Want to post a interesting Nagios script today (before my familiy is up… = computer off).
Here it is……

The script automatically installs:

- All necessary dependencies (Debian packages)
- Apache
- mySQL
- Webmin
- Nagios
- Nagios-Plugins
- NRPE
- NSCA
- NDO
- RRD
- PNP
- NagVis
- etc etc.

The script is very basic and has no error handling and user input/control mechanism. As long you have a stable internet connection it will do it’s job.

Download the script here: nagios_install_3.1.2 and copy it anywhere on your Debian machine except /usr/src

Requirements:

A Debian 5 (Lenny) Netinstall with SSH and internet connection.
Download the Debian ISO file here: Debian5-Netinst

Please give us feedback if the script does it’s job!

I will start my family sunday now (the fresh bread in the bread machine smells nice !) and hope
you all have a great sunday to!

Cheers
Daniel

These IDs are super important, say for instance the famous 4740. This event ID should always be tracked. Why? It means someone’s ID is locked out and it could be an impersonator. It is important to get this and many many more IDs in Windows security auditing enabled in your corp net. If you have one server, eh, fine.. if you have 100 now the question is, how can we automate, pickup and evaluate “right” problems/threats.

I would recommend Nagios. With this puppy, you can simply put out all events, do filter, say for instance, get all 4740 with the username “Bob Hope”. Bob, is your CEO and if his account is locked out, we better sort it out.

So, with free form queries, a little guide from Microsoft (see link below) and some consulting from us (fat grin), you can achieve a powerful, centralized, “intelligent” security event log correlator solution for nuts (no license cost). Really, Nagios is free.

In my next post, i will show a litle how i query a Windows 2008 server to filter out Bob Hope’s event 4740 and give me a “state” CRITICAL, send an email out or an SMS immediately.

Nagios and this tiny events plug-in and 8MB agent on your 2008 server/workstation, we can:

• Selection criteria can be defined to filter from most eventlog fields
• Criteria can be defined using a FIELD:VALUE pairs
• AND/OR operations can be employed to create complex filtering rules
• Choose to INCLUDE or EXCLUDE eventlog records
• Define the time period for which events you are after
• Either trigger on most CRITICAL alert in defined time period or trigger on LASTEST event status (useful for checking of backups)

Which brings you and i to a tool, a powerful monitoring tool, to a powerful security collaborative tool.

Also, if you wish to know more about the events in Windows 2008 and Vista, check out this guide from MS Support:

He’s a person using HP Openview OVO for over 10 years and i think i personally would value such an opinion .

Here’s the snippet.

How true. Smile.

Now, get Nagios to do what all ever HP OVO can for no license cost at all. Nagios can do much more in contrary to old believes

Here’s a quick guide on how to enable read only user access for your nagios web interface.

1. Nagios 3 (may work for 2, please try, if it works, pls post a comment)
2. Apache2
3. Debian 3
4. Authentication on Nagios is enabled

You would need first to get hold of your htpasswd file for Nagios access. Normally found in /usr/local/nagios/etc. You then need to generate or use this page http://www.htaccesstools.com/htpasswd-generator/ to generate a readonly user, for this guide, we will use the username rouser and password rouser. The website generate the following line which i will insert into a new line in the htpasswd file;

rouser:$apr1$IHDhm/..$00whe0rH/Fn.c3YisUNV0/

Now, you can test access with that user already on your Nagios web screen. You will notice, it doesn’t have any access to anywhere except for the static images/html in there.

Now, simply edit your nagios cgi file normally found in /usr/local/nagios/etc. Look for the directive

authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin

And add next to it using a comma, the user which you just created like below:

authorized_for_all_services=nagiosadmin,rouser
authorized_for_all_hosts=nagiosadmin,rouser

Now, sign in again (shutdown your browser) with user rouser and password rouser. You now can see everything but cannot access commands therfore making it read-only.

Now, if you want to make access specific for certain hosts only, then you need to match the user you create with the contacts definition files. So, user rouser can be rouser-switches for instance and now he/she see read only for switches.

Try it out and let us know the outcome.