7 Replies Latest reply on Jul 23, 2018 3:27 AM by David Heydecker

    ADDM to use elevated privileges for below commands. Please share inputs

    Kanika Chugh

      Hi,

       

      BMC Discovery is trying to run some commands on Linux servers. Scanning of the servers is fine, but it seems to have permission issues for certain directories, which even prevent the ls command from running properly. It was checked in the Linux platform scripts as well, and they show PRIV() for ls too. Please share any inputs if you have any.

       

      Jul 18 01:48:05 SERVERNAME sudo:  tideway : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/tideway ; USER=root ; COMMAND=/bin/df -lk

      Jul 18 01:49:37 SERVERNAME sudo:  tideway : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/tideway ; USER=root ; COMMAND=/bin/ls -la /proc/4222

      Jul 18 01:52:10 SERVERNAME sudo:  tideway : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/tideway ; USER=root ; COMMAND=/bin/ls -ld /var/opt/BESClient/besclient.config

      Jul 18 01:52:17 SERVERNAME sudo:  tideway : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/tideway ; USER=root ; COMMAND=/bin/ls /opt/BESClient/bin/iso-swid/

      Jul 18 01:52:29 SERVERNAME sudo:  tideway : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/dev/mapper ; USER=root ; COMMAND=/bin/ls -a --full-time --color=never

      Jul 18 01:52:39 SERVERNAME sudo:  tideway : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/tideway ; USER=root ; COMMAND=/bin/ls -ld /proc/mdstat

      Jul 18 01:53:05 SERVERNAME sudo:  tideway : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/tideway ; USER=root ; COMMAND=/bin/ls -ld /etc/resolv.conf

      Jul 18 01:53:13 SERVERNAME sudo:  tideway : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/tideway ; USER=root ; COMMAND=/bin/ls -ld /var/lib/dhclient/dhclient-eth0.leases

        • 1. Re: ADDM to use elevated privileges for below commands. Please share inputs
          Bernard Stern

          Did you check that you have

          1. all sudo rules correctly defined in the sudoers file on the target servers

          2. correctly defined the PRIV commands

          Recently I had to add this PRIV command

           

          # This function supports running privileged commands from patterns
          PRIV_RUNCMD() {
            # Quote "$1" so the test does not break on an empty or multi-word argument
            if [ "$1" = "/usr/bin/docker" ]; then
              /usr/bin/sudo "$@"
            elif [ "$1" = "docker" ]; then
              /usr/bin/sudo "$@"
            else
              "$@"
            fi
          }

           

          Since sometimes the command came with the absolute path and sometimes without, it worked only if I configured both variants in the platform script.

           

          An alternative to using PRIV ls would be to use ACLs on the directories you need, if there is only a limited list of those. We also use this for a specific use case.

          4 of 4 people found this helpful
          • 2. Re: ADDM to use elevated privileges for below commands. Please share inputs
            David Heydecker

            Hello, Kanika-

            Your logs appear to suggest that it's account "tideway" that is attempting to issue the sudo commands and, in turn, this suggests that the failures that you illustrate are for discovery of a BMC Discovery appliance.

            I've just checked the /etc/sudoers on my 11.3 Demo appliance, and binaries /bin/ls and /bin/df are not included in the commands that tideway is allowed to run. This would, I believe, explain why the password prompts are being issued as this is the default behaviour for when a command that is not permitted is issued with sudo.

            Do you have other cases where this is happening?

            (I see that Bernard Stern has also offered good advice just as I am typing this).

            1 of 1 people found this helpful
            • 3. Re: ADDM to use elevated privileges for below commands. Please share inputs
              Kanika Chugh

              Thanks Bernard.

               

              Does that mean I have to include all the commands in the platform script?

              Or can I assign those rights to a particular directory?

              • 4. Re: ADDM to use elevated privileges for below commands. Please share inputs
                Kanika Chugh

                Thanks David.

                 

                Can I edit the sudoers file? I mean, can I add /bin/ls to the file, or for that matter all the commands I see having permission issues?

                • 5. Re: ADDM to use elevated privileges for below commands. Please share inputs
                  Saurabh Thuse

                  Kanika - Some commands need root-level access to get information. Whenever we need elevated privileges, we have a function defined for that in the init() section of the platform script. You will have to define sudo in that script for the appropriate section. This will be used by discovery to run those specific commands on the target hosts.

                   

                  On the target hosts, the user which you use for discovery should have sudo rights to execute those commands. That is done in the sudoers file.

                   

                  So you need to tell your system admin to assign correct privileges for discovery user, so that it will be able to execute commands given in platform scripts.

                   

                  You don't need to edit the sudoers file on the appliance to get results from the target. Of course, if you are doing self-discovery of the appliance and you need all the data, only then will the sudoers file on the appliance come into the picture.

                   

                  Thanks,

                  Saurabh Thuse

                  2 of 2 people found this helpful
                  • 6. Re: ADDM to use elevated privileges for below commands. Please share inputs
                    Bernard Stern

                    Typically you will have a sudoers section for your discovery user where you define all the commands that will be run with elevated privileges during discovery, like this

                     

                    ### BEGIN ADDM
                    addm    ALL=NOPASSWD: /usr/sbin/lsof *
                    addm    ALL=NOPASSWD: /usr/sbin/dmidecode *
                    addm    ALL=NOPASSWD: /sbin/ethtool *
                    ...
                    ### END ADDM

                     

                    In the platform specific init script on your ADDM appliance, you will define all these above commands as privileged, like this

                     

                    # A one-line function body needs ";" before the closing brace
                    PRIV_LSOF() { /usr/bin/sudo "$@"; }
                    PRIV_DMIDECODE() { /usr/bin/sudo "$@"; }
                    PRIV_ETHTOOL() { /usr/bin/sudo "$@"; }

                     

                    You can also use the PRIV_RUNCMD to define custom commands to be run with elevated privileges, like this:

                     

                    PRIV_RUNCMD() {
                      # Quote "$1" so the test does not break on an empty or multi-word argument
                      if [ "$1" = "/usr/es/sbin/cluster/utilities/cldump" ]; then
                        /usr/bin/sudo "$@"
                      elif [ "$1" = "/usr/es/sbin/cluster/utilities/cltopinfo" ]; then
                        /usr/bin/sudo "$@"
                      else
                        "$@"
                      fi
                    }

                     

                    All these commands must be added to the sudoers file as above.

                    1 of 1 people found this helpful
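
As an added example (not code from the thread or from BMC), the script below takes sudo log lines like those in the question and lists which binaries the discovery account failed to run and which of them have no NOPASSWD rule in a sudoers block of the form shown in reply 6. The function names, the sample log and the sample sudoers text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed,
# modelled on the log lines in the question and the sudoers block in reply 6.
SAMPLE_LOG='Jul 18 01:48:05 SERVERNAME sudo:  tideway : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/tideway ; USER=root ; COMMAND=/bin/df -lk
Jul 18 01:49:37 SERVERNAME sudo:  tideway : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/tideway ; USER=root ; COMMAND=/bin/ls -la /proc/4222
Jul 18 01:52:39 SERVERNAME sudo:  tideway : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/tideway ; USER=root ; COMMAND=/bin/ls -ld /proc/mdstat
Jul 18 01:55:00 SERVERNAME sudo:  tideway : TTY=pts/0 ; PWD=/home/tideway ; USER=root ; COMMAND=/usr/sbin/lsof -n'

SAMPLE_SUDOERS='### BEGIN ADDM
tideway    ALL=NOPASSWD: /usr/sbin/lsof *
tideway    ALL=NOPASSWD: /bin/df *
### END ADDM'

# failed_sudo_binaries USER
# Reads sudo log lines on stdin; prints each distinct binary (first word of
# COMMAND=) for which USER hit "incorrect password attempts".
failed_sudo_binaries() {
  awk -v user="$1" '
    /incorrect password attempts/ {
      i = index($0, " sudo:"); if (!i) next
      rest = substr($0, i + 6); sub(/^[ \t]+/, "", rest)
      split(rest, head, " : ")               # head[1] is the invoking user
      if (head[1] != user) next
      if (match(rest, /COMMAND=[^ ]+/))
        print substr(rest, RSTART + 8, RLENGTH - 8)
    }' | sort -u
}

# unlisted_binaries USER SUDOERS_TEXT
# Reads binaries on stdin; prints those with no "USER ... NOPASSWD: <binary>"
# line. Assumption: one command per rule line, as in reply 6 (no aliases,
# groups or line continuations are resolved).
unlisted_binaries() {
  user=$1 sudoers=$2
  while IFS= read -r bin; do
    printf '%s\n' "$sudoers" | awk -v user="$user" -v bin="$bin" '
      $1 == user && $2 ~ /NOPASSWD:$/ && $3 == bin { found = 1 }
      END { exit !found }' || printf '%s\n' "$bin"
  done
}

# Demo on the constructed samples: prints /bin/ls
printf '%s\n' "$SAMPLE_LOG" | failed_sudo_binaries tideway |
  unlisted_binaries tideway "$SAMPLE_SUDOERS"
```

On a real host, feed the first function from the system's sudo log and pass the second the discovery account's sudoers block; the result is the short list of binaries to review with the system administrator before any rule is added.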
                    • 7. Re: ADDM to use elevated privileges for below commands. Please share inputs
                      David Heydecker

                      Once again, if aspects of this query relate to discovery of the BMC Discovery appliance itself (as suggested by the user account "tideway" in your original post), please don't forget the note about customisation of the appliance: Installing - BMC Discovery 11.3 - BMC Documentation.