From: dan farmer
Subject: [Freeipmi-devel] best practices and small IPMI toolz online
Date: Tue, 26 Feb 2013 16:37:10 -0800

Hi folks (sorry if you're on multiple lists - some folks complained the last time I sent out something that their list wasn't included, so I'm sending it to a few IPMI lists and I'm not going to cross-post - sorry for the I-spam!)

folks helped out with; it's at:

(Sorry to the PDF haters; there will be a text version as it gets closer to completion, it's just a bit painful to keep two versions in sync. I also thanked a few people; I'll take your name off if you don't want to be associated with such a doc or me.)

I also wrote a few small IPMI tools (mostly draft status as well, but they do appear to work, or do what I think they should, at least) that do security audity-things with BMCs/IPMI:

The first is a one-packet auditing tool (you could do the same parsing other tool outputs, but this seems easier and less reliant on external stuff):

It's pretty heavily commented; it's interesting how much information they pack into the reply to a "Get Channel Authentication Capability", which you can do without any authentication - 10 discrete security issues are returned, and among other things you can find out if anonymous logins are enabled and in use as well as if null usernames are allowed (which seem just stupid to give out, security-wise, but hey, no one asked me!)

Two more little tools (also in python); one that sucks IPMI configuration data from a remote BMC and spits it all out in a JSON file, and a 2nd that attempts to audit the results of the first and give out some warnings on potential problems (based on the things in the document above):

Perversely I read plain text from IPMI tools, change it to JSON, and then emit text again :) This is hopefully because I'm simply testing out the stuff, not because I'm a complete idiot, but time will tell (or already has.) Mostly because I'm not sure what the final thing will look like.

There are some items I'm not sure how to test for, at least easily - if anyone has any ideas I'm all ears! Ditto with thoughts on output or something; I thought JSON might be fun since it's so simple to manipulate with web/javascript/etc. stuff.

Certainly these aren't meant to be deathless programs or the last word on IPMI security or anything; just trying to toss a few more coins into the knowledge fountain. Any feedback is certainly more than welcome, and again sorry for various list posting.

dan

¸¸.·´¯`·.¸><(((º>
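
Added example, not part of the original message and not the tool it mentions: a decoder for the data bytes of a "Get Channel Authentication Capabilities" response that turns the status bits into audit warnings. The bit layout is assumed from the IPMI v2.0 specification; the function names and the sample bytes are constructed for illustration.

```python
# Added example (not the tool from the message). Bit layout assumed from the
# IPMI v2.0 spec's "Get Channel Authentication Capabilities" response.
AUTH_TYPES = {0: "none", 1: "MD2", 2: "MD5", 4: "straight password", 5: "OEM"}

def parse_auth_caps(data: bytes) -> dict:
    """Decode response data starting at the completion code byte."""
    if len(data) < 9:
        raise ValueError("response too short: %d bytes" % len(data))
    if data[0] != 0x00:
        raise ValueError("completion code 0x%02x" % data[0])
    types, status, ext = data[2], data[3], data[4]
    return {
        "channel": data[1] & 0x0F,
        "auth_types": [n for b, n in AUTH_TYPES.items() if types & (1 << b)],
        "kg_nonzero": bool(status & 0x20),
        "per_message_auth": not status & 0x10,  # bit set = disabled
        "user_level_auth": not status & 0x08,   # bit set = disabled
        "non_null_usernames": bool(status & 0x04),
        "null_usernames": bool(status & 0x02),
        "anonymous_login": bool(status & 0x01),
        # extended capabilities byte is only meaningful when bit 7 is set
        "ipmi_v2": bool(types & 0x80 and ext & 0x02),
        "oem_id": int.from_bytes(data[5:8], "little"),
    }

def audit(caps: dict) -> list:
    """Return human-readable warnings for weak settings."""
    checks = [
        (caps["anonymous_login"], "anonymous login enabled"),
        (caps["null_usernames"], "null usernames allowed"),
        ("none" in caps["auth_types"], "auth type 'none' offered"),
        ("straight password" in caps["auth_types"], "cleartext password auth offered"),
        (not caps["per_message_auth"], "per-message authentication disabled"),
        (not caps["user_level_auth"], "user-level authentication disabled"),
        (caps["ipmi_v2"] and not caps["kg_nonzero"], "KG key left at default (all zeros)"),
    ]
    return [msg for hit, msg in checks if hit]

# Constructed sample response (not captured from a real BMC).
SAMPLE = bytes([0x00, 0x01, 0x97, 0x13, 0x03, 0x00, 0x00, 0x00, 0x00])

if __name__ == "__main__":
    for warning in audit(parse_auth_caps(SAMPLE)):
        print("WARNING:", warning)
```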