Configuration for Control Compliance Suite agentless data collection on UNIX targets
To configure the environment for CCS data collection on UNIX target computers, you can assign the following privileges to users depending on your requirements:
A user with root account privileges has default access to all UNIX commands and files, whereas a user with non-root account privileges has limited access to UNIX commands and files. For a non-root user, you must install and configure sudo on the user's target computer. The root user must assign additional privileges to the sudo user to access commands that a non-root user cannot access.
The sudo functionality permits you to execute a command on a target computer as a super user or as another user. For agentless raw data collection on UNIX targets, you can use the sudo (superuser do) functionality to run queries in the context of a super user.
To use the Sudo functionality:
<INSTALL_DIR>\Symantec\CCS\Reporting and Analytics\DPS\control\Unix\ConfigFiles
See "Optimizing queries using sudo in the ExecutionContext.ini file"
To use sudo for running queries, you can add the following line to the sudoers file to disable the password prompt for every command:
<name> ALL=(ALL) NOPASSWD: ALL
where <name> is the native user whose credentials are specified in the credential database.
You may encounter the following issues if the password prompt is not disabled and certain commands are blocked because no password is specified:
To be able to use sudo for running queries, you must enable the sudo option by configuring the SupportsSudo parameter in the bvAgentlessConfig.ini file.
The parameter and its value are as follows:
Where <value> is true or false.
The default value is false, which means the use of sudo is disabled by default.
To enable sudo for running queries on UNIX targets, specify the value as true. You must also specify the FQDN of the UNIX target computer before the SupportsSudo parameter.
Where [testcomputer.example.com] is the FQDN of the UNIX target computer.
After sudo is enabled in the bvAgentlessConfig.ini file, you can use the ExecutionContext.ini file for optimizing queries by prefixing the word sudo before the commands specified in the ExecutionContext.ini file.
For information about CCS support for authentication with one account and sudo to root for general query credentials, see KB 156510.
To be able to use sudo for running queries in the context of a super user, you must prefix the word sudo before the commands of the query specified in the ExecutionContext.ini file.
The following table lists the parameters that you can configure to run commands using sudo:
Table 1-1 Parameters to be configured for running commands using sudo

| Parameter | Description |
|---|---|
| ApplyPrefixForAll | Specify the value as true if you want to run all commands of a query on the target computer using sudo. If you want to run only specific commands of a query using sudo, then specify the value as false. |
| Default | If you have specified the value as true for the ApplyPrefixForAll parameter, you can specify if any commands must be run without sudo. If you have specified the value as false for the ApplyPrefixForAll parameter, you can specify if any commands must be run with sudo. In this case the word sudo must be prefixed to each command. |
| AIX, LINUX, SunOS, HP-UX | Specify for which platforms the queries must be run using sudo. |
| Target | Specify for which targets the queries must be run using sudo. The name can be the name of the target computer as displayed in the CCS console, or the IP address of the target computer. |

This is an example of the contents of the sudoers file, which is located in the /etc directory of the UNIX target computer. The example contains sample configurations required to use the sudo functionality, as mentioned in the section Using sudo functionality for querying UNIX targets.
# User alias specification
User_Alias UNIX_USERS = unix1, unix2, unix3
User_Alias CCS_USERS = bvunix1, bvunix2, bvunix3
# Runas alias specification
Runas_Alias SUPER_USERS = root
# Cmnd alias specification
Cmnd_Alias APPLICATIONS = /usr/sbin/named
Cmnd_Alias AIX_ADMINCMDS = /usr/sbin/lsps, /usr/sbin/lsattr
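# sudoers commands must be absolute paths; /usr/bin/ulimit and /usr/sbin/inetadm are assumed locations, adjust per platform
Cmnd_Alias ADMINCMDS = /usr/sbin/prtconf, /sbin/runlevel, /usr/bin/ulimit, AIX_ADMINCMDS
Cmnd_Alias NETWORKCMDS = /sbin/ifconfig, /usr/local/bin/nslookup, /usr/sbin/inetadm -p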
Cmnd_Alias FILECMDS = /bin/cat, /bin/date '+%Z', /usr/bin/strings -n, \
/usr/bin/diff, /usr/bin/cmp, /usr/bin/find, \
/bin/echo, /usr/bin/file, /bin/df -P, \
/usr/bin/cksum, /bin/ls -la, /bin/ls -lad, \
/bin/ls -lac, /bin/ls -lau
#Cmnd_Alias COMMONCMDS = /usr/bin, /bin, /usr/local/bin
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias SYSADMCMD = /usr/lib/sendmail
Cmnd_Alias ACTIVEADMCMDS = /usr/sbin/adduser
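# sudoers applies the last matching entry, so the trailing ALL also matches the commands negated with "!" before it
UNIX_USERS ALL = (SUPER_USERS) APPLICATIONS, NETWORKCMDS, ADMINCMDS, FILECMDS, !SU, !ACTIVEADMCMDS, \
!SYSADMCMD, NOPASSWD: ALL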
CCS_USERS ALL = NOPASSWD: ALL
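
The following audit sketch is an added example, not part of the Symantec documentation or CCS. It evaluates a command list the way sudoers does (entries in order, last match wins) to show which commands a rule like the UNIX_USERS line above actually permits. The function names and the condensed SAMPLE text are constructed for illustration, and the parser assumes only the simple syntax shown here.

```python
import re

# Constructed input: a condensed copy of the sample sudoers entries on this page.
SAMPLE = r"""
Cmnd_Alias FILECMDS = /bin/cat, \
                      /usr/bin/find
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias ACTIVEADMCMDS = /usr/sbin/adduser
UNIX_USERS ALL = (SUPER_USERS) FILECMDS, !SU, !ACTIVEADMCMDS, NOPASSWD: ALL
"""

def parse(text):
    """Return (cmnd_aliases, user_specs); handles only the simple syntax in SAMPLE."""
    text = re.sub(r"\\\n\s*", " ", text)             # join backslash-continued lines
    aliases, specs = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()         # drop comments
        alias = re.match(r"(\w+_Alias)\s+(\w+)\s*=\s*(.*)", line)
        spec = re.match(r"(\S+)\s+\S+\s*=\s*(.*)", line)
        if alias:
            if alias[1] == "Cmnd_Alias":
                aliases[alias[2]] = [c.strip() for c in alias[3].split(",") if c.strip()]
        elif spec:
            specs[spec[1]] = [c.strip() for c in spec[2].split(",") if c.strip()]
    return aliases, specs

def expand(name, aliases):
    """Flatten a Cmnd_Alias (possibly nested) into concrete command paths."""
    if name in aliases:
        return [c for member in aliases[name] for c in expand(member, aliases)]
    return [name]

def allowed(command, spec, aliases):
    """Walk the command list in order; the last matching entry decides."""
    verdict = False                                   # no match means sudo refuses
    for item in spec:
        item = re.sub(r"^\([^)]*\)\s*", "", item)     # strip Runas, e.g. (SUPER_USERS)
        item = re.sub(r"^(?:[A-Z]+:\s*)+", "", item)  # strip tags, e.g. NOPASSWD:
        negated = item.startswith("!")
        name = item.lstrip("! ")
        if name == "ALL" or command in expand(name, aliases):
            verdict = not negated
    return verdict

def audit(text, user, commands):
    """Map each command to True/False for the given user or User_Alias."""
    aliases, specs = parse(text)
    return {c: allowed(c, specs[user], aliases) for c in commands}

if __name__ == "__main__":
    print(audit(SAMPLE, "UNIX_USERS", ["/bin/cat", "/usr/bin/su", "/usr/sbin/adduser"]))
```

Run against SAMPLE, every command is reported as permitted, including the negated ones; removing the trailing `NOPASSWD: ALL` entry makes the `!SU` and `!ACTIVEADMCMDS` exclusions take effect.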