gist

Using Nagios to check Github MFA users

We still have a few users to work down before we can run full speed with this, but now we know who to bother.

We still have a few users to work down before we can run full speed with this, but now we know who to bother.

We want all of our users to be using multi-factor authentication to log into our more sensitive things, Github being high among that. We wanted a way to continually check to make sure our users were using MFA, which would catch both new users as well as anyone that had turned theirs off.

Our intern, Caleb, wrote up a Nagios check for us that did just this. Now the number of non-MFA users will display in Nagios and turn our system yellow if someone disables their MFA. We're now alerted whenever someone doesn't have it and can track that user down, without us having to periodically check the Github site.

The below script can be put on a Nagios server and it can keep some additional attention to security in your org as well. 


Automating Evernote

Here's an AppleScript script I wrote that runs periodically for me. It goes through my "triage" notebook in Evernote and looks for items I'm regularly putting in there.

While this particular script won't help you, it may be able to be used as a base to see how you can go through your default notebook, pick out items you add to Evernote regularly, and reformat them according to whatever rules you'd like to add.

Note in here, I'm moving notes, adding tags, and renaming the notes to a more standard format (particularly handy for things like paystubs that don't have date info in the original title).

Close applications on a Mac

At the end of the day, I like to close all of the apps on my Mac to start the day fresh. Before I started doing this, I'd have web pages left up that were open for days - long enough for me to lose the context of why I was even on that particular page. 

Now, each day can start a bit cleaner and without debris from the previous day.

This is the little script I use to do this:


Exposing Dashing widget data

When troubleshooting Dashing widgets, I love being able to see what data Dashing really has about various widgets. This really helped troubleshoot the ability to check for stale widget data, among other things.

What I did was create a very simple dashboard called widgetdata. It has this code in it:

Which then creates a dashboard with some global widgets, followed by the raw data of all of the widgets. This list can get long, but I've found it invaluable to be able to search through this data to see what's going on. At the top are two widgets built from prior posts: Marking a widget as stale and Dashing widget to show widget count.

A small clip of some of the raw widget data

A small clip of some of the raw widget data

Dashing widgets for Active Directory

A list of about to expire passwords.

A list of about to expire passwords.

Here's a set of Dashing widgets that give us some visibility to users with expiring passwords. This should run as a scheduled job on a domain controller. It queries through PowerShell the users and their password expirations.

The three widgets created are:

expiring_users

A list of expiring users, defaulting to all users within the next 14 days

expired_users

All expired users

locked_users

All users who have locked out their accounts

For expiring_users and expired_users, the widget doesn't need to update very often, but if you want to use locked_users, you may want to have the scheduled job run more frequently so you can respond more quickly when a user locks themselves out.

Additionally, a fourth widget is made that is essentially a set of all three of those in one:

Looks like Brian reset his password in time, but not Patrick.

Looks like Brian reset his password in time, but not Patrick.

active_directory_users

This one then will turn to a yellow/warning status if there's an expired user, and red/critical if there is a locked out user.

 

Below is the PowerShell script. Then just add the list widget to your Dashing dashboard as desired.

Mark Dashing widget data as stale

I wanted an easy way to know if a Dashing widget hadn't been updated in a while to know if that data was stale. There's a little "last updated" line in the widget, but it's only really useful if I walk up to our dashboard. I want something that's obvious from a distance, but invisible when things are going well.

The below gist files can help set this up. The stale-widgets.rb file can go in your jobs/ folder and will run and go through each widget. If it's older than the threshold (set, here, at two hours), then it changes the status of that widget to "stale". The application.scss changes (just add those lines into your application.css file, or change to suit) then create a new status called "status-stale" which determine what a stale widget looks like.

Beware, though, that a status isn't changed until a new status shows up. All of our widgets push "status:normal" when all is good, which clears other status messages. If your widget updates don't push something similar, the widget may stay marked stale if it gets a future update.


Displaying Nagios in a Dashing dashboard

We have a nice Dashing dashboard, but also have Nagios checking our general network environment, and wanted a way to combine them both - Dashing can display the general statistics, and Nagios can tell us if something is wrong on the network somewhere.

This is fairly easily accomplished using Dashing's iframe widget.

This makes a widget take up three columns (our NOC dashboards are three tiles wide...) and shows our Naglite3 Nagios board. Everything's in one, nice, easy-to-glance-at screen.

Nagios status integrated into the Dashing dashboard.

Nagios status integrated into the Dashing dashboard.


Dashing widget to show widget count

We build a lot of Dashing widgets dynamically, and discard just as many (see clearing Dashing widgets). As a part of that, I like seeing how many widgets we currently have, since each dashboard only displays a small faction of our total widgets.

We have the following file in our jobs/ directory:

 

This goes through the widget list and updates a widget called widget_count with the total number, which can be displayed in a nice little number widget.

Delete a Dashing dashboard widget

Every once in a while it's nice to be able to remove a Dashing widget. Maybe the data's stale, or otherwise may have bad data. This is a short snip that can be added into another Dashing job. Obviously this sort of job isn't what you'd want, but it should give you the info enough to put this into your own solution.

Widgets using this data will still exist, but just not have that data to pull from. Forcing a refresh of the dashboard (if it's up constantly) can then have it re-poll for the non-existant data, causing the widgets to revert to their "no data" state.