hide ncpa token

Posted: Tue Dec 09, 2025 7:57 am
by senky
Hi, all

During a penetration test in our company, they found out that the NCPA agent shows the token in cleartext during execution (using ps).
This is now a finding and has to be fixed somehow.

Code:

python /usr/local/nagios/libexec/check_ncpa.py -H somehost -t test123pw -P 5693 -M disk/logical/|opt|IBM -w 80 -c 90
We use resource.cfg for the token:

Code:

# token for ncpa check
$USER12$=test123pw 
Service Definition

Code:

check_command            check_xi_ncpa!-t $USER12$ -P 5693 -M cpu/percent -w '50' -c '70' -q 'aggregate=avg'!!!!!!!
We can run the check on the command line with the variable, but during execution, it is shown in the process list. Is there any way to hide the token during execution?

The system is RHEL 9. Besides this, I will also check the /proc hidepid option; maybe this is a way to deal with this.

thx

Re: hide ncpa token

Posted: Wed Dec 10, 2025 12:52 pm
by lgute
Hi @senky,

Thanks for reaching out. After doing a quick search, it sounds like there are 2 ways to hide passwords from ps. The AI generated example code is a bit sketchy.
  • Environment Variables: Set the password as an environment variable before running the command:

    Code:

    read -s -p "Enter password: " password   # -s: do not echo the typed password
    export PASSWORD="$password"              # the child reads $PASSWORD instead of an argument
    command                                  # no secret in argv, so nothing for ps to show
    
    The password will not appear in the command line, but it may still be visible in ps output if the application (command) exposes it.
  • Temporary Files or File Descriptors: Use a temporary file or /dev/fd to pass the secret:

    Code:

    read -s -p "Enter password: " password
    # process substitution hands the secret over as /dev/fd/N on stdin; printf rather than
    # echo so a password starting with '-' or containing backslashes is passed unchanged
    command < <(printf '%s\n' "$password")
    
    This method avoids command-line exposure and can be combined with secure file deletion using shred or wipe to prevent recovery.
One way to do it might be to modify the plugin script(s) you use to pull the password from an environment variable or file, with the name of the environment variable or filename passed in from NCPA.
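To make that last suggestion concrete, here is an added example of how a plugin's argument handling could be changed to take the token from a file or an environment variable instead of `-t`. This is illustration code, not check_ncpa.py or anything from the NCPA project: the `-H`, `-P`, `-M` and `-t` flags mirror the ones in the thread, but the `--token-file` option, the `NCPA_TOKEN` variable and the `test123pw`/`envtoken` values are assumptions made for the demo. The file path reaches the process list instead of the secret, and a token file readable by anyone other than its owner is refused.

```python
"""Added example (hypothetical; not check_ncpa.py's own code): resolve an NCPA
token from a 0600 file or an environment variable so it never appears in argv."""
import argparse
import os
import stat
import tempfile
from pathlib import Path


def read_token_file(path):
    """Read a token from a file, refusing files that group/others can access."""
    p = Path(path)
    mode = p.stat().st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must be mode 0600 (owner only)")
    return p.read_text(encoding="utf-8").strip()


def resolve_token(args, environ):
    """Precedence: --token-file, then NCPA_TOKEN (hypothetical name), then -t.

    -t is kept only for backwards compatibility; it is the form ps exposes."""
    if args.token_file:
        return read_token_file(args.token_file)
    if environ.get("NCPA_TOKEN"):
        return environ["NCPA_TOKEN"]
    if args.token:
        return args.token
    raise SystemExit("UNKNOWN: no token given (use --token-file or NCPA_TOKEN)")


def token_in_argv(argv, token):
    """True when the secret would be visible to anyone running ps."""
    return any(token in arg for arg in argv)


def build_parser():
    parser = argparse.ArgumentParser(description="check_ncpa-style token handling (example)")
    parser.add_argument("-H", "--hostname", required=True)
    parser.add_argument("-P", "--port", type=int, default=5693)
    parser.add_argument("-M", "--metric", required=True)
    parser.add_argument("-t", "--token", help="token on the command line (visible in ps; avoid)")
    parser.add_argument("--token-file", help="hypothetical: path to a 0600 file holding the token")
    return parser


def demo():
    """Run four constructed scenarios and return what each one resolved to."""
    results = {}
    parser = build_parser()
    base = ["-H", "somehost", "-M", "cpu/percent"]
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "ncpa.token"          # constructed: owner-only token file
        good.write_text("test123pw\n", encoding="utf-8")
        good.chmod(0o600)
        bad = Path(tmp) / "ncpa.token.world"     # constructed: world-readable token file
        bad.write_text("test123pw\n", encoding="utf-8")
        bad.chmod(0o644)

        # 1. token file with safe permissions
        args = parser.parse_args(base + ["--token-file", str(good)])
        results["from_file"] = resolve_token(args, {})
        results["file_exposes_token"] = token_in_argv(base + ["--token-file", str(good)], "test123pw")

        # 2. world-readable token file is rejected before use
        args = parser.parse_args(base + ["--token-file", str(bad)])
        try:
            resolve_token(args, {})
            results["insecure_file_rejected"] = False
        except PermissionError:
            results["insecure_file_rejected"] = True

        # 3. environment variable (constructed value, not the real token)
        args = parser.parse_args(base)
        results["from_env"] = resolve_token(args, {"NCPA_TOKEN": "envtoken"})

        # 4. legacy -t: works, but the secret sits in argv
        argv = base + ["-t", "test123pw"]
        args = parser.parse_args(argv)
        results["from_argv"] = resolve_token(args, {})
        results["argv_exposes_token"] = token_in_argv(argv, "test123pw")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With a file, the service definition would pass something like `--token-file /usr/local/nagios/etc/ncpa.token` (owned by the nagios user, mode 0600) instead of `-t $USER12$`, so ps shows only the path. The environment-variable route also keeps the secret out of argv, but `/proc/<pid>/environ` is still readable by the same user and by root, so the file with tight permissions is the more contained option. The `hidepid` mount option senky mentions narrows who can list other users' processes at all; it does not hide a process's arguments from root or from the account the check runs as, so it complements rather than replaces moving the token out of argv.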