I've been looking for a way to restrict the Linux/Unix Script Monitor so that the host configuration is more secure and only certain scripts are allowed to run. This is mainly for use on our OpenBSD firewalls.
SSH keys can define which scripts are allowed to run, but that isn't supported as a credential type, so I played around a bit and found a solution using a wrapper shell, assigned as the SSH user's login shell, that strictly allows only the defined commands/scripts to be run.
I just recorded what the NPM SSH session for the APM component looks like and created a look-alike shell script.
I would like feedback on any flaws or drawbacks of this solution.
Thanks ...
======================================
Wrapper shell code:
#!/bin/sh
# Custom restricted wrapper shell for Orion NPM monitoring
# Only allows specific scripts to be run.
# Orion NPM variables and constants
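# Exit codes understood by Orion NPM for a script-monitor component.
# Declared read-only so a sourced check script cannot redefine what
# "up" means, by accident or otherwise.
readonly ORION_STATUS_UP=0
readonly ORION_STATUS_DOWN=1
readonly ORION_STATUS_WARNING=2
readonly ORION_STATUS_CRITICAL=3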
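return_result() {
  # Replay the prompt / exit-code exchange NPM expects from a real sh and
  # terminate the session.
  #   $1 - exit code to report to NPM.
  # An empty or non-numeric $1 (e.g. a check script that never set
  # 'exitcode') is reported as ORION_STATUS_CRITICAL: a broken check must
  # never be passed to 'exit' as "" and end up reading as "up".
  rc=$1
  case "${rc}" in
    ''|*[!0-9]*) rc=${ORION_STATUS_CRITICAL} ;;
  esac
  # printf instead of 'echo -n': portable, and never interprets its argument.
  # The two reads swallow the lines NPM sends in response to each prompt;
  # their content is discarded, never evaluated.
  printf '%s' "__SOLAR_WINDS_APM__"
  IFS= read -r _discard
  printf '%s\n' "${rc}"
  printf '%s' "__SOLAR_WINDS_APM__"
  IFS= read -r _discard
  exit "${rc}"
}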
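# Session protocol. NPM opens an interactive session and sends, one per
# line: "sh", then "PS1='__SOLAR_WINDS_APM__'", then the script name. Each
# line is compared literally against the expected value; nothing received
# from the peer is ever evaluated by this shell.
#
# Check scripts are sourced from script_dir. It defaults to the login
# directory (the original behaviour); on a hardened host point it at a
# root-owned directory the monitoring account cannot write to.
# NOTE(review): this wrapper only gates the login shell. If the account can
# reach its home directory by any other route (an sftp/scp subsystem,
# forwarding), it could replace these scripts, so restrict the account in
# sshd_config as well.
script_dir=.
session_log=./lastsession.log

# An exec request (ssh user@host cmd) reaches the login shell as "-c cmd".
# The recorded NPM session is interactive, so any argument means a caller
# other than NPM; refuse it rather than silently ignoring the command and
# reading stdin anyway.
if [ $# -ne 0 ]; then
  printf 'Rejected command-line arguments: %s\n' "$*" >"${session_log}"
  exit 99
fi

# 'read -r' keeps backslashes literal and IFS= keeps surrounding whitespace,
# so the comparisons below are exact. printf rather than echo: an input of
# "-n" or "-e" must be logged as text, not taken as an echo option.
IFS= read -r InitCmd1
printf '%s\n' "${InitCmd1}" >"${session_log}"
if [ "${InitCmd1}" != "sh" ]; then
  printf '%s\n' "Invalid init1 command, expecting 'sh'." >>"${session_log}"
  exit 99
fi

IFS= read -r InitCmd2
printf '%s\n' "${InitCmd2}" >>"${session_log}"
if [ "${InitCmd2}" != "PS1='__SOLAR_WINDS_APM__'" ]; then
  printf '%s\n' "Invalid init2 command, expecting PS1='__SOLAR_WINDS_APM__'" >>"${session_log}"
  exit 99
fi
# A real sh would now display the prompt NPM just configured.
printf '%s' "__SOLAR_WINDS_APM__"

IFS= read -r ScriptCommand
printf '%s\n' "${ScriptCommand}" >>"${session_log}"

case "${ScriptCommand}" in
  check_master_fw|check_other_fw)
    # Allow-list hit: the name matched a fixed literal, so it carries no path
    # component or metacharacters when used below. The script runs inside
    # this shell (sourced) and must set 'exitcode'. It is cleared first so a
    # script that forgets cannot inherit a stale value, and an empty result
    # is reported as CRITICAL instead of being handed to 'exit' as "".
    exitcode=
    . "${script_dir}/${ScriptCommand}"
    printf 'Return code is %s\n' "${exitcode}" >>"${session_log}"
    return_result "${exitcode:-${ORION_STATUS_CRITICAL}}"
    ;;
  *)
    # Anything else is refused; the rejected name is only ever printed,
    # never executed.
    printf 'Message: Command %s is rejected.\n' "${ScriptCommand}"
    printf 'Statistic: %s\n' "${ORION_STATUS_CRITICAL}"
    printf 'Command %s is rejected.\n' "${ScriptCommand}" >>"${session_log}"
    return_result "${ORION_STATUS_CRITICAL}"
    ;;
esac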
======================================
check_master_fw and check_other_fw example code:
# Example check script. It is sourced by the wrapper, so it has no shebang
# and must not call 'exit' (that would terminate the wrapper itself and skip
# the return_result handshake).
# Inherited from the wrapper: ORION_STATUS_UP, ORION_STATUS_DOWN,
#   ORION_STATUS_WARNING, ORION_STATUS_CRITICAL
# Output: the "Message:" and "Statistic:" lines NPM parses, on stdout.
# Result: sets 'exitcode', which the wrapper reports via return_result.
printf 'Message: %s\n' 'The firewall has trouble.'
printf 'Statistic: %s\n' "$ORION_STATUS_WARNING"
exitcode=$ORION_STATUS_WARNING