SSH Scanning Reference
This guide provides a complete reference for the SSH scanner, which discovers and collects detailed information from Linux, Unix, and AIX systems — including the exact commands executed, privilege requirements, and sudoers configuration.
Overview
The SSH scanner connects to target systems using the Secure Shell (SSH) protocol to execute a series of commands. It gathers a comprehensive inventory of the system's hardware, software, and configuration without requiring a dedicated agent on the target machine.
Network Requirements
- Port: TCP 22 must be open from the Tripl-i Scanner Agent to the target Linux, Unix, or AIX system.
- Protocol: Secure Shell (SSH)
Authentication Methods
- The scanner requires an SSH user account on the target system.
- Both password-based and SSH key-based authentication methods are supported.
- For security, SSH key-based authentication is recommended.
- Both methods are configured in the Credentials tab of the Tripl-i Scanner Agent application.
Privilege Requirements
The scanner is designed with the principle of least privilege — it never requires full root access. It collects whatever data is available at the current privilege level and silently skips commands that fail due to insufficient permissions. The scan never fails regardless of privilege level.
| Scenario | Behavior |
|---|---|
| Root user | All commands run directly — full data collected |
| Non-root + full sudo (NOPASSWD) | All commands run via sudo -n — full data collected |
| Non-root + selective sudo | Only allowed commands succeed, others silently skipped |
| Non-root + no sudo | Only basic commands collected — elevated commands silently skipped |
Basic Discovery (Non-Root User)
A standard, non-privileged user account is sufficient for basic inventory.
- Required Permissions:
  - SSH access to the target system.
  - Read access to standard system directories like /proc, /sys, and /etc.
  - Permission to execute common system commands (hostname, uname, ip, df, ps, etc.).
- Data Collected:
  - System identification (hostname, OS version, kernel)
  - Basic hardware information (CPU model, memory, disk space)
  - Network configuration (IP addresses, network interfaces, active connections)
  - Running processes
  - Installed software packages (dpkg or rpm)
  - User accounts
Enhanced Discovery (Sudo User)
For the most comprehensive data collection, an account with selective sudo privileges is recommended. Full root access is not required — you can grant passwordless sudo for only the specific commands the scanner needs.
- Required Permissions:
  - All basic permissions.
  - Passwordless sudo (NOPASSWD) for specific read-only commands.
- Additional Data Collected with Privileged Access:
  - Detailed Hardware Information: Full hardware details from dmidecode, including BIOS, memory modules, and processor specifications.
  - Storage Health: Disk health and SMART data from tools like smartctl.
  - Advanced Network Details: Full process-to-connection mapping using lsof.
  - Virtualization Details: Information about Docker containers or other virtualization platforms (virsh).
Data Collected Summary
The SSH scanner gathers a wide range of information, which is normalized and sent to the CMDB.
| Category | Examples | Privileges |
|---|---|---|
| System | Hostname, OS Version, Kernel, Manufacturer, Model, Serial Number | Basic (Full detail with Sudo) |
| Hardware | CPU Model & Cores, Total Memory, Disk Partitions, PCI Devices | Basic (Full detail with Sudo) |
| Network | IP Addresses, MAC Addresses, Default Gateway, Active Connections | Basic |
| Software | Installed Packages (e.g., from rpm or dpkg), Versions | Basic |
| Processes | Running Processes, Executable Paths, Owning User | Basic (Full detail with Sudo) |
| Users | Local User Accounts, Recent Logins | Basic |
| Storage | Filesystem Usage, Disk Health (SMART data) | Basic (Health data with Sudo) |
| Virtualization | Docker Containers, KVM/libvirt VMs | Sudo |
Commands Executed During Discovery
Basic Commands (No Root or Sudo Required)
These commands run for every SSH scan. They require only standard user access and read permissions on common system paths.
| Command Key | Command | Purpose |
|---|---|---|
| hostname | hostname | System hostname |
| kernel | uname -a | Kernel version and architecture |
| os_info | cat /etc/os-release | OS distribution and version |
| os_level | uname -r | Kernel release version |
| cpu_info | cat /proc/cpuinfo | CPU information |
| cpu_model | cat /proc/cpuinfo \| grep "model name" | CPU model name |
| cpu_detail | lscpu | CPU architecture details |
| memory | free -h | Memory usage summary |
| memory_info | cat /proc/meminfo | Detailed memory information |
| disk_space | df -h | Filesystem disk usage |
| disk_total | df -k / | Root filesystem total size |
| network | ip addr show | Network interface configuration |
| default_routes | ip route show default | Default gateway |
| local_ips | hostname -I | All local IP addresses |
| users | cat /etc/passwd | Local user accounts |
| last_login | last -5 | Recent login history |
| network_connections | ss -tuanp or netstat -tuanp | Active network connections |
| process_list | ps -eo pid,ppid,user,start_time,cmd | Running processes |
| system_model | cat /sys/devices/virtual/dmi/id/product_name | Hardware model |
| manufacturer | cat /sys/devices/virtual/dmi/id/sys_vendor | Hardware vendor |
| serial_sources | cat /sys/class/dmi/id/product_serial (+ board, chassis, UUID) | Serial number (sysfs) |
| platform_type | systemd-detect-virt | Virtualization platform detection |
| linux_services | systemctl list-units --type=service | Running services |
| installed_packages | dpkg -l or rpm -qa | Installed software packages |
| process_paths | readlink /proc/$pid/exe (loop) | Process executable paths |
Elevated Commands (Root or Sudo Required)
These commands provide deeper hardware and system information. When the scan user is not root, each command is automatically wrapped with sudo -n (non-interactive, passwordless sudo). If sudo is not available or not configured for that command, it silently returns empty — the scan continues without error.
| Command Key | Command | Purpose | Binary Path |
|---|---|---|---|
| serial_dmidecode | dmidecode -s system-serial-number | Hardware serial number | /usr/sbin/dmidecode |
| system_info | dmidecode -t system | System hardware details | /usr/sbin/dmidecode |
| bios | dmidecode -t bios | BIOS information | /usr/sbin/dmidecode |
| processor | dmidecode -t processor | CPU hardware specifications | /usr/sbin/dmidecode |
| memory_devices | dmidecode -t memory | Memory DIMM details (slots, speed, type) | /usr/sbin/dmidecode |
| disk_info | fdisk -l | Physical disk layout and partitions | /sbin/fdisk |
| pci_full | lspci -v | PCI device details | /usr/bin/lspci |
| docker_info | docker info | Docker engine information | /usr/bin/docker |
| virsh_list | virsh list --all | KVM/libvirt virtual machines | /usr/bin/virsh |
| network_interfaces | ip -o -4 addr show | Network IP addresses (detailed) | /sbin/ip |
| network_connections_root | ss -tupan or netstat -tupan | Connections with process IDs | /usr/sbin/ss |
| smart_info | smartctl -a /dev/$device | Disk SMART health data | /usr/sbin/smartctl |
| lsof_connections | lsof -i -n -P | Open network connections with process mapping | /usr/bin/lsof |
Configuring Sudo Privileges
Instead of granting full root access, you can configure passwordless sudo for only the specific commands the scanner needs. This is the recommended approach for production environments.
Step-by-Step Setup
- Create a dedicated scan user (if not already done):
    useradd -m -s /bin/bash tripli
- Create a sudoers drop-in file:
    visudo -f /etc/sudoers.d/tripli-scanner
- Add the following configuration (replace tripli with your scan username):
    # Tripl-i Scanner Agent - Passwordless sudo for infrastructure discovery
    # All commands are READ-ONLY — no system modification is performed
    tripli ALL=(root) NOPASSWD: /usr/sbin/dmidecode
    tripli ALL=(root) NOPASSWD: /sbin/fdisk -l
    tripli ALL=(root) NOPASSWD: /usr/bin/lspci -v
    tripli ALL=(root) NOPASSWD: /usr/sbin/smartctl
    tripli ALL=(root) NOPASSWD: /usr/bin/lsof -i -n -P
    tripli ALL=(root) NOPASSWD: /usr/bin/docker info
    tripli ALL=(root) NOPASSWD: /usr/bin/virsh list --all
    tripli ALL=(root) NOPASSWD: /usr/sbin/ss -tupan
    tripli ALL=(root) NOPASSWD: /bin/netstat -tupan
- Set correct file permissions:
    chmod 440 /etc/sudoers.d/tripli-scanner
- Verify the configuration:
    su - tripli -c "sudo -n dmidecode -s system-serial-number"
Selective Sudo Configuration
If your organization's security policy does not allow all elevated commands, you can selectively enable only the ones you need. The table below shows the impact of each command:
| Command | Data Lost Without It | Recommendation |
|---|---|---|
| dmidecode | Hardware serial number, BIOS, memory slots, processor details | Highly recommended — critical for asset tracking |
| fdisk -l | Physical disk layout | Optional — filesystem usage still collected via df |
| lspci -v | PCI device details | Optional — useful for GPU and network card inventory |
| smartctl | Disk health and SMART data | Optional — useful for proactive hardware monitoring |
| lsof -i -n -P | Process-to-connection mapping | Recommended — improves application dependency mapping |
| docker info | Docker engine details | Only needed if Docker is installed |
| virsh list --all | KVM/libvirt VM list | Only needed on KVM hypervisors |
| ss -tupan / netstat -tupan | Network connections with process IDs | Recommended — enhances dependency discovery |
Minimal Recommended Configuration
For the most common use case (asset tracking and dependency mapping), the minimum recommended sudoers configuration is:
tripli ALL=(root) NOPASSWD: /usr/sbin/dmidecode
tripli ALL=(root) NOPASSWD: /usr/bin/lsof -i -n -P
tripli ALL=(root) NOPASSWD: /usr/sbin/ss -tupan
This provides hardware serial numbers, BIOS details, and process-to-connection mapping while keeping the sudo surface area minimal.
Binary Path Notes
The binary paths listed above (/usr/sbin/dmidecode, /sbin/fdisk, etc.) are the most common locations on mainstream Linux distributions (RHEL, CentOS, Ubuntu, Debian, SUSE). On some systems, these paths may differ.
To verify the correct path on your system:
which dmidecode
which fdisk
which lspci
which smartctl
which lsof
which docker
which virsh
which ss
which netstat
Update the sudoers entries with the correct paths for your distribution if they differ.
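The sudoers configuration and the binary path notes above can be checked with a short script before the first scan. This is an added example, not Tripl-i code: it reports whether each binary exists at the listed path and flags entries with no argument list, which sudo treats as permitting any arguments to that binary (dmidecode and smartctl in the configuration above). It assumes one command per NOPASSWD line, and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not Tripl-i code: audit a scanner sudoers drop-in.
# Assumes one command per NOPASSWD line, as in the configuration above.

# Print one line per entry: <scope> <state> <binary> [pinned arguments]
#   ANY-ARGS = no argument list, so sudo accepts any arguments to the binary
#   PINNED   = only the listed arguments are accepted
#   present/missing = whether the binary is executable at that exact path
audit_sudoers() {
    while IFS= read -r line; do
        case "$line" in
            \#*) continue ;;            # comment line
            *NOPASSWD:*) ;;             # entry to inspect
            *) continue ;;              # blank or unrelated line
        esac
        spec=${line#*NOPASSWD:}
        set -f; set -- $spec; set +f    # split into words, no globbing
        [ $# -gt 0 ] || continue
        bin=$1; shift
        if [ $# -eq 0 ]; then scope=ANY-ARGS; else scope=PINNED; fi
        if [ -x "$bin" ]; then state=present; else state=missing; fi
        printf '%s\n' "$scope $state $bin${1:+ $*}"
    done
}

# Succeeds only if the file mode is 0440, as set in the chmod step.
dropin_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null) || return 1
    case "$perms" in
        -r--r-----*) return 0 ;;
        *) return 1 ;;
    esac
}

# The nine entries from the setup step, reproduced as sample input.
sample_dropin() {
    cat <<'EOF'
tripli ALL=(root) NOPASSWD: /usr/sbin/dmidecode
tripli ALL=(root) NOPASSWD: /sbin/fdisk -l
tripli ALL=(root) NOPASSWD: /usr/bin/lspci -v
tripli ALL=(root) NOPASSWD: /usr/sbin/smartctl
tripli ALL=(root) NOPASSWD: /usr/bin/lsof -i -n -P
tripli ALL=(root) NOPASSWD: /usr/bin/docker info
tripli ALL=(root) NOPASSWD: /usr/bin/virsh list --all
tripli ALL=(root) NOPASSWD: /usr/sbin/ss -tupan
tripli ALL=(root) NOPASSWD: /bin/netstat -tupan
EOF
}
sample_dropin | audit_sudoers
```

Run visudo -cf /etc/sudoers.d/tripli-scanner for a syntax check and dropin_mode_ok on the same file for the 0440 mode. To narrow an ANY-ARGS entry, list each invocation from the Elevated Commands table (for example /usr/sbin/dmidecode -t bios) as its own entry.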
AIX Systems
AIX systems use a different set of commands. The scanner collects all AIX data using standard (non-privileged) commands:
| Command | Purpose |
|---|---|
| oslevel -s | AIX version |
| lsdev -Cc processor | Processor inventory |
| svmon -G | Memory usage |
| lsattr -El sys0 -a realmem | Total physical memory |
| df -g | Disk usage |
| ifconfig -a | Network interfaces |
| netstat -an | Network connections |
| lslpp -Lc | Installed packages |
| lsconf / prtconf | Serial number |
| lparstat -i | LPAR configuration |
| ps -ef | Running processes |
No sudo or root access is required for AIX discovery. All critical data is collected using standard user privileges.
Security Considerations
- All commands are read-only — the scanner never modifies system configuration, installs software, or writes files.
- No interactive sudo — the scanner only uses sudo -n (non-interactive). It will never prompt for a password.
- Credential encryption — credentials stored in the Scanner Agent are encrypted using Windows DPAPI and never transmitted to the central platform.
- Network boundary — credentials remain within your network; only the collected inventory data is sent to the Tripl-i platform.
- Audit trail — all scan activities are logged for review.
Troubleshooting
Common Issues
| Issue | Cause | Solution |
|---|---|---|
| Serial number shows as "Unknown" | dmidecode not allowed via sudo | Add /usr/sbin/dmidecode to sudoers |
| Missing memory slot details | dmidecode not allowed via sudo | Add /usr/sbin/dmidecode to sudoers |
| No process-to-connection mapping | lsof not allowed via sudo | Add /usr/bin/lsof -i -n -P to sudoers |
| Docker containers not discovered | docker info not allowed | Add user to docker group or add /usr/bin/docker info to sudoers |
| Scan completes but data is incomplete | Insufficient privileges for elevated commands | Review sudoers configuration above |
| "Permission denied" in scan logs | Sudo not configured as NOPASSWD | Ensure NOPASSWD: is in the sudoers entry |
Verifying Sudo Access
To test which elevated commands will work for your scan user:
# Test each command as the scan user
su - tripli -c "sudo -n dmidecode -s system-serial-number 2>/dev/null && echo 'OK: dmidecode' || echo 'FAIL: dmidecode'"
su - tripli -c "sudo -n fdisk -l 2>/dev/null && echo 'OK: fdisk' || echo 'FAIL: fdisk'"
su - tripli -c "sudo -n lspci -v 2>/dev/null && echo 'OK: lspci' || echo 'FAIL: lspci'"
su - tripli -c "sudo -n ss -tupan 2>/dev/null && echo 'OK: ss' || echo 'FAIL: ss'"
su - tripli -c "sudo -n lsof -i -n -P 2>/dev/null && echo 'OK: lsof' || echo 'FAIL: lsof'"
Any command that prints FAIL will be silently skipped during the scan — it will not cause the scan to fail.