root ssh

bradawk
Posts: 4
Joined: Wed Sep 15, 2021 10:19 am

root ssh

Post by bradawk »

We are using Nagios 4.4.6 and have the NRPE service set up for communication. Recently our security team contacted me and asked why root was ssh'ing to each server in our rack from the Nagios server. I have no idea. If Nagios is set up to run through NRPE, is there any reason it would also be ssh'ing in as root?
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: root ssh

Post by benjaminsmith »

Hi,

If you're using NRPE, it should be using the nagios user account on the remote hosts. I would check your service/host definitions; maybe you have some commands/checks set up using ssh.

Benjamin
bradawk
Posts: 4
Joined: Wed Sep 15, 2021 10:19 am

Re: root ssh

Post by bradawk »

OK. I did find:

define command {
    command_name    check_ssh
    command_line    $USER1$/check_ssh $ARG1$ $HOSTADDRESS$
}
I do see a binary under /usr/lib64/nagios/plugins called check_ssh. I'm just not sure where $USER1$ and $ARG1$ are defined?
bradawk
Posts: 4
Joined: Wed Sep 15, 2021 10:19 am

Re: root ssh

Post by bradawk »

OK. I think I found my answer. USER1 is defined in resources.cfg and points to the above path. ARG1 is defined in services.cfg. In it, I see:

define service {
   use                  generic-service
   hostgroups           a,b,c
   service_description  SSH
   check_command        check_ssh
}
If I am reading that correctly, then $ARG1$ will be nothing, correct? So, I would assume the ssh session would be done by the user it is running under? Is that correct?
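
The macro expansion worked out in the posts above, as an added example that is not part of the original thread or of Nagios itself: a small Python audit that expands `$USER1$` and `$ARGn$` for each service and reports which checks call an SSH plugin and with which login. The `check_disk_remote` command, the `Disk` service and the `HOST` placeholder are hypothetical; `check_ssh` only probes the SSH port, while `check_by_ssh` logs in as the user given with `-l`.

```python
import re
USER1 = "/usr/lib64/nagios/plugins"  # value the thread reports for $USER1$
# Constructed sample: the first command and the SSH service are the ones quoted
# in the thread; check_disk_remote and the "Disk" service are hypothetical.
SAMPLE = r"""
define command {
    command_name    check_ssh
    command_line    $USER1$/check_ssh $ARG1$ $HOSTADDRESS$
}
define command {
    command_name    check_disk_remote
    command_line    $USER1$/check_by_ssh -H $HOSTADDRESS$ -l $ARG1$ -C "$ARG2$"
}
define service {
   service_description  SSH
   check_command        check_ssh
}
define service {
   service_description  Disk
   check_command        check_disk_remote!root!check_disk -w 20%
}
"""

def parse_objects(text):
    """Yield (type, {directive: value}) for each 'define type { ... }' block."""
    for kind, body in re.findall(r"define\s+(\w+)\s*\{(.*?)\n\s*\}", text, re.S):
        pairs = (l.split(None, 1) for l in body.splitlines() if l.strip())
        yield kind, {p[0]: p[1].strip() if len(p) > 1 else "" for p in pairs}

def expand(command_line, check_command, host="HOST"):
    """Expand macros; $ARGn$ comes from the '!'-separated check_command fields."""
    args = check_command.split("!")[1:]
    def arg(m):  # an unset $ARGn$ expands to an empty string
        return (args[int(m.group(1)) - 1:] + [""])[0]
    line = re.sub(r"\$ARG([1-9]\d*)\$", arg, command_line)
    return line.replace("$USER1$", USER1).replace("$HOSTADDRESS$", host)

def ssh_checks(text):
    """Return (service, expanded command, login user or None) for ssh-based checks."""
    objs = list(parse_objects(text))
    commands = {o["command_name"]: o["command_line"] for k, o in objs if k == "command"}
    found = []
    for svc in (o for k, o in objs if k == "service"):
        cc = svc.get("check_command", "")
        line = expand(commands.get(cc.split("!")[0], ""), cc)
        if "ssh" in line:
            # check_ssh only probes the port; check_by_ssh logs in as the -l user.
            login = re.search(r"check_by_ssh\b.*?\s-l\s+(\S+)", line)
            found.append((svc["service_description"], line, login.group(1) if login else None))
    return found
```

Calling `ssh_checks()` on the concatenated text of the real object files gives one row per SSH-related service, which can be compared against the source user seen in the audit logs.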
bradawk
Posts: 4
Joined: Wed Sep 15, 2021 10:19 am

Re: root ssh

Post by bradawk »

The Nagios service is running under the user nagios. So, why should the audit logs keep seeing root attempting to ssh to each host? Does not make sense.