To discover certain information on a host server, the MID Server must run SSH commands with higher privileges. The platform provides default privileged commands for the MID Server to use and the ability to add additional commands to the system.

Links to each of the MID Server sectionsEnsure that the MID Server can connect to elements inside and outside your networkDownload and install the MID Server on a Linux or Windows hostConfigure your MID ServerConfigure MID Server securityEnsure that the MID Server can connect to elements inside and outside your networkDownload and install the MID Server on a Linux or Windows hostConfigure your MID ServerConfigure MID Server security

An example of information that requires elevated privileges is information about storage disks on a host server, retrieved with the fdisk -l command. If your system cannot use sudo commands, you must configure the hosts in your network to use one of the other privileged commands. You can configure different privileged commands for different hosts. However, Discovery supports only one privileged command per host.

Important: You can edit supported privileged commands, but do not delete them.

For a list of possible SSH commands requiring root privileges, see SSH credentials.

Table 1. SSH privileged escalation command requirements
CommandDescription
sudo
  • Host must support the sudo -S -p <password> command and return the correct list of allowed SSH commands.
  • Credentials provided for Discovery must be able to run the command sudo -S -p <password> <commands>.
pbrun
  • Host must support the pbrun -v command and return the correct version of PowerBroker.
  • Credentials provided for Discovery must be able to run pbrun <commands>.
  • Discovery does not support any other pbrun - options, such as a password prompt.
  • The instance must be able to reach the target host via SSH.
pfexec
  • Host must support the pfexec id -a command and return the correct ID.
  • Credentials provided for Discovery must be able to run pfexec <commands>.
  • Discovery does not support any other pfexec - options, such as a password prompt.
dzdo
  • Host must support the command –v dzdo command and return the path to dzdo in standard output.
  • Credentials provided for Discovery must be able to run dzdo <commands>.
  • Discovery does not support any other dzdo – options, but Discovery supports password authentication for dzdo.

Long-running commands with sudo

Configure J2SSH and ServiceNow SSH to prevent long running commands using sudo from failing when the MID Server disconnects.

ServiceNow SSH allows probes to run sudo against individual commands or an entire, long-running script. This is also supported for the pbrun and pfexec privileged commands.

Sudo for individual commands

You can run sudo against individual commands within a probe, but only if all the following sudoer configurations are performed on the target:
  • The !requiretty option is required.
  • Allow individual commands to be run by the user in the provided credential with NOPASSWD configured.
  • The target specifies an individual sudo call in the command or referenced scripts. For example, set sudo as "sudo fdisk -I" or "${sudo:fdisk -I}" rather than "must_sudo" for the entire script.
Note: Running sudo against individual commands with ServiceNow SSH produces detailed and useful entries in the sudo logs on the target computer.

Running sudo on an entire script

If any of the required sudoer configuration requirements for individual commands is not in place, Discovery applies sudo to the initial and complete probes, and does not execute sudo remotely inside the command. This condition can be forced by setting must_sudo on the probe and eliminating any sudo commands within the probe.

This approach prevents long running commands from failing when the probe disconnects, but cannot specify individual commands in the sudoers configuration.

Logging

The logs from ServiceNow SSH sudo activity run against an entire script show cryptic entries, such as /tmp/.run.aef13123fe124123, which prevent administrators from controlling permissible commands and knowing the exact command that was run. Sudo run against individual commands produces more detailed log entries, such as /sbin/fdisk –l.

Add a new privileged command for use by the MID Server

Add a new privileged command to the Privileged Command [privileged_command] table that is available to your MID Servers.

Before you begin

Role required: admin

About this task

Important: Do not delete any of the supported commands.

Procedure

  1. Navigate to All > MID Server > Privileged Command and click New.
  2. Complete these fields:
    • Command: The name of the privileged command.
    • Password Prompt: The password prompt displayed to the user for this privileged command, or a regular expression that matches this password prompt. If this field is empty, no password is required for this privileged command, and no prompt is displayed. SUDO commands do not require a password prompt.
  3. Click Submit.

Configure the MID Server to use specific privileged commands

You can configure the MID Server to use specific commands in a defined order.

Before you begin

Role required: admin

Procedure

  1. Navigate to the list of MID Servers using one of the following paths:
    • MID Server > Servers
    • Discovery > MID Servers
    • Orchestration > MID Servers
  2. Select the MID Server you want to configure.
  3. Click the menu icon in the header bar and select View > Advanced from the context menu.
    Figure 1. Selecting the Advanced view
    Selecting the Advanced view
  4. In the Privileged Command related list, click Edit.
  5. Select the command you want this MID Server to use and click Save.
    The default order of privileged commands is 100, but you can change the order as necessary. The privileged command with the smallest order number is tried first.
    Figure 2. List of privileged commands to use for a MID Server
    List of privileged commands to use for a MID Server

Create a pbrun profile privileged command

You can create a special configuration for the pbrun privileged command that allows it to run as a profile.

Before you begin

Role required: discovery_admin, admin

About this task

Of all the privileged commands, only the pbrun command can be configured to run as a profile, and only one of these special pbrun configurations can function on a MID Server.
Important: Edit the existing pbrun record for this purpose. The system ignores any additional commands you create for pbrun.

Procedure

  1. Navigate to All > MID Server > Privileged Command.
  2. Select pbrun from the list.
  3. In the Privileged Command record, edit the value in the Command field to use the format pbrun -u <profile>.
    For example, you can set pbrun -u admin as a command to run with an admin profile.
  4. Click Update.

What to do next

Return to Configuring MID Servers.