NRPE Configuration Question

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
BanditBBS
Posts: 2474
Joined: Tue May 31, 2011 12:57 pm
Location: Scio, OH

NRPE Configuration Question

Post by BanditBBS »

I started another thread asking some questions about NRDS, but I'd really prefer to continue using NRPE and have active checks instead of passive. The major issue isn't getting the scripts copied up to the servers; the issue is having to update nrpe.cfg and restart NRPE when adding a completely new command.

My question is, is there a way to add new command definitions without having to restart NRPE?
  • I see in the config file an "include" variable that will include definitions from an external file. If I use that and modify the definitions in the included file, does NRPE need to be restarted?
  • The other option I thought of was adding a command definition of "command[check_whatever]=/usr/opt/nagios/libexec/$ARG1$ $ARG2$ $ARG3$". I think that would work, but I'd prefer the include option if it works as I hope.
Thanks again!
2 of XI5.6.14 Prod/DR/DEV - Nagios LogServer 2 Nodes
See my projects on the Exchange at BanditBBS - Also check out my Nagios stuff on my personal page at Bandit's Home and at github
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: NRPE Configuration Question

Post by abrist »

BanditBBS wrote: If I use that and modify the definitions in the included file, does NRPE need to be restarted?
I am just full of bad news today. NRPE reads the configs on startup of the service; these are retained in memory while the service is running. During startup, it will follow the include tree defined in the nrpe.cfg, but only during startup. This is why it requires a restart.
BanditBBS wrote: The other option I thought of was adding a command definition of "command[check_whatever]=/usr/opt/nagios/libexec/$ARG1$ $ARG2$ $ARG3$". I think that would work, but I'd prefer the include option if it works as I hope.
This is quite clever; I am interested as to whether this works or not. Though your security team may be less than happy with the implementation, as it would widen the potential security problems of nrpe. I would suggest that you make sure that there are no plugins of the "dangerous" sort in libexec before deployment, or maybe create a nested directory in libexec for the additional scripts:

Code:
command[check_whatever]=/usr/opt/nagios/libexec/bandits_scripts/$ARG1$ $ARG2$ $ARG3$
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
BanditBBS
Posts: 2474
Joined: Tue May 31, 2011 12:57 pm
Location: Scio, OH

Re: NRPE Configuration Question

Post by BanditBBS »

I have mentioned my security dept a few times, haven't I? :)

What they don't know won't hurt them! Actually, locked down by IP and other measures of security should be good. I'll be testing this just as soon as one of the AIX admins gets back and restarts NRPE so I can test.

Jim
2 of XI5.6.14 Prod/DR/DEV - Nagios LogServer 2 Nodes
See my projects on the Exchange at BanditBBS - Also check out my Nagios stuff on my personal page at Bandit's Home and at github
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: NRPE Configuration Question

Post by sreinhardt »

Just to add a hopeful note to abrist's depression-inducing line of answers. Starting with core, and potentially moving to agents, this may be something I am going to look at remedying after the conference, depending on how we are handling it in memory. If the structures are similar to objects.cache, and I just need to modify a few additional functions and lists, it should be done relatively shortly.
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: NRPE Configuration Question

Post by abrist »

BanditBBS wrote:I have mentioned my security dept a few times, haven't I?
We have the memories of elephants up here in MN. :)
BanditBBS wrote: I'll be testing this just as soon as one of the AIX admins gets back and restarts NRPE so I can test.

How many admins does it take to restart a benign service?

Only one, because there is only one true admin, but he works in mysterious ways. Have you prostrated recently? :P
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
BanditBBS
Posts: 2474
Joined: Tue May 31, 2011 12:57 pm
Location: Scio, OH

Re: NRPE Configuration Question

Post by BanditBBS »

That command definition works! I will no longer need to restart NRPE after one final update to the config file. The other security on this is, a 'hacker' would have to know the command definition name to even execute it, so I could call it check_jhsgjhfgfghasdfhgadf. Good luck guessing that :) That's if you can get past the allowed_from directive also.

Jim/Bandit
2 of XI5.6.14 Prod/DR/DEV - Nagios LogServer 2 Nodes
See my projects on the Exchange at BanditBBS - Also check out my Nagios stuff on my personal page at Bandit's Home and at github
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: NRPE Configuration Question

Post by abrist »

I started a doc concerning advanced nrpe tips a while back - this one is definitely getting added before it hits the nagios library.
BanditBBS wrote: The other security on this is, a 'hacker' would have to know the command definition name to even execute it, so I could call it check_jhsgjhfgfghasdfhgadf. Good luck guessing that :) That's if you can get past the allowed_from directive also.
Even if they knew the command, compromised your network, and mitm'ed the connection, they would still have the ssl issue to get around. You do use ssl, right? :P

One other security hole I thought about - could you pass relative paths through it? For example:

Code:
command[check_whatever]=/usr/opt/nagios/libexec/$ARG1$ $ARG2$ $ARG3$
$ARG1$ = "../../../../bin/bash"
$ARG2$ = "<nasty shell code here>"
I would assume you could pass relative paths like the command above. The best way to implement this may be to pass the command to a wrapper script that can attempt to do some sanity checking/scrubbing of the input before passing it to the shell. But then again, that would be a pita, and would nearly reproduce what nrpe already does. If you trust your network, it is probably not a big deal, though it would be an abdication of my responsibility to at least not mention it.
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
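The wrapper abrist describes, written out as an added example (this is not code from the thread or from the NRPE project). It assumes the nested directory suggested earlier, /usr/opt/nagios/libexec/bandits_scripts, and an NRPE command of the form "command[check_whatever]=/usr/opt/nagios/libexec/run_plugin.sh $ARG1$ $ARG2$ $ARG3$"; both paths and the script name are assumptions. $ARG1$ is accepted only as a bare file name, so values such as "../../../../bin/bash" or "/bin/sh" are refused before anything runs, and the remaining arguments are handed to the plugin positionally rather than being re-parsed by a shell.

```sh
#!/bin/sh
# Added example, not from the thread: wrapper for the generic
#   command[check_whatever]=/usr/opt/nagios/libexec/run_plugin.sh $ARG1$ $ARG2$ $ARG3$
# pattern. $ARG1$ must be a plain plugin file name inside PLUGIN_DIR; all other
# arguments go to the plugin unchanged. PLUGIN_DIR is an assumed location.

PLUGIN_DIR="${PLUGIN_DIR:-/usr/opt/nagios/libexec/bandits_scripts}"

# validate_plugin_name NAME
# Returns 0 only for a bare file name: letters, digits, '_', '.', '-';
# not empty, no '/', and not starting with '.' or '-'.
validate_plugin_name() {
    case "$1" in
        '')                 return 1 ;;   # empty
        */*)                return 1 ;;   # any path separator: ../ and /bin/... fail here
        .*|-*)              return 1 ;;   # hidden files and option-looking names
        *[!A-Za-z0-9_.-]*)  return 1 ;;   # whitespace, $, ;, newline, anything else
    esac
    return 0
}

# run_plugin NAME [ARG...]
# Runs PLUGIN_DIR/NAME with ARGs and passes its output and exit code through
# (0/1/2/3 = OK/WARNING/CRITICAL/UNKNOWN, which is what NRPE reports upstream).
# Anything wrong with the name or the target yields UNKNOWN (3) and runs nothing.
run_plugin() {
    if [ $# -eq 0 ]; then
        echo "UNKNOWN - no plugin name given"
        return 3
    fi
    name="$1"
    shift
    if ! validate_plugin_name "$name"; then
        echo "UNKNOWN - rejected plugin name"
        return 3
    fi
    target="$PLUGIN_DIR/$name"
    # Must be a regular, executable file directly in PLUGIN_DIR. Symlinks are
    # refused so a stray link in the directory cannot redirect execution elsewhere.
    if [ -L "$target" ] || [ ! -f "$target" ] || [ ! -x "$target" ]; then
        echo "UNKNOWN - no such plugin: $name"
        return 3
    fi
    # Direct execution: "$@" is passed as separate arguments, never re-tokenised.
    if "$target" "$@"; then
        return 0
    else
        return $?
    fi
}

# When NRPE invokes the wrapper it substitutes $ARG1$.. on the command line;
# with no arguments (for example when sourced for testing) nothing is executed.
if [ $# -gt 0 ]; then
    run_plugin "$@"
    exit $?
fi
```

Argument passing still requires dont_blame_nrpe=1 in nrpe.cfg, as with the original one-liner, and allowed_hosts and SSL remain the outer layers; the wrapper only closes the traversal gap in the inner one. If a plugin legitimately needs to live outside PLUGIN_DIR, add an explicit command definition for it rather than loosening the name check.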
BanditBBS
Posts: 2474
Joined: Tue May 31, 2011 12:57 pm
Location: Scio, OH

Re: NRPE Configuration Question

Post by BanditBBS »

I plead the 5th about ssl and I trust my network for the other issues mentioned.

Jim
2 of XI5.6.14 Prod/DR/DEV - Nagios LogServer 2 Nodes
See my projects on the Exchange at BanditBBS - Also check out my Nagios stuff on my personal page at Bandit's Home and at github
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: NRPE Configuration Question

Post by abrist »

And on that note - should we lock this up proper?
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
BanditBBS
Posts: 2474
Joined: Tue May 31, 2011 12:57 pm
Location: Scio, OH

Re: NRPE Configuration Question

Post by BanditBBS »

abrist wrote:And on that note - should we lock this up proper?
Yes sir, I'm good with this being locked.
2 of XI5.6.14 Prod/DR/DEV - Nagios LogServer 2 Nodes
See my projects on the Exchange at BanditBBS - Also check out my Nagios stuff on my personal page at Bandit's Home and at github