...
General Changes required by both fapolicyd and noexec mounted /tmp (required by OMK Installers, but not by NMIS Installers):
```
# Create an install directory which we can use in a less restricted fashion to get OMK Applications installed and functioning
# - for this example we have chosen directory '/data/installs/':
sudo -i
mkdir -p /data/installs/

# Set an environment variable globally to accommodate the Perl::PAR module, which is used to create and execute OMK daemons and scripts, if needed:
# check the environment variable is not already set (should not return a reference to PAR_GLOBAL_TMPDIR if not set in this file):
cat /etc/environment
# check the environment variable is not already set in some other manner (should not return anything if PAR_GLOBAL_TMPDIR is not already exported):
echo "${PAR_GLOBAL_TMPDIR}"

# set up PAR_GLOBAL_TMPDIR if needed:
#
# IMPORTANT:
# If you require OMK scripts that don't explicitly require root privileges to be executable by users without root privileges:
# set PAR_GLOBAL_TMPDIR to a suitable directory outside of the OMK install directory (/usr/local/omk in this example);
# the OMK install directory currently has root as both owner and group by default,
# so users without root privileges won't have execute capability in the OMK install directory structure.
#
mkdir -p /usr/local/omk/var/lib/common/
# the directory just created is the chmod target (the path was missing from the original line):
chmod 1777 /usr/local/omk/var/lib/common/
echo 'PAR_GLOBAL_TMPDIR="/usr/local/omk/var/lib/common/"' >> /etc/environment
# reboot to get PAR_GLOBAL_TMPDIR exported globally if it needed to be set:
reboot
# check PAR_GLOBAL_TMPDIR is exported after reboot:
echo "${PAR_GLOBAL_TMPDIR}"
/usr/local/omk/var/lib/common/

# Unfortunately systemd services do not pick up this global environment variable, so each OMK systemd service needs to be edited:
# first we check the needed 'EnvironmentFile' entry is not already included with:
sudo systemctl cat omkd
# then, if necessary, edit the omkd service:
sudo systemctl edit omkd
# Ensure the service is configured to use the PAR_GLOBAL_TMPDIR environment variable as set in /etc/environment
# by adding the following entry to [Service]
# - add the [Service] section if it is not already present:
[Service]
EnvironmentFile=/etc/environment
# edit each OMK systemd service in this manner if needed, for example:
sudo systemctl edit opchartsd
sudo systemctl edit opconfigd
sudo systemctl edit opeventsd
sudo systemctl edit opflowd

# NMIS9 plugin SubnetImport.pm, which is executed by the nmis9d.service daemon, executes opcharts-cli.pl, so this service too
# needs to be configured to have the PAR_GLOBAL_TMPDIR environment variable in its environment, as set in /etc/environment:
#
# first we check the needed 'EnvironmentFile' entry is not already included with:
sudo systemctl cat nmis9d
# then, if necessary, edit the nmis9d service:
sudo systemctl edit nmis9d
# Ensure the service is configured to have the PAR_GLOBAL_TMPDIR environment variable in its environment, as set in /etc/environment
# by adding the following entry to [Service]
# - add the [Service] section if it is not already present
# - note the '=-' which instructs nmis9d.service not to fail on file /etc/environment not being found:
[Service]
EnvironmentFile=-/etc/environment

# reload the edited services
sudo systemctl daemon-reload
# restart the OMK services
sudo /path/to/omk/bin/checkomkdaemons.sh restart
# restart the nmis9d service
sudo systemctl restart nmis9d

# To ensure cron jobs read /etc/environment and pick up the environment variable PAR_GLOBAL_TMPDIR,
# prepend the following code to the command:
export $(/usr/bin/xargs < /etc/environment)||:;
# For example /etc/cron.d/opreports:
# was
# this cron schedule runs the opReports scheduler every 5 minutes
#
# m h dom month dow user command
*/5 * * * * root /usr/local/omk/bin/opreports-scheduler.exe
# and becomes
# this cron schedule runs the opReports scheduler every 5 minutes
#
# m h dom month dow user command
*/5 * * * * root export $(/usr/bin/xargs < /etc/environment)||:; /usr/local/omk/bin/opreports-scheduler.exe
```
fapolicyd Whitelisting Change (required by OMK Installers, but not by NMIS Installers):
```
# For setting new fapolicyd rules, please read:
# https://www.mankier.com/5/fapolicyd.rules
# For OMK services and scripts to function correctly we will need to add a rule to whitelist needed directories in fapolicyd
# such that root (uid=0) can execute scripts in the listed directories:
# - for this example we have chosen directory '/data/installs/' and /path/to/omk/ is /usr/local/omk/:
# Insert the following block of 3 rules immediately after the '%languages=' entry, making this the first rule in /etc/fapolicyd/fapolicyd.rules.
# See the paragraph further below, 'Debugging fapolicyd', for the method used to identify the additional two 'Fix' rules for RHEL8 in this case.
# The additional two 'Fix' rules may have a different 'path=/path/to/file.so' from those in this case.
# Please do follow the steps in the paragraph further below, 'Debugging fapolicyd', and debug for at least 24 hours to ensure your fapolicyd implementation is complete!

# OMK PAR
allow perm=any uid=0 : dir=/data/installs/,/usr/local/omk/bin/,/usr/local/omk/var/lib/common/,/data/omk/var/lib/common/,/usr/local/omk/lib/common/PAR/,/usr/local/omk/lib/.tmp/PAR/
# Fix "dec=deny_audit perm=execute auid=-1 pid=108878 exe=...opmantek.pl : path=/usr/lib64/ld-2.28.so ftype=application/x-sharedlib"
allow_audit perm=execute uid=0 : path=/usr/lib64/ld-2.28.so
# Fix "dec=deny_audit perm=open auid=-1 pid=27086 exe=/usr/local/omk/bin/opha-cli.exe : path=/usr/lib64/libpthread-2.28.so ftype=application/x-sharedlib"
allow_audit perm=execute uid=0 : path=/usr/lib64/libpthread-2.28.so

# Update fapolicyd with the additional rules we have inserted:
sudo fapolicyd-cli --update
# A reboot at this point is not absolutely necessary, but reinforces that settings are working as intended
sudo reboot
# restart the OMK services
sudo /usr/local/omk/bin/checkomkdaemons.sh restart
```
...
```
sudo systemctl stop fapolicyd
# For debugging fapolicyd, please read:
# https://www.mankier.com/8/fapolicyd
# ...
# --debug-deny
#   leave the daemon in the foreground for debugging. Event information is written to stderr only when the decision is to deny access.
sudo /usr/sbin/fapolicyd --debug-deny
Loaded 16 rules
Changed to uid 990
Initializing the database
fapolicyd integrity is 0
backend rpmdb registered
backend file registered
Loading rpmdb backend
Loading file backend
Checking database
Importing data from rpmdb backend
Importing data from file backend
Entries in DB: 28117
Loaded from all backends(without duplicates): 28117
Database checks OK
added /dev/shm mount point
added / mount point
added /var mount point
added /boot mount point
added /tmp mount point
added /data mount point
added /run/user/1000 mount point
Starting to listen for events
rule=15 dec=deny_audit perm=execute auid=-1 pid=2302 exe=/usr/local/omk/bin/opha-cli.exe : path=/tmp/par-726f6f74/cache-00548e237c0c0fdd9581d8236e7b57e47c9024b4/opha-cli.pl ftype=application/x-executable
rule=15 dec=deny_audit perm=execute auid=-1 pid=2303 exe=/usr/local/omk/bin/opreports-scheduler.exe : path=/tmp/par-726f6f74/cache-815c07b0877113fa7553963226f8855aa1160121/opreports-scheduler.exe ftype=application/x-executable
rule=15 dec=deny_audit perm=execute auid=-1 pid=2306 exe=/usr/local/omk/bin/opha-cli.exe : path=/tmp/par-726f6f74/cache-00548e237c0c0fdd9581d8236e7b57e47c9024b4/opha-cli.pl ftype=application/x-executable
rule=15 dec=deny_audit perm=execute auid=-1 pid=2542 exe=/usr/local/omk/bin/baseline.exe : path=/tmp/par-726f6f74/cache-62f960e7d5fb11c6bcbb34fba76fe5030b04477c/baseline.exe ftype=application/x-executable
rule=15 dec=deny_audit perm=execute auid=-1 pid=2695 exe=/usr/local/omk/bin/opreports-scheduler.exe : path=/tmp/par-726f6f74/cache-815c07b0877113fa7553963226f8855aa1160121/opreports-scheduler.exe ftype=application/x-executable
...
...
# When finished debugging, press CTRL+C to kill this foreground fapolicyd process:
^C
shutting down...
# I traced the above few issues returned while debugging to cron jobs not reading /etc/environment
# and therefore not picking up the environment variable PAR_GLOBAL_TMPDIR
# Here is the solution to this issue:
#
# To ensure cron jobs read /etc/environment and pick up the environment variable PAR_GLOBAL_TMPDIR,
# prepend the following code to the command:
export $(/usr/bin/xargs < /etc/environment)||:;
# For example /etc/cron.d/opreports:
# was
# this cron schedule runs the opReports scheduler every 5 minutes
#
# m h dom month dow user command
*/5 * * * * root /usr/local/omk/bin/opreports-scheduler.exe
# and becomes
# this cron schedule runs the opReports scheduler every 5 minutes
#
# m h dom month dow user command
*/5 * * * * root export $(/usr/bin/xargs < /etc/environment)||:; /usr/local/omk/bin/opreports-scheduler.exe
# Restart the fapolicyd service when debugging is finished:
sudo systemctl start fapolicyd
```
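The deny events above are the raw material for both the 'Fix' rules in the whitelisting block and the cron/systemd environment fix. As an added example (not OMK's own tooling), the shell helper below parses events in that format, separates PAR-in-/tmp denies (an environment problem, fixed by PAR_GLOBAL_TMPDIR reaching the caller) from other denies, and emits a least-privilege candidate rule for the latter for human review before it goes into /etc/fapolicyd/fapolicyd.rules. The sample event lines are constructed; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not part of the OMK documentation): triage helper for events
# written by 'fapolicyd --debug-deny'. Each deny event is either mapped to the
# PAR_GLOBAL_TMPDIR environment fix (PAR cache unpacked under /tmp) or turned
# into a candidate 'allow_audit' rule for a human to review. Sample lines are
# constructed to match the event format shown in the debugging output.

# Print the value of one key=value field from an event line ($1=line, $2=key).
field() {
    printf '%s\n' "$1" | sed -n "s/.*[ :]$2=\([^ ]*\).*/\1/p"
}

# Classify one event line; returns 1 and prints nothing for non-deny lines.
triage_deny() {
    local line=$1 path exe perm
    case $line in
        *dec=deny*) ;;
        *) return 1 ;;
    esac
    path=$(field "$line" path)
    exe=$(field "$line" exe)
    perm=$(field "$line" perm)
    case $path in
        /tmp/par-*)
            # PAR unpacked into /tmp because the caller lacked PAR_GLOBAL_TMPDIR
            # (cron job or systemd unit without EnvironmentFile=/etc/environment).
            printf 'ENV %s: %s unpacked to %s - set PAR_GLOBAL_TMPDIR for the caller\n' \
                "$perm" "$exe" "$path"
            ;;
        *)
            # Least-privilege candidate: the denied perm only, root only, exact path.
            printf 'RULE allow_audit perm=%s uid=0 : path=%s\n' "$perm" "$path"
            ;;
    esac
}

# Constructed sample of debug output: one startup line and two deny events.
SAMPLE_EVENTS='Starting to listen for events
rule=15 dec=deny_audit perm=execute auid=-1 pid=2302 exe=/usr/local/omk/bin/opha-cli.exe : path=/tmp/par-726f6f74/cache-00548e237c0c0fdd9581d8236e7b57e47c9024b4/opha-cli.pl ftype=application/x-executable
rule=15 dec=deny_audit perm=execute auid=-1 pid=108878 exe=/usr/local/omk/bin/opmantek.pl : path=/usr/lib64/ld-2.28.so ftype=application/x-sharedlib'

# Triage every line of the sample; non-deny lines are skipped.
printf '%s\n' "$SAMPLE_EVENTS" | while IFS= read -r event; do
    triage_deny "$event" || true
done
```

Pipe the real stderr of `fapolicyd --debug-deny` into the loop instead of the sample to triage a live debugging session; every RULE line still needs a human to confirm the path belongs to a package you trust.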
...