Configure the ServiceNow sudoers file
Configure the ServiceNow sudoers file to grant the _servicenow user the permissions it needs to run specific commands with elevated privileges. This configuration uses a drop-in file in /etc/sudoers.d/ so that the sudo rules for ServiceNow operations stay isolated from the main sudoers file and can be validated and removed on their own.
Before you begin
Role required: admin
Procedure
- Open a terminal with root access by running sudo -i.
- Create and edit the sudoers drop-in file by running visudo -f /etc/sudoers.d/_servicenow. Use visudo rather than a plain editor: it locks the file while you edit and refuses to save a file with a syntax error, and a malformed file in /etc/sudoers.d can leave sudo unusable for every user on the host.
- Paste the following content into the editor:

      # ServiceNow Agent Collector - Sudoers Configuration for macOS
      # Command alias for ServiceNow allowed commands
      # These commands can be executed by the _servicenow user with sudo privileges
      Cmnd_Alias SN_ALLOWED = /usr/bin/powermetrics, \
          /usr/bin/mdls, \
          /usr/bin/log, \
          /usr/bin/log show *, \
          /bin/kill, \
          /usr/bin/defaults, \
          /usr/local/bin/jamf, \
          /bin/rm, \
          /bin/ls, \
          /usr/bin/pgrep, \
          /usr/bin/find, \
          /usr/bin/pmset, \
          /usr/bin/open, \
          /Library/Application\ Support/servicenow/agent-client-collector/cache/acc-dex-modules/bin/scripts/sudo/app_freeze.sh, \
          /Library/Application\ Support/servicenow/agent-client-collector/cache/acc-dex-modules/bin/scripts/sudo/zscaler_zpa_reconnect.sh, \
          /Library/Application\ Support/servicenow/agent-client-collector/cache/acc-dex-modules/bin/scripts/sudo/clear_google_chrome_browsing_data.sh, \
          /Library/Application\ Support/servicenow/agent-client-collector/cache/acc-dex-modules/bin/scripts/sudo/services.sh, \
          /Library/Application\ Support/servicenow/agent-client-collector/cache/acc-dex-modules/bin/scripts/sudo/restart_service.sh *, \
          /Applications/Zscaler/Zscaler.app/Contents/PlugIns/zscli, \
          /Library/Application\ Support/servicenow/agent-client-collector/cache/acc-dex-modules/bin/scripts/sudo/elevate_temporary_admin.sh

      # ServiceNow user permissions
      # _servicenow user can run osqueryi and all SN_ALLOWED commands without password
      # SETENV allows environment variables to be preserved
      _servicenow ALL=NOPASSWD: SETENV: /Library/Application\ Support/servicenow/agent-client-collector/cache/osquery/bin/osqueryi *, SN_ALLOWED

      # Defaults for _servicenow user
      # !requiretty: Allow sudo without a TTY (required for automated scripts)
      Defaults:_servicenow !requiretty

  Save and exit.
  Note that the spaces in the paths under /Library/Application Support are escaped with a backslash; sudoers splits a command on unescaped spaces, so an unescaped path would be read as a program followed by an argument pattern. Several entries in SN_ALLOWED (for example /bin/rm, /bin/kill, /usr/bin/find and /usr/bin/open) carry no argument restriction, so sudo lets _servicenow run them as root with any arguments, and SETENV lets the caller pass its environment through. The protection offered by this configuration therefore rests on the _servicenow account itself and on the scripts listed under /Library/Application Support/servicenow/agent-client-collector/ being owned by root and not writable by that user, because sudo runs them as root exactly as found on disk.
- Validate the file syntax by running visudo -c -f /etc/sudoers.d/_servicenow.
  Expected output: /etc/sudoers.d/_servicenow: parsed OK
- Set the file ownership and permissions:
  - chown root:wheel /etc/sudoers.d/_servicenow
  - chmod 440 /etc/sudoers.d/_servicenow
  sudo checks the owner and mode of every sudoers file it reads and rejects one that is writable by anyone other than root, so a drop-in with the wrong permissions is silently ineffective rather than merely untidy.
- Confirm that the drop-in directory is included from the main sudoers file by running grep -i include /etc/sudoers.
  Expected output: a line ending in /etc/sudoers.d, such as #includedir /etc/sudoers.d. Keep the file name exactly as _servicenow: sudo ignores files in /etc/sudoers.d whose names contain a dot or end in a tilde, which is how it skips editor backups and package-manager leftovers.
- Check the effective permissions of the ServiceNow user by running sudo -u _servicenow sudo -l (as root, sudo -l -U _servicenow shows the same thing).
  The output lists every allowed command, confirming that the rules are active.
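The procedure above, carried out as a script: an added example written for this page, not ServiceNow's own tooling. It renders the drop-in from the page's command list (so the backslash escaping of paths is done mechanically), installs it the way a practitioner would on a fleet (write to a temporary file beside the target, run visudo -c on that copy, and only then rename it into place, so sudo never sees a half-written or rejected file), and audits the installed file's owner, group and mode against what sudo requires. The paths and rule text are the page's; the helper names, the temp-file install pattern and the audit function are this example's own choices, and installing requires root on the Mac in question.

```python
"""Render, validate, install and audit the _servicenow sudoers drop-in.

Added example for this page, not ServiceNow's own tooling. The paths and
rules are the ones the page lists; the function names and the temp-file
install pattern are this example's own choices.
"""
import os
import stat
import subprocess
import tempfile

SUDOERS_DROP_IN = "/etc/sudoers.d/_servicenow"
SERVICENOW_USER = "_servicenow"
ACC_CACHE = "/Library/Application Support/servicenow/agent-client-collector/cache"
SCRIPT_DIR = f"{ACC_CACHE}/acc-dex-modules/bin/scripts/sudo"
OSQUERYI = f"{ACC_CACHE}/osquery/bin/osqueryi"

# (program path, argument pattern) pairs from the page's Cmnd_Alias. An empty
# pattern means sudoers accepts any arguments; "*" says the same explicitly.
SN_ALLOWED = [
    ("/usr/bin/powermetrics", ""), ("/usr/bin/mdls", ""),
    ("/usr/bin/log", ""), ("/usr/bin/log", "show *"),
    ("/bin/kill", ""), ("/usr/bin/defaults", ""), ("/usr/local/bin/jamf", ""),
    ("/bin/rm", ""), ("/bin/ls", ""), ("/usr/bin/pgrep", ""), ("/usr/bin/find", ""),
    ("/usr/bin/pmset", ""), ("/usr/bin/open", ""),
    (f"{SCRIPT_DIR}/app_freeze.sh", ""),
    (f"{SCRIPT_DIR}/zscaler_zpa_reconnect.sh", ""),
    (f"{SCRIPT_DIR}/clear_google_chrome_browsing_data.sh", ""),
    (f"{SCRIPT_DIR}/services.sh", ""),
    (f"{SCRIPT_DIR}/restart_service.sh", "*"),
    ("/Applications/Zscaler/Zscaler.app/Contents/PlugIns/zscli", ""),
    (f"{SCRIPT_DIR}/elevate_temporary_admin.sh", ""),
]


def sudoers_entry(path, args=""):
    """Escape spaces inside the program path (sudoers splits a command on
    unescaped spaces) but keep the single space before the argument pattern."""
    escaped = path.replace(" ", "\\ ")
    return f"{escaped} {args}" if args else escaped


def render_drop_in(user=SERVICENOW_USER, allowed=SN_ALLOWED, osqueryi=OSQUERYI):
    """Produce the drop-in text shown in the procedure above."""
    alias = "Cmnd_Alias SN_ALLOWED = " + ", \\\n    ".join(
        sudoers_entry(p, a) for p, a in allowed)
    rule = (f"{user} ALL=NOPASSWD: SETENV: "
            f"{sudoers_entry(osqueryi, '*')}, SN_ALLOWED")
    return "\n".join([
        "# ServiceNow Agent Client Collector - sudoers configuration for macOS",
        alias,
        "",
        "# osqueryi and every SN_ALLOWED command without a password;",
        "# SETENV lets the caller pass its environment through",
        rule,
        "",
        "# The agent calls sudo from a non-interactive process, so no TTY",
        f"Defaults:{user} !requiretty",
        "",
    ])


def audit_stat(st_mode, st_uid, st_gid):
    """Compare a file's mode/owner/group with what sudo expects of a sudoers
    file: mode 0440, owned by root (uid 0) and wheel (gid 0 on macOS)."""
    findings = []
    mode = stat.S_IMODE(st_mode)
    if mode != 0o440:
        findings.append(f"mode is {mode:04o}, expected 0440")
    if st_uid != 0:
        findings.append(f"owner uid is {st_uid}, expected 0 (root)")
    if st_gid != 0:
        findings.append(f"group gid is {st_gid}, expected 0 (wheel)")
    return findings


def audit_drop_in(path=SUDOERS_DROP_IN):
    """Return findings for the installed drop-in; an empty list means it matches."""
    st = os.stat(path)
    return audit_stat(st.st_mode, st.st_uid, st.st_gid)


def validate_with_visudo(path):
    """Run `visudo -c -f PATH` and return (ok, combined output)."""
    proc = subprocess.run(["visudo", "-c", "-f", path],
                          capture_output=True, text=True)
    return proc.returncode == 0, proc.stdout + proc.stderr


def install_drop_in(content, path=SUDOERS_DROP_IN):
    """Write to a temp file beside the target, validate it, then rename it into
    place, so a broken file is never visible to sudo. Run as root. The temp
    name contains a '.', which sudo ignores inside sudoers.d until renamed."""
    fd, tmp = tempfile.mkstemp(prefix=".servicenow.", dir=os.path.dirname(path))
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        os.chown(tmp, 0, 0)
        os.chmod(tmp, 0o440)
        ok, output = validate_with_visudo(tmp)
        if not ok:
            raise RuntimeError(f"visudo rejected the drop-in:\n{output}")
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return audit_drop_in(path)


if __name__ == "__main__":
    print(render_drop_in())
```

Run it without arguments to print the rendered drop-in for review; call install_drop_in(render_drop_in()) from a root shell to put it in place, and audit_drop_in() afterwards (or on any machine during an audit) to confirm the owner, group and mode are the ones the procedure sets.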