I am getting concerns from my Linux team over the permissions needed for SCOM on Linux to be able to install the agent. How have others addressed these concerns?
I talked to my Linux team and anything that requires elevated rights that are outside their control is not desirable. They would like me to see if we can set up an Ansible playbook that can do the install and sign the cert completely end to end, staying within their control, and for SCOM to have very limited rights to Linux. Just enough to access the agent and run monitoring.
Our Linux team have the same issues so they install the agent.
They send me a .pem certificate, which I certify in SCOM, using scxcertconfig.exe and send them back the generated cert.
Once they have installed the certificate, I search for the new machine in SCOM and manage it.
They also have to make sure that the iptables and firewall have ports 22 and 1270 open.
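A check the Linux side could run on the certificate that comes back from SCOM before installing it, as an added example that is not part of the original posts. File names are placeholders, and it assumes the agent's original certificate is self-signed and that signing keeps the agent's public key.

```shell
#!/bin/sh
# Added example: sanity-check a certificate returned from the SCOM side
# before it is installed on the agent. All file names are hypothetical.

# Print the public key embedded in a PEM certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# Print one name field (subject or issuer) without the "field=" prefix.
cert_name() { openssl x509 -in "$2" -noout "-$1" | sed "s/^$1= *//"; }

# check_signed_cert ORIGINAL SIGNED
# Returns 0 only if both files parse as certificates, SIGNED carries the
# same public key as ORIGINAL (so it still matches the agent's private key)
# and SIGNED has an issuer different from its subject (assumption: the
# certificate that was sent out for signing was self-signed).
# Returns 2 on a parse error and 1 on a failed check.
check_signed_cert() {
    orig="$1"
    signed="$2"
    cert_pubkey "$orig" >/dev/null 2>&1 || { echo "cannot parse $orig" >&2; return 2; }
    cert_pubkey "$signed" >/dev/null 2>&1 || { echo "cannot parse $signed" >&2; return 2; }
    if [ "$(cert_pubkey "$orig")" != "$(cert_pubkey "$signed")" ]; then
        echo "public key differs from the certificate that was sent out" >&2
        return 1
    fi
    if [ "$(cert_name issuer "$signed")" = "$(cert_name subject "$signed")" ]; then
        echo "returned certificate is still self-signed" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: script.sh ORIGINAL.pem SIGNED.pem
if [ "$#" -eq 2 ]; then
    check_signed_cert "$1" "$2"
fi
```

A playbook can run this as a gate between receiving the signed file and copying it into place, so a wrong or unsigned file never replaces the agent's working certificate.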
The Linux team has an Ansible playbook which installs the agent and sets the sudo rules and iptables configuration. Afterwards we sign it using the Operations Console or using PowerShell.
Here’s a handy link for the sudoers file: