Page 1 of 2
permission problem with nrpe
Posted: Mon Dec 30, 2019 11:20 am
by elade
Hi,
I have a script which run on linux machine (Ubuntu 18.04) and I need to run as root user.
I did the following configuration:
Code: Select all
/etc/sudoers.d/nagios
nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_test.py
Code: Select all
/usr/local/nagios/etc/nrpe/nagios.cfg ( I added the dir in nrpe.cfg configuration)
command[check_test]=sudo -S /usr/local/nagios/libexec/check_test.py
in the service I get this info:
Code: Select all
Dec 30 12:10:04 test-server nrpe[1659]: is_an_allowed_host (AF_INET): host is in allowed host list!
Dec 30 12:10:04 test-server nrpe[1659]: Host address is in allowed_hosts
Dec 30 12:10:04 test-server nrpe[1659]: Host 10.10.10.10 is asking for command 'check_test' to be run...
Dec 30 12:10:04 test-server nrpe[1659]: Running command: /usr/bin/sudo -S /usr/local/nagios/libexec/check_test.py
Dec 30 12:10:04 test-server sudo[1662]: nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/nagios/libexec/check_test.py
Dec 30 12:10:04 test-server sudo[1662]: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 30 12:10:04 test-server sudo[1662]: pam_unix(sudo:session): session closed for user root
Dec 30 12:10:04 test-server nrpe[1659]: Command completed with return code 0 and output: OK: no errors
Dec 30 12:10:04 test-server nrpe[1659]: Return Code: 0, Output: OK: no errors
Dec 30 12:10:04 test-server nrpe[1659]: Connection from 10.10.10.10 closed.
In shell command I get the error result - "Critical - check status" but in the GUI I get OK even when there are errors.
XI version 5.5.8
NRPE Plugin for Nagios
Version: 3.2.1
From user nagios I get the same result from shell command.
Any idea?
Re: permission problem with nrpe
Posted: Mon Dec 30, 2019 12:44 pm
by mbellerue
Can you send me the check_test.py script? I am wondering if it's just not returning the proper exit code.
Re: permission problem with nrpe
Posted: Mon Dec 30, 2019 3:52 pm
by elade
Hi it’s not a problem with the exit code. I already check it.
I will ask if it’s ok to publish the script.
Other than that all the configuration is OK?
Re: permission problem with nrpe
Posted: Mon Dec 30, 2019 4:12 pm
by mbellerue
In looking over what you posted, I just saw this.
Code: Select all
command[check_test]=sudo -S /usr/local/nagios/libexec/check_test.py
sudo -S forces sudo to read the password from standard input. Is this supposed to be sudo -s?
Re: permission problem with nrpe
Posted: Tue Dec 31, 2019 10:22 am
by elade
I'm using it in all my monitor script which I need to run as root and I haven't got any problem until now.
I send to you PM with the script
Re: permission problem with nrpe
Posted: Thu Jan 02, 2020 11:46 am
by mbellerue
Try adding this to your /etc/sudoers.d/nagios file, above your NOPASSWD line.
When I added this, I was able to run the command using sudo without a password.
Re: permission problem with nrpe
Posted: Sun Jan 05, 2020 4:23 am
by elade
I added it to /etc/sudoers.d/nagios even when it was already in /etc/sudoers and I get the same output.
Re: permission problem with nrpe
Posted: Mon Jan 06, 2020 11:55 am
by lmiltchev
Restart apache on the remote box, then run the following commands from the command line, and show the output:
On the client (remote machine)
Code: Select all
ls -la /usr/local/nagios/libexec/check_test.py
grep -s -R 'check_test.py\|requiretty' /etc
grep 'check_test.py\|nrpe_' /usr/local/nagios/etc/nrpe.cfg
su - nagios
sudo -S /usr/local/nagios/libexec/check_test.py
echo $?
Code: Select all
su - nagios
/usr/local/nagios/libexec/check_nrpe -H <client ip>
/usr/local/nagios/libexec/check_nrpe -H <client ip> -c check_test
echo $?
Re: permission problem with nrpe
Posted: Tue Jan 07, 2020 12:30 pm
by elade
On the client (remote machine)
CODE: SELECT ALL
ls -la /usr/local/nagios/libexec/check_test.py
grep -s -R 'check_test.py\|requiretty' /etc
grep 'check_test.py\|nrpe_' /usr/local/nagios/etc/nrpe.cfg
su - nagios
sudo -S /usr/local/nagios/libexec/check_test.py
echo $?
Code: Select all
root@test01:/usr/local/nagios/libexec# ls -la /usr/local/nagios/libexec/check_test.py
-rwxr-xr-x 1 root root 1021 Jan 7 17:14 /usr/local/nagios/libexec/check_test.py
root@test01:/usr/local/nagios/libexec# grep -s -R 'check_test.py\|requiretty' /etc
/etc/sudoers.d/nagios:Defaults:nagios !requiretty
/etc/sudoers.d/nagios:nagios ALL=(user) NOPASSWD:/usr/local/nagios/libexec/check_test.py
/etc/sudoers:Defaults:nagios !requiretty
/etc/ansible/ansible.cfg:# first disable 'requiretty' in /etc/sudoers
/etc/ansible/ansible.cfg:# sudoers configurations that have requiretty (the default on many distros).
root@test01:/usr/local/nagios/libexec# grep 'check_test.py\|nrpe_' /usr/local/nagios/etc/nrpe/nagios.cfg
command[check_test]=sudo -S -u user /usr/local/nagios/libexec/check_test.py
root@test01:/usr/local/nagios/libexec# su - nagios
No directory, logging in with HOME=/
$ bash
nagios@test01:/$ sudo -S /usr/local/nagios/libexec/check_test.py
[sudo] password for nagios:
Sorry, try again.
[sudo] password for nagios:
Sorry, try again.
[sudo] password for nagios:
sudo: 2 incorrect password attempts
nagios@test01:/$ sudo -S -u user /usr/local/nagios/libexec/check_test.py
The connection to the server localhost:8080 was refused - did you specify the right host or port?
All are Running
nagios@test01:/$ echo $?
0
nagios@test01:/$
On the Nagios XI server
CODE: SELECT ALL
su - nagios
/usr/local/nagios/libexec/check_nrpe -H <client ip>
/usr/local/nagios/libexec/check_nrpe -H <client ip> -c check_test
echo $?
Code: Select all
root@ubuntu:~# su - nagios
No directory, logging in with HOME=/
$ bash
nagios@ubuntu:/$ /usr/local/nagios/libexec/check_nrpe -H 10.10.10.10
NRPE v3.2.1
nagios@ubuntu:/$ /usr/local/nagios/libexec/check_nrpe -H 10.10.10.10 -c check_test
All are Running
nagios@ubuntu:/$ echo $?
0
I added permission for script to run as "user" (remote machine username) without it the script is asking for nagios user's password.
Code: Select all
nagios ALL=(user) NOPASSWD:/usr/local/nagios/libexec/test.py
from user on the remote machine there are errors which i need to show in the alert.
Re: permission problem with nrpe
Posted: Tue Jan 07, 2020 12:48 pm
by lmiltchev
This is definitely NOT a standard (vanilla) setup. Your Nagios XI has been modified... It seems like you removed the nagios home page... What is the output of the command below, run on the Nagios XI server?
The "default" output should look something like this:
Code: Select all
nagios:x:500:500::/home/nagios:/bin/bash
Also, NRPE runs as nagios user, not some other user... Change this line in the nrpe.cfg:
Code: Select all
command[check_test]=sudo -S -u user /usr/local/nagios/libexec/check_test.py
to this:
Code: Select all
command[check_test]=sudo -S /usr/local/nagios/libexec/check_test.py
Save, exit and restart nrpe.
Also, change this line in "/etc/sudoers.d/nagios" file:
Code: Select all
nagios ALL=(user) NOPASSWD:/usr/local/nagios/libexec/check_test.py
to this:
Code: Select all
nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_test.py
Lastly, change the permissions on the check_test.py file:
Code: Select all
chown root.nagios /usr/local/nagios/libexec/check_test.py
Try your check again. Did it work now?