Thanks you
So if the CHANGE_ commands aren't expected to work in Nagios anymore, in =
the future, there will be a way in nagios to use dynamic thresholds?
I wanted to use a check with warning and critical values specific in =
hours of production and other values outside production hours
-----Mensaje original-----
De: Andreas Ericsson [mailto:ae@op5.se]=20
Enviado el: lunes, 14 de enero de 2013 11:05
Para: Nagios Developers List
CC: Javier Garces Asensio
Asunto: Re: [Nagios-devel] ADAPTIVE CHECK CHANGE_SVC_CHECK_COMMAND
On 01/14/2013 09:36 AM, Javier Garces Asensio wrote:
> Hello everybody
>=20
> First, I don=C2=B4t know if this is the most appropriate list to send =
this=20
> message because I=E2=80=99m not a developer but I=E2=80=99ve send it =
to the=20
> nagios-user list but I have not gotten any response,=E2=80=A6
>=20
> I would like to use the external command change_svc_check_command to=20
> change dinamically the warning and critical values of the checks.
> However it doesn=C2=B4t work
> I think the cause that it doesn't work is the modification introduced=20
> in the version 3.0.6 (Disabled adaptive check and eventhandler=20
> commands for security reasons ) as you can see in the URL:
>=20
> http://www.nagios.org/projects/nagiosco ... ry/core-3x=20
>
>=20
> I=E2=80=99m using the 3.2.1 version.
> In this version and also in the latest version 3.4.3, I can see the=20
> next source code in the base/commands.c file
>=20
> /* SECURITY PATCH - disable these for the time being */
> switch(cmd) {
> case CMD_CHANGE_GLOBAL_HOST_EVENT_HANDLER:
> case CMD_CHANGE_GLOBAL_SVC_EVENT_HANDLER:
> case CMD_CHANGE_HOST_EVENT_HANDLER:
> case CMD_CHANGE_SVC_EVENT_HANDLER:
> case CMD_CHANGE_HOST_CHECK_COMMAND:
> case CMD_CHANGE_SVC_CHECK_COMMAND:
> return ERROR;
> }
>=20
> I guess if I delete the above code, the external command=20
> change_svc_check_command will work
>=20
> Is not recommended to enable this external command?
> Why was it disabled in the version 3.0.6? This is not resolved in the=20
> latest version?
Enabling it allows scheduled remote execution of commands due to a =
combination of bugs in the Nagios CGI's that were present in early =
versions of the 3.x series. The full fix includes hashing code and =
in-form security tokens, but that part of the patch was dropped =
(understandably, as it included quite a major change and still didn't =
fully block the issue), so keeping the "CHANGE_" commands disabled is =
the safest possible default.
By removing the above code (as you mentioned), things should work out =
pretty well, but then you should take some other measures to protect =
against cross-site request forgeries to prevent your system being =
compromised.
I have to note that an attack is unlikely though, as the CHANGE_ =
commands aren't expected to work in Nagios anymore, so noone's really =
targeting them.
> I haven=C2=B4t found any official documentation about this
>=20
There's plenty over at cve.mitre.org, but you'll have to dig that up =
yourself. I handled the matter on behalf of Nagios Core, so a search for =
my name, CVE and Nagios will most likely yield some info.
--=20
Andreas Ericsson andreas.ericsson@op5.se
OP5 AB www.op5.se
Tel: +46 8-230225 Fax: +46 8-230231
Considering the successes of the wars on alcohol, poverty, drugs and =
terror, I think we should give some serious thought to declaring war on =
peace.
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: javier.garces@ehu.es