Adaptive Monitoring: Broken?
Andreas Ericsson
ae at op5.se
Thu Apr 9 00:34:21 CEST 2009
Marc Powell wrote:
> On Apr 7, 2009, at 1:26 PM, Patrick Morris wrote:
>
>> Here are the important stats:
>>
>> Nagios Version: Version 3.1.0
>> Proficiency Level: Pretty damned high
>
>> While the first command works fine, and sets the service to an OK
>> state,
>> the next two (which I've tried in various combinations) show up in the
>> Nagios logs as having been sent, but do nothing. The check that
>> appears
>> in the config files keeps running instead of my check_ok check.
>>
>> Here's how it shows up in the logs:
>>
>> [1239128528] EXTERNAL COMMAND: CHANGE_SVC_EVENT_HANDLER;dummy-
>> host;DNS;check_ok
>> [1239128528] EXTERNAL COMMAND: CHANGE_SVC_CHECK_COMMAND;dummy-
>> host;DNS;check_ok
>>
>> I've noticed the message is different if I use an invalid command, so
>> I'm relatively sure I'm using the right ones; they just don't do
>> anything.
>>
>> Event handlers are enabled for these services, but even if they
>> weren't
>> the check command should change, right?
>>
>> Am I doing something wrong here, or have I run into a bug?
>
> I'm not using 3.x yet but just to provide some feedback, what you're
> doing looks reasonable from my reading of the documentation. I do see
> this in 3.1.0's commands.c though --
>
> /* SECURITY PATCH - disable these for the time being */
> switch(cmd){
> case CMD_CHANGE_GLOBAL_HOST_EVENT_HANDLER:
> case CMD_CHANGE_GLOBAL_SVC_EVENT_HANDLER:
> case CMD_CHANGE_HOST_EVENT_HANDLER:
> case CMD_CHANGE_SVC_EVENT_HANDLER:
> case CMD_CHANGE_HOST_CHECK_COMMAND:
> case CMD_CHANGE_SVC_CHECK_COMMAND:
> return ERROR;
> }
>
> That's in the right section and my reading of the code is that it does
> exactly that; prevent changing of those values... Maybe it's something
> being worked on in the development branch?
>
It's not. That snippet comes from Nov 30 2008 as a measure to prevent
CVE-2008-5027 (cmd.cgi authorization bypass vulnerability) and
CVE-2008-5028 (cross-site request forgery) from becoming remote command
execution vulnerabilities.
Ethan added that snippet as an extra security measure. It's been in
Nagios since 3.0.4.
Assuming both the patches I sent are applied, it's safe to remove that
particular snippet and recompile Nagios.
I wrote about the two vulnerabilities here in case anyone needs to
refresh their memory:
http://blogs.op5.org/blog4.php/2008/11/11/nagios-cmd-cgi-authorization-bypass-vuln
http://blogs.op5.org/blog4.php/2008/11/11/cross-site-request-forgery-vulnerability-6
The patches to prevent them are available here:
http://git.op5.org/git/?p=nagios.git;a=shortlog;h=refs/heads/security
--
Andreas Ericsson andreas.ericsson at op5.se
OP5 AB www.op5.se
Tel: +46 8-230225 Fax: +46 8-230231
Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.
------------------------------------------------------------------------------
This SF.net email is sponsored by:
High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now!
http://p.sf.net/sfu/www-ibm-com
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
More information about the Users
mailing list