Nagios Installation Failed

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
rajasegar
Posts: 1018
Joined: Sun Mar 30, 2014 10:49 pm

Re: Nagios Installation Failed

Post by rajasegar »

eloyd wrote: I'm jumping in here because we get asked this all the time. You can't simply follow someone else's directions for hardening a system without knowing what the results will be for your specific installation. For instance, "Remove HTTP server" will pretty much kill any chance of you being able to use Nagios XI, as it is configured, managed, and used through a web server.

So you need to understand what steps are required for your configuration that would override any generic hardening document. In a nutshell, Nagios is a web application that makes use of databases, filesystem pipes, outbound connections to other machines, and various third-party software for tasks like graphing, reporting, and capacity monitoring. Anything that impedes its ability to use these broad categories of topics should not be done.

Edit: Even if they were written specifically by your company, it still would make no sense to disable a web server for a web app.

Some of them are pretty obvious to get an exemption for, like httpd. Since the nagios instance has compilers etc. in it, exec access to world-writable directories like /tmp is certainly a no-no. However, nagios seems to need it enabled, as highlighted by tmcdonald. No way the security folks will budge on this considering the risks.

It is up to us to update the security folks on what cannot be implemented, for their consideration. You can see the challenge in this.
5 x Nagios 5.6.9 Enterprise Edition
RHEL 6 & 7
rrdcached & ramdisk optimisation

Post by rajasegar »

lmiltchev wrote: Can you also show the output of the following commands?

Code:

ls -lad /usr/local/nagios/
ls -la /usr/local/nagios/

I think /usr/local/nagios was owned by root and the permission was 700.
I changed it to 777 for troubleshooting, still same problem.

Code:

[root@MYUCBPNAGIAPP01 ~]# ls -lad /usr/local/nagios/
drwxrwxrwx. 9 nagios nagios 4096 Mar 23 12:40 /usr/local/nagios/
[root@MYUCBPNAGIAPP01 ~]# ls -la /usr/local/nagios/
total 36
drwxrw-rw-.  9 nagios nagios 4096 Mar 23 12:40 .
drwxr-xr-x. 18 root   root   4096 Mar 23 13:02 ..
drwxrwxr-x.  2 nagios nagios 4096 Mar 23 12:41 bin
drwsrwsr-x.  7 apache nagios 4096 Mar 23 12:41 etc
drwxr-xr-x.  2 root   root   4096 Mar 23 12:40 include
drwxrwsr-x.  2 nagios nagios 4096 Mar 23 12:50 libexec
drwxrwxr-x.  2 nagios nagios 4096 Mar 23 12:39 sbin
drwxrwxr-x. 18 nagios nagios 4096 Mar 23 12:42 share
drwxrwxr-x.  6 nagios nagios 4096 Mar 25 09:15 var

Post by rajasegar »

To cut a long story short, I convinced them to let me install nagiosxi first and then let them harden the server part by part, checking at each checkpoint.
Good thing it is running in a VM and we can use snapshots.

Do you guys have any health checklist to verify nagiosxi functionality is OK?

Post by rajasegar »

Fresh install of CentOS 6.7, no hardening.
Installation still failed on this line:

/usr/bin/wget --save-cookies nagiosql.cookies --keep-session-cookies http://localhost/nagiosxi/includes/components/ccm/ --no-check-certificate --post-data 'submit=Login&hidelog=true&loginSubmitted=true&username=nagiosxi&password=n@gweb' -O nagiosql.login
--2016-03-25 05:56:32-- http://localhost/nagiosxi/includes/components/ccm/

httpd is running fine, nagiosxi GUI comes up just fine, service is down though. Please assist.

Code:

SETUP COMPLETED
===============
Nagios XI base files installed OK
RESULT=0
Running './C-cronjobs'...
Crontabs installed OK
RESULT=0
Running './D-chkconfigalldaemons'...
Daemons configured to start OK
RESULT=0
Running './E-importnagiosql'...
httpd: no process killed
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 10.17.19.228 for ServerName
                                                           [  OK  ]
Sleeping...
NOTE: If prompted, enter the MySQL root password
NagiosQL database appears OK - continuing...
NDOUtils database appears OK - continuing...
Found config files to import - continuing...
URL: http://localhost/nagiosxi/includes/components/ccm/
CMDLINE
/usr/bin/wget --save-cookies nagiosql.cookies --keep-session-cookies http://localhost/nagiosxi/includes/components/ccm/ --no-check-certificate --post-data 'submit=Login&hidelog=true&loginSubmitted=true&username=nagiosxi&password=n@gweb' -O  nagiosql.login
--2016-03-25 05:56:32--  http://localhost/nagiosxi/includes/components/ccm/
Connecting to 172.16.19.95:8080... connected.
Proxy request sent, awaiting response... 404 Not Found
2016-03-25 05:56:32 ERROR 404: Not Found.

NAGIOSQL LOGIN FAILED!
RESULT=1

===================
INSTALLATION ERROR!
===================

Post by rajasegar »

Solved the above problem by unsetting the http_proxy environment variable.

Code:

unset http_proxy

The installation is fine now. Now comes the hardening portion.
5 x Nagios 5.6.9 Enterprise Edition
RHEL 6 & 7
rrdcached & ramdisk optimisation
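
The failure and fix in the post above, as an added example (not part of the original post and not the Nagios XI installer's code): with http_proxy set, the installer's wget request for http://localhost/... was handed to the proxy at 172.16.19.95:8080, which answered 404. The script predicts whether a URL would be proxied and shows that a no_proxy entry for localhost is an alternative to unsetting the variable; the function names and the suffix-matching approximation of wget's no_proxy handling are assumptions.

```shell
#!/bin/sh
# Added example: will a proxy-aware client (e.g. wget) send this URL to a proxy?
# Assumption: no_proxy is a comma-separated list of host names or domain
# suffixes. Host names and IPv4 literals only; IPv6 URLs are not handled.

# Print the host part of an http:// or https:// URL.
host_of_url() {
    rest=${1#*://}                 # drop scheme
    rest=${rest%%/*}               # drop path
    rest=${rest##*@}               # drop userinfo
    printf '%s\n' "${rest%%:*}"    # drop port
}

# Succeed if host $1 is exempted by the no_proxy list $2.
no_proxy_covers() {
    np_host=$1
    old_ifs=$IFS; IFS=,; set -f
    set -- $2                      # split on commas without globbing
    set +f; IFS=$old_ifs
    for entry in "$@"; do
        entry=$(printf '%s' "$entry" | tr -d ' ')
        entry=${entry#.}           # ".example.com" and "example.com" are equivalent
        [ -z "$entry" ] && continue
        case $np_host in
            "$entry"|*."$entry") return 0 ;;
        esac
    done
    return 1
}

# Print the proxy that would carry the request; print nothing if direct.
proxy_for_url() {
    case $1 in
        https://*) px=${https_proxy:-} ;;
        *)         px=${http_proxy:-} ;;
    esac
    [ -z "$px" ] && return 0
    no_proxy_covers "$(host_of_url "$1")" "${no_proxy:-}" && return 0
    printf '%s\n' "$px"
}

# Constructed demo using the proxy address and URL seen in the install log.
http_proxy=http://172.16.19.95:8080
ccm_url=http://localhost/nagiosxi/includes/components/ccm/
no_proxy=
echo "no_proxy unset:     via '$(proxy_for_url "$ccm_url")'"
no_proxy=localhost,127.0.0.1
echo "no_proxy=localhost: via '$(proxy_for_url "$ccm_url")'"
```

Running the check before each hardening checkpoint catches a proxy setting reintroduced through /etc/profile.d or a similar system-wide file.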
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Post by hsmith »

Apologies for the lack of response, our hours seem quite opposite. Glad to see you got the installation taken care of so far.
Former Nagios Employee.

Post by rajasegar »

hsmith wrote: Apologies for the lack of response, our hours seem quite opposite. Glad to see you got the installation taken care of so far.

Do you guys have any health checklist to verify nagiosxi functionality is OK?
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am


Post by tmcdonald »

Not exactly, no.

There are various things we check depending on the symptoms we are seeing:
  • Checks not running? Make sure service nagios status returns okay, active checks are enabled, object configs valid
  • Emails not sending? See if they show up under Home -> Notifications, and look over SMTP and contact/user settings
  • Web interface not accurate? Make sure NDO is running and DB is readable/writable, check apache settings
and there are some obvious indicators that things are not working:
  • Red check marks under Admin -> System Status
  • PHP errors in the web interface
  • Pages taking 10+ seconds to load in a small environment
but we do not have a "172-point checklist" that we go through.

Even if we did have such a checklist, it would have been generated against a clean, minimal, unmodified install of CentOS, and in a hardened environment your XI could be running fine and the checks come back dirty, or worse, vice-versa.
Former Nagios employee

Post by rajasegar »

Noted. Thanks.

Post by hsmith »

Did you have any other questions before we close this thread?