Following the article Importance of Credential Management published by my colleagues Anders and Angelo Nappi, I want to share best practices for configuring the UNIX sudoers file for agentless Service Mapping and Discovery.
Let's first see what a sudoers file is on Unix/Linux, quoting Wikipedia:
The /etc/sudoers file controls who can run what commands as what users on what machines, and can also control special things such as whether you need a password for particular commands. The file is composed of aliases (basically variables) and user specifications (which control who can run what).
And, importantly from the agentless Discovery and Service Mapping perspective, the sudo command offers a mechanism for giving trusted users administrative access to a system without sharing the root user's password.
The most entertaining way to understand the "sudo" command and the rules in the sudoers file is this comic.
As the picture shows, the "sudo" command makes the system obey any given order.
The two best advantages about using "sudo" command are:
- Restricted privileges
- Logs of the actions taken by users
I'm sure you are now fully aware of the advantages of using the sudo command on a daily basis. So... what do we need to do?
In order to perform agentless Mapping/Discovery tasks with customer-provided non-root user credentials, we need to add the necessary Linux commands to the sudoers file, which allows the Discovery user to execute those specific commands with root privileges.
The commands required for Service Mapping are listed in the ServiceNow documentation page "Service Mapping commands requiring sudo-level credentials", and the commands required for Discovery in "UNIX and Linux commands requiring root privileges for Discovery and Orchestration".
Let's look at examples of the parts of a sudoers file relevant to Mapping/Discovery.
Example 1 - adding a single user for ServiceNow and allowing it to run a limited set of commands:
ServiceNow ALL = NOPASSWD: /bin/cat, /bin/ls, /bin/lsof, /usr/sbin/dmidecode, /bin/netstat
Example 2 - creating a command alias and granting the user permission to run the commands in that alias:
## ServiceNow account permissions
Cmnd_Alias PRTG = /bin/cat, /bin/ls, /bin/lsof, /usr/sbin/dmidecode, /bin/netstat
ServiceNow ALL = NOPASSWD: PRTG
After saving the changes to the sudoers file, running "sudo -l" as the ServiceNow user should produce output like the following:
User ServiceNow may run the following commands on this host:
(ServiceNow) NOPASSWD: /bin/netstat, /bin/cat, /bin/ls, /usr/sbin/dmidecode, /bin/lsof
And please remember: never edit this file with a normal text editor! Always use the visudo command instead!
Because improper syntax in the /etc/sudoers file can leave you with a system where it is impossible to obtain elevated privileges, it is important to use the visudo command to edit the file.
The visudo command opens a text editor like normal, but it validates the syntax of the file upon saving.
This prevents configuration errors from blocking sudo operations, which may be your only way of obtaining root privileges.
Traditionally, visudo opens the /etc/sudoers file with the vi text editor. Ubuntu, however, has configured visudo to use the nano text editor instead.
On CentOS, you can change the editor by adding the following line to your ~/.bashrc (visudo only honours the EDITOR variable when the sudoers env_editor option is enabled, which the major distributions' sudo packages do):
- export EDITOR=`which name_of_editor`
Source the file to implement the changes:
- . ~/.bashrc
After you have configured visudo, execute the command to access the /etc/sudoers file:
- sudo visudo
The sudoers examples above are provided for guidance only.
A customer's environment may be highly customized, and approval from the customer's IT Security department may be required before making any changes to the sudoers file.
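As an added example (not code from this post or from ServiceNow), here is a POSIX shell script that generates a drop-in for /etc/sudoers.d in the style of Example 2, rejects entries that would widen the grant beyond a fixed command list, validates the file with visudo -c -f before installing it, and then confirms the result with sudo -l -U. The account name "servicenow", the alias name SNOW_DISCOVERY and the command list are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the post): build a least-privilege sudoers drop-in
# for the discovery account, check it with "visudo -c -f" before it reaches
# /etc/sudoers.d, then confirm with "sudo -l -U". Run as root. The account
# "servicenow", alias SNOW_DISCOVERY and the command list are placeholders;
# take the real commands from the Discovery / Service Mapping documentation.

# Emit the drop-in text. Every entry is an absolute path and the grant is
# tied to a Cmnd_Alias, so the account can run nothing outside the list.
sudoers_fragment() {
    user="$1"; shift
    cmds=$(printf '%s, ' "$@"); cmds=${cmds%, }
    printf '## ServiceNow discovery account permissions\n'
    printf 'Cmnd_Alias SNOW_DISCOVERY = %s\n' "$cmds"
    printf '%s ALL = (root) NOPASSWD: SNOW_DISCOVERY\n' "$user"
}

# Refuse entries that widen the grant beyond a fixed list: ALL, globs,
# relative paths (resolved via the caller's PATH), shells, su and sudo,
# any of which would amount to unrestricted root. Returns 0 when tight.
check_commands() {
    for c in "$@"; do
        case "$c" in
            ALL|*'*'*|*/sh|*/bash|*/su|*/sudo) return 1 ;;
            /*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Validate in a temp file (root-owned, mode 0440, as visudo expects), install
# it, then list what the account may now run. The drop-in name must not
# contain "." or "~" or sudo ignores the file. Usage (placeholder commands):
#   install_fragment servicenow servicenow /bin/cat /bin/ls /bin/lsof
install_fragment() {
    name="$1"; user="$2"; shift 2
    check_commands "$@" || { echo "refusing: command list is not tight" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sudoers_fragment "$user" "$@" > "$tmp"
    chmod 0440 "$tmp"
    if visudo -c -f "$tmp"; then
        install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$name"
        rm -f "$tmp"
        sudo -l -U "$user"
    else
        rm -f "$tmp"; return 1
    fi
}
```

A syntax error is caught in the temp file and the live configuration is never touched, which is the same protection visudo gives when editing /etc/sudoers directly.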
If you enjoyed the article, please share it
Co-Author Anders