LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 08-06-2016, 03:24 AM   #1
aagaag
Member
 
Registered: Aug 2014
Posts: 40

Rep: Reputation: Disabled
asterisk nagios plugin: permissions issue


I have a permission issue that is driving me crazy. I am trying to monitor asterisk on an arch linux virtual machine, using the plugin "check_asterisk_peers". I have installed NRPE (the Nagios remote agent). The relevant section of nrpe.cfg is:

Code:
command[check_users]=/usr/lib/monitoring-plugins/check_users -w 5 -c 10
command[check_asterisk_peers]=/usr/lib/monitoring-plugins/check_asterisk_peers -p monika_gigaset
Here is what I am getting:
Code:
aag ~ $ /usr/lib/monitoring-plugins/check_nrpe -H 10.10.10.10 -c check_users
USERS OK - 2 users currently logged in |users=2;5;10;0
Now, this tells me that the NRPE is working all right, and all permissions are set correctly.

If I simply run the plugin (without invoking check_nrpe) I get:
Code:
aag ~ $ /usr/lib/monitoring-plugins/check_asterisk_peers -p monika_gigaset
CRITICAL: Unable to connect to remote asterisk (does /var/run/asterisk/asterisk.ctl exist?)
however if I run it with sudo it works fine, telling me that the plugin does not have sufficient privileges:
Code:
aag ~ $ sudo /usr/lib/monitoring-plugins/check_asterisk_peers -p monika_gigaset
 OK: monika_gigaset
If I however run the asterisk plugin, I get:
Code:
aag ~ $ /usr/lib/monitoring-plugins/check_nrpe -H 10.10.10.10 -c check_asterisk_peers
CRITICAL: Unable to connect to remote asterisk (does /var/run/asterisk/asterisk.ctl exist?)
same thing if I run it with sudo:
Code:
aag ~ $ sudo /usr/lib/monitoring-plugins/check_nrpe -H 10.10.10.10 -c check_asterisk_peers
CRITICAL: Unable to connect to remote asterisk (does /var/run/asterisk/asterisk.ctl exist?)
I am certain that the issue is one of permissions, but I cannot wrap my head around it. The sudoers file (excerpt) reads like:

Code:
## User privilege specification
##
root ALL=(ALL) ALL
http ALL = NOPASSWD: /usr/sbin/asterisk -rx database *
# Allows running a script as root with any arguments
# THIS COULD BE DANGEROUS AND IS _NOT_ RECOMMENDED
nrpe ALL=(ALL) NOPASSWD: /usr/sbin/service,/usr/lib/monitoring-plugins/check_asterisk_peers
asterisk ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL
%admins ALL= (ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL
## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
Defaults targetpw  # Ask for the password of the target user
ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d
Any hint would be gratefully appreciated! My diagnosis is that the plugin "check_asterisk_peers" does not have the permission to contact asterisk (which runs as root), but I do not understand how I can grant the appropriate permissions to it.
 
Old 08-07-2016, 09:51 AM   #2
24x7servermanagement
Member
 
Registered: Jul 2016
Location: India
Distribution: CentOS, Redhat, Ubuntu and Debian
Posts: 57

Rep: Reputation: Disabled
From the user you are running command does not seems to have enough permission, since sudo works pretty well for that user. Did you try to add permission for that user?

Also, some plugin may use nagios user to run some application. Try with giving permissions for nagios user as well.
 
Old 08-07-2016, 10:15 AM   #3
aagaag
Member
 
Registered: Aug 2014
Posts: 40

Original Poster
Rep: Reputation: Disabled
Thank you. You are right , it seems to be a sudo password issue. In the meantime, I have found the following:
if I instruct nrpe.cfg to prefix every command with sudo (directive: command_prefix=/usr/bin/sudo), none of the plugins work any more. The journalctl -xe shows:
Code:
Aug 07 16:05:09 asterisk sudo[24023]: pam_unix(sudo:auth): auth could not identify password for [root]
If I remove the directive and allow commands to be run as non-root, everything is fine (except for the check_asterisk_peers command which NEEDS to be run as root).

I deduce from the above that the problem is not related to any specific plugin, but rather to the inability of any plugin to run as root. Now, asterisk runs on an arch linux VM, the root account is enabled and has a defined password. What shall I do correct this issue? I guess that I need to tweak sudoers, but what exactly? Here is my sudoers:

Code:
# Reset environment by default
Defaults      env_reset

# Set default EDITOR to nano, and do not allow visudo to use EDITOR/VISUAL.
Defaults      editor=/usr/bin/nano, !env_editor
Defaults: nrpe !requiretty
Defaults:ALL timestamp_timeout=120

## User privilege specification
##
root ALL=(ALL) ALL
http ALL = NOPASSWD: /usr/sbin/asterisk -rx database *

nrpe ALL=(ALL) NOPASSWD: /usr/sbin/service,/usr/lib/monitoring-plugins
asterisk ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL
%admins ALL= (ALL) ALL

## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
Defaults targetpw  # Ask for the password of the target user
ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'

## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d
 
Old 08-07-2016, 11:59 AM   #4
MadeInGermany
Senior Member
 
Registered: Dec 2011
Location: Simplicity
Posts: 1,289

Rep: Reputation: 592Reputation: 592Reputation: 592Reputation: 592Reputation: 592Reputation: 592
If it runs with /usr/bin/sudo, then put the working command into the .cfg like this
Code:
command[check_asterisk_peers]=/usr/bin/sudo /usr/lib/monitoring-plugins/check_asterisk_peers -p monika_gigaset
Restart nrpe to reread its .cfg file.

Last edited by MadeInGermany; 08-07-2016 at 12:02 PM.
 
Old 08-08-2016, 04:52 PM   #5
24x7servermanagement
Member
 
Registered: Jul 2016
Location: India
Distribution: CentOS, Redhat, Ubuntu and Debian
Posts: 57

Rep: Reputation: Disabled
Try with

Code:
asterisk ALL=(ALL) NOPASSWD: ALL
After that test the command and if you are still facing the issue then check journalctl -xe

If you are still getting same error, then I suspect the issue may be with pam. Meanwhile, you can always use working command with /usr/bin/sudo
 
  


Reply

Tags
asterisk, nagios, nrpe, permissions


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Monitoring VMware withe Nagios (Can't locate Nagios/Plugin/Functions.pm) wael.elmasry Linux - Software 9 06-02-2014 12:18 PM
Monitoring VMware withe Nagios (Can't locate Nagios/Plugin/Functions.pm) wael.elmasry Linux - Software 1 05-19-2014 06:50 AM
[SOLVED] Nagios Asterisk active calls script issue kamran.ayub Linux - Server 4 02-21-2013 09:40 PM
check_asterisk - Asterisk SIP Channel Nagios Plugin aocferreira Linux - Server 1 05-21-2011 05:09 AM
How to monitor Asterisk using nagios aocferreira Linux - Networking 1 03-31-2011 12:30 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 09:04 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration