NRPE Arguments some thoughts and how to disable "Request contained illegal metachars!"

Ton Voon ton.voon at opsera.com
Thu Sep 17 10:53:09 CEST 2009


On 17 Sep 2009, at 09:26, Jelle Smet wrote:

> I think the key in each monitoring system is that you need to be able to
> define your thresholds on the level of your monitoring system  
> itself, and not on the clients.
>
> (Whether monitoring results are evaluated by the monitoring system  
> or by the monitoring client, that's another story.)
>
> In other words we're using the "dont_blame_nrpe" parameter on all my
> clients, which offers us a very powerful and flexible setup.
> I (personally) think the minimum you can expect of a monitoring
> system is that you don't need to be on the client side to define
> thresholds.
>
I agree - this is the best way of having a centralised configuration  
system.
> Anyhow, ... I came to a point where I need to send over regular  
> expressions over nrpe to the remote client, which fails of course  
> because of the hard coded "illegal metacharacters"
>
> Now my request:
> * It would be nice, if these characters could be defined in the  
> config file, giving a user control.
> * How can I change the code so these metachars are ignored?
>
We apply this patch to NRPE: https://secure.opsera.com/wsvn/wsvn/opsview/branches/BRAN-3.3/opsview-base/patches/nrpe_remove_double_quotes_as_nasty.patch

This is available in the Opsview (our product based on Nagios - http://opsview.org)
Agent, which is available for download at downloads.opsview.org.


You could make the parameter an nrpe.cfg option - that would make  
sense. Patches welcome! (Though I don't have commit access to NRPE).

> Isn't there a security design which allows such functionality while
> being secure?
>
I think shell meta-characters should be ignored, certainly by default.  
If you allowed them, I think it would be impossible to evaluate  
whether it was invoking other code or not through the shell.

For example, /`\/bin\/file`/ may look like a regexp searching for a  
quoted instance of /bin/file, but it would probably get invoked by the  
shell and actually run /bin/file (because of the backticks). I think  
you are asking for trouble if you allow these characters through.

Alternatively, you could write a wrapper plugin which does contain the  
regexp you want, with the knowledge that funny quoting should no  
longer apply.

Ton
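
The wrapper-plugin approach suggested above, sketched as an added example (not part of the original message, and not NRPE or Opsview code): the regexps stay on the monitored host, and the NRPE request carries only a pattern name and integer thresholds. The plugin name, pattern names and regexps are hypothetical.

```shell
#!/bin/sh
# check_log_pattern: hypothetical wrapper plugin (added example, constructed names).
# The regexps live here on the monitored host; the NRPE request carries only a
# pattern name and integer thresholds, so no shell metacharacters are needed.

# Map a pattern name to its regexp. Unknown names fail.
pattern_for() {
    case "$1" in
        oom)       printf '%s' 'Out of memory: Kill(ed)? process [0-9]+' ;;
        auth_fail) printf '%s' 'Failed password for (invalid user )?[a-z_][a-z0-9_-]*' ;;
        *)         return 1 ;;
    esac
}

# Succeed only for a non-empty string of decimal digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Usage: check_log_pattern NAME WARN CRIT FILE
# Prints one status line and returns a Nagios plugin code (0/1/2/3).
check_log_pattern() {
    name=$1 warn=$2 crit=$3 file=$4
    re=$(pattern_for "$name") || { echo "UNKNOWN - no such pattern"; return 3; }
    if ! is_uint "$warn" || ! is_uint "$crit"; then
        echo "UNKNOWN - thresholds must be integers"; return 3
    fi
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "UNKNOWN - cannot read log file"; return 3
    fi
    # The regexp reaches grep as a single quoted argument; nothing is eval'd.
    # grep -c exits 1 on zero matches but still prints 0, hence "|| true".
    count=$(grep -E -c -e "$re" -- "$file" || true)
    if [ "$count" -ge "$crit" ]; then
        echo "CRITICAL - $count matches for $name"; return 2
    elif [ "$count" -ge "$warn" ]; then
        echo "WARNING - $count matches for $name"; return 1
    fi
    echo "OK - $count matches for $name"; return 0
}

# Run as a plugin only when arguments are supplied.
[ "$#" -eq 0 ] || { check_log_pattern "$@"; exit $?; }
```

A request whose name or threshold contains backticks or a semicolon ends in UNKNOWN: the name matches no entry in the table and the threshold fails the digit check.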

