Control Compliance Suite


Enabling blocked files via custom script feature 

Oct 21, 2016 06:59 AM

Have you ever tried performing a compliance check with the CCS Agent against the Unix password files, for example to verify that there are no password hashes in /etc/passwd*, that no account in /etc/shadow has an empty password field, or just the good old password dictionary check? If so, you may have run into an "Unknown" check status, with the Evidence reporting the current value as "{Blocked File}".
unknown.jpg

This is the result of /etc/passwd and /etc/shadow being listed as restricted files in the CCS configuration. In agentless mode you can change this configuration on the Application Server, but in agent-based mode the configuration lives, where else, on the agent itself. That creates the need for a visit to the Unix system admin department, which is always a unique experience, to ask them to modify /esm/bin/dcmodules/<platform>/Unix/bv.conf on every target system and comment out the line containing "SecuredFiles=SecuredFilesList.dat".
So this:
bv_conf1.jpg

Becomes this:
bv_conf2.jpg

I imagine our Unix admins have more important work to do than this. Luckily, since SCU 2016-1 the Unix CCS Agent has a script-based check feature, which is just what we need: the capability to execute a custom script that does the Unix system admin's task for us (see the NOTICE at the bottom of this doc).

The idea is to run a specifically crafted CCS Standard containing a script-based check that comments out the line "SecuredFiles=SecuredFilesList.dat" in bv.conf.

The script is fairly simple. We just need to locate the bv.conf file, since on different platforms (SunOS, Linux, HPUX…) it sits under a different folder, use sed to comment out the line, and print the modified line as evidence for the evaluation.

As for the CCS Standard, we use two Expressions from the "Scripts" category:

  1. Return code Equal to 0
    AND
  2. Standard Output Matches Pattern ‘/#SecuredFiles=SecuredFilesList.dat/’

Here is the Formula:
check_formula.jpg

And the Scripts tab:
check_script.jpg
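Here is a portable sh version of such a script, written for this walkthrough as an added example; it is not the script inside the attached standard, which is shown only in the screenshots. It assumes the agent layout from this post (bv.conf under /esm/bin/dcmodules/<platform>/Unix/) and that the config line reads exactly "SecuredFiles=SecuredFilesList.dat". The ESM_ROOT variable, the function names and the .bak backup are my own additions. It avoids "sed -i", which the SunOS and HP-UX sed do not have, keeps the file's owner and mode, and leaves already-commented lines alone so the check can be re-run safely. Its exit status and its stdout line up with the two Expressions above: 0 and a line matching "#SecuredFiles=SecuredFilesList.dat" on success.

```shell
#!/bin/sh
# Added example (not the script from the attached standard). Comments out
# "SecuredFiles=SecuredFilesList.dat" in every CCS Unix agent bv.conf found
# under ESM_ROOT and prints the resulting line(s) as evidence.
# Assumptions taken from the post: agent modules live in
# /esm/bin/dcmodules/<platform>/Unix/bv.conf and the key reads exactly as above.
# Portable sh only: no "sed -i" (absent on SunOS/HP-UX), no "local".

ESM_ROOT="${ESM_ROOT:-/esm/bin/dcmodules}"   # hypothetical override, for testing
KEY='SecuredFiles=SecuredFilesList\.dat'     # the config line, as a BRE

# Print the path of every bv.conf below the given root, one per platform folder.
find_bv_conf() {
    find "$1" -type f -path '*/Unix/bv.conf' 2>/dev/null
}

# Comment out the key in one file, keeping a .bak copy and the file's
# owner/mode. Already-commented lines are left alone, so re-running is safe.
# Prints the final commented line and returns 0; returns 1 if the key is absent
# or the file could not be rewritten.
disable_secured_files() {
    conf="$1"
    # Key present at all (commented or not)? Otherwise there is nothing to report.
    grep -q "^[[:space:]]*#*[[:space:]]*$KEY" "$conf" || return 1
    if grep -q "^[[:space:]]*$KEY" "$conf"; then
        cp -p "$conf" "$conf.bak" || return 1
        tmp="$conf.tmp.$$"
        sed "s/^\([[:space:]]*\)\($KEY\)/\1#\2/" "$conf" > "$tmp" \
            || { rm -f "$tmp"; return 1; }
        # "cat >" rewrites in place: same inode, so owner and mode are preserved.
        cat "$tmp" > "$conf" || { rm -f "$tmp"; return 1; }
        rm -f "$tmp"
    fi
    # Evidence for the Standard: the commented line itself.
    grep "^[[:space:]]*#[[:space:]]*$KEY" "$conf"
}

# Process every agent bv.conf under ESM_ROOT. Returns 0 if at least one file
# now has the key commented out (evidence printed), 1 otherwise.
main() {
    rc=1
    for conf in $(find_bv_conf "$ESM_ROOT"); do   # agent paths contain no spaces
        disable_secured_files "$conf" && rc=0
    done
    return $rc
}

# The script's exit status is the check's return code: exit 0 explicitly on
# success; on failure the status of this last command (1) is what the shell reports.
main "$@" && exit 0
```

Bear in mind what this feature really is: whatever the Standard's script contains runs with the agent's privileges on every host the job targets. That is why the agent-side switch mentioned in the NOTICE below exists, and why authoring script-based checks should be treated as a privileged operation and the resulting Standards reviewed like any other code that runs as root.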


After running the CER job against the agents on our Unix systems we get the following:
evidence.jpg

Now our checks that look inside /etc/passwd and /etc/shadow will work.
Attached you can find the standard that I used in the above demonstration.

NOTICE: this assumes ICE scripts are enabled on the CCS Agent server; otherwise you'll receive the message "Scripts are not allowed to be copied to this agent" and you'll have to pay the Unix admins a visit either way (at least until this Idea gets implemented).


DISCLAIMER: The sample scripts are intended for demonstration purposes only and are provided AS IS without warranty of any kind.

Attachment: std_enable_blocked_files_.zip (zip file, 2 KB, 1 version), uploaded Feb 25, 2020
