debmon/nagios-nrpe
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: debmon:upstream/3.1.0
Branches Tags
debmon:master debmon:pristine-tar debmon:upstream
debmon:upstream/3.2.1 debmon:upstream/3.1.1 debmon:debian/3.1.1-1 debmon:upstream/3.1.0 debmon:debian/3.0.1-3 debmon:upstream/3.0.1 debmon:debian/2.15-200 debmon:debian/2.15-20 debmon:upstream/2.15 debmon:debian/2.15-1.1 debmon:debian/2.15-1
..
compare: debmon:debian/3.1.1-1
Branches Tags
debmon:master debmon:pristine-tar debmon:upstream
debmon:upstream/3.2.1 debmon:upstream/3.1.1 debmon:debian/3.1.1-1 debmon:upstream/3.1.0 debmon:debian/3.0.1-3 debmon:upstream/3.0.1 debmon:debian/2.15-200 debmon:debian/2.15-20 debmon:upstream/2.15 debmon:debian/2.15-1.1 debmon:debian/2.15-1

11 Commits
upstream/3 ... debian/3.1

Author SHA1 Message Date
Bas Couwenberg
4fa3978984 Imported Debian patch 3.1.1-1 2017-06-20 10:37:07 +02:00
Mario Fetka
02b430a86c Imported Upstream version 3.1.1 2017-06-20 10:37:07 +02:00
Mario Fetka
006f9bb7a7 repro 2017-05-15 18:15:06 +02:00
Mario Fetka
0c237de993 no need for reproduciable builds 2017-05-15 17:44:13 +02:00
Mario Fetka
3329da6517 make compatible with wheezy 2017-05-04 12:11:39 +02:00
Mario Fetka
a8ad76cab8 activate commadn args 2017-05-04 11:55:17 +02:00
Bas Couwenberg
9a2dafa86c Imported Debian patch 3.0.1-3 2017-05-04 11:53:59 +02:00
Mario Fetka
373f63f6da Bump 2016-06-24 15:52:55 +02:00
Mario Fetka
0afb0709bc Bump 2016-06-24 15:26:31 +02:00
Mario Fetka
b07a1cc554 add command args 2016-06-24 12:24:47 +02:00
Alexander Wirt
3864e8204a Imported Debian patch 2.15-1 2016-06-24 12:21:25 +02:00
43 changed files with 1211 additions and 89 deletions
Expand all files Collapse all files

17
Changelog
View File

@@ -2,7 +2,22 @@
NRPE Changelog
**************
3.x.x - 201x-xx-xx
3.1.1 - 2017-05-24
------------------
FIXES
- The '--log-file=' or '-g' option is missing from the help (John Frickson)
- check_nrpe = segfault when specifying a config file (John Frickson)
- Alternate log file not being used soon enough (John Frickson)
- Unable to compile v3.1.0rc1 with new SSL checks on rh5 (John Frickson)
- Unable to compile nrpe-3.1.0 - undefined references to va_start, va_end (John Frickson)
- Can't build on Debian Stretch, openssl 1.1.0c (John Frickson)
- Fix build failure with -Werror=format-security (Bas Couwenberg)
- Fixed a typo in `nrpe.spec.in` (John Frickson)
- More detailed error logging for SSL (John Frickson)
- Fix infinite loop when unresolvable host is in allowed_hosts (Nick / John Frickson)
3.1.0 - 2017-04-17
------------------
ENHANCEMENTS
- Added option to nrpe.cfg.in that can override hard-coded NASTY_METACHARS (John Frickson)

66
configure vendored
View File

@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for nrpe 3.1.0-rc1.
# Generated by GNU Autoconf 2.69 for nrpe 3.1.1.
#
# Report bugs to <nagios-users@lists.sourceforge.net>.
#
@@ -580,8 +580,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='nrpe'
PACKAGE_TARNAME='nrpe'
PACKAGE_VERSION='3.1.0-rc1'
PACKAGE_STRING='nrpe 3.1.0-rc1'
PACKAGE_VERSION='3.1.1'
PACKAGE_STRING='nrpe 3.1.1'
PACKAGE_BUGREPORT='nagios-users@lists.sourceforge.net'
PACKAGE_URL='https://www.nagios.org/downloads/nagios-core-addons/'
@@ -757,6 +757,7 @@ with_logdir
with_piddir
with_pipedir
enable_ssl
with_need_dh
with_ssl
with_ssl_inc
with_ssl_lib
@@ -1319,7 +1320,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures nrpe 3.1.0-rc1 to adapt to many kinds of systems.
\`configure' configures nrpe 3.1.1 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1369,7 +1370,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of nrpe 3.1.0-rc1:";;
short | recursive ) echo "Configuration of nrpe 3.1.1:";;
esac
cat <<\_ACEOF
@@ -1422,6 +1423,7 @@ Optional Packages:
--with-logdir=DIR where log files should be placed
--with-piddir=DIR where the PID file should be placed
--with-pipedir=DIR where socket and pipe files should be placed
--with-need-dh set to 'no' to not include Diffie-Hellman SSL logic
--with-ssl=DIR sets location of the SSL installation
--with-ssl-inc=DIR sets location of the SSL include files
--with-ssl-lib=DIR sets location of the SSL libraries
@@ -1514,7 +1516,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
nrpe configure 3.1.0-rc1
nrpe configure 3.1.1
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2120,7 +2122,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by nrpe $as_me 3.1.0-rc1, which was
It was created by nrpe $as_me 3.1.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -2485,9 +2487,9 @@ ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var.
PKG_NAME=nrpe
PKG_VERSION="3.1.0-rc1"
PKG_VERSION="3.1.1"
PKG_HOME_URL="http://www.nagios.org/"
PKG_REL_DATE="2017-04-06"
PKG_REL_DATE="2017-05-24"
RPM_RELEASE=1
LANG=C
@@ -3020,29 +3022,29 @@ fi
inetd_disabled=""
if test x"$init_type" = "xupstart"; then
inetd_type="upstart"
elif test "$opsys" = "osx"; then
inetd_type="launchd"
fi
if test x"$inetd_type" = x; then
case $dist_type in #(
case $dist_type in #(
solaris) :
if test x"$init_type" = "xsmf10" -o x"$init_type" = "xsmf11"; then
inetd_type="$init_type"
else
inetd_type="inetd"
fi ;; #(
inetd_type="$init_type"
else
inetd_type="inetd"
fi ;; #(
*bsd*) :
inetd_type=`ps -A -o comm -c | grep inetd` ;; #(
osx) :
inetd_type=`launchd` ;; #(
aix|hp-ux) :
inetd_type=`UNIX95= ps -A -o comm | grep inetd | head -1` ;; #(
*) :
inetd_type=`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND` ;; #(
inetd_type=`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND | head -1` ;; #(
*) :
;;
esac
if test x"$inetd_type" = x; then
if test x"$init_type" = "xupstart"; then
inetd_type="upstart"
fi
fi
if test x"$inetd_type" = x; then
@@ -4346,7 +4348,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by nrpe $as_me 3.1.0-rc1, which was
This file was extended by nrpe $as_me 3.1.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -4400,7 +4402,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
nrpe config.status 3.1.0-rc1
nrpe config.status 3.1.1
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
@@ -7278,9 +7280,19 @@ else
fi
need_dh=yes
# Check whether --with-need_dh was given.
if test "${with_need_dh+set}" = set; then :
withval=$with_need_dh; need_dh=$withval
else
nrpe_group=need_dh
fi
if test x$check_for_ssl = xyes; then
# need_dh should only be set for NRPE
need_dh=yes
# need_dh=yes
# -------------------------------
@@ -8272,7 +8284,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by nrpe $as_me 3.1.0-rc1, which was
This file was extended by nrpe $as_me 3.1.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -8335,7 +8347,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
nrpe config.status 3.1.0-rc1
nrpe config.status 3.1.1
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"

14
configure.ac
View File

@@ -5,15 +5,15 @@ define([AC_CACHE_LOAD],)
define([AC_CACHE_SAVE],)
m4_include([build-aux/custom_help.m4])
AC_INIT([nrpe],[3.1.0-rc1],[nagios-users@lists.sourceforge.net],[nrpe],[https://www.nagios.org/downloads/nagios-core-addons/])
AC_INIT([nrpe],[3.1.1],[nagios-users@lists.sourceforge.net],[nrpe],[https://www.nagios.org/downloads/nagios-core-addons/])
AC_CONFIG_SRCDIR([src/nrpe.c])
AC_CONFIG_AUX_DIR([build-aux])
AC_PREFIX_DEFAULT(/usr/local/nagios)
PKG_NAME=nrpe
PKG_VERSION="3.1.0-rc1"
PKG_VERSION="3.1.1"
PKG_HOME_URL="http://www.nagios.org/"
PKG_REL_DATE="2017-04-06"
PKG_REL_DATE="2017-05-24"
RPM_RELEASE=1
LANG=C
@@ -304,10 +304,16 @@ AC_ARG_ENABLE([ssl],
fi
],check_for_ssl=yes)
need_dh=yes
AC_ARG_WITH([need_dh],
AS_HELP_STRING([--with-need-dh],[set to 'no' to not include Diffie-Hellman SSL logic]),
[need_dh=$withval],
[nrpe_group=need_dh])
dnl Optional SSL library and include paths
if test x$check_for_ssl = xyes; then
# need_dh should only be set for NRPE
need_dh=yes
# need_dh=yes
AC_NAGIOS_GET_SSL
fi

67
debian/NEWS vendored Normal file
View File

@@ -0,0 +1,67 @@
nagios-nrpe (3.0.1-1) unstable; urgency=medium
The check_nrpe command definition has been updated to remove the
arguments option, because nagios-nrpe-server does not support
command arguments since 2.15-1. And the check_nrpe_1arg command
definition has been removed.
If you're using the check_nrpe_1arg command in your Nagios/Icinga
configuration, you need to replace it with check_nrpe.
SSL support is disabled by default, the reworked SSL/TLS support in
NRPE requires configuration before it can be used. Read the
instructions in /usr/share/doc/nagios-nrpe-server/README.SSL.md.gz
before enabling SSL support in /etc/default/nagios-nrpe-server.
The default check_nrpe command in check_nrpe.cfg has been updated
to disable SSL by default too. The check_nrpe_ssl command has been
added to connect to the NRPE daemon over SSL.
Beware that the new NRPE daemon only works with old check_nrpe
plugins when SSL support is disabled on both sides, likewise the
new check_nrpe plugin only works with the old NRPE daemon when SSL
support is disabled.
To use SSL between the NRPE client and server, configuring Stunnel
is recommended.
-- Bas Couwenberg <sebastic@debian.org> Mon, 05 Dec 2016 01:16:46 +0100
nagios-nrpe (2.15-1) unstable; urgency=high
This update disables the command-args support in nrpe. The feature
has several security problems and is often used wrong. If you have to
use this feature recompile the package with --enable-command-args
in debian/rules.
-- Alexander Wirt <formorer@debian.org> Tue, 15 Jul 2014 09:52:48 +0200
nagios-nrpe (2.12-4) unstable; urgency=low
The pidfile creation mechanism changed with this update. If you do not
add "pid_file=/var/run/nagios/nrpe.pid" to you nrpe config take care that
the user "nagios" is able to write to your pidfile location. You can also
change the initscript to create the pid directory on your own.
-- Alexander Wirt <formorer@debian.org> Tue, 07 Jul 2009 07:42:13 +0200
nagios-nrpe (2.12-3) unstable; urgency=low
The homedirectory of the nagios user moved to /var/lib/nagios
which is now common on all nagios related packages. Its recommended
that you migrate an already existing nagios user to use /var/lib/nagios
as homedirectory.
-- Alexander Wirt <formorer@debian.org> Sat, 21 Mar 2009 09:08:58 +0100
nagios-nrpe (2.4-1) unstable; urgency=low
the nagios-nrpe-doc package is no longer provided. the documentation
can now be found in /usr/share/doc/nagios-nrpe-{server|plugins}. new
versions of the plugin and server packages conflict with the doc
package to prevent the old (and possibly incorrect in the future)
documentation from remaining. to fully purge all information about
the package you should run:
dpkg -P nagios-nrpe-doc
-- sean finney <seanius@debian.org> Mon, 13 Mar 2006 15:47:47 +0100

23
debian/README.Debian vendored Normal file
View File

@@ -0,0 +1,23 @@
NRPE
----
Put any local check command you need into /etc/nagios/nrpe_local.cfg or
as a *.cfg file in /etc/nagios/nrpe.d/
These files are included from the /etc/nagios/nrpe.cfg
This package is built without support for command argument processing. If you
want to enable it, you will have to rebuild this package with
--enable-command-args in debian/rules.
The feature has several security problems and should not be used. If you
really need some dynamic argument processing try check_by_ssh or something
similar.
Do not rely on SSL mode for security
------------------------------------
NRPE contains an SSL mode which encrypts the data over the NRPE channel.
The current implementation does not verify client or server and uses
pregenerated key data by default. It cannot be fixed right away because
it would break the existing NRPE protocol.
Please refer to the file SECURITY.md in this directory for more information.

5
debian/TODO vendored Normal file
View File

@@ -0,0 +1,5 @@
TODO
====
Add a nagios-common package which ships a user and homedir

424
debian/changelog vendored Normal file
View File

@@ -0,0 +1,424 @@
nagios-nrpe (3.1.1-1) unstable; urgency=medium
* Move from experimental to unstable.
-- Bas Couwenberg <sebastic@debian.org> Sun, 18 Jun 2017 13:39:05 +0200
nagios-nrpe (3.1.1-1~exp1) experimental; urgency=medium
* New upstream release.
* Drop format-security.patch, applied upstream.
* Use --with-need-dh=no configure option instead of patch.
-- Bas Couwenberg <sebastic@debian.org> Sat, 27 May 2017 10:57:03 +0200
nagios-nrpe (3.1.0-1~exp1) experimental; urgency=medium
* New upstream release.
(closes: #849417, #445976, #691328)
* Fix typo in manpage.
(closes: #856658)
* Drop 10_reproducible_build.patch, applied upstream.
Refresh remaining patches.
* Update build dependency for OpenSSL 1.1.0.
(closes: #859223)
* Add patch to fix FTBFS with -Werror=format-security.
-- Bas Couwenberg <sebastic@debian.org> Wed, 19 Apr 2017 19:28:05 +0200
nagios-nrpe (3.0.1-3) unstable; urgency=medium
* Add reload command to systemd service file.
* Make missing EnvironmentFile non-fatal in systemd service.
-- Bas Couwenberg <sebastic@debian.org> Sat, 24 Dec 2016 10:24:09 +0100
nagios-nrpe (3.0.1-2) unstable; urgency=medium
* Add systemd service file and tmpfiles.d configuration.
(closes: #665422)
* Update nrpe manpage to include new options.
-- Bas Couwenberg <sebastic@debian.org> Fri, 23 Dec 2016 23:15:19 +0100
nagios-nrpe (3.0.1-1) unstable; urgency=medium
* Update check_nrpe.cfg to remove command with arguments.
(LP: #975918)
* Disable SSL support by default, requires configuration.
It also doesn't work well with old check_nrpe versions.
* Move from experimental to unstable.
-- Bas Couwenberg <sebastic@debian.org> Fri, 09 Dec 2016 00:15:29 +0100
nagios-nrpe (3.0.1-1~exp1) experimental; urgency=medium
[ Alexander Wirt ]
* Sync uploaders with reality.
(closes: #773441)
[ Bas Couwenberg ]
* New upstream release.
- Reworked SSL/TLS. See the README.SSL.md file for full info.
(closes: #547092)
* Add myself to Uploaders.
* Add Vcs-* fields to control file.
(closes: #755507)
* Change nagios-plugins dependencies to monitoring-plugins.
* Switch from dpatch to source format 3.0 (quilt).
(closes: #756410)
* Drop obsolete patch: 04_weird_output.dpatch.
* Restructure control file with cme.
* Reorder (build) dependencies.
* Add Homepage field to control file.
* Update copyright file using copyright-format 1.0.
* Add gbp.conf to use pristine-tar by default.
* Update build dependency to use openssl 1.0.
* Enable all hardening buildflags.
(closes: #728218)
* Enable parallel builds.
* Suggest xinetd | inetd.
(closes: #662247)
* Include PDF & ODT documentation in docs.
(closes: #662249)
* Update watch file to handle common issues.
* Add upstream metadata.
* Merge nrpe.cfg patches into single patch.
(closes: #660583)
* Use configure option to set custom PID directory instead of patch.
* Drop 09_noremove_pid.patch, fixed upstream. Refresh remaining patches.
* Add patch to use pre-generated dh.h for reproducible builds.
* Override dh_auto_build to build all targets.
* Use dh-autoreconf instead of autotools-dev.
* Use exit status 0 in init script when inetd is configured.
(closes: #775924)
* Include README.SSL.md in docs.
* Bump Standards-Version to 3.9.8, changes:
Vcs-* fields, copyright-format 1.0.
[ Benjamin Drung ]
* Use dh_auto_configure to enable default hardening flags.
(closes: #843805)
* Fix copyright-refers-to-symlink-license.
(closes: #756414)
[ Chris Lamb ]
* Make the build reproducible.
(closes: #834857)
-- Bas Couwenberg <sebastic@debian.org> Sun, 04 Dec 2016 18:36:54 +0100
nagios-nrpe (2.15-1) unstable; urgency=high
* [f2cea9f] Imported Upstream version 2.15
* [023e909] Disable command-args in nrpe. (Closes: #745272)
* [6369220] Use restorecon to set SE Linux context on $PIDDIR
(Closes: #679241)
* [a484e7d] Switch order of nagios-plugins recommends to prefer -basic.
(Closes: #752243)
* [b1ef043] Don't recommend a core implementation for the plugin
* [16dbf01] Remove obsolete patch
* [694b804] Remove luk from uploaders. (Closes: #719636)
* [28d9004] Remove obsolete patch
* [86ea67e] 08_CVE-2013-1362.dpatch is now obsolete
* [74e3b07] Refresh patches
* [1258ab2] Reword NEWS entry
* [744eec6] configure is buggy: --disable- in fact enables a feautre.
* [eec54b6] Adjust README.Debian for the removal or argument processing
-- Alexander Wirt <formorer@debian.org> Tue, 15 Jul 2014 18:30:36 +0200
nagios-nrpe (2.13-4) unstable; urgency=low
* [dcffec6] Do not remove the PID file after a connection error.
Original patch from Hiren Patel. (Closes: #716949)
-- Bernd Zeimetz <bzed@debian.org> Mon, 15 Jul 2013 16:07:54 +0200
nagios-nrpe (2.13-3) unstable; urgency=high
* [e55afd1] Add 08_CVE-2013-1362.dpatch patch.
If command arguments are enabled in the NRPE configuration, it was
possible to pass $() as arguments as the checking for nasty caracters
was not strict enough to catch $(). This allowed executing shell
commands under a subprocess and pass the output as a parameter to the
called script (if run under bash). CVE-2013-1362 (Closes: #701227)
-- Alexander Wirt <formorer@debian.org> Sat, 09 Mar 2013 08:42:05 +0100
nagios-nrpe (2.13-2) unstable; urgency=high
[ Thijs Kinkhorst ]
* Add warning about the inadequateness of the 'ssl' option.
-- Alexander Wirt <formorer@debian.org> Mon, 11 Feb 2013 17:45:20 +0100
nagios-nrpe (2.13-1) unstable; urgency=low
* [3e113b5] Imported Upstream version 2.13
* [acc152b] Bump standards version
* [c707bce] Use dh9 for hardening
* Updated patches
-- Alexander Wirt <formorer@debian.org> Sat, 30 Jun 2012 11:08:22 +0200
nagios-nrpe (2.12-6) unstable; urgency=low
* [36b1062] Add add icinga to the list of recommends
* [a698acb] Don't remove homedirectory of the nagios user (Closes: #665845)
* [4dc53fb] Use retry argument for start-stop-daemon when stopping nrpe
(Closes: #650464)
-- Alexander Wirt <formorer@debian.org> Mon, 30 Apr 2012 09:25:45 +0200
nagios-nrpe (2.12-5) unstable; urgency=low
[ Alexander Wirt ]
* [e3af3bd] Bump compat to 8
* [4f9e892] Add versioned depends to dpatch for sequence support
* [5ec5a3b] Install example nrpe_local.cfg
* [69ea7b9] Move rules file to dh
* [298f725] Use autotools_dev dh sequence helper
* [10da37d] Bump debhelper dependency to 8
* [2b009ae] Bump standards version
* [4d093e3] Ignore usermod failure (Closes: #538894)
* [e776f7b] Use pidfile for start-stop-daemon and fix pidfile deletion
(Closes: #548157, #639523)
* [8050c97] Support multiarch in rulesfile (Closes: #642790)
* [027274f] Use pidfile for start-stop-daemon in start()
* [1f69c63] Support status in nrpe initscript
* [42ccdcc] Add a comment to nrpe.cfg that snipplets have to end .cfg
(Closes: #641933)
[ Jan Wagner ]
* [0a80fdb] Update debian/README.Debian about conf.d/
-- Alexander Wirt <formorer@debian.org> Sun, 25 Sep 2011 08:35:48 +0200
nagios-nrpe (2.12-4) unstable; urgency=low
* Build against libwrap0-dev (Closes: #412705)
* Remove 'last modified header' from nrpe config (Closes: #499280)
* Create /etc/nagios/nrpe.d (Closes: #505700, #474333)
* Fix pidfile handling (Closes: #411046)
* Add newer config.{guess,sub} (Closes: #535737)
- Build-depend on autotools-dev
* Delete /var/lib/nagios if empty after purge (Closes: #527069)
* Bump standards version (add README.source)
* Bump dh_compat version (remove -k from dh_clean)
-- Alexander Wirt <formorer@debian.org> Mon, 06 Jul 2009 07:08:26 +0200
nagios-nrpe (2.12-3.1) unstable; urgency=low
* Non-maintainer upload.
* Fix bashism (Closes: #530149).
-- Raphael Geissert <geissert@debian.org> Sat, 04 Jul 2009 20:23:23 -0500
nagios-nrpe (2.12-3) unstable; urgency=low
* Sync homedirectory of the nagios user with the nagios3 package
(Closes: #479051)
* Removed now empty nagios-nrpe-plugins.post* scripts
-- Alexander Wirt <formorer@debian.org> Sat, 21 Mar 2009 09:33:39 +0100
nagios-nrpe (2.12-2) unstable; urgency=low
* Add myself to uploaders.
* Clean buffer before use (Closes: #498749).
* Remove pid file before creating a new ones (Closes: #411046).
* Include inetd support (Closes: #409772).
-- Luk Claes <luk@debian.org> Sun, 14 Sep 2008 16:04:17 +0200
nagios-nrpe (2.12-1) unstable; urgency=low
* Support an nrpe.d config directory in addition to nrpe_local.cfg
(Closes: #474333)
* Add myself to uploaders
* Add watch file
* New upstream version (Closes: #475081)
* Acknowledge NMU from Chris Lamb (Closes: #484412)
* Recommend Nagios 3 instead of Nagios 2
* Update copyright file
* Use the same homedir as nagios3 (Closes: #479051)
-- Alexander Wirt <formorer@debian.org> Wed, 06 Aug 2008 20:33:57 +0200
nagios-nrpe (2.8.1-1.1) unstable; urgency=medium
* Non-maintainer upload.
* Fix bashism in debian/rules (Closes: #484412)
* Bump Standards-Version to 3.8.0.
-- Chris Lamb <chris@chris-lamb.co.uk> Sat, 12 Jul 2008 01:09:21 +0100
nagios-nrpe (2.8.1-1) unstable; urgency=low
* New upstream release
* bump Recommends to nagios2, thanks to Henning Sprang
for suggesting this (closes: #399856).
* fix typo in package description, thanks to Tilman Koschnick for
noticing this (closes: #419130).
-- sean finney <seanius@debian.org> Sat, 12 May 2007 12:27:30 +0200
nagios-nrpe (2.5.1-3) unstable; urgency=high
* apparently we were already including another default file
without installing it, and some people were using it. so
now we include this one as well as the new default, with this
one taking precedence since it was there first. thanks to
Peter Palfrader for catching this (closes: #398914).
-- sean finney <seanius@debian.org> Fri, 17 Nov 2006 09:17:55 +0100
nagios-nrpe (2.5.1-2) unstable; urgency=low
* include a /etc/default/nagios-nrpe-server where variables
such as DAEMON_OPTS can be set (closes: #396709).
* bump standards version to 3.7.2
* add pre-depends on adduser
* LSB-ize init script, and add dependency on lsb-base
-- sean finney <seanius@debian.org> Sat, 04 Nov 2006 17:38:34 +0100
nagios-nrpe (2.5.1-1) unstable; urgency=low
* new upstream release. includes fix from Peter Palfrader to catch
invalid free()'s when nrpe is called with --no-ssl (closes: #361233).
-- sean finney <seanius@debian.org> Sun, 14 May 2006 21:38:48 -0500
nagios-nrpe (2.4-2) unstable; urgency=low
[sean finney]
* removing nrpe_local.cfg caused trouble for some people, so
i've added it back in (closes: #360093).
-- sean finney <seanius@debian.org> Fri, 31 Mar 2006 07:02:31 +0200
nagios-nrpe (2.4-1) unstable; urgency=low
* new upstream release.
[sean finney]
* (NEEDS TESTING) move away from cdbs for my own sanity.
* add build-dependency on dpatch.
* no longer create nrpe_local.cfg. no reason to have it.
* remove postinst script for nagios-nrpe-server, as all it
did was touch the previously mentioned file.
* upstream has incorporated the following patches:
- 02_global-cmd-prefix.dpatch
- 03_nrpe-trailing-whitespace.dpatch
* check_nrpe -h provides what "-a" does, but i've gone ahead and
added a comment in check_nrpe.cfg too, because it can't hurt
to do so :) (closes: #351714).
* no longer generate the nagios-nrpe-doc package, and move copies of
the documentation into the plugin and server packages. add a
Conflicts: nagios-nrpe-doc to the remaining packages to ensure
that the stale package doesn't remain. NEWS.Debian also mentions
this and instructs the admin to purge the package too.
-- sean finney <seanius@debian.org> Tue, 24 Jan 2006 18:16:54 +0100
nagios-nrpe (2.2-1) unstable; urgency=low
* new upstream release.
[sean finney]
* debian packaging source repository is now migrated to svn.
* updated 01_nodevrandom-and-docoptions.dpatch and
02_global-cmd-prefix.dpatch to apply against the latest
upstream version.
* nrpe.cfg has moved location in the upstream tarball.
* introduced 03_nrpe-trailing-whitespace.dpatch to fix regression
in config file parsing until upstream incorporates it.
-- sean finney <seanius@debian.org> Tue, 24 Jan 2006 17:52:54 +0100
nagios-nrpe (2.0-9) unstable; urgency=low
* Sean Finney:
- nagios-nrpe has now joined forces with the debian pkg-nagios
project, updated Maintainer and Uploaders field accordingly.
- provide check_nrpe_1arg command definition so that one can call
check_nrpe both with and without arguments to the cmds
(closes: #248424).
- changed nagios-nrpe-server's Recommends on nagios-plugins to reflect
the upcoming new nagios-plugins layout.
- changed nagios-nrpe-plugin's Depends on nagios to a Recommends.
- building issues seem to be resolved on arm now (closes: #259442).
- updated Standards-Version to 3.6.2
- included patch from joerg and weasel to document some cmdline options
and provide a better alternative to reading a random byte from
/dev/random (closes: #333552).
- included "global command prefix" patch from joerg jaspert
(closes: #332253).
-- sean finney <seanius@debian.org> Tue, 25 Oct 2005 10:04:59 -0400
nagios-nrpe (2.0-8) unstable; urgency=low
* debian/control: change depends on nagios-plugins, to recommends.
(closes: #327199)
-- Jason Thomas <jason@debian.org> Mon, 10 Oct 2005 08:07:57 +1000
nagios-nrpe (2.0-7) unstable; urgency=high
* The previous upload fixes a bug that breaks the install of this package so
this is a new upload with a high urgency to try and get it into sarge.
-- Jason Thomas <jason@debian.org> Thu, 19 Aug 2004 22:47:40 +1000
nagios-nrpe (2.0-6) unstable; urgency=low
* nagios plugin config dir changed to etc/nagios-plugins/configs/
(closes: #266826)
-- Jason Thomas <jason@debian.org> Thu, 19 Aug 2004 21:17:28 +1000
nagios-nrpe (2.0-5) unstable; urgency=low
* debian/nagios-nrpe-server.preinst: added code to create nagios user and
group.
(closes: #248995, #241168)
-- Jason Thomas <jason@debian.org> Sat, 15 May 2004 12:02:35 +1000
nagios-nrpe (2.0-4) unstable; urgency=low
* debian/nagios-nrpe-server.init.d: added missing -d to restart.
(closes: #248797)
* debian/nrpe.1: renamed to nrpe.8
* debian/nagios-nrpe-server.manpages: changed nrpe.1 to nrpe.8
* debian/dirs: deleted it as its not needed.
-- Jason Thomas <jason@debian.org> Fri, 14 May 2004 14:05:03 +1000
nagios-nrpe (2.0-3) unstable; urgency=low
* debian/nagios-nrpe-server.init.d: added --oknodo to stop commands which
will make upgrades and purges clean.
-- Jason Thomas <jason@debian.org> Wed, 24 Mar 2004 13:09:00 +1100
nagios-nrpe (2.0-2) unstable; urgency=low
* debian/control: added build-depends cdbs
(closes: #230943)
* debian/control: nagios-nrpe-server now conflicts netsaint-nrpe-server
(closes: #230303)
-- Jason Thomas <jason@debian.org> Wed, 11 Feb 2004 09:27:01 +1100
nagios-nrpe (2.0-1) unstable; urgency=low
* Initial Release.
(closes: #209124)
-- Jason Thomas <jason@debian.org> Wed, 14 Jan 2004 16:13:36 +1100

11
debian/check_nrpe.cfg vendored Normal file
View File

@@ -0,0 +1,11 @@
# this command runs a program $ARG1$ with no arguments and disables SSL support
define command {
command_name check_nrpe
command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ -n
}
# this command runs a program $ARG1$ with no arguments and enables SSL support
define command {
command_name check_nrpe_ssl
command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}

1
debian/compat vendored Normal file
View File

@@ -0,0 +1 @@
9

47
debian/control vendored Normal file
View File

@@ -0,0 +1,47 @@
Source: nagios-nrpe
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Uploaders: Bas Couwenberg <sebastic@debian.org>
Section: net
Priority: optional
Build-Depends: debhelper (>= 9),
dh-autoreconf,
dh-systemd,
libssl-dev,
libwrap0-dev,
openssl
Standards-Version: 3.9.8
Vcs-Browser: https://anonscm.debian.org/cgit/pkg-nagios/pkg-nrpe.git
Vcs-Git: https://anonscm.debian.org/git/pkg-nagios/pkg-nrpe.git
Homepage: https://github.com/NagiosEnterprises/nrpe
Package: nagios-nrpe-server
Architecture: any
Depends: lsb-base,
${shlibs:Depends},
${misc:Depends}
Recommends: monitoring-plugins-basic | monitoring-plugins
Suggests: xinetd | inetd
Pre-Depends: adduser
Conflicts: nagios-nrpe-doc
Description: Nagios Remote Plugin Executor Server
Nagios is a host/service/network monitoring and management system.
.
The purpose of this addon is to allow you to execute Nagios plugins on a
remote host in as transparent a manner as possible.
.
This program runs as a background process on the remote host and processes
command execution requests from the check_nrpe plugin on the Nagios host.
Package: nagios-nrpe-plugin
Architecture: any
Depends: ${shlibs:Depends},
${misc:Depends}
Conflicts: nagios-nrpe-doc
Description: Nagios Remote Plugin Executor Plugin
Nagios is a host/service/network monitoring and management system.
.
The purpose of this addon is to allow you to execute Nagios plugins on a
remote host in as transparent a manner as possible.
.
This is a plugin that is run on the Nagios host and is used to contact the
NRPE process on remote hosts.

78
debian/copyright vendored Normal file
View File

@@ -0,0 +1,78 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: NRPE
Upstream-Contact: Nagios Users List <nagios-users@lists.nagios.com>
Source: https://github.com/NagiosEnterprises/nrpe
Files: *
Copyright: 1999-2008, Ethan Galstad (nagios@nagios.org)
2009, Nagios Core Development Team and Community Contributors
License: GPL-2+ with OpenSSL exception
Files: include/acl.h
src/acl.c
Copyright: 2011, Kaspersky Lab ZAO
License: GPL-2+
Files: src/snprintf.c
Copyright: Patrick Powell 1995
License: attribution
This code is based on code written by Patrick Powell (papowell@astart.com)
It may be used for any purpose as long as this notice remains intact
on all source code distributions
Files: debian/*
Copyright: 2004, Jason Thomas <jason@debian.org>
License: GPL-2+
License: GPL-2+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
.
On Debian systems, the complete text of version 2 of the GNU General
Public License can be found in `/usr/share/common-licenses/GPL-2'.
License: GPL-2+ with OpenSSL exception
This program is free software; you can redistribute it
and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later
version.
.
In addition, as a special exception, the author of this
program gives permission to link the code of its
release with the OpenSSL project's "OpenSSL" library (or
with modified versions of it that use the same license as
the "OpenSSL" library), and distribute the linked
executables. You must obey the GNU General Public
License in all respects for all of the code used other
than "OpenSSL". If you modify this file, you may extend
this exception to your version of the file, but you are
not obligated to do so. If you do not wish to do so,
delete this exception statement from your version.
.
This program is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more
details.
.
You should have received a copy of the GNU General Public
License along with this package; if not, write to the Free
Software Foundation, Inc., 51 Franklin St, Fifth Floor,
Boston, MA 02110-1301 USA
.
On Debian systems, the full text of the GNU General Public
License version 2 can be found in the file
`/usr/share/common-licenses/GPL-2'.

1
debian/dirs vendored Normal file
View File

@@ -0,0 +1 @@
/etc/nagios/nrpe.d

16
debian/gbp.conf vendored Normal file
View File

@@ -0,0 +1,16 @@
[DEFAULT]
# The default name for the upstream branch is "upstream".
# Change it if the name is different (for instance, "master").
upstream-branch = upstream
# The default name for the Debian branch is "master".
# Change it if the name is different (for instance, "debian/unstable").
debian-branch = master
# git-import-orig uses the following names for the upstream tags.
# Change the value if you are not using git-import-orig
upstream-tag = upstream/%(version)s
# Always use pristine-tar.
pristine-tar = True

2
debian/nagios-nrpe-plugin.install vendored Normal file
View File

@@ -0,0 +1,2 @@
src/check_nrpe usr/lib/nagios/plugins/
debian/check_nrpe.cfg etc/nagios-plugins/config/

9
debian/nagios-nrpe-plugin.postrm vendored Normal file
View File

@@ -0,0 +1,9 @@
#!/bin/sh
set -e
if [ "$1" = purge ]; then
test -d /var/lib/nagios && rmdir /var/lib/nagios || true #ignore non-failure errors
fi
#DEBHELPER#

18
debian/nagios-nrpe-server.default vendored Normal file
View File

@@ -0,0 +1,18 @@
# defaults file for nagios-nrpe-server
# (this file is a /bin/sh compatible fragment)
# NRPE_OPTS are any extra cmdline parameters you'd like to pass along to the
# nrpe daemon.
#
# The -n option disables SSL support.
# Don't remove this option before configuring SSL in /etc/nagios/nrpe.cfg!
# See /usr/share/doc/nagios-nrpe-server/README.SSL.md.gz for instructions.
NRPE_OPTS="-n"
# NICENESS is if you want to run the server at a different nice() priority.
# (only used by the init script)
#NICENESS=5
# INETD is if you want to run the server via inetd (default=0, run as daemon).
# (only used by the init script)
#INETD=0

6
debian/nagios-nrpe-server.doc-base vendored Normal file
View File

@@ -0,0 +1,6 @@
Document: nagios-nrpe
Title: NRPE Documentation
Section: Network/Monitoring
Format: PDF
Files: /usr/share/doc/nagios-nrpe-server/*.pdf.gz

5
debian/nagios-nrpe-server.docs vendored Normal file
View File

@@ -0,0 +1,5 @@
LEGAL
README.md
README.SSL.md
SECURITY.md
docs/*

85
debian/nagios-nrpe-server.init vendored Normal file
View File

@@ -0,0 +1,85 @@
#! /bin/sh
#
### BEGIN INIT INFO
# Provides: nagios-nrpe-server
# Required-Start: $local_fs $remote_fs $syslog $named $network $time
# Required-Stop: $local_fs $remote_fs $syslog $named $network
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start/Stop the Nagios remote plugin execution daemon
### END INIT INFO
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/nrpe
NAME=nagios-nrpe
DESC=nagios-nrpe
CONFIG=/etc/nagios/nrpe.cfg
PIDDIR=/var/run/nagios
test -x $DAEMON || exit 0
if ! [ -x "/lib/lsb/init-functions" ]; then
. /lib/lsb/init-functions
else
echo "E: /lib/lsb/init-functions not found, lsb-base (>= 3.0-6) needed"
exit 1
fi
# Include nagios-nrpe defaults if available
if [ -f /etc/default/nagios-nrpe-server ] ; then
. /etc/default/nagios-nrpe-server
fi
# we also used to include this file, so if it's there
# we include it as well
if [ -f /etc/default/nagios-nrpe ]; then
. /etc/default/nagios-nrpe
fi
if [ "$NICENESS" ]; then NICENESS="-n $NICENESS"; fi
#since /var/run can be wiped completly we create our run directory here
if [ ! -d "$PIDDIR" ]; then
mkdir "$PIDDIR"
chown nagios "$PIDDIR"
[ -x /sbin/restorecon ] && /sbin/restorecon "$PIDDIR"
fi
set -e
case "$1" in
start)
if [ "$INETD" = 1 ]; then
exit 0
fi
log_daemon_msg "Starting $DESC" "$NAME"
start_daemon -p $PIDDIR/nrpe.pid $NICENESS $DAEMON -c $CONFIG -d $NRPE_OPTS
log_end_msg $?
;;
stop)
log_daemon_msg "Stopping $DESC" "$NAME"
start-stop-daemon --stop --quiet --oknodo --pidfile $PIDDIR/nrpe.pid --retry 15
log_end_msg $?
;;
reload|force-reload)
log_daemon_msg "Reloading $DESC configuration files" "$NAME"
start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDDIR/nrpe.pid
log_end_msg $?
;;
status)
status_of_proc -p $PIDDIR/nrpe.pid "$DAEMON" "$NAME" && exit 0 || exit $?
;;
restart)
$0 stop
sleep 1
$0 start
;;
*)
log_failure_msg "Usage: $N {start|stop|restart|reload|force-reload}"
exit 1
;;
esac
exit 0

3
debian/nagios-nrpe-server.install vendored Normal file
View File

@@ -0,0 +1,3 @@
src/nrpe usr/sbin
sample-config/nrpe.cfg etc/nagios
debian/nrpe_local.cfg etc/nagios

1
debian/nagios-nrpe-server.manpages vendored Normal file
View File

@@ -0,0 +1 @@
debian/nrpe.8

55
debian/nagios-nrpe-server.preinst vendored Normal file
View File

@@ -0,0 +1,55 @@
#! /bin/sh
# preinst script for nagios-nrpe-server
#
# see: dh_installdeb(1)
set -e
# summary of how this script can be called:
# * <new-preinst> `install'
# * <new-preinst> `install' <old-version>
# * <new-preinst> `upgrade' <old-version>
# * <old-preinst> `abort-upgrade' <new-version>
#
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package
case "$1" in
install|upgrade)
if id nagios >/dev/null 2>&1 ; then
# We have a nagios user.
if [ `id nagios -g -n` != "nagios" ] ; then
addgroup --system nagios || true
#this can fail sometimes (i.e. with LDAP) so ignore it
usermod -g nagios nagios || true
fi
else
adduser --system --group --home /var/lib/nagios --quiet nagios
fi
# if [ "$1" = "upgrade" ]
# then
# start-stop-daemon --stop --quiet --oknodo \
# --pidfile /var/run/bud.pid \
# --exec /usr/sbin/bud 2>/dev/null || true
# fi
;;
abort-upgrade)
;;
*)
echo "preinst called with unknown argument \`$1'" >&2
exit 1
;;
esac
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#DEBHELPER#
exit 0

23
debian/nagios-nrpe-server.service vendored Normal file
View File

@@ -0,0 +1,23 @@
[Unit]
Description=Nagios Remote Plugin Executor
Documentation=http://www.nagios.org/documentation
After=var-run.mount nss-lookup.target network.target local-fs.target remote-fs.target time-sync.target
Before=getty@tty1.service plymouth-quit.service xdm.service
Conflicts=nrpe.socket
[Install]
WantedBy=multi-user.target
[Service]
Type=simple
Restart=on-abort
PIDFile=/var/run/nagios/nrpe.pid
EnvironmentFile=-/etc/default/nagios-nrpe-server
ExecStart=/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -f $NRPE_OPTS
ExecReload=/bin/kill -HUP $MAINPID
ExecStopPost=/bin/rm -f /var/run/nagios/nrpe.pid
TimeoutStopSec=60
User=nagios
Group=nagios
PrivateTmp=true
OOMScoreAdjust=-500

2
debian/nagios-nrpe-server.tmpfile vendored Normal file
View File

@@ -0,0 +1,2 @@
#Type Path Mode UID GID Age Argument
d /var/run/nagios 0755 nagios nagios - -

60
debian/nrpe.8 vendored Normal file
View File

@@ -0,0 +1,60 @@
.\" Hey, EMACS: -*- nroff -*-
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH NAGIOS-NRPE 8 "January 14, 2004"
.\" Please adjust this date whenever revising the manpage.
.\"
.\" Some roff macros, for reference:
.\" .nh disable hyphenation
.\" .hy enable hyphenation
.\" .ad l left justify
.\" .ad b justify to both left and right margins
.\" .nf disable filling
.\" .fi enable filling
.\" .br insert line break
.\" .sp <n> insert n+1 empty lines
.\" for manpage-specific macros, see man(7)
.SH NAME
nrpe \- Nagios Remote Plugin Executor - Server
.SH SYNOPSIS
.B nagios-nrpe
\fI[-n] -c <config_file> [-4|-6] <mode>\fR
.SH DESCRIPTION
.PP
The purpose of this addon is to allow you to execute Nagios plugins on a
remote host in as transparent a manner as possible.
.PP
This program runs as a background process on the remote host and processes
command execution requests from the check_nrpe plugin on the Nagios host.
.SH OPTIONS
.TP
\fB\-n\fR = Do not use SSL
.TP
\fB\-c\fR <config_file> = Name of config file to use
.TP
\fB\-4\fR = Use IPv4 only
.TP
\fB\-6\fR = Use IPv6 only
.TP
<mode> = One of the following two operating modes:
.TP
\fB\-i\fR = Run as a service under inetd or xinetd
.TP
\fB\-d\fR = Run as a standalone daemon
.TP
\fB\-d \-s\fR = Run as a subsystem under AIX
.TP
\fB\-f\fR = Don't fork() for systemd, launchd, etc.
.PP
Notes:
This program is designed to process requests from the check_nrpe
plugin on the host(s) running Nagios. It can run as a service
under inetd or xinetd (read the docs for info on this), or as a
standalone daemon. Once a request is received from an authorized
host, NRPE will execute the command/plugin (as defined in the
config file) and return the plugin output and return code to the
check_nrpe plugin.
.SH AUTHOR
This manual page was written by Jason Thomas <jason@debian.org>,
for the Debian project (but may be used by others).

3
debian/nrpe_local.cfg vendored Normal file
View File

@@ -0,0 +1,3 @@
######################################
# Do any local nrpe configuration here
######################################

22
debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch vendored Normal file
View File

@@ -0,0 +1,22 @@
Description: Support nrpe_local.cfg & nrpe.d directory.
Author: Sean Finney <seanius@debian.org>
Author: Alexander Wirt <formorer@debian.org>
Forwarded: not-needed
--- a/sample-config/nrpe.cfg.in
+++ b/sample-config/nrpe.cfg.in
@@ -317,3 +317,14 @@ command[check_total_procs]=@pluginsdir@/
#command[check_load]=@pluginsdir@/check_load -w $ARG1$ -c $ARG2$
#command[check_disk]=@pluginsdir@/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
#command[check_procs]=@pluginsdir@/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
+
+# local configuration:
+# if you'd prefer, you can instead place directives here
+
+include=/etc/nagios/nrpe_local.cfg
+
+# you can place your config snipplets into nrpe.d/
+# only snipplets ending in .cfg will get included
+
+include_dir=/etc/nagios/nrpe.d/
+

28
debian/patches/07_warn_ssloption.patch vendored Normal file
View File

@@ -0,0 +1,28 @@
Description: Warn against inadequateness of NRPE's own SSL option.
Author: Thijs Kinkhorst <thijs@debian.org>
Forwarded: not-needed
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -82,14 +82,17 @@ daemon should run as.
#### ENCRYPTION ####
If you do enable support for command arguments in the NRPE daemon,
-make sure that you encrypt communications either by using:
-
- 1. Stunnel (see http://www.stunnel.org for more info)
- 2. Native SSL support (See the `README.SSL.md` file for more info)
+make sure that you encrypt communications by using, for example,
+Stunnel (see http://www.stunnel.org for more info).
*Do NOT* assume that just because the daemon is behind a firewall
that you are safe! Always encrypt NRPE traffic!
+NOTE: the currently shipped native SSL support of NRPE is not an
+adequante protection, because it does not verify clients and
+server, and uses pregenerated key material. NRPE's SSL option is
+advised against. For more information, see Debian bug #547092.
+
#### USING ARGUMENTS ####

2
debian/patches/series vendored Normal file
View File

@@ -0,0 +1,2 @@
02_nrpe.cfg_local-include_support_nrpe.d.patch
07_warn_ssloption.patch

31
debian/rules vendored Executable file
View File

@@ -0,0 +1,31 @@
#!/usr/bin/make -f
# newer dpkg set this by default.
DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
# Enable hardening build flags
export DEB_BUILD_MAINT_OPTIONS=hardening=+all
CFLAGS += $(CPPFLAGS)
export AUTOHEADER=true
%:
dh $@ --with autoreconf,systemd --parallel
override_dh_auto_configure:
dh_auto_configure -- \
--prefix=/usr \
--sysconfdir=/etc \
--libdir=/usr/lib/nagios \
--libexecdir=/usr/lib/nagios/plugins \
--localstatedir=/var \
--enable-ssl \
--with-need-dh=no \
--with-ssl-lib=/usr/lib/$(DEB_HOST_MULTIARCH) \
--with-piddir=/var/run/nagios
override_dh_auto_build:
dh_auto_build -- all
override_dh_auto_install:

1
debian/source/format vendored Normal file
View File

@@ -0,0 +1 @@
3.0 (quilt)

6
debian/upstream/metadata vendored Normal file
View File

@@ -0,0 +1,6 @@
---
Bug-Database: https://github.com/NagiosEnterprises/nrpe/issues
Bug-Submit: https://github.com/NagiosEnterprises/nrpe/issues/new
Name: NRPE
Repository: https://github.com/NagiosEnterprises/nrpe.git
Repository-Browse: https://github.com/NagiosEnterprises/nrpe

5
debian/watch vendored Normal file
View File

@@ -0,0 +1,5 @@
version=3
opts=\
dversionmangle=s/\+(debian|dfsg|ds|deb)\d*$//,\
uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/;s/RC/rc/;s/-/./g \
http://sf.net/nagios/nrpe-([\d\.]+)\.(?:tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz)))

BIN
docs/NRPE.odt
View File

Binary file not shown.

BIN
docs/NRPE.pdf
View File

Binary file not shown.

6
include/common.h.in
View File

@@ -2,7 +2,7 @@
*
* COMMON.H - NRPE Common Include File
* Copyright (c) 1999-2007 Ethan Galstad (nagios@nagios.org)
* Last Modified: 2017-04-06
* Last Modified: 2017-05-24
*
* License:
*
@@ -33,8 +33,8 @@
# endif
#endif
#define PROGRAM_VERSION "3.1.0-rc1"
#define MODIFICATION_DATE "2017-04-06"
#define PROGRAM_VERSION "3.1.1"
#define MODIFICATION_DATE "2017-05-24"
#define OK 0
#define ERROR -1

43
macros/ax_nagios_get_inetd
View File

@@ -93,29 +93,30 @@ AC_SUBST(inetd_type)
inetd_disabled=""
if test x"$init_type" = "xupstart"; then
inetd_type="upstart"
elif test "$opsys" = "osx"; then
inetd_type="launchd"
fi
AS_CASE([$dist_type],
[solaris],
if test x"$init_type" = "xsmf10" -o x"$init_type" = "xsmf11"; then
inetd_type="$init_type"
else
inetd_type="inetd"
fi,
[*bsd*],
inetd_type=`ps -A -o comm -c | grep inetd`,
[osx],
inetd_type=`launchd`,
[aix|hp-ux],
inetd_type=`UNIX95= ps -A -o comm | grep inetd | head -1`,
[*],
inetd_type=[`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND | head -1`])
if test x"$inetd_type" = x; then
AS_CASE([$dist_type],
[solaris],
if test x"$init_type" = "xsmf10" -o x"$init_type" = "xsmf11"; then
inetd_type="$init_type"
else
inetd_type="inetd"
fi,
[*bsd*],
inetd_type=`ps -A -o comm -c | grep inetd`,
[aix|hp-ux],
inetd_type=`UNIX95= ps -A -o comm | grep inetd | head -1`,
[*],
inetd_type=[`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND | head -1`])
if test x"$init_type" = "xupstart"; then
inetd_type="upstart"
fi
fi
if test x"$inetd_type" = x; then

4
nrpe.spec.in
View File

@@ -9,7 +9,7 @@
%endif
%if %{islinux}
%define _init_dir @initdir@
%define _init_tyhpe @init_type@
%define _init_type @init_type@
%define _exec_prefix %{_prefix}/sbin
%define _bindir %{_prefix}/sbin
%define _sbindir %{_prefix}/lib/nagios/cgi
@@ -22,7 +22,7 @@
%define _sysconfdir /etc/nagios
%define name @PACKAGE_NAME@
%define version 3.1.0-rc1
%define version 3.1.1
%define release @RPM_RELEASE@
%define nsusr @nrpe_user@
%define nsgrp @nrpe_group@

4
src/acl.c
View File

@@ -565,9 +565,9 @@ int is_an_allowed_host(int family, void *host)
break;
}
}
dns_acl_curr = dns_acl_curr->next;
}
dns_acl_curr = dns_acl_curr->next;
}
return 0;
}

55
src/check_nrpe.c
View File

@@ -4,7 +4,7 @@
* Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
* License: GPL
*
* Last Modified: 2017-04-06
* Last Modified: 2017-05-24
*
* Command line: CHECK_NRPE -H <host_address> [-p port] [-c command] [-to to_sec]
*
@@ -116,8 +116,6 @@ int main(int argc, char **argv)
result = process_arguments(argc, argv, 0);
open_log_file();
if (result != OK || show_help == TRUE || show_license == TRUE || show_version == TRUE)
usage(result); /* usage() will call exit() */
@@ -466,6 +464,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
break;
}
log_file = strdup(optarg);
open_log_file();
break;
default:
@@ -558,10 +557,10 @@ int read_config_file(char *fname)
bufp = buf;
while (argc < 50) {
while (*bufp && strchr(delims, *bufp))
++bufp;
if (*bufp == '\0')
break;
while (strchr(delims, *bufp))
++bufp;
argv[argc] = my_strsep(&bufp, delims);
if (!argv[argc++])
break;
@@ -667,7 +666,7 @@ void usage(int result)
printf("Usage: check_nrpe -H <host> [-2] [-4] [-6] [-n] [-u] [-V] [-l] [-d <dhopt>]\n"
" [-P <size>] [-S <ssl version>] [-L <cipherlist>] [-C <clientcert>]\n"
" [-K <key>] [-A <ca-certificate>] [-s <logopts>] [-b <bindaddr>]\n"
" [-f <cfg-file>] [-p <port>] [-t <interval>:<state>]\n"
" [-f <cfg-file>] [-p <port>] [-t <interval>:<state>] [-g <log-file>]\n"
" [-c <command>] [-a <arglist...>]\n");
printf("\n");
printf("Options:\n");
@@ -704,6 +703,7 @@ void usage(int result)
printf(" <logopts> = SSL Logging Options\n");
printf(" <bindaddr> = bind to local address\n");
printf(" <cfg-file> = configuration file to use\n");
printf(" <log-file> = full path to the log file to write to\n");
printf(" [port] = The port on which the daemon is running (default=%d)\n",
DEFAULT_SERVER_PORT);
printf(" [command] = The name of the command that the remote daemon should run\n");
@@ -743,7 +743,7 @@ void usage(int result)
void setup_ssl()
{
#ifdef HAVE_SSL
int vrfy;
int vrfy, x;
if (sslprm.log_opts & SSL_LogStartup) {
char *val;
@@ -878,7 +878,9 @@ void setup_ssl()
break;
case TLSv1_2:
case TLSv1_2_plus:
#ifdef SSL_OP_NO_TLSv1_1
ssl_opts |= SSL_OP_NO_TLSv1_1;
#endif
case TLSv1_1:
case TLSv1_1_plus:
ssl_opts |= SSL_OP_NO_TLSv1;
@@ -897,14 +899,23 @@ void setup_ssl()
if (sslprm.cert_file != NULL && sslprm.privatekey_file != NULL) {
if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) {
SSL_CTX_free(ctx);
printf("Error: could not use certificate file '%s'.\n", sslprm.cert_file);
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
printf("Error: could not use certificate file '%s': %s\n",
sslprm.cert_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
exit(STATE_CRITICAL);
}
if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) {
SSL_CTX_free(ctx);
printf("Error: could not use private key file '%s'.\n",
sslprm.privatekey_file);
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
printf("Error: could not use private key file '%s': %s\n",
sslprm.privatekey_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
exit(STATE_CRITICAL);
}
}
@@ -913,8 +924,12 @@ void setup_ssl()
vrfy = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
SSL_CTX_set_verify(ctx, vrfy, verify_callback);
if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
SSL_CTX_free(ctx);
printf("Error: could not use CA certificate '%s'.\n", sslprm.cacert_file);
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
printf("Error: could not use CA certificate '%s': %s\n",
sslprm.privatekey_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
exit(STATE_CRITICAL);
}
}
@@ -932,8 +947,12 @@ void setup_ssl()
}
if (SSL_CTX_set_cipher_list(ctx, sslprm.cipher_list) == 0) {
SSL_CTX_free(ctx);
printf("Error: Could not set SSL/TLS cipher list: %s\n", sslprm.cipher_list);
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
printf("Could not set SSL/TLS cipher list '%s': %s\n",
sslprm.cipher_list, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
exit(STATE_CRITICAL);
}
}
@@ -965,7 +984,7 @@ int connect_to_remote()
struct sockaddr addr;
struct in_addr *inaddr;
socklen_t addrlen;
int result, rc, ssl_err, ern;
int result, rc, ssl_err, ern, x, nerrs = 0;
/* try to connect to the host at the given port number */
if ((sd =
@@ -1004,7 +1023,6 @@ int connect_to_remote()
ssl_err = SSL_get_error(ssl, rc);
if (sslprm.log_opts & (SSL_LogCertDetails | SSL_LogIfClientCert)) {
int x, nerrs = 0;
rc = 0;
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s",
@@ -1015,9 +1033,16 @@ int connect_to_remote()
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: rc=%d SSL-error=%d",
rem_host, rc, ssl_err);
} else
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: rc=%d SSL-error=%d",
rem_host, rc, ssl_err);
} else {
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s",
rem_host, ERR_reason_error_string(x));
++nerrs;
}
if (nerrs == 0)
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: "
"rc=%d SSL-error=%d", rem_host, rc, ssl_err);
}
if (ssl_err == 5) {
/* Often, errno will be zero, so print a generic message here */

38
src/nrpe.c
View File

@@ -186,8 +186,6 @@ int main(int argc, char **argv)
return STATE_CRITICAL;
}
open_log_file();
if (!nasty_metachars)
nasty_metachars = strdup(NASTY_METACHARS);
@@ -244,6 +242,7 @@ void init_ssl(void)
#ifdef HAVE_SSL
DH *dh;
char seedfile[FILENAME_MAX];
char errstr[120] = { "" };
int i, c, x, vrfy;
unsigned long ssl_opts = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE;
@@ -315,7 +314,10 @@ void init_ssl(void)
ctx = SSL_CTX_new(meth);
if (ctx == NULL) {
logit(LOG_ERR, "Error: could not create SSL context");
while ((x = ERR_get_error()) != 0) {
ERR_error_string(x, errstr);
logit(LOG_ERR, "Error: could not create SSL context : %s", errstr);
}
SSL_CTX_free(ctx);
exit(STATE_CRITICAL);
}
@@ -359,7 +361,9 @@ void init_ssl(void)
break;
case TLSv1_2:
case TLSv1_2_plus:
#ifdef SSL_OP_NO_TLSv1_1
ssl_opts |= SSL_OP_NO_TLSv1_1;
#endif
case TLSv1_1:
case TLSv1_1_plus:
ssl_opts |= SSL_OP_NO_TLSv1;
@@ -377,7 +381,6 @@ void init_ssl(void)
SSL_CTX_set_options(ctx, ssl_opts);
if (sslprm.cert_file != NULL) {
char errstr[120] = { "" };
if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) {
SSL_CTX_free(ctx);
while ((x = ERR_get_error()) != 0) {
@@ -388,9 +391,12 @@ void init_ssl(void)
exit(STATE_CRITICAL);
}
if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) {
while ((x = ERR_get_error()) != 0) {
ERR_error_string(x, errstr);
logit(LOG_ERR, "Error: could not use private key file '%s' : %s",
sslprm.privatekey_file, errstr);
}
SSL_CTX_free(ctx);
logit(LOG_ERR, "Error: could not use private key file '%s'",
sslprm.privatekey_file);
exit(STATE_CRITICAL);
}
}
@@ -401,6 +407,10 @@ void init_ssl(void)
vrfy |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
SSL_CTX_set_verify(ctx, vrfy, verify_callback);
if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
logit(LOG_ERR, "Error: could not use certificate file '%s': %s\n",
sslprm.cacert_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
logit(LOG_ERR, "Error: could not use CA certificate '%s'", sslprm.cacert_file);
exit(STATE_CRITICAL);
@@ -651,13 +661,13 @@ void cleanup(void)
free_memory(); /* free all memory we allocated */
if (sigrestart == TRUE && sigshutdown == FALSE) {
close_log_file();
result = read_config_file(config_file); /* read the config file */
if (result == ERROR) { /* exit if there are errors... */
logit(LOG_ERR, "Config file '%s' contained errors, bailing out...", config_file);
exit(STATE_CRITICAL);
}
open_log_file();
return;
}
@@ -950,10 +960,11 @@ int read_config_file(char *filename)
else if (!strcmp(varname, "nasty_metachars"))
nasty_metachars = strdup(varvalue);
else if (!strcmp(varname, "log_file"))
else if (!strcmp(varname, "log_file")) {
log_file = strdup(varvalue);
open_log_file();
else {
} else {
logit(LOG_WARNING, "Unknown option specified in config file '%s' - Line %d\n",
filename, line);
continue;
@@ -1852,6 +1863,7 @@ int handle_conn_ssl(int sock, void *ssl_ptr)
#else
const SSL_CIPHER *c;
#endif
const char *errmsg = NULL;
char buffer[MAX_INPUT_BUFFER];
SSL *ssl = (SSL*)ssl_ptr;
X509 *peer;
@@ -1869,8 +1881,14 @@ int handle_conn_ssl(int sock, void *ssl_ptr)
int nerrs = 0;
rc = 0;
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
errmsg = ERR_reason_error_string(x);
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s",
remote_host, ERR_reason_error_string(x));
remote_host, errmsg);
if (errmsg && !strcmp(errmsg, "no shared cipher")) {
if (sslprm.cert_file == NULL || sslprm.cacert_file == NULL)
logit(LOG_ERR, "Error: This could be because you have not "
"specified certificate or ca-certificate files");
}
++nerrs;
}
if (nerrs == 0)

9
src/utils.c
View File

@@ -31,6 +31,7 @@
#include "../include/common.h"
#include "../include/utils.h"
#include <stdarg.h>
#ifdef HAVE_PATHS_H
#include <paths.h>
#endif
@@ -469,6 +470,7 @@ char *my_strsep(char **stringp, const char *delim)
void open_log_file()
{
int fh;
int flags = O_RDWR|O_APPEND|O_CREAT;
struct stat st;
close_log_file();
@@ -476,7 +478,10 @@ void open_log_file()
if (!log_file)
return;
if ((fh = open(log_file, O_RDWR|O_APPEND|O_CREAT|O_NOFOLLOW, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) == -1) {
#ifdef O_NOFOLLOW
flags |= O_NOFOLLOW;
#endif
if ((fh = open(log_file, flags, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) == -1) {
printf("Warning: Cannot open log file '%s' for writing\n", log_file);
logit(LOG_WARNING, "Warning: Cannot open log file '%s' for writing", log_file);
return;
@@ -527,7 +532,7 @@ void logit(int priority, const char *format, ...)
fflush(log_fp);
} else
syslog(priority, buffer);
syslog(priority, "%s", buffer);
free(buffer);
}

4
update-version
View File

@@ -28,10 +28,10 @@ else
fi
# Current version number
CURRENTVERSION=3.1.0-rc1
CURRENTVERSION=3.1.1
# Last date
LASTDATE=2017-04-06
LASTDATE=2017-05-24
if [ "x$1" = "x" ]
then