SSH commands requiring a privileged user during probe-based discovery

Release version: Zurich

Updated July 31, 2025

2 minutes to read

Summarize

Summarized using AI

Summary of SSH commands requiring a privileged user during probe-based discovery

This content outlines the SSH commands used by ServiceNow Discovery probes during horizontal discovery that require elevated (privileged) user rights. These commands help gather detailed system information essential for accurate discovery of target machines. The commands run under a user account (commonly namedDisco), which must have sudo privileges configured appropriately to execute these commands without password prompts.

Show full answer Show less

It is important to configure the sudoers file with the NOPASSWD option for the required commands, as sudo commands cannot be used with private key authentication without password prompts. This ensures smooth automated discovery operations.

Key Considerations

SSH key validation: The MID Server does not validate host keys, so the SSH connection is treated as untrusted. To mitigate risks such as man-in-the-middle attacks, avoid sending sensitive credentials over these connections and prefer using SSH keys or certificates for authentication.
Sudo configuration: The user running Discovery probes should have specific commands permitted with NOPASSWD in the sudoers file to allow seamless command execution.
Command paths: Verify and adjust command paths in the sudoers file and Discovery configurations to match the target system's environment.

Commands Requiring Elevated Privileges

The commands vary depending on the operating system. Below are examples with suggested sudoers entries for the user Disco:

HP-UX: adb to gather CPU speed and memory (Disco ALL=(root) /usr/bin/adb).
Linux:
- dmidecode for hardware info including serial numbers (Disco ALL=(root) /sbin/dmidecode).
- fdisk -l to retrieve disk and size info (Disco ALL=(root) /usr/bin/fdisk -l).
- multipath -ll for multipath device mappings (Disco ALL=(root) /usr/bin/multipath -ll).
Linux and Solaris:
- dmsetup for low-level volume examination (Disco ALL=(root) /usr/bin/dmsetup table and Disco ALL=(root) /usr/bin/dmsetup ls).
All UNIX versions:
- lsof to map processes to connections (Disco ALL=(root) /sbin/lsof).
- netstat or ss to understand process connection relationships (Disco ALL=(root) /bin/netstat and Disco ALL=(root) /sbin/ss).
- Read access to oratab for Oracle home and pfile location.
Solaris:
- iscsiadm to get iSCSI qualified names.
- fcinfo to retrieve WWPNs for ports.
- prtvtoc for disk partition info (Disco ALL=(root) /usr/bin/prtvtoc).
- ps command to list running processes (can be run with root or by assigning a procowner role). Solaris 11 requires manual installation of /usr/ucb/ps as it is deprecated (Disco ALL=(root) /usr/ucb/ps).
- pgrep for process IDs with socket info (Disco ALL=(root) /usr/bin/pgrep).
- pfiles to process socket file info (Disco ALL=(root) /usr/bin/pfiles).

Practical Application for ServiceNow Customers

To enable successful probe-based horizontal discovery using SSH on your target systems, ensure the Discovery user is configured with passwordless sudo rights for the listed commands relevant to your operating systems. Confirm that command paths and sudoers configurations are accurate to prevent probe failures. Use SSH keys or certificates for authentication and avoid transmitting sensitive credentials to minimize security risks.

By implementing these configurations, your Discovery probes can efficiently gather comprehensive system information, leading to a more complete and accurate CMDB population.

These tables display the SSH commands run by Discovery probes during horizontal discovery. These SSH commands require elevated privileges to run.

Operating system commands requiring elevated rights

These examples assume that the user name is Disco. Substitute the actual user name and verify that the paths for the commands match the paths on the system.

Note:

Sudo commands don’t work with private key credentials, because there’s no password to supply to the sudo command. A solution is to add the NOPASSWD option to the sudo configuration. For example, you might enter:

disco ALL=(root)
                  NOPASSWD:/usr/sbin/dmidecode,/usr/sbin/lsof,/sbin/ifconfig

For information on commands that don’t require elevated rights, see SSH commands not requiring a privileged user during probe-based discovery.

For information on commands used by Service Mapping during the top-down discovery, see Service Mapping commands requiring a privileged user and Service Mapping commands not requiring a privileged user.

SSH key not validated

When the MID Server connects to a system, the MID Server doesn’t perform host key validation against that system and so treats it as untrusted. If an attacker performs a man-in-the-middle attack and redirects the traffic to a malicious SSH service, the attacker can intercept or modify any data sent over the connection.

Therefore, limit any sensitive information exchanged between the MID Server and the target SSH server. Only use keys or certificates for SSH authentication, and avoid sending system credentials. Configure NOPASSWD in the sudoers file for the required privileged commands.

Table 1. HP-UX
Command	Purpose
adb	Gathers CPU speed and memory. /etc/sudoers line example: `Disco ALL=(root) /usr/bin/adb`

Table 2. All Linux
Command	Purpose
dmidecode	Gathers several pieces of information about the hardware, including the serial number embedded within the motherboard. /etc/sudoers line example: `Disco ALL=(root) /sbin/dmidecode`
fdisk	Gathers the disks and size information on the system. /etc/sudoers line example: `Disco ALL=(root) /usr/bin/fdisk -l`
multipath	Gathers device mappings for MultiPath Input Output (MPIO). /etc/sudoers line example: `Disco ALL=(root) /usr/bin/multipath -ll`

Table 3. Linux and Solaris
Command	Purpose
dmsetup	Examines a low-level volume. /etc/sudoers line example `Disco ALL=(root) /usr/bin/dmsetup table *` `Disco ALL=(root) /usr/bin/dmsetup ls`

Table 4. All UNIX versions
Command	Purpose
lsof	Determines the relationship between processes and the connections being made to the system. /etc/sudoers line example: `Disco ALL=(root) /sbin/lsof`
oratab	Grants read access to the oratab file for locating the Oracle Home and pfile.
netstat	Determines the relationship between processes and the connections being made to the system. /etc/sudoers line example: `Disco ALL=(root) /bin/netstat`
ss	Determines the relationship between processes and the connections being made to the system. /etc/sudoers line example: `Disco ALL=(root) /sbin/ss`

Table 5. Solaris
Command	Purpose
iscsiadm	Gets iSCSI qualified names (IQNs). /etc/sudoers line example: `${sudo:iscsiadm list target -S}`
fcinfo	Gets World Wide Port Names (WWPNs) for ports. /etc/sudoers line example: `${sudo:fcinfo remote-port -sl -p $port}`
prtvtoc	Reports information about disk partitions. /etc/sudoers line example: `Disco ALL=(root) /usr/bin/prtvtoc`
/usr/bin/ps	Lists running process. As an alternative to running with root access, add a proc_owner role.sola. /etc/sudoers line example: `Disco ALL=(root) /usr/bin/ps`
/usr/ucb/ps	Lists running process. As an alternative to running with root access, add a proc_owner role. The use of the `/usr/ucb/ps` command is deprecated as of Solaris 11. Because Discovery requires the use of this command for all Solaris versions, you must install the ucb utility manually on Solaris 11 systems. For instructions, see KB0564262. /etc/sudoers line example: `Disco ALL=(root) /usr/ucb/ps`
pgrep	Gets list of process IDs (PIDs) with socket information. /etc/sudoers line example: `Disco ALL=(root) /usr/bin/pgrep`
pfiles	For each PID, gets and processes the output for S_IFSOCK. /etc/sudoers line example: `Disco ALL=(root) /usr/bin/pfiles`

Privileged SSH commands