Onboard RedHat Linux RHEL 8.1, 9.6 to SCOM Management Group



RHEL 8.1 / 9.6 SCOM 2022 Agent Deployment – What Worked in My Lab


Prerequisites

  • System Center Operations Manager 2022, Management Pack for Linux, and (optional but recommended) the UR2 hotfix.
  • Crypto/FIPS support as per Microsoft KB 5037360.
  • Management servers included in a “Nix Resource Pool”, with required mgmt server certificates shared among pool members. Every pool member must have the SCOM mgmt server cert of every other pool member installed.
  • Forward and reverse DNS entries must exist for all target Linux systems.
  • Firewall opened to allow SCOM management servers (Nix Resource Pool) to talk to the Linux hosts on TCP ports 22 and 1270.
  • Linux server accounts were created for both ongoing monitoring (e.g., scom_monitor) and maintenance (e.g., scom_maint) on each Linux VM and in SCOM’s Unix/Linux Accounts.
  • Sudoers configuration was implemented so these accounts could do precisely what was required, and nothing more.


VM Deployment – Deployed VMs using Hyper-V and PowerShell:

  • Specified VM name, location for the VHD, memory, disk size, vSwitch, VLAN, and ISO path for the RHEL installer (“New-VM”, “Set-VMNetworkAdapterVlan”, etc.).
  • Disabled Secure Boot on the VM (“Set-VMFirmware -EnableSecureBoot Off”).
  • Attached the RHEL ISO and set the VM to boot from DVD.
  • Adjusted CPU/vCPU count as needed.
  • Started the VM for installation.

Example VM Deployment Script

# Deploy RHEL
# PARAMETERS
$VMName        = "NIX02"
$VMFullName    = "NIX02.contos.com"
$VMMemoryGB    = 4GB
$VHDPath       = "G:\VMs\$VMName\$VMName.vhdx"         # Adjust as needed
$VHDSizeGB     = 40GB
$SwitchName    = "vSwitchExternal_12"                  # Change to your target vSwitch
$VlanNumber    = 12
$ISOPath       = "G:\BIN\ISOs\rhel-9.6-x86_64-dvd.iso" # Path to your RHEL ISO (8.1 or 9.6)

# 1. Create VM (Generation 2 = UEFI firmware, which the Secure Boot setting below applies to)
New-VM -Name $VMName -MemoryStartupBytes $VMMemoryGB -Generation 2 -NewVHDPath $VHDPath -NewVHDSizeBytes $VHDSizeGB -SwitchName $SwitchName

Set-VMNetworkAdapterVlan -VMName $VMName -Access -VlanId $VlanNumber

# ** Disable Secure Boot (for RHEL, this is usually required) **
# Alternative that keeps Secure Boot on: -SecureBootTemplate MicrosoftUEFICertificateAuthority
Set-VMFirmware -VMName $VMName -EnableSecureBoot Off

# 2. Attach RHEL ISO for installation
Add-VMDvdDrive -VMName $VMName -ControllerNumber 0 -ControllerLocation 1
Set-VMDvdDrive -VMName $VMName -ControllerNumber 0 -ControllerLocation 1 -Path $ISOPath

# 3. Set VM to boot from DVD
# Get the desired VM's DVD drive as a boot device
$dvdBootDevice = (Get-VMFirmware -VMName $VMName).BootOrder | Where-Object { $_.Device -match 'DVD' }

# Set the firmware to boot from DVD first
Set-VMFirmware -VMName $VMName -FirstBootDevice $dvdBootDevice -Verbose

# 4. Optional: Set CPU count, etc.
Set-VMProcessor -VMName $VMName -Count 2

# 5. Start the VM
Start-VM -Name $VMName


RHEL Installation

  • Used the RHEL installer’s UI to configure networking, set the static IP address, gateway, DNS, and server hostname.
  • Proceeded with RHEL installation, using typical/required packages for my scenario.


RHEL Configuration

  • Created scom_monitor and scom_maint user accounts with strong passwords.
  • Suppressed SSH login banners for SCOM accounts by adding a .hushlogin file in their home directory.
  • Ensured the hostname and static IP matched forward and reverse DNS records.


Account commands (bash)

# Create SCOM Users
sudo useradd scom_monitor
sudo passwd scom_monitor
 
sudo useradd scom_maint
sudo passwd scom_maint
 
# Suppress login messages for SCOM accounts
# Verify home directories
getent passwd scom_maint scom_monitor
 
sudo touch /home/scom_maint/.hushlogin
sudo chown scom_maint:scom_maint /home/scom_maint/.hushlogin
 
sudo touch /home/scom_monitor/.hushlogin
sudo chown scom_monitor:scom_monitor /home/scom_monitor/.hushlogin



SCOM Agent Least Privilege Sudoers

Sudoers configuration (via /etc/sudoers.d/scom) that enables monitoring and maintenance without giving either account full root access. The template is Microsoft's; the reference is here:

https://learn.microsoft.com/en-us/system-center/scom/manage-security-unix-linux-sudoers-templates?view=sc-om-2025#universal-linux

# launch the sudoers editor on a new drop-in file (visudo syntax-checks the file before saving)
sudo visudo -f /etc/sudoers.d/scom

#----------------------------------------------------------------------------------------
# Example user configuration for Operations Manager 2022 and above
# Example assumes users named: scom_maint & scom_monitor
# Replace usernames & corresponding /tmp/scx-<username> specification for your environment

# General requirements
Defaults:scom_maint !requiretty

# Agent maintenance
## Certificate signing
scom_maint ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-scom_maint/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-scom_maint; /opt/microsoft/scx/bin/tools/scxadmin -restart
scom_maint ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
scom_maint ALL=(root) NOPASSWD: /bin/sh -c if test -f /opt/microsoft/omsagent/bin/service_control; then cp /tmp/scx-scom_maint/omsadmin.conf /etc/opt/microsoft/omsagent/scom/conf/omsadmin.conf; /opt/microsoft/omsagent/bin/service_control restart scom; fi

## Install or upgrade
# Compiler mitigated agent version changes
scom_maint ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-scom_maint/scx-1.[5-9].[0-9]-[0-9].universal[[\:alpha\:]].[[\:digit\:]].s.x[6-8][4-6].sh --install --enable-opsmgr; EC=$?; cd /tmp; rm -rf /tmp/scx-scom_maint; exit $EC
scom_maint ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-scom_maint/scx-1.[5-9].[0-9]-[0-9]-[0-9].universal[[\:alpha\:]].[[\:digit\:]].x[6-8][4-6].sh --install --enable-opsmgr; EC=$?; cd /tmp; rm -rf /tmp/scx-scom_maint; exit $EC
scom_maint ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-scom_maint/scx-1.[5-9].[0-9]-[0-9].universal[[\:alpha\:]].[[\:digit\:]].x[6-8][4-6].sh --install --enable-opsmgr; EC=$?; cd /tmp; rm -rf /tmp/scx-scom_maint; exit $EC
scom_maint ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-scom_maint/scx-1.[5-9].[0-9]-[0-9].universal[[\:alpha\:]].[[\:digit\:]].s.x[6-8][4-6].sh --upgrade --enable-opsmgr; EC=$?; cd /tmp; rm -rf /tmp/scx-scom_maint; exit $EC
scom_maint ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-scom_maint/scx-1.[5-9].[0-9]-[0-9]-[0-9].universal[[\:alpha\:]].[[\:digit\:]].x[6-8][4-6].sh --upgrade --enable-opsmgr; EC=$?; cd /tmp; rm -rf /tmp/scx-scom_maint; exit $EC
scom_maint ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-scom_maint/scx-1.[5-9].[0-9]-[0-9].universal[[\:alpha\:]].[[\:digit\:]].x[6-8][4-6].sh --upgrade --enable-opsmgr; EC=$?; cd /tmp; rm -rf /tmp/scx-scom_maint; exit $EC

## Uninstall
#scom_maint ALL=(root) NOPASSWD: /bin/sh -c /opt/microsoft/scx/bin/uninstall
scom_maint ALL=(root) NOPASSWD: /bin/sh -c if test -f /opt/microsoft/omsagent/bin/omsadmin.sh; then if test "$(/opt/microsoft/omsagent/bin/omsadmin.sh -l | grep scom | wc -l)" \= "1" && test "$(/opt/microsoft/omsagent/bin/omsadmin.sh -l | wc -l)" \= "1" || test "$(/opt/microsoft/omsagent/bin/omsadmin.sh -l)" \= "No Workspace"; then /opt/microsoft/omsagent/bin/uninstall; else /opt/microsoft/omsagent/bin/omsadmin.sh -x scom; fi; else /opt/microsoft/scx/bin/uninstall; fi

## Log file monitoring
scom_monitor ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p

### Examples ###
## Custom shell command monitoring example – replace <shell command> with the correct command string
#scom_monitor ALL=(root) NOPASSWD: /bin/sh -c echo error

## Daemon diagnostic and restart recovery tasks example (using cron)
#scom_monitor ALL=(root) NOPASSWD: /bin/sh -c ps -ef | grep cron | grep -v grep
#scom_monitor ALL=(root) NOPASSWD: /usr/sbin/cron &

#When using the ExecuteShellScript method to run elevated scripts, add the following line to your sudoers file for your user:
#scomuser ALL=(root) NOPASSWD: /etc/opt/microsoft/scx/conf/tmpdir/scx*

# End user configuration for Operations Manager
#-----------------------------------------------------------------------------------
# write the file and quit the editor
:wq <enter>
# set permissions on the new sudoers config
sudo chmod 440 /etc/sudoers.d/scom
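The template above is only as safe as the drop-in that actually lands on each host, and a hand-edited copy drifts easily. The script below is an added example, not part of the original post or of Microsoft's template: it audits a sudoers drop-in for grants wider than the template needs (an ALL command, a runas broader than (root), an unrestricted shell, a command outside the SCX/omsagent paths, an unexpected Defaults line, or a file mode other than 0440). The allow-list regex, the function names and the drifted sample fragment are my own assumptions built from the template lines above.

```shell
#!/bin/sh
# Least-privilege audit for a SCOM sudoers drop-in such as /etc/sudoers.d/scom.
# Added example (not part of the Microsoft template or the original post): it flags
# grants broader than the template needs, so drift is caught before the file is
# pushed to every RHEL host. The allow-list mirrors the paths used in the template.

# Command shapes the template legitimately grants (constructed allow-list, ERE syntax)
SCOM_ALLOWED='^(/bin/sh -c .+|/opt/microsoft/(scx|omsagent)/[^ ]+( .*)?|/etc/opt/microsoft/scx/[^ ]+|/usr/sbin/cron( &)?)$'
# An unrestricted shell as the granted command defeats the whole template
SHELL_RE='^/(usr/)?bin/(ba|z|k)?sh$'

matches() { printf '%s\n' "$1" | grep -Eq "$2"; }

# audit_scom_sudoers FILE -> prints one finding per line; returns 0 if clean, 1 otherwise
audit_scom_sudoers() {
    local file findings lineno line runas cmd mode
    file=$1; findings=0; lineno=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    # The post sets 0440; anything wider means the file was not installed as intended.
    mode=$(stat -c '%a' "$file" 2>/dev/null || echo unknown)
    case "$mode" in
        440|400|unknown) ;;
        *) echo "$file: mode $mode, expected 0440"; findings=$((findings+1)) ;;
    esac

    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno+1))
        case "$line" in
            ''|\#*) continue ;;                       # blank lines and comments
            Defaults*)                                # only !requiretty is expected
                case "$line" in
                    *'!requiretty'*) ;;
                    *) echo "$file:$lineno: unexpected Defaults: $line"; findings=$((findings+1)) ;;
                esac
                continue ;;
        esac

        # user-spec shape: USER HOST=(RUNAS) [NOPASSWD:] COMMAND
        case "$line" in
            *"=("*")"*) ;;
            *) echo "$file:$lineno: unparsable user spec: $line"; findings=$((findings+1)); continue ;;
        esac
        runas=${line#*"=("}; runas=${runas%%")"*}
        case "$line" in
            *NOPASSWD:*) cmd=${line#*NOPASSWD:} ;;
            *)           cmd=${line#*")"} ;;
        esac
        cmd=$(printf '%s' "$cmd" | sed 's/^[[:space:]]*//')

        case "$runas" in
            *ALL*) echo "$file:$lineno: runas ($runas) is broader than (root)"; findings=$((findings+1)) ;;
        esac
        if [ "$cmd" = ALL ]; then
            echo "$file:$lineno: grants ALL commands"; findings=$((findings+1)); continue
        fi
        if matches "$cmd" "$SHELL_RE"; then
            echo "$file:$lineno: unrestricted shell: $cmd"; findings=$((findings+1)); continue
        fi
        matches "$cmd" "$SCOM_ALLOWED" \
            || { echo "$file:$lineno: command outside SCOM agent paths: $cmd"; findings=$((findings+1)); }
    done < "$file"
    [ "$findings" -eq 0 ]
}

# Constructed demonstration: a drop-in that drifted from the template (sample
# text, not any real host's file). Prints the findings and returns 1.
demo_drifted_fragment() {
    local f rc
    f=$(mktemp) || return 2
    cat > "$f" <<'EOF'
# constructed sample: the last three rules should never survive review
Defaults:scom_maint !requiretty
scom_maint ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
scom_maint ALL=(ALL) NOPASSWD: ALL
scom_monitor ALL=(root) NOPASSWD: /bin/bash
scom_monitor ALL=(root) NOPASSWD: /usr/bin/vi
EOF
    chmod 0440 "$f"
    audit_scom_sudoers "$f"; rc=$?
    rm -f "$f"
    return $rc
}

# Usage: sh audit-scom-sudoers.sh /etc/sudoers.d/scom ; with no argument the
# constructed sample is audited so the output can be seen without root.
if [ -n "${1:-}" ]; then
    audit_scom_sudoers "$1"
else
    demo_drifted_fragment || echo "(findings above are expected for the constructed sample)"
fi
```

Run it as part of the push to each host (after sudo chmod 440) and fail the rollout on a non-zero exit; the commented template lines are skipped, so uncommenting the cron or ExecuteShellScript examples shows up only if they fall outside the SCX paths.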


Firewall and DNS

  • Opened ports 22 (SSH) and 1270 (SCX agent) via firewalld rich rules on the Linux VMs, scoped to the SCOM management server IPs (the Nix Resource Pool members), so only those hosts can reach the agent.
  • Confirmed DNS forward and reverse lookup for the new VMs.

Firewall commands (bash)

# make permanent rules for the mgmt server connectivity using specific IPs, port, and protocol
# (port 22 is already allowed by the ssh service in firewalld's default public zone)
sudo firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="192.168.123.61" port port="1270" protocol="tcp" accept'
sudo firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="192.168.123.62" port port="1270" protocol="tcp" accept'

# Reload firewall to apply permanent changes
sudo firewall-cmd --reload
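The prerequisites call for forward and reverse DNS entries for every target, and the RHEL configuration step checks that each host's name matches them; a stale PTR is the usual reason a discovery that looks fine on the network side still fails. The script below is an added example, not part of the original post: it does that round-trip check for a list of hosts, forward-resolving the FQDN, reverse-resolving the returned address, and requiring the PTR to name the same FQDN again. It uses getent hosts for both lookups; the resolver is a variable so the same logic can be demonstrated offline with the constructed fake resolver, whose names and addresses are invented.

```shell
#!/bin/sh
# Forward/reverse DNS round-trip check for SCOM discovery targets.
# Added example, not from the original post. RESOLVER defaults to "getent hosts"
# (forward lookup for a name, reverse lookup for an address); it is a variable so
# the logic can also run offline against the constructed fake resolver below.
RESOLVER=${RESOLVER:-"getent hosts"}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# dns_roundtrip FQDN -> 0 if FQDN resolves and the address's PTR names FQDN again
dns_roundtrip() {
    local fqdn addr names name
    fqdn=$(lower "$1")
    # first address only; getent may list an IPv6 address first if one exists
    addr=$($RESOLVER "$fqdn" 2>/dev/null | awk 'NR==1 {print $1}')
    if [ -z "$addr" ]; then
        echo "FAIL $fqdn: no forward (A/AAAA) record"; return 1
    fi
    # reverse lookup: every name on the PTR answer is acceptable
    names=$($RESOLVER "$addr" 2>/dev/null | awk 'NR==1 {$1=""; print}')
    for name in $names; do
        if [ "$(lower "$name")" = "$fqdn" ]; then
            echo "OK   $fqdn -> $addr -> $name"; return 0
        fi
    done
    echo "FAIL $fqdn -> $addr: reverse record names '${names# }' instead"
    return 1
}

# check_targets FQDN... -> exit status is the number of hosts that failed (0 = all consistent)
check_targets() {
    local failed h
    failed=0
    for h in "$@"; do
        dns_roundtrip "$h" || failed=$((failed+1))
    done
    return $failed
}

# Constructed fake resolver (lab-only names and addresses, not real records)
fake_resolver() {
    case "$1" in
        nix02.example.com) echo "192.168.123.72 nix02.example.com nix02" ;;
        192.168.123.72)    echo "192.168.123.72 nix02.example.com" ;;
        nix03.example.com) echo "192.168.123.73 nix03.example.com" ;;
        192.168.123.73)    echo "192.168.123.73 old-nix03.example.com" ;;   # stale PTR
        *) return 2 ;;
    esac
}

# Usage: sh preflight-dns.sh host1.fqdn host2.fqdn ... (exit status = failures);
# with no arguments the constructed resolver is used so the output can be seen offline.
if [ $# -gt 0 ]; then
    check_targets "$@"
else
    ( RESOLVER=fake_resolver; check_targets nix02.example.com nix03.example.com ) \
        || echo "(one stale PTR is expected in the constructed data)"
fi
```

Run it from a management server side host or from the Linux VM itself before starting the discovery wizard; the comparison is case-insensitive because PTR data is often entered in a different case than the hostname, and any name on the reverse answer counts so hosts with a short alias still pass.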


Add DNS Entries


Create nix accounts in SCOM



Maintenance Account



Monitoring Account


Discovery


Note: in the screenshot below I had added a second server (a RHEL 8.1 server) and discovered both at the same time. Forgot to get a screenshot of it.



Success
