G'Day Nagios Support,
I was wondering if anyone on your team or development has subjected the NCPA to any security evaluations. I am trying to determine whether or not something already exists that can help my case in standardizing NCPA on all servers throughout my organization. Please let me know if any such study or evaluation has been researched to show ITS Security of Organizations the low-risk advantages of using NCPA.
Thanks and have a great day,
Danny
NCPA (Nagios Cross Platform Agent) Security Evaluation
Last edited by onegative on Tue Mar 27, 2018 10:38 am, edited 1 time in total.
-
dwhitfield
- Former Nagios Staff
- Posts: 4583
- Joined: Wed Sep 21, 2016 10:29 am
- Location: NoLo, Minneapolis, MN
Re: NCPA (Nagios Cross Platform Agent) Security Evaluation
The 8 CVEs that show up at
https://nvd.nist.gov/vuln/search/result ... query=ncpa
are not actually NCPA. NCPA is built on Python, so you will want to make sure you have a secure version of Python (and the Python libraries NCPA uses). On what OS are you planning to use NCPA?
Re: NCPA (Nagios Cross Platform Agent) Security Evaluation
Thanks, I am already using it on Windows 2008, 2012, 2016, RHEL 5, 6, 7 and have a few other OSes (AIX, Debian, Solaris) that I may need to compile against. I find the NCPA to be very secure, especially seeing it uses SSL and no local/AD credentials to pass/pull metric data. I was just hoping for some formal evaluation data for its overall use in an Enterprise. This type of vetting really silences the naysayers...if you know what I mean.
Thanks,
Danny
-
dwhitfield
- Former Nagios Staff
Re: NCPA (Nagios Cross Platform Agent) Security Evaluation
You will not *need* to compile for AIX (under Linux despite this being obviously incorrect) or Debian: https://www.nagios.org/ncpa/#downloads
Solaris is on the list to build packages, so I'd do that last. I can't really give an ETA on when that might happen. We just don't have a lot of people asking for it.
https://www.sans.org/reading-room/white ... gios-35762 does speak about the decisions for choosing NCPA, but it's a month and a half away from being 3 years old, which means they were using NCPA 1.7.2 or a pre-release of 1.8.0.
You may want to ask the devs directly about security by submitting a question at https://github.com/NagiosEnterprises/ncpa/issues/new