security & suid/sudo plugins

julien Touche julien.touche at touche.fr.st
Thu Aug 31 23:39:01 CEST 2006


Alexander Harvey wrote on 31/08/2006 16:10:
> I have a difficult customer who won't sign off changes based on the
> security risk using suid plugins, for example, check_logfiles. What does
> one do about this situation?

$ cat /usr/local/share/doc/nagios-plugins/README.OpenBSD
Some nagios plugins need elevated privileges to run properly. As the code
quality of these plugins is not really good, they are not installed suid
root by default, but instead I suggest running them with systrace's
privilege elevation feature. This way they are run as _nagios, but single
syscalls are run as root.

1) Create a preliminary systrace policy for the plugin.

# cd ${PREFIX}/libexec/nagios
# systrace -A -d /tmp ./<plugin> <plugin arguments>

This creates a policy for the plugin <plugin> in /tmp.

2) Refine the policy and configure privilege elevation as required. This
is an example, permitting the bind(2) syscall as root.

native-bind: sockaddr eq "inet-[0.0.0.0]:68" then permit as root

3) Copy the systrace policy to /etc/systrace.

4) Run visudo as root and configure sudo for user _nagios like this.

_nagios ALL=NOPASSWD: /bin/systrace -a -c 550\:550 \
    ${PREFIX}/libexec/nagios/<plugin> <plugin arguments>

5) Configure the respective command in nagios.

define command {
        command_name check_dhcp
        command_line sudo /bin/systrace -a -c 550:550 $USER1$/<plugin> <plugin arguments>
}

6) In case of problems, systrace will log to /var/log/messages.

Regards


Julien
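As an added example (not part of the list post or the OpenBSD README quoted above), the following shell helpers support the procedure in steps 1 to 5: they report plugins still installed setuid root, and emit the sudoers line and the nagios command definition from the same plugin name and arguments so the two stay consistent. The /usr/local prefix, the check_dhcp arguments and the demo directory are constructed values.

```shell
#!/bin/sh
# Added example for the systrace/sudo approach above; not the project's code.
# PREFIX, plugin arguments and the demo directory below are constructed.

# Report any plugin in DIR that still carries the setuid bit (mode 04000).
# Such a plugin bypasses the systrace wrapper and should be chmod'ed to 0555.
list_suid_plugins() {
    find "$1" -maxdepth 1 -type f -perm -4000 -exec basename {} \; | sort
}

# Emit the sudoers line from step 4. sudoers requires the colon in the
# "-c uid:gid" argument to be escaped as "\:" or visudo rejects the entry.
sudoers_entry() {
    printf '_nagios ALL=NOPASSWD: /bin/systrace -a -c 550\\:550 %s/libexec/nagios/%s %s\n' \
        "$1" "$2" "$3"
}

# Emit the nagios command definition from step 5. Here the uid:gid pair is
# written unescaped and the plugin directory is the $USER1$ macro.
nagios_command() {
    printf 'define command {\n'
    printf '        command_name %s\n' "$1"
    printf '        command_line sudo /bin/systrace -a -c 550:550 $USER1$/%s %s\n' "$2" "$3"
    printf '}\n'
}

# Constructed demo directory standing in for ${PREFIX}/libexec/nagios.
demo_dir=$(mktemp -d)
for p in check_dhcp check_logfiles check_ping; do
    : > "$demo_dir/$p"
    chmod 0555 "$demo_dir/$p"
done
chmod 4555 "$demo_dir/check_logfiles"   # simulate a leftover suid plugin

echo "plugins still installed setuid:"
list_suid_plugins "$demo_dir"
echo
sudoers_entry /usr/local check_dhcp '-s 192.0.2.1'
echo
nagios_command check_dhcp check_dhcp '-s 192.0.2.1'
rm -rf "$demo_dir"
```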


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users