Add Zabbix SSL checker

This commit is contained in:
2026-05-21 19:20:49 +02:00
commit 76f1f36d97
9 changed files with 1829 additions and 0 deletions
+94
View File
@@ -0,0 +1,94 @@
# Handmatige Zabbix-template stappen
Gebruik dit bestand alleen als je Zabbix-versie of importpolicy de YAML-export weigert.
## Template
1. Ga naar **Data collection -> Templates**.
2. Maak template **Template SSL Checker Relaxed**.
3. Zet de groep op **Templates/Custom**.
4. Voeg macros toe:
- `{$SSL_CONFIG}` = `/etc/zabbix/ssl_targets.json`
- `{$SSL_CHECK_TIMEOUT}` = `10`
## Discovery rule
Maak een discovery rule:
- Name: `SSL target discovery`
- Type: `External check`
- Key: `ssl_discovery.py["--config","{$SSL_CONFIG}"]`
- Update interval: `1h`
De discovery output bevat de LLD macros direct in het `data` object:
- `{#SSL_NAME}`
- `{#SSL_HOST}`
- `{#SSL_PORT}`
- `{#SSL_OWNER}`
- `{#SSL_PROFILE}`
## Master item prototype
Maak onder de discovery rule een item prototype:
- Name: `SSL raw check [{#SSL_NAME}]`
- Type: `External check`
- Key: `ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]`
- Type of information: `Text`
- Update interval: `15m`
- History: `7d`
- Trends: `0`
## Dependent item prototypes
Maak dependent item prototypes met het master item hierboven als bron. Gebruik JSONPath preprocessing per veld, bijvoorbeeld:
- `ssl.reachable[{#SSL_HOST},{#SSL_PORT}]` -> `$.reachable` -> JavaScript `return value === true || value === "true" ? 1 : 0;`
- `ssl.days_left[{#SSL_HOST},{#SSL_PORT}]` -> `$.days_left`
- `ssl.valid_now[{#SSL_HOST},{#SSL_PORT}]` -> `$.valid_now` -> boolean JavaScript
- `ssl.hostname_match[{#SSL_HOST},{#SSL_PORT}]` -> `$.hostname_match` -> boolean JavaScript
- `ssl.chain_valid[{#SSL_HOST},{#SSL_PORT}]` -> `$.chain_valid` -> boolean JavaScript
- `ssl.self_signed[{#SSL_HOST},{#SSL_PORT}]` -> `$.self_signed` -> boolean JavaScript
- `ssl.not_yet_valid[{#SSL_HOST},{#SSL_PORT}]` -> `$.not_yet_valid` -> boolean JavaScript
- `ssl.expired[{#SSL_HOST},{#SSL_PORT}]` -> `$.expired` -> boolean JavaScript
- `ssl.issuer_org[{#SSL_HOST},{#SSL_PORT}]` -> `$.issuer_org`
- `ssl.issuer_cn[{#SSL_HOST},{#SSL_PORT}]` -> `$.issuer_cn`
- `ssl.subject_cn[{#SSL_HOST},{#SSL_PORT}]` -> `$.subject_cn`
- `ssl.san_names[{#SSL_HOST},{#SSL_PORT}]` -> `$.san_names`
- `ssl.fingerprint_sha256[{#SSL_HOST},{#SSL_PORT}]` -> `$.fingerprint_sha256`
- `ssl.expected_issuer_match[{#SSL_HOST},{#SSL_PORT}]` -> `$.expected_issuer_match` -> boolean JavaScript
- `ssl.tls_version_negotiated[{#SSL_HOST},{#SSL_PORT}]` -> `$.tls_version_negotiated`
- `ssl.tls10_supported[{#SSL_HOST},{#SSL_PORT}]` -> `$.tls10_supported` -> boolean JavaScript
- `ssl.tls11_supported[{#SSL_HOST},{#SSL_PORT}]` -> `$.tls11_supported` -> boolean JavaScript
- `ssl.tls12_supported[{#SSL_HOST},{#SSL_PORT}]` -> `$.tls12_supported` -> boolean JavaScript
- `ssl.tls13_supported[{#SSL_HOST},{#SSL_PORT}]` -> `$.tls13_supported` -> boolean JavaScript
- `ssl.http_reachable[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_reachable` -> boolean JavaScript
- `ssl.http_status[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_status`
- `ssl.http_status_expected[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_status_expected` -> boolean JavaScript
- `ssl.http_response_time_ms[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_response_time_ms`
- `ssl.http_hsts[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_hsts` -> boolean JavaScript
- `ssl.http_security_headers_score[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_security_headers_score`
- `ssl.http_server_header[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_server_header`
- `ssl.error[{#SSL_HOST},{#SSL_PORT}]` -> `$.error`
## Triggers
Maak trigger prototypes op de dependent item prototypes:
- SSL target unreachable: reachable = 0, Warning
- SSL expires within 30 days: days_left < 30 and >= 14, Information
- SSL expires within 14 days: days_left < 14 and >= 7, Warning
- SSL expires within 7 days: days_left < 7 and >= 2, Average
- SSL expires within 2 days: days_left < 2, High
- SSL hostname mismatch: hostname_match = 0, High
- SSL chain invalid: chain_valid = 0, Average
- SSL is self-signed: self_signed = 1, Warning
- SSL not yet valid: not_yet_valid = 1, High
- TLS 1.0 supported: tls10_supported = 1, Warning
- TLS 1.1 supported: tls11_supported = 1, Warning
- HTTP status not expected: http_status_expected = 0, Warning
- HSTS missing: http_hsts = 0, Information
- HTTP security headers score low: score < 2, Information
Text-item change triggers voor issuer/fingerprint zijn bewust niet opgenomen, omdat importeerbaarheid per Zabbix 7.x minor release kan verschillen.
@@ -0,0 +1,592 @@
zabbix_export:
version: '7.0'
template_groups:
- uuid: 2fdce7293a314718bbeb9a302dd7533f
name: Templates/Custom
templates:
- uuid: eaa75d8e6bb44b0e8fca872ab5ea6001
template: Template SSL Checker Relaxed
name: Template SSL Checker Relaxed
groups:
- name: Templates/Custom
macros:
- macro: '{$SSL_CONFIG}'
value: /etc/zabbix/ssl_targets.json
- macro: '{$SSL_CHECK_TIMEOUT}'
value: '10'
discovery_rules:
- uuid: eebfdbd1e6f94de0abe6b014d652679e
name: SSL target discovery
type: EXTERNAL
key: 'ssl_discovery.py["--config","{$SSL_CONFIG}"]'
delay: 1h
item_prototypes:
- uuid: 9cbb898647f74b4f8865f65b036f88cb
name: 'SSL raw check [{#SSL_NAME}]'
type: EXTERNAL
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
delay: 15m
history: 7d
trends: '0'
value_type: TEXT
tags:
- tag: component
value: raw
- tag: scope
value: ssl
- tag: owner
value: '{#SSL_OWNER}'
- tag: profile
value: '{#SSL_PROFILE}'
- uuid: 742b8b1630e048d2b73d95e846165bec
name: 'SSL reachable [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.reachable[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: 365d
value_type: UNSIGNED
valuemap:
name: SSL boolean
preprocessing:
- type: JSONPATH
parameters:
- $.reachable
- type: JAVASCRIPT
parameters:
- 'return value === true || value === "true" ? 1 : 0;'
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: a44af3b1e4c547d59f9e6e7c5c9186d4
name: 'SSL days left [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.days_left[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: 365d
value_type: UNSIGNED
preprocessing:
- type: JSONPATH
parameters:
- $.days_left
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: fbd0960d21154c18928ad36afae14c40
name: 'SSL valid now [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.valid_now[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: 365d
value_type: UNSIGNED
valuemap:
name: SSL boolean
preprocessing:
- type: JSONPATH
parameters:
- $.valid_now
- type: JAVASCRIPT
parameters:
- 'return value === true || value === "true" ? 1 : 0;'
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: 35dc642cbe92420da0631a68f48c4662
name: 'SSL hostname match [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.hostname_match[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: 365d
value_type: UNSIGNED
valuemap:
name: SSL boolean
preprocessing:
- type: JSONPATH
parameters:
- $.hostname_match
- type: JAVASCRIPT
parameters:
- 'return value === true || value === "true" ? 1 : 0;'
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: 3ce5bba7f2b340dcbe74641b318cb08f
name: 'SSL chain valid [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.chain_valid[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: 365d
value_type: UNSIGNED
valuemap:
name: SSL boolean
preprocessing:
- type: JSONPATH
parameters:
- $.chain_valid
- type: JAVASCRIPT
parameters:
- 'return value === true || value === "true" ? 1 : 0;'
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: ad0aff7a23b9447ea573a6cc4fd03209
name: 'SSL self signed [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.self_signed[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: 365d
value_type: UNSIGNED
valuemap:
name: SSL boolean
preprocessing:
- type: JSONPATH
parameters:
- $.self_signed
- type: JAVASCRIPT
parameters:
- 'return value === true || value === "true" ? 1 : 0;'
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: 489a246318764ad39ec9effd8d7f5c3f
name: 'SSL not yet valid [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.not_yet_valid[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: 365d
value_type: UNSIGNED
valuemap:
name: SSL boolean
preprocessing:
- type: JSONPATH
parameters:
- $.not_yet_valid
- type: JAVASCRIPT
parameters:
- 'return value === true || value === "true" ? 1 : 0;'
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: 8dc650b706c340a996a80238f775e324
name: 'SSL expired [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.expired[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: 365d
value_type: UNSIGNED
valuemap:
name: SSL boolean
preprocessing:
- type: JSONPATH
parameters:
- $.expired
- type: JAVASCRIPT
parameters:
- 'return value === true || value === "true" ? 1 : 0;'
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: 204862fd4f8342b7bf3fc6337f5df6d0
name: 'SSL issuer org [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.issuer_org[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: '0'
value_type: TEXT
preprocessing:
- type: JSONPATH
parameters:
- $.issuer_org
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: 246a068f7f3745a5a1cb0f725a499426
name: 'SSL issuer CN [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.issuer_cn[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: '0'
value_type: TEXT
preprocessing:
- type: JSONPATH
parameters:
- $.issuer_cn
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: 46a8211952364d3bbd7c359a0f7ebc62
name: 'SSL subject CN [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.subject_cn[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: '0'
value_type: TEXT
preprocessing:
- type: JSONPATH
parameters:
- $.subject_cn
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: db6d8a182d6b4e28915cd2c1937d3ba7
name: 'SSL SAN names [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.san_names[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: '0'
value_type: TEXT
preprocessing:
- type: JSONPATH
parameters:
- $.san_names
- type: JAVASCRIPT
parameters:
- 'try { return JSON.stringify(JSON.parse(value)); } catch (e) { return value; }'
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: 3ae58996de784502816d1cd27a722de3
name: 'SSL fingerprint SHA256 [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.fingerprint_sha256[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: '0'
value_type: TEXT
preprocessing:
- type: JSONPATH
parameters:
- $.fingerprint_sha256
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: 8cc55e450c064a698053967f8dfd3f35
name: 'SSL expected issuer match [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.expected_issuer_match[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: 365d
value_type: UNSIGNED
valuemap:
name: SSL boolean
preprocessing:
- type: JSONPATH
parameters:
- $.expected_issuer_match
- type: JAVASCRIPT
parameters:
- 'return value === true || value === "true" ? 1 : 0;'
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: 5e74e1d762a9420395448d9d02b3b3e9
name: 'TLS negotiated version [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.tls_version_negotiated[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: '0'
value_type: TEXT
preprocessing:
- type: JSONPATH
parameters:
- $.tls_version_negotiated
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: 715157395cf24e738c275e5d99c585d2
name: 'TLS 1.0 supported [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.tls10_supported[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: 365d
value_type: UNSIGNED
valuemap:
name: SSL boolean
preprocessing:
- type: JSONPATH
parameters:
- $.tls10_supported
- type: JAVASCRIPT
parameters:
- 'if (value === null || value === "null") { return 0; } return value === true || value === "true" ? 1 : 0;'
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: 7931bd3a2a434be38548fd6867e8473d
name: 'TLS 1.1 supported [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.tls11_supported[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: 365d
value_type: UNSIGNED
valuemap:
name: SSL boolean
preprocessing:
- type: JSONPATH
parameters:
- $.tls11_supported
- type: JAVASCRIPT
parameters:
- 'if (value === null || value === "null") { return 0; } return value === true || value === "true" ? 1 : 0;'
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: a20fbc15a8ea4cb7a3c3c4dbfc7789e1
name: 'TLS 1.2 supported [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.tls12_supported[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: 365d
value_type: UNSIGNED
valuemap:
name: SSL boolean
preprocessing:
- type: JSONPATH
parameters:
- $.tls12_supported
- type: JAVASCRIPT
parameters:
- 'return value === true || value === "true" ? 1 : 0;'
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: e633e097a3294860853e9f66fc1cc6a8
name: 'TLS 1.3 supported [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.tls13_supported[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: 365d
value_type: UNSIGNED
valuemap:
name: SSL boolean
preprocessing:
- type: JSONPATH
parameters:
- $.tls13_supported
- type: JAVASCRIPT
parameters:
- 'if (value === null || value === "null") { return 0; } return value === true || value === "true" ? 1 : 0;'
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: f97fb439d4e04ad38e2dd0311fd144c7
name: 'HTTP reachable [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.http_reachable[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: 365d
value_type: UNSIGNED
valuemap:
name: SSL boolean
preprocessing:
- type: JSONPATH
parameters:
- $.http_reachable
- type: JAVASCRIPT
parameters:
- 'return value === true || value === "true" ? 1 : 0;'
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: 58242f0618944f57a925a3d59c871e39
name: 'HTTP status [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.http_status[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: 365d
value_type: UNSIGNED
preprocessing:
- type: JSONPATH
parameters:
- $.http_status
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: b8475311fa4e4594bd8a4340b60b6937
name: 'HTTP status expected [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.http_status_expected[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: 365d
value_type: UNSIGNED
valuemap:
name: SSL boolean
preprocessing:
- type: JSONPATH
parameters:
- $.http_status_expected
- type: JAVASCRIPT
parameters:
- 'return value === true || value === "true" ? 1 : 0;'
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: 1a3cf22a1f9a4aa6b9219fb091d2eaf1
name: 'HTTP response time [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.http_response_time_ms[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: 365d
value_type: UNSIGNED
preprocessing:
- type: JSONPATH
parameters:
- $.http_response_time_ms
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: 5ae12b7986ea485b908c9e61f49c4e9e
name: 'HTTP HSTS [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.http_hsts[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: 365d
value_type: UNSIGNED
valuemap:
name: SSL boolean
preprocessing:
- type: JSONPATH
parameters:
- $.http_hsts
- type: JAVASCRIPT
parameters:
- 'return value === true || value === "true" ? 1 : 0;'
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: 91101608a78846f2b6d6c6fcce8d7648
name: 'HTTP security headers score [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.http_security_headers_score[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: 365d
value_type: UNSIGNED
preprocessing:
- type: JSONPATH
parameters:
- $.http_security_headers_score
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: df341fd63eda4d2e8dc457d3fa4d91f7
name: 'HTTP server header [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.http_server_header[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: '0'
value_type: TEXT
preprocessing:
- type: JSONPATH
parameters:
- $.http_server_header
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
- uuid: 8bfc3b3d13da40b2a77ac180e910eaa0
name: 'SSL error [{#SSL_NAME}]'
type: DEPENDENT
key: 'ssl.error[{#SSL_HOST},{#SSL_PORT}]'
history: 30d
trends: '0'
value_type: TEXT
preprocessing:
- type: JSONPATH
parameters:
- $.error
master_item:
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
trigger_prototypes:
- uuid: edb8b81e8f334c56890f44ff209c011e
expression: 'last(/Template SSL Checker Relaxed/ssl.reachable[{#SSL_HOST},{#SSL_PORT}])=0'
name: 'SSL target unreachable [{#SSL_NAME}]'
priority: WARNING
tags:
- tag: scope
value: ssl
- tag: owner
value: '{#SSL_OWNER}'
- tag: profile
value: '{#SSL_PROFILE}'
- tag: notify
value: delayed
- uuid: b6614d7a41184f5c8785e549012782cda
expression: 'last(/Template SSL Checker Relaxed/ssl.days_left[{#SSL_HOST},{#SSL_PORT}])<30 and last(/Template SSL Checker Relaxed/ssl.days_left[{#SSL_HOST},{#SSL_PORT}])>=14'
name: 'SSL expires within 30 days [{#SSL_NAME}]'
priority: INFO
tags:
- tag: notify
value: 'no'
- uuid: d049184a61514835ad9530e7e6fbc3b3
expression: 'last(/Template SSL Checker Relaxed/ssl.days_left[{#SSL_HOST},{#SSL_PORT}])<14 and last(/Template SSL Checker Relaxed/ssl.days_left[{#SSL_HOST},{#SSL_PORT}])>=7'
name: 'SSL expires within 14 days [{#SSL_NAME}]'
priority: WARNING
tags:
- tag: notify
value: owner
- uuid: 82dd7417fc32470085073ef5ed6cc671
expression: 'last(/Template SSL Checker Relaxed/ssl.days_left[{#SSL_HOST},{#SSL_PORT}])<7 and last(/Template SSL Checker Relaxed/ssl.days_left[{#SSL_HOST},{#SSL_PORT}])>=2'
name: 'SSL expires within 7 days [{#SSL_NAME}]'
priority: AVERAGE
tags:
- tag: notify
value: 'yes'
- uuid: 5eea97943e164f9b9b7bf42d1e7f5723
expression: 'last(/Template SSL Checker Relaxed/ssl.days_left[{#SSL_HOST},{#SSL_PORT}])<2'
name: 'SSL expires within 2 days [{#SSL_NAME}]'
priority: HIGH
tags:
- tag: notify
value: 'yes'
- uuid: 9d187f28d1dd43e9bca055333b7fb5a1
expression: 'last(/Template SSL Checker Relaxed/ssl.hostname_match[{#SSL_HOST},{#SSL_PORT}])=0'
name: 'SSL hostname mismatch [{#SSL_NAME}]'
priority: HIGH
tags:
- tag: notify
value: 'yes'
- uuid: a7dfbb0250f84d04baf634674b4dbb20
expression: 'last(/Template SSL Checker Relaxed/ssl.chain_valid[{#SSL_HOST},{#SSL_PORT}])=0'
name: 'SSL chain invalid [{#SSL_NAME}]'
priority: AVERAGE
tags:
- tag: notify
value: 'yes'
- uuid: e23bd53ed8c142ef9798e4062f97f2df
expression: 'last(/Template SSL Checker Relaxed/ssl.self_signed[{#SSL_HOST},{#SSL_PORT}])=1'
name: 'SSL is self-signed [{#SSL_NAME}]'
priority: WARNING
tags:
- tag: notify
value: owner
- uuid: fb93047326ff4bd5bed32c9783d90ce9
expression: 'last(/Template SSL Checker Relaxed/ssl.not_yet_valid[{#SSL_HOST},{#SSL_PORT}])=1'
name: 'SSL not yet valid [{#SSL_NAME}]'
priority: HIGH
tags:
- tag: notify
value: 'yes'
- uuid: 19c2314c9daa4326b48e5e263eb70c4c
expression: 'last(/Template SSL Checker Relaxed/ssl.tls10_supported[{#SSL_HOST},{#SSL_PORT}])=1'
name: 'TLS 1.0 supported [{#SSL_NAME}]'
priority: WARNING
tags:
- tag: scope
value: tls
- tag: notify
value: owner
- uuid: 3bce8d223f0d443393f407dd0c81f444
expression: 'last(/Template SSL Checker Relaxed/ssl.tls11_supported[{#SSL_HOST},{#SSL_PORT}])=1'
name: 'TLS 1.1 supported [{#SSL_NAME}]'
priority: WARNING
tags:
- tag: scope
value: tls
- tag: notify
value: owner
- uuid: b484f5ff1d974e499a8f765a8e63a7c0
expression: 'last(/Template SSL Checker Relaxed/ssl.http_status_expected[{#SSL_HOST},{#SSL_PORT}])=0'
name: 'HTTP status not expected [{#SSL_NAME}]'
priority: WARNING
tags:
- tag: scope
value: http
- tag: notify
value: delayed
- uuid: 4149f1a7f8bc45aa8b6a1b9953978df5
expression: 'last(/Template SSL Checker Relaxed/ssl.http_hsts[{#SSL_HOST},{#SSL_PORT}])=0'
name: 'HSTS missing [{#SSL_NAME}]'
priority: INFO
tags:
- tag: scope
value: http
- tag: notify
value: 'no'
- uuid: 7c0b3de5aec14b538df5495945c72719
expression: 'last(/Template SSL Checker Relaxed/ssl.http_security_headers_score[{#SSL_HOST},{#SSL_PORT}])<2'
name: 'HTTP security headers score low [{#SSL_NAME}]'
priority: INFO
tags:
- tag: scope
value: http
- tag: notify
value: 'no'
valuemaps:
- uuid: 7f0d5857156543cf9808cad8c3328e4d
name: SSL boolean
mappings:
- value: '0'
newvalue: 'No'
- value: '1'
newvalue: 'Yes'