Adding domain monitoring for TLSA/SSHFP/CAA records
This commit is contained in:
8
roles/Sharingan/files/monit/checks/domain
Normal file
8
roles/Sharingan/files/monit/checks/domain
Normal file
@@ -0,0 +1,8 @@
|
|||||||
|
check program domain-tlsa with path "/etc/monit.d/scripts/check-domain aninix.net tlsa aninix.net-0002"
|
||||||
|
if status != 0 for 5 times within 5 cycles then exec "/etc/monit.d/scripts/critical TLSA records do not match -- regenerate and update"
|
||||||
|
|
||||||
|
check program domain-sshfp with path "/etc/monit.d/scripts/check-domain aninix.net sshfp"
|
||||||
|
if status != 0 for 5 times within 5 cycles then exec "/etc/monit.d/scripts/critical SSHFP records do not match -- regenerate and update"
|
||||||
|
|
||||||
|
check program domain-caa with path "/etc/monit.d/scripts/check-domain aninix.net caa"
|
||||||
|
if status != 0 for 5 times within 5 cycles then exec "/etc/monit.d/scripts/critical CAA record does not match -- regenerate and update"
|
||||||
@@ -3,3 +3,4 @@ include "/etc/monit.d/checks/watcher-of-watchers"
|
|||||||
include "/etc/monit.d/checks/warrant-canary"
|
include "/etc/monit.d/checks/warrant-canary"
|
||||||
include "/etc/monit.d/checks/grimoire"
|
include "/etc/monit.d/checks/grimoire"
|
||||||
include "/etc/monit.d/checks/automated_response"
|
include "/etc/monit.d/checks/automated_response"
|
||||||
|
include "/etc/monit.d/checks/domain"
|
||||||
|
|||||||
32
roles/Sharingan/files/monit/scripts/check-domain
Executable file
32
roles/Sharingan/files/monit/scripts/check-domain
Executable file
@@ -0,0 +1,32 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
source /opt/aninix/Uniglot/Bash/dns.bash
|
||||||
|
|
||||||
|
domain="$1"
|
||||||
|
|
||||||
|
function checkTLSA() {
|
||||||
|
### Usage: $0 "${domain}" tlsa _443._tcp
|
||||||
|
identity="$1"
|
||||||
|
git diff --no-index <(GenerateTLSA "${identity}" | sed 's/\s\+//g' | tr '[[:upper:]]' '[[:lower:]]' | sort) <(dig _443._tcp."${domain}" TLSA +short | sed 's/\s\+//g' | tr '[[:upper:]]' '[[:lower:]]' | sort)
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
function checkSSHFP() {
|
||||||
|
git diff --no-index <(GenerateSSHFP | sed 's/\s\+//g' | tr '[[:upper:]]' '[[:lower:]]' | sort) <(dig "${domain}" SSHFP +short | sed 's/\s\+//g' | tr '[[:upper:]]' '[[:lower:]]' | sort)
|
||||||
|
}
|
||||||
|
|
||||||
|
function checkCAA() {
|
||||||
|
### Usage: $0 "${domain}" caa
|
||||||
|
caa="$(dig "${domain}" CAA +short)"
|
||||||
|
if [ "$caa" != '128 issue "letsencrypt.org"' ]; then
|
||||||
|
exit 1
|
||||||
|
else
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
case "$2" in
|
||||||
|
"tlsa") checkTLSA "$3" ;;
|
||||||
|
"sshfp") checkSSHFP ;;
|
||||||
|
"caa") checkCAA ;;
|
||||||
|
esac
|
||||||
@@ -3,7 +3,7 @@
|
|||||||
- name: Generate monitoring from inventory
|
- name: Generate monitoring from inventory
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
run_once: true
|
run_once: true
|
||||||
command: "python3 ../bin/generate-monitoring.py {{ inventory_file }}"
|
command: "../bin/generate-monitoring.py {{ inventory_file }}"
|
||||||
|
|
||||||
- name: Sharingan-Eval service copy
|
- name: Sharingan-Eval service copy
|
||||||
become: yes
|
become: yes
|
||||||
|
|||||||
Reference in New Issue
Block a user