Before invoking cbcluster to connect to a minion as a non-root user, the remote user on the minion must have certain assigned privileges:
- Secure Shell (SSH) access to the minion node.
The initial SSH connection must be made interactively. During the key exchange, the server identifies itself to the client with a unique host key. If the client has never communicated with this particular server before, the server’s host key is unknown to the client and the client does not connect.
SSH notifies the user that the authenticity of the host cannot be established and prompts the user to accept or reject it. The user is expected to independently verify the new host key before accepting it. In subsequent connections, the server’s host key is checked against the saved version on the client, providing confidence that the client is indeed communicating with the intended server. If, in the future, the host key no longer matches, the user must remove the client’s saved version before a connection can occur.
- Sudo privileges for the commands listed below. The user must be configured to run with NOPASSWD.
If any of the required permissions are not configured, the cbcluster command prompts for the missing permissions during initial validation.
For Carbon Black EDR versions 7.4+, add the following entries to your sudoers file to use the cbcluster commands with a non-root user:
## Sudoers adjustments for restricted Carbon Black EDR cluster environments. ##
Cmnd_Alias HOSTNAME = /bin/hostname
Cmnd_Alias CB_INIT = /usr/share/cb/cbinit
Cmnd_Alias CB_CLUSTER = /usr/share/cb/cbcluster
Cmnd_Alias CB_UPGRADE = /usr/share/cb/cbupgrade
Cmnd_Alias CB_SERVICE = /usr/share/cb/cbservice
Cmnd_Alias YUM_INSTALL_CB = /usr/bin/yum install cb-enterprise -y
Cmnd_Alias YUM_INSTALL_RSYNC = /usr/bin/yum install rsync -y
Cmnd_Alias MKDIR_ETC_CB = /bin/mkdir /etc/cb --mode=755
Cmnd_Alias MKDIR_ETC_CB_CERTS = /bin/mkdir /etc/cb/certs --mode=755
Cmnd_Alias COPY_ALLIANCE_CRT = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/carbonblack-alliance-client.crt /etc/cb/certs/carbonblack-alliance-client.crt
Cmnd_Alias COPY_SERVER_CRT = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-server.crt /etc/cb/certs/cb-server.crt
Cmnd_Alias COPY_CLIENT_CA_CRT = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-client-ca.crt /etc/cb/certs/cb-client-ca.crt
Cmnd_Alias COPY_ALLIANCE_KEY = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/carbonblack-alliance-client.key /etc/cb/certs/carbonblack-alliance-client.key
Cmnd_Alias COPY_SERVER_KEY = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-server.key /etc/cb/certs/cb-server.key
Cmnd_Alias COPY_CLIENT_CA_KEY = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-client-ca.key /etc/cb/certs/cb-client-ca.key
Cmnd_Alias COPY_CB_REPO = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/CarbonBlack.repo /etc/yum.repos.d/CarbonBlack.repo
Cmnd_Alias COPY_CLUSTER_CONF = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cluster.conf /etc/cb/cluster.conf
Cmnd_Alias COPY_ERLANG_COOKIE = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/.erlang.cookie /var/cb/.erlang.cookie
Cmnd_Alias COPY_SERVER_LIC = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/server.lic /etc/cb/server.lic
Cmnd_Alias COPY_SERVER_TOKEN = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/server.token /etc/cb/server.token
Cmnd_Alias CBCHECK_IP_TABLES = /usr/share/cb/cbcheck iptables --apply
Cmnd_Alias CB_ENTERPRISE = /etc/init.d/cb-enterprise
Cmnd_Alias CAT_VERSION = /bin/cat /usr/share/cb/VERSION
Cmnd_Alias COPY_REDIS_SERVER_KEY = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-redis-server.key /etc/cb/certs/cb-redis-server.key
Cmnd_Alias COPY_REDIS_SERVER_CERT = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-redis-server.crt /etc/cb/certs/cb-redis-server.crt
Cmnd_Alias COPY_SOLR_FIPS_CONFIG = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/solr-ssl.keystore.bcfks /etc/cb/certs/solr-ssl.keystore.bcfks
Cmnd_Alias ERASE_OPENRESTY_OPENSSL = /usr/bin/rpm -e openresty-openssl-1.0.2zd-1a.cb.el8 --nodeps
Cmnd_Alias ERASE_NON_FIPS_OPENRESTY = /usr/bin/rpm -e openresty-1.21.4.1-1a.cb.el8 --nodeps
Cmnd_Alias INSTALL_FIPS_OPENRESTY = /usr/bin/yum install -y openresty-1.21.4.1-1b.cb.el8
Cmnd_Alias DELETE_CLIENT_CA_BUNDLE_CRT = /usr/bin/rm -f /etc/cb/certs/cb-client-ca-bundle.crt
Cmnd_Alias CLUSTER_OPERATIONS = HOSTNAME, CB_INIT, YUM_INSTALL_CB, YUM_INSTALL_RSYNC, MKDIR_ETC_CB, MKDIR_ETC_CB_CERTS, COPY_ALLIANCE_CRT, COPY_SERVER_CRT, COPY_CLIENT_CA_CRT, COPY_ALLIANCE_KEY, COPY_SERVER_KEY, COPY_CLIENT_CA_KEY, COPY_CB_REPO, COPY_CLUSTER_CONF, COPY_ERLANG_COOKIE, COPY_SERVER_LIC, COPY_SERVER_TOKEN, CBCHECK_IP_TABLES, CB_ENTERPRISE, CAT_VERSION, CB_CLUSTER, CB_UPGRADE, CB_SERVICE, COPY_REDIS_SERVER_KEY, COPY_REDIS_SERVER_CERT, COPY_SOLR_FIPS_CONFIG, ERASE_OPENRESTY_OPENSSL, ERASE_NON_FIPS_OPENRESTY, INSTALL_FIPS_OPENRESTY, DELETE_CLIENT_CA_BUNDLE_CRT
my_user ALL=(ALL) NOPASSWD: CLUSTER_OPERATIONS
For Carbon Black EDR versions 6.2-7.3, add the following entries to your sudoers file to use the cbcluster commands with a non-root user:
## Required sudo privileges on minion to run cbcluster add-node
Cmnd_Alias HOSTNAME = /bin/hostname
Cmnd_Alias CB_INIT = /usr/share/cb/cbinit
Cmnd_Alias YUM_INSTALL_CB = /usr/bin/yum install cb-enterprise -y
Cmnd_Alias YUM_INSTALL_RSYNC = /usr/bin/yum install rsync -y
Cmnd_Alias MKDIR_ETC_CB = /bin/mkdir /etc/cb --mode=755
Cmnd_Alias MKDIR_ETC_CB_CERTS = /bin/mkdir /etc/cb/certs --mode=755
Cmnd_Alias COPY_ALLIANCE_CRT = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/carbonblack-alliance-client.crt /etc/cb/certs/carbonblack-alliance-client.crt
Cmnd_Alias COPY_SERVER_CRT = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-server.crt /etc/cb/certs/cb-server.crt
Cmnd_Alias COPY_CLIENT_CA_CRT = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-client-ca.crt /etc/cb/certs/cb-client-ca.crt
Cmnd_Alias COPY_ALLIANCE_KEY = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/carbonblack-alliance-client.key /etc/cb/certs/carbonblack-alliance-client.key
Cmnd_Alias COPY_SERVER_KEY = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-server.key /etc/cb/certs/cb-server.key
Cmnd_Alias COPY_CLIENT_CA_KEY = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-client-ca.key /etc/cb/certs/cb-client-ca.key
Cmnd_Alias COPY_CB_REPO = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/CarbonBlack.repo /etc/yum.repos.d/CarbonBlack.repo
Cmnd_Alias COPY_CLUSTER_CONF = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cluster.conf /etc/cb/cluster.conf
Cmnd_Alias COPY_ERLANG_COOKIE = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/.erlang.cookie /var/cb/.erlang.cookie
Cmnd_Alias COPY_SERVER_LIC = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/server.lic /etc/cb/server.lic
Cmnd_Alias COPY_SERVER_TOKEN = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/server.token /etc/cb/server.token
Cmnd_Alias CBCHECK_FIREWALL = /usr/share/cb/cbcheck firewall --apply
Cmnd_Alias CB_ENTERPRISE = /etc/init.d/cb-enterprise
Cmnd_Alias CAT_VERSION = /bin/cat /usr/share/cb/VERSION
Cmnd_Alias CBUPGRADE = /usr/share/cb/cbupgrade --non-interactive
Cmnd_Alias CBUPGRADE_CHECK = /usr/share/cb/cbupgrade --check
my_user ALL=(ALL) NOPASSWD: HOSTNAME, CB_INIT, YUM_INSTALL_CB, YUM_INSTALL_RSYNC, MKDIR_ETC_CB, MKDIR_ETC_CB_CERTS, COPY_ALLIANCE_CRT, COPY_SERVER_CRT, COPY_CLIENT_CA_CRT, COPY_ALLIANCE_KEY, COPY_SERVER_KEY, COPY_CLIENT_CA_KEY, COPY_CB_REPO, COPY_CLUSTER_CONF, COPY_ERLANG_COOKIE, COPY_SERVER_LIC, COPY_SERVER_TOKEN, CBCHECK_FIREWALL, CB_ENTERPRISE, CAT_VERSION, CBUPGRADE, CBUPGRADE_CHECK
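
As an added check (not part of the vendor documentation or the Carbon Black tooling), the script below expands a user's NOPASSWD rule from a sudoers file in either layout above into the concrete commands it grants, and reports any alias that is referenced but never defined. The function names and the shortened sample file are constructed for illustration; syntax should still be validated with `visudo -c`.

```shell
#!/bin/sh
# Added example, not vendor code. Usage: expand_nopasswd FILE USER
# Prints each command USER may run with NOPASSWD, one per line, and
# "UNRESOLVED <name>" for any referenced alias that has no definition.
expand_nopasswd() {
    awk -v user="$2" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # An item starting with "/" is a command; anything else is an alias name.
    function expand(item, depth,    parts, n, i) {
        item = trim(item)
        if (item == "") return
        if (substr(item, 1, 1) == "/") { print item; return }
        if (!(item in def) || depth > 20) { print "UNRESOLVED " item; return }
        n = split(def[item], parts, ",")
        for (i = 1; i <= n; i++) expand(parts[i], depth + 1)
    }
    /\\$/ { buf = buf substr($0, 1, length($0) - 1); next }  # join continued lines
    { $0 = buf $0; buf = "" }
    /^[ \t]*#/ { next }                                       # skip comments
    $1 == "Cmnd_Alias" {
        eq = index($0, "=")
        name = trim(substr($0, 1, eq - 1))
        sub(/^Cmnd_Alias[ \t]+/, "", name)
        def[name] = substr($0, eq + 1)
        next
    }
    $1 == user && (pos = index($0, "NOPASSWD:")) {
        rule = rule "," substr($0, pos + 9)
    }
    END {
        n = split(rule, items, ",")
        for (i = 1; i <= n; i++) expand(items[i], 0)
    }' "$1"
}

# Constructed sample: a shortened file in the page's layout in which CB_SERVICE
# is listed in the group alias but its Cmnd_Alias definition is missing.
sample_sudoers() {
    cat <<'EOF'
## Sudoers adjustments (shortened, constructed sample)
Cmnd_Alias HOSTNAME = /bin/hostname
Cmnd_Alias CAT_VERSION = /bin/cat /usr/share/cb/VERSION
Cmnd_Alias MKDIR_ETC_CB = /bin/mkdir /etc/cb --mode=755
Cmnd_Alias CLUSTER_OPERATIONS = HOSTNAME, CAT_VERSION, \
    MKDIR_ETC_CB, CB_SERVICE
my_user ALL=(ALL) NOPASSWD: CLUSTER_OPERATIONS
EOF
}

if [ "$#" -eq 2 ]; then expand_nopasswd "$1" "$2"; fi
```

Comparing the expanded output against the listing for your EDR version shows missing or extra grants before cbcluster runs its own validation.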