Xymon Mailing List Archive

Limiting Access

3 messages in this thread

Bb · Fri, 04 Mar 2011 09:35:13 -0700
Hello,

We have been using BB for several years and are ready to upgrade
everything to a new monitoring system.  We would really like to use
Xymon.  We have several different groups that will need to use the
system in different ways.  

We were curious what solutions people may have come up with to limit
access to certain tests or hosts.  For instance, we have a group that
will simply monitor certain hosts and make judgments on who to call
based on status; these systems would be a subset of all the systems.
They have no real technical knowledge and do not need to see all the
systems.  We may have a group of admins that need to see a certain set
of hosts, but not every host since they have no real technical
responsibility for certain systems.  Also, we have a lot of custom
scripts that monitor security-related items (locked accounts, brute
force attempts, etc.); we would want only a certain group (security group)
to be able to access those tests.

Not being very familiar with Xymon yet, we were wondering if there was a
way to accomplish this.  If not natively in Xymon, maybe via Apache? 
Any suggestions on how to proceed?

Henrik Størner · Fri, 04 Mar 2011 19:00:32 +0100
Hi,

quoted from Bb
> We were curious what solutions people may have come up with to limit
> access to certain tests or hosts.  For instance, we have a group that
> will simply monitor certain hosts and make judgments on who to call
> based on status; these systems would be a subset of all the systems.
> They have no real technical knowledge and do not need to see all the
> systems.  We may have a group of admins that need to see a certain set
> of hosts, but not every host since they have no real technical
> responsibility for certain systems.  Also, we have a lot of custom
> scripts that monitor security-related items (locked accounts, brute
> force attempts, etc.); we would want only a certain group (security group)
> to be able to access those tests.
>
> Not being very familiar with Xymon yet, we were wondering if there was a
> way to accomplish this.  If not natively in Xymon, maybe via Apache?
> Any suggestions on how to proceed?

There isn't any security built into the Xymon web interface - it is
very much like the one you know from BB.

On my installation, we use Apache's built-in authentication for
controlling access to the webpages. The overview pages are static
(generated by xymongen), so if you group hosts sensibly using
page/subpage/subparent, then you will also have a directory structure
that Apache access-controls can handle.

This doesn't take care of the CGI utilities, since they don't have
a clue about these access controls. So a dedicated snoop will be
able to manipulate the query sent to a CGI, and grab data about
hosts from pages that he normally cannot see. So it isn't good
enough if real security is an issue. But for a basic "look at this
page for the information you need" it will work.

You can also use the "alternate pageset" method to generate multiple
sets of overview pages for your different groups. Combined with 
"group-only" / "group-except" directives you can limit the available 
information more, so your users will only see the columns they should be 
able to see.


Regards,
Henrik

Ulric Eriksson · Fri, 04 Mar 2011 19:51:17 +0100
Quoting user-adff70a40333@xymon.invalid:
quoted from Henrik Størner
> We were curious what solutions people may have come up with to limit
> access to certain tests or hosts.

In a previous life, I set up Apache as a reverse proxy with a custom authentication module. The proxy redirected anything Hobbit-related to a few simple scripts which granted access based on information in a separate database.

All the little GIFs were not proxied, of course; that would have been a performance disaster.

Ulric
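
The gap Henrik describes (the CGI utilities know nothing about Apache's per-directory rules) and the kind of access script Ulric mentions come down to a fail-closed check on the CGI query before it is passed on. The following is an added example, not code from the thread or from Xymon; the `HOST` and `SERVICE` query parameter names, the group and test names, and the in-memory tables standing in for the separate database are all assumptions.

```python
from urllib.parse import parse_qs

# Constructed sample policy (assumption): host -> groups allowed to view it.
HOST_GROUPS = {
    "web01.example.com": {"operators", "admins"},
    "db01.example.com": {"admins"},
}
# Constructed: test columns only the security group may open, on any host.
RESTRICTED_TESTS = {"lockedaccts", "bruteforce"}
SECURITY_GROUP = "security"
# Constructed user table; the thread's setup kept this in a separate database.
USER_GROUPS = {
    "alice": {"operators"},
    "bob": {"admins"},
    "carol": {"admins", "security"},
}


def authorize(remote_user, query_string):
    """Return True only if remote_user may view the host/test in the query."""
    groups = USER_GROUPS.get(remote_user or "", set())
    if not groups:
        return False  # unauthenticated or unknown user
    params = parse_qs(query_string, keep_blank_values=True)
    hosts = params.get("HOST", [])
    services = params.get("SERVICE", [])
    # Require exactly one HOST and one SERVICE: with repeated parameters this
    # check and the CGI behind it could disagree about which host is meant.
    if len(hosts) != 1 or len(services) != 1:
        return False
    host, service = hosts[0].lower(), services[0].lower()
    allowed = HOST_GROUPS.get(host)
    if allowed is None or not (groups & allowed):
        return False  # hosts missing from the policy are denied
    if service in RESTRICTED_TESTS and SECURITY_GROUP not in groups:
        return False
    return True
```

The user name would come from the authentication Apache has already performed (for example `REMOTE_USER`), never from the query itself.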