Nagios XI check_wmi_plus.pl clear text passwords

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
oskargaboda
Posts: 14
Joined: Mon Aug 27, 2018 5:45 am

Nagios XI check_wmi_plus.pl clear text passwords

Post by oskargaboda »

Hi,

We're implementing some WMI-based checks on a new XI install, and we've found that the WMI method exposes clear text passwords in both the authfile or resource.cfg file when using user macros. When running a "ps -ef" these are also exposed to all users from the Linux shell. We have implemented openssl encrypt/decrypt within the Perl script; however, this still shows in the "ps -ef" output where the Perl script executes the wmic commands, though it now shows in 2 instead of 3 of the command outputs. Has anyone got a solution to this problem that our InfoSec team has with this risk?

Code:

$ grep password check_wmi_plus.pl
our $opt_password=`/bin/openssl rsautl -decrypt -inkey /home/nagios/nagiosxi_priv.pem -in /home/nagios/svcNagios.encrypt`;

Substituted "DOMAIN/USER%PASS" in the below example for the real values.

Code:

nagios   14190 14187  0 14:11 pts/1    00:00:00 /usr/bin/perl -w /usr/local/nagios/libexec/check_wmi_plus.pl -H hostname -u DOMAIN/USER -d -m checkcpu -w 80 -c 90
nagios   14267 14190  0 14:11 pts/1    00:00:00 sh -c /usr/bin/wmic '-U' DOMAIN/USER%PASS' '--namespace' 'root/cimv2' '//hostname' 'select PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfOS_Processor where Name="_Total"' 2>&1
nagios   14271 14267  0 14:11 pts/1    00:00:00 /usr/bin/wmic -U  DOMAIN/USER%PASS --namespace root/cimv2 //hostname select PercentProcessorTime,Timestamp_Sys100NS from Win32_PerfRawData_PerfOS_Processor where Name="_Total"
mbellerue
Posts: 1403
Joined: Fri Jul 12, 2019 11:10 am

Re: Nagios XI check_wmi_plus.pl clear text passwords

Post by mbellerue »

If you have solved this issue up to the point where the only problem is the credentials showing in a ps command, then what you may want to do is enforce hidepid on /proc. This shouldn't affect Nagios, but please test this change before making a permanent switch.

Make the change temporarily (change will be reset on a reboot)

Code:

mount -o remount,rw,hidepid=2 /proc

To make the change persist through reboots, edit /etc/fstab and add the following line.

Code:

proc    /proc    proc    defaults,hidepid=2     0     0

As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
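
An added example, not part of the original thread or of check_wmi_plus: a small Python audit that flags Samba-style "-U account%password" arguments in "ps -ef" output and reads the hidepid level that applies to /proc. The sample process list is constructed from the thread's placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the `ps -ef` output in the first post;
# DOMAIN/USER%PASS is the thread's own placeholder, not a real credential.
SAMPLE_PS = """\
nagios   14190 14187  0 14:11 pts/1    00:00:00 /usr/bin/perl -w /usr/local/nagios/libexec/check_wmi_plus.pl -H hostname -u DOMAIN/USER -d -m checkcpu
nagios   14267 14190  0 14:11 pts/1    00:00:00 sh -c /usr/bin/wmic '-U' 'DOMAIN/USER%PASS' '--namespace' 'root/cimv2' '//hostname' 2>&1
nagios   14271 14267  0 14:11 pts/1    00:00:00 /usr/bin/wmic -U  DOMAIN/USER%PASS --namespace root/cimv2 //hostname
"""

# Samba-style "-U account%password", with or without shell quoting.
CRED_RE = re.compile(r"""(?:^|\s)['"]?-U['"]?\s+['"]?([^\s'"%]+)%([^\s'"]+)""")

# hidepid is printed as a number, or as a name on newer kernels.
HIDEPID_NAMES = {"off": 0, "noaccess": 1, "invisible": 2, "ptraceable": 4}

def find_exposed_credentials(ps_text):
    """Return (pid, account, redacted_cmd) for each process leaking a password in argv."""
    findings = []
    for line in ps_text.splitlines():
        fields = line.split(None, 7)  # UID PID PPID C STIME TTY TIME CMD
        if len(fields) < 8:
            continue
        cmd = fields[7]
        m = CRED_RE.search(cmd)
        if m:
            # Never echo the password itself into the audit report.
            redacted = cmd[:m.start(2)] + "***" + cmd[m.end(2):]
            findings.append((int(fields[1]), m.group(1), redacted))
    return findings

def hidepid_level(mounts_text):
    """Return the hidepid level of /proc from /proc/mounts-style text (0 if unset)."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            for opt in fields[3].split(","):
                if opt.startswith("hidepid="):
                    value = opt.split("=", 1)[1]
                    return int(value) if value.isdigit() else HIDEPID_NAMES.get(value, 0)
    return 0

if __name__ == "__main__":
    for pid, account, cmd in find_exposed_credentials(SAMPLE_PS):
        print(f"pid {pid}: password for {account} visible in argv: {cmd}")
    with open("/proc/mounts") as fh:
        print("hidepid level on /proc:", hidepid_level(fh.read()))
```

Run against live "ps -ef" output as an unprivileged user, an empty result after a hidepid or plugin change shows that the password is no longer readable from other accounts.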
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Nagios XI check_wmi_plus.pl clear text passwords

Post by mcapra »

I did a Python implementation of executing generic WQL queries a while back:
https://github.com/mcapra/nagios-check_wmi

It's not quite as feature rich as check_wmi_plus, but it does circumvent the "executing wmic on the back-end" problem. You could just as well feed an encrypted password in as a command-line argument and decrypt it in the Python execution -- no need to hand off the plain-text password to something like wmic. Though to be clear, my POC doesn't currently do that ;)
Former Nagios employee
https://www.mcapra.com/
mbellerue
Posts: 1403
Joined: Fri Jul 12, 2019 11:10 am

Re: Nagios XI check_wmi_plus.pl clear text passwords

Post by mbellerue »

Thanks for jumping in with that additional plugin, Matt!

oskargaboda, let us know if there's anything else we can help with.
oskargaboda
Posts: 14
Joined: Mon Aug 27, 2018 5:45 am

Re: Nagios XI check_wmi_plus.pl clear text passwords

Post by oskargaboda »

Thanks mbellerue, unfortunately our Linux team states RHEL SOE is running kernel 3.1 and therefore doesn't support the hidepid method.

Hi mcapra, I'll take a look at that and see if we can implement that as an alternative.
mbellerue
Posts: 1403
Joined: Fri Jul 12, 2019 11:10 am

Re: Nagios XI check_wmi_plus.pl clear text passwords

Post by mbellerue »

As an alternative plan, we do also support running Nagios XI on Ubuntu 18.04 which will support the hidepid option.