NRPE hardening and Parameter passing
Posted: Fri Jun 12, 2015 12:51 pm
We're currently using the Nagios XI product in a proof of principle mode. I need to defend our design choices on Tuesday.
We're running the Nagios XI server in HTTPS mode, with TCP wrappers, firewalls and SSL-ADH encryption for the NRPE client.
Went through the FAQs and reviewed the documents that came with the product; have some questions.
==
I found running the NRPE client with no parameter passing made the Nagios XI product not really useful. Is that a correct interpretation? I don't see how parameterless NRPE can be used effectively.
I have to enable dont_blame_nrpe=1. Any guidance on how to more securely implement the NRPE client?
Any methods to further harden the NRPE client? Has anyone implemented randomly restarting the NRPE daemon to pick up a new seed to further harden SSL-ADH encryption?
The CVE-2014-2913 covers this exploit. It's disputed. Would you have any info on why it's disputed?
Command injection via the NRPE client
http://seclists.org/fulldisclosure/2014/Apr/240
And thanks much for your thoughts.