-
1. Re: Security issues with resource management
mazz Jan 19, 2012 8:57 AM (in response to vladcrc)
> "An attacker could take control over the RHQ server as "rhqadmin"
Just as with any system requiring login credentials, RHQ assumes administrators will safeguard systems and passwords to avoid such intrusion. This is the same issue with Linux and its "root" password or any "superuser" password.
That said, you can submit an RFE to bugzilla to request the ability to disable certain subsystems like the Bundle and Operation subsystem. However, you won't be able to simply disable some things like "Connection Settings" because that is how you tell RHQ how all its plugin components connect to their resources (e.g. it's how you tell the jboss plugin what the JMX credentials are to connect to a monitored JBossAS app server). So that is required for the system to even work.
-
2. Re: Security issues with resource management
ips Jan 19, 2012 11:41 AM (in response to mazz)
RHQ also allows you to create additional users that have limited privileges. For example, you could create a user bob that only has view access to a certain set of Resources and no access to the bundle subsystem. For details on the RHQ authorization system, see http://rhq-project.org/display/JOPR2/Security+Model.
Note, the default password for the rhqadmin user is "rhqadmin". Obviously, if you're concerned about security, one of the first things you should do is change that password. This can be done via the RHQ GUI (go to the Administration>Users page).
-
3. Re: Security issues with resource management
vladcrc Jan 20, 2012 4:37 AM (in response to vladcrc)
OK, what about if an attacker breaks into the RHQ server machine and logs in as an operating system user?
He can build and run his own application (an RHQ-agent "client") which connects to the RHQ agents and calls their remote interface, just like the RHQ server does. He can obtain the agents' security tokens or SSL certificates and also can access the RHQ database.
In a big enterprise environment the RHQ server can be a point of weakness which can give access to all monitored machines. This is why we think it's useful to have a "read-only", "monitoring" agent (the possibility to disable the "write" parts of the agent's interface).
-
4. Re: Security issues with resource management
lkrejci Jan 20, 2012 5:46 AM (in response to vladcrc)
I think that is a very good idea and wouldn't even be too hard to implement, imho. As you say this would prevent anyone (be it the RHQ server or an attacker) from using the agent to do any changes on the agent machine. It could be a configuration switch that could be flipped only by re-reading the agent configuration file, for example - which would make it unchangeable by any other means than by having access to the agent machine and having the ability to restart the agent process from the command line.
-
5. Re: Security issues with resource management
lkrejci Jan 20, 2012 5:52 AM (in response to vladcrc)
Vlad, could you please create a BZ with a feature request for this, so that we can think about incorporating the feature in some future version of RHQ? We'd also very much appreciate any help / code you could provide to help us get this into RHQ faster.
You can enter the BZ in here https://bugzilla.redhat.com/enter_bug.cgi?product=RHQ%20Project and prepend the BZ title with "RFE" or you can add the Keyword "FutureFeature" (not sure if you are going to have access to that field).
Thanks, Lukas
-
6. Re: Security issues with resource management
rzd Jan 25, 2012 5:21 AM (in response to lkrejci)
The RFE is here: https://bugzilla.redhat.com/show_bug.cgi?id=783911
-
7. Re: Security issues with resource management
vladcrc Jul 8, 2013 10:15 AM (in response to vladcrc)
Hello,
We discovered a security problem: when logging in to the RHQ GUI, the user & password are sent in clear text from the browser to the RHQ server.
An attacker could snoop one's [general purpose/works for everything :)] password from the network with tcpdump, below is an example.
This is something that should not be.
What can we do about this?
----------------------------------------------------------------------
{code}
No. Time Source Destination Protocol Length Info
83343 458.446186000 172.28.125.37 172.28.124.63 HTTP 636 POST /j_security_check.do HTTP/1.1 (application/x-www-form-urlencoded)
...
Hypertext Transfer Protocol
POST /j_security_check.do HTTP/1.1\r\n
[Expert Info (Chat/Sequence): POST /j_security_check.do HTTP/1.1\r\n]
Request Method: POST
Request URI: /j_security_check.do
Request Version: HTTP/1.1
...
[Full request URI: http://yyy:7080/j_security_check.do]
[HTTP request 1/1]
[Response in frame: 83362]
Line-based text data: application/x-www-form-urlencoded
j_username=rhqadmin&j_password=rhqadmin
{code}
----------------------------------------------------------------------
-
8. Re: Security issues with resource management
mazz Jul 8, 2013 10:20 AM (in response to vladcrc)
Did you try to go over https protocol rather than using an http URL?
-
9. Re: Security issues with resource management
pilhuhn Jul 8, 2013 10:24 AM (in response to mazz)
We may add a way (perhaps documentation for the start) to disable the http connector completely, so that even with https configured accidental http traffic is prevented.
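
An added example, not part of any post in this thread and not RHQ code: a detector a defender could run over HTTP requests reassembled from a capture to flag form logins like the `/j_security_check.do` POST shown in post 7, reporting which secret fields were exposed without echoing their values. The host name, the `/index.html` path and the password value in the sample requests are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Form field carrying the secret in the login POST captured in the thread.
SECRET_FIELDS = {"j_password"}

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)  # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def find_cleartext_login(raw: bytes):
    """Return a finding for a form login readable on the wire (no TLS), else None."""
    try:
        method, target, headers, body = parse_request(raw)
    except ValueError:
        return None
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if method != "POST" or ctype != "application/x-www-form-urlencoded":
        return None
    form = parse_qs(body.decode("iso-8859-1"), keep_blank_values=True)
    exposed = sorted(SECRET_FIELDS & form.keys())
    if not exposed:
        return None
    # Report field names and the account, never the secret value itself.
    return {
        "host": headers.get("host", "unknown"),
        "path": urlsplit(target).path,
        "user": form.get("j_username", ["unknown"])[0],
        "exposed_fields": exposed,
    }

# Constructed samples modelled on the capture in post 7 (host and password invented).
_BODY = b"j_username=rhqadmin&j_password=constructed-value"
SAMPLE_LOGIN = (
    b"POST /j_security_check.do HTTP/1.1\r\n"
    b"Host: rhq.example.test:7080\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n\r\n" + _BODY
)
SAMPLE_PAGE = b"GET /index.html HTTP/1.1\r\nHost: rhq.example.test:7080\r\n\r\n"

if __name__ == "__main__":
    print(find_cleartext_login(SAMPLE_LOGIN))
```

Once the plain HTTP connector is disabled or every login goes over https, requests like `SAMPLE_LOGIN` can no longer be reassembled from a capture, so a finding from this check means cleartext logins are still reaching the server.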