There is a great plugin for Nagios to do signature verification.

http://dns.measurement-factory.com/tools/nagios-plugins/check_zone_rrsig_expiration.html

$ cd /usr/local/libexec/nagios

Grab a copy from our local repository:

$ sudo fetch http://noc.ws.nsrc.org/downloads/check_zone_rrsig_expiration

Make the plugin executable:

$ sudo chmod +x check_zone_rrsig_expiration

Test manually that the plugin works:

$ ./check_zone_rrsig_expiration -Z MYTLD -W 120 -C 60

OK, now we're going to create a Nagios command to use the plugin:

$ cd /usr/local/etc/nagios/objects

$ sudo vi commands.cfg

Add the following lines:

- - - - - - - - - - - - copy below - - - - - - - - - - - -

# The command_line below is one long line, not two!

define command {
    command_name    check-zone-rrsig
    command_line    /usr/local/libexec/nagios/check_zone_rrsig_expiration -Z $HOSTADDRESS$ -W 90 -C 60
}

- - - - - - - - - - - - copy above - - - - - - - - - - - -


Save the file, and now we're going to create a "Host" - in reality,
it's our zone, but we make Nagios believe it's testing a machine.
Because the host definition has no address directive, $HOSTADDRESS$
expands to the host_name, which is the zone name passed to -Z:

$ sudo vi /usr/local/etc/nagios/objects/dns-servers.cfg


- - - - - - - - - - - - copy below - - - - - - - - - - - -

## Define new service for checking signatures!

define service {
    use                    generic-service
    hostgroup_name         my-zones            ; The group using this service
    service_description    DNS RRSIG           ; The name of our service
    check_command          check-zone-rrsig    ; Command to check the signatures
}

# Host group for zones

define hostgroup {
    hostgroup_name    my-zones    ; Our new hostgroup
    members           MYDOMAIN    ; The zones ("hosts") - replace!
}

# Zone 'phil'

define host {
    use                   generic-host
    max_check_attempts    3
    contact_groups        admins
    host_name             MYDOMAIN    ; replace with your zone!
}

- - - - - - - - - - - - copy above - - - - - - - - - - - -

Now, time to verify that the Nagios configuration works:

$ sudo nagios -v /usr/local/etc/nagios/nagios.cfg

Check that there are no errors!

Time to restart Nagios:

$ sudo service nagios restart

Go to the web interface, and check the services!

http://10.10.X.1/nagios/
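
The threshold logic that the -W and -C options drive, as an added example (not the plugin's code and not part of the original exercise). It assumes both thresholds are in days, runs on a constructed dig-style answer for the placeholder zone example.test, and reports on the signature that expires soonest; SAMPLE_ANSWER, parse_rrsigs and check_expiration are hypothetical names.

```python
"""Added example: RRSIG-expiry threshold logic (not the plugin's own code)."""
import re
from datetime import datetime, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes

# Constructed sample in `dig +dnssec` presentation format (signature data shortened).
SAMPLE_ANSWER = """\
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 2024010101 7200 3600 1209600 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20240401000000 20240101000000 12345 example.test. AbCd==
example.test. 3600 IN RRSIG NS 8 2 3600 20240215000000 20240101000000 12345 example.test. EfGh==
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20240601000000 20240101000000 54321 example.test. IjKl==
"""

# Fields: owner TTL class RRSIG type-covered alg labels orig-ttl expiration inception keytag signer
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+\d+\s+\S+")

def parse_rrsigs(text):
    """Return (owner, type_covered, expiration) for each RRSIG line; times are UTC."""
    out = []
    for line in text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if m:
            exp = datetime.strptime(m.group(3), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            out.append((m.group(1), m.group(2), exp))
    return out

def check_expiration(text, warn_days, crit_days, now):
    """Map the soonest-expiring signature to a Nagios status code and message."""
    sigs = parse_rrsigs(text)
    if not sigs:
        return UNKNOWN, "UNKNOWN: no RRSIG records found (zone unsigned or query failed)"
    owner, covered, exp = min(sigs, key=lambda s: s[2])
    days_left = (exp - now).total_seconds() / 86400
    if days_left < 0:  # already expired: validating resolvers will reject this RRset
        return CRITICAL, f"CRITICAL: {owner} {covered} signature expired {-days_left:.1f} days ago"
    if days_left < crit_days:
        status, label = CRITICAL, "CRITICAL"
    elif days_left < warn_days:
        status, label = WARNING, "WARNING"
    else:
        status, label = OK, "OK"
    return status, f"{label}: {owner} {covered} signature expires in {days_left:.1f} days"

if __name__ == "__main__":
    fixed_now = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed clock for the sample
    print(check_expiration(SAMPLE_ANSWER, warn_days=90, crit_days=60, now=fixed_now)[1])
```

With the sample data and the 90/60 thresholds from commands.cfg, the NS signature has 36 days left and the result is CRITICAL, which shows why -W and -C need to sit below the zone's normal signature lifetime and above its re-signing interval.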