CLEANACCESS Archives

February 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Rajesh Nair (rajnair)" <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Wed, 22 Feb 2006 18:31:49 -0800
Content-Type: text/plain
Parts/Attachments: text/plain (143 lines)

Alex,

Yes, this is not a forum for feature requests. Ideally, you would do
that through Cisco's PERS system that tracks enhancements (similar to
CDETS tracking bugs). But, it doesn't hurt for me to understand what it
is that you are trying to do.  This forum has been great about telling
us what is wrong with the product and what can be improved and while we
cannot do everything that is asked of us, we try to keep adding things
as much as possible. 

Few things:

1) "Show all users that have an explicit allow/block" - what does this
mean?  Currently, only devices (MAC addresses) can have an explicit
allow/block (Filters -> Devices).  Do you mean these or something else?
If you mean Filters->Devices entries, then the entries in the database
are the static entries - i.e. it does not tell you who is currently
sending traffic on the network.  

2) We currently do not allow any remote communication to postgres.  The only
communication possible is local.  If you have compromised access to the
box (root access), then all is lost anyway.  But yes, we should add
authentication, especially if users intend to open up remote access.

-Rajesh.

-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Alex Lanstein
Sent: Wednesday, February 22, 2006 6:02 PM
To: [log in to unmask]
Subject: Re: postgres changes

Sure, I wasn't aware that this is a proper forum for feature requests.
As you can see from my prior posts, I definitely would prefer using the
vendor supplied API whenever possible.  I am not doing any writes to the
database, only reads.

The functions I was looking to implement were:
- Show all users that have an explicit allow
- Show all users that have an explicit block
- Show all users in X role
- Pull up a history of user logins and outs.

Also, I must say it's fairly ridiculous that the controlsmartdb is using
any sort of authentication.  It is not beyond any reasonable doubt that
there will be a remote vulnerability that requires an account, but can
spoof the source.  Please add some sort of password to that account in
one of the later releases!

Keep up the good work.

Regards,
Alex Lanstein

Rajesh Nair (rajnair) wrote:

>Folks,
>
>I have to say this - please avoid modifying the DB or access to the DB.
>There are some remote threats that Postgres is vulnerable to that might
>affect you.  You could affect the functioning of the DB and the perfigo
>service negatively.  And most importantly, TAC will not support you if
>they know that access to the DB or the DB itself has been modified in some
>way.
>
>I had to recently work with a customer who had installed a Postgres
>admin utility which broke the DB syncing and failover.  And TAC was not
>supportive at all of this.  And to be fair to them, they have very good
>reasons to take that approach.  They were working with this customer
>for quite a while before realizing (or before being told) that the
>customer had tried to install a utility.
>
>That said, can you explain what is lacking in the API - please make
>feature requests w.r.t. the API.  We will slowly but surely add
>additional APIs.  In this specific case, are you looking for all MAC
>addresses that belong to a particular role?  Are you looking for Online
>Users in the Temporary Role or Quarantine role?  What is the specific
>thing you are trying to do?
>
>-Rajesh. 
>
>-----Original Message-----
>From: Perfigo SecureSmart and CleanMachines Discussion List 
>[mailto:[log in to unmask]] On Behalf Of Joyce, Todd N
>Sent: Wednesday, February 22, 2006 12:52 PM
>To: [log in to unmask]
>Subject: Re: postgres changes
>
>ps -ae | grep post
>  748 ?        00:00:00 postmaster
>  750 ?        00:00:00 postmaster
>
>kill -1 748
>
>Todd Joyce
>Network Services
>Radford University - The Smart Choice
>[log in to unmask]
>(540) 831-7777
> 
>Keep your boots and ChapStick and ice hotels.
>Give me shorts and sandals and a thirty-blocker.
>
>Temperance Brennan - Monday Mourning
>-----Original Message-----
>From: Perfigo SecureSmart and CleanMachines Discussion List 
>[mailto:[log in to unmask]] On Behalf Of Lanstein, Alex C
>Sent: Wednesday, February 22, 2006 12:33 PM
>To: [log in to unmask]
>Subject: postgres changes
>
>Well, I've found the API to be inadequate for what I'm trying to do 
>(make a page where our help desk can see what users are blocked).  So, 
>I'm going to query the database directly.  I know I need to make the 
>permission changes in pg_hba.conf, and to do that I have to edit the 
>make-pg_hba_conf.pl script.  I
>
>I did that, but I know I have to restart the perfigo service.  Tom, 
>from this list, said he just did a /etc/init.d perfigo restart and his 
>changes took effect, but when I did that something didn't start up 
>properly and it was throwing license errors like mad.  I didn't have a 
>chance to look into it, since I had just taken down the dorm's 
>abilities to login temporarily, so I had to restart it quickly.  My 
>changes took effect once I rebooted, but I'd like to know just how to 
>restart the postgres service (the 'perfigo way'... /sbin/service 
>postgres restart borked it too) without rebooting.  I set a fairly 
>unrestrictive set of mapping rules to the db and I'd like to lock it 
>down a little more with the ident stuff postgres does as well.
>
>Any thoughts?
>
>Thanks in advance,
>
>Alex Lanstein
>  
>
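The pg_hba.conf lockdown Alex asks about and the missing authentication Rajesh acknowledges, as an added example that is not part of the thread or of Perfigo's software: a small shell audit of hba rules, run over a constructed "unrestrictive" file beside a constructed tightened one. The database name controlsmartdb and the make-pg_hba_conf.pl script come from the thread; the hosts, the helpdesk_ro role, the temp file paths and the PostgreSQL 8.x rule syntax are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Perfigo/Cisco: a small
# pg_hba.conf auditor that flags the loose rules discussed above. The file
# contents below are constructed samples; on a real CAM the file is generated
# by make-pg_hba_conf.pl, so edit that script rather than the output.

# audit_hba FILE -- print one finding per risky rule, nothing if clean.
# Assumes PostgreSQL 8.x syntax: "local DB USER METHOD" and
# "host DB USER CIDR-ADDRESS METHOD".
audit_hba() {
    sed -e 's/#.*//' "$1" | while read -r type db user f4 f5 _; do
        [ -z "$type" ] && continue              # blank or comment-only line
        case "$type" in
            local)                   addr=""; method="$f4" ;;
            host|hostssl|hostnossl)  addr="$f4"; method="$f5" ;;
            *) echo "unknown rule type: $type $db $user"; continue ;;
        esac
        # "trust" admits anyone who can reach the socket or port, no credentials asked
        [ "$method" = trust ] && echo "no authentication: $type $db $user $addr"
        # a /0 network means the host rule matches every source address
        case "$addr" in */0) echo "open to any address: $db $user $addr $method" ;; esac
    done
}

# hba_findings FILE -- count of findings, usable as a pass/fail gate
hba_findings() { audit_hba "$1" | wc -l | tr -d ' '; }

# Constructed "fairly unrestrictive" rules of the kind the thread describes
LOOSE=$(mktemp)
cat >"$LOOSE" <<'EOF'
# TYPE  DATABASE        USER         CIDR-ADDRESS    METHOD
local   all             all                          trust
host    all             all          0.0.0.0/0       trust
host    controlsmartdb  all          10.10.5.0/24    md5
EOF

# Constructed locked-down rules: ident mapping locally, one read-only help-desk
# host with password auth (helpdesk_ro and 10.10.5.20 are placeholders)
TIGHT=$(mktemp)
cat >"$TIGHT" <<'EOF'
local   all             all                          ident sameuser
host    controlsmartdb  helpdesk_ro  10.10.5.20/32   md5
EOF
trap 'rm -f "$LOOSE" "$TIGHT"' EXIT

audit_hba "$LOOSE"
echo "loose: $(hba_findings "$LOOSE") finding(s), tight: $(hba_findings "$TIGHT") finding(s)"
```

Pointing audit_hba at the file that make-pg_hba_conf.pl actually writes shows whether a change to that script produced the rules you intended before the perfigo service is restarted.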
