From c4cecc0ff10390d8fec0ffb29878050357c8ea1f Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Sun, 7 Dec 2014 10:56:54 +0100 Subject: [PATCH] dsa-check-config: check if existing ed25519 host keys are in ldap --- dsa-nagios-checks/checks/dsa-check-config | 21 +++++++++++++++++++++ dsa-nagios-checks/debian/changelog | 3 ++- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/dsa-nagios-checks/checks/dsa-check-config b/dsa-nagios-checks/checks/dsa-check-config index 4a59c65..ae5fa74 100755 --- a/dsa-nagios-checks/checks/dsa-check-config +++ b/dsa-nagios-checks/checks/dsa-check-config @@ -57,8 +57,29 @@ check_ldap_conf() { log warn "ldap.conf does not have URI, BASE, TLS_CACERT, TLS_REQCERT all configured correctly" } +check_ssh_hostkeys() { + if [ -e /etc/ssh/ssh_host_ed25519_key ] ; then + if ! [ -e /etc/ssh/ssh_host_ed25519_key.pub ]; then + log warn "Have /etc/ssh/ssh_host_ed25519_key without .pub" + return + fi + if cat /etc/ssh/ssh_known_hosts | awk -v hostname=$(hostname -f) '{split($1,a,","); if (a[1] == hostname) { print } }' | grep -q -F -f /etc/ssh/ssh_host_ed25519_key.pub; then + log ok "ed25519 host key in known_hosts" + return + else + log warn "ed25519 host key missing from known_hosts" + return + fi + else + log ok "no ed25519 host key." + return + fi +} + + check_aliases check_ldap_conf +check_ssh_hostkeys [ "$critical" = "" ] || echo -n "Critical: $critical; " [ "$warn" = "" ] || echo -n "Warning: $warn; " diff --git a/dsa-nagios-checks/debian/changelog b/dsa-nagios-checks/debian/changelog index 79c3ba3..f6276c5 100644 --- a/dsa-nagios-checks/debian/changelog +++ b/dsa-nagios-checks/debian/changelog 
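Review bot: The known_hosts match uses the whole `.pub` file as a fixed-string pattern list (`grep -q -F -f /etc/ssh/ssh_host_ed25519_key.pub`), so if the public key line carries a trailing comment such as `root@host` — which ssh-keygen writes by default — that full line will not occur in a known_hosts entry holding only type and key and the check warns on every host, while conversely any blank line in the pattern file makes `grep -F -f` match every line and report a false "ok". Compare only the key type and base64 fields instead: `pubkey=$(awk '{ print $1, $2 }' /etc/ssh/ssh_host_ed25519_key.pub)` followed by `... | grep -q -F -- "$pubkey"`. The awk filter also compares only the first comma-separated name in column 1, so an entry that lists an alias or address first, or a hashed or `@cert-authority`-marked line, would be missed; if the LDAP-generated file always puts the canonical FQDN first, say so, e.g. `# known_hosts from LDAP lists the canonical FQDN first; aliases/IPs are ignored`. Quoting `-v hostname="$(hostname -f)"` and letting awk read the file directly (`awk ... /etc/ssh/ssh_known_hosts`) would drop the useless cat and the stderr noise when ssh_known_hosts is absent.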
@@ -11,12 +11,13 @@ dsa-nagios-checks (101) UNRELEASED; urgency=low * dsa-check-running-kernel: in cat_vmlinux(), only consider the first 5 hits for the magic start sequence. This makes running times bearable on our new octeons. + * dsa-check-config: check if existing ed25519 host keys are in ldap. [ Hendrik Köhler ] * Extend dsa-check-entropy output so Icinga2 can process performance data (e.g. used by Graphite). - -- Peter Palfrader Wed, 05 Nov 2014 14:57:51 +0100 + -- Peter Palfrader Sun, 07 Dec 2014 10:56:34 +0100 dsa-nagios-checks (100) unstable; urgency=low -- 2.20.1