[check_postgres] more secure nagios checks

Robert Treat xzilla at users.sourceforge.net
Tue Mar 10 19:31:17 UTC 2009


On Tuesday 10 March 2009 07:34:55 Glyn Astill wrote:
> --- On Mon, 9/3/09, Robert Treat <xzilla at users.sourceforge.net> wrote:
> > Howdy folks,
> >
> > I've got a system that has some relatively high security needs that I want to
> > use check_postgres / nagios on.  Currently some of the checks I want to use
> > require superuser access (like check_postgres_wal_files), but I'd rather not
> > put a superuser account into my nagios config. In theory it would be easy to
> > wrap the checks into a security definer function and have a non-super user
> > call them, but I'm not really eager to make a quasi-fork of check postgres.
> > So, before I do that, I thought I'd ask if anyone here has had a similar need
> > and come up with a work around for that? Alternatively, if I do have to go
> > through rewriting the checks, does anyone have an interest in using them? TIA
>
> I've not avoided putting account details in my nagios config, so this
> probably is not secure enough for you. However all my checks are done via
> the nrpe plugin, this way the superuser account is only used on the
> database server itself via a .pgpass file, i.e. no account details are on
> the external monitoring machines running nagios.

We're doing something similar as a stop-gap. I had someone fix the last couple 
issues preventing nagios plugins from being used in resmon 
(http://labs.omniti.com/trac/resmon/), so we can now run check_postgres from 
the local server. 

Note, I spoke with Greg a bit, and it looks like we can provide a thin
layer between check_postgres and the database to give the nagios user access
to all the various knobs/switches it needs without full superuser access. I
have this working with wal files, the rest should be quite a bit easier.
Anyone interested can follow along at
http://github.com/xzilla/check_postgres/tree/dashdashsecure

-- 
Robert Treat
Conjecture: http://www.xzilla.net
Consulting: http://www.omniti.com
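
The security definer wrapper discussed in this thread, sketched for the WAL file count. This is an added example, not code from check_postgres or from the dashdashsecure branch. The schema `monitor`, the function `wal_file_count` and an already existing non-superuser role `nagios` are assumptions.

```sql
-- Run once as a superuser. The names monitor, wal_file_count and nagios
-- are hypothetical; the nagios role is assumed to exist already.
BEGIN;

CREATE SCHEMA monitor;
REVOKE ALL ON SCHEMA monitor FROM PUBLIC;

-- SECURITY DEFINER: the body runs with the privileges of the function
-- owner (the superuser creating it), so the caller needs no superuser
-- rights. The function takes no arguments, so the caller cannot point it
-- at another directory; it can only obtain this one count.
CREATE FUNCTION monitor.wal_file_count() RETURNS bigint
LANGUAGE sql
SECURITY DEFINER
-- Pin search_path so the caller cannot substitute objects from a schema
-- they control while the function runs with elevated rights.
SET search_path = pg_catalog, pg_temp
AS $$
    -- 'pg_xlog' is the WAL directory in releases before PostgreSQL 10,
    -- where it was renamed to 'pg_wal'.
    SELECT count(*)
    FROM pg_ls_dir('pg_xlog') AS f(name)
    WHERE f.name ~ '^[0-9A-F]{24}$';
$$;

-- Functions are executable by PUBLIC by default; remove that first,
-- then grant only to the monitoring role.
REVOKE ALL ON FUNCTION monitor.wal_file_count() FROM PUBLIC;
GRANT USAGE ON SCHEMA monitor TO nagios;
GRANT EXECUTE ON FUNCTION monitor.wal_file_count() TO nagios;

COMMIT;

-- Connected as nagios, the check then issues:
--   SELECT monitor.wal_file_count();
-- while a direct call to pg_ls_dir('pg_xlog') is still refused.
```

The credentials stored in the nagios configuration then unlock only the granted functions, so a leaked monitoring password does not yield superuser access to the database.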

