Securing the agent installation files
After you install monitoring agents as a non-root user on Linux or AIX® systems, you can run the
secure.sh script to secure the agent installation by removing world
write permissions and setting correct
Before you begin
- You must have
executepermissions for the installation directory.
- Installation of the monitoring agents and any agent configuration must be completed on the system and the agents must be successfully started.
- If you are running agents as different user accounts, they must be members of the same group. (See the
About this task
Complete this step to lock down the file permissions in your installation. Options are available to require no root password, to specify a group name, and to view help for the command.
Run the following command from the
secure.sh [-g common_group] [-n] [-h]
- In the simplest mode, run the ./secure.sh script, which removes world
writepermissions, and sets the current user and user's group as the file owners. If the script is run by a non-root user, the user is prompted for the root password.
- If a non-root user runs the ./secure.sh script with the
–noption, this user is not prompted for a root password. In this case, changing file permissions and changing ownership are done by using this user's privileges. If the installation directory contains files that are owned by different users and the current user has no privileges to modify permissions and ownership of other user's files, this mode can fail.
If you want to set a certain group as the group owner, the owner must provide the
–goption with a valid group name as an argument to that option. (See Example.) Run secure.sh -g common_group. The command changes ownership of the files and directories recursively. If the common_group group is not the user's primary group, you can set the common_group group to be the group owner of new files created in a directory. Run the following command:
chmod g+s install_dir/sub_dir
Where, sub_dir is any subdirectory, for example,
- Run the ./secure.sh script with the
–hoption to get help information for the script.
The installation directory allows access to only the user who ran the script or to only the users in the specified group.
If you are a member of the system group that is named
apmgroup, you can use the group to set file group ownership with the following command:
./secure.sh -g apmgroup
After the script is run, the group is set as
apmgroup for all files in install_dir for the group.
What to do next
Running the ./secure.sh script results in the following permissions are set for the agents.
rwx rwx ---
After you run the script, check the permissions for the agent files. For example, for IBM MQ (formerly WebSphere MQ) agent, check the files in the
install_dir/arch/mq/lib directory. If the permissions for these files are not set correctly,
update the permissions manually. For example, for the IBM MQ (formerly WebSphere MQ) agent:
Set the permissions by running the following command:
chmod g+rx install_dir/bin/mq-agent.sh
Set the user and group by running the following command:
chown newuser:newgroup install_dir/bin/mq-agent.sh