scripts / nagios-plugins

Name Last Update
cgi-bin Loading commit data...
plugins Loading commit data...
.gitignore Loading commit data...
LICENSE.txt Loading commit data...
README.md Loading commit data...

README.md

nagios-plugins

This repository contains my small collection of modified and custom written nagios check plugins and scripts for Nagios.

Most of these are very custom solutions or modified versions of standard plugins so distributing them through NagiosExchange is not really appropriate. I am publishing them separately so that others may benefit from these as well. Use them freely and please let me know is you encounter any issues or require changes.

The latest versions, documentation and bugtracker available on my GitLab instance

Copyright (c) 2015 - 2016 Frederik Lindenaar. free for distribution under the GNU General Public License, see below

contents

This repository contains the following scripts:

  • check_memory patched version of nagios-plugins check_memory script for Linux procps v3.3+
  • check_multiple_host_addresses monitor multi-home and dual-stack (i.e. ipv4 and ipv6) servers.
  • check_otp plugin to monitor PrivacyIDEA (and LinOTP) OTP validation
  • nagiosstatus CGI-BIN script to report the status of nagios (to monitor nagios itself)

plugins/check_memory

Nagios check script to monitor the memory on Linux systems. Due to changes in the output of procps v3.3 (the changelog refers to it as modernizing it), it's output changed and breaks the the check_memory script as shipped with many linux distributions. This version supports both the old and the new format so that is indifferent of which version of procps (to date) is used. No other changes were made to the script.

plugins/check_multiple_host_addresses

This script is a first attempt to monitor multi-home and dual-stack (i.e. ipv4 and ipv6) servers. In my setup a server should only considered availble if it is available on all of its primary addresses (i.e. both ipv4 and ipv6). It uses the excellent check_multi script to perform multiple a ping check to see if a host is available and reports the consolidated status. Using check_multi has the advantage that pnp4nagios and other scripting graphing solutions will support this solution as well.

Installation is straightforward, after installing the script on your server, add the following to your commands.cmd configuration file to make it available:

  # 'check-host-alive' command definition for multi-homed/dual-stack servers
  define command{
        command_name    check-addresses-alive
        command_line    [install_path]/plugins/check_multiplehost_addresses '$HOSTADDRESS$' '$_HOSTADDRESS6$'
  }

The example above assumes that the IPv6 address of the host is provided as part of the host configuration, i.e.:

  define host {
        ...
        address         192.168.0.1
        _address6       fdf8:f340:ab9d:c213::1
    ...
  }

To use the script either add check_command check-addresses-alive to the specific hosts that should use the check or to the generic host used as template.

plugins/check_otp

Plugin (check) to monitor OTP validation, currently implemented for PrivacyIDEA (and LinOTP). The check can validate a provided password/secret or calculate an HOTP or TOTP value and use that to validate (with or without a password). Other methods and interfaces can be plugged in easily (please raise a request or provide a patch).

Please run check_otp -h for an actual overview of the available options. The script currently supports 3 modes of operation:

  • password - simply authenticate with the provided secret (no calculations)
  • totp - calculate the TOTP code using a key and current time
  • hotp - calculate the HOTP code using a key and a count (automatically increments the count in case a count file is used)

Generic parameters (connection parameters, critical/warning thresholds, etc.) should be provided before the mode of operation is specified, mode-specific parameters should follow the mode selected. Keys, passwords and HOTP counts can be read from a file as well. Checks can be performed based on token serial or a login and a password (only mandatory for password authentication).

HOTP/TOTP modes require a Base16/32/64 encoded key provided on the command-line or in a file. The generated HOTP/TOTP value is appended to the password/secret (if provided), the order can be changed with the -m command line parameter.

Installation for is straightforward, after installing the script on the server add the following to your Nagios commands.cmd configuration file:

# 'check_totp_serial' command definition to test TOTP based on token serial (no password)
# parameters: token serial (ARG1), key (ARG2), additional parameters in ARG3
define command {
        command_name    check_totp_serial
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -s $ARG1$ -k $ARG2$ $ARG3$
}

# 'check_totp_serial' command definition to test TOTP based on token serial and password
# parameters: token serial (ARG1), key (ARG2), password (ARG3), additional parameters in ARG4
define command {
        command_name    check_totp_serial_pwd
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -s $ARG1$ -k $ARG2$ -p $ARG3$ $ARG4$
}

# 'check_totp_login' command definition to test TOTP based on login and password
# parameters: login (ARG1), key (ARG2), password (ARG3), additional parameters in ARG4
define command {
        command_name    check_totp_login
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -l $ARG1$ -k $ARG2$ -p $ARG3$ $ARG4$
}

# 'check_totp_serial_dir' command definition to test TOTP based on token serial
# parameters: directory (ARG1), token serial (ARG2) additional parameters in ARG3
define command {
        command_name    check_totp_serial_dir
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -s $ARG2$ -K $ARG1$/$ARG2$.key $ARG3$
}

# 'check_totp_serial_dir_pwd' command definition to test TOTP based on token serial and password
# parameters: directory (ARG1), token serial (ARG2), additional parameters in ARG3
define command {
        command_name    check_totp_serial_dir_pwd
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -s $ARG2$ -K $ARG1$/$ARG2$.key -P $ARG1$/$ARG2$.pwd $ARG3$
}

# 'check_totp_login_dir' command definition to test TOTP based on login
# parameters: directory (ARG1), login (ARG2), additional parameters in ARG3
define command {
        command_name    check_totp_login_dir
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -l $ARG2$ -K $ARG1$/$ARG2$.key $ARG3$
}

# 'check_totp_login_dir_pwd' command definition to test TOTP based on login and password
# parameters: directory (ARG1), login (ARG2) additional parameters in ARG3
define command {
        command_name    check_totp_login_dir_pwd
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -l $ARG2$ -K $ARG1$/$ARG2$.key -P $ARG1$/$ARG2$.pwd $ARG3$
}

# 'check_hotp_serial_dir' command definition to test HOTP based on token serial
# parameters: directory (ARG1), token serial (ARG2), additional parameters in ARG3
define command {
        command_name    check_hotp_serial_dir
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token hotp -s $ARG2$ -K $ARG1$/$ARG2$.key -C $ARG1$/$ARG2$.count $ARG3$
}

# 'check_hotp_serial_dir_pwd' command definition to test HOTP based on token serial and password
# parameters: directory (ARG1), token serial (ARG2), additional parameters in ARG3
define command {
        command_name    check_hotp_serial_dir_pwd
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token hotp -s $ARG2$ -K $ARG1$/$ARG2$.key -C $ARG1$/$ARG2$.count -P $ARG1$/$ARG2$.pwd $ARG3$
}

# 'check_hotp_login_dir' command definition to test HOTP based on login
# parameters: directory (ARG1), login (ARG2), additional parameters in ARG3
define command {
        command_name    check_hotp_login_dir
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token hotp -l $ARG2$ -K $ARG1$/$ARG2$.key -C $ARG1$/$ARG2$.count $ARG3$
}

# 'check_hotp_login_dir_pwd' command definition to test HOTP based on login and password
# parameters: directory (ARG1), login (ARG2), additional parameters in ARG3
define command {
        command_name    check_hotp_login_dir_pwd
        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token hotp -l $ARG2$ -K $ARG1$/$ARG2$.key -C $ARG1$/$ARG2$.count -P $ARG1$/$ARG2$.pwd $ARG3$
}

Please check / adjust the following:

  • replace [install_path]/plugins with the location of the script
  • assumption is that the $HOSTNAME$ can be used for an SSL connection (and that the certificate is valid for this host, use the -u parameter and an URL if this is not the case)
  • path on the server is assumed to be /token (API endpoints will be added)
  • check the thresholds for Warning (3s) and Critical (8s), adjust if needed

The dir and dir_pwd commands allow to store all sensitive data for tokens in a folder and hence only require a folder name and token serial or login. This expects the folder specified to contain the following files:

  • [serial/login].key - HOTP/TOTP key in Base16/32/64 format on first line
  • [serial/login].pwd - password (only first line is used)
  • [serial/login].count - numeric HOTP count on first line, autoincremented

Please note that required files must exist or the check will fail with an error.

To use the it define a service check like below:

# check that TOTP authentication is working for token serial and provided key
define service {
        host                   hostname.mydomain.tld
        service_description    Check TOTP Authentication
        check_command          check_totp_serial!TOTP0001234X!82f37371367b7e8aafb320b2d9b2721f66bbf161
        use                    generic-service
}


# check that TOTP authentication is working for token serial and info from folder
define service {
        host                   hostname.mydomain.tld
        service_description    Check TOTP Authentication
        check_command          check_totp_serial_dir!/etc/nagios3/tokeninfo!TOTP0001234X
        use                    generic-service
}

# check that HOTP authentication is working for token serial and info from folder
define service {
        host                   hostname.mydomain.tld
        service_description    Check TOTP Authentication
        check_command          check_hotp_serial_dir!/etc/nagios3/tokeninfo!HOTP0004321Y
        use                    generic-service
}

cgi-bin/nagiosstatus.sh

Very simplistic CGI-BIN script that checkes whether nagios is still running and still updating its status. It wil always return an HTTP Status 200 (OK) and a simple text page with one of the following texts:

  • STOPPED - in case the nagios process is not running
  • STALLED - in case the nagios status file has not been updated for 5 minutes
  • OK - when Nagios is running and updated its status file < 5 minutes ago

I wrote this script to be used with an external monitoring system, I use it with the free subscription from Pingdom to get alerts when my Nagios monitoring system is no longer reachable.

License

These scripts, documentation & configration examples are free software: you can redistribute and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This script, documenatation and configuration examples are distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, download it from http://www.gnu.org/licenses/.