Unable to suppress alerts after 2014R2.6 update

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
highness
Posts: 192
Joined: Thu May 01, 2014 4:25 pm

Unable to suppress alerts after 2014R2.6 update

Post by highness »

Did an upgrade from 2014R2.4 to 2014R2.6 yesterday. Things seemed to be fine, but we noticed this morning that all administrators are unable to schedule downtime. When they try to do that, they get the following message:

Sorry, but you are not authorized to commit the specified command.

Read the section of the documentation that deals with authentication and authorization.


When I review all the administrators, their accounts all look similar:
cmerchant
Posts: 546
Joined: Wed Sep 24, 2014 11:19 am

Re: Unable to suppress alerts after 2014R2.6 update

Post by cmerchant »

What are the permissions on the following files/directories?

Code: Select all

ls -la /usr/local/nagios/var/rw/nagios.cmd
ls -la /usr/local/nagios/var/rw/
highness
Posts: 192
Joined: Thu May 01, 2014 4:25 pm

Re: Unable to suppress alerts after 2014R2.6 update

Post by highness »

cmerchant wrote:What are the permissions on the following files/directories?

Code: Select all

ls -la /usr/local/nagios/var/rw/nagios.cmd
root@fe1(Linux) $ ls -la /usr/local/nagios/var/rw/nagios.cmd
prw-rw---- 1 nagios nagios 0 Apr 14 11:33 /usr/local/nagios/var/rw/nagios.cmd

Code: Select all

ls -la /usr/local/nagios/var/rw/
root@fe1(Linux) $ ls -la /usr/local/nagios/var/rw/
total 12
drwxrwsr-x 2 nagios nagios 4096 Apr 14 11:22 .
drwxrwxr-x 6 nagios nagios 4096 Apr 14 11:34 ..
prw-rw---- 1 nagios nagios 0 Apr 14 11:33 nagios.cmd
srw-rw---- 1 nagios nagios 0 Apr 14 11:22 nagios.qh
-rw-rw-r-- 1 nagios nagios 1067 Dec 19 15:01 nsca.dump
cmerchant
Posts: 546
Joined: Wed Sep 24, 2014 11:19 am

Re: Unable to suppress alerts after 2014R2.6 update

Post by cmerchant »

Could you issue the following:

Code: Select all

grep nag /etc/group
Could you run the following commands: (to reset the file permissions)

Code: Select all

cd /usr/local/nagiosxi/scripts/
./reset_config_perms
highness
Posts: 192
Joined: Thu May 01, 2014 4:25 pm

Re: Unable to suppress alerts after 2014R2.6 update

Post by highness »

cmerchant wrote:Could you issue the following:

Code: Select all

grep nag /etc/group
root@fe1(Linux) $ grep nag /etc/group
nagios:x:500:nagios,apache,snmptt
nagcmd:x:501:nagios,apache,snmptt


Could you run the following commands: (to reset the file permissions)

Code: Select all

cd /usr/local/nagiosxi/scripts/
./reset_config_perms
SETUID ROOT OK
RESETTING PERMS
Did that. Still can't suppress.
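
The checks requested so far in this thread (command pipe type and mode, setgid bit on the rw directory, web server user in the pipe's group) can be collected into one script. This is an added example, not part of the original posts and not Nagios XI code; the function names and the `--live` switch are assumptions, and the expected values are the ones shown in the listings above.

```shell
#!/bin/bash
# Added example: file-system preconditions for the web UI to submit external
# commands, using the values shown in the listings above.

# check_cmd_pipe PATH OWNER GROUP
# Pass only if PATH is a named pipe with mode 660 (prw-rw----) owned by OWNER:GROUP.
check_cmd_pipe() {
    local path=$1 owner=$2 group=$3 meta
    [ -p "$path" ] || { echo "FAIL: $path is not a named pipe"; return 1; }
    meta=$(stat -c '%a %U %G' "$path") || return 1   # GNU stat
    [ "$meta" = "660 $owner $group" ] || {
        echo "FAIL: $path is '$meta', expected '660 $owner $group'"; return 1; }
    echo "OK: $path ($meta)"
}

# check_rw_dir DIR
# Pass only if DIR exists and has the setgid bit (the 's' in drwxrwsr-x), so
# files created inside it inherit the directory's group.
check_rw_dir() {
    [ -d "$1" ] || { echo "FAIL: $1 is not a directory"; return 1; }
    [ -g "$1" ] || { echo "FAIL: $1 lacks the setgid bit"; return 1; }
    echo "OK: $1 is setgid"
}

# group_has_member GROUPFILE GROUP USER
# Pass only if USER is in GROUP's member list (4th field) in GROUPFILE.
group_has_member() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$1"
}

# audit_nagios_cmd_access [WEBUSER]
# Runs all checks against the paths from this thread; WEBUSER defaults to apache.
audit_nagios_cmd_access() {
    local rw=/usr/local/nagios/var/rw web=${1:-apache} rc=0
    check_rw_dir "$rw" || rc=1
    check_cmd_pipe "$rw/nagios.cmd" nagios nagios || rc=1
    group_has_member /etc/group nagios "$web" ||
        { echo "FAIL: $web is not listed in group nagios"; rc=1; }
    return $rc
}

# Only touch the live system when asked to (hypothetical switch).
if [ "${1:-}" = "--live" ]; then audit_nagios_cmd_access; fi
```

The listings posted above already satisfy all three checks, so a pass here only rules out file-system permissions as the cause of the authorization error.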
cmerchant
Posts: 546
Joined: Wed Sep 24, 2014 11:19 am

Re: Unable to suppress alerts after 2014R2.6 update

Post by cmerchant »

Could you check for us your sudoer file and /etc/sudoers.d/:

Code: Select all

ls -l /etc/sudo*
and

Code: Select all

cat /etc/sudoers
highness
Posts: 192
Joined: Thu May 01, 2014 4:25 pm

Re: Unable to suppress alerts after 2014R2.6 update

Post by highness »

cmerchant wrote:Could you check for us your sudoer file and /etc/sudoers.d/:

Code: Select all

ls -l /etc/sudo*
root@fe1(Linux) $ ls -l /etc/sudo*
-rw-r----- 1 root root 1786 Sep 25 2012 /etc/sudo.conf
-r--r----- 1 root root 6842 Apr 13 12:22 /etc/sudoers
-rw-r----- 1 root root 3181 Jul 31 2014 /etc/sudo-ldap.conf

and
cat /etc/sudoers

Code: Select all

root@fe1(Linux) $ cat /etc/sudoers
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#         You have to run "ssh -t hostname sudo <cmd>".
#
############Defaults    requiretty

#
# Refuse to run if unable to disable echo on the tty. This setting should also be
# changed in order to be able to use sudo without a tty. See requiretty above.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## 	user	MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root	ALL=(ALL) 	ALL
%lnxadms        ALL=(ALL)       NOPASSWD: ALL
%sudoers        ALL=(ALL)       NOPASSWD: ALL



## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
# %wheel	ALL=(ALL)	ALL

## Same thing without a password
# %wheel	ALL=(ALL)	NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

# NEEDED TO ALLOW NAGIOS TO CHECK SERVICE STATUS
Defaults:nagios !requiretty
nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_init_service

# ASTERISK-SPECIFIC CHECKS
# NOTE: You can uncomment the following line if you are monitoring Asterisk locally
#nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_asterisk_sip_peers.sh, /usr/local/nagios/libexec/nagisk.pl, /usr/sbin/asterisk


# NEEDED TO ALLOW NAGIOS TO CHECK SERVICE STATUS
Defaults:nagios !requiretty
nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_init_service

# ASTERISK-SPECIFIC CHECKS
# NOTE: You can uncomment the following line if you are monitoring Asterisk locally
#nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_asterisk_sip_peers.sh, /usr/local/nagios/libexec/nagisk.pl, /usr/sbin/asterisk


# NEEDED TO ALLOW NAGIOS TO CHECK SERVICE STATUS
Defaults:nagios !requiretty
nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_init_service

# ASTERISK-SPECIFIC CHECKS
# NOTE: You can uncomment the following line if you are monitoring Asterisk locally
#nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_asterisk_sip_peers.sh, /usr/local/nagios/libexec/nagisk.pl, /usr/sbin/asterisk





User_Alias      NAGIOSXI=nagios
User_Alias		NAGIOSXIWEB=apache
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios start
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios stop
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios restart
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios reload
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios status
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios checkconfig
NAGIOSXI ALL = NOPASSWD:/etc/init.d/ndo2db start
NAGIOSXI ALL = NOPASSWD:/etc/init.d/ndo2db stop
NAGIOSXI ALL = NOPASSWD:/etc/init.d/ndo2db restart
NAGIOSXI ALL = NOPASSWD:/etc/init.d/ndo2db reload
NAGIOSXI ALL = NOPASSWD:/etc/init.d/ndo2db status
NAGIOSXI ALL = NOPASSWD:/etc/init.d/npcd start
NAGIOSXI ALL = NOPASSWD:/etc/init.d/npcd stop
NAGIOSXI ALL = NOPASSWD:/etc/init.d/npcd restart
NAGIOSXI ALL = NOPASSWD:/etc/init.d/npcd reload
NAGIOSXI ALL = NOPASSWD:/etc/init.d/npcd status
NAGIOSXI ALL = NOPASSWD:/usr/bin/nmap *
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/upgrade_to_latest.sh
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/change_timezone.sh
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/manage_services.sh *
NAGIOSXIWEB ALL = NOPASSWD:/usr/bin/tail -100 /var/log/messages
NAGIOSXIWEB ALL = NOPASSWD:/usr/bin/tail -100 /var/log/httpd/error_log
NAGIOSXIWEB ALL = NOPASSWD:/usr/bin/tail -100 /var/log/mysqld.log
NAGIOSXIWEB ALL = NOPASSWD:/usr/bin/nmap *
NAGIOSXIWEB ALL = NOPASSWD:/etc/init.d/snmptt restart
NAGIOSXIWEB ALL = NOPASSWD:/usr/local/nagiosxi/scripts/repair_databases.sh
NAGIOSXIWEB ALL = NOPASSWD:/usr/local/nagiosxi/scripts/manage_services.sh *

ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Unable to suppress alerts after 2014R2.6 update

Post by ssax »

You may already know this, but the text box for host is case sensitive. Are you sure you're using the proper case?
cmerchant
Posts: 546
Joined: Wed Sep 24, 2014 11:19 am

Re: Unable to suppress alerts after 2014R2.6 update

Post by cmerchant »

Can you tail your Apache error log and show us the output after attempting the scheduled downtime?

Code: Select all

tail -f /var/log/httpd/error_log
It is an obscure error. Anything unusual in the upgrade log?

Code: Select all

cat /tmp/nagiosxi/upgrade.log
There is a related forum post with the same error message:

http://support.nagios.com/forum/viewtop ... 60#p104312
highness
Posts: 192
Joined: Thu May 01, 2014 4:25 pm

Re: Unable to suppress alerts after 2014R2.6 update

Post by highness »

cmerchant wrote:Can you tail your Apache error log and show us the output after attempting the scheduled downtime?

Code: Select all

tail -f /var/log/httpd/error_log
suppress.txt
It is an obscure error. Anything unusual in the upgrade log?

Code: Select all

cat /tmp/nagiosxi/upgrade.log
upgrade.log
There is a related forum post with the same error message:

http://support.nagios.com/forum/viewtop ... 60#p104312
I'll check that thread out as well...