Monit and M/Monit both put a lot of faith in filesystem permissions to protect passwords. Three different passwords can be found in the clear:
- the admin password for the monit agent HTTP interface, in the monitrc file
- the M/Monit password, in the monitrc file
- M/Monit stores monit agent passwords in the clear within the "host" table
I understand that these files should only be readable by the root user, but we still consider it a security violation to have any passwords in the clear, regardless of the file permissions.
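An audit sketch for the two monitrc cases listed above, added here as an example; it is not part of the original post and not Monit's own code. It assumes the credentials appear as `allow user:password` and as `set mmonit http://user:password@host/collector`; the sample file and all values in it are constructed.

```python
import ipaddress
import re
import stat

# Constructed sample monitrc; hostnames and credentials are placeholders.
SAMPLE_MONITRC = """\
set daemon 30
set mmonit http://agentuser:agentpass@mmonit.example.com:8080/collector
set httpd port 2812 and
    use address localhost
    allow localhost
    allow admin:examplepass   # cleartext user:password
    allow md5 /etc/monit/htpasswd
"""

ALLOW_RE = re.compile(r'^\s*allow\s+([^\s:#]+):([^\s#]+)', re.I)
MMONIT_RE = re.compile(r'^\s*set\s+mmonit\s+https?://([^:/@\s]+):([^@/\s]+)@', re.I)

def _is_ip(token):
    """Guard so an address-like token containing ':' is not reported."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def find_cleartext(text):
    """Return (line_no, kind, user) per cleartext credential; never the password."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ALLOW_RE.match(line)
        if m and not _is_ip(m.group(1) + ":" + m.group(2)):
            findings.append((n, "httpd-allow", m.group(1)))
        m = MMONIT_RE.match(line)
        if m:
            findings.append((n, "mmonit-url", m.group(1)))
    return findings

def mode_too_open(mode):
    """True if group or other hold any permission bits on the file."""
    return bool(stat.S_IMODE(mode) & 0o077)

if __name__ == "__main__":
    for line_no, kind, user in find_cleartext(SAMPLE_MONITRC):
        print(f"line {line_no}: {kind} cleartext password for user {user!r}")
```

On a real host, pass `os.stat(path).st_mode` for the monitrc file to `mode_too_open` alongside the content scan.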