Hi,
I am new to Site24x7 and was configuring your database monitoring plugins for the first time. You documentation gives a really bad advise to the users and I think you should review and update it. So far I looked at Postgres and MySQL plugins. In the documentation you give the steps for creation of a monitoring user in the databases and in them you specify superuser permissions for Postgres role and root for MySQL user. It is common knowledge that one of the basic rules of security is "minimum necessary privilege". The monitoring user does not need such extensive privileges to do the job and no sysadmin worth his salt would give them. Please update the documentation with the minimum necessary permissions for the monitoring user. In cases where access has to be provided to a particular database or table, please put their names in the documentation explicitly, not just mention "set the appropriate values for variables", like it is done it the Postgres plugin documentation.
I have not looked at other plugins yet, but there is a good chance that the documentation there has a similar problem. I strongly advise to review and update all plugin documentation and make sure that the rule of least necessary privilege is followed. For Postgres it should be enough to give a monitoring user SELECT rights on pg_stat_database table and for MySQL user just a REPLICATION CLIENT database privilege.
Thank you,
Alex
Hi Alex,
Thank you for pointing out the issues. The plugins require basic read-only user permission to fetch data for monitoring, although it is mentioned otherwise in the documentation.
We will update the documents appropriately.
Regards,
Anita
Hi Anita,
This is exactly what I am talking about. There is no such thing as "basic read-only user permissions". You have to document which permissions exactly to what databases or tables ideally providing the commands to achieve that. The examples with superuser and root access in my vew should be removed.
Thank you for looking into this as security is ever important these days!
Alex
Hi Alex,
By "basic read-only permission", I referred to the fact that plugins don't require super user or root permission.
As you have mentioned, we are updating our documentation with the exact permissions required for getting the monitoring data.
Regards,
Anita
Hi Anita,
I have read the updates to Postgres integration documentation page and I don't think these are good enough. Instead of a bad security advise now it is just confusing. There is no "read only" privilege in SQL. There is SELECT, INSERT, DROP, etc. And these privileges are always applied to something in particular be that all databases, particular database, table, etc. The instruction currently available do not provide any information on what permissions are actually required.
I expected to see something like:
Create a user in in Postgres database and provide SELECT privilege to the pg_stat_table in postgres database. Substitute <user_name> with a name you pick for a monitoring user and <password> for the password you want to assign to it. Login to the database as a "postgres" user and then:
For PostgreSQL 10 and later:
\c postgres
create user <user_name> with password '<password>'; grant pg_monitor to <user_name>; grant SELECT ON pg_stat_database to <user_name>;
For older PostgreSQL versions:
\c postgres
create user <user_name> with password '<password>'; grant SELECT ON pg_stat_database to <user_name>;
In the postgres.py plugin code make the following edits, assuming that the plugin runs on the same host as the database:
db = 'postgres'
userName = '<user_name>'
passWord = '<password>'
hostName = 'localhost'
port = '5432'
That would have been useful instructions, which a user can easily implement. MySQL instructions can be written in the similar way giving the exact steps which can be followed by a person who is not an expert in a particular database and a developer having to look into the code of the plugin and figure out which permissions are required from the queries issued. Bonus points if you also describe the necessary configuration line in pg_hba.conf.
Regards,
Alex