Public bug reported:

As monit is a configurable system monitoring tool, it is expected that admins will expand it to monitor all aspects of a system. The configured system hardening rules block what seem like common use cases:

1. To run systemctl on an NVMe drive needs CAP_SYS_ADMIN and on a SATA drive needs CAP_SYS_RAWIO
2. Monit is commonly used to restart other services (usually with systemctl) so it should have all the capability to run whatever is required in other service files.

See https://bitbucket.org/tildeslash/monit/issues/1109/unable-to-monitor-php-fpm-unixsockets-on in which CAP_DAC_OVERRIDE is required to monitor, restart php-fpm.

Instead of playing whack-a-mole on permissions as admins try to use monit as intended, it might be better to not be as restrictive. It appears that this is an addition to 24.04 and the version of monit distributed with it.

Thanks.
Jeff

** Affects: monit (Ubuntu)
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/2086568

Title: monit system hardening additions
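An added diagnostic, not part of the bug report or of monit: it decodes the `Cap*` masks from `/proc/<pid>/status` and lists which of the three capabilities named in the report are absent from a process's bounding or effective set. The status text embedded below is constructed sample data, and the function names are this example's own; the bit numbers are those defined in `linux/capability.h`.

```python
import sys

# Capabilities named in the report, with their bit numbers from linux/capability.h.
REQUIRED = {
    "CAP_DAC_OVERRIDE": 1,   # php-fpm unix socket case (linked monit issue)
    "CAP_SYS_RAWIO": 17,     # SATA drive case
    "CAP_SYS_ADMIN": 21,     # NVMe drive case
}

def parse_cap_sets(status_text):
    """Return {'CapInh': int, 'CapPrm': int, ...} from /proc/<pid>/status text."""
    sets = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Cap"):
            sets[key] = int(value.strip(), 16)
    return sets

def missing_caps(status_text, required=REQUIRED):
    """Map each required capability to the sets (CapBnd, CapEff) that lack it."""
    sets = parse_cap_sets(status_text)
    report = {}
    for name, bit in required.items():
        lacking = [s for s in ("CapBnd", "CapEff")
                   if not (sets.get(s, 0) >> bit) & 1]
        if lacking:
            report[name] = lacking
    return report

# Constructed sample: a process limited to CAP_KILL, CAP_SETGID, CAP_SETUID
# and CAP_NET_BIND_SERVICE (bits 5, 6, 7, 10 -> 0x4e0). Not taken from a real host.
SAMPLE_STATUS = (
    "Name:\tmonit\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000000004e0\n"
    "CapEff:\t00000000000004e0\n"
    "CapBnd:\t00000000000004e0\n"
    "CapAmb:\t0000000000000000\n"
)

if __name__ == "__main__":
    # With a PID argument, inspect that process; otherwise use the sample.
    text = open(f"/proc/{sys.argv[1]}/status").read() if len(sys.argv) > 1 else SAMPLE_STATUS
    for cap, where in missing_caps(text).items():
        print(f"{cap}: missing from {', '.join(where)}")
```

A capability missing from `CapBnd` is the more restrictive finding, because the bounding set is inherited by every program the process executes.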
