NRPE Configuration Question
Posted: Wed Aug 07, 2013 10:21 am
by BanditBBS
I started another thread asking some questions about NRDS, but I'd really prefer to continue using NRPE and have active checks instead of passive. The major issue isn't getting the scripts copied up to the servers, the issue is having to update nrpe.cfg and restart NRPE when adding a completely new command.
My question is, is there a way to add new command definitions without having to restart NRPE?
- I see in the config file an "include" variable that will include definitions from an external file. If I use that and modify the definitions in the included file, does NRPE need restarted?
- The other option I thought of was adding a command definition of "command[check_whatever]=/usr/opt/nagios/libexec/$ARG1$ $ARG2$ $ARG3$" I think that would work, but I'd prefer the include option if it works as I hope.
Thanks again!
Re: NRPE Configuration Question
Posted: Wed Aug 07, 2013 10:36 am
by abrist
BanditBBS wrote: If I use that and modify the definitions in the included file, does NRPE need restarted?
I am just full of bad news today. NRPE reads the configs on startup of the service, these are retained in memory as the service is running. During startup, it will follow the include tree defined in the nrpe.cfg, but only during startup. This is why it requires a restart.
BanditBBS wrote: The other option I thought of was adding a command definition of "command[check_whatever]=/usr/opt/nagios/libexec/$ARG1$ $ARG2$ $ARG3$" I think that would work, but I'd prefer the include option if it works as I hope.
This is quite clever, I am interested as to whether this works or not. Though your security team may be less than happy with the implementation as it would widen the potential security problems of nrpe. I would suggest that you make sure that there are no plugins of the "dangerous" sort in libexec before deployment, or maybe create a nested directory in libexec for the additional scripts:
command[check_whatever]=/usr/opt/nagios/libexec/bandits_scripts/$ARG1$ $ARG2$ $ARG3$
Re: NRPE Configuration Question
Posted: Wed Aug 07, 2013 10:54 am
by BanditBBS
I have mentioned my security dept a few times, haven't I?
What they don't know won't hurt them! Actually, locked down by IP and other measures of security should be good. I'll be testing this just as soon as one of the AIX admins gets back and restarts NRPE so I can test.
Jim
Re: NRPE Configuration Question
Posted: Wed Aug 07, 2013 11:11 am
by sreinhardt
Just to add a hopeful note to abrist's depression-inducing line of answers. Starting with core, and potentially moving to agents, this may be something I am going to look at remedying after the conference, depending on how we are handling it in memory. If the structures are similar to objects.cache, and I just need to modify a few additional functions and lists, it should be done relatively shortly.
Re: NRPE Configuration Question
Posted: Wed Aug 07, 2013 11:17 am
by abrist
BanditBBS wrote: I have mentioned my security dept a few times, haven't I?
We have the memories of elephants up here in MN.
BanditBBS wrote: I'll be testing this just as soon as one of the AIX admins gets back and restarts NRPE so I can test.
How many admins does it take to restart a benign service?
Only one, because there is only one true admin, but he works in mysterious ways. Have you prostrated recently? 
Re: NRPE Configuration Question
Posted: Wed Aug 07, 2013 1:15 pm
by BanditBBS
That command definition works! I will no longer need to restart NRPE after one final update to the config file. The other security on this is, a 'hacker' would have to know the command definition name to even execute it, so I could call it check_jhsgjhfgfghasdfhgadf. Good luck guessing that.
That's if you can get past the allowed_from directive also.
Jim/Bandit
Re: NRPE Configuration Question
Posted: Wed Aug 07, 2013 1:51 pm
by abrist
I started a doc concerning advanced nrpe tips a while back - this one is definitely getting added before it hits the nagios library.
BanditBBS wrote: The other security on this is, a 'hacker' would have to know the command definition name to even execute it, so I could call it check_jhsgjhfgfghasdfhgadf. Good luck guessing that.
That's if you can get past the allowed_from directive also.
Even if they knew the command, compromised your network, and mitm'ed the connection, they would still have the ssl issue to get around. You do use ssl, right?
One other security hole I thought about - could you pass relative paths through it? For example:
command[check_whatever]=/usr/opt/nagios/libexec/$ARG1$ $ARG2$ $ARG3$
$ARG1$ = "../../../../bin/bash"
$ARG2$ = "<nasty shell code here>"
I would assume you could pass relative paths like the command above. The best way to implement this may be to pass the command to a wrapper script that can attempt to do some sanity checking/scrubbing of the input before passing it to the shell. But then again, that would be pita, and would nearly reproduce what nrpe already does. If you trust your network, it is probably not a big deal, though it would be an abdication of my responsibility to at least not mention it.
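The wrapper idea from the post above, as an added example that is not part of the original thread or of NRPE: a POSIX shell script that accepts only a bare plugin name inside one directory plus allow-listed arguments. The file name run_plugin.sh, the nrpe.cfg line in the comment and the permitted character sets are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical wrapper saved as libexec/run_plugin.sh. Assumed nrpe.cfg line:
# command[check_whatever]=/usr/opt/nagios/libexec/run_plugin.sh $ARG1$ $ARG2$ $ARG3$
LC_ALL=C; export LC_ALL   # make the A-Z/a-z ranges below byte-exact

# Only files directly inside this directory may be run (directory name from the thread).
PLUGIN_DIR="${PLUGIN_DIR:-/usr/opt/nagios/libexec/bandits_scripts}"

# Accept a bare file name only: no '/', no leading '.' or '-', no shell metacharacters.
valid_plugin_name() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Allow-list for plugin arguments; anything else (semicolons, pipes, '$', spaces) is refused.
valid_arg() {
    case "$1" in
        *[!A-Za-z0-9_.,:%/=@+-]*) return 1 ;;
    esac
    return 0
}

# Validate, then run the plugin directly (no eval, no re-parsing by a shell).
# Exit status 3 is the plugin convention for UNKNOWN.
run_plugin() {
    name="$1"
    [ $# -gt 0 ] && shift
    if ! valid_plugin_name "$name"; then
        echo "UNKNOWN: plugin name rejected"; return 3
    fi
    target="$PLUGIN_DIR/$name"
    # A symlink could point outside PLUGIN_DIR, so only regular executables pass.
    if [ -L "$target" ] || [ ! -f "$target" ] || [ ! -x "$target" ]; then
        echo "UNKNOWN: plugin not found"; return 3
    fi
    for arg in "$@"; do
        if ! valid_arg "$arg"; then
            echo "UNKNOWN: argument rejected"; return 3
        fi
    done
    "$target" "$@"
}

# Run only when invoked under the assumed file name, so the functions can be sourced.
case "${0##*/}" in
    run_plugin.sh) run_plugin "$@"; exit $? ;;
esac
```

With this in place the relative path from the example above is refused because the name contains "/" and starts with ".", before anything is executed.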
Re: NRPE Configuration Question
Posted: Wed Aug 07, 2013 1:54 pm
by BanditBBS
I plead the 5th about ssl and I trust my network for the other issues mentioned.
Jim
Re: NRPE Configuration Question
Posted: Wed Aug 07, 2013 2:32 pm
by abrist
And on that note - should we lock this up proper?
Re: NRPE Configuration Question
Posted: Wed Aug 07, 2013 2:40 pm
by BanditBBS
abrist wrote:And on that note - should we lock this up proper?
Yes sir, I'm good with this being locked.