Replace Plugin path with $ARGU$ in nrpe.cfg

[alokispandey]

Hi,

Just wondering if its possible to replace plugin path in nrpe.cfg with $ARG1$? Goal is to use one single line in npre.cfg and Pass plugin path including arguments from nagios server for complete control and flexibility ?.

Eg:-
command[Check_service]=/Path/To/nagios/plugins/check_service.sh $ARG1$ can it be replaced as
command[Check_service]=$ARG1$


It tried but failed.?

Any help will be appreciated,

[hsmith]

I can't say I've ever tried, but the security issues this could open up are pretty endless.

Example of one of the terrible things that could go wrong... Don't run this!:

Code: Select all

./check_nrpe -H x.x.x.x -c /usr/bin/rm -rf /

Is that something you want open in your environment?

[rkennedy]

Yes, though it will not work with all linux commands, and the output is limited. Here's a sample -

Code: Select all

[root@suse11 libexec]# ./check_nrpe -H 192.168.3.42 -c rootterm -a 'uptime'
 10:36:52 up 16 days, 17:44,  1 user,  load average: 0.00, 0.00, 0.00
[root@suse11 libexec]# ./check_nrpe -H 192.168.3.42 -c rootterm -a 'whoami'
nagios
[root@suse11 libexec]# ./check_nrpe -H 192.168.3.42 -c rootterm -a 'uptime'
 10:38:23 up 16 days, 17:45,  1 user,  load average: 0.00, 0.00, 0.00
[root@suse11 libexec]# ./check_nrpe -H 192.168.3.42 -c rootterm -a 'users'
root
[root@suse11 libexec]# ./check_nrpe -H 192.168.3.42 -c rootterm -a 'ps -ef'
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jan25 ?        00:00:01 /sbin/init
root         2     0  0 Jan25 ?        00:00:00 [kthreadd]
root         3     2  0 Jan25 ?        00:00:00 [migration/0]
root         4     2  0 Jan25 ?        00:01:11 [ksoftirqd/0]
root         5     2  0 Jan25 ?        00:00:00 [stopper/0]
root         6     2  0 Jan25 ?        00:05:56 [watchdog/0]
root         7     2  0 Jan25 ?        00:10:39 [events/0]
root         8     2  0 Jan25 ?        00:00:00 [events/0]
root         9     2  0 Jan25 ?        00:00:00 [events_long/0]
root        10     2  0 Jan25 ?        00:00:00 [events_power_ef]
root        11     2  0 Jan25 ?        00:00:00 [cgroup]
root        12     2  0 Jan25 ?        00:00:00 [khelper]
root        13     2  0 Jan25 ?        00:00:00 [netns]
root        14     2  0 Jan25 ?        00:00:00 [async/mgr]
root        15     2  0 Jan25 ?        00:00:00 [pm]
root        16     2  0 Jan25 ?        00:00:05 [sync_supers]
root        17
[root@suse11 libexec]# ./check_nrpe -H 192.168.3.42 -c rootterm -a 'cat /home/nagios/cookie.txt'
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.

localhost       FALSE   /       FALSE   1455207162      nagiosxi        m45pjocc5r3ibao92kr742bs75

Modify /usr/local/nagios/etc/nrpe.cfg, and change two fields to reflect below -

Code: Select all

dont_blame_nrpe=1
allow_bash_command_substitution=1

then, add this as the command -

Code: Select all

command[rootterm]=$ARG1$

Restart xinetd (service xinetd restart), and it should be working.

[alokispandey]

Hsmit,
I understand the concerns here..but that is something that can be restricted by adding prefix sudo ( and restricting destructive command for user in sudoers).

Per "rkennedy" it will not support all linux command.. think of advantages, if it starts supporting all command and regex, how easy it will be to manage the nagios client and client changes will become a one time implementation only.

Thank you rkennedy for your steps,I am going to test it in my test env.

[rkennedy]

Code: Select all

Per "rkennedy" it will not support all linux command.. think of advantages, if it starts supporting all command and regex, how easy it will be to manage the nagios client and client changes will become a one time implementation only. 

I see where you're coming from, an alternative could be to execute bash scripts on the remote machine (which then run your full command). I haven't tested this though. While the NRPE output might be skewed, I believe the commands will still run. You'll just need to have your bash script output properly.

Let us know how the testing goes in your environment.