[Xymon] Limiting Access

Henrik Størner henrik at hswn.dk
Fri Mar 4 19:00:32 CET 2011


Hi,

> We were curious what solutions people may have come up with to limit
> access to certain tests or hosts.  For instance, we have a group that
> will simply monitor certain hosts and make judgments on who to call
> based on status, these systems would be a subset of all the systems.
> They have no real technical knowledge and do not need to see all the
> systems.  We may have a group of admins that need to see a certain set
> of hosts, but not every host since they have no real technical
> responsibility for certain systems.  Also, we have a lot of custom
> scripts that monitor security related items (locked accounts, brute
> force attempts etc), we would want only a certain group (security group)
> to be able to access those tests.
>
> Not being very familiar with Xymon yet, we were wondering if there was a
> way to accomplish this.  If not natively in Xymon, maybe via Apache?
> Any suggestions on how to proceed?

There isn't any security built into the Xymon web interface - it is
very much like the one you know from BB.

On my installation, we use Apache's built-in authentication for
controlling access to the webpages. The overview pages are static
(generated by xymongen), so if you group hosts sensibly using
page/subpage/subparent, then you will also have a directory structure
that Apache access-controls can handle.

This doesn't take care of the CGI utilities, since they don't have
a clue about these access controls. So a dedicated snoop will be
able to manipulate the query sent to a CGI, and grab data about
hosts from pages that he normally cannot see. So it isn't good
enough if real security is an issue. But for a basic "look at this
page for the information you need" it will work.

You can also use the "alternate pageset" method to generate multiple
sets of overview pages for your different groups. Combined with 
"group-only" / "group-except" directives you can limit the available 
information more, so your users will only see the columns they should be 
able to see.


Regards,
Henrik
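
The per-directory Apache access control described in the message above, as an added example that is not part of the original post and is not Xymon's own configuration. All paths, the page names `operators` and `security`, the `gifs`/`menu` resource directories and the group names are assumptions to adapt to the local install.

```apache
# Assumed layout (hypothetical, adjust to your installation):
#   /usr/lib/xymon/server/www             static pages written by xymongen
#   /usr/lib/xymon/server/www/operators   directory for hosts.cfg "page operators"
#   /usr/lib/xymon/server/www/security    directory for hosts.cfg "page security"
#   /usr/lib/xymon/cgi-bin                Xymon CGI programs

# Web root: login required, full overview visible to admins only.
<Directory "/usr/lib/xymon/server/www">
    AuthType Basic
    AuthName "Xymon"
    AuthBasicProvider file
    AuthUserFile  "/etc/xymon/htpasswd"
    AuthGroupFile "/etc/xymon/htgroup"
    Require group xymon-admins
</Directory>

# Shared images and menu files are needed by every logged-in user.
<DirectoryMatch "^/usr/lib/xymon/server/www/(gifs|menu)">
    Require valid-user
</DirectoryMatch>

# One block per page directory; the more specific Require replaces the root rule.
<Directory "/usr/lib/xymon/server/www/operators">
    Require group xymon-operators xymon-admins
</Directory>

<Directory "/usr/lib/xymon/server/www/security">
    Require group xymon-security
</Directory>

# The CGIs answer for whatever host the query names and know nothing about
# the page rules above, so they are limited here to a group that is allowed
# to see every host. Trade-off: other groups lose the CGI detail views.
<Directory "/usr/lib/xymon/cgi-bin">
    AuthType Basic
    AuthName "Xymon"
    AuthBasicProvider file
    AuthUserFile  "/etc/xymon/htpasswd"
    AuthGroupFile "/etc/xymon/htgroup"
    Require group xymon-admins
</Directory>
```

`Require group` with a group file needs `mod_authz_groupfile` loaded, and Basic authentication sends credentials with every request, so serve these locations over TLS.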


