Diffstat (limited to '')
-rwxr-xr-xupdate-cfg.pl144
1 files changed, 144 insertions, 0 deletions
diff --git a/update-cfg.pl b/update-cfg.pl
new file mode 100755
index 0000000..dadc0e8
--- /dev/null
+++ b/update-cfg.pl
@@ -0,0 +1,144 @@
+#! /usr/bin/perl -w
+
+use strict;
+
+my ($fname_in, $fname_out);
+
+if ($#ARGV != 0) {
+ &usage;
+}
+
+$fname_in = $ARGV[0];
+$fname_out = $fname_in . ".new";
+
+if (&check_ssl) {
+ print "\n'$fname_in' already has some or all of the\n";
+ print "new SSL parameters. No processing will be done.\n\n";
+ exit 0;
+}
+
+open IN, $fname_in or die "Could not open '$fname_in' for reading: $!\n";
+open OUT, ">$fname_out" or die "Could not open '$fname_out' for writing: $!\n";
+
+while (<IN>) {
+ print OUT;
+ &add_ssl if $_ =~ /allow_weak_random_seed/;
+}
+
+print "\nConfig file '$fname_in' was read.\n";
+print "The new SSL comments and parameters were added and the output written to\n";
+print "'$fname_out'\n";
+print "Please check this file for accuracy and rename it when you are satisfied.\n\n";
+
+close IN;
+close OUT;
+
+# ==========================================================================
+
+sub usage
+{
+ print "\nUsage: update-cfg.pl <path-to-nrpe.cfg-file>\n\n";
+ print "This perl script will read the nrpe configuration file\n";
+ print "specified on the command line, and write out a new file\n";
+ print "with the new SSL comments and parameters added.\n\n";
+ exit 1;
+}
+
+# --------------------------------------------------------------------------
+# check_ssl checks if the config file already has the ssl parameters
+# --------------------------------------------------------------------------
+sub check_ssl
+{
+ my $has_ssl = 0;
+
+ open IN, $fname_in or die "Could not open '$fname_in' for reading: $!\n";
+
+ while (<IN>) {
+ if ($_ =~ /ssl_version=/ or
+ $_ =~ /ssl_use_adh=/ or
+ $_ =~ /ssl_cipher_list=/ or
+ $_ =~ /ssl_cacert_file=/ or
+ $_ =~ /ssl_cert_file=/ or
+ $_ =~ /ssl_privatekey_file=/ or
+ $_ =~ /ssl_client_certs=/ or
+ $_ =~ /ssl_logging=/)
+ {
+ $has_ssl = 1;
+ last;
+ }
+ }
+
+ close IN;
+
+ return $has_ssl;
+}
+
+# --------------------------------------------------------------------------
+# add_ssl inserts the new SSL comments and parameters into the config file
+# --------------------------------------------------------------------------
+sub add_ssl
+{
+my $txt = <<"END_SSL";
+
+
+
+# SSL/TLS OPTIONS
+# These directives allow you to specify how to use SSL/TLS.
+
+# SSL VERSION
+# This can be any of: SSLv2 (only use SSLv2), SSLv2+ (use any version),
+# SSLv3 (only use SSLv3), SSLv3+ (use SSLv3 or above), TLSv1 (only use
+# TLSv1), TLSv1+ (use TLSv1 or above), TLSv1.1 (only use TLSv1.1),
+# TLSv1.1+ (use TLSv1.1 or above), TLSv1.2 (only use TLSv1.2),
+# TLSv1.2+ (use TLSv1.2 or above)
+# If an "or above" version is used, the best will be negotiated. So if both
+# ends are able to do TLSv1.2 and use specify SSLv2, you will get TLSv1.2.
+
+#ssl_version=SSLv2+
+
+# SSL USE ADH
+# This is for backward compatibility and is DEPRECATED. Set to 1 to enable
+# ADH or 2 to require ADH. 1 is currently the default but will be changed
+# in a later version.
+
+#ssl_use_adh=1
+
+# SSL CIPHER LIST
+# This lists which ciphers can be used. For backward compatibility, this
+# defaults to 'ssl_cipher_list=ALL:!MD5:\@STRENGTH' in this version but
+# will be changed to something like the example below in a later version of NRPE.
+
+#ssl_cipher_list=ALL:!MD5:\@STRENGTH
+#ssl_cipher_list=ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:\@STRENGTH
+
+# SSL Certificate and Private Key Files
+
+#ssl_cacert_file=/etc/ssl/servercerts/ca-cert.pem
+#ssl_cert_file=/etc/ssl/servercerts/nagios-cert.pem
+#ssl_privatekey_file=/etc/ssl/servercerts/nagios-key.pem
+
+# SSL USE CLIENT CERTS
+# This options determines client certificate usage.
+# Values: 0 = Don't ask for or require client certificates (default)
+# 1 = Ask for client certificates
+# 2 = Require client certificates
+
+#ssl_client_certs=0
+
+# SSL LOGGING
+# This option determines which SSL messages are send to syslog. OR values
+# together to specify multiple options.
+
+# Values: 0x00 (0) = No additional logging (default)
+# 0x01 (1) = Log startup SSL/TLS parameters
+# 0x02 (2) = Log remote IP address
+# 0x04 (4) = Log SSL/TLS version of connections
+# 0x08 (8) = Log which cipher is being used for the connection
+# 0x10 (26) = Log if client has a certificate
+# 0x20 (32) = Log details of client's certificate if it has one
+# -1 or 0xff or 0x2f = All of the above
+
+#ssl_logging=0x00
+END_SSL
+ print OUT $txt;
+}
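Review bot: All three `open` calls (the two at top level and the one in `check_ssl`) use the two-argument form on a name taken directly from `$ARGV[0]`, so mode characters at the start or end of the argument are interpreted by Perl rather than treated as part of the path. This script is presumably run with elevated privileges against nrpe.cfg, so use the three-argument form: `open IN, '<', $fname_in or die ...` and `open OUT, '>', $fname_out or die ...`. The result of `close OUT` is also unchecked and the success messages are printed before it, so a failed write (for example a full disk) is still reported as success; do `close OUT or die "Could not write '$fname_out': $!\n";` first and print the summary afterwards. Separately, the SSL LOGGING table in the `add_ssl` heredoc ends up in a config file operators will read, and it has `0x10 (26)` where the decimal is 16, and lists `0x2f` as "all of the above" although the OR of the six flags shown is `0x3f`.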