Nagios Interface Revisited

[Anthony Brock]

>>> Sean Dilda <agrajag at dragaera.net> 09/08/04 10:33AM >>>
On Wed, 2004-09-08 at 05:32, Anton Krall wrote:
>> Guys.
>>  
>> I was thinking, would this work: if you make a copy of the html pages for
>> nagios and strip out the links and options you dont want your users to see,
>> out them on another web directory, would it work for them? would this make a
>> oogd end user interface without having to recode anything and without having
>> to worry on them trying to click on something they dont need to or having to
>> use another auth system?
> 
> Security through obscurity is never a good idea.  Even if the links
> weren't there, they could still craft a URL to see it.  Is there some
> reason you can't configure the standard CGI permissions in cgi.cfg and
> get that to work for you?
> 
> If this is a case where users will yell at you if a link tells them
> 'permission denied' after clicking on it, that's a completely different
> story.  But you'll have to hack the cgi's to get that to work.

Actually, we're doing something very similar to Anton's suggestion. While it is possible for someone to craft the correct URL, we've modified our Apache configuration to deny access to specific CGI scripts except for members of a "maintainer" group. We then specified this group as having permissions to the full pages and cgi-scripts. All other users are allowed access to the restrictive pages with a limited number of cgi-scripts. Next, we built a "cgi.cfg" file specifically for the guest pages (this file refers to our "normal" installation for non-cgi configuration directives). The final key to getting it all working was to built a "guest" version of Nagios cgi-scripts with the appropriate URL's (you don't need anything from this build besides the cgi-scripts).

Overall, it's quite the pain to setup. However, with a little scripting for the rare change to our "maintainer" users, it hasn't been hard to maintain. The biggest pain is documenting the exact configuration command for the "guest" cgi scripts when upgrading Nagios versions.

However, this is a pure hack. Put simply, we needed users that could see a set of services and hosts, but would couldn't change anything. Also, we were fortunately since required functionality was very limited and happened to fall cleanly between the different cgi scripts. As it stands, our read-only users have a more functionality than would be ideal, but not enough to be of concern.

Tony



-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idP47&alloc_id808&op=click
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null