
Nagios XI check_wmi_plus.pl clear text passwords

Posted: Wed Sep 18, 2019 8:37 am
by oskargaboda
Hi,

We're implementing some WMI-based checks on a new XI install, and we've found that the WMI method exposes clear text passwords in either the authfile or resource.cfg file when using user macros. When running a "ps -ef", these are also exposed to all users from the Linux shell. We have implemented openssl encrypt/decrypt within the Perl script; however, this still shows in the "ps -ef" output where the Perl script executes the wmic commands. It now shows in 2 instead of 3 of the command outputs. Has anyone got a solution to this problem that our InfoSec team has with this risk?

Code:

$ grep password check_wmi_plus.pl
our $opt_password=`/bin/openssl rsautl -decrypt -inkey /home/nagios/nagiosxi_priv.pem -in /home/nagios/svcNagios.encrypt`;

Substituted "DOMAIN/USER%PASS" in the below example for the real values.

Code:

nagios   14190 14187  0 14:11 pts/1    00:00:00 /usr/bin/perl -w /usr/local/nagios/libexec/check_wmi_plus.pl -H hostname -u DOMAIN/USER -d -m checkcpu -w 80 -c 90
nagios   14267 14190  0 14:11 pts/1    00:00:00 sh -c /usr/bin/wmic '-U' DOMAIN/USER%PASS' '--namespace' 'root/cimv2' '//hostname' 'select PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfOS_Processor where Name="_Total"' 2>&1
nagios   14271 14267  0 14:11 pts/1    00:00:00 /usr/bin/wmic -U  DOMAIN/USER%PASS --namespace root/cimv2 //hostname select PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfOS_Processor where Name="_Total"

Re: Nagios XI check_wmi_plus.pl clear text passwords

Posted: Wed Sep 18, 2019 4:25 pm
by mbellerue
If you have solved this issue up to the point where the only problem is the credentials showing in a ps command, then what you may want to do is enforce hidepid on /proc. This shouldn't affect Nagios, but please test this change before making a permanent switch.

Make the change temporarily (change will be reset on a reboot):

Code:

mount -o remount,rw,hidepid=2 /proc

To make the change persist through reboots, edit /etc/fstab and add the following line.

Code:

proc    /proc    proc    defaults,hidepid=2     0     0
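
Added example (not part of the original posts, and not Nagios or check_wmi_plus code): a POSIX shell check for the two conditions discussed above, whether /proc is mounted with hidepid and whether any process command line carries a wmic-style -U DOMAIN/USER%PASS argument. The function names are hypothetical and the sample mount and ps lines are constructed.

```sh
#!/bin/sh
# Added example: function names are hypothetical, sample lines are constructed.

# Print the hidepid value of the /proc mount found in a /proc/mounts-format
# file (default: the live /proc/mounts, "-" for stdin); 0 if the option is absent.
proc_hidepid() {
    awk 'BEGIN { v = 0 }
         $2 == "/proc" && $3 == "proc" {
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++)
                 if (opt[i] ~ /^hidepid=/) v = substr(opt[i], 9)
         }
         END { print v }' "${1:-/proc/mounts}"
}

# Read "ps -eo pid,user,args" lines on stdin. For each command line holding a
# wmic-style "-U DOMAIN/USER%PASS" pair, print PID, owner and the account with
# the password redacted, so the report does not leak the secret again.
find_exposed_creds() {
    awk -v q="'" '{
        for (i = 3; i < NF; i++) {
            a = $i; b = $(i + 1)
            gsub(q, "", a); gsub(q, "", b)      # drop shell quoting
            if (a == "-U" && index(b, "%") > 1) {
                sub(/%.*/, "%<redacted>", b)
                print $1, $2, b
                break
            }
        }
    }'
}

# Constructed process listing modelled on the ps output in the first post.
sample_ps() {
    cat <<'EOF'
14190 nagios /usr/bin/perl -w /usr/local/nagios/libexec/check_wmi_plus.pl -H hostname -u DOMAIN/USER -m checkcpu
14267 nagios sh -c /usr/bin/wmic '-U' 'DOMAIN/USER%PASS' '--namespace' 'root/cimv2' '//hostname'
14271 nagios /usr/bin/wmic -U  DOMAIN/USER%PASS --namespace root/cimv2 //hostname
14300 root /usr/sbin/sshd -D
EOF
}

echo "hidepid (constructed default mount): $(echo 'proc /proc proc rw,relatime 0 0' | proc_hidepid -)"
echo "hidepid (constructed hardened mount): $(echo 'proc /proc proc rw,relatime,hidepid=2 0 0' | proc_hidepid -)"
sample_ps | find_exposed_creds
# Live host: proc_hidepid; ps -eo pid,user,args | find_exposed_creds
```

Run the live scan as root: with hidepid=2 in effect, an unprivileged user sees only its own processes, which is the intended result of the mount option.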

Re: Nagios XI check_wmi_plus.pl clear text passwords

Posted: Wed Sep 18, 2019 10:36 pm
by mcapra
I did a Python implementation of executing generic WQL queries a while back:
https://github.com/mcapra/nagios-check_wmi

It's not quite as feature-rich as check_wmi_plus, but it does circumvent the "executing wmic on the back-end" problem. You could just as well feed an encrypted password in as a command-line argument and decrypt it in the Python execution -- no need to hand off the plain-text password to something like wmic. Though to be clear, my POC doesn't currently do that ;)

Re: Nagios XI check_wmi_plus.pl clear text passwords

Posted: Thu Sep 19, 2019 11:25 am
by mbellerue
Thanks for jumping in with that additional plugin, Matt!

oskargaboda, let us know if there's anything else we can help with.

Re: Nagios XI check_wmi_plus.pl clear text passwords

Posted: Thu Sep 19, 2019 5:29 pm
by oskargaboda
Thanks mbellerue, unfortunately our Linux team states RHEL SOE is running kernel 3.1 and therefore doesn't support the hidepid method.

Hi mcapra, I'll take a look at that and see if we can implement that as an alternative.

Re: Nagios XI check_wmi_plus.pl clear text passwords

Posted: Fri Sep 20, 2019 9:34 am
by mbellerue
As an alternative plan, we do also support running Nagios XI on Ubuntu 18.04, which will support the hidepid option.