sslcheck module: (remote) SSL certificate expiry time check #5365
This pull request introduces 2 alerts when merging 6f3a58b into 527b53c - view on LGTM.com
new alerts:
Comment posted by LGTM.com
@p-thurner I think we need something like this https://github.com/influxdata/telegraf/tree/master/plugins/inputs/x509_cert What do you think? And since we have go.d.plugin we are willing to add new modules to it, if there are no limitations. So, the question, are you willing to rewrite it in go?
@p-thurner gj btw, we definitely need this one 👍
@ilyam8 hm I'd rather keep it in python as I didn't learn golang yet.. Is it ok to keep this one in python? I'd be super happy to get this working (invested some hours into just getting the graph into the webui with no luck) :(
Then I have pretty much what my previous monitoring solution had. So I would be very thankful for any help to get this working.. Will commit more plugins then!
It is ok to have them in python, but I'd prefer to have new modules in go. It is very easy/fast to write. Please describe how the other 3 modules work (how they fetch data - http req/file read). Will see, maybe some of them would be ok to have in python.
in general - use
**Monitoring cronjobs**
@ilyam8, check-mk is another monitoring system. It has a shell script called
This will create a simple file in
Here is the shell script: https://github.com/opinkerfi/check_mk/blob/master/agents/mk-job
**Monitoring apt security upgrades**
Apt security upgrades is simple, just count the number of security upgrades.. With the
**Monitoring how well you setup SSL on your webserver**
Now you may know this: https://www.ssllabs.com/ssltest/analyze.html?d=my%2dnetdata.io&s=104.28.3.248&latest (one of many I suppose)
btw if anyone can still help me debug my sslcheck plugin it would still be awesome :) I would still want to get it working to learn.
@p-thurner
One note from my side,
On the note of the SSL configuration thing, it might be worth looking at https://observatory.mozilla.org, they provide a clear quantifiable score (currently on the range of 0 to 135), and check some useful security aspects beyond just SSL configuration, including various security related HTTP headers. They cache results for 5 minutes though, so that's probably the absolute minimum polling period (I think SSLLabs caches less aggressively). For the APT security updates, on systems that have a recent version of APT, you can list all upgradeable packages with
My thoughts:
**SSL certificate expiry time check**
Ok, let's do it in python.
**Monitoring cronjobs**
According to your descriptions it is a super specific thing. It is not monitoring cron jobs actually, it is parsing files produced by some scripts. A job could be executed once a day, once a week etc. There is nothing to chart. I think we don't need this module in core. We can make a link on the third-party modules page tho.
**Monitoring how well you setup SSL on your webserver**
Same. tl;dr
I would tend to agree with @ilyam8 on the SSL server configuration (I think it would be neat to have, you could get an alert when your server configuration falls out of BCP) and the cron jobs (also, would be kind of neat to have, but I don't consider it critical (if you have a proper email server set up, any sensible cron system will email you if there are errors)). I do, however, think having a module that reports how many updates are pending on the system (not necessarily just security updates, and not necessarily just APT either) would be awesome, but I think that's probably something that should only be exposed as a counter, not a graph, and I also think the check frequency should be significantly longer for it by default than Netdata normally tracks (at least 30 minutes, possibly even longer). It's not something that is likely to change with high frequency, so it just doesn't make sense to track historical data in most cases except for triggering alarms on changes or non-zero values. If we do decide to do such a module, I can provide some help to get it working for Gentoo, as well as being able to help with testing on Debian and a couple of other distros.
**Cronjobs**
I would like to politely disagree here. I run a bunch of servers with PHP websites. My customers use a lot of PHP written scripts / cron jobs. Sometimes these jobs behave weirdly, use way more resources and take much longer than they usually do. Having monitoring for this is a very vital thing in my opinion.
All of this is of course not monitoring the actual cronjob.. But it is close enough in my opinion to detect:
**SSL "score"**
The mozilla thing sounds very cool, especially the score.. Caching only 5 mins of course is a bit less.. SSLLabs caches the result a bit longer I think. I also just found this: https://github.com/ssllabs/ssllabs-scan which we maybe could use for more simplicity.
**Apt**
I agree with you guys, regular and security upgrades can be a counter (I would not mind a graph either).
Sadly the second one doesn't output anything for me as I don't have any server where not all security upgrades are installed x) But according to this thread it should work: https://askubuntu.com/questions/774805/how-to-get-a-list-of-all-pending-security-updates I can only join the conversation with Debian / Ubuntu, I'm not very familiar with other distros.. I assume having several plugins for zypper / apt / rpm / whatnot wouldn't hurt and would increase readability of the plugins. I would also like to note that checking every 30 minutes is totally ok here. I "sometimes" have the case where customers shoot apt in the head by doing weird things.. Then apt itself has broken dependencies or what not and the check itself can not execute anymore (you run apt-get --simulate upgrade and it exits != 0 with some error message). Detecting that would also be very nifty, as in this case the system won't install security upgrades anymore (and often it doesn't tell you - the unattended-upgrades cronjob is a bit hidden so that people don't adjust the time for it I think (too many servers pulling upgrades at the same time problem for Debian repos) and for some reason, for me, the cronjob never sends me any emails if it fails (yes, I have set up my mail on the servers correctly so stderr of cronjobs is sent by mail)).
I will get back to working on the sslcheck this evening.
Having charts that update once a day is confusing imo and kind of alien for netdata. I agree that we need to support collecting data without actually charting it, but now we can't. And no, it is not as easy as you think. Your cronjob monitoring script should read
On the note of cronjobs, what you're talking about checking other than exit status can actually be done a couple of different ways without needing a new plugin for Netdata. One option would be to use the existing
For the upgrade related stuff, it looks like the command I had posted generically works correctly for regular users too, though it still doesn't appear to provide an easy way to identify security updates. I'd kind of like to avoid depending on classic
From my Ubuntu 18.04 Laptop:
I think
Yeah, I'd forgotten that they still complain if you use it in a pipe. I seriously doubt that the interface of the particular sub-command we would be using will change, but it probably is better to follow the official advice and use
Howdy fellas, sorry didn't find time the last few days. So I did this on a fresh Debian 9 installation with no firewall configured:
I then tried the debug command:
Looks good so far - not sure why the debug command wasn't outputting anything for me the last time. Now that
@p-thurner (not in definitions == not in CHARTS)
There is a bug in the update time calculation: netdata/collectors/python.d.plugin/python_modules/bases/FrameworkServices/SimpleService.py, lines 41 to 43 in 6f0d13f.

```python
import time

def c(i):
    # Same arithmetic as SimpleService.py: the next run is aligned to the
    # next multiple of the update interval i, measured on the monotonic clock.
    t = time.monotonic()
    d = t - (t % i) + i
    return t, d, d - t

c(60)  # (84688.099451557, 84720.0, 31.900548442994477)
c(60)  # (84689.748439694, 84720.0, 30.25156030600192)
c(60)  # (84693.18335048, 84720.0, 26.816649519998464)
c(60)  # (84702.413057355, 84720.0, 17.58694264499354)
c(60)  # (84720.166530715, 84780.0, 59.83346928500396)
```

That means that the module's first poll can be delayed up to
Will be fixed in a separate PR.
👍 and thanks a lot for the help @ilyam8 !! :)
##### Summary
rename > health/health.d/sslcheck.conf → health/health.d/x509check.conf
**Why**
sslcheck module (#5365) was removed (#5626) because of a memory leak bug (#5624). The module was rewritten in Go (#5631, netdata/go.d.plugin#166). New module name - `x509check`. This PR changes the name of the alarm.
…5365)
* added WIP ssl certificate expiry time check plugin
* fixing bugs
* more bugfixes
* cleaned up
* fixed graphing
* More pretty readme
* cleaned up style
* change author
* simplify
* add days_until_expiration_warn and correctly calc seconds
* update config
* config update
* readme update
* return false from check if module failed to collect data
* set default update_every to 60
* add alarm
* add sslcheck to makefile
* fix indentation
* add crit to alarm
* update conf
* update readme
* add days_until_expiration_critical
* change default days_until_expiration_warning to 14
* minor
Summary
Hi Netdata community!
So I think we need to graph the days until ssl certificates expire. I have forked the portcheck plugin to do that.
Component Name
collector/sslcheck
Additional Information
After lots of trying around, reading the doc and some similar issues I just cannot get this plugin to graph anything.
I have done this on a fresh netdata setup with `curl | bash` setup of netdata on a Debian 9 server:

/etc/netdata/python.d/sslcheck.conf

```sh
git clone https://github.com/blunix/netdata-plugin-sslcheck /usr/src/netdata/collectors/python.d.plugin/sslcheck/
```
- that's the same code there as in this PR

```sh
systemctl restart netdata.service
```
But it neither shows errors nor any mention of the sslcheck plugin in the logs, nor does it show anything in the WebUI. I must be missing something.. Do you guys have any idea?
Thanks a lot in advance!
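An added example (not code from this PR or from the netdata project) of the calculation the module charts: given a certificate dict in the shape Python's `ssl` `getpeercert()` returns, it computes days until `notAfter` and maps them to the alarm states. The 14-day warning default comes from the PR's commit history; the 7-day critical default, the function names and the sample certificate are assumptions constructed for this example.

```python
import ssl
import time

# 14-day warning default comes from this PR's commit history; the 7-day
# critical default and all function names are assumptions for this example.
DAYS_UNTIL_EXPIRATION_WARNING = 14
DAYS_UNTIL_EXPIRATION_CRITICAL = 7


def seconds_until_expiration(cert, now=None):
    """Seconds left on a dict shaped like ssl.SSLSocket.getpeercert().

    OpenSSL renders 'notAfter' as e.g. 'Jun  1 12:00:00 2025 GMT';
    ssl.cert_time_to_seconds() parses that as UTC epoch seconds.
    """
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return not_after - now


def days_until_expiration(cert, now=None):
    # Floor division: 13.9 days left is reported as 13, never rounded up.
    return int(seconds_until_expiration(cert, now) // 86400)


def expiry_status(cert, now=None, warn=DAYS_UNTIL_EXPIRATION_WARNING,
                  crit=DAYS_UNTIL_EXPIRATION_CRITICAL):
    """Map remaining days to the states a health alarm would raise."""
    days = days_until_expiration(cert, now)
    if days < 0:
        return "expired"
    if days <= crit:
        return "critical"
    if days <= warn:
        return "warning"
    return "ok"


def get_data(cert, now=None):
    """python.d-style collector result: a dict to chart, or None on failure."""
    try:
        return {"days_until_expiration": days_until_expiration(cert, now)}
    except (KeyError, TypeError, ValueError):
        return None


# Constructed sample mimicking getpeercert() output; not a real certificate.
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan 31 00:00:00 2024 GMT",
}
```

Passing `now` explicitly makes the check reproducible; the module itself would leave it at the default and read the clock.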