SSH commands requiring a privileged user during probe-based discovery

  • Release version: Zurich
  • Updated July 31, 2025

    These tables display the SSH commands run by Discovery probes during horizontal discovery. These SSH commands require elevated privileges to run.

    Operating system commands requiring elevated rights

    These examples assume that the user name is Disco. Substitute the actual user name and verify that the paths for the commands match the paths on the system.
    Note:
    Sudo commands don’t work with private key credentials, because there’s no password to supply to the sudo command. A solution is to add the NOPASSWD option to the sudo configuration. For example, you might enter: disco ALL=(root) NOPASSWD:/usr/sbin/dmidecode,/usr/sbin/lsof,/sbin/ifconfig.

    For information on commands that don’t require elevated rights, see Non-privileged SSH commands during probe-based discovery.

    For information on commands used by Service Mapping during the top-down discovery, see Service Mapping commands requiring a privileged user and Service Mapping commands not requiring a privileged user.
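
    One way to check both caveats above, the command paths and the NOPASSWD requirement, before pointing Discovery at a host. This is an added example, not ServiceNow's code: the function name audit_discovery_sudoers is hypothetical, and the parser is simplified to single-line user entries without aliases or line continuations.

```shell
#!/bin/sh
# Added example (not ServiceNow code): audit sudoers grants for the Discovery user.
# Simplified parser: single-line "user host=(runas) [NOPASSWD:] cmd, cmd" entries
# only; aliases, line continuations and included files are not followed.

# audit_discovery_sudoers FILE USER  (hypothetical helper name)
audit_discovery_sudoers() {
    awk -v user="$2" '
        $1 == user {
            line = $0
            # Drop "user host=(runas)" so only the tag and command list remain.
            sub(/^[^=]*=[ \t]*(\([^)]*\))?[ \t]*/, "", line)
            nopass = (line ~ /^NOPASSWD:/)
            sub(/^NOPASSWD:[ \t]*/, "", line)
            n = split(line, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                split(cmds[i], words, /[ \t]+/)   # words[1] is the binary path
                tag = nopass ? "NOPASSWD" : "PASSWD"
                print tag, words[1]
            }
        }' "$1" |
    while read -r mode path; do
        if [ "$mode" = PASSWD ]; then
            echo "FAIL $path: no NOPASSWD, sudo prompts and a key login has no password"
        elif [ ! -x "$path" ]; then
            echo "WARN $path: no executable at this path on this host"
        else
            echo "OK $path"
        fi
    done
}

# Constructed sample, built from sudoers lines shown on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Disco ALL=(root) /usr/bin/fdisk -l
Disco ALL=(root) NOPASSWD: /sbin/dmidecode, /sbin/lsof
EOF
audit_discovery_sudoers "$sample" Disco
rm -f "$sample"
```

    Run it on the target host against /etc/sudoers and any drop-in files, and validate sudoers edits with visudo -c before relying on them.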

    SSH key not validated

    When the MID Server connects to a system, the MID Server doesn’t perform host key validation against that system and so treats it as untrusted. If an attacker performs a man-in-the-middle attack and redirects the traffic to a malicious SSH service, the attacker can intercept or modify any data sent over the connection.

    Therefore, limit any sensitive information exchanged between the MID Server and the target SSH server. Only use keys or certificates for SSH authentication, and avoid sending system credentials. Configure NOPASSWD in the sudoers file for the required privileged commands.

    Table 1. HP-UX
    Command Purpose
    adb Gathers CPU speed and memory.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/adb

    Table 2. All Linux
    Command Purpose
    dmidecode Gathers several pieces of information about the hardware, including the serial number embedded within the motherboard.

    /etc/sudoers line example: Disco ALL=(root) /sbin/dmidecode

    fdisk Gathers the disks and size information on the system.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/fdisk -l

    multipath Gathers device mappings for MultiPath Input Output (MPIO).

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/multipath -ll

    Table 3. Linux and Solaris
    Command Purpose
    dmsetup Examines a low-level volume.

    /etc/sudoers line example

    • Disco ALL=(root) /usr/bin/dmsetup table *
    • Disco ALL=(root) /usr/bin/dmsetup ls

    Table 4. All UNIX versions
    Command Purpose
    lsof Determines the relationship between processes and the connections being made to the system.

    /etc/sudoers line example: Disco ALL=(root) /sbin/lsof

    oratab Grants read access to the oratab file for locating the Oracle Home and pfile.

    netstat Determines the relationship between processes and the connections being made to the system.

    /etc/sudoers line example: Disco ALL=(root) /bin/netstat

    ss Determines the relationship between processes and the connections being made to the system.

    /etc/sudoers line example: Disco ALL=(root) /sbin/ss

    Table 5. Solaris
    Command Purpose
    iscsiadm Gets iSCSI qualified names (IQNs).

    /etc/sudoers line example: ${sudo:iscsiadm list target -S}

    fcinfo Gets World Wide Port Names (WWPNs) for ports.

    /etc/sudoers line example: ${sudo:fcinfo remote-port -sl -p $port}

    prtvtoc Reports information about disk partitions.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/prtvtoc

    /usr/bin/ps Lists running processes. As an alternative to running with root access, add a proc_owner role.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/ps

    /usr/ucb/ps Lists running processes. As an alternative to running with root access, add a proc_owner role.

    The use of the /usr/ucb/ps command is deprecated as of Solaris 11. Because Discovery requires the use of this command for all Solaris versions, you must install the ucb utility manually on Solaris 11 systems. For instructions, see KB0564262.

    /etc/sudoers line example: Disco ALL=(root) /usr/ucb/ps

    pgrep Gets list of process IDs (PIDs) with socket information.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/pgrep

    pfiles For each PID, gets and processes the output for S_IFSOCK.

    /etc/sudoers line example: Disco ALL=(root) /usr/bin/pfiles