grsecurity forums

Hi

I've just installed Zabbix on a Debian Etch server from OVH (2.6.27.10-grsec-xxxx-grs-ipv4-64) and I have a little problem with some zabbix commands. For example, if I want to know if apache is on, I run zabbix_agentd -t proc.num[apache2]. Answer is no but in fact apache is runnig.

I saw grsecurity forbid access to "/proc" but I need to browse this directory with user zabbix.

I would like to know how I could do to allow zabbix user to do this.

Thanks

fabalti wrote:Hi

I've just installed Zabbix on a Debian Etch server from OVH (2.6.27.10-grsec-xxxx-grs-ipv4-64) and I have a little problem with some zabbix commands. For example, if I want to know if apache is on, I run zabbix_agentd -t proc.num[apache2]. Answer is no but in fact apache is runnig.

I saw grsecurity forbid access to "/proc" but I need to browse this directory with user zabbix.

I would like to know how I could do to allow zabbix user to do this.

Thanks

Grsecurity (Security level custom)->Filesystem Protections (Y)->Proc restrictions(Y)->Restrict /proc to user only (N)->Allow special group(Y)-> GID for special group ...in the kernel configuration.

and "zabbix" is member of this "special group".

Hi Oscon

Thanks for your answer.

[quote="Oscon"]Grsecurity (Security level custom)->Filesystem Protections (Y)->Proc restrictions(Y)->Restrict /proc to user only (N)->Allow special group(Y)-> GID for special group ...in the kernel configuration.

and "zabbix" is member of this "special group".[/quote]


Now I have another problem. Where do you find Grsecurity and the others because I have no idea ?

If I read your question right I think you should learn how to configure and compile a working kernel before playing with grsecurity.
Look for a kernel HOWTO (for example http://www.digitalhermit.com/linux/Kern ... HOWTO.html), because this forum will not teach you how to compile kernels.

If you know how to compile kernels look for a recent vanilla kernel from http://www.kernel.org and the grsecurity patch from http://www.grsecurity.org.
A quickstart guide for grsecurity can be found at http://www.grsecurity.org/papers.php. It is a little outdated, but the lacking information can be found in the help of menuconfig with a patched kernel.

To optimize the kernel you can post your questions about specific grsecurity-options here.

I have a similar problem. I'm using Gentoo with a grsecurity patched kernel and the "Hardened Gentoo [server]" pre-configured level of grsecurity.
My GID for special group (GRKERNSEC_PROC_GID) is 10 (wheel). I have added my zabbix (and other) users to wheel, and they still seem unable to view other processes.
I think it this is from another grsecurity option, "Remove addresses from /proc/<pid>/[smaps|maps|stat], CONFIG_GRKERNSEC_PROC_MEMMAP.

Perhaps there is a different open source ps, as the one I have states in it's man page

This ps works by reading the virtual files in /proc.

I haven't rebuilt without that option to test.
I've used grsecurity for years and never had that work, so finding this thread gave me hope. It would be great if I could run more things non-root...

if you do a cat /proc/<pid of zabbix daemon>/status
take a look at the groups line and see if "10" is listed.

-Brad