пятница, 5 сентября 2014 г.

Safe work around to make check_esxi_hardware.py work within normal user

Adding nagios user to the root group (popular work around in the Internet) is a big security hole. I suggest never doing this.

Here is a better work around until VMware fixes 'CIM interaction' permission (which doesn't work at least since 4.0 and up to the recent 5.5):

1) Create a local user 'nagios' on a ESXi host
2) Add a cron job to check and update /etc/security/access.conf
user=nagios; access=/etc/security/access.conf; crontab=/var/spool/cron/crontabs/root; grep $access $crontab > /dev/null || cat << EOF >> $crontab
*/5  *    *   *   *   grep '^+:$user:sfcb$' $access > /dev/null || sed -i '2i +:$user:sfcb' $access
EOF
3) Done!

Now you can use nagios user to check check_esxi_hardware.py, no special roles or permissions are needed.