Hi folks (sorry if you're on multiple lists - some folks complained the last
time I sent out something that their list wasn't included, so I'm sending it 
to a few IPMI lists and I'm not going to cross-post - sorry for the I-spam!)

FYI, I have a draft version of some IPMI best practices that some of you 
folks helped out with; it's at:

        http://fish2.com/ipmi/sundry.pdf

(Sorry to the PDF haters; there will be a text version as it gets closer to
completion, it's just a bit painful to keep two versions in sync.  I also
thanked a few people; I'll take your name off if you don't want to be
associated with such a doc or me.)

I also wrote a few small IPMI tools (mostly draft status as well, but they do
appear to work, or do what I think they should, at least) that do security
audity-things with BMCs/IPMI:

        http://fish2.com/ipmi/tools/ztools.html

The first is a one-packet auditing tool (you could do the same by parsing
other tool outputs, but this seems easier and less reliant on external stuff):

        http://trouble.org/?p=712

It's pretty heavily commented; it's interesting how much information they pack
into the reply to a "Get Channel Authentication Capability", which you can do
without any authentication - 10 discrete security issues are returned, and
among other things you can find out if anonymous logins are enabled and in use
as well as if null usernames are allowed (which seems just stupid to give out,
security-wise, but hey, no one asked me!)

Two more little tools (also in python); one that sucks IPMI configuration data
from a remote BMC and spits it all out in a JSON file, and a 2nd that attempts
to audit the results of the first and give out some warnings on potential
problems (based on the things in the document above):

        http://trouble.org/?p=797

Perversely I read plain text from IPMI tools, change it to JSON, and then
emit text again :)  This is hopefully because I'm simply testing out the
stuff, not because I'm a complete idiot, but time will tell (or already has.)
Mostly because I'm not sure what the final thing will look like.  There are
some items I'm not sure how to test for, at least easily - if anyone has any
ideas I'm all ears!  Ditto with thoughts on output or something; I thought
JSON might be fun since it's so simple to manipulate with web/javascript/etc.
stuff.

Certainly these aren't meant to be deathless programs or the last word on IPMI 
security or anything; just trying to toss a few more coins into the knowledge 
fountain.

Any feedback is certainly more than welcome, and again sorry for various list
posting.

dan

¸¸.·´¯`·.¸><(((º>

_______________________________________________
Freeipmi-devel mailing list
Freeipmi-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/freeipmi-devel
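
The following is an added example, not part of the original message and not the tool it links to: a decoder for the data field of a "Get Channel Authentication Capabilities" response, showing how the unauthenticated reply maps to audit findings. The bit layout is taken from the IPMI v2.0 specification, the sample bytes are constructed, and the choice of which settings to flag is an assumption of this example.

```python
# Added example: decode an IPMI "Get Channel Authentication Capabilities"
# response (completion code + 8 data bytes) and flag weak settings.
# Bit positions follow the IPMI v2.0 specification; function names are ours.

AUTH_TYPES = {0: "none", 1: "MD2", 2: "MD5", 4: "straight password", 5: "OEM"}

def parse_auth_caps(data: bytes) -> dict:
    if len(data) < 9:
        raise ValueError("short response: need 9 bytes, got %d" % len(data))
    if data[0] != 0x00:
        raise ValueError("BMC returned completion code 0x%02x" % data[0])
    types, status, ext = data[2], data[3], data[4]
    extended = bool(types & 0x80)  # byte 5 is only valid when this is set
    return {
        "channel": data[1],
        "auth_types": [n for b, n in AUTH_TYPES.items() if types & (1 << b)],
        "extended_caps": extended,
        "kg_nonzero": bool(status & 0x20),
        "per_message_auth": not status & 0x10,  # bit set means disabled
        "user_level_auth": not status & 0x08,   # bit set means disabled
        "non_null_usernames": bool(status & 0x04),
        "null_usernames": bool(status & 0x02),
        "anonymous_login": bool(status & 0x01),
        "ipmi_v1_5": extended and bool(ext & 0x01),
        "ipmi_v2_0": extended and bool(ext & 0x02),
        "oem_id": int.from_bytes(data[5:8], "little"),
    }

def audit(caps: dict) -> list:
    """Return one warning per setting this example treats as weak."""
    checks = [
        ("none" in caps["auth_types"], "auth type 'none' accepted"),
        ("MD2" in caps["auth_types"], "MD2 auth type accepted"),
        ("straight password" in caps["auth_types"], "cleartext password auth accepted"),
        (caps["anonymous_login"], "anonymous login enabled"),
        (caps["null_usernames"], "null usernames enabled"),
        (not caps["per_message_auth"], "per-message authentication disabled"),
        (not caps["user_level_auth"], "user-level authentication disabled"),
        (caps["ipmi_v2_0"] and not caps["kg_nonzero"], "KG left at all-zero default"),
    ]
    return [msg for hit, msg in checks if hit]

# Constructed sample responses (not captured from a real BMC).
WEAK = bytes.fromhex("000195170300000000")
HARDENED = bytes.fromhex("000184240200000000")

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(parse_auth_caps(raw)))
```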
