Fresh Install
Red Hat Enterprise Linux release 8.4 (Ootpa)
Nagios Core 4.4.6
Plugins 2.3.3
NIST 800-171 CUI security profile
Followed: https://support.nagios.com/kb/article/n ... .html#RHEL
All works well (with some tweaks because of security profile), except it appears none on the plugins are working
(No output on stdout) stderr: execvp(/usr/local/nagios/libexec/check_ping, ...) failed. errno is 1: Operation not permitted
Logs: No real errors
[1625104330] Unable to send check for host 'localhost' to worker (ret=-2)
[1625104363] Unable to run check for service 'Root Partition' on host 'localhost'
[1625104368] Unable to run check for service 'Total Processes' on host 'localhost'
[1625104480] Unable to run check for service 'HTTP' on host 'localhost'
[1625104489] Unable to run check for service 'Current Load' on host 'localhost'
[1625104498] Unable to run check for service 'SSH' on host 'localhost'
[1625104499] Unable to run check for service 'PING' on host 'localhost'
[1625104510] Unable to run check for service 'Swap Usage' on host 'localhost'
[1625104527] Unable to run check for service 'Current Users' on host 'localhost'
CHECKED|TRIED:
Plugins in right location
Plugins default permissions and user looks correct
SELINUX is disabled
[Tried] changing the permissions to 777 for plugins, no success
[Tried] Making nagios user Sudoer
[Tried]
su - nagios -s /bin/bash
cd /usr/local/nagios/libexec/
./check_ping -H 127.0.0.1 -w 10,2% -c 20,5%
bash: ./check_ping: Operation not permitted
-BUT-
sudo ./check_ping -H localhost -w 10,2% -c 20,5%
PING OK - Packet loss = 0%, RTA = 0.10 ms|rta=0.098000ms;10.000000;20.000000;0.000000 pl=0%;2;5;0
Leaves me to believe it is a permissions issue, but I do not know how to fix it.
Any suggestions?
failed. errno is 1: Operation not permitted
-
- Posts: 5
- Joined: Mon Sep 08, 2014 1:15 pm
Re: failed. errno is 1: Operation not permitted
Hello,
Thanks for reaching out.
Lets check on the permissions and ownership on /usr/local/nagios/libexec/ by entering:
Please let me know the results,
Perry
Thanks for reaching out.
Lets check on the permissions and ownership on /usr/local/nagios/libexec/ by entering:
Code: Select all
ls -l /usr/local/nagios/libexec/
Code: Select all
chmod 755 /usr/local/nagios/libexec/
chown nagios:nagios /usr/local/nagios/libexec/
Perry
-
- Posts: 5
- Joined: Mon Sep 08, 2014 1:15 pm
Re: failed. errno is 1: Operation not permitted
Thank you for working with me on this, however, is a no go!
drwxr-xr-x. 2 nagios nagios 4096 Jun 30 14:36 libexec
-rwxr-xr-x 1 nagios nagios 229032 Jun 30 14:36 check_ping
-rwxr-xr-x 1 nagios nagios 162552 Jun 30 14:36 check_cluster
-rwxr-xr-x 1 nagios nagios 218680 Jun 30 14:36 check_dhcp
-rwxr-xr-x 1 nagios nagios 213512 Jun 30 14:36 check_dig
-rwxr-xr-x 1 nagios nagios 375896 Jun 30 14:36 check_disk
-rwxr-xr-x 1 nagios nagios 10134 Jun 30 14:36 check_disk_smb
-rwxr-xr-x 1 nagios nagios 236792 Jun 30 14:36 check_dns
-rwxr-xr-x 1 nagios nagios 113168 Jun 30 14:36 check_dummy
-rwxr-xr-x 1 nagios nagios 5066 Jun 30 14:36 check_file_age
-rwxr-xr-x 1 nagios nagios 6504 Jun 30 14:36 check_flexlm
[nagios@nagios libexec]$ whoami
nagios
[nagios@nagios libexec]$ ./check_ping -H 127.0.0.1 -w 10,2% -c 20,5%
-bash: ./check_ping: Operation not permitted
[nagios@nagios libexec]$ sudo ./check_ping -H localhost -w 10,2% -c 20,5%
PING OK - Packet loss = 0%, RTA = 0.11 ms|rta=0.107000ms;10.000000;20.000000;0.000000 pl=0%;2;5;0
HERE IS SOMETHING TO CONSIDER:
(regular user)
[alincoln@nagios libexec]$ whoami
alincoln
[alincoln@nagios libexec]$ ./check_ping -H 127.0.0.1 -w 10,2% -c 20,5%
-bash: ./check_ping: Operation not permitted
[alincoln@nagios libexec]$ sudo ./check_ping -H 127.0.0.1 -w 10,2% -c 20,5%
PING OK - Packet loss = 0%, RTA = 0.09 ms|rta=0.088000ms;10.000000;20.000000;0.000000 pl=0%;2;5;0
AS ROOT
[root@nagios ~]# whoami
root
[root@nagios ~]# cd /usr/local/nagios/libexec/
[root@nagios libexec]# ./check_ping -H 127.0.0.1 -w 10,2% -c 20,5%
PING OK - Packet loss = 0%, RTA = 0.09 ms|rta=0.090000ms;10.000000;20.000000;0.000000 pl=0%;2;5;0
As long as sudo is placed there the commands seem to work.
It has to do something with elevating the privileges... I think!
I tried adding "nagios" to the sudoers group with the NOPASSWD: ALL
but it doesn't seem to matter.
In the end I do not want to give "Nagios" god rights, I am aiming to allow Nagios to run the commands that it needs, and that is it.
drwxr-xr-x. 2 nagios nagios 4096 Jun 30 14:36 libexec
-rwxr-xr-x 1 nagios nagios 229032 Jun 30 14:36 check_ping
-rwxr-xr-x 1 nagios nagios 162552 Jun 30 14:36 check_cluster
-rwxr-xr-x 1 nagios nagios 218680 Jun 30 14:36 check_dhcp
-rwxr-xr-x 1 nagios nagios 213512 Jun 30 14:36 check_dig
-rwxr-xr-x 1 nagios nagios 375896 Jun 30 14:36 check_disk
-rwxr-xr-x 1 nagios nagios 10134 Jun 30 14:36 check_disk_smb
-rwxr-xr-x 1 nagios nagios 236792 Jun 30 14:36 check_dns
-rwxr-xr-x 1 nagios nagios 113168 Jun 30 14:36 check_dummy
-rwxr-xr-x 1 nagios nagios 5066 Jun 30 14:36 check_file_age
-rwxr-xr-x 1 nagios nagios 6504 Jun 30 14:36 check_flexlm
[nagios@nagios libexec]$ whoami
nagios
[nagios@nagios libexec]$ ./check_ping -H 127.0.0.1 -w 10,2% -c 20,5%
-bash: ./check_ping: Operation not permitted
[nagios@nagios libexec]$ sudo ./check_ping -H localhost -w 10,2% -c 20,5%
PING OK - Packet loss = 0%, RTA = 0.11 ms|rta=0.107000ms;10.000000;20.000000;0.000000 pl=0%;2;5;0
HERE IS SOMETHING TO CONSIDER:
(regular user)
[alincoln@nagios libexec]$ whoami
alincoln
[alincoln@nagios libexec]$ ./check_ping -H 127.0.0.1 -w 10,2% -c 20,5%
-bash: ./check_ping: Operation not permitted
[alincoln@nagios libexec]$ sudo ./check_ping -H 127.0.0.1 -w 10,2% -c 20,5%
PING OK - Packet loss = 0%, RTA = 0.09 ms|rta=0.088000ms;10.000000;20.000000;0.000000 pl=0%;2;5;0
AS ROOT
[root@nagios ~]# whoami
root
[root@nagios ~]# cd /usr/local/nagios/libexec/
[root@nagios libexec]# ./check_ping -H 127.0.0.1 -w 10,2% -c 20,5%
PING OK - Packet loss = 0%, RTA = 0.09 ms|rta=0.090000ms;10.000000;20.000000;0.000000 pl=0%;2;5;0
As long as sudo is placed there the commands seem to work.
It has to do something with elevating the privileges... I think!
I tried adding "nagios" to the sudoers group with the NOPASSWD: ALL
but it doesn't seem to matter.
In the end I do not want to give "Nagios" god rights, I am aiming to allow Nagios to run the commands that it needs, and that is it.
-
- Posts: 5
- Joined: Mon Sep 08, 2014 1:15 pm
Re: failed. errno is 1: Operation not permitted
--UPDATE--
Stumbled across this:
[alincoln@nagios ~]$ sudo -u nagios -g nagios sudo /usr/local/nagios/libexec/check_ping -H 127.0.0.1 -w 10,2% -c 20,5%
PING OK - Packet loss = 0%, RTA = 0.09 ms|rta=0.094000ms;10.000000;20.000000;0.000000 pl=0%;2;5;0
So I thought if I add the same Sudo command to the commands.cfg that might help
--EXAMPLE--
define command {
command_name check-host-alive
command_line sudo -u nagios -g nagios sudo $USER1$/check_ping sudo -H $HOSTADDRESS$ -w 3000.0,80% -c 5000.0,100% -p 5
}
define command {
command_name check_ping
command_line sudo -u nagios -g nagios sudo $USER1$/check_ping sudo -H $HOSTADDRESS$ -w $ARG1$ -c $ARG2$ -p 5
}
Strange thing happened. on the host page, I get a green saying up, but still get the same error:
(No output on stdout) stderr: execvp(/usr/local/nagios/libexec/check_ping, ...) failed. errno is 1: Operation not permitted
but the Ping service still show yellow with the same errors.
I added screen shots now
Stumbled across this:
[alincoln@nagios ~]$ sudo -u nagios -g nagios sudo /usr/local/nagios/libexec/check_ping -H 127.0.0.1 -w 10,2% -c 20,5%
PING OK - Packet loss = 0%, RTA = 0.09 ms|rta=0.094000ms;10.000000;20.000000;0.000000 pl=0%;2;5;0
So I thought if I add the same Sudo command to the commands.cfg that might help
--EXAMPLE--
define command {
command_name check-host-alive
command_line sudo -u nagios -g nagios sudo $USER1$/check_ping sudo -H $HOSTADDRESS$ -w 3000.0,80% -c 5000.0,100% -p 5
}
define command {
command_name check_ping
command_line sudo -u nagios -g nagios sudo $USER1$/check_ping sudo -H $HOSTADDRESS$ -w $ARG1$ -c $ARG2$ -p 5
}
Strange thing happened. on the host page, I get a green saying up, but still get the same error:
(No output on stdout) stderr: execvp(/usr/local/nagios/libexec/check_ping, ...) failed. errno is 1: Operation not permitted
but the Ping service still show yellow with the same errors.
I added screen shots now
-
- Posts: 5
- Joined: Mon Sep 08, 2014 1:15 pm
Re: failed. errno is 1: Operation not permitted
--UPDATE--
Continued on my same thought and modified the Commands.cfg and visudo
Added "sudo -u nagios -g nagios sudo" in front of all the commands
--COMMANDS.CFG--
define command {
command_name check-host-alive
command_line sudo -u nagios -g nagios sudo $USER1$/check_ping sudo -H $HOSTADDRESS$ -w 3000.0,80% -c 5000.0,100% -p 5
}
Added nagios to run all commands without password
--VISUDO--
nagios ALL=(ALL) NOPASSWD: ALL
Then Rebooted
Everything started working.
I don't think this is the proper fix.
Anyone who stumbles upon this thread, please...offer up suggestions, don't let this be the FIX!
Continued on my same thought and modified the Commands.cfg and visudo
Added "sudo -u nagios -g nagios sudo" in front of all the commands
--COMMANDS.CFG--
define command {
command_name check-host-alive
command_line sudo -u nagios -g nagios sudo $USER1$/check_ping sudo -H $HOSTADDRESS$ -w 3000.0,80% -c 5000.0,100% -p 5
}
Added nagios to run all commands without password
--VISUDO--
nagios ALL=(ALL) NOPASSWD: ALL
Then Rebooted
Everything started working.
I don't think this is the proper fix.
Anyone who stumbles upon this thread, please...offer up suggestions, don't let this be the FIX!
-
- Posts: 5
- Joined: Mon Sep 08, 2014 1:15 pm
Re: failed. errno is 1: Operation not permitted
--UPDATE--
Made changes to Commands.cfg and visudo
Add a line at the end of VISUDO
--VISUDO--
## Allow nagios user to run needed commands
nagios ALL= NOPASSWD:/usr/local/nagios/libexec/*
Just added sudo in front of the commands
--COMMANDS--
define command {
command_name check_local_disk
command_line sudo $USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
}
Rebooted.
Looks better, still not sure if it the fix
Made changes to Commands.cfg and visudo
Add a line at the end of VISUDO
--VISUDO--
## Allow nagios user to run needed commands
nagios ALL= NOPASSWD:/usr/local/nagios/libexec/*
Just added sudo in front of the commands
--COMMANDS--
define command {
command_name check_local_disk
command_line sudo $USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
}
Rebooted.
Looks better, still not sure if it the fix