Our security team pointed out that user, password, and community strings are showing up in the process list when checks are being performed. Is there a feature to hide or rewrite the process to prevent sensitive information from showing up?
OS: CentOS 7.2
Version: 5.2.7
/usr/local/nagios/libexec/check_snmp -H <Remote Server> -C <Comm String> -t 60 -m UCD-SNMP-MIB -o .1.3.6.1.4.1.2021.4.11.0 -w 200000: -c 100000:
/usr/bin/perl -w /usr/local/nagios/libexec/check_wmi_plus.pl -H <Remote Server> -u <domain>/<username>%<password> -m checkmem -t 120 -w 90 -c 95
Sensitive Information in Process List
Re: Sensitive Information in Process List
Short answer: This is not entirely a problem that Nagios can solve.
Long answer: Short of converting every plugin away from user+pass into using cert-based auth, this is more of a Linux/ps output problem than anything. Even if we converted every plugin to cert-based, there are still some things like SNMP that will require a string. That's going to be leaked in the process list. We could store that string in a file and reference it, but then we're talking about modifying system binaries that handle the connection and leak the string, since a lot of our plugins are wrappers around system utilities to make them Nagios-compliant.
Former Nagios employee
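To measure how many running checks expose a secret this way, the following audit sketch flags and masks the two argument forms quoted in the question (check_snmp -C and check_wmi_plus.pl -u user%password). It is an added example, not part of the original thread or of Nagios; the function names, the sample hosts and the sample credentials are constructed for illustration.

```python
# Options whose value is a secret, per plugin, taken from the two command
# lines quoted in this thread. Only the "-X value" form is handled.
SECRET_OPTS = {
    "check_snmp": {"-C": "community string"},
    "check_wmi_plus.pl": {"-u": "user%password"},
}

def audit_argv(argv):
    """Return (findings, redacted_argv) for one process's argument vector."""
    plugin = next((name for name in SECRET_OPTS
                   if any(a.rsplit("/", 1)[-1] == name for a in argv)), None)
    if plugin is None:
        return [], list(argv)
    findings, redacted = [], list(argv)
    for i, arg in enumerate(argv[:-1]):
        kind = SECRET_OPTS[plugin].get(arg)
        if kind is None:
            continue
        value = argv[i + 1]
        if plugin == "check_wmi_plus.pl":
            if "%" not in value:
                continue  # user name only, no inline password to mask
            redacted[i + 1] = value.split("%", 1)[0] + "%****"
        else:
            redacted[i + 1] = "****"
        findings.append((plugin, arg, kind))
    return findings, redacted

def read_proc_argv(pid):
    """Read a live process's argv from /proc/<pid>/cmdline (NUL-separated)."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return [p.decode(errors="replace") for p in fh.read().split(b"\0") if p]

# Constructed sample argument vectors (not real hosts or credentials).
SAMPLES = [
    ["/usr/local/nagios/libexec/check_snmp", "-H", "192.0.2.10",
     "-C", "examplecomm", "-t", "60", "-o", ".1.3.6.1.4.1.2021.4.11.0"],
    ["/usr/bin/perl", "-w", "/usr/local/nagios/libexec/check_wmi_plus.pl",
     "-H", "192.0.2.11", "-u", "EXAMPLE/monitor%examplepw", "-m", "checkmem"],
    ["/usr/sbin/sshd", "-D"],
]

if __name__ == "__main__":
    for argv in SAMPLES:
        hits, safe = audit_argv(argv)
        print("EXPOSED" if hits else "ok     ", " ".join(safe))
```

On Linux, mounting /proc with the hidepid=2 option hides other users' command lines from unprivileged accounts, which narrows who can read these arguments without changing the plugins.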
Re: Sensitive Information in Process List
Thank you for the information. I will pass this along.
Re: Sensitive Information in Process List
If you wanted to get tricky I suppose you could send it all through a transparent proxy, and use dummy values that the proxy then replaces on-the-fly, but that's getting pretty far out there :)
Former Nagios employee
Re: Sensitive Information in Process List
If I come up with a solution, I will let you know. Thanks for the suggestion.
Re: Sensitive Information in Process List
Sure thing. For now I am going to close this, but if you come up with something either open a new thread and reference this one, or request that this be re-opened.
Former Nagios employee