What are the minimum entries required in the sudoers file for the dradmin user after installing Vertica?

Article ID: 207726

Products

DX NetOps CA Performance Management - Usage and Administration

Issue/Introduction

We need to allow the fewest possible entries in the /etc/sudoers file due to underlying security requirements.

After installing Vertica as a sudo user (dradmin), can we remove the section added to the sudoers file for the Vertica install?

Environment

Release : 22.2, 23.3

Component : Vertica Data Repository

Cause

We offer 2 ways to install the CAPM product.

  1. As a root user with the root password.
  2. As a non-root user with specific entries in the sudoers file.

As called out here:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/performance-management/22-2/installing/prepare-to-install-the-data-repository.html

We require this entry to be made in the sudoers file (at the bottom):

Cmnd_Alias CA_DATAREP=/opt/vertica/sbin/install_vertica,/tmp/installDR.bin,/opt/CA/IMDataRepository_vertica9/dr_validate.sh,/opt/CA/IMDataRepository_vertica9/dr_install.sh,/usr/bin/vim,/usr/bin/reboot,/opt/CA/IMDataRepository_vertica9/RemoteEngineer/re.sh,/bin/mkdir*,/usr/bin/whoami,/bin/echo,/sbin/service,/bin/grep,/usr/bin/test,/sbin/iptables,/opt/vertica/oss/python/bin/python,/usr/bin/tee,/usr/sbin/ntpd,/etc/init.d/ntpd,/sbin/blockdev,/etc/init.d/sshd,/etc/sysconfig/sshd,/etc/ssh/sshd_config,/bin/su,/usr/sbin/sshd restart,/usr/bin/ssh,/bin/df,/bin/mv,/bin/rm,/usr/bin/install

Cmnd_Alias VERTICA = /opt/vertica/bin/,/opt/vertica/sbin/,/opt/vertica/oss/python/bin/

Cmnd_Alias VERTICA_INSTALL = /bin/echo,/bin/ps -A,/bin/cp /opt/vertica/config/admintools.conf /opt/vertica/config/admintools.conf.bak.*,/bin/rm -rf /tmp/dbRPM.rpm,/bin/df --portability /tmp,/usr/bin/install --owner * --mode 700 -d *,/bin/mv -f /tmp/vstage-*/file /tmp/*,/bin/rm -rf /tmp/vstage-*,/usr/bin/id *,/bin/cp -T /opt/vertica/* /tmp/vstage-*,/bin/su --login dbadmin *,/bin/mkdir -p /opt/vertica/*,/bin/touch /opt/vertica/*,/bin/rm -rf /opt/vertica/*,/bin/mv -f /tmp/vstage-* /opt/vertica/*,/bin/mkdir -p /opt/vertica/*,/bin/touch /opt/vertica/config/users/dbadmin/agent.conf,/bin/su dbadmin *,/bin/sh -c *,/usr/bin,/opt/vertica/share/binlib/test/*,/usr/bin/su dbadmin,/bin/test [ -e /* ],/usr/bin/[ -e /* ]

Cmnd_Alias USEFUL = /usr/bin/lshw,/usr/bin/yum,/bin/rpm,/sbin/reboot,/sbin/shutdown,/usr/bin/cpan,/bin/chgrp,/bin/chmod,/bin/chown,/bin/mnt,/usr/bin/test,/bin/[,/sbin/service

## Allows the Data Repository user to manage the Data Repository

dradmin ALL = CA_DATAREP, VERTICA , VERTICA_INSTALL , USEFUL

Defaults env_keep +="VERT_DBA_USR VERT_DBA_HOME VERT_DBA_GRP VERT_DBA_DATA_DIR _ENV_VPWD_VAR"

Resolution

After the install is done, that entire section can be removed or commented out, and replaced with this:

 

Cmnd_Alias CA_DATAREP=/opt/CA/IMDataRepository_vertica9/RemoteEngineer/re.sh

## Allows the Data Repository user to gather troubleshooting information at support request.

dradmin ALL = CA_DATAREP
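
To confirm after the install that dradmin has really been reduced to the single re.sh entry, the sudoers section can be checked by expanding every Cmnd_Alias granted to the user and listing anything beyond the allowed minimum. The following is an added example, not Broadcom's code. The function names and both sample sections are constructed for illustration, the re.sh path assumes the /opt/CA/IMDataRepository_vertica9 directory named in the installer entries above, and the parser is a simplification that ignores runas specifications, tags and include directives.

```python
import re

# Assumption: the only command dradmin should keep after the install.
ALLOWED = {"/opt/CA/IMDataRepository_vertica9/RemoteEngineer/re.sh"}

def split_commands(spec):
    """Split a sudoers command list on commas that are not backslash-escaped."""
    return [c.strip() for c in re.split(r"(?<!\\),", spec) if c.strip()]

def expand(item, aliases, seen=()):
    """Expand an alias name (aliases may nest) into the commands it stands for."""
    if item in aliases and item not in seen:
        out = set()
        for sub in aliases[item]:
            out |= expand(sub, aliases, seen + (item,))
        return out
    return {item}

def granted_commands(sudoers_text, user):
    """Return every command spec granted to `user`, with Cmnd_Alias names expanded."""
    aliases, entries = {}, []
    text = re.sub(r"\\\n", "", sudoers_text)  # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = split_commands(m.group(2))
            continue
        m = re.match(rf"{re.escape(user)}\s+\S+\s*=\s*(.+)", line)
        if m:
            entries += split_commands(m.group(1))
    # Expand only after the whole text is read, so alias order does not matter.
    return set().union(*(expand(e, aliases) for e in entries)) if entries else set()

def excess(sudoers_text, user, allowed=ALLOWED):
    """Commands granted to `user` that are not in the allowed minimum, sorted."""
    return sorted(granted_commands(sudoers_text, user) - set(allowed))

# Constructed samples: a shortened install-time section and the post-install one.
INSTALL_TIME = """
Cmnd_Alias CA_DATAREP=/opt/CA/IMDataRepository_vertica9/RemoteEngineer/re.sh,/usr/bin/vim,/bin/su
Cmnd_Alias VERTICA_INSTALL = /bin/sh -c *,/bin/rm -rf /tmp/vstage-*
dradmin ALL = CA_DATAREP, VERTICA_INSTALL
"""
POST_INSTALL = """
Cmnd_Alias CA_DATAREP=/opt/CA/IMDataRepository_vertica9/RemoteEngineer/re.sh
## Allows the Data Repository user to gather troubleshooting information at support request.
dradmin ALL = CA_DATAREP
"""

if __name__ == "__main__":
    print("install-time excess:", excess(INSTALL_TIME, "dradmin"))
    print("post-install excess:", excess(POST_INSTALL, "dradmin"))
```

An empty list for the post-install section means no install-time entry was left behind. Syntax of the real file should still be checked with visudo -c before the change is relied on.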