[Freeipmi-devel] best practices and small IPMI toolz online


From: dan farmer
Subject: [Freeipmi-devel] best practices and small IPMI toolz online
Date: Tue, 26 Feb 2013 16:37:10 -0800

Hi folks (sorry if you're on multiple lists - some folks complained the last
time I sent out something that their list wasn't included, so I'm sending it 
to a few IPMI lists and I'm not going to cross-post - sorry for the I-spam!)

FYI, I have a draft version of some IPMI best practices that some of you 
folks helped out with; it's at:


(Sorry to the PDF haters; there will be a text version as it gets closer to completion,
it's just a bit painful to keep two versions in sync.  I also thanked a few people;
I'll take your name off if you don't want to be associated with such a doc or me.)

I also wrote a few small IPMI tools (mostly draft status as well, but they do
appear to work, or do what I think they should, at least) that do security audity-
things with BMCs/IPMI:


The first is a one-packet auditing tool (you could do the same parsing other tool
outputs, but this seems easier and less reliant on external stuff):


It's pretty heavily commented; it's interesting how much information they pack into
the reply to a "Get Channel Authentication Capability", which you can do without 
any authentication - 10 discrete security issues are returned, and among other 
things you can find out if anonymous logins are enabled and in use as well as 
if null usernames are allowed (which seem just stupid to give out, security-wise, 
but hey, no one asked me!)

Two more little tools (also in python); one that sucks IPMI configuration data 
from a remote BMC and spits it all out in a JSON file, and a 2nd that attempts
to audit the results of the first and give out some warnings on potential problems
(based on the things in the document above):


Perversely I read plain text from IPMI tools, change it to JSON, and then
emit text again :)  This is hopefully because I'm simply testing out the stuff, not
because I'm a complete idiot, but time will tell (or already has.)  Mostly because
I'm not sure what the final thing will look like.  There are some items I'm not sure 
how to test for, at least easily - if anyone has any ideas I'm all ears!  Ditto with
thoughts on output or something; I thought JSON might be fun since it's so
simple to manipulate with web/javascript/etc. stuff.

Certainly these aren't meant to be deathless programs or the last word on IPMI 
security or anything; just trying to toss a few more coins into the knowledge 
fountain.

Any feedback is certainly more than welcome, and again sorry for various list
posting.

dan

¸¸.·´¯`·.¸><(((º>
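
The unauthenticated "Get Channel Authentication Capabilities" reply discussed in the message above can be decoded as follows. This is an added example, not dan farmer's tool and not FreeIPMI code. It parses the response data bytes that follow the completion code, using the bit layout from the IPMI v2.0 specification. The function names, the sample bytes and the choice of which settings to warn about are assumptions of this example.

```python
# Added example: decode the data bytes of a "Get Channel Authentication
# Capabilities" response (the bytes after the completion code).
# Names, sample bytes and the warning policy are this example's assumptions.
V15_AUTH_TYPES = {0: "none", 1: "MD2", 2: "MD5",
                  4: "straight password/key", 5: "OEM proprietary"}

def parse_auth_capabilities(data: bytes) -> dict:
    """Decode channel, auth-type, login-status and extended-capability bytes."""
    if len(data) < 8:
        raise ValueError("need 8 data bytes after the completion code")
    channel, auth, status, ext = data[0], data[1], data[2], data[3]
    extended = bool(auth & 0x80)          # ext byte is only valid when set
    return {
        "channel": channel,
        "auth_types": [n for bit, n in V15_AUTH_TYPES.items() if auth & (1 << bit)],
        "kg_nonzero": bool(status & 0x20),
        "per_message_auth": not status & 0x10,   # bit set = disabled
        "user_level_auth": not status & 0x08,    # bit set = disabled
        "non_null_usernames": bool(status & 0x04),
        "null_usernames": bool(status & 0x02),
        "anonymous_login": bool(status & 0x01),
        "ipmi_v20": extended and bool(ext & 0x02),
        "ipmi_v15": bool(ext & 0x01) if extended else True,
        "oem_id": int.from_bytes(data[4:7], "little"),
    }

def audit(caps: dict) -> list:
    """Return warnings for settings that weaken authentication on the channel."""
    checks = [
        (caps["anonymous_login"], "anonymous login (null username and password) enabled"),
        (caps["null_usernames"], "null usernames are enabled"),
        ("none" in caps["auth_types"], "authentication type 'none' is enabled"),
        ("straight password/key" in caps["auth_types"],
         "password is sent without hashing (straight password/key)"),
        ("MD2" in caps["auth_types"], "MD2 authentication is enabled"),
        (not caps["per_message_auth"], "per-message authentication is disabled"),
        (not caps["user_level_auth"], "user-level authentication is disabled"),
    ]
    return [msg for hit, msg in checks if hit]

# Constructed sample (not captured from a real BMC): channel 1, auth types
# none + MD5 + straight password, per-message auth off, all three login bits set.
SAMPLE = bytes([0x01, 0x95, 0x17, 0x03, 0x00, 0x00, 0x00, 0x00])

if __name__ == "__main__":
    for warning in audit(parse_auth_capabilities(SAMPLE)):
        print("WARNING:", warning)
```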

