Index
- What is the security configuration on the Statseeker server?
- How do I reset my root password?
- How do I add a New Web User?
- What characters can I use for my User passwords?
- What authentication methods does Statseeker support?
- Is Statseeker vulnerable to the Heartbleed exploit?
- Is Statseeker vulnerable to Shellshock (BASH) vulnerability (CVE-2014-6271 or CVE-2014-7169)?
- Is Statseeker vulnerable to the Spectre and Meltdown security vulnerabilities?
- Is Statseeker vulnerable to the Log4j 2 Vulnerability (CVE-2021-44228)?
- Is Statseeker vulnerable to the HTTP/2 Rapid Reset Vulnerability (CVE-2023-44487)?
What is the security configuration on the Statseeker server?
Statseeker is a highly scalable monitoring tool for the network running on the FreeBSD operating system and as such, only requires ICMP access and SNMP READ access to devices that it monitors. Things to note with respect to security are:
Server Processes:
- Sendmail:
- Is configured to only process local mail
- Will not accept remote SMTP connections
- runs as a non-privileged user
- will make outgoing connections to the configured SMTP gateway
- You cannot login as root via a network connection.
Protocols Used:
- ICMP
- UDP SNMP
- UDP snmptrap
- TCP http
How do I reset my root password?
There are three ways to change the root password:
- From NIM Console > Administration Tool > Statseeker Administration > OS Configuration > Edit (upper right corner) > Root Password: Change – this option is only available to the admin account, the Is Admin role is not sufficient
- From SSADMIN > Option 7 – Passwords > Option 1 – Set root Unix Password
- From the Statseeker server command line interface (CLI)
The third option, resetting the password from the CLI, can be used when the current root password is unknown. For details on this see Resetting the Root Server Password from the CLI
Note: for further assistance with managing the Statseeker server accounts, please contact Statseeker Technical Support.
How do I add a New Web User?
To create a new user or remove/edit an existing user:
- Select Administration Tool > User Profile/Grouping > Add/Edit Users
- Enter a Username
- Click Add
- Enter an email address (often used for alerting)
- Enter a password
- Select the default Time Zone relevant to the user’s reporting requirements
- Click Add User
The user account has now been created.
By default, newly created web users have no visibility to any Statseeker group, device, interface or report, this access needs to be granted from within the Administration Tool. To modify the groups/entities that a user can view:
- From the NIM Console select Administration Tool > User Profile/Grouping > Groups to an Entity
- From Entity Type, select Users
- Select the user to edit their permissions
- Add the groups to the user’s Include list to grant access the group’s contents
Note: by default, Statseeker does not have a group containing reports. New users will require access to a group tailored to contain reports applicable to the devices they have visibility to.
For more details on managing user accounts see:
What characters can I use for my User passwords?
The following characters are not supported:
- \ – backslash
- ‘ – single-quote
Other alpha-numeric, special characters, and spaces are permitted.
What authentication methods does Statseeker support?
Statseeker utilizes token-based authentication through Basic file, LDAP and Active Directory user authentication. In addition, Statseeker offers authentication through 3rd party SAML-based authentication services, see User Authentication for detailed instructions.
Is Statseeker vulnerable to the Heartbleed exploit?
Statseeker does not utilize an OpenSSL version affected by the Heartbleed vulnerability.
To confirm the version used by your installation run the following from the command line on your Statseeker server
Is Statseeker vulnerable to Shellshock (BASH) vulnerability (CVE-2014-6271 or CVE-2014-7169)?
Statseeker does not include the BASH shell as part of the standard installation package and is therefore not vulnerable to the Shellshock (CVE-2014-6271 or CVE-2014-7169) exploit.
Is Statseeker vulnerable to the Spectre and Meltdown security vulnerabilities?
No. The Spectre and Meltdown security vulnerabilities do not target the Statseeker product, rather they target the underlying operating system (OS) and hardware. Fixes for these issues were produced by the OS developers and are included with the version of FreeBSD that is bundled with Statseeker. For more information on this issue, refer to the FreeBSD website (https://www.freebsd.org/).
Is Statseeker vulnerable to the Log4j 2 Vulnerability (CVE-2021-44228)?
No. Statseeker is not susceptible to this issue as we do not utilize any of the elements affected by the CVE 2021-44228 vulnerability.
Is Statseeker vulnerable to the HTTP/2 Rapid Reset Vulnerability (CVE-2023-44487)?
No. The Statseeker server does not accept HTTP/2 protocol communication, so is not affected by this exploit.