IPS translate command fails to generate the trans file due to an IPS exit code of 200

Article ID: 243342

Products

Data Center Security Server Advanced

Issue/Introduction

The IPS translate command failed to generate the trans file, which resulted in the process automatically setting the policy to "Built-in".

The root cause seemed to be a mystery error seen in the logs as follows:

nb-appliance:/home/maintenance # grep 239803 /tmp/409.log
05/17/2022 01:02:34.439 [Info] [239803] COMMAND_BEGIN(64): /opt/NBUAppliance/scripts/scsp/scsp_deploy.pl -r /opt/scsp -c
05/17/2022 01:02:34.943 [Info] [239803] Log Message :stop sisipsagent
05/17/2022 01:02:36.423 [Info] [239803] Log Message :stop sisipsutil
05/17/2022 01:02:36.582 [Info] [239803] Log Message :stop sisidsagent
05/17/2022 01:02:44.086 [Info] [239803] Log Message :Copied /opt/NBUAppliance/scripts/scsp/IDS/agent.ini to /opt/Symantec/sdcssagent/IDS/system/agent.ini
05/17/2022 01:02:44.095 [Info] [239803] Log Message :Copied /opt/NBUAppliance/scripts/scsp/IPS/agent.ini to /etc/sisips/agent.ini
05/17/2022 01:02:44.104 [Info] [239803] Log Message :Copied /opt/NBUAppliance/scripts/scsp/IPS/fallback.ini to /etc/sisips/fallback.ini
05/17/2022 01:02:44.114 [Info] [239803] Log Message :Copied /opt/NBUAppliance/scripts/scsp/IPS/sisips.reg to /etc/sisips/sisips.reg
05/17/2022 01:02:44.123 [Info] [239803] Log Message :Copied /opt/NBUAppliance/scripts/scsp/IPS/unmanaged_detection_policy.sbp.zip to /etc/sisips/unmanaged_detection_policy.sbp.zip
05/17/2022 01:02:44.135 [Info] [239803] Log Message :Copied /opt/NBUAppliance/scripts/scsp/IPS/unmanaged_prevention_policy.sbp.zip to /etc/sisips/unmanaged_prevention_policy.sbp.zip
05/17/2022 01:02:49.222 [Info] [239803] Log Message :Before translating the IPS policy
05/17/2022 01:02:49.234 [Info] [239803] Log Message :File: unmanaged_prevention_policy.sbp.zip found
05/17/2022 01:02:59.728 [Info] [239803] Log Message :Failed to translate the IPS policy.Exit Code : 200
05/17/2022 01:03:00.845 [Info] [239803] Log Message :start sisipsagent
05/17/2022 01:03:01.096 [Info] [239803] Log Message :start sisipsutil
05/17/2022 01:03:01.249 [Info] [239803] Log Message :start sisidsagent
05/17/2022 01:03:01.713 [Info] [239803] Log Message :Enabled trace for Symantec Data Center Security (SDCS)
05/17/2022 01:03:01.724 [Info] [239803] COMMAND_END(64): /opt/NBUAppliance/scripts/scsp/scsp_deploy.pl

Cause

Knowing where to start looking for the root cause is always the difficult part. In this case, the references to unmanaged_prevention_policy.sbp.zip in the log were the starting point.

After the translate command was executed manually and failed, an examination of the corresponding file "unmanaged_prevention_policy.conf" showed an error indicating that a certain ID or group could not be looked up. A search through the file "\log\sdcsslog\translate_strace.out" also turned up the following:

lstat("/home/wcatusers", 0x7ffc7982e020)  = -1 ENOENT (No such file or directory)

The policy, as delivered, specified an account or group through which the action could be performed. No group named wcatusers was found on the system (in this case Linux).

Environment

Release : 6.9.1

Resolution

Creating the group wcatusers on the local Linux system allowed the translation to complete without failing since the user/group existed.
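
The triage steps above can be scripted. The following is an added example, not vendor or appliance code: it finds failed translations in a deploy log, lists paths that returned ENOENT in the strace output, and reports which named groups do not resolve. The function names, the GROUP_DB override and the sample files are assumptions made for illustration, and the samples are constructed from the lines shown on this page.

```shell
#!/bin/sh
# Added example, not vendor code: triage helpers for the failure shown on this page.

# Print "timestamp pid=N exit=N" for every failed IPS policy translation in a deploy log.
translate_failures() {
    sed -n 's|^\([0-9/]* [0-9:.]*\) \[[A-Za-z]*\] \[\([0-9]*\)\] Log Message :Failed to translate the IPS policy\.Exit Code : \([0-9]*\).*$|\1 pid=\2 exit=\3|p' "$1"
}

# Print each distinct path whose stat/lstat call returned ENOENT in strace output.
enoent_paths() {
    sed -n 's|^l\{0,1\}stat("\([^"]*\)".*= -1 ENOENT.*$|\1|p' "$1" | sort -u
}

# Print every name in "$@" that does not resolve as a group.
# GROUP_DB is a hypothetical override pointing at a group(5)-format file;
# when unset, getent is used so directory-backed groups are honoured too.
missing_groups() {
    for g in "$@"; do
        if [ -n "${GROUP_DB:-}" ]; then
            awk -F: -v g="$g" '$1 == g { ok = 1 } END { exit !ok }' "$GROUP_DB" || echo "$g"
        else
            getent group "$g" >/dev/null 2>&1 || echo "$g"
        fi
    done
}

# Write constructed sample inputs (shaped like the lines on this page) into directory $1.
make_samples() {
    cat > "$1/deploy.log" <<'EOF'
05/17/2022 01:02:49.234 [Info] [239803] Log Message :File: unmanaged_prevention_policy.sbp.zip found
05/17/2022 01:02:59.728 [Info] [239803] Log Message :Failed to translate the IPS policy.Exit Code : 200
05/17/2022 01:03:00.845 [Info] [239803] Log Message :start sisipsagent
EOF
    cat > "$1/strace.out" <<'EOF'
lstat("/etc/sisips", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/home/wcatusers", 0x7ffc7982e020)  = -1 ENOENT (No such file or directory)
EOF
    printf 'root:x:0:\ndaemon:x:1:\n' > "$1/group"   # constructed group database
}

demo() {
    d=$(mktemp -d) && make_samples "$d"
    translate_failures "$d/deploy.log"
    enoent_paths "$d/strace.out"
    ( GROUP_DB="$d/group"; missing_groups daemon wcatusers )
    rm -rf "$d"
}
demo
```

On a real system, pass the deploy log and the translate strace output as the file arguments and leave GROUP_DB unset. Any name printed by missing_groups is a candidate cause of the fallback to the "Built-in" policy.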