nagios nrpe plugin: permission issue
Solution 1
Correct solution:
In /etc/asterisk/asterisk.conf, change the owner of the socket to:
[files]
astctlpermissions = 0660
astctlowner = asterisk
astctlgroup = asterisk
And add the nrpe or nagios user (you can see which user you use in nrpe.cfg) to the asterisk group.
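Added example, not part of the answer: a check of what the [files] settings above grant. On Linux, connecting to a Unix socket requires write permission on the socket file, so the function evaluates the write bits for a given account. The function names, the sample text and the group sets are assumptions of this example.

```python
# Constructed sample: the [files] section from Solution 1.
SAMPLE_CONF = """\
[files]
astctlpermissions = 0660   ; mode of asterisk.ctl
astctlowner = asterisk
astctlgroup = asterisk
"""

def parse_files_section(text):
    """Return the key/value pairs of the [files] section of asterisk.conf."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # ';' starts a comment
        if not line:
            continue
        if line.startswith("["):
            section = line[1:line.index("]")].lower()
        elif section == "files" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out

def socket_access(files, user, groups):
    """Decide whether `user` (a member of `groups`) may connect to asterisk.ctl.

    Returns (allowed, which permission bits decided).
    """
    mode = int(files["astctlpermissions"], 8)
    if user == "root":
        return True, "root bypasses file permissions"
    if user == files["astctlowner"]:
        return bool(mode & 0o200), "owner bits"
    if files["astctlgroup"] in groups:
        return bool(mode & 0o020), "group bits"
    return bool(mode & 0o002), "other bits"

def audit(files):
    """Flag a control socket that every local account could drive."""
    mode = int(files["astctlpermissions"], 8)
    return ["asterisk.ctl is world-writable"] if mode & 0o002 else []

if __name__ == "__main__":
    files = parse_files_section(SAMPLE_CONF)
    print(socket_access(files, "nrpe", {"nrpe"}))              # before joining the group
    print(socket_access(files, "nrpe", {"nrpe", "asterisk"}))  # after joining the group
    print(audit(files))
```

With the group membership in place the plugin reaches the socket as the unprivileged nrpe user, so no sudoers entry is needed for it.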
Solution 2
According to the manual page for the plugin, you need to run the plugin with the sudo command; therefore you have a successful result when you run the plugin with sudo.
I have highlighted the instructions from the page for you:
To grant the nagios user permissions to execute the script, try something like the following in your /etc/sudoers file:
nagios ALL=(ALL) NOPASSWD: /path/to/plugins/directory/check_asterisk_peers
Then call the plugin using sudo:
/path/to/sudo check_asterisk_peers
Updated on September 18, 2022
Comments
-
aag over 1 year
I have a permission issue that is driving me crazy. I am trying to monitor asterisk on an arch linux virtual machine, using the plugin "check_asterisk_peers". I have installed NRPE (the Nagios remote agent). The relevant section of nrpe.cfg is:
command[check_users]=/usr/lib/monitoring-plugins/check_users -w 5 -c 10
command[check_asterisk_peers]=/usr/lib/monitoring-plugins/check_asterisk_peers -p monika_gigaset
Here is what I am getting:
/usr/lib/monitoring-plugins/check_nrpe -H 10.10.10.10 -c check_users
USERS OK - 2 users currently logged in |users=2;5;10;0
Now, this tells me that the NRPE is working all right, and all permissions are set correctly.
If I simply run the plugin (without invoking check_nrpe) I get:
aag ~ $ /usr/lib/monitoring-plugins/check_asterisk_peers -p monika_gigaset
CRITICAL: Unable to connect to remote asterisk (does /var/run/asterisk/asterisk.ctl exist?)
However, if I run it with sudo it works fine (from which I conclude that the plugin does not have sufficient privileges when run as non-root):
aag ~ $ sudo /usr/lib/monitoring-plugins/check_asterisk_peers -p monika_gigaset
OK: monika_gigaset
If I however run the asterisk plugin, I get:
aag ~ $ /usr/lib/monitoring-plugins/check_nrpe -H 10.10.10.10 -c check_asterisk_peers
CRITICAL: Unable to connect to remote asterisk (does /var/run/asterisk/asterisk.ctl exist?)
Same thing if I run it with sudo:
aag ~ $ sudo /usr/lib/monitoring-plugins/check_nrpe -H 10.10.10.10 -c check_asterisk_peers
CRITICAL: Unable to connect to remote asterisk (does /var/run/asterisk/asterisk.ctl exist?)
I am certain that the issue is one of permissions, but am unable to solve it. The sudoers file (excerpt) reads like:
root ALL=(ALL) ALL
http ALL = NOPASSWD: /usr/sbin/asterisk -rx database *
nrpe ALL=(ALL) NOPASSWD: /usr/sbin/service,/usr/lib/monitoring-plugins/check_asterisk_peers
asterisk ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
%admins ALL= (ALL) ALL
Defaults targetpw # Ask for the password of the target user
ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
Any hint would be gratefully appreciated! My diagnosis is that the plugin "check_asterisk_peers" does not have the permission to contact asterisk (which runs as root), but I do not understand how I can grant the appropriate permissions to it.
-
aag almost 8 years
Thanks Simon. Calling the plugin with sudo indeed works. But the Nagios server calls nrpe, as in 'check_nrpe -H 10.10.10.10 -c check_asterisk_peers'. I am unable to get that part to work. As you see, the sudoers line is already included in my sudoers (except that it says "nrpe" instead of nagios, since nrpe is the daemon in question here).
-
Simon MC. Cheng almost 8 years
I am wondering if you could try to modify the command values with sudo and see if it works, e.g.
command[check_asterisk_peers]=/path/to/sudo /usr/lib/monitoring-plugins/check_asterisk_peers -p monika_gigaset
-
aag almost 8 years
Still no joy. I entered into nrpe.cfg the following
command[check_asterisk_peers]=sudo /usr/lib/monitoring-plugins/check_asterisk_peers -p monika_gigaset
and it results in
NRPE: Unable to read output
However, entering exactly the same command into the command line works just fine! I am starting to despair...
-
aag almost 8 years
This will identify me as a total n00b, but so what. The journalctl says:
pam_unix(sudo:auth): auth could not identify password for [root]
I still do not know how to fix it, but I have a hunch that I am getting close...
-
Simon MC. Cheng almost 8 years
I think you can check two places: 1. Pass the full path for the sudo command, so your command value will change to
command[check_asterisk_peers]=/usr/bin/sudo /usr/lib/monitoring-plugins/check_asterisk_peers -p monika_gigaset
2. Check out the link; it said that even if you mentioned the NRPE to use a different user, some applications will still use the nagios user account.
-
arheops almost 8 years
This one is potentially a security hole. The only purpose of the nrpe user is to isolate nrpe plugins or the nrpe daemon from the root environment. You drop all that with this sudoers file. With the same result you can run nrpe under the root user.
-
aag almost 8 years
I agree. I was happy to get it up-and-running, but I was unhappy with the security implications.
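Added example, not part of the thread: an evaluator for the sudoers excerpt posted in the question, in the order given there. sudoers applies the last matching entry rather than the most specific one, so for nrpe the trailing "ALL ALL=(ALL) ALL" entry (no NOPASSWD) decides, which is consistent with the pam_unix password message in the comments. The parser, the function names and the group set are assumptions of this example; it handles only the entry forms that appear in the excerpt (no aliases, hosts or runas matching).

```python
import fnmatch
import re

# Sudoers excerpt from the question, one entry per line (comments dropped).
SUDOERS = """\
root ALL=(ALL) ALL
http ALL = NOPASSWD: /usr/sbin/asterisk -rx database *
nrpe ALL=(ALL) NOPASSWD: /usr/sbin/service,/usr/lib/monitoring-plugins/check_asterisk_peers
asterisk ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
%admins ALL= (ALL) ALL
Defaults targetpw
ALL ALL=(ALL) ALL
"""
CMD = "/usr/lib/monitoring-plugins/check_asterisk_peers -p monika_gigaset"
RULE = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(NOPASSWD:\s*)?(.+)$")

def parse(text):
    """Parse user specifications into (who, nopasswd, [commands]) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("Defaults"):
            who, nopasswd, cmds = RULE.match(line).groups()
            rules.append((who, bool(nopasswd), [c.strip() for c in cmds.split(",")]))
    return rules

def cmd_matches(spec, cmdline):
    if spec == "ALL":
        return True
    if " " not in spec:          # entry lists no arguments: any arguments are allowed
        return cmdline.split()[0] == spec
    return fnmatch.fnmatchcase(cmdline, spec)   # approximation of sudo's wildcard match

def effective_rule(rules, user, groups, cmdline):
    """Return (position, who, nopasswd) of the LAST matching entry, as sudo does."""
    hit = None
    for pos, (who, nopasswd, cmds) in enumerate(rules, 1):
        user_ok = who in ("ALL", user) or (who[0] == "%" and who[1:] in groups)
        if user_ok and any(cmd_matches(c, cmdline) for c in cmds):
            hit = (pos, who, nopasswd)
    return hit

def demo():
    rules = parse(SUDOERS)
    as_posted = effective_rule(rules, "nrpe", {"nrpe"}, CMD)
    reordered = rules[:2] + rules[3:] + [rules[2]]     # nrpe entry moved to the end
    return as_posted, effective_rule(reordered, "nrpe", {"nrpe"}, CMD)

if __name__ == "__main__":
    print(demo())
```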