In response to: PoT_LiCkEr and the following scenario:
>Scenario: GrandInc runs a multivendor firewall farm that interconnects
>corporate WAN's and the Internet. They want to see firewall performance
>data without having to log onto consoles. Policy forbids them to remotely
>access root on the firewalls across their network. They have to use the
>consoles.
Perhaps this could be of use (at least on UN*X machines):
Since the data required is already going to a file, why not use syslog
instead/also? This offers the advantages of having all system/performance
information going to a single file, syslogd source code is available, AND
the information can be forwarded to a single (more if you want) central
machine. Syslogd on the transmitting machine would need to be modified to
prevent buffer overflow problems and not allow receipt of data from another
machine. Similar patches would need to be on the receiving machine
(see the BUGtraq archives for more info).
This would be basically broadcast and forget transmissions but if it is
important (and you so desire) it can be broadcast many times.
The modifications required would be fairly simple.
For example, in the cron jobs where the log file is being opened including
something like:
system "logger -p daemon.err -i $message_to_syslogd \n";
would result in the following syslog message (for example):
Jul 12 96 13:05:39 machine_name CPU_TOO_BUSY: 03 CPU Running at 70% Idle, Should be more idle than 70
[the date, time, and the machine name the message came from are added
automatically added by syslogd]
If you modify your /etc/syslog.conf file on the trasmitting machine
to include something like:
*.info;user.none @target_machine
the above logger message will be forwarded to target_machine
Then if you want you can set up some type of interface or wrapper and
report on the data received at the central machine (something like
swatch would work nicely). Or, if permitted, you could log on to the
central machine and read the syslogd file (often /var/adm/messages)
directly. You would also have a record of all the data in one central
place to play with (metrics, MTF, and so on).
Shameless plug: Mark Miller and I will be talking at LISA X on a paradigm
for "Centralized Management of Distributed Firewalls" that makes use of
the above idea.
--
=% @
%=-=%@%=-=% @
%=-=%@%=-=% @
%=-=%@%=-=% @
%=-=%@%=-=% @
%=-=%@%=-=% @
%=-=%@%=
Joe W. Morris Distributed Systems Security Specialist, Bell Atlantic
E-mail: joe @
bell-atl .
com Phone: 301-236-7698 FAX: 301-236-8021
13101 Columbia Pike, Room 209B Silver Spring, MD 20904
=% @
%=-=%@%=-=% @
%=-=%@%=-=% @
%=-=%@%=-=% @
%=-=%@%=-=% @
%=-=%@%=-=% @
%=-=%@%=
#include <std/disclaimer.h>
Any sufficiently advanced technology is indistinguishable from magic.
-- Arthur C. Clarke
|
|
