As monit is a configurable system monitoring tool, it is expected that admins will expand it to monitor all aspects of a system. The configured system hardening rules block what seem like common use cases. Two additional ones are:
1. To run systemctl on an NVMe drive needs CAP_SYS_ADMIN and on a SATA drive needs CAP_SYS_RAWIO.
2. Monit is commonly used to restart other services (usually with systemctl), so it should have all the capabilities needed to run whatever is required in other service files. See https://bitbucket.org/tildeslash/monit/issues/1109/unable-to-monitor-php-fpm-unixsockets-on in which CAP_DAC_OVERRIDE is required to monitor and restart php-fpm.

Instead of playing whack-a-mole on permissions as admins try to use monit as intended, it might be better to not be as restrictive.

Thanks

Jeff

-- 
Jeffrey C. Honig <j...@honig.net> http://jch.honig.net
PGP ID: A96C148E8B0E5F741A90ED04BBE5FFC5E52718CE <https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xa96c148e8b0e5f741a90ed04bbe5ffc5e52718ce>
Keybase: jchonig <https://keybase.io/jchonig>
Secure E-mail <https://protonmail.com>: jcho...@pm.me
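An added example, not from this report or the monit project, of the per-host alternative to loosening the packaged unit: a systemd drop-in that grants only the capabilities named above. It assumes the shipped monit.service limits the service through CapabilityBoundingSet and that the admin has confirmed each capability is actually needed by the checks configured on that host.

```ini
# /etc/systemd/system/monit.service.d/override.conf  (created by `systemctl edit monit`)
# Assumption: the packaged unit sets CapabilityBoundingSet=; a second
# CapabilityBoundingSet= line in a drop-in is OR-merged with it, so only
# the capabilities listed here are added and nothing else is loosened.
[Service]
# CAP_SYS_ADMIN  : NVMe admin commands issued by disk-health checks
# CAP_SYS_RAWIO  : raw SCSI/ATA commands for SATA disk-health checks
# CAP_DAC_OVERRIDE: access to root-owned unix sockets such as php-fpm's
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_RAWIO CAP_DAC_OVERRIDE
# Drop any of the three lines above that the local monitrc does not need;
# CAP_SYS_ADMIN in particular is close to full root and should not be
# granted for a SATA-only or sockets-only configuration.
```

After `systemctl daemon-reload`, `systemd-analyze security monit` shows the resulting exposure score so the added capabilities can be compared against the packaged defaults.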