Even more about root account usage in the cross platform monitoring

Root account usage requirements are a hot topic around here. It’s not always clear why root access is required or when it’s required. I’ve written a couple of articles about this topic already (see More on Unix Privileged Account vs. Unix Action Account and root-level access context and Privileged and Non-Privileged “Run As” accounts in cross platform monitoring). The thing is that these articles explain why you need root access, but they don’t explain how you might work around this if you don’t want to use root. One of the guys on our team sent me some more info to pass along that I think will add more clarification to this discussion.

Note: This is a workaround and not what we would consider a tested, supported configuration. Please test in your own environment before implementing in any production environment.

Secure File Access

If the user does not wish to use the root account to access secure files (like secure logs) this is not required, but the user configured in the Unix Privileged Account RunAs Profile has to have read access to the secure log files. You can change the file permissions to allow this user to read the protected files. Normally they are read-only by root, but you could grant read access to a group that includes the lower privileged user. This is an easy fix.

Diagnostics and Recoveries

You can either override the diagnostics and recoveries provided in the cross platform MPs and prefix all the commands with “sudo” or you can disable the built in ones and add new ones with the “sudo” prefix. This will only work if sudo does not require a password as there is no support for piping in a password. The command is simply executed as the low privilege user and no further input is possible.

If you need sudo with password input, we do not support that today. One way of mitigating the risk of not having a password for sudo is to allow only a select few commands that you want the low privilege account to be able to run (sudo feature).

People are usually much more concerned about logfile scanning than diagnostics and recoveries. Many customers are ok with simply disabling the diagnostics (recoveries are already manual) instead of trying to setup sudo.

Share this post :