SSH user permissions on target server
Hi team,
What are the necessary minimum user permissions on the target hosts, that is, a bare metal server with the Red Hat operating system and an SSH server running on it? The collector executable that is planned is the "Native Win32 Version (Host Optics only)", planned to run 24h on a Windows OS.
Venelin
The answer here is that “it depends.”
Optical Prime only reads data from the OS on Linux. It makes no configuration changes. However, some of the data points that are gathered by Optical Prime often require super-user level (root) privileges to execute. Some of these commands return rather innocuous data, like logical volume configuration, SAN cluster disk serial numbers, and SAN multipathing information. Guest VM information on KVM and Xen also requires privileged access. If it were up to the Live Optics team, reading these data points would not require super-user privileges. But the OS developers thought otherwise.
Optical Prime will execute regardless of the privileges, as long as the user has basic read access. However, some data points, especially around the configuration of the underlying storage, and hypervisor data points will be missing.
So, if you are purely interested in total capacities and total IO profiles, then root privileges are not necessary. However, if you are interested in accurate usable capacities and information on how underlying physical devices are mapped to logical volumes, then root privilege is required.
In general, we advise that Optical Prime be granted super-user level privileges to avoid any confusion when the report data is finally analyzed.
The following is a list of most (if not all) of the commands run by the Linux collector and general paths to files that are accessed by the collector. Note, some of these commands and paths might require root level privileges to access.
Command or Path: Notes
bash: Our collector requires that bash is installed on the system (which is installed by default on all Linux distros). The collector relies on many of the built-in bash commands (echo, cat, etc.) that are not listed here.
/etc/*: The collector looks in the ‘/etc’ folder to identify the Linux distro version
/proc/version: OS version info
df: Filesystem information
/dev/*: Used to detect device (disk) mappings
xl: Xen admin tool for Xen servers
/proc/cpuinfo: Kernel file for reading CPU information
xe: Xen admin tool for Xen servers
domainname: Tool for reading the DNS domain name
virsh: KVM admin tool for KVM servers
/proc/meminfo: Kernel file for reading memory configuration
/proc/stat: Kernel file for reading running process information
/proc/vmstat: Kernel file for reading memory page fault information
xentop: Tool for reading Xen performance for Xen servers
rpm: Tool for reading installed apps
dpkg-query: Tool for reading installed apps
/var/db/pkg: Path for reading installed apps on Gentoo
getconf: Returns kernel configuration information
/proc/*/stat: Kernel files accessed for running process information
/proc/*/io: Kernel files accessed for running process information
/proc/*/statm: Kernel files accessed for running process information
sudo: Used for root privilege if available
lspci: Tool for reading PCI devices
cut: Text processing tool
awk: Text processing tool
grep: Text searching tool
dmidecode: Tool for reading system configuration
/dev/mem: Kernel file required for using dmidecode
/proc/scsi/scsi: Kernel file for reading SCSI device information
dmesg: Tool for reading boot up log
/proc/net/dev: Path for network device information
ethtool: Tool for reading Ethernet device configuration
ifconfig: Tool for reading network interface configuration
/dev/mapper: Path required to read device mappings
find: Tool for searching the filesystem
dmsetup: Tool for reading device mappings
/dev/disk/by-id: Path needed for mapping disk IDs
su: Switch user tool used if root access provided
/sys/block/*: Paths to kernel files describing block IO devices
/dev/oracleasm/disks: Path to Oracle ASM disks folder
oracleasm: Tool for reading Oracle ASM configuration
iscsiadm: Tool for reading iSCSI configuration
scsi_id: Tool for reading SCSI configuration
/lib/udev/scsi_id: Path for reading SCSI configuration
multipath: Tool for reading multipath information
vgdisplay: Tool for reading logical volume information
ssh: Used for remote connections
uname: Kernel version info
Venelin,
These are often customer specific and difficult for us to answer. Every customer can set up security differently. Your basic administrator shouldn't have any issues so long as their account can administer the box itself. However, if there are specific security measures (i.e., RSA), we have the Linux version that can be run locally and support for sudo.
The key to understanding if you need to uplevel your creds is: cannot connect, or the report lacks some detail like hardware information where it didn't have permission to pull the values.
Sam,
I hope you don't expect customers to give you root user access on a Red Hat Linux box. My understanding is that once logged in with SSH you will need only read permissions or access to specific tools on the Red Hat server.
Once again, the question is about the permissions of the user on the target bare metal server that is accessed via SSH, not the permissions on the host where the Native Win32 collector client is being installed.
I would be glad if you could be more specific about the tools on Linux that need to be accessed. Then it could be figured out what local permissions and user need to be configured.
Best
Hi,
I realize this is an old topic but still relevant to our situation.
I really need to use sudo to restrict the remote SSH user liveoptics to only have root privileges for executing a specific subset of commands.
Otherwise security audits will chop my head off .. :)
Is there any documentation on this?
Thanks in advance.
Regards, John
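One way to do what John asks, as an added example that is not Live Optics' own code or documentation: a sudoers drop-in generated on the Red Hat host that limits the liveoptics SSH user to running, as root, only the privileged read-only tools from the command list above, while everything else (df, /proc reads, rpm, etc.) keeps running unprivileged. The user name liveoptics, the particular command set and the /etc/sudoers.d/liveoptics path are assumptions; confirm on your own box which tools actually fail without root before adding them.

```shell
#!/bin/sh
# Added example, not Live Optics' own code. Builds a sudoers drop-in so the
# collector's SSH user can run only the read-only tools from the list above
# as root (the collector prefixes them with sudo when sudo is available).
# Assumptions (verify on your host): the user is "liveoptics", and the tools
# passed to install_sudoers are the ones that actually failed unprivileged.

# gen_sudoers USER CMD... : print sudoers text for USER on stdout.
# sudoers rules need absolute paths, so each name is resolved with
# `command -v`; names that do not resolve are skipped with a warning so the
# rule never silently widens to "any dmidecode found on PATH".
gen_sudoers() {
    user=$1; shift
    paths=
    for name in "$@"; do
        p=$(command -v "$name" 2>/dev/null) || { echo "warning: $name not found, skipped" >&2; continue; }
        case $p in
            /*) paths="${paths:+$paths, }$p" ;;      # absolute path: keep it
            *)  echo "warning: $name is a builtin/alias, skipped" >&2 ;;
        esac
    done
    [ -n "$paths" ] || return 1
    # NOPASSWD: the collector runs unattended for 24h, nobody can type a password.
    # !requiretty: the requiretty default on older RHEL breaks non-interactive SSH.
    printf 'Cmnd_Alias COLLECTOR_RO = %s\n' "$paths"
    printf '%s ALL=(root) NOPASSWD: COLLECTOR_RO\n' "$user"
    printf 'Defaults:%s !requiretty\n' "$user"
}

# install_sudoers : write, syntax-check and activate the drop-in (run as root,
# e.g. `sh -c '. ./liveoptics-sudoers.sh && install_sudoers'`).
# Never add bash, awk, grep, cut, find, su or ssh here: each gives a root shell.
# sudo ignores drop-in names containing '.', so the half-written .tmp file is
# never parsed; it only becomes live after visudo -c accepts it.
install_sudoers() {
    file=/etc/sudoers.d/liveoptics
    gen_sudoers liveoptics dmidecode dmsetup multipath vgdisplay iscsiadm \
        scsi_id virsh xl xe xentop oracleasm > "$file.tmp" &&
    visudo -cf "$file.tmp" && chmod 0440 "$file.tmp" && mv "$file.tmp" "$file"
}
```

After installing, run the collector once more as liveoptics and compare the report: any storage or hypervisor detail still missing points at a tool that needs adding to the alias, which is a far smaller change than handing out a root login.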