...
# Setup User Logins and Groups
# Create the dedicated omkadmin service account
# (-m: create a home directory, -U: create a group with the same name).
useradd -m -U omkadmin
# Lock the account's password so it cannot be used for password logins.
passwd -l omkadmin
# Cross-membership: nmis joins group omkadmin and omkadmin joins group nmis.
# Security note: together with the group-writable modes (0770/0660) applied to
# /usr/local/omk further down, the nmis account gains write access to the whole
# OMK tree, so a compromise of nmis also exposes the OMK files.
usermod -a -G omkadmin nmis
usermod -a -G nmis omkadmin
# NOTE - uncomment the below if also using Open-AudIT
# (www-data is normally the web server account on Debian/Ubuntu; adding it to
# group omkadmin extends the same group write access to the web server)
# usermod -a -G omkadmin www-data
# Shut down all impacting/impacted services
/usr/local/omk/bin/checkomkdaemons.sh stop
systemctl stop nmis9d
systemctl stop cron
sleep 10
# nmis9d is stopped a second time after the pause; presumably to catch an
# instance that was restarted in the meantime - confirm.
systemctl stop nmis9d
# START of standard installer changes
OMK_DIR=/usr/local/omk
#
# Hand the whole tree to omkadmin:omkadmin, then give every directory
# rwx for owner and group and nothing for other users (0770).
printf '%s\n' 'Set OMK directory structure writable by group:'
sudo chown -R omkadmin:omkadmin "${OMK_DIR}"
sudo find "${OMK_DIR}" -type d -exec chmod 0770 '{}' \;
#
# Every regular file becomes rw for owner and group only (0660). This strips
# the execute bit everywhere; the loop below restores it for script/ and bin/.
printf '%s\n' 'Set user and group able to write files:'
sudo find "${OMK_DIR}" -type f -exec chmod 0660 '{}' \;
#
# script/ first, then bin/: files there are made executable for owner and
# group (0770), still with no access for other users.
for omk_exec_dir in script bin; do
  printf '%s\n' 'Set scripts executable by user and group:'
  sudo find "${OMK_DIR}/${omk_exec_dir}" -type f -exec chmod 0770 '{}' \;
done
unset omk_exec_dir
# END of standard installer changes
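#
# Both variables must be set before anything is deleted: with an empty
# PAR_GLOBAL_TMPDIR the first rm would expand to "/par-*" and chmod would be
# left without a target. ${VAR:?} aborts here instead.
: "${PAR_GLOBAL_TMPDIR:?PAR_GLOBAL_TMPDIR must be set before cleaning the PAR directories}"
: "${OMK_DIR:?OMK_DIR must be set (normally /usr/local/omk)}"
echo Delete existing PAR subdirectories as we may have set incorrect permissions on this directory
# Expansions are quoted and "--" ends option parsing, so an unusual path
# cannot be split into extra arguments or read as an option.
sudo rm -Rf -- "${PAR_GLOBAL_TMPDIR}"/par-*
sudo rm -Rf -- /tmp/par-*
#
echo "Set sticky bit on ${PAR_GLOBAL_TMPDIR} directory and only executable by root."
# Mode 1700 = sticky bit plus rwx for the directory owner only.
# NOTE(review): the message says "root", but 1700 grants access to whoever
# owns the directory. Confirm the owner, and confirm that nmis and omkadmin
# can still create their par- directories inside it.
sudo chmod 1700 -- "${PAR_GLOBAL_TMPDIR}"
#
echo "Recreate ${PAR_GLOBAL_TMPDIR}/par- directories for root,nmis and omkadmin"
# patch_config.exe is run once per account only to make the par- directories
# get recreated. stderr is discarded, so a failure here is silent: check
# afterwards that the three directories exist with the expected owners.
# NOTE(review): sudo's default env_reset drops most environment variables;
# confirm PAR_GLOBAL_TMPDIR actually reaches these processes.
sudo "${OMK_DIR}/bin/patch_config.exe" 2> /dev/null
sudo -u nmis "${OMK_DIR}/bin/patch_config.exe" 2> /dev/null
sudo -u omkadmin "${OMK_DIR}/bin/patch_config.exe" 2> /dev/null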
#
echo Update opCommon.json config with new PID directories
# Rewrites every occurrence of "var/run" in opCommon.json to "var/run/omk".
# Not safe to run twice: the pattern also matches paths that were already
# rewritten, so a second run turns "var/run/omk" into "var/run/omk/omk".
# Keep a copy of the file and review the result before restarting services.
sed -i 's/var\/run/var\/run\/omk/g' /usr/local/omk/conf/opCommon.json
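#
echo Update SYSTEMCTL Server Files
# The same three edits are applied to each OMK unit file:
#   1. run the service as omkadmin:omkadmin (User=/Group= after [Service]);
#   2. move every /var/run path to /var/run/omk;
#   3. add ExecStartPre steps that create /var/run/omk, chown it to omkadmin
#      and set mode 3700 (setgid + sticky, rwx for the owner only).
#      PermissionsStartOnly=true keeps those pre-start steps privileged while
#      the service itself runs as omkadmin.
# Step 2 must run before step 3, otherwise the paths inserted by step 3 would
# be rewritten to /var/run/omk/omk.
# The edits are not repeatable (a second pass duplicates the inserted lines
# and rewrites the paths again), so a unit that already has User=omkadmin is
# skipped. A unit file that does not exist is skipped as well.
# NOTE(review): newer systemd releases deprecate PermissionsStartOnly= in
# favour of the "+" prefix on ExecStartPre=, and offer RuntimeDirectory= for
# per-service runtime directories - verify against the installed version.
# systemd only picks up edited unit files after "systemctl daemon-reload";
# that step is not shown in this part of the procedure.
for omk_service in omkd opchartsd opconfigd opeventsd; do
  omk_unit="/etc/systemd/system/${omk_service}.service"
  #
  echo "${omk_service}.service"
  if [ ! -f "${omk_unit}" ]; then
    echo "${omk_unit} not found, skipping" >&2
    continue
  fi
  if grep -q '^User=omkadmin' "${omk_unit}"; then
    echo "${omk_unit} already runs as omkadmin, skipping" >&2
    continue
  fi
  sed -i 's/\[Service\]/\[Service\]\nUser\=omkadmin\nGroup\=omkadmin/g' "${omk_unit}"
  sed -i 's/\/var\/run/\/var\/run\/omk/g' "${omk_unit}"
  sed -i 's/\[Service\]/\[Service\]\nPermissionsStartOnly\=true\nExecStartPre\=\/bin\/sh \-c \"mkdir \-p \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chown omkadmin\.omkadmin \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chmod 3700 \/var\/run\/omk\/\"/g' "${omk_unit}"
done
unset omk_service omk_unit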
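#
echo Update logrotate config
# Rotated logs are recreated as omkadmin:omkadmin with mode 0660 instead of
# nmis:nmis. This substitution is a no-op once it has been applied.
sed -i 's/create 0660 nmis nmis/create 0660 omkadmin omkadmin/g' /etc/logrotate.d/omk-rotate.conf
# Add a "su omkadmin omkadmin" directive after each endscript so logrotate
# performs the rotation as that user and group. Guarded so that running the
# procedure again does not append a second copy of the directive.
if ! grep -q 'su omkadmin omkadmin' /etc/logrotate.d/omk-rotate.conf; then
  sed -i 's/endscript/endscript\n\tsu omkadmin omkadmin/g' /etc/logrotate.d/omk-rotate.conf
fi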
#
echo Update all crontab job owners
# In /etc/cron.d files the field after the five time fields names the account
# the job runs as; these edits move the OMK jobs from root to omkadmin.
# The patterns are not anchored to that field: any "root" delimited the same
# way elsewhere on a line is rewritten too, so review the files afterwards.
#
# opaddress is handled on its own because its pattern starts with a space
# rather than a tab.
sed -i 's/ root\t/\tomkadmin\t/g' /etc/cron.d/opaddress
# The remaining job files all use the tab-delimited form.
for omk_cron_job in opconfig opevents opha oplicense opreports; do
  sed -i 's/\troot\t/\tomkadmin\t/g' "/etc/cron.d/${omk_cron_job}"
done
unset omk_cron_job
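#
echo Add an Hourly Rights Check to CRONTAB
# Hourly audit jobs for /usr/local/omk, each listing what it finds:
#   :40 (root)     entries whose group is neither omkadmin nor nmis,
#                  ignoring the par- directories under var/lib/common
#   :42 (omkadmin) entries omkadmin cannot write to
#   :44 (root)     entries matched by -perm /+2000 (setgid bit)
#   :46 (root)     entries matched by -perm /+4000 (setuid bit)
# The file is written in one step with ">" so that running the procedure
# again replaces it instead of appending a second copy of every job. The
# quoted here-document delimiter keeps the content literal (no expansion).
cat > /etc/cron.d/omk_check_omkadmin_user_group <<'OMK_CRON_EOF'
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
40 * * * * root find /usr/local/omk ! -group omkadmin ! -group nmis ! -regex '/usr/local/omk/var/lib/common/par-.+' -exec ls -lAhd '{}' \;;
42 * * * * omkadmin find /usr/local/omk ! -writable -exec ls -lAhd '{}' \;;
44 * * * * root find /usr/local/omk -perm /+2000 -exec ls -lAhd '{}' \;;
46 * * * * root find /usr/local/omk -perm /+4000 -exec ls -lAhd '{}' \;;
OMK_CRON_EOF
# This file schedules jobs that run as root, so it must be owned by root and
# writable by nobody else; cron implementations commonly ignore /etc/cron.d
# files that are group- or world-writable.
chown root:root /etc/cron.d/omk_check_omkadmin_user_group
chmod 0644 /etc/cron.d/omk_check_omkadmin_user_group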
...