On Monday, October 13, 2003, at 12:36 PM, Cory Petkovsek wrote:
> On Mon, Oct 13, 2003 at 12:33:19AM -0700, Larry Price wrote:
>> On Sunday, October 12, 2003, at 11:37 PM, Cory Petkovsek wrote:
>>> I'd like to see real configuration of the kernel from the KDE control center (or really, somewhere else), as in configuration of the live kernel: ip_forward, rp_filter, sysctl, etc.
>> uh..
>> the sysctl variables structure __is__ the original Management Interface Base
>> Aren't there already MIB browsers that do this?
> Sure, I wonder if someone has already done it.
>> It also wouldn't be too difficult to put together a curses style tree widget that would let you browse the variables and set them (somewhat preferable as GUIs that run as root make me nervous and twitchy)
>> It looks like one of those things that would be great if it weren't such a security incident waiting to happen.
> I still can't believe you are suggesting what I think you are
> suggesting. I was asking about setting kernel parameters in /proc, and
> you are offering snmp as a solution. Setting kernel parameters over the
> network with an unencrypted, unauthenticated protocol!?

snmpv3 does offer authentication, and there are two RFCs for the security model
RFC 3414 && RFC 3415
and it's not such a crazy idea to be gathering information about hosts' current state
via snmp. Setting variables that way would (as I said) be a security incident waiting to happen.

At least from what I've been reading, a system user with limited powers can be granted read-access
to the MIB and can report that to network clients using network access controls to limit who can and can't
see things.

The canonical way to do this appears to be using private address space to create a local management domain
(this is assuming you are using correct egress filtering...)

Would this be a good application for an SSL VPN solution? I might be less twitchy about it if everything were encrypted
as well as being on a private address segment.

-- "The Internet is falling" --C. Little 2003
_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
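
Added example (not part of the original thread): a read-only walk of the sysctl tree under /proc/sys, the kind of state reporting discussed above, which never sets anything and needs no root privileges. The baseline values and the function names `snapshot`, `drift` and `settable` are assumptions made for this illustration.

```python
import os
import stat

# Constructed baseline for illustration; choose values that match your own policy.
BASELINE = {
    "net/ipv4/ip_forward": "0",
    "net/ipv4/conf/all/rp_filter": "1",
}

def snapshot(root="/proc/sys"):
    """Walk the sysctl tree read-only; return {name: (value, permission_bits)}."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            name = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                mode = stat.S_IMODE(os.stat(path).st_mode)
            except OSError:
                continue  # entry vanished or cannot be inspected
            try:
                with open(path, errors="replace") as fh:
                    value = fh.read().strip()
            except OSError:
                value = None  # write-only or restricted entry
            result[name] = (value, mode)
    return result

def drift(snap, baseline=BASELINE):
    """Return [(name, expected, actual)] for baseline entries that differ."""
    out = []
    for name, expected in sorted(baseline.items()):
        actual = snap.get(name, (None, None))[0]
        if actual != expected:
            out.append((name, expected, actual))
    return out

def settable(snap):
    """Names carrying any write bit: what a 'set' interface would expose."""
    return sorted(n for n, (_v, mode) in snap.items() if mode & 0o222)

if __name__ == "__main__":
    snap = snapshot()
    print(f"{len(snap)} variables, {len(settable(snap))} carry a write bit")
    for name, expected, actual in drift(snap):
        print(f"DRIFT {name}: expected {expected}, found {actual}")
```

The `root` argument lets the same code run against a copied or constructed tree instead of the live /proc/sys.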
