On Mon, Jun 13, 2016 at 9:48 AM, Tahir Hafiz <[email protected]> wrote:
We have a situation in which nagios, to do its nrpe checks, has to
constantly read the /var/log/syslog.

Therefore, we constantly have alerts at level 3 such as:

Rule: 5502 (level 3) -> 'Login session closed.'
Rule: 5501 (level 3) -> 'Login session opened.'

which involve sessions opening and closing for user root (as the nagios user
sudos to read the syslog file).

We don't want to have to whitelist these types of alerts as we want to have
warning if someone escalates their privileges. Therefore, is it acceptable
to have the nagios user added to the adm group as the adm group can read the
syslog file? What are the right ways to solve this?

On one particular server I have both Nagios and OSSEC (as a manager)
installed but I don't see the same issue you see. Is SELinux enabled on
your system? You may need to add a SELinux policy to enable Nagios access
to the logs without having to sudo. Here's a TE file I use to generate a
Nagios plugin SELinux policy:
module nagios_plugin 1.0;

require {
    type nagios_t;
    type nagios_log_t;
    type var_t;
    type ping_t;
    type httpd_t;
    type httpd_sys_content_t;
    type httpd_nagios_script_t;
    type httpd_sys_script_t;
    type usr_t;
    type procmail_t;
    type system_mail_t;
    class process { signal sigkill ptrace };
    class dir { read write search add_name remove_name };
    # class file manage_file_perms;
    class file { write getattr };
    class fifo_file { read write create open getattr };
    type dhcpd_port_t;
    type nagios_services_plugin_t;
    class udp_socket name_bind;
    type nagios_system_plugin_t;
    type nagios_services_plugin_exec_t;
}

#============= httpd_nagios_script_t =================
allow httpd_nagios_script_t var_t:file { getattr };
allow httpd_nagios_script_t var_t:fifo_file { write getattr };

#============= httpd_t ==============
allow httpd_t var_t:file { getattr };

#============= nagios_t ==============
#allow nagios_t self:process ptrace;
allow nagios_t system_mail_t:process { signal sigkill };
allow nagios_t httpd_sys_content_t:file { write getattr };
allow nagios_t var_t:dir { read write add_name remove_name };
allow nagios_t var_t:fifo_file { read write create open getattr };
#allow nagios_t var_t:file manage_file_perms;

#============= ping_t ==============
allow ping_t var_t:file { write };
allow ping_t usr_t:file write;

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t usr_t:fifo_file { getattr write open };

#============= procmail_t ==============
allow procmail_t nagios_log_t:dir search;

#============= nagios_services_plugin_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow nagios_services_plugin_t dhcpd_port_t:udp_socket name_bind;

#============= nagios_system_plugin_t ==============
allow nagios_system_plugin_t nagios_services_plugin_exec_t:file getattr;

Antonio Querubin
e-mail: [email protected]
xmpp: [email protected]
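An added example, not part of Antonio's mail or of the Nagios/OSSEC code: a small POSIX shell helper that lints a TE file's allow rules against its require block (the mismatch checkmodule otherwise reports tersely), then compiles and loads it with checkmodule, semodule_package and semodule, which is the build step the TE file above implies. The sample module it carries is constructed here and assumes the NRPE process runs in the nagios_t domain and that /var/log/syslog carries the var_log_t label; the lint covers only type, class and permission requires for allow rules, nothing else in the TE grammar.

```shell
#!/bin/sh
# Added example, not code from the thread: lint a small SELinux TE module before
# compiling it, then build/load it with the standard policycoreutils commands.

# te_lint FILE: check every allow rule against the require block (the same
# consistency checkmodule enforces) and print a readable message per problem.
# Returns 0 when consistent, 1 otherwise.
te_lint() {
    awk '
        { sub(/#.*/, "") }                       # strip comments
        /^[[:space:]]*$/ { next }                # skip blank lines
        $1 == "module" { next }                  # module name/version header
        $1 == "require" { inreq = 1; next }      # start of require { ... }
        inreq && /^[[:space:]]*\}/ { inreq = 0; next }
        { gsub(/[;{}:]/, " ") }                  # punctuation -> whitespace
        inreq && $1 == "type" {                  # type a_t, b_t;
            for (i = 2; i <= NF; i++) { t = $i; sub(/,$/, "", t); types[t] = 1 }
            next
        }
        inreq && $1 == "class" {                 # class file { read open };
            for (i = 3; i <= NF; i++) perms[$2, $i] = 1
            next
        }
        $1 == "allow" {                          # allow src tgt:class { perms };
            if (NF < 5) { printf "line %d: malformed allow rule\n", NR; bad++; next }
            if (!($2 in types)) { printf "line %d: type %s not required\n", NR, $2; bad++ }
            if ($3 != "self" && !($3 in types)) { printf "line %d: type %s not required\n", NR, $3; bad++ }
            for (i = 5; i <= NF; i++)
                if (!(($4, $i) in perms)) { printf "line %d: %s:%s not required\n", NR, $4, $i; bad++ }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# te_build FILE.te: lint, then compile to FILE.pp (needs checkmodule and
# semodule_package from policycoreutils; run this on the SELinux host).
te_build() {
    te=$1; base=${te%.te}
    te_lint "$te" || return 1
    checkmodule -M -m -o "$base.mod" "$te" &&
        semodule_package -o "$base.pp" -m "$base.mod"
}

# te_install FILE.pp: load the compiled package into the running policy.
te_install() {
    semodule -i "$1"
}

# te_from_denials NAME: draft NAME.te/NAME.pp from recent AVC denials; read
# the generated rules before building, audit2allow grants whatever was denied.
te_from_denials() {
    ausearch -m avc -ts recent | audit2allow -M "$1"
}

# Constructed sample. Assumptions: NRPE runs as nagios_t and /var/log/syslog
# is labelled var_log_t. This is the read access the original question needs,
# granted without sudo and so without the PAM session open/close for root.
sample_good_te() {
    cat <<'EOF'
module nagios_syslog_read 1.0;

require {
    type nagios_t;
    type var_log_t;
    class dir search;
    class file { read open getattr };
}

allow nagios_t var_log_t:dir search;
allow nagios_t var_log_t:file { read open getattr };
EOF
}

# Same module with 'open' dropped from the require block: checkmodule rejects
# this, and te_lint names the missing permission.
sample_bad_te() {
    sample_good_te | sed '/^ *class file/s/ open//'
}

# Demo: lint both samples offline (building and loading need the toolchain).
tmp=$(mktemp -d)
sample_good_te > "$tmp/good.te"; sample_bad_te > "$tmp/bad.te"
if te_lint "$tmp/good.te"; then echo "good.te: consistent"; fi
if ! te_lint "$tmp/bad.te"; then echo "bad.te: rejected as expected"; fi
rm -rf "$tmp"
```

After `te_build nagios_syslog_read.te` and `te_install nagios_syslog_read.pp`, `sesearch -A -s nagios_t -t var_log_t` (setools) shows the rule in the loaded policy; the lint step only catches require/allow mismatches, it does not tell you whether the types or labels exist on the host.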