Nagios Support Forum

Hi,

With respect to the security remediation, there is a finding to remove world writeable permissions from the following files on our Nagios XI monitoring server.

Can we remove the world writeable permission or should we add it as an exception?

# ls -ld /usr/lib/vmware-vcli/bin/esxcli/esxcli /usr/lib/vmware-vcli/bin/vmware-dcli/dcli /usr/local/nagios/var/Nagios.host.java.config.ser /usr/local/nagios/var/profile.csv /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs /usr/local/nagiosxi/var/NXTI_Write_Test
--wxrw--wt. 1 root root 9320 Nov 17 2020 /usr/lib/vmware-vcli/bin/esxcli/esxcli
--wxrw--wt. 1 root root 823592 Nov 17 2020 /usr/lib/vmware-vcli/bin/vmware-dcli/dcli
-rw-rw-rw-. 1 root root 263 Aug 14 2020 /usr/local/nagios/var/Nagios.host.java.config.ser
-rw-rw-rw-. 1 root root 483 Jun 17 2020 /usr/local/nagios/var/profile.csv
drwxrwxrw-. 2 nagios nagios 4096 Jan 16 2018 /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs
-rw-rw-rw-. 1 nagios nagios 18 May 17 2019 /usr/local/nagiosxi/var/NXTI_Write_Test

Hi steph007,

Sorry for the delay. It appears that a number of the files are from third party components and you should probably consult the provider of the plugin in those cases. You should be able to remove the world permissions on the autodiscovery directory however the group permissions need to remain (770). This directory is used for discovery processes which most organizations often only use on initial deployment.
These appear to belong to the VMWare: These two appear to be produced by IBM's plugin for the series i https://github.com/IBM/nagios-for-i/blo ... gInfo.java

The permissions for NXTI_Write_Test are set correctly: Thanks and Best Regards,
Keith