From 1e2387474a449452b78520b9ad96a8b4b5e99722 Mon Sep 17 00:00:00 2001 From: Harald Pfeiffer Date: Wed, 17 Apr 2019 19:07:19 +0200 Subject: initial commit of source fetch --- .../dsa/checks/dsa-check-soas | 218 +++++++++++++++++++++ 1 file changed, 218 insertions(+) create mode 100644 nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-soas (limited to 'nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-soas') diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-soas b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-soas new file mode 100644 index 0000000..eb28d8c --- /dev/null +++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-soas @@ -0,0 +1,218 @@ +#!/usr/bin/ruby + +# Copyright 2006, 2012, 2014 Peter Palfrader +# 2012 Uli Martens +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + +# the each_resource function is lifted from ruby 1.9.1's resolv.rb, with the +# minor modification that we do not unconditionally set the message's RD flag +# to 1. Its license is: +# +# Copyright (C) 1993-2010 Yukihiro Matsumoto. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + + +require 'ipaddr' +require 'resolv' +require 'optparse' +require 'yaml' + +NAGIOS_STATUS = { :OK => 0, :WARNING => 1, :CRITICAL => 2, :UNKNOWN => -1 }; +@verbose = 0; +@additional_nameservers = [] +@check_soa_nameservers = true; + +def show_help(parser, code=0, io=STDOUT) + program_name = File.basename($0, '.*') + io.puts "Usage: #{program_name} [options] [ ...]" + io.puts parser.summarize + exit(code) +end +ARGV.options do |opts| + opts.on_tail("-h", "--help" , "Display this help screen") { show_help(opts) } + opts.on("-v", "--verbose" , String, "Be verbose") { @verbose += 1 } + opts.on("-a", "--add=HOST" , String, "Also check SOA on ") { |val| @additional_nameservers << val } + opts.on("-n", "--no-soa-ns" , String, "Don't query SOA record for list of nameservers") { @check_soa_nameservers = false } + opts.parse! +end +show_help(ARGV.options, 1, STDERR) if ARGV.length == 0 + +if @additional_nameservers.count <= 1 and not @check_soa_nameservers + program_name = File.basename($0, '.*') + STDERR.puts "#{program_name}: Only know about #{@additional_nameservers.count} nameserver(s) and --no-soa-ns specified. I want at least two." + exit(1) +end + +class DSADNS < Resolv::DNS + attr_reader :rd + attr_writer :rd + + def initialize(*args) + super + @rd = 1 + end + + def each_resource(name, typeclass, &proc) + lazy_initialize + requester = make_udp_requester + senders = {} + begin + @config.resolv(name) {|candidate, tout, nameserver, port| + msg = Message.new + msg.rd = @rd + msg.add_question(candidate, typeclass) + unless sender = senders[[candidate, nameserver, port]] + sender = senders[[candidate, nameserver, port]] = + requester.sender(msg, candidate, nameserver, port) + end + reply, reply_name = requester.request(sender, tout) + case reply.rcode + when RCode::NoError + if reply.tc == 1 and not Requester::TCP === requester + requester.close + # Retry via TCP: + requester = make_tcp_requester(nameserver, port) + senders = {} + # This will use TCP for all remaining candidates (assuming the + # current candidate does not already respond successfully via + # TCP). This makes sense because we already know the full + # response will not fit in an untruncated UDP packet. + redo + else + extract_resources(reply, reply_name, typeclass, &proc) + end + return + when RCode::NXDomain + raise Config::NXDomain.new(reply_name.to_s) + else + raise Config::OtherResolvError.new(reply_name.to_s) + end + } + ensure + requester.close + end + end +end + +warnings = [] +oks = [] + +def resolve_ns(dns, domain, nameserver) + puts "Getting A record for nameserver #{nameserver} for #{domain}" if @verbose > 0 + arecords = dns.getresources(nameserver, Resolv::DNS::Resource::IN::A) + warnings << "Nameserver #{nameserver} for #{domain} has #{arecords.length} A records" if arecords.length != 1 + addresses = arecords.map { |a| a.address.to_s } + puts "Addresses for nameserver #{nameserver} for #{domain}: #{addresses.join(', ')}" if @verbose > 0 + return addresses +end + +dns = Resolv::DNS.new +ARGV.each{ |domain| + serial = {} + nameserver_addresses = {} + if @check_soa_nameservers + nameservers = dns.getresources(domain, Resolv::DNS::Resource::IN::NS) + nameservernames = nameservers.collect{ |ns| ns.name.to_s } + nameservernames.each do |nameserver| + addrs = resolve_ns(dns, domain, nameserver) + warnings << "Duplicate nameserver #{nameserver} for #{domain}" if nameserver_addresses[nameserver] + nameserver_addresses[nameserver] = addrs + end + end + @additional_nameservers.each do |ns| + begin + ipa = IPAddr.new(ns) # check if it's an address + addrs = [ns] + rescue ArgumentError + addrs = resolve_ns(dns, domain, ns) + end + warnings << "Duplicate nameserver #{ns} for #{domain}" if nameserver_addresses[ns] + nameserver_addresses[ns] = addrs + end + + nameserver_addresses.each_pair do |nameserver, addrs| + puts "Testing nameserver #{nameserver} for #{domain}" if @verbose > 0 + addrs.each do |a| + puts " Nameserver #{nameserver} is at #{a}" if @verbose > 0 + begin + resolver = DSADNS.new({:nameserver => a}) + resolver.rd = 0 + soas = resolver.getresources(domain, Resolv::DNS::Resource::IN::SOA) + rescue SystemCallError => e + warnings << "Could not resolve #{domain} on #{nameserver}: #{e.message}" + else + resolver.close + warnings << "Nameserver #{nameserver} for #{domain} returns #{soas.length} SOAs" if soas.length != 1 + soas.each do |soa| + puts " Nameserver #{nameserver} returns serial #{soa.serial} for #{domain}" if @verbose > 0 + sn = soa.serial.to_i + if serial.has_key? sn then + serial[sn] << nameserver + else + serial[sn] = [nameserver] + end + end + end + end + end + case serial.keys.length + when 0 + warnings << "Found no serials for #{domain}" + when 1 + oks << "#{domain} is at #{serial.keys.first}" + else + text = [] + serial.keys.sort.each do |sn| + text << "#{sn} (#{serial[sn].join(', ')})" + end + warnings << "Nameservers disagree on serials for #{domain}: found #{text.join(', ')}" + end +} +dns.close + +if warnings.length > 0 + puts warnings.join('; ') + exit NAGIOS_STATUS[:WARNING] +else + puts oks.join('; ') + exit NAGIOS_STATUS[:OK] +end -- cgit v1.2.3