[Nagios-users] NRPE permissions problem
I have a Nagios server 3.0.6 running on Ubuntu 8.04 Server. It is monitoring all things fine on multiple targets except the one below.

On a certain target, I am trying to monitor my /var/log/auth.log file for bad activity, such as failed password attempts, or attempts to login as invalid users, etc.

I am trying to do this via the check_log plugin via nrpe, but, I get a "Log check error: Log file /var/log/auth.log is not readable!" when the server checks on it.

The easiest way I have to reproduce the error is the following manually executed command from the host server:

    /usr/local/nagios/libexec/check_nrpe -H target -c check_badpw

I know that it means that the file cannot be opened during the check, but, I don't understand why.

ls -l of /var/log/auth.log:

    -rw-r----- 1 syslog adm 1590863 2009-05-12 10:47 /var/log/auth.log

In /etc/groups, I have added the "nagios" user to the adm group, so I would think it should work.

Further, if I am logged in as root on the target, and do "su - nagios", I can read /var/log/auth.log.

Further, if I "chmod o+r /var/log/auth.log", the command executes properly.

Additionally, when I am logged into the target as root, and su to nagios and execute the command as defined in nrpe.cfg:

    /usr/local/nagios/libexec/check_log -F /var/log/auth.log -O /usr/local/nagios/auth.badpasswords.log -q ": Failed password for"

it works fine.

So, I know it will work if I loosen the permissions on /var/log/auth.log, but, I'd prefer to keep them as tight as possible.

When I am logged into the target as nagios and execute "id", I get:

    uid=5308(nagios) gid=5309(nagios) groups=4(adm),5309(nagios)

When I embed "id" into the check_log script, I get:

    uid=5308(nagios) gid=5309(nagios)

so, it would seem that it does not inherit the groups as I would assume it would.

More configuration information: nrpe runs under xinetd on the target:

    service nrpe
    {
        flags           = REUSE
        socket_type     = stream
        port            = 5666
        wait            = no
        user            = nagios
        group           = nagios
        server          = /usr/local/nagios/bin/nrpe
        server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
        log_on_failure  += USERID
        disable         = no
        only_from       = 127.0.0.1 x.x.x.226
    }

How can I determine why the check_nrpe command does not allow for reading of the /var/log/auth.log file on the target machine?

--
The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your production scanning environment may not be a perfect world - but thanks to Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700 Series Scanner you'll get full speed at 300 dpi even with all image processing features enabled. http://p.sf.net/sfu/kodak-com
___
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] NRPE permissions problem
On May 13, 2009, at 7:17 AM, Thomas Stearn wrote:

> I have a Nagios server 3.0.6 running on Ubuntu 8.04 Server. It is
> monitoring all things fine on multiple targets except the one below.
>
> On a certain target, I am trying to monitor my /var/log/auth.log
> file for bad activity, such as failed password attempts, or attempts
> to login as invalid users, etc.
>
> I am trying to do this via the check_log plugin via nrpe, but, I get
> a "Log check error: Log file /var/log/auth.log is not readable!"
> when the server checks on it.
>
> The easiest way I have to reproduce the error is the following
> manually executed command from the host server:
> /usr/local/nagios/libexec/check_nrpe -H target -c check_badpw
>
> I know that it means that the file cannot be opened during the
> check, but, I don't understand why.
>
> ls -l of /var/log/auth.log:
> -rw-r----- 1 syslog adm 1590863 2009-05-12 10:47 /var/log/auth.log
>
> In /etc/groups, I have added the "nagios" user to the adm group, so
> I would think it should work.

[chop]

> So, I know it will work if I loosen the permissions on /var/log/
> auth.log, but, I'd prefer to keep them as tight as possible.
>
> When I am logged into the target as nagios and execute "id", I get,
> uid=5308(nagios) gid=5309(nagios) groups=4(adm),5309(nagios)
>
> When I embed "id" into the check_log script, I get:
> uid=5308(nagios) gid=5309(nagios)
>
> so, it would seem that it does not inherit the groups as I would
> assume it would.

I'm certain this was recently discussed but my search-fu is weak this morning. It might have been on -devel or nagios-plugins though... I didn't follow closely but the gist of it (I believe) is that xinetd drops/ignores any secondary groups the user is a member of before starting the server. No secondary groups, no access in your case.

Looking at my xinetd.conf man page, I see the following which may help. You may also have better search-fu than me and can find the original thread...

    groups      Takes either "yes" or "no". If the groups attribute is set
                to "yes", then the server is executed with access to the
                groups that the server's effective UID has access to. If the
                groups attribute is set to "no", then the server runs with no
                supplementary groups. This attribute must be set to "yes" for
                many BSD systems. This attribute can be set in the defaults
                section as well.

--
Marc
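A way to confirm the failure mode Marc describes on a live host, as an added example that is not part of the thread: it compares the gids a user is entitled to with the gids a running process actually carries, read from /proc/PID/status. It assumes a Linux /proc; the gids 5309 and 4 in the comments are the values from Tom's "id" output.

```shell
#!/bin/sh
# Added example, not from the thread. Diagnoses a daemon that runs as the
# right user but without that user's supplementary groups, the failure mode
# above: xinetd started nrpe as "nagios" with group 5309 only, so the "adm"
# (gid 4) membership that grants read access to auth.log never applied.
# Assumes a Linux /proc; the gids 5309 and 4 are taken from the thread.

# Effective gid plus supplementary gids a process actually runs with.
proc_groups() {
    awk '/^Gid:/    { printf "%s ", $3 }
         /^Groups:/ { $1 = ""; print }' "/proc/$1/status"
}

# Gids the user is entitled to: primary group plus /etc/group memberships.
expected_groups() {
    id -G "$1"
}

# Print the gids in list $1 that are absent from list $2 (space separated).
missing_groups() {
    missing=""
    for g in $1; do
        found=0
        for a in $2; do
            if [ "$g" = "$a" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then missing="$missing${missing:+ }$g"; fi
    done
    printf '%s\n' "$missing"
}

# Compare a live process (e.g. the nrpe child xinetd spawned) with its user.
check_process() {
    pid="$1"; user="$2"
    missing=$(missing_groups "$(expected_groups "$user")" "$(proc_groups "$pid")")
    if [ -n "$missing" ]; then
        echo "pid $pid runs as $user but lacks gids: $missing"
        echo "if xinetd starts it, add 'groups = yes' to its service stanza"
        return 1
    fi
    echo "pid $pid has every gid of $user"
}

# Usage on the target while a check is running, e.g.:
#   check_process "$(pgrep -n nrpe)" nagios
```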
Re: [Nagios-users] NRPE permissions problem
Thank you! That was so simple, and yet, no matter where I tried searching, I could not come up with it!!! It worked like a champ!

Tom

And, thanks again for the previous help ;-)

On Wed, May 13, 2009 at 10:44 AM, Marc Powell wrote:
>
> On May 13, 2009, at 7:17 AM, Thomas Stearn wrote:
>
> > I have a Nagios server 3.0.6 running on Ubuntu 8.04 Server. It is
> > monitoring all things fine on multiple targets except the one below.
> >
> > On a certain target, I am trying to monitor my /var/log/auth.log
> > file for bad activity, such as failed password attempts, or attempts
> > to login as invalid users, etc.
> >
> > I am trying to do this via the check_log plugin via nrpe, but, I get
> > a "Log check error: Log file /var/log/auth.log is not readable!"
> > when the server checks on it.
> >
> > The easiest way I have to reproduce the error is the following
> > manually executed command from the host server:
> > /usr/local/nagios/libexec/check_nrpe -H target -c check_badpw
> >
> > I know that it means that the file cannot be opened during the
> > check, but, I don't understand why.
> >
> > ls -l of /var/log/auth.log:
> > -rw-r----- 1 syslog adm 1590863 2009-05-12 10:47 /var/log/auth.log
> >
> > In /etc/groups, I have added the "nagios" user to the adm group, so
> > I would think it should work.
>
> [chop]
>
> > So, I know it will work if I loosen the permissions on /var/log/
> > auth.log, but, I'd prefer to keep them as tight as possible.
> >
> > When I am logged into the target as nagios and execute "id", I get,
> > uid=5308(nagios) gid=5309(nagios) groups=4(adm),5309(nagios)
> >
> > When I embed "id" into the check_log script, I get:
> > uid=5308(nagios) gid=5309(nagios)
> >
> > so, it would seem that it does not inherit the groups as I would
> > assume it would.
>
> I'm certain this was recently discussed but my search-fu is weak this
> morning. It might have been on -devel or nagios-plugins though... I
> didn't follow closely but the gist of it (I believe) is that xinetd
> drops/ignores any secondary groups the user is a member of before
> starting the server. No secondary groups, no access in your case.
>
> Looking at my xinetd.conf man page, I see the following which may
> help. You may also have better search-fu than me and can find the
> original thread...
>
>     groups      Takes either "yes" or "no". If the groups attribute
>                 is set to "yes", then the server is executed with
>                 access to the groups that the server's effective UID
>                 has access to. If the groups attribute is set to
>                 "no", then the server runs with no supplementary
>                 groups. This attribute must be set to "yes" for many
>                 BSD systems. This attribute can be set in the
>                 defaults section as well.
>
> --
> Marc