
Security concern when logging into XI

Posted: Thu Aug 09, 2012 3:28 am
by ICarter
We're currently moving from Nagios to Nagios XI and whilst troubleshooting a separate issue I noticed something concerning.

Whenever a user logs into XI, the following commands are added to the /usr/local/nagiosxi/var/cmdsubsys.log file:

PROCESS COMMAND: CMD=1100, DATA=a:2:{s:8:"username";s:2:"bob";s:8:"password";s:8:"mypassword";}
CMDLINE=/usr/bin/htpasswd -b /usr/local/nagiosxi/etc/htpasswd.users bob mypassword
Updating password for user bob
OUTPUT=
RETURNCODE=0

Where mypassword is obviously my password in plaintext. I've observed this even when using LDAP authentication.

From a security POV this is obviously not desirable, as it seems pointless to ensure that connections to the web server and ldap server are secure if my password appears as plaintext in file, even if it is transient.

My questions are:
  • Is this something I've inadvertently enabled, and if so, can I turn it off?
  • If this is the standard process, can I turn it off?
  • Are there any alternatives to logging in that won't do this?
I did try editing the /etc/httpd/conf.d/nagiosxi.conf file to enable LDAP auth at the Apache level, which does seem to mostly work. However, a few things glitch, such as applying a new config. Even though the config is validated and applied successfully (verified by watching cmdsubsys.log), the progress indicator just spins forever at "validating config".

Any suggestions?

Cheers, Ian
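A scanner for the cmdsubsys.log record format quoted above, added here as an example (it is not Nagios XI code and not the poster's): it parses the PHP-serialized DATA field, reports which CMD records carry credential keys, and produces a redacted copy of the log with the password scrubbed from both the DATA field and the htpasswd CMDLINE. The sample log lines, the CMD=1234 record, the /bin/true command line and the SECRET_KEYS list are all constructed for this example. Because the declared s:N lengths in the quoted post do not match the placeholder values, the parser falls back to a quote-delimited scan whenever the lengths are inconsistent, so a malformed record is still redacted rather than skipped.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of cmdsubsys.log entries, modelled on the record format quoted
# in the post (CMD=1100 with a PHP-serialized DATA field, then the htpasswd CMDLINE).
# Users, passwords, the CMD=1234 record and its /bin/true command line are made up.
SAMPLE_LOG = """\
PROCESS COMMAND: CMD=1100, DATA=a:2:{s:8:"username";s:3:"bob";s:8:"password";s:10:"mypassword";}
CMDLINE=/usr/bin/htpasswd -b /usr/local/nagiosxi/etc/htpasswd.users bob mypassword
Updating password for user bob
OUTPUT=
RETURNCODE=0
PROCESS COMMAND: CMD=1100, DATA=a:2:{s:8:"username";s:5:"alice";s:8:"password";s:9:"Tr0ub4dor";}
CMDLINE=/usr/bin/htpasswd -b /usr/local/nagiosxi/etc/htpasswd.users alice Tr0ub4dor
Updating password for user alice
OUTPUT=
RETURNCODE=0
PROCESS COMMAND: CMD=1234, DATA=a:1:{s:4:"host";s:9:"localhost";}
CMDLINE=/bin/true
OUTPUT=
RETURNCODE=0
"""

# Keys whose values are treated as secrets (an assumption for this example; extend as needed).
SECRET_KEYS = {"password", "passwd", "secret", "token"}

_DATA_RE = re.compile(r'^(PROCESS COMMAND: CMD=(\d+), DATA=)(.*)$')
_CMDLINE_RE = re.compile(r'^CMDLINE=')
_LOOSE_STR_RE = re.compile(r's:\d+:"([^"]*)"')


def _php_strings_strict(s: str) -> List[str]:
    """Length-aware extraction of s:N:"..." tokens. PHP does not escape quotes inside
    serialized strings, so the declared length is the only reliable delimiter."""
    out, i = [], 0
    while True:
        j = s.find('s:', i)
        if j < 0:
            return out
        k = s.index(':', j + 2)
        n = int(s[j + 2:k])
        start = k + 2                       # position just after ':"'
        if s[k + 1] != '"' or s[start + n] != '"':
            raise ValueError(f"declared length {n} does not fit the value at offset {j}")
        out.append(s[start:start + n])
        i = start + n + 1


def php_strings(serialized: str) -> Dict[str, str]:
    """Return key -> value for a PHP-serialized array of strings (the shape in the post).
    Tries the strict parser first; if the declared lengths are inconsistent (as in the
    placeholder-substituted line quoted in the post), falls back to a quote-delimited
    scan so the record can still be redacted instead of being silently skipped."""
    try:
        vals = _php_strings_strict(serialized)
    except (ValueError, IndexError):
        vals = _LOOSE_STR_RE.findall(serialized)
    return dict(zip(vals[0::2], vals[1::2]))


def _redact_serialized(data: str, secrets: List[str]) -> str:
    """Replace each secret's s:N:"..." token with a fixed-length placeholder."""
    for secret in secrets:
        data = re.sub(r's:\d+:"' + re.escape(secret) + r'"', 's:10:"<REDACTED>"', data)
    return data


def scan_log(text: str) -> Tuple[List[str], List[dict]]:
    """Scan cmdsubsys.log text. Returns (redacted_lines, findings); a finding records
    the CMD id, the username and which keys leaked, never the secret value itself."""
    redacted, findings = [], []
    pending: List[str] = []             # secrets to scrub from the CMDLINE that follows
    for line in text.splitlines():
        m = _DATA_RE.match(line)
        if m:
            fields = php_strings(m.group(3))
            leaked = sorted(k for k, v in fields.items() if k.lower() in SECRET_KEYS and v)
            pending = [fields[k] for k in leaked]
            if leaked:
                findings.append({"cmd": int(m.group(2)), "user": fields.get("username"), "keys": leaked})
                line = m.group(1) + _redact_serialized(m.group(3), pending)
        elif pending and _CMDLINE_RE.match(line):
            # htpasswd -b takes the password as an argument, so it repeats on this line.
            for secret in pending:
                line = line.replace(secret, "<REDACTED>")
            pending = []
        redacted.append(line)
    return redacted, findings


if __name__ == "__main__":
    lines, hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"CMD={h['cmd']} user={h['user']} leaked keys: {', '.join(h['keys'])}")
    print("\n".join(lines))
```

The CMDLINE scrub is a plain substring replace, so a password that happens to coincide with part of the htpasswd path or the username would also be blanked there; over-redaction is the safe failure mode for this check. Redacting the file after the fact does not undo the exposure, it only limits who can read it later, so the finding list is the useful output: it tells you which accounts need a password change once logging is fixed.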

Re: Security concern when logging into XI

Posted: Thu Aug 09, 2012 11:33 am
by lmiltchev
You can go to: Admin->Performance Settings->Subsystem tab->clear the "Enable Subsystem Logging" checkbox->click on "Update Settings". It will still show the username/password for a very short time, but then it will get truncated. I believe this should be fixed, so I will be filing a bug report on our bug tracker.

Hope this helps.

Re: Security concern when logging into XI

Posted: Fri Aug 10, 2012 3:54 pm
by lmiltchev
I just filed a bug report on our tracker. You can view it here:

http://tracker.nagios.com/view.php?id=282