[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Freeipmi-devel] best practices and small IPMI toolz online

From: dan farmer
Subject: [Freeipmi-devel] best practices and small IPMI toolz online
Date: Tue, 26 Feb 2013 16:37:10 -0800

Hi folks (sorry if you're on multiple lists - some folks complained the last
time I sent out something that their list wasn't included, so I'm sending it 
to a few IPMI lists and I'm not going to cross-post - sorry for the I-spam!)

FYI, I have a draft version of some IPMI best practices that some of you 
folks helped out with; it's at:

(Sorry to the PDF haters; there will be a text version as it gets closer to completion,
it's just a bit painful to keep two versions in sync.  I also thanked a few people;
I'll take your name off if you don't want to be associated with such a doc or me.)

I also wrote a few small IPMI tools (mostly draft status as well, but they do
appear to work, or do what I think they should, at least) that do security audity-
things with BMCs/IPMI:

The first is a one-packet auditing tool (you could do the same parsing other tool
outputs, but this seems easier and less reliant on external stuff):

It's pretty heavily commented; it's interesting how much information they pack into
the reply to a "Get Channel Authentication Capability", which you can do without 
any authentication - 10 discrete security issues are returned, and among other 
things you can found out if anonymous logins are enabled and in use as well as 
if null usernames are allowed (which seem just stupid to give out, security-wise, 
but hey, no one asked me!)

Two more little tools (also in python); one that sucks IPMI configuration data 
from a remote BMC and spits it all out in a JSON file, and a 2nd that attempts
to audit the results of the first and give out some warnings on potential problems
(based on the things in the document above):

Perversely I read plain text from IPMI tools, change it to JSON, and then
emit text again :)  This is hopefully because I'm simply testing out the stuff, not
because I'm a complete idiot, but time will tell (or already has.)  Mostly because
I'm not sure what the final thing will look like.  There are some items I'm not sure 
how to test for, at least easily - if anyone has any ideas I'm all ears!  Ditto with
thoughts on output or something; I thought JSON might be fun since it's so
simple to manipulate with web/_javascript_/etc. stuff.

Certainly these aren't meant to be deathless programs or the last word on IPMI 
security or anything; just trying to toss a few more coins into the knowledge 

Any feedback is certainly more than welcome, and again sorry for various list



reply via email to

[Prev in Thread] Current Thread [Next in Thread]