forked from lelutin/nagios-plugins
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcheck_gpg
executable file
·134 lines (120 loc) · 3.89 KB
/
check_gpg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
#!/bin/bash
#
# Nagios plugin that checks whether a key ID has expired, or will expire within
# a certain time.
#
# note: the plugin will issue a critical state if the required key has been
# revoked.
#
# usage: check_gpg [--no-refresh] [-w <num_days>] [--gnupg-homedir <path>] <key_id>
#
# <key_id> is any PGP key ID that GnuPG accepts with "gpg --list-key <key_id>"
#
# The option -w parameter lets you specify the number of days within which key
# expiry will trigger a warning. e.g. if <key_id> expires within <num_days>
# days, make nagios issue a warning.
#
# num_days must be an integer value
#
# optionally, if the keyring directory you want GPG to use is not located in
# the user's ~/.gnupg, you can specify the path to the keyring directory with
# the --gnupg-homedir parameter. With the parameter --no-refresh you can disable
# refreshing key from keyservers and just validate local keyring.
#
# Thanks a bunch to Daniel Kahn Gillmor for providing example commands that
# made up most of the core of this plugin.
#
# Copyleft Gabriel Filion
#
# This plugin is released under the GPL v3+ license. To get a copy of the
# license text visit: https://www.gnu.org/licenses/gpl-3.0.txt
#
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
STATE_DEPENDENT=4
SECS_IN_DAY=86400
function debug () {
if [ -n "$DEBUG" ]; then
echo "$1" >&2
fi
}
debug "got args: $*"
now=$(date +%s)
debug "current timestamp: $now"
warning_threshold=
homedir=
refresh=1
for arg in $*; do
case $arg in
"-w")
if [ -z "$2" ]; then
echo "UNKNOWN: argument -w got no value. integer needed"
exit $STATE_UNKNOWN
fi
if [ "`echo $2 | egrep ^[[:digit:]]+$`" = "" ]; then
echo "UNKNOWN: invalid value '$2' passed to -w. integer needed"
exit $STATE_UNKNOWN
fi
warning_threshold=$(( $now + ($2*$SECS_IN_DAY) ))
debug "setting warning_threshold to '$warning_threshold'"
shift 2
;;
"--no-refresh")
refresh=0
shift 1
;;
"--gnupg-homedir")
if [ -z "$2" ]; then
echo "UNKNOWN: argument --gnupg-homedir got no value. path needed"
exit $STATE_UNKNOWN
fi
if [ ! -d "$2" ]; then
echo "UNKNOWN: homedir '$2' does not exist or is not a directory"
exit $STATE_UNKNOWN
fi
homedir="--homedir $2"
debug "setting homedir to '$homedir'"
shift 2
;;
esac
done
if [ -z "$1" ]; then
echo "UNKNOWN: must provide a key ID"
exit $STATE_UNKNOWN
fi
key="$1"
# GPG is too stupid to error out when asked to refresh a key that's not in the
# local keyring so we need to perform another call to verify this first.
output=$( gpg $homedir --list-key "$key" >/dev/null 2>&1 )
if [ $? -ne 0 ]; then
echo "UNKNOWN: $output"
exit $STATE_UNKNOWN
fi
# Refresh key if not disabled
if [ $refresh -eq 1 ]; then
output=$( gpg $homedir --refresh "$key" >/dev/null; 2>&1 )
if [ $? -ne 0 ]; then
echo "UNKNOWN: $output"
exit $STATE_UNKNOWN
fi
fi
if [ "$(gpg $homedir --check-sig "$key" | grep "^rev!")" != "" ]; then
echo "CRITICAL: key '$key' has been revoked!"
exit $STATE_CRITICAL
fi
for expiry in $(gpg $homedir --with-colons --fixed-list-mode --list-key "$key" 2>/dev/null | awk -F: '/^pub:/{ print $7 }');
do
debug "expiry value: $expiry"
if [ "$now" -gt "$expiry" ]; then
printf "CRITICAL: %s has expired on %s\n" "$key" "$(date -d "$expiry seconds")"
exit $STATE_CRITICAL
fi;
if [ -n "$warning_threshold" ] && [ "$warning_threshold" -gt "$expiry" ]; then
remaining=$(( ($expiry-$now) / $SECS_IN_DAY ))
printf "WARNING: %s expires in %s days\n" "$key" "$remaining"
exit $STATE_WARNING
fi
done
echo "OK: key '$key' has not expired."