Mumblings of a Crazy IT Guy

Nagios: Storing Credentials for Use in Commands

I don't know about you, but I tend to always read the documentation about everything. I like to be well informed of what my possibilities are, and how I can go about them.

I must've been slightly distracted when I installed Nagios. Or comatose. Anyway, for some reason, I failed to read much of the available documentation on installing and setting up Nagios. This resulted in way too much trial and error for my taste.

So, maybe all of you already knew about what I'm about to say. If so, well, good for you! I know I would've liked to know before.

Commands Need Privileges, But...

Sometimes, a command will require a username and password to run properly. For example, check_esx and check_wmi_plus both require administrative privileges on a domain level to function correctly.

So, what did my commands look like? Simple. 

command_line    $USER1$/check_esx.pl -D vcenter.domain.com -u "domain\admin" -p AmazingPassword -H $HOSTNAME$.domain.com -l cpu -s usage -w ~:$ARG1$ -c ~:$ARG2$

Nobody has access to the monitoring server. So even if the passwords are visible, it's not so bad. Right?

I tried this for fun:

find . -type f -print0 | xargs -0 grep -i "AmazingPassword"

Wow. My password was everywhere. And I mean everywhere. Archives, perfdata.. Nah. This didn't feel right.

There's a Better Way

And of course, it's documented.

The key is a nifty little file called resource.cfg. Open it up. It's generally located in /usr/local/nagios/etc/.

Here's what mine looks like now. It's self-explanatory, really.

###########################################################################
#
# RESOURCE.CFG - Sample Resource File for Nagios 3.3.1
#
# Last Modified: 09-10-2003
#
# You can define $USERx$ macros in this file, which can in turn be used
# in command definitions in your host config file(s).  $USERx$ macros are
# useful for storing sensitive information such as usernames, passwords,
# etc.  They are also handy for specifying the path to plugins and
# event handlers - if you decide to move the plugins or event handlers to
# a different directory in the future, you can just update one or two
# $USERx$ macros, instead of modifying a lot of command definitions.
#
# The CGIs will not attempt to read the contents of resource files, so
# you can set restrictive permissions (600 or 660) on them.
#
# Nagios supports up to 32 $USERx$ macros ($USER1$ through $USER32$)
#
# Resource files may also be used to store configuration directives for
# external data sources like MySQL...
#
###########################################################################
# Sets $USER1$ to be the path to the plugins
$USER1$=/usr/local/nagios/libexec
# Sets $USER2$ to be the path to event handlers
#$USER2$=/usr/local/nagios/libexec/eventhandlers
# Store some usernames and passwords (hidden from the CGIs)
$USER3$=domain
$USER4$=admin
$USER5$=AmazingPassword

Now we're talkin'! All the commands that require credentials now look something like this:

command_line    $USER1$/check_esx.pl -D vcenter.domain.com -u "$USER3$\$USER4$" -p $USER5$ -H $HOSTNAME$.domain.com -l cpu -s usage -w ~:$ARG1$ -c ~:$ARG2$

Much better!
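
To check that the cleanup actually took, here is the grep sweep from earlier turned into a small audit script. It is an added example, not part of the original post or of Nagios: it reads the $USERn$ values from resource.cfg, reports any file that still contains one of them literally, and checks that resource.cfg is not accessible to "other" users. The tree and values inside demo() are constructed sample data.

```python
import re
import stat
import tempfile
from pathlib import Path

MACRO_RE = re.compile(r"^\s*\$(USER\d+)\$=(.*)$")  # active (uncommented) lines only

def load_user_macros(resource_path):
    """Return {name: value} for each active $USERn$ line in resource.cfg."""
    lines = Path(resource_path).read_text(errors="replace").splitlines()
    found = (MACRO_RE.match(line) for line in lines)
    return {m.group(1): m.group(2).strip() for m in found if m}

def world_accessible(path):
    """True if any 'other' permission bit is set, i.e. looser than 600/660."""
    return bool(stat.S_IMODE(Path(path).stat().st_mode) & 0o007)

def find_leaks(root, secrets, skip):
    """List (relative path, macro) for files under root that hold a secret literally."""
    hits, skip = [], Path(skip).resolve()
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.resolve() == skip:
            continue  # resource.cfg is the one place the value belongs
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file, nothing to report
        hits += [(path.relative_to(root).as_posix(), name)
                 for name, value in secrets.items() if value and value.encode() in data]
    return sorted(hits)

def demo():
    """Audit a constructed tree; every path and value below is sample data."""
    sample = {
        "etc/resource.cfg": "$USER1$=/usr/local/nagios/libexec\n"
                            "#$USER2$=/unused\n$USER5$=AmazingPassword\n",
        "etc/commands.cfg": "command_line $USER1$/check_esx.pl -p $USER5$\n",
        "etc/old.cfg": "command_line $USER1$/check_esx.pl -p AmazingPassword\n",
        "var/archives/old.log": "check_esx.pl -p AmazingPassword -H host1\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in sample.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_text(text)
        res = Path(root, "etc/resource.cfg")
        res.chmod(0o600)
        macros = load_user_macros(res)
        leaks = find_leaks(root, {"USER5": macros["USER5"]}, skip=res)
        return macros, world_accessible(res), leaks
```

Only pass the macros that hold secrets to find_leaks; a path macro like $USER1$ will legitimately show up in plenty of files.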
