[hobbit] Monitoring FreeBSD jails ?

Nicolas nico at crysto.org
Wed Jun 14 14:55:25 CEST 2006


Hi,

First, thanks for the fast answer ;-)

I made some modifications to hobbitclient-freebsd.sh in order to get
good reporting.

Indeed, on FreeBSD there is a default security setting which prevents seeing
the processes/sockets of other users:

$ sysctl -a |grep other
security.bsd.see_other_uids: 0

So, when I am the hobbit user, I can see only hobbit's processes:

$ id
uid=1003(hobbit) gid=1003(hobbit) groups=1003(hobbit)

$ ps auxw
USER     PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
hobbit 26764  0.0  0.1  1836  1104  ??  I     2:38PM   0:00.01 sh -c
vmstat 300 2 1>/usr/local/www/hobbit/client/tmp/hobbit_vmstat.
hobbit 26766  0.0  0.0  1424   852  ??  I     2:38PM   0:00.05 vmstat 300 2
hobbit 69830  0.0  0.0  1420   880  ??  Ss    6:03PM   0:01.07
/usr/local/www/hobbit/client/bin/hobbitlaunch --config=/usr/local/ww
hobbit 26861  0.0  0.0  1500   740  pf  R+    2:41PM   0:00.00 ps auxw
hobbit 71775  0.0  0.1  3348  1680  pf  S     6:52PM   0:00.60 -su (bash)


So, I installed the sudo package and gave some rights to hobbit:

hobbit    ALL=(ALL) NOPASSWD: /usr/sbin/jls,/usr/sbin/jexec, /bin/ps,
/usr/bin/top, /usr/bin/netstat,/usr/local/sbin/portaudit

Then I changed the hobbitclient-freebsd.sh file by adding the
"/usr/local/bin/sudo" prefix before the "netstat", "ps" and "top" commands.

Do you think it's possible to take care of this in a future FreeBSD client?
I can help you if you need a FreeBSD account or whatever.

I wrote a little script which monitors the security of packages (called
"ports" on FreeBSD), based on the FreeBSD package "portaudit".

[hobbit at bmbcolt1 ~/client/etc]$ pkg_info |grep portaudit
portaudit-0.5.11    Checks installed ports against a list of security
vulnerabilities


You can find the script at this address:
http://hobbit.mybsd.eu/hobbit-portaudit.sh.txt

It works only on FreeBSD, and needs the "portaudit" package and sudo rights.

I'm going to see if I can make a hobbit client port for the FreeBSD ports
tree.

regards,
Nicolas
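The approach described above (sudo for jls/jexec, and Henrik's idea of running the client's commands once per jail from the host and wrapping each run in its own client message) as a worked example. This is an added example, not code from the original post or from the Hobbit client itself. The sudo, jls, jexec and bb paths, the server address, the section list and the "client hostname.ostype" message header are assumptions about the hobbitclient-freebsd.sh layout. Note that jexec runs the command as root inside the jail, which is why see_other_uids no longer hides anything; it also means a NOPASSWD rule for jexec with arbitrary arguments is effectively root in every jail, so the sudoers entry should be restricted to the exact commands the script runs if that matters on the box.

```shell
#!/bin/sh
# Added example, not code from the original post or from Hobbit itself.
# Runs a Hobbit-style client report once per FreeBSD jail from the host,
# using "sudo jls" to list jails and "sudo jexec" to run the commands
# inside each one (the post's sudoers line already allows both).
# Paths, the section list and the message header are assumptions.

SUDO=${SUDO:-/usr/local/bin/sudo}
JLS=${JLS:-/usr/sbin/jls}
JEXEC=${JEXEC:-/usr/sbin/jexec}
BB=${BB:-/usr/local/www/hobbit/client/bin/bb}   # assumed client path
BBDISP=${BBDISP:-127.0.0.1}                      # assumed Hobbit server
OSTYPE=freebsd

# Parse the default "jls" table (JID, IP Address, Hostname, Path) into
# "jid hostname" lines. The header row is skipped by line number because
# "IP Address" splits into two fields and would confuse a field count.
parse_jls() {
    awk 'NR > 1 && NF >= 4 { print $1, $3 }'
}

# Command line that runs "$@" as root inside jail $1. jexec executes the
# command with the jail's root privileges, so see_other_uids does not
# hide anything here; it also means this sudo rule is effectively root
# inside every jail.
jail_cmd() {
    jid=$1
    shift
    printf '%s %s %s %s\n' "$SUDO" "$JEXEC" "$jid" "$*"
}

# Run a command inside a jail (real execution; default runner for jail_report).
run_in_jail() {
    jid=$1
    shift
    "$SUDO" "$JEXEC" "$jid" "$@"
}

# Emit one client message for a jail. Sections mirror what the host client
# script collects: the same commands, each under a "[section]" header. The
# runner function is a parameter so the layout can be exercised without jexec.
jail_report() {
    jid=$1 host=$2 runner=${3:-run_in_jail}
    echo "client $host.$OSTYPE"
    echo "[date]";    $runner "$jid" date
    echo "[uname]";   $runner "$jid" uname -a
    echo "[uptime]";  $runner "$jid" uptime
    echo "[df]";      $runner "$jid" df -H
    echo "[netstat]"; $runner "$jid" netstat -an
    echo "[ps]";      $runner "$jid" ps auxw
}

# Send one message per jail to the Hobbit server; each jail then shows up
# as its own host on the display.
main() {
    "$SUDO" "$JLS" | parse_jls | while read -r jid host; do
        jail_report "$jid" "$host" | "$BB" "$BBDISP" "@"
    done
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it from the host as the hobbit user with `--run` (for example from hobbitlaunch alongside the normal client), after confirming `sudo jls` works non-interactively; the jail hostnames must match the entries in the server's bb-hosts for the per-jail status to be accepted.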




On Tue, 13 June 2006 22:15, Henrik Stoerner wrote:
> On Tue, Jun 13, 2006 at 07:10:09PM +0200, Nicolas wrote:
>
>> I installed the client on a FreeBSD 6.1 box and it works fine.
>>
>> Currently, there are 7 jails on the box and I'm going to install the
>> hobbit client on each one.
>>
>> But I'd like to know if there will be some external scripts in order to
>> monitor FreeBSD jails without installing a hobbit client into each
>> jail (there are some tools like "jexec" to execute commands inside a jail
>> without logging in to it).
>
> I haven't played with FreeBSD jails at all, all I know is the basic
> concept of isolating certain tasks into their own pseudo system. So I don't
> know enough about them to say whether this will be simple or difficult to
> implement.
>
> The Hobbit client script is pretty simple, though - so if there is a
> mechanism in place where a script at the physical-box level can run
> commands inside each of the jails, then it should be pretty simple to
> tweak the client to run on all of the jail systems without having to
> install it there - you'd basically be doing "uptime", "df", "ps" etc. once
> for each jail instance, wrapping it up into a client message and sending that
> across to the Hobbit server. Each of your jails would then show up as a
> separate "host" on the Hobbit server display.
>
>
> Just one way of doing it, I am open to suggestions since this is not
> something I know a whole lot about.
>
>
> Regards,
> Henrik
>