High-Security Use Case

Hi! Maybe someone can help me with the problem we are facing.
We have an OT environment with Windows servers that is otherwise airgapped. We need to monitor those hosts in a way where the monitoring is read-only.

A coworker has told me that Icinga Agents might be able to be configured not to accept configurations from the master, so that you receive metrics but aren’t able to remotely accept commands.
Is this possible? And if so, how? Does anyone have any other ideas?

You can set the attribute accept_config = false for every Windows machine. This is done while running the agent wizard or manually in the file C:\ProgramData\icinga2\etc\icinga2\features-available\api.conf.
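An added audit script (not code from the poster above or from the Icinga project) that reads the api.conf path named in the reply and reports whether the agent is read-only from the master's point of view. It assumes the stock Icinga 2 Windows install location from the post, and it also checks accept_commands, a second ApiListener attribute the reply does not mention that controls whether the master may execute commands on the agent. Both attributes default to false when absent.

```powershell
# Added example: audit an Icinga 2 Windows agent's api.conf for the two
# ApiListener attributes that decide what the master may push to this host.
# Path is the one given in the reply; accept_commands is an assumption-free
# real attribute but is not mentioned in the thread itself.

$ApiConf = 'C:\ProgramData\icinga2\etc\icinga2\features-available\api.conf'

function Get-ApiListenerSetting {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name
    )
    # Matches uncommented lines such as:   accept_config = false
    # Lines commented out with // do not match because of the ^\s* anchor.
    $pattern = '^\s*' + [regex]::Escape($Name) + '\s*=\s*(true|false)\s*$'
    foreach ($line in Get-Content -Path $Path -ErrorAction Stop) {
        if ($line -match $pattern) { return $matches[1] }
    }
    return $null   # attribute absent: Icinga 2 uses its default, which is false
}

function Test-AgentReadOnly {
    param([string] $Path = $ApiConf)
    $acceptConfig   = Get-ApiListenerSetting -Path $Path -Name 'accept_config'
    $acceptCommands = Get-ApiListenerSetting -Path $Path -Name 'accept_commands'
    # Read-only means neither attribute is explicitly set to true.
    $readOnly = ($acceptConfig -ne 'true') -and ($acceptCommands -ne 'true')
    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        accept_config   = if ($null -eq $acceptConfig)   { '(default: false)' } else { $acceptConfig }
        accept_commands = if ($null -eq $acceptCommands) { '(default: false)' } else { $acceptCommands }
        ReadOnly        = $readOnly
    }
}

Test-AgentReadOnly | Format-List
```

Run it in an elevated PowerShell on each agent; a ReadOnly value of False points at the attribute to change. After editing api.conf, `Restart-Service icinga2` is needed before the change takes effect. The line-based parse ignores `//` comments but does not understand `/* ... */` block comments, so a setting inside a block comment would be reported as if it were live.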

@rsx Which checks can be executed if the agent has no config/gets no config updates?
Or would that mean copying the config to each Windows machine "by hand"?

@unpowered You can go for passive check results and a Windows task scheduler to execute them. This is very inconvenient to manage, but there is no chance that any other device writes to your Windows machines.
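An added example of the passive-check approach described in that reply (not code from the poster or from the Icinga project): a script a Windows task scheduler job runs locally, which then pushes the result to the master over the Icinga 2 REST API action `/v1/actions/process-check-result`. The monitored host opens the connection; nothing on the master needs to reach into it. The master name, API user name and secret file path are placeholders; the script assumes a Host and Service object with that name already exist on the master with active checks disabled, an ApiUser with the `actions/process-check-result` permission, and the Icinga CA certificate imported into the Windows trust store.

```powershell
# Added example: local check executed by Task Scheduler, result submitted as a
# passive check result to the Icinga 2 master. All names below are placeholders.

$Master   = 'icinga-master.example.invalid'   # placeholder: master or satellite FQDN
$ApiUser  = 'passive-submitter'               # placeholder: ApiUser with actions/process-check-result
$ApiPass  = (Get-Content -Path 'C:\ProgramData\icinga2\passive-api.secret' -Raw).Trim()  # placeholder, ACL it to SYSTEM/admins
$HostName = $env:COMPUTERNAME                 # must equal the Host object name on the master

function Get-DiskCheckResult {
    # Example local check: free space on C:. Thresholds are constructed example values.
    $drive   = Get-PSDrive -Name C
    $freePct = [math]::Round(100 * $drive.Free / ($drive.Used + $drive.Free), 1)
    $status  = if ($freePct -lt 5) { 2 } elseif ($freePct -lt 15) { 1 } else { 0 }  # 0=OK 1=WARN 2=CRIT
    [pscustomobject]@{
        ExitStatus = $status
        Output     = "DISK C: $freePct% free"
        PerfData   = @("c_free_pct=$freePct%;15;5;0;100")
    }
}

function Send-PassiveResult {
    param(
        [Parameter(Mandatory)] [string] $Service,
        [Parameter(Mandatory)] [int]    $ExitStatus,
        [Parameter(Mandatory)] [string] $Output,
        [string[]] $PerfData = @()
    )
    # filter_vars keeps host/service names out of the filter expression itself.
    $body = @{
        type             = 'Service'
        filter           = 'host.name==hostname && service.name==service'
        filter_vars      = @{ hostname = $HostName; service = $Service }
        exit_status      = $ExitStatus
        plugin_output    = $Output
        performance_data = @($PerfData)
        check_source     = $HostName
    } | ConvertTo-Json -Depth 4

    # Explicit Basic header works on both Windows PowerShell 5.1 and PowerShell 7.
    $auth = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${ApiUser}:${ApiPass}"))
    Invoke-RestMethod -Method Post `
        -Uri "https://${Master}:5665/v1/actions/process-check-result" `
        -Headers @{ Accept = 'application/json'; Authorization = "Basic $auth" } `
        -ContentType 'application/json' -Body $body
}

$r = Get-DiskCheckResult
Send-PassiveResult -Service 'disk-c' -ExitStatus $r.ExitStatus -Output $r.Output -PerfData $r.PerfData
```

Register the script as a scheduled task running as SYSTEM on whatever interval the service's freshness check expects; the local Icinga 2 agent service plays no part, so the host stays read-only even if the master is compromised. Keep the ApiUser limited to that single permission so a leaked secret cannot be used to change configuration or run commands elsewhere.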

@moreamazingnick This is a job for a DevOps tool like Ansible, etc.

I thought of that; that's why the "by hand" is in quotation marks.
But isn't that super annoying, not being able to use like everything that makes icinga2 configuration friendly (config deployment, Director)? Has anyone done that? It sounds super interesting, but thinking of it, I would prefer passive checks over that and manage them with Ansible…

We have started with director and the default config sync. It works of course, but:

  • this concept was declined by our security experts
  • in large deployments we prefer to not reload everything at the same time
  • we are unhappy to reload to make changes active anyway

Hence, we're currently redesigning our solution without Director and managing changes with Ansible directly with files and/or via the REST API. But of course, this is overkill for small deployments.