SCOM agent on Linux - does it really need root and is it a problem?
Oleg Goldshmidt
pub at goldshmidt.org
Sun Jan 15 13:11:46 IST 2012
Hi,
Has anyone here got any experience with running SCOM (Microsoft's
System Center Operations Manager) agent on (RHEL) Linux?
Our admins are used to monitoring Windows servers with SCOM. In
particular, they monitor CPU usage, memory usage, disk usage, and all
sorts of other stuff. We also have Linux servers, and SCOM has a Linux
agent. I can understand the admins' desire to use the same - and
familiar - tool across the board, even if it is from Microsoft. Let's
not discuss this particular issue, OK?
However, it looks like the thing requires root permissions not just to
install (that would be OK) but also for operation. All I've seen (I
admit I have not done really deep research into the subject) is a
bunch of excuses that look rather dodgy (need to access privileged
kernel data structures - what's not exposed via /proc or similar?) or
downright suspicious (need to spawn processes as other users -
what?!?). At the same time, there are enough websites, blogs, whatever
by 3rd parties that describe how to run SCOM without root, while our
official support say root is mandatory.
My only problem is security. It just does not seem reasonable that one
needs root privileges to monitor a dedicated server running software
that does not itself require root privileges to run. It may not even
be acceptable (in cases when the SW is deployed at a customer's data
center - this is why we took special care not to require root access
for operation of our own system).
Can anyone shed light on the following questions:
1) Is the "official" deployment mode of SCOM (with root, etc.) a
security problem (e.g., for a bank where I keep my money and am a very
unimportant customer)? I mean, beyond "M$ know zilch about security"
statements?
2) If it is deployed without root privileges (can you confirm that
this is possible?), what functionality will not work?
3) My understanding is that what it does not like about sudo is
passwords - can anyone assess the effect of putting it into sudoers
with NOPASSWD for what it needs?
Thanks a lot,
--
Oleg Goldshmidt | pub at goldshmidt.org