-N" = {
      set_if = "$ssl_cert_match_host$"
      description = "Match CN with the host name"
    }
    "--serial" = {
      value = "$ssl_cert_serial$"
      description = "Pattern to match the serial number"
    }
    "-A" = {
      set_if = "$ssl_cert_noauth$"
      description = "Ignore authority warnings (expiration only)"
    }
    "-s" = {
      set_if = "$ssl_cert_selfsigned$"
      description = "Allow self-signed certificate"
    }
    "--sni" = {
      value = "$ssl_cert_sni$"
      description = "Sets the TLS SNI (Server Name Indication) extension"
    }
    "-t" = {
      value = "$ssl_cert_timeout$"
      description = "Seconds before connection times out (default: 15)"
    }
    "-P" = {
      value = "$ssl_cert_protocol$"
      description = "Use the specific protocol {http|smtp|pop3|imap|ftp|xmpp|irc|ldap} (default: http)"
    }
    "--clientcert" = {
      value = "$ssl_cert_clientcert$"
      description = "Use client certificate to authenticate"
    }
    "--clientpass" = {
      value = "$ssl_cert_clientpass$"
      description = "Set passphrase for client certificate (for PKCS#12)"
    }
    "--clientkey" = {
      value = "$ssl_cert_clientkey$"
      description = "Use private key for client certificate to authenticate"
    }
    "-L" = {
      value = "$ssl_cert_ssllabs$"
      description = "SSL Labs assestment"
    }
    "--ignore-ssl-labs-cache" = {
      set_if = "$ssl_cert_ssllabs_nocache$"
      description = "Forces a new check by SSL Labs"
    }
    "-r" = {
      value = "$ssl_cert_rootssl_cert$"
      description = "Root certificate or directory to be used for certificate validation"
    }
    "--ssl2" = {
      set_if = {{
        return macro("$ssl_cert_ssl_version$") == "ssl2"
      }}
    }
    "--ssl3" = {
      set_if = {{
        return macro("$ssl_cert_ssl_version$") == "ssl3"
      }}
    }
    "--tls1" = {
      set_if = {{
        return macro("$ssl_cert_ssl_version$") == "tls1"
      }}
    }
    "--tls1_1" = {
      set_if = {{
        return macro("$ssl_cert_ssl_version$") == "tls1_1"
      }}
    }
    "--tls1_2" = {
      set_if = {{
        return macro("$ssl_cert_ssl_version$") == "tls1_2"
      }}
    }
    "--no_ssl2" = {
      set_if = {{
        var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
        if (typeof(disable_versions) == String) {
          disable_versions = [ disable_versions ]
        }
        return "ssl2" in disable_versions
      }}
    }
    "--no_ssl3" = {
      set_if = {{
        var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
        if (typeof(disable_versions) == String) {
          disable_versions = [ disable_versions ]
        }
        return "ssl3" in disable_versions
      }}
    }
    "--no_tls1" = {
      set_if = {{
        var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
        if (typeof(disable_versions) == String) {
          disable_versions = [ disable_versions ]
        }
        return "tls1" in disable_versions
      }}
    }
    "--no_tls1_1" = {
      set_if = {{
        var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
        if (typeof(disable_versions) == String) {
          disable_versions = [ disable_versions ]
        }
        return "tls1_1" in disable_versions
      }}
    }
    "--no_tls1_2" = {
      set_if = {{
        var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
        if (typeof(disable_versions) == String) {
          disable_versions = [ disable_versions ]
        }
        return "tls1_2" in disable_versions
      }}
    }
    "--ecdsa" = {
      set_if = {{
        return macro("$ssl_cert_cipher$") == "ecdsa"
      }}
      description = "Cipher selection: force ECDSA authentication"
    }
    "--rsa" = {
      set_if = {{
        return macro("$ssl_cert_cipher$") == "rsa"
      }}
      description = "Cipher selection: force RSA authentication"
    }
    "--ignore-sig-alg" = {
      set_if = "$ssl_cert_ignore_signature$"
      description = "Do not check if the certificate was signed with SHA1 od MD5"
    }
    "--ignore-exp" = {
      set_if = "$ssl_cert_ignore_expiration$"
      description = "Ignore expiration date"
    }
    "--ignore-ocsp" = {
      set_if = "$ssl_cert_ignore_ocsp$"
      description = "Do not check revocation with OCSP"
    }
    "--ignore-sct" = {
      set_if = "$ssl_cert_ignore_sct$"
      description = "Do not check for signed certificate timestamps"
    }
  }

  vars.ssl_cert_address = "$check_address$"
  vars.ssl_cert_port = 443
}

/*
* Local command to check whether the current kernel is the latest installed
* kernel.
*/
object CheckCommand "kernel_status" {
  command = [ LocalPluginDir + "/check_kernel_status" ]
}

/*
* Checks a local PostgreSQL database. You need to grant the given user
* (normally nagios, which is what Icinga is running as) privileges to connect
* the specified database (or 'template1') and optionally execute the specified
* query.
*/
object CheckCommand "pgsql_socket" {
  command = [ PluginDir + "/check_pgsql" ]

  arguments = {
    "-d" = {
      value = "$pgsql_database$"
      description = "Database to check (default: template1)"
    }
    "-l" = {
      value = "$pgsql_username$"
      description = "Login name of user"
    }
    "-o" = {
      value = "$pgsql_options$"
      description = "Connection parameters (keyword = value), see below"
    }
    "-w" = {
      value = "$pgsql_warning$"
      description = "Response time to result in warning status (seconds)"
    }
    "-c" = {
      value = "$pgsql_critical$"
      description = "Response time to result in critical status (seconds)"
    }
    "-t" = {
      value = "$pgsql_timeout$"
      description = "Seconds before connection times out (default: 10)"
    }
    "-q" = {
      value = "$pgsql_query$"
      description = "SQL query to run. Only first column in first row will be read"
    }
    "-W" = {
      value = "$pgsql_query_warning$"
      description = "SQL query value to result in warning status (double)"
    }
    "-C" = {
      value = "$pgsql_query_critical$"
      description = "SQL query value to result in critical status (double)"
    }
  }

  vars.pgsql_username = "nagios"
}

object CheckCommand "custom_systemd" {
  command = [ PluginContribDir + "/check_systemd" ]
}