Hi Chris,

Since we still don't have a security@ mail, we will use private@ for now.

Thanks

On Mon, May 19, 2014 at 8:33 PM, chris snow <[email protected]> wrote:

> Thanks Nirmal - I'll probably have a few more security questions to
> follow...
>
> Should I post my questions to [email protected]? Or should
> we set up a security@ email address?
>
> On Mon, May 19, 2014 at 2:26 PM, Nirmal Fernando <[email protected]>
> wrote:
> >
> > On Mon, May 19, 2014 at 4:20 PM, chris snow <[email protected]> wrote:
> >>
> >> hi Devs,
> >>
> >> Does an agent authenticate itself to Stratos?
> >
> > Yes, Chris.
> >
> >>
> >> If not, is it possible
> >> that an agent could write spoofed events to the MB?
> >>
> >> It also looks like the agent has access to the bam admin user name and
> >> password [1]:
> >>
> >> -Dmonitoring.server.port=<%= @bam_port %>
> >> -Dmonitoring.server.secure.port=<%= @bam_secure_port %>
> >> -Dmonitoring.server.admin.username=<%= @bam_username %>
> >> -Dmonitoring.server.admin.password=<%= @bam_password %>
> >>
> >> What damage could someone (e.g. a tenant) do with possession of those
> >> credentials?
> >
> > We might need to encrypt them and store in agent's side?!
> >
> >>
> >> Many thanks,
> >>
> >> Chris
> >>
> >> ---
> >> [1]
> >> https://github.com/apache/incubator-stratos/blob/master/tools/puppet3/modules/agent/templates/bin/stratos.sh.erb
> >
> > --
> > Best Regards,
> > Nirmal
> >
> > Nirmal Fernando.
> > PPMC Member & Committer of Apache Stratos,
> > Senior Software Engineer, WSO2 Inc.
> >
> > Blog: http://nirmalfdo.blogspot.com/
>
> --
> Check out my professional profile and connect with me on LinkedIn.
> http://lnkd.in/cw5k69

--
Lakmal Warusawithana
Director - Cloud Architecture; WSO2 Inc.
Mobile : +94714289692
Blog : http://lakmalsview.blogspot.com/
