
MariaDB vulnerabilities

Posted: Mon Nov 08, 2021 2:55 pm
by nevillestyles
Good evening,

As part of our trial of the Nagios products we’re required to subject the products to various security scans. I’ve come across some vulnerabilities of varying severities relating to the instances of MariaDB. We’ve installed Nagios on CentOS using the manual installation method.

Nagios XI
• There are two anonymous users defined: ''@localhost and ''@<servername>. Can these be removed?
• Can we remove the 'root'@'::1' IPv6 user?
• Can we remove the test database?
• /usr/local/nagiosxi/scripts/restore_xi.sh is world readable and contains the root MySQL password in cleartext. Can we change the permissions on this file?
• /usr/local/nagiosxi/var/xi-sys.cfg is world readable and contains the root MySQL password in cleartext. Can we change the permissions on this file?
• /usr/local/nagios/etc/ndo.cfg is world readable and contains the ndoutils MySQL password in cleartext. Can we change the permissions on this file?
• /usr/local/nagiosxi/html/config.inc.php is world readable and contains the ndoutils, nagiosxi and nagiosql MySQL passwords in cleartext. Can we change the permissions on this file?
• /usr/local/nagvis/etc/nagvis.ini.php is world readable and contains the ndoutils MySQL password in cleartext. Can we change the permissions on this file?

Nagios Fusion
• There are two anonymous users defined: ''@localhost and ''@<servername>. Can these be removed?
• Can we remove the 'root'@'::1' IPv6 user?
• Can we remove the test database?
• /usr/local/nagiosfusion/scripts/restore_fusion.sh is world readable and contains the root MySQL password in cleartext. Can we change the permissions on this file?
• /usr/local/nagiosfusion/var/fusion-sys.cfg is world readable and contains the root MySQL password in cleartext. Can we change the permissions on this file?
• /usr/local/nagiosfusion/html/config.inc.php is world readable and contains the fusion MySQL password in cleartext. Can we change the permissions on this file?

Nagios Network Analyzer
• The root MySQL user has no password set. Can we update this to a secure password of our choosing? Do we need to update any files? If there are files containing the password, can we change permissions so they're not world readable?
• Can we set the nagiosna MySQL account password to a password of our choosing? Do we need to update any files? If there are files containing the password, can we change permissions so they're not world readable?
• There are two anonymous users defined: ''@localhost and ''@<servername>. Can these be removed?
• Can we remove the 'root'@'::1' IPv6 user?
• Can we remove the test database?

Regards,
Neville

Re: MariaDB vulnerabilities

Posted: Tue Nov 09, 2021 11:43 am
by ssax
In the future, please create new posts under the appropriate sections for each product; this is requested by policy.

Nagios XI:

I tested with removing the users/hardening the permissions on those files and I did not experience any issues:
- NOTE: You may need to change the -pnagiosxi if you've changed the root mysql password
- NOTE: Change <servername> to the hostname of the XI server

Code:

mysql -uroot -pnagiosxi -e "DROP USER ''@'localhost';"
mysql -uroot -pnagiosxi -e "DROP USER ''@'<servername>';"
mysql -uroot -pnagiosxi -e "DROP USER 'root'@'::1';"
mysql -uroot -pnagiosxi -e "FLUSH PRIVILEGES"
mysql -uroot -pnagiosxi -e "DROP DATABASE test;"
chmod 0750 /usr/local/nagiosxi/scripts/restore_xi.sh
chmod 0640 /usr/local/nagiosxi/var/xi-sys.cfg
chmod 0660 /usr/local/nagios/etc/ndo.cfg
chmod 0640 /usr/local/nagiosxi/html/config.inc.php
chmod 0640 /usr/local/nagvis/etc/nagvis.ini.php

See here as well:

https://assets.nagios.com/downloads/nag ... ios-XI.pdf


Nagios Fusion:

I tested with removing the users/hardening the permissions on those files and I did not experience any issues:
- NOTE: You may need to change the -pfusion in the top 5 commands if you've changed the root mysql password
- NOTE: Change <servername> to the hostname of the Fusion server

Code:

mysql -uroot -pfusion -e "DROP USER ''@'localhost';"
mysql -uroot -pfusion -e "DROP USER ''@'<servername>';"
mysql -uroot -pfusion -e "DROP USER 'root'@'::1';"
mysql -uroot -pfusion -e "FLUSH PRIVILEGES"
mysql -uroot -pfusion -e "DROP DATABASE test;"
chmod 0750 /usr/local/nagiosfusion/scripts/restore_fusion.sh
chmod 0640 /usr/local/nagiosfusion/var/fusion-sys.cfg
chmod 0640 /usr/local/nagiosfusion/html/config.inc.php

See here as well:

https://assets.nagios.com/downloads/nag ... Fusion.pdf


Nagios Network Analyzer:

You can change the mysql root password like this:

Code:

mysqladmin -uroot password 'NewRootPass'

You can change the nagiosna mysql password like this:

Code:

mysql -uroot -p'NewRootPass' -e "set password for 'nagiosna'@'localhost'=password('NewPassword2');"

Then set the password here:

Code:

/var/www/html/nagiosna/application/config/config.local.php

I tested with removing the users/hardening the permissions on the file and I did not experience any issues:
- NOTE: You will need to change NewRootPass in all the commands to what your new mysql root password is
- NOTE: Change <servername> to the hostname of the NNA server

Code:

mysql -uroot -p'NewRootPass' -e "set password for 'fusion'@localhost= password('NewPassword2');"
mysql -uroot -p'NewRootPass' -e "DROP USER ''@'localhost';"
mysql -uroot -p'NewRootPass' -e "DROP USER ''@'<servername>';"
mysql -uroot -p'NewRootPass' -e "DROP USER 'root'@'::1';"
mysql -uroot -p'NewRootPass' -e "FLUSH PRIVILEGES"
mysql -uroot -p'NewRootPass' -e "DROP DATABASE test;"

EDIT: This one apparently causes bandwidth graphs in NNA to fail so don't run this:

Code:

chmod 0670 /var/www/html/nagiosna/application/config/config.local.php

Re: MariaDB vulnerabilities

Posted: Tue Nov 09, 2021 12:24 pm
by nevillestyles
Many thanks for the quick and comprehensive response, and apologies for posting it all in the XI forum.

We'll make these changes on our trial system in readiness for our production deployment.

Regards,
Neville

Re: MariaDB vulnerabilities

Posted: Wed Nov 10, 2021 10:52 am
by nevillestyles
Hi,

I'll post any follow-ups in the relevant forums. I've changed the file permissions on our test XI host as recommended, but we've noticed the permissions on some of them have reverted to their original settings:

Code:

$ ls -l /usr/local/nagiosxi/scripts/restore_xi.sh
-rwxr-xr-x 1 nagios nagios 15301 Nov 10 13:16 /usr/local/nagiosxi/scripts/restore_xi.sh
$ ls -l /usr/local/nagiosxi/var/xi-sys.cfg
-rw-r----- 1 nagios nagios 948 Nov 10 13:16 /usr/local/nagiosxi/var/xi-sys.cfg
$ ls -l /usr/local/nagios/etc/ndo.cfg
-rw-rw-r-- 1 apache nagios 693 Nov 10 13:17 /usr/local/nagios/etc/ndo.cfg
$ ls -l /usr/local/nagiosxi/html/config.inc.php
-rw-r--r-- 1 root nagios 9330 Nov 10 13:22 /usr/local/nagiosxi/html/config.inc.php
$ ls -l /usr/local/nagvis/etc/nagvis.ini.php
-rw-r----- 1 apache apache 24844 Nov 10 13:19 /usr/local/nagvis/etc/nagvis.ini.php

Is there a mechanism which is correcting these?

Regards,
Neville

Re: MariaDB vulnerabilities

Posted: Wed Nov 10, 2021 10:52 am
by benjaminsmith
Hi Neville,

Glad that was helpful. And thank you for trying out Nagios XI.

Let us know if you have any other questions after testing these out.

---Benjamin

Re: MariaDB vulnerabilities

Posted: Wed Nov 10, 2021 10:57 am
by nevillestyles
Hi,

It appears our messages crossed in the ether! This is a polite bump to ensure my last comment was seen.

Regards,
Neville

Re: MariaDB vulnerabilities

Posted: Wed Nov 10, 2021 11:03 am
by ssax
It's the apply configuration that is doing it; I'm investigating and will post an update shortly.

Re: MariaDB vulnerabilities

Posted: Wed Nov 10, 2021 11:06 am
by ssax
When you apply configuration, the /usr/local/nagiosxi/scripts/reset_config_perms.sh script runs, which is changing the permissions on the files back.

The problem with that is that even if you change it in that file, when you upgrade it will be overwritten and you'll need to re-implement the script changes after every upgrade.
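
A drift check for the behaviour described in this thread, added here as an example; it is not Nagios code and not part of the original posts. The function names are hypothetical, and the path list is the set of XI files named above. It reports files whose "other" permission bits have returned and can strip them without touching owner or group bits.

```shell
#!/bin/sh
# Added example (not Nagios code): detect files whose "other" permission
# bits have come back, e.g. after Apply Configuration or an upgrade.

# XI paths named in this thread (absolute, no spaces); pass others as needed.
XI_SECRET_FILES="/usr/local/nagiosxi/scripts/restore_xi.sh
/usr/local/nagiosxi/var/xi-sys.cfg
/usr/local/nagios/etc/ndo.cfg
/usr/local/nagiosxi/html/config.inc.php
/usr/local/nagvis/etc/nagvis.ini.php"

# other_bits FILE: print the three "other" characters from ls, e.g. "r--".
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# audit_perms [--fix] FILE...
# Prints one line per file and returns 0 only if no file is left readable,
# writable or executable by "other". --fix strips those bits (chmod o-rwx)
# and leaves the owner and group bits as they are.
audit_perms() {
    fix=0
    if [ "$1" = "--fix" ]; then fix=1; shift; fi
    exposed=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "SKIP     $f (not present)"
            continue
        fi
        bits=$(other_bits "$f")
        if [ "$bits" = "---" ]; then
            echo "OK       $f"
        elif [ "$fix" -eq 1 ] && chmod o-rwx "$f"; then
            echo "FIXED    $f (was other=$bits)"
        else
            echo "EXPOSED  $f (other=$bits)"
            exposed=$((exposed + 1))
        fi
    done
    [ "$exposed" -eq 0 ]
}

# Typical use on the XI host, as root:
#   audit_perms $XI_SECRET_FILES          # report only, non-zero on drift
#   audit_perms --fix $XI_SECRET_FILES    # strip the "other" bits again
```

Because the non-zero exit status signals drift, the report-only form can be run from cron or a monitoring check after each Apply Configuration or upgrade.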

Re: MariaDB vulnerabilities

Posted: Wed Nov 10, 2021 2:27 pm
by nevillestyles
That's great, thank you for the explanation.

For now we'll update /usr/local/nagiosxi/scripts/reset_config_perms.sh and make a note this change will need applying following any upgrade.

Would you consider making this change a permanent feature of Nagios XI? It seems a sensible idea to protect the cleartext passwords from regular users.

Thanks again,
Neville

Re: MariaDB vulnerabilities

Posted: Thu Nov 11, 2021 1:11 pm
by ssax
I have submitted a feature request to development:

Code:

FR: XI - Harden reset_config_perms.sh to remove "other" permissions

Please keep in mind that the decision to implement the enhancement is at the discretion of our development team.