Configuration for CCS agentless data collection on UNIX targets

Article ID: 178691

Products

Control Compliance Suite, Control Compliance Suite Standards Module, Control Compliance Suite Standards Server

Issue/Introduction

 Configuration for Control Compliance Suite agentless data collection on UNIX targets

Environment

CCS 12.6.X

Resolution

To configure the environment for CCS data collection on UNIX target computers, you can assign the following privileges to users depending on your requirements:
 

  • Root account privileges
  • Non-root account privileges

A user with root account privileges has default access to all UNIX commands and files, whereas a user with non-root account privileges has limited access to UNIX commands and files. For a non-root user, you must install and configure sudo on the user's target computer. The root user must assign additional privileges to the sudo user for the commands that a non-root user cannot access.
 

Using sudo functionality for querying UNIX targets

The Sudo functionality permits you to execute a command on a target computer, as a super user, or another user. For agentless raw data collection on UNIX targets, you can use the sudo (superuser do) functionality to run queries in the context of a super user.
To use the Sudo functionality: 
 

  • Make sure that the sudo program is installed on the UNIX target computer, on which you want to use the sudo functionality.
  • In the sudoers file, list the user accounts you will use to run the commands. Users whose credentials are added in the credentials database must have corresponding user accounts listed in the /etc/sudoers file. If you are the invoking user and a root user, and if the target user is the same as the invoking user, no password is required. However, if the invoking user and the target user are different, you must specify a password to execute commands on the target computer. See "Example of the sudoers file".
  • Disable password prompt in the sudoers file. See "Disabling password prompt in the sudoers file".
  • In the bvAgentlessConfig.ini file, enable the sudo option by configuring the SupportsSudo parameter. The bvAgentlessConfig.ini file is present at the following location on CCS Manager: <INSTALL_DIR>\Symantec\CCS\Reporting and Analytics\DPS\control\Unix\ConfigFiles

See "Configuring the SupportsSudo parameter in the bvAgentlessConfig.ini file"
 

  • In the ExecutionContext.ini file, prefix the word sudo before the commands of a query, to run the queries in the context of a super user. The ExecutionContext.ini file is present at the following location on CCS Manager.

<INSTALL_DIR>\Symantec\CCS\Reporting and Analytics\DPS\control\Unix\ConfigFiles
See "Optimizing queries using sudo in the ExecutionContext.ini file"
 

Disabling password prompt in the sudoers file

To be able to use sudo for running queries, you can add the following in the sudoers file to disable password prompt for every command:
<name> ALL=(ALL)     NOPASSWD: ALL  
where, <name> is the native user, whose credentials are specified in the credential database.
If the password prompt is not disabled and certain commands are blocked because no password is specified, you may encounter the following issues:
 

  • Special values for certain commands such as hostname, may return different values.
  • If the uname command is blocked, validation of agentless targets may fail and the data sources will not return data.
  • Data sources may return incomplete data.

Configuring the SupportsSudo parameter in the bvAgentlessConfig.ini file

To be able to use sudo for running queries, you must enable the sudo option by configuring the SupportsSudo parameter in the bvAgentlessConfig.ini file.
The parameter and its value are as follows:
SupportsSudo=<value>
Where, <value> is true or false.
The default value is false, which means the use of sudo is disabled by default.
To enable sudo for running queries on UNIX targets, specify the value as true. You must also specify the FQDN of the UNIX target computer before the SupportsSudo parameter.
For example,
[testcomputer.example.com]
SupportsSudo=true
Where, [testcomputer.example.com] is the FQDN of the UNIX target computer.
After sudo is enabled in the bvAgentlessConfig.ini file, you can use the ExecutionContext.ini file for optimizing queries by prefixing the word sudo before the commands specified in the ExecutionContext.ini file.
For information about CCS support for authentication with one account and sudo to root for general query credentials, see KB 156510.
 

Optimizing queries using sudo in the ExecutionContext.ini file

To be able to use sudo for running queries in the context of a super user, you must prefix the word sudo before the commands of the query specified in the ExecutionContext.ini file.
The following table lists the parameters that you can configure to run commands using sudo:

Table 1-1 Parameters to be configured for running commands using sudo

| Parameter | Description |
|---|---|
| ApplyPrefixForAll | Specify the value as true if you want to run all commands of a query on the target computer using sudo. If you want to run only specific commands of a query using sudo, specify the value as false. |
| Default | If you have specified the value as true for the ApplyPrefixForAll parameter, you can specify if any commands must be run without sudo. If you have specified the value as false for the ApplyPrefixForAll parameter, you can specify if any commands must be run with sudo. In this case the word sudo must be prefixed to each command. |
| <target platform> (AIX, LINUX, SunOS, HP-UX) | Specify for which platforms the queries must be run using sudo. |
| Target | Specify for which targets the queries must be run using sudo. The name can be the name of the target computer as displayed in the CCS console, or the IP address of the target computer. |

Example of the sudoers file

This is an example of the contents of the sudoers file, which is located in the /etc directory of the UNIX target computer. The example contains sample configurations required to use the sudo functionality, as described in the section "Using sudo functionality for querying UNIX targets".
##
# User alias specification
##
User_Alias UNIX_USERS = unix1, unix2, unix3
User_Alias CCS_USERS = bvunix1, bvunix2, bvunix3
##
# Defaults: members of these aliases are never prompted for a password
##
Defaults:UNIX_USERS !authenticate
Defaults:CCS_USERS !authenticate
##
# Runas alias specification
##
Runas_Alias SUPER_USERS = root
# Log every sudo invocation to this file
Defaults logfile=/var/log/sudolog
##
# Cmnd alias specification
# sudoers requires fully qualified command paths; give ulimit and inetadm
# their absolute paths on the target platform before using this file.
##
Cmnd_Alias APPLICATIONS = /usr/sbin/named
Cmnd_Alias AIX_ADMINCMDS = /usr/sbin/lsps, /usr/sbin/lsattr
Cmnd_Alias ADMINCMDS = /usr/sbin/prtconf, /sbin/runlevel, ulimit, AIX_ADMINCMDS
Cmnd_Alias NETWORKCMDS = /sbin/ifconfig, /usr/local/bin/nslookup, inetadm -p
Cmnd_Alias FILECMDS = /bin/cat, /bin/date '+%Z', /usr/bin/strings -n, \
/usr/bin/diff, /usr/bin/cmp, /usr/bin/find, \
/bin/echo, /usr/bin/file, /bin/df -P, \
/usr/bin/cksum, /bin/ls -la, /bin/ls -lad, \
/bin/ls -lac, /bin/ls -lau
#Cmnd_Alias COMMONCMDS = /usr/bin, /bin, /usr/local/bin
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias SYSADMCMD = /usr/lib/sendmail
Cmnd_Alias ACTIVEADMCMDS = /usr/sbin/adduser
##
# User specification
# sudo applies the last matching entry, so the trailing ALL also matches the
# commands negated before it (SU, ACTIVEADMCMDS, SYSADMCMD).
##
UNIX_USERS ALL = (SUPER_USERS) APPLICATIONS, NETWORKCMDS, ADMINCMDS, FILECMDS, !SU, !ACTIVEADMCMDS, \
!SYSADMCMD, NOPASSWD: ALL
CCS_USERS ALL = NOPASSWD: ALL
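
The following Python check is an added example, not part of the vendor article or of CCS. It flags the sudoers patterns this article relies on (NOPASSWD: ALL, !authenticate, a negated command followed by ALL, and command names without an absolute path) so the scope granted to the CCS query account can be reviewed. The sample text is constructed from the example above, and the parser assumes a simplified sudoers grammar (no include directives, no escaped commas).

```python
import re
# Constructed sample modelled on the article's sudoers example (not a real file).
SAMPLE = r"""
User_Alias CCS_USERS = bvunix1, bvunix2
Defaults:CCS_USERS !authenticate
Cmnd_Alias ADMINCMDS = /usr/sbin/prtconf, /sbin/runlevel, ulimit
Cmnd_Alias FILECMDS = /bin/cat, /bin/ls -la, \
    /usr/bin/cksum
Cmnd_Alias SU = /usr/bin/su
UNIX_USERS ALL = (root) ADMINCMDS, FILECMDS, !SU, NOPASSWD: ALL
CCS_USERS ALL = NOPASSWD: ALL
"""
ALIAS = re.compile(r"[A-Z][A-Z0-9_]*")  # sudoers alias names are upper case

def logical_lines(text):
    """Join backslash continuations; skip blank and '#' lines (includes ignored)."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            yield line.strip()

def audit(text):
    """Return (rule, detail) findings for simplified sudoers text."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("Defaults"):
            if "!authenticate" in line:  # password prompt switched off
                findings.append(("no-auth-default", line))
        elif m := re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.*)", line):
            for cmd in filter(None, (c.strip() for c in m.group(2).split(","))):
                if not cmd.startswith("/") and not ALIAS.fullmatch(cmd):
                    findings.append(("relative-command", f"{m.group(1)}: {cmd}"))
        elif "=" in line and not re.match(r"\w+_Alias\b", line):
            who, nopasswd, negated = line.split()[0], False, []
            for item in line.split("=", 1)[1].split(","):
                item = re.sub(r"^\s*\([^)]*\)\s*", "", item).strip()  # drop (runas)
                while t := re.match(r"(\w+):\s*", item):  # tags persist along the list
                    nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(t.group(1), nopasswd)
                    item = item[t.end():]
                if item.startswith("!"):
                    negated.append(item[1:].strip())
                elif item == "ALL":  # last match wins: ALL re-grants earlier negations
                    if nopasswd:
                        findings.append(("nopasswd-all", who))
                    if negated:
                        findings.append(("negation-overridden", f"{who}: {', '.join(negated)}"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A user specification that lists only fully qualified commands after NOPASSWD: produces no findings.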
 

Attachments

1674748366903__List of Unix Commands with Sudo Privileges_Updated 22_01_2021.docx
sudoes_files.zip