Run the agent according to the principle of least privilege
When running Snow Inventory Agent for Linux as a user with limited privileges, the following must be taken into consideration:
- The user must have read access to the file areas that it scans.
- Detection of running processes may be limited, because the security policies in place restrict what a less privileged user can see.
File permission requirements
The following permissions are required to run the agent:
- Read permissions on all contents of the agent folder.
- Read and execute permissions on the Linux agent binary.
- Read and write permissions on the agent's /data folder.
- Read and write access to the snowagent.log, snowagent.lock, and .hst.lg files. These files are created or rewritten on every scan, so a preceding scan run as an elevated user (for example root) typically leaves them owned by that user and not writable by the less privileged user, which stops the agent from working.
- Read and write permissions for the /var/run/SnowSoftware/Inventory/Agent/script-output folder if dynamic inventory is used.
Read and execute permissions are required for the folders that are to be scanned, and read permissions on the files they contain.
Read and execute permissions are required on /proc, /sys, /etc, /dev, /var, /lib and all of their subfolders, and read permissions on the files they contain.
You can control access rights at a very granular level with Access Control Lists, for example with the following command, where snow is replaced with the user that runs the scan and /var with each path to be included in the scan:
sudo setfacl -Rm u:snow:r-X,d:u:snow:r-X /var
The capital X grants execute (search) permission only on directories and on files that already carry an execute bit, so the user gets read and execute on the folders and read on their files, which is exactly what the agent needs. The d: entry sets a matching default ACL, so files and folders created later under the path inherit the same access. Check the result with getfacl on a folder and on a file inside the path.
Flexera recommends the setup described in File and package scanning.
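To verify these requirements as the scan user before the first scan, here is a preflight script added as an example; it is not Flexera's code and not part of the agent. The install folder, data folder, state file locations and the user name snow are assumptions; the system folders and the minimum sudo version are taken from this page.

```shell
#!/bin/sh
# preflight.sh: check the least-privilege requirements listed above before the
# first scan. Added example, not Flexera's code or part of the Snow agent.
# Run as the scan user, e.g.:  sudo -u snow sh preflight.sh --check
# AGENT_DIR, DATA_DIR and STATE_FILES are assumptions; adjust to your installation.

AGENT_DIR="${AGENT_DIR:-/opt/snow}"          # assumed install folder
DATA_DIR="${DATA_DIR:-$AGENT_DIR/data}"      # assumed location of the agent's data folder
SCRIPT_OUT=/var/run/SnowSoftware/Inventory/Agent/script-output
SYSTEM_DIRS="/proc /sys /etc /dev /var /lib"
STATE_FILES="$DATA_DIR/snowagent.log $DATA_DIR/snowagent.lock $DATA_DIR/.hst.lg"  # assumed paths

# check_rx DIR...: every directory must be readable and searchable (r-x) by the
# current user. Prints each failure; returns 1 if any check failed.
check_rx() {
    rc=0
    for d in "$@"; do
        if [ ! -d "$d" ] || [ ! -r "$d" ] || [ ! -x "$d" ]; then
            echo "missing r-x on directory: $d"
            rc=1
        fi
    done
    return $rc
}

# check_rw FILE...: files that already exist must be readable and writable. A file
# left behind by a scan run as root is the usual cause of failure here; files that
# do not exist yet are skipped because the agent creates them on the first scan.
check_rw() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        if [ ! -r "$f" ] || [ ! -w "$f" ]; then
            echo "not writable: $f (owner $(ls -ld "$f" | awk '{print $3}'))"
            rc=1
        fi
    done
    return $rc
}

# sudo_version_ok VERSION: returns 0 if VERSION is 1.7.8 or later. Accepts the
# forms sudo prints, e.g. "1.7.8", "1.8.31p1", "1.9.13p3".
sudo_version_ok() {
    set -- $(printf '%s' "$1" | tr '.p' '  ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 7 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 7 ] && [ "$patch" -ge 8 ] && return 0
    return 1
}

# installed_sudo_version: version field of the first line printed by "sudo -V"
# ("Sudo version 1.9.13p3"); fails if sudo is not installed.
installed_sudo_version() {
    command -v sudo >/dev/null 2>&1 || return 1
    sudo -V 2>/dev/null | awk 'NR == 1 { print $3 }'
}

run_all() {
    failed=0
    check_rx "$AGENT_DIR" "$DATA_DIR" $SYSTEM_DIRS || failed=1
    [ -w "$DATA_DIR" ] || { echo "data folder not writable: $DATA_DIR"; failed=1; }
    check_rw $STATE_FILES || failed=1
    # script-output is only needed for dynamic inventory, so report but do not fail
    [ -d "$SCRIPT_OUT" ] && { [ -w "$SCRIPT_OUT" ] || echo "note: $SCRIPT_OUT not writable (needed for dynamic inventory)"; }
    v=$(installed_sudo_version) || v=
    if [ -z "$v" ]; then
        echo "sudo not found: dmesg, dmidecode and ldconfig -p data will be missing"
    elif ! sudo_version_ok "$v"; then
        echo "sudo $v is older than 1.7.8: run the agent as root instead"; failed=1
    fi
    [ $failed -eq 0 ] && echo "all checks passed"
    return $failed
}

if [ "${1:-}" = "--check" ]; then
    run_all
    exit $?
fi
```

Run it as the scan user, not as root: root passes every file test regardless of mode bits, so the result would say nothing about the less privileged account. A non-zero exit means at least one requirement above is not met.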
Sudo requirements
The following commands require sudo privileges for the agent to be able to collect all data:
Command | Data lost when not run with sudo or as root
---|---
dmesg | Hypervisor detection, specifically Xen
dmidecode | Hypervisor detection; chassis and manufacturer identification, such as the BIOS serial number
ldconfig -p | Information about shared libraries
The Linux agent requires sudo version 1.7.8 or later. If sudo 1.7.8 or later is not available on the host, run the agent as root rather than with an earlier sudo version.
Additional requirements for Oracle scanners
If you are running any of the Oracle scanners with the agent, additional requirements will apply. For more information, see the documentation for each Oracle scanner:
Sudoers configuration
When editing the sudoers file, the following must be taken into consideration:
- If a command is configured to run without providing a password, the path given for it in sudoers is used in preference to the agent's own search path, so it must be the absolute path of the binary on that host.
- If the keyword ALL is used to give the snow user sudo rights to any command, it must be the last keyword on the line.
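Here is, as an added example that is not Flexera's code, a script that generates and installs such a sudoers fragment for the three commands listed under Sudo requirements. It resolves each command to an absolute path on the target host, because sudoers requires absolute paths and, as noted above, the agent runs the command from the path given in sudoers, and it syntax-checks the fragment with visudo before installing it. The user name snow and the fragment path /etc/sudoers.d/snowagent are assumptions.

```shell
#!/bin/sh
# snow-sudoers.sh: build and install a sudoers fragment that lets the scan user run
# only dmesg, dmidecode and "ldconfig -p" without a password. Added example, not
# Flexera's code. The user name and fragment path are assumptions.
#
# Usage (as root):  sh snow-sudoers.sh snow /etc/sudoers.d/snowagent

# resolve_cmd NAME: print the absolute path of NAME. Looks in PATH first, then in
# the sbin/bin folders that an unprivileged PATH often omits (ldconfig lives in /sbin).
resolve_cmd() {
    p=$(command -v "$1" 2>/dev/null) || p=
    case "$p" in /*) printf '%s\n' "$p"; return 0 ;; esac
    for d in /usr/sbin /sbin /usr/bin /bin; do
        [ -x "$d/$1" ] && { printf '%s\n' "$d/$1"; return 0; }
    done
    return 1
}

# sudoers_fragment USER DMESG DMIDECODE LDCONFIG: print the fragment. Each command
# is listed with the exact argument list the agent needs (ldconfig only needs -p),
# so the user cannot run them with other arguments. If you ever add ALL to this
# line, the rule above requires it to be the last keyword.
sudoers_fragment() {
    user=$1; dmesg_p=$2; dmidecode_p=$3; ldconfig_p=$4
    cat <<EOF
# Snow Inventory Agent: least-privilege sudo rights for $user (generated)
$user ALL=(root) NOPASSWD: $dmesg_p, $dmidecode_p, $ldconfig_p -p
EOF
}

# install_fragment USER DEST: resolve the commands, write the fragment with the
# 0440 mode sudo expects, and refuse to install it if visudo rejects the syntax.
install_fragment() {
    user=$1; dest=$2
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    dmesg_p=$(resolve_cmd dmesg) || { echo "dmesg not found" >&2; return 1; }
    dmidecode_p=$(resolve_cmd dmidecode) || { echo "dmidecode not found" >&2; return 1; }
    ldconfig_p=$(resolve_cmd ldconfig) || { echo "ldconfig not found" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sudoers_fragment "$user" "$dmesg_p" "$dmidecode_p" "$ldconfig_p" > "$tmp"
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null; then
        echo "sudoers syntax error, not installing" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0440 -o root -g root "$tmp" "$dest" && rm -f "$tmp"
}

if [ $# -eq 2 ]; then
    install_fragment "$1" "$2"
    exit $?
fi
```

After installing, confirm from the scan user's side with sudo -l -U snow (as root) that exactly these three entries are listed, and nothing broader.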