[hobbit] localhost, clamd, rights

Buchan Milne bgmilne at staff.telkomsa.net
Thu Aug 17 15:41:22 CEST 2006


On Thursday 17 August 2006 10:56, John GALLET wrote:
> Hi there,
>
> This is my first Hobbit install, I am still fumbling around on lots of
> things. Great software, after installing it I wonder how I survived
> without it.
>
> I have 3 totally distinct questions.
>
> 1) I am running as many daemons as possible on 127.0.0.1 in case I make a
> mistake in my iptables rules and as a general security rule anyway. I
> added a 127.0.0.1 localhost line in etc/bb-hosts to monitor them. Is this
> the correct/preferred way to do it or can I monitor them on a single line
> with the public ip of the host ?
>
> 2) I configured clamd so that it uses /tmp/clamd for communications. Can I
> still monitor it with Hobbit ? I can't check the process (see question 3).
> I tried /tmp/clamd as a port in bb-services and saw an atoi() must be
> called on it ;-)
>
> The reason I am using a local socket is that clamassassin looks for it to
> know whether to call the clamscan binary on each and every mail or to use
> clamdscan daemon. I could force it to use the daemon, but I don't know if
> it'll still call the binary in case the daemon is down.

Just compile clamassassin with --enable-clamdscan; looking for a specific
named socket to determine the availability of a service which can run on
either a port or a socket is quite weird ...

>
> 3) Not directly Hobbit related but might need a turnaround.
>
> My kernel is patched with -grsec, which implies only root can access /proc
> or see other users' processes in a "ps" command. The result is that the
> hobbit-client log is filled with "access denied" on /proc/net/snmp (which
> I don't really mind) but also that the stats about users and especially
> number of processes is totally and utterly wrong, and I'd need this
> information (I have some random load peaks to diagnose). Do I need to run
> parts of hobbit as root ? Which ones ? What's the risk involved ?
> Or are there other solutions ? (the grsec documentation is non-existent or
> very well hidden).
>


Seems you should be able to allow a specific user to get a full process 
listing via gradm ...

Regards,
Buchan

-- 
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)