This is a collection of metrics and checks for a Datadog agent deployed on the Venafi Trust Protection Platform server. These metrics provide insight into the health of the Venafi platform, and a live, at-a-glance view into the machine identities active throughout your organization. This repo also includes pre-built dashboards for these metrics that can be imported to an active Datadog account.
The Datadog agent is assumed to be installed on a host running Microsoft Windows.
Place the `.py` file for the check you want to use in the agent's checks directory (`C:\ProgramData\Datadog\checks.d` by default) and the matching YAML config file in the config directory (`C:\ProgramData\Datadog\conf.d` by default). Restart the agent so it picks up the new check. To confirm that the check runs and to see the metrics it emits before waiting for the next collection, run `agent.exe check <check_name>` from the agent's `bin` directory, where `<check_name>` is the `.py` file name without its extension.
To install the project's dependencies, clone this repo to the host machine and run `pip install -r requirements.txt`. Note that the agent runs custom checks with its own embedded Python interpreter (`embedded\python.exe` under the agent install directory on Agent v6 and later), so install the requirements with that interpreter's pip rather than a system Python, or the imports will fail when the agent loads the check.
Key | Description | Required |
---|---|---|
url | The URL of the Venafi TPP instance | Yes |
auth_method | `oauth` or `api_key` (default) | No |
username | Venafi TPP username | Yes |
password | Venafi TPP password | Yes |
client_id | OAuth client ID. Required if `auth_method` is `oauth`. | No |
scope | OAuth scope. Required if `auth_method` is `oauth`. | No |
req_limit | Default is `10000`. Limits the number of records returned from the API. | No |
key_sizes | Default is `[512, 1024, 2048]`. Key sizes, in bits, to count. | No |
key_algorithms | Default is `["RSA", "ECC"]`. Key algorithms to count. | No |
min_collection_interval | Default is `60`. Minimum interval, in seconds, between metric collections while the Datadog agent is running. | No |

`username` and `password` are stored in the YAML file as plaintext. On a shared host, prefer the Datadog agent's secrets management (an `ENC[...]` reference in the config, resolved at load time by the `secret_backend_command` configured in `datadog.yaml`) over literal credentials, and give the TPP account only the permissions the check needs to read certificate data.
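The table's "Required" column and its "required if `auth_method` is `oauth`" rules are easy to get wrong in a hand-edited `conf.d` entry, and the agent only surfaces the mistake when the first API call fails. The following is an added example, not code from this project: it encodes the defaults and requirement rules from the table above as a fail-fast validator for one `instances:` entry. The https requirement is an addition of the example (TPP credentials travel in every request), not something the table states.

```python
"""Fail-fast validation of one check instance against the configuration table above.

Added example, not the project's own code. Defaults and required keys are taken
from the table; the https rule is this example's own addition.
"""
from typing import Any, Dict, List

# Defaults as listed in the table above.
DEFAULTS: Dict[str, Any] = {
    "auth_method": "api_key",
    "req_limit": 10000,
    "key_sizes": [512, 1024, 2048],
    "key_algorithms": ["RSA", "ECC"],
    "min_collection_interval": 60,
}
ALWAYS_REQUIRED = ("url", "username", "password")
OAUTH_REQUIRED = ("client_id", "scope")  # only when auth_method is oauth
AUTH_METHODS = ("api_key", "oauth")


class ConfigError(ValueError):
    """Raised when an instance entry cannot be used as configured."""


def config_errors(instance: Dict[str, Any]) -> List[str]:
    """Return every problem found in `instance`; an empty list means it is usable."""
    cfg = {**DEFAULTS, **instance}
    errors: List[str] = []

    for key in ALWAYS_REQUIRED:
        if not cfg.get(key):
            errors.append(f"missing required key: {key}")

    if cfg["auth_method"] not in AUTH_METHODS:
        errors.append(f"auth_method must be one of {AUTH_METHODS}, got {cfg['auth_method']!r}")
    elif cfg["auth_method"] == "oauth":
        # client_id and scope are optional in the table, but mandatory for oauth.
        for key in OAUTH_REQUIRED:
            if not cfg.get(key):
                errors.append(f"{key} is required when auth_method is oauth")

    # Credentials are sent on every request, so refuse plaintext HTTP
    # (this rule is an addition of the example, not from the table).
    url = str(cfg.get("url") or "")
    if url and not url.lower().startswith("https://"):
        errors.append("url must start with https://")

    for key in ("req_limit", "min_collection_interval"):
        value = cfg[key]
        if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
            errors.append(f"{key} must be a positive integer")

    sizes = cfg["key_sizes"]
    if not isinstance(sizes, list) or not all(isinstance(s, int) and s > 0 for s in sizes):
        errors.append("key_sizes must be a list of positive integers")
    algorithms = cfg["key_algorithms"]
    if not isinstance(algorithms, list) or not all(isinstance(a, str) and a for a in algorithms):
        errors.append("key_algorithms must be a list of non-empty strings")
    return errors


def validate_instance(instance: Dict[str, Any]) -> Dict[str, Any]:
    """Return the instance merged with defaults, or raise ConfigError listing every problem."""
    errors = config_errors(instance)
    if errors:
        raise ConfigError("; ".join(errors))
    return {**DEFAULTS, **instance}


if __name__ == "__main__":
    # Hypothetical hostname for illustration only.
    print(validate_instance({"url": "https://tpp.example.test", "username": "svc", "password": "x"}))
    print(config_errors({"url": "http://tpp.example.test", "username": "svc", "auth_method": "oauth"}))
```

Collecting every error before raising, rather than stopping at the first one, means a single agent restart shows the whole list of things to fix in the YAML. Because the agent resolves `ENC[...]` secret references before a check sees its config, the presence check on `password` works unchanged whether the value is literal or a secret reference.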
Key | Description | Required |
---|---|---|
url | The URL of the Venafi TPP instance | Yes |
auth_method | `oauth` or `api_key` (default) | No |
username | Venafi TPP username | Yes |
password | Venafi TPP password | Yes |
client_id | OAuth client ID. Required if `auth_method` is `oauth`. | No |
scope | OAuth scope. Required if `auth_method` is `oauth`. | No |
req_limit | Default is `10`. Limits the number of records returned from the API. | No |
req_delay | Default is `3`. Sets a delay between fetches of successive record sets. | No |
key_algorithms | Default is `["RSA", "ECC"]`. Key algorithms to count. | No |
min_collection_interval | Default is `60`. Minimum interval, in seconds, between metric collections while the Datadog agent is running. | No |
Key | Description | Required |
---|---|---|
backup_path | The path to the `VenafiTPP.bak` file | Yes |
min_collection_interval | Default is `60`. Minimum interval, in seconds, between metric collections while the Datadog agent is running. | No |
Import the dashboards by following Datadog's import directions: https://docs.datadoghq.com/dashboards/#copy-import-export
Here's our list of checks!
Provides a status check of the Windows services the Venafi platform needs.
This uses the Datadog agent's built-in `windows_service` check, configured to monitor the following services:
- Venafi services
- Microsoft SQL
Note: Installation only requires copying the `conf.d/windows_service.yaml` file. There is no `checks.d/windows_service.py` to copy over.
Note: Venafi services and the database may be running on different hosts. In that case, comment out the lines that are not relevant to the host.
Provides the following metrics:
- valid certificates
- expired certificates
- pending certificates
- certificates failed validation
- certificates in error state
- key sizes
- key algorithms
- common names requested
- subject alternative names requested
- certificate requesters
- certificate issuance time
- CA issuance time
`venafi.valid_certs.count`
Returns the number of certificates that are currently valid: the current UTC time falls between their "ValidFrom" and "ValidTo" dates.
`venafi.expired_certs.count`
Returns the number of certificates that are not valid because they have expired: the current UTC time falls outside their "ValidFrom" and "ValidTo" dates.
`venafi.pending_certs.count`
Returns the number of certificates in a pending workflow.
`venafi.invalid_certs.count`
Returns the number of certificates that failed validation.
`venafi.inerror_certs.count`
Returns the number of certificates in an error state.
`venafi.key_size.count`
Returns the number of certificates for each key size.
For example, there could be 100 certificates with a key length of 1024 bits and 10 certificates with a key length of 512 bits.
`venafi.key_algorithm.count`
Returns the number of certificates for each key algorithm.
For example, there could be 100 certificates using the RSA algorithm and 10 certificates using the ECC algorithm.
`venafi.common_name.count`
Returns the number of times a domain is requested in the certificate's common name (CN) field.
For example, there could be 100 certificates with the common name "dev.local".
`venafi.requested_sans.count`
Returns the number of times a domain, IP address or email address is requested in the certificate's subject alternative name (SAN) field.
For example, there could be 100 certificates that include "dev.local" in the subject alternative name field.
`venafi.cert_requester.count`
Returns the number of certificates requested by each user.
`venafi.cert_issue_time.avg`
Returns the average number of seconds the Venafi platform takes to generate a certificate.
`venafi.ca_issue_time.avg`
Returns the average number of seconds the Certificate Authority (CA) takes to respond to a certificate signing request (CSR).
`venafi.cert_origins.count`
Returns the number of certificates for each value of the "Origin" field (e.g. web-admin).
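The count metrics above are all derived by bucketing one list of certificate records. The following is an added example, not the project's code: it shows that bucketing over a constructed sample, so the semantics of each count (and the edge cases the one-line descriptions gloss over) are visible. The record field names (`ValidFrom`, `ValidTo`, `KeySize`, `KeyAlgorithm`, `CN`, `SANs`, `Requester`) and the tag names on the emitted rows are assumptions for illustration; the TPP API payload and the project's real tags differ. Two choices are this example's own: a certificate whose `ValidFrom` is still in the future is reported as `not_yet_valid` rather than folded into `expired`, and a name that appears twice in one certificate's SAN list is counted once for that certificate. It also flags RSA keys below 2048 bits, which matters because the default `key_sizes` list includes 512 and 1024.

```python
"""Deriving the certificate counts described above from a list of certificate records.

Added example, not the project's code. Field names, tag names, the sample
records and the weak-key threshold are all assumptions made for illustration.
"""
from collections import Counter
from datetime import datetime, timezone
from typing import Any, Dict, Iterable, List, Optional, Tuple

# RSA keys below this size are flagged as weak (threshold chosen for this example).
WEAK_RSA_BITS = 2048

# Constructed sample records and a fixed "now"; not real TPP data.
SAMPLE_NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTS: List[Dict[str, Any]] = [
    {"CN": "dev.local", "SANs": ["dev.local", "api.dev.local"], "KeyAlgorithm": "RSA", "KeySize": 2048,
     "Requester": "alice", "ValidFrom": "2020-01-01T00:00:00Z", "ValidTo": "2021-01-01T00:00:00Z"},
    {"CN": "old.local", "SANs": ["old.local"], "KeyAlgorithm": "RSA", "KeySize": 1024,
     "Requester": "bob", "ValidFrom": "2019-01-01T00:00:00Z", "ValidTo": "2020-01-01T00:00:00Z"},
    {"CN": "dev.local", "SANs": ["dev.local", "dev.local"], "KeyAlgorithm": "ECC", "KeySize": 256,
     "Requester": "alice", "ValidFrom": "2020-07-01T00:00:00Z", "ValidTo": "2021-07-01T00:00:00Z"},
    {"CN": "legacy.local", "SANs": [], "KeyAlgorithm": "RSA", "KeySize": 512,
     "Requester": "bob", "ValidFrom": "2020-05-01T00:00:00+00:00", "ValidTo": "2020-08-01T00:00:00+00:00"},
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp into an aware UTC datetime; naive input is assumed to be UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def classify(certs: Iterable[Dict[str, Any]], now: Optional[datetime] = None) -> Dict[str, Dict[Any, int]]:
    """Bucket certificates the way the count metrics above do, keyed by the metric each bucket feeds."""
    now = now or datetime.now(timezone.utc)
    summary: Dict[str, Dict[Any, int]] = {
        "validity": Counter(), "key_size": Counter(), "key_algorithm": Counter(),
        "common_name": Counter(), "requested_sans": Counter(), "cert_requester": Counter(),
        "weak_keys": Counter(),
    }
    for cert in certs:
        valid_from, valid_to = parse_utc(cert["ValidFrom"]), parse_utc(cert["ValidTo"])
        if valid_from <= now <= valid_to:
            summary["validity"]["valid"] += 1
        elif now > valid_to:
            summary["validity"]["expired"] += 1
        else:
            # Inside neither bucket above: issued but not yet in its validity window.
            summary["validity"]["not_yet_valid"] += 1
        summary["key_size"][cert["KeySize"]] += 1
        summary["key_algorithm"][cert["KeyAlgorithm"]] += 1
        summary["common_name"][cert["CN"]] += 1
        summary["cert_requester"][cert["Requester"]] += 1
        for san in set(cert.get("SANs", [])):  # a repeated name counts once per certificate
            summary["requested_sans"][san] += 1
        if cert["KeyAlgorithm"] == "RSA" and cert["KeySize"] < WEAK_RSA_BITS:
            summary["weak_keys"]["rsa_below_%d" % WEAK_RSA_BITS] += 1
    return summary


def to_metrics(summary: Dict[str, Dict[Any, int]]) -> List[Tuple[str, int, str]]:
    """Flatten a summary into (metric name, value, tag) rows, the shape a gauge submission takes."""
    validity = summary["validity"]
    rows: List[Tuple[str, int, str]] = [
        ("venafi.valid_certs.count", validity.get("valid", 0), ""),
        ("venafi.expired_certs.count", validity.get("expired", 0), ""),
    ]
    for metric in ("key_size", "key_algorithm", "common_name", "requested_sans", "cert_requester"):
        for value, n in sorted(summary[metric].items(), key=lambda kv: str(kv[0])):
            rows.append((f"venafi.{metric}.count", n, f"{metric}:{value}"))  # tag names are assumed
    return rows


if __name__ == "__main__":
    for row in to_metrics(classify(SAMPLE_CERTS, now=SAMPLE_NOW)):
        print(row)
```

Passing `now` explicitly keeps the classification reproducible; a check that reads the clock inside the loop can count the same certificate differently from one record to the next when a collection straddles an expiry. Comparing aware UTC datetimes avoids the off-by-hours errors that creep in when TPP timestamps and the agent host's local time zone are mixed.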
`venafi.db_backup.mtime`
Returns the last modification time of the database backup file (e.g. 2020-05-05 0900). A value that stops advancing means backups have stopped running.
Displays a snapshot view of Venafi services to quickly see whether a service is failing.
Displays the following metrics when a new certificate is requested:
- domains in the CN and SAN fields
- origins requested
- users requesting certificates
Displays time series of certificate metrics to show historical trends.
You will need Docker, Python 3.7+ and pip installed and in your `$PATH`, as well as a valid Datadog API key.
- Clone this repo to your local machine and install the project's dependencies by running `pip install -r requirements.txt`.
- Run `export DD_API_KEY=YOURKEYHERE`. The API key is a secret: keep it out of version control and out of your shell history where you can.
- Run `docker-compose up` in the project directory.
This project thrives on community contributions.
Information about contributing to the project can be found in the Contributing document.
This project is maintained and funded by New Context, which provides "security first" automation to mission critical infrastructure. Founded in 2013, we were doing DevSecOps before it became a buzzword. You can hire us to improve your time-to-market, reduce risk, and boost your security/compliance posture.
We're always looking to hire seasoned engineers, with a mixed background across development, IT infrastructure, automation, and/or security.
This project is distributed under the Apache License.