Re: [Nagios-devel] nrpe and nrpe_nt development
Posted: Thu Dec 18, 2003 1:51 pm
A nice balancing act is what is needed 
my 2 cents.
I like the configure time option of including blowfish even at the risk of
additional conifguration requirements. Since check_nrpe is only available
thru the NRPE distribution, blowfish doesn't add an extra requirement for
the general plugin dist.
I like being able to send ARGx to the remote plugins via NRPE.
Lastly - if nrpe_nt is to flourish, we need a repository for the Windows
specific plugins. My feeling is that this should be both a binary and a
source repository as not all windows system will have the requisite
toolset.
-sg
On Thu, 18 Dec 2003, Stephen Strudwick wrote:
>
> > This also goes back to whether you are allowing check_nrpe to execute argument$
> > For security we don't we only allow defined checks to run with no arguments and
> > most agree that is the safer option. If there is a feeling that the server
> > should be authenticated by the clients using a cert then that is something I
> > can work on putting in place without much heartache and we would just need to
> > automate the creation of self signed certs in the make process to simplify the
> > procedure.
>
> When we have run netsaint in the past with nrpep we had command line
> arguements, but I planned to stop doing this with nagios mainly because I
> thought it wes unecessary complication as well as a security risk.
>
> We do need more security than the basic IP checks here at pipex because we
> cant be sure our servers will have tcp wrappers on them (mainly NT is the
> problem here) or be behind a firewall.
>
> we have to be as sure as we can (to the poiht of maybe being too zealous)
> that the servers are not compromised in any way.
>
> > If there is a feeling that the server
> > should be authenticated by the clients using a cert then that is something I
> > can work on putting in place without much heartache and we would just need to
> > automate the creation of self signed certs in the make process to simplify the
> > procedure.
>
> something like this would be really good, if you point me in the right
> direction im willing to code something over xmas, because im working to a
> early jan deadline
>
> I really want to make sure whatever is done is accepted into the code base
> so that our operations people can always download the latest version from
> the site and not use a hacked about version that instantly becomes
> static in development.
>
> -
> Stephen Strudwick
> Advanced Development Engineer
> Development Group, Product Development
> PIPEX Communications
> http://www.pipexcommunications.net/
>
> Mobile: 07906 191256
> Direct: 020 8957 1217
>
> On Thu, 18 Dec 2003, local.coder wrote:
>
> >
> > Stephen,
> >
> > When coding in the encyrption the idea was to secure the data between the nagios
> > server and the remote client. The use of passwords and other options were
> > specifically removed to keep out problems with plaintext password management
> > and other fun. This is meant as a data protection scheme only and not an
> > authentication scheme. The IP Address restriction for us is enough to limit
> > remote hosts. With some minor changes the openssl part could be setup to use
> > pre-shared certs but when talking with others that went to a level of
> > complexity that seemed overwhelming for large server bases and updates. I
> > originally was working with the blowfish encryption but at Ethan's and plugin
> > people's request moved to openssl since it is already included in other plugins
> > as a requirement and there was a concern to keep external requirements to a
> > minimum if possible.
> >
> > This also goes back to whether you are allowing check_nrpe to execute arguments.
> > For security we don't we only allow defined checks to run with no arguments and
> > most agree that is the safer option. If there is a feeling that the server
> > should be authenticated by the clients using a cert then that is something I
> > can work on putting in place without much heartache and we would just need to
> > automate the creation of self signed certs in the make process to si
...[email truncated]...
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
my 2 cents.
I like the configure time option of including blowfish even at the risk of
additional conifguration requirements. Since check_nrpe is only available
thru the NRPE distribution, blowfish doesn't add an extra requirement for
the general plugin dist.
I like being able to send ARGx to the remote plugins via NRPE.
Lastly - if nrpe_nt is to flourish, we need a repository for the Windows
specific plugins. My feeling is that this should be both a binary and a
source repository as not all windows system will have the requisite
toolset.
-sg
On Thu, 18 Dec 2003, Stephen Strudwick wrote:
>
> > This also goes back to whether you are allowing check_nrpe to execute argument$
> > For security we don't we only allow defined checks to run with no arguments and
> > most agree that is the safer option. If there is a feeling that the server
> > should be authenticated by the clients using a cert then that is something I
> > can work on putting in place without much heartache and we would just need to
> > automate the creation of self signed certs in the make process to simplify the
> > procedure.
>
> When we have run netsaint in the past with nrpep we had command line
> arguements, but I planned to stop doing this with nagios mainly because I
> thought it wes unecessary complication as well as a security risk.
>
> We do need more security than the basic IP checks here at pipex because we
> cant be sure our servers will have tcp wrappers on them (mainly NT is the
> problem here) or be behind a firewall.
>
> we have to be as sure as we can (to the poiht of maybe being too zealous)
> that the servers are not compromised in any way.
>
> > If there is a feeling that the server
> > should be authenticated by the clients using a cert then that is something I
> > can work on putting in place without much heartache and we would just need to
> > automate the creation of self signed certs in the make process to simplify the
> > procedure.
>
> something like this would be really good, if you point me in the right
> direction im willing to code something over xmas, because im working to a
> early jan deadline
>
> I really want to make sure whatever is done is accepted into the code base
> so that our operations people can always download the latest version from
> the site and not use a hacked about version that instantly becomes
> static in development.
>
> -
> Stephen Strudwick
> Advanced Development Engineer
> Development Group, Product Development
> PIPEX Communications
> http://www.pipexcommunications.net/
>
> Mobile: 07906 191256
> Direct: 020 8957 1217
>
> On Thu, 18 Dec 2003, local.coder wrote:
>
> >
> > Stephen,
> >
> > When coding in the encyrption the idea was to secure the data between the nagios
> > server and the remote client. The use of passwords and other options were
> > specifically removed to keep out problems with plaintext password management
> > and other fun. This is meant as a data protection scheme only and not an
> > authentication scheme. The IP Address restriction for us is enough to limit
> > remote hosts. With some minor changes the openssl part could be setup to use
> > pre-shared certs but when talking with others that went to a level of
> > complexity that seemed overwhelming for large server bases and updates. I
> > originally was working with the blowfish encryption but at Ethan's and plugin
> > people's request moved to openssl since it is already included in other plugins
> > as a requirement and there was a concern to keep external requirements to a
> > minimum if possible.
> >
> > This also goes back to whether you are allowing check_nrpe to execute arguments.
> > For security we don't we only allow defined checks to run with no arguments and
> > most agree that is the safer option. If there is a feeling that the server
> > should be authenticated by the clients using a cert then that is something I
> > can work on putting in place without much heartache and we would just need to
> > automate the creation of self signed certs in the make process to si
...[email truncated]...
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]