Nagios user capabilities

Hello there!

I’ve written a custom plugin that needs iptables for its functionality:

#!/bin/bash
# Nagios plugin: verify that iptables is installed and that the INPUT and
# FORWARD chain policies are DROP. Exit codes follow the Nagios convention:
# 0 = OK, 2 = CRITICAL, 3 = UNKNOWN.

# Make a pipeline fail when iptables itself fails (e.g. permission denied).
set -o pipefail

check_iptables_installed() {
    if ! command -v iptables &> /dev/null; then
        echo "CRITICAL - iptables is not installed."
        exit 2
    fi
}

# Print the default policy of the chain given as $1 (e.g. DROP or ACCEPT).
# `iptables -S CHAIN` prints the policy as "-P CHAIN POLICY"; unlike
# `grep -o DROP` on `iptables -L`, this does not also match individual
# rules whose target happens to be DROP.
chain_policy() {
    iptables -S "$1" | awk '/^-P/ { print $3 }'
}

comprobar_politicas_iptables() {
    local INPUT_POLICY FORWARD_POLICY

    # iptables fails when run without the required privileges; report that
    # as UNKNOWN rather than as a misconfigured firewall.
    if ! INPUT_POLICY=$(chain_policy INPUT) || ! FORWARD_POLICY=$(chain_policy FORWARD); then
        echo "UNKNOWN - unable to read iptables policies (insufficient privileges?)."
        exit 3
    fi

    if [ "$INPUT_POLICY" != "DROP" ] || [ "$FORWARD_POLICY" != "DROP" ]; then
        echo "CRITICAL - iptables policies are not configured correctly (INPUT=$INPUT_POLICY, FORWARD=$FORWARD_POLICY)."
        exit 2
    fi

    echo "OK - iptables is installed and policies are configured correctly."
    exit 0
}

############# start ################

check_iptables_installed
comprobar_politicas_iptables


However, the Nagios user lacks the necessary permissions to execute iptables commands directly.

Error encountered:

iptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

While using setcap cap_net_raw,cap_net_admin+ep /sbin/xtables-multi resolves this issue, it implies a security risk.

Could you help me figure out how Nagios-Icinga-NRPE handles capabilities to these binaries/users instead of directly to the iptables program itself?

Any help on this matter would be great!

Also curious about this

I use sudo for this.

In the command definition you need to prefix with sudo.
This should end up looking something like this: /bin/sudo /path/to/checks/your_check.

Add lines like the following ones into a file under /etc/sudoers.d/.
This should end up looking something like this:
/etc/sudoers.d/icinga-checks:

Defaults:nagios !requiretty
nagios    ALL = NOPASSWD: /path/to/checks/your_check

If you’re not on a Debian based system, you would probably need to replace nagios with icinga.

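As an added example (not code from the thread), a script that renders the sudoers rule from the post above, refuses paths a NOPASSWD rule should never contain, and installs the drop-in only after visudo accepts it; the user name, check path and drop-in file name are assumptions.

```shell
# Added example, not from the thread: build the sudoers drop-in described
# above and check it before installing it.
# Assumed names: user "nagios", check /usr/lib/nagios/plugins/check_iptables,
# drop-in /etc/sudoers.d/icinga-checks.

# Print the two sudoers lines for user $1 and check script $2.
# A NOPASSWD rule with a relative path or a wildcard grants more than the
# one intended check, so such paths are refused.
sudoers_rule() {
    local user="$1" check="$2"
    case "$check" in
        /*) ;;
        *) echo "refusing non-absolute path: $check" >&2; return 1 ;;
    esac
    if printf '%s\n' "$check" | grep -q '[][*?,[:space:]]'; then
        echo "refusing path with glob/list characters: $check" >&2; return 1
    fi
    printf 'Defaults:%s !requiretty\n' "$user"
    printf '%s    ALL = NOPASSWD: %s\n' "$user" "$check"
}

# Write the rule to a temp file, let visudo check the syntax, make sure the
# check script is not world-writable (NOPASSWD on a writable script is
# NOPASSWD on anything), then install with the 0440 mode sudo expects.
# Must run as root; returns non-zero on any failure.
install_sudoers_dropin() {
    local user="$1" check="$2" dest="$3" tmp
    tmp=$(mktemp) || return 1
    if ! sudoers_rule "$user" "$check" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if ! visudo -cf "$tmp" > /dev/null; then
        echo "visudo rejected the generated rule" >&2; rm -f "$tmp"; return 1
    fi
    if [ -n "$(find "$check" -perm -o+w 2>/dev/null)" ]; then
        echo "$check is world-writable; fix its permissions first" >&2
        rm -f "$tmp"; return 1
    fi
    install -o root -g root -m 0440 "$tmp" "$dest" && rm -f "$tmp"
}

# Usage (as root):
# install_sudoers_dropin nagios /usr/lib/nagios/plugins/check_iptables /etc/sudoers.d/icinga-checks
```

After installing, `sudo -l -U nagios` lists exactly the one permitted command, which is the check to run before pointing the command definition at /bin/sudo.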

Hello!

Sorry for the late response.

Your approach made it work without needing to grant additional capabilities.

Thank you very much!