Hi Devs,
Does an agent authenticate itself to Stratos? If not, is it possible
that an agent could write spoofed events to the MB?
It also looks like the agent has access to the BAM admin user name and
password [1]:

    -Dmonitoring.server.port=<%= @bam_port %>
    -Dmonitoring.server.secure.port=<%= @bam_secure_port %>
    -Dmonitoring.server.admin.username=<%= @bam_username %>
    -Dmonitoring.server.admin.password=<%= @bam_password %>

What damage could someone (e.g. a tenant) do with possession of those
credentials?
Many thanks,
Chris
---
[1]
https://github.com/apache/incubator-stratos/blob/master/tools/puppet3/modules/agent/templates/bin/stratos.sh.erb