Nagios monitoring problem

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
jolson

Re: Nagios monitoring problem

Post by jolson »

Let's take a look at your audit log in addition to your permissions all the way down. Your user and group settings could also be useful. Feel free to hide anything you don't want us to see.


# Last 30 records of the audit log. These records can carry addresses,
# account names and SSH key fingerprints, so redact what should stay private
# before pasting the output into a public thread.
tail -n 30 /var/log/audit/audit.log
# Walk every path component leading to each entry under the Nagios var
# directory, printing its mode bits (-m) and its owner and group (-o).
# Check for components with an unexpected owner or world-writable modes.
namei -m -o /usr/local/nagios/var/*
# Account and group entries whose lines match "nag" or "apach".
grep -E 'nag|apach' /etc/passwd
grep -E 'nag|apach' /etc/group
LPTFabio

Re: Nagios monitoring problem

Post by LPTFabio »

jolson wrote:Let's take a look at your audit log in addition to your permissions all the way down. Your user and group settings could also be useful. Feel free to hide anything you don't want us to see.


# Recent audit records; review them for sensitive fields before sharing.
tail -n30 /var/log/audit/audit.log
# Mode (-m) and owner/group (-o) of each path component under the Nagios var directory.
namei -mo /usr/local/nagios/var/*
# passwd and group entries matching "nag" or "apach".
egrep 'nag|apach' /etc/passwd
egrep 'nag|apach' /etc/group
Here you go; there is nothing I need to hide.



[root@nagiosesjal ~]# tail -n30 /var/log/audit/audit.log
type=CRYPTO_SESSION msg=audit(1435864143.256:306): user pid=1574 uid=0 auid=0 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes256-ctr ksize=256 spid=1574 suid=0 rport=49836 laddr=192.168.1.100 lport=22  exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1435864144.771:307): user pid=1574 uid=0 auid=0 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=from-client spid=1574 suid=0 rport=49836 laddr=192.168.1.100 lport=22  exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1435864146.172:308): user pid=1574 uid=0 auid=0 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=from-server spid=1574 suid=0 rport=49836 laddr=192.168.1.100 lport=22  exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=? res=success'
type=DAEMON_START msg=audit(1435917901.398:2637): auditd start, ver=2.2 format=raw kernel=2.6.32-431.el6.i686 auid=4294967295 pid=1155 subj=system_u:system_r:auditd_t:s0 res=success
type=CONFIG_CHANGE msg=audit(1435917901.504:4): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1
type=USER_START msg=audit(1435917903.445:5): user pid=1367 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="nagios" exe="/sbin/runuser" hostname=? addr=? terminal=console res=success'
type=CRED_ACQ msg=audit(1435917903.446:6): user pid=1367 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="nagios" exe="/sbin/runuser" hostname=? addr=? terminal=console res=success'
type=CRED_DISP msg=audit(1435917903.657:7): user pid=1367 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="nagios" exe="/sbin/runuser" hostname=? addr=? terminal=console res=success'
type=USER_END msg=audit(1435917903.657:8): user pid=1367 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="nagios" exe="/sbin/runuser" hostname=? addr=? terminal=console res=success'
type=USER_START msg=audit(1435917903.675:9): user pid=1390 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="nagios" exe="/sbin/runuser" hostname=? addr=? terminal=console res=success'
type=CRED_ACQ msg=audit(1435917903.675:10): user pid=1390 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="nagios" exe="/sbin/runuser" hostname=? addr=? terminal=console res=success'
type=CRED_DISP msg=audit(1435917903.691:11): user pid=1390 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="nagios" exe="/sbin/runuser" hostname=? addr=? terminal=console res=success'
type=USER_END msg=audit(1435917903.691:12): user pid=1390 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="nagios" exe="/sbin/runuser" hostname=? addr=? terminal=console res=success'
type=CRYPTO_KEY_USER msg=audit(1435918075.757:13): user pid=1432 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=56:2e:a2:74:75:75:a4:81:f2:a1:8c:9b:df:b4:b1:a9 direction=? spid=1432 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1435918075.757:14): user pid=1432 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=5b:45:e1:a6:05:65:e7:18:f2:68:8c:69:89:dc:a4:33 direction=? spid=1432 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1435918075.759:15): user pid=1431 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 spid=1432 suid=74 rport=49380 laddr=192.168.1.100 lport=22  exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1435918075.759:16): user pid=1431 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes256-ctr ksize=256 spid=1432 suid=74 rport=49380 laddr=192.168.1.100 lport=22  exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=? res=success'
type=USER_AUTH msg=audit(1435918080.278:17): user pid=1431 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=192.168.1.1 addr=192.168.1.1 terminal=ssh res=success'
type=USER_ACCT msg=audit(1435918080.281:18): user pid=1431 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/sshd" hostname=192.168.1.1 addr=192.168.1.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1435918080.281:19): user pid=1431 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1432 suid=74 rport=49380 laddr=192.168.1.100 lport=22  exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=? res=success'
type=USER_AUTH msg=audit(1435918080.282:20): user pid=1431 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=success acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1435918080.282:21): user pid=1431 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname=192.168.1.1 addr=192.168.1.1 terminal=ssh res=success'
type=LOGIN msg=audit(1435918080.282:22): pid=1431 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=1
type=USER_ROLE_CHANGE msg=audit(1435918080.364:23): user pid=1431 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/sbin/sshd" hostname=192.168.1.1 addr=192.168.1.1 terminal=ssh res=success'
type=USER_START msg=audit(1435918080.367:24): user pid=1431 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/sshd" hostname=192.168.1.1 addr=192.168.1.1 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1435918080.521:25): user pid=1435 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.1.1 addr=192.168.1.1 terminal=/dev/pts/0 res=success'
type=USER_START msg=audit(1435918080.521:26): user pid=1435 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.1.1 addr=192.168.1.1 terminal=/dev/pts/0 res=success'
type=CRYPTO_KEY_USER msg=audit(1435918080.528:27): user pid=1435 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=56:2e:a2:74:75:75:a4:81:f2:a1:8c:9b:df:b4:b1:a9 direction=? spid=1435 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=pts/0 res=success'
type=CRYPTO_KEY_USER msg=audit(1435918080.528:28): user pid=1435 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=5b:45:e1:a6:05:65:e7:18:f2:68:8c:69:89:dc:a4:33 direction=? spid=1435 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=pts/0 res=success'
type=CRED_REFR msg=audit(1435918080.528:29): user pid=1435 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname=192.168.1.1 addr=192.168.1.1 terminal=ssh res=success'



[root@nagiosesjal ~]# namei -mo /usr/local/nagios/var/*
f: /usr/local/nagios/var/archives
 dr-xr-xr-x root root /
 drwsrwsrwt root root usr
 drwsrwsrwt root root local
 drwsrwsrwt root root nagios
 drwsrwsrwt root root var
 drwsrwsrwt root root archives
f: /usr/local/nagios/var/nagios.lock
 dr-xr-xr-x root   root /
 drwsrwsrwt root   root usr
 drwsrwsrwt root   root local
 drwsrwsrwt root   root nagios
 drwsrwsrwt root   root var
 -rw-r--r-- nagios root nagios.lock
f: /usr/local/nagios/var/nagios.log
 dr-xr-xr-x root   root /
 drwsrwsrwt root   root usr
 drwsrwsrwt root   root local
 drwsrwsrwt root   root nagios
 drwsrwsrwt root   root var
 -rwxrwxrwt root   root nagios.log
f: /usr/local/nagios/var/objects.cache
 dr-xr-xr-x root   root /
 drwsrwsrwt root   root usr
 drwsrwsrwt root   root local
 drwsrwsrwt root   root nagios
 drwsrwsrwt root   root var
 -rwxrwxrwt root   root objects.cache
f: /usr/local/nagios/var/objects.precache
 dr-xr-xr-x root   root /
 drwsrwsrwt root   root usr
 drwsrwsrwt root   root local
 drwsrwsrwt root   root nagios
 drwsrwsrwt root   root var
 -rwxrwxrwt root   root objects.precache
f: /usr/local/nagios/var/retention.dat
 dr-xr-xr-x root   root /
 drwsrwsrwt root   root usr
 drwsrwsrwt root   root local
 drwsrwsrwt root   root nagios
 drwsrwsrwt root   root var
 -rwxrwxrwt root   root retention.dat
f: /usr/local/nagios/var/rw
 dr-xr-xr-x root   root /
 drwsrwsrwt root   root usr
 drwsrwsrwt root   root local
 drwsrwsrwt root   root nagios
 drwsrwsrwt root   root var
 drwsrwsrwt root   root rw
f: /usr/local/nagios/var/spool
 dr-xr-xr-x root   root /
 drwsrwsrwt root   root usr
 drwsrwsrwt root   root local
 drwsrwsrwt root   root nagios
 drwsrwsrwt root   root var
 drwsrwsrwt root   root spool
f: /usr/local/nagios/var/status.dat
 dr-xr-xr-x root   root /
 drwsrwsrwt root   root usr
 drwsrwsrwt root   root local
 drwsrwsrwt root   root nagios
 drwsrwsrwt root   root var
 -rwxrwxrwt root   root status.dat



[root@nagiosesjal ~]# egrep 'nag|apach' /etc/passwd
apache:x:48:48:Apache:/var/www:/sbin/nologin
nagios:x:500:500::/home/nagios:/bin/bash


[root@nagiosesjal ~]# egrep 'nag|apach' /etc/group
apache:x:48:
nagios:x:500:apache
nagcmd:x:501:nagios
LPTFabio

Re: Nagios monitoring problem

Post by LPTFabio »

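Problem fixed.

The problem was that the permissions on all of the Nagios files had been changed so that they belonged to root instead of the nagios user and group.
Fix: changed the permissions back to the nagios user and group.

Note: the namei output above also shows every directory from /usr down to /usr/local/nagios/var as drwsrwsrwt (mode 7777) and the data files as -rwxrwxrwt (mode 1777), all owned by root:root and all world-writable. If only the owner and group were restored, those modes remain in place and should be reset to the distribution and Nagios install defaults as well.

I don't know why it changed, but it's all working now. Thanks for the help, guys :D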