nrpe options - confused

Rob Moss robmossrm at aol.com
Fri Oct 21 13:09:13 CEST 2005


Albert Whale wrote:

> command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$


Be advised that using the argument passing capabilities of NRPE is 
highly insecure from a security perspective.

For example, someone connects to your NRPE port, runs a default check 
such as check_disk as follows:
check_disk `cat /etc/passwd; cat /etc/shadow` `rm -rf /` `cat /dev/zero > /dev/hda`

Or even worse, insert buffer overflow shellcode to gain access to your 
server with the privileges of the NRPE daemon (should be nagios, some 
run as root though).

While you can implement TCPwrappers and NRPE's internal IP ACLs, it's 
still not total security.

I recommend that you set up several check_disk commands for each 
disk/partition that you want to monitor (even if there are 20 or so).

dont_blame_nrpe=0
debug=1
command[check_disk1]=/usr/local/nagios/libexec/check_disk -w 20 -c 10 -p /
command[check_disk2]=/usr/local/nagios/libexec/check_disk -w 20 -c 10 -p /usr
command[check_disk3]=/usr/local/nagios/libexec/check_disk -w 20 -c 10 -p /var
command[check_disk4]=/usr/local/nagios/libexec/check_disk -w 20 -c 10 -p /opt
command[check_disk5]=/usr/local/nagios/libexec/check_disk -w 20 -c 10 -p /data
command[check_disk6]=/usr/local/nagios/libexec/check_disk -w 20 -c 10 -p /db
....etc....

rob.



_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
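
Added example (not part of the original message, and not NRPE project code): a small Python audit that parses the text of an nrpe.cfg and lists every command definition that still takes $ARGn$ macros, marking it EXPOSED when dont_blame_nrpe=1 and dormant otherwise. The two sample configs and the function name audit_nrpe_config are constructed for illustration.

```python
import re

# Constructed sample configs for illustration (not taken from a real host).
PARAMETERISED = """\
dont_blame_nrpe=1
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
command[check_load]=/usr/lib/nagios/plugins/check_load -w 5,4,3 -c 10,8,6
"""
HARDCODED = """\
# one fixed command per partition
dont_blame_nrpe=0
command[check_disk1]=/usr/local/nagios/libexec/check_disk -w 20 -c 10 -p /
command[check_disk2]=/usr/local/nagios/libexec/check_disk -w 20 -c 10 -p /usr
"""

COMMAND_RE = re.compile(r"^command\[([^\]]+)\]\s*=\s*(.+)$")
ARG_RE = re.compile(r"\$ARG\d+\$")

def audit_nrpe_config(text):
    """Return (args_enabled, findings) for the text of an nrpe.cfg."""
    args_enabled = False  # NRPE does not accept arguments unless told to
    commands = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if key.strip() == "dont_blame_nrpe" and sep:
            args_enabled = value.strip() == "1"
            continue
        m = COMMAND_RE.match(line)
        if m:
            commands[m.group(1)] = m.group(2)
    findings = []
    for name, cmdline in commands.items():
        macros = sorted(set(ARG_RE.findall(cmdline)))
        if macros:
            state = "EXPOSED" if args_enabled else "dormant"
            findings.append((name, state, macros))
    return args_enabled, findings

if __name__ == "__main__":
    for label, cfg in (("parameterised", PARAMETERISED), ("hardcoded", HARDCODED)):
        enabled, findings = audit_nrpe_config(cfg)
        print(label, "dont_blame_nrpe =", int(enabled))
        for name, state, macros in findings:
            print(f"  {state}: command[{name}] takes {', '.join(macros)}")
```

A "dormant" finding still deserves cleanup: the command becomes remotely parameterised the moment someone flips dont_blame_nrpe to 1.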