Posted to dev@stratos.apache.org by chris snow <ch...@gmail.com> on 2014/05/19 12:50:42 UTC
agent security
hi Devs,
Does an agent authenticate itself to Stratos? If not, is it possible
that an agent could write spoofed events to the MB?
It also looks like the agent has access to the bam admin user name and
password [1]:
-Dmonitoring.server.port=<%= @bam_port %>
-Dmonitoring.server.secure.port=<%= @bam_secure_port %>
-Dmonitoring.server.admin.username=<%= @bam_username %>
-Dmonitoring.server.admin.password=<%= @bam_password %>
What damage could someone (e.g. a tenant) do with possession of those
credentials?
Many thanks,
Chris
---
[1] https://github.com/apache/incubator-stratos/blob/master/tools/puppet3/modules/agent/templates/bin/stratos.sh.erb
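An audit sketch for the concern raised in this message, added here as an example and not part of the original thread or the Stratos code base: it flags secret-bearing `-D` options in a launcher template or a rendered command line, where the value is readable from the script file and, on Linux, typically from the process listing as well. The key-name pattern, the function names and the rendered sample values are assumptions made for illustration.

```python
import re

# Matches -Dname=value, where value is a Puppet ERB tag or a literal token.
PROP = re.compile(r"-D([\w.]+)=(<%=\s*(.*?)\s*%>|\S+)")
# Assumed heuristic for property names that carry a secret.
SECRET_KEY = re.compile(r"(password|passwd|secret|token|credential)", re.I)

# The four template lines quoted in the message above.
TEMPLATE = """\
-Dmonitoring.server.port=<%= @bam_port %>
-Dmonitoring.server.secure.port=<%= @bam_secure_port %>
-Dmonitoring.server.admin.username=<%= @bam_username %>
-Dmonitoring.server.admin.password=<%= @bam_password %>
"""

# Constructed sample of a rendered command line; all values are made up.
RENDERED = ("java -Dmonitoring.server.port=7611 "
            "-Dmonitoring.server.admin.username=admin "
            "-Dmonitoring.server.admin.password=EXAMPLE-ONLY "
            "-cp agent.jar example.Main")


def find_secret_properties(text):
    """Return one finding per secret-looking -D option in the given text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PROP.finditer(line):
            key, erb_var = m.group(1), m.group(3)
            if SECRET_KEY.search(key):
                source = f"erb:{erb_var}" if erb_var is not None else "literal"
                findings.append({"line": lineno, "property": key, "source": source})
    return findings


def redact(cmdline):
    """Mask the value of secret-looking -D options before logging a command line."""
    def mask(m):
        return f"-D{m.group(1)}=****" if SECRET_KEY.search(m.group(1)) else m.group(0)
    return PROP.sub(mask, cmdline)


if __name__ == "__main__":
    for finding in find_secret_properties(TEMPLATE):
        print("template:", finding)
    print("redacted:", redact(RENDERED))
```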
Re: agent security
Posted by Lakmal Warusawithana <la...@wso2.com>.
Hi Chris,
Since we still don't have a security@ mail, we will use private@ for now.
thanks
On Mon, May 19, 2014 at 8:33 PM, chris snow <ch...@gmail.com> wrote:
> Thanks Nirmal - I'll probably have a few more security questions to
> follow...
>
> Should I post my questions to private@stratos.apache.org? Or should
> we set up a security@ email address?
>
> On Mon, May 19, 2014 at 2:26 PM, Nirmal Fernando <ni...@gmail.com>
> wrote:
> >
> >
> >
> > On Mon, May 19, 2014 at 4:20 PM, chris snow <ch...@gmail.com> wrote:
> >>
> >> hi Devs,
> >>
> >> Does an agent authenticate itself to Stratos?
> >
> > Yes, Chris.
> >
> >>
> >> If not, is it possible
> >> that an agent could write spoofed events to the MB?
> >>
> >> It also looks like the agent has access to the bam admin user name and
> >> password [1]:
> >>
> >> -Dmonitoring.server.port=<%= @bam_port %>
> >> -Dmonitoring.server.secure.port=<%= @bam_secure_port %>
> >> -Dmonitoring.server.admin.username=<%= @bam_username %>
> >> -Dmonitoring.server.admin.password=<%= @bam_password %>
> >>
> >> What damage could someone (e.g. a tenant) do with possession of those
> >> credentials?
> >
> >
> > We might need to encrypt them and store in agent's side?!
> >>
> >>
> >> Many thanks,
> >>
> >> Chris
> >>
> >>
> >> ---
> >> [1]
> >>
> >> https://github.com/apache/incubator-stratos/blob/master/tools/puppet3/modules/agent/templates/bin/stratos.sh.erb
> >
> >
> >
> >
> > --
> > Best Regards,
> > Nirmal
> >
> > Nirmal Fernando.
> > PPMC Member & Committer of Apache Stratos,
> > Senior Software Engineer, WSO2 Inc.
> >
> > Blog: http://nirmalfdo.blogspot.com/
>
>
>
> --
> Check out my professional profile and connect with me on LinkedIn.
> http://lnkd.in/cw5k69
>
--
Lakmal Warusawithana
Director - Cloud Architecture; WSO2 Inc.
Mobile : +94714289692
Blog : http://lakmalsview.blogspot.com/
Re: agent security
Posted by chris snow <ch...@gmail.com>.
Thanks Nirmal - I'll probably have a few more security questions to follow...
Should I post my questions to private@stratos.apache.org? Or should
we set up a security@ email address?
On Mon, May 19, 2014 at 2:26 PM, Nirmal Fernando <ni...@gmail.com> wrote:
>
>
>
> On Mon, May 19, 2014 at 4:20 PM, chris snow <ch...@gmail.com> wrote:
>>
>> hi Devs,
>>
>> Does an agent authenticate itself to Stratos?
>
> Yes, Chris.
>
>>
>> If not, is it possible
>> that an agent could write spoofed events to the MB?
>>
>> It also looks like the agent has access to the bam admin user name and
>> password [1]:
>>
>> -Dmonitoring.server.port=<%= @bam_port %>
>> -Dmonitoring.server.secure.port=<%= @bam_secure_port %>
>> -Dmonitoring.server.admin.username=<%= @bam_username %>
>> -Dmonitoring.server.admin.password=<%= @bam_password %>
>>
>> What damage could someone (e.g. a tenant) do with possession of those
>> credentials?
>
>
> We might need to encrypt them and store in agent's side?!
>>
>>
>> Many thanks,
>>
>> Chris
>>
>>
>> ---
>> [1]
>> https://github.com/apache/incubator-stratos/blob/master/tools/puppet3/modules/agent/templates/bin/stratos.sh.erb
>
>
>
>
> --
> Best Regards,
> Nirmal
>
> Nirmal Fernando.
> PPMC Member & Committer of Apache Stratos,
> Senior Software Engineer, WSO2 Inc.
>
> Blog: http://nirmalfdo.blogspot.com/
--
Check out my professional profile and connect with me on LinkedIn.
http://lnkd.in/cw5k69
Re: agent security
Posted by Nirmal Fernando <ni...@gmail.com>.
On Mon, May 19, 2014 at 4:20 PM, chris snow <ch...@gmail.com> wrote:
> hi Devs,
>
> Does an agent authenticate itself to Stratos?
Yes, Chris.
> If not, is it possible
> that an agent could write spoofed events to the MB?
>
> It also looks like the agent has access to the bam admin user name and
> password [1]:
>
> -Dmonitoring.server.port=<%= @bam_port %>
> -Dmonitoring.server.secure.port=<%= @bam_secure_port %>
> -Dmonitoring.server.admin.username=<%= @bam_username %>
> -Dmonitoring.server.admin.password=<%= @bam_password %>
>
> What damage could someone (e.g. a tenant) do with possession of those
> credentials?
>
We might need to encrypt them and store in agent's side?!
>
> Many thanks,
>
> Chris
>
>
> ---
> [1]
> https://github.com/apache/incubator-stratos/blob/master/tools/puppet3/modules/agent/templates/bin/stratos.sh.erb
>
--
Best Regards,
Nirmal
Nirmal Fernando.
PPMC Member & Committer of Apache Stratos,
Senior Software Engineer, WSO2 Inc.
Blog: http://nirmalfdo.blogspot.com/