Discovery of Linux servers with PBRUN instead of sudo

SNOW9
Giga Contributor

Hi All,

We have a requirement where we need to do a Linux discovery through Powerbroker, where the credentials are installed for the servers. Now, when we try to use pbrun as the privileged command and initiate a discovery on one of the Linux servers, the MID Server logs show that the SSHSessionPoolKey still has sudo as the privileged command.

However, going deeper in the logs, we can see pbrun being executed. Attaching log file for reference.

We need to know if anyone has actually implemented Discovery with Powerbroker.

Also, we need to understand whether it is possible to use a jump server, install the MID Server on that jump server, and then do a Linux Discovery through Powerbroker.

@tim.broberg: Can you please help here?

Regards,

Shub

1 ACCEPTED SOLUTION

SNOW9
Giga Contributor

If anyone faces this issue in the future, this is what we need to do. Somehow the patterns intrinsically choose the privileged commands once selected on the MID Server; however, the logs are deceiving, so it is better to rely on the debug mode of patterns and check whether PBRUN is being executed on the target server.

The Powerbroker master has to relay the permissions to the target daemons, so it is necessary that the Linux team configures the Powerbroker master correctly, such that the commands which require privileged access, such as lsof and dmidecode, are being executed on the daemons with pbrun.

5 REPLIES

tim_broberg
ServiceNow Employee

SSHSessionPoolKey defines which SSH requests are able to share the same sessions. For example, you can't run traffic with debug on and with debug off in the same session because the SSH client only has debug granularity on a session by session basis, and the session has to be debug = true or debug = false. If we let two probes with conflicting debug settings run on the same session, the first one would get what it needs and the second one would not.

If you have accurately determined that the pool is seeing sudo but the actual usage is pbrun, it sounds like something wacky is going on where the config is set one way when getting a session but another way when using it.

I'm not terribly familiar with the pattern code, so I can't speak with much authority here. For all I know, they have a separate session they're using to gather information where they don't bother poking at the privileged command config.

I have run discovery with pbrun. It worked fine for me in a pilot test discovering just a few hosts.

I have not done it with a jump server.
    - Tim.

SNOW9
Giga Contributor

Thanks @tim.broberg for your response. Do you have any document which highlights what exactly needs to be set up for PBRUN? I tried setting all the parameters which are mentioned in the ServiceNow doc, but when I check the pattern log it still tries to execute most of the commands with sudo, because the pattern has sudo defined there. Should I change sudo to pbrun in all the commands in the pattern, or how should I move forward?

Any pointers would be really helpful.

 

Regards,

Shub

tim_broberg
ServiceNow Employee

I really am an expert on SSHCommand probes. There, the "sudo command" or "${sudo:command}" syntax predates support of other privileged command utilities like pbrun. It used to mean escalate command with sudo, but later came to mean escalate command with something.

I'm afraid I'm barely an amateur with patterns.

In many (most?) cases, the pattern calls through to SSHCommand, and I would certainly expect it to treat sudo the same way, and I would certainly expect that to include Linux discovery.

If you add a parameter to the problematic probe, debug = true, do you then see piles and piles of debug messages from the SSH client? That would show exactly what is happening on the wire.
    - Tim.

Hi @tim.broberg: just curious to know, when you implemented PBRUN and ran a discovery, what did you see in the Pattern and MID logs? Did you see all commands being executed by PBRUN, or was it still sudo? Because even after enabling everything suggested for the privileged command, I am still seeing everything being executed by sudo.

Secondly, I am more curious to know about the credentials that are used: do the credentials used for Linux Discovery necessarily have to be in the sudoers file, or can they not be in sudoers? If in sudoers, will it not allow PBRUN to execute at all? Just a thought, I don't know if it's in the right direction or not.

Any pointers will help.

 

Regards,

Shub