@northox
Last active August 7, 2017 20:17
Nagios's SSH check

Principle

At no point should the Nagios server be able to run arbitrary commands on monitored systems (i.e. only non-logonable ids), meaning no value can be dynamically passed between the client and the server. The SSH server (i.e. munin-client) must use the SSH key alone to determine which command gets executed.

Client side - Nagios server

Define one SSH key per command, generated with ssh-keygen.

e.g. /home/nagios/dns

#!/bin/bash
# Run the forced command bound to this key on the monitored host; the key,
# not this script, decides what gets executed there.
out=$(ssh -i /home/nagios/.ssh/bacula_rsa -q nagios@octroiyor.mantor.org)
rc=$?                      # keep ssh's exit status (not echo's) for Nagios
echo "$out"
exit $rc

Server side - system being polled

simple command

If the command is simple, put it directly in the forced command= option of the authorized_keys file.

e.g. /home/nagios/.ssh/authorized_keys - dns check - dig ...

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="dig @192.168.2.92 soa mantor.org -p5353 +multiline +dnssec | egrep 'serial|status: '" ssh-rsa AAAA...Z7 nagios

complex/sudo command

If the command is too complex to fit in the command= field, or if sudo is needed, put it in a script and point the forced command at that script:

without sudo

e.g. /home/nagios/.ssh/authorized_keys - xyz - ~/the-script

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="~/xyz" ssh-rsa AAAA....21 nagios

with sudo

e.g. /home/nagios/.ssh/authorized_keys - mysqlreq - sudo ~/the-script

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="sudo ~/mysqlreq" ssh-rsa AAAA....21 nagios

sudoers config

All scripts within the ~/sudo directory (/home/nagios/sudo) can be run with sudo using the following sudoers config:

i.e. /usr/local/etc/sudoers.d/nagios

nagios   ALL=(root) NOPASSWD: /home/nagios/sudo/*
Defaults:nagios !requiretty

The last line removes the need to drop no-pty for sudo commands.

e.g. /home/nagios/.ssh/authorized_keys - mysqlreq - sudo ~/sudo/mysqlreq

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="sudo ~/sudo/mysqlreq" ssh-rsa AAAA....EA nagios

BIG BOLD WARNING HERE

The security of this mechanism depends on the scripts authorized by sudo being actually under root's control, not the nagios user's.

  1. files within /home/nagios/sudo MUST be owned by root and writable only by root (-rwxr-xr-x root)
  2. the directory /home/nagios/sudo MUST be owned by root and writable only by root (-rwxr-xr-x root)
  3. the user's home directory /home/nagios MUST be owned by root and writable only by root (-rwxr-xr-x root)

Assume everything in this directory can be executed by anyone as root.

p.s. Yes, that's a bit overkill since the nagios user is really an administrator and nothing other than this gets executed by this user, but doing it like this keeps a clean distinction between a privileged id (root) and a non-privileged id (nagios).
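An audit script for the two things this setup relies on: every line in authorized_keys carrying the lock-down options plus a forced command=, and the sudo directory, its scripts and the home directory above it being root-owned and writable only by root (conditions 1 to 3). This is an added example, not the gist's own code; the paths in the usage line are assumptions, and the owner argument defaults to root.

```shell
#!/bin/sh
# Every key line must carry the restriction options and a forced command=,
# otherwise the key holder gets an interactive login. Prints offenders,
# returns 0 when all keys are restricted, 1 otherwise.
check_authorized_keys() {
    file="$1"; bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        for opt in no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty 'command="'; do
            case "$line" in
                *"$opt"*) ;;
                *) echo "missing $opt: $line"; bad=1; break ;;
            esac
        done
    done < "$file"
    return $bad
}

# The sudo directory, each script in it and its parent (the home directory)
# must be owned by $2 (default root) and must not be group/world writable:
# anyone who can write there runs code as root through sudo.
check_sudo_dir() {
    dir="$1"; owner="${2:-root}"; bad=0
    for p in "$dir" "$dir"/* "$(dirname "$dir")"; do
        [ -e "$p" ] || continue
        set -- $(ls -ld "$p")          # e.g. -rwxr-xr-x 1 root wheel ...
        case "$1" in
            ?????w*|????????w*) echo "group/world writable: $p"; bad=1 ;;
        esac
        [ "$3" = "$owner" ] || { echo "not owned by $owner: $p"; bad=1; }
    done
    return $bad
}

# usage (assumed paths): sh audit.sh /home/nagios/.ssh/authorized_keys /home/nagios/sudo
if [ $# -eq 2 ]; then
    check_authorized_keys "$1"; a=$?
    check_sudo_dir "$2"; b=$?
    [ $a -eq 0 ] && [ $b -eq 0 ] && echo "OK: keys restricted, sudo scripts root-controlled"
fi
```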

jail command

Use this with the sudo config above to divert the command into the jail, with something like this:

e.g. /home/nagios/sudo/mysqlreq

#!/bin/sh
jid=$(jls | grep secor | awk '{print $1}')   # jail id of "secor" is looked up at run time
[ -n "$jid" ] || exit 3                       # UNKNOWN to Nagios if the jail is not running
exec jexec "$jid" /home/nagios/mysqlrep

n.b. jids are pulled dynamically at run time
