This documentation supports the 21.3 (12.3) version of BMC Discovery.


Adding privileged execution to commands

BMC Discovery is shipped without any commands that use privileged execution. The following example procedure describes how to add privileged execution to lsof commands. You must do the same for any command that you want to execute as a privileged user. 

The individual discovery scripts for each platform, getDeviceInfogetFileSystems, and so on, use a privilege mechanism that is configured in the initialise script. You do not need to edit the individual scripts to escalate privileges, only the initialise script.

Configuring privileges

Discovery of UNIX, Linux and related systems requires elevated privileges to retrieve detailed information. This is controlled using the privilege functions that are defined during session initialization. For example, the PRIV_CAT command is used in getDirectoryListing, getFileContent and getFileMetadata platform scripts on Linux to check the ability to run a process. However, the path to privilege escalation commands may not be the same in all IT environments. For example, in some cases, PowerBroker may be used to delegate UNIX/Linux privileges, which may require specifying a different path to commands. Also, you may want to grant privilege escalation to only specific commands. You can do this using the Configure Privileges option for the initialise method. This is a simpler and faster way to configure the execution of a command as a privileged user than the earlier Edit option for the initialise method. However, the Edit option is still valid and you may continue to use it instead of Configure Privileges.

To configure privilege escalation

  1. From the main menu, click the Administration icon.
    The Administration page opens.
  2. In the Discovery section, click Platforms.
  3. Click the OS link for the platform on which you want to configure privilege escalation. 
    The Shell Scripts tab is displayed.



  4. In the Action column of the initialise method row, click Configure Privileges.



  5. In the Path to command field, enter the path to privilege escalation command, specific to your IT environment. For example, enter /usr/bin/sudo.
  6. By default, the Allow patterns to run commands with elevated privileges checkbox is selected as that is the purpose of privilege escalation. Clear this checkbox only if you want to currently stop running commands with elevated privileges.
  7. The Command to escalate column lists all commands, such as cat, df, ls, and so on available for the OS. Select the checkboxes for only those commands that you want to run with elevated privileges. For example, to run only the cat and df commands with elevated privileges, select the /bin/cat and /bin/df checkboxes.
  8. Click Apply.
    You are asked to confirm the change.
  9. Click OK to save.
    This process updates the initialise method with your path and selected commands.

The Shell Scripts tab is displayed. In the Actions column, if you click the Edit option for the initialise method, and look for the PRIV section, you'll find that the commands you had selected for escalation are listed here along with the new path (for example, the cat and df commands with /usr/bin/sudo path). 

...
# cat requires superuser privileges to read some files belonging to
# other users
PRIV_CAT() {
    usr/bin/sudo cat "$@"
}
# df requires superuser privileges to report file systems owned by other
# users
PRIV_DF() {
    usr/bin/sudo "$@"
}
...

If you want to cancel your changes and revert to the original initialise script, then in the Actions column of the initialise method, click Reset to Default.

To configure execution of a command as a privileged user 

  1. From the main menu, click the Administration icon.
    The Administration page opens. 
  2. In the Discovery section, click Platforms.
  3. Click the OS link corresponding to the commands on which you want to add the privileged execution.
  4. In the Action column of the initialise method row, click Edit.
    The Edit window shows the script.
  5. Click in the edit window to enlarge it.



  6. In your browser, use the Find function to search for the PRIV section (search for PRIV_XXX to find the beginning of the PRIV section).
  7. In the PRIV function (in this example PRIV_RUNCMD), add the command required (for example, sudo, pbrun, or dzdo) to run the commands as a privileged user.
    For example:

    ...
    PRIV_RUNCMD() { 
      sudo "$@" 
    }
    ...
    


    Alternatively, if you need to specify the path:

    ...
    PRIV_RUNCMD() { 
    /usr/bin/sudo "$@" } 
    ...
    

    You can also limit the privilege escalation to a particular command; in this case, pmap:

    ...
    PRIV_RUNCMD() {
    if [ $1 = "pmap" or $1 = "usr/bin/pmap" ]; then
        sudo "$@"
    else
        "$@"
    fi
    }
    ...
  8. Click Apply.

    Important

    The screen is refreshed, and the initialise method is highlighted to show that it has changed from the default.




  9. Click Show Differences to see the differences between the default script and the current script. 

The $@ represents the command that BMC Discovery issues. Adding sudo (or a similar privileged command) tells it how to escalate the privilege for that command. Now when a script needs to call pmap, it calls the PRIV_RUNCMD() command with the full command it needs to run, which then runs pmap with the correct privilege.

Important

If the path is specified, it will affect all discovery commands that use that function. The privileged command might not always be at the same place on all discovery targets.

If the path is not specified, the privileged command will be found with the path of the user profile and the BMC Discovery path environment variable. You can check the path environment variable, see Managing the discovery platform scripts.

You must add a privileged execution method to whichever commands you require so that you gain the fullest possible discovery. The available commands, their impact on discovery, and the platforms they are available on are described on the Privileged commands page.

Password prompt in privileged command execution

Where the sudo (or similar privileged command) configuration on a target host requires the user password to be entered at the command line, discovery resends the credential already used to log on to the target.

In such situations however, if the default sudo "Password:" prompt has been customized on target systems (for example, by setting the SUDO_PROMPT environment variable, or specifying a passprompt entry in the target's sudoers file), then the initialize script for the corresponding platform must be edited to specify:

...
SUDO_PROMPT="Password:"
export SUDO_PROMPT
...

Privileged commands in Solaris

Solaris versions 9 and later no longer use sudo as the preferred method of privilege escalation, rather, they use a more sophisticated Role Based Access Control (RBAC) privilege mechanism. One of the ways of granting a user escalated privileges is to assign them a role, which can be either system, or user defined. The preferred way to provide escalated privileges for BMC Discovery is to grant the proc_owner role to the discovery user. This enables the discovery user to obtain information on processes that belong to other users.

An alternative method is to use elevated profiles using the pfexec command. This prompts for a password, but will be handled by the discovery scripts in the same way as sudo.

Was this page helpful? Yes No Submitting... Thank you

Comments