Re: [Nagios-devel] NRPE Arguments some thoughts and how to disable

On 17 Sep 2009, at 09:26, Jelle Smet wrote:

> I think key in each monitoring system is that you need to be able to
> define your thresholds on the level of your monitoring system
> itself, and not on the clients.
>
> (Whether monitoring results are evaluated by the monitoring system
> or by the monitoring client, that's another story.)
>
> In other words we're using the "dont_blame_nrpe" parameter on all my
> clients, which offers for us a very powerful and flexible setup.
> I (personally) think the minimum you can expect of a monitoring
> system is that you don't need to be on the client side to define
> thresholds.
>
I agree - this is the best way of having a centralised configuration
system.
> Anyhow, ... I came to a point where I need to send over regular
> expressions over nrpe to the remote client, which fails of course
> because of the hard coded "illegal metacharacters"
>
> Now my request:
> * It would be nice, if these characters could be defined in the
> config file, giving a user control.
> * How can I change the code so these metachars are ignored?
>
We apply this patch to NRPE: https://secure.opsera.com/wsvn/wsvn/ops ... asty.patch

This is available in the Opsview (our product based on Nagios - http://opsview.org) Agent,
which is available for download at downloads.opsview.org.


You could make the parameter an nrpe.cfg option - that would make
sense. Patches welcome! (Though I don't have commit access to NRPE).

> Isn't there a security design which allows such functionality while
> it being secure?
>
I think shell meta-characters should be ignored, certainly by default.
If you allowed them, I think it would be impossible to evaluate
whether it was invoking other code or not through the shell.

For example, /`\/bin\/file`/ may look like a regexp searching for a
quoted instance of /bin/file, but it would probably get invoked by the
shell and actually run /bin/file (because of the backticks). I think
you are asking for trouble if you allow these characters through.

Alternatively, you could write a wrapper plugin which does contain the
regexp you want, with the knowledge that funny quoting should no
longer apply.

Ton






This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
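
The wrapper-plugin approach suggested in the reply above, as an added example that is not part of the original post or of NRPE: the regexp is fixed on the client and only integer thresholds are accepted as arguments. The function name, pattern, default log path and the nrpe.cfg line in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Hypothetical wrapper plugin (added example, not NRPE code).
# Assumed nrpe.cfg entry; the plugin path is illustrative:
#   command[check_pattern]=/usr/local/nagios/libexec/check_pattern_count $ARG1$ $ARG2$
# Only WARN and CRIT cross the wire. The regexp never does, so the
# metacharacter filter in NRPE can stay at its default.

# Single quotes: the backticks are literal regexp text here, not a
# command substitution as they would be on an unquoted command line.
PATTERN='`/bin/file`'
DEFAULT_LOG=/var/log/messages    # assumed path, set on the client only

# Succeeds only for a non-empty string made of digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage: check_pattern_count WARN CRIT [LOGFILE]
# LOGFILE is meant to be fixed in nrpe.cfg, never taken from $ARGn$.
check_pattern_count() {
    warn=$1 crit=$2 log=${3:-$DEFAULT_LOG}
    if ! is_uint "$warn" || ! is_uint "$crit"; then
        echo "UNKNOWN - thresholds must be non-negative integers"
        return 3
    fi
    if [ ! -r "$log" ]; then
        echo "UNKNOWN - cannot read $log"
        return 3
    fi
    # grep -c exits 1 when nothing matches; the count is still printed.
    count=$(grep -c -e "$PATTERN" -- "$log" || true)
    if [ "$count" -ge "$crit" ]; then
        echo "CRITICAL - $count matching lines | matches=$count"; return 2
    elif [ "$count" -ge "$warn" ]; then
        echo "WARNING - $count matching lines | matches=$count"; return 1
    fi
    echo "OK - $count matching lines | matches=$count"; return 0
}

# Run as a plugin only when installed under this (assumed) file name.
if [ "${0##*/}" = "check_pattern_count" ]; then
    check_pattern_count "$@"; exit $?
fi
```
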