Linux – nagios nrpe plugin: permission issue

asterisklinuxnagiospermissionssudo

I have a permission issue that is driving me crazy. I am trying to monitor asterisk on an arch linux virtual machine, using the plugin "check_asterisk_peers". I have installed NRPE (the Nagios remote agent). The relevant section of nrpe.cfg is:

command[check_users]=/usr/lib/monitoring-plugins/check_users -w 5 -c 10
command[check_asterisk_peers]=/usr/lib/monitoring-plugins/check_asterisk_peers -p monika_gigaset

Here is what I am getting:

/usr/lib/monitoring-plugins/check_nrpe -H 10.10.10.10 -c check_users
USERS OK - 2 users currently logged in |users=2;5;10;0

Now, this tells me that the NRPE is working all right, and all permissions are set correctly.

If I simply run the plugin (without invoking check_nrpe) I get:

aag ~ $ /usr/lib/monitoring-plugins/check_asterisk_peers -p monika_gigaset
CRITICAL: Unable to connect to remote asterisk (does /var/run/asterisk/asterisk.ctl exist?)

however if I run it with sudo it works fine (from which I conclude that the plugin does not have sufficient privileges when run as non-root):

aag ~ $ sudo /usr/lib/monitoring-plugins/check_asterisk_peers -p monika_gigaset
 OK: monika_gigaset

If I however run the asterisk plugin, I get:

aag ~ $ /usr/lib/monitoring-plugins/check_nrpe -H 10.10.10.10 -c check_asterisk_peers
CRITICAL: Unable to connect to remote asterisk (does /var/run/asterisk/asterisk.ctl exist?)

same thing if I run it with sudo:

aag ~ $ sudo /usr/lib/monitoring-plugins/check_nrpe -H 10.10.10.10 -c check_asterisk_peers
CRITICAL: Unable to connect to remote asterisk (does /var/run/asterisk/asterisk.ctl exist?)

I am certain that the issue is one of permissions, but am unable to solve it.
The sudoers file (excerpt) reads like:

root ALL=(ALL) ALL
http ALL = NOPASSWD: /usr/sbin/asterisk -rx database *

nrpe ALL=(ALL) NOPASSWD: /usr/sbin/service,/usr/lib/monitoring-plugins/check_asterisk_peers
asterisk ALL=(ALL) ALL

%wheel ALL=(ALL) ALL
%admins ALL= (ALL) ALL
Defaults targetpw  # Ask for the password of the target user
ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'

Any hint would be gratefully appreciated! My diagnosis is that the plugin "check_asterisk_peers" does not have the permission to contact asterisk (which runs as root), but I do not understand how I can grant the appropriate permissions to it.

Best Answer

Correct solution:

in /etc/asterisk/asterisk.conf change owner of socket to

[files]
astctlpermissions = 0660
astctlowner = asterisk
astctlgroup = asterisk

And add nrpe or nagios user(user you use you can see in nrpe.cfg) to asterisk group.

Related Solutions

Linux – How to remove root-only access for /var/www files

The simplest way is to change the ownership to your userid. This should not be user id the webserver is accessing the files you are using. Use the chown command recursively. Try a command like:

sudo chown -R $LOGNAME /var/www

This will recursively change the /var/www directory tree to your userid. LOGNAME is normally set to your userid. This can be verified with the command echo $LOGNAME.

Limit write access by the web server to as few directories and files as possible.

Linux – Configuring different SSH ports for each host remotley monitored by Nagios

OK, I've been trawling though the Nagios3 documentation and have answered the port configuration part of my question...

The answer lies in the Object Inheritance model that exists within the Nagios configuration files. Essentially I created a custom variable in each host definition that specifies the unique ssh port on that machine:

define host {
    use              generic-host
    host_name        serverB
    address          10.0.1.3
    _sshport         67382
}

The hosts are grouped together inside the hostgroups_nagios2.cfg file:

# A list of your ssh-accessible servers
define hostgroup {
    hostgroup_name  ssh-servers
    alias           SSH servers
    members         localhost,serverB,serverC
}

This group is referenced inside the services_nagios2.cfg by the block that checks SSH:

# check that ssh services are running
define service {
    hostgroup_name                  ssh-servers
    service_description             SSH
    check_command                   check_ssh_port!$_HOSTSSHPORT
    use                             generic-service
    notification_interval           0 ; set > 0 if you want to be renotified
}

At the end of the check_ssh_port command you can see that I added the sshport variable $_HOSTSSHPORT that is inherited from each host inside the ssh-servers hostgroup as the checks are run.

Now, when adding new servers, I only have to modify my hosts_nagios2.cfg file with the details of the new host.

To enable backward compatibility, I also modified my generic-host_nagios2.cfg file adding the line _sshport 22 so that if for some reason I need to monitor some system running SSH on the default port, the port config will already be inherited from the generic host template.

I hope this helps others who find themselves in the same predicament. I am still trying to understand why the remote checks aren't using the custom config files on the remote servers.

Best Answer

Related Solutions

Linux – How to remove root-only access for /var/www files

Linux – Configuring different SSH ports for each host remotley monitored by Nagios

Related Question