diff options
30 files changed, 1272 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS new file mode 100644 index 0000000..2123c7e --- /dev/null +++ b/debian/NEWS @@ -0,0 +1,92 @@ +nagios-nrpe (3.2.0-2) unstable; urgency=medium + + The bug that caused the SSL support between NRPE 2.x and 3.x not + to work has been fixed. + + Because the default SSL support without certificates configured + in nrpe.cfg uses pre-generated key data, configuring SSL + certificates is strongly advised when STunnel is not used. + + The ssl-cert package can be used to generate a self-signed + certificate, but CA certificates like those from Let's Encrypt + are a better choice. + + SSL support has been re-enabled by default, to be better compatible + with previous NRPE versions where SSL support was enabled by default + too. + + The check_nrpe command definition has been updated to enable SSL + support (by removing the -n option) and the check_nrpe_ssl command + definition has been removed. The previous check_nrpe command + definition which disables SSL support is available with the new + check_nrpe_nossl command definition. + + -- Bas Couwenberg <sebastic@debian.org> Fri, 07 Jul 2017 13:48:38 +0200 + +nagios-nrpe (3.0.1-1) unstable; urgency=medium + + The check_nrpe command definition has been updated to remove the + arguments option, because nagios-nrpe-server does not support + command arguments since 2.15-1. And the check_nrpe_1arg command + definition has been removed. + + If you're using the check_nrpe_1arg command in your Nagios/Icinga + configuration, you need to replace it with check_nrpe. + + SSL support is disabled by default, the reworked SSL/TLS support in + NRPE requires configuration before it can be used. Read the + instructions in /usr/share/doc/nagios-nrpe-server/README.SSL.md.gz + before enabling SSL support in /etc/default/nagios-nrpe-server. + + The default check_nrpe command in check_nrpe.cfg has been updated + to disable SSL by default too. The check_nrpe_ssl command has been + added to connect to the NRPE daemon over SSL. + + Beware that the new NRPE daemon only works with old check_nrpe + plugins when SSL support is disabled on both sides, likewise the + new check_nrpe plugin only works with the old NRPE daemon when SSL + support is disabled. + + To use SSL between the NRPE client and server, configuring Stunnel + is recommended. + + -- Bas Couwenberg <sebastic@debian.org> Mon, 05 Dec 2016 01:16:46 +0100 + +nagios-nrpe (2.15-1) unstable; urgency=high + + This update disables the command-args support in nrpe. The feature + has several security problems and is often used wrong. If you have to + use this feature recompile the package with --enable-command-args + in debian/rules. + + -- Alexander Wirt <formorer@debian.org> Tue, 15 Jul 2014 09:52:48 +0200 + +nagios-nrpe (2.12-4) unstable; urgency=low + + The pidfile creation mechanism changed with this update. If you do not + add "pid_file=/var/run/nagios/nrpe.pid" to you nrpe config take care that + the user "nagios" is able to write to your pidfile location. You can also + change the initscript to create the pid directory on your own. + + -- Alexander Wirt <formorer@debian.org> Tue, 07 Jul 2009 07:42:13 +0200 + +nagios-nrpe (2.12-3) unstable; urgency=low + + The homedirectory of the nagios user moved to /var/lib/nagios + which is now common on all nagios related packages. Its recommended + that you migrate an already existing nagios user to use /var/lib/nagios + as homedirectory. + + -- Alexander Wirt <formorer@debian.org> Sat, 21 Mar 2009 09:08:58 +0100 + +nagios-nrpe (2.4-1) unstable; urgency=low + + the nagios-nrpe-doc package is no longer provided. the documentation + can now be found in /usr/share/doc/nagios-nrpe-{server|plugins}. new + versions of the plugin and server packages conflict with the doc + package to prevent the old (and possibly incorrect in the future) + documentation from remaining. to fully purge all information about + the package you should run: + dpkg -P nagios-nrpe-doc + + -- sean finney <seanius@debian.org> Mon, 13 Mar 2006 15:47:47 +0100 diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 0000000..497b509 --- /dev/null +++ b/debian/README.Debian @@ -0,0 +1,23 @@ +NRPE +---- + +Put any local check command you need into /etc/nagios/nrpe_local.cfg or +as a *.cfg file in /etc/nagios/nrpe.d/ +These files are included from the /etc/nagios/nrpe.cfg + +This package is built without support for command argument processing. If you +want to enable it, you will have to rebuild this package with +--enable-command-args in debian/rules. +The feature has several security problems and should not be used. If you +really need some dynamic argument processing try check_by_ssh or something +similar. + +Do not rely on SSL mode for security +------------------------------------ + +NRPE contains an SSL mode which encrypts the data over the NRPE channel. +The current implementation does not verify client or server and uses +pregenerated key data by default. It cannot be fixed right away because +it would break the existing NRPE protocol. + +Please refer to the file SECURITY.md in this directory for more information. diff --git a/debian/TODO b/debian/TODO new file mode 100644 index 0000000..a0a0586 --- /dev/null +++ b/debian/TODO @@ -0,0 +1,5 @@ +TODO +==== + + +Add a nagios-common package which ships a user and homedir diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..5758b6a --- /dev/null +++ b/debian/changelog @@ -0,0 +1,554 @@ +nagios-nrpe (4.1.0-1) unstable; urgency=medium + + * Move from experimental to unstable. + + -- Bas Couwenberg <sebastic@debian.org> Wed, 20 Jul 2022 11:16:39 +0200 + +nagios-nrpe (4.1.0-1~exp1) experimental; urgency=medium + + * New upstream release. + * Bump watch file version to 4. + * Bump Standards-Version to 4.6.1, no changes. + * Update watch file for GitHub URL changes. + * Bump debhelper compat to 12, no changes. + * Add ${misc:Pre-Depends} substvar to nagios-nrpe-server. + * Update lintian overrides. + * Update Vcs-* URLs for repo rename. + * Refresh patches. + + -- Bas Couwenberg <sebastic@debian.org> Tue, 19 Jul 2022 10:50:41 +0200 + +nagios-nrpe (4.0.3-1) unstable; urgency=medium + + * New upstream release. + + -- Bas Couwenberg <sebastic@debian.org> Wed, 29 Apr 2020 10:38:59 +0200 + +nagios-nrpe (4.0.2-1) unstable; urgency=medium + + * New upstream release. + * Bump Standards-Version to 4.5.0, no changes. + * Don't explicitly enable systemd, enabled by default. + * Drop check_nrpe-buffer-length.patch, included upstream. + * Refresh patches. + + -- Bas Couwenberg <sebastic@debian.org> Mon, 23 Mar 2020 06:06:35 +0100 + +nagios-nrpe (4.0.0-2) unstable; urgency=medium + + * Add upstream patch to fix check_nrpe buffer length calculation. + + -- Bas Couwenberg <sebastic@debian.org> Thu, 23 Jan 2020 05:40:17 +0100 + +nagios-nrpe (4.0.0-1) unstable; urgency=medium + + * Move from experimental to unstable. + + -- Bas Couwenberg <sebastic@debian.org> Thu, 16 Jan 2020 08:09:17 +0100 + +nagios-nrpe (4.0.0-1~exp1) experimental; urgency=medium + + [ Bas Couwenberg ] + * New upstream release. + * Bump Standards-Version to 4.4.1, no changes. + * Refresh patches. + * Use single tab for dh command in rules. + * Drop --parallel dh argument, used by default with compat 10. + + [ Debian Janitor ] + * Bump debhelper from old 9 to 10. + * Drop unnecessary dependency on dh-autoreconf. + * Remove obsolete field Name from debian/upstream/metadata (already + present in machine-readable debian/copyright). + + -- Bas Couwenberg <sebastic@debian.org> Thu, 16 Jan 2020 06:07:37 +0100 + +nagios-nrpe (3.2.1-3) unstable; urgency=medium + + * Drop autopkgtest to test installability. + * Add lintian override for testsuite-autopkgtest-missing. + * Bump Standards-Version to 4.4.0, no changes. + * Update gbp.conf to use --source-only-changes by default. + * Use /run instead of /var/run for PID. + (closes: #932353) + + -- Bas Couwenberg <sebastic@debian.org> Sun, 28 Jul 2019 11:17:34 +0200 + +nagios-nrpe (3.2.1-2) unstable; urgency=medium + + * Bump Standards-Version to 4.1.5, no changes. + * Update Vcs-* URLs for Salsa. + * Drop dh-systemd build dependency, use debhelper (>= 9.20160709) instead. + * Strip trailing whitespace from changelog file. + + -- Bas Couwenberg <sebastic@debian.org> Fri, 20 Jul 2018 21:04:36 +0200 + +nagios-nrpe (3.2.1-1) unstable; urgency=medium + + * New upstream release. + * Drop patches included upstream, refresh remaining patches. + + -- Bas Couwenberg <sebastic@debian.org> Sun, 03 Sep 2017 10:52:40 +0200 + +nagios-nrpe (3.2.0-4) unstable; urgency=medium + + * Add upstream patch to turn seteuid errors into warnings. + (closes: #868326) + + -- Bas Couwenberg <sebastic@debian.org> Fri, 14 Jul 2017 16:51:12 +0200 + +nagios-nrpe (3.2.0-3) unstable; urgency=medium + + * Re-enable SSL support by default. + Compatibility with older versions has been fixed. + + -- Bas Couwenberg <sebastic@debian.org> Fri, 07 Jul 2017 14:08:13 +0200 + +nagios-nrpe (3.2.0-2) unstable; urgency=medium + + * Fix 11_reproducible_dh.h.patch to not leave USE_SSL_DH undefined. + Thanks to Johan Carlquist for pointing out this issue. + * Drop --with-need-dh=no configure option, dh is needed. + * Remove deterministic "openssl dhparam" output handling, + dh.h not included in upstream source. + + -- Bas Couwenberg <sebastic@debian.org> Thu, 06 Jul 2017 14:33:39 +0200 + +nagios-nrpe (3.2.0-1) unstable; urgency=medium + + * New upstream release. + (closes: #565643) + * Bump Standards-Version to 4.0.0, no changes. + * Add autopkgtest to test installability. + * Set --with-logdir configure option to /var/log. + * Update watch file for GitHub releases. + * Update copyright file. + * Refresh patches. + * Reinstate 11_reproducible_dh.h.patch for reproducible dh.h. + * Regenerate dh.h with OpenSSL 1.1.0. + + -- Bas Couwenberg <sebastic@debian.org> Wed, 05 Jul 2017 09:53:06 +0200 + +nagios-nrpe (3.1.1-1) unstable; urgency=medium + + * Move from experimental to unstable. + + -- Bas Couwenberg <sebastic@debian.org> Sun, 18 Jun 2017 13:39:05 +0200 + +nagios-nrpe (3.1.1-1~exp1) experimental; urgency=medium + + * New upstream release. + * Drop format-security.patch, applied upstream. + * Use --with-need-dh=no configure option instead of patch. + + -- Bas Couwenberg <sebastic@debian.org> Sat, 27 May 2017 10:57:03 +0200 + +nagios-nrpe (3.1.0-1~exp1) experimental; urgency=medium + + * New upstream release. + (closes: #849417, #445976, #691328) + * Fix typo in manpage. + (closes: #856658) + * Drop 10_reproducible_build.patch, applied upstream. + Refresh remaining patches. + * Update build dependency for OpenSSL 1.1.0. + (closes: #859223) + * Add patch to fix FTBFS with -Werror=format-security. + + -- Bas Couwenberg <sebastic@debian.org> Wed, 19 Apr 2017 19:28:05 +0200 + +nagios-nrpe (3.0.1-3) unstable; urgency=medium + + * Add reload command to systemd service file. + * Make missing EnvironmentFile non-fatal in systemd service. + + -- Bas Couwenberg <sebastic@debian.org> Sat, 24 Dec 2016 10:24:09 +0100 + +nagios-nrpe (3.0.1-2) unstable; urgency=medium + + * Add systemd service file and tmpfiles.d configuration. + (closes: #665422) + * Update nrpe manpage to include new options. + + -- Bas Couwenberg <sebastic@debian.org> Fri, 23 Dec 2016 23:15:19 +0100 + +nagios-nrpe (3.0.1-1) unstable; urgency=medium + + * Update check_nrpe.cfg to remove command with arguments. + (LP: #975918) + * Disable SSL support by default, requires configuration. + It also doesn't work well with old check_nrpe versions. + * Move from experimental to unstable. + + -- Bas Couwenberg <sebastic@debian.org> Fri, 09 Dec 2016 00:15:29 +0100 + +nagios-nrpe (3.0.1-1~exp1) experimental; urgency=medium + + [ Alexander Wirt ] + * Sync uploaders with reality. + (closes: #773441) + + [ Bas Couwenberg ] + * New upstream release. + - Reworked SSL/TLS. See the README.SSL.md file for full info. + (closes: #547092) + * Add myself to Uploaders. + * Add Vcs-* fields to control file. + (closes: #755507) + * Change nagios-plugins dependencies to monitoring-plugins. + * Switch from dpatch to source format 3.0 (quilt). + (closes: #756410) + * Drop obsolete patch: 04_weird_output.dpatch. + * Restructure control file with cme. + * Reorder (build) dependencies. + * Add Homepage field to control file. + * Update copyright file using copyright-format 1.0. + * Add gbp.conf to use pristine-tar by default. + * Update build dependency to use openssl 1.0. + * Enable all hardening buildflags. + (closes: #728218) + * Enable parallel builds. + * Suggest xinetd | inetd. + (closes: #662247) + * Include PDF & ODT documentation in docs. + (closes: #662249) + * Update watch file to handle common issues. + * Add upstream metadata. + * Merge nrpe.cfg patches into single patch. + (closes: #660583) + * Use configure option to set custom PID directory instead of patch. + * Drop 09_noremove_pid.patch, fixed upstream. Refresh remaining patches. + * Add patch to use pre-generated dh.h for reproducible builds. + * Override dh_auto_build to build all targets. + * Use dh-autoreconf instead of autotools-dev. + * Use exit status 0 in init script when inetd is configured. + (closes: #775924) + * Include README.SSL.md in docs. + * Bump Standards-Version to 3.9.8, changes: + Vcs-* fields, copyright-format 1.0. + + [ Benjamin Drung ] + * Use dh_auto_configure to enable default hardening flags. + (closes: #843805) + * Fix copyright-refers-to-symlink-license. + (closes: #756414) + + [ Chris Lamb ] + * Make the build reproducible. + (closes: #834857) + + -- Bas Couwenberg <sebastic@debian.org> Sun, 04 Dec 2016 18:36:54 +0100 + +nagios-nrpe (2.15-1) unstable; urgency=high + + * [f2cea9f] Imported Upstream version 2.15 + * [023e909] Disable command-args in nrpe. (Closes: #745272) + * [6369220] Use restorecon to set SE Linux context on $PIDDIR + (Closes: #679241) + * [a484e7d] Switch order of nagios-plugins recommends to prefer -basic. + (Closes: #752243) + * [b1ef043] Don't recommend a core implementation for the plugin + * [16dbf01] Remove obsolete patch + * [694b804] Remove luk from uploaders. (Closes: #719636) + * [28d9004] Remove obsolete patch + * [86ea67e] 08_CVE-2013-1362.dpatch is now obsolete + * [74e3b07] Refresh patches + * [1258ab2] Reword NEWS entry + * [744eec6] configure is buggy: --disable- in fact enables a feautre. + * [eec54b6] Adjust README.Debian for the removal or argument processing + + -- Alexander Wirt <formorer@debian.org> Tue, 15 Jul 2014 18:30:36 +0200 + +nagios-nrpe (2.13-4) unstable; urgency=low + + * [dcffec6] Do not remove the PID file after a connection error. + Original patch from Hiren Patel. (Closes: #716949) + + -- Bernd Zeimetz <bzed@debian.org> Mon, 15 Jul 2013 16:07:54 +0200 + +nagios-nrpe (2.13-3) unstable; urgency=high + + * [e55afd1] Add 08_CVE-2013-1362.dpatch patch. + If command arguments are enabled in the NRPE configuration, it was + possible to pass $() as arguments as the checking for nasty caracters + was not strict enough to catch $(). This allowed executing shell + commands under a subprocess and pass the output as a parameter to the + called script (if run under bash). CVE-2013-1362 (Closes: #701227) + + -- Alexander Wirt <formorer@debian.org> Sat, 09 Mar 2013 08:42:05 +0100 + +nagios-nrpe (2.13-2) unstable; urgency=high + + [ Thijs Kinkhorst ] + * Add warning about the inadequateness of the 'ssl' option. + + -- Alexander Wirt <formorer@debian.org> Mon, 11 Feb 2013 17:45:20 +0100 + +nagios-nrpe (2.13-1) unstable; urgency=low + + * [3e113b5] Imported Upstream version 2.13 + * [acc152b] Bump standards version + * [c707bce] Use dh9 for hardening + * Updated patches + + -- Alexander Wirt <formorer@debian.org> Sat, 30 Jun 2012 11:08:22 +0200 + +nagios-nrpe (2.12-6) unstable; urgency=low + + * [36b1062] Add add icinga to the list of recommends + * [a698acb] Don't remove homedirectory of the nagios user (Closes: #665845) + * [4dc53fb] Use retry argument for start-stop-daemon when stopping nrpe + (Closes: #650464) + + -- Alexander Wirt <formorer@debian.org> Mon, 30 Apr 2012 09:25:45 +0200 + +nagios-nrpe (2.12-5) unstable; urgency=low + + [ Alexander Wirt ] + * [e3af3bd] Bump compat to 8 + * [4f9e892] Add versioned depends to dpatch for sequence support + * [5ec5a3b] Install example nrpe_local.cfg + * [69ea7b9] Move rules file to dh + * [298f725] Use autotools_dev dh sequence helper + * [10da37d] Bump debhelper dependency to 8 + * [2b009ae] Bump standards version + * [4d093e3] Ignore usermod failure (Closes: #538894) + * [e776f7b] Use pidfile for start-stop-daemon and fix pidfile deletion + (Closes: #548157, #639523) + * [8050c97] Support multiarch in rulesfile (Closes: #642790) + * [027274f] Use pidfile for start-stop-daemon in start() + * [1f69c63] Support status in nrpe initscript + * [42ccdcc] Add a comment to nrpe.cfg that snipplets have to end .cfg + (Closes: #641933) + + [ Jan Wagner ] + * [0a80fdb] Update debian/README.Debian about conf.d/ + + -- Alexander Wirt <formorer@debian.org> Sun, 25 Sep 2011 08:35:48 +0200 + +nagios-nrpe (2.12-4) unstable; urgency=low + + * Build against libwrap0-dev (Closes: #412705) + * Remove 'last modified header' from nrpe config (Closes: #499280) + * Create /etc/nagios/nrpe.d (Closes: #505700, #474333) + * Fix pidfile handling (Closes: #411046) + * Add newer config.{guess,sub} (Closes: #535737) + - Build-depend on autotools-dev + * Delete /var/lib/nagios if empty after purge (Closes: #527069) + * Bump standards version (add README.source) + * Bump dh_compat version (remove -k from dh_clean) + + -- Alexander Wirt <formorer@debian.org> Mon, 06 Jul 2009 07:08:26 +0200 + +nagios-nrpe (2.12-3.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix bashism (Closes: #530149). + + -- Raphael Geissert <geissert@debian.org> Sat, 04 Jul 2009 20:23:23 -0500 + +nagios-nrpe (2.12-3) unstable; urgency=low + + * Sync homedirectory of the nagios user with the nagios3 package + (Closes: #479051) + * Removed now empty nagios-nrpe-plugins.post* scripts + + -- Alexander Wirt <formorer@debian.org> Sat, 21 Mar 2009 09:33:39 +0100 + +nagios-nrpe (2.12-2) unstable; urgency=low + + * Add myself to uploaders. + * Clean buffer before use (Closes: #498749). + * Remove pid file before creating a new ones (Closes: #411046). + * Include inetd support (Closes: #409772). + + -- Luk Claes <luk@debian.org> Sun, 14 Sep 2008 16:04:17 +0200 + +nagios-nrpe (2.12-1) unstable; urgency=low + + * Support an nrpe.d config directory in addition to nrpe_local.cfg + (Closes: #474333) + * Add myself to uploaders + * Add watch file + * New upstream version (Closes: #475081) + * Acknowledge NMU from Chris Lamb (Closes: #484412) + * Recommend Nagios 3 instead of Nagios 2 + * Update copyright file + * Use the same homedir as nagios3 (Closes: #479051) + + -- Alexander Wirt <formorer@debian.org> Wed, 06 Aug 2008 20:33:57 +0200 + +nagios-nrpe (2.8.1-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix bashism in debian/rules (Closes: #484412) + * Bump Standards-Version to 3.8.0. + + -- Chris Lamb <chris@chris-lamb.co.uk> Sat, 12 Jul 2008 01:09:21 +0100 + +nagios-nrpe (2.8.1-1) unstable; urgency=low + + * New upstream release + * bump Recommends to nagios2, thanks to Henning Sprang + for suggesting this (closes: #399856). + * fix typo in package description, thanks to Tilman Koschnick for + noticing this (closes: #419130). + + -- sean finney <seanius@debian.org> Sat, 12 May 2007 12:27:30 +0200 + +nagios-nrpe (2.5.1-3) unstable; urgency=high + + * apparently we were already including another default file + without installing it, and some people were using it. so + now we include this one as well as the new default, with this + one taking precedence since it was there first. thanks to + Peter Palfrader for catching this (closes: #398914). + + -- sean finney <seanius@debian.org> Fri, 17 Nov 2006 09:17:55 +0100 + +nagios-nrpe (2.5.1-2) unstable; urgency=low + + * include a /etc/default/nagios-nrpe-server where variables + such as DAEMON_OPTS can be set (closes: #396709). + * bump standards version to 3.7.2 + * add pre-depends on adduser + * LSB-ize init script, and add dependency on lsb-base + + -- sean finney <seanius@debian.org> Sat, 04 Nov 2006 17:38:34 +0100 + +nagios-nrpe (2.5.1-1) unstable; urgency=low + + * new upstream release. includes fix from Peter Palfrader to catch + invalid free()'s when nrpe is called with --no-ssl (closes: #361233). + + -- sean finney <seanius@debian.org> Sun, 14 May 2006 21:38:48 -0500 + +nagios-nrpe (2.4-2) unstable; urgency=low + + [sean finney] + * removing nrpe_local.cfg caused trouble for some people, so + i've added it back in (closes: #360093). + + -- sean finney <seanius@debian.org> Fri, 31 Mar 2006 07:02:31 +0200 + +nagios-nrpe (2.4-1) unstable; urgency=low + + * new upstream release. + + [sean finney] + * (NEEDS TESTING) move away from cdbs for my own sanity. + * add build-dependency on dpatch. + * no longer create nrpe_local.cfg. no reason to have it. + * remove postinst script for nagios-nrpe-server, as all it + did was touch the previously mentioned file. + * upstream has incorporated the following patches: + - 02_global-cmd-prefix.dpatch + - 03_nrpe-trailing-whitespace.dpatch + * check_nrpe -h provides what "-a" does, but i've gone ahead and + added a comment in check_nrpe.cfg too, because it can't hurt + to do so :) (closes: #351714). + * no longer generate the nagios-nrpe-doc package, and move copies of + the documentation into the plugin and server packages. add a + Conflicts: nagios-nrpe-doc to the remaining packages to ensure + that the stale package doesn't remain. NEWS.Debian also mentions + this and instructs the admin to purge the package too. + + -- sean finney <seanius@debian.org> Tue, 24 Jan 2006 18:16:54 +0100 + +nagios-nrpe (2.2-1) unstable; urgency=low + + * new upstream release. + + [sean finney] + * debian packaging source repository is now migrated to svn. + * updated 01_nodevrandom-and-docoptions.dpatch and + 02_global-cmd-prefix.dpatch to apply against the latest + upstream version. + * nrpe.cfg has moved location in the upstream tarball. + * introduced 03_nrpe-trailing-whitespace.dpatch to fix regression + in config file parsing until upstream incorporates it. + + -- sean finney <seanius@debian.org> Tue, 24 Jan 2006 17:52:54 +0100 + +nagios-nrpe (2.0-9) unstable; urgency=low + + * Sean Finney: + - nagios-nrpe has now joined forces with the debian pkg-nagios + project, updated Maintainer and Uploaders field accordingly. + - provide check_nrpe_1arg command definition so that one can call + check_nrpe both with and without arguments to the cmds + (closes: #248424). + - changed nagios-nrpe-server's Recommends on nagios-plugins to reflect + the upcoming new nagios-plugins layout. + - changed nagios-nrpe-plugin's Depends on nagios to a Recommends. + - building issues seem to be resolved on arm now (closes: #259442). + - updated Standards-Version to 3.6.2 + - included patch from joerg and weasel to document some cmdline options + and provide a better alternative to reading a random byte from + /dev/random (closes: #333552). + - included "global command prefix" patch from joerg jaspert + (closes: #332253). + + -- sean finney <seanius@debian.org> Tue, 25 Oct 2005 10:04:59 -0400 + +nagios-nrpe (2.0-8) unstable; urgency=low + + * debian/control: change depends on nagios-plugins, to recommends. + (closes: #327199) + + -- Jason Thomas <jason@debian.org> Mon, 10 Oct 2005 08:07:57 +1000 + +nagios-nrpe (2.0-7) unstable; urgency=high + + * The previous upload fixes a bug that breaks the install of this package so + this is a new upload with a high urgency to try and get it into sarge. + + -- Jason Thomas <jason@debian.org> Thu, 19 Aug 2004 22:47:40 +1000 + +nagios-nrpe (2.0-6) unstable; urgency=low + + * nagios plugin config dir changed to etc/nagios-plugins/configs/ + (closes: #266826) + + -- Jason Thomas <jason@debian.org> Thu, 19 Aug 2004 21:17:28 +1000 + +nagios-nrpe (2.0-5) unstable; urgency=low + + * debian/nagios-nrpe-server.preinst: added code to create nagios user and + group. + (closes: #248995, #241168) + + -- Jason Thomas <jason@debian.org> Sat, 15 May 2004 12:02:35 +1000 + +nagios-nrpe (2.0-4) unstable; urgency=low + + * debian/nagios-nrpe-server.init.d: added missing -d to restart. + (closes: #248797) + * debian/nrpe.1: renamed to nrpe.8 + * debian/nagios-nrpe-server.manpages: changed nrpe.1 to nrpe.8 + * debian/dirs: deleted it as its not needed. + + -- Jason Thomas <jason@debian.org> Fri, 14 May 2004 14:05:03 +1000 + +nagios-nrpe (2.0-3) unstable; urgency=low + + * debian/nagios-nrpe-server.init.d: added --oknodo to stop commands which + will make upgrades and purges clean. + + -- Jason Thomas <jason@debian.org> Wed, 24 Mar 2004 13:09:00 +1100 + +nagios-nrpe (2.0-2) unstable; urgency=low + + * debian/control: added build-depends cdbs + (closes: #230943) + * debian/control: nagios-nrpe-server now conflicts netsaint-nrpe-server + (closes: #230303) + + -- Jason Thomas <jason@debian.org> Wed, 11 Feb 2004 09:27:01 +1100 + +nagios-nrpe (2.0-1) unstable; urgency=low + + * Initial Release. + (closes: #209124) + + -- Jason Thomas <jason@debian.org> Wed, 14 Jan 2004 16:13:36 +1100 diff --git a/debian/check_nrpe.cfg b/debian/check_nrpe.cfg new file mode 100644 index 0000000..2b71c31 --- /dev/null +++ b/debian/check_nrpe.cfg @@ -0,0 +1,11 @@ +# this command runs a program $ARG1$ with no arguments and enables SSL support +define command { + command_name check_nrpe + command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ +} + +# this command runs a program $ARG1$ with no arguments and disables SSL support +define command { + command_name check_nrpe_nossl + command_line /usr/lib/nagios/plugins/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ -n +} diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..f72262c --- /dev/null +++ b/debian/control @@ -0,0 +1,46 @@ +Source: nagios-nrpe +Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org> +Uploaders: Bas Couwenberg <sebastic@debian.org> +Section: net +Priority: optional +Build-Depends: debhelper-compat (= 12), + libssl-dev, + libwrap0-dev, + openssl +Standards-Version: 4.6.1 +Vcs-Browser: https://salsa.debian.org/nagios-team/nrpe +Vcs-Git: https://salsa.debian.org/nagios-team/nrpe.git +Homepage: https://github.com/NagiosEnterprises/nrpe + +Package: nagios-nrpe-server +Architecture: any +Depends: lsb-base, + ${shlibs:Depends}, + ${misc:Depends} +Recommends: monitoring-plugins-basic | monitoring-plugins +Suggests: xinetd | inetd +Pre-Depends: adduser, + ${misc:Pre-Depends} +Conflicts: nagios-nrpe-doc +Description: Nagios Remote Plugin Executor Server + Nagios is a host/service/network monitoring and management system. + . + The purpose of this addon is to allow you to execute Nagios plugins on a + remote host in as transparent a manner as possible. + . + This program runs as a background process on the remote host and processes + command execution requests from the check_nrpe plugin on the Nagios host. + +Package: nagios-nrpe-plugin +Architecture: any +Depends: ${shlibs:Depends}, + ${misc:Depends} +Conflicts: nagios-nrpe-doc +Description: Nagios Remote Plugin Executor Plugin + Nagios is a host/service/network monitoring and management system. + . + The purpose of this addon is to allow you to execute Nagios plugins on a + remote host in as transparent a manner as possible. + . + This is a plugin that is run on the Nagios host and is used to contact the + NRPE process on remote hosts. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..e1cb223 --- /dev/null +++ b/debian/copyright @@ -0,0 +1,79 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: NRPE +Upstream-Contact: Nagios Users List <nagios-users@lists.nagios.com> +Source: https://github.com/NagiosEnterprises/nrpe + +Files: * +Copyright: 2006-2017, Nagios Enterprises + 2016, Nagios Core Development Team + 1999-2008, Ethan Galstad (nagios@nagios.org) +License: GPL-2+ with OpenSSL exception + +Files: include/acl.h + src/acl.c +Copyright: 2011, Kaspersky Lab ZAO +License: GPL-2+ + +Files: src/snprintf.c +Copyright: Patrick Powell 1995 +License: attribution + This code is based on code written by Patrick Powell (papowell@astart.com) + It may be used for any purpose as long as this notice remains intact + on all source code distributions + +Files: debian/* +Copyright: 2004, Jason Thomas <jason@debian.org> +License: GPL-2+ + +License: GPL-2+ + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + . + On Debian systems, the complete text of version 2 of the GNU General + Public License can be found in `/usr/share/common-licenses/GPL-2'. + +License: GPL-2+ with OpenSSL exception + This program is free software; you can redistribute it + and/or modify it under the terms of the GNU General Public + License as published by the Free Software Foundation; either + version 2 of the License, or (at your option) any later + version. + . + In addition, as a special exception, the author of this + program gives permission to link the code of its + release with the OpenSSL project's "OpenSSL" library (or + with modified versions of it that use the same license as + the "OpenSSL" library), and distribute the linked + executables. You must obey the GNU General Public + License in all respects for all of the code used other + than "OpenSSL". If you modify this file, you may extend + this exception to your version of the file, but you are + not obligated to do so. If you do not wish to do so, + delete this exception statement from your version. + . + This program is distributed in the hope that it will be + useful, but WITHOUT ANY WARRANTY; without even the implied + warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + PURPOSE. See the GNU General Public License for more + details. + . + You should have received a copy of the GNU General Public + License along with this package; if not, write to the Free + Software Foundation, Inc., 51 Franklin St, Fifth Floor, + Boston, MA 02110-1301 USA + . + On Debian systems, the full text of the GNU General Public + License version 2 can be found in the file + `/usr/share/common-licenses/GPL-2'. + diff --git a/debian/dirs b/debian/dirs new file mode 100644 index 0000000..91d0516 --- /dev/null +++ b/debian/dirs @@ -0,0 +1 @@ +/etc/nagios/nrpe.d diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000..e3daba6 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,19 @@ +[DEFAULT] + +# The default name for the upstream branch is "upstream". +# Change it if the name is different (for instance, "master"). +upstream-branch = upstream + +# The default name for the Debian branch is "master". +# Change it if the name is different (for instance, "debian/unstable"). +debian-branch = master + +# git-import-orig uses the following names for the upstream tags. +# Change the value if you are not using git-import-orig +upstream-tag = upstream/%(version)s + +# Always use pristine-tar. +pristine-tar = True + +[buildpackage] +pbuilder-options = --source-only-changes diff --git a/debian/nagios-nrpe-plugin.install b/debian/nagios-nrpe-plugin.install new file mode 100644 index 0000000..3afb517 --- /dev/null +++ b/debian/nagios-nrpe-plugin.install @@ -0,0 +1,2 @@ +src/check_nrpe usr/lib/nagios/plugins/ +debian/check_nrpe.cfg etc/nagios-plugins/config/ diff --git a/debian/nagios-nrpe-plugin.postrm b/debian/nagios-nrpe-plugin.postrm new file mode 100644 index 0000000..a77d21a --- /dev/null +++ b/debian/nagios-nrpe-plugin.postrm @@ -0,0 +1,9 @@ +#!/bin/sh +set -e + +if [ "$1" = purge ]; then + test -d /var/lib/nagios && rmdir /var/lib/nagios || true #ignore non-failure errors +fi + +#DEBHELPER# + diff --git a/debian/nagios-nrpe-server.default b/debian/nagios-nrpe-server.default new file mode 100644 index 0000000..828ef02 --- /dev/null +++ b/debian/nagios-nrpe-server.default @@ -0,0 +1,16 @@ +# defaults file for nagios-nrpe-server +# (this file is a /bin/sh compatible fragment) + +# NRPE_OPTS are any extra cmdline parameters you'd like to pass along to the +# nrpe daemon. +# +# The -n option disables SSL support. +#NRPE_OPTS="-n" + +# NICENESS is if you want to run the server at a different nice() priority. +# (only used by the init script) +#NICENESS=5 + +# INETD is if you want to run the server via inetd (default=0, run as daemon). +# (only used by the init script) +#INETD=0 diff --git a/debian/nagios-nrpe-server.doc-base b/debian/nagios-nrpe-server.doc-base new file mode 100644 index 0000000..a153da5 --- /dev/null +++ b/debian/nagios-nrpe-server.doc-base @@ -0,0 +1,6 @@ +Document: nagios-nrpe +Title: NRPE Documentation +Section: Network/Monitoring + +Format: PDF +Files: /usr/share/doc/nagios-nrpe-server/*.pdf.gz diff --git a/debian/nagios-nrpe-server.docs b/debian/nagios-nrpe-server.docs new file mode 100644 index 0000000..ec4a52e --- /dev/null +++ b/debian/nagios-nrpe-server.docs @@ -0,0 +1,5 @@ +LEGAL +README.md +README.SSL.md +SECURITY.md +docs/* diff --git a/debian/nagios-nrpe-server.init b/debian/nagios-nrpe-server.init new file mode 100644 index 0000000..ae16f2d --- /dev/null +++ b/debian/nagios-nrpe-server.init @@ -0,0 +1,85 @@ +#! /bin/sh +# + +### BEGIN INIT INFO +# Provides: nagios-nrpe-server +# Required-Start: $local_fs $remote_fs $syslog $named $network $time +# Required-Stop: $local_fs $remote_fs $syslog $named $network +# Should-Start: +# Should-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Start/Stop the Nagios remote plugin execution daemon +### END INIT INFO + + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin +DAEMON=/usr/sbin/nrpe +NAME=nagios-nrpe +DESC=nagios-nrpe +CONFIG=/etc/nagios/nrpe.cfg +PIDDIR=/run/nagios + +test -x $DAEMON || exit 0 + +if ! [ -x "/lib/lsb/init-functions" ]; then + . /lib/lsb/init-functions +else + echo "E: /lib/lsb/init-functions not found, lsb-base (>= 3.0-6) needed" + exit 1 +fi + +# Include nagios-nrpe defaults if available +if [ -f /etc/default/nagios-nrpe-server ] ; then + . /etc/default/nagios-nrpe-server +fi +# we also used to include this file, so if it's there +# we include it as well +if [ -f /etc/default/nagios-nrpe ]; then + . /etc/default/nagios-nrpe +fi +if [ "$NICENESS" ]; then NICENESS="-n $NICENESS"; fi + +#since /run can be wiped completly we create our run directory here +if [ ! -d "$PIDDIR" ]; then + mkdir "$PIDDIR" + chown nagios "$PIDDIR" + [ -x /sbin/restorecon ] && /sbin/restorecon "$PIDDIR" +fi + +set -e + +case "$1" in + start) + if [ "$INETD" = 1 ]; then + exit 0 + fi + log_daemon_msg "Starting $DESC" "$NAME" + start_daemon -p $PIDDIR/nrpe.pid $NICENESS $DAEMON -c $CONFIG -d $NRPE_OPTS + log_end_msg $? + ;; + stop) + log_daemon_msg "Stopping $DESC" "$NAME" + start-stop-daemon --stop --quiet --oknodo --pidfile $PIDDIR/nrpe.pid --retry 15 + log_end_msg $? + ;; + reload|force-reload) + log_daemon_msg "Reloading $DESC configuration files" "$NAME" + start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDDIR/nrpe.pid + log_end_msg $? + ;; + status) + status_of_proc -p $PIDDIR/nrpe.pid "$DAEMON" "$NAME" && exit 0 || exit $? + ;; + restart) + $0 stop + sleep 1 + $0 start + ;; + *) + log_failure_msg "Usage: $N {start|stop|restart|reload|force-reload}" + exit 1 + ;; +esac + +exit 0 diff --git a/debian/nagios-nrpe-server.install b/debian/nagios-nrpe-server.install new file mode 100644 index 0000000..5da03c3 --- /dev/null +++ b/debian/nagios-nrpe-server.install @@ -0,0 +1,3 @@ +src/nrpe usr/sbin +sample-config/nrpe.cfg etc/nagios +debian/nrpe_local.cfg etc/nagios diff --git a/debian/nagios-nrpe-server.manpages b/debian/nagios-nrpe-server.manpages new file mode 100644 index 0000000..d6530c4 --- /dev/null +++ b/debian/nagios-nrpe-server.manpages @@ -0,0 +1 @@ +debian/nrpe.8 diff --git a/debian/nagios-nrpe-server.preinst b/debian/nagios-nrpe-server.preinst new file mode 100644 index 0000000..d9b4fa2 --- /dev/null +++ b/debian/nagios-nrpe-server.preinst @@ -0,0 +1,55 @@ +#! /bin/sh +# preinst script for nagios-nrpe-server +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * <new-preinst> `install' +# * <new-preinst> `install' <old-version> +# * <new-preinst> `upgrade' <old-version> +# * <old-preinst> `abort-upgrade' <new-version> +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + + +case "$1" in + install|upgrade) + if id nagios >/dev/null 2>&1 ; then + # We have a nagios user. + if [ `id nagios -g -n` != "nagios" ] ; then + addgroup --system nagios || true + #this can fail sometimes (i.e. with LDAP) so ignore it + usermod -g nagios nagios || true + fi + else + adduser --system --group --home /var/lib/nagios --quiet nagios + fi + +# if [ "$1" = "upgrade" ] +# then +# start-stop-daemon --stop --quiet --oknodo \ +# --pidfile /var/run/bud.pid \ +# --exec /usr/sbin/bud 2>/dev/null || true +# fi + ;; + + abort-upgrade) + ;; + + *) + echo "preinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + + diff --git a/debian/nagios-nrpe-server.service b/debian/nagios-nrpe-server.service new file mode 100644 index 0000000..4b5ae6a --- /dev/null +++ b/debian/nagios-nrpe-server.service @@ -0,0 +1,23 @@ +[Unit] +Description=Nagios Remote Plugin Executor +Documentation=http://www.nagios.org/documentation +After=var-run.mount nss-lookup.target network.target local-fs.target remote-fs.target time-sync.target +Before=getty@tty1.service plymouth-quit.service xdm.service +Conflicts=nrpe.socket + +[Install] +WantedBy=multi-user.target + +[Service] +Type=simple +Restart=on-abort +PIDFile=/run/nagios/nrpe.pid +EnvironmentFile=-/etc/default/nagios-nrpe-server +ExecStart=/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -f $NRPE_OPTS +ExecReload=/bin/kill -HUP $MAINPID +ExecStopPost=/bin/rm -f /run/nagios/nrpe.pid +TimeoutStopSec=60 +User=nagios +Group=nagios +PrivateTmp=true +OOMScoreAdjust=-500 diff --git a/debian/nagios-nrpe-server.tmpfile b/debian/nagios-nrpe-server.tmpfile new file mode 100644 index 0000000..5a24552 --- /dev/null +++ b/debian/nagios-nrpe-server.tmpfile @@ -0,0 +1,2 @@ +#Type Path Mode UID GID Age Argument +d /run/nagios 0755 nagios nagios - - diff --git a/debian/nrpe.8 b/debian/nrpe.8 new file mode 100644 index 0000000..67e280c --- /dev/null +++ b/debian/nrpe.8 @@ -0,0 +1,60 @@ +.\" Hey, EMACS: -*- nroff -*- +.\" First parameter, NAME, should be all caps +.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection +.\" other parameters are allowed: see man(7), man(1) +.TH NAGIOS-NRPE 8 "January 14, 2004" +.\" Please adjust this date whenever revising the manpage. +.\" +.\" Some roff macros, for reference: +.\" .nh disable hyphenation +.\" .hy enable hyphenation +.\" .ad l left justify +.\" .ad b justify to both left and right margins +.\" .nf disable filling +.\" .fi enable filling +.\" .br insert line break +.\" .sp <n> insert n+1 empty lines +.\" for manpage-specific macros, see man(7) +.SH NAME +nrpe \- Nagios Remote Plugin Executor - Server +.SH SYNOPSIS +.B nagios-nrpe +\fI[-n] -c <config_file> [-4|-6] <mode>\fR +.SH DESCRIPTION +.PP +The purpose of this addon is to allow you to execute Nagios plugins on a +remote host in as transparent a manner as possible. +.PP +This program runs as a background process on the remote host and processes +command execution requests from the check_nrpe plugin on the Nagios host. +.SH OPTIONS +.TP +\fB\-n\fR = Do not use SSL +.TP +\fB\-c\fR <config_file> = Name of config file to use +.TP +\fB\-4\fR = Use IPv4 only +.TP +\fB\-6\fR = Use IPv6 only +.TP +<mode> = One of the following two operating modes: +.TP + \fB\-i\fR = Run as a service under inetd or xinetd +.TP + \fB\-d\fR = Run as a standalone daemon +.TP + \fB\-d \-s\fR = Run as a subsystem under AIX +.TP + \fB\-f\fR = Don't fork() for systemd, launchd, etc. +.PP +Notes: +This program is designed to process requests from the check_nrpe +plugin on the host(s) running Nagios. It can run as a service +under inetd or xinetd (read the docs for info on this), or as a +standalone daemon. Once a request is received from an authorized +host, NRPE will execute the command/plugin (as defined in the +config file) and return the plugin output and return code to the +check_nrpe plugin. +.SH AUTHOR +This manual page was written by Jason Thomas <jason@debian.org>, +for the Debian project (but may be used by others). diff --git a/debian/nrpe_local.cfg b/debian/nrpe_local.cfg new file mode 100644 index 0000000..9660438 --- /dev/null +++ b/debian/nrpe_local.cfg @@ -0,0 +1,3 @@ +###################################### +# Do any local nrpe configuration here +###################################### diff --git a/debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch b/debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch new file mode 100644 index 0000000..198954b --- /dev/null +++ b/debian/patches/02_nrpe.cfg_local-include_support_nrpe.d.patch @@ -0,0 +1,27 @@ +Description: Support nrpe_local.cfg & nrpe.d directory. +Author: Sean Finney <seanius@debian.org> +Author: Alexander Wirt <formorer@debian.org> +Forwarded: not-needed + +--- a/sample-config/nrpe.cfg.in ++++ b/sample-config/nrpe.cfg.in +@@ -362,6 +362,19 @@ command[check_total_procs]=@pluginsdir@/ + #include_dir=<somedirectory> + #include_dir=<someotherdirectory> + ++ ++ ++# local configuration: ++# if you'd prefer, you can instead place directives here ++ ++include=/etc/nagios/nrpe_local.cfg ++ ++# you can place your config snipplets into nrpe.d/ ++# only snipplets ending in .cfg will get included ++ ++include_dir=/etc/nagios/nrpe.d/ ++ ++ + # KEEP ENVIRONMENT VARIABLES + # This directive allows you to retain specific variables from the environment + # when starting the NRPE daemon. diff --git a/debian/patches/07_warn_ssloption.patch b/debian/patches/07_warn_ssloption.patch new file mode 100644 index 0000000..a6f9686 --- /dev/null +++ b/debian/patches/07_warn_ssloption.patch @@ -0,0 +1,28 @@ +Description: Warn against inadequateness of NRPE's own SSL option. +Author: Thijs Kinkhorst <thijs@debian.org> +Forwarded: not-needed + +--- a/SECURITY.md ++++ b/SECURITY.md +@@ -91,14 +91,17 @@ Encryption + ---------- + + If you do enable support for command arguments in the NRPE daemon, +-make sure that you encrypt communications either by using: +- +- 1. Stunnel (see http://www.stunnel.org for more info) +- 2. Native SSL support (See the [SSL Readme](README.SSL.md) file for more info) ++make sure that you encrypt communications by using, for example, ++Stunnel (see http://www.stunnel.org for more info). + + Do **NOT** assume that just because the daemon is behind a firewall + that you are safe! ***Always encrypt NRPE traffic!*** + ++NOTE: the currently shipped native SSL support of NRPE is not an ++adequante protection, because it does not verify clients and ++server, and uses pregenerated key material. NRPE's SSL option is ++advised against. For more information, see Debian bug #547092. ++ + + Using Arguments + --------------- diff --git a/debian/patches/11_reproducible_dh.h.patch b/debian/patches/11_reproducible_dh.h.patch new file mode 100644 index 0000000..523c8d1 --- /dev/null +++ b/debian/patches/11_reproducible_dh.h.patch @@ -0,0 +1,70 @@ +Description: Use pre-generated dh.h for reproducible builds. +Author: Bas Couwenberg <sebastic@debian.org> +Bug-Debian: https://bugs.debian.org/834857 +Forwarded: not-needed + +--- /dev/null ++++ b/include/dh.h +@@ -0,0 +1,36 @@ ++DH *get_dh2048() ++{ ++ static unsigned char dh2048_p[]={ ++ 0x80,0xCF,0xFC,0xB3,0xBC,0xDD,0x17,0x11,0x00,0xFF,0x73,0x97,0x51,0x64,0xB9, ++ 0x32,0xB9,0x5E,0x91,0x42,0x11,0x31,0x6F,0xC4,0x3B,0x8A,0x80,0x87,0x08,0x3B, ++ 0x8A,0x5B,0x04,0x18,0xFA,0xEF,0x75,0xA5,0x13,0xF3,0xD6,0x3C,0x64,0x0C,0x36, ++ 0x50,0xEC,0x25,0xA1,0xCF,0x0D,0x24,0xD0,0x99,0x87,0x1C,0x3C,0x2C,0x75,0x87, ++ 0x7A,0x9F,0x21,0xEA,0x43,0x34,0x54,0x96,0xD1,0x68,0xEF,0xD2,0xC4,0xBF,0x21, ++ 0xBA,0x48,0x05,0xC8,0x3D,0x97,0xEA,0x04,0x12,0xF9,0xAC,0xE2,0xFD,0x4C,0xFE, ++ 0xF8,0x4C,0x43,0x8D,0x61,0xE5,0x0D,0xDB,0xAF,0x51,0xEF,0x17,0xA3,0x3D,0xDD, ++ 0x26,0x27,0xA8,0x90,0x12,0x99,0x83,0xC2,0x68,0xEC,0xA1,0xEC,0xFF,0x06,0x3A, ++ 0x34,0x0A,0x3C,0x59,0xF2,0xED,0x23,0x4B,0x98,0xC9,0xBC,0x9E,0x37,0xF7,0xD0, ++ 0x1A,0x9F,0x39,0x2D,0xF4,0xC1,0x4D,0x19,0xE2,0x81,0xA8,0xF6,0xBD,0xBA,0x23, ++ 0x6A,0x58,0x7A,0xBC,0x8A,0x9C,0xB7,0x4F,0x27,0xD1,0x34,0xE9,0xEC,0x03,0xDE, ++ 0xC4,0x22,0xF0,0x7F,0x56,0x8E,0x93,0xD1,0xB5,0xA6,0x9B,0x87,0x8A,0xE9,0xC4, ++ 0xDF,0x79,0xEC,0xC8,0xAA,0x17,0xDE,0x3E,0x15,0x63,0x35,0x99,0x88,0xA1,0xCA, ++ 0xE2,0xC5,0x70,0x4F,0x73,0x0A,0x41,0xFC,0xF5,0x8F,0xF8,0x5B,0x52,0x06,0x58, ++ 0x33,0x39,0xDA,0x59,0x68,0x1F,0x06,0xCE,0xD6,0xBA,0x98,0xD7,0x45,0xD9,0x22, ++ 0x35,0x81,0x35,0x40,0x03,0xF0,0xEB,0xA6,0xE3,0x6B,0x56,0x13,0x7E,0xCA,0xD3, ++ 0x55,0x7E,0x0E,0xCE,0x24,0xF6,0xEB,0xDB,0x83,0x64,0x23,0x89,0x1C,0xC0,0xEA, ++ 0xAF, ++ }; ++ static unsigned char dh2048_g[]={ ++ 0x02, ++ }; ++ DH *dh; ++ ++ if ((dh=DH_new()) == NULL) return(NULL); ++ BIGNUM *p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); ++ BIGNUM *g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); ++ if ((p == NULL) || (g == NULL)) ++ { DH_free(dh); return(NULL); } ++ int result = DH_set0_pqg(dh, p, NULL, g); ++ if (result == 0) { DH_free(dh); return(NULL); } ++ return(dh); ++} +--- a/macros/ax_nagios_get_ssl ++++ b/macros/ax_nagios_get_ssl +@@ -290,23 +290,11 @@ if test x$SSL_TYPE != xNONE; then + if test x$need_dh = xyes; then + AC_PATH_PROG(sslbin,openssl,value-if-not-found,$ssl_dir/sbin$PATH_SEPARATOR$ssl_dir/bin$PATH_SEPARATOR$PATH) + AC_DEFINE(USE_SSL_DH) +- # Generate DH parameters + if test -f "$sslbin"; then +- echo "" +- echo "*** Generating DH Parameters for SSL/TLS ***" +- # OpenSSL 3 removes dhparam -C +- # check version and use our own parser if needed + nagios_ssl_major_version=`$sslbin version | cut -d' ' -f2 | cut -d. -f1` + +- test -d include || mkdir include + if test "x$nagios_ssl_major_version" = "x3"; then + AC_DEFINE_UNQUOTED(OPENSSL_V3,[1],[Have OpenSSL v3]) +- test -d src || mkdir src +- $CC ${srcdir}/src/print_c_code.c -o src/print_c_code +- $sslbin dhparam -text 2048 | ./src/print_c_code > include/dh.h +- else +- # awk to strip off meta data at bottom of dhparam output +- $sslbin dhparam -C 2048 | awk '/^-----/ {exit} {print}' > include/dh.h + fi + fi + fi diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..15e2844 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,3 @@ +02_nrpe.cfg_local-include_support_nrpe.d.patch +07_warn_ssloption.patch +11_reproducible_dh.h.patch diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..8eacd6e --- /dev/null +++ b/debian/rules @@ -0,0 +1,31 @@ +#!/usr/bin/make -f + +# newer dpkg set this by default. +DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) + +# Enable hardening build flags +export DEB_BUILD_MAINT_OPTIONS=hardening=+all + +CFLAGS += $(CPPFLAGS) + +export AUTOHEADER=true + +%: + dh $@ + +override_dh_auto_configure: + dh_auto_configure -- \ + --prefix=/usr \ + --sysconfdir=/etc \ + --libdir=/usr/lib/nagios \ + --libexecdir=/usr/lib/nagios/plugins \ + --localstatedir=/var \ + --enable-ssl \ + --with-logdir=/var/log \ + --with-ssl-lib=/usr/lib/$(DEB_HOST_MULTIARCH) \ + --with-piddir=/run/nagios + +override_dh_auto_build: + dh_auto_build -- all + +override_dh_auto_install: diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/debian/upstream/metadata b/debian/upstream/metadata new file mode 100644 index 0000000..c5c326d --- /dev/null +++ b/debian/upstream/metadata @@ -0,0 +1,5 @@ +--- +Bug-Database: https://github.com/NagiosEnterprises/nrpe/issues +Bug-Submit: https://github.com/NagiosEnterprises/nrpe/issues/new +Repository: https://github.com/NagiosEnterprises/nrpe.git +Repository-Browse: https://github.com/NagiosEnterprises/nrpe diff --git a/debian/watch b/debian/watch new file mode 100644 index 0000000..9c73a06 --- /dev/null +++ b/debian/watch @@ -0,0 +1,7 @@ +version=4 +opts=\ +dversionmangle=s/\+(debian|dfsg|ds|deb)\d*$//,\ +uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/;s/RC/rc/;s/-/./g,\ +filenamemangle=s/(?:.*?)?(?:rel|v|nrpe)?[\-\_]?(\d\S+)\.(tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz)))/nrpe-$1.$2/ \ +https://github.com/NagiosEnterprises/nrpe/tags \ +(?:.*?/archive/(?:.*?/)?)?(?:rel|v|nrpe)?[\-\_]?(\d\S+)\.(?:tgz|tbz|txz|(?:tar\.(?:gz|bz2|xz))) |