Nagios XI check_wmi_plus.pl clear text passwords

Postby oskargaboda » Wed Sep 18, 2019 8:37 am

Hi,

We're implementing some WMI-based checks on a new XI install. We've found that the WMI method exposes clear text passwords in both the authfile or resource.cfg file when using user macros. When running a "ps -ef" these are also exposed to all users from the Linux shell. We have implemented openssl encrypt/decrypt within the Perl script; however, this still shows in the "ps -ef" output where the Perl script executes the wmic commands. This shows it in 2 instead of 3 of the command outputs now. Has anyone got a solution to this problem that our InfoSec team has with this risk?

Code:
$ grep password check_wmi_plus.pl
our $opt_password=`/bin/openssl rsautl -decrypt -inkey /home/nagios/nagiosxi_priv.pem -in /home/nagios/svcNagios.encrypt`;


Substituted "DOMAIN/USER%PASS" in the below example for the real values.
Code:
nagios   14190 14187  0 14:11 pts/1    00:00:00 /usr/bin/perl -w /usr/local/nagios/libexec/check_wmi_plus.pl -H hostname -u DOMAIN/USER -d -m checkcpu -w 80 -c 90
nagios   14267 14190  0 14:11 pts/1    00:00:00 sh -c /usr/bin/wmic '-U' DOMAIN/USER%PASS' '--namespace' 'root/cimv2' '//hostname' 'select PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfOS_Processor where Name="_Total"' 2>&1
nagios   14271 14267  0 14:11 pts/1    00:00:00 /usr/bin/wmic -U  DOMAIN/USER%PASS --namespace root/cimv2 //hostname select PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfOS_Processor where Name="_Total"

Postby mbellerue » Wed Sep 18, 2019 4:25 pm

If you have solved this issue up to the point where the only problem is the credentials showing in a ps command, then what you may want to do is enforce hidepid on /proc. This shouldn't affect Nagios, but please test this change before making a permanent switch.

Make the change temporarily (change will be reset on a reboot)
Code:
mount -o remount,rw,hidepid=2 /proc


To make the change persist through reboots, edit /etc/fstab and add the following line.
Code:
proc    /proc    proc    defaults,hidepid=2     0     0

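One way to check the exposure discussed in this thread and the effect of the hidepid change, as an added example that is not part of any post above, of Nagios XI, or of check_wmi_plus. The function names are hypothetical, and only the `-U`/`--user` option followed by a separate `user%password` argument is recognised.

```python
"""Audit: is a wmic-style "-U DOMAIN/USER%PASS" argument readable via /proc?"""
import os
import re
import shlex

CRED = re.compile(r"^([^%\s]+)%.+$")  # user%password; group 1 is the user part

def hidepid_level(mounts_text):
    """Return the hidepid option of the /proc mount ('0' if not set)."""
    for line in mounts_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == "/proc" and f[2] == "proc":
            opts = dict(o.partition("=")[::2] for o in f[3].split(","))
            return opts.get("hidepid", "0")
    return None

def exposed_users(argv):
    """Return the user names whose password is present in an argument vector."""
    words = []
    for arg in argv:
        try:  # "sh -c '<command>'" carries the whole wmic command in one argument
            words += shlex.split(arg) if " " in arg else [arg]
        except ValueError:  # unbalanced quotes: fall back to a plain split
            words += [w.strip("'\"") for w in arg.split()]
    pairs = zip(words, words[1:])
    hits = [CRED.match(v) for k, v in pairs if k in ("-U", "--user")]
    return [m.group(1) for m in hits if m]  # report the account, never the secret

def scan_proc(proc="/proc"):
    """Return [(pid, users)] for each process this account can read."""
    found = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                argv = fh.read().decode(errors="replace").split("\0")
        except OSError:
            continue  # process exited, or hidden from us by hidepid
        users = exposed_users([a for a in argv if a])
        if users:
            found.append((int(pid), users))
    return found

if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        print("hidepid on /proc:", hidepid_level(fh.read()))
    for pid, users in scan_proc():
        print(f"pid {pid}: password for {', '.join(users)} visible in argv")
```

Run it from an unprivileged account other than nagios while a check executes: before the remount it lists the wmic processes, and with hidepid=2 in effect it should list none.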

Postby mcapra » Wed Sep 18, 2019 10:36 pm

I did a Python implementation of executing generic WQL queries a while back:
https://github.com/mcapra/nagios-check_wmi

It's not quite as feature rich as check_wmi_plus, but it does circumvent the "executing wmic on the back-end" problem. You could just as well feed an encrypted password in as a command-line argument and decrypt it in the Python execution -- no need to hand off the plain-text password to something like wmic. Though to be clear, my POC doesn't currently do that ;)

Postby mbellerue » Thu Sep 19, 2019 11:25 am

Thanks for jumping in with that additional plugin, Matt!

oskargaboda, let us know if there's anything else we can help with.

Postby oskargaboda » Thu Sep 19, 2019 5:29 pm

Thanks mbellerue, unfortunately our Linux team states RHEL SOE is running kernel 3.1 and therefore doesn't support the hidepid method.

Hi mcapra, I'll take a look at that and see if we can implement that as an alternative.

Postby mbellerue » Fri Sep 20, 2019 9:34 am

As an alternative plan, we do also support running Nagios XI on Ubuntu 18.04, which will support the hidepid option.