To monitoring some metrics in the /proc path special permission is needed if the kernel is compiled with grsecurity.
To check if grsecurity is enabled run sysctl -a | grep grsecurity
root@test:~# sysctl -a | grep grsecurity
kernel.grsecurity.audit_ptrace = 1
kernel.grsecurity.consistent_setxid = 1
kernel.grsecurity.deny_new_usb = 0
kernel.grsecurity.dmesg = 1
kernel.grsecurity.forkfail_logging = 1
kernel.grsecurity.grsec_lock = 0
kernel.grsecurity.harden_ptrace = 1
kernel.grsecurity.ptrace_readexec = 1
kernel.grsecurity.signal_logging = 1
kernel.grsecurity.timechange_logging = 1
If nothing appears grsecurity is not enabled.
To grant nixstats access to the /proc directory run the following commands.
First check what groupID (gid) nixstats has.
id nixstats
Now open the grub configuration file at /etc/default/grub
Edit the line with GRUB_CMDLINE_LINUX_DEFAULT and add grsec_proc_gid=XXX at the end right before the double quote (").
For example if your groupid is 123 change the line from
GRUB_CMDLINE_LINUX_DEFAULT="noquiet nosplash net.ifnames=0 biosdevname=0"
To
GRUB_CMDLINE_LINUX_DEFAULT="noquiet nosplash net.ifnames=0 biosdevname=0 grsec_proc_gid=123"
Don't forget to include a space between the values!
Finally run update-grub and reboot to restart your system.
To check if grsecurity is enabled run sysctl -a | grep grsecurity
root@test:~# sysctl -a | grep grsecurity
kernel.grsecurity.audit_ptrace = 1
kernel.grsecurity.consistent_setxid = 1
kernel.grsecurity.deny_new_usb = 0
kernel.grsecurity.dmesg = 1
kernel.grsecurity.forkfail_logging = 1
kernel.grsecurity.grsec_lock = 0
kernel.grsecurity.harden_ptrace = 1
kernel.grsecurity.ptrace_readexec = 1
kernel.grsecurity.signal_logging = 1
kernel.grsecurity.timechange_logging = 1
If nothing appears grsecurity is not enabled.
To grant nixstats access to the /proc directory run the following commands.
First check what groupID (gid) nixstats has.
id nixstats
Now open the grub configuration file at /etc/default/grub
Edit the line with GRUB_CMDLINE_LINUX_DEFAULT and add grsec_proc_gid=XXX at the end right before the double quote (").
For example if your groupid is 123 change the line from
GRUB_CMDLINE_LINUX_DEFAULT="noquiet nosplash net.ifnames=0 biosdevname=0"
To
GRUB_CMDLINE_LINUX_DEFAULT="noquiet nosplash net.ifnames=0 biosdevname=0 grsec_proc_gid=123"
Don't forget to include a space between the values!
Finally run update-grub and reboot to restart your system.
Published on: 02 / 02 / 2018