check_mailq, nrpe, and root perms on client

Kevin Freels kfreels at sendmail.com
Mon Jun 15 21:07:49 CEST 2009


> Where are the e-mails coming from? sudo logs normally but 
> only sends an e-mail if you've specifically configured it to 
> do so (mail_always).  
> That's off by default in all the distributions I have 
> experience with (and that I can recall)... If that's 
> something you don't really need then turn it off. If you're 
> concerned about security then perhaps some of the other 
> mail_* settings in sudoers might be more useful.

Yes, it does come from sudo. And, yes, we are pretty stringient about
security. Although I was not the one who config'd sudo on the systems
I'm monitoring, some of them are of a sensitive nature and I agree that
they should be tracked. But I'll investigate the other mail_* options; I
didn't see anything that could be turned off in the sudoers file for
commands/users/grounps.

> > I also thought of:
> >
> > -- running nrpe as "root" (not comfortable with that)
> > -- SUID on check_mailq
> > -- chown'ing check_mailq root:root
> 
> I personally don't like any of those options. I don't use 
> check_mailq and wrote my own that fits our environment better 
> but at the heart of it, I use 'sudo /usr/lib/sendmail...' so 
> there's my vote ;)

I don't like them either for the security risks that they entail.
However, I would be interested in your solution.

> Marc

Thanks!!!!!!

....k

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null





More information about the Users mailing list