stratos-dev mailing list archives

From chris snow <chsnow...@gmail.com>
Subject Re: agent security
Date Mon, 19 May 2014 15:03:05 GMT
Thanks Nirmal - I'll probably have a few more security questions to follow...

Should I post my questions to private@stratos.apache.org?  Or should
we set up a security@ email address?

On Mon, May 19, 2014 at 2:26 PM, Nirmal Fernando <nirmal070125@gmail.com> wrote:
>
>
>
> On Mon, May 19, 2014 at 4:20 PM, chris snow <chsnow123@gmail.com> wrote:
>>
>> Hi Devs,
>>
>> Does an agent authenticate itself to Stratos?
>
> Yes, Chris.
>
>>
>>  If not, is it possible
>> that an agent could write spoofed events to the MB?
>>
>> It also looks like the agent has access to the bam admin user name and
>> password [1]:
>>
>>             -Dmonitoring.server.port=<%= @bam_port %>
>>             -Dmonitoring.server.secure.port=<%= @bam_secure_port %>
>>             -Dmonitoring.server.admin.username=<%= @bam_username %>
>>             -Dmonitoring.server.admin.password=<%= @bam_password %>
>>
>> What damage could someone (e.g. a tenant) do with possession of those
>> credentials?
>
>
> We might need to encrypt them and store them on the agent's side?!
>>
>>
>> Many thanks,
>>
>> Chris
>>
>>
>> ---
>> [1]
>> https://github.com/apache/incubator-stratos/blob/master/tools/puppet3/modules/agent/templates/bin/stratos.sh.erb
>
>
>
>
> --
> Best Regards,
> Nirmal
>
> Nirmal Fernando.
> PPMC Member & Committer of Apache Stratos,
> Senior Software Engineer, WSO2 Inc.
>
> Blog: http://nirmalfdo.blogspot.com/



-- 
Check out my professional profile and connect with me on LinkedIn.
http://lnkd.in/cw5k69
