sporticia

Even though we’re not a massive company (less than 50 butts on seats) we do have quite a bit of kit in an environment that is growing ever more complex.

To help we use Nagios to monitor key systems and services and to alert us via email when issues arise (and hopefully we can correct them before the masses notice)

My boss decided he wanted to share our Nagios screens with others (well, his boss) and so I installed a workstation with x2 flat screens lofted up on high so they could be seen from a distance.

But, I had a slight snag. We use authentication on Nagios and the account used for viewing the web console had enough permissions to be able to execute the host commands listed on the right hand side of interface (shown below)

This meant that should any passer by wish to, they could click the url link to say, turn off a check that was failing (not that any of our users would do such a thing !). So I needed a way to make the web interface either not display those links or be read-only for those links, essentially prevent people from altering the configuration.

Peeking through the config files for Nagios, it seems my predecessor had the same idea at some point, but had not quite managed to pull it off. Inside the cgi.cfg file (which was located at /usr/local/nagios/etc/cgi.cfg) are the following lines

default_user_name=
authorized_for_system_information=
authorized_for_configuration_information=
authorized_for_system_commands=
authorized_for_all_services=
authorized_for_all_hosts=
authorized_for_all_service_commands=
authorized_for_all_host_commands=

The ones of interest are :

authorized_for_all_services=

authorized_for_all_hosts=

By adding a user to these x2 lines *only*, the urls on the pages for running commands and viewing/modifying the config do not work and give a permissions error

You will also need to add the name you add to those x2 line to the /usr/local/nagios/etc/htpasswd file as well

Now, even though you can still see the command urls on the pages, you get this if you try to click them

So, how far had my predecessor gotten ? Well, something I take for granted that I guess he did not know, the list of names supplied should be comma seperated with no space between them

Easy when you know how :o)

Tags: nagios, readonly

This entry was posted on Friday, March 5th, 2010 at 6:30 pm and is filed under unix. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.