Re: Nagios check_by_ssh
On 2022-01-11, Nick Holland wrote:
> On 1/10/22 6:33 PM, F Bax wrote:
>> nagios install creates user _nagios with login = /sbin/nologin
>>
>> I have some OpenBSD systems not configured to send email to external
>> addresses; there is one system (host0) that is configured to send email
>> outside. I wish to use nagios on host0 to monitor the other systems and
>> send notifications to an offsite email address. I was thinking that some
>> sort of restricted shell (only access to /usr/local/libexec/nagios/) would
>> be appropriate. Anyone able to provide a clue how this can be accomplished?
>> Is there a best practices document for using check_by_ssh in OpenBSD?
>>
>> Frank
>
> ok, I'm totally lost as to what e-mail has to do with your question.
>
> Been a while since I managed setting up new services on Nagios, but if you
> are having your nagios server monitor other systems by SSH, you probably
> want to have passwords disabled on the monitored node accounts, use keys
> and IP address restrictions. Setting up a restricted shell or a chroot is
> probably going to be very frustrating and in the end, not very productive.
>
> What you ask for is basically what the nagios nrpe modules are about --
> avoiding full logins. NRPE runs various tests and answers queries about
> the results.

Strongly recommend not using NRPE.

If it's something that can be monitored via SNMP (e.g. cpu, memory,
process counts, disk space, network interfaces) then that's often not a
bad way to do it, there are scripts that work with nagios/icinga that
will do this nicely in the "manubulon-snmp" package. Then you can just
run snmpd(8) on the monitored node.

Icinga has quite nice distributed monitoring where it has its own
methods to distribute check jobs to agents, which might be appropriate
for setups that aren't wedded to nagios.

For check_by_ssh probably the best way to go is to generate separate
keys for different checks and use ForceCommand so each key can only run
the relevant check.
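Added example, not part of the original thread: one way to combine the "keys and IP address restrictions" advice with the one-key-per-check suggestion is to generate the authorized_keys entries for the monitoring account on each monitored node. It uses the authorized_keys `command=` option, the per-key counterpart of sshd_config's ForceCommand; the function name, key strings, address and check arguments are constructed for illustration.

```shell
#!/bin/sh
# Added example. Key strings, addresses and check arguments are constructed.
PLUGIN_DIR=/usr/local/libexec/nagios   # plugin directory named in the thread
SAFE='A-Za-z0-9_./ :%=,-'              # characters allowed in a pinned command
KEYSAFE='A-Za-z0-9+/=@._ -'            # characters allowed in a public key line

refuse() { echo "refused: $1" >&2; }

# authkeys_line <source address list> <check command line> <public key>
# Prints one authorized_keys line that pins the key to exactly one check,
# or returns 1 without printing an entry.
authkeys_line() {
    from=$1 cmd=$2 pubkey=$3
    case $cmd in
        "$PLUGIN_DIR"/*) ;;
        *) refuse "command is not under $PLUGIN_DIR"; return 1 ;;
    esac
    # The login shell runs the pinned command, so allow no metacharacters,
    # no quotes and no path traversal out of the plugin directory.
    case $cmd in
        *..*|*[!$SAFE]*) refuse "unsafe characters in command"; return 1 ;;
    esac
    # Numeric addresses or CIDR ranges only (a narrowing choice of this example).
    case $from in
        ''|*[!0-9A-Fa-f.:/,]*) refuse "bad source address list"; return 1 ;;
    esac
    case $pubkey in
        *[!$KEYSAFE]*) refuse "unexpected characters in key"; return 1 ;;
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) refuse "unrecognised key type"; return 1 ;;
    esac
    # restrict: no pty, no forwarding, no ~/.ssh/rc for this key.
    # command=: sshd runs this and ignores whatever the client asked for
    # (the client's request is only exposed as SSH_ORIGINAL_COMMAND).
    printf 'restrict,from="%s",command="%s" %s\n' "$from" "$cmd" "$pubkey"
}

# Constructed sample: two keys, one per check, accepted only from 192.0.2.10.
authkeys_line 192.0.2.10 "$PLUGIN_DIR/check_disk -w 20% -c 10% -p /" \
    "ssh-ed25519 AAAAC3CONSTRUCTEDKEYDISK nagios-disk@host0"
authkeys_line 192.0.2.10 "$PLUGIN_DIR/check_load -w 5,4,3 -c 10,8,6" \
    "ssh-ed25519 AAAAC3CONSTRUCTEDKEYLOAD nagios-load@host0"
```

On the Nagios host, check_by_ssh picks the matching key with -i; whatever it passes in -C, sshd on the monitored node runs only the command pinned to that key.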
Re: Nagios check_by_ssh
On 1/10/22 6:33 PM, F Bax wrote:
> nagios install creates user _nagios with login = /sbin/nologin
>
> I have some OpenBSD systems not configured to send email to external
> addresses; there is one system (host0) that is configured to send email
> outside. I wish to use nagios on host0 to monitor the other systems and
> send notifications to an offsite email address. I was thinking that some
> sort of restricted shell (only access to /usr/local/libexec/nagios/) would
> be appropriate. Anyone able to provide a clue how this can be accomplished?
> Is there a best practices document for using check_by_ssh in OpenBSD?
>
> Frank

ok, I'm totally lost as to what e-mail has to do with your question.

Been a while since I managed setting up new services on Nagios, but if you
are having your nagios server monitor other systems by SSH, you probably
want to have passwords disabled on the monitored node accounts, use keys
and IP address restrictions. Setting up a restricted shell or a chroot is
probably going to be very frustrating and in the end, not very productive.

What you ask for is basically what the nagios nrpe modules are about --
avoiding full logins. NRPE runs various tests and answers queries about
the results.

The monitoring service account on the monitored nodes should be unpriv'd,
no doas access. If you need to monitor something only root can tell you,
have a process run periodically as root on the monitored machine and drop
a status report in some place the monitor service account can read it,
then digest it on the nagios server.

I look at monitoring systems as "read only" apps. Some people disagree
with me...but I consider those people wrong. :)

Nick.
Nagios check_by_ssh
nagios install creates user _nagios with login = /sbin/nologin

I have some OpenBSD systems not configured to send email to external
addresses; there is one system (host0) that is configured to send email
outside. I wish to use nagios on host0 to monitor the other systems and
send notifications to an offsite email address. I was thinking that some
sort of restricted shell (only access to /usr/local/libexec/nagios/) would
be appropriate. Anyone able to provide a clue how this can be accomplished?
Is there a best practices document for using check_by_ssh in OpenBSD?

Frank