Hello!
So, there was a problem with the Zabbix agent - I can’t get the correct proc.num count for running services.
After searching the problem, I found this https://github.com/hestiacp/hestiacp/blob/2304b935db47ea303c8e0caa8931712c4e2764e0/install/hst-install-ubuntu.sh#L1025
What about creating a new option at installation?
Because with restricting access to /proc fs with hidepid=2 I can’t monitor processes with the Zabbix agent. It sees only processes of the Zabbix user. AllowRoot=1 did not solve the problem.
What do you think about adding these options:
-hp --hidepid [0|1|2] default: 2
-gi --gid Group ID (Monitoring like zabbix)
By default, the hidepid option has the value zero (0). This means that every user can see all data. When setting it to 1, the directory entries in /proc will remain visible, but not accessible. With value 2 they are hidden altogether. This last option will work perfectly for most systems.
Additionally you can specify a user/group ID which is still able to look up the processes with the gid option. So if you want to hide all processes to other users, except zabbix
So, what do you think? Because at installation we make hidepid, without any notification, let’s change it and allow users to set value 0,1,2 and set group id for Zabbix Agent
locations
install/hst-install-ubuntu.sh
install/hst-install-debian.sh
We have the cron file /etc/cron.d/hestia-proc where we also have it hard-coded
2nd solution, allow users to change this policy https://hestiacp-srv:8083/edit/server/ at Security tab.
Add select hidepid = 0,1,2 and add Group ID
It is to prevent other users from reading the active processes of other users / the admin user. It could be abused to get the request key.
Feel free to make any changes in /etc/cron.d/hestia-proc to make it fit your needs. Change the value as you need and restart the server or run the commands that can be found in the installer…
I use Icinga2 myself for monitoring and I don’t have any issues with it.
I don’t think we need to change this for the installer or via a setting.
But if I add these options at installation and add settings, will my pull request be rejected?
Because this hidepid option changes the filesystem at installation without any notification.
I haven’t seen any issue with enabling when the feature got introduced back in 1.3 or even 1.2 version.
I don’t think we should touch it after Hestia install, and users that know what needs to be changed should be familiar enough to modify a file in /etc/cron.d/hestia-proc and restart the server.
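The check below is an added example, not part of the thread and not HestiaCP code: given a /proc/mounts-style line, it reports whether a non-root monitoring account sees every user's processes under the hidepid and gid options discussed above. The function names, the sample lines and GID 997 are constructed for illustration, and only the hidepid values 0, 1 and 2 (plus "off") are modelled.

```shell
#!/bin/sh
# Added example (not HestiaCP code). Function names, the sample lines and
# GID 997 are constructed for illustration.

# Constructed /proc/mounts-style lines.
LINE_OPEN='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'
LINE_HIDDEN='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0'
LINE_GID='proc /proc proc rw,nosuid,nodev,noexec,relatime,gid=997,hidepid=2 0 0'

# proc_opt LINE KEY: print the value of KEY from the options field of a
# proc mount line; print nothing if the key is absent.
proc_opt() {
    opts=$(printf '%s\n' "$1" | awk '$3 == "proc" { print $4 }')
    printf '%s\n' "$opts" | tr ',' '\n' |
        awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# can_see_all LINE "GIDS": print "yes" if a non-root account whose group IDs
# are GIDS (space separated, as printed by `id -G`) sees every user's
# processes, "no" if hidepid restricts it to its own.
can_see_all() {
    hp=$(proc_opt "$1" hidepid)
    gid=$(proc_opt "$1" gid)
    # No hidepid option, 0 or "off": /proc is not restricted.
    case "${hp:-0}" in
        0|off) echo yes; return 0 ;;
    esac
    # Restricted (1 or 2): only members of the gid= group are exempt.
    for g in $2; do
        if [ -n "$gid" ] && [ "$g" = "$gid" ]; then
            echo yes
            return 0
        fi
    done
    echo no
}

# Demo on the constructed lines for an account in groups 997 and 4.
for line in "$LINE_OPEN" "$LINE_HIDDEN" "$LINE_GID"; do
    printf 'hidepid=%s gid=%s -> sees all: %s\n' \
        "$(proc_opt "$line" hidepid)" "$(proc_opt "$line" gid)" \
        "$(can_see_all "$line" "997 4")"
done
```

On a live host the same function can be fed the real values, for instance `can_see_all "$(grep '^proc /proc ' /proc/mounts)" "$(id -G zabbix)"`.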