NRPE communication via weak ciphers audit findings
Nagios 2014R1.2
RHEL 6.5 64bit
NRPE Agent V2.15
Client OS Solaris 10
We have a few audit findings relating to weak cipher communication via port 5666
SSL Weak Cipher Suites Supported
SSL Medium Strength Cipher Suites Supported
SSL RC4 Cipher Suites Supported
My question
1) Is this due to the nrpe agent compiled to support weak ciphers or the client host?
2) Is this due to Nagios itself communicating using weak ciphers?
"[Applies to both affected IPs and Port]
Here is the list of weak SSL ciphers supported by the remote server:
Low Strength Ciphers (< 56-bit key)
TLSv1
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
The fields above are:
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}"
Thanks
5 x Nagios 5.6.9 Enterprise Edition
RHEL 6 & 7
rrdcached & ramdisk optimisation
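To triage findings written in the scanner's OpenSSL-style format quoted above (ciphername, Kx=, Au=, Enc=, Mac=, optional export flag), here is an added parser that explains why each suite is flagged. It is example code, not from the thread or from Nagios; the sample lines are the two from the report plus a constructed anonymous-DH suite of the kind NRPE 2.x negotiates, and the thresholds in weaknesses() are the author's own.

```python
import re

# Constructed sample: the two lines from the quoted report plus one anonymous-DH
# suite (no export flag, full-strength AES) of the kind NRPE 2.x negotiates.
SAMPLE_FINDINGS = """\
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
ADH-AES256-SHA Kx=DH Au=None Enc=AES(256) Mac=SHA1
"""

_FIELD = re.compile(r"(\w+)=(\S+)")   # Kx=..., Au=..., Enc=..., Mac=...
_BITS = re.compile(r"\((\d+)\)")      # the (40), (512) style bit counts


def parse_cipher_line(line):
    """Split one finding line into name, kx, au, enc, mac, export and bit counts."""
    parts = line.split()
    rec = {"name": parts[0], "export": "export" in parts[1:]}
    for key, value in _FIELD.findall(line):
        rec[key.lower()] = value
    m = _BITS.search(rec.get("enc", ""))
    rec["enc_bits"] = int(m.group(1)) if m else None   # symmetric key size
    m = _BITS.search(rec.get("kx", ""))
    rec["kx_bits"] = int(m.group(1)) if m else None    # DH group size, if printed
    return rec


def weaknesses(rec):
    """Reasons an auditor flags this suite; thresholds are this example's own."""
    reasons = []
    if rec["export"]:
        reasons.append("export-grade suite")
    if rec["enc_bits"] is not None and rec["enc_bits"] < 56:
        reasons.append("low-strength symmetric key (< 56 bits)")
    if rec.get("au") == "None":
        reasons.append("anonymous key exchange: no server authentication")
    if rec.get("enc", "").startswith("RC4"):
        reasons.append("RC4 stream cipher")
    if rec.get("mac") == "MD5":
        reasons.append("MD5 MAC")
    if rec["kx_bits"] is not None and rec["kx_bits"] <= 1024:
        reasons.append(f"weak DH group ({rec['kx_bits']} bits)")
    return reasons


def triage(report):
    """Map each cipher name in a multi-line report to its list of weaknesses."""
    return {r["name"]: weaknesses(r)
            for r in (parse_cipher_line(l) for l in report.splitlines() if l.strip())}
```

Note that the third, non-export suite is still flagged: with Au=None the connection is never authenticated, which is the property of NRPE's default ADH configuration that the replies below are really about.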
Re: NRPE communication via weak ciphers audit findings
rajasegar wrote:
    1) Is this due to the nrpe agent compiled to support weak ciphers or the client host?
    2) Is this due to Nagios itself communicating using weak ciphers?
NRPE itself (the nrpe daemon and check_nrpe) uses a rather weak DH cipher. If this is a concern in your environment, I would suggest looking at using check_by_ssh instead. We are aware of the issues with NRPE, SSL, and the weak ciphers. We do want to implement better encryption for nrpe, but we currently do not have a roadmap for a fix.
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
Re: NRPE communication via weak ciphers audit findings
abrist wrote:
    rajasegar wrote:
        1) Is this due to the nrpe agent compiled to support weak ciphers or the client host?
        2) Is this due to Nagios itself communicating using weak ciphers?
    NRPE itself (the nrpe daemon and check_nrpe) uses a rather weak DH cipher. If this is a concern in your environment, I would suggest looking at using check_by_ssh instead. We are aware of the issues with NRPE, SSL, and the weak ciphers. We do want to implement better encryption for nrpe, but we currently do not have a roadmap for a fix.
No roadmap for a fix is not an acceptable answer.
This will cause a red flag in all pentests and cause issues for Nagios customers.
check_by_ssh is not usable under Windows as we don't have SSH running on the Windows servers.
Can check_by_ssh support all of check_nrpe's features?
Are there any examples for check_by_ssh as a check_nrpe replacement?
My concern is the load factor on the Nagios server, and it does not have the -u option that returns unknown for timeout errors.
Thanks
Re: NRPE communication via weak ciphers audit findings
rajasegar wrote:
    No roadmap for a fix is not an acceptable answer.
Acceptable or not, that's the current state of things - we do not have a date set in stone for when NRPE will be worked on. I wish I could say otherwise, but that is simply the truth and I do not want to lie to you for the sake of giving you a more appealing answer.
rajasegar wrote:
    This will cause a red flag in all pentests and cause issues for Nagios customers.
While I agree that security is always an important issue, there are other methods to run checks (ssh, NCPA, nsclient, WMI) that support stronger encryption which should be able to work as well or better for the same checks. I understand that it is a pain to switch over the agents, but if you must use NRPE and it isn't supporting strong enough ciphers then there simply is nothing I can do for you personally at this precise moment. There is always custom development if you want to put top priority on a project, but you would need to talk to our sales team about that.
rajasegar wrote:
    check_by_ssh is not usable under Windows as we don't have SSH running on the Windows servers.
In a case like this I would use NCPA or nsclient instead then. NCPA I believe uses SSL as it is an HTTP-based API, and nsclient should support a variety of methods as outlined on this page regarding integration with NSCA:
http://www.nsclient.org/nscp/wiki/NSCAAgent
rajasegar wrote:
    Can check_by_ssh support all of check_nrpe's features?
I can't say that SSH supports *all* NRPE features because they are two separate projects, however within the realm of monitoring with Nagios it essentially comes down to what commands can be run. In this regard they are almost the same, since both have the ability to run arbitrary commands.
rajasegar wrote:
    Are there any examples for check_by_ssh as a check_nrpe replacement?
NRPE check:
    ./check_nrpe -H 192.168.1.100 -c 'check_load'
check_by_ssh equivalent:
    ./check_by_ssh -H 192.168.1.100 -C '/usr/local/nagios/libexec/check_load -w 2,3,4 -c 4,5,6'
rajasegar wrote:
    My concern is the load factor on the Nagios server, and it does not have the -u option that returns unknown for timeout errors.
check_by_ssh does have a reputation for being somewhat resource-heavy, but if your checks are not timing out it is usually manageable. How many checks would you potentially be using it for, and how often do they time out?
Thanks
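One way to get the "-u" behaviour the poster misses when moving a check such as the check_by_ssh example above off NRPE: a small wrapper plugin that runs the real plugin under a hard deadline and reports a timeout as UNKNOWN (exit 3) rather than letting an SSH hang count as a service failure. This is an added example, not code from the thread or from the Nagios plugins; the wrapper name and the sample commands in the usage comment are assumptions.

```python
#!/usr/bin/env python3
"""Run a monitoring plugin with a deadline; a timeout becomes UNKNOWN (exit 3).

Example wrapper (hypothetical name: nrpe_u_wrapper.py), not part of Nagios or
monitoring-plugins. Exit status and the first output line of the wrapped plugin
are passed through unchanged on success, so Nagios sees the normal OK/WARNING/
CRITICAL result; only a deadline hit or a missing plugin is mapped to UNKNOWN.
"""
import subprocess
import sys

UNKNOWN = 3


def run_with_unknown_timeout(argv, timeout):
    """Return (exit_code, first_output_line) for the plugin command argv.

    subprocess.run kills the child when the timeout expires, so a hung ssh
    session does not pile up on the Nagios server.
    """
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except FileNotFoundError:
        return UNKNOWN, f"UNKNOWN: plugin not found: {argv[0]}"
    except subprocess.TimeoutExpired:
        return UNKNOWN, f"UNKNOWN: {argv[0]} timed out after {timeout}s"
    lines = (proc.stdout or proc.stderr).strip().splitlines()
    return proc.returncode, (lines[0] if lines else f"{argv[0]} produced no output")


def main():
    # Usage (assumed command line):
    #   nrpe_u_wrapper.py 10 ./check_by_ssh -H 192.168.1.100 \
    #       -C '/usr/local/nagios/libexec/check_load -w 2,3,4 -c 4,5,6'
    if len(sys.argv) < 3:
        print("UNKNOWN: usage: nrpe_u_wrapper.py <timeout-seconds> <plugin> [args...]")
        return UNKNOWN
    code, line = run_with_unknown_timeout(sys.argv[2:], float(sys.argv[1]))
    print(line)
    return code


if __name__ == "__main__":
    sys.exit(main())
```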
Re: NRPE communication via weak ciphers audit findings
What other agent options are there for unix machines besides nrpe & check_by_ssh?
We probably have about 7000 plus checks with nrpe. Most of them don't time out unless there is an issue with the network or the client machine.
Re: NRPE communication via weak ciphers audit findings
rajasegar wrote:
    What other agent options are there for unix machines besides nrpe & check_by_ssh?
SNMP, NCPA, NRDS (passive checks).
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: NRPE communication via weak ciphers audit findings
I would actually suggest passive checks if you have the option. With that many services it will greatly decrease the load on the server.
Re: NRPE communication via weak ciphers audit findings
tmcdonald wrote:
    I would actually suggest passive checks if you have the option. With that many services it will greatly decrease the load on the server.
Passive checks are not reliable as we are depending on the client to send back details.
What happens if for some reason it does not? How will we know about it?
Does NCPA have an agent for Solaris, AIX?
Re: NRPE communication via weak ciphers audit findings
If the passive checks are not coming back you can set what is called a Freshness Check on them, which is essentially a forced Active check that is run if a passive result is not received in a certain amount of time. This can be a check that does something like check_by_ssh to get the data, or it can simply go critical and alert you that no result was received.
As for NCPA, I would have to defer to someone with more experience running Solaris or AIX. I have not personally spoken with anyone who runs it on Solaris or AIX, but since it is python-based it should work assuming the underlying OS-specific functionality is still the same as in a Linux OS.
Re: NRPE communication via weak ciphers audit findings
What is the dependency of ncpa on the client?
Does it need python runtime to be installed?
I still cannot find any resource for installing / building ncpa in Solaris & AIX.