Skip to main content

Run the agent according to the principle of least privileges

When running Snow Inventory Agent for Linux as a user with limited privileges, the following must be taken into consideration:

  • The user must have read access to the file areas that it scans.

  • Detection of running processes may be limited due to reduced access as defined by the implemented security policies.

File permission requirements

The following permissions are required to run the agent:

  • Read permissions on all contents of the agent folder.

  • Read and execute permissions on the Linux agent.

  • Read and write permissions on the agent's /data folder.

  • The user must have read and write access to the snowagent.log, snowagent.lock, and .hst.lg files.

    As the files are created with every scan, a preceding scan with an elevated user could stop the agent from working.

  • Read and write permissions for the /var/run/SnowSoftware/Inventory/Agent/script-output folder if dynamic inventory is used.

Read and execute permissions are required for the folders that should be scanned, and read permissions on the contained files.

Read and execute permissions are required on /proc, /sys, /etc, /dev, /var, /lib and all of its subfolders, and read permissions on the contained files.

You can control the access rights on a very granular level by using Access Control Lists, for example by using the following command, where snow is replaced with the actual user used for the scan and var is replaced with the actual paths to be included in the scan:

sudo setfacl -Rm u:snow:r-X,d:u:snow:r-X /var

note

Flexera recommends the setup described in File and package scanning.

Sudo requirements

The following commands require sudo privileges for the agent to be able to collect all data:

CommandData lost when not run as sudo or root
dmesgHypervisor detection, specifically XEN
dmidecodeHypervisor detection
Chassis and manufacturer identification, like BIOS serial number
ldconfig -pInformation about shared libraries
note

The Linux agent requires sudo version 1.7.8 or later. If sudo version 1.7.8 or later is not available for the agent, the recommendation is to run as root instead of using an earlier sudo version.

Additional requirements for Oracle scanners

If you are running any of the Oracle scanners with the agent, additional requirements will apply. For more information, see the documentation for each Oracle scanner:

Sudoers configuration

When editing the sudoers file, the following must be taken into consideration:

  • If a command is configured to be run without providing a password, that path will be used before the search path of the agent.

  • If the keyword ALL is used to allow the snow user sudo rights to any command, it must be placed as the last keyword on the line.