[osiris] Re: multiple configs
David Vasil
dmvasil at ornl.gov
Thu Aug 10 10:32:19 EDT 2006
urgrue wrote:
> Hello,
> Is it possible to have more than one config per host?
> I would really like to have for example "global.linux" that would apply
> to all linuxes, as well as the local ones. This would allow certain
> global rules to be managed easily without having to go through each host
> individually (not really an option).
At this point it is not possible to do this; however, I do not foresee it
requiring too much of a code change. An implementation idea for this
would be to have the global config with a minimal set of rules, and then
have the client config do something like this:
    Recursive no
    FollowLinks no
    IncludeAll
    Hash sha
    <Modules>
        Include mod_kmods
        Include mod_ports
        Include mod_if
    </Modules>
    <Directory /etc>
        Exclude file( ^/etc/dumpdates$ )
        Recursive yes
        FollowLinks no
        IncludeAll
    </Directory>
    <IncludeConfig>
        global.linux
    </IncludeConfig>
> Second question, when I install the agent on a client, I then have to
> head over to the mgmt console and add it with new-host. This "just
> works", i.e. doesn't require any kind of special permissions etc. Does this
> mean anyone, so long as they have access to the network, could install a
> mgmt console somewhere and "hijack" the client, read/alter the configs, etc?
When the client is installed for the first time, and it does not have an
'osiris_root.pem' yet, it will wait for the first OsirisMD to connect to
it and the server will push over the osiris_root.pem for it to use.
If you want to restrict it to never allow this window of opportunity,
you can copy the osiris_root.pem over to the osiris data dir on the
client before you start the client daemon.
This will make the client refuse any connection which doesn't present the
correct certificate with a message in the client syslog like so:
Aug 10 10:29:18 test osirisd[632]: [err] cert authentication failure:
(error:00000012:lib(0):func(0):reason(18)).
--
| David Vasil <dmvasil at ornl.gov>
| Oak Ridge National Laboratory NCCS Division
| High Performance Computing Systems Administrator
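
Added example (not part of the original post and not Osiris project code): a shell function for the pre-seeding step described above, which places a trusted copy of osiris_root.pem in the client's data directory before the daemon is started and refuses to overwrite a different certificate that is already there. The function name is hypothetical, and both paths are passed as arguments because the post does not say where the data dir lives.

```shell
#!/bin/sh
# File name taken from the post; every path passed in is an assumption.
ROOT_CERT_NAME="osiris_root.pem"

# preseed_root_cert TRUSTED_COPY DATA_DIR   (hypothetical helper)
# Returns 0 if DATA_DIR ends up holding the trusted certificate,
#         1 if a different certificate is already there (left untouched),
#         2 if the trusted copy or the data dir is missing, or the copy fails.
preseed_root_cert() {
    trusted="$1"
    data_dir="$2"
    target="$data_dir/$ROOT_CERT_NAME"

    [ -s "$trusted" ] || { echo "trusted copy missing or empty: $trusted" >&2; return 2; }
    [ -d "$data_dir" ] || { echo "data dir not found: $data_dir" >&2; return 2; }

    if [ -e "$target" ]; then
        # A certificate is already present: either ours, or one that was
        # accepted from whichever management host connected first.
        if cmp -s "$trusted" "$target"; then
            echo "ok: $target already matches the trusted copy"
            return 0
        fi
        echo "MISMATCH: $target differs from the trusted copy; not overwriting" >&2
        return 1
    fi

    # Copy to a temporary name and rename, so a partial file is never
    # visible under the real name. The certificate is public; the mode
    # only has to stop other users from replacing it.
    tmp="$target.tmp.$$"
    ( umask 022; cp "$trusted" "$tmp" ) || { rm -f "$tmp"; return 2; }
    mv "$tmp" "$target" || { rm -f "$tmp"; return 2; }
    echo "installed: $target"
    return 0
}

# Run directly as: sh preseed.sh /path/to/trusted/osiris_root.pem /path/to/data-dir
if [ "$#" -eq 2 ]; then
    preseed_root_cert "$1" "$2"
fi
```

A return value of 1 on a host that was never pre-seeded means the client already accepted a root certificate from some management host, so check where that certificate came from before starting the daemon again.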