[Check_mk (english)] Check_MK Linux Agent

Mathias Kettner mk at mathias-kettner.de
Sat Dec 12 21:41:24 CET 2009


Hi Nitesh,

I'll never write a check_mk-standalone daemon for Linux/UNIX,
since:

* That would do exactly the same as (x)inetd (maybe
   a bit less flexible)
* (x)inetd would surely be safer since it has been debugged
   for about 30 years, I guess.

NRPE is much more insecure than check_mk + inetd.
It does read data from the network and is thus
exposed to buffer overflows.

NRPE uses only IP-address based access control,
which is not worth much.

If you allow NRPE to use arguments, everybody
can very easily execute arbitrary commands on
your target hosts. Please just try a $(touch /tmp/test)
in one of your arguments.

NRPE uses SSL, but it does not verify certificates,
so no authentication is done. Encryption is done,
but since only IP-address based access control is
used, everybody can retrieve the data anyway.

If you need really secure access to the agent,
the most secure I know is using check_mk + SSH
with command restriction (see official docu of
check_mk). That way:

* you have strong encryption
* you have a really strong access control
* the agent secures itself against Nagios

Greetings,

Mathias


Nitesh Patel wrote:
> Hello All,
>
> Does the Check_MK Linux agent work without xinetd or inetd?
>
> If so, does anyone have any instructions?
>
> I’ll have to install nrpe if not :(
>
> Regards,
>
> Nitesh Patel


-- 
                        __  __ _  __
Mathias Kettner       |  \/  | |/ /   M A T H I A S   K E T T N E R
Preysingstr. 74       | |\/| | ' /
81667 München         | |  | | . \        Linux Beratung & Schulung
089 / 444 09 662      |_|  |_|_|\_\       http://mathias-kettner.de
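
Added example, not part of the original mail and not code from check_mk or NRPE: a small audit for the NRPE argument risk described in the message above. It reads an `nrpe.cfg` and reports whether argument passing is switched on (`dont_blame_nrpe=1`) and which command definitions take `$ARGn$` macros; the sample config, host addresses and plugin paths are constructed.

```python
import re

# Constructed sample nrpe.cfg for illustration; not taken from a real host.
SAMPLE_NRPE_CFG = """\
# constructed example
allowed_hosts=127.0.0.1,192.0.2.10
dont_blame_nrpe=1
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
command[check_procs]=/usr/lib/nagios/plugins/check_procs -C $ARG1$
"""

COMMAND_RE = re.compile(r"^command\[([^\]]+)\]$")
ARG_MACRO_RE = re.compile(r"\$ARG\d+\$")


def audit_nrpe_config(text):
    """Summarise argument passing and access control in an nrpe.cfg."""
    args_enabled = False
    allowed_hosts = []
    arg_commands = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "dont_blame_nrpe":
            args_enabled = value == "1"
        elif key == "allowed_hosts":
            allowed_hosts = [h.strip() for h in value.split(",") if h.strip()]
        else:
            match = COMMAND_RE.match(key)
            macros = sorted(set(ARG_MACRO_RE.findall(value)))
            if match and macros:
                arg_commands[match.group(1)] = macros
    return {
        "args_enabled": args_enabled,
        "allowed_hosts": allowed_hosts,  # the only access control in place
        "arg_commands": arg_commands,
        # A command is exposed only if the daemon accepts client arguments
        # and its definition substitutes them into the command line.
        "exposed": sorted(arg_commands) if args_enabled else [],
    }


if __name__ == "__main__":
    report = audit_nrpe_config(SAMPLE_NRPE_CFG)
    print("client arguments accepted:", report["args_enabled"])
    print("allowed_hosts:", ", ".join(report["allowed_hosts"]))
    for name in report["exposed"]:
        print("takes client arguments:", name, report["arg_commands"][name])
```

Any command listed as exposed should be rewritten with fixed thresholds in the definition, after which `dont_blame_nrpe` can be set back to `0`.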

