[转]Nagios: How to Enable check_nrpe Command Line Arguments

转自:http://www.thegeekstuff.com/2010/12/enable-nrpe-command-arguments/

 

Question: When I execute check_nrpe command with some arguments, I get the message “CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.”. How do I fix this issue?

Answer: The issue is very straight forward. check_nrpe doesn’t take any arguments by default. You should enable the command line arguments for check_nrpe as shown below.

Verify the check_nrpe error message

Just for testing purpose, let us assume that you are execuing the following check_nrpe command that displays the “CHECK_NRPE: Received 0 bytes from daemon.” error message.

$ /usr/local/nagios/libexec/check_nrpe -H 192.168.1.20 -c check_disk -a 60 80 /dev/sdb1
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.

If you view the /var/log/messages on the remote host, (in the above example, that is 192.168.1.20), you’ll see the nrpe error “Error: Request contained command arguments!” as shown below, indicating that check_nrpe is not enabled to take the command arguments.

$ tail -f /var/log/messages
Dec 5 11:11:52 dev-db xinetd[2536]: START: nrpe pid=24187 from=192.168.101.108
Dec 5 11:11:52 dev-db nrpe[24187]: Error: Request contained command arguments!
Dec 5 11:11:52 dev-db nrpe[24187]: Client request was invalid, bailing out...
Dec 5 11:11:52 dev-db xinetd[2536]: EXIT: nrpe status=0 pid=24187 duration=0(sec)

Enable check_nrpe command arguments

To enable command arguments in NRPE, you should do the following two things.

1. Configure NRPE with –enable-command-args

Typically when you install NRPE on the remote host, you’ll do ./configure without any arguments. To enable support for command arguments in the NRPE daemon, you should install it with –enable-command-args as shown below.

[remotehost]# tar xvfz nrpe-2.12.tar.gz
[remotehost]# cd nrpe-2.12

[remotehost]# ./configure --enable-command-args

[remotehost]# make all
[remotehost]# make install-plugin
[remotehost]# make install-daemon
[remotehost]# make install-daemon-config
[remotehost]# make install-xinetd

2. Modify nrpe.cfg and set dont_blame_nrpe

Modify the /usr/local/nagios/etc/nrpe.cfg on the remote server and set the dont_blame_nrpe directive to 1 as shown below.

$ /usr/local/nagios/etc/nrpe.cfg
dont_blame_nrpe=1

Execute check_nrpe with command arguments

After the above two changes, if you execute the check_nrpe for this particular remote host, you’ll not see the error message anymore as shown below.

$ /usr/local/nagios/libexec/check_nrpe -H 192.168.1.20 -c check_disk -a 60 80 /dev/sdb1
DISK OK - free space: / 111199 MB (92% inode=99%);| /=9319MB;101662;114370;0;127078

Security Warning

Enabling NRPE command line arguments is a security risk. If you don’t know what you are doing, don’t enable this.

Probably by now you’ve already figured out that you can’t blame NRPE if something goes wrong. After all you did set dont_blame_nrpe to 1.

 

注意启用了NRPE的命令行参数功能可能会带来严重的安全问题(如果你没有做足工作的话),有一篇文章比较清楚地说明了这个问题,转贴如下:

Imagine you have this command in your nrpe.cfg file:

command[check_disk]=/usr/local/nagios/libexec/chec_disk -p $ARG1$

and you want to pass "/usr" as the parameter to check the disk space available to the /usr directory.

Now, imagine some rogue has discovered you're running NRPE on your server, connects to it, and sends the command check_disk with "/usr && rm -rf /" as the argument.

NRPE will pass out to the shell the command "/usr/local/nagios/libexec/chec_disk -p /usr && rm -rf /" which will cause it to run the plugin, then erase the entire contents of your server's file system.

To be fair, I think it's only a risk if your server is wide open in other ways, such as:

- NRPE allowing any host to connect to it

- No firewall restrictions

- sudo security really permissive

etc.  So if you know that only your Nagios server can connect to Nagios (restricted by firewalls and allowed_hosts in nrpe.cfg) I think, with a bit of extra attention paid to command definitions, you'll be OK.  But that's just my opinion.