From 8d64a2d0bb1122e8cd587bf2303ab5b8bf75e169 Mon Sep 17 00:00:00 2001 From: Michael Friedrich Date: Fri, 10 Mar 2017 18:19:22 +0100 Subject: [PATCH] Update Security section in the Distributed Monitoring chapter fixes #5057 --- doc/6-distributed-monitoring.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/doc/6-distributed-monitoring.md b/doc/6-distributed-monitoring.md index f241c5397..da167a3a1 100644 --- a/doc/6-distributed-monitoring.md +++ b/doc/6-distributed-monitoring.md @@ -153,15 +153,16 @@ nodes (firewalls, policies, software hardening, etc.), Icinga 2 also provides additional security: * SSL certificates are mandatory for communication between nodes. The CLI commands -help you create those certs automatically. +help you create those certificates. * Child zones only receive updates (check results, commands, etc.) for their configured objects. +* Child zones are not allowed to push configuration updates to parent zones. * Zones cannot interfere with other zones and influence each other. Each checkable host or service object is assigned to **one zone** only. * All nodes in a zone trust each other. * [Config sync](6-distributed-monitoring.md#distributed-monitoring-top-down-config-sync) and [remote command endpoint execution](6-distributed-monitoring.md#distributed-monitoring-top-down-command-endpoint) is disabled by default. -The underlying protocol is using JSON-RPC events sent over TLS secured -connections. In case you are interested in specific details, please -check the source code. +The underlying protocol uses JSON-RPC event notifications exchanged by nodes. +The connection is secured by TLS. The message protocol uses an internal API, +and as such message types and names may change internally and are not documented. ## Master Setup
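Review bot: The rewritten closing paragraph says "The connection is secured by TLS", while the first bullet, edited in the same hunk, still reads "SSL certificates are mandatory for communication between nodes"; use one term in both places (for example "TLS certificates") so readers do not assume two different mechanisms. In the same paragraph, "message types and names may change internally and are not documented" removes the earlier pointer to the source code without giving readers anywhere else to look, and "internally" repeats "internal API"; consider "message types and names may change without notice and are not documented", and say whether the source remains the reference. The unchanged bullet "[Config sync] ... and [remote command endpoint execution] ... is disabled by default" has a plural subject and could be corrected to "are disabled by default" while this list is being edited.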