Improvement: restrict one command to one host (or subnet)
AlbanVidal opened this issue · 2 comments
AlbanVidal commented
Dear developers,
Would it be possible to add a host restriction for a specific command?
For example, if I have multiple supervision servers, I want to restrict some commands to just one server (or subnet).
Example file.cfg:
# Define all network allowed to talk with us
allowed_hosts="192.168.0.0/24,192.168.1.0/24"
# Generic command
command[check_standard]=/usr/local/bin/check_standard
# Restricted command
allowed_hosts="192.168.0.0/24" command[check_restricted]=/usr/local/bin/check_restricted
Thanks and best regards,
Alban
AlbanVidal commented
Or another implementation:
[...]
# Define global hosts or networks allowed to talk with us
allowed_hosts=192.168.0.0/24,192.168.1.0/24
# Authorizations for specific commands
allowed_hosts=[check_restricted_one,check_restricted_two]=192.168.2.0/24,192.168.3.1
# Define commands
command[check_standard]=/usr/local/bin/check_standard
command[check_restricted_one]=/usr/local/bin/check_restricted_one
command[check_restricted_two]=/usr/local/bin/check_restricted_two
[...]
ericloyd commented
I agree that a "hosts allow/deny" type thing should be added to NRPE as a general configuration option. Not really sure how it should be done, but I like the stanza approach with a per-service allow and deny:
command[check_standard]=/usr/local/bin/check_standard,allow=192.168.0.0/24,deny=192.168.0.123
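The second proposal in this thread (a global allowed_hosts line plus a per-command allowed_hosts=[...] line), evaluated as an added Python example; it is not NRPE code and not part of the thread. It assumes a per-command list replaces the global list for the commands it names, and parse_acl and is_allowed are hypothetical names.

```python
import ipaddress
import re

# Constructed sample in the syntax proposed in the second comment.
SAMPLE_CFG = """\
allowed_hosts=192.168.0.0/24,192.168.1.0/24
allowed_hosts=[check_restricted_one,check_restricted_two]=192.168.2.0/24,192.168.3.1
command[check_standard]=/usr/local/bin/check_standard
command[check_restricted_one]=/usr/local/bin/check_restricted_one
command[check_restricted_two]=/usr/local/bin/check_restricted_two
"""

def _networks(csv):
    # A bare address such as 192.168.3.1 becomes a /32; a malformed entry raises ValueError.
    return [ipaddress.ip_network(h.strip(), strict=False) for h in csv.split(",") if h.strip()]

def parse_acl(text):
    """Return (global_nets, per_command_nets, commands) from the proposed syntax."""
    global_nets, per_cmd, commands = [], {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"allowed_hosts=\[([^\]]+)\]=(.+)", line)
        if m:  # per-command restriction, may name several commands
            for name in m.group(1).split(","):
                per_cmd.setdefault(name.strip(), []).extend(_networks(m.group(2)))
            continue
        m = re.fullmatch(r"allowed_hosts=(.+)", line)
        if m:  # global list, optionally quoted as in the first comment
            global_nets.extend(_networks(m.group(1).strip('"')))
            continue
        m = re.fullmatch(r"command\[([^\]]+)\]=(.+)", line)
        if m:
            commands[m.group(1)] = m.group(2)
    return global_nets, per_cmd, commands

def is_allowed(acl, command, source_ip):
    global_nets, per_cmd, commands = acl
    if command not in commands:
        return False  # unknown command: deny
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # unparsable peer address: deny
    # Assumption: a per-command list replaces the global list for that command.
    nets = per_cmd.get(command, global_nets)
    return any(addr in net for net in nets)
```

Under this assumption a host in the global list cannot run a restricted command unless it is also in that command's list, and any command or address that fails to parse is denied.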