Bug 185685

Summary: conf.d/nagios.conf issues
Product: Fedora
Component: nagios
Reporter: Matthew Schick <mschick>
Assignee: Mike McGrath <imlinux>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: dcantrell, extras-qa, llim
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-03-24 14:22:34 UTC
Attachments:
Replacement conf file (flags: none)

Description Matthew Schick 2006-03-16 21:50:34 UTC
Current conf file is far too restrictive out of the box IMHO.  Restricting via
IP and requiring username/pass just to see if you've got a successful install is
a bit much.  I've left the lines in here, but commented out...

Also, I fixed the /nagios Alias so it works as localhost/nagios and
localhost/nagios/

Comment 1 Matthew Schick 2006-03-16 21:50:34 UTC
Created attachment 126253 [details]
Replacement conf file

Comment 2 Mike McGrath 2006-03-16 23:57:37 UTC
It's good practice to only listen to localhost on a default install.  And Nagios
doesn't work without authentication by default, so that was my reasoning behind
the restrictive perms.  How about the following default setup instead (with the
changes from your patch):

ScriptAlias /nagios/cgi-bin/ /usr/lib/nagios/cgi-bin/
<Directory /usr/lib/nagios/cgi-bin/>
   Options ExecCGI
   order deny,allow
   deny from all
   allow from 127.0.0.1
   AuthType Basic
   AuthUserFile /etc/nagios/passwd
   AuthName "nagios"
   require valid-user
</Directory>

Alias /nagios /usr/share/nagios/html/
<Directory /usr/share/nagios/html/>
   Options None
   order deny,allow
   deny from all
   allow from 127.0.0.1
   #AuthType Basic
   #AuthUserFile /etc/nagios/passwd
   #AuthName "nagios"
   #require valid-user
</Directory>

In this scenario you can at least load up a page from localhost without
authentication.  Any testing beyond that (using CGIs) requires extensive
configuration of Nagios anyway.

My main concern is giving access to the CGIs; after all, cmd.cgi is designed to
run commands on the local machine via the nagios.cmd file.  I think it's best to
keep it locked down pretty tight.

What are your thoughts?
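As an added example (not part of this bug report, the attachment, or the Fedora nagios package), a small Python check that audits Apache <Directory> blocks for the two properties debated in this comment: a directory with Options ExecCGI must keep "require valid-user", and each block should stay limited to 127.0.0.1. The HARDENED text is constructed from the cgi-bin block above; the PERMISSIVE variant comments the access-control lines out, as the reporter describes doing in the attachment.

```python
import re

# Constructed sample: the cgi-bin block from the proposed nagios.conf, with
# the host restriction and HTTP basic auth both active.
HARDENED = """\
ScriptAlias /nagios/cgi-bin/ /usr/lib/nagios/cgi-bin/
<Directory /usr/lib/nagios/cgi-bin/>
   Options ExecCGI
   order deny,allow
   deny from all
   allow from 127.0.0.1
   AuthType Basic
   AuthUserFile /etc/nagios/passwd
   AuthName "nagios"
   require valid-user
</Directory>
"""

# Constructed sample: the same block with the access-control lines commented
# out, i.e. the permissive layout the reporter argued for.
PERMISSIVE = re.sub(r"^(\s*)(AuthType|AuthUserFile|AuthName|require|deny|allow)\b",
                    r"\1#\2", HARDENED, flags=re.M)

DIRECTORY_RE = re.compile(r"<Directory\s+([^>]+)>(.*?)</Directory>", re.S)

def active_directives(body):
    """Lower-cased directives of a <Directory> body, skipping comments/blanks."""
    return [l.strip().lower() for l in body.splitlines()
            if l.strip() and not l.strip().startswith("#")]

def audit(conf):
    """Flag Directory blocks that expose CGIs without auth or beyond localhost.
    Returns a list of (directory, finding) tuples; an empty list means clean."""
    findings = []
    for path, body in DIRECTORY_RE.findall(conf):
        d = active_directives(body)
        serves_cgi = any(x.startswith("options") and "execcgi" in x for x in d)
        localhost_only = "deny from all" in d and "allow from 127.0.0.1" in d
        if serves_cgi and "require valid-user" not in d:
            findings.append((path.strip(), "CGI directory has no authentication"))
        if not localhost_only:
            findings.append((path.strip(), "not limited to 127.0.0.1"))
    return findings

if __name__ == "__main__":
    print("hardened:", audit(HARDENED))      # []
    print("permissive:", audit(PERMISSIVE))  # 2 findings
```

The check only reads Apache 2.2-style "order/deny/allow" directives as written in this comment; it does not model Satisfy or the 2.4 Require syntax.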

Comment 3 Matthew Schick 2006-03-17 13:55:59 UTC
Executing via cmd.cgi is locked down already via the config file, so it's a
non-issue.  Normally I'd agree with any efforts to secure a default install, but
honestly I think it's a bit much here for no real gain.

Nagios by default doesn't let anyone do anything (or even see much) with a
default install and most people are going to be doing an install on a remote
machine.  Imagine the frustration for a newbie trying to figure out why their
shiny new install doesn't work.  That person is not going to know they should be
looking at an apache conf file, they will just assume there's something wrong
with our packages (or spam forums/mailing lists).

I'd strongly recommend using a permissive default with the more restrictive
lines commented out with detailed instructions.  That way folks will see the
rationale and hopefully go with the more secure access, but won't run into
issues with the install.

I hope this makes sense... Haven't had enough caffeine yet to tell... ;)

Comment 4 Mike McGrath 2006-03-17 15:24:13 UTC
I think the main reasoning behind this isn't the way it works when it's installed
but to protect against an unconfigured service getting exploited by a
vulnerability that comes out later.  I'll make the restrictions lighter if you
can find another Fedora web package that has lighter restrictions.  I don't want
to be inconsistent with what the other packages are doing.

What tests need to be run to verify that Nagios is installed correctly?  (Aside
from the significant config work needed to be done to get the Nagios daemon running)

Comment 5 Matthew Schick 2006-03-17 16:15:14 UTC
Meh... I didn't realize the host restrictions were an FC standard. I still have
my objections, but this isn't the right forum...

I don't really know of any tests (other than bringing up localhost/nagios) that
could be automagically run at install time.  As you noted, nagios is useless
till the daemon is configured.

Comment 6 Mike McGrath 2006-03-24 04:22:35 UTC
Just following up on this, would you mind if I closed it?

Comment 7 Matthew Schick 2006-03-24 13:49:13 UTC
Feel free...

Comment 8 Mike McGrath 2006-03-24 14:22:34 UTC
Closing this for now but will continue to consider an easier way for users to
test their install.