Xymon Mailing List Archive search

localhost, clamd, rights

list Buchan Milne
Thu, 17 Aug 2006 15:41:22 +0200
Message-Id: <user-c7602e374b84@xymon.invalid>

On Thursday 17 August 2006 10:56, John GALLET wrote:
> Hi there,
>
> This is my first Hobbit install, I am still fumbling around on lots of
> things. Great software, after installing it I wonder how I survived
> without it.
>
> I have 3 totally distinct questions.
>
> 1) I am running as many daemons as possible on 127.0.0.1 in case I make a
> mistake in my iptables rules and as a general security rule anyway. I
> added a 127.0.0.1 localhost line in etc/bb-hosts to monitor them. Is this
> the correct/preferred way to do it or can I monitor them on a single line
> with the public ip of the host ?
>
> 2) I configured clamd so that it uses /tmp/clamd for communications. Can I
> still monitor it with Hobbit ? I can't check the process (see question 3).
> I tried /tmp/clamd as a port in bb-services and saw an atoi() must be
> called on it ;-)
>
> The reason I am using a local socket is that clamassassin looks for it to
> know whether to call the clamscan binary on each and every mail or to use
> clamdscan daemon. I could force it to use the daemon, but I don't know if
> it'll still call the binary in case the daemon is down.

Just compile clamassassin with --enable-clamdscan; looking for a specific
named socket to determine the availability of a service which can run on
either a port or a socket is quite weird ...

> 3) Not directly Hobbit related but might need a turnaround.
>
> My kernel is patched with -grsec, which implies only root can access /proc
> or see other users' processes in a "ps" command. The result is that the
> hobbit-client log is filled with "access denied" on /proc/net/snmp (which
> I don't really mind) but also that the stats about users and especially
> number of processes is totally and utterly wrong, and I'd need this
> information (I have some random load peaks to diagnose). Do I need to run
> parts of hobbit as root ? Which ones ? What's the risk involved ?
> Or are there other solutions ? (the grsec documentation is non-existent or
> very well hidden).

Seems you should be able to allow a specific user to get a full process
listing via gradm ...

Regards,
Buchan

-- 
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
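
Question 2 above asks whether a clamd that listens only on a Unix socket can still be monitored. The following is an added example, not code from this thread or from the Hobbit project: a probe that sends clamd's PING command over the socket and maps the answer to a status colour. The socket path, the host name, the `clamd` column name and the `fake_clamd` stand-in are assumptions made for the demonstration.

```python
import os
import socket
import tempfile
import threading
import time


def clamd_ping(sock_path, timeout=5.0):
    """Probe clamd on a Unix socket; return (color, detail)."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(sock_path)
            s.sendall(b"PING\n")       # clamd answers PONG to PING
            reply = s.recv(64)
    except OSError as exc:             # missing socket, refused, timeout, EACCES
        return "red", f"cannot talk to {sock_path}: {exc}"
    if reply.strip() == b"PONG":
        return "green", "clamd answered PONG"
    return "yellow", f"unexpected reply {reply!r}"


def status_line(host, color, detail, column="clamd"):
    """Build a BB/Hobbit-style status message; the column name is hypothetical."""
    return f"status {host.replace('.', ',')}.{column} {color} {time.ctime()} {detail}"


def fake_clamd(sock_path, reply):
    """Constructed stand-in for clamd: answers one connection with `reply`."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "clamd")
        fake_clamd(path, b"PONG\n")
        print(status_line("mail.example.com", *clamd_ping(path)))
```

The account running the probe only needs permission to connect to the socket, so it does not depend on reading other users' processes from /proc.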