root ssh
We are using nagios 4.4.6 and have the nrpe service set up for communication. Recently our security team contacted me and asked why root was ssh'ing to each server in our rack from the nagios server? I have no idea. If Nagios is set up to run through nrpe, is there any reason it would also be ssh'ing in as root?
Re: root ssh
Hi,
If you're using NRPE, it should be using the nagios user account on the remote hosts. I would check your service/hosts definitions, maybe you have some commands/checks set up using ssh.
Benjamin
Re: root ssh
OK. I did find:
define command {
    command_name check_ssh
    command_line $USER1$/check_ssh $ARG1$ $HOSTADDRESS$
}
I do see a binary under /usr/lib64/nagios/plugins called check_ssh. I'm just not sure where $USER1$ and $ARG1$ are defined?
Re: root ssh
OK. I think I found my answer. USER1 is defined in resources.cfg and points to the above path. ARG1 is defined in services.cfg. In it, I see:
define service {
    use generic-service
    hostgroups a,b,c
    service_description SSH
    check_command check_ssh
}
If I am reading that correctly, then $ARG1$ will be nothing, correct? So, I would assume the ssh session would be done by the user it is running under? Is that correct?
Re: root ssh
The Nagios service is running under the user nagios. So, why should the audit logs keep seeing root attempting to ssh to each host? Does not make sense.
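The check suggested in the first reply (look through the command and service definitions for anything that uses ssh), as an added example that is not part of the thread or of Nagios itself: it expands $USER1$, $ARGn$ and $HOSTADDRESS$ for each service and flags command lines whose program opens an SSH login, such as check_by_ssh, which runs the ssh client, whereas check_ssh only connects to the SSH port and reads the server's banner. The check_ssh definitions mirror the ones posted above; the check_by_ssh command, the Disk service and the function names are hypothetical.

```python
import re
import shlex

# Constructed sample; the check_by_ssh command and Disk service are hypothetical.
RESOURCE_CFG = "$USER1$=/usr/lib64/nagios/plugins\n"
OBJECTS_CFG = """
define command {
    command_name check_ssh
    command_line $USER1$/check_ssh $ARG1$ $HOSTADDRESS$
}
define command {
    command_name check_disk_ssh
    command_line $USER1$/check_by_ssh -H $HOSTADDRESS$ -l $ARG1$ -C "$ARG2$"
}
define service {
    service_description SSH
    check_command check_ssh
}
define service {
    service_description Disk
    check_command check_disk_ssh!root!df -h /
}
"""
# Programs that log in over SSH; check_ssh only reads the server's banner.
SSH_LOGIN_PROGRAMS = {"check_by_ssh", "ssh", "scp", "sftp"}

def parse_objects(text):
    """Yield (type, {directive: value}) for each 'define <type> { ... }' block."""
    for kind, body in re.findall(r"define\s+(\w+)\s*\{(.*?)\}", text, re.S):
        pairs = (ln.strip().split(None, 1) for ln in body.splitlines())
        yield kind, dict(p for p in pairs if len(p) == 2)

def expand(command_line, check, user_macros, host="HOST"):
    """Expand $USERn$, $ARGn$ and $HOSTADDRESS$; unset macros become empty."""
    macros = {**user_macros, "$HOSTADDRESS$": host}
    macros.update({f"$ARG{i}$": a for i, a in enumerate(check.split("!")[1:], 1)})
    return re.sub(r"\$\w+\$", lambda m: macros.get(m.group(0), ""), command_line)

def audit(objects_cfg, resource_cfg):
    """Yield (service, expanded command line, opens an SSH login?) per service."""
    user = dict(ln.split("=", 1) for ln in resource_cfg.splitlines() if ln.startswith("$USER"))
    objs = list(parse_objects(objects_cfg))
    commands = {o["command_name"]: o["command_line"] for k, o in objs if k == "command"}
    for o in (o for k, o in objs if k == "service"):
        line = expand(commands[o["check_command"].split("!")[0]], o["check_command"], user)
        program = shlex.split(line)[0].rsplit("/", 1)[-1]
        yield o["service_description"], line, program in SSH_LOGIN_PROGRAMS

for name, line, logs_in in audit(OBJECTS_CFG, RESOURCE_CFG):
    print(f"{name}: ssh_login={logs_in}: {line}")
```

With no `!` in check_command, $ARG1$ expands to an empty string, so the SSH service runs check_ssh with only the host address.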