0

We have an external monitoring tool which will access our Linux machines through SSH and will read top/ping/netstat/disk activity. As I am creating a separate SSH key and a separate user for this purpose, I wonder if I can restrict this user in any way or whether it has to be an admin user.

Is there any fine-grained control of what the user can run and what not? E.g. scp our DB dump out is bad, read top statistics or ping to another machine is fine...

martin85

1 Answer

2

A good practice would be to create a user that has next to no privileges, then set up sudo. The monitoring account can run the commands you need for checking the status via sudo and nothing else.

On my Nagios setup, I have a basic user named nagios combined with the sudo config that looks like this.

    ### Nagios commands
    nagios ALL=NOPASSWD: /etc/nagios_checks/*, /usr/lib/nagios/plugins/*

Zoredache
  • How can I set up 'sudo sup' in Ubuntu/Debian? Any reference / tutorial available? – martin85 May 07 '13 at 23:54
  • Sorry about the 'sudo sup', the 'sup' bit was a typo. Just install sudo, if it isn't already. Then configure sudo. Refer to the sudo man page, or the examples on the sudo web page. – Zoredache May 08 '13 at 00:11
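
A complement to the sudo setup in the answer, as an added example that is not part of the original question or answer: an SSH forced-command wrapper that lets the monitoring key start only an exact allowlist of commands. The install path, the authorized_keys entry and the allowlisted command strings are assumptions chosen to match the top/ping/netstat/disk checks in the question.

```shell
#!/bin/sh
# Forced-command gate for a monitoring SSH key (added example).
# Assumed install path: /usr/local/bin/monitor-gate
# Assumed authorized_keys entry for the monitoring key (key material elided):
#   restrict,command="/usr/local/bin/monitor-gate" ssh-ed25519 AAAA... monitor
# sshd runs this script for every session on that key and passes what the
# client asked for in SSH_ORIGINAL_COMMAND.

# Return 0 only for requests on the allowlist. Requests are compared as
# whole strings, so "top -b -n 1; id" does not match "top -b -n 1".
vet_request() {
    case "$1" in
        "top -b -n 1"|"netstat -tun"|"df -P")
            return 0 ;;
        "ping -c 3 "*)
            host=${1#"ping -c 3 "}
            case "$host" in
                # empty, option-like, or anything outside hostname/IPv4 characters
                ""|-*|*[!A-Za-z0-9.-]*) return 1 ;;
                *) return 0 ;;
            esac ;;
        *)
            return 1 ;;
    esac
}

# Execute a vetted request directly (no shell re-parsing); log and refuse the rest.
run_request() {
    if vet_request "$1"; then
        PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH
        set -f        # no globbing while splitting the vetted string
        set -- $1     # safe: vetted text contains no shell metacharacters
        exec "$@"
    fi
    logger -t monitor-gate "refused: $1" 2>/dev/null || true
    echo "monitor-gate: command not permitted" >&2
    return 1
}

# No requested command means an interactive login: fall through, no shell.
[ -z "${SSH_ORIGINAL_COMMAND:-}" ] || run_request "$SSH_ORIGINAL_COMMAND"
```

Because the gate is the only program the key can start, a file copy request reaches `vet_request` like any other command and is refused; the refusal lines written by `logger` are worth alerting on.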