Page tree

Skip to end of metadata
Go to start of metadata

BMC Atrium Discovery is shipped without any commands that use privileged execution. The following example illustrates how to add privileged execution to lsof commands. You must to do the same for any command that you want to execute as a privileged user. The individual discovery scripts for each platform, getDeviceInfo, getFileSystems, and so on, use a privilege mechanism which is configured in the initialise script. You do not need to edit the individual scripts to escalate privileges, only the initialise script.

To configure execution of a command as a privileged user:

  1. In the Discovery section of the Administration page, click Platforms.
  2. Click the operating system link corresponding to the commands on which you want to add the privileged execution.
  3. Click Edit in the Action column of the initialise method row.
    The edit window is shown containing the script.
  4. Click in the edit window to enlarge it, as illustrated in the following screen.
    This screen illustrates clicking in the edit window to enlarge it.
  5. Use the find function in your browser to search for the PRIV section (search for PRIV_XXX to find the beginning of the PRIV section).
  6. In the PRIV function (in this example PRIV_LSOF), add the command required (such as sudo, pbrun, or dzdo) to run the commands as a privileged user.
    For example:
    PRIV_LSOF() { 
      sudo "$@" 

    Alternatively, if you need to specify the path:
    PRIV_LSOF() { 
    /usr/bin/sudo "$@" } 
  7. Click Apply to apply the changes. The screen is refreshed and the initialise method is highlighted to show that it has changed from the default.
    This screen illustrates the highlighting in the initialise method showing that it has been changed from the default.
  8. Click Show Differences to show the differences between the default script and the current script.
    This screen illustrates the view showing the differences between the default script and the one just edited.

The $@ represents the command that BMC Atrium Discovery issues. Adding sudo (or similar privileged command) tells it how to escalate the privilege for that command. Now when a script needs to call lsof, it calls the PRIV_LSOF() command with the full command it needs to run, which then runs lsof with the correct privilege.

If the path is specified, it will affect all discovery commands that use that function. The privileged command may not always be at the same place on all discovery targets.

If the path is not specified, the privileged command will be found with the path of the user profile and the BMC Atrium Discovery path environment variable. You can check the path environment variable as it is displayed at the top of the Platforms page.

You must add a privileged execution method to whichever commands you require in order to gain the fullest possible discovery. The available commands, their impact on discovery and the platforms they are available on described on the Privileged commands page.

Password prompt in privileged command execution

Where the sudo (or similar privileged command) configuration on a target host requires the user password to be entered at the command line, discovery will resend the credential already used to log on to the target.

In such situation however, if the default sudo "Password:" prompt has been customized on target systems (e.g. by setting the SUDO_PROMPT environment variable, or specifying a passprompt entry in the target's sudoers file), then the initialize script for the corresponding platform would need to be edited to specify:


Privileged commands in Solaris

Solaris versions 9 and later no longer use sudo as the preferred method of privilege escalation, rather, they use a more sophisticated Role Based Access Control (RBAC) privilege mechanism. One of the ways of granting a user escalated privileges is to assign them a role, which can be either system, or user defined. The preferred way to provide escalated privileges for BMC Atrium Discovery is to grant the proc_owner role to the discovery user. This enables the discovery user to obtain information on processes that belong to other users.

An alternative method is to use elevated profiles using the pfexec command. This prompts for a password, but will be handled by the discovery scripts in the same way as sudo.

  • No labels