
Solaris 10 sparc xymon 4.3.10 issue ?

5 messages in this thread

list Matt Goebel · Mon, 8 Oct 2012 11:55:18 -0400 (EDT) ·
Hi,

  I installed xymon 4.3.10 last week and since then I have noticed that
something has been appending data to the end of /usr/bin/logger every
5 minutes.  Since this wasn't happening before I suspect xymon.

164.76.2.44 - - [08/Oct/2012:11:26:03 -0400] "GET / HTTP/1.1" 302 209.

  This is the IP address of my xymon server.  Any suggestions as to
what I might need to tweak?

Thanks,
Matt

-- 
Matthew Goebel : user-74d13dabeb26@xymon.invalid : Unix Jockey @ EMU : Hail Eris
Neo-Student, Net Lurker, Donut consumer, and procrastinating medher...
 "Always with the negative waves, Moriarty" - Oddball
 "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
list Ryan Novosielski · Mon, 8 Oct 2012 12:16:07 -0400 ·
quoted from Matt Goebel

On 10/08/2012 12:08 PM, Matt Goebel wrote:
Hi,

I installed xymon 4.3.10 last week and since then I have noticed
that something has been appending data to the end of
/usr/bin/logger every 5 minutes.  Since this wasn't happening
before I suspect xymon.

164.76.2.44 - - [08/Oct/2012:11:26:03 -0400] "GET / HTTP/1.1" 302 209.

This is the IP address of my xymon server.  Any suggestions as what
I might need to tweak?

Thanks, Matt

/usr/bin/logger? A binary?

-- 
---- _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| |  | |__/ | \| _| |user-ae4522577e16@xymon.invalid - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/EI-Academic Svcs. - ADMC 450, Newark
list Matt Goebel · Mon, 8 Oct 2012 12:50:05 -0400 (EDT) ·
Yes... /bin/logger is a binary...

I seem to have figured out the issue, fping was being run as root by xymon,
so I did the following :

so I removed the sticky bit from user and group on /usr/local/sbin/fping

then I did the following and restarted xymon

add in : /etc/security/exec_attr
Network Management:solaris:cmd:::/usr/local/sbin/fping:privs=net_icmpaccess

add in : /etc/user_attr
xymon::::defaultpriv=basic,net_icmpaccess

Matt

-- 
Matthew Goebel : user-74d13dabeb26@xymon.invalid : Unix Jockey @ EMU : Hail Eris
Neo-Student, Net Lurker, Donut consumer, and procrastinating medher...
 "Always with the negative waves, Moriarty" - Oddball
 "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
list Ralph Mitchell · Mon, 8 Oct 2012 12:56:10 -0400 ·
If something was appending to the /usr/bin/logger binary, you might want to
check your various scripts for code that does:

     ....... > /usr/bin/logger

instead of:

     ..... | /usr/bin/logger

Ralph Mitchell
quoted from Matt Goebel
On Oct 8, 2012 12:50 PM, "Matt Goebel" <user-74d13dabeb26@xymon.invalid> wrote:
Yes... /bin/logger is a binary...

I seem to have figured out the issue, fping was being run as root by xymon,
so I did the following :

so I removed the sticky bit from user and group on /usr/local/sbin/fping

then I did the following and restarted xymon

add in : /etc/security/exec_attr
Network Management:solaris:cmd:::/usr/local/sbin/fping:privs=net_icmpaccess

add in : /etc/user_attr
xymon::::defaultpriv=basic,net_icmpaccess

Matt

--
Matthew Goebel : user-74d13dabeb26@xymon.invalid : Unix Jockey @ EMU : Hail Eris
Neo-Student, Net Lurker, Donut consumer, and procrastinating medher...
 "Always with the negative waves, Moriarty" - Oddball
 "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer

list Matt Goebel · Mon, 8 Oct 2012 14:47:08 -0400 (EDT) ·
  Aha, there was a long-buried issue on our apache server in a customlog 
setup which had never been an issue until xymon was turned on.  There 
was no redirect, /bin/tee was opening everything listed after it 
including "|" and "/bin/logger" and appending to them the apache logs...
it must be a Monday... :)

Matt

And now a bit of polka music by "Ralph Mitchell"
quoted from Ralph Mitchell

If something was appending to the /usr/bin/logger binary, you might want to
check your various scripts for code that does:

     ....... > /usr/bin/logger

instead of:

     ..... | /usr/bin/logger

Ralph Mitchell
On Oct 8, 2012 12:50 PM, "Matt Goebel" <user-74d13dabeb26@xymon.invalid> wrote:
Yes... /bin/logger is a binary...

I seem to have figured out the issue, fping was being run as root by xymon,
so I did the following :

so I removed the sticky bit from user and group on /usr/local/sbin/fping

then I did the following and restarted xymon

add in : /etc/security/exec_attr
Network Management:solaris:cmd:::/usr/local/sbin/fping:privs=net_icmpaccess

add in : /etc/user_attr
xymon::::defaultpriv=basic,net_icmpaccess

Matt

--
Matthew Goebel : user-74d13dabeb26@xymon.invalid : Unix Jockey @ EMU : Hail Eris
Neo-Student, Net Lurker, Donut consumer, and procrastinating medher...
 "Always with the negative waves, Moriarty" - Oddball
 "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer

-- 
Matthew Goebel : user-74d13dabeb26@xymon.invalid : Unix Jockey @ EMU : Hail Eris
Neo-Student, Net Lurker, Donut consumer, and procrastinating medher...
 "Always with the negative waves, Moriarty" - Oddball
 "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
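
Added example, not part of the thread: a sandboxed reproduction of the root cause described in the last message, where a command line run without a shell hands "|" and the logger path to tee as file names. The actual CustomLog directive is not shown in the thread, so the argument list, the file names and the log line below are constructed, and `logger` is a stand-in file in a temp directory.

```shell
#!/bin/sh
# Added illustration. Everything happens in a throwaway temp directory;
# "logger" is a constructed stand-in file, not the real /usr/bin/logger.

# A command line exec()ed without a shell: every word, including "|",
# reaches tee as the name of a file to append to.
run_without_shell() {
    ( cd "$1" && printf '%s\n' "$2" | tee -a access_log '|' logger >/dev/null )
}

# The same words handed to a shell: "|" becomes a real pipe.
# "cat >> piped_out" stands in for logger reading its stdin.
run_with_shell() {
    ( cd "$1" && printf '%s\n' "$2" | sh -c 'tee -a access_log | cat >> piped_out' )
}

# Byte size of a file, without wc's padding.
size() { wc -c < "$1" | tr -d ' '; }

demo() {
    work=$(mktemp -d) || return 1
    printf 'FAKE-BINARY' > "$work/logger"
    # Constructed access-log line (documentation IP range).
    line='192.0.2.10 - - [08/Oct/2012:11:26:03 -0400] "GET / HTTP/1.1" 302 209'

    s0=$(size "$work/logger")
    run_without_shell "$work" "$line"
    s1=$(size "$work/logger")
    run_with_shell "$work" "$line"
    s2=$(size "$work/logger")

    # Did the stand-in binary grow in each mode, and did a file named "|" appear?
    [ "$s1" -gt "$s0" ] && grew1=yes || grew1=no
    [ "$s2" -gt "$s1" ] && grew2=yes || grew2=no
    [ -f "$work/|" ] && stray=yes || stray=no
    piped=$(wc -l < "$work/piped_out" | tr -d ' ')
    rm -rf "$work"
    echo "no-shell: logger_grew=$grew1 stray_pipe_file=$stray; shell: logger_grew=$grew2 piped_lines=$piped"
}

demo
```

A stray file literally named `|` in the log writer's working directory, together with a system binary whose size or checksum changes on every request, is the footprint to look for.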