monit-general

Re: process details: user +selcontext and user: pw and shell


From: Martin Pala
Subject: Re: process details: user +selcontext and user: pw and shell
Date: Mon, 11 Jun 2012 23:13:03 +0200

Hi,

the process' uid/gid is a general test - we have an implementation of it already 
(not finished yet on all platforms), I think it makes sense to add it.

The SELinux test is however specific to Linux only - it is better to use the 
"check program" test with a custom script to test the privileges. The other 
platforms (Solaris, FreeBSD, etc.) have their own privilege separation 
frameworks; the SELinux configuration won't be portable.

Similarly with the login test - it will be better to use the "check program" 
(custom script) or "check file" (logfile content test), as intercepting the 
authentication process to track invalid passwords is out of monit's scope.

Regards,
Martin


On Jun 11, 2012, at 4:22 PM, cgzones wrote:

> Hi list,
> hi developers,
> I would like to have an option to observe the rights of processes.
> So can you add a check for the user/uid of a process and the SELinux
> context (if SELinux is enabled) of it; something like:
> 
> check process apache with pidfile /var/run/apache2.pid
>       if failed uid www-data then ACTION            (like the file check)
>       if failed selcontext system_u:system_r:httpd_t then ACTION
> 
> In addition, some services (like apache or mysql) create and use users
> for running their daemons.
> But these users' only task is running these processes, so they should
> not have a valid password or a valid shell.
> Can you add a new check section for system users like:
> 
> check user USERNAME with uid STRING/UID
>        if failed invalidpw then ACTION       (check for ""|"!"|"?"|"*"...)
>        if failed invalidshell then ACTION    (check for "/bin/false"|"/bin/nologin"...)
> 
> Best regards,
>          Christian Göttsche
> 
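Martin's answer above is to express both requests as a custom script under monit's "check program" test rather than as new built-in checks. The script below is an added example written for this archive page; it is not monit project code and was not posted by either participant. It reads the daemon's real uid from /proc/PID/status and its SELinux context from /proc/PID/attr/current, compares them against the expected values from the pidfile, and, for the second request, verifies that a service account has a locked shadow password field and a non-login shell. The script name check_privs.sh, the PROCROOT parameter and the PASSWDFILE/SHADOWFILE parameters are assumptions introduced so the logic can be exercised on a constructed directory tree; the two exit codes (1 for a mismatch, 2 when the check could not be made) are likewise a choice of this example.

```shell
#!/bin/sh
# check_privs.sh - added example (not monit project code): a "check program" script
# for the two requests in the thread. Exit 0 = ok, 1 = privilege mismatch, 2 = cannot inspect.
#
#   check_privs.sh process PIDFILE USER [SELINUX_CONTEXT] [PROCROOT]
#   check_privs.sh user NAME [PASSWDFILE] [SHADOWFILE]
#
# PROCROOT, PASSWDFILE and SHADOWFILE are assumed parameters (defaults /proc, /etc/passwd,
# /etc/shadow) so the functions can be exercised on a constructed directory tree.

# Print the real uid of the process whose /proc directory is $1 ("Uid: real effective saved fs").
proc_uid() {
    awk '/^Uid:/ { print $2; exit }' "$1/status" 2>/dev/null
}

# Print the SELinux context of the process whose /proc directory is $1 (empty if SELinux is off).
# The kernel terminates the value with a NUL byte, which is stripped here.
proc_selcontext() {
    tr -d '\000' < "$1/attr/current" 2>/dev/null
}

# Map a user name to its uid via the passwd database; a numeric argument is passed through.
user_to_uid() {
    case "$1" in
        ''|*[!0-9]*) getent passwd "$1" | cut -d: -f3 ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# check_process_privs PROCDIR EXPECTED_UID [EXPECTED_CONTEXT]
# The expected context is compared as user:role:type; the trailing MLS level (":s0") is ignored.
check_process_privs() {
    procdir=$1; want_uid=$2; want_ctx=$3; ctx=''
    [ -r "$procdir/status" ] || { echo "cannot read $procdir/status"; return 2; }
    uid=$(proc_uid "$procdir")
    if [ "$uid" != "$want_uid" ]; then
        echo "uid mismatch: got '$uid', expected '$want_uid'"
        return 1
    fi
    if [ -n "$want_ctx" ]; then
        ctx=$(proc_selcontext "$procdir")
        if [ "$(printf '%s' "$ctx" | cut -d: -f1-3)" != "$want_ctx" ]; then
            echo "selinux context mismatch: got '$ctx', expected '$want_ctx'"
            return 1
        fi
    fi
    echo "ok: uid=$uid context=${ctx:-n/a}"
    return 0
}

# check_user_account NAME [PASSWDFILE] [SHADOWFILE]
# A service account passes when its shadow password field is locked (empty, "?", "!", "!!",
# "*", "*LK*" or a "!"-prefixed hash) and its login shell is a non-login shell.
check_user_account() {
    name=$1; passwd_file=${2:-/etc/passwd}; shadow_file=${3:-/etc/shadow}
    [ -r "$shadow_file" ] || { echo "cannot read $shadow_file"; return 2; }
    entry=$(grep "^$name:" "$passwd_file" 2>/dev/null) || { echo "no such user '$name'"; return 2; }
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    hash=$(grep "^$name:" "$shadow_file" | cut -d: -f2)
    case "$hash" in
        ''|'?'|'!'*|'*'*) ;;
        *) echo "'$name' has a usable password hash"; return 1 ;;
    esac
    case "$shell" in
        /bin/false|/usr/bin/false|/bin/nologin|/sbin/nologin|/usr/sbin/nologin) ;;
        *) echo "'$name' has login shell '$shell'"; return 1 ;;
    esac
    echo "ok: '$name' is locked, shell '$shell'"
    return 0
}

main() {
    case "$1" in
        process)
            pid=$(head -n 1 "$2" 2>/dev/null | tr -d '[:space:]')
            [ -n "$pid" ] || { echo "no pid in '$2'"; return 2; }
            check_process_privs "${5:-/proc}/$pid" "$(user_to_uid "$3")" "$4"
            ;;
        user)
            check_user_account "$2" "$3" "$4"
            ;;
        *)
            echo "usage: $0 process PIDFILE USER [CONTEXT] [PROCROOT] | user NAME [PASSWD] [SHADOW]" >&2
            return 2
            ;;
    esac
}

# Run only when invoked with arguments, so the functions can also be sourced for testing.
if [ $# -gt 0 ]; then
    main "$@"
    exit $?
fi
```

Wired into monitrc this becomes `check program apache2-privs with path "/usr/local/bin/check_privs.sh process /var/run/apache2.pid www-data system_u:system_r:httpd_t" if status != 0 then alert` and `check program www-data-locked with path "/usr/local/bin/check_privs.sh user www-data" if status != 0 then alert`; the user check needs monit to run with permission to read /etc/shadow, otherwise it reports exit status 2 rather than silently passing.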



