[sort of SOLVED] Script (plugin) not working as expected

[darthcolo]

Hello guys!

We are developing a script in our Nagiso Server to check a Host by "check_by_ssh" plugin. We have everything correctly configured.
This is the script (modificated for preserve delicate information):

Code: Select all

#!/bin/bash

RESPUESTA=`/usr/lib/nagios/plugins/check_by_ssh -H 10.xx.xx.xx -C /usr/opt/something/command | grep SOMETHING1 | grep SOMETHING-MORE`
# RESPUESTA will be like: "17561 something 123 SOMETHING1 /usr/opt/something/SOMETHING-MORE"

if [[ "$RESPUESTA" == *SOMETHING-MORE* ]]
then
        echo "Evryting working OK:" $RESPUESTA
        exit 0
elif [[ "$RESPUESTA" != *SOMETHING-MORE* ]]
then
        echo "### Error: check_by_ssh failed ###"
        exit 2
else
        echo "### Script error ###"
        exit 3
fi

When we run this script as "root" in the command line, it returns:

Code: Select all

root@nagios03:/usr/lib/nagios/plugins# ./script
Evryting working OK: 17561 something 123 SOMETHING1 /usr/opt/something/SOMETHING-MORE

But in the web interface in Nagios, it shows:

Code: Select all

### Error: check_by_ssh failed ###

We have tried to run the script like this:

Code: Select all

root@nagios03:/usr/lib/nagios/plugins# su nagios -c './script'

and nothing is returned.

Does anyone has a clue about how to solve this issue?

Thanks!

[darthcolo]

Answer to myself:

In order to work, I had to:

1) Assign a Shell to user nagios:

Code: Select all

usermod -s /bin/bash nagios

2) Include user nagios in sudoers list:

Code: Select all

nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/check_by_ssh

3) Edit the script:

Code: Select all

RESPUESTA=`sudo /usr/lib/nagios/plugins/check_by_ssh -H 10.xx.xx.xx -C /usr/opt/something/command | grep SOMETHING1 | grep SOMETHING-MORE`

Now... this is a major security concern.

Can you figure out a better way to do this?

[mguthrie]

Would it have been simpler to do a:

Code: Select all

chmod +x check_by_ssh

Are there other system commands being called by that script that require root permissions?
For the ssh login, is the nagios user attempting to login to the remote machine and not having access?

Are you developing your own check_by_ssh plugin, or having issues with the remote command that's being run after the ssh login? There's a check_by_ssh plugin that ships with the nagios-plugins package that's already had years of development on it. If you're developing your own, I would look at what's already been built and tested instead of recreating the wheel.

[darthcolo]

Thanks for the response.

These are the current settings of check_by_ssh:

Code: Select all

-rwxr-xr-x 1 root root 39796 may 22  2011 check_by_ssh

The command executed in the remote Host (.../usr/opt/something/command | grep SOMETHING1 | grep SOMETHING-MORE...) needs root privileges.

Nagios user can login through ssh just fine (I think...).

I'm having issues with the remote command that's being run after the ssh login.

Thanks for your comments.

[mguthrie]

OH ok, I think I see what you're saying. So what you should probably do is add a special sudoers line for the nagios user, giving him permission to run your :

Code: Select all

/usr/opt/something/command 

command.

Or if that's a home-grown script, then just give it executable permissions for the nagios user.

[darthcolo]

This:

Code: Select all

/usr/opt/something/command

is on the remote Host, and I can't touch it for something else that diagnosis commands.

We cannot change anything about that command.

[mguthrie]

Can you add something to that remote machine's sudoers file so the nagios user can't log in, but they can run that particular command?

Code: Select all

User_Alias      NAGIOS=nagios

# Nagios Core
NAGIOS ALL = NOPASSWD:/usr/opt/something/command

[darthcolo]

Nope. I can't do anything in the remote machine, because is a production server.

But thank you!

[dpnctl]

I am sorry but I am new to this forum, not able to locate a link to post a new one

[mguthrie]

Can you post this as a new thread? This is not the same issue at all.