Nagios监控远程的disk使用或者Nagios: How to Enable check_nrpe Command

在nagios的commands.cfg

增加如下:

#’check_remote_disk_all’
define command{
        command_name check_remote_disk_all
        command_line    $USER1$/check_nrpe -H $ARG1$ -c check_disk -a $ARG2$ $ARG3$ $ARG4$
        }

在services.cfg增加:

define service{
        use                             generic-service         ; Name of service template to use
        host_name                       master_mysql
        service_description             check disk
        check_command                   check_remote_disk_all!IP!20%!10%!/
}

到此nagios服务器端已经完成

下面进行客户端的安装配置

在安装nrpe的时候

./configure --enable-command-args
开启
Enable check_nrpe command arguments

或者在监控远程disk的时候服务器端出现:

check disk

UNKNOWN
05-12-2011 15:23:13
0d 0h 21m 38s
3/3
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.

在被监控机查看日志发现大量

May 12 15:20:51 localhost nrpe[15251]: Error: Request contained command arguments, but argument option is not enabled!
May 12 15:20:51 localhost nrpe[15251]: Client request was invalid, bailing out…
May 12 15:21:56 localhost nrpe[15284]: Error: Request contained command arguments, but argument option is not enabled!
May 12 15:21:56 localhost nrpe[15284]: Client request was invalid, bailing out…

造成的原因即是没有使用–enable-command-args,同时在nrpe.cfg里面需要把

dont_blame_nrpe=0修改成dont_blame_nrpe=1

重启nrpe

启用了NRPE的命令行参数功能可能会带来严重的安全问题

Imagine you have this command in your nrpe.cfg file:

command[check_disk]=/usr/local/nagios/libexec/chec_disk -p $ARG1$

and you want to pass “/usr” as the parameter to check the disk space available to the /usr directory.

Now, imagine some rogue has discovered you’re running NRPE on your server, connects to it, and sends the command check_disk with “/usr && rm -rf /” as the argument.

NRPE will pass out to the shell the command “/usr/local/nagios/libexec/chec_disk -p /usr && rm -rf /” which will cause it to run the plugin, then erase the entire contents of your server’s file system.

此条目发表在Nagios分类目录。将固定链接加入收藏夹。