Check nextcloud-security-scan

Overview

Checks the security of a Nextcloud (or ownCloud) server using the Nextcloud security scanner at https://scan.nextcloud.com/. Reports the assigned security rating and alerts on known vulnerabilities, missing hardenings, and setup issues.

Important Notes:

• Run it once a day at most. There is an API rate limit at scan.nextcloud.com of less than 100 POST requests per day (exceeding this returns „403 Forbidden“).

• After a re-scan is triggered, it takes about 5 minutes until the new result is available

Data Collection:

• Submits the Nextcloud URL to the scan.nextcloud.com API to obtain a UUID

• Fetches the scan result using that UUID

• Triggers a re-scan if the result is older than the configured number of days (default: 14)

• The check does not need to run on the Nextcloud server itself

Fact Sheet

Fact	Value
Check Plugin Download	https://github.com/Linuxfabrik/monitoring-plugins/tree/main/check-plugins/nextcloud-security-scan
Nagios/Icinga Check Name	check_nextcloud_security_scan
Check Interval Recommendation	Every day
Can be called without parameters	No (--url is required)
Runs on	Cross-platform
Compiled for Windows	No

Help

usage: nextcloud-security-scan [-h] [-V] [--insecure] [--no-proxy]
                               [--timeout TIMEOUT] [--trigger TRIGGER] -u URL

Checks the security of a private Nextcloud server using the Nextcloud security
scanner. Reports the assigned security rating and alerts on known
vulnerabilities in the installed version.

options:
  -h, --help         show this help message and exit
  -V, --version      show program's version number and exit
  --insecure         This option explicitly allows insecure SSL connections.
  --no-proxy         Do not use a proxy.
  --timeout TIMEOUT  Network timeout in seconds. Default: 7 (seconds)
  --trigger TRIGGER  Trigger a re-scan if the result on scan.nextcloud.com is
                     older than this many days. Default: 14 (days)
  -u, --url URL      Nextcloud server URL. Example: `cloud.example.com`.

Usage Examples

./nextcloud-security-scan --url cloud.linuxfabrik.io --timeout 1 --trigger 10

Output:

"A+" rating for cloud.linuxfabrik.io, checked at 2021-06-04, on Nextcloud v21.0.2.1.

States

• OK if the rating is A or A+.

• WARN if the rating is C or D.

• CRIT if the rating is E or F.

Perfdata / Metrics

There is no perfdata.

Credits, License

• Authors: Linuxfabrik GmbH, Zurich

• License: The Unlicense, see LICENSE file.