Nixstats with grsecurity (OVH Kernel)

To monitoring some metrics in the /proc path special permission is needed if the kernel is compiled with grsecurity.

To check if grsecurity is enabled run sysctl -a | grep grsecurity

``

root@test:~# sysctl -a | grep grsecurity

kernel.grsecurity.audit_ptrace = 1

kernel.grsecurity.consistent_setxid = 1

kernel.grsecurity.deny_new_usb = 0

kernel.grsecurity.dmesg = 1

kernel.grsecurity.forkfail_logging = 1

kernel.grsecurity.grsec_lock = 0

kernel.grsecurity.harden_ptrace = 1

kernel.grsecurity.ptrace_readexec = 1

kernel.grsecurity.signal_logging = 1

kernel.grsecurity.timechange_logging = 1

``

If nothing appears grsecurity is not enabled.

To grant nixstats access to the /proc directory run the following commands.

First check what groupID (gid) nixstats has.

``id nixstats``

Now open the grub configuration file at /etc/default/grub

Edit the line with GRUB_CMDLINE_LINUX_DEFAULT and add grsec_proc_gid=XXX at the end right before the double quote (").

For example if your groupid is 123 change the line from

``

GRUB_CMDLINE_LINUX_DEFAULT="noquiet nosplash net.ifnames=0 biosdevname=0"

``

To

``

GRUB_CMDLINE_LINUX_DEFAULT="noquiet nosplash net.ifnames=0 biosdevname=0 grsec_proc_gid=123"

``

Don't forget to include a space between the values!

Finally run update-grub and reboot to restart your system.

Updated on: 02/02/2018