다음을 통해 공유


SCOM Sudoers Reference

 

NOTE: These example sudoers configurations are compatible with SCOM 2012 R2. There have been some minor changes to the nix deployment kit names in SCOM 2016 and these changes have not been added below... YET.

If you would like to submit your additions for SCOM 2016, please do so in the comments and the community will thank you for it.

These are just examples. Use at your own risk. You are responsible for verifying the security of your environment. Always test in non-production environment first.

 

Redhat:
# -----------------------------------------------------------------------------------

# User configuration for Operations Manager agent – for a user with the name: SCOMNIXAccount
# General requirements

Defaults:SCOMNIXAccount !requiretty
# Agent maintenance (discovery, install, uninstall, upgrade, restart, certificate signing

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-SCOMNIXAccount/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-SCOMNIXAccount; /opt/microsoft/scx/bin/tools/scxadmin -restart

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-SCOMNIXAccount/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c rpm -e scx

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].rhel.[0-9].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].rhel.[0-9].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC
# Log file monitoring

SCOMNIXAccount ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p
# Samples

## Custom shell command monitoring example – replace with the correct command string

#SCOMNIXAccount ALL=(root) NOPASSWD: /bin/bash -c
## Daemon diagnostic and restart recovery tasks example (using cron)

#SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep

#SCOMNIXAccount ALL=(root) NOPASSWD: /usr/sbin/cron &
# End user configuration for Operations Manager agent

# -----------------------------------------------------------------------------------

 

Solaris:
# -----------------------------------------------------------------------------------

# User configuration for Operations Manager agent – for a user with the name: SCOMNIXAccount
# General requirements

Defaults:SCOMNIXAccount passwd_tries = 1, passwd_timeout = 1
# Agent maintenance (discovery, install, uninstall, upgrade, restart, certificate signing

SCOMNIXAccount ALL=(root) NOPASSWD: /usr/bin/sh -c sh /tmp/scx-SCOMNIXAccount/GetOSVersion.sh; EC=??; rm -rf /tmp/scx-SCOMNIXAccount; exit ?EC
## Solaris 9

SCOMNIXAccount ALL=(root) NOPASSWD: /usr/bin/sh -c echo -e "mail=*/usr/sbin/pkgadd -a /tmp/scx-SCOMNIXAccount/scx -n -d /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].solaris.9.sparc.pkg MSFTscx;*exit ?EC
## Solaris 10/11

SCOMNIXAccount ALL=(root) NOPASSWD: /usr/bin/sh -c echo -e "mail=*/usr/sbin/pkgadd -a /tmp/scx-SCOMNIXAccount/scx -n -d /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].solaris.1[0-1].sparc.pkg MSFTscx;*exit ?EC

SCOMNIXAccount ALL=(root) NOPASSWD: /usr/bin/sh -c echo -e "mail=*/usr/sbin/pkgadd -a /tmp/scx-SCOMNIXAccount/scx -n -d /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].solaris.1[0-1].x86.pkg MSFTscx;*exit ?EC
SCOMNIXAccount ALL=(root) NOPASSWD: /usr/bin/sh -c rm -rf /tmp/scx-SCOMNIXAccount;*/usr/sbin/pkgrm -a /tmp/scx-SCOMNIXAccount/scx -n MSFTscx;*exit ?EC
SCOMNIXAccount ALL=(root) NOPASSWD: /usr/bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem

SCOMNIXAccount ALL=(root) NOPASSWD: /usr/bin/sh -c rm -rf /tmp/scx-SCOMNIXAccount

SCOMNIXAccount ALL=(root) NOPASSWD: /usr/bin/sh -c cp /tmp/scx-SCOMNIXAccount/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-SCOMNIXAccount; /opt/microsoft/scx/bin/tools/scxadmin -restart

SCOMNIXAccount ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/tools/scxadmin
# Log file monitoring

SCOMNIXAccount ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p
# Samples

## Custom shell command monitoring example – replace with the correct command string

#SCOMNIXAccount ALL=(root) NOPASSWD: /bin/bash -c
## Daemon diagnostic and restart recovery tasks example (using cron)

#SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep

#SCOMNIXAccount ALL=(root) NOPASSWD: /usr/sbin/cron &
# End user configuration for Operations Manager agent

# -----------------------------------------------------------------------------------

 

SUSE Enterprise
# -----------------------------------------------------------------------------------

# User configuration for Operations Manager agent – for a user with the name: SCOMNIXAccount
# General requirements

Defaults:SCOMNIXAccount !requiretty
# Agent maintenance (discovery, install, uninstall, upgrade, restart, certificate signing

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-SCOMNIXAccount/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-SCOMNIXAccount; /opt/microsoft/scx/bin/tools/scxadmin -restart

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-SCOMNIXAccount/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c rpm -e scx
## SuSE Linux Enterprise Server 9

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].sles.9.x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].sles.9.x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC
## SuSE Linux Enterprise Server 10/11/12

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].sles.1[0|1|2].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].sles.1[0|1|2].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC
# Log file monitoring

SCOMNIXAccount ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p
# Samples

## Custom shell command monitoring example – replace with the correct command string

#SCOMNIXAccount ALL=(root) NOPASSWD: /bin/bash -c
## Daemon diagnostic and restart recovery tasks example (using cron)

#SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep

#SCOMNIXAccount ALL=(root) NOPASSWD: /usr/sbin/cron &
# End user configuration for Operations Manager agent

# -----------------------------------------------------------------------------------

 

Universal: Debian, Ubuntu
# -----------------------------------------------------------------------------------

# User configuration for Operations Manager agent – for a user with the name: SCOMNIXAccount
# General requirements

Defaults:SCOMNIXAccount !requiretty
# Agent maintenance (discovery, install, uninstall, upgrade, restart, certificate signing

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-SCOMNIXAccount/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-SCOMNIXAccount; /opt/microsoft/scx/bin/tools/scxadmin -restart

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-SCOMNIXAccount/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c dpkg -P scx

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c dpkg -i /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].universald.1.x[6-8][4-6].deb; EC=$?; cd /tmp; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC
# Log file monitoring

SCOMNIXAccount ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p
# Samples

## Custom shell command monitoring example – replace with the correct command string

#SCOMNIXAccount ALL=(root) NOPASSWD: /bin/bash -c
## Daemon diagnostic and restart recovery tasks example (using cron)

#SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep

#SCOMNIXAccount ALL=(root) NOPASSWD: /usr/sbin/cron &
# End user configuration for Operations Manager agent

# -----------------------------------------------------------------------------------

 

Universal: Centos, Oracle Linux
# -----------------------------------------------------------------------------------

# User configuration for Operations Manager agent – for a user with the name: SCOMNIXAccount
# General requirements

Defaults:SCOMNIXAccount !requiretty
# Agent maintenance (discovery, install, uninstall, upgrade, restart, certificate signing

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-SCOMNIXAccount/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-SCOMNIXAccount; /opt/microsoft/scx/bin/tools/scxadmin -restart

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-SCOMNIXAccount/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c rpm -e scx

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].universalr.[0-9].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC

SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].universalr.[0-9].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC
# Log file monitoring

SCOMNIXAccount ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p
# Samples

## Custom shell command monitoring example – replace with the correct command string

#SCOMNIXAccount ALL=(root) NOPASSWD: /bin/bash -c
## Daemon diagnostic and restart recovery tasks example (using cron)

#SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep

#SCOMNIXAccount ALL=(root) NOPASSWD: /usr/sbin/cron &
# End user configuration for Operations Manager agent

# -----------------------------------------------------------------------------------

 

 

Disclaimer:

The code samples are not supported under any Microsoft standard support program or service. The code samples are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the code samples and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the code samples or documentation, even if Microsoft has been advised of the possibility of such damages.

Comments

  • Anonymous
    February 19, 2019
    It looks like for 2016 most of the agent names are now prefixed with "omsagent-" rather than "scx-". Exceptions to this we see on our side (we only have a few installed) are Solaris and rhel.7 which still appear to use the "scx-" convention.
    • Anonymous
      February 19, 2019
      @HS Brown: Thanks for the info!