Nagios Support Forum

Support for Nagios products and services
https://support.nagios.com/forum/

Security Considerations - Macros

https://support.nagios.com/forum/viewtopic.php?t=42774

Page 1 of 1

Security Considerations - Macros

Posted: Thu Mar 02, 2017 8:04 pm
by akepley
My security officer asked to complete the following document:

https://assets.nagios.com/downloads/nag ... urity.html

to secure our NagiosXI 5.4.2 build on RHEL 6. I've gotten everything, but was confused by the 8th step:

Hide Sensitive Information With $USERn$ Macros. The CGIs read the main config file and object config file(s), so you don't want to keep any sensitive information (usernames, passwords, etc) in there. If you need to specify a username and/or password in a command definition use a $USERn$ macro to hide it. $USERn$ macros are defined in one or more resource files. The CGIs will not attempt to read the contents of resource files, so you can set more restrictive permissions (600 or 660) on them. See the sample resource.cfg file in the base of the Nagios distribution for an example of how to define $USERn$ macros.

I followed the links in the paragraph but still am not sure what I'm looking for to change to make more secure. We have about 200 hosts and 1500 services on our NagiosXI setup and I'm not sure what I would be changing to match this document.

Re: Security Considerations - Macros

Posted: Fri Mar 03, 2017 10:56 am
by mcapra
Some plugins may require the use of sensitive information, such as passwords. In the case of WMI checks, you might be including your password for a particular Windows account in the command definition:
2017_03_03_09_50_07_CCM_Nagios_XI.png
The idea behind macros is that, instead of having my credentials in plain-text visible from the GUI (admin, welcome123), I could define a macro to represent my WMI username and password like so:

Code: Select all

$WMI_USER$=admin
$WMI_PASS$=welcome123
This means that, in order for someone to get the credentials for the WMI account I am leveraging, they would need access to the file system directly. They wouldn't be able to retrieve sensitive information via the GUI.

Re: Security Considerations - Macros

Posted: Fri Mar 03, 2017 2:41 pm
by akepley
Oh, ok. So adding those macros in the core config manager, but then setting the passwords, etc in the actual .cfg file on the backend?

Re: Security Considerations - Macros

Posted: Fri Mar 03, 2017 3:16 pm
by mcapra
If you're using the "User Macros" component in the Core Config Manager, that should do just fine since it writes to resource.cfg directly.

You won't be able to write to this while the "Redact Displayed Values" option is enabled though. You can enable/disable this setting with the little gear on the "User Macros Component" page:
2017_03_03_14_15_32_CCM_Nagios_XI.png
And only those users with the "Admin" access level can access that page to change the settings.
All times are UTC-05:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited