Foglight Agent Manager 5.8.5.7 - Foglight Agent Manager Guide

Using sudo to configure secure launcher permissions

Using sudo to configure secure launcher permissions

This section contains instructions for using sudo to give agents elevated permissions.

To set up secure launcher permissions using the configuration interface and sudo:

1	Follow the instructions in To launch the Agent Manager Installation and Configuration interface: or To launch the Agent Manager configuration command-line interface: .

2	Navigate to the Configure Secure Launcher or Secure Launcher step.

3	Set the path to point to the sudo executable. This executable is typically located in /usr/bin/sudo (the default path provided by the Agent Manager installer).

4	Exit from the configuration interface as described in To launch the Agent Manager Installation and Configuration interface: or To launch the Agent Manager configuration command-line interface: .

5	Edit the sudoers file for your system to allow <fglam_home>/client/<fglam_version>/bin/fog4_launcher to be run as root by a specific user, without requiring a password, and only for the agents that require root privileges.

For example, to allow the user foglight to execute fog4_launcher for two specific agents without being prompted for a password:

foglight    ALL = NOPASSWD:  \

/<fglam_home>/client/*/bin/fog4_launcher /<fglam_home>/state/default/<cartridge>/*/bin/<agent> ?*@?* bin/<agent>, \

/<fglam_home>/client/*/bin/fog4_launcher /<fglam_home>/state/default/<cartridge>/*/bin/<agent2> ?*@?* bin/<agent2>

The example above also limits the acceptable arguments to match the expected pattern when the Agent Manager runs the agents.

6	Ensure that the requiretty option is disabled in the sudoers file. For example, to disable this option for the foglight user, add the following entry to the file:

Defaults:foglight !requiretty

7	If the agent uses an ICMP ping service, edit the sudoers file for your system to allow <fglam_home>/client/*/bin/udp2icmp to be run as root by a specific user, without requiring a password.

For detailed examples of how to edit the sudoers file to restrict the granted permissions to a specific set of agents, see the Foglight for Infrastructure User and Reference Guide.

 

TIP: For sudo configuration, it is a best practice to use a wildcard for the version-specific Agent Manager and cartridge directories, as shown in the example above. Using a wildcard in a path is described in the Sudoers Manual located at: http://www.gratisoft.us/sudo/man/sudoers.html#wildcards Using a wildcard for the version-specific directories allows you to avoid updating each sudoers file that references these directories when you upgrade the Agent Manager or the agents.

If these permissions are no longer needed, remove the lines that you added to run fog4_launcher or udp2icmp with root permissions.

To set up secure launcher permissions using fglam.config.xml and sudo:

1	Navigate to <fglam_home>/state/default/config.

2	Open the fglam.config.xml file for editing.

3	Edit the <config:path> element under <config:secure-launcher> to point to the sudo executable. This executable is typically located in /usr/bin/sudo (the default path provided by the Agent Manager installer).

4	Edit the sudoers file for your system to allow <fglam_home>/client/<fglam_version>/bin/fog4_launcher to run as root by a specific user, without requiring a password, and only for the agents that require root privileges.

For example, to allow the user foglight to execute fog4_launcher for two specific agents without being prompted for a password:

foglight    ALL = NOPASSWD:  \

/<fglam_home>/client/*/bin/fog4_launcher /<fglam_home>/state/default/<cartridge>/*/bin/<agent> ?*@?* bin/<agent>, \

/<fglam_home>/client/*/bin/fog4_launcher /<fglam_home>/state/default/<cartridge>/*/bin/<agent2> ?*@?* bin/<agent2>

The example above also limits the acceptable arguments to match the expected pattern when the Agent Manager runs the agents.

5	If the agent uses an ICMP ping service, edit the sudoers file for your system to allow <fglam_home>/client/*/bin/udp2icmp to be run as root by a specific user, without requiring a password.

See the Managing Operating Systems User Guide for detailed examples of how to edit the sudoers file to restrict the granted permissions to a specific set of agents.

 

TIP: For sudo configuration, it is a best practice to use a wildcard for the version-specific Agent Manager and cartridge directories, as shown in the example above. Using a wildcard in a path is described in the Sudoers Manual located at: http://www.gratisoft.us/sudo/man/sudoers.html#wildcards Using a wildcard for the version-specific directories allows you to avoid updating each sudoers file that references these directories when you upgrade the Agent Manager or the agents.

Using setuid_launcher to configure secure launcher permissions

Using setuid_launcher to configure secure launcher permissions

This section contains instructions for using setuid_launcher to give agents elevated permissions.

To set up secure launcher permissions using the configuration interface and setuid_launcher:

1	Follow the instructions in To launch the Agent Manager Installation and Configuration interface: or To launch the Agent Manager configuration command-line interface: .

2	Navigate to the Configure Secure Launcher screen or the Secure Launcher step.

3	Set the path to point to the setuid_launcher executable. This executable is located in <fglam_home>/bin/setuid_launcher.

4	Exit from the configuration interface as described in To launch the Agent Manager Installation and Configuration interface: or To launch the Agent Manager configuration command-line interface: .

5	Use the command chmod u+s to set the sticky bit on <fglam_home>/bin/setuid_launcher.

6	Change the owner of <fglam_home>/bin/setuid_launcher to root. This permits the agents that need root privileges to be run as the root user without requiring a password.

If these permissions are no longer needed, issue the following command:

chmod u-s <fglam_home>/bin/setuid_launcher

To set up secure launcher permissions using fglam.config.xml and setuid_launcher:

1	Navigate to <fglam_home>/state/default/config.

2	Open the fglam.config.xml file for editing.

3	Edit the <config:path> element under <config:secure-launcher> to point to your local setuid_launcher executable. This executable is located in <fglam_home>/bin/setuid_launcher.

4	Issue the command chmod u+s to set the sticky bit on <fglam_home>/bin/setuid_launcher.

5	Change the owner of <fglam_home>/bin/setuid_launcher to root. This permits the agents that need root privileges to be run as the root user without requiring a password.

6	If these permissions are no longer needed, issue the command:

chmod u-s <fglam_home>/bin/setuid_launcher

Using the HP patch checking tool

If your database is installed on an HP-UX server, HP® provides a tool for ensuring that all the patches required to run JavaTM on HP-UX are installed.

The tool is available from http://www.hp.com/go/java.

To use the tool, issue the following command:

java -jar ./HPjconfig.jar -nogui -patches -listmis -javavers 6.0

About Agent Manager installations on AIX

About Agent Manager installations on AIX

On newly installed AIX® systems, the base operating system can be further customized by the install_assist program provided by IBM®. By default, this program is listed in the /etc/inittab file so that it starts automatically when the system is started.

When install_assist runs automatically, it can interfere with the Agent Manager startup scripts that are installed in /etc/rc.d/rc2.d, and with other startup scripts, such as those provided by OpenSSH.

To prevent install_assist from starting automatically:

1	Edit the /etc/inittab file.

 

TIP: You can edit the file directly, or by running the following command as root: # rmitab install_assist

2	Remove the following line from the /etc/inittab file:

install_assist:2:wait:/usr/sbin/install_assist </dev/console >/dev/console 2>&1