Unable to restart, change sources, or delete sources

cdcrawford
Posts: 13
Joined: Tue Oct 29, 2019 11:54 am

Unable to restart, change sources, or delete sources

Post by cdcrawford »

Good morning,

I'm unable to start/stop/restart or remove sources from Nagios Network Analyzer.

The error that I'm getting is below:
from /var/log/secure:
Apr 26 12:17:08 nagiosna sudo: pam_unix(sudo:auth): conversation failed
Apr 26 12:17:08 nagiosna sudo: pam_unix(sudo:auth): auth could not identify password for [apache]
Apr 26 12:17:08 nagiosna sudo: apache : user NOT in sudoers ; TTY=unknown ; PWD=/var/www/html/nagiosna/www ; USER=nna ; COMMAND=/usr/local/nagiosna/bin/rc.py stop DC - HH06 - DMZ Switch

This apparently started after the nna account's password expired. We removed the password, and deleted the expiry. But, this issue persists.

Cheers,
Chris
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Unable to restart, change sources, or delete sources

Post by gsmith »

Hi,

From the log entries you show it looks like the user "apache" is trying to execute some commands
but he is not in the sudoers list.

Can you "sudo su - nna" ?

If so can you run "passwd" ?
Then you can change/update his password.

Please let me know what you find out.

Thanks
cdcrawford
Posts: 13
Joined: Tue Oct 29, 2019 11:54 am

Re: Unable to restart, change sources, or delete sources

Post by cdcrawford »

Issued the commands as given, and changed the password for NNA.

Code: Select all

[chris@nagiosna ~]$ sudo su - nna
[sudo] password for chris: 
[nna@nagiosna ~]$ 
[nna@nagiosna ~]$ 
[nna@nagiosna ~]$ passwd
Changing password for user nna.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

And then I rebooted the VM.

Following the reboot, I am still unable to stop, delete, or restart sources from the web interface. It appears that Apache is still attempting to use NNA to call the command, but, they are not in the Sudoers file.

Should they be?

Looking at the /etc/sudoers.d/nagiosna file I see that it's different than the one posted in another thread. Mine is below:

Code: Select all

[chris@nagiosna ~]$ sudo cat /etc/sudoers.d/nagiosna
[sudo] password for chris:

Defaults:%nnacmd !requiretty
Defaults:nna !requiretty

nna ALL = NOPASSWD:/usr/local/nagiosna/scripts/change_timezone.sh
nna ALL = NOPASSWD:/usr/local/nagiosna/scripts/upgrade_to_latest.sh

%nnacmd ALL=(ALL) NOPASSWD:/bin/kill *
%nnacmd ALL=(ALL) NOPASSWD:/usr/local/nagiosna/bin/rc.py *
%nnacmd ALL=(ALL) NOPASSWD:/usr/local/nagiosna/scripts/manage_firewall.sh *
%nnacmd ALL=(ALL) NOPASSWD:/usr/local/nagiosna/scripts/remove_source.sh *
%nnacmd ALL=(ALL) NOPASSWD:/usr/bin/systemctl restart httpd

Another version of the file is posted here: https://support.nagios.com/forum/viewto ... 0&p=154634
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Unable to restart, change sources, or delete sources

Post by ssax »

What is the output of these commands?

Code: Select all

chage -l nna
chage -l apache
grep nna /etc/group

That's what I have too:

Code: Select all

Defaults:%nnacmd !requiretty
Defaults:nna !requiretty

nna ALL = NOPASSWD:/usr/local/nagiosna/scripts/change_timezone.sh
nna ALL = NOPASSWD:/usr/local/nagiosna/scripts/upgrade_to_latest.sh

%nnacmd ALL=(ALL) NOPASSWD:/bin/kill *
%nnacmd ALL=(ALL) NOPASSWD:/usr/local/nagiosna/bin/rc.py *
%nnacmd ALL=(ALL) NOPASSWD:/usr/local/nagiosna/scripts/manage_firewall.sh *
%nnacmd ALL=(ALL) NOPASSWD:/usr/local/nagiosna/scripts/remove_source.sh *
%nnacmd ALL=(ALL) NOPASSWD:/usr/bin/systemctl restart httpd
cdcrawford
Posts: 13
Joined: Tue Oct 29, 2019 11:54 am

Re: Unable to restart, change sources, or delete sources

Post by cdcrawford »

chage -l nna

Code: Select all

[root@nagiosna chris]# chage -l nna
Last password change                                    : Apr 27, 2021
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : -1
Number of days of warning before password expires       : 7

chage -l apache

Code: Select all

[root@nagiosna chris]# chage -l apache
Last password change                                    : Nov 05, 2019
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : -1
Maximum number of days between password change          : -1
Number of days of warning before password expires       : -1

group listing for nna

Code: Select all

[root@nagiosna chris]# grep nna /etc/group
apache:x:48:nna
nnacmd:x:1000:nna,apache
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Unable to restart, change sources, or delete sources

Post by gsmith »

Hi,

On the NNA server, with Network Analyzer running, could you please run from the command line:

ps -ef | grep nagios

and post here. If you have security concerns about exposing this information you can send it to me in a PM.

Additionally, did you restart httpd service? If not, please do.

Thanks
cdcrawford
Posts: 13
Joined: Tue Oct 29, 2019 11:54 am

Re: Unable to restart, change sources, or delete sources

Post by cdcrawford »

I sent you the requested output for this command, in a PM.

ps -ef | grep nagios

A small anonymized snippet of it is here:

Code: Select all

nrpe      1228     1  0 Apr27 ?        00:00:00 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -f
nna       2020     1  0 Apr27 ?        00:02:32 /usr/local/bin/nfcapd -I 41 -l /usr/local/nagiosna/var/CORE1/flows -p 9901 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/CORE1/9901.pid -D -e -w -z -T all
nna       2021  2020  0 Apr27 ?        00:00:14 /usr/local/bin/nfcapd -I 41 -l /usr/local/nagiosna/var/CORE1/flows -p 9901 -x /usr/local/nagiosna/bin/reap_files.py %d %f %i -P /usr/local/nagiosna/var/CORE1/9901.pid -D -e -w -z -T all
[...missing section of the same nfcapd commands, but for different sources and ports...]
nna      28410 28409  0 09:12 ?        00:00:00 /bin/sh -c /usr/bin/php -q /var/www/html/nagiosna/www/index.php cmdsubsys > /usr/local/nagiosna/var/cmdsubsys.log 2>&1
nna      28411 28410  0 09:12 ?        00:00:00 /usr/bin/php -q /var/www/html/nagiosna/www/index.php cmdsubsys
root     28425 28396  0 09:12 pts/0    00:00:00 grep --color=auto nagios

I also restarted httpd, to no effect.
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Unable to restart, change sources, or delete sources

Post by gsmith »

Hi,

Let's emulate what's supposed to happen.

1. as root user in a shell
2. sudo su - nna
3. /usr/local/nagiosna/bin/rc.py stop DC - HH06 - DMZ Switch

Did that work? If it did, go ahead and start the DC - HH06 - DMZ Switch source again.
If not, reply to us with any output/error messages.

1. as root user in a shell
2. sudo su - apache
3. cd /var/www/html/nagiosna/www
4. sudo /usr/local/nagiosna/bin/rc.py stop DC - HH06 - DMZ Switch

Did this work? If it did, go ahead and start the DC - HH06 - DMZ Switch source again.
If not, reply to us with any output/error messages.

Thanks
cdcrawford
Posts: 13
Joined: Tue Oct 29, 2019 11:54 am

Re: Unable to restart, change sources, or delete sources

Post by cdcrawford »

I don't think that it worked.

Code: Select all

[root@nagiosna g018r]# sudo su - nna
Last login: Tue Apr 27 08:07:04 ADT 2021 on pts/0
[nna@nagiosna ~]$ /usr/local/nagiosna/bin/rc.py stop DC - HH06 - DMZ Switch
tuple index out of range
Traceback (most recent call last):
  File "/usr/local/nagiosna/bin/rc.py", line 145, in <module>
    main()
  File "/usr/local/nagiosna/bin/rc.py", line 129, in main
    stop(servicename)
  File "/usr/local/nagiosna/bin/rc.py", line 65, in stop
    raise Exception('Unable to find %s in the database, cannot stop it.' % sourcename)
Exception: Unable to find DC in the database, cannot stop it.
None
Unable to find DC in the database, cannot stop it.
### Figured that it didn't like the spaces in the name. So, I'll quote it.
[nna@nagiosna ~]$ /usr/local/nagiosna/bin/rc.py stop "DC - HH06 - DMZ Switch"
nna is not in the sudoers file.  This incident will be reported.
DC - HH06 - DMZ Switch process stopped.

And when I tried to do it as Apache:

Code: Select all

[root@nagiosna g018r]# sudo su - apache
This account is currently not available.

So, I called an audible, and did the following:

Code: Select all

sudo -u apache bash

Here is the output:

Code: Select all

[root@nagiosna g018r]# sudo -u apache bash
bash-4.2$ whoami
apache
bash-4.2$ /usr/local/nagiosna/bin/rc.py stop "DC - HH06 - DMZ Switch"
Traceback (most recent call last):
  File "/usr/local/nagiosna/bin/rc.py", line 30, in <module>
    handler = logging.handlers.RotatingFileHandler('/usr/local/nagiosna/var/backend.log', 'a', 1048576, 10)
  File "/usr/lib64/python2.7/logging/handlers.py", line 117, in __init__
    BaseRotatingHandler.__init__(self, filename, mode, encoding, delay)
  File "/usr/lib64/python2.7/logging/handlers.py", line 64, in __init__
    logging.FileHandler.__init__(self, filename, mode, encoding, delay)
  File "/usr/lib64/python2.7/logging/__init__.py", line 902, in __init__
    StreamHandler.__init__(self, self._open())
  File "/usr/lib64/python2.7/logging/__init__.py", line 925, in _open
    stream = open(self.baseFilename, self.mode)
IOError: [Errno 13] Permission denied: '/usr/local/nagiosna/var/backend.log'
bash-4.2$
gsmith
Posts: 1253
Joined: Tue Mar 02, 2021 11:15 am

Re: Unable to restart, change sources, or delete sources

Post by gsmith »

Hi,

On the first bit of running the command as the nna user we need quotes around the device name:

1. as root user in a shell
2. sudo su - nna
3. /usr/local/nagiosna/bin/rc.py stop "DC - HH06 - DMZ Switch"

So please give that another shot.

Nice audible!
The issue with:

Code: Select all

1. as root user in a shell
2. sudo su - apache
3. cd /var/www/html/nagiosna/www
4. sudo /usr/local/nagiosna/bin/rc.py stop DC - HH06 - DMZ Switch

is that the user apache can't write to /usr/local/nagiosna/var/backend.log, and that's OK as user nna should be doing that.

So for now, try the first part (with using the quotes on the device) and let me know what happens.

In the meantime I am going to look at how the "apache" user is configured.

Thanks
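
The sudo denial from the first post, checked against the group listing and sudoers rules posted later in the thread, as an added example that is not part of the original posts and not Nagios code. The function names and the simplified rule matcher (a regex plus `fnmatch`, not sudo's own parser) are assumptions; the sample strings are copied from the thread.

```python
import fnmatch
import re

# Inputs copied from the posts in this thread (log line, /etc/group grep, sudoers rules).
LOG = ("Apr 26 12:17:08 nagiosna sudo: apache : user NOT in sudoers ; TTY=unknown ; "
       "PWD=/var/www/html/nagiosna/www ; USER=nna ; "
       "COMMAND=/usr/local/nagiosna/bin/rc.py stop DC - HH06 - DMZ Switch")
GROUP = "apache:x:48:nna\nnnacmd:x:1000:nna,apache\n"
SUDOERS = """\
Defaults:%nnacmd !requiretty
nna ALL = NOPASSWD:/usr/local/nagiosna/scripts/change_timezone.sh
%nnacmd ALL=(ALL) NOPASSWD:/bin/kill *
%nnacmd ALL=(ALL) NOPASSWD:/usr/local/nagiosna/bin/rc.py *
"""
# Assumed simplified rule shape: subject host = [(runas)] [NOPASSWD:] command
RULE = re.compile(r"^(%?\S+)\s+[^\s=]+\s*=\s*(?:\(([^)]*)\))?\s*(?:NOPASSWD:)?\s*(.+)$")

def parse_denial(line):
    """Return invoking user, denial reason and the KEY=value fields of a sudo log line."""
    m = re.search(r"sudo:\s+(\S+) : (.+?) ; (.*)$", line)
    if not m:
        return None  # e.g. the pam_unix lines, which carry no command record
    user, reason, rest = m.groups()
    head, _, command = rest.partition("COMMAND=")  # COMMAND is the last field
    fields = dict(p.split("=", 1) for p in head.split(" ; ") if "=" in p)
    return dict(fields, user=user, reason=reason, COMMAND=command)

def groups_of(user, group_text):
    """Supplementary groups only; the primary group comes from /etc/passwd."""
    rows = (l.split(":") for l in group_text.splitlines() if l.count(":") == 3)
    return {name for name, _, _, members in rows if user in members.split(",")}

def matching_rules(denial, group_text, sudoers_text):
    """Rules whose subject, run-as target and command pattern cover the denied call."""
    who = {denial["user"]} | {"%" + g for g in groups_of(denial["user"], group_text)}
    hits = []
    for line in sudoers_text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # Defaults lines and blanks are not user rules
        subject, runas, pattern = m.groups()
        targets = [t.strip() for t in runas.split(",")] if runas else ["root"]
        if (subject in who and ("ALL" in targets or denial["USER"] in targets)
                and fnmatch.fnmatchcase(denial["COMMAND"], pattern)):
            hits.append(line.strip())
    return hits

if __name__ == "__main__":
    d = parse_denial(LOG)
    print(d["user"], "->", d["USER"], ":", d["reason"], matching_rules(d, GROUP, SUDOERS))
```

For the lines posted here the `rc.py` rule is returned, so the file text and group listing cover the denied call on paper; what sudo actually loaded can be checked as root with `sudo -l -U apache` and `visudo -c`.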