The Sensu assets packaged from this repository are built against the Sensu Ruby runtime environment. When using these assets as part of a Sensu Go resource (check, mutator or handler), make sure you include the corresponding Sensu Ruby runtime asset in the list of assets needed by the resource. The current ruby-runtime assets can be found here in the Bonsai Asset Index.
- bin/check-java-keystore-cert.rb
- bin/check-ssl-anchor.rb
- bin/check-ssl-crl.rb
- bin/check-ssl-cert.rb
- bin/check-ssl-host.rb
- bin/check-ssl-hsts-preload.rb
- bin/check-ssl-hsts-preloadable.rb
- bin/check-ssl-qualys.rb
- bin/check-ssl-root-issuer.rb
Check that a specific website is chained to a specific root certificate (Let's Encrypt for instance). Requires the openssl
commandline tool to be available on the system.
./bin/check-ssl-anchor.rb -u example.com -a "i:/O=Digital Signature Trust Co./CN=DST Root CA X3"
Checks a CRL has not or is not expiring by inspecting it's next update value.
You can check against a CRL file on disk:
./bin/check-ssl-crl -c 300 -w 600 -u /path/to/crl
or an online CRL:
./bin/check-ssl-crl -c 300 -w 600 -u http://www.website.com/file.crl
Critical and Warning thresholds are specified in minutes.
Checks the ssllabs qualysis api for grade of your server, this check can be quite long so it should not be scheduled with a low interval and will probably need to adjust the check timeout
options per the check attributes spec based on my tests you should expect this to take around 3 minutes.
./bin/check-ssl-qualys.rb -d google.com
Check that a specific website is chained to a specific root certificate issuer. This is a pure Ruby implementation, does not require the openssl cmdline client tool to be installed.
./bin/check-ssl-root-issuer.rb -u example.com -a "CN=DST Root CA X3,O=Digital Signature Trust Co."
To run the testing suite, you'll need to have a working ruby
environment, gem
, and bundler
installed. We use rake
to run the rspec
tests automatically.
bundle install
bundle update
bundle exec rake
bin/check-ssl-anchor.rb
and bin/check-ssl-host.rb
would be good to run in combination with each other to test that the chain is anchored to a specific certificate and each certificate in the chain is correctly signed.