[hobbit] localhost, clamd, rights

Henrik Stoerner henrik at hswn.dk
Thu Aug 17 18:15:21 CEST 2006


On Thu, Aug 17, 2006 at 01:57:05PM +0200, John GALLET wrote:

> > As Charles writes, you can use "sudo" to permit the hobbit user to run
> > the privileged commands with root privs. The risk in doing that
> > obviously is that if a user manages to break into your box and get 
> > shell access as the "hobbit" user, then he can run those same commands
> > with root privileges.
> 
> When it comes to security, a lot of things don't seem "obvious" to me!

Well, security often is far from obvious. If it were, we wouldn't have
all those security incidents with computers.

> Especially the part about breaking into my box with the hobbit user. It's
> not named "hobbit", neither is its group. I use iptable and only allow
> INPUT on 1984 from my boxes, I htpassword protect all the hobbit cgi
> directories and run them as "nobody/nobody" and the shell account passwd
> is strong. But I can very easily have forgotten some *basic* security
> measure that applies to Hobbit (and which I am not familiar with because I
> don't run such daemons in general).

Securing Hobbit isn't very different from securing any kind of network
service, and it sounds like you have it pretty much nailed down.

Hobbit in itself doesn't provide a whole lot of security settings; so
far I have been quite happy to have security handled outside Hobbit by
firewalls, Apache htaccess checks and general unix permissions. There is
one security feature that you might want to look into: hobbitd (the core
daemon) has a series of options controlling which IP-addresses it will
accept certain commands from. The "--admin-senders" option especially
controls who may ask the Hobbit server to delete or rename hosts being 
monitored; if you're going to attack a server, it sure is nice if you
can delete it from the monitoring system first - so that should be
locked down. The default setting in hobbitlaunch.cfg only allows these
commands to come from the Hobbit server itself.

A related option - the --maint-senders option - controls who can send
commands to disable monitoring of a host. This is NOT restricted by
default; if you only enable/disable hosts and tests via the built-in
Hobbit web-utilities, then you can restrict this also to only accept
such commands from the Hobbit server itself.

Finally, the "--status-senders" option controls who may update the
status of a test. This is not turned on by default, so anyone can
send in a status update for any host/service that Hobbit monitors.
If you enable this, then only the host itself is allowed to send
updates; the Hobbit server itself and any other servers running network
tests must be allowed to send status updates.

All of these are described in the hobbitd(8) man-page.


Regards,
Henrik
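
Added example (not part of Henrik's message and not code from the Hobbit distribution): a small audit that reads the hobbitd command line out of hobbitlaunch.cfg and reports which of the three sender options discussed above are set. The sample config is constructed, and the [section]/CMD layout with backslash continuation and the comma-separated address list are assumptions to check against hobbitd(8) on your own install.

```python
import shlex

SENDER_OPTIONS = ("--admin-senders", "--maint-senders", "--status-senders")

# Constructed sample in the style of hobbitlaunch.cfg (paths and addresses are made up).
SAMPLE_CFG = """\
[hobbitd]
    ENVFILE /etc/hobbit/hobbitserver.cfg
    CMD hobbitd --pidfile=/var/run/hobbitd.pid \\
        --admin-senders=127.0.0.1,192.0.2.10

[example-task]
    CMD example-tool --status-senders=198.51.100.7
"""

def hobbitd_command(cfg_text):
    """Return the argument list of the CMD line in the [hobbitd] section."""
    joined = cfg_text.replace("\\\n", " ")  # assumed: trailing backslash continues a line
    section = None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        parts = line.split(None, 1)
        if section == "hobbitd" and parts[0] == "CMD" and len(parts) == 2:
            return shlex.split(parts[1])
    return []

def audit_senders(cfg_text):
    """Map each sender option to its allowed-address list, or None if unset."""
    result = dict.fromkeys(SENDER_OPTIONS)
    for arg in hobbitd_command(cfg_text):
        name, sep, value = arg.partition("=")
        if name in result and sep:
            result[name] = [a for a in value.split(",") if a]
    return result

if __name__ == "__main__":
    for opt, allowed in audit_senders(SAMPLE_CFG).items():
        print(opt, "->", ", ".join(allowed) if allowed else "not set on the hobbitd command line")
```

Only the [hobbitd] section is inspected, so an option that appears on some other task's command line is not counted as a restriction on the core daemon.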



