[Check_mk (english)] agent permissions -

Matt Taggart matt at lackof.org
Thu Feb 12 18:38:57 CET 2015


Jolyon Brown writes:

> However someone isn't happy here at my client site about having the agent
> run with root permissions. I'm loathe to give up the data running with
> these permissions. What solutions do others have here? A dedicated user on
> the remote boxes? Wrapping with ssh?

dedicated user, ssh, alternate ssh port, firewall allowing only the server 
to connect to that port, restricted ssh, restricted sudo:

datasource_programs = [
  ( "ssh -l checkmk -p XXXX <HOST> sudo /usr/bin/check_mk_agent", ['ssh'], ALL_HOSTS ),
]

authorized_keys:
command="sudo /usr/bin/check_mk_agent" ssh-....

sudoers:
checkmk        ALL= NOPASSWD: /usr/bin/check_mk_agent


I still wish the agent didn't need to always be root. Something where it's 
mortal by default but can be adjusted (like how munin does it) would be 
nice.

-- 
Matt Taggart
matt at lackof.org
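
Added example, not part of the message above or of Check_MK: a small audit of an authorized_keys entry for the "restricted ssh" part of this setup, reporting a missing forced command, missing forwarding/pty restrictions, and a missing from= limit. The policy it checks, the function names and the sample key lines are assumptions constructed for illustration.

```python
import re

# Key types that mark the end of the (optional) options field.
KEY_TYPE = re.compile(r'^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$')
# One option: name, optionally ="quoted value" (value may hold spaces and commas).
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)')
FORWARDING = ("no-port-forwarding", "no-agent-forwarding",
              "no-X11-forwarding", "no-pty")

def split_options(line):
    """Return {option: value} for the options that precede the key type."""
    in_quotes, end = False, len(line)
    for i, ch in enumerate(line):
        # Whitespace ends the options field only outside double quotes.
        if ch == '"' and (i == 0 or line[i - 1] != '\\'):
            in_quotes = not in_quotes
        elif ch in ' \t' and not in_quotes:
            end = i
            break
    first = line[:end]
    if KEY_TYPE.match(first):
        return {}  # entry starts with the key type: no options at all
    # sshd treats option keywords as case-insensitive.
    return {m.group(1).lower(): m.group(2) for m in OPTION.finditer(first)}

def audit_key(line, agent="/usr/bin/check_mk_agent"):
    """Return a list of findings for one entry; an empty list means OK."""
    opts = split_options(line.strip())
    findings = []
    cmd = opts.get("command")
    if cmd is None:
        findings.append("no forced command: key gives an interactive shell")
    elif cmd not in (agent, "sudo " + agent):
        findings.append("forced command is not the agent: " + cmd)
    if "restrict" not in opts:  # restrict disables forwarding and pty at once
        findings += [o + " not set" for o in FORWARDING if o.lower() not in opts]
    if "from" not in opts:
        findings.append("no from= limit: key usable from any source address")
    return findings

# Constructed sample entries (key material and addresses are placeholders).
AS_POSTED = ('command="sudo /usr/bin/check_mk_agent" '
             'ssh-ed25519 AAAAC3constructedkey checkmk@monitor')
HARDENED = ('from="192.0.2.10",restrict,command="sudo /usr/bin/check_mk_agent" '
            'ssh-ed25519 AAAAC3constructedkey checkmk@monitor')

if __name__ == "__main__":
    for name, entry in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(name, "->", audit_key(entry) or "OK")
```

The forced command already pins the key to the agent; the extra options close off port, agent and X11 forwarding and pty allocation, which a forced command alone does not disable.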



