
When Debian Jessie is compiled with grsecurity, a simple user can't see all processes. Therefore tasks carried out by the Sensu client (monitoring and telemetry solution) can't see if other processes (like Apache) exist.

Is there a way to grant the sensu user the privilege to see all system processes?

Esa Jokinen
Dani

1 Answer


If users can't see each other's processes, grsecurity is compiled with the kernel configuration symbol:

Restrict /proc to user only

GRKERNSEC_PROC_USER

If you say Y here, non-root users will only be able to view their own processes, and restricts them from viewing network-related information, and viewing kernel symbol and module information.

It depends on GRKERNSEC_PROC_USERGROUP whether you can allow a user to see other users' processes by adding the user to a special group.

Allow special group

GRKERNSEC_PROC_USERGROUP

If you say Y here, you will be able to select a group that will be able to view all processes and network-related information. If you've enabled GRKERNSEC_HIDESYM, kernel and symbol information may still remain hidden. This option is useful if you want to run identd as a non-root user. The group you select may also be chosen at boot time via grsec_proc_gid= on the kernel commandline.

And GRKERNSEC_PROC_GID specifies the group that is exempted (if not set via boot time kernel CLI).

You can check whether you have this set and add your Sensu user to this group:

  1. Find your running kernel release with uname -r.
  2. Check the setting from grep "GRKERNSEC_PROC_GID" /boot/config-<kernel_release>
  3. Look for the name of this group from /etc/group. At the same time you could check all the groups your Sensu user currently belongs to as otherwise you will remove it from all these groups on next step. (If the group doesn't exist, create it with groupadd -g GID grsecproc.)
  4. Add your Sensu user to this group with usermod -a -G GROUP sensu, but don't forget to also list all other groups from step 3:

    -G, --groups GROUP1[,GROUP2,...[,GROUPN]]]
        A list of supplementary groups which the user is also a member of.
        Each group is separated from the next by a comma, with no
        intervening whitespace. The groups are subject to the same
        restrictions as the group given with the -g option.
    
        If the user is currently a member of a group which is not listed,
        the user will be removed from the group. This behaviour can be
        changed via the -a option, which appends the user to the current
        supplementary group list.
    

As the same steps work for all server monitoring software, the list of groups may vary. Therefore I had to emphasize this even if there weren't any important groups in this case with Sensu.

If GRKERNSEC_PROC_GID (or GRKERNSEC_PROC_USERGROUP) wasn't set, you can configure it with make menuconfig and compile the kernel (read about Compiling a New Kernel in Jessie first).

Esa Jokinen
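The check in steps 2 to 4 of the answer, written out as an added POSIX shell example (not code from the answer): it reads the GID out of kernel config text, finds the matching group in /etc/group text, collects the user's existing supplementary groups (harmless with -a, which appends anyway) and prints the commands to run, adding a groupadd when the group is missing. The inputs are passed as text so it runs on the constructed samples below; the group name grsecproc is assumed only when it has to be created, as in the answer's groupadd example.

```shell
#!/bin/sh
# Added example, not from the original answer: derive the grsecurity /proc-exempt
# group from a kernel config and build the usermod command that keeps the user's
# current supplementary groups. Texts are passed as arguments so the functions
# can be run against constructed samples without a grsecurity host.

# proc_gid CONFIG_TEXT: print GRKERNSEC_PROC_GID; fail if the special-group option is off
proc_gid() {
    printf '%s\n' "$1" | grep -q '^CONFIG_GRKERNSEC_PROC_USERGROUP=y$' || return 1
    printf '%s\n' "$1" | sed -n 's/^CONFIG_GRKERNSEC_PROC_GID=\([0-9][0-9]*\)$/\1/p'
}

# group_name GROUP_TEXT GID: name of the group with that GID in /etc/group content
group_name() {
    printf '%s\n' "$1" | awk -F: -v gid="$2" '$3 == gid { print $1; exit }'
}

# user_groups GROUP_TEXT USER: comma-separated groups listing USER as a member (step 3)
user_groups() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) g[++c] = $1 }
        END { for (i = 1; i <= c; i++) printf "%s%s", (i > 1 ? "," : ""), g[i] }'
}

# plan CONFIG_TEXT GROUP_TEXT USER: print the commands to run (groupadd only when
# the group is missing); fail if the kernel must be rebuilt with the option enabled
plan() {
    gid=$(proc_gid "$1") || return 1
    [ -n "$gid" ] || return 1
    name=$(group_name "$2" "$gid")
    if [ -z "$name" ]; then
        name=grsecproc            # assumed name, as in the answer's groupadd example
        printf 'groupadd -g %s %s\n' "$gid" "$name"
    fi
    existing=$(user_groups "$2" "$3")
    printf 'usermod -a -G %s%s %s\n' "${existing:+$existing,}" "$name" "$3"
}

# Constructed samples standing in for /boot/config-$(uname -r) and /etc/group
SAMPLE_CONFIG='CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1001'
SAMPLE_GROUP='root:x:0:
adm:x:4:sensu
grsecproc:x:1001:
systemd-journal:x:105:sensu'

plan "$SAMPLE_CONFIG" "$SAMPLE_GROUP" sensu
# On a real host: plan "$(cat /boot/config-"$(uname -r)")" "$(cat /etc/group)" sensu
```

On the samples this prints `usermod -a -G adm,systemd-journal,grsecproc sensu`; a non-zero exit from plan means the kernel was built without GRKERNSEC_PROC_USERGROUP and the menuconfig route from the answer applies.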
  • Thanks for the detailed answer, I'll try it then accept. – Dani Apr 19 '17 at 18:52
  • Good luck with it! I hope you don't need to recompile your kernel for this. – Esa Jokinen Apr 19 '17 at 19:25
  • @esa : Thanks for the solution. I'll give it a try. Please note that in step 4 you are using option "-a" of usermod and (as it is explained in paragraph 2 of the man page you quote) this /appends/ the new group to the user's current groups, so your step 3 is useless. – user2115112 Dec 21 '17 at 10:06