CIS hardening may affect nagios_plugin3.py permissions #91

Open
sudeephb opened this issue Jan 4, 2024 · 4 comments

Comments

@sudeephb
Contributor

sudeephb commented Jan 4, 2024

During an NRPE charm upgrade to charmhub version 75 on a bionic endpoint, we experienced 'NRPE: Unable to read output' errors in Nagios.

Trying to run the failing check resulted in the following dump:

Traceback (most recent call last):
File "/usr/local/lib/nagios/plugins/check_lacp_bond.py", line 14, in
from nagios_plugin3 import CriticalError, WarnError, try_check
File "", line 971, in _find_and_load
File "", line 955, in _find_and_load_unlocked
File "", line 665, in _load_unlocked
File "", line 674, in exec_module
File "", line 780, in get_code
File "", line 832, in get_data
PermissionError: [Errno 13] Permission denied: '/usr/local/lib/nagios/plugins/nagios_plugin3.py'

When looking at /usr/local/lib/nagios/plugins/nagios_plugin3.py, we found the owner was root:root and permissions were 640, meaning user nagios could not read the module for import.

When I checked the code in the main branch, it appears that the permissions of the source file are correctly set as 664, and the code uses shutil.copy2() to attempt to preserve permissions.

There may be an issue with CIS hardening that denies this attribute preservation, so the charm should hard-code the expected resulting file permissions within the nrpe_utils.py code that writes the file.


Imported from Launchpad using lp2gh.
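As an added example (not code from the nrpe charm or from this thread), the fix the report proposes: copy the module and then hard-code its mode instead of trusting what copy2() carried over, next to a check for the same missing o+r bit that the later comments hunt with find. Function names and the temp-dir scenario are assumptions constructed for illustration.

```python
import os
import shutil
import stat
import tempfile

# Mode to enforce on the shared plugin module: readable by the nagios user,
# writable only by root. Value taken from the workaround in this thread.
PLUGIN_MODULE_MODE = 0o644


def copy_preserving(src: str, dst: str) -> int:
    """Copy the way the thread describes the charm doing it: shutil.copy2()
    preserves the source's mode bits, so a 640 source yields a 640 destination
    that the nagios user cannot import. Returns the resulting mode bits."""
    shutil.copy2(src, dst)
    return stat.S_IMODE(os.stat(dst).st_mode)


def install_plugin_module(src: str, dst: str, mode: int = PLUGIN_MODULE_MODE) -> int:
    """Copy, then set a fixed mode regardless of the source's bits or any umask,
    as the issue suggests nrpe_utils.py should. Returns the resulting mode."""
    shutil.copy2(src, dst)
    os.chmod(dst, mode)
    return stat.S_IMODE(os.stat(dst).st_mode)


def unreadable_by_others(directory: str) -> list:
    """Detection: regular files under `directory` lacking the o+r bit, the same
    condition as the `find -not -perm -o=r` workaround. Returns sorted names."""
    missing = []
    for name in os.listdir(directory):
        st = os.stat(os.path.join(directory, name))
        if stat.S_ISREG(st.st_mode) and not st.st_mode & stat.S_IROTH:
            missing.append(name)
    return sorted(missing)


def demo() -> dict:
    """Constructed scenario: a 640 source module, copied both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "nagios_plugin3.py")
        with open(src, "w") as fh:
            fh.write("def try_check(f, *a):\n    return f(*a)\n")
        os.chmod(src, 0o640)  # simulate the hardened source seen in the ls output
        plugins = os.path.join(tmp, "plugins")
        os.mkdir(plugins)
        naive = copy_preserving(src, os.path.join(plugins, "naive_copy.py"))
        fixed = install_plugin_module(src, os.path.join(plugins, "nagios_plugin3.py"))
        return {"naive_mode": naive, "fixed_mode": fixed,
                "unreadable": unreadable_by_others(plugins)}
```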

@sudeephb
Contributor Author

sudeephb commented Jan 4, 2024

(by afreiberger)
Workaround:

juju run -a 'chmod 644 /usr/local/lib/nagios/plugins/nagios_plugin3.py'

@sudeephb
Contributor Author

sudeephb commented Jan 4, 2024

(by vultaire)
I had a similar issue occur with etcd NRPE alerts. Same script, but different directory.

sudo -u nagios -- /usr/lib/nagios/plugins/check_etcd-alarms.py

Traceback (most recent call last):
File "/usr/lib/nagios/plugins/check_etcd-alarms.py", line 5, in
import nagios_plugin3
File "", line 971, in _find_and_load
File "", line 955, in _find_and_load_unlocked
File "", line 665, in _load_unlocked
File "", line 674, in exec_module
File "", line 780, in get_code
File "", line 832, in get_data
PermissionError: [Errno 13] Permission denied: '/usr/lib/nagios/plugins/nagios_plugin3.py'

I would extend Drew's tweak as follows, to address the extra path, as well as the path from which the charm seems to do an rsync:

juju run -a 'chmod 644 -v /usr/local/lib/nagios/plugins/nagios_plugin3.py /usr/lib/nagios/plugins/nagios_plugin3.py files/plugins/nagios_plugin3.py'

@sudeephb
Contributor Author

sudeephb commented Jan 4, 2024

(by marcusboden)
I ran into the issue as well. After applying Paul's fix, I still had some issues with missing read permissions:
ls -l /usr/local/lib/nagios/plugins/
total 188
-rwxr-x--x 1 root root 2465 May 25 21:22 check_arp_cache.py
-rwxr-xr-x 1 root root 5591 May 25 21:22 check_cis_audit.py
-rwxr-x--x 1 root root 1974 May 25 21:22 check_conntrack.sh
-rwxr-xr-x 1 root root 1431 May 25 21:22 check_cpu_governor.py
-rwxr-x--x 1 root root 5721 May 25 21:22 check_exit_status.pl
-rwxr-xr-x 1 root root 2341 May 25 20:08 check_hw_health_cron_output.py
-rwxr-xr-x 1 root root 994 May 25 20:08 check_ipmi.py
-rwxr-xr-x 1 root root 40212 May 25 20:08 check_ipmi_sensor
-rwxr-xr-x 1 root root 4783 May 25 21:22 check_lacp_bond.py
-rwxr-xr-x 1 root root 15111 May 25 21:22 check_mem.pl
-rwxr-xr-x 1 root root 4025 May 25 21:22 check_netlinks.py
-rwxr-xr-x 1 root root 1135 May 25 21:22 check_netns.sh
-rwxr-xr-x 1 root root 2694 May 25 20:00 check_ntpmon.py
-rwxr-xr-x 1 root root 2746 May 25 21:22 check_reboot.py
-rwxr-x--x 1 root root 2400 May 25 21:22 check_ro_filesystem.py
-rwxr-xr-x 1 root root 1997 May 25 21:22 check_status_file.py
-rwxr-x--x 1 root root 2169 May 25 21:22 check_swap_activity
-rwxr-x--x 1 root root 1467 May 25 21:22 check_systemd.py
-rwxr-xr-x 1 root root 5212 May 25 21:22 check_systemd_scopes.py
-rwxr-x--x 1 root root 2651 May 25 21:22 check_upstart_job
-rwxr-x--x 1 root root 1338 May 25 21:22 check_xfs_errors.py
-rwxr-xr-x 1 root root 4268 May 25 21:22 cron_cis_audit.py
-rwxr-xr-x 1 root root 5955 May 25 20:09 cron_ilorest.py
-rwxr-xr-x 1 root root 2159 May 25 20:09 cron_ipmi_sensors.py
-rwxr-xr-x 1 root root 11479 May 25 20:08 hw_health_lib.py
-rw-r--r-- 1 root root 2275 May 25 21:22 nagios_plugin3.py
drwxr-xr-x 2 root root 4096 May 25 20:09 __pycache__

The same was true for the files in /var/lib/juju/agents/unit-nrpe*/charm/files.

I ran find /usr/local/lib/nagios/plugins/ -not -perm -o=r -exec chmod o+r {} \; on the units to fix it.

@sudeephb
Contributor Author

sudeephb commented Jan 4, 2024

(by aieri)
Given the ongoing work in porting checks to the grafana-agent charm I'll mark this as low.
