How to configure SUDOERS file for SCOM monitoring

If you have ever seen this picture, then you have at least once searched for the word sudo or sudoers in your lifetime.

 

In this blog I will explain:

  1. What is sudo command?
  2. What is sudoers file?
  3. How to configure the sudoers file for SCOM monitoring?

What is sudo command?

The sudo (Super User DO) command in Linux is used as a prefix to any command that only the superuser is allowed to run.

If you prefix any command with “sudo”, it runs that command with elevated privileges; in other words, it allows a user with the proper permissions to execute a command as another user, such as the superuser.

This is roughly equivalent to “Run as Administrator” in Windows.

 

What is sudoers file?

The sudoers file contains the privilege information for the different users and groups on the server.

Users who are to use the sudo command need to have an entry in the sudoers file, located at “/etc/sudoers”.

To edit the sudoers file, it is recommended to use the “visudo” command, which locks the file and checks its syntax before saving.

 

How to configure the sudoers file for SCOM monitoring?

 

First, we need to configure the sudoers file on a UNIX machine to use low-privilege permissions for SCOM monitoring.

 

Note: If you are using ROOT account, there is NO need to configure the sudoers file.

Let me show you the steps involved.

 

Step 1: Create two users in any UNIX box. I am using scxmon and scxmaint. I am also using RHEL 8.

 

Step 2: From the link provided below, copy the section that matches the flavor of UNIX box you are using into Notepad/Notepad++. For RHEL 8 we have to use the Universal section.

 

Note: Choose the appropriate section for your version of UNIX.

https://social.technet.microsoft.com/wiki/contents/articles/7375.scom-2019-1807-1801-2016-and-2012-configuring-sudo-elevation-for-unix-and-linux-monitoring.aspx#Linux_Universal_DEB_RPM_Debian_Ubuntu_CentOS_Oracle

Step 3: Replace scxadm with scxmaint and scxuser with scxmon.

 

Alert!! If you have never used the vi editor, ask your UNIX administrator to handle this part. Misconfiguring your sudoers file can have catastrophic effects.

Step 4: Open the sudoers file with the command visudo

 

Step 5: Press the INSERT key to go into insert mode.

 

Step 6: Hit the DOWN arrow to navigate almost to the end of the sudoers file and paste the lines from Step 3. It should look like this.

 

Step 7: Hit the ESCAPE button and type :wq to save and exit the file.

 

Step 8: Run the two commands below to check the permissions for the two users.

 

sudo -l -U scxmaint
sudo -l -U scxmon

 

I know that the naming convention of the Run As Profiles, as well as the elevation we need to set in the Run As Accounts, is not very user friendly. Let me help you with that.

 

Step 9: Create the Run As Account for UNIX/LINUX. We need 3 of them: monitoring, privilege and agent maintenance.

 

1. Monitoring Account

 

 

2. Maintenance Account

 

3. Privilege Account

Yes, we need a monitoring account for the privilege account.

Step 10: Associate the Run As Account for UNIX/LINUX monitoring, privilege and agent maintenance to the respective Run As Profiles.

1. UNIX/LINUX Action Account Profile

 

2. UNIX/LINUX Agent Maintenance Account Profile


 

3. UNIX/LINUX Privileged Account Profile

You should be good to go now to use those accounts in your discovery as well as monitoring.

 

Important points to keep in mind!

  1. DO NOT copy the sudoers content directly from the Internet. Doing so can replace a few characters with unknown symbols.
  2. sudo effectively reads the sudoers file bottom up: when more than one entry matches, the last match is used. That means if a group that the SCOM users are part of is listed somewhere further down with different permissions, you might not see your permissions taking effect.
  3. SCOM needs NOPASSWD to run the commands non-interactively.
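
The three points above can be checked on a saved copy of the fragment before it is pasted in with visudo. The script below is an added example, not part of the original post or of Microsoft's wiki; the account names are the ones used in this post, while the command paths, the group name %opsteam and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Account names are the post's;
# the command paths and the group name are constructed.

# 0 if FILE holds only printable ASCII, spaces and tabs. Curly quotes,
# non-breaking spaces and Windows CR line endings fail and are shown.
has_clean_bytes() {
    ! LC_ALL=C grep -n '[^[:print:][:blank:]]' "$1" >&2
}

# 0 if USER has at least one rule in FILE and each one carries NOPASSWD:.
# Assumes one rule per line (no backslash continuations).
all_rules_nopasswd() {
    rules=$(grep -E "^$2[[:space:]]" "$1") || return 1
    ! printf '%s\n' "$rules" | grep -v 'NOPASSWD:' >&2
}

# Print line numbers of %group rules placed after USER's last rule. sudo uses
# the last matching entry, so these win if the account is in that group.
later_group_rules() {
    awk -v u="$2" '
        $1 == u { seen = 1; n = 0 }      # restart at each rule for USER
        /^%/    { if (seen) hits[++n] = NR }
        END     { for (i = 1; i <= n; i++) printf "%s%s", (i > 1 ? " " : ""), hits[i]
                  if (n) print "" }
    ' "$1"
}

# Constructed sample; \342\200\234 and \342\200\235 are UTF-8 curly quotes.
sample=$(mktemp)
{
    echo 'Defaults:scxmon !requiretty'
    echo 'scxmon ALL=(root) NOPASSWD: /usr/local/bin/example-check'
    printf 'scxmaint ALL=(root) /bin/sh -c \342\200\234example\342\200\235\n'
    echo '%opsteam ALL=(ALL) ALL'
} > "$sample"

has_clean_bytes "$sample" || echo "non-ASCII or CR bytes found (lines above)"
for u in scxmon scxmaint; do
    all_rules_nopasswd "$sample" "$u" || echo "$u: rule missing or lacks NOPASSWD"
    later=$(later_group_rules "$sample" "$u")
    [ -z "$later" ] || echo "$u: review %group rules on line(s) $later"
done
rm -f "$sample"
```

Once these checks pass, `visudo -c -f <file>` validates the syntax of the fragment itself.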

Take Away

  1. Configuring the sudoers file is required if you want to use least privilege permissions for UNIX/LINUX monitoring in SCOM.
  2. Always use the right sudoers configuration from our Wiki. Make sure you are using the right flavor of UNIX and the right SCOM version while copying the sudoers configuration.
  3. Configuring the Run As Account and Run As Profile is as important as configuring the sudoers file.

Thanks!!

 

Explore, Learn, Share, Repeat!

 
