Runbook: Health Check
Duration: ~5 minutes
Role: PKI operator
Frequency: Daily (recommended: in the morning)
Workflow
```mermaid
flowchart LR
    subgraph CHECKS["🔍 CHECKS"]
        C1[CA availability]
        C2[CRL validity]
        C3[OCSP status]
        C4[Expiring certificates]
        C5[Disk space]
    end
    subgraph STATUS["📊 STATUS"]
        S1{OK?}
        S2[Dashboard]
    end
    subgraph ACTION["⚡ ACTION"]
        A1[Create ticket]
        A2[Escalation]
    end
    C1 --> S1
    C2 --> S1
    C3 --> S1
    C4 --> S1
    C5 --> S1
    S1 -->|Yes| S2
    S1 -->|No| A1
    A1 -->|Critical| A2
    style S1 fill:#fff3e0
    style A2 fill:#ffebee
```
Quick check (1 command)
```bash
#!/bin/bash
# pki-health-check.sh - daily PKI check
# Assumes GNU date (for -f / -d) and PEM-encoded CRLs under /var/www/pki.

echo "=== PKI Health Check $(date -Iseconds) ==="

# 1. CA certificates (glob matches root-ca.pem and intermediate-ca.pem from the detailed checks)
echo -e "\n[1] CA certificates:"
for ca in /etc/pki/CA/*-ca.pem; do
    days=$(( ($(openssl x509 -enddate -noout -in "$ca" | cut -d= -f2 | date -f - +%s) - $(date +%s)) / 86400 ))
    status="OK"
    [ "$days" -lt 365 ] && status="WARNING"
    [ "$days" -lt 90 ] && status="CRITICAL"
    echo "  $(basename "$ca"): $days days [$status]"
done

# 2. CRL validity
echo -e "\n[2] CRL status:"
for crl in /var/www/pki/*.crl; do
    next=$(openssl crl -in "$crl" -nextupdate -noout 2>/dev/null | cut -d= -f2)
    if [ -n "$next" ]; then
        days=$(( ($(date -d "$next" +%s) - $(date +%s)) / 86400 ))
        status="OK"
        [ "$days" -lt 3 ] && status="WARNING"
        [ "$days" -lt 1 ] && status="CRITICAL"
        echo "  $(basename "$crl"): $days days until next update [$status]"
    fi
done

# 3. OCSP responder (--max-time so an unresponsive responder is reported instead of hanging the check)
echo -e "\n[3] OCSP responder:"
ocsp_status=$(curl -s --max-time 5 -o /dev/null -w "%{http_code}" http://ocsp.example.com/status)
[ "$ocsp_status" = "200" ] && echo "  Status: OK" || echo "  Status: ERROR ($ocsp_status)"

# 4. Expiring certificates (30 days = 2592000 s)
echo -e "\n[4] Expiring certificates (<30 days):"
count=$(find /etc/ssl/certs -name "*.pem" -exec openssl x509 -checkend 2592000 -noout -in {} \; 2>/dev/null | grep -c "will expire")
echo "  Count: $count"

# 5. Disk space
echo -e "\n[5] Disk space:"
df -h /etc/pki /var/log | tail -n +2

echo -e "\n=== End of Health Check ==="
```
Detailed checks
1. CA certificates
```bash
# Root-CA validity
openssl x509 -in /etc/pki/CA/root-ca.pem -enddate -noout
# Expected result: > 10 years

# Intermediate-CA validity
openssl x509 -in /etc/pki/CA/intermediate-ca.pem -enddate -noout
# Expected result: > 2 years

# Certificate chain check
openssl verify -CAfile /etc/pki/CA/root-ca.pem /etc/pki/CA/intermediate-ca.pem
# Expected result: OK
```
Thresholds:
| CA type | Warning | Critical |
|---|---|---|
| Root-CA | < 5 years | < 2 years |
| Intermediate-CA | < 1 year | < 6 months |
2. CRL validity
```bash
# CRL metadata
openssl crl -in /var/www/pki/crl.pem -text -noout | head -20

# Next Update check
openssl crl -in /var/www/pki/crl.pem -nextupdate -noout

# Fetch the CRL from the CDP (DER-encoded, hence -inform DER)
curl -s http://crl.example.com/crl.der | openssl crl -inform DER -text -noout
```
Thresholds:
| Metric | Warning | Critical |
|---|---|---|
| Next Update | < 3 days | < 1 day |
| CRL size | > 10 MB | > 50 MB |
3. OCSP responder
```bash
# OCSP availability
curl -s -o /dev/null -w "HTTP: %{http_code}, Time: %{time_total}s\n" http://ocsp.example.com/status

# OCSP response for a test certificate
# -CAfile lets openssl verify the responder's signature against the root CA;
# without it the status is still printed but alongside a "Response Verify Failure".
openssl ocsp \
  -issuer /etc/pki/CA/intermediate-ca.pem \
  -CAfile /etc/pki/CA/root-ca.pem \
  -cert /etc/ssl/certs/test.pem \
  -url http://ocsp.example.com \
  -resp_text
# Expected result: "Cert Status: good" (or "revoked" if the certificate has been revoked)
```
Thresholds:
| Metric | Warning | Critical |
|---|---|---|
| Response time | > 500ms | > 2s |
| HTTP status | != 200 | Timeout |
4. Expiring certificates
```bash
# Server certificates (30 days = 2592000 s)
find /etc/ssl/certs -name "*.pem" -exec sh -c '
  if openssl x509 -checkend 2592000 -noout -in "$1" 2>/dev/null | grep -q "will expire"; then
    echo "EXPIRING: $1"
  fi
' _ {} \;

# CA certificates (1 year = 31536000 s)
for ca in /etc/pki/CA/*.pem; do
  if openssl x509 -checkend 31536000 -noout -in "$ca" 2>/dev/null | grep -q "will expire"; then
    echo "CA WARNING: $ca"
  fi
done
```
```powershell
# PowerShell: expiring certificates in the local machine store
Get-ChildItem Cert:\LocalMachine\My |
  Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } |
  Format-Table Subject, NotAfter, Thumbprint -AutoSize
```
5. System resources
```bash
# Disk space for the PKI directories
df -h /etc/pki /var/log/pki /var/www/pki

# Log file sizes
du -sh /var/log/pki/*

# Processes (grep -v grep drops the grep process itself from the match)
ps aux | grep -E "(ocsp|openssl)" | grep -v grep
```
Thresholds:
| Resource | Warning | Critical |
|---|---|---|
| Disk usage | > 80% | > 95% |
| Log size | > 1 GB | > 5 GB |
Automation
Cron Job
```cron
# /etc/cron.d/pki-health-check
# Daily at 08:00. The % signs are escaped because cron treats an unescaped % as a
# newline, which would cut the command off inside the date format.
0 8 * * * root /usr/local/bin/pki-health-check.sh | mail -s "PKI Health Check $(date +\%Y-\%m-\%d)" pki-team@example.com
```
Prometheus Exporter (optional)
```yaml
# prometheus-pki-exporter.yml
- job_name: 'pki'
  static_configs:
    - targets: ['pki-server:9115']
  metrics_path: /probe
  params:
    module: [certificate]
```
Dashboard template
| Metric | Status | Value | Threshold |
|---|---|---|---|
| Root-CA validity | 🟢 | 15 years | > 5 years |
| Intermediate-CA validity | 🟡 | 8 months | > 1 year |
| CRL Next Update | 🟢 | 5 days | > 3 days |
| OCSP response | 🟢 | 120ms | < 500ms |
| Expiring certificates | 🟡 | 3 | 0 |
| Disk /etc/pki | 🟢 | 45% | < 80% |
Legend:
- 🟢 OK
- 🟡 Warning
- 🔴 Critical
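As an added example (not part of this runbook): a small Python evaluator that applies the threshold tables above to the openssl output the quick-check script already collects, so the script, the dashboard and the escalation matrix share one definition of WARNING and CRITICAL. It assumes 1 year = 365 days and 6 months = 182 days; the metric names, the fixed "now" and the openssl lines are constructed.

```python
from datetime import datetime, timezone
# Thresholds copied from the tables above as (direction, warn, crit).
# "min" metrics degrade as the value falls (days remaining), "max" metrics as it rises.
# Assumption: 1 year = 365 days and 6 months = 182 days when converting the table rows.
THRESHOLDS = {
    "root_ca_days":         ("min", 5 * 365, 2 * 365),  # Root-CA: < 5 y warn, < 2 y crit
    "intermediate_ca_days": ("min", 365, 182),          # Intermediate-CA: < 1 y / < 6 mo
    "crl_next_update_days": ("min", 3, 1),              # CRL Next Update: < 3 d / < 1 d
    "ocsp_response_ms":     ("max", 500, 2000),         # OCSP response time: > 500 ms / > 2 s
    "disk_used_pct":        ("max", 80, 95),            # Disk usage: > 80 % / > 95 %
}

def classify(metric, value):
    """Return OK / WARNING / CRITICAL for one metric using the table thresholds."""
    direction, warn, crit = THRESHOLDS[metric]
    if direction == "min":
        return "CRITICAL" if value < crit else "WARNING" if value < warn else "OK"
    return "CRITICAL" if value > crit else "WARNING" if value > warn else "OK"

def days_remaining(openssl_line, now):
    """Parse 'notAfter=Jan  1 12:00:00 2030 GMT' (x509 -enddate) or the
    'nextUpdate=...' line of crl -nextupdate; return whole days until that time."""
    _, _, stamp = openssl_line.strip().partition("=")
    stamp = " ".join(stamp.split())  # openssl pads single-digit days with two spaces
    end = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return (end - now).days

def dashboard(readings, now):
    """readings maps metric -> raw value; openssl date lines are converted to days.
    Returns (metric, value, status) rows in the order of the dashboard template."""
    rows = []
    for metric, raw in readings.items():
        value = days_remaining(raw, now) if isinstance(raw, str) else raw
        rows.append((metric, value, classify(metric, value)))
    return rows

# Constructed sample input: a fixed "now" and openssl output lines, so the run is reproducible.
SAMPLE_NOW = datetime(2026, 1, 30, 6, 34, tzinfo=timezone.utc)
SAMPLE_READINGS = {
    "root_ca_days": "notAfter=Jan 30 06:34:00 2041 GMT",
    "intermediate_ca_days": "notAfter=Sep 30 06:34:00 2026 GMT",
    "crl_next_update_days": "nextUpdate=Feb  4 06:34:00 2026 GMT",
    "ocsp_response_ms": 120,
    "disk_used_pct": 45,
}

if __name__ == "__main__":
    for metric, value, status in dashboard(SAMPLE_READINGS, SAMPLE_NOW):
        print(f"{metric:<22} {value:>6} [{status}]")
```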
Escalation matrix
| Finding | Action | Time frame |
|---|---|---|
| CA < 6 months | Plan CA renewal | 1 week |
| CRL expired | Urgent CRL renewal | 1 hour |
| OCSP unavailable | Restart the responder | 30 min |
| > 10 certificates expiring | Renewal sprint | 1 day |
| Disk > 95% | Log rotation/deletion | Immediately |
Related runbooks
- Certificate renewal – for expiring certificates
- Expiry monitoring – automated monitoring
- Alerting setup – notifications
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Last modified: 30.01.2026 at 06:34