Nagios user capabilities

Hello there!

I’ve writen a custom plugin that needs iptables for its functionality:

#!/bin/bash

check_iptables_installed() {
    if ! command -v iptables &> /dev/null; then
        echo "CRITICAL - iptables is not installed."
        exit 2
    fi
}

comprobar_politicas_iptables() {
    local INPUT_POLICY=$(iptables -L INPUT | grep -o DROP)
    local FORWARD_POLICY=$(iptables -L FORWARD | grep -o DROP)

    if [ "$INPUT_POLICY" != "DROP" ] || [ "$FORWARD_POLICY" != "DROP" ]; then
        echo "CRITICAL - iptables policies are not configured correctly."
        exit 2
    fi

    echo "OK - iptables is installed and policies are configured correctly."
    exit 0
}

############# inicio ################

check_iptables_installed
comprobar_politicas_iptables

However, the Nagios user lacks the necessary permissions to execute iptables commands directly.

Error encountered:

iptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

While using setcap cap_net_raw,cap_net_admin+ep /sbin/xtables-multi resolves this issue, it implies a security risk

Could you help me figure out how Nagios-Icinga-NRPE handles capabilities to these binaries/users instead of directly to the iptables program itself?

Any help on this matter would be great!

Also curious about this

I use sudo for this.

In the command definition you need to prefix with sudo.
This should end up looking something like this: /bin/sudo /path/to/checks/your_check.

Add lines like the following ones into a file under /etc/sudoers.d/.
This should end up looking something like this:
/etc/sudoers.d/icinga-checks:

Defaults:nagios !requiretty
nagios    ALL = NOPASSWD: /path/to/checks/your_check

If you’re not on a Debian based system, you would need to propablly replace nagios with icinga.

Hello!

Sorry for the late response.

Your approach made it work without needing to grant additional capabilities.

Thank you very much!