How to Disable (some of) Nagios' Functionality

[Lateralus]

Hi folks,

I have an interesting question.
Some of the IT members in our company disobey my instructions and constantly disable notifications/active-checks for hosts and services, when I simply ask them to schedule downtime or acknowledge.

I'm interested in a way to sabotage the buttons of "Disable Active checks for this service/host" and the "Disable notifications for ..." button.
I don't care if the page will show 404 error code when clicking on the link that disables notifications/active-checks. I just want them not to be able to use that functionality, while still being able to acknowledge and schedule downtime for hosts and services.

Your answer means a lot to me, as I'm fighting the dickheads at work who can't listen that that's being told by yours truly.

Thanks in advance,
Ido

[sreinhardt]

It is absolutely possible, although likely requires modification to the cgi C code and a recompilation of nagios. Do you just want the disable notifications and disable checks buttons removed\made unworkable? I can probably write you a patch this weekend without issue, I just want to be sure of exactly what you would like done.

[Lateralus]

It is absolutely possible, although likely requires modification to the cgi C code and a recompilation of nagios. Do you just want the disable notifications and disable checks buttons removed\made unworkable? I can probably write you a patch this weekend without issue, I just want to be sure of exactly what you would like done.

Wow mate, thanks a lot for the offer!!!

My "dream" is to have only certain users have the ability to disable notifications or active checks for hosts/services.
I assume that's out of the question.

For now, I'd like to have the "Disable notifications for service/host" link to redirect to "Schedule Downtime" automatically.
And to have the "Disable active checks for this host/service" redirect to the same "Schedule Downtime" function.

So the only way to disable notifications would be via command-line (a right that's reserved only to me).

Thanks a million!

[millisa]

If you are using an apache web server, you could use mod_rewrite to short circuit things.

First, create a 'bad user, stop doing that' file in your webroot (mine is at /var/www/html):

echo 'bad user - stop doing that'>/var/www/html/baduser.txt

In your apache config, make sure you are loading mod rewrite:

Code: Select all

LoadModule rewrite_module modules/mod_rewrite.so

(check your version of linux if you don't see it - redhat/centos variants usually have it turned on by default)

In the nagios apache config (mine is at /etc/httpd/conf.d/nagios.conf , in the section for the cgi-bin directory, you'll need to add some rewrites and allow followsymlinks.

Before making modifications, mine looks like this:

Code: Select all

<Directory "/usr/lib64/nagios/cgi-bin/">
#  SSLRequireSSL
   Options ExecCGI
   AllowOverride None	
   Order allow,deny
   Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1
   AuthName "Nagios Access"
   AuthType Basic
   AuthUserFile /etc/nagios/passwd
   Require valid-user
</Directory>

First, change that Options line to

Code: Select all

Options ExecCgi FollowSymLinks

Then, add this bit above the closing </directory>:

Code: Select all

RewriteEngine On
RewriteCond %{QUERY_STRING} (.*)cmd_typ=6&(.*)
RewriteRule ^(.*)$ /baduser.txt [L]

So, the entire directory section looks something like this:

Code: Select all

<Directory "/usr/lib64/nagios/cgi-bin/">
#  SSLRequireSSL
   Options ExecCGI FollowSymLinks
   AllowOverride None
   Order allow,deny
   Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1
   AuthName "Nagios Access"
   AuthType Basic
   AuthUserFile /etc/nagios/passwd
   Require valid-user

RewriteEngine On
RewriteCond %{QUERY_STRING} (.*)cmd_typ=6&(.*)
RewriteRule ^(.*)$ /baduser.txt [L]

</Directory>

Check your apache config with a 'apachectl configtest' and if it comes back ok, restart apache and check your nagios setup out.

What it should do is intercept any query string with 'cmd_typ=6&' in it and serve up the contents of your baduser.txt instead. cmd_type=6 is disabling a service's active checks.

Drawbacks to this method - a savvy user could open the 'disable service check' in a new window, cut the cmd_typ=6& off the front of the query string, and put it at the end of the query string with &cmd_typ=6 and still get to the page. (This could be your secret way to get around your roadblock, shh, we won't tell). This could also match things like supercmd_typ=6 (if there ever was such a thing).

To add other query string types to block, just add more RewriteCond and RewriteRule pairs:

Code: Select all

RewriteEngine On
#stop jerks using disable active service checks
RewriteCond %{QUERY_STRING} (.*)cmd_typ=6&(.*)
RewriteRule ^(.*)$ /baduser.txt [L]

#stop jerks from disabling notifications for service check
RewriteCond %{QUERY_STRING} (.*)cmd_typ=23&(.*)
RewriteRule ^(.*)$ /baduser.txt [L]

#now those jerks are trying disable host checks
RewriteCond %{QUERY_STRING} (.*)cmd_typ=48&(.*)
RewriteRule ^(.*)$ /baduser.txt [L]

#host notifications
RewriteCond %{QUERY_STRING} (.*)cmd_typ=25&(.*)
RewriteRule ^(.*)$ /baduser.txt [L]

#they thought they were clever and disabled all notifications for the whole system
# note - these don't have trailing ampersands normally, so you don't get a secret workaround
RewriteCond %{QUERY_STRING} (.*)cmd_typ=11(.*)
RewriteRule ^(.*)$ /baduser.txt [L]

#then tried to disable all service notifications
RewriteCond %{QUERY_STRING} (.*)cmd_typ=36(.*)
RewriteRule ^(.*)$ /baduser.txt [L]

#would you believe those IT jerks tried to disable host checks
RewriteCond %{QUERY_STRING} (.*)cmd_typ=89(.*)
RewriteRule ^(.*)$ /baduser.txt [L]

That should stop them from mostly disabling notifications and checks and let you keep using the stock cgi...
It's not really a nagios solution and you'll probably have to take it out if you needed support or were troubleshooting something, but it sounds like it'll mostly do what you are looking for.

Make backups of your configs before you change them in case you need to back out.

Edit1 - there may be other cmd_typ's you'd want to grab.
29 = disable notifications for all services on this host.
16 = disable checks of all services on this host

If you wanted to get fancy, you could use multiple rewritecond's in a chain with [OR]; more info about rewrite here: http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html

[Lateralus]

Superb stuff, millisa!

I was thinking about limiting this option via Apache before I opened this thread. I was playing with "ScriptAliasMatch" directive and it didn't work.
Now I understand what I did wrong. Works like a charm!

This is excellent mate! Thanks a lot, you've just saved me a lot of work produced by my lazy-ass IT team members.

Cheers!

[tmcdonald]

millisa, that's what we like to call a "5-Star Doing It Right" post. Thanks for the contribution!

Lateralus, did you need anything else related to this or should I close this thread up?

[Lateralus]

millisa, that's what we like to call a "5-Star Doing It Right" post. Thanks for the contribution!

Lateralus, did you need anything else related to this or should I close this thread up?

All is well. You can close the case.
Thanks!