Unix discovery with Powerbroker, no sudo?
‎06-01-2017 06:00 AM
Hi all,
A customer is asking to implement Unix discovery, but is unwilling to use sudo in their environment. They are using an access and identity management tool, Powerbroker for Unix. The requirement is to use Powerbroker, instead of sudo, for Unix discovery.
Does anyone have any prior experience with this or a related issue (discovering Unix with another mechanism apart from sudo)? Any inputs will be greatly appreciated, quick responses even more.
Instance used: Helsinki version
Thanks in advance!
SM
Labels: Discovery
‎06-01-2017 06:33 AM
Hi Supratik,
Powerbroker is supported along with some other privileged commands...
Privileged commands for Discovery
You would need to change the privileged command that the MID server uses to pbrun. There is some information in the documentation above about what is and isn't supported. For example, only certain pbrun options are supported.
I haven't used it myself and I'm not sure exactly how Powerbroker works, although I believe there is a Powerbroker server that checks what privileges a user has. If each time a pbrun command is issued a connection is made to the Powerbroker server to check that the user has privileges to run that command, the trip to the Powerbroker server could increase the time taken to run commands, depending on whether there is any delay in getting a response, so that is something that might need considering.
Regards,
Dave
‎06-02-2017 12:22 AM
Hi David,
Thanks a ton for the prompt reply.
I had gone through the wiki link you provided for privileged commands for Powerbroker, as in the screenshot below:
From the above we can conclude that "pbrun -v" and "pbrun <commands like lsof, dmidecode etc.>" should be able to run on the desired host if the credentials have the respective access rights, but any other "pbrun -" command is not supported by Discovery. Is there any Powerbroker-related capability which Discovery has apart from those given in the wiki screenshot?
Since there is no out-of-the-box integration/plugin for Powerbroker with SNOW Discovery, I'd love some more details on how ServiceNow Discovery will extract CI information from a Solaris (for example) box monitored through Powerbroker.
Any help would be highly appreciated.
Hoping for a quick reply.
Thanks,
SM
‎06-02-2017 03:11 AM
Hi Supratik,
Perhaps I am misunderstanding your request but if you configure pbrun to be the privileged command in ServiceNow, then any command where we currently use sudo (such as dmidecode), we will use pbrun instead. When pbrun is used on a target device, a Powerbroker daemon on that server connects to the Powerbroker policy server to check whether the user is allowed to run that command. If a command such as uname is run where privilege escalation is not required, the command will run as the discovery user and pbrun is not used.
So no integration is required. All discovery needs to do is use pbrun in front of the command instead of sudo and if Powerbroker is configured correctly, Powerbroker will then do the rest.
However, there are options with pbrun such as pbrun -u <user> <command> which will request that the command is run as a different user. The documentation suggests that options like these might not be supported. So you would need to confirm with the customer how they want to use Powerbroker.
Regards,
Dave
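The mechanism Dave describes, as an added shell illustration that is not ServiceNow's or BeyondTrust's code: a probe runner that puts the configured privileged command only in front of commands that need root, leaves others to run as the discovery user, and accepts only a bare `sudo` or `pbrun` as the configured value (so neither a full command such as `pbrun dmidecode` nor an option form such as `pbrun -u <user>` is taken as the prefix). The set of commands treated as needing root (dmidecode and lsof, but not uname) and the function names are assumptions made for this example; the actual MID server parameter name is not shown in this thread.

```shell
#!/bin/sh
# Added illustration (not ServiceNow's or BeyondTrust's code) of how a
# Discovery-style probe runner uses the configured privileged command.
# Assumptions for this example: which commands need root, and the rule
# that the configured value is only the bare escalation prefix.

# Commands the thread names as needing root (dmidecode, lsof); uname does
# not. This list is constructed for the example, not taken from the product.
needs_privilege() {
    case "$1" in
        dmidecode|lsof) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only the bare prefix. Per Dave's reply the probe appends the actual
# command itself, so a value such as "pbrun dmidecode" is wrong, and option
# forms such as "pbrun -u <user>" are the ones the documentation flags as
# possibly unsupported.
validate_priv_cmd() {
    case "$1" in
        sudo|pbrun) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the command line sent to the target host: prefix only when the
# command needs escalation; otherwise it runs as the discovery user.
# Usage: build_cmd <prefix> <command> [args...]
build_cmd() {
    prefix="$1"
    shift
    cmd="$1"
    shift
    if [ $# -gt 0 ]; then
        full="$cmd $*"
    else
        full="$cmd"
    fi
    if needs_privilege "$cmd"; then
        printf '%s %s' "$prefix" "$full"
    else
        printf '%s' "$full"
    fi
}

# Demonstration: the same probes with sudo and with pbrun, then two
# configured values that the validator rejects.
for prefix in sudo pbrun; do
    if validate_priv_cmd "$prefix"; then
        echo "$prefix: $(build_cmd "$prefix" dmidecode -t system)"
        echo "$prefix: $(build_cmd "$prefix" uname -a)"
    fi
done
for bad in "pbrun -u root" "pbrun dmidecode"; do
    if ! validate_priv_cmd "$bad"; then
        echo "rejected privileged-command value: $bad"
    fi
done
```

Swapping the prefix from `sudo` to `pbrun` changes nothing else about the probe, which is Dave's point: the policy decision moves to the Powerbroker policy server, while the MID server only needs the bare escalation command configured.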
‎06-02-2017 04:23 AM
Hi Dave,
Thanks for the quick reply yet again.
Your latest reply clarified the mechanism for running pbrun with Discovery for me. I added the below parameter and ran discovery on the Solaris host, but discovery still failed with an "Invalid credential type" error (I have the latest credentials lodged in the instance).
In the above parameter, I have also tried the values "pbrun dmidecode", "pbrun -v", "pbrun -v <hostname>" and others as well, but all of them are returning an "Active couldn't classify" error stating invalid credential type, as below:
I'd like your inputs on whether I'm entering the correct values in the "value" parameter in the MID parameter configuration.
Thanks again,
SM