
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2


Enable the monitoring agent to run as a nonroot user

The "Post-installation steps for nonroot installations" section of the IBM Tivoli Monitoring Installation and Setup Guide describes the post-installation setup process required to enable a nonroot user. Those instructions result in the availability of root authority to the underlying IBM Tivoli Monitoring processes. These instructions, in contrast, remove root authority from the underlying processes.


Securing the IBM Tivoli Monitoring installation

On UNIX operating systems, the product installation process creates the majority of directories and files with world write permissions. This configuration creates a security situation that is not acceptable in many enterprises. The secureMain utility helps you bring the monitoring environment into compliance with the security standards of your company. Run the secureMain utility on all installations, especially those installations that include the UNIX OS Agent, to prevent privilege escalation.

For information about the secureMain utility and usage examples, see the "Securing the IBM Tivoli Monitoring installation on Linux or UNIX" appendix in the IBM Tivoli Monitoring Installation and Setup Guide.


Set overall file ownership and permissions for nonroot users

The Monitoring Agent for UNIX OS is capable of running with nonroot user privileges, with some limitations, by changing some agent file permissions and assuring that the desired running user ID has write access to the necessary directories.

The Monitoring Agent for UNIX OS must run with root user privileges to assure correct remote deployment and the collection of some attributes on the Solaris platform. To ensure root privileges, the IBM Tivoli Monitoring installation sets the owner to root and sets the Set User-ID bit on the primary agent binary, kuxagent, so that the agent starts as root regardless of which user ID starts the agent.

To start the Monitoring Agent for UNIX OS with the permissions of another user ID, use the chmod command to turn off the Set User-ID (SUID) bit of the kuxagent binaries so that the agent can run as nonroot. The relevant binary for the Monitoring Agent for UNIX OS, in the CANDLEHOME/platform/ux/bin directory, is kuxagent (HPUX - User SUID, Solaris - User SUID, AIX).


Set kuxagent binary permissions

Changing the permissions requires running system commands locally on the target system:

The bit setting above (755) unsets the SUID bit and ensures that the other bits are set correctly. Note that the bit setting for kuxagent is not persistent. If you ever run secureMain, SetPerm, or install.sh, you need to unset the SUID bit for kuxagent again.
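Because secureMain, SetPerm, and install.sh put the SUID bit back, it helps to verify the setting after each of them runs. The following script is an added example, not IBM-supplied code: it lists kuxagent binaries that still have the SUID bit set and can reset them to 755. The script name, function names, and the check/fix arguments are hypothetical, and it assumes the binaries are at CANDLEHOME/platform/ux/bin/kuxagent as described above.

```shell
#!/bin/sh
# Added example, not IBM-supplied code.
# Assumption: agent binaries are at <CANDLEHOME>/<platform>/ux/bin/kuxagent.

# Print every kuxagent binary under CANDLEHOME ($1) that has the SUID bit set.
list_suid_kuxagent() {
    for f in "$1"/*/ux/bin/kuxagent; do
        # test -u is true only when the set-user-ID flag is present
        [ -f "$f" ] && [ -u "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Reset each flagged binary to 755 (the mode this page prescribes), then
# re-scan; succeeds only if no kuxagent is left with SUID set.
clear_suid_kuxagent() {
    list_suid_kuxagent "$1" | while IFS= read -r f; do
        chmod 755 "$f" && printf 'reset to 755: %s\n' "$f"
    done
    [ -z "$(list_suid_kuxagent "$1")" ]
}

# Usage (hypothetical script name): sh kuxagent_suid.sh check|fix <CANDLEHOME>
# "check" exits 1 if any SUID kuxagent is found, so it can gate a
# post-install or post-secureMain step; "fix" clears the bit.
case "${1:-}" in
    check)
        found=$(list_suid_kuxagent "${2:?CANDLEHOME path required}")
        [ -z "$found" ] && exit 0
        printf 'SUID still set:\n%s\n' "$found" >&2
        exit 1 ;;
    fix)
        clear_suid_kuxagent "${2:?CANDLEHOME path required}" || exit 1 ;;
esac
```

Run the fix as the owner of the binary or as root, since only they can change its mode.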


Limitations of starting the agent as a nonroot user

On installation of any other agent by a nonroot user, the permissions on the agent are reset to run the agent with root requirements. You must manually reset the permissions as described above.

Metrics belonging to the WPAR attribute groups:

All of the metrics belonging to the WPAR attribute groups are collected using the lswpar command. However, only the root user can run this command. Therefore, to collect metrics for the WPAR attribute groups, you must be logged into the system as the root user.

Metrics belonging to the Defined Users attributes group:

All of the metrics belonging to the Defined Users attribute group are collected using the lsuser -c ALL command. To collect metrics for the Defined Users attribute group as a nonroot user, you must belong to the security group. If not, the Defined Users view of the Users workspace lists "Not Collected" for each of its fields. In addition, even if the user belongs to the security group, the Roles and Login Retries attributes of the Defined Users group might be incorrectly reported as Not Collected.

Remote Deployment:

Remote deployment might not complete or work at all on certain agents that require root privileges to install the desired application. Install the agents locally or configure the agent manually after installation.

