I have configured both the Monitoring module and the IcingaDB Web module on one of our Icinga master servers.
I noticed a difference in how sensitive custom variables are displayed:
- In the Monitoring module / tactical view, credentials stored under custom variables are hidden or masked correctly.
- In the IcingaDB Web module, the same credentials are visible in plain text under the variables section.
This creates a security concern, because users who can access IcingaDB Web are able to see sensitive values directly.
I would like to understand:
- Is this expected behavior in IcingaDB Web?
- Is there any way to mask or hide sensitive custom variables there?
- What is the recommended best practice for storing credentials securely when using IcingaDB?
Example:
A custom variable containing credentials is masked in the Monitoring module, but the same value is shown in clear text in IcingaDB Web.
Environment:
Icinga Web 2 Version: 2.12.6
Icinga 2 version (icinga2 --version): r2.15.2-1
Icinga DB / IcingaDB Web version: 1.3.0
Operating System and version: RHEL 9
Webserver, PHP versions: PHP 8.3.29
Additional notes:
This behavior is reproducible on our side and appears to be consistent for custom variables containing credentials.
Any clarification or recommendation would be appreciated.