From 1e2387474a449452b78520b9ad96a8b4b5e99722 Mon Sep 17 00:00:00 2001 From: Harald Pfeiffer Date: Wed, 17 Apr 2019 19:07:19 +0200 Subject: initial commit of source fetch --- .../dsa/Makefile | 23 ++ .../dsa/checks/dsa-check-cert-expire | 77 +++++ .../dsa/checks/dsa-check-cert-expire-dir | 90 +++++ .../dsa/checks/dsa-check-dnssec-delegation | 301 +++++++++++++++++ .../dsa/checks/dsa-check-entropy | 82 +++++ .../dsa/checks/dsa-check-packages | 362 +++++++++++++++++++++ .../dsa/checks/dsa-check-running-kernel | 255 +++++++++++++++ .../dsa/checks/dsa-check-soas | 218 +++++++++++++ .../dsa/checks/dsa-check-statusfile | 90 +++++ .../dsa/control | 20 ++ .../dsa/copyright | 33 ++ .../dsa/etc/obsolete-packages-ignore | 4 + .../dsa/sbin/dsa-update-apt-status | 100 ++++++ .../dsa/sbin/dsa-update-unowned-file-status | 53 +++ .../dsa/update-files.sh | 13 + 15 files changed, 1721 insertions(+) create mode 100644 nagios-plugins-contrib-24.20190301~bpo9+1/dsa/Makefile create mode 100644 nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-cert-expire create mode 100644 nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-cert-expire-dir create mode 100644 nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-dnssec-delegation create mode 100644 nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-entropy create mode 100644 nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-packages create mode 100644 nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-running-kernel create mode 100644 nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-soas create mode 100644 nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-statusfile create mode 100644 nagios-plugins-contrib-24.20190301~bpo9+1/dsa/control create mode 100644 nagios-plugins-contrib-24.20190301~bpo9+1/dsa/copyright create mode 100644 nagios-plugins-contrib-24.20190301~bpo9+1/dsa/etc/obsolete-packages-ignore create mode 100755 nagios-plugins-contrib-24.20190301~bpo9+1/dsa/sbin/dsa-update-apt-status create mode 100755 nagios-plugins-contrib-24.20190301~bpo9+1/dsa/sbin/dsa-update-unowned-file-status create mode 100755 nagios-plugins-contrib-24.20190301~bpo9+1/dsa/update-files.sh (limited to 'nagios-plugins-contrib-24.20190301~bpo9+1/dsa') diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/Makefile b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/Makefile new file mode 100644 index 0000000..18c87c2 --- /dev/null +++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/Makefile @@ -0,0 +1,23 @@ +#!/usr/bin/make -f + +PLUGIN:=$(shell cd checks; ls -1 | sed 's,^dsa-,,;s,-,_,g') +CRONJOBS:=$(shell cd sbin; ls -1 | sed 's,^dsa-,,') +INIFILES:=etc/obsolete-packages-ignore +DOCFILES:=$(wildcard *.cmd) + +check_%: + cp checks/dsa-`echo $@ | sed 's,_,-,g'` $@ + chmod 755 $@ + +update-%-status: + cp sbin/dsa-$@ $@ + chmod 755 $@ + +CLEANFILES=$(PLUGIN) $(CRONJOBS) + + +include ../common.mk + +install:: + install -d $(DESTDIR)$(INIDIR)/obsolete-packages-ignore.d + diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-cert-expire b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-cert-expire new file mode 100644 index 0000000..98a04a2 --- /dev/null +++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-cert-expire @@ -0,0 +1,77 @@ +#!/bin/sh + +# Checks if a given cert on disk will expire soon + +# Copyright 2009 Peter Palfrader +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +set -u +set -e + +# warn if expires within 2 weeks, critical if within a day or already is expired +warn=1209600 +crit=86400 + +usage() { + echo "Usage: $0 [-w seconds] [-c seconds] " >&2 + exit 3 +} + + +OPTS=`getopt -o w:c: -n "$0" -- "$@"` || usage + +eval set -- "$OPTS" + +while :; do + case "$1" in + -w) warn=$2; shift 2 ;; + -c) crit=$2; shift 2 ;; + --) shift; break; ;; + *) usage ;; + esac +done +if test "$crit" -gt "$warn"; then + warn=$crit +fi + +if [ "$#" != 1 ]; then + usage +fi + +cert="$1" + +if ! [ -r "$cert" ] ; then + echo "Cert file ($cert) does not exist or is not readable" >&2 + exit 3 +fi + +expires=`openssl x509 -enddate -noout < "$cert"` + +if openssl x509 -checkend "$warn" -noout < "$cert" ; then + echo "OK: $expires" + exit 0 +fi +if openssl x509 -checkend "$crit" -noout < "$cert" ; then + echo "WARN: $expires" + exit 1 +fi +echo "CRITICAL: $expires" +exit 2 diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-cert-expire-dir b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-cert-expire-dir new file mode 100644 index 0000000..2c8eaa1 --- /dev/null +++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-cert-expire-dir @@ -0,0 +1,90 @@ +#!/bin/bash + +# Checks if any of the *.crt files in a directory on disk will expire soon + +# Copyright 2009,2016 Peter Palfrader +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + +sn="$0" +if [ "${sn%/*}" = "$sn" ]; then + CERT_CHECK=dsa-check-cert-expire +else + CERT_CHECK="${sn%/*}/dsa-check-cert-expire" +fi + +if [ "$#" != 1 ] ; then + echo >&2 "Usage: $0 " + exit 1 +fi + +DIR="$1" + +if ! [ -d "$DIR" ]; then + echo "Not a directory: $DIR" + exit 1 +fi + +OK="" +WARN="" +CRIT="" +UNKNOWN="" +cOK=0 +cWARN=0 +cCRIT=0 +cUNKNOWN=0 + +t=$(tempfile) +trap "rm -f '$t'" EXIT + +for i in "$DIR"/*.crt; do + d="${i%.crt}" + d="${d##*/}" + echo -n "$d: " >> "$t" + "$CERT_CHECK" "$i" >> "$t" 2>&1 + rc=$? + if [ "$rc" = 0 ]; then + OK="$OK $d" + cOK=$(( cOK + 1 )) + elif [ "$rc" = 1 ]; then + WARN="$WARN $d" + cWARN=$(( cWARN + 1 )) + elif [ "$rc" = 2 ]; then + CRIT="$CRIT $d" + cCRIT=$(( cCRIT + 1 )) + else + UNKNOWN="$UNKNOWN $d" + cUNKNOWN=$(( cUNKNOWN + 1 )) + fi +done + +if [ -n "$CRIT" ]; then rc=2; +elif [ -n "$WARN" ]; then rc=1; +elif [ -n "$UNKNOWN" ]; then rc=3; +else rc=0; +fi + +[ -n "$CRIT" ] && echo "CRITICAL ($cCRIT):$CRIT, " +[ -n "$WARN" ] && echo "WARN ($cWARN):$WARN, " +[ -n "$UNKNOWN" ] && echo "UNKNOWN ($cUNKNOWN):$UNKNOWN, " +[ -n "$OK" ] && echo "OK ($cOK):$OK." +cat "$t" +exit $rc diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-dnssec-delegation b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-dnssec-delegation new file mode 100644 index 0000000..65b48b0 --- /dev/null +++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-dnssec-delegation @@ -0,0 +1,301 @@ +#!/usr/bin/perl + +# Copyright (c) 2010, 2014, 2015, 2017 Peter Palfrader +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +use strict; +use warnings; +use English; +use Net::DNS::Resolver; +use Getopt::Long; +use File::Basename; + +# taken from Array::Utils +# http://cpansearch.perl.org/src/ZMIJ/Array-Utils-0.5/Utils.pm +# This module is Copyright (c) 2007 Sergei A. Fedorov. +# You may distribute under the terms of either the GNU General Public +# License or the Artistic License, as specified in the Perl README file. +# +sub intersect(\@\@) { + my %e = map { $_ => undef } @{$_[0]}; + return grep { exists( $e{$_} ) } @{$_[1]}; +} +sub array_diff(\@\@) { + my %e = map { $_ => undef } @{$_[1]}; + return @{[ ( grep { (exists $e{$_}) ? ( delete $e{$_} ) : ( 1 ) } @{ $_[0] } ), keys %e ] }; +} +sub array_minus(\@\@) { + my %e = map{ $_ => undef } @{$_[1]}; + return grep( ! exists( $e{$_} ), @{$_[0]} ); +} + + +$SIG{'__DIE__'} = sub { print @_; exit 4; }; + +my $RES = Net::DNS::Resolver->new; +my $DLV = 'dlv.isc.org'; +my $params; + +sub get_tag_generic { + my $zone = shift; + my $type = shift; + my %options = @_; + + my @result; + my @zsks; + print "Querying $type $zone\n" if $params->{'verbose'}; + my $pkt = $RES->send($zone, $type); + return () unless $pkt; + return () unless $pkt->answer; + for my $rr ($pkt->answer) { + next unless ($rr->type eq $type); + next unless (lc($rr->name) eq lc($zone)); + + my $tag = $options{'pretty'} ? sprintf("%5d(%d)", $rr->keytag, $rr->algorithm) : $rr->keytag; + + if ($type eq 'DNSKEY' && ($rr->{'flags'} & (1<<(15-8)))) { + # key is revoked + next; + } + + # for now only handle KSKs, i.e. keys with the SEP flag set + if ($type eq 'DNSKEY' && !($rr->sep)) { + push @zsks, $tag; + next; + } + + push @result, $tag; + }; + if ($type eq 'DNSKEY' && (scalar @result) == 0) { + # use remaining keys if no keys with the SEP bit are present + @result = @zsks; + } + my %unique = (); + @result = sort {$a cmp $b} grep {!$unique{$_}++} @result; + return @result +}; + +sub get_dnskeytags { + my $zone = shift; + my %options = @_; + return get_tag_generic($zone, 'DNSKEY', %options); +}; +sub get_dstags { + my $zone = shift; + my %options = @_; + return get_tag_generic($zone, 'DS', %options); +}; +sub get_dlvtags { + my $zone = shift; + my %options = @_; + $zone .= ".".$DLV; + return get_tag_generic($zone, 'DLV', %options); +}; +sub has_dnskey_parent { + my $zone = shift; + + my $potential_parent; + if ($zone =~ m/\./) { + $potential_parent = $zone; + $potential_parent =~ s/^[^.]+\.//; + } else { + $potential_parent = '.'; + } + + print "Querying DNSKEY $potential_parent\n" if $params->{'verbose'}; + my $pkt = $RES->send($potential_parent, 'DNSKEY'); + return undef unless $pkt; + return undef unless $pkt->header; + + unless ($pkt->answer) { + return undef unless $pkt->authority; + for my $rr ($pkt->authority) { + next unless ($rr->type eq 'SOA'); + + $potential_parent = $rr->name; + print "Querying DNSKEY $potential_parent\n" if $params->{'verbose'}; + $pkt = $RES->send($potential_parent, 'DNSKEY'); + return undef unless $pkt; + last; + }; + }; + + return (0, $potential_parent) unless $pkt->answer; + for my $rr ($pkt->answer) { + next unless ($rr->type eq 'DNSKEY'); + return (1, $potential_parent); + }; +} +sub get_parent_dnssec_status { + my $zone = shift; + my @result; + + while (1) { + my ($status, $parent) = has_dnskey_parent($zone); + last unless defined $status; + push @result, ($status ? "yes" : "no") . ("($parent)"); + $zone = $parent; + last if $zone eq "" || $zone eq '.'; + }; + + return join(', ', @result); +}; + +sub usage { + my $fd = shift; + my $exit = shift; + + print $fd "Usage: $PROGRAM_NAME [--dir ] overview|check-dlv|check-ds|check-header zone [zone...]\n"; + print $fd " $PROGRAM_NAME --dir overview|check-dlv|check-ds|check-header\n"; + print $fd " $PROGRAM_NAME --help\n"; + exit $exit; +} + +sub what_to_check { + my $zone = shift; + my $zonefile = shift; + + my $do_dlv = 0; + my $do_ds = 0; + + open(F, "<", $zonefile) or die ("Cannot open zonefile $zonefile for $zone: $!\n"); + while () { + if (/^[#;]\s*dlv-submit\s*=\s*yes\s*$/) { $do_dlv = 1; } + if (/^[#;]\s*ds-in-parent\s*=\s*yes\s*$/) { $do_ds = 1; } + } + close(F); + + return { 'dlv' => $do_dlv, + 'ds' => $do_ds }; +} +sub diff_spec { + my $a = shift; + my $b = shift; + + my @elems = intersect(@$a, @$b); + push @elems, map { '-'.$_ } array_minus(@$a, @$b); + push @elems, map { '+'.$_ } array_minus(@$b, @$a); + return join(',', @elems); +} + +Getopt::Long::config('bundling'); +GetOptions ( + '--help' => \$params->{'help'}, + '--dir=s@' => \$params->{'dir'}, + '--dlv=s' => \$params->{'dlv'}, + '--verbose' => \$params->{'verbose'}, +) or usage(\*STDERR, 1); +usage(\*STDOUT, 0) if ($params->{'help'}); + +my $mode = shift @ARGV; +usage(\*STDOUT, 0) unless (defined $mode && $mode =~ /^(overview|check-dlv|check-ds|check-header)$/); +die ("check-header needs --dir") if ($mode eq 'check-header' && !defined $params->{'dir'}); + +my %zones; +if (scalar @ARGV) { + if (defined $params->{'dir'} && $mode ne 'check-header') { + warn "--dir option ignored" + } + %zones = map { $_ => $_} @ARGV; +} else { + my $dirs = $params->{'dir'}; + usage(\*STDOUT, 0) unless (defined $dirs); + + for my $dir (@$dirs) { + chdir $dir or die "chdir $dir failed? $!\n"; + opendir DIR, '.' or die ("Cannot opendir $dir\n"); + for my $file (readdir DIR) { + next if ( -l "$file" ); + next unless ( -f "$file" ); + next if $file =~ /^(dsset|keyset)-/; + + my $zone = $file; + if ($file =~ /\.zone$/) { # it's one of our yaml things + $zone = basename($file, '.zone'); + }; + $zones{$zone} = "$dir/$file"; + } + closedir(DIR); + }; +}; + +$DLV = $params->{'dlv'} if $params->{'dlv'}; + + +if ($mode eq 'overview') { + my %data; + for my $zone (keys %zones) { + $data{$zone} = { 'dnskey' => join(', ', get_dnskeytags($zone, pretty=>1)), + 'ds' => join(', ', get_dstags($zone, pretty=>1)), + 'dlv' => join(', ', get_dlvtags($zone, pretty=>1)), + 'parent_dnssec' => get_parent_dnssec_status($zone) }; + } + + my $format = "%60s %-20s %-15s %-3s %-10s\n"; + printf $format, "zone", "DNSKEY", "DS\@parent", "DLV", "dnssec\@parent"; + printf $format, "-"x 60, "-"x 20, "-"x 15, "-"x 3, "-"x 10; + for my $zone (sort {$a cmp $b} keys %data) { + printf $format, $zone, + $data{$zone}->{'dnskey'}, + $data{$zone}->{'ds'}, + $data{$zone}->{'dlv'}, + $data{$zone}->{'parent_dnssec'}; + } + exit(0); +} elsif ($mode eq 'check-dlv' || $mode eq 'check-ds' || $mode eq 'check-header') { + my @to_check; + push @to_check, 'dlv' if $mode eq 'check-header' || $mode eq 'check-dlv'; + push @to_check, 'ds' if $mode eq 'check-header' || $mode eq 'check-ds'; + + my @warn; + my @ok; + for my $zone (sort {$a cmp $b} keys %zones) { + my $require = { map { $_ => 1 } @to_check }; + if ($mode eq 'check-header') { + $require = what_to_check($zone, $zones{$zone}) + } + + my @dnskey = get_dnskeytags($zone); + for my $thiskey (@to_check) { + my @target = $thiskey eq 'ds' ? get_dstags($zone) : get_dlvtags($zone); + + my $spec = diff_spec(\@target, \@dnskey); + # if the intersection between DS and KEY is empty, + # or if there are DS records for keys we do not have, that's an issue. + if (intersect(@dnskey, @target) == 0 || array_minus(@target, @dnskey)) { + if ($require->{$thiskey} || scalar @target > 0) { + push @warn, "$zone ($spec)"; + } + } else { + if ($require->{$thiskey}) { + push @ok, "$zone ($spec)"; + } + }; + } + } + print "WARNING: ", join(", ", @warn), "\n" if (scalar @warn); + print "OK: ", join(", ", @ok), "\n" if (scalar @ok); + exit (1) if (scalar @warn); + exit (0); +} else { + die ("Invalid mode '$mode'\n"); +}; + diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-entropy b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-entropy new file mode 100644 index 0000000..ddf1d92 --- /dev/null +++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-entropy @@ -0,0 +1,82 @@ +#!/usr/bin/python + +# Copyright 2011 Peter Palfrader +# Copyright 2014 Hendrik Koehler +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +import sys +import os +import time +import optparse + +AVAIL = '/proc/sys/kernel/random/entropy_avail' + +parser = optparse.OptionParser() +parser.add_option("-r", "--retries", dest="retries", metavar="NUM", + type="int", default=10, + help="Max number of retries [10].") +parser.add_option("-s", "--sleep", dest="sleep", metavar="MSECS", + type="int", default=250, + help="Amount of time to wait between reads [250msec].") +parser.add_option("-w", "--watermark", dest="watermark", metavar="BYTES", + type="int", default=800, + help="Minimum number of expected bytes in the entropy pool [800].") +(options, args) = parser.parse_args() + +if len(args) != 0: + parser.print_help() + sys.exit(4) + +if not os.path.exists(AVAIL): + print "File %s does not exist."%(AVAIL) + sys.exit(4) + +tries = 0 +values = [] +while tries <= options.retries: + f = open('/proc/sys/kernel/random/entropy_avail') + avail = f.readline().rstrip() + if len(avail) == 0: + print "Could not read anything from %s"%(AVAIL) + sys.exit(4) + try: + avail = int(avail) + except ValueError: + print "Did not read a number from %s, got '%s' instead"%(AVAIL, avail) + sys.exit(4) + + if avail >= options.watermark: + if tries > 0: + print "OK: %d bytes in the pool after %d attempts.|entropy=%d bytes"%(avail, tries, avail) + else: + print "OK: %d bytes in the pool.|entropy=%d bytes"%(avail, avail) + sys.exit(0) + + values.append(avail) + time.sleep(1.0 * options.sleep / 1000) + tries += 1 + +print "WARNING: Too little entropy in the pool (min: %d, max: %d in %d reads)|entropy=%d bytes"%(min(values), max(values), tries-1, avail) +sys.exit(1) + +# vim:set et: +# vim:set ts=4: +# vim:set shiftwidth=4: diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-packages b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-packages new file mode 100644 index 0000000..28844e5 --- /dev/null +++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-packages @@ -0,0 +1,362 @@ +#!/usr/bin/perl + +# dsa-check-packages + +# checks for obsolete/local and upgradeable packages. +# +# packages for the obsolete/local check can be ignored, by +# listing their full name in /etc/nagios/obsolete-packages-ignore +# or by having a regex (starting a line with "/") that matches +# the packagename in said file. +# +# Takes one optional argument, the location of the ignore file. + + +# Copyright (C) 2008, 2009 Peter Palfrader +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +use strict; +use warnings; +use English; + +my $IGNORE = "/etc/nagios/obsolete-packages-ignore"; +my $IGNORED = "/etc/nagios/obsolete-packages-ignore.d"; + +my %CODE = ( + 'OK' => 0, + 'WARNING' => 1, + 'CRITICAL' => 2, + 'UNKNOWN' => 3 +); +my $EXITCODE = 'OK'; +sub record($) { + my ($newexit) = @_; + die "code $newexit not defined\n" unless defined $CODE{$newexit}; + + if ($CODE{$newexit} > $CODE{$EXITCODE}) { + $EXITCODE = $newexit; + }; +} + + + +sub get_packages { + $ENV{'COLUMNS'} = 1000; + $ENV{'LC_ALL'} = 'C'; + open(F, "dpkg -l|") or die ("Cannot run dpkg: $!\n"); + my @lines = ; + close(F); + chomp(@lines); + + my $line; + my $has_arch = 0; + while (defined($line = shift @lines) && ($line !~ /\+\+\+/)) { + if ($line =~ /Architecture/) { $has_arch = 1; } + } + + my %pkgs; + for $line (@lines) { + my ($state, $pkg, $version, $arch, undef) = split(/ */, $line); + $arch = '' unless $has_arch; + $pkgs{$state}{$pkg} = { 'installed' => $version, arch => $arch } + } + + my $installed = $pkgs{'ii'}; + delete $pkgs{'ii'}; + + my @installed_packages = keys(%$installed); + my @cmd = ("apt-cache", "policy", @installed_packages); + + open my $olderr, ">&STDERR" or die "Can't dup STDERR: $!"; + open STDERR, ">/dev/null" or die "Can't dup STDOUT: $!"; + open (F, "-|", @cmd) or die ("Cannot run apt-cache policy: $!\n"); + @lines = ; + close(F); + open STDERR, ">&", $olderr or die "Can't dup OLDERR: $!"; + chomp(@lines); + + my $pkgname = undef; + my $candidate_found = 0; + while (defined($line = shift @lines)) { + if ($line =~ /^([^ ]*):$/) { + # when we have multi-arch capable fu, we require that + # apt-cache policy output is in the same order as its + # arguments. + # + # We needs thi, because the output block in apt-cache + # policy does not show the arch: + # + # | weasel@stanley:~$ apt-cache policy libedit2:amd64 + # | libedit2: + # | Installed: 2.11-20080614-5 + # | Candidate: 2.11-20080614-5 + # + # We replace the package name in the output with the + # one we asked for ($pkg:$arch) - but to match this up + # sanely we need the order to be correct. + # + # For squeeze systems (no m-a), apt-cache policy output + # is all different. + $pkgname = $1; + $candidate_found = 0; + if ($has_arch) { + my $from_list = shift @installed_packages; + next if ($pkgname eq $from_list); # no :$arch in pkgname we asked for + + my $ma_fix_pkgname = $pkgname.':'.$installed->{$from_list}->{'arch'}; + my $ma_fix_from_list = $from_list.':'.$installed->{$from_list}->{'arch'}; + + if ($pkgname eq $ma_fix_from_list || # e.g. ia32-libs-i386. dpkg -l: ia32-libs-i386, apt-cache policy: ia32-libs-i386:i386 + $ma_fix_pkgname eq $from_list) { + $pkgname = $from_list; + } else { + die "Unexpected order mismatch in apt-cache policy output (apt-cache policy name: $pkgname - dpkg -l name: $from_list)\n"; + } + } + } elsif ($line =~ /^ +Installed: (.*)$/) { + # etch dpkg -l does not print epochs, so use this info, it's better + $installed->{$pkgname}{'installed'} = $1; + # initialize security-update + $installed->{$pkgname}{'security-update'} = 0; + } elsif ($line =~ /^ +Candidate: (.*)$/) { + $installed->{$pkgname}{'candidate'} = $1; + } elsif ($line =~ / ([^ ]+) [0-9]+/) { + # check if the next lines show the sources of our candidate + if ($1 eq $installed->{$pkgname}{'candidate'}) { + $candidate_found = 1; + } + } elsif (($line =~ / +[0-9]+ [^ ]+\/(security\.([^ ]+\.)?debian\.org|debian-security).*\/updates\//) && $candidate_found ) { + $installed->{$pkgname}{'security-update'} = 1; + } elsif ($line =~ /^ +\*\*\*/) { + $line = shift @lines; + my @l = split(/ +/, $line); + $installed->{$pkgname}{'origin'} = $l[2]; + $candidate_found = 0; + } + } + + my (%current, %obsolete, %outofdate, %security_outofdate); + for my $pkgname (keys %$installed) { + my $pkg = $installed->{$pkgname}; + + unless (defined($pkg->{'candidate'}) && defined($pkg->{'origin'})) { + $obsolete{$pkgname} = $pkg; + next; + } + + if ($pkg->{'candidate'} ne $pkg->{'installed'}) { + if ($pkg->{'security-update'}) { + $security_outofdate{$pkgname} = $pkg; + } else { + $outofdate{$pkgname} = $pkg; + } + next; + }; + if ($pkg->{'origin'} eq '/var/lib/dpkg/status') { + $obsolete{$pkgname} = $pkg; + next; + } + $current{$pkgname} = $pkg; + } + + $pkgs{'current'} = \%current; + $pkgs{'outofdate'} = \%outofdate; + $pkgs{'security_outofdate'} = \%security_outofdate; + $pkgs{'obsolete'} = \%obsolete; + return \%pkgs; +} + +sub load_ignores { + my ($ignorefiles, $require_file) = @_; + + my @ignores; + + for my $ignoreitem (@$ignorefiles) { + next if (!$require_file and ! -e $ignoreitem); + + my @filestoopen; + if (-d $ignoreitem) { + opendir(DIR, $ignoreitem) or die ("Cannot open dir $ignoreitem: $!\n"); + @filestoopen = readdir(DIR); + closedir(DIR); + + @filestoopen = grep { -f ($ignoreitem.'/'.$_) } @filestoopen; + @filestoopen = grep { /^([a-z0-9_.-]+)+[a-z0-9]+$/i } @filestoopen; + @filestoopen = grep { !/dpkg-(old|dist|new|tmp)$/ } @filestoopen; + @filestoopen = map { ($ignoreitem.'/'.$_) } @filestoopen; + } else { + push @filestoopen, $ignoreitem; + } + + for my $f (@filestoopen) { + open (F, "< $f") or die ("Cannot open $f: $!\n"); + push @ignores, ; + close F; + } + } + chomp(@ignores); + return \@ignores; +} + +sub check_ignore { + my ($pkg, $ignores) = @_; + + my $ignore_this = 0; + for my $ignore (@$ignores) { + my $ig = $ignore; + return 1 if ($ig eq $pkg); + if (substr($ig,0,1) eq '/') { + substr($ig, 0, 1, ''); + $ig =~ s,/$,,; + return 1 if ($pkg =~ /$ig/); + } + } + return 0 +} + +sub filter_ignored { + my ($packages, $ignores) = @_; + + my $obs = $packages->{'obsolete'}; + + my (%ignored, %bad); + for my $pkg (keys %$obs) { + if (check_ignore($pkg, $ignores)) { + $ignored{$pkg} = $obs->{$pkg}; + } else { + $bad{$pkg} = $obs->{$pkg}; + }; + } + delete $packages->{'obsolete'}; + $packages->{'obsolete'} = \%bad; + $packages->{'obsolete-ignored'} = \%ignored; +}; + +sub usage { + my ($fd, $exit) = @_; + print $fd "Usage: $PROGRAM_NAME [ [ ...]]\n"; + exit $exit; +} + +my $ignorefiles = [$IGNORE, $IGNORED]; +my $ignorefile_userset = 0; +if (@ARGV >= 1) { + usage(\*STDOUT, 0) if ($ARGV[0] eq "-h"); + usage(\*STDOUT, 0) if ($ARGV[0] eq "--help"); + $ignorefile_userset = 1; + $ignorefiles = \@ARGV; +}; + +my $ignores = load_ignores($ignorefiles, $ignorefile_userset); +my $packages = get_packages(); + +filter_ignored($packages, $ignores); + + + +my @reportform = ( + { 'key' => 'obsolete', + 'listpackages' => 1, + 'long' => "%d local or obsolete packages: %s", + 'short' => "%d obs/loc", + 'perf' => "obs_loc=%d;1;5;0", + 'status' => 'WARNING' }, + { 'key' => 'outofdate', + 'listpackages' => 1, + 'long' => "%d out of date packages: %s", + 'short' => "%d updates", + 'perf' => "outdated=%d;1;5;0", + 'status' => 'WARNING' }, + { 'key' => 'current', + 'listpackages' => 0, + 'long' => "%d packages current.", + 'short' => "%d ok", + 'perf' => "current=%d;;;0", + 'status' => 'OK' }, + { 'key' => 'obsolete-ignored', + 'listpackages' => 1, + 'long' => "%d whitelisted local or obsolete packages: %s", + 'short' => "%d obs/loc(ignored)", + 'perf' => "obs_ign=%d;;;0", + 'status' => 'OK' }, + { 'key' => 'rc', + 'listpackages' => 1, + 'long' => "%d packages removed but not purged: %s", + 'short' => "%d rc", + 'perf' => "rm_unprg=%d;;;0", + 'status' => 'OK' }, + { 'key' => 'hi', + 'listpackages' => 1, + 'long' => "%d packages on hold: %s", + 'short' => "%d hi", + 'perf' => "hold=%d;;;0", + 'status' => 'OK' }, + { 'key' => 'pc', + 'listpackages' => 1, + 'long' => "%d packages requested to be purged but conffiles still installed: %s", + 'short' => "%d pc", + 'perf' => "prg_conf=%d;1;;0", + 'status' => 'WARNING' }, + { 'key' => 'security_outofdate', + 'listpackages' => 1, + 'long' => "%d packages with outstanding security updates: %s", + 'short' => "%d security-updates", + 'perf' => "security_outdated=%d;;1;0", + 'status' => 'CRITICAL' }, + ); + +my @longout; +my @perfout; +my @shortout; +for my $form (@reportform) { + my $pkgs = $packages->{$form->{'key'}}; + delete $packages->{$form->{'key'}}; + my $num = scalar keys %$pkgs; + push @perfout, sprintf($form->{'perf'}, $num); + next unless ($num > 0); + if ($form->{'listpackages'}) { + my $list = join(", ", keys %$pkgs); + push @longout, sprintf($form->{'long'}, $num, $list); + } else { + push @longout, sprintf($form->{'long'}, $num); + }; + push @shortout, sprintf($form->{'short'}, $num); + record($form->{'status'}); +}; +if (scalar keys %$packages) { + record('WARNING'); + unshift @shortout, "unk: ".join(", ", keys %$packages); + for my $status (sort {$b cmp $a} keys %$packages) { + my $pkgs = $packages->{$status}; + my $list = join(", ", keys %$pkgs); + unshift @longout, "Unknown package status $status: $list"; + }; +} + +my $shortout = $EXITCODE.": ".join(", ", @shortout); +my $longout = join("\n", @longout); +my $perfout = "|".join(" ", @perfout); + +print $shortout,"\n"; +print $longout,"\n"; +print $perfout,"\n"; + +exit $CODE{$EXITCODE}; diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-running-kernel b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-running-kernel new file mode 100644 index 0000000..467c219 --- /dev/null +++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-running-kernel @@ -0,0 +1,255 @@ +#!/bin/bash + +# Check if the running kernel has the same version string as the on-disk +# kernel image. + +# Copyright 2008,2009,2011,2012,2013,2014 Peter Palfrader +# Copyright 2009 Stephen Gran +# Copyright 2010,2012,2013 Uli Martens +# Copyright 2011 Alexander Reichle-Schmehl +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +OK=0; +WARNING=1; +CRITICAL=2; +UNKNOWN=3; + +get_offset() { + local file needle + + file="$1" + needle="$2" + + perl -e ' + undef $/; + $i = 0; $k=<>; + while (($i = index($k, "'"$needle"'", $i)) >= 0) { + print $i++,"\n"; + }; ' < "$file" +} + +get_avail() { + # This is wrong, but leaves room for when we have to care for machines running + # myfirstunix-image-0.1-dsa-arm + local prefix="$1"; shift + + local kervers=$(uname -r) + + local metavers='' + + # DSA uses kernel versions of the form 2.6.29.3-dsa-dl380-oldxeon, where + # Debian uses versions of the form 2.6.29-2-amd64 + if [ "${kervers#2}" != "$kervers" ]; then + if [ "${kervers//dsa}" != "$kervers" ]; then + metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+([\.0-9]+?)-(.*)/2.\1-\3/') + else + metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+-[A-Za-z0-9\.]+-(.*)/2.\1-\2/') + fi + else + metavers=$(echo $kervers | sed -r -e 's/^[0-9]+\.[0-9]+(\.[0-9])?+-[A-Za-z0-9\.]+-(.*)/\2/') + fi + + # Attempt to track back to a metapackage failed. bail + if [ "$metavers" = "$kervers" ]; then + return 2 + fi + + # We're just going to give up if we can't find a matching metapackage + # I tried being strict once, and it just caused a lot of headaches. We'll see how + # being lax does for us + + local output=$(apt-cache policy ${prefix}-image-${metavers} 2>/dev/null) + local metaavailvers=$(echo "$output" | grep '^ Candidate:' | awk '{print $2}') + local metainstavers=$(echo "$output" | grep '^ Installed:' | awk '{print $2}') + + if [ -z "$metaavailvers" ] || [ "$metaavailvers" = '(none)' ]; then + return 2 + fi + if [ -z "$metainstavers" ] || [ "$metainstavers" = '(none)' ]; then + return 2 + fi + + if [ "$metaavailvers" != "$metainstavers" ] ; then + echo "${prefix}-image-${metavers} $metaavailvers available but $metainstavers installed" + return 1 + fi + + local imagename=0 + # --no-all-versions show shows only the candidate + for vers in $(apt-cache --no-all-versions show ${prefix}-image-${metavers} | sed -n 's/^Depends: //p' | tr ',' '\n' | tr -d ' ' | grep ${prefix}-image | awk '{print $1}' | sort -u); do + if dpkg --compare-versions "1.$vers" gt "1.$imagename"; then + imagename=$vers + fi + done + + if [ -z "$imagename" ] || [ "$imagename" = 0 ]; then + return 2 + fi + + if [ "$imagename" != "${prefix}-image-${kervers}" ]; then + if dpkg --compare-versions 1."$imagename" lt 1."${prefix}-image-${kervers}"; then + return 2 + fi + echo "$imagename" != "${prefix}-image-${kervers}" + return 1 + fi + + local availvrs=$(apt-cache policy ${imagename} 2>/dev/null | grep '^ Candidate' | awk '{print $2}') + local kernelversion + for kernelversion in $(apt-cache policy ${prefix}-image-${kervers} ${prefix}-image-${kervers}-unsigned 2>/dev/null | grep '^ Installed:' | awk '{print $2}' | grep -F -v '(none)' ); do + if [ "$availvrs" = "$kernelversion" ]; then + return 0 + fi + done + + echo "$kernelversion != $availvrs" + return 1 +} + +cat_vmlinux() { + local image header filter hdroff + + image="$1" + header="$2" + filter="$3" + hdroff="$4" + + get_offset "$image" $header | head -n 5 | while read off; do + (if [ "$off" != 0 ]; then + dd ibs="$((off+hdroff))" skip=1 count=0 + fi && + dd bs=512k) < "$image" 2>/dev/null | $filter 2>/dev/null + done +} + +get_image_linux() { + local image + + image="$1" + + # gzip compressed image + cat_vmlinux "$image" "\x1f\x8b\x08\x00" "zcat" 0 + cat_vmlinux "$image" "\x1f\x8b\x08\x08" "zcat" 0 + # lzma compressed image + cat_vmlinux "$image" "\x00\x00\x00\x02\xff" "xzcat" -1 + cat_vmlinux "$image" "\x00\x00\x00\x04\xff" "xzcat" -1 + # xz compressed image + cat_vmlinux "$image" "\xfd\x37\x7a\x58\x5a " "xzcat" 0 + + echo "ERROR: Unable to extract kernel image." 2>&1 + exit 1 +} + + +freebsd_check_running_version() { + local imagefile="$1"; shift + + local r="$(uname -r)" + local v="$(uname -v| sed -e 's/^#[0-9]*/&:/')" + + local q='@(#)FreeBSD '"$r $v" + + if zcat "$imagefile" | $STRINGS | grep -F -q "$q"; then + echo "OK" + else + echo "not OK" + fi +} + +STRINGS=""; +if [ -x "$(which strings)" ]; then + STRINGS="$(which strings)" +elif [ -x "$(which busybox)" -a "$( echo foobar | $(which busybox) strings 2>/dev/null)" = "foobar" ]; then + STRINGS="$(which busybox) strings" +fi + +searched="" +for on_disk in \ + "/boot/vmlinuz-`uname -r`"\ + "/boot/vmlinux-`uname -r`"\ + "/boot/kfreebsd-`uname -r`.gz"; do + + if [ -e "$on_disk" ]; then + if [ -z "$STRINGS" ]; then + echo "UNKNOWN: 'strings' command missing, perhaps install binutils or busybox?" + exit $UNKNOWN + fi + if [ "${on_disk/vmlinu}" != "$on_disk" ]; then + on_disk_version="`get_image_linux "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`" + if [ -x /usr/bin/lsb_release ] ; then + vendor=$(lsb_release -i -s) + if [ -n "$vendor" ] && [ "xDebian" != "x$vendor" ] ; then + on_disk_version=$( echo $on_disk_version|sed -e "s/ ($vendor [[:alnum:]\.-]\+ [[:alnum:]\.]\+)//") + fi + fi + [ -z "$on_disk_version" ] || break + on_disk_version="`cat "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`" + [ -z "$on_disk_version" ] || break + + echo "UNKNOWN: Failed to get a version string from image $on_disk" + exit $UNKNOWN + else + on_disk_version="$(zcat $on_disk | $STRINGS | grep Debian | head -n 1 | sed -e 's/Debian [[:alnum:]]\+ (\(.*\))/\1/')" + fi + fi + searched="$searched $on_disk" +done + +if ! [ -e "$on_disk" ]; then + echo "WARNING: Did not find a kernel image (checked$searched) - I have no idea which kernel I am running" + exit $WARNING +fi + +if [ "$(uname -s)" = "Linux" ]; then + running_version="`cat /proc/version`" + if [ -z "$running_version" ] ; then + echo "UNKNOWN: Failed to get a version string from running system" + exit $UNKNOWN + fi + + if [ "$running_version" != "$on_disk_version" ]; then + echo "WARNING: Running kernel does not match on-disk kernel image: [$running_version != $on_disk_version]" + exit $WARNING + fi + + ret="$(get_avail linux)" + if [ $? = 1 ]; then + echo "WARNING: Kernel needs upgrade [$ret]" + exit $WARNING + fi +else + image_current=$(freebsd_check_running_version $on_disk) + running_version="`uname -s` `uname -r` `uname -v`" + if [ "$image_current" != "OK" ]; then + approx_time="$(date -d "@`stat -c '%Y' "$on_disk"`" +"%Y-%m-%d %H:%M:%S")" + echo "WARNING: Currently running kernel ($running_version) does not match on disk image (~ $approx_time)" + exit $WARNING; + fi + + ret="$(get_avail linux)" + if [ $? = 1 ]; then + echo "WARNING: Kernel needs upgrade [$ret]" + exit $WARNING + fi +fi + +echo "OK: Running kernel matches on disk image: [$running_version]" +exit $OK diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-soas b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-soas new file mode 100644 index 0000000..eb28d8c --- /dev/null +++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-soas @@ -0,0 +1,218 @@ +#!/usr/bin/ruby + +# Copyright 2006, 2012, 2014 Peter Palfrader +# 2012 Uli Martens +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + +# the each_resource function is lifted from ruby 1.9.1's resolv.rb, with the +# minor modification that we do not unconditionally set the message's RD flag +# to 1. Its license is: +# +# Copyright (C) 1993-2010 Yukihiro Matsumoto. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + + +require 'ipaddr' +require 'resolv' +require 'optparse' +require 'yaml' + +NAGIOS_STATUS = { :OK => 0, :WARNING => 1, :CRITICAL => 2, :UNKNOWN => -1 }; +@verbose = 0; +@additional_nameservers = [] +@check_soa_nameservers = true; + +def show_help(parser, code=0, io=STDOUT) + program_name = File.basename($0, '.*') + io.puts "Usage: #{program_name} [options] [ ...]" + io.puts parser.summarize + exit(code) +end +ARGV.options do |opts| + opts.on_tail("-h", "--help" , "Display this help screen") { show_help(opts) } + opts.on("-v", "--verbose" , String, "Be verbose") { @verbose += 1 } + opts.on("-a", "--add=HOST" , String, "Also check SOA on ") { |val| @additional_nameservers << val } + opts.on("-n", "--no-soa-ns" , String, "Don't query SOA record for list of nameservers") { @check_soa_nameservers = false } + opts.parse! +end +show_help(ARGV.options, 1, STDERR) if ARGV.length == 0 + +if @additional_nameservers.count <= 1 and not @check_soa_nameservers + program_name = File.basename($0, '.*') + STDERR.puts "#{program_name}: Only know about #{@additional_nameservers.count} nameserver(s) and --no-soa-ns specified. I want at least two." + exit(1) +end + +class DSADNS < Resolv::DNS + attr_reader :rd + attr_writer :rd + + def initialize(*args) + super + @rd = 1 + end + + def each_resource(name, typeclass, &proc) + lazy_initialize + requester = make_udp_requester + senders = {} + begin + @config.resolv(name) {|candidate, tout, nameserver, port| + msg = Message.new + msg.rd = @rd + msg.add_question(candidate, typeclass) + unless sender = senders[[candidate, nameserver, port]] + sender = senders[[candidate, nameserver, port]] = + requester.sender(msg, candidate, nameserver, port) + end + reply, reply_name = requester.request(sender, tout) + case reply.rcode + when RCode::NoError + if reply.tc == 1 and not Requester::TCP === requester + requester.close + # Retry via TCP: + requester = make_tcp_requester(nameserver, port) + senders = {} + # This will use TCP for all remaining candidates (assuming the + # current candidate does not already respond successfully via + # TCP). This makes sense because we already know the full + # response will not fit in an untruncated UDP packet. + redo + else + extract_resources(reply, reply_name, typeclass, &proc) + end + return + when RCode::NXDomain + raise Config::NXDomain.new(reply_name.to_s) + else + raise Config::OtherResolvError.new(reply_name.to_s) + end + } + ensure + requester.close + end + end +end + +warnings = [] +oks = [] + +def resolve_ns(dns, domain, nameserver) + puts "Getting A record for nameserver #{nameserver} for #{domain}" if @verbose > 0 + arecords = dns.getresources(nameserver, Resolv::DNS::Resource::IN::A) + warnings << "Nameserver #{nameserver} for #{domain} has #{arecords.length} A records" if arecords.length != 1 + addresses = arecords.map { |a| a.address.to_s } + puts "Addresses for nameserver #{nameserver} for #{domain}: #{addresses.join(', ')}" if @verbose > 0 + return addresses +end + +dns = Resolv::DNS.new +ARGV.each{ |domain| + serial = {} + nameserver_addresses = {} + if @check_soa_nameservers + nameservers = dns.getresources(domain, Resolv::DNS::Resource::IN::NS) + nameservernames = nameservers.collect{ |ns| ns.name.to_s } + nameservernames.each do |nameserver| + addrs = resolve_ns(dns, domain, nameserver) + warnings << "Duplicate nameserver #{nameserver} for #{domain}" if nameserver_addresses[nameserver] + nameserver_addresses[nameserver] = addrs + end + end + @additional_nameservers.each do |ns| + begin + ipa = IPAddr.new(ns) # check if it's an address + addrs = [ns] + rescue ArgumentError + addrs = resolve_ns(dns, domain, ns) + end + warnings << "Duplicate nameserver #{ns} for #{domain}" if nameserver_addresses[ns] + nameserver_addresses[ns] = addrs + end + + nameserver_addresses.each_pair do |nameserver, addrs| + puts "Testing nameserver #{nameserver} for #{domain}" if @verbose > 0 + addrs.each do |a| + puts " Nameserver #{nameserver} is at #{a}" if @verbose > 0 + begin + resolver = DSADNS.new({:nameserver => a}) + resolver.rd = 0 + soas = resolver.getresources(domain, Resolv::DNS::Resource::IN::SOA) + rescue SystemCallError => e + warnings << "Could not resolve #{domain} on #{nameserver}: #{e.message}" + else + resolver.close + warnings << "Nameserver #{nameserver} for #{domain} returns #{soas.length} SOAs" if soas.length != 1 + soas.each do |soa| + puts " Nameserver #{nameserver} returns serial #{soa.serial} for #{domain}" if @verbose > 0 + sn = soa.serial.to_i + if serial.has_key? sn then + serial[sn] << nameserver + else + serial[sn] = [nameserver] + end + end + end + end + end + case serial.keys.length + when 0 + warnings << "Found no serials for #{domain}" + when 1 + oks << "#{domain} is at #{serial.keys.first}" + else + text = [] + serial.keys.sort.each do |sn| + text << "#{sn} (#{serial[sn].join(', ')})" + end + warnings << "Nameservers disagree on serials for #{domain}: found #{text.join(', ')}" + end +} +dns.close + +if warnings.length > 0 + puts warnings.join('; ') + exit NAGIOS_STATUS[:WARNING] +else + puts oks.join('; ') + exit NAGIOS_STATUS[:OK] +end diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-statusfile b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-statusfile new file mode 100644 index 0000000..4654731 --- /dev/null +++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-statusfile @@ -0,0 +1,90 @@ +#!/usr/bin/python + +# Relay the status of a check that was previously run and which stored +# its result in a file to nagios. +# +# Copyright 2008, 2012 Peter Palfrader +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +import optparse +import os +import re +import sys +import time + +NAGIOS_STATUS = { "OK": 0, "WARNING": 1, "CRITICAL": 2, "UNKNOWN": 3 } +UNITS_TO_SECONDS = { 's': 1, 'm': 60, 'h': 60*60, 'd': 24*60*60 } + +parser = optparse.OptionParser() +parser.set_usage("%prog [options] ") +parser.add_option("-a", "--age", dest="age", metavar="AGE", + type="string", default="26h", + help="maximum age, in seconds (or use Nm, Nh or Nd) - default is 26h.") +(options, args) = parser.parse_args() + +if len(args) != 1: + parser.print_help(file=sys.stderr) + sys.exit(1) + +statusfile = args[0] + +# find out what the max age is that we accept +m = re.match('([0-9]+)([smhd])?$', options.age) +if not m: + print >> sys.stderr, "Invalid age %s"%(options.age) + parser.print_help(file=sys.stderr) + sys.exit(1) +(count, unit) = m.groups() +if unit is None: unit = 's' +max_age = int(count) * UNITS_TO_SECONDS[unit] + +# let's see if it exists +if not os.path.exists(statusfile): + print "UNKNOWN: %s does not exist."%(statusfile) + sys.exit(NAGIOS_STATUS['UNKNOWN']) + + +mtime = os.path.getmtime(statusfile) +if mtime + max_age < time.time(): + print "WARNING: %s is old: %.1f hours."%(statusfile, (time.time() - mtime)/3600) + sys.exit(NAGIOS_STATUS['WARNING']) + +status = open(statusfile, "r") +returnvalue = status.readline().strip() + +if not returnvalue in NAGIOS_STATUS: + print "UNKNOWN: %s has invalid return value: %s."%(statusfile, returnvalue) + sys.exit(NAGIOS_STATUS['UNKNOWN']) + +linecnt = 0 +for line in status: + print line, + linecnt += 1 + +if linecnt == 0: + print "Found no output. Something is probably wrong" + sys.exit(NAGIOS_STATUS['UNKNOWN']) + +sys.exit(NAGIOS_STATUS[returnvalue]) + +# vim:set et: +# vim:set ts=4: +# vim:set shiftwidth=4: diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/control b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/control new file mode 100644 index 0000000..ae028ba --- /dev/null +++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/control @@ -0,0 +1,20 @@ +Homepage: https://salsa.debian.org/dsa-team/mirror/dsa-nagios +Uploaders: Bernd Zeimetz +Description: plugins from the Debian System Administrators + nagios plugins repository. + * check_cert_expire: check for certificate expiration + using openssl on the certificate file + * check_cert_expire_dir: checks if any of the *.crt files in + a directory on disk will expire soon + * check_dnssec_delegation: check for correct DNSSEC + delegation + * check_entropy: check if there is enough entropy available. + * check_packages: replacement for check_apt; needs a cronjob + to update the apt database regularly + * check_running_kernel: check if a system was rebooted after + a kernel upgrade + * check_soas: check SOA records + * check_statusfile: deliver the content of a status file + as check result +Recommends: ruby | ruby-interpreter, openssl, libnet-dns-perl, binutils +Version: 2300473 diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/copyright b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/copyright new file mode 100644 index 0000000..6006f7a --- /dev/null +++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/copyright @@ -0,0 +1,33 @@ +checks/dsa-check-cert-expire:# Copyright 2009 Peter Palfrader +checks/dsa-check-cert-expire-dir:# Copyright 2009,2016 Peter Palfrader +checks/dsa-check-dnssec-delegation:# Copyright (c) 2010, 2014, 2015 Peter Palfrader +checks/dsa-check-entropy:# Copyright 2011 Peter Palfrader, Copyright 2014 Hendrik Koehler +checks/dsa-check-soas:# Copyright 2006, 2012 Peter Palfrader +checks/dsa-check-packages:# Copyright (C) 2008, 2009 Peter Palfrader +checks/dsa-check-statusfile:# Copyright 2008, 2012 Peter Palfrader +checks/dsa-check-running-kernel:# Copyright 2008,2009,2011 Peter Palfrader +checks/dsa-check-running-kernel:# Copyright 2009 Stephen Gran +checks/dsa-check-running-kernel:# Copyright 2010 Uli Martens +checks/dsa-check-running-kernel:# Copyright 2011 Alexander Reichle-Schmehl +sbin/dsa-update-apt-status:# Copyright 2009 Peter Palfrader +sbin/dsa-update-unowned-file-status:# Copyright 2012 Peter Palfrader + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/etc/obsolete-packages-ignore b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/etc/obsolete-packages-ignore new file mode 100644 index 0000000..7dd79e5 --- /dev/null +++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/etc/obsolete-packages-ignore @@ -0,0 +1,4 @@ +/linux-image-.*/ +/kernel-image-.*/ +buildd +sbuild diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/sbin/dsa-update-apt-status b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/sbin/dsa-update-apt-status new file mode 100755 index 0000000..c506fea --- /dev/null +++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/sbin/dsa-update-apt-status @@ -0,0 +1,100 @@ +#!/bin/bash + +# Copyright 2009 Peter Palfrader +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +UPDATE_RUNS=3 +STATUSDIR=/var/cache/dsa/nagios +STATUS="${STATUSDIR}"/apt +SLEEP_MAX=$(( 15 * 60 )) +MAX_AGE=$(( 23 * 60 * 60 )) + +# we want to run if any of the following things is true +# - we have never run before +# - var/lib/dpkg/status has been touched since the last run +# - var/cache/apt/pkgcache.bin has been touched since the last run +# - our last run ended with 'apt-get update failed' +# - our last run has been more than MAX_AGE (23hrs) ago +run_required() { + local run=0 + local norun=1 + + [ -e "$STATUS" ] || return $run + [ /var/lib/dpkg/status -nt "$STATUS" ] && return $run + [ /var/cache/apt/pkgcache.bin -nt "$STATUS" ] && return $run + grep "apt-get update failed" "$STATUS" > /dev/null && return $run + + local last_mod + last_mod=`stat -c "%Y" "$STATUS"` + now=`date +%s` + age=$(( $now - $last_mod )) + [ "$age" -gt "$MAX_AGE" ] && return $run + + return $norun +} + +mkdir -p "${STATUSDIR}" + +# do stuff only when required, or when asked to +if [ "${1:-""}" != "-f" ] ; then + run_required || exit 0 +fi + +# sleep if called non-interactively +if [ -z "$TERM" -o "$TERM" = "dumb" ]; then + sleep $(( $RANDOM % $SLEEP_MAX )) +fi + +# run apt-get update, retry a few times if it fails +count=0 +while [ "$count" -lt "$UPDATE_RUNS" ]; do + flock -e /var/lib/apt/lists apt-get update -qq >/dev/null >&2 + if [ "$?" = "0" ]; then break; fi + sleep $(( $RANDOM % 600 )) + count="$(( $count + 1 ))" +done +if [ "$count" -ge "$UPDATE_RUNS" ]; then + (echo "WARNING" + echo "apt-get update failed") > "$STATUS" + exit 1 +fi + +# run the apt check itself +tmp=`tempfile` +trap "rm -f '$tmp'" exit +#/usr/share/dsa/apt-status-check --noupdate --timeout=600 > "$tmp" +/usr/lib/nagios/plugins/dsa-check-packages > "$tmp" +result="$?" +case "$result" in + 0) + st="OK" + ;; + 1) + st="WARNING" + ;; + 2) + st="CRITICAL" + ;; + *) + st="UNKNOWN" + ;; +esac +(echo "$st"; cat "$tmp") > "$STATUS" diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/sbin/dsa-update-unowned-file-status b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/sbin/dsa-update-unowned-file-status new file mode 100755 index 0000000..56331ef --- /dev/null +++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/sbin/dsa-update-unowned-file-status @@ -0,0 +1,53 @@ +#!/bin/bash + +# Copyright 2012 Peter Palfrader +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +CUTOFF=40 +STATUSDIR=/var/cache/dsa/nagios +STATUS="${STATUSDIR}"/nouser + +mkdir -p "${STATUSDIR}" + +tmp=`tempfile` +trap "rm -f '$tmp'" exit + +if command -v ionice >/dev/null 2>&1; then + prefix="ionice -c 3 -t" # idle priority, ignore errors +fi + +$prefix find / -ignore_readdir_race \( -fstype proc -o -fstype sysfs -o -fstype fdescfs -o -fstype autofs -o -fstype nfs4 \) -prune -o \( -nouser -print \) | head -n "$CUTOFF" > "$tmp" + +if [ -s "$tmp" ]; then + echo "WARN" + c="$(wc -l < "$tmp")" + if [ "$c" -lt "$CUTOFF" ] ; then + echo "Warn: $c unowned files on system." + cat "$tmp" + else + echo "Warn: Lots of unowned files on system:" + cat "$tmp" + echo "..." + fi +else + echo "OK" + echo "OK: No unowned files on system." +fi > "$STATUS" diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/update-files.sh b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/update-files.sh new file mode 100755 index 0000000..6539cf3 --- /dev/null +++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/update-files.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +# update all files from the dsa nagios git +find checks sbin share etc -type f | while read i; do + tmp=`mktemp` + if wget -O "${tmp}" "https://salsa.debian.org/dsa-team/mirror/dsa-nagios/raw/master/dsa-nagios-checks/${i}"; then + mv "${tmp}" "$i" + else + rm -f "${tmp}" + fi +done + +chmod 755 sbin/* -- cgit v1.2.3