Saturday, March 8, 2008

Limit the use of root with SUDO in ITM 6.1

Most Unix/Linux sysadmins don't make a habit of giving out root access to their servers to just anyone. Once you get ITM 6.1 close to production, you will most likely be asked whether sudo can be used instead of root access.

Based on my testing (RHEL4), you can use sudo to locally install ITM agent code.

Here is what I put in my /etc/sudoers (use visudo on Linux; don't modify this file directly):

NOTE: the following is all on one line in /etc/sudoers, where 'test' is the user, '/opt/IBM/ITM' is your ITM installation directory, and '/mnt/cdrecorder' is the path to the ITM media. You can also include groups with %group. Also, if you don't want the user to be able to uninstall the agent, remove the /opt/IBM/ITM/bin/uninstall.sh entry:

test ALL=/opt/IBM/, /mnt/cdrecorder/install.sh, /opt/IBM/ITM/bin/uninstall.sh, /opt/IBM/ITM/bin/itmcmd

I then logged in as user 'test' and ran:

sudo ./install.sh

...and selected the lz agent during the installation.

Then to configure and start the agent I ran:

sudo /opt/IBM/ITM/bin/itmcmd config -A lz

...and entered the prompted information

sudo /opt/IBM/ITM/bin/itmcmd agent start lz

To uninstall the agent:

sudo /opt/IBM/ITM/bin/uninstall.sh

...and enter prompted information on what to uninstall

or to remove everything ITM from that server without being prompted:

sudo /opt/IBM/ITM/bin/uninstall.sh REMOVE EVERYTHING

That's it.
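To review a rule like the one above before handing it out, the following added example (not part of the original post) classifies each entry of the command list and flags any target that is missing or can be changed by someone other than root. In sudoers, an entry ending in '/' such as /opt/IBM/ permits every executable directly in that directory; the function names here are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): review a sudoers command list.
# Simplification: entries are split on every comma; escaped commas are not handled.

# The rule from the post, i.e. the text after "test ALL=".
PAGE_RULE='/opt/IBM/, /mnt/cdrecorder/install.sh, /opt/IBM/ITM/bin/uninstall.sh, /opt/IBM/ITM/bin/itmcmd'

# Classify one entry by its form, following sudoers(5) semantics.
classify_entry() {
    case "$1" in
        ALL)    echo ALL ;;           # any command at all
        /*\ *)  echo COMMAND_ARGS ;;  # command limited to the listed arguments
        */)     echo DIRECTORY ;;     # any executable directly in this directory
        /*)     echo COMMAND ;;       # this command with any arguments
        *)      echo OTHER ;;         # alias or syntax this sketch does not parse
    esac
}

# Print a reason if someone other than root could supply or change the file.
writable_risk() {
    if [ ! -e "$1" ]; then
        echo missing                  # absent now: whoever creates it decides what runs
    elif find -L "$1" -maxdepth 0 \( ! -user 0 -o -perm -020 -o -perm -002 \) -print | grep -q .; then
        echo not-root-only            # not owned by root, or group/world-writable
    fi
    return 0
}

# Print "kind<TAB>entry<TAB>risk" for every entry in a command list.
audit_rule() {
    rest=$1
    while [ -n "$rest" ]; do
        case "$rest" in
            *,*) entry=${rest%%,*}; rest=${rest#*,} ;;
            *)   entry=$rest; rest= ;;
        esac
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$entry" ] || continue
        path=${entry%% *}             # drop any argument restriction
        risk=$(writable_risk "$path")
        printf '%s\t%s\t%s\n' "$(classify_entry "$entry")" "$entry" "${risk:-ok}"
    done
}

audit_rule "$PAGE_RULE"
```

The check covers only the named path; parent directories and the media mount behind /mnt/cdrecorder need the same root-only ownership and mode.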

As for remote agent deployments from a Linux TEMS, you won't need sudo by default, since the tacmd command is installed with open user permissions during ITM installation. It does require that you export the $CANDLEHOME environment variable set to your ITM installation directory, authenticate to the TEMS with the tacmd login command, and provide a privileged account on the remote server in the tacmd command, which is covered by other blogs on this site.
