Fwd: Re: Configuration files obfuscation

Kevin Keane subscription at kkeane.com
Wed Jun 17 10:55:00 CEST 2009
Previous message: Fwd: Re: Configuration files obfuscation
Next message: Fwd: Re: Configuration files obfuscation
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Obfuscating the config files is going to be difficult, because almost 
everything in them is either a Nagios keyword, or something that shows 
up verbatim in the user interface, or an IP address. The only thing you 
could reasonably obfuscate is the names of the various commands.

But you may be able to use either encryption or permissions to 
accomplish the same goal even more securely.

Using permissions:

If you have problems trusting administrators, you shouldn't give them 
root access. Instead, give each administrator a personal non-root 
account, and use sudo to give them only access to what you want them to 
manage. With that approach, you can then give only the authorized 
administrator sudo access to the nagios config files.

It also lets you track, in the log files, who executed which command.

Another option is to put the configuration files onto a different 
machine that the untrusted admins do not have access to. Export that 
directory using NFS and make it only accessible to user nagios. NFS 
prevents root from accessing the directory.

Using Encryption:

Here are a few methods I could think of. They all take advantage of the 
fact that Nagios doesn't read the config files once it is running (at 
least, I believe that's the case).

- Use some form of encrypted file system that only user nagios can read.
- Put the configuration files into an ISO or a cramfs file system. 
Encrypt the file using gpg. Decrypt and mount that file system only 
right before Nagios starts up, and umount it and delete the decrypted 
version right away (you may even be able to mount the encrypted version 
somehow and decrypt on the fly - I'm not an expert on that). Modify the 
nagios.cfg to point to the mount point, as appropriate.
- Put the configuration files into an ISO, burn an actual CD, and put 
the CD into the machine only right before starting up Nagios. That way, 
the config files physically aren't there at all. Something that is not 
on the machine can't be stolen.
- I'm not sure if Nagios is able to read config files from a script 
instead of a file - if it is, you could encrypt the config files using 
gpg, and have Nagios decrypt it on the fly. Or you could modify the 
Nagios startup script to decrypt the config files right before starting 
Nagios, and delete the decrypted config files after Nagios has started 
successfully.

Assaf Flatto wrote:
> As the user sent this mail to me - i am forwarding it to the list , so all will be able to know what 
> he needs and may be able to help more.
>
> Assaf
>
>
> ----------  Forwarded Message  ----------
>
> Subject: Re: [Nagios-users] Configuration files obfuscation
> Date: Tuesday 16 June 2009
> From: edward baddouh <ebaddouh at gmail.com>
> To: Assaf Flatto <assaf.flatto at ssp-intl.com>
>
> Yes, I want the configuration files to be worse (readable).
> The idea is to difficult as-much-as-possible config-files theft from ohter
> people who admin that server..
>
> There have been times that configuration files were implemented on different
> installations (different sites) with minor changes without the admin's
> consent..
>
> I don't want nobody to get credits for work I've done and receive no profit
> at all..
>
> That's my need for obfuscation. My idea is to keep an original
> readable-configuration in a safe place and set the obfuscated config-file in
> production.
>
>
>
> 2009/6/16 Assaf Flatto <assaf.flatto at ssp-intl.com>
>
>   
>> On Tuesday 16 June 2009 15:53:11 edward baddouh wrote:
>>     
>>> Hi,
>>>
>>> is ther a way to obfuscate configuration files?
>>>
>>> edward
>>>       
>> You want the files to be more confusing then they are now ???
>> the easiest way is not to give self explanatory names to the files /
>> directories .
>>
>> btw - i have a question about this ...
>>
>> Why ??
>>
>> Are you trying to make the work on the configuration worse for yourself ?
>>
>>
>>
>>
>> --
>> Assaf Flatto
>>     

-- 
Kevin Keane
Owner
The NetTech
Find the Uncommon: Expert Solutions for a Network You Never Have to Think About

Office: 866-642-7116
http://www.4nettech.com

This e-mail and attachments, if any, may contain confidential and/or proprietary information. Please be advised that the unauthorized use or disclosure of the information is strictly prohibited. The information herein is intended only for use by the intended recipient(s) named above. If you have received this transmission in error, please notify the sender immediately and permanently delete the e-mail and any copies, printouts or attachments thereof.


------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null
Previous message: Fwd: Re: Configuration files obfuscation
Next message: Fwd: Re: Configuration files obfuscation
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the Users mailing list