[mrtg] Re: Community string lookup
Daniel J McDonald
dan.mcdonald at austinenergy.com
Tue Feb 10 14:15:53 MET 2004
On Tue, 2004-02-10 at 03:25, Mohamed Eldesoky wrote:
> >
> > I imagine it will be pretty simple to just intercept the string in the
> > target parsing section and do a few DB calls... But I'd hate to
> > re-invent the wheel.
>
> That way you will store the DB user/pass somewhere in plain text, thus someone
> will look up the strings in the database.
> Better to the access to the filesystem as tight as possible, and for involved
> admins only.
>
The cfg files have to be readable by the apache user in order for
routers.cgi and mrtg-rrd.cgi to work. The cfg files have to be readable
by the Big Brother user in order for bbmrtg.pl to work. All three of
those tools need to see a target line in order to recognize the presence
of a monitoring point, so I can't pull those out into a separate file
with restricted permissions. None of those tools require an SNMP
community string to function (routers.cgi can use one if you load the
routing-table extension, but that's not recommended in secure
environments). It would be easy to create a small file with permissions
400 that said something like:

    lookup*dsn: DBI:mysql:database=mrtg
    lookup*user: mrtg
    lookup*passwd: verysecretstring
    Include: /var/mrtg/cfg/mrtg.cfg

and then point all of the other tools at mrtg.cfg.
But the main point of the exercise is not security. It is flexibility
to change SNMP community strings without re-running cfgmaker.
--
Daniel J McDonald <dan.mcdonald at austinenergy.com>
Austin Energy
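
An added example, not part of the original message or of MRTG: one way to create the mode-400 wrapper file described above without it ever being readable by other users, plus two checks to run afterwards. The lookup* keys are the hypothetical directives proposed in the message; the function names, paths and secret are constructed for illustration.

```shell
#!/bin/sh
# Added example. lookup* keys are the hypothetical directives from the
# message; all paths and the secret below are constructed sample values.

# Write the credential wrapper. The temp file is created private and set to
# mode 400 before the atomic rename, so the password is never exposed under
# a default umask, even briefly.
write_wrapper() {
    wrapper=$1; main_cfg=$2; secret=$3
    tmp=$(umask 077 && mktemp "${wrapper}.XXXXXX") || return 1
    {
        printf 'lookup*dsn: DBI:mysql:database=mrtg\n'
        printf 'lookup*user: mrtg\n'
        printf 'lookup*passwd: %s\n' "$secret"
        printf 'Include: %s\n' "$main_cfg"
    } > "$tmp" && chmod 400 "$tmp" && mv -f "$tmp" "$wrapper" \
        || { rm -f "$tmp"; return 1; }
}

# Succeeds only if the file mode is exactly 400 (GNU stat, then BSD stat).
is_owner_read_only() {
    [ "$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")" = "400" ]
}

# Succeeds if the file carries the DB password directive. Run it against the
# shared mrtg.cfg that the CGI and Big Brother users read: it must fail there.
contains_db_password() {
    grep -Eq '^[[:space:]]*lookup\*passwd[[:space:]]*:' "$1"
}

# Demo in a scratch directory with constructed data.
demo_dir=$(mktemp -d) || exit 1
printf 'WorkDir: /var/www/mrtg\n' > "$demo_dir/mrtg.cfg"
chmod 644 "$demo_dir/mrtg.cfg"
write_wrapper "$demo_dir/mrtg-db.cfg" "$demo_dir/mrtg.cfg" 'constructed-secret'

if is_owner_read_only "$demo_dir/mrtg-db.cfg"; then
    echo "wrapper: mode 400"
fi
if contains_db_password "$demo_dir/mrtg.cfg"; then
    echo "shared cfg: password present, move it to the wrapper"
else
    echo "shared cfg: no password directive"
fi
rm -rf "$demo_dir"
```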