My security officer asked me to complete the following document:
https://assets.nagios.com/downloads/nag ... urity.html
to secure our NagiosXI 5.4.2 build on RHEL 6. I've gotten everything, but was confused by the 8th step:
Hide Sensitive Information With $USERn$ Macros. The CGIs read the main config file and object config file(s), so you don't want to keep any sensitive information (usernames, passwords, etc) in there. If you need to specify a username and/or password in a command definition use a $USERn$ macro to hide it. $USERn$ macros are defined in one or more resource files. The CGIs will not attempt to read the contents of resource files, so you can set more restrictive permissions (600 or 660) on them. See the sample resource.cfg file in the base of the Nagios distribution for an example of how to define $USERn$ macros.
I followed the links in the paragraph but still am not sure what I'm looking for to change to make more secure. We have about 200 hosts and 1500 services on our NagiosXI setup and I'm not sure what I would be changing to match this document.
Security Considerations - Macros
Re: Security Considerations - Macros
Some plugins may require the use of sensitive information, such as passwords. In the case of WMI checks, you might be including your password for a particular Windows account in the command definition:
The idea behind macros is that, instead of having my credentials in plain-text visible from the GUI (admin, welcome123), I could define a macro to represent my WMI username and password like so:
Code:
$WMI_USER$=admin
$WMI_PASS$=welcome123
This means that, in order for someone to get the credentials for the WMI account I am leveraging, they would need access to the file system directly. They wouldn't be able to retrieve sensitive information via the GUI.
Former Nagios employee
https://www.mcapra.com/
Re: Security Considerations - Macros
Oh, ok. So adding those macros in the core config manager, but then setting the passwords, etc in the actual .cfg file on the backend?
Re: Security Considerations - Macros
If you're using the "User Macros" component in the Core Config Manager, that should do just fine since it writes to resource.cfg directly.
You won't be able to write to this while the "Redact Displayed Values" option is enabled though. You can enable/disable this setting with the little gear on the "User Macros Component" page:
And only those users with the "Admin" access level can access that page to change the settings.
Former Nagios employee
https://www.mcapra.com/
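An audit sketch for step 8, added here as an example and not part of the thread or of Nagios itself: it reads the $USERn$ definitions from a resource file, flags object-config lines that still carry a secret's literal value, and checks that the resource file mode stays within 660. The macro numbers ($USER5$, $USER6$), command names and sample file contents are constructed assumptions.

```python
import os
import re
import stat

USER_MACRO = re.compile(r"^\s*(\$USER\d+\$)\s*=\s*(.*\S)\s*$")

# Constructed sample files (macro numbers and command names are assumptions).
RESOURCE_CFG = """\
$USER1$=/usr/local/nagios/libexec
$USER5$=admin
$USER6$=welcome123
"""
OBJECT_CFG = """\
define command {
    command_name check_wmi_bad
    command_line $USER1$/check_wmi_plus.pl -H $HOSTADDRESS$ -u admin -p welcome123
}
define command {
    command_name check_wmi_good
    command_line $USER1$/check_wmi_plus.pl -H $HOSTADDRESS$ -u $USER5$ -p $USER6$
}
"""

def parse_resource(text):
    """Return {macro: value} for $USERn$ definitions, skipping comment lines."""
    macros = {}
    for line in text.splitlines():
        m = None if line.lstrip().startswith("#") else USER_MACRO.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros

def find_literal_secrets(object_cfg, macros, secret_macros):
    """List (line_no, macro) where a secret macro's value appears in plain text."""
    hits = []
    for no, line in enumerate(object_cfg.splitlines(), 1):
        for name in secret_macros:
            value = macros.get(name)
            if value and re.search(r"(?<![\w$])" + re.escape(value) + r"(?![\w$])", line):
                hits.append((no, name))
    return hits

def too_permissive(path):
    """True if the file mode grants anything beyond 660 (e.g. world-readable)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & ~0o660)

if __name__ == "__main__":
    macros = parse_resource(RESOURCE_CFG)
    for no, name in find_literal_secrets(OBJECT_CFG, macros, ["$USER5$", "$USER6$"]):
        print(f"object config line {no}: literal value of {name}; use the macro instead")
```

To use it on a real install, read the actual resource file and object config files into the two text arguments and pass the resource file's path to too_permissive().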