where are discovery pattern step scripts stored

James Behrens
Giga Guru

We are implementing ITOM Visibility. There are steps that require elevated privileges on the discovery target, and those are called out well in this document: Service Mapping commands requiring a privileged user (servicenow.com)

 

While that does tell you, per platform type, WHAT commands are used that will require elevated privileges, it cannot really get into WHERE those calls are being made so that the affected team can evaluate the risk and need for each call. There could literally be hundreds of calls across dozens of discovery patterns.

 

The question: Is there a way to query all of the steps for each of the commands that require elevated rights? 

[Screenshot: searching within pattern designer]

In the pattern designer, you can search for terms (see screenshot) but I have not found a way to use regex to keep from triggering on every try/catch for CAT for example.

 

Understandable from the solution owners' perspective. They want to know what you are reading with CAT and SUDO rights. You could literally read any file on any server. The flip side: our service mapping is in peril unless we can resolve their concerns.
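The search problem described above (finding `cat` without tripping on every `catch`) comes down to matching a command name only where a shell would execute it. The following is an added example, not part of the original post and not ServiceNow code; it assumes the step command text has already been exported into (pattern, step, text) tuples, and the command list and sample steps are constructed.

```python
import re

# Sample command list (constructed); for a real review, use the commands
# listed in the vendor's privileged-commands document.
PRIVILEGED = ["cat", "lsof", "netstat"]

def command_regex(commands):
    """Match a command name only where a shell would execute it."""
    names = "|".join(re.escape(c) for c in sorted(commands, key=len, reverse=True))
    return re.compile(
        r"(?:^|[;&|(`])\s*"                 # line start or shell separator
        r"(?P<sudo>sudo\s+(?:-\S+\s+)*)?"   # optional sudo and simple flags
        r"(?:/[\w./-]*/)?"                  # optional path, e.g. /bin/
        r"(?P<cmd>" + names + r")"
        r"(?=\s|$|[;&|)`])",                # whole word: 'catch' is rejected
        re.MULTILINE,
    )

def find_privileged_calls(steps, commands=PRIVILEGED):
    """steps: iterable of (pattern, step, command_text). One row per hit."""
    rx = command_regex(commands)
    hits = []
    for pattern, step, text in steps:
        for m in rx.finditer(text):
            line = text[:m.start("cmd")].count("\n") + 1
            hits.append((pattern, step, line, m.group("cmd"), bool(m.group("sudo"))))
    return hits

# Constructed step text, not taken from any shipped pattern.
SAMPLE_STEPS = [
    ("Pattern A", "Read config", "sudo cat /opt/app/conf/server.xml"),
    ("Pattern A", "Parse output", "try { parse(out) } catch (e) { log(e) }"),
    ("Pattern B", "Find listener", "ps -ef | grep app; /bin/cat /proc/$pid/cmdline"),
    ("Pattern B", "Label", "echo category: concatenated"),
    ("Pattern C", "Ports", "cd /tmp\nnetstat -anp | grep LISTEN"),
]

if __name__ == "__main__":
    for row in find_privileged_calls(SAMPLE_STEPS):
        print(row)
```

Each row gives the pattern, step, line number, command and whether it was invoked through sudo, which is the per-call inventory a system owner needs to judge each privileged read.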


James Behrens
Giga Guru

Update on this subject...

What we were really pursuing was least privilege. We have chosen at this juncture to run the patterns with minimal privileges, see where we run into issues, and fix them as we run into them. I'm not exactly sure where we will end up in this pursuit, but it allows us to address failures as they occur and end up with a solution that uses least privilege.

So far, so good. We are running into a few errors but those seem mostly to do with a difference in how we deployed a specific solution vs what the pattern is expecting. 

Our open systems engineers have evaluated a number of items from the attached elevated privileges document and implemented them in the SUDOers list, added our credentials to specific groups, etc. We're attempting to capture how much effort this approach takes so that we can, eventually, evaluate risks vs effort along with risks vs rewards.