check_mailq, nrpe, and root perms on client
Kevin Freels
kfreels at sendmail.com
Mon Jun 15 21:07:49 CEST 2009
> Where are the e-mails coming from? sudo logs normally but
> only sends an e-mail if you've specifically configured it to
> do so (mail_always).
> That's off by default in all the distributions I have
> experience with (and that I can recall)... If that's
> something you don't really need then turn it off. If you're
> concerned about security then perhaps some of the other
> mail_* settings in sudoers might be more useful.
Yes, it does come from sudo. And, yes, we are pretty stringent about
security. Although I was not the one who config'd sudo on the systems
I'm monitoring, some of them are of a sensitive nature and I agree that
they should be tracked. But I'll investigate the other mail_* options; I
didn't see anything that could be turned off in the sudoers file for
commands/users/groups.
> > I also thought of:
> >
> > -- running nrpe as "root" (not comfortable with that)
> > -- SUID on check_mailq
> > -- chown'ing check_mailq root:root
>
> I personally don't like any of those options. I don't use
> check_mailq and wrote my own that fits our environment better
> but at the heart of it, I use 'sudo /usr/lib/sendmail...' so
> there's my vote ;)
I don't like them either for the security risks that they entail.
However, I would be interested in your solution.
> Marc
Thanks!!!!!!
....k
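
An added example, not part of the original messages: a sudoers fragment that scopes the monitoring account to the one queue command and turns off per-run mail for that account only, using sudo's per-user Defaults syntax. The account name `nagios` and the path `/usr/bin/mailq` are assumptions; substitute the values from your own systems.

```sudoers
# Constructed example; account name and binary path are assumptions.
# Check syntax before installing: visudo -cf <file>

# Avoid: a blanket rule gives the monitoring account full root.
# nagios ALL = (ALL) NOPASSWD: ALL

# Only the queue listing command may be run as root by the nrpe account.
Cmnd_Alias NAGIOS_MAILQ = /usr/bin/mailq

# NRPE runs without a terminal, so the check must not require a tty.
Defaults:nagios !requiretty

# Per-user override: no mail for each successful run by this account.
# A global "Defaults mail_always" still applies to every other user.
Defaults:nagios !mail_always

# Still mail when this account tries a command it is not permitted to run.
Defaults:nagios mail_no_perms

nagios ALL = (root) NOPASSWD: NAGIOS_MAILQ
```

Only the mail for permitted runs is suppressed; sudo still logs each invocation as usual.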
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null