Control Compliance Suite

Hi,

We are having an enviroment where some of the UNIX target machines are registered with information server as agentless and some as agent based.

Can anyone give the advantages and disadvantages of registering UNIX target computers as agentbased and agent less?

Couple of the advantages of Agentbased solution over agentless:

1. 
   Agentbased collection is a bit faster than agentless collection since in agentbased, API's are used for data collection whereas in agentless, collection happens using commands run remotely.
2. All the fields in all the datasources are supported in agentbased whereas, in agentless, some of the fields are not supported.

When you say "All the fields in all the datasources are supported in agentbased" for a Red Hat servers would an agentbased registered server be able to test the compliance of password specifically whether a user has to use a a specfic combination of letters and numbers for their password?

Thanks in advance.

Mike

Hello Mike,

BvC-Unix do not report specifically on the password policy / usage of combinations of letters, special charactors or numbers etc. for passwords.

By saying "All the fields in all the datasources are supported in agentbased" i mean, "all the fields (as per product design) included in the datasources are implemented to fetch data and will report values for agentbased solution."

On your requirement lines, BvC-Unix reports on the weak passwords. To identify the weak password, a Password Strength utility has been developed. The Password Strength utility checks the following:

1)If the password in /etc/passwd is blank.
2)If the password in shadow file is blank.
3)If the password matches with the words in the dictionary provided with the product. (present in $INSTALL_DIR/utils/ folder of agent)
4)If the password is the same as Username. You can include Is Weak Password field in the Users data source to check if the password is a dictionary word or the same as user name.

From CCS, there is no predefined check for this. However a custome check can be created to check if the password is weak/strong.


-- Mrunal

An advantage of Agent based is that it will run faster than the agent less, but from what I have experienced speed is not a huge issue, so it is very minimal.

The disadvantages are minimal as well, the support team will have to install the agent on each server and maintain any issues that come up where an uninstall/re-install is necessary ... again not a long process, but depending on how many servers you are talking about could be time consuming.  

Another thing to consider and this is not an advantage or disadvantage, but more of a preference.  The agent less requires the service ID that you are using to have access to root credentials - the UNIX admin can input them during setup so it is not like the password would ever be revealed, but assuming the root password is changed every 90 days or so - I believe that it would also be reset throughout CCS.  Hope this helps!  

 

 

Does Symantec Publish Which Fields Are Not Supported by Agentles?

 

I have our environment setup in agentless now and have made the changes in the bvAgentlessConfig.ini file that were outlined in the link below. I'm looking at moving us to agentbased

http://www.symantec.com/business/support/index?page=content&id=TECH114243&actp=search&viewlocale=en_US&searchid=1294696218891

The biggest advantage of having agentless setup is that there is less maintenance involved, I am sure you would not want pieces of code residing on your servers that you would want to maintain.