Before invoking cbcluster to connect to a minion as a non-root user, the remote user on the minion must already have been granted the following privileges:

  • Secure Shell (SSH) access to the minion node.

    The initial SSH connection must be made interactively. During the key exchange, the server identifies itself to the client with a unique host key. If the client has never communicated with this particular server before, the server’s host key is unknown to the client, and the connection does not proceed until that key is accepted.

    SSH notifies the user that the authenticity of the host cannot be established and prompts the user to accept or reject the key. The user is expected to verify the new host key independently (out of band, against the fingerprint known for that minion) before accepting it. On subsequent connections, the server’s host key is checked against the saved version on the client, providing confidence that the client is indeed communicating with the intended server. If the host key later no longer matches, the user must remove the client’s saved version before a connection can be made; because a changed host key can also indicate that the connection is being intercepted, confirm why the key changed (for example, the minion was reinstalled) before removing the saved entry.

  • Sudo privileges for the commands listed below. The user must be configured to run them with NOPASSWD.
  • If any of the required permissions are missing, the cbcluster command prompts for them during its initial validation.

For Carbon Black EDR versions 7.4+, add the following entries to your sudoers file (using visudo, so the syntax is validated before the file is saved) to use the cbcluster commands with a non-root user:

## Sudoers adjustments for restricted Carbon Black EDR cluster environments.
##
## Aliases that list a command with no arguments (HOSTNAME, CB_INIT, CB_CLUSTER,
## CB_UPGRADE, CB_SERVICE, CB_ENTERPRISE) match that command invoked with ANY
## arguments. Every other alias below is pinned to the exact argument string
## shown and matches nothing else, which is what keeps this grant narrow.
Cmnd_Alias HOSTNAME = /bin/hostname
Cmnd_Alias CB_INIT = /usr/share/cb/cbinit
Cmnd_Alias CB_CLUSTER = /usr/share/cb/cbcluster
Cmnd_Alias CB_UPGRADE = /usr/share/cb/cbupgrade
Cmnd_Alias CB_SERVICE = /usr/share/cb/cbservice
Cmnd_Alias YUM_INSTALL_CB = /usr/bin/yum install cb-enterprise -y
Cmnd_Alias YUM_INSTALL_RSYNC = /usr/bin/yum install rsync -y
Cmnd_Alias MKDIR_ETC_CB = /bin/mkdir /etc/cb --mode=755
Cmnd_Alias MKDIR_ETC_CB_CERTS = /bin/mkdir /etc/cb/certs --mode=755
# COPY_* aliases: each moves exactly one staged file from /tmp/.cb_tmp into
# its final location and deletes the staged copy (--remove-source-files).
# Private keys, the Erlang cookie, the license and the server token all pass
# through this staging directory and are then placed as root.
# NOTE(review): /tmp/.cb_tmp lives under a world-writable directory; confirm
# that cbcluster creates it with restrictive permissions before staging files.
Cmnd_Alias COPY_ALLIANCE_CRT = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/carbonblack-alliance-client.crt /etc/cb/certs/carbonblack-alliance-client.crt
Cmnd_Alias COPY_SERVER_CRT = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-server.crt /etc/cb/certs/cb-server.crt
Cmnd_Alias COPY_CLIENT_CA_CRT = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-client-ca.crt /etc/cb/certs/cb-client-ca.crt
Cmnd_Alias COPY_ALLIANCE_KEY = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/carbonblack-alliance-client.key /etc/cb/certs/carbonblack-alliance-client.key
Cmnd_Alias COPY_SERVER_KEY = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-server.key /etc/cb/certs/cb-server.key
Cmnd_Alias COPY_CLIENT_CA_KEY = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-client-ca.key /etc/cb/certs/cb-client-ca.key
Cmnd_Alias COPY_CB_REPO = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/CarbonBlack.repo /etc/yum.repos.d/CarbonBlack.repo
Cmnd_Alias COPY_CLUSTER_CONF = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cluster.conf /etc/cb/cluster.conf
Cmnd_Alias COPY_ERLANG_COOKIE = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/.erlang.cookie /var/cb/.erlang.cookie
Cmnd_Alias COPY_SERVER_LIC = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/server.lic /etc/cb/server.lic
Cmnd_Alias COPY_SERVER_TOKEN = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/server.token /etc/cb/server.token
Cmnd_Alias CBCHECK_IP_TABLES = /usr/share/cb/cbcheck iptables --apply
Cmnd_Alias CB_ENTERPRISE = /etc/init.d/cb-enterprise
Cmnd_Alias CAT_VERSION = /bin/cat /usr/share/cb/VERSION
Cmnd_Alias COPY_REDIS_SERVER_KEY = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-redis-server.key /etc/cb/certs/cb-redis-server.key
Cmnd_Alias COPY_REDIS_SERVER_CERT = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-redis-server.crt /etc/cb/certs/cb-redis-server.crt
Cmnd_Alias COPY_SOLR_FIPS_CONFIG = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/solr-ssl.keystore.bcfks /etc/cb/certs/solr-ssl.keystore.bcfks
# FIPS openresty swap: the ERASE_* aliases remove the non-FIPS packages with
# --nodeps, and INSTALL_FIPS_OPENRESTY installs the FIPS build. The package
# versions are pinned in the argument string, so an installed version other than
# the one named here simply will not match the alias.
Cmnd_Alias ERASE_OPENRESTY_OPENSSL = /usr/bin/rpm -e openresty-openssl-1.0.2zd-1a.cb.el8 --nodeps
Cmnd_Alias ERASE_NON_FIPS_OPENRESTY = /usr/bin/rpm -e openresty-1.21.4.1-1a.cb.el8 --nodeps
Cmnd_Alias INSTALL_FIPS_OPENRESTY = /usr/bin/yum install -y openresty-1.21.4.1-1b.cb.el8
Cmnd_Alias DELETE_CLIENT_CA_BUNDLE_CRT = /usr/bin/rm -f /etc/cb/certs/cb-client-ca-bundle.crt

# Single aggregate alias so the user specification below stays on one short line.
Cmnd_Alias CLUSTER_OPERATIONS = HOSTNAME, CB_INIT, YUM_INSTALL_CB, YUM_INSTALL_RSYNC, MKDIR_ETC_CB, MKDIR_ETC_CB_CERTS, COPY_ALLIANCE_CRT, COPY_SERVER_CRT, COPY_CLIENT_CA_CRT, COPY_ALLIANCE_KEY, COPY_SERVER_KEY, COPY_CLIENT_CA_KEY, COPY_CB_REPO, COPY_CLUSTER_CONF, COPY_ERLANG_COOKIE, COPY_SERVER_LIC, COPY_SERVER_TOKEN, CBCHECK_IP_TABLES, CB_ENTERPRISE, CAT_VERSION, CB_CLUSTER, CB_UPGRADE, CB_SERVICE, COPY_REDIS_SERVER_KEY, COPY_REDIS_SERVER_CERT, COPY_SOLR_FIPS_CONFIG, ERASE_OPENRESTY_OPENSSL, ERASE_NON_FIPS_OPENRESTY, INSTALL_FIPS_OPENRESTY, DELETE_CLIENT_CA_BUNDLE_CRT
# my_user is a placeholder: replace it with the account cbcluster connects as.
# (ALL) lets these commands run as any target user; if cbcluster only needs
# root, (root) is the narrower choice — confirm against cbcluster before
# tightening it.
my_user ALL=(ALL) NOPASSWD: CLUSTER_OPERATIONS

For Carbon Black EDR versions 6.2-7.3, add the following entries to your sudoers file (using visudo, so the syntax is validated before the file is saved) to use the cbcluster commands with a non-root user:

## Required sudo privileges on minion to run cbcluster add-node
##
## Aliases that list a command with no arguments (HOSTNAME, CB_INIT,
## CB_ENTERPRISE) match that command invoked with ANY arguments. Every other
## alias below is pinned to the exact argument string shown; note that cbupgrade
## is only granted with --non-interactive or --check, not unrestricted.
Cmnd_Alias HOSTNAME = /bin/hostname
Cmnd_Alias CB_INIT = /usr/share/cb/cbinit
Cmnd_Alias YUM_INSTALL_CB = /usr/bin/yum install cb-enterprise -y
Cmnd_Alias YUM_INSTALL_RSYNC = /usr/bin/yum install rsync -y
Cmnd_Alias MKDIR_ETC_CB = /bin/mkdir /etc/cb --mode=755
Cmnd_Alias MKDIR_ETC_CB_CERTS = /bin/mkdir /etc/cb/certs --mode=755
# COPY_* aliases: each moves exactly one staged file from /tmp/.cb_tmp into
# its final location and deletes the staged copy (--remove-source-files).
# Private keys, the Erlang cookie, the license and the server token all pass
# through this staging directory and are then placed as root.
# NOTE(review): /tmp/.cb_tmp lives under a world-writable directory; confirm
# that cbcluster creates it with restrictive permissions before staging files.
Cmnd_Alias COPY_ALLIANCE_CRT = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/carbonblack-alliance-client.crt /etc/cb/certs/carbonblack-alliance-client.crt
Cmnd_Alias COPY_SERVER_CRT = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-server.crt /etc/cb/certs/cb-server.crt
Cmnd_Alias COPY_CLIENT_CA_CRT = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-client-ca.crt /etc/cb/certs/cb-client-ca.crt
Cmnd_Alias COPY_ALLIANCE_KEY = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/carbonblack-alliance-client.key /etc/cb/certs/carbonblack-alliance-client.key
Cmnd_Alias COPY_SERVER_KEY = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-server.key /etc/cb/certs/cb-server.key
Cmnd_Alias COPY_CLIENT_CA_KEY = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-client-ca.key /etc/cb/certs/cb-client-ca.key
Cmnd_Alias COPY_CB_REPO = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/CarbonBlack.repo /etc/yum.repos.d/CarbonBlack.repo
Cmnd_Alias COPY_CLUSTER_CONF = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cluster.conf /etc/cb/cluster.conf
Cmnd_Alias COPY_ERLANG_COOKIE = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/.erlang.cookie /var/cb/.erlang.cookie
Cmnd_Alias COPY_SERVER_LIC = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/server.lic /etc/cb/server.lic
Cmnd_Alias COPY_SERVER_TOKEN = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/server.token /etc/cb/server.token
# Pre-7.4 releases use the "firewall" subcommand here; 7.4+ uses "iptables".
Cmnd_Alias CBCHECK_FIREWALL = /usr/share/cb/cbcheck firewall --apply
Cmnd_Alias CB_ENTERPRISE = /etc/init.d/cb-enterprise
Cmnd_Alias CAT_VERSION = /bin/cat /usr/share/cb/VERSION
Cmnd_Alias CBUPGRADE = /usr/share/cb/cbupgrade --non-interactive
Cmnd_Alias CBUPGRADE_CHECK = /usr/share/cb/cbupgrade --check
 
# my_user is a placeholder: replace it with the account cbcluster connects as.
# (ALL) lets these commands run as any target user; if cbcluster only needs
# root, (root) is the narrower choice — confirm against cbcluster before
# tightening it.
my_user        ALL=(ALL)  NOPASSWD: HOSTNAME, CB_INIT, YUM_INSTALL_CB, YUM_INSTALL_RSYNC, MKDIR_ETC_CB, MKDIR_ETC_CB_CERTS, COPY_ALLIANCE_CRT, COPY_SERVER_CRT, COPY_CLIENT_CA_CRT, COPY_ALLIANCE_KEY, COPY_SERVER_KEY, COPY_CLIENT_CA_KEY, COPY_CB_REPO, COPY_CLUSTER_CONF, COPY_ERLANG_COOKIE, COPY_SERVER_LIC, COPY_SERVER_TOKEN, CBCHECK_FIREWALL, CB_ENTERPRISE, CAT_VERSION, CBUPGRADE, CBUPGRADE_CHECK