SCOM Sudoers Reference
NOTE: These example sudoers configurations are compatible with SCOM 2012 R2. There have been some minor changes to the *nix deployment kit names in SCOM 2016, and these changes have not been added below... YET.
If you would like to submit your additions for SCOM 2016, please do so in the comments and the community will thank you for it.
These are just examples. Use at your own risk. You are responsible for verifying the security of your environment. Always test in a non-production environment first.
Red Hat:
# -----------------------------------------------------------------------------------
# User configuration for Operations Manager agent – for a user with the name: SCOMNIXAccount
# General requirements
Defaults:SCOMNIXAccount !requiretty
# Agent maintenance (discovery, install, uninstall, upgrade, restart, certificate signing)
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-SCOMNIXAccount/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-SCOMNIXAccount; /opt/microsoft/scx/bin/tools/scxadmin -restart
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-SCOMNIXAccount/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c rpm -e scx
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].rhel.[0-9].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].rhel.[0-9].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC
# Log file monitoring
SCOMNIXAccount ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p
# Samples
## Custom shell command monitoring example – replace with the correct command string
#SCOMNIXAccount ALL=(root) NOPASSWD: /bin/bash -c
## Daemon diagnostic and restart recovery tasks example (using cron)
#SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#SCOMNIXAccount ALL=(root) NOPASSWD: /usr/sbin/cron &
# End user configuration for Operations Manager agent
# -----------------------------------------------------------------------------------
Solaris:
# -----------------------------------------------------------------------------------
# User configuration for Operations Manager agent – for a user with the name: SCOMNIXAccount
# General requirements
Defaults:SCOMNIXAccount passwd_tries = 1, passwd_timeout = 1
# Agent maintenance (discovery, install, uninstall, upgrade, restart, certificate signing)
SCOMNIXAccount ALL=(root) NOPASSWD: /usr/bin/sh -c sh /tmp/scx-SCOMNIXAccount/GetOSVersion.sh; EC=??; rm -rf /tmp/scx-SCOMNIXAccount; exit ?EC
## Solaris 9
SCOMNIXAccount ALL=(root) NOPASSWD: /usr/bin/sh -c echo -e "mail=*/usr/sbin/pkgadd -a /tmp/scx-SCOMNIXAccount/scx -n -d /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].solaris.9.sparc.pkg MSFTscx;*exit ?EC
## Solaris 10/11
SCOMNIXAccount ALL=(root) NOPASSWD: /usr/bin/sh -c echo -e "mail=*/usr/sbin/pkgadd -a /tmp/scx-SCOMNIXAccount/scx -n -d /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].solaris.1[0-1].sparc.pkg MSFTscx;*exit ?EC
SCOMNIXAccount ALL=(root) NOPASSWD: /usr/bin/sh -c echo -e "mail=*/usr/sbin/pkgadd -a /tmp/scx-SCOMNIXAccount/scx -n -d /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].solaris.1[0-1].x86.pkg MSFTscx;*exit ?EC
SCOMNIXAccount ALL=(root) NOPASSWD: /usr/bin/sh -c rm -rf /tmp/scx-SCOMNIXAccount;*/usr/sbin/pkgrm -a /tmp/scx-SCOMNIXAccount/scx -n MSFTscx;*exit ?EC
SCOMNIXAccount ALL=(root) NOPASSWD: /usr/bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
SCOMNIXAccount ALL=(root) NOPASSWD: /usr/bin/sh -c rm -rf /tmp/scx-SCOMNIXAccount
SCOMNIXAccount ALL=(root) NOPASSWD: /usr/bin/sh -c cp /tmp/scx-SCOMNIXAccount/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-SCOMNIXAccount; /opt/microsoft/scx/bin/tools/scxadmin -restart
SCOMNIXAccount ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/tools/scxadmin
# Log file monitoring
SCOMNIXAccount ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p
# Samples
## Custom shell command monitoring example – replace with the correct command string
#SCOMNIXAccount ALL=(root) NOPASSWD: /bin/bash -c
## Daemon diagnostic and restart recovery tasks example (using cron)
#SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#SCOMNIXAccount ALL=(root) NOPASSWD: /usr/sbin/cron &
# End user configuration for Operations Manager agent
# -----------------------------------------------------------------------------------
SUSE Enterprise:
# -----------------------------------------------------------------------------------
# User configuration for Operations Manager agent – for a user with the name: SCOMNIXAccount
# General requirements
Defaults:SCOMNIXAccount !requiretty
# Agent maintenance (discovery, install, uninstall, upgrade, restart, certificate signing)
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-SCOMNIXAccount/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-SCOMNIXAccount; /opt/microsoft/scx/bin/tools/scxadmin -restart
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-SCOMNIXAccount/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c rpm -e scx
## SuSE Linux Enterprise Server 9
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].sles.9.x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].sles.9.x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC
## SuSE Linux Enterprise Server 10/11/12
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].sles.1[0-2].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].sles.1[0-2].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC
# Log file monitoring
SCOMNIXAccount ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p
# Samples
## Custom shell command monitoring example – replace with the correct command string
#SCOMNIXAccount ALL=(root) NOPASSWD: /bin/bash -c
## Daemon diagnostic and restart recovery tasks example (using cron)
#SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#SCOMNIXAccount ALL=(root) NOPASSWD: /usr/sbin/cron &
# End user configuration for Operations Manager agent
# -----------------------------------------------------------------------------------
Universal: Debian, Ubuntu
# -----------------------------------------------------------------------------------
# User configuration for Operations Manager agent – for a user with the name: SCOMNIXAccount
# General requirements
Defaults:SCOMNIXAccount !requiretty
# Agent maintenance (discovery, install, uninstall, upgrade, restart, certificate signing)
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-SCOMNIXAccount/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-SCOMNIXAccount; /opt/microsoft/scx/bin/tools/scxadmin -restart
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-SCOMNIXAccount/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c dpkg -P scx
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c dpkg -i /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].universald.1.x[6-8][4-6].deb; EC=$?; cd /tmp; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC
# Log file monitoring
SCOMNIXAccount ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p
# Samples
## Custom shell command monitoring example – replace with the correct command string
#SCOMNIXAccount ALL=(root) NOPASSWD: /bin/bash -c
## Daemon diagnostic and restart recovery tasks example (using cron)
#SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#SCOMNIXAccount ALL=(root) NOPASSWD: /usr/sbin/cron &
# End user configuration for Operations Manager agent
# -----------------------------------------------------------------------------------
Universal: CentOS, Oracle Linux
# -----------------------------------------------------------------------------------
# User configuration for Operations Manager agent – for a user with the name: SCOMNIXAccount
# General requirements
Defaults:SCOMNIXAccount !requiretty
# Agent maintenance (discovery, install, uninstall, upgrade, restart, certificate signing)
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-SCOMNIXAccount/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-SCOMNIXAccount; /opt/microsoft/scx/bin/tools/scxadmin -restart
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-SCOMNIXAccount/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c rpm -e scx
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].universalr.[0-9].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].universalr.[0-9].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC
# Log file monitoring
SCOMNIXAccount ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p
# Samples
## Custom shell command monitoring example – replace with the correct command string
#SCOMNIXAccount ALL=(root) NOPASSWD: /bin/bash -c
## Daemon diagnostic and restart recovery tasks example (using cron)
#SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#SCOMNIXAccount ALL=(root) NOPASSWD: /usr/sbin/cron &
# End user configuration for Operations Manager agent
# -----------------------------------------------------------------------------------
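The install and upgrade rules above only authorize package file names that fit their glob exactly, so it is worth checking the kit files you actually deploy against them before rollout. The following is an added example, not part of the original post or of SCOM: it pulls the file-name globs out of three rules copied from this page and tests constructed sample names against them, assuming Python's `fnmatch` treats these bracket patterns the same way sudo's wildcard matching does.

```python
import fnmatch
import re

# Install/upgrade rules copied from the sections above (one per kit family).
SUDOERS = r"""
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].rhel.[0-9].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].universalr.[0-9].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC
SCOMNIXAccount ALL=(root) NOPASSWD: /bin/sh -c dpkg -i /tmp/scx-SCOMNIXAccount/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].universald.1.x[6-8][4-6].deb; EC=$?; cd /tmp; rm -rf /tmp/scx-SCOMNIXAccount; exit $EC
"""

# Constructed file names, for illustration only (not taken from a real kit).
SAMPLE_KITS = [
    "scx-1.5.1-256.rhel.7.x64.rpm",
    "scx-1.5.1-256.universald.1.x64.deb",
    "scx-1.6.10-2.universalr.1.x64.rpm",       # two-digit patch, one-digit build
    "omsagent-1.4.0-12.universalr.1.x64.rpm",  # prefix reported in the comments
    "scx-1.5.1-256.rhel.7.x75.rpm",            # not a real architecture tag
]

# Package path inside the agent's temporary directory, as used on this page.
KIT_GLOB = re.compile(r"/tmp/scx-[^/\s]+/(\S+?\.(?:rpm|deb|pkg))(?=[;\s]|$)")


def kit_patterns(sudoers_text):
    """Return the package file-name globs used by non-comment sudoers rules."""
    patterns = []
    for line in sudoers_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        patterns.extend(KIT_GLOB.findall(line))
    return patterns


def check_kits(sudoers_text, filenames):
    """Map each file name to the first glob that accepts it, or None."""
    patterns = kit_patterns(sudoers_text)
    result = {}
    for name in filenames:
        result[name] = next(
            (p for p in patterns if fnmatch.fnmatchcase(name, p)), None)
    return result


if __name__ == "__main__":
    for name, pattern in check_kits(SUDOERS, SAMPLE_KITS).items():
        print(f"{'ALLOWED' if pattern else 'NO RULE':8} {name}")
```

A kit that comes back with no rule will make the install prompt for a password or fail outright, and a name such as the `x75` sample being accepted shows that each bracket class matches one character independently, so the globs are wider than the two architecture tags they were written for.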
Disclaimer:
The code samples are not supported under any Microsoft standard support program or service. The code samples are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the code samples and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the code samples or documentation, even if Microsoft has been advised of the possibility of such damages.
Comments
- Anonymous
February 19, 2019
It looks like for 2016 most of the agent names are now prefixed with "omsagent-" rather than "scx-". Exceptions to this we see on our side (we only have a few installed) are Solaris and rhel.7 which still appear to use the "scx-" convention.
- Anonymous
February 19, 2019
@HS Brown: Thanks for the info!