Add dnssec

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2023-10-10 10:44:24 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2023-10-12 00:24:46 +0200
commit: 97787a9dd8b136c8dc327fab42aedf2aa1109ec0 (patch)
tree: 4b7ea0d889a4c2c27bfec351693995f1fcba2bbb /flakes
parent: 450e0db1a1ad900f93519c00f0ef132ec42a3728 (diff)
download: Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.tar.gz
Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.tar.zst
Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.zip
3 files changed, 229 insertions, 11 deletions
diff --git a/flakes/flake.lock b/flakes/flake.lock
index 751316c..090ef48 100644
--- a/flakes/flake.lock
+++ b/flakes/flake.lock
@@ -2815,7 +2815,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
@@ -2833,7 +2833,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
@@ -2851,7 +2851,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
@@ -2869,7 +2869,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
@@ -3753,7 +3753,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-yqURiQf32DNTy5zfAIatoWwFTqvsGDQd+221BoSfsCY=",
+        "narHash": "sha256-KR4/Na/SqEfg9PNnBLk17lTn4LUU7irZGrgvw7TEUYQ=",
        "path": "../systems/backup-2",
        "type": "path"
      },
@@ -3776,7 +3776,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-2Q1QywPMmeYtlrSNE869LwUJQjtbRUXbDhNFT4WBRJE=",
+        "narHash": "sha256-7B/UHUhGyJRBRjEms+zI8ZhBAN1vE365GZw2ciJVg1M=",
        "path": "../systems/dilion",
        "type": "path"
      },
@@ -3824,7 +3824,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=",
+        "narHash": "sha256-q1+zzXLioBDjua4Omke9ki0hUaW2rtqTMRUXZ/+uHwU=",
        "path": "../systems/eldiron",
        "type": "path"
      },
@@ -3850,7 +3850,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-Ejc4fEaRV8u1yWV+u4z6F2SAGDBYEubbgRoG7tE3ctM=",
+        "narHash": "sha256-tsZO/C4md/8qRfxIsvVgeMkB0iAEl4IJC5/i8t/li2I=",
        "path": "../systems/monitoring-1",
        "type": "path"
      },
@@ -3875,7 +3875,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-6hR+IuCejk0AIiwggSgrvCQXiRzbF5IiMFr3YqbBwZI=",
+        "narHash": "sha256-UrrTxZeyqV2cFsC3XKVrJoay7LdnE6OTZnBJfimPle4=",
        "path": "../systems/quatresaisons",
        "type": "path"
      },
@@ -7384,7 +7384,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "../../flakes/private/monitoring",
        "type": "path"
      },
@@ -8294,7 +8294,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",
+        "narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
        "path": "./private/monitoring",
        "type": "path"
      },
diff --git a/flakes/private/monitoring/myplugins.nix b/flakes/private/monitoring/myplugins.nix
index 35730bb..f76f2c1 100644
--- a/flakes/private/monitoring/myplugins.nix
+++ b/flakes/private/monitoring/myplugins.nix
@@ -69,8 +69,31 @@ in
  dns = {
    commands = {
      check_dns = "$USER1$/check_dns -H $ARG1$ -s $HOSTADDRESS$ $ARG2$";
+      check_dns_soa = "$USER2$/check_dns_soa -H $ARG1$ -z $ARG2$ -M $ARG3$";
+      check_dnssec = "$USER2$/check_dnssec -z $ARG1$";
      check_external_dns = "$USER1$/check_dns -H $ARG2$ -s $ARG1$ $ARG3$";
    };
+    chunk = let
+      soa_plugin = pkgs.fetchurl {
+        name = "check_dns_soa";
+        url = "https://exchange.nagios.org/components/com_mtree/attachment.php?link_id=1429&cf_id=24";
+        sha256 = "sha256-Yy4XO19Fb7WdHZZmhUfyyAGBnxJyFWwc7U3HiWyE8wc=";
+      };
+    in ''
+      cp ${./plugins}/check_dnssec $out/
+      patchShebangs $out/check_dnssec
+      wrapProgram $out/check_dnssec --prefix PATH : ${lib.makeBinPath [
+        pkgs.bind.dnsutils pkgs.gnugrep pkgs.gawk pkgs.which pkgs.coreutils
+      ]}
+      cp ${soa_plugin} $out/check_dns_soa
+      chmod +xw $out/check_dns_soa
+      patchShebangs $out/check_dns_soa
+      sed -i -e 's/^use utils qw.*$/my %ERRORS = ("OK" => 0, "WARNING" => 1, "CRITICAL" => 2, "UNKNOWN" => 3);my $TIMEOUT = 10;/' -e '/^use lib /d' $out/check_dns_soa
+      wrapProgram $out/check_dns_soa --prefix PERL5LIB : ${pkgs.perlPackages.makePerlPath [
+        pkgs.perlPackages.NetDNS
+      ]}
+    '';
  };
  mdadm = {
    commands = {
diff --git a/flakes/private/monitoring/plugins/check_dnssec b/flakes/private/monitoring/plugins/check_dnssec
new file mode 100755
index 0000000..a6e408d
--- /dev/null
+++ b/flakes/private/monitoring/plugins/check_dnssec
@@ -0,0 +1,195 @@
+#!/usr/bin/env bash
+# check_dnssec_expiry.sh
+#
+# Copyright 2017 by Mario Rimann <mario@rimann.org>
+# Licensed under the permissive MIT license, see LICENSE.md
+#
+# Development of this script was partially sponsored by my
+# employer internezzo, see http://www.internezzo.ch
+#
+# If this script helps you to make your work easier, please consider
+# to give feedback or do something good, see https://rimann.org/support
+usage() {
+        cat - >&2 << _EOT_
+usage $0 -z <zone> [-w <warning %>] [-c <critical %>] [-r <resolver>] [-f <always failing domain>]
+        -z <zone>
+                specify zone to check
+        -w <critical %>
+                warning time left percentage
+        -c <critical %>
+                critical time left percentage
+        -r <resolver>
+                specify which resolver to use.
+        -f <always failing domain>
+                specify a domain that will always fail DNSSEC.
+                used to test if DNSSEC is supported in used tools.
+        -t <DNS record type to check>
+                specify a DNS record type for calculating the remaining lifetime.
+                For example SOA, A, etc.
+_EOT_
+        exit 255
+}
+# Parse the input options
+while getopts ":z:w:c:r:f:h:t:" opt; do
+  case $opt in
+    z)
+      zone=$OPTARG
+      ;;
+    w)
+      warning=$OPTARG
+      ;;
+    c)
+      critical=$OPTARG
+      ;;
+    r)
+      resolver=$OPTARG
+      ;;
+    f)
+      alwaysFailingDomain=$OPTARG
+      ;;
+    t)
+      recordType=$OPTARG
+      ;;
+    h)
+      usage ;;
+  esac
+done
+# Check if dig is available at all - fail hard if not
+pathToDig=$( which dig )
+if [[ ! -e $pathToDig ]]; then
+        echo "No executable of dig found, cannot proceed without dig. Sorry!"
+        exit 1
+fi
+# Check if we got a zone to validate - fail hard if not
+if [[ -z $zone ]]; then
+        echo "Missing zone to test - please provide a zone via the -z parameter."
+        usage
+        exit 3
+fi
+# Check if we got warning/critical percentage values, use defaults if not
+if [[ -z $warning ]]; then
+        warning=20
+fi
+if [[ -z $critical ]]; then
+        critical=10
+fi
+# Use Google's 8.8.8.8 resolver as fallback if none is provided
+if [[ -z $resolver ]]; then
+        resolver="8.8.8.8"
+fi
+if [[ -z $alwaysFailingDomain ]]; then
+        alwaysFailingDomain="dnssec-failed.org"
+fi
+# Use SOA record type as fallback
+if [[ -z $recordType ]]; then
+        recordType="SOA"
+fi
+# Check the resolver to properly validate DNSSEC at all (if he doesn't, every further test is futile and a waste of bandwith)
+checkResolverDoesDnssecValidation=$(dig +nocmd +nostats +noquestion $alwaysFailingDomain @${resolver} | grep "opcode: QUERY" | grep "status: SERVFAIL")
+if [[ -z $checkResolverDoesDnssecValidation ]]; then
+        echo "WARNING: Resolver seems to not validate DNSSEC signatures - going further seems hopeless right now."
+        exit 1
+fi
+# Check if the resolver delivers an answer for the domain to test
+checkDomainResolvableWithDnssecEnabledResolver=$(dig +short @${resolver} SOA $zone)
+if [[ -z $checkDomainResolvableWithDnssecEnabledResolver ]]; then
+        checkDomainResolvableWithDnssecValidationExplicitelyDisabled=$(dig +short @${resolver} SOA $zone +cd)
+        if [[ ! -z $checkDomainResolvableWithDnssecValidationExplicitelyDisabled ]]; then
+                echo "CRITICAL: The domain $zone can be validated without DNSSEC validation - but will fail on resolvers that do validate DNSSEC."
+                exit 2
+        else
+                echo "CRITICAL: The domain $zone cannot be resolved via $resolver as resolver while DNSSEC validation is active."
+                exit 2
+        fi
+fi
+# Check if the domain is DNSSEC signed at all
+# (and emerge a WARNING in that case, since this check is about testing DNSSEC being "present" and valid which is not the case for an unsigned zone)
+checkZoneItselfIsSignedAtAll=$( dig $zone @$resolver DS +short )
+if [[ -z $checkZoneItselfIsSignedAtAll ]]; then
+        echo "WARNING: Zone $zone seems to be unsigned itself (= resolvable, but no DNSSEC involved at all)"
+        exit 1
+fi
+# Check if there are multiple RRSIG responses and check them one after the other
+now=$(date +"%s")
+rrsigEntries=$( dig @$resolver $recordType $zone +dnssec | grep RRSIG )
+if [[ -z $rrsigEntries ]]; then
+        echo "CRITICAL: There is no RRSIG for the SOA of your zone."
+        exit 2
+else
+        while read -r rrsig; do
+                # Get the RRSIG entry and extract the date out of it
+                expiryDateOfSignature=$( echo $rrsig | awk '{print $9}')
+                checkValidityOfExpirationTimestamp=$( echo $expiryDateOfSignature | egrep '[0-9]{14}')
+                if [[ -z $checkValidityOfExpirationTimestamp ]]; then
+                        echo "UNKNOWN: Something went wrong while checking the expiration of the RRSIG entry - investigate please".
+                        exit 3
+                fi
+                inceptionDateOfSignature=$( echo $rrsig | awk '{print $10}')
+                checkValidityOfInceptionTimestamp=$( echo $inceptionDateOfSignature | egrep '[0-9]{14}')
+                if [[ -z $checkValidityOfInceptionTimestamp ]]; then
+                        echo "UNKNOWN: Something went wrong while checking the inception date of the RRSIG entry - investigate please".
+                        exit 3
+                fi
+                # Fiddle out the expiry and inceptiondate of the signature to have a base to do some calculations afterwards
+                expiryDateAsString="${expiryDateOfSignature:0:4}-${expiryDateOfSignature:4:2}-${expiryDateOfSignature:6:2} ${expiryDateOfSignature:8:2}:${expiryDateOfSignature:10:2}:00"
+                expiryDateOfSignatureAsUnixTime=$( date -u -d "$expiryDateAsString" +"%s" 2>/dev/null )
+                if [[ $? -ne 0 ]]; then
+                        # if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic...
+                        expiryDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$expiryDateAsString" +"%s" )
+                fi
+                inceptionDateAsString="${inceptionDateOfSignature:0:4}-${inceptionDateOfSignature:4:2}-${inceptionDateOfSignature:6:2} ${inceptionDateOfSignature:8:2}:${inceptionDateOfSignature:10:2}:00"
+                inceptionDateOfSignatureAsUnixTime=$( date -u -d "$inceptionDateAsString" +"%s" 2>/dev/null )
+                if [[ $? -ne 0 ]]; then
+                        # if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic...
+                        inceptionDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$inceptionDateAsString" +"%s" )
+                fi
+                # calculate the remaining lifetime of the signature
+                totalLifetime=$( expr $expiryDateOfSignatureAsUnixTime - $inceptionDateOfSignatureAsUnixTime)
+                remainingLifetimeOfSignature=$( expr $expiryDateOfSignatureAsUnixTime - $now)
+                remainingPercentage=$( expr "100" \* $remainingLifetimeOfSignature / $totalLifetime)
+                # store the result of this single RRSIG's check
+                if [[ -z $maxRemainingLifetime || $remainingLifetimeOfSignature -gt $maxRemainingLifetime ]]; then
+                        maxRemainingLifetime=$remainingLifetimeOfSignature
+                        maxRemainingPercentage=$remainingPercentage
+                fi
+        done <<< "$rrsigEntries"
+fi
+# determine if we need to alert, and if so, how loud to cry, depending on warning/critial threshholds provided
+if [[ $maxRemainingPercentage -lt $critical ]]; then
+        echo "CRITICAL: DNSSEC signature for $zone is very short before expiration! ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime  sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
+        exit 2
+elif [[ $remainingPercentage -lt $warning ]]; then
+        echo "WARNING: DNSSEC signature for $zone is short before expiration! ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime  sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
+        exit 1
+else
+        echo "OK: DNSSEC signatures for $zone seem to be valid and not expired ($maxRemainingPercentage% remaining) | sig_lifetime=$maxRemainingLifetime  sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
+        exit 0
+fi
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2023-10-10 10:44:24 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2023-10-12 00:24:46 +0200
commit	97787a9dd8b136c8dc327fab42aedf2aa1109ec0 (patch)
tree	4b7ea0d889a4c2c27bfec351693995f1fcba2bbb /flakes
parent	450e0db1a1ad900f93519c00f0ef132ec42a3728 (diff)
download	Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.tar.gz Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.tar.zst Nix-97787a9dd8b136c8dc327fab42aedf2aa1109ec0.zip

diff --git a/flakes/flake.lock b/flakes/flake.lock index 751316c..090ef48 100644 --- a/flakes/flake.lock +++ b/flakes/flake.lock
@@ -2815,7 +2815,7 @@
2815	},	2815	},
2816	"locked": {	2816	"locked": {
2817	"lastModified": 1,	2817	"lastModified": 1,
2818	"narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",	2818	"narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
2819	"path": "../../flakes/private/monitoring",	2819	"path": "../../flakes/private/monitoring",
2820	"type": "path"	2820	"type": "path"
2821	},	2821	},
@@ -2833,7 +2833,7 @@
2833	},	2833	},
2834	"locked": {	2834	"locked": {
2835	"lastModified": 1,	2835	"lastModified": 1,
2836	"narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",	2836	"narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
2837	"path": "../../flakes/private/monitoring",	2837	"path": "../../flakes/private/monitoring",
2838	"type": "path"	2838	"type": "path"
2839	},	2839	},
@@ -2851,7 +2851,7 @@
2851	},	2851	},
2852	"locked": {	2852	"locked": {
2853	"lastModified": 1,	2853	"lastModified": 1,
2854	"narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",	2854	"narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
2855	"path": "../../flakes/private/monitoring",	2855	"path": "../../flakes/private/monitoring",
2856	"type": "path"	2856	"type": "path"
2857	},	2857	},
@@ -2869,7 +2869,7 @@
2869	},	2869	},
2870	"locked": {	2870	"locked": {
2871	"lastModified": 1,	2871	"lastModified": 1,
2872	"narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",	2872	"narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
2873	"path": "../../flakes/private/monitoring",	2873	"path": "../../flakes/private/monitoring",
2874	"type": "path"	2874	"type": "path"
2875	},	2875	},
@@ -3753,7 +3753,7 @@
3753	},	3753	},
3754	"locked": {	3754	"locked": {
3755	"lastModified": 1,	3755	"lastModified": 1,
3756	"narHash": "sha256-yqURiQf32DNTy5zfAIatoWwFTqvsGDQd+221BoSfsCY=",	3756	"narHash": "sha256-KR4/Na/SqEfg9PNnBLk17lTn4LUU7irZGrgvw7TEUYQ=",
3757	"path": "../systems/backup-2",	3757	"path": "../systems/backup-2",
3758	"type": "path"	3758	"type": "path"
3759	},	3759	},
@@ -3776,7 +3776,7 @@
3776	},	3776	},
3777	"locked": {	3777	"locked": {
3778	"lastModified": 1,	3778	"lastModified": 1,
3779	"narHash": "sha256-2Q1QywPMmeYtlrSNE869LwUJQjtbRUXbDhNFT4WBRJE=",	3779	"narHash": "sha256-7B/UHUhGyJRBRjEms+zI8ZhBAN1vE365GZw2ciJVg1M=",
3780	"path": "../systems/dilion",	3780	"path": "../systems/dilion",
3781	"type": "path"	3781	"type": "path"
3782	},	3782	},
@@ -3824,7 +3824,7 @@
3824	},	3824	},
3825	"locked": {	3825	"locked": {
3826	"lastModified": 1,	3826	"lastModified": 1,
3827	"narHash": "sha256-E88xTYPerBoKGo+EB6RThKwM1AxuhPWhs583WxwD8cA=",	3827	"narHash": "sha256-q1+zzXLioBDjua4Omke9ki0hUaW2rtqTMRUXZ/+uHwU=",
3828	"path": "../systems/eldiron",	3828	"path": "../systems/eldiron",
3829	"type": "path"	3829	"type": "path"
3830	},	3830	},
@@ -3850,7 +3850,7 @@
3850	},	3850	},
3851	"locked": {	3851	"locked": {
3852	"lastModified": 1,	3852	"lastModified": 1,
3853	"narHash": "sha256-Ejc4fEaRV8u1yWV+u4z6F2SAGDBYEubbgRoG7tE3ctM=",	3853	"narHash": "sha256-tsZO/C4md/8qRfxIsvVgeMkB0iAEl4IJC5/i8t/li2I=",
3854	"path": "../systems/monitoring-1",	3854	"path": "../systems/monitoring-1",
3855	"type": "path"	3855	"type": "path"
3856	},	3856	},
@@ -3875,7 +3875,7 @@
3875	},	3875	},
3876	"locked": {	3876	"locked": {
3877	"lastModified": 1,	3877	"lastModified": 1,
3878	"narHash": "sha256-6hR+IuCejk0AIiwggSgrvCQXiRzbF5IiMFr3YqbBwZI=",	3878	"narHash": "sha256-UrrTxZeyqV2cFsC3XKVrJoay7LdnE6OTZnBJfimPle4=",
3879	"path": "../systems/quatresaisons",	3879	"path": "../systems/quatresaisons",
3880	"type": "path"	3880	"type": "path"
3881	},	3881	},
@@ -7384,7 +7384,7 @@
7384	},	7384	},
7385	"locked": {	7385	"locked": {
7386	"lastModified": 1,	7386	"lastModified": 1,
7387	"narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",	7387	"narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
7388	"path": "../../flakes/private/monitoring",	7388	"path": "../../flakes/private/monitoring",
7389	"type": "path"	7389	"type": "path"
7390	},	7390	},
@@ -8294,7 +8294,7 @@
8294	},	8294	},
8295	"locked": {	8295	"locked": {
8296	"lastModified": 1,	8296	"lastModified": 1,
8297	"narHash": "sha256-rybO4c9UB9a34Xgoh+ToYz36Dz2OM1sgYxi3m00+W+E=",	8297	"narHash": "sha256-DN3hgnw6hXCrSGXep4mumwksWSggsuyyaKXuKvswXl8=",
8298	"path": "./private/monitoring",	8298	"path": "./private/monitoring",
8299	"type": "path"	8299	"type": "path"
8300	},	8300	},


diff --git a/flakes/private/monitoring/myplugins.nix b/flakes/private/monitoring/myplugins.nix index 35730bb..f76f2c1 100644 --- a/flakes/private/monitoring/myplugins.nix +++ b/flakes/private/monitoring/myplugins.nix
@@ -69,8 +69,31 @@ in
69	dns = {	69	dns = {
70	commands = {	70	commands = {
71	check_dns = "$USER1$/check_dns -H $ARG1$ -s $HOSTADDRESS$ $ARG2$";	71	check_dns = "$USER1$/check_dns -H $ARG1$ -s $HOSTADDRESS$ $ARG2$";
		72	check_dns_soa = "$USER2$/check_dns_soa -H $ARG1$ -z $ARG2$ -M $ARG3$";
		73	check_dnssec = "$USER2$/check_dnssec -z $ARG1$";
72	check_external_dns = "$USER1$/check_dns -H $ARG2$ -s $ARG1$ $ARG3$";	74	check_external_dns = "$USER1$/check_dns -H $ARG2$ -s $ARG1$ $ARG3$";
73	};	75	};
		76	chunk = let
		77	soa_plugin = pkgs.fetchurl {
		78	name = "check_dns_soa";
		79	url = "https://exchange.nagios.org/components/com_mtree/attachment.php?link_id=1429&cf_id=24";
		80	sha256 = "sha256-Yy4XO19Fb7WdHZZmhUfyyAGBnxJyFWwc7U3HiWyE8wc=";
		81	};
		82	in ''
		83	cp ${./plugins}/check_dnssec $out/
		84	patchShebangs $out/check_dnssec
		85	wrapProgram $out/check_dnssec --prefix PATH : ${lib.makeBinPath [
		86	pkgs.bind.dnsutils pkgs.gnugrep pkgs.gawk pkgs.which pkgs.coreutils
		87	]}
		88
		89	cp ${soa_plugin} $out/check_dns_soa
		90	chmod +xw $out/check_dns_soa
		91	patchShebangs $out/check_dns_soa
		92	sed -i -e 's/^use utils qw.*$/my %ERRORS = ("OK" => 0, "WARNING" => 1, "CRITICAL" => 2, "UNKNOWN" => 3);my $TIMEOUT = 10;/' -e '/^use lib /d' $out/check_dns_soa
		93	wrapProgram $out/check_dns_soa --prefix PERL5LIB : ${pkgs.perlPackages.makePerlPath [
		94	pkgs.perlPackages.NetDNS
		95	]}
		96	'';
74	};	97	};
75	mdadm = {	98	mdadm = {
76	commands = {	99	commands = {


diff --git a/flakes/private/monitoring/plugins/check_dnssec b/flakes/private/monitoring/plugins/check_dnssec new file mode 100755 index 0000000..a6e408d --- /dev/null +++ b/flakes/private/monitoring/plugins/check_dnssec
@@ -0,0 +1,195 @@
		1	#!/usr/bin/env bash
		2
		3	# check_dnssec_expiry.sh
		4	#
		5	# Copyright 2017 by Mario Rimann <mario@rimann.org>
		6	# Licensed under the permissive MIT license, see LICENSE.md
		7	#
		8	# Development of this script was partially sponsored by my
		9	# employer internezzo, see http://www.internezzo.ch
		10	#
		11	# If this script helps you to make your work easier, please consider
		12	# to give feedback or do something good, see https://rimann.org/support
		13
		14	usage() {
		15	cat - >&2 << _EOT_
		16	usage $0 -z <zone> [-w <warning %>] [-c <critical %>] [-r <resolver>] [-f <always failing domain>]
		17
		18	-z <zone>
		19	specify zone to check
		20	-w <critical %>
		21	warning time left percentage
		22	-c <critical %>
		23	critical time left percentage
		24	-r <resolver>
		25	specify which resolver to use.
		26	-f <always failing domain>
		27	specify a domain that will always fail DNSSEC.
		28	used to test if DNSSEC is supported in used tools.
		29	-t <DNS record type to check>
		30	specify a DNS record type for calculating the remaining lifetime.
		31	For example SOA, A, etc.
		32	_EOT_
		33	exit 255
		34	}
		35
		36	# Parse the input options
		37	while getopts ":z:w:c:r:f:h:t:" opt; do
		38	case $opt in
		39	z)
		40	zone=$OPTARG
		41	;;
		42	w)
		43	warning=$OPTARG
		44	;;
		45	c)
		46	critical=$OPTARG
		47	;;
		48	r)
		49	resolver=$OPTARG
		50	;;
		51	f)
		52	alwaysFailingDomain=$OPTARG
		53	;;
		54	t)
		55	recordType=$OPTARG
		56	;;
		57	h)
		58	usage ;;
		59	esac
		60	done
		61
		62
		63	# Check if dig is available at all - fail hard if not
		64	pathToDig=$( which dig )
		65	if [[ ! -e $pathToDig ]]; then
		66	echo "No executable of dig found, cannot proceed without dig. Sorry!"
		67	exit 1
		68	fi
		69
		70	# Check if we got a zone to validate - fail hard if not
		71	if [[ -z $zone ]]; then
		72	echo "Missing zone to test - please provide a zone via the -z parameter."
		73	usage
		74	exit 3
		75	fi
		76
		77	# Check if we got warning/critical percentage values, use defaults if not
		78	if [[ -z $warning ]]; then
		79	warning=20
		80	fi
		81	if [[ -z $critical ]]; then
		82	critical=10
		83	fi
		84
		85
		86	# Use Google's 8.8.8.8 resolver as fallback if none is provided
		87	if [[ -z $resolver ]]; then
		88	resolver="8.8.8.8"
		89	fi
		90
		91	if [[ -z $alwaysFailingDomain ]]; then
		92	alwaysFailingDomain="dnssec-failed.org"
		93	fi
		94
		95	# Use SOA record type as fallback
		96	if [[ -z $recordType ]]; then
		97	recordType="SOA"
		98	fi
		99
		100	# Check the resolver to properly validate DNSSEC at all (if he doesn't, every further test is futile and a waste of bandwith)
		101	checkResolverDoesDnssecValidation=$(dig +nocmd +nostats +noquestion $alwaysFailingDomain @${resolver} \| grep "opcode: QUERY" \| grep "status: SERVFAIL")
		102	if [[ -z $checkResolverDoesDnssecValidation ]]; then
		103	echo "WARNING: Resolver seems to not validate DNSSEC signatures - going further seems hopeless right now."
		104	exit 1
		105	fi
		106
		107	# Check if the resolver delivers an answer for the domain to test
		108	checkDomainResolvableWithDnssecEnabledResolver=$(dig +short @${resolver} SOA $zone)
		109	if [[ -z $checkDomainResolvableWithDnssecEnabledResolver ]]; then
		110
		111	checkDomainResolvableWithDnssecValidationExplicitelyDisabled=$(dig +short @${resolver} SOA $zone +cd)
		112
		113	if [[ ! -z $checkDomainResolvableWithDnssecValidationExplicitelyDisabled ]]; then
		114	echo "CRITICAL: The domain $zone can be validated without DNSSEC validation - but will fail on resolvers that do validate DNSSEC."
		115	exit 2
		116	else
		117	echo "CRITICAL: The domain $zone cannot be resolved via $resolver as resolver while DNSSEC validation is active."
		118	exit 2
		119	fi
		120	fi
		121
		122	# Check if the domain is DNSSEC signed at all
		123	# (and emerge a WARNING in that case, since this check is about testing DNSSEC being "present" and valid which is not the case for an unsigned zone)
		124	checkZoneItselfIsSignedAtAll=$( dig $zone @$resolver DS +short )
		125	if [[ -z $checkZoneItselfIsSignedAtAll ]]; then
		126	echo "WARNING: Zone $zone seems to be unsigned itself (= resolvable, but no DNSSEC involved at all)"
		127	exit 1
		128	fi
		129
		130
		131	# Check if there are multiple RRSIG responses and check them one after the other
		132	now=$(date +"%s")
		133	rrsigEntries=$( dig @$resolver $recordType $zone +dnssec \| grep RRSIG )
		134	if [[ -z $rrsigEntries ]]; then
		135	echo "CRITICAL: There is no RRSIG for the SOA of your zone."
		136	exit 2
		137	else
		138	while read -r rrsig; do
		139	# Get the RRSIG entry and extract the date out of it
		140	expiryDateOfSignature=$( echo $rrsig \| awk '{print $9}')
		141	checkValidityOfExpirationTimestamp=$( echo $expiryDateOfSignature \| egrep '[0-9]{14}')
		142	if [[ -z $checkValidityOfExpirationTimestamp ]]; then
		143	echo "UNKNOWN: Something went wrong while checking the expiration of the RRSIG entry - investigate please".
		144	exit 3
		145	fi
		146
		147	inceptionDateOfSignature=$( echo $rrsig \| awk '{print $10}')
		148	checkValidityOfInceptionTimestamp=$( echo $inceptionDateOfSignature \| egrep '[0-9]{14}')
		149	if [[ -z $checkValidityOfInceptionTimestamp ]]; then
		150	echo "UNKNOWN: Something went wrong while checking the inception date of the RRSIG entry - investigate please".
		151	exit 3
		152	fi
		153
		154	# Fiddle out the expiry and inceptiondate of the signature to have a base to do some calculations afterwards
		155	expiryDateAsString="${expiryDateOfSignature:0:4}-${expiryDateOfSignature:4:2}-${expiryDateOfSignature:6:2} ${expiryDateOfSignature:8:2}:${expiryDateOfSignature:10:2}:00"
		156	expiryDateOfSignatureAsUnixTime=$( date -u -d "$expiryDateAsString" +"%s" 2>/dev/null )
		157	if [[ $? -ne 0 ]]; then
		158	# if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic...
		159	expiryDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$expiryDateAsString" +"%s" )
		160	fi
		161	inceptionDateAsString="${inceptionDateOfSignature:0:4}-${inceptionDateOfSignature:4:2}-${inceptionDateOfSignature:6:2} ${inceptionDateOfSignature:8:2}:${inceptionDateOfSignature:10:2}:00"
		162	inceptionDateOfSignatureAsUnixTime=$( date -u -d "$inceptionDateAsString" +"%s" 2>/dev/null )
		163	if [[ $? -ne 0 ]]; then
		164	# if we come to this place, something must have gone wrong converting the date-string. This can happen as e.g. MacOS X and Linux don't behave the same way in this topic...
		165	inceptionDateOfSignatureAsUnixTime=$( date -j -u -f "%Y-%m-%d %T" "$inceptionDateAsString" +"%s" )
		166	fi
		167
		168
		169	# calculate the remaining lifetime of the signature
		170	totalLifetime=$( expr $expiryDateOfSignatureAsUnixTime - $inceptionDateOfSignatureAsUnixTime)
		171	remainingLifetimeOfSignature=$( expr $expiryDateOfSignatureAsUnixTime - $now)
		172	remainingPercentage=$( expr "100" \* $remainingLifetimeOfSignature / $totalLifetime)
		173
		174	# store the result of this single RRSIG's check
		175	if [[ -z $maxRemainingLifetime \|\| $remainingLifetimeOfSignature -gt $maxRemainingLifetime ]]; then
		176	maxRemainingLifetime=$remainingLifetimeOfSignature
		177	maxRemainingPercentage=$remainingPercentage
		178	fi
		179	done <<< "$rrsigEntries"
		180	fi
		181
		182
		183
		184
		185	# determine if we need to alert, and if so, how loud to cry, depending on warning/critial threshholds provided
		186	if [[ $maxRemainingPercentage -lt $critical ]]; then
		187	echo "CRITICAL: DNSSEC signature for $zone is very short before expiration! ($maxRemainingPercentage% remaining) \| sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
		188	exit 2
		189	elif [[ $remainingPercentage -lt $warning ]]; then
		190	echo "WARNING: DNSSEC signature for $zone is short before expiration! ($maxRemainingPercentage% remaining) \| sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
		191	exit 1
		192	else
		193	echo "OK: DNSSEC signatures for $zone seem to be valid and not expired ($maxRemainingPercentage% remaining) \| sig_lifetime=$maxRemainingLifetime sig_lifetime_percentage=$remainingPercentage%;$warning;$critical"
		194	exit 0
		195	fi