How To Monitor Linux With SSH And Sudo

Version 11

    Overview

     

    I had this documented for my own benefit, but I figured that I would put it on Thwack as it might prove helpful to others. This document outlines how to set up a SAM component using SSH and a non-root account.

     

    I'm going to use the SAM application template called 'Linux Disk Monitoring Perl' for this document and I'll be testing the script against a CentOS 6 host.

     

     

    Prerequisites

    Before we edit anything in SAM we’ll need to ensure that the Linux account has sudo access and is set for NOPASSWD. For the sake of this article and security I'll simply point out that you can specify specific commands for a user with sudo access instead of giving them ALL access. My actual sudoers file contains a fairly refined list of available commands, but they are pretty specific to our infrastructure. Here is an example screenshot of part of the sudoers file with my service account called everychad. I added the following line below the root entry:

    everychad    ALL=(ALL)    NOPASSWD:ALL

    4.png

    (When you edit the /etc/sudoers file, make sure that you run visudo (if root) or sudo visudo (if non-root). visudo validates the syntax of the sudoers file before committing the changes.)

     

     

    Configuration

    Now on to the SolarWinds SAM install...

     

    When I assign the template to my host I have some checks that succeed and some that fail.

    1.png

     

    Option 1

    At this point we need to edit the SAM template. You can either edit the entire template, which is what I’m going to do, or just override the template for the specific host.

    1. In the ‘Credential for Monitoring:’ drop the list down and add/select a non-root account.
    2. In the ‘Command Line:’ add ‘sudo’ at the beginning.

    2e.png

     

     

    Option 2

    At this point we need to edit the SAM template. You can either edit the entire template, which is what I’m going to do, or just override the template for the specific host.

    1. In the ‘Credential for Monitoring:’ drop the list down and add/select a non-root account.
    2. Examine the script and explicitly call sudo for the commands that require it. This further hardens what access the service account has, since you're not granting a blanket sudo statement for the entire scripting language (in this case, perl).
      1. Going this route allows you to lock down your sudoers file to just the specific commands that need to be run instead of the 'ALL' mentioned in the prerequisites section.

    1.png
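
The blanket rule from the prerequisites next to the locked-down form that Option 2 describes, with a check that finds accounts still holding the blanket rule. This is an added example, not part of the original write-up; the `samsvc` account, the `SAM_DISK` alias and the `/bin/df` path are assumptions, since the commands the template's script needs are not listed here.

```shell
#!/bin/sh
# Added example, not from the original article.

# write_sample FILE: write a constructed sudoers fragment for the demo.
write_sample() {
    cat > "$1" <<'EOF'
# Constructed sample, not a real system's sudoers file
root         ALL=(ALL)    ALL
# Blanket rule from the prerequisites section:
everychad    ALL=(ALL)    NOPASSWD:ALL
# Locked-down form (Option 2). Account, alias and path are assumed.
Cmnd_Alias   SAM_DISK = /bin/df
samsvc       ALL=(root)   NOPASSWD: SAM_DISK
EOF
}

# find_blanket_nopasswd FILE
# Print the user (or %group) of every rule whose command list after the
# NOPASSWD: tag starts with the built-in ALL, i.e. passwordless root for
# any command. Backslash-continued lines are not joined.
find_blanket_nopasswd() {
    awk '
        # Skip comments and #include lines, but keep "#<uid>" user specs.
        /^[ \t]*#([^0-9]|$)/ { next }
        {
            who = $1
            line = $0
            gsub(/[ \t]+/, "", line)   # "NOPASSWD: ALL" == "NOPASSWD:ALL"
            # ALL must end the token, so an alias such as ALLOWED_CMDS
            # is not reported.
            if (line ~ /NOPASSWD:ALL(,|#|$)/) print who
        }
    ' "$1"
}

# Demo on the constructed sample: only the blanket rule is reported.
sample=$(mktemp)
write_sample "$sample"
find_blanket_nopasswd "$sample"
rm -f "$sample"
```

Point `find_blanket_nopasswd` at a copy of `/etc/sudoers` or a file under `/etc/sudoers.d/` to list the accounts that still need narrowing.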

     

     

    Test - Get script output

    Once those are in place click the 'Edit Script' button and test it on a node. This will tell you if there is an error and if it’s related to permissions, missing packages, etc. Once you fix those errors you’ll see the correct respective Output Results.

    3e.png

     

    I hope this write-up is helpful to others.