[Nagiosplug-devel] RFC: Plugins config file (final proposal) (Nagios V3 object macros)
Ethan Galstad
nagios at nagios.org
Tue Jan 30 05:33:17 CET 2007
John P. Rouillard wrote:
> In message <8CF3E17D-4692-4AFB-9EBC-27C3C15C23FD at altinity.com>,
> Ton Voon writes:
>
>> I'm trying to wrap up this RFC from October last year (http://
>> thread.gmane.org/gmane.network.nagios.plugins.devel/4199) so that we
>> can have some text written in the developer-guidelines before
>> starting work on implementing it.
>>
>> This is a summary of the thread on it. I think I have all the angles
>> covered, but please let me know if not.
>>
>>
>> PROBLEM
>>
>> There are security issues with passing user authentication
>> information into some plugins via the command line. We would like the
>> use of configuration files, secured at the file level, allowing
>> configuration variables on a per-plugin basis.
>>
>> PROPOSED SOLUTION
>>
>> A new option is allowed: --extra-opts. The idea is this option is
>> "replaced" with configuration options within a configuration file.
>
> Well, one thing that was discussed on the nagios list for nagios 3 was
> the ability to use host object specific macros
> (e.g. _snmp_community=private) to keep this data associated with the
> host as different hosts may have different info. My idea was to flag
> some of these macros to be sent on stdin and not passed in the
> environment. So the plugin would get:
>
> _snmp--community=private
> _snmp--username=fred
>
> on standard in to set '--community=private' and '--username=fred'.
>
> Could the RFC be extended to allow:
>
> --extra_opts=-
>
> that will read on stdin lines of the form above and parse them using
> the last -- seperated segment as the option name.
>
> It seems that there is a 1:1 correspondance between arguments to a
> plugin and the host object macro so that each macro would be used for
> only one plugin invocation. If there was a case where the same
> username had to be passed as various parameters: --name, --username,
> --account etc for different plugins then a small shell filter could be
> used:
>
> define host {
> name foo
> _admin-login-account nagios
> ...
> }
>
> define command {
> command_line filter mysql | check_mysql --extra-opts=- ....
> ...
> command_input _admin-login-account
> }
>
> define command {
> command_line filter snmp | check_snmp -v 3 --extra-opts=- ....
> ...
> command_input _admin-login-account
> }
>
>
> where "filter" is responsible for changing an input value of:
>
> _admin-login-account=nagios
>
> to '--username=nagios' when given the "mysql" argument,
> '--secname=nagios' when given the argument snmp etc. (or we may be
> able to define some mapping mechanism that can be done by nagios
> without the need for the filter:
> e.g. secname=$_admin-login-account(default)$ would produce
> secname=nagios if _admin-login-account is defined for the host or
> secname=default if the mcro is undefined.)
>
> Being able to inherit this info from nagios means that managemnt
> interfaces developed for nagios can display (and change) this info
> without having to develop an add on mechanism. The data is kept with
> the host allowing nice printouts of the data and automatic generation
> from higher level management tools (e.g. inventory databases).
>
> Granted using --extra-opts=$HOSTNAME$ also allows for per host
> definitions files, but being able to use the nagios provided
> capability when they are available would also be a big win.
>
> -- rouilj
> John Rouillard
I prefer using the proposed config file solution to store passwords,
etc. over the idea of passing this info via stdin. In my opinion, the
config file option is a much simpler/elegant solution.
It requires no mods to the Nagios daemon or plugin API. Super-secret
info can be stored in the config file and locked down with standard file
permissions. And a standard library/function set can be created to
allow Perl/C plugins to grab their appropriate entries out of the config
file.
Now that I'm thinking about it, this type of file format seems like it
must be used by a number of apps. There's probably a GPL'ed library out
there that can read/write config entries to a file in the proposed format.
As for loosing the ability to keep private information in the Nagios
host/service definitions... I guess that's a good reason to make sure
the monitoring server isn't used by normal users. If its a dedicated
box, it shouldn't matter what information is being passed on the command
lines between the daemon and the plugins.
Ethan Galstad,
Nagios Developer
---
Email: nagios at nagios.org
Website: http://www.nagios.org
More information about the Devel
mailing list