Re: [Nagios-devel] NRPE Arguments some thoughts and how to disable
Posted: Thu Sep 17, 2009 7:53 am
On 17 Sep 2009, at 09:26, Jelle Smet wrote:
> I think key in each monitoring system is that you need to be able to
> define your thresholds on the level of your monitoring system
> itself, and not on the clients.
>
> (Whether monitoring results are evaluated by the monitoring system
> or by the monitoring client, that's another story.)
>
> In other words we're using the "dont_blame_nrpe" parameter on all my
> clients, which offers for us a very powerful and flexible setup.
> I (personally) think the minimum you can expect of a monitoring
> system is that you don't need to be on the client side to define
> thresholds.
>
I agree - this is the best way of having a centralised configuration
system.
> Anyhow, ... I came to a point where I need to send over regular
> expressions over nrpe to the remote client, which fails of course
> because of the hard coded "illegal metacharacters"
>
> Now my request:
> * It would be nice, if these characters could be defined in the
> config file, giving a user control.
> * How can I change the code so these metachars are ignored?
>
We apply this patch to NRPE: https://secure.opsera.com/wsvn/wsvn/ops ... asty.patch

This is available in the Opsview (our product based on Nagios - http://opsview.org) Agent,
which is available for download at downloads.opsview.org.

You could make the parameter an nrpe.cfg option - that would make
sense. Patches welcome! (Though I don't have commit access to NRPE).
> Isn't there a security design which allows such functionality while
> it being secure?
>
I think shell meta-characters should be ignored, certainly by default.
If you allowed them, I think it would be impossible to evaluate
whether it was invoking other code or not through the shell.

For example, /`\/bin\/file`/ may look like a regexp searching for a
quoted instance of /bin/file, but it would probably get invoked by the
shell and actually run /bin/file (because of the backticks). I think
you are asking for trouble if you allow these characters through.

Alternatively, you could write a wrapper plugin which does contain the
regexp you want, with the knowledge that funny quoting should no
longer apply.
Ton
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
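
Added example, not part of the original post and not NRPE's own code: a C sketch of the check discussed in this thread, where arguments are screened against a reject set before being substituted into a command line that a shell will run. The reject set is passed in as a parameter, as the configurable option suggested above would allow. The names `DEFAULT_NASTY`, `first_nasty_char`, `build_command` and the plugin `check_example` are hypothetical, and the default character set is an assumption modelled on NRPE's hard-coded list.

```c
#include <stdio.h>
#include <string.h>

/* Assumed reject set, modelled on NRPE's hard-coded list (not copied from its source). */
#define DEFAULT_NASTY "|`&><'\"\\[]{};"

/* Return the first rejected character found in arg, or 0 if arg is clean. */
char first_nasty_char(const char *arg, const char *nasty) {
    const char *hit = strpbrk(arg, nasty);
    return hit ? *hit : 0;
}

/* Expand $ARG1$..$ARG9$ in tmpl into out. Every argument is checked against
 * `nasty` first, because the expanded line is later handed to a shell.
 * Returns 0 on success, -1 on a rejected argument, missing argument or overflow. */
int build_command(const char *tmpl, const char *const *args, int nargs,
                  const char *nasty, char *out, size_t outlen) {
    size_t used = 0;
    if (outlen == 0) return -1;
    for (int i = 0; i < nargs; i++)
        if (first_nasty_char(args[i], nasty)) return -1;
    while (*tmpl) {
        const char *piece = tmpl;
        size_t len = 1;
        if (strncmp(tmpl, "$ARG", 4) == 0 && tmpl[4] >= '1' && tmpl[4] <= '9' && tmpl[5] == '$') {
            int idx = tmpl[4] - '1';
            if (idx >= nargs) return -1;
            piece = args[idx];
            len = strlen(piece);
            tmpl += 6;
        } else {
            tmpl += 1;
        }
        if (used + len + 1 > outlen) return -1;
        memcpy(out + used, piece, len);
        used += len;
    }
    out[used] = '\0';
    return 0;
}

int main(void) {
    /* Constructed sample arguments: two thresholds, then the regexp from the post. */
    const char *thresholds[] = {"80", "90"};
    const char *regexp[] = {"/`\\/bin\\/file`/"};
    char cmd[128];
    if (build_command("check_disk -w $ARG1$ -c $ARG2$", thresholds, 2, DEFAULT_NASTY, cmd, sizeof cmd) == 0)
        printf("accepted: %s\n", cmd);
    if (build_command("check_example -r $ARG1$", regexp, 1, DEFAULT_NASTY, cmd, sizeof cmd) != 0)
        printf("rejected: contains '%c'\n", first_nasty_char(regexp[0], DEFAULT_NASTY));
    return 0;
}
```

A relaxed reject set that drops `[` and `]` lets a character-class regexp through, but those characters are still glob syntax to the shell, so the expanded line is only as safe as the narrowest set the administrator configures.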