[Nagios-users] NRPE Arguments
Hi all, I was wondering if someone could give a quick run-down of the security issues surrounding argument passing to NRPE? If my systems (including the monitoring server) are all going to be on a trusted, internal network, and if I configure my NRPE agents to only accept connections from my monitoring server, what other security precautions should I take when using argument passing? Cheers, Chris -- The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your production scanning environment may not be a perfect world - but thanks to Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700 Series Scanner you'll get full speed at 300 dpi even with all image processing features enabled. http://p.sf.net/sfu/kodak-com ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
[Nagios-users] nrpe arguments
Hi,I want to launch event hancler on a remote windows host. The active nagios checks are checking exchange IS, MTA and SA and i want services to be restarted if they stop.Event handlers are enabled.I see in eventlog [09-03-2006 10:43:28] SERVICE EVENT HANDLER: ussfrsv02;Exchange IS;CRITICAL;SOFT;3;restart_exchangeI put a service eventhandler in nagios services.cfg fileevent_handler restart_exchangeand put a definition in miscommands.cfg fileEvent-Handlers#define command { command_name restart_exchange command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c restart_exchange $SERVICESTATE$ $STATETYPE$ $SERVICEATTEMPT$ }I am wondering if the concept is ok. On the windows side the nrpe.cfg file got a definition for restart_exchange: # Values: 0=do not allow arguments, 1=allow command argumentsdont_blame_nrpe=1command[restart_exchange]=C:\nrpe\bin\RestartExchangeServices.cmd $ARG1$ $ARG2$ $ARG3$ And my RestartExchangeServices.cmd file contains this and at least it works in command line@ECHO offIF %1 == 'HARD' GOTO :1 ELSE GOTO :999:1IF %2 == 'SOFT' GOTO :2 ELSE GOTO :999:2 IF %3 == '3' GOTO :3:3 net start MSExchangeISnet start MSExchangeMTAnet start MSExchangeSAECHO "Services Exchange IS, MTA ans SA have been started"REM EXIT exitCode 0GOTO :999 I commented the Exitcode because it dont see the need for eventhandler.Anyway it is not working at all :( I would greatly appreciate some thoughts, comments, help or solutions. -- Le bon sens est la chose du monde la mieux partagée.
RE: [Nagios-users] NRPE arguments
> Hi, I'm trying to pass arguments from one system to another > and am having some trouble. I have rebuilt nrpe with the > command-args option enabled, yet i am still getting "Error: > Request contained command arguments, but argument option is > not enabled" in our log entries. For the NRPE daemon to accept arguments to the requested commands, you need to do 3 things. 1) Compile NRPE with argument support. 2) Enable arguments in the nrpe.cfg (dont_blame_nrpe = 1) 3) Define the command with arguments in the nrpe.cfg I suspect your problem is number (2). This is disabled by default as it is a security problem. If you enable this, I strongly recommend you do all of the following: 1) Make sure that all NRPE command definitions have QUOTES around the arguments, to prevent people sending metacharacters or spaces in the parameters and cracking your system. Very important. 2) Use the allowed_hosts option in the nrpe.cfg, or else tcpwrappers or xinetd (unix), to restrict access to the daemon to only your nagios host. 3) Run the daemon as an unprivileged account created for this purpose only (unix) If you look into it for a short while, you will realise why this option is disabled by default - and how much chaos you could cause on a system which doesn't take these precautions. Steve --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
RE: [Nagios-users] NRPE arguments
> -Original Message- > From: [EMAIL PROTECTED] [mailto:nagios-users- > [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] > Sent: Tuesday, January 31, 2006 1:12 PM > To: nagios-users@lists.sourceforge.net > Subject: [Nagios-users] NRPE arguments > > Hi, I'm trying to pass arguments from one system to another and am having > some > trouble. I have rebuilt nrpe with the command-args option enabled, yet i > am > still getting "Error: Request contained command arguments, but argument > option > is not enabled" in our log entries. I'm having some trouble finding > documentaion on this, so any help would be awsome. Thanks in advance >From the SECURITY file -- ENABLING ARGUMENTS -- To enable support for command argument in the daemon, you must do two things: 1. Run the configure script with the --enable-command-args option 2. Set the 'dont_blame_nrpe' directive in the NRPE config file to 1. Did you perform _both_ actions? -- Marc --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid3432&bid#0486&dat1642 ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
[Nagios-users] NRPE arguments
Hi, I'm trying to pass arguments from one system to another and am having some trouble. I have rebuilt nrpe with the command-args option enabled, yet i am still getting "Error: Request contained command arguments, but argument option is not enabled" in our log entries. I'm having some trouble finding documentaion on this, so any help would be awsome. Thanks in advance -- Jeff Rooney [EMAIL PROTECTED] --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null