root ssh

Posted: Mon Sep 20, 2021 9:52 am
by bradawk
We are using nagios 4.4.6 and have the nrpe service set up for communication. Recently our security team contacted me and asked why root was ssh'ing to each server in our rack from the nagios server? I have no idea. If Nagios is set up to run through nrpe, is there any reason it would also be ssh'ing in as root?

Re: root ssh

Posted: Mon Sep 20, 2021 4:48 pm
by benjaminsmith
Hi,

If you're using NRPE, it should be using the nagios user account on the remote hosts. I would check your service/hosts definitions, maybe you have some commands/checks set up using ssh.

Benjamin
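
One way to carry out the check suggested above, as an added example that is not part of the original thread: a small Python script that parses Nagios object definitions, flags commands that open an authenticated SSH session (`check_by_ssh` or a raw `ssh`/`scp`/`sftp` call), and lists the login user and the services that use them. The sample configuration, the command name `check_disk_remote` and the function names are constructed for illustration.

```python
import re

# Constructed sample object config, not taken from the thread's server.
SAMPLE_CFG = """
define command {
    command_name    check_ssh
    command_line    $USER1$/check_ssh $ARG1$ $HOSTADDRESS$
}
define command {
    command_name    check_disk_remote
    command_line    $USER1$/check_by_ssh -H $HOSTADDRESS$ -l root -C "df -h"
}
define service {
    hostgroups           a,b,c
    service_description  Disk
    check_command        check_disk_remote!80
}
"""

BLOCK = re.compile(r"define\s+(\w+)\s*\{(.*?)\}", re.S)
# Tools that open an authenticated session. check_ssh is deliberately absent:
# it reads the server banner on the SSH port and does not log in.
LOGIN = re.compile(r"(?:^|[\s/])(check_by_ssh|ssh|scp|sftp)(?=\s|$)")
USER = re.compile(r"(?:^|\s)(?:-l|--logname)[=\s]+(\S+)|(\S+)@")

def parse_objects(text):
    """Return (object_type, {directive: value}) for every define block."""
    objs = []
    for kind, body in BLOCK.findall(text):
        attrs = {}
        for line in body.splitlines():
            parts = line.split(";", 1)[0].split(None, 1)  # drop ';' comments
            if len(parts) == 2 and not parts[0].startswith("#"):
                attrs[parts[0]] = parts[1].strip()
        objs.append((kind, attrs))
    return objs

def find_ssh_logins(text):
    """List (command, tool, login user or None, services using it)."""
    objs = parse_objects(text)
    hits = []
    for kind, a in objs:
        tool = LOGIN.search(a.get("command_line", "")) if kind == "command" else None
        if tool:
            m = USER.search(a["command_line"])
            user = (m.group(1) or m.group(2)) if m else None  # None: daemon's own account
            used_by = [s.get("service_description") for k, s in objs if k == "service"
                       and s.get("check_command", "").split("!")[0] == a.get("command_name")]
            hits.append((a.get("command_name"), tool.group(1), user, used_by))
    return hits
```

Calling `find_ssh_logins()` on the concatenated contents of the object configuration files returns one tuple per login-capable command; a user of `None` means the command does not name one, so the session runs as the account executing the check.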

Re: root ssh

Posted: Tue Sep 21, 2021 4:37 am
by bradawk
OK. I did find:

define command {
    command_name    check_ssh
    command_line    $USER1$/check_ssh $ARG1$ $HOSTADDRESS$
}
I do see a binary under /usr/lib64/nagios/plugins called check_ssh. I'm just not sure where $USER1$ and $ARG1$ are defined?

Re: root ssh

Posted: Tue Sep 21, 2021 4:46 am
by bradawk
OK. I think I found my answer. USER1 is defined in resources.cfg and points to the above path. ARG1 is defined in services.cfg. In it, I see:

define service {
   use                  generic-service
   hostgroups           a,b,c
   service_description  SSH
   check_command        check_ssh
}
If I am reading that correctly, then $ARG1$ will be nothing, correct? So, I would assume the ssh session would be done by the user it is running under? Is that correct?

Re: root ssh

Posted: Wed Sep 22, 2021 4:27 am
by bradawk
The Nagios service is running under the user nagios. So, why should the audit logs keep seeing root attempting to ssh to each host? Does not make sense.