This is a little perl script to make sure a remote nagios account only runs the checks it is configured to, and in case it somehow gets owned does (hopefully) not do any damage.
Script: forcecommand, Example config:
forcecommand.cfg. I recommend the following line
for .ssh/authorized_keys:
command="/usr/local/lib/nagios/forcecommand",no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding
$key
In my icinga, I configured it the following way: In /etc/nagios-plugins/config/ssh.cfg, I added:
define command {
command_name check_by_ssh_fc
command_line /usr/lib/nagios/plugins/check_by_ssh -H '$HOSTADDRESS$' -t 50 '$ARG1$'
}
And then use "check_command check_by_ssh_fc!check_apt_updates" etc.