Security Concerns about the nsca daemon

Marc Haber mh+nagios-devel at zugschlus.de
Mon Feb 20 22:48:51 CET 2006


Hi,

I'm having a headache about using nsca to receive passive service
checks. My concern is possible bugs which could lead to a local user
compromise on the nagios host, which in turn could be escalated to
root privileges by exploiting one of the numerous kernel bugs that
today's Linux systems are plagued with.

Since Nagios systems are usually allowed to connect to important
systems to be able to conduct active service checks, the nagios host
could then be abused to stage attacks against productive services
holding valuable data.

I would be more comfortable if it would be easily possible to run nsca
chrooted. If the chroot is sufficiently minimal, exploiting privilege
escalation bugs from inside the chroot is significantly harder than if
a full system including all binaries would be visible.

I am dreaming of an option which would make nsca chroot itself after
starting up like bind9 does. This greatly decreases the number of
files that need to be visible in the chroot, but nsca would need to be
started with root privileges to allow it to chroot itself. It would
then need to drop privileges after chrooting itself. The code needed
to do so can probably be pulled from bind.

For the interface to nagios, it would be extremely handy if the nagios
daemon would be able to establish more than one named pipe as a
command file. In that case, one could place one extra named pipe
inside the nsca chroot, allowing nsca and nagios to communicate
without any extra scripting effort.

Unfortunately, I do not have the coding expertise to submit a patch.

I would therefore like to see my suggestion discussed - maybe I am
completely misled. Any comments will be greatly appreciated.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
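
The startup sequence the message asks for (chroot first, then drop root), as an added example that is not part of the original post and is not code from nsca or bind9. The function name `jail_and_drop`, its return codes and the command-line form are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE          /* exposes chroot() and setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Confine the calling process to `jail` and switch to an unprivileged
 * uid/gid. Must be called as root, after everything that needs the full
 * filesystem (config file, listening socket) has been opened.
 * Returns 0 on success, a negative code on failure; on any failure the
 * caller must exit rather than continue with partial confinement.
 */
int jail_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;               /* a "drop" to root is no drop at all */

    /* chdir("/") after chroot() so the working directory cannot remain
     * a handle to somewhere outside the jail. */
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -2;

    /* Order matters: supplementary groups and gid first, while still
     * root; after setuid() the process may no longer change them. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -3;

    /* Verify the drop is irreversible: regaining uid 0 must fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return -4;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s JAIL UID GID\n", argv[0]);
        return 2;
    }
    int rc = jail_and_drop(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3]));
    if (rc != 0) {
        fprintf(stderr, "jail_and_drop failed (code %d)\n", rc);
        return 1;
    }
    /* From here the daemon would serve requests inside the jail. */
    return 0;
}
```

With this ordering the jail only has to contain what the daemon opens after the call, such as the extra command pipe the message proposes placing inside the chroot.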

