A new feature for UNIX and Linux monitoring in System Center 2012 – Operations Manager is the ability to use sudo elevation in the discovery and agent upgrade wizards, as well as in Run As accounts. This means that the root user is no longer needed for privileged monitoring (log file monitoring, script/command execution) or for agent maintenance (installation, upgrade, and uninstallation). Information on configuring Operations Manager credentials to use sudo elevation can be found here. To use sudo-enabled accounts for Operations Manager monitoring, the sudoers file must be configured (on each UNIX/Linux computer) to authorize elevation for the selected user account; edit it with visudo so that a syntax error is caught before the file is saved and the account (or root) is locked out. General requirements for the accounts used by Operations Manager with sudo elevation are:
Information on the rights and privileges required for Operations Manager activities can be found here.
The actual list of commands used for privileged monitoring or agent maintenance varies between platforms. The sample configurations below provide a user named “monuser” with the minimum necessary authorization to perform the following activities:
Commented lines in these configurations provide example syntax for use with custom command/script monitors, rules, or tasks (such as those created with the UNIX/Linux Shell Command monitoring templates), as well as daemon monitoring diagnostic and recovery tasks.
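Before deploying one of these fragments it is worth checking it for the three patterns that quietly turn a "minimum necessary" rule into unrestricted root: a bare ALL; an interpreter run with -c and a * somewhere in its arguments (sudoers wildcards are fnmatch(3) patterns, and * also matches spaces and semicolons, so a rule for sh -c echo * accepts sh -c "echo x; /bin/bash"); and a script or package path under /tmp, which the monitoring account can replace before sudo runs it as root. The script below is an added example written for this page, not Microsoft's code and not part of the original article: the tag names, the functions audit_sudoers and count_findings, and the sample fragment are all constructed here. The fragment reuses the rule shapes shown on this page plus the NOPASSWD: ALL line they are equivalent to, and the script needs only sh and awk.

```shell
#!/bin/sh
# Added example (not from the original page): static audit of a sudoers
# fragment for the patterns that make a monitoring rule equivalent to root.
# Assumptions: each non-comment, non-Defaults line is a user specification
# of the form  user HOST=(runas) [Tag:] command args  as used on this page;
# tag names and the sample fragment are this example's own.

# audit_sudoers FILE
# Prints one "TAG<TAB>rule" line per finding.
audit_sudoers() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^[[:space:]]*Defaults/ { next }
        {
            rule = $0
            cmd = rule
            # drop "user HOST=(runas)" and any Tag: prefixes, leaving the command
            sub(/^[^=]*=\([^)]*\)[[:space:]]*/, "", cmd)
            while (sub(/^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):[[:space:]]*/, "", cmd)) { }
            if (cmd == "ALL") {
                print "ALL_COMMANDS\t" rule
                next
            }
            split(cmd, tok, /[[:space:]]+/)
            path = tok[1]
            # shell -c with a * in the arguments: the * also matches spaces and ";",
            # so any command can be appended and runs as the runas user
            if (path ~ /(^|\/)(sh|bash|ksh|dash)$/ && tok[2] == "-c" && cmd ~ /\*/)
                print "SHELL_WILDCARD\t" rule
            # the script or package executed lives in a world-writable directory,
            # so the caller can swap it out before sudo runs it as root
            if (cmd ~ /\/tmp\//)
                print "TMP_PATH\t" rule
            # wildcard in the command path itself: every file in that directory,
            # including ones added later, becomes runnable as root
            if (path ~ /\*/)
                print "PATH_WILDCARD\t" rule
        }' "$1"
}

# count_findings TAG FILE  ->  number of findings carrying that tag
count_findings() {
    audit_sudoers "$2" | awk -v tag="$1" -F'\t' '$1 == tag { n++ } END { print n + 0 }'
}

# Constructed sample fragment: rule shapes from this page, the NOPASSWD: ALL
# line they amount to, and one rule that is genuinely narrow.
DEMO_SUDOERS=$(mktemp)
cat > "$DEMO_SUDOERS" <<'EOF'
#User configuration for Operations Manager agent - for a user with the name: monuser
Defaults:monuser !requiretty
monuser ALL=(root) NOPASSWD: ALL
monuser ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-monuser/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c echo *
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c gzip -dqf /tmp/scx-*
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/tools/*
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p
EOF

# Six findings: ALL_COMMANDS x1, SHELL_WILDCARD x2, TMP_PATH x2, PATH_WILDCARD x1;
# the scxlogfilereader rule produces none.
audit_sudoers "$DEMO_SUDOERS"
```

Run it against a real file with audit_sudoers /etc/sudoers.d/monuser once visudo -c -f has accepted the syntax. TMP_PATH findings are expected during an install or upgrade window and should be gone from the permanent configuration; SHELL_WILDCARD and ALL_COMMANDS findings mean the account is root in everything but name.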
These configurations apply to System Center 2012 SP1 - Operations Manager. Example configurations for System Center 2012 - Operations Manager are listed in the next section.
#-----------------------------------------------------------------------------------
#User configuration for Operations Manager agent – for a user with the name: monuser
#AIX (installp/lpp packaging)
#Every rule must name the same account as the Run As account; monuser is used throughout
#General requirements
Defaults:monuser !requiretty
#Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing)
monuser ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-monuser/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-monuser; /opt/microsoft/scx/bin/tools/scxadmin -restart
monuser ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-monuser/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /bin/sh -c /usr/sbin/installp -u scx
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c gzip -dqf /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].aix.[0-9].ppc.lpp.gz;/usr/sbin/installp -a -d /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].aix.[0-9].ppc.lpp scx; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC
#Log file monitoring
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p
###Examples
#Custom shell command monitoring example – replace <shell command> with the correct command string
#monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command>
#Daemon diagnostic and restart recovery tasks example (using cron)
#monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#monuser ALL=(root) NOPASSWD: /usr/sbin/cron &
#End user configuration for Operations Manager agent
#-----------------------------------------------------------------------------------
#-----------------------------------------------------------------------------------
#User configuration for Operations Manager agent – for a user with the name: monuser
### Bare minimum requirements to install/upgrade/remove SCX Agent on HP-UX ###
#Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing)
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c sh /tmp/scx-monuser/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-monuser; exit $EC
#One rule per architecture: a sudoers bracket expression matches exactly one character, so a single [ia64|parisc] pattern would never match a real depot name
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c uncompress -f /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].hpux.11iv[0-9].ia64.depot.Z;/usr/sbin/swinstall -s /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].hpux.11iv[0-9].ia64.depot scx; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c uncompress -f /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].hpux.11iv[0-9].parisc.depot.Z;/usr/sbin/swinstall -s /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].hpux.11iv[0-9].parisc.depot scx; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c cp /tmp/scx-monuser/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-monuser; /opt/microsoft/scx/bin/tools/scxadmin -restart
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c /usr/sbin/swremove scx
#Logfile monitoring
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p
###Examples
#Custom shell command monitoring example – replace <shell command> with the correct command string
#monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command>
#Daemon diagnostic and restart recovery tasks example (using cron)
#monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#monuser ALL=(root) NOPASSWD: /usr/sbin/cron &
#-----------------------------------------------------------------------------------
#User configuration for Operations Manager agent – for a user with the name: monuser
#Red Hat Enterprise Linux (rpm packaging)
#General requirements
Defaults:monuser !requiretty
#Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing)
monuser ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-monuser/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-monuser; /opt/microsoft/scx/bin/tools/scxadmin -restart
monuser ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-monuser/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /bin/sh -c rpm -e scx
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].rhel.[0-9].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].rhel.[0-9].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC
#Log file monitoring
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p
###Examples
#Custom shell command monitoring example – replace <shell command> with the correct command string
#monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command>
#Daemon diagnostic and restart recovery tasks example (using cron)
#monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#monuser ALL=(root) NOPASSWD: /usr/sbin/cron &
#-----------------------------------------------------------------------------------
#User configuration for Operations Manager agent – for a user with the name: monuser
#SUSE Linux Enterprise Server (rpm packaging)
#General requirements
Defaults:monuser !requiretty
#Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing)
monuser ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-monuser/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-monuser; /opt/microsoft/scx/bin/tools/scxadmin -restart
monuser ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-monuser/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /bin/sh -c rpm -e scx
#SLES 9
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].sles.9.x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].sles.9.x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC
#SLES 10 or 11
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].sles.1[0-1].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].sles.1[0-1].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC
#-----------------------------------------------------------------------------------
#User configuration for Operations Manager agent – for a user with the name: monuser
#Universal Linux (Debian-based distributions, dpkg packaging)
#General requirements
Defaults:monuser !requiretty
#Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing)
monuser ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-monuser/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-monuser; /opt/microsoft/scx/bin/tools/scxadmin -restart
monuser ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-monuser/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /bin/sh -c dpkg -P scx
#The Debian universal package is a .deb; dpkg -i cannot install an .rpm
monuser ALL=(root) NOPASSWD: /bin/sh -c dpkg -i /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].universald.1.x[6-8][4-6].deb; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC
#Log file monitoring
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p
#----------------------------------------------------------------------------------
#User configuration for Operations Manager agent – for a user with the name: monuser
#Universal Linux (RPM-based distributions)
#General requirements
Defaults:monuser !requiretty
#Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing)
monuser ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-monuser/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-monuser; /opt/microsoft/scx/bin/tools/scxadmin -restart
monuser ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-monuser/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /bin/sh -c rpm -e scx
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].universalr.[0-9].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].universalr.[0-9].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC
#----------------------------------------------------------------------------------
#User configuration for Operations Manager agent – for a user with the name: monuser
#Solaris (pkgadd/pkgrm packaging)
# Defaults specification
Defaults:monuser passwd_tries = 1, passwd_timeout = 1
##OS Discovery Script
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c sh /tmp/scx-monuser/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-monuser; exit $EC
#Agent install and upgrade
#Note: the * wildcards below match any text, including spaces and ";", so these rules let the account run arbitrary commands as root; grant them only for the install/upgrade window
#Solaris 9
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c echo -e "mail=*/usr/sbin/pkgadd -a /tmp/scx-monuser/scx -n -d /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].solaris.9.sparc.pkg MSFTscx;*exit $EC
#Solaris 10 or 11
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c echo -e "mail=*/usr/sbin/pkgadd -a /tmp/scx-monuser/scx -n -d /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].solaris.1[0-1].sparc.pkg MSFTscx;*exit $EC
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c echo -e "mail=*/usr/sbin/pkgadd -a /tmp/scx-monuser/scx -n -d /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].solaris.1[0-1].x86.pkg MSFTscx;*exit $EC
##Agent uninstall
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c rm -rf /tmp/scx-monuser;*/usr/sbin/pkgrm -a /tmp/scx-monuser/scx -n MSFTscx;*exit $EC
##Certificate signing
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c rm -rf /tmp/scx-monuser
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c cp /tmp/scx-monuser/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-monuser; /opt/microsoft/scx/bin/tools/scxadmin -restart
##Agent control
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/tools/scxadmin
##Log file monitoring
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p
These configurations apply to System Center 2012 - Operations Manager (the release before Service Pack 1). Several of the rules below put a * wildcard inside sh -c arguments (for example /usr/bin/sh -c echo *). In sudoers a * matches any sequence of characters, spaces and semicolons included, so such a rule lets the account run arbitrary commands as root. Grant these rules for the install or upgrade window only and remove them afterwards.
#AIX (installp/lpp packaging)
#General requirements
Defaults:monuser !requiretty
#Lower sudo password prompt timeout for the user
Defaults:monuser passwd_tries = 1, passwd_timeout = 1
#Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing)
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/tools/scxadmin
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c sh /tmp/scx-*/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-*; exit $EC
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c gzip -dqf /tmp/scx-*
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c echo *
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c /usr/sbin/installp -u scx
###Examples
#Custom shell command monitoring example – replace <shell command> with the correct command string
#monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command>
#Daemon diagnostic and restart recovery tasks example (using cron)
#monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#monuser ALL=(root) NOPASSWD: /usr/sbin/cron &
#HP-UX (swinstall/swremove packaging)
#General requirements
Defaults:monuser !requiretty
#Lower sudo password prompt timeout for the user
Defaults:monuser passwd_tries = 1, passwd_timeout = 1
#Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing)
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/tools/scxadmin
monuser ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-*/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-*; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c uncompress -f /tmp/scx-*
monuser ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /bin/sh -c echo *
monuser ALL=(root) NOPASSWD: /bin/sh -c /usr/sbin/swremove scx
#Daemon diagnostic and restart recovery tasks example (using cron)
#monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#monuser ALL=(root) NOPASSWD: /sbin/init.d/cron start
#End user configuration for Operations Manager agent
#-------------------------------------------------------------------------------
#RPM-based Linux (rpm packaging)
#Lower sudo password prompt timeout for the user
Defaults:monuser passwd_tries = 1, passwd_timeout = 1
#Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing)
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/tools/scxadmin
monuser ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-*/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-*; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force */scx-*
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force */scx-*
monuser ALL=(root) NOPASSWD: /bin/sh -c rpm -e scx
monuser ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /bin/sh -c echo *
#Log file monitoring
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p
###Examples
#Custom shell command monitoring example – replace <shell command> with the correct command string
#monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command>
#Daemon diagnostic and restart recovery tasks example (using cron)
#monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#monuser ALL=(root) NOPASSWD: /sbin/service cron start
#End user configuration for Operations Manager agent
#-----------------------------------------------------------------------------------
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/tools/scxadmin
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c sh /tmp/scx-*/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-*; exit $EC
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c echo *
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c rm -rf /tmp/scx-*
#Log file monitoring
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p
###Examples
#Custom shell command monitoring example – replace <shell command> with the correct command string
#monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command>
#Daemon diagnostic and restart recovery tasks example (using cron)
#monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#sudoers requires a fully qualified command path, and quotes are not part of the arguments sudo compares
#monuser ALL=(root) NOPASSWD: /bin/sh -c /etc/init.d/cron start
#End user configuration for Operations Manager agent
#-----------------------------------------------------------------------------------
The best way to troubleshoot authentication failures that may be related to the sudoers configuration is to inspect the sudo log on the agent host. Sudo logging is controlled in sudoers with the Defaults parameter logfile. For example, the line Defaults logfile=/var/log/sudolog enables sudo logging to the file /var/log/sudolog. Each refused request is recorded with a reason (command not allowed when no rule matched, or a message about a missing tty when !requiretty has not been set for the account, since the Operations Manager wizards run over SSH without one) together with the complete COMMAND string sudo tried to match; that string is what must match a rule in sudoers, either exactly or through the rule's wildcards.
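As an added example (not part of the original page), here is a small sh/awk filter that pulls the refused requests out of a log written by Defaults logfile, so the exact COMMAND string sudo tried to match can be put next to the sudoers rule it was meant to hit. The four log lines are constructed for the demo in the one-event-per-line layout that option produces (date : user : optional refusal message ; TTY= ; PWD= ; USER= ; COMMAND=); the function names sudo_denials and denial_count are this example's own, and the refusal messages in the sample are illustrative rather than copied from a real host.

```shell
#!/bin/sh
# Added example (not from the original page): extract refused sudo requests
# from a "Defaults logfile" log. Assumes the one-line layout
#   date : user : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=...
# Function names and the sample log are this example's own.

# sudo_denials FILE
# Prints "user<TAB>reason<TAB>command" for each entry that was not a
# successful elevation; successful entries have TTY= right after the user.
sudo_denials() {
    awk '
        {
            n = split($0, f, / : /)          # date, user, remainder
            if (n < 3) next
            user = f[2]
            rest = f[3]
            for (i = 4; i <= n; i++) rest = rest " : " f[i]
            if (rest ~ /^TTY=/) next         # allowed and executed
            reason = rest
            sub(/ ; .*$/, "", reason)        # text before the first " ; "
            i = index($0, "COMMAND=")
            cmd = (i > 0) ? substr($0, i + 8) : "(none)"
            print user "\t" reason "\t" cmd
        }' "$1"
}

# denial_count FILE -> number of refused requests
denial_count() {
    sudo_denials "$1" | wc -l | tr -d ' '
}

# Constructed sample: one allowed request, one rule miss, one requiretty
# refusal and one password failure by a different account.
DEMO_SUDOLOG=$(mktemp)
cat > "$DEMO_SUDOLOG" <<'EOF'
Mar  3 09:14:02 : monuser : TTY=unknown ; PWD=/home/monuser ; USER=root ; COMMAND=/opt/microsoft/scx/bin/scxlogfilereader -p
Mar  3 09:14:07 : monuser : command not allowed ; TTY=unknown ; PWD=/home/monuser ; USER=root ; COMMAND=/bin/sh -c sh /tmp/scx-monuser/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-monuser; exit $EC
Mar  3 09:15:31 : monuser : sorry, you must have a tty to run sudo ; TTY=unknown ; PWD=/home/monuser ; USER=root ; COMMAND=/opt/microsoft/scx/bin/tools/scxadmin -restart
Mar  3 09:16:40 : opsadmin : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/visudo
EOF

# Three refused entries are printed; the scxlogfilereader run is skipped.
sudo_denials "$DEMO_SUDOLOG"
```

A command not allowed entry whose COMMAND differs from the rule by a single character (a different shell path such as /bin/sh versus /usr/bin/sh, an extra space, a build number that falls outside the [0-9] classes) is the usual cause of a wizard failure; the comparison to make is between the logged string and the rule text, not between the rule and what was typed. An entry mentioning a tty means the !requiretty default is missing for the account.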
Chad Myslinsky edited Revision 17. Comment: Removed extra spaces... Changed "scx -1" to "scx-1"
Found that for Certificate Signing this may be missing:
monuser ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-svc-gmp-scomla/scx.pem \
/etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-svc-gmp-scomla; /opt/microsoft/scx/bin/tools/scxadmin -restart
I would like to warn OS administrators that the suggested permissions for the 'monuser' user are equivalent to the following line in /etc/sudoers:
monuser ALL=(root) NOPASSWD: ALL
Explanation:
Note that monuser can create folders and files in /tmp.
The following command actually gives monuser the possibility to run ANY script he wants as root. To do this he just needs to create his own /tmp/scx-monuser/GetOSVersion.sh script and execute the command above with sudo.
monuser ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-monuser/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-monuser; exit $EC
With the following command monuser can create his own rpm package (lpp for AIX, depot for HP-UX, pkg for Solaris) and install it as root with sudo.
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].rhel.[0-9].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC
So I would suggest enabling those commands only temporarily, during installation/upgrade of the SCOM agent.
For permanent sudo settings I use the following lines:
Defaults: monuser !requiretty
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/tools/*
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader