[hobbit] BBwin Security role?

Mario Andre Panza rower.master at gmail.com
Thu Apr 29 19:52:20 CEST 2010


Thanks David!

That's the point --admin-senders !
Xymon is the best!

Regards,

Mario.



On Wed, Apr 28, 2010 at 11:20 PM, David Baldwin <
david.baldwin at ausport.gov.au> wrote:

>  Mario Andre Panza wrote:
>
> Hi guys,
>
> I was looking at the bbwin command line tool bbwincmd.exe help page and
> something really got me worried.
> There we have :
>
> Sending a drop
> bbwincmd.exe <bbdisplay>[:<port>] drop <hostname> [<testname>]
> Sending a hostname rename
> bbwincmd.exe <bbdisplay>[:<port>] rename <hostname> <newhostname>
> Sending a test rename
> bbwincmd.exe <bbdisplay>[:<port>] rename <hostname> <oldtestname> <newtestname>
> Sending a download message. default download path is the filename requested it
> bbwincmd.exe <bbdisplay>[:<port>] download <hostname> <filename> [<path>]
>
> I've tried from an agent to drop a test and thank God it doesn't work. I've
> tried from a Linux xymon-client and thank God again it didn't work either.
> I don't know why this is in the documentation, but my question is why these
> kinds of administration commands are available at the agents?
> In my opinion this is not a good idea.
> If one day this kind of thing works, how can we prevent the server from
> executing this? Is there something in the configuration?
>
> There are a number of arguments to hobbitd which are specified in
> /etc/hobbit/hobbitlaunch.cfg in [hobbitd] section. The relevant defaults are
> '--admin-senders=127.0.0.1,$BBSERVERIP' which block access to the *drop* and
> *rename* commands from other than the server. Not sure about *download*.
>
> From 'man hobbitd'
>
> --status-senders=IP[/MASK][,IP/MASK]
>     Controls which hosts may send "status", "combo", "config" and "query"
> commands to hobbitd.
>
>     By default, any host can send status-updates. If this option is used,
> then status-updates are accepted only if they are sent by one of the
> IP-addresses listed here, or if they are sent from the IP-address of the host
> that the updates pertain to (this is to allow Xymon clients to send in
> their own status updates, without having to list all clients here). So
> typically you will need to list your BBNET servers here.
>
>     The format of this option is a list of IP-addresses, optionally with a
> network mask in the form of the number of bits. E.g. if you want to accept
> status-updates from the host 172.16.10.2, you would use
>
>         --status-senders=172.16.10.2
>
>     whereas if you want to accept status updates from both 172.16.10.2 and
> from all of the hosts on the 10.0.2.* network (a 24-bit IP network), you
> would use
>
>         --status-senders=172.16.10.2,10.0.2.0/24
>
> --maint-senders=IP[/MASK][,IP/MASK]
>     Controls which hosts may send maintenance commands to hobbitd.
> Maintenance commands are the "enable", "disable", "ack" and "notes"
> commands. Format of this option is as for the --status-senders option. It is
> strongly recommended that you use this to restrict access to these commands,
> so that monitoring of a host cannot be disabled by a rogue user - e.g. to
> hide a system compromise from the monitoring system.
>
>     Note: If messages are sent through a proxy, the IP-address restrictions
> are of little use, since the messages will appear to originate from the
> proxy server address. It is therefore strongly recommended that you do NOT
> include the address of a server running bbproxy in the list of allowed
> addresses.
>
> --www-senders=IP[/MASK][,IP/MASK]
>     Controls which hosts may send commands to retrieve the state of
> hobbitd. These are the "hobbitdlog", "hobbitdboard" and "hobbitdxboard"
> commands, which are used by bbgen(1) and bbcombotest(1) to retrieve the
> state of the Xymon system so they can generate the Xymon webpages.
>
>     Note: If messages are sent through a proxy, the IP-address restrictions
> are of little use, since the messages will appear to originate from the
> proxy server address. It is therefore strongly recommended that you do NOT
> include the address of a server running bbproxy in the list of allowed
> addresses.
>
> --admin-senders=IP[/MASK][,IP/MASK]
>     Controls which hosts may send administrative commands to hobbitd. These
> commands are the "drop" and "rename" commands. Access to these should be
> restricted, since they provide an un-authenticated means of completely
> disabling monitoring of a host, and can be used to remove all traces of e.g.
> a system compromise from the Xymon monitor.
>
>     Note: If messages are sent through a proxy, the IP-address restrictions
> are of little use, since the messages will appear to originate from the
> proxy server address. It is therefore strongly recommended that you do NOT
> include the address of a server running bbproxy in the list of allowed
> addresses.
>
> --
> David Baldwin - IT Unit
> Australian Sports Commission          www.ausport.gov.au
> Tel 02 62147830 Fax 02 62141830       PO Box 176 Belconnen ACT 2616
> david.baldwin at ausport.gov.au          Leverrier Street Bruce ACT 2617
>
>
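
The sender rules quoted above, modelled as an added Python example (not code from the thread or from the Xymon project): it reads the `--*-senders` options from a `[hobbitd]` section, decides whether a command from a given address would pass, and lists settings worth reviewing. The sample config, the `$BBSERVERIP` value, the `[decoy]` section and the treatment of an unset option as unrestricted are assumptions.

```python
import ipaddress
import re

# Commands gated by each option, per the man page excerpt quoted above.
GATES = {
    "status-senders": {"status", "combo", "config", "query"},
    "maint-senders": {"enable", "disable", "ack", "notes"},
    "www-senders": {"hobbitdlog", "hobbitdboard", "hobbitdxboard"},
    "admin-senders": {"drop", "rename"},
}

# Constructed sample; the [decoy] section only shows that other sections are ignored.
SAMPLE_CFG = """[hobbitd]
    CMD hobbitd --admin-senders=127.0.0.1,$BBSERVERIP --status-senders=172.16.10.2,10.0.2.0/24
[decoy]
    CMD decoy --admin-senders=0.0.0.0/0
"""
SAMPLE_ENV = {"BBSERVERIP": "192.0.2.10"}  # assumed server address (documentation range)

def parse_acls(cfg_text, env):
    """Return {option: [networks]} from the CMD line of the [hobbitd] section."""
    acls, in_section = {}, False
    for line in (l.strip() for l in cfg_text.splitlines()):
        if line.startswith("["):
            in_section = line == "[hobbitd]"
        elif in_section and line.startswith("CMD"):
            for opt, value in re.findall(r"--([a-z]+-senders)=(\S+)", line):
                for name, val in env.items():  # expand $BBSERVERIP and similar
                    value = value.replace("$" + name, val)
                acls[opt] = [ipaddress.ip_network(v, strict=False)
                             for v in value.split(",")]
    return acls

def is_allowed(acls, command, sender, target_ip=None):
    """True/False per the documented rules; None if no quoted option covers it."""
    opt = next((o for o, cmds in GATES.items() if command in cmds), None)
    if opt is None:
        return None  # e.g. "download", which the excerpt does not cover
    if opt not in acls:
        return True  # assumption: an option that is not set restricts nothing
    src = ipaddress.ip_address(sender)
    if opt == "status-senders" and target_ip and src == ipaddress.ip_address(target_ip):
        return True  # a host may send status updates about itself
    return any(src in net for net in acls[opt])

def audit(acls, proxies=()):
    """Findings: maint/admin left open, or a proxy on a list that carries the proxy note."""
    findings = [f"--{o} not set" for o in ("maint-senders", "admin-senders") if o not in acls]
    for opt in ("maint-senders", "www-senders", "admin-senders"):
        findings += [f"--{opt} allows proxy {p}" for p in proxies
                     if any(ipaddress.ip_address(p) in n for n in acls.get(opt, []))]
    return findings
```

With the sample config, a `drop` from a monitored client is refused while `disable` from any address passes, which is the gap the `--maint-senders` recommendation addresses.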