debmon
/
nagios-nrpe
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Upstream version 3.2.1

This commit is contained in:
Mario Fetka 2017-11-02 09:55:48 +01:00
parent 02b430a86c
commit 52cbd1b45f
36 changed files with 2095 additions and 1811 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
.travis.yml Normal file
View File

@ -0,0 +1,10 @@
language: c
sudo: enabled
dist:
- trusty
compiler:
- clang
- gcc
script: ./configure && make all && sudo ./test-wrapper

503
CHANGELOG.md Normal file
View File

@ -0,0 +1,503 @@
NRPE Changelog
==============
[3.2.1](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-3.2.1) - 2017-08-31
---------------------------------------------------------------------------------------
**FIXES**
* Change seteuid error messages to warning/debug (Bryan Heden)
* Fix segfault when no nrpe_user is specified (Stephen Smoogen, Bryan Heden)
* Added additional strings to error messages to remove duplicates (Bryan Heden)
* Fix nrpe.spec for rpmbuild (Bryan Heden)
* Fix error for drop_privileges when using inetd (xalasys-luc, Bryan Heden)
[3.2.0](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-3.2.0) - 2017-06-26
---------------------------------------------------------------------------------------
**ENHANCEMENTS**
* Added max_commands definition to nrpe.cfg to rate limit simultaneous fork()ed children (Bryan Heden)
* Added -E, --stderr-to-stdout options for check_nrpe to redirect output (Bryan Heden)
* Added support for Gentoo init (Troy Lea @box293)
* Cleaned up code a bit, updated readmes and comments across the board (Bryan Heden)
* Added -V, --version to nrpe and fixed the output (Bryan Heden)
* Added different SSL error messages to be able to pinpoint where some SSL errors occured (Bryan Heden)
* Updated logic in al parse_allowed_hosts (Bryan Heden)
* Added builtin OpenSSL Engine support where available (Bryan Heden + @skrueger8)
* Clean up compilation warnings (Bryan Heden)
* Added more commented commands in nrpe.cfg (Bryan Heden)
**FIXES**
* Undefined check returns UNKNOWN (Bryan Heden)
* Fix incompatibility with OpenSSL 1.1.0 via SECLEVEL distinction (Bryan Heden)
* Fix ipv4 error in logfile even if address is ipv6 (Bryan Heden)
* Fix improper valid/invalid certificate warnings (Bryan Heden)
[3.1.1](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-3.1.1) - 2017-05-24
---------------------------------------------------------------------------------------
**FIXES**
* The '--log-file=' or '-g' option is missing from the help (John Frickson)
* check_nrpe = segfault when specifying a config file (John Frickson)
* Alternate log file not being used soon enough (John Frickson)
* Unable to compile v3.1.0rc1 with new SSL checks on rh5 (John Frickson)
* Unable to compile nrpe-3.1.0 - undefined references to va_start, va_end (John Frickson)
* Can't build on Debian Stretch, openssl 1.1.0c (John Frickson)
* Fix build failure with -Werror=format-security (Bas Couwenberg)
* Fixed a typo in `nrpe.spec.in` (John Frickson)
* More detailed error logging for SSL (John Frickson)
* Fix infinite loop when unresolvable host is in allowed_hosts (Nick / John Frickson)
[3.1.0](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-3.1.0) - 2017-04-17
---------------------------------------------------------------------------------------
**ENHANCEMENTS**
* Added option to nrpe.cfg.in that can override hard-coded NASTY_METACHARS (John Frickson)
* While processing 'include_dir' statement, sort the files (Philippe Kueck / John Frickson)
* nrpe can now write to a log file using 'log_file=' in nrpe.cfg (John Frickson)
* check_nrpe can now write to a log file using '--log-file=' or '-g' options (John Frickson)
**FIXES**
* Added missing debugging syslog entries, and changed printf()'s to syslog()'s. (Jobst Schmalenbach)
* Fix help output for ssl option (configure) (Ruben Kerkhof)
* Fixes to README.SSL.md and SECURITY.md (Elan Ruusamäe)
* Changed the 'check_load' command in nrpe.cfg.in (minusdavid)
* Cleanup of config.h.in suggested by Ruben Kerkhof
* Minor change to logging in check_nrpe (John Frickson)
* Solaris 11 detection is broken in configure (John Frickson)
* Removed function `b64_decode` which wasn't being used (John Frickson)
* check_nrpe ignores -a option when -f option is specified (John Frickson)
* Added missing LICENSE file (John Frickson)
* Off-by-one BO in my_system() (John Frickson)
* Got rid of some compiler warnings (Stefan Krüger / John Frickson)
* Add SOURCE_DATE_EPOCH specification support for reproducible builds. (Bas Couwenberg)
* nrpe 3.0.1 allows TLSv1 and TLSv1.1 when I configure for TLSv1.2+ (John Frickson)
* "Remote %s accepted a Version %s Packet", please add to debug (John Frickson)
* nrpe 3.0.1 segfaults when key and/or cert are broken symlinks (John Frickson)
* Fixed a couple of typos in docs/NRPE.* files (Ludmil Meltchev)
* Changed release date to ISO format (yyyy-mm-dd) (John Frickson)
* Fix systemd unit description (Bas Couwenberg)
* Add reload command to systemd service file (Bas Couwenberg)
* fix file not found error when updating version (Sven Nierlein)
* Spelling fixes (Josh Soref)
* Return UNKNOWN when check_nrpe cannot communicate with nrpe and -u set (John Frickson)
* xinetd.d parameter causes many messages in log file (John Frickson)
* Fixes for openssl 1.1.x (Stephen Smoogen / John Frickson)
* PATH and other environment variables not set with numeric nrpe_user (John Frickson)
* rpmbuild -ta nrpe-3.0.1.tar.gz failed File not found: /etc/init.d/nrpe (bvandi / John Frickson)
[3.0.1](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-3.0.1) - 2016-09-08
---------------------------------------------------------------------------------------
**FIXES**
* _set_rc: command not found reported by init script (John Frickson)
* Version string contains name (John Frickson)
* Changes to get 'rpmbuild' to work - nrpe.spec file outdated (John Frickson)
* typo in startup/default-xinetd.in (Philippe Kueck)
* debug output missing command name (Philippe Kueck)
* /usr/lib/tmpfiles.d/ndo2db.conf should have 'd' type, not 'D' (John Frickson)
* Fixes in parse_allowed_hosts() and called functions (Jobst Schmalenbach / John Frickson)
* nrpe.cfg: 'debug' statement needs to be first in file (Jobst Schmalenbach / John Frickson)
[3.0.0](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-3.0.0) - 2016-08-01
---------------------------------------------------------------------------------------
**SECURITY**
* Fix for CVE-2014-2913
* Added function to clean the environment before forking. (John Frickson)
**ENHANCEMENTS**
* Added support for optional config file to check_nrpe. With the new SSL
parameters, the line was getting long. The config file is specified with
--config-file=<path> or -f <path> parameters. The config file must look
like command line options, but the options can be on separate lines. It
MUST NOT include --config-file (-f), --command (-c) or --args (-a). If any
options are in both the config file and on the command line, the command line
options are used.
* make can now add users and groups using "make install-groups-users" (John Frickson)
* Added "nrpe-uninstall" script to the same directory nrpe get installed to (John Frickson)
* Updated code so configure && make will work on AIX, HP-UX, Solaris, OS X.
There should be no errors or warnings. Let me know if any errors or
warning appear (John Frickson)
* Added command-line option to prevent forking, since some of the init
replacements (such as systemd, etc.) don't want daemons to fork (John Frickson)
* Added autoconf macros and additional files to better support multi-platform
config and compile. The default will still set up to install to
/usr/local/nagios but I added a new configure option:
'--enable-install-method=<method>'. If <method> is 'opt', everything will
install to '/opt/nagios'. If <method> is 'os', installation will be to O/S-
and distribution-specific locations, such as /usr/sbin, /usr/lib/nagios,
/etc/nagios, and so on.
* Added additional init and inetd config files to support more systems,
including SuSE, Debian, Slackware, Gentoo, *BSD, AIX, HP-UX, Solaris, OS X.
* Added listen_queue_size as configuration option (Vadim Antipov, Kaspersky Lab)
* Reworked SSL/TLS. See the README.SSL.md file for full info. (John Frickson)
* Added support for version 3 variable sized packets up to 64KB. nrpe will
accept either version from check_nrpe. check_nrpe will try to send a
version 3 packet first, and fall back to version 2. check_nrpe can be forced
to only send version 2 packets if the switch `-2` is used. (John Frickson)
* Added extended timeout syntax in the -t <secs>:<status> format. (ABrist)
**FIXES**
* Fixed configure to check more places for SSL headers/libs. (John Frickson)
* Added ifdefs for complete_SSL_shutdown to compile without SSL. (Matthew L. Daniel)
* Renamed configure.in to configure.ac and added check for sigaction (John Frickson)
* Replaced all instances of signal() with sigaction() + blocking (John Frickson)
* check_nrpe does not parse passed arguments correctly (John Frickson)
* NRPE should not start if cannot write pid file (John Frickson)
* Fixed out-of-bounds error (return code 255) for some failures (John Frickson)
* Connection Timeout and Connection Refused messages need a new line (Andrew Widdersheim)
* allowed_hosts doesn't work, if one of the hostnames can't be resolved by dns (John Frickson)
* allowed_hosts doesn't work with a hostname resolving to an IPv6 address (John Frickson)
* Return UNKNOWN when issues occur (Andrew Widdersheim)
* NRPE returns OK if check can't be executed (Andrew Widdersheim)
* nrpe 2.15 [regression in Added SRC support on AIX - 2.14] (frphoebus)
* compile nrpe - Solaris 9 doesn't have isblank() (lilo, John Frickson)
* sample configuration for check_load has crazy sample load avg (ernestoongaro)
2.15 - 09/06/2013
-----------------
* Now compiles on HP-UX (Grant Byers)
* Added support for IPv6 (Leo Baltus, Eric Stanley)
2.14 - 12/21/2012
-----------------
* Added configure option to allow bash command substitutions, disabled by default [bug #400] (Eric Stanley)
* Patched to shutdown SSL connection completely (Jari Takkala)
* Added SRC support on AIX (Thierry Bertaud)
* Updated RPM SPEC file to support creating RPMs on AIX (Eric Stanley)
* Updated logging to support compiling on AIX (Eric Stanley)
2.13 - 11/11/2011
-----------------
* Applied Kaspersky Labs supplied patch for extending allowed_hosts (Konstantin Malov)
* Fixed bug in allowed_hosts parsing (Eric Stanley)
* Updated to support compiling on Solaris 10 (thanks to Kevin Pendleton)
2.12 - 03/10/2008
-----------------
* Fix for unterminated multiline plugin (garbage) output (Krzysztof Oledzki)
2.11 - 12/26/2007
-----------------
* Added lib64 library paths to configure script for 64-bit systems (John Maag)
* Added --with-ssl-lib configure script option
* Added --with-log-facility option to control syslog logging (Ryan Ordway and Brian Seklecki)
2.10 - 10/19/2007
-----------------
* Moved PDF docs to docs/ subdirectory, added OpenOffice source document
* A critical result is now returned for child processed that die due to a signal (Klas Lindfors)
2.9 - 08/13/2007
----------------
* Fixed bug with --with-nrpe-group configure script option (Graham Collinson)
* Fixed bug with check_disk thresholds in sample config file (Patric Wust)
* Added NRPE_PROGRAMVERSION and NRPE_MULTILINESUPPORT environment variables
for scripts that need to detect NRPE version and capabilities (Gerhard Lausser)
* Added asprintf() support for systems that are missing it (Samba team)
2.8.1 - 05/10/2007
-----------------
* Fixed configure script error with user-specified NRPE group
2.8 - 05/08/2007
---------------
* Added support for multiline plugin output (limited to 1KB at the moment) (Matthias Flacke)
2.8b1 - 03/14/2007
-----------------
* Changes to sample config files
* Added ';' as an additional prohibited metachar for command arguments
* Updated documentation and added easier installation commands
2.7.1 - 03/08/2007
------------------
* Changed C++ style comment to C style to fix compilation errors on AIX (Ryan McGarry)
2.7 - 02/18/2007
----------------
* Patches for detection SSL header and library locations (Andrew Boyce-Lewis)
* NRPE daemon will now partially ignore non-fatal configuration file errors and attempt to startup (Andrew Boyce-Lewis)
2.6 - 12/11/2006
----------------
* Added -u option to check_nrpe to return UNKNOWN states on socket timeouts (Bjoern Beutel)
* Added connection_timeout variable to NRPE daemon to catch dead client connections (Ton Voon)
* Added graceful timeout to check_nrpe to ensure connection to NRPE daemon is properly closed (Mark Plaksin)
2.5.2 - 06/30/2006
------------------
* Fixed incorrect service name in sample xinetd config file
* Added note on how to restart inetd for OpenBSD users (Robert Peaslee)
* Fix for nonblocking accept()s on systems that define EAGAIN differently than EWOULDBLOCK (Gerhard Lausser)
* Fix to (re)allow week random seed (Gerhard Lausser)
2.5.1 - 04/09/2006
------------------
* Patch to fix segfault if --no-ssl option is used (Sean Finney/Peter Palfrader)
2.5 - 04/06/2006
----------------
* (Re)added allowed_hosts option for systems that don't support TCP wrappers
* Fix for SSL errors under Solaris 8 (Niels Endres)
* Fix for config file directory inclusion on ReiserFS (Gerhard Lausser)
2.4 - 02/22/2006
----------------
* Added option to allow week random seed (Gerhard Lausser)
* Added optional command line prefix (Sean Finney)
* Added ability to reload config file with SIGHUP
* Fixed bug with location of dh.h include file
* Fixed bug with disconnect message in debug mode
2.3 - 01/23/2006
----------------
* Spec file fixes
* Removed errant PID file debugging code
* Fixed problem with trimming command definitions
2.2 - 01/22/2006
----------------
* Spec file fix
* Patch to add Tru64 and IRIX support (Ton Voon)
* Updated config.sub and config.guess
* Fixed bug with config file lines with only whitespace
* Fixed bug with missing getopt() command line option for -V
* Removed sample FreeBSD init script (now maintained by FreeBSD port)
* Added config file option for writing a PID file
2.1 - 01/19/2004
----------------
* Replaced host access list with TCP wrapper support
* Removed length restrictions for command names and command lines
* Configure script patch for getopt_long on Solaris
* Bug fixes for accept() on HP-UX 11.0
* Init script for SUSE Linux (Subhendu Ghosh)
* SSL protocol used is now limited to TLSv1
* Any output from plugins after first line is now ignored before
plugin process is closed
2.0 - 09/08/2003
----------------
* Added support for passing arguments to command
* NRPE daemon can no longer be run as root user/group
* Added getopt support
* Added 'include' variable to config file to allow inclusion
of external config files
* Added 'include_dir' variable to allow inclusion of external
config files in directories (with recursion)
* Added native SSL support (Derrick Bennett)
* Added my_strsep(), as Solaris doesn't have strsep()
* Added license exemption for use with OpenSSL
1.8 - 01/16/2003
----------------
* Daemon now closes stdio/out/err properly (James Peterson)
* Makefile changes (James Peterson)
* Mode command line option bug fix in daemon
* Fixed incorrect command line options in check_nrpe plugin
1.7 - 01/08/2003
----------------
* Spec file updates and minor bug fixes (James Peterson)
* Bug fix with default nrpe port definition
* Added sample xinetd config file (nrpe.xinetd)
* Bug fix for command_timeout variable (James Peterson)
1.6 - 12/30/2002
----------------
* Updated sample commands to match new plugin argument format
* Added sample init scripts for FreeBSD and Debian (Andrew Ryder)
* Syntax changes (-H option specifies host name in check_nrpe,
-c option specifies config file in nrpe)
* Added command_timeout directive to config file to allow user
to specify timeout for executing plugins
* Added spec file and misc patches for building RPMs (James Peterson)
* Added --with-nrpe-port config directive (James Peterson)
1.5 - 06/03/2002
----------------
* Added setuid/setgid option to config file (suggested by Marek Cervenka)
1.4 - 06/01/2002
----------------
* Changed STATE_UNKNOWN to value of 3 instead of -1 (old style)
* Minor doc and sample config file changes
1.3 - 02/21/2002
----------------
* Name and version change
* Ignore SIGHUP, minor cleanup (Jon Andrews)
1.2.5 - 12/22/2001
------------------
* Implemented Beej's sendall() to handle partial send()s
* Added instructions on running under xinetd to README
* Removed some old crud
1.2.4 - 02/22/2001
------------------
* I forgot what changes I made. Go figure...
1.2.3 - 12/21/2000
------------------
* A bit more documentation on configuring command definitions for the plugin
1.2.2 - 06/05/2000
------------------
* Fixed error in docs for running under inetd using TCP wrappers
* Replaced old email address in src/netutils.h with new one
1.2.1 - 05/07/2000
------------------
* Removed trapping of SIGCHLD
* Changed wait4() to waitpid() to allow compilation on HP-UX and AIX
1.2.0 - 04/18/2000
------------------
* Server forks twice after accepting a client connection, so as to prevent the
creation of zombies
1.1.5 - 04/07/2000
------------------
* Fixed a small bug where one debug message was not getting logged properly
1.1.4 - 03/30/2000
------------------
* Added option to disable/enable debug messages using the debug option in the
config file
1.1.3 - 03/11/2000
------------------
* Changed config file to use an absolute path
* Changed all debug output to use syslog (Rene Klootwijk)
* No convert all data to network order before sending it and convert it back to
host order when receiving it. This makes it possible to mix Solaris and Linux,
e.g. running check_nrpe on Linux and nrpe on Solaris. (Rene Klootwijk)
1.1.2 - 03/07/2000
------------------
* Removed unnecessary code in signal handler routine
* Unused signals are no longer trapper
1.1.1 - 02/28/2000 - RKL
---------------------------
* Modified syslog code to include string describing the error code.
* Changed hardcoded number in signal handler to its name. This prevented nrpe
to run on Solaris.
* Fixed race condition in accept loop. The result of accept should also be
checked for EINTR.
* Modified recv and send function calls to compile without warnings on Solaris.
* Modified configure.in,configure and Makefile.in to include nsl and socket libs
for Solaris.
* Modified the signal handler to reestablish itself after being called.
1.1 - 02/24/2000 - Rene Klootwijk <rene@klootwijk.org>
-----------------
* Added ability to bind nrpe to a specific interface by specifying the address
of this interface in the nrpe.cfg file (e.g. server_address=192.168.2.3)
1.0 - 02/16/2000
------------------
* Added ability to run as a service under inetd
1.0b6 - 02/01/2000
------------------
* Added configure script
* Netutils functions from the NetSaint plugins is now used
* Reset SIGCHLD to default behavior before calling popen() to
prevent race condition with pclose() (Reported by Rene Klootwijk)
* Cleaned up code
1.0b5 - 01/10/2000
------------------
* Added init script contributed by Jacob L
* Incorporated syslog code and other patches contributed by Jacob L
1.0b4 - 11/04/1999
------------------
* Changed 'allowed_ip' option in configuration file to
'allowed_hosts' and added support for multiple hosts
* Minor buffer overflow protection fixes
* main() returned STATE_UNKNOWN on successful launch, changed to STATE_OK (jaclu@grm.se)
* Added syslog support (jaclu@grm.se)

478
Changelog
View File

@ -1,478 +0,0 @@
**************
NRPE Changelog
**************
3.1.1 - 2017-05-24
------------------
FIXES
- The '--log-file=' or '-g' option is missing from the help (John Frickson)
- check_nrpe = segfault when specifying a config file (John Frickson)
- Alternate log file not being used soon enough (John Frickson)
- Unable to compile v3.1.0rc1 with new SSL checks on rh5 (John Frickson)
- Unable to compile nrpe-3.1.0 - undefined references to va_start, va_end (John Frickson)
- Can't build on Debian Stretch, openssl 1.1.0c (John Frickson)
- Fix build failure with -Werror=format-security (Bas Couwenberg)
- Fixed a typo in `nrpe.spec.in` (John Frickson)
- More detailed error logging for SSL (John Frickson)
- Fix infinite loop when unresolvable host is in allowed_hosts (Nick / John Frickson)
3.1.0 - 2017-04-17
------------------
ENHANCEMENTS
- Added option to nrpe.cfg.in that can override hard-coded NASTY_METACHARS (John Frickson)
- While processing 'include_dir' statement, sort the files (Philippe Kueck / John Frickson)
- nrpe can now write to a log file using 'log_file=' in nrpe.cfg (John Frickson)
- check_nrpe can now write to a log file using '--log-file=' or '-g' options (John Frickson)
FIXES
- Added missing debugging syslog entries, and changed printf()'s to syslog()'s. (Jobst Schmalenbach)
- Fix help output for ssl option (configure) (Ruben Kerkhof)
- Fixes to README.SSL.md and SECURITY.md (Elan Ruusamäe)
- Changed the 'check_load' command in nrpe.cfg.in (minusdavid)
- Cleanup of config.h.in suggested by Ruben Kerkhof
- Minor change to logging in check_nrpe (John Frickson)
- Solaris 11 detection is broken in configure (John Frickson)
- Removed function `b64_decode` which wasn't being used (John Frickson)
- check_nrpe ignores -a option when -f option is specified (John Frickson)
- Added missing LICENSE file (John Frickson)
- Off-by-one BO in my_system() (John Frickson)
- Got rid of some compiler warnings (Stefan Krüger / John Frickson)
- Add SOURCE_DATE_EPOCH specification support for reproducible builds. (Bas Couwenberg)
- nrpe 3.0.1 allows TLSv1 and TLSv1.1 when I configure for TLSv1.2+ (John Frickson)
- "Remote %s accepted a Version %s Packet", please add to debug (John Frickson)
- nrpe 3.0.1 segfaults when key and/or cert are broken symlinks (John Frickson)
- Fixed a couple of typos in docs/NRPE.* files (Ludmil Meltchev)
- Changed release date to ISO format (yyyy-mm-dd) (John Frickson)
- Fix systemd unit description (Bas Couwenberg)
- Add reload command to systemd service file (Bas Couwenberg)
- fix file not found error when updating version (Sven Nierlein)
- Spelling fixes (Josh Soref)
- Return UNKNOWN when check_nrpe cannot communicate with nrpe and -u set (John Frickson)
- xinetd.d parameter causes many messages in log file (John Frickson)
- Fixes for openssl 1.1.x (Stephen Smoogen / John Frickson)
- PATH and other environment variables not set with numeric nrpe_user (John Frickson)
- rpmbuild -ta nrpe-3.0.1.tar.gz failed File not found: /etc/init.d/nrpe (bvandi / John Frickson)
3.0.1 - 2016-09-08
------------------
FIXES
- _set_rc: command not found reported by init script (John Frickson)
- Version string contains name (John Frickson)
- Changes to get 'rpmbuild' to work - nrpe.spec file outdated (John Frickson)
- typo in startup/default-xinetd.in (Philippe Kueck)
- debug output missing command name (Philippe Kueck)
- /usr/lib/tmpfiles.d/ndo2db.conf should have 'd' type, not 'D' (John Frickson)
- Fixes in parse_allowed_hosts() and called functions (Jobst Schmalenbach / John Frickson)
- nrpe.cfg: 'debug' statement needs to be first in file (Jobst Schmalenbach / John Frickson)
3.0 - 2016-08-01
-----------------
SECURITY
- Fix for CVE-2014-2913
- Added function to clean the environment before forking. (John Frickson)
ENHANCEMENTS
- Added support for optional config file to check_nrpe. With the new SSL
parameters, the line was getting long. The config file is specified with
--config-file=<path> or -f <path> parameters. The config file must look
like command line options, but the options can be on separate lines. It
MUST NOT include --config-file (-f), --command (-c) or --args (-a). If any
options are in both the config file and on the command line, the command line
options are used.
- make can now add users and groups using "make install-groups-users" (John Frickson)
- Added "nrpe-uninstall" script to the same directory nrpe get installed to (John Frickson)
- Updated code so configure && make will work on AIX, HP-UX, Solaris, OS X.
There should be no errors or warnings. Let me know if any errors or
warning appear (John Frickson)
- Added command-line option to prevent forking, since some of the init
replacements (such as systemd, etc.) don't want daemons to fork (John Frickson)
- Added autoconf macros and additional files to better support multi-platform
config and compile. The default will still set up to install to
/usr/local/nagios but I added a new configure option:
'--enable-install-method=<method>'. If <method> is 'opt', everything will
install to '/opt/nagios'. If <method> is 'os', installation will be to O/S-
and distribution-specific locations, such as /usr/sbin, /usr/lib/nagios,
/etc/nagios, and so on.
- Added additional init and inetd config files to support more systems,
including SuSE, Debian, Slackware, Gentoo, *BSD, AIX, HP-UX, Solaris, OS X.
- Added listen_queue_size as configuration option (Vadim Antipov, Kaspersky Lab)
- Reworked SSL/TLS. See the README.SSL.md file for full info. (John Frickson)
- Added support for version 3 variable sized packets up to 64KB. nrpe will
accept either version from check_nrpe. check_nrpe will try to send a
version 3 packet first, and fall back to version 2. check_nrpe can be forced
to only send version 2 packets if the switch `-2` is used. (John Frickson)
- Added extended timeout syntax in the -t <secs>:<status> format. (ABrist)
FIXES
- Fixed configure to check more places for SSL headers/libs. (John Frickson)
- Added ifdefs for complete_SSL_shutdown to compile without SSL. (Matthew L. Daniel)
- Renamed configure.in to configure.ac and added check for sigaction (John Frickson)
- Replaced all instances of signal() with sigaction() + blocking (John Frickson)
- check_nrpe does not parse passed arguments correctly (John Frickson)
- NRPE should not start if cannot write pid file (John Frickson)
- Fixed out-of-bounds error (return code 255) for some failures (John Frickson)
- Connection Timeout and Connection Refused messages need a new line (Andrew Widdersheim)
- allowed_hosts doesn't work, if one of the hostnames can't be resolved by dns (John Frickson)
- allowed_hosts doesn't work with a hostname resolving to an IPv6 address (John Frickson)
- Return UNKNOWN when issues occur (Andrew Widdersheim)
- NRPE returns OK if check can't be executed (Andrew Widdersheim)
- nrpe 2.15 [regression in Added SRC support on AIX - 2.14] (frphoebus)
- compile nrpe - Solaris 9 doesn't have isblank() (lilo, John Frickson)
- sample configuration for check_load has crazy sample load avg (ernestoongaro)
2.15 - 09/06/2013
-----------------
- Now compiles on HP-UX (Grant Byers)
- Added support for IPv6 (Leo Baltus, Eric Stanley)
2.14 - 12/21/2012
-----------------
- Added configure option to allow bash command substitutions, disabled by default [bug #400] (Eric Stanley)
- Patched to shutdown SSL connection completely (Jari Takkala)
- Added SRC support on AIX (Thierry Bertaud)
- Updated RPM SPEC file to support creating RPMs on AIX (Eric Stanley)
- Updated logging to support compiling on AIX (Eric Stanley)
2.13 - 11/11/2011
-----------------
- Applied Kaspersky Labs supplied patch for extending allowed_hosts (Konstantin Malov)
- Fixed bug in allowed_hosts parsing (Eric Stanley)
- Updated to support compiling on Solaris 10 (thanks to Kevin Pendleton)
2.12 - 03/10/2008
-----------------
- Fix for unterminated multiline plugin (garbage) output (Krzysztof Oledzki)
2.11 - 12/26/2007
-----------------
- Added lib64 library paths to configure script for 64-bit systems (John Maag)
- Added --with-ssl-lib configure script option
- Added --with-log-facility option to control syslog logging (Ryan Ordway and Brian Seklecki)
2.10 - 10/19/2007
-----------------
- Moved PDF docs to docs/ subdirectory, added OpenOffice source document
- A critical result is now returned for child processed that die due to a signal (Klas Lindfors)
2.9 - 08/13/2007
----------------
- Fixed bug with --with-nrpe-group configure script option (Graham Collinson)
- Fixed bug with check_disk thresholds in sample config file (Patric Wust)
- Added NRPE_PROGRAMVERSION and NRPE_MULTILINESUPPORT environment variables
for scripts that need to detect NRPE version and capabilities (Gerhard Lausser)
- Added asprintf() support for systems that are missing it (Samba team)
2.8.1 - 05/10/2007
-----------------
- Fixed configure script error with user-specified NRPE group
2.8 - 05/08/2007
---------------
- Added support for multiline plugin output (limited to 1KB at the moment) (Matthias Flacke)
2.8b1 - 03/14/2007
-----------------
- Changes to sample config files
- Added ';' as an additional prohibited metachar for command arguments
- Updated documentation and added easier installation commands
2.7.1 - 03/08/2007
------------------
- Changed C++ style comment to C style to fix compilation errors on AIX (Ryan McGarry)
2.7 - 02/18/2007
----------------
- Patches for detection SSL header and library locations (Andrew Boyce-Lewis)
- NRPE daemon will now partially ignore non-fatal configuration file errors and attempt to startup (Andrew Boyce-Lewis)
2.6 - 12/11/2006
----------------
- Added -u option to check_nrpe to return UNKNOWN states on socket timeouts (Bjoern Beutel)
- Added connection_timeout variable to NRPE daemon to catch dead client connections (Ton Voon)
- Added graceful timeout to check_nrpe to ensure connection to NRPE daemon is properly closed (Mark Plaksin)
2.5.2 - 06/30/2006
------------------
- Fixed incorrect service name in sample xinetd config file
- Added note on how to restart inetd for OpenBSD users (Robert Peaslee)
- Fix for nonblocking accept()s on systems that define EAGAIN differently than EWOULDBLOCK (Gerhard Lausser)
- Fix to (re)allow week random seed (Gerhard Lausser)
2.5.1 - 04/09/2006
------------------
- Patch to fix segfault if --no-ssl option is used (Sean Finney/Peter Palfrader)
2.5 - 04/06/2006
----------------
- (Re)added allowed_hosts option for systems that don't support TCP wrappers
- Fix for SSL errors under Solaris 8 (Niels Endres)
- Fix for config file directory inclusion on ReiserFS (Gerhard Lausser)
2.4 - 02/22/2006
----------------
- Added option to allow week random seed (Gerhard Lausser)
- Added optional command line prefix (Sean Finney)
- Added ability to reload config file with SIGHUP
- Fixed bug with location of dh.h include file
- Fixed bug with disconnect message in debug mode
2.3 - 01/23/2006
----------------
- Spec file fixes
- Removed errant PID file debugging code
- Fixed problem with trimming command definitions
2.2 - 01/22/2006
----------------
- Spec file fix
- Patch to add Tru64 and IRIX support (Ton Voon)
- Updated config.sub and config.guess
- Fixed bug with config file lines with only whitespace
- Fixed bug with missing getopt() command line option for -V
- Removed sample FreeBSD init script (now maintained by FreeBSD port)
- Added config file option for writing a PID file
2.1 - 01/19/2004
----------------
- Replaced host access list with TCP wrapper support
- Removed length restrictions for command names and command lines
- Configure script patch for getopt_long on Solaris
- Bug fixes for accept() on HP-UX 11.0
- Init script for SUSE Linux (Subhendu Ghosh)
- SSL protocol used is now limited to TLSv1
- Any output from plugins after first line is now ignored before
plugin process is closed
2.0 - 09/08/2003
----------------
- Added support for passing arguments to command
- NRPE daemon can no longer be run as root user/group
- Added getopt support
- Added 'include' variable to config file to allow inclusion
of external config files
- Added 'include_dir' variable to allow inclusion of external
config files in directories (with recursion)
- Added native SSL support (Derrick Bennett)
- Added my_strsep(), as Solaris doesn't have strsep()
- Added license exemption for use with OpenSSL
1.8 - 01/16/2003
----------------
- Daemon now closes stdio/out/err properly (James Peterson)
- Makefile changes (James Peterson)
- Mode command line option bug fix in daemon
- Fixed incorrect command line options in check_nrpe plugin
1.7 - 01/08/2003
----------------
- Spec file updates and minor bug fixes (James Peterson)
- Bug fix with default nrpe port definition
- Added sample xinetd config file (nrpe.xinetd)
- Bug fix for command_timeout variable (James Peterson)
1.6 - 12/30/2002
----------------
- Updated sample commands to match new plugin argument format
- Added sample init scripts for FreeBSD and Debian (Andrew Ryder)
- Syntax changes (-H option specifies host name in check_nrpe,
-c option specifies config file in nrpe)
- Added command_timeout directive to config file to allow user
to specify timeout for executing plugins
- Added spec file and misc patches for building RPMs (James Peterson)
- Added --with-nrpe-port config directive (James Peterson)
1.5 - 06/03/2002
----------------
- Added setuid/setgid option to config file (suggested by Marek Cervenka)
1.4 - 06/01/2002
----------------
- Changed STATE_UNKNOWN to value of 3 instead of -1 (old style)
- Minor doc and sample config file changes
1.3 - 02/21/2002
----------------
- Name and version change
- Ignore SIGHUP, minor cleanup (Jon Andrews)
1.2.5 - 12/22/2001
------------------
- Implemented Beej's sendall() to handle partial send()s
- Added instructions on running under xinetd to README
- Removed some old crud
1.2.4 - 02/22/2001
------------------
- I forgot what changes I made. Go figure...
1.2.3 - 12/21/2000
------------------
- A bit more documentation on configuring command definitions for the plugin
1.2.2 - 06/05/2000
------------------
- Fixed error in docs for running under inetd using TCP wrappers
- Replaced old email address in src/netutils.h with new one
1.2.1 - 05/07/2000
------------------
- Removed trapping of SIGCHLD
- Changed wait4() to waitpid() to allow compilation on HP-UX and AIX
1.2.0 - 04/18/2000
------------------
- Server forks twice after accepting a client connection, so as to prevent the
creation of zombies
1.1.5 - 04/07/2000
------------------
- Fixed a small bug where one debug message was not getting logged properly
1.1.4 - 03/30/2000
------------------
- Added option to disable/enable debug messages using the debug option in the
config file
1.1.3 - 03/11/2000
------------------
- Changed config file to use an absolute path
- Changed all debug output to use syslog (Rene Klootwijk)
- No convert all data to network order before sending it and convert it back to
host order when receiving it. This makes it possible to mix Solaris and Linux,
e.g. running check_nrpe on Linux and nrpe on Solaris. (Rene Klootwijk)
1.1.2 - 03/07/2000
------------------
- Removed unnecessary code in signal handler routine
- Unused signals are no longer trapper
1.1.1 - 02/28/2000 - RKL
---------------------------
- Modified syslog code to include string describing the error code.
- Changed hardcoded number in signal handler to its name. This prevented nrpe
to run on Solaris.
- Fixed race condition in accept loop. The result of accept should also be
checked for EINTR.
- Modified recv and send function calls to compile without warnings on Solaris.
- Modified configure.in,configure and Makefile.in to include nsl and socket libs
for Solaris.
- Modified the signal handler to reestablish itself after being called.
1.1 - 02/24/2000 - Rene Klootwijk <rene@klootwijk.org>
-----------------
- Added ability to bind nrpe to a specific interface by specifying the address
of this interface in the nrpe.cfg file (e.g. server_address=192.168.2.3)
1.0 - 02/16/2000
------------------
- Added ability to run as a service under inetd
1.0b6 - 02/01/2000
------------------
- Added configure script
- Netutils functions from the NetSaint plugins is now used
- Reset SIGCHLD to default behavior before calling popen() to
prevent race condition with pclose() (Reported by Rene Klootwijk)
- Cleaned up code
1.0b5 - 01/10/2000
------------------
- Added init script contributed by Jacob L
- Incorporated syslog code and other patches contributed by Jacob L
1.0b4 - 11/04/1999
------------------
- Changed 'allowed_ip' option in configuration file to
'allowed_hosts' and added support for multiple hosts
- Minor buffer overflow protection fixes
- main() returned STATE_UNKNOWN on successful launch, changed to STATE_OK (jaclu@grm.se)
- Added syslog support (jaclu@grm.se)

339
LICENSE
View File

@ -1,339 +0,0 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License.

264
LICENSE.md Normal file
View File

@ -0,0 +1,264 @@
The GNU General Public License, Version 2, June 1991 (GPLv2)
============================================================
> Copyright (C) 1989, 1991 Free Software Foundation, Inc.
> 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
Everyone is permitted to copy and distribute verbatim copies of this license
document, but changing it is not allowed.
Preamble
--------
The licenses for most software are designed to take away your freedom to share
and change it. By contrast, the GNU General Public License is intended to
guarantee your freedom to share and change free software--to make sure the
software is free for all its users. This General Public License applies to most
of the Free Software Foundation's software and to any other program whose
authors commit to using it. (Some other Free Software Foundation software is
covered by the GNU Lesser General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not price. Our
General Public Licenses are designed to make sure that you have the freedom to
distribute copies of free software (and charge for this service if you wish),
that you receive source code or can get it if you want it, that you can change
the software or use pieces of it in new free programs; and that you know you can
do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny
you these rights or to ask you to surrender the rights. These restrictions
translate to certain responsibilities for you if you distribute copies of the
software, or if you modify it.
For example, if you distribute copies of such a program, whether gratis or for a
fee, you must give the recipients all the rights that you have. You must make
sure that they, too, receive or can get the source code. And you must show them
these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2) offer
you this license which gives you legal permission to copy, distribute and/or
modify the software.
Also, for each author's protection and ours, we want to make certain that
everyone understands that there is no warranty for this free software. If the
software is modified by someone else and passed on, we want its recipients to
know that what they have is not the original, so that any problems introduced by
others will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software patents. We wish
to avoid the danger that redistributors of a free program will individually
obtain patent licenses, in effect making the program proprietary. To prevent
this, we have made it clear that any patent must be licensed for everyone's free
use or not licensed at all.
The precise terms and conditions for copying, distribution and modification
follow.
Terms And Conditions For Copying, Distribution And Modification
---------------------------------------------------------------
**0.** This License applies to any program or other work which contains a notice
placed by the copyright holder saying it may be distributed under the terms of
this General Public License. The "Program", below, refers to any such program or
work, and a "work based on the Program" means either the Program or any
derivative work under copyright law: that is to say, a work containing the
Program or a portion of it, either verbatim or with modifications and/or
translated into another language. (Hereinafter, translation is included without
limitation in the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not covered by
this License; they are outside its scope. The act of running the Program is not
restricted, and the output from the Program is covered only if its contents
constitute a work based on the Program (independent of having been made by
running the Program). Whether that is true depends on what the Program does.
**1.** You may copy and distribute verbatim copies of the Program's source code
as you receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice and
disclaimer of warranty; keep intact all the notices that refer to this License
and to the absence of any warranty; and give any other recipients of the Program
a copy of this License along with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at
your option offer warranty protection in exchange for a fee.
**2.** You may modify your copy or copies of the Program or any portion of it,
thus forming a work based on the Program, and copy and distribute such
modifications or work under the terms of Section 1 above, provided that you also
meet all of these conditions:
* **a)** You must cause the modified files to carry prominent notices stating
that you changed the files and the date of any change.
* **b)** You must cause any work that you distribute or publish, that in whole
or in part contains or is derived from the Program or any part thereof, to
be licensed as a whole at no charge to all third parties under the terms of
this License.
* **c)** If the modified program normally reads commands interactively when
run, you must cause it, when started running for such interactive use in the
most ordinary way, to print or display an announcement including an
appropriate copyright notice and a notice that there is no warranty (or
else, saying that you provide a warranty) and that users may redistribute
the program under these conditions, and telling the user how to view a copy
of this License. (Exception: if the Program itself is interactive but does
not normally print such an announcement, your work based on the Program is
not required to print an announcement.)
These requirements apply to the modified work as a whole. If identifiable
sections of that work are not derived from the Program, and can be reasonably
considered independent and separate works in themselves, then this License, and
its terms, do not apply to those sections when you distribute them as separate
works. But when you distribute the same sections as part of a whole which is a
work based on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the entire whole,
and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your
rights to work written entirely by you; rather, the intent is to exercise the
right to control the distribution of derivative or collective works based on the
Program.
In addition, mere aggregation of another work not based on the Program with the
Program (or with a work based on the Program) on a volume of a storage or
distribution medium does not bring the other work under the scope of this
License.
**3.** You may copy and distribute the Program (or a work based on it, under
Section 2) in object code or executable form under the terms of Sections 1 and 2
above provided that you also do one of the following:
* **a)** Accompany it with the complete corresponding machine-readable source
code, which must be distributed under the terms of Sections 1 and 2 above on
a medium customarily used for software interchange; or,
* **b)** Accompany it with a written offer, valid for at least three years, to
give any third party, for a charge no more than your cost of physically
performing source distribution, a complete machine-readable copy of the
corresponding source code, to be distributed under the terms of Sections 1
and 2 above on a medium customarily used for software interchange; or,
* **c)** Accompany it with the information you received as to the offer to
distribute corresponding source code. (This alternative is allowed only for
noncommercial distribution and only if you received the program in object
code or executable form with such an offer, in accord with Subsection b
above.)
The source code for a work means the preferred form of the work for making
modifications to it. For an executable work, complete source code means all the
source code for all modules it contains, plus any associated interface
definition files, plus the scripts used to control compilation and installation
of the executable. However, as a special exception, the source code distributed
need not include anything that is normally distributed (in either source or
binary form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component itself
accompanies the executable.
If distribution of executable or object code is made by offering access to copy
from a designated place, then offering equivalent access to copy the source code
from the same place counts as distribution of the source code, even though third
parties are not compelled to copy the source along with the object code.
**4.** You may not copy, modify, sublicense, or distribute the Program except as
expressly provided under this License. Any attempt otherwise to copy, modify,
sublicense or distribute the Program is void, and will automatically terminate
your rights under this License. However, parties who have received copies, or
rights, from you under this License will not have their licenses terminated so
long as such parties remain in full compliance.
**5.** You are not required to accept this License, since you have not signed
it. However, nothing else grants you permission to modify or distribute the
Program or its derivative works. These actions are prohibited by law if you do
not accept this License. Therefore, by modifying or distributing the Program (or
any work based on the Program), you indicate your acceptance of this License to
do so, and all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
**6.** Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the original
licensor to copy, distribute or modify the Program subject to these terms and
conditions. You may not impose any further restrictions on the recipients'
exercise of the rights granted herein. You are not responsible for enforcing
compliance by third parties to this License.
**7.** If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues), conditions
are imposed on you (whether by court order, agreement or otherwise) that
contradict the conditions of this License, they do not excuse you from the
conditions of this License. If you cannot distribute so as to satisfy
simultaneously your obligations under this License and any other pertinent
obligations, then as a consequence you may not distribute the Program at all.
For example, if a patent license would not permit royalty-free redistribution of
the Program by all those who receive copies directly or indirectly through you,
then the only way you could satisfy both it and this License would be to refrain
entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under any
particular circumstance, the balance of the section is intended to apply and the
section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any patents or
other property right claims or to contest validity of any such claims; this
section has the sole purpose of protecting the integrity of the free software
distribution system, which is implemented by public license practices. Many
people have made generous contributions to the wide range of software
distributed through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing to
distribute software through any other system and a licensee cannot impose that
choice.
This section is intended to make thoroughly clear what is believed to be a
consequence of the rest of this License.
**8.** If the distribution and/or use of the Program is restricted in certain
countries either by patents or by copyrighted interfaces, the original copyright
holder who places the Program under this License may add an explicit
geographical distribution limitation excluding those countries, so that
distribution is permitted only in or among countries not thus excluded. In such
case, this License incorporates the limitation as if written in the body of this
License.
**9.** The Free Software Foundation may publish revised and/or new versions of
the General Public License from time to time. Such new versions will be similar
in spirit to the present version, but may differ in detail to address new
problems or concerns.
Each version is given a distinguishing version number. If the Program specifies
a version number of this License which applies to it and "any later version",
you have the option of following the terms and conditions either of that version
or of any later version published by the Free Software Foundation. If the
Program does not specify a version number of this License, you may choose any
version ever published by the Free Software Foundation.
**10.** If you wish to incorporate parts of the Program into other free programs
whose distribution conditions are different, write to the author to ask for
permission. For software which is copyrighted by the Free Software Foundation,
write to the Free Software Foundation; we sometimes make exceptions for this.
Our decision will be guided by the two goals of preserving the free status of
all derivatives of our free software and of promoting the sharing and reuse of
software generally.
No Warranty
-----------
**11.** BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR
THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE
STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM
"AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
**12.** IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA
BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER
OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

9
Makefile.in
View File

@ -1,10 +1,9 @@
###############################
# Makefile for NRPE
#
# Last Modified: 03-14-2007
# NRPE Makefile
#
###############################
# Source code directories
SRC_BASE=./src/
SRC_INCLUDE=./include/
@ -110,6 +109,10 @@ install-init:
echo svccfg import $(INIT_DIR)/$(INIT_FILE); \
svccfg import $(INIT_DIR)/$(INIT_FILE); \
echo "*** Run 'svcadm enable nrpe' to start it"; \
elif test $(INIT_TYPE) = gentoo; then\
$(INSTALL) -m 755 startup/$(SRC_INIT) $(INIT_DIR)/$(INIT_FILE); \
echo rc-update add nrpe default; \
rc-update add nrpe default; \
else\
echo $(INSTALL) -m 755 startup/$(SRC_INIT) $(INIT_DIR)/$(INIT_FILE); \
$(INSTALL) -m 755 startup/$(SRC_INIT) $(INIT_DIR)/$(INIT_FILE); \

67
README.SSL.md
View File

@ -1,16 +1,27 @@
NRPE With SSL/TLS
=================
##Contents
1. [Introduction](#intro)
2. [NRPE Changes](#nrpe)
3. [check_nrpe Changes](#chk)
4. [Certificate Generation Example](#xmp)
This document covers the different methods of SSL transport
that NRPE allows for.
<a id=intro></a>
If there was a TL;DR here, it is these:
------------
###Introduction
### Don't use NRPE without encryption
and
### Use Public Key Encryption
Contents
--------
1. [Introduction](#introduction)
2. [NRPE Changes](#nrpe-changes)
3. [check_nrpe Changes](#check_nrpe-changes)
4. [Certificate Generation Example](#certificate-generation-example)
Introduction
------------
NRPE has had basic support for SSL/TLS for some time now, but it was
@ -19,17 +30,16 @@ exchange, it used a fixed 512-bit key (generated at `./configure`
time and extremely insecure) and originally allowed SSLv2. In 2004,
SSLv2 and SSLv3 support was disabled.
nrpe and check_nrpe have been updated to offer much more secure
`nrpe` and `check_nrpe` have been updated to offer much more secure
encryption and more options. And the updates are done in a backward-
compatible way, allowing you to migrate to the newer versions
without having to do it all at once, and possibly miss updating some
machines, causing lost reporting.
<a id=nrpe></a>
------------------------------------------
###CHANGES IN THE CURRENT VERSION OF NRPE
------------------------------------------
NRPE Changes
------------
Running `./configure` will now create a 2048-bit DH key instead
of the old 512-bit key. The most current versions of openSSL will
@ -52,8 +62,8 @@ If you are upgrading NRPE from a prior version, you can run the
The `ssl_version` directive lets you set which versions of SSL/TLS
you want to allow. SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 are
allowed, or those litereals with a `+` after them (as in TLSv1.1+).
Without the `+`, that version _only_ will be used. With the `+`,
that version _or above_ will be used. openSSL will always negotiate
Without the `+`, *that version only* will be used. With the `+`,
that *version or above* will be used. openSSL will always negotiate
the highest available allowed version available on both ends. This
directive currently defaults to `TLSv1+`.
@ -61,7 +71,7 @@ The `ssl_use_adh` directive is **DEPRECATED**, even though it is new.
Possible values are `0` to not allow ADH at all, `1` to allow ADH,
and `2` to require ADH. The `2` should never be required, but it's
there just in case it's needed, for whatever reason. `1` is currently
the default, which allows older check_nrpe plugins to connect using
the default, which allows older `check_nrpe` plugins to connect using
ADH. When all the plugins are migrated to the newer version, it
should be set to `0`. In an upcoming version of NRPE, ADH will no
longer be allowed at all. Note that if you use a `2` here, NRPE will
@ -103,13 +113,11 @@ This can be especially helpful during plugin migration, so you can
tell which plugins have certificates, what SSL/TLS version is being
used, and which ciphers are being used.
<a id=chk></a>
------------------------------------------------
###CHANGES IN THE CURRENT VERSION OF CHECK_NRPE
------------------------------------------------
check_nrpe Changes
------------------
The check_nrpe plugin has also been updated to provide more secure
The `check_nrpe` plugin has also been updated to provide more secure
encryption and allow the use of client certificates. The command line
has several new options, which are outlined below. Both the long and
short arguments are presented.
@ -145,11 +153,10 @@ data to syslog. OR (or add) values together to have more than one
option enabled. See the description of the `ssl_logging` directive
from NRPE above.
<a id=xmp></a>
----------------------------------
###Certificate Generation Example
----------------------------------
Certificate Generation Example
------------------------------
**Note** _The following example does not follow best practice for
creating and running a CA or creating certificates. It is for testing
@ -166,7 +173,7 @@ is called `nag_serv`; and there are two Linux machines that will
run the nrpe daemon: `db_server` and `bobs_workstation`.
####Set up the directories
#### Set up the directories
As root, do the following:
@ -181,7 +188,7 @@ As root, do the following:
chown root:nagios client_certs
####Create Certificate Authority
#### Create Certificate Authority
If you want to validate client or server certificates, you will need
to create a Certificate Authority (CA) that will sign all client and
@ -203,7 +210,7 @@ probably want to include `CA` or `Certificate Authority` in for
Common Name (e.g. server FQDN or YOUR name) []:Foo Nagios CA
####Create NRPE Server Certificate Requests
#### Create NRPE Server Certificate Requests
For each of the hosts that will be running the nrpe daemon, you will
need a server certificate. You can create a key, and the CSR
@ -228,7 +235,7 @@ If you have the default `/etc/openssl.cnf`, either change it, or as root, do:
mkdir demoCA
mkdir demoCA/newcerts
touch demoCA/index.txt
echo "01" > demoCA/serial
echo "01" > demoCA/serial
chown -R root:root demoCA
chmod 700 demoCA
chmod 700 demoCA/newcerts
@ -257,7 +264,7 @@ db_server machine, and the `bobs_workstation.pem` and
`ca/ca_cert.pem` file to both machines.
####Create NRPE Client Certificate Requests
#### Create NRPE Client Certificate Requests
Now you need to do the same thing for the machine that will be
running the check_nrpe program.

296
README.md
View File

@ -1,13 +1,30 @@
NRPE README
===========
![Nagios!](https://www.nagios.com/wp-content/uploads/2015/05/Nagios-Black-500x124.png)
[![Build Status](https://travis-ci.org/NagiosEnterprises/nrpe.svg?branch=master)](https://travis-ci.org/NagiosEnterprises/nrpe)
NRPE
====
## Nagios Remote Plugin Executor
For installation instructions and information on the design overview
of the NRPE addon, please read the PDF documentation that is found in
this directory: `docs/NRPE.pdf`
this directory: `docs/NRPE.pdf`.
If you are upgrading from a previous version, run 'update-cfg.pl' to
If you are upgrading from a previous version, you'll want to
check the [Changelog](CHANGELOG.md) and then run `./update-cfg.pl` to
add the new SSL parameters to your config file.
TL;DR: You can jump straight to [Compiling](#compiling) and
[Installing](#installing)
You'll want to read up on the [Security](SECURITY.md) document
regarding NRPE, no doubt.
And make sure to check out the [SSL Readme](README.SSL.md) as well,
if you plan on using encryption methods to transmit `nrpe` data.
Purpose
-------
@ -20,69 +37,126 @@ Contents
There are two pieces to this addon:
1) **NRPE** - This program runs as a background process on the
remote host and processes command execution requests
from the check_nrpe plugin on the Nagios host.
Upon receiving a plugin request from an authorized
host, it will execute the command line associated
with the command name it received and send the
program output and return code back to the
check_nrpe plugin
1. `nrpe`
2) **check_nrpe** - This is a plugin that is run on the Nagios host
and is used to contact the NRPE process on remote
hosts. The plugin requests that a plugin be
executed on the remote host and wait for the NRPE
process to execute the plugin and return the result.
The plugin then uses the output and return code
from the plugin execution on the remote host for
its own output and return code.
This program runs as a background process on the
remote host and processes command execution requests
from the check_nrpe plugin on the Nagios host.
Upon receiving a plugin request from an authorized
host, it will execute the command line associated
with the command name it received and send the
program output and return code back to the
check_nrpe plugin
2. `check_nrpe`
This is a plugin that is run on the Nagios host
and is used to contact the NRPE process on remote
hosts. The plugin requests that a plugin be
executed on the remote host and wait for the NRPE
process to execute the plugin and return the result.
The plugin then uses the output and return code
from the plugin execution on the remote host for
its own output and return code.
Compiling
---------
The code is very basic and may not work on your particular
system without some tweaking. If you are having any problems
compiling on your system, please let us know, hopefully with
fixes. Most users should be able to compile NRPE and the
check_nrpe plugin with the following commands...
If you are having any problems compiling on your system,
please let us know (preferrably with fixes). Most users
should be able to compile `nrpe` and the `check_nrpe`
plugin with the following commands...
./configure
make all
The binaries will be located in the `src/` directory after you
run `make all` and will have to be installed manually somewhere
on your system.
***HINT:*** `./configure --help`
_NOTE: Since the check_nrpe plugin and nrpe daemon run on different
machines (the plugin runs on the Nagios host and the daemon
runs on the remote host), you will have to compile the nrpe
daemon on the target machine._
**NOTE:** If you're cloning from GitHub, you'll need to run
`autoconf` first.
**NOTE:** Since the check_nrpe plugin and nrpe daemon run
on different machines (the plugin runs on the Nagios host and
the daemon runs on the remote host), you will have to compile
the nrpe daemon on the target machine.
Installing
----------
The check_nrpe plugin should be placed on the Nagios host along
with your other plugins. In most cases, this will be in the
`/usr/local/nagios/libexec` directory.
You have a few options here. The binaries created from `make all`
were placed in your `src/` directory. You can either copy these
where they need to be, or you can run any of the following
`make install` options:
The nrpe program and the configuration file `nrpe.cfg` should
be placed somewhere on the remote host. Note that you will also
have to install some plugins on the remote host if you want to
make much use of this addon.
* `make install-groups-users`
Add the users and groups sepcified during `./configure`. Defaults
to nagios and nagios, respectively. You can override these with the
`./configure --with-nrpe-user=USER --with-nrpe-group=GROUP`.
* `make install`
This will run both `install-plugin` and `install-daemon`.
* `make install-plugin`
This will install the plugin by default in
`/usr/local/nagios/libexec`. You can override this
behavior by using the `--with-pluginsdir=DIR` flag during
`./configure`.
* `make install-daemon`
This will install the plugin by default in
`/usr/local/nagios/bin`. You can override this
behavior by using the `--prefix=DIR` or
`--bindir=DIR` flags during `./configure`.
* `make install-config`
This will install the sample config by default in
`/usr/local/nagios/etc`. You can override this
behavior by using the `--with-pkgsysconfdir=DIR`
flag during `./configure`.
* `make install-inetd`
`./configure` attempts to determine your inetd type.
If it finds it, it will install the appropriate inetd
script in the proper location. You can help it out with
`./configure --with-inetd-type=TYPE` where `TYPE` can be
one of: `inetd`, `xinetd`, `systemd`, `launchd`,
`smf10`, `smf11`.
* `make install-init`
`./configure` attempts to determine the appropriate
init type. If it figures it out, will install the
required startup script. You can help it out with
`./configure --with-init-type=TYPE` where TYPE can be
one of: `bsd`, `sysv`, `systemd`, `launchd`, `smf10`,
`smf11`, `upstart`, `openrc`.
If you used all the necessary `./configure` flags, you shouldn't
need to tweak your config file any at this point, and a simple
`service nrpe start` or `systemctl start nrpe.service` should
work just fine.
Configuring
-----------
Sample config files for the NRPE daemon are located in the
A sample config file for the NRPE daemon are located in the
`sample-config/` subdirectory.
If you used the proper flags during `./configure`, this file
should contain all of the appropriate information as a starting
point.
Running Under INETD or XINETD
-----------------------------
Running Under `inetd` or `xinetd`
---------------------------------
If you plan on running nrpe under inetd or xinetd and making use
of TCP wrappers, you need to add a line to your `/etc/services`
@ -93,72 +167,67 @@ file as follows (modify the port number as you see fit)
The run `make install-inetd` to copy the appropriate file, or
add the appropriate line to your `/etc/inetd.conf`.
_NOTE: If you run nrpe under inetd or xinetd, the server_port
and allowed_hosts variables in the nrpe configuration file are
ignored._
**NOTE:** If you run nrpe under inetd or xinetd, the server_port
and allowed_hosts variables in the nrpe configuration file are
ignored.
#### INETD
* `inetd`
After running `make install-inetd`, your `/etc/inetd.conf` file will
contain lines similar to the following:
After running `make install-inetd`, your `/etc/inetd.conf` file will
contain lines similar to the following:
```
#
# Enable the following entry to enable the nrpe daemon
#nrpe stream tcp nowait nagios /usr/local/nagios/bin/nrpe nrpe -c /usr/local/nagios/etc/nr
# Enable the following entry if the nrpe daemon didn't link with libwrap
#nrpe stream tcp nowait nagios /usr/sbin/tcpd /usr/local/nagios/bin/nrpe -c /usr/local/nag
```
# Enable the following entry to enable the nrpe daemon
#nrpe stream tcp nowait nagios /usr/local/nagios/bin/nrpe nrpe -c /usr/local/nagios/etc/nr
# Enable the following entry if the nrpe daemon didn't link with libwrap
#nrpe stream tcp nowait nagios /usr/sbin/tcpd /usr/local/nagios/bin/nrpe -c /usr/local/nag
Un-comment the appropriate line, then Restart inetd:
Un-comment the appropriate line, then Restart inetd:
/etc/rc.d/init.d/inet restart
/etc/rc.d/init.d/inet restart
OpenBSD users can use the following command to restart inetd:
OpenBSD users can use the following command to restart inetd:
kill -HUP `cat /var/run/inet.pid`
kill -HUP `cat /var/run/inet.pid`
Then add entries to your `/etc/hosts.allow` and `/etc/hosts.deny`
file to enable TCP wrapper protection for the nrpe service.
This is optional, although highly recommended.
Then add entries to your `/etc/hosts.allow` and `/etc/hosts.deny`
file to enable TCP wrapper protection for the nrpe service.
This is optional, although highly recommended.
#### XINETD
* `xinetd`
If your system uses xinetd instead of inetd, `make install-inetd`
will create a file called `nrpe` in your `/etc/xinetd.d`
directory that contains a file similar to this:
If your system uses xinetd instead of inetd, `make install-inetd`
will create a file called `nrpe` in your `/etc/xinetd.d`
directory that contains a file similar to this:
```
# default: off
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
disable = yes
socket_type = stream
port = @NRPE_PORT@
wait = no
user = nagios
group = nagios
server = /usr/local/nagios/bin/nrpe
server_args = -c /usr/local/nagios/etc/nrpe.cfg --inetd
only_from = 127.0.0.1
log_on_failure += USERID
}
```
# default: off
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
disable = yes
socket_type = stream
port = @NRPE_PORT@
wait = no
user = nagios
group = nagios
server = /usr/local/nagios/bin/nrpe
server_args = -c /usr/local/nagios/etc/nrpe.cfg --inetd
only_from = 127.0.0.1
log_on_failure += USERID
}
- Replace `disable = yes` with `disable = no`
- Replace the `127.0.0.1` field with the IP addresses of hosts which
are allowed to connect to the NRPE daemon. This only works if xinetd was
compiled with support for tcpwrappers.
- Add entries to your `/etc/hosts.allow` and `/etc/hosts.deny`
file to enable TCP wrapper protection for the nrpe service.
This is optional, although highly recommended.
* Replace `disable = yes` with `disable = no`
* Replace the `127.0.0.1` field with the IP addresses of hosts which
are allowed to connect to the NRPE daemon. This only works if xinetd was
compiled with support for tcpwrappers.
* Add entries to your `/etc/hosts.allow` and `/etc/hosts.deny`
file to enable TCP wrapper protection for the nrpe service.
This is optional, although highly recommended.
Restart xinetd:
* Restart xinetd:
/etc/rc.d/init.d/xinetd restart
/etc/rc.d/init.d/xinetd restart
Configuring Things On The Nagios Host
@ -173,8 +242,8 @@ to define a few things in the host config file. An example
command definition for the check_nrpe plugin would look like this:
define command{
command_name check_nrpe
command_line /usr/local/nagios/libexec/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
command_name check_nrpe
command_line /usr/local/nagios/libexec/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}
In any service definitions that use the nrpe plugin/daemon to
@ -183,24 +252,41 @@ of the definition to something like this (sample service definition
is simplified for this example):
define service{
host_name someremotehost
service_description someremoteservice
check_command check_nrpe!yourcommand
host_name someremotehost
service_description someremoteservice
check_command check_nrpe!yourcommand
... etc ...
}
where `yourcommand` is a name of a command that you define in
your nrpe.cfg file on the remote host (see the docs in the
your `nrpe.cfg` file on the remote host (see the docs in the
sample nrpe.cfg file for more information).
License Notice
--------------
NRPE - Nagios Remote Plugin Executor
Copyright (c) 2017 Nagios Enterprises
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
Questions?
----------
If you have questions about this addon, or problems getting things
working, first try searching the nagios-users mailing list archives.
Details on searching the list archives can be found at
http://www.nagios.org
If you don't find an answer there, post a message in the Nagios
Plugin Development forum at https://support.nagios.com/forum/viewforum.php?f=35
If you have questions about this addon, or encounter problems getting things
working along the way, your best bet for an answer or quick resolution is to check the
[Nagios Support Forums](https://support.nagios.com/forum/viewforum.php?f=5).

60
SECURITY.md
View File

@ -1,20 +1,19 @@
NRPE SECURITY README
====================
---
### TCP WRAPPER SUPPORT ###
TCP Wrapper Support
-------------------
NRPE 2.x includes native support for TCP wrappers. Once you
compile NRPE you can check to see if it has wrapper support
built in by running the daemon from the command line without
any arguments like this:
./nrpe --help
./nrpe --help
#### COMMAND ARGUMENTS ####
Command Arguments
-----------------
NRPE 2.0 includes the ability for clients to supply arguments to
commands which should be run. Please note that this feature
@ -22,7 +21,8 @@ should be considered a security risk, and you should only use
it if you know what you're doing!
#### BASH COMMAND SUBSTITUTION ####
Bash Command Substitution
-------------------------
Even with the metacharacter restrictions below, if command arguments
are enabled, it is still possible to send bash command substitutions
@ -32,7 +32,8 @@ configuration file option. Enabling this option is **VERY RISKY**
and its use is **HIGHLY DISCOURAGED**.
#### ENABLING ARGUMENTS ####
Enabling Arguments
------------------
To enable support for command argument in the daemon, you must
do two things:
@ -44,7 +45,8 @@ do two things:
file to `1`.
#### ENABLING BASH COMMAND SUBSTITUTION ####
Enabling Bash Command Substitution
----------------------------------
To enable support for arguments containing bash command substitutions,
you must do two things:
@ -58,56 +60,64 @@ you must do two things:
NRPE config file to `1`.
#### ILLEGAL METACHARS ####
Nasty Metacharacters
--------------------
To help prevent some nasty things from being done by evil
clients, the following metacharacters are not allowed
in client command arguments:
| ` & > < ' \ [ ] { } ; ! \r \n
| ` & > < ' \ [ ] { } ; ! \r \n
You can override these defaults by adjusting the `nasty_metachars`
flag in the config file.
Any client request which contains the above mentioned metachars
is discarded.
#### USER/GROUP RESTRICTIONS ####
User/Group Restrictions
-----------------------
The NRPE daemon cannot be run with (effective) root user/group
privileges. You must run the daemon with an account that does
not have superuser rights. Use the nrpe_user and nrpe_group
directives in the config file to specify which user/group the
daemon should run as.
not have superuser rights. Use the `--with-nrpe-user` and
`--with-nrpe-group` flags during `./configure`, or the `nrpe_user`
and `nrpe_group` config file options to specify which user/group
the daemon should run as.
#### ENCRYPTION ####
Encryption
----------
If you do enable support for command arguments in the NRPE daemon,
make sure that you encrypt communications either by using:
1. Stunnel (see http://www.stunnel.org for more info)
2. Native SSL support (See the `README.SSL.md` file for more info)
2. Native SSL support (See the [SSL Readme](README.SSL.md) file for more info)
*Do NOT* assume that just because the daemon is behind a firewall
that you are safe! Always encrypt NRPE traffic!
Do **NOT** assume that just because the daemon is behind a firewall
that you are safe! ***Always encrypt NRPE traffic!***
#### USING ARGUMENTS ####
Using Arguments
---------------
How do you use command arguments? Well, lets say you define a
command in the NRPE config file that looks like this:
command[check_users]=/usr/local/nagios/libexec/check_users -w $ARG1$ -c $ARG2$
command[check_users]=/usr/local/nagios/libexec/check_users -w $ARG1$ -c $ARG2$
You could then call the check_nrpe plugin like this:
./check_nrpe -H <host> -c check_users -a 5 10
./check_nrpe -H <host> -c check_users -a 5 10
The arguments '5' and '10' get substituted into the appropriate
$ARGx$ macros in the command ($ARG1$ and $ARG2$, respectively).
`$ARGx$` macros in the command (`$ARG1$` and `$ARG2$`, respectively).
The command that would be executed by the NRPE daemon would look
like this:
/usr/local/nagios/libexec/check_users -w 5 -c 10
/usr/local/nagios/libexec/check_users -w 5 -c 10
You can supply up to 16 arguments to be passed to the command
for substitution in $ARG$ macros ($ARG1$ - $ARG16$).
for substitution in `$ARG$` macros (`$ARG1$` - `$ARG16$`).

6
THANKS
View File

@ -8,6 +8,7 @@ Bas Couwenberg
Bill Mitchell
Bjoern Beutel
Brian Seklecki
Bryan Heden
Derrick Bennett
Elan Ruusamäe
Eric Mislivec
@ -16,10 +17,12 @@ Gerhard Lausser
Graham Collinson
Grant Byers
Grégory Starck
jaclu@grm.se
James Peterson
Jari Takkala
Jason Cook
Jobst Schmalenbach
John Frickson
John Maag
Jon Andrews
Josh Soref
@ -48,5 +51,4 @@ Subhendu Ghosh
Sven Nierlein
Thierry Bertaud
Ton Voon
Vadim Antipov
jaclu@grm.se
Vadim Antipov

41
configure vendored
View File

@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for nrpe 3.1.1.
# Generated by GNU Autoconf 2.69 for nrpe newdate.
#
# Report bugs to <nagios-users@lists.sourceforge.net>.
#
@ -580,8 +580,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='nrpe'
PACKAGE_TARNAME='nrpe'
PACKAGE_VERSION='3.1.1'
PACKAGE_STRING='nrpe 3.1.1'
PACKAGE_VERSION='newdate'
PACKAGE_STRING='nrpe newdate'
PACKAGE_BUGREPORT='nagios-users@lists.sourceforge.net'
PACKAGE_URL='https://www.nagios.org/downloads/nagios-core-addons/'
@ -1320,7 +1320,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures nrpe 3.1.1 to adapt to many kinds of systems.
\`configure' configures nrpe newdate to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1370,7 +1370,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of nrpe 3.1.1:";;
short | recursive ) echo "Configuration of nrpe newdate:";;
esac
cat <<\_ACEOF
@ -1516,7 +1516,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
nrpe configure 3.1.1
nrpe configure newdate
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@ -2122,7 +2122,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by nrpe $as_me 3.1.1, which was
It was created by nrpe $as_me newdate, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@ -2487,9 +2487,9 @@ ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var.
PKG_NAME=nrpe
PKG_VERSION="3.1.1"
PKG_VERSION="3.2.1"
PKG_HOME_URL="http://www.nagios.org/"
PKG_REL_DATE="2017-05-24"
PKG_REL_DATE="2017-09-01"
RPM_RELEASE=1
LANG=C
@ -3041,12 +3041,6 @@ fi
;;
esac
if test x"$inetd_type" = x; then
if test x"$init_type" = "xupstart"; then
inetd_type="upstart"
fi
fi
if test x"$inetd_type" = x; then
if test -f /etc/xinetd.conf -a -d /etc/xinetd.d; then
inetd_disabled="(Not running)"
@ -3057,6 +3051,12 @@ esac
fi
fi
if test x"$inetd_type" = x; then
if test x"$init_type" = "xupstart"; then
inetd_type="upstart"
fi
fi
if test x"$inetd_type" = x; then
if test x"$init_type" = "xsystemd"; then
inetd_type="systemd"
@ -3686,6 +3686,7 @@ eval webdir=$webdir
eval localedir=$localedir
eval sysconfdir=$sysconfdir
eval pkgsysconfdir=$pkgsysconfdir
eval logdir=$logdir
eval piddir=$piddir
#
@ -4348,7 +4349,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by nrpe $as_me 3.1.1, which was
This file was extended by nrpe $as_me newdate, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -4402,7 +4403,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
nrpe config.status 3.1.1
nrpe config.status newdate
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
@ -7292,7 +7293,7 @@ fi
if test x$check_for_ssl = xyes; then
# need_dh should only be set for NRPE
# need_dh=yes
#need_dh=yes
# -------------------------------
@ -8284,7 +8285,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by nrpe $as_me 3.1.1, which was
This file was extended by nrpe $as_me newdate, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@ -8347,7 +8348,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
nrpe config.status 3.1.1
nrpe config.status newdate
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"

8
configure.ac
View File

@ -5,15 +5,15 @@ define([AC_CACHE_LOAD],)
define([AC_CACHE_SAVE],)
m4_include([build-aux/custom_help.m4])
AC_INIT([nrpe],[3.1.1],[nagios-users@lists.sourceforge.net],[nrpe],[https://www.nagios.org/downloads/nagios-core-addons/])
AC_INIT([nrpe],[newdate],[nagios-users@lists.sourceforge.net],[nrpe],[https://www.nagios.org/downloads/nagios-core-addons/])
AC_CONFIG_SRCDIR([src/nrpe.c])
AC_CONFIG_AUX_DIR([build-aux])
AC_PREFIX_DEFAULT(/usr/local/nagios)
PKG_NAME=nrpe
PKG_VERSION="3.1.1"
PKG_VERSION="3.2.1"
PKG_HOME_URL="http://www.nagios.org/"
PKG_REL_DATE="2017-05-24"
PKG_REL_DATE="2017-09-01"
RPM_RELEASE=1
LANG=C
@ -313,7 +313,7 @@ AC_ARG_WITH([need_dh],
dnl Optional SSL library and include paths
if test x$check_for_ssl = xyes; then
# need_dh should only be set for NRPE
# need_dh=yes
#need_dh=yes
AC_NAGIOS_GET_SSL
fi

15
include/acl.h
View File

@ -1,9 +1,11 @@
/*-
* acl.c - header file for acl.c
* Copyright (c) 2011 Kaspersky Lab ZAO
* Last Modified: 08-10-2011 by Konstantin Malov with Oleg Koreshkov's help
/****************************************************************************
*
* License: GPL
* acl.h - header file for acl.c
*
* License: GPLv2
* Copyright (c) 2011 Kaspersky Lab ZAO
*
* License Notice:
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -18,7 +20,8 @@
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
*
****************************************************************************/
#ifndef ACL_H_INCLUDED
#define ACL_H_INCLUDED 1

20
include/common.h.in
View File

@ -1,10 +1,12 @@
/************************************************************************
/****************************************************************************
*
* COMMON.H - NRPE Common Include File
* Copyright (c) 1999-2007 Ethan Galstad (nagios@nagios.org)
* Last Modified: 2017-05-24
* common.h - NRPE Common header file
*
* License:
* License: GPLv2
* Copyright (c) 2006-2017 Nagios Enterprises
* 1999-2006 Ethan Galstad (nagios@nagios.org)
*
* License Notice:
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -19,7 +21,8 @@
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
************************************************************************/
*
****************************************************************************/
#include "config.h"
@ -30,11 +33,12 @@
# ifdef SSL_TYPE_openssl
# include <@SSL_INC_PREFIX@err.h>
# include <@SSL_INC_PREFIX@rand.h>
# include <@SSL_INC_PREFIX@engine.h>
# endif
#endif
#define PROGRAM_VERSION "3.1.1"
#define MODIFICATION_DATE "2017-05-24"
#define PROGRAM_VERSION "3.2.1"
#define MODIFICATION_DATE "2017-09-01"
#define OK 0
#define ERROR -1

15
include/config.h.in
View File

@ -1,10 +1,12 @@
/************************************************************************
/****************************************************************************
*
* NRPE Common Header File
* Copyright (c) 1999-2007 Ethan Galstad (nagios@nagios.org)
* Last Modified: 11-23-2007
* config.h - NRPE Configuration header file
*
* License:
* License: GPLv2
* Copyright (c) 2006-2017 Nagios Enterprises
* 1999-2006 Ethan Galstad (nagios@nagios.org)
*
* License Notice:
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -19,7 +21,8 @@
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
************************************************************************/
*
****************************************************************************/
#ifndef _CONFIG_H
#define _CONFIG_H

16
include/nrpe.h
View File

@ -1,10 +1,12 @@
/************************************************************************
/****************************************************************************
*
* NRPE.H - NRPE Include File
* Copyright (c) 1999-2007 Ethan Galstad (nagios@nagios.org)
* Last Modified: 08-10-2011 by Konstantin Malov
* nrpe.h - Nagios Remote Plugin Executor header file
*
* License:
* License: GPLv2
* Copyright (c) 2006-2017 Nagios Enterprises
* 1999-2006 Ethan Galstad (nagios@nagios.org)
*
* License Notice:
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -20,9 +22,7 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*
************************************************************************/
/**************** COMMAND STRUCTURE DEFINITION **********/
****************************************************************************/
typedef struct command_struct {
char *command_name;

24
include/utils.h
View File

@ -1,17 +1,12 @@
/************************************************************************************************
/****************************************************************************
*
* UTILS.H - NRPE Utilities Include File
* utils.h - NRPE Utility Functions header file
*
* License: GPL
* Copyright (c) 1999-2006 Ethan Galstad (nagios@nagios.org)
* License: GPLv2
* Copyright (c) 2009-2017 Nagios Enterprises
* 1999-2008 Ethan Galstad (nagios@nagios.org)
*
* Last Modified: 12-11-2006
*
* Description:
*
* This file contains common include files and function definitions used in many of the plugins.
*
* License Information:
* License Notice:
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -27,7 +22,8 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*
************************************************************************************************/
****************************************************************************/
#ifndef NRPE_UTILS_H_INCLUDED
#define NRPE_UTILS_H_INCLUDED
@ -39,9 +35,9 @@ unsigned long calculate_crc32(char*, int);
void randomize_buffer(char*,int);
int my_tcp_connect(char*, int, int*);
#ifdef HAVE_STRUCT_SOCKADDR_STORAGE
int my_connect(const char*, struct sockaddr_storage*, u_short, int, const char*);
int my_connect(const char*, struct sockaddr_storage*, u_short, int, const char*, int);
#else
int my_connect(const char*, struct sockaddr*, u_short, int, const char*);
int my_connect(const char*, struct sockaddr*, u_short, int, const char*, int);
#endif
void add_listen_addr(struct addrinfo**, int, char*, int);
int clean_environ(const char *keep_env_vars, const char *nrpe_user);

7
macros/CHANGELOG.md Normal file
View File

@ -0,0 +1,7 @@
1.0.1
-----
* Fix bug determining inetd,xinetd if neither are running (Bryan Heden)
1.0.0
-----
* Initial Release (John Frickson)

513
macros/LICENSE
View File

@ -1,339 +1,264 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
The GNU General Public License, Version 2, June 1991 (GPLv2)
============================================================
Copyright (C) 1989, 1991 Free Software Foundation, Inc., <http://fsf.org/>
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
> Copyright (C) 1989, 1991 Free Software Foundation, Inc.
> 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
Preamble
Everyone is permitted to copy and distribute verbatim copies of this license
document, but changing it is not allowed.
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.) You can apply it to
Preamble
--------
The licenses for most software are designed to take away your freedom to share
and change it. By contrast, the GNU General Public License is intended to
guarantee your freedom to share and change free software--to make sure the
software is free for all its users. This General Public License applies to most
of the Free Software Foundation's software and to any other program whose
authors commit to using it. (Some other Free Software Foundation software is
covered by the GNU Lesser General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
When we speak of free software, we are referring to freedom, not price. Our
General Public Licenses are designed to make sure that you have the freedom to
distribute copies of free software (and charge for this service if you wish),
that you receive source code or can get it if you want it, that you can change
the software or use pieces of it in new free programs; and that you know you can
do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
To protect your rights, we need to make restrictions that forbid anyone to deny
you these rights or to ask you to surrender the rights. These restrictions
translate to certain responsibilities for you if you distribute copies of the
software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
For example, if you distribute copies of such a program, whether gratis or for a
fee, you must give the recipients all the rights that you have. You must make
sure that they, too, receive or can get the source code. And you must show them
these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
We protect your rights with two steps: (1) copyright the software, and (2) offer
you this license which gives you legal permission to copy, distribute and/or
modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Also, for each author's protection and ours, we want to make certain that
everyone understands that there is no warranty for this free software. If the
software is modified by someone else and passed on, we want its recipients to
know that what they have is not the original, so that any problems introduced by
others will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
Finally, any free program is threatened constantly by software patents. We wish
to avoid the danger that redistributors of a free program will individually
obtain patent licenses, in effect making the program proprietary. To prevent
this, we have made it clear that any patent must be licensed for everyone's free
use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
The precise terms and conditions for copying, distribution and modification
follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Terms And Conditions For Copying, Distribution And Modification
---------------------------------------------------------------
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
**0.** This License applies to any program or other work which contains a notice
placed by the copyright holder saying it may be distributed under the terms of
this General Public License. The "Program", below, refers to any such program or
work, and a "work based on the Program" means either the Program or any
derivative work under copyright law: that is to say, a work containing the
Program or a portion of it, either verbatim or with modifications and/or
translated into another language. (Hereinafter, translation is included without
limitation in the term "modification".) Each licensee is addressed as "you".
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
Activities other than copying, distribution and modification are not covered by
this License; they are outside its scope. The act of running the Program is not
restricted, and the output from the Program is covered only if its contents
constitute a work based on the Program (independent of having been made by
running the Program). Whether that is true depends on what the Program does.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
**1.** You may copy and distribute verbatim copies of the Program's source code
as you receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice and
disclaimer of warranty; keep intact all the notices that refer to this License
and to the absence of any warranty; and give any other recipients of the Program
a copy of this License along with the Program.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
You may charge a fee for the physical act of transferring a copy, and you may at
your option offer warranty protection in exchange for a fee.
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
**2.** You may modify your copy or copies of the Program or any portion of it,
thus forming a work based on the Program, and copy and distribute such
modifications or work under the terms of Section 1 above, provided that you also
meet all of these conditions:
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
* **a)** You must cause the modified files to carry prominent notices stating
that you changed the files and the date of any change.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
* **b)** You must cause any work that you distribute or publish, that in whole
or in part contains or is derived from the Program or any part thereof, to
be licensed as a whole at no charge to all third parties under the terms of
this License.
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
* **c)** If the modified program normally reads commands interactively when
run, you must cause it, when started running for such interactive use in the
most ordinary way, to print or display an announcement including an
appropriate copyright notice and a notice that there is no warranty (or
else, saying that you provide a warranty) and that users may redistribute
the program under these conditions, and telling the user how to view a copy
of this License. (Exception: if the Program itself is interactive but does
not normally print such an announcement, your work based on the Program is
not required to print an announcement.)
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
These requirements apply to the modified work as a whole. If identifiable
sections of that work are not derived from the Program, and can be reasonably
considered independent and separate works in themselves, then this License, and
its terms, do not apply to those sections when you distribute them as separate
works. But when you distribute the same sections as part of a whole which is a
work based on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the entire whole,
and thus to each and every part regardless of who wrote it.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
Thus, it is not the intent of this section to claim rights or contest your
rights to work written entirely by you; rather, the intent is to exercise the
right to control the distribution of derivative or collective works based on the
Program.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
In addition, mere aggregation of another work not based on the Program with the
Program (or with a work based on the Program) on a volume of a storage or
distribution medium does not bring the other work under the scope of this
License.
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
**3.** You may copy and distribute the Program (or a work based on it, under
Section 2) in object code or executable form under the terms of Sections 1 and 2
above provided that you also do one of the following:
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
* **a)** Accompany it with the complete corresponding machine-readable source
code, which must be distributed under the terms of Sections 1 and 2 above on
a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
* **b)** Accompany it with a written offer, valid for at least three years, to
give any third party, for a charge no more than your cost of physically
performing source distribution, a complete machine-readable copy of the
corresponding source code, to be distributed under the terms of Sections 1
and 2 above on a medium customarily used for software interchange; or,
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
* **c)** Accompany it with the information you received as to the offer to
distribute corresponding source code. (This alternative is allowed only for
noncommercial distribution and only if you received the program in object
code or executable form with such an offer, in accord with Subsection b
above.)
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
The source code for a work means the preferred form of the work for making
modifications to it. For an executable work, complete source code means all the
source code for all modules it contains, plus any associated interface
definition files, plus the scripts used to control compilation and installation
of the executable. However, as a special exception, the source code distributed
need not include anything that is normally distributed (in either source or
binary form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component itself
accompanies the executable.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
If distribution of executable or object code is made by offering access to copy
from a designated place, then offering equivalent access to copy the source code
from the same place counts as distribution of the source code, even though third
parties are not compelled to copy the source along with the object code.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
**4.** You may not copy, modify, sublicense, or distribute the Program except as
expressly provided under this License. Any attempt otherwise to copy, modify,
sublicense or distribute the Program is void, and will automatically terminate
your rights under this License. However, parties who have received copies, or
rights, from you under this License will not have their licenses terminated so
long as such parties remain in full compliance.
**5.** You are not required to accept this License, since you have not signed
it. However, nothing else grants you permission to modify or distribute the
Program or its derivative works. These actions are prohibited by law if you do
not accept this License. Therefore, by modifying or distributing the Program (or
any work based on the Program), you indicate your acceptance of this License to
do so, and all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
**6.** Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the original
licensor to copy, distribute or modify the Program subject to these terms and
conditions. You may not impose any further restrictions on the recipients'
exercise of the rights granted herein. You are not responsible for enforcing
compliance by third parties to this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
**7.** If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues), conditions
are imposed on you (whether by court order, agreement or otherwise) that
contradict the conditions of this License, they do not excuse you from the
conditions of this License. If you cannot distribute so as to satisfy
simultaneously your obligations under this License and any other pertinent
obligations, then as a consequence you may not distribute the Program at all.
For example, if a patent license would not permit royalty-free redistribution of
the Program by all those who receive copies directly or indirectly through you,
then the only way you could satisfy both it and this License would be to refrain
entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
If any portion of this section is held invalid or unenforceable under any
particular circumstance, the balance of the section is intended to apply and the
section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
It is not the purpose of this section to induce you to infringe any patents or
other property right claims or to contest validity of any such claims; this
section has the sole purpose of protecting the integrity of the free software
distribution system, which is implemented by public license practices. Many
people have made generous contributions to the wide range of software
distributed through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing to
distribute software through any other system and a licensee cannot impose that
choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
This section is intended to make thoroughly clear what is believed to be a
consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
**8.** If the distribution and/or use of the Program is restricted in certain
countries either by patents or by copyrighted interfaces, the original copyright
holder who places the Program under this License may add an explicit
geographical distribution limitation excluding those countries, so that
distribution is permitted only in or among countries not thus excluded. In such
case, this License incorporates the limitation as if written in the body of this
License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
**9.** The Free Software Foundation may publish revised and/or new versions of
the General Public License from time to time. Such new versions will be similar
in spirit to the present version, but may differ in detail to address new
problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
Each version is given a distinguishing version number. If the Program specifies
a version number of this License which applies to it and "any later version",
you have the option of following the terms and conditions either of that version
or of any later version published by the Free Software Foundation. If the
Program does not specify a version number of this License, you may choose any
version ever published by the Free Software Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
**10.** If you wish to incorporate parts of the Program into other free programs
whose distribution conditions are different, write to the author to ask for
permission. For software which is copyrighted by the Free Software Foundation,
write to the Free Software Foundation; we sometimes make exceptions for this.
Our decision will be guided by the two goals of preserving the free status of
all derivatives of our free software and of promoting the sharing and reuse of
software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
No Warranty
-----------
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
**11.** BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR
THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE
STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM
"AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
{description}
Copyright (C) {year} {fullname}
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
{signature of Ty Coon}, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License.
**12.** IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA
BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER
OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

1
macros/LICENSE.md Symbolic link
View File

@ -0,0 +1 @@
LICENSE

84
macros/README.md
View File

@ -1,29 +1,26 @@
autoconf-macros README
======================
Sections below are: Purpose, Contents, Usage, References
##Purpose
autoconf-macros
===============
The purpose of Nagios autoconf-macros is to have a central place for
autoconf macros that can be maintained in one place, but be used by any
of the Nagios software. It is intended to be used as a git subtree.
See the Usage and References section below.
See the [Usage](#usage) and [References](#references) sections below.
Since this project will be included in several parent projects, any
changes must be as project-neutral as possible.
Make sure to check out the [CHANGELOG](CHANGELOG.md) for relevant
information, as well.
## Contents
Contents
--------
The collection consists of the following macros:
### AX_NAGIOS_GET_OS alias AC_NAGIOS_GET_OS
> Output Variable : opsys
> Output Variable : `opsys`
This macro detects the operating system, and transforms it into a generic
label. The most common OS's that use Nagios software are recognized and
@ -31,17 +28,17 @@ used in subsequent macros.
### AX_NAGIOS_GET_DISTRIB_TYPE alias AC_NAGIOS_GET_DISTRIB_TYPE
> Output Variables : dist_type, dist_ver
> Output Variables : `dist_type`, `dist_ver`
This macro detects the distribution type. For Linux, this would be rh
(for Red Hat and derivatives), suse (OpenSUSE, SLES, derivatives), gentoo
(Gentoo and derivatives), debian (Debian and derivatives), and so on.
(for Red Hat and derivitives), suse (OpenSUSE, SLES, derivitives), gentoo
(Gentoo and derivitives), debian (Debian and derivitives), and so on.
For BSD, this would be openbsd, netbsd, freebsd, dragonfly, etc. It can
also be aix, solaris, osx, and so on for Unix operating systems.
### AX_NAGIOS_GET_INIT alias AC_NAGIOS_GET_INIT
> Output Variable : init_type
> Output Variable : `init_type`
This macro detects what software is used to start daemons on bootup
or on request, generally knows as the "init system". The init_type
@ -51,7 +48,7 @@ gentoo (older Gentoo), upstart (several), or unknown.
### AX_NAGIOS_GET_INETD alias AC_NAGIOS_GET_INETD
> Output Variable : inetd_type
> Output Variable : `inetd_type`
This macro detects what software is used to start daemons or services
on demand, which historically has been "inetd". The inetd_type
@ -60,7 +57,7 @@ will generally be one of inetd, xinetd, launchd (OS X), smf10 or smf11
### AX_NAGIOS_GET_PATHS alias AC_NAGIOS_GET_PATHS
> Output Variables : many!
> Output Variables : **many!**
This macro determines the installation paths for binaries, config files,
PID files, and so on. For a "standard" install of Nagios, NRPE, NDO Utils,
@ -72,7 +69,7 @@ O/S dependant directories, such as /usr/bin, /usr/sbin, /var/lib/nagios,
### AX_NAGIOS_GET_FILES alias AC_NAGIOS_GET_FILES
> Output Variables : src_init, src_inetd, src_tmpfile
> Output Variables : `src_init`, `src_inetd`, `src_tmpfile`
Each Nagios project will have a top-level directory named "/startup/".
In that directory will be "*.in" files for the various "init_type" and
@ -81,7 +78,7 @@ that directory will be needed.
### AX_NAGIOS_GET_SSL alias AC_NAGIOS_GET_SSL
> Output Variables : HAVE_KRB5_H, HAVE_SSL, SSL_INC_DIR, SSL_LIB_DIR, CFLAGS, LDFLAGS, LIBS
> Output Variables : `HAVE_KRB5_H`, `HAVE_SSL`, `SSL_INC_DIR`, `SSL_LIB_DIR`, `CFLAGS`, `LDFLAGS`, `LIBS`
This macro checks various directories for SSL libraries and header files.
The searches are based on known install locations on various operating
@ -90,11 +87,11 @@ If it finds the headers and libraries, it will then do an `AC_LINK_IFELSE`
on a simple program to make sure a compile and link will work correctly.
## Usage
Usage
-----
This repo is intended to be used as a git subtree, so changes will
automatically propagate, and still be reasonably easy to use.
automatically propogate, and still be reasonably easy to use.
* First, Create, checkout, clone, or branch your project. If you do an
`ls -AF` it might look something like this:
@ -112,7 +109,8 @@ it should look like this:
.git/ .gitignore ChangeLog LICENSE Makefile.in
README configure.ac include/ macros/ src/
The `macros/` directory has been added.
* The `macros/` directory has been added.
* Now do a `git push` to save everything.
@ -129,11 +127,11 @@ master.
* To get the latest version of `autoconf-macros` into your parent project:
git subtree pull --squash --prefix=macros autoconf-macros master
git subtgree pull --squash --prefix=macros autoconf-macros master
## References
References
----------
Now that autoconf-macros is available to your project, you will need to
reference it.
@ -165,3 +163,37 @@ where you want to check for SSL:
* You will now be able to reference any of the variables in `config.h.in`
and any files listed in the `AC_CONFIG_FILES` macro in `configure.ac`.
License Notice
--------------
Copyright (c) 2016-2017 Nagios Enterprises, LLC
This work is made available to you under the terms of Version 2 of
the GNU General Public License. A copy of that license should have
been provided with this software, but in any event can be obtained
from http://www.fsf.org.
This work is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301 or visit their web page on the internet at
http://www.fsf.org.
Questions?
----------
If you have questions about this addon, or problems getting things
working, first try searching the nagios-users mailing list archives.
Details on searching the list archives can be found at
http://www.nagios.org
If you don't find an answer there, post a message in the Nagios
Plugin Development forum at https://support.nagios.com/forum/viewforum.php?f=35

12
macros/ax_nagios_get_inetd
View File

@ -113,12 +113,6 @@ AC_SUBST(inetd_type)
[*],
inetd_type=[`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND | head -1`])
if test x"$inetd_type" = x; then
if test x"$init_type" = "xupstart"; then
inetd_type="upstart"
fi
fi
if test x"$inetd_type" = x; then
if test -f /etc/xinetd.conf -a -d /etc/xinetd.d; then
inetd_disabled="(Not running)"
@ -128,6 +122,12 @@ AC_SUBST(inetd_type)
inetd_disabled="(Not running)"
fi
fi
if test x"$inetd_type" = x; then
if test x"$init_type" = "xupstart"; then
inetd_type="upstart"
fi
fi
if test x"$inetd_type" = x; then
if test x"$init_type" = "xsystemd"; then

1
macros/ax_nagios_get_paths
View File

@ -616,6 +616,7 @@ eval webdir=$webdir
eval localedir=$localedir
eval sysconfdir=$sysconfdir
eval pkgsysconfdir=$pkgsysconfdir
eval logdir=$logdir
eval piddir=$piddir
#

6
nrpe.spec.in
View File

@ -22,7 +22,7 @@
%define _sysconfdir /etc/nagios
%define name @PACKAGE_NAME@
%define version 3.1.1
%define version 3.2.1
%define release @RPM_RELEASE@
%define nsusr @nrpe_user@
%define nsgrp @nrpe_group@
@ -169,13 +169,13 @@ rm -rf $RPM_BUILD_ROOT
@tmpfilesd@
%endif
%{_bindir}/nrpe-uninstall
%doc Changelog LEGAL README.md README.SSL.md SECURITY.md
%doc CHANGELOG.md LEGAL README.md README.SSL.md SECURITY.md
%files plugin
%defattr(755,%{nsusr},%{nsgrp})
%{_libexecdir}
%defattr(644,%{nsusr},%{nsgrp})
%doc Changelog LEGAL README.md
%doc CHANGELOG.md LEGAL README.md
%changelog
* Thu Aug 18 2016 John Frickson jfrickson<@>nagios.com

98
sample-config/nrpe.cfg.in
View File

@ -1,13 +1,13 @@
#############################################################################
# Sample NRPE Config File
# Written by: Ethan Galstad (nagios@nagios.org)
#
# Last Modified: 2016-05-10
# Sample NRPE Config File
#
# Notes:
#
# This is a sample configuration file for the NRPE daemon. It needs to be
# located on the remote host that is running the NRPE daemon, not the host
# from which the check_nrpe client is being executed.
#
# NOTES:
# This is a sample configuration file for the NRPE daemon. It needs to be
# located on the remote host that is running the NRPE daemon, not the host
# from which the check_nrpe client is being executed.
#############################################################################
@ -161,6 +161,13 @@ allow_bash_command_substitution=0
# command_prefix=/usr/bin/sudo
# MAX COMMANDS
# This specifies how many children processes may be spawned at any one
# time, essentially limiting the fork()s that occur.
# Default (0) is set to unlimited
# max_commands=0
# COMMAND TIMEOUT
# This specifies the maximum number of seconds that the NRPE daemon will
@ -218,10 +225,12 @@ connection_timeout=300
# SSL CIPHER LIST
# This lists which ciphers can be used. For backward compatibility, this
# defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in this version but
# will be changed to something like the example below in a later version of NRPE.
# defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' for < OpenSSL 1.1.0,
# and 'ssl_cipher_list=ALL:!MD5:@STRENGTH:@SECLEVEL=0' for OpenSSL 1.1.0 and
# greater.
#ssl_cipher_list=ALL:!MD5:@STRENGTH
#ssl_cipher_list=ALL:!MD5:@STRENGTH:@SECLEVEL=0
#ssl_cipher_list=ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!RC4:!MD5:@STRENGTH
# SSL Certificate and Private Key Files
@ -262,21 +271,6 @@ connection_timeout=300
# nasty_metachars="|`&><'\\[]{};\r\n"
# INCLUDE CONFIG FILE
# This directive allows you to include definitions from an external config file.
#include=<somefile.cfg>
# INCLUDE CONFIG DIRECTORY
# This directive allows you to include definitions from config files (with a
# .cfg extension) in one or more directories (with recursion).
#include_dir=<somedirectory>
#include_dir=<someotherdirectory>
# COMMAND DEFINITIONS
# Command definitions that this daemon will run. Definitions
@ -299,6 +293,7 @@ connection_timeout=300
# The following examples use hardcoded command arguments...
# This is by far the most secure method of using NRPE
command[check_users]=@pluginsdir@/check_users -w 5 -c 10
command[check_load]=@pluginsdir@/check_load -r -w .15,.10,.05 -c .30,.25,.20
@ -313,7 +308,54 @@ command[check_total_procs]=@pluginsdir@/check_procs -w 150 -c 200
# config file is set to '1'. This poses a potential security risk, so
# make sure you read the SECURITY file before doing this.
#command[check_users]=@pluginsdir@/check_users -w $ARG1$ -c $ARG2$
#command[check_load]=@pluginsdir@/check_load -w $ARG1$ -c $ARG2$
#command[check_disk]=@pluginsdir@/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
#command[check_procs]=@pluginsdir@/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
### MISC SYSTEM METRICS ###
#command[check_users]=@pluginsdir@/check_users $ARG1$
#command[check_load]=@pluginsdir@/check_load $ARG1$
#command[check_disk]=@pluginsdir@/check_disk $ARG1$
#command[check_swap]=@pluginsdir@/check_swap $ARG1$
#command[check_cpu_stats]=@pluginsdir@/check_cpu_stats.sh $ARG1$
#command[check_mem]=@pluginsdir@/custom_check_mem -n $ARG1$
### GENERIC SERVICES ###
#command[check_init_service]=sudo @pluginsdir@/check_init_service $ARG1$
#command[check_services]=@pluginsdir@/check_services -p $ARG1$
### SYSTEM UPDATES ###
#command[check_yum]=@pluginsdir@/check_yum
#command[check_apt]=@pluginsdir@/check_apt
### PROCESSES ###
#command[check_all_procs]=@pluginsdir@/custom_check_procs
#command[check_procs]=@pluginsdir@/check_procs $ARG1$
### OPEN FILES ###
#command[check_open_files]=@pluginsdir@/check_open_files.pl $ARG1$
### NETWORK CONNECTIONS ###
#command[check_netstat]=@pluginsdir@/check_netstat.pl -p $ARG1$ $ARG2$
### ASTERISK ###
#command[check_asterisk]=@pluginsdir@/check_asterisk.pl $ARG1$
#command[check_sip]=@pluginsdir@/check_sip $ARG1$
#command[check_asterisk_sip_peers]=sudo @pluginsdir@/check_asterisk_sip_peers.sh $ARG1$
#command[check_asterisk_version]=@pluginsdir@/nagisk.pl -c version
#command[check_asterisk_peers]=@pluginsdir@/nagisk.pl -c peers
#command[check_asterisk_channels]=@pluginsdir@/nagisk.pl -c channels
#command[check_asterisk_zaptel]=@pluginsdir@/nagisk.pl -c zaptel
#command[check_asterisk_span]=@pluginsdir@/nagisk.pl -c span -s 1
# INCLUDE CONFIG FILE
# This directive allows you to include definitions from an external config file.
#include=<somefile.cfg>
# INCLUDE CONFIG DIRECTORY
# This directive allows you to include definitions from config files (with a
# .cfg extension) in one or more directories (with recursion).
#include_dir=<somedirectory>
#include_dir=<someotherdirectory>

4
src/Makefile.in
View File

@ -1,7 +1,7 @@
###############################
# Makefile for NRPE
#
# Last Modified: 08-13-2007
# NRPE Makefile
#
###############################
srcdir=@srcdir@

56
src/acl.c
View File

@ -1,17 +1,20 @@
/*-
/****************************************************************************
*
* acl.c - a small library for nrpe.c. It adds IPv4 subnets support to ACL in nrpe.
*
* License: GPLv2
* Copyright (c) 2011 Kaspersky Lab ZAO
* Last Modified: 08-10-2011 by Konstantin Malov with Oleg Koreshkov's help
*
* Description:
* acl.c creates two linked lists. One is for IPv4 hosts and networks, another is for domain names.
* All connecting hosts (if allowed_hosts is defined) are checked in these two lists.
*
* Some notes:
* 1) IPv6 isn't supported in ACL.
* 2) Only ANCII names are supported in ACL.
* acl.c creates two linked lists. One is for IPv4 hosts and networks, another
* is for domain names. All connecting hosts (if allowed_hosts is defined)
* are checked in these two lists.
*
* License: GPL
* Note:
* Only ANCII names are supported in ACL.
*
* License Notice:
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -26,10 +29,12 @@
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
*
****************************************************************************/
#include "../include/config.h"
#include "../include/common.h"
#include "../include/utils.h"
#include <sys/types.h>
#include <sys/socket.h>
@ -131,6 +136,7 @@ char * acl_substring(char *string, int s, int e) {
*/
int add_ipv4_to_acl(char *ipv4) {
int state = 0;
int octet = 0;
int index = 0; /* position in data array */
@ -602,6 +608,7 @@ void parse_allowed_hosts(char *allowed_hosts) {
char *tok;
const char *delim = ",";
char *trimmed_tok;
int add_to_acl = 0;
if (debug == TRUE)
logit(LOG_INFO,
@ -617,15 +624,32 @@ void parse_allowed_hosts(char *allowed_hosts) {
tok = strtok(hosts, delim);
#endif
while( tok) {
trimmed_tok = malloc( sizeof( char) * ( strlen( tok) + 1));
trim( tok, trimmed_tok);
if(debug == TRUE)
trimmed_tok = malloc(sizeof(char) * (strlen(tok) + 1));
trim(tok, trimmed_tok);
if (debug == TRUE)
logit(LOG_DEBUG, "parse_allowed_hosts: ADDING this record (%s) to ACL list!\n", trimmed_tok);
if( strlen( trimmed_tok) > 0) {
if (!add_ipv4_to_acl(trimmed_tok) && !add_ipv6_to_acl(trimmed_tok)
&& !add_domain_to_acl(trimmed_tok)) {
if (strlen(trimmed_tok) > 0) {
/* lets check the type of the address before we try and add it to the acl */
if (strchr(trimmed_tok, ':') != NULL) {
/* its an ipv6 address */
add_to_acl = add_ipv6_to_acl(trimmed_tok);
} else {
/* its either a fqdn or an ipv4 address
unfortunately, i don't want to re-invent the wheel here
the logic exists inside of add_ipv4_to_acl() to detect
whether or not it is a ip or not */
add_to_acl = add_ipv4_to_acl(trimmed_tok);
}
/* but we only try to add it to a domain if the other tests have failed */
if (!add_to_acl && !add_domain_to_acl(trimmed_tok)) {
logit(LOG_ERR,"Can't add to ACL this record (%s). Check allowed_hosts option!\n",trimmed_tok);
} else if (debug == TRUE)
} else if (debug == TRUE)
logit(LOG_DEBUG,"parse_allowed_hosts: Record added to ACL list!\n");
}
free( trimmed_tok);

428
src/check_nrpe.c
View File

@ -1,21 +1,40 @@
/********************************************************************************************
/****************************************************************************
*
* CHECK_NRPE.C - NRPE Plugin For Nagios
* Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
* License: GPL
* check_nrpe.c - NRPE Plugin For Nagios
*
* Last Modified: 2017-05-24
* License: GPLv2
* Copyright (c) 2009-2017 Nagios Enterprises
* 1999-2008 Ethan Galstad (nagios@nagios.org)
*
* Command line: CHECK_NRPE -H <host_address> [-p port] [-c command] [-to to_sec]
* Command line:
*
* check_nrpe -H <host_address> [-p port] [-c command] [-to to_sec]
*
* Description:
*
* This plugin will attempt to connect to the NRPE daemon on the specified server and port.
* The daemon will attempt to run the command defined as [command]. Program output and
* return code are sent back from the daemon and displayed as this plugin's own output and
* return code.
* This plugin will attempt to connect to the NRPE daemon on the specified
* server and port. The daemon will attempt to run the command
* defined as [command]. Program output and return code are sent back
* from the daemon and displayed as this plugin's own
* output and return code.
*
********************************************************************************************/
* License Notice:
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*
****************************************************************************/
#include "config.h"
#include "common.h"
@ -37,6 +56,7 @@ char *command_name = NULL;
int socket_timeout = DEFAULT_SOCKET_TIMEOUT;
char timeout_txt[10];
int timeout_return_code = -1;
int stderr_to_stdout = 0;
int sd;
char rem_host[MAX_HOST_ADDRESS_LENGTH];
@ -128,7 +148,11 @@ int main(int argc, char **argv)
if (timeout_return_code == -1)
timeout_return_code = STATE_CRITICAL;
if (sslprm.cipher_list[0] == '\0')
#if OPENSSL_VERSION_NUMBER >= 0x10100000
strncpy(sslprm.cipher_list, "ALL:!MD5:@STRENGTH:@SECLEVEL=0", MAX_FILENAME_LENGTH - 1);
#else
strncpy(sslprm.cipher_list, "ALL:!MD5:@STRENGTH", MAX_FILENAME_LENGTH - 1);
#endif
if (sslprm.ssl_proto_ver == SSL_Ver_Invalid)
sslprm.ssl_proto_ver = TLSv1_plus;
if (sslprm.allowDH == -1)
@ -215,6 +239,8 @@ int process_arguments(int argc, char **argv, int from_config_file)
{"log-file", required_argument, 0, 'g'},
{"help", no_argument, 0, 'h'},
{"license", no_argument, 0, 'l'},
{"version", no_argument, 0, 'V'},
{"stderr-to-stdout", no_argument, 0, 'E'},
{0, 0, 0, 0}
};
#endif
@ -224,7 +250,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
return ERROR;
optind = 0;
snprintf(optchars, MAX_INPUT_BUFFER, "H:f:b:c:a:t:p:S:L:C:K:A:d:s:P:g:246hlnuV");
snprintf(optchars, MAX_INPUT_BUFFER, "H:f:b:c:a:t:p:S:L:C:K:A:d:s:P:g:246hlnuVE");
while (1) {
if (argindex > 0)
@ -267,8 +293,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
case 't':
if (from_config_file && socket_timeout != -1) {
logit(LOG_WARNING, "WARNING: Command-line socket timeout overrides "
"the config file option.");
logit(LOG_WARNING, "WARNING: Command-line socket timeout overrides the config file option.");
break;
}
socket_timeout=parse_timeout_string(optarg);
@ -278,8 +303,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
case 'p':
if (from_config_file && server_port != 0) {
logit(LOG_WARNING, "WARNING: Command-line server port overrides "
"the config file option.");
logit(LOG_WARNING, "WARNING: Command-line server port overrides the config file option.");
break;
}
server_port = atoi(optarg);
@ -289,8 +313,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
case 'P':
if (from_config_file && payload_size > 0) {
logit(LOG_WARNING, "WARNING: Command-line payload-size (-P) overrides "
"the config file option.");
logit(LOG_WARNING, "WARNING: Command-line payload-size (-P) overrides the config file option.");
break;
}
payload_size = atoi(optarg);
@ -300,13 +323,20 @@ int process_arguments(int argc, char **argv, int from_config_file)
case 'H':
if (from_config_file && server_name != NULL) {
logit(LOG_WARNING, "WARNING: Command-line server name overrides "
"the config file option.");
logit(LOG_WARNING, "WARNING: Command-line server name overrides the config file option.");
break;
}
server_name = strdup(optarg);
break;
case 'E':
if (from_config_file && stderr_to_stdout != 0) {
logit(LOG_WARNING, "WARNING: Command-line stderr redirection overrides the config file option.");
break;
}
stderr_to_stdout = 1;
break;
case 'c':
if (from_config_file) {
printf("Error: The config file should not have a command (-c) option.\n");
@ -329,8 +359,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
case 'u':
if (from_config_file && timeout_return_code != -1) {
logit(LOG_WARNING, "WARNING: Command-line unknown-timeout (-u) "
"overrides the config file option.");
logit(LOG_WARNING, "WARNING: Command-line unknown-timeout (-u) overrides the config file option.");
break;
}
timeout_return_code = STATE_UNKNOWN;
@ -338,8 +367,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
case '2':
if (from_config_file && packet_ver != NRPE_PACKET_VERSION_3) {
logit(LOG_WARNING, "WARNING: Command-line v2-packets-only (-2) "
"overrides the config file option.");
logit(LOG_WARNING, "WARNING: Command-line v2-packets-only (-2) overrides the config file option.");
break;
}
packet_ver = NRPE_PACKET_VERSION_2;
@ -348,8 +376,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
case '4':
if (from_config_file && address_family != AF_UNSPEC) {
logit(LOG_WARNING, "WARNING: Command-line ipv4 (-4) "
"or ipv6 (-6) overrides the config file option.");
logit(LOG_WARNING, "WARNING: Command-line ipv4 (-4) or ipv6 (-6) overrides the config file option.");
break;
}
address_family = AF_INET;
@ -357,8 +384,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
case '6':
if (from_config_file && address_family != AF_UNSPEC) {
logit(LOG_WARNING, "WARNING: Command-line ipv4 (-4) "
"or ipv6 (-6) overrides the config file option.");
logit(LOG_WARNING, "WARNING: Command-line ipv4 (-4) or ipv6 (-6) overrides the config file option.");
break;
}
address_family = AF_INET6;
@ -366,8 +392,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
case 'd':
if (from_config_file && sslprm.allowDH != -1) {
logit(LOG_WARNING, "WARNING: Command-line use-adh (-d) "
"overrides the config file option.");
logit(LOG_WARNING, "WARNING: Command-line use-adh (-d) overrides the config file option.");
break;
}
if (!optarg || optarg[0] < '0' || optarg[0] > '2')
@ -377,8 +402,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
case 'A':
if (from_config_file && sslprm.cacert_file != NULL) {
logit(LOG_WARNING, "WARNING: Command-line ca-cert-file (-A) "
"overrides the config file option.");
logit(LOG_WARNING, "WARNING: Command-line ca-cert-file (-A) overrides the config file option.");
break;
}
sslprm.cacert_file = strdup(optarg);
@ -386,8 +410,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
case 'C':
if (from_config_file && sslprm.cert_file != NULL) {
logit(LOG_WARNING, "WARNING: Command-line client-cert (-C) "
"overrides the config file option.");
logit(LOG_WARNING, "WARNING: Command-line client-cert (-C) overrides the config file option.");
break;
}
sslprm.cert_file = strdup(optarg);
@ -396,8 +419,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
case 'K':
if (from_config_file && sslprm.privatekey_file != NULL) {
logit(LOG_WARNING, "WARNING: Command-line key-file (-K) "
"overrides the config file option.");
logit(LOG_WARNING, "WARNING: Command-line key-file (-K) overrides the config file option.");
break;
}
sslprm.privatekey_file = strdup(optarg);
@ -406,8 +428,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
case 'S':
if (from_config_file && sslprm.ssl_proto_ver != SSL_Ver_Invalid) {
logit(LOG_WARNING, "WARNING: Command-line ssl-version (-S) "
"overrides the config file option.");
logit(LOG_WARNING, "WARNING: Command-line ssl-version (-S) overrides the config file option.");
break;
}
@ -439,8 +460,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
case 'L':
if (from_config_file && sslprm.cipher_list[0] != '\0') {
logit(LOG_WARNING, "WARNING: Command-line cipher-list (-L) "
"overrides the config file option.");
logit(LOG_WARNING, "WARNING: Command-line cipher-list (-L) overrides the config file option.");
break;
}
strncpy(sslprm.cipher_list, optarg, sizeof(sslprm.cipher_list) - 1);
@ -449,8 +469,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
case 's':
if (from_config_file && have_log_opts == TRUE) {
logit(LOG_WARNING, "WARNING: Command-line ssl-logging (-s) "
"overrides the config file option.");
logit(LOG_WARNING, "WARNING: Command-line ssl-logging (-s) overrides the config file option.");
break;
}
sslprm.log_opts = strtoul(optarg, NULL, 0);
@ -459,8 +478,7 @@ int process_arguments(int argc, char **argv, int from_config_file)
case 'g':
if (from_config_file && log_file != NULL) {
logit(LOG_WARNING, "WARNING: Command-line log-file (-g) "
"overrides the config file option.");
logit(LOG_WARNING, "WARNING: Command-line log-file (-g) overrides the config file option.");
break;
}
log_file = strdup(optarg);
@ -499,14 +517,12 @@ int process_arguments(int argc, char **argv, int from_config_file)
}
if ((has_cert && !has_priv_key) || (!has_cert && has_priv_key)) {
printf("Error: the client certificate and the private key "
"must both be given or neither\n");
printf("Error: the client certificate and the private key must both be given or neither\n");
return ERROR;
}
if (payload_size > 0 && packet_ver != NRPE_PACKET_VERSION_2) {
printf("Error: if a fixed payload size is specified, "
"'-2' must also be specified\n");
printf("Error: if a fixed payload size is specified, '-2' must also be specified\n");
return ERROR;
}
@ -564,6 +580,8 @@ int read_config_file(char *fname)
argv[argc] = my_strsep(&bufp, delims);
if (!argv[argc++])
break;
if (!bufp)
break;
}
fclose(f);
@ -608,9 +626,8 @@ int translate_state (char *state_text) {
}
void set_timeout_state (char *state) {
if ((timeout_return_code = translate_state(state)) == ERROR)
printf("Timeout state must be a valid state name (OK, "
"WARNING, CRITICAL, UNKNOWN) or integer (0-3).\n");
if ((timeout_return_code = translate_state(state)) == ERROR)
printf("Timeout state must be a valid state name (OK, WARNING, CRITICAL, UNKNOWN) or integer (0-3).\n");
}
int parse_timeout_string (char *timeout_str)
@ -649,87 +666,95 @@ int parse_timeout_string (char *timeout_str)
void usage(int result)
{
if (result != OK)
if (result != OK) {
printf("\n");
printf("Incorrect command line arguments supplied\n");
printf("\n");
printf("\n");
}
printf("NRPE Plugin for Nagios\n");
printf("Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)\n");
printf("Version: %s\n", PROGRAM_VERSION);
printf("Last Modified: %s\n", MODIFICATION_DATE);
printf("License: GPL v2 with exemptions (-l for more info)\n");
#ifdef HAVE_SSL
printf("SSL/TLS Available: OpenSSL 0.9.6 or higher required\n");
#endif
printf("\n");
if (result != OK || show_help == TRUE) {
printf("Usage: check_nrpe -H <host> [-2] [-4] [-6] [-n] [-u] [-V] [-l] [-d <dhopt>]\n"
" [-P <size>] [-S <ssl version>] [-L <cipherlist>] [-C <clientcert>]\n"
" [-K <key>] [-A <ca-certificate>] [-s <logopts>] [-b <bindaddr>]\n"
" [-f <cfg-file>] [-p <port>] [-t <interval>:<state>] [-g <log-file>]\n"
" [-c <command>] [-a <arglist...>]\n");
printf("Copyright (c) 2009-2017 Nagios Enterprises\n");
printf(" 1999-2008 Ethan Galstad (nagios@nagios.org)\n");
printf("\n");
printf("Last Modified: %s\n", MODIFICATION_DATE);
printf("\n");
printf("License: GPL v2 with exemptions (-l for more info)\n");
printf("\n");
#ifdef HAVE_SSL
printf("SSL/TLS Available: OpenSSL 0.9.6 or higher required\n");
printf("\n");
#endif
printf("Usage: check_nrpe -H <host> [-2] [-4] [-6] [-n] [-u] [-V] [-l] [-d <dhopt>]\n");
printf(" [-P <size>] [-S <ssl version>] [-L <cipherlist>] [-C <clientcert>]\n");
printf(" [-K <key>] [-A <ca-certificate>] [-s <logopts>] [-b <bindaddr>]\n");
printf(" [-f <cfg-file>] [-p <port>] [-t <interval>:<state>] [-g <log-file>]\n");
printf(" [-c <command>] [-E] [-a <arglist...>]\n");
printf("\n");
printf("Options:\n");
printf(" <host> = The address of the host running the NRPE daemon\n");
printf(" -2 = Only use Version 2 packets, not Version 3\n");
printf(" -4 = bind to ipv4 only\n");
printf(" -6 = bind to ipv6 only\n");
printf(" -n = Do no use SSL\n");
printf
(" -u = Make connection problems return UNKNOWN instead of CRITICAL\n");
printf(" -V = Show version\n");
printf(" -l = Show license\n");
printf(" <dhopt> = Anonymous Diffie Hellman use:\n");
printf(" 0 = Don't use Anonymous Diffie Hellman\n");
printf(" (This will be the default in a future release.)\n");
printf(" 1 = Allow Anonymous Diffie Hellman (default)\n");
printf(" 2 = Force Anonymous Diffie Hellman\n");
printf(" <size> = Specify non-default payload size for NSClient++\n");
printf
(" <ssl ver> = The SSL/TLS version to use. Can be any one of:\n");
printf(" -H, --host=HOST The address of the host running the NRPE daemon\n");
printf(" -2, --v2-packets-only Only use version 2 packets, not version 3\n");
printf(" -4, --ipv4 Bind to ipv4 only\n");
printf(" -6, --ipv6 Bind to ipv6 only\n");
printf(" -n, --no-ssl Do no use SSL\n");
printf(" -u, --unknown-timeout Make connection problems return UNKNOWN instead of CRITICAL\n");
printf(" -V, --version Print version info and quit\n");
printf(" -l, --license Show license\n");
printf(" -E, --stderr-to-stdout Redirect stderr to stdout\n");
printf(" -d, --use-dh=DHOPT Anonymous Diffie Hellman use:\n");
printf(" 0 Don't use Anonymous Diffie Hellman\n");
printf(" (This will be the default in a future release.)\n");
printf(" 1 Allow Anonymous Diffie Hellman (default)\n");
printf(" 2 Force Anonymous Diffie Hellman\n");
printf(" -P, --payload-size=SIZE Specify non-default payload size for NSClient++\n");
printf(" -S, --ssl-version=VERSION The SSL/TLS version to use. Can be any one of:\n");
#if OPENSSL_VERSION_NUMBER < 0x10100000
printf(" SSLv2 (only), SSLv2+ (or above),\n");
#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
printf(" SSLv3 (only), SSLv3+ (or above),\n");
printf(" TLSv1 (only), TLSv1+ (or above DEFAULT),\n");
printf(" TLSv1.1 (only), TLSv1.1+ (or above),\n");
printf(" TLSv1.2 (only), TLSv1.2+ (or above)\n");
printf(" <cipherlist> = The list of SSL ciphers to use (currently defaults\n");
printf
(" to \"ALL:!MD5:@STRENGTH\". WILL change in a future release.)\n");
printf(" <clientcert> = The client certificate to use for PKI\n");
printf(" <key> = The private key to use with the client certificate\n");
printf(" <ca-cert> = The CA certificate to use for PKI\n");
printf(" <logopts> = SSL Logging Options\n");
printf(" <bindaddr> = bind to local address\n");
printf(" <cfg-file> = configuration file to use\n");
printf(" <log-file> = full path to the log file to write to\n");
printf(" [port] = The port on which the daemon is running (default=%d)\n",
DEFAULT_SERVER_PORT);
printf(" [command] = The name of the command that the remote daemon should run\n");
printf(" [arglist] = Optional arguments that should be passed to the command,\n");
printf(" separated by a space. If provided, this must be the last\n");
printf(" option supplied on the command line.\n");
printf(" SSLv2 SSL v2 only\n");
printf(" SSLv2+ SSL v2 or above\n");
#endif
printf(" SSLv3 SSL v3 only\n");
printf(" SSLv3+ SSL v3 or above \n");
printf(" TLSv1 TLS v1 only\n");
printf(" TLSv1+ TLS v1 or above (DEFAULT)\n");
printf(" TLSv1.1 TLS v1.1 only\n");
printf(" TLSv1.1+ TLS v1.1 or above\n");
printf(" TLSv1.2 TLS v1.2 only\n");
printf(" TLSv1.2+ TLS v1.2 or above\n");
printf(" -L, --cipher-list=LIST The list of SSL ciphers to use (currently defaults\n");
#if OPENSSL_VERSION_NUMBER >= 0x10100000
printf(" to \"ALL:!MD5:@STRENGTH:@SECLEVEL=0\". THIS WILL change in a future release.)\n");
#else
printf(" to \"ALL:!MD5:@STRENGTH\". THIS WILL change in a future release.)\n");
#endif
printf(" -C, --client-cert=FILE The client certificate to use for PKI\n");
printf(" -K, --key-file=FILE The private key to use with the client certificate\n");
printf(" -A, --ca-cert-file=FILE The CA certificate to use for PKI\n");
printf(" -s, --ssl-logging=OPTIONS SSL Logging Options\n");
printf(" -b, --bind=IPADDR Local address to bind to\n");
printf(" -f, --config-file=FILE Configuration file to use\n");
printf(" -g, --log-file=FILE Log file to write to\n");
printf(" -p, --port=PORT The port on which the daemon is running (default=%d)\n", DEFAULT_SERVER_PORT);
printf(" -c, --command=COMMAND The name of the command that the remote daemon should run\n");
printf(" -a, --args=LIST Optional arguments that should be passed to the command,\n");
printf(" separated by a space. If provided, this must be the last\n");
printf(" option supplied on the command line.\n");
printf("\n");
printf(" NEW TIMEOUT SYNTAX\n");
printf(" -t <interval>:<state>\n");
printf(" <interval> = Number of seconds before connection times out (default=%d)\n",DEFAULT_SOCKET_TIMEOUT);
printf(" <state> = Check state to exit with in the event of a timeout (default=CRITICAL)\n");
printf(" Timeout state must be a valid state name (case-insensitive) or integer:\n");
printf(" (OK, WARNING, CRITICAL, UNKNOWN) or integer (0-3)\n");
printf(" -t, --timeout=INTERVAL:STATE\n");
printf(" INTERVAL Number of seconds before connection times out (default=%d)\n", DEFAULT_SOCKET_TIMEOUT);
printf(" STATE Check state to exit with in the event of a timeout (default=CRITICAL)\n");
printf(" Timeout STATE must be a valid state name (case-insensitive) or integer:\n");
printf(" (OK, WARNING, CRITICAL, UNKNOWN) or integer (0-3)\n");
printf("\n");
printf("Note:\n");
printf
("This plugin requires that you have the NRPE daemon running on the remote host.\n");
printf
("You must also have configured the daemon to associate a specific plugin command\n");
printf("with the [command] option you are specifying here. Upon receipt of the\n");
printf
("[command] argument, the NRPE daemon will run the appropriate plugin command and\n");
printf
("send the plugin output and return code back to *this* plugin. This allows you\n");
printf
("to execute plugins on remote hosts and 'fake' the results to make Nagios think\n");
printf("This plugin requires that you have the NRPE daemon running on the remote host.\n");
printf("You must also have configured the daemon to associate a specific plugin command\n");
printf("with the [command] option you are specifying here. Upon receipt of the\n");
printf("[command] argument, the NRPE daemon will run the appropriate plugin command and\n");
printf("send the plugin output and return code back to *this* plugin. This allows you\n");
printf("to execute plugins on remote hosts and 'fake' the results to make Nagios think\n");
printf("the plugin is being run locally.\n");
printf("\n");
}
@ -748,18 +773,11 @@ void setup_ssl()
if (sslprm.log_opts & SSL_LogStartup) {
char *val;
logit(LOG_INFO, "SSL Certificate File: %s",
sslprm.cert_file ? sslprm.cert_file : "None");
logit(LOG_INFO, "SSL Private Key File: %s",
sslprm.privatekey_file ? sslprm.privatekey_file : "None");
logit(LOG_INFO, "SSL CA Certificate File: %s",
sslprm.cacert_file ? sslprm.cacert_file : "None");
if (sslprm.allowDH < 2)
logit(LOG_INFO, "SSL Cipher List: %s", sslprm.cipher_list);
else
logit(LOG_INFO, "SSL Cipher List: ADH");
logit(LOG_INFO, "SSL Allow ADH: %s",
sslprm.allowDH == 0 ? "No" : (sslprm.allowDH == 1 ? "Allow" : "Require"));
logit(LOG_INFO, "SSL Certificate File: %s", sslprm.cert_file ? sslprm.cert_file : "None");
logit(LOG_INFO, "SSL Private Key File: %s", sslprm.privatekey_file ? sslprm.privatekey_file : "None");
logit(LOG_INFO, "SSL CA Certificate File: %s", sslprm.cacert_file ? sslprm.cacert_file : "None");
logit(LOG_INFO, "SSL Cipher List: %s", sslprm.cipher_list);
logit(LOG_INFO, "SSL Allow ADH: %d", sslprm.allowDH);
logit(LOG_INFO, "SSL Log Options: 0x%02x", sslprm.log_opts);
switch (sslprm.ssl_proto_ver) {
@ -804,6 +822,9 @@ void setup_ssl()
if (use_ssl == TRUE) {
SSL_load_error_strings();
SSL_library_init();
ENGINE_load_builtin_engines();
RAND_set_rand_engine(NULL);
ENGINE_register_all_complete();
#if OPENSSL_VERSION_NUMBER >= 0x10100000
@ -901,19 +922,16 @@ void setup_ssl()
if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) {
printf("Error: could not use certificate file '%s'.\n", sslprm.cert_file);
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
printf("Error: could not use certificate file '%s': %s\n",
sslprm.cert_file, ERR_reason_error_string(x));
printf("Error: could not use certificate file '%s': %s\n", sslprm.cert_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
exit(STATE_CRITICAL);
}
if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) {
SSL_CTX_free(ctx);
printf("Error: could not use private key file '%s'.\n",
sslprm.privatekey_file);
printf("Error: could not use private key file '%s'.\n", sslprm.privatekey_file);
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
printf("Error: could not use private key file '%s': %s\n",
sslprm.privatekey_file, ERR_reason_error_string(x));
printf("Error: could not use private key file '%s': %s\n", sslprm.privatekey_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
exit(STATE_CRITICAL);
@ -926,8 +944,7 @@ void setup_ssl()
if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
printf("Error: could not use CA certificate '%s'.\n", sslprm.cacert_file);
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
printf("Error: could not use CA certificate '%s': %s\n",
sslprm.privatekey_file, ERR_reason_error_string(x));
printf("Error: could not use CA certificate '%s': %s\n", sslprm.privatekey_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
exit(STATE_CRITICAL);
@ -942,15 +959,19 @@ void setup_ssl()
}
} else {
/* use anonymous DH ciphers */
if (sslprm.allowDH == 2)
strcpy(sslprm.cipher_list, "ADH");
if (sslprm.allowDH == 2) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000
strncpy(sslprm.cipher_list, "ADH@SECLEVEL=0", MAX_FILENAME_LENGTH - 1);
#else
strncpy(sslprm.cipher_list, "ADH", MAX_FILENAME_LENGTH - 1);
#endif
}
}
if (SSL_CTX_set_cipher_list(ctx, sslprm.cipher_list) == 0) {
printf("Error: Could not set SSL/TLS cipher list: %s\n", sslprm.cipher_list);
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
printf("Could not set SSL/TLS cipher list '%s': %s\n",
sslprm.cipher_list, ERR_reason_error_string(x));
printf("Could not set SSL/TLS cipher list '%s': %s\n", sslprm.cipher_list, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
exit(STATE_CRITICAL);
@ -987,8 +1008,7 @@ int connect_to_remote()
int result, rc, ssl_err, ern, x, nerrs = 0;
/* try to connect to the host at the given port number */
if ((sd =
my_connect(server_name, &hostaddr, server_port, address_family, bind_address)) < 0)
if ((sd = my_connect(server_name, &hostaddr, server_port, address_family, bind_address, stderr_to_stdout)) < 0)
exit(timeout_return_code);
result = STATE_OK;
@ -1025,36 +1045,31 @@ int connect_to_remote()
if (sslprm.log_opts & (SSL_LogCertDetails | SSL_LogIfClientCert)) {
rc = 0;
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s",
rem_host, ERR_reason_error_string(x));
logit(LOG_ERR, "Error: (ERR_get_error_line_data = %d), Could not complete SSL handshake with %s: %s", x, rem_host, ERR_reason_error_string(x));
++nerrs;
}
if (nerrs == 0)
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: rc=%d SSL-error=%d",
rem_host, rc, ssl_err);
if (nerrs == 0) {
logit(LOG_ERR, "Error: (nerrs = 0) Could not complete SSL handshake with %s: rc=%d SSL-error=%d", rem_host, rc, ssl_err);
}
} else {
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s",
rem_host, ERR_reason_error_string(x));
logit(LOG_ERR, "Error: (!log_opts) Could not complete SSL handshake with %s: %s", rem_host, ERR_reason_error_string(x));
++nerrs;
}
if (nerrs == 0)
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: "
"rc=%d SSL-error=%d", rem_host, rc, ssl_err);
if (nerrs == 0) {
logit(LOG_ERR, "Error: (nerrs = 0)(!log_opts) Could not complete SSL handshake with %s: rc=%d SSL-error=%d", rem_host, rc, ssl_err);
}
}
if (ssl_err == 5) {
/* Often, errno will be zero, so print a generic message here */
if (ern == 0)
printf("CHECK_NRPE: Error - Could not connect to %s. Check system logs on %s\n",
rem_host, rem_host);
printf("CHECK_NRPE: Error - Could not connect to %s. Check system logs on %s\n", rem_host, rem_host);
else
printf("CHECK_NRPE: Error - Could not connect to %s: %s\n",
rem_host, strerror(ern));
} else
printf("CHECK_NRPE: Error - Could not complete SSL handshake with %s: %d\n",
rem_host, ssl_err);
printf("CHECK_NRPE: Error - Could not connect to %s: %s\n", rem_host, strerror(ern));
} else {
printf("CHECK_NRPE: (ssl_err != 5) Error - Could not complete SSL handshake with %s: %d\n", rem_host, ssl_err);
}
# ifdef DEBUG
printf("SSL_connect=%d\n", rc);
@ -1089,8 +1104,8 @@ int connect_to_remote()
if (peer) {
if (sslprm.log_opts & SSL_LogIfClientCert)
logit(LOG_NOTICE, "SSL %s has %s certificate",
rem_host, SSL_get_verify_result(ssl) ? "a valid" : "an invalid");
logit(LOG_NOTICE, "SSL %s has %s certificate", rem_host, SSL_get_verify_result(ssl) == X509_V_OK ? "a valid" : "an invalid");
if (sslprm.log_opts & SSL_LogCertDetails) {
X509_NAME_oneline(X509_get_subject_name(peer), buffer, sizeof(buffer));
logit(LOG_NOTICE, "SSL %s Cert Name: %s", rem_host, buffer);
@ -1240,13 +1255,14 @@ int read_response()
} else if (rc == 0) {
/* server disconnected */
printf("CHECK_NRPE: Received 0 bytes from daemon. Check "
"the remote server logs for error messages.\n");
printf("CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.\n");
if (packet_ver == NRPE_PACKET_VERSION_3) {
if (v3_receive_packet)
if (v3_receive_packet) {
free(v3_receive_packet);
} else if (v2_receive_packet)
}
} else if (v2_receive_packet) {
free(v2_receive_packet);
}
return STATE_UNKNOWN;
}
@ -1259,8 +1275,9 @@ int read_response()
calculated_crc32 = calculate_crc32((char *)v3_receive_packet, pkt_size);
} else {
pkt_size = sizeof(v2_packet);
if (payload_size > 0)
if (payload_size > 0) {
pkt_size = sizeof(v2_packet) - MAX_PACKETBUFFER_LENGTH + payload_size;
}
packet_crc32 = ntohl(v2_receive_packet->crc32_value);
v2_receive_packet->crc32_value = 0L;
calculated_crc32 = calculate_crc32((char *)v2_receive_packet, pkt_size);
@ -1270,10 +1287,12 @@ int read_response()
printf("CHECK_NRPE: Response packet had invalid CRC32.\n");
close(sd);
if (packet_ver == NRPE_PACKET_VERSION_3) {
if (v3_receive_packet)
if (v3_receive_packet) {
free(v3_receive_packet);
} else if (v2_receive_packet)
}
} else if (v2_receive_packet) {
free(v2_receive_packet);
}
return STATE_UNKNOWN;
}
@ -1281,30 +1300,35 @@ int read_response()
/* and print the output returned by the daemon */
if (packet_ver == NRPE_PACKET_VERSION_3) {
result = ntohs(v3_receive_packet->result_code);
if (v3_receive_packet->buffer_length == 0)
if (v3_receive_packet->buffer_length == 0) {
printf("CHECK_NRPE: No output returned from daemon.\n");
else
} else {
printf("%s\n", v3_receive_packet->buffer);
}
} else {
result = ntohs(v2_receive_packet->result_code);
if (payload_size > 0)
if (payload_size > 0) {
v2_receive_packet->buffer[payload_size - 1] = '\x0';
else
} else {
v2_receive_packet->buffer[MAX_PACKETBUFFER_LENGTH - 1] = '\x0';
if (!strcmp(v2_receive_packet->buffer, ""))
}
if (!strcmp(v2_receive_packet->buffer, "")) {
printf("CHECK_NRPE: No output returned from daemon.\n");
else if (strstr(v2_receive_packet->buffer, "Invalid packet version.3") != NULL)
} else if (strstr(v2_receive_packet->buffer, "Invalid packet version.3") != NULL) {
/* NSClient++ doesn't recognize it */
return -1;
else
} else {
printf("%s\n", v2_receive_packet->buffer);
}
}
if (packet_ver == NRPE_PACKET_VERSION_3) {
if (v3_receive_packet)
if (v3_receive_packet) {
free(v3_receive_packet);
} else if (v2_receive_packet)
}
} else if (v2_receive_packet) {
free(v2_receive_packet);
}
return result;
}
@ -1325,9 +1349,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
if (rc <= 0 || rc != bytes_to_recv) {
if (rc < bytes_to_recv) {
if (packet_ver != NRPE_PACKET_VERSION_3)
printf("CHECK_NRPE: Receive header underflow - "
"only %d bytes received (%ld expected).\n",
rc, sizeof(bytes_to_recv));
printf("CHECK_NRPE: Receive header underflow - only %d bytes received (%ld expected).\n", rc, sizeof(bytes_to_recv));
}
return -1;
}
@ -1348,8 +1370,9 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
if (payload_size > 0) {
pkt_size = common_size + payload_size;
buffer_size = payload_size;
} else
} else {
buffer_size = pkt_size - common_size;
}
if ((*v2_pkt = calloc(1, pkt_size)) == NULL) {
logit(LOG_ERR, "Error: Could not allocate memory for packet");
return -1;
@ -1398,8 +1421,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
*v2_pkt = NULL;
}
if (rc < buffer_size)
printf("CHECK_NRPE: Receive underflow - only %d bytes received "
"(%ld expected).\n", rc, sizeof(buffer_size));
printf("CHECK_NRPE: Receive underflow - only %d bytes received (%ld expected).\n", rc, sizeof(buffer_size));
return -1;
} else
tot_bytes += rc;
@ -1415,8 +1437,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
if (rc <= 0 || rc != bytes_to_recv) {
if (rc < bytes_to_recv) {
if (packet_ver != NRPE_PACKET_VERSION_3)
printf("CHECK_NRPE: Receive header underflow - only %d bytes "
"received (%ld expected).\n", rc, sizeof(bytes_to_recv));
printf("CHECK_NRPE: Receive header underflow - only %d bytes received (%ld expected).\n", rc, sizeof(bytes_to_recv));
}
return -1;
}
@ -1504,12 +1525,11 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk
*v2_pkt = NULL;
}
if (bytes_read != buffer_size) {
if (packet_ver == NRPE_PACKET_VERSION_3)
printf("CHECK_NRPE: Receive buffer size - %ld bytes received "
"(%ld expected).\n", (long)bytes_read, sizeof(buffer_size));
else
printf("CHECK_NRPE: Receive underflow - only %ld bytes received "
"(%ld expected).\n", (long)bytes_read, sizeof(buffer_size));
if (packet_ver == NRPE_PACKET_VERSION_3) {
printf("CHECK_NRPE: Receive buffer size - %ld bytes received (%ld expected).\n", (long)bytes_read, sizeof(buffer_size));
} else {
printf("CHECK_NRPE: Receive underflow - only %ld bytes received (%ld expected).\n", (long)bytes_read, sizeof(buffer_size));
}
}
return -1;
} else
@ -1542,8 +1562,8 @@ int verify_callback(int preverify_ok, X509_STORE_CTX * ctx)
if (!preverify_ok && sslprm.client_certs >= Ask_For_Cert
&& (sslprm.log_opts & SSL_LogCertDetails)) {
logit(LOG_ERR, "SSL Client has an invalid certificate: %s (issuer=%s) err=%d:%s",
name, issuer, err, X509_verify_cert_error_string(err));
logit(LOG_ERR, "SSL Client has an invalid certificate: %s (issuer=%s) err=%d:%s", name, issuer, err, X509_verify_cert_error_string(err));
}
return preverify_ok;
@ -1565,11 +1585,15 @@ void alarm_handler(int sig)
if (timeout_txt[lth2] == 0)
break;
write(STDOUT_FILENO, msg1, sizeof(msg1) - 1);
write(STDOUT_FILENO, text, lth1);
write(STDOUT_FILENO, msg2, sizeof(msg2) - 1);
write(STDOUT_FILENO, timeout_txt, lth2);
write(STDOUT_FILENO, msg3, sizeof(msg3) - 1);
if ((write(STDOUT_FILENO, msg1, sizeof(msg1) - 1) == -1)
|| (write(STDOUT_FILENO, text, lth1) == -1)
|| (write(STDOUT_FILENO, msg2, sizeof(msg2) - 1) == -1)
|| (write(STDOUT_FILENO, timeout_txt, lth2) == -1)
|| (write(STDOUT_FILENO, msg3, sizeof(msg3) - 1) == -1)) {
logit(LOG_ERR, "ERROR: alarm_handler() write(): %s", strerror(errno));
}
exit(timeout_return_code);
}

295
src/nrpe.c
View File

@ -1,10 +1,10 @@
/*******************************************************************************
/****************************************************************************
*
* NRPE.C - Nagios Remote Plugin Executor
* nrpe.c - Nagios Remote Plugin Executor
*
* Copyright (c) 2009 Nagios Core Development Team and Community Contributors
* Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
* License: GPL
* License: GPLv2
* Copyright (c) 2009-2017 Nagios Enterprises
* 1999-2008 Ethan Galstad (nagios@nagios.org)
*
* Command line: nrpe -c <config_file> [--inetd | --daemon]
*
@ -16,13 +16,23 @@
* such as check_users, check_load, check_disk, etc. without
* having to use rsh or ssh.
*
******************************************************************************/
/*
* 08-10-2011 IPv4 subnetworks support added.
* Main change in nrpe.c is that is_an_allowed_host() moved to acl.c.
* now allowed_hosts is parsed by parse_allowed_hosts() from acl.c.
*/
* License Notice:
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*
****************************************************************************/
#include "config.h"
#include "common.h"
@ -102,6 +112,8 @@ int show_help = FALSE;
int show_license = FALSE;
int show_version = FALSE;
int use_inetd = TRUE;
int commands_running = 0;
int max_commands = 0;
int debug = FALSE;
int use_src = FALSE; /* Define parameter for SRC option */
int no_forking = FALSE;
@ -135,7 +147,11 @@ struct _SSL_PARMS {
ClntCerts client_certs;
SslLogging log_opts;
} sslprm = {
#if OPENSSL_VERSION_NUMBER >= 0x10100000
NULL, NULL, NULL, "ALL:!MD5:@STRENGTH:@SECLEVEL=0", TLSv1_plus, TRUE, 0, SSL_NoLogging};
#else
NULL, NULL, NULL, "ALL:!MD5:@STRENGTH", TLSv1_plus, TRUE, 0, SSL_NoLogging};
#endif
#ifdef HAVE_SSL
@ -167,7 +183,10 @@ int main(int argc, char **argv)
/* get absolute path of current working directory */
strcpy(config_file, "");
getcwd(config_file, sizeof(config_file));
if (getcwd(config_file, sizeof(config_file)) == NULL) {
printf("ERROR: getcwd(): %s, bailing out...\n", strerror(errno));
exit(STATE_CRITICAL);
}
/* append a forward slash */
strncat(config_file, "/", sizeof(config_file) - 2);
@ -263,6 +282,9 @@ void init_ssl(void)
/* initialize SSL */
SSL_load_error_strings();
SSL_library_init();
ENGINE_load_builtin_engines();
RAND_set_rand_engine(NULL);
ENGINE_register_all_complete();
meth = SSLv23_server_method();
@ -408,7 +430,7 @@ void init_ssl(void)
SSL_CTX_set_verify(ctx, vrfy, verify_callback);
if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
logit(LOG_ERR, "Error: could not use certificate file '%s': %s\n",
logit(LOG_ERR, "Error: could not use CA certificate file '%s': %s\n",
sslprm.cacert_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
@ -422,8 +444,14 @@ void init_ssl(void)
strcat(sslprm.cipher_list, ":!ADH");
} else {
/* use anonymous DH ciphers */
if (sslprm.allowDH == 2)
strcpy(sslprm.cipher_list, "ADH");
if (sslprm.allowDH == 2) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000
strncpy(sslprm.cipher_list, "ADH@SECLEVEL=0", MAX_FILENAME_LENGTH - 1);
#else
strncpy(sslprm.cipher_list, "ADH", MAX_FILENAME_LENGTH - 1);
#endif
}
#ifdef USE_SSL_DH
dh = get_dh2048();
SSL_CTX_set_tmp_dh(ctx, dh);
@ -452,12 +480,8 @@ void log_ssl_startup(void)
sslprm.privatekey_file ? sslprm.privatekey_file : "None");
logit(LOG_INFO, "SSL CA Certificate File: %s",
sslprm.cacert_file ? sslprm.cacert_file : "None");
if (sslprm.allowDH < 2)
logit(LOG_INFO, "SSL Cipher List: %s", sslprm.cipher_list);
else
logit(LOG_INFO, "SSL Cipher List: ADH");
logit(LOG_INFO, "SSL Allow ADH: %s",
sslprm.allowDH == 0 ? "No" : (sslprm.allowDH == 1 ? "Allow" : "Require"));
logit(LOG_INFO, "SSL Cipher List: %s", sslprm.cipher_list);
logit(LOG_INFO, "SSL Allow ADH: %d", sslprm.allowDH == 0);
logit(LOG_INFO, "SSL Client Certs: %s",
sslprm.client_certs == 0 ? "Don't Ask" : (sslprm.client_certs ==
1 ? "Accept" : "Require"));
@ -503,50 +527,57 @@ void log_ssl_startup(void)
void usage(int result)
{
printf("\n");
if (result != OK) {
printf("\n");
printf("Incorrect command line arguments supplied\n");
printf("\n");
}
printf("NRPE - Nagios Remote Plugin Executor\n");
printf("Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)\n");
printf("Version: %s\n", PROGRAM_VERSION);
printf("Last Modified: %s\n", MODIFICATION_DATE);
printf("License: GPL v2 with exemptions (-l for more info)\n");
printf("\n");
if (result != OK || show_help == TRUE) {
printf("Copyright (c) 2009-2017 Nagios Enterprises\n");
printf(" 1999-2008 Ethan Galstad (nagios@nagios.org)\n");
printf("\n");
printf("Last Modified: %s\n", MODIFICATION_DATE);
printf("\n");
printf("License: GPL v2 with exemptions (-l for more info)\n");
printf("\n");
#ifdef HAVE_SSL
printf("SSL/TLS Available, OpenSSL 0.9.6 or higher required\n");
printf("SSL/TLS Available, OpenSSL 0.9.6 or higher required\n");
printf("\n");
#endif
#ifdef HAVE_LIBWRAP
printf("TCP Wrappers Available\n");
printf("TCP Wrappers Available\n");
printf("\n");
#endif
printf("\n");
#ifdef ENABLE_COMMAND_ARGUMENTS
printf("***************************************************************\n");
printf("** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! **\n");
printf("** Read the NRPE SECURITY file for more information **\n");
printf("***************************************************************\n");
printf("\n");
printf("***************************************************************\n");
printf("** POSSIBLE SECURITY RISK - COMMAND ARGUMENTS ARE SUPPORTED! **\n");
printf("** Read the NRPE SECURITY file for more information **\n");
printf("***************************************************************\n");
printf("\n");
#endif
#ifndef HAVE_LIBWRAP
printf("***************************************************************\n");
printf("** POSSIBLE SECURITY RISK - TCP WRAPPERS ARE NOT AVAILABLE! **\n");
printf("** Read the NRPE SECURITY file for more information **\n");
printf("***************************************************************\n");
printf("\n");
printf("***************************************************************\n");
printf("** POSSIBLE SECURITY RISK - TCP WRAPPERS ARE NOT AVAILABLE! **\n");
printf("** Read the NRPE SECURITY file for more information **\n");
printf("***************************************************************\n");
printf("\n");
#endif
if (show_license == TRUE)
display_license();
if (result != OK || show_help == TRUE) {
printf("Usage: nrpe [-n] -c <config_file> [-4|-6] <mode>\n");
printf("Usage: nrpe [-V] [-n] -c <config_file> [-4|-6] <mode>\n");
printf("\n");
printf("Options:\n");
printf(" -n = Do not use SSL\n");
printf(" -c <config_file> = Name of config file to use\n");
printf(" -4 = use ipv4 only\n");
printf(" -6 = use ipv6 only\n");
printf(" <mode> = One of the following operating modes:\n");
printf(" -i = Run as a service under inetd or xinetd\n");
printf(" -d = Run as a standalone daemon\n");
printf(" -d -s = Run as a subsystem under AIX\n");
printf(" -f = Don't fork() for systemd, launchd, etc.\n");
printf(" -V, --version Print version info and quit\n");
printf(" -n, --no-ssl Do not use SSL\n");
printf(" -c, --config=FILE Name of config file to use\n");
printf(" -4, --ipv4 Use ipv4 only\n");
printf(" -6, --ipv6 Use ipv6 only\n");
printf(" <mode> (One of the following operating modes)\n");
printf(" -i, --inetd Run as a service under inetd or xinetd\n");
printf(" -d, --daemon Run as a standalone daemon\n");
printf(" -s, --src Run as a subsystem under AIX\n");
printf(" -f, --no-forking Don't fork() (for systemd, launchd, etc.)\n");
printf("\n");
printf("Notes:\n");
printf("This program is designed to process requests from the check_nrpe\n");
@ -559,6 +590,9 @@ void usage(int result)
printf("\n");
}
if (show_license == TRUE)
display_license();
exit(STATE_UNKNOWN);
}
@ -621,6 +655,11 @@ void set_stdio_sigs(void)
struct sigaction sig_action;
#endif
if (chdir("/") == -1) {
printf("ERROR: chdir(): %s, bailing out...\n", strerror(errno));
exit(STATE_CRITICAL);
}
close(0); /* close standard file descriptors */
close(1);
close(2);
@ -628,8 +667,6 @@ void set_stdio_sigs(void)
open("/dev/null", O_WRONLY);
open("/dev/null", O_WRONLY);
chdir("/");
/* handle signals */
#ifdef HAVE_SIGACTION
sig_action.sa_sigaction = NULL;
@ -650,8 +687,10 @@ void set_stdio_sigs(void)
exit(STATE_CRITICAL);
clean_environ(keep_env_vars, nrpe_user);
drop_privileges(nrpe_user, nrpe_group, 0); /* drop privileges */
check_privileges(); /* make sure we're not root */
/* drop and then check privileges */
drop_privileges(nrpe_user, nrpe_group, 0);
check_privileges();
}
void cleanup(void)
@ -786,6 +825,14 @@ int read_config_file(char *filename)
if (read_config_file(varvalue) == ERROR)
logit(LOG_ERR, "Continuing with errors...");
} else if (!strcmp(varname, "max_commands")) {
max_commands = atoi(varvalue);
if (max_commands < 0) {
logit(LOG_WARNING, "max_commands set too low, setting to 0\n");
max_commands = 0;
}
} else if (!strcmp(varname, "server_port")) {
server_port = atoi(varvalue);
if (server_port < 1024) {
@ -1407,7 +1454,7 @@ int wait_conn_fork(int sock)
pid = fork();
if (pid < 0) {
logit(LOG_ERR, "fork() failed with error %d, bailing out...", errno);
logit(LOG_ERR, "Second fork() failed with error %d, bailing out...", errno);
exit(STATE_CRITICAL);
}
@ -1500,10 +1547,10 @@ void conn_check_peer(int sock)
}
if (debug == TRUE)
logit(LOG_INFO, "CONN_CHECK_PEER: is this a blessed machine: %s port %d\n",
logit(LOG_INFO, "CONN_CHECK_PEER: checking if host is allowed: %s port %d\n",
remote_host, nptr->sin_port);
/* is this is a blessed machine? */
/* is this host allowed? */
if (allowed_hosts) {
#ifdef HAVE_STRUCT_SOCKADDR_STORAGE
switch (addr.ss_family) {
@ -1707,7 +1754,7 @@ void handle_connection(int sock)
send_buff = calloc(1, sizeof(buffer));
strcpy(send_buff, buffer);
}
result = STATE_CRITICAL;
result = STATE_UNKNOWN;
} else {
@ -1873,31 +1920,29 @@ int handle_conn_ssl(int sock, void *ssl_ptr)
/* keep attempting the request if needed */
while (((rc = SSL_accept(ssl)) != 1)
&& (SSL_get_error(ssl, rc) == SSL_ERROR_WANT_READ)) ;
&& (SSL_get_error(ssl, rc) == SSL_ERROR_WANT_READ));
if (rc != 1) {
/* oops, got an unrecoverable error -- get out */
if (sslprm.log_opts & (SSL_LogCertDetails | SSL_LogIfClientCert)) {
int nerrs = 0;
int nerrs = 0;
rc = 0;
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
errmsg = ERR_reason_error_string(x);
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s",
remote_host, errmsg);
if (errmsg && !strcmp(errmsg, "no shared cipher")) {
if (sslprm.cert_file == NULL || sslprm.cacert_file == NULL)
logit(LOG_ERR, "Error: This could be because you have not "
"specified certificate or ca-certificate files");
}
logit(LOG_ERR, "Error: (ERR_get_error_line_data = %d), Could not complete SSL handshake with %s: %s", x, remote_host, errmsg);
if (errmsg && !strcmp(errmsg, "no shared cipher") && (sslprm.cert_file == NULL || sslprm.cacert_file == NULL))
logit(LOG_ERR, "Error: This could be because you have not specified certificate or ca-certificate files");
++nerrs;
}
if (nerrs == 0)
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %d",
remote_host, SSL_get_error(ssl, rc));
} else
logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %d",
remote_host, SSL_get_error(ssl, rc));
if (nerrs == 0) {
logit(LOG_ERR, "Error: (nerrs = 0) Could not complete SSL handshake with %s: %d", remote_host, SSL_get_error(ssl, rc));
}
} else {
logit(LOG_ERR, "Error: (!log_opts) Could not complete SSL handshake with %s: %d", remote_host, SSL_get_error(ssl, rc));
}
# ifdef DEBUG
errfp = fopen("/tmp/err.log", "a");
ERR_print_errors_fp(errfp);
@ -1908,27 +1953,30 @@ int handle_conn_ssl(int sock, void *ssl_ptr)
/* successful handshake */
if (sslprm.log_opts & SSL_LogVersion)
logit(LOG_NOTICE, "Remote %s - SSL Version: %s",
remote_host, SSL_get_version(ssl));
logit(LOG_NOTICE, "Remote %s - SSL Version: %s", remote_host, SSL_get_version(ssl));
if (sslprm.log_opts & SSL_LogCipher) {
c = SSL_get_current_cipher(ssl);
logit(LOG_NOTICE, "Remote %s - %s, Cipher is %s", remote_host,
SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
logit(LOG_NOTICE, "Remote %s - %s, Cipher is %s", remote_host, SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
}
if ((sslprm.log_opts & SSL_LogIfClientCert)
|| (sslprm.log_opts & SSL_LogCertDetails))
{
|| (sslprm.log_opts & SSL_LogCertDetails)) {
peer = SSL_get_peer_certificate(ssl);
if (peer) {
if (sslprm.log_opts & SSL_LogIfClientCert)
logit(LOG_NOTICE, "SSL Client %s has %svalid certificate",
remote_host, SSL_get_verify_result(ssl) ? "a " : "an in");
logit(LOG_NOTICE, "SSL Client %s has %s certificate",
remote_host, SSL_get_verify_result(ssl) == X509_V_OK ? "a valid" : "an invalid");
if (sslprm.log_opts & SSL_LogCertDetails) {
X509_NAME_oneline(X509_get_subject_name(peer), buffer, sizeof(buffer));
logit(LOG_NOTICE, "SSL Client %s Cert Name: %s",
remote_host, buffer);
X509_NAME_oneline(X509_get_issuer_name(peer), buffer, sizeof(buffer));
logit(LOG_NOTICE, "SSL Client %s Cert Issuer: %s",
remote_host, buffer);
@ -1963,7 +2011,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet * v2_pkt, v3_packet ** v3_pkt
packet_ver = ntohs(v2_pkt->packet_version);
if (packet_ver != NRPE_PACKET_VERSION_2 && packet_ver != NRPE_PACKET_VERSION_3) {
logit(LOG_ERR, "Error: Request packet version was invalid!");
logit(LOG_ERR, "Error: (use_ssl == false): Request packet version was invalid!");
return -1;
}
@ -1991,7 +2039,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet * v2_pkt, v3_packet ** v3_pkt
buffer_size = ntohl(buffer_size);
pkt_size += buffer_size;
if ((*v3_pkt = calloc(1, pkt_size)) == NULL) {
logit(LOG_ERR, "Error: Could not allocate memory for packet");
logit(LOG_ERR, "Error: (use_ssl == false): Could not allocate memory for packet");
return -1;
}
@ -2025,7 +2073,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet * v2_pkt, v3_packet ** v3_pkt
packet_ver = ntohs(v2_pkt->packet_version);
if (packet_ver != NRPE_PACKET_VERSION_2 && packet_ver != NRPE_PACKET_VERSION_3) {
logit(LOG_ERR, "Error: Request packet version was invalid!");
logit(LOG_ERR, "Error: (use_ssl == true): Request packet version was invalid!");
return -1;
}
@ -2058,7 +2106,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet * v2_pkt, v3_packet ** v3_pkt
buffer_size = ntohl(buffer_size);
pkt_size += buffer_size;
if ((*v3_pkt = calloc(1, pkt_size)) == NULL) {
logit(LOG_ERR, "Error: Could not allocate memory for packet");
logit(LOG_ERR, "Error: (use_ssl == true): Could not allocate memory for packet");
return -1;
}
@ -2129,7 +2177,19 @@ int my_system(char *command, int timeout, int *early_timeout, char **output)
if (command == NULL) /* if no command was passed, return with no error */
return STATE_OK;
pipe(fd); /* create a pipe */
/* make sure that we are within max_commands boundaries before attempting */
if (max_commands != 0) {
while (commands_running >= max_commands) {
logit(LOG_WARNING, "Commands choked. Sleeping 1s - commands_running: %d, max_commands: %d", commands_running, max_commands);
sleep(1);
}
}
/* create a pipe */
if (pipe(fd) == -1) {
logit(LOG_ERR, "ERROR: pipe(): %s, bailing out...", strerror(errno));
exit(STATE_CRITICAL);
}
/* make the pipe non-blocking */
fcntl(fd[0], F_SETFL, O_NONBLOCK);
@ -2161,7 +2221,11 @@ int my_system(char *command, int timeout, int *early_timeout, char **output)
/* execute the command in the child process */
if (pid == 0) {
SETEUID(0); /* get root back so the next call works correctly */
/* get root back so the next call works correctly */
if (SETEUID(0) == -1 && debug)
logit(LOG_WARNING, "WARNING: my_system() seteuid(0): %s", strerror(errno));
drop_privileges(nrpe_user, nrpe_group, 1); /* drop privileges */
close(fd[0]); /* close pipe for reading */
setpgid(0, 0); /* become process group leader */
@ -2184,8 +2248,11 @@ int my_system(char *command, int timeout, int *early_timeout, char **output)
if (fp == NULL) {
strncpy(buffer, "NRPE: Call to popen() failed\n", sizeof(buffer) - 1);
buffer[sizeof(buffer) - 1] = '\x0';
/* write the error back to the parent process */
write(fd[1], buffer, strlen(buffer) + 1);
if (write(fd[1], buffer, strlen(buffer) + 1) == -1)
logit(LOG_ERR, "ERROR: my_system() write(fd, buffer)-1 failed...");
result = STATE_CRITICAL;
} else {
@ -2193,10 +2260,13 @@ int my_system(char *command, int timeout, int *early_timeout, char **output)
/* read all lines of output - supports Nagios 3.x multiline output */
while ((bytes_read = fread(buffer, 1, sizeof(buffer) - 1, fp)) > 0) {
/* write the output back to the parent process */
write(fd[1], buffer, bytes_read);
if (write(fd[1], buffer, bytes_read) == -1)
logit(LOG_ERR, "ERROR: my_system() write(fd, buffer)-2 failed...");
}
write(fd[1], "\0", 1);
if (write(fd[1], "\0", 1) == -1)
logit(LOG_ERR, "ERROR: my_system() write(fd, NULL) failed...");
status = pclose(fp); /* close the command and get termination status */
/* report an error if we couldn't close the command */
@ -2216,6 +2286,8 @@ int my_system(char *command, int timeout, int *early_timeout, char **output)
} else {
/* parent waits for child to finish executing command */
commands_running++;
close(fd[1]); /* close pipe for writing */
waitpid(pid, &status, 0); /* wait for child to exit */
time(&end_time); /* get the end time for running the command */
@ -2266,6 +2338,8 @@ int my_system(char *command, int timeout, int *early_timeout, char **output)
}
close(fd[0]); /* close the pipe for reading */
commands_running--;
}
#ifdef DEBUG
@ -2296,6 +2370,9 @@ int drop_privileges(char *user, char *group, int full_drop)
struct group *grp;
struct passwd *pw;
if (use_inetd == TRUE)
return OK;
/* set effective group ID */
if (group != NULL) {
@ -2342,11 +2419,9 @@ int drop_privileges(char *user, char *group, int full_drop)
/* initialize supplementary groups */
if (initgroups(user, gid) == -1) {
if (errno == EPERM)
logit(LOG_ERR,
"Warning: Unable to change supplementary groups using initgroups()");
logit(LOG_ERR, "Warning: Unable to change supplementary groups using initgroups()");
else {
logit(LOG_ERR,
"Warning: Possibly root user failed dropping privileges with initgroups()");
logit(LOG_ERR, "Warning: Possibly root user failed dropping privileges with initgroups()");
return ERROR;
}
}
@ -2391,9 +2466,7 @@ int write_pid_file(void)
else {
/* previous process is still running */
logit(LOG_ERR,
"There's already an NRPE server running (PID %lu). Bailing out...",
(unsigned long)pid);
logit(LOG_ERR, "There's already an NRPE server running (PID %lu). Bailing out...", (unsigned long)pid);
return ERROR;
}
}
@ -2402,7 +2475,10 @@ int write_pid_file(void)
/* write new pid file */
if ((fd = open(pid_file, O_WRONLY | O_CREAT, 0644)) >= 0) {
sprintf(pbuf, "%d\n", (int)getpid());
write(fd, pbuf, strlen(pbuf));
if (write(fd, pbuf, strlen(pbuf)) == -1)
logit(LOG_ERR, "ERROR: write_pid_file() write(fd, pbuf) failed...");
close(fd);
wrote_pid_file = TRUE;
} else {
@ -2421,7 +2497,10 @@ int remove_pid_file(void)
if (wrote_pid_file == FALSE)
return OK; /* pid file was not written */
SETEUID(0); /* get root back so we can delete the pid file */
/* get root back so we can delete the pid file */
if (SETEUID(0) == -1 && debug)
logit(LOG_WARNING, "WARNING: remove_pid_file() seteuid(0): %s", strerror(errno));
if (unlink(pid_file) == -1) {
logit(LOG_ERR, "Cannot remove pidfile '%s' - check your privileges.", pid_file);
return ERROR;
@ -2587,8 +2666,7 @@ int validate_request(v2_packet * v2pkt, v3_packet * v3pkt)
if (strchr(v2pkt->buffer, '!')) {
#ifdef ENABLE_COMMAND_ARGUMENTS
if (allow_arguments == FALSE) {
logit(LOG_ERR,
"Error: Request contained command arguments, but argument option is not enabled!");
logit(LOG_ERR, "Error: Request contained command arguments, but argument option is not enabled!");
return ERROR;
}
#else
@ -2631,8 +2709,7 @@ int validate_request(v2_packet * v2pkt, v3_packet * v3pkt)
return ERROR;
# else
if (FALSE == allow_bash_cmd_subst) {
logit(LOG_ERR,
"Error: Request contained a bash command substitution, but they are disallowed!");
logit(LOG_ERR, "Error: Request contained a bash command substitution, but they are disallowed!");
return ERROR;
}
# endif
@ -2737,11 +2814,12 @@ int process_arguments(int argc, char **argv)
{"src", no_argument, 0, 's'},
{"no-forking", no_argument, 0, 'f'},
{"4", no_argument, 0, '4'},
{"6", no_argument, 0, '4'},
{"ipv6", no_argument, 0, '6'},
{"daemon", no_argument, 0, 'd'},
{"no-ssl", no_argument, 0, 'n'},
{"help", no_argument, 0, 'h'},
{"license", no_argument, 0, 'l'},
{"version", no_argument, 0, 'V'},
{0, 0, 0, 0}
};
#endif
@ -2771,6 +2849,7 @@ int process_arguments(int argc, char **argv)
case 'V':
show_version = TRUE;
have_mode = TRUE;
break;
case 'l':

78
src/utils.c
View File

@ -1,17 +1,16 @@
/****************************************************************************
*
* UTILS.C - NRPE Utility Functions
* utils.c - NRPE Utility Functions
*
* License: GPL
* Copyright (c) 1999-2006 Ethan Galstad (nagios@nagios.org)
*
* Last Modified: 12-11-2006
* License: GPLv2
* Copyright (c) 2009-2017 Nagios Enterprises
* 1999-2008 Ethan Galstad (nagios@nagios.org)
*
* Description:
*
* This file contains common network functions used in nrpe and check_nrpe.
*
* License Information:
* License Notice:
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -58,7 +57,7 @@ static unsigned long crc32_table[256];
char *log_file = NULL;
FILE *log_fp = NULL;
static int my_create_socket(struct addrinfo *ai, const char *bind_address);
static int my_create_socket(struct addrinfo *ai, const char *bind_address, int redirect_stderr);
/* build the crc table - must be called before calculating the crc value */
@ -134,10 +133,10 @@ void randomize_buffer(char *buffer, int buffer_size)
/* opens a connection to a remote host */
#ifdef HAVE_STRUCT_SOCKADDR_STORAGE
int my_connect(const char *host, struct sockaddr_storage *hostaddr, u_short port,
int address_family, const char *bind_address)
int address_family, const char *bind_address, int redirect_stderr)
#else
int my_connect(const char *host, struct sockaddr *hostaddr, u_short port,
int address_family, const char *bind_address)
int address_family, const char *bind_address, int redirect_stderr)
#endif
{
struct addrinfo hints, *ai, *aitop;
@ -145,12 +144,16 @@ int my_connect(const char *host, struct sockaddr *hostaddr, u_short port,
int gaierr;
int sock = -1;
FILE *output = stderr;
if (redirect_stderr)
output = stdout;
memset(&hints, 0, sizeof(hints));
hints.ai_family = address_family;
hints.ai_socktype = SOCK_STREAM;
snprintf(strport, sizeof strport, "%u", port);
if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
fprintf(stderr, "Could not resolve hostname %.100s: %s\n", host, gai_strerror(gaierr));
fprintf(output, "Could not resolve hostname %.100s: %s\n", host, gai_strerror(gaierr));
exit(1);
}
@ -163,12 +166,12 @@ int my_connect(const char *host, struct sockaddr *hostaddr, u_short port,
continue;
if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
strport, sizeof(strport), NI_NUMERICHOST | NI_NUMERICSERV) != 0) {
fprintf(stderr, "my_connect: getnameinfo failed\n");
fprintf(output, "my_connect: getnameinfo failed\n");
continue;
}
/* Create a socket for connecting. */
sock = my_create_socket(ai, bind_address);
sock = my_create_socket(ai, bind_address, redirect_stderr);
if (sock < 0)
continue; /* Any error is already output */
@ -177,7 +180,7 @@ int my_connect(const char *host, struct sockaddr *hostaddr, u_short port,
memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen);
break;
} else {
fprintf(stderr, "connect to address %s port %s: %s\n", ntop, strport,
fprintf(output, "connect to address %s port %s: %s\n", ntop, strport,
strerror(errno));
close(sock);
sock = -1;
@ -188,21 +191,25 @@ int my_connect(const char *host, struct sockaddr *hostaddr, u_short port,
/* Return failure if we didn't get a successful connection. */
if (sock == -1) {
fprintf(stderr, "connect to host %s port %s: %s\n", host, strport, strerror(errno));
fprintf(output, "connect to host %s port %s: %s\n", host, strport, strerror(errno));
return -1;
}
return sock;
}
/* Creates a socket for the connection. */
int my_create_socket(struct addrinfo *ai, const char *bind_address)
int my_create_socket(struct addrinfo *ai, const char *bind_address, int redirect_stderr)
{
int sock, gaierr;
struct addrinfo hints, *res;
FILE *output = stderr;
if (redirect_stderr)
output = stdout;
sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
if (sock < 0)
fprintf(stderr, "socket: %.100s\n", strerror(errno));
fprintf(output, "socket: %.100s\n", strerror(errno));
/* Bind the socket to an alternative local IP address */
if (bind_address == NULL)
@ -215,12 +222,12 @@ int my_create_socket(struct addrinfo *ai, const char *bind_address)
hints.ai_flags = AI_PASSIVE;
gaierr = getaddrinfo(bind_address, NULL, &hints, &res);
if (gaierr) {
fprintf(stderr, "getaddrinfo: %s: %s\n", bind_address, gai_strerror(gaierr));
fprintf(output, "getaddrinfo: %s: %s\n", bind_address, gai_strerror(gaierr));
close(sock);
return -1;
}
if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) {
fprintf(stderr, "bind: %s: %s\n", bind_address, strerror(errno));
fprintf(output, "bind: %s: %s\n", bind_address, strerror(errno));
close(sock);
freeaddrinfo(res);
return -1;
@ -319,24 +326,35 @@ int clean_environ(const char *keep_env_vars, const char *nrpe_user)
free(keep);
free(kept);
setenv("PATH", path, 1);
setenv("IFS", " \t\n", 1);
setenv("LOGNAME", nrpe_user, 0);
setenv("USER", nrpe_user, 0);
pw = (struct passwd *)getpwnam(nrpe_user);
if (pw == NULL) {
char *end = NULL;
uid_t uid = strtol(nrpe_user, &end, 10);
if (uid > 0)
pw = (struct passwd *)getpwuid(uid);
if (pw == NULL || *end != '\0')
return OK;
char * user = NULL;
if (nrpe_user != NULL) {
user = strdup(nrpe_user);
pw = (struct passwd *)getpwnam(nrpe_user);
}
if (nrpe_user == NULL || pw == NULL) {
pw = (struct passwd *)getpwuid(getuid());
if (pw != NULL) {
user = strdup(pw->pw_name);
}
}
if (pw == NULL) {
free(user);
return OK;
}
setenv("PATH", path, 1);
setenv("IFS", " \t\n", 1);
setenv("LOGNAME", user, 0);
setenv("USER", user, 0);
setenv("HOME", pw->pw_dir, 0);
setenv("SHELL", pw->pw_shell, 0);
free(user);
return OK;
}

49
startup/gentoo-init.in Normal file
View File

@ -0,0 +1,49 @@
#!/sbin/openrc-run
#
# Copyright (c) 2016 Nagios(R) Core(TM) Development Team
#
# Start/stop the nrpe daemon.
#
# Goes in /etc/init.d - Config is in /etc/conf.d/nrpe
extra_started_commands="reload"
NRPE_BIN="@sbindir@/nrpe"
NRPE_PID="@piddir@/nrpe.pid"
NRPE_CFG=@pkgsysconfdir@/nrpe.cfg
depend() {
use logger dns net localmount netmount nfsmount
}
checkconfig() {
# Make sure the config file exists
if [ ! -f $NRPE_CFG ]; then
eerror "You need to setup $NRPE_CFG."
return 1
fi
return 0
}
start() {
checkconfig || return 1
ebegin "Starting nrpe"
# Make sure we have a sane current directory
cd /
start-stop-daemon --start --exec $NRPE_BIN --pidfile $NRPE_PID \
--background -- -c $NRPE_CFG -f $NRPE_OPTS
eend $?
}
stop() {
ebegin "Stopping nrpe"
start-stop-daemon --stop --exec $NRPE_BIN --pidfile $NRPE_PID
eend $?
}
reload() {
ebegin "Reloading nrpe"
start-stop-daemon --stop --oknodo --exec $NRPE_BIN \
--pidfile $NRPE_PID --signal HUP
eend $?
}

6
startup/openrc-conf.in
View File

@ -1,7 +1,7 @@
# /etc/conf.d/nrpe : config file for /etc/init.d/nrpe
# Configuration file - default is @sysconfdir@/nrpe.cfg
NRPE_CFG="@pgksysconfdir@/nrpe.cfg"
# The configuration file to use.
NRPE_CFG="@sysconfdir@/nrpe.cfg"
# Any additional nrpe options (-n -4 -6)
# Any additional options (e.g. -n -4 -6) to pass to the nrpe daemon.
NRPE_OPTS=""

54
startup/openrc-init.in
View File

@ -1,49 +1,17 @@
#!/sbin/runscript
#!/sbin/openrc-run
#
# Copyright (c) 2016 Nagios(R) Core(TM) Development Team
# Copyright (c) 2017 Nagios(R) Core(TM) Development Team
#
# Start/stop the nrpe daemon.
#
# Goes in /etc/init.d - Config is in /etc/conf.d/nrpe
opts="reload"
# extra_started_commands="reload" use this if OpenRC >= 0.9.4
NRPE_BIN="@sbindir@/nrpe"
NRPE_PID="@piddir@/nrpe.pid"
depend() {
use logger dns net localmount netmount nfsmount
}
checkconfig() {
# Make sure the config file exists
if [ ! -f $NRPE_CFG ]; then
eerror "You need to setup $NRPE_CFG.
return 1
fi
return 0
}
start() {
checkconfig || return 1
ebegin "Starting nrpe"
# Make sure we have a sane current directory
cd /
start-stop-daemon --start --exec $NRPE_BIN --pidfile $PID_FILE \
-- -c $NRPE_CFG -f $NRPE_OPTS
eend $?
}
stop() {
ebegin "Stopping nrpe"
start-stop-daemon --stop --exec $NRPE_BIN --pidfile $PID_FILE
eend $?
}
command="@sbindir@/nrpe"
command_args="--config=${NRPE_CFG} ${NRPE_OPTS}"
command_args_background="--daemon"
description="Nagios Remote Plugin Executor (NRPE) daemon"
extra_started_commands="reload"
pidfile="@piddir@/nrpe.pid"
reload() {
ebegin "Reloading nrpe"
start-stop-daemon --stop --oknodo --exec $NRPE_BIN \
--pidfile $PID_FILE --signal HUP
eend $?
ebegin "Reloading ${SVCNAME}"
start-stop-daemon --signal HUP --pidfile "${pidfile}"
eend $?
}

3
test-wrapper Executable file
View File

@ -0,0 +1,3 @@
#!/bin/bash
# Replace this once test is working properly.
./travis-test-1

34
travis-test-1 Executable file
View File

@ -0,0 +1,34 @@
#!/bin/bash
# Integration test for nrpe/check_nrpe
# Should be run only on machines which do NOT have Nagios installed
# and which do not have an enabled firewall.
cd sample-config
echo >> nrpe.cfg # Hopefully this is a newline! I think nrpe.cfg ends in a newling anyways.
echo 'command[check_test]=/tmp/check_yes.sh' >> nrpe.cfg
# Make sure the directory exists such that nrpe can create the nrpe.pid file in the default location
mkdir /usr/ || true
mkdir /usr/local || true
mkdir /usr/local/nagios || true
mkdir /usr/local/nagios/var || true
# Make sure nagios user exists
useradd nagios
# Make a plugin
touch /tmp/check_yes.sh
echo 'echo OK' >> /tmp/check_yes.sh
# Give nagios control of plugins
chown nagios /tmp/check_yes.sh
chmod +x /tmp/check_yes.sh
# Start running the NRPE daemon to accept commands
cd ../src
./nrpe -c ../sample-config/nrpe.cfg -d
# Try to check_nrpe with our check_test command/check_yes.sh plugin
./check_nrpe -H 127.0.0.1 -c check_test
exit 0

6
update-version
View File

@ -28,10 +28,10 @@ else
fi
# Current version number
CURRENTVERSION=3.1.1
CURRENTVERSION=3.2.1
# Last date
LASTDATE=2017-05-24
LASTDATE=2017-09-01
if [ "x$1" = "x" ]
then
@ -41,6 +41,8 @@ then
echo "update version number and modification date in files."
echo "Use the \"newdate\" argument if you want to keep the current version"
echo "number and just update the modification date."
echo "When using \"newdate\" you can specify the release date with"
echo "a second argument in the form of YYYY-MM-DD."
echo ""
echo "Current version=$CURRENTVERSION"
echo "Current Modification date=$LASTDATE"