nagios vs nrpe user in sudoers file - rhel7

[jenglish]

Greetings,

We are using a cert checker plugin on various RHEL hosts. I have a discrepancy between my configurations on RHEL{6,7} hosts and I cannot figure out why.

nagios-server:

Code: Select all

[jenglish@boy-adams ~]$ /usr/lib/nagios/plugins/check_nrpe -H ftm-opdevods01 -c check_java_keystore -t 1000 -a /opt/app/ods-np2/keystore/ssl.keystore JCEKS "oIw1d90caP" 90 45
NRPE: Unable to read output

RHEL7 nagios-client:

Code: Select all

(DEV-FM|jenglish@ftm-opdevods01 ~)$ sudo grep 'nagios\|nrpe' /etc/sudoers | grep -v '^#'
nagios  ALL=NOPASSWD:!ALL, /sbin/multipath -ll, /sbin/service iptables status, /usr/sbin/hpacucli, /usr/sbin/dmidecode, /bin/egrep, /usr/sbin/ethtool -S *, /sbin/service * restart, /usr/lib/nagios/plugins/check_java_keystore

Aug 23 10:25:57 ftm-opdevods01 sudo:    nrpe : user NOT in sudoers ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib/nagios/plugins/check_java_keystore --keystore /opt/app/ods-np2/keystore/ssl.keystore --storetype JCEKS --password oIw1d90caP -w 90 -c 45

RHEL6 nagios-client:

So if I run the same NRPE command from the nagios-server against a RHEL6 host I get this ...

Code: Select all

(DEV-FTM|jenglish@ftm-opdevapp08 ~)$ sudo grep 'nagios\|nrpe' /etc/sudoers | grep -v '^#'
nagios  ALL=NOPASSWD:!ALL, /sbin/multipath -ll, /sbin/service iptables status, /usr/sbin/hpacucli, /usr/sbin/dmidecode, /bin/egrep, /usr/sbin/ethtool -S *, /sbin/service * restart, /usr/lib/nagios/plugins/check_java_keystore

Aug 23 10:27:54 ftm-opdevapp08 sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib/nagios/plugins/check_java_keystore --keystore /opt/share/sv1/TOBE/alf_data/keystore/ssl.truststore --storetype JCEKS --password oIw1d90caP -w 90 -c 45

My question is why is the nrpe user being used instead of the nagios user? The only difference here (that I see) is the OS versions are different.

Thanks!

[cdienger]

Have you checked for differences in the client's nrpe.cfg? Is the nrpe_user option set to use the same account name?

[lmiltchev]

Did you install NRPE on both machines using the same method, e.g. installing NRPE from a repo, from source, or using our official Linux Agent installer?

What user you have in sudoers would depend on what user NRPE is running under. What is the output of the following command run from the CLI on both machines?

Code: Select all

grep 'nrpe_user\|nrpe_group' /usr/local/nagios/etc/nrpe.cfg

Note: Modify the path to nrpe.cfg if yours is different.

FYI, our official installer added nagios to sudoers:

Code: Select all

# Some checks require root privileges to be executed.  In order to accomplish this, you must modify the /etc/sudoers file:
cat >>/etc/sudoers <<-EOF

	# NEEDED TO ALLOW NAGIOS TO CHECK SERVICE STATUS
	Defaults:nagios !requiretty
	nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_init_service

	# ASTERISK-SPECIFIC CHECKS
	# NOTE: You can uncomment the following line if you are monitoring Asterisk locally
	#nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_asterisk_sip_peers.sh, /usr/local/nagios/libexec/nagisk.pl, /usr/sbin/asterisk

EOF

[jenglish]

Have you checked for differences in the client's nrpe.cfg? Is the nrpe_user option set to use the same account name?

The only noticeable differences I see here are varying commands. The user and user group are set the same.

Code: Select all

[jenglish@boy-adams nrpe.cfg]$ diff -y rhel6.nrpe.cfg rhel7.nrpe.cfg

#Nagios NRPE Configuration                                      #Nagios NRPE Configuration

server_port=5666                                                server_port=5666
allowed_hosts=127.0.0.1,10.0.130.70,172.25.17.40,172.27.18.40 | allowed_hosts=127.0.0.1,10.0.130.70,172.27.17.133,172.24.17.1
nrpe_user=nagios                                                nrpe_user=nagios
nrpe_group=nagios                                               nrpe_group=nagios
dont_blame_nrpe=1                                               dont_blame_nrpe=1
debug=1                                                         debug=1
command_timeout=900                                             command_timeout=900
connection_timeout=900                                        <
command[check_users]=/usr/lib/nagios/plugins/check_users -w $   command[check_users]=/usr/lib/nagios/plugins/check_users -w $
command[check_load]=/usr/lib/nagios/plugins/check_load -w $AR   command[check_load]=/usr/lib/nagios/plugins/check_load -w $AR
command[check_disk]=/usr/lib/nagios/plugins/check_disk -e -E  | command[check_disk]=/usr/lib/nagios/plugins/check_disk -E -w
command[check_temp]=/usr/lib/nagios/plugins/check_temp -w $AR   command[check_temp]=/usr/lib/nagios/plugins/check_temp -w $AR
command[check_procs]=/usr/lib/nagios/plugins/check_procs -C $   command[check_procs]=/usr/lib/nagios/plugins/check_procs -C $
command[check_lock_age]=/usr/lib/nagios/plugins/check_file_ag   command[check_lock_age]=/usr/lib/nagios/plugins/check_file_ag
command[check_ntp_time]=/usr/lib/nagios/plugins/check_ntp_tim   command[check_ntp_time]=/usr/lib/nagios/plugins/check_ntp_tim
command[check_file_age]=/usr/lib/nagios/plugins/check_file_ag   command[check_file_age]=/usr/lib/nagios/plugins/check_file_ag
command[check_init]=/usr/lib/nagios/plugins/check_init.sh $AR   command[check_init]=/usr/lib/nagios/plugins/check_init.sh $AR
command[check_swap]=/usr/lib/nagios/plugins/check_swap -w $AR   command[check_swap]=/usr/lib/nagios/plugins/check_swap -w $AR
command[check_generic]=/usr/lib/nagios/plugins/$ARG1$ $ARG2$    command[check_generic]=/usr/lib/nagios/plugins/$ARG1$ $ARG2$
command[check_tcp]=/usr/lib/nagios/plugins/check_tcp -p $ARG1   command[check_tcp]=/usr/lib/nagios/plugins/check_tcp -p $ARG1
command[check_large_file]=/usr/lib/nagios/plugins/check_file_   command[check_large_file]=/usr/lib/nagios/plugins/check_file_
command[check_file_size]=/usr/lib/nagios/plugins/check_file_a   command[check_file_size]=/usr/lib/nagios/plugins/check_file_a
command[check_postqueue]=/usr/lib/nagios/plugins/check_postqu   command[check_postqueue]=/usr/lib/nagios/plugins/check_postqu
command[check_ntp_procs]=/usr/lib/nagios/plugins/check_procs    command[check_ntp_procs]=/usr/lib/nagios/plugins/check_procs
command[check_all_disk]=/usr/lib/nagios/plugins/check_disk -e | #command[check_all_disk]=/usr/lib/nagios/plugins/check_disk -
                                                              > command[check_all_disk]=/usr/lib/nagios/plugins/check_disk -l
command[check_proc_string]=/usr/lib/nagios/plugins/check_proc   command[check_proc_string]=/usr/lib/nagios/plugins/check_proc
command[check_linux_kernel]=/usr/lib/nagios/plugins/check_lin   command[check_linux_kernel]=/usr/lib/nagios/plugins/check_lin
                                                              > #command[check_iptables_getenforce]=/usr/lib/nagios/plugins/c
command[check_iptables_getenforce]=/usr/lib/nagios/plugins/ch   command[check_iptables_getenforce]=/usr/lib/nagios/plugins/ch
command[check_bond]=/usr/lib/nagios/plugins/check_bond.sh       command[check_bond]=/usr/lib/nagios/plugins/check_bond.sh
command[check_multipath]=/usr/lib/nagios/plugins/check_multip   command[check_multipath]=/usr/lib/nagios/plugins/check_multip
command[check_md5sum]=/usr/lib/nagios/plugins/check_md5sum.sh   command[check_md5sum]=/usr/lib/nagios/plugins/check_md5sum.sh
command[check_procs_string]=/usr/lib/nagios/plugins/check_pro   command[check_procs_string]=/usr/lib/nagios/plugins/check_pro
command[restart_service]=/usr/lib/nagios/plugins/restart_serv   command[restart_service]=/usr/lib/nagios/plugins/restart_serv
command[check_ssl_cert]=sudo /usr/lib/nagios/plugins/check_ss <
command[check_java_keystore]=sudo /usr/lib/nagios/plugins/che   command[check_java_keystore]=sudo /usr/lib/nagios/plugins/che
[jenglish@boy-adams nrpe.cfg]$

Did you install NRPE on both machines using the same method, e.g. installing NRPE from a repo, from source, or using our official Linux Agent installer?

They are both using the epel repo

Code: Select all

ftm-opdevapp08:
Name        : nrpe
Version     : 3.2.0
Repo        : OPM-NM_nm-epel_nm_epel_Server6
ftm-opdevods01:
Name        : nrpe
Version     : 3.2.0
From repo   : OPM-NM_nm-epel_nm_epel_Server7

What user you have in sudoers would depend on what user NRPE is running under. What is the output of the following command run from the CLI on both machines?

Code: Select all

[jenglish@boy-adams ~]$ for i in ftm-opdevapp08 ftm-opdevods01 ; do echo "$i: " ; ssh $i cat /etc/redhat-release ; grep 'nrpe_user\|nrpe_group' /etc/nagios/nrpe.cfg ; done
ftm-opdevapp08:
Red Hat Enterprise Linux Server release 6.10 (Santiago)
nrpe_user=nagios
nrpe_group=nagios
ftm-opdevods01:
Red Hat Enterprise Linux Server release 7.5 (Maipo)
nrpe_user=nagios
nrpe_group=nagios

[lmiltchev]

When you install from a repo, the nrpe user/group is set to "nrpe", NOT nagios...

Code: Select all

# cat /etc/redhat-release ; grep 'nrpe_user\|nrpe_group' /etc/nagios/nrpe.cfg
Red Hat Enterprise Linux Server release 6.10 (Santiago)
nrpe_user=nrpe
nrpe_group=nrpe

# cat /etc/redhat-release ; grep 'nrpe_user\|nrpe_group' /etc/nagios/nrpe.cfg
Red Hat Enterprise Linux Server release 7.5 (Maipo)
nrpe_user=nrpe
nrpe_group=nrpe

In addition to this, as far as I know, sudoers is NOT modified in any way.

You must have a mixture of different installs, or you modified configs, sudoers, etc. after the fact. Perhaps you copied some configs over from a different system?

[jenglish]

Interesting. The installation/process of Nagios in our environment predates me. Looking at over 400 servers, every nrpe.cfg user/group specified is 'nagios.'

As my first post shows, the sudoers entries for the nagios/nrpe are identical on both RHEL6 and RHEL7.

Is there someplace else that the user may be specified? Something specific to RHEL7? We use kickstart scripts to provision hosts so in theory, everything should be the same.

[scottwilkerson]

I'd have to see the kickstart info because if it is installing the package from epel, the user has been nrpe for something like 11 years

https://src.fedoraproject.org/rpms/nrpe ... c4c2bbe992

[jenglish]

The only thing that's changed (to my knowledge) is RHEL6 -> RHEL7. We use the 'nagios' user instead of 'nrpe' in RHEL6 and it works fine. Why not in RHEL7?

Here is part of the kickstart:

Code: Select all

echo
echo "***** I50_nrpe.sh *****"
set -x

SERVICE="nrpe"
echo "Configuring nrpe"

NRPECONF="/etc/nagios/nrpe.cfg"

#yum install -y nagios-nrpe nagios-plugins-all opmnag
yum -y -t -e0 -d1 install nrpe.x86_64 nagios-plugins-all nagios-plugins-nrpe nagios-plugins-uptime
ln -s /usr/lib64/nagios /usr/lib/nagios
systemctl enable nrpe

chmod 755 /usr/lib64/nagios/plugins/*.sh
chcon --type=nagios_services_plugin_exec_t /usr/lib64/nagios/plugins/*

SaveFile $NRPECONF
cat > $NRPECONF << EOF_NRPE

#Nagios NRPE Configuration

server_port=5666
allowed_hosts=127.0.0.1,10.0.130.70,172.27.17.133,172.24.17.133
nrpe_user=nagios
nrpe_group=nagios
dont_blame_nrpe=1
debug=1
command_timeout=900
command[check_users]=/usr/lib/nagios/plugins/check_users -w \$ARG1\$ -c \$ARG2\$
command[check_load]=/usr/lib/nagios/plugins/check_load -w \$ARG1\$ -c \$ARG2\$
command[check_disk]=/usr/lib/nagios/plugins/check_disk -E -w \$ARG1\$ -c \$ARG2\$ -p \$ARG3\$
command[check_temp]=/usr/lib/nagios/plugins/check_temp -w \$ARG1\$ -c \$ARG2\$
command[check_procs]=/usr/lib/nagios/plugins/check_procs -C \$ARG1\$ -c \$ARG2\$
command[check_lock_age]=/usr/lib/nagios/plugins/check_file_age_wrapper.sh
command[check_ntp_time]=/usr/lib/nagios/plugins/check_ntp_time -H 192.168.5.2 -w 0.5 -c 1
command[check_file_age]=sudo /usr/lib/nagios/plugins/check_file_age -f \$ARG1\$ -W \$ARG2\$ -C \$ARG3\$ -w \$ARG4\$ -c \$ARG5\$
command[check_init]=/usr/lib/nagios/plugins/check_init.sh \$ARG1\$ "\$ARG2\$"
command[check_swap]=/usr/lib/nagios/plugins/check_swap -w \$ARG1\$ -c \$ARG2\$
#command[check_swap]=/usr/lib/nagios/plugins/check_swap -w $ARG1$ -c $ARG2$
command[check_generic]=/usr/lib/nagios/plugins/\$ARG1\$ \$ARG2\$ \$ARG3\$
command[check_tcp]=/usr/lib/nagios/plugins/check_tcp -p \$ARG1\$ -w \$ARG2\$ -c \$ARG3\$
command[check_large_file]=/usr/lib/nagios/plugins/check_file_size.sh --maxwarn \$ARG1\$ --maxcrit \$ARG2\$ \$ARG3\$
command[check_file_size]=/usr/lib/nagios/plugins/check_file_age -f \$ARG1\$ -W \$ARG2\$ -C \$ARG3\$ -w \$ARG4\$ -c \$ARG5\$
command[check_postqueue]=/usr/lib/nagios/plugins/check_postqueue
command[check_ntp_procs]=/usr/lib/nagios/plugins/check_procs -w 1:1 -c 0:2 -C ntpd
#command[check_all_disk]=/usr/lib/nagios/plugins/check_disk -l -w $ARG1$ -c $ARG2$  -A -i /sys/kernel/config 
command[check_all_disk]=/usr/lib/nagios/plugins/check_disk -e -l -w \$ARG1\$ -c \$ARG2\$ -W \$ARG1\$ -K \$ARG2\$ -A -i /sys/kernel/config
command[check_proc_string]=/usr/lib/nagios/plugins/check_procs -a \$ARG1\$ -c \$ARG2\$
command[check_linux_kernel]=/usr/lib/nagios/plugins/check_linux_kernel.sh
#command[check_iptables_getenforce]=/usr/lib/nagios/plugins/check_iptables_getenforce.sh
command[check_iptables_getenforce]=/usr/lib/nagios/plugins/check_iptables_getenforce.sh \$ARG1\$
command[check_bond]=/usr/lib/nagios/plugins/check_bond.sh
command[check_multipath]=/usr/lib/nagios/plugins/check_multipath.sh
command[check_md5sum]=/usr/lib/nagios/plugins/check_md5sum.sh \$ARG1\$
command[check_procs_string]=/usr/lib/nagios/plugins/check_procs -a \$ARG1\$ -w \$ARG2\$
command[check_oracle]=/usr/lib/nagios/plugins/check_oracle --db \$ARG1\$
command[restart_service]=/usr/lib/nagios/plugins/restart_service.sh \$ARG1\$
command[check_mem]=/usr/lib/nagios/plugins/check_mem.pl
command[check_ssl_cert]=sudo /usr/lib/nagios/plugins/check_ssl_cert -H localhost -f \$ARG1\$ -w \$ARG2\$ -c \$ARG3\$
EOF_NRPE

if [ "$KS_TYPE" == "int" ]; then
    
    cat >> $NRPECONF << EOF_NRPE
command[check_dir]=/usr/lib/nagios/plugins/check_dir \$ARG1\$ \$ARG2\$ \$ARG3\$
command[check_postqueue]=/usr/lib/nagios/plugins/check_postqueue
command[check_sentry]=/usr/lib/nagios/plugins/check_tcp -H sentry -p 25
command[check_file_size]=/usr/lib/nagios/plugins/check_file_age -f \$ARG1\$ -W \$ARG2\$ -C \$ARG3\$ -w \$ARG4\$ -c \$ARG5\$
command[check_zero_length_files]=/usr/lib/nagios/plugins/check_zero_length_files.sh \$ARG1\$
command[check_snmp]=/usr/lib/nagios/plugins/check_snmp -H \$ARG1\$ -C \$ARG2\$ -o \$ARG3\$ -w \$ARG4\$ -c \$ARG5\$
command[check_pips_age]=/usr/lib/nagios/plugins/check_pips_age.pl
command[check_raddb]=/usr/lib/nagios/plugins/check_raddb.pl
command[check_pfile]=/usr/lib/nagios/plugins/check_pfile.pl
EOF_NRPE

elif [ "$KS_TYPE" == "avs" ]; then

   cat >> $NRPECONF << EOF_NRPE
command[check_files]=/usr/lib/nagios/plugins/check_files.sh -d \$ARG1\$ -w \$ARG2\$ -c \$ARG3\$ -m \$ARG4\$
command[check_radius]=/usr/lib/nagios/plugins/check_radius.pl
EOF_NRPE

fi


    
set +x

Also, all of the hosts are using the same version of nrpe:

Code: Select all

[jenglish@boy-adams ~]$ less nrpe_version_all.hosts | grep Version | wc -l ; less nrpe_version_all.hosts | grep Version | uniq
363
Version     : 3.2.0

[scottwilkerson]

On RHEL 7 you likely need to also adjust the nrpe.service systemd file to change users as well.

[jenglish]

Brilliant!

That was the fix. Please lock topic. Thanks so much!