Blog Post

Tech Talk
2 MIN READ

Migrate your Linux collectors to non-root by Sept 30!

akshay_mysore's avatar
akshay_mysore
Icon for Product Manager rankProduct Manager
2 years ago

Hello All,

Thank you for supporting LogicMonitor's efforts to ensure Collector Security. With your help, we have been able to transition ~7,000 collectors to non-privileged users out of the 10,000 linux collectors currently live in customer environments.

Per our last email on this topic, we had shared a deadline of June 30, 2023 for customers to migrate their collectors from root to non-root users. Due to customer requests needing more time, we have now extended the deadline to September 30, 2023, allowing for more time to test the non-root migration scripts and migrate linux collectors.
 

We appreciate your support in helping us achieve our goal of running all collectors using non-privileged credentials

ACTION REQUIRED:

TIMELINE:

  • Migrate your current linux collector install base to non-privileged users as soon as possible, however no later than September 30, 2023. Your current collectors will not be affected by this change, only new installs will not be installed as root.

Thank you for your prompt attention to this matter.  If you have any questions, please contact Logicmonitor Support or contact your Customer Success Manager (CSM)

Is there a reason why this will not work in your environment?

Would you still like to run a linux collector as root?

Let us know in the comments

Thank you!

Published 2 years ago
Version 1.0
  • Anonymous's avatar
    Anonymous

    Not likely. WIIFM (a conversation I’ve had with MRod several times over the years).

    Besides, it uses undocumented, and therefore unsupported, API endpoints. But I’ll make you a deal: if you add the endpoints into the documentation and start supporting them, I’ll open source my DS. Probably still won’t put it into the exchange though because I can’t use git to push updates to that repo and code reviews take years to complete.

  • Anonymous's avatar
    Anonymous

    Great answer!

    Added /setting/collector/collectors/:id/services/getStatusCheck checkPoints as ILPs to my collector problem detector datasource so now I have that role (and a ton of other stuff) as a property that I can just check.

    Turns out none of my Linux collectors are running as root. Would have been nice not to have to go through all that work to find out there’s nothing to do.

    FYI: If you know you installed your Linux collectors accepting the defaults (i.e. create the logicmonitor user), then there’s nothing to do.

  • this is the ultimate goal for Logicmonitor

    Hi Axshey, what is the ultimate goal? Why are you trying to move away from root? This makes running collectors in containers harder since they typically don’t have any user besides root.

    Is there a propertysource you’ve written that will tell me which collectors are running as root vs. non-root? When we do the install, we run it with sudo and it creates the logicmonitor user. Neither of which are using the root account (depending on your philosophy on sudo).

    Come to think of it, I need a propertysource that shows the user for each of my collectors (windows too), so i may just write it. Might make it a configsource so i can keep the history.

    If you go to your collectors page → Click on on “Manage” for the collector in question → Go to Collector status, you can find the root/non-root status of the collector
    If you are installing the Linux collector using the logicmonitor user created, you dont have to take any action. It is running as a non-root user then.
     

    We are pursuing non-root privileges for the collector because:
    1) It will limit damages in case a vulnerability is exploited by an attacker.
    2) It helps you pass security audits if a security conscious customer demands it.
    3) The collector does not need to run at max privilege in order to monitor most devices and running software applications in the least privilege mode is security best practice

  • Anonymous's avatar
    Anonymous

    Let me rephrase: “running all collectors using non-privileged credentials” is not a goal, it’s a strategy to get to a goal. 

    What benefit are you trying to provide to me? What outcome are you trying to achieve?

  • Anonymous's avatar
    Anonymous

    this is the ultimate goal for Logicmonitor

    Hi Axshey, what is the ultimate goal? Why are you trying to move away from root? This makes running collectors in containers harder since they typically don’t have any user besides root.

    Is there a propertysource you’ve written that will tell me which collectors are running as root vs. non-root? When we do the install, we run it with sudo and it creates the logicmonitor user. Neither of which are using the root account (depending on your philosophy on sudo).

    Come to think of it, I need a propertysource that shows the user for each of my collectors (windows too), so i may just write it. Might make it a configsource so i can keep the history.

  • Hi Stewart, this is the ultimate goal for Logicmonitor, but we are still some ways from it. This notice mainly refers to moving linux collectors from root to non-root users. If you have further questions, please send me a private message over here or you can also contact your customer success manager for help.

  • Anonymous's avatar
    Anonymous

    We appreciate your support in helping us achieve our goal of running all collectors using non-privileged credentials

    I missed this in the original goal. This is not a requirement for us. We haven’t started the planning process much less started executing.