Distributing plugins

Andreas Ericsson ae at op5.se
Thu Aug 30 09:44:40 CEST 2007


Thomas Guyot-Sionnest wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 29/08/07 05:07 PM, Andreas Ericsson wrote:
>> Thomas Guyot-Sionnest wrote:
>>> That could easily be done in a secure manner, just require all
>>> distributed packages to be signed and have the public key reside on the
>>> servers. This is what most distributions already do under the hood for
>>> security updates.
>>>
>> Not really, no, since the whole idea of having pre-defined commands
>> in nrpe.cfg is to make sure that the rest of the network stays more
>> or less intact even if someone manages to obtain a user account on
>> the nagios server.
>>
>> Of course, if that user account is the root account, ssh keys allowing
>> distribution of programs and configuration files aren't secure either.
> 
> I was talking about digitally signing the stuff you send to the remote
> daemons (binary or script + command + (optionally) allowed hosts). Of
> course it's worth nothing if an unencrypted key is lying around the
> server - ideally the key should be encrypted and sitting on the
> administrator's computer.
> 

Yes, I quite understood that. However, such a solution (where the sending
end distributes the check-commands along with the programs) would provide
a single point of entry to every nrpe-monitored machine in the entire
network, which is a very bad thing indeed.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231
