To restrict Linux shell access for the pgdba user by setting the default shell assigned to the pgdba user in the /etc/passwd file to /sbin/nologin, do as follows:
1. Declare an appropriate maintenance window for NCM in which the NCM services, as well as the controldb host OS, can both be restarted, then complete the steps below during that maintenance window.
2. Log into a Linux shell session on the NCM Report Advisor (RA) host as well as the NCM Application Server (AS) host as 'root'.
3. Run the following command to set NCM related shell session variables in the Linux shell session on the RA and AS hosts:
source /etc/voyence.conf
4. Stop the tomcat service on the RA host by running the following command to keep the RA from maintaining a live connection to the controldb during this process that could potentially prevent any controldb related changes from taking effect:
service tomcat stop
5. Stop all NCM services on the AS host by running the following command to keep the AS from maintaining a live connection to the controldb during this process that could potentially prevent any controldb related changes from taking effect:
service vcmaster stop
6. If the controldb is located on a dedicated database (DB) host, log into the DB host under a Linux shell as 'root', then set NCM related shell session variables and stop the controldb service by running the following commands:
source /etc/voyence.conf
service controldb stop
7. Run the following sequence of commands in the Linux shell on the host where the controldb resides (AS, DB, or Combination Server) to back up the appropriate files, update the pgdba user shell permissions, and update the NCM controldb initialization script to allow correct controldb operation under a pgdba user with restricted shell privileges. If your organization clears the contents of the /tmp path on a regular basis, you may need to move the /tmp/_[etc-init.d-]controldb.bak backup of the /etc/init.d/controldb file and the /tmp/_[etc-]passwd.bak backup of the /etc/passwd file created by these commands to another location after this step to keep the backups secure:
cp -p /etc/init.d/controldb /tmp/_[etc-init.d-]controldb.bak
sed -i 's/su - pgdba -c/su - pgdba -s \/bin\/bash -c/g' /etc/init.d/controldb
cp -p /etc/passwd /tmp/_[etc-]passwd.bak
usermod -s /sbin/nologin pgdba
reboot
8. After the host where the controldb resides has been successfully rebooted, log into a Linux shell on the DB host again as 'root'.
Run the following commands to determine the state of NCM controldb service:
Dedicated DB host:
source /etc/voyence.conf
service controldb status
Combined AS+DB or CS+DB host:
source /etc/voyence.conf
service vcmaster status
9. If any NCM services on the host where the controldb resides are not running, start them using the following command:
Dedicated DB host:
service controldb start
Combined AS+DB or CS+DB host (it is normal for service stop on some services to show as [FAILED] if they were not previously running, but all service starts should show as [ OK ]):
service vcmaster restart
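A read-only check of the two edits made in step 7, added here as an example and not part of the vendor procedure: it confirms that pgdba has /sbin/nologin and that no `su - pgdba -c` call in the init script was left without the `-s /bin/bash` override, which would stop controldb from starting. The function names and the sample file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not vendor code: read-only check of the step 7 edits.

# Print the login shell (7th passwd field) of user $1 in passwd file $2.
# Exits non-zero when the user has no entry.
passwd_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; f = 1; exit } END { exit !f }' "$2"
}

# Return 0 only when pgdba has /sbin/nologin AND every pgdba su call in the
# init script carries the -s /bin/bash override added by the sed command.
check_pgdba_lockdown() {
    passwd_file=${1:-/etc/passwd}
    init_script=${2:-/etc/init.d/controldb}
    rc=0
    if ! shell=$(passwd_shell pgdba "$passwd_file"); then
        echo "FAIL: no pgdba entry in $passwd_file"; return 1
    fi
    if [ "$shell" != /sbin/nologin ]; then
        echo "FAIL: pgdba shell is '$shell', expected /sbin/nologin"; rc=1
    fi
    # Lines the sed pattern did not rewrite would now run under nologin.
    stale=$(grep -c 'su - pgdba -c' "$init_script" || true)
    patched=$(grep -c 'su - pgdba -s /bin/bash -c' "$init_script" || true)
    if [ "${stale:-0}" -ne 0 ]; then
        echo "FAIL: $stale su call(s) in $init_script lack -s /bin/bash"; rc=1
    fi
    if [ "${patched:-0}" -eq 0 ]; then
        echo "FAIL: no 'su - pgdba -s /bin/bash -c' call in $init_script"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: pgdba is nologin, $patched su call(s) patched"
    return "$rc"
}

# Constructed sample data (not taken from a real NCM host): passwd is already
# changed, but one su call in the init script was missed.
demo=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$demo/passwd"
printf 'pgdba:x:501:501::/home/pgdba:/sbin/nologin\n' >> "$demo/passwd"
printf 'su - pgdba -s /bin/bash -c "pg_ctl start"\n' > "$demo/controldb"
printf 'su - pgdba -c "pg_ctl stop"\n' >> "$demo/controldb"
check_pgdba_lockdown "$demo/passwd" "$demo/controldb" ||
    echo "demo: half-patched init script detected"
rm -rf "$demo"
```

Called with no arguments as 'root', `check_pgdba_lockdown` reads /etc/passwd and /etc/init.d/controldb, the paths used in step 7.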