On Wed, May 11, 2005 at 01:18:01PM -0500, Kauffman, Tom wrote:
Did this make it into 4.0.3 RC1 or 2?
As you've probably found out: No.
I decided against it, because I really don't like the idea of putting something that is supposed to be confidential on a webpage. It's just the wrong solution, so I won't encourage people to use it.
(A couple of years back, I was doing a lot of IT security work - pen-testing, vulnerability scanning and such ... I still have that slightly paranoid instinct).
Although, truth to tell, I prefer the acknowledge web page option.
Me too.
And I need to dig into Apache security (pointers to appropriate doc cheerfully accepted). I have 14 remote sites whith equipment we monitor centrally. I would really like each site's local contact to be able to acknowledge alerts or disable tests for his site only, while leaving the central support group the option to handle alerts and test disabling for all systems.
Apache security is most easily setup by separating the webpages into different directories. In Hobbit, that maps nicely into putting hosts on different pages and subpages. E.g. if you have this bb-hosts file:
page nyc New York 10.0.0.1 nyc-router-1 10.0.0.2 nyc-firewall ... more New York hosts ...
page la Los Angeles 10.2.0.1 la-router-1
Then in Apache you can setup access rules like this:
AuthGroupFile /etc/hobbit/admingroups AuthUserFile /etc/hobbit/adminusers AuthType Basic AuthName "Hobbit monitor"
<Directory /var/lib/hobbit/www> # Restrict access to the top-level page Require group globaladmin </Directory>
<Directory /var/lib/hobbit/www/gifs> # Everyone allowed access to this Require valid-user </Directory>
<Directory /var/lib/hobbit/www/nyc> # NYC page: Access allowed for global admins and the NYC admins Require group globaladmin nycadmin </Directory>
<Directory /var/lib/hobbit/www/la> # LA page: Access allowed for global admins and the LA admins Require group globaladmin laadmin </Directory>
The "adminusers" file is constructed with the "htpasswd" utility, and holds the login-names and passwords for your users. The "admingroups" file then maps a user to a group:
globaladmin: tkauffman nyadmin: jdoe,bsmith laadmin: ajones
So depending on what username you login with, you're mapped to a group - and that group membership is what controls your access to the Hobbit pages. You'll need to grant full access to some directories - like the www/gifs/ and the cgi-bin directory. Controlling access to the acknowledge- and enable/disable functions is a bit tricky: Acknowledge should be simple since you need the ack token from an alert so you can do it by controlling who gets alerts for hosts; the enable/disable function needs some tweaking to "lock" users into handling only their own hosts - it might require some changes to the hobbit-enadis CGI.
Hope that helps, Henrik