Fix for bug #1295006 Introduce more secure location of PHP script configs to harden a Cacti setup

roman-vynar · roman-vynar · commit 596df6c7177e · 2014-03-20T09:59:24.000+02:00
diff --git a/Changelog b/Changelog
@@ -1,3 +1,7 @@
+2014-03-20: version 1.1.3
+-------------------------
+* Introduced more secure location of PHP script configs to harden a Cacti setup (bug #1295006)
+
 2014-03-14: version 1.1.2
 -------------------------
 * Added Nagios plugin and Cacti template for Amazon RDS 
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.1.2
+1.1.3
diff --git a/cacti/scripts/ss_get_by_ssh.php b/cacti/scripts/ss_get_by_ssh.php
@@ -61,9 +61,13 @@
 # ============================================================================
 # Include settings from an external config file.
 # ============================================================================
-if ( file_exists(__FILE__ . '.cnf' ) ) {
-   debug("Found configuration file " . __FILE__ . ".cnf");
+if ( file_exists('/etc/cacti/' . basename(__FILE__) . '.cnf' ) ) {
+   require('/etc/cacti/' . basename(__FILE__) . '.cnf');
+   debug('Found configuration file /etc/cacti/' . basename(__FILE__) . '.cnf');
+}
+elseif ( file_exists(__FILE__ . '.cnf' ) ) {
    require(__FILE__ . '.cnf');
+   debug('Found configuration file ' . __FILE__ . '.cnf');
 }
 
 # Make this a happy little script even when there are errors.
@@ -1213,7 +1217,7 @@ function openvz_parse ( $options, $output ) {
             # An intro line or a dummy line
             continue;
          }
-         else if ( $words[0] === 'uid' ) {
+         elseif ( $words[0] === 'uid' ) {
             # It's the header row.  Get the headers into the header array,
             # except for the UID header, which we don't need, and the resource
             # header, which just defines the leftmost header that's in every
diff --git a/cacti/scripts/ss_get_mysql_stats.php b/cacti/scripts/ss_get_mysql_stats.php
@@ -61,11 +61,15 @@
 $version = '$VERSION$';
 
 # ============================================================================
-# Include settings from an external config file (issue 39).
+# Include settings from an external config file.
 # ============================================================================
-if ( file_exists(__FILE__ . '.cnf' ) ) {
-   debug("Found configuration file " . __FILE__ . ".cnf");
+if ( file_exists('/etc/cacti/' . basename(__FILE__) . '.cnf' ) ) {
+   require('/etc/cacti/' . basename(__FILE__) . '.cnf');
+   debug('Found configuration file /etc/cacti/' . basename(__FILE__) . '.cnf');
+}
+elseif ( file_exists(__FILE__ . '.cnf' ) ) {
    require(__FILE__ . '.cnf');
+   debug('Found configuration file ' . __FILE__ . '.cnf');
 }
 
 # Make this a happy little script even when there are errors.
@@ -195,9 +199,9 @@ function usage($message) {
 
    --host      MySQL host
    --items     Comma-separated list of the items whose data you want
-   --user      MySQL username; defaults to $mysql_user if not given
-   --pass      MySQL password; defaults to $mysql_pass if not given
-   --port      MySQL port; defaults to $mysql_port if not given
+   --user      MySQL username
+   --pass      MySQL password
+   --port      MySQL port
    --server-id Server id to associate with a heartbeat if heartbeat usage is enabled
    --nocache   Do not cache results in a file
    --help      Show usage
diff --git a/docs/cacti/hardening-cacti-setup.rst b/docs/cacti/hardening-cacti-setup.rst
@@ -25,13 +25,13 @@ Unfortunately, the folder ``/usr/share/cacti/scripts/`` is not closed by default
 We strongly recommend to close any access from the web for these additional directories or files:
 
 * /usr/share/cacti/scripts/
+* /usr/share/cacti/site/scripts/ (for Debian systems)
 * /usr/share/cacti/cli/
-* /usr/share/cacti/.ssh/
 * /usr/share/cacti/.boto
 
 Here is an example of httpd configuration that can harden your setup (goes to ``/etc/httpd/conf.d/cacti.conf``)::
 
-   <Directory ~ "/usr/share/cacti/(log|rra|scripts|cli|\.ssh|\.boto|.*\.cnf)">
+   <Directory ~ "/usr/share/cacti/(log|rra|scripts|site/scripts|cli|\.boto|\.ssh|.*\.cnf)">
 	<IfModule mod_rewrite.c>
 		Redirect 404 /
 	</IfModule>
@@ -48,3 +48,8 @@ Here is an example of httpd configuration that can harden your setup (goes to ``
 
 Even if you fully password-protected your Cacti installation using HTTP authentication, it is still recommended to double-secure the directories and files listed above.
 
+Outlining the basic rules:
+
+* keep your PHP config files ``ss_get_mysql_stats.php.cnf`` and ``ss_get_by_ssh.php.cnf`` outside the web directory ``/usr/share/cacti/scripts/``. The recommended location is ``/etc/cacti/``.
+* do not put any SSH keys under cacti user home directory which is still the web directory.
+* avoid placing ``.boto`` file under ``~cacti/``, use ``/etc/boto.cfg`` instead (that's for RDS plugins).
diff --git a/docs/cacti/installing-templates.rst b/docs/cacti/installing-templates.rst
@@ -152,12 +152,13 @@ A Configuration File
 --------------------
 
 If you don't want to store the configuration options directly into the PHP
-script file, you can create another file with the same name and the filename
-extension ``.cnf``.  Place this in the same directory as the PHP script file,
-and ensure it is valid PHP.  This file will be included by the PHP script file,
+script file or you want to preserve your settings after the package update,
+you can create another file with the same name and the filename
+extension ``.cnf``.  Place this under ``/etc/cacti/`` and ensure it is valid PHP.
+This file will be included by the PHP script file,
 so you can define the same configuration options there that you might define in
 the PHP script file.  For example, you might create
-``scripts/ss_get_mysql_stats.php.cnf`` with the following contents::
+``/etc/cacti/ss_get_mysql_stats.php.cnf`` with the following contents::
 
    <?php
    $mysql_user = "root";
@@ -179,7 +180,11 @@ A MySQL user should be configured with :ref:`the proper privileges
 
 Securing Your Setup
 -------------------
-Ensure that any files under  ``scripts/`` are not accessible from Web.
+You can also place ``.cnf`` file in the same directory as the PHP script file
+(just to keep the backward compatibility)
+but this is a security risk as ``scripts/`` folder falls under the web directory.
+So ``/etc/cacti/`` is the recommended location for ``.cnf`` file.
+In any case, ensure that any files under ``scripts/`` are not accessible from Web.
 Check out :ref:`Hardening Cacti setup <hardening_cacti_setup>` guide.
 
 Passing Command-Line Arguments
diff --git a/docs/cacti/rds-templates.rst b/docs/cacti/rds-templates.rst
@@ -24,14 +24,19 @@ should have permissions to read the config /etc/boto.cfg or ~cacti/.boto.
 
 For example::
 
-   [root@centos6 ~]# cat ~cacti/.boto 
+   [root@centos6 ~]# cat /etc/boto.cfg
    [Credentials]
    aws_access_key_id = THISISATESTKEY
    aws_secret_access_key = thisisatestawssecretaccesskey 
-   [root@centos6 ~]# chown cacti ~cacti/.boto
-   [root@centos6 ~]# chmod 600 ~cacti/.boto
 
-**IMPORTANT:** Ensure the file ``.boto`` is not accessible from Web.
+If you do not use this config with other tools such as our Nagios plugin,
+you can secure this file the following way::
+
+   [root@centos6 ~]# chown cacti /etc/boto.cfg
+   [root@centos6 ~]# chmod 600 /etc/boto.cfg
+
+**IMPORTANT:** If you decide to create ``~cacti/.boto`` instead, which is not secure
+as it falls under the web directory, ensure this file is not accessible from Web.
 Check out :ref:`Hardening Cacti setup <hardening_cacti_setup>` guide.
 
 Test the script assuming DB instance identifier is ``blackbox``::
diff --git a/docs/cacti/ssh-based-templates.rst b/docs/cacti/ssh-based-templates.rst
@@ -120,11 +120,11 @@ and set the proper configuration variables.  This example shows how to do it
 with an external configuration file, but you can do it any way you please::
 
    debian:~# cp scripts/ss_get_by_ssh.php /usr/share/cacti/site/scripts/
-   debian:~# cat > /usr/share/cacti/site/scripts/ss_get_by_ssh.php.cnf
+   debian:~# cat > /etc/cacti/ss_get_by_ssh.php.cnf
    <?php
    $ssh_user   = 'cacti';
    $ssh_iden   = '-i /etc/cacti/id_rsa';
-   ?>
+
    CTRL-D
 
 If you need a more complex configuration setup, such as connecting to a
@@ -133,7 +133,11 @@ the data templates and accept input in each data source.
 
 Securing Your Setup
 -------------------
-Ensure that any files under  ``scripts/`` are not accessible from Web.
+You can also place ``.cnf`` file in the same directory as the PHP script file
+(just to keep the backward compatibility)
+but this is a security risk as ``scripts/`` folder falls under the web directory.
+So ``/etc/cacti/`` is the recommended location for ``.cnf`` file.
+In any case, ensure that any files under ``scripts/`` are not accessible from Web.
 Check out :ref:`Hardening Cacti setup <hardening_cacti_setup>` guide.
 
 Testing the Setup
diff --git a/nagios/bin/pmp-check-aws-rds.py b/nagios/bin/pmp-check-aws-rds.py
@@ -295,6 +295,10 @@ def main():
   [Credentials]
   aws_access_key_id = THISISATESTKEY
   aws_secret_access_key = thisisatestawssecretaccesskey
+
+If you do not use this config with other tools such as our Cacti script,
+you can secure this file the following way:
+
   [root@centos6 ~]# chown nagios /etc/boto.cfg
   [root@centos6 ~]# chmod 600 /etc/boto.cfg
 
