git.lirion.de

Of git, get, and gud

summaryrefslogtreecommitdiffstats
path: root/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks
diff options
context:
space:
mode:
Diffstat (limited to 'nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks')
-rw-r--r--nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-cert-expire77
-rw-r--r--nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-cert-expire-dir90
-rw-r--r--nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-dnssec-delegation301
-rw-r--r--nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-entropy82
-rw-r--r--nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-packages362
-rw-r--r--nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-running-kernel255
-rw-r--r--nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-soas218
-rw-r--r--nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-statusfile90
8 files changed, 1475 insertions, 0 deletions
diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-cert-expire b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-cert-expire
new file mode 100644
index 0000000..98a04a2
--- /dev/null
+++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-cert-expire
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+# Checks if a given cert on disk will expire soon
+
+# Copyright 2009 Peter Palfrader
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+set -u
+set -e
+
+# warn if expires within 2 weeks, critical if within a day or already is expired
+warn=1209600
+crit=86400
+
+usage() {
+ echo "Usage: $0 [-w seconds] [-c seconds] <certfile>" >&2
+ exit 3
+}
+
+
+OPTS=`getopt -o w:c: -n "$0" -- "$@"` || usage
+
+eval set -- "$OPTS"
+
+while :; do
+ case "$1" in
+ -w) warn=$2; shift 2 ;;
+ -c) crit=$2; shift 2 ;;
+ --) shift; break; ;;
+ *) usage ;;
+ esac
+done
+if test "$crit" -gt "$warn"; then
+ warn=$crit
+fi
+
+if [ "$#" != 1 ]; then
+ usage
+fi
+
+cert="$1"
+
+if ! [ -r "$cert" ] ; then
+ echo "Cert file ($cert) does not exist or is not readable" >&2
+ exit 3
+fi
+
+expires=`openssl x509 -enddate -noout < "$cert"`
+
+if openssl x509 -checkend "$warn" -noout < "$cert" ; then
+ echo "OK: $expires"
+ exit 0
+fi
+if openssl x509 -checkend "$crit" -noout < "$cert" ; then
+ echo "WARN: $expires"
+ exit 1
+fi
+echo "CRITICAL: $expires"
+exit 2
diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-cert-expire-dir b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-cert-expire-dir
new file mode 100644
index 0000000..2c8eaa1
--- /dev/null
+++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-cert-expire-dir
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+# Checks if any of the *.crt files in a directory on disk will expire soon
+
+# Copyright 2009,2016 Peter Palfrader
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
+sn="$0"
+if [ "${sn%/*}" = "$sn" ]; then
+ CERT_CHECK=dsa-check-cert-expire
+else
+ CERT_CHECK="${sn%/*}/dsa-check-cert-expire"
+fi
+
+if [ "$#" != 1 ] ; then
+ echo >&2 "Usage: $0 <directory>"
+ exit 1
+fi
+
+DIR="$1"
+
+if ! [ -d "$DIR" ]; then
+ echo "Not a directory: $DIR"
+ exit 1
+fi
+
+OK=""
+WARN=""
+CRIT=""
+UNKNOWN=""
+cOK=0
+cWARN=0
+cCRIT=0
+cUNKNOWN=0
+
+t=$(tempfile)
+trap "rm -f '$t'" EXIT
+
+for i in "$DIR"/*.crt; do
+ d="${i%.crt}"
+ d="${d##*/}"
+ echo -n "$d: " >> "$t"
+ "$CERT_CHECK" "$i" >> "$t" 2>&1
+ rc=$?
+ if [ "$rc" = 0 ]; then
+ OK="$OK $d"
+ cOK=$(( cOK + 1 ))
+ elif [ "$rc" = 1 ]; then
+ WARN="$WARN $d"
+ cWARN=$(( cWARN + 1 ))
+ elif [ "$rc" = 2 ]; then
+ CRIT="$CRIT $d"
+ cCRIT=$(( cCRIT + 1 ))
+ else
+ UNKNOWN="$UNKNOWN $d"
+ cUNKNOWN=$(( cUNKNOWN + 1 ))
+ fi
+done
+
+if [ -n "$CRIT" ]; then rc=2;
+elif [ -n "$WARN" ]; then rc=1;
+elif [ -n "$UNKNOWN" ]; then rc=3;
+else rc=0;
+fi
+
+[ -n "$CRIT" ] && echo "CRITICAL ($cCRIT):$CRIT, "
+[ -n "$WARN" ] && echo "WARN ($cWARN):$WARN, "
+[ -n "$UNKNOWN" ] && echo "UNKNOWN ($cUNKNOWN):$UNKNOWN, "
+[ -n "$OK" ] && echo "OK ($cOK):$OK."
+cat "$t"
+exit $rc
diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-dnssec-delegation b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-dnssec-delegation
new file mode 100644
index 0000000..65b48b0
--- /dev/null
+++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-dnssec-delegation
@@ -0,0 +1,301 @@
+#!/usr/bin/perl
+
+# Copyright (c) 2010, 2014, 2015, 2017 Peter Palfrader <peter@palfrader.org>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use warnings;
+use English;
+use Net::DNS::Resolver;
+use Getopt::Long;
+use File::Basename;
+
+# taken from Array::Utils
+# http://cpansearch.perl.org/src/ZMIJ/Array-Utils-0.5/Utils.pm
+# This module is Copyright (c) 2007 Sergei A. Fedorov.
+# You may distribute under the terms of either the GNU General Public
+# License or the Artistic License, as specified in the Perl README file.
+#
+sub intersect(\@\@) {
+ my %e = map { $_ => undef } @{$_[0]};
+ return grep { exists( $e{$_} ) } @{$_[1]};
+}
+sub array_diff(\@\@) {
+ my %e = map { $_ => undef } @{$_[1]};
+ return @{[ ( grep { (exists $e{$_}) ? ( delete $e{$_} ) : ( 1 ) } @{ $_[0] } ), keys %e ] };
+}
+sub array_minus(\@\@) {
+ my %e = map{ $_ => undef } @{$_[1]};
+ return grep( ! exists( $e{$_} ), @{$_[0]} );
+}
+
+
+$SIG{'__DIE__'} = sub { print @_; exit 4; };
+
+my $RES = Net::DNS::Resolver->new;
+my $DLV = 'dlv.isc.org';
+my $params;
+
+sub get_tag_generic {
+ my $zone = shift;
+ my $type = shift;
+ my %options = @_;
+
+ my @result;
+ my @zsks;
+ print "Querying $type $zone\n" if $params->{'verbose'};
+ my $pkt = $RES->send($zone, $type);
+ return () unless $pkt;
+ return () unless $pkt->answer;
+ for my $rr ($pkt->answer) {
+ next unless ($rr->type eq $type);
+ next unless (lc($rr->name) eq lc($zone));
+
+ my $tag = $options{'pretty'} ? sprintf("%5d(%d)", $rr->keytag, $rr->algorithm) : $rr->keytag;
+
+ if ($type eq 'DNSKEY' && ($rr->{'flags'} & (1<<(15-8)))) {
+ # key is revoked
+ next;
+ }
+
+ # for now only handle KSKs, i.e. keys with the SEP flag set
+ if ($type eq 'DNSKEY' && !($rr->sep)) {
+ push @zsks, $tag;
+ next;
+ }
+
+ push @result, $tag;
+ };
+ if ($type eq 'DNSKEY' && (scalar @result) == 0) {
+ # use remaining keys if no keys with the SEP bit are present
+ @result = @zsks;
+ }
+ my %unique = ();
+ @result = sort {$a cmp $b} grep {!$unique{$_}++} @result;
+ return @result
+};
+
+sub get_dnskeytags {
+ my $zone = shift;
+ my %options = @_;
+ return get_tag_generic($zone, 'DNSKEY', %options);
+};
+sub get_dstags {
+ my $zone = shift;
+ my %options = @_;
+ return get_tag_generic($zone, 'DS', %options);
+};
+sub get_dlvtags {
+ my $zone = shift;
+ my %options = @_;
+ $zone .= ".".$DLV;
+ return get_tag_generic($zone, 'DLV', %options);
+};
+sub has_dnskey_parent {
+ my $zone = shift;
+
+ my $potential_parent;
+ if ($zone =~ m/\./) {
+ $potential_parent = $zone;
+ $potential_parent =~ s/^[^.]+\.//;
+ } else {
+ $potential_parent = '.';
+ }
+
+ print "Querying DNSKEY $potential_parent\n" if $params->{'verbose'};
+ my $pkt = $RES->send($potential_parent, 'DNSKEY');
+ return undef unless $pkt;
+ return undef unless $pkt->header;
+
+ unless ($pkt->answer) {
+ return undef unless $pkt->authority;
+ for my $rr ($pkt->authority) {
+ next unless ($rr->type eq 'SOA');
+
+ $potential_parent = $rr->name;
+ print "Querying DNSKEY $potential_parent\n" if $params->{'verbose'};
+ $pkt = $RES->send($potential_parent, 'DNSKEY');
+ return undef unless $pkt;
+ last;
+ };
+ };
+
+ return (0, $potential_parent) unless $pkt->answer;
+ for my $rr ($pkt->answer) {
+ next unless ($rr->type eq 'DNSKEY');
+ return (1, $potential_parent);
+ };
+}
+sub get_parent_dnssec_status {
+ my $zone = shift;
+ my @result;
+
+ while (1) {
+ my ($status, $parent) = has_dnskey_parent($zone);
+ last unless defined $status;
+ push @result, ($status ? "yes" : "no") . ("($parent)");
+ $zone = $parent;
+ last if $zone eq "" || $zone eq '.';
+ };
+
+ return join(', ', @result);
+};
+
+sub usage {
+ my $fd = shift;
+ my $exit = shift;
+
+ print $fd "Usage: $PROGRAM_NAME [--dir <dir>] overview|check-dlv|check-ds|check-header zone [zone...]\n";
+ print $fd " $PROGRAM_NAME --dir <dir> overview|check-dlv|check-ds|check-header\n";
+ print $fd " $PROGRAM_NAME --help\n";
+ exit $exit;
+}
+
+sub what_to_check {
+ my $zone = shift;
+ my $zonefile = shift;
+
+ my $do_dlv = 0;
+ my $do_ds = 0;
+
+ open(F, "<", $zonefile) or die ("Cannot open zonefile $zonefile for $zone: $!\n");
+ while (<F>) {
+ if (/^[#;]\s*dlv-submit\s*=\s*yes\s*$/) { $do_dlv = 1; }
+ if (/^[#;]\s*ds-in-parent\s*=\s*yes\s*$/) { $do_ds = 1; }
+ }
+ close(F);
+
+ return { 'dlv' => $do_dlv,
+ 'ds' => $do_ds };
+}
+sub diff_spec {
+ my $a = shift;
+ my $b = shift;
+
+ my @elems = intersect(@$a, @$b);
+ push @elems, map { '-'.$_ } array_minus(@$a, @$b);
+ push @elems, map { '+'.$_ } array_minus(@$b, @$a);
+ return join(',', @elems);
+}
+
+Getopt::Long::config('bundling');
+GetOptions (
+ '--help' => \$params->{'help'},
+ '--dir=s@' => \$params->{'dir'},
+ '--dlv=s' => \$params->{'dlv'},
+ '--verbose' => \$params->{'verbose'},
+) or usage(\*STDERR, 1);
+usage(\*STDOUT, 0) if ($params->{'help'});
+
+my $mode = shift @ARGV;
+usage(\*STDOUT, 0) unless (defined $mode && $mode =~ /^(overview|check-dlv|check-ds|check-header)$/);
+die ("check-header needs --dir") if ($mode eq 'check-header' && !defined $params->{'dir'});
+
+my %zones;
+if (scalar @ARGV) {
+ if (defined $params->{'dir'} && $mode ne 'check-header') {
+ warn "--dir option ignored"
+ }
+ %zones = map { $_ => $_} @ARGV;
+} else {
+ my $dirs = $params->{'dir'};
+ usage(\*STDOUT, 0) unless (defined $dirs);
+
+ for my $dir (@$dirs) {
+ chdir $dir or die "chdir $dir failed? $!\n";
+ opendir DIR, '.' or die ("Cannot opendir $dir\n");
+ for my $file (readdir DIR) {
+ next if ( -l "$file" );
+ next unless ( -f "$file" );
+ next if $file =~ /^(dsset|keyset)-/;
+
+ my $zone = $file;
+ if ($file =~ /\.zone$/) { # it's one of our yaml things
+ $zone = basename($file, '.zone');
+ };
+ $zones{$zone} = "$dir/$file";
+ }
+ closedir(DIR);
+ };
+};
+
+$DLV = $params->{'dlv'} if $params->{'dlv'};
+
+
+if ($mode eq 'overview') {
+ my %data;
+ for my $zone (keys %zones) {
+ $data{$zone} = { 'dnskey' => join(', ', get_dnskeytags($zone, pretty=>1)),
+ 'ds' => join(', ', get_dstags($zone, pretty=>1)),
+ 'dlv' => join(', ', get_dlvtags($zone, pretty=>1)),
+ 'parent_dnssec' => get_parent_dnssec_status($zone) };
+ }
+
+ my $format = "%60s %-20s %-15s %-3s %-10s\n";
+ printf $format, "zone", "DNSKEY", "DS\@parent", "DLV", "dnssec\@parent";
+ printf $format, "-"x 60, "-"x 20, "-"x 15, "-"x 3, "-"x 10;
+ for my $zone (sort {$a cmp $b} keys %data) {
+ printf $format, $zone,
+ $data{$zone}->{'dnskey'},
+ $data{$zone}->{'ds'},
+ $data{$zone}->{'dlv'},
+ $data{$zone}->{'parent_dnssec'};
+ }
+ exit(0);
+} elsif ($mode eq 'check-dlv' || $mode eq 'check-ds' || $mode eq 'check-header') {
+ my @to_check;
+ push @to_check, 'dlv' if $mode eq 'check-header' || $mode eq 'check-dlv';
+ push @to_check, 'ds' if $mode eq 'check-header' || $mode eq 'check-ds';
+
+ my @warn;
+ my @ok;
+ for my $zone (sort {$a cmp $b} keys %zones) {
+ my $require = { map { $_ => 1 } @to_check };
+ if ($mode eq 'check-header') {
+ $require = what_to_check($zone, $zones{$zone})
+ }
+
+ my @dnskey = get_dnskeytags($zone);
+ for my $thiskey (@to_check) {
+ my @target = $thiskey eq 'ds' ? get_dstags($zone) : get_dlvtags($zone);
+
+ my $spec = diff_spec(\@target, \@dnskey);
+ # if the intersection between DS and KEY is empty,
+ # or if there are DS records for keys we do not have, that's an issue.
+ if (intersect(@dnskey, @target) == 0 || array_minus(@target, @dnskey)) {
+ if ($require->{$thiskey} || scalar @target > 0) {
+ push @warn, "$zone ($spec)";
+ }
+ } else {
+ if ($require->{$thiskey}) {
+ push @ok, "$zone ($spec)";
+ }
+ };
+ }
+ }
+ print "WARNING: ", join(", ", @warn), "\n" if (scalar @warn);
+ print "OK: ", join(", ", @ok), "\n" if (scalar @ok);
+ exit (1) if (scalar @warn);
+ exit (0);
+} else {
+ die ("Invalid mode '$mode'\n");
+};
+
diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-entropy b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-entropy
new file mode 100644
index 0000000..ddf1d92
--- /dev/null
+++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-entropy
@@ -0,0 +1,82 @@
+#!/usr/bin/python
+
+# Copyright 2011 Peter Palfrader
+# Copyright 2014 Hendrik Koehler
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+import sys
+import os
+import time
+import optparse
+
+AVAIL = '/proc/sys/kernel/random/entropy_avail'
+
+parser = optparse.OptionParser()
+parser.add_option("-r", "--retries", dest="retries", metavar="NUM",
+ type="int", default=10,
+ help="Max number of retries [10].")
+parser.add_option("-s", "--sleep", dest="sleep", metavar="MSECS",
+ type="int", default=250,
+ help="Amount of time to wait between reads [250msec].")
+parser.add_option("-w", "--watermark", dest="watermark", metavar="BYTES",
+ type="int", default=800,
+ help="Minimum number of expected bytes in the entropy pool [800].")
+(options, args) = parser.parse_args()
+
+if len(args) != 0:
+ parser.print_help()
+ sys.exit(4)
+
+if not os.path.exists(AVAIL):
+ print "File %s does not exist."%(AVAIL)
+ sys.exit(4)
+
+tries = 0
+values = []
+while tries <= options.retries:
+ f = open('/proc/sys/kernel/random/entropy_avail')
+ avail = f.readline().rstrip()
+ if len(avail) == 0:
+ print "Could not read anything from %s"%(AVAIL)
+ sys.exit(4)
+ try:
+ avail = int(avail)
+ except ValueError:
+ print "Did not read a number from %s, got '%s' instead"%(AVAIL, avail)
+ sys.exit(4)
+
+ if avail >= options.watermark:
+ if tries > 0:
+ print "OK: %d bytes in the pool after %d attempts.|entropy=%d bytes"%(avail, tries, avail)
+ else:
+ print "OK: %d bytes in the pool.|entropy=%d bytes"%(avail, avail)
+ sys.exit(0)
+
+ values.append(avail)
+ time.sleep(1.0 * options.sleep / 1000)
+ tries += 1
+
+print "WARNING: Too little entropy in the pool (min: %d, max: %d in %d reads)|entropy=%d bytes"%(min(values), max(values), tries-1, avail)
+sys.exit(1)
+
+# vim:set et:
+# vim:set ts=4:
+# vim:set shiftwidth=4:
diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-packages b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-packages
new file mode 100644
index 0000000..28844e5
--- /dev/null
+++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-packages
@@ -0,0 +1,362 @@
+#!/usr/bin/perl
+
+# dsa-check-packages
+
+# checks for obsolete/local and upgradeable packages.
+#
+# packages for the obsolete/local check can be ignored, by
+# listing their full name in /etc/nagios/obsolete-packages-ignore
+# or by having a regex (starting a line with "/") that matches
+# the packagename in said file.
+#
+# Takes one optional argument, the location of the ignore file.
+
+
+# Copyright (C) 2008, 2009 Peter Palfrader <peter@palfrader.org>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+use strict;
+use warnings;
+use English;
+
+my $IGNORE = "/etc/nagios/obsolete-packages-ignore";
+my $IGNORED = "/etc/nagios/obsolete-packages-ignore.d";
+
+my %CODE = (
+ 'OK' => 0,
+ 'WARNING' => 1,
+ 'CRITICAL' => 2,
+ 'UNKNOWN' => 3
+);
+my $EXITCODE = 'OK';
+sub record($) {
+ my ($newexit) = @_;
+ die "code $newexit not defined\n" unless defined $CODE{$newexit};
+
+ if ($CODE{$newexit} > $CODE{$EXITCODE}) {
+ $EXITCODE = $newexit;
+ };
+}
+
+
+
+sub get_packages {
+ $ENV{'COLUMNS'} = 1000;
+ $ENV{'LC_ALL'} = 'C';
+ open(F, "dpkg -l|") or die ("Cannot run dpkg: $!\n");
+ my @lines = <F>;
+ close(F);
+ chomp(@lines);
+
+ my $line;
+ my $has_arch = 0;
+ while (defined($line = shift @lines) && ($line !~ /\+\+\+/)) {
+ if ($line =~ /Architecture/) { $has_arch = 1; }
+ }
+
+ my %pkgs;
+ for $line (@lines) {
+ my ($state, $pkg, $version, $arch, undef) = split(/ */, $line);
+ $arch = '' unless $has_arch;
+ $pkgs{$state}{$pkg} = { 'installed' => $version, arch => $arch }
+ }
+
+ my $installed = $pkgs{'ii'};
+ delete $pkgs{'ii'};
+
+ my @installed_packages = keys(%$installed);
+ my @cmd = ("apt-cache", "policy", @installed_packages);
+
+ open my $olderr, ">&STDERR" or die "Can't dup STDERR: $!";
+ open STDERR, ">/dev/null" or die "Can't dup STDOUT: $!";
+ open (F, "-|", @cmd) or die ("Cannot run apt-cache policy: $!\n");
+ @lines = <F>;
+ close(F);
+ open STDERR, ">&", $olderr or die "Can't dup OLDERR: $!";
+ chomp(@lines);
+
+ my $pkgname = undef;
+ my $candidate_found = 0;
+ while (defined($line = shift @lines)) {
+ if ($line =~ /^([^ ]*):$/) {
+ # when we have multi-arch capable fu, we require that
+ # apt-cache policy output is in the same order as its
+ # arguments.
+ #
+ # We needs thi, because the output block in apt-cache
+ # policy does not show the arch:
+ #
+ # | weasel@stanley:~$ apt-cache policy libedit2:amd64
+ # | libedit2:
+ # | Installed: 2.11-20080614-5
+ # | Candidate: 2.11-20080614-5
+ #
+ # We replace the package name in the output with the
+ # one we asked for ($pkg:$arch) - but to match this up
+ # sanely we need the order to be correct.
+ #
+ # For squeeze systems (no m-a), apt-cache policy output
+ # is all different.
+ $pkgname = $1;
+ $candidate_found = 0;
+ if ($has_arch) {
+ my $from_list = shift @installed_packages;
+ next if ($pkgname eq $from_list); # no :$arch in pkgname we asked for
+
+ my $ma_fix_pkgname = $pkgname.':'.$installed->{$from_list}->{'arch'};
+ my $ma_fix_from_list = $from_list.':'.$installed->{$from_list}->{'arch'};
+
+ if ($pkgname eq $ma_fix_from_list || # e.g. ia32-libs-i386. dpkg -l: ia32-libs-i386, apt-cache policy: ia32-libs-i386:i386
+ $ma_fix_pkgname eq $from_list) {
+ $pkgname = $from_list;
+ } else {
+ die "Unexpected order mismatch in apt-cache policy output (apt-cache policy name: $pkgname - dpkg -l name: $from_list)\n";
+ }
+ }
+ } elsif ($line =~ /^ +Installed: (.*)$/) {
+ # etch dpkg -l does not print epochs, so use this info, it's better
+ $installed->{$pkgname}{'installed'} = $1;
+ # initialize security-update
+ $installed->{$pkgname}{'security-update'} = 0;
+ } elsif ($line =~ /^ +Candidate: (.*)$/) {
+ $installed->{$pkgname}{'candidate'} = $1;
+ } elsif ($line =~ / ([^ ]+) [0-9]+/) {
+ # check if the next lines show the sources of our candidate
+ if ($1 eq $installed->{$pkgname}{'candidate'}) {
+ $candidate_found = 1;
+ }
+ } elsif (($line =~ / +[0-9]+ [^ ]+\/(security\.([^ ]+\.)?debian\.org|debian-security).*\/updates\//) && $candidate_found ) {
+ $installed->{$pkgname}{'security-update'} = 1;
+ } elsif ($line =~ /^ +\*\*\*/) {
+ $line = shift @lines;
+ my @l = split(/ +/, $line);
+ $installed->{$pkgname}{'origin'} = $l[2];
+ $candidate_found = 0;
+ }
+ }
+
+ my (%current, %obsolete, %outofdate, %security_outofdate);
+ for my $pkgname (keys %$installed) {
+ my $pkg = $installed->{$pkgname};
+
+ unless (defined($pkg->{'candidate'}) && defined($pkg->{'origin'})) {
+ $obsolete{$pkgname} = $pkg;
+ next;
+ }
+
+ if ($pkg->{'candidate'} ne $pkg->{'installed'}) {
+ if ($pkg->{'security-update'}) {
+ $security_outofdate{$pkgname} = $pkg;
+ } else {
+ $outofdate{$pkgname} = $pkg;
+ }
+ next;
+ };
+ if ($pkg->{'origin'} eq '/var/lib/dpkg/status') {
+ $obsolete{$pkgname} = $pkg;
+ next;
+ }
+ $current{$pkgname} = $pkg;
+ }
+
+ $pkgs{'current'} = \%current;
+ $pkgs{'outofdate'} = \%outofdate;
+ $pkgs{'security_outofdate'} = \%security_outofdate;
+ $pkgs{'obsolete'} = \%obsolete;
+ return \%pkgs;
+}
+
+sub load_ignores {
+ my ($ignorefiles, $require_file) = @_;
+
+ my @ignores;
+
+ for my $ignoreitem (@$ignorefiles) {
+ next if (!$require_file and ! -e $ignoreitem);
+
+ my @filestoopen;
+ if (-d $ignoreitem) {
+ opendir(DIR, $ignoreitem) or die ("Cannot open dir $ignoreitem: $!\n");
+ @filestoopen = readdir(DIR);
+ closedir(DIR);
+
+ @filestoopen = grep { -f ($ignoreitem.'/'.$_) } @filestoopen;
+ @filestoopen = grep { /^([a-z0-9_.-]+)+[a-z0-9]+$/i } @filestoopen;
+ @filestoopen = grep { !/dpkg-(old|dist|new|tmp)$/ } @filestoopen;
+ @filestoopen = map { ($ignoreitem.'/'.$_) } @filestoopen;
+ } else {
+ push @filestoopen, $ignoreitem;
+ }
+
+ for my $f (@filestoopen) {
+ open (F, "< $f") or die ("Cannot open $f: $!\n");
+ push @ignores, <F>;
+ close F;
+ }
+ }
+ chomp(@ignores);
+ return \@ignores;
+}
+
+sub check_ignore {
+ my ($pkg, $ignores) = @_;
+
+ my $ignore_this = 0;
+ for my $ignore (@$ignores) {
+ my $ig = $ignore;
+ return 1 if ($ig eq $pkg);
+ if (substr($ig,0,1) eq '/') {
+ substr($ig, 0, 1, '');
+ $ig =~ s,/$,,;
+ return 1 if ($pkg =~ /$ig/);
+ }
+ }
+ return 0
+}
+
+sub filter_ignored {
+ my ($packages, $ignores) = @_;
+
+ my $obs = $packages->{'obsolete'};
+
+ my (%ignored, %bad);
+ for my $pkg (keys %$obs) {
+ if (check_ignore($pkg, $ignores)) {
+ $ignored{$pkg} = $obs->{$pkg};
+ } else {
+ $bad{$pkg} = $obs->{$pkg};
+ };
+ }
+ delete $packages->{'obsolete'};
+ $packages->{'obsolete'} = \%bad;
+ $packages->{'obsolete-ignored'} = \%ignored;
+};
+
+sub usage {
+ my ($fd, $exit) = @_;
+ print $fd "Usage: $PROGRAM_NAME [<ignorefile|dir> [<ignorefile|dir> ...]]\n";
+ exit $exit;
+}
+
+my $ignorefiles = [$IGNORE, $IGNORED];
+my $ignorefile_userset = 0;
+if (@ARGV >= 1) {
+ usage(\*STDOUT, 0) if ($ARGV[0] eq "-h");
+ usage(\*STDOUT, 0) if ($ARGV[0] eq "--help");
+ $ignorefile_userset = 1;
+ $ignorefiles = \@ARGV;
+};
+
+my $ignores = load_ignores($ignorefiles, $ignorefile_userset);
+my $packages = get_packages();
+
+filter_ignored($packages, $ignores);
+
+
+
+my @reportform = (
+ { 'key' => 'obsolete',
+ 'listpackages' => 1,
+ 'long' => "%d local or obsolete packages: %s",
+ 'short' => "%d obs/loc",
+ 'perf' => "obs_loc=%d;1;5;0",
+ 'status' => 'WARNING' },
+ { 'key' => 'outofdate',
+ 'listpackages' => 1,
+ 'long' => "%d out of date packages: %s",
+ 'short' => "%d updates",
+ 'perf' => "outdated=%d;1;5;0",
+ 'status' => 'WARNING' },
+ { 'key' => 'current',
+ 'listpackages' => 0,
+ 'long' => "%d packages current.",
+ 'short' => "%d ok",
+ 'perf' => "current=%d;;;0",
+ 'status' => 'OK' },
+ { 'key' => 'obsolete-ignored',
+ 'listpackages' => 1,
+ 'long' => "%d whitelisted local or obsolete packages: %s",
+ 'short' => "%d obs/loc(ignored)",
+ 'perf' => "obs_ign=%d;;;0",
+ 'status' => 'OK' },
+ { 'key' => 'rc',
+ 'listpackages' => 1,
+ 'long' => "%d packages removed but not purged: %s",
+ 'short' => "%d rc",
+ 'perf' => "rm_unprg=%d;;;0",
+ 'status' => 'OK' },
+ { 'key' => 'hi',
+ 'listpackages' => 1,
+ 'long' => "%d packages on hold: %s",
+ 'short' => "%d hi",
+ 'perf' => "hold=%d;;;0",
+ 'status' => 'OK' },
+ { 'key' => 'pc',
+ 'listpackages' => 1,
+ 'long' => "%d packages requested to be purged but conffiles still installed: %s",
+ 'short' => "%d pc",
+ 'perf' => "prg_conf=%d;1;;0",
+ 'status' => 'WARNING' },
+ { 'key' => 'security_outofdate',
+ 'listpackages' => 1,
+ 'long' => "%d packages with outstanding security updates: %s",
+ 'short' => "%d security-updates",
+ 'perf' => "security_outdated=%d;;1;0",
+ 'status' => 'CRITICAL' },
+ );
+
+my @longout;
+my @perfout;
+my @shortout;
+for my $form (@reportform) {
+ my $pkgs = $packages->{$form->{'key'}};
+ delete $packages->{$form->{'key'}};
+ my $num = scalar keys %$pkgs;
+ push @perfout, sprintf($form->{'perf'}, $num);
+ next unless ($num > 0);
+ if ($form->{'listpackages'}) {
+ my $list = join(", ", keys %$pkgs);
+ push @longout, sprintf($form->{'long'}, $num, $list);
+ } else {
+ push @longout, sprintf($form->{'long'}, $num);
+ };
+ push @shortout, sprintf($form->{'short'}, $num);
+ record($form->{'status'});
+};
+if (scalar keys %$packages) {
+ record('WARNING');
+ unshift @shortout, "unk: ".join(", ", keys %$packages);
+ for my $status (sort {$b cmp $a} keys %$packages) {
+ my $pkgs = $packages->{$status};
+ my $list = join(", ", keys %$pkgs);
+ unshift @longout, "Unknown package status $status: $list";
+ };
+}
+
+my $shortout = $EXITCODE.": ".join(", ", @shortout);
+my $longout = join("\n", @longout);
+my $perfout = "|".join(" ", @perfout);
+
+print $shortout,"\n";
+print $longout,"\n";
+print $perfout,"\n";
+
+exit $CODE{$EXITCODE};
diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-running-kernel b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-running-kernel
new file mode 100644
index 0000000..467c219
--- /dev/null
+++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-running-kernel
@@ -0,0 +1,255 @@
+#!/bin/bash
+
+# Check if the running kernel has the same version string as the on-disk
+# kernel image.
+
+# Copyright 2008,2009,2011,2012,2013,2014 Peter Palfrader
+# Copyright 2009 Stephen Gran
+# Copyright 2010,2012,2013 Uli Martens
+# Copyright 2011 Alexander Reichle-Schmehl
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+OK=0;
+WARNING=1;
+CRITICAL=2;
+UNKNOWN=3;
+
+get_offset() {
+ local file needle
+
+ file="$1"
+ needle="$2"
+
+ perl -e '
+ undef $/;
+ $i = 0; $k=<>;
+ while (($i = index($k, "'"$needle"'", $i)) >= 0) {
+ print $i++,"\n";
+ }; ' < "$file"
+}
+
+get_avail() {
+ # This is wrong, but leaves room for when we have to care for machines running
+ # myfirstunix-image-0.1-dsa-arm
+ local prefix="$1"; shift
+
+ local kervers=$(uname -r)
+
+ local metavers=''
+
+ # DSA uses kernel versions of the form 2.6.29.3-dsa-dl380-oldxeon, where
+ # Debian uses versions of the form 2.6.29-2-amd64
+ if [ "${kervers#2}" != "$kervers" ]; then
+ if [ "${kervers//dsa}" != "$kervers" ]; then
+ metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+([\.0-9]+?)-(.*)/2.\1-\3/')
+ else
+ metavers=$(echo $kervers | sed -r -e 's/^2\.(4|6)\.[0-9]+-[A-Za-z0-9\.]+-(.*)/2.\1-\2/')
+ fi
+ else
+ metavers=$(echo $kervers | sed -r -e 's/^[0-9]+\.[0-9]+(\.[0-9])?+-[A-Za-z0-9\.]+-(.*)/\2/')
+ fi
+
+ # Attempt to track back to a metapackage failed. bail
+ if [ "$metavers" = "$kervers" ]; then
+ return 2
+ fi
+
+ # We're just going to give up if we can't find a matching metapackage
+ # I tried being strict once, and it just caused a lot of headaches. We'll see how
+ # being lax does for us
+
+ local output=$(apt-cache policy ${prefix}-image-${metavers} 2>/dev/null)
+ local metaavailvers=$(echo "$output" | grep '^ Candidate:' | awk '{print $2}')
+ local metainstavers=$(echo "$output" | grep '^ Installed:' | awk '{print $2}')
+
+ if [ -z "$metaavailvers" ] || [ "$metaavailvers" = '(none)' ]; then
+ return 2
+ fi
+ if [ -z "$metainstavers" ] || [ "$metainstavers" = '(none)' ]; then
+ return 2
+ fi
+
+ if [ "$metaavailvers" != "$metainstavers" ] ; then
+ echo "${prefix}-image-${metavers} $metaavailvers available but $metainstavers installed"
+ return 1
+ fi
+
+ local imagename=0
+ # --no-all-versions show shows only the candidate
+ for vers in $(apt-cache --no-all-versions show ${prefix}-image-${metavers} | sed -n 's/^Depends: //p' | tr ',' '\n' | tr -d ' ' | grep ${prefix}-image | awk '{print $1}' | sort -u); do
+ if dpkg --compare-versions "1.$vers" gt "1.$imagename"; then
+ imagename=$vers
+ fi
+ done
+
+ if [ -z "$imagename" ] || [ "$imagename" = 0 ]; then
+ return 2
+ fi
+
+ if [ "$imagename" != "${prefix}-image-${kervers}" ]; then
+ if dpkg --compare-versions 1."$imagename" lt 1."${prefix}-image-${kervers}"; then
+ return 2
+ fi
+ echo "$imagename" != "${prefix}-image-${kervers}"
+ return 1
+ fi
+
+ local availvrs=$(apt-cache policy ${imagename} 2>/dev/null | grep '^ Candidate' | awk '{print $2}')
+ local kernelversion
+ for kernelversion in $(apt-cache policy ${prefix}-image-${kervers} ${prefix}-image-${kervers}-unsigned 2>/dev/null | grep '^ Installed:' | awk '{print $2}' | grep -F -v '(none)' ); do
+ if [ "$availvrs" = "$kernelversion" ]; then
+ return 0
+ fi
+ done
+
+ echo "$kernelversion != $availvrs"
+ return 1
+}
+
+cat_vmlinux() {
+ local image header filter hdroff
+
+ image="$1"
+ header="$2"
+ filter="$3"
+ hdroff="$4"
+
+ get_offset "$image" $header | head -n 5 | while read off; do
+ (if [ "$off" != 0 ]; then
+ dd ibs="$((off+hdroff))" skip=1 count=0
+ fi &&
+ dd bs=512k) < "$image" 2>/dev/null | $filter 2>/dev/null
+ done
+}
+
+get_image_linux() {
+ local image
+
+ image="$1"
+
+ # gzip compressed image
+ cat_vmlinux "$image" "\x1f\x8b\x08\x00" "zcat" 0
+ cat_vmlinux "$image" "\x1f\x8b\x08\x08" "zcat" 0
+ # lzma compressed image
+ cat_vmlinux "$image" "\x00\x00\x00\x02\xff" "xzcat" -1
+ cat_vmlinux "$image" "\x00\x00\x00\x04\xff" "xzcat" -1
+ # xz compressed image
+ cat_vmlinux "$image" "\xfd\x37\x7a\x58\x5a " "xzcat" 0
+
+ echo "ERROR: Unable to extract kernel image." 2>&1
+ exit 1
+}
+
+
+freebsd_check_running_version() {
+ local imagefile="$1"; shift
+
+ local r="$(uname -r)"
+ local v="$(uname -v| sed -e 's/^#[0-9]*/&:/')"
+
+ local q='@(#)FreeBSD '"$r $v"
+
+ if zcat "$imagefile" | $STRINGS | grep -F -q "$q"; then
+ echo "OK"
+ else
+ echo "not OK"
+ fi
+}
+
+STRINGS="";
+if [ -x "$(which strings)" ]; then
+ STRINGS="$(which strings)"
+elif [ -x "$(which busybox)" -a "$( echo foobar | $(which busybox) strings 2>/dev/null)" = "foobar" ]; then
+ STRINGS="$(which busybox) strings"
+fi
+
+searched=""
+for on_disk in \
+ "/boot/vmlinuz-`uname -r`"\
+ "/boot/vmlinux-`uname -r`"\
+ "/boot/kfreebsd-`uname -r`.gz"; do
+
+ if [ -e "$on_disk" ]; then
+ if [ -z "$STRINGS" ]; then
+ echo "UNKNOWN: 'strings' command missing, perhaps install binutils or busybox?"
+ exit $UNKNOWN
+ fi
+ if [ "${on_disk/vmlinu}" != "$on_disk" ]; then
+ on_disk_version="`get_image_linux "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+ if [ -x /usr/bin/lsb_release ] ; then
+ vendor=$(lsb_release -i -s)
+ if [ -n "$vendor" ] && [ "xDebian" != "x$vendor" ] ; then
+ on_disk_version=$( echo $on_disk_version|sed -e "s/ ($vendor [[:alnum:]\.-]\+ [[:alnum:]\.]\+)//")
+ fi
+ fi
+ [ -z "$on_disk_version" ] || break
+ on_disk_version="`cat "$on_disk" | $STRINGS | grep 'Linux version' | head -n1`"
+ [ -z "$on_disk_version" ] || break
+
+ echo "UNKNOWN: Failed to get a version string from image $on_disk"
+ exit $UNKNOWN
+ else
+ on_disk_version="$(zcat $on_disk | $STRINGS | grep Debian | head -n 1 | sed -e 's/Debian [[:alnum:]]\+ (\(.*\))/\1/')"
+ fi
+ fi
+ searched="$searched $on_disk"
+done
+
+if ! [ -e "$on_disk" ]; then
+ echo "WARNING: Did not find a kernel image (checked$searched) - I have no idea which kernel I am running"
+ exit $WARNING
+fi
+
+if [ "$(uname -s)" = "Linux" ]; then
+ running_version="`cat /proc/version`"
+ if [ -z "$running_version" ] ; then
+ echo "UNKNOWN: Failed to get a version string from running system"
+ exit $UNKNOWN
+ fi
+
+ if [ "$running_version" != "$on_disk_version" ]; then
+ echo "WARNING: Running kernel does not match on-disk kernel image: [$running_version != $on_disk_version]"
+ exit $WARNING
+ fi
+
+ ret="$(get_avail linux)"
+ if [ $? = 1 ]; then
+ echo "WARNING: Kernel needs upgrade [$ret]"
+ exit $WARNING
+ fi
+else
+ image_current=$(freebsd_check_running_version $on_disk)
+ running_version="`uname -s` `uname -r` `uname -v`"
+ if [ "$image_current" != "OK" ]; then
+ approx_time="$(date -d "@`stat -c '%Y' "$on_disk"`" +"%Y-%m-%d %H:%M:%S")"
+ echo "WARNING: Currently running kernel ($running_version) does not match on disk image (~ $approx_time)"
+ exit $WARNING;
+ fi
+
+ ret="$(get_avail linux)"
+ if [ $? = 1 ]; then
+ echo "WARNING: Kernel needs upgrade [$ret]"
+ exit $WARNING
+ fi
+fi
+
+echo "OK: Running kernel matches on disk image: [$running_version]"
+exit $OK
diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-soas b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-soas
new file mode 100644
index 0000000..eb28d8c
--- /dev/null
+++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-soas
@@ -0,0 +1,218 @@
+#!/usr/bin/ruby
+
+# Copyright 2006, 2012, 2014 Peter Palfrader
+# 2012 Uli Martens
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
+# the each_resource function is lifted from ruby 1.9.1's resolv.rb, with the
+# minor modification that we do not unconditionally set the message's RD flag
+# to 1. Its license is:
+#
+# Copyright (C) 1993-2010 Yukihiro Matsumoto. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+
+require 'ipaddr'
+require 'resolv'
+require 'optparse'
+require 'yaml'
+
+NAGIOS_STATUS = { :OK => 0, :WARNING => 1, :CRITICAL => 2, :UNKNOWN => -1 };
+@verbose = 0;
+@additional_nameservers = []
+@check_soa_nameservers = true;
+
+def show_help(parser, code=0, io=STDOUT)
+ program_name = File.basename($0, '.*')
+ io.puts "Usage: #{program_name} [options] <domainname> [<domainname> ...]"
+ io.puts parser.summarize
+ exit(code)
+end
+ARGV.options do |opts|
+ opts.on_tail("-h", "--help" , "Display this help screen") { show_help(opts) }
+ opts.on("-v", "--verbose" , String, "Be verbose") { @verbose += 1 }
+ opts.on("-a", "--add=HOST" , String, "Also check SOA on <nameserver>") { |val| @additional_nameservers << val }
+ opts.on("-n", "--no-soa-ns" , String, "Don't query SOA record for list of nameservers") { @check_soa_nameservers = false }
+ opts.parse!
+end
+show_help(ARGV.options, 1, STDERR) if ARGV.length == 0
+
+if @additional_nameservers.count <= 1 and not @check_soa_nameservers
+ program_name = File.basename($0, '.*')
+ STDERR.puts "#{program_name}: Only know about #{@additional_nameservers.count} nameserver(s) and --no-soa-ns specified. I want at least two."
+ exit(1)
+end
+
+class DSADNS < Resolv::DNS
+ attr_reader :rd
+ attr_writer :rd
+
+ def initialize(*args)
+ super
+ @rd = 1
+ end
+
+ def each_resource(name, typeclass, &proc)
+ lazy_initialize
+ requester = make_udp_requester
+ senders = {}
+ begin
+ @config.resolv(name) {|candidate, tout, nameserver, port|
+ msg = Message.new
+ msg.rd = @rd
+ msg.add_question(candidate, typeclass)
+ unless sender = senders[[candidate, nameserver, port]]
+ sender = senders[[candidate, nameserver, port]] =
+ requester.sender(msg, candidate, nameserver, port)
+ end
+ reply, reply_name = requester.request(sender, tout)
+ case reply.rcode
+ when RCode::NoError
+ if reply.tc == 1 and not Requester::TCP === requester
+ requester.close
+ # Retry via TCP:
+ requester = make_tcp_requester(nameserver, port)
+ senders = {}
+ # This will use TCP for all remaining candidates (assuming the
+ # current candidate does not already respond successfully via
+ # TCP). This makes sense because we already know the full
+ # response will not fit in an untruncated UDP packet.
+ redo
+ else
+ extract_resources(reply, reply_name, typeclass, &proc)
+ end
+ return
+ when RCode::NXDomain
+ raise Config::NXDomain.new(reply_name.to_s)
+ else
+ raise Config::OtherResolvError.new(reply_name.to_s)
+ end
+ }
+ ensure
+ requester.close
+ end
+ end
+end
+
+warnings = []
+oks = []
+
+def resolve_ns(dns, domain, nameserver)
+ puts "Getting A record for nameserver #{nameserver} for #{domain}" if @verbose > 0
+ arecords = dns.getresources(nameserver, Resolv::DNS::Resource::IN::A)
+ warnings << "Nameserver #{nameserver} for #{domain} has #{arecords.length} A records" if arecords.length != 1
+ addresses = arecords.map { |a| a.address.to_s }
+ puts "Addresses for nameserver #{nameserver} for #{domain}: #{addresses.join(', ')}" if @verbose > 0
+ return addresses
+end
+
+dns = Resolv::DNS.new
+ARGV.each{ |domain|
+ serial = {}
+ nameserver_addresses = {}
+ if @check_soa_nameservers
+ nameservers = dns.getresources(domain, Resolv::DNS::Resource::IN::NS)
+ nameservernames = nameservers.collect{ |ns| ns.name.to_s }
+ nameservernames.each do |nameserver|
+ addrs = resolve_ns(dns, domain, nameserver)
+ warnings << "Duplicate nameserver #{nameserver} for #{domain}" if nameserver_addresses[nameserver]
+ nameserver_addresses[nameserver] = addrs
+ end
+ end
+ @additional_nameservers.each do |ns|
+ begin
+ ipa = IPAddr.new(ns) # check if it's an address
+ addrs = [ns]
+ rescue ArgumentError
+ addrs = resolve_ns(dns, domain, ns)
+ end
+ warnings << "Duplicate nameserver #{ns} for #{domain}" if nameserver_addresses[ns]
+ nameserver_addresses[ns] = addrs
+ end
+
+ nameserver_addresses.each_pair do |nameserver, addrs|
+ puts "Testing nameserver #{nameserver} for #{domain}" if @verbose > 0
+ addrs.each do |a|
+ puts " Nameserver #{nameserver} is at #{a}" if @verbose > 0
+ begin
+ resolver = DSADNS.new({:nameserver => a})
+ resolver.rd = 0
+ soas = resolver.getresources(domain, Resolv::DNS::Resource::IN::SOA)
+ rescue SystemCallError => e
+ warnings << "Could not resolve #{domain} on #{nameserver}: #{e.message}"
+ else
+ resolver.close
+ warnings << "Nameserver #{nameserver} for #{domain} returns #{soas.length} SOAs" if soas.length != 1
+ soas.each do |soa|
+ puts " Nameserver #{nameserver} returns serial #{soa.serial} for #{domain}" if @verbose > 0
+ sn = soa.serial.to_i
+ if serial.has_key? sn then
+ serial[sn] << nameserver
+ else
+ serial[sn] = [nameserver]
+ end
+ end
+ end
+ end
+ end
+ case serial.keys.length
+ when 0
+ warnings << "Found no serials for #{domain}"
+ when 1
+ oks << "#{domain} is at #{serial.keys.first}"
+ else
+ text = []
+ serial.keys.sort.each do |sn|
+ text << "#{sn} (#{serial[sn].join(', ')})"
+ end
+ warnings << "Nameservers disagree on serials for #{domain}: found #{text.join(', ')}"
+ end
+}
+dns.close
+
+if warnings.length > 0
+ puts warnings.join('; ')
+ exit NAGIOS_STATUS[:WARNING]
+else
+ puts oks.join('; ')
+ exit NAGIOS_STATUS[:OK]
+end
diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-statusfile b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-statusfile
new file mode 100644
index 0000000..4654731
--- /dev/null
+++ b/nagios-plugins-contrib-24.20190301~bpo9+1/dsa/checks/dsa-check-statusfile
@@ -0,0 +1,90 @@
+#!/usr/bin/python
+
+# Relay the status of a check that was previously run and which stored
+# its result in a file to nagios.
+#
+# Copyright 2008, 2012 Peter Palfrader
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+import optparse
+import os
+import re
+import sys
+import time
+
+NAGIOS_STATUS = { "OK": 0, "WARNING": 1, "CRITICAL": 2, "UNKNOWN": 3 }
+UNITS_TO_SECONDS = { 's': 1, 'm': 60, 'h': 60*60, 'd': 24*60*60 }
+
+parser = optparse.OptionParser()
+parser.set_usage("%prog [options] <statusfile>")
+parser.add_option("-a", "--age", dest="age", metavar="AGE",
+ type="string", default="26h",
+ help="maximum age, in seconds (or use Nm, Nh or Nd) - default is 26h.")
+(options, args) = parser.parse_args()
+
+if len(args) != 1:
+ parser.print_help(file=sys.stderr)
+ sys.exit(1)
+
+statusfile = args[0]
+
+# find out what the max age is that we accept
+m = re.match('([0-9]+)([smhd])?$', options.age)
+if not m:
+ print >> sys.stderr, "Invalid age %s"%(options.age)
+ parser.print_help(file=sys.stderr)
+ sys.exit(1)
+(count, unit) = m.groups()
+if unit is None: unit = 's'
+max_age = int(count) * UNITS_TO_SECONDS[unit]
+
+# let's see if it exists
+if not os.path.exists(statusfile):
+ print "UNKNOWN: %s does not exist."%(statusfile)
+ sys.exit(NAGIOS_STATUS['UNKNOWN'])
+
+
+mtime = os.path.getmtime(statusfile)
+if mtime + max_age < time.time():
+ print "WARNING: %s is old: %.1f hours."%(statusfile, (time.time() - mtime)/3600)
+ sys.exit(NAGIOS_STATUS['WARNING'])
+
+status = open(statusfile, "r")
+returnvalue = status.readline().strip()
+
+if not returnvalue in NAGIOS_STATUS:
+ print "UNKNOWN: %s has invalid return value: %s."%(statusfile, returnvalue)
+ sys.exit(NAGIOS_STATUS['UNKNOWN'])
+
+linecnt = 0
+for line in status:
+ print line,
+ linecnt += 1
+
+if linecnt == 0:
+ print "Found no output. Something is probably wrong"
+ sys.exit(NAGIOS_STATUS['UNKNOWN'])
+
+sys.exit(NAGIOS_STATUS[returnvalue])
+
+# vim:set et:
+# vim:set ts=4:
+# vim:set shiftwidth=4: