Agent Third-Party Deployment: Least Privilege Operation Mode
This topic provides information about how the least privilege operation mode works differently from the default operation mode. For instructions about how to configure the agent installation for either the least privilege operation mode or the default operation mode, see Agent Third-Party Deployment: Configuring the Operation Mode on UNIX.
What happens at installation
When the agent is configured at installation for the least privilege operation mode, the installer makes the following changes:
- A new user and group named flxrasvc are created by the installer. No password is set for the account, which leaves it locked, so it is not possible to log in to the UNIX system with this account. The account name cannot be changed, and no changes should be made to this account, because doing so can break the installed agent.
- On Linux, if the docker group exists, flxrasvc is added to it so that fnms-docker-monitor can collect Docker inventory without root privileges.
- The installer updates ownership of the installation directory so that the binaries can be run as the flxrasvc account.
- The installer updates ownership of the agent data directory so that it is owned by flxrasvc.
- The normal agent daemons (such as the usage agent mgsusageag, the schedule agent ndtask, the Docker monitor fnms-docker-monitor, and the Podman monitor fnms-podman-monitor) are configured to run as flxrasvc.
  Note: Podman is designed to be user-centric, with containers managed on a per-user basis. Each user has their own set of containers, and other users cannot access or manage them. This is unlike Docker, where containers are managed on a per-host basis, allowing any user in the docker group on that host to view and manage the same set of containers. Therefore, the Podman monitor fnms-podman-monitor requires root privileges to collect container and image inventory from all users of Podman on the system. To grant root privileges, update the /etc/sudoers.d/flexera configuration by adding /opt/managesoft/libexec/fnms-podman-monitor to the Cmnd_Alias FLEXERA command alias. For details, see Agent Third-Party Deployment: Sample Sudoers File.
- A new entry is added to /etc/managesoft.ini to indicate that the agent is configured for least privilege operation; this setting is also propagated to the agent's config.ini main settings file.
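To confirm the installer changes listed above on an installed agent, the following shell script is an added example, not part of the Flexera agent or its installer. Over constructed sample data it checks that the flxrasvc shadow entry is locked (and distinguishes a locked account from one with an empty password field, which would allow passwordless login), that flxrasvc is in the docker group, that ndtask and mgsusageag run as flxrasvc, and that the Cmnd_Alias FLEXERA entry in /etc/sudoers.d/flexera includes the Podman monitor path; audit_live runs the same checks against the live system when invoked with the argument live. The agent data directory path (AGENT_DATA_DIR, defaulting to /var/opt/managesoft), the other member of the alias, the NOPASSWD rule line and all sample inputs are assumptions made for the example, not taken from this page.

```shell
#!/bin/sh
# Added example: post-install audit for least privilege mode. Not part of the Flexera agent.
# Pure functions take text so they run offline; audit_live feeds them live system data.
SVC_USER=flxrasvc
PODMAN_MONITOR=/opt/managesoft/libexec/fnms-podman-monitor
# Assumption: the agent data directory path is not stated on this page; override as needed.
AGENT_DATA_DIR=${AGENT_DATA_DIR:-/var/opt/managesoft}

# $1: one /etc/shadow line. A "!" or "*" prefix means no usable password (locked).
# An EMPTY field is NOT locked: it allows login with no password at all.
shadow_entry_is_locked() {
  hash=$(printf '%s' "$1" | cut -d: -f2)
  case "$hash" in
    '!'*|'*'*) return 0 ;;
    *) return 1 ;;
  esac
}

# $1: one /etc/group line, $2: user name. True if the user is in the member list.
group_has_member() {
  members=${1##*:}
  case ",$members," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# $1: output of `ps -eo user=,comm=`, $2: expected user, rest: daemon names.
# Fails if a listed daemon is not running or any instance runs as a different user.
daemons_run_as() {
  ps_text=$1; expected=$2; shift 2
  for d in "$@"; do
    printf '%s\n' "$ps_text" | awk -v d="$d" -v u="$expected" '
      $2 == d { seen = 1; if ($1 != u) bad = 1 }
      END { exit (seen && !bad) ? 0 : 1 }' || return 1
  done
}

# $1: sudoers text. True if a "Cmnd_Alias FLEXERA = ..." entry (backslash
# continuation lines joined) contains the Podman monitor path.
sudoers_allows_podman() {
  printf '%s\n' "$1" | awk -v path="$PODMAN_MONITOR" '
    { line = line $0 }
    /\\$/ { sub(/\\$/, "", line); next }
    {
      if (line ~ /^[[:space:]]*Cmnd_Alias[[:space:]]+FLEXERA[[:space:]]*=/ && index(line, path))
        found = 1
      line = ""
    }
    END { exit found ? 0 : 1 }'
}

dir_owner() { ls -ld "$1" | awk '{ print $3 }'; }

# Constructed samples (not captured from a real host). The Podman monitor is absent
# on purpose: per the page it runs as root through sudo, not as flxrasvc.
SAMPLE_PS_OK='root     init
flxrasvc ndtask
flxrasvc mgsusageag
flxrasvc fnms-docker-monitor
root     sshd'
SAMPLE_PS_BAD='root     init
root     ndtask
flxrasvc mgsusageag'
# Sudoers before/after adding the Podman monitor. The other alias member and the
# NOPASSWD rule line are assumed shapes, not copied from the Flexera sample file.
SUDOERS_BEFORE='Cmnd_Alias FLEXERA = /opt/managesoft/bin/ndtrack
flxrasvc ALL=(root) NOPASSWD: FLEXERA'
SUDOERS_AFTER='Cmnd_Alias FLEXERA = /opt/managesoft/bin/ndtrack, \
    /opt/managesoft/libexec/fnms-podman-monitor
flxrasvc ALL=(root) NOPASSWD: FLEXERA'

audit_live() {
  rc=0
  entry=$(grep "^$SVC_USER:" /etc/shadow 2>/dev/null) || entry=''
  if [ -z "$entry" ]; then
    echo "FAIL: no shadow entry for $SVC_USER (run as root so /etc/shadow is readable)"; rc=1
  elif ! shadow_entry_is_locked "$entry"; then
    echo "FAIL: $SVC_USER has a usable password, or no password at all"; rc=1
  fi
  grp=$(grep '^docker:' /etc/group 2>/dev/null) || grp=''
  if [ -n "$grp" ] && ! group_has_member "$grp" "$SVC_USER"; then
    echo "FAIL: docker group exists but $SVC_USER is not a member"; rc=1
  fi
  [ "$(dir_owner "$AGENT_DATA_DIR")" = "$SVC_USER" ] ||
    { echo "FAIL: $AGENT_DATA_DIR is not owned by $SVC_USER"; rc=1; }
  daemons_run_as "$(ps -eo user=,comm=)" "$SVC_USER" ndtask mgsusageag ||
    { echo "FAIL: ndtask/mgsusageag are not (all) running as $SVC_USER"; rc=1; }
  if [ -r /etc/sudoers.d/flexera ] && ! sudoers_allows_podman "$(cat /etc/sudoers.d/flexera)"; then
    echo "note: $PODMAN_MONITOR is not in Cmnd_Alias FLEXERA (needed only for Podman inventory)"
  fi
  return $rc
}

if [ "${1:-}" = "live" ]; then audit_live; fi
```

Run it as root with the argument live; reading /etc/shadow and /etc/sudoers.d/flexera needs root anyway. The sudoers check only reports a note, because the Podman entry is required only when Podman inventory is wanted.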
The Flexera agent service account
The flxrasvc account is managed by the agent and the agent installer. No modifications should be made to this account.
Uninstalling an agent running in the least privilege operation mode removes the flxrasvc account as well as the entire agent data directory from the UNIX system, because that directory contains file system data owned by this account.
Additional processes launched by inventory collection
The agent uses flxfsscan and flxoracleinv to perform work on behalf of ndtrack, in both the full privilege default operation mode and the least privilege operation mode. It is expected behaviour that these tools are launched several times while ndtrack is running.
How to run agent components directly
Under normal operation, an agent configured for the least privilege operation mode has the schedule agent daemon ndtask and the usage agent daemon mgsusageag running as the flxrasvc account. Any scheduled events, such as policy updates, inventory collection, or uploads, are run by the scheduler under the flxrasvc account.
If you run ndtrack and ndupload outside of the schedule (for example, manually or through cron jobs), make sure to run these components as flxrasvc. Other user accounts on the machine cannot launch any agent binaries, because of the file ownership and permissions set by the installer, and none of them except root can write to the agent data directory.
You can run agent components as flxrasvc through the following methods:
- Specify the user to impersonate with the sudo command:
  sudo -u flxrasvc /opt/managesoft/bin/ndtrack -t machine
- Impersonate flxrasvc through su. Note that su must be run as root, otherwise the command fails because the flxrasvc account is locked:
  su - flxrasvc -c "/opt/managesoft/bin/ndtrack -t machine"
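The following wrapper is an added example (not part of the Flexera agent) of how a cron job or an operator can apply the two methods above without getting them wrong: it only accepts ndtrack and ndupload, runs the binary directly when already flxrasvc, uses su when invoked as root (the only caller for which su can switch to the locked account), and falls back to sudo -u flxrasvc for any other caller, which succeeds only if sudoers grants that caller the right. Arguments are single-quoted before being embedded in the su -c command string so they survive the extra shell parse. The install path is the one shown on this page; the wrapper's own location in the crontab comment (/usr/local/sbin/run-agent-component) is an assumption.

```shell
#!/bin/sh
# Added example: wrapper for running ndtrack/ndupload as flxrasvc from cron or by hand.
# Not part of the Flexera agent; the install path is the one shown on this page.
SVC_USER=flxrasvc
AGENT_BIN=/opt/managesoft/bin

# Single-quote an argument for safe embedding in an su -c command string.
# Arguments made only of "safe" characters are left as-is so the generated
# command stays readable; anything else gets POSIX single-quote escaping.
shell_quote() {
  case "$1" in
    ''|*[!A-Za-z0-9_./:=@%+,-]*)
      printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")" ;;
    *) printf '%s' "$1" ;;
  esac
}

# $1: invoking user, $2: component (ndtrack or ndupload), rest: arguments.
# Prints the command line to run; returns 2 for anything else, so the wrapper
# cannot be turned into a generic "run as flxrasvc" tool.
build_agent_command() {
  caller=$1; comp=$2; shift 2
  case "$comp" in
    ndtrack|ndupload) ;;
    *) echo "refusing to run $comp: only ndtrack and ndupload are supported" >&2; return 2 ;;
  esac
  cmd="$AGENT_BIN/$comp"
  for a in "$@"; do cmd="$cmd $(shell_quote "$a")"; done
  case "$caller" in
    # Already the service account: run the binary directly.
    "$SVC_USER") printf '%s\n' "$cmd" ;;
    # root: su works because root needs no password for the locked account.
    root) printf 'su - %s -c %s\n' "$SVC_USER" "$(shell_quote "$cmd")" ;;
    # Anyone else: su would fail (locked account); sudo needs a sudoers rule.
    *) printf 'sudo -u %s %s\n' "$SVC_USER" "$cmd" ;;
  esac
}

# Build the command for the real invoking user and replace this shell with it.
# Example root crontab line (assumed wrapper path):
#   0 2 * * * /usr/local/sbin/run-agent-component ndtrack -t machine
run_agent_component() {
  line=$(build_agent_command "$(id -un)" "$@") || return $?
  eval "exec $line"
}

if [ $# -gt 0 ]; then run_agent_component "$@"; fi
```

Rejecting every component other than ndtrack and ndupload is deliberate: the wrapper is typically installed with root privileges or a sudoers entry, and an open-ended wrapper would let any caller of it run arbitrary binaries as the service account.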