Henrik --

Thanks for the apache pointers -- I was headed in that direction already, this just helps the clarification (I've already got site-level subpages, so that helps).

On the acknowledge -- just because there's only one of me doesn't mean I'm not paranoid (man, does that ever parse badly!)

I'd like to see something along the lines of an 'acknowledge' button on the individual test detail page, with a slot for time to live, and user authentication when the button gets clicked. (I think this was where you were going, but it's near the end of the day and, to quote Mr. Gumby, "My Brain Hurts").

All I've got to do now is re-gen the openLDAP code to add kerberos support, so I can authenticate against Win2003 AD.

Thanks --

Tom

-----Original Message----- From: Henrik Stoerner [mailto:henrik at hswn.dk] Sent: Tuesday, May 24, 2005 4:22 PM To: hobbit at hswn.dk Subject: Re: [hobbit] New Features #2 (the 'publish-cookie' option)

On Wed, May 11, 2005 at 01:18:01PM -0500, Kauffman, Tom wrote:

Did this make it into 4.0.3 RC1 or 2?

As you've probably found out: No.

I decided against it, because I really don't like the idea of putting something that is supposed to be confidential on a webpage. It's just the wrong solution, so I won't encourage people to use it.

(A couple of years back, I was doing a lot of IT security work - pen-testing, vulnerability scanning and such ... I still have that slightly paranoid instinct).

Although, truth to tell, I prefer the acknowledge web page option.

Me too.

And I need to dig into Apache security (pointers to appropriate doc cheerfully accepted). I have 14 remote sites whith equipment we monitor centrally. I would really like each site's local contact to be able to acknowledge alerts or disable tests for his site only, while leaving the central support group the option to handle alerts and test disabling for all systems.

Apache security is most easily setup by separating the webpages into different directories. In Hobbit, that maps nicely into putting hosts on different pages and subpages. E.g. if you have this bb-hosts file:

page nyc New York 10.0.0.1 nyc-router-1 10.0.0.2 nyc-firewall ... more New York hosts ...

page la Los Angeles 10.2.0.1 la-router-1

Then in Apache you can setup access rules like this:

AuthGroupFile /etc/hobbit/admingroups AuthUserFile /etc/hobbit/adminusers AuthType Basic AuthName "Hobbit monitor"

<Directory /var/lib/hobbit/www> # Restrict access to the top-level page Require group globaladmin </Directory>

<Directory /var/lib/hobbit/www/gifs> # Everyone allowed access to this Require valid-user </Directory>

<Directory /var/lib/hobbit/www/nyc> # NYC page: Access allowed for global admins and the NYC admins Require group globaladmin nycadmin </Directory>

<Directory /var/lib/hobbit/www/la> # LA page: Access allowed for global admins and the LA admins Require group globaladmin laadmin </Directory>

The "adminusers" file is constructed with the "htpasswd" utility, and holds the login-names and passwords for your users. The "admingroups" file then maps a user to a group:

globaladmin: tkauffman nyadmin: jdoe,bsmith laadmin: ajones

So depending on what username you login with, you're mapped to a group - and that group membership is what controls your access to the Hobbit pages. You'll need to grant full access to some directories - like the www/gifs/ and the cgi-bin directory. Controlling access to the acknowledge- and enable/disable functions is a bit tricky: Acknowledge should be simple since you need the ack token from an alert so you can do it by controlling who gets alerts for hosts; the enable/disable function needs some tweaking to "lock" users into handling only their own hosts - it might require some changes to the hobbit-enadis CGI.

Hope that helps, Henrik

To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk