Added perl script to add the new SSL parameters
to an existing nrpe.cfg file. Updated the READMEs to mention
the `update-cfg.pl` script, and changes related to the new
install routines.
John C. Frickson committed Jul 7, 2016
1 parent 36f3754 commit 9868958
Showing 3 changed files with 192 additions and 50 deletions.
3 changes: 3 additions & 0 deletions README.SSL.md
@@ -46,6 +46,9 @@ connections, or enforce more secure communication as your migration
progresses. The new options are in the "SSL/TLS OPTIONS" section of
nrpe.cfg, about two-thirds of the way down.

If you are upgrading NRPE from a prior version, you can run the
`update-cfg.pl` script to add the new parameters to your nrpe.cfg.

The `ssl_version` directive lets you set which versions of SSL/TLS
you want to allow. SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 are
allowed, or those litereals with a `+` after them (as in TLSv1.1+).
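Review bot: the added sentence says `update-cfg.pl` adds the parameters "to your nrpe.cfg", but the script in this same commit writes its output to `<file>.new` and leaves the original untouched, so tell the reader to review the `.new` file and rename it, and show the required argument, e.g. `update-cfg.pl /usr/local/nagios/etc/nrpe.cfg`. In the unchanged context line just below, "litereals" should be "literals".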
95 changes: 45 additions & 50 deletions README.md
@@ -5,6 +5,9 @@ For installation instructions and information on the design overview
of the NRPE addon, please read the PDF documentation that is found in
this directory: `docs/NRPE.pdf`

If you are upgrading from a previous version, run 'update-cfg.pl' to
add the new SSL parameters to your config file.


Purpose
-------
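Review bot: the new sentence quotes the script as 'update-cfg.pl' while README.SSL.md uses backticks; use `update-cfg.pl` here for consistency, and say that it takes the config path as its only argument and writes the result to a `.new` file rather than editing in place, so the reader knows to run it as `update-cfg.pl <path-to-nrpe.cfg>` and then review and rename the output.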
@@ -82,89 +85,81 @@ Running Under INETD or XINETD
-----------------------------

If you plan on running nrpe under inetd or xinetd and making use
of TCP wrappers, you need to do the following things:

1) Add a line to your `/etc/services` file as follows (modify the port
number as you see fit)
of TCP wrappers, you need to add a line to your `/etc/services`
file as follows (modify the port number as you see fit)

nrpe 5666/tcp # NRPE
nrpe 5666/tcp # NRPE

2) Add entries for the NRPE daemon to either your inetd or xinetd
configuration files. Which one your use will depend on which
superserver is installed on your system. Both methods are described
below.
The run `make install-inetd` to copy the appropriate file, or
add the appropriate line to your `/etc/inetd.conf`.

_NOTE: If you run nrpe under inetd or xinetd, the server_port
and allowed_hosts variables in the nrpe configuration file are
ignored._


#### INETD
If your system uses the inetd superserver **with** tcpwrappers, add an entry
to `/etc/inetd.conf` as follows:

nrpe stream tcp nowait <user> /usr/sbin/tcpd <nrpebin> -c <nrpecfg> --inetd
After running `make install-inetd`, your `/etc/inetd.conf` file will
contain lines similar to the following:

```
#
# Enable the following entry to enable the nrpe daemon
#nrpe stream tcp nowait nagios /usr/local/nagios/bin/nrpe nrpe -c /usr/local/nagios/etc/nr
# Enable the following entry if the nrpe daemon didn't link with libwrap
#nrpe stream tcp nowait nagios /usr/sbin/tcpd /usr/local/nagios/bin/nrpe -c /usr/local/nag
```

Un-comment the appropriate line, then Restart inetd:

If your system uses the inetd superserver **without** tcpwrappers, add an
entry to `/etc/inetd.conf` as follows:
/etc/rc.d/init.d/inet restart

nrpe stream tcp nowait <user> <nrpebin> -c <nrpecfg> --inetd
OpenBSD users can use the following command to restart inetd:

kill -HUP `cat /var/run/inet.pid`

- Replace `<user>` with the name of the user that the nrpe server should run as.
Example: `nagios`
- Replace `<nrpebin>` with the path to the nrpe binary on your system.
Example: `/usr/local/nagios/nrpe`
- Replace `<nrpecfg>` with the path to the nrpe config file on your system.
Example: `/usr/local/nagios/nrpe.cfg`
Then add entries to your `/etc/hosts.allow` and `/etc/hosts.deny`
file to enable TCP wrapper protection for the nrpe service.
This is optional, although highly recommended.


#### XINETD
If your system uses xinetd instead of inetd, you'll probably
want to create a file called `nrpe` in your `/etc/xinetd.d`
directory that contains the following entries:

If your system uses xinetd instead of inetd, `make install-inetd`
will create a file called `nrpe` in your `/etc/xinetd.d`
directory that contains a file similar to this:

```
# default: on
# description: NRPE
# default: off
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
flags = REUSE
disable = yes
socket_type = stream
port = @NRPE_PORT@
wait = no
user = <user>
server = <nrpebin>
server_args = -c <nrpecfg> --inetd
user = nagios
group = nagios
server = /usr/local/nagios/bin/nrpe
server_args = -c /usr/local/nagios/etc/nrpe.cfg --inetd
only_from = 127.0.0.1
log_on_failure += USERID
disable = no
only_from = <ipaddress1> <ipaddress2> ...
}
```

- Replace `<user>` with the name of the user that the nrpe server should run as.
- Replace `<nrpebin>` with the path to the nrpe binary on your system.
- Replace `<nrpecfg>` with the path to the nrpe config file on your system.
- Replace the `<ipaddress>` fields with the IP addresses of hosts which
- Replace `disable = yes` with `disable = no`
- Replace the `127.0.0.1` field with the IP addresses of hosts which
are allowed to connect to the NRPE daemon. This only works if xinetd was
compiled with support for tcpwrappers.
- Add entries to your `/etc/hosts.allow` and `/etc/hosts.deny`
file to enable TCP wrapper protection for the nrpe service.
This is optional, although highly recommended.

3) Restart inetd or xinetd will the following command (pick the
on that is appropriate for your system:

/etc/rc.d/init.d/inet restart

or
Restart xinetd:

/etc/rc.d/init.d/xinetd restart

OpenBSD users can use the following command to restart inetd:

kill -HUP `cat /var/run/inet.pid`

4) Add entries to your `/etc/hosts.allow` and `/etc/hosts.deny`
file to enable TCP wrapper protection for the nrpe service.
This is optional, although highly recommended.


Configuring Things On The Nagios Host
---------------------------------------
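Review bot: the rewritten xinetd section presents the sample file as what `make install-inetd` writes, yet it shows `port = @NRPE_PORT@`, which is the configure-time placeholder rather than the installed value; either show the substituted port (5666, matching the `/etc/services` line above) or state that the placeholder is replaced at build time. "will create a file called `nrpe` ... that contains a file similar to this" should read "that looks similar to this". Since the _NOTE_ says `server_port` and `allowed_hosts` are ignored under inetd/xinetd, the `only_from` line and the hosts.allow/hosts.deny step are the only host restrictions left in this mode; consider wording that bullet as strongly recommended rather than "optional". Minor: "Un-comment the appropriate line, then Restart inetd:" has a stray capital R.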
144 changes: 144 additions & 0 deletions update-cfg.pl
@@ -0,0 +1,144 @@
#! /usr/bin/perl -w

use strict;

my ($fname_in, $fname_out);

if ($#ARGV != 0) {
&usage;
}

$fname_in = $ARGV[0];
$fname_out = $fname_in . ".new";

if (&check_ssl) {
print "\n'$fname_in' already has some or all of the\n";
print "new SSL parameters. No processing will be done.\n\n";
exit 0;
}

open IN, $fname_in or die "Could not open '$fname_in' for reading: $!\n";
open OUT, ">$fname_out" or die "Could not open '$fname_out' for writing: $!\n";

while (<IN>) {
print OUT;
&add_ssl if $_ =~ /allow_weak_random_seed/;
}

print "\nConfig file '$fname_in' was read.\n";
print "The new SSL comments and parameters were added and the output written to\n";
print "'$fname_out'\n";
print "Please check this file for accuracy and rename it when you are satisfied.\n\n";

close IN;
close OUT;

# ==========================================================================

sub usage
{
print "\nUsage: update-cfg.pl <path-to-nrpe.cfg-file>\n\n";
print "This perl script will read the nrpe configuration file\n";
print "specified on the command line, and write out a new file\n";
print "with the new SSL comments and parameters added.\n\n";
exit 1;
}

# --------------------------------------------------------------------------
# check_ssl checks if the config file already has the ssl parameters
# --------------------------------------------------------------------------
sub check_ssl
{
my $has_ssl = 0;

open IN, $fname_in or die "Could not open '$fname_in' for reading: $!\n";

while (<IN>) {
if ($_ =~ /ssl_version=/ or
$_ =~ /ssl_use_adh=/ or
$_ =~ /ssl_cipher_list=/ or
$_ =~ /ssl_cacert_file=/ or
$_ =~ /ssl_cert_file=/ or
$_ =~ /ssl_privatekey_file=/ or
$_ =~ /ssl_client_certs=/ or
$_ =~ /ssl_logging=/)
{
$has_ssl = 1;
last;
}
}

close IN;

return $has_ssl;
}

# --------------------------------------------------------------------------
# add_ssl inserts the new SSL comments and parameters into the config file
# --------------------------------------------------------------------------
sub add_ssl
{
my $txt = <<"END_SSL";
# SSL/TLS OPTIONS
# These directives allow you to specify how to use SSL/TLS.
# SSL VERSION
# This can be any of: SSLv2 (only use SSLv2), SSLv2+ (use any version),
# SSLv3 (only use SSLv3), SSLv3+ (use SSLv3 or above), TLSv1 (only use
# TLSv1), TLSv1+ (use TLSv1 or above), TLSv1.1 (only use TLSv1.1),
# TLSv1.1+ (use TLSv1.1 or above), TLSv1.2 (only use TLSv1.2),
# TLSv1.2+ (use TLSv1.2 or above)
# If an "or above" version is used, the best will be negotiated. So if both
# ends are able to do TLSv1.2 and use specify SSLv2, you will get TLSv1.2.
#ssl_version=SSLv2+
# SSL USE ADH
# This is for backward compatibility and is DEPRECATED. Set to 1 to enable
# ADH or 2 to require ADH. 1 is currently the default but will be changed
# in a later version.
#ssl_use_adh=1
# SSL CIPHER LIST
# This lists which ciphers can be used. For backward compatibility, this
# defaults to 'ssl_cipher_list=ALL:!MD5:\@STRENGTH' in this version but
# will be changed to something like the example below in a later version of NRPE.
#ssl_cipher_list=ALL:!MD5:\@STRENGTH
#ssl_cipher_list=ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:\@STRENGTH
# SSL Certificate and Private Key Files
#ssl_cacert_file=/etc/ssl/servercerts/ca-cert.pem
#ssl_cert_file=/etc/ssl/servercerts/nagios-cert.pem
#ssl_privatekey_file=/etc/ssl/servercerts/nagios-key.pem
# SSL USE CLIENT CERTS
# This options determines client certificate usage.
# Values: 0 = Don't ask for or require client certificates (default)
# 1 = Ask for client certificates
# 2 = Require client certificates
#ssl_client_certs=0
# SSL LOGGING
# This option determines which SSL messages are send to syslog. OR values
# together to specify multiple options.
# Values: 0x00 (0) = No additional logging (default)
# 0x01 (1) = Log startup SSL/TLS parameters
# 0x02 (2) = Log remote IP address
# 0x04 (4) = Log SSL/TLS version of connections
# 0x08 (8) = Log which cipher is being used for the connection
# 0x10 (26) = Log if client has a certificate
# 0x20 (32) = Log details of client's certificate if it has one
# -1 or 0xff or 0x2f = All of the above
#ssl_logging=0x00
END_SSL
print OUT $txt;
}
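Review bot: the script reports success even when nothing was inserted: `add_ssl` fires only on a line matching `/allow_weak_random_seed/`, so a config that lacks that directive produces a `.new` file identical to the input while the script still prints that the parameters "were added". Set a flag inside the `while (<IN>)` loop and warn (or exit non-zero) when it was never set. Two values in the heredoc comment are wrong: `0x10 (26)` should be `0x10 (16)`, and the all-bits value `0x2f` should be `0x3f` (0x01|0x02|0x04|0x08|0x10|0x20). Also "use specify SSLv2" should read "you specify SSLv2+", "This options determines" should be "This option determines", and "are send to syslog" should be "are sent to syslog". Minor: `check_ssl` and the main loop both use the bareword handle `IN`; lexical handles (`open my $in, '<', $fname_in`) avoid the clash, and refusing to overwrite an existing `$fname_out` would be safer.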
