[Xymon] status of disabled alert shows Disabled by: unknown @

Root, Paul T Paul.Root at CenturyLink.com
Fri Jul 19 18:26:40 CEST 2019


You could probably add back in the AllowOverride and Options.

What the commented-out lines were doing was looking for the mod_authz_core module and, if found, granting all access, i.e. not authenticating.

There is probably a more elegant solution, but I'm not that up on apache 2.4.

Commenting them out forced http to enforce the password and group file to authenticate, thus increasing security. As it was, anyone that could get to the web page could enable/disable/acknowledge the event.

From: Chris Pretorius <chrisp at lightstoneauto.co.za>
Sent: Friday, July 19, 2019 10:59 AM
To: Root, Paul T <Paul.Root at CenturyLink.com>
Cc: xymon at xymon.com
Subject: RE: status of disabled alert shows Disabled by: unknown @

Hi Paul

Sorry for that oversight, I will double check in future.

Commenting the lines you suggested did the trick.

Does this action compromise security?

Kind regards

From: Root, Paul T <Paul.Root at CenturyLink.com>
Sent: Friday, 19 July 2019 16:33
To: Chris Pretorius <chrisp at lightstoneauto.co.za>
Cc: xymon at xymon.com
Subject: RE: status of disabled alert shows Disabled by: unknown @

Do not EVER take a question off of the mailing list. The list is there to help. I am not, I'm just another user, sometimes I have some insight.

Your issue is basic authentication in HTTP and not xymon.

So you have a user in /etc/xymon/xymonpasswd and that user is in the admin group in /etc/xymon/xymongroups?

Look in the http log files for the accounting when you click on the 'Apply' button. It should look something like this:

10.0.63.193 - - [19/Jul/2019:09:27:47 -0500] "GET /xymon-cgi/showgraph.sh?host=apaxymdev&service=xymond&graph_width=576&graph_height=120&disp=apaxymdev&nostale&color=yellow&graph_start=1563373667&graph_end=1563546467&graph=hourly&action=view HTTP/1.1" 200 20108
10.0.63.193 - - [19/Jul/2019:09:27:54 -0500] "GET /xymon-seccgi/enadis.sh HTTP/1.1" 401 381
10.0.63.193 - ptroot [19/Jul/2019:09:28:01 -0500] "GET /xymon-seccgi/enadis.sh HTTP/1.1" 200 69277
10.0.63.193 - - [19/Jul/2019:09:28:10 -0500] "GET /xymon-cgi/svcstatus.sh?HOST=apaxymdev&SERVICE=info HTTP/1.1" 200 37307
10.0.63.193 - ptroot [19/Jul/2019:09:28:28 -0500] "POST /xymon-seccgi/enadis.sh HTTP/1.1" 302 271
10.0.63.193 - - [19/Jul/2019:09:28:28 -0500] "GET /xymon-cgi/svcstatus.sh?HOST=apaxymdev&SERVICE=info HTTP/1.1" 200 38189




You can try commenting out the following:
   # AllowOverride None
   # Options ExecCGI Includes
   # <IfModule mod_authz_core.c>
   #     # Apache 2.4+
   #     Require all granted
   # </IfModule>
   # <IfModule !mod_authz_core.c>
   #     Order deny,allow
   #     Allow from all
   # </IfModule>




From: Chris Pretorius <chrisp at lightstoneauto.co.za>
Sent: Friday, July 19, 2019 2:46 AM
To: Root, Paul T <Paul.Root at CenturyLink.com>
Subject: RE: status of disabled alert shows Disabled by: unknown @

Hi Paul

Thank you for your response.
Please find my answers to your question below.

How are you disabling the alert?
I click on info, scroll down to Disable alerts, select the test, add a cause and apply.

Are you asked to login when you click on the disable or acknowledge pages?
No, I do have to log on when I open our xymon page.

How is your xymon-seccgi secured in your xymon config in apache?  Should be /etc/httpd/conf.d/xymon.conf

httpd-2.4.6-80.el7.centos.1.x86_64

xymon-seccgi section from apache xymon.conf (xymon-4.3.28-1.el7.x86_64 - Terabithia repo)

ScriptAlias /xymon-seccgi/ "/usr/share/xymon/cgi-secure/"
<Directory "/usr/share/xymon/cgi-secure">
    AllowOverride None
    Options ExecCGI Includes
    <IfModule mod_authz_core.c>
        # Apache 2.4+
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Allow from all
    </IfModule>

    AuthUserFile /etc/xymon/xymonpasswd
    AuthGroupFile /etc/xymon/xymongroups
    AuthType Basic
    AuthName "Xymon Administration"
    Require valid-user
    Require group admins

</Directory>

Kind regards

From: Root, Paul T <Paul.Root at CenturyLink.com>
Sent: Thursday, 18 July 2019 15:36
To: Chris Pretorius <chrisp at lightstoneauto.co.za>; xymon at xymon.com
Subject: RE: status of disabled alert shows Disabled by: unknown @

How are you disabling the alert?

Are you asked to login when you click on the disable or acknowledge pages?

I know when I disable via the command line, I get unknown, but using the webpage, it always ask requires

How is your xymon-seccgi secured in your xymon config in apache?  Should be /etc/httpd/conf.d/xymon.conf

From: Xymon <xymon-bounces at xymon.com> On Behalf Of Chris Pretorius
Sent: Thursday, July 18, 2019 4:59 AM
To: xymon at xymon.com
Subject: [Xymon] status of disabled alert shows Disabled by: unknown @

Good day

I am using the Terabithia repo for my Xymon instance.

All is working great and so far no major issues.
Only problem I am struggling with is when I disable an alert the status shows -

Disabled until OK

Disabled by: unknown @ 172.33.255.1
Reason: investigating


Where do I need to change to display the name of the authenticated user @ source ip?

Authentication is handled by apache basic authentication.

Kind regards
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
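
Added example, not part of the original thread and not Xymon's or the Terabithia package's own code: a small Python check for the misconfiguration discussed above. Apache 2.4 treats sibling Require directives that are not inside a <RequireAll> container as an implicit RequireAny, so a top-level "Require all granted" means "Require valid-user" and "Require group admins" are never enforced. The function name find_bypassed_auth and the trimmed sample config are assumptions made for this illustration.

```python
import re

# Constructed from the xymon-seccgi section quoted in this thread, trimmed to access-control lines.
SAMPLE = """
<Directory "/usr/share/xymon/cgi-secure">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    AuthType Basic
    Require valid-user
    Require group admins
</Directory>
"""

OPEN = re.compile(r"<\s*(\w+)\b([^>]*)>")
AUTHZ = {"requireall", "requireany", "requirenone"}

def find_bypassed_auth(conf_text):
    """Return [(directory, [Require arguments that are never enforced])]."""
    findings, stack, sec = [], [], None
    for line in (l.strip() for l in conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            closed = stack.pop() if stack else ""
            if closed == "directory":
                if sec and sec["granted"] and sec["authtype"] and sec["others"]:
                    findings.append((sec["path"], sec["others"]))
                sec = None
            continue
        m = OPEN.fullmatch(line)
        if m:
            name, arg = m.group(1).lower(), m.group(2).strip()
            # Assumption: mod_authz_core is loaded (2.4), so a negated <IfModule !...> body is skipped.
            stack.append("skip" if name == "ifmodule" and arg.startswith("!") else name)
            if name == "directory":
                sec = dict(path=arg.strip('"'), granted=False, authtype=False, others=[])
            continue
        if sec is None or "skip" in stack:
            continue
        directive, rest = line.split()[0].lower(), " ".join(line.split()[1:])
        if directive == "authtype":
            sec["authtype"] = True
        elif directive == "require" and not AUTHZ & set(stack):
            # Top-level Requires form an implicit RequireAny: "all granted" alone grants access.
            if rest.lower() == "all granted":
                sec["granted"] = True
            else:
                sec["others"].append(rest)
    return findings
```

Run against the section as originally posted, it reports the cgi-secure directory with both credentialed Require lines as unenforced; with the "Require all granted" line commented out, it reports nothing.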