Create command not working
Posted: Thu Feb 06, 2014 2:20 pm
by Bionic___
I have created a script that checks for password expiration on the Nagios XI server. It works like a charm from the command line:
Code:
/usr/local/nagios/libexec/check_password_expire.sh root
OK: User root has time available. 83 days remaining. RC=0 Password validity period for root is 90 days.
I created a command in the Nagios XI command wizard named check_password_expire_local
Code:
$USER1$/check_password_expire.sh $ARG1$
as a check command.
I created a service that passes $ARG1$ with the user id I am looking for (root in the example above).
All changes applied.
When I test the service I get no response at all; just blanks.
I do not see what I am doing wrong. Any help is appreciated.
Re: Create command not working
Posted: Thu Feb 06, 2014 2:23 pm
by abrist
Can you post the script here? I would like to test it locally.
Re: Create command not working
Posted: Thu Feb 06, 2014 2:24 pm
by slansing
Can you also provide the output of:
Code:
ls -la /usr/local/nagios/libexec/check_password_expire.sh
Re: Create command not working
Posted: Thu Feb 06, 2014 2:42 pm
by Bionic___
Script for check_password_expire.sh
Code:
#!/bin/bash
# check_password_expire.sh
# This script is used with NRPE to report password status for the passed userID and sets
# password expiration warning and critical alert periods.
# Adapted from a script from
# www.chesterproductions.net.nz/blogs/it/code/finding-expiring-or-soon-to-expire-accounts-in-linux/582/
# Change Log ====================================================
# 2014-01-30 Wayne Talbot Initial programming
user_name="$1"
if [[ $user_name == "" ]] ; then
echo "No user name provided for review"
# log to stderr rather than to a fixed file name in /tmp, which is unsafe when the script runs as root
echo "No user name provided." >&2
exit 3
fi
# default key file locations
_l="/etc/login.defs"
_p="/etc/passwd"
# get mini UID limit
l=$(grep "^UID_MIN" $_l)
# get max UID limit
l1=$(grep "^UID_MAX" $_l)
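# Message file: created with mktemp, because a fixed name in /tmp can be pre-created or symlinked
# by another local user and this script may run as root
MSG=$(mktemp /tmp/pwstate.XXXXXX) || exit 3
trap 'rm -f "$MSG"' EXIT
echo "" > "$MSG"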
# Configure return codes for alert levels (standard Nagios plugin exit codes)
# RC=0 = OK: Everything is fine.
# RC=1 = WARNING: Something is wrong but not yet fatal.
# RC=2 = CRITICAL: Something has failed or is failing and requires immediate attention.
# RC=3 = UNKNOWN: The script has returned an unknown state or did not complete before timeout.
RC=0
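## get the user password configuration
# look up the /etc/shadow entry by exact match on the first field; a plain grep for the name
# would also select other accounts whose entry contains it
# day of the last password change, in days since Jan 1, 1970
last_password_change=$(awk -F: -v u="$user_name" '$1 == u { print $3 }' /etc/shadow)
# number of days a password is valid before the user is forced to change it
validity_period=$(awk -F: -v u="$user_name" '$1 == u { print $5 }' /etc/shadow)
# number of days before expiry that the user is warned the password must be changed
warning_period=$(awk -F: -v u="$user_name" '$1 == u { print $6 }' /etc/shadow)
# no shadow entry or no last-change date: report UNKNOWN instead of failing in the arithmetic below
if [[ -z $last_password_change ]] ; then
echo "UNKNOWN: No password aging data found for user $user_name."
exit 3
fi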
# get the current day in days since Jan 1, 1970
current_day=`perl -e 'print int(time/(60*60*24))'`
# compute the age of the user's password
password_age=`echo $current_day - $last_password_change + 1 | bc`
# calculate the number of days until the password expires
days_until_expired=`echo $validity_period - $password_age | bc`
# warn if the number of days to go in the validity period is less than the warning period
if [ $days_until_expired -lt 8 ] ; then
RC=1
echo -n "WARNING: User $user_name is in the password grace period and must change their password. " > $MSG
fi
# alert if the password has expired
if [ $days_until_expired -lt 1 ] ; then
RC=2
echo -n "CRITICAL: User $user_name password has expired! CHANGE PASSWORD NOW! RC=$RC " > $MSG
echo -n "Password expired for $user_name $days_until_expired days ago. " >> $MSG
fi
# check to see if the user's password does not expire
# (user name quoted and placed after -- so it is always treated as a single operand)
if [ "$(chage -l -- "$user_name" | grep "Password expires" | grep -c "never")" -eq 1 ] ; then
RC=2
echo -n "CRITICAL: Password never expires for $user_name. RC=$RC " > $MSG
fi
# no error conditions detected so everything is ok
if [ $RC -eq 0 ] ; then
echo -n "OK: User $user_name has time available. $days_until_expired days remaining. RC=$RC " > $MSG
fi
echo "Password validity period for $user_name is $validity_period days." >> $MSG
# return text to calling program
cat $MSG
# clean message and user name
echo "" > $MSG
user_name=""
## set up return codes
# everything is ok
if [ $RC -eq 0 ] ; then
exit 0
fi
# WARNING not so ok
if [ $RC -eq 1 ] ; then
exit 1
fi
# CRITICAL fix it now
if [ $RC -eq 2 ] ; then
exit 2
fi
# UNKNOWN (it should never be in this state)
exit 3
Code:
ls -la /usr/local/nagios/libexec/check_password_expire.sh
-rwxr-xr-x 1 root root 3475 Feb 6 12:26 /usr/local/nagios/libexec/check_password_expire.sh
Re: Create command not working
Posted: Thu Feb 06, 2014 3:42 pm
by lmiltchev
Most probably this is a permissions issue. Can you run the command as nagios user?
Code:
su -l nagios -c '/usr/local/nagios/libexec/check_password_expire.sh'
Re: Create command not working
Posted: Thu Feb 06, 2014 3:45 pm
by BanditBBS
1.) What user were you when you tried it from CLI?
2.) If you "sudo su nagios" and try to run as the nagios user, does it work? If not, you may need to change the script to sudo and give the nagios user sudo no password rights to the command used.
Or what lmiltchev just said as I typed my reply

Re: Create command not working
Posted: Thu Feb 06, 2014 5:41 pm
by lmiltchev
This is probably not the best way to do it, but here's a "workaround".
1. I added the following lines to the sudoers file:
Code:
Defaults:nagios !requiretty
nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_password_expire.sh
2. I set up my command:
Code:
define command {
command_name check_password_expire
command_line sudo /usr/local/nagios/libexec/check_password_expire.sh $ARG1$
}
3. I set up my service definition:
Code:
define service {
host_name localhost
service_description Check Password Expire
check_command check_password_expire!nagios!!!!!!!
...
register 1
}
4. In the CLI, I get:
Code:
[root@testbox libexec]# su -l nagios -c 'sudo /usr/local/nagios/libexec/check_password_expire.sh nagios'
CRITICAL: Password never expires for nagios. RC=2 Password validity period for nagios is 99999 days.
5. It works in the GUI as well.
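With the sudo workaround above, the check runs as root and $ARG1$ reaches it as a command-line argument, so the user-name handling and the shadow lookup are worth making strict. The sketch below is an added example, not code from any poster in this thread: it validates the name, matches the first shadow field exactly, and maps the result to Nagios states using the posted script's thresholds. The function names and the sample shadow lines are constructed for illustration.

```sh
#!/bin/sh
# Added example; SAMPLE holds constructed shadow-format lines, not real data.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:!:16101:0:90:7:::
root2:!:16000:0:30:7:::
webroot:!:16100:0:99999:7:::
svc:!:16100::::::
EOF

# Accept only conservative account names: reject empty names, a leading "-",
# and any character outside [A-Za-z0-9_.-] (regex and shell metacharacters).
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# days_left FILE USER TODAY -> prints remaining days, "never", or "unknown".
# TODAY is in days since 1970-01-01, the same unit as shadow field 3.
days_left() {
    if ! valid_user "$2"; then echo "unknown"; return 0; fi
    # $1 == u compares the whole first field as a string, so "root"
    # selects neither "root2" nor "webroot".
    entry=$(awk -F: -v u="$2" '$1 == u { print $3 ":" $5; exit }' "$1")
    last=${entry%%:*}
    max=${entry#*:}
    case "$last$max" in *[!0-9]*) echo "unknown"; return 0 ;; esac
    if [ -z "$entry" ] || [ -z "$last" ]; then echo "unknown"; return 0; fi
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo "never"; return 0; fi
    # Same arithmetic as the posted script: age = today - last + 1.
    echo $(( $max - ($3 - $last + 1) ))
}

# nagios_state FILE USER TODAY -> prints 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN
# (posted thresholds: <8 days warns, <1 day or a never-expiring password is critical).
nagios_state() {
    d=$(days_left "$1" "$2" "$3")
    case "$d" in
        unknown) echo 3 ;;
        never)   echo 2 ;;
        *) if [ "$d" -lt 1 ]; then echo 2
           elif [ "$d" -lt 8 ]; then echo 1
           else echo 0; fi ;;
    esac
}
```

A real plugin would read /etc/shadow in place of SAMPLE and pass the printed state to exit.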
Re: Create command not working
Posted: Fri Feb 07, 2014 9:18 am
by Bionic___
YES it worked. Not hard to implement.
Thanks for all your help.
I will be submitting the script to the exchange after a couple of tweaks and obtaining permission for the bits of code I borrowed.
Re: Create command not working
Posted: Fri Feb 07, 2014 12:43 pm
by tmcdonald
Bionic___ wrote: YES it worked. Not hard to implement.
Thanks for all your help.
I will be submitting the script to the exchange after a couple of tweaks and obtaining permission for the bits of code I borrowed.
Well hey, thanks for the contribution! Always appreciate getting new code. Gonna lock this up now, feel free to open a new thread if you need help with anything else.