What elevated commands are executed by ServiceNow for Service Mapping ?

Pranita Bahugun
Tera Expert

3 weeks ago

 

Hello Community,

I am working on configuring Service Mapping in ServiceNow and need clarity on the Unix – Enhanced ADM (ADME) probe.

From the documentation, I see that the probe requires elevated permissions to run certain commands. For example, on AIX the recommended sudoers entry is:

Cmnd_Alias ADME_CMDS=/usr/bin/netstat -Aan, /usr/sbin/lsof -iTCP -n -P
discoUser ALL=(root) NOPASSWD:ADME_CMDS
Defaults:discoUser !requiretty

 

Currently my user has lower level of access but i could see the processes details available in ecc_queue input details of ADME probe but those processes are not getting discovered or are not getting associated to server post discovery, what could be the reason behind this behavior?

 

My questions are:

  • What exact commands does the Unix ADME probe execute on Linux/AIX/Solaris?

  • Do I need to configure both netstat and lsof or is one sufficient?

  • What information do these commands provide to Service Mapping (e.g., process‑to‑port mapping, established connections)? Or Service Mapping uses some other specific set of commands?

  • Why are elevated permissions required for these commands, and are there best practices for limiting scope to only what ServiceNow needs?

I want to ensure I configure sudoers correctly so that the Discovery user has just enough privilege to run the required commands, without granting full root access.

 

Thanks in advance for your guidance!

 

Best Regards,

Pranita Bahuguni

Labels:
0 Helpfuls
  • 917 Views
6 REPLIES 6

VivekSattanatha
Mega Sage

3 weeks ago

Hi,

 

ServiceNow documented already what level of elevated rights required for different operating system. Please go through them and make the sudoers accordingly  

 

https://www.servicenow.com/docs/bundle/zurich-it-operations-management/page/product/service-mapping/...

 

Regards,

Vivek

 

Pranita Bahugun
Tera Expert
In response to VivekSattanatha

Wednesday

Hi @VivekSattanatha,

Thank you for your reply, it was very helpful. As per the ServiceNow documentation, we have configured the sudoers file accordingly. However, when the Enhanced ADME probe is triggered, there are still certain commands that fail with permission errors, such as:

  1. lsof -iTCP -n -P
  2. netstat -antp
  3. ss -tlnp
  4. ss -tenp

Could you please advise where we can find the complete list of commands executed by the Unix/Windows – Enhanced Application Dependency Mapping probe? The commands referenced in the documentation appear to differ from the ones failing here, and I would like to understand this better.

Your guidance would be much appreciated. Thanks in advance.

0 Helpfuls

VivekSattanatha
Mega Sage
In response to Pranita Bahugun

Wednesday

@Pranita Bahugun 

The Enhanced ADM probe command lists are documented here. I can see these are all not documented in one place.

https://www.servicenow.com/docs/bundle/zurich-it-operations-management/page/product/discovery/refere...

0 Helpfuls