scripts / nagios-plugins

nagios-plugins
==============

This repository contains my small collection of modified and custom written
nagios check plugins and scripts for [Nagios](http://www.nagios.org).

Most of these are very custom solutions or modified versions of standard plugins
so distributing them through [NagiosExchange](https://exchange.nagios.org/) is

not really appropriate.  I am publishing them separately so that others may
benefit from these as well. Use them freely and please let me know is you
encounter any issues or require changes.

The latest versions, documentation and bugtracker available on my
[GitLab instance](https://gitlab.lindenaar.net/scripts/privacyidea-checkotp)

Copyright (c) 2015 - 2016 Frederik Lindenaar. free for distribution under
the GNU General Public License, see [below](#license)

contents
========
This repository contains the following scripts:
  * [check_memory](#check_memory)
    patched version of nagios-plugins check_memory script for Linux procps v3.3+
  * [check_multiple_host_addresses](#host_addresses)
    monitor multi-home and dual-stack (i.e. ipv4 and ipv6) servers.
  * [check_otp](#check_otp)
    plugin to monitor PrivacyIDEA (and LinOTP) OTP validation
  * [nagiosstatus](#nagiosstatus)
    CGI-BIN script to report the status of nagios (to monitor nagios itself)

<a name=check_memory>plugins/check_memory</a>
---------------------------------------------

Nagios check script to monitor the memory on Linux systems. Due to changes in

the output of procps v3.3 (the changelog refers to it as modernizing it), it's
output changed and breaks the the check_memory script as shipped with many linux
distributions. This version supports both the old and the new format so that
is indifferent of which version of procps (to date) is used. No other changes
were made to the script.

<a name=host_addresses>plugins/check_multiple_host_addresses</a>
----------------------------------------------------------------

This script is a first attempt to monitor multi-home and dual-stack (i.e. ipv4
and ipv6) servers. In my setup a server should only considered availble if it is
available on all of its primary addresses (i.e. both ipv4 and ipv6). It uses the
excellent check_multi script to perform multiple a ping check to see if a host
is available and reports the consolidated status. Using check_multi has the
advantage that pnp4nagios and other scripting graphing solutions will support
this solution as well.

Installation is straightforward, after installing the script on your server, add
the following to your `commands.cmd` configuration file to make it available:

~~~
  # 'check-host-alive' command definition for multi-homed/dual-stack servers
  define command{
        command_name    check-addresses-alive
        command_line    [install_path]/plugins/check_multiplehost_addresses '$HOSTADDRESS$' '$_HOSTADDRESS6$'
  }
~~~

The example above assumes that the IPv6 address of the host is provided as part
of the host configuration, i.e.:

~~~
  define host {
        ...
        address         192.168.0.1
        _address6       fdf8:f340:ab9d:c213::1
	...
  }
~~~

To use the script either add `check_command check-addresses-alive`

to the specific hosts that should use the check or to the generic host used as
template.

<a name=check_otp>plugins/check_otp</a>
---------------------------------------
Plugin (check) to monitor OTP validation, currently implemented for PrivacyIDEA
(and LinOTP). The check can validate a provided password/secret or calculate an
HOTP or TOTP value and use that to validate (with or without a password). Other
methods and interfaces can be plugged in easily (please raise a request or
provide a patch).

Please run `check_otp -h` for an actual overview of the available options. The
script currently supports 3 modes of operation:

  * password - simply authenticate with the provided secret (no calculations)
  * totp     - calculate the TOTP code using a key and current time
  * hotp     - calculate the HOTP code using a key and a count (automatically
               increments the count in case a count file is used)

Generic parameters (connection parameters, critical/warning thresholds, etc.)
should be provided before the mode of operation is specified, mode-specific
parameters should follow the mode selected. Keys, passwords and HOTP counts can
be read from a file as well. Checks can be performed based on token
serial or a login and a password (only mandatory for password authentication).

HOTP/TOTP modes require a Base16/32/64 encoded key provided on the command-line
or in a file. The generated HOTP/TOTP value is appended to the password/secret
(if provided), the order can be changed with the `-m` command line parameter.

Installation for is straightforward, after installing the script on the server
add the following to your Nagios `commands.cmd` configuration file:

~~~
# 'check_totp_serial' command definition to test TOTP based on token serial (no password)
# parameters: token serial (ARG1), key (ARG2), additional parameters in ARG3
define command {
        command_name    check_totp_serial
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -s $ARG1$ -k $ARG2$ $ARG3$
}

# 'check_totp_serial' command definition to test TOTP based on token serial and password
# parameters: token serial (ARG1), key (ARG2), password (ARG3), additional parameters in ARG4
define command {
        command_name    check_totp_serial_pwd
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -s $ARG1$ -k $ARG2$ -p $ARG3$ $ARG4$
}

# 'check_totp_login' command definition to test TOTP based on login and password
# parameters: login (ARG1), key (ARG2), password (ARG3), additional parameters in ARG4
define command {
        command_name    check_totp_login
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -l $ARG1$ -k $ARG2$ -p $ARG3$ $ARG4$
}

# 'check_totp_serial_dir' command definition to test TOTP based on token serial
# parameters: directory (ARG1), token serial (ARG2) additional parameters in ARG3
define command {
        command_name    check_totp_serial_dir
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -s $ARG2$ -K $ARG1$/$ARG2$.key $ARG3$
}

# 'check_totp_serial_dir_pwd' command definition to test TOTP based on token serial and password
# parameters: directory (ARG1), token serial (ARG2), additional parameters in ARG3
define command {
        command_name    check_totp_serial_dir_pwd
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -s $ARG2$ -K $ARG1$/$ARG2$.key -P $ARG1$/$ARG2$.pwd $ARG3$
}

# 'check_totp_login_dir' command definition to test TOTP based on login
# parameters: directory (ARG1), login (ARG2), additional parameters in ARG3
define command {
        command_name    check_totp_login_dir
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -l $ARG2$ -K $ARG1$/$ARG2$.key $ARG3$
}

# 'check_totp_login_dir_pwd' command definition to test TOTP based on login and password
# parameters: directory (ARG1), login (ARG2) additional parameters in ARG3
define command {
        command_name    check_totp_login_dir_pwd
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -l $ARG2$ -K $ARG1$/$ARG2$.key -P $ARG1$/$ARG2$.pwd $ARG3$
}

# 'check_hotp_serial_dir' command definition to test HOTP based on token serial
# parameters: directory (ARG1), token serial (ARG2), additional parameters in ARG3
define command {
        command_name    check_hotp_serial_dir
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token hotp -s $ARG2$ -K $ARG1$/$ARG2$.key -C $ARG1$/$ARG2$.count $ARG3$
}

# 'check_hotp_serial_dir_pwd' command definition to test HOTP based on token serial and password
# parameters: directory (ARG1), token serial (ARG2), additional parameters in ARG3
define command {
        command_name    check_hotp_serial_dir_pwd
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token hotp -s $ARG2$ -K $ARG1$/$ARG2$.key -C $ARG1$/$ARG2$.count -P $ARG1$/$ARG2$.pwd $ARG3$
}

# 'check_hotp_login_dir' command definition to test HOTP based on login
# parameters: directory (ARG1), login (ARG2), additional parameters in ARG3
define command {
        command_name    check_hotp_login_dir
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token hotp -l $ARG2$ -K $ARG1$/$ARG2$.key -C $ARG1$/$ARG2$.count $ARG3$
}

# 'check_hotp_login_dir_pwd' command definition to test HOTP based on login and password
# parameters: directory (ARG1), login (ARG2), additional parameters in ARG3
define command {
        command_name    check_hotp_login_dir_pwd
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token hotp -l $ARG2$ -K $ARG1$/$ARG2$.key -C $ARG1$/$ARG2$.count -P $ARG1$/$ARG2$.pwd $ARG3$
}

~~~

Please check / adjust the following:

  * replace `[install_path]/plugins` with the location of the script
  * assumption is that the `$HOSTNAME$` can be used for an SSL connection (and
    that the certificate is valid for this host, use the -u parameter and an
    URL if this is not the case)
  * path on the server is assumed to be /token (API endpoints will be added)
  * check the thresholds for Warning (3s) and Critical (8s), adjust if needed

The `dir` and `dir_pwd` commands allow to store all sensitive data for tokens in
a folder and hence only require a folder name and token serial or login. This
expects the folder specified to contain the following files:

  * [serial/login].key   - HOTP/TOTP key in Base16/32/64 format on first line
  * [serial/login].pwd   - password (only first line is used)
  * [serial/login].count - numeric HOTP count on first line, autoincremented

Please note that required files must exist or the check will fail with an error.

To use the it define a service check like below:

~~~
# check that TOTP authentication is working for token serial and provided key
define service {
        host                   hostname.mydomain.tld
        service_description    Check TOTP Authentication
        check_command          check_totp_serial!TOTP0001234X!82f37371367b7e8aafb320b2d9b2721f66bbf161
        use                    generic-service
}


# check that TOTP authentication is working for token serial and info from folder
define service {
        host                   hostname.mydomain.tld
        service_description    Check TOTP Authentication
        check_command          check_totp_serial_dir!/etc/nagios3/tokeninfo!TOTP0001234X
        use                    generic-service
}

# check that HOTP authentication is working for token serial and info from folder
define service {
        host                   hostname.mydomain.tld
        service_description    Check TOTP Authentication
        check_command          check_hotp_serial_dir!/etc/nagios3/tokeninfo!HOTP0004321Y
        use                    generic-service
}
~~~


<a name=nagiosstatus>cgi-bin/nagiosstatus.sh</a>
------------------------------------------------

Very simplistic CGI-BIN script that checkes whether nagios is still running and
still updating its status. It wil always return an HTTP Status 200 (OK) and a
simple text page with one of the following texts:

 - `STOPPED` - in case the nagios process is not running
 - `STALLED` - in case the nagios status file has not been updated for 5 minutes
 - `OK` - when Nagios is running and updated its status file < 5 minutes ago

I wrote this script to be used with an external monitoring system, I use it with
the free subscription from [Pingdom](http://www.pingdom.com) to get alerts when
my Nagios monitoring system is no longer reachable.

<a name="license">License</a>
-----------------------------
These scripts, documentation & configration examples are free software: you can
redistribute and/or modify it under the terms of the GNU General Public License
as published by the Free Software Foundation, either version 3 of the License,
or (at your option) any later version.

This script, documenatation and configuration examples are distributed in the
hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License along with
this program.  If not, download it from <http://www.gnu.org/licenses/>.