Encrypting resource.cfg & NCPA config files?

vAJ
Posts: 456
Joined: Thu Nov 08, 2012 5:09 pm
Location: Austin, TX

Encrypting resource.cfg & NCPA config files?

Post by vAJ »

Twin City Techies:

I've been hit with SOX audit requirements that we lock down anything in our monitoring infrastructure with cleartext passwords. <sigh>

Since we store passwords in resource.cfg on the Nagios server, even though the file is locked down (660), anyone who can sudo to root would be able to read the passwords stored therein.

By the same right, the NCPA cfg file stores the token in cleartext. Granted, everything through the API is read-only, but if someone were able to compromise the plugins directory, they could execute any code they want on the system.

Has anyone been able to secure that file further?

Thanks,
AJ
Andrew J. - Do you even grok?
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Encrypting resource.cfg & NCPA config files?

Post by tmcdonald »

Short answer: Not really something you can fix.

Long answer: Let's say we did encrypt that resource.cfg file and everything in it was gibberish to even the root user. Nagios would still need to decrypt that file in order to read its contents, which means you need a password to decrypt it. That password has to be stored in plain-text in order for Nagios to use it. If you store that password in a file then encrypt that file... you see where this is going.

Short answer again: Until all systems everywhere move to PKI there is no getting around passwords, and even then you have the problem of the key files being accessible.

Even shorter: You can't protect root from root.

Edit/Addendum: One way around this might be to set a password at compile-time that gets compiled into the nagios binary, but even that could fairly easily be ascertained by anyone with a basic understanding of binary formats.
Former Nagios employee
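Since the answer above is that the secret has to be readable by the monitoring process no matter what, the practical thing an auditor can still check is that nothing beyond that process can read or modify the files. The script below is an added example for this thread, not Nagios or NCPA project code: it parses the `$USERn$` macros in a resource.cfg, lists the ones that hold something other than a path (the candidate credentials to inventory for the audit), pulls the API token out of an ncpa.cfg, and reports file-mode findings such as the group-writable bit in the 660 mentioned above. The `[api]` / `community_string` location of the NCPA token and the "non-path value means credential" heuristic are assumptions; the config contents are constructed samples.

```python
"""Audit Nagios resource.cfg / NCPA ncpa.cfg for cleartext secrets and loose file modes.

Added example, not Nagios or NCPA project code. Assumes the stock formats:
resource.cfg holds $USERn$=value lines; ncpa.cfg is INI and keeps the API
token under [api] community_string (key name is an assumption).
"""
import configparser
import os
import re
import stat
import tempfile

MACRO_RE = re.compile(r"^\$(USER\d+)\$\s*=\s*(.*)$")

# Constructed sample files; the values are placeholders, not real credentials.
SAMPLE_RESOURCE_CFG = """\
# constructed sample resource.cfg
$USER1$=/usr/local/nagios/libexec
$USER2$=/usr/local/nagios/sbin
$USER3$=monitoring_svc
$USER4$=REPLACE_ME_db_password
"""
SAMPLE_NCPA_CFG = """\
[api]
community_string = REPLACE_ME_token
"""


def parse_resource_cfg(text):
    """Return {macro: value} for every $USERn$ definition; comments and blanks are skipped."""
    macros = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
    return macros


def credential_macros(macros):
    """Macros whose value is not a filesystem path are treated as candidate credentials
    (heuristic assumption: $USER1$/$USER2$ style path macros are not secrets)."""
    return sorted(name for name, value in macros.items() if not value.startswith("/"))


def ncpa_token(text):
    """Return the API token from ncpa.cfg, or None if the assumed key is absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.get("api", "community_string", fallback=None)


def audit_mode(mode):
    """Findings for a permission bit set: anything beyond owner-only access is reported."""
    findings = []
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def audit_file(path):
    """Stat a config file and report its mode plus any findings from audit_mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {"path": path, "mode": oct(mode), "findings": audit_mode(mode)}


if __name__ == "__main__":
    macros = parse_resource_cfg(SAMPLE_RESOURCE_CFG)
    print("credential macros to inventory:", credential_macros(macros))
    print("NCPA token present:", ncpa_token(SAMPLE_NCPA_CFG) is not None)
    # Write the sample with the 660 mode from the thread and show what the audit flags.
    with tempfile.NamedTemporaryFile("w", suffix="resource.cfg", delete=False) as fh:
        fh.write(SAMPLE_RESOURCE_CFG)
        tmp = fh.name
    os.chmod(tmp, 0o660)
    print(audit_file(tmp))
    os.unlink(tmp)
```

Point it at the real `/usr/local/nagios/etc/resource.cfg` and `ncpa.cfg` with `audit_file` and the two parsers; the macro list is what you hand the auditor as the credential inventory, and the findings list is what you tighten (0600 owned by the nagios user is the least access that still lets the daemon read it).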
vAJ
Posts: 456
Joined: Thu Nov 08, 2012 5:09 pm
Location: Austin, TX

Re: Encrypting resource.cfg & NCPA config files?

Post by vAJ »

I'm thinking the only way around this is to use all passive checks...
Andrew J. - Do you even grok?
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Encrypting resource.cfg & NCPA config files?

Post by tmcdonald »

Those store the NRDP/NSCA token in clear-text on the client :)
Former Nagios employee
vAJ
Posts: 456
Joined: Thu Nov 08, 2012 5:09 pm
Location: Austin, TX

Re: Encrypting resource.cfg & NCPA config files?

Post by vAJ »

Crap.

Then WMI/SSH (Windows/Linux) and dropping any use of agent is the only way...
Andrew J. - Do you even grok?
vAJ
Posts: 456
Joined: Thu Nov 08, 2012 5:09 pm
Location: Austin, TX

Re: Encrypting resource.cfg & NCPA config files?

Post by vAJ »

Also, having the NRDP token in cleartext is easier to get an exception for. If someone has that, they can't break something on a production server.

Screw up Nagios, for sure, but not our client-facing platform.
Andrew J. - Do you even grok?
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Encrypting resource.cfg & NCPA config files?

Post by tmcdonald »

Maybe. You need the SSH key which could be flagged by security as not being locked down enough, and WMI uses a password which runs into the same issue as resource.cfg.
Former Nagios employee
vAJ
Posts: 456
Joined: Thu Nov 08, 2012 5:09 pm
Location: Austin, TX

Re: Encrypting resource.cfg & NCPA config files?

Post by vAJ »

I'm going to turn in my badge and become a gardener.
Andrew J. - Do you even grok?
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Encrypting resource.cfg & NCPA config files?

Post by tmcdonald »

I just tell people I'm a beet farmer.
Former Nagios employee
vAJ
Posts: 456
Joined: Thu Nov 08, 2012 5:09 pm
Location: Austin, TX

Re: Encrypting resource.cfg & NCPA config files?

Post by vAJ »

Sounds like a plan. I think you can lock this up.
Andrew J. - Do you even grok?