Using sudo with NRPE requests

NRPE diagram

I want to receive an alert whenever root’s crontab of a machine has been updated.

In RHEL (Red Hat Enterprise Linux) 6 the crontab is stored in /var/spool/cron/root, and it is readable and writable only by root itself.

After installing the required yum packages (for example nagios-plugins-all, nagios-plugins-nrpe and nrpe), you can begin by checking whether the file is older than 15 minutes (900 seconds):

# /usr/lib64/nagios/plugins/check_file_age -c 900 -f /var/spool/cron/root

Then negate its output, so that the check fires when the file is newer than that period:

# /usr/lib64/nagios/plugins/negate -o CRITICAL -c OK -u UNKNOWN -s /usr/lib64/nagios/plugins/check_file_age -c 900 -f /var/spool/cron/root

where:

-o, --ok=STATUS
-w, --warning=STATUS
-c, --critical=STATUS
-u, --unknown=STATUS
-s, --substitute

Let’s check this:

# ls -l /var/spool/cron/root ; echo '# test' >> /var/spool/cron/root ; ls -l /var/spool/cron/root

NOTE: be sure to append (>>) the test line to the crontab file rather than overwriting (>) it.

FILE_AGE CRITICAL: /var/spool/cron/root is 1 seconds old and 212 bytes

OK. That’s the desired output. We can go on but… remember, by default NRPE commands are executed by the nrpe user:

# grep '^nrpe_user=' /etc/nagios/nrpe.cfg 
nrpe_user=nrpe

and that user doesn’t have permission to read root’s crontab file.

# su - nrpe
$ /usr/lib64/nagios/plugins/check_file_age -c 900 -f /var/spool/cron/root
FILE_AGE CRITICAL: File not found - /var/spool/cron/root

NOTE: I was able to log in as the nrpe user because I edited /etc/passwd and changed nrpe’s shell from /sbin/nologin to /bin/bash.

You can:

  • Give permissions to nrpe to read root’s crontab, or
  • Grant sudo permissions to run the check as root

Both of them involve security issues, but having to choose, I prefer the second one, so I edit the sudoers file with the visudo command to add the following lines:

Cmnd_Alias NRPE = /usr/lib64/nagios/plugins/check_root_cron_file_age
nrpe ALL=(ALL) NOPASSWD: NRPE

As you can see, I wrote a simple script for this check (/usr/lib64/nagios/plugins/check_root_cron_file_age), since it is easier to maintain this way.
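The post does not show the contents of check_root_cron_file_age. What follows is an added example of how such a wrapper can be written; it is not the author's script. It reimplements the negated check_file_age logic in plain shell with stat(1) and date(1) (GNU stat as on RHEL 6, with a BSD fallback), exits with the standard Nagios plugin codes so sudo and NRPE relay the result unchanged, and keeps the crontab path and the 900-second window hard-coded so the NOPASSWD rule above can only ever run this one check. The file_mtime helper and the FILE/MAX_AGE parameters of the inner function are names chosen for this example.

```shell
#!/bin/bash
# Added example (not the author's script): a self-contained version of the
# wrapper the post installs as /usr/lib64/nagios/plugins/check_root_cron_file_age.
# It reimplements the negated check_file_age logic with stat(1) and date(1),
# so it needs nothing from nagios-plugins, and exits with the usual Nagios
# plugin codes so sudo/NRPE can relay the result unchanged.

STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3

# Modification time of a file as seconds since the epoch.
# Tries GNU stat (RHEL 6 and other Linux) first, then BSD stat; prints nothing
# and fails if the file cannot be stat'ed (missing, or permission denied, which
# is exactly what the unprivileged nrpe user gets on /var/spool/cron/root).
file_mtime() {
    stat -c %Y -- "$1" 2>/dev/null || stat -f %m -- "$1" 2>/dev/null
}

# check_root_cron_file_age FILE MAX_AGE
#   CRITICAL  FILE was modified less than MAX_AGE seconds ago (crontab changed)
#   OK        FILE is at least MAX_AGE seconds old
#   UNKNOWN   FILE cannot be read
check_root_cron_file_age() {
    file="$1"
    max_age="$2"
    mtime=$(file_mtime "$file") || {
        echo "FILE_AGE UNKNOWN: cannot stat $file"
        return "$STATE_UNKNOWN"
    }
    now=$(date +%s)
    age=$(( now - mtime ))
    if [ "$age" -lt "$max_age" ]; then
        echo "FILE_AGE CRITICAL: $file is $age seconds old (changed within the last $max_age seconds)"
        return "$STATE_CRITICAL"
    fi
    echo "FILE_AGE OK: $file is $age seconds old"
    return "$STATE_OK"
}

# Run the check only when executed under the plugin's installed name, with the
# path and the 900-second window fixed in the script: the sudoers rule then
# grants nothing beyond this one check, and the functions can still be sourced
# for testing. Install it root-owned, mode 0755, never writable by nrpe.
if [ "$(basename "$0")" = "check_root_cron_file_age" ]; then
    check_root_cron_file_age /var/spool/cron/root 900
    exit $?
fi
```

Because the sudoers entry lets nrpe run this file as root without a password, the script itself is part of the privilege boundary: install it owned by root with mode 0755 and confirm that neither the file nor /usr/lib64/nagios/plugins is writable by the nrpe user, otherwise the monitoring account gains a path to root. Run as nrpe without sudo it reports UNKNOWN, which is the permission-denied case shown earlier in the post.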

To let the NRPE daemon know how to answer this check, you have to define it as a command in /etc/nagios/nrpe.cfg:

command[check_root_cron_file_age]=/usr/bin/sudo /usr/lib64/nagios/plugins/check_root_cron_file_age

restart the daemon:

# /etc/init.d/nrpe restart

and check it via NRPE:

# /usr/lib64/nagios/plugins/check_nrpe -H localhost -c check_root_cron_file_age

At this point you will probably get errors like the following:

sudo: sorry, you must have a tty to run sudo
sudo: no tty present and no askpass program specified

To avoid the tty- and password-related problems, you have to update the sudoers file again:

Defaults !requiretty
Defaults !visiblepw

Setting this check in Nagios is out of the scope of this post but the rest of the procedure is straightforward.

Links:
