IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Usage
Before you run the secureMain utility, ensure that you understand the syntax variables.
The secureMain commands use the following syntax:
secureMain [-h install_dir] [-g common_group] [-t type_code] lock
secureMain [-h install_dir] [-g common_group] unlock
where variables are defined as follows:
- install_dir is the directory path for the IBM Tivoli Monitoring installation. If this parameter is not supplied, the script attempts to determine the installation directory.
- common_group is a group ID common to all of the user IDs that are used to run components in this installation. The user ID that is used to perform the installation must also be a member of the group ID specified. The only exception is that the root ID is not required to be a member of the group ID specified.
- type_code is a component code belonging to an installed component. You can specify multiple -t options to create a list of component codes to be processed.
If secureMain is invoked with no parameters, the usage text is displayed.
secureMain lock is used to tighten permissions in an IBM Tivoli Monitoring 6.1 installation. It should be run after installing or configuring components.
When secureMain lock is invoked with no other parameters, the permissions are tightened generally to 755. However, a number of directories and some files are still left with world write permissions. When certain components which are commonly run using multiple user IDs are present in the installation, many more files have world write permissions.
When secureMain lock is invoked with the -g common_group parameter, the permissions are tightened generally to 775 and the directories and files have their group owner changed to the common_group specified. There are no directories or files left with world write permissions. Even when certain components that are commonly run using multiple user IDs are present in the installation, no files will have world write permissions. Additionally, the common_group value specified is written to a file and is used for all future secureMain lock invocations in this installation, unless the -g option is specified and the common_group is different from the previous value.
When secureMain lock is invoked with the -t type_code parameter, sections of the installation might be skipped when tightening permissions. Common directories, like bin, config, registry, and logs, and the files in them are always processed. Only directories and files specific to the specified type_code components are processed. The other component directory trees are skipped.
secureMain unlock is used to loosen permissions in an IBM Tivoli Monitoring installation. secureMain unlock is normally not necessary, but can be run if desired. It should be run before installing or configuring components.
secureMain unlock does not return the installation to the permission state that it was in before running secureMain lock. It only processes the common directories, like bin, config, registry, and logs, and the files in them.
Example
The following example locks the installation using the common group itmgroup:
secureMain -g itmgroup lock
The following example locks the base and mq component directories using the common group itmgroup:
secureMain -g itmgroup -t mq lock
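The following script is an added example, not part of the IBM documentation or the product. It checks an installation tree against the result described above for secureMain -g common_group lock: no world write permissions and a single group owner. The function names are hypothetical, and the installation directory and group are supplied by the caller.

```shell
#!/bin/sh
# Added example: audit an installation tree after "secureMain -g <group> lock".
# Usage (path and group are the caller's own values):
#   sh audit_lock.sh <install_dir> <common_group>

# Print every file or directory with the world-write bit (0002) set.
# Symbolic links are skipped: their own mode bits carry no meaning.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Print every file or directory whose group owner is not the expected group.
wrong_group() {
    find "$1" ! -type l ! -group "$2" -print
}

# Report findings; return 0 only when the tree has no world-writable
# entries and every entry is owned by the expected group.
audit_lock() {
    ww=$(world_writable "$1")
    wg=$(wrong_group "$1" "$2")
    if [ -n "$ww" ]; then
        printf 'World-writable entries:\n%s\n' "$ww"
    fi
    if [ -n "$wg" ]; then
        printf 'Entries not owned by group %s:\n%s\n' "$2" "$wg"
    fi
    [ -z "$ww" ] && [ -z "$wg" ]
}

# Run the audit only when both arguments are given on the command line.
if [ "$#" -eq 2 ]; then
    audit_lock "$1" "$2"
fi
```

If lock was run with -t type_code, the component directory trees that were skipped can still appear in the output.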