Hello there!
I've written a custom plugin that needs iptables
for its functionality:
#!/bin/bash
# Nagios plugin: check that iptables is installed and that the INPUT and
# FORWARD chains have a default policy of DROP.

check_iptables_installed() {
    if ! command -v iptables &> /dev/null; then
        echo "CRITICAL - iptables is not installed."
        exit 2
    fi
}

# Print the default policy of a chain (e.g. DROP), taken from the
# "Chain INPUT (policy DROP)" header line. Grepping for DROP anywhere in the
# listing would also match rules whose target is DROP, and would return
# several lines if more than one such rule exists.
get_chain_policy() {
    iptables -n -L "$1" 2>/dev/null | sed -n 's/^Chain [^ ]* (policy \([A-Z]*\)).*/\1/p'
}

comprobar_politicas_iptables() {
    local INPUT_POLICY FORWARD_POLICY
    INPUT_POLICY=$(get_chain_policy INPUT)
    FORWARD_POLICY=$(get_chain_policy FORWARD)
    # Empty output means the table could not be read (e.g. permission denied):
    # report UNKNOWN rather than a misleading CRITICAL.
    if [ -z "$INPUT_POLICY" ] || [ -z "$FORWARD_POLICY" ]; then
        echo "UNKNOWN - unable to read iptables policies (insufficient privileges?)."
        exit 3
    fi
    if [ "$INPUT_POLICY" != "DROP" ] || [ "$FORWARD_POLICY" != "DROP" ]; then
        echo "CRITICAL - iptables policies are not configured correctly (INPUT=$INPUT_POLICY, FORWARD=$FORWARD_POLICY)."
        exit 2
    fi
    echo "OK - iptables is installed and policies are configured correctly."
    exit 0
}

############# start ################
check_iptables_installed
comprobar_politicas_iptables
However, the Nagios user lacks the necessary permissions to execute iptables
commands directly.
Error encountered:
iptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
While using setcap cap_net_raw,cap_net_admin+ep /sbin/xtables-multi
resolves this issue, it implies a security risk.
Could you help me figure out how Nagios/Icinga/NRPE handle granting capabilities to these binaries/users rather than directly to the iptables program itself?
Any help on this matter would be great!
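As an added example that is not part of the original post: the usual least-privilege alternative to setcap in Nagios plugin deployments is a sudoers rule scoped to the exact read-only commands the check needs, plus a plugin that reads the policy from the chain header line. A file capability on xtables-multi applies to any local user who can execute the binary, and cap_net_admin allows changing rules as well as listing them, which is wider than this check requires. The sudoers file path, the /sbin/iptables location, the sample listings and the helper names below are assumptions for illustration, not anything NRPE itself provides.

```sh
#!/bin/sh
# Added example (not from the original post): least-privilege alternative to
# setcap on /sbin/xtables-multi. Instead of a file capability, grant the nagios
# user sudo for exactly the two read-only listings. Assumed sudoers fragment
# (path and binary location are assumptions; check the real path with
# `command -v iptables` and install the file with visudo):
#
#   # /etc/sudoers.d/nagios-iptables
#   nagios ALL=(root) NOPASSWD: /sbin/iptables -n -L INPUT, /sbin/iptables -n -L FORWARD
#
IPTABLES=/sbin/iptables   # assumed location

# Read `iptables -n -L <chain>` output on stdin and print the default policy
# from the "Chain <chain> (policy XXX)" header line. Rule lines whose target
# is DROP are ignored, which a plain `grep -o DROP` gets wrong.
parse_chain_policy() {
    sed -n "s/^Chain $1 (policy \([A-Z]*\)).*/\1/p" | head -n 1
}

# List one chain as root. sudo -n means "never prompt"; the arguments must
# match the sudoers entry verbatim, so nothing else may be appended here.
list_chain() {
    sudo -n "$IPTABLES" -n -L "$1" 2>/dev/null
}

# Return 0 if every named chain has policy DROP, 1 if any chain does not,
# 3 if a chain's policy could not be read (e.g. sudo refused the command).
check_policies() {
    status=0
    for chain in "$@"; do
        policy=$(list_chain "$chain" | parse_chain_policy "$chain")
        if [ -z "$policy" ]; then
            return 3
        elif [ "$policy" != "DROP" ]; then
            status=1
        fi
    done
    return "$status"
}

# Map the result to Nagios plugin output and exit codes (OK=0, CRITICAL=2, UNKNOWN=3).
run_plugin() {
    rc=0
    check_policies "$@" || rc=$?
    case "$rc" in
        0) echo "OK - default policy is DROP on: $*"; return 0 ;;
        1) echo "CRITICAL - default policy is not DROP on every chain of: $*"; return 2 ;;
        *) echo "UNKNOWN - could not read iptables policies via sudo"; return 3 ;;
    esac
}

# Constructed sample listings for offline checking (not captured from a real host).
SAMPLE_INPUT_DROP='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'
SAMPLE_FORWARD_ACCEPT='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.0.0.0/8           0.0.0.0/0'

# Usage as an NRPE plugin: check_iptables_policy.sh INPUT FORWARD
if [ "$#" -gt 0 ]; then
    run_plugin "$@"
    exit $?
fi
```

sudo compares the command line against the sudoers entry verbatim, so adding an option such as -v in list_chain without updating the rule makes sudo refuse, and the plugin then reports UNKNOWN instead of a misleading CRITICAL. Validate the fragment with visudo -c before relying on it.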