Hi,
I am trying to monitor an MSSQL DB using the plugin check_xi_mssql_database; my trouble here is that I will have to enter DB credentials which have SA privileges as cleartext in the ARG1 field, which is not so secure.
So is there any way to not key in the password at the XI new service prompt, but to save it somewhere in an encrypted form?
MSSQL monitoring credentials
Re: MSSQL monitoring credentials
Not encrypted, but stored on the filesystem and referenced as something like "$USER5$" in the arguments:
https://assets.nagios.com/downloads/nag ... Macros.pdf
Former Nagios employee
Re: MSSQL monitoring credentials
It would have been better if the password were encrypted, but this helps. Let me configure it this way for now. Meanwhile, please let me know if there is any way to encrypt the password like people do in BMC Patrol or BPPM tools.
Re: MSSQL monitoring credentials
Please take some time to ensure that the resource.cfg file is only accessible by the 'nagios' user. Unfortunately, encryption isn't available for resource.cfg, and would depend on the individual plugin's capability.
Re: MSSQL monitoring credentials
Maybe I will set the permissions of this file so that it is accessible only by the Nagios account. If at all you can, please put password encryption on the to-do checklist.
Thank you.
Re: MSSQL monitoring credentials
The difficulty with password encryption is that if Nagios can decrypt the file, then anyone with access to the machine can decrypt the file. We can certainly look into obfuscation methods, but since Core is open-source then anyone who can read code can look at the decryption routine. Encryption at the XI level would not work since the Core engine would need to request this from XI every time a check is run, and that too can be easily circumvented.
If you have a solution I would be more than happy to bring it to the devs' attention.
Former Nagios employee
Re: MSSQL monitoring credentials
I have nothing. I am just a BMC Patrol user who is moving the infra to Nagios XI monitoring.
Understand how things are done in Nagios world. Thanks for explaining.
Re: MSSQL monitoring credentials
I wouldn't say this is a Nagios thing, rather a general security problem:
http://stackoverflow.com/questions/2664 ... plain-text
The hard truth is that if you want/need to use a password in an automated fashion, it gets really difficult to keep things secure. The best you can do is lock the file down from non-nagios user access, but that means anyone with root access will be able to see it. Now granted, if you are concerned about security then nobody should have root but for one person, but this is not a silver bullet.
Former Nagios employee
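The two mitigations discussed in this thread (keep the password behind a `$USERn$` macro in resource.cfg, and lock that file down to the nagios user) can be checked with a short audit. This is an added example, not code from any poster or from Nagios. Assumptions: the owning account is named `nagios`, the plugin takes the password after `-P` or `--password`, and the sample file content and argument strings are constructed.

```python
import os
import pwd
import re
import stat
import tempfile

MACRO_DEF = re.compile(r"^\s*(\$USER\d+\$)\s*=")
# Assumption: the plugin takes the password after -P / --password.
PASSWORD_ARG = re.compile(r"(?:-P|--password)[=\s]+(\S+)")
MACRO_REF = re.compile(r"^['\"]?\$USER\d+\$['\"]?$")


def audit_permissions(path, expected_owner="nagios"):
    """Return findings for a resource file; an empty list means locked down."""
    st = os.stat(path)
    findings = []
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:  # uid with no passwd entry
        owner = str(st.st_uid)
    if owner != expected_owner:
        findings.append(f"owner is {owner}, expected {expected_owner}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} lets group/other in; chmod 600")
    return findings


def defined_macros(path):
    """Names of the $USERn$ macros the file sets; values are never returned."""
    with open(path, encoding="utf-8") as fh:
        return [m.group(1) for m in map(MACRO_DEF.match, fh) if m]


def literal_password(args):
    """True if the argument string carries a password that is not a macro."""
    m = PASSWORD_ARG.search(args)
    return bool(m) and not MACRO_REF.match(m.group(1))


if __name__ == "__main__":
    # Constructed sample; on a real host pass the path to resource.cfg instead.
    with tempfile.NamedTemporaryFile("w", suffix=".cfg", delete=False) as tmp:
        tmp.write("$USER1$=/usr/local/nagios/libexec\n$USER5$=NotARealPassword\n")
    os.chmod(tmp.name, 0o644)
    print(audit_permissions(tmp.name), defined_macros(tmp.name))
    print(literal_password("-U sa -P 'NotARealPassword'"))
    os.remove(tmp.name)
```

As the replies above point out, a clean result only narrows who can read the password: root and the nagios account itself still can.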
Re: MSSQL monitoring credentials
Get it now. Thank you.
Re: MSSQL monitoring credentials
I'll be closing this thread now, but feel free to open another if you need anything in the future.
Former Nagios employee