On 1/10/22 6:33 PM, F Bax wrote:
nagios install creates user _nagios with login = /sbin/nologin
I have some OpenBSD systems not configured to send email to external
addresses; there is one system (host0) that is configured to send email
outside. I wish to use nagios on host0 to monitor the other systems and
send notifications to an offsite email address. I was thinking that some
sort of restricted shell (only access to /usr/local/libexec/nagios/) would
be appropriate. Anyone able to provide a clue how this can be accomplished?
Is there a best practices document for using check_by_ssh in OpenBSD?
Frank

ok, I'm totally lost as to what e-mail has to do with your question.

Been a while since I managed setting up new services on Nagios, but if you
are having your nagios server monitor other systems by SSH, you probably
want to have passwords disabled on the monitored node accounts, use keys
and IP address restrictions.  Setting up a restricted shell or a chroot is
probably going to be very frustrating and in the end, not very productive.

What you ask for is basically what the nagios nrpe modules are about --
avoiding full logins.  NRPE runs various tests and answers queries about
the results.

The monitoring service account on the monitored nodes should be unpriv'd, no
doas access.  If you need to monitor something only root can tell you, have
a process run periodically as root on the monitored machine and drop a
status report in some place the monitor service account can read it, then
digest it on the nagios server.

I look at monitoring systems as "read only" apps.  Some people disagree
with me...but I consider those people wrong. :)

Nick.
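
The root-only case described in the reply above (a root job drops a status report, the unprivileged monitoring account only reads it), as an added example that is not part of the original thread. The one-line report format, the function names and the `/var/db/monitor` path are assumptions; the reader treats a stale report as UNKNOWN so a dead root job cannot keep showing the last "OK".

```sh
#!/bin/sh
# Added example, not from the thread. Paths and names are assumptions.
# Report format (one line): <epoch-seconds> <state 0|1|2> <message>

# Producer, run from root's crontab on the monitored host.
# Keep the report directory root-owned and not writable by anyone else.
write_status() {   # usage: write_status FILE STATE MESSAGE
    file=$1 state=$2 msg=$3
    tmp="$file.tmp.$$"
    # 0644: readable by the unprivileged monitoring account, writable only by root
    ( umask 022; printf '%s %s %s\n' "$(date +%s)" "$state" "$msg" > "$tmp" ) || return 1
    mv -f "$tmp" "$file"   # atomic rename, so the reader never sees a partial report
}

# Consumer, run as the unprivileged monitoring account (e.g. via check_by_ssh).
# Read-only; maps the report to Nagios exit codes 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
check_status() {   # usage: check_status FILE MAX_AGE_SECONDS
    file=$1 max_age=$2
    [ -r "$file" ] || { echo "UNKNOWN: cannot read $file"; return 3; }
    stamp= state= msg=
    read -r stamp state msg < "$file" || :
    # Validate before use: the stamp must be a plain decimal number, the state 0-2.
    case $stamp in ''|0*|*[!0-9]*) echo "UNKNOWN: malformed report in $file"; return 3 ;; esac
    case $state in 0|1|2) ;; *) echo "UNKNOWN: malformed report in $file"; return 3 ;; esac
    age=$(( $(date +%s) - $stamp ))
    # A stale report means the root job stopped; do not repeat its last result.
    if [ "$age" -gt "$max_age" ]; then
        echo "UNKNOWN: report is ${age}s old (limit ${max_age}s)"
        return 3
    fi
    case $state in
        0) echo "OK: $msg" ;;
        1) echo "WARNING: $msg" ;;
        2) echo "CRITICAL: $msg" ;;
    esac
    return "$state"
}

# One script for both sides:
#   root cron:  status.sh write /var/db/monitor/raid.status 0 "all volumes healthy"
#   monitor:    status.sh check /var/db/monitor/raid.status 600
case ${1:-} in
    write) write_status "$2" "$3" "$4" ;;
    check) check_status "$2" "$3" ;;
esac
```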
