Mike,

We have not tried to install as non-root. I have an outstanding question
for the VAIM SE asking "what if" the agent is run as a non-root user, what
VAIM functions cease to work. It is common practice to NOT run services
such as Apache as root since if compromised, the attacker has root.

My thought is that a similar concept would apply to an SNMP agent, however
your point is well taken, /var/log/messages is owned by root. There are
workarounds however, in that "dmesg" could be run by the agent as
non-root. There is also a wealth of info in the /proc subdir world
readable.

It *would* be best to have the systemEdge agent installed as
root/administrator, but managed by VAIM. We could then set any log watch,
proc mon (and restart) via the console and know it would have the privs to
complete.

The flipside of this is, if you deliver a script to be run on the host (and
there are ways to do this with VAIM) and your script malfunctions, it does
so as "root"....

I will be testing non-root systemEdge install in my lab.

Regards

-Rob

On Mon, Nov 21, 2011 at 2:17 PM, Zink, Michael <[email protected]> wrote:

>  Craig / Rob,
>
>
>
> We have this problem as well.  We cannot ssh directly as root, requiring 2
> sets of credentials.  Our Unix teams will not provide root access so we
> will be providing packages for installation.
>
>
>
> Rob, our understanding from CA was that the install of sysedge required
> root access.  Access other than root is not ideal since processes and logs
> owned by root may be missed by the agent for monitoring purposes.  Have you
> experienced differently?
>
>
>
> Thanks,
>
>
>
> Michael Zink
>
> Network Analyst
>
> Information Technology Services
>
> 3700 Wake Forest Road
>
> Raleigh, NC 27609
>
> 919-754-6095  (Phone)
>
> 919-850-2827  (FAX)
>
> 919-723-7066  (Cell)
>
>
>
> 919-754-6000  (ITS Service Desk)
>
>
>
> *From:* Robert Borowicz [mailto:[email protected]]
> *Sent:* Friday, November 18, 2011 5:33 PM
> *To:* spectrum
>
> *Cc:* spectrum
> *Subject:* Re: [spectrum] vaim 12.6 is now available
>
>
>
> Craig,
>
>
> I spoke to the Product Manager of VAIM on this at CA World this week.  He
> is aware that this is an issue at many customers and as such limits the
> ability of the product to be leveraged to its strength. They are working on
> this... Theoretically systemEdge (I think) can run as a non-root user, and
> provided the remote communication protocol (CAM/UDP Port 4104) can open a
> connection and the credentials you CAN provide at the console can write to
> the install area on the remote host specified, you *should* be able to
> install systemEdge with VAIM as non-root. At least in Linux/Unix I'm
> relatively certain this is possible. Winders is another story.
>
> We didn't do any such forethought in my shop, but rather simply sent Unix
> and Windows packages to SA's to install as root/administrator. Now I need
> to assimilate these individually installed agents into VAIM. Talking this
> through with the SE at CA World, it seems possible.
>
> -Rob
>
>
> On 11/18/2011 4:01 PM, Craig Cook wrote:
>
> I am interested in this as well.
>
>
>
> It does not look like a deployment can use 2 sets of credentials.
>
>
>
> e.g. For me to deploy sysedge to a unix host I have to login as a regular
> user first, then su to root.  Root can then install the package.
>
>
>
> From what I can see you can only use one set of credentials, i.e. Login
> directly as root.  That is not allowed and not a good idea for security
> reasons.
>
>
>
> If anyone knows a workaround let me know.
>
>
>
> (I was told by CA this feature was included in 12.6, maybe I am not
> looking in the correct place)
>
>
>
> Craig
>
>    - --To unsubscribe from spectrum, send email to [email protected] with
>    the body: unsubscribe spectrum [email protected]
>
>
>
>
> ------------------------------
>
> E-mail correspondence to and from this address may be subject to the North
> Carolina Public Records Law and may be disclosed to third parties by an
> authorized state official.
>
>


-- 
Robert K. Borowicz
Austin, Texas
