Re: [FlexNet Manager Suite] Sudo rm required with NOPASSWD but not available at customer site

marcog · ‎Mar 04, 2020

Hi,

I'm approaching FNMS for a zero-footprint inventory at customer site.

Customer provided all sudo privileges for the flexera user as documented for 2019R2 version. But when I run the inventory I got the following error about "rm" and "date". I'm attaching Solaris screenshot but this happens also on RHEL and AIX.

I've been able to receive date privileges (but why is needed to be run with sudo), but customer doesn't want to provide rm in sudo for flexera user because of security rules, and this also is not documented in flexera.

So I was wondering, how can I solve this error without sudo privileges?

Is there a way I can customize that command to run it without sudo? (all files listed are owned by flexera user so there is no need of elevation to sudo)

Thanks for your answers!

MG

mag00_75 · ‎Mar 04, 2020

Hi

Not the answer to your question but another way to approach the Nix-team.
We had several internal discussions with our team in ways to solve the inventory, it ended up in having a local cron job that runs the ndtrack.sh
In that way they had 100% control themself , one disadvantage is however you need to have mechanism in place to rollout updates and especially inventorysettings.xml

ChrisG · ‎Mar 10, 2020

The "sudo date" command is executed in order to test whether the account used for remote execution is able to successfully elevate privileges on the target device.

I can't think of any way to get the system to run the "rm" command to clean up files used during the inventory gathering process without sudo (or priv or another similar tool). However if you are OK for the ndtrack.sh, ndtrack.ini and InventorySettings.xml files to be left on computers after the process has terminated, you could try configuring the following registry entry on your beacon server(s):

HKLM\SOFTWARE\WOW6432Node\ManageSoft Corp\ManageSoft\RemoteExecution\CurrentVersion\UnixAgentRemoveCommand = echo

I haven't tested this, but I am thinking that this will change the behavior so that instead of executing "sudo rm -f ./ndtrack.sh ..." it will execute a more innocuous "sudo echo ./ndtrack.sh ...".

I recommend considering an approach along the lines of what @mag00_75 has suggested: you may find it is more effective for production use to find another way to execute the ndtrack.sh process than using the zero-touch inventory gathering approach that is built in to FlexNet Manager Suite.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

marcog · ‎Mar 11, 2020

Thanks, I will try it.

marcog · ‎Mar 15, 2020

Unfortunately this did not work and the error remains the same.

ChrisG · ‎Mar 15, 2020

Ahh, I made a typo in the name of the registry entry sorry. It should be UnixAgentRemoveCommand rather than UnitAgentRemoveCommand. I'll correct the original post.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

marcog · ‎Mar 31, 2020

Aren't any other solution we can apply?