Nagios Support Forum

Support for Nagios products and services
https://support.nagios.com/forum/

NCPA_Security

https://support.nagios.com/forum/viewtopic.php?t=59342

Page 1 of 1

NCPA_Security

Posted: Wed Jul 15, 2020 4:23 am
by ybadrou
Hello Dear community,

I have just installed NCPA_Agent on a set of equipements. My question is about NCPA security. I have noticed that NCPA had provided a better level of security through SSL/TLS encryption.
- So my question is what is the limit of this amelioration! and what must be done to keep this security strong. I was wondering of it is a necessity to change the auto-signed certificates as they come by default after the installation of the NCPA Agent and so provide my own certificates?
- what other security vulnerabilities still exist on NCPA agent ?

Thank you

Re: NCPA_Security

Posted: Wed Jul 15, 2020 3:59 pm
by benjaminsmith
Hi @ybadrou,

Thank you for trying out Nagios! Out of the box, NCPA uses a self-signed certificate, but you have the option to set your own if you'd like. This is done using the certificate option in the configuration file.

See: https://www.nagios.org/ncpa/help/2.0/configuration.html

In regards to other vulnerabilities, we work hard to keep everything secure. The best practice is to keep everything up-to-date, both NCPA and Nagios XI.

Let us know if you have more questions.

Re: NCPA_Security

Posted: Fri Jul 17, 2020 4:49 am
by ybadrou
hi @benjaminsmith

Thank you for your answer.
-I have another two questions about SSL certificate. As I will leave the default certificates provided by Nagios after the NCPA installation, does this present a security vulnerability ? In other word, are they the same in every host ? I wanna now if all NCPA agent come with the same certificate or does it change in every installation?
- How the exchange of certificates between Nagios server and NCPA Client is performed. Is it while trying to pair the client to the server or what ?

Thank you so much

Re: NCPA_Security

Posted: Fri Jul 17, 2020 2:11 pm
by benjaminsmith
HI @yabadrou,

Your welcome. In regards to your other questions, see below:

1. It's a self-signed certificate, and but in this use case, it's acceptable for most users since the certificate is used between components of the same system, and not between a server and unknown agents, so there really isn't a need for a 3rd party. When you install NCPA, a certificate is generated, so it's not the same for every installation.

Regarding, the HTTP handshake between check_ncpa.py and NCPA(server), that's handled by the SSL module in python.

See: https://docs.python.org/3/library/ssl.html#ssl-security

2. As far as other vulnerabilities, I would recommend keeping everything updates to date. We are quick to respond to any CVE, you can follow the project on GitHub for the latest as well.

https://github.com/NagiosEnterprises/nc ... HANGES.rst

Reference:
Security at Nagios
All times are UTC-05:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited