Hi all,
I got a request to do a MSSQL2000 replication status check via Nagios.
I got this sorted using a query and executing it via the check_mssql plugin. The expected result (0 or 1) is returned to Nagios.
It was brought to my attention that this method is a possible security breach for this SQL version, because a username and password are visible in plain text for everyone with access to this Nagios server and possibly via packet sniffing.
I've looked around in Exchange for various plugins which offer SQL checks, but they all appear to use this method of authentication.
Is there a workaround for this?
wrap mssql query
Re: wrap mssql query
You could use a couple $USERn$ macros in resource.cfg to hide the login credentials. See:
http://assets.nagios.com/downloads/nagi ... Macros.pdf
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
Re: wrap mssql query
Hello,
If encryption is a concern, you could use a different framework for communication - there are several, but the one that comes to mind is NCPA. Please keep in mind that NCPA is still in development, so there may be a few glitches. If you use NCPA for communication, the communication between Nagios and your Windows Server can be encrypted, and NCPA allows Nagios to remotely launch custom plugins on the Windows Server in question.
The only issue with this is that the plugin you are currently using (check_mssql) is not supported by the NCPA Agent on Windows. It looks like the supported formats (currently) are .sh, .ps1, and .vbs. Python support may also be added eventually. If you have a script that can run the check you want in any of the above formats, it should work through NCPA and will therefore be encrypted.
Please refer to the following tutorial if you plan on executing a custom plugin through NCPA: http://assets.nagios.com/downloads/ncpa ... ctive.html
Your command on the Nagios side may look something like this:
$USER1$/check_ncpa.py -H 192.168.1.1 -t test -M agent/plugin/check_microsoft_cluster.vbs -a "-U 'username' -P 'password' -D 'database'"
If you wanted to obscure the username and password in the above code, you could replace them with $USER$ variables defined in /usr/local/nagios/etc/resource.cfg.
If you cannot find a plugin, you may have to define one.
Does that help answer your question?
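For the $USERn$ suggestion in the two replies above, an added example (not part of the original thread and not Nagios tooling): a small audit that flags command definitions carrying literal -U/-P values instead of $USERn$ macros, and checks that resource.cfg is not readable by other users. The sample config, the macro numbers $USER3$/$USER4$, the account name and the function names are constructed for illustration.

```python
import re
import stat

# Constructed sample config: the first command embeds credentials, the second
# takes them from $USER3$/$USER4$ (macro numbers chosen for illustration).
SAMPLE_COMMANDS = """\
define command {
    command_name  check_repl_inline
    command_line  $USER1$/check_ncpa.py -H $HOSTADDRESS$ -M agent/plugin/check_microsoft_cluster.vbs -a "-U 'monitor_ro' -P 'ExamplePass1' -D 'database'"
}
define command {
    command_name  check_repl_macro
    command_line  $USER1$/check_ncpa.py -H $HOSTADDRESS$ -M agent/plugin/check_microsoft_cluster.vbs -a "-U '$USER3$' -P '$USER4$' -D 'database'"
}
"""

# -U/-P followed by an optionally quoted value; flag letters as in the thread's command.
CRED_FLAG = re.compile(r"""(?<![\w-])(-U|-P)\s+(['"]?)([^\s'"]+)\2""")
USER_MACRO = re.compile(r"^\$USER\d+\$$")


def find_inline_credentials(cfg_text):
    """Return (command_name, flag) for each -U/-P whose value is not a $USERn$ macro.

    The value itself is never returned, so the report does not leak the secret.
    """
    findings, name = [], None
    for line in cfg_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key == "command_name":
            name = value.strip()
        elif key == "command_line":
            for m in CRED_FLAG.finditer(value):
                if not USER_MACRO.match(m.group(3)):
                    findings.append((name, m.group(1)))
    return findings


def resource_mode_ok(mode):
    """True if the permission bits grant nothing to 'other' (e.g. 600 or 660)."""
    return (mode & stat.S_IRWXO) == 0


if __name__ == "__main__":
    for name, flag in find_inline_credentials(SAMPLE_COMMANDS):
        print(f"{name}: literal value after {flag}; move it to a $USERn$ macro")
```

On a real server, pass the contents of the object config files to `find_inline_credentials` and `stat.S_IMODE(os.stat(path).st_mode)` for resource.cfg to `resource_mode_ok`. The macros keep credentials out of the object configs; the values are still stored in clear text in resource.cfg and still appear on the plugin's command line.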
Re: wrap mssql query
NCPA is not a preferred option at this moment.
Correct me if I'm wrong: Using the resource.cfg still means that the credentials are stored on my Nagios server in plain text (just another location) and they're sent across the net that way.
That is exactly what I'm trying to avoid.
The ideal situation is an (encrypted) authentication file stored on the remote host which is in turn read and processed by Nagios.
Re: wrap mssql query
You can probably use a custom script to run the check locally on the remote host, then send the results to Nagios.
Be sure to check out our Knowledgebase for helpful articles and solutions!