Agent Third-Party Deployment: Least Privilege Operation Mode
This topic provides information about how the least privilege operation mode works differently from the default operation mode. For instructions about how to configure the agent installation for either the least privilege operation mode or the default operation mode, see Agent Third-Party Deployment: Configuring the Operation Mode on UNIX.
What happens at installation
When the agent is configured at installation for the least privileged operation mode, the following changes are made by the installer:
- A new user/group named flxrasvc is created by the installer. No password is set for the account, which puts it into a locked state, so it is not possible to log into the UNIX system using this account. This account name cannot be changed, and no changes should be made to this account, as doing so would break the installed agent.
- On Linux, if the Docker group exists, flxrasvc is added to the Docker group to allow fnms-docker-monitor to collect Docker inventory without root privileges.
- The installer updates ownership on the installation directory to allow binaries to be run as the flxrasvc account.
- The installer updates ownership of the agent data directory to be owned by flxrasvc.
- The normal agent daemons (such as the usage agent mgsusageag, the schedule agent ndtask, the Docker monitor fnms-docker-monitor, and the Podman monitor fnms-podman-monitor) are configured to run as flxrasvc.
  Note: Podman is designed to be user-centric, with containers managed on a per-user basis. Each user has their own set of containers, and other users cannot access or manage them. This is unlike Docker, where containers are managed on a per-host basis, allowing any user in the Docker group on that machine or host to view and manage the same set of containers. Therefore, the Podman monitor fnms-podman-monitor requires root privileges to collect container and image inventory from all users using Podman on the system. To grant root privileges, update the /etc/sudoers.d/flexera configuration by adding /opt/managesoft/libexec/fnms-podman-monitor to the Cmnd_Alias FLEXERA command alias. For details, see Agent Third-Party Deployment: Sample Sudoers File.
- A new entry is added to /etc/managesoft.ini to indicate that the agent is configured for least privileged operation; this setting is also propagated to the agent's config.ini main settings file.
The Flexera agent service account
The flxrasvc account is managed by the agent and the agent installer. No
modifications should be made to this account.
Uninstalling an agent running in the least privilege operation mode will remove the
flxrasvc account as well as the entire agent data directory from the UNIX
system, because there is file system data owned by this account.
Additional processes launched by inventory collection
The agent uses flxfsscan and flxoracleinv to perform work
on behalf of ndtrack, in both the full privilege default operation mode and
the least privilege operation mode. It is expected behaviour that these tools are
launched several times while ndtrack is running.
How to run agent components directly
Under normal operation, an agent configured for the least privilege operation mode will
have the schedule agent daemon ndtask and the usage agent daemon
mgsusageag running as the flxrasvc account. Any
scheduled events, such as policy updates, inventory collection, or uploads, will be run by
the scheduler under the flxrasvc account.
When running ndtrack and ndupload outside of the schedule (for example, manually through cron
jobs), make sure to run these components as flxrasvc. Other user accounts
on the machine will not be able to launch any agent binaries due to ownership and file
permissions, and no user will be able to write to the agent data directory except
root.
You can run agent components as flxrasvc through the following methods:
- Specify a user to impersonate with the sudo command:
  sudo -u flxrasvc /opt/managesoft/bin/ndtrack -t machine
- Impersonate flxrasvc through su. Note that su must be run as root, otherwise the command will fail because the flxrasvc account is locked:
  su - flxrasvc -c "/opt/managesoft/bin/ndtrack -t machine"
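As an added example (not Flexera's own code), the following POSIX shell audit checks the state this topic says the installer leaves behind: a locked flxrasvc account, the agent daemons running as flxrasvc, and the Podman monitor listed in the FLEXERA command alias. It assumes the sudoers file is /etc/sudoers.d/flexera as named above; it does not check the agent data directory, whose path this topic does not give.

```shell
#!/bin/sh
# Added audit helpers (not Flexera's own code) for an agent installed in least
# privilege mode; account, daemon and sudoers names are the page's. Each check is
# a function over text, so it runs on sample input; audit_host feeds it live data.
SVC_USER=flxrasvc
# fnms-podman-monitor is left out: the page says it must run as root via sudoers.
SVC_DAEMONS="ndtask mgsusageag fnms-docker-monitor"
PODMAN_MONITOR=/opt/managesoft/libexec/fnms-podman-monitor

# shadow_locked LINE: 0 if the /etc/shadow entry has a locked password field
# ("!" or "*" prefix). An empty field is NOT locked: it permits passwordless
# login, which is not the state the installer leaves the account in.
shadow_locked() {
  case "$(printf '%s\n' "$1" | cut -d: -f2)" in
    '!'*|'*'*) return 0 ;;
    *) return 1 ;;
  esac
}

# daemons_not_as_svc TEXT: TEXT is "user command [args]" lines as printed by
# `ps -eo user,args`. Prints "user:daemon" for each agent daemon running under
# an account other than flxrasvc; prints nothing when all is well.
daemons_not_as_svc() {
  printf '%s\n' "$1" | awk -v svc="$SVC_USER" -v list="$SVC_DAEMONS" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    { m = split($2, p, "/"); name = p[m] }
    (name in want) && $1 != svc { print $1 ":" name }'
}

# sudoers_allows_podman TEXT: 0 if Cmnd_Alias FLEXERA (backslash-continued
# lines joined) lists the Podman monitor, as the page requires on Podman hosts.
sudoers_allows_podman() {
  printf '%s\n' "$1" \
    | awk '/\\$/ { sub(/\\$/, ""); buf = buf $0; next } { print buf $0; buf = "" }' \
    | grep -Eq "^[[:space:]]*Cmnd_Alias[[:space:]]+FLEXERA[[:space:]]*=.*$PODMAN_MONITOR"
}

# audit_host: run the checks on this machine (root is needed to read /etc/shadow).
audit_host() {
  rc=0
  entry=$(grep "^$SVC_USER:" /etc/shadow) || { echo "no shadow entry for $SVC_USER"; rc=1; }
  [ -z "$entry" ] || shadow_locked "$entry" || { echo "$SVC_USER is not locked"; rc=1; }
  bad=$(daemons_not_as_svc "$(ps -eo user,args)")
  [ -z "$bad" ] || { echo "daemons not running as $SVC_USER: $bad"; rc=1; }
  if command -v podman >/dev/null 2>&1; then
    sudoers_allows_podman "$(cat /etc/sudoers.d/flexera 2>/dev/null)" \
      || { echo "Podman present but $PODMAN_MONITOR is not in Cmnd_Alias FLEXERA"; rc=1; }
  fi
  return $rc
}
if [ "${1:-}" = "audit" ]; then audit_host; fi
```

Run it as root with the argument audit; a non-zero exit code means at least one of the expected least privilege settings has drifted.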
FlexNet Manager Suite (On-Premises)
2024 R2