Privileged Command Execution (sudo)

Version 10

    Parent Document:  ADDM Support Guide - Chapter 11 - Security, Script Errors, Debugging

     

    Update - as of 02-Dec-2016

    I am trying to update and rationalize our sudo commands across the Bank. We now have a new sudo config; please see the last section of this document, which is entirely new.

     

    Privileged Command Execution

     

    On UNIX, ADDM requires elevated privilege to run many commands. When designing your sudo configuration you need to understand which commands ADDM executes during discovery: there are over 1,000 distinct command lines (see the command file matrix below).

     

    Command File Matrix

     

    The full list of commands run during discovery is provided in a spreadsheet that can be downloaded from the BMC Electronic Product Download (EPD) web site. The screenshot referenced here shows the EPD site with the file to download marked with a check mark.

    (image: addm-security-additional-commands.jpg)

    In the patterns there are 1044 separate UNIX command lines that are executed by runCommand() during Additional Discovery.

     

    sudo for Solaris

     

    Standard Discovery

    Elevated privileges are required to run the platform scripts (Standard Discovery), which are called solaris.sh, linux.sh, aix.sh and so on. These scripts gather DDD (Directly Discovered Data) and ship it back to the Discovery Appliance; patterns are then triggered which populate additional inferred nodes.

    sudo provides a way to give the UNIX service account (addmuser) elevated privileges (i.e. root) for running specific commands inside those discovery scripts.

     

    Additional Discovery

     

    The patterns can trigger Additional Discovery, which executes further commands on the target host. It is therefore incorrect to assume that UNIX commands are invoked only from within the platform scripts such as solaris.sh.

    At the bottom of each DA (Discovery Access) record there is an Additional Discovery section which lists any script failures. sudo may need to be configured for some of these if discovery of certain applications is failing.

     

    Please note: you also need to check the Script Successes. ADDM does not reliably distinguish script failures from script successes, because it does not distinguish output written to stderr from output written to stdout. Most of the command lines carry the suffix 2>&1, which redirects error output (stderr) into the normal output stream (stdout). ADDM also does not examine the exit status of the command.

     

    For Additional Discovery, configuring sudo may become an iterative process in which commands that show up as script failures are added to the sudo config over the course of several months or years.

     

    Why not RBAC?

     

    sudo is recommended rather than Solaris RBAC because a sudoers entry can restrict the command line arguments as well as the command; an RBAC execution profile (exec_attr) grants a command path without regard to its arguments.

     

    Edit ADDM Discovery Script

     

    The PRIV_* function definitions in the solaris.sh script must be edited as shown in the example below. Use the absolute path of the sudo binary actually installed on the host: this example uses /opt/sfw/bin/sudo, whereas the full script later in this document uses /usr/local/bin/sudo.

    # lsof requires superuser privileges to display information on processes
    # other than those running as the current user
    PRIV_LSOF() {
        /opt/sfw/bin/sudo "$@"
    }

     

    Add file into directory: /etc/sudoers.d

     

    The following entries are recommended. A new file called /etc/sudoers.d/addm_sudoers should be pushed out to all Solaris servers. For it to take effect, /etc/sudoers must contain a #includedir /etc/sudoers.d line, the file must be mode 0440 and owned by root, and its name must not contain a dot or end in a tilde (sudoers(5): #includedir skips such files). Also make sure that every option in the file is an ASCII hyphen (for example PatrolAgent -v); a typographic dash pasted in from a document will never match the command the script runs.

     

    02-Dec-2016 - I have updated this config; please see the end of this document.

     

    ########################################################
    # File: /etc/sudoers.d/addm_sudoers
    # BMC ADDM - sudo access for addmuser to gather data
    User_Alias ADDMGRP = addmuser, %addm
    Cmnd_Alias ADDMMGMT = /usr/bin/ls *, /usr/bin/cat *, /usr/bin/kstat *, /usr/bin/ps *, /usr/ucb/ps *, \
        /usr/sbin/ifconfig -a, /usr/bin/test *, /usr/local/bin/lsof *, /opt/SUNWsneep/bin/sneep *, \
        /sbin/dladm show-aggr, /sbin/dladm show-dev, /sbin/dladm show-ether, /sbin/dladm show-vlan, \
        /bin/df -lk, /usr/bin/pargs *, /usr/sbin/virtinfo -ap, /bin/egrep *, \
        /opt/Patrol3/PatrolAgent -v, /usr/bin/grep *
    ADDMGRP ALL = (root) NOPASSWD: ADDMMGMT
    ########################################################
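    The following is an added example for this guide, not part of ADDM and not the Bank's packaging: a small POSIX shell script that checks a sudoers.d fragment such as the one above before it is pushed out. It assumes only the sudoers(5) rules for #includedir and file modes, and calls visudo for the syntax check when visudo is present (it is skipped with a warning otherwise). Each check is its own function so that a packaging job can pick the ones it needs.

```shell
#!/bin/sh
# Added example for this guide (not ADDM's own tooling): checks to run on a
# sudoers.d fragment such as /etc/sudoers.d/addm_sudoers before it is pushed
# to every Solaris host. Each check is a separate function so it can be used
# on its own; check_sudoers_fragment runs them all.
# Assumptions: sudoers(5) semantics for #includedir and file modes, and a
# visudo binary for the syntax check (skipped with a warning if absent).

# 1. File name. #includedir skips any file whose name contains '.' or ends
#    in '~', so "addm_sudoers.bak" or an editor backup is silently ignored,
#    which is easy to mistake for a sudoers rule that "does not work".
check_fragment_name() {
    base=${1##*/}
    case "$base" in
        *.*|*~)
            echo "FAIL: '$base' contains '.' or ends in '~'; #includedir ignores it" >&2
            return 1 ;;
    esac
    return 0
}

# 2. Mode. A default sudo build rejects a fragment whose mode is wider than
#    0440 or which is not owned by root. ls(1) output is parsed rather than
#    stat(1) because the stat flags differ between Solaris, Linux and BSD.
check_fragment_mode() {
    [ -f "$1" ] || { echo "FAIL: $1 does not exist" >&2; return 1; }
    perms=$(ls -ld "$1" | cut -c1-10)
    if [ "$perms" != "-r--r-----" ]; then
        echo "FAIL: $1 has mode $perms, expected -r--r----- (0440)" >&2
        return 1
    fi
    return 0
}

# 3. The main sudoers file must include the directory, or nothing in
#    /etc/sudoers.d is ever read. Both the "#includedir" spelling and the
#    newer "@includedir" spelling are accepted.
check_includedir() {
    main_sudoers=${1:-/etc/sudoers}
    if [ ! -r "$main_sudoers" ]; then
        echo "FAIL: cannot read $main_sudoers" >&2
        return 1
    fi
    if grep -Eq '^[#@]includedir[[:space:]]+/etc/sudoers\.d' "$main_sudoers"; then
        return 0
    fi
    echo "FAIL: $main_sudoers has no includedir line for /etc/sudoers.d" >&2
    return 1
}

# 4. Syntax. "visudo -c -f FILE" parses the fragment without installing it.
#    visudo also verifies owner and mode, so run this as root (or expect a
#    "bad owner" report on a file you created as yourself).
check_fragment_syntax() {
    if ! command -v visudo >/dev/null 2>&1; then
        echo "WARN: visudo not found; syntax of $1 not checked" >&2
        return 0
    fi
    if visudo -c -f "$1" >/dev/null 2>&1; then
        return 0
    fi
    echo "FAIL: visudo -c -f $1 reported an error" >&2
    return 1
}

# Run everything; the exit status is non-zero if any check failed.
# Usage: check_sudoers_fragment /path/to/addm_sudoers [/path/to/sudoers]
check_sudoers_fragment() {
    rc=0
    check_fragment_name "$1"              || rc=1
    check_fragment_mode "$1"              || rc=1
    check_includedir "${2:-/etc/sudoers}" || rc=1
    check_fragment_syntax "$1"            || rc=1
    return $rc
}
```

    Run it on the build host as root against the staged file and the target's /etc/sudoers copy; a fragment that passes here but still "does nothing" on a host almost always points at a missing #includedir line on that host.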

     

     

    cat *

     

    The "cat *" entry caused considerable debate, because it lets addmuser read any file as root, /etc/shadow included. Unfortunately it cannot be tightened, because the Additional Discovery commands invoked from within the patterns (getFileContent) read arbitrary paths. Bear in mind that "grep *" and "egrep *" grant the same read-anything capability, and that a wildcard in sudoers also matches spaces, so "cat *" permits "cat /etc/shadow /etc/sudoers" in a single call. A "!" exclusion such as !/usr/bin/cat /etc/shadow is not a fix either: the argument is compared as a string, so cat /etc/./shadow slips past it.

     

    One UNIX administrator tried to convince me that this entry can be used to overwrite a file with the command:

     

    cat /tmp/passwd > /etc/passwd

     

    This is false. The redirection is performed by the invoking user's shell before sudo starts: sudo receives only the words "cat /tmp/passwd", and it is the shell, still running as addmuser, that tries to open /etc/passwd for writing and fails with permission denied. The same holds for a pipe (|) and a semicolon (;): each operator separates commands, and only the command that begins with sudo runs as root. When you think about it this is sensible; otherwise every sudo rule with a wildcard would be a gaping security hole.
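    To make the two points above concrete, here is an added example (mine, not code from this page or from BMC) that reproduces sudoers argument matching in POSIX shell and shows what sudo is actually handed when the caller writes a redirection. It follows sudoers(5): a bare path permits any arguments, a "" argument list permits none, and otherwise the user's arguments are joined with single spaces and matched as one string against the entry's glob with fnmatch(3), where * also matches spaces and slashes; a shell case pattern matches the same way, so it stands in for real sudo here. The dmidecode lines go beyond the Solaris fragment: they show why a bare path such as /usr/sbin/dmidecode in the Linux table below permits any arguments at all. The fake_sudo function, the sample command lines and the temporary file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this guide, not part of ADDM or of the original page.
# It reproduces, without touching a real sudo, two things the text relies on:
# how sudoers decides whether "cat *" (or any other Cmnd_Alias entry) permits
# a given command line, and what sudo actually receives when the caller types
# "sudo cat /tmp/passwd > /etc/passwd".

# Decide whether a sudoers command entry (e.g. "/usr/bin/cat *") permits a
# command line (e.g. "/usr/bin/cat /etc/shadow"), following sudoers(5):
# the path must match; an entry with no arguments permits ANY arguments; an
# entry whose arguments are "" permits no arguments; otherwise the user's
# arguments, joined by single spaces, are matched as one string against the
# entry's argument glob, where '*' also matches spaces and '/'. A POSIX
# 'case' pattern behaves the same way and stands in for fnmatch(3).
# Returns 0 (permit) or 1 (deny).
sudoers_allows() {
    entry=$1
    cmdline=$2
    entry_path=${entry%% *}
    entry_args=${entry#"$entry_path"}
    entry_args=${entry_args# }
    cmd_path=${cmdline%% *}
    cmd_args=${cmdline#"$cmd_path"}
    cmd_args=${cmd_args# }

    case "$cmd_path" in
        $entry_path) ;;              # unquoted on purpose: the entry is a glob
        *) return 1 ;;
    esac
    if [ -z "$entry_args" ]; then
        return 0                     # bare path: any arguments are permitted
    fi
    if [ "$entry_args" = '""' ]; then
        [ -z "$cmd_args" ]           # "" in sudoers: only with no arguments
        return $?
    fi
    case "$cmd_args" in
        $entry_args) return 0 ;;     # whole argument string against the glob
        *) return 1 ;;
    esac
}

# Stand-in for sudo that only reports the argument vector it was handed.
fake_sudo() {
    printf '%s\n' "$*"
}

# The claim from the text: "cat /tmp/passwd > /etc/passwd" with cat under
# sudo. The calling shell parses the redirection and opens the target file
# itself, as the caller, before the command starts; sudo is given only the
# words to the left of '>'. This function returns exactly those words.
argv_seen_by_sudo() {
    out=$(mktemp) || return 1
    fake_sudo cat /tmp/passwd > "$out"   # the '>' is consumed here, not by sudo
    cat "$out"
    rm -f "$out"
}

# Walk through the entries discussed in the text and print the verdicts.
main() {
    printf 'sudo receives: [%s]\n' "$(argv_seen_by_sudo)"
    for pair in \
        '/usr/bin/cat *|/usr/bin/cat /etc/shadow' \
        '/usr/bin/cat *|/usr/bin/cat /etc/shadow /etc/sudoers' \
        '/usr/bin/cat *|/usr/bin/cat /etc/./shadow' \
        '/usr/sbin/ifconfig -a|/usr/sbin/ifconfig -a' \
        '/usr/sbin/ifconfig -a|/usr/sbin/ifconfig -a plumb' \
        '/usr/sbin/dmidecode|/usr/sbin/dmidecode --dump-bin /tmp/x' \
        '/usr/sbin/dmidecode ""|/usr/sbin/dmidecode'
    do
        entry=${pair%%|*}
        cmdline=${pair#*|}
        if sudoers_allows "$entry" "$cmdline"; then
            verdict=PERMIT
        else
            verdict=DENY
        fi
        printf '%-24s  %-40s  %s\n' "$entry" "$cmdline" "$verdict"
    done
    return 0
}

main
```

    The real check on a host is "sudo -n -l COMMAND ARGS" as addmuser, which exits 0 only if the policy permits exactly that command line; the function above is only a way to reason about an entry before it is deployed.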

     

     

    Edit solaris.sh

     

    You need to edit the ADDM platform script for Solaris so that it uses sudo to invoke certain commands:

     

    • Click on the Administration tab.
    • Click on the Platforms icon in the Discovery section.
    • Click on Solaris.

    Edit the initialisation section of the solaris.sh script as shown below.

     

     

    solaris.sh script

     

    #!/bin/sh

     

    # Simple script to obtain host info from Solaris systems

    # Script is divided into sections to match discovery methods

     

    os=`uname -s`

    if [ "$os" != "SunOS" ]; then

        echo This script must be run on Solaris

        exit 1

    fi

     

    # Set PATH

    PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin

    export PATH

     

    # Initialisation

    tw_locale=`locale -a | grep -i en_us | grep -i "utf.*8" | head -n 1 2>/dev/null`

     

    LANGUAGE=""

    if [ "$tw_locale" != "" ]; then

        LANG=$tw_locale

        LC_ALL=$tw_locale

    else

        LANG=C

        LC_ALL=C

    fi

    export LANG LC_ALL

     

     

    # Stop alias commands changing behaviour.

    unalias -a

     

    # Insulate against systems with -u set by default.

    set +u

     

    if [ -w /tmp ]

    then

        # use a /tmp file to capture stderr

    TW_CAPTURE_FILE=/tmp/tideway_status_$$

        export TW_CAPTURE_FILE

        rm -f $TW_CAPTURE_FILE

     

        tw_capture(){

            TW_NAME=$1

            shift

            echo begin cmd_status_err_$TW_NAME >>$TW_CAPTURE_FILE

            "$@" 2>>$TW_CAPTURE_FILE

            RETURN_VAL=$?

            echo end cmd_status_err_$TW_NAME >>$TW_CAPTURE_FILE

     

            echo cmd_status_$TW_NAME=$RETURN_VAL >>$TW_CAPTURE_FILE

            return $RETURN_VAL

        }

     

        tw_report(){

            if [ -f $TW_CAPTURE_FILE ]

            then

                cat $TW_CAPTURE_FILE 2>/dev/null

                rm -f $TW_CAPTURE_FILE 2>/dev/null

            fi

        }

    else

        # can't write to /tmp - do not capture anything

        tw_capture(){

            shift

            "$@" 2>/dev/null

        }

     

        tw_report(){

            echo "cmd_status_err_status_unavailable=Unable to write to /tmp"

        }

    fi

     

    # replace the following PRIV_XXX functions with one that has the path to a

    # program to run the commands as super user, e.g. sudo. For example

    # PRIV_LSOF() {

    #   /usr/bin/sudo "$@"

    # }

     

    # lsof requires superuser privileges to display information on processes

    # other than those running as the current user

    PRIV_LSOF() {

      /usr/local/bin/sudo "$@"

    }

     

    # This function supports running privileged commands from patterns.
    # Only the command names listed here go through sudo; anything else runs
    # unprivileged. Match on the command word ($1) rather than on the whole
    # command line, otherwise "grep -i foo /etc/file" never takes the sudo
    # branch (a case pattern of "grep)" only matches a bare "grep" with no
    # arguments).
    PRIV_RUNCMD() {
      SUDO="/usr/local/bin/sudo"
      case "$1" in
        grep|*/grep|egrep|*/egrep)
          $SUDO "$@"
          ;;
        /opt/patrol35/Patrol3/PatrolAgent)
          # only the -v invocation is privileged; note that the sudoers
          # fragment above lists /opt/Patrol3/PatrolAgent, so the two paths
          # must be reconciled or sudo will deny the call
          if [ "$*" = "/opt/patrol35/Patrol3/PatrolAgent -v" ]; then
            $SUDO "$@"
          else
            "$@"
          fi
          ;;
        *)
          "$@"
          ;;
      esac
    }

     

    # This function supports privileged cat of files.

    # Used in patterns and to get file content.

    PRIV_CAT() {

      /usr/local/bin/sudo cat "$@"

    }

     

    # This function supports privilege testing of attributes of files.

    # Used in conjunction with PRIV_CAT and PRIV_LS

    PRIV_TEST() {

      /usr/local/bin/sudo test "$@"

    }

     

    # This function supports privilege listing of files and directories

    # Used in conjunction with PRIV_TEST

    PRIV_LS() {

      /usr/local/bin/sudo ls "$@"

    }

     

    # This function supports privilege listing of file systems and related

    # size and usage.

    PRIV_DF() {

      /usr/local/bin/sudo "$@"

    }

     

    tw_which() {

      SAVE=$IFS

      IFS=:

      for d in $PATH

      do

        if [ -x $d/$1 -a ! -d $d/$1 ]

        then

            echo $d/$1

            break

        fi

      done

      IFS=$SAVE

    }

     

    # dmidecode requires superuser privileges to read data from the system BIOS

    # on Solaris X86 platforms only

    PRIV_DMIDECODE() {

        "$@"

    }

     

    # ifconfig requires superuser privileges to display the MAC address of each

    # interface

    PRIV_IFCONFIG() {

        /usr/local/bin/sudo "$@"

    }

     

    # dladm requires superuser privileges to display speed, duplex settings, and

    # port aggregation information

    PRIV_DLADM() {

        /usr/local/bin/sudo "$@"

    }

     

    # ndd requires superuser privileges to display any interface speed

    # and negotiation settings

    PRIV_NDD() {

        /usr/local/bin/sudo "$@"

    }

     

    # By default, the standard ps command on Solaris will truncate command lines

    # to 80 characters. This affects Solaris 11, Solaris 10 and Solaris 8 & 9

    # with certain patches.

    #

    # In order to display unlimited command lines, there are several options:

    #

    #   pargs - This tool is available in more recent updates of Solaris 9 and

    #           all updates of Solaris 10 and later. This tool requires the

    #           proc_owner privilege to display unlimited command lines for all

    #           processes.

    #

    #   /usr/bin/ps - On Solaris 11, the standard ps command can display

    #           unlimited command lines by using BSD style command line arguments.

    #           This still requires the the tool is run with proc_owner privilege

    #

    #  /usr/ucb/ps - This tool is part of the UCB compatibility package which is

    #           usually installed by default on versions up to and including

    #           Solaris 10 (SUNWscpu package). This tool requires the

    #           proc_owner privilege to display unlimited command lines for all

    #           processes.

    #

    #           On Solaris 11, the compatibility/ucb is not usually installed

    #           by default and in any case, the /usr/ucb/ps command is simply

    #           a link to /usr/bin/ps

    #

    # In order for the Discovery Condition pattern to correctly detect whether

    # ps is being executed with proc_owner privilege, this function must accept

    # both the ps command and the ppriv command used by pattern.

    PRIV_PS() {

        /usr/local/bin/sudo "$@"

    }

     

    # See comments above PRIV_PS, above

    PRIV_PARGS() {

        /usr/local/bin/sudo "$@"

    }

     

    # lputil requires superuser privileges to display any HBA information

    PRIV_LPUTIL() {

        "$@"

    }

     

    # hbacmd requires superuser privileges to display any HBA information

    PRIV_HBACMD() {

        "$@"

    }

     

    # emlxadm requires superuser privileges to display any HBA information

    PRIV_EMLXADM() {

        "$@"

    }

     

    # fcinfo requires superuser privileges to display any HBA information

    PRIV_FCINFO() {

        "$@"

    }

     

    # pfiles requires superuser privileges to display open port information

    # for processes not running as the current user

    PRIV_PFILES() {

        "$@"

    }

     

    # Formatting directive

    echo FORMAT Solaris

     

    # getDeviceInfo

    echo --- START device_info

    ihn=`hostname 2>/dev/null`

    echo 'hostname:' $ihn

    if [ -r /etc/resolv.conf ]; then

        echo 'dns_domain:' `awk '/^(search|domain)/ { print $2; exit }' /etc/resolv.conf 2>/dev/null`

    fi

    echo 'domain:' `domainname 2>/dev/null`

    if [ -r /etc/release ]; then

        echo 'os:' `head -1 /etc/release 2>/dev/null`

    else

        echo 'os:' `uname -sr 2>/dev/null`

    fi

    echo 'os_arch:' `isainfo -k 2>/dev/null`

    echo --- END device_info

     

    # getHostInfo

    echo --- START host_info

    os_ver=`uname -r | cut -d. -f2`

    if [ $os_ver -ge 11 ]; then

         pkg list -H --no-refresh system/kernel | awk '{print "kernel:", $2; exit}'

    else

        showrev 2>/dev/null | nawk -F: '/^Kernel version/ {gsub("^ *", "", $2); print "kernel:", $2; exit}'

    fi

    echo 'model:' `uname -i 2>/dev/null`

    /usr/sbin/prtconf 2>/dev/null | nawk '/^Memory size:/ {print "ram: " $3 "MB"}'

     

    # Run kstat cpu_info to get full CPU information, if possible

    echo 'begin kstat_cpu_info:'

    kstat cpu_info 2>/dev/null

    echo 'end kstat_cpu_info:'

     

    if [ `uname -p` = i386 ]; then

        if [ -x /usr/sbin/smbios ]; then

            /usr/sbin/smbios -t SMB_TYPE_SYSTEM 2>/dev/null | nawk '{

                if( $1 ~ /Manufacturer:/ ) { sub(".*Manufacturer: *","");  printf( "vendor: %s\n", $0 ); }

                if( $1 ~ /Product:/ ) { sub(".*Product: *",""); printf( "model: %s\n", $0 ); }

                if( $1 ~ /Serial/ && $2 ~ /Number:/ ) { sub(".*Serial Number: *",""); printf( "serial: %s\n", $0 ); }

            }'

        else

            if [ -f /usr/sbin/dmidecode ]; then

                PRIV_DMIDECODE /usr/sbin/dmidecode 2>/dev/null | nawk '/DMI type 1,/,/^Handle 0x0*[2-9]+0*/ {

                    if( $1 ~ /Manufacturer:/ ) { sub(".*Manufacturer: *","");  printf( "vendor: %s\n", $0 ); }

                    if( $1 ~ /Product/ && $2 ~ /Name:/ ) { sub(".*Product Name: *",""); printf( "model: %s\n", $0 ); }

                    if( $1 ~ /Serial/ && $2 ~ /Number:/ ) { sub(".*Serial Number: *",""); printf( "serial: %s\n", $0 ); }

                }'

            fi

        fi

    else

        # Solaris SPARC - use prtdiag if possible

        run_prtdiag=1

        if [ -x /usr/bin/zonename ]; then

            # Solaris 10 or later, check this is the global zone before attempting

            # to run prtdiag

            if [ `/usr/bin/zonename 2>/dev/null` != "global" ]; then

                # Non global zone, don't run prtdiag

                run_prtdiag=0

            fi

        fi

     

        if [ $run_prtdiag -eq 1 ]; then

            if [ -x /usr/platform/`uname -m`/sbin/prtdiag ]; then

    platdir=/usr/platform/`uname -m`/sbin

            else

    platdir=/usr/platform/`uname -i`/sbin

            fi

            if [ -x $platdir/prtdiag ]; then

                echo 'begin prtdiag:'

                $platdir/prtdiag -v 2>/dev/null

                echo ''

                echo 'end prtdiag'

            fi

        fi

    fi

     

    # Get serial number. We first try sneep as that knows how to collect the

    # serial number on the vast majority of Sun/Fujitsu machines. If that is not

    # available we try a few obvious fallbacks including any "Chassis Serial Number"

    # from prtdiag

    if [ -x /opt/SUNWsneep/bin/sneep ]; then

    serial=`/opt/SUNWsneep/bin/sneep 2>/dev/null`

        if [ "$serial" != "unknown" ]; then

            echo "serial: $serial"

        fi

    else

        # Sneep isn't available. Check for Fujitsu serialid command

        if [ -x /opt/FJSVmadm/sbin/serialid ]; then

    /opt/FJSVmadm/sbin/serialid | sed -e 's/serialid/serial/'

        fi

    fi

     

    echo 'hostid:' `hostid`

    if [ -r /etc/ssphostname ]; then

        # E10K support

        echo 'ssphostname:' `cat /etc/ssphostname`

    fi

    if [ -x /usr/bin/zonename ]; then

        # Solaris 10 zone support

        echo 'zonename:' `/usr/bin/zonename 2>/dev/null`

    fi

    if [ -x /usr/sbin/zoneadm ]; then

        # Solaris 10 zone support

        echo 'begin zoneadm:'

        /usr/sbin/zoneadm list -ip 2>/dev/null

        echo 'end zoneadm:'

    fi

    if [ -x /usr/sbin/virtinfo ]; then

        # LDOM support for Solaris 11 in system/core-os, and Solaris 9/10 in SUNWcsu

        echo 'begin virtinfo:'

        /usr/sbin/virtinfo -ap 2>/dev/null

        echo 'end virtinfo:'

    fi

    echo 'begin solaris_uptime_string:'

    uptime 2>/dev/null

    echo 'end solaris_uptime_string:'

    echo --- END host_info

     

    # getMACAddresses

    echo --- START netstat_mac

    netstat -n -f inet -p 2>/dev/null | awk '{ if ( $4 ~ /SP/ ) { print $NF } }' | sort -u

    netstat -n -f inet6 -p 2>/dev/null | awk '{ if ( $3 ~ /local/ ) { print $2 } }' | sort -u

    echo --- END netstat_mac

     

    echo --- START ifconfig_mac

    PRIV_IFCONFIG ifconfig -a 2>/dev/null

    echo --- END ifconfig_mac

     

    # getIPAddresses

    echo --- START ifconfig_ip

    ifconfig -a 2>/dev/null

    echo --- END ifconfig_ip

     

    # getNetworkInterfaces

    echo --- START interface_commands

    IFCONFIG=`PRIV_IFCONFIG ifconfig -a 2>/dev/null`

    OS_VERSION=`uname -r | cut -f2 -d.`

    LISTOFNICS=`echo "$IFCONFIG" | awk '/^[^ \t]/ {if ($1!~/lo/) print $1 "\n"}' | sort -u`

    LINKNAMES=`echo "$LISTOFNICS" |  sed 's/:[0-9]*://g

    s/://g' | sort -u`

    echo 'begin ifconfig:'

    echo "$IFCONFIG"

    echo 'end ifconfig:'

    echo 'begin netstat_mac:'

    netstat -n -f inet -p 2>/dev/null | awk '{ if ( $4 ~ /SP/ ) { print $1, $NF } }' | sort -u

    netstat -n -f inet6 -p 2>/dev/null | awk '{ if ( $3 ~ /local/ ) { print $1, $2 } }' | sort -u

    echo 'end netstat_mac:'

    DLADM=`tw_which dladm`

    GOT_SPEED_DUPLEX=0 # this flag indicates if netstat or ndd -set are required

    GOT_NEGOTIATION=0  # this flag indicates if kstat is required

    if [ -f "$DLADM" ]; then

        echo 'begin dladm:'

        if [ $OS_VERSION -lt 11 ]; then

            echo 'begin show-dev:'

            PRIV_DLADM $DLADM show-dev 2>/dev/null

            if [ $? -eq 0 ]; then

    GOT_SPEED_DUPLEX=1

            fi

            echo 'end show-dev:'

        else

            echo 'begin show-ether:'

            PRIV_DLADM $DLADM show-ether 2>/dev/null

            if [ $? -eq 0 ]; then

    GOT_NEGOTIATION=1

    GOT_SPEED_DUPLEX=1

            fi

            echo 'end show-ether:'

            echo 'begin show-vlan:'

            PRIV_DLADM $DLADM show-vlan 2>/dev/null

            echo 'end show-vlan:'

        fi

        echo 'begin show-aggr:'

        PRIV_DLADM $DLADM show-aggr 2>/dev/null

        echo 'end show-aggr:'

        echo 'end dladm:'

    fi

    KSTAT=`tw_which kstat`

    if [ -x "$KSTAT" -a $GOT_NEGOTIATION -eq 0 ]; then

        echo 'begin kstats:'

        for NAME in $LINKNAMES; do

            GOT_SPEED_DUPLEX=1

            $KSTAT -p -n $NAME 2>/dev/null

            if [ $? -ne 0 ]; then

                GOT_SPEED_DUPLEX=0

            fi

        done

        echo 'end kstats:'

    fi

    if [ $OS_VERSION -lt 10 -a $GOT_SPEED_DUPLEX -eq 0 ]; then

        echo 'begin netstats:'

        GOT_SPEED_DUPLEX=1

        for NAME in $LINKNAMES; do

            netstat -k $NAME 2>/dev/null # -k option is not available for Solaris 10 or later

            if [ $? -ne 0 ]; then

    GOT_SPEED_DUPLEX=0

            fi

        done

        echo 'end netstats:'

    fi

    NDD=`tw_which ndd`

    if [ -f "$NDD" -a $OS_VERSION -lt 11 ]; then

        echo 'begin ndd:'

        if [ $GOT_SPEED_DUPLEX -eq 1 ]; then # ndd -get may provide negotiation info

            for NAME in $LINKNAMES; do

                NIC_TYPE=`echo $NAME | sed 's/[0-9]*//g'`

                case $NIC_TYPE in

                    dmfe | bge | nxge)

                        echo 'NDD :' $NAME ':adv_autoneg_cap:' `PRIV_NDD $NDD -get /dev/$NAME adv_autoneg_cap 2>/dev/null`

                    ;;

                    *)  # ce, ipge (kstat) / ge, hme, qfe, eri, fjqe, fjgi (skipped to avoid ndd -set) / unknown interfaces

                        continue

                    ;;

                esac

            done

        else # ndd -set / -get to retrieve speed, duplex, and negotiation: only if all the other commands failed

    VARS="link_status link_speed ifspeed link_mode link_duplex duplex adv_cap_autoneg adv_autoneg_cap adv_1000autoneg_cap"

    vars_hme="link_speed link_mode adv_autoneg_cap"

    vars_eri="adv_autoneg_cap"

    vars_bge="adv_autoneg_cap link_duplex link_speed"

    vars_dmfe="link_speed link_mode adv_autoneg_cap"

            vars_qfe="link_mode adv_autoneg_cap"

    vars_ge="link_mode adv_1000autoneg_cap"

    vars_ce="adv_autoneg_cap"

    vars_fjqe="link_mode link_speed adv_autoneg_cap"

    vars_fjgi="link_mode link_speed adv_autoneg_cap"

            LISTOFTYPES=`echo "$LINKNAMES" | sed 's/[0-9]*$//g' | sort -u`

    LISTOFSETTYPES=`echo $LISTOFTYPES | sed -e 's/bge//' -e 's/dmfe//'`

            for iface in $LISTOFSETTYPES; do

                eval initial_$iface=`PRIV_NDD $NDD -get /dev/$iface instance 2>/dev/null`

            done

            for NAME in $LINKNAMES; do

                NIC_TYPE=`echo $NAME | sed 's/[0-9]*//g'`

    NIC_NUMBER=`echo $NAME | sed 's/[a-z]*//'`

                eval vars=\$vars_$NIC_TYPE

                case $NIC_TYPE in

                    ge | hme | ce | qfe | eri | fjqe | fjgi) # interfaces that need the -set option:

    PRIV_NDD $NDD -set /dev/$NIC_TYPE instance $NIC_NUMBER 2>/dev/null

    instance=`PRIV_NDD $NDD -get /dev/$NIC_TYPE instance 2>/dev/null`

                        if [ $instance -a $instance != "$NIC_NUMBER" ]; then

                          echo "Skipping $NAME : ndd  -set failed"

    continue

                        fi

                        for var in $vars

                        do

                          echo 'NDD :' $NAME ':' $var ':' `PRIV_NDD $NDD -get /dev/$NIC_TYPE $var 2>/dev/null`

                        done

                    ;;

                    bge | dmfe ) #interfaces that do not need -set:

                        for var in $vars

                        do

                          echo 'NDD :' $NAME ':' $var ':' `PRIV_NDD $NDD -get /dev/$NAME $var 2>/dev/null`

                        done

                    ;;

                    dman ) # Known but ignored interfaces

    continue

                    ;;

                    *) # unknown interface

                        echo unknown interface: $NIC_TYPE

    continue

                    ;;

                esac

            done

            for iface in $LISTOFSETTYPES; do

                eval instance=\$initial_$iface

                PRIV_NDD $NDD -set /dev/$iface instance $instance 2>/dev/null

            done

        fi

        echo 'end ndd:'

    fi

    echo --- END interface_commands

     

    # getNetworkConnectionList

    echo --- START netstat

    netstat -an -f inet 2>/dev/null | grep -v '^ *\*\.\*'

    netstat -an -f inet6 2>/dev/null | grep -v '^ *\*\.\*'

    echo --- END netstat

     

    # getProcessList

    echo --- START ps

    os_ver=`uname -r | cut -d. -f2`

    if [ $os_ver -ge 10 -a  -x /usr/bin/zonename ]; then

        zone=`/usr/bin/zonename 2>/dev/null`

        ps -eo pid,ppid,uid,user,zone,args 2>/dev/null | awk "\$5~/^($zone|ZONE)$/ {print}"

    else

        ps -eo pid,ppid,uid,user,args 2>/dev/null

    fi

    if [ $os_ver -ge 11 ]; then

        PRIV_PS /usr/bin/ps axww 2>/dev/null

    else

        if [ -x /usr/ucb/ps ]; then

            PRIV_PS /usr/ucb/ps -axww 2>/dev/null

        fi

    fi

    if [ -x /usr/bin/pargs -a -d /proc ]; then

        echo begin pargs:

        PRIV_PARGS /usr/bin/pargs `ls -1 /proc` 2>/dev/null

        echo end pargs:

    fi

    echo --- END ps

     

    # getPatchList

    echo --- START patch_list

    os_ver=`uname -r | cut -d. -f2`

    if [ $os_ver -lt 11 ]; then

        showrev -p 2>/dev/null | grep -v "No patches are installed" | cut -c-16 | nawk '{print $2;}'

    else

        echo NO PATCHES

    fi

    echo --- END patch_list

     

    # getProcessToConnectionMapping

    echo --- START lsof-i

    temp_lc=$LC_ALL

    LC_ALL=C

    export LC_ALL

    if [ `uname -r | cut -d. -f2` -lt 7 ]; then

        PRIV_LSOF lsof -l -n -P -F ptPTn -C -i 2>/dev/null

    else

        PRIV_LSOF lsof -l -n -P -F ptPTn -i 2>/dev/null

    fi

    LC_ALL=$temp_lc

    export LC_ALL

    echo --- END lsof-i

     

    # getPackageList

    echo --- START pkginfo

    os_ver=`uname -r | cut -d. -f2`

    if [ $os_ver -ge 11 ]; then

        echo begin pkg_list:

        echo arch: `uname -p`

        pkg list -H --no-refresh 2>/dev/null

        echo end pkg_list:

    fi

    PKGINFO=`tw_which pkginfo`

    if [ ! -z "$PKGINFO" -a -x $PKGINFO ]; then

        pkginfo -l 2>/dev/null

    fi

    echo --- END pkginfo

     

    # getHBAList

    echo --- START hba_fcinfo

    echo begin fcinfo_hba:

    PRIV_FCINFO fcinfo hba-port

    echo end fcinfo_hba:

    echo --- END hba_fcinfo

     

    echo --- START hba_emlxadm

    PATH=/opt/EMLXemlxu/bin:$PATH

     

    echo begin emlxadm_get_host_attrs:

    PRIV_EMLXADM emlxadm devctl -y get_host_attrs

    echo end emlxadm_get_host_attrs:

    echo --- END hba_emlxadm

     

    echo --- START hba_hbacmd

    PATH=/usr/sbin/hbanyware:$PATH

     

    echo begin hbacmd_listhbas:

    PRIV_HBACMD hbacmd ListHBAs

    echo end hbacmd_listhbas:

     

    echo begin hbacmd_hbaattr:

    for WWPN in `PRIV_HBACMD hbacmd ListHBAs 2>/dev/null | awk '/Port WWN/ {print $4;}'`

    do

        PRIV_HBACMD hbacmd HBAAttrib $WWPN 2>/dev/null

    done

    echo end hbacmd_hbaattr:

    echo --- END hba_hbacmd

     

    # getServices

    #   ** UNSUPPORTED **

     

    # getFileSystems

    echo --- START df

    echo begin df:

    PRIV_DF df -lk 2>/dev/null

    echo end df:

    echo begin mount:

    if [ -r /etc/mnttab ]; then

        cat /etc/mnttab

    fi

    echo end mount:

    echo begin xtab:

    if [ -r /etc/xtab ]; then

        cat /etc/xtab

    fi

    echo end xtab:

    echo begin smbclient:

    smbclient -N -L localhost

    echo end smbclient:

    echo begin smbconf:

    configfile=`smbstatus -v 2>/dev/null | grep "using configfile" | awk '{print $4;}'`

    if [ "$configfile" != "" ]; then

        if [ -r $configfile ]; then

            cat $configfile

        fi

    fi

    echo end smbconf:

    echo --- END df

     

     

    Testing the sudoers change

     

    • Examine ADDM and note how many Software Instances have been discovered on your DEV hosts.
    • Apply the new ADDM package to a few DEV Solaris hosts.
    • Edit the solaris.sh script as shown above.
    • Examine ADDM again to see how many more Software Instances have been discovered.
    • Look for any script errors in the DA records attached to the host.
    • Look for any script errors in the Additional Discovery section at the bottom of the DA record.
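    Before the DEV run, the following added example (mine, not ADDM's and not from the original page) asks sudo directly whether each command line the platform script issues through its PRIV_* functions is permitted, so that denials show up before discovery runs rather than as script errors in the DA record. "sudo -l COMMAND ARGS" exits 0 when the policy permits that command line and 1 when it does not, and with the NOPASSWD rule above no password is needed for the listing (the default listpw=any is satisfied). The command list is constructed by hand from the PRIV_* calls in the solaris.sh above with representative arguments; the interface names and file paths in it are assumptions. Note that PRIV_NDD runs ndd through sudo but ndd does not appear in ADDMMGMT, so with the fragment as published the two ndd lines are expected to be denied.

```shell
#!/bin/sh
# Added example for this guide, not part of ADDM: a pre-flight for the DEV
# test. Logged in as addmuser on a host that already carries the sudoers
# fragment, it asks sudo itself (sudo -n -l COMMAND ARGS...) whether each
# command line the platform script issues through a PRIV_* function would be
# permitted. -n stops sudo from prompting; the exit status of "sudo -l CMD"
# is 0 when the policy permits the command line and 1 when it does not.
# SUDO can be overridden (for example with a stub) for testing.

# Commands the Solaris platform script runs under sudo, derived by hand from
# the PRIV_* calls; interface names and paths are assumed examples.
# Lines starting with '#' are ignored.
solaris_priv_commands() {
    cat <<'EOF'
/usr/sbin/ifconfig -a
/sbin/dladm show-ether
/sbin/dladm show-vlan
/sbin/dladm show-aggr
/usr/bin/ps axww
/usr/ucb/ps -axww
/usr/bin/pargs 1
/bin/df -lk
/usr/local/bin/lsof -l -n -P -F ptPTn -i
/usr/bin/cat /etc/release
/usr/bin/test -r /etc/release
/usr/bin/ls -l /etc
# PRIV_NDD runs these through sudo too, but ndd is not in ADDMMGMT
/usr/sbin/ndd -get /dev/bge0 adv_autoneg_cap
/usr/sbin/ndd -set /dev/hme instance 0
EOF
}

# Ask sudo about every command line read from stdin. Prints one ALLOW/DENY
# line per command and returns non-zero if anything was denied.
preflight_sudo() {
    sudo_cmd=${SUDO:-sudo}
    denied=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        # word-splitting of $line is intended: sudo needs an argv, not one string
        if $sudo_cmd -n -l $line </dev/null >/dev/null 2>&1; then
            echo "ALLOW $line"
        else
            echo "DENY  $line"
            denied=$((denied + 1))
        fi
    done
    [ "$denied" -eq 0 ]
}

# Entry point for interactive use: sh preflight_sudo.sh run
main() {
    if solaris_priv_commands | preflight_sudo; then
        echo "all commands permitted"
    else
        echo "some commands denied: add them to the Cmnd_Alias or fix the path" >&2
        return 1
    fi
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

    A DENY for a command the script needs means either the path or the arguments in the sudoers entry do not match what the script actually executes (compare the ALLOW/DENY line with the Cmnd_Alias entry character by character), or the fragment is not being read on that host at all.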

     

     

    sudo config for Linux

     

    02-Dec-2016 - I have updated this config; please see the end of this document.

     

    Discovery phase when used   Command
    Standard                    /bin/cat *
    Standard                    /bin/df *
    Standard                    /bin/ls *
    Standard                    /bin/netstat *
    Standard                    /opt/xensource/bin/xe *
    Standard                    /usr/sbin/ethtool *
    Standard                    /sbin/ethtool *
    Standard                    /sbin/mii-tool -v *
    Standard                    /usr/bin/test *
    Standard                    /usr/sbin/dmidecode
    Standard                    /usr/sbin/esxcfg-info --hardware
    Standard                    /usr/sbin/hbanyware/hbacmd *
    Standard                    /usr/sbin/hwinfo --bios
    Standard                    /usr/sbin/lsof *
    Additional                  /bin/grep *
    Additional                  /bin/egrep *

     

     

    sudo config for AIX

     

    Standard Discovery

     

    02-Dec-2016 - I have updated this config; please see the end of this document.

     

    Command: /usr/bin/cat *
      Function call in the ADDM aix.sh script: PRIV_CAT
      Commands in aix.sh: cat /usr/ios/cli/ios.level, cat /tmp/tideway.$$, cat /etc/xtab, cat $configfile, etc.
      Additional discovery commands: discovery.getFileContent
      Comments: cat is called both in the aix.sh script and from the getFileContent method within the TPL patterns.

    Command: /usr/bin/ls *
      Function call in the ADDM aix.sh script: PRIV_LS
      Commands in aix.sh: none
      Additional discovery commands: discovery.getFileMetaData
      Comments: ls is not used in the aix.sh script but is called by the getFileMetaData method within the TPL patterns.

    Command: /usr/bin/lslpp *
      Function call in the ADDM aix.sh script: PRIV_LSLPP
      Commands in aix.sh: lslpp -L devices.*.$adapter_type.*, lslpp -l

    Command: /usr/bin/test *
      Function call in the ADDM aix.sh script: PRIV_TEST
      Commands in aix.sh: none
      Additional discovery commands: discovery.getFileMetaData, discovery.getFileContent
      Comments: test is not used in the aix.sh script but is called by both the getFileMetaData and getFileContent methods within the TPL patterns.

    Command: /usr/sbin/lsof *
      Function call in the ADDM aix.sh script: PRIV_LSOF
      Commands in aix.sh: lsof -l -n -P -F ptPTn -i

    Command: /usr/sysv/bin/df *
      Function call in the ADDM aix.sh script: PRIV_DF
      Commands in aix.sh: /usr/sysv/bin/df -lg

     

     

    Additional Discovery

     

    02-Dec-2016 - I have updated this config; please see the end of this document.

     

    Command: /usr/bin/egrep *
      Function call in the ADDM aix.sh script: PRIV_RUNCMD
      Additional discovery commands: discovery.runCommand
      Comments: This command is often used by patterns.

    Command: /usr/bin/grep *
      Function call in the ADDM aix.sh script: PRIV_RUNCMD
      Additional discovery commands: discovery.runCommand
      Comments: This command is often used by patterns.

    Command: /usr/lpp/OV//bin/opcagt -version
      Function call in the ADDM aix.sh script: PRIV_RUNCMD
      Sample command executed: /usr/lpp/OV//bin/opcagt -version
      Additional discovery commands: discovery.runCommand
      Comments: See the query below.

    Command: /sbin/acfsutil info fs
      Function call in the ADDM aix.sh script: PRIV_RUNCMD
      Sample command executed: /sbin/acfsutil info fs
      Additional discovery commands: discovery.runCommand
      Comments: See the query below.

    Command: /usr/sbin/powermt dev=all
      Function call in the ADDM aix.sh script: PRIV_RUNCMD
      Sample command executed: /usr/sbin/powermt dev=all
      Additional discovery commands: discovery.runCommand
      Comments: See the query below.

    Command: /usr/sbin/powermt display dev=all
      Function call in the ADDM aix.sh script: PRIV_RUNCMD
      Sample command executed: /usr/sbin/powermt display dev=all
      Additional discovery commands: discovery.runCommand
      Comments: See the query below.

    Command: /usr/sbin/wlmstat
      Function call in the ADDM aix.sh script: PRIV_RUNCMD
      Sample command executed: /usr/sbin/wlmstat
      Additional discovery commands: discovery.runCommand
      Comments: See the query below.

     

     

    Query to Find Commands Used

     

    ADDM query to list commands that failed when running the runCommand method during Additional Discovery. Some of these will have failed due to permissions issues (command not configured in the sudoers file), but others will have failed simply because the command returned no results or wrote to stderr for some other reason.

     

    search Host
    where os_type = 'AIX' traverse InferredElement:Inference:Associate:DiscoveryAccess
    traverse DiscoveryAccess:DiscoveryAccessResult:DiscoveryResult:DiscoveredCommandResult
    where cmd matches ('^' + 'PRIV\\_RUNCMD')
    show cmd, result, failure_reason, #DiscoveryResult:DiscoveryAccessResult:DiscoveryAccess:DiscoveryAccess.#Associate:Inference:InferredElement:Host.name as Name

     

    Additional Discovery

     

    DA node – Additional Discovery section

    The Additional Discovery section appears at the bottom of the DA form displayed in ADDM. The example referred to here is the Additional Discovery section of a DA record for host nzdca02z (screenshot not reproduced).

     

     

     

    What Triggers Additional Discovery?

     

    Additional discovery is triggered from within the TPL patterns.  Shown below is an example of the triggering of the runCommand.

    priv_ran_cmd := discovery.runCommand(pa_pr, "%BMCPatrolAgentConfigs.priv_function% %cmd%");

    This call causes ADDM to open a new ssh session to the end-point, log in and run the command.

    In the example above, the variable BMCPatrolAgentConfigs.priv_function is set to PRIV_RUNCMD.

    The pattern controls whether or not privileged execution is used.

     

    Additional Discovery – Failure Reason

     

    Additional Discovery methods complete with a failure_reason code.  See the next section for an explanation of Script Errors and failure_reason.

     

    02-Dec-2016 Update - New sudo config

     

    01/12/2016 - sudoers.d

    It is much easier to manage sudo config if each config is kept in a separate file in the sudoers.d directory.  If you try and put all the config into the one sudoers file, it becomes really hard to manage the sudo config and you will suffer.  Politely encourage all your UNIX teams across the enterprise to do it properly and set up separate files for each app - ADDM being just one of them.  If they won't play ball - then call in a senior manager.

     

    01/12/2016 - Email from Colleague

     

    We have just added these 2 commands to the NZ Solaris policy:

    /opt/SUNWldm/bin/ldm ls-devices -a cpu
    /opt/SUNWldm/bin/ldm list-domain -l -p

    You should add the first one to your agreed list!
    The second one is covered in your list.


    02/12/2016 - Email from BMC Customer Support


    I am following up on the case 00215046. I just wanted to make sure that you have received my previous email communication, which is mentioned below;

    "Below are my comments on your query 6:-

    Banner output is from sudo.

    As to whether the ADDM system gets confused or not - that would be related to the use of the privileged command, i.e. how the output is processed.

    For example, PRIV_DMIDECODE usage specifically extracts part of the output so it would not cause issues, while various uses of PRIV_CAT would break because they just expect the output.

    Now how to handle the Banner to avoid any issue:- The /etc/sudoers lecture setting controls if this message is output every time. By default this is set to once so it is only ever shown once and hence does not become an issue."

     

    24/10/2016 - Email from UNIX Team

     

    I sent the updated rules last week. There has been a tiny update to ensure we cover all the relevant group names, so I’ll put them below.

    I’ve been working on the code to update sudo on Solaris for most of the last couple of days. It’s not actually a lot of code but there has been a lengthy discovery process (9 different versions of sudo and just as many different ways the config has been done). It’s almost there and I have been testing the new code this afternoon.

    AIX:

    User_Alias ADDMGRP=%addm,%gbladdmgrp,%gbladdmunixgrp
    Cmnd_Alias ADDMMGMT = /usr/bin/cat *,                                                   \
                          /usr/bin/ls *,                                                    \
                          /usr/bin/test *,                                                  \
                          /usr/sbin/lsof *,                                                 \
                          /usr/sysv/bin/df *,                                               \
                          /usr/bin/lslpp -l,                                                \
                          /usr/bin/egrep *,                                                 \
                          /usr/bin/grep *,                                                  \
                          /usr/sbin/wlmstat,                                                \
                          /usr/sbin/smtctl,                                                 \
                          /usr/sbin/powermt dev=all,                                        \
                          /usr/sbin/powermt display dev=all,                                \
                          /usr/bin/pcmpath query port,                                      \
                          /usr/bin/pcmpath query device,                                    \
                          /usr/sbin/lswpar *,                                               \
                          /usr/lpp/OV//bin/opcagt -version,                                 \
                          /sbin/acfsutil info fs,                                           \
                          /app/oragrid/product/*/bin/cemutlo -n,                            \
                          /app/oragrid/product/*/bin/crs_stat -v,                           \
                          /app/oragrid/product/*/bin/crsctl query crs softwareversion,      \
                          /app/oragrid/product/*/bin/olsnodes
    Defaults:ADDMGRP !lecture
    ADDMGRP ALL=(root)  NOPASSWD:ADDMMGMT

    RedHat:

    User_Alias ADDMGRP=%addm,%gbladdmgrp,%gbladdmunixgrp
    Cmnd_Alias ADDMMGMT = /usr/sbin/esxcfg-info --hardware, \
                          /opt/xensource/bin/xe *,          \
                          /usr/sbin/dmidecode,              \
                          /usr/sbin/hwinfo --bios,          \
                          /bin/cat *,                       \
                          /sbin/ethtool *,                  \
                          /sbin/mii-tool -v *,              \
                          /bin/netstat *,                   \
                          /usr/sbin/lsof *,                 \
                          /usr/sbin/hbanyware/hbacmd *,     \
                          /bin/df *,                        \
                          /sbin/lvs *,                      \
                          /usr/sbin/dmidecode *,            \
                          /app/mcafee/install/bin/nails --version
    Defaults:ADDMGRP !lecture
    ADDMGRP ALL=(root) NOPASSWD:ADDMMGMT

    Solaris:

    User_Alias ADDMGRP=%addm,%gbladdmgrp,%gbladdmunixgrp
    Cmnd_Alias ADDMMGMT = /usr/bin/ls,                              \
                          /usr/bin/cat *,                           \
                          /usr/bin/grep *,                          \
                          /bin/egrep *,                             \
                          /usr/sbin/fcinfo hba-port,                \
                          /usr/bin/kstat *,                         \
                          /usr/bin/ps *,                            \
                          /usr/ucb/ps *,                            \
                          /usr/sbin/ndd -get *,                     \
                          /usr/sbin/ndd -set /dev/ce instance *,    \
                          /usr/sbin/ndd -set /dev/qfe instance *,   \
                          /usr/sbin/ndd -set /dev/eri instance *,   \
                          /usr/sbin/ifconfig -a,                    \
                          /usr/bin/test *,                          \
                          /opt/sysadm/bin/lsof *,                   \
                          /opt/SUNWsneep/bin/sneep,                 \
                          /sbin/dladm show-aggr,                    \
                          /sbin/dladm show-dev,                     \
                          /sbin/dladm show-ether,                   \
                          /sbin/dladm show-vlan,                    \
                          /bin/df -lk,                              \
                          /usr/bin/pargs *,                         \
                          /opt/SUNWldm/bin/ldm list-domain *,       \
                          /usr/sbin/virtinfo -ap,                   \
                          /sbin/pooladm,                            \
                          /usr/sbin/poolbind -q *,                  \
                          /sbin/zoneadm list -cv,                   \
                          /opt/OV//bin/opcagt -version
    Defaults:ADDMGRP !lecture
    ADDMGRP ALL=(root) NOPASSWD:ADDMMGMT
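    The following Python is an added example, not BMC's code or the UNIX team's configuration.  It reimplements the sudoers(5) matching rules so that commands reported by the failure query above can be checked offline against a Cmnd_Alias such as the Solaris one; the embedded sudoers text is a constructed, trimmed copy of that alias, and the two ldm commands from the colleague's email are the check that matters (list-domain is covered by the wildcard entry, ls-devices is not).

```python
"""Check which commands a sudoers Cmnd_Alias permits, per sudoers(5): the path
matches like fnmatch(FNM_PATHNAME), arguments match as one string where '*'
also spans whitespace, and an entry with no arguments permits any arguments."""
import fnmatch
import re

# Constructed sample (added example, not BMC or UNIX-team code): trimmed Solaris alias.
SUDOERS = r"""
User_Alias ADDMGRP=%addm,%gbladdmgrp,%gbladdmunixgrp
Cmnd_Alias ADDMMGMT = /usr/bin/ls,                              \
                      /usr/bin/cat *,                           \
                      /usr/sbin/ndd -set /dev/ce instance *,    \
                      /opt/SUNWldm/bin/ldm list-domain *,       \
                      /opt/OV//bin/opcagt -version
Defaults:ADDMGRP !lecture
"""

def cmnd_alias_entries(text, alias):
    """Return the entries of one Cmnd_Alias, joining backslash continuations."""
    joined = re.sub(r"\\\n", " ", text)
    m = re.search(r"^Cmnd_Alias\s+%s\s*=\s*(.*)$" % re.escape(alias), joined, re.M)
    if not m:
        raise ValueError("Cmnd_Alias %s not found" % alias)
    return [e.strip() for e in m.group(1).split(",") if e.strip()]

def _path_matches(pattern, path):
    # sudo matches the command path with fnmatch(FNM_PATHNAME): '*' and '?'
    # never cross a '/'. Python's fnmatch lacks that flag, so translate by hand.
    rx = "".join("[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, path) is not None

def entry_permits(entry, cmdline):
    """Does one Cmnd_Alias entry permit exactly this command line?"""
    epath, _, eargs = entry.partition(" ")
    cpath, _, cargs = cmdline.strip().partition(" ")
    if not _path_matches(epath, cpath):
        return False
    if eargs == "":      # entry lists no arguments: any arguments are allowed
        return True
    if eargs == '""':    # entry lists "": the command must run without arguments
        return cargs == ""
    # arguments are compared as one string, so '*' spans several arguments
    return fnmatch.fnmatchcase(cargs, eargs)

def permitted(text, alias, cmdline):
    return any(entry_permits(e, cmdline) for e in cmnd_alias_entries(text, alias))

def uncovered(text, alias, cmdlines):
    """Commands from the ADDM failure query that the alias does not permit."""
    return [c for c in cmdlines if not permitted(text, alias, c)]
```

    Feed the cmd column of the failure query into uncovered() to separate genuine sudoers gaps from commands that failed for other reasons.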
