Различия

Здесь показаны различия между двумя версиями данной страницы.

--- freebsd:cacti [2020/01/06 21:28]
alex
+++ freebsd:cacti [2021/11/13 16:54] (текущий)
alex
@@ Строка 281: / Строка 281: @@
+Из файла ///usr/local/share/cacti/include/config.php.sample// создаю файл конфигурации в котором указываю пользователя и пароль базы данных cacti.
+загружаю временные зоны в MySQL
+  mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql
+В папке ///var/log/cacti// создаю файл для логов **log**  и задаю права доступа www:www
+  touch /var/log/cacti/log
+Меняю права доступа к папке cacti
+  chown -R www:www /usr/local/share/cacti/
+Создаю папку и меняю права доступа
+  mkdir -p /usr/local/share/cacti/log/
+  chown -R www:www /usr/local/share/cacti/log/
+В браузере набираю cacti.klotik.ru. На приглашение логина и пароля набираю **admin/admin**. Cacti предложит сменить пароль.
+  Input Validation Whitelist Protection
+  Cacti Data Input methods that call a script can be exploited in ways that a non-administrator can perform damage
+  to either files owned by the poller account, and in cases where someone runs the Cacti poller as root, can
+  compromise the operating system allowing attackers to exploit your infrastructure.
-  mysqladmin -uroot -p create cacti
-  Enter password:
-  mysql -u root -p
+  Therefore, several versions ago, Cacti was enhanced to provide Whitelist capabilities on the these types of Data
-  Enter password:
+  Input Methods. Though this does secure Cacti more thouroughly, it does increase the amount of work required by
+  the Cacti administrator to import and manage Templates and Packages.
-  > show databases;
+  The way that the Whitelisting works is that when you first import a Data Input Method, or you re-import a Data
-  +--------------------+
+  Input Method, and the script and or aguments change in any way, the Data Input Method, and all the corresponding
-  | Database           |
+  Data Sources will be immediatly disabled until the administrator validates that the Data Input Method is valid.
-  +--------------------+
-  | information_schema |
-  | cacti              |
-  | mysql              |
-  | performance_schema |
-  | sys                |
-  +--------------------+
-rows in set (0.00 sec)
-  > CREATE USER 'cacti'@'localhost' IDENTIFIED BY 'rfRn3c_rkjn';
+  To make identifying Data Input Methods in this state, we have provided a validation script in Cacti's CLI
-  > CREATE USER 'cacti'@'10.215.130.21' IDENTIFIED BY 'rfRn3c_rkjn';
+  directory that can be run with the following options:
-  > GRANT ALL ON `cacti`.* TO 'cacti'@'10.215.130.21';
-  > GRANT SELECT ON `mysql`.`time_zone_name` TO 'cacti'@'10.215.130.21';
-  > FLUSH PRIVILEGES;
-  > use mysql
+  php -q input_whitelist.php --audit - This script option will search for any Data Input Methods that are currently
-  > SELECT Host,User FROM user;
+  banned and provide details as to why.
-  +---------------+---------------+
+  php -q input_whitelist.php --update - This script option un-ban the Data Input Methods that are currently banned.
-  | Host          | User          |
+  php -q input_whitelist.php --push - This script option will re-enable any disabled Data Sources.
-  +---------------+---------------+
+  It is strongly suggested that you update your config.php to enable this feature by uncommenting the
-  | 10.215.130.21 | cacti         |
+  $input_whitelist variable and then running the three CLI script options above after the web based install has completed.
-  | localhost     | cacti         |
-  | localhost     | mysql.session |
-  | localhost     | mysql.sys     |
-  | localhost     | root          |
-  +---------------+---------------+
-rows in set (0.00 sec)
-  > quit;
-Добавляю в созданную базу данных таблицы
-  root@jail_2:~ # mysql --database=cacti -h 10.215.130.20 -u cacti -p < /usr/local/share/cacti/cacti.sql
-  mysql -h 10.215.130.20 -u cacti -prfRn3c_rkjn
-  > use cacti
-  > show tables;
-  +-------------------------------------+
-  | Tables_in_cacti                     |
-  +-------------------------------------+
-  | aggregate_graph_templates           |
-  | aggregate_graph_templates_graph     |
-  | aggregate_graph_templates_item      |
-  | aggregate_graphs                    |
-  | aggregate_graphs_graph_item         |
-  | aggregate_graphs_items              |
-  | automation_devices                  |
-  | automation_graph_rule_items         |
-  | automation_graph_rules              |
-  | automation_ips                      |
-  | automation_match_rule_items         |
-  | automation_networks                 |
-  | automation_processes                |
-  | automation_snmp                     |
-  | automation_snmp_items               |
-  | automation_templates                |
-  | automation_tree_rule_items          |
-  | automation_tree_rules               |
-  | cdef                                |
-  | cdef_items                          |
-  | color_template_items                |
-  | color_templates                     |
-  | colors                              |
-  | data_debug                          |
-  | data_input                          |
-  | data_input_data                     |
-  | data_input_fields                   |
-  | data_local                          |
-  | data_source_profiles                |
-  | data_source_profiles_cf             |
-  | data_source_profiles_rra            |
-  | data_source_purge_action            |
-  | data_source_purge_temp              |
-  | data_source_stats_daily             |
-  | data_source_stats_hourly            |
-  | data_source_stats_hourly_cache      |
-  | data_source_stats_hourly_last       |
-  | data_source_stats_monthly           |
-  | data_source_stats_weekly            |
-  | data_source_stats_yearly            |
-  | data_template                       |
-  | data_template_data                  |
-  | data_template_rrd                   |
-  | external_links                      |
-  | graph_local                         |
-  | graph_template_input                |
-  | graph_template_input_defs           |
-  | graph_templates                     |
-  | graph_templates_gprint              |
-  | graph_templates_graph               |
-  | graph_templates_item                |
-  | graph_tree                          |
-  | graph_tree_items                    |
-  | host                                |
-  | host_graph                          |
-  | host_snmp_cache                     |
-  | host_snmp_query                     |
-  | host_template                       |
-  | host_template_graph                 |
-  | host_template_snmp_query            |
-  | plugin_config                       |
-  | plugin_db_changes                   |
-  | plugin_hooks                        |
-  | plugin_realms                       |
-  | poller                              |
-  | poller_command                      |
-  | poller_data_template_field_mappings |
-  | poller_item                         |
-  | poller_output                       |
-  | poller_output_boost                 |
-  | poller_output_boost_processes       |
-  | poller_output_realtime              |
-  | poller_reindex                      |
-  | poller_resource_cache               |
-  | poller_time                         |
-  | reports                             |
-  | reports_items                       |
-  | sessions                            |
-  | settings                            |
-  | settings_tree                       |
-  | settings_user                       |
-  | settings_user_group                 |
-  | sites                               |
-  | snmp_query                          |
-  | snmp_query_graph                    |
-  | snmp_query_graph_rrd                |
-  | snmp_query_graph_rrd_sv             |
-  | snmp_query_graph_sv                 |
-  | snmpagent_cache                     |
-  | snmpagent_cache_notifications       |
-  | snmpagent_cache_textual_conventions |
-  | snmpagent_managers                  |
-  | snmpagent_managers_notifications    |
-  | snmpagent_mibs                      |
-  | snmpagent_notifications_log         |
-  | user_auth                           |
-  | user_auth_cache                     |
-  | user_auth_group                     |
-  | user_auth_group_members             |
-  | user_auth_group_perms               |
-  | user_auth_group_realm               |
-  | user_auth_perms                     |
-  | user_auth_realm                     |
-  | user_domains                        |
-  | user_domains_ldap                   |
-  | user_log                            |
-  | vdef                                |
-  | vdef_items                          |
-  | version                             |
-  +-------------------------------------+
-rows in set (0.03 sec)
-  root@klotik:/usr/local/etc/mysql# mysql --database=cacti -uroot -p < /usr/local/share/cacti/cacti.sql
-  Enter password:
-  root@klotik:/usr/local/etc/mysql# mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql
-  Enter password:
-  Warning: Unable to load '/usr/share/zoneinfo/Factory' as time zone. Skipping it.
-  Warning: Unable to load '/usr/share/zoneinfo/zone.tab' as time zone. Skipping it.
-В /usr/local/share/cacti/include/config.php добавил строку
-date_default_timezone_set( 'Europe/Moscow' );
-Выполняю инструкцию
+  Check the Checkbox below to acknowledge that you have read and understand this security concern
-# mysqladmin -uroot -p create cacti
-Enter password:
-root@localhost [(none)]> CREATE USER 'cacti'@'localhost' IDENTIFIED BY 'rfRnec_rkjn';
-Query OK, 0 rows affected (0.41 sec)
-root@localhost [(none)]> FLUSH PRIVILEGES;
-Query OK, 0 rows affected (0.20 sec)
-root@localhost [(none)]> GRANT ALL ON `cacti`.* TO 'cacti'@'localhost';
-Query OK, 0 rows affected (0.05 sec)
-root@localhost [(none)]> GRANT ALL ON `cacti`.* TO 'cacti'@'localhost';
-Query OK, 0 rows affected (0.04 sec)
-root@localhost [(none)]> GRANT SELECT ON `mysql`.`time_zone_name` TO 'cacti'@'localhost';
-Query OK, 0 rows affected (0.04 sec)
-root@localhost [(none)]> FLUSH PRIVILEGES;
-Query OK, 0 rows affected (0.02 sec)
-root@localhost [(none)]> exit
-Bye
-root@klotik:~ # mysql --database=cacti -ucacti -p < /usr/local/share/cacti/cacti.sql
-Enter password:
-ERROR 1045 (28000): Access denied for user 'cacti'@'localhost' (using password: YES)
-root@klotik:~ # mysql --database=cacti -ucacti -p < /usr/local/share/cacti/cacti.sql
-Enter password:
-root@klotik:~ # mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql
-Enter password:
-Warning: Unable to load '/usr/share/zoneinfo/Factory' as time zone. Skipping it.
-Warning: Unable to load '/usr/share/zoneinfo/zone.tab' as time zone. Skipping it.
-Из файла
-/usr/local/share/cacti/include/config.php.sample создаю файл конфигурации в котором указываю пользователя и пароль базы данных cacti.
@@ Строка 542: / Строка 340: @@
+=== Обновление старого cacti ===
-Installing cacti-0.8.8h...
-===> Creating groups.
-Using existing group 'cacti'.
-===> Creating users
-Using existing user 'cacti'.
-=======================================================================
-Cacti is now installed. If you intall it for the first time,
-you may have to follow this steps to make it work correctly:
-. Create the MySQL database, a cacti user, and initialize:
-   a) CREATE DATABASE cacti;
-   b) Create a mysql user/password for cacti:
-      CREATE USER 'cacti'@'localhost' IDENTIFIED BY 'password';
-      FLUSH PRIVILEGES;
-   c) Add GRANTS:
-      GRANT ALL ON cacti.* TO 'cacti'@'localhost';
-      FLUSH PRIVILEGES;
-   d) Import the default cacti database:
-      mysql --database=cacti -ucacti -p < /usr/local/share/cacti/cacti.sql
- NOTE:
-   * Cacti does not LOCK TABLES.
-. Edit /usr/local/share/cacti/include/config.php from the template
-   config.php.orig.
-   PHP requires the time zone to be explicitly set rather that rely on
-   the system time zone, otherwise poller complains. I added the
-   following line to my config.php:
-   date_default_timezone_set('America/Los_Angeles');
-. Add the following line to cron for cacti:
-*/5 * * * * /usr/local/bin/php /usr/local/share/cacti/poller.php > /dev/null 2>&1
-. Example Apache 2.4 configuration:
-   LoadModule php5_module  libexec/apache22/libphp5.so
-   <FilesMatch "\.php$">
-       SetHandler application/x-httpd-php
-   </FilesMatch>
-   <FilesMatch "\.phps$">
-       SetHandler application/x-httpd-php-source
-   </FilesMatch>
-   DirectoryIndex index.php
-   DocumentRoot "/usr/local/share/cacti"
-   Alias /cacti "/usr/local/share/cacti/"
-   Alias /Cacti "/usr/local/share/cacti/"
-   <Directory "/usr/local/share/cacti">
-      Require all granted
-      AllowOverride None
-      Order Allow,deny
-      Allow from all
-   </Directory>
-. Open a Cacti login page in your web browser and login with
-   admin/admin.
-If you update cacti, open a login page and an updating process will
-start automatically.
-NOTEs as of 10Aug2014:
-) Cacti now better supports hier(7)
-   a) Cacti log files are now found under /var/log/cacti where you can
-      manage them using newsyslog.
-   b) Cacti RRD files are now found under /var/db/cacti/rra.
-   If you have an existing Cacti installation these paths are also
-   found in Cacti's SQL database and MUST be updated. These two SQL
-   commands should do the trick:
-   UPDATE settings SET value='/var/log/cacti/log' \
-     WHERE name='path_cactilog';
-   UPDATE poller_item SET rrd_path=\
-     REPLACE(rrd_path,'/usr/local/share/cacti/rra','/var/db/cacti/rra') \
-     WHERE rrd_path REGEXP '^/usr/local/share/cacti/rra';
-) The PERL paths in the Cacti PERL scripts have been updated to
-   /usr/local/bin.
-Other Erratas:
-Mount linprocfs in /compat/linux/proc will alow most scripts to work.
-=======================================================================
-===>  Cleaning for php55-mysqli-5.5.38_1
-===>  Cleaning for php55-sockets-5.5.38_1
-===>  Cleaning for cacti-0.8.8h
 После обновления cacti внёс изменения в базу данных MySQL
@@ Строка 702: / Строка 393: @@
   # ln -s /usr/local/lib/libpng16.so.16.23.0 /usr/local/lib/libpng15.so.15
+Ссылки:\\
-root@localhost [(none)]> CREATE USER 'cacti'@'localhost' IDENTIFIED BY 'rfRnec_rkjn';
-ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
-root@localhost [(none)]> CREATE USER 'cacti'@'localhost' IDENTIFIED BY 'rfRn3c_rkjn';
-Query OK, 0 rows affected (0.05 sec)
-root@localhost [(none)]> use mysql
-Database changed
-root@localhost [mysql]> SELECT Host,User FROM user;
-+-----------+---------------+
-| Host      | User          |
-+-----------+---------------+
-| localhost | cacti         |
-| localhost | mysql.session |
-| localhost | mysql.sys     |
-| localhost | root          |
-+-----------+---------------+
-rows in set (0.00 sec)
-root@localhost [mysql]> quit
-Bye
-root@jail_1:/usr/local/etc/mysql# mysql -u root -p
-Enter password:
-Welcome to the MySQL monitor.  Commands end with ; or \g.
-Your MySQL connection id is 6
-Server version: 5.7.25-log Source distribution
-Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
-Oracle is a registered trademark of Oracle Corporation and/or its
-affiliates. Other names may be trademarks of their respective
-owners.
-Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
-root@localhost [(none)]> CREATE USER 'cacti'@'10.215.130.21' IDENTIFIED BY 'rfRn3c_rkjn';
-Query OK, 0 rows affected (0.01 sec)
-root@localhost [(none)]> use mysql
-Database changed
-root@localhost [mysql]> SELECT Host,User FROM user;
-+---------------+---------------+
-| Host          | User          |
-+---------------+---------------+
-| 10.215.130.21 | cacti         |
-| localhost     | cacti         |
-| localhost     | mysql.session |
-| localhost     | mysql.sys     |
-| localhost     | root          |
-+---------------+---------------+
-rows in set (0.00 sec)
 http://dnaeon.github.io/cacti-freebsd/\\
 https://ctopmbi4.wordpress.com/2014/08/29/%D1%83%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%BA%D0%B0-cacti-%D0%BD%D0%B0-freebsd/\\

klotik.ru

Инструменты пользователя

Инструменты сайта

Различия

Инструменты страницы