Giving limited sudo(8) privileges to NRPE

In this recipe, we'll learn how to deal with plugins that need elevated privileges when run by NRPE. The majority of the standard Nagios plugins don't require special privileges to run, although this also depends on how stringent your system's security restrictions are. However, some plugins need to run as root, or as a user other than nagios. This is often the case with plugins that query system-level resources, such as checking the integrity of RAID arrays.

There are four general approaches to fixing this:

  • Bad: Set the setuid bit on the plugins, so that they always run as the user who owns them (root), no matter who executes them. The problem is that this allows any local user to run the program as root, not just nrpe; setuid root binaries are a very common vector for privilege-escalation exploits.
  • Worse: Run nrpe itself as root or as the appropriate user, by changing the nrpe_user and nrpe_group properties in nrpe.cfg. This is even more dangerous and completely inconsistent with the principle of least privilege: a user should be given as little permission as possible to do its job. Never do this!
  • Better: Use command_prefix in nrpe.cfg to prepend /usr/bin/sudo to all commands, and give the nrpe user sudo(8) privileges to run only the plugins in /usr/local/nagios/libexec. This is a bit better, but still quite risky: we likely don't need every command to run as root, only one or two, and a directory-wide rule makes anything that lands in that directory runnable as root.
  • Best: Use sudo(8) to allow the nrpe user limited privileges for a subset of commands, only the ones it needs to run, and only as the user by which it needs to be run.

The last solution is the most likely to be secure, so we'll work through an example here. We'll run the check_procs plugin as root to get a process count. In most cases you wouldn't need root privileges to get a complete count of all processes, but it can be necessary on a system with a very locked-down grsecurity patch installed, for example.

Getting ready

You should have a target host configured for checking in a Nagios Core 4.0 or later monitoring server. The target host should be running the nrpe daemon and listening on all interfaces. You can verify that nrpe is running with pgrep(1) or ps(1):

# pgrep nrpe
29964
# ps -ef | grep '[n]rpe'
nagios   29964     1  0 21:55 ?        00:00:01 nrpe

You should also have sudo(8) installed and working on the target system, and understand what it does. We'll be editing the /etc/sudoers file to confer root privileges on our nrpe user for one program only. This recipe assumes that the nrpe daemon is running as the nagios user in the nagios group.

How to do it...

We can confer limited root privileges for one command to our nrpe user as follows:

  1. Edit the /etc/sudoers file. The safest way to do this is generally with a call to visudo(8), which will make a temporary copy of the file and check that it makes sense before installing it:
    # visudo
    
  2. Add the following line to the file and save it:
    nagios ALL=(root) NOPASSWD: /usr/local/nagios/libexec/check_procs

    This lets the nagios user run exactly one program, as root only, without a password. Don't use (ALL) or (ALL:ALL) as the runas specification here: that would let nagios run the plugin as any user or group, which is more than the recipe needs. Because the rule lists no arguments, sudo(8) permits any arguments to check_procs, which is what we want for the -w and -c thresholds; for a plugin whose options could be abused (one that reads a file named on the command line, for instance), pin the permitted arguments in the rule as well.

    Note that if the requiretty directive appears anywhere in your /etc/sudoers file, you may need to remove it to make this work, since nrpe runs its commands without a terminal.

  3. Become the nagios user with sudo(8) and test that the command runs as root with no password prompt:
    # sudo -s -u nagios
    $ sudo /usr/local/nagios/libexec/check_procs
    PROCS OK: 89 processes
    
  4. Edit the nrpe daemon's configuration file. The default location is /usr/local/nagios/etc/nrpe.cfg. Look for the command definition for check_total_procs; if there isn't one, create it. Note that /usr/bin/sudo has been added to the start of the command:
    command[check_total_procs]=/usr/bin/sudo /usr/local/nagios/libexec/check_procs -w 150 -c 200
    
  5. Restart the nrpe daemon. If you have installed an init script for it, you may be able to do this with something like:
    # /etc/init.d/nrpe restart
    

    If not, you can make the running process re-read its configuration file by sending it a HUP signal with the pkill(1) command:

    # pkill -HUP nrpe
    

With this done, we should now be able to run a check_nrpe call from the monitoring server and get a successful response:

$ /usr/local/nagios/libexec/check_nrpe -H roma.example.net -c check_total_procs
PROCS OK: 89 processes

How it works...

The preceding configuration does not change the nrpe daemon's behavior very much; most of the work is done by sudo(8) on the target host. All we changed in nrpe.cfg was the command definition for check_total_procs, so that the plugin is run from within sudo(8).

To make this work without a password, we added a rule to the /etc/sudoers file so that no password is required for the nagios user, the user nrpe runs as, to execute this particular program as root.

This means that when we call the check_total_procs command from the monitoring server, we get the full output of the plugin as run with root privileges, but the nagios user gains no root privileges for anything else potentially dangerous, such as rm(1) or halt(8).

There's more...

While this is a much more secure way of letting nrpe run plugins as another user, it still requires trusting that the plugin being run with root privileges is itself secure and can't easily be exploited. Be very careful running this with custom code or with stray plugins you find on the web!

If you intend to allow the nagios user to run more than a couple of distinct programs, it may look a little tidier to define them in /etc/sudoers with a Cmnd_Alias. The runas specification should still be (root), not (ALL):

Cmnd_Alias NAGIOS = /usr/local/nagios/libexec/check_procs, /usr/local/nagios/libexec/check_load
nagios ALL=(root) NOPASSWD: NAGIOS
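
As an added example (not code from the cookbook or from the Nagios project), the following POSIX shell script checks the outcome of steps 2 and 4 above, and of the Cmnd_Alias form, offline: it extracts every plugin that nrpe.cfg wraps in /usr/bin/sudo, expands the sudo rules granted to the nrpe user, and flags any rule that is broader than that set (a runas other than root, a glob, ALL, or a program nrpe never needs) as well as any sudo-wrapped plugin that has no exact rule. The nrpe.cfg and sudoers fragments embedded in it are constructed for the demonstration; the user name nagios and the plugin paths follow the recipe.

```shell
#!/bin/sh
# Added example, not from the Nagios Core cookbook: audit the sudo(8) policy
# granted to the nrpe user against the plugins that nrpe.cfg actually wraps in
# /usr/bin/sudo. Paths, the user name and both sample files are constructed.

tab=$(printf '\t')

# Constructed nrpe.cfg fragment: two sudo-wrapped commands and one plain one.
SAMPLE_NRPE_CFG='command[check_total_procs]=/usr/bin/sudo /usr/local/nagios/libexec/check_procs -w 150 -c 200
command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
command[check_root_disk]=/usr/bin/sudo /usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /'

# Constructed sudoers fragment in the Cmnd_Alias style the recipe uses, plus one
# deliberately over-broad rule of the kind the "Better" option would produce.
SAMPLE_SUDOERS='Cmnd_Alias NAGIOS = /usr/local/nagios/libexec/check_procs, /usr/local/nagios/libexec/check_load
nagios ALL=(root) NOPASSWD: NAGIOS
nagios ALL=(ALL:ALL) NOPASSWD: /usr/local/nagios/libexec/*   # too broad'

# Print the plugin path of every nrpe command that is wrapped in /usr/bin/sudo,
# in the form the recipe uses (sudo directly followed by the plugin path).
sudo_plugins_in_nrpe_cfg() {
    awk '/^[ \t]*command\[[^]]*\]=/ {
        sub(/^[ \t]*command\[[^]]*\]=[ \t]*/, "")
        if ($1 == "/usr/bin/sudo") print $2
    }' "$1"
}

# Print "runas<TAB>command" for every command $2 may run according to the
# sudoers file $1, expanding Cmnd_Alias definitions. It covers the syntax the
# recipe uses, not all of sudoers(5): no #include, User_Alias or %group rules.
sudoers_rules_for_user() {
    awk -v user="$2" '
    function emit(r, c, depth,    m, parts, j) {
        gsub(/^[ \t]+|[ \t]+$/, "", c)
        if (c in alias && depth < 5) {
            m = split(alias[c], parts, ",[ \t]*")
            for (j = 1; j <= m; j++) emit(r, parts[j], depth + 1)
        } else if (c != "") print r "\t" c
    }
    { sub(/#.*/, "") }                       # strip comments
    /^[ \t]*$/ { next }                      # skip blank lines
    $1 == "Cmnd_Alias" {
        line = $0; sub(/^[ \t]*Cmnd_Alias[ \t]+/, "", line)
        name = line; sub(/[ \t]*=.*/, "", name)
        list = line; sub(/^[^=]*=[ \t]*/, "", list)
        alias[name] = list; next
    }
    $1 == user {
        rest = $0; sub(/^[^=]*=[ \t]*/, "", rest)    # drop "user HOSTS="
        runas = "root"                               # sudoers default if no (runas)
        if (rest ~ /^\(/) {
            runas = rest; sub(/^\(/, "", runas); sub(/\).*/, "", runas)
            sub(/^\([^)]*\)[ \t]*/, "", rest)
        }
        while (rest ~ /^[A-Z]+:[ \t]*/) sub(/^[A-Z]+:[ \t]*/, "", rest)   # NOPASSWD: etc.
        n = split(rest, items, ",[ \t]*")
        for (i = 1; i <= n; i++) emit(runas, items[i], 0)
    }' "$1"
}

# Audit nrpe.cfg ($1) against a sudoers file ($2) for the nrpe user ($3).
# Prints one finding per line and returns 1 if there were any, 0 if clean.
audit_nrpe_sudo() {
    needed=$(sudo_plugins_in_nrpe_cfg "$1" | tr '\n' ' ')
    rules=$(sudoers_rules_for_user "$2" "$3")
    findings=$(
        # 1. every plugin nrpe wraps in sudo needs an exact rule, as root only
        for p in $needed; do
            printf '%s\n' "$rules" | grep -qxF "root${tab}${p}" ||
                echo "MISSING: no exact (root) rule for $p"
        done
        # 2. nothing granted in sudoers should go beyond that set
        printf '%s\n' "$rules" | while IFS="$tab" read -r runas cmd; do
            [ -n "$cmd" ] || continue
            case $runas in root) ;; *) echo "RUNAS: $cmd may run as ($runas); use (root)" ;; esac
            case $cmd in
                ALL) echo "ALL: $3 may run any command as $runas" ;;
                *'*'*|*'?'*) echo "GLOB: $cmd matches more than one program" ;;
            esac
            case " $needed " in *" $cmd "*) ;; *) echo "UNUSED: $cmd is never run via sudo in nrpe.cfg" ;; esac
        done
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Demo on the constructed samples. On a real target host, run e.g.
#   audit_nrpe_sudo /usr/local/nagios/etc/nrpe.cfg /etc/sudoers nagios
# as root, since /etc/sudoers is not world-readable.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_NRPE_CFG" > "$demo_dir/nrpe.cfg"
printf '%s\n' "$SAMPLE_SUDOERS" > "$demo_dir/sudoers"
audit_nrpe_sudo "$demo_dir/nrpe.cfg" "$demo_dir/sudoers" nagios ||
    echo "sudo policy for nagios needs attention"
rm -rf "$demo_dir"
```

On the constructed samples the audit reports check_disk as sudo-wrapped in nrpe.cfg without an exact rule, check_load as granted but never needed, and the wildcard rule for both its (ALL:ALL) runas and its glob. It is a policy check, not a full sudoers(5) parser: it does not follow #include directives or resolve %group and User_Alias rules, and it does not replace visudo -c for syntax checking.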

See also

  • The Monitoring local services on a remote machine with NRPE recipe in this chapter
  • The Using check_by_ssh with key authentication instead of NRPE recipe in this chapter