
Added perl script to add the new SSL parameters

to an existing nrpe.cfg file. Updated the READMEs to mention
the `update-cfg.pl` script, and changes related to the new
install routines.
John C. Frickson 9 years ago
parent
commit
9868958b9d
3 changed files with 192 additions and 50 deletions
  1. README.SSL.md (+3 -0)
  2. README.md (+45 -50)
  3. update-cfg.pl (+144 -0)

+ 3 - 0
README.SSL.md

@@ -46,6 +46,9 @@ connections, or enforce more secure communication as your migration
 progresses. The new options are in the "SSL/TLS OPTIONS" section of
 nrpe.cfg, about two-thirds of the way down.
 
+If you are upgrading NRPE from a prior version, you can run the
+`update-cfg.pl` script to add the new parameters to your nrpe.cfg.
+
 The `ssl_version` directive lets you set which versions of SSL/TLS
 you want to allow. SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 are
 allowed, or those litereals with a `+` after them (as in TLSv1.1+).
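Review bot: the added sentence should say what `update-cfg.pl` actually does to the config, because the script added in this commit does not edit nrpe.cfg in place: it writes the new SSL section to `<file>.new` and leaves review and rename to the admin (that is what its own closing message says). A reader following this paragraph will otherwise expect the running config to have been updated. Suggest: "run `update-cfg.pl /path/to/nrpe.cfg`; it writes the result to `nrpe.cfg.new` for you to review and move into place." While this paragraph is being touched, the context line just below still misspells "litereals" (should be "literals").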

+ 45 - 50
README.md

@@ -5,6 +5,9 @@ For installation instructions and information on the design overview
 of the NRPE addon, please read the PDF documentation that is found in
 this directory: `docs/NRPE.pdf`
 
+If you are upgrading from a previous version, run 'update-cfg.pl' to
+add the new SSL parameters to your config file.
+
 
 Purpose
 -------
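Review bot: the same instruction is worded and quoted differently here than in README.SSL.md in this commit ('update-cfg.pl' in single quotes versus `update-cfg.pl` in backticks, "config file" versus "nrpe.cfg"), and neither says the script takes the config path as its only argument or that it writes a `.new` file rather than editing in place. Use one wording in both READMEs, e.g. "run `update-cfg.pl /path/to/nrpe.cfg`; review the generated `nrpe.cfg.new` and move it into place."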
@@ -82,17 +85,13 @@ Running Under INETD or XINETD
 -----------------------------
 
 If you plan on running nrpe under inetd or xinetd and making use
-of TCP wrappers, you need to do the following things:
-
-1) Add a line to your `/etc/services` file as follows (modify the port
-   number as you see fit)
+of TCP wrappers, you need to add a line to your `/etc/services`
+file as follows (modify the port number as you see fit)
 
-    nrpe            5666/tcp    # NRPE
+     nrpe            5666/tcp    # NRPE
 
-2) Add entries for the NRPE daemon to either your inetd or xinetd
-   configuration files.  Which one your use will depend on which
-   superserver is installed on your system.  Both methods are described
-   below.
+The run `make install-inetd` to copy the appropriate file, or
+add the appropriate line to your `/etc/inetd.conf`.
 
    _NOTE: If you run nrpe under inetd or xinetd, the server_port
    and allowed_hosts variables in the nrpe configuration file are
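Review bot: "The run `make install-inetd`" should read "Then run `make install-inetd`". The `/etc/services` line also changed from four to five leading spaces, which is a gratuitous diff and leaves it indented differently from the other indented commands in this README; keep the original four spaces. Finally, the removed text made clear that inetd versus xinetd depends on which superserver is installed and that both are described below; since `make install-inetd` picks one of the two, a sentence to that effect should survive the rewrite so the reader knows which subsection applies to them.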
@@ -100,71 +99,67 @@ of TCP wrappers, you need to do the following things:
 
 
 #### INETD
-If your system uses the inetd superserver **with** tcpwrappers, add an entry
-to `/etc/inetd.conf` as follows:
 
-    nrpe   stream   tcp   nowait   <user> /usr/sbin/tcpd <nrpebin> -c <nrpecfg> --inetd
+After running `make install-inetd`, your `/etc/inetd.conf` file will
+contain lines similar to the following:
+
+```
+	#
+	# Enable the following entry to enable the nrpe daemon
+	#nrpe stream tcp nowait nagios /usr/local/nagios/bin/nrpe nrpe -c /usr/local/nagios/etc/nr
+	# Enable the following entry if the nrpe daemon didn't link with libwrap
+	#nrpe stream tcp nowait nagios /usr/sbin/tcpd /usr/local/nagios/bin/nrpe -c /usr/local/nag
+```
+
+Un-comment the appropriate line, then Restart inetd:
 
-If your system uses the inetd superserver **without** tcpwrappers, add an
-entry to `/etc/inetd.conf` as follows:
+    /etc/rc.d/init.d/inet restart
 
-    nrpe   stream   tcp   nowait   <user> <nrpebin> -c <nrpecfg> --inetd
+OpenBSD users can use the following command to restart inetd:
 
+    kill -HUP `cat /var/run/inet.pid`
 
-- Replace `<user>` with the name of the user that the nrpe server should run as.
-  Example: `nagios`
-- Replace `<nrpebin>` with the path to the nrpe binary on your system.
-  Example: `/usr/local/nagios/nrpe`
-- Replace `<nrpecfg>` with the path to the nrpe config file on your system.
-  Example: `/usr/local/nagios/nrpe.cfg`
+Then add entries to your `/etc/hosts.allow` and `/etc/hosts.deny`
+file to enable TCP wrapper protection for the nrpe service.
+This is optional, although highly recommended.
 
 
 #### XINETD
-If your system uses xinetd instead of inetd, you'll probably
-want to create a file called `nrpe` in your `/etc/xinetd.d`
-directory that contains the following entries:
+
+If your system uses xinetd instead of inetd, `make install-inetd`
+will create a file called `nrpe` in your `/etc/xinetd.d`
+directory that contains a file similar to this:
 
 ```
-    # default: on
-    # description: NRPE
+    # default: off
+    # description: NRPE (Nagios Remote Plugin Executor)
     service nrpe
     {
-        flags           = REUSE
+        disable         = yes
         socket_type     = stream
+        port            = @NRPE_PORT@
         wait            = no
-        user            = <user>
-        server          = <nrpebin>
-        server_args     = -c <nrpecfg> --inetd
+        user            = nagios
+        group           = nagios
+        server          = /usr/local/nagios/bin/nrpe
+        server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
+        only_from       = 127.0.0.1
         log_on_failure  += USERID
-        disable         = no
-        only_from       = <ipaddress1> <ipaddress2> ...
     }
 ```
 
-- Replace `<user>` with the name of the user that the nrpe server should run as.
-- Replace `<nrpebin>` with the path to the nrpe binary on your system.
-- Replace `<nrpecfg>` with the path to the nrpe config file on your system.
-- Replace the `<ipaddress>` fields with the IP addresses of hosts which
+- Replace `disable = yes` with `disable = no`
+- Replace the `127.0.0.1` field with the IP addresses of hosts which
   are allowed to connect to the NRPE daemon.  This only works if xinetd was
   compiled with support for tcpwrappers.
+- Add entries to your `/etc/hosts.allow` and `/etc/hosts.deny`
+  file to enable TCP wrapper protection for the nrpe service.
+  This is optional, although highly recommended.
 
-3) Restart inetd or xinetd will the following command (pick the
-   on that is appropriate for your system:
-
-    /etc/rc.d/init.d/inet restart
-
-   or
+Restart xinetd:
 
     /etc/rc.d/init.d/xinetd restart
 
-   OpenBSD users can use the following command to restart inetd:
-
-    kill -HUP `cat /var/run/inet.pid`
-
-4) Add entries to your `/etc/hosts.allow` and `/etc/hosts.deny`
-   file to enable TCP wrapper protection for the nrpe service.
-   This is optional, although highly recommended.
-
 
 Configuring Things On The Nagios Host
 ---------------------------------------
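Review bot: the sample `/etc/inetd.conf` lines in the fenced block are cut off mid-path (`/usr/local/nagios/etc/nr`, `/usr/local/nag`); an admin who copies them gets a broken entry, so either show the full lines or say explicitly that they are truncated for width. The two lines are also mutually exclusive (direct nrpe, or nrpe behind `/usr/sbin/tcpd` when it was not linked with libwrap), so "Un-comment the appropriate line" should say "exactly one of". In the xinetd block, `port = @NRPE_PORT@` is an unsubstituted build-time placeholder; the README should show the value the installed file will contain (5666, matching the `/etc/services` entry above) or note that the token is replaced at install time. The new `only_from = 127.0.0.1` default is the right default-deny starting point and the bullet telling the reader to replace it is good; consider also keeping `disable = yes` in the installed file as the commit does, so the service is not reachable until someone deliberately enables it.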

+ 144 - 0
update-cfg.pl

@@ -0,0 +1,144 @@
+#! /usr/bin/perl -w
+
+use strict;
+
+my ($fname_in, $fname_out);
+
+if ($#ARGV != 0) {
+	&usage;
+}
+
+$fname_in = $ARGV[0];
+$fname_out = $fname_in . ".new";
+
+if (&check_ssl) {
+	print "\n'$fname_in' already has some or all of the\n";
+	print "new SSL parameters. No processing will be done.\n\n";
+	exit 0;
+}
+
+open IN, $fname_in or die "Could not open '$fname_in' for reading: $!\n";
+open OUT, ">$fname_out" or die "Could not open '$fname_out' for writing: $!\n";
+
+while (<IN>) {
+	print OUT;
+	&add_ssl if $_ =~ /allow_weak_random_seed/;
+}
+
+print "\nConfig file '$fname_in' was read.\n";
+print "The new SSL comments and parameters were added and the output written to\n";
+print "'$fname_out'\n";
+print "Please check this file for accuracy and rename it when you are satisfied.\n\n";
+
+close IN;
+close OUT;
+
+# ==========================================================================
+
+sub usage
+{
+	print "\nUsage: update-cfg.pl <path-to-nrpe.cfg-file>\n\n";
+	print "This perl script will read the nrpe configuration file\n";
+	print "specified on the command line, and write out a new file\n";
+	print "with the new SSL comments and parameters added.\n\n";
+	exit 1;
+}
+
+# --------------------------------------------------------------------------
+#  check_ssl checks if the config file already has the ssl parameters
+# --------------------------------------------------------------------------
+sub check_ssl
+{
+	my $has_ssl = 0;
+
+	open IN, $fname_in or die "Could not open '$fname_in' for reading: $!\n";
+
+	while (<IN>) {
+		if ($_ =~ /ssl_version=/ or
+			$_ =~ /ssl_use_adh=/ or
+			$_ =~ /ssl_cipher_list=/ or
+			$_ =~ /ssl_cacert_file=/ or
+			$_ =~ /ssl_cert_file=/ or
+			$_ =~ /ssl_privatekey_file=/ or
+			$_ =~ /ssl_client_certs=/ or
+			$_ =~ /ssl_logging=/)
+		{
+			$has_ssl = 1;
+			last;
+		}
+	}
+
+	close IN;
+
+	return $has_ssl;
+}
+
+# --------------------------------------------------------------------------
+#  add_ssl inserts the new SSL comments and parameters into the config file
+# --------------------------------------------------------------------------
+sub add_ssl
+{
+my $txt = <<"END_SSL";
+
+
+
+# SSL/TLS OPTIONS
+# These directives allow you to specify how to use SSL/TLS.
+
+# SSL VERSION
+# This can be any of: SSLv2 (only use SSLv2), SSLv2+ (use any version),
+#        SSLv3 (only use SSLv3), SSLv3+ (use SSLv3 or above), TLSv1 (only use
+#        TLSv1), TLSv1+ (use TLSv1 or above), TLSv1.1 (only use TLSv1.1),
+#        TLSv1.1+ (use TLSv1.1 or above), TLSv1.2 (only use TLSv1.2),
+#        TLSv1.2+ (use TLSv1.2 or above)
+# If an "or above" version is used, the best will be negotiated. So if both
+# ends are able to do TLSv1.2 and use specify SSLv2, you will get TLSv1.2.
+
+#ssl_version=SSLv2+
+
+# SSL USE ADH
+# This is for backward compatibility and is DEPRECATED. Set to 1 to enable
+# ADH or 2 to require ADH. 1 is currently the default but will be changed
+# in a later version.
+
+#ssl_use_adh=1
+
+# SSL CIPHER LIST
+# This lists which ciphers can be used. For backward compatibility, this
+# defaults to 'ssl_cipher_list=ALL:!MD5:\@STRENGTH' in this version but
+# will be changed to something like the example below in a later version of NRPE.
+
+#ssl_cipher_list=ALL:!MD5:\@STRENGTH
+#ssl_cipher_list=ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:\@STRENGTH
+
+# SSL Certificate and Private Key Files
+
+#ssl_cacert_file=/etc/ssl/servercerts/ca-cert.pem
+#ssl_cert_file=/etc/ssl/servercerts/nagios-cert.pem
+#ssl_privatekey_file=/etc/ssl/servercerts/nagios-key.pem
+
+# SSL USE CLIENT CERTS
+# This options determines client certificate usage.
+# Values: 0 = Don't ask for or require client certificates (default)
+#         1 = Ask for client certificates
+#         2 = Require client certificates
+
+#ssl_client_certs=0
+
+# SSL LOGGING
+# This option determines which SSL messages are send to syslog. OR values
+# together to specify multiple options.
+
+# Values: 0x00 (0)  = No additional logging (default)
+#         0x01 (1)  = Log startup SSL/TLS parameters
+#         0x02 (2)  = Log remote IP address
+#         0x04 (4)  = Log SSL/TLS version of connections
+#         0x08 (8)  = Log which cipher is being used for the connection
+#         0x10 (26) = Log if client has a certificate
+#         0x20 (32) = Log details of client's certificate if it has one
+#         -1 or 0xff or 0x2f = All of the above
+
+#ssl_logging=0x00
+END_SSL
+	print OUT $txt;
+}