ADAPTIVE CHECK CHANGE_SVC_CHECK_COMMAND

[Javier Garces Asensio]

Thanks you
So if the CHANGE_ commands aren't expected to work in Nagios anymore, in the future, there will be a way in nagios to use dynamic thresholds?
I wanted to use a check with warning and critical values specific in hours of production and other values outside production hours

-----Mensaje original-----
De: Andreas Ericsson [mailto:ae at op5.se] 
Enviado el: lunes, 14 de enero de 2013 11:05
Para: Nagios Developers List
CC: Javier Garces Asensio
Asunto: Re: [Nagios-devel] ADAPTIVE CHECK CHANGE_SVC_CHECK_COMMAND

On 01/14/2013 09:36 AM, Javier Garces Asensio wrote:
> Hello everybody
> 
> First, I don´t know if this is the most appropriate list to send this 
> message because I’m not a developer but I’ve send it to the 
> nagios-user list but I have not gotten any response,…
> 
> I would like to use the external command change_svc_check_command to 
> change dinamically the warning and critical values of the checks.
> However it doesn´t work
> I think the cause that it doesn't work is the modification introduced 
> in the version 3.0.6 (Disabled adaptive check and eventhandler 
> commands for security reasons ) as you can see in the URL:
> 
> http://www.nagios.org/projects/nagiosco ... ry/core-3x 
> <http://www.nagios.org/projects/nagioscore/history/core-3x>
> 
> I’m using the 3.2.1 version.
> In this version and also in the latest version 3.4.3, I can see the 
> next source code in the base/commands.c file
> 
> /* SECURITY PATCH - disable these for the time being */
> switch(cmd) {
> case CMD_CHANGE_GLOBAL_HOST_EVENT_HANDLER:
> case CMD_CHANGE_GLOBAL_SVC_EVENT_HANDLER:
> case CMD_CHANGE_HOST_EVENT_HANDLER:
> case CMD_CHANGE_SVC_EVENT_HANDLER:
> case CMD_CHANGE_HOST_CHECK_COMMAND:
> case CMD_CHANGE_SVC_CHECK_COMMAND:
> return ERROR;
> }
> 
> I guess if I delete the above code, the external command 
> change_svc_check_command will work
> 
> Is not recommended to enable this external command?
> Why was it disabled in the version 3.0.6? This is not resolved in the 
> latest version?

Enabling it allows scheduled remote execution of commands due to a combination of bugs in the Nagios CGI's that were present in early versions of the 3.x series. The full fix includes hashing code and in-form security tokens, but that part of the patch was dropped (understandably, as it included quite a major change and still didn't fully block the issue), so keeping the "CHANGE_" commands disabled is the safest possible default.

By removing the above code (as you mentioned), things should work out pretty well, but then you should take some other measures to protect against cross-site request forgeries to prevent your system being compromised.

I have to note that an attack is unlikely though, as the CHANGE_ commands aren't expected to work in Nagios anymore, so noone's really targeting them.


> I haven´t found any official documentation about this
> 

There's plenty over at cve.mitre.org, but you'll have to dig that up yourself. I handled the matter on behalf of Nagios Core, so a search for my name, CVE and Nagios will most likely yield some info.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231

Considering the successes of the wars on alcohol, poverty, drugs and terror, I think we should give some serious thought to declaring war on peace.


------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. SALE $99.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122412
_______________________________________________
Nagios-devel mailing list
Nagios-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-devel