root ssh
Posted: Mon Sep 20, 2021 9:52 am
by bradawk
We are using Nagios 4.4.6 and have the NRPE service set up for communication. Recently our security team contacted me and asked why root was ssh'ing to each server in our rack from the Nagios server. I have no idea. If Nagios is set up to run through NRPE, is there any reason it would also be ssh'ing in as root?
Re: root ssh
Posted: Mon Sep 20, 2021 4:48 pm
by benjaminsmith
Hi,
If you're using NRPE, it should be using the nagios user account on the remote hosts. I would check your service/hosts definitions; maybe you have some commands/checks set up using ssh.
Benjamin
Re: root ssh
Posted: Tue Sep 21, 2021 4:37 am
by bradawk
OK. I did find:
define command {
    command_name check_ssh
    command_line $USER1$/check_ssh $ARG1$ $HOSTADDRESS$
}
I do see a binary under /usr/lib64/nagios/plugins called check_ssh. I'm just not sure where $USER1$ and $ARG1$ are defined?
Re: root ssh
Posted: Tue Sep 21, 2021 4:46 am
by bradawk
OK. I think I found my answer. USER1 is defined in resources.cfg and points to the above path. ARG1 is defined in services.cfg. In it, I see:
define service {
    use generic-service
    hostgroups a,b,c
    service_description SSH
    check_command check_ssh
}
If I am reading that correctly, then $ARG1$ will be nothing, correct? So, I would assume the ssh session would be done by the user it is running under? Is that correct?
Re: root ssh
Posted: Wed Sep 22, 2021 4:27 am
by bradawk
The Nagios service is running under the user nagios. So, why should the audit logs keep seeing root attempting to ssh to each host? Does not make sense.
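The review suggested earlier in the thread (checking command and service definitions for SSH-based checks), as an added example that is not part of any post: it expands the macros in each service's check_command and flags command lines that invoke check_by_ssh or an ssh client. The sample config is constructed; the check_disk_by_ssh command and the Disk service are hypothetical, and the function names are this example's own.

```python
import re

# Constructed sample: the first command and service are modelled on the thread;
# the check_by_ssh command and the "Disk" service are hypothetical additions.
SAMPLE = r"""
define command {
    command_name check_ssh
    command_line $USER1$/check_ssh $ARG1$ $HOSTADDRESS$
}
define command {
    command_name check_disk_by_ssh
    command_line $USER1$/check_by_ssh -H $HOSTADDRESS$ -l $ARG1$ -C "$ARG2$"
}
define service {
    service_description SSH
    check_command check_ssh
}
define service {
    service_description Disk
    check_command check_disk_by_ssh!root!df -h
}
"""
USER_MACROS = {"USER1": "/usr/lib64/nagios/plugins"}  # path given in the thread

def parse_objects(text):
    """Return (type, {directive: value}) for each 'define <type> { ... }' block."""
    objs = []
    for kind, body in re.findall(r"define\s+(\w+)\s*\{(.*?)\}", text, re.S):
        pairs = (line.split(None, 1) for line in body.strip().splitlines())
        objs.append((kind, {p[0]: p[1].strip() for p in pairs if len(p) == 2}))
    return objs

def expand(check_command, commands, host="HOST"):
    """Substitute $USERn$, $ARGn$ and $HOSTADDRESS$ into the command_line."""
    name, *args = check_command.split("!")
    macros = dict(USER_MACROS, HOSTADDRESS=host)
    macros.update({f"ARG{i}": a for i, a in enumerate(args, 1)})
    # A macro with no value (such as $ARG1$ when nothing follows '!') becomes empty.
    line = re.sub(r"\$(\w+)\$", lambda m: macros.get(m.group(1), ""), commands[name])
    return " ".join(line.split())

def audit(text):
    """List (service, expanded command, runs_ssh_client) for every service."""
    objs = parse_objects(text)
    commands = {o["command_name"]: o["command_line"] for k, o in objs if k == "command"}
    lines = [(o["service_description"], expand(o["check_command"], commands))
             for k, o in objs if k == "service"]
    return [(d, l, bool(re.search(r"check_by_ssh\b|\bssh\b", l))) for d, l in lines]

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

To use it on a real installation, pass the concatenated text of the object config files to audit() and set USER_MACROS from the resource file.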