Predefined check types reference

Infracheck ships with a set of standard checks by default. They are listed below:

http

Performs an HTTP call using curl.

Example:

{
    "type": "http",
    "input": {
        "url": "http://iwa-ait.org",
        "expect_keyword": "iwa",
        "not_expect_keyword": "Server error"
    }
}

Parameters:

  • url
  • expect_keyword
  • not_expect_keyword

rkd://

Infracheck can execute RiotKit-Do tasks. RKD is a task executor, similar to Makefile or Gradle. Its essential feature is the ability to load tasks from PyPI (Python packages).

Using RKD you can write a Python class, version it and release it to PyPI with a list of dependencies, and install it anywhere with PIP. A packaged task can require extra dependencies that you do not always want to install, e.g. MySQL, PostgreSQL, Redis or other clients that you want to install selectively on your Infracheck instances.

More information on how to write RKD tasks can be found in RiotKit-Do’s documentation.

{
    "type": "rkd://rkd.standardlib.shell:sh",
    "input": {
        "-c": "ps aux |grep X11"
    }
}

{
    "type": "rkd://my_rkd_check:mysql:temporary-table-size-check",
    "input": {
        "--max": "100000",
        "--host": "localhost",
        "--port": 3306,
        "--user": "infracheck",
        "--password": "${TEMP_TABLE_SIZE_CHECK_PASSWORD}"
    }
}

dir-present

Checks whether a directory exists.

Parameters:

  • dir

file-present

Checks whether a file is present.

Parameters:

  • file_path

docker-health

Checks if containers are healthy.

Parameters:

  • docker_env_name (a prefix: only containers whose names begin with it are checked, following the docker-compose idea)

port-open

Checks if the port is open.

Parameters:

  • po_host
  • po_port
  • po_timeout (in seconds)

replication-running

Checks if the MySQL replication is in good state. Works with Docker only.

Parameters:

  • container
  • mysql_root_password

free-ram

Monitors RAM usage and alerts when the configured maximum percentage of memory has been used.

Parameters:

  • max_ram_percentage (in percent, e.g. 80)

domain-expiration

Checks if the domain is close to its expiration date or has already expired.

Notice: Using this check multiple times can cause a “request limit exceeded” error.

Warning: Because whois usage is limited per IP, we recommend caching this health check aggressively (e.g. a 1-2 day cache) and, when checking multiple domains, using the “wait time” feature to sleep between checks so that too many requests are not sent at once.

Parameters:

  • domain (domain name)
  • alert_days_before (number of days before expiration date to start alerting)

disk-space

Monitors disk space.

Parameters:

  • min_req_space (in gigabytes)
  • dir (path)

Example JSON:

{
    "type": "disk-space",
    "input": {
        "dir": "/",
        "min_req_space": "6"
    }
}

ovh-expiration

Checks that a VPS has not expired. Grab credentials at https://api.ovh.com/createToken/index.cgi

Required privileges on OVH API: “GET /vps*”

Parameters:

  • endpoint (ex. ovh-eu)
  • app_key
  • app_secret
  • app_consumer_key
  • service_name (ex. somevps.ovh.net)
  • days_to_alert (ex. 30 for 30 days)

Example JSON:

{
    "type": "ovh-expiration",
    "input": {
        "endpoint": "ovh-eu",
        "app_key": "xyyyyyyyyyyyyzz",
        "app_secret": "xyxyxyxyyxyxyxyxyxyxxyyxyxyxyxy",
        "app_consumer_key": "xyxyyxyxyxyxyxyxyxyyxyxyxyxyxy",
        "service_name": "vps12345678.ovh.net",
        "days_to_alert": 5
    }
}

ssh-fingerprint

Verifies that the remote host's fingerprint matches the expected one. Helps detect man-in-the-middle and server takeover attacks.

Parameters:

  • expected_fingerprint (example: zsp.net.pl ssh-rsa SOMESOMESOMESOMESOMEKEYHERE)
  • method (default: rsa)
  • host (example: zsp.net.pl)
  • port (example: 22)
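
A sketch of the comparison this kind of check relies on, added here as an example and not Infracheck's own code. It assumes that expected_fingerprint and the scan output are both ssh-keyscan style lines ("host keytype base64key"), as the parameter example suggests; all function names and key values are constructed.

```python
import base64
import hashlib

def parse_key_line(line):
    """Split 'host keytype base64key' into (host, keytype, key_bytes); None if malformed."""
    parts = line.split()
    if len(parts) < 3 or parts[0].startswith("#"):
        return None
    try:
        return parts[0], parts[1], base64.b64decode(parts[2], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def sha256_fingerprint(blob):
    """'SHA256:' + unpadded base64 of SHA-256(key blob), the form OpenSSH displays."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_key(expected_fingerprint, scan_output):
    """Return ('match'|'changed'|'absent', fingerprint of the key that was seen or None)."""
    expected = parse_key_line(expected_fingerprint)
    if expected is None:
        raise ValueError("expected_fingerprint must be 'host keytype base64key'")
    host, keytype, pinned = expected
    changed = None
    for line in scan_output.splitlines():
        parsed = parse_key_line(line)
        if parsed is None or parsed[:2] != (host, keytype):
            continue  # comment, malformed line, other host or other key type
        if parsed[2] == pinned:
            return "match", sha256_fingerprint(pinned)
        changed = parsed[2]
    if changed is not None:
        return "changed", sha256_fingerprint(changed)
    return "absent", None

# Constructed sample data: these byte strings are placeholders, not real SSH keys.
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()
EXPECTED = "zsp.net.pl ssh-rsa " + KEY_A
SCAN_SAME = "# zsp.net.pl:22 SSH-2.0-OpenSSH\nzsp.net.pl ssh-rsa " + KEY_A
SCAN_CHANGED = "zsp.net.pl ssh-rsa " + KEY_B
SCAN_OTHER_TYPE = "zsp.net.pl ssh-ed25519 " + KEY_B

if __name__ == "__main__":
    for scan in (SCAN_SAME, SCAN_CHANGED, SCAN_OTHER_TYPE):
        print(check_host_key(EXPECTED, scan))
```

A "changed" result means the host presented a different key of the pinned type; "absent" means no key of that type was returned, which should also fail the check rather than pass silently.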

ssh-files-checksum

Calls a remote process using SSH and expects the listed files to match the given checksums.

Parameters:

  • user (default: root)
  • host
  • port (default: 22)
  • private_key
  • password
  • ssh_bin (default: ssh)
  • sshpass_bin (default: sshpass)
  • ssh_opts (example: -o StrictHostKeyChecking=no)
  • known_hosts_file (default: ~/.ssh/known_hosts)
  • command (default: uname -a)
  • timeout (default: 15, unit: seconds)
  • method (default: sha256sum)
  • expects (json dict, example: {"/usr/bin/bahub": "d6e85b50756a08e24c1d46f07b68e288c9e7e565fd662a15baca214f576c34be"})
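
How an expects dict can be evaluated against sha256sum output, shown as an added example rather than Infracheck's own code. The function names are hypothetical and the sample output is constructed; only the /usr/bin/bahub digest comes from the parameter list above.

```python
import json
import re

HEX_DIGEST = re.compile(r"[0-9a-f]{32,128}")  # covers md5 through sha512 lengths

def parse_checksum_output(output):
    """Map path -> digest from sha256sum-style lines: '<hex>  <path>' or '<hex> *<path>'."""
    digests = {}
    for line in output.splitlines():
        digest, sep, rest = line.partition(" ")
        digest = digest.lower()
        # Skip tool error messages and anything that is not '<hex> <mode char><path>'
        if not sep or len(rest) < 2 or rest[0] not in " *":
            continue
        if HEX_DIGEST.fullmatch(digest):
            digests[rest[1:]] = digest
    return digests

def verify_checksums(expects_json, output):
    """Return {path: 'ok' | 'mismatch' | 'missing'} for every path in the expects dict."""
    expects = json.loads(expects_json)
    actual = parse_checksum_output(output)
    report = {}
    for path, wanted in expects.items():
        got = actual.get(path)
        if got is None:
            report[path] = "missing"  # file absent or unreadable on the remote host
        elif got == wanted.strip().lower():
            report[path] = "ok"
        else:
            report[path] = "mismatch"
    return report

def all_ok(report):
    """An empty report is treated as a failure, not as a pass."""
    return bool(report) and all(status == "ok" for status in report.values())

# Constructed sample data: the two repeated-letter digests are made up.
BAHUB = "d6e85b50756a08e24c1d46f07b68e288c9e7e565fd662a15baca214f576c34be"
EXPECTS = json.dumps({"/usr/bin/bahub": BAHUB,
                      "/etc/ssh/sshd_config": "a" * 64,
                      "/opt/missing": "c" * 64})
REMOTE_OUTPUT = "\n".join([
    BAHUB + "  /usr/bin/bahub",
    "b" * 64 + "  /etc/ssh/sshd_config",
    "sha256sum: /opt/missing: No such file or directory",
])

if __name__ == "__main__":
    print(verify_checksums(EXPECTS, REMOTE_OUTPUT))
```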

ssh-command

Calls a remote process using SSH and checks its exit code and the keywords in its output.

Parameters:

  • user (default: root)
  • host
  • port (default: 22)
  • private_key
  • password
  • ssh_bin (default: ssh)
  • sshpass_bin (default: sshpass)
  • ssh_opts (example: -o StrictHostKeyChecking=no)
  • known_hosts_file (default: ~/.ssh/known_hosts)
  • command (default: uname -a)
  • timeout (default: 15, unit: seconds)
  • expected_keywords (Keywords expected to be in stdout/stderr. Separated by “;”)
  • unexpected_keywords (Keywords not expected to be present in stdout/stderr. Separated by “;”)
  • expected_exit_code (default: 0)

reminder

Reminds about a recurring date. Example: extending the validity of your hosting account.

Parameters:

  • ref_date (example: 2019-05-01 for the 1st of May 2019)
  • each (values: week; month; year, default: year)
  • alert_days_before (default: 5, the health check turns red 5 days before the date)

load-average-auto

Checks if the load average is not more than 100%

Parameters:

  • maximum_above (unit: processor cores, default: 0.5 - half of a core)
  • timing (default: 15. The load average time: 1, 5, 15)

load-average

Checks if the load average is not below the specified number

Parameters:

  • max_load (unit: processor cores, example: 5.0, default: 1)
  • timing (default: 15. The load average time: 1, 5, 15)

swap-usage-max-percent

Defines maximum percentage of allowed swap usage

Parameters:

  • max_allowed_percentage (default: 0.0)

influxdb-query

Queries an InfluxDB database and compares results.

Parameters:

  • host
  • port (default: 8086)
  • user
  • password
  • database
  • query
  • expected: A JSON-serialized result (not pretty-formatted)

Example of JSON serialized result for query ‘select value from cpu_load_short;’:

[
    [
        {"time": "2009-11-10T23:00:10Z", "value": 10.64},
        {"time": "2009-11-10T23:00:20Z", "value": 20.64},
        {"time": "2009-11-10T23:00:30Z", "value": 30.64},
        {"time": "2009-11-10T23:00:40Z", "value": 40.64}
    ]
]

postgres

Uses the pg_isready tool to verify that PostgreSQL is up and ready to accept connections.

Parameters:

  • pg_host (hostname or socket path, defaults to “localhost” which will use local unix socket, use IP address eg. 127.0.0.1 to connect via tcp)
  • pg_port (port, defaults to 5432)
  • pg_db_name (database name to connect to, defaults to “postgres”)
  • pg_user (username, defaults to “postgres”)
  • pg_conn_timeout (defaults to 15 which means 15 seconds)

postgres-primary-streaming-status

Verifies that the local PostgreSQL instance is currently serving WALs to a specified replica. The SQL command that is validated: select * from pg_stat_replication;

Parameters:

  • pg_host (hostname or socket path, defaults to “localhost” which will use local unix socket, use IP address eg. 127.0.0.1 to connect via tcp)
  • pg_port (port, defaults to 5432)
  • pg_db_name (database name to connect to, defaults to “postgres”)
  • pg_user (username, defaults to “postgres”)
  • pg_password
  • pg_conn_timeout (defaults to 15 which means 15 seconds)
  • expected_status (defaults to “streaming”)
  • expected_replication_user: Expected user that will be used for replication connection (defaults to “replication”)

postgres-replica-status

Checks if the local PostgreSQL server acts as a replication server, by validating the list of active WAL receivers. The SQL command that is validated: select * from pg_stat_wal_receiver;

Parameters:

  • pg_host (hostname or socket path, defaults to “localhost” which will use local unix socket, use IP address eg. 127.0.0.1 to connect via tcp)
  • pg_port (port, defaults to 5432)
  • pg_db_name (database name to connect to, defaults to “postgres”)
  • pg_user (username, defaults to “postgres”)
  • pg_password
  • pg_conn_timeout (defaults to 15 which means 15 seconds)
  • expected_status (defaults to “streaming”)
  • expected_replication_user: Expected user that will be used for replication connection (defaults to “replication”)

docker-container-log

Searches Docker container logs for matches of the given regular expression.

Parameters:

  • container: Docker container name
  • regexp: Regular expression
  • max_lines: Number of last lines to check (defaults to 5)
  • since_seconds: Get only logs since this time (eg. last 5 minutes = 5 * 60 = 300) (defaults to 300)
  • present: Boolean, if the string should be present in the output or not

smtp_credentials_check.py

Verifies the connection, TLS certificate and credentials for an SMTP server by doing a ping and an authorization attempt.

Parameters:

  • smtp_host (example: bakunin.example.org)
  • smtp_port (example: 25)
  • smtp_user (example: noreply@example.org)
  • smtp_password (example: bakunin-1936)
  • smtp_encryption (example: starttls. Values: “”, “ssl”, “starttls”)
  • smtp_timeout (default: 30, unit: seconds)

tls

TLS/SSL certificate expiration validation

Parameters:

  • domain: TLS certificate domain for which the certificate was created
  • host: IP address or DNS hostname from which the certificate should be downloaded (defaults to domain value)
  • port: Port (defaults to 443)
  • alert_days_before: Number of days before expiration date to start alerting (defaults to 3)

tls-docker-network

Automated TLS certificate verification for Docker-based flows like docker-gen. Scans the list of Docker containers based on a label or environment variable that contains a domain name.

Parameters:

  • parameter_type: Label or environment variable
  • parameter_name: Name of the label or environment variable
  • alert_days_before: Number of days before expiration date to start alerting (defaults to 3)
  • docker_host: (Optional) The URL to the Docker host.
  • docker_tls_verify: (Optional) Verify the host against a CA certificate.
  • docker_cert_path: (Optional) A path to a directory containing TLS certificates to use when connecting to the Docker host
  • debug: (Optional) Debugging mode