
I have a problem with Nagios and NRPE and I can't resolve it.

Here is what I've already tried.

```
# grep "nrpe_user=" /etc/nagios/nrpe.cfg
nrpe_user=nrpe
```

NRPE is running as the user nrpe. So I added these lines to visudo:

```
Defaults:nrpe !requiretty
nrpe ALL=(ALL) NOPASSWD: /usr/lib64/nagios/plugins/check_jboss_files
```

I edited my Nagios nrpe.cfg:

```
command[check_jboss_files]=sudo /usr/lib64/nagios/plugins/check_jboss_files
```

But if I try to run the command from the Nagios server I get the following:

```
# /usr/lib64/nagios/plugins/check_nrpe -H 1.2.3.4 -c check_jboss_files
NRPE: Unable to read output
```

The script was running as expected when launched locally, even when running as user nrpe:

```
# sudo sudo -s -u nrpe
bash-4.2$ sudo /usr/lib64/nagios/plugins/check_jboss_files
JBOSS Files: 2049
WARNING - JBOSS Files: 2049
```

Without sudo the script works from the Nagios server, but it must run with sudo to give good results. What did I miss? I've probably tried everything and I will be grateful for any help.

Typerek
  • does NRPE log anything useful to syslog? – Keith Sep 17 '17 at 13:54
  • Nothing special @Keith :( `Sep 19 20:18:08 idontknow nrpe[10286]: Host is asking for command 'check_jboss_files' to be run...` `Sep 19 20:18:08 idontknow nrpe[10286]: Running command: sudo usr/lib64/nagios/plugins/check_jboss_files` `Sep 19 20:18:08 idontknow nrpe[10286]: Command completed with return code 3 and output:` `Sep 19 20:18:08 idontknow nrpe[10286]: Return Code: 3, Output: NRPE: Unable to read output` `Sep 19 20:18:08 idontknow nrpe[10286]: Connection from closed.` – Typerek Sep 19 '17 at 18:20

1 Answer

I faced a very similar situation recently, and the solution was to configure SELinux to allow sudo access.

Follow this article and you'll find out what to do.

For me this worked on CentOS 7.4:

  1. `yum install -y setroubleshoot-server`
  2. Search for the violation in the audit log
  3. Use `audit2why`
  4. Follow its suggestion

My violation:

```
$ grep -m 1 type=AVC.*sudo /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1525359549.889:211763): avc:  denied  { getattr } for  pid=127488 comm="check_d" path="/usr/bin/sudo" dev="dm-0" ino=67120340 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
Was caused by:
The boolean nagios_run_sudo was set incorrectly.
Description:
Allow nagios to run sudo

Allow access by executing:
# setsebool -P nagios_run_sudo 1
```

Running the suggested command solved my problem.
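
A way to triage step 2 of the procedure above before handing lines to audit2why, as an added example that is not part of the original answer: a POSIX shell function that groups AVC denials for one source domain by target type, class and permission. The function names are hypothetical, and every sample log line except the first (the denial quoted in the answer) is constructed for illustration.

```sh
#!/bin/sh
# Added example: group SELinux AVC denials for one source domain.

# Constructed sample log. Line 1 is the denial quoted in the answer;
# the remaining lines are made up for illustration.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1525359549.889:211763): avc:  denied  { getattr } for  pid=127488 comm="check_d" path="/usr/bin/sudo" dev="dm-0" ino=67120340 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1525359609.101:211801): avc:  denied  { getattr } for  pid=127510 comm="check_d" path="/usr/bin/sudo" dev="dm-0" ino=67120340 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1525359609.102:211802): avc:  denied  { execute } for  pid=127510 comm="check_d" name="sudo" dev="dm-0" ino=67120340 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1525359611.120:211810): avc:  denied  { read } for  pid=1301 comm="httpd" name="index.html" dev="dm-0" ino=991 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1525359549.889:211763): arch=c000003e syscall=4 success=no exit=-13 comm="check_d" exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0
EOF
}

# Usage: summarise_denials DOMAIN < audit.log
# Prints "count target_type class permissions" for each distinct denial
# whose source context (scontext) has the given type, e.g. nrpe_t.
summarise_denials() {
  awk -v dom="$1" '
    # Only AVC records that report a denial are of interest.
    $1 != "type=AVC" || !/ denied / { next }
    {
      perms = ""; src = ""; tgt = ""; cls = ""
      # The denied permissions sit between "{ " and " }".
      if (match($0, /[{] [^}]* [}]/)) perms = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        # A context is user:role:type:level, so the type is field 3.
        if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); src = c[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
        else if ($i ~ /^tclass=/) cls = substr($i, 8)
      }
      if (src == dom) seen[tgt " " cls " " perms]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort
}

# Demo on the constructed sample.
sample_audit_log | summarise_denials nrpe_t
```

On a live host, pipe `/var/log/audit/audit.log` into `summarise_denials nrpe_t`, and check the current state with `getsebool nagios_run_sudo` before changing the boolean.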