Certain Unix, Linux and Mac (ULM) agent data that was in clear text in previous versions has been encrypted in 7.5. Among the data that is now encrypted are the package codebase and policy xml files, which are useful for troubleshooting purposes. This data can be made available in a decrypted format by applying what is known as a ‘troubleshooting password’ and running the ‘aex-dsecuredb’ command on a ULM client computer.
High-level Overview
Setting the troubleshooting password
The troubleshooting password field is available in the 7.5 SMP/NS console at Settings, All Settings, Agents/Plug-ins, Symantec Management Agent, Settings, Symantec Management Agent Settings – Global, ‘Authentication’ tab, in the ‘Remote troubleshooting password’ section.
After checking the ‘Allow remote troubleshooting’ checkbox and entering a secure password, the troubleshooting password will be encrypted and sent to the clients as part of the global policy. Note that this feature requires a password of at least eight characters and must contain at least on upper case letter, one lower case letter, one number and one special character.
Following is a screen shot of the ‘troubleshooting password’ screen in the NS console:
Decrypting securedb data on the ULM clients
The ULM agent includes a command named ‘aex-dsecuredb’. This command creates decrypted copies of the securedb directory’s encrypted files.
Please note the following regarding the aex-dsecuredb command:
Limited mode:
This mode does not prompt for the troubleshooting password. Running this command without any command line parameters results in the decryption of a very limited set of directories and files.
Example:
$ sudo aex-dsecuredb
The resulting directory tree is something like:
|-ctagent
High Mode:
This mode requires elevated privileges and prompts for the troubleshooting password. After successfully entering the troubleshooting password when prompted, this mode creates a complete set of decrypted files.
$ sudo aex-dsecuredb -high
Enter superuser password:
The resulting directory tree is something like the following. Note that all securedb directories have been decrypted.
|-ctagent
|---cache
|-nsagent
Codebase files:
Codebase files contain the package download locations for each package available to a given client. Knowing the download location is helpful for troubleshooting software installation and other issues.
In previous versions, the codebase file was available in the /opt/altiris/notification/nsagent/var/packages/<package guid>/.aex-pkg-codebase-<package guid> file.
In 7.5, the codebase files are available in the following directory after decrypting them with the troubleshooting password:
/opt/altiris/notification/nsagent/var/securedb.decrypted/nsagent/packages/<package guid>/package.xml
Policy XML files:
Policy files contain information regarding each policy assigned to a given client, including (depending on the policy type), the policy name, execution priorities, applicable platforms and other criteria unique to each policy type.
After decrypting the securedb with the “-high” parameter, the decrypted policies are available in:
/opt/altiris/notification/nsagent/var/securedb.decrypted/nsagent/policies/data/<policy guid>/<identifier>