NagiosEnterprises / nrpe

NRPE Agent
GNU General Public License v2.0

Improvement: restrict one command to one host (or subnet) #213

Open AlbanVidal opened 5 years ago

AlbanVidal commented 5 years ago

Dear developers,

Could it be possible to add a host restriction for a specific command?

For example, if I have multiple supervision servers and I want to restrict some commands to just one server (or subnet).

file.cfg example:

# Define all networks allowed to talk with us
allowed_hosts="192.168.0.0/24,192.168.1.0/24"

# Generic command
command[check_standard]=/usr/local/bin/check_standard

# Restricted command
allowed_hosts="192.168.0.0/24" command[check_restricted]=/usr/local/bin/check_restricted

Thanks and best regards, Alban

AlbanVidal commented 5 years ago

Or another implementation:

[...]

# Define global hosts or networks allowed to talk with us
allowed_hosts=192.168.0.0/24,192.168.1.0/24

# Authorizations for specific commands
allowed_hosts=[check_restricted_one,check_restricted_two]=192.168.2.0/24,192.168.3.1

# Define commands
command[check_standard]=/usr/local/bin/check_standard
command[check_restricted_one]=/usr/local/bin/check_restricted_one
command[check_restricted_two]=/usr/local/bin/check_restricted_two

[...]

ericloyd commented 5 years ago

I agree that a "hosts allow/deny" type thing should be added to NRPE as a general configuration option. Not really sure how it should be done, but I like the stanza approach with a per-service allow and deny:

command[check_standard]=/usr/local/bin/check_standard,allow=192.168.0.0/24,deny=192.168.0.123
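
The stanza proposed in the last comment, evaluated in Python as an added example; this is not NRPE code, and NRPE does not parse this syntax. The function names, the rule that bare comma-separated entries continue the preceding `allow=`/`deny=` list, and the precedence (global `allowed_hosts` first, then deny, then allow) are assumptions made for illustration.

```python
import ipaddress
import re

# Hypothetical stanza syntax taken from the comment above; NRPE does not parse it.
STANZA = re.compile(r"^command\[(?P<name>[^\]]+)\]=(?P<rest>.+)$")

def parse_stanza(line):
    """Split 'command[name]=path,allow=a,b,deny=c' into (name, path, rules)."""
    m = STANZA.match(line.strip())
    if not m:
        raise ValueError("not a command stanza: %r" % line)
    # Assumption: the command path itself contains no commas.
    path, *tokens = m.group("rest").split(",")
    rules = {"allow": [], "deny": []}
    key = None
    for tok in tokens:
        head, sep, value = tok.strip().partition("=")
        if sep and head in rules:
            key, entry = head, value      # "allow=..." or "deny=..." starts a list
        else:
            entry = tok.strip()           # bare entry continues the current list
        if key is None:
            raise ValueError("entry %r precedes allow=/deny=" % entry)
        # strict=False tolerates host bits in a CIDR entry; a bare address becomes a /32
        rules[key].append(ipaddress.ip_network(entry, strict=False))
    return m.group("name"), path, rules

def is_allowed(peer, global_allowed, rules):
    """Assumed precedence: global allowed_hosts gate, then deny, then allow."""
    ip = ipaddress.ip_address(peer)
    if not any(ip in net for net in global_allowed):
        return False
    if any(ip in net for net in rules["deny"]):
        return False
    # Assumption: a command with no allow list inherits the global list only.
    return not rules["allow"] or any(ip in net for net in rules["allow"])

# Constructed sample input built from the values quoted in the thread.
GLOBAL = [ipaddress.ip_network(n) for n in "192.168.0.0/24,192.168.1.0/24".split(",")]
LINE = ("command[check_standard]=/usr/local/bin/check_standard,"
        "allow=192.168.0.0/24,deny=192.168.0.123")

if __name__ == "__main__":
    name, path, rules = parse_stanza(LINE)
    for peer in ("192.168.0.10", "192.168.0.123", "192.168.1.5", "10.0.0.1"):
        print(name, peer, "allowed" if is_allowed(peer, GLOBAL, rules) else "refused")
```

Under these assumptions a host in 192.168.1.0/24 passes the global gate but is still refused for this command, which is the per-command restriction the issue asks for.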