Configuring Console to Agent Security Using the PATROL Roles File (patrol.conf) - Evanios

Did you know that you can restrict access to a PATROL Agent using the PATROL Roles file? Most people don’t know what the purpose of this file is. The PATROL Roles file is used to control access to the agent from a PATROL tool or the command line. Every agent and console has a PATROL Roles file, called patrol.conf, which is located in the common directory of your PATROL installation:

%BMC_ROOT%\common\patrol.d or /etc/patrol.d

The PATROL Roles file defines the permissions that grant or remove the ability to alter the configuration of a PATROL Agent, or to execute commands against it, from a PATROL Console, the command line interface, or the system output window of a user connected to the agent. The security roles are defined in the “patrol.conf” file and are read by the PATROL software when it starts. On Linux and Unix the file is owned by root, so only root can change it. On Windows the file is a readily accessible text file, so once you have configured it you should either change the file permissions to read-only for everyone, with the system administrator as owner, to prevent unauthorized access and changes, or relocate the file and point PATROL at the new location using the PATROL Client Configuration tool.

If you re-install PATROL on a server where a PATROL product already exists, the installation will overwrite the file, so be sure to keep a backup copy of the file for emergencies.

Changing the Location of “patrol.conf”

On a PATROL Console you can start the PATROL Client Configuration tool by selecting it from the start menu.

Figure 1: Changing the Location on the Client Side

To change the location on an agent, start the agent configuration tool from the command line by entering “pacfg”.

Figure 2: Changing the Location on the Agent Side

Tips for Working with PATROL Roles

  1. If the roles file does not exist, PATROL creates a new one on startup.
  2. If all the lines are commented out, all rights are granted to all users. Otherwise, all rights are initially denied and must be explicitly granted.
  3. The final rights are determined by processing all of the entries in the order in which they appear in the file.
  4. Make a backup copy of the file before you change it, and do not change the format of the file.
  5. You must place all group definition statements above any rights assignment statements.
  6. Always enclose group definitions with define and end statements.
  7. You must place each rights assignment statement alone on a single line.
  8. You use the group definition section to define the groups of PATROL users, agents, and tasks (both console-wide and connection-specific) for which you need to administer rights.
  9. You must precede any comment with a # in the first position of the line.
  10. The rights assignment statements refer to the groups you defined in the first section of the file and determine the scope of the permissions you are granting or denying.
    • The statements in the rights assignment section assign or remove the right to perform specific console operations for specific users.

In the PATROL Roles file, rights granted or denied with the consolerights statement are applied to the console without regard for the agent connection. Rights granted or denied with the connectionrights statement apply to the console only if it is connected to an agent host specified by the agents variable.

Configuring the File

The top section of the file, which is commented out, provides examples of how to perform the configuration. You always assign all rights and then selectively remove the ones you don’t want users to have. You can assign rights to individuals or groups; the groups must already exist locally on the server or in your network environment. This section provides some examples that you can use to configure the file.

Figure 3: Grant all example

Defining Read and Write Access to the System Output Window

Use this for operators, to allow read/write access to the system output window.

Insert the user name, the host name (or * for all) and the mode “O” for operator.
Define the overall connection rights on the last line.

…………………………………………………………………….……………………………………
define login operator
joseph_1/*/O
end

define connectionrights readWrite
allowdeveloper=true
allowsysoutputexec=true
end
connection operator,*,readWrite
…………………………………………………………………….……………………………………
Setting allowsysoutputexec to true gives the operator read and write access to the system output window. Setting allowdeveloper to true allows the developer connection.

If you don’t want the user to have write access to the system output window, set the variable to false to allow read-only access to the system output window.
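
To see how the ordering rules above play out before a file goes into production, here is an added Python example (not part of the original post and not BMC’s code) that parses the define, console and connection statements used in this article and computes the rights a given user, mode and agent end up with. It assumes that the second field of a login entry names the agent host, that console statements apply regardless of the connected agent while connection statements apply only when the agent is in the named group, and that the right names are the ones used on this page; the sample file embedded in it is constructed from the statements shown here.

```python
"""Evaluate a PATROL roles file (patrol.conf).  Added example, not BMC's code.
Rules applied: an all-comment file grants everything; otherwise each right
starts denied and console/connection statements apply in file order.  The
second field of a login entry is assumed to be the agent host."""

# Right names taken from the examples on this page; anything not granted is denied.
ALL_RIGHTS = ("allowdeveloper", "allowsysoutputexec", "allowtuning", "allowoverrideparameter", "allowcommit")


def _key_value(line):
    key, value = line.split("=", 1)
    return {key.strip().lower(): value.strip().lower() == "true"}


def parse_roles(text):
    """Return groups, named rights sets and ordered rules (kind, login_group, agent_group, rights)."""
    roles = {"logins": {}, "agents": {}, "rights": {}, "rules": [], "active": False}
    block = None  # (kind, name) while inside define ... end

    def rights_spec(spec):  # a named rights set or a single right=value
        if "=" in spec:
            return _key_value(spec)
        if spec not in roles["rights"]:
            raise ValueError(f"undefined rights set: {spec}")
        return roles["rights"][spec]

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # comments need # in column 1
            continue
        roles["active"] = True
        words = line.split()
        if words[0] == "define":
            if roles["rules"]:  # group definitions must precede rights assignments
                raise ValueError(f"define after rights assignment: {line}")
            kind, name = words[1], words[2]
            block = (kind, name)
            table, factory = {"login": ("logins", list), "agents": ("agents", set),
                              "connectionrights": ("rights", dict),
                              "consolerights": ("rights", dict)}[kind]
            roles[table][name] = factory()
        elif line == "end":
            block = None
        elif block:
            kind, name = block
            if kind == "login":
                user, host, mode = line.split("/")
                roles["logins"][name].append((user, host.lower(), mode.upper()))
            elif kind == "agents":
                roles["agents"][name].add(line.lower())
            else:
                roles["rights"][name].update(_key_value(line))
        else:
            args = "".join(words[1:]).split(",")
            if words[0] == "console" and len(args) == 2:
                roles["rules"].append(("console", args[0], "*", rights_spec(args[1])))
            elif words[0] == "connection" and len(args) == 3:
                roles["rules"].append(("connection", args[0], args[1], rights_spec(args[2])))
            else:
                raise ValueError(f"unrecognised statement: {line}")
    return roles


def effective_rights(roles, user, mode, agent):
    """Rights for `user` connecting in mode O or D to the agent host `agent`."""
    mode, agent = mode.upper(), agent.lower()
    if not roles["active"]:  # all comments: everything is granted
        return {r: True for r in ALL_RIGHTS}
    granted = {r: False for r in ALL_RIGHTS}  # otherwise start fully denied
    for kind, login_group, agent_group, rights in roles["rules"]:
        in_login = login_group == "*" or any(
            u == user and m == mode and h in ("*", agent)
            for u, h, m in roles["logins"].get(login_group, ()))
        in_agents = agent_group == "*" or agent in roles["agents"].get(agent_group, ())
        if in_login and (kind == "console" or in_agents):
            granted.update(rights)  # later statements override earlier ones
    return granted


# Constructed sample file, assembled from the statements shown on this page.
SAMPLE_CONF = """\
define login operator
joseph_1/*/O
end
define login developer
george/host1/D
end
define agents noexecute
moon.mycompany.com
end
define connectionrights readWrite
allowdeveloper=true
allowsysoutputexec=true
end
console *,allowcommit=false
console developer,allowcommit=true
connection operator,*,readWrite
connection *,noexecute,allowsysoutputexec=false
connection *,*,allowdeveloper=false
connection developer,*,allowdeveloper=true
"""
```

With the sample file, joseph_1 keeps write access to the system output window on most agents but loses it on moon.mycompany.com, and george gets developer and commit rights only on host1, because the catch-all connection *,*,allowdeveloper=false is followed by a statement that re-grants the right to the developer group. Running it against a copy of your own patrol.conf is a quick way to confirm that a later statement does not silently undo a restriction made earlier in the file.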

Removing the Ability to Execute Commands on an Agent
…………………………………………………………………….……………………………………
define agents noexecute
moon.mycompany.com
sun.mycompany.com
end

connection *,noexecute,allowsysoutputexec=false
…………………………………………………………………….……………………………………

Enabling Parameter Overrides on a Classic Console
This feature turns on the ability for a user to right-click a parameter in a Classic Console and configure its thresholds. After all thresholds are configured, the PATROL KM for Event Management (AS_CHANGESPRING) can be loaded and used to automatically convert the thresholds set in the Classic Console to PATROL Configuration Manager thresholds.

The ALLOWOVERRIDEPARAMETER

There are multiple ways to set thresholds for a PATROL agent but by far the easiest way is to select one agent for each type of platform and application and set the thresholds using a classic console. This does not modify the KM but places the changes in a specific folder of the pconfig database.

It is very quick and easy to use. Simply drill down to the parameter you want to change, right-click it and select “Override Parameters”.

This will open a window where you can change the history retention period, collection schedule or threshold.

When you are all done, copy the AS_CHANGESPRING KM file from the “UTILS” directory where you installed PATROL Configuration Manager to your knowledge directory on your console, and then load the KM.

Locate the menu command that converts the overrides you just set to PATROL Configuration Manager thresholds. It is labeled “Convert Overrides to EVS”.

As soon as you convert them, the overrides become PCM settings stored in the agent configuration database file, and future changes can be made using PCM, where you can apply the changes you made to multiple agents at the same time.

If you want to be able to use the override parameter feature you must add it; it is not part of the default configuration. Change ALLOWOVERRIDEPARAMETER from false to true (the default setting is false).

…………………………………………………………………….……………………………………
define connectionrights allconnect
allowdeveloper=true
allowsysoutputexec=true
allowoverrideparameter=true
end
…………………………………………………………………….……………………………………

Defining Read Only from the System Output Window

This example prevents an operator from modifying parameters and gives them read-only access to the system output window. The first entry is the user name, the second is which agents (asterisk is all) and O means operator.

define login operator
JoeSmith/*/O
end

define connectionrights readOnly
allowdeveloper=false
allowsysoutputexec=false
allowtuning=false
end

connection operator,*,readOnly

Defining Variables for a Developer for Read Write in the System Output Window and the Ability to Commit

This setting allows modifications of parameters, read/write for the system output window, and commit for anyone connected as Developer.

define login developer
user-name/*/D
end

define consolerights devconsole
allowcommit=true
allowdeveloper=true
end

define connectionrights devReadWrite
allowdeveloper=true
allowsysoutputexec=true
allowtuning=false
end

console developer,devconsole
connection developer,*,devReadWrite

Disable the Commit Function for all Users

Disable all commit functions for all users. Even though this is done at the console level, it applies to all connections as well. Restrict developer connections (to any agent) to users who log in as part of the group called developer.

define login developer
george/host1/D
mike/host2/D
patrol/*/D
end

connection *,*,allowdeveloper=false
connection developer,*,allowdeveloper=true

Disable Based on a Group
Disable executing commands in the system output window for all connections to machines in the PATROLOPERATIONS group.

define agents PATROLOPERATIONS
m1.my.domain
m2.my.domain
end

connection *,PATROLOPERATIONS,allowsysoutputexec=false

To Disable All COMMIT Functions For Everyone. Applies To All Connections.

console *,allowcommit=false

Restrict DEVELOPER Connections To Any Agent Unless the User is in the Group Called Developer.

In this example the user patoper is an account in the domain mycompany.com.

define login developer
user1/host1/D
user2/host2/D
patrol/*/D
mycompany.com\patoper/*/D
end

connection *,*,allowdeveloper=false
connection developer,*,allowdeveloper=true

Disable Abilities to Make Changes to PATROL Agents

The Agent section is used to disable access to agents for specific actions, such as using the pconfig utilities, executing PSL functions or commands, executing commands from an SNMP network monitor like HP OpenView, and configuring an agent from the command line using the PATROL CLI.

Default settings are all rights to all actions.

[AGENT]
define agentrights allrights
allowconfigview=true
allowpslconfig=true
allowsnmpexecute=true
allowcmdlinecfg=true
allowalldlls=true
allowpsloverride=true
allowoperatoroverride=true
requiresconfigauthentication=false
end

VIEWING OF ACCOUNT INFORMATION
To disable the viewing of account information when using the agent configuration utilities (pconfig, xpconfig, and wpconfig), set:

allowconfigview=false

Note: this removes access to the pconfig, xpconfig, and wpconfig utilities, which includes applying and getting configurations with PCM.

DISABLE USE OF PSL PCONFIG
To disable the PSL function pconfig() from retrieving account information, set:

allowpslconfig=false

DISABLE REMOTE EXECUTION FROM SNMP MONITORS
To disable the ability to run PSL commands from an SNMP network monitor like HP OpenView, set:

allowsnmpexecute=false

DISABLE ACCESS TO RECONFIGURE FROM CLI
To disable the ability to reconfigure the PatrolAgent from the PatrolAgent command line interface, set:

allowcmdlinecfg=false
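
Because the agent section defaults to granting every right, it is worth checking a deployed patrol.conf against the values you intended rather than trusting the file. The following added Python example (not from the original article and not BMC’s code) parses the define agentrights block under [AGENT] and reports each right that differs from a policy; the policy values and the sample file are constructed for this example from the settings explained above, and a right that is absent from the file is treated as true, matching the documented default.

```python
"""Check the [AGENT] section of a patrol.conf against a desired policy.
Added example, not BMC's code: it parses 'define agentrights <name> ... end'
blocks under [AGENT] and reports each right whose value differs from policy.
A right absent from the file counts as true, since the default grants everything."""


def parse_agent_rights(text):
    """Return {rights_set_name: {right: bool}} for agentrights blocks under [AGENT]."""
    section, block, result = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):  # e.g. [AGENT], [CSERVER]
            section, block = line[1:-1].upper(), None
        elif section != "AGENT":
            continue
        elif line.split()[:2] == ["define", "agentrights"]:
            block = line.split()[2]
            result[block] = {}
        elif line == "end":
            block = None
        elif block and "=" in line:
            key, value = line.split("=", 1)
            result[block][key.strip().lower()] = value.strip().lower() == "true"
    return result


# Desired values, constructed for this example from the settings the page explains;
# right -> (required value, what leaving it at the default exposes).
POLICY = {
    "allowsnmpexecute": (False, "PSL commands can be run from an SNMP network monitor"),
    "allowcmdlinecfg": (False, "the agent can be reconfigured from the PatrolAgent CLI"),
    "allowpslconfig": (False, "the PSL pconfig() function can read account information"),
}


def policy_deviations(agent_rights, policy=POLICY):
    """List (rights_set, right, actual_value, exposure) for every right not matching policy."""
    findings = []
    for name, rights in agent_rights.items():
        for right, (wanted, exposure) in policy.items():
            actual = rights.get(right, True)  # missing right = default of all rights
            if actual != wanted:
                findings.append((name, right, actual, exposure))
    return findings


# Constructed sample: only allowpslconfig has been locked down so far.
SAMPLE_AGENT_CONF = """\
[CSERVER]
defaultAccount = patrol:encryptedpassword
[AGENT]
define agentrights allrights
allowconfigview=true
allowpslconfig=false
allowsnmpexecute=true
allowcmdlinecfg=true
end
"""

if __name__ == "__main__":
    for name, right, actual, exposure in policy_deviations(parse_agent_rights(SAMPLE_AGENT_CONF)):
        print(f"{name}: {right}={str(actual).lower()} -> {exposure}")
```

On the sample file this reports allowsnmpexecute and allowcmdlinecfg as still open; an empty define agentrights block reports all three, which is exactly the all-rights default. Note that allowconfigview is deliberately left out of the policy, since setting it to false also blocks PCM from applying and getting configurations.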

Changing the PATROL Central Console Server Account
When you change the Console Server password you must also change it in the patrol.conf file. Use the command line password encryption tool, sec_encrypt_p3x, which is located in the common bin directory: type the tool name followed by the password, and place the encrypted result in the [CSERVER] section. The same is true for the Distribution Server, in the [DS] section.

[CSERVER]
defaultAccount = patrol:encryptedpassword

[DS]
defaultAccount = DS_DEFAULT_ACCOUNT:DS_DEF_ACCOUNT_PASSWORD