Added new certificate health check

Deploy-Application.ps1

@@ -62,14 +62,14 @@ Try {
 	[string]$appArch = ''
 	[string]$appLang = 'EN'
 	[string]$appRevision = '01'
-	[string]$appScriptVersion = '1.0.0.1'
+	[string]$appScriptVersion = '1.0.0.2'
 	[string]$appScriptDate = '23/01/2019'
 	[string]$appScriptAuthor = 'Gardar Thorsteinsson<[email protected]>'
 	##*===============================================
 	## Variables: Install Titles (Only set here to override defaults set by the toolkit)
 	[string]$installName = 'NSClient++ Deployment'
 	[string]$installTitle = ''
-	[version]$AdagiosAgentVersion = [version]'1.0.0.1'
+	[version]$AdagiosAgentVersion = [version]'1.0.0.2'
 	## Variables: System architecture detection
 	#If([IntPtr]::Size -eq 8)
 	#{
@@ -191,7 +191,7 @@ Try {
 		## <Perform Post-Installation tasks here>
 
 		# nscp settings --path /adagios --key "adagios_agent_version" --show
-		# nscp settings --path /adagios --key "adagios_agent_version" --set "1.0.0.1"
+		# nscp settings --path /adagios --key "adagios_agent_version" --set "1.0.0.2"
 		Stop-ServiceAndDependencies -Name 'nscp'
 		Copy-File -Path "$dirSupportFiles\*.*" -Destination "$envProgramFiles\NSClient++\"
 		Copy-File -Path "$dirSupportFiles\Scripts" -Destination "$envProgramFiles\NSClient++" -Recurse

SupportFiles/adagios.ini

@@ -1,5 +1,5 @@
 ; Adagios agent configuration
 ; nscp.exe settings --path /adagios --key "adagios_agent_version" --show
-; nscp.exe settings --path /adagios --key "adagios_agent_version" --set "1.0.0.1"
+; nscp.exe settings --path /adagios --key "adagios_agent_version" --set "1.0.0.2"
 [/adagios]
-adagios_agent_version = 1.0.0.1
+adagios_agent_version = 1.0.0.2

SupportFiles/nsclient.ini

@@ -178,7 +178,6 @@ alias_windows_services = check_service "filter=start_type in ('auto')" "top-synt
 ; default - Alias for default. To configure this item add a section called: /settings/external scripts/alias/default
 default = 
 
-
 ; A list of scripts available to run from the CheckExternalScripts module. Syntax is: <command>=<script> <arguments>
 [/settings/external scripts/scripts]
 get_disks=scripts/df.exe -b -r
@@ -204,6 +203,10 @@ check_hp_smartarray = okconfig\check_hp_smartarray\check_hp_smartarray.ps1 -Blac
 check_hpacucli = okconfig\check_hp_smartarray\check_hp_smartarray.ps1 -Blacklist "Nothing"
 ; This can be used instead of check_hpacucli
 check_hpraid=hpraid.ps1
+; Check DHCP scopes health
+check_dhcp_scopes = okconfig\check_dhcp\check_dhcp_scopes.ps1 -Warning $ARG1$ -Critical $ARG2$
+; Check Azure AD Connect Sync
+check_azureadconnectsync = okconfig\check_azureadconnectsync\check_azureadconnectsync.ps1
 
 ; A list of templates for wrapped scripts
 [/settings/external scripts/wrappings]

SupportFiles/scripts/okconfig/check_azureadconnectsync/check_azureadconnectsync.ps1

@@ -0,0 +1,58 @@
+<#
+.SYNOPSIS
+	Check Azure AD Connect Sync.
+.DESCRIPTION
+	Check Azure AD Connect Sync status and returns Nagios output and code.
+.PARAMETER Hours
+	Hours since the last synchronization.
+	Default: 3
+.OUTPUTS
+	OK: Azure AD Connect Sync sync cycle enabled and not synced within last -Hours.
+	WARNING: Azure AD Connect Sync sync cycle enabled and not synced within last -Hours.
+	CRITICAL: Azure AD Connect Sync sync cycle not enabled.
+.NOTES 
+	Author:	Juan Granados 
+	Date:	January 2018
+#>
+Param(	
+	[Parameter(Mandatory=$false,Position=0)] 
+	[ValidateNotNullOrEmpty()]
+	[int]$Hours=3
+)
+
+$Output = ""
+$ExitCode = 0
+
+$pingEvents = Get-EventLog -LogName "Application" -Source "Directory Synchronization" -InstanceId 654  -After (Get-Date).AddHours(-$($Hours)) -ErrorAction SilentlyContinue |
+	Sort-Object { $_.Time } -Descending
+if ($pingEvents -ne $null) {
+	$Output = "Latest heart beat event (within last $($Hours) hours). Time $($pingEvents[0].TimeWritten)."
+}
+else{
+	$Output = "No ping event found within last $($Hours) hours."
+	$ExitCode = 1
+}
+
+$ADSyncScheduler = Get-ADSyncScheduler
+If (!$ADSyncScheduler.SyncCycleEnabled){
+	$ExitCode = 2
+}
+
+If ($ADSyncScheduler.StagingModeEnabled){
+	$Output = "Server is in stand by mode. $($Output)"
+}
+Else{
+	$Output = "Server is in active mode. $($Output)"
+}
+
+If ($ExitCode -eq 0){
+	Write-Host "OK: Azure AD Connect Sync is up and running. $($Output)"
+}
+ElseIf($ExitCode -eq 1){
+	Write-Host "WARNING: Azure AD Connect Sync is enabled, but not syncing. $($Output)"
+}
+ElseIf($ExitCode -eq 2){
+	Write-Host "CRITICAL: Azure AD Connect Sync is disabled. $($Output)"
+}
+
+$Host.SetShouldExit($ExitCode)

SupportFiles/scripts/okconfig/check_certificate/CertificateHealth.psm1

@@ -0,0 +1,34 @@
+# Source all ps1 scripts in current directory.
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | foreach {. $_.FullName}
+
+<# Making Parent Functions Available
+Export-ModuleMember -Function Get-CertificateFile
+Export-ModuleMember -Function Get-CertificateHealth
+Export-ModuleMember -Function Get-UnhealthyCertificate
+Export-ModuleMember -Function Get-UnhealthyCertificateNagios
+#>
+
+<# Get Excluded certificate thumbprints if present
+ If you have a list of certificate thumbprints you want to exclude from the checks
+ put them in a ExcludedThumbprint.txt in the root of the module. Format of the
+ text file is one thumbprint per line.
+ The variable is scoped globally so that it can be used with various functions
+ in the module. Specify the variable by name $ExcludedThumbprint when calling
+ the functions.
+
+ Example:
+ Get-UnhealthyCertificate -ExcludedThumbprint $ExcludedThumbprint
+#>
+
+$ExcludedThumbprintFilePath = "$PSScriptRoot\ExcludedThumbprint.txt"
+if (Test-Path $ExcludedThumbprintFilePath) {
+
+    # Exporting variable to global scope to be used with module.
+    $global:ExcludedThumbprint = Get-Content -Path $ExcludedThumbprintFilePath
+
+    # Setting default parameter.
+    if ($PSVersionTable.PSVersion.Major -ge 3) {
+        $PSDefaultParameterValues.remove("*:ExcludedThumbprint")
+        $PSDefaultParameterValues.Add("Get-UnhealthyCertificate:ExcludedThumbprint",$ExcludedThumbprint)
+        }
+    }

SupportFiles/scripts/okconfig/check_certificate/ExcludedThumbprint-example.txt

@@ -0,0 +1,2 @@
+DFE816240B40151BBCD7529D4C55627A8CE1671C
+9FE90CA8A4138F65E9E2C67D1F37B9D5B9919384

SupportFiles/scripts/okconfig/check_certificate/Get-CertificateFile.ps1

@@ -0,0 +1,166 @@
+<#
+.Synopsis
+   Get certificate files from a specified path or paths and
+   return an object of the certificate including File name, Subject name,
+   the signature algorithm used, validity dates, and thumbprint.
+.DESCRIPTION
+   Get certificate files from a specified path or paths and
+   return an object of the certificate including file name, subject name,
+   the signature algorithm used, validity dates, and thumbprint. The 
+   script requires the certutil.exe to read the certificate files
+   and parse the text output.
+
+   Certificates in the file system used by applications may need to
+   be monitored and checked for expiriation as well as deprecated 
+   cipher suites/signature algorithm (i.e. sha1, md5). 
+.NOTES
+   Created by: Jason Wasser @wasserja
+   Modified Date: 10/12/2015 10:56:05 AM 
+
+   Changelog:
+   * Version 1.2
+        * Added Key size property
+   * Version 1.1
+        * Fixes to work with PowerShell 2.0
+   * Version 1.0
+        * Initial Script
+.EXAMPLE
+   Get-CertificateFile
+   Outputs a list of certificate files in the current path.
+.EXAMPLE
+   Get-CertificateFile -Path c:\temp
+   Outputs a list of certificate files from c:\temp.
+.EXAMPLE
+   Get-CertificateFile -Path C:\inetpub -Recurse
+   Outputs a list of certificate files from c:\inetpub including subdirectories.
+.LINK
+   https://gallery.technet.microsoft.com/scriptcenter/Certificate-Health-b646aeff
+#>
+function Get-CertificateFile
+{
+    [CmdletBinding()]
+    Param
+    (
+        [Parameter(ValueFromPipeline=$true)]
+        [string[]]$Path = '.',
+        [string]$CertUtilPath = 'C:\Windows\System32\certutil.exe',
+        [string[]]$CertificateFileType = ('*.cer','*.crt','*.p7b'),
+        [switch]$Recurse = $false
+    )
+
+    Begin
+    {
+    }
+    Process
+    {
+        foreach ($CertPath in $Path) {
+
+            # Gather certificates from the $CertPath
+            if (Test-Path -Path $CertPath) {
+
+                Write-Verbose "$CertPath exists. Checking for certificate files."
+
+                # Get certificate files from a supplied path. Currently requires a folder. 
+                $Certificates = Get-ChildItem -Path $CertPath\* -Include $CertificateFileType -Recurse:([bool]$Recurse.IsPresent)
+                if ($Certificates) {
+                    foreach ($Certificate in $Certificates) {
+                        Write-Verbose "Found $Certificate"
+
+                        # Certificate Dump using certutil.exe
+                        $CertificateDump = Invoke-Expression -Command "$CertUtilPath -dump '$($Certificate.fullname)'"
+
+                        # Certificate NotBefore
+                        Write-Verbose 'Getting NotBefore time stamp.'
+                        if ([bool]($CertificateDump | Select-String -Pattern 'NotBefore')) { 
+                            $NotBefore = [datetime]($CertificateDump | Select-String -Pattern 'NotBefore' | Select-Object -First 1).ToString().Split(':',2)[1].Trim()
+                            Write-Verbose "NotBefore $NotBefore"
+                            }
+                        else {
+                            $NotBefore = $null
+                            Write-Verbose "NotBefore $NotBefore"
+                            }
+
+                        # Certificate NotAfter
+                        Write-Verbose 'Getting NotAfter time stamp.'
+                        if ([bool]($CertificateDump | Select-String -Pattern 'NotAfter')) {
+                            $NotAfter = [datetime]($CertificateDump | Select-String -Pattern 'NotAfter' | Select-Object -First 1).ToString().Split(':',2)[1].Trim()
+                            Write-Verbose "NotAfter $NotAfter"
+                            $Days = ($NotAfter - (Get-Date)).Days
+                            Write-Verbose "Days $Days"
+                            }
+                        else {
+                            $NotAfter = $null
+                            Write-Verbose "NotAfter $NotAfter"
+                            $Days = $null
+                            Write-Verbose "Days $Days"
+                            }
+
+                        # Certificate Subject 
+                        $Subject = ($CertificateDump | Select-String -Pattern 'CN=' | Select-Object -First 1).ToString().TrimStart()
+                        Write-Verbose "Subject $Subject"
+
+                        # Certificate Signature Algorithm
+                        $Signaturealgorithm = ($CertificateDump | Select-String -Pattern 'Signature Algorithm' -Context 0,1 | Select-Object -First 1).tostring().trim().Split(' ')[11] 
+                        Write-Verbose "SignatureAlgorithm $Signaturealgorithm"
+
+                        # Certificate Thumbprint
+                        if (($CertificateDump | Select-String -SimpleMatch 'Cert Hash(sha1)')) {
+                            $Thumbprint = ($CertificateDump | Select-String -SimpleMatch 'Cert Hash(sha1)' | Select-Object -First 1).ToString().split(':')[1].trim() -replace ' ',''
+                            Write-Verbose "Thumbprint $Thumbprint"
+                            }
+
+                        # Certificate Key Length
+                        if (($CertificateDump | Select-String 'Public Key Length')) {
+                            $KeySize = [int]($CertificateDump | Select-String -Pattern 'Public Key Length' | Select-Object -First 1).tostring().trim().split(':')[1].split(' ')[1]
+                            Write-Verbose "Keysize $KeySize"
+                            }
+
+                        # Custom object property hash table
+                        if ($PSVersionTable.PSVersion.Major -lt 3) {
+                            $CertificateProperties = @{
+                                FileName           = $Certificate.FullName
+                                Subject            = $Subject
+                                SignatureAlgorithm = $SignatureAlgorithm
+                                NotBefore          = $NotBefore
+                                NotAfter           = $NotAfter
+                                Days               = $Days
+                                Thumbprint         = $Thumbprint
+                                KeySize            = $KeySize
+                                }
+                            }
+                        else {
+                            $CertificateProperties = [ordered]@{
+                                FileName           = $Certificate.FullName
+                                Subject            = $Subject
+                                SignatureAlgorithm = $SignatureAlgorithm
+                                NotBefore          = $NotBefore
+                                NotAfter           = $NotAfter
+                                Days               = $Days
+                                Thumbprint         = $Thumbprint
+                                KeySize            = $KeySize
+                                }
+                            }
+
+                        $objCertificate = New-Object PSObject -Property $CertificateProperties
+                        if ($PSVersionTable.PSVersion.Major -lt 3) {
+                            $objCertificate | Select-Object FileName,Subject,SignatureAlgorithm,NotBefore,NotAfter,Days,Thumbprint,KeySize
+                            }
+                        else {
+                            $objCertificate
+                            }
+                        }
+                    }
+                else {
+                    Write-Verbose "No certificates found in $CertPath"
+                    }
+                }
+            else {
+                Write-Error "Unable to access $CertPath"
+                }
+            }
+    }
+    End
+    {
+    }
+}
+