Re: what is nagios 'SECURITY information'?

Author: Jason Holtzapple
Date:  
To: Main PLUG discussion list
Subject: Re: what is nagios 'SECURITY information'?
On 11/30/2010 07:52 AM, Alex Dean wrote:
>
> On Nov 29, 2010, at 3:04 PM, Jason Holtzapple wrote:
>
>> On 11/29/2010 12:45 PM, Alex Dean wrote:
>>> I have Nagios running on a local server, and I occasionally get some emails from it with the subject "*** SECURITY information for <hostname>***". The body of the message is just a few characters. I've done some searching in my Nagios logs and online, and I have no idea what these emails are or what they mean.
>>>
>>> The latest instance was last night. I had my local network torn apart for a few hours, and when I reconnected everything, I had about 40 of these emails waiting for me.
>>>
>>> The Nagios I'm using is from Ubuntu 9.10. I'm using only a very few HTTP, ssh, & ping monitors. Nothing complex at all.
>>
>> sudo creates emails with subjects like that if there are security
>> issues, but the body of your mail is not typical of sudo. Do any of your
>> nagios checks use sudo as part of the check?
>
> Nice find. My checks using check_ide_smart do use sudo.
> ... pruned...
> /etc/sudoers
> nagios ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ide_smart
>
>
> For the example SECURITY email I sent (dated Nov 28, 21:29:59), /var/log/auth.log has a record:
> Nov 28 21:29:59 artichoke sudo: nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib/nagios/plugins/check_ide_smart -d /dev/disk/by-id/scsi-SATA_WDC_WD6401AALS-_WD-WCASY7715793 -n
>
> As far as I can tell, that looks normal. The smartd checks were never in error while my network was down. I'm only using local passwd/group/shadow files for authentication, no LDAP or yp or other external authentication service.


This looks fine to me. The only thing I can think of is that sudo might
be complaining about permissions on /etc/sudoers (usually root:root,
perms 0440). But if that were the case you'd get an email every time the
check ran.

You might try becoming the nagios user and running the check from the
command line exactly as nagios would do it:

$ /usr/bin/sudo /usr/lib/nagios/plugins/check_ide_smart -d /dev/disk/by-id/scsi-SATA_WDC_WD6401AALS-_WD-WCASY7715793 -n

and see if you can learn anything interesting from the console output.

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
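
The auth.log review and the sudoers permission check discussed in this thread can be scripted; the following is an added example, not part of the original messages. It assumes sudo's syslog layout in which a rejected request carries a reason field before `TTY=`; the function names, the sample log lines and the `/dev/sda` device are constructed for illustration.

```shell
#!/bin/sh
# Added example: list sudo log entries for one user that carry a failure
# reason (the kind of event sudo reports by mail); accepted commands are skipped.
# usage: sudo_alerts LOGFILE [USER]     (USER defaults to nagios)
sudo_alerts() {
    awk -v user="${2:-nagios}" '
    / sudo: / {
        stamp = $1 " " $2 " " $3              # syslog timestamp
        msg = $0
        sub(/^.* sudo: */, "", msg)           # keep "user : field ; field ..."
        sep = index(msg, " : ")
        if (sep == 0 || substr(msg, 1, sep - 1) != user) next
        rest = substr(msg, sep + 3)
        split(rest, field, " ; ")
        if (field[1] ~ /^TTY=/) next          # accepted command, no reason field
        c = index(rest, "COMMAND=")
        cmd = c ? substr(rest, c + 8) : ""
        print stamp "|" field[1] "|" cmd
    }' "$1"
}

# Report mode and owner of a sudoers file; the reply above expects 440 root:root.
# Uses GNU stat (-c), as shipped on Ubuntu.
sudoers_perms() {
    stat -c '%a %U:%G' "${1:-/etc/sudoers}"
}

# Constructed sample log lines (not taken from the poster's system).
sample_auth_log() {
    cat <<'EOF'
Nov 28 21:29:59 artichoke sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib/nagios/plugins/check_ide_smart -d /dev/sda -n
Nov 28 21:29:59 artichoke sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov 28 21:34:59 artichoke sudo:   nagios : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/lib/nagios/plugins/check_disk -w 10%
Nov 28 21:35:02 artichoke sudo:     alex : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alex ; USER=root ; COMMAND=/bin/ls
EOF
}

# Demo on the constructed sample: prints only the rejected nagios request.
log=$(mktemp) && sample_auth_log > "$log" && sudo_alerts "$log"
rm -f "$log"
```

On a real host, run `sudo_alerts /var/log/auth.log` and compare the timestamps it prints with the arrival times of the SECURITY mails.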