| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
This commits removes the detection of IPv6 availability.
The IPv6 code in the plugins is used unconditionally now.
|
|
OpenBSD's pledge(2) system call allows the current process to
self-restrict itself, being reduced to promised pledges. For example,
unless a process says it wants to write to files, it is not allowed to
do so any longer.
This change starts by calling pledge(2) in some network-facing checks,
removing the more dangerous privileges, such as executing other files.
My initial motivation came from check_icmp, being installed as a setuid
binary and (temporarily) running with root privileges. There, the
pledge(2) calls result in check_icmp to only being allowed to interact
with the network and to setuid(2) to the calling user later on.
Afterwards, I went through my most commonly used monitoring plugins
directly interacting with the network. Thus, I continued with
pledge(2)-ing check_curl - having a huge codebase and all -,
check_ntp_time, check_smtp, check_ssh, and check_tcp.
For most of those, the changes were quite similar: start with
network-friendly promises, parse the configuration, give up file access,
and proceed with the actual check.
|
|
This library is glibc-only and not necessary at this point. The
getopt_long function is provided by "getopt.h", included via "common.h".
Similar to #2159.
|
|
This is a breaking change.
Testing whether a TLS certificate is still valid (expiration wise)
is now the default in check_smtp.
The reasoning is, that in most scenarios an expired certificate
will effectively mean that the service is not working anymore due to
the refusal of other software to talk to it.
There is a new cli parameter though to explicitly ignore that.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
regarding -D and TLS
|
|
|
|
|
|
Otherwise -s/--ssl would overwrite a port given with -p if it comes
after it, e. g.
check_smtp -H mailhost.example.com -p 4465 --ssl
Found-By: Lorenz Kästle
|
|
This is an alias for -s/--ssl.
|
|
|
|
The port can still be set with -p.
|
|
This is commonly used on smtps (465) port.
PROXY protocol is not implemented with TLS in check_smtp.c, yet.
Backported from nagios-plugins:
https://github.com/nagios-plugins/nagios-plugins/commit/0a8cf08ebb0740aa55d6c60d3b79fcab282604fb
|
|
|
|
Add support for SSL/TLS hostname extension support (SNI) for check_smtp
plugin.
Backported from nagios-plugins:
https://github.com/nagios-plugins/nagios-plugins/commit/9f1628f4b5525335ce1d6e48e8ac8b07d0757f82
|
|
|
|
|
|
This enables checks of SMTP servers that expect the haproxy
PROXY protocol: -o smtpd_upstream_proxy_protocol=haproxy.
Backported from nagios-plugins:
https://github.com/nagios-plugins/nagios-plugins/commit/3246efe923b5482c5024c40e593ce942e628a3cb
|
|
|
|
|
|
|
|
When SSL is enabled, n is assigned the size of the server's second EHLO
response (I think in bytes), which will usually be significantly higher
than the command passed. As such, no commands are executed and no responses
are checked, which - silently - defeats the desired checks and results in a
success value.
|
|
|
|
check_smtp: extended support for expect option
|
|
* monitoring-plugins/pr/1443:
add openssl 1.1 support
|
|
The radcli library no longer offers the rc_get_ipaddr(),
rc_good_ipaddr(), and rc_own_ipaddress() functions.
|
|
changes:
- CRYPTO_lock detection replaced in configure.ac. We don't use that
function anywhere, so just replace it with the suggested one from
https://wiki.openssl.org/index.php/Library_Initialization#Autoconf
- OPENSSL_NO_SSL2 is no longer defined while ssl2 is not included.
Set it ourself using the suggested openssl 1.1 version check from
https://wiki.openssl.org/index.php/1.1_API_Changes#Backward_compatibility
- openssl 1.1 sends a sigpipe if the connection is still open when
calling SSL_shutdown(), so move the close before the shutdown.
Signed-off-by: Sven Nierlein <sven@nierlein.de>
|
|
expect option (-e) supported only first response, so checking for
any other response like 250-xxx would never match. This fix stores
return of relevant buffer
closes #1381
|
|
- currently STARTTLS check does not work with -e if there's text
like '220 hostname ESMTP*'. This is caused by SMTP answer from
host. Postfix answer: 220 2.0.0 Ready to start TLS, Exchange
2010: 220 2.0.0 SMTP server ready. This fix checks against 220
closes #1093
|
|
|
|
Don't forget to issue an SMTP QUIT command when the -D/--certificate
option is specified. This avoids undesired MTA log messages.
|
|
Signed-off-by: Sven Nierlein <sven@nierlein.de>
|
|
|
|
.c file changes for misleading timeout messages in help functions. Solution to pull request #1209 tracker by awiddersheim.
Files: plugins/check_apt.c, plugins/check_by_ssh.c, plugins/check_dbi.c, plugins/check_dig.c, plugins/check_disk.c, plugins/check_dns.c, plugins/check_game.c, plugins/check_http.c, plugins/check_ldap.c, plugins/check_ntp.c, plugins/check_ntp_peer.c, plugins/check_ntp_time.c, plugins/check_nwstat.c, plugins/check_overcr.c, plugins/check_pgsql.c, plugins/check_ping.c, plugins/check_procs.c, plugins/check_radius.c, plugins/check_real.c, plugins/check_smtp.c, plugins/check_snmp.c, plugins/check_ssh.c, plugins/check_tcp.c, plugins/check_time.c, plugins/check_ups.c, plugins/negate.c
|
|
|
|
This is an initial take at renaming the project to Monitoring Plugins.
It's not expected to be fully complete, and it is expected to break
things (The perl module for instance). More testing will be required
before this goes mainline.
|
|
Thanks to Roman Fiedler for reporting the issue and providing a fix
|
|
threshold data
|
