Update sudo config recommendation (#5337)
parent 35d18d3fd7
commit 7a229e25a6
				|  | @ -10,15 +10,24 @@ Acquiring the required permissions can be done using several methods: | |||
| 
 | ||||
| ### Using sudo | ||||
| 
 | ||||
| You may edit your sudo configuration with the following: | ||||
| You will need the following in your telegraf config: | ||||
| ```toml | ||||
| [[inputs.fail2ban]] | ||||
|   use_sudo = true | ||||
| ``` | ||||
| 
 | ||||
| ``` sudo | ||||
| telegraf ALL=(root) NOEXEC: NOPASSWD: /usr/bin/fail2ban-client status, /usr/bin/fail2ban-client status * | ||||
| You will also need to update your sudoers file: | ||||
| ```bash | ||||
| $ visudo | ||||
| # Add the following line: | ||||
| Cmnd_Alias FAIL2BAN = /usr/bin/fail2ban-client status, /usr/bin/fail2ban-client status * | ||||
| telegraf  ALL=(root) NOEXEC: NOPASSWD: FAIL2BAN | ||||
| Defaults!FAIL2BAN !logfile, !syslog, !pam_session | ||||
| ``` | ||||
| 
 | ||||
| ### Configuration: | ||||
| 
 | ||||
| ``` toml | ||||
| ```toml | ||||
| # Read metrics from fail2ban. | ||||
| [[inputs.fail2ban]] | ||||
|   ## Use sudo to run fail2ban-client | ||||
|  |  | |||
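Review bot: The added `Defaults!FAIL2BAN !logfile, !syslog, !pam_session` line turns off sudo's own logging and PAM session handling for every command in the alias, and the README text around it does not say so. Add a sentence stating the purpose of the line and that these invocations will no longer appear in the sudo log, so operators who rely on that log for auditing can decide whether to keep it. The `# Add the following line:` comment should also read "lines", since three are now added.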
|  | @ -25,10 +25,19 @@ AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN | |||
| 
 | ||||
| ### Using sudo | ||||
| 
 | ||||
| You may edit your sudo configuration with the following: | ||||
| You will need the following in your telegraf config: | ||||
| ```toml | ||||
| [[inputs.ipset]] | ||||
|   use_sudo = true | ||||
| ``` | ||||
| 
 | ||||
| ```sudo | ||||
| telegraf ALL=(root) NOPASSWD: /sbin/ipset save | ||||
| You will also need to update your sudoers file: | ||||
| ```bash | ||||
| $ visudo | ||||
| # Add the following line: | ||||
| Cmnd_Alias IPSETSAVE = /sbin/ipset save | ||||
| telegraf  ALL=(root) NOPASSWD: IPSETSAVE | ||||
| Defaults!IPSETSAVE !logfile, !syslog, !pam_session | ||||
| ``` | ||||
| 
 | ||||
| ### Configuration | ||||
|  |  | |||
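Review bot: The ipset user specification `telegraf  ALL=(root) NOPASSWD: IPSETSAVE` omits the `NOEXEC:` tag that the fail2ban entry in this same commit uses. If `ipset save` does not need to execute another program, add `NOEXEC:` here so the two recommendations are consistent, or document why it is left out.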
|  | @ -28,10 +28,20 @@ Since telegraf will fork a process to run iptables, `AmbientCapabilities` is req | |||
| 
 | ||||
| ### Using sudo | ||||
| 
 | ||||
| You may edit your sudo configuration with the following: | ||||
| You will need the following in your telegraf config: | ||||
| ```toml | ||||
| [[inputs.iptables]] | ||||
|   use_sudo = true | ||||
| ``` | ||||
| 
 | ||||
| ```sudo | ||||
| telegraf ALL=(root) NOPASSWD: /usr/bin/iptables -nvL * | ||||
| You will also need to update your sudoers file: | ||||
| 
 | ||||
| ```bash | ||||
| $ visudo | ||||
| # Add the following line: | ||||
| Cmnd_Alias IPTABLESSHOW = /usr/bin/iptables -nvL * | ||||
| telegraf  ALL=(root) NOPASSWD: IPTABLESSHOW | ||||
| Defaults!IPTABLESSHOW !logfile, !syslog, !pam_session | ||||
| ``` | ||||
| 
 | ||||
| ### Using IPtables lock feature | ||||
|  |  | |||
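Review bot: `Cmnd_Alias IPTABLESSHOW = /usr/bin/iptables -nvL *` carries the trailing `*` over from the old rule, and in sudoers a wildcard in the argument list matches across word boundaries, so the alias permits more than the listing it is named for. Consider spelling out the exact argument strings the plugin passes for the configured tables and chains, and adding `NOEXEC:` as the fail2ban entry does. This hunk also leaves a blank line between "update your sudoers file:" and the bash fence, which the other READMEs in the commit do not.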
|  | @ -86,7 +86,9 @@ You will also need to update your sudoers file: | |||
| ```bash | ||||
| $ visudo | ||||
| # Add the following line: | ||||
| telegraf ALL=(ALL) NOPASSWD: /usr/sbin/smtpctl | ||||
| Cmnd_Alias SMTPCTL = /usr/sbin/smtpctl | ||||
| telegraf  ALL=(ALL) NOPASSWD: SMTPCTL | ||||
| Defaults!SMTPCTL !logfile, !syslog, !pam_session | ||||
| ``` | ||||
| 
 | ||||
| Please use the solution you see as most appropriate. | ||||
|  |  | |||
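Review bot: The rewritten smtpctl rule keeps `ALL=(ALL)`, which lets the telegraf user run the command as any target user, while the fail2ban, ipset and iptables entries in this commit use `(root)`. Since the lines are being touched anyway, narrow the runas list to `(root)` and give `/usr/sbin/smtpctl` the specific subcommand the plugin calls, because a sudoers command with no argument list accepts any arguments.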
|  | @ -61,6 +61,27 @@ smartctl -s on <device> | |||
|   # devices = [ "/dev/ada0 -d atacam" ] | ||||
| ``` | ||||
| 
 | ||||
| ### Permissions: | ||||
| 
 | ||||
| It's important to note that this plugin references smartctl, which may require additional permissions to execute successfully. | ||||
| Depending on the user/group permissions of the telegraf user executing this plugin, you may need to  use sudo. | ||||
| 
 | ||||
| 
 | ||||
| You will need the following in your telegraf config: | ||||
| ```toml | ||||
| [[inputs.smart]] | ||||
|   use_sudo = true | ||||
| ``` | ||||
| 
 | ||||
| You will also need to update your sudoers file: | ||||
| ```bash | ||||
| $ visudo | ||||
| # Add the following line: | ||||
| Cmnd_Alias SMARTCTL = /usr/bin/smartctl | ||||
| telegraf  ALL=(ALL) NOPASSWD: SMARTCTL | ||||
| Defaults!SMARTCTL !logfile, !syslog, !pam_session | ||||
| ``` | ||||
| 
 | ||||
| ### Metrics: | ||||
| 
 | ||||
| - smart_device: | ||||
|  |  | |||
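Review bot: `Cmnd_Alias SMARTCTL = /usr/bin/smartctl` in the new Permissions section has no argument list, so sudo will accept any smartctl arguments, including setting-changing forms such as the `smartctl -s on <device>` shown earlier in this README. Restrict the alias to the read-only invocations the plugin needs and use `(root)` rather than `(ALL)`. Minor: "you may need to  use sudo" has a double space, and the text switches from "may need" to "You will need" without saying the sudo setup is only required when `use_sudo` is enabled.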
|  | @ -56,7 +56,9 @@ You will also need to update your sudoers file: | |||
| ```bash | ||||
| $ visudo | ||||
| # Add the following line: | ||||
| telegraf ALL=(ALL) NOPASSWD: /usr/sbin/unbound-control | ||||
| Cmnd_Alias UNBOUNDCTL = /usr/sbin/unbound-control | ||||
| telegraf  ALL=(ALL) NOPASSWD: UNBOUNDCTL | ||||
| Defaults!UNBOUNDCTL !logfile, !syslog, !pam_session | ||||
| ``` | ||||
| 
 | ||||
| Please use the solution you see as most appropriate. | ||||
|  |  | |||
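Review bot: The context comment `# Add the following line:` is now inaccurate for the unbound block, since the change replaces one sudoers line with three; update it to "lines". The block is also fenced as bash while mixing a shell prompt (`$ visudo`) with sudoers syntax, so it would read more clearly with the `visudo` command in the prose and only the sudoers lines in the fence.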
|  | @ -391,7 +391,9 @@ You will also need to update your sudoers file: | |||
| ```bash | ||||
| $ visudo | ||||
| # Add the following line: | ||||
| telegraf ALL=(ALL) NOPASSWD: /usr/bin/varnishstat | ||||
| Cmnd_Alias VARNISHSTAT = /usr/bin/varnishstat | ||||
| telegraf  ALL=(ALL) NOPASSWD: VARNISHSTAT | ||||
| Defaults!VARNISHSTAT !logfile, !syslog, !pam_session | ||||
| ``` | ||||
| 
 | ||||
| Please use the solution you see as most appropriate. | ||||
|  |  | |||
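Review bot: The varnish instructions still tell the reader to run plain `$ visudo`, which edits the main sudoers file, and the change now adds a `Cmnd_Alias` and a `Defaults!VARNISHSTAT` entry alongside the user rule. Recommending a dedicated drop-in, for example `visudo -f /etc/sudoers.d/telegraf`, would keep the three telegraf lines together and make them easier to review or remove later.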