SSH commands requiring a privileged user during probe-based discovery

  • Release version: Xanadu
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of SSH commands requiring a privileged user during probe-based discovery

    This information details the SSH commands used by ServiceNow Discovery probes during horizontal discovery that require elevated privileges. These commands are executed on target systems via SSH and necessitate privileged access to gather critical system and hardware information.

    Show full answer Show less

    It is important to configure the target systems properly to allow these commands to run securely and effectively, using the appropriate sudo permissions without requiring passwords, especially when using SSH key-based authentication.

    Key Configuration Considerations

    • Username substitution: Replace the example user "disco" with your actual user configured on the target system.
    • Path verification: Ensure the command paths in the sudoers file match those on the target system.
    • Sudo NOPASSWD option: Since sudo commands won’t work with private key credentials without a password prompt, configure sudo to allow specified commands to run without a password by adding NOPASSWD entries in the sudoers file.
    • SSH host key validation: The MID Server does not validate SSH host keys, which can expose connections to man-in-the-middle attacks. To mitigate risk, avoid sending sensitive credentials and use SSH keys or certificates for authentication.

    Commands Requiring Elevated Privileges

    The commands vary by operating system. Below are key commands and their purposes, along with example sudoers file entries:

    • HP-UX: adb to gather CPU speed and memory information.
    • Linux (all versions):
      • dmidecode: hardware details, including motherboard serial number
      • fdisk -l: disk and size information
      • multipath -ll: MultiPath I/O device mappings
    • Linux and Solaris:
      • dmsetup table and dmsetup ls: low-level volume examination
    • All UNIX versions:
      • lsof, netstat, ss: process and connection relationships
      • oratab: read access for Oracle Home and pfile locations
    • Solaris-specific:
      • iscsiadm: iSCSI qualified names (IQNs)
      • fcinfo: World Wide Port Names (WWPNs)
      • prtvtoc: disk partition reports
      • ps and /usr/ucb/ps: lists running processes (note: /usr/ucb/ps is deprecated in Solaris 11 and requires manual installation)
      • pgrep: process IDs with socket info
      • pfiles: process file information

    Practical Recommendations for ServiceNow Customers

    • Configure sudoers entries explicitly for each privileged command needed by Discovery probes, specifying absolute command paths and using NOPASSWD to enable passwordless execution.
    • Use SSH keys or certificates for authentication and avoid transmitting plaintext system credentials over SSH.
    • Review and match command paths on each target system to ensure Discovery commands run successfully.
    • Be aware that lack of SSH host key validation by the MID Server requires minimizing sensitive data over SSH and ensuring secure network environments.
    • For Solaris 11, manually install the ucb utility if required for Discovery compatibility.

    These tables display the SSH commands run by Discovery probes during horizontal discovery. These SSH commands require elevated privileges to run.

    Operating system commands requiring elevated rights

    These examples assume that the user name is Disco. Substitute the actual user name and verify that the paths for the commands match the paths on the system.
    Note:
    Sudo commands don’t work with private key credentials, because there’s no password to supply to the sudo command. A solution is to add the NOPASSWD option to the sudo configuration. For example, you might enter: disco ALL=(root) NOPASSWD:/usr/sbin/dmidecode,/usr/sbin/lsof,/sbin/ifconfig.

    For information on commands that don’t require elevated rights, see SSH commands not requiring a privileged user during probe-based discovery.

    For information on commands used by Service Mapping during the top-down discovery, see Service Mapping commands requiring a privileged user and Service Mapping commands not requiring a privileged user.

    SSH key not validated

    When the MID Server connects to a system, the MID Server doesn’t perform host key validation against that system and so treats it as untrusted. If an attacker performs a man-in-the-middle attack and redirects the traffic to a malicious SSH service, the attacker can intercept or modify any data sent over the connection.

    Therefore, limit any sensitive information exchanged between the MID Server and the target SSH server. Only use keys or certificates for SSH authentication, and avoid sending system credentials. Configure NOPASSWD in the sudoers file for the required privileged commands.

    Table 1. HP-UX
    Command Purpose
    adb Gathers CPU speed and memory.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/adb
    Table 2. All Linux
    Command Purpose
    dmidecode Gathers several pieces of information about the hardware, including the serial number embedded within the motherboard.

    /etc/sudoers line example: Disco ALL=(root) /sbin/dmidecode
    fdisk Gathers the disks and size information on the system.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/fdisk -l
    multipath Gathers device mappings for MultiPath Input Output (MPIO).

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/multipath -ll
    Table 3. Linux and Solaris
    Command Purpose
    dmsetup Examines a low-level volume.

    /etc/sudoers line example

    • Disco ALL=(root) /usr/bin/dmsetup table *
    • Disco ALL=(root) /usr/bin/dmsetup ls
    Table 4. All UNIX versions
    Command Purpose
    lsof Determines the relationship between processes and the connections being made to the system.

    /etc/sudoers line example: Disco ALL=(root) /sbin/lsof
    oratab Grants read access to the oratab file for locating the Oracle Home and pfile.
    netstat Determines the relationship between processes and the connections being made to the system.

    /etc/sudoers line example: Disco ALL=(root) /bin/netstat
    ss Determines the relationship between processes and the connections being made to the system.

    /etc/sudoers line example: Disco ALL=(root) /sbin/ss
    Table 5. Solaris
    Command Purpose
    iscsiadm Gets iSCSI qualified names (IQNs).

    /etc/sudoers line example: ${sudo:iscsiadm list target -S}
    fcinfo Gets World Wide Port Names (WWPNs) for ports.

    /etc/sudoers line example: ${sudo:fcinfo remote-port -sl -p $port}
    prtvtoc Reports information about disk partitions.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/prtvtoc
    /usr/bin/ps Lists running process. As an alternative to running with root access, add a proc_owner role.sola.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/ps
    /usr/ucb/ps Lists running process. As an alternative to running with root access, add a proc_owner role.

    The use of the /usr/ucb/ps command is deprecated as of Solaris 11. Because Discovery requires the use of this command for all Solaris versions, you must install the ucb utility manually on Solaris 11 systems. For instructions, see KB0564262.

    /etc/sudoers line example: Disco ALL=(root) /usr/ucb/ps
    pgrep Gets list of process IDs (PIDs) with socket information.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/pgrep
    pfiles For each PID, gets and processes the output for S_IFSOCK.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/pfiles