[Xymon] Does maint-senders work as advertised?
john.thurston at alaska.gov
Mon Oct 14 23:10:26 CEST 2013
In xymond.8.html is written:
> Controls which hosts may send maintenance commands to xymond. Maintenance commands are the "enable", "disable", "ack" and "notes" commands. Format of this option is as for the --status-senders option. It is strongly recommended that you use this to restrict access to these commands, so that monitoring of a host cannot be disabled by a rogue user - e.g. to hide a system compromise from the monitoring system.
I am able to make '--status-senders' work as advertised, but I am unable
to make '--maint-senders' work the way I think it should.
The xymond segment of my tasks.cfg is:
>CMD xymond --pidfile=$XYMONSERVERLOGS/xymond.pid \
> --restart=$XYMONTMP/xymond.chk --checkpoint-file=$XYMONTMP/xymond.chk --checkpoint-interval=600 \
> --log=$XYMONSERVERLOGS/xymond.log \
> --maint-senders=$XYMONSERVERIP \
> --no-download \
but I can still send disable-messages for an arbitrary host-test
combination from an arbitrary windows machine with:
BBWinCmd.exe xymon.example.com disable foo.example.com ssh 10 Text
When I change the tasks.cfg to contain an arbitrary ip address (of a
> --maint-senders=10.10.10.10 \
I am still able to send disable-messages from arbitrary machines. But,
my log file then shows errors for attempts by the xymon server to handle
> 2013-10-14 12:34:27 Refused message from 10.200.10.24: notify foo,example,com.ssh
So I see --maint-senders being evaluated by the alert-handling process,
but ignored by the client-listener.
Does anyone else have --maint-senders working correctly?
Do things because you should, not just because you can.
John Thurston 907-465-8591
John.Thurston at alaska.gov
Enterprise Technology Services
Department of Administration
State of Alaska
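
An added example, not part of the original post and not Xymon project code: one way to check what the post describes, by reading which `--*-senders` options the xymond CMD line actually carries and tallying "Refused message" log lines by source and command. It assumes the refusal line always has the shape of the one quoted above; the function names and the sample input are constructed for illustration.

```python
import re
from collections import Counter

# Commands the quoted man page text lists as maintenance commands.
MAINT_COMMANDS = {"enable", "disable", "ack", "notes"}

# Shape of the refusal line quoted in the post (assumed stable across messages).
REFUSED = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} Refused message from "
    r"(?P<src>[0-9A-Fa-f.:]+): (?P<cmd>\S+)")

def sender_options(tasks_cfg):
    """Return {option: value} for each --*-senders option on the xymond CMD line."""
    joined = re.sub(r"\\[ \t]*\n", " ", tasks_cfg)  # fold backslash continuations
    found = {}
    for line in joined.splitlines():
        if re.match(r"\s*CMD\s+xymond\s", line):
            found.update(re.findall(r"--([a-z]+-senders)=(\S+)", line))
    return found

def refused_by_command(log_text):
    """Count refused messages per (source address, command word)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REFUSED.match(line)
        if m:
            counts[(m.group("src"), m.group("cmd"))] += 1
    return counts

def maint_refusals(counts):
    """Keep only refusals whose command is a maintenance command."""
    return {k: n for k, n in counts.items() if k[1] in MAINT_COMMANDS}

# Constructed sample input, modelled on the fragments in the post.
SAMPLE_TASKS = r"""[xymond]
    CMD xymond --pidfile=$XYMONSERVERLOGS/xymond.pid \
      --log=$XYMONSERVERLOGS/xymond.log \
      --maint-senders=10.10.10.10 \
      --no-download
"""
SAMPLE_LOG = """2013-10-14 12:34:27 Refused message from 10.200.10.24: notify foo,example,com.ssh
2013-10-14 12:39:27 Refused message from 10.200.10.24: notify foo,example,com.ssh
2013-10-14 12:40:02 Some unrelated log line
"""

if __name__ == "__main__":
    print(sender_options(SAMPLE_TASKS))
    counts = refused_by_command(SAMPLE_LOG)
    print(dict(counts), maint_refusals(counts))
```

An empty result from `maint_refusals` while the option is set and test disable messages are being sent from other addresses matches the symptom reported in the post.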