Privilege Elevation

Some commands utilized during the collection processes require elevated privilege on the target system. This corresponds to elevation to the root account. The specific commands requiring elevated privilege are provided in SSH Collection Module Command Reference.

If the username associated with the credential entry is exactly root, then no additional privilege elevation will be attempted when issuing commands. Any other username involves the use of the sudo utility to perform the elevation. The sudo utility is ubiquitous in the Linux and UNIX-class system space, and will be provided by the operating system for many systems and/or distributions.

The use of sudo introduces several requirements for configuration, and is typically the most involved portion of configuring the environment for participation in the SSH Collection Module.

sudo is typically password-based, and was designed for interactive use. Particularly, an interactive session on a system will involve a terminal device, or TTY, that is associated with the sign in shell of the session. When using the SSH protocol as a communication transport in a non-interactive manner, a TTY device on the target system is not allocated. Due to the automated nature of the SSH Collection Module, this means that the SSH Collection Module will not allocate a TTY.

In order to provide sudo with a password, the utility typically requires a TTY device to present a password entry prompt. As the SSH Collection Module does not allocate a TTY, this facility is not currently supported. In order to configure sudo to participate in the SSH Collection Module, the requirement of an associated TTY device must be disabled, and sudo must be configured to not prompt for a password. Both of these configuration items can be set on a per-user basis, either on the existing user account associated with the credential entry, or as a component of a specific account created for the purposes of utilizing the SSH Collection Module as part of the RISC Networks engagement process. Details on how to configure sudo for these requirements are provided in Entering Credentials.