Difference between revisions of "DPM Argus Integration"
Revision as of 10:31, 8 June 2016
While compute systems perform regular callouts to ARGUS for security purposes, DPM's architecture is not well suited to the same process. DPM can instead be integrated with a site ARGUS using the dpm-argus package. This package provides a single tool, dpns-arguspoll, which calls out to a specified ARGUS server, retrieves the ban list from it, and adds it to DPM's internal list of "banned DNs".
dpns-arguspoll can be run once by invoking it on the DPM head node, or on any other node that has sufficient database and security permissions with respect to DPM and has $DPNS_HOST set to point at the DPM head:
dpns-arguspoll TAG https://MY-ARGUS-SERVER:8154/authz
where TAG is an arbitrary name which is appended to the call to ARGUS so it can be tracked in logs, and "MY-ARGUS-SERVER" should be replaced with the hostname of your ARGUS server.
In order to have useful integration, it is advisable to poll ARGUS fairly frequently (the lookup is not trivial, but is relatively light). For example, you can set up an hourly cron job like:
# cat /etc/cron.hourly/poll-argus
#!/bin/sh
# Sync DPM's internal user banning states from argus
export DPNS_HOST=MYDPMHEADNODE
dpns-arguspoll TAG https://MY-ARGUS-SERVER:8154/authz 2>/dev/null
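Because the cron job above sends stderr to /dev/null, a failed poll leaves DPM's ban list out of date without any trace. The following variant is an added example, not part of the dpm-argus package: it logs failures to syslog and flags a stale ban list. It assumes dpns-arguspoll exits non-zero on failure; the stamp file path, syslog tag and MAX_AGE value are hypothetical choices.

```sh
#!/bin/sh
# Added example: hourly ARGUS poll that keeps failures visible.
# Assumption: dpns-arguspoll exits non-zero when the poll fails.
export DPNS_HOST="${DPNS_HOST:-MYDPMHEADNODE}"
ARGUS_URL="${ARGUS_URL:-https://MY-ARGUS-SERVER:8154/authz}"
ARGUS_TAG="${ARGUS_TAG:-TAG}"
STAMP="${STAMP:-/var/run/poll-argus.last-ok}"   # hypothetical path
MAX_AGE="${MAX_AGE:-7200}"                      # seconds: two missed hourly runs

# log PRIORITY MESSAGE: syslog if available, stderr (cron mail) otherwise.
log() {
    logger -t poll-argus -p "$1" "$2" 2>/dev/null || echo "poll-argus[$1]: $2" >&2
}

# poll_argus CMD...: run the poll, record the time of success,
# and log the captured stderr (first 500 characters) on failure.
poll_argus() {
    errfile=$(mktemp) || return 1
    if "$@" 2>"$errfile"; then
        rc=0
        date +%s >"$STAMP"
    else
        rc=$?
        log auth.err "ban list sync failed (exit $rc): $(tr '\n' ' ' <"$errfile" | cut -c1-500)"
    fi
    rm -f "$errfile"
    return "$rc"
}

# sync_is_stale NOW: true if there is no successful sync within MAX_AGE seconds.
sync_is_stale() {
    [ -r "$STAMP" ] || return 0
    last=$(cat "$STAMP")
    [ $(( $1 - last )) -gt "$MAX_AGE" ]
}

# Run only when installed under the cron job's name, e.g. /etc/cron.hourly/poll-argus.
if [ "${0##*/}" = poll-argus ]; then
    poll_argus dpns-arguspoll "$ARGUS_TAG" "$ARGUS_URL"
    rc=$?
    if sync_is_stale "$(date +%s)"; then
        log auth.crit "DPM ban list not synced from ARGUS for over $MAX_AGE seconds"
    fi
    exit "$rc"
fi
```

A monitoring check can reuse sync_is_stale against the same stamp file to alert when bans issued in ARGUS are not reaching DPM.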