Frequently Asked Questions about Flexera Agent requirements for Root Access


Question: What are root access privileges?

Answer: The term ‘root access privileges’ typically refers to the permissions given to a username or account that has access to all commands and files on a Linux or other Unix-like operating system. This account is also referred to as the root account, root user or superuser.

In a Windows environment, an administrator account holds similar superuser privileges.

Question: Are there any risks associated with root access privileges?

Answer: Yes, there are risks associated with human users being given root access privileges. They may make mistakes (mistype a powerful command or delete important files) or perform actions with malicious intent.

When programs are given root privileges in an enterprise environment, organizations usually have an IT security approval process that allows a program to have root privileges if it has been certified and needs the privileges to perform its intended functions.

Question: Does Flexera’s inventory solution require root access privileges?

Answer: The inventory components of the FlexNet Manager Suite (FNMS) can be implemented in a variety of ways depending on the license compliance and optimization use cases an organization wishes to fulfil and the inventory tools they would like to use to cover those use cases.

For basic inventory, the FlexNet Beacon can connect to numerous third-party inventory solutions (like Microsoft SCCM, HP Universal Discovery, etc.) to gather hardware and software inventory required for compliance and optimization. It is also possible to build custom adapters to import data from other third-party tools.

For certain specific use cases, where these third-party inventory sources do not provide enough licensing information, the FlexNet Inventory Agent is recommended. The Flexera Inventory Agent is capable of gathering specific inventory details around hardware (like BIOS, UUID details on Linux, MAC address in Solaris, etc.) and software usage tracking for IBM Peak Value Utilization (PVU) and Oracle License Management Services (LMS).

The FlexNet Inventory Agent comprises inventory and usage tracking services that require root access privileges to perform deeper inventory for the above-mentioned specific use cases. These privileges are restricted only to the system(s) with the deployed agent(s) or system(s) adopted for zero-footprint agent installation.

The FlexNet Beacon and Agent are certified by Veracode (SOC 2 Type II) and the server-side components of the FNMS solution have been certified by WhiteHat.

Question: Can the Flexera Inventory Agent be used without direct root access privileges?

Answer: The Flexera Inventory Agent can be run as a non-root account, but it limits the effectiveness of the inventory gathering. For example, running the Agent as a non-root user returns inventory data only for that user’s context based on the permissions that that user has.

That said, the Flexera Inventory Agent can also be used in an indirect mode, which means that there is an additional level of control that the customer can exercise over the running of the agent program with root access privileges.

  • You can designate a proxy system/user account (with a setuid operation for xnix) for the Flexera Inventory Agent with the permissions that the customer can provide or revoke as needed
  • You can use a command line interface or scheduler (e.g. cron, etc.) to invoke the Inventory Scanner component (with elevated privileges) as needed

You can also use the Flexera Beacon with our ‘Zero Touch’ Agent option along with a High Privilege Access (HPA) management tool like CyberArk which lets you configure access for ‘root’ accounts with access logging. The Flexera Beacon has a built-in integration with CyberArk which allows its password store to provide safe access to remotely install the ‘Zero Touch’ agent to perform inventory.
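To gauge how much file evidence a non-root scan account would miss before choosing between the modes above, the following added example (not Flexera code) walks an evidence directory and lists the paths a given account could not read. The function names are hypothetical, and the check uses classic owner/group/other mode bits only; ACLs, SELinux policy and the permissions of directories above the chosen root are not considered.

```python
import os
import pwd
import stat
import sys


def can_access(st, uid, gids, is_dir):
    """Mode-bit check only: read for files, read+search for directories."""
    if uid == 0:
        return True  # root bypasses discretionary permission checks
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7   # owner class
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7   # group class
    else:
        bits = st.st_mode & 7          # other class
    need = 5 if is_dir else 4
    return (bits & need) == need


def coverage_gap(root, uid, gids):
    """Return paths under root that the account (uid, gids) could not inventory."""
    blocked = []

    def walk(path):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            return  # do not follow symlinks out of the tree
        is_dir = stat.S_ISDIR(st.st_mode)
        if not can_access(st, uid, gids, is_dir):
            blocked.append(path)  # everything below a blocked directory is hidden too
            return
        if is_dir:
            for name in sorted(os.listdir(path)):
                walk(os.path.join(path, name))

    walk(root)
    return blocked


if __name__ == "__main__":
    # Run as root so the walk itself can see every entry under the evidence root.
    if len(sys.argv) != 3:
        sys.exit("usage: coverage_gap.py <evidence-root> <scan-account>")
    root, account = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(account)
    gids = set(os.getgrouplist(account, pw.pw_gid))
    for path in coverage_gap(root, pw.pw_uid, gids):
        print("not visible to", account + ":", path)
```

A blocked directory is reported once; the files beneath it are part of the gap even though they are not listed individually.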

Question: What are some best practices around allowing root access privileges?

Answer: When it comes to xnix platforms, we recommend using SELinux or similar technologies which have better controls and constraints placed on user permissions.

Question: What are the inventory details that cannot be collected if the Flexera Inventory Agent does not have root access privileges?

Answer: Without proper root access privileges, the following inventory details cannot be collected:

All platforms

UNIX-like systems

·   InstallAnywhere, InstallShield Multiplatform, or Oracle Universal Installer evidence under paths not accessible by the executing user

·   Oracle Database service discovery via the local listener using lsnrctl

·   Oracle Database inventory which may use impersonation of an Oracle Database administration user when running the sqlplus command

·   BIOS serial number; its absence makes computer management quite difficult and usually results in duplicates as machines are replaced, migrated, etc.

·   File evidence from any file system path not accessible by the executing user


Mac OS X systems

·   Mac OS X package bundle paths under /Applications or /System/Library not accessible by the executing user

Solaris systems

·   MAC addresses of network adapters

·   SPARC model using OpenPROM interface

HP-UX systems

·   SD-UX installation evidence from swlist if access has been locked down with swreg or swacl

·   vPar evidence including VMType, VMName, and vPar capacity (vparstatus requires root)

·   Hard disk drive properties including capacity