31 Oct 2024 04:22 PM - last edited on 12 Nov 2024 10:43 AM by MaciejNeumann
Has anyone done any testing on the level of permission that the user requires in standard Linux Repo, UNIX versions?
The documentation states: "A user with permission to connect and run the required commands" which is kind of obvious, and I can see that it's a challenge for different UNIX/Linux to try and define it from a standard view.
Hence my question?
31 Oct 2024 06:14 PM
Hello @gchastne
Regarding the remote Unix monitoring:
KR,
Peter.
31 Oct 2024 06:22 PM
Hi @gchastne
Hoping it adds value.
BR,
Peter.
01 Nov 2024 07:32 AM
I'm trying to bridge a gap in the documentation.
Currently all the hub says is: "A user with permission to connect and run the required commands"
and then gives a list of commands that the extension runs.
In the spirit of least privilege the user that we use should only be a special user if it needs to be.
From my reading the Remote UNIX commands on a Debian Linux box don't require su, so could get away with a normal user. Hence I'm reaching out to the community to see if others have validated that situation and/or extended that understanding to the broader UNIX base where the permissions models are similar but not the same.
01 Nov 2024 08:41 AM
Hello @gchastne
Thanks for your detailed explanation; I agree with you.
01 Nov 2024 09:51 AM
As the product base, for example in Debian, there's a list of commands used by the extension to monitor it remotely, as in the following figure, so you can grant the user permission to run only these commands.
So you have to grant permission to this user group in `/etc/sudoers` as below:
```
%monitoring_group ALL=(ALL) NOPASSWD: /usr/bin/vmstat
%monitoring_group ALL=(ALL) NOPASSWD: /usr/bin/w
%monitoring_group ALL=(ALL) NOPASSWD: /usr/bin/df
%monitoring_group ALL=(ALL) NOPASSWD: /usr/bin/cat
%monitoring_group ALL=(ALL) NOPASSWD: /usr/bin/top
%monitoring_group ALL=(ALL) NOPASSWD: /usr/bin/pgrep
%monitoring_group ALL=(ALL) NOPASSWD: /usr/bin/iostat
```
Or, as an exercise, you can create a sudoer user that has all permissions granted on a sandbox Linux machine (like CentOS), create a configuration in Dynatrace for this sandbox VM and use this user. Once monitoring is running successfully, let it run for 1 - 2 hours, then go back and check this file to track the footprint of the extension and see which activities and commands have been executed by this user: `cat /var/log/auth.log`. Then go through it line by line to find the exact permissions that need to be granted for specific commands or directories.
BR,
Mostafa Hussein.
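The audit described in the post above (let a sandbox account run for a while, then read the auth log line by line) can be summarised mechanically. The script below is an added example, not part of the original posts and not Dynatrace code; the account name `dt_monitor` and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Dynatrace code): list what one account ran through sudo,
# from syslog-style auth log lines, to see which sudoers entries it really uses.

# Constructed sample in the format sudo writes to the auth log.
# "dt_monitor" is a hypothetical monitoring account.
sample_log() {
cat <<'EOF'
Nov  1 09:10:01 sandbox sudo: dt_monitor : TTY=unknown ; PWD=/home/dt_monitor ; USER=root ; COMMAND=/usr/bin/vmstat 1 2
Nov  1 09:10:01 sandbox sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1001)
Nov  1 09:11:01 sandbox sudo:   dt_monitor : TTY=unknown ; PWD=/home/dt_monitor ; USER=root ; COMMAND=/usr/bin/vmstat 1 2
Nov  1 09:11:02 sandbox sudo: dt_monitor : TTY=unknown ; PWD=/home/dt_monitor ; USER=root ; COMMAND=/usr/bin/df -k
Nov  1 09:12:40 sandbox sudo: admin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt update
Nov  1 09:13:05 sandbox sudo: dt_monitor : command not allowed ; TTY=unknown ; PWD=/home/dt_monitor ; USER=root ; COMMAND=/usr/bin/iostat -x
EOF
}

# sudo_commands USER [FILE...]  -> lines of "COUNT ran|denied /path/to/binary"
# Reads standard input when no FILE is given.
sudo_commands() {
    user=$1; shift
    awk -v u="$user" '
    index($0, " sudo:") && index($0, "COMMAND=") {
        rest = substr($0, index($0, " sudo:") + 6)   # text after "sudo:"
        sub(/^[ \t]+/, "", rest)
        who = rest; sub(/ : .*/, "", who)            # invoking account
        if (who != u) next
        cmd = substr($0, index($0, "COMMAND=") + 8)
        split(cmd, argv, " ")                        # argv[1] = binary path
        # An accepted call has TTY= right after the account name; a refused
        # one carries a reason first (for example "command not allowed").
        state = (index(rest, who " : TTY=") == 1) ? "ran" : "denied"
        count[state " " argv[1]]++
    }
    END { for (k in count) print count[k], k }' "$@" | sort -k2
}

# Demo on the constructed sample; on a real host pass the log file instead,
# e.g. sudo_commands dt_monitor /var/log/auth.log
sample_log | sudo_commands dt_monitor
```

An empty result for the monitoring account means it never invoked sudo during the observation window, so no sudoers entry was exercised.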
05 Nov 2024 04:26 PM
I will add a note to the Hub tile on this. As a security best-practice we advise against using the root user or a user with sudo privileges. During development of this extension we made a point to not use any commands that require such privileges and so using a root/sudo user is an unnecessary risk.