Add kernel and certificate checks

10 months ago · 9abf259773
parent 1c2e40578e
commit 9abf259773
3 changed files with 94 additions and 0 deletions
--- a/global-templates/commands.conf
+++ b/global-templates/commands.conf
@ -1,5 +1,58 @@
 // vim: set ft=icinga2 et sw=2 ts=2 si ai:

+/*
+* Checks the validity of a custom CA certificate (like a Icinga or Puppet CA).
+*/
+object CheckCommand "custom_ca_cert" {
+  command = [ PluginContribDir + "/check_ssl_cert" ]
+
+  arguments = [
+    "-f" = {
+      value = "$ssl_cert_file$"
+      description = "Local file path (works with -H localhost only)"
+    }
+    "-s" = {
+      set_if = "$ssl_cert_selfsigned$"
+      description = "Allow self-signed certificate"
+    }
+    "-A" = {
+      set_if = "$ssl_cert_noauth$"
+      description = "Ignore authority warnings (expiration only)"
+    }
+    "--ignore-maximum-validity" = {
+      set_if = "$ssl_cert_ignore_maximum_validity$"
+      description = "Ignore the certificate maximum validity"
+    }
+    "--allow-empty-san" = {
+      set_if = "$ssl_allow_empty_san$"
+      description = "Allow certificates without Subject Alternative Names (SANs)"
+    }
+    "-w" = {
+      value = "$ssl_cert_warn$"
+      description = "Minimum number of days a certificate has to be valid"
+    }
+    "-c" = {
+      value = "$ssl_cert_critical$"
+      description = "Minimum number of days a certificate has to be valid to issue a critical status"
+    }
+  ]
+
+  vars.ssl_cert_selfsigned = true
+  vars.ssl_cert_noauth = true
+  vars.ssl_cert_ignore_maximum_validity = true
+  vars.ssl_cert_allow_empty_san = true
+  vars.ssl_cert_warn = 90
+  vars.ssl_cert_critical = 30
+}
+
+/*
+* Local command to check whether the current kernel is the latest installed
+* kernel.
+*/
+object CheckCommand "kernel_status" {
+  command = [ LocalPluginDir + "/check_kernel_status" ]
+}
+
 /*
 * Checks a local PostgreSQL database. You need to grant the given user
 * (normally nagios, which is what Icinga is running as) privileges to connect
--- a/global-templates/services.conf
+++ b/global-templates/services.conf
@ -12,6 +12,26 @@ apply Service "apt" {
  assign where host.vars.osfamily == "Debian"
 }

+apply Service "certificate " for (name => config in host.vars.x509_certs) {
+  import "generic-service"
+
+  check_command = "check_ssl_cert"
+  check_interval = 6h
+  retry_interval = 15m
+
+  vars += config
+}
+
+apply Service "ca-certificate " for (name => config in host.vars.ca_certs) {
+  import "generic-service"
+
+  check_command = "custom_ca_cert"
+  check_interval = 1d
+  retry_interval = 6h
+
+  vars += config
+}
+
 apply Service "disk " for (disk => config in host.vars.disks) {
  import "generic-service"

@ -36,6 +56,14 @@ apply Service "icinga" {
  assign where host.name == NodeName
 }

+apply Service "kernel-status" {
+  import "generic-service"
+
+  check_command = "kernel_status"
+
+  assign where !host.vars.is_container
+}
+
 apply Service "load" {
  import "generic-service"

--- a/master/hosts.conf
+++ b/master/hosts.conf
@ -8,6 +8,8 @@ object Host "beholder" {
  address = "127.0.0.1"
  address6 = "::1"

+  vars.is_container = false
+
  vars.disks["/"] = {
    disk_partitions = "/"
  }
@ -111,4 +113,15 @@ object Host "beholder" {
    pgsql_database = "icingadb"
    pgsql_query = "SELECT COUNT(*) FROM host"
  }
+
+  vars.x509_certs["monitoring client"] = {
+    ssl_cert_address = "localhost"
+    ssl_cert_file = "/etc/ssl/public/beholder-client.crt.pem"
+    ssl_cert_ignore_sct = true
+    ssl_cert_warn = 30
+  }
+
+  vars.ca_certs["Icinga"] = {
+    ssl_cert_file = "/var/lib/icinga2/ca/ca.crt"
+  }
 }