Forum Discussion
This would be a major security problem if it were possible. I guess what you mean is that they might be able to decrypt the HTTPS traffic back to LM and pull the API keys out of a pcap? The only thing they could do on the box itself would be to decode the process, because the tasks live in memory, not on any disk. If you were to write code that wrote content to the disk, there might be potential for leakage there, but for the most part, I don’t think this is possible. If it is, it’s only remotely possible. Perhaps LM should put out a bug bounty for someone to grab an API key or password from a collector. It shouldn’t be possible.
I don’t think it would be too hard to pull that off without going into process/memory snooping or HTTPS snooping (which isn’t that hard anyway). I believe before SSE was implemented, LogicMonitor would write the PowerShell script to a temp file and then run it. And even with SSE enabled (where it runs PowerShell in input mode), PowerShell has auditing options that will log all commands used in any instance. I also think debug commands create a temp file to run scripts in even now. Just taking a quick look at the wrapper log files, I see a whole Groovy script in there for some reason (looks like a poll now test task is failing on a regular basis, might look into that).
I do agree that it is a bit safer with Groovy, since it doesn’t embed property values directly in the script like the PowerShell implementation does. But I’m not really comfortable that it may never leak in some error message or log. Just our compliance officer knowing that our key would be sent to a customer-owned system would be problem enough. :)
I don’t think LM states that credentials are safely stored on the collector. Not sure that happening would count towards a bug bounty. If I even had that kinda time, I might be tempted to try. :)
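One defensive check a collector admin could run, prompted by the concern above that a key might surface in an error message or wrapper log, as an added example that is not part of this thread or of LogicMonitor's own tooling: scan log text for known secret values in plain, URL-encoded and base64 form, and redact them before the log is shared. The log lines, the secret values and the `Invoke-Thing` cmdlet name are all constructed for the example.

```python
import base64
import urllib.parse

# Constructed sample of collector-style log lines; not real LogicMonitor output.
SAMPLE_LOG = """\
2024-01-01 10:00:01 INFO  wrapper started
2024-01-01 10:00:05 DEBUG running script: Invoke-Thing -Key 'EXAMPLE_KEY_abc123'
2024-01-01 10:00:06 ERROR request failed: body=user=svc&pass=p%40ss%2Fword%21
2024-01-01 10:00:07 ERROR task failed: payload=RVhBTVBMRV9LRVlfYWJjMTIz
2024-01-01 10:00:08 INFO  poll now test task ok
"""

# Constructed secrets: an API key and a password the collector was given as properties.
SECRETS = ["EXAMPLE_KEY_abc123", "p@ss/word!"]


def encodings(secret: str) -> dict:
    """Forms a secret can take after passing through a script, a URL or a base64 field.
    Forms that collapse to the same string (e.g. URL-encoding of a plain token) are kept once."""
    candidates = {
        "plain": secret,
        "urlencoded": urllib.parse.quote(secret, safe=""),
        "base64": base64.b64encode(secret.encode()).decode(),
    }
    forms, seen = {}, set()
    for name, form in candidates.items():
        if form not in seen:
            forms[name] = form
            seen.add(form)
    return forms


def scan_log(text: str, secrets: list) -> list:
    """Return (line_no, encoding_name) for every line containing a known secret in any form."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for secret in secrets:
            for name, form in encodings(secret).items():
                if form in line:
                    findings.append((line_no, name))
    return findings


def redact(text: str, secrets: list) -> str:
    """Replace every known form of each secret so the log can be handed to support safely."""
    for secret in secrets:
        for form in encodings(secret).values():
            text = text.replace(form, "[REDACTED]")
    return text


if __name__ == "__main__":
    for line_no, name in scan_log(SAMPLE_LOG, SECRETS):
        print(f"line {line_no}: secret found ({name})")
```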