[Nagiosplug-devel] [RFC] Plugins config file

John P. Rouillard rouilj at cs.umb.edu
Mon Oct 16 19:02:56 CEST 2006


In message <EB9D8BC2-1CDA-41B8-BB7C-1D936E1B6E36 at altinity.com>,
Ton Voon writes:
>On 16 Oct 2006, at 12:13, Gavin Carr wrote:
>
>> I've got a perl nagios plugin that performs arbitrary queries against
>> a database and reports status codes based on the number of rows
>> returned i.e.
>>
>>   Usage: check_db_query_rowcount [-v] -q <query> -w <warn-count>
>>             -c <crit-count> -d <dsn> -u <user> -p <pass>
>>
>> An obvious security problem with this is that the user must pass the
>> database credentials on the command line, which typically means
>> they're exposed to any local users via the process list for however
>> long the plugin executes.
>>
>> This must be a problem for lots of other kinds of plugin too -
>> anywhere you need to pass any kind of secret to a plugin. Is there a
>> good way of dealing with this that I'm not aware of?
>
>If you run mysql (I'm on 4.1.11) with -u user -ppassword, the process  
>table will have the password blanked out. I've done that in C (see  
>check_mysql_query), but I don't know how to do that in perl. Would  
>that be sufficient?

The password is available until the application rewrites ARGV, and
rewriting ARGV isn't supported on all platforms. So I'd say no.  (BTW
try writing $ARGV[N] in perl; that works IIRC if the platform supports
it.)

>> My suggestion is that we introduce a config file specifically for use
>> by plugins (e.g. /etc/nagios/plugins.cfg or
>> $NAGIOS_HOME/etc/plugins.cfg), for arbitrary per-plugin parameters we
>> don't want to have to pass at the command line.
>
>A design principle I've been following, although it is undocumented  
>and I'm all for starting a discussion about it again, is that plugins  
>should run without any knowledge of state (I think the check_log  
>plugin might break this - I haven't worked closely on that one). A  
>config file for passwords doesn't sound necessary.

Well that depends on what you want to monitor. I wrote tkwatcher
<http://www.cs.umb.edu/~rouilj/tkwatcher/> specifically to manage
prior state to allow testing for things like:

    * has the value increased/decreased by a certain amount from the
      previous run?  
    * has the value increased/decreased by a certain percentage from
      the previous run? 
    * has the value changed or not changed since the last run

and I use it to look for things like:

   did the amount of available space on the disk drop by more than 30%?

if 30% of my available disk space just disappeared in the last 1
minute I need to know about that NOW before I hit the 10% disk
threshold because I will run out of disk space (and potentially crash
the machine) by the time I respond after the 10% warning.

I do have a method for using tkwatcher as a probe for nagios to get
the enhanced checking methods available but until my advanced
correlation patches for nagios are released I haven't done anything with
it.
 
>However, I guess this is no different from mysql having a my.cnf  
>file, so I don't think security gets any worse.

Agreed.

>My angle is that the userid/password used should only have just
>enough access to do the necessary check and no more. That would be an
>application issue, not a plugin one.

True, it is an issue with the (monitored) application (or system in the
case of network load balancer appliances, remote power control strips
etc).

Some of the systems/apps I have to authenticate to don't have multiple
users or multiple access levels. So I have to have full privs to
totally trash the system even though I want to monitor only 10
variables.  Also what you want to monitor may not be accessible from
the limited access accounts. Even with limited access accounts the data
that is returned may be sensitive and others shouldn't have access to
it. So I always have to have some method of protecting the password in
the plugin.

Also I still have to use or write a plugin to monitor it which is
forked and therefore needs some way to get the protected
information. If it has an SSL web interface it would be nice to be
able to use check_http -S or other standard plugin. If it has an SNMP
interface, would be nice to use check_snmp rather than having to write
my own plugin.

				-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
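
Added example, not part of the original message and not code from the Nagios plugins project: a sketch of how a plugin could take its credentials from the proposed per-plugin config file instead of argv, refusing a file that other local users could read or modify. The INI layout, the key names and the sample values are assumptions; the thread does not define a file format.

```python
import configparser
import os
import stat
import tempfile

class InsecureConfigError(Exception):
    """The secrets file could be read or altered by other local users."""

def load_plugin_section(path, plugin):
    """Return the [plugin] section of an INI-style secrets file as a dict."""
    # Open once and fstat() the same descriptor, so the permissions checked
    # belong to the file that is parsed (no check-then-open race).
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    with os.fdopen(fd, "r", encoding="utf-8") as handle:
        st = os.fstat(handle.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise InsecureConfigError(f"{path}: not a regular file")
        if st.st_uid not in (0, os.geteuid()):
            raise InsecureConfigError(f"{path}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise InsecureConfigError(f"{path}: group/other bits are set")
        parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
        parser.read_file(handle)
    if not parser.has_section(plugin):
        raise KeyError(f"no [{plugin}] section in {path}")
    return dict(parser.items(plugin))

def demo():
    """Load a constructed plugins.cfg at mode 0600, then retry at 0644."""
    sample = (
        "[check_db_query_rowcount]\n"        # constructed sample content
        "dsn = dbi:mysql:monitoring\n"
        "user = nagios_ro\n"
        "pass = constructed-example-secret\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "plugins.cfg")
        with open(path, "w", encoding="utf-8") as out:
            out.write(sample)
        os.chmod(path, 0o600)
        creds = load_plugin_section(path, "check_db_query_rowcount")
        os.chmod(path, 0o644)                # now world-readable
        try:
            load_plugin_section(path, "check_db_query_rowcount")
            rejected = False
        except InsecureConfigError:
            rejected = True
    return creds, rejected

if __name__ == "__main__":
    print(demo())
```

With this approach only the plugin name and thresholds appear in the process list; the secret never reaches argv, so nothing depends on the platform allowing ARGV to be rewritten.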



