nrpe options - confused
Rob Moss
robmossrm at aol.com
Fri Oct 21 13:09:13 CEST 2005
Albert Whale wrote:
> command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
Be advised that using the argument passing capabilities of NRPE is
highly insecure from a security perspective.
For example, someone connects to your NRPE port, runs a default check
such as check_disk as follows:
check_disk `cat /etc/passwd; cat /etc/shadow` `rm -rf /` `cat /dev/zero > /dev/hda`
Or even worse, insert buffer overflow shellcode to gain access to your
server with the privileges of the NRPE daemon (should be nagios, some
run as root though).
While you can implement TCPwrappers and NRPE's internal IP ACLs, it's
still not total security.
I recommend that you set up several check_disk commands for each
disk/partition that you want to monitor (even if there are 20 or so).
dont_blame_nrpe=0
debug=1
command[check_disk1]=/usr/local/nagios/libexec/check_disk -w 20 -c 10 -p /
command[check_disk2]=/usr/local/nagios/libexec/check_disk -w 20 -c 10 -p /usr
command[check_disk3]=/usr/local/nagios/libexec/check_disk -w 20 -c 10 -p /var
command[check_disk4]=/usr/local/nagios/libexec/check_disk -w 20 -c 10 -p /opt
command[check_disk5]=/usr/local/nagios/libexec/check_disk -w 20 -c 10 -p /data
command[check_disk6]=/usr/local/nagios/libexec/check_disk -w 20 -c 10 -p /db
....etc....
rob.
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
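
An added example, not part of the original post and not NRPE project code: a small Python audit that flags the two settings discussed in the message above in an nrpe.cfg, dont_blame_nrpe=1 and command definitions that take $ARGn$ macros. The sample config is constructed from the lines quoted in the message; the function name audit_nrpe_cfg and the severity labels are assumptions of this example, and include= files are not followed.

```python
import re

ARG_MACRO = re.compile(r"\$ARG\d+\$")
COMMAND = re.compile(r"^command\[([^\]]+)\]\s*=\s*(.*)$")

# Constructed sample: the quoted parametrised definition plus one fixed one.
SAMPLE_CFG = """\
# constructed sample nrpe.cfg
dont_blame_nrpe=1
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
command[check_disk1]=/usr/local/nagios/libexec/check_disk -w 20 -c 10 -p /
"""

def audit_nrpe_cfg(text):
    """Return (args_enabled, findings) for the text of one nrpe.cfg file."""
    args_enabled = False
    parametrised = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "dont_blame_nrpe":
            # Assumption: a later setting overrides an earlier one.
            args_enabled = value.strip() == "1"
            continue
        m = COMMAND.match(line)
        if m and ARG_MACRO.search(m.group(2)):
            macros = sorted(set(ARG_MACRO.findall(m.group(2))))
            parametrised.append((lineno, m.group(1), macros))
    findings = []
    if args_enabled:
        findings.append("HIGH: dont_blame_nrpe=1, clients may pass arguments")
    for lineno, name, macros in parametrised:
        # With argument passing off, the definition is a leftover to clean up.
        sev = "HIGH" if args_enabled else "WARN"
        findings.append(f"{sev}: line {lineno}: command[{name}] uses {' '.join(macros)}")
    return args_enabled, findings

if __name__ == "__main__":
    for finding in audit_nrpe_cfg(SAMPLE_CFG)[1]:
        print(finding)
```

Run it over each monitored host's nrpe.cfg; a configuration like the one recommended in the message (dont_blame_nrpe=0, fixed arguments only) produces no findings.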