BB Unix Network Monitor - Message
Re: {bb} BB security
From: "Ian Watts" <ian@radix.net>
> The
> management wants to know whether or not there are any security risks
> associated with using Big Brother.
I'm no expert, but as far as I know, there are two basic classes of possible
security issues with bb:
1: It makes information about your systems and management personality known.
2: There is the possibility of it reporting faked status.
The first is rather obvious: a potential attacker could determine what
machines and services you consider important enough to monitor. You can
protect against outsiders viewing the status by the normal webserver-based
means. You can also make BB display arbitrary machine names, if you are
concerned about revealing them.
On the second point, BB does not check that the status being reported to it
about machine foo is from machine foo. This means that a possible attacker
could report a green status artificially on a host and then take it down.
However, this doesn't make a simple green, but rather creates a race
condition between the green status, and the red that should (still) be being
reported from the attacked host.
Now that I think about it, an attacker could replace the real bb on an
attacked machine with one that reports greens without actually checking
anything.
BB does offer a file, etc/security, that allows you to limit the hosts (by
IP) that a report can come from, so an attacker couldn't just use any old
machine (without faking the packet) to fool the display, but any /monitored/
machine would be game.
However, there is no risk (again, AFAIK) that can cause damage to anything
outside of BB (I.E., no root-getting).
-=- James Mastros,
A man who doesn't really know what he's talking about all the time.
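
The gap described in the message above, sketched as an added example (not part of the original post and not Big Brother's own code): a source-address allowlist of the kind attributed to etc/security accepts a report from any monitored machine, while a check that binds the sender to the host named in the report does not. The host names, addresses, report tuples and function names are all constructed for illustration and do not reflect BB's actual file or message formats.

```python
import ipaddress

# Constructed inventory: the address each monitored host reports from.
MONITORED = {
    "foo": "192.0.2.10",
    "bar": "192.0.2.11",
}

def allowlist_check(source_ip, allowed):
    """Source-only filter: is the sender one of the permitted addresses?"""
    return ipaddress.ip_address(source_ip) in allowed

def bound_check(source_ip, claimed_host, inventory):
    """Stricter filter: the sender must be the host named in the report."""
    expected = inventory.get(claimed_host)
    if expected is None:
        return False
    return ipaddress.ip_address(source_ip) == ipaddress.ip_address(expected)

def triage(reports, inventory):
    """Classify each (source_ip, claimed_host, color) report."""
    allowed = {ipaddress.ip_address(ip) for ip in inventory.values()}
    results = []
    for source_ip, claimed_host, color in reports:
        if not allowlist_check(source_ip, allowed):
            verdict = "reject: source not allowed"
        elif not bound_check(source_ip, claimed_host, inventory):
            # Passes the allowlist, but a monitored host is speaking for another.
            verdict = "flag: allowed source reporting for another host"
        else:
            verdict = "accept"
        results.append((source_ip, claimed_host, color, verdict))
    return results

# Constructed sample reports: (source address, host named in report, color)
SAMPLE_REPORTS = [
    ("192.0.2.10", "foo", "red"),     # foo reporting on itself
    ("192.0.2.11", "foo", "green"),   # bar reporting on foo
    ("203.0.113.5", "foo", "green"),  # unlisted machine reporting on foo
]

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORTS, MONITORED):
        print(row)
```

Neither check covers the other two cases the message raises: a faked source address, or a replaced client on the monitored machine itself.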