NRPE enhancement

Jolet, John John.Jolet at misyshealthcare.com
Fri Dec 27 19:06:31 CET 2002
Previous message: NRPE enhancement
Next message: NRPE enhancement
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I agree, it would be more consistent with the non-nrpe checks if the nrpe
config file didn't have the thresholds in them, instead getting them passed
in with the call to check_nrpe.

-----Original Message-----
From: Dave Viner [mailto:dviner at yahoo-inc.com]
Sent: Friday, December 27, 2002 11:48 AM
To: Nagios-users at lists.sourceforge.net
Subject: RE: [Nagios-users] NRPE enhancement


In order to clarify the idea that I'm proposing, I've made a patch to the
nrpe source that implements what I'm describing.  This patch is made against
the nrpe-1.5.tar.gz from sourceforge.

Essentially, these changes allow us to specify in the nrpe.cfg file lines
like this:
  command[check_disk_gen]=/usr/local/libexec/nagios/check_disk

Then when invoking check_nrpe, you can invoke it like this:
  ./check_nrpe 127.0.0.1 -V 2 -c check_disk_gen -a "-w 50000 -c 10000 -p
/dev/ad0s1e"

And the effect is that /usr/local/libexec/nagios/check_disk is invoked with
the -w 50000 -c 10000 -p /dev/ad0s1e as the argument string.  For example:

~/nagios/nrpe-1.5.new/src>./check_nrpe 127.0.0.1 -V 2 -c check_disk_gen -a
"-w 50000 -c 10000 -p /dev/ad0s1e"
DISK OK - [1484108 kB (9%) free on /dev/ad0s1e]
~/nagios/nrpe-1.5.new/src>

I think this is really useful and would greatly reduce the size of the
nrpe.cfg and, more importantly, would reduce the number of times you'd need
to modify that configuration file.  Instead the modifications would occur on
the centralized Nagios server's configuration file.

What does everyone think?  Should we add this to the main source for
NRPE-1.6?

dave


-----Original Message-----
From: nagios-users-admin at lists.sourceforge.net
[mailto:nagios-users-admin at lists.sourceforge.net]On Behalf Of Dave Viner
Sent: Monday, December 23, 2002 8:51 AM
To: Naios Users
Subject: RE: [Nagios-users] NRPE enhancement


Hi Rue,
	Security is a great reason for limiting the commands that NRPE is
able to execute.  But my suggested enhancement wouldn't allow NRPE to
execute any command that isn't listed in the cfg file.  That is, the NRPE
would still need to find the path to the executable in the nrpe.cfg file,
then use any remaining information as arguments passed to the executable.
It is true that this is less secure that forcing the entire command line
(executable and arguments) in the config file.  But, so long as the
executables are well authored and handle unexpected arguments well, I think
this enhancement would not significantly decrease security.  Do you think
that specifying arguments would make NRPE significantly less secure?


Dave


-----Original Message-----
From: nagios-users-admin at lists.sourceforge.net
[mailto:nagios-users-admin at lists.sourceforge.net]On Behalf Of Rue Turner
Sent: Friday, December 20, 2002 1:33 PM
To: Naios Users
Subject: Re: [Nagios-users] NRPE enhancement


dave,

I think the reson for this choice of configuration is security. If the
nrpe was allowed to run whatever it was asked it would be easy to
compromise your machines. This way although your configs are hefty (mine
have almost a hundred lines in) you can only ask it to run commands from
this library.

rue


On Fri, 2002-12-20 at 17:35, Dave Viner wrote:
> Hi,
> 	I'd like to suggest an enhancement to NRPE, and if people think this
is a
> good idea, I'll try to make a patch to support my suggestion.  Currently
the
> nrpe.cfg file specifies all the commands in this fashion:
> 	command[check_disk1]=/usr/local/nagios/libexec/check_disk 80 95
/dev/hda1
> As result of this design is that if you want to check something like
> /dev/hda1 and /dev/hdb1, you need two seperate lines in the nrpe.cfg file.
> 	So, I'd like to propose that we extend NRPE to allow for the
arguments to a
> command to be specified by the central Nagios server instead of in the
> nrpe.cfg.  The idea is that the nrpe.cfg would have one command line which
> maps a key, 'check_disk', to a local executable,
> '/usr/local/nagios/libexec/check_disk'.  The rest would be specified from
> the central Nagios server in some manner.
> 	I think this would great simplify the nrpe.cfg files, and reduce a
lot of
> redundant command definitions that differ only in the arguments they
> require.  Also, it would mean that you'd need to update your nrpe.cfg very
> rarely.  In fact, you'd only need to update it when you add a new plugin.
> 	I don't have a concrete suggestion for implementing this yet,
because I
> want to see if the community is interested in this idea first.  Has this
> idea been suggested previously?  Is anyone currently interested in the
idea
> or would I be the only consumer of such a service?
> 
> thanks
> dave
> 
> 
> 
> -------------------------------------------------------
> This SF.NET email is sponsored by:  The Best Geek Holiday Gifts!
> Time is running out!  Thinkgeek.com has the coolest gifts for
> your favorite geek.   Let your fingers do the typing.   Visit Now.
> T H I N K G E E K . C O M        http://www.thinkgeek.com/sf/
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users


                      r u e  t u r n e r
  · t · h · i · n · l · a · y · e · r · 
 
-- index, n.: Alphabetical list of words of no possible interest where
an alphabetical list of subjects with references ought to be.


-------------------------------------------------------
This SF.NET email is sponsored by:  The Best Geek Holiday Gifts!
Time is running out!  Thinkgeek.com has the coolest gifts for
your favorite geek.   Let your fingers do the typing.   Visit Now.
T H I N K G E E K . C O M        http://www.thinkgeek.com/sf/
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
Previous message: NRPE enhancement
Next message: NRPE enhancement
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the Users mailing list