2.1.12 Zscaler App Connector
For Indeni to run its full set of discovery and interrogation scripts, an SSH user must be used to connect to your system. It is highly recommended that a unique Indeni user be created for auditing and security purposes. Before adding any App Connector, make sure the SSH credential is provided in Credentials Set.
The Indeni user needs to run the “systemctl status zpa-connector” command. This requires elevated privileges. To allow the command, create a file in the /etc/sudoers.d directory and include the following line in the file.
indeni <system-name> = NOPASSWD: /bin/systemctl status zpa-connector
Default permissions (0002) can be used for this file.
Verify the privileges
Use the commands below to verify the privileges for the Indeni user.
[[email protected] ~]$ id
uid=1000(indeni) gid=1000(indeni) groups=1000(indeni),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[[email protected] ~]$
[[email protected] ~]$
[[email protected] ~]$ sudo -l
Matching Defaults entries for indeni on RedHat-8-4:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User indeni may run the following commands on RedHat-8-4:
    (ALL) ALL
    (root) NOPASSWD: /usr/bin/yum, /bin/systemctl status zpa-connector
[[email protected] ~]$
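The sample output above lists more than the one command Indeni needs: (ALL) ALL and a NOPASSWD entry for /usr/bin/yum. The script below is an added example, not part of the Indeni documentation or product. It reads "sudo -l" output and reports every grant other than the required one. The helper name audit_sudo_l and the embedded sample are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare `sudo -l` output against the single command required.
EXPECTED='/bin/systemctl status zpa-connector'   # command named on this page

# Constructed sample, modelled on the verification output shown on this page.
SAMPLE_SUDO_L='User indeni may run the following commands on RedHat-8-4:
    (ALL) ALL
    (root) NOPASSWD: /usr/bin/yum, /bin/systemctl status zpa-connector'

# audit_sudo_l (hypothetical helper): reads `sudo -l` text on stdin and prints
# "OK ..." for the expected command and "EXTRA ..." for every other grant.
# Returns 0 only when the expected command is present and nothing else is.
# Assumes each rule fits on one line and commands contain no escaped commas.
audit_sudo_l() {
    awk -v want="$EXPECTED" '
        /may run the following commands/ { in_rules = 1; next }
        !in_rules || !/^[ \t]*\(/ { next }
        {
            line = $0
            sub(/^[ \t]*/, "", line)
            runas = line
            sub(/\).*/, ")", runas)               # "(root)" or "(ALL)"
            sub(/^\([^)]*\)[ \t]*/, "", line)     # rest: tags and commands
            tag = ""
            n = split(line, cmds, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                # A tag such as NOPASSWD: applies to the commands after it.
                while (match(c, /^[A-Z_]+:[ \t]*/)) {
                    len = RLENGTH
                    tag = " " substr(c, 1, len)
                    sub(/:[ \t]*$/, "", tag)
                    c = substr(c, len + 1)
                }
                sub(/[ \t]+$/, "", c)
                if (c == want) { found = 1; print "OK " runas tag " " c }
                else           { extra = 1; print "EXTRA " runas tag " " c }
            }
        }
        END { exit ((found && !extra) ? 0 : 1) }
    '
}

# On a real host: sudo -l | audit_sudo_l
printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_l || echo "grant is broader than required"
```

A non-zero return means the account holds sudo rights beyond the status check, which is worth reviewing for a dedicated monitoring user.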