Control Compliance Suite

 View Only
Back to discussions
Expand all | Collapse all

Scan Oracle ASM files Using CCS command based checks

  • 1.  Scan Oracle ASM files Using CCS command based checks

    Broadcom Employee
    Posted Aug 18, 2017 02:51 AM

    How to scan Oracle ASM files Using CCS command based checks:

    To evaluate on Oracle ASM files, you can create a command based check in the CCS Standards Manager and run it. The evaluation results from the check run, will help you to make informed decisions and secure your Oracle software environment.

    To create a command based simple check, refer to the following steps:          

    1. For detailed steps to create a command-based customized check, refer to the Creating a check for Commands entity for UNIX section in the CCS Security Content Update (SCU) 2017-1 Getting Started Guide (Versions: CCS 11.1.x and CCS 11.5.x)                              

    2. Select the target type from the UNIX platform based on your target.

    For example - UNIX Platform->All Red Hat Enterprise Linux Machines".                              

    3. Edit the check expression for evaluation as per the requirement:

    For example - CommandOutput contains a match with permission "rw-rw-rw-"                                              

    4. In the Standards workspace, on the Command tab, add the command text as per your requirement:                                              

    For example - To fetch the Name and permissions of all the DATAFILES present on the ASM storage,                                                              

    ps -eo "pid,args" | grep asm_pmon | grep -v "grep" |while read Instances; do export instanceID=$(echo $Instances | awk -F" " '{print $1}'); export instanceName=$(echo $Instances | sed 's/asm_pmon_//g' |  awk -F" " '{print $2}'); export OraHome=$(ls -llad /proc/$instanceID/exe|sed 's/\/bin\/oracle//g' | awk -F" " '{print $11}');  su grid -c "ORACLE_SID=$instanceName;export ORACLE_SID;ORACLE_HOME=$OraHome ;export ORACLE_HOME;$OraHome/bin/asmcmd ls --permission DATA/ORCL/DATAFILE/*";done                            

    Note:

    1. The command needs to be changed as per the requirement.
    2. User need to increase the value of CustomCommandTextLengthLimit in <..\CCS\Reporting and Analytics\Application Server\AppserverService.exe.config> and restart APS if command text exceeds 512 characters limit.
    3. asmcmd is a utility provided by Oracle that works with ASM files, directories and aliases

    5. Add the following commands in the CommandWhitelist.ini file:

    • awk
    • export
    • grep
    • ps
    • sed
    • su
    • while
    • do
    • done
    • echo
    • ls

    Note:           

    1.  The CommandWhitelist.ini file is present at <CCS Installation Directory>\Symantec\CCS\Reporting and Analytics\Application Server\PlatformSettings\Global\Unix\Control\UNIX\ConfigFiles
    2. Whenever you modify the whitelisted commands in the configuration file, you must run the Sync Configuration job to make sure that the change is applied to future scans. The job updates the changes on all the CCS Managers.                                    

    6. Run the Collection-Evaluation-Reporting (CER) job against the Unix targets in your environment by using the customized check that you create.