[osiris-devel] Agent Architecture question
Brian Wotring
brian at shmoo.com
Wed Nov 24 01:15:53 EST 2004
> What was the reasoning for having an open port on all agent machines
> versus one open port on the management system? Admittedly, it is
> simple enough to firewall off this port with little to no consequence
> to other activities, but I'm not fond of having any more open ports on
> my systems.
A few reasons. First, it's a lot easier to manage. If you decide to
change scheduling, check status of hosts, update configs, or whatever,
you can operate on many hosts from a single interface. Otherwise, you
would have to perform these operations from each managed host.
Second, it made more sense (to me) in the beginning to initiate the
connections from the more trusted system, as opposed to receiving them.
The management console is critical in that it is to be a secure store
for all of the monitoring data. If this is compromised, the whole
system is almost useless.
Third, if the agents initiated connections, it could be argued that the
management console would have a harder time detecting that an agent
didn't scan when it was supposed to. That is, it may be easier for a
broken agent to go unnoticed.
There may be other reasons, but these are the main ones that were
considered during design and development. This isn't to say that doing
it the other way is wrong, it's just not the way Osiris was built.
> Could the communication not have been done with a client push / pull
> to the management console instead? Is it possible to turn off the
> listening feature of the agent component and force a push within the
> current framework?
No, not really. You could just run a management console on each
monitored host, tripwire style, but that doesn't scale very well.
-brian
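The detection asymmetry in the third reason above (a console that initiates the scan sees a silent agent at once; a console that waits for agents to report can only flag silence after a timeout), as an added simulation that is not Osiris code; the hostnames, agent callables, interval and grace values are constructed.

```python
from dataclasses import dataclass, field

# Constructed simulation, not Osiris code: a console-initiated (pull) design
# beside an agent-initiated (push) design, to show when a missed scan is noticed.

@dataclass
class PullConsole:
    """Console connects to each agent on schedule; a failure is visible at once."""
    agents: dict  # host -> callable returning scan data, or raising ConnectionError
    results: list = field(default_factory=list)

    def run_scan_cycle(self, now):
        outcomes = {}
        for host, connect in self.agents.items():
            try:
                outcomes[host] = ("ok", connect())
            except ConnectionError as exc:
                # The console asked for the scan, so a non-answering agent is
                # recorded as unreachable in the same cycle, not some time later.
                outcomes[host] = ("unreachable", str(exc))
        self.results.append((now, outcomes))
        return outcomes

@dataclass
class PushConsole:
    """Agents report in; the console only learns of silence after a grace period."""
    interval: float  # expected seconds between agent reports
    grace: float     # extra slack before a late agent is flagged
    last_seen: dict = field(default_factory=dict)

    def receive(self, host, now):
        self.last_seen[host] = now

    def missed(self, now):
        # An agent that stopped reporting can only be flagged once
        # interval + grace has elapsed since its last report.
        return sorted(h for h, t in self.last_seen.items()
                      if now - t > self.interval + self.grace)
```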