From 09102027435256891bed940f56ddc9962b84cdff Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Mon, 14 Nov 2016 15:36:26 +0100
Subject: [PATCH] Add dsa-check-zone-signature-all
---
 .../checks/dsa-check-zone-signature-all | 72 +++++++++++++++++++
 dsa-nagios-checks/debian/changelog | 3 +-
 2 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100755 dsa-nagios-checks/checks/dsa-check-zone-signature-all
diff --git a/dsa-nagios-checks/checks/dsa-check-zone-signature-all b/dsa-nagios-checks/checks/dsa-check-zone-signature-all
new file mode 100755
index 0000000..45e4399
--- /dev/null
+++ b/dsa-nagios-checks/checks/dsa-check-zone-signature-all
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+# For each zone (each file in $BASE), fetches the zone from the
+# nameserver via AXFR and feeds it to bind's dnssec-verify to see of things are
+# sane.
+#
+# By default BASE is set via the indir option from the yaml file /etc/dns-helpers.yaml
+
+# Copyright 2016 Peter Palfrader
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+set -e
+set -u
+
+BASE=$(perl -mYAML -e 'my ($hashref, $arrayref, $string) = YAML::LoadFile($ARGV[0]); print $hashref->{'indir'},"\n"' /etc/dns-helpers.yaml)
+if [ -z "$BASE" ] || ! [ -d "$BASE" ] ; then
+ echo "Basedir $BASE is not a directory."
+ exit 3
+fi
+
+EXTRA="-b 127.0.0.1"
+MASTER=$(hostname -f)
+
+zones=$(mktemp)
+tmp=$(mktemp)
+extra=$(mktemp)
+trap "rm -f '$zones' '$tmp' '$extra'" EXIT
+
+err=0
+errmsg=""
+num=0
+
+for zone in $(find "$BASE" -maxdepth 1 -mindepth 1 -type f -printf "%f\n" | sort); do
+ if dig $EXTRA -t axfr @"$MASTER" "$zone" | /usr/sbin/dnssec-verify -o "$zone" /dev/stdin > "$tmp" 2>&1; then
+ num=$((num + 1))
+ else
+ err=2
+ errmsg="$errmsg $zone"
+ cat "$tmp" >> "$extra"
+ fi
+done < "$zones"
+
+if [ "$err" = 0 ]; then
+ if [ "$num" = 0 ]; then
+ echo "OK: No zones found?"
+ err=1
+ else
+ echo "OK: $num zones appear to be OK."
+ fi
+else
+ echo "CRITICAL:$errmsg"
+ cat "$extra"
+fi
+exit "$err"
diff --git a/dsa-nagios-checks/debian/changelog b/dsa-nagios-checks/debian/changelog
index d3b1647..c4626d0 100644
--- a/dsa-nagios-checks/debian/changelog
+++ b/dsa-nagios-checks/debian/changelog
@@ -35,6 +35,7 @@ dsa-nagios-checks (108+XXXX) UNRELEASED; urgency=medium
 * dsa-check-zone-rrsig-expiration-many: remove | (which starts performance
 data) in detail output.
 * dsa-check-zone-rrsig-expiration-many: sort zone details by state.
+ * dsa-check-zone-signature-all: add.
 
 [ Tollef Fog Heen ]
 * dsa-update-unowned-file-status: ignore fdescfs, used for /dev/fd on
@@ -47,7 +48,7 @@ dsa-nagios-checks (108+XXXX) UNRELEASED; urgency=medium
 * Add dsa-check-hpssacli, replaces hpacucli for new hosts.
 * dsa-check-hpssacli: accept 12.0Gbps as transfer speed for SAS
 
- -- Peter Palfrader Wed, 27 Jul 2016 10:31:06 +0200
+ -- Peter Palfrader Mon, 14 Nov 2016 15:36:09 +0100
 
 dsa-nagios-checks (108) unstable; urgency=medium
 
-- 
2.20.1
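Review bot: The no-zones branch prints `OK: No zones found?` but then sets `err=1`, so Nagios reports a WARNING whose text claims OK; the message should match the exit status, `echo "WARNING: No zones found?"`. The per-zone pipeline `dig ... | /usr/sbin/dnssec-verify ...` only reports dnssec-verify's exit status, so a refused, timed-out or truncated AXFR is counted as a verified zone unless dnssec-verify happens to reject the partial input; adding `set -o pipefail` next to `set -e` makes a transfer failure surface as CRITICAL instead of a possible false OK. `EXTRA="-b 127.0.0.1"` relies on unquoted word splitting at `dig $EXTRA`, which reads as an accident next to the carefully quoted arguments around it; `EXTRA=(-b 127.0.0.1)` used as `"${EXTRA[@]}"` states the intent and keeps ShellCheck quiet. `zones=$(mktemp)` is created, listed in the trap and then used only as `done < "$zones"` on a `for` loop that never reads stdin, so the temp file and that redirect can be dropped.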