On 6/8/2021 11:49 AM, Bruce Ferrell wrote:
? Are you
maybe referring to remote logfetch via ssh?
I am referring to logfetch, which is part of the standard client package, and which does not default to -noexec (and which does not use ssh).
Per the man page:
Logfetch can be requested to execute arbitrary commands to generate a list of log files to examine dynamically, but this can present a security risk in some environments. Set this option to prevent logfetch from executing requested commands
Let's pass arbitrary code, unencrypted across the network, for it to be run by a daemon on a remote machine. What could possibly go wrong?
Why would anyone want to permit this?
Do you still use 'telnet' for production job control?
My point is that simple is good.? Simple is in your control.
Your point John?
My point is that a 'simple solution' may not include some things which have become standard and expected between 1998 and 2021.
I still run Xymon, and have been running its predecessors since the late 90s. But this _is_ 2021. Encrypted network communication, or at least the _capability_ to encrypt network communication is pretty much normal. When my users come to me asking me to make Xymon do things for them, I must continually remind them of its 1990's roots, and clarify which of their base assumptions may not be valid.
--
Do things because you should, not just because you can.
John Thurston XXX-XXX-XXXX
user-ce4d79d99bab@xymon.invalid
Department of Administration
State of Alaska