Security

Check_client_cert_CAs_sent

Description:

This check uses OpenSSL to connect to a host:port and either confirms that the host is specifying at least one accepted client certificate CA name, or compares the accepted CA names list returned by the host to a list supplied to the check. The purpose is to detect a service that is supposed to accept client certificates but is not, or whose accepted CA list has changed.

Current Version

1.0.0

Last Release Date

2016-01-07

Compatible With

  • Nagios XI

Owner


Project Files
Project Notes
Help output from the check -

CWSI_check_client_cert_CAs_sent.php - v1.0.0

This plugin checks that the host sends a list of acceptable client certificate CAs
and optionally that the accepted list supplied by the host matches a list specified to this command

Usage: CWSI_check_client_cert_CAs_sent.php -h | -H -p -n [[-f ] | [-l [-m ]]]

Options:
  -h  Print this help and usage message
  -H  Host to query (REQUIRED)
  -p  Port on the host to query (REQUIRED)
  -n  The code to be returned if connection is successful but host does not accept any client certs, must be OK, WARNING or CRITICAL (REQUIRED)
  -f  The code to be returned if the host provides a list of accepted certs
  -l  Comma separated list expected client certificate CAs the host is expected to return, if the list matches OK will be returned, otherwise the return code will be as specified with -m
  -m  The code to be returned if the host provides a list of accepted certs that does not match the list specified with -l, must be WARNING or CRITICAL. Defaults to WARNING if not specified

This plugin will use OpenSSL to get the client certificate information from the host

Examples:

  $./CWSI_check_client_cert_CAs_sent.php -H www.google.com -p 443 -n WARNING
  Returns WARNING if this host is not listing any acceptable client certificate CAs, OK if it is returning some

  $./CWSI_check_client_cert_CAs_sent.php -H www.google.com -p 443 -n OK -f WARNING
  Returns OK if this host is not listing any acceptable client certificate CAs, WARNING if it is returning any

  $./CWSI_check_client_cert_CAs_sent.php -H www.google.com -p 443 -n WARNING -l 'CN=CA1O=Google,CN=CA2O=Google' -m WARNING
  Returns WARNING if the host returns no acceptable client certificates, OK if the hosts list matches the supplied list or WARNING if the hosts list does not match the supplied list

-----------------------------------------------

Some Command/Service definitions you might use -

define command {
    command_name    CWSI_check_client_cert_CAs_sent
    command_line    /usr/local/nagios/resources/scripts/CWSI_check_client_cert_CAs_sent.php -H $HOSTADDRESS$ -p $ARG1$ -n $ARG2$
}

define service {
    name                    CWSI_check_client_cert_CAs_sent_service
    service_description     CWSI_check_client_cert_CAs_sent_service
    check_command           CWSI_check_client_cert_CAs_sent!443!WARNING!!!!!!
    register                0
}

OR

define command {
    command_name    CWSI_check_client_cert_CAs_sent
    command_line    /usr/local/nagios/resources/scripts/CWSI_check_client_cert_CAs_sent.php -H $HOSTADDRESS$ -p $ARG1$ -n $ARG2$ -l "$ARG3$" -m $ARG4$
}

define service {
    name                    CWSI_check_client_cert_CAs_sent_service
    service_description     CWSI_check_client_cert_CAs_sent_service
    check_command           CWSI_check_client_cert_CAs_sent!443!WARNING!CN=CA1O=Google,CN=CA2O=Google!WARNING!!!!
    register                0
}

Watch out for the "" on $ARG3$ as many CA DNs will have spaces so these are required.

-----------------------------------------------

Tested with NagiosXI but no reason it will not work with other versions. Requires OpenSSL.
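The decision logic described by the -n / -f / -l / -m options, as an added Python example (not the plugin's own code, which is PHP and is not shown on this page). It assumes the text it parses is the output of openssl s_client -connect host:port; the sample output, the function names and the order-insensitive comparison are assumptions made for illustration.

```python
import re

CODES = {"OK": 0, "WARNING": 1, "CRITICAL": 2}   # standard Nagios plugin exit codes
HEADER = "Acceptable client certificate CA names"
# Constructed sample s_client output (not captured from a real host).
SAMPLE = """\
---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Client CA 1
C = US, O = Example Corp, CN = Example Client CA 2
Client Certificate Types: RSA sign, ECDSA sign
---
"""
SAMPLE_NONE = "---\nNo client certificate CA names sent\n---\n"

def normalize(dn):
    """Drop whitespace around '=' and ',' so 'CN = X' and 'CN=X' compare equal."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip())

def parse_ca_names(output):
    """Return the CA DNs listed under the s_client header, or [] if none were sent."""
    names, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line == HEADER:
            in_list = True
        elif in_list:
            # Assumption: the DN list ends at the first line without '=' ('---', 'Client Certificate Types: ...').
            if "=" not in line:
                break
            names.append(normalize(line))
    return names

def evaluate(output, none_code, found_code="OK", expected=None, mismatch_code="WARNING"):
    """Return (exit_code, message) following the -n / -f / -l / -m semantics in the help text."""
    sent = parse_ca_names(output)
    if not sent:
        return CODES[none_code], "no client certificate CA names sent"
    if expected is None:
        return CODES[found_code], "%d CA name(s) sent" % len(sent)
    want = {normalize(dn) for dn in expected}
    if set(sent) == want:   # assumption: order of the CA list is not significant
        return CODES["OK"], "CA list matches"
    missing, extra = sorted(want - set(sent)), sorted(set(sent) - want)
    return CODES[mismatch_code], "missing=%s unexpected=%s" % (missing, extra)

if __name__ == "__main__":
    print(evaluate(SAMPLE, "WARNING", expected=["C=US,O=Example Corp,CN=Example Client CA 1"], mismatch_code="CRITICAL"))
```

Reporting the missing and unexpected DNs separately in the message makes it clear whether a CA was dropped from the server's list or a new one was added.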