[Xymon] Recommendations for how I should set maint-senders ?

John Thurston john.thurston at alaska.gov
Thu Mar 6 21:44:53 CET 2014


The --maint-senders option for xymond is explained as:
> Controls which hosts may send maintenance commands to xymond.
> Maintenance commands are the "enable", "disable", "ack" and "notes"
> commands. Format of this option is as for the --status-senders
> option. It is strongly recommended that you use this to restrict
> access to these commands, so that monitoring of a host cannot be
> disabled by a rogue user - e.g. to hide a system compromise from the
> monitoring system.

But while exploring some unexpected client behavior today, it appears 
that --maint-senders is only enforced for hosts in hosts.cfg which are 
defined with explicit addresses.

On line 71 of lib/ipaccess.c I found this:
> if (strcmp(targetip, "0.0.0.0") == 0) return 1; /* DHCP hosts can report from any address */

It looks like regardless of how I set --maint-senders, anyone can send a
'disable' message for any host defined with 0.0.0.0. Since 90% of my
500 hosts are dynamically defined in hosts.cfg, it feels like trying to
clamp down --maint-senders is kind of pointless for me.

Can anyone suggest reasons why I shouldn't just blow that setting wide open?
-- 
    Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Enterprise Technology Services
Department of Administration
State of Alaska
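
An added example, not part of the original post and not Xymon's own code: a Python audit that lists which hosts.cfg entries are defined as 0.0.0.0 and therefore fall under the check quoted from lib/ipaccess.c. The sample hosts.cfg text and host names are constructed, and the parser assumes the simple "address hostname # tags" layout; include files are reported but not followed.

```python
import ipaddress

# Constructed sample in hosts.cfg layout; not a real inventory.
SAMPLE_HOSTS_CFG = """\
# constructed sample
page servers Servers
group Core
10.1.2.3   db01.example.com      # ssh
10.1.2.4   web01.example.com     # ssh
0.0.0.0    laptop17.example.com  # noconn
0.0.0.0    kiosk02.example.com
include /etc/xymon/more-hosts.cfg
"""

ANY_ADDRESS = ipaddress.ip_address("0.0.0.0")


def audit_hosts_cfg(text):
    """Return (explicit, any_sender, includes).

    explicit   -- hosts with a fixed address, where --maint-senders applies
    any_sender -- hosts defined as 0.0.0.0, accepted from any sender
    includes   -- include directives seen but not followed by this audit
    """
    explicit, any_sender, includes = [], [], []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop tags and comments
        if len(fields) < 2:
            continue
        if fields[0] == "include":
            includes.append(fields[1])
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # page/group and other directives
        (any_sender if addr == ANY_ADDRESS else explicit).append(fields[1])
    return explicit, any_sender, includes


def exposure_ratio(text):
    """Fraction of host entries that --maint-senders does not protect."""
    explicit, any_sender, _ = audit_hosts_cfg(text)
    total = len(explicit) + len(any_sender)
    return len(any_sender) / total if total else 0.0


if __name__ == "__main__":
    explicit, any_sender, includes = audit_hosts_cfg(SAMPLE_HOSTS_CFG)
    print(f"{len(any_sender)} of {len(explicit) + len(any_sender)} hosts use 0.0.0.0")
    for host in any_sender:
        print("  maint-senders not enforced:", host)
    for path in includes:
        print("  not audited (include):", path)
```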


