Posted to dev@stratos.apache.org by chris snow <ch...@gmail.com> on 2014/05/19 12:50:42 UTC

agent security

hi Devs,

Does an agent authenticate itself to Stratos?  If not, is it possible
that an agent could write spoofed events to the MB?

It also looks like the agent has access to the bam admin user name and
password [1]:

            -Dmonitoring.server.port=<%= @bam_port %>
            -Dmonitoring.server.secure.port=<%= @bam_secure_port %>
            -Dmonitoring.server.admin.username=<%= @bam_username %>
            -Dmonitoring.server.admin.password=<%= @bam_password %>

What damage could someone (e.g. a tenant) do with possession of those
credentials?

Many thanks,

Chris


---
[1] https://github.com/apache/incubator-stratos/blob/master/tools/puppet3/modules/agent/templates/bin/stratos.sh.erb
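An added example, not part of the original thread and not Stratos project code: it renders the four options quoted above with constructed sample values, shows that the admin credentials land in cleartext in the rendered launch script, and produces a redacted copy that is safe to log. The `SampleNode` class, the `SENSITIVE` pattern, the helper names and all values are assumptions made for illustration.

```ruby
require 'erb'

# The four JVM options quoted in the post, as they appear in stratos.sh.erb.
TEMPLATE = <<~'TPL'
  -Dmonitoring.server.port=<%= @bam_port %>
  -Dmonitoring.server.secure.port=<%= @bam_secure_port %>
  -Dmonitoring.server.admin.username=<%= @bam_username %>
  -Dmonitoring.server.admin.password=<%= @bam_password %>
TPL

# Constructed sample values; a real deployment gets these from Puppet.
class SampleNode
  def initialize
    @bam_port = 7611
    @bam_secure_port = 7711
    @bam_username = 'admin'
    @bam_password = 'example-not-a-real-password'
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

# Property-name suffixes treated as credentials (an assumption of this example).
SENSITIVE = /(?:^|\.)(?:username|password|passwd|secret|token)\z/i

# Parse "-Dkey=value" options out of a rendered launch script or command line.
def jvm_properties(text)
  text.scan(/(?:^|\s)-D([^\s=]+)=(\S*)/).to_h
end

# Names of properties that carry a cleartext credential (values are not returned).
def credential_properties(text)
  jvm_properties(text).select { |k, v| k.match?(SENSITIVE) && !v.empty? }.keys
end

# Copy of the text with credential values masked, for logs or tickets.
def redact(text)
  text.gsub(/(^|\s)-D([^\s=]+)=(\S*)/) do
    pre, key, val = $1, $2, $3
    key.match?(SENSITIVE) ? "#{pre}-D#{key}=<redacted>" : "#{pre}-D#{key}=#{val}"
  end
end

rendered = SampleNode.new.render(TEMPLATE)
puts "cleartext credentials in rendered script: #{credential_properties(rendered).join(', ')}"
puts redact(rendered)
```

Because `-D` options are ordinary command-line arguments, the same two functions can be run over a captured process command line as well as over the rendered script file.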

Re: agent security

Posted by Lakmal Warusawithana <la...@wso2.com>.
Hi Chris,

Since we still don't have a security@ mail, we will use private@ for now.

thanks


On Mon, May 19, 2014 at 8:33 PM, chris snow <ch...@gmail.com> wrote:

> Thanks Nirmal - I'll probably have a few more security questions to
> follow...
>
> Should I post my questions to private@stratos.apache.org?  Or should
> we set up a security@ email address?
>
> On Mon, May 19, 2014 at 2:26 PM, Nirmal Fernando <ni...@gmail.com>
> wrote:
> >
> >
> >
> > On Mon, May 19, 2014 at 4:20 PM, chris snow <ch...@gmail.com> wrote:
> >>
> >> hi Devs,
> >>
> >> Does an agent authenticate itself to Stratos?
> >
> > Yes, Chris.
> >
> >>
> >>  If not, is it possible
> >> that an agent could write spoofed events to the MB?
> >>
> >> It also looks like the agent has access to the bam admin user name and
> >> password [1]:
> >>
> >>             -Dmonitoring.server.port=<%= @bam_port %>
> >>             -Dmonitoring.server.secure.port=<%= @bam_secure_port %>
> >>             -Dmonitoring.server.admin.username=<%= @bam_username %>
> >>             -Dmonitoring.server.admin.password=<%= @bam_password %>
> >>
> >> What damage could someone (e.g. a tenant) do with possession of those
> >> credentials?
> >
> >
> > We might need to encrypt them and store them on the agent's side?!
> >>
> >>
> >> Many thanks,
> >>
> >> Chris
> >>
> >>
> >> ---
> >> [1]
> >> https://github.com/apache/incubator-stratos/blob/master/tools/puppet3/modules/agent/templates/bin/stratos.sh.erb
> >
> >
> >
> >
> > --
> > Best Regards,
> > Nirmal
> >
> > Nirmal Fernando.
> > PPMC Member & Committer of Apache Stratos,
> > Senior Software Engineer, WSO2 Inc.
> >
> > Blog: http://nirmalfdo.blogspot.com/
>
>
>
> --
> Check out my professional profile and connect with me on LinkedIn.
> http://lnkd.in/cw5k69
>



-- 
Lakmal Warusawithana
Director - Cloud Architecture; WSO2 Inc.
Mobile : +94714289692
Blog : http://lakmalsview.blogspot.com/

Re: agent security

Posted by chris snow <ch...@gmail.com>.
Thanks Nirmal - I'll probably have a few more security questions to follow...

Should I post my questions to private@stratos.apache.org?  Or should
we set up a security@ email address?

On Mon, May 19, 2014 at 2:26 PM, Nirmal Fernando <ni...@gmail.com> wrote:
>
>
>
> On Mon, May 19, 2014 at 4:20 PM, chris snow <ch...@gmail.com> wrote:
>>
>> hi Devs,
>>
>> Does an agent authenticate itself to Stratos?
>
> Yes, Chris.
>
>>
>>  If not, is it possible
>> that an agent could write spoofed events to the MB?
>>
>> It also looks like the agent has access to the bam admin user name and
>> password [1]:
>>
>>             -Dmonitoring.server.port=<%= @bam_port %>
>>             -Dmonitoring.server.secure.port=<%= @bam_secure_port %>
>>             -Dmonitoring.server.admin.username=<%= @bam_username %>
>>             -Dmonitoring.server.admin.password=<%= @bam_password %>
>>
>> What damage could someone (e.g. a tenant) do with possession of those
>> credentials?
>
>
> We might need to encrypt them and store them on the agent's side?!
>>
>>
>> Many thanks,
>>
>> Chris
>>
>>
>> ---
>> [1]
>> https://github.com/apache/incubator-stratos/blob/master/tools/puppet3/modules/agent/templates/bin/stratos.sh.erb
>
>
>
>
> --
> Best Regards,
> Nirmal
>
> Nirmal Fernando.
> PPMC Member & Committer of Apache Stratos,
> Senior Software Engineer, WSO2 Inc.
>
> Blog: http://nirmalfdo.blogspot.com/



-- 
Check out my professional profile and connect with me on LinkedIn.
http://lnkd.in/cw5k69

Re: agent security

Posted by Nirmal Fernando <ni...@gmail.com>.
On Mon, May 19, 2014 at 4:20 PM, chris snow <ch...@gmail.com> wrote:

> hi Devs,
>
> Does an agent authenticate itself to Stratos?

Yes, Chris.


>  If not, is it possible
> that an agent could write spoofed events to the MB?
>
> It also looks like the agent has access to the bam admin user name and
> password [1]:
>
>             -Dmonitoring.server.port=<%= @bam_port %>
>             -Dmonitoring.server.secure.port=<%= @bam_secure_port %>
>             -Dmonitoring.server.admin.username=<%= @bam_username %>
>             -Dmonitoring.server.admin.password=<%= @bam_password %>
>
> What damage could someone (e.g. a tenant) do with possession of those
> credentials?
>

We might need to encrypt them and store them on the agent's side?!

>
> Many thanks,
>
> Chris
>
>
> ---
> [1]
> https://github.com/apache/incubator-stratos/blob/master/tools/puppet3/modules/agent/templates/bin/stratos.sh.erb
>



-- 
Best Regards,
Nirmal

Nirmal Fernando.
PPMC Member & Committer of Apache Stratos,
Senior Software Engineer, WSO2 Inc.

Blog: http://nirmalfdo.blogspot.com/