Announce: Check_Yum for RedHat/CentOS server package alerts

Hari Sekhon hpsekhon at googlemail.com
Fri May 2 18:13:21 CEST 2008


Hugo van der Kooij wrote:
> | There is a design bug:
> | You must be root to run this plugin (otherwise yum cannot access
> | repository information)
>
> And just to be sure. I can even run yum as nagios user:
>
> # su - nagios -c "yum check-update"
> Loading "installonlyn" plugin
> Loading "security" plugin
> Setting up repositories
> Reading repository metadata in from local files
> Skipping security plugin, no data
>
> clamav.i386                              0.93-2.el5.rf          rpmforge
>
> clamav-db.i386                           0.93-2.el5.rf          rpmforge
>
> clamd.i386                               0.93-2.el5.rf          rpmforge
>
> # su - nagios -c "yum update"
> Loading "installonlyn" plugin
> Loading "security" plugin
> You need to be root to perform this command.
>
> So why does this nagios plugin need to run with root privileges?
>
> Hugo.
>   
I've just found out that running yum check-update as a regular user does 
not report all the available updates and therefore if you really 
want to keep track of it, you need to run it as root.

I knew there was a good reason why I had originally done this, I just 
couldn't remember what it was.

Technically this is not the fault of the plugin itself but of yum and 
I'm not currently sure if this is by design. It appears that the normal 
user account can only see updates from rpmforge, and not from the 
official RHEL repository which is where the vast majority of the updates 
come from.

Why this is I have not yet determined; it may be an intentional thing on 
the part of Red Hat in order to try to prevent users from seeing the 
vulnerable components, although this would be very weak.

I have not updated the plugin to force root privileges but I have just 
made a warning note on the NagiosExchange page telling people that it is 
advisable to run the plugin as root to be sure to get all of the 
updates. If I can bend yum to not require root privileges then I'd 
prefer this as well, but most of all I'd prefer to get all the updates 
and not have yum lie to me leaving me with an insecure non-updated 
system. It would have been preferable of the yum writers to make the 
thing fail outright so we could deal with it more easily than to 
silently fail leaving us guessing...

If anyone has any wisdom they care to share on this, I'd be happy to 
hear it and perhaps update the plugin accordingly.

Thanks

-h

-- 
Hari Sekhon

