nagios2 plugin output sanitization

Andreas Ericsson ae at op5.se
Thu Nov 8 11:05:13 CET 2007


Matthias Flacke wrote:
> 
> The question is how to ensure that the plugin output which Nagios receives is 
> really the same the plugin sent. There are multiple causes in between which 
> might change it: cutting off due to small buffers, or misconfiguration, 
> filtering, escaping, quoting issues...
> 

Nagios should (and does) do a byte-by-byte copy of whatever the plugin returns.
Stripping malicious output is an exercise left to the medium where it's
used. After all, plugin output could just as well contain shell characters, and
Nagios dabbles in that area too (when sending notifications, notably). Escaping
HTML output in the core will btw add many such shell control chars.

There are also database logging modules. They of course have to make sure no SQL
injection attempt slips past.

> A solution could be that the plugin provides a CRC for its output which is 
> checked afterwards. This could be included in the sanitized_output option.
> 

This is a big no-no. A very large part of Nagios' success is that it's really,
really easy to add functionality to it by providing a plugin that does
something, prints something and then exits with one of four well-defined
exit codes.

> Generally I would say that it's Nagios part to validate the sanity of the 
> transport and raise UNKNOWN if not ok.
> 

You're wrong. Nagios needs to validate (and fix) the strings it uses depending
on the context where it's used. The output from the plugins is written to a
file as far as Nagios core is concerned, so there's really no need to mangle
them at all.

Whatever's used to display the output on the web is responsible for mangling
all content that could possibly carry a malign payload.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231
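The division of labour argued for above (core copies plugin output byte-for-byte; the web front end, the notification command and the database module each escape for their own context), as an added example that is not part of the thread and not Nagios code. It runs a stand-in plugin through the current Python interpreter (an assumption; it is not a real Nagios plugin), keeps stdout untouched, and then shows why one escaping pass cannot serve every consumer: HTML-escaping the constructed sample output introduces `&`, `;` and `#`, which are shell metacharacters, so a notifier that splices that text into a command line still has to quote it.

```python
import html
import shlex
import sqlite3
import subprocess
import sys

# The four plugin exit codes Nagios defines; anything else is out of bounds.
EXIT_STATES = {0: "OK", 1: "WARNING", 2: "CRITICAL", 3: "UNKNOWN"}

# Characters a POSIX shell treats specially when text is spliced into a
# command line unquoted (a subset, enough for this demonstration).
SHELL_META = set(";&|<>$`\\\"' \t\n()*?#~")

# Constructed sample plugin output carrying HTML, shell and SQL metacharacters.
HOSTILE_OUTPUT = b"DISK OK - 95% free <script>alert(1)</script>; rm -rf / ' OR 1=1 --\n"


def fake_plugin_argv(output, exit_code):
    """argv for a stand-in plugin (constructed for this example, not a real
    Nagios plugin): writes `output` byte-for-byte and exits with `exit_code`."""
    code = "import sys; sys.stdout.buffer.write(%r); sys.exit(%d)" % (output, exit_code)
    return [sys.executable, "-c", code]


def run_plugin(argv):
    """The core's side: run the plugin, map its exit code, keep stdout as is.
    No shell is involved (argv is a list), so nothing is mangled on the way in.
    Out-of-bounds exit codes are reported as UNKNOWN here; that is a choice made
    for this example, not a statement about how Nagios itself handles them."""
    proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    return EXIT_STATES.get(proc.returncode, "UNKNOWN"), proc.stdout


def for_html(raw):
    """The web front end's job: escape for an HTML page, quotes included."""
    return html.escape(raw.decode("utf-8", "replace"), quote=True)


def for_shell(raw):
    """The notifier's job: quote the text as one command-line argument."""
    return shlex.quote(raw.decode("utf-8", "replace"))


def unquote_as_shell(quoted):
    """Split a quoted command line the way a POSIX shell would (round-trip check)."""
    return shlex.split(quoted)


def shell_metachars(text):
    """Which shell metacharacters a string still contains."""
    return {c for c in text if c in SHELL_META}


def store_and_fetch(raw):
    """The DB module's job: bind the raw bytes as a parameter (no string
    building, so no SQL injection) and return what the database hands back."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE status (output BLOB)")
    db.execute("INSERT INTO status (output) VALUES (?)", (raw,))
    return db.execute("SELECT output FROM status").fetchone()[0]


if __name__ == "__main__":
    state, raw = run_plugin(fake_plugin_argv(HOSTILE_OUTPUT, 2))
    print("state :", state)
    print("raw   :", raw)
    print("html  :", for_html(raw))
    # HTML escaping inserts '&', ';' and '#': it does not make the text shell-safe.
    print("shell-special chars left after HTML escaping:",
          sorted(shell_metachars(for_html(raw))))
    print("shell :", for_shell(raw))
    print("db round trip identical:", store_and_fetch(raw) == raw)
```

The point to take from the output is that `for_html` and `for_shell` are not interchangeable and neither is needed by the core: the bytes that come back from `run_plugin` and from `store_and_fetch` are identical to what the plugin wrote, and each consumer escapes once, for its own medium, at the moment of use.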
