Originally when our system was installed, dont_blame_nrpe was set to 1 after a bit. Now we have a new system to be built and a request that it be set to 0 to enhance security.
I actually had to reread what the dont_blame_nrpe meant. So it looks like w/ 0 $ARGs aren't allowed and the args would be moved to a commands.cfg file. Then if I wanted to for example check 2 FSs w/ 2 services, I'd need 2 commands in the cfg on each host, and 2 services in XI. Now I have 2 services in XI with different args. The latter is easier but less secure.
It seems I would need puppet to manage distributing the nrpe.cfg and restart xinetd.
How vital is dont_blame_nrpe=0 in a very large company data center sort of environment on a private network?
How concerned should I be about the systems allowing args at this time?
dont_blame_nrpe?
dwhitfield
- Former Nagios Staff
- Posts: 4583
- Joined: Wed Sep 21, 2016 10:29 am
- Location: NoLo, Minneapolis, MN
Re: dont_blame_nrpe?
That's a really difficult question to answer without knowing the internals of your organization. Your security team can review the NRPE code at https://github.com/NagiosEnterprises/nrpe. We do also offer consulting, if it is needed.
Also, we have the check_by_ssh plugin, if security is a huge concern. Unfortunately, that will increase load compared to NRPE, and will require some re-architecting.
Personally, the main question I would be asking myself is: do I trust the company firewall?
If you have a specific question about the security measures in NRPE, we should be able to tackle those. Thanks!
Re: dont_blame_nrpe?
Is the following true?
I actually had to reread what the dont_blame_nrpe meant. So it looks like w/ 0 $ARGs aren't allowed and the args would be moved to a commands.cfg file. Then if I wanted to for example check 2 FSs w/ 2 services, I'd need 2 commands in the cfg on each host, and 2 services in XI. Now I have 2 services in XI with different args. The latter is easier but less secure.
What is your impression as to the count of systems out there using either setting? Say a guestimate of percentage?
Re: dont_blame_nrpe?
gormank wrote: I actually had to reread what the dont_blame_nrpe meant. So it looks like w/ 0 $ARGs aren't allowed and the args would be moved to a commands.cfg file. Then if I wanted to for example check 2 FSs w/ 2 services, I'd need 2 commands in the cfg on each host, and 2 services in XI. Now I have 2 services in XI with different args. The latter is easier but less secure.
This is correct.
gormank wrote: What is your impression as to the count of systems out there using either setting? Say a guestimate of percentage?
Even as a blind shot with a musket in a very, very large ballpark at night, the closest I could even imagine would be a 50/50 split. Not only do we not collect this metric, but even if we did in our commercial solutions there are just so many more installations that we would not be collecting from that I couldn't trust those numbers.
Former Nagios employee
Re: dont_blame_nrpe?
You sound like you're afraid of being sued. I just asked for a few opinions.
dwhitfield
- Former Nagios Staff
Re: dont_blame_nrpe?
This was kinda addressed in the "commercial solutions" bit of the post, but part of the problem in getting stats is that various versions of Linux and BSD package Nagios Core and NRPE. We really don't have any idea what people are doing with those unless they report problems to the forums.
That being said, did you have any specific questions about the security measures in NRPE? We can get you confident answers on that.
Of course, we can leave this open, and other customers can contribute what they are doing with NRPE security.
Re: dont_blame_nrpe?
Yeah, I guess things have to be stated in such a way that it won't come back and bite you.
Obviously I can only hope for an answer based on support queries, not on the larger world of Core or people that haven't asked a question.
Re: dont_blame_nrpe?
dwhitfield wrote: [...] part of the problem in getting stats is that various versions of Linux and BSD package Nagios Core and NRPE. We really don't have any idea what people are doing with those unless they report problems to the forums.
Exactly this. You asked for "a guestimate of percentage" and we truly are not able to give one any more accurate than a guess because we simply do not (and currently cannot) track that usage. I don't see how that translates to "afraid of being sued" - it's an honest answer from a technical support team. I'm not going to lie or stretch the truth to try and close a ticket or make a sale, because that would waste everyone's time.
If you want my opinion, it is that dont_blame_nrpe is fine to use as long as you properly lock down which machines are allowed to proxy checks through NRPE.
Former Nagios employee
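As an added example (not code from this thread, from Nagios, or from NRPE itself), a small Python audit of the two nrpe.cfg styles discussed above: the $ARGn$-based command with dont_blame_nrpe=1 that the opening post describes, and the fixed per-filesystem commands with dont_blame_nrpe=0 plus a host-by-host allowed_hosts list that the "lock down which machines are allowed" advice calls for. The two config texts, host addresses and plugin paths are constructed; the parser handles only the key=value and command[name]= lines it needs, and the checks assume the stock NRPE meaning of those keys (dont_blame_nrpe=1 only takes effect on an NRPE built with --enable-command-args, which the script does not know).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample nrpe.cfg fragments (not from the thread).
# PERMISSIVE_CFG mirrors the dont_blame_nrpe=1 setup: one check_disk command
# whose thresholds and mount point come from the Nagios side via $ARGn$.
PERMISSIVE_CFG = """\
# constructed example
allowed_hosts=127.0.0.1,10.0.0.0/8
dont_blame_nrpe=1
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
"""

# LOCKED_CFG mirrors the dont_blame_nrpe=0 style: one fixed command per
# filesystem, no macros, and allowed_hosts naming individual monitoring hosts.
LOCKED_CFG = """\
# constructed example
allowed_hosts=127.0.0.1,10.1.2.3
dont_blame_nrpe=0
command[check_disk_root]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /
command[check_disk_var]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /var
"""

_COMMAND_RE = re.compile(r"^command\[(?P<name>[^\]]+)\]=(?P<line>.*)$")
_ARG_RE = re.compile(r"\$ARG\d+\$")


def parse_nrpe_cfg(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Parse the subset of nrpe.cfg syntax used here.

    Returns (settings, commands): plain key=value lines go into settings,
    command[name]=... lines go into commands. Comments and blanks are skipped.
    """
    settings: Dict[str, str] = {}
    commands: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _COMMAND_RE.match(line)
        if m:
            commands[m.group("name")] = m.group("line").strip()
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings, commands


def audit_nrpe_cfg(text: str) -> List[str]:
    """Return findings that indicate remote argument passing or a broad
    allowed_hosts list; an empty list means the locked-down style."""
    settings, commands = parse_nrpe_cfg(text)
    findings: List[str] = []

    # NRPE defaults dont_blame_nrpe to 0 when the key is absent.
    if settings.get("dont_blame_nrpe", "0") == "1":
        findings.append("dont_blame_nrpe=1: remote argument passing is enabled")

    # Any command referencing $ARGn$ is one whose arguments come from the
    # network rather than from this file.
    for name in sorted(n for n, cmd in commands.items() if _ARG_RE.search(cmd)):
        findings.append(f"command[{name}] takes $ARGn$ macros")

    hosts = [h.strip() for h in settings.get("allowed_hosts", "").split(",") if h.strip()]
    if not hosts:
        findings.append("allowed_hosts is empty")
    for host in hosts:
        # A CIDR entry admits a whole range instead of a named monitoring host.
        if "/" in host:
            findings.append(f"allowed_hosts entry '{host}' is a network range, not a single host")
    return findings


if __name__ == "__main__":
    for label, cfg in (("permissive", PERMISSIVE_CFG), ("locked", LOCKED_CFG)):
        print(f"{label}: {audit_nrpe_cfg(cfg) or ['no findings']}")
```

Run over a tree of collected nrpe.cfg files, the findings list is the inventory of hosts still relying on dont_blame_nrpe=1 or on a subnet in allowed_hosts, which is the input a Puppet rollout of the fixed-command style needs.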
Re: dont_blame_nrpe?
That's pretty much my opinion as well (yes, an opinion is what I was looking for). We define the hosts that can run checks rather than say, define a subnet or range of addresses. It seems unlikely that someone would try to use arguments to try and inject arbitrary commands, and even more unlikely that it would work.
I'll not worry about the current system, and set up the new system to not use args in order to placate those paranoid about security. I've been frantically studying puppet after work so I don't have to update 300 nrpe.cfg files whenever I want to tweak monitoring. :)
Might as well close this one...
Thanks
dwhitfield
- Former Nagios Staff
Re: dont_blame_nrpe?
Glad to hear it is resolved. I am going to lock the thread.
As a complete aside, there is some testing going on about your NLS security thread.