Diffstat (limited to 'debian')
32 files changed, 1204 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 0000000..2123c7e
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,92 @@
+nagios-nrpe (3.2.0-2) unstable; urgency=medium
+
+ The bug that caused the SSL support between NRPE 2.x and 3.x not
+ to work has been fixed.
+
+ Because the default SSL support without certificates configured
+ in nrpe.cfg uses pre-generated key data, configuring SSL
+ certificates is strongly advised when STunnel is not used.
+
+ The ssl-cert package can be used to generate a self-signed
+ certificate, but CA certificates like those from Let's Encrypt
+ are a better choice.
+
+ SSL support has been re-enabled by default, to be better compatible
+ with previous NRPE versions where SSL support was enabled by default
+ too.
+
+ The check_nrpe command definition has been updated to enable SSL
+ support (by removing the -n option) and the check_nrpe_ssl command
+ definition has been removed. The previous check_nrpe command
+ definition which disables SSL support is available with the new
+ check_nrpe_nossl command definition.
+
+ -- Bas Couwenberg <sebastic@debian.org> Fri, 07 Jul 2017 13:48:38 +0200
+
+nagios-nrpe (3.0.1-1) unstable; urgency=medium
+
+ The check_nrpe command definition has been updated to remove the
+ arguments option, because nagios-nrpe-server does not support
+ command arguments since 2.15-1. And the check_nrpe_1arg command
+ definition has been removed.
+
+ If you're using the check_nrpe_1arg command in your Nagios/Icinga
+ configuration, you need to replace it with check_nrpe.
+
+ SSL support is disabled by default, the reworked SSL/TLS support in
+ NRPE requires configuration before it can be used. Read the
+ instructions in /usr/share/doc/nagios-nrpe-server/README.SSL.md.gz
+ before enabling SSL support in /etc/default/nagios-nrpe-server.
+
+ The default check_nrpe command in check_nrpe.cfg has been updated
+ to disable SSL by default too. The check_nrpe_ssl command has been
+ added to connect to the NRPE daemon over SSL.
+
+ Beware that the new NRPE daemon only works with old check_nrpe
+ plugins when SSL support is disabled on both sides, likewise the
+ new check_nrpe plugin only works with the old NRPE daemon when SSL
+ support is disabled.
+
+ To use SSL between the NRPE client and server, configuring Stunnel
+ is recommended.
+
+ -- Bas Couwenberg <sebastic@debian.org> Mon, 05 Dec 2016 01:16:46 +0100
+
+nagios-nrpe (2.15-1) unstable; urgency=high
+
+ This update disables the command-args support in nrpe. The feature
+ has several security problems and is often used wrong. If you have to
+ use this feature recompile the package with --enable-command-args
+ in debian/rules.
+
+ -- Alexander Wirt <formorer@debian.org> Tue, 15 Jul 2014 09:52:48 +0200
+
+nagios-nrpe (2.12-4) unstable; urgency=low
+
+ The pidfile creation mechanism changed with this update. If you do not
+ add "pid_file=/var/run/nagios/nrpe.pid" to you nrpe config take care that
+ the user "nagios" is able to write to your pidfile location. You can also
+ change the initscript to create the pid directory on your own.
+
+ -- Alexander Wirt <formorer@debian.org> Tue, 07 Jul 2009 07:42:13 +0200
+
+nagios-nrpe (2.12-3) unstable; urgency=low
+
+ The homedirectory of the nagios user moved to /var/lib/nagios
+ which is now common on all nagios related packages. Its recommended
+ that you migrate an already existing nagios user to use /var/lib/nagios
+ as homedirectory.
+
+ -- Alexander Wirt <formorer@debian.org> Sat, 21 Mar 2009 09:08:58 +0100
+
+nagios-nrpe (2.4-1) unstable; urgency=low
+
+ the nagios-nrpe-doc package is no longer provided. the documentation
+ can now be found in /usr/share/doc/nagios-nrpe-{server|plugins}. new
+ versions of the plugin and server packages conflict with the doc
+ package to prevent the old (and possibly incorrect in the future)
+ documentation from remaining.
to fully purge all information about
+ the package you should run:
+ dpkg -P nagios-nrpe-doc
+
+ -- sean finney <seanius@debian.org> Mon, 13 Mar 2006 15:47:47 +0100
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 0000000..497b509
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,23 @@
+NRPE
+----
+
+Put any local check command you need into /etc/nagios/nrpe_local.cfg or
+as a *.cfg file in /etc/nagios/nrpe.d/
+These files are included from the /etc/nagios/nrpe.cfg
+
+This package is built without support for command argument processing. If you
+want to enable it, you will have to rebuild this package with
+--enable-command-args in debian/rules.
+The feature has several security problems and should not be used. If you
+really need some dynamic argument processing try check_by_ssh or something
+similar.
+
+Do not rely on SSL mode for security
+------------------------------------
+
+NRPE contains an SSL mode which encrypts the data over the NRPE channel.
+The current implementation does not verify client or server and uses
+pregenerated key data by default. It cannot be fixed right away because
+it would break the existing NRPE protocol.
+
+Please refer to the file SECURITY.md in this directory for more information.
diff --git a/debian/TODO b/debian/TODO
new file mode 100644
index 0000000..a0a0586
--- /dev/null
+++ b/debian/TODO
@@ -0,0 +1,5 @@
+TODO
+====
+
+
+Add a nagios-common package which ships a user and homedir
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..7d84849
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,478 @@
+nagios-nrpe (3.2.1-2) unstable; urgency=medium
+
+ * Bump Standards-Version to 4.1.5, no changes.
+ * Update Vcs-* URLs for Salsa.
+ * Drop dh-systemd build dependency, use debhelper (>= 9.20160709) instead.
+ * Strip trailing whitespace from changelog file.
+
+ -- Bas Couwenberg <sebastic@debian.org> Fri, 20 Jul 2018 21:04:36 +0200
+
+nagios-nrpe (3.2.1-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Drop patches included upstream, refresh remaining patches.
+
+ -- Bas Couwenberg <sebastic@debian.org> Sun, 03 Sep 2017 10:52:40 +0200
+
+nagios-nrpe (3.2.0-4) unstable; urgency=medium
+
+ * Add upstream patch to turn seteuid errors into warnings.
+ (closes: #868326)
+
+ -- Bas Couwenberg <sebastic@debian.org> Fri, 14 Jul 2017 16:51:12 +0200
+
+nagios-nrpe (3.2.0-3) unstable; urgency=medium
+
+ * Re-enable SSL support by default.
+ Compatibility with older versions has been fixed.
+
+ -- Bas Couwenberg <sebastic@debian.org> Fri, 07 Jul 2017 14:08:13 +0200
+
+nagios-nrpe (3.2.0-2) unstable; urgency=medium
+
+ * Fix 11_reproducible_dh.h.patch to not leave USE_SSL_DH undefined.
+ Thanks to Johan Carlquist for pointing out this issue.
+ * Drop --with-need-dh=no configure option, dh is needed.
+ * Remove deterministic "openssl dhparam" output handling,
+ dh.h not included in upstream source.
+
+ -- Bas Couwenberg <sebastic@debian.org> Thu, 06 Jul 2017 14:33:39 +0200
+
+nagios-nrpe (3.2.0-1) unstable; urgency=medium
+
+ * New upstream release.
+ (closes: #565643)
+ * Bump Standards-Version to 4.0.0, no changes.
+ * Add autopkgtest to test installability.
+ * Set --with-logdir configure option to /var/log.
+ * Update watch file for GitHub releases.
+ * Update copyright file.
+ * Refresh patches.
+ * Reinstate 11_reproducible_dh.h.patch for reproducible dh.h.
+ * Regenerate dh.h with OpenSSL 1.1.0.
+
+ -- Bas Couwenberg <sebastic@debian.org> Wed, 05 Jul 2017 09:53:06 +0200
+
+nagios-nrpe (3.1.1-1) unstable; urgency=medium
+
+ * Move from experimental to unstable.
+
+ -- Bas Couwenberg <sebastic@debian.org> Sun, 18 Jun 2017 13:39:05 +0200
+
+nagios-nrpe (3.1.1-1~exp1) experimental; urgency=medium
+
+ * New upstream release.
+ * Drop format-security.patch, applied upstream.
+ * Use --with-need-dh=no configure option instead of patch.
+
+ -- Bas Couwenberg <sebastic@debian.org> Sat, 27 May 2017 10:57:03 +0200
+
+nagios-nrpe (3.1.0-1~exp1) experimental; urgency=medium
+
+ * New upstream release.
+ (closes: #849417, #445976, #691328)
+ * Fix typo in manpage.
+ (closes: #856658)
+ * Drop 10_reproducible_build.patch, applied upstream.
+ Refresh remaining patches.
+ * Update build dependency for OpenSSL 1.1.0.
+ (closes: #859223)
+ * Add patch to fix FTBFS with -Werror=format-security.
+
+ -- Bas Couwenberg <sebastic@debian.org> Wed, 19 Apr 2017 19:28:05 +0200
+
+nagios-nrpe (3.0.1-3) unstable; urgency=medium
+
+ * Add reload command to systemd service file.
+ * Make missing EnvironmentFile non-fatal in systemd service.
+
+ -- Bas Couwenberg <sebastic@debian.org> Sat, 24 Dec 2016 10:24:09 +0100
+
+nagios-nrpe (3.0.1-2) unstable; urgency=medium
+
+ * Add systemd service file and tmpfiles.d configuration.
+ (closes: #665422)
+ * Update nrpe manpage to include new options.
+
+ -- Bas Couwenberg <sebastic@debian.org> Fri, 23 Dec 2016 23:15:19 +0100
+
+nagios-nrpe (3.0.1-1) unstable; urgency=medium
+
+ * Update check_nrpe.cfg to remove command with arguments.
+ (LP: #975918)
+ * Disable SSL support by default, requires configuration.
+ It also doesn't work well with old check_nrpe versions.
+ * Move from experimental to unstable.
+
+ -- Bas Couwenberg <sebastic@debian.org> Fri, 09 Dec 2016 00:15:29 +0100
+
+nagios-nrpe (3.0.1-1~exp1) experimental; urgency=medium
+
+ [ Alexander Wirt ]
+ * Sync uploaders with reality.
+ (closes: #773441)
+
+ [ Bas Couwenberg ]
+ * New upstream release.
+ - Reworked SSL/TLS. See the README.SSL.md file for full info.
+ (closes: #547092)
+ * Add myself to Uploaders.
+ * Add Vcs-* fields to control file.
+ (closes: #755507)
+ * Change nagios-plugins dependencies to monitoring-plugins.
+ * Switch from dpatch to source format 3.0 (quilt).
+ (closes: #756410)
+ * Drop obsolete patch: 04_weird_output.dpatch.
+ * Restructure control file with cme.
+ * Reorder (build) dependencies.
+ * Add Homepage field to control file.
+ * Update copyright file using copyright-format 1.0.
+ * Add gbp.conf to use pristine-tar by default.
+ * Update build dependency to use openssl 1.0.
+ * Enable all hardening buildflags.
+ (closes: #728218)
+ * Enable parallel builds.
+ * Suggest xinetd | inetd.
+ (closes: #662247)
+ * Include PDF & ODT documentation in docs.
+ (closes: #662249)
+ * Update watch file to handle common issues.
+ * Add upstream metadata.
+ * Merge nrpe.cfg patches into single patch.
+ (closes: #660583)
+ * Use configure option to set custom PID directory instead of patch.
+ * Drop 09_noremove_pid.patch, fixed upstream. Refresh remaining patches.
+ * Add patch to use pre-generated dh.h for reproducible builds.
+ * Override dh_auto_build to build all targets.
+ * Use dh-autoreconf instead of autotools-dev.
+ * Use exit status 0 in init script when inetd is configured.
+ (closes: #775924)
+ * Include README.SSL.md in docs.
+ * Bump Standards-Version to 3.9.8, changes:
+ Vcs-* fields, copyright-format 1.0.
+
+ [ Benjamin Drung ]
+ * Use dh_auto_configure to enable default hardening flags.
+ (closes: #843805)
+ * Fix copyright-refers-to-symlink-license.
+ (closes: #756414)
+
+ [ Chris Lamb ]
+ * Make the build reproducible.
+ (closes: #834857)
+
+ -- Bas Couwenberg <sebastic@debian.org> Sun, 04 Dec 2016 18:36:54 +0100
+
+nagios-nrpe (2.15-1) unstable; urgency=high
+
+ * [f2cea9f] Imported Upstream version 2.15
+ * [023e909] Disable command-args in nrpe.
(Closes: #745272)
+ * [6369220] Use restorecon to set SE Linux context on $PIDDIR
+ (Closes: #679241)
+ * [a484e7d] Switch order of nagios-plugins recommends to prefer -basic.
+ (Closes: #752243)
+ * [b1ef043] Don't recommend a core implementation for the plugin
+ * [16dbf01] Remove obsolete patch
+ * [694b804] Remove luk from uploaders. (Closes: #719636)
+ * [28d9004] Remove obsolete patch
+ * [86ea67e] 08_CVE-2013-1362.dpatch is now obsolete
+ * [74e3b07] Refresh patches
+ * [1258ab2] Reword NEWS entry
+ * [744eec6] configure is buggy: --disable- in fact enables a feautre.
+ * [eec54b6] Adjust README.Debian for the removal or argument processing
+
+ -- Alexander Wirt <formorer@debian.org> Tue, 15 Jul 2014 18:30:36 +0200
+
+nagios-nrpe (2.13-4) unstable; urgency=low
+
+ * [dcffec6] Do not remove the PID file after a connection error.
+ Original patch from Hiren Patel. (Closes: #716949)
+
+ -- Bernd Zeimetz <bzed@debian.org> Mon, 15 Jul 2013 16:07:54 +0200
+
+nagios-nrpe (2.13-3) unstable; urgency=high
+
+ * [e55afd1] Add 08_CVE-2013-1362.dpatch patch.
+ If command arguments are enabled in the NRPE configuration, it was
+ possible to pass $() as arguments as the checking for nasty caracters
+ was not strict enough to catch $(). This allowed executing shell
+ commands under a subprocess and pass the output as a parameter to the
+ called script (if run under bash). CVE-2013-1362 (Closes: #701227)
+
+ -- Alexander Wirt <formorer@debian.org> Sat, 09 Mar 2013 08:42:05 +0100
+
+nagios-nrpe (2.13-2) unstable; urgency=high
+
+ [ Thijs Kinkhorst ]
+ * Add warning about the inadequateness of the 'ssl' option.
+
+ -- Alexander Wirt <formorer@debian.org> Mon, 11 Feb 2013 17:45:20 +0100
+
+nagios-nrpe (2.13-1) unstable; urgency=low
+
+ * [3e113b5] Imported Upstream version 2.13
+ * [acc152b] Bump standards version
+ * [c707bce] Use dh9 for hardening
+ * Updated patches
+
+ -- Alexander Wirt <formorer@debian.org> Sat, 30 Jun 2012 11:08:22 +0200
+
+nagios-nrpe (2.12-6) unstable; urgency=low
+
+ * [36b1062] Add add icinga to the list of recommends
+ * [a698acb] Don't remove homedirectory of the nagios user (Closes: #665845)
+ * [4dc53fb] Use retry argument for start-stop-daemon when stopping nrpe
+ (Closes: #650464)
+
+ -- Alexander Wirt <formorer@debian.org> Mon, 30 Apr 2012 09:25:45 +0200
+
+nagios-nrpe (2.12-5) unstable; urgency=low
+
+ [ Alexander Wirt ]
+ * [e3af3bd] Bump compat to 8
+ * [4f9e892] Add versioned depends to dpatch for sequence support
+ * [5ec5a3b] Install example nrpe_local.cfg
+ * [69ea7b9] Move rules file to dh
+ * [298f725] Use autotools_dev dh sequence helper
+ * [10da37d] Bump debhelper dependency to 8
+ * [2b009ae] Bump standards version
+ * [4d093e3] Ignore usermod failure (Closes: #538894)
+ * [e776f7b] Use pidfile for start-stop-daemon and fix pidfile deletion
+ (Closes: #548157, #639523)
+ * [8050c97] Support multiarch in rulesfile (Closes: #642790)
+ * [027274f] Use pidfile for start-stop-daemon in start()
+ * [1f69c63] Support status in nrpe initscript
+ * [42ccdcc] Add a comment to nrpe.cfg that snipplets have to end .cfg
+ (Closes: #641933)
+
+ [ Jan Wagner ]
+ * [0a80fdb] Update debian/README.Debian about conf.d/
+
+ -- Alexander Wirt <formorer@debian.org> Sun, 25 Sep 2011 08:35:48 +0200
+
+nagios-nrpe (2.12-4) unstable; urgency=low
+
+ * Build against libwrap0-dev (Closes: #412705)
+ * Remove 'last modified header' from nrpe config (Closes: #499280)
+ * Create /etc/nagios/nrpe.d (Closes: #505700, #474333)
+ * Fix pidfile handling (Closes: #411046)
+ * Add newer config.{guess,sub} (Closes: #535737)
+ - Build-depend on autotools-dev
+ *
Delete /var/lib/nagios if empty after purge (Closes: #527069)
+ * Bump standards version (add README.source)
+ * Bump dh_compat version (remove -k from dh_clean)
+
+ -- Alexander Wirt <formorer@debian.org> Mon, 06 Jul 2009 07:08:26 +0200
+
+nagios-nrpe (2.12-3.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Fix bashism (Closes: #530149).
+
+ -- Raphael Geissert <geissert@debian.org> Sat, 04 Jul 2009 20:23:23 -0500
+
+nagios-nrpe (2.12-3) unstable; urgency=low
+
+ * Sync homedirectory of the nagios user with the nagios3 package
+ (Closes: #479051)
+ * Removed now empty nagios-nrpe-plugins.post* scripts
+
+ -- Alexander Wirt <formorer@debian.org> Sat, 21 Mar 2009 09:33:39 +0100
+
+nagios-nrpe (2.12-2) unstable; urgency=low
+
+ * Add myself to uploaders.
+ * Clean buffer before use (Closes: #498749).
+ * Remove pid file before creating a new ones (Closes: #411046).
+ * Include inetd support (Closes: #409772).
+
+ -- Luk Claes <luk@debian.org> Sun, 14 Sep 2008 16:04:17 +0200
+
+nagios-nrpe (2.12-1) unstable; urgency=low
+
+ * Support an nrpe.d config directory in addition to nrpe_local.cfg
+ (Closes: #474333)
+ * Add myself to uploaders
+ * Add watch file
+ * New upstream version (Closes: #475081)
+ * Acknowledge NMU from Chris Lamb (Closes: #484412)
+ * Recommend Nagios 3 instead of Nagios 2
+ * Update copyright file
+ * Use the same homedir as nagios3 (Closes: #479051)
+
+ -- Alexander Wirt <formorer@debian.org> Wed, 06 Aug 2008 20:33:57 +0200
+
+nagios-nrpe (2.8.1-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix bashism in debian/rules (Closes: #484412)
+ * Bump Standards-Version to 3.8.0.
+
+ -- Chris Lamb <chris@chris-lamb.co.uk> Sat, 12 Jul 2008 01:09:21 +0100
+
+nagios-nrpe (2.8.1-1) unstable; urgency=low
+
+ * New upstream release
+ * bump Recommends to nagios2, thanks to Henning Sprang
+ for suggesting this (closes: #399856).
+ * fix typo in package description, thanks to Tilman Koschnick for
+ noticing this (closes: #419130).
+
+ -- sean finney <seanius@debian.org> Sat, 12 May 2007 12:27:30 +0200
+
+nagios-nrpe (2.5.1-3) unstable; urgency=high
+
+ * apparently we were already including another default file
+ without installing it, and some people were using it. so
+ now we include this one as well as the new default, with this
+ one taking precedence since it was there first. thanks to
+ Peter Palfrader for catching this (closes: #398914).
+
+ -- sean finney <seanius@debian.org> Fri, 17 Nov 2006 09:17:55 +0100
+
+nagios-nrpe (2.5.1-2) unstable; urgency=low
+
+ * include a /etc/default/nagios-nrpe-server where variables
+ such as DAEMON_OPTS can be set (closes: #396709).
+ * bump standards version to 3.7.2
+ * add pre-depends on adduser
+ * LSB-ize init script, and add dependency on lsb-base
+
+ -- sean finney <seanius@debian.org> Sat, 04 Nov 2006 17:38:34 +0100
+
+nagios-nrpe (2.5.1-1) unstable; urgency=low
+
+ * new upstream release. includes fix from Peter Palfrader to catch
+ invalid free()'s when nrpe is called with --no-ssl (closes: #361233).
+
+ -- sean finney <seanius@debian.org> Sun, 14 May 2006 21:38:48 -0500
+
+nagios-nrpe (2.4-2) unstable; urgency=low
+
+ [sean finney]
+ * removing nrpe_local.cfg caused trouble for some people, so
+ i've added it back in (closes: #360093).
+
+ -- sean finney <seanius@debian.org> Fri, 31 Mar 2006 07:02:31 +0200
+
+nagios-nrpe (2.4-1) unstable; urgency=low
+
+ * new upstream release.
+
+ [sean finney]
+ * (NEEDS TESTING) move away from cdbs for my own sanity.
+ * add build-dependency on dpatch.
+ * no longer create nrpe_local.cfg. no reason to have it.
+ * remove postinst script for nagios-nrpe-server, as all it
+ did was touch the previously mentioned file.
+ * upstream has incorporated the following patches:
+ - 02_global-cmd-prefix.dpatch
+ - 03_nrpe-trailing-whitespace.dpatch
+ * check_nrpe -h provides what "-a" does, but i've gone ahead and
+ added a comment in check_nrpe.cfg too, because it can't hurt
+ to do so :) (closes: #351714).
+ * no longer generate the nagios-nrpe-doc package, and move copies of
+ the documentation into the plugin and server packages. add a
+ Conflicts: nagios-nrpe-doc to the remaining packages to ensure
+ that the stale package doesn't remain. NEWS.Debian also mentions
+ this and instructs the admin to purge the package too.
+
+ -- sean finney <seanius@debian.org> Tue, 24 Jan 2006 18:16:54 +0100
+
+nagios-nrpe (2.2-1) unstable; urgency=low
+
+ * new upstream release.
+
+ [sean finney]
+ * debian packaging source repository is now migrated to svn.
+ * updated 01_nodevrandom-and-docoptions.dpatch and
+ 02_global-cmd-prefix.dpatch to apply against the latest
+ upstream version.
+ * nrpe.cfg has moved location in the upstream tarball.
+ * introduced 03_nrpe-trailing-whitespace.dpatch to fix regression
+ in config file parsing until upstream incorporates it.
+
+ -- sean finney <seanius@debian.org> Tue, 24 Jan 2006 17:52:54 +0100
+
+nagios-nrpe (2.0-9) unstable; urgency=low
+
+ * Sean Finney:
+ - nagios-nrpe has now joined forces with the debian pkg-nagios
+ project, updated Maintainer and Uploaders field accordingly.
+ - provide check_nrpe_1arg command definition so that one can call
+ check_nrpe both with and without arguments to the cmds
+ (closes: #248424).
+ - changed nagios-nrpe-server's Recommends on nagios-plugins to reflect
+ the upcoming new nagios-plugins layout.
+ - changed nagios-nrpe-plugin's Depends on nagios to a Recommends.
+ - building issues seem to be resolved on arm now (closes: #259442).
+ - updated Standards-Version to 3.6.2
+ - included patch from joerg and weasel to document some cmdline options
+ and provide a better alternative to reading a random byte from
+ /dev/random (closes: #333552).
+ - included "global command prefix" patch from joerg jaspert
+ (closes: #332253).
+
+ -- sean finney <seanius@debian.org> Tue, 25 Oct 2005 10:04:59 -0400
+
+nagios-nrpe (2.0-8) unstable; urgency=low
+
+ * debian/control: change depends on nagios-plugins, to recommends.
+ (closes: #327199)
+
+ -- Jason Thomas <jason@debian.org> Mon, 10 Oct 2005 08:07:57 +1000
+
+nagios-nrpe (2.0-7) unstable; urgency=high
+
+ * The previous upload fixes a bug that breaks the install of this package so
+ this is a new upload with a high urgency to try and get it into sarge.
+
+ -- Jason Thomas <jason@debian.org> Thu, 19 Aug 2004 22:47:40 +1000
+
+nagios-nrpe (2.0-6) unstable; urgency=low
+
+ * nagios plugin config dir changed to etc/nagios-plugins/configs/
+ (closes: #266826)
+
+ -- Jason Thomas <jason@debian.org> Thu, 19 Aug 2004 21:17:28 +1000
+
+nagios-nrpe (2.0-5) unstable; urgency=low
+
+ * debian/nagios-nrpe-server.preinst: added code to create nagios user and
+ group.
+ (closes: #248995, #241168)
+
+ -- Jason Thomas <jason@debian.org> Sat, 15 May 2004 12:02:35 +1000
+
+nagios-nrpe (2.0-4) unstable; urgency=low
+
+ * debian/nagios-nrpe-server.init.d: added missing -d to restart.
+ (closes: #248797)
+ * debian/nrpe.1: renamed to nrpe.8
+ * debian/nagios-nrpe-server.manpages: changed nrpe.1 to nrpe.8
+ * debian/dirs: deleted it as its not needed.
+
+ -- Jason Thomas <jason@debian.org> Fri, 14 May 2004 14:05:03 +1000
+
+nagios-nrpe (2.0-3) unstable; urgency=low
+
+ * debian/nagios-nrpe-server.init.d: added --oknodo to stop commands which
+ will make upgrades and purges clean.
+
+ -- Jason Thomas <jason@debian.org> Wed, 24 Mar 2004 13:09:00 +1100
+
+nagios-nrpe (2.0-2) unstable; urgency=low
+
+ * debian/control: added build-depends cdbs
+ (closes: #230943)
+ * debian/control: nagios-nrpe-server now conflicts netsaint-nrpe-server
+ (closes: #230303)
+
+ -- Jason Thomas <jason@debian.org> Wed, 11 Feb 2004 09:27:01 +1100
+
+nagios-nrpe (2.0-1) unstable; urgency=low
+
+ * Initial Release.
+ (closes: #209124)
+
+ -- Jason Thomas <jason@debian.org> Wed, 14 Jan 2004 16:13:36 +1100
diff --git a/debian/check_nrpe.cfg b/debian/check_nrpe.cfg
new file mode 100644
index 0000000..2b71c31
--- /dev/null
+++ b/debian/check_nrpe.cfg
@@ -0,0 +1,11 @@
+# this command runs a program $ARG1$ with no arguments and enables SSL support
+define command {
+ command_name check_nrpe
+ command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
+}
+
+# this command runs a program $ARG1$ with no arguments and disables SSL support
+define command {
+ command_name check_nrpe_nossl
+ command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ -n
+}
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..92ab14b
--- /dev/null
+++ b/debian/control
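Review bot: In debian/check_nrpe.cfg the comment on `check_nrpe` says the command "enables SSL support", which reads as if the channel is then protected, while README.Debian in this same commit states that the SSL mode does not verify client or server and uses pregenerated key data by default. I would extend that comment, for example `# NOTE: unless certificates are configured in nrpe.cfg this only encrypts with pre-generated key data and does not authenticate the peer (see README.Debian)`. The comment on `check_nrpe_nossl` could likewise say that `-n` leaves the request and the check output unencrypted on the wire, so that whoever picks one of the two definitions sees the trade-off in the file itself.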
@@ -0,0 +1,46 @@
+Source: nagios-nrpe
+Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
+Uploaders: Bas Couwenberg <sebastic@debian.org>
+Section: net
+Priority: optional
+Build-Depends: debhelper (>= 9.20160709),
+ dh-autoreconf,
+ libssl-dev,
+ libwrap0-dev,
+ openssl
+Standards-Version: 4.1.5
+Vcs-Browser: https://salsa.debian.org/nagios-team/pkg-nrpe
+Vcs-Git: https://salsa.debian.org/nagios-team/pkg-nrpe.git
+Homepage: https://github.com/NagiosEnterprises/nrpe
+
+Package: nagios-nrpe-server
+Architecture: any
+Depends: lsb-base,
+ ${shlibs:Depends},
+ ${misc:Depends}
+Recommends: monitoring-plugins-basic | monitoring-plugins
+Suggests: xinetd | inetd
+Pre-Depends: adduser
+Conflicts: nagios-nrpe-doc
+Description: Nagios Remote Plugin Executor Server
+ Nagios is a host/service/network monitoring and management system.
+ .
+ The purpose of this addon is to allow you to execute Nagios plugins on a
+ remote host in as transparent a manner as possible.
+ .
+ This program runs as a background process on the remote host and processes
+ command execution requests from the check_nrpe plugin on the Nagios host.
+
+Package: nagios-nrpe-plugin
+Architecture: any
+Depends: ${shlibs:Depends},
+ ${misc:Depends}
+Conflicts: nagios-nrpe-doc
+Description: Nagios Remote Plugin Executor Plugin
+ Nagios is a host/service/network monitoring and management system.
+ .
+ The purpose of this addon is to allow you to execute Nagios plugins on a
+ remote host in as transparent a manner as possible.
+ .
+ This is a plugin that is run on the Nagios host and is used to contact the
+ NRPE process on remote hosts.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..e1cb223
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,79 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: NRPE
+Upstream-Contact: Nagios Users List <nagios-users@lists.nagios.com>
+Source: https://github.com/NagiosEnterprises/nrpe
+
+Files: *
+Copyright: 2006-2017, Nagios Enterprises
+ 2016, Nagios Core Development Team
+ 1999-2008, Ethan Galstad (nagios@nagios.org)
+License: GPL-2+ with OpenSSL exception
+
+Files: include/acl.h
+ src/acl.c
+Copyright: 2011, Kaspersky Lab ZAO
+License: GPL-2+
+
+Files: src/snprintf.c
+Copyright: Patrick Powell 1995
+License: attribution
+ This code is based on code written by Patrick Powell (papowell@astart.com)
+ It may be used for any purpose as long as this notice remains intact
+ on all source code distributions
+
+Files: debian/*
+Copyright: 2004, Jason Thomas <jason@debian.org>
+License: GPL-2+
+
+License: GPL-2+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ .
+ On Debian systems, the complete text of version 2 of the GNU General
+ Public License can be found in `/usr/share/common-licenses/GPL-2'.
+
+License: GPL-2+ with OpenSSL exception
+ This program is free software; you can redistribute it
+ and/or modify it under the terms of the GNU General Public
+ License as published by the Free Software Foundation; either
+ version 2 of the License, or (at your option) any later
+ version.
+ .
+ In addition, as a special exception, the author of this
+ program gives permission to link the code of its
+ release with the OpenSSL project's "OpenSSL" library (or
+ with modified versions of it that use the same license as
+ the "OpenSSL" library), and distribute the linked
+ executables. You must obey the GNU General Public
+ License in all respects for all of the code used other
+ than "OpenSSL". If you modify this file, you may extend
+ this exception to your version of the file, but you are
+ not obligated to do so. If you do not wish to do so,
+ delete this exception statement from your version.
+ .
+ This program is distributed in the hope that it will be
+ useful, but WITHOUT ANY WARRANTY; without even the implied
+ warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ PURPOSE. See the GNU General Public License for more
+ details.
+ .
+ You should have received a copy of the GNU General Public
+ License along with this package; if not, write to the Free
+ Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+ Boston, MA 02110-1301 USA
+ .
+ On Debian systems, the full text of the GNU General Public
+ License version 2 can be found in the file
+ `/usr/share/common-licenses/GPL-2'.
+
diff --git a/debian/dirs b/debian/dirs
new file mode 100644
index 0000000..91d0516
--- /dev/null
+++ b/debian/dirs
@@ -0,0 +1 @@
+/etc/nagios/nrpe.d
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..21d0417
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,16 @@
+[DEFAULT]
+
+# The default name for the upstream branch is "upstream".
+# Change it if the name is different (for instance, "master").
+upstream-branch = upstream
+
+# The default name for the Debian branch is "master".
+# Change it if the name is different (for instance, "debian/unstable").
+debian-branch = master
+
+# git-import-orig uses the following names for the upstream tags.
+# Change the value if you are not using git-import-orig
+upstream-tag = upstream/%(version)s
+
+# Always use pristine-tar.
+pristine-tar = True
diff --git a/debian/nagios-nrpe-plugin.install b/debian/nagios-nrpe-plugin.install
new file mode 100644
index 0000000..3afb517
--- /dev/null
+++ b/debian/nagios-nrpe-plugin.install
@@ -0,0 +1,2 @@
+src/check_nrpe usr/lib/nagios/plugins/
+debian/check_nrpe.cfg etc/nagios-plugins/config/
diff --git a/debian/nagios-nrpe-plugin.postrm b/debian/nagios-nrpe-plugin.postrm
new file mode 100644
index 0000000..a77d21a
--- /dev/null
+++ b/debian/nagios-nrpe-plugin.postrm
@@ -0,0 +1,9 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = purge ]; then
+ test -d /var/lib/nagios && rmdir /var/lib/nagios || true #ignore non-failure errors
+fi
+
+#DEBHELPER#
+
diff --git a/debian/nagios-nrpe-server.default b/debian/nagios-nrpe-server.default
new file mode 100644
index 0000000..828ef02
--- /dev/null
+++ b/debian/nagios-nrpe-server.default
@@ -0,0 +1,16 @@
+# defaults file for nagios-nrpe-server
+# (this file is a /bin/sh compatible fragment)
+
+# NRPE_OPTS are any extra cmdline parameters you'd like to pass along to the
+# nrpe daemon.
+#
+# The -n option disables SSL support.
+#NRPE_OPTS="-n"
+
+# NICENESS is if you want to run the server at a different nice() priority.
+# (only used by the init script)
+#NICENESS=5
+
+# INETD is if you want to run the server via inetd (default=0, run as daemon).
+# (only used by the init script)
+#INETD=0
diff --git a/debian/nagios-nrpe-server.doc-base b/debian/nagios-nrpe-server.doc-base
new file mode 100644
index 0000000..a153da5
--- /dev/null
+++ b/debian/nagios-nrpe-server.doc-base
@@ -0,0 +1,6 @@
+Document: nagios-nrpe
+Title: NRPE Documentation
+Section: Network/Monitoring
+
+Format: PDF
+Files: /usr/share/doc/nagios-nrpe-server/*.pdf.gz
diff --git a/debian/nagios-nrpe-server.docs b/debian/nagios-nrpe-server.docs
new file mode 100644
index 0000000..ec4a52e
--- /dev/null
+++ b/debian/nagios-nrpe-server.docs
@@ -0,0 +1,5 @@
+LEGAL
+README.md
+README.SSL.md
+SECURITY.md
+docs/*
diff --git a/debian/nagios-nrpe-server.init b/debian/nagios-nrpe-server.init
new file mode 100644
index 0000000..5a48217
--- /dev/null
+++ b/debian/nagios-nrpe-server.init
@@ -0,0 +1,85 @@
+#! /bin/sh
+#
+
+### BEGIN INIT INFO
+# Provides: nagios-nrpe-server
+# Required-Start: $local_fs $remote_fs $syslog $named $network $time
+# Required-Stop: $local_fs $remote_fs $syslog $named $network
+# Should-Start:
+# Should-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start/Stop the Nagios remote plugin execution daemon
+### END INIT INFO
+
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/nrpe
+NAME=nagios-nrpe
+DESC=nagios-nrpe
+CONFIG=/etc/nagios/nrpe.cfg
+PIDDIR=/var/run/nagios
+
+test -x $DAEMON || exit 0
+
+if ! [ -x "/lib/lsb/init-functions" ]; then
+ . /lib/lsb/init-functions
+else
+ echo "E: /lib/lsb/init-functions not found, lsb-base (>= 3.0-6) needed"
+ exit 1
+fi
+
+# Include nagios-nrpe defaults if available
+if [ -f /etc/default/nagios-nrpe-server ] ; then
+ . /etc/default/nagios-nrpe-server
+fi
+# we also used to include this file, so if it's there
+# we include it as well
+if [ -f /etc/default/nagios-nrpe ]; then
+ . /etc/default/nagios-nrpe
+fi
+if [ "$NICENESS" ]; then NICENESS="-n $NICENESS"; fi
+
+#since /var/run can be wiped completly we create our run directory here
+if [ ! -d "$PIDDIR" ]; then
+ mkdir "$PIDDIR"
+ chown nagios "$PIDDIR"
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$PIDDIR"
+fi
+
+set -e
+
+case "$1" in
+ start)
+ if [ "$INETD" = 1 ]; then
+ exit 0
+ fi
+ log_daemon_msg "Starting $DESC" "$NAME"
+ start_daemon -p $PIDDIR/nrpe.pid $NICENESS $DAEMON -c $CONFIG -d $NRPE_OPTS
+ log_end_msg $?
+ ;;
+ stop)
+ log_daemon_msg "Stopping $DESC" "$NAME"
+ start-stop-daemon --stop --quiet --oknodo --pidfile $PIDDIR/nrpe.pid --retry 15
+ log_end_msg $?
+ ;;
+ reload|force-reload)
+ log_daemon_msg "Reloading $DESC configuration files" "$NAME"
+ start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDDIR/nrpe.pid
+ log_end_msg $?
+ ;;
+ status)
+ status_of_proc -p $PIDDIR/nrpe.pid "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+ restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ *)
+ log_failure_msg "Usage: $N {start|stop|restart|reload|force-reload}"
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/debian/nagios-nrpe-server.install b/debian/nagios-nrpe-server.install
new file mode 100644
index 0000000..5da03c3
--- /dev/null
+++ b/debian/nagios-nrpe-server.install
@@ -0,0 +1,3 @@
+src/nrpe usr/sbin
+sample-config/nrpe.cfg etc/nagios
+debian/nrpe_local.cfg etc/nagios
diff --git a/debian/nagios-nrpe-server.manpages b/debian/nagios-nrpe-server.manpages
new file mode 100644
index 0000000..d6530c4
--- /dev/null
+++ b/debian/nagios-nrpe-server.manpages
@@ -0,0 +1 @@
+debian/nrpe.8
diff --git a/debian/nagios-nrpe-server.preinst b/debian/nagios-nrpe-server.preinst
new file mode 100644
index 0000000..d9b4fa2
--- /dev/null
+++ b/debian/nagios-nrpe-server.preinst
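Review bot: In the `stop)` and `reload|force-reload)` branches of debian/nagios-nrpe-server.init, `start-stop-daemon` selects its target from `$PIDDIR/nrpe.pid` alone, and the script creates that directory owned by `nagios`, so a root-run stop or reload signals whichever PID the unprivileged account left in the file. Adding `--exec $DAEMON` to both calls limits the signal to a process that really is nrpe, e.g. `start-stop-daemon --stop --quiet --oknodo --pidfile $PIDDIR/nrpe.pid --exec $DAEMON --retry 15`. The guard `if ! [ -x "/lib/lsb/init-functions" ]` is also inverted: it sources the library only when the file is not executable and prints "not found" when it is, so `if [ -r /lib/lsb/init-functions ]; then` is presumably what was intended. The usage line expands `$N`, which is never set in the script, and leaves out `status`; `$0` would fit.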
@@ -0,0 +1,55 @@
+#! /bin/sh
+# preinst script for nagios-nrpe-server
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <new-preinst> `install'
+# * <new-preinst> `install' <old-version>
+# * <new-preinst> `upgrade' <old-version>
+# * <old-preinst> `abort-upgrade' <new-version>
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ install|upgrade)
+ if id nagios >/dev/null 2>&1 ; then
+ # We have a nagios user.
+ if [ `id nagios -g -n` != "nagios" ] ; then
+ addgroup --system nagios || true
+ #this can fail sometimes (i.e. with LDAP) so ignore it
+ usermod -g nagios nagios || true
+ fi
+ else
+ adduser --system --group --home /var/lib/nagios --quiet nagios
+ fi
+
+# if [ "$1" = "upgrade" ]
+# then
+# start-stop-daemon --stop --quiet --oknodo \
+# --pidfile /var/run/bud.pid \
+# --exec /usr/sbin/bud 2>/dev/null || true
+# fi
+ ;;
+
+ abort-upgrade)
+ ;;
+
+ *)
+ echo "preinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
diff --git a/debian/nagios-nrpe-server.service b/debian/nagios-nrpe-server.service
new file mode 100644
index 0000000..f67c6da
--- /dev/null
+++ b/debian/nagios-nrpe-server.service
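Review bot: The group test in the `install|upgrade)` branch of the preinst leaves the backtick substitution of `id nagios -g -n` unquoted, so an empty or multi-word result becomes a `[` syntax error that the `if` treats as false, and the group repair is skipped without any message. `if [ "$(id -gn nagios)" != "nagios" ] ; then` avoids that. The commented-out `start-stop-daemon` block refers to `/usr/sbin/bud` and `/var/run/bud.pid`, which look like leftovers from a packaging template, and could be deleted.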
@@ -0,0 +1,23 @@
+[Unit]
+Description=Nagios Remote Plugin Executor
+Documentation=http://www.nagios.org/documentation
+After=var-run.mount nss-lookup.target network.target local-fs.target remote-fs.target time-sync.target
+Before=getty@tty1.service plymouth-quit.service xdm.service
+Conflicts=nrpe.socket
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+Type=simple
+Restart=on-abort
+PIDFile=/var/run/nagios/nrpe.pid
+EnvironmentFile=-/etc/default/nagios-nrpe-server
+ExecStart=/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -f $NRPE_OPTS
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStopPost=/bin/rm -f /var/run/nagios/nrpe.pid
+TimeoutStopSec=60
+User=nagios
+Group=nagios
+PrivateTmp=true
+OOMScoreAdjust=-500
diff --git a/debian/nagios-nrpe-server.tmpfile b/debian/nagios-nrpe-server.tmpfile
new file mode 100644
index 0000000..d6bdcf3
--- /dev/null
+++ b/debian/nagios-nrpe-server.tmpfile
@@ -0,0 +1,2 @@
+#Type Path Mode UID GID Age Argument
+d /var/run/nagios 0755 nagios nagios - -
diff --git a/debian/nrpe.8 b/debian/nrpe.8
new file mode 100644
index 0000000..67e280c
--- /dev/null
+++ b/debian/nrpe.8
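Review bot: The `[Service]` section of nagios-nrpe-server.service confines a network-facing daemon, whose purpose is to run commands on request, with only `User=nagios` and `PrivateTmp=true`. Adding `ProtectSystem=full` and `ProtectHome=read-only` would limit what a misused check command can modify while still letting plugins read system state. `NoNewPrivileges=true` is worth adding as well wherever no configured command depends on sudo or setuid helpers, which has to be confirmed per site before it is made the default.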
@@ -0,0 +1,60 @@
+.\" Hey, EMACS: -*- nroff -*-
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH NAGIOS-NRPE 8 "January 14, 2004"
+.\" Please adjust this date whenever revising the manpage.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp <n> insert n+1 empty lines
+.\" for manpage-specific macros, see man(7)
+.SH NAME
+nrpe \- Nagios Remote Plugin Executor - Server
+.SH SYNOPSIS
+.B nagios-nrpe
+\fI[-n] -c <config_file> [-4|-6] <mode>\fR
+.SH DESCRIPTION
+.PP
+The purpose of this addon is to allow you to execute Nagios plugins on a
+remote host in as transparent a manner as possible.
+.PP
+This program runs as a background process on the remote host and processes
+command execution requests from the check_nrpe plugin on the Nagios host.
+.SH OPTIONS
+.TP
+\fB\-n\fR = Do not use SSL
+.TP
+\fB\-c\fR <config_file> = Name of config file to use
+.TP
+\fB\-4\fR = Use IPv4 only
+.TP
+\fB\-6\fR = Use IPv6 only
+.TP
+<mode> = One of the following two operating modes:
+.TP
+ \fB\-i\fR = Run as a service under inetd or xinetd
+.TP
+ \fB\-d\fR = Run as a standalone daemon
+.TP
+ \fB\-d \-s\fR = Run as a subsystem under AIX
+.TP
+ \fB\-f\fR = Don't fork() for systemd, launchd, etc.
+.PP
+Notes:
+This program is designed to process requests from the check_nrpe
+plugin on the host(s) running Nagios. It can run as a service
+under inetd or xinetd (read the docs for info on this), or as a
+standalone daemon. Once a request is received from an authorized
+host, NRPE will execute the command/plugin (as defined in the
+config file) and return the plugin output and return code to the
+check_nrpe plugin.
+.SH AUTHOR
+This manual page was written by Jason Thomas <jason@debian.org>,
+for the Debian project (but may be used by others).
diff --git a/debian/nrpe_local.cfg b/debian/nrpe_local.cfg
new file mode 100644
index 0000000..9660438
--- /dev/null
+++ b/debian/nrpe_local.cfg
@@ -0,0 +1,3 @@
+######################################
+# Do any local nrpe configuration here
+######################################
diff --git a/debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch b/debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch
new file mode 100644
index 0000000..6c607fd
--- /dev/null
+++ b/debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch
@@ -0,0 +1,24 @@
+Description: Support nrpe_local.cfg & nrpe.d directory.
+Author: Sean Finney <seanius@debian.org>
+Author: Alexander Wirt <formorer@debian.org>
+Forwarded: not-needed
+
+--- a/sample-config/nrpe.cfg.in
++++ b/sample-config/nrpe.cfg.in
+@@ -359,3 +359,16 @@ command[check_total_procs]=@pluginsdir@/
+
+ #include_dir=<somedirectory>
+ #include_dir=<someotherdirectory>
++
++
++
++# local configuration:
++# if you'd prefer, you can instead place directives here
++
++include=/etc/nagios/nrpe_local.cfg
++
++# you can place your config snipplets into nrpe.d/
++# only snipplets ending in .cfg will get included
++
++include_dir=/etc/nagios/nrpe.d/
++
diff --git a/debian/patches/07_warn_ssloption.patch b/debian/patches/07_warn_ssloption.patch
new file mode 100644
index 0000000..a6f9686
--- /dev/null
+++ b/debian/patches/07_warn_ssloption.patch
@@ -0,0 +1,28 @@
+Description: Warn against inadequateness of NRPE's own SSL option.
+Author: Thijs Kinkhorst <thijs@debian.org>
+Forwarded: not-needed
+
+--- a/SECURITY.md
++++ b/SECURITY.md
+@@ -91,14 +91,17 @@ Encryption
+ ----------
+
+ If you do enable support for command arguments in the NRPE daemon,
+-make sure that you encrypt communications either by using:
+-
+- 1. Stunnel (see http://www.stunnel.org for more info)
+- 2. Native SSL support (See the [SSL Readme](README.SSL.md) file for more info)
++make sure that you encrypt communications by using, for example,
++Stunnel (see http://www.stunnel.org for more info).
+
+ Do **NOT** assume that just because the daemon is behind a firewall
+ that you are safe! ***Always encrypt NRPE traffic!***
+
++NOTE: the currently shipped native SSL support of NRPE is not an
++adequante protection, because it does not verify clients and
++server, and uses pregenerated key material. NRPE's SSL option is
++advised against. For more information, see Debian bug #547092.
++
+
+ Using Arguments
+ ---------------
diff --git a/debian/patches/11_reproducible_dh.h.patch b/debian/patches/11_reproducible_dh.h.patch
new file mode 100644
index 0000000..605fb1a
--- /dev/null
+++ b/debian/patches/11_reproducible_dh.h.patch
@@ -0,0 +1,79 @@ +Description: Use pre-generated dh.h for reproducible builds. +Author: Bas Couwenberg <sebastic@debian.org> +Bug-Debian: https://bugs.debian.org/834857 +Forwarded: not-needed + +--- /dev/null ++++ b/include/dh.h +@@ -0,0 +1,53 @@ ++#ifndef HEADER_DH_H ++# include <openssl/dh.h> ++#endif ++ ++DH *get_dh2048() ++{ ++ static unsigned char dhp_2048[] = { ++ 0xD0, 0x0A, 0x1E, 0x0E, 0x73, 0xE5, 0x51, 0xC3, 0x6C, 0xAA, ++ 0x7F, 0x6B, 0x9C, 0x9D, 0x47, 0x26, 0xAA, 0x25, 0x2B, 0x73, ++ 0xCD, 0x93, 0x94, 0xA2, 0xEA, 0x56, 0x14, 0xD4, 0x42, 0x48, ++ 0x21, 0x61, 0xF9, 0xA1, 0xB7, 0x88, 0xA7, 0xDA, 0x8B, 0xD8, ++ 0xFF, 0x12, 0x8D, 0x50, 0x2D, 0x1D, 0x40, 0xAB, 0xFD, 0x97, ++ 0x89, 0x18, 0x1D, 0x57, 0x69, 0xD3, 0x68, 0xBF, 0x68, 0xA1, ++ 0x20, 0xAD, 0x80, 0xFF, 0xB4, 0xE3, 0xC6, 0xC9, 0x5A, 0x62, ++ 0x23, 0x39, 0x45, 0x79, 0x8D, 0x03, 0x45, 0x55, 0xEB, 0xCA, ++ 0x34, 0x37, 0x44, 0x4B, 0x9C, 0xFF, 0x3B, 0xA7, 0xA4, 0xD3, ++ 0x2A, 0xD6, 0x96, 0x41, 0x6C, 0x58, 0x19, 0x9E, 0x89, 0xD3, ++ 0xB9, 0x36, 0xB0, 0x07, 0xD2, 0x9C, 0xFE, 0xFD, 0x3E, 0x4E, ++ 0x38, 0x71, 0x2C, 0xB2, 0xE8, 0x54, 0x83, 0x8A, 0xFA, 0x57, ++ 0xE2, 0x2B, 0x62, 0xD6, 0x0D, 0x66, 0x01, 0xE2, 0x46, 0xAD, ++ 0x64, 0x5B, 0x57, 0x5C, 0xED, 0x43, 0x97, 0x58, 0xA9, 0x93, ++ 0x4C, 0xCA, 0xAC, 0x4C, 0xB1, 0xBB, 0xD0, 0xDC, 0xF8, 0xEC, ++ 0x4A, 0x5A, 0xBB, 0xF5, 0x44, 0x70, 0x69, 0xC4, 0x51, 0xA8, ++ 0x0D, 0x47, 0x59, 0x19, 0x57, 0x7A, 0x71, 0x3D, 0x65, 0xB7, ++ 0x55, 0x27, 0x87, 0x44, 0xC0, 0x45, 0x87, 0xA7, 0x0B, 0x73, ++ 0x8D, 0x31, 0xFD, 0xE5, 0xA2, 0xDA, 0x99, 0x6D, 0xC0, 0x51, ++ 0xA3, 0x63, 0x73, 0x76, 0x91, 0x38, 0x5C, 0x57, 0x0B, 0x26, ++ 0x08, 0xC1, 0x66, 0x9F, 0x2D, 0xBE, 0x86, 0x44, 0x1B, 0xD2, ++ 0x40, 0x07, 0xB5, 0x7D, 0x15, 0x4A, 0xDA, 0x5F, 0x89, 0xE9, ++ 0xE7, 0x48, 0xDE, 0x0E, 0x3A, 0xA9, 0xF5, 0x60, 0x3C, 0x32, ++ 0x08, 0x40, 0xAF, 0xF0, 0x83, 0x74, 0xB3, 0x97, 0x44, 0x2E, ++ 0x2F, 0xE8, 0x67, 0x70, 0xA2, 0xAC, 0x94, 0xD9, 0x75, 0xBF, ++ 0x4F, 0x75, 0x8B, 0x2A, 0x1B, 0x1B ++ }; ++ static 
unsigned char dhg_2048[] = { ++ 0x02 ++ }; ++ DH *dh = DH_new(); ++ BIGNUM *dhp_bn, *dhg_bn; ++ ++ if (dh == NULL) ++ return NULL; ++ dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL); ++ dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL); ++ if (dhp_bn == NULL || dhg_bn == NULL ++ || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { ++ DH_free(dh); ++ BN_free(dhp_bn); ++ BN_free(dhg_bn); ++ return NULL; ++ } ++ return dh; ++} +--- a/macros/ax_nagios_get_ssl ++++ b/macros/ax_nagios_get_ssl +@@ -288,15 +288,7 @@ if test x$SSL_TYPE != xNONE; then + # Find the openssl program + + if test x$need_dh = xyes; then +- AC_PATH_PROG(sslbin,openssl,value-if-not-found,$ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH) + AC_DEFINE(USE_SSL_DH) +- # Generate DH parameters +- if test -f "$sslbin"; then +- echo "" +- echo "*** Generating DH Parameters for SSL/TLS ***" +- # awk to strip off meta data at bottom of dhparam output +- $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h +- fi + fi + fi + fi diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..15e2844 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,3 @@ +02_nrpe.cfg_local-include_support_nrpe.d.patch +07_warn_ssloption.patch +11_reproducible_dh.h.patch diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..12df244 --- /dev/null +++ b/debian/rules 
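Review bot: Nothing in 11_reproducible_dh.h.patch records where the `dhp_2048` prime in `include/dh.h` came from, yet it becomes the DH group of every installation built from this package. A fixed group is a reasonable price for reproducible builds, but it should be auditable: either state the provenance in the patch header, e.g. `Description: ... Parameters were generated once with "openssl dhparam -C 2048" and are identical on all installs.`, or replace the array with a published group such as RFC 7919 ffdhe2048. DH parameters give no peer authentication by themselves, which matches the warning 07_warn_ssloption.patch adds to SECURITY.md, so the documentation should keep pointing administrators to certificate configuration as the actual protection.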
@@ -0,0 +1,31 @@
+#!/usr/bin/make -f
+
+# newer dpkg set this by default.
+DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
+
+# Enable hardening build flags
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all
+
+CFLAGS += $(CPPFLAGS)
+
+export AUTOHEADER=true
+
+%:
+ dh $@ --with autoreconf,systemd --parallel
+
+override_dh_auto_configure:
+ dh_auto_configure -- \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --libdir=/usr/lib/nagios \
+ --libexecdir=/usr/lib/nagios/plugins \
+ --localstatedir=/var \
+ --enable-ssl \
+ --with-logdir=/var/log \
+ --with-ssl-lib=/usr/lib/$(DEB_HOST_MULTIARCH) \
+ --with-piddir=/var/run/nagios
+
+override_dh_auto_build:
+ dh_auto_build -- all
+
+override_dh_auto_install:
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..3b18c6d
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,3 @@
+# Test installability
+Depends: @
+Test-Command: /bin/true
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..882ce58
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,6 @@
+---
+Bug-Database: https://github.com/NagiosEnterprises/nrpe/issues
+Bug-Submit: https://github.com/NagiosEnterprises/nrpe/issues/new
+Name: NRPE
+Repository: https://github.com/NagiosEnterprises/nrpe.git
+Repository-Browse: https://github.com/NagiosEnterprises/nrpe
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..b512ed5
--- /dev/null
+++ b/debian/watch
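Review bot: `--enable-ssl` in `override_dh_auto_configure` of debian/rules builds in the native SSL support that 07_warn_ssloption.patch, shipped in the same package, tells administrators is "advised against" because it "does not verify clients and server, and uses pregenerated key material". The two should be reconciled: either the SECURITY.md note is narrowed to the case where no certificates are configured, or the flag carries a comment giving the reason, e.g. `# SSL enabled despite the caveat in 07_warn_ssloption.patch because <maintainer's reason>`. The empty `override_dh_auto_install:` would also benefit from a one-line comment saying that upstream's install target is skipped on purpose, presumably because the `.install` lists place the files.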
@@ -0,0 +1,7 @@ +version=3 +opts=\ +dversionmangle=s/\+(debian|dfsg|ds|deb)\d*$//,\ +uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/;s/RC/rc/;s/-/./g,\ +filenamemangle=s/(?:.*?)?(?:rel|v|nrpe)?[\-\_]?(\d\S+)\.(tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz)))/nrpe-$1.$2/ \ +https://github.com/NagiosEnterprises/nrpe/releases \ +(?:.*?/archive\/)?(?:rel|v|nrpe)?[\-\_]?(\d\S+)\.(?:tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz))) |