NRPE Arguments some thoughts and how to disable "Request contained illegal metachars!"
Ton Voon
ton.voon at opsera.com
Thu Sep 17 10:53:09 CEST 2009
On 17 Sep 2009, at 09:26, Jelle Smet wrote:
> I think key in each monitoring system is that you need to be able to
> define your thresholds on the level of your monitoring system
> itself, and not on the clients.
>
> (Whether monitoring results are evaluated by the monitoring system
> or by the monitoring client, that's another story.)
>
> In other words we're using the "dont_blame_nrpe" parameter on all my
> clients, which offers us a very powerful and flexible setup.
> I (personally) think the minimum you can expect of a monitoring
> system is that you don't need to be on the client side to define
> thresholds.
>
I agree - this is the best way of having a centralised configuration
system.
> Anyhow, ... I came to a point where I need to send regular
> expressions over nrpe to the remote client, which fails of course
> because of the hard coded "illegal metacharacters"
>
> Now my request:
> * It would be nice, if these characters could be defined in the
> config file, giving a user control.
> * How can I change the code so these metachars are ignored?
>
We apply this patch to NRPE: https://secure.opsera.com/wsvn/wsvn/opsview/branches/BRAN-3.3/opsview-base/patches/nrpe_remove_double_quotes_as_nasty.patch
This is available in the Opsview (our product based on Nagios - http://opsview.org) Agent,
which is available for download at downloads.opsview.org.
You could make the parameter an nrpe.cfg option - that would make
sense. Patches welcome! (Though I don't have commit access to NRPE).
> Isn't there a security design which allows such functionality while
> it being secure?
>
I think shell meta-characters should be ignored, certainly by default.
If you allowed them, I think it would be impossible to evaluate
whether it was invoking other code or not through the shell.
For example, /`\/bin\/file`/ may look like a regexp searching for a
quoted instance of /bin/file, but it would probably get invoked by the
shell and actually run /bin/file (because of the backticks). I think
you are asking for trouble if you allow these characters through.
Alternatively, you could write a wrapper plugin which does contain the
regexp you want, with the knowledge that funny quoting should no
longer apply.
Ton
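
The wrapper-plugin idea from the message above, sketched as an added example (not part of the original post and not NRPE or Opsview code): the regexp stays on the client and only integer thresholds are accepted from the NRPE side. The script name, pattern, log path and log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Hypothetical wrapper plugin, check_log_pattern.sh (name is an assumption).
# Assumed nrpe.cfg entry, which fixes the log path on the client:
#   command[check_app_log]=/path/to/check_log_pattern.sh /var/log/app.log $ARG1$ $ARG2$

# The regexp is fixed here. It uses shell-significant characters (| ( [ \)
# of the kind the post says cannot be sent, but it never travels over NRPE.
PATTERN='(ERROR|FATAL) \[(db|auth)\]'

# Constructed sample log so the example runs offline.
write_sample_log() {
    cat > "$1" <<'EOF'
2009-09-17 10:01:02 INFO [web] request served
2009-09-17 10:01:05 ERROR [db] connection refused
2009-09-17 10:01:09 FATAL [auth] backend unreachable
2009-09-17 10:01:12 ERROR [web] template missing
EOF
}

# Accept only plain non-negative integers from the monitoring server.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage: check_log_pattern LOGFILE WARN CRIT
# Returns Nagios plugin codes: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
check_log_pattern() {
    logfile=$1 warn=$2 crit=$3
    if ! is_uint "$warn" || ! is_uint "$crit"; then
        echo "UNKNOWN - thresholds must be integers"; return 3
    fi
    [ -r "$logfile" ] || { echo "UNKNOWN - cannot read log file"; return 3; }
    # grep -c exits 1 on zero matches; ignore the status and use the count.
    count=$(grep -E -c -e "$PATTERN" -- "$logfile" || true)
    if [ "$count" -ge "$crit" ]; then
        echo "CRITICAL - $count matching lines"; return 2
    elif [ "$count" -ge "$warn" ]; then
        echo "WARNING - $count matching lines"; return 1
    fi
    echo "OK - $count matching lines"; return 0
}

# Act as a plugin only when invoked under its own (hypothetical) name.
if [ "${0##*/}" = "check_log_pattern.sh" ]; then
    check_log_pattern "$@"; exit $?
fi
```

Thresholds remain centrally defined on the monitoring server, while anything that is not a bare integer is answered with UNKNOWN instead of reaching a command line.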