summaryrefslogtreecommitdiffstats
path: root/SECURITY.md
diff options
context:
space:
mode:
Diffstat (limited to 'SECURITY.md')
-rw-r--r--SECURITY.md123
1 files changed, 123 insertions, 0 deletions
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..7173f27
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,123 @@
+NRPE SECURITY README
+====================
+
+TCP Wrapper Support
+-------------------
+
+NRPE 2.x includes native support for TCP wrappers. Once you
+compile NRPE you can check to see if it has wrapper support
+built in by running the daemon from the command line without
+any arguments like this:
+
+ ./nrpe --help
+
+
+Command Arguments
+-----------------
+
+NRPE 2.0 includes the ability for clients to supply arguments to
+commands which should be run. Please note that this feature
+should be considered a security risk, and you should only use
+it if you know what you're doing!
+
+
+Bash Command Substitution
+-------------------------
+
+Even with the metacharacter restrictions below, if command arguments
+are enabled, it is still possible to send bash command substitutions
+in the form `$(...)` as an argument. This is explicitly disabled by
+default, but can be enabled by a configure-time option and a
+configuration file option. Enabling this option is **VERY RISKY**
+and its use is **HIGHLY DISCOURAGED**.
+
+
+Enabling Arguments
+------------------
+
+To enable support for command argument in the daemon, you must
+do two things:
+
+ 1. Run the configure script with the `--enable-command-args`
+ option
+
+ 2. Set the `dont_blame_nrpe` directive in the NRPE config
+ file to `1`.
+
+
+Enabling Bash Command Substitution
+----------------------------------
+
+To enable support for arguments containing bash command substitutions,
+you must do two things:
+
+ 1. Enable arguments as described above
+
+ 2. Include the `--enable-bash-command-substitution` configure
+ option when running the configure script
+
+ 3. Set the `allow_bash_command_substitutions` directive in the
+ NRPE config file to `1`.
+
+
+Nasty Metacharacters
+--------------------
+
+To help prevent some nasty things from being done by evil
+clients, the following metacharacters are not allowed
+in client command arguments:
+
+ | ` & > < ' \ [ ] { } ; ! \r \n
+
+You can override these defaults by adjusting the `nasty_metachars`
+flag in the config file.
+
+Any client request which contains the above mentioned metachars
+is discarded.
+
+
+User/Group Restrictions
+-----------------------
+
+The NRPE daemon cannot be run with (effective) root user/group
+privileges. You must run the daemon with an account that does
+not have superuser rights. Use the `--with-nrpe-user` and
+`--with-nrpe-group` flags during `./configure`, or the `nrpe_user`
+and `nrpe_group` config file options to specify which user/group
+the daemon should run as.
+
+
+Encryption
+----------
+
+If you do enable support for command arguments in the NRPE daemon,
+make sure that you encrypt communications either by using:
+
+ 1. Stunnel (see http://www.stunnel.org for more info)
+ 2. Native SSL support (See the [SSL Readme](README.SSL.md) file for more info)
+
+Do **NOT** assume that just because the daemon is behind a firewall
+that you are safe! ***Always encrypt NRPE traffic!***
+
+
+Using Arguments
+---------------
+
+How do you use command arguments? Well, lets say you define a
+command in the NRPE config file that looks like this:
+
+ command[check_users]=/usr/local/nagios/libexec/check_users -w $ARG1$ -c $ARG2$
+
+You could then call the check_nrpe plugin like this:
+
+ ./check_nrpe -H <host> -c check_users -a 5 10
+
+The arguments '5' and '10' get substituted into the appropriate
+`$ARGx$` macros in the command (`$ARG1$` and `$ARG2$`, respectively).
+The command that would be executed by the NRPE daemon would look
+like this:
+
+ /usr/local/nagios/libexec/check_users -w 5 -c 10
+
+You can supply up to 16 arguments to be passed to the command
+for substitution in `$ARG$` macros (`$ARG1$` - `$ARG16$`).