SSH commands requiring a privileged user during probe-based discovery

Release version: Yokohama

Updated January 30, 2025

2 minutes to read

Summarize

Summarized using AI

Summary of SSH commands requiring a privileged user during probe-based discovery

This document outlines the SSH commands that ServiceNow Discovery probes execute during horizontal discovery which require elevated (privileged) user rights. It explains the necessity of configuring these commands with appropriate sudo privileges and highlights security considerations related to SSH key authentication and host key validation.

Show full answer Show less

Key Details for ServiceNow Customers

Privileged Commands Usage: Discovery probes require certain OS commands to run with elevated privileges to gather hardware, network, and process information. These commands vary by operating system (HP-UX, Linux, Solaris, UNIX).
User and Sudo Configuration: The example user name is Disco, which you should replace with your actual user. Commands must be added to the sudoers file with the NOPASSWD option to allow passwordless privilege escalation. For example:
disco ALL=(root) NOPASSWD:/usr/sbin/dmidecode,/usr/sbin/lsof,/sbin/ifconfig
SSH Authentication Considerations: Private key-based SSH authentication does not support sudo commands requiring passwords. Configuring NOPASSWD in sudoers avoids this issue. Also, the MID Server does not validate SSH host keys, which poses a potential security risk. Limit sensitive data sent over SSH and prefer key/certificate authentication over passwords.

Commands by Operating System

Each OS uses specific privileged commands during discovery. Below are important commands and their purposes, along with example sudoers entries:

HP-UX: adb for CPU speed and memory info.
Sudo example: disco ALL=(root) /usr/bin/adb
Linux (all versions):
- dmidecode – hardware details including motherboard serial number
- fdisk – disk and size info
- multipath – device mappings for multipath I/O
Sudo examples include:
disco ALL=(root) /sbin/dmidecode,
disco ALL=(root) /usr/bin/fdisk -l,
disco ALL=(root) /usr/bin/multipath -ll
Linux and Solaris: dmsetup to examine low-level volumes.
Sudo examples:
disco ALL=(root) /usr/bin/dmsetup table
disco ALL=(root) /usr/bin/dmsetup ls
All UNIX Versions:
- lsof – relationship between processes and connections
- oratab – read access for Oracle Home locations
- netstat, ss – process and connection info
Example sudoers:
disco ALL=(root) /sbin/lsof
disco ALL=(root) /bin/netstat
disco ALL=(root) /sbin/ss
Solaris Specific:
- iscsiadm – iSCSI qualified names
- fcinfo – World Wide Port Names for Fibre Channel ports
- prtvtoc – disk partition info
- ps – process listing; alternatively, assign procowner role to avoid root access
- pgrep – list PIDs with socket info
- pfiles – detailed file info for processes
Sudoers entries example:
disco ALL=(root) /usr/bin/prtvtoc
disco ALL=(root) /usr/bin/ps
disco ALL=(root) /usr/bin/pgrep

Security Recommendations

Configure sudoers with NOPASSWD for required commands to allow Discovery probes to run privileged commands without password prompts.
Use SSH keys or certificates for authentication and avoid sending system credentials over SSH.
Be aware that MID Server does not validate SSH host keys, so limit sensitive data exposure to reduce risk from man-in-the-middle attacks.

These tables display the SSH commands run by Discovery probes during horizontal discovery. These SSH commands require elevated privileges to run.

Operating system commands requiring elevated rights

These examples assume that the user name is Disco. Substitute the actual user name and verify that the paths for the commands match the paths on the system.

Note:

Sudo commands don’t work with private key credentials, because there’s no password to supply to the sudo command. A solution is to add the NOPASSWD option to the sudo configuration. For example, you might enter:

disco ALL=(root)
                  NOPASSWD:/usr/sbin/dmidecode,/usr/sbin/lsof,/sbin/ifconfig

For information on commands that don’t require elevated rights, see Non-privileged SSH commands during probe-based discovery.

For information on commands used by Service Mapping during the top-down discovery, see Service Mapping commands requiring a privileged user and Service Mapping commands not requiring a privileged user.

SSH key not validated

When the MID Server connects to a system, the MID Server doesn’t perform host key validation against that system and so treats it as untrusted. If an attacker performs a man-in-the-middle attack and redirects the traffic to a malicious SSH service, the attacker can intercept or modify any data sent over the connection.

Therefore, limit any sensitive information exchanged between the MID Server and the target SSH server. Only use keys or certificates for SSH authentication, and avoid sending system credentials. Configure NOPASSWD in the sudoers file for the required privileged commands.

Table 1. HP-UX
Command	Purpose
adb	Gathers CPU speed and memory. /etc/sudoers line example: `Disco ALL=(root) /usr/bin/adb`

Table 2. All Linux
Command	Purpose
dmidecode	Gathers several pieces of information about the hardware, including the serial number embedded within the motherboard. /etc/sudoers line example: `Disco ALL=(root) /sbin/dmidecode`
fdisk	Gathers the disks and size information on the system. /etc/sudoers line example: `Disco ALL=(root) /usr/bin/fdisk -l`
multipath	Gathers device mappings for MultiPath Input Output (MPIO). /etc/sudoers line example: `Disco ALL=(root) /usr/bin/multipath -ll`

Table 3. Linux and Solaris
Command	Purpose
dmsetup	Examines a low-level volume. /etc/sudoers line example `Disco ALL=(root) /usr/bin/dmsetup table *` `Disco ALL=(root) /usr/bin/dmsetup ls`

Table 4. All UNIX versions
Command	Purpose
lsof	Determines the relationship between processes and the connections being made to the system. /etc/sudoers line example: `Disco ALL=(root) /sbin/lsof`
oratab	Grants read access to the oratab file for locating the Oracle Home and pfile.
netstat	Determines the relationship between processes and the connections being made to the system. /etc/sudoers line example: `Disco ALL=(root) /bin/netstat`
ss	Determines the relationship between processes and the connections being made to the system. /etc/sudoers line example: `Disco ALL=(root) /sbin/ss`

Table 5. Solaris
Command	Purpose
iscsiadm	Gets iSCSI qualified names (IQNs). /etc/sudoers line example: `${sudo:iscsiadm list target -S}`
fcinfo	Gets World Wide Port Names (WWPNs) for ports. /etc/sudoers line example: `${sudo:fcinfo remote-port -sl -p $port}`
prtvtoc	Reports information about disk partitions. /etc/sudoers line example: `Disco ALL=(root) /usr/bin/prtvtoc`
/usr/bin/ps	Lists running process. As an alternative to running with root access, add a proc_owner role.sola. /etc/sudoers line example: `Disco ALL=(root) /usr/bin/ps`
/usr/ucb/ps	Lists running process. As an alternative to running with root access, add a proc_owner role. The use of the `/usr/ucb/ps` command is deprecated as of Solaris 11. Because Discovery requires the use of this command for all Solaris versions, you must install the ucb utility manually on Solaris 11 systems. For instructions, see KB0564262. /etc/sudoers line example: `Disco ALL=(root) /usr/ucb/ps`
pgrep	Gets list of process IDs (PIDs) with socket information. /etc/sudoers line example: `Disco ALL=(root) /usr/bin/pgrep`
pfiles	For each PID, gets and processes the output for S_IFSOCK. /etc/sudoers line example: `Disco ALL=(root) /usr/bin/pfiles`