# Zabbix 7.0 template export: TLS/HTTP posture checks driven by low-level
# discovery (LLD). One EXTERNAL master item per discovered target is parsed by
# DEPENDENT items via JSONPath; trigger prototypes then alert on those values.
# Layout reconstructed from a flattened listing; values and key order are
# unchanged.
zabbix_export:
  version: '7.0'
  template_groups:
    - uuid: 2fdce7293a314718bbeb9a302dd7533f
      name: Templates/Custom
  templates:
    - uuid: eaa75d8e6bb44b0e8fca872ab5ea6001
      template: Template SSL Checker Relaxed
      name: Template SSL Checker Relaxed
      groups:
        - name: Templates/Custom
      macros:
        # Path handed to both external scripts via --config. External checks
        # execute on the Zabbix server/proxy host, and this file supplies the
        # host/port values later passed as script arguments, so it should be
        # writable only by trusted administrators.
        - macro: '{$SSL_CONFIG}'
          value: /etc/zabbix/ssl_targets.json
        # NOTE(review): no item key in this export references this macro;
        # confirm whether the scripts obtain the timeout some other way or the
        # macro is unused.
        - macro: '{$SSL_CHECK_TIMEOUT}'
          value: '10'
      discovery_rules:
        # LLD rule: runs ssl_discovery.py hourly. The prototypes below consume
        # the LLD macros {#SSL_NAME}, {#SSL_HOST}, {#SSL_PORT}, {#SSL_OWNER}
        # and {#SSL_PROFILE}.
        - uuid: eebfdbd1e6f94de0abe6b014d652679e
          name: SSL target discovery
          type: EXTERNAL
          key: 'ssl_discovery.py["--config","{$SSL_CONFIG}"]'
          delay: 1h
          item_prototypes:
            # Master item: one script run per target every 15 minutes. Stored
            # as TEXT for 7 days with trends disabled; every DEPENDENT item
            # below extracts a single field from this value.
            - uuid: 9cbb898647f74b4f8865f65b036f88cb
              name: 'SSL raw check [{#SSL_NAME}]'
              type: EXTERNAL
              key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
              delay: 15m
              history: 7d
              trends: '0'
              value_type: TEXT
              tags:
                - tag: component
                  value: raw
                - tag: scope
                  value: ssl
                - tag: owner
                  value: '{#SSL_OWNER}'
                - tag: profile
                  value: '{#SSL_PROFILE}'
            # Boolean pattern used by most items below: JSONPath picks the
            # field, then JavaScript returns 1 only for true/"true" and 0 for
            # anything else (false, null, empty or unexpected text). For items
            # where 0 is the healthy state (self_signed, not_yet_valid,
            # expired, tls10/tls11_supported) an unknown result therefore
            # reads as healthy; check ssl.reachable and ssl.error alongside.
            - uuid: 742b8b1630e048d2b73d95e846165bec
              name: 'SSL reachable [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.reachable[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: 365d
              value_type: UNSIGNED
              valuemap:
                name: SSL boolean
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.reachable
                - type: JAVASCRIPT
                  parameters:
                    - 'return value === true || value === "true" ? 1 : 0;'
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            # NOTE(review): stored as UNSIGNED. If the script reports a
            # negative number for an already-expired certificate, the value
            # cannot be stored, the item turns unsupported and the expiry
            # triggers stop evaluating. Confirm what the script emits.
            - uuid: a44af3b1e4c547d59f9e6e7c5c9186d4
              name: 'SSL days left [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.days_left[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: 365d
              value_type: UNSIGNED
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.days_left
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            # Collected, but no trigger prototype in this export uses it.
            - uuid: fbd0960d21154c18928ad36afae14c40
              name: 'SSL valid now [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.valid_now[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: 365d
              value_type: UNSIGNED
              valuemap:
                name: SSL boolean
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.valid_now
                - type: JAVASCRIPT
                  parameters:
                    - 'return value === true || value === "true" ? 1 : 0;'
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            - uuid: 35dc642cbe92420da0631a68f48c4662
              name: 'SSL hostname match [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.hostname_match[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: 365d
              value_type: UNSIGNED
              valuemap:
                name: SSL boolean
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.hostname_match
                - type: JAVASCRIPT
                  parameters:
                    - 'return value === true || value === "true" ? 1 : 0;'
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            - uuid: 3ce5bba7f2b340dcbe74641b318cb08f
              name: 'SSL chain valid [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.chain_valid[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: 365d
              value_type: UNSIGNED
              valuemap:
                name: SSL boolean
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.chain_valid
                - type: JAVASCRIPT
                  parameters:
                    - 'return value === true || value === "true" ? 1 : 0;'
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            - uuid: ad0aff7a23b9447ea573a6cc4fd03209
              name: 'SSL self signed [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.self_signed[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: 365d
              value_type: UNSIGNED
              valuemap:
                name: SSL boolean
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.self_signed
                - type: JAVASCRIPT
                  parameters:
                    - 'return value === true || value === "true" ? 1 : 0;'
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            - uuid: 489a246318764ad39ec9effd8d7f5c3f
              name: 'SSL not yet valid [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.not_yet_valid[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: 365d
              value_type: UNSIGNED
              valuemap:
                name: SSL boolean
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.not_yet_valid
                - type: JAVASCRIPT
                  parameters:
                    - 'return value === true || value === "true" ? 1 : 0;'
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            # Collected, but no trigger prototype in this export uses it; an
            # expired certificate is alerted on only through ssl.days_left.
            - uuid: 8dc650b706c340a996a80238f775e324
              name: 'SSL expired [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.expired[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: 365d
              value_type: UNSIGNED
              valuemap:
                name: SSL boolean
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.expired
                - type: JAVASCRIPT
                  parameters:
                    - 'return value === true || value === "true" ? 1 : 0;'
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            # Certificate identity fields: stored as TEXT, trends disabled.
            - uuid: 204862fd4f8342b7bf3fc6337f5df6d0
              name: 'SSL issuer org [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.issuer_org[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: '0'
              value_type: TEXT
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.issuer_org
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            - uuid: 246a068f7f3745a5a1cb0f725a499426
              name: 'SSL issuer CN [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.issuer_cn[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: '0'
              value_type: TEXT
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.issuer_cn
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            - uuid: 46a8211952364d3bbd7c359a0f7ebc62
              name: 'SSL subject CN [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.subject_cn[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: '0'
              value_type: TEXT
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.subject_cn
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            # The JavaScript step re-serialises the extracted value as compact
            # JSON when it parses, and otherwise stores it unchanged.
            - uuid: db6d8a182d6b4e28915cd2c1937d3ba7
              name: 'SSL SAN names [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.san_names[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: '0'
              value_type: TEXT
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.san_names
                - type: JAVASCRIPT
                  parameters:
                    - 'try { return JSON.stringify(JSON.parse(value)); } catch (e) { return value; }'
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            # Collected, but no trigger prototype in this export compares the
            # fingerprint across polls.
            - uuid: 3ae58996de784502816d1cd27a722de3
              name: 'SSL fingerprint SHA256 [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.fingerprint_sha256[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: '0'
              value_type: TEXT
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.fingerprint_sha256
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            # Collected, but no trigger prototype in this export uses it.
            - uuid: 8cc55e450c064a698053967f8dfd3f35
              name: 'SSL expected issuer match [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.expected_issuer_match[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: 365d
              value_type: UNSIGNED
              valuemap:
                name: SSL boolean
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.expected_issuer_match
                - type: JAVASCRIPT
                  parameters:
                    - 'return value === true || value === "true" ? 1 : 0;'
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            - uuid: 5e74e1d762a9420395448d9d02b3b3e9
              name: 'TLS negotiated version [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.tls_version_negotiated[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: '0'
              value_type: TEXT
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.tls_version_negotiated
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            # An explicit null is mapped to 0, the same value as "not
            # supported", so the legacy-protocol trigger stays quiet for it.
            # NOTE(review): presumably null means the probe could not decide;
            # confirm against the script.
            - uuid: 715157395cf24e738c275e5d99c585d2
              name: 'TLS 1.0 supported [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.tls10_supported[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: 365d
              value_type: UNSIGNED
              valuemap:
                name: SSL boolean
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.tls10_supported
                - type: JAVASCRIPT
                  parameters:
                    - 'if (value === null || value === "null") { return 0; } return value === true || value === "true" ? 1 : 0;'
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            # Same null handling as the TLS 1.0 item.
            - uuid: 7931bd3a2a434be38548fd6867e8473d
              name: 'TLS 1.1 supported [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.tls11_supported[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: 365d
              value_type: UNSIGNED
              valuemap:
                name: SSL boolean
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.tls11_supported
                - type: JAVASCRIPT
                  parameters:
                    - 'if (value === null || value === "null") { return 0; } return value === true || value === "true" ? 1 : 0;'
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            # No explicit null branch here, but the result is the same:
            # anything other than true/"true" becomes 0.
            - uuid: a20fbc15a8ea4cb7a3c3c4dbfc7789e1
              name: 'TLS 1.2 supported [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.tls12_supported[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: 365d
              value_type: UNSIGNED
              valuemap:
                name: SSL boolean
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.tls12_supported
                - type: JAVASCRIPT
                  parameters:
                    - 'return value === true || value === "true" ? 1 : 0;'
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            - uuid: e633e097a3294860853e9f66fc1cc6a8
              name: 'TLS 1.3 supported [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.tls13_supported[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: 365d
              value_type: UNSIGNED
              valuemap:
                name: SSL boolean
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.tls13_supported
                - type: JAVASCRIPT
                  parameters:
                    - 'if (value === null || value === "null") { return 0; } return value === true || value === "true" ? 1 : 0;'
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            - uuid: f97fb439d4e04ad38e2dd0311fd144c7
              name: 'HTTP reachable [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.http_reachable[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: 365d
              value_type: UNSIGNED
              valuemap:
                name: SSL boolean
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.http_reachable
                - type: JAVASCRIPT
                  parameters:
                    - 'return value === true || value === "true" ? 1 : 0;'
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            - uuid: 58242f0618944f57a925a3d59c871e39
              name: 'HTTP status [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.http_status[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: 365d
              value_type: UNSIGNED
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.http_status
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            - uuid: b8475311fa4e4594bd8a4340b60b6937
              name: 'HTTP status expected [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.http_status_expected[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: 365d
              value_type: UNSIGNED
              valuemap:
                name: SSL boolean
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.http_status_expected
                - type: JAVASCRIPT
                  parameters:
                    - 'return value === true || value === "true" ? 1 : 0;'
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            - uuid: 1a3cf22a1f9a4aa6b9219fb091d2eaf1
              name: 'HTTP response time [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.http_response_time_ms[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: 365d
              value_type: UNSIGNED
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.http_response_time_ms
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            - uuid: 5ae12b7986ea485b908c9e61f49c4e9e
              name: 'HTTP HSTS [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.http_hsts[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: 365d
              value_type: UNSIGNED
              valuemap:
                name: SSL boolean
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.http_hsts
                - type: JAVASCRIPT
                  parameters:
                    - 'return value === true || value === "true" ? 1 : 0;'
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            - uuid: 91101608a78846f2b6d6c6fcce8d7648
              name: 'HTTP security headers score [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.http_security_headers_score[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: 365d
              value_type: UNSIGNED
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.http_security_headers_score
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            - uuid: df341fd63eda4d2e8dc457d3fa4d91f7
              name: 'HTTP server header [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.http_server_header[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: '0'
              value_type: TEXT
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.http_server_header
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
            # Error text extracted from the check output; no trigger uses it.
            - uuid: 8bfc3b3d13da40b2a77ac180e910eaa0
              name: 'SSL error [{#SSL_NAME}]'
              type: DEPENDENT
              key: 'ssl.error[{#SSL_HOST},{#SSL_PORT}]'
              history: 30d
              trends: '0'
              value_type: TEXT
              preprocessing:
                - type: JSONPATH
                  parameters:
                    - $.error
              master_item:
                key: 'ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]'
          # NOTE(review): the flattened source does not show the nesting level
          # of this list. It is placed at discovery-rule level because the
          # expressions reference several different item prototypes; confirm
          # against the original export.
          #
          # Every trigger evaluates last() of one dependent item. No trigger
          # dependencies are declared, so the "=0" triggers (hostname
          # mismatch, chain invalid) can fire alongside "unreachable" if the
          # script reports those fields as false/null for a failed probe.
          # The "notify" tag values (no / owner / delayed / yes) are
          # presumably matched by action conditions defined elsewhere.
          trigger_prototypes:
            - uuid: edb8b81e8f334c56890f44ff209c011e
              expression: 'last(/Template SSL Checker Relaxed/ssl.reachable[{#SSL_HOST},{#SSL_PORT}])=0'
              name: 'SSL target unreachable [{#SSL_NAME}]'
              priority: WARNING
              tags:
                - tag: scope
                  value: ssl
                - tag: owner
                  value: '{#SSL_OWNER}'
                - tag: profile
                  value: '{#SSL_PROFILE}'
                - tag: notify
                  value: delayed
            # Expiry alerting uses four non-overlapping bands on days_left:
            # [14,30) INFO, [7,14) WARNING, [2,7) AVERAGE, below 2 HIGH.
            # NOTE(review): this uuid is 33 characters long while every other
            # uuid in the export has 32; the import is expected to reject it.
            # Regenerate the value rather than guessing which character is
            # extra.
            - uuid: b6614d7a41184f5c8785e549012782cda
              expression: 'last(/Template SSL Checker Relaxed/ssl.days_left[{#SSL_HOST},{#SSL_PORT}])<30 and last(/Template SSL Checker Relaxed/ssl.days_left[{#SSL_HOST},{#SSL_PORT}])>=14'
              name: 'SSL expires within 30 days [{#SSL_NAME}]'
              priority: INFO
              tags:
                - tag: notify
                  value: 'no'
            - uuid: d049184a61514835ad9530e7e6fbc3b3
              expression: 'last(/Template SSL Checker Relaxed/ssl.days_left[{#SSL_HOST},{#SSL_PORT}])<14 and last(/Template SSL Checker Relaxed/ssl.days_left[{#SSL_HOST},{#SSL_PORT}])>=7'
              name: 'SSL expires within 14 days [{#SSL_NAME}]'
              priority: WARNING
              tags:
                - tag: notify
                  value: owner
            - uuid: 82dd7417fc32470085073ef5ed6cc671
              expression: 'last(/Template SSL Checker Relaxed/ssl.days_left[{#SSL_HOST},{#SSL_PORT}])<7 and last(/Template SSL Checker Relaxed/ssl.days_left[{#SSL_HOST},{#SSL_PORT}])>=2'
              name: 'SSL expires within 7 days [{#SSL_NAME}]'
              priority: AVERAGE
              tags:
                - tag: notify
                  value: 'yes'
            # Highest expiry band, and the only trigger that covers an expired
            # certificate; it relies on days_left still being storable.
            - uuid: 5eea97943e164f9b9b7bf42d1e7f5723
              expression: 'last(/Template SSL Checker Relaxed/ssl.days_left[{#SSL_HOST},{#SSL_PORT}])<2'
              name: 'SSL expires within 2 days [{#SSL_NAME}]'
              priority: HIGH
              tags:
                - tag: notify
                  value: 'yes'
            - uuid: 9d187f28d1dd43e9bca055333b7fb5a1
              expression: 'last(/Template SSL Checker Relaxed/ssl.hostname_match[{#SSL_HOST},{#SSL_PORT}])=0'
              name: 'SSL hostname mismatch [{#SSL_NAME}]'
              priority: HIGH
              tags:
                - tag: notify
                  value: 'yes'
            - uuid: a7dfbb0250f84d04baf634674b4dbb20
              expression: 'last(/Template SSL Checker Relaxed/ssl.chain_valid[{#SSL_HOST},{#SSL_PORT}])=0'
              name: 'SSL chain invalid [{#SSL_NAME}]'
              priority: AVERAGE
              tags:
                - tag: notify
                  value: 'yes'
            - uuid: e23bd53ed8c142ef9798e4062f97f2df
              expression: 'last(/Template SSL Checker Relaxed/ssl.self_signed[{#SSL_HOST},{#SSL_PORT}])=1'
              name: 'SSL is self-signed [{#SSL_NAME}]'
              priority: WARNING
              tags:
                - tag: notify
                  value: owner
            - uuid: fb93047326ff4bd5bed32c9783d90ce9
              expression: 'last(/Template SSL Checker Relaxed/ssl.not_yet_valid[{#SSL_HOST},{#SSL_PORT}])=1'
              name: 'SSL not yet valid [{#SSL_NAME}]'
              priority: HIGH
              tags:
                - tag: notify
                  value: 'yes'
            # Legacy protocol exposure: raised only when the probe positively
            # reports TLS 1.0 / 1.1 as supported.
            - uuid: 19c2314c9daa4326b48e5e263eb70c4c
              expression: 'last(/Template SSL Checker Relaxed/ssl.tls10_supported[{#SSL_HOST},{#SSL_PORT}])=1'
              name: 'TLS 1.0 supported [{#SSL_NAME}]'
              priority: WARNING
              tags:
                - tag: scope
                  value: tls
                - tag: notify
                  value: owner
            - uuid: 3bce8d223f0d443393f407dd0c81f444
              expression: 'last(/Template SSL Checker Relaxed/ssl.tls11_supported[{#SSL_HOST},{#SSL_PORT}])=1'
              name: 'TLS 1.1 supported [{#SSL_NAME}]'
              priority: WARNING
              tags:
                - tag: scope
                  value: tls
                - tag: notify
                  value: owner
            - uuid: b484f5ff1d974e499a8f765a8e63a7c0
              expression: 'last(/Template SSL Checker Relaxed/ssl.http_status_expected[{#SSL_HOST},{#SSL_PORT}])=0'
              name: 'HTTP status not expected [{#SSL_NAME}]'
              priority: WARNING
              tags:
                - tag: scope
                  value: http
                - tag: notify
                  value: delayed
            - uuid: 4149f1a7f8bc45aa8b6a1b9953978df5
              expression: 'last(/Template SSL Checker Relaxed/ssl.http_hsts[{#SSL_HOST},{#SSL_PORT}])=0'
              name: 'HSTS missing [{#SSL_NAME}]'
              priority: INFO
              tags:
                - tag: scope
                  value: http
                - tag: notify
                  value: 'no'
            - uuid: 7c0b3de5aec14b538df5495945c72719
              expression: 'last(/Template SSL Checker Relaxed/ssl.http_security_headers_score[{#SSL_HOST},{#SSL_PORT}])<2'
              name: 'HTTP security headers score low [{#SSL_NAME}]'
              priority: INFO
              tags:
                - tag: scope
                  value: http
                - tag: notify
                  value: 'no'
      # Display mapping for the 0/1 items above. The values are quoted so a
      # YAML parser keeps them as strings rather than numbers or booleans.
      valuemaps:
        - uuid: 7f0d5857156543cf9808cad8c3328e4d
          name: SSL boolean
          mappings:
            - value: '0'
              newvalue: 'No'
            - value: '1'
              newvalue: 'Yes'