check_expiry

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
hardik185
Posts: 5
Joined: Wed May 15, 2019 11:44 am

check_expiry

Post by hardik185 »

Hi, I am using check_expiry on Linux (RHEL 6) but while running it with check_nrpe, I always get "NRPE: Unable to read output"

I can see nagios is not able to execute this script to check user's password expiry information. any idea on how this can be achieved?
User avatar
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: check_expiry

Post by cdienger »

Edit line 15 to look like:

Code: Select all

        if [[ $get_expiry_date == *"Never"*  ]]
Test again and let us know the results. If it still fails, try running the script directly on the host and not using check_nrpe:

Code: Select all

bash -x ./check_expiry <username>
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
npolovenko
Support Tech
Posts: 3457
Joined: Mon May 15, 2017 5:00 pm

Re: check_expiry

Post by npolovenko »

@hardik185, On top of what Craig recommended, I suggest adding the following entries to the /etc/sudoers file on the nrpe server.

Code: Select all

nagios ALL = NOPASSWD:/tmp/check_expiry.sh
nagios ALL = NOPASSWD:/usr/sbin/lchage
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
hardik185
Posts: 5
Joined: Wed May 15, 2019 11:44 am

Re: check_expiry

Post by hardik185 »

Hi,

Thanks for your response.
I have tried both but I still get the same error.

strace does not really help. If I run the script as nagios user I get the right output. It is just check_nrpe does not give.

/usr/local/nagios/libexec/check_nrpe -H 127.0.0.1 -c check_appuser
NRPE: Unable to read output

Any idea?
npolovenko
Support Tech
Posts: 3457
Joined: Mon May 15, 2017 5:00 pm

Re: check_expiry

Post by npolovenko »

@hardik185, Can you show us the check_appuser command in the nrpe.cfg file? Please upload the whole npre.cfg file so I could examine your settings.

Also, if your plugin is in the /usr/local/nagios/etc/libexec/ folder, then you need to adjust entries in the sudoers file to reflect that:

Code: Select all

nagios ALL = NOPASSWD:/usr/local/nagios/etc/libexec/check_expiry.sh
nagios ALL = NOPASSWD:/usr/sbin/lchage
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
hardik185
Posts: 5
Joined: Wed May 15, 2019 11:44 am

Re: check_expiry

Post by hardik185 »

Hi @npolovenko,
Sure. I have added the entries as suggested in /etc/sudoers but still same output. Please find attached nrpe.cfg and suggest if there is any way to enable this check.
Attachments
nrpe.cfg
(10.35 KiB) Downloaded 302 times
npolovenko
Support Tech
Posts: 3457
Joined: Mon May 15, 2017 5:00 pm

Re: check_expiry

Post by npolovenko »

@hardik185, Open the /etc/sudoers file and add the following entries instead of just two entries that I recommended earlier.
Defaults: nrpe !requiretty
Defaults: nagios !requiretty

nagios ALL = NOPASSWD:/usr/local/nagios/etc/libexec/check_expiry.sh
nagios ALL = NOPASSWD:/usr/sbin/lchage
nagios ALL = NOPASSWD: /sbin/service,/usr/bin/systemctl,/usr/sbin/service
nrpe ALL = NOPASSWD: /sbin/service,/usr/bin/systemctl,/usr/sbin/service
Open the /usr/local/nagios/libexec/check_expiry.sh script on the line 14, and change it to look like this:

Code: Select all

 get_expiry_date=$(sudo /usr/sbin/lchage -l $1 | grep 'Password Expires' | cut -d: -f2)
I added "sudo".

Let me know if this fixes the issue.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
hardik185
Posts: 5
Joined: Wed May 15, 2019 11:44 am

Re: check_expiry

Post by hardik185 »

hi @npolovenko ,
I have added entries in sudoer file as suggested but did not help. not sure what is still missing.
npolovenko
Support Tech
Posts: 3457
Joined: Mon May 15, 2017 5:00 pm

Re: check_expiry

Post by npolovenko »

@hardik185, Please switch to the nagios user, run the plugin and show us the output:

Code: Select all

su - nagios
/usr/local/nagios/libexec/check_expiry.sh
Please upload the /etc/sudoers file and upload the plugin with the modifications we suggested here as well.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
hardik185
Posts: 5
Joined: Wed May 15, 2019 11:44 am

Re: check_expiry

Post by hardik185 »

sorry for replying late @npolovenko

I am able to run it successfully with "su - nagios"

-bash-4.1$ /usr/local/nagios/libexec/check_expiry.sh appuser1
OK - Password never expires
-bash-4.1$ vim /usr/local/nagios/etc/nrpe.cfg
-bash-4.1$ /usr/local/nagios/libexec/check_expiry.sh appuser2
OK - Password is 61 days from expiry
-bash-4.1$ /usr/local/nagios/libexec/check_nrpe -H 127.0.0.1 -c check_appuser
NRPE: Unable to read output
-bash-4.1$

Below are the entries added in /etc/sudoers,
nagios ALL = NOPASSWD:/usr/local/nagios/etc/libexec/check_expiry.sh *
nagios ALL = NOPASSWD:/usr/sbin/lchage -l *
nagios ALL = NOPASSWD: /sbin/service,/usr/bin/systemctl,/usr/sbin/service
nrpe ALL = NOPASSWD: /sbin/service,/usr/bin/systemctl,/usr/sbin/service

Below is the line updated in plugin,
function calculate_days_till_expiry {
get_expiry_date=$(sudo /usr/sbin/lchage -l $1 | grep 'Password Expires' | awk '{print $3}')

Can you review and suggest?
Locked