...
General Changes required by both fapolicyd and noexec mounted /tmp (required by OMK Installers, but not by NMIS Installers):
```bash
# Create an install directory which we can use in a less restricted fashion to get OMK Applications installed and functioning
# - for this example we have chosen directory '/data/installs/':
sudo -i mkdir -p /data/installs/

# Set an environment variable globally to accommodate the Perl::PAR module, which is used to create and execute OMK daemons and scripts, if needed:
# check the environment variable is not already set (should not return a reference to PAR_GLOBAL_TMPDIR if not set in this file):
cat /etc/environment
# check the environment variable is not already set in some other manner (should not return anything if PAR_GLOBAL_TMPDIR is not already exported):
echo "${PAR_GLOBAL_TMPDIR}"

# set up PAR_GLOBAL_TMPDIR if needed:
#
# IMPORTANT:
# If you require OMK scripts that don't explicitly require root privileges to be executable by users without root privileges:
# Set PAR_GLOBAL_TMPDIR to a suitable directory outside of the OMK install directory (/usr/local/omk in this example);
# The OMK install directory currently has root as both owner and group by default.
# Users without root privileges won't therefore have execute capability in the OMK install directory structure.
#
mkdir -p /usr/local/omk/var/lib/common/
chmod 1777 /usr/local/omk/var/lib/common/
echo 'PAR_GLOBAL_TMPDIR="/usr/local/omk/var/lib/common/"' >> /etc/environment

# To allow group omkadmin to execute OMK scripts using PAR_GLOBAL_TMPDIR we need to set permissions on the /usr/local/omk/var directory to allow this:
sudo chmod 0750 /usr/local/omk/var
sudo chown root:omkadmin /usr/local/omk/var
# To allow user nmis to execute OMK scripts using PAR_GLOBAL_TMPDIR we add user nmis to group omkadmin:
sudo usermod -a -G omkadmin nmis

# reboot to get PAR_GLOBAL_TMPDIR exported globally if it needed to be set:
reboot
# check PAR_GLOBAL_TMPDIR is exported after reboot:
echo "${PAR_GLOBAL_TMPDIR}"
# -> /usr/local/omk/var/lib/common/

# Unfortunately systemd services do not pick up this global environment variable, so each OMK systemd service needs to be edited:
# first we check the needed 'EnvironmentFile' entry is not already included with:
sudo systemctl cat omkd
# then, if necessary, edit the omkd service
sudo systemctl edit omkd
# Ensure the service is configured to use the PAR_GLOBAL_TMPDIR environment variable as set in /etc/environment
# by adding the following entry to [Service]
# - add the [Service] section if it is not already present:
[Service]
EnvironmentFile=/etc/environment
# edit each OMK systemd service in this manner if needed, for example:
sudo systemctl edit opchartsd
sudo systemctl edit opconfigd
sudo systemctl edit opeventsd
sudo systemctl edit opflowd

# The NMIS9 plugin SubnetImport.pm, which is executed by the nmis9d.service daemon, executes opcharts-cli.pl, so this service too
# needs to be configured to have the PAR_GLOBAL_TMPDIR environment variable in its environment, as set in /etc/environment:
#
# first we check the needed 'EnvironmentFile' entry is not already included with:
sudo systemctl cat nmis9d
# then, if necessary, edit the nmis9d service
sudo systemctl edit nmis9d
# Ensure the service is configured to have the PAR_GLOBAL_TMPDIR environment variable in its environment, as set in /etc/environment
# by adding the following entry to [Service]
# - add the [Service] section if it is not already present
# - note the '=-' which instructs nmis9d.service not to fail on file /etc/environment not being found:
[Service]
EnvironmentFile=-/etc/environment

# reload the edited services
sudo systemctl daemon-reload
# restart the OMK services
sudo /path/to/omk/bin/checkomkdaemons.sh restart
# restart the nmis9d service
sudo systemctl restart nmis9d

# To ensure cron jobs read /etc/environment and pick up the environment variable PAR_GLOBAL_TMPDIR,
# prepend the following code to the command:
export $(/usr/bin/xargs < /etc/environment)||:;
# For example /etc/cron.d/opreports:
# was
# this cron schedule runs the opReports scheduler every 5 minutes
#
# m h dom month dow user command
*/5 * * * * root /usr/local/omk/bin/opreports-scheduler.exe
# and becomes
# this cron schedule runs the opReports scheduler every 5 minutes
#
# m h dom month dow user command
*/5 * * * * root export $(/usr/bin/xargs < /etc/environment)||:; /usr/local/omk/bin/opreports-scheduler.exe
```
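The steps above touch four separate places (/etc/environment, the PAR directory mode, each systemd drop-in and every cron entry), and a miss in any one of them only shows up later as a daemon that silently cannot unpack its PAR archive. The following verification script is an added example, not code from the Opmantek page or product. Each check reads a file you name, so it can be pointed at /etc/environment, at the output of `systemctl cat`, at /proc/mounts and at /etc/cron.d on a live host, or at the constructed samples at the bottom of the block; the file names, sample values and function names are assumptions made for this example.

```shell
#!/bin/sh
# Added verification helper (not part of the Opmantek page or product): checks that the
# PAR_GLOBAL_TMPDIR plumbing described above is actually in place. Every check reads a file
# you name, so it works on a live host or on the constructed samples at the bottom.

# $1: file in /etc/environment format. Prints the PAR_GLOBAL_TMPDIR value and succeeds,
# or prints nothing and fails when the variable is absent or empty.
env_par_tmpdir() {
    _v=$(sed -n 's/^PAR_GLOBAL_TMPDIR="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1" | head -n 1)
    [ -n "$_v" ] && printf '%s\n' "$_v"
}

# $1: a systemd unit or drop-in file. Succeeds only when the [Service] section carries
# EnvironmentFile=/etc/environment or the non-fatal EnvironmentFile=-/etc/environment form.
unit_loads_environment() {
    awk '
        /^\[/ { in_service = ($0 == "[Service]") }
        in_service && /^EnvironmentFile=-?\/etc\/environment[ \t]*$/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# $1: file in /proc/mounts format; $2: mount point. Succeeds when that mount carries the
# noexec option, which is the condition that makes PAR_GLOBAL_TMPDIR necessary at all.
mount_is_noexec() {
    awk -v target="$2" '
        $2 == target { n = split($4, opts, ","); for (i = 1; i <= n; i++) if (opts[i] == "noexec") found = 1 }
        END { exit !found }
    ' "$1"
}

# $1: the PAR directory. Succeeds when it exists with the sticky, world-writable mode 1777
# (shown by ls as drwxrwxrwt) that the chmod step above sets.
par_dir_mode_ok() {
    [ -d "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "drwxrwxrwt" ]
}

# $1: one /etc/cron.d line (with the user field). Succeeds when the command column begins
# with the export prefix, i.e. the job reads /etc/environment before it runs.
cron_line_exports_env() {
    _cmd=$(printf '%s\n' "$1" | awk '{ for (i = 7; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n") }')
    case "$_cmd" in
        'export $(/usr/bin/xargs < /etc/environment)||:;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# --- demonstration on constructed samples that mirror the values used above ---
demo=$(mktemp -d)
printf 'PAR_GLOBAL_TMPDIR="/usr/local/omk/var/lib/common/"\n' > "$demo/environment"
printf '[Service]\nEnvironmentFile=-/etc/environment\n' > "$demo/nmis9d-override.conf"
printf 'tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0\n' > "$demo/mounts"
mkdir -p "$demo/common" && chmod 1777 "$demo/common"

mount_is_noexec "$demo/mounts" /tmp && echo "/tmp is mounted noexec, so PAR_GLOBAL_TMPDIR is required"
echo "PAR_GLOBAL_TMPDIR is set to $(env_par_tmpdir "$demo/environment")"
par_dir_mode_ok "$demo/common" && echo "PAR directory has mode 1777"
unit_loads_environment "$demo/nmis9d-override.conf" && echo "nmis9d drop-in loads /etc/environment"
cron_line_exports_env '*/5 * * * * root export $(/usr/bin/xargs < /etc/environment)||:; /usr/local/omk/bin/opreports-scheduler.exe' \
    && echo "opreports cron entry exports /etc/environment"
rm -rf "$demo"
```

On a live host, run the unit check against `systemctl cat omkd`, `opchartsd`, `opconfigd`, `opeventsd`, `opflowd` and `nmis9d` in turn; a service whose drop-in is missing the entry fails the check even if the shell's own `echo "${PAR_GLOBAL_TMPDIR}"` looks right, which is exactly the gap the page warns about.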
fapolicyd Whitelisting Change (required by OMK Installers, but not by NMIS Installers):
```bash
# For setting new fapolicyd rules, please read:
# https://www.mankier.com/5/fapolicyd.rules
# For OMK services and scripts to function correctly we will need to add a rule to whitelist needed directories in fapolicyd
# such that root (uid=0) can execute scripts in the listed directories:
# - for this example we have chosen directory '/data/installs/' and /path/to/omk/ is /usr/local/omk/:
# Insert the following block of 3 rules immediately after the '%languages=' entry, making this the first rule in /etc/fapolicyd/fapolicyd.rules.
# See the paragraph further below, 'Debugging fapolicyd', for the method used to identify the additional two 'Fix' rules for RHEL8 in this case.
# The additional two 'Fix' rules may have a different 'path=/path/to/file.so' from those in this case.
# Please do follow the steps in the paragraph further below, 'Debugging fapolicyd', and debug for at least 24 hours to ensure your fapolicyd implementation is complete!

# OMK PAR
allow perm=any uid=0 : dir=/data/installs/,/usr/local/omk/bin/,/usr/local/omk/var/lib/common/,/data/omk/var/lib/common/,/usr/local/omk/lib/common/PAR/,/usr/local/omk/lib/.tmp/PAR/
# Fix "dec=deny_audit perm=execute auid=-1 pid=108878 exe=...opmantek.pl : path=/usr/lib64/ld-2.28.so ftype=application/x-sharedlib"
allow_audit perm=execute uid=0 : path=/usr/lib64/ld-2.28.so
# Fix "dec=deny_audit perm=open auid=-1 pid=27086 exe=/usr/local/omk/bin/opha-cli.exe : path=/usr/lib64/libpthread-2.28.so ftype=application/x-sharedlib"
allow_audit perm=execute uid=0 : path=/usr/lib64/libpthread-2.28.so

# Update fapolicyd with the additional rules we have inserted:
sudo fapolicyd-cli --update
# A reboot at this point is not absolutely necessary, but reinforces that settings are working as intended
sudo reboot
# restart the OMK services
sudo /usr/local/omk/bin/checkomkdaemons.sh restart
```
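The two 'Fix' rules above were each derived from one `dec=deny_audit` line in fapolicyd's debug output, and the page asks you to keep debugging for at least 24 hours because more such lines may appear. The helper below is an added example, not code from the Opmantek page or product: it converts deny lines of that format into candidate `allow_audit` rules for uid=0, but only for denials whose `exe=` lies under a directory you pass (the OMK install directory and the install staging directory in the page's setup), so a denial for an unrelated program never turns into a whitelist entry. It copies the perm from the denial rather than hard-coding execute, so the libpthread line (a perm=open denial) yields a perm=open rule. The debug log, the pids and auids, and the /data/installs executable in the demonstration are constructed; the opha-cli.exe line is the one quoted on the page.

```shell
#!/bin/sh
# Added helper (not part of the Opmantek page or product): turns fapolicyd 'dec=deny_audit'
# debug lines into candidate allow_audit rules for uid=0. Only denials whose 'exe=' falls
# under one of the directory prefixes you pass are converted; the rest are skipped so that
# unrelated events never widen the whitelist. Review the output before adding it to
# /etc/fapolicyd/fapolicyd.rules and running 'fapolicyd-cli --update'.

# $1: one fapolicyd debug line; $2..: directory prefixes whose executables are in scope.
# Prints one rule and succeeds, or prints nothing and fails. The rule carries the perm
# reported in the denial (open or execute) rather than hard-coding execute.
deny_to_allow_rule() {
    _line=$1; shift
    case "$_line" in
        *dec=deny*) ;;
        *) return 1 ;;
    esac
    _perm=$(printf '%s\n' "$_line" | sed -n 's/.*perm=\([a-z]*\).*/\1/p')
    _exe=$(printf '%s\n' "$_line" | sed -n 's/.*exe=\([^ ]*\).*/\1/p')
    _path=$(printf '%s\n' "$_line" | sed -n 's/.*path=\([^ ]*\).*/\1/p')
    [ -n "$_perm" ] && [ -n "$_exe" ] && [ -n "$_path" ] || return 1
    _in_scope=1
    for _prefix in "$@"; do
        [ -n "$_prefix" ] || continue
        case "$_exe" in "$_prefix"?*) _in_scope=0 ;; esac
    done
    [ "$_in_scope" -eq 0 ] || return 1
    printf 'allow_audit perm=%s uid=0 : path=%s\n' "$_perm" "$_path"
}

# $1: file of fapolicyd debug output; $2..: prefixes as above. Prints each distinct
# candidate rule once, however many times the same denial repeated in the log.
rules_from_debug_log() {
    _log=$1; shift
    while IFS= read -r _l; do
        deny_to_allow_rule "$_l" "$@" || true
    done < "$_log" | awk '!seen[$0]++'
}

# --- demonstration on a constructed debug log (pids, auids and the /data/installs
# executable are made up; the opha-cli.exe denial is the one quoted on the page) ---
demo=$(mktemp -d)
cat > "$demo/fapolicyd-debug.log" <<'EOF'
dec=deny_audit perm=execute auid=-1 pid=4001 exe=/data/installs/omk-installer.run : path=/usr/lib64/ld-2.28.so ftype=application/x-sharedlib
dec=deny_audit perm=open auid=-1 pid=27086 exe=/usr/local/omk/bin/opha-cli.exe : path=/usr/lib64/libpthread-2.28.so ftype=application/x-sharedlib
dec=deny_audit perm=open auid=-1 pid=27090 exe=/usr/local/omk/bin/opha-cli.exe : path=/usr/lib64/libpthread-2.28.so ftype=application/x-sharedlib
dec=deny_audit perm=execute auid=1000 pid=4242 exe=/home/someone/unrelated.sh : path=/home/someone/unrelated.sh ftype=text/x-shellscript
dec=allow_audit perm=execute auid=-1 pid=1 exe=/usr/bin/bash : path=/usr/bin/ls ftype=application/x-executable
EOF
echo "# candidate rules for review:"
rules_from_debug_log "$demo/fapolicyd-debug.log" /usr/local/omk/ /data/installs/
rm -rf "$demo"
```

The demonstration prints two rules: one for ld-2.28.so and one for libpthread-2.28.so, with the repeated opha-cli.exe denial collapsed into a single line and the unrelated denial and the allow line dropped. Each emitted rule is still path-specific and uid=0 only, matching the shape of the page's own 'Fix' rules, so it should sit after the 'OMK PAR' rule and before the distribution's catch-all deny.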
...