RVY200442: Required Permissions for a Zero Touch Inventory of Linux, UNIX, and Mac Devices

General Information

This article describes the permissions required for an Inventory Service Account used to perform a Zero-Touch Inventory of Linux/UNIX/Mac devices by connecting to them via SSH.

User Specifications

Option 1:  sudoer

A sudoer without any restrictions on the command lines is the simplest approach to enable RayVentory to execute all necessary commands and to read some folders and files (for details, see below).

Such a service account must be added to each device and permitted in the sudoers list, and this configuration must be rolled out to all devices that will be targeted by this user account.

 

Option 2:  Account with minimum permissions

This option realizes a least-privilege approach. Permissions are described in the following tables covering all commands and files required for Zero-Touch Inventory. 

Such an approach requires named permissions on files and commands to be granted to the inventory service account, which accesses the target devices via SSH.

Once the permissions have been set for each platform, the credentials and permissions need to be rolled out to all devices in scope of scanning by Zero-Touch.

Legend:

Pic0.png

A) Commands and files which do not need privileges

Pic1.png

Pic2.png

B) Commands and files which do not explicitly require privileged rights

Pic3.png

Pic4.png

C) Commands and files which deliver best results with privileged rights

Pic5.png

Pic6.png

D) Commands which could require privileged rights depending on OS version

Pic7.png

Please check carefully!

It is very important to check, for every command, whether it can be executed without privileged rights in your environment. It is recommended to verify the permissions with your subject matter experts for each OS configuration used in your environment before starting a rollout or updates.

All commands and files are listed in the attached ZIP file, containing an Excel sheet.
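
To check before rollout whether a device grants the inventory account Option 1 (unrestricted) or Option 2 (named commands only), the sudoers entries can be classified as in the following added example, which is not part of the original article or of RayVentory. The account names and command paths are constructed placeholders, not the product's command list, and the parser only handles direct user entries (no aliases, groups or includes).

```shell
#!/bin/sh
# Classify the sudoers grant of an inventory service account.
# Account names and command paths are constructed for illustration;
# they are NOT taken from the RayVentory command list.

# Constructed sample sudoers fragment.
SAMPLE_SUDOERS='# constructed sample
rvinventory ALL=(ALL) NOPASSWD: ALL
rvscan ALL=(root) NOPASSWD: /usr/sbin/dmidecode, /usr/sbin/lsof -i
Defaults:rvscan !requiretty
backup ALL=(root) NOPASSWD: /usr/bin/rsync'

# classify_grant USER [FILE]
# Reads sudoers text from FILE (default: stdin) and prints one of:
#   unrestricted - an entry grants ALL commands (Option 1)
#   restricted   - only named commands are granted (Option 2)
#   none         - no direct entry for USER
classify_grant() {
    awk -v user="$1" '
        /^[ \t]*#/ { next }              # skip comment lines
        $1 != user { next }              # keep only entries for this account
        {
            line = $0
            sub(/^[^=]*=/, "", line)     # drop the "user host =" prefix
            gsub(/\([^)]*\)/, "", line)  # drop the runas specification
            gsub(/[A-Z_]+:/, "", line)   # drop tags such as NOPASSWD:
            n = split(line, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                if (c == "ALL") unrestricted = 1
                else if (c != "") restricted = 1
            }
        }
        END {
            if (unrestricted) print "unrestricted"
            else if (restricted) print "restricted"
            else print "none"
        }' "${2:--}"
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SUDOERS" | classify_grant rvinventory
```

On a live device, `sudo -l -U <account>` run as root shows the effective rules, including those that come from aliases and group entries.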
