MariaDB vulnerabilities
-
- Posts: 19
- Joined: Thu Aug 05, 2021 2:37 pm
MariaDB vulnerabilities
Good evening,
As part of our trial of the Nagios products we’re required to subject the products to various security scans. I’ve come across some vulnerabilities of varying severities relating to the instances of MariaDB. We’ve installed Nagios on CentOS using the manual installation method.
Nagios XI
• There are two anonymous users defined: ''@localhost and ''@<servername>. Can these be removed?
• Can we remove the 'root'@'::1' IPv6 user?
• Can we remove the test database?
• /usr/local/nagiosxi/scripts/restore_xi.sh is world readable and contains the root MySQL password in cleartext. Can we change the permissions on this file?
• /usr/local/nagiosxi/var/xi-sys.cfg is world readable and contains the root MySQL password in cleartext. Can we change the permissions on this file?
• /usr/local/nagios/etc/ndo.cfg is world readable and contains the ndoutils MySQL password in cleartext. Can we change the permissions on this file?
• /usr/local/nagiosxi/html/config.inc.php is world readable and contains the ndoutils, nagiosxi and nagiosql MySQL passwords in cleartext. Can we change the permissions on this file?
• /usr/local/nagvis/etc/nagvis.ini.php is world readable and contains the ndoutils MySQL password in cleartext. Can we change the permissions on this file?
Nagios Fusion
• There are two anonymous users defined: ''@localhost and ''@<servername>. Can these be removed?
• Can we remove the 'root'@'::1' IPv6 user?
• Can we remove the test database?
• /usr/local/nagiosfusion/scripts/restore_fusion.sh is world readable and contains the root MySQL password in cleartext. Can we change the permissions on this file?
• /usr/local/nagiosfusion/var/fusion-sys.cfg is world readable and contains the root MySQL password in cleartext. Can we change the permissions on this file?
• /usr/local/nagiosfusion/html/config.inc.php is world readable and contains the fusion MySQL password in cleartext. Can we change the permissions on this file?
Nagios Network Analyzer
• The root MySQL user has no password set. Can we update this to a secure password of our choosing? Do we need to update any files? If there are files containing the password, can we change permissions so they're not world readable?
• Can we set the nagiosna MySQL account password to a password of our choosing? Do we need to update any files? If there are files containing the password, can we change permissions so they're not world readable?
• There are two anonymous users defined: ''@localhost and ''@<servername>. Can these be removed?
• Can we remove the 'root'@'::1' IPv6 user?
• Can we remove the test database?
Regards,
Neville
-
- Dreams In Code
- Posts: 7682
- Joined: Wed Feb 11, 2015 12:54 pm
Re: MariaDB vulnerabilities
In the future, please create new posts under the appropriate sections for each product; this is requested by policy.
Nagios XI:
I tested with removing the users/hardening the permissions on those files and I did not experience any issues:
- NOTE: You may need to change the -pnagiosxi if you've changed the root mysql password
- NOTE: Change <servername> to the hostname of the XI server
Code:
mysql -uroot -pnagiosxi -e "DROP USER ''@'localhost';"
mysql -uroot -pnagiosxi -e "DROP USER ''@'<servername>';"
mysql -uroot -pnagiosxi -e "DROP USER 'root'@'::1';"
mysql -uroot -pnagiosxi -e "FLUSH PRIVILEGES"
mysql -uroot -pnagiosxi -e "DROP DATABASE test;"
chmod 0750 /usr/local/nagiosxi/scripts/restore_xi.sh
chmod 0640 /usr/local/nagiosxi/var/xi-sys.cfg
chmod 0660 /usr/local/nagios/etc/ndo.cfg
chmod 0640 /usr/local/nagiosxi/html/config.inc.php
chmod 0640 /usr/local/nagvis/etc/nagvis.ini.php
See here as well:
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
Nagios Fusion:
I tested with removing the users/hardening the permissions on those files and I did not experience any issues:
- NOTE: You may need to change the -pfusion in the top 5 commands if you've changed the root mysql password
- NOTE: Change <servername> to the hostname of the Fusion server
Code:
mysql -uroot -pfusion -e "DROP USER ''@'localhost';"
mysql -uroot -pfusion -e "DROP USER ''@'<servername>';"
mysql -uroot -pfusion -e "DROP USER 'root'@'::1';"
mysql -uroot -pfusion -e "FLUSH PRIVILEGES"
mysql -uroot -pfusion -e "DROP DATABASE test;"
chmod 0750 /usr/local/nagiosfusion/scripts/restore_fusion.sh
chmod 0640 /usr/local/nagiosfusion/var/fusion-sys.cfg
chmod 0640 /usr/local/nagiosfusion/html/config.inc.php
See here as well:
https://assets.nagios.com/downloads/nag ... Fusion.pdf
Nagios Network Analyzer:
You can change the mysql root password like this:
Code:
mysqladmin -uroot password 'NewRootPass'
You can change the nagiosna mysql password like this:
Code:
mysql -uroot -p'NewRootPass' -e "set password for 'nagiosna'@'localhost'=password('NewPassword2');"
Then set the password here:
Code:
/var/www/html/nagiosna/application/config/config.local.php
I tested with removing the users/hardening the permissions on the file and I did not experience any issues:
- NOTE: You will need to change NewRootPass in all the commands to what your new mysql root password is
- NOTE: Change <servername> to the hostname of the NNA server
Code:
mysql -uroot -p'NewRootPass' -e "set password for 'fusion'@localhost= password('NewPassword2');"
mysql -uroot -p'NewRootPass' -e "DROP USER ''@'localhost';"
mysql -uroot -p'NewRootPass' -e "DROP USER ''@'<servername>';"
mysql -uroot -p'NewRootPass' -e "DROP USER 'root'@'::1';"
mysql -uroot -p'NewRootPass' -e "FLUSH PRIVILEGES"
mysql -uroot -p'NewRootPass' -e "DROP DATABASE test;"
EDIT: This one apparently causes bandwidth graphs in NNA to fail so don't run this:
Code:
chmod 0670 /var/www/html/nagiosna/application/config/config.local.php
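A read-only way to confirm that the account and database clean-up above took effect, as an added example that is not part of the original post or of Nagios's tooling. It filters `mysql -N -B` style rows for the findings raised in this thread; the function names, the `EMPTY`/`SET` column, the query in the comments and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Nagios code. Function names and sample rows are constructed.

# flag_accounts reads "User<TAB>Host<TAB>PwState" rows (PwState is EMPTY or SET)
# and prints one FINDING line per account matching the scan results in this thread.
flag_accounts() {
    awk -F'\t' '
        $1 == ""                    { print "FINDING anonymous user @" $2; next }
        $1 == "root" && $2 == "::1" { print "FINDING root@::1 (IPv6 loopback) still defined" }
        $3 == "EMPTY"               { print "FINDING " $1 "@" $2 " has no password" }
    '
}

# flag_databases reads database names, one per line.
flag_databases() {
    awk '$0 == "test" { print "FINDING test database still present" }'
}

# Constructed rows shaped like `mysql -N -B` output on an unhardened install.
sample_accounts() {
    printf 'root\tlocalhost\tEMPTY\n'
    printf 'root\t::1\tEMPTY\n'
    printf '\tlocalhost\tEMPTY\n'
    printf '\tnna01.example.test\tEMPTY\n'
    printf 'nagiosna\tlocalhost\tSET\n'
}
sample_databases() { printf 'information_schema\nmysql\nnagiosna\ntest\n'; }

# Live use (assumptions: root credentials sit in a mode 0600 ~/.my.cnf so the
# password stays off the command line, and this MariaDB release exposes a
# Password column in mysql.user):
#   mysql -N -B -e "SELECT User, Host, IF(Password='', 'EMPTY', 'SET') FROM mysql.user" | flag_accounts
#   mysql -N -B -e "SHOW DATABASES" | flag_databases

sample_accounts | flag_accounts
sample_databases | flag_databases
```

No output from either filter on a live host means the findings listed in the first post are closed for that instance.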
-
- Posts: 19
- Joined: Thu Aug 05, 2021 2:37 pm
Re: MariaDB vulnerabilities
Many thanks for the quick and comprehensive response, and apologies for posting it all in the XI forum.
We'll make these changes on our trial system in readiness for our production deployment.
Regards,
Neville
-
- Posts: 19
- Joined: Thu Aug 05, 2021 2:37 pm
Re: MariaDB vulnerabilities
Hi,
I'll post any follow-ups in the relevant forums. I've changed the file permissions on our test XI host as recommended, but we've noticed the permissions on some of them have reverted to their original settings:
Code:
$ ls -l /usr/local/nagiosxi/scripts/restore_xi.sh
-rwxr-xr-x 1 nagios nagios 15301 Nov 10 13:16 /usr/local/nagiosxi/scripts/restore_xi.sh
$ ls -l /usr/local/nagiosxi/var/xi-sys.cfg
-rw-r----- 1 nagios nagios 948 Nov 10 13:16 /usr/local/nagiosxi/var/xi-sys.cfg
$ ls -l /usr/local/nagios/etc/ndo.cfg
-rw-rw-r-- 1 apache nagios 693 Nov 10 13:17 /usr/local/nagios/etc/ndo.cfg
$ ls -l /usr/local/nagiosxi/html/config.inc.php
-rw-r--r-- 1 root nagios 9330 Nov 10 13:22 /usr/local/nagiosxi/html/config.inc.php
$ ls -l /usr/local/nagvis/etc/nagvis.ini.php
-rw-r----- 1 apache apache 24844 Nov 10 13:19 /usr/local/nagvis/etc/nagvis.ini.php
Is there a mechanism which is correcting these?
Regards,
Neville
-
- Posts: 5324
- Joined: Wed Aug 22, 2018 4:39 pm
- Location: saint paul
Re: MariaDB vulnerabilities
Hi Neville,
Glad that was helpful. And thank you for trying out Nagios XI.
Let us know if you have any other questions after testing these out.
---Benjamin
-
- Posts: 19
- Joined: Thu Aug 05, 2021 2:37 pm
Re: MariaDB vulnerabilities
Hi,
It appears our messages crossed in the ether! This is a polite bump to ensure my last comment was seen.
Regards,
Neville
-
- Dreams In Code
- Posts: 7682
- Joined: Wed Feb 11, 2015 12:54 pm
Re: MariaDB vulnerabilities
It's the apply configuration that is doing it; I'm investigating and will post an update shortly.
-
- Dreams In Code
- Posts: 7682
- Joined: Wed Feb 11, 2015 12:54 pm
Re: MariaDB vulnerabilities
When you apply configuration, the /usr/local/nagiosxi/scripts/reset_config_perms.sh script runs, which is changing the permissions on the files back.
The problem with that is that even if you change it in that file, when you upgrade it will be overwritten and you'll need to re-implement the script changes after every upgrade.
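One way to spot the reversion described above after each Apply Configuration or upgrade, as an added example that is not Nagios code: it reads `ls -l` lines and reports every file whose "other" permission bits are set. The function names are hypothetical; the sample input is the listing posted earlier in this thread.

```shell
#!/bin/sh
# Added example, not Nagios code; function names are hypothetical.

# flag_other_access reads `ls -l` / `ls -ld` lines on stdin and prints one
# DRIFT line for each entry whose "other" permission triplet is not "---".
flag_other_access() {
    awk '
        # $1 is the mode string, e.g. "-rw-r--r--". Only characters 8-10 are
        # read, so a trailing "." (SELinux) or "+" (ACL) does not matter.
        # Prompt lines such as "$ ls -l ..." are skipped by the length test.
        length($1) >= 10 && $1 ~ /^[-dlbcps]/ {
            other = substr($1, 8, 3)
            if (other != "---")
                printf "DRIFT %s other=%s owner=%s:%s\n", $NF, other, $3, $4
        }
    '
}

# check_files runs the same test against live paths (missing files are skipped).
check_files() {
    ls -ld "$@" 2>/dev/null | flag_other_access
}

# Sample input: the listing posted earlier in this thread.
thread_listing() {
    cat <<'EOF'
$ ls -l /usr/local/nagiosxi/scripts/restore_xi.sh
-rwxr-xr-x 1 nagios nagios 15301 Nov 10 13:16 /usr/local/nagiosxi/scripts/restore_xi.sh
$ ls -l /usr/local/nagiosxi/var/xi-sys.cfg
-rw-r----- 1 nagios nagios 948 Nov 10 13:16 /usr/local/nagiosxi/var/xi-sys.cfg
$ ls -l /usr/local/nagios/etc/ndo.cfg
-rw-rw-r-- 1 apache nagios 693 Nov 10 13:17 /usr/local/nagios/etc/ndo.cfg
$ ls -l /usr/local/nagiosxi/html/config.inc.php
-rw-r--r-- 1 root nagios 9330 Nov 10 13:22 /usr/local/nagiosxi/html/config.inc.php
$ ls -l /usr/local/nagvis/etc/nagvis.ini.php
-rw-r----- 1 apache apache 24844 Nov 10 13:19 /usr/local/nagvis/etc/nagvis.ini.php
EOF
}

thread_listing | flag_other_access
```

On a live host, pass the credential-bearing paths from this thread to `check_files`; any DRIFT line means the permissions need re-applying.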
-
- Posts: 19
- Joined: Thu Aug 05, 2021 2:37 pm
Re: MariaDB vulnerabilities
That's great, thank you for the explanation.
For now we'll update /usr/local/nagiosxi/scripts/reset_config_perms.sh and make a note this change will need applying following any upgrade.
Would you consider making this change a permanent feature of Nagios XI? It seems a sensible idea to protect the cleartext passwords from regular users.
Thanks again,
Neville
-
- Dreams In Code
- Posts: 7682
- Joined: Wed Feb 11, 2015 12:54 pm
Re: MariaDB vulnerabilities
I have submitted a feature request to development:
Code:
FR: XI - Harden reset_config_perms.sh to remove "other" permissions
Please keep in mind that the decision to implement the enhancement is at the discretion of our development team.