changing installation passwords

[kendallchenoweth]

What's the impact, if any, of changing the Centos nagios password?

What is the "Nagios XI Subsystem Account" account listed in the "Configure/CCM/Manage Config Access"? What is it's default password and what's the impact of changing it?
If I change the nagiosadmin account password in "Configure/CCM/Manage Config Access" and "admin/manage users", do I need to update anything else?
Is there any impact to changing the root password on the centos system?

How do I change the mysql and postgres sql database passwords and, if I've done that, how many other places (and how) do I update them, e.g. a backup script or something like that....

[sreinhardt]

I would suggest looking at my slideshare\youtube presentation from last years conference. Most of those (centos users\root, CCM admin, and nagiosadmin) would have no impact outside of you needing to recall them. The postgres and mysql passwords require a bit more work, but I have covered it all in the slides linked below.

http://www.slideshare.net/nagiosinc/spe ... ios-server

[kendallchenoweth]

What files should I be editing, according to slide 11 of your presentation? (By the way, I really like this presentation... Thanks!)
http://www.slideshare.net/nagiosinc/spe ... ios-server

Code: Select all

[root@nagiosxidev-00-ah conf.d]# ls
https.conf         nagiosql.conf           nrdp.conf  ssl.conf.nagiosxibackup
mrtg.conf          nagiosxi.conf           php.conf   welcome.conf
nagios.conf        nagiosxi.conf.original  README
nagiosmobile.conf  nagvis.conf             ssl.conf

automysqlbackup fails (same error if password is set to mysql Nagios XI default or new password)

Code: Select all

###### WARNING ######
Errors reported during AutoMySQLBackup execution.. Backup failed
Error log below..
-- Warning: Skipping the data of table mysql.event. Specify the --events option explicitly.

What does this mean?

On slide 13, there is a reference to a mysqlpass variable in the backup_xi.sh script. It isn't there and the script appears to be working anyway (I need to confirm).

On slide 14, is there a typo? Should "mysqladmin" be "mysql" instead? Is this a duplicate step of changing the mysql root password above or something different? I'm confused by the introduction of 'ndoutils' in the username. Can you clarify?

For slide 15-16, I assume I should replace n@gweb with my password. Is this password supposed to be the ndoutils password in the earlier slide, the mysql root or is this account account?

On slide 17, I'm not sure how/if this needs changing in restore_xi.sh

Code: Select all

echo "Restoring PostgresQL databases..."
psql -U nagiosxi nagiosxi < pgsql/nagiosxi.sql

Which username/password combo is n@gweb referring to?

What's the impact of changing the postgressql root password? I didn't see that covered in this presentation.

Edit: Edit: I didn't see the following question answered in the linked presentation...

What is the "Nagios XI Subsystem Account" account listed in the "Configure/CCM/Manage Config Access"? What is it's default password and what's the impact of changing it?

Edit: The software upgrade failed after I assigned the self signed certificates. Do you have any advise on how to resolve this?

Code: Select all

[root@nagiosxidev-00-ah nagiosxi]# ./upgrade
OLD VERSION: 319
no crontab for nagios
no crontab for root
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php.ini on line 432 in Unknown on line 0
Archive: sourceguardian/ixed4.lin.x86-64.zip
inflating: /usr/lib64/php/modules/ixed.5.3.lin
Sourceguardian extension found for PHP version 5.3
Sourceguardian extension already in php.ini
Copying over new XI directory...
Building latest perms binary...
Updating NagiosQL...
NAGIOSQL-POST
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php.ini on line 432 in Unknown on line 0
Patching NDOUtils...
NDOUtils already patched at level 103
Updating sequences...
Nagios XI Postgres Database Sequence Information

OLD VALUES
--------------
xi_commands_command_id_seq = 11
xi_events_event_id_seq = 1
xi_meta_meta_id_seq = 5
xi_options_option_id_seq = 136
xi_sysstat_sysstat_id_seq = 100
xi_usermeta_usermeta_id_seq = 414
xi_users_user_id_seq = 49

NEW VALUES
--------------
xi_commands_command_id_seq = 11
xi_events_event_id_seq = 1
xi_meta_meta_id_seq = 5
xi_options_option_id_seq = 136
xi_sysstat_sysstat_id_seq = 100
xi_usermeta_usermeta_id_seq = 414
xi_users_user_id_seq = 49

Installing new PNP templates...
Updating init script...
Enabling large install tweaks...
Fixing config file permissions...
Fixing htpasswd permissions...
Checking group memberships...
Installing new XI templates...
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php.ini on line 432 in Unknown on line 0
URL: http://localhost/nagiosql/index.php
CMDLINE
/usr/bin/wget --save-cookies nagiosql.cookies --keep-session-cookies http://localhost/nagiosql/index.php --no-check-certificate --post-data 'Submit=Login&tfUsername=nagiosxi&tfPassword=n@gweb' -O nagiosql.login--2014-02-19 19:37:08-- http://localhost/nagiosql/index.php
Resolving localhost... ::1, 127.0.0.1
Connecting to localhost|::1|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://localhost/nagiosql/index.php [following]
--2014-02-19 19:37:08-- https://localhost/nagiosql/index.php
Connecting to localhost|::1|:443... connected.
WARNING: cannot verify localhost’s certificate, issued by “/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]”:
Self-signed certificate encountered.
WARNING: certificate common name “localhost.localdomain” doesn’t match requested host name “localhost”.
HTTP request sent, awaiting response... 200 OK
Length: 5259 (5.1K) [text/html]
Saving to: “nagiosql.login”

100%[===========================================================================>] 5,259 --.-K/s in 0s

2014-02-19 19:37:08 (173 MB/s) - “nagiosql.login” saved [5259/5259]

NAGIOSQL LOGIN FAILED!

Edit: I rolled back the SSL changes in /etc/httpd/conf/https.conf and the upgrade worked. I suspect I haven't made the following changes in the right file/place....

Code: Select all

[root@nagiosxidev-00-ah conf.d]# more https.conf
#RewriteEngine On
#RewriteCond %{HTTPS} off
#RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

#<VirtualHost *.443>
# SSL Engine on
# SSL Protocol all-SSLv2
# SSL CipherSuite DHE-RSA-AES256-SHA:ALL:!ADH:!EXPPORT:!SSLv2:!RC2:!CAMELLIA256:!3DES:!DES-CB3-SHA:!RC4:+HIGH:!
MEDIUM:!LOW
# SSL CertificateFile /etc/pki/tls/certs/ca.cert
# SSL CertificateKeyFile /etc/pki/tls/private.ca.key
# <DIRECTORY "/usr/local/nagiosxi/html">
# AllowOverride All
# </DIRECTORY>
#</VirtualHost>

Edit: Okay... sorry for the trouble. Obviously, I've done something wrong (probably stupid). I've reset the mysql database password back to default and supposedly rolled back all of the changes I mean from the presentation link. Within the <url>/nagiosxi, when I click on hosts or services, I get an endless spinning icon, however I can see all the hosts/services in the CCM and in the <url>/nagios, so I suspect that there is some database password for XI that is still not in sync. I will continue to debug this. Can you point me in the right direction? If I resolve it before you read this, I will update the ticket, so you don't spend time on something I've already resolved. Thanks!

Edit: As far as the spinning wheel and no hosts showing up under nagios XI, I found the problem in a mod_security module/setting. I"ll reapply carefully and see if I can avoid this mistake next time. Thanks!

Mod Note - Merged your six posts, please do not double post as that will bump you lower on our "to be replied to" list, it also severely increases page clutter, don't forget to code wrap your code! Warning 1.

[slansing]

Excellent, just a heads up, every time you post a reply after one you sent previously, you drop the time your thread has gone not responded to down to 0 in our system. To assure we get to you as fast as possible please do not double, triple, quadruple, post, instead, I recommend you edit your previous post as long as we have not replied. Thanks!

[kendallchenoweth]

Thanks for your help so far. My questions will be very specific and relate to the security slide show you referred me to

1a) Please confirm that in slide 11, you wanted me to update only ssl.conf with the directory directive for /usr/local/nagiosxi/html. ssl.conf is the only file to contain a virtualhost entry.
1b) The slide show shows a SSLCypherSuite argument different than that in the existing ssl file. Should I replace the entry in the file with the one from the slide show or keep the existing entry?

2) When I install modsecurity extensions (from slide 12, "yum install mod_security_crs-extras mod_security mod_security_crs" along with the exclusions file, I now get a spinning wheel whenever trying to access host or service listings from the Nagios XI web page. Everything shows up in the nagios link. Just installing these files (and restarting nagiosxi/httpd) causes this problem. Can you explain what I'm doing wrong?

Code: Select all

yum install mod_security_crs-extras mod_security mod_security_crs
 wget
cd /var/tmp http://assets.nagios.com/downloads/nagiosxi/misc/mod_security_excluded_rules.conf
cp mod_security_excluded_rules.conf /etc/httpd/conf.d/

3) automysqlbackup produces a warning. The same error occurs using the default mysql root password as when using a changed mysql root password. Should I be concerned about it?

Code: Select all

###### WARNING ######
Errors reported during AutoMySQLBackup execution.. Backup failed
Error log below..
-- Warning: Skipping the data of table mysql.event. Specify the --events option explicitly.

4) If i make changes to scripts in /usr/local/nagiosxi/scripts (e.g. the mysqlpass variable), does this get overridden if I perform a software upgrade? If so, I can make a note for any upgrade to also modify these files.

5) on slide 16 you refer to a file that doesn't exist. It's parent directory /usr/local/navgis also doesn't exist. Is this for a feature not installed by default?

Code: Select all

[root@nagiosxidev-00-ah local]# find / -name navgis.ini.php -ls

6) Somewhere I've missed a database update and it seems to apply only to the page https://nagiosxidev-00-ah/nagiosxi//con ... oscorecfg/, the legacy CCM. Can you tell me which file controls the database access for this? https://nagiosxidev-00-ah/nagiosxi/ and https://nagiosxidev-00-ah/nagios/ do work properly.

7) On a completely different note, we would like to use tungston for mysql database replication which means we'll need the ability to update a nagios instance WITHOUT the mysql database changes on the secondary nagios server? Is this possible?

I'm going to de-install the mod_security stuff for now so I can continue and re-install when I get an update from you when I find out what I'm doing wrong. Thanks!

-Kendall Chenoweth

[sreinhardt]

1) Nope, you would actually want to modify each file relating to nagios configs, so that they all properly use ssl. b) You can or you can leave it be, the arguments I use are the current best ciphers that all browsers and remote agents support, however either way is perfectly fine.

2) You need to be sure to follow the directions to get my exclusion rules and put them in place as well. Out of the box, mod_security blocks a ton of XI functionality. Also note the troubleshooting steps that can help you view any rules that are being activated, it is entirely possible that recent updates to XI could require me to visit the exclusion rules I have created.(all on slide 12)

3) This is something that we will want to correct, it is not an absolute immediate concern as it should not effect anything other than backups, but yes it should be fixed. I will need to do some testing to replicate it though.

4) In current releases of the scripts directory it actually uses /usr/local/nagiosxi/html/config.inc.php to capture all needed passwords, and that file is NEVER overwritten unless you mistakenly do a full install instead of upgrade.

5) This should be installed by defualt on any nagios xi system. If you wish to reinstall\install it, you can download and extract the xi tarball and:

Code: Select all

cd /tmp/nagiosxi/subcomponents/nagvis/nagvis-1.4.4/
./install.sh

Oh and thanks for the kudos, glad you like the presentation!

[kendallchenoweth]

Thanks for your reply. I feel like I'm on the right track and almost there.


1) Somewhere I've missed a database update and it seems to apply only to the page https://nagiosxidev-00-ah/nagiosxi//con ... oscorecfg/, the legacy CCM. Can you tell me which file controls the database access for this? https://nagiosxidev-00-ah/nagiosxi/ and https://nagiosxidev-00-ah/nagios/ do work properly.

2) On a completely different note, we would like to use tungston for mysql database replication which means we'll need the ability to update a nagios instance WITHOUT the mysql database changes on the secondary nagios server? Is this possible?

-Kendall Chenoweth

[slansing]

1) Somewhere I've missed a database update and it seems to apply only to the page https://nagiosxidev-00-ah/nagiosxi//con ... oscorecfg/, the legacy CCM. Can you tell me which file controls the database access for this? https://nagiosxidev-00-ah/nagiosxi/ and https://nagiosxidev-00-ah/nagios/ do work properly.

Not quite sure what you are trying to look for, adding nagiosxi to the address of your XI server will place you on the login page, or the home page if you are still in your current session, placing nagios at the end will bring you to the core login page, or home page. The CCM is a component of Nagios XI which must be accessed when you are within Nagios XI already.

[kendallchenoweth]

It looks like my link that didn't work got mussed up on copy/paste.

The following links works

https://nagiosxidev-00-ah/nagiosxi/
https://nagiosxidev-00-ah/nagiosxi/config/
https://nagiosxidev-00-ah/nagiosxi/incl ... -index.php

The following link for the legacy CCM does not work. Honestly, I'm not sure what I should get (even if I need this link.)

https://nagiosxidev-00-ah/nagiosxi//con ... oscorecfg/ (Clicking on legacy CCM on https://nagiosxidev-00-ah/nagiosxi/config/ (Under Advanced Configuration)

Other pending questions

2) On a completely different note, we would like to use tungston for mysql database replication which means we'll need the ability to update a nagios instance WITHOUT the mysql database changes on the secondary nagios server? Is this possible?

3-NEW) It looks like the link for the aide.conf on assetts.nagios.com is also bad. If you have a new link for the Nagios XI customized file, then great. Otherwise don't worry about it.

AND with this, I've worked through the entire presentation and won't have any more questions/comments on it once these are resolved. Thanks!!

-Kendall Chenoweth

[sreinhardt]

Legacy ccm might have some items catching via mod_security, especially with the double //. I wouldn't worry about it, we are actually deprecating that functionality very shortly.

I am not aware of how to use or what tungston is, short of the metal alloy. You likely could backup the configs, rrds, and plugins and replicate them over to another system if thats what you mean, but otherwise we would need more details on what you are looking to do.

Bummer, I just checked, and it seems someone removed aide.conf. I will add it back shortly.