Tag Archives: bash

Certificates, Monitoring, Script, Tools, Zabbix

Zabbix Monitor CRL for renewal

Leave a comment

Operating an offline Certificate Authority (CA) requires meticulous management of the Certificate Revocation List (CRL), which must be periodically updated to maintain security integrity. Relying on calendar reminders to track CRL expiration is prone to human error, potentially resulting in an expired CRL that disrupts validation processes. While not critical, an expired CRL can cause operational issues and should be proactively avoided. A more robust solution is to leverage Zabbix for automated monitoring and alerting of CRL expiration dates.

To implement this, deploy the accompanying script into the externalscripts directory on your Zabbix Server or Proxy—typically located at:

/usr/lib/zabbix/externalscripts

This enables Zabbix to regularly check CRL status and send timely notifications, ensuring uninterrupted certificate validation.

#!/usr/bin/env bash

url=$1

if [ -z $url ];
then

echo "Parameter1 for URL missing!"
exit 1
fi


if [[ $(curl -s -o /dev/null -w "%{http_code}" http://pki.forensik.justiz.gv.at/ForensikRootCA.crl) -ne 200 ]];
then
echo "URL does not return a valid return-code"
exit 1
fi


timestamp=$(openssl crl -in $url -noout -nextupdate | cut -d= -f2 | xargs -I{} date -d "{}" +%s)

echo $timestamp

Template example:

<?xml version="1.0" encoding="UTF-8"?>
<zabbix_export>
    <version>7.0</version>
    <template_groups>
        <template_group>
            <uuid>d425d61f4e974282812817affe7836b2</uuid>
            <name>FAWCS Templates</name>
        </template_group>
    </template_groups>
    <templates>
        <template>
            <uuid>4d00efa818484e048020a73a2331c9b9</uuid>
            <template>Monitor_CRL_for_next_Update</template>
            <name>Monitor_CRL_for_next_Update</name>
            <groups>
                <group>
                    <name>FAWCS Templates</name>
                </group>
            </groups>
            <items>
                <item>
                    <uuid>b09fc8a561934a768bc100290f4832f1</uuid>
                    <name>Root-CA - CRL ExpirationDate</name>
                    <type>EXTERNAL</type>
                    <key>checkCRL.sh[http://address.to/your/RootCA.crl]</key>
                    <delay>1d</delay>
                    <units>unixtime</units>
                    <description>Uses a shell script to get the timestamp of a CRLs nextupdatedate (CRL should be a http-address</description>
                    <tags>
                        <tag>
                            <tag>CRL</tag>
                        </tag>
                    </tags>
                    <triggers>
                        <trigger>
                            <uuid>1ba5a78e5eaf4ed9b3a14d1b88321d5a</uuid>
                            <expression>last(/Monitor_CRL_for_next_Update/checkCRL.sh[http://address.to/your/RootCA.crl],#1)&lt;(now()+3600*24*7)</expression>
                            <name>CRL Update Required in 7d</name>
                            <priority>DISASTER</priority>
                            <description>CRL needs to be updated in the next 7d!</description>
                        </trigger>
                        <trigger>
                            <uuid>8985748a1b9542f2879915941e36a009</uuid>
                            <expression>last(/Monitor_CRL_for_next_Update/checkCRL.sh[http://address.to/your/RootCA.crl],#1)&lt;(now()+3600*24*15)</expression>
                            <name>CRL Update Required in 15d</name>
                            <priority>HIGH</priority>
                            <description>CRL needs to be updated in the next 15d!</description>
                        </trigger>
                        <trigger>
                            <uuid>85ece5ff79654f6e82b757d5e72cd143</uuid>
                            <expression>last(/Monitor_CRL_for_next_Update/checkCRL.sh[http://address.to/your/RootCA.crl],#1)&lt;(now()+3600*24*30)</expression>
                            <name>CRL Update Required in 30d</name>
                            <priority>AVERAGE</priority>
                            <description>CRL needs to be updated in the next 30d!</description>
                        </trigger>
                    </triggers>
                </item>
            </items>
        </template>
    </templates>
</zabbix_export>

example
Linux, Script

Nerdfonts in zsh for exa

Leave a comment

After switching to exa as an ls-replacement i also wanted to make use of the nerd-font support ho have icons displayed for files.

alias etree='exa --color --tree --icons=always'

However, in reality the fonts never looked the same in my terminal as in the web preview

So, to easy things up (getting the zip, unzipping it in ~/.local/share/fonts and updateing the fonts-cache) there is a little function which can be placed in the .zshrc/.bashrc to automate things.

#Function to install NerdFonts
function install_nerdfont()
{
	if [ -not $1 ];
	then	
		echo -e "\e[91mParameter missing!\e[0m"
	fi

	cd ~/.local/share/fonts
	wget $1
	unzip -u *.zip
	rm *.zip
	fc-cache -fv	
	cd -

}

Once executed with the download-URL as a paremeter, the font will be installed to your home directory.

If the fonts should be installed system-wide, this can be archived by placing them in /usr/local/share/fonts (folder might needs to be created if it does not exist).

Once the fonts are installed – the terminal-profile must be configured to use the newly installed fonts and that’s it.

Linux, Tools

Bash – Monitor directory size for change

Leave a comment

A simple bash-script to easily monitor if a directory has grown or shrunk in size:

while [ 1 ]; do result=$(du -s * | egrep "bitcoin-0.21.1$"); echo -e "\e[95m$result\e[0m"; curSize=$(echo $result | cut -d" " -f1); if [ $curSize -lt $oldSize ]; then echo -e
 "\e[92mShrunk: $curSize\e[0m"; else echo -e "\e[91mGrown: $curSize\e[0m"; fi; oldSize=$curSize; sleep 5; done

Script needs to be executed in the parrent directory of the monitored dir and directory name must be adapted: bitcoin-0.21.1$ -> to whatever you want to grep for

Linux, Security, Tools

Get CVE information from NIST NVD and RHEL

Leave a comment

Just two littel scripts that come handy if you want to download all the CVE info in JSON format for offline use.

[pastacode lang=”bash” manual=”%23!%2Fbin%2Fbash%0Aurls%3D%24(curl%20https%3A%2F%2Fnvd.nist.gov%2Fvuln%2Fdata-feeds%23JSON_FEED%20%7C%20grep%20’https%3A%2F%2F’%20%7C%20grep%20-i%20json.gz%20%7C%20sed%20’s%2F.*href%3D%2F%2Fg’%20%7C%20cut%20-d%5C’%20%20-f2)%0A%0Amkdir%20-p%20.%2FnistNvdJson%0Acd%20nistNvdJson%0Afor%20l%20in%20%24urls%3B%0Ado%0Awget%20%24l%0Adone%0Agunzip%20*%0A” message=”Donwload NIST NVD CVEs in JSON” highlight=”” provider=”manual”/]

 

[pastacode lang=”bash” manual=”%23!%2Fbin%2Fbash%0A%0A%0AloopVar%3D1%0AdataDir%3D%22rhelCveData%22%0Amkdir%20%24dataDir%20-p%0Aecho%20%22getting%20data%3A%22%0AT%3D%22%24(date%20%2B%25s)%22%0Awhile%20%5B%5B%20%24loopVar%20-ne%200%20%5D%5D%3B%0Ado%0A%20%20%20%20%20%20%20%20echo%20-n%20%22-%24loopVar-%20%22%0A%20%20%20%20%20%20%20%20data%3D%24(curl%20-s%20https%3A%2F%2Faccess.redhat.com%2Flabs%2Fsecuritydataapi%2Fcve.json%3Fpage%3D%24loopVar)%0A%20%20%20%20%20%20%20%20if%20%5B%5B%20%22%24data%22%20%3D%3D%20%22%5B%5D%22%20%5D%5D%3B%20then%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20loopVar%3D0%0A%20%20%20%20%20%20%20%20else%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20toFile%3D%24toFile%24%7Bdata%3A1%3A-1%7D%22%2C%20%22%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20let%20loopVar%3DloopVar%2B1%0A%20%20%20%20%20%20%20%20fi%0Adone%0AT%3D%22%24((%24(date%20%2B%25s)-T))%22%0Aecho%20%22%5B%24%7BtoFile%3A%3A-2%7D%5D%22%20%3E%3E%20%22%24dataDir%2FrhelCve.json%22%0Ased%20-i%20’s%2F%5E%5C%5B%5C%5D%24%2F%2Fg’%20%22%24dataDir%2FrhelCve.json%22%0Aprintf%20%22Got%20data%20in%3A%20%2502dd%3A%2502dh%3A%2502dm%3A%2502ds%5Cn%22%20%22%24((T%2F86400))%22%20%22%24((T%2F3600%2524))%22%20%22%24((T%2F60%2560))%22%20%22%24((T%2560))%22%0A” message=”Get CVE infos for RHEL” highlight=”” provider=”manual”/]

 

Additional information:
If you query the NIST NVD Data and search for RHEL CPEs you won’t get a lot of hits as only a smal percentage of the CVEs that affect Red Hat software has the correct CPE attached. However – NIST NVD is nice to have because in the Red Hat CVEs only the total CVSS score is listed but no detailed vulnerability metrics are included.