Linux-Server Error

[tonyyarusso]

Clarification: check_init_service will exist on the target host, not the XI server, and is installed by the steps of the Installing The XI Linux Agent instructions.

[jcmanous]

It's been a couple of months and I'm just getting back around to this. Even with the sudo'er modification, I'm still getting the same error. Has anyone found a workaround for this?

Thanks!

Jason Manous

[rdedon]

Could you run setroubleshootd and see what results you get? I happened to stumble across this:
http://danwalsh.livejournal.com/7995.html

[anritter6281]

I am getting this error as well. It would appear to happen on CentOS 5.5 systems, but not RHEL v4 (and possibly v5) systems. I installed the agent per the documentation.

I ran the check_init_service on the remote server and the command runs fine. The checked /var/run/syslogd.pid and the pid matches the running pids as well as the pids detected by the check_init_service plugin.

I am not running selinux.

I would like to get this fixed, so let me know what other steps you would like me to take.

[anritter6281]

When I run the check_init_service as user nagios on the remote system, I get the following output:

[root@remote-server libexec]# su - nagios
[nagios@remote-server ~]$ cd /usr/local/nagios/libexec/
[nagios@remote-server libexec]$ ./check_init_service syslog
/etc/init.d/functions: line 141: /var/run/syslogd.pid: Permission denied
syslogd dead but pid file exists
/etc/init.d/functions: line 141: /var/run/klogd.pid: Permission denied
klogd dead but pid file exists
[nagios@remote-server libexec]$

So this appears to be a permission issue where the nagios user can't read files in the /var/run directory. The permissions for the directory are ok, but the syslogd.pid file are not.

What is the suggested way to fix this? I thought that check commands were run via sudo by the agent.

[mguthrie]

We'll have to do some investigating on this and see if we can recreate it. We'll let you know what we find out.

[tonyyarusso]

Oh, in addition to my sudoers file edit, you need to preface the check command with 'sudo' when you actually run it. As in, 'sudo /usr/local/nagios/libexec/check_init_service blahblaharguments'. This includes the command definition in the NRPE config on the target server once you've tested directly.

[anritter6281]

I get an "NRPE: unable to read output" error in the NagiosXI web interface for the service. This error occurs when I preface the check_init_service command in /usr/local/nagios/etc/nrpe/common.cfg with either sudo or /usr/bin/sudo, was that the correct place to edit it?

I "su - nagios" on the remote server and ran the service command prefaced with sudo and did not get the permissions error. So prefacing with sudo would do the trick, but I think my sudoers file is not right. My sudoers file has:

# NEEDED TO ALLOW NAGIOS TO CHECK SERVICE STATUS
nagios ALL=NOPASSWD: /sbin/service
nagios ALL=(ALL) NOPASSWD:/usr/local/nagios/libexec/check_init_service

Is this correct, am I editing things correctly relative to you post?

[anritter6281]

I also tried uncommenting the sudo related line in nrpe.cfg, but now I get the same error about unable to read output.

[anritter6281]

I figured it out.

I had to do the following:

In nrpe.cfg on remote server:
--uncomment the line: command_prefix=/usr/bin/sudo

In sudoers file:
add: nagios ALL=(ALL) NOPASSWD:/usr/local/nagios/libexec/
change: Defaults requiretty to: Defaults !requiretty

The primary problem is that Centos was not allowing nagios/nrpe user to sudo run a command as root because it was not connecting to a tty (the default requiretty statement causes this issue.)

The above changes make the command work, although the "defaults !requiretty" may be all that is needed, but I didn't test that. Overall this can create a security problem on the remote server if stuff is editable in /use/local/nagios/libexec by a malicious user.