Showing posts with label linux. Show all posts

Monday, January 18, 2021

Nagios Core - Error: Could not stat() command file '/usr/local/nagios/var/rw/nagios.cmd'!

I was setting up a new Nagios Core installation and ran across the following error message:
Error: Could not stat() command file '/usr/local/nagios/var/rw/nagios.cmd'!

If you search for this error, you'll find a lot of posts saying to set SELinux to Permissive or Disabled. This (and many other SELinux issues) is easily solved while leaving SELinux Enforcing. First, verify that SELinux is the culprit: 
tail -f -n 0 /var/log/audit/audit.log

You could pipe this to "grep denied" if you wanted. Do whatever you did to get the error again, and you should see some new lines come in like this:

type=AVC msg=audit(1609875518.415:72426): avc:  denied  { getattr } for  pid=951704 comm="cmd.cgi" path="/usr/local/nagios/var/rw/nagios.cmd" dev="dm-0" ino=68793599 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=fifo_file permissive=0
What you need to do is use audit2allow to build a policy module that allows the denied action. Copy the single offending line from audit.log and run the following (single quotes keep the shell from stripping the double quotes inside the log line):
# echo '<replace-with-the-denied-error-message>' | audit2allow -M <some-name>
So mine looked like:
# echo 'type=AVC msg=audit(1609875518.415:72426): avc:  denied  { getattr } for  pid=951704 comm="cmd.cgi" path="/usr/local/nagios/var/rw/nagios.cmd" dev="dm-0" ino=68793599 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=fifo_file permissive=0' | audit2allow -M nagios_1
Then load the new policy:
# semodule -i nagios_1.pp
Wait a few seconds and the new policy will be in effect. Tail your audit.log and try the action again. Second time around I got a new error in the web-gui:
Error: Could not open command file '/usr/local/nagios/var/rw/nagios.cmd' for update! 
If you get another "avc denied" message, take that and pipe it to audit2allow and load the new policy. Rinse/repeat until you stop getting denied messages and the action you were trying works. For the Nagios Core command I needed to do this 3 times total, but the end result should be a working application with SELinux still enabled.
# echo '<2nd-denied-log>' | audit2allow -M nagios_2
# semodule -i nagios_2.pp
# echo '<3rd-denied-log>' | audit2allow -M nagios_3
# semodule -i nagios_3.pp
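
As an added example (not part of the original post), the Python below pulls the source type, target type, class and permissions out of AVC denial lines and merges them into the kind of allow rule audit2allow generates, so the whole set can be reviewed before loading. Note that the resulting rule is keyed on SELinux types, not on the nagios.cmd path. The first sample line is the denial quoted above; the second and third are constructed for illustration, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in the post; lines 2-3 are constructed samples,
# not taken from the author's logs.
SAMPLE_LOG = """\
type=AVC msg=audit(1609875518.415:72426): avc:  denied  { getattr } for  pid=951704 comm="cmd.cgi" path="/usr/local/nagios/var/rw/nagios.cmd" dev="dm-0" ino=68793599 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1609875600.100:72500): avc:  denied  { write open } for  pid=951800 comm="cmd.cgi" path="/usr/local/nagios/var/rw/nagios.cmd" dev="dm-0" ino=68793599 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=fifo_file permissive=0
type=SYSCALL msg=audit(1609875600.100:72500): arch=c000003e syscall=257 success=no
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, class, perms, path) per AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no denial
        path = re.search(r'\bpath="([^"]*)"', line)
        yield (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"],
               m["perms"].split(), path.group(1) if path else None)

def allow_rules(log_text):
    """Merge denials sharing source type, target type and class into one rule each."""
    merged = defaultdict(set)
    for src, tgt, cls, perms, _path in parse_denials(log_text):
        merged[(src, tgt, cls)].update(perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

The same rules appear in the .te file that audit2allow -M writes next to each .pp module, which is the file to read before running semodule -i.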

Monday, July 13, 2015

Remove Leading Zeros from IP Address

I was working on some automation where I'd need to translate an IP address that was always represented as 3 digits per octet - like 001.002.003.004 instead of 1.2.3.4.

Since I didn't want to reinvent the wheel I went to Google and to my surprise found no examples that worked well - some would only remove 1 leading zero.

So, after some testing and code borrowing, here are two solutions:

Using sed:
sed -r 's/^0*([0-9]+)\.0*([0-9]+)\.0*([0-9]+)\.0*([0-9]+)$/\1.\2.\3.\4/'

Using awk:
awk -F'[.]' '{w=$1+0; x=$2+0; y=$3+0; z=$4+0; print w"."x"."y"."z}'

POC:
$ echo 001.002.003.004 | sed -r 's/^0*([0-9]+)\.0*([0-9]+)\.0*([0-9]+)\.0*([0-9]+)$/\1.\2.\3.\4/'
1.2.3.4
$ echo 001.002.003.004 | awk -F'[.]' '{w=$1+0; x=$2+0; y=$3+0; z=$4+0; print w"."x"."y"."z}'
1.2.3.4
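
An added example, not from the original post: a stricter normalizer in Python for the same zero-padded format. Unlike the one-liners above, it rejects malformed input (wrong number of octets, non-digits, values over 255) instead of passing it through or coercing it to 0, and it always reads octets as decimal, which matters because some parsers (the C library's inet_aton, for example) read a leading zero as octal. The function name is this example's own.

```python
import re

_OCTET = re.compile(r"[0-9]{1,3}")

def normalize_padded_ipv4(text):
    """Convert '001.002.003.004' to '1.2.3.4', treating every octet as decimal.

    Raises ValueError on anything that is not four 1-3 digit octets in 0..255.
    """
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets, got {len(parts)}: {text!r}")
    octets = []
    for part in parts:
        if not _OCTET.fullmatch(part):
            raise ValueError(f"octet is not 1-3 ASCII digits: {part!r}")
        value = int(part, 10)  # explicit base 10: '010' is ten, never eight
        if value > 255:
            raise ValueError(f"octet out of range: {part!r}")
        octets.append(str(value))
    return ".".join(octets)

if __name__ == "__main__":
    import sys
    for line in sys.stdin:
        print(normalize_padded_ipv4(line))
```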

Friday, October 10, 2014

Use tcpdump to Filter and Merge Multiple pcap Files

The other day I had a couple dozen pcap files (each just under 1 GB in size) that I wanted to filter the traffic of one host out of. A couple different options come to mind - merge the pcap files together and then filter, or filter each pcap separately and then merge the results together. Both of these are pretty sloppy ways of doing this if you don't do it in one line:
# mergecap -w /dev/stdout file1.pcap file2.pcap file3.pcap | tcpdump -r - -w output.pcap host 192.168.1.10
mergecap reads the list of files at the end as input and writes them out to /dev/stdout, where tcpdump reads them in and writes the result to output.pcap after applying the filter (host 192.168.1.10).


Wednesday, October 1, 2014

Single Line Base64 Decoder

If you have a chunk of Base64 encoded data and want to decode it, the quickest method is usually to find some online decoder. If you're worried about the sensitivity of the data or don't have access to a web browser or even the Internet you'll want to decode it locally.

To do this you'll need Perl (it should be installed on most Linux distros). Given any file containing only Base64 encoded text, e.g.:
$ file base64_file
base64_file: ASCII text, with CRLF line terminators
$
The following command will decode the text:
(NOTE - the file must contain ONLY Base64 encoded text - any existing decoded data will break the process)
$ perl -MMIME::Base64 -e 'print decode_base64(join("",<>))' < base64_file >output
$ file output
output: HTML document, ASCII text, with CRLF line terminators
$
If done correctly the output file should contain the decoded data.

Wednesday, July 9, 2014

Single Line Web Server in Python

This is an old trick, but very useful for transferring files in a pinch - especially in cross-platform situations. Also great if you need a simple web server for testing.

The commands are simple.

For Python 2.x: python -m SimpleHTTPServer
[user@fedora folder1]$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
For Python 3.x: python3 -m http.server
[user@fedora folder1]$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 ...
Both of these default to port 8000, but you can add a port number to the end of the line to specify something else if you like. The current directory is used as the root folder. If an index.html or index.htm file is present it will be served initially, otherwise the server will provide a directory listing. Just point your browser to the system:
http://<your-ip-address>:8000
Make sure your firewall/iptables rules are properly adjusted to allow the inbound connection.

The terminal will show a running Apache-style access log of connections. Press CTRL + C to exit.
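
Because the one-liners listen on 0.0.0.0 and expose the whole current directory, listings included, here is an added example (not from the original post) that uses the same standard-library http.server module but binds to a single address, serves one named directory, and answers 403 where a directory listing would be generated. It needs Python 3.7 or later; the class and function names are this example's own.

```python
import functools
import http.server
import sys

class NoListingHandler(http.server.SimpleHTTPRequestHandler):
    """Serve files, but answer 403 wherever a directory listing would be built."""

    def list_directory(self, path):
        self.send_error(403, "Directory listing disabled")
        return None

def make_server(directory, bind="127.0.0.1", port=8000):
    """Build a server rooted at `directory` that listens only on `bind`."""
    handler = functools.partial(NoListingHandler, directory=str(directory))
    return http.server.ThreadingHTTPServer((bind, port), handler)

if __name__ == "__main__":
    # Usage: python3 serve_dir.py <directory> [bind-address] [port]
    root = sys.argv[1]
    bind = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 8000
    server = make_server(root, bind, port)
    host, actual_port = server.server_address[:2]
    print(f"Serving {root} on {host} port {actual_port} ...")
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        server.server_close()
```

To transfer a file to another machine, pass the address of the one interface the peer can reach as the bind address rather than 0.0.0.0.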

Performance is pretty good too:



Official documentation here:
https://docs.python.org/2/library/simplehttpserver.html
https://docs.python.org/3/library/http.server.html