UNIX and Linux commands requiring root privileges for Discovery and Orchestration

These commands require root privileges in Discovery and Orchestration.

The examples here assume that the user name in the credentials is Disco. Substitute the actual user name and ensure that the paths for the commands match the path on the systems.

Note: Sudo commands do not work with private key credentials, because there is no password to supply to the sudo command. A solution is to add the NOPASSWD option to the sudo configuration. For example, you might enter: disco ALL=(root) NOPASSWD:/usr/sbin/dmidecode,/usr/sbin/lsof,/sbin/ifconfig.
Table 1. UNIX and Linux commands requiring root privileges
Command Platform Purpose /etc/sudoers line example Used by
dmidecode All Linux Gathers several pieces of information about the hardware, including the serial number embedded within the motherboard. Disco ALL=(root) /sbin/dmidecode Discovery
lsof All UNIX versions Determines the relationship between processes and the connections being made to the system. Disco ALL=(root) /sbin/lsof Discovery
adb HP-UX Gathers CPU speed and memory. Disco ALL=(root) /usr/bin/adb Discovery
chpasswd All Linux and UNIX versions Changes user passwords. Disco ALL=(root) /etc/chpasswd Orchestration
chage All Linux and UNIX versions Changes the number of days between password changes and the date of the last password change. Disco ALL=(root) /etc/chage Orchestration
oratab All Unix versions Grants read access to the oratab file for locating the Oracle Home and pfile. N/A Discovery
/usr/bin/ps Solaris Lists running process. As an alternative to running with root access, add a proc_owner role. Disco ALL=(root) /usr/bin/ps Discovery
/usr/ucb/ps Solaris Lists running process. As an alternative to running with root access, add a proc_owner role.
Note: The use of the /usr/ucb/ps command is deprecated as of Solaris 11. Because Discovery and Orchestration require the use of this command for all Solaris versions, you must install the ucb utility manually on Solaris 11 systems. For instructions, see KB0564262 .
Disco ALL=(root) /usr/ucb/ps Discovery
fdisk All Linux Gathers the disks and size information on the system. Disco ALL=(root) /usr/bin/fdisk -l Discovery
dmsetup Linux and Solaris Examines a low level volume.
  • Disco ALL=(root) /usr/bin/dmsetup table *
  • Disco ALL=(root) /usr/bin/dmsetup ls
Discovery
multipath All Linux Gathers device mappings for MPIO. Disco ALL=(root) /usr/bin/multipath -ll Discovery
prtvtoc Solaris Reports information about disk partitions. Disco ALL=(root) /usr/bin/prtvtoc Discovery

Privileged commands for Discovery

To discover certain information on a host server, Discovery must run SSH commands with higher privilege.

An example of information that requires elevated privileges is information about storage disks on a host server, retrieved with the fdisk -l command. If your system cannot use sudo commands, you must configure the hosts in your network to use one of the other privileged commands.

For a list of possible SSH commands requiring root privileges, see UNIX and Linux commands requiring root privileges for Discovery and Orchestration.

Note: You can have different privileged commands set up for different hosts. However, Discovery supports only one privileged command per host.
Table 2. SSH privileged escalation command requirements
Command Description
sudo
  • Host must support the sudo -S -p <password> command and return the correct list of allowed SSH commands.
  • Credentials provided for Discovery must be able to run the command sudo -S -p <password> <commands>.
pbrun
  • Host must support the pbrun -v command and return the correct version of PowerBroker.
  • Credentials provided for Discovery must be able to run pbrun <commands>.
  • Discovery does not support any other pbrun - options, such as a password prompt.
pfexec
  • Host must support the pfexec id -a command and return the correct ID.
  • Credentials provided for Discovery must be able to run pfexec <commands>.
  • Discovery does not support any other pfexec - options, such as a password prompt.
dzdo
  • Host must support the command –v dzdo command and return the path to dzdo in standard output.
  • Credentials provided for Discovery must be able to run dzdo <commands>.
  • Discovery does not support any other dzdo – options, but Discovery supports password authentication for dzdo.

Add a new privileged command

Add a new privileged command to the Privileged Command [privileged_command] table that is available to your MID Servers.

Before you begin

Role required: admin

About this task

Important: Do not delete any of the supported commands.

Procedure

  1. Navigate to MID Server > Privileged Command and click New.
  2. Complete these fields:
    • Command: The name of the privileged command.
    • Password Prompt: The password prompt displayed to the user for this privileged command, or a regular expression that matches this password prompt. If this field is empty, no password is required for this privileged command, and no prompt is displayed. SUDO commands do not require a password prompt.
  3. Click Submit.

Configure the MID Server to use specific privileged commands

You can configure the MID Server to use specific commands in a defined order.

Before you begin

Role required: admin

Procedure

  1. Navigate to the list of MID Servers using one of the following paths:
    • MID Server > Servers
    • Discovery > MID Servers
    • Orchestration > MID Servers
  2. Select the MID Server you want to configure.
  3. Click the menu icon in the header bar and select View > Advanced from the context menu.
    Figure 1. Selecting the Advanced view
    Selecting the Advanced view
  4. In the Privileged Command related list, click Edit.
  5. Select the command you want this MID Server to use and click Save.
    The default order of privileged commands is 100, but you can change the order as necessary. The privileged command with the smallest order number is tried first.
    Figure 2. List of privileged commands to use for a MID Server
    List of privileged commands to use for a MID Server

Create a pbrun profile privileged command

You can create a special configuration for the pbrun privileged command that allows it to run as a profile.

Before you begin

Role required: discovery_admin, admin

About this task

Of all the privileged commands, only the pbrun command can be configured to run as a profile, and only one of these special pbrun configurations can function on a MID Server.
Important: Edit the existing pbrun record for this purpose. The system ignores any additional commands you create for pbrun.

Procedure

  1. Navigate to MID Server > Privileged Command.
  2. Select pbrun from the list.
  3. In the Privileged Command record, edit the value in the Command field to use the format pbrun -u <profile>.
    For example, you can set pbrun -u admin as a command to run with an admin profile.
  4. Click Update.

Long running commands with sudo

Configure J2SSH and ServiceNow SSH to prevent long running commands using sudo from failing when the MID Server disconnects.

ServiceNow SSH allows probes to run sudo against individual commands or an entire, long-running script. This is also supported for the pbrun and pfexec privileged commands

Sudo for individual commands

You can run sudo against individual commands within a probe, but only if all the following sudoer configurations are performed on the target:
  • The !requiretty option is required.
  • Allow individual commands to be run by the user in the provided credential with NOPASSWD configured.
  • The target specifies an individual sudo call in the command or referenced scripts. For example, set sudo as "sudo fdisk -I" or "${sudo:fdisk -I}" rather than "must_sudo" for the entire script.
Note: Running sudo against individual commands with ServiceNow SSH produces detailed and useful entries in the sudo logs on the target computer.

Running sudo on an entire script

If any of the required sudoer configuration requirements for individual commands is not in place, Discovery applies sudo to the initial and complete probes, and does not execute sudo remotely inside the command. This condition can be forced by setting must_sudo on the probe and eliminating any sudo commands within the probe.

This approach prevents long running commands from failing when the probe disconnects, but cannot specify individual commands in the sudoers configuration.

Logging

The logs from ServiceNow SSH sudo activity run against an entire script show cryptic entries, such as /tmp/.run.aef13123fe124123, which prevent administrators from controlling permissible commands and knowing the exact command that was run. Sudo run against individual commands produces more detailed log entries, such as /sbin/fdisk –l.