ESM File Find module not picking up setuid/setgid executable files on RHEL (Red Hat Enterprise Linux)


Article ID: 171185


Products

Control Compliance Suite Windows

Issue/Introduction

When running Message Based data Collection (MBC) using Enterprise Security Manager policies, the File Find module does not flag executables that it should flag in the SetUID and SetGID checks.
 

Cause

On Red Hat Enterprise Linux (RHEL) agents, the setuid and setgid checks parse the output of the Linux file command, looking for the word "executable". The presence of this word tells the ESM module that the file has failed the check. However, in later versions of RHEL the executables are compiled with the libraries, and the file command reports them as "shared object" types rather than as executable. As a result, these checks did not report that these files were actually executable.
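The mismatch described above can be reproduced and cross-checked independently. The following is an added example, not Symantec's code or the logic shipped in the QF: it contrasts the string match with a check based on the file's mode bits and ELF header type. All function names, the sample descriptions and the sample header are constructed for illustration.

```python
import os
import stat
import struct

# Constructed file(1)-style descriptions (sample values, not captured output).
OLD_STYLE = "setuid ELF 32-bit LSB executable, Intel 80386, dynamically linked"
NEW_STYLE = "setuid ELF 64-bit LSB shared object, x86-64, dynamically linked"
# Constructed 18-byte little-endian ELF64 header prefix with e_type = 3.
PIE_HEADER = b"\x7fELF\x02\x01\x01" + bytes(9) + b"\x03\x00"
ET_EXEC, ET_DYN = 2, 3  # ELF e_type: fixed-address executable, PIE/shared object

def naive_flags(description):
    """String match described in the Cause section: look for 'executable'."""
    return "executable" in description

def elf_type(header):
    """Return e_type from the first bytes of a file, or None if it is not ELF."""
    if len(header) < 18 or header[:4] != b"\x7fELF":
        return None
    byte_order = "<" if header[5] == 1 else ">"  # EI_DATA: 1 = little-endian
    return struct.unpack_from(byte_order + "H", header, 16)[0]

def should_flag(mode, header):
    """Flag regular files with setuid/setgid set that look like programs."""
    if not stat.S_ISREG(mode) or not mode & (stat.S_ISUID | stat.S_ISGID):
        return False
    has_exec_bit = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    # Assumption: ELF of either type, or a "#!" script, counts as a program.
    runnable = elf_type(header) in (ET_EXEC, ET_DYN) or header[:2] == b"#!"
    return has_exec_bit and runnable

def scan(root):
    """Walk root and return the paths that should_flag() accepts."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
                if not stat.S_ISREG(mode):
                    continue  # skip symlinks, FIFOs and devices
                with open(path, "rb") as fh:
                    header = fh.read(18)
            except OSError:
                continue  # unreadable file: cannot classify
            if should_flag(mode, header):
                hits.append(path)
    return hits

if __name__ == "__main__":
    print("\n".join(scan("/usr/bin")))
```

Comparing the output of scan() with the File Find module's report on the same agent shows which setuid/setgid files the string match missed.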

 

Environment

CCS 9.x and higher using Message Based data Collection (MBC) with Security Update (SU) 47.
 

Resolution

Symantec has released a Quick Fix (QF) package 11103 that can be pushed by the ESM console to the ESM managers. The fix will be pushed via LiveUpdate to Intel-based 32-bit Linux agents during the next policy run. Agents must have SU 47 and LiveUpdate activated to receive this fix.
Directions for how to stage and push the package are included in the QF.

NOTE: Message Based data Collection requires that the 32-bit version of the Linux agent, along with the 32-bit libraries, be loaded onto the RHEL machine.