Added support for password encryption to the Pandora FMS Server.

This commit is contained in:
Ramon Novoa 2015-03-02 17:29:14 +01:00
parent df651810d4
commit 3a6f885b15
7 changed files with 83 additions and 6 deletions


@ -98,6 +98,9 @@ sub pandora_startup () {
# Grab config tokens shared with the console and not in the .conf
pandora_get_sharedconfig (\%Config, $DBH);
# Generate the encryption key after reading the passphrase.
$Config{"encryption_key"} = enterprise_hook('pandora_get_encryption_key', [\%Config, $Config{"encryption_passphrase"}]);
pandora_audit (\%Config, 'Pandora FMS Server Daemon starting', 'SYSTEM', 'System', $DBH);
# Load servers
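Review bot: When encryption_passphrase is configured but enterprise_hook('pandora_get_encryption_key', …) returns undef (enterprise module absent or failing), `$Config{"encryption_key"}` is simply undef and the server keeps running with every password written to the database in clear, which nothing reports to the operator. At this line, warn or refuse to start when a passphrase was given and no key came back, e.g. `die "encryption_passphrase is set but no encryption key could be derived\n" if (defined($Config{"encryption_passphrase"}) && $Config{"encryption_passphrase"} ne '' && !defined($Config{"encryption_key"}));` (a warning via the server log is the softer option). The plaintext passphrase also stays in %Config for the life of the process after the key exists; unless the enterprise code reads it again later, clearing it here limits what a configuration dump or core file exposes. pandora_startup begins outside the hunk.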


@ -832,6 +832,9 @@ sub pandora_load_config {
elsif ($parametro =~ m/^console_pass\s(.*)/i) {
$pa_config->{'console_pass'}= safe_input($1);
}
elsif ($parametro =~ m/^encryption_passphrase\s(.*)/i) {
$pa_config->{'encryption_passphrase'}= safe_input($1);
}
} # end of loop for parameter #
# Set to RDBMS' standard port
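Review bot: The passphrase goes through safe_input() before it reaches the key derivation in pandora_startup, so if safe_input rewrites characters (its use on console_pass suggests it is an encoding step) the derived encryption_key depends on that transformation as much as on the configured text, and a later change to safe_input, or a passphrase containing characters it rewrites, would make already-stored passwords undecryptable. That coupling deserves a comment on the new elsif, e.g. `# NOTE: the encryption key is derived from the safe_input()-transformed passphrase; changing this would invalidate stored passwords.` The `(.*)` capture also keeps trailing whitespace (and a CR on CRLF files) in the passphrase, as the neighbouring tokens do; whether to trim it should be decided before the first installation derives a key. pandora_load_config starts and ends outside the hunk.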


@ -62,10 +62,14 @@ Exported Functions:
=item * C<pandora_generate_alerts>
=item * C<pandora_input_password>
=item * C<pandora_module_keep_alive>
=item * C<pandora_module_keep_alive_nd>
=item * C<pandora_output_password>
=item * C<pandora_planned_downtime>
=item * C<pandora_process_alert>
@ -176,12 +180,14 @@ our @EXPORT = qw(
pandora_get_module_phone_tags
pandora_get_module_email_tags
pandora_get_os
pandora_input_password
pandora_is_master
pandora_mark_agent_for_alert_update
pandora_mark_agent_for_module_update
pandora_module_keep_alive
pandora_module_keep_alive_nd
pandora_module_unknown
pandora_output_password
pandora_planned_downtime
pandora_planned_downtime_set_quiet_elements
pandora_planned_downtime_unset_quiet_elements
@ -2533,7 +2539,7 @@ sub pandora_create_module_from_network_component ($$$$) {
$component->{'id_tipo_modulo'} = $component->{'type'};
delete $component->{'type'};
$component->{'ip_target'} = $addr;
my $module_id = pandora_create_module_from_hash($pa_config, $component, $dbh);
# Propagate the tags to the module
@ -2568,6 +2574,18 @@ sub pandora_create_module_from_hash ($$$) {
if (defined $parameters->{'id_network_component_group'}) {
delete $parameters->{'id_network_component_group'};
}
# Encrypt plug-in passwords.
if (defined($parameters->{'plugin_pass'})) {
$parameters->{'plugin_pass'} = pandora_input_password($pa_config, $parameters->{'plugin_pass'});
}
# Encrypt SNMP v3 passwords.
if ($parameters->{'id_tipo_modulo'} >= 15 && $parameters->{'id_tipo_modulo'} <= 18 &&
$parameters->{'tcp_send'} == 3) {
$parameters->{'custom_string_2'} = pandora_input_password($pa_config, $parameters->{'custom_string_2'});
}
my $module_id = db_process_insert($dbh, 'id_agente_modulo',
'tagente_modulo', $parameters);
@ -4929,6 +4947,54 @@ sub pandora_create_integria_ticket ($$$$$$$$) {
}
}
##########################################################################
=head2 C<< pandora_input_password (I<$pa_config>, I<$password>) >>
Process a password to be stored in the Pandora FMS Database (encrypting it if
necessary).
=cut
##########################################################################
sub pandora_input_password($$) {
my ($pa_config, $password) = @_;
# Do not attemp to encrypt empty passwords.
return '' if ($password eq '');
# Encryption disabled.
return $password if (! defined($pa_config->{'encryption_key'}) || $pa_config->{'encryption_key'} eq '');
# Encrypt the password.
my $encrypted_password = enterprise_hook ('pandora_encrypt', [$pa_config, $password, $pa_config->{'encryption_key'}]);
return $password unless defined($encrypted_password);
return $encrypted_password;
}
##########################################################################
=head2 C<< pandora_output_password (I<$pa_config>, I<$password>) >>
Process a password retrieved from the Pandora FMS Database (decrypting it if
necessary).
=cut
##########################################################################
sub pandora_output_password($$) {
my ($pa_config, $password) = @_;
# Do not attemp to decrypt empty passwords.
return '' if ($password eq '');
# Encryption disabled.
return $password if (! defined($pa_config->{'encryption_key'}) || $pa_config->{'encryption_key'} eq '');
# Decrypt the password.
my $decrypted_password = enterprise_hook ('pandora_decrypt', [$pa_config, $password, $pa_config->{'encryption_key'}]);
return $password unless defined($decrypted_password);
return $decrypted_password;
}
# End of function declaration
# End of defined Code
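Review bot: pandora_input_password silently stores the plaintext whenever the pandora_encrypt hook returns undef (`return $password unless defined($encrypted_password);`), so a missing or failing enterprise module leaves credentials unencrypted in the database with nothing in the log; at least log a warning on that path, and the mirror fallback in pandora_output_password should do the same, since it hands the undecrypted ciphertext to the SNMP/WMI code as if it were the credential. `return '' if ($password eq '');` warns under `use warnings` when `$password` is undef, and the pandora_create_module_from_hash hunk passes `custom_string_2` without the defined check that `plugin_pass` gets, so `return '' if (!defined($password) || $password eq '');` is the safer guard in both subs. In that same hunk `$parameters->{'tcp_send'} == 3` compares numerically a field whose other documented values include "2c", which warns and is best written as `eq '3'`. Neither function can distinguish an already-encrypted value from plaintext, so a caller that re-saves a module row risks encrypting twice; if the enterprise format carries a marker, state that contract in the two POD sections.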


@ -344,10 +344,10 @@ sub pandora_query_snmp ($$$) {
my $snmp_version = $module->{"tcp_send"}; # (1, 2, 2c or 3)
my $snmp3_privacy_method = $module->{"custom_string_1"}; # DES/AES
my $snmp3_privacy_pass = $module->{"custom_string_2"};
my $snmp3_privacy_pass = pandora_output_password($pa_config, $module->{"custom_string_2"});
my $snmp3_security_level = $module->{"custom_string_3"}; # noAuthNoPriv|authNoPriv|authPriv
my $snmp3_auth_user = $module->{"plugin_user"};
my $snmp3_auth_pass = $module->{"plugin_pass"};
my $snmp3_auth_pass = pandora_output_password($pa_config, $module->{"plugin_pass"});
my $snmp3_auth_method = $module->{"plugin_parameter"}; #MD5/SHA1
my $snmp_community = $module->{"snmp_community"};
my $snmp_target = $module->{"ip_target"};


@ -186,8 +186,10 @@ sub data_consumer ($$) {
{
my $macro_field = safe_output($macros{$macro_id}{'macro'});
my $macro_desc = safe_output($macros{$macro_id}{'desc'});
my $macro_value = safe_output($macros{$macro_id}{'value'});
my $macro_value = (defined($macros{$macro_id}{'hide'}) && $macros{$macro_id}{'hide'} eq '1') ?
pandora_output_password($pa_config, safe_output($macros{$macro_id}{'value'})) :
safe_output($macros{$macro_id}{'value'});
# build parameters to invoke plugin
$parameters =~ s/$macros{$macro_id}{'macro'}/$macro_value/g;
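Review bot: The new ternary evaluates `safe_output($macros{$macro_id}{'value'})` on both branches; computing it once reads more plainly and keeps the decrypt decision on its own line: `my $macro_value = safe_output($macros{$macro_id}{'value'});` followed by `$macro_value = pandora_output_password($pa_config, $macro_value) if (defined($macros{$macro_id}{'hide'}) && $macros{$macro_id}{'hide'} eq '1');`. A short comment saying that `hide` is the flag marking a macro as stored encrypted would also help, since the encrypting side is not in this file. The decrypted value is then substituted into the `$parameters` command string on the next line, as the plaintext was before; data_consumer starts and ends outside the hunk.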


@ -667,6 +667,9 @@ sub md5 ($) {
return "";
}
# Initialize once.
md5_init() if (!defined($R[0]));
# Note: All variables are unsigned 32 bits and wrap modulo 2^32 when calculating
# Initialize variables


@ -145,7 +145,7 @@ sub data_consumer ($$) {
# Build command to execute
my $wmi_command = '';
if (defined ($module->{'plugin_pass'}) && $module->{'plugin_pass'} ne "") {
$wmi_command = $pa_config->{'wmi_client'} . ' -U "' . $module->{'plugin_user'} . '"%"' . $module->{'plugin_pass'} . '"';
$wmi_command = $pa_config->{'wmi_client'} . ' -U "' . $module->{'plugin_user'} . '"%"' . pandora_output_password($pa_config, $module->{'plugin_pass'}) . '"';
}
elsif (defined ($module->{'plugin_user'}) && $module->{'plugin_user'} ne "") {
$wmi_command = $pa_config->{'wmi_client'} . ' -U "' . $module->{'plugin_user'} . '"';
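Review bot: The decrypted password is concatenated into `$wmi_command` inside double quotes, so a password containing `"`, `$` or a backtick breaks or alters the command if, as the string form suggests, it is later run through a shell; the decrypt call makes this line worth fixing now rather than inheriting it. Prefer building an argument list and running the client in list form (`system($pa_config->{'wmi_client'}, '-U', $user . '%' . $pass, …)` or the `open my $fh, '-|', …` equivalent) so no shell parses the credential, or at minimum quote with a shell-safe routine instead of raw `"` wrapping. The credential also ends up on the command line, where other local users may see it in the process list, which is unchanged by this commit but worth a comment. data_consumer starts and ends outside the hunk.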