Hi,
Hobbit server: 4.2-beta-20060605 on a Linux server.
I installed the client on a FreeBSD 6.1 box and it works fine.
Currently, there are 7 jails on the box and I'm going to install the Hobbit client on each one.
But I'd like to know if there'll be some external scripts in order to monitor FreeBSD jails without installing a Hobbit client into each jail. (There are some tools like "jexec" to execute a command in a jail without logging in to it.)
Thanks,
Regards,
Nicolas Lienard
On Tue, Jun 13, 2006 at 07:10:09PM +0200, Nicolas wrote:
> I installed the client on a FreeBSD 6.1 box and it works fine.
> Currently, there are 7 jails on the box and I'm going to install the Hobbit client on each one.
> But I'd like to know if there'll be some external scripts in order to monitor FreeBSD jails without installing a Hobbit client into each jail. (There are some tools like "jexec" to execute a command in a jail without logging in to it.)
I haven't played with FreeBSD jails at all, all I know is the basic concept of isolating certain tasks into their own pseudo system. So I don't know enough about them to say whether this will be simple or difficult to implement.
The Hobbit client script is pretty simple, though - so if there is a mechanism in place where a script at the physical-box-level can run commands inside each of the jails, then it should be pretty simple to tweak the client to run on all of the jail-systems without having to install it there - you'd basically be doing "uptime", "df", "ps" etc. once for each jail instance, wrapping it up into a client message and sending that across to the Hobbit server. Each of your jails would then show up as a separate "host" on the Hobbit server display.
Just one way of doing it, I am open to suggestions since this is not something I know a whole lot about.
Regards, Henrik
Hi,
First, thanks for the fast answer ;-)
I did some modifications on hobbitclient-freebsd.sh in order to have good reporting.
Indeed, on FreeBSD, there is a default security setting that prevents seeing the processes/sockets of other users:

    $ sysctl -a |grep other
    security.bsd.see_other_uids: 0

So, when I'm the hobbit user, I can see only hobbit processes:

    $ id
    uid=1003(hobbit) gid=1003(hobbit) groups=1003(hobbit)

    $ ps auxw
    USER     PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
    hobbit 26764  0.0  0.1  1836  1104  ??  I     2:38PM   0:00.01 sh -c vmstat 300 2 1>/usr/local/www/hobbit/client/tmp/hobbit_vmstat.
    hobbit 26766  0.0  0.0  1424   852  ??  I     2:38PM   0:00.05 vmstat 300 2
    hobbit 69830  0.0  0.0  1420   880  ??  Ss    6:03PM   0:01.07 /usr/local/www/hobbit/client/bin/hobbitlaunch --config=/usr/local/ww
    hobbit 26861  0.0  0.0  1500   740  pf  R+    2:41PM   0:00.00 ps auxw
    hobbit 71775  0.0  0.1  3348  1680  pf  S     6:52PM   0:00.60 -su (bash)

So I installed the sudo package and gave some rights to hobbit:
hobbit ALL=(ALL) NOPASSWD: /usr/sbin/jls,/usr/sbin/jexec, /bin/ps, /usr/bin/top, /usr/bin/netstat,/usr/local/sbin/portaudit
Then I changed the hobbitclient-freebsd.sh file by adding the "/usr/local/bin/sudo" prefix before the "netstat", "ps" and "top" commands.
Do you think it's possible to take care of this in a future FreeBSD client? I can help you if you need a FreeBSD account or whatever.
I wrote a little script which surveys the security packages (called "ports" on FreeBSD) based on the FreeBSD package "portaudit".

    [hobbit@bmbcolt1 ~/client/etc]$ pkg_info |grep portaudit
    portaudit-0.5.11 Checks installed ports against a list of security vulnerabilities

You can find the script at this address: http://hobbit.mybsd.eu/hobbit-portaudit.sh.txt
It works only on FreeBSD, and needs the "portaudit" package and sudo rights.
I'm going to see if I can make a Hobbit client port for the FreeBSD port tree.
Regards, Nicolas
On Tue 13 June 2006 22:15, Henrik Stoerner wrote:
> On Tue, Jun 13, 2006 at 07:10:09PM +0200, Nicolas wrote:
> > I installed the client on a FreeBSD 6.1 box and it works fine.
> > Currently, there are 7 jails on the box and I'm going to install the Hobbit client on each one.
> > But I'd like to know if there'll be some external scripts in order to monitor FreeBSD jails without installing a Hobbit client into each jail. (There are some tools like "jexec" to execute a command in a jail without logging in to it.)
> I haven't played with FreeBSD jails at all, all I know is the basic concept of isolating certain tasks into their own pseudo system. So I don't know enough about them to say whether this will be simple or difficult to implement.
> The Hobbit client script is pretty simple, though - so if there is a mechanism in place where a script at the physical-box-level can run commands inside each of the jails, then it should be pretty simple to tweak the client to run on all of the jail-systems without having to install it there - you'd basically be doing "uptime", "df", "ps" etc. once for each jail instance, wrapping it up into a client message and sending that across to the Hobbit server. Each of your jails would then show up as a separate "host" on the Hobbit server display.
> Just one way of doing it, I am open to suggestions since this is not something I know a whole lot about.
> Regards, Henrik
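
The host-side approach discussed in this thread (enumerate jails with jls, run the checks through jexec, build one client message per jail), as an added example that is not part of the Hobbit client or of either poster's scripts. It assumes the sudo rights for jls and jexec shown above and a client message made of a "client HOST.OSTYPE" header followed by [section] blocks; the function names and the hostname filter are illustrative.

```sh
#!/bin/sh
# Added example, not Hobbit's own code. Assumed message layout:
# a "client HOST.OSTYPE" header line followed by [section] blocks.

# Host-side runners; overridable so the logic can be exercised off-box.
: "${JLS:=sudo /usr/sbin/jls}"
: "${JEXEC:=sudo /usr/sbin/jexec}"

# Print "JID HOSTNAME" for each jail, skipping the jls header line.
# Root inside a jail can normally change the jail's hostname, so the
# name is untrusted: accept numeric JIDs and plain DNS-style names only.
list_jails() {
    $JLS | awk 'NR > 1 && $1 ~ /^[0-9]+$/ &&
        $3 ~ /^[A-Za-z0-9][A-Za-z0-9.-]*$/ { print $1, $3 }'
}

# Build one client message for a jail from a fixed set of commands.
jail_message() {
    jid=$1; host=$2
    # Host name written with commas instead of dots (assumed convention).
    echo "client $(echo "$host" | tr . ,).freebsd"
    for section in uptime df ps; do
        case $section in
            uptime) cmd="uptime" ;;
            df)     cmd="df -k" ;;
            ps)     cmd="ps auxww" ;;
        esac
        echo "[$section]"
        # stdin is closed so the command cannot eat the caller's jail list.
        $JEXEC "$jid" $cmd < /dev/null 2>&1 ||
            echo "(command failed in jail $jid)"
    done
}

# Write one message file per jail into directory $1; each file is what
# would be sent to the Hobbit server as a separate host.
collect_all() {
    outdir=$1
    list_jails | while read -r jid host; do
        jail_message "$jid" "$host" > "$outdir/$host.msg"
    done
}
```

Only the fixed command list ever reaches jexec, and a jail whose hostname fails the filter is skipped rather than reported under a name chosen from inside the jail.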