Description

ct_mon monitors Certificate Transparency logs for certificates whose CN or SAN matches a specified regexp, then sends mail notifications and/or stores the certificate details in MongoDB.

How to run

```
$ git clone https://github.com/kyprizel/ct_mon.git ct_mon
$ cd ct_mon
$ vi conf/config.json
$ docker build -t ct_mon .
$ docker run ct_mon
```

I recommend setting up MongoDB to store the monitoring state and/or certificate matches.

Configuration params

match_subject_regex

**default:** required param

**example:** "(?i)(yandex\.|yandex-team)"

Regexp matched against the CN and SAN of each certificate

notify_persons

**default:** []

**example:** ["eldar@kyprizel.net"]

List of emails to notify about new certificates

mongo_uri

**default:** required param

**example:** localhost

MongoDB connection parameters; the database is used to store matched certificate entries and the monitor state

store_matches

**default:** false

**example:** true

If true, found certificates are stored in the DB

save_state

**default:** 30

**example:** 600

Number of seconds after which the monitor state is stored to the DB

smtp_from

**default:** empty

**example:** user@domain.com

SMTP From value

smtp_host

**default:** empty

**example:** localhost

SMTP host

smtp_user

**default:** empty

**example:** pki@yourdomain.com

SMTP user

smtp_password

**default:** empty

SMTP password

smtp_port

**default:** 25

**example:** 25

SMTP port

smtp_subject

**default:** "Certificate Transparency monitor notification"

**example:** "CT monitor notification"

Mail subject

notify_on_match

**default:** false

**example:** true

If true, the persons listed in notify_persons are notified on every matched certificate

ca_whitelist

**default:** []

**example:** ["YandexExternalCA", "GlobalSign Organization Validation CA - G2", "Yandex CA"]

Whitelist of CAs; certificates signed by these CAs will pass the test

start_index

**default:** 0

**example:** 102780000

CT index to start fetching from; a bigger value overrides the DB state

rescan_period

**default:** 0

**example:** 30

Number of seconds after which a rescan is launched; if not set, the daemon exits on reaching the end of the log.
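
A dry run of how `match_subject_regex` and `ca_whitelist` interact, for checking a pattern against sample names before running the monitor. This is an added example, not ct_mon's own code: the `certInfo` type, the `evaluate` function, the sample entries and the exact-match comparison of the issuer CN are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// certInfo holds the fields the monitor inspects (hypothetical type).
type certInfo struct {
	CN, IssuerCN string
	SANs         []string
}

// evaluate returns the first CN/SAN value matching re ("" if none) and whether
// to alert: a name matched and the issuer CN is not whitelisted. Exact-string
// comparison of the issuer CN is an assumption about how ca_whitelist works.
func evaluate(re *regexp.Regexp, whitelist []string, c certInfo) (string, bool) {
	name := ""
	for _, n := range append([]string{c.CN}, c.SANs...) {
		if re.MatchString(n) {
			name = n
			break
		}
	}
	for _, ca := range whitelist {
		if ca == c.IssuerCN {
			return name, false
		}
	}
	return name, name != ""
}

// Constructed sample entries, not real log data.
var samples = []certInfo{
	{"mail.yandex.ru", "Yandex CA", []string{"mail.yandex.ru"}},
	{"login.YANDEX.example.net", "Example Issuing CA", nil},
	{"cdn.example.org", "Example Issuing CA", []string{"static.yandex-team.example.org"}},
	{"notyandex.example.com", "Example Issuing CA", nil}, // unanchored pattern matches too
	{"yandexx.example", "Example Issuing CA", nil},       // no "yandex." or "yandex-team"
}

func main() {
	re := regexp.MustCompile(`(?i)(yandex\.|yandex-team)`) // the README's example value
	wl := []string{"YandexExternalCA", "GlobalSign Organization Validation CA - G2", "Yandex CA"}
	for _, c := range samples {
		name, alert := evaluate(re, wl, c)
		fmt.Printf("%-26s issuer=%-22q matched=%q alert=%v\n", c.CN, c.IssuerCN, name, alert)
	}
}
```

The fourth sample shows that the example pattern is unanchored, so unrelated names containing `yandex.` also raise a notification; anchor the pattern if that is too noisy.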