This guide steps through the changes to settings and filesystem privileges required to enhance the security on a standalone machine running NMIS9 Modules on Ubuntu Linux.
This guide has also been tested on RHEL8.8, the steps are exactly the same, and along with verification. The only difference is that you have to use service instead of systemctl on RHEL/Centos distributions.
This guide runs top to bottom as a sequence. It is important that this sequence is followed in order to prevent issues on restart.
Backups are highly recommended.
Preparation
The changes involved in this document include the use of recursive rights changes and recursive directory deletion as the "root" user.
The changes involved require the shutdown of all monitoring tasks and the cron daemon.
If this solution is critical to your environment ensure that an outage window is allocated. In the testing environment the required changes executed in less than 1 minute scripted however a manual implementation with cross-checking and cross-checking post change on a system with additional local customisation will take longer in the validation stage of the change.
This document was tested on an Ubuntu 20.04 installation running default service files and directory settings for nmis and omk modules from their respective installers.
Tested Modules
Be aware that in the event the system is running any other applications/modules that require access to the file structures on the following list there is a very high probability that their rights will be blocked and the additional processes could fail to execute properly.
- nmis9
- opAddress
- opAdmin
- opCharts
- opConfig
- opEvents
- opHA
- opReports
System Snapshot/Backup
For System Snapshots and Backups you will need to refer to the documentation for your environment.
If the information on your system, or stability of the system is critical to your business it is important to retain a working backup. It is important that you have confirmed that you backups can be restored.
- Full system backups, including Operating System and Data - Contact your IT department, Vendor Support, or Integrator
- Virtual Machine Snapshots - Refer to the solution guides for your environment
User Setup
These steps will allow omkadmin as a user and as a group able to execute OMK scripts. To do this, we will follow the steps below:
If the omkadmin user does not exist it will have to be created. We will create the user in a manner that does not allow ssh access as this user will be acting as the "system" account.
adduser omkadmin --disabled-login
Example session output
root@server:~# adduser omkadmin --disabled-login Adding user `omkadmin' ... Adding new group `omkadmin' (1010) ... Adding new user `omkadmin' (1009) with group `omkadmin' ... Creating home directory `/home/omkadmin' ... Copying files from `/etc/skel' ... Changing the user information for omkadmin Enter the new value, or press ENTER for the default Full Name []: Room Number []: Work Phone []: Home Phone []: Other []: Is the information correct? [Y/n] root@server:~#
In the previous example output you will note the line "Adding new user `omkadmin' (1009) with group `omkadmin'", there is a default setting that adds a group at the same time as adding a user.
The following command will not work if there was ANY error issued when creating the user or group. If you get an error in creating the user this needs to be resolved before proceeding.
Adjust User Groups
Next we will add the USER "nmis" to the GROUP "omkadmin" and the add USER "omkadmin" to the GROUP "nmis"
Reciprocal rights are required as applications running under both users write and read into the omk and nmis directory structures.
usermod -a -G omkadmin nmis usermod -a -G nmis omkadmin
The following example shows how running the command "groups <username>" will list all group memberships for the specified user as a validation.
User "nmis" should now have "omkadmin" in the groups list and user "omkadmin" should have "nmis" in its groups list.
root@server:~# groups nmis nmis adm plugdev netdev lxd google-sudoers omkadmin root@server:~# groups omkadmin omkadmin nmis
Open-AudIT and the Apache user
If you are using Open-AudIT, you will also need to add the Apache user (www-data) to the omkadmin group.
usermod -a -G omkadmin www-data
Shutdown all impacting services
This section will bring all services that are going to be altered down this will include; crond, nmis9d, omk daemons.
Because we are shutting crond down some system administrative tasks may not fire during this period.
This step is required to prevent nmis/omk processes from creating files that may block or create issues with this update process.
Run the following commands:
/usr/local/omk/bin/checkomkdaemons.sh stop systemctl stop nmis9d systemctl stop cron
Output example
root@server:~# /usr/local/omk/bin/checkomkdaemons.sh stop job complete! root@server:~# systemctl stop nmis9d root@server:~# systemctl stop cron root@server:~#
The commands can take some time to gracefully shutdown. You can check the status of the shutdown by running the following command:
ps ax | grep -E "(nmis|cron| op)"
It may output a list of running processes to start with. If the server is small and/or not very busy the processes may exit immediately and this long list won't be seen.
root@server:~# ps ax | grep -E "(nmis|cron| op)" 1443255 ? Ss 0:00 /usr/sbin/cron -f 1443265 ? Ss 0:00 nmisd.scheduler 1443266 ? S 0:00 nmisd.fping 1443268 ? S 0:00 nmisd.worker.<idle> 1443269 ? S 0:00 nmisd.worker.<idle> 1443272 ? S 0:00 nmisd.worker.<idle> 1443273 ? S 0:01 nmisd.worker.<idle> 1443276 ? S 0:00 nmisd.worker.<idle> 1443279 ? S 0:01 nmisd.worker.<idle> 1443282 ? S 0:00 nmisd.worker.<idle> 1443283 ? S 0:01 nmisd.worker.<idle> 1443285 ? S 0:00 nmisd.worker.<idle> 1443288 ? S 0:00 nmisd.worker.<idle> 1443359 ? Ss 0:04 opmantek.pl-webserver -f -p /var/run/opmantek.exe.pid -r 1443365 ? Ss 0:00 opchartsd 1443366 ? S 0:00 opchartsd worker 1443415 ? Ss 0:00 opeventsd 1443416 ? S 0:00 opeventsd.worker 1443438 ? S 0:00 opmantek.pl-webserver -f -p /var/run/opmantek.exe.pid -r 1443439 ? S 0:00 opmantek.pl-webserver -f -p /var/run/opmantek.exe.pid -r 1443440 ? S 0:00 opmantek.pl-webserver -f -p /var/run/opmantek.exe.pid -r 1443441 ? S 0:00 opmantek.pl-webserver -f -p /var/run/opmantek.exe.pid -r 1443442 ? S 0:00 opmantek.pl-webserver -f -p /var/run/opmantek.exe.pid -r 1443443 ? S 0:00 opmantek.pl-webserver -f -p /var/run/opmantek.exe.pid -r 1443444 ? S 0:00 opeventsd.tail.winlogd.log 1443445 ? S 0:00 opeventsd.tail.trap.log 1443446 ? S 0:00 opeventsd.tail.event.log 1443447 ? S 0:00 opmantek.pl-webserver -f -p /var/run/opmantek.exe.pid -r 1443448 ? S 0:00 opeventsd.tail.cisco.log 1443450 ? S 0:00 opmantek.pl-webserver -f -p /var/run/opmantek.exe.pid -r 1443451 ? S 0:00 opeventsd.tail.tivoli.log 1443453 ? S 0:00 opmantek.pl-webserver -f -p /var/run/opmantek.exe.pid -r 1443455 ? S 0:00 opmantek.pl-webserver -f -p /var/run/opmantek.exe.pid -r 1443463 ? Ss 0:00 opconfigd 1443464 ? S 0:00 opconfigd worker 1443546 pts/0 S+ 0:00 grep --color=auto -E (nmis|cron| op)
When processes have all shutdown gracefully the previous command will return something very similar to the following. The first number on the line can be ignored:
root@server:~# ps ax | grep -E "(nmis|cron| op)" 1443224 pts/0 S+ 0:00 grep --color=auto -E (nmis|cron| op) root@server:~#
Ownership and Rights Changes
The following set of commands will run through and alter all of the file and directory rights as the key security task. You should be able to cut and past the entire block into the cli as root user.
# START of standard installer changes OMK_DIR=/usr/local/omk # These command are exactly as for /data/omk: echo Set OMK directory structure writable by group: sudo chown -R omkadmin:omkadmin "${OMK_DIR}"; sudo find "${OMK_DIR}" -type d -exec chmod 0770 '{}' \;; echo Set user and group able to write files: sudo find "${OMK_DIR}" -type f -exec chmod 0660 '{}' \;; echo Set scripts executable by user and group: # This command should succeed: this directory is likely to exist sudo find "${OMK_DIR}/script" -type f -exec chmod 0770 '{}' \;; echo Set scripts executable by user and group: # This command should succeed: this directory is likely to exist sudo find "${OMK_DIR}/bin" -type f -exec chmod 0770 '{}' \;; # END of standard installer changes
Cleanup and set appropriate "common" directory rights. If we don't kill the cron process as per the beginning of this document, this part of the change can cause issues.
This command will output a lot of information to the screen for debugging should something not work properly here.
echo Delete existing PAR subdirectories as we may have set incorrect permissions on this directory # structure when executing the previous commands. # The PAR subdirectories are re-created automatically by PAR upon being deleted (at execution of any PAR # script exe by that user): OMK_DIR=/usr/local/omk sudo rm -Rvf ${PAR_GLOBAL_TMPDIR}/par-* sudo rm -Rvf /tmp/par-* # The following commands should be executed after any of the the above commands # to ensure PAR directory structure is re-created with PAR's own permissions set: echo Set sticky bit on $PAR_GLOBAL_TMPDIR directory and only executable by root. # This is a more secure implementation of the linux /tmp/ directory implementation which also uses # sticky bit, but with chmod 1777: sudo chmod 3700 ${PAR_GLOBAL_TMPDIR} echo Run tests sudo ${OMK_DIR}/bin/patch_config.exe sudo -u nmis ${OMK_DIR}/bin/patch_config.exe sudo -u omkadmin ${OMK_DIR}/bin/patch_config.exe
Review the temporary directory by running the following command:
ls -la /usr/local/omk/var/lib/common/
This following screenscrape is very important. It is a crosscheck that user rights are being allocated properly when applications run. The output should return something very similar to this example:
Note the single Capital "T" and three Capital "S" and that the username nmis, omkadmin, and root in lines 5,6,7 are all followed by omkadmin (the group name).
root@server:~# ls -la /usr/local/omk/var/lib/common/ total 20 drwxrws--T 5 omkadmin omkadmin 4096 Jul 13 11:55 . drwxrwx--- 3 omkadmin omkadmin 4096 Jun 28 03:41 .. drwx--S--- 3 nmis omkadmin 4096 Jul 13 11:55 par-6e6d6973 drwx--S--- 3 omkadmin omkadmin 4096 Jul 13 11:55 par-6f6d6b61646d696e drwx--S--- 12 root omkadmin 4096 Jul 13 12:57 par-726f6f74
Change Process PID locations:
In /usr/local/omk/conf/opCommon.json set each *_pid entry as follows (note that each service has its own pid directory under /var/run):
- "opchartsd_pid" : "/var/run/omk/opchartsd.pid"
- "opconfigd_pid" : "/var/run/omk/opconfigd.pid"
- "opeventsd_pid" : "/var/run/omk/opeventsd.pid"
This command will search through the config file and insert the appropriate entries for you:
sed -i 's/var\/run/var\/run\/omk/g' /usr/local/omk/conf/opCommon.json
Check that the entries look correct as follows:
root@server:/run# grep "/var/run/omk" /usr/local/omk/conf/opCommon.json "opflowd_pid" : "/var/run/omk/opflowd.pid", "opchartsd_pid" : "/var/run/omk/opchartsd.pid", "opeventsd_pid" : "/var/run/omk/opeventsd.pid", "opconfigd_pid" : "/var/run/omk/opconfigd.pid", root@server:/run#
SYSTEMCTL Service Files
Locate necessary service files for alteration using a grep command
cd /etc/systemd/system grep -s omk *
Example output
root@server:~# cd /etc/systemd/system root@server:/etc/systemd/system# grep -s omk * omkd.service:ExecStart=/usr/local/omk/script/opmantek.pl -f -p /var/run/opmantek.exe.pid -r opchartsd.service:ExecStart=/usr/local/omk/bin/opchartsd.pl opconfigd.service:ExecStart=/usr/local/omk/bin/opconfigd.pl opeventsd.service:ExecStart=/usr/local/omk/bin/opeventsd.pl root@server:/etc/systemd/system#
From this output we can see that there are four (4) files that will need to be altered:
- omkd.service
- opchartsd.service
- opconfigd.service
- opeventsd.service
omkd.service
sed -i 's/\[Service\]/\[Service\]\nUser\=omkadmin\nGroup\=omkadmin/g' /etc/systemd/system/omkd.service sed -i 's/\/var\/run/\/var\/run\/omk/g' /etc/systemd/system/omkd.service sed -i 's/\[Service\]/\[Service\]\nPermissionsStartOnly\=true\nExecStartPre\=\/bin\/sh \-c \"mkdir \-p \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chown omkadmin\.omkadmin \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chmod 3700 \/var\/run\/omk\/\"/g' /etc/systemd/system/omkd.service
opchartsd.service
sed -i 's/\[Service\]/\[Service\]\nUser\=omkadmin\nGroup\=omkadmin/g' /etc/systemd/system/opchartsd.service sed -i 's/\/var\/run/\/var\/run\/omk/g' /etc/systemd/system/opchartsd.service sed -i 's/\[Service\]/\[Service\]\nPermissionsStartOnly\=true\nExecStartPre\=\/bin\/sh \-c \"mkdir \-p \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chown omkadmin\.omkadmin \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chmod 3700 \/var\/run\/omk\/\"/g' /etc/systemd/system/opchartsd.service
opconfigd.service
sed -i 's/\[Service\]/\[Service\]\nUser\=omkadmin\nGroup\=omkadmin/g' /etc/systemd/system/opconfigd.service sed -i 's/\/var\/run/\/var\/run\/omk/g' /etc/systemd/system/opconfigd.service sed -i 's/\[Service\]/\[Service\]\nPermissionsStartOnly\=true\nExecStartPre\=\/bin\/sh \-c \"mkdir \-p \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chown omkadmin\.omkadmin \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chmod 3700 \/var\/run\/omk\/\"/g' /etc/systemd/system/opconfigd.service
opeventsd.service
sed -i 's/\[Service\]/\[Service\]\nUser\=omkadmin\nGroup\=omkadmin/g' /etc/systemd/system/opeventsd.service sed -i 's/\/var\/run/\/var\/run\/omk/g' /etc/systemd/system/opeventsd.service sed -i 's/\[Service\]/\[Service\]\nPermissionsStartOnly\=true\nExecStartPre\=\/bin\/sh \-c \"mkdir \-p \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chown omkadmin\.omkadmin \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chmod 3700 \/var\/run\/omk\/\"/g' /etc/systemd/system/opeventsd.service
Confirm SYSTEMCTL Changes:
The output of the above commands will have been to adjust the service files to add some additional entries to the Service section of the configs and to alter PID references in the omkd.service file
The requirement is to add a User and Group entry into the Service section of each of the service files. We will also match any PID references to the new setup as well. As per the following example:
# simple systemd unit file for the Opmantek Webserver daemon [Unit] Description=Opmantek Webserver After=network-online.target After=mongod.service Requires=mongod.service Wants=mongod.service Wants=network-online.target [Install] WantedBy=multi-user.target [Service] Type=forking Restart=no EnvironmentFile=/etc/environment PIDFile=/var/run/opmantek.exe.pid TimeoutSec=120s KillMode=process ExecStart=/usr/local/omk/script/opmantek.pl -f -p /var/run/opmantek.exe.pid -r
With the new USER, GROUP and altered PID entries as per the following - post change. You can use this example as a guide for a concise review of each file if you wish.
# simple systemd unit file for the Opmantek Webserver daemon [Unit] Description=Opmantek Webserver After=network-online.target After=mongod.service Requires=mongod.service Wants=mongod.service Wants=network-online.target [Install] WantedBy=multi-user.target [Service] PermissionsStartOnly=true ExecStartPre=/bin/sh -c "mkdir -p /var/run/omk/" ExecStartPre=/bin/sh -c "chown omkadmin.omkadmin /var/run/omk/" ExecStartPre=/bin/sh -c "chmod 3700 /var/run/omk/" User=omkadmin Group=omkadmin Type=forking Restart=no EnvironmentFile=/etc/environment PIDFile=/var/run/omk/opmantek.exe.pid TimeoutSec=120s KillMode=process ExecStart=/usr/local/omk/script/opmantek.pl -f -p /var/run/omk/opmantek.exe.pid -r
Alternatively if you want to do a quick cross-check of the changes you can do so with the following grep command.
grep -s omk /etc/systemd/system/* | grep -vE "pl$
The output will be similar to the following which should reveal all new entries.
root@server:/etc/systemd/system# grep -s omk /etc/systemd/system/* | grep -vE "pl$" /etc/systemd/system/omkd.service:ExecStartPre=/bin/sh -c "mkdir -p /var/run/omk/" /etc/systemd/system/omkd.service:ExecStartPre=/bin/sh -c "chown omkadmin.omkadmin /var/run/omk/" /etc/systemd/system/omkd.service:ExecStartPre=/bin/sh -c "chmod 0700 /var/run/omk/" /etc/systemd/system/omkd.service:User=omkadmin /etc/systemd/system/omkd.service:Group=omkadmin /etc/systemd/system/omkd.service:PIDFile=/var/run/omk/opmantek.exe.pid /etc/systemd/system/omkd.service:ExecStart=/usr/local/omk/script/opmantek.pl -f -p /var/run/omk/opmantek.exe.pid -r /etc/systemd/system/opchartsd.service:ExecStartPre=/bin/sh -c "mkdir -p /var/run/omk/" /etc/systemd/system/opchartsd.service:ExecStartPre=/bin/sh -c "chown omkadmin.omkadmin /var/run/omk/" /etc/systemd/system/opchartsd.service:ExecStartPre=/bin/sh -c "chmod 0700 /var/run/omk/" /etc/systemd/system/opchartsd.service:User=omkadmin /etc/systemd/system/opchartsd.service:Group=omkadmin /etc/systemd/system/opchartsd.service:PIDFile=/var/run/omk/opchartsd.pid /etc/systemd/system/opconfigd.service:ExecStartPre=/bin/sh -c "mkdir -p /var/run/omk/" /etc/systemd/system/opconfigd.service:ExecStartPre=/bin/sh -c "chown omkadmin.omkadmin /var/run/omk/" /etc/systemd/system/opconfigd.service:ExecStartPre=/bin/sh -c "chmod 0700 /var/run/omk/" /etc/systemd/system/opconfigd.service:User=omkadmin /etc/systemd/system/opconfigd.service:Group=omkadmin /etc/systemd/system/opconfigd.service:PIDFile=/var/run/omk/opconfigd.pid /etc/systemd/system/opeventsd.service:ExecStartPre=/bin/sh -c "mkdir -p /var/run/omk/" /etc/systemd/system/opeventsd.service:ExecStartPre=/bin/sh -c "chown omkadmin.omkadmin /var/run/omk/" /etc/systemd/system/opeventsd.service:ExecStartPre=/bin/sh -c "chmod 0700 /var/run/omk/" /etc/systemd/system/opeventsd.service:User=omkadmin /etc/systemd/system/opeventsd.service:Group=omkadmin /etc/systemd/system/opeventsd.service:PIDFile=/var/run/omk/opeventsd.pid
Logrotate Changes
/etc/logrotate.d/omk-rotate.conf needs to be edited and each section of the logrotate script needs to include:
The following commands with do this for the default conf.
sed -i 's/create 0660 nmis nmis/create 0660 omkadmin omkadmin/g' /etc/logrotate.d/omk-rotate.conf sed -i 's/endscript/endscript\n\tsu omkadmin omkadmin/g' /etc/logrotate.d/omk-rotate.conf
The commands set the following directives:
- create 0660 omkadmin omkadmin
- su omkadmin omkadmin
The su directive is new and is required so that logrotate will continue to work when writing to a no-root owned file (non-privileged). We place it at after the "endscript" statement.
CRON Job Changes
The following commands are used to change all of the default cronjobs. Replacing all "root" user entries with "omkadmin" user entries.
sed -i 's/ root\t/\tomkadmin\t/g' opaddress sed -i 's/\troot\t/\tomkadmin\t/g' opconfig sed -i 's/\troot\t/\tomkadmin\t/g' opevents sed -i 's/\troot\t/\tomkadmin\t/g' opha sed -i 's/\troot\t/\tomkadmin\t/g' oplicense sed -i 's/\troot\t/\tomkadmin\t/g' opreports
Rights Checks
If crond was not disabled prior to updating all of the directory rights this list will likely return many files owned by root.root. Those specific files will need to be manually changed to omkadmin.omkadmin ownership.
sudo find /usr/local/omk/ ! -group omkadmin ! -regex '/usr/local/omk/var/lib/common/par-.+' -exec ls -lAhd '{}' \;; -rw-rw-r-- 1 nmis nmis 453 Jul 13 20:15 /usr/local/omk/var/opcore/registry/open-audit.json -rw-rw-r-- 1 nmis nmis 3.5K Jul 13 20:15 /usr/local/omk/var/opcore/registry/opEvents.json -rw-rw-r-- 1 nmis nmis 1.5K Jul 13 20:15 /usr/local/omk/var/opcore/registry/opHA.json -rw-rw-r-- 1 nmis nmis 5.1K Jul 13 20:15 /usr/local/omk/var/opcore/registry/opCharts.json -rw-rw-r-- 1 nmis nmis 2.0K Jul 13 20:15 /usr/local/omk/var/opcore/registry/opConfig.json -rw-rw-r-- 1 nmis nmis 108 Jul 13 20:27 /usr/local/omk/var/opevents/file_state/_usr_local_nmis9_logs_event.log.json
Rights Check CronJob
Create cronjob /etc/cron.d/omk_check_omkadmin_user_group:
Copy and paste the following code block to the command line to create the new cronjob
touch /etc/cron.d/omk_check_omkadmin_user_group echo "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin" >> /etc/cron.d/omk_check_omkadmin_user_group echo "# m h dom mon dow user command" >> /etc/cron.d/omk_check_omkadmin_user_group echo "40 * * * * root find /usr/local/omk ! -group omkadmin ! -group nmis ! -regex '/usr/local/omk/var/lib/common/par-.+' -exec ls -lAhd '{}' \;;" >> /etc/cron.d/omk_check_omkadmin_user_group echo "42 * * * * omkadmin find /usr/local/omk ! -writable -exec ls -lAhd '{}' \;;" >> /etc/cron.d/omk_check_omkadmin_user_group echo "44 * * * * root find /usr/local/omk -perm /+2000 -exec ls -lAhd '{}' \;;" >> /etc/cron.d/omk_check_omkadmin_user_group echo "46 * * * * root find /usr/local/omk -perm /+4000 -exec ls -lAhd '{}' \;;" >> /etc/cron.d/omk_check_omkadmin_user_group
Reboot the machine
Rebooting the machine will restore all services and allow for system maintenance and startup tasks that were halted to be run as required with the new users and privileges.
sudo reboot
Full Script
Note that the following script has been added for convenience at this stage and has no checks or error handling embedded.
# Setup User Logins and Groups useradd -m -U omkadmin passwd -l omkadmin usermod -a -G omkadmin nmis usermod -a -G nmis omkadmin # NOTE - uncomment the below if also using Open-AudIT # usermod -a -G omkadmin www-data # Showdown all impacting/impacted services /usr/local/omk/bin/checkomkdaemons.sh stop systemctl stop nmis9d systemctl stop cron sleep 10 systemctl stop nmis9d # START of standard installer changes OMK_DIR=/usr/local/omk # echo Set OMK directory structure writable by group: sudo chown -R omkadmin:omkadmin "${OMK_DIR}"; sudo find "${OMK_DIR}" -type d -exec chmod 0770 '{}' \;; # echo Set user and group able to write files: sudo find "${OMK_DIR}" -type f -exec chmod 0660 '{}' \;; # echo Set scripts executable by user and group: sudo find "${OMK_DIR}/script" -type f -exec chmod 0770 '{}' \;; # echo Set scripts executable by user and group: sudo find "${OMK_DIR}/bin" -type f -exec chmod 0770 '{}' \;; # END of standard installer changes # echo Delete existing PAR subdirectories as we may have set incorrect permissions on this directory sudo rm -Rf ${PAR_GLOBAL_TMPDIR}/par-* sudo rm -Rf /tmp/par-* # echo Set sticky bit on $PAR_GLOBAL_TMPDIR directory and only executable by root. sudo chmod 1700 ${PAR_GLOBAL_TMPDIR} # echo Recreate $PAR_GLOBAL_TMPDIR/par- directories for root,nmis and omkadmin sudo ${OMK_DIR}/bin/patch_config.exe 2> /dev/null sudo -u nmis ${OMK_DIR}/bin/patch_config.exe 2> /dev/null sudo -u omkadmin ${OMK_DIR}/bin/patch_config.exe 2> /dev/null # echo Update opCommon.json config with new PID directories sed -i 's/var\/run/var\/run\/omk/g' /usr/local/omk/conf/opCommon.json # echo Update SYSTEMCTL Server Files # echo omkd.service sed -i 's/\[Service\]/\[Service\]\nUser\=omkadmin\nGroup\=omkadmin/g' /etc/systemd/system/omkd.service sed -i 's/\/var\/run/\/var\/run\/omk/g' /etc/systemd/system/omkd.service sed -i 's/\[Service\]/\[Service\]\nPermissionsStartOnly\=true\nExecStartPre\=\/bin\/sh \-c \"mkdir \-p \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chown omkadmin\.omkadmin \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chmod 3700 \/var\/run\/omk\/\"/g' /etc/systemd/system/omkd.service # echo opchartsd.service sed -i 's/\[Service\]/\[Service\]\nUser\=omkadmin\nGroup\=omkadmin/g' /etc/systemd/system/opchartsd.service sed -i 's/\/var\/run/\/var\/run\/omk/g' /etc/systemd/system/opchartsd.service sed -i 's/\[Service\]/\[Service\]\nPermissionsStartOnly\=true\nExecStartPre\=\/bin\/sh \-c \"mkdir \-p \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chown omkadmin\.omkadmin \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chmod 3700 \/var\/run\/omk\/\"/g' /etc/systemd/system/opchartsd.service # echo opconfigd.service sed -i 's/\[Service\]/\[Service\]\nUser\=omkadmin\nGroup\=omkadmin/g' /etc/systemd/system/opconfigd.service sed -i 's/\/var\/run/\/var\/run\/omk/g' /etc/systemd/system/opconfigd.service sed -i 's/\[Service\]/\[Service\]\nPermissionsStartOnly\=true\nExecStartPre\=\/bin\/sh \-c \"mkdir \-p \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chown omkadmin\.omkadmin \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chmod 3700 \/var\/run\/omk\/\"/g' /etc/systemd/system/opconfigd.service # echo opeventsd.service sed -i 's/\[Service\]/\[Service\]\nUser\=omkadmin\nGroup\=omkadmin/g' /etc/systemd/system/opeventsd.service sed -i 's/\/var\/run/\/var\/run\/omk/g' /etc/systemd/system/opeventsd.service sed -i 's/\[Service\]/\[Service\]\nPermissionsStartOnly\=true\nExecStartPre\=\/bin\/sh \-c \"mkdir \-p \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chown omkadmin\.omkadmin \/var\/run\/omk\/\"\nExecStartPre\=\/bin\/sh \-c \"chmod 3700 \/var\/run\/omk\/\"/g' /etc/systemd/system/opeventsd.service # echo Update logrotate config sed -i 's/create 0660 nmis nmis/create 0660 omkadmin omkadmin/g' /etc/logrotate.d/omk-rotate.conf sed -i 's/endscript/endscript\n\tsu omkadmin omkadmin/g' /etc/logrotate.d/omk-rotate.conf # echo Update all crontab job owners sed -i 's/ root\t/\tomkadmin\t/g' /etc/cron.d/opaddress sed -i 's/\troot\t/\tomkadmin\t/g' /etc/cron.d/opconfig sed -i 's/\troot\t/\tomkadmin\t/g' /etc/cron.d/opevents sed -i 's/\troot\t/\tomkadmin\t/g' /etc/cron.d/opha sed -i 's/\troot\t/\tomkadmin\t/g' /etc/cron.d/oplicense sed -i 's/\troot\t/\tomkadmin\t/g' /etc/cron.d/opreports # echo Add an Hourly Rights Check to CRONTAB touch /etc/cron.d/omk_check_omkadmin_user_group echo "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin" >> /etc/cron.d/omk_check_omkadmin_user_group echo "# m h dom mon dow user command" >> /etc/cron.d/omk_check_omkadmin_user_group echo "40 * * * * root find /usr/local/omk ! -group omkadmin ! -group nmis ! -regex '/usr/local/omk/var/lib/common/par-.+' -exec ls -lAhd '{}' \;;" >> /etc/cron.d/omk_check_omkadmin_user_group echo "42 * * * * omkadmin find /usr/local/omk ! -writable -exec ls -lAhd '{}' \;;" >> /etc/cron.d/omk_check_omkadmin_user_group echo "44 * * * * root find /usr/local/omk -perm /+2000 -exec ls -lAhd '{}' \;;" >> /etc/cron.d/omk_check_omkadmin_user_group echo "46 * * * * root find /usr/local/omk -perm /+4000 -exec ls -lAhd '{}' \;;" >> /etc/cron.d/omk_check_omkadmin_user_group
Hardening NMIS:
The above guide can also be applied to the nmis user and change the nmid9d service to execute and own all of it's process's rather than having the root process own the nmis workers.
This can be done concurrently, independantly or after following the above guide to harden the omk modules and rest of the NMIS suite.
This has been tested on a Ubuntu 20.04/RHEL 8.8 installation running default service files and directory settings for nmis and omk modules from their respective installers. You will need to modify some commands into their respective RHEL/Centos counterparts in the above script and steps.
Shutdown all impacting services
/usr/local/omk/bin/checkomkdaemons.sh stop systemctl stop nmis9d systemctl stop cron
SYSTEMCTL Service File changes for NMIS
sudo sed -i 's/\/var\/run/\/var\/run\/nmis9/' /etc/systemd/system/nmis9d.service sudo sed -i 's/\[Service\]/\[Service\]\nPermissionsStartOnly\=true\nExecStartPre\=\/bin\/sh \-c \"mkdir \-p \/var\/run\/nmis9\/\"\nExecStartPre\=\/bin\/sh \-c \"chown nmis\.nmis \/var\/run\/nmis9\/\"\nExecStartPre\=\/bin\/sh \-c \"chmod 3700 \/var\/run\/nmis9\/\"/g' /etc/systemd/system/nmis9d.service sudo sed -i 's/PIDFile=\/usr\/local\/nmis9\/var\/nmis_system\/nmisd.pid/PIDFile=\/var\/run\/nmis9\/nmis9d.pid/' /etc/systemd/system/nmis9d.service sudo sed -i '/\[Service\]/a User=nmis\nGroup=nmis' /etc/systemd/system/nmis9d.service
CRON Job Changes for NMIS
sed -i 's/\troot/\/nmis\t/g' /etc/cron.d/nmis9
Reboot the machine
Rebooting the machine will restore all services and allow for system maintenance and startup tasks that were halted to be run as required with the new users and privileges.
sudo reboot
Verify the changes