Users disabling notifications or active checks

stryder77
Posts: 7
Joined: Mon Nov 16, 2015 12:33 pm

Users disabling notifications or active checks

Post by stryder77 »

Hey everyone,

I have been using Nagios Core for a long time and I'm sure this question has been asked but I can't seem to find any information on it.

I am on a team of admins that manage several servers. I have certain admins that will go in and disable the checks on servers or even disable notifications when they aren't supposed to. I am curious if anyone has found a way to set the cgi.cfg so that only certain admins can disable those notifications or active checks. I want these guys to be able to acknowledge when a host or service goes down but the rest they really don't need to be able to mess with.

I know I've read that the security for this kind of thing isn't that granular but it would really help a Nagios admin like me out.

Thanks in advance

Jeff
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: Users disabling notifications or active checks

Post by dwhitfield »

What version of Core are you running? That will help us determine what options are available to us. Also what is the OS and version on the Nagios server?
stryder77
Posts: 7
Joined: Mon Nov 16, 2015 12:33 pm

Re: Users disabling notifications or active checks

Post by stryder77 »

Nagios Core 4.2.1
CentOS 6.7
bwallace
Posts: 1145
Joined: Tue Nov 17, 2015 1:57 pm

Re: Users disabling notifications or active checks

Post by bwallace »

For restricting user access and what they can do in Nagios Core, refer to:
https://assets.nagios.com/downloads/nag ... igcgi.html

It depends on the level of permission you want to grant, but I'd focus on these areas for starters:

System/Process Information Access
This is a comma-delimited list of names of authenticated users who can view system/process information in the extended information CGI. Users in this list are not automatically authorized to issue system/process commands. If you want users to be able to issue system/process commands as well, you must add them to the authorized_for_system_commands variable.

Read-Only Users
A comma-delimited list of usernames that have read-only rights in the CGIs. This will block any service or host commands normally shown on the extinfo CGI pages. It will also block comments from being shown to read-only users.
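An added example, not part of bwallace's post or of Nagios itself: a small Python audit of the global `authorized_for_*` lists in cgi.cfg, flagging any non-admin (or the `*` wildcard) that holds command rights. The usernames and sample file are constructed assumptions, and the check does not cover the per-host command rights that contacts get for their own hosts and services.

```python
# Directives in cgi.cfg that grant command rights beyond a contact's own objects.
COMMAND_KEYS = (
    "authorized_for_system_commands",
    "authorized_for_all_host_commands",
    "authorized_for_all_service_commands",
)

def parse_cgi_cfg(text):
    """Return {directive: [values]}; if a directive repeats, the last one is kept here."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = [v.strip() for v in value.split(",") if v.strip()]
    return settings

def audit(text, admins):
    """List (directive, user) pairs that contradict the intended admin set."""
    settings = parse_cgi_cfg(text)
    findings = []
    if settings.get("use_authentication") == ["0"]:
        findings.append(("use_authentication", "0"))
    for key in COMMAND_KEYS:
        for user in settings.get(key, []):
            if user == "*" or user not in admins:
                findings.append((key, user))
    # An admin listed as read-only loses the command forms in the CGIs.
    for user in settings.get("authorized_for_read_only", []):
        if user in admins:
            findings.append(("authorized_for_read_only", user))
    return findings

# Constructed sample, not a real site's configuration.
SAMPLE_CGI_CFG = """
use_authentication=1
authorized_for_system_information=nagiosadmin,jeff,ops1
authorized_for_system_commands=nagiosadmin,ops1
authorized_for_all_host_commands=*
authorized_for_all_service_commands=nagiosadmin,jeff
authorized_for_read_only=guest
"""

if __name__ == "__main__":
    for key, user in audit(SAMPLE_CGI_CFG, admins={"nagiosadmin", "jeff"}):
        print(f"{key}: unexpected entry {user!r}")
```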
stryder77
Posts: 7
Joined: Mon Nov 16, 2015 12:33 pm

Re: Users disabling notifications or active checks

Post by stryder77 »

Thanks for the link but I've probably read that 20 times over the past two days trying to make sense of it. I still need these guys to acknowledge issues that Nagios detects. If I stop them from accessing that page then they can't do that. I also read that because I have contacts/contact groups set up for each host those contacts can manipulate settings on the hosts they are responsible for. I need to turn that stuff off. They only need to be able to acknowledge or schedule downtime. The rest should be turned off for those users.

I want people I specify as Nagios admins to be able to manipulate everything.

I hope that makes a bit more sense.
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: Users disabling notifications or active checks

Post by dwhitfield »

We have a few potential options for you that at least might get you headed in the right direction.

1. https://gist.github.com/oogali/1386011
You will see at the bottom that I posted asking where this has been tested. If I get a response while this thread is still open, I will post it here.

2. http://www.techopsguys.com/2010/01/05/a ... l-replies/
This is from 2010 and I have not tested it. However, I am not aware of anything new that will break it, aside from the comment that mentioned that the procmail code should be
* ^Subject: [ ]*\/[^ ].* instead of * ^Subject:[ ]*\/[^ ].*

3. Nagios XI Rapid Response
There is a feature in Nagios XI called Rapid Response. It is not without issues (https://support.nagios.com/forum/viewto ... 12&p=55738), but if this is of critical importance you might give our 60-day trial of XI a shot: https://www.nagios.com/downloads/nagios-xi/
Last edited by dwhitfield on Wed Oct 12, 2016 2:42 pm, edited 1 time in total.
Reason: icode didn't look correct
stryder77
Posts: 7
Joined: Mon Nov 16, 2015 12:33 pm

Re: Users disabling notifications or active checks

Post by stryder77 »

I appreciate the reply but I don't see how that has anything to do with limiting users from disabling notifications on hosts or stopping them from disabling checks on hosts.

I have LDAP set up in my Apache so our admins have to log in with the domain admin credentials to access our Nagios Core boxes. I want to take it a step further and limit those users to only being able to acknowledge their problems with comments or schedule downtime.

I want to have the two Nagios admins have full control over the interfaces.
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: Users disabling notifications or active checks

Post by dwhitfield »

All three of these address having the users acknowledge without having access to Nagios. Acknowledgements disable notifications. I wasn't suggesting this was exactly what you wanted, but I thought it might offer a workaround.

That said, it sounds like you want them to be able to disable all notifications, even if there is a new problem. Is that correct?
stryder77
Posts: 7
Joined: Mon Nov 16, 2015 12:33 pm

Re: Users disabling notifications or active checks

Post by stryder77 »

No, I don't want them disabling notifications or checks.
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: Users disabling notifications or active checks

Post by dwhitfield »

stryder77 wrote: I want to take it a step further and limit those users to only being able to acknowledge their problems with comments or schedule downtime.
I think the previous post addresses the acknowledgement piece, but it does not address the scheduled down time piece. Unfortunately, working with scheduled downtime in that way is not currently a feature in Core.

The functionality you want exists in XI: https://assets.nagios.com/downloads/nag ... Rights.pdf. The custom development costs are going to exceed the licensing costs. My immediate thought is you could do something with htaccess (or the httpd server config file).

That said, you are free to submit a feature request on github: https://github.com/NagiosEnterprises/na ... issues/new.