[hobbit] New Features #2 (the 'publish-cookie' option)

Henrik Stoerner henrik at hswn.dk
Tue May 24 23:22:09 CEST 2005 

On Wed, May 11, 2005 at 01:18:01PM -0500, Kauffman, Tom wrote:
> Did this make it into 4.0.3 RC1 or 2?

As you've probably found out: No.

I decided against it, because I really don't like the idea of putting
something that is supposed to be confidential on a webpage. It's just
the wrong solution, so I won't encourage people to use it.

(A couple of years back, I was doing a lot of IT security work - 
pen-testing, vulnerability scanning and such ... I still have that
slightly paranoid instinct).

> Although, truth to tell, I prefer the acknowledge web page option.

Me too.

> And I need to dig into Apache security (pointers to appropriate doc
> cheerfully accepted). I have 14 remote sites whith equipment we monitor
> centrally. I would really like each site's local contact to be able to
> acknowledge alerts or disable tests for his site only, while leaving the
> central support group the option to handle alerts and test disabling for
> all systems.

Apache security is most easily setup by separating the webpages into
different directories. In Hobbit, that maps nicely into putting hosts
on different pages and subpages. E.g. if you have this bb-hosts file:

   page nyc New York
   10.0.0.1  nyc-router-1
   10.0.0.2  nyc-firewall
   ... more New York hosts ...

   page la Los Angeles
   10.2.0.1  la-router-1

Then in Apache you can setup access rules like this:

   AuthGroupFile /etc/hobbit/admingroups
   AuthUserFile  /etc/hobbit/adminusers
   AuthType Basic
   AuthName "Hobbit monitor"

   <Directory /var/lib/hobbit/www>
      # Restrict access to the top-level page
      Require group globaladmin
   </Directory>

   <Directory /var/lib/hobbit/www/gifs>
      # Everyone allowed access to this
      Require valid-user
   </Directory>

   <Directory /var/lib/hobbit/www/nyc>
      # NYC page: Access allowed for global admins and the NYC admins
      Require group globaladmin nycadmin
   </Directory>

   <Directory /var/lib/hobbit/www/la>
      # LA page: Access allowed for global admins and the LA admins
      Require group globaladmin laadmin
   </Directory>


The "adminusers" file is constructed with the "htpasswd" utility,
and holds the login-names and passwords for your users. The
"admingroups" file then maps a user to a group:

   globaladmin: tkauffman
   nyadmin: jdoe,bsmith
   laadmin: ajones

So depending on what username you login with, you're mapped to
a group - and that group membership is what controls your access 
to the Hobbit pages. You'll need to grant full access to some
directories - like the www/gifs/ and the cgi-bin directory.
Controlling access to the acknowledge- and enable/disable functions
is a bit tricky: Acknowledge should be simple since you need the
ack token from an alert so you can do it by controlling who gets alerts 
for hosts; the enable/disable function needs some tweaking to "lock"
users into handling only their own hosts - it might require some
changes to the hobbit-enadis CGI.


Hope that helps,
Henrik

More information about the Xymon mailing list