
How do I configure my environment for Control Compliance Suite for UNIX in an agentless mode?


Article ID: 151838


Products

Control Compliance Suite Unix

Issue/Introduction

How do I configure my environment for CCS UNIX in an agentless mode?

 

Resolution

Requirements for running an Agentless CCS UNIX configuration:

1) OpenSSH must be compiled, installed and configured on all boxes. The UNIX administrator must expedite this. The explanation for this is not in the scope of this discussion.

2) If you will not be given access to a root equivalent account, sudo must be installed and configured on the box. Anything less than root privileges for the sudo user may result in incorrect results.

3) A user account and password with a shell and home directory must be created.

4) The user's environment must have the path to sudo in it if it is not in /usr/bin or /usr/sbin. Append the path statement in the user's .profile, .bashrc, .cshrc, or the startup file of whatever shell is being used that will log to a shell history file.

5) For debug logging there must be a .sh_history or .bash_history in the home directory. The user's shell can be anything; we switch to the Bourne shell after login. So if the user's shell is .cshrc, the data after login will be logged to the /export/home/<user>.sh_history. In the .profile, the HISTFILE and HISTSIZE environment variables must be set.


6) It should not be necessary to use any command aliases in the sudoers file if using "root ALL = (ALL) ALL"

7) Here are the recommended default entries for the sudoers file (there is an example in the on-line Help in the Console.)


User_Alias BV_CONTROL_USERS = bvagentless    # or whatever account name is used
Runas_Alias BV_CONTROL_USERS = root
BV_CONTROL_USERS ALL = NOPASSWD: ALL
# the root account name is lowercase; sudoers user names are case-sensitive
root ALL = (ALL) ALL

Optional:
Defaults logfile=/var/log/sudolog    # or wherever

8) The contents of \Program Files\Bindview\RMS\Control\UNIX\ConfigFiles\bvAgentlessConfig.ini should be all commented out except the last line. If SecuredFiles=SecuredFiles.dat is commented out, you will not have access to /etc/shadow and /etc/passwd, making most user queries useless.

Example: This example shows SecuredFiles=SecuredFiles.dat commented out. Remove the semicolon and it will no longer be commented out.

; bvControl for UNIX
[default]

; Possible Values: true or false
; Description: Used for ignoring remote filesystems while query
;IgnoreRemoteFileSystems=false

; Specifies the path to the file containing list of directories to be ignored for
; queries using "find" command
;IgnoreDirectoryPathsForFind=IgnoreDirectoryPathsForFind.dat

; Specifies the path to the file containing list of directories to be ignored for
; all queries
;IgnoreDirectoryPathsAlways=IgnoreDirectoryPathsAlways.dat

; Content information for files listed in SecuredFilesList.dat will not be displayed
; SecuredFiles=SecuredFiles.dat

; Possible Values: true or false
; Description: Used for Sudo support
SupportsSudo=true

CCS UNIX: add the following options:

; ExceptionList Processing options
;
; Possible values : true or false
;ExclusionRuleFeatureEnabled=false
;
; Possible value : file name in which rules are defined, if above parameter is true
;ExclusionRuleFile=ExceptionRules.ini
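
One way to check a copy of bvAgentlessConfig.ini against step 8, as an added example that is not part of the original article or the product: the Python script below reports which options are active, which known options are commented out, and whether SupportsSudo and SecuredFiles are set as described above. The sample text is constructed from the article's example file, and the function name audit_agentless_ini is hypothetical.

```python
import configparser
import re

# Constructed sample mirroring the article's example file (some options trimmed).
SAMPLE_INI = """\
; bvControl for UNIX
[default]
; Possible Values: true or false
;IgnoreRemoteFileSystems=false
; Content information for files listed in SecuredFilesList.dat will not be displayed
; SecuredFiles=SecuredFiles.dat
; Description: Used for Sudo support
SupportsSudo=true
"""

# Option names taken from the article's example file.
KNOWN_KEYS = ("IgnoreRemoteFileSystems", "IgnoreDirectoryPathsForFind",
              "IgnoreDirectoryPathsAlways", "SecuredFiles", "SupportsSudo",
              "ExclusionRuleFeatureEnabled", "ExclusionRuleFile")

def audit_agentless_ini(text):
    """Return (active, commented_out, findings) for the [default] section."""
    parser = configparser.ConfigParser(comment_prefixes=(";",), interpolation=None)
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(text)
    active = dict(parser["default"]) if parser.has_section("default") else {}

    # A ';' line of the form KEY=VALUE for a known key is a disabled option,
    # as opposed to a descriptive comment such as "; Possible Values: ...".
    commented_out = {}
    for line in text.splitlines():
        m = re.match(r"\s*;\s*(\w+)\s*=\s*(\S+)\s*$", line)
        if m and m.group(1) in KNOWN_KEYS and m.group(1) not in active:
            commented_out[m.group(1)] = m.group(2)

    findings = []
    if active.get("SupportsSudo", "").lower() != "true":
        findings.append("SupportsSudo is not set to true")
    if "SecuredFiles" not in active:
        findings.append("SecuredFiles is commented out or missing "
                        "(step 8: remove the leading semicolon)")
    return active, commented_out, findings

if __name__ == "__main__":
    active, disabled, findings = audit_agentless_ini(SAMPLE_INI)
    print("active:", active)
    print("commented out:", disabled)
    for item in findings:
        print("finding:", item)
```

To audit a real file, read its contents into a string and pass that to audit_agentless_ini in place of SAMPLE_INI.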

Once this is completed, a "plink" test can be performed if validation fails.
Plink uses command-line options similar to those of ssh:

plink -v -l <username> -pw <password> <target>


You do not have to use the same user account and password on all machines, but you will have to keep track of them.