Migrate your Linux collectors to non-root by Sept 30!

Not likely. WIIFM (a conversation I’ve had with MRod several times over the years).

Besides, it uses undocumented, and therefore unsupported, API endpoints. But I’ll make you a deal: if you add the endpoints into the documentation and start supporting them, I’ll open source my DS. Probably still won’t put it into the exchange though because I can’t use git to push updates to that repo and code reviews take years to complete.

If you think other users could benefit from this, please consider making yourdatasource available on LM Exchange. 
https://www.logicmonitor.com/support/logicmodules/about-logicmodules/lm-exchange

Great answer!

Added /setting/collector/collectors/:id/services/getStatusCheck checkPoints as ILPs to my collector problem detector datasource so now I have that role (and a ton of other stuff) as a property that I can just check.

Turns out none of my Linux collectors are running as root. Would have been nice not to have to go through all that work to find out there’s nothing to do.

FYI: If you know you installed your Linux collectors accepting the defaults (i.e. create the logicmonitor user), then there’s nothing to do.

If you go to your collectors page → Click on on “Manage” for the collector in question → Go to Collector status, you can find the root/non-root status of the collector
If you are installing the Linux collector using the logicmonitor user created, you dont have to take any action. It is running as a non-root user then.
 

We are pursuing non-root privileges for the collector because:
1) It will limit damages in case a vulnerability is exploited by an attacker.
2) It helps you pass security audits if a security conscious customer demands it.
3) The collector does not need to run at max privilege in order to monitor most devices and running software applications in the least privilege mode is security best practice

Let me rephrase: “running all collectors using non-privileged credentials” is not a goal, it’s a strategy to get to a goal. 

What benefit are you trying to provide to me? What outcome are you trying to achieve?

this is the ultimate goal for Logicmonitor

Hi Axshey, what is the ultimate goal? Why are you trying to move away from root? This makes running collectors in containers harder since they typically don’t have any user besides root.

Is there a propertysource you’ve written that will tell me which collectors are running as root vs. non-root? When we do the install, we run it with sudo and it creates the logicmonitor user. Neither of which are using the root account (depending on your philosophy on sudo).

Come to think of it, I need a propertysource that shows the user for each of my collectors (windows too), so i may just write it. Might make it a configsource so i can keep the history.

Hi Stewart, this is the ultimate goal for Logicmonitor, but we are still some ways from it. This notice mainly refers to moving linux collectors from root to non-root users. If you have further questions, please send me a private message over here or you can also contact your customer success manager for help.

We appreciate your support in helping us achieve our goal of running all collectors using non-privileged credentials. 

I missed this in the original goal. This is not a requirement for us. We haven’t started the planning process much less started executing.