We are trying to figure out a way to monitor all of our websites to make sure Chrome does not filter them as "Site is not fully secured". Need assistance for this to see if it's possible or only through external tools.
Chrome et al. will post "site is not secured" when you have no SSL, or when your SSL certificate is not signed by a trusted CA or when your certificates are expired.
So, to monitor for this, you need to have some mechanism open each of your web sites, parse the certificate that the web site is presenting into Splunk Indexes and then alert when the data is not as expected.
The easiest way I can think of to do this would be to write a script that uses the openssl binaries to open your website.
A one line example to get this data would be:
# One liner CLI to get cert info from a web site:
echo | openssl s_client -showcerts -servername website.domain.com -connect website.domain.com:443 2>/dev/null | openssl x509 -inform pem -noout -text
When I run that against my Splunk server, I get output like the following:
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 15712124552693347650 (0xda0cae08c5faf542)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CA, L=San Francisco, O=Splunk, CN=Splunk CommonCA/emailAddress=support@splunk.com
Validity
Not Before: Dec 2 22:07:37 2016 GMT
Not After : Dec 2 22:07:37 2019 GMT
Subject: CN=SplunkServerDefaultCert, O=SplunkUser
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:ba:a6:4e:0a:a2:1c:17:c0:b1:63:57:3d:0e:f2:
34:5c:82:21:ae:a1:d4:3c:3e:15:2c:8b:77:9c:c8:
c2:92:d1:aa:05:e1:b7:8e:b8:a2:05:fa:6d:a4:0f:
cc:fe:84:b4:75:eb:f2:3e:59:8f:15:85:84:de:81:
b0:b2:bf:cf:a8:10:55:9c:d3:4a:4f:db:bc:e3:5c:
d4:ce:74:af:96:fa:98:ec:81:be:76:aa:cb:9f:ba:
00:92:15:b0:a4:f1:5a:d0:c1:e2:52:10:ba:7c:2a:
33:36:c9:73:e3:c0:8f:1f:a8:79:dd:05:51:92:e3:
78:9c:fb:b4:b2:df:fd:be:f1
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
32:09:ab:35:32:af:17:d2:ee:94:ef:ca:18:33:4c:bf:0e:a1:
ea:f4:08:4f:c1:ff:ea:e4:3e:64:23:c7:f5:2d:46:11:83:4b:
ec:70:99:c9:1f:fa:9d:53:50:c4:f0:a5:e8:f2:aa:f3:a4:11:
c2:68:51:72:b1:67:de:86:86:69:96:f3:35:84:84:ca:99:dd:
67:e7:32:3a:ca:b6:3d:f0:77:b0:c7:25:f4:e0:35:2e:d5:79:
1d:50:38:45:b0:ad:c5:86:db:73:5f:63:82:05:8c:d8:7f:28:
45:2a:17:84:13:de:b5:f2:2e:07:dc:70:de:87:38:2b:ca:d2:
6e:fc
So, if you create a shell script for each of your web sites and output the appropriate data from the script to an index, you can then alert when the dates are close or expired, if the signing information is showing different than you expect, or if the SSL is turned off for some reason.
...is this what you are looking for ... or did I miss the mark?
We have something similar with a Python script which already does this and it is being logged in our Splunk server, plus we also have alerts set up for the same.
The idea is to pretty much have an overview of our websites where sometimes "Mixed Content" is triggered because an external .css or .js file is loaded through HTTP instead of HTTPS, and therefore it will generate a message saying "The site is not fully secured". This is what we are trying to detect.
Best Regards!
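
The mixed-content check described in the last reply, as an added example that is not part of the original thread: it scans a page's HTML for .css, .js and other subresources referenced over http:// and renders each one as a key="value" event for indexing. The function names, the tag/attribute tables and the sample HTML are assumptions made for illustration; resources injected at run time by JavaScript or referenced from inside CSS files are outside what a static scan like this sees.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser fetch a subresource.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        # Only <link rel=stylesheet> is treated as a load; rel=canonical etc. is not fetched.
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower().split():
            return
        for attr, value in attrs.items():
            kind = ("active" if (tag, attr) in ACTIVE
                    else "passive" if (tag, attr) in PASSIVE else None)
            if kind is None or not value:
                continue
            # urljoin resolves relative and protocol-relative (//host/x) URLs.
            resolved = urljoin(self.page_url, value)
            if urlsplit(resolved).scheme == "http":
                self.findings.append({"page": self.page_url, "tag": tag,
                                      "kind": kind, "resource": resolved})

def find_mixed_content(page_url, html):
    """Return the http:// subresources referenced by an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

def to_splunk_event(finding):
    """Render a finding as key="value" pairs for indexing."""
    return " ".join(f'{k}="{v}"' for k, v in finding.items())

# Constructed sample page, not taken from a real site.
SAMPLE_HTML = """<head><link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="//cdn.example.com/app.js"></script>
<script src="http://cdn.example.com/legacy.js"></script></head>
<body><img src="http://img.example.com/logo.png"><a href="http://www.example.com/a">A</a></body>"""

if __name__ == "__main__":
    for finding in find_mixed_content("https://www.example.com/", SAMPLE_HTML):
        print(to_splunk_event(finding))
```

Feeding it the HTML your existing Python check already downloads gives one event per insecure resource, so an alert can key on `kind="active"` for scripts and stylesheets.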