Adagios is a modern web-based configuration interface for Nagios that provides a more user-friendly alternative to editing configuration files directly. As a tool that can modify Nagios configuration and execute commands, Adagios requires careful security configuration. This guide covers security measures for production Adagios deployments.
Adagios architecture includes these security-sensitive components:
Key security concerns include web application security, Nagios configuration protection, command execution security, and preventing unauthorized monitoring changes.
Configure firewall rules for Adagios:
```bash
# Adagios Web Interface (Apache/Nginx)
ufw allow from 10.0.0.0/8 to any port 80 proto tcp
ufw allow from 10.0.0.0/8 to any port 443 proto tcp

# Nagios command pipe (local only)
# No network access needed - local socket only

# Block external access
ufw deny from any to any port 8000 proto tcp  # Default Adagios port
```
Configure web server binding:
```apache
# /etc/apache2/sites-available/adagios.conf
<VirtualHost 10.0.1.100:443>
    ServerName adagios.company.com
    DocumentRoot /usr/share/adagios

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/adagios.crt
    SSLCertificateKeyFile /etc/ssl/private/adagios.key

    WSGIScriptAlias / /usr/share/adagios/adagios.wsgi

    <Directory /usr/share/adagios>
        Require ip 10.0.0.0/8 192.168.0.0/16
        Options None
        AllowOverride None
    </Directory>
</VirtualHost>
```
Configure Adagios settings:
```ini
# /etc/adagios/adagios.conf
[nagios]
nagios_config = /etc/nagios3/nagios.cfg
nagios_command_file = /var/cache/nagios3/rw/nagios.cmd
nagios_status_file = /var/cache/nagios3/status.dat

[security]
allowed_hosts = 10.0.0.0/8, 192.168.0.0/16
```
Configure HTTP authentication:
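```apache
# /etc/apache2/sites-available/adagios.conf
<Directory /usr/share/adagios>
    AuthType Basic
    AuthName "Adagios Access"
    AuthUserFile /etc/adagios/htpasswd
    # Bare Require lines are OR-ed (implicit RequireAny);
    # RequireAll enforces both a valid user and an internal source address
    <RequireAll>
        Require valid-user
        Require ip 10.0.0.0/8
    </RequireAll>
</Directory>
```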
Manage users:
```bash
# Create admin user
htpasswd -c /etc/adagios/htpasswd admin

# Add additional users
htpasswd /etc/adagios/htpasswd username
```
Configure Adagios user management:
```ini
# /etc/adagios/adagios.conf
[authentication]
# Use Django authentication
auth_backend = django

# Or use PAM
# auth_backend = pam

# Session settings
session_timeout = 3600
session_secure = true
```
Configure Adagios permissions:
```ini
# /etc/adagios/adagios.conf
[permissions]
# Default role for authenticated users
default_role = viewer

# Role definitions
# viewer: Read-only access
# operator: Can acknowledge alerts and schedule downtime
# admin: Full configuration access

# Group mappings
[groups]
admins = admin,ops-lead
operators = operator1,operator2
viewers = viewer1,viewer2
```
Sync with Nagios contacts:
```cfg
# Adagios reads Nagios contact definitions
# Configure in Nagios configuration:
# /etc/nagios3/conf.d/contacts.cfg
define contact {
    contact_name                    adagios-admin
    alias                           Adagios Administrator
    service_notification_period     24x7
    host_notification_period        24x7
    service_notification_options    w,u,c,r
    host_notification_options       d,u,r
    service_notification_commands   notify-service-by-email
    host_notification_commands      notify-host-by-email
    email                           admin@company.com
}
```
Configure external authentication:
LDAP:
```ini
# /etc/adagios/adagios.conf
[ldap]
enabled = true
server = ldap.company.com
port = 636
use_ssl = true
bind_dn = cn=adagios,ou=services,dc=company,dc=com
bind_password = ${LDAP_PASSWORD}
user_base = ou=users,dc=company,dc=com
user_filter = (objectClass=inetOrgPerson)
user_attr = uid
```
Configure HTTPS for Adagios:
```apache
# /etc/apache2/sites-available/adagios-ssl.conf
<VirtualHost *:443>
    ServerName adagios.company.com
    DocumentRoot /usr/share/adagios

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/adagios.crt
    SSLCertificateKeyFile /etc/ssl/private/adagios.key
    SSLCertificateChainFile /etc/ssl/certs/ca-bundle.crt

    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder on

    # Security headers
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src * data:; font-src 'self' data:; connect-src 'self'"

    WSGIScriptAlias / /usr/share/adagios/adagios.wsgi

    <Directory /usr/share/adagios>
        Options None
        AllowOverride None
        # Keep the same source restriction as the binding example;
        # "Require all granted" would admit any client that can reach this vhost
        Require ip 10.0.0.0/8 192.168.0.0/16
    </Directory>
</VirtualHost>
```
Secure Adagios API:
```ini
# /etc/adagios/adagios.conf
[api]
enabled = true
require_https = true
allowed_hosts = 10.0.0.0/8
```
Secure Adagios web application:
```ini
# /etc/adagios/adagios.conf
[security]
# CSRF protection
csrf_enabled = true

# Session security
session_secure = true
session_httponly = true

# Input validation (built-in)

# Rate limiting
rate_limit = 100 # requests per minute
```
Configure Django security:
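```python
# /usr/share/adagios/adagios/settings.py
import os

# Read the key from the environment; a quoted '${DJANGO_SECRET_KEY}'
# is not expanded by Python and would be used as a literal string
SECRET_KEY = os.environ['DJANGO_SECRET_KEY']
DEBUG = False
ALLOWED_HOSTS = ['adagios.company.com', '10.0.1.100']

SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_HTTPONLY = True
```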
Protect Nagios configuration files:
```bash
# Set restrictive permissions
chown -R nagios:nagios /etc/nagios3/
chmod -R 750 /etc/nagios3/

# Allow Adagios to modify configuration
# Add adagios user to nagios group
usermod -a -G nagios www-data

# Protect sensitive configuration files
chmod 640 /etc/nagios3/conf.d/contacts.cfg
chmod 640 /etc/nagios3/conf.d/commands.cfg
```
Restrict Nagios command execution:
```cfg
# /etc/nagios3/nagios.cfg
# Enable external commands (required for Adagios)
check_external_commands=1
command_check_interval=15s
command_file=/var/cache/nagios3/rw/nagios.cmd

# Secure command file
# chown nagios:www-data /var/cache/nagios3/rw/nagios.cmd
# chmod 660 /var/cache/nagios3/rw/nagios.cmd
```
Secure Adagios API access:
| Endpoint | Risk Level | Access Control |
|---|---|---|
| GET /api/status | Low | Authenticated users |
| GET /api/hosts | Low | Authenticated users |
| POST /api/hosts | High | Admin only |
| PUT /api/hosts/{id} | High | Admin only |
| DELETE /api/hosts/{id} | Critical | Admin only |
| POST /api/commands | Critical | Admin only |
Protect Adagios configuration:
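```bash
# Set restrictive permissions
chown root:www-data /etc/adagios/adagios.conf
chmod 640 /etc/adagios/adagios.conf

# Encrypt sensitive configuration
# (gpg -c writes an encrypted copy, adagios.conf.gpg, and leaves the plaintext file in place)
gpg -c /etc/adagios/adagios.conf
```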
Secure sensitive credentials:
```ini
# /etc/adagios/adagios.conf
[ldap]
# Use environment variable
bind_password = ${LDAP_PASSWORD}

# Or use external secrets file
# include = /etc/adagios/secrets.conf
```
Protect secrets file:
```bash
# Set restrictive permissions
chown root:www-data /etc/adagios/secrets.conf
chmod 640 /etc/adagios/secrets.conf
```
Secure Adagios object cache:
```bash
# Set restrictive permissions
chown -R www-data:www-data /var/cache/adagios
chmod -R 750 /var/cache/adagios
```
Secure Adagios logs:
```bash
# Set restrictive permissions
chown www-data:adm /var/log/adagios
chmod 750 /var/log/adagios

# Configure log rotation
cat > /etc/logrotate.d/adagios << EOF
/var/log/adagios/*.log {
    weekly
    rotate 4
    compress
    delaycompress
    missingok
    notifempty
    create 640 www-data adm
}
EOF
```
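
The owner, group and mode settings applied in the sections above (Nagios configuration, command file, Adagios configuration, secrets file, object cache and log directory) can be checked for drift with a small audit script. This is an added example, not part of Adagios or of the original guide; it assumes GNU `stat`, and the function names and the `--run` flag are hypothetical.

```shell
#!/bin/sh
# Added example (not Adagios code): audit owner, group and mode of the paths
# hardened in this guide. Assumes GNU stat, as on Debian/Ubuntu.

# Baseline copied from the guide's chown/chmod commands: path owner group mode
GUIDE_BASELINE="/etc/nagios3/conf.d/contacts.cfg nagios nagios 640
/etc/nagios3/conf.d/commands.cfg nagios nagios 640
/var/cache/nagios3/rw/nagios.cmd nagios www-data 660
/etc/adagios/adagios.conf root www-data 640
/etc/adagios/secrets.conf root www-data 640
/var/cache/adagios www-data www-data 750
/var/log/adagios www-data adm 750"

# audit_path PATH OWNER GROUP MAXMODE: print findings, return 1 on any problem.
audit_path() {
    local path="$1" owner="$2" group="$3" max="$4" rc=0
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    set -- $(stat -c '%U %G %a' "$path")   # now $1=owner $2=group $3=mode
    if [ "$1" != "$owner" ] || [ "$2" != "$group" ]; then
        echo "OWNER $path is $1:$2, expected $owner:$group"
        rc=1
    fi
    # Any permission bit beyond the baseline is a finding; stricter modes pass.
    if [ $(( 0$3 & ~0$max )) -ne 0 ]; then
        echo "MODE $path is $3, must not exceed $max"
        rc=1
    fi
    return $rc
}

# audit_baseline LINES: check every "path owner group mode" line.
audit_baseline() {
    local path owner group mode failed=0
    while read -r path owner group mode; do
        [ -n "$path" ] || continue
        audit_path "$path" "$owner" "$group" "$mode" || failed=1
    done <<EOF
$1
EOF
    return $failed
}

# Nagios-plugin style exit codes when invoked with --run (hypothetical flag)
if [ "${1:-}" = "--run" ]; then
    audit_baseline "$GUIDE_BASELINE" && { echo "OK: permissions match"; exit 0; }
    exit 2
fi
```

Run as root so every path can be read; a mode stricter than the baseline passes, while any extra permission bit is reported.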
Enable logging:
```ini
# /etc/adagios/adagios.conf
[logging]
level = INFO
file = /var/log/adagios/adagios.log

# Log all configuration changes
log_config_changes = true

# Log all command executions
log_commands = true
```
Configure web server access logging:
```apache
# /etc/apache2/sites-available/adagios.conf
CustomLog /var/log/apache2/adagios_access.log combined
ErrorLog /var/log/apache2/adagios_error.log
```
Monitor Adagios for security events:
```bash
#!/bin/bash
# /usr/local/bin/check-adagios-security.sh
# Note: grep -c prints 0 itself when nothing matches, so no "|| echo 0" is used
# (that would yield "0" twice and break the numeric test). The ${VAR:-0}
# default only applies when the log file cannot be read.

# Check for failed login attempts
FAILED_LOGINS=$(grep -c "Authentication failed" /var/log/adagios/adagios.log 2>/dev/null)
if [ "${FAILED_LOGINS:-0}" -gt 10 ]; then
    echo "CRITICAL: Multiple failed login attempts"
    exit 2
fi

# Check for configuration changes
CONFIG_CHANGES=$(grep -c "Configuration changed" /var/log/adagios/adagios.log 2>/dev/null)
if [ "${CONFIG_CHANGES:-0}" -gt 20 ]; then
    echo "WARNING: High number of configuration changes"
    exit 1
fi

# Check for command executions
COMMANDS=$(grep -c "Command executed" /var/log/adagios/adagios.log 2>/dev/null)
if [ "${COMMANDS:-0}" -gt 50 ]; then
    echo "WARNING: High number of command executions"
    exit 1
fi

# Nothing exceeded its threshold
echo "OK: No security thresholds exceeded"
exit 0
```
Forward logs to SIEM:
```
# /etc/rsyslog.d/adagios.conf
:programname, isequal, "adagios" /var/log/adagios/syslog.log
# A single @ forwards over UDP; @@ forwards over TCP
:programname, isequal, "adagios" @siem.company.com:514
```