~derf / interblag / entry / Running remote nagios checks with an SSH forcecommand
dark mode

This is a little perl script to make sure a remote nagios account only runs the checks it is configured to, and in case it somehow gets owned does (hopefully) not do any damage.

Script: forcecommand, Example config: forcecommand.cfg. I recommend the following line for .ssh/authorized_keys: command="/usr/local/lib/nagios/forcecommand",no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding $key

In my icinga, I configured it the following way: In /etc/nagios-plugins/config/ssh.cfg, I added:

define command {
    command_name check_by_ssh_fc
    command_line /usr/lib/nagios/plugins/check_by_ssh -H '$HOSTADDRESS$' -t 50 '$ARG1$'
}

And then use "check_command check_by_ssh_fc!check_apt_updates" etc.