[hobbit] localhost, clamd, rights

Henrik Stoerner henrik at hswn.dk
Thu Aug 17 12:13:17 CEST 2006


On Thu, Aug 17, 2006 at 10:56:48AM +0200, John GALLET wrote:
>  
> 1) I am running as many daemons as possible on 127.0.0.1 in case I make a 
> mistake in my iptables rules and as a general security rule anyway. I 
> added a 127.0.0.1 localhost line in etc/bb-hosts to monitor them. Is this 
> the correct/preferred way to do it or can I monitor them on a single line 
> with the public ip of the host ? 

If you want to make sure that they ONLY run on 127.0.0.1, I'd set up two
sets of tests: One with the public IP, and one with 127.0.0.1. Then you
can check the same services on both, with one of them being a "negative"
test (i.e. something which must NOT be available). E.g. if smtp should
only be listening locally:

   127.0.0.1     myserver-local  # testip smtp
   12.34.56.78   myserver-public # testip !smtp

The "testip" makes Hobbit use the IP-address from the bb-hosts file,
instead of trying to determine the IP from the hostname.

> 2) I configured clamd so that it uses /tmp/clamd for communications. Can I
> still monitor it with Hobbit ? I can't check the process (see question 3).
> I tried /tmp/clamd as a port in bb-services and saw an atoi() must be 
> called on it ;-)

"clamd" and the other tests in bb-services only work for network tests,
so - no, Hobbit cannot monitor a service communicating via a local unix
socket.

> 3) Not directly Hobbit related but might need a turnaround.
>  
> My kernel is patched with -grsec, which implies only root can access /proc
> or see other users' processes in a "ps" command. The result is that the
> hobbit-client log is filled with "access denied" on /proc/net/snmp (which
> I don't really mind) but also that the stats about users and especially
> number of processes is totally and utterly wrong, and I'd need this
> information (I have some random load peaks to diagnose). Do I need to run
> parts of hobbit as root ? Which ones ? What's the risk involved ?  

As Charles writes, you can use "sudo" to permit the hobbit user to run
the privileged commands with root privs. The risk in doing that
obviously is that if a user manages to break into your box and get 
shell access as the "hobbit" user, then he can run those same commands
with root privileges.


Regards,
Henrik
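
A local check for the unix-socket case from question 2, as an added example that is not part of the original message or of Hobbit: it runs on the monitored host and uses clamd's PING command, which a healthy daemon answers with PONG. The function name, the colour mapping and the default path /tmp/clamd (taken from the question) are assumptions; how the result is handed to the monitoring server is left to the local setup.

```python
import os
import socket
import stat
import sys


def check_clamd_socket(path="/tmp/clamd", timeout=5.0):
    """Return (colour, message) for a clamd reachable only via a unix socket."""
    try:
        mode = os.stat(path).st_mode
    except OSError as exc:
        return "red", f"cannot stat {path}: {exc}"
    # The path lives in a shared directory, so insist it really is a socket.
    if not stat.S_ISSOCK(mode):
        return "red", f"{path} is not a unix socket"

    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(path)
        sock.sendall(b"nPING\n")  # newline-delimited form of clamd's PING
        reply = b""
        while not reply.endswith(b"\n") and len(reply) < 64:
            chunk = sock.recv(64)
            if not chunk:
                break
            reply += chunk
    except OSError as exc:  # refused, permission denied, timeout, ...
        return "red", f"cannot talk to {path}: {exc}"
    finally:
        sock.close()

    if reply.strip() == b"PONG":
        return "green", "clamd answered PONG"
    return "yellow", f"unexpected reply {reply[:32]!r}"


if __name__ == "__main__":
    colour, message = check_clamd_socket(*sys.argv[1:2])
    print(colour, message)
    sys.exit(0 if colour == "green" else 1)
```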



