SSH commands requiring a privileged user during probe-based discovery

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of SSH commands requiring a privileged user during probe-based discovery

    This document details the SSH commands that ServiceNow Discovery probes run during horizontal discovery which require elevated privileges on target systems. These commands gather critical hardware, disk, process, and network information necessary for accurate discovery and mapping of IT infrastructure.

    Show full answer Show less

    ServiceNow customers should configure the privileged user (commonly named Disco) appropriately, ensuring that the commands execute with the necessary rights to collect discovery data. The sudoers file must be configured with NOPASSWD for these commands because sudo commands do not work with private key authentication due to the absence of a password prompt.

    Key Configuration Considerations

    • Privileged commands require sudo with NOPASSWD. For example, a sudoers entry like disco ALL=(root) NOPASSWD:/usr/sbin/dmidecode enables running dmidecode without a password.
    • Private key authentication limitations: sudo commands cannot prompt for passwords, so NOPASSWD is essential.
    • Host key validation is not performed by the MID Server. This means the connection is vulnerable to man-in-the-middle attacks, so avoid exchanging sensitive credentials over SSH. Use SSH keys or certificates for authentication exclusively.
    • Substitute the actual username and verify command paths on your systems. The examples assume user disco and common command paths, but these must be adjusted to match your environment.

    Common Privileged SSH Commands by Operating System

    The following tables summarize commands requiring elevated privileges. Each command should be enabled with the corresponding sudoers configuration.

    • HP-UX:
      • adb: Gathers CPU speed and memory info.
    • Linux:
      • dmidecode: Hardware details including motherboard serial number.
      • fdisk -l: Disk and size info.
      • multipath -ll: MultiPath IO device mappings.
    • Linux and Solaris:
      • dmsetup table and dmsetup ls: Low-level volume examination.
    • All UNIX versions:
      • lsof: Process and connection relationships.
      • oratab: Read access for Oracle Home and pfile locations.
      • netstat and ss: Network connection details.
    • Solaris:
      • iscsiadm: iSCSI qualified names.
      • fcinfo: WWPNs for ports.
      • prtvtoc: Disk partition info.
      • ps and /usr/ucb/ps: Running processes (procowner role alternative available).
      • pgrep: List of process IDs with socket info.
      • pfiles: Process socket file info.

    Practical Implications for ServiceNow Customers

    • Ensure the privileged user account used by Discovery has sudo privileges configured with NOPASSWD for the listed commands to enable seamless execution without manual password entry.
    • Verify command paths and adjust sudoers entries to match your system environment to prevent discovery failures.
    • Limit sensitive data exposure over SSH connections since MID Server does not validate host keys; use key-based authentication and avoid sending credentials.
    • Refer to related documentation for commands not requiring privileges and for Service Mapping-specific commands.

    These tables display the SSH commands run by Discovery probes during horizontal discovery. These SSH commands require elevated privileges to run.

    Operating system commands requiring elevated rights

    These examples assume that the user name is Disco. Substitute the actual user name and verify that the paths for the commands match the paths on the system.
    Note:
    Sudo commands don’t work with private key credentials, because there’s no password to supply to the sudo command. A solution is to add the NOPASSWD option to the sudo configuration. For example, you might enter: disco ALL=(root) NOPASSWD:/usr/sbin/dmidecode,/usr/sbin/lsof,/sbin/ifconfig.

    For information on commands that don’t require elevated rights, see Non-privileged SSH commands during probe-based discovery.

    For information on commands used by Service Mapping during the top-down discovery, see Service Mapping commands requiring a privileged user and Service Mapping commands not requiring a privileged user.

    SSH key not validated

    When the MID Server connects to a system, the MID Server doesn’t perform host key validation against that system and so treats it as untrusted. If an attacker performs a man-in-the-middle attack and redirects the traffic to a malicious SSH service, the attacker can intercept or modify any data sent over the connection.

    Therefore, limit any sensitive information exchanged between the MID Server and the target SSH server. Only use keys or certificates for SSH authentication, and avoid sending system credentials. Configure NOPASSWD in the sudoers file for the required privileged commands.

    Table 1. HP-UX
    Command Purpose
    adb Gathers CPU speed and memory.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/adb
    Table 2. All Linux
    Command Purpose
    dmidecode Gathers several pieces of information about the hardware, including the serial number embedded within the motherboard.

    /etc/sudoers line example: Disco ALL=(root) /sbin/dmidecode
    fdisk Gathers the disks and size information on the system.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/fdisk -l
    multipath Gathers device mappings for MultiPath Input Output (MPIO).

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/multipath -ll
    Table 3. Linux and Solaris
    Command Purpose
    dmsetup Examines a low-level volume.

    /etc/sudoers line example

    • Disco ALL=(root) /usr/bin/dmsetup table *
    • Disco ALL=(root) /usr/bin/dmsetup ls
    Table 4. All UNIX versions
    Command Purpose
    lsof Determines the relationship between processes and the connections being made to the system.

    /etc/sudoers line example: Disco ALL=(root) /sbin/lsof
    oratab Grants read access to the oratab file for locating the Oracle Home and pfile.
    netstat Determines the relationship between processes and the connections being made to the system.

    /etc/sudoers line example: Disco ALL=(root) /bin/netstat
    ss Determines the relationship between processes and the connections being made to the system.

    /etc/sudoers line example: Disco ALL=(root) /sbin/ss
    Table 5. Solaris
    Command Purpose
    iscsiadm Gets iSCSI qualified names (IQNs).

    /etc/sudoers line example: ${sudo:iscsiadm list target -S}
    fcinfo Gets World Wide Port Names (WWPNs) for ports.

    /etc/sudoers line example: ${sudo:fcinfo remote-port -sl -p $port}
    prtvtoc Reports information about disk partitions.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/prtvtoc
    /usr/bin/ps Lists running process. As an alternative to running with root access, add a proc_owner role.sola.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/ps
    /usr/ucb/ps Lists running process. As an alternative to running with root access, add a proc_owner role.

    The use of the /usr/ucb/ps command is deprecated as of Solaris 11. Because Discovery requires the use of this command for all Solaris versions, you must install the ucb utility manually on Solaris 11 systems. For instructions, see KB0564262.

    /etc/sudoers line example: Disco ALL=(root) /usr/ucb/ps
    pgrep Gets list of process IDs (PIDs) with socket information.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/pgrep
    pfiles For each PID, gets and processes the output for S_IFSOCK.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/pfiles