Add Zabbix SSL checker
@@ -0,0 +1,94 @@
|
||||
# Handmatige Zabbix-template stappen
|
||||
|
||||
Gebruik dit bestand alleen als je Zabbix-versie of importpolicy de YAML-export weigert.
|
||||
|
||||
## Template
|
||||
|
||||
1. Ga naar **Data collection -> Templates**.
|
||||
2. Maak template **Template SSL Checker Relaxed**.
|
||||
3. Zet de groep op **Templates/Custom**.
|
||||
4. Voeg macros toe:
|
||||
- `{$SSL_CONFIG}` = `/etc/zabbix/ssl_targets.json`
|
||||
- `{$SSL_CHECK_TIMEOUT}` = `10`
|
||||
|
||||
## Discovery rule
|
||||
|
||||
Maak een discovery rule:
|
||||
|
||||
- Name: `SSL target discovery`
|
||||
- Type: `External check`
|
||||
- Key: `ssl_discovery.py["--config","{$SSL_CONFIG}"]`
|
||||
- Update interval: `1h`
|
||||
|
||||
De discovery output bevat de LLD macros direct in het `data` object:
|
||||
|
||||
- `{#SSL_NAME}`
|
||||
- `{#SSL_HOST}`
|
||||
- `{#SSL_PORT}`
|
||||
- `{#SSL_OWNER}`
|
||||
- `{#SSL_PROFILE}`
|
||||
|
||||
## Master item prototype
|
||||
|
||||
Maak onder de discovery rule een item prototype:
|
||||
|
||||
- Name: `SSL raw check [{#SSL_NAME}]`
|
||||
- Type: `External check`
|
||||
- Key: `ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]`
|
||||
- Type of information: `Text`
|
||||
- Update interval: `15m`
|
||||
- History: `7d`
|
||||
- Trends: `0`
|
||||
|
||||
## Dependent item prototypes
|
||||
|
||||
Maak dependent item prototypes met het master item hierboven als bron. Gebruik JSONPath preprocessing per veld, bijvoorbeeld:
|
||||
|
||||
- `ssl.reachable[{#SSL_HOST},{#SSL_PORT}]` -> `$.reachable` -> JavaScript `return value === true || value === "true" ? 1 : 0;`
|
||||
- `ssl.days_left[{#SSL_HOST},{#SSL_PORT}]` -> `$.days_left`
|
||||
- `ssl.valid_now[{#SSL_HOST},{#SSL_PORT}]` -> `$.valid_now` -> boolean JavaScript
|
||||
- `ssl.hostname_match[{#SSL_HOST},{#SSL_PORT}]` -> `$.hostname_match` -> boolean JavaScript
|
||||
- `ssl.chain_valid[{#SSL_HOST},{#SSL_PORT}]` -> `$.chain_valid` -> boolean JavaScript
|
||||
- `ssl.self_signed[{#SSL_HOST},{#SSL_PORT}]` -> `$.self_signed` -> boolean JavaScript
|
||||
- `ssl.not_yet_valid[{#SSL_HOST},{#SSL_PORT}]` -> `$.not_yet_valid` -> boolean JavaScript
|
||||
- `ssl.expired[{#SSL_HOST},{#SSL_PORT}]` -> `$.expired` -> boolean JavaScript
|
||||
- `ssl.issuer_org[{#SSL_HOST},{#SSL_PORT}]` -> `$.issuer_org`
|
||||
- `ssl.issuer_cn[{#SSL_HOST},{#SSL_PORT}]` -> `$.issuer_cn`
|
||||
- `ssl.subject_cn[{#SSL_HOST},{#SSL_PORT}]` -> `$.subject_cn`
|
||||
- `ssl.san_names[{#SSL_HOST},{#SSL_PORT}]` -> `$.san_names`
|
||||
- `ssl.fingerprint_sha256[{#SSL_HOST},{#SSL_PORT}]` -> `$.fingerprint_sha256`
|
||||
- `ssl.expected_issuer_match[{#SSL_HOST},{#SSL_PORT}]` -> `$.expected_issuer_match` -> boolean JavaScript
|
||||
- `ssl.tls_version_negotiated[{#SSL_HOST},{#SSL_PORT}]` -> `$.tls_version_negotiated`
|
||||
- `ssl.tls10_supported[{#SSL_HOST},{#SSL_PORT}]` -> `$.tls10_supported` -> boolean JavaScript
|
||||
- `ssl.tls11_supported[{#SSL_HOST},{#SSL_PORT}]` -> `$.tls11_supported` -> boolean JavaScript
|
||||
- `ssl.tls12_supported[{#SSL_HOST},{#SSL_PORT}]` -> `$.tls12_supported` -> boolean JavaScript
|
||||
- `ssl.tls13_supported[{#SSL_HOST},{#SSL_PORT}]` -> `$.tls13_supported` -> boolean JavaScript
|
||||
- `ssl.http_reachable[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_reachable` -> boolean JavaScript
|
||||
- `ssl.http_status[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_status`
|
||||
- `ssl.http_status_expected[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_status_expected` -> boolean JavaScript
|
||||
- `ssl.http_response_time_ms[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_response_time_ms`
|
||||
- `ssl.http_hsts[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_hsts` -> boolean JavaScript
|
||||
- `ssl.http_security_headers_score[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_security_headers_score`
|
||||
- `ssl.http_server_header[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_server_header`
|
||||
- `ssl.error[{#SSL_HOST},{#SSL_PORT}]` -> `$.error`
|
||||
|
||||
## Triggers
|
||||
|
||||
Maak trigger prototypes op de dependent item prototypes:
|
||||
|
||||
- SSL target unreachable: reachable = 0, Warning
|
||||
- SSL expires within 30 days: days_left < 30 and >= 14, Information
|
||||
- SSL expires within 14 days: days_left < 14 and >= 7, Warning
|
||||
- SSL expires within 7 days: days_left < 7 and >= 2, Average
|
||||
- SSL expires within 2 days: days_left < 2, High
|
||||
- SSL hostname mismatch: hostname_match = 0, High
|
||||
- SSL chain invalid: chain_valid = 0, Average
|
||||
- SSL is self-signed: self_signed = 1, Warning
|
||||
- SSL not yet valid: not_yet_valid = 1, High
|
||||
- TLS 1.0 supported: tls10_supported = 1, Warning
|
||||
- TLS 1.1 supported: tls11_supported = 1, Warning
|
||||
- HTTP status not expected: http_status_expected = 0, Warning
|
||||
- HSTS missing: http_hsts = 0, Information
|
||||
- HTTP security headers score low: score < 2, Information
|
||||
|
||||
Text-item change triggers voor issuer/fingerprint zijn bewust niet opgenomen, omdat importeerbaarheid per Zabbix 7.x minor release kan verschillen.
|
||||
@@ -0,0 +1,592 @@
|
||||
zabbix_export:
|
||||
version: '7.0'
|
||||
template_groups:
|
||||
- uuid: 2fdce7293a314718bbeb9a302dd7533f
|
||||
name: Templates/Custom
|
||||
templates:
|
||||
- uuid: eaa75d8e6bb44b0e8fca872ab5ea6001
|
||||
template: Template SSL Checker Relaxed
|
||||
name: Template SSL Checker Relaxed
|
||||
groups:
|
||||
- name: Templates/Custom
|
||||
macros:
|
||||
- macro: '{$SSL_CONFIG}'
|
||||
value: /etc/zabbix/ssl_targets.json
|
||||
- macro: '{$SSL_CHECK_TIMEOUT}'
|
||||
value: '10'
|
||||
discovery_rules:
|
||||
- uuid: eebfdbd1e6f94de0abe6b014d652679e
|
||||
name: SSL target discovery
|
||||
type: EXTERNAL
|
||||
key: 'ssl_discovery.py["--config","{$SSL_CONFIG}"]'
|
||||
delay: 1h
|
||||
item_prototypes:
|
||||
- uuid: 9cbb898647f74b4f8865f65b036f88cb
|
||||
name: 'SSL raw check [{#SSL_NAME}]'
|
||||
type: EXTERNAL
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
delay: 15m
|
||||
history: 7d
|
||||
trends: '0'
|
||||
value_type: TEXT
|
||||
tags:
|
||||
- tag: component
|
||||
value: raw
|
||||
- tag: scope
|
||||
value: ssl
|
||||
- tag: owner
|
||||
value: '{#SSL_OWNER}'
|
||||
- tag: profile
|
||||
value: '{#SSL_PROFILE}'
|
||||
- uuid: 742b8b1630e048d2b73d95e846165bec
|
||||
name: 'SSL reachable [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.reachable[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: 365d
|
||||
value_type: UNSIGNED
|
||||
valuemap:
|
||||
name: SSL boolean
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.reachable
|
||||
- type: JAVASCRIPT
|
||||
parameters:
|
||||
- 'return value === true || value === "true" ? 1 : 0;'
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: a44af3b1e4c547d59f9e6e7c5c9186d4
|
||||
name: 'SSL days left [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.days_left[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: 365d
|
||||
value_type: UNSIGNED
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.days_left
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: fbd0960d21154c18928ad36afae14c40
|
||||
name: 'SSL valid now [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.valid_now[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: 365d
|
||||
value_type: UNSIGNED
|
||||
valuemap:
|
||||
name: SSL boolean
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.valid_now
|
||||
- type: JAVASCRIPT
|
||||
parameters:
|
||||
- 'return value === true || value === "true" ? 1 : 0;'
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: 35dc642cbe92420da0631a68f48c4662
|
||||
name: 'SSL hostname match [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.hostname_match[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: 365d
|
||||
value_type: UNSIGNED
|
||||
valuemap:
|
||||
name: SSL boolean
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.hostname_match
|
||||
- type: JAVASCRIPT
|
||||
parameters:
|
||||
- 'return value === true || value === "true" ? 1 : 0;'
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: 3ce5bba7f2b340dcbe74641b318cb08f
|
||||
name: 'SSL chain valid [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.chain_valid[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: 365d
|
||||
value_type: UNSIGNED
|
||||
valuemap:
|
||||
name: SSL boolean
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.chain_valid
|
||||
- type: JAVASCRIPT
|
||||
parameters:
|
||||
- 'return value === true || value === "true" ? 1 : 0;'
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: ad0aff7a23b9447ea573a6cc4fd03209
|
||||
name: 'SSL self signed [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.self_signed[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: 365d
|
||||
value_type: UNSIGNED
|
||||
valuemap:
|
||||
name: SSL boolean
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.self_signed
|
||||
- type: JAVASCRIPT
|
||||
parameters:
|
||||
- 'return value === true || value === "true" ? 1 : 0;'
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: 489a246318764ad39ec9effd8d7f5c3f
|
||||
name: 'SSL not yet valid [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.not_yet_valid[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: 365d
|
||||
value_type: UNSIGNED
|
||||
valuemap:
|
||||
name: SSL boolean
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.not_yet_valid
|
||||
- type: JAVASCRIPT
|
||||
parameters:
|
||||
- 'return value === true || value === "true" ? 1 : 0;'
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: 8dc650b706c340a996a80238f775e324
|
||||
name: 'SSL expired [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.expired[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: 365d
|
||||
value_type: UNSIGNED
|
||||
valuemap:
|
||||
name: SSL boolean
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.expired
|
||||
- type: JAVASCRIPT
|
||||
parameters:
|
||||
- 'return value === true || value === "true" ? 1 : 0;'
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: 204862fd4f8342b7bf3fc6337f5df6d0
|
||||
name: 'SSL issuer org [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.issuer_org[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: '0'
|
||||
value_type: TEXT
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.issuer_org
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: 246a068f7f3745a5a1cb0f725a499426
|
||||
name: 'SSL issuer CN [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.issuer_cn[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: '0'
|
||||
value_type: TEXT
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.issuer_cn
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: 46a8211952364d3bbd7c359a0f7ebc62
|
||||
name: 'SSL subject CN [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.subject_cn[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: '0'
|
||||
value_type: TEXT
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.subject_cn
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: db6d8a182d6b4e28915cd2c1937d3ba7
|
||||
name: 'SSL SAN names [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.san_names[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: '0'
|
||||
value_type: TEXT
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.san_names
|
||||
- type: JAVASCRIPT
|
||||
parameters:
|
||||
- 'try { return JSON.stringify(JSON.parse(value)); } catch (e) { return value; }'
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: 3ae58996de784502816d1cd27a722de3
|
||||
name: 'SSL fingerprint SHA256 [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.fingerprint_sha256[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: '0'
|
||||
value_type: TEXT
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.fingerprint_sha256
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: 8cc55e450c064a698053967f8dfd3f35
|
||||
name: 'SSL expected issuer match [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.expected_issuer_match[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: 365d
|
||||
value_type: UNSIGNED
|
||||
valuemap:
|
||||
name: SSL boolean
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.expected_issuer_match
|
||||
- type: JAVASCRIPT
|
||||
parameters:
|
||||
- 'return value === true || value === "true" ? 1 : 0;'
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: 5e74e1d762a9420395448d9d02b3b3e9
|
||||
name: 'TLS negotiated version [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.tls_version_negotiated[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: '0'
|
||||
value_type: TEXT
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.tls_version_negotiated
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: 715157395cf24e738c275e5d99c585d2
|
||||
name: 'TLS 1.0 supported [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.tls10_supported[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: 365d
|
||||
value_type: UNSIGNED
|
||||
valuemap:
|
||||
name: SSL boolean
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.tls10_supported
|
||||
- type: JAVASCRIPT
|
||||
parameters:
|
||||
- 'if (value === null || value === "null") { return 0; } return value === true || value === "true" ? 1 : 0;'
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: 7931bd3a2a434be38548fd6867e8473d
|
||||
name: 'TLS 1.1 supported [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.tls11_supported[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: 365d
|
||||
value_type: UNSIGNED
|
||||
valuemap:
|
||||
name: SSL boolean
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.tls11_supported
|
||||
- type: JAVASCRIPT
|
||||
parameters:
|
||||
- 'if (value === null || value === "null") { return 0; } return value === true || value === "true" ? 1 : 0;'
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: a20fbc15a8ea4cb7a3c3c4dbfc7789e1
|
||||
name: 'TLS 1.2 supported [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.tls12_supported[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: 365d
|
||||
value_type: UNSIGNED
|
||||
valuemap:
|
||||
name: SSL boolean
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.tls12_supported
|
||||
- type: JAVASCRIPT
|
||||
parameters:
|
||||
- 'return value === true || value === "true" ? 1 : 0;'
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: e633e097a3294860853e9f66fc1cc6a8
|
||||
name: 'TLS 1.3 supported [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.tls13_supported[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: 365d
|
||||
value_type: UNSIGNED
|
||||
valuemap:
|
||||
name: SSL boolean
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.tls13_supported
|
||||
- type: JAVASCRIPT
|
||||
parameters:
|
||||
- 'if (value === null || value === "null") { return 0; } return value === true || value === "true" ? 1 : 0;'
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: f97fb439d4e04ad38e2dd0311fd144c7
|
||||
name: 'HTTP reachable [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.http_reachable[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: 365d
|
||||
value_type: UNSIGNED
|
||||
valuemap:
|
||||
name: SSL boolean
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.http_reachable
|
||||
- type: JAVASCRIPT
|
||||
parameters:
|
||||
- 'return value === true || value === "true" ? 1 : 0;'
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: 58242f0618944f57a925a3d59c871e39
|
||||
name: 'HTTP status [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.http_status[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: 365d
|
||||
value_type: UNSIGNED
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.http_status
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: b8475311fa4e4594bd8a4340b60b6937
|
||||
name: 'HTTP status expected [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.http_status_expected[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: 365d
|
||||
value_type: UNSIGNED
|
||||
valuemap:
|
||||
name: SSL boolean
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.http_status_expected
|
||||
- type: JAVASCRIPT
|
||||
parameters:
|
||||
- 'return value === true || value === "true" ? 1 : 0;'
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: 1a3cf22a1f9a4aa6b9219fb091d2eaf1
|
||||
name: 'HTTP response time [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.http_response_time_ms[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: 365d
|
||||
value_type: UNSIGNED
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.http_response_time_ms
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: 5ae12b7986ea485b908c9e61f49c4e9e
|
||||
name: 'HTTP HSTS [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.http_hsts[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: 365d
|
||||
value_type: UNSIGNED
|
||||
valuemap:
|
||||
name: SSL boolean
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.http_hsts
|
||||
- type: JAVASCRIPT
|
||||
parameters:
|
||||
- 'return value === true || value === "true" ? 1 : 0;'
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: 91101608a78846f2b6d6c6fcce8d7648
|
||||
name: 'HTTP security headers score [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.http_security_headers_score[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: 365d
|
||||
value_type: UNSIGNED
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.http_security_headers_score
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: df341fd63eda4d2e8dc457d3fa4d91f7
|
||||
name: 'HTTP server header [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.http_server_header[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: '0'
|
||||
value_type: TEXT
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.http_server_header
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
- uuid: 8bfc3b3d13da40b2a77ac180e910eaa0
|
||||
name: 'SSL error [{#SSL_NAME}]'
|
||||
type: DEPENDENT
|
||||
key: 'ssl.error[{#SSL_HOST},{#SSL_PORT}]'
|
||||
history: 30d
|
||||
trends: '0'
|
||||
value_type: TEXT
|
||||
preprocessing:
|
||||
- type: JSONPATH
|
||||
parameters:
|
||||
- $.error
|
||||
master_item:
|
||||
key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
|
||||
trigger_prototypes:
|
||||
- uuid: edb8b81e8f334c56890f44ff209c011e
|
||||
expression: 'last(/Template SSL Checker Relaxed/ssl.reachable[{#SSL_HOST},{#SSL_PORT}])=0'
|
||||
name: 'SSL target unreachable [{#SSL_NAME}]'
|
||||
priority: WARNING
|
||||
tags:
|
||||
- tag: scope
|
||||
value: ssl
|
||||
- tag: owner
|
||||
value: '{#SSL_OWNER}'
|
||||
- tag: profile
|
||||
value: '{#SSL_PROFILE}'
|
||||
- tag: notify
|
||||
value: delayed
|
||||
- uuid: b6614d7a41184f5c8785e549012782cda
|
||||
expression: 'last(/Template SSL Checker Relaxed/ssl.days_left[{#SSL_HOST},{#SSL_PORT}])<30 and last(/Template SSL Checker Relaxed/ssl.days_left[{#SSL_HOST},{#SSL_PORT}])>=14'
|
||||
name: 'SSL expires within 30 days [{#SSL_NAME}]'
|
||||
priority: INFO
|
||||
tags:
|
||||
- tag: notify
|
||||
value: 'no'
|
||||
- uuid: d049184a61514835ad9530e7e6fbc3b3
|
||||
expression: 'last(/Template SSL Checker Relaxed/ssl.days_left[{#SSL_HOST},{#SSL_PORT}])<14 and last(/Template SSL Checker Relaxed/ssl.days_left[{#SSL_HOST},{#SSL_PORT}])>=7'
|
||||
name: 'SSL expires within 14 days [{#SSL_NAME}]'
|
||||
priority: WARNING
|
||||
tags:
|
||||
- tag: notify
|
||||
value: owner
|
||||
- uuid: 82dd7417fc32470085073ef5ed6cc671
|
||||
expression: 'last(/Template SSL Checker Relaxed/ssl.days_left[{#SSL_HOST},{#SSL_PORT}])<7 and last(/Template SSL Checker Relaxed/ssl.days_left[{#SSL_HOST},{#SSL_PORT}])>=2'
|
||||
name: 'SSL expires within 7 days [{#SSL_NAME}]'
|
||||
priority: AVERAGE
|
||||
tags:
|
||||
- tag: notify
|
||||
value: 'yes'
|
||||
- uuid: 5eea97943e164f9b9b7bf42d1e7f5723
|
||||
expression: 'last(/Template SSL Checker Relaxed/ssl.days_left[{#SSL_HOST},{#SSL_PORT}])<2'
|
||||
name: 'SSL expires within 2 days [{#SSL_NAME}]'
|
||||
priority: HIGH
|
||||
tags:
|
||||
- tag: notify
|
||||
value: 'yes'
|
||||
- uuid: 9d187f28d1dd43e9bca055333b7fb5a1
|
||||
expression: 'last(/Template SSL Checker Relaxed/ssl.hostname_match[{#SSL_HOST},{#SSL_PORT}])=0'
|
||||
name: 'SSL hostname mismatch [{#SSL_NAME}]'
|
||||
priority: HIGH
|
||||
tags:
|
||||
- tag: notify
|
||||
value: 'yes'
|
||||
- uuid: a7dfbb0250f84d04baf634674b4dbb20
|
||||
expression: 'last(/Template SSL Checker Relaxed/ssl.chain_valid[{#SSL_HOST},{#SSL_PORT}])=0'
|
||||
name: 'SSL chain invalid [{#SSL_NAME}]'
|
||||
priority: AVERAGE
|
||||
tags:
|
||||
- tag: notify
|
||||
value: 'yes'
|
||||
- uuid: e23bd53ed8c142ef9798e4062f97f2df
|
||||
expression: 'last(/Template SSL Checker Relaxed/ssl.self_signed[{#SSL_HOST},{#SSL_PORT}])=1'
|
||||
name: 'SSL is self-signed [{#SSL_NAME}]'
|
||||
priority: WARNING
|
||||
tags:
|
||||
- tag: notify
|
||||
value: owner
|
||||
- uuid: fb93047326ff4bd5bed32c9783d90ce9
|
||||
expression: 'last(/Template SSL Checker Relaxed/ssl.not_yet_valid[{#SSL_HOST},{#SSL_PORT}])=1'
|
||||
name: 'SSL not yet valid [{#SSL_NAME}]'
|
||||
priority: HIGH
|
||||
tags:
|
||||
- tag: notify
|
||||
value: 'yes'
|
||||
- uuid: 19c2314c9daa4326b48e5e263eb70c4c
|
||||
expression: 'last(/Template SSL Checker Relaxed/ssl.tls10_supported[{#SSL_HOST},{#SSL_PORT}])=1'
|
||||
name: 'TLS 1.0 supported [{#SSL_NAME}]'
|
||||
priority: WARNING
|
||||
tags:
|
||||
- tag: scope
|
||||
value: tls
|
||||
- tag: notify
|
||||
value: owner
|
||||
- uuid: 3bce8d223f0d443393f407dd0c81f444
|
||||
expression: 'last(/Template SSL Checker Relaxed/ssl.tls11_supported[{#SSL_HOST},{#SSL_PORT}])=1'
|
||||
name: 'TLS 1.1 supported [{#SSL_NAME}]'
|
||||
priority: WARNING
|
||||
tags:
|
||||
- tag: scope
|
||||
value: tls
|
||||
- tag: notify
|
||||
value: owner
|
||||
- uuid: b484f5ff1d974e499a8f765a8e63a7c0
|
||||
expression: 'last(/Template SSL Checker Relaxed/ssl.http_status_expected[{#SSL_HOST},{#SSL_PORT}])=0'
|
||||
name: 'HTTP status not expected [{#SSL_NAME}]'
|
||||
priority: WARNING
|
||||
tags:
|
||||
- tag: scope
|
||||
value: http
|
||||
- tag: notify
|
||||
value: delayed
|
||||
- uuid: 4149f1a7f8bc45aa8b6a1b9953978df5
|
||||
expression: 'last(/Template SSL Checker Relaxed/ssl.http_hsts[{#SSL_HOST},{#SSL_PORT}])=0'
|
||||
name: 'HSTS missing [{#SSL_NAME}]'
|
||||
priority: INFO
|
||||
tags:
|
||||
- tag: scope
|
||||
value: http
|
||||
- tag: notify
|
||||
value: 'no'
|
||||
- uuid: 7c0b3de5aec14b538df5495945c72719
|
||||
expression: 'last(/Template SSL Checker Relaxed/ssl.http_security_headers_score[{#SSL_HOST},{#SSL_PORT}])<2'
|
||||
name: 'HTTP security headers score low [{#SSL_NAME}]'
|
||||
priority: INFO
|
||||
tags:
|
||||
- tag: scope
|
||||
value: http
|
||||
- tag: notify
|
||||
value: 'no'
|
||||
valuemaps:
|
||||
- uuid: 7f0d5857156543cf9808cad8c3328e4d
|
||||
name: SSL boolean
|
||||
mappings:
|
||||
- value: '0'
|
||||
newvalue: 'No'
|
||||
- value: '1'
|
||||
newvalue: 'Yes'
|
||||
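Review bot: The trigger prototype `SSL expires within 30 days` has a 33-character uuid (`b6614d7a41184f5c8785e549012782cda`) while every other uuid in this export is 32 hex characters, so the import will probably be rejected until that uuid is regenerated. Separately, `ssl.days_left` is `value_type: UNSIGNED` and no trigger prototype references `ssl.expired`. If ssl_check.py (not shown here) reports a negative or null `days_left` for an expired or unreachable target, the item would likely become unsupported and the `<2` High trigger would stop evaluating just when it matters; consider `value_type: FLOAT` for days_left and an extra trigger `last(/Template SSL Checker Relaxed/ssl.expired[{#SSL_HOST},{#SSL_PORT}])=1`. The `value === null` branch in the `tls10_supported`/`tls11_supported` preprocessing turns "could not be probed" into 0, so a failed probe looks the same as "not supported" and can hide legacy-protocol exposure. `{$SSL_CHECK_TIMEOUT}` is defined but is not passed in either external-check key.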