4

Hey all,

I have made a platform to show CPU, RAM and swap data. This data is entered into a database for analysis. At the moment it's written as a bash script using the proc filesystem.

The platform is written in PHP using the Symfony framework. Should I consider moving the bash scripts to my PHP project and make use of the functions system(), exec(), shell_exec(), or shall I stay with the bash scripts?

I'd like to know this from a security point of view, with sources for more info.

For now the bash scripts post data to a URL (which comes from the Symfony project).

The servers are running Debian.

Baklap4
  • 1
    Why not use Zabbix, Nagios ...? – Halayem Anis Mar 21 '16 at 12:45
  • The same question everyone asks me. Those tools are mostly good for system monitoring. Yet the problem I'm facing is that I have a lot of custom applications which need to be monitored as well, and I need one platform which has it all together. Besides, those tools also use the system programs I'm using right now. Another reason is that I wanted to learn Bash and get some knowledge of the proc file system. But this is off-topic. I've asked specifically about security right now. The "why I'm doing this" discussion should be left out now. – Baklap4 Mar 21 '16 at 12:50
  • Custom applications can easily be monitored by Zabbix/Nagios/etc. – ceejayoz Mar 21 '16 at 12:57
  • Installing/deploying Nagios and reading the documentation will help you a lot in how to design a powerful application that can be easily enhanced. Also, it will let you focus on writing a specific shell/batch script for your business needs ;) – Halayem Anis Mar 21 '16 at 12:58

3 Answers

3

I really advise you to use Nagios or Zabbix. They are powerful tools used for monitoring, and there are a lot of free plugins ready to use ....

Now to respond to your question:

  • Create an agent (daemon process) that will run on every machine that you want to be monitored
  • The agent will receive only a virtual command name and parameters, and never the exact command to be executed
  • The association between the virtual command and the script/command to be executed will be parametrized in a configuration file (xml, json...) and can be deployed from a single point ...

    Hope that helps

  • Halayem Anis
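The agent design described in the answer above, as an added example (not code from the answer or from any monitoring project): a POSIX shell dispatcher that accepts only a virtual command name and one parameter, checks both against an allowlist, and never evaluates the request text. The command names, handler functions, table format and the `PROC_ROOT` variable are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: agent-side dispatcher. All names below are illustrative.
PROC_ROOT="${PROC_ROOT:-/proc}"   # overridable so it can run on sample files

# Allowlist (constructed): virtual name : handler : permitted parameter values.
# The answer suggests keeping this mapping in a config file; it is inlined here.
ALLOWLIST='mem_field:h_meminfo:MemTotal MemFree SwapTotal SwapFree
load_avg:h_loadavg:1 5 15'

h_meminfo() {   # print the kB value of one /proc/meminfo field
  awk -v f="$1:" '$1 == f { print $2 }' "$PROC_ROOT/meminfo"
}

h_loadavg() {   # print the 1, 5 or 15 minute load average
  case "$1" in 1) col=1 ;; 5) col=2 ;; 15) col=3 ;; esac
  awk -v c="$col" '{ print $c }' "$PROC_ROOT/loadavg"
}

# dispatch NAME PARAM
# Returns 2 for a malformed name, 3 for an unknown one, 4 for a bad parameter.
dispatch() {
  name="$1"; param="$2"
  # Only lowercase letters and underscores can be a virtual name.
  case "$name" in
    ''|*[!a-z_]*) echo "rejected: malformed name" >&2; return 2 ;;
  esac
  entry=$(printf '%s\n' "$ALLOWLIST" | grep "^${name}:" | head -n 1)
  [ -n "$entry" ] || { echo "rejected: unknown command" >&2; return 3; }
  handler=$(printf '%s\n' "$entry" | cut -d: -f2)
  allowed=$(printf '%s\n' "$entry" | cut -d: -f3)
  # The parameter must be alphanumeric and listed for this command.
  case "$param" in
    ''|*[!A-Za-z0-9]*) echo "rejected: bad parameter" >&2; return 4 ;;
  esac
  case " $allowed " in
    *" $param "*) ;;
    *) echo "rejected: bad parameter" >&2; return 4 ;;
  esac
  # The handler name comes from the table, never from the request.
  "$handler" "$param"
}
```

Whatever transport delivers requests to the agent would call `dispatch` with the two received fields and send back its output or its non-zero status.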
    2

    Your solution is a good starting point.

    • Dangerous PHP functions like system(), exec() and others should be disabled for security reasons. So you shouldn't consider moving your bash scripts to your Symfony project.
    • You can connect your bash scripts which generate data and your PHP application in different ways:

      1. Through API calls (your approach): bash script --> API calls --> PHP application. In this case you need to save data in your app synchronously with its generation (sometimes you want to smooth out the peaks).
      2. Through log files: bash script --> write log files && PHP application --> read log files. In this case your bash scripts don't need to know about your PHP application. You only need to agree on the format of the log files. In this case you can process your data in your app asynchronously.
    alexander.polomodov
    1

    From a security perspective both approaches can be made secure and insecure. I would pick your language for other reasons (e.g. ease of writing what you want to do, portability, etc.) and then focus on making the script secure in that language.

    Bash has the advantage of simplicity if all you are doing is executing commands. But PHP will be easier to work with if you want more advanced logic, and it is easier to work with databases.

    Note that the PHP calls you have mentioned do contain security concerns, and you should be wary of how you use them and generally try to avoid them.

    You may want to look at the InfluxData stack, which sounds like it already does most of what you want.

    Michael Daffin