[Check_mk (english)] agent permissions

Matt Taggart matt at lackof.org
Thu Feb 12 18:38:57 CET 2015

Jolyon Brown writes:

> However someone isn't happy here at my client site about having the agent
> run with root permissions. I'm loath to give up the data running with
> these permissions. What solutions do others have here? A dedicated user on
> the remote boxes? Wrapping with ssh?

dedicated user, ssh, alternate ssh port, firewall allowing only the server 
to connect to that port, restricted ssh, restricted sudo:

datasource_programs = [
 ( "ssh -l checkmk -p XXXX <HOST> sudo /usr/bin/check_mk_agent", ['ssh'], 

command="sudo /usr/bin/check_mk_agent" ssh-....

checkmk        ALL= NOPASSWD: /usr/bin/check_mk_agent

I still wish the agent didn't need to always be root. Something where it's 
mortal by default but can be adjusted (like how munin does it) would be 

Matt Taggart
matt at lackof.org
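
The forced-command entry in the message above limits what the monitoring key can run, but not forwarding or pty allocation. As an added example (not part of the original post), this script audits an authorized_keys entry for both; the function name, finding names and sample entries with placeholder key blobs are constructed for illustration, and the `restrict` option assumes OpenSSH 7.2 or later.

```shell
#!/bin/sh
# Added example: audit an authorized_keys entry for the monitoring account.
# AGENT_CMD is the forced command from the post; key material below is constructed.
AGENT_CMD='sudo /usr/bin/check_mk_agent'

# Print one finding per line for a single authorized_keys entry;
# print nothing when the entry is locked down.
audit_key_line() {
    # Options are whatever precedes the key type; the base64 blob always starts "AAAA".
    opts=$(printf '%s\n' "$1" |
        sed -E 's/(^|[[:space:]]+)(ssh|ecdsa|sk)-[A-Za-z0-9@.-]+[[:space:]]+AAAA.*$//')
    # Option names with quoted values removed, lower-cased, wrapped in commas
    # so each name can be matched as a whole token.
    flags=,$(printf '%s\n' "$opts" | sed -E 's/"[^"]*"//g' | tr 'A-Z' 'a-z'),

    case $opts in
        *"command=\"$AGENT_CMD\""*) ;;
        *) echo "no-forced-command" ;;
    esac

    for feature in port-forwarding agent-forwarding x11-forwarding pty; do
        case $flags in
            *",$feature,"*) echo "allows-$feature" ;;      # re-enabled explicitly
            *",restrict,"*|*",no-$feature,"*) ;;           # disabled
            *) echo "allows-$feature" ;;                   # sshd default: enabled
        esac
    done
}

# Constructed sample entries (placeholder key blobs, not real keys).
OPEN='ssh-ed25519 AAAAC3placeholder checkmk@monitor'
FORCED_ONLY='command="sudo /usr/bin/check_mk_agent" ssh-ed25519 AAAAC3placeholder checkmk@monitor'
LOCKED='command="sudo /usr/bin/check_mk_agent",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAC3placeholder checkmk@monitor'
RESTRICT='restrict,command="sudo /usr/bin/check_mk_agent" ssh-ed25519 AAAAC3placeholder checkmk@monitor'

for entry in "$OPEN" "$FORCED_ONLY" "$LOCKED" "$RESTRICT"; do
    printf '%s\n' "--- $entry"
    audit_key_line "$entry"
done
```

The parser assumes the forced command itself contains no double quotes; an entry that prints no findings has the forced command and no forwarding or pty available to the key.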

