// vim: set ft=icinga2 et sw=2 ts=2 si ai:

/*
 * Checks the validity of a custom CA certificate (like an Icinga or Puppet CA).
 *
 * Only a local certificate file is checked: no -H argument is defined here.
 * With the defaults set at the bottom of this object (-s, -A,
 * --ignore-maximum-validity, --allow-empty-san all enabled) the check is
 * effectively an expiry check; authority/chain problems are not reported.
 */
object CheckCommand "custom_ca_cert" {
  command = [ PluginContribDir + "/check_ssl_cert" ]

  arguments = {
    // NOTE(review): the description says -f works with "-H localhost" only,
    // but this command never passes -H. Confirm that the installed plugin
    // version accepts -f on its own.
    "-f" = {
      value = "$ssl_cert_file$"
      description = "Local file path (works with -H localhost only)"
    }
    "-s" = {
      set_if = "$ssl_cert_selfsigned$"
      description = "Allow self-signed certificate"
    }
    "-A" = {
      set_if = "$ssl_cert_noauth$"
      description = "Ignore authority warnings (expiration only)"
    }
    "--ignore-maximum-validity" = {
      set_if = "$ssl_cert_ignore_maximum_validity$"
      description = "Ignore the certificate maximum validity"
    }
    "--allow-empty-san" = {
      set_if = "$ssl_cert_allow_empty_san$"
      description = "Allow certificates without Subject Alternative Names (SANs)"
    }
    "-w" = {
      value = "$ssl_cert_warn$"
      description = "Minimum number of days a certificate has to be valid"
    }
    "-c" = {
      value = "$ssl_cert_critical$"
      description = "Minimum number of days a certificate has to be valid to issue a critical status"
    }
  }

  // Validation relaxations that are on by default for this command. A service
  // that needs stricter checking has to override them explicitly.
  vars.ssl_cert_selfsigned = true
  vars.ssl_cert_noauth = true
  vars.ssl_cert_ignore_maximum_validity = true
  vars.ssl_cert_allow_empty_san = true

  // Thresholds are in days of remaining validity: warning below 456 days,
  // critical below 396 days, i.e. both fire more than a year before expiry.
  vars.ssl_cert_warn = 456
  vars.ssl_cert_critical = 396
}

/*
 * Checks the certificate presented by a remote TLS service (or a local file)
 * with check_ssl_cert. Unlike "custom_ca_cert", none of the validation
 * relaxations (-A, -s, --ignore-*) is enabled by default; only the address
 * and port have defaults.
 */
object CheckCommand "custom_ssl_cert" {
  import "ipv4-or-ipv6"

  command = [ PluginContribDir + "/check_ssl_cert" ]

  arguments = {
    "-H" = {
      value = "$ssl_cert_address$"
      description = "The host's address"
      required = true
    }
    "-p" = {
      value = "$ssl_cert_port$"
      description = "TCP port number (default: 443)"
    }
    "-f" = {
      value = "$ssl_cert_file$"
      description = "Local file path (works with -H localhost only)"
    }
    "-w" = {
      value = "$ssl_cert_warn$"
      description = "Minimum number of days a certificate has to be valid"
    }
    "-c" = {
      value = "$ssl_cert_critical$"
      description = "Minimum number of days a certificate has to be valid to issue a critical status"
    }
    "-m" = {
      value = "$ssl_cert_cn$"
      description = "Pattern to match the CN of the certificate"
    }
    // NOTE(review): the description refers to "-n", while the CN pattern is
    // passed with "-m" in this file. Confirm which option name the installed
    // plugin version expects.
    "--altnames" = {
      set_if = "$ssl_cert_altnames$"
      description = "Matches the pattern specified in -n with alternate"
    }
    "-i" = {
      value = "$ssl_cert_issuer$"
      description = "Pattern to match the issuer of the certificate"
    }
    "-o" = {
      value = "$ssl_cert_org$"
      description = "Pattern to match the organization of the certificate"
    }
    "-e" = {
      value = "$ssl_cert_email$"
      description = "Pattern to match the email address contained in the certificate"
    }
    "-N" = {
      set_if = "$ssl_cert_match_host$"
      description = "Match CN with the host name"
    }
    "--serial" = {
      value = "$ssl_cert_serial$"
      description = "Pattern to match the serial number"
    }
    // -A and -s weaken validation (no authority check, self-signed accepted).
    // They are off unless a host or service sets the variable.
    "-A" = {
      set_if = "$ssl_cert_noauth$"
      description = "Ignore authority warnings (expiration only)"
    }
    "-s" = {
      set_if = "$ssl_cert_selfsigned$"
      description = "Allow self-signed certificate"
    }
    "--sni" = {
      value = "$ssl_cert_sni$"
      description = "Sets the TLS SNI (Server Name Indication) extension"
    }
    "-t" = {
      value = "$ssl_cert_timeout$"
      description = "Seconds before connection times out (default: 15)"
    }
    "-P" = {
      value = "$ssl_cert_protocol$"
      description = "Use the specific protocol {http|smtp|pop3|imap|ftp|xmpp|irc|ldap} (default: http)"
    }
    "--clientcert" = {
      value = "$ssl_cert_clientcert$"
      description = "Use client certificate to authenticate"
    }
    // The passphrase is handed to the plugin as a command-line argument, so
    // it is exposed wherever the command line is visible (process listing,
    // debug logs) and wherever ssl_cert_clientpass is stored. Prefer a
    // dedicated, low-privilege client certificate for monitoring.
    "--clientpass" = {
      value = "$ssl_cert_clientpass$"
      description = "Set passphrase for client certificate (for PKCS#12)"
    }
    "--clientkey" = {
      value = "$ssl_cert_clientkey$"
      description = "Use private key for client certificate to authenticate"
    }
    // NOTE(review): presumably this submits the checked host name to the
    // external SSL Labs service; confirm against the plugin documentation
    // before enabling it for internal-only hosts.
    "-L" = {
      value = "$ssl_cert_ssllabs$"
      description = "SSL Labs assestment"
    }
    "--ignore-ssl-labs-cache" = {
      set_if = "$ssl_cert_ssllabs_nocache$"
      description = "Forces a new check by SSL Labs"
    }
    // NOTE(review): the variable is named ssl_cert_rootssl_cert, which does
    // not follow the naming pattern of the other variables; hosts must set
    // exactly this name for -r to be passed.
    "-r" = {
      value = "$ssl_cert_rootssl_cert$"
      description = "Root certificate or directory to be used for certificate validation"
    }

    // Protocol selection: ssl_cert_ssl_version is compared against one exact
    // string per flag, so at most one of the following flags is set. No flag
    // for TLS 1.3 is defined in this command.
    // NOTE(review): ssl2, ssl3, tls1 and tls1_1 are legacy versions; whether
    // the local OpenSSL build still supports them is not visible from here.
    "--ssl2" = {
      set_if = {{ return macro("$ssl_cert_ssl_version$") == "ssl2" }}
    }
    "--ssl3" = {
      set_if = {{ return macro("$ssl_cert_ssl_version$") == "ssl3" }}
    }
    "--tls1" = {
      set_if = {{ return macro("$ssl_cert_ssl_version$") == "tls1" }}
    }
    "--tls1_1" = {
      set_if = {{ return macro("$ssl_cert_ssl_version$") == "tls1_1" }}
    }
    "--tls1_2" = {
      set_if = {{ return macro("$ssl_cert_ssl_version$") == "tls1_2" }}
    }

    // Protocol exclusion: ssl_cert_disable_ssl_versions may hold a single
    // string or an array. A string is wrapped into a one-element array before
    // the `in` membership test, so several versions can be disabled at once
    // by passing an array.
    "--no_ssl2" = {
      set_if = {{
        var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
        if (typeof(disable_versions) == String) {
          disable_versions = [ disable_versions ]
        }
        return "ssl2" in disable_versions
      }}
    }
    "--no_ssl3" = {
      set_if = {{
        var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
        if (typeof(disable_versions) == String) {
          disable_versions = [ disable_versions ]
        }
        return "ssl3" in disable_versions
      }}
    }
    "--no_tls1" = {
      set_if = {{
        var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
        if (typeof(disable_versions) == String) {
          disable_versions = [ disable_versions ]
        }
        return "tls1" in disable_versions
      }}
    }
    "--no_tls1_1" = {
      set_if = {{
        var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
        if (typeof(disable_versions) == String) {
          disable_versions = [ disable_versions ]
        }
        return "tls1_1" in disable_versions
      }}
    }
    "--no_tls1_2" = {
      set_if = {{
        var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
        if (typeof(disable_versions) == String) {
          disable_versions = [ disable_versions ]
        }
        return "tls1_2" in disable_versions
      }}
    }

    // Key-type selection: ssl_cert_cipher is a single value, so --ecdsa and
    // --rsa are mutually exclusive.
    "--ecdsa" = {
      set_if = {{ return macro("$ssl_cert_cipher$") == "ecdsa" }}
      description = "Cipher selection: force ECDSA authentication"
    }
    "--rsa" = {
      set_if = {{ return macro("$ssl_cert_cipher$") == "rsa" }}
      description = "Cipher selection: force RSA authentication"
    }

    // Each of the following switches off one validation step (signature
    // algorithm, expiry, OCSP revocation, SCT). None has a default in this
    // object, so the checks stay active unless a host or service opts out.
    "--ignore-sig-alg" = {
      set_if = "$ssl_cert_ignore_signature$"
      description = "Do not check if the certificate was signed with SHA1 od MD5"
    }
    "--ignore-exp" = {
      set_if = "$ssl_cert_ignore_expiration$"
      description = "Ignore expiration date"
    }
    "--ignore-ocsp" = {
      set_if = "$ssl_cert_ignore_ocsp$"
      description = "Do not check revocation with OCSP"
    }
    "--ignore-sct" = {
      set_if = "$ssl_cert_ignore_sct$"
      description = "Do not check for signed certificate timestamps"
    }
  }

  // check_address is not defined in this object; presumably it is provided
  // by the imported "ipv4-or-ipv6" template.
  vars.ssl_cert_address = "$check_address$"
  vars.ssl_cert_port = 443
}

/*
 * Local command to check whether the current kernel is the latest installed
 * kernel.
 *
 * The plugin is taken from LocalPluginDir, a constant that is not defined in
 * this file and has to be set elsewhere in the configuration.
 */
object CheckCommand "kernel_status" {
  command = [ LocalPluginDir + "/check_kernel_status" ]
}

/*
 * Checks a local PostgreSQL database. You need to grant the given user
 * (normally nagios, which is what Icinga is running as) privileges to connect
 * to the specified database (or 'template1') and optionally execute the
 * specified query.
 *
 * No host or password argument is defined here.
 * NOTE(review): presumably the plugin then connects over the local Unix
 * socket and authentication is left to pg_hba.conf; confirm on the target
 * host. Grant the monitoring role no more than the connect and query
 * privileges mentioned above.
 */
object CheckCommand "pgsql_socket" {
  command = [ PluginDir + "/check_pgsql" ]

  arguments = {
    "-d" = {
      value = "$pgsql_database$"
      description = "Database to check (default: template1)"
    }
    "-l" = {
      value = "$pgsql_username$"
      description = "Login name of user"
    }
    "-o" = {
      value = "$pgsql_options$"
      description = "Connection parameters (keyword = value), see below"
    }
    "-w" = {
      value = "$pgsql_warning$"
      description = "Response time to result in warning status (seconds)"
    }
    "-c" = {
      value = "$pgsql_critical$"
      description = "Response time to result in critical status (seconds)"
    }
    "-t" = {
      value = "$pgsql_timeout$"
      description = "Seconds before connection times out (default: 10)"
    }
    // The SQL text comes straight from the pgsql_query custom variable, so
    // whoever can set that variable chooses the statement that runs as
    // pgsql_username. Keep that role's privileges minimal.
    "-q" = {
      value = "$pgsql_query$"
      description = "SQL query to run. Only first column in first row will be read"
    }
    "-W" = {
      value = "$pgsql_query_warning$"
      description = "SQL query value to result in warning status (double)"
    }
    "-C" = {
      value = "$pgsql_query_critical$"
      description = "SQL query value to result in critical status (double)"
    }
  }

  vars.pgsql_username = "nagios"
}

/*
 * Runs check_systemd from PluginContribDir without any arguments.
 */
object CheckCommand "custom_systemd" {
  command = [ PluginContribDir + "/check_systemd" ]
}