A new feature for UNIX and Linux
monitoring with System Center 2012 – Operations Manager is the ability
to use sudo elevation in the discovery and agent ugprade wizards, as
well as Run As accounts. This means that the root user is no longer
needed for privileged monitoring (log file monitoring, script/command
execution) and agent maintenance (installation, upgrade, and
uninstallation). Information on configuring Operations Manager
credentials to use sudo elevation can be found
In order to use sudo-enabled accounts for Operations Manager monitoring, the sudoers file must be configured (on each UNIX/Linux computer) to authorize elevation for the selected user account, using visudo. General requirements for the accounts used by Operations Manager with sudo elevation are:
In order to use sudo-enabled accounts for Operations Manager monitoring, the sudoers file must be configured (on each UNIX/Linux computer) to authorize elevation for the selected user account, using visudo. General requirements for the accounts used by Operations Manager with sudo elevation are:
- The sudoers option requiretty must be disabled for the user
- For required commands, sudo authorization must be configured to allow the user to elevate to root, without password
Sample Configurations
The actual list of commands used for privileged monitoring or agent maintenance varies between platforms. The sample configurations below provide a user named “monuser” with the minimum necessary authorization to perform the following activities:- Discover and install the agent
- Sign the agent certificate
- Upgrade the agent
- Restart the agent (used in certificate signing and agent recovery)
- Uninstall the agent
- Read privileged log files
AIX
| #----------------------------------------------------------------------------------- #User configuration for Operations Manager agent – for a user with the name: monuser #General requirements Defaults:monuser !requiretty #Lower sudo password prompt timeout for the user Defaults:monuser passwd_tries = 1, passwd_timeout = 1 #Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing) monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/tools/scxadmin monuser ALL=(root) NOPASSWD: /usr/bin/sh -c sh /tmp/scx-*/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-*; exit $EC monuser ALL=(root) NOPASSWD: /usr/bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem monuser ALL=(root) NOPASSWD: /usr/bin/sh -c gzip -dqf /tmp/scx-* monuser ALL=(root) NOPASSWD: /usr/bin/sh -c echo * monuser ALL=(root) NOPASSWD: /usr/bin/sh -c /usr/sbin/installp -u scx ###Examples #Custom shell command monitoring example – replace <shell command> with the correct command string #monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command> #Daemon diagnostic and restart recovery tasks example (using cron) #monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep #monuser ALL=(root) NOPASSWD: /usr/sbin/cron & #End user configuration for Operations Manager agent #----------------------------------------------------------------------------------- |
|
#----------------------------------------------------------------------------------- #User configuration for Operations Manager agent – for a user with the name: monuser #General requirements Defaults:momuser !requiretty #Lower sudo password prompt timeout for the user Defaults:momuser passwd_tries = 1, passwd_timeout = 1 #Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing) momuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/tools/scxadmin momuser ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-*/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-*; exit $EC momuser ALL=(root) NOPASSWD: /bin/sh -c uncompress -f /tmp/scx-* momuser ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem momuser ALL=(root) NOPASSWD: /bin/sh -c echo * momuser ALL=(root) NOPASSWD: /bin/sh -c /usr/sbin/swremove scx ###Examples #Custom shell command monitoring example – replace <shell command> with the correct command string #monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command> #Daemon diagnostic and restart recovery tasks example (using cron) #monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep #monuser ALL=(root) NOPASSWD: /sbin/init.d/cron start #End user configuration for Operations Manager agent #------------------------------------------------------------------------------- |
|
#----------------------------------------------------------------------------------- #User configuration for Operations Manager agent – for a user with the name: monuser #General requirements Defaults:monuser !requiretty #Lower sudo password prompt timeout for the user Defaults:monuser passwd_tries = 1, passwd_timeout = 1 #Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing) monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/tools/scxadmin monuser ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-*/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-*; exit $EC monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force */scx-* monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force */scx-* monuser ALL=(root) NOPASSWD: /bin/sh -c rpm -e scx monuser ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem monuser ALL=(root) NOPASSWD: /bin/sh -c echo * #Log file monitoring monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p ###Examples #Custom shell command monitoring example – replace <shell command> with the correct command string #monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command> #Daemon diagnostic and restart recovery tasks example (using cron) #monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep #monuser ALL=(root) NOPASSWD: /sbin/service cron start #End user configuration for Operations Manager agent #----------------------------------------------------------------------------------- |
|
#----------------------------------------------------------------------------------- #User configuration for Operations Manager agent – for a user with the name: monuser #General requirements Defaults:monuser !requiretty #Lower sudo password prompt timeout for the user Defaults:monuser passwd_tries = 1, passwd_timeout = 1 Monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/tools/scxadmin monuser ALL=(root) NOPASSWD: /usr/bin/sh -c sh /tmp/scx-*/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-*; exit $EC monuser ALL=(root) NOPASSWD: /usr/bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem monuser ALL=(root) NOPASSWD: /usr/bin/sh -c echo * monuser ALL=(root) NOPASSWD: /usr/bin/sh -c rm -rf /tmp/scx-* #Log file monitoring monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p ###Examples #Custom shell command monitoring example – replace <shell command> with the correct command string #monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command> #Daemon diagnostic and restart recovery tasks example (using cron) #monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep #monuser ALL=(root) NOPASSWD: sh -c '/etc/init.d/cron start' #End user configuration for Operations Manager agent #----------------------------------------------------------------------------------- |
Troubleshooting
Sudo log
The best way to troubleshoot authentication failures that may be
related to sudoers configuration is to inspect the sudo log on the agent
host. Sudo logging is controlled in sudoers, with the Defaults
parameter logfile. For example, the line: Defaults logfile=/var/log/sudolog enables sudo logging to the file /var/log/sudolog. Password Prompts and Timeouts
Operations Manager’s use of sudo elevation requires passwordless elevation. By default, sudo will prompt for a password if a command is not configured with NOPASSWD for the user (this may happen if a specific command was not configured for the user, or if the NOPASSWD option was not set). It is recommended that you configure the following option in sudoers for the user account: Defaults:monuser passwd_tries = 1, passwd_timeout = 1. This example sets a one minute password prompt timeout for the user monuser, which allows the command to fail quickly if a sudo configuration problem exists.
No comments:
Post a Comment