Pattern execution on ACC - check-allow-list.json manage commands (powershell)
01-20-2025 03:08 AM
Hello,
There is a check-allow-list.json.zip file attached to KB1585764 which contains all possible commands to get application patterns working, almost 1000 commands.
It is not commented which pattern is using which command. I tried to include commands for one pattern only, and it always failed.
Does anyone know if it is possible to manage this somehow? To know which commands belong to which pattern?
I want to allow and disallow patterns using this allowlist file.
Commands in pd_command_list do not match the attached check-allow-list.json file.
Thanks!
Tomas P.
Labels: Discovery
02-12-2025 04:06 AM
I think you would need to go through the pattern and look in the allow list for the commands in the pattern.
I have downloaded the allow list from the KB, but I feel like it is outdated, as patterns are failing with commands not being allowed, and these are not in the file from the KB.
02-19-2025 12:00 AM
I am using OOB patterns and the allowlist from the KB works, but the problem is that the KB allowlist allows almost everything, and it is not secure to allow everything to be executed.
I have tested enabling just one pattern and checking commands only for that pattern, but I am still unable to remove a bunch of echo commands which are somehow needed and not in the pattern at all.
04-07-2025 12:28 AM - edited 04-07-2025 12:29 AM
I 100% agree that this needs better clarification from the SN ITOM Team.
The out-of-box "check-allow-list.json" is auto-generated and contains mostly references to Ruby scripts that are executed as part of ACC-VC (and other plugins that are enabled).
If you want to enable pattern execution on ACC, then you need to also use the additional commands as detailed in KB1585764.
Refer to the KB, last updated October 2024:
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1585764
This is cumbersome. There should be an auto-generate that combines these directly from the SN platform.
For those that are stuck - you can use the attached to see how this would work.
Included in the attached zip are the out-of-box allow list and the KB allow list for pattern exec. Also included is a combined allow list. This is based on ACC v4.2.1.
04-07-2025 04:18 AM
Hello, the problem itself here is the opposite. If it were up to me, I would roll out "check-allow-list.json" from the KB article to all agents, but there is no control from the agent side.
Our infrastructure and security teams need to know why each command is used and for which pattern. If we have just one application pattern enabled for an MS SQL instance, we don't want to have all possible commands enabled on the server side.
The logic here is to control from both sides, especially from the agent side. For example, if we need to add another application pattern check like IIS to be enabled on all servers, we have to release a new allowlist only with those commands needed for the IIS pattern and add to the allowlist only those needed commands.
What I also observed: if you use the allowlist for application patterns from KB1585764, so without allowing advanced checks and SAM, they are working anyway along with the pattern allowlist. The actual allowlist for checks is in a different place in 4.1.0.
Thanks!
Tomas P.
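The per-pattern, least-privilege allowlist workflow described in the two posts above (one pattern's commands plus the echo helpers, then a reviewable delta when a second pattern such as IIS is added), as an added example that is not part of the thread or of ServiceNow's tooling. The layout of check-allow-list.json is not shown in the thread, so the example assumes a `{"commands": [...]}` object, and every command string in it is constructed sample data, not taken from the KB.

```python
import json

# All data below is CONSTRUCTED for illustration. The real check-allow-list.json
# layout is not shown in the thread; it is ASSUMED here to be {"commands": [...]}.
FULL_ALLOW_LIST_JSON = json.dumps({"commands": [
    "echo ACC_START", "echo ACC_END",
    "sc query MSSQLSERVER", "Get-Service MSSQLSERVER",
    "appcmd list sites", "Get-WebSite",
    "netstat -ano",
]})
ALWAYS_REQUIRED = ["echo ACC_START", "echo ACC_END"]   # echo helpers not listed in any pattern
MSSQL_PATTERN = ["sc query MSSQLSERVER", "Get-Service  MSSQLSERVER "]  # note stray whitespace
IIS_PATTERN = ["appcmd list sites", "Get-WebSite", "Get-WebBinding"]   # last one is not allowed

def normalize(cmd: str) -> str:
    """Collapse whitespace so a stray space does not defeat an exact-match allow list."""
    return " ".join(cmd.split())

def build_pattern_allow_list(full_allow_list_json: str, pattern_commands, always_required=()):
    """Return (minimal allow list dict, list of missing commands).

    The minimal list keeps only the always-required commands plus this pattern's
    commands, and only those the full list already permits. Anything the pattern
    needs that the full list lacks is reported in `missing`, so the pattern is not
    rolled out with an allow list that will make it fail."""
    allowed = {normalize(c) for c in json.loads(full_allow_list_json)["commands"]}
    kept, missing, seen = [], [], set()
    for cmd in map(normalize, list(always_required) + list(pattern_commands)):
        if cmd in seen:
            continue
        seen.add(cmd)
        (kept if cmd in allowed else missing).append(cmd)
    return {"commands": kept}, missing

def allow_list_delta(old: dict, new: dict):
    """(added, removed) commands of a new allow-list release relative to the previous
    one: the part a security review of the change actually needs to look at."""
    old_set, new_set = set(old["commands"]), set(new["commands"])
    return sorted(new_set - old_set), sorted(old_set - new_set)

if __name__ == "__main__":
    mssql, missing = build_pattern_allow_list(FULL_ALLOW_LIST_JSON, MSSQL_PATTERN, ALWAYS_REQUIRED)
    print(json.dumps(mssql, indent=2), "missing:", missing)
    both, missing = build_pattern_allow_list(FULL_ALLOW_LIST_JSON, MSSQL_PATTERN + IIS_PATTERN,
                                             ALWAYS_REQUIRED)
    print("added for IIS:", allow_list_delta(mssql, both), "missing:", missing)
```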