On 2022-01-11, Nick Holland <n...@holland-consulting.net> wrote:
> On 1/10/22 6:33 PM, F Bax wrote:
>> nagios install creates user _nagios with login = /sbin/nologin
>> I have some OpenBSD systems not configured to send email to external
>> addresses; there is one system (host0) that is configured to send email
>> outside. I wish to use nagios on host0 to monitor the other systems and
>> send notifications to an offsite email address. I was thinking that some
>> sort of restricted shell (only access to /usr/local/libexec/nagios/) would
>> be appropriate. Anyone able to provide a clue how this can be accomplished?
>> Is there a best practices document for using check_by_ssh in OpenBSD?
>> Frank
>
> ok, I'm totally lost as to what e-mail has to do with your question.
>
> Been a while since I managed setting up new services on Nagios, but if you
> are having your nagios server monitor other systems by SSH, you probably
> want to have passwords disabled on the monitored node accounts, use keys
> and IP address restrictions. Setting up a restricted shell or a chroot is
> probably going to be very frustrating and in the end, not very productive.
>
> What you ask for is basically what the nagios nrpe modules are about --
> avoiding full logins. NRPE runs various tests and answers queries about
> the results.

Strongly recommend not using NRPE.

If it's something that can be monitored via SNMP (e.g. cpu, memory, process counts, disk space, network interfaces) then that's often not a bad way to do it, there are scripts that work with nagios/icinga that will do this nicely in the "manubulon-snmp" package. Then you can just run snmpd(8) on the monitored node.

Icinga has quite nice distributed monitoring where it has its own methods to distribute check jobs to agents, which might be appropriate for setups that aren't wedded to nagios.

For check_by_ssh probably the best way to go is to generate separate keys for different checks and use ForceCommand so each key can only run the relevant check.
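
Added example, not part of the original message: one way to bind each check key to a single check on the monitored node is the per-key `command=` option in authorized_keys (the per-key counterpart of sshd_config's ForceCommand), combined with `restrict` and `from=`. The source address, key strings and check arguments below are constructed placeholders, and `make_entry` is a hypothetical helper name.

```shell
#!/bin/sh
# Build authorized_keys entries that pin one key to one check.
# Run on the monitored node; the output belongs in the monitoring
# account's ~/.ssh/authorized_keys. All sample values are constructed.

PLUGIN_DIR="/usr/local/libexec/nagios"   # plugin path named in the thread
NAGIOS_SRC="192.0.2.10"                  # assumed address of host0 (documentation range)

# make_entry SOURCE_IP "COMMAND LINE" "PUBLIC KEY LINE"
# Prints one authorized_keys line, or returns 1 if the command is refused.
make_entry() {
    src=$1 cmd=$2 key=$3
    case $cmd in
        "$PLUGIN_DIR"/check_*) ;;        # must be a plugin under PLUGIN_DIR
        *) echo "refused: not under $PLUGIN_DIR: $cmd" >&2; return 1 ;;
    esac
    case $cmd in
        # no path traversal, no quoting or shell metacharacters
        *..*|*'"'*|*"'"*|*'\'*|*';'*|*'&'*|*'|'*|*'`'*|*'$'*|*'<'*|*'>'*)
            echo "refused: unsafe characters: $cmd" >&2; return 1 ;;
    esac
    # restrict: no pty, no port/agent/X11 forwarding, no ~/.ssh/rc
    # from=:    key is accepted only from the monitoring server
    # command=: sshd runs this, whatever the client asked for
    printf 'restrict,from="%s",command="%s" %s\n' "$src" "$cmd" "$key"
}

# Constructed public keys, one per check. Real ones come from a separate
# `ssh-keygen -t ed25519 -f <file>` run per check on the monitoring server.
KEY_DISK="ssh-ed25519 AAAA_CONSTRUCTED_PLACEHOLDER_1 nagios-check_disk"
KEY_LOAD="ssh-ed25519 AAAA_CONSTRUCTED_PLACEHOLDER_2 nagios-check_load"

make_entry "$NAGIOS_SRC" "$PLUGIN_DIR/check_disk -w 10% -c 5% -p /" "$KEY_DISK"
make_entry "$NAGIOS_SRC" "$PLUGIN_DIR/check_load -w 4,3,2 -c 8,6,4" "$KEY_LOAD"
```

On the monitoring server each service then calls check_by_ssh with `-i` pointing at the matching private key; the `-C` string it sends is not executed, since sshd substitutes the forced command and only exposes the request in `SSH_ORIGINAL_COMMAND`.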