NRPE enhancement

Carroll, Jim P [Contractor] jcarro10 at sprintspectrum.com
Fri Dec 27 20:46:06 CET 2002


I'm not a C programmer by profession, so I defer your query to those who
have a strong background, both in C code and system/network security.  It
does presume that every other link in the chain is bulletproof.  [Insert
ObRef to Bugtraq here.]

At any rate, I'm curious to hear why Ethan didn't choose that approach to
begin with.

jc

> -----Original Message-----
> From: Dave Viner [mailto:dviner at yahoo-inc.com]
> Sent: Friday, December 27, 2002 12:49 PM
> To: Nagios-users at lists.sourceforge.net
> Subject: RE: [Nagios-users] NRPE enhancement
> 
> 
> This sounds interesting, but I have a question about the 
> security implications of this code.  I'm not a security 
> expert, so please excuse the somewhat basic question.  The 
> struct packet as defined in common/common.h has an argv 
> member which is a character array of length 2048.   I believe 
> this means that if the incoming packet has an argv member 
> whose length is greater than 2048 chars, then the  
> 	rc=recvall(sock,(char 
> *)&receive_packet,&bytes_to_recv,socket_timeout);
> should fail, should it not?  
> 
> However, I think your suggestions regarding stunnel, and 
> encryption are good ones, regardless of the inclusion of this code.
> 
> thanks
> 
> dave
> 
> 
> -----Original Message-----
> From: Carroll, Jim P [Contractor] [mailto:jcarro10 at sprintspectrum.com]
> Sent: Friday, December 27, 2002 10:20 AM
> To: 'Dave Viner'; Nagios-users at lists.sourceforge.net
> Subject: RE: [Nagios-users] NRPE enhancement
> 
> 
> I think it's a good idea, but with the following provisions:
> 
> - This should not be enabled by default.
> 
> - The configure script, the Makefile and any/all NRPE docs 
> should explicitly
> state the security risks in forcing the non-default (added feature)
> behaviour.
> 
> - If the daemon is compiled with this option, anytime the 
> daemon starts, it
> should briefly mention that it has been compiled for this 
> behaviour, and a
> quick remark about the increased risks.  (Sent to stderr if 
> standalone, else
> sent to syslog if running under (x)inetd).  It should scream 
> loud and clear
> if it's started under root; preferably it would simply not 
> run as root, full
> stop.
> 
> - Perhaps a reference to implementing NRPE with stunnel (and 
> only permitting
> connections from localhost, as defined in nrpe.cfg) would be 
> desireable.
> 
> I'm not a security guru, but it seems to me that facilitating 
> this feature
> would open oneself up to a buffer overflow attack.  If you're 
> on a trusted
> network, it's a non-issue.
> 
> On a related note, I'd be much more comfy with this feature 
> if there were a
> facility to enforce some level of native encryption, such as 
> what NSCA uses.
> If you don't have the keys to the house, you get dropped on 
> the floor.  (I
> have a similar wish for NSClient.)
> 
> Food for thought.
> 
> jc
> 
> > -----Original Message-----
> > From: Dave Viner [mailto:dviner at yahoo-inc.com]
> > Sent: Friday, December 27, 2002 11:48 AM
> > To: Nagios-users at lists.sourceforge.net
> > Subject: RE: [Nagios-users] NRPE enhancement
> > 
> > 
> > In order to clarify the idea that I'm proposing, I've made a 
> > patch to the nrpe source that implements what I'm describing. 
> >  This patch is made against the nrpe-1.5.tar.gz from sourceforge.
> > 
> > Essentially, these changes allow us to specify in the 
> > nrpe.cfg file lines like this:
> >   command[check_disk_gen]=/usr/local/libexec/nagios/check_disk
> > 
> > Then when invoking check_nrpe, you can invoke it like this:
> >   ./check_nrpe 127.0.0.1 -V 2 -c check_disk_gen -a "-w 50000 
> > -c 10000 -p /dev/ad0s1e"
> > 
> > And the effect is that /usr/local/libexec/nagios/check_disk 
> > is invoked with the -w 50000 -c 10000 -p /dev/ad0s1e as the 
> > argument string.  For example:
> > 
> > ~/nagios/nrpe-1.5.new/src>./check_nrpe 127.0.0.1 -V 2 -c 
> > check_disk_gen -a "-w 50000 -c 10000 -p /dev/ad0s1e"
> > DISK OK - [1484108 kB (9%) free on /dev/ad0s1e]
> > ~/nagios/nrpe-1.5.new/src>
> > 
> > I think this is really useful and would greatly reduce the 
> > size of the nrpe.cfg and, more importantly, would reduce the 
> > number of times you'd need to modify that configuration file. 
> >  Instead the modifications would occur on the centralized 
> > Nagios server's configuration file.
> > 
> > What does everyone think?  Should we add this to the main 
> > source for NRPE-1.6?
> > 
> > dave
> > 
> > 
> > -----Original Message-----
> > From: nagios-users-admin at lists.sourceforge.net
> > [mailto:nagios-users-admin at lists.sourceforge.net]On Behalf Of 
> > Dave Viner
> > Sent: Monday, December 23, 2002 8:51 AM
> > To: Naios Users
> > Subject: RE: [Nagios-users] NRPE enhancement
> > 
> > 
> > Hi Rue,
> > 	Security is a great reason for limiting the commands 
> > that NRPE is able to execute.  But my suggested enhancement 
> > wouldn't allow NRPE to execute any command that isn't listed 
> > in the cfg file.  That is, the NRPE would still need to find 
> > the path to the executable in the nrpe.cfg file, then use any 
> > remaining information as arguments passed to the executable.  
> > It is true that this is less secure that forcing the entire 
> > command line (executable and arguments) in the config file.  
> > But, so long as the executables are well authored and handle 
> > unexpected arguments well, I think this enhancement would not 
> > significantly decrease security.  Do you think that 
> > specifying arguments would make NRPE significantly less secure?
> > 
> > 
> > Dave
> > 
> > 
> > -----Original Message-----
> > From: nagios-users-admin at lists.sourceforge.net
> > [mailto:nagios-users-admin at lists.sourceforge.net]On Behalf Of 
> > Rue Turner
> > Sent: Friday, December 20, 2002 1:33 PM
> > To: Naios Users
> > Subject: Re: [Nagios-users] NRPE enhancement
> > 
> > 
> > dave,
> > 
> > I think the reson for this choice of configuration is 
> security. If the
> > nrpe was allowed to run whatever it was asked it would be easy to
> > compromise your machines. This way although your configs are 
> > hefty (mine
> > have almost a hundred lines in) you can only ask it to run 
> > commands from
> > this library.
> > 
> > rue
> > 
> > 
> > On Fri, 2002-12-20 at 17:35, Dave Viner wrote:
> > > Hi,
> > > 	I'd like to suggest an enhancement to NRPE, and if 
> > people think this is a
> > > good idea, I'll try to make a patch to support my 
> > suggestion.  Currently the
> > > nrpe.cfg file specifies all the commands in this fashion:
> > > 	
> > command[check_disk1]=/usr/local/nagios/libexec/check_disk 80 
> > 95 /dev/hda1
> > > As result of this design is that if you want to check 
> something like
> > > /dev/hda1 and /dev/hdb1, you need two seperate lines in the 
> > nrpe.cfg file.
> > > 	So, I'd like to propose that we extend NRPE to allow 
> > for the arguments to a
> > > command to be specified by the central Nagios server 
> > instead of in the
> > > nrpe.cfg.  The idea is that the nrpe.cfg would have one 
> > command line which
> > > maps a key, 'check_disk', to a local executable,
> > > '/usr/local/nagios/libexec/check_disk'.  The rest would be 
> > specified from
> > > the central Nagios server in some manner.
> > > 	I think this would great simplify the nrpe.cfg files, 
> > and reduce a lot of
> > > redundant command definitions that differ only in the 
> arguments they
> > > require.  Also, it would mean that you'd need to update 
> > your nrpe.cfg very
> > > rarely.  In fact, you'd only need to update it when you add 
> > a new plugin.
> > > 	I don't have a concrete suggestion for implementing 
> > this yet, because I
> > > want to see if the community is interested in this idea 
> > first.  Has this
> > > idea been suggested previously?  Is anyone currently 
> > interested in the idea
> > > or would I be the only consumer of such a service?
> > > 
> > > thanks
> > > dave
> > > 
> > > 
> > > 
> > > -------------------------------------------------------
> > > This SF.NET email is sponsored by:  The Best Geek Holiday Gifts!
> > > Time is running out!  Thinkgeek.com has the coolest gifts for
> > > your favorite geek.   Let your fingers do the typing.   Visit Now.
> > > T H I N K G E E K . C O M        http://www.thinkgeek.com/sf/
> > > _______________________________________________
> > > Nagios-users mailing list
> > > Nagios-users at lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/nagios-users
> > 
> > 
> >                       r u e  t u r n e r
> >   · t · h · i · n · l · a · y · e · r · 
> >  
> > -- index, n.: Alphabetical list of words of no possible 
> interest where
> > an alphabetical list of subjects with references ought to be.
> > 
> > 
> > -------------------------------------------------------
> > This SF.NET email is sponsored by:  The Best Geek Holiday Gifts!
> > Time is running out!  Thinkgeek.com has the coolest gifts for
> > your favorite geek.   Let your fingers do the typing.   Visit Now.
> > T H I N K G E E K . C O M        http://www.thinkgeek.com/sf/
> > _______________________________________________
> > Nagios-users mailing list
> > Nagios-users at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/nagios-users
> > 
> > 
> > 
> > 
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Nagios-users mailing list
> > Nagios-users at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/nagios-users
> > 
> > 
> 
> 
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> 


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf




More information about the Users mailing list