CLEANACCESS Archives

February 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Tim McLaurin <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Thu, 23 Feb 2006 09:26:54 -0600
Content-Type: text/plain
Parts/Attachments: text/plain (395 lines)

We are doing something similar, but in a different way. We are using an
LDAP attribute to map roles (very easy to set up) in the Auth Servers.
This allows you to easily get all the info you need on a client no
matter what role they are in, and you also don't have to touch the
CAM/CAS, as all the info is in your LDAP directory. The scripting to do
LDAP updates with php is _very_ easy.

Doing it this way, you can limit people by login name, i.e. when you
block someone's MAC, they can still go to someone else's computer, or
change network cards (yes, we have seen it done).

Hope this helps,

Tim

-----Original Message-----
From: Alex Lanstein [mailto:[log in to unmask]] 
Sent: Wednesday, February 22, 2006 10:13 PM
Subject: Re: postgres changes

The listmac/findmac is exactly what I'm looking for.

Yes, we could give them an account to read the page, but we don't want
to do that for a variety of reasons (lack of knowledge, training, etc).

We want it to be part of a larger page that shows 'up/down on critical
servers, switchports that are shutdown for violations, incoming/outgoing
bandwidth, etc'.  CCA stats/status would just be one more feather in the
cap.

I considered doing the gmaclist approach, but it was getting a little
hokey.  What finally turned me off from it was the fact that it only
shows 25 results at a time, and my iterative automatic 'next' pushing
was getting ugly.  Querying the database seemed much cleaner, and
indeed, it was.

In the meantime I think I am going to just keep authentication open to 
localhost and to my monitoring server.  No one else has access to it so 
I'm confident that there is no security risk there, but I promise as 
soon as an API function comes available I'll discontinue use promptly.

Thanks!
Alex

Rajesh Nair (rajnair) wrote:

>6:31 pacific and now 7:23 pacific... :-) In sunny California... Well,
>not so sunny right now... 
>
>Okay, I understand now.  What you are looking for is a listmac/findmac
>function similar to the addmac/removemac functions.  Got it.  Given mac,
>return role or access type.  Or another function to return the entire
>list.
>
>Btw, there are two other options in the meantime:
>
>1) You could tell the helpdesk people to first search on the Filters ->
>Devices page (they can be given an account which has at least read
>access to this page).  Would that be difficult to do?
>
>2) Your script/application can directly post to the gmaclist.jsp (the
>filters -> devices page) if you are willing to parse the HTML results
>(of course, your script/application would also have to login and store
>the cookie).  
>
>Thoughts?
>Rajesh.
>
>P.S. Thanks for your kind comments.  I was quite happy when my request
>to "fully participate" on the listserv was welcomed. I am glad to gain
>insight into how the product is used.  We know well that we are not the
>smartest of people.  So, we are constantly looking for input on how to
>improve the product. 
>
>-----Original Message-----
>From: Perfigo SecureSmart and CleanMachines Discussion List
>[mailto:[log in to unmask]] On Behalf Of Alex Lanstein
>Sent: Wednesday, February 22, 2006 7:10 PM
>To: [log in to unmask]
>Subject: Re: postgres changes
>
>9:31 PM EST response?  You must not be in the US! 
>
>Yes, I mean mac addresses with a filter is what I'm looking for.  We
>don't make explicit roles for xboxes and PS2s, our campus is very small
>(~1500 students), so we just throw in a filter for them.  Similarly, if
>users are found to be 'doing wrong', either a virus that isn't picked up
>by CCA or weird traffic or something else abnormal, they get an explicit
>block on their mac address as a filter.  It works well from the sysadmin
>team, but, often times there isn't communication with the helpdesk
>staff.  This can be very frustrating for a help desk student trying to
>get a computer to login when it just 'doesn't work'.
>
>I'm building an interface for our help desk that will show, in real
>time, the users who have blocks in CCA and for what reason (the
>description field), as well as some information about our switches.  I
>would never try to write to the database directly, I don't understand
>enough of how CCA works to do that.  We were fully briefed by our
>original reps that while we have root access to the box, if we screw
>something up, the vendor response is going to be to format and start
>over. 
>
>As an aside, I'd also like to say what a ridiculous resource you are.  
>I've never seen any product for any major vendor that has 'someone on
>the inside' active on the listserv.  I hope more companies adopt this
>sort of communication in the future.
>
>Thanks,
>Alex
>
>
>Rajesh Nair (rajnair) wrote:
>
>>Alex,
>>
>>Yes, this is not a forum for feature requests. Ideally, you would do
>>that through Cisco's PERS system that tracks enhancements (similar to
>>CDETS tracking bugs). But, it doesn't hurt for me to understand what it
>>is that you are trying to do.  This forum has been great about telling
>>us what is wrong with the product and what can be improved and while we
>>cannot do everything that is asked of us, we try to keep adding things
>>as much as possible.
>>
>>Few things:
>>
>>1) "Show all users that have an explicit allow/block" - what does this
>>mean?  Currently, only devices (MAC addresses) can have an explicit
>>allow/block (Filters -> Devices).  Do you mean these or something else?
>>If you mean Filters->Devices entries, then the entries in the database
>>are the static entries - i.e. it does not tell you who is currently
>>sending traffic on the network.
>>
>>2) We currently do not allow any remote communication to postgres.
>>Only communication possible is local.  If you have compromised access
>>to the box (root access), then all is lost anyways.  But yes, we should
>>add authentication especially if users intend to open up remote access.
>>
>>-Rajesh.
>>
>>-----Original Message-----
>>From: Perfigo SecureSmart and CleanMachines Discussion List
>>[mailto:[log in to unmask]] On Behalf Of Alex Lanstein
>>Sent: Wednesday, February 22, 2006 6:02 PM
>>To: [log in to unmask]
>>Subject: Re: postgres changes
>>
>>Sure, I wasn't aware that this is a proper forum for feature requests.
>>As you can see from my prior posts, I definitely would prefer using the
>>vendor supplied API whenever possible.  I am not doing any writes to
>>the database, only reads.
>>
>>The functions I was looking to implement were:
>>Show all users that have an explicit allow
>>Show all users that have an explicit block
>>Show all users in X role
>>Pull up a history of user logins and outs.
>>
>>Also, I must say it's fairly ridiculous that the controlsmartdb is
>>using any sort of authentication.  It is not beyond any reasonable
>>doubt that there will be a remote vulnerability that requires an
>>account, but can spoof the source.  Please add some sort of password to
>>that account in one of the later releases!
>>
>>Keep up the good work.
>>
>>Regards,
>>Alex Lanstein
>>
>>Rajesh Nair (rajnair) wrote:
>>
>>>Folks,
>>>
>>>I have to say this - please avoid modifying the DB or access to the DB.
>>>There are some remote threats that Postgres is vulnerable to that might
>>>affect you.  You could affect the functioning of the DB and the perfigo
>>>service negatively.  And most importantly, TAC will not support you if
>>>they know that access to DB or the DB itself have been modified in some
>>>way.
>>>
>>>I had to recently work with a customer who had installed a Postgres
>>>admin utility which broke the DB syncing and failover.  And TAC was not
>>>supportive at all of this.  And to be fair to them, they have very good
>>>reasons to take that approach.  They were working with this customer
>>>for quite a while before realizing (or before being told) that the
>>>customer had tried to install a utility.
>>>
>>>That said, can you explain what is lacking in the API - please make
>>>feature requests w.r.t. the API.  We will slowly but surely add
>>>additional APIs.  In this specific case, are you looking for all MAC
>>>addresses that belong to a particular role?  Are you looking for Online
>>>Users in the Temporary Role or Quarantine role?  What is the specific
>>>thing you are trying to do?
>>>
>>>-Rajesh.
>>>
>>>-----Original Message-----
>>>From: Perfigo SecureSmart and CleanMachines Discussion List 
>>>[mailto:[log in to unmask]] On Behalf Of Joyce, Todd N
>>>Sent: Wednesday, February 22, 2006 12:52 PM
>>>To: [log in to unmask]
>>>Subject: Re: postgres changes
>>>
>>>ps -ae | grep post
>>>748 ?        00:00:00 postmaster
>>>750 ?        00:00:00 postmaster
>>>
>>>kill -1 748
>>>
>>>Todd Joyce
>>>Network Services
>>>Radford University - The Smart Choice
>>>[log in to unmask]
>>>(540) 831-7777
>>>
>>>Keep your boots and ChapStick and ice hotels.
>>>Give me shorts and sandals and a thirty-blocker.
>>>
>>>Temperance Brennan - Monday Mourning
>>>-----Original Message-----
>>>From: Perfigo SecureSmart and CleanMachines Discussion List 
>>>[mailto:[log in to unmask]] On Behalf Of Lanstein, Alex C
>>>Sent: Wednesday, February 22, 2006 12:33 PM
>>>To: [log in to unmask]
>>>Subject: postgres changes
>>>
>>>Well, I've found the API to be inadequate for what I'm trying to do
>>>(make a page where our help desk can see what users are blocked).  So,
>>>I'm going to query the database directly.  I know I need to make the
>>>permission changes in pg_hba.conf, and to do that I have to edit the
>>>make-pg_hba_conf.pl script.  I
>>>
>>>I did that, but I know I have to restart the perfigo service.  Tom,
>>>from this list, said he just did a /etc/init.d perfigo restart and his
>>>changes took effect, but when I did that something didn't start up
>>>properly and it was throwing license errors like mad.  I didn't have a
>>>chance to look into it, since I had just taken down the dorm's
>>>abilities to login temporarily, so I had to restart it quickly.  My
>>>changes took effect once I rebooted, but I'd like to know just how to
>>>restart the postgres service (the 'perfigo way'... /sbin/service
>>>postgres restart borked it too) without rebooting.  I set a fairly
>>>unrestrictive set of mapping rules to the db and I'd like to lock it
>>>down a little more with the ident stuff postgres does as well.
>>>
>>>Any thoughts?
>>>
>>>Thanks in advance,
>>>
>>>Alex Lanstein
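Alex's original question at the bottom of the thread is about widening pg_hba.conf so a help-desk page can read the database, then locking it back down with ident, and his later reply settles on leaving access open only to localhost and one monitoring server. As an added example (not code from this list, from Perfigo/Cisco, or from the CCA product), here is a small Python lint that parses pg_hba.conf rules and flags what the thread warns about: trust authentication, hosts outside an allow-list, and rules that cover every database. It assumes the classic pg_hba.conf layout (local/host rules with either a CIDR column or the older address-plus-mask pair); the two sample files, the `monitor` role and the 192.0.2.10 address are constructed for this example, and `controlsmartdb` is the database named in the thread.

```python
"""Audit pg_hba.conf rules before opening a CCA box's PostgreSQL to a monitor host.

Added example for this thread, not code from the list, from Perfigo/Cisco or
from the CCA product. The sample files, the "monitor" role and the 192.0.2.10
address are constructed for illustration.
"""
import ipaddress

# Constructed: the "fairly unrestrictive" style of rule set the thread warns about.
LOOSE_HBA = """\
# TYPE  DATABASE        USER    CIDR-ADDRESS     METHOD
local   all             all                      trust
host    all             all     0.0.0.0/0        trust
"""

# Constructed: the same access limited to localhost and one monitoring host,
# a single database, and an ident-mapped or password-checked (md5) login.
TIGHT_HBA = """\
# TYPE  DATABASE        USER     CIDR-ADDRESS     METHOD
local   controlsmartdb  all                       ident sameuser
host    controlsmartdb  monitor  127.0.0.1/32     md5
host    controlsmartdb  monitor  192.0.2.10/32    md5
"""

HOST_TYPES = ("host", "hostssl", "hostnossl")


def parse_hba(text):
    """Return one dict per rule; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        kind = f[0]
        if kind == "local":
            if len(f) < 4:
                raise ValueError(f"line {lineno}: incomplete local rule")
            db, user, addr, method, opts = f[1], f[2], None, f[3], f[4:]
        elif kind in HOST_TYPES:
            if len(f) < 5:
                raise ValueError(f"line {lineno}: incomplete host rule")
            db, user = f[1], f[2]
            if "/" in f[3]:                      # CIDR form
                addr, method, opts = f[3], f[4], f[5:]
            else:                                # older ADDRESS MASK form
                if len(f) < 6:
                    raise ValueError(f"line {lineno}: missing mask or method")
                addr, method, opts = f"{f[3]}/{f[4]}", f[5], f[6:]
        else:
            raise ValueError(f"line {lineno}: unknown rule type {kind!r}")
        rules.append({"line": lineno, "type": kind, "db": db, "user": user,
                      "addr": addr, "method": method, "options": opts})
    return rules


def audit_hba(text, allowed_hosts=("127.0.0.1/32",)):
    """List (line, problem) pairs for rules that are wider than they need to be."""
    allowed = [ipaddress.ip_network(a) for a in allowed_hosts]
    findings = []
    for r in parse_hba(text):
        if r["method"] == "trust":
            findings.append((r["line"], "trust: anyone matching the rule gets in with no credentials"))
        if r["addr"] is not None:
            net = ipaddress.ip_network(r["addr"], strict=False)
            # flag any network not wholly inside one of the allowed monitor hosts
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                findings.append((r["line"], f"{r['addr']} is outside the allowed monitor hosts"))
        if r["db"] == "all":
            findings.append((r["line"], "database 'all': a read-only monitor needs only controlsmartdb"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("loose", LOOSE_HBA), ("tight", TIGHT_HBA)):
        hits = audit_hba(cfg, allowed_hosts=("127.0.0.1/32", "192.0.2.10/32"))
        print(f"{name}: {len(hits)} finding(s)")
        for line, msg in hits:
            print(f"  line {line}: {msg}")
```

To check a real file, call `audit_hba(open(path).read(), allowed_hosts=(...))` with the loopback and monitoring-host addresses you intend to permit. Since the thread says make-pg_hba_conf.pl produces the file on a CCA box, the rules have to be changed where that script writes them, and, as Todd's `kill -1` on the postmaster shows, a SIGHUP makes PostgreSQL re-read pg_hba.conf without the full service restart that broke things for Alex.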
