Technical Blog Post
ITM Agent Insights: Agent Builder custom agents relying on "Ping" data source must be run as "root" on UNIX / Linux.
Gathering PING metrics requires "root" authority due to the underlying ICMP protocol. Opening a raw socket to send / receive data on when issuing a "ping" request requires "root" authority.
This applies even when running "ping" command manually.
This is why the "ping" command has "setuid" bit set so that when it is issued by a non-root user, the setuid bit being set runs the command as if it had been initiated by "root":
$ ls -l /bin/ping
-rwsr-xr-x 1 root root 38264 Nov 13 2015 /bin/ping
This explains why it is possible to gather "ping" output manually using a non-root user id. The effective user ID is "root" when the process is run since the setuid bit is set on the "ping" command.
Custom monitoring agents built with Agent Builder use the ICMP protocol directly, and do NOT turn on the setuid bit for the custom agent executable to escalate privileges. This is why the custom agent must be run as "root" in order to be able to create the raw socket and gather PING metrics. Standard practice frowns upon programs escalating privileges, as this is often seen as a security concern. As such, in order to gather PING attribute data, custom agents built with Agent Builder need to run as "root" user. This is considered a limitation due to the underlying restriction of ICMP open (raw) socket.
ITM diagnostics will show the following in the RAS1 logs when using: KBB_RAS1=ERROR (UNIT: ping all)
Using "itmadm" user:
*********** Wed Mar 28 08:51:05 EDT 2018 ******************
User: itmadm Groups: nonroot
Host name : System1 Installer Lvl:06.30.02.00
Host Prod PID Owner Start ID ..Status
System1 14 16384090 itmadm 08:48:55 None ...running
!5ABB8F37.0000!========================> IBM Tivoli RAS1 Service Log <========================
+5ABB8F37.0000 System Name: System1 Process ID: 16384090
+5ABB8F37.0000 Program Name: k14agent User Name: itmadm
+5ABB8F37.0000 Task Name: k14agent System Type: AIX;7.1
+5ABB8F37.0000 MAC1_ENV Macro: 0xA326 Start Date: 2018/03/28
+5ABB8F37.0000 Start Time: 08:48:55 AS Limit: None
+5ABB8F37.0000 Core Limit: None CPU Limit: None
+5ABB8F37.0000 Data Limit: None Fsize Limit: None
+5ABB8F37.0000 Nofile Limit: None Stack Limit: 1024M
+5ABB8F37.0000 Service Point: ictm.dev268_14 UTC Start Time: 5abb8f37
+5ABB8F37.0000 Executable Name: k14agent ITM Home: /apps/ITM
+5ABB8F37.0000 ITM Process: dev268_14 Effective User Name: itmadm
+5ABB8F37.0000 KBB_RAS1=ERROR (UNIT: ping all)
ping.cpp,711,"initV4") ***** unable to open IPv4 raw socket for ICMP processing. Errno 13
ping.cpp,716,"initV4") Exit: 0x0
pingqueryclass.cpp,227,"reset") Failed to open IP V4 ICMP socket.
ping.cpp,974,"initV6") Active RAS1 Classes: EVERYT EVERYE EVERYU
ping.cpp,987,"initV6") ***** unable to open IPv6 raw socket for ICMP processing. Errno 13
ping.cpp,993,"initV6") Exit: 0x0
pingqueryclass.cpp,232,"reset") Failed to open IP V6 ICMP socket.
pingqueryclass.cpp,301,"setPerformanceObjectStatus") Active RAS1 Classes: EVERYT EVERYE EVERYU
In the TEP, the "Performance Object Status" workspace will report the Object Status as "INACTIVE" and the Error Code as "ICMP SOCKETS FAILED"
The "Managed Nodes" workspace will be blank and not populated with data.
Previous security incident report (PSIRT) regarding programs escalating privileges.
" In order to create a raw socket, a process must have the CAP_NET_RAW capability in the user namespace that governs its network namespace."
Compid: 5724C04BR 5725U05AB
Reference DCF technotes: CMVCS 178711
Keywords: AB ICMP_SOCKETS_FAILED
Additional ITM Agent Insights series of IBM Tivoli Monitoring Agent blogs are indexed under ITM Agent Insights: Introduction.
Subscribe and follow us for all the latest information directly on your social feeds:
Check out all our other posts and updates: