Securing the agent installation files
After you install monitoring agents as a non-root user on Linux or AIX® systems, you can run the secure.sh script to secure the agent installation by removing world write permissions and setting correct file ownership.
Before you begin
- You must have read, write, and execute permissions for the installation directory.
- Installation of the monitoring agents and any agent configuration must be completed on the system, and the agents must be successfully started.
- If you are running agents as different user accounts, the accounts must be members of the same group. (See the -g option.)
About this task
Complete this step to lock down the file permissions in your installation. Options are available to run without a root password (-n), to specify a group name (-g), and to view help for the command (-h).
Procedure
Run the following command from the install_dir/bin directory.
secure.sh [-g common_group] [-n] [-h]
- In the simplest mode, run the ./secure.sh script with no options. The script removes world write permissions and sets the current user and the user's group as the owner and group owner of the files. If a non-root user runs the script, the user is prompted for the root password, because changing the ownership of files that belong to other users requires root privileges.
- If a non-root user runs the ./secure.sh script with the -n option, the user is not prompted for the root password. In this case, file permissions and ownership are changed by using that user's own privileges. If the installation directory contains files that are owned by other users, and the current user has no privileges to change the permissions and ownership of those files, this mode can fail.
- To set a particular group as the group owner, the owner provides the -g option with a valid group name as its argument (see Example):
secure.sh -g common_group
The command changes the ownership of the files and directories recursively. If common_group is not the user's primary group, files that are created later in the installation directory still receive the user's primary group. To make common_group the group owner of new files that are created in a directory, set the setgid bit on that directory:
chmod g+s install_dir/sub_dir
where sub_dir is any subdirectory, for example, /opt/ibm/apm/agent.
- Run the ./secure.sh script with the -h option to display help for the script.
Results
The installation directory is accessible only to the user who ran the script or, if you specified the -g option, only to the users in the specified group.
Example
If you are a member of a system group that is named apmgroup, you can use that group to set the group ownership of the files with the following command:
./secure.sh -g apmgroup
After the script runs, the group owner of all files in install_dir is apmgroup.
What to do next
Running the ./secure.sh script sets the following permissions on the agent files:
rwx rwx ---
After you run the script, check the permissions of the agent files. For example, for the IBM MQ (formerly WebSphere MQ) agent, check the files in the install_dir/arch/mq/lib directory. If the permissions of these files are not set correctly, update the permissions manually. For example, for the IBM MQ agent:
- Set the permissions by running the following command:
chmod g+rx install_dir/bin/mq-agent.sh
- Set the user and group by running the following command:
chown newuser:newgroup install_dir/bin/mq-agent.sh
Repeat the check after you install or configure another agent: files that are created after the script runs are not covered by that run.
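The following script is an added example, not IBM's secure.sh or any file that ships with the agents. It performs the check that the steps above describe for a whole installation tree at once: it lists every path that still carries a world permission bit or has a group owner other than the common group, lists directories that lack the setgid bit, and can apply the same kind of chgrp/chmod remediation as the manual steps. The function names, the sample paths in the usage line, and the assumption that only POSIX find, chmod and chgrp are available are this example's own.

```shell
#!/bin/sh
# Added example (not IBM's secure.sh): audit an agent install_dir after
# secure.sh has run, and optionally apply the manual chgrp/chmod fix.
# Function names are this example's own. Needs only POSIX find/chmod/chgrp.

# audit_install_dir DIR GROUP
# Prints every path under DIR that still has an "other" permission bit set
# (r, w or x) or whose group owner is not GROUP. A clean tree matches the
# rwx rwx --- state the documentation describes. Returns 1 if anything is
# listed, 0 if the tree is clean.
audit_install_dir() {
    found=$(find "$1" \( -perm -001 -o -perm -002 -o -perm -004 \
                         -o ! -group "$2" \) -print)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# count_findings DIR GROUP
# Number of paths audit_install_dir would report. Always exits 0 so that it
# can be used in a command substitution under set -e.
count_findings() {
    audit_install_dir "$1" "$2" | grep -c . || true
}

# list_dirs_without_setgid DIR
# Directories whose setgid bit is clear. Files created there by a user whose
# primary group is not the common group get that user's primary group, which
# is the case the "chmod g+s install_dir/sub_dir" step addresses.
list_dirs_without_setgid() {
    find "$1" -type d ! -perm -2000 -print
}

# secure_install_dir DIR GROUP [setgid]
# Manual remediation in the spirit of the chown/chmod steps: make GROUP the
# group owner, give the group read and write plus execute/search wherever the
# owner already has it (X), strip every permission from "other" so the result
# is rwx rwx ---, and optionally set setgid on directories so new files
# inherit GROUP. Owner bits are left untouched.
secure_install_dir() {
    chgrp -R "$2" "$1"
    chmod -R g+rwX,o-rwx "$1"
    if [ "${3:-}" = "setgid" ]; then
        find "$1" -type d -exec chmod g+s '{}' +
    fi
}

# Usage (hypothetical paths): sh audit_install.sh /opt/ibm/apm/agent apmgroup
if [ "$#" -eq 2 ]; then
    if audit_install_dir "$1" "$2"; then
        echo "OK: $1 is restricted to its owner and group $2"
    else
        echo "Fix with: chgrp -R '$2' '$1' && chmod -R g+rwX,o-rwx '$1'" >&2
        exit 1
    fi
fi
```

Run the audit once with no changes to see what secure.sh left behind; only then apply secure_install_dir, and pass setgid only if the agents run as several users who share the common group, which is exactly the case in which files created later would otherwise get the wrong group.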