
Something wrote host names to /etc/sssd/sssd.conf

Posted: Tue Mar 02, 2021 1:26 pm
by MonitorGuy
During this past weekend's scheduled patching, our Linux admin noted something wrote all the monitored host names in Nagios to this file: /etc/sssd/sssd.conf

hostname01 Not Found
hostname02 Not Found
hostname03 Not Found
hostname04 Not Found
hostname05 Not Found

I guess the changes to the file caused a process not to start up after reboot, and removing the "hostname Not Found" entries resolved the issue.

I searched logfiles on the Nagios server and came up empty, so checking here to see if anyone else noticed this behavior, or knows how this might happen?

Just updated Nagios XI to 5.8.1
Previously on 5.7.5
RHEL 7.9

Thanks!

Re: Something wrote host names to /etc/sssd/sssd.conf

Posted: Wed Mar 03, 2021 4:41 pm
by cdienger
Very odd and the only time I've heard of something like this. sssd.conf is a configuration file so it wouldn't be surprising that the service that uses it wouldn't start if it had unrecognized entries like this. Do you have any Nagios checks that work with the file or service?

Re: Something wrote host names to /etc/sssd/sssd.conf

Posted: Thu Mar 04, 2021 1:14 pm
by MonitorGuy
Here are the service monitors:

check_ssh
check_xi_service_status
check_local_mem
check_local_load
check_http
check_local_disk
check_mailq

Checked the scripts, nothing stood out as having anything to do with sssd.conf

We know the file got updated on Feb 9th, but that's all we have so far...

Craig

Re: Something wrote host names to /etc/sssd/sssd.conf

Posted: Fri Mar 05, 2021 5:00 pm
by ssax
There's nothing that I know of that would write anything in there.

Considering sssd is used for directory services/authentication it could be related if your system is AD/LDAP integrated, but none of our products should touch that file.

Were they under a specific column or anything? Can you PM me the file with how it looked?

Re: Something wrote host names to /etc/sssd/sssd.conf

Posted: Mon Mar 08, 2021 9:55 am
by MonitorGuy
PM Submitted...

Re: Something wrote host names to /etc/sssd/sssd.conf

Posted: Tue Mar 09, 2021 5:55 pm
by benjaminsmith
Hi Craig,

We went over the files here that you sent, and there's nothing in Nagios XI by default that would touch that file. Do you have any custom or automated processes (i.e. Chef, Puppet, etc.) that could be writing there?

Benjamin

Re: Something wrote host names to /etc/sssd/sssd.conf

Posted: Wed Mar 10, 2021 10:18 am
by MonitorGuy
That was the first thing I checked, all the custom scripts have been checked and nothing related to sssd was found.

Could a setting in the Nagios XI GUI touch that file for any reason?

Thanks,

Craig

Re: Something wrote host names to /etc/sssd/sssd.conf

Posted: Wed Mar 10, 2021 6:16 pm
by ssax
I grepped our entire codebase and nothing was found.

I'm also very familiar with our code and I've never seen anything touch that file.

You can try searching the entire server to see if you can find anything but we have no idea how they got in that file:

Code:

grep -Rnw sssd.conf /
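
The following is an added example, not part of any post in this thread and not Nagios code: a small shell check that flags lines in an sssd.conf-style INI file that are neither blank, comments, [section] headers nor key = value options, which is the shape of the stray "hostname Not Found" entries described above. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: find lines that do not belong in an INI-style sssd.conf.

# find_stray_lines FILE
# Prints "LINENO:TEXT" for every line that is not blank, a comment,
# a [section] header, or a "key = value" option.
find_stray_lines() {
    awk '
        /^[ \t]*$/                    { next }  # blank line
        /^[ \t]*[#;]/                 { next }  # comment
        /^[ \t]*\[.+\][ \t]*$/        { next }  # [section] header
        /^[ \t]*[A-Za-z0-9_.-]+[ \t]*=/ { next }  # key = value option
        { printf "%d:%s\n", NR, $0 }            # anything else is stray
    ' "$1"
}

# count_stray_lines FILE
# Prints the number of stray lines (0 means the file parses cleanly
# under the simple rules above).
count_stray_lines() {
    find_stray_lines "$1" | wc -l | tr -d ' '
}

# make_sample FILE
# Writes a constructed sssd.conf with two injected lines in the style
# reported in the thread. Domain and options are sample values only.
make_sample() {
    cat > "$1" <<'EOF'
[sssd]
services = nss, pam
domains = example.test
hostname01 Not Found
hostname02 Not Found

[domain/example.test]
id_provider = ldap
# constructed sample, not a real configuration
EOF
}

# Demo on the constructed sample; point find_stray_lines at
# /etc/sssd/sssd.conf to check the real file (read access required).
sample=$(mktemp)
make_sample "$sample"
find_stray_lines "$sample"
rm -f "$sample"
```

To identify the writer if it happens again, an audit watch such as `auditctl -w /etc/sssd/sssd.conf -p wa -k sssd_conf_write` records the process that modifies the file, and `ausearch -k sssd_conf_write` lists the recorded events (the key name here is an arbitrary label).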