Required Capabilities for UNIX and Linux Accounts
Updated: March 10, 2017
Applies To: System Center 2012 R2 Operations Manager, System Center 2012 - Operations Manager, System Center 2012 SP1 - Operations Manager
Access to UNIX and Linux computers in System Center 2012 – Operations Manager uses three Run as profiles. One profile is associated with an unprivileged account, while the other two are associated with a privileged account or an unprivileged account that is elevated by using sudo or su.
In the simplest case, a privileged account has capabilities equivalent to a UNIX and Linux root account, while an unprivileged account has capabilities equivalent to a normal user account. However, with some versions of UNIX and Linux, and when you use sudo for privilege elevation, you can assign more specific capabilities to accounts. In support of such specific assignments, the following table lists the specific capabilities required by accounts that are assigned to each of the three Run as profiles. These descriptions are somewhat generic because information, such as exact file system paths, can vary among different UNIX and Linux versions.
Note
The following table describes the required capabilities for accounts to communicate with the Operations Manager agent on a managed UNIX or Linux computer, but the agent itself must always run under the root account on the UNIX or Linux computer.
UNIX and Linux profile | Required capabilities |
---|---|
Action profile | - To log the UNIX or Linux computer on to the network, authenticated by the Pluggable Authentication Modules (PAM). Must have the ability to run a background shell (not connected to a TTY). Interactive logons are not required. - To read any log file that was specified as unprivileged when a custom log file monitor was created, plus the ability to run /opt/microsoft/scx/bin/scxlogfilereader. - To fully run any command shell command that was specified as unprivileged when a command-line monitor, rule, or task was created. Note: UNIX and Linux shell commands are saved to the /tmp directory, executed, and then removed from the /tmp directory. The /tmp directory requires exec privileges for using UNIX and Linux shell commands. - To run /usr/bin/vmstat for the Run VMStat task. |
Privileged profile | |
Agent maintenance profile, and for accounts used to install agents for initial monitoring. | |
Important Security Considerations
The Operations Manager Linux/UNIX agent uses the standard PAM (Pluggable Authentication Module) mechanism on the Linux or UNIX computer to authenticate the user name and password specified in the Action Profile and Privileged Profile. Any user name with a password that PAM authenticates can perform monitoring functions, including running command lines and scripts that collect monitoring data. Such monitoring functions are always performed in the context of that user name (unless sudo elevation is explicitly enabled for that user name), so the Operations Manager agent provides no more capability than if the user name were to log in to the Linux/UNIX system.
However, the PAM authentication used by the Operations Manager agent does not require that the user name have an interactive shell associated with it. If your Linux/UNIX account management practices include removing the interactive shell as a way to pseudo-disable an account, such removal does not prevent the account from being used to connect to the Operations Manager agent and perform monitoring functions. In these cases, you should use additional PAM configuration to ensure that these pseudo-disabled accounts do not authenticate to the Operations Manager agent.
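To find the accounts this caveat applies to, the following added example (not part of the original documentation or of Operations Manager) lists users whose shell has been removed but whose shadow password entry is still usable, which means PAM can still authenticate them. The function names and the embedded passwd, shadow, and shells text are constructed for illustration; on a real host the same function would be given the contents of /etc/passwd, /etc/shadow, and /etc/shells.

```python
# Added example: find accounts whose shell was removed but whose password still works.
# All passwd/shadow/shells text below is constructed sample data, not from a real host.
NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
monuser:x:1001:1001:monitoring:/home/monuser:/bin/bash
olduser:x:1002:1002:former staff:/home/olduser:/sbin/nologin
svcbackup:x:1003:1003:backup:/var/backup:/bin/false
lockeduser:x:1004:1004:locked:/home/lockeduser:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$6$salt$constructedAAAA:17000:0:99999:7:::
monuser:$6$salt$constructedBBBB:17000:0:99999:7:::
olduser:$6$salt$constructedCCCC:17000:0:99999:7:::
svcbackup:$6$salt$constructedDDDD:17000:0:99999:7:::
lockeduser:!$6$salt$constructedEEEE:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
"""
# Some distributions list nologin in /etc/shells, so that file alone is not enough.
SAMPLE_SHELLS = "# valid login shells\n/bin/sh\n/bin/bash\n/sbin/nologin\n"


def password_usable(field):
    """True if a supplied password could still match this shadow password field."""
    # A leading "!" or "*" locks the entry. An empty field is counted as usable
    # because pam_unix accepts it when configured with nullok.
    return not field.startswith(("!", "*"))


def pseudo_disabled_but_authenticable(passwd_text, shadow_text, shells_text):
    """Return users with a non-login shell whose password entry is not locked."""
    lines = (l.strip() for l in shells_text.splitlines())
    valid_shells = {l for l in lines if l and not l.startswith("#")}
    hashes = dict(l.split(":")[:2] for l in shadow_text.splitlines() if ":" in l)
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        user, shell = parts[0], parts[6] or "/bin/sh"  # empty shell defaults to /bin/sh
        no_shell = shell in NON_LOGIN_SHELLS or shell not in valid_shells
        if no_shell and user in hashes and password_usable(hashes[user]):
            findings.append(user)
    return findings


if __name__ == "__main__":
    print(pseudo_disabled_but_authenticable(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_SHELLS))
```

Each account it reports needs either its password locked or a deny rule in the PAM configuration that the agent uses.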
See Also
How to Set Credentials for Accessing UNIX and Linux Computers
Accessing UNIX and Linux Computers in Operations Manager
How to Configure sudo Elevation and SSH Keys
Credentials You Must Have to Access UNIX and Linux Computers
Configuring SSL Ciphers