Agent Third-Party Deployment: Least Privilege Operation Mode

IT Asset Management (Cloud)

This topic provides information about how the least privilege operation mode works differently from the default operation mode. For instructions about how to configure the agent installation for either the least privilege operation mode or the default operation mode, see Agent Third-Party Deployment: Configuring the Operation Mode on UNIX.

What happens at installation

When the agent is configured at installation for the least privileged operation mode, the following changes are made by the installer:

  • A new user/group named flxrasvc is created by the installer. No password is set for the account, which places it in a locked state, so it is not possible to log in to the UNIX system with this account. The account name cannot be changed, and no changes should be made to the account, because doing so may break the installed agent.
  • On Linux, if the Docker group exists, flxrasvc is added to the Docker group to allow fnms-docker-monitor to collect Docker inventory without root privileges.
  • The installer updates ownership on the installation directory to allow binaries to be run as the flxrasvc account.
  • The installer updates ownership of the agent data directory to be owned by flxrasvc.
  • The normal agent daemons (such as the usage agent mgsusageag, the schedule agent ndtask, the Docker monitor fnms-docker-monitor, and the Podman monitor fnms-podman-monitor) are configured to run as flxrasvc.
    Note: Podman is designed to be user-centric, with containers managed on a per-user basis. Each user has their own set of containers, and other users cannot access or manage them. This is unlike Docker, where containers are managed on a per-host basis, allowing any user in the Docker group on that machine or host to view and manage the same set of containers. Therefore, the Podman monitor fnms-podman-monitor requires root privileges to collect container and image inventory from all users of Podman on the system. To grant root privileges, update the /etc/sudoers.d/flexera configuration by adding /opt/managesoft/libexec/fnms-podman-monitor to the Cmnd_Alias FLEXERA command alias. For details, see Agent Third-Party Deployment: Sample Sudoers File.
  • A new entry to /etc/managesoft.ini is added to indicate that the agent is configured for least privileged operation; this setting is also propagated to the agent’s config.ini main settings file.

The Flexera agent service account

The flxrasvc account is managed by the agent and the agent installer. No modifications should be made to this account.

Uninstalling an agent running in the least privilege operation mode removes the flxrasvc account as well as the entire agent data directory from the UNIX system, because the data directory contains file system data owned by this account.

Additional processes launched by inventory collection

The agent uses flxfsscan and flxoracleinv to perform work on behalf of ndtrack, in both the full privilege default operation mode and the least privilege operation mode. It is expected behaviour for these tools to be launched several times while ndtrack is running.

Tip: When you use trace to troubleshoot agent issues, it is recommended that the trace file name include %p to trace per-agent processes or %n to trace per-agent process names. This will help to separate different component tracing into logically separate trace files.

How to run agent components directly

Under normal operation, an agent configured for the least privilege operation mode will have the schedule agent daemon ndtask and the usage agent daemon mgsusageag running as the flxrasvc account. Any scheduled events, such as policy updates, inventory collection, or uploads, will be run by the scheduler under the flxrasvc account.

Important: When running the agent components ndtrack and ndupload outside of the schedule (for example, manually through cron jobs), make sure to run these components as flxrasvc. Other user accounts on the machine will not be able to launch any agent binaries due to ownership and file permissions, and no user will be able to write to the agent data directory except root.

Agent components can be run as flxrasvc through the following methods:
  • Specify a user to impersonate with the sudo command.
    sudo -u flxrasvc /opt/managesoft/bin/ndtrack -t machine
  • Impersonate flxrasvc through su. Note that su must be run as root, otherwise the command will fail because the flxrasvc account is locked.
    su - flxrasvc -c "/opt/managesoft/bin/ndtrack -t machine"
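The following script is an added example, not part of Flexera's documentation or the agent package. It ties together the post-install state described under "What happens at installation" (a locked flxrasvc account, the Cmnd_Alias FLEXERA grant for fnms-podman-monitor, daemons owned by flxrasvc) with the manual invocation shown above: it verifies those conditions before running ndtrack as the service account. The agent data directory path is a placeholder, the sudoers layout follows the Cmnd_Alias FLEXERA convention named in the text, and the runtime checks assume a Linux host with getent, procps ps and visudo.

```shell
#!/bin/sh
# Added example (not Flexera's code): pre-flight checks for least privilege
# mode, then a machine inventory run as the flxrasvc service account.

SVC_USER="flxrasvc"
NDTRACK="/opt/managesoft/bin/ndtrack"                       # from the documentation
PODMAN_MONITOR="/opt/managesoft/libexec/fnms-podman-monitor"  # from the documentation
SUDOERS_FILE="/etc/sudoers.d/flexera"                         # from the documentation
DATA_DIR="${AGENT_DATA_DIR:-/path/to/agent-data-dir}"          # placeholder: set to your install

# Given one /etc/shadow line, return 0 when the account is locked, i.e. the
# password field starts with "!" or "*". An EMPTY field would mean no password
# is required at all, which is the opposite of locked, so that returns 1.
shadow_entry_locked() {
  pw=$(printf '%s\n' "$1" | cut -d: -f2)
  case "$pw" in
    '!'*|'*'*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Read a sudoers file on stdin and return 0 when the Cmnd_Alias FLEXERA
# definition (including backslash-continued lines) names the given command.
# A path listed under some other alias does not count.
sudoers_alias_grants() {
  awk -v path="$1" '
    /^[[:space:]]*Cmnd_Alias[[:space:]]+FLEXERA[[:space:]]*=/ { inalias = 1 }
    inalias && index($0, path)                              { found = 1 }
    inalias && !/\\[[:space:]]*$/                           { inalias = 0 }
    END { exit found ? 0 : 1 }'
}

# Return 0 when every running daemon named in "$@" is owned by the service
# user (ps -C is procps syntax; this check is not exercised offline).
daemons_run_as_service() {
  for name in "$@"; do
    owner=$(ps -o user= -C "$name" 2>/dev/null | awk '{print $1}' | sort -u)
    if [ "$owner" != "$SVC_USER" ]; then
      echo "$name runs as '${owner:-<not running>}', expected $SVC_USER" >&2
      return 1
    fi
  done
}

# Run a machine inventory as flxrasvc. Must be invoked as root: the account is
# locked, so su/sudo into it only works from root (or an explicit sudoers grant).
collect_inventory() {
  if [ "$(id -u)" -ne 0 ]; then echo "run as root" >&2; return 1; fi
  getent passwd "$SVC_USER" >/dev/null || { echo "$SVC_USER missing" >&2; return 1; }
  shadow_entry_locked "$(getent shadow "$SVC_USER")" \
    || { echo "$SVC_USER is not locked; investigate before continuing" >&2; return 1; }
  [ "$(stat -c '%U' "$DATA_DIR")" = "$SVC_USER" ] \
    || { echo "$DATA_DIR is not owned by $SVC_USER" >&2; return 1; }
  daemons_run_as_service ndtask mgsusageag || return 1
  if [ -f "$SUDOERS_FILE" ]; then
    visudo -cf "$SUDOERS_FILE" >/dev/null || return 1    # syntax check only
    sudoers_alias_grants "$PODMAN_MONITOR" < "$SUDOERS_FILE" \
      || echo "warning: $PODMAN_MONITOR not in Cmnd_Alias FLEXERA (needed for Podman hosts)" >&2
  fi
  sudo -u "$SVC_USER" "$NDTRACK" -t machine
}

# Only act when explicitly asked, so the file can also be sourced for its checks.
if [ "${1:-}" = "--run" ]; then
  collect_inventory
fi
```

The Podman alias check is a warning rather than a failure because hosts without Podman do not need the grant; the ownership, lock-state and daemon-owner checks are hard failures because the inventory run is not trustworthy if the least privilege layout has drifted.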
