Using sudo Elevation in System Center 2012 - Operations Manager

A new feature for UNIX and Linux monitoring with System Center 2012 – Operations Manager is the ability to use sudo elevation in the discovery and agent ugprade wizards, as well as Run As accounts. This means that the root user is no longer needed for privileged monitoring (log file monitoring, script/command execution) and agent maintenance (installation, upgrade, and uninstallation). Information on configuring Operations Manager credentials to use sudo elevation can be found here.

In order to use sudo-enabled accounts for Operations Manager monitoring, the sudoers file must be configured (on each UNIX/Linux computer) to authorize elevation for the selected user account, using visudo.  General requirements for the accounts used by Operations Manager with sudo elevation are:

  • The sudoers option requiretty must be disabled for the user
  • For required commands, sudo authorization must be configured to allow the user to elevate to root, without password

Information on the rights and privileges required for Operations Manager activities can be found here.

Sample Configurations

The actual list of commands used for privileged monitoring or agent maintenance varies between platforms. The sample configurations below provide a user named “monuser” with the minimum necessary authorization to perform the following activities:

  • Discover and install the agent 
  • Sign the agent certificate
  • Upgrade the agent
  • Restart the agent (used in certificate signing and agent recovery)
  • Uninstall the agent
  • Read privileged log files

Commented lines in these configurations provide example syntax for use with custom command/script monitors, rules, or tasks (such as those created with the UNIX/Linux Shell Command monitoring templates), as well as daemon monitoring diagnostic and recovery tasks. 

System Center 2012 SP1 - Operations Manager

These configurations apply to System Center 2012 SP1 - Operations Manager. Example configurations for System Center 2012 - Operations Manager are listed in the next section.

AIX

#-----------------------------------------------------------------------------------
#User configuration for Operations Manager agent – for a user with the name: monuser

 #General requirements
Defaults:monuser !requiretty
 

#Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing)
monuser ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-monuser/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-monuser; /opt/microsoft/scx/bin/tools/scxadmin -restart
monuser ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-monuser/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /bin/sh -c /usr/sbin/installp -u scx
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c gzip -dqf /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].aix.[0-9].ppc.lpp.gz;/usr/sbin/installp -a -d /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].aix.[0-9].ppc.lpp scx; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC

#Log file monitoring
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p

###Examples
#Custom shell command monitoring example – replace <shell command> with the correct command string
#monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command>
 
#Daemon diagnostic and restart recovery tasks example (using cron)
#monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#monuser ALL=(root) NOPASSWD: /usr/sbin/cron & 
 

#End user configuration for Operations Manager agent

#----------------------------------------------------------------------------------- 

 

HP-UX

#-----------------------------------------------------------------------------------
#User configuration for Operations Manager agent – for a user with the name: monuser

#Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing)
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c sh /tmp/scx-monuser/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-monuser; exit $EC

#ia64
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c uncompress -f /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].hpux.11iv[0-9].ia64.depot.Z;/usr/sbin/swinstall -s /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].hpux.11iv[0-9].ia64.depot scx; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC

#parisc
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c uncompress -f /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].hpux.11iv[0-9].parisc.depot.Z;/usr/sbin/swinstall -s /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].hpux.11iv[0-9].parisc.depot scx; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC

monuser ALL=(root) NOPASSWD: /usr/bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c cp /tmp/scx-monuser/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-monuser; /opt/microsoft/scx/bin/tools/scxadmin -restart
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c /usr/sbin/swremove scx

#Logfile monitoring
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p

###Examples
#Custom shell command monitoring example – replace <shell command> with the correct command string
#monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command>
 
#Daemon diagnostic and restart recovery tasks example (using cron)
#monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#monuser ALL=(root) NOPASSWD: /usr/sbin/cron & 

 

#End user configuration for Operations Manager agent
#-----------------------------------------------------------------------------------

 

Linux - RHEL

#-----------------------------------------------------------------------------------
#User configuration for Operations Manager agent – for a user with the name: monuser

#General requirements
Defaults:monuser !requiretty
 
#Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing)
monuser ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-monuser/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-monuser; /opt/microsoft/scx/bin/tools/scxadmin -restart
monuser ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-monuser/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c  cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /bin/sh -c  rpm -e scx
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].rhel.[0-9].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].rhel.[0-9].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC

#Log file monitoring
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p

###Examples
#Custom shell command monitoring example – replace <shell command> with the correct command string
#monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command>
 
#Daemon diagnostic and restart recovery tasks example (using cron)
#monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#monuser ALL=(root) NOPASSWD: /usr/sbin/cron & 

 #End user configuration for Operations Manager agent
#-----------------------------------------------------------------------------------

 

Linux - SLES

#-----------------------------------------------------------------------------------
#User configuration for Operations Manager agent – for a user with the name: monuser

#General requirements
Defaults:monuser !requiretty
 
#Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing)
monuser ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-monuser/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-monuser; /opt/microsoft/scx/bin/tools/scxadmin -restart
monuser ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-monuser/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c  cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /bin/sh -c  rpm -e scx
#SLES 9
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].sles.9.x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].sles.9.x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC
#SLES 10 or 11
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].sles.1[0-1].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].sles.1[0-1].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC

#Log file monitoring
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p


###Examples
#Custom shell command monitoring example – replace <shell command> with the correct command string
#monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command>
 
#Daemon diagnostic and restart recovery tasks example (using cron)
#monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#monuser ALL=(root) NOPASSWD: /usr/sbin/cron & 

 

#End user configuration for Operations Manager agent
#-----------------------------------------------------------------------------------

 

Linux - Universal DEB (Debian, Ubuntu)

#-----------------------------------------------------------------------------------
#User configuration for Operations Manager agent – for a user with the name: monuser

#General requirements
Defaults:monuser !requiretty
 
#Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing)
monuser ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-monuser/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-monuser; /opt/microsoft/scx/bin/tools/scxadmin -restart
monuser ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-monuser/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /bin/sh -c dpkg -P scx
monuser ALL=(root) NOPASSWD: /bin/sh -c dpkg -i /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].universald.1.x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC

#Log file monitoring
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p

###Examples
#Custom shell command monitoring example – replace <shell command> with the correct command string
#monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command>
 
#Daemon diagnostic and restart recovery tasks example (using cron)
#monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#monuser ALL=(root) NOPASSWD: /usr/sbin/cron & 

 

#End user configuration for Operations Manager agent
#-----------------------------------------------------------------------------------

 

Linux - Universal RPM (CentOS, Oracle)

#----------------------------------------------------------------------------------
#User configuration for Operations Manager agent – for a user with the name: monuser

#General requirements
Defaults:monuser !requiretty
 
#Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing)
monuser ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-monuser/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-monuser; /opt/microsoft/scx/bin/tools/scxadmin -restart
monuser ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-monuser/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c  cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /bin/sh -c  rpm -e scx
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].universalr.[0-9].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].universalr.[0-9].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-monuser; exit $EC

#Log file monitoring
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p

###Examples
#Custom shell command monitoring example – replace <shell command> with the correct command string
#monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command>
 
#Daemon diagnostic and restart recovery tasks example (using cron)
#monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#monuser ALL=(root) NOPASSWD: /usr/sbin/cron & 

 

#End user configuration for Operations Manager agent
#-----------------------------------------------------------------------------------

 

Solaris

#----------------------------------------------------------------------------------
#User configuration for Operations Manager agent – for a user with the name: monuser


# Defaults specification
Defaults:monuser passwd_tries = 1, passwd_timeout = 1

##OS Discovery Script
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c sh /tmp/scx-monuser/GetOSVersion.sh; EC=??; rm -rf /tmp/scx-monuser; exit ?EC

#Agent install and upgrade
#Solaris 9
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c echo -e "mail=*/usr/sbin/pkgadd -a /tmp/scx-monuser/scx -n -d /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].solaris.9.sparc.pkg MSFTscx;*exit ?EC
#Solaris 10 or 11
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c echo -e "mail=*/usr/sbin/pkgadd -a /tmp/scx-monuser/scx -n -d /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].solaris.1[0-1].sparc.pkg MSFTscx;*exit ?EC
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c echo -e "mail=*/usr/sbin/pkgadd -a /tmp/scx-monuser/scx -n -d /tmp/scx-monuser/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].solaris.1[0-1].x86.pkg MSFTscx;*exit ?EC

##Agent uninstall
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c rm -rf /tmp/scx-monuser;*/usr/sbin/pkgrm -a /tmp/scx-monuser/scx -n MSFTscx;*exit ?EC

##Certificate signing
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c rm -rf /tmp/scx-monuser
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c cp /tmp/scx-monuser/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-monuser; /opt/microsoft/scx/bin/tools/scxadmin -restart

##Agent control
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/tools/scxadmin

##Log file monitoring
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p


#End user configuration for Operations Manager agent
#-----------------------------------------------------------------------------------

 

 

System Center 2012 - Operations Manager

These configurations apply to System Center 2012 - Operations Manager

AIX

#-----------------------------------------------------------------------------------
#User configuration for Operations Manager agent – for a user with the name: monuser

#General requirements
Defaults:monuser !requiretty

#Lower sudo password prompt timeout for the user
Defaults:monuser passwd_tries = 1, passwd_timeout = 1

#Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing)
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/tools/scxadmin
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c sh /tmp/scx-*/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-*; exit $EC
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c gzip -dqf /tmp/scx-*
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c echo *
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c /usr/sbin/installp -u scx

###Examples
#Custom shell command monitoring example – replace <shell command> with the correct command string
#monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command>

#Daemon diagnostic and restart recovery tasks example (using cron)
#monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#monuser ALL=(root) NOPASSWD: /usr/sbin/cron &

#End user configuration for Operations Manager agent
#-----------------------------------------------------------------------------------

 

HP-UX

#-----------------------------------------------------------------------------------
#User configuration for Operations Manager agent – for a user with the name: monuser

#General requirements
Defaults:monuser !requiretty

#Lower sudo password prompt timeout for the user
Defaults:monuser passwd_tries = 1, passwd_timeout = 1

#Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing)
monuser ALL=(root)      NOPASSWD: /opt/microsoft/scx/bin/tools/scxadmin
monuser ALL=(root)      NOPASSWD: /bin/sh -c sh /tmp/scx-*/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-*; exit $EC
monuser ALL=(root)      NOPASSWD: /bin/sh -c uncompress -f /tmp/scx-*
monuser ALL=(root)      NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root)      NOPASSWD: /bin/sh -c echo *
monuser ALL=(root)      NOPASSWD: /bin/sh -c /usr/sbin/swremove scx

###Examples
#Custom shell command monitoring example – replace <shell command> with the correct command string
#monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command>

#Daemon diagnostic and restart recovery tasks example (using cron)
#monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#monuser ALL=(root) NOPASSWD: /sbin/init.d/cron start

#End user configuration for Operations Manager agent
#-------------------------------------------------------------------------------


Linux

#-----------------------------------------------------------------------------------
#User configuration for Operations Manager agent – for a user with the name: monuser

#General requirements
Defaults:monuser !requiretty

#Lower sudo password prompt timeout for the user
Defaults:monuser passwd_tries = 1, passwd_timeout = 1
 
#Agent maintenance (discovery, install, uninstall, upgrade, restart, cert signing)
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/tools/scxadmin
monuser ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-*/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-*; exit $EC
monuser ALL=(root) NOPASSWD: /bin/sh -c  /bin/rpm -U --force */scx-*
monuser ALL=(root) NOPASSWD: /bin/sh -c  /bin/rpm -F --force */scx-*
monuser ALL=(root) NOPASSWD: /bin/sh -c  rpm -e scx
monuser ALL=(root) NOPASSWD: /bin/sh -c  cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /bin/sh -c  echo *
 
#Log file monitoring
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p

###Examples
#Custom shell command monitoring example – replace <shell command> with the correct command string
#monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command>
 
#Daemon diagnostic and restart recovery tasks example (using cron)
#monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#monuser ALL=(root) NOPASSWD: /sbin/service cron start
 
#End user configuration for Operations Manager agent
#-----------------------------------------------------------------------------------

 

 

Solaris

#-----------------------------------------------------------------------------------
#User configuration for Operations Manager agent – for a user with the name: monuser

#General requirements
Defaults:monuser !requiretty

#Lower sudo password prompt timeout for the user
Defaults:monuser passwd_tries = 1, passwd_timeout = 1

Monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/tools/scxadmin
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c sh /tmp/scx-*/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-*; exit $EC
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c echo *
monuser ALL=(root) NOPASSWD: /usr/bin/sh -c rm -rf /tmp/scx-*
 
#Log file monitoring
monuser ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p

###Examples
#Custom shell command monitoring example – replace <shell command> with the correct command string
#monuser ALL=(root) NOPASSWD: /bin/bash -c <shell command>
 
#Daemon diagnostic and restart recovery tasks example (using cron)
#monuser ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#monuser ALL=(root) NOPASSWD: sh -c '/etc/init.d/cron start'
 
#End user configuration for Operations Manager agent
#-----------------------------------------------------------------------------------

 

Troubleshooting


Sudo log

The best way to troubleshoot authentication failures that may be related to sudoers configuration is to inspect the sudo log on the agent host.  Sudo logging is controlled in sudoers, with the Defaults parameter logfile.  For example, the line: Defaults logfile=/var/log/sudolog enables sudo logging to the file /var/log/sudolog.

Password Prompts and Timeouts


Operations Manager’s use of sudo elevation requires passwordless elevation. By default, sudo will prompt for a password if a command is not configured with NOPASSWD for the user (this may happen if a specific command was not configured for the user, or if the NOPASSWD option was not set). It is recommended that you configure the following option in sudoers for the user account: Defaults:monuser passwd_tries = 1, passwd_timeout = 1. This example sets a one minute password prompt timeout for the user monuser, which allows the command to fail quickly if a sudo configuration problem exists.