[Xymon] execute a command from server (browser) on a client

Jeremy Laidman jlaidman at rebel-it.com.au
Fri Jul 5 04:57:46 CEST 2013


On 5 July 2013 07:44, Ralph Mitchell <ralphmitchell at gmail.com> wrote:

> You should be very careful about how you validate this kind of
> automation.  The client should probably do some kind of verification, and
> use canned scripts rather than just running any command handed to it.
>

Yes.  With ssh, authorized_keys can force a particular command to run,
rather than let an attacker dictate what gets executed.


>   For example:
>
> xymon adds to client-local.cfg for server1:   restartapache:`date +%s`
>

This is ingenious.  However it should be noted that it can take quite some
time for changes in client-local.cfg to be actioned on the client.  Expect
a 10-15 minute delay between the change to client-local.cfg and when the
cron task picks it up - and that's if it runs every minute.

It would be more responsive for the client cron task to just query the
status from the server every minute, and act accordingly.  Something like:

#!/usr/lib/xymon/client/bin/xymoncmd /bin/sh
# Restart a service whenever its Xymon status is anything other than green.
$XYMON $XYMSRV "query $MACHINE.http" | grep ^green >/dev/null || sudo service httpd restart
$XYMON $XYMSRV "query $MACHINE.smtp" | grep ^green >/dev/null || sudo service postfix restart

This kind of automated restart can get you into a bit of trouble, so should
be used with caution.  The last thing you want is a stack of run-away tasks
that end up consuming all memory and CPU resources.  A change to make this
a manually-triggered process might be for the client cron task to look for
a disabled/acknowledged status using xymondboard, and detect when a special
keyword (e.g. "!!RESTART!!") is entered into the disable/ack message.
Something like this:

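#!/usr/lib/xymon/client/bin/xymoncmd /bin/sh
# lastchange of the http test, but only if it is blue (disabled) and the
# disable message contains the keyword; empty otherwise.
RESPONSE=`$XYMON $XYMSRV "xymondboard host=$MACHINE test=http color=blue fields=lastchange,dismsg" | grep '!!RESTART!!' | cut -d"|" -f1`
# Restart only if the status changed within the last 60 seconds.
[ `expr 0$RESPONSE + 60` -gt `date +%s` ] && sudo service httpd restart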

This gets the status time for the host and test, but only if it's blue
(disabled) and only if it contains the '!!RESTART!!' keyword.  The status
time is compared to the current time and if within 60 seconds, runs the
restart command.

J
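
Added example, not part of the original message: a variant of the keyword-triggered restart above that validates the xymondboard fields and acts at most once per disable event, so overlapping cron runs cannot stack restarts. The function name restart_wanted, the MAX_AGE window and the state file under $XYMONTMP are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the original post.
KEYWORD='!!RESTART!!'
MAX_AGE=300   # assumption: ignore requests older than 5 minutes

# restart_wanted LINE NOW STATEFILE
# LINE is one line of xymondboard output for fields=lastchange,dismsg,
# i.e. "<epoch>|<disable message>". Returns 0 only for a fresh keyword
# request that has not been acted on before.
restart_wanted() {
    line=$1 now=$2 state=$3
    stamp=${line%%|*}
    msg=${line#*|}
    # lastchange must be a plain decimal epoch (no sign, no leading zero)
    case $stamp in ''|0*|*[!0-9]*) return 1 ;; esac
    # the message is only searched for the keyword, never executed
    case $msg in *"$KEYWORD"*) ;; *) return 1 ;; esac
    # reject timestamps in the future or older than MAX_AGE
    [ "$stamp" -le "$now" ] || return 1
    [ $(($now - $stamp)) -le "$MAX_AGE" ] || return 1
    # act once per disable event: remember the last timestamp handled
    last=0
    if [ -r "$state" ]; then read -r last < "$state" || last=0; fi
    case $last in ''|0?*|*[!0-9]*) last=0 ;; esac
    [ "$stamp" -gt "$last" ] || return 1
    printf '%s\n' "$stamp" > "$state"
}

# Runs only under xymoncmd, which is assumed to set XYMON, XYMSRV,
# MACHINE and XYMONTMP from the client configuration.
if [ -n "${XYMON:-}" ]; then
    STATE=$XYMONTMP/restart-http.stamp   # assumed state-file location
    LINE=$($XYMON $XYMSRV "xymondboard host=$MACHINE test=http color=blue fields=lastchange,dismsg" | head -n 1)
    if restart_wanted "$LINE" "$(date +%s)" "$STATE"; then
        sudo service httpd restart       # the one canned action
    fi
fi
```

If the state file cannot be written the function returns non-zero, so the restart is skipped rather than repeated.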