check_mailq, nrpe, and root perms on client

Kevin Freels kfreels at sendmail.com
Mon Jun 15 21:02:01 CEST 2009
Previous message: check_mailq, nrpe, and root perms on client
Next message: check_mailq, nrpe, and root perms on client
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi, Mat!

Actually (as below), I did get sudo to work; it's just that I get
bombarded with an email for each command run. For certain clients, the
three services (check_mailq, check_mem, and check_log) all need it, and
when Nagios makes it's checks every five minutes, that's 36 sudo
messages sent to root every hour. Ten nrpe clients, and suddenly it's
360 messages an hour. In a weekend, it would be thousands. 

I've done my research on seeing if sudo can be set to not log certain
commands/users/groups, but haven't found anything. I think that's
because sudo was never meant to be ignored when a command is run; you
*want* to be notified if someone runs a root comand as a mortal user.
It's unwieldable to set up mail filters to filter out those messages,
since, as I said, sudo's purpose it to inform. Add that you'd need to do
this every time a new client is added, and it's simply not an elegant
solution.

Obviously, someone wrote check_mailq and it was included in the
distributions, so it must have worked at one point in time (or there was
a workaround to get it to work).

As for check_mem, it does work just fine on some systems, but not on
others (I think it's the ones that require vmstat as the base for
checking the memory).

....k
-=-=-=-  

> -----Original Message-----
> From: Mat W [mailto:lmw94002 at hotmail.com] 
> Sent: Monday, June 15, 2009 11:27 AM
> To: Kevin Freels; nagios-users at lists.sourceforge.net
> Subject: RE: [Nagios-users] check_mailq, nrpe, and root perms 
> on client
> 
> hrm, i don't run check_mem as root and it works fine.
>  
> Is the check_mem script owned by the nagios user and/or 
> executable by the nagios user?
>  
> As for mailq, I would suggest SUDO as the best route.  You 
> can configure very specific sudo permissions to only allow 
> the Nagios user to run very specific commands.
> 
> --
> Mat W. - http://www.techadre.com <http://www.techadre.com/> 
> 
> 
>  
> > Date: Mon, 15 Jun 2009 10:59:10 -0700
> > From: kfreels at sendmail.com
> > To: nagios-users at lists.sourceforge.net
> > Subject: [Nagios-users] check_mailq, nrpe, and root perms on client
> > 
> > Greetings!!!
> > 
> > Errata: Nagios 3.0
> > 
> > I have nrpe running quite well on several clients, but I am 
> having some
> > problems with running root-perm'd commands on the client 
> via nrpe. The
> > critical one I need is check_mailq, which calls the standard UNIX
> > "mailq" command, but there are also others (check_mem, check_log)
> > 
> > The problem is that mailq requires root priv's to do this. 
> Since I run
> > nrpe in daemon mode under the nagios user, it fails with: 
> > 
> > CRITICAL: Error code 78 returned from /usr/bin/mailq
> > 
> > Just for sanity check, I su'd into the nagios user and 
> tried to run it,
> > and it fails. I was able to get it working with sudo by 
> adding the user
> > nagios to the client's sudoers with only that command, and 
> then adding
> > the appropriate "sudo" in front of the check_mailq command 
> in nrpe.cfg:
> > 
> > command[check_mailq]=sudo 
> /usr/local/nagios/libexec/check_mailq -w 50
> > -c 75
> > 
> > It also works on the client as the nagios user.
> > 
> > However, as sudo is designed to do, it logs every command 
> run under it,
> > so I wind up getting an email for every instance the check is made.
> > Multiply that times several servers and services, and I am 
> now getting
> > flooded with emails that are essentially unnecessary.
> > 
> > I also thought of:
> > 
> > -- running nrpe as "root" (not comfortable with that)
> > -- SUID on check_mailq
> > -- chown'ing check_mailq root:root
> > 
> > I'm stumped....
> > 
> > Any ideas are greatly appreciated! Thanks in advance!!
> > 
> > 
> > ....k 
> > -=-=-=- 
> > Kevin Freels
> > Director of Information Technology
> > Sendmail, Inc.
> > kfreels at sendmail.com 510/594.5572
> > 
> > 
> --------------------------------------------------------------
> ----------------
> > Crystal Reports - New Free Runtime and 30 Day Trial
> > Check out the new simplified licensing option that enables unlimited
> > royalty-free distribution of the report engine for 
> externally facing 
> > server and web deployment.
> > http://p.sf.net/sfu/businessobjects
> > _______________________________________________
> > Nagios-users mailing list
> > Nagios-users at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/nagios-users
> > ::: Please include Nagios version, plugin version (-v) and 
> OS when reporting any issue. 
> > ::: Messages without supporting info will risk being sent 
> to /dev/null
> 
> 
> ________________________________
> 
> Windows Live(tm) SkyDrive(tm): Get 25 GB of free online storage. 
> Get it on your BlackBerry or iPhone. 
> <http://windowslive.com/online/skydrive?ocid=TXT_TAGLM_WL_SD_2
> 5GB_062009> 
> 

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null
Previous message: check_mailq, nrpe, and root perms on client
Next message: check_mailq, nrpe, and root perms on client
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the Users mailing list