[sysmon-help] Re: Sysmon - root required for icmp

Jared Mauch jared at sysmon.org
Wed Aug 24 21:21:45 EDT 2005


On Wed, Aug 24, 2005 at 04:01:08PM -0700, David Ski wrote:
> 
> Jared,
> 
> 
> Thank you for a great program, I have been using it
> for  over a year now to assist in monitoring
> environments.
> 
> I would like to run sysmon from a FreeBSD jail system.
> In this scenario I would not be using any ICMP checks.
> In fact the jail "virtual" system can not use ICMP at
> all.

	Well, yes they can, my machine "puck" runs inside a FreeBSD
jail :)

> iron# ping localhost
> ping: socket: Operation not permitted
> 
> My issue is the sysmon program stops on a check for
> root access to ICMP.  The jail root user doesn't have
> rights to create ICMP packets in a jail system.
> 
> Can this be modified to skip with a sysmon.conf switch
> or turned off ?

	yes:

puck:~/sysmon/sysmon> src/sysmond -h
Usage: src/sysmond [ -f config-file ] [ -n ] [ -d ] [ -v ] [ -t ] 
         [ -p port ] [ reload ] 
  -b             : IP Address to listen on
  -f config-file : Alternate config file location
          DEFAULT: /usr/local/etc/sysmon.conf
  -n             : Don't do notifies
  -d             : Don't fork
  -i             : Disable ICMP

	You can also use this sysctl to allow raw sockets
within a Jail:

security.jail.allow_raw_sockets

	If you're running FreeBSD 4.x, you can use this
patch too:

	http://puck.nether.net/~jared/fbsd-4.8-rc1-diff-jail-raw_ip.txt

http://adam.kungfoohampster.com/lists/freebsd-hackers/msg00329.shtml

> I would like to use UDP and TCP based checks on this
> jail sysmon system only.

	if you use '-i' it will have the desired result.

	- jared


> I am able to run the program from the main FreeBSD
> system, but I wanted to customize the checks for
> different teams and create redundancy without a huge
> hardware investment which is why I am using jails.
> Also, I can let users create monitors and test them
> without impacting or restarting the main sysmon.
> 
> From a jail system the program does not run.
> sysmond: 15:06:47 Starting sysmon v0.92
> /usr/local/bin/sysmond started on iron.fcmc1.com
> forked process as pid 48541
> iron# sysmond: 15:06:47 We are not root, unable to
> perform icmp check, exiting
> 
> My intent was to use
> TCP 135, TCP 22, or UDP 161 checks instead of ICMP for
> my jail system to know network equipment is up.

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
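An added example, not part of this thread and not sysmon's own code: the failure David hit comes from checking for root before the ICMP check, which is the wrong test inside a jail, where the process can be root yet still get EPERM from socket(2) unless security.jail.allow_raw_sockets is set. The snippet below makes the decision by actually trying to open a raw ICMP socket and degrading to TCP/UDP-only checks (the effect of `-i`) when that is not permitted, while still refusing to start on unexpected errors. It assumes only POSIX sockets; the enum and function names are mine, not sysmon's.

```c
/* Added example (not sysmon's own code): decide at startup whether ICMP
 * checks are possible by trying to open a raw ICMP socket instead of
 * testing for uid 0.  Inside a FreeBSD jail the process may run as root
 * and still get EPERM unless security.jail.allow_raw_sockets is enabled. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum icmp_policy {
    ICMP_ENABLED,   /* raw socket opened: ICMP checks can run */
    ICMP_DISABLED,  /* not permitted here: behave as if -i was given */
    ICMP_FATAL      /* unexpected error: refuse to start */
};

/* Map the errno from socket(2) to a startup decision.  Kept separate from
 * the probe so the mapping itself can be exercised without privileges. */
enum icmp_policy icmp_policy_from_errno(int err)
{
    switch (err) {
    case 0:
        return ICMP_ENABLED;
    case EPERM:   /* unprivileged, or jailed without allow_raw_sockets */
    case EACCES:
        return ICMP_DISABLED;
    default:
        return ICMP_FATAL;
    }
}

/* Open (and immediately close) a raw ICMP socket.  Returns the policy;
 * *err_out receives the errno from socket(2), or 0 on success. */
enum icmp_policy probe_raw_icmp(int *err_out)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    int err = (fd < 0) ? errno : 0;

    if (fd >= 0)
        close(fd);
    if (err_out)
        *err_out = err;
    return icmp_policy_from_errno(err);
}

int main(void)
{
    int err = 0;
    enum icmp_policy p = probe_raw_icmp(&err);

    switch (p) {
    case ICMP_ENABLED:
        puts("ICMP checks enabled");
        return 0;
    case ICMP_DISABLED:
        printf("ICMP not permitted (%s); running with ICMP checks disabled, "
               "TCP/UDP checks only\n", strerror(err));
        return 0;
    default:
        fprintf(stderr, "raw socket probe failed: %s\n", strerror(err));
        return 1;
    }
}
```

Run it as an unprivileged user or inside a jail without allow_raw_sockets and it reports ICMP as disabled instead of exiting; run it where raw sockets are permitted and ICMP checks stay enabled. The point is that the capability, not the uid, is what gets tested.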
