Nagios Support Forum

Fresh Install
Red Hat Enterprise Linux release 8.4 (Ootpa)
Nagios Core 4.4.6
Plugins 2.3.3
NIST 800-171 CUI security profile

Followed: https://support.nagios.com/kb/article/n ... .html#RHEL

All works well (with some tweaks because of security profile), except it appears none on the plugins are working
(No output on stdout) stderr: execvp(/usr/local/nagios/libexec/check_ping, ...) failed. errno is 1: Operation not permitted

Logs: No real errors
[1625104330] Unable to send check for host 'localhost' to worker (ret=-2)
[1625104363] Unable to run check for service 'Root Partition' on host 'localhost'
[1625104368] Unable to run check for service 'Total Processes' on host 'localhost'
[1625104480] Unable to run check for service 'HTTP' on host 'localhost'
[1625104489] Unable to run check for service 'Current Load' on host 'localhost'
[1625104498] Unable to run check for service 'SSH' on host 'localhost'
[1625104499] Unable to run check for service 'PING' on host 'localhost'
[1625104510] Unable to run check for service 'Swap Usage' on host 'localhost'
[1625104527] Unable to run check for service 'Current Users' on host 'localhost'

CHECKED|TRIED:
Plugins in right location
Plugins default permissions and user looks correct
SELINUX is disabled
[Tried] changing the permissions to 777 for plugins, no success
[Tried] Making nagios user Sudoer

[Tried]
su - nagios -s /bin/bash
cd /usr/local/nagios/libexec/
./check_ping -H 127.0.0.1 -w 10,2% -c 20,5%
bash: ./check_ping: Operation not permitted

-BUT-

sudo ./check_ping -H localhost -w 10,2% -c 20,5%
PING OK - Packet loss = 0%, RTA = 0.10 ms|rta=0.098000ms;10.000000;20.000000;0.000000 pl=0%;2;5;0

Leaves me to believe it is a permissions issue, but I do not know how to fix it.

Any suggestions?

Hello,

Thanks for reaching out.

Lets check on the permissions and ownership on /usr/local/nagios/libexec/ by entering:
Please let me know the results,
Perry

Thank you for working with me on this, however, is a no go!
drwxr-xr-x. 2 nagios nagios 4096 Jun 30 14:36 libexec

-rwxr-xr-x 1 nagios nagios 229032 Jun 30 14:36 check_ping
-rwxr-xr-x 1 nagios nagios 162552 Jun 30 14:36 check_cluster
-rwxr-xr-x 1 nagios nagios 218680 Jun 30 14:36 check_dhcp
-rwxr-xr-x 1 nagios nagios 213512 Jun 30 14:36 check_dig
-rwxr-xr-x 1 nagios nagios 375896 Jun 30 14:36 check_disk
-rwxr-xr-x 1 nagios nagios 10134 Jun 30 14:36 check_disk_smb
-rwxr-xr-x 1 nagios nagios 236792 Jun 30 14:36 check_dns
-rwxr-xr-x 1 nagios nagios 113168 Jun 30 14:36 check_dummy
-rwxr-xr-x 1 nagios nagios 5066 Jun 30 14:36 check_file_age
-rwxr-xr-x 1 nagios nagios 6504 Jun 30 14:36 check_flexlm


[nagios@nagios libexec]$ whoami
nagios
[nagios@nagios libexec]$ ./check_ping -H 127.0.0.1 -w 10,2% -c 20,5%
-bash: ./check_ping: Operation not permitted
[nagios@nagios libexec]$ sudo ./check_ping -H localhost -w 10,2% -c 20,5%
PING OK - Packet loss = 0%, RTA = 0.11 ms|rta=0.107000ms;10.000000;20.000000;0.000000 pl=0%;2;5;0

HERE IS SOMETHING TO CONSIDER:
(regular user)
[alincoln@nagios libexec]$ whoami
alincoln
[alincoln@nagios libexec]$ ./check_ping -H 127.0.0.1 -w 10,2% -c 20,5%
-bash: ./check_ping: Operation not permitted
[alincoln@nagios libexec]$ sudo ./check_ping -H 127.0.0.1 -w 10,2% -c 20,5%
PING OK - Packet loss = 0%, RTA = 0.09 ms|rta=0.088000ms;10.000000;20.000000;0.000000 pl=0%;2;5;0

AS ROOT
[root@nagios ~]# whoami
root
[root@nagios ~]# cd /usr/local/nagios/libexec/
[root@nagios libexec]# ./check_ping -H 127.0.0.1 -w 10,2% -c 20,5%
PING OK - Packet loss = 0%, RTA = 0.09 ms|rta=0.090000ms;10.000000;20.000000;0.000000 pl=0%;2;5;0

As long as sudo is placed there the commands seem to work.
It has to do something with elevating the privileges... I think!

I tried adding "nagios" to the sudoers group with the NOPASSWD: ALL
but it doesn't seem to matter.

In the end I do not want to give "Nagios" god rights, I am aiming to allow Nagios to run the commands that it needs, and that is it.

--UPDATE--
Stumbled across this:

[alincoln@nagios ~]$ sudo -u nagios -g nagios sudo /usr/local/nagios/libexec/check_ping -H 127.0.0.1 -w 10,2% -c 20,5%
PING OK - Packet loss = 0%, RTA = 0.09 ms|rta=0.094000ms;10.000000;20.000000;0.000000 pl=0%;2;5;0

So I thought if I add the same Sudo command to the commands.cfg that might help
--EXAMPLE--
define command {

command_name check-host-alive
command_line sudo -u nagios -g nagios sudo $USER1$/check_ping sudo -H $HOSTADDRESS$ -w 3000.0,80% -c 5000.0,100% -p 5
}

define command {

command_name check_ping
command_line sudo -u nagios -g nagios sudo $USER1$/check_ping sudo -H $HOSTADDRESS$ -w $ARG1$ -c $ARG2$ -p 5
}


Strange thing happened. on the host page, I get a green saying up, but still get the same error:
(No output on stdout) stderr: execvp(/usr/local/nagios/libexec/check_ping, ...) failed. errno is 1: Operation not permitted

but the Ping service still show yellow with the same errors.
I added screen shots now

--UPDATE--

Continued on my same thought and modified the Commands.cfg and visudo

Added "sudo -u nagios -g nagios sudo" in front of all the commands
--COMMANDS.CFG--
define command {
command_name check-host-alive
command_line sudo -u nagios -g nagios sudo $USER1$/check_ping sudo -H $HOSTADDRESS$ -w 3000.0,80% -c 5000.0,100% -p 5
}

Added nagios to run all commands without password
--VISUDO--
nagios ALL=(ALL) NOPASSWD: ALL

Then Rebooted
Everything started working.

I don't think this is the proper fix.
Anyone who stumbles upon this thread, please...offer up suggestions, don't let this be the FIX!

--UPDATE--

Made changes to Commands.cfg and visudo

Add a line at the end of VISUDO
--VISUDO--
## Allow nagios user to run needed commands
nagios ALL= NOPASSWD:/usr/local/nagios/libexec/*

Just added sudo in front of the commands
--COMMANDS--
define command {
command_name check_local_disk
command_line sudo $USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
}

Rebooted.

Looks better, still not sure if it the fix