Главная Обзор Помощь
Вход
LBP
/
nagios_nrpe
зеркало из https://github.com/NagiosEnterprises/nrpe.git
4
0
Ответвить 0
Файлы Задачи 0 Вики
Дерево: cedfdced42
Ветки Метки
nagios_nrpe
/
SECURITY

SECURITY 2.3 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687 
  1. ********************
    2. 

  2. NRPE SECURITY README
    3. 

  3. ********************
    4. 

  4. 

  5. NRPE 2.0 includes the ability for clients to supply arguments to
    6. 

  6. commands which should be run.  Please note that this feature
    7. 

  7. should be considered a security risk, and you should only use
    8. 

  8. it if you know what you're doing!
    9. 

  9. 

  10. 

  11. ENABLING ARGUMENTS
    12. 

  12. ------------------
    13. 

  13. 

  14. To enable support for command argument in the daemon, you must
    15. 

  15. do two things:
    16. 

  16. 

  17.    1.  Run the configure script with the --enable-command-args 
    18. 

  18.        option
    19. 

  19. 

  20.    2.  Set the 'dont_blame_nrpe' directive in the NRPE config
    21. 

  21.        file to 1.
    22. 

  22. 

  23. 

  24. ILLEGAL METACHARS
    25. 

  25. -----------------
    26. 

  26. 

  27. To help prevent some nasty things from being done by evil 
    28. 

  28. clients, the following twelve metacharacters are not allowed
    29. 

  29. in client command arguments:
    30. 

  30. 

  31.    | ` & > < ' " \ [ ] { }
    32. 

  32. 

  33. Any client request which contains the abovementioned metachars
    34. 

  34. is discarded.  Also, the bang character (!) is not allowed, as
    35. 

  35. it is used internally as a delimiter between command arguments.
    36. 

  36. 

  37. 

  38. USER/GROUP RESTRICTIONS
    39. 

  39. -----------------------
    40. 

  40. 

  41. The NRPE daemon cannot be run with (effective) root user/group
    42. 

  42. privileges.  You must run the daemon with an account that does
    43. 

  43. not have superuser rights.  Use the nrpe_user and nrpe_group
    44. 

  44. directives in the config file to specify which user/group the
    45. 

  45. daemon should run as.
    46. 

  46. 

  47. 

  48. ENCRYPTION
    49. 

  49. ----------
    50. 

  50. 

  51. If you do enable support for command arguments in the NRPE daemon,
    52. 

  52. make sure that you encrypt communications either by using:
    53. 

  53. 

  54.    1.  Stunnel (see http://www.stunnel.org for more info)
    55. 

  55.    2.  Native SSL support
    56. 

  56. 

  57. Do NOT assume that just because the daemon is behind a firewall
    58. 

  58. that you are safe!  Always encrypt NRPE traffic!
    59. 

  59. 

  60. 

  61. USING ARGUMENTS
    62. 

  62. ---------------
    63. 

  63. 

  64. How do you use command arguments?  Well, lets say you define a
    65. 

  65. command in the NRPE config file that looks like this:
    66. 

  66. 

  67. 	command[check_users]=/usr/local/nagios/libexec/check_users -w $ARG1$ -c $ARG2$
    68. 

  68. 

  69. You could then call the check_nrpe plugin like this:
    70. 

  70. 

  71. 	./check_nrpe -H <host> -c check_users -a 5 10
    72. 

  72. 

  73. The arguments '5' and '10' get substituted into the appropriate
    74. 

  74. $ARGx$ macros in the command ($ARG1$ and $ARG2$, respectively).
    75. 

  75. The command that would be executed by the NRPE daemon would look
    76. 

  76. like this:
    77. 

  77. 

  78. 	/usr/local/nagios/libexec/check_users -w 5 -c 10
    79. 

  79. 

  80. You can supply up to 16 arguments to be passed to the command
    81. 

  81. for substitution in $ARG$ macros ($ARG1$ - $ARG16$).
    82. 

  82. 

  83. 

  84. 

  85. 

  86.     -- Ethan Galstad (nagios@nagios.org)
    87. 

  87.