SSH commands requiring a privileged user during probe-based discovery

  • Release version: Washingtondc
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of SSH Commands Requiring a Privileged User During Probe-Based Discovery

    This document outlines the SSH commands executed by Discovery probes during horizontal discovery that necessitate elevated privileges. It emphasizes the need for proper configuration to ensure secure and efficient command execution.

    Show full answer Show less

    Key Features

    • Operating System Commands: Commands such as dmidecode, lsof, and ifconfig require configuration in the /etc/sudoers file to allow the user 'Disco' to run them without a password by using the NOPASSWD option.
    • SSH Key Validation: The MID Server does not validate host keys, which poses a security risk. It is vital to limit sensitive information exchange and use keys or certificates for authentication.
    • Command Examples: Specific commands for various operating systems are provided, alongside examples of how to configure them in the sudoers file for elevated access.

    Key Outcomes

    By implementing the necessary sudo configuration and using secure SSH authentication methods, ServiceNow customers can effectively gather critical system information while mitigating security risks. Proper setup ensures that Discovery functions efficiently while maintaining a secure environment during probe-based discovery.

    These tables display the SSH commands run by Discovery probes during horizontal discovery. These SSH commands require elevated privileges to run.

    Operating system commands requiring elevated rights

    These examples assume that the user name is Disco. Substitute the actual user name and verify that the paths for the commands match the paths on the system.
    Note:
    Sudo commands don’t work with private key credentials, because there’s no password to supply to the sudo command. A solution is to add the NOPASSWD option to the sudo configuration. For example, you might enter: disco ALL=(root) NOPASSWD:/usr/sbin/dmidecode,/usr/sbin/lsof,/sbin/ifconfig.

    For information on commands that don’t require elevated rights, see SSH commands not requiring a privileged user during probe-based discovery.

    For information on commands used by Service Mapping during the top-down discovery, see Service Mapping commands requiring a privileged user and Service Mapping commands not requiring a privileged user.

    SSH key not validated

    When the MID Server connects to a system, the MID Server doesn’t perform host key validation against that system and so treats it as untrusted. If an attacker performs a man-in-the-middle attack and redirects the traffic to a malicious SSH service, the attacker can intercept or modify any data sent over the connection.

    Therefore, limit any sensitive information exchanged between the MID Server and the target SSH server. Only use keys or certificates for SSH authentication, and avoid sending system credentials. Configure NOPASSWD in the sudoers file for the required privileged commands.

    Table 1. HP-UX
    Command Purpose
    adb Gathers CPU speed and memory.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/adb
    Table 2. All Linux
    Command Purpose
    dmidecode Gathers several pieces of information about the hardware, including the serial number embedded within the motherboard.

    /etc/sudoers line example: Disco ALL=(root) /sbin/dmidecode
    fdisk Gathers the disks and size information on the system.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/fdisk -l
    multipath Gathers device mappings for MultiPath Input Output (MPIO).

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/multipath -ll
    Table 3. Linux and Solaris
    Command Purpose
    dmsetup Examines a low-level volume.

    /etc/sudoers line example

    • Disco ALL=(root) /usr/bin/dmsetup table *
    • Disco ALL=(root) /usr/bin/dmsetup ls
    Table 4. All UNIX versions
    Command Purpose
    lsof Determines the relationship between processes and the connections being made to the system.

    /etc/sudoers line example: Disco ALL=(root) /sbin/lsof
    oratab Grants read access to the oratab file for locating the Oracle Home and pfile.
    netstat Determines the relationship between processes and the connections being made to the system.

    /etc/sudoers line example: Disco ALL=(root) /bin/netstat
    ss Determines the relationship between processes and the connections being made to the system.

    /etc/sudoers line example: Disco ALL=(root) /sbin/ss
    Table 5. Solaris
    Command Purpose
    iscsiadm Gets iSCSI qualified names (IQNs).

    /etc/sudoers line example: ${sudo:iscsiadm list target -S}
    fcinfo Gets World Wide Port Names (WWPNs) for ports.

    /etc/sudoers line example: ${sudo:fcinfo remote-port -sl -p $port}
    prtvtoc Reports information about disk partitions.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/prtvtoc
    /usr/bin/ps Lists running process. As an alternative to running with root access, add a proc_owner role.sola.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/ps
    /usr/ucb/ps Lists running process. As an alternative to running with root access, add a proc_owner role.

    The use of the /usr/ucb/ps command is deprecated as of Solaris 11. Because Discovery requires the use of this command for all Solaris versions, you must install the ucb utility manually on Solaris 11 systems. For instructions, see KB0564262.

    /etc/sudoers line example: Disco ALL=(root) /usr/ucb/ps
    pgrep Gets list of process IDs (PIDs) with socket information.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/pgrep
    pfiles For each PID, gets and processes the output for S_IFSOCK.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/pfiles