

Configuring sudo for UNIX and Linux Softagent Discovery

When the NDG Softagent discovers UNIX and Linux servers, NDG attempts to establish an SSH connection to each host using the set of credentials provided in the credential vault. Depending on how your UNIX/Linux security is configured, some commands issued by the NDG Softagent may not be authorized for a non-root user, which results in less data being discovered for the server.

You have the following options to avoid having a non-root user issue discovery-related commands:

You also have to define a path for the userid that is associated with the sudo user that includes all the locations for the following commands and utilities that NDG discovery uses:

To configure the /etc/sudoers file to use sudo to authorize non-root users

  1. Edit the /etc/sudoers file using the visudo command.
  2. Create the following entry for the user ndguser to issue all NDG Softagent commands using sudo without prompting for root credentials:
    # simple entry for ndg discovery if client does not need granularity
    # ndguser ALL=NOPASSWD: ALL
    # detailed entry for ndg discovery permitting only those commands used by discovery
    
    ndguser ALL = NOPASSWD: /bin/uname, /bin/echo, /bin/cat, \
                            /bin/domainname, /bin/hostname, \
                            /bin/netstat, /bin/df, /bin/ps, /bin/rpm, \
                            /bin/ls, /sbin/ifconfig, /sbin/ip, \
                            /sbin/mii-tool, /sbin/chkconfig, \
                            /sbin/sfdisk, /usr/sbin/dmidecode, \
                            /usr/bin/cdrecord, \
                            /opt/xensource/bin/xe, /bin/lshmc
    

    Note: You can modify this entry to authorize an existing user instead of creating ndguser. If your system already has a user configured in the /etc/sudoers file to issue all commands without password prompting, or a granular list that contains all of the commands shown, that user can be used without any modifications by adding this user to your credential vault.

  3. Save and close the sudoers file.
  4. Click the Enable use of sudo check box on the Network Scan Policy page as described in Create a Network Scan Policy.
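
The following check is an added example, not part of the NDG documentation. It lists the command paths a sudoers entry grants to a user with NOPASSWD and flags any that are missing on the host, or whose file or directory a non-root account could modify, because such a binary would run as root through sudo. The helper names `sudo_cmds` and `audit_sudo_cmds` and the `OWNER_UID` variable are assumptions of this example.

```sh
#!/bin/sh
# Added example, not vendor code. Helper names and OWNER_UID are assumptions.

# Print the absolute command paths USER may run with NOPASSWD (sudoers text on stdin).
sudo_cmds() {
    awk -v user="$1" '
        /^[ \t]*#/  { next }                      # skip comment lines
        buf == ""   { who = $1 }                  # first field of an entry is the user
                    { buf = buf " " $0 }
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, "", buf); next }   # entry continues on next line
        {
            if (who == user && split(buf, part, "NOPASSWD:") == 2) {
                n = split(part[2], cmd, ",")
                for (i = 1; i <= n; i++) {
                    split(cmd[i], word, " ")      # word[1] is the path, the rest arguments
                    if (word[1] ~ /^\//) print word[1]
                }
            }
            buf = ""
        }'
}

# Read paths on stdin and label each MISSING, UNSAFE or OK. UNSAFE means the file or
# its directory is not owned by OWNER_UID (default 0) or is group/world-writable.
# Returns non-zero if any path is not OK.
audit_sudo_cmds() {
    owner=${OWNER_UID:-0}
    rc=0
    while IFS= read -r p; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; rc=1
        elif [ -n "$(find -L "$p" "$(dirname "$p")" -prune \
                     \( ! -user "$owner" -o -perm -020 -o -perm -002 \))" ]; then
            echo "UNSAFE  $p"; rc=1
        else
            echo "OK      $p"
        fi
    done
    return $rc
}

# Demo on a constructed two-line entry in the page's format (host paths are checked).
printf '%s\n' 'ndguser ALL = NOPASSWD: /bin/uname, /bin/cat, \' \
              '                        /sbin/ip, /usr/sbin/dmidecode' |
    sudo_cmds ndguser | audit_sudo_cmds || true
```

On a real host, run it as root against the live file: `sudo_cmds ndguser < /etc/sudoers | audit_sudo_cmds`. Paths reported as MISSING can be trimmed from the entry for that host.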

Define the path for the sudo user

  1. Edit the shell configuration file for your UNIX or Linux system's shell (typically, .bashrc in the user's $HOME directory), and add the following lines to the user's PATH definition:
    PATH=$PATH:/bin:/sbin:/usr/sbin:/opt/xensource/bin
    export PATH
    
  2. Save and close the file.