Xymon Mailing List Archive

Running a custom test on multiple clients.

Ralph Mitchell
Fri, 4 Dec 2020 15:04:06 -0500
Message-Id: <user-0507e43e238d@xymon.invalid>

It's not very hard to construct a method to install custom scripts.  Linux
systems generally have a package manager, whether it's rpm, yum, dnf,
zypper, apt or whatever.  So, off the top of my head, I think this would
work:

1) construct packages for the various tests you want to install
2) construct a meta-package for each different server type (DB, App, web,
etc) that contains nothing other than requirements for the relevant packages
3) in Xymon's client-local.cfg you can put *anything* you want, so add a
line for each client that contains the name of the meta-package:
   clientPKG: DB
   clientPKG: APP
   clientPKG: WEB
   That will get delivered to the client every time the main client test
(cpu, disk, mem, port, procs) runs.
4) then distribute to each client a generic custom test that greps that
line out of the local.cfg and does the equivalent of:
   yum install xymon-client-DB
   or -APP, or -WEB, to install the meta-package, which in turn will pull
in the appropriate group of test packages.

The client will then use all the safeguards built into the OS package
delivery/installation process to download and verify the signed package
before installing it.  That ought to satisfy an auditor.

If you need to modify a test, just update its package, rebuild any
meta-package that has a dependency for it, and push them all to your
package repository server.  Similarly for a new test.  Clients will pull in
the updated meta-package whenever their update script checks in (hourly,
daily, weekly?), and install any updated bits.  The updater can be run as a
Xymon task, even if it doesn't generate a report.

Ralph Mitchell
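
One way the generic test in step 4 could be written, as an added example that is not part of the original message. It assumes the path of the config section delivered to the client is passed as an argument; the function names, the role allowlist and the `APPLY` switch are hypothetical, and the value on the `clientPKG:` line is treated as untrusted input before it reaches the package manager.

```shell
#!/bin/sh
# Added example, not from the thread. Roles and package prefix come from the
# message; the allowlist, APPLY switch and config path argument are assumptions.
ALLOWED_ROLES="DB APP WEB"
PKG_PREFIX="xymon-client-"

# Print the single role named on the "clientPKG:" line of config file $1.
# Fails if the line is missing, repeated, or the value contains whitespace.
client_pkg_role() {
    [ -r "$1" ] || return 2
    roles=$(sed -n 's/^[[:space:]]*clientPKG:[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/p' "$1")
    [ -n "$roles" ] || return 1
    case $roles in
        *"
"*) return 1 ;;   # more than one clientPKG line: ambiguous, refuse
    esac
    printf '%s\n' "$roles"
}

# Map a role to its meta-package name, only if the role is on the allowlist.
# This keeps option-like or unexpected values away from the package manager.
meta_package_for() {
    for ok in $ALLOWED_ROLES; do
        if [ "$1" = "$ok" ]; then
            printf '%s%s\n' "$PKG_PREFIX" "$1"
            return 0
        fi
    done
    return 1
}

# Resolve the meta-package for config file $1 and install it.
# Prints the command unless APPLY=1 is set in the environment.
install_meta_package() {
    role=$(client_pkg_role "$1") || { echo "no usable clientPKG line in $1" >&2; return 1; }
    pkg=$(meta_package_for "$role") || { echo "role not allowed: $role" >&2; return 1; }
    if [ "${APPLY:-0}" = 1 ]; then
        yum -y install "$pkg"
    else
        echo "would run: yum -y install $pkg"
    fi
}

# Run against a config file when one is given on the command line.
if [ $# -gt 0 ]; then
    install_meta_package "$1"
fi
```

Signature and repository verification are still left to the package manager, as the message describes; the script only decides which meta-package name is requested.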


On Fri, Dec 4, 2020 at 11:19 AM Greg Hubbard <user-435e16ecfd6a@xymon.invalid> wrote:
I think that the original philosophy behind Xymon was to "inform and
notify" and not to "remediate."  The client sends data to a predefined
destination at regular intervals.

However, you have described the Xymon administrator's dilemma very well --
what about custom tests?  As Timothy points out, some thought has been put
into this in the PowerShell client, but I am not sure what JC is planning
for the Xymon "native" clients.  Just keep in mind that once your Xymon
server can start distributing code to its clients, the security
requirements will likely escalate.  Some form of "trust" will be needed
between the client and the server as well as other features to keep the
auditors at bay.

However, you might be able to roll your own distribution function.  All
you need is a custom test that connects to your distribution point to look
for changes.  If anything changes, it can download the new code and "do the
needful" to activate it.  Another coping mechanism is to write your custom
checks so they do not need to be updated very often, or isolate the updates
so they can be easily applied.

Regards,

Greg Hubbard

On Fri, Dec 4, 2020 at 9:21 AM Timothy Williams <user-1a5482fb085e@xymon.invalid>
wrote:
On the Windows PSXymon or (shudder) BBWin client, you can run an external
script by specifying it in the client-config file. Client can download from
a central repository using URL or BB: (from Xymon server) link to run every
scan or on slow scan. Therefore, changes to script are immediately
distributed. The script can write an output file to TMP folder and that is
picked up and displayed on Xymon console (name of file becomes name of
column).

As Windows clients were built to mimic the Linux client, I would assume
there is a mechanism there as well.


*Timothy L. Williams*
Windows Server
*Operating Systems Analyst*

On Fri, Dec 4, 2020 at 9:12 AM Gabby Gibbons via Xymon <xymon at xymon.com>
wrote:
---------- Forwarded message ----------
From: Gabby Gibbons <user-920f9e87cd7f@xymon.invalid>
To: Xymon Mailinglist <xymon at xymon.com>
Cc:
Bcc:
Date: Fri, 4 Dec 2020 13:52:18 +0000 (UTC)
Subject: Running a custom test on multiple clients.
Hello,

I am trying to figure out if there's a way to write a custom test on the
xymon server and then run that test on each client as the client. I am
aware of the ability to write a test on the server and then use XYMONGREP
to run a test on each machine as the server, but the problem with that is,
as far as I can tell, you can only run unauthenticated checks from the
outside of the system. Say, for example, I want to monitor a log file using
xymon on each client. If I were able to run the check on each system itself
as the authenticated xymon user I could do that easily, but I wouldn't be
able to view that file from the outside with another computer without first
authenticating.

Right now my solution is to simply copy all of the custom tests I have
to each monitored machine. This works, but the problem is that it's so
decentralized. Every time I make a simple change to a script or want to add
a new custom script I have to go to every single machine and make the same
change. Being able to centralize this somewhat and have the clients all
read from one source would make managing custom tests much much easier. Is
this possible to do?



--
Disclaimer:  1) all opinions are my own, 2) I may be completely wrong, 3)
my advice is worth at least as much as what you are paying for it, or your
money cheerfully refunded.