Compare commits
7 commits
master
...
patch-queu
Author | SHA1 | Date | |
---|---|---|---|
|
6065f8945d | ||
|
561ea163bc | ||
|
e222db65fc | ||
|
df777ff68c | ||
|
bfc3192441 | ||
|
b830d1aaec | ||
|
18ad333e14 |
11
SECURITY
11
SECURITY
|
@ -93,14 +93,17 @@ ENCRYPTION
|
|||
----------
|
||||
|
||||
If you do enable support for command arguments in the NRPE daemon,
|
||||
make sure that you encrypt communications either by using:
|
||||
|
||||
1. Stunnel (see http://www.stunnel.org for more info)
|
||||
2. Native SSL support
|
||||
make sure that you encrypt communications either by using, for
|
||||
example, Stunnel (see http://www.stunnel.org for more info).
|
||||
|
||||
Do NOT assume that just because the daemon is behind a firewall
|
||||
that you are safe! Always encrypt NRPE traffic!
|
||||
|
||||
NOTE: the currently shipped native SSL support of NRPE is not an
|
||||
adequante protection, because it does not verify clients and
|
||||
server, and uses pregenerated key material. NRPE's SSL option is
|
||||
advised against. For more information, see Debian bug #547092.
|
||||
|
||||
|
||||
USING ARGUMENTS
|
||||
---------------
|
||||
|
|
2
configure
vendored
2
configure
vendored
|
@ -6745,7 +6745,7 @@ _ACEOF
|
|||
sslbin=$ssldir/bin/openssl
|
||||
fi
|
||||
# awk to strip off meta data at bottom of dhparam output
|
||||
$sslbin dhparam -C 512 | awk '/^-----/ {exit} {print}' > include/dh.h
|
||||
$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
|
||||
fi
|
||||
fi
|
||||
|
||||
|
|
|
@ -340,7 +340,7 @@ if test x$check_for_ssl = xyes; then
|
|||
sslbin=$ssldir/bin/openssl
|
||||
fi
|
||||
# awk to strip off meta data at bottom of dhparam output
|
||||
$sslbin dhparam -C 512 | awk '/^-----/ {exit} {print}' > include/dh.h
|
||||
$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h
|
||||
fi
|
||||
fi
|
||||
|
||||
|
|
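Review bot: The `$sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h` line has no check that parameter generation succeeded. The pipeline's exit status is awk's, so a missing or failing openssl binary leaves an empty include/dh.h, and the problem only surfaces later as a compile error on `get_dh2048`. A check right after it, for example `test -s include/dh.h || { echo "DH parameter generation failed" >&2; exit 1; }`, would stop the build at the step that actually failed. The parameters are also still generated once at build time, so every install of the same binary package shares them, which is the "pregenerated key material" concern the SECURITY note in this compare describes. The generated `configure` hunk carries the identical line.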
|
@ -23,7 +23,7 @@ log_facility=@log_facility@
|
|||
# number. The file is only written if the NRPE daemon is started by the root
|
||||
# user and is running in standalone mode.
|
||||
|
||||
pid_file=/var/run/nrpe.pid
|
||||
pid_file=/var/run/nagios/nrpe.pid
|
||||
|
||||
|
||||
|
||||
|
@ -233,3 +233,14 @@ command[check_total_procs]=@libexecdir@/check_procs -w 150 -c 200
|
|||
#command[check_load]=@libexecdir@/check_load -w $ARG1$ -c $ARG2$
|
||||
#command[check_disk]=@libexecdir@/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
|
||||
#command[check_procs]=@libexecdir@/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
|
||||
|
||||
#
|
||||
# local configuration:
|
||||
# if you'd prefer, you can instead place directives here
|
||||
include=/etc/nagios/nrpe_local.cfg
|
||||
|
||||
#
|
||||
# you can place your config snipplets into nrpe.d/
|
||||
# only snipplets ending in .cfg will get included
|
||||
include_dir=/etc/nagios/nrpe.d/
|
||||
|
||||
|
|
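Review bot: The new `pid_file=/var/run/nagios/nrpe.pid` default has no comment saying who must own that directory, and the context comment above it still describes the file as written only when the daemon is started by root. If, as the reordered `drop_privileges()` and `write_pid_file()` calls in src/nrpe.c in this same compare suggest, the file is now written after privileges are dropped, the directory has to be writable by the NRPE account. Anything that later reads the PID as root, such as an init script's stop or restart, is then trusting a value that account can change. I would add a comment such as `# The directory must exist and be writable by nrpe_user; do not signal the stored PID as root without checking that it belongs to nrpe.` The order of the two calls is inferred, because the rendering has lost its +/- markers.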
12
src/nrpe.c
12
src/nrpe.c
|
@ -266,7 +266,7 @@ int main(int argc, char **argv){
|
|||
|
||||
/* use anonymous DH ciphers */
|
||||
SSL_CTX_set_cipher_list(ctx,"ADH");
|
||||
dh=get_dh512();
|
||||
dh=get_dh2048();
|
||||
SSL_CTX_set_tmp_dh(ctx,dh);
|
||||
DH_free(dh);
|
||||
if(debug==TRUE)
|
||||
|
@ -317,13 +317,13 @@ int main(int argc, char **argv){
|
|||
/* log info to syslog facility */
|
||||
syslog(LOG_NOTICE,"Starting up daemon");
|
||||
|
||||
/* drop privileges */
|
||||
drop_privileges(nrpe_user,nrpe_group);
|
||||
|
||||
/* write pid file */
|
||||
if(write_pid_file()==ERROR)
|
||||
return STATE_CRITICAL;
|
||||
|
||||
/* drop privileges */
|
||||
drop_privileges(nrpe_user,nrpe_group);
|
||||
|
||||
/* make sure we're not root */
|
||||
check_privileges();
|
||||
|
||||
|
@ -998,7 +998,7 @@ void wait_for_connections(void){
|
|||
/* close socket prioer to exiting */
|
||||
close(sock);
|
||||
|
||||
return;
|
||||
exit(STATE_CRITICAL);
|
||||
}
|
||||
|
||||
/* handle signals */
|
||||
|
@ -1022,7 +1022,7 @@ void wait_for_connections(void){
|
|||
/* close socket prior to exiting */
|
||||
close(new_sd);
|
||||
|
||||
return;
|
||||
exit(STATE_CRITICAL);
|
||||
}
|
||||
|
||||
/* is this is a blessed machine? */
|
||||
|
|
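Review bot: In the first hunk of main(), `dh=get_dh2048();` is passed straight to `SSL_CTX_set_tmp_dh(ctx,dh)` with neither result checked. The accessor that `openssl dhparam -C` generates returns NULL on allocation failure, in which case the daemon would carry on with an "ADH" cipher list and no DH parameters, and every handshake would fail with nothing logged at startup. I would guard it with `if(dh==NULL || SSL_CTX_set_tmp_dh(ctx,dh)!=1){ syslog(LOG_ERR,"Error: could not set DH parameters"); exit(STATE_CRITICAL); }`, provided syslog is already usable at that point, which this hunk does not show. The cipher list remains `"ADH"`, so the larger group does not add peer authentication; that matches the caveat in the SECURITY note but deserves a comment next to `SSL_CTX_set_cipher_list`. main() begins and ends outside the hunks shown.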