Auditing External Commands

Ton Voon ton.voon at altinity.com
Thu Sep 18 22:36:20 CEST 2008


On 18 Sep 2008, at 20:15, Laack,Jacob C wrote:
> I'm running Nagios 3.0.3 with httpd on RHEL 5.  I have CGI  
> Authentication enabled for a couple dozen users.  Some of them make  
> "mistakes" when issuing External Commands and I'm looking for a way
> to log or know who turned off notifications for a server that
> shouldn't have been modified, etc.  I see that the
> /usr/local/nagios/var/nagios.log file shows…
>
>
>
> [1221748066] EXTERNAL COMMAND: DISABLE_SVC_NOTIFICATIONS;fileserv;Download-WellsFargoBP
>
>
>
> …while the apache logs show…
>
>
>
> 160.76.51.177 - ekaj [18/Sep/2008:09:27:46 -0500] "POST /cgi-bin/cmd.cgi HTTP/1.1" 200 1961
>
>
>
> Is there a native way for Nagios to attach the CGI user,
> ekaj in this case, to the DISABLE_SVC_NOTIFICATIONS command in  
> either the nagios.log file or somewhere else?  Any non-native way to  
> do it?
>
We had this request from a customer to add into Opsview. Patch is  
here: http://trac.opsview.org/browser/trunk/opsview-base/patches/nagios_store_cmd_cgi_submissions.patch

This tells the CGIs to write an additional line API LOG: to the  
nagios.log file and includes the user's name.

Beware, you need to provide permissions to the nagios.log file for the  
apache user to write to it.

Ton

http://www.altinity.com
UK: +44 (0)870 787 9243
US: +1 866 879 9184
Fax: +44 (0)845 280 1725
Skype: tonvoon
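
A non-native way to get the attribution from the two logs quoted in the question, as an added example that is not part of the original post or of the Opsview patch: it pairs each EXTERNAL COMMAND entry in nagios.log with authenticated POSTs to cmd.cgi in the Apache access log by timestamp. The function names, the 5-second window, and the assumption that both logs are written on hosts with synchronized clocks are choices made for this example.

```python
import re
from datetime import datetime

# Constructed sample input: the two log lines quoted in the post, unwrapped.
NAGIOS_LOG = "[1221748066] EXTERNAL COMMAND: DISABLE_SVC_NOTIFICATIONS;fileserv;Download-WellsFargoBP\n"
APACHE_LOG = '160.76.51.177 - ekaj [18/Sep/2008:09:27:46 -0500] "POST /cgi-bin/cmd.cgi HTTP/1.1" 200 1961\n'

NAGIOS_RE = re.compile(r"^\[(\d+)\] EXTERNAL COMMAND:\s*(\S.*)$")
# Common/combined log format: client, ident, user, [time], "request", status
APACHE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "POST \S*/cmd\.cgi[^"]*" (\d{3})')

def parse_nagios(text):
    """Yield (epoch, command) for each EXTERNAL COMMAND line in nagios.log."""
    for line in text.splitlines():
        m = NAGIOS_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2).strip()

def parse_apache(text):
    """Yield (epoch, user, client_ip) for each authenticated POST to cmd.cgi."""
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m and m.group(2) != "-":  # "-" means no authenticated user
            ts = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z")
            yield int(ts.timestamp()), m.group(2), m.group(1)

def attribute(nagios_text, apache_text, window=5):
    """Return [(epoch, command, [(user, ip), ...])] for every external command.

    A command is matched to every cmd.cgi POST within `window` seconds of it
    (assumed tolerance). An empty candidate list means the command did not
    come through the CGIs; more than one candidate means the logs alone
    cannot say who issued it.
    """
    posts = list(parse_apache(apache_text))
    results = []
    for epoch, command in parse_nagios(nagios_text):
        users = sorted({(u, ip) for t, u, ip in posts if abs(epoch - t) <= window})
        results.append((epoch, command, users))
    return results

if __name__ == "__main__":
    for epoch, command, users in attribute(NAGIOS_LOG, APACHE_LOG):
        print(epoch, command, users)
```

When two users submit commands within the same window, both are returned as candidates, which is the case the patch's per-command API LOG: line resolves.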

