"This query was halted before completion" while running data collection on UNIX Platform


Article ID: 161031


Products

Control Compliance Suite Unix

Issue/Introduction

When running data collection (DC) jobs using a UNIX standard, the job runs for a long time and then times out. The console displays a message about commands that have been halted.

Error 1: This query was halted before completion - Query timed out in command execution: find /* -name "*" -nouser -o -nogroup @lt/dev/null

Error 2: This query was halted before completion - Query timed out in command execution: find / -name "*" -type d \\( -perm -0002 -a ! -perm -1000 \\) @lt/dev/null

This does not always involve a "find" command; it can also occur with "du" or other file or filesystem commands that run for a long time.

Cause

The timeouts occur because the DC accesses remote filesystems. The "find" or "du" commands do not exclude filesystems such as nfs or autofs, which requires correct usage of the pruning option.

Resolution

For RedHat the FindOptions for the following checks have been modified to exclude the remote mounts.

  • Are there no '.' or group/world-writable directories in root's $PATH?

  • Do world-writable directories have sticky bit set?

  • No unauthorized SUID system executables?

  • No unauthorized SGID system executables?

  • Do unowned files exist on the system?

  • No unauthorized world-writable files?

 

For HP-UX the FindOptions for the following checks have been modified to exclude the remote mounts:

 

  • 5.7.1 Are system files world-writable?

  • 5.3.1 Do unauthorized world-writable files exist on the system?

  • 5.5.2 Are there any unauthorized SGID executables on the server?

  • 5.5.1 Are there any unauthorized SUID executables on the server?

  • 5.6.1 Are any orphan files and directories present on the system?

  • 5.4.2 Are Set-GID removed from system executables?

  • 5.4.1 Are the Set-UID removed from system executables?

  • 7.5.1 Are the system log files protected from unauthorized users?

  • 8.8.1 Are write permissions not allowed to group and others on configuration files inside home directories?

  • 8.6.2 Does the PATH attribute of root not contain group/world writable directory?

Agentless only: in CCS Manager, the following 2 DLLs have been modified at this location: ‘C:\Program Files (x86)\Symantec\CCS\Reporting and Analytics\DPS\control\Unix’

  • BVUnixDataSourceImpl.dll

  • BVUnixUsersDataSource.dll

 

For Solaris, the modified checks are:

  • 7.9.5 Are directories in root users PATH, world writeable?

  • 7.9.4 Are directories in root users PATH, group writeable?

  • 5.4.1 Has the sticky bit been set on all world writeable directories?

  • 5.5.1 Do world writeable files exist on the system?

  • 5.7.1 Does the system have any orphan files and directories?

  • 5.6.2 Does the system contain any SGID System Executables?

  • 5.6.1 Does the system contain any SUID System Executables?

  • 5.8.1 Does the system contain any Files and Directories with Extended Attributes?

 The find options will exclude nfs, autofs and proc.

 

For Security Essentials for AIX 5.x and 6.1, FindOptions for the following checks have been modified to exclude the remote mounts:

  • Is sticky bit set on world-writable directories?
  • Are there any unauthorized SGID executables on the server?
  • Are there any unauthorized SUID executables on the server?
  • Are all the files and directories owned by valid users and groups?
  • Are all world-writable files removed from the system?
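The pruning idiom described above, as an added example that is not the CCS FindOptions themselves (the article does not show them). It assumes a find that supports `-fstype`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not CCS code. Function names are hypothetical.
# Assumes a find(1) that supports -fstype (e.g. GNU findutils).

# Filesystem types the article says the modified find options exclude.
SKIP_FSTYPES="nfs autofs proc"

# Emit "-fstype nfs -o -fstype autofs -o -fstype proc" from SKIP_FSTYPES.
build_prune_expr() {
    prune=""
    for t in $SKIP_FSTYPES; do
        prune="${prune:+$prune -o }-fstype $t"
    done
    printf '%s\n' "$prune"
}

# World-writable directories without the sticky bit (the test in Error 2).
# "( fstypes ) -prune -o ... -print": a directory on a skipped filesystem is
# pruned, so find never descends into it; everything else is evaluated by
# the right-hand side. The explicit -print keeps pruned mount points out of
# the output.
find_ww_nosticky() {
    # $(build_prune_expr) is left unquoted on purpose so it splits into words.
    find "${1:-/}" \( $(build_prune_expr) \) -prune -o \
        -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null
}

# Files with no valid owner or group (the test in Error 1). The parentheses
# around "-nouser -o -nogroup" matter: without them -print would bind only
# to -nogroup.
find_unowned() {
    find "${1:-/}" \( $(build_prune_expr) \) -prune -o \
        \( -nouser -o -nogroup \) -print 2>/dev/null
}
```

Running either function on `/` of a host with NFS or automounter mounts shows the difference in run time against the unpruned commands quoted in the error messages.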

 

 

 

Applies To

The issue can happen in both Agent based and Agentless data collection setup.

Attachments

Update RHEL6 standard.zip
Update RHEL5 standard.zip
Update HP-UX Standard (agentless).zip
Update CIS Solaris 10 Benchmark v4.0.zip
Security Essentials for AIX 5.x and 6.1.zip