Old 08-06-2016, 02:24 AM   #1
aagaag
Member
 
Registered: Aug 2014
Posts: 42

Rep: Reputation: Disabled
asterisk nagios plugin: permissions issue


I have a permission issue that is driving me crazy. I am trying to monitor asterisk on an arch linux virtual machine, using the plugin "check_asterisk_peers". I have installed NRPE (the Nagios remote agent). The relevant section of nrpe.cfg is:

Code:
command[check_users]=/usr/lib/monitoring-plugins/check_users -w 5 -c 10
command[check_asterisk_peers]=/usr/lib/monitoring-plugins/check_asterisk_peers -p monika_gigaset
Here is what I am getting:
Code:
aag ~ $ /usr/lib/monitoring-plugins/check_nrpe -H 10.10.10.10 -c check_users
USERS OK - 2 users currently logged in |users=2;5;10;0
Now, this tells me that the NRPE is working all right, and all permissions are set correctly.

If I simply run the plugin (without invoking check_nrpe) I get:
Code:
aag ~ $ /usr/lib/monitoring-plugins/check_asterisk_peers -p monika_gigaset
CRITICAL: Unable to connect to remote asterisk (does /var/run/asterisk/asterisk.ctl exist?)
however if I run it with sudo it works fine, telling me that the plugin does not have sufficient privileges:
Code:
aag ~ $ sudo /usr/lib/monitoring-plugins/check_asterisk_peers -p monika_gigaset
 OK: monika_gigaset
If I however run the asterisk plugin, I get:
Code:
aag ~ $ /usr/lib/monitoring-plugins/check_nrpe -H 10.10.10.10 -c check_asterisk_peers
CRITICAL: Unable to connect to remote asterisk (does /var/run/asterisk/asterisk.ctl exist?)
same thing if I run it with sudo:
Code:
aag ~ $ sudo /usr/lib/monitoring-plugins/check_nrpe -H 10.10.10.10 -c check_asterisk_peers
CRITICAL: Unable to connect to remote asterisk (does /var/run/asterisk/asterisk.ctl exist?)
I am certain that the issue is one of permissions, but I cannot wrap my head around it. The sudoers file (excerpt) reads like:

Code:
## User privilege specification
##
root ALL=(ALL) ALL
http ALL = NOPASSWD: /usr/sbin/asterisk -rx database *
# Allows running a script as root with any arguments
# THIS COULD BE DANGEROUS AND IS _NOT_ RECOMMENDED
nrpe ALL=(ALL) NOPASSWD: /usr/sbin/service,/usr/lib/monitoring-plugins/check_asterisk_peers
asterisk ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL
%admins ALL= (ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL
## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
Defaults targetpw  # Ask for the password of the target user
ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d
Any hint would be gratefully appreciated! My diagnosis is that the plugin "check_asterisk_peers" does not have the permission to contact asterisk (which runs as root), but I do not understand how I can grant the appropriate permissions to it.
 
Old 08-07-2016, 08:51 AM   #2
24x7servermanagement
Member
 
Registered: Jul 2016
Location: India
Distribution: CentOS, Redhat, Ubuntu and Debian
Posts: 57

Rep: Reputation: Disabled
The user you are running the command as does not seem to have enough permission, since sudo works pretty well for that user. Did you try to add permission for that user?

Also, some plugins may use the nagios user to run some application. Try giving permissions to the nagios user as well.
 
Old 08-07-2016, 09:15 AM   #3
aagaag
Member
 
Registered: Aug 2014
Posts: 42

Original Poster
Rep: Reputation: Disabled
Thank you. You are right, it seems to be a sudo password issue. In the meantime, I have found the following:
if I instruct nrpe.cfg to prefix every command with sudo (directive: command_prefix=/usr/bin/sudo), none of the plugins work any more. The journalctl -xe shows:
Code:
Aug 07 16:05:09 asterisk sudo[24023]: pam_unix(sudo:auth): auth could not identify password for [root]
If I remove the directive and allow commands to be run as non-root, everything is fine (except for the check_asterisk_peers command which NEEDS to be run as root).

I deduce from the above that the problem is not related to any specific plugin, but rather to the inability of any plugin to run as root. Now, asterisk runs on an arch linux VM, the root account is enabled and has a defined password. What shall I do to correct this issue? I guess that I need to tweak sudoers, but what exactly? Here is my sudoers:

Code:
# Reset environment by default
Defaults      env_reset

# Set default EDITOR to nano, and do not allow visudo to use EDITOR/VISUAL.
Defaults      editor=/usr/bin/nano, !env_editor
Defaults: nrpe !requiretty
Defaults:ALL timestamp_timeout=120

## User privilege specification
##
root ALL=(ALL) ALL
http ALL = NOPASSWD: /usr/sbin/asterisk -rx database *

nrpe ALL=(ALL) NOPASSWD: /usr/sbin/service,/usr/lib/monitoring-plugins
asterisk ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL
%admins ALL= (ALL) ALL

## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
Defaults targetpw  # Ask for the password of the target user
ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'

## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d
 
Old 08-07-2016, 10:59 AM   #4
MadeInGermany
Senior Member
 
Registered: Dec 2011
Location: Simplicity
Posts: 2,791

Rep: Reputation: 1201
If it runs with /usr/bin/sudo, then put the working command into the .cfg like this
Code:
command[check_asterisk_peers]=/usr/bin/sudo /usr/lib/monitoring-plugins/check_asterisk_peers -p monika_gigaset
Restart nrpe to reread its .cfg file.

Last edited by MadeInGermany; 08-07-2016 at 11:02 AM.
 
Old 08-08-2016, 03:52 PM   #5
24x7servermanagement
Member
 
Registered: Jul 2016
Location: India
Distribution: CentOS, Redhat, Ubuntu and Debian
Posts: 57

Rep: Reputation: Disabled
Try with

Code:
asterisk ALL=(ALL) NOPASSWD: ALL
After that test the command and if you are still facing the issue then check journalctl -xe

If you are still getting the same error, then I suspect the issue may be with pam. Meanwhile, you can always use the working command with /usr/bin/sudo
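
Added example, not part of any post in this thread: a simplified Python model of how sudoers selects a rule (the last matching entry wins, and a directory entry only matches when it ends in "/"), run against an excerpt constructed from the sudoers in post #3. The function names, the reordered variant and the reduced grammar (no hosts, runas lists, aliases, groups or argument matching) are assumptions of this sketch; a "password" verdict means sudo would prompt, which a daemon such as nrpe cannot answer.

```python
# Simplified sudoers model (assumption of this added example): user specs only;
# hosts, runas lists, aliases, groups and command arguments are ignored.
PLUGIN = "/usr/lib/monitoring-plugins/check_asterisk_peers"

# Constructed excerpt keeping the rule order of the sudoers in post #3.
POSTED = """\
root ALL=(ALL) ALL
nrpe ALL=(ALL) NOPASSWD: /usr/sbin/service,/usr/lib/monitoring-plugins
ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
"""

# Hypothetical variant: nrpe rule placed last and limited to the one plugin.
REORDERED = """\
root ALL=(ALL) ALL
ALL ALL=(ALL) ALL
nrpe ALL=(root) NOPASSWD: /usr/lib/monitoring-plugins/check_asterisk_peers
"""

def parse(text):
    """Yield (who, nopasswd, [command specs]) for each rule, in file order."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        lhs, rhs = line.split("=", 1)
        rhs = rhs.split(")", 1)[-1].strip()       # drop a leading (runas) list
        nopasswd = rhs.startswith("NOPASSWD:")
        cmds = (rhs[len("NOPASSWD:"):] if nopasswd else rhs).split(",")
        yield lhs.split()[0], nopasswd, [c.strip() for c in cmds]

def cmd_matches(spec, path):
    spec_path = spec.split()[0]
    if spec_path in ("ALL", path):
        return True
    # A directory entry covers the files directly inside it only if it ends in "/".
    return spec_path.endswith("/") and path.rsplit("/", 1)[0] + "/" == spec_path

def decide(text, user, path):
    """Return 'denied', 'password' or 'nopasswd'; the LAST matching rule wins."""
    verdict = "denied"
    for who, nopasswd, cmds in parse(text):
        if who in (user, "ALL") and any(cmd_matches(c, path) for c in cmds):
            verdict = "nopasswd" if nopasswd else "password"
    return verdict
```

On the real host, `sudo -l -U nrpe` run as root lists the rules sudo applies to that account, and `visudo -c` checks the file's syntax after an edit.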
 
  

