RVY200442: Required Permissions for a Zero Touch Inventory of Linux, UNIX, and Mac Devices

General Information

This article describes the permissions required for an Inventory Service Account that performs a Zero-Touch Inventory of Linux/UNIX/Mac devices by connecting to them via SSH.

User Specifications

Option 1:  sudoer

A sudoer without any restrictions on the command lines is the simplest way to enable RayVentory to execute all necessary commands and to read some folders and files (see below for details).

Such a service account needs to be added to each device, permitted in the sudoers list, and rolled out to all devices that will be targeted by this user account.

 

Option 2:  Account with minimum permissions

This option implements a least-privilege approach. The permissions are described in the following tables, which cover all commands and files required for Zero-Touch Inventory.

This approach requires named permissions on files and commands to be granted to the inventory service account, which will access the target devices by SSH.

Once the permissions have been set for each platform, the credentials and permissions need to be rolled out to all devices in scope of scanning by Zero-Touch.

Legend:

Legend.PNG

A) Commands and files which do not need privileges

Commands_which_do_not_need_privileges.PNG

Files_which_do_not_need_privileges.PNG

B) Commands and files which do not explicitly require privileged rights

Commands_which_do_not_explicit_require_privileged_rights.PNG

Files_which_do_not_explicit_require_privileged_rights.PNG

C) Commands and files which deliver best results with privileged rights

Commands_which_deliver_best_results_with_privileged_rights.PNG

Files_which_deliver_best_results_with_privileged_rights.PNG

D) Commands which could require privileged rights depending on OS version

Commands_depending_on_OS_version.PNG

Please check carefully!

It is very important to check all commands in your environment and whether they can be executed without privileged rights. It is recommended to verify the permissions with your subject matter experts for each OS configuration used in your environment before starting a rollout or updates.

All commands and files are listed in the attached ZIP file, containing an Excel sheet.
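One way to run the check described above on a target host, as an added example that is not part of the original article or of RayVentory. The command and file lists are constructed samples and the function names are hypothetical; substitute the entries from the Excel sheet for your platform and run the script as the inventory service account.

```shell
#!/bin/sh
# Pre-rollout check, run AS the inventory service account on a target host.
# SAMPLE_CMDS / SAMPLE_FILES are constructed samples, not the vendor's list.
SAMPLE_CMDS="uname hostname dmidecode"
SAMPLE_FILES="/etc/os-release /etc/shadow"
# Admin tools often live in sbin directories missing from a user's PATH.
PATH="$PATH:/usr/sbin:/sbin"

# Prints: missing | present,sudo=yes | present,sudo=no | present,sudo=n/a
check_cmd() {
    cmd_path=$(command -v "$1" 2>/dev/null) || { echo "missing"; return; }
    if ! command -v sudo >/dev/null 2>&1; then
        echo "present,sudo=n/a"; return
    fi
    # -n never prompts for a password; -l <cmd> exits 0 only when the
    # sudoers policy permits this exact command for the calling user.
    if sudo -n -l "$cmd_path" >/dev/null 2>&1; then
        echo "present,sudo=yes"
    else
        echo "present,sudo=no"
    fi
}

# Prints: not-found | readable | needs-privilege
# A file under a directory the account cannot search also shows as not-found.
check_file() {
    if [ ! -e "$1" ]; then
        echo "not-found"
    elif [ -r "$1" ]; then
        echo "readable"
    else
        echo "needs-privilege"
    fi
}

report() {
    for c in $SAMPLE_CMDS; do
        printf 'cmd  %-14s %s\n' "$c" "$(check_cmd "$c")"
    done
    for f in $SAMPLE_FILES; do
        printf 'file %-20s %s\n' "$f" "$(check_file "$f")"
    done
}

report
```

A result of `sudo=yes` for every sampled command usually means the account is an unrestricted sudoer (Option 1); under Option 2 only the commands explicitly granted should report `sudo=yes`.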
