Testing check_by_ssh commands with UI

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
asmgiadmin
Posts: 125
Joined: Tue Feb 12, 2013 5:00 pm

Post by asmgiadmin »

The following works from command line:

/usr/local/nagios/libexec/check_by_ssh -H x.x.x.x -i /home/nagios/.ssh/id_rsa -l nagios -C /usr/lib64/nagios/plugins/check_cpu_stats.sh

CPU STATISTICS OK : user=0.00% system=0.00% iowait=0.00% idle=100.00% nice=0.00% steal=0.00% | CpuUser=0.00;CpuSystem=0.00;CpuIoWait=0.00;CpuIdle=100.00;CpuNice=0.00;CpuSteal=0.00;30;100

But when testing from UI

COMMAND: /usr/local/nagios/libexec/check_by_ssh -H x.x.x.x -i /home/nagios/.ssh/id_rsa -l nagios -C "/usr/lib64/nagios/plugins/check_cpu_stats.sh"
OUTPUT: Remote command execution failed: Warning: Identity file /home/nagios/.ssh/id_rsa not accessible: Permission denied.

The command also displays results properly in service detail.

How can I enable command testing from UI, using "Test Check Command" button? Some googling has suggested some php issue.
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: Testing check_by_ssh commands with UI

Post by sreinhardt »

Have you tried su-ing to the nagios user and attempting to run the command from there instead of root? Also what are the permissions on the ssh key that you are trying to use? If that was put in place by root, nagios may not have access to it. That seems to be what the error is referencing from the check output.

I don't believe php should have much to do with this as nagios does not use php to execute checks unless it is specifically a php script.
Edit: Oh I see this is when running from test command button in CCM. In that case you may have to be sure that apache user\group has access to the file and folders above it.
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
asmgiadmin
Posts: 125
Joined: Tue Feb 12, 2013 5:00 pm

Re: Testing check_by_ssh commands with UI

Post by asmgiadmin »

Please re-read my post, the command is not the issue.
asmgiadmin
Posts: 125
Joined: Tue Feb 12, 2013 5:00 pm

Re: Testing check_by_ssh commands with UI

Post by asmgiadmin »

sreinhardt wrote: Edit: Oh I see this is when running from test command button in CCM. In that case you may have to be sure that apache user\group has access to the file and folders above it.
Can you please elaborate?
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: Testing check_by_ssh commands with UI

Post by abrist »

You need to check the permission to: /home/nagios/.ssh/id_rsa

Code:

ls -la /home/nagios/.ssh/id_rsa
ls -la /home/nagios/.ssh/
ls -la /home/nagios/

RSA keys are usually created with fairly restrictive permissions. One other thing to note is that the test check command in the UI has issues with macros and escaping. Just an FYI.
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
asmgiadmin
Posts: 125
Joined: Tue Feb 12, 2013 5:00 pm

Re: Testing check_by_ssh commands with UI

Post by asmgiadmin »

There isn't an issue with public key authentication, please read the post in detail.

Is it possible to use "Test Check Command" with check_by_ssh service checks?
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: Testing check_by_ssh commands with UI

Post by abrist »

asmgiadmin wrote: There isn't an issue with public key authentication, please read the post in detail.

Is it possible to use "Test Check Command" with check_by_ssh service checks?
I was not alluding to auth issues, but permission issues. The test check command runs these checks as user "apache" whereas the actual checks are run as user "nagios". You will need to make sure the ssh key is readable by user or group "apache" and this may include the parent directory of the key as well.
asmgiadmin
Posts: 125
Joined: Tue Feb 12, 2013 5:00 pm

Re: Testing check_by_ssh commands with UI

Post by asmgiadmin »

abrist wrote:
asmgiadmin wrote: There isn't an issue with public key authentication, please read the post in detail.

Is it possible to use "Test Check Command" with check_by_ssh service checks?
I was not alluding to auth issues, but permission issues. The test check command runs these checks as user "apache" whereas the actual checks are run as user "nagios". You will need to make sure the ssh key is readable by user or group "apache" and this may include the parent directory of the key as well.
This sounds like a pretty large security vulnerability. How can exploiting the Apache user be prevented? With this config, couldn't anyone executing as apache essentially obtain the keys to the kingdom, so to speak?
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: Testing check_by_ssh commands with UI

Post by abrist »

Well, XI is a web frontend; as such, the apache user is already really important. If the apache user gets compromised, you have much larger problems than the test check command opening up vulnerabilities. I personally do not use the test check command for anything important because it can just be tested on the CLI. I do agree that loosening the restrictions on the .ssh folder is not best practice. But if you wish to use the check_by_ssh plugin from the "test command" interface, loosening up restrictions on the key file is the only way to go.

The only alternative is to run the test check command as users "nagios" or "root" from the web interface, and that opens up a whole new realm of security concerns. The test check command utility was not made for testing checks that require locked down permissions, as those should be tested from the CLI as user "nagios".

As with most web servers, if the local "apache" user has been compromised, the attacker pretty much has the "keys to the kingdom". With nagios, we try to segregate as much as we can into the "nagios" user, but "apache" does need some rights as well.

My suggestion would be to just test your check_by_ssh plugin from the CLI, or to understand the risks of giving apache rights to the keys.
asmgiadmin
Posts: 125
Joined: Tue Feb 12, 2013 5:00 pm

Re: Testing check_by_ssh commands with UI

Post by asmgiadmin »

Thanks, abrist.
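
Added example, not part of any post in this thread: a shell audit of the three paths abrist lists with `ls -la` (the key, its `.ssh` directory and the home directory), reporting any group or other access, which is what changes if the key is opened up for the apache user. It assumes GNU `stat` on Linux; the function and finding names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): report group/other access on an SSH
# private key and on the two directories above it, the same three paths the
# `ls -la` commands inspect. Assumes GNU coreutils `stat -c` (Linux).
# Function and finding names are illustrative.

# perm_bits PATH MASK -> prints the permission bits selected by the octal MASK
perm_bits() {
    pb_mode=$(stat -c '%a' "$1") || return 1
    echo $(( 0$pb_mode & $2 ))
}

# audit_key_path KEY -> one finding per line, empty output when owner-only
audit_key_path() {
    ak_key=$1
    if [ ! -f "$ak_key" ]; then
        echo "MISSING $ak_key"
        return 0
    fi
    ak_desc="mode=$(stat -c '%a owner=%U:%G' "$ak_key")"
    # Any group/other bit on the private key exposes it to other accounts.
    if [ "$(perm_bits "$ak_key" 077)" -ne 0 ]; then
        echo "KEY_EXPOSED $ak_desc $ak_key"
    fi
    ak_dir=$(dirname "$ak_key")
    for ak_level in 1 2; do
        ak_desc="mode=$(stat -c '%a owner=%U:%G' "$ak_dir")"
        # Group/other write: another account can replace or remove the key.
        if [ "$(perm_bits "$ak_dir" 022)" -ne 0 ]; then
            echo "DIR_WRITABLE $ak_desc $ak_dir"
        fi
        # Group/other search: another account can reach files inside.
        if [ "$(perm_bits "$ak_dir" 011)" -ne 0 ]; then
            echo "DIR_TRAVERSABLE $ak_desc $ak_dir"
        fi
        ak_dir=$(dirname "$ak_dir")
    done
}

# Stand-alone use: sh audit_key.sh /home/nagios/.ssh/id_rsa
if [ "$#" -gt 0 ]; then
    audit_key_path "$1"
fi
```

Empty output means only the owning account can reach the key; any `KEY_EXPOSED` or `DIR_TRAVERSABLE` line shows where access has been widened beyond the owner.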