permission problem with nrpe

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
elade
Posts: 144
Joined: Wed Mar 28, 2018 6:23 am

permission problem with nrpe

Post by elade »

Hi,

I have a script which runs on a Linux machine (Ubuntu 18.04) and which I need to run as the root user.
I did the following configuration:

Code: Select all

/etc/sudoers.d/nagios
nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_test.py

Code: Select all

/usr/local/nagios/etc/nrpe/nagios.cfg ( I added the dir in nrpe.cfg configuration)
command[check_test]=sudo -S /usr/local/nagios/libexec/check_test.py

In the service I get this info:

Code: Select all

Dec 30 12:10:04 test-server nrpe[1659]: is_an_allowed_host (AF_INET): host is in allowed host list!
Dec 30 12:10:04 test-server nrpe[1659]: Host address is in allowed_hosts
Dec 30 12:10:04 test-server nrpe[1659]: Host 10.10.10.10 is asking for command 'check_test' to be run...
Dec 30 12:10:04 test-server nrpe[1659]: Running command: /usr/bin/sudo -S /usr/local/nagios/libexec/check_test.py
Dec 30 12:10:04 test-server sudo[1662]:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/nagios/libexec/check_test.py
Dec 30 12:10:04 test-server sudo[1662]: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 30 12:10:04 test-server sudo[1662]: pam_unix(sudo:session): session closed for user root
Dec 30 12:10:04 test-server nrpe[1659]: Command completed with return code 0 and output: OK: no errors
Dec 30 12:10:04 test-server nrpe[1659]: Return Code: 0, Output: OK: no errors
Dec 30 12:10:04 test-server nrpe[1659]: Connection from 10.10.10.10 closed.

From the shell command I get the error result, "Critical - check status", but in the GUI I get OK even when there are errors.

XI version 5.5.8
NRPE Plugin for Nagios
Version: 3.2.1

As user nagios I get the same result from the shell command.

Any idea?
mbellerue
Posts: 1403
Joined: Fri Jul 12, 2019 11:10 am

Re: permission problem with nrpe

Post by mbellerue »

Can you send me the check_test.py script? I am wondering if it's just not returning the proper exit code.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
elade
Posts: 144
Joined: Wed Mar 28, 2018 6:23 am

Re: permission problem with nrpe

Post by elade »

Hi, it’s not a problem with the exit code. I already checked it.

I will ask if it’s ok to publish the script.

Other than that, is all the configuration OK?
mbellerue
Posts: 1403
Joined: Fri Jul 12, 2019 11:10 am

Re: permission problem with nrpe

Post by mbellerue »

In looking over what you posted, I just saw this.

Code: Select all

command[check_test]=sudo -S /usr/local/nagios/libexec/check_test.py

sudo -S forces sudo to read the password from standard input. Is this supposed to be sudo -s?
elade
Posts: 144
Joined: Wed Mar 28, 2018 6:23 am

Re: permission problem with nrpe

Post by elade »

I'm using it in all my monitoring scripts which I need to run as root, and I haven't had any problem until now.

I'm sending you a PM with the script.
mbellerue
Posts: 1403
Joined: Fri Jul 12, 2019 11:10 am

Re: permission problem with nrpe

Post by mbellerue »

Try adding this to your /etc/sudoers.d/nagios file, above your NOPASSWD line.

Code: Select all

Defaults:nagios !requiretty

When I added this, I was able to run the command using sudo without a password.
elade
Posts: 144
Joined: Wed Mar 28, 2018 6:23 am

Re: permission problem with nrpe

Post by elade »

I added it to /etc/sudoers.d/nagios even though it was already in /etc/sudoers, and I get the same output.
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: permission problem with nrpe

Post by lmiltchev »

Restart apache on the remote box, then run the following commands from the command line, and show the output:

On the client (remote machine)

Code: Select all

ls -la /usr/local/nagios/libexec/check_test.py
grep -s -R 'check_test.py\|requiretty' /etc
grep 'check_test.py\|nrpe_' /usr/local/nagios/etc/nrpe.cfg
su - nagios
sudo -S /usr/local/nagios/libexec/check_test.py
echo $?

On the Nagios XI server

Code: Select all

su - nagios
/usr/local/nagios/libexec/check_nrpe -H <client ip>
/usr/local/nagios/libexec/check_nrpe -H <client ip> -c check_test
echo $?
elade
Posts: 144
Joined: Wed Mar 28, 2018 6:23 am

Re: permission problem with nrpe

Post by elade »

On the client (remote machine)
CODE: SELECT ALL
ls -la /usr/local/nagios/libexec/check_test.py
grep -s -R 'check_test.py\|requiretty' /etc
grep 'check_test.py\|nrpe_' /usr/local/nagios/etc/nrpe.cfg
su - nagios
sudo -S /usr/local/nagios/libexec/check_test.py
echo $?

Code: Select all

root@test01:/usr/local/nagios/libexec# ls -la /usr/local/nagios/libexec/check_test.py
-rwxr-xr-x 1 root root 1021 Jan  7 17:14 /usr/local/nagios/libexec/check_test.py

root@test01:/usr/local/nagios/libexec# grep -s -R 'check_test.py\|requiretty' /etc
/etc/sudoers.d/nagios:Defaults:nagios !requiretty
/etc/sudoers.d/nagios:nagios ALL=(user) NOPASSWD:/usr/local/nagios/libexec/check_test.py
/etc/sudoers:Defaults:nagios !requiretty
/etc/ansible/ansible.cfg:# first disable 'requiretty' in /etc/sudoers
/etc/ansible/ansible.cfg:# sudoers configurations that have requiretty (the default on many distros).

root@test01:/usr/local/nagios/libexec# grep 'check_test.py\|nrpe_' /usr/local/nagios/etc/nrpe/nagios.cfg
command[check_test]=sudo -S -u user /usr/local/nagios/libexec/check_test.py

root@test01:/usr/local/nagios/libexec# su - nagios
No directory, logging in with HOME=/
$ bash
nagios@test01:/$ sudo -S /usr/local/nagios/libexec/check_test.py
[sudo] password for nagios:
Sorry, try again.
[sudo] password for nagios:
Sorry, try again.
[sudo] password for nagios:
sudo: 2 incorrect password attempts
nagios@test01:/$ sudo -S -u user /usr/local/nagios/libexec/check_test.py
The connection to the server localhost:8080 was refused - did you specify the right host or port?
All are Running
nagios@test01:/$ echo $?
0
nagios@test01:/$

On the Nagios XI server
CODE: SELECT ALL
su - nagios
/usr/local/nagios/libexec/check_nrpe -H <client ip>
/usr/local/nagios/libexec/check_nrpe -H <client ip> -c check_test
echo $?

Code: Select all

root@ubuntu:~# su - nagios
No directory, logging in with HOME=/
$ bash
nagios@ubuntu:/$ /usr/local/nagios/libexec/check_nrpe -H 10.10.10.10
NRPE v3.2.1
nagios@ubuntu:/$ /usr/local/nagios/libexec/check_nrpe -H 10.10.10.10 -c check_test
All are Running
nagios@ubuntu:/$ echo $?
0

I added permission for the script to run as "user" (the remote machine username); without it the script asks for the nagios user's password.

Code: Select all

nagios ALL=(user) NOPASSWD:/usr/local/nagios/libexec/test.py

From user on the remote machine there are errors which I need to show in the alert.
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: permission problem with nrpe

Post by lmiltchev »

This is definitely NOT a standard (vanilla) setup. Your Nagios XI has been modified... It seems like you removed the nagios home page... What is the output of the command below, run on the Nagios XI server?

Code: Select all

grep nagios /etc/passwd

The "default" output should look something like this:

Code: Select all

nagios:x:500:500::/home/nagios:/bin/bash

Also, NRPE runs as nagios user, not some other user... Change this line in the nrpe.cfg:

Code: Select all

command[check_test]=sudo -S -u user /usr/local/nagios/libexec/check_test.py

to this:

Code: Select all

command[check_test]=sudo -S /usr/local/nagios/libexec/check_test.py

Save, exit and restart nrpe.

Also, change this line in "/etc/sudoers.d/nagios" file:

Code: Select all

nagios ALL=(user) NOPASSWD:/usr/local/nagios/libexec/check_test.py

to this:

Code: Select all

nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_test.py

Lastly, change the permissions on the check_test.py file:

Code: Select all

chown root.nagios /usr/local/nagios/libexec/check_test.py

Try your check again. Did it work now?
Locked
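
Added example, not part of the original thread and not Nagios code: a shell check that the run-as user granted by the sudoers rule matches the one the NRPE command asks sudo for, which is the mismatch behind the password prompt in the client transcript above. The variable and function names are illustrative, and the parsing assumes single-command rules like the ones quoted in the thread.

```shell
#!/bin/sh
# Constructed sample input: the sudoers rules and NRPE command lines quoted in this thread.
RULE_AS_USER='nagios ALL=(user) NOPASSWD:/usr/local/nagios/libexec/check_test.py'
RULE_AS_ROOT='nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_test.py'
NRPE_AS_USER='command[check_test]=sudo -S -u user /usr/local/nagios/libexec/check_test.py'
NRPE_AS_ROOT='command[check_test]=sudo -S /usr/local/nagios/libexec/check_test.py'

# Run-as user a sudoers rule grants; without a "(runas)" part sudo grants root only.
sudoers_runas() {
    case $1 in
        *=\(*\)*) printf '%s\n' "$1" | sed 's/^[^=]*=(\([^):]*\).*/\1/' ;;
        *) echo root ;;
    esac
}

# Run-as user the NRPE command asks sudo for: the word after -u, otherwise root.
nrpe_runas() {
    set -- ${1#*=}              # word-split; the sample lines hold no glob characters
    [ $# -gt 0 ] && shift       # drop the sudo binary
    while [ $# -gt 0 ]; do
        case $1 in
            -u) echo "$2"; return ;;
            /*) break ;;        # reached the plugin path without seeing -u
        esac
        shift
    done
    echo root
}

# Plugin path = text after the last space or colon (the plugin takes no arguments here).
plugin_path() { printf '%s\n' "${1##*[ :]}"; }

# Return 0 if sudo would run the NRPE command without a prompt, else say why and return 1.
check_pair() {                  # $1 = sudoers rule, $2 = NRPE command line
    granted=$(sudoers_runas "$1"); wanted=$(nrpe_runas "$2")
    case $1 in
        *NOPASSWD:*) ;;
        *) echo "no NOPASSWD tag: NRPE cannot answer a password prompt"; return 1 ;;
    esac
    [ "$(plugin_path "$1")" = "$(plugin_path "$2")" ] || { echo "plugin path differs"; return 1; }
    if [ "$granted" != ALL ] && [ "$granted" != "$wanted" ]; then
        echo "runas mismatch: rule grants ($granted), command asks for $wanted"; return 1
    fi
    echo "ok: runs as $wanted without a password"
}

check_pair "$RULE_AS_USER" "$NRPE_AS_ROOT" || true   # the call that prompted for a password
check_pair "$RULE_AS_ROOT" "$NRPE_AS_ROOT"           # the pair recommended in the last reply
```

Running the same comparison against the live files before restarting nrpe shows whether a check will stall on a password prompt that NRPE has no way to answer.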