In this recipe, we'll learn how to deal with the problem of execution privileges for NRPE plugins. The majority of standard Nagios plugins don't require special privileges to run, although this also depends on how stringent your system's security restrictions are. However, some plugins need to be run as root, or perhaps as some user other than nagios. This is sometimes the case with plugins that need to make requests of system-level resources, such as checking the integrity of RAID arrays.

There are four general approaches to fixing this:

- Make the plugins setuid, meaning that they will always be run as the user who owns them, no matter who executes them. The problem with this is that setting this bit allows anyone to run the program as root, not just nrpe, a very common vector for exploits.
- Run nrpe as root or as the appropriate user. This is done by changing the nrpe_user and nrpe_group properties in nrpe.cfg. This is even more dangerous and completely inconsistent with the principle of least privilege—we should confer on a user as little permission as possible to allow it to do its job. Never do this!
- Use command_prefix in nrpe.cfg to prepend /usr/bin/sudo to all commands and give nrpe full sudo(8) privileges to run only the plugins in /usr/local/nagios/libexec. This is a bit better, but still quite risky, as we likely don't need every single command to be run as root, only one or two.
- Use sudo(8) to allow the nrpe user limited privileges for a subset of commands, only the ones it needs to run, and only as the user it needs to run them as.

The last solution is the most likely to be secure, so we'll examine an example here. We'll run the plugin check_procs as root to get a process count. In most cases, you wouldn't need root privileges to get a complete count of all processes, but it might be needed on a system with a very locked-down grsecurity patch installed, as an example.
You should have a target host configured for checking in a Nagios Core 4.0 or later monitoring server. The target host should be running the nrpe daemon and listening on all interfaces. You can verify that nrpe is running with pgrep(1) or ps(1):

# pgrep nrpe
29964
# ps -ef | grep [n]rpe
nagios 29964 1 0 21:55 ? 00:00:01 nrpe
You should also have sudo(8) installed and working on the target system and understand what it does. We'll be editing the /etc/sudoers file to confer root privileges on our nrpe user for one program only. This recipe will assume that the nrpe daemon is running as the nagios user in the nagios group.
We can confer limited root privileges for one command on our nrpe user as follows:

1. Edit the /etc/sudoers file. The safest way to do this is generally with a call to visudo(8), which will make a temporary copy of the file and check that it makes sense before installing it:

# visudo

Add the following line, which allows the nagios user to run this one plugin as root without a password:

nagios ALL=(ALL:ALL) NOPASSWD: /usr/local/nagios/libexec/check_procs

Note that if the requiretty directive appears anywhere in your /etc/sudoers file, you may need to remove it to make this work.

2. Become the nagios user with sudo(8) and test that the command runs as root, with no password prompt:

# sudo -s -u nagios
$ sudo /usr/local/nagios/libexec/check_procs
PROCS OK: 89 processes

3. Edit the nrpe daemon's configuration file. The default location is /usr/local/nagios/etc/nrpe.cfg. Look for the command definition for check_total_procs; if there isn't one, create it. Note that /usr/bin/sudo has been added to the start of the command:

command[check_total_procs]=/usr/bin/sudo /usr/local/nagios/libexec/check_procs -w 150 -c 200

4. Restart the nrpe daemon. If you have installed an init script for it, you may be able to do this with something like:

# /etc/init.d/nrpe restart

If not, you can make the running process re-read its configuration file and resume running by sending it a HUP signal with the pkill(1) command:

# pkill -HUP nrpe

With this done, we should now be able to run a check_nrpe call from the monitoring server and get a successful response:

$ /usr/local/nagios/libexec/check_nrpe -H roma.example.net -c check_total_procs
PROCS OK: 89 processes
The preceding configuration does not change the nrpe daemon's behavior very much; most of the configuration is actually done on its host system. All we changed was the command definition for check_total_procs, so that it runs the plugin from within sudo(8).

To make this work without a password, we defined a rule in the /etc/sudoers file so that no password is required to execute this particular program as root for the nagios user, which is the user that nrpe runs as.

This means that when we call the check_total_procs command from the monitoring server, it returns the full output of the plugin as run with root privileges, but the nagios user doesn't have root privileges to run anything else potentially dangerous, such as rm(1) or halt(8).

While this is a much more secure way of allowing nrpe to run a plugin with the privileges of another user, it still requires trusting that the plugin being run with root privileges is secure and can't easily be exploited. Be very careful running this with custom code or with stray plugins you find on the web!

If you intend to allow the nagios user to run more than a couple of distinct programs, it may look a little tidier to define them in /etc/sudoers with a Cmnd_Alias:

Cmnd_Alias NAGIOS = /usr/local/nagios/libexec/check_procs, /usr/local/nagios/libexec/check_load
nagios ALL=(ALL) NOPASSWD: NAGIOS
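The grant above and the sudo-prefixed command definition in nrpe.cfg have to stay in step: a plugin wrapped in /usr/bin/sudo without a matching sudoers entry silently fails, and a "NOPASSWD: ALL" shortcut gives away exactly what the recipe avoids. The following POSIX sh audit helper is an added example, not part of the recipe or of Nagios; it cross-checks a constructed nrpe.cfg and sudoers file (sample content only) and understands the Cmnd_Alias form as well as direct grants.

```shell
# Added audit helper, not part of the recipe: cross-check an nrpe.cfg against
# a sudoers file so the grant stays as narrow as the recipe intends.
# Every command[...] prefixed with /usr/bin/sudo must name a plugin that is
# granted NOPASSWD to nagios (directly or through a Cmnd_Alias), and a blanket
# "NOPASSWD: ALL" is always reported. Findings go to stderr; the finding count
# is printed to stdout.
audit_nrpe_sudo() {
    cfg="$1"; sudoers="$2"; findings=0
    if grep -Eq '^nagios[[:space:]].*NOPASSWD:[[:space:]]*ALL([[:space:]]|$)' "$sudoers"; then
        echo "FINDING: nagios has NOPASSWD: ALL in $sudoers" >&2
        findings=$((findings + 1))
    fi
    # The plugin path is the first word after /usr/bin/sudo in the definition.
    sudo_plugins=$(sed -n 's#^command\[[^]]*\]=/usr/bin/sudo[[:space:]]\{1,\}\([^[:space:]]*\).*#\1#p' "$cfg")
    # Expand Cmnd_Alias entries and list every command granted to nagios.
    granted=$(awk '
        /^Cmnd_Alias/ { sub(/^Cmnd_Alias[ \t]+/, ""); split($0, kv, /[ \t]*=[ \t]*/); alias[kv[1]] = kv[2] }
        /^nagios[ \t]/ { sub(/.*NOPASSWD:[ \t]*/, ""); n = split($0, it, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                if (it[i] in alias) { m = split(alias[it[i]], a, /[ \t]*,[ \t]*/); for (j = 1; j <= m; j++) print a[j] }
                else print it[i]
            } }' "$sudoers")
    for plugin in $sudo_plugins; do
        if ! printf '%s\n' "$granted" | grep -qxF "$plugin"; then
            echo "FINDING: $plugin runs under sudo in $cfg but is not granted in $sudoers" >&2
            findings=$((findings + 1))
        fi
    done
    echo "$findings"
}

# Constructed sample: the recipe's Cmnd_Alias grant, plus a hypothetical
# check_raid that was later wrapped in sudo without extending /etc/sudoers.
demo_audit() {
    d=$(mktemp -d)
    cat > "$d/nrpe.cfg" <<'EOF'
command[check_total_procs]=/usr/bin/sudo /usr/local/nagios/libexec/check_procs -w 150 -c 200
command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
command[check_raid]=/usr/bin/sudo /usr/local/nagios/libexec/check_raid
EOF
    cat > "$d/sudoers" <<'EOF'
Cmnd_Alias NAGIOS = /usr/local/nagios/libexec/check_procs, /usr/local/nagios/libexec/check_load
nagios ALL=(ALL) NOPASSWD: NAGIOS
EOF
    audit_nrpe_sudo "$d/nrpe.cfg" "$d/sudoers"   # prints 1: check_raid is not granted
    rm -rf "$d"
}
```

Run it against the real files with `audit_nrpe_sudo /usr/local/nagios/etc/nrpe.cfg /etc/sudoers` as root; a count of 0 means every sudo-wrapped plugin has a matching, non-blanket grant.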