summaryrefslogtreecommitdiffstats
path: root/doc/04-Scanning.md
blob: 608d18ab87b134b33497fbf6bef0122e9787959f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
# <a id="Scanning"></a>Scanning

The Icinga Certificate Monitoring provides CLI commands to scan **hosts** and **IPs** in various ways.
These commands are listed below and can be used individually. It is necessary for all commands to know which IP address
ranges and ports to scan. These can be configured as described [here](03-Configuration.md#configure-jobs).

## Scan Command

The scan command, scans targets to find their X.509 certificates and track changes to them.
A **target** is an **IP-port** combination that is generated from the job configuration, taking into account configured
[**SNI**](03-Configuration.md#server-name-indication) maps, so that targets with multiple certificates are also properly
scanned.

By default, successive calls to the scan command perform partial scans, checking both targets not yet scanned and
targets whose scan is older than 24 hours, to ensure that all targets are rescanned over time and new certificates
are collected. This behavior can be customized through the command [options](#usage-1).

> **Note**
>
> When rescanning due targets, they will be rescanned regardless of whether the target previously provided a certificate
> or not, to collect new certificates, track changed certificates, and remove decommissioned certificates.

### Usage

This scan command can be used like any other Icinga Web cli operations like this: `icingacli x509 scan [OPTIONS]`

**Options:**

```
--job=<name>                Scan targets that belong to the specified job. (Required)
--since-last-scan=<time>    Scan targets whose last scan is older than the spcified date/time, which can also be an
                            English textual datetime description like "2 days". Defaults to "-24 hours".
--rescan                    Rescn only targets that have been scanned before.
--full                      (Re)scan all known and unknown targets. This will override the "rescan" and "since-last-scan" options.
--parallel=<number>         Allow parallel scanning of targets up to the specified number. Defaults to 256.
                            May cause **too many open files** error if set to a number higher than the configured one (ulimit).
```

#### Example

Scan all targets that have not yet been scanned, or whose last scan is older than a certain date/time:
```
# icingacli x509 scan --job <name> --since-last-scan '3 days'
```

Scan only **unknown** targets:
```
# icingacli x509 scan --job <name> --since-last-scan=null
```

Scan only known targets:
```
# icingacli x509 scan --job <name> --rescan
```

Scan only known targets whose last scan is older than certain a given date/time:
```
# icingacli x509 scan --job <name> --rescan --since-last-scan '5 days'
```

Scan all known and unknown targets:
```
# icingacli x509 scan --job <name> --full
```

## Scheduling Jobs

The jobs command is similar to the [scan command](#scan-command), but it additionally allows you to schedule your jobs
in a more convenient way. This is used by the default `systemd` service of this module as well. By default, this command
will run all your configured jobs based on their frequency. This behaviour can be customized through the command options
too. Since you can have multiple schedules for a single job, all job schedules can also be scheduled individually.

### Usage

This scan command can be used like any other Icinga Web cli operations like this: `icingacli x509 jobs run [OPTIONS`

**Options:**

```
--job=<name>            Run all configured schedules only of the specified job.
--schedule=<name>       Run only the given schedule of the specified job.
                        Providing a schedule name without a job will fail immediately.
--parallel=<number>     Allow parallel scanning of targets up to the specified number. Defaults to 256.
                        May cause **too many open files** error if set to a number higher than the configured one (ulimit).
```