To configure the environment for CCS data collection on UNIX target computers, you can assign the following privileges to users depending on your requirements:
Root account privileges
Non-root account privileges
A user having root account privileges gets default access to all UNIX commands and files, whereas a user having non-root account privileges has limited access to UNIX commands and files. For non-root user, you must install and configure sudo on the user’s target computer. Root user must assign additional privileges to the sudo user to access commands that a non-root user cannot access.
Using sudo functionality for querying UNIX targets
The Sudo functionality permits you to execute a command on a target computer, as a super user, or another user. For agentless raw data collection on UNIX targets, you can use the sudo (superuser do) functionality to run queries in the context of a super user. To use the Sudo functionality:
Make sure that the sudo program is installed on the UNIX target computer, on which you want to use the sudo functionality.
In the sudoers file, list the user accounts you will use to run the commands. Users whose credentials are added in the credentials database must have corresponding user accounts listed in the /etc/sudoers file. If you are the invoking user and a root user, and if the target user is the same as the invoking user, no password is required. However, if the invoking user and the target user are different, you must specify a password to execute commands on the target computer. See "Example of the sudoers file" .
In the bvAgentlessConfig.ini file, enable the sudo option by configuring the SupportsSudo parameter. The bvAgentlessConfig.ini file is present at the following location on CCS Manager. <INSTALL_DIR>\Symantec\CCS\Reporting and Analytics\DPS\control\Unix\ConfigFiles
In the ExecutionContext.ini file, prefix the word sudo before the commands of a query, to run the queries in the context of a super user. The ExecutionContext.ini file is present at the following location on CCS Manager.
To be able to use sudo for running queries, you can add the following in the sudoers file to disable password prompt for every command: <name> ALL=(ALL) NOPASSWD: ALL where, <name> is the native user, whose credentials are specified in the credential database. You may encounter the following issues if the password prompt is not disabled, and certain commands get blocked by not specifying a password:
Special values for certain commands such as hostname, may return different values.
If the uname command is blocked, validation of agentless targets may fail and the data sources will not return data.
Data sources may return incomplete data.
Configuring the SupportsSudo parameter in the bvAgentlessConfig.ini file
To be able to use sudo for running queries, you must enable the sudo option by configuring the SupportsSudo parameter in the bvAgentlessConfig.ini file. The parameter and its value is as follows: SupportsSudo=<value> Where, <value> is true or false. The default value is false, which means the use of sudo is disabled by default. To enable sudo for running queries on UNIX targets, specify the value as true. You must also specify the FQDN of the UNIX target computer before the SupportsSudo parameter. For example, [testcomputer.example.com] SupportsSudo=true Where, [testcomputer.example.com] is the FQDN of the UNIX target computer. After sudo is enabled in the bvAgentlessConfig.ini file, you can use the ExecutionContext.ini file for optimizing queries by prefixing the word sudo before the commands specified in the ExecutionContext.ini file. For information about CCS support for authentication with one account and sudo to root for general query credentials, see https://support.symantec.com/en_US/article.TECH189750.html
Optimizing queries using sudo in the ExecutionContext.ini file
To be able to use sudo for running queries in the context of a super user, you must prefix the word sudo before the commands of the query specified in the ExecutionContext.ini file. Following table lists the parameters which you can configure to run commands using sudo: Table 1-1 Parameters to be configured for running commands using sudo
Specify the value as true if you want to run all commands of a query on the target computer using sudo. If you want to run only specific commands of a query using sudo, then specify the value as false.
If you have specified the value as true for the ApplyPrefixForAll parameter, you can specify if any commands must be run without sudo. If you have specified the value as false for the ApplyPrefixForAll parameter, you can specify if any commands must be run with sudo. In this case the word sudo must be prefixed to each command..
<target platform> AIX, LINUX, SunOS, HP-UX
Specify for which platforms the queries must be run using sudo.
Specify for which targets the queries must be run using sudo. The name can be the name of the target computer as displayed in the CCS console, or the IP address of the target computer
Example of the sudoers file
This is an example of the contents of the sudoers file is located in the /etc directory of the UNIX target computer. This example contains sample configurations required to use the sudo functionality as mentioned in the section Using sudo functionality for querying UNIX targets. # User alias specification ## User_Alias UNIX_USERS = unix1, unix2, unix3 User_Alias CCS_USERS = bvunix1, bvunix2, bvunix3 ## # Runas alias specification Defaults:UNIX_USERS !authenticate Defaults:CCS_USERS !authenticate ## Runas_Alias SUPER_USERS = root Defaults logfile=/var/log/sudolog ## # Cmnd alias specification ## Cmnd_Alias APPLICATIONS = /usr/sbin/named Cmnd_Alias AIX_ADMINCMDS = /usr/sbin/lsps, /usr/sbin/lsattr Cmnd_Alias ADMINCMDS = /usr/sbin/prtconf, /sbin/runlevel, ulimit, AIX_ADMINCMDS, Cmnd_Alias NETWORKCMDS = /sbin/ifconfig, /usr/local/bin/nslookup, inetadm -p Cmnd_Alias FILECMDS = /bin/cat, /bin/date '+%Z', /usr/bin/strings -n, \ /usr/bin/diff, /usr/bin/cmp, /usr/bin/find, \ /bin/echo, /usr/bin/file, /bin/df -P, \ /usr/bin/cksum, /bin/ls -la, /bin/ls -lad, \ /bin/ls -lac, /bin/ls -lau #Cmnd_Alias COMMONCMDS = /usr/bin, /bin, /usr/local/bin Cmnd_Alias SU = /usr/bin/su Cmnd_Alias SYSADMCMD = /usr/lib/sendmail Cmnd_Alias ACTIVEADMCMDS = /usr/sbin/adduser UNIX_USERS ALL = (SUPER_USERS) APPLICATIONS, NETWORKCMDS, ADMINCMDS, FILECMDS, !SU, !ACTIVEADMCMDS, !SYSADMCMD, NOPASSWD: ALL CCS_USERS ALL = NOPASSWD: ALL