Solved

Map-Option in Pass-Manager with SNMP-Plugin

  • 17 November 2023
  • 1 reply
  • 121 views

Hello,

I am trying to use the pass-manager to inject the credentials of the tape-library from Hashicorp Vault. The credentials will be pulled, but not mapped to snmp-options (like “--snmp-username”; “--privpassphrase”; “--authpassphrase”).

I have also checked the topic Using --pass-manager options and the provider hashicorp vault | Community (centreon.com)

Error Message: 

UNKNOWN: Missing parameter Security Name.

Command to run:

[07:52:23 centreon@vault-username ~]
$ /usr/lib64/nagios/plugins/contrib/centreon-plugins/src/centreon_plugins.pl \
--plugin=apps::protocols::snmp::plugin --hostname=tapelib --authprotocol=SHA \
--privprotocol AES --mode=string-value --oid='.1.3.6.1.4.1.20884.2.4.1.6.3' \
--snmp-version=3 --critical-regexp="FAILED" --pass-manager hashicorpvault \
--vault-address=172.28.13.55 --vault-port=443 --vault-protocol=https \
--auth-method=userpass --auth-settings='username=vault-username' \
--auth-settings='password=Js#GrU$5y4Vt' \
--secret-path="inf-icinga/data/library" \
--map-option="authpassphrase=%{value_inf-icinga/data/library}" \
--map-option="privpassphrase=%{value_inf-icinga/data/library}" \
--map-option="snmp-username=%{key_inf-icinga/data/library}"
UNKNOWN: Missing parameter Security Name.
[07:52:24 centreon@vault-username ~]
$

  

Debug Output:

[07:52:23 centreon@vault-username ~]
$ /usr/lib64/nagios/plugins/contrib/centreon-plugins/src/centreon_plugins.pl \
--plugin=apps::protocols::snmp::plugin --hostname=tapelib --authprotocol=SHA \
--privprotocol AES --mode=string-value --oid='.1.3.6.1.4.1.20884.2.4.1.6.3' \
--snmp-version=3 --critical-regexp="FAILED" --pass-manager hashicorpvault \
--vault-address=172.28.13.55 --vault-port=443 --vault-protocol=https \
--auth-method=userpass --auth-settings='username=vault-username' \
--auth-settings='password=Js#GrU$5y4Vt' \
--secret-path="inf-icinga/data/library" \
--map-option="authpassphrase=%{value_inf-icinga/data/library}" \
--map-option="privpassphrase=%{value_inf-icinga/data/library}" \
--map-option="snmp-username=%{key_inf-icinga/data/library}" --debug
UNKNOWN: Missing parameter Security Name.
== Info: About to connect() to 172.28.13.55 port 443 (#0)
== Info: Trying 172.28.13.55...
== Info: Connected to 172.28.13.55 (172.28.13.55) port 443 (#0)
== Info: Initializing NSS with certpath: sql:/etc/pki/nssdb
== Info: CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
== Info: SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
== Info: Server certificate:
== Info: subject:
== Info: start date: Mar 29 10:33:20 2023 GMT
== Info: expire date: Mar 27 10:33:20 2028 GMT
== Info: common name: 172.28.13.55
== Info: issuer:
=> Send header: POST /v1/auth/userpass/login/vault-username HTTP/1.1
Host: 172.28.13.55
Accept: */*
Content-type: application/json
Content-Length: 53

=> Send data: {"password":"Js#GrU$5y4Vt","username":"vault-username"}
== Info: upload completely sent off: 53 out of 53 bytes
=> Recv header: HTTP/1.1 200 OK
=> Recv header: Date: Fri, 17 Nov 2023 06:52:24 GMT
=> Recv header: Server: Apache
=> Recv header: X-Content-Type-Options: nosniff
=> Recv header: X-XSS-Protection: 1; mode=block;
=> Recv header: X-Frame-Options: SAMEORIGIN
=> Recv header: Strict-Transport-Security: max-age=31536000;
=> Recv header: Cache-Control: no-store
=> Recv header: Content-Type: application/json
=> Recv header: Strict-Transport-Security: max-age=31536000; includeSubDomains
=> Recv header: Content-Length: 707
=> Recv header: Via: 1.1 172.28.13.55
=> Recv header: Vary: Accept-Encoding
=> Recv header: Via: 1.1 172.28.13.55
=> Recv header:
=> Recv data: {"request_id":"654d5520-b458-0226-b2cc-8a428a8abb42","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":["Endpoint replaced the value of these parameters with the values captured from the endpoint's path: [username]"],"auth":{"client_token":"hvs.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","accessor":"Lu1n9dEz9FgQhAgsjStXfVL8","policies":["default","inf-icinga.ro"],"token_policies":["default","inf-icinga.ro"],"metadata":{"username":"vault-username"},"lease_duration":604800,"renewable":true,"entity_id":"cc0f1543-6838-46d1-c97e-d61a5899fc9b","token_type":"service","orphan":true,"mfa_requirement":null,"num_uses":0}}
== Info: Connection #0 to host 172.28.13.55 left intact
== Info: Found bundle for host 172.28.13.55: 0x307ed50
== Info: Re-using existing connection! (#0) with host 172.28.13.55
== Info: Connected to 172.28.13.55 (172.28.13.55) port 443 (#0)
=> Send header: GET /v1/inf-icinga/data/library HTTP/1.1
Host: 172.28.13.55
X-Vault-Token:hvs.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Accept:application/json

=> Recv header: HTTP/1.1 200 OK
=> Recv header: Date: Fri, 17 Nov 2023 06:52:24 GMT
=> Recv header: Server: Apache
=> Recv header: X-Content-Type-Options: nosniff
=> Recv header: X-XSS-Protection: 1; mode=block;
=> Recv header: X-Frame-Options: SAMEORIGIN
=> Recv header: Strict-Transport-Security: max-age=31536000;
=> Recv header: Cache-Control: no-store
=> Recv header: Content-Type: application/json
=> Recv header: Strict-Transport-Security: max-age=31536000; includeSubDomains
=> Recv header: Content-Length: 326
=> Recv header: Via: 1.1 172.28.13.55
=> Recv header: Vary: Accept-Encoding
=> Recv header: Via: 1.1 172.28.13.55
=> Recv header:
=> Recv data: {"request_id":"e53cc865-c9cf-6ae6-a3f1-16d6abf7d031","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"monitor":"tSLp7UpX#e#u"},"metadata":{"created_time":"2023-11-17T06:52:00.730837154Z","custom_metadata":null,"deletion_time":"","destroyed":false,"version":2}},"wrap_info":null,"warnings":null,"auth":null}
== Info: Connection #0 to host 172.28.13.55 left intact
{"request_id":"e53cc865-c9cf-6ae6-a3f1-16d6abf7d031","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"monitor":"tSLp7UpX#e#u"},"metadata":{"created_time":"2023-11-17T06:52:00.730837154Z","custom_metadata":null,"deletion_time":"","destroyed":false,"version":2}},"wrap_info":null,"warnings":null,"auth":null}
$VAR1 = [
'{"request_id":"e53cc865-c9cf-6ae6-a3f1-16d6abf7d031","lease_id":"","renewable":false,"lease_duration":0,"data":{"data":{"monitor":"tSLp7UpX#e#u"},"metadata":{"created_time":"2023-11-17T06:52:00.730837154Z","custom_metadata":null,"deletion_time":"","destroyed":false,"version":2}},"wrap_info":null,"warnings":null,"auth":null}
'
];
[07:52:24 centreon@vault-username ~]
$

I hope someone can help me…

regards,


Best answer by lugg1 21 November 2023, 08:40


1 reply

Solved: As the value in the map-option parameter, the variable of the plugin (GitHub source snmpv3) has to be used.

 

--map-option="snmp_auth_passphrase=%{value_inf-icinga/data/library}" \
--map-option="snmp_priv_passphrase=%{value_inf-icinga/data/library}" \
--map-option="snmp_security_name=%{key_inf-icinga/data/library}"

 

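The fix from the answer above, turned into a pre-flight check for `--map-option` lines. This is an added example, not Centreon's code and not part of the original posts: it assumes a one-field KV v2 secret like the one in the debug output, uses a constructed placeholder passphrase, and takes the pairing of CLI options to plugin variables from the question's and the answer's command lines in this thread. `build_lookup` and `check_map_options` are hypothetical helper names.

```python
import json
import re

# Constructed reply shaped like the KV v2 response in the debug output above;
# the passphrase is a placeholder, not the value from the post.
VAULT_REPLY = ('{"data":{"data":{"monitor":"EXAMPLE-PASSPHRASE"},'
               '"metadata":{"version":2}}}')
SECRET_PATH = "inf-icinga/data/library"

# CLI option -> plugin variable, as paired by the question's and the answer's
# --map-option lines in this thread.
CLI_TO_VARIABLE = {
    "snmp-username": "snmp_security_name",
    "authpassphrase": "snmp_auth_passphrase",
    "privpassphrase": "snmp_priv_passphrase",
}

def build_lookup(path, reply_json):
    """Model of the %{key_<path>} / %{value_<path>} macros for a one-field secret."""
    fields = json.loads(reply_json)["data"]["data"]
    if len(fields) != 1:
        raise ValueError("this model only covers secrets with exactly one field")
    (key, value), = fields.items()
    return {"key_" + path: key, "value_" + path: value}

def check_map_options(map_options, lookup):
    """Return (resolved variables, problems) for a list of 'target=template' strings."""
    resolved, problems = {}, []
    for item in map_options:
        target, sep, template = item.partition("=")
        if not sep:
            problems.append(f"{item!r}: expected target=template")
            continue
        if target in CLI_TO_VARIABLE:
            problems.append(f"{target!r} is a CLI option name; use {CLI_TO_VARIABLE[target]!r}")
            continue
        if target not in CLI_TO_VARIABLE.values():
            problems.append(f"{target!r} is not a variable known to this check")
            continue
        unknown = [m for m in re.findall(r"%\{(.+?)\}", template) if m not in lookup]
        if unknown:
            problems.append(f"{target!r}: undefined macro(s) {unknown}")
            continue
        resolved[target] = re.sub(r"%\{(.+?)\}", lambda m: lookup[m.group(1)], template)
    return resolved, problems
```

Run against the question's three `--map-option` values, the check reports each CLI option name together with the variable to use instead; run against the answer's three, it resolves `snmp_security_name` to the secret's field name and both passphrases to its value.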