Ideally a credential that you add for discovery should be one that is valid for a range of machines and has sufficient rights to run system level commands in order to discover richer data.
Adding a credential is the same whether you add it for UNIX systems or Windows systems accessed via the credential slave. You do not need to add credentials for systems accessed via the Workgroup or Active Directory slaves as these use the permissions of the user they were installed as.
To add a credential:
- On the Discovery page, click the Credentials button. The Login Credentials page is displayed.
- Click the Add... button. The Add Login Credential page is displayed.
- You can then set up the login credentials as follows:
| Field Name |
Details |
| IP Range |
Enter an IP address, a range of IP addresses, or a regular expression representing the IP addresses for which this credential is valid.
IP address – for example, 10.10.10.3
Range of IP addresses – 10.10.10.* or 10.10.1-5.* or 10.10.10.0/24
Regular expression – .* or 10.10.10.(23|25) |
| Username |
Username used to log in to hosts identified by the key. If this is a Windows credential that will be used by the internal slave or the External Credential Slave, ensure you prefix the username with localhost\. |
| Password |
This field is only visible when you are adding a credential. Enter the password into the password field; the password text is not echoed to the screen.
When you edit a credential, the password field is not displayed. To change a password, you must use the Change Password link on the Login Credentials page. |
| Description |
A free-text description of this login credential. |
| Access Methods |
Choose the access methods to be attempted for any host identified by the key by selecting them and moving them to the right-hand (enabled) list box using the right arrow button. By default, all access methods are placed in this box, that is, they are all enabled.
You can also change the order in which the access methods are attempted by selecting them and moving them up or down with the up or down arrow buttons. |
| Options |
Choose one or more options that apply to this remote login. To enable an option you must select the checkbox:
• Session Logging - select the checkbox to create a session log. These log all communication between the Foundation appliance and a host and should only be used for diagnosing discovery problems with that host. There is currently no option for recording a session log for Windows hosts.
• Prompt - a regular expression to define valid prompt characters expected.
• SU - select this checkbox to use the su command to change to the root user. Specify the root user's password in the adjacent text boxes. This field is not prepopulated and if left blank, the password will remain unchanged. To change the password, enter the new password in the two password fields.
• Buffer Size - specify a valid buffer size (any number in bytes). The default is 512 bytes.
• Timeout - specify a valid timeout period (in seconds). The default is 30 seconds.
• Force Subshell - select this checkbox to force the session to open a Bourne (/bin/sh) subshell if the default login shell is a C shell (/bin/csh /bin/tcsh). This enables you to cater for machines using non-standard shells. |
| Last Changed |
A read-only field that displays the date and time that this credential was last changed.
This field is only displayed in the Edit Login Credential window. |
- Click the Apply button to add the credentials, and repeat this for all the credentials you want to add.
- When you have added the credentials, you can test them. Click the test link in the Actions column. If the test link is not displayed, click the START ALL SCANS button on the Discovery Status Page. The Test Login Credential dialog is displayed.
- Enter a single IP in the Target IP address field to test the credentials against. In this example, 172.17.3.100.
- Click the Test Credentials button. The page is refreshed to show that the test in in progress and when complete, the results are shown.
Privileged Command Execution
The UNIX and Linux discovery scripts in versions of Tideway Foundation before version 7.2 used hard coded commands to run a command as a privileged user. For example, /usr/bin/sudo /usr/sbin/ifconfig args. In version 7.2 and later, these are replaced with user defined commands. That is, the hard coded /usr/bin/sudo is replaced in the script with PRIV_IFCONFIG which is substituted with the user defined command when the script is run. The commands are defined in the init section for each platform.
Tideway Foundation is shipped with no commands using privileged execution. The example below shows adding privileged execution to lsof commands. You will have to do the same for any command that you want to execute as a privileged user.
To configure execution of a command as a privileged user:
- Click the Platforms icon in the security section of the Administration page.
The Platforms page is displayed.
- Click the operating system link whose commands you want to add the privileged execution to.
- The commands for the operating system are displayed.
- Click the Edit link in the Action column of the initialise method row. The edit window is shown containing the script. Click in the edit window to enlarge it. This is shown below.
- For the PRIV_LSOF function, add the path and command required to run the commands as a privileged user. For example /usr/bin/sudo. Scroll down to the section with defining privileged execution.
- Edit this section so it reads:
You must add a privileged execution method to whichever commands you require in order to gain the fullest possible discovery. The available commands, their impact on discovery and the platforms they are available on described on the Privileged Commands for each Platform page.
Tideway Blog