root ssh

Engage with the community of users including those using the open source solutions.
Includes Nagios Core, Plugins, and NCPA

root ssh

Postby bradawk » Mon Sep 20, 2021 9:52 am

We are using nagios 4.4.6 and have the nrpe service set up for communication. Recently our security team contacted me and asked why root was ssh'ing to each server in our rack from the nagios server? I have no idea. If Nagios is set up to run through nrpe, is there any reason it would also be ssh'ing in as root?
bradawk
 
Posts: 4
Joined: Wed Sep 15, 2021 10:19 am

Re: root ssh

Postby benjaminsmith » Mon Sep 20, 2021 4:48 pm

Hi,

If you're using NRPE, it should be using the nagios user account on the remote hosts. I would check your service/hosts definitions, maybe you have some commands/checks set up using ssh.

Benjamin
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
User avatar
benjaminsmith
 
Posts: 5068
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: root ssh

Postby bradawk » Tue Sep 21, 2021 4:37 am

OK. I did find:

Code: Select all
define command {
    command_name    check_ssh
    command_line    $USER1$/check_ssh $ARG1$ $HOSTADDRESS$
}


I do see a binary under /usr/lib64/nagios/plugins called check_ssh. I'm just not sure where $USER1$ and $ARG1$ are defined?
bradawk
 
Posts: 4
Joined: Wed Sep 15, 2021 10:19 am

Re: root ssh

Postby bradawk » Tue Sep 21, 2021 4:46 am

OK. I think I found my answer. USER1 is defined in resources.cfg and points to the above path. ARG1 is defined in services.cfg. In it, I see:

Code: Select all
define service {
   use                  generic-service
   hostgroups           a,b,c
   service_description  SSH
   check_command        check_ssh
}


If I am reading that correctly, then $ARG1$ will be nothing, correct? So, I would assume the ssh session would be done by the user it is running under? Is that correct?
bradawk
 
Posts: 4
Joined: Wed Sep 15, 2021 10:19 am

Re: root ssh

Postby bradawk » Wed Sep 22, 2021 4:27 am

The Nagios service is running under the user nagios. So, why should the audit logs keep seeing root attempting to ssh to each host? Does not make sense.
bradawk
 
Posts: 4
Joined: Wed Sep 15, 2021 10:19 am


Return to Community Support

Who is online

Users browsing this forum: No registered users and 27 guests