Allow Agent Bakery to work with non-root

7 votes

Today many organisations are forced to implement zero-trust security measures. Running the Checkmk agent as a non-privileged account is a hard requirement for many of us.

The Agent bakery does not work with the non-root setup in these scenarios:

- Local checks deployed using "deploy local files with agent" do not work, as the user/group for all folders is still root.
- The execute bit for other is not set, meaning no local checks can run.
- As the agent has built-in checks (not separate checks), it's not possible to run these with sudo unless these functions are copied and created as local checks with sudo implemented. Postfix and NTP are some of those that might require root permissions.
- The agent updater (which exists twice: once as a plugin and once as a timer in systemd) cannot be updated if the agent is running as someone other than root. Even if the systemd update service and timer are running as root, the agent can't update itself.

Under consideration Checks&Agents Suggested by: Andy Upvoted: 14 Oct, '23 Comments: 5
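The first two points can be checked on a host before switching the agent to a non-root account. The following is an added example, not Checkmk code and not part of the original post: it applies the POSIX owner/group/other rule to every directory and file under a local check directory and lists what a given uid could not run. The function names, the constructed sample tree and the agent uid in `demo()` are assumptions for illustration.

```python
import os
import stat
import tempfile


def can_execute(st, uid, gids):
    """POSIX rule: exactly one of the owner/group/other execute bits applies."""
    if st.st_uid == uid:
        bit = stat.S_IXUSR
    elif st.st_gid in gids:
        bit = stat.S_IXGRP
    else:
        bit = stat.S_IXOTH
    return bool(st.st_mode & bit)


def audit_local_checks(local_dir, uid, gids):
    """Return (path, reason) for each entry the account uid/gids cannot run."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(local_dir):
        if not can_execute(os.stat(dirpath), uid, gids):
            findings.append((dirpath, "directory not searchable"))
            dirnames[:] = []  # nothing below an unsearchable directory can run
            continue
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if not can_execute(os.stat(path), uid, gids):
                findings.append((path, "not executable"))
    return findings


def demo():
    """Constructed tree: one 0755 check and one 0750 check, as a baked package might leave it."""
    agent_uid = os.getuid() + 1  # hypothetical non-root agent account, in no shared group
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        for name, mode in (("ok_check", 0o755), ("baked_check", 0o750)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\necho '0 demo - OK'\n")
            os.chmod(path, mode)
        before = audit_local_checks(root, agent_uid, set())
        os.chmod(os.path.join(root, "baked_check"), 0o755)  # set the execute bit for other
        after = audit_local_checks(root, agent_uid, set())
    return [os.path.basename(p) for p, _ in before], after
```

On a real host, call `audit_local_checks` with the agent's local check directory and the uid and group ids of the account the agent runs as.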
