Privileged Execution
Comprehensive guide to configuring and managing privileged script execution with SysManage agents, including security considerations and best practices.
Overview
⚠️ Security Warning: Privileged execution allows remote scripts to run with elevated permissions on your systems. This is a powerful feature that requires careful configuration and understanding of security implications. Only enable this feature if you trust the server administrators and have proper security controls in place.
Privileged execution in SysManage allows agents to run scripts and commands with elevated permissions, enabling system administration tasks like package installation, service management, and system configuration changes. This feature is disabled by default and requires explicit configuration.
Execution Modes
Standard User Mode
The agent runs as a standard user account with limited privileges.
Advantages
- Enhanced security - limited system access
- Reduced risk of system damage
- Follows principle of least privilege
- Suitable for monitoring and data collection
Limitations
- Cannot install packages
- Cannot modify system configuration
- Cannot manage system services
- Limited file system access
Privileged Mode (Root/Administrator)
The agent runs with root privileges (Linux/Unix) or as Administrator (Windows).
Capabilities
- Full system administration capabilities
- Package installation and management
- System service control
- System configuration changes
- User account management
- Network configuration
Security Risks
- Complete system access
- Potential for system damage
- Increased attack surface
- Requires strict access controls
Sudo Mode (Recommended)
The agent runs as a standard user but can execute specific commands with sudo privileges.
Advantages
- Granular privilege control
- Audit trail through sudo logging
- Limited scope of privileged operations
- Follows security best practices
Requirements
- Proper sudoers configuration
- NOPASSWD configuration for automated execution
- Specific command restrictions
Sudo Configuration
For secure privileged execution, configure sudo to allow the agent user to execute specific commands without a password prompt.
Basic Sudoers Configuration
Create a sudoers file for the SysManage agent:
# Create sudoers file for sysmanage-agent
sudo visudo -f /etc/sudoers.d/sysmanage-agentExample Sudoers Configuration
# SysManage Agent Sudoers Configuration
# Allow sysmanage user to execute specific administrative commands
# Package management
sysmanage ALL=(root) NOPASSWD: /usr/bin/apt, /usr/bin/apt-get, /usr/bin/aptitude
sysmanage ALL=(root) NOPASSWD: /usr/bin/yum, /usr/bin/dnf
sysmanage ALL=(root) NOPASSWD: /usr/sbin/pkg, /usr/sbin/pkg_add
sysmanage ALL=(root) NOPASSWD: /opt/homebrew/bin/brew, /usr/local/bin/brew
# Service management
sysmanage ALL=(root) NOPASSWD: /bin/systemctl, /sbin/service
sysmanage ALL=(root) NOPASSWD: /sbin/rc-service, /usr/sbin/svcadm
# System updates
sysmanage ALL=(root) NOPASSWD: /usr/bin/unattended-upgrade
sysmanage ALL=(root) NOPASSWD: /usr/bin/do-release-upgrade
# File operations (specific paths only)
sysmanage ALL=(root) NOPASSWD: /bin/mkdir /var/log/sysmanage/*
sysmanage ALL=(root) NOPASSWD: /bin/chown sysmanage /var/log/sysmanage/*
# Network configuration (if needed)
sysmanage ALL=(root) NOPASSWD: /sbin/ifconfig, /bin/ip
# Hardware information
sysmanage ALL=(root) NOPASSWD: /usr/bin/dmidecode, /usr/sbin/smartctlSecurity Considerations for Sudo
- Use specific command paths: Always specify full paths to executables
- Avoid wildcards: Don't use
ALLor wildcards in command specifications - Regular reviews: Periodically review and update sudo permissions
- Logging: Ensure sudo logging is enabled for audit trails
- Testing: Test sudo configuration in a safe environment first
Script Execution Configuration
Configure the agent's script execution capabilities through the configuration file.
Secure Configuration Example
script_execution:
# Enable script execution
enabled: true
# Maximum script execution timeout (5 minutes)
timeout: 300
# Limit concurrent executions
max_concurrent: 2
# Restrict allowed shells
allowed_shells:
- "bash"
- "sh"
# User execution restrictions
user_restrictions:
# Disable user switching for security
allow_user_switching: false
allowed_users: []
# Security restrictions
security:
# Prevent access to sensitive files
restricted_paths:
- "/etc/passwd"
- "/etc/shadow"
- "/etc/ssh/"
- "/home/*/.ssh/"
- "/root/.ssh/"
- "*.key"
- "*.pem"
- "/etc/sudoers*"
# Enable comprehensive audit logging
audit_logging: true
# Require approval for all script executions
require_approval: true
# Additional security measures
environment_isolation: true
resource_limits:
max_memory_mb: 256
max_cpu_percent: 50Script Approval Workflow
When require_approval is enabled, scripts go through an approval process:
- Script execution request is received
- Script is queued for approval
- Administrator reviews script content and context
- Administrator approves or rejects the script
- Approved scripts are executed
- Results are logged and reported
Execution Examples
Package Installation
# Install a package using sudo
#!/bin/bash
sudo apt update
sudo apt install -y nginx
# Check installation
systemctl status nginxService Management
# Restart a service
#!/bin/bash
sudo systemctl restart apache2
sudo systemctl enable apache2
# Verify service status
systemctl is-active apache2System Updates
# Update system packages
#!/bin/bash
sudo apt update
sudo apt upgrade -y
# Clean up package cache
sudo apt autoremove -y
sudo apt autocleanConfiguration Management
# Update configuration file
#!/bin/bash
# Backup original configuration
sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup
# Update configuration
sudo tee /etc/nginx/sites-available/mysite << 'EOF'
server {
listen 80;
server_name example.com;
root /var/www/html;
index index.html;
}
EOF
# Enable site and reload nginx
sudo ln -sf /etc/nginx/sites-available/mysite /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginxMonitoring and Logging
Audit Logging
Enable comprehensive logging for all privileged operations:
# Example audit log entry
2024-01-01 12:00:00 [AUDIT] User: admin
2024-01-01 12:00:00 [AUDIT] Host: web-server-01
2024-01-01 12:00:00 [AUDIT] Script: install_nginx.sh
2024-01-01 12:00:00 [AUDIT] Command: sudo apt install -y nginx
2024-01-01 12:00:00 [AUDIT] Exit Code: 0
2024-01-01 12:00:00 [AUDIT] Duration: 15.3s
2024-01-01 12:00:00 [AUDIT] Changes: Package nginx installedSudo Logging Configuration
Configure detailed sudo logging:
# Add to /etc/sudoers or sudoers.d/sysmanage-agent
Defaults:sysmanage log_host, log_year, logfile="/var/log/sudo-sysmanage.log"
Defaults:sysmanage !syslogSecurity Monitoring
- Failed executions: Monitor and alert on failed sudo commands
- Unusual patterns: Detect abnormal script execution patterns
- Privilege escalation: Monitor attempts to modify sudo configuration
- File access: Track access to sensitive files and directories
- Network activity: Monitor network connections during script execution
Security Hardening
System-Level Security
- SELinux/AppArmor: Use mandatory access controls where available
- Container isolation: Run agents in containers with limited capabilities
- Network segmentation: Isolate agent traffic on dedicated networks
- File system restrictions: Use read-only file systems where possible
- Resource limits: Implement cgroups or similar resource controls
Agent-Level Security
- Certificate pinning: Pin server certificates to prevent MITM attacks
- Script validation: Implement script signature verification
- Execution sandboxing: Use chroot or similar isolation techniques
- Regular updates: Keep agent software updated with security patches
- Configuration encryption: Encrypt sensitive configuration data
Troubleshooting Privileged Execution
Common Issues
Permission Denied Errors
Symptoms: Scripts fail with "Permission denied" errors
Solutions:
- Verify sudo configuration in
/etc/sudoers.d/sysmanage-agent - Check file permissions on executable files
- Ensure agent user is in correct groups
- Test sudo commands manually:
sudo -u sysmanage sudo apt update
Password Prompts
Symptoms: Scripts hang waiting for password input
Solutions:
- Add
NOPASSWDto sudo rules - Verify sudo rule syntax is correct
- Check for conflicting sudo rules
- Test with
sudo -n(non-interactive) flag
Script Timeouts
Symptoms: Long-running scripts are terminated
Solutions:
- Increase timeout value in agent configuration
- Optimize scripts for faster execution
- Break large operations into smaller tasks
- Use background processes for long operations
Environment Issues
Symptoms: Scripts can't find commands or files
Solutions:
- Use full paths to executables
- Set PATH environment variable in scripts
- Check sudo
secure_pathconfiguration - Verify required packages are installed
Debugging Steps
- Enable debug logging: Set log level to DEBUG in agent configuration
- Test sudo manually: Try running commands as the agent user
- Check system logs: Review /var/log/auth.log and /var/log/sudo.log
- Verify permissions: Check file and directory permissions
- Test in isolation: Run scripts manually to identify issues
- Review audit logs: Check agent audit logs for detailed execution info
Best Practices
Security Best Practices
- Principle of least privilege: Grant only necessary permissions
- Regular audits: Review and audit privileged operations regularly
- Script validation: Review all scripts before deployment
- Monitoring: Implement comprehensive monitoring and alerting
- Documentation: Document all privileged operations and procedures
- Testing: Test scripts thoroughly in development environments
- Incident response: Have procedures for handling security incidents
Operational Best Practices
- Change management: Use formal change management for privileged scripts
- Rollback procedures: Always have rollback plans for changes
- Backup verification: Ensure backups are taken before changes
- Gradual deployment: Deploy changes gradually across infrastructure
- Health checks: Implement health checks after script execution
- Resource monitoring: Monitor system resources during execution