added first implementation of check_otp supporting HOTP and TOTP checks against PrivacyIDEA/LinOTP

2016-10-10 11:27:24 +02:00
parent ed63fa9140
commit d9efd3954e
2 changed files with 666 additions and 11 deletions
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 nagios-plugins
 ==============
-This repository contains my collection of modified and custom written check
-plugins and scripts for [Nagios](http://www.nagios.org).
+This repository contains my small collection of modified and custom written
+nagios check plugins and scripts for [Nagios](http://www.nagios.org).

 Most of these are very custom solutions or modified versions of standard plugins
 so distributing them through [NagiosExchange](https://exchange.nagios.org/) is
@@ -12,12 +12,23 @@ encounter any issues or require changes.
 The latest versions, documentation and bugtracker available on my
 [GitLab instance](https://gitlab.lindenaar.net/scripts/privacyidea-checkotp)

-Copyright (c) 2015 Frederik Lindenaar. free for distribution under the GNU
-License, see [below](#license)
+Copyright (c) 2015 - 2016 Frederik Lindenaar. free for distribution under
+the GNU General Public License, see [below](#license)

+contents
+========
+This repository contains the following scripts:
+  * [check_memory](#check_memory)
+    patched version of nagios-plugins check_memory script for Linux procps v3.3+
+  * [check_multiple_host_addresses](#host_addresses)
+    monitor multi-home and dual-stack (i.e. ipv4 and ipv6) servers.
+  * [check_otp](#check_otp)
+    plugin to monitor PrivacyIDEA (and LinOTP) OTP validation
+  * [nagiosstatus](#nagiosstatus)
+    CGI-BIN script to report the status of nagios (to monitor nagios itself)

-plugins/check_memory
--------------------
+<a name=check_memory>plugins/check_memory</a>
+---------------------------------------------
 Nagios check script to monitor the memory on Linux systems. Due to changes in
 the output of procps v3.3 (the changelog refers to it as modernizing it), it's
 output changed and breaks the the check_memory script as shipped with many linux
@@ -26,8 +37,8 @@ is indifferent of which version of procps (to date) is used. No other changes
 were made to the script.


-plugins/plugins/check_multiple_host_addresses
---------------------------------------------
+<a name=host_addresses>plugins/check_multiple_host_addresses</a>
+----------------------------------------------------------------
 This script is a first attempt to monitor multi-home and dual-stack (i.e. ipv4
 and ipv6) servers. In my setup a server should only considered availble if it is
 available on all of its primary addresses (i.e. both ipv4 and ipv6). It uses the
@@ -38,6 +49,7 @@ this solution as well.

 Installation is straightforward, after installing the script on your server, add
 the following to your `commands.cmd` configuration file to make it available:
+
 ~~~
  # 'check-host-alive' command definition for multi-homed/dual-stack servers
  define command{
@@ -45,8 +57,10 @@ the following to your `commands.cmd` configuration file to make it available:
        command_line    [install_path]/plugins/check_multiplehost_addresses '$HOSTADDRESS$' '$_HOSTADDRESS6$'
  }
 ~~~
+
 The example above assumes that the IPv6 address of the host is provided as part
 of the host configuration, i.e.:
+
 ~~~
  define host {
        ...
@@ -55,13 +69,172 @@ of the host configuration, i.e.:
 	...
  }
 ~~~
-To use the script either add ` check_command		check-addresses-alive`
+
+To use the script either add `check_command check-addresses-alive`
 to the specific hosts that should use the check or to the generic host used as
 template.


-cgi-bin/nagiosstatus.sh
-----------------------
+<a name=check_otp>plugins/check_otp</a>
+---------------------------------------
+Plugin (check) to monitor OTP validation, currently implemented for PrivacyIDEA
+(and LinOTP). The check can validate a provided password/secret or calculate an
+HOTP or TOTP value and use that to validate (with or without a password). Other
+methods and interfaces can be plugged in easily (please raise a request or
+provide a patch).
+
+Please run `check_otp -h` for an actual overview of the available options. The
+script currently supports 3 modes of operation:
+
+  * password - simply authenticate with the provided secret (no calculations)
+  * totp     - calculate the TOTP code using a key and current time
+  * hotp     - calculate the HOTP code using a key and a count (automatically
+               increments the count in case a count file is used)
+
+Generic parameters (connection parameters, critical/warning thresholds, etc.)
+should be provided before the mode of operation is specified, mode-specific
+parameters should follow the mode selected. Keys, passwords and HOTP counts can
+be read from a file as well. Checks can be performed based on token
+serial or a login and a password (only mandatory for password authentication).
+
+HOTP/TOTP modes require a Base16/32/64 encoded key provided on the command-line
+or in a file. The generated HOTP/TOTP value is appended to the password/secret
+(if provided), the order can be changed with the `-m` command line parameter.
+
+Installation for is straightforward, after installing the script on the server
+add the following to your Nagios `commands.cmd` configuration file:
+
+~~~
+# 'check_totp_serial' command definition to test TOTP based on token serial (no password)
+# parameters: token serial (ARG1), key (ARG2), additional parameters in ARG3
+define command {
+        command_name    check_totp_serial
+        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -s $ARG1$ -k $ARG2$ $ARG3$
+}
+
+# 'check_totp_serial' command definition to test TOTP based on token serial and password
+# parameters: token serial (ARG1), key (ARG2), password (ARG3), additional parameters in ARG4
+define command {
+        command_name    check_totp_serial_pwd
+        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -s $ARG1$ -k $ARG2$ -p $ARG3$ $ARG4$
+}
+
+# 'check_totp_login' command definition to test TOTP based on login and password
+# parameters: login (ARG1), key (ARG2), password (ARG3), additional parameters in ARG4
+define command {
+        command_name    check_totp_login
+        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -l $ARG1$ -k $ARG2$ -p $ARG3$ $ARG4$
+}
+
+# 'check_totp_serial_dir' command definition to test TOTP based on token serial
+# parameters: directory (ARG1), token serial (ARG2) additional parameters in ARG3
+define command {
+        command_name    check_totp_serial_dir
+        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -s $ARG2$ -K $ARG1$/$ARG2$.key $ARG3$
+}
+
+# 'check_totp_serial_dir_pwd' command definition to test TOTP based on token serial and password
+# parameters: directory (ARG1), token serial (ARG2), additional parameters in ARG3
+define command {
+        command_name    check_totp_serial_dir_pwd
+        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -s $ARG2$ -K $ARG1$/$ARG2$.key -P $ARG1$/$ARG2$.pwd $ARG3$
+}
+
+# 'check_totp_login_dir' command definition to test TOTP based on login
+# parameters: directory (ARG1), login (ARG2), additional parameters in ARG3
+define command {
+        command_name    check_totp_login_dir
+        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -l $ARG2$ -K $ARG1$/$ARG2$.key $ARG3$
+}
+
+# 'check_totp_login_dir_pwd' command definition to test TOTP based on login and password
+# parameters: directory (ARG1), login (ARG2) additional parameters in ARG3
+define command {
+        command_name    check_totp_login_dir_pwd
+        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -l $ARG2$ -K $ARG1$/$ARG2$.key -P $ARG1$/$ARG2$.pwd $ARG3$
+}
+
+# 'check_hotp_serial_dir' command definition to test HOTP based on token serial
+# parameters: directory (ARG1), token serial (ARG2), additional parameters in ARG3
+define command {
+        command_name    check_hotp_serial_dir
+        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token hotp -s $ARG2$ -K $ARG1$/$ARG2$.key -C $ARG1$/$ARG2$.count $ARG3$
+}
+
+# 'check_hotp_serial_dir_pwd' command definition to test HOTP based on token serial and password
+# parameters: directory (ARG1), token serial (ARG2), additional parameters in ARG3
+define command {
+        command_name    check_hotp_serial_dir_pwd
+        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token hotp -s $ARG2$ -K $ARG1$/$ARG2$.key -C $ARG1$/$ARG2$.count -P $ARG1$/$ARG2$.pwd $ARG3$
+}
+
+# 'check_hotp_login_dir' command definition to test HOTP based on login
+# parameters: directory (ARG1), login (ARG2), additional parameters in ARG3
+define command {
+        command_name    check_hotp_login_dir
+        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token hotp -l $ARG2$ -K $ARG1$/$ARG2$.key -C $ARG1$/$ARG2$.count $ARG3$
+}
+
+# 'check_hotp_login_dir_pwd' command definition to test HOTP based on login and password
+# parameters: directory (ARG1), login (ARG2), additional parameters in ARG3
+define command {
+        command_name    check_hotp_login_dir_pwd
+        command_line    [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token hotp -l $ARG2$ -K $ARG1$/$ARG2$.key -C $ARG1$/$ARG2$.count -P $ARG1$/$ARG2$.pwd $ARG3$
+}
+
+~~~
+
+Please check / adjust the following:
+
+  * replace `[install_path]/plugins` with the location of the script
+  * assumption is that the `$HOSTNAME$` can be used for an SSL connection (and
+    that the certificate is valid for this host, use the -u parameter and an
+    URL if this is not the case)
+  * path on the server is assumed to be /token (API endpoints will be added)
+  * check the thresholds for Warning (3s) and Critical (8s), adjust if needed
+
+The `dir` and `dir_pwd` commands allow to store all sensitive data for tokens in
+a folder and hence only require a folder name and token serial or login. This
+expects the folder specified to contain the following files:
+
+  * [serial/login].key   - HOTP/TOTP key in Base16/32/64 format on first line
+  * [serial/login].pwd   - password (only first line is used)
+  * [serial/login].count - numeric HOTP count on first line, autoincremented
+
+Please note that required files must exist or the check will fail with an error.
+
+To use the it define a service check like below:
+
+~~~
+# check that TOTP authentication is working for token serial and provided key
+define service {
+        host                   hostname.mydomain.tld
+        service_description    Check TOTP Authentication
+        check_command          check_totp_serial!TOTP0001234X!82f37371367b7e8aafb320b2d9b2721f66bbf161
+        use                    generic-service
+}
+
+
+# check that TOTP authentication is working for token serial and info from folder
+define service {
+        host                   hostname.mydomain.tld
+        service_description    Check TOTP Authentication
+        check_command          check_totp_serial_dir!/etc/nagios3/tokeninfo!TOTP0001234X
+        use                    generic-service
+}
+
+# check that HOTP authentication is working for token serial and info from folder
+define service {
+        host                   hostname.mydomain.tld
+        service_description    Check TOTP Authentication
+        check_command          check_hotp_serial_dir!/etc/nagios3/tokeninfo!HOTP0004321Y
+        use                    generic-service
+}
+~~~
+
+
+<a name=nagiosstatus>cgi-bin/nagiosstatus.sh</a>
+------------------------------------------------
 Very simplistic CGI-BIN script that checkes whether nagios is still running and
 still updating its status. It wil always return an HTTP Status 200 (OK) and a
 simple text page with one of the following texts: