[Xymon] execute a command from server (browser) on a client

Another Xymon User xymon at epperson.homelinux.net
Fri Jul 5 01:33:28 CEST 2013


 

Actually, I'm thinking that since I already have the PKI stuff in
place, the server just puts a private-key encrypted https URL to a
script in client-local.cfg, and the client decrypts and retrieves it.


One thing I've learned in 30 years in this business is that you never
give the auditors everything you can do at the outset. Let them make a
finding, then wrap something else around it. 

On 2013-07-04 17:44, Ralph Mitchell wrote:

> You should be very careful about how you validate this kind of
> automation. The client should probably do some kind of verification,
> and use canned scripts rather than just running any command handed to
> it. For example:
>
> xymon adds to client-local.cfg for server1: restartapache:`date +%s`
> server1 xymon client saves that in $HOME/etc/local.cfg
> server1 cron job sees "restartapache", extracts the timestamp, checks
> that it didn't already do that, then posts that timestamp back to the
> xymon server, asking what it means;
> xymon server replies: restartapache
> As long as the reply matches, the client kicks apache
> Everybody writes log entries
>
> The client call-back to verify the command could be done with curl
> over https with a client-side SSL certificate to validate each party
> to the other. That may seem like overkill, but when auditors are
> involved, maybe not... :-)
>
> Ralph Mitchell
>
> On Thu, Jul 4, 2013 at 3:21 PM, Another Xymon User <xymon at epperson.homelinux.net> wrote:
>
>> Thanks, Ralph! I had case 1 working with a PKI trust relationship
>> for root between the Xymon servers and the clients, but when the
>> auditors made us set "NoRootLogin yes" in sshd_config everywhere, it
>> broke and I had not had a chance to figure out how to do it with
>> sudo. Case 2 will let me work up an alternative.
>>
>> On 2013-07-04 12:07, Ralph Mitchell wrote:
>>
>>> It could be done, but it's a bit more complicated than that. Your
>>> browser is talking to the Xymon server, not the server where the
>>> downed service should be running. Here's a couple of ways it could
>>> be done, using your tomcat example:
>>>
>>> 1) you would need a cgi script on the Xymon server capable of
>>> logging in to the remote tomcat server with enough privilege to be
>>> able to restart tomcat or to dump memory, then send back to your
>>> browser any restart messages or the memory dump as a file download;
>>> or
>>> 2) a cgi script on the xymon server that could add a variable to
>>> the client-local.cfg for the tomcat server. Next time the remote
>>> checks in with xymon it would pick up that flag and store it in
>>> $HOME/etc/local.cfg. A cron job could examine that file
>>> occasionally and if the flag shows up, restart or dump memory as
>>> appropriate. This cycle could take 10 - 15 minutes to complete.
>>>
>>> I don't know if anyone has such automation currently running.
>>>
>>> Ralph Mitchell
>>>
>>> On Thu, Jul 4, 2013 at 7:24 AM, deepak deore <deepakdeore2004 at gmail.com> wrote:
>>>
>>>> Is it possible to execute a command on client from xymon browser?
>>>>
>>>> eg.
>>>>
>>>> 1. If a service is in RED state, just select that service and fire
>>>> restart command from browser.
>>>>
>>>> 2. If tomcat not responding then take thread dump from browser by
>>>> selecting that particular tomcat.
>>>>
>>>> I can write html for gui.
>>>>
>>>> _______________________________________________
>>>> Xymon mailing list
>>>> Xymon at xymon.com
>>>> http://lists.xymon.com/mailman/listinfo/xymon [1]

 

Links:
------
[1] http://lists.xymon.com/mailman/listinfo/xymon
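
The flag and call-back scheme Ralph Mitchell describes in the quoted message, sketched as the client-side cron job. This is an added example, not code from the thread or from Xymon; the `action:epoch` flag format, the verification URL, the certificate and state file paths and the canned script path are all assumptions.

```shell
#!/bin/sh
# Added example: client-side cron job for the flag / call-back scheme.
# Assumptions: flag format "action:epoch", file paths, VERIFY_URL endpoint.
CFG="${CFG:-$HOME/etc/local.cfg}"
STATE="${STATE:-$HOME/etc/remote-actions.done}"              # handled timestamps
VERIFY_URL="${VERIFY_URL:-https://xymon.example.com/cgi-bin/verify-action}"

# Allowlist: map an action name to a canned script; reject everything else.
canned_command() {
    case "$1" in
        restartapache) echo "/usr/local/sbin/restart-apache.sh" ;;  # hypothetical path
        *) return 1 ;;
    esac
}

# Call back over mutually authenticated TLS and ask what this timestamp means.
verify_with_server() {
    curl --silent --fail --max-time 30 \
        --cacert "$HOME/etc/ca.pem" \
        --cert "$HOME/etc/client.pem" --key "$HOME/etc/client.key" \
        --data-urlencode "host=$(uname -n)" \
        --data-urlencode "stamp=$1" "$VERIFY_URL"
}

# Print the canned command for one flag, or return a non-zero reason code.
handle_flag() {
    action=${1%%:*}; stamp=${1#*:}
    case "$action" in ''|*[!a-z0-9]*) return 2 ;; esac   # malformed action name
    case "$stamp" in ''|*[!0-9]*) return 2 ;; esac       # timestamp must be digits
    grep -qxF "$stamp" "$STATE" 2>/dev/null && return 3  # replay of a handled flag
    cmd=$(canned_command "$action") || return 4          # not on the allowlist
    reply=$(verify_with_server "$stamp") || return 5     # call-back failed
    [ "$reply" = "$action" ] || return 5                 # server did not confirm
    echo "$stamp" >> "$STATE"                            # record before running
    echo "$cmd"
}

# Cron entry point: only with --run; every decision is logged.
if [ "${1:-}" = "--run" ]; then
    grep -E '^[a-z0-9]+:[0-9]+$' "$CFG" | while read -r flag; do
        if cmd=$(handle_flag "$flag"); then
            logger -t remote-action "verified $flag, running $cmd"
            "$cmd" </dev/null
        else
            logger -t remote-action "refused $flag, reason $?"
        fi
    done
fi
```

The timestamp is recorded before the canned script runs, so a flag is acted on at most once even if the restart itself fails.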