How to disable Domain Cache in Control Compliance Suite

book

Article ID: 197180

calendar_today

Updated On:

Products

Control Compliance Suite Standards Server Control Compliance Suite Control Compliance Suite Unix Control Compliance Suite Windows

Issue/Introduction

Symantec Control Compliance Suite (CCS)

When running CCS scans, you do not need CCS to report on information about users or groups, or you use the predefined benchmarks released by Symantec.

NOTE: The predefined CIS benchmarks released by Symantec do not require domain cache when run, so domain cache can be disabled.

Cause

Domain Cache is enabled by default and needs to be collected by each manager for each domain. The Domain Cache is pushed down to each agent to use in scans that need information about users, groups, or some computer components.

Environment

Release : CCS 12.x 
SCU: 2018-1 (or newer SCU)

Component :  Needs to be set on each CCS manager that you want to disable Domain Cache.

Resolution

Full information about disabling domain cache in the CCS 12.x documentation:

12.x documentation to disable domain cache

How to disable domain cache:

On each CCS manager that you would like to disable domain cache, do the following:

  1. Make a backup of the ConfigurationSettings.xml file in the <CCS installation directory>\Symantec\CCS\Reporting and Analytics\DPS \control\Windows directory.

  2. Edit the ConfigurationSettings.xml file and add the following parameter:
    <PlatformSetting>
    <Key>BuildDomainCache</Key>
    <Value><![CDATA[FALSE]]></Value>
    <Metadata><![CDATA[]]></Metadata>
    </PlatformSetting>
  3. To synchronize the configuration parameter changes with the agents, modify the <CCS installation directory>\Symantec\CCS\Reporting and Analytics\DPS\ManagerManifestFile.xml (still on the CCS manager) and increase the "wnt.Dictionary.ConfigurationSettings-xml" version number by 1.  As always, make a backup of the ManagerManifestFile.xml file before you make changes.
    Example:
    <file id="wnt.Dictionary.ConfigurationSettings-xml" FileTypeKey="wnt.Configuration" version="16-06-2018 07:00:54"
    FilterValue="" ignore_if_absent_on_agent="false">
    				<name>ConfigurationSettings.xml</name>
        <manager_path>control/windows</manager_path>
        <MFH library="" procedure="" />
        <depFiles />
      </file>
    In this example, you would increase the version to "16-06-2020 07:00:55"
    (NOTE: the version may also just be a numeric value and not a date/time as shown in the example)

    Additional note:  In agentless data collection, you do not need any such version increment in the ManagerManifestFile.xml file.

  4. Stop and restart the 'Symantec CCS Manager' and 'Symantec Data Processing Service' services on the manager.
     

Additional Information

If you just want to disable collecting domain cache for specific domains, but not all domains, you can use the also add the 'DomainCacheExclusionList' to to ConfigurationSettings.xml file (after step 2 above, but before doing step 3) and specify which domains you want to disable domain cache.

Example:

<PlatformSetting>
  <Key>BuildDomainCache</Key>
<Value><![CDATA[TRUE]]></Value>
  <Metadata><![CDATA[]]></Metadata>
</PlatformSetting>
<PlatformSetting>
  <Key>DomainCacheExclusionList</Key>
  <Value><![CDATA[domainA,domainB,domainC]]></Value>
  <Metadata><![CDATA[]]></Metadata>
</PlatformSetting>

In the 'DomainCacheExclusionList' parameter, list the domain for which you do not want cache to be created. If you want to list more than one domain, provide a comma-separated list of domains.

Attachments