Create command not working

[Bionic___]

I have created a script that checks for password expiration on the Nagios XI server. It works like a charm from the command line:

Code: Select all

/usr/local/nagios/libexec/check_password_expire.sh root
OK: User root has time available. 83 days remaining. RC=0  Password validity period for root is 90 days.

I created a command in the Nagios XI command wizard named check_password_expire_local

Code: Select all

$USER1$/check_password_expire.sh $ARG1$

as a check command.
I created a service that passes $ARG1$ with the user id I am looking for (root in the example above).
All changes applied.
When I test the service I get no response at all; just blanks.
I do not see what I am doing wrong. Any help is appreciated.

[abrist]

Can you post the script here? I would like to test it locally.

[slansing]

Can you also provide the output of:

Code: Select all

ls -la /usr/local/nagios/libexec/check_password_expire.sh

[Bionic___]

Script for check_password_expire.sh

Code: Select all

#!/bin/bash
# check_password_expire.sh
# This script is used with NRPE to report password status for the passed userID and sets
# password expiration warning and critical alert periods.
# Adapted from a script from
# www.chesterproductions.net.nz/blogs/it/code/finding-expiring-or-soon-to-expire-accounts-in-linux/582/
# Change Log ====================================================
# 2014-01-30 Wayne Talbot       Initial programming

user_name="$1"
if [[ $user_name == "" ]] ; then
        echo "No user name provided for review"
        echo "No user name provided." >> /tmp/pwstate.log
        exit 3
fi

# default key file locations
_l="/etc/login.defs"
_p="/etc/passwd"

# get mini UID limit
l=$(grep "^UID_MIN" $_l)

# get max UID limit
l1=$(grep "^UID_MAX" $_l)

# Message string
MSG=/tmp/pwstate.msg
echo "" > $MSG

# Configure return codes for alert levels
# RC=0 = OK: Everyting is fine.
# RC=1 = WARNING: Something is wrong but not yet fatal.
# RC=3 = CRITICAL: Something has failed or is failing and requires immediate attention.
# RC=4 = UNKNOWN: The script has returned an unknown state or did not complete before timeout.
RC=0

## get the user password configuration

# retrieve the day of the lasåt password change (lastchanged) in days since Jan 1, 1970 that password was last changed
last_password_change=`grep $user_name /etc/shadow | cut -d: -f3`

# retrieve the number of days that a password is valid which that user is forced to change his/her password
validity_period=`grep $user_name /etc/shadow | cut -d: -f5`

# retrieve the number of days before password is to expire that user is warned that his/her password must be changed
warning_period=`grep $user_name /etc/shadow | cut -d: -f6`

# get the current day in days since Jan 1, 1970
current_day=`perl -e 'print int(time/(60*60*24))'`

# compute the age of the user's password
password_age=`echo $current_day - $last_password_change + 1 | bc`

# calculate the number of days until the password expires
days_until_expired=`echo $validity_period - $password_age | bc`

# warn if the number of days to go in the validity period is less than the warning period
if [ $days_until_expired -lt 8 ] ; then
        RC=1
        echo -n "WARNING: User $user_name is in the password grace period and must change their password. " > $MSG
fi

# alert if the password has expired
if [ $days_until_expired -lt 1 ] ; then
        RC=2
        echo -n "CRITICAL: User $user_name password has expired! CHANGE PASSWORD NOW! RC=$RC " > $MSG
        echo -n "Password expired for $user_name $days_until_expired days ago. " >> $MSG
fi

# check to see if the user's password does not expire
if [ `chage -l $user_name | grep "Password expires" | grep -c "never"` -eq 1 ] ; then
        RC=2
        echo -n "CRITICAL: Password never expires for $user_name. RC=$RC " > $MSG
fi

# no error conditions detected so everything is ok
if [ $RC -eq 0 ] ; then
        echo -n "OK: User $user_name has time available. $days_until_expired days remaining. RC=$RC  " > $MSG
fi

echo "Password validity period for $user_name is $validity_period days." >> $MSG

# return text to calling program
cat $MSG

# clean message and user name
echo "" > $MSG
user_name=""

## set up return codes
# everything is ok
if [ $RC -eq 0 ] ; then
        exit 0
fi
# WARNING not so ok
if [ $RC -eq 1 ] ; then
        exit 1
fi
# CRITICAL fix it now
if [ $RC -eq 2 ] ; then
        exit 2
fi
# UNKNOWN (it should never be in this state)
exit 3

Code: Select all

ls -la /usr/local/nagios/libexec/check_password_expire.sh
-rwxr-xr-x 1 root root 3475 Feb  6 12:26 /usr/local/nagios/libexec/check_password_expire.sh

[lmiltchev]

Most probably this is a permissions issue. Can you run the command as nagios user?

Code: Select all

su -l nagios -c '/usr/local/nagios/libexec/check_password_expire.sh'

[BanditBBS]

1.) What user were you when you tried it from CLI?

2.) if you "sudo su nagios" and try to run as the nagios user, does it work? if not, you may need to change the script to sudo and give the nagios user sudo no password rights to the command used.

Or what lmiltchev just said as I typed my reply

[lmiltchev]

This is probably not the best way to do it, but here's a "workaround".

1. I added the following lines to the sudoers file:

Code: Select all

Defaults:nagios !requiretty
nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_password_expire.sh

2. I set up my command:

Code: Select all

define command {
       command_name                  	check_password_expire
       command_line                  		sudo /usr/local/nagios/libexec/check_password_expire.sh $ARG1$
}

3. I set up my service definition:

Code: Select all

define service {
	host_name				localhost
	service_description		Check Password Expire
	check_command			check_password_expire!nagios!!!!!!!
	...
	register				1
	}

4. In the CLI, I get:

Code: Select all

[root@testbox libexec]# su -l nagios -c 'sudo /usr/local/nagios/libexec/check_password_expire.sh nagios'
CRITICAL: Password never expires for nagios. RC=2 Password validity period for nagios is 99999 days.

5. It works in the GUI we well.

[Bionic___]

YES it worked. Not hard to implement.
Thanks for all your help.
I will be submitting the script to the exchange after a couple of tweaks and obtaining permission for the bits of code I borrowed.

[tmcdonald]

YES it worked. Not hard to implement.
Thanks for all your help.
I will be submitting the script to the exchange after a couple of tweaks and obtaining permission for the bits of code I borrowed.

Well hey, thanks for the contribution! Always appreciate getting new code. Gonna lock this up now, feel free to open a new thread if you need help with anything else.