Encrypting resource.cfg & NCPA config files?

Posted: Mon May 15, 2017 2:18 pm
by vAJ
Twin City Techies:

I've been hit with SOX audit requirements that we lock down anything in our monitoring infrastructure with cleartext passwords. <sigh>

Since we store passwords in resource.cfg on the Nagios server, even though the file is locked down (660), anyone who can sudo to root would be able to read the passwords stored therein.

By the same right, the NCPA cfg file stores the token in cleartext. Granted, everything through the API is read-only, but if someone was able to compromise the plugins directory, they could execute any code they want to on the system.

Has anyone been able to secure that file further?

Thanks,
AJ

Re: Encrypting resource.cfg & NCPA config files?

Posted: Mon May 15, 2017 3:16 pm
by tmcdonald
Short answer: Not really something you can fix.

Long answer: Let's say we did encrypt that resource.cfg file and everything in it was gibberish to even the root user. Nagios would still need to decrypt that file in order to read its contents, which means you need a password to decrypt it. That password has to be stored in plain-text in order for Nagios to use it. If you store that password in a file then encrypt that file... you see where this is going.

Short answer again: Until all systems everywhere move to PKI there is no getting around passwords, and even then you have the problem of the key files being accessible.

Even shorter: You can't protect root from root.

Edit/Addendum: One way around this might be to set a password at compile-time that gets compiled into the nagios binary, but even that could fairly easily be ascertained by anyone with a basic understanding of binary formats.
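
Added example (not part of the thread and not Nagios project code): a check that resource.cfg is no more permissive than the 660 mode mentioned in the first post, which also lists which `$USERn$` macros hold non-path values without ever printing the values. The function name, the sample file contents and the "value does not start with /" heuristic for spotting a likely secret are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# Constructed sample in resource.cfg syntax; every value here is made up.
SAMPLE = """\
# Path to the plugins directory
$USER1$=/usr/local/nagios/libexec
$USER3$=snmp-community-example
$USER4$=db-password-example
"""

MACRO = re.compile(r"^\$(USER\d+)\$=(.*)$")


def audit_resource_cfg(path, max_mode=0o660):
    """Report permission findings and the names (never values) of likely secrets."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & ~max_mode:
        findings.append(f"mode {mode:04o} grants bits beyond {max_mode:04o}")
    if mode & stat.S_IRWXO:
        findings.append("accessible to 'other'")
    secret_macros = []
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            m = MACRO.match(line.strip())
            # Assumption: plugin paths start with "/", anything else may be a secret.
            if m and not m.group(2).startswith("/"):
                secret_macros.append(m.group(1))
    return {"mode": mode, "findings": findings, "secret_macros": secret_macros}


def demo():
    """Audit the constructed sample twice: once at 664, once at 660."""
    with tempfile.NamedTemporaryFile("w", suffix=".cfg", delete=False) as tmp:
        tmp.write(SAMPLE)
    try:
        os.chmod(tmp.name, 0o664)
        loose = audit_resource_cfg(tmp.name)
        os.chmod(tmp.name, 0o660)
        tight = audit_resource_cfg(tmp.name)
    finally:
        os.unlink(tmp.name)
    return loose, tight


if __name__ == "__main__":
    for result in demo():
        print(result)
```

This does not change the point made above: a clean result only shows that non-root accounts outside the file's owner and group cannot read the macros.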

Re: Encrypting resource.cfg & NCPA config files?

Posted: Mon May 15, 2017 3:20 pm
by vAJ
I'm thinking the only way around this is to use all passive checks...

Re: Encrypting resource.cfg & NCPA config files?

Posted: Mon May 15, 2017 3:21 pm
by tmcdonald
Those store the NRDP/NSCA token in clear-text on the client :)

Re: Encrypting resource.cfg & NCPA config files?

Posted: Mon May 15, 2017 3:25 pm
by vAJ
Crap.

Then WMI/SSH (Windows/Linux) and dropping any use of agent is the only way...

Re: Encrypting resource.cfg & NCPA config files?

Posted: Mon May 15, 2017 3:27 pm
by vAJ
Also, having the NRDP token in cleartext is easier to get an exception for. If someone has that, they can't break something on a production server.

Screw up Nagios, for sure, but not our client-facing platform.

Re: Encrypting resource.cfg & NCPA config files?

Posted: Mon May 15, 2017 3:28 pm
by tmcdonald
Maybe. You need the SSH key, which could be flagged by security as not being locked down enough, and WMI uses a password, which runs into the same issue as resource.cfg.

Re: Encrypting resource.cfg & NCPA config files?

Posted: Mon May 15, 2017 3:32 pm
by vAJ
I'm going to turn in my badge and become a gardener.

Re: Encrypting resource.cfg & NCPA config files?

Posted: Mon May 15, 2017 3:38 pm
by tmcdonald
I just tell people I'm a beet farmer.

Re: Encrypting resource.cfg & NCPA config files?

Posted: Mon May 15, 2017 3:42 pm
by vAJ
Sounds like a plan. I think you can lock this up.