On Mon, 26 Jun 2023 at 08:00, Trent W. Buck <tren...@gmail.com> wrote:
>
> FYI, attached are my monit systemd units.
> They are definitely "too hardened" for some users.
> You can PROBABLY just take everything before the hardening part, and use that as-is.
>
> In particular, I deliberately prevent monit running as root
> (I want systemd to restart units; I just want monit to check the availability of remote hosts).
> This required some kludges because (IIRC) monit wants to have write access to its own config (like cupsd, or a crappy PHP webapp).
>
FWIW, the monit service configuration I use:
[Unit]
Description=Pro-active monitoring utility for unix systems
Documentation=man:monit(1) https://mmonit.com/wiki/Monit/HowTo
After=network.target
[Service]
Type=simple
KillMode=process
ExecStart=/usr/bin/monit -I -c /etc/monit/monitrc
ExecStop=/usr/bin/monit -I -c /etc/monit/monitrc quit
ExecReload=/usr/bin/monit -I -c /etc/monit/monitrc reload
Restart=on-abnormal
StandardOutput=null
# hardening options
# details: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW CAP_SYS_PTRACE
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=yes
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadWritePaths=/run/ /var/lib/monit/ /var/log/
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target
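As an added example that is not part of this thread, the following Python script statically audits a unit like the one posted above: it parses the INI-style directives, then works out from ProtectSystem= and ReadWritePaths= whether the config file named after monit's -c flag is left writable (the write-access point Trent raises) while the state directory still is. The UNIT_TEXT is a constructed, trimmed copy of the [Service] lines above; the /var/lib/monit/state path is an assumed example path under the listed ReadWritePaths entry.

```python
"""Added example: static check of the sandboxing in a systemd unit (not code from the thread)."""
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed, trimmed copy of the unit posted in the message above.
UNIT_TEXT = """\
[Unit]
After=network.target
[Service]
ExecStart=/usr/bin/monit -I -c /etc/monit/monitrc
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW CAP_SYS_PTRACE
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=/run/ /var/lib/monit/ /var/log/
"""

def parse_unit(text):
    """INI-style parse into {section: {key: [values]}}; repeated keys accumulate as systemd does."""
    units = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
        elif section and "=" in line:
            key, _, value = line.partition("=")
            units[section][key.strip()].append(value.strip())
    return units

def _under(path, root):
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents

def path_writable(path, service):
    """Does ProtectSystem= leave `path` writable once ReadWritePaths= is taken into account?"""
    mode = service.get("ProtectSystem", ["no"])[-1]
    ro_roots = {"true": ["/usr", "/boot", "/efi"], "yes": ["/usr", "/boot", "/efi"],
                "full": ["/usr", "/boot", "/efi", "/etc"], "strict": ["/"]}.get(mode, [])
    api_fs = ["/dev", "/proc", "/sys"]  # exempt from ProtectSystem=strict
    rw = [p for v in service.get("ReadWritePaths", []) for p in v.split()]
    if any(_under(path, r) for r in rw) or any(_under(path, a) for a in api_fs):
        return True
    return not any(_under(path, r) for r in ro_roots)

def audit(text):
    svc = parse_unit(text)["Service"]
    exec_args = svc["ExecStart"][-1].split()
    config = exec_args[exec_args.index("-c") + 1]  # config path given to monit's -c flag
    return {"runs_as_root": "User" not in svc,      # no User= means systemd starts it as root
            "config_writable": path_writable(config, svc),
            "state_writable": path_writable("/var/lib/monit/state", svc),  # assumed example path
            "no_new_privs": svc.get("NoNewPrivileges", ["no"])[-1] in ("true", "yes")}
```

With the posted unit the config is read-only and the state directory writable, so a monit that insists on rewriting its own config would have to be given a ReadWritePaths= entry for it or a copy under /var/lib/monit/.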