Re: Netsaint

To: Johan Jacobsson <johan.jacobsson@koppla.com>
Cc: "debian-security@lists.debian.org" <debian-security@lists.debian.org>
Subject: Re: Netsaint
From: tony mancill <tony@mancill.com>
Date: Fri, 1 Mar 2002 12:13:14 -0800 (PST)
Message-id: <[🔎] Pine.LNX.4.44.0203011000280.5730-100000@bach>
In-reply-to: <3C7E44D1.38AC7718@koppla.com>

On Thu, 28 Feb 2002, Johan Jacobsson wrote:

> I am using netsaint_statd on a debian machine and I would like to know
> what I am doing, eg what security holes may this create?
> As I understand it, the netsaint_statd deamon makes it possible to
> extract information about CPU load, disk usage, memory load etc.
> Is this a security problem?
> Has anyone heard about security holes in netsaint_statd 2.13? The web
> page maintaining it is not so informative...

Hi, I'm the package maintainer for netsaint_statd, and I also run it at
pretty large installation at work.  Basically what you're doing is this:

Plugins on the Netsaint server attach to netsaint_statd, which is a perl
daemon listening on port 1040.  The daemon, by default will accept
connections from anywhere, but this can be changed by editing
@allowed_hosts in the netsaint_statd script itself (this will be changed
to a configuration file once I can get with upstream and agree on how to
do it).  The daemon is pretty well written, IMO, in that you can only ask
it to run "labels of commands" - the command itself is hardcoded into the
daemon - and the arguments are checked for validity, so it's not as if you
can pass in "disk /dev/sda3 ; rm -rf /."  Also, the netsaint_statd daemon
runs as nobody.  (I once saw an installation where it was running as root
- yikes!)

Now, all of that information is flowing around in cleartext.  But there is
no sort of password/handshake going on, just request and response.  The
response can contain things like file system utilizations, whether or not
a process is running, system load, the current number of users, and the
version of netsaint_statd.  If you believe this information is sensitive
then you should consider some sort of tunnel or VPN as was suggested in a
previous posting (FreeSWAN with opportunistic IPsec seems like a great way
to do this), or use something else to collect this information.

Someone else posted a message about using nrpe with ssh.  This is a good
approach (if you don't mind keys without passwords).  In some larger
installations, I've used netsaint_statd to perform most of the service
checks, and then configured event handlers to use ssh to log in to the
endpoint and then sudo to take some action based on the state of the
service check.

Anyway, I'm slowly drifting off-topic here...  netsaint_statd alone is
pretty safe unless you don't like the idea of folks being able to sniff
out the amount of disk space you have free.

tony
<tmancill@debian.org>

Reply to:

Prev by Date: Re: wtmp non readable?
Next by Date: pre-advisories
Previous by thread: Re: Netsaint
Next by thread: wtmp non readable?
Index(es):
- Date
- Thread