Skip to main content

Run the agent according to the principle of least privileges

When running the Linux agent as a user with limited privileges, the following must be taken into consideration:

  • The user must have read access to the file areas that it scans.

  • Detection of running processes may be limited due to reduced access as defined by the implemented security policies.

File permission requirements

The following permissions are required to run the agent:

  • Read permissions on all contents of the agent folder.

  • Read and execute permissions on the Linux agent.

  • Read and write permissions on the agent's /data folder.

  • The user must have read and write access to the snowagent.log, snowagent.lock, and .hst.lg files.

    As the files are created with every scan, a preceding scan with an elevated user could stop the agent from working.

  • Read and write permissions for the /var/run/SnowSoftware/Inventory/Agent/script-output folder if dynamic inventory is used.

Read and execute permissions are required for the folders that should be scanned, and read permissions on the contained files.

Read and execute permissions are required on /proc, /sys, /etc, /dev, /var, /lib and all of its subfolders, and read permissions on the contained files.

You can control the access rights on a very granular level by using Access Control Lists, for example by using the following command, where "snow" is replaced with the actual user used for the scan and "var" is replaced with the actual paths to be included in the scan:

sudo setfacl -Rm u:snow:r-X,d:u:snow:r-X /var

Note

Snow recommends the setup described in Scanning the file systems.

Sudo requirements

The following commands require sudo privileges for the agent to be able to collect all data:

Command

Data lost when not run as sudo or root

dmesg

Hypervisor detection, specifically XEN

dmidecode

Hypervisor detection

Chassis and manufacturer identification, like BIOS serial number

ldconfig -p

Information about shared libraries

Note

The Linux agent requires sudo version 1.7.8 or later. If sudo version 1.7.8 or later is not available for the agent, the recommendation is to run as root instead of using an earlier sudo version.

Additional requirements for Oracle scanners

If you are running any of the Oracle scanners with the agent, additional requirements will apply, see the documentation for each Oracle scanner:

Sudoers configuration

When editing the sudoers file, the following must be taken into consideration:

  • If a command is configured to be run without providing a password, that path will be used before the search path of the agent.

  • If the keyword ALL is used to allow the snow user sudo rights to any command, it must be placed as the last keyword on the line.