This guide will go over a few settings that will help to make your Linux environment with NMIS9 more secure and stable.
Set the OMK NMIS9 VM to run services & scripts as user with omkadmin being the owner:group of /usr/local/omk
These steps will allow omkadmin as a user and as a group able to execute OMK scripts. To do this, we will follow the steps below:
To begin, we will find files and directories in /data/omk with setUID bit set
sudo find /data/omk -perm/+4000
Set Cronjobs to run as omkadmin
Be sure to set all OMK cronjobs to run as the user omkadmin and not as the root user.
General settings to ensure omkdadmin is the user running commands:
# stop services while we make this change:
sudo /usr/local/omk/bin/checkomkdaemons.sh stop;
# Add approved users, such as nmis, to omkadmin group as needed:
sudo usermod -a -G omkadmin nmis;
# this directory exists on the OMK NMIS9 VM:
OMK_DIR=/data/omk
# Set OMK directory structure writable by group:
sudo chown -R omkadmin:omkadmin "${OMK_DIR:-FAIL_HERE}";
sudo find "${OMK_DIR:-FAIL_HERE}" -type d -exec chmod 0770 {} \;;
# Set user and group able to write files:
sudo find "${OMK_DIR:-FAIL_HERE}" -type f -exec chmod 0660 {} \;;
# Set scripts executable by user and group:
# This command is purely precautionary: this directory is not likely to exist
sudo find "${OMK_DIR:-FAIL_HERE}/script" -type f -exec chmod 0770 {} \;;
# This command is purely precautionary: this directory is not likely to exist
sudo find "${OMK_DIR:-FAIL_HERE}/bin" -type f -exec chmod 0770 {} \;;
OMK_DIR=/usr/local/omk
# These command are exactly as for /data/omk:
# Set OMK directory structure writable by group:
sudo chown -R omkadmin:omkadmin "${OMK_DIR:-FAIL_HERE}";
sudo find "${OMK_DIR:-FAIL_HERE}" -type d -exec chmod 0770 {} \;;
# Set user and group able to write files:
sudo find "${OMK_DIR:-FAIL_HERE}" -type f -exec chmod 0660 {} \;;
# Set scripts executable by user and group:
# This command should succeed: this directory is likely to exist
sudo find "${OMK_DIR:-FAIL_HERE}/script" -type f -exec chmod 0770 {} \;;
# This command should succeed: this directory is likely to exist
sudo find "${OMK_DIR:-FAIL_HERE}/bin" -type f -exec chmod 0770 {} \;;
# The following commands should be executed after any of the the above commands
# to ensure PAR directory structure is re-created with PAR's own permissions set:
# Set sticky bit on $PAR_GLOBAL_TMPDIR directory and only executable by root.
# This is a more secure implementation of the linux /tmp/ directory implementation which also uses
sticky bit, but with chmod 1777:
sudo chmod 1700 "${PAR_GLOBAL_TMPDIR:-FAIL_HERE}";
# Delete existing PAR subdirectories as we may have set incorrect permissions on this directory
structure when executing the previous commands.
# The PAR subdirectories are re-created automatically by PAR upon being deleted (at execution of any PAR
script exe by that user):
sudo rm -rf "${PAR_GLOBAL_TMPDIR:-FAIL_HERE}"/*;
A good check that PAR is working as envisaged is when a normal user can execute OMK PAR exe scripts (other than those scripts that explicitly require execution by sudo with elevated permissions) and when there aren't any directories found of pattern /tmp/par-*/. (Assuming that environment variable "$PAR_GLOBAL_TMPDIR" points to an existing and user accessible directory).