On 09.05.2013 12:33, David Young wrote:
> Hi all,
>
> My first post to the list - I've been harassing @icinga on ADN and
> Twitter lately,

Better just come here, or the forums, as this will allow more people to read/discuss than the 140-char limitation (and I'm sure Amanda will redirect you here to the tech guys anyway).

> just replaced 2 standalone Nagios installations with a
> single Icinga instance with a gearman component, monitoring 166 hosts
> and 1315 services, lots of green :)
>
> My first question then.. I want to provide icinga-web to my users, but
> we have fairly stringent security requirements. I'm currently meeting
> these requirements using Classic UI as follows:
>
> * Any /icinga/ URL has to be requested from an approved IP (no user auth)
> * cgi-bin/cmd.cgi has to be requested from an approved IP _AND_ provide
>   a username authenticated against our LDAP store (using apache ldapz module)
>
> This enables normal users to browse the GUI without having to
> authenticate (provided they're on our VPN), but requires more
> accountability when taking actions which could impact alarming.
>
> I've stumbled across this post
> (http://comments.gmane.org/gmane.comp.monitoring.icinga.user/434), which
> details how I might provide access to icinga-web using apache ldapz
> again, but I'd want to do the same trick re forcing authentication when
> running commands, but allowing read-only access when browsing.
>
> I'm wondering whether I can do this by applying the same restriction to
> /icinga-web/modules/cronks/commandproc ?
>
> Does anybody else have any experience doing this?

Not sure if I got you correctly, but this is how I would do it:

- do not provide any webpage without prior authentication (use an SSO provider for multiple data locations, like /icinga, /icinga-web, /pnp4nagios etc. if required)
- alter auth.xml in etc/conf.d to use the ldap provider, but keep the root user based on internal (local fallback if ldap is gone)
- new users imported from ldap should get the icinga_users role assigned;
  change its privileges to disallow sending critical commands.

If you really want to follow the IP-based approach, fiddle with the apache config and "allow from" in order to drop access there. Yet better - use iptables in the first place.

Putting an authentication popup when sending commands isn't possible with Icinga Web as far as I know, but that should be solvable with a dedicated user's login required for the session and the sending of commands. Not sure if such an additional security question could be implemented with the current framework itself.

Limiting access to commandproc sounds interesting, never tried that - maybe you'll do and report back.

kind regards,
Michael

--
DI (FH) Michael Friedrich
mail:     michael.friedr...@gmail.com
twitter:  https://twitter.com/dnsmichi
jabber:   dnsmi...@jabber.ccc.de
irc:      irc.freenode.net/icinga dnsmichi

icinga open source monitoring
position: lead core developer
url:      https://www.icinga.org
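For reference, the "allow from" plus LDAP arrangement discussed in this thread, written out as an added example (not a configuration from either poster or from the Icinga project). It assumes Apache 2.2-style mod_authz_host directives (the "allow from" syntax Michael refers to) together with mod_authnz_ldap; the VPN network 10.0.0.0/8, the LDAP server name and the base DN are placeholders, and the commandproc path is the one David named. Read-only browsing under /icinga-web only needs an approved source address, while the commandproc location additionally requires an LDAP-authenticated user; "Satisfy all" is what makes both conditions mandatory rather than either one sufficient.

```apache
# Added example: IP-gated read access, IP + LDAP for command submission.
# Assumes Apache 2.2 (mod_authz_host "Order/Allow/Deny", mod_authnz_ldap).

<Location /icinga-web>
    # Browsing: approved (VPN) source addresses only, no user login.
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8          # placeholder VPN range
</Location>

<Location /icinga-web/modules/cronks/commandproc>
    # Command submission: same address restriction ...
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8          # placeholder VPN range

    # ... AND a user authenticated against LDAP (placeholder server/base DN).
    AuthType Basic
    AuthName "Icinga command authorization"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=*)"
    Require valid-user

    # Both the host rule and the user rule must pass (default would be "any").
    Satisfy all
</Location>
```

Since Michael notes that limiting commandproc is untried, verify that command submissions from the UI really go through that path before relying on it: watch the Apache access log while sending a test command (acknowledgement, downtime) and confirm those requests hit the protected location and are refused without credentials. Keep in mind this only gates the HTTP request; Icinga Web's own role permissions in auth.xml still decide which commands a logged-in user may send, so the two controls are complementary.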