Nagios user account on Linux hosts - Urgent

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
Beena_Jogin
Posts: 54
Joined: Fri Jan 22, 2016 4:58 am

Post by Beena_Jogin »

Hi,

We need the following information:

1) What's the use of the Nagios account on the Linux servers for the Linux agent, and why is this account created?
2) This account was a "nologin" account when we checked on the Linux host after agent installation.
3) What is the default password set for this Nagios account?
4) We have a situation in our organization that the Nagios account is more vulnerable to attacks, and we have been asked to change this password on all the Linux hosts.
If we change the password (if it exists), will there be any communication lost between the Nagios Management server and the remote Linux hosts?
5) Are there any cases of such security issues with the Nagios account?

We are waiting for your response on this before taking any action on the production environment. Please help.

Thanks,
Beena
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Post by hsmith »

Beena_Jogin wrote: 1) What's the use of the Nagios account on the Linux servers for the Linux agent, and why is this account created?
This account is used for the Nagios plugins and the NRPE daemon. It is safer than running it as root.

Beena_Jogin wrote: 2) This account was a "nologin" account when we checked on the Linux host after agent installation.
Can you show me the entry in /etc/passwd? How did you install NRPE? Did you use the fullinstall script?

Beena_Jogin wrote: What is the default password set for this Nagios account?
There is not one.

Beena_Jogin wrote: 4) We have a situation in our organization that the Nagios account is more vulnerable to attacks, and we have been asked to change this password on all the Linux hosts.
There's not a password currently, most likely. Can you please explain how the Nagios account is more vulnerable to attacks?

Beena_Jogin wrote: If we change the password (if it exists), will there be any communication lost between the Nagios Management server and the remote Linux hosts?
There shouldn't be, but I have not tested this personally.

Beena_Jogin wrote: 5) Are there any cases of such security issues with the Nagios account?
Not to my knowledge.
Former Nagios Employee.
me.
bwallace
Posts: 1145
Joined: Tue Nov 17, 2015 1:57 pm

Post by bwallace »

Regarding security, I'd like to add that if one does a generic search for 'Nagios NRPE Security Vulnerability' they will find this:
http://seclists.org/fulldisclosure/2014/Apr/240

This has already been addressed by my colleague tmcdonald in this forum https://support.nagios.com/forum/viewto ... 7&p=144419. Here is his response:
The problem with that article is that we make it very clear ourselves that allowing arguments makes your NRPE install vulnerable.

What you are doing when you allow arguments is, on the surface, making configuration easier. Instead of defining warning and critical levels on the remote machine's config, you can define them in Nagios. That's great and all, but under the surface you are allowing basically any arguments regardless of their intent. So in a Linux example, your intent might be to have a check that runs check_load and pass in -w 2 -c 5 from Nagios, but nothing is stopping you from passing in -w 2 -c 5 && rm -rf / and hosing your system.

As such, I can't call this a vulnerability as much as I can call it a dangerous feature.

So to answer your questions directly:

1.) The feature is still around, but with arguments disabled it is not exploitable (barring, of course, any 0-day attacks)
2.) Ideally you are only letting certain IP addresses query port 5667 (did you mean to say 5666?), so any attacks (short of an exploit on your firewall) would need to come from the Nagios machine. That being said, if you have arguments enabled then you will still face the possibility of malicious arguments.
3.) Disabling arguments will make NRPE more secure, but increase the configuration time required. Security never simplifies anything, and NRPE is no exception. NCPA is only a bit more locked down (requiring an auth token), but the argument parsing is somewhat broken at the moment.
Be sure to check out the Knowledgebase for helpful articles and solutions!
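
A check for the argument-passing risk described in the quoted response, added here as an example and not code from the thread or from Nagios. It parses nrpe.cfg text and reports the settings that decide whether caller-supplied arguments reach a command line; `dont_blame_nrpe`, `allow_bash_command_substitution` and `allowed_hosts` are NRPE's own directive names, while the sample config and plugin paths are constructed.

```python
import re

# Constructed sample nrpe.cfg for illustration, not taken from the thread.
SAMPLE_CFG = """\
# constructed example
server_port=5666
nrpe_user=nagios
allowed_hosts=127.0.0.1,192.0.2.10
dont_blame_nrpe=1
command[check_users]=/usr/lib64/nagios/plugins/check_users -w 5 -c 10
command[check_load]=/usr/lib64/nagios/plugins/check_load $ARG1$
"""

def parse_nrpe_cfg(text):
    """Return (directives, commands) from nrpe.cfg text, skipping comments."""
    directives, commands = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = re.fullmatch(r"command\[(.+)\]", key)
        if m:
            commands[m.group(1)] = value
        else:
            directives[key] = value
    return directives, commands

def audit_nrpe_cfg(text):
    """Return findings about argument passing and network exposure."""
    directives, commands = parse_nrpe_cfg(text)
    findings = []
    # Arguments are off unless this directive is explicitly set to 1.
    args_enabled = directives.get("dont_blame_nrpe", "0") == "1"
    if args_enabled:
        findings.append("dont_blame_nrpe=1: the caller supplies command arguments")
    if directives.get("allow_bash_command_substitution", "0") == "1":
        findings.append("allow_bash_command_substitution=1: $(...) accepted in arguments")
    if not directives.get("allowed_hosts"):
        findings.append("allowed_hosts is not set: NRPE itself does not restrict source addresses")
    for name, cmd in sorted(commands.items()):
        if re.search(r"\$ARG\d+\$", cmd):
            state = "live" if args_enabled else "inert while arguments are disabled"
            findings.append(f"command[{name}] uses $ARGn$ macros ({state})")
    return findings

if __name__ == "__main__":
    for finding in audit_nrpe_cfg(SAMPLE_CFG):
        print("-", finding)
```
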

Post by Beena_Jogin »

Thanks for the information.

The contents of /etc/passwd are below:

nagios:x:103:158::/var/spool/nagios:/sbin/nologin

Post by bwallace »

OK, so you installed NRPE via EPEL, and your /etc/passwd contents are default. Did you have any other questions?
Be sure to check out the Knowledgebase for helpful articles and solutions!
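
One way to verify the account state discussed in this thread, added here as an example and not code from the thread or from Nagios. The nagios passwd line is the one posted above; the root line and both shadow samples are constructed, and the function names are hypothetical.

```python
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# The nagios passwd line is the one posted in the thread; everything else is constructed.
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "nagios:x:103:158::/var/spool/nagios:/sbin/nologin\n")
SHADOW_DEFAULT = ("root:$6$salt$hash:16900:0:99999:7:::\n"
                  "nagios:!!:16900::::::\n")
SHADOW_CHANGED = ("root:$6$salt$hash:16900:0:99999:7:::\n"
                  "nagios:$6$salt$hash:16900:0:99999:7:::\n")

def _entry(text, user):
    """Return the colon-separated fields of the user's line, or None."""
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == user:
            return fields
    return None

def password_state(shadow_fields):
    """Classify the password field (second field) of a shadow entry."""
    pw = shadow_fields[1]
    if pw == "":
        return "empty"    # no password is required at all
    if pw[0] in "!*":
        return "locked"   # not a valid hash, so password login cannot succeed
    return "set"          # a real hash: the account now has a usable password

def audit_account(user, passwd_text, shadow_text):
    """Report whether a service account can log in by shell or by password."""
    pw, sh = _entry(passwd_text, user), _entry(shadow_text, user)
    if pw is None or sh is None:
        return None
    interactive = pw[6] not in NOLOGIN_SHELLS
    state = password_state(sh)
    # Least exposure: no login shell and no usable password.
    return {"user": user, "shell": pw[6], "interactive": interactive,
            "password": state, "ok": not interactive and state == "locked"}

if __name__ == "__main__":
    print(audit_account("nagios", PASSWD, SHADOW_DEFAULT))
    print(audit_account("nagios", PASSWD, SHADOW_CHANGED))
```

Reading the real /etc/shadow requires root. With the constructed `SHADOW_CHANGED` sample the report shows a password where none existed before, which is the state a password change on a locked account would produce.
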

Post by Beena_Jogin »

Yes,

While installing the Nagios agent on a client machine, the Nagios account gets created, with the default password Nagios.

Where is this account used further? Do we have to log in with this account and do something related to NRPE and Nagios plugins?

I think this account is not used in the full installation script; it's only created. Please clarify.

Thanks,
Beena

Post by hsmith »

Can you post the output of this command?

find / -name "nrpe.cfg" -exec cat {} \; | grep -Ev '(#.*$)|(^$)'


It will help us answer your other questions.

Post by Beena_Jogin »

Please close this thread.