dsa-nagios-checks/checks/dsa-check-soas

   1 #!/usr/bin/ruby
   2
   3 # Copyright 2006, 2012, 2014 Peter Palfrader
   4 #           2012  Uli Martens
   5 #
   6 # Permission is hereby granted, free of charge, to any person obtaining
   7 # a copy of this software and associated documentation files (the
   8 # "Software"), to deal in the Software without restriction, including
   9 # without limitation the rights to use, copy, modify, merge, publish,
  10 # distribute, sublicense, and/or sell copies of the Software, and to
  11 # permit persons to whom the Software is furnished to do so, subject to
  12 # the following conditions:
  13 #
  14 # The above copyright notice and this permission notice shall be
  15 # included in all copies or substantial portions of the Software.
  16 #
  17 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
  18 # EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
  19 # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
  20 # NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
  21 # LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
  22 # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
  23 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  24
  25
  26 # the each_resource function is lifted from ruby 1.9.1's resolv.rb, with the
  27 # minor modification that we do not unconditionally set the message's RD flag
  28 # to 1.  Its license is:
  29 #
  30 # Copyright (C) 1993-2010 Yukihiro Matsumoto. All rights reserved.
  31 #
  32 # Redistribution and use in source and binary forms, with or without
  33 # modification, are permitted provided that the following conditions
  34 # are met:
  35 # 1. Redistributions of source code must retain the above copyright
  36 # notice, this list of conditions and the following disclaimer.
  37 # 2. Redistributions in binary form must reproduce the above copyright
  38 # notice, this list of conditions and the following disclaimer in the
  39 # documentation and/or other materials provided with the distribution.
  40 #
  41 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  42 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44 # ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51 # SUCH DAMAGE.
  52
  53
  54 require 'ipaddr'
  55 require 'resolv'
  56 require 'optparse'
  57 require 'yaml'
  58
  59 NAGIOS_STATUS = { :OK => 0, :WARNING => 1, :CRITICAL => 2, :UNKNOWN => -1 };
  60 @verbose = 0;
  61 @additional_nameservers = []
  62 @check_soa_nameservers = true;
  63
  64 def show_help(parser, code=0, io=STDOUT)
  65   program_name = File.basename($0, '.*')
  66   io.puts "Usage: #{program_name} [options] <domainname> [<domainname> ...]"
  67   io.puts parser.summarize
  68   exit(code)
  69 end
  70 ARGV.options do |opts|
  71         opts.on_tail("-h", "--help" , "Display this help screen")                               { show_help(opts) }
  72         opts.on("-v", "--verbose"   , String, "Be verbose")                                     { @verbose += 1 }
  73         opts.on("-a", "--add=HOST"  , String, "Also check SOA on <nameserver>")                 { |val| @additional_nameservers << val }
  74         opts.on("-n", "--no-soa-ns" , String, "Don't query SOA record for list of nameservers") { @check_soa_nameservers = false }
  75         opts.parse!
  76 end
  77 show_help(ARGV.options, 1, STDERR) if ARGV.length == 0
  78
  79 if @additional_nameservers.count <= 1 and not @check_soa_nameservers
  80         program_name = File.basename($0, '.*')
  81         STDERR.puts "#{program_name}: Only know about #{@additional_nameservers.count} nameserver(s) and --no-soa-ns specified.  I want at least two."
  82         exit(1)
  83 end
  84
  85 class DSADNS < Resolv::DNS
  86         attr_reader :rd
  87         attr_writer :rd
  88
  89         def initialize(*args)
  90                 super
  91                 @rd = 1
  92         end
  93
  94         def each_resource(name, typeclass, &proc)
  95                 lazy_initialize
  96                 requester = make_udp_requester
  97                 senders = {}
  98                 begin
  99                         @config.resolv(name) {|candidate, tout, nameserver, port|
 100                                 msg = Message.new
 101                                 msg.rd = @rd
 102                                 msg.add_question(candidate, typeclass)
 103                                 unless sender = senders[[candidate, nameserver, port]]
 104                                         sender = senders[[candidate, nameserver, port]] =
 105                                                 requester.sender(msg, candidate, nameserver, port)
 106                                 end
 107                                 reply, reply_name = requester.request(sender, tout)
 108                                 case reply.rcode
 109                                 when RCode::NoError
 110                                         if reply.tc == 1 and not Requester::TCP === requester
 111                                                 requester.close
 112                                                 # Retry via TCP:
 113                                                 requester = make_tcp_requester(nameserver, port)
 114                                                 senders = {}
 115                                                 # This will use TCP for all remaining candidates (assuming the
 116                                                 # current candidate does not already respond successfully via
 117                                                 # TCP). This makes sense because we already know the full
 118                                                 # response will not fit in an untruncated UDP packet.
 119                                                 redo
 120                                         else
 121                                                 extract_resources(reply, reply_name, typeclass, &proc)
 122                                         end
 123                                         return
 124                                 when RCode::NXDomain
 125                                         raise Config::NXDomain.new(reply_name.to_s)
 126                                 else
 127                                         raise Config::OtherResolvError.new(reply_name.to_s)
 128                                 end
 129                         }
 130                 ensure
 131                         requester.close
 132                 end
 133         end
 134 end
 135
 136 @warnings = []
 137 @oks = []
 138
 139 def resolve_ns(dns, domain, nameserver)
 140         puts "Getting A record for nameserver #{nameserver} for #{domain}" if @verbose > 0
 141         arecords = dns.getresources(nameserver, Resolv::DNS::Resource::IN::A)
 142         @warnings << "Nameserver #{nameserver} for #{domain} has #{arecords.length} A records" if arecords.length != 1
 143         addresses = arecords.map { |a| a.address.to_s }
 144         puts "Addresses for nameserver #{nameserver} for #{domain}: #{addresses.join(', ')}" if @verbose > 0
 145         return addresses
 146 end
 147
 148 dns = Resolv::DNS.new
 149 ARGV.each{ |domain|
 150         serial = {}
 151         nameserver_addresses = {}
 152         if @check_soa_nameservers
 153                 nameservers = dns.getresources(domain, Resolv::DNS::Resource::IN::NS)
 154                 nameservernames = nameservers.collect{ |ns| ns.name.to_s }
 155                 nameservernames.each do |nameserver|
 156                         addrs = resolve_ns(dns, domain, nameserver)
 157                         @warnings << "Duplicate nameserver #{nameserver} for #{domain}" if nameserver_addresses[nameserver]
 158                         nameserver_addresses[nameserver] = addrs
 159                 end
 160         end
 161         @additional_nameservers.each do |ns|
 162                 begin
 163                         ipa = IPAddr.new(ns)  # check if it's an address
 164                         addrs = [ns]
 165                 rescue ArgumentError
 166                         addrs = resolve_ns(dns, domain, ns)
 167                 end
 168                 @warnings << "Duplicate nameserver #{ns} for #{domain}" if nameserver_addresses[ns]
 169                 nameserver_addresses[ns] = addrs
 170         end
 171
 172         nameserver_addresses.each_pair do |nameserver, addrs|
 173                 puts "Testing nameserver #{nameserver} for #{domain}" if @verbose > 0
 174                 addrs.each do |a|
 175                         puts " Nameserver #{nameserver} is at #{a}" if @verbose > 0
 176                         begin
 177                                 resolver = DSADNS.new({:nameserver => a})
 178                                 resolver.rd = 0
 179                                 soas = resolver.getresources(domain, Resolv::DNS::Resource::IN::SOA)
 180                         rescue SystemCallError => e
 181                                 @warnings << "Could not resolve #{domain} on #{nameserver}: #{e.message}"
 182                         else
 183                                 resolver.close
 184                                 @warnings << "Nameserver #{nameserver} for #{domain} returns #{soas.length} SOAs" if soas.length != 1
 185                                 soas.each do |soa|
 186                                         puts " Nameserver #{nameserver} returns serial #{soa.serial} for #{domain}" if @verbose > 0
 187                                         sn = soa.serial.to_i
 188                                         if serial.has_key? sn then
 189                                                 serial[sn] << nameserver
 190                                         else
 191                                                 serial[sn] = [nameserver]
 192                                         end
 193                                 end
 194                         end
 195                 end
 196         end
 197         case serial.keys.length
 198                 when 0
 199                         @warnings << "Found no serials for #{domain}"
 200                 when 1
 201                         @oks << "#{domain} is at #{serial.keys.first}"
 202                 else
 203                         text = []
 204                         serial.keys.sort.each do |sn|
 205                                 text << "#{sn} (#{serial[sn].join(', ')})"
 206                         end
 207                         @warnings << "Nameservers disagree on serials for #{domain}: found #{text.join(', ')}"
 208         end
 209 }
 210 dns.close
 211
 212 if @warnings.length > 0
 213         puts @warnings.join('; ')
 214         exit NAGIOS_STATUS[:WARNING]
 215 else
 216         puts @oks.join('; ')
 217         exit NAGIOS_STATUS[:OK]
 218 end