Check crypto-policy¶
Overview¶
Verifies that the system-wide cryptographic policy (as reported by update-crypto-policies) matches the expected setting. Returns WARN if the current policy differs from the desired one (default: "DEFAULT"). Useful for ensuring consistent TLS and cipher configurations across a fleet of servers.
Important Notes:
- RHEL/CentOS/Fedora and other distributions that ship
update-crypto-policies
Data Collection:
- Runs
update-crypto-policies --showto determine the active system-wide crypto policy - Compares the result against the expected policy name (case-insensitive)
Fact Sheet¶
| Fact | Value |
|---|---|
| Check Plugin Download | https://github.com/Linuxfabrik/monitoring-plugins/tree/main/check-plugins/crypto-policy |
| Nagios/Icinga Check Name | check_crypto_policy |
| Check Interval Recommendation | Every 15 minutes |
| Can be called without parameters | Yes |
| Runs on | Linux |
| Compiled for Windows | No |
Help¶
usage: crypto-policy [-h] [-V] [--always-ok] [--policy CRYPTO_POLICY]
Verifies that the system-wide cryptographic policy (as reported by update-
crypto-policies) matches the expected setting. Returns WARN if the current
policy differs from the desired one (default: "DEFAULT"). Useful for ensuring
consistent TLS and cipher configurations across a fleet of servers.
options:
-h, --help show this help message and exit
-V, --version show program's version number and exit
--always-ok Always returns OK.
--policy CRYPTO_POLICY
Expected crypto policy name. Case-insensitive.
Example: `FUTURE`. Default: DEFAULT
Usage Examples¶
./crypto-policy --policy FUTURE
Output:
Crypto policy is "DEFAULT" (as expected).
States¶
- OK if the current crypto policy matches the expected one (case-insensitive).
- WARN if the current crypto policy does not match the expected one.
- UNKNOWN if
update-crypto-policiesis not available on the system. --always-oksuppresses all alerts and always returns OK.
Perfdata / Metrics¶
There is no perfdata.
Credits, License¶
- Authors: Linuxfabrik GmbH, Zurich
- License: The Unlicense, see LICENSE file.