Two down, one remains.
A work thing that we ran into is that Google sometimes updates its root certificates. This can cause some panic on the part of some because they need to keep these up-to-date to facilitate inter-application communication.
So, to that end, I figured it was time to get proactive in a manner by detecting an update so we can at least tell people this particular change has occurred and how to deal with it. The next step might be to actually update the file where it need to live on the system, but let's not get ahead of ourselves.
I work in a hybrid environment and the idea was that we can build this to run as a service or a scheduled job (preferred) is just a given. It's less complicated on a Linux-based system so one solutions is written in bash, but many of our systems run on Windows Server so I figured PowerShell was also wise.
My first attempt was PowerShell and that does the job, but for parity I wrote the bash version to product the same output.
I'm modelling this on a Windows 10 system with the Ubuntu WSL2 for the bash shell. The intent is the script can live in a central location and you'd run it in a folder to capture and store the data/logs.
../pemWatch.sh sh-google.com https://pki.goog/roots.pem
..\pemWatch.ps1 ps-google.com https://pki.google.com/roots.pem
Yes, there is a reason why the URLs are different, it seems PowerShell handles a redirect better as the URL delivers this when I use curl under Linux.
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://pki.goog/roots.pem">here</A>.
</BODY></HTML>
I guess things change on the Internet ;-) ...
As I have said before, and I will always remind you, I'm not a scripting guru, I just find a way.
The Bash version:
Let's step through the bash script first:
#!/bin/bash
null=""
if [ -n $1 ]
then
name="$1"
else
name=default-test
fi
if [ -n $2 ]
then
url="$2"
else
url=https://pki.goog/roots.pem
fi
This accepts the command-line arguments and stuff in default if they're not present. Theoretically this could be useful for any monitoring of a file you need to pay attention to out there, so...
function main {
rep=.
with=-
name="${name//$rep/$with}"
lastMd5=$(cat ${name}.md5)
md5=$(curl ${url} | md5sum)
md5x=$(echo ${md5} | cut -d' ' -f 1)
if [[ $lastMd5 != $md5x ]]
then
echo $md5x $lastMd5
echo $md5x>$name.md5
curl ${url} --output $name.root_pem > /dev/null 2>&1
triggerAlert
else
echo $name :: $md5x
fi
}
The main Function, and I do like the structured coding of functions, handles reformatting the name to be file-safe (replacing and periods with a dash). We move on to loading the last MD5 value from a file for reference as lastMd5 then we collect the most recent version of the file and collect the MD5 on that into the variable, md5.
We need to tidy of the value by trimming the tail off it and trowing it into the variable md5x and we get into the comparison of it all. The key to this is the simple comparison of the lastMd5 variable with md5x, if they don't match the file has changed. If the file has changed we log it on-screen and into the $name.log file using the function triggerAlert.
function triggerAlert {
echo "Alert!"
date=$(date '+%Y-%m-%d %H:%M:%S')
echo "ALERT:: $date :: $lastMd5 => $md5x" 1>> $name.log
# add any advanced handling here
}
This function, at this time, simply writes a log of the event but it could send an email or potentially trigger some webhook into something more meaningful.
The script wraps up with a call to main because the functions need to precede their call.
# -------------------- MAIN
main
The PowerShell version:
You will see the parallels here in PowerShell to how the bash script was built. First we handle the command-line parameters.
param(
[Parameter(Mandatory = $false, Position = 1)][string]$name = $null,
[Parameter(Mandatory = $false, Position = 2)][string]$url = $null
,[Parameter(Mandatory = $false)][switch]$reset = $null
)
As before the main function is where the bulk of the action happens. We ensure the parameters are present and valid, we normalize the name, then fetch the file into the variable $dl (download). We then call a function I found on the Internet to perform an MD5 hash on the file while in memory.
function main{
if($name + "" -eq ""){
$name = "google.com"
}
if($url +"" -eq ""){
$url = "https://pki.google.com/roots.pem"
}
$name = $name.replace('.','-')
$name = $name.replace(' ','-')
$name = $name.ToLower()
$dl = Invoke-WebRequest -Uri $url -UseBasicParsing
$md5 = Get-StringHash $dl
if(Test-Path -Path $($name + ".md5") -PathType Leaf){
$lastMD5 = Get-Content -Path $($name + ".md5")
} else {
}
if($md5 -ne $lastMD5){
Set-Content -Path $($name + ".root_pem") -value $dl
Set-Content -Path $($name + ".md5") -value $md5
if($lastMD5 + "" -ne ""){
triggerAlert $name $url
write-host "ALERT! Checking on $name..."
} else {
write-host "New! No alert on $name..."
}
}
if($reset){
if(Test-Path -Path $($name + ".root_pem") -Pathtype Leaf){
$devNull = Remove-Item -Path $($name + ".root_pem") -Force
}
if(Test-Path -Path $($name + ".md5") -Pathtype Leaf){
$devNull = Remove-Item -Path $($name + ".md5") -Force
}
} else {
Set-Content -Path $($name + ".root_pem") -Value $dl
}
write-host "$($name.padRight(25,' ')) :: $md5" -ForegroundColor White
}
There's a reset function that I haven't added to the bash script that resets the collected files but that's an extra. The function below, Get-StringHash, will return the MD5 hash for use.
Function Get-StringHash
{
param
(
[String] $String,
$HashName = "MD5"
)
$bytes = [System.Text.Encoding]::UTF8.GetBytes($String)
$algorithm = [System.Security.Cryptography.HashAlgorithm]::Create('MD5')
$StringBuilder = New-Object System.Text.StringBuilder
$algorithm.ComputeHash($bytes) |
ForEach-Object {
$null = $StringBuilder.Append($_.ToString("x2"))
}
$StringBuilder.ToString()
}
Just like the bash script the following should be customized to meet your needs. Right now it writes a log just as the bash script does.
Function triggerAlert{
param(
[Parameter(Mandatory = $true, Position = 1)][string]$name = $null,
[Parameter(Mandatory = $true, Position = 2)][string]$url = $null
)
#Send Email
#Trigger Zabbix
#Write to Log
$logData = $(Get-Date).ToString('yyyy-MM-dd HH:mm:ss') + " :: " + $md5.PadLeft(20,' ')
if(Test-Path -Path $($name + ".log") -PathType Leaf){
Add-Content -Path $($name + ".log") -Value $logData
} else {
Set-Content -Path $($name + ".log") -Value $logData
}
}
And we cannot forget to call main.
main
I hope this helps you see the parallels of scripting languages, that while we may need to learn the nuances of different languages the logic can often remain the same.
My scripts, shared. Also, about that remaining one, I'll do this again in Python, or perhaps even Java or Rust, all languages I'm not terribly familiar with yet.
No comments:
Post a Comment