Using Sudo to Grant Privileges For Linux Servers
- Dave Laing
- Deepak Bojanapati
To add a Linux server to the Agentless Data Collector, the account used must be either root or have password-less sudo privileges. When specifying which individual commands an account should be able to run, sudo requires the full path to the command to be specified in the sudoers file. Because of this, the entries will vary slightly depending on the linux distribution. Most commonly, some distributions prefer to use /bin and /sbin, while some prefer /usr/bin and /usr/sbin.
Below are some sample configurations. Note, it is recommended to test on one machine first before deploying the sudoers update to all machines. Note that even different major versions of the same distribution may require different paths.
All examples assume a user account name of cloudamize.
Checking the Paths
You can check the paths for the commands by running which <cmd>. For example, which ss. Upon a permission check failure, the Agentless Data Collector will also print all commands including correct paths to add to sudoers (but does not include specific arguments).
Red Hat 7
No arguments
cloudamize ALL = (root) NOPASSWD: /usr/sbin/dmidecode
cloudamize ALL = (root) NOPASSWD: /usr/bin/cat
cloudamize ALL = (root) NOPASSWD: /usr/readlink
cloudamize ALL = (root) NOPASSWD: /usr/bin/ls
cloudamize ALL = (root) NOPASSWD: /usr/bin/mount -l, /usr/bin/mount --version
cloudamize ALL = (root) NOPASSWD: /usr/sbin/blkid
cloudamize ALL = (root) NOPASSWD: /usr/sbin/dmsetup deps
cloudamize ALL = (root) NOPASSWD: /usr/bin/head
cloudamize ALL = (root) NOPASSWD: /usr/bin/grep
cloudamize ALL = (root) NOPASSWD: /usr/sbin/ss
cloudamize ALL = (root) NOPASSWD: /usr/bin/netstat
cloudamize ALL = (root) NOPASSWD: /usr/sbin/pvs
cloudamize ALL = (root) NOPASSWD: /usr/sbin/lvscloudamize ALL = (root) NOPASSWD: /usr/sbin/dmidecode, /usr/bin/cat, /usr/bin/readlink, /usr/bin/ls, /usr/bin/mount -l, /usr/bin/mount --version, /usr/sbin/blkid, /usr/sbin/dmsetup deps, /usr/bin/head, /usr/bin/grep, /usr/sbin/ss, /usr/bin/netstat, /usr/sbin/pvs, /usr/sbin/lvsSpecific
cloudamize ALL = (root) NOPASSWD: /usr/bin/netstat -V
cloudamize ALL = (root) NOPASSWD: /usr/sbin/ss -V
cloudamize ALL = (root) NOPASSWD: /usr/sbin/dmidecode -V
cloudamize ALL = (root) NOPASSWD: /usr/bin/readlink --version
cloudamize ALL = (root) NOPASSWD: /usr/bin/cat --version
cloudamize ALL = (root) NOPASSWD: /usr/bin/ls --version
cloudamize ALL = (root) NOPASSWD: /usr/bin/mount --version
cloudamize ALL = (root) NOPASSWD: /usr/bin/cat /etc/os-release
cloudamize ALL = (root) NOPASSWD: /usr/bin/cat /proc/*
cloudamize ALL = (root) NOPASSWD: /usr/bin/readlink /proc/*
cloudamize ALL = (root) NOPASSWD: /usr/sbin/dmidecode -t *
cloudamize ALL = (root) NOPASSWD: /usr/bin/ls -lR /dev/
cloudamize ALL = (root) NOPASSWD: /usr/bin/ls -lR /sys/
cloudamize ALL = (root) NOPASSWD: /usr/bin/mount -l
cloudamize ALL = (root) NOPASSWD: /usr/sbin/blkid
cloudamize ALL = (root) NOPASSWD: /usr/sbin/dmsetup deps
cloudamize ALL = (root) NOPASSWD: /usr/bin/grep ExecStart /lib/systemd/system/mssql-server.service
cloudamize ALL = (root) NOPASSWD: /usr/bin/head -n 20 /var/opt/mssql/log/errorlog
cloudamize ALL = (root) NOPASSWD: /usr/bin/grep WorkingDirectory /lib/systemd/system/mssql-server.service
cloudamize ALL = (root) NOPASSWD: /usr/sbin/ss -atnp
cloudamize ALL = (root) NOPASSWD: /usr/sbin/ss -aunp
cloudamize ALL = (root) NOPASSWD: /usr/bin/netstat -atunp
cloudamize ALL = (root) NOPASSWD: /usr/sbin/pvs
cloudamize ALL = (root) NOPASSWD: /usr/sbin/lvsUbuntu 22.04
No arguments
Specific
SLES 12
No arguments
Specific
If you have any questions, please contact the helpdesk via our Helpdesk Portal or by email at helpdesk@cloudamize.com.