Add new check command w/o restarting NRPE
We have hundreds of *nix servers in our environment. If I decide to add a new check to these servers, that means besides copying the new script to the servers, we also have to modify the nrpe.cfg and restart NRPE. This is a very time consuming process that may never get done. I needed a method to be able to run a new check command without modifying nrpe.cfg and especially without having to restart NRPE. With this method, the new script can be copied to the servers(this in itself can be scripted). NRPE.CFG will eventually get modified and restart so we can use a proper check command later.
command[check_whatever]=/usr/opt/nagios/libexec/open_scripts/$ARG1$ $ARG2$ $ARG3$
Just add this check command to nrpe.cfg and restart NRPE one last time. Remember though, once you have this in there, it opens up some security concerns. As long as you nest it down one folder as I did, use SSL, have NRPE locked to only_from the proper IP, the security issues should be relatively small.
One security issue is this:
One other security hole I thought about – could you pass relative paths through it? For example:
command[check_whatever]=/usr/opt/nagios/libexec/$ARG1$ $ARG2$ $ARG3$
$ARG1$ = "../../../../bin/bash"
$ARG2$ = "<nasty shell code here>"
I would assume you could pass relative paths like the command above. The best way to implement this, may be to pass the command to a wrapper script that can attempt to do some sanity checking/scrubbing of the input before passing it to the shell. But then again, that would be pita, and would nearly reproduce what nrpe already does. If you trust your network, it is probably not a big deal, though it would be an abdication of my responsibility to at least not mention it.