Skip to content

CheckSecurity

CheckSecurity checks host security posture: certificate expiry and (on Windows) the firewall profile state.

Enable module

To enable this module and and allow using the commands you need to ass CheckSecurity = enabled to the [/modules] section in nsclient.ini:

[/modules]
CheckSecurity = enabled

Queries

A quick reference for all available queries (check commands) in the CheckSecurity module.

List of commands:

A list of all available queries (check commands)

Command Description
check_antivirus Check registered antivirus products' enabled/up-to-date state (Windows Security Center). Windows only.
check_bitlocker Check BitLocker drive-encryption protection status per volume. Windows only.
check_certificate Check X.509 certificate expiry/validity/hygiene from files (all platforms) or the Windows certificate store.
check_firewall Check the Windows firewall profile (Domain/Private/Public) enabled state. Windows only.
check_nla Check the Network Location Awareness profile (public/private/domain) per network. Windows only.
check_secureboot Check whether UEFI Secure Boot is enabled. Windows only.
check_users Check the count and detail of logged-on / RDP sessions (Windows and Linux).

check_antivirus

Check registered antivirus products' enabled/up-to-date state (Windows Security Center). Windows only.

About check_antivirus

check_antivirus reports the antivirus products registered with the Windows Security Center (WMI root\SecurityCenter2 AntiVirusProduct), including third-party AV and Windows Defender. This is distinct from check_os_updates (which counts pending OS/Defender updates) — this check answers "is AV actually running and current."

Keywords:

Keyword Type Meaning
name string Product display name.
enabled bool Real-time protection is on.
up_to_date bool Virus definitions are current.
product_state int Raw Security Center productState bitfield.

enabled/up_to_date are decoded from productState using the well-known heuristic (the 0x1000 bit = real-time protection on, the 0x10 bit = stale definitions); the raw value is exposed as product_state for auditing. Default threshold: critical if any product has enabled = 0 or up_to_date = 0. Windows only.

Jump to section:

Sample Commands

Check that antivirus is enabled and up to date (Windows)

The default is critical if any registered product has real-time protection off or stale definitions.

check_antivirus
L        cli OK: 1 antivirus product(s) healthy
check_antivirus
L        cli CRITICAL: Windows Defender (enabled=1 up_to_date=0)

Only require definitions to be current

check_antivirus "crit=up_to_date = 0"
L        cli OK: 1 antivirus product(s) healthy

Show each product's state

check_antivirus "top-syntax=${list}" "detail-syntax=${name}: enabled=${enabled} current=${up_to_date} state=${product_state}"
L        cli OK: Windows Defender: enabled=1 current=1 state=397568

On non-Windows platforms

check_antivirus
L        cli UNKNOWN: check_antivirus is not supported on this platform (Windows Security Center only)

Command-line Arguments

Option Default Value Description
filter Filter which marks interesting items.
warning Filter which marks items which generates a warning state.
warn Short alias for warning
critical enabled = 0 or up_to_date = 0 Filter which marks items which generates a critical state.
crit Short alias for critical.
ok Filter which marks items which generates an ok state.
debug N/A Show debugging information in the log
show-all N/A Show details for all matches regardless of status (normally details are only showed for warnings and criticals).
empty-state unknown Return status to use when nothing matched filter.
perf-config Performance data generation configuration
escape-html N/A Escape any < and > characters to prevent HTML encoding
help N/A Show help screen (this screen)
help-pb N/A Show help screen as a protocol buffer payload
show-default N/A Show default values for a given command
help-short N/A Show help screen (short format).
top-syntax ${status}: ${list} Top level syntax.
ok-syntax ${status}: ${count} antivirus product(s) healthy ok syntax.
empty-syntax No antivirus product registered Empty syntax.
detail-syntax ${name} (enabled=${enabled} up_to_date=${up_to_date}) Detail level syntax.
perf-syntax ${name} Performance alias syntax.
filter:

Filter which marks interesting items. Interesting items are items which will be included in the check. They do not denote warning or critical state instead it defines which items are relevant and you can remove unwanted items.

warning:

Filter which marks items which generates a warning state. If anything matches this filter the return status will be escalated to warning.

critical:

Filter which marks items which generates a critical state. If anything matches this filter the return status will be escalated to critical.

Default Value: enabled = 0 or up_to_date = 0

ok:

Filter which marks items which generates an ok state. If anything matches this any previous state for this item will be reset to ok.

empty-state:

Return status to use when nothing matched filter. If no filter is specified this will never happen unless the file is empty.

Default Value: unknown

perf-config:

Performance data generation configuration TODO: obj ( key: value; key: value) obj (key:valuer;key:value)

top-syntax:

Top level syntax. Used to format the message to return can include text as well as special keywords which will include information from the checks. To add a keyword to the message you can use two syntaxes either ${keyword} or %(keyword) (there is no difference between them apart from ${} can be difficult to escape on linux).

Default Value: ${status}: ${list}

ok-syntax:

ok syntax. DEPRECATED! This is the syntax for when an ok result is returned. This value will not be used if your syntax contains %(list) or %(count).

Default Value: ${status}: ${count} antivirus product(s) healthy

empty-syntax:

Empty syntax. DEPRECATED! This is the syntax for when nothing matches the filter.

Default Value: No antivirus product registered

detail-syntax:

Detail level syntax. Used to format each resulting item in the message. %(list) will be replaced with all the items formated by this syntax string in the top-syntax. To add a keyword to the message you can use two syntaxes either ${keyword} or %(keyword) (there is no difference between them apart from ${} can be difficult to escape on linux).

Default Value: ${name} (enabled=${enabled} up_to_date=${up_to_date})

perf-syntax:

Performance alias syntax. This is the syntax for the base names of the performance data.

Default Value: ${name}

Filter keywords

Option Description
enabled True if real-time protection is enabled
name Antivirus product display name
product_state Raw Security Center productState bitfield
up_to_date True if virus definitions are current

Common options for all checks:

Option Description
count Number of items matching the filter.
crit_count Number of items matched the critical criteria.
crit_list A list of all items which matched the critical criteria.
detail_list A special list with critical, then warning and finally ok.
list A list of all items which matched the filter.
ok_count Number of items matched the ok criteria.
ok_list A list of all items which matched the ok criteria.
problem_count Number of items matched either warning or critical criteria.
problem_list A list of all items which matched either the critical or the warning criteria.
status The returned status (OK/WARN/CRIT/UNKNOWN).
total Total number of items.
warn_count Number of items matched the warning criteria.
warn_list A list of all items which matched the warning criteria.

check_bitlocker

Check BitLocker drive-encryption protection status per volume. Windows only.

About check_bitlocker

check_bitlocker reports the BitLocker protection state of each encryptable volume (WMI Win32_EncryptableVolume in root\CIMV2\Security\MicrosoftVolumeEncryption). Use it to confirm disk encryption is actually on where policy requires it.

Keywords:

Keyword Type Meaning
drive string Drive letter (may be empty for non-lettered volumes).
protected bool True when protection_status == 1 (BitLocker on).
protection_status int Raw status: 0 off, 1 on, 2 unknown.
conversion_status int Raw conversion status (0 decrypted, 1 encrypted, …).

Default threshold: critical if any volume has protected = 0. Filter to the volumes you care about (e.g. filter=drive = 'C:') to avoid alerting on recovery/utility partitions. Windows only. Reading this class requires elevation, so the agent service must run with sufficient privilege.

Jump to section:

Sample Commands

Check that all volumes are BitLocker-protected (Windows)

The default is critical if any encryptable volume is not protected.

check_bitlocker
L        cli OK: all 2 volume(s) protected
check_bitlocker
L        cli CRITICAL: D: protected=0

Only require the system drive to be protected

check_bitlocker "filter=drive = 'C:'" "crit=protected = 0"
L        cli OK: all 1 volume(s) protected

Show each volume's protection state

check_bitlocker "top-syntax=${list}" "detail-syntax=${drive} protected=${protected} status=${protection_status}"
L        cli OK: C: protected=1 status=1, D: protected=1 status=1

On non-Windows platforms

check_bitlocker
L        cli UNKNOWN: check_bitlocker is not supported on this platform (Windows BitLocker only)

Command-line Arguments

Option Default Value Description
filter Filter which marks interesting items.
warning Filter which marks items which generates a warning state.
warn Short alias for warning
critical protected = 0 Filter which marks items which generates a critical state.
crit Short alias for critical.
ok Filter which marks items which generates an ok state.
debug N/A Show debugging information in the log
show-all N/A Show details for all matches regardless of status (normally details are only showed for warnings and criticals).
empty-state unknown Return status to use when nothing matched filter.
perf-config Performance data generation configuration
escape-html N/A Escape any < and > characters to prevent HTML encoding
help N/A Show help screen (this screen)
help-pb N/A Show help screen as a protocol buffer payload
show-default N/A Show default values for a given command
help-short N/A Show help screen (short format).
top-syntax ${status}: ${list} Top level syntax.
ok-syntax ${status}: all ${count} volume(s) protected ok syntax.
empty-syntax No encryptable volumes found Empty syntax.
detail-syntax ${drive} protected=${protected} Detail level syntax.
perf-syntax ${drive} Performance alias syntax.
filter:

Filter which marks interesting items. Interesting items are items which will be included in the check. They do not denote warning or critical state instead it defines which items are relevant and you can remove unwanted items.

warning:

Filter which marks items which generates a warning state. If anything matches this filter the return status will be escalated to warning.

critical:

Filter which marks items which generates a critical state. If anything matches this filter the return status will be escalated to critical.

Default Value: protected = 0

ok:

Filter which marks items which generates an ok state. If anything matches this any previous state for this item will be reset to ok.

empty-state:

Return status to use when nothing matched filter. If no filter is specified this will never happen unless the file is empty.

Default Value: unknown

perf-config:

Performance data generation configuration TODO: obj ( key: value; key: value) obj (key:valuer;key:value)

top-syntax:

Top level syntax. Used to format the message to return can include text as well as special keywords which will include information from the checks. To add a keyword to the message you can use two syntaxes either ${keyword} or %(keyword) (there is no difference between them apart from ${} can be difficult to escape on linux).

Default Value: ${status}: ${list}

ok-syntax:

ok syntax. DEPRECATED! This is the syntax for when an ok result is returned. This value will not be used if your syntax contains %(list) or %(count).

Default Value: ${status}: all ${count} volume(s) protected

empty-syntax:

Empty syntax. DEPRECATED! This is the syntax for when nothing matches the filter.

Default Value: No encryptable volumes found

detail-syntax:

Detail level syntax. Used to format each resulting item in the message. %(list) will be replaced with all the items formated by this syntax string in the top-syntax. To add a keyword to the message you can use two syntaxes either ${keyword} or %(keyword) (there is no difference between them apart from ${} can be difficult to escape on linux).

Default Value: ${drive} protected=${protected}

perf-syntax:

Performance alias syntax. This is the syntax for the base names of the performance data.

Default Value: ${drive}

Filter keywords

Option Description
conversion_status Raw conversion status (0 decrypted, 1 encrypted, ...)
drive Drive letter of the volume
protected True if BitLocker protection is on
protection_status Raw protection status (0 off, 1 on, 2 unknown)

Common options for all checks:

Option Description
count Number of items matching the filter.
crit_count Number of items matched the critical criteria.
crit_list A list of all items which matched the critical criteria.
detail_list A special list with critical, then warning and finally ok.
list A list of all items which matched the filter.
ok_count Number of items matched the ok criteria.
ok_list A list of all items which matched the ok criteria.
problem_count Number of items matched either warning or critical criteria.
problem_list A list of all items which matched either the critical or the warning criteria.
status The returned status (OK/WARN/CRIT/UNKNOWN).
total Total number of items.
warn_count Number of items matched the warning criteria.
warn_list A list of all items which matched the warning criteria.

check_certificate

Check X.509 certificate expiry/validity/hygiene from files (all platforms) or the Windows certificate store.

About check_certificate

check_certificate inspects X.509 certificates at rest and alerts on expiry, validity and TLS hygiene (weak keys/signatures, trust). It reads certificates from:

  • Files on disk (file=/path=) — PEM (including multi-certificate bundles), DER, and PKCS#12 (.pfx/.p12, with password=). A directory is scanned (add recursive=true to descend). This works on all platforms (parsing is OpenSSL-based).
  • The Windows certificate store (store=, e.g. My, Root, CA) at a location= of LocalMachine (default) or CurrentUser. Windows only — on other platforms store= returns a clear "not supported" message.

This is distinct from check_http's ssl_expiry_days, which checks the certificate a live TLS endpoint serves. Use check_http for "is my website's cert expiring"; use check_certificate for certificates in the store or on disk that are not served over HTTP (code-signing, RDP, client-auth, service certs, CA certs, or files a service loads at start-up).

Default thresholds: warn when expires_in < 30 days, critical when expires_in < 10 days.

Filter/threshold keywords:

Keyword Type Meaning
expires_in / expires_in_days int Whole days until expiry (negative if expired). Emitted as perfdata (unit d).
expires_in_sec int Seconds until expiry.
expired bool True if already past the not-after date.
not_yet_valid bool True if the not-before date is in the future.
not_after / not_before date The validity window boundaries.
subject / issuer string Distinguished names.
thumbprint string SHA-1 fingerprint (lower-case hex).
serial string Serial number (hex).
source string File path or store descriptor the cert came from.
store string file or the Windows store descriptor.
trusted bool True if the cert chains to a trusted CA (ca= bundle, else the system store). Time validity is ignored here — use expired/not_yet_valid for that.
self_signed bool True if the certificate is self-signed.
signature_algorithm string e.g. sha256WithRSAEncryption.
weak_signature bool True if signed with MD5 or SHA-1.
key_type string Public key type (RSA, EC, DSA, …).
key_size int Public key size in bits.
weak_key bool True if RSA/DSA < 2048 bits, or EC < 256 bits.

Options: ca= supplies a CA bundle for the trusted check (defaults to the system trust store); password= unlocks a PKCS#12 file. When neither file= nor store= is given, or nothing matches, the check returns UNKNOWN rather than a silent OK.

Trust caveat: trusted requires the issuing chain to be resolvable — either present in the same file/batch (e.g. a full-chain PEM or a .pfx that bundles its CA) or reachable from the ca=/system store. A lone leaf whose intermediates are absent will read as trusted=0. Chain time validity is not checked here by design; combine with expired.

Jump to section:

Sample Commands

Check a certificate file's expiry (default thresholds)

The default thresholds warn when a certificate expires within 30 days and go critical within 10 days (matching common practice).

check_certificate file=/etc/ssl/certs/mysite.pem
L        cli OK: all 1 certificate(s) are ok

A certificate close to expiry trips the default critical

check_certificate file=/etc/ssl/certs/soon.pem
L        cli CRITICAL: /CN=soon.example.com expires in 5d (2026-07-09 19:16:12)

Custom thresholds and perfdata

expires_in is the number of whole days until expiry (negative once expired) and is emitted as perfdata (unit d).

check_certificate file=/etc/ssl/certs/mysite.pem warning=expires_in<900
L        cli  Performance data: '/CN=valid.example.com'=825d;900;10

Scan a directory of certificates

check_certificate file=/etc/ssl/certs recursive=true "detail-syntax=${subject}: ${expires_in}d"
L        cli OK: all 137 certificate(s) are ok

Alert only on already-expired certificates

check_certificate file=/etc/pki/tls/certs critical=expired=1
L        cli OK: all 4 certificate(s) are ok

Flag weak keys or signatures (TLS hygiene)

check_certificate file=/etc/ssl/certs/mysite.pem "crit=weak_signature = 1 or weak_key = 1"
L        cli CRITICAL: /CN=legacy.example.com expires in 40d (2026-08-14 00:00:00)

Show the crypto detail for an audit:

check_certificate file=/etc/ssl/certs/mysite.pem "top-syntax=${list}" "detail-syntax=${subject}: ${signature_algorithm}, ${key_type}/${key_size}"
L        cli OK: /CN=mysite.example.com: sha256WithRSAEncryption, RSA/2048

Verify the certificate is trusted

trusted checks that the chain resolves to a trusted CA (time validity is ignored — combine with expired). Point ca= at a bundle, or omit it to use the system trust store:

check_certificate file=/etc/nginx/fullchain.pem "crit=not trusted or expired = 1"
check_certificate file=/etc/ssl/leaf.pem ca=/etc/ssl/corp-ca.pem "crit=not trusted"

Read a PKCS#12 (.pfx) file

check_certificate file=/opt/app/keystore.pfx password=changeit "crit=expires_in < 14"
L        cli OK: all 1 certificate(s) are ok

Windows certificate store (Windows only)

On Windows, store= enumerates a system certificate store; location= selects LocalMachine (default) or CurrentUser.

check_certificate store=My location=LocalMachine
L        cli OK: all 6 certificate(s) are ok
check_certificate store=My "filter=subject like 'CN=*.example.com'" "crit=expires_in < 14"
L        cli WARNING: CN=web.example.com expires in 9d (2026-07-13 00:00:00)

On non-Windows platforms store= is rejected with a clear message:

check_certificate store=My
L        cli UNKNOWN: store= (certificate store) is only supported on Windows; use file= on this platform

Command-line Arguments

Option Default Value Description
filter Filter which marks interesting items.
warning expires_in < 30 Filter which marks items which generates a warning state.
warn Short alias for warning
critical expires_in < 10 Filter which marks items which generates a critical state.
crit Short alias for critical.
ok Filter which marks items which generates an ok state.
debug N/A Show debugging information in the log
show-all N/A Show details for all matches regardless of status (normally details are only showed for warnings and criticals).
empty-state unknown Return status to use when nothing matched filter.
perf-config Performance data generation configuration
escape-html N/A Escape any < and > characters to prevent HTML encoding
help N/A Show help screen (this screen)
help-pb N/A Show help screen as a protocol buffer payload
show-default N/A Show default values for a given command
help-short N/A Show help screen (short format).
top-syntax ${status}: ${problem_list} Top level syntax.
ok-syntax %(status): all %(count) certificate(s) are ok ok syntax.
empty-syntax No certificates found Empty syntax.
detail-syntax ${subject} expires in ${expires_in}d (${valid_to}) Detail level syntax.
perf-syntax ${subject} Performance alias syntax.
file A certificate file (PEM or DER) or a directory of them. Can be given multiple times.
path Alias for file.
recursive 1)] (=0 Recurse into directories given via file=/path=.
password Password for PKCS#12 (.pfx/.p12) files.
ca CA bundle to evaluate the 'trusted' keyword against (defaults to the system trust store).
store Windows certificate store to enumerate (e.g. My, Root, CA). Windows only.
location LocalMachine Windows store location: LocalMachine or CurrentUser. Windows only.
filter:

Filter which marks interesting items. Interesting items are items which will be included in the check. They do not denote warning or critical state instead it defines which items are relevant and you can remove unwanted items.

warning:

Filter which marks items which generates a warning state. If anything matches this filter the return status will be escalated to warning.

Default Value: expires_in < 30

critical:

Filter which marks items which generates a critical state. If anything matches this filter the return status will be escalated to critical.

Default Value: expires_in < 10

ok:

Filter which marks items which generates an ok state. If anything matches this any previous state for this item will be reset to ok.

empty-state:

Return status to use when nothing matched filter. If no filter is specified this will never happen unless the file is empty.

Default Value: unknown

perf-config:

Performance data generation configuration TODO: obj ( key: value; key: value) obj (key:valuer;key:value)

top-syntax:

Top level syntax. Used to format the message to return can include text as well as special keywords which will include information from the checks. To add a keyword to the message you can use two syntaxes either ${keyword} or %(keyword) (there is no difference between them apart from ${} can be difficult to escape on linux).

Default Value: ${status}: ${problem_list}

ok-syntax:

ok syntax. DEPRECATED! This is the syntax for when an ok result is returned. This value will not be used if your syntax contains %(list) or %(count).

Default Value: %(status): all %(count) certificate(s) are ok

empty-syntax:

Empty syntax. DEPRECATED! This is the syntax for when nothing matches the filter.

Default Value: No certificates found

detail-syntax:

Detail level syntax. Used to format each resulting item in the message. %(list) will be replaced with all the items formated by this syntax string in the top-syntax. To add a keyword to the message you can use two syntaxes either ${keyword} or %(keyword) (there is no difference between them apart from ${} can be difficult to escape on linux).

Default Value: ${subject} expires in ${expires_in}d (${valid_to})

perf-syntax:

Performance alias syntax. This is the syntax for the base names of the performance data.

Default Value: ${subject}

recursive:

Recurse into directories given via file=/path=.

Default Value: 1)] (=0

location:

Windows store location: LocalMachine or CurrentUser. Windows only.

Default Value: LocalMachine

Filter keywords

Option Description
expired True if the certificate has already expired
expires_in Whole days until the certificate expires (negative if already expired)
expires_in_days Alias for expires_in
expires_in_sec Seconds until the certificate expires (negative if already expired)
issuer Certificate issuer distinguished name
key_size Public key size in bits
key_type Public key type (RSA, EC, DSA, ...)
not_after The not-after / expiry date
not_before The not-before date
not_yet_valid True if the certificate is not yet valid (not-before is in the future)
self_signed True if the certificate is self-signed
serial Certificate serial number (hex)
signature_algorithm Signature algorithm (e.g. sha256WithRSAEncryption)
source Where the certificate was read from (file path or store)
store The store/source type (file or a Windows store name)
subject Certificate subject (e.g. /CN=host.example.com)
thumbprint SHA-1 fingerprint (lower-case hex)
trusted True if the certificate chains to a trusted CA (system store or ca=; time validity is ignored — use expired/not_yet_valid for that)
valid_from Not-before date (UTC)
valid_to Not-after / expiry date (UTC)
weak_key True if the key is weak (RSA/DSA < 2048 bits, or EC < 256 bits)
weak_signature True if signed with a weak algorithm (MD5 or SHA-1)

Common options for all checks:

Option Description
count Number of items matching the filter.
crit_count Number of items matched the critical criteria.
crit_list A list of all items which matched the critical criteria.
detail_list A special list with critical, then warning and finally ok.
list A list of all items which matched the filter.
ok_count Number of items matched the ok criteria.
ok_list A list of all items which matched the ok criteria.
problem_count Number of items matched either warning or critical criteria.
problem_list A list of all items which matched either the critical or the warning criteria.
status The returned status (OK/WARN/CRIT/UNKNOWN).
total Total number of items.
warn_count Number of items matched the warning criteria.
warn_list A list of all items which matched the warning criteria.

check_firewall

Check the Windows firewall profile (Domain/Private/Public) enabled state. Windows only.

About check_firewall

check_firewall reports the state of the Windows firewall profiles (Domain, Private, Public), the same data Get-NetFirewallProfile exposes. It reads them through the INetFwPolicy2 COM interface, so it needs no WMI.

Each profile is one row with these keywords:

Keyword Type Meaning
profile string Profile name: Domain, Private or Public.
enabled bool True if the firewall is enabled for that profile. Emitted as perfdata.
active bool True if the profile is currently applied to a connected network. Emitted as perfdata (<profile> active).
inbound string Default inbound action (allow/block).
outbound string Default outbound action (allow/block).

Default threshold: critical if any profile has enabled = 0.

active reflects which profile(s) Network Location Awareness currently applies (INetFwPolicy2::CurrentProfileTypes). More than one profile can be active when several networks are connected; with no connected network Windows reports the Public profile as active. Its main use is catching a machine silently dropping from Domain/Private to Public after a router/adapter change — firewall rules scoped to the domain or private profile stop applying and services start getting blocked. This is opt-in via a warn/crit expression (see the samples) since being on the public profile is perfectly normal for e.g. laptops.

This check is Windows only. It models Windows' fixed three-profile firewall, which does not map onto Linux firewalls (firewalld zones, ufw, nftables/iptables default policies); on non-Windows platforms it returns UNKNOWN with a clear message rather than pretending to check something equivalent.

Jump to section:

Sample Commands

Check that all Windows firewall profiles are enabled (Windows only)

By default the check is critical if any of the three profiles (Domain, Private, Public) has its firewall disabled.

check_firewall
L        cli OK: all 3 firewall profile(s) enabled
check_firewall
L        cli CRITICAL: Public=0

Only require a specific profile to be enabled

check_firewall "filter=profile = 'Domain'" crit=enabled=0
L        cli OK: all 1 firewall profile(s) enabled

Warn when the machine is on the Public profile

Network Location Awareness can silently re-categorise a network to public after a router or connection change; rules scoped to the domain/private profiles then stop applying and services get blocked. Warn on that (opt-in — on e.g. laptops the public profile is normal):

check_firewall "warn=active = 1 and profile = 'Public'" "detail-syntax=${profile} profile is active"
L        cli WARNING: Public profile is active

The active flags are also available for display and perfdata:

check_firewall "detail-syntax=${profile}: enabled=${enabled} active=${active}" top-syntax=${list}
L        cli OK: Domain: enabled=1 active=0, Private: enabled=1 active=0, Public: enabled=1 active=1

Show the default inbound/outbound actions

check_firewall "detail-syntax=${profile}: enabled=${enabled} in=${inbound} out=${outbound}" top-syntax=${list}
L        cli OK: Domain: enabled=1 in=block out=allow, Private: enabled=1 in=block out=allow, Public: enabled=1 in=block out=allow

On non-Windows platforms

check_firewall models the Windows three-profile firewall and is not implemented on Linux (whose firewalld/ufw/nftables model differs):

check_firewall
L        cli UNKNOWN: check_firewall is not supported on this platform (Windows-only; the Linux firewall model differs)

Command-line Arguments

Option Default Value Description
filter Filter which marks interesting items.
warning Filter which marks items which generates a warning state.
warn Short alias for warning
critical enabled = 0 Filter which marks items which generates a critical state.
crit Short alias for critical.
ok Filter which marks items which generates an ok state.
debug N/A Show debugging information in the log
show-all N/A Show details for all matches regardless of status (normally details are only showed for warnings and criticals).
empty-state unknown Return status to use when nothing matched filter.
perf-config Performance data generation configuration
escape-html N/A Escape any < and > characters to prevent HTML encoding
help N/A Show help screen (this screen)
help-pb N/A Show help screen as a protocol buffer payload
show-default N/A Show default values for a given command
help-short N/A Show help screen (short format).
top-syntax ${status}: ${problem_list} Top level syntax.
ok-syntax %(status): all %(count) firewall profile(s) enabled ok syntax.
empty-syntax No firewall profiles found Empty syntax.
detail-syntax ${profile}=${enabled} Detail level syntax.
perf-syntax ${profile} Performance alias syntax.
filter:

Filter which marks interesting items. Interesting items are items which will be included in the check. They do not denote warning or critical state instead it defines which items are relevant and you can remove unwanted items.

warning:

Filter which marks items which generates a warning state. If anything matches this filter the return status will be escalated to warning.

critical:

Filter which marks items which generates a critical state. If anything matches this filter the return status will be escalated to critical.

Default Value: enabled = 0

ok:

Filter which marks items which generates an ok state. If anything matches this any previous state for this item will be reset to ok.

empty-state:

Return status to use when nothing matched filter. If no filter is specified this will never happen unless the file is empty.

Default Value: unknown

perf-config:

Performance data generation configuration TODO: obj ( key: value; key: value) obj (key:valuer;key:value)

top-syntax:

Top level syntax. Used to format the message to return can include text as well as special keywords which will include information from the checks. To add a keyword to the message you can use two syntaxes either ${keyword} or %(keyword) (there is no difference between them apart from ${} can be difficult to escape on linux).

Default Value: ${status}: ${problem_list}

ok-syntax:

ok syntax. DEPRECATED! This is the syntax for when an ok result is returned. This value will not be used if your syntax contains %(list) or %(count).

Default Value: %(status): all %(count) firewall profile(s) enabled

empty-syntax:

Empty syntax. DEPRECATED! This is the syntax for when nothing matches the filter.

Default Value: No firewall profiles found

detail-syntax:

Detail level syntax. Used to format each resulting item in the message. %(list) will be replaced with all the items formated by this syntax string in the top-syntax. To add a keyword to the message you can use two syntaxes either ${keyword} or %(keyword) (there is no difference between them apart from ${} can be difficult to escape on linux).

Default Value: ${profile}=${enabled}

perf-syntax:

Performance alias syntax. This is the syntax for the base names of the performance data.

Default Value: ${profile}

Filter keywords

Option Description
active True if the profile is currently applied to a connected network (e.g. NLA re-categorising a network to public makes the Public profile active)
enabled True if the profile's firewall is enabled
inbound Default inbound action (allow/block)
outbound Default outbound action (allow/block)
profile Firewall profile name (Domain, Private or Public)

Common options for all checks:

Option Description
count Number of items matching the filter.
crit_count Number of items matched the critical criteria.
crit_list A list of all items which matched the critical criteria.
detail_list A special list with critical, then warning and finally ok.
list A list of all items which matched the filter.
ok_count Number of items matched the ok criteria.
ok_list A list of all items which matched the ok criteria.
problem_count Number of items matched either warning or critical criteria.
problem_list A list of all items which matched either the critical or the warning criteria.
status The returned status (OK/WARN/CRIT/UNKNOWN).
total Total number of items.
warn_count Number of items matched the warning criteria.
warn_list A list of all items which matched the warning criteria.
Option Description
enabled True if the profile's firewall is enabled
inbound Default inbound action (allow/block)
outbound Default outbound action (allow/block)
profile Firewall profile name (Domain, Private or Public)

Common options for all checks:

Option Description
count Number of items matching the filter.
crit_count Number of items matched the critical criteria.
crit_list A list of all items which matched the critical criteria.
detail_list A special list with critical, then warning and finally ok.
list A list of all items which matched the filter.
ok_count Number of items matched the ok criteria.
ok_list A list of all items which matched the ok criteria.
problem_count Number of items matched either warning or critical criteria.
problem_list A list of all items which matched either the critical or the warning criteria.
status The returned status (OK/WARN/CRIT/UNKNOWN).
total Total number of items.
warn_count Number of items matched the warning criteria.
warn_list A list of all items which matched the warning criteria.

check_nla

Check the Network Location Awareness profile (public/private/domain) per network. Windows only.

About check_nla

check_nla reports the Network Location Awareness profile of each network the machine knows about (the same classification Windows uses to pick a firewall profile), via the COM INetworkListManager interface. It is a security-posture check: confirm a domain-joined machine is on the domain category and not accidentally treating a network as private/public.

Keywords:

Keyword Type Meaning
network string Network name.
category string public, private or domain.
connected bool True if the network is currently connected.

There is no default threshold — assert the expected posture, e.g. crit=connected = 1 and category != 'domain'. Windows only; on other platforms it returns UNKNOWN with a clear message (Linux has no equivalent network-profile concept).

Jump to section:

Sample Commands

Assert the active network is the domain profile (Windows)

check_nla reports each network's Location Awareness category. There is no default threshold — assert the posture you expect:

check_nla "crit=connected = 1 and category != 'domain'" "detail-syntax=${network}=${category}"
L        cli OK: all networks ok

Alert if any connected network is classified Public

check_nla "crit=connected = 1 and category = 'public'"
L        cli CRITICAL: Wi-Fi=public

List every known network and its category

check_nla "top-syntax=${list}" "detail-syntax=${network}: ${category} (connected=${connected})"
L        cli OK: Corp.example.com: domain (connected=1), Café-WiFi: public (connected=0)

On non-Windows platforms

check_nla
L        cli UNKNOWN: check_nla is not supported on this platform (Windows Network Location Awareness only)

Command-line Arguments

Option Default Value Description
filter Filter which marks interesting items.
warning Filter which marks items which generates a warning state.
warn Short alias for warning
critical Filter which marks items which generates a critical state.
crit Short alias for critical.
ok Filter which marks items which generates an ok state.
debug N/A Show debugging information in the log
show-all N/A Show details for all matches regardless of status (normally details are only showed for warnings and criticals).
empty-state ok Return status to use when nothing matched filter.
perf-config Performance data generation configuration
escape-html N/A Escape any < and > characters to prevent HTML encoding
help N/A Show help screen (this screen)
help-pb N/A Show help screen as a protocol buffer payload
show-default N/A Show default values for a given command
help-short N/A Show help screen (short format).
top-syntax ${status}: ${list} Top level syntax.
ok-syntax ${status}: all networks ok ok syntax.
empty-syntax No networks found Empty syntax.
detail-syntax ${network}=${category} Detail level syntax.
perf-syntax ${network} Performance alias syntax.
filter:

Filter which marks interesting items. Interesting items are items which will be included in the check. They do not denote warning or critical state instead it defines which items are relevant and you can remove unwanted items.

warning:

Filter which marks items which generates a warning state. If anything matches this filter the return status will be escalated to warning.

critical:

Filter which marks items which generates a critical state. If anything matches this filter the return status will be escalated to critical.

ok:

Filter which marks items which generates an ok state. If anything matches this any previous state for this item will be reset to ok.

empty-state:

Return status to use when nothing matched filter. If no filter is specified this will never happen unless the file is empty.

Default Value: ok

perf-config:

Performance data generation configuration TODO: obj ( key: value; key: value) obj (key:valuer;key:value)

top-syntax:

Top level syntax. Used to format the message to return can include text as well as special keywords which will include information from the checks. To add a keyword to the message you can use two syntaxes either ${keyword} or %(keyword) (there is no difference between them apart from ${} can be difficult to escape on linux).

Default Value: ${status}: ${list}

ok-syntax:

ok syntax. DEPRECATED! This is the syntax for when an ok result is returned. This value will not be used if your syntax contains %(list) or %(count).

Default Value: ${status}: all networks ok

empty-syntax:

Empty syntax. DEPRECATED! This is the syntax for when nothing matches the filter.

Default Value: No networks found

detail-syntax:

Detail level syntax. Used to format each resulting item in the message. %(list) will be replaced with all the items formated by this syntax string in the top-syntax. To add a keyword to the message you can use two syntaxes either ${keyword} or %(keyword) (there is no difference between them apart from ${} can be difficult to escape on linux).

Default Value: ${network}=${category}

perf-syntax:

Performance alias syntax. This is the syntax for the base names of the performance data.

Default Value: ${network}

Filter keywords

Option Description
category Network category: public, private or domain
connected True if the network is currently connected
network Network name

Common options for all checks:

Option Description
count Number of items matching the filter.
crit_count Number of items matched the critical criteria.
crit_list A list of all items which matched the critical criteria.
detail_list A special list with critical, then warning and finally ok.
list A list of all items which matched the filter.
ok_count Number of items matched the ok criteria.
ok_list A list of all items which matched the ok criteria.
problem_count Number of items matched either warning or critical criteria.
problem_list A list of all items which matched either the critical or the warning criteria.
status The returned status (OK/WARN/CRIT/UNKNOWN).
total Total number of items.
warn_count Number of items matched the warning criteria.
warn_list A list of all items which matched the warning criteria.

check_secureboot

Check whether UEFI Secure Boot is enabled. Windows only.

About check_secureboot

check_secureboot reports whether UEFI Secure Boot is enabled, read from the registry value HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\State\UEFISecureBootEnabled (the same source Confirm-SecureBootUEFI uses). It returns a single result.

Keywords:

Keyword Type Meaning
enabled bool True if UEFI Secure Boot is enabled.
supported bool True if the platform exposes a Secure Boot state (UEFI); false on legacy BIOS boots.

Default threshold: critical if enabled = 0. On legacy-BIOS machines the value is absent, so both enabled and supported are 0 — use supported to tell "off" apart from "not applicable" on mixed fleets. Windows only.

Jump to section:

Sample Commands

Check that UEFI Secure Boot is enabled (Windows)

The default is critical if Secure Boot is not enabled.

check_secureboot
L        cli OK: secure boot is enabled
check_secureboot
L        cli CRITICAL: secure boot enabled=0 supported=1

Distinguish "disabled" from "not supported" (legacy BIOS)

supported is 0 when the platform does not expose a Secure Boot state (legacy BIOS boot). Treat that as WARNING rather than CRITICAL if you monitor mixed fleets:

check_secureboot "warn=supported = 0" "crit=supported = 1 and enabled = 0"
L        cli WARNING: secure boot enabled=0 supported=0

On non-Windows platforms

check_secureboot
L        cli UNKNOWN: check_secureboot is not supported on this platform (Windows/UEFI only)

Command-line Arguments

Option Default Value Description
filter Filter which marks interesting items.
warning Filter which marks items which generates a warning state.
warn Short alias for warning
critical enabled = 0 Filter which marks items which generates a critical state.
crit Short alias for critical.
ok Filter which marks items which generates an ok state.
debug N/A Show debugging information in the log
show-all N/A Show details for all matches regardless of status (normally details are only showed for warnings and criticals).
empty-state unknown Return status to use when nothing matched filter.
perf-config Performance data generation configuration
escape-html N/A Escape any < and > characters to prevent HTML encoding
help N/A Show help screen (this screen)
help-pb N/A Show help screen as a protocol buffer payload
show-default N/A Show default values for a given command
help-short N/A Show help screen (short format).
top-syntax ${status}: ${list} Top level syntax.
ok-syntax ${status}: secure boot is enabled ok syntax.
empty-syntax No Secure Boot state Empty syntax.
detail-syntax secure boot enabled=${enabled} supported=${supported} Detail level syntax.
perf-syntax secureboot Performance alias syntax.
filter:

Filter which marks interesting items. Interesting items are items which will be included in the check. They do not denote warning or critical state instead it defines which items are relevant and you can remove unwanted items.

warning:

Filter which marks items which generates a warning state. If anything matches this filter the return status will be escalated to warning.

critical:

Filter which marks items which generates a critical state. If anything matches this filter the return status will be escalated to critical.

Default Value: enabled = 0

ok:

Filter which marks items which generates an ok state. If anything matches this any previous state for this item will be reset to ok.

empty-state:

Return status to use when nothing matched filter. If no filter is specified this will never happen unless the file is empty.

Default Value: unknown

perf-config:

Performance data generation configuration TODO: obj ( key: value; key: value) obj (key:valuer;key:value)

top-syntax:

Top level syntax. Used to format the message to return can include text as well as special keywords which will include information from the checks. To add a keyword to the message you can use two syntaxes either ${keyword} or %(keyword) (there is no difference between them apart from ${} can be difficult to escape on linux).

Default Value: ${status}: ${list}

ok-syntax:

ok syntax. DEPRECATED! This is the syntax for when an ok result is returned. This value will not be used if your syntax contains %(list) or %(count).

Default Value: ${status}: secure boot is enabled

empty-syntax:

Empty syntax. DEPRECATED! This is the syntax for when nothing matches the filter.

Default Value: No Secure Boot state

detail-syntax:

Detail level syntax. Used to format each resulting item in the message. %(list) will be replaced with all the items formated by this syntax string in the top-syntax. To add a keyword to the message you can use two syntaxes either ${keyword} or %(keyword) (there is no difference between them apart from ${} can be difficult to escape on linux).

Default Value: secure boot enabled=${enabled} supported=${supported}

perf-syntax:

Performance alias syntax. This is the syntax for the base names of the performance data.

Default Value: secureboot

Filter keywords

Option Description
enabled True if UEFI Secure Boot is enabled
supported True if the platform reports a Secure Boot state (UEFI)

Common options for all checks:

Option Description
count Number of items matching the filter.
crit_count Number of items matched the critical criteria.
crit_list A list of all items which matched the critical criteria.
detail_list A special list with critical, then warning and finally ok.
list A list of all items which matched the filter.
ok_count Number of items matched the ok criteria.
ok_list A list of all items which matched the ok criteria.
problem_count Number of items matched either warning or critical criteria.
problem_list A list of all items which matched either the critical or the warning criteria.
status The returned status (OK/WARN/CRIT/UNKNOWN).
total Total number of items.
warn_count Number of items matched the warning criteria.
warn_list A list of all items which matched the warning criteria.

check_users

Check the count and detail of logged-on / RDP sessions (Windows and Linux).

About check_users

check_users reports the interactive logon sessions on the host — count and per-session detail. It works on both platforms:

  • Windows — via the Remote Desktop Services (WTS) API, so it distinguishes console from RDP and active from disconnected sessions (no WMI needed).
  • Linux — via the utmp database (the same source as who); network logins (ssh) carry the remote host in client.

Filter/threshold keywords (plus the built-in count summary variable):

Keyword Type Meaning
count int Number of matching sessions (built-in summary variable).
user string Account name.
session_state string active, disconnected, connected, … (Windows). Linux logins are always active.
session_type string console, rdp, remote, ica, …
client string Client name (Windows) or remote host (Linux); empty for local console.

There is no default threshold — this is a count/inventory check, so supply your own, e.g. crit=count > 10 or crit=session_state = 'disconnected'. Sessions with no user (services, the RDP listener) are not counted.

Jump to section:

Sample Commands

Count the logged-on users

check_users
L        cli OK: 2 user(s) logged on: mickem, root

Alert when too many sessions are open

count is a built-in summary variable.

check_users "warn=count > 5" "crit=count > 10"
L        cli OK: 2 user(s) logged on: mickem, root

Alert on any interactive session (e.g. a locked-down server)

check_users "crit=count > 0"
L        cli CRITICAL: 2 user(s) logged on: mickem, root

Only count RDP / remote sessions

check_users "filter=session_type = 'rdp'" "crit=count > 0"

On Linux, network logins (ssh) have session_type = 'remote':

check_users "filter=session_type = 'remote'" "detail-syntax=${user}@${client}" "top-syntax=${list}"
L        cli OK: [email protected]

Alert on a disconnected-but-open RDP session (Windows)

check_users "crit=session_state = 'disconnected'" "detail-syntax=${user} (${session_state})"

Command-line Arguments

Option Default Value Description
filter Filter which marks interesting items.
warning Filter which marks items which generates a warning state.
warn Short alias for warning
critical Filter which marks items which generates a critical state.
crit Short alias for critical.
ok Filter which marks items which generates an ok state.
debug N/A Show debugging information in the log
show-all N/A Show details for all matches regardless of status (normally details are only showed for warnings and criticals).
empty-state ok Return status to use when nothing matched filter.
perf-config Performance data generation configuration
escape-html N/A Escape any < and > characters to prevent HTML encoding
help N/A Show help screen (this screen)
help-pb N/A Show help screen as a protocol buffer payload
show-default N/A Show default values for a given command
help-short N/A Show help screen (short format).
top-syntax ${status}: ${count} user(s) logged on: ${list} Top level syntax.
ok-syntax ${status}: ${count} user(s) logged on ok syntax.
empty-syntax No users logged on Empty syntax.
detail-syntax ${user} Detail level syntax.
perf-syntax ${user} Performance alias syntax.
filter:

Filter which marks interesting items. Interesting items are items which will be included in the check. They do not denote warning or critical state instead it defines which items are relevant and you can remove unwanted items.

warning:

Filter which marks items which generates a warning state. If anything matches this filter the return status will be escalated to warning.

critical:

Filter which marks items which generates a critical state. If anything matches this filter the return status will be escalated to critical.

ok:

Filter which marks items which generates an ok state. If anything matches this any previous state for this item will be reset to ok.

empty-state:

Return status to use when nothing matched filter. If no filter is specified this will never happen unless the file is empty.

Default Value: ok

perf-config:

Performance data generation configuration TODO: obj ( key: value; key: value) obj (key:valuer;key:value)

top-syntax:

Top level syntax. Used to format the message to return can include text as well as special keywords which will include information from the checks. To add a keyword to the message you can use two syntaxes either ${keyword} or %(keyword) (there is no difference between them apart from ${} can be difficult to escape on linux).

Default Value: ${status}: ${count} user(s) logged on: ${list}

ok-syntax:

ok syntax. DEPRECATED! This is the syntax for when an ok result is returned. This value will not be used if your syntax contains %(list) or %(count).

Default Value: ${status}: ${count} user(s) logged on

empty-syntax:

Empty syntax. DEPRECATED! This is the syntax for when nothing matches the filter.

Default Value: No users logged on

detail-syntax:

Detail level syntax. Used to format each resulting item in the message. %(list) will be replaced with all the items formated by this syntax string in the top-syntax. To add a keyword to the message you can use two syntaxes either ${keyword} or %(keyword) (there is no difference between them apart from ${} can be difficult to escape on linux).

Default Value: ${user}

perf-syntax:

Performance alias syntax. This is the syntax for the base names of the performance data.

Default Value: ${user}

Filter keywords

Option Description
client Client name or remote host (may be empty)
session_state Session state (active, disconnected, ...)
session_type Session type (console, rdp, remote, ...)
user The account name of the logged-on user

Common options for all checks:

Option Description
count Number of items matching the filter.
crit_count Number of items matched the critical criteria.
crit_list A list of all items which matched the critical criteria.
detail_list A special list with critical, then warning and finally ok.
list A list of all items which matched the filter.
ok_count Number of items matched the ok criteria.
ok_list A list of all items which matched the ok criteria.
problem_count Number of items matched either warning or critical criteria.
problem_list A list of all items which matched either the critical or the warning criteria.
status The returned status (OK/WARN/CRIT/UNKNOWN).
total Total number of items.
warn_count Number of items matched the warning criteria.
warn_list A list of all items which matched the warning criteria.