
  • General Changes required by both fapolicyd and a noexec-mounted /tmp (required by OMK Installers, but not by NMIS Installers):

    # Create an install directory which we can use in a less restricted fashion to get OMK Applications installed and functioning.
    # Everything below runs as root (see the 'sudo -i' next); the later 'sudo' prefixes are therefore redundant but harmless.
    # - for this example we have chosen directory '/data/installs/':
    
    sudo -i
    # Created root-owned: keep it that way, because the fapolicyd rule added in the next block lets root execute anything under it.
    mkdir -p /data/installs/
    
    
    # Set an environment variable globally to accommodate the Perl::PAR module, which is used to create and execute OMK daemons and scripts, if needed:
    # check the environment variable is not already set (should not print a PAR_GLOBAL_TMPDIR line if it is not set in this file):
    cat /etc/environment
    
    # check the environment variable is not already set in some other manner (should print an empty line if PAR_GLOBAL_TMPDIR is not already exported):
    echo "${PAR_GLOBAL_TMPDIR}"
    
    # set up PAR_GLOBAL_TMPDIR if needed:
    #
    # IMPORTANT:
    #   If you require OMK scripts that don't explicitly require root privileges to be executable by users without root privileges:
    #     Set PAR_GLOBAL_TMPDIR to a suitable directory outside of the OMK install directory (/usr/local/omk in this example);
    #     The OMK install directory currently has root as both owner and group by default.
    #     Users without root privileges won't therefore have execute capability in the OMK install directory structure.
    #
    # SECURITY NOTE: mode 1777 makes this directory world-writable (the sticky bit only stops users deleting or renaming each
    # other's files). PAR extracts and runs code from here, and the fapolicyd rule added in the next block lets root execute
    # from this directory without a trust check, so any local user able to write here can stage a file that a root-run OMK
    # tool may pick up. Prefer the narrowest mode that still works for the accounts that need it (compare the 0750 root:omkadmin
    # arrangement applied to /usr/local/omk/var further down) and confirm what PAR actually requires before settling on 1777.
    mkdir -p /usr/local/omk/var/lib/common/
    chmod 1777 /usr/local/omk/var/lib/common/
    # Appends unconditionally: run it only once, otherwise /etc/environment collects duplicate entries.
    # The double quotes are written literally into the file; the readers used on this page ('.', xargs and systemd's
    # EnvironmentFile) strip them again (pam_env at login presumably does too - confirm on your distribution).
    echo 'PAR_GLOBAL_TMPDIR="/usr/local/omk/var/lib/common/"' >> /etc/environment
    
    # Fix perl warning: Please check that your locale settings:
    #     LANGUAGE = (unset)
    #     LC_ALL = (unset)
    #     LANG = "en_US.UTF-8"
    #   are supported and installed on your system.
    # Sources /etc/environment into this root shell, then appends LANG / LC_ALL only when each is still unset or empty.
    # The two tests are separated by ';', so the LC_ALL test runs even when LANG is already set; a non-zero exit status
    # from the group (the last test failing) is expected and harmless.
    . /etc/environment;{ [[ -z "${LANG:-}" ]] && echo "LANG=en_US.utf-8";[[ -z "${LC_ALL:-}" ]] && echo "LC_ALL=C"; } >> /etc/environment
    
    
    # To allow group omkadmin to execute OMK scripts using PAR_GLOBAL_TMPDIR we need to set permissions on the /usr/local/omk/var directory to allow this.
    # 0750 root:omkadmin gives group members traverse/read access only; write access to the PAR directory comes from the 1777 above.
    sudo chmod 0750 /usr/local/omk/var;
    sudo chown root:omkadmin /usr/local/omk/var;
    
    # To allow user nmis to execute OMK scripts using PAR_GLOBAL_TMPDIR we add user nmis to group omkadmin
    # (supplementary group membership is only picked up by new logins/processes, which the reboot below takes care of):
    sudo usermod -a -G omkadmin nmis;
    
    
    # reboot to get the PAR_GLOBAL_TMPDIR exported globally if it needed to be set
    # (everything from here on is run in a fresh session after the reboot):
    reboot
    
    
    # check PAR_GLOBAL_TMPDIR is exported after reboot:
    echo "${PAR_GLOBAL_TMPDIR}"
    # expected output of the echo above (not a command to run):
    /usr/local/omk/var/lib/common/
    
    # Unfortunately systemd services do not pick up this global environment variable, so each OMK systemd service needs to be edited:
    # first we check the needed 'EnvironmentFile' entry is not already included with:
    sudo systemctl cat omkd
    # then, if necessary, edit the omkd service ('systemctl edit' opens a drop-in override; it does not touch the packaged unit file)
    sudo systemctl edit omkd
    
    # Ensure the service is configured to use the PAR_GLOBAL_TMPDIR environment variable as set in /etc/environment
    # by adding the following entry to [Service]
    # - add the [Service] section if it is not already present.
    # - the two lines below are systemd unit syntax to paste into the editor, not shell commands.
    # - without a leading '-' the unit fails to start if /etc/environment is missing (compare the nmis9d entry further below).
    # - NOTE: EnvironmentFile imports every variable in /etc/environment into the service, not just PAR_GLOBAL_TMPDIR;
    #   anything else placed in that file (proxy settings, credentials, ...) becomes part of the daemon's environment.
    
    [Service]
    EnvironmentFile=/etc/environment
    
    
    # edit each OMK systemd service in this manner if needed, for example:
    sudo systemctl edit opchartsd
    sudo systemctl edit opconfigd
    sudo systemctl edit opeventsd
    sudo systemctl edit opflowd
    
    # NMIS9 plugin SubnetImport.pm, which is executed by the nmis9d.service daemon, executes opcharts-cli.pl so this service too
    # needs to be configured to have the PAR_GLOBAL_TMPDIR environment variable in its environment, as set in /etc/environment:
    #
    # first we check the needed 'EnvironmentFile' entry is not already included with:
    sudo systemctl cat nmis9d
    # then, if necessary, edit the nmis9d service
    sudo systemctl edit nmis9d
    
    # Ensure the service is configured to have the PAR_GLOBAL_TMPDIR environment variable in its environment, as set in /etc/environment
    # by adding the following entry to [Service]
    # - add the [Service] section if it is not already present
    # - the two lines below are systemd unit syntax, not shell
    # - note the '=-' which instructs nmis9d.service not to fail on file /etc/environment not being found:
    
    [Service]
    EnvironmentFile=-/etc/environment
    
    
    
    # reload the edited services (required after any drop-in change before the new setting is used)
    sudo systemctl daemon-reload
    
    
    # restart the OMK services ('/path/to/omk' is a placeholder: substitute the real install directory, /usr/local/omk in this example)
    sudo /path/to/omk/bin/checkomkdaemons.sh restart
    
    # restart the nmis9d service
    sudo systemctl restart nmis9d  
    
    
    # To ensure cron jobs read /etc/environment and pick up the environment variable PAR_GLOBAL_TMPDIR,
    # prepend the following code to the command.
    # How it works: xargs joins every line of /etc/environment into one argument list (stripping the quotes), and the
    # unquoted $(...) word-splits that into KEY=VALUE words for 'export'.  Caveats:
    # - a value containing whitespace is split into several words, so the variable is exported with a truncated value and the
    #   remaining fragments are treated as separate names; comment lines in the file produce 'not a valid identifier' errors.
    #   '||:' masks all of these errors so the job still runs - keep /etc/environment to simple KEY=VALUE lines;
    # - a value containing glob characters is subject to pathname expansion;
    # - cron runs the command with /bin/sh unless SHELL is set in the crontab; the snippet uses only POSIX sh constructs.
    export $(/usr/bin/xargs < /etc/environment)||:;
    # For example /etc/cron.d/opreports:
    # was
            # this cron schedule runs the opReports scheduler every 5 minutes
            #
            # m h dom month dow user command
            */5 * * * *   root 	/usr/local/omk/bin/opreports-scheduler.exe
    # and becomes
            # this cron schedule runs the opReports scheduler every 5 minutes
            #
            # m h dom month dow user command
            */5 * * * *   root	export $(/usr/bin/xargs < /etc/environment)||:; /usr/local/omk/bin/opreports-scheduler.exe
    


  • fapolicyd Whitelisting Change (required by OMK Installers, but not by NMIS Installers):


    # fapolicyd rule excerpt plus the commands to activate it.  Lines beginning 'allow' / 'allow_audit' are fapolicyd.rules
    # syntax (the first matching rule wins), not shell; the 'sudo ...' lines at the end are shell commands.
    # For setting new fapolicyd rules, please read:
    # https://www.mankier.com/5/fapolicyd.rules
    
    
    # For OMK services and scripts to function correctly we will need to add a rule to whitelist needed directories in fapolicyd
    # such that root (uid=0) can execute scripts in the listed directories:
    # - for this example we have chosen directory '/data/installs/' and /path/to/omk/ is /usr/local/omk/:
    
    # Insert the following block of rules immediately after the '%languages=' entry, making this the first rule in /etc/fapolicyd/fapolicyd.rules.
    # See the paragraph further below 'Debugging fapolicyd' for the method used to identify the additional 'Fix' rules for RHEL8 in this case.
    # The additional 'Fix' rules may have different file paths from those in this case.
    # Please do follow the steps in the paragraph further below 'Debugging fapolicyd' and debug for at least a week to ensure your fapolicyd implementation is complete!
    
    # SECURITY NOTE on the 'dir=' rules: they exempt root from the trust check for everything under the listed directories, so
    # the directory permissions become the only control over what root will execute there.  /data/installs/ must stay writable
    # by root only; /usr/local/omk/var/lib/common/ is given mode 1777 in the block above, which lets any local user drop a file
    # that a root-run OMK tool may then execute without fapolicyd objecting - tighten that directory's mode (or narrow the rule)
    # if non-root users do not need write access to it.
    
    # Allow Installs:
    allow perm=any uid=0 : dir=/data/installs/
    # Allow NMIS9:
    # Fix dec=deny_audit perm=open auid=-1 pid=1931352 exe=/usr/local/nmis9/bin/wmic : path=/usr/lib64/libresolv-2.28.so ftype=application/x-sharedlib
    # ('allow_audit' allows and also logs every match, so expect audit noise from these rules.)
    allow_audit perm=any uid=0 : path=/usr/lib64/libresolv-2.28.so
    # Allow OMK PAR:
    allow perm=any uid=0 : dir=/usr/local/omk/bin/,/usr/local/omk/script/,/usr/local/omk/var/lib/common/,/data/omk/var/lib/common/,/usr/local/omk/lib/common/PAR/
    #
    # The 'Fix' lines below are the denial records captured on this host; the pid values are incidental.  The library file names
    # are those of the glibc build installed when the denials were captured, so re-derive them with the 'Debugging fapolicyd'
    # method after a glibc update rather than copying them verbatim.
    # Fix "dec=deny_audit perm=execute OR open auid=-1 pid=108878 exe=...opmantek.pl : path=/usr/lib64/ld-2.28.so ftype=application/x-sharedlib"
    # Fix "dec=deny_audit perm=open auid=-1 pid=27086 exe=/usr/local/omk/bin/opha-cli.exe : path=/usr/lib64/libpthread-2.28.so ftype=application/x-sharedlib"
    # Fix "dec=deny_audit perm=open auid=-1 pid=27086 exe=...opha-cli.pl: path=/usr/lib64/libnsl.so.2.0.0 ftype=application/x-sharedlib"
    # Fix dec=deny_audit perm=open auid=-1 pid=809147 exe=/data/omk/var/lib/common/par-726f6f74/cache-17e3f7c595dddb09f71069f2282bdbb1943a69e3/opreports-scheduler.exe
    #       : path=/usr/lib64/libnsl-2.28.so ftype=application/x-sharedlib
    # Fix dec=deny_audit perm=open auid=-1 pid=776150 exe=/usr/local/nmis9/bin/wmic : path=/usr/lib64/libcrypt.so.1.1.0 ftype=application/x-sharedlib
    # Fix dec=deny_audit perm=open auid=-1 pid=1680601 exe=/data/omk/var/lib/common/par-726f6f74/cache-17e3f7c595dddb09f71069f2282bdbb1943a69e3/opreports-scheduler.exe
    #       : path=/usr/lib64/libdl-2.28.so ftype=application/x-sharedlib
    # Fix dec=deny_audit perm=open auid=-1 pid=1749856 exe=/data/omk/var/lib/common/par-726f6f74/cache-00548e237c0c0fdd9581d8236e7b57e47c9024b4/opha-cli.pl
    #       : path=/usr/lib64/libm-2.28.so ftype=application/x-sharedlib
    # Fix dec=deny_audit perm=open auid=-1 pid=2211812 exe=/data/omk/var/lib/common/par-726f6f74/cache-15aafc77ad1c5493483a4c1937bb5e81cc946bd0/patch_access.exe
    #       : path=/usr/lib64/libutil-2.28.so ftype=application/x-sharedlib
    # Fix dec=deny_audit perm=open auid=-1 pid=2306975 exe=/data/omk/var/lib/common/par-726f6f74/cache-17e3f7c595dddb09f71069f2282bdbb1943a69e3/opreports-scheduler.exe
    #       : path=/usr/lib64/libc-2.28.so ftype=application/x-sharedlib
    # NOTE: the next line is cut off in the rendered page (the trailing '$' is display truncation); the full rule also lists the
    # remaining libraries from the 'Fix' records above (libm-2.28.so, libutil-2.28.so, libc-2.28.so).
    allow_audit perm=any uid=0 : path=/usr/lib64/ld-2.28.so,/usr/lib64/libpthread-2.28.so,/usr/lib64/libnsl.so.2.0.0,/usr/lib64/libnsl-2.28.so,/usr/lib64/libcrypt.so.1.1.0,/usr/lib64/libdl-2.28.so,/usr/lib64/libm-2$
    # Fix persistent issues where the above 'Fix' strategies aren't working 100% with the 'trust=1' strategy: add each script to the
    # trust database with the following commands, which need to be run after each applicable OMK App install and OMK App upgrade
    # (the trust entry records the file's size and hash, so a replaced binary is untrusted again until re-added):
    #       fapolicyd-cli --file add /usr/local/omk/bin/opha-cli.exe
    #       fapolicyd-cli --file add /usr/local/omk/bin/opreports-scheduler.exe
    #       fapolicyd-cli --file add /usr/local/omk/bin/opreports-scheduler.exe   (duplicate of the line above; one entry suffices)
    # Fix dec=deny_audit perm=execute auid=-1 pid=2183440 exe=/usr/sbin/logrotate : path=/usr/lib64/ld-2.28.so ftype=application/x-sharedlib
    #       fapolicyd-cli --file add /usr/sbin/logrotate
    # Update the fapolicyd trust database after making any change using `fapolicyd-cli --file ...`
    #       fapolicyd-cli --update
    # Check files in the fapolicyd trust database with this command:
    #       fapolicyd-cli --dump-db|grep -v rpmdb
    
    
    
    # Update fapolicyd with the additional rules we have inserted.
    # NOTE(review): '--update' reloads the trust database; whether the running daemon also re-reads fapolicyd.rules depends on
    # the fapolicyd version - the reboot below restarts the daemon and so applies the new rules regardless.
    sudo fapolicyd-cli --update
    
    # Reboot at this point is not absolutely necessary, but reinforces that settings are working as intended
    sudo reboot
    
    # restart the OMK services (after the reboot; the doubled slash in the path is harmless)
    sudo /usr/local/omk//bin/checkomkdaemons.sh restart 

