So, there was a problem with the Zabbix agent - I can’t get the correct proc.num count for running services.
After searching the problem, I found this hestiacp/hst-install-ubuntu.sh at 2304b935db47ea303c8e0caa8931712c4e2764e0 · hestiacp/hestiacp · GitHub
What about creating a new option at installation?
Because with access to the /proc fs restricted by hidepid=2, I can’t monitor processes with the Zabbix agent. It sees only the processes of the Zabbix user. AllowRoot=1 did not solve the problem.
What do you think about adding option -hp --hidepid [0|1|2] default: 2 And -gi --gid Group ID (Monitoring like zabbix)
By default, the hidepid option has the value zero (0). This means that every user can see all data. When setting it to 1, the directory entries in /proc will remain visible, but not accessible. With value 2 they are hidden altogether. This last option will work perfectly for most systems.
Additionally you can specify a user/group ID which is still able to look up the processes with the gid option. So if you want to hide all processes to other users, except zabbix
Back to github hestiacp/hst-install-ubuntu.sh at 2304b935db47ea303c8e0caa8931712c4e2764e0 · hestiacp/hestiacp · GitHub
The line will be like (If gid also set at installation)
mount -o remount,defaults,hidepid=value,gid=gid /proc > /dev/null 2>&1
So, what do you think? Because at installation we make hidepid, without any notification, let’s change it and allow users to set value 0,1,2 and set group id for Zabbix Agent
We have the cron file /etc/cron.d/hestia-proc, where it is also hard-coded.
2nd solution: allow users to change this policy at https://hestiacp-srv:8083/edit/server/ in the Security tab.
Add select hidepid = 0,1,2 and add Group ID
It is to prevent other users from reading the active processes of other users / the admin user. It could be abused to get the request key.
Feel free to make any changes in /etc/cron.d/hestia-proc to make it fit your needs. Change the value as you need and restart the server or run the commands that can be found in the installer…
I use Icinga2 myself for monitoring and I don’t have any issues with it.
I don’t think we need to change this for the installer or via a settings.
But if I add these options at installation and add settings, will my pull request be rejected?
Because this hidepid option at installation changes the filesystem without any notification.
I haven’t seen any issue with enabling when the feature got introduced back in 1.3 or even 1.2 version.
I don’t think we should touch it after Hestia install, and users that know what needs to be changed should be familiar enough to modify a file in /etc/cron.d/hestia-proc and restart the server.
If you haven’t seen it, it doesn’t mean it wasn’t.
Not all users commit to GitHub and post problems with solutions.
So, what about my question?
But if I add these options at installation and add settings, will my pull request be rejected?
If you want to implement it as changeable option in security settings, default value hidepid active, please go on. We’ll review and merge the commit.
Hotfix solution for zabbix:
Edit /etc/fstab and add lines:
proc /proc proc defaults,hidepid=2,gid=zabbix 0 0
Next step: reboot or remount /proc, and zabbix gets access to the process list.
I have updated https://docs.hestiacp.com with the required information.
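A way to verify the result of the hidepid/gid change discussed in this thread, as an added example that is not part of the thread or of Hestia's own scripts: it reads the /proc mount options and reports whether a monitoring user's group IDs are covered by the gid exemption. The function names, the sample mount table and the group IDs (112, 1000, 27) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The mount table below is constructed.
sample_mounts() {
    cat <<'EOF'
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,gid=112,hidepid=2 0 0
EOF
}

# Read a mount table on stdin, print the option field of the proc mount on /proc.
proc_opts_from_mounts() {
    awk '$2 == "/proc" && $3 == "proc" { o = $4 } END { print o }'
}

# proc_opt OPTS KEY: print the value of KEY in a comma-separated option string.
proc_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# check_monitor_access OPTS "GID ...": return 0 if a user with these group IDs
# can see other users' processes under the given /proc options.
check_monitor_access() {
    hp=$(proc_opt "$1" hidepid)
    exempt=$(proc_opt "$1" gid)
    case "${hp:-0}" in
        0|off) echo "visible: hidepid is off"; return 0 ;;
    esac
    for g in $2; do
        if [ -n "$exempt" ] && [ "$g" = "$exempt" ]; then
            echo "visible: member of exempt gid=$exempt"; return 0
        fi
    done
    echo "hidden: hidepid=$hp, exempt gid=${exempt:-unset}"
    return 1
}

# Demo on the constructed table. On a live host (assumed user name "zabbix"):
#   check_monitor_access "$(proc_opts_from_mounts < /proc/mounts)" "$(id -G zabbix)"
opts=$(sample_mounts | proc_opts_from_mounts)
check_monitor_access "$opts" "112" || true
check_monitor_access "$opts" "1000 27" || true
```

The check treats both 0 and off as disabled because newer kernels may report hidepid by name rather than by number in /proc/mounts.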