Problem with zabbix and /proc


Postby fabalti » Fri Jul 03, 2009 10:02 am

Hi

I've just installed Zabbix on a Debian Etch server from OVH (2.6.27.10-grsec-xxxx-grs-ipv4-64) and I have a little problem with some zabbix commands. For example, if I want to know if apache is on, I run zabbix_agentd -t proc.num[apache2]. The answer is no, but in fact apache is running.

I saw that grsecurity forbids access to "/proc", but I need to browse this directory with user zabbix.

I would like to know how I can allow the zabbix user to do this.

Thanks
fabalti
 
Posts: 2
Joined: Fri Jul 03, 2009 9:49 am

Re: Problem with zabbix and /proc

Postby Oscon » Sat Jul 04, 2009 5:06 am

fabalti wrote:
Hi

I've just installed Zabbix on a Debian Etch server from OVH (2.6.27.10-grsec-xxxx-grs-ipv4-64) and I have a little problem with some zabbix commands. For example, if I want to know if apache is on, I run zabbix_agentd -t proc.num[apache2]. The answer is no, but in fact apache is running.

I saw that grsecurity forbids access to "/proc", but I need to browse this directory with user zabbix.

I would like to know how I can allow the zabbix user to do this.

Thanks


Grsecurity (Security level custom) -> Filesystem Protections (Y) -> Proc restrictions (Y) -> Restrict /proc to user only (N) -> Allow special group (Y) -> GID for special group ... in the kernel configuration.

and "zabbix" is a member of this "special group".
Oscon
 
Posts: 44
Joined: Fri Jun 11, 2004 6:32 pm

Re: Problem with zabbix and /proc

Postby fabalti » Mon Jul 06, 2009 9:20 am

Hi Oscon

Thanks for your answer.

Oscon wrote:
Grsecurity (Security level custom) -> Filesystem Protections (Y) -> Proc restrictions (Y) -> Restrict /proc to user only (N) -> Allow special group (Y) -> GID for special group ... in the kernel configuration.

and "zabbix" is a member of this "special group".


Now I have another problem. Where do you find Grsecurity and the others? I have no idea.
fabalti
 
Posts: 2
Joined: Fri Jul 03, 2009 9:49 am

Re: Problem with zabbix and /proc

Postby specs » Mon Jul 06, 2009 12:49 pm

If I read your question right I think you should learn how to configure and compile a working kernel before playing with grsecurity.
Look for a kernel HOWTO (for example http://www.digitalhermit.com/linux/Kern ... HOWTO.html), because this forum will not teach you how to compile kernels.

If you know how to compile kernels look for a recent vanilla kernel from http://www.kernel.org and the grsecurity patch from http://www.grsecurity.org.
A quickstart guide for grsecurity can be found at http://www.grsecurity.org/papers.php. It is a little outdated, but the lacking information can be found in the help of menuconfig with a patched kernel.

To optimize the kernel you can post your questions about specific grsecurity-options here.
specs
 
Posts: 190
Joined: Sun Mar 26, 2006 7:00 am

Re: Problem with zabbix and /proc

Postby dougnaka » Fri Jul 10, 2009 8:00 pm

I have a similar problem. I'm using Gentoo with a grsecurity patched kernel and the "Hardened Gentoo [server]" pre-configured level of grsecurity.
My GID for special group (GRKERNSEC_PROC_GID) is 10 (wheel). I have added my zabbix (and other) users to wheel, and they still seem unable to view other processes.
I think this is from another grsecurity option, "Remove addresses from /proc/<pid>/[smaps|maps|stat]", CONFIG_GRKERNSEC_PROC_MEMMAP.

Perhaps there is a different open source ps, as the one I have states in its man page:

This ps works by reading the virtual files in /proc.

I haven't rebuilt without that option to test.
I've used grsecurity for years and never had that work, so finding this thread gave me hope. It would be great if I could run more things non-root...
dougnaka
 
Posts: 1
Joined: Fri Jul 10, 2009 7:50 pm

Re: Problem with zabbix and /proc

Postby spender » Fri Jul 10, 2009 10:33 pm

If you do a cat /proc/<pid of zabbix daemon>/status,
take a look at the groups line and see if "10" is listed.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
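
The check described in the post above, as an added shell example that is not part of the original thread: it reads the Gid: and Groups: lines of a /proc/<pid>/status file and reports whether the process holds a given GID. The function name status_has_gid and the sample status contents (including GID 108) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). A running process keeps the group
# list it had when it started, so membership shown by /etc/group or "id"
# can differ from what the kernel sees for the daemon.

# status_has_gid STATUS_FILE GID
#   0 = GID is in Groups: (supplementary) or is the effective GID
#   1 = GID is not held by the process
#   2 = status file not readable (e.g. blocked by /proc restrictions)
status_has_gid() {
    status_file=$1
    want=$2
    [ -r "$status_file" ] || return 2
    awk -v want="$want" '
        # Groups: lists the supplementary GIDs, space separated
        $1 == "Groups:" { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        # Gid: real, effective, saved, filesystem -> effective is field 3
        $1 == "Gid:"    { if ($3 == want) found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$status_file"
}

# Constructed sample: a daemon whose credentials do not include GID 10.
sample=$(mktemp)
printf 'Name:\tzabbix_agentd\nUid:\t104\t104\t104\t104\n' >  "$sample"
printf 'Gid:\t108\t108\t108\t108\nGroups:\t108 \n'        >> "$sample"

if status_has_gid "$sample" 10; then
    echo "process holds gid 10"
else
    echo "process does not hold gid 10"
fi
rm -f "$sample"

# On a live system: status_has_gid "/proc/<pid>/status" 10
```

A return value of 2 means the caller itself could not read the status file, which is a different condition from the daemon lacking the group.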

