Setting Up RHEL 6 for Microsoft SCOM 2012 Support

Believe it or not, Microsoft has a monitoring solution for Linux servers: Microsoft SCOM (System Center Operations Manager) 2012. I recently had the chance to set up a Red Hat 6 system for it using sudo elevation.

A new feature for UNIX and Linux monitoring with System Center 2012 – Operations Manager is the ability to use sudo elevation in the discovery and agent upgrade wizards, as well as Run As accounts. This means that the root user is no longer needed for privileged monitoring (log file monitoring, script/command execution) and agent maintenance (installation, upgrade, and un-installation).

In order to use sudo-enabled accounts for Operations Manager monitoring, the sudoers file must be configured (on each UNIX/Linux computer) to authorize elevation for the selected user account, using visudo.

General requirements for the accounts used by Operations Manager with sudo elevation are:

  • The sudoers option requiretty must be disabled for the user
  • For required commands, sudo authorization must be configured to allow the user to elevate to root without a password

Make the following changes to /etc/sudoers using visudo. In this example the user account is called opsmgrsvc; change the account name to one of your choice:

Defaults:opsmgrsvc !requiretty
#Agent discovery, installation, certificate signing, and maintenance tasks 
opsmgrsvc ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-opsmgrsvc/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-opsmgrsvc; /opt/microsoft/scx/bin/tools/scxadmin -restart 
opsmgrsvc ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-opsmgrsvc/GetOSVersion.sh; EC=$?; rm -rf /tmp/scx-opsmgrsvc; exit $EC 
opsmgrsvc ALL=(root) NOPASSWD: /bin/sh -c  cat /etc/opt/microsoft/scx/ssl/scx.pem 
opsmgrsvc ALL=(root) NOPASSWD: /bin/sh -c  rpm -e scx 
opsmgrsvc ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force /tmp/scx-opsmgrsvc/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].rhel.[0-9].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-opsmgrsvc; exit $EC 
opsmgrsvc ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-opsmgrsvc/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].rhel.[0-9].x[6-8][4-6].rpm; EC=$?; cd /tmp; rm -rf /tmp/scx-opsmgrsvc; exit $EC

#Log file monitoring 
opsmgrsvc ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p

#Add sudo logging 
Defaults logfile=/var/log/sudolog

Save the changes, and SCOM 2012 can now deploy and install monitors.
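To confirm that an edited file meets the two requirements listed above and does not quietly grant the account unrestricted root, the following audit can be run. It is an added example, not part of the original post or of Microsoft's tooling. The function name audit_scom_sudoers and the sample file are assumptions; it expects one rule per line, no aliases, and does not follow #include files.

```shell
#!/bin/sh
# Added example (not from the original post): audit a sudoers file for the
# SCOM account. Checks: requiretty disabled, every rule NOPASSWD, no blanket ALL.
# Simplifications: one rule per line, no aliases, #include files not followed.
audit_scom_sudoers() {   # usage: audit_scom_sudoers FILE USER
    awk -v user="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
    $1 == "Defaults" || $1 == ("Defaults:" user) { # global or per-user defaults
        for (i = 2; i <= NF; i++) if ($i == "!requiretty") notty = 1
        next
    }
    $1 == user {
        rules++
        cmd = $0
        if (cmd ~ /NOPASSWD:/) {
            sub(/^.*NOPASSWD:[ \t]*/, "", cmd)     # keep only the command list
        } else {
            print "FAIL password required: " $0; bad++
            sub(/^[^=]*=[ \t]*(\([^)]*\))?[ \t]*/, "", cmd)
        }
        if (cmd ~ /^ALL[ \t]*$/ || cmd ~ /^ALL[ \t]*,/) {
            print "FAIL unrestricted root: " $0; bad++
        }
    }
    END {
        if (!notty) { print "FAIL requiretty not disabled for " user; bad++ }
        if (!rules) { print "FAIL no rules found for " user; bad++ }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Constructed sample: two lines in the style of the listing above plus one
# over-broad rule that the audit should reject.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Defaults:opsmgrsvc !requiretty
opsmgrsvc ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p
opsmgrsvc ALL=(root) NOPASSWD: ALL
EOF
audit_scom_sudoers "$sample" opsmgrsvc || echo "sudoers needs fixing"
rm -f "$sample"
```

This audit only looks at policy; visudo -c still does the syntax check.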