Diffstat (limited to 'update-cfg.pl')
-rwxr-xr-x | update-cfg.pl | 144 |
1 files changed, 144 insertions, 0 deletions
diff --git a/update-cfg.pl b/update-cfg.pl
new file mode 100755
index 0000000..dadc0e8
--- /dev/null
+++ b/update-cfg.pl
@@ -0,0 +1,144 @@
+#! /usr/bin/perl -w
+
+use strict;
+
+my ($fname_in, $fname_out);
+
+if ($#ARGV != 0) {
+ &usage;
+}
+
+$fname_in = $ARGV[0];
+$fname_out = $fname_in . ".new";
+
+if (&check_ssl) {
+ print "\n'$fname_in' already has some or all of the\n";
+ print "new SSL parameters. No processing will be done.\n\n";
+ exit 0;
+}
+
+open IN, $fname_in or die "Could not open '$fname_in' for reading: $!\n";
+open OUT, ">$fname_out" or die "Could not open '$fname_out' for writing: $!\n";
+
+while (<IN>) {
+ print OUT;
+ &add_ssl if $_ =~ /allow_weak_random_seed/;
+}
+
+print "\nConfig file '$fname_in' was read.\n";
+print "The new SSL comments and parameters were added and the output written to\n";
+print "'$fname_out'\n";
+print "Please check this file for accuracy and rename it when you are satisfied.\n\n";
+
+close IN;
+close OUT;
+
+# ==========================================================================
+
+sub usage
+{
+ print "\nUsage: update-cfg.pl <path-to-nrpe.cfg-file>\n\n";
+ print "This perl script will read the nrpe configuration file\n";
+ print "specified on the command line, and write out a new file\n";
+ print "with the new SSL comments and parameters added.\n\n";
+ exit 1;
+}
+
+# --------------------------------------------------------------------------
+# check_ssl checks if the config file already has the ssl parameters
+# --------------------------------------------------------------------------
+sub check_ssl
+{
+ my $has_ssl = 0;
+
+ open IN, $fname_in or die "Could not open '$fname_in' for reading: $!\n";
+
+ while (<IN>) {
+ if ($_ =~ /ssl_version=/ or
+ $_ =~ /ssl_use_adh=/ or
+ $_ =~ /ssl_cipher_list=/ or
+ $_ =~ /ssl_cacert_file=/ or
+ $_ =~ /ssl_cert_file=/ or
+ $_ =~ /ssl_privatekey_file=/ or
+ $_ =~ /ssl_client_certs=/ or
+ $_ =~ /ssl_logging=/)
+ {
+ $has_ssl = 1;
+ last;
+ }
+ }
+
+ close IN;
+
+ return $has_ssl;
+}
+
+# --------------------------------------------------------------------------
+# add_ssl inserts the new SSL comments and parameters into the config file
+# --------------------------------------------------------------------------
+sub add_ssl
+{
+my $txt = <<"END_SSL";
+
+
+
+# SSL/TLS OPTIONS
+# These directives allow you to specify how to use SSL/TLS.
+
+# SSL VERSION
+# This can be any of: SSLv2 (only use SSLv2), SSLv2+ (use any version),
+# SSLv3 (only use SSLv3), SSLv3+ (use SSLv3 or above), TLSv1 (only use
+# TLSv1), TLSv1+ (use TLSv1 or above), TLSv1.1 (only use TLSv1.1),
+# TLSv1.1+ (use TLSv1.1 or above), TLSv1.2 (only use TLSv1.2),
+# TLSv1.2+ (use TLSv1.2 or above)
+# If an "or above" version is used, the best will be negotiated. So if both
+# ends are able to do TLSv1.2 and use specify SSLv2, you will get TLSv1.2.
+
+#ssl_version=SSLv2+
+
+# SSL USE ADH
+# This is for backward compatibility and is DEPRECATED. Set to 1 to enable
+# ADH or 2 to require ADH. 1 is currently the default but will be changed
+# in a later version.
+
+#ssl_use_adh=1
+
+# SSL CIPHER LIST
+# This lists which ciphers can be used. For backward compatibility, this
+# defaults to 'ssl_cipher_list=ALL:!MD5:\@STRENGTH' in this version but
+# will be changed to something like the example below in a later version of NRPE.
+
+#ssl_cipher_list=ALL:!MD5:\@STRENGTH
+#ssl_cipher_list=ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:\@STRENGTH
+
+# SSL Certificate and Private Key Files
+
+#ssl_cacert_file=/etc/ssl/servercerts/ca-cert.pem
+#ssl_cert_file=/etc/ssl/servercerts/nagios-cert.pem
+#ssl_privatekey_file=/etc/ssl/servercerts/nagios-key.pem
+
+# SSL USE CLIENT CERTS
+# This options determines client certificate usage.
+# Values: 0 = Don't ask for or require client certificates (default)
+# 1 = Ask for client certificates
+# 2 = Require client certificates
+
+#ssl_client_certs=0
+
+# SSL LOGGING
+# This option determines which SSL messages are send to syslog. OR values
+# together to specify multiple options.
+
+# Values: 0x00 (0) = No additional logging (default)
+# 0x01 (1) = Log startup SSL/TLS parameters
+# 0x02 (2) = Log remote IP address
+# 0x04 (4) = Log SSL/TLS version of connections
+# 0x08 (8) = Log which cipher is being used for the connection
+# 0x10 (26) = Log if client has a certificate
+# 0x20 (32) = Log details of client's certificate if it has one
+# -1 or 0xff or 0x2f = All of the above
+
+#ssl_logging=0x00
+END_SSL
+ print OUT $txt;
+}
|
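Review bot: The `open IN, $fname_in` and `open OUT, ">$fname_out"` calls at the top of the script, and the second `open IN, $fname_in` inside `check_ssl`, use the two-argument form on a path taken straight from `@ARGV`, so a name that begins with `>`, `>>` or `|`, or ends with `|`, is parsed as a mode or a command rather than a file; the three-argument form with lexical handles closes that off, e.g. `open my $in, '<', $fname_in or die "Could not open '$fname_in' for reading: $!\n";` and `open my $out, '>', $fname_out or die "Could not open '$fname_out' for writing: $!\n";`. With a lexical `$out`, the unchecked `close OUT;` should become `close $out or die "Could not close '$fname_out': $!\n";` so that a buffered write failure does not leave a truncated `.new` file that the closing message presents as complete. In the `add_ssl` heredoc, `# 0x10 (26) = Log if client has a certificate` carries the wrong decimal and should read `0x10 (16)`, since this text is copied verbatim into the user's nrpe.cfg. The shipped example `#ssl_version=SSLv2+` is also the line users will uncomment; showing `TLSv1+` there instead would match the "or above" guidance in the surrounding comment without presenting SSLv2 as an acceptable floor.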