NRPE SECURITY README
====================

---

### TCP WRAPPER SUPPORT ###

NRPE 2.x includes native support for TCP wrappers. Once you
compile NRPE you can check to see if it has wrapper support
built in by running the daemon from the command line without
any arguments like this:

    ./nrpe --help

#### COMMAND ARGUMENTS ####

NRPE 2.0 includes the ability for clients to supply arguments to
commands which should be run. Please note that this feature
should be considered a security risk, and you should only use
it if you know what you're doing!

#### BASH COMMAND SUBSTITUTION ####

Even with the metacharacter restrictions below, if command arguments
are enabled, it is still possible to send bash command substitutions
in the form `$(...)` as an argument. This is explicitly disabled by
default, but can be enabled by a configure-time option and a
configuration file option. Enabling this option is **VERY RISKY**
and its use is **HIGHLY DISCOURAGED**.

#### ENABLING ARGUMENTS ####

To enable support for command arguments in the daemon, you must
do two things:

1. Run the configure script with the `--enable-command-args`
   option
2. Set the `dont_blame_nrpe` directive in the NRPE config
   file to `1`.

#### ENABLING BASH COMMAND SUBSTITUTION ####

To enable support for arguments containing bash command substitutions,
you must do the following:

1. Enable arguments as described above
2. Include the `--enable-bash-command-substitution` configure
   option when running the configure script
3. Set the `allow_bash_command_substitutions` directive in the
   NRPE config file to `1`.

#### ILLEGAL METACHARS ####

To help prevent some nasty things from being done by evil
clients, the following metacharacters are not allowed
in client command arguments:

    | ` & > < ' \ [ ] { } ; ! \r \n

Any client request which contains the above-mentioned metachars
is discarded.

#### USER/GROUP RESTRICTIONS ####

The NRPE daemon cannot be run with (effective) root user/group
privileges. You must run the daemon with an account that does
not have superuser rights. Use the `nrpe_user` and `nrpe_group`
directives in the config file to specify which user/group the
daemon should run as.

#### ENCRYPTION ####

If you do enable support for command arguments in the NRPE daemon,
make sure that you encrypt communications either by using:

1. Stunnel (see http://www.stunnel.org for more info)
2. Native SSL support (see the `README.SSL.md` file for more info)

*Do NOT* assume that just because the daemon is behind a firewall
that you are safe! Always encrypt NRPE traffic!

#### USING ARGUMENTS ####

How do you use command arguments? Well, let's say you define a
command in the NRPE config file that looks like this:

    command[check_users]=/usr/local/nagios/libexec/check_users -w $ARG1$ -c $ARG2$

You could then call the check_nrpe plugin like this:

    ./check_nrpe -H <host> -c check_users -a 5 10

The arguments '5' and '10' get substituted into the appropriate
$ARGx$ macros in the command ($ARG1$ and $ARG2$, respectively).
The command that would be executed by the NRPE daemon would look
like this:

    /usr/local/nagios/libexec/check_users -w 5 -c 10

You can supply up to 16 arguments to be passed to the command
for substitution in $ARG$ macros ($ARG1$ - $ARG16$).
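The argument policy described in the BASH COMMAND SUBSTITUTION, ILLEGAL METACHARS and USING ARGUMENTS sections, re-implemented as one added example in C. This is not NRPE's own code: the function names are this example's, the two config directives `dont_blame_nrpe` and `allow_bash_command_substitutions` are modelled as plain int flags, the metachar list and the 16-argument limit are taken from the text above, and the sample requests are constructed. It shows why the metachar filter alone does not stop `$(...)`: none of `$`, `(` or `)` is on the list, so substitution has to be gated separately.

```c
/*
 * Added example, not NRPE's own code: a small re-implementation of the
 * client-argument policy this README describes. Function names and the
 * int flags (dont_blame_nrpe, allow_bash_command_substitutions) are this
 * example's own modelling of the two config directives.
 */
#include <assert.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The metacharacters the README lists as illegal in client arguments. */
static const char NRPE_ILLEGAL_METACHARS[] = "|`&><'\\[]{};!\r\n";

/* README: up to 16 arguments ($ARG1$ - $ARG16$). */
#define NRPE_MAX_ARGS 16

/* 1 if arg contains any of the illegal metacharacters, else 0. */
int contains_illegal_metachars(const char *arg)
{
    return strpbrk(arg, NRPE_ILLEGAL_METACHARS) != NULL;
}

/* 1 if arg contains a "$(...)" style bash command substitution, else 0.
 * '$', '(' and ')' are NOT in the metachar list, which is why the README
 * treats substitution as a separately gated risk. */
int contains_bash_substitution(const char *arg)
{
    return strstr(arg, "$(") != NULL;
}

/* Decide whether a request carrying nargs client arguments is acceptable.
 * Returns 1 to accept, 0 to discard the request. */
int validate_args(const char **args, int nargs,
                  int dont_blame_nrpe, int allow_bash_command_substitutions)
{
    if (nargs > 0 && !dont_blame_nrpe)
        return 0;                       /* arguments not enabled at all */
    if (nargs > NRPE_MAX_ARGS)
        return 0;
    for (int i = 0; i < nargs; i++) {
        if (contains_illegal_metachars(args[i]))
            return 0;
        if (!allow_bash_command_substitutions && contains_bash_substitution(args[i]))
            return 0;
    }
    return 1;
}

/* Expand $ARG1$..$ARG16$ in a command template into out (outlen bytes).
 * A macro with no supplied argument expands to the empty string; all other
 * text is copied verbatim. Returns 0 on success, -1 if out is too small. */
int substitute_arg_macros(const char *command_template, const char **args,
                          int nargs, char *out, size_t outlen)
{
    size_t o = 0;
    const char *p = command_template;

    while (*p) {
        if (strncmp(p, "$ARG", 4) == 0 && isdigit((unsigned char)p[4])) {
            char *end;
            long n = strtol(p + 4, &end, 10);
            if (*end == '$' && n >= 1 && n <= NRPE_MAX_ARGS) {
                const char *val = (n <= nargs) ? args[n - 1] : "";
                size_t vl = strlen(val);
                if (o + vl >= outlen)
                    return -1;
                memcpy(out + o, val, vl);
                o += vl;
                p = end + 1;            /* skip the closing '$' */
                continue;
            }
        }
        if (o + 1 >= outlen)
            return -1;
        out[o++] = *p++;
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs: the README's check_users command and three requests. */
    const char *tmpl = "/usr/local/nagios/libexec/check_users -w $ARG1$ -c $ARG2$";
    const char *ok[]  = { "5", "10" };
    const char *bad[] = { "5", "10;" };          /* ';' is an illegal metachar */
    const char *sub[] = { "$(hostname)", "10" }; /* passes the metachar check */
    char cmd[256];

    if (validate_args(ok, 2, 1, 0) && substitute_arg_macros(tmpl, ok, 2, cmd, sizeof cmd) == 0)
        printf("accepted: %s\n", cmd);
    printf("request with ';' accepted: %d\n", validate_args(bad, 2, 1, 0));
    printf("request with $(...) accepted, substitution off: %d\n", validate_args(sub, 2, 1, 0));
    printf("request with $(...) accepted, substitution on:  %d\n", validate_args(sub, 2, 1, 1));
    return 0;
}
```

With both directives at their defaults (`0`) every request carrying arguments is discarded; with `dont_blame_nrpe=1` the metachar list is the only filter, and `$(hostname)` passes it unless `allow_bash_command_substitutions` is also left at `0`, which is the case the README warns about.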