Configuring Nagios to run privileged or root commands with NRPE.

There are several things you’ll need to adjust in the default Nagios installation to get NRPE to run privileged commands. Before we start, I’m assuming that you’re using a similar /etc/xinetd.d/nrpe file:

service nrpe
{
        flags           = REUSE
        socket_type     = stream
        port            = 5666
        wait            = no
        user            = nagios
        group           = nagios
        server          = /usr/local/nagios/bin/nrpe
        server_args     = -n -c /usr/local/nagios/etc/nrpe.cfg -i
        log_on_failure  += USERID
        disable         = no
        only_from       = 111.111.111.111
}

The things to watch out for here are the username and group. If you’re not running them as user nagios, then you’re going to have to update the rest of the configuration data provided in this post with whatever user you’re using in the /etc/xinetd.d/nrpe file.

Now we need to configure the /etc/sudoers file on the remote, or monitored, host. Feel free to consult a manual online. First, let’s allow nagios to run all the commands in its libexec directory as root using the /usr/bin/sudo command.

Add the following line somewhere in that file and adjust the user/path information if necessary. Be aware that, from a security standpoint, this can be dangerous. You can also make the following line much stricter, although doing so may prevent you from using the “command_prefix” directive in the /usr/local/nagios/etc/nrpe.cfg file. You can even set up the /etc/sudoers file to allow nagios to run only specific commands (maybe just your event handlers) as root. As such, let’s take two paths:

nagios  ALL=(ALL) NOPASSWD: /usr/local/nagios/libexec/

If you’re going to be running this command remotely, you’ll also want to verify that the following line in /etc/sudoers is commented out, with a “#” sign at the beginning of the line. This is because when the command is run remotely, the process isn’t associated with any terminal, so it will silently fail with an “NRPE: Unable to read output” on the main Nagios host.

#Defaults    requiretty

If you make the additions exactly as shown, you can enable this option in your /usr/local/nagios/etc/nrpe.cfg file. If you decided to make your rules more strict in /etc/sudoers, you might not be able to use this. Instead, try prepending sudo or /usr/bin/sudo to the actual command.

command_prefix=/usr/bin/sudo
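To check a monitored host against the two /etc/sudoers settings discussed above, here is a small shell function that flags directory-wide or ALL NOPASSWD rules for the NRPE user and an active requiretty. It is an added example, not part of the original post; it assumes one rule per line with no aliases or line continuations, and the sample input is constructed.

```sh
#!/bin/sh
# Added example: audit sudoers text for the NRPE user.
# Usage: audit_sudoers <sudoers-file> <user>
# Prints one finding per line; returns 1 if any BROAD or TTY finding exists.
# Assumption: one rule per line, no aliases, continuations or escaped commas.
audit_sudoers() {
    awk -v user="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blanks
        # A global "Defaults requiretty" makes sudo fail under xinetd (no tty).
        $1 == "Defaults" && /[ \t,]requiretty/ { tty = 1 }
        # A per-user override lifts requiretty for this user only.
        $1 == ("Defaults:" user) && /!requiretty/ { tty_off = 1 }
        $1 == user && /NOPASSWD:/ {
            cmds = $0
            sub(/.*NOPASSWD:[ \t]*/, "", cmds)       # keep only the command list
            sub(/[ \t]+$/, "", cmds)
            n = split(cmds, c, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                if (c[i] == "ALL") {
                    print "BROAD: every command as root"; bad = 1
                } else if (c[i] ~ /\/$/) {
                    # Trailing slash: sudo allows any file in that directory.
                    print "BROAD: any file in " c[i]; bad = 1
                } else {
                    print "OK: " c[i]
                }
            }
        }
        END {
            if (tty && !tty_off) { print "TTY: requiretty applies to " user; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: the broad rule from this post plus an active requiretty.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Defaults    requiretty
nagios  ALL=(ALL) NOPASSWD: /usr/local/nagios/libexec/
EOF
audit_sudoers "$sample" nagios || echo "review the findings above"
rm -f "$sample"
```

A directory-wide rule lets nagios run any file in that directory as root, so if you keep it, make sure /usr/local/nagios/libexec/ and everything in it is writable only by root.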

This post is associated with my other post, Event handlers in nagios using NRPE.
