file monitoring permission problems
list Christof Wessely
I am trying to monitor the integrity of some files on hobbit clients using the FILE md5 test. But I am running into permission problems. The files are owned by user oracle and the file permissions are so strict that the hobbit user cannot even list the files. This is confirmed when looking into the client data sent to the server:
...
[file:/opt/oracle/product/j2ee/applications/appl.ear]
ERROR: Permission denied
...
Is there an easy workaround without having to change file permissions, e.g. running the file tests with sudo?
Regards,
Chris
list Paul Root
Can't you run a script on the oracle machine in oracle's cron, and report back with bb?
--
Paul Root
Qwest MNS Infrastructure
From: Chris [mailto:user-024af9c96b49@xymon.invalid]
Sent: Sun 1/11/2009 6:12 AM
To: user-ae9b8668bcde@xymon.invalid
Subject: [hobbit] file monitoring permission problems
I am trying to monitor the integrity of some files on hobbit clients using the FILE md5 test.
But I am running into permission problems. The files are owned by user oracle and the file permissions are so strict, so that the hobbit user cannot even list the files.
This is confirmed when looking into the client data sent to the server:
...
[file:/opt/oracle/product/j2ee/applications/appl.ear]
ERROR: Permission denied
...
Is there an easy workaround without having to change file permissions, eg. running the file tests with sudo?
Regards,
Chris
list L.M.J
On Sun, 11 Jan 2009 13:12:20 +0100, "Chris" <user-024af9c96b49@xymon.invalid> wrote:
This is confirmed when looking into the client data sent to the server: [file:/opt/oracle/product/j2ee/applications/appl.ear] ERROR: Permission denied Is there an easy workaround without having to change file permissions, eg. running the file tests with sudo?
You can add the user "hobbit" to the oracle unix group. I think it's the fastest and simplest way to fix your issue.
list Ralph Mitchell
On Sun, Jan 11, 2009 at 1:05 PM, L.M.J <user-78bb6d5d9024@xymon.invalid> wrote:
On Sun, 11 Jan 2009 13:12:20 +0100, "Chris" <user-024af9c96b49@xymon.invalid> wrote:
This is confirmed when looking into the client data sent to the server: [file:/opt/oracle/product/j2ee/applications/appl.ear] ERROR: Permission denied Is there an easy workaround without having to change file permissions, eg. running the file tests with sudo?
You can add the user "hobbit" to the oracle unix group. I think it's the fastest and simplest way to fix your issue.
That also reduces your database security, and I'll bet your DBAs wouldn't allow it. Better to have the oracle account run the script from cron and pick up the output from a neutral location. Ralph Mitchell
list Christof Wessely
Thanks for your suggestions. Adding the hobbit user to the oracle group is unfortunately not an option, as the permissions do not even give the group permission to the directory, but only the owner itself. When you suggest running a script as oracle from cron, I presume that we are talking outside of the hobbit environment, or is there still a way to keep server side configuration, etc?
From: Ralph Mitchell [mailto:user-00a5e44c48c0@xymon.invalid]
Sent: Sunday, 11 January 2009 20:27
To: user-ae9b8668bcde@xymon.invalid
Subject: Re: [hobbit] file monitoring permission problems
On Sun, Jan 11, 2009 at 1:05 PM, L.M.J <user-78bb6d5d9024@xymon.invalid> wrote:
On Sun, 11 Jan 2009 13:12:20 +0100, "Chris" <user-024af9c96b49@xymon.invalid> wrote:
This is confirmed when looking into the client data sent to the server: [file:/opt/oracle/product/j2ee/applications/appl.ear] ERROR: Permission denied Is there an easy workaround without having to change file permissions, eg. running the file tests with sudo?
You can add the user "hobbit" to the oracle unix group. I think it's the fastest and simplest way to fix your issue.
That also reduces your database security, and I'll bet your DBAs wouldn't allow it. Better to have the oracle account run the script from cron and pick up the output from a neutral location.
Ralph Mitchell
list Ralph Mitchell
You would have oracle's cron to execute something like this regularly:

    #!/bin/sh
    md5sum /some/secure/oracle/path/filename > /var/tmp/filename.md5

Then have hobbit's cron run something like:

    #!/bin/sh
    $HOME/server/bin/bbcmd $HOME/server/ext/oracle-md5-checker.sh

You could use Hobbit's launcher, but I always found it easier to use cron to spread scheduled jobs over time. The oracle-md5-checker.sh script would start up with all the Hobbit environment, grab the md5 checksum from the file, check it against the proper value, then report red/green. I think I would then have it delete the md5 file - that might require parking the file somewhere other than /var/tmp, which would be a good idea anyway... Deleting the file means that next time the hobbit script runs, it can validate that the oracle cron job ran, rather than just blindly re-reading the same file. That's probably simpler than comparing the file-last-changed timestamp to realtime.
Ralph Mitchell
On Tue, Jan 13, 2009 at 1:45 PM, chris <user-024af9c96b49@xymon.invalid> wrote:
Thanks for your suggestions. Adding the hobbit user to the oracle group is unfortunately not an option, as the permissions do not even give the group permission to the directory, but only the owner itself. When you suggest running a script as oracle from cron, I presume that we are talking outside of the hobbit environment, or is there still a way to keep server side configuration, etc?
From: Ralph Mitchell [mailto:user-00a5e44c48c0@xymon.invalid]
Sent: Sunday, 11 January 2009 20:27
To: user-ae9b8668bcde@xymon.invalid
Subject: Re: [hobbit] file monitoring permission problems
On Sun, Jan 11, 2009 at 1:05 PM, L.M.J <user-78bb6d5d9024@xymon.invalid> wrote:
On Sun, 11 Jan 2009 13:12:20 +0100, "Chris" <user-024af9c96b49@xymon.invalid> wrote:
This is confirmed when looking into the client data sent to the server: [file:/opt/oracle/product/j2ee/applications/appl.ear] ERROR: Permission denied Is there an easy workaround without having to change file permissions, eg. running the file tests with sudo?
You can add the user "hobbit" to the oracle unix group. I think it's the fastest and simplest way to fix your issue.
That also reduces your database security, and I'll bet your DBAs wouldn't allow it. Better to have the oracle account run the script from cron and pick up the output from a neutral location.
Ralph Mitchell
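
Added example, not part of the thread and not code from any poster or from the Hobbit project: a sketch of the hobbit-side oracle-md5-checker.sh described in the last message. The drop path /var/spool/oracle-md5, the EXPECTED_MD5 variable, the "oramd5" column name and the yellow colour for a missing file are assumptions, as is a drop directory writable only by oracle and hobbit.

```shell
#!/bin/sh
# Added example (assumptions: drop path, EXPECTED_MD5, column "oramd5").

# check_md5_drop DROPFILE EXPECTED_MD5 OWNER_UID
# Prints green (match), red (mismatch or untrusted drop file) or
# yellow (no fresh drop file: the producer cron job did not run).
check_md5_drop() {
    drop=$1 expected=$2 owner_uid=$3

    # Nothing written since the last run: the oracle job is not running.
    [ -e "$drop" ] || [ -L "$drop" ] || { echo yellow; return; }

    # Refuse symlinks and non-regular files; in a world-writable
    # directory such as /var/tmp any local user could plant one.
    if [ -L "$drop" ] || [ ! -f "$drop" ]; then echo red; return; fi

    # The drop file must belong to the account that produces it.
    uid=$(ls -ln "$drop" | awk '{print $3}')
    [ "$uid" = "$owner_uid" ] || { echo red; return; }

    # md5sum writes "<hash>  <path>"; keep only the hash field.
    actual=$(awk 'NR==1 {print $1}' "$drop")

    # Consume the file so the next run proves a new one was written.
    rm -f "$drop"

    if [ "$actual" = "$expected" ]; then echo green; else echo red; fi
}

# Report only when started through bbcmd, which sets BB, BBDISP, MACHINE.
if [ -n "$BB" ] && [ -n "$BBDISP" ]; then
    COLOR=$(check_md5_drop /var/spool/oracle-md5/appl.ear.md5 \
            "$EXPECTED_MD5" "$(id -u oracle)")
    $BB $BBDISP "status $MACHINE.oramd5 $COLOR $(date) appl.ear md5 check"
fi
```
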