Auditing External Commands

Andreas Ericsson ae at op5.se
Thu Sep 18 22:13:41 CEST 2008


Laack,Jacob C wrote:
> All-
> I'm running Nagios 3.0.3 with httpd on RHEL 5.  I have CGI Authentication enabled for a couple dozen users.  Some of them make "mistakes" when issuing External Commands and I'm looking for a way to log or know who turned off notifications for a server that shouldn't have been modified, etc.  I see that the /usr/local/nagios/var/nagios.log file shows...
> 
> [1221748066] EXTERNAL COMMAND: DISABLE_SVC_NOTIFICATIONS;fileserv;Download-WellsFargoBP
> 
> ...while the apache logs show...
> 
> 160.76.51.177 - ekaj [18/Sep/2008:09:27:46 -0500] "POST /cgi-bin/cmd.cgi HTTP/1.1" 200 1961
> 
> Is there a native way for Nagios to attach the CGI user, ekaj in this case, to the DISABLE_SVC_NOTIFICATIONS command in either the nagios.log file or somewhere else?  Any non-native way to do it?
> 

Nagios (the daemon) only knows what the CGIs tell it. If the CGIs
don't pass the username to Nagios and the command has no free-form
section, there's no way to let Nagios know about it without hacking
the Nagios core. Eventbroker modules can't hijack external commands
yet, otherwise that could have been used to make the core accept
a username parameter from the CGIs.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231
