Ana Sayfa Keşfet Yardım
Giriş Yap
LBP
/
nagios_nrpe
şunun yansıması https://github.com/NagiosEnterprises/nrpe.git
4
0
Çatalla 0
Dosyalar Sorunlar 0 Wiki
Ağaç: 4021e144e1
Dallar Biçim İmleri
nagios_nrpe
/
SECURITY

SECURITY 2.0 KB
Geçmiş Ham

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677 
  1. ********************
    2. 

  2. NRPE SECURITY README
    3. 

  3. ********************
    4. 

  4. 

  5. NRPE 2.0 includes the ability for clients to supply arguments to
    6. 

  6. commands which should be run.  Please note that this feature
    7. 

  7. should be considered a security risk, and you should only use
    8. 

  8. it if you know what you're doing!
    9. 

  9. 

  10. 

  11. ENABLING ARGUMENTS
    12. 

  12. ------------------
    13. 

  13. 

  14. To enable support for command argument in the daemon, you must
    15. 

  15. do two things:
    16. 

  16. 

  17.    1.  Run the configure script with the --enable-command-args 
    18. 

  18.        option
    19. 

  19. 

  20.    2.  Set the 'dont_blame_nrpe' directive in the NRPE config
    21. 

  21.        file to 1.
    22. 

  22. 

  23. 

  24. ILLEGAL METACHARS
    25. 

  25. -----------------
    26. 

  26. 

  27. To help prevent some nasty things from being done by evil 
    28. 

  28. clients, the following twelve metacharacters are not allowed
    29. 

  29. in client command arguments:
    30. 

  30. 

  31.    | ` & > < ' " \ [ ] { }
    32. 

  32. 

  33. Any client request which contains the abovementioned metachars
    34. 

  34. is discarded.  Also, the bang character (!) is not allowed, as
    35. 

  35. it is used internally as a delimiter between command arguments.
    36. 

  36. 

  37. 

  38. ENCRYPTION
    39. 

  39. ----------
    40. 

  40. 

  41. If you do enable support for command arguments in the NRPE daemon,
    42. 

  42. make sure that you encrypt communications either by using:
    43. 

  43. 

  44.    1.  Stunnel (see http://www.stunnel.org for more info)
    45. 

  45.    2.  Native SSL support
    46. 

  46. 

  47. Do NOT assume that just because the daemon is behind a firewall
    48. 

  48. that you are safe!  Always encrypt NRPE traffic!
    49. 

  49. 

  50. 

  51. USING ARGUMENTS
    52. 

  52. ---------------
    53. 

  53. 

  54. How do you use command arguments?  Well, lets say you define a
    55. 

  55. command in the NRPE config file that looks like this:
    56. 

  56. 

  57. 	command[check_users]=/usr/local/nagios/libexec/check_users -w $ARG1$ -c $ARG2$
    58. 

  58. 

  59. You could then call the check_nrpe plugin like this:
    60. 

  60. 

  61. 	./check_nrpe -H <host> -c check_users -a 5 10
    62. 

  62. 

  63. The arguments '5' and '10' get substituted into the appropriate
    64. 

  64. $ARGx$ macros in the command ($ARG1$ and $ARG2$, respectively).
    65. 

  65. The command that would be executed by the NRPE daemon would look
    66. 

  66. like this:
    67. 

  67. 

  68. 	/usr/local/nagios/libexec/check_users -w 5 -c 10
    69. 

  69. 

  70. You can supply up to 16 arguments to be passed to the command
    71. 

  71. for substitution in $ARG$ macros ($ARG1$ - $ARG16$).
    72. 

  72. 

  73. 

  74. 

  75. 

  76.     -- Ethan Galstad (nagios@nagios.org)
    77. 

  77.