[Nagiosplug-devel] [RFC] Plugins config file
Gavin Carr
gavin at openfusion.com.au
Mon Oct 16 13:13:50 CEST 2006

I've got a perl nagios plugin that performs arbitrary queries against
a database and reports status codes based on the number of rows
returned i.e.

    Usage: check_db_query_rowcount [-v] -q <query> -w <warn-count>
        -c <crit-count> -d <dsn> -u <user> -p <pass>

An obvious security problem with this is that the user must pass the
database credentials on the command line, which typically means
they're exposed to any local users via the process list for however
long the plugin executes.

This must be a problem for lots of other kinds of plugin too -
anywhere you need to pass any kind of secret to a plugin. Is there a
good way of dealing with this that I'm not aware of?

My suggestion is that we introduce a config file specifically for use
by plugins (e.g. /etc/nagios/plugins.cfg or
$NAGIOS_HOME/etc/plugins.cfg), for arbitrary per-plugin parameters we
don't want to have to pass at the command line. Perhaps an INI-style
format would make sense, with per-plugin sections, or arbitrary
section names specified explicitly e.g.

    [ check_db_query_rowcount ]
    dsn = db:Pg:database=foo
    user = fred
    pass = secret

or perhaps if I want to check multiple different databases, or share
the credentials across plugins:

    [ foo_db ]
    dsn = db:Pg:database=foo
    user = fred
    pass = secret

Then my plugin could have a usage pattern like this:

    Usage: check_db_query_rowcount [-v] -q <query> -w <warn-count>
        -c <crit-count> [--auth=<auth-section>]

where auth-section might default to the plugin name if not specified
(and the plugin would fail if an appropriate auth section could not
be found).

Thoughts/comments?

Cheers,
Gavin

--
Gavin Carr
Open Fusion - Open Source Business Solutions [ Linux - Perl - Apache ]
http://www.openfusion.com.au
- Fashion is a variable, but style is a constant - Programming Perl
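
The lookup proposed in the message above, as an added Perl example that is not part of the original post or of any shipped Nagios plugin: it reads a named section from an INI-style file, defaults the section to the plugin's own name, and exits UNKNOWN when the section is missing. The read_plugin_config name, the refusal to read a file that is group- or world-accessible, and the temp-file sample config are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example: take plugin credentials from an INI-style section, not argv.
use strict;
use warnings;
use File::Basename qw(basename);
use File::Temp qw(tempfile);
use Getopt::Long qw(GetOptions);
use constant UNKNOWN => 3;    # Nagios plugin exit code for UNKNOWN

# Parse "[ section ]" headers and "key = value" lines into a hash of hashes.
sub read_plugin_config {
    my ($path) = @_;
    my @st = stat($path) or die "cannot stat $path: $!\n";
    # Assumption: the file holds secrets, so refuse any group/world access.
    die sprintf("%s has mode %04o, expected 0600 or stricter\n", $path, $st[2] & 07777)
        if $st[2] & 077;
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    my (%cfg, $section);
    while (my $line = <$fh>) {
        next if $line =~ /^\s*(?:[#;].*)?$/;    # blank line or comment
        if ($line =~ /^\s*\[\s*(.+?)\s*\]\s*$/) { $section = $1; next }
        if (defined $section && $line =~ /^\s*([^=\s]+)\s*=\s*(.*?)\s*$/) {
            $cfg{$section}{$1} = $2;
            next;
        }
        die "$path line $.: cannot parse\n";
    }
    close($fh);
    return \%cfg;
}

# Constructed sample config; File::Temp creates the file with mode 0600.
my ($tmp, $cfg_path) = tempfile(UNLINK => 1);
print {$tmp} "[ foo_db ]\ndsn = db:Pg:database=foo\nuser = fred\npass = secret\n";
close($tmp);

my $auth = basename($0);      # default: section named after the plugin
GetOptions('auth=s' => \$auth) or exit UNKNOWN;

my $cfg = eval { read_plugin_config($cfg_path) };
if (!$cfg) { print "UNKNOWN - $@"; exit UNKNOWN }
my $cred = $cfg->{$auth};
if (!$cred) { print "UNKNOWN - no [$auth] section in $cfg_path\n"; exit UNKNOWN }
printf "section [%s]: dsn=%s user=%s (password loaded, not printed)\n",
    $auth, $cred->{dsn}, $cred->{user};
```

Run with --auth=foo_db to load the constructed section; run without it and the default section (the script's file name) is not found, so the script exits with status 3.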