What are the minimum entries required in the sudoers file for the dradmin user after installing Vertica?

Article ID: 207726

Products

DX NetOps

Issue/Introduction

We need to allow the fewest possible entries in the /etc/sudoers file due to underlying security requirements.

After installing Vertica as a sudo user (dradmin), can we remove the section added to the sudoers file for the Vertica install?

Cause

We offer 2 ways to install the CAPM product.

  1. As a root user with the root password.
  2. As a non-root user with specific entries in the sudoers file.

As called out here:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/performance-management/3-7/installing/prepare-to-install-the-data-repository.html#concept.dita_b9e3cbd8e6bd55644b1ecbac6836f62fd8e55a34_OptionalConfiguretheSudoUserAccountforDataRepository

We require this entry to be made in the sudoers file (at the bottom):

Cmnd_Alias CA_DATAREP=/opt/vertica/sbin/install_vertica,/tmp/installDR.bin,/opt/CA/IMDataRepository_vertica9/dr_validate.sh,/opt/CA/IMDataRepository_vertica9/dr_install.sh,/usr/bin/vim,/usr/bin/reboot,/opt/CA/IMDataRepository_vertica9/RemoteEngineer/re.sh,/bin/mkdir*,/usr/bin/whoami,/bin/echo,/sbin/service,/bin/grep,/usr/bin/test,/sbin/iptables,/opt/vertica/oss/python/bin/python,/usr/bin/tee,/usr/sbin/ntpd,/etc/init.d/ntpd,/sbin/blockdev,/etc/init.d/sshd,/etc/sysconfig/sshd,/etc/ssh/sshd_config,/bin/su,/usr/sbin/sshd restart,/usr/bin/ssh,/bin/df,/bin/mv,/bin/rm,/usr/bin/install

Cmnd_Alias VERTICA = /opt/vertica/bin/,/opt/vertica/sbin/,/opt/vertica/oss/python/bin/

Cmnd_Alias VERTICA_INSTALL = /bin/echo,/bin/ps -A,/bin/cp /opt/vertica/config/admintools.conf /opt/vertica/config/admintools.conf.bak.*,/bin/rm -rf /tmp/dbRPM.rpm,/bin/df --portability /tmp,/usr/bin/install --owner * --mode 700 -d *,/bin/mv -f /tmp/vstage-*/file /tmp/*,/bin/rm -rf /tmp/vstage-*,/usr/bin/id *,/bin/cp -T /opt/vertica/* /tmp/vstage-*,/bin/su --login dbadmin *,/bin/mkdir -p /opt/vertica/*,/bin/touch /opt/vertica/*,/bin/rm -rf /opt/vertica/*,/bin/mv -f /tmp/vstage-* /opt/vertica/*,/bin/mkdir -p /opt/vertica/*,/bin/touch /opt/vertica/config/users/dbadmin/agent.conf,/bin/su dbadmin *,/bin/sh -c *,/usr/bin,/opt/vertica/share/binlib/test/*,/usr/bin/su dbadmin,/bin/test [ -e /* ],/usr/bin/[ -e /* ]

Cmnd_Alias USEFUL = /usr/bin/lshw,/usr/bin/yum,/bin/rpm,/sbin/reboot,/sbin/shutdown,/usr/bin/cpan,/bin/chgrp,/bin/chmod,/bin/chown,/bin/mnt,/usr/bin/test,/bin/[,/sbin/service

## Allows the Data Repository user to manage the Data Repository

dradmin ALL = CA_DATAREP, VERTICA , VERTICA_INSTALL , USEFUL

Defaults env_keep +="VERT_DBA_USR VERT_DBA_HOME VERT_DBA_GRP VERT_DBA_DATA_DIR _ENV_VPWD_VAR"

Environment

Release : 20.2

Component : Vertica Data Repository

Resolution

After the install is done, that entire section can be removed or commented out, and replaced with this:

 

Cmnd_Alias CA_DATAREP=/opt/CA/IMDataRepository_vertica9/RemoteEngineer/re.sh

## Allows the Data Repository user to gather troubleshooting information at support request.

dradmin ALL = CA_DATAREP
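
To confirm that the reduced file grants dradmin nothing beyond re.sh, the following added example (not Broadcom's code) expands the Cmnd_Alias entries for a user and reports every command other than the allowed one. The function names and the two sample files are constructed for illustration, and the directory name is spelled as in the dr_validate.sh entry.

```shell
#!/bin/sh
# Added example, not vendor code. Lists the commands a sudoers file grants to
# one user, expanding Cmnd_Alias names. Assumes the one-line
# "user HOST = item, item" form used above; line continuations, escaped
# commas, runas/tag specs and included files are not handled.
sudo_cmds_for_user() {   # usage: sudo_cmds_for_user FILE USER
  awk -v user="$2" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function expand(list,   n, c, i, t) {   # follows nested aliases
      n = split(list, c, ",")
      for (i = 1; i <= n; i++) {
        t = trim(c[i])
        if (t in alias) expand(alias[t]); else if (t != "") print t
      }
    }
    /^[ \t]*#/ { next }                     # comment lines
    $1 == "Cmnd_Alias" {                    # remember NAME -> command list
      name = $0; sub(/^[ \t]*Cmnd_Alias[ \t]+/, "", name)
      list = name; sub(/[ \t]*=.*/, "", name); sub(/^[^=]*=/, "", list)
      alias[name] = list; next
    }
    $1 == user { spec[++k] = $0 }           # resolved in END, after all aliases
    END { for (j = 1; j <= k; j++) { s = spec[j]; sub(/^[^=]*=/, "", s); expand(s) } }
  ' "$1"
}

# Print every grant that is not exactly ALLOWED; return 1 if any exist.
audit_user() {   # usage: audit_user FILE USER ALLOWED
  extra=$(sudo_cmds_for_user "$1" "$2" | grep -vxF -- "$3" || true)
  if [ -z "$extra" ]; then return 0; fi
  printf '%s\n' "$extra"; return 1
}

# Constructed samples: a shortened install-time file and the post-install file.
RE=/opt/CA/IMDataRepository_vertica9/RemoteEngineer/re.sh
write_samples() {   # usage: write_samples DIR
  printf '%s\n' "Cmnd_Alias CA_DATAREP=$RE,/bin/su,/usr/bin/vim" \
    'Cmnd_Alias VERTICA_INSTALL = /bin/sh -c *,/bin/rm -rf /tmp/vstage-*' \
    'dradmin ALL = CA_DATAREP, VERTICA_INSTALL' > "$1/install"
  printf '%s\n' "Cmnd_Alias CA_DATAREP=$RE" \
    '## support only' 'dradmin ALL = CA_DATAREP' > "$1/post"
}

tmp=$(mktemp -d) && write_samples "$tmp"
for f in install post; do
  if out=$(audit_user "$tmp/$f" dradmin "$RE"); then echo "$f: only re.sh granted"
  else echo "$f: grants beyond re.sh:"; echo "$out"; fi
done
rm -rf "$tmp"
```

On the Data Repository host, `visudo -c` checks the syntax of the edited file and `sudo -l -U dradmin`, run as root, shows what sudo itself resolves for the user.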