Allow Agent Bakery to work with non-root
Today many organisations are forced to implement zero-trust security measures. Running the Checkmk agent as a non-privileged account is a hard requirement for many of us.
The Agent Bakery does not work with the non-root setup in these scenarios:
- Local checks deployed using "deploy local files with agent" do not work, as the user/group of all folders are still owned by root.
- The execution bit for "other" is not set, meaning no local checks can run.
- As the agent has built-in checks (not separate checks), it is not possible to run these with sudo unless these functions are copied and created as local checks with sudo implemented. Postfix and NTP are some of those that might require root permissions.
- The agent updater (which exists twice: once as a plugin and once as a timer in systemd) cannot update if the agent is running as someone other than root. Even if the systemd update service and timer are running as root, the agent can't update itself.
Comments: 5
-
12 Jul
Niklas Pulina (Admin): Hi Andy, thank you for your suggestion.
Did you have a look at the rule "Plugins, local checks and MRPE for non-root users"? It might solve some of the issues you describe. -
13 Jul
Robert Sander: System services like cron, ntpd, NetworkManager, journald, syslogd etc. also run as root.
Why is a monitoring agent different? -
14 Jul
Andy: Hi Niklas.
No we cannot use that option.
Hi Robert
They are included in the OS and provided by the dist. Checkmk is not. -
17 Jul
Lars Sörensen: In larger organisations it is common that 3rd-party tools have to be run with a non-privileged account (Segregation of Duties (SOD)). Sometimes the installation and execution are divided between two users. The privileged user is only allowed to install (within defined parameters) and the unprivileged user is only allowed to execute.
In such a non-root setup the installer could provide appropriate sudo rules to run all checks that require more privileges to display all the information, such as "netstat -an, postfix". These rules could easily be reviewed and approved by the auditors.
These FRs address the same issue.
https://features.checkmk.com/suggestions/346085/add-the-possibility-to-use-sudo-in-all-unix-agents-if-agent-not-running-as-root
https://features.checkmk.com/suggestions/338312/agent-bakery-and-update-agent-as-nonroot -
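The kind of reviewable, least-privilege sudo rule set Lars describes, as an added example that is not part of this thread or of Checkmk's own installer; the agent account name `cmk-agent`, the drop-in path and the command paths are assumptions.

```sudoers
# Added example (not Checkmk's): /etc/sudoers.d/cmk-agent
# Grants the non-root agent account only the fixed commands that the
# privileged checks need. Account name and command paths are assumptions.

# Weak form an installer must NOT ship: root shell for the agent account.
# cmk-agent ALL=(ALL) NOPASSWD: ALL

# Exact command + argument pairs; sudo matches the arguments literally,
# so "netstat -an" is allowed while "netstat -anp" or a shell is not.
Cmnd_Alias CMK_NET  = /usr/bin/netstat -an, /usr/sbin/ss -tulpn
Cmnd_Alias CMK_MAIL = /usr/sbin/postqueue -p, /usr/sbin/postconf -h queue_directory
Cmnd_Alias CMK_TIME = /usr/bin/ntpq -np, /usr/bin/chronyc -n tracking

# Service account: no tty, clean environment, and I/O logging so every
# invocation is auditable (default log location under /var/log/sudo-io).
Defaults:cmk-agent !requiretty, env_reset, log_output

# No password prompt (the agent runs unattended); only root as target user.
cmk-agent ALL = (root) NOPASSWD: CMK_NET, CMK_MAIL, CMK_TIME
```

A local check then calls e.g. `sudo -n /usr/bin/netstat -an`; validate the fragment with `visudo -cf /etc/sudoers.d/cmk-agent` before deploying it.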
23 Aug
Ann: In a time when even database software uses SOD for day-to-day operation (where non-root users only get granted very specific command execution rights), the same should be possible for monitoring agents.