Recommendations for how I should set maint-senders ?
the --maint-senders option for xymond is explained as:
Controls which hosts may send maintenance commands to xymond. Maintenance commands are the "enable", "disable", "ack" and "notes" commands. Format of this option is as for the --status-senders option. It is strongly recommended that you use this to restrict access to these commands, so that monitoring of a host cannot be disabled by a rogue user - e.g. to hide a system compromise from the monitoring system.
But while exploring some unexpected client behavior today, it appears that --maint-senders is only enforced for hosts in hosts.cfg which are defined with explicit addresses.
On line 71 of lib/ipaccess.c I found this:
if (strcmp(targetip, "0.0.0.0") == 0) return 1; /* DHCP hosts can report from any address */
It looks like regardless of how I set --maint-senders, anyone can send a 'disable' message for any host defined with 0.0.0.0. Since 90% of my 500 hosts are dynamically defined in hosts.cfg, it feels like trying to clamp down --maint-senders is kind of pointless for me.
Can anyone suggest reasons why I shouldn't just blow that setting wide open?
Do things because you should, not just because you can.
John Thurston 907-465-8591 John.Thurston at alaska.gov Enterprise Technology Services Department of Administration State of Alaska
On 2014-03-06 21:44, John Thurston wrote:
> the --maint-senders option for xymond is explained as:
> Controls which hosts may send maintenance commands to xymond. Maintenance commands are the "enable", "disable", "ack" and "notes" commands. Format of this option is as for the --status-senders option. It is strongly recommended that you use this to restrict access to these commands, so that monitoring of a host cannot be disabled by a rogue user - e.g. to hide a system compromise from the monitoring system.
> But while exploring some unexpected client behavior today, it appears that --maint-senders is only enforced for hosts in hosts.cfg which are defined with explicit addresses.
> On line 71 of lib/ipaccess.c I found this:
> if (strcmp(targetip, "0.0.0.0") == 0) return 1; /* DHCP hosts can report from any address */
> It looks like regardless of how I set --maint-senders, anyone can send a 'disable' message for any host defined with 0.0.0.0. Since 90% of my 500 hosts are dynamically defined in hosts.cfg, it feels like trying to clamp down --maint-senders is kind of pointless for me.
This is a bug. In most cases, the IP access check with the --maint-senders option will not hit this piece of the code in lib/ipaccess.c (because the 'targetip' parameter is NULL). But exactly for the enable/disable case, it is set to the IP from hosts.cfg.
The idea behind this is to permit a host to send a "disable" status for itself, e.g. when shutting down a service for maintenance.
I'll get a fix for this into 4.3.18.
Regards, Henrik
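The check ordering Henrik describes, as an added illustration in C that is not Xymon's own code: a simplified, hypothetical model of an ipaccess-style check in which an allow list stands in for --maint-senders, the quoted 0.0.0.0 shortcut fires before the allow list is consulted, and a "sender equals target" self-exemption is assumed to be how a fixed-address host may disable itself. The hardened variant beside it consults the allow list first and never treats 0.0.0.0 as a match, which is one possible fix, not necessarily the one shipped in 4.3.18.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample allow list: one monitoring server in --maint-senders. */
static const char *const SAMPLE_SENDERS[] = { "10.0.0.1" };
#define SAMPLE_NSENDERS 1

/* Is senderip listed in the --maint-senders allow list? */
static int sender_allowed(const char *senderip, const char *const *senders, int nsenders) {
    for (int i = 0; i < nsenders; i++)
        if (strcmp(senderip, senders[i]) == 0) return 1;
    return 0;
}

/* Buggy ordering (hypothetical model of the thread's description): for the
 * enable/disable case targetip is the hosts.cfg address, and the DHCP
 * shortcut returns before the allow list is ever looked at, so any sender
 * may issue maintenance commands for a host defined as 0.0.0.0. */
int maint_allowed_buggy(const char *senderip, const char *targetip,
                        const char *const *senders, int nsenders) {
    if (targetip != NULL) {
        if (strcmp(targetip, "0.0.0.0") == 0) return 1; /* DHCP hosts can report from any address */
        if (strcmp(senderip, targetip) == 0) return 1;  /* assumed: a host may disable itself */
    }
    return sender_allowed(senderip, senders, nsenders);
}

/* Hardened ordering: the allow list is always consulted, and the only extra
 * grant is the self-exemption for a host with a real fixed address. A
 * 0.0.0.0 target never matches a sender, so DHCP hosts get no blanket pass
 * and must appear in --maint-senders like anyone else. */
int maint_allowed_fixed(const char *senderip, const char *targetip,
                        const char *const *senders, int nsenders) {
    if (sender_allowed(senderip, senders, nsenders)) return 1;
    if (targetip != NULL && strcmp(targetip, "0.0.0.0") != 0 &&
        strcmp(senderip, targetip) == 0) return 1;
    return 0;
}

int main(void) {
    /* 192.0.2.99 is a constructed rogue sender not in the allow list. */
    printf("rogue -> DHCP host, buggy: %d\n",
           maint_allowed_buggy("192.0.2.99", "0.0.0.0", SAMPLE_SENDERS, SAMPLE_NSENDERS));
    printf("rogue -> DHCP host, fixed: %d\n",
           maint_allowed_fixed("192.0.2.99", "0.0.0.0", SAMPLE_SENDERS, SAMPLE_NSENDERS));
    return 0;
}
```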