thomas-krenn / check_lsi_raid

Monitoring plugin to check MegaRAID controllers
GNU General Public License v3.0

Suggestion for usage with CentOS (selinux,audit,sudo) #7

Open ronator opened 7 years ago

ronator commented 7 years ago

Hi, this is just feedback, no real issue, but you may want to add some more information on how to get this plugin running over NRPE on CentOS. All 20 other plugins/checks were running, but this one was failing me.

Problem: The plugin worked locally, but not over nrpe. Calling check_nrpe locally on the monitored host revealed the same problem as from the monitoring server: "Error: invalid controller number, controller not found!"

Every time I ran the plugin, I noticed a "failed" access in the audit.log:

    type=USER_CMD msg=audit(1478525564.208:1885): pid=1823 uid=995 auid=4294967295 ses=4294967295 subj=system_u:system_r:nrpe_t:s0 msg='cwd="/" cmd=2F7573722F7362696E2F73746F72636C69202F63302073686F772074696D65 terminal=? res=failed'

Looks like it wanted a tty.

I followed your instructions on https://www.thomas-krenn.com/en/wiki/LSI_RAID_Monitoring_Plugin but I could not get it running over NRPE. I was assuming some sudo issue, since "controller not found" sounded like so.

Cause: IMHO the "problem" is that CentOS sets "Defaults: requiretty" in the sudoers file. Some (older) distros don't do that. Your suggested sudoers config won't work on CentOS 7, but I found a solution:

https://community.spiceworks.com/how_to/99564-tuning-selinux-to-allow-nrpe-to-run-plugins-as-root

Basically, I had to add to sudoers

    User_Alias PRIVNAGIOS = nrpe
    Defaults:nrpe !requiretty
    Cmnd_Alias NRPE = /opt/MegRAID/storcli/storcli64
    PRIVNAGIOS ALL =(ALL) NOPASSWD: NRPE

and then it started working over NRPE!

I do wonder why "only" this plugin caused such an effect, but I guess it is due to the way the plugin works with storcli. So maybe you want to add this info regarding CentOS 7/ RHL 7. I spent 5 hours on this "issue", so I wanted to give you this feedback.

Cheers
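The `cmd=` field in the audit record quoted above is hex-encoded, which hides which command sudo was asked to run. As an added example (not part of the original thread or of the plugin), this Python sketch parses `USER_CMD` records and lists the failed ones with their SELinux context; the function names are hypothetical and the only input is the record from this issue.

```python
import re

# Audit record exactly as quoted in the issue above.
SAMPLE = (
    "type=USER_CMD msg=audit(1478525564.208:1885): pid=1823 uid=995 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:nrpe_t:s0 "
    "msg='cwd=\"/\" cmd=2F7573722F7362696E2F73746F72636C69202F63302073686F772074696D65 "
    "terminal=? res=failed'"
)

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted


def decode_cmd(value):
    """Decode a cmd= value, which is either quoted or hex-encoded."""
    if value.startswith('"'):
        return value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value  # leave anything unexpected untouched


def parse_user_cmd(line):
    """Return the interesting fields of a USER_CMD record, else None."""
    if not line.startswith("type=USER_CMD "):
        return None
    # Flatten the nested msg='...' payload so its fields parse like the rest.
    flat = line.strip().replace("msg='", "").rstrip("'")
    rec = dict(FIELD.findall(flat))
    return {
        "uid": int(rec["uid"]),
        "subj": rec.get("subj", "?"),
        "cmd": decode_cmd(rec.get("cmd", "")),
        "res": rec.get("res", "?"),
    }


def failed_commands(lines):
    """List (SELinux context, uid, command) for every failed USER_CMD record."""
    parsed = (parse_user_cmd(l) for l in lines)
    return [(r["subj"], r["uid"], r["cmd"]) for r in parsed if r and r["res"] == "failed"]


if __name__ == "__main__":
    for subj, uid, cmd in failed_commands([SAMPLE]):
        print(f"failed sudo command uid={uid} context={subj}: {cmd}")
```

Feeding it the lines of `/var/log/audit/audit.log` shows at a glance which sudo commands fail when invoked from the `nrpe_t` domain, so the sudoers entry can be scoped to exactly that command.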

gschoenberger commented 7 years ago

THX for the comment, I think I will update the README and/or wiki articles!

All the best, Georg

rathologic commented 5 years ago

Hi! This isn't limited to CentOS; I just had the same issue on a number of RHEL 7 machines. I was very confused as to why local checks worked, but NRPE returned its least helpful error message. Managed to discover the audit messages before finding this thread which solved everything. Thanks, ronator!

If your NRPE is running as user nagios, you should only need 1 line in your sudoers config to fix it:

    Defaults:nagios !requiretty

It doesn't look like this is in the readme yet; updating it may help users who haven't found this page... ^^