nagios-plugins/check_gpg at master · Rohlik/nagios-plugins · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
#!/bin/bash
#
# Nagios plugin that checks whether a key ID has expired, or will expire within
# a certain time.
#
# note: the plugin will issue a critical state if the required key has been
# revoked.
#
# usage: check_gpg [--no-refresh] [-w <num_days>] [--gnupg-homedir <path>]
#
#
#
# The option -c parameter lets you specify the number of days within which key
# expiry will trigger a critical. e.g. if <key_id> expires within <num_days>
# days, make nagios issue a critical.
#
# num_days must be an integer value
#
# optionally, if the keyring directory you want GPG to use is not located in
# the user's ~/.gnupg, you can specify the path to the keyring directory with
# the --gnupg-homedir parameter. With the parameter --no-refresh you can disable
# refreshing key from keyservers and just validate local keyring.
#
# Thanks a bunch to Daniel Kahn Gillmor for providing example commands that
# made up most of the core of this plugin.
#
# Copyleft Gabriel Filion
#
# This plugin is released under the GPL v3+ license. To get a copy of the
# license text visit: https://www.gnu.org/licenses/gpl-3.0.txt
#
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
STATE_DEPENDENT=4

SECS_IN_DAY=86400

function debug () {
  if [ -n "$DEBUG" ]; then
      echo "$1" >&2
  fi
}

function showUsage () {
  echo "Usage: $0 [--no-refresh] [-c <num_days>] [--gnupg-homedir <path>]"
}

debug "got args: $*"

now=$(date +%s)
debug "current timestamp: $now"

critical_threshold=
homedir=
refresh=1
for arg in $*; do
    case $arg in
        "-c")
            if [ -z "$2" ]; then
                echo "UNKNOWN: argument -c got no value. integer needed"
                showUsage
                exit $STATE_UNKNOWN
            fi
            if [ "`echo $2 | egrep ^[[:digit:]]+$`" = "" ]; then
                echo "UNKNOWN: invalid value '$2' passed to -c. integer needed"
                showUsage
                exit $STATE_UNKNOWN
            fi
            critical_threshold=$(( $now + ($2*$SECS_IN_DAY) ))
            debug "setting critical_threshold to '$critical_threshold'"

            shift 2
        ;;
        "--no-refresh")
            refresh=0
            shift 1
        ;;
        "--gnupg-homedir")
            if [ -z "$2" ]; then
                echo "UNKNOWN: argument --gnupg-homedir got no value. path needed"
                showUsage
                exit $STATE_UNKNOWN
            fi
            if [ ! -d "$2" ]; then
                echo "UNKNOWN: homedir '$2' does not exist or is not a directory"
                showUsage
                exit $STATE_UNKNOWN
            fi
            homedir="--homedir $2"
            debug "setting homedir to '$homedir'"

            shift 2
        ;;
        "-h"|"--help")
            showUsage
            exit $STATE_OK
        ;;
        -*)
            echo "UNKNOWN: invalid parameter \"$arg\""
            showUsage
            exit $STATE_UNKNOWN
        ;;
    esac
done

keys=`gpg2 --with-colons --fixed-list-mode --list-keys | grep "^pub:" | cut -d':' -f5 | tr '\n' ' '`
if [ -z "$keys" ]; then
        echo "There are no PGP keys. Is it good?"
        exit $STATE_UNKNOWN
fi

# GPG is too stupid to error out when asked to refresh a key that's not in the
# local keyring so we need to perform another call to verify this first.
for key in $keys; do
output=$( gpg2 $homedir --list-key -- "$key" 2>&1 >/dev/null )
        if [ $? -ne 0 ]; then
            echo "UNKNOWN: $output"
            exit $STATE_UNKNOWN
        fi
done

# Refresh key if not disabled
for key in $keys; do
        if [ $refresh -eq 1 ]; then
            output=$( gpg2 $homedir --refresh -- "$key" 2>&1 >/dev/null )
            if [ $? -ne 0 ]; then
                echo "UNKNOWN: $output"
                exit $STATE_UNKNOWN
            fi
        fi
done

for key in $keys; do
        if [ "$(gpg2 $homedir --check-sig -- "$key" 2>/dev/null | grep "^rev!")" != "" ]; then
            echo "CRITICAL: key '$key' has been revoked!"
            exit $STATE_CRITICAL
        fi
done

for key in $keys; do
        for expiry in $(gpg2 $homedir --with-colons --fixed-list-mode --list-key -- "$key" 2>/dev/null | awk -F: '/^pub:/{ print $7 }');
        do
            debug "expiry value: $expiry"

            if [ "$now" -gt "$expiry" ]; then
                printf "CRITICAL: %s has expired on %s\n" "$key" "$(date -d "$expiry seconds")"
                exit $STATE_CRITICAL
            fi
            if [ -n "$critical_threshold" ] && [ "$critical_threshold" -gt "$expiry" ]; then
                remaining=$(( ($expiry-$now) / $SECS_IN_DAY ))
                printf "CRITICAL: %s expires in %s days\n" "$key" "$remaining"
                exit $STATE_CRITICAL
            fi
        done
done

echo "OK: key $keys has not expired."