XI 2014R1.2
There is a security concern about all the IDs and passwords stored in clear text in the CCM.
Can you please advise how to get around this issue?
Thanks
ID Security
5 x Nagios 5.6.9 Enterprise Edition
RHEL 6 & 7
rrdcached & ramdisk optimisation
Re: ID Security
I can certainly put in a feature request for salted+hashed passwords in the database, but where specifically were you referring to? If you mean in the host/service definitions as arguments, the way to keep them from being displayed is to place them in the resource.cfg file and reference them as $USERX$ macros.
Former Nagios employee
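The resource.cfg approach described in the reply above, as an added example that is not part of the original thread. The host name, service names, credential and the choice of $USER5$ are constructed for illustration, and the generic-service template and the plugin path are assumptions about the local installation.

```cfg
# --- Weak: credential passed as a service argument --------------------------
# The secret sits in the object definition, so it appears in the CCM and in
# the generated *.cfg files. (All names and values here are constructed.)
define command {
    command_name            check_http_auth_arg
    command_line            $USER1$/check_http -H $HOSTADDRESS$ -a $ARG1$
}

define service {
    use                     generic-service        ; assumed template name
    host_name               web01
    service_description     Intranet login (inline credential)
    check_command           check_http_auth_arg!monitor:ExamplePassw0rd
}

# --- Preferred: credential referenced as a $USERn$ macro --------------------
# resource.cfg: keep read access limited to the account that runs Nagios
# (for example owner nagios, mode 0600 or 0640).
$USER1$=/usr/local/nagios/libexec
$USER5$=monitor:ExamplePassw0rd

# Object definitions now carry only the macro name, never the value.
define command {
    command_name            check_http_auth_macro
    command_line            $USER1$/check_http -H $HOSTADDRESS$ -a $USER5$
}

define service {
    use                     generic-service        ; assumed template name
    host_name               web01
    service_description     Intranet login (macro credential)
    check_command           check_http_auth_macro
}
```

The value in resource.cfg is still clear text on disk; this keeps it out of the host/service definitions and relies on file permissions for protection.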
Re: ID Security
tmcdonald wrote: I can certainly put in a feature request for salted+hashed passwords in the database, but where specifically were you referring to? If you mean in the host/service definitions as arguments, the way to keep them from being displayed is to place them in the resource.cfg file and reference them as $USERX$ macros.
Security team requirements.
Passwords cannot be displayed anywhere in clear text and must be stored in an encrypted state.
This includes in the definition files *.cfg, resource.cfg & DB.
5 x Nagios 5.6.9 Enterprise Edition
RHEL 6 & 7
rrdcached & ramdisk optimisation
Re: ID Security
The database is possible, we just need to salt+hash passwords and do a compare when authenticating.
However, since the passwords in *.cfg and resource.cfg need to be sent/used (as opposed to compared against), there is no way they can be encrypted. You can't send an FTP password to test file upload capabilities if that password is not known (i.e. it is encrypted).
Former Nagios employee