Added support for password encryption to the Pandora FMS Server.
parent
df651810d4
commit
3a6f885b15
|
@ -98,6 +98,9 @@ sub pandora_startup () {
|
|||
# Grab config tokens shared with the console and not in the .conf
|
||||
pandora_get_sharedconfig (\%Config, $DBH);
|
||||
|
||||
# Generate the encryption key after reading the passphrase.
|
||||
$Config{"encryption_key"} = enterprise_hook('pandora_get_encryption_key', [\%Config, $Config{"encryption_passphrase"}]);
|
||||
|
||||
pandora_audit (\%Config, 'Pandora FMS Server Daemon starting', 'SYSTEM', 'System', $DBH);
|
||||
|
||||
# Load servers
|
||||
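Review bot: The key assignment fails open without a trace. If `encryption_passphrase` is set but `enterprise_hook` returns undef or an empty string (for example because the enterprise code is not loaded, which this hunk does not show), the server starts normally and pandora_input_password in this same commit then stores passwords unencrypted. I would log that case right after the assignment, e.g. `logger(\%Config, 'encryption_passphrase is set but no encryption key was generated; passwords will be stored unencrypted.', 1) if (defined($Config{'encryption_passphrase'}) && $Config{'encryption_passphrase'} ne '' && (!defined($Config{'encryption_key'}) || $Config{'encryption_key'} eq ''));`. pandora_startup continues outside the hunk.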
|
|
|
@ -832,6 +832,9 @@ sub pandora_load_config {
|
|||
elsif ($parametro =~ m/^console_pass\s(.*)/i) {
|
||||
$pa_config->{'console_pass'}= safe_input($1);
|
||||
}
|
||||
elsif ($parametro =~ m/^encryption_passphrase\s(.*)/i) {
|
||||
$pa_config->{'encryption_passphrase'}= safe_input($1);
|
||||
}
|
||||
} # end of loop for parameter #
|
||||
|
||||
# Set to RDBMS' standard port
|
||||
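Review bot: The passphrase is passed through `safe_input()` before it is used for key derivation, so the key depends on the encoded form of the string rather than on what the administrator typed. If `safe_input()` alters characters such as `&` or quotes (its body is not in this hunk), every component that shares encrypted values must derive its key from the same encoded form. `(.*)` also keeps any trailing whitespace as part of the secret unless the line was trimmed earlier in the loop. A comment above the branch would record this, e.g. `# Stored as safe_input() output; anything deriving the key must use the same form.` Since this token now protects every stored credential, the configuration file's permissions deserve a line in the sample .conf as well.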
|
|
|
@ -62,10 +62,14 @@ Exported Functions:
|
|||
|
||||
=item * C<pandora_generate_alerts>
|
||||
|
||||
=item * C<pandora_input_password>
|
||||
|
||||
=item * C<pandora_module_keep_alive>
|
||||
|
||||
=item * C<pandora_module_keep_alive_nd>
|
||||
|
||||
=item * C<pandora_output_password>
|
||||
|
||||
=item * C<pandora_planned_downtime>
|
||||
|
||||
=item * C<pandora_process_alert>
|
||||
|
@ -176,12 +180,14 @@ our @EXPORT = qw(
|
|||
pandora_get_module_phone_tags
|
||||
pandora_get_module_email_tags
|
||||
pandora_get_os
|
||||
pandora_input_password
|
||||
pandora_is_master
|
||||
pandora_mark_agent_for_alert_update
|
||||
pandora_mark_agent_for_module_update
|
||||
pandora_module_keep_alive
|
||||
pandora_module_keep_alive_nd
|
||||
pandora_module_unknown
|
||||
pandora_output_password
|
||||
pandora_planned_downtime
|
||||
pandora_planned_downtime_set_quiet_elements
|
||||
pandora_planned_downtime_unset_quiet_elements
|
||||
|
@ -2533,7 +2539,7 @@ sub pandora_create_module_from_network_component ($$$$) {
|
|||
$component->{'id_tipo_modulo'} = $component->{'type'};
|
||||
delete $component->{'type'};
|
||||
$component->{'ip_target'} = $addr;
|
||||
|
||||
|
||||
my $module_id = pandora_create_module_from_hash($pa_config, $component, $dbh);
|
||||
|
||||
# Propagate the tags to the module
|
||||
|
@ -2568,6 +2574,18 @@ sub pandora_create_module_from_hash ($$$) {
|
|||
if (defined $parameters->{'id_network_component_group'}) {
|
||||
delete $parameters->{'id_network_component_group'};
|
||||
}
|
||||
|
||||
# Encrypt plug-in passwords.
|
||||
if (defined($parameters->{'plugin_pass'})) {
|
||||
$parameters->{'plugin_pass'} = pandora_input_password($pa_config, $parameters->{'plugin_pass'});
|
||||
}
|
||||
|
||||
# Encrypt SNMP v3 passwords.
|
||||
if ($parameters->{'id_tipo_modulo'} >= 15 && $parameters->{'id_tipo_modulo'} <= 18 &&
|
||||
$parameters->{'tcp_send'} == 3) {
|
||||
$parameters->{'custom_string_2'} = pandora_input_password($pa_config, $parameters->{'custom_string_2'});
|
||||
}
|
||||
|
||||
my $module_id = db_process_insert($dbh, 'id_agente_modulo',
|
||||
'tagente_modulo', $parameters);
|
||||
|
||||
|
@ -4929,6 +4947,54 @@ sub pandora_create_integria_ticket ($$$$$$$$) {
|
|||
}
|
||||
}
|
||||
|
||||
##########################################################################
|
||||
=head2 C<< pandora_input_password (I<$pa_config>, I<$password>) >>
|
||||
|
||||
Process a password to be stored in the Pandora FMS Database (encrypting it if
|
||||
necessary).
|
||||
|
||||
=cut
|
||||
##########################################################################
|
||||
sub pandora_input_password($$) {
|
||||
my ($pa_config, $password) = @_;
|
||||
|
||||
# Do not attemp to encrypt empty passwords.
|
||||
return '' if ($password eq '');
|
||||
|
||||
# Encryption disabled.
|
||||
return $password if (! defined($pa_config->{'encryption_key'}) || $pa_config->{'encryption_key'} eq '');
|
||||
|
||||
# Encrypt the password.
|
||||
my $encrypted_password = enterprise_hook ('pandora_encrypt', [$pa_config, $password, $pa_config->{'encryption_key'}]);
|
||||
return $password unless defined($encrypted_password);
|
||||
|
||||
return $encrypted_password;
|
||||
}
|
||||
|
||||
##########################################################################
|
||||
=head2 C<< pandora_output_password (I<$pa_config>, I<$password>) >>
|
||||
|
||||
Process a password retrieved from the Pandora FMS Database (decrypting it if
|
||||
necessary).
|
||||
|
||||
=cut
|
||||
##########################################################################
|
||||
sub pandora_output_password($$) {
|
||||
my ($pa_config, $password) = @_;
|
||||
|
||||
# Do not attemp to decrypt empty passwords.
|
||||
return '' if ($password eq '');
|
||||
|
||||
# Encryption disabled.
|
||||
return $password if (! defined($pa_config->{'encryption_key'}) || $pa_config->{'encryption_key'} eq '');
|
||||
|
||||
# Decrypt the password.
|
||||
my $decrypted_password = enterprise_hook ('pandora_decrypt', [$pa_config, $password, $pa_config->{'encryption_key'}]);
|
||||
return $password unless defined($decrypted_password);
|
||||
|
||||
return $decrypted_password;
|
||||
}
|
||||
|
||||
# End of function declaration
|
||||
# End of defined Code
|
||||
|
||||
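Review bot: pandora_input_password falls back to plain text when encryption is configured but fails: with a non-empty `encryption_key`, `return $password unless defined($encrypted_password);` stores the credential unencrypted and nothing is logged. I would log before that return, e.g. `logger($pa_config, 'Password encryption failed, storing the value unencrypted.', 3) unless defined($encrypted_password);`. pandora_output_password has the mirror case, where a failed decryption hands the stored ciphertext to the caller as if it were the password. Both subs also test `$password eq ''` without a defined check, and the SNMP v3 branch in pandora_create_module_from_hash passes `custom_string_2` unchecked, so `return '' if (!defined($password) || $password eq '');` would avoid the undef warning with the same result.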
|
|
|
@ -344,10 +344,10 @@ sub pandora_query_snmp ($$$) {
|
|||
|
||||
my $snmp_version = $module->{"tcp_send"}; # (1, 2, 2c or 3)
|
||||
my $snmp3_privacy_method = $module->{"custom_string_1"}; # DES/AES
|
||||
my $snmp3_privacy_pass = $module->{"custom_string_2"};
|
||||
my $snmp3_privacy_pass = pandora_output_password($pa_config, $module->{"custom_string_2"});
|
||||
my $snmp3_security_level = $module->{"custom_string_3"}; # noAuthNoPriv|authNoPriv|authPriv
|
||||
my $snmp3_auth_user = $module->{"plugin_user"};
|
||||
my $snmp3_auth_pass = $module->{"plugin_pass"};
|
||||
my $snmp3_auth_pass = pandora_output_password($pa_config, $module->{"plugin_pass"});
|
||||
my $snmp3_auth_method = $module->{"plugin_parameter"}; #MD5/SHA1
|
||||
my $snmp_community = $module->{"snmp_community"};
|
||||
my $snmp_target = $module->{"ip_target"};
|
||||
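Review bot: Decryption of `custom_string_2` is unconditional here, while the write path in pandora_create_module_from_hash encrypts that column only for module types 15 to 18 with `tcp_send == 3`. For a module that is not SNMP v3, or a row stored before a key was configured, `pandora_output_password` receives a value that was never encrypted, and what comes back depends on how the decrypt hook treats non-ciphertext (not visible on this page). Gating on the version read just above keeps the two paths symmetric: `my $snmp3_privacy_pass = (defined($snmp_version) && $snmp_version eq '3') ? pandora_output_password($pa_config, $module->{"custom_string_2"}) : $module->{"custom_string_2"};`. pandora_query_snmp continues outside the hunk.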
|
|
|
@ -186,8 +186,10 @@ sub data_consumer ($$) {
|
|||
{
|
||||
my $macro_field = safe_output($macros{$macro_id}{'macro'});
|
||||
my $macro_desc = safe_output($macros{$macro_id}{'desc'});
|
||||
my $macro_value = safe_output($macros{$macro_id}{'value'});
|
||||
|
||||
my $macro_value = (defined($macros{$macro_id}{'hide'}) && $macros{$macro_id}{'hide'} eq '1') ?
|
||||
pandora_output_password($pa_config, safe_output($macros{$macro_id}{'value'})) :
|
||||
safe_output($macros{$macro_id}{'value'});
|
||||
|
||||
# build parameters to invoke plugin
|
||||
$parameters =~ s/$macros{$macro_id}{'macro'}/$macro_value/g;
|
||||
|
||||
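Review bot: The hidden-macro branch decodes before decrypting, `pandora_output_password($pa_config, safe_output(...))`, whereas the SNMP and WMI read paths in this commit pass the raw column to `pandora_output_password` and the non-hidden branch returns `safe_output()` of the value. If the writer encrypts a value that had already been through safe_input (the code that stores macros is not on this page), the decrypted password reaches the plugin still encoded. Please confirm the order against the writer and record it in a comment, e.g. `# Hidden macros are stored as safe_input(encrypt(value)).` The decrypted value is then substituted into `$parameters` for the plugin invocation, so it also needs whatever quoting the execution step outside this hunk expects.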
|
|
|
@ -667,6 +667,9 @@ sub md5 ($) {
|
|||
return "";
|
||||
}
|
||||
|
||||
# Initialize once.
|
||||
md5_init() if (!defined($R[0]));
|
||||
|
||||
# Note: All variables are unsigned 32 bits and wrap modulo 2^32 when calculating
|
||||
|
||||
# Initialize variables
|
||||
|
|
|
@ -145,7 +145,7 @@ sub data_consumer ($$) {
|
|||
# Build command to execute
|
||||
my $wmi_command = '';
|
||||
if (defined ($module->{'plugin_pass'}) && $module->{'plugin_pass'} ne "") {
|
||||
$wmi_command = $pa_config->{'wmi_client'} . ' -U "' . $module->{'plugin_user'} . '"%"' . $module->{'plugin_pass'} . '"';
|
||||
$wmi_command = $pa_config->{'wmi_client'} . ' -U "' . $module->{'plugin_user'} . '"%"' . pandora_output_password($pa_config, $module->{'plugin_pass'}) . '"';
|
||||
}
|
||||
elsif (defined ($module->{'plugin_user'}) && $module->{'plugin_user'} ne "") {
|
||||
$wmi_command = $pa_config->{'wmi_client'} . ' -U "' . $module->{'plugin_user'} . '"';
|
||||
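Review bot: The decrypted password is concatenated into a double-quoted shell fragment, `'"%"' . pandora_output_password(...) . '"'`. A password containing `"`, `$`, a backtick or a backslash will therefore break the quoting or be expanded if `$wmi_command` is later run through a shell (the execution is outside this hunk). The clear-text secret also ends up in the client's argument list, which local users can usually read from the process table. Prefer escaping the value before concatenation, or building an argument list and running the client without a shell, and check whether the WMI client can read credentials from a file instead of taking them via `-U`. data_consumer continues outside the hunk.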
|
|