[Nagiosplug-devel] [RFC] Plugins config file

Gavin Carr gavin at openfusion.com.au
Mon Oct 16 13:13:50 CEST 2006


I've got a Perl Nagios plugin that performs arbitrary queries against
a database and reports status codes based on the number of rows 
returned i.e.

  Usage: check_db_query_rowcount [-v] -q <query> -w <warn-count> 
            -c <crit-count> -d <dsn> -u <user> -p <pass>

An obvious security problem with this is that the user must pass the
database credentials on the command line, which typically means 
they're exposed to any local users via the process list for however 
long the plugin executes.

This must be a problem for lots of other kinds of plugin too - 
anywhere you need to pass any kind of secret to a plugin. Is there a
good way of dealing with this that I'm not aware of?

My suggestion is that we introduce a config file specifically for use
by plugins (e.g. /etc/nagios/plugins.cfg or 
$NAGIOS_HOME/etc/plugins.cfg), for arbitrary per-plugin parameters we 
don't want to have to pass at the command line. Perhaps an INI-style 
format would make sense, with per-plugin sections, or arbitrary 
section names specified explicitly e.g.

  [ check_db_query_rowcount ]
  dsn = db:Pg:database=foo
  user = fred
  pass = secret

or perhaps if I want to check multiple different databases, or share
the credentials across plugins:

  [ foo_db ]
  dsn = db:Pg:database=foo
  user = fred
  pass = secret
  
Then my plugin could have a usage pattern like this:

  Usage: check_db_query_rowcount [-v] -q <query> -w <warn-count> 
            -c <crit-count> [--auth=<auth-section>]

where auth-section might default to the plugin name if not specified
(and the plugin would fail if an appropriate auth section could not 
be found).

Thoughts/comments?

Cheers,
Gavin

-- 
Gavin Carr
Open Fusion - Open Source Business Solutions [ Linux - Perl - Apache ]
http://www.openfusion.com.au
- Fashion is a variable, but style is a constant - Programming Perl
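
A sketch of the lookup proposed in the message above, as an added example that is not part of the original post or of any Nagios plugin: the plugin resolves `--auth` (defaulting to its own name) to a section of an INI-style file and exits UNKNOWN if the section is missing. The helper name `load_auth_section`, the `#`/`;` comment syntax, the file-permission check, and the temporary file standing in for `/etc/nagios/plugins.cfg` are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Basename qw(basename);
use File::Temp qw(tempfile);
use Getopt::Long qw(GetOptionsFromArray);

# Hypothetical helper: return the key/value pairs of one section, or die.
sub load_auth_section {
    my ($path, $section) = @_;
    open my $fh, '<', $path or die "cannot open $path: $!\n";
    # Assumption (not in the post): refuse a file other local users can read,
    # otherwise the secret has only moved from the process list to the disk.
    my $mode = (stat $fh)[2] & 07777;
    die sprintf("%s has mode %04o, expected no group/other access\n", $path, $mode)
        if $mode & 0077;
    my (%conf, $current);
    while (my $line = <$fh>) {
        next if $line =~ /^\s*(?:[#;].*)?$/;          # blank line or comment
        if ($line =~ /^\s*\[\s*(.+?)\s*\]\s*$/) {     # "[ foo_db ]" or "[foo_db]"
            $current = $1;
        } elsif (defined $current && $line =~ /^\s*([^=\s]+)\s*=\s*(.*?)\s*$/) {
            $conf{$current}{$1} = $2;                 # value may itself contain "="
        } else {
            die "$path line $.: cannot parse\n";
        }
    }
    close $fh;
    die "no [$section] section in $path\n" unless $conf{$section};
    return $conf{$section};
}

# Constructed sample config in a temp file (File::Temp creates it mode 0600).
my ($tmp, $cfg) = tempfile(UNLINK => 1);
print {$tmp} "[ foo_db ]\ndsn = db:Pg:database=foo\nuser = fred\npass = secret\n";
close $tmp;

my @argv = ('-q', 'select 1', '--auth=foo_db');      # constructed command line
my $auth = basename($0);                             # default: the plugin's own name
GetOptionsFromArray(\@argv, 'q=s' => \my $query, 'auth=s' => \$auth) or exit 3;

my $cred = eval { load_auth_section($cfg, $auth) };
if (!$cred) { print "UNKNOWN: $@"; exit 3 }          # fail if the section is missing
# The password stays in $cred->{pass}; it never appears in argv or in output.
print "would connect to $cred->{dsn} as $cred->{user}\n";
```

With this layout only the section name is visible in the process list; the credentials are readable only by the account that owns the config file.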



