Technical Blog Post
Abstract
ITM Agent Insights: Agent Builder custom agents relying on the "Ping" data source must be run as "root" on UNIX / Linux.
Body
Gathering PING metrics requires "root" authority because of the protocol underneath: a ping is an ICMP Echo Request, and ICMP is carried directly over IP rather than over TCP or UDP, so sending and receiving it requires a raw socket. Creating a raw socket is a privileged operation. On Linux it requires the CAP_NET_RAW capability, which root holds by default (see the raw(7) excerpt at the end of this post); on other UNIX systems such as AIX it requires root authority.
This applies even when the "ping" command is run manually.
This is why the "ping" binary has the setuid bit set: when a non-root user runs it, the kernel starts the process with the effective user ID of the file's owner, root, so the command behaves as if root had started it:
Example:
$ ls -l /bin/ping
-rwsr-xr-x 1 root root 38264 Nov 13 2015 /bin/ping
This explains why a non-root user can gather "ping" output manually: the effective user ID is root while the process runs because the setuid bit is set on the "ping" executable (the "s" in place of the owner's "x" in the listing above). One caveat when checking this on newer Linux distributions: ping is often shipped without the setuid bit and with a file capability instead, so "ls -l" shows a plain -rwxr-xr-x while "getcap /bin/ping" reports cap_net_raw on the binary. That grants only the raw-socket privilege rather than full root, but the underlying requirement is the same.
Custom monitoring agents built with Agent Builder open the ICMP raw socket directly, and Agent Builder does NOT set the setuid bit on the custom agent executable to escalate its privileges. That is deliberate: a setuid-root binary runs all of its code, including whatever it does with untrusted network input, as root, so any defect in it becomes a local privilege-escalation path, and standard security practice discourages shipping programs that escalate their own privileges for this reason. The consequence is that a custom agent that gathers PING attribute data must itself be started as the "root" user in order to create the raw socket. This is a limitation imposed by the operating system's restriction on opening raw ICMP sockets, not by Agent Builder.
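The following is an added example, written for this post and not code from the IBM technote or from Agent Builder itself. It is a small C program that attempts the same socket() calls the k14agent RAS1 trace later in this post shows failing in "initV4" and "initV6", and adds a third probe for comparison: Linux's unprivileged ICMP datagram socket, which is gated by the net.ipv4.ping_group_range sysctl rather than by root authority (Agent Builder does not use it; it is shown only to make the privilege boundary visible). The probe labels and the classification names are this example's own.

```c
/* Added example (not part of the IBM technote or of Agent Builder's own code).
 * Probes which ICMP socket types the calling process may open and reports the
 * errno the same way the k14agent "initV4"/"initV6" trace does ("Errno 13").
 *
 * Build and run twice to compare:  cc -Wall -o icmp_probe icmp_probe.c
 *   ./icmp_probe            (normal user: raw sockets denied)
 *   sudo ./icmp_probe       (root / CAP_NET_RAW: raw sockets open)
 */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Coarse classification of a socket() outcome. */
enum probe_class {
    PROBE_OK,           /* socket opened */
    PROBE_PRIV_DENIED,  /* EPERM (Linux raw socket without CAP_NET_RAW) or EACCES (AIX, Errno 13) */
    PROBE_UNSUPPORTED,  /* this kernel has no such socket type / protocol */
    PROBE_OTHER         /* anything else (ENOMEM, EMFILE, ...) */
};

struct probe_result {
    int fd;   /* open descriptor, or -1 on failure */
    int err;  /* errno from socket() when fd == -1, else 0 */
};

enum probe_class classify_socket_errno(int err)
{
    switch (err) {
    case 0:               return PROBE_OK;
    case EPERM:
    case EACCES:          return PROBE_PRIV_DENIED;
    case EPROTONOSUPPORT:
    case ESOCKTNOSUPPORT:
    case EAFNOSUPPORT:
    case EINVAL:          return PROBE_UNSUPPORTED;
    default:              return PROBE_OTHER;
    }
}

/* Attempt socket(family, type, ICMP or ICMPv6); the caller closes fd when >= 0. */
struct probe_result probe_icmp_socket(int family, int type)
{
    struct probe_result r = { -1, 0 };
    int proto = (family == AF_INET6) ? IPPROTO_ICMPV6 : IPPROTO_ICMP;

    r.fd = socket(family, type, proto);
    if (r.fd < 0)
        r.err = errno;
    return r;
}

/* Probe, release the descriptor, and return just the classification. */
enum probe_class probe_class_of(int family, int type)
{
    struct probe_result r = probe_icmp_socket(family, type);
    if (r.fd >= 0) {
        close(r.fd);
        return PROBE_OK;
    }
    return classify_socket_errno(r.err);
}

static const char *class_name(enum probe_class c)
{
    switch (c) {
    case PROBE_OK:          return "ok";
    case PROBE_PRIV_DENIED: return "privilege denied (needs root / CAP_NET_RAW)";
    case PROBE_UNSUPPORTED: return "unsupported on this system";
    default:                return "other error";
    }
}

int main(void)
{
    /* The first two are what the Agent Builder ping data source opens; the
     * third is Linux's unprivileged ICMP "ping socket", allowed for the groups
     * listed in net.ipv4.ping_group_range and needing no raw-socket privilege. */
    static const struct { const char *label; int family; int type; } probes[] = {
        { "IPv4 raw ICMP   socket(AF_INET,  SOCK_RAW,   IPPROTO_ICMP)",   AF_INET,  SOCK_RAW   },
        { "IPv6 raw ICMPv6 socket(AF_INET6, SOCK_RAW,   IPPROTO_ICMPV6)", AF_INET6, SOCK_RAW   },
        { "IPv4 ICMP dgram socket(AF_INET,  SOCK_DGRAM, IPPROTO_ICMP)",   AF_INET,  SOCK_DGRAM },
    };
    size_t i;

    printf("uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        struct probe_result r = probe_icmp_socket(probes[i].family, probes[i].type);
        if (r.fd >= 0) {
            printf("%s: opened\n", probes[i].label);
            close(r.fd);
        } else {
            printf("%s: failed, Errno %d (%s) -> %s\n", probes[i].label, r.err,
                   strerror(r.err), class_name(classify_socket_errno(r.err)));
        }
    }
    return 0;
}
```

As an unprivileged user on Linux the two raw probes fail with Errno 1 (EPERM) rather than the Errno 13 (EACCES) the AIX trace shows; both are the same privilege denial, which is why the classifier folds them together. Whether the datagram probe opens depends on the process's group being inside net.ipv4.ping_group_range.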
ITM diagnostics: with the trace setting KBB_RAS1=ERROR (UNIT: ping all), the RAS1 log shows the following when the agent is started as a non-root user. Errno 13 is EACCES ("Permission denied"), returned by the socket() call when the process lacks the authority to create a raw socket.
Using the non-root "itmadm" user:
*********** Wed Mar 28 08:51:05 EDT 2018 ******************
User: itmadm Groups: nonroot
Host name : System1 Installer Lvl:06.30.02.00
CandleHome: /opt/IBM/ITM
***********************************************************
Host Prod PID Owner Start ID ..Status
System1 14 16384090 itmadm 08:48:55 None ...running
System1_14_k14agent_5abb8f37-01.log
!5ABB8F37.0000!========================> IBM Tivoli RAS1 Service Log <========================
+5ABB8F37.0000 System Name: System1 Process ID: 16384090
+5ABB8F37.0000 Program Name: k14agent User Name: itmadm
+5ABB8F37.0000 Task Name: k14agent System Type: AIX;7.1
+5ABB8F37.0000 MAC1_ENV Macro: 0xA326 Start Date: 2018/03/28
+5ABB8F37.0000 Start Time: 08:48:55 AS Limit: None
+5ABB8F37.0000 Core Limit: None CPU Limit: None
+5ABB8F37.0000 Data Limit: None Fsize Limit: None
+5ABB8F37.0000 Nofile Limit: None Stack Limit: 1024M
+5ABB8F37.0000 Service Point: ictm.dev268_14 UTC Start Time: 5abb8f37
+5ABB8F37.0000 Executable Name: k14agent ITM Home: /apps/ITM
+5ABB8F37.0000 ITM Process: dev268_14 Effective User Name: itmadm
+5ABB8F37.0000 KBB_RAS1=ERROR (UNIT: ping all)
ping.cpp,711,"initV4") ***** unable to open IPv4 raw socket for ICMP processing. Errno 13
ping.cpp,716,"initV4") Exit: 0x0
pingqueryclass.cpp,227,"reset") Failed to open IP V4 ICMP socket.
ping.cpp,974,"initV6") Active RAS1 Classes: EVERYT EVERYE EVERYU
ping.cpp,974,"initV6") Entry
ping.cpp,987,"initV6") ***** unable to open IPv6 raw socket for ICMP processing. Errno 13
ping.cpp,993,"initV6") Exit: 0x0
pingqueryclass.cpp,232,"reset") Failed to open IP V6 ICMP socket.
pingqueryclass.cpp,301,"setPerformanceObjectStatus") Active RAS1 Classes: EVERYT EVERYE EVERYU
pingqueryclass.cpp,301,"setPerformanceObjectStatus") Entry
pingqueryclass.cpp,347,"setPerformanceObjectStatus") Exit
pingqueryclass.cpp,297,"reset") Exit
In the TEP, the "Performance Object Status" workspace reports the Object Status as "INACTIVE" and the Error Code as "ICMP SOCKETS FAILED", and the "Managed Nodes" workspace remains blank because no ping data was collected.
Prior PSIRT (Product Security Incident Response Team) report regarding programs escalating privileges.
From the Linux raw(7) man page, http://man7.org/linux/man-pages/man7/raw.7.html :
"In order to create a raw socket, a process must have the CAP_NET_RAW capability in the user namespace that governs its network namespace."
Submitter: drd401709
Compid: 5724C04BR 5725U05AB
Reference DCF technotes: CMVCS 178711
Keywords: AB ICMP_SOCKETS_FAILED
UID: ibm11278016
