check_xs, Random Monitoring Check Plugins

This is a collection of opinionated monitoring check plugins designed for use with Nagios, Icinga, and similar systems. The aim is not to provide a complete collection of plugins, but rather to fill specific gaps that I personally need.

Plugins

The following plugins are available, all bundled into one single binary.

• by_ssh: Execute a remote check via SSH.
• geohash: Distance to nearby xkcd Geohashes and Globalhashes.
• openbsd_checkrestart: Check services to be restarted on OpenBSD.
• openbsd_updates: Syspatches and port updates on OpenBSD.
• restic: Checks the age of last local restic backup.
• ssh_key_confirm: Verify SSH login is possible on another host via a public key.
• whois_expiry: Domain expiration date from whois.

Usage And Documentation

The check_xs binary comes a small -help output, providing enough information to get you started.

• check_xs -help for an overview of the plugins and options and
• check_xs $PLUGIN -help for a plugin-specific overview.

Furthermore, there is an extensive man page with more details. It can be generated via check_xs -scdoc and pipeing the output into scdoc(1).

$ ./check_xs -scdoc | scdoc | mandoc | less

A prebuilt man page is also available for each release.

Build And Install

The only requirement is a recent version of Go, equal to or greater than the one specified in the go.mod file. After cloning this git repository, you can compile the check plugin.

go build

The plugin installation depends on your monitoring setup. On some systems, all check plugins are located within /usr/local/libexec/nagios/, but this may vary.

In addition, pre-built binaries are available here on Codeberg for each tagged release. Since this is my personal playground, I am building binaries only for architectures I target. However, this can be changed.

Each released binary is signed with my ed25519 SSH key, same as used to sign git commits and tags. It is available in the allowed_signers file, defined in ssh-keygen(1), ALLOWED SIGNERS.

To use it with git:

$ git config gpg.format ssh
$ git config gpg.ssh.allowedSignersFile allowed_signers
$ git verify-commit HEAD  # or whatever
Good "git" signature for post@0x21.biz with ED25519 key SHA256:plwxRk3c7Mf2Xd4sE1Ar0o5z19ICPSOLWedLEXb2KgI

To verify the release binaries:

$ ssh-keygen -Y verify -f allowed_signers -I post@0x21.biz -n file -s check_xs_openbsd_amd64.sig < check_xs_openbsd_amd64
Good "file" signature for post@0x21.biz with ED25519 key SHA256:plwxRk3c7Mf2Xd4sE1Ar0o5z19ICPSOLWedLEXb2KgI

For people who are not me, the problem might be how to get my public key securely without being MITMed first. But that might be a you-problem unless we know each other and have a secure channel to exchange keys.

If Icinga 2 CheckCommands are required, they can be generated via check_xs -icinga-cfg.

Contributing

Although this is a personal collection of check plugins written to satisfy my monitoring needs, contributions are welcome!

The software is licensed under the MIT license, which is included in the LICENSES/MIT.txt file. The authorship is tracked using REUSE. There are parts being reused from other sources, being indicated by a SPDX header, or either being dual-licensed, also indicated through headers and maybe a comment.

To keep things simple, small, and not open the gates to Supply Chain Attacks™, no unnecessary Go dependencies should be introduced. This is not an absolute, just a general rule of thumb.

Patches can be submitted either through Pull Requests here at Codeberg.org or via email to the email address of the initial commit in the git log (sorry for this lame ass spam protection).