Alternative to NRPE for Linux monitoring with Nagios Core

neworderfac33
Posts: 329
Joined: Fri Jul 24, 2015 11:04 am

Alternative to NRPE for Linux monitoring with Nagios Core

Post by neworderfac33 »

Good afternoon,
I have been tasked with extending our existing Nagios Core installation to monitor a number of Linux servers.
I asked our Security team to download NRPE for us, but they won't because of the following:

Description :

 The version of Nagios Remote Plugin Executor (NRPE) running on the
 remote host has command argument processing enabled and accepts the
 newline character. An unauthenticated, remote attacker can exploit
 this issue to execute arbitrary commands within the context of the
 vulnerable application by appending those commands via a newline
 character in the '-a' option to libexec/check_nrpe.

 See also :

 http://legalhackers.com/advisories/nagios-nrpe.txt
 http://www.nessus.org/u?dd566434

 Solution :

 Disable command argument processing in the NRPE configuration.

 Risk factor :

 High / CVSS Base Score : 7.5
 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
 CVSS Temporal Score : 6.8
 (CVSS2#E:POC/RL:U/RC:ND)
 Public Exploit Available : true
 
In the absence of a patch to remove this vulnerability, can anyone suggest an alternative to NRPE? We currently use NSClient on our remote Windows hosts.

Please note - I'm only interested in disk space threshold monitoring, if that helps.

Thanks in advance

Pete
rhassing
Posts: 416
Joined: Sat Oct 05, 2013 10:29 pm
Location: Netherlands

Re: Alternative to NRPE for Linux monitoring with Nagios Cor

Post by rhassing »

Use SNMP. Especially net-snmp can do a lot.
I hope the security team will allow SNMP.

See http://mona.deltics.info/snmp-execute-remote-script/
Rob Hassing
romeor
Posts: 25
Joined: Mon Aug 30, 2010 1:16 am

Re: Alternative to NRPE for Linux monitoring with Nagios Cor

Post by romeor »

Simple solution:
Why not use a firewall to enable access from an authorized IP address only?
amprantino
Posts: 140
Joined: Thu Apr 18, 2013 8:25 am
Location: libexec

Re: Alternative to NRPE for Linux monitoring with Nagios Cor

Post by amprantino »

- You can always disable remote commands or parameters and hardcode the check commands.
- You can always use authentication and/or encryption to secure the connection
bwallace
Posts: 1145
Joined: Tue Nov 17, 2015 1:57 pm

Re: Alternative to NRPE for Linux monitoring with Nagios Cor

Post by bwallace »

To directly address the articles/links you posted:

1.) With arguments disabled the 'vulnerability' is not exploitable (barring, of course, any 0-day attacks)
2.) Ideally you are only letting certain IP addresses query port 5666 (as romeor suggested), so any attacks (short of an exploit on your firewall) would need to come from the Nagios machine. That being said, if you have arguments enabled then you will still face the possibility of malicious arguments.
3.) Disabling arguments will make NRPE more secure, but increase the configuration time required. Security never simplifies anything, and NRPE is no exception. NCPA is only a bit more locked down (requiring an auth token), but the argument parsing is somewhat broken at the moment.

- The above points are actually from this thread, see reply from 'tmcdonald'
https://support.nagios.com/forum/viewto ... 1456514247

Hopefully this answers all your questions, let us know, thanks.
Be sure to check out the Knowledgebase for helpful articles and solutions!
neworderfac33
Posts: 329
Joined: Fri Jul 24, 2015 11:04 am

Re: Alternative to NRPE for Linux monitoring with Nagios Cor

Post by neworderfac33 »

Thank you all for your valuable suggestions! :-)

Security have relented, providing that I ensure that the dont_blame_nrpe (best setting name in the WORLD - EVER! :-)) setting in the configuration file is set to 0.

So, assuming I do that, provide them with a copy of the config file to PROVE that I've done it and upgrade to the next version of NRPE when it comes out, I'm good to go.

Can anyone now point me in the direction of a guide on how to install and configure NRPE?

I have ascertained that I need to have the plugin installed in the same folder as my other plugins (/usr/local/nagios/libexec) and that I need to add the following to my commands.cfg file:

Code:

define command{
        command_name    check_nrpe
        command_line    /usr/local/nagios/libexec/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}

I also need the following

Code:

define service {
    host_name     MYSERVERID
    service_description     someremoteservice
    check_command         check_nrpe!
}

but where does it go? All the other services I have are defined in windows.cfg - can I put them here or should I put them in linux.cfg (for example) and do I have to ensure that this new config file is recognized, or do ALL .cfg files in /usr/local/nagios/etc/objects get recognized automatically?

The only thing I'm interested in monitoring is disk space, but is there anywhere I can find a complete list of NRPE functionality and syntax?

Finally I get that I need to have an NRPE daemon installed on each machine that I need to monitor, but the readme seems to suggest that I need to compile files on the target machines in order to create the daemon, and the room started spinning around at that point...

As usual, all advice gratefully received! :-)

Pete
bwallace
Posts: 1145
Joined: Tue Nov 17, 2015 1:57 pm

Re: Alternative to NRPE for Linux monitoring with Nagios Cor

Post by bwallace »

You can use this guide for installing/configuring NRPE https://assets.nagios.com/downloads/nag ... e/NRPE.pdf

Download latest NRPE here https://sourceforge.net/projects/nagios/files/nrpe-2.x/

You do not have to put NRPE in ../libexec. Once you extract NRPE its own directory will be created. Later, you'll configure the NRPE daemon as a service under xinetd - all of this is on page 6 in the 1st doc, above, and it also covers troubleshooting steps and examples for configuring host & service definitions. In other words I believe it should answer all of your questions, but of course let us know if otherwise - thanks -
neworderfac33
Posts: 329
Joined: Fri Jul 24, 2015 11:04 am

Re: Alternative to NRPE for Linux monitoring with Nagios Cor

Post by neworderfac33 »

Right - I'm getting there slowly.
I have installed both the check_nrpe addin and the daemon on the Nagios host.
I have confirmed that the daemon is running correctly, as per the document (most helpful, thank you!)
Now, I want to monitor the drives /dev/sda and /dev/sdb to give a warning at 90% and a critical at 95%.
How and where do I specify this? I'm familiar with how to monitor drives (C/E etc) on Windows servers, but the correct syntax for a Linux server is beyond me!
Thanks in advance
Pete
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: Alternative to NRPE for Linux monitoring with Nagios Cor

Post by lmiltchev »

You could set up commands in the nrpe.cfg on the remote box as such:

Code:

command[check_sda]=/usr/local/nagios/libexec/check_disk -w 15% -c 10% -p /dev/sda
command[check_sdb]=/usr/local/nagios/libexec/check_disk -w 15% -c 10% -p /dev/sdb

Save, exit, and restart xinetd (or the NRPE service if NRPE is running as a standalone daemon).

Then test your checks from the nagios server:

Code:

/usr/local/nagios/libexec/check_nrpe -H <client ip> -c check_sda
/usr/local/nagios/libexec/check_nrpe -H <client ip> -c check_sdb

Hope this helps.
Be sure to check out our Knowledgebase for helpful articles and solutions!
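
Added example (not part of any post in this thread, and not Nagios project code): a small Python audit of an nrpe.cfg against the hardening points discussed above, namely dont_blame_nrpe set to 0, no $ARGn$ macros in command[] definitions, and a non-empty allowed_hosts. The sample config is constructed, and treating an unset dont_blame_nrpe as a finding is this example's own policy choice.

```python
import re

# Constructed sample nrpe.cfg for illustration (not taken from the thread).
SAMPLE_CFG = """\
allowed_hosts=127.0.0.1,192.0.2.10
dont_blame_nrpe=1
command[check_sda]=/usr/local/nagios/libexec/check_disk -w 15% -c 10% -p /dev/sda
command[check_disk]=/usr/local/nagios/libexec/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
"""

ARG_MACRO = re.compile(r"\$ARG\d+\$")
COMMAND_KEY = re.compile(r"^command\[([^\]]+)\]$")

def parse_nrpe_cfg(text):
    """Return (settings, commands); in this example a later duplicate key wins."""
    settings, commands = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = COMMAND_KEY.match(key)
        if match:
            commands[match.group(1)] = value
        else:
            settings[key] = value
    return settings, commands

def audit_nrpe_cfg(text):
    """Return a list of findings; an empty list means the file passes these checks."""
    settings, commands = parse_nrpe_cfg(text)
    findings = []
    flag = settings.get("dont_blame_nrpe")
    if flag is None:
        findings.append("dont_blame_nrpe is not set explicitly")
    elif flag != "0":
        findings.append(f"dont_blame_nrpe={flag}: command arguments are accepted")
    for name, cmdline in sorted(commands.items()):
        if ARG_MACRO.search(cmdline):
            findings.append(f"command[{name}] uses $ARGn$ macros; hardcode its thresholds")
    if not settings.get("allowed_hosts"):
        findings.append("allowed_hosts is empty or missing")
    for key in ("include", "include_dir"):
        if key in settings:
            findings.append(f"{key}={settings[key]} is not followed; audit it separately")
    return findings

if __name__ == "__main__":
    for finding in audit_nrpe_cfg(SAMPLE_CFG):
        print("FINDING:", finding)
```

The check reads a single file and only reports include and include_dir directives rather than following them. When NRPE runs under xinetd, allowed_hosts is ignored and the source restriction belongs in only_from in the xinetd service file.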
bwallace
Posts: 1145
Joined: Tue Nov 17, 2015 1:57 pm

Re: Alternative to NRPE for Linux monitoring with Nagios Cor

Post by bwallace »

For reference, here's the Man page for check_disk (and others)
http://nagios-plugins.org/doc/man/index.html