Wednesday, 29 August 2012

Nagios: check remote hosts via SSH with command validation


Nagios server: Fedora release 16 (Verne)
Nagios remote node: Debian GNU/Linux testing (wheezy)


Basic SSH Configuration
Allow access from the Nagios server to the Nagios node by creating a passphrase-less SSH key. check_by_ssh runs unattended, so nobody is there to type a passphrase; the command= restriction added at the end of this post is what keeps a stolen key from turning into a full login. The example uses a DSA key as it was generated in 2012; on any recent OpenSSH use -t ed25519 (or -t rsa -b 4096) instead, because ssh-dss is disabled by default there:

zmo@nagiosSer:~$ cd .ssh/
zmo@nagiosSer:~/.ssh$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/zmo/.ssh/id_dsa): nagios
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in nagios.
Your public key has been saved in nagios.pub.
The key fingerprint is:
....

.. so that nagios and nagios.pub now sit next to the other keys:

zmo@nagiosSer:~/.ssh$ ls
id_rsa id_rsa.pub nagios nagios.pub

On the remote node, create the nagios user and the files it needs (with the default umask .ssh ends up mode 755 and authorized_keys 644, which sshd accepts under StrictModes; tightening them to 700 and 600 does no harm):

root@nagiosNod:~# adduser nagios
Adding user `nagios' ...
Adding new group `nagios' (1006) ...
Adding new user `nagios' (1006) with group `nagios' ...
...
Enter new UNIX password: xxxxxxxx
Retype new UNIX password: xxxxxxxx
...
root@nagiosNod:~# su - nagios
nagios@nagiosNod:~$ mkdir .ssh
nagios@nagiosNod:~$ touch .ssh/authorized_keys


Paste the public key from the Nagios server into the remote nagios user's authorized_keys file. This is the only step that needs the password; once the key is in place you can lock the account's password with passwd -l nagios so that the key is the only way in:


zmo@nagiosSer:~/.ssh$ cat nagios.pub | ssh nagios@nagiosNod.remote.com 'cat >> /home/nagios/.ssh/authorized_keys'
nagios@nagiosNod.remote.com's password: xxxxxxxx


Test it:

zmo@nagiosSer:~$ ssh -i .ssh/nagios nagios@nagiosNod
Last login: Tue Aug 28 20:44:54 2012 from nagiosSer
nagios@nagiosNod:~$



On the nagios server


root@nagiosSer:~# yum install nagios-plugins-by_ssh.i686


On the nagios remote node
Install the nagios plugins

root@nagiosNod:~# apt-get install nagios-plugins-basic


NOTE: you can see where the plugins were installed with:

root@nagiosNod:~# dpkg -L nagios-plugins-basic
...
/usr/lib/nagios/plugins/check_apt
/usr/lib/nagios/plugins/check_tcp
/usr/lib/nagios/plugins/check_dummy
/usr/lib/nagios/plugins/check_ntp
/usr/lib/nagios/plugins/check_nwstat
/usr/lib/nagios/plugins/check_load
/usr/lib/nagios/plugins/check_procs
...


On the nagios server
Write an SSH config file:

root@nagiosSer:~# cd /etc/nagios
root@nagiosSer:/etc/nagios# vim check_by_ssh_config


Host nagiosNod 84.68.x.x
User nagios
Hostname nagiosNod.remote.com
IdentityFile /home/zmo/.ssh/nagios

This file is passed to check_by_ssh as its SSH configuration (-F). You can of course add other hosts. Two things to check before going further: check_by_ssh runs as the nagios user on the server, so that user must be able to read the IdentityFile (ssh refuses a private key that is group- or world-readable, so copy the key somewhere owned by nagios with mode 600 rather than loosening permissions under /home/zmo), and the node's host key must already be in the nagios user's known_hosts, otherwise the non-interactive connection fails at host key verification. The Host line is matched against the -H argument, so it has to list the address you put in the host definition.

Configure the commands.cfg

root@nagiosSer:/etc/nagios# vim objects/commands.cfg


# Check Remote Disk
define command {
command_name check_remote_disk
command_line $USER1$/check_by_ssh -H $HOSTADDRESS$ -F /etc/nagios/check_by_ssh_config -C "/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$"
}

A little explanation:
* $USER1$ - the plugin directory macro, defined in resource.cfg (typically /etc/nagios/private/resource.cfg; on Fedora it points at /usr/lib/nagios/plugins or /usr/lib64/nagios/plugins). It is not the user Nagios runs as
* $HOSTADDRESS$ - the numeric IP address defined in the host configuration file (/etc/nagios/objects/nagiosNod.cfg), taken from the "address" field
* -F /etc/nagios/check_by_ssh_config - the SSH configuration file written above
* -C /usr/lib/nagios/.. - the command to execute on the remote node; the path is the plugin directory on the node (Debian), not on the server
* $ARG1$, $ARG2$, $ARG3$ - the values separated by ! in the service's check_command

It's better (not mandatory) to give these services their own template. Open /etc/nagios/objects/templates.cfg (or services.cfg) and append:

# Remote service
define service{
name remote-service
use generic-service
max_check_attempts 4
normal_check_interval 5
retry_check_interval 1
register 0
}


Now in /etc/nagios/objects/nagiosNod.cfg file we could append:

define service {
use remote-service
host_name nagiosNod
service_description Home Partition
check_command check_remote_disk!20%!10%!/home
}


SSH validation
This step allows only the check_* plugins to be executed from the Nagios server on the Nagios node: no other commands, no interactive login, nothing else.

Create the validation script. Keep it owned by root, not by nagios: the whole point is that whoever holds the key is confined to this script, so the nagios account must not be able to edit it:

root@nagiosNod:~# touch /usr/local/bin/validate-nagios-check
root@nagiosNod:~# chown root:root /usr/local/bin/validate-nagios-check
root@nagiosNod:~# chmod 755 /usr/local/bin/validate-nagios-check
root@nagiosNod:~# vim /usr/local/bin/validate-nagios-check
#!/bin/sh
# Only plugins from the Nagios plugin directory may be run over this key.
# Anything else is rejected with exit 3 (UNKNOWN), so the server never
# reports a refused command as OK.
set -f   # no pathname expansion when $SSH_ORIGINAL_COMMAND is split into words
case "$SSH_ORIGINAL_COMMAND" in
*\&*|*\;*|*\|*|*\`*|*\$*|*\<*|*\>*|*..*)
    # shell metacharacters or a ".." path component: refuse
    echo "Rejected"
    exit 3
    ;;
/usr/lib/nagios/plugins/check_*)
    # exec replaces this shell with the plugin; the plugin's exit code
    # is what check_by_ssh sees
    exec $SSH_ORIGINAL_COMMAND
    ;;
*)
    # no command (interactive login) or anything outside the plugin dir
    echo "Rejected"
    exit 3
    ;;
esac

A little explanation: $SSH_ORIGINAL_COMMAND holds whatever the client asked to run, i.e. our /usr/lib/nagios/plugins/check_* line. The script is already running in /bin/sh; exec replaces that shell with the plugin instead of forking a second one, so nothing is left around to interpret the string and the plugin's exit code (0 OK, 1 WARNING, 2 CRITICAL) is exactly what check_by_ssh reports. Rejections exit 3 (UNKNOWN) so that a blocked command shows up as a problem in Nagios rather than as OK with the text "Rejected". set -f disables pathname expansion, otherwise a request such as check_* would be expanded against the plugin directory when the unquoted variable is split into words.
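The same whitelist, as an added example that is not part of the original post, written as a dry-run harness so the rules can be exercised against a list of candidate commands without an SSH session. validate_nagios_cmd, run_nagios_cmd, the PLUGIN_DIR variable and the scratch plugin directory with a fake check_disk are all constructed for this example; the production script differs only in that it calls exec on $SSH_ORIGINAL_COMMAND where the harness prints ALLOW. It goes one step beyond the script above: besides the prefix match it refuses a first word with a slash after check_ and requires the target to be an existing executable file, which is what turns check_* (never globbed, because the value is always quoted) and names of plugins that are not installed into rejections.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run version of the
# validate-nagios-check whitelist so it can be tested offline.
# PLUGIN_DIR defaults to the Debian plugin path; the demo below overrides it
# with a scratch directory holding a fake check_disk (constructed input).

PLUGIN_DIR="${PLUGIN_DIR:-/usr/lib/nagios/plugins}"

# validate_nagios_cmd "COMMAND LINE": prints ALLOW (exit 0) or REJECT (exit 3,
# Nagios UNKNOWN). The first word must be an existing executable named
# check_* directly inside $PLUGIN_DIR, and the line must carry no shell
# metacharacters or "..": the string is exec'ed, never eval'ed, but a plugin
# must not be handed a path or glob that escapes the directory.
validate_nagios_cmd() {
    cmd="$1"
    case "$cmd" in
        "")                         # no command: an interactive login attempt
            echo REJECT; return 3 ;;
        *\&*|*\;*|*\|*|*\`*|*\$*|*\<*|*\>*|*\(*|*\)*|*\'*|*\"*|*\\*|*..*)
            echo REJECT; return 3 ;;
    esac
    prog="${cmd%% *}"               # first word, taken without globbing
    case "$prog" in
        "$PLUGIN_DIR"/check_*) ;;   # quoted: $PLUGIN_DIR is matched literally
        *)  echo REJECT; return 3 ;;
    esac
    base="${prog#"$PLUGIN_DIR"/}"
    case "$base" in
        */*)  echo REJECT; return 3 ;;   # check_x/y style names
    esac
    if [ -f "$prog" ] && [ -x "$prog" ]; then
        echo ALLOW; return 0
    fi
    echo REJECT; return 3           # unmatched glob, or plugin not installed
}

# run_nagios_cmd "COMMAND LINE": what the real script does after validation.
# set -f keeps the unquoted split from expanding globs; exec replaces the
# shell with the plugin. A subshell is used here only so the demo survives.
run_nagios_cmd() {
    validate_nagios_cmd "$1" >/dev/null || return $?
    ( set -f; set -- $1; exec "$@" )
}

# --- demo with a constructed scratch plugin directory ---------------------
demo_dir=$(mktemp -d)
mkdir "$demo_dir/plugins"
printf '#!/bin/sh\necho "DISK OK $*"\n' > "$demo_dir/plugins/check_disk"
chmod 755 "$demo_dir/plugins/check_disk"
PLUGIN_DIR="$demo_dir/plugins"

# candidate $SSH_ORIGINAL_COMMAND values, one per line; the last one is empty
while IFS= read -r c; do
    printf '%-6s %s\n' "$(validate_nagios_cmd "$c")" "$c"
done <<EOF
$PLUGIN_DIR/check_disk -w 20% -c 10% -p /home
/bin/ls
$PLUGIN_DIR/check_disk; rm -rf /
$PLUGIN_DIR/check_disk -p /home | sh
$PLUGIN_DIR/check_*
$PLUGIN_DIR/check_../../../bin/sh
$PLUGIN_DIR/check_load -w 5 -c 10

EOF

# the accepted line really runs the (fake) plugin with its arguments
run_nagios_cmd "$PLUGIN_DIR/check_disk -w 20% -c 10% -p /home"
rm -rf "$demo_dir"
```

Only the first candidate is allowed; the empty line, /bin/ls, the two lines with shell metacharacters, the glob, the .. traversal and the plugin that is not installed in the scratch directory all come back REJECT, and the accepted line prints "DISK OK -w 20% -c 10% -p /home" from the fake plugin.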

Back to our authorized_keys. Prepend to the key line (before ssh-dss or ssh-rsa) the options that force every connection made with this key through validate-nagios-check. Options and key must be on a single line; it is only wrapped here for display. no-pty and the no-*-forwarding options close the side channels (port, X11 and agent forwarding, pseudo-terminal allocation) that a key with just command= would otherwise still allow.

nagios@nagiosNod:~$ vim .ssh/authorized_keys
from="73.224.x.x",command="/usr/local/bin/validate-nagios-check",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAB3NzaC1kc3MAAACBAKK3jM9O+cmjPufrn9Ie7q+iJJu+1B0bHH6lhfYC8KandEIWP0gMGz4v...
...


Test the validation script from the Nagios server against the node (the key used below is the one under /home/nagios/.ssh on the server, i.e. the copy the nagios user can read). A bare login and an arbitrary command must be refused, and a plugin must run. Once these three behave as shown, repeat the real check as the nagios user on the server with check_by_ssh and the same -H, -F and -C arguments as in commands.cfg before enabling the service.

root@nagiosSer:~# ssh -i /home/nagios/.ssh/nagios nagios@nagiosNod.remote.com
Rejected
Connection to nagiosNod.remote.com closed.
root@nagiosSer:~# ssh -i /home/nagios/.ssh/nagios nagios@nagiosNod.remote.com /bin/ls
Rejected
root@nagiosSer:~# ssh -i /home/nagios/.ssh/nagios nagios@nagiosNod.remote.com /usr/lib/nagios/plugins/check_http -h
check_http v1.4.16 (nagios-plugins 1.4.16)
Copyright (c) 1999 Ethan Galstad
Copyright (c) 1999-2011 Nagios Plugin Development Team
...
