hide ncpa token

[senky]

Hi,all

During a penetration test in our company, they found out that the NCPA agent shows the token in cleartext during execution (using ps).
This is now a finding and as to be fixed somehow.

Code: Select all

python /usr/local/nagios/libexec/check_ncpa.py -H somehost -t test123pw -P 5693 -M disk/logical/|opt|IBM -w 80 -c 90

We use resource.cfg for the token:

Code: Select all

# token for ncpa check
$USER12$=test123pw 

Service Definition

Code: Select all

check_command            check_xi_ncpa!-t $USER12$ -P 5693 -M cpu/percent -w '50' -c '70' -q 'aggregate=avg'!!!!!!!

We can run the check on the command line with the variable, but during execution, it is shown in the process list. Is there any way to hide the token during execution?

The system is RHEL 9. Besides this, I will also check the /proc hidepid option; maybe this is a way to deal with this."

thx

[lgute]

Hi @senky,

Thanks for reaching out. After doing a quick search, it sounds like there are 2 ways to hide passwords from ps. The AI generated example code is bit sketchy.

• Environment Variables: Set the password as an environment variable before running the command:

  Code: Select all

  read -s -p "Enter password: " password
  export PASSWORD="$password"
  command
  

  The password will not appear in the command line, but it may still be visible in ps output if the application (command) exposes it.

• Temporary Files or File Descriptors: Use a temporary file or /dev/fd to pass the secret:

  Code: Select all

  read -s -p "Enter password: " password
  command < <(echo "$password")
  

  This method avoids command-line exposure and can be combined with secure file deletion using shred or wipe to prevent recovery.

One way to do it might be to modify the plugin script(s) you use to pull the password from an environment variable or file, with the name of the environment variable or filename passed in from NCPA.