I need to check if policy changes are being applied at the Linux Agent
Article ID: 377272

Products

Endpoint Security

Issue/Introduction

You would like to know if the policy changes are being accepted by the SEP for Linux Agent.

Environment

SEP 14.3 RU4+

Resolution

Here are the details you can use to check, from the Agent level, whether a policy change is taking place.

1) As root, type the following command, then inspect the output. In "Pull" mode with a 1 min interval, the proc file output will reflect the change about 1 min after the policy is changed on the SEPM side.

# cat /proc/sisap/status
VER=1.78
...

2) The mode line shows whether the current AP module is ENA(bled) or DIS(abled).

When Auto Protect [AP] is enabled by SEPM policy
=== UCOMM ===
mode=ENA
...

When AP is disabled by SEPM policy
=== UCOMM ===
mode=DIS
...

The scanner pid is one of the sisamddaemon task ids (i.e. a thread id). You can confirm that it belongs to the sisamddaemon process by looking it up under that process's task directory:
# ps -ef | grep sisamddaemon
root      1941     1  3 Aug02 ?        1-09:42:59 /opt/Symantec/sdcssagent/AMD/bin/sisamddaemon
# ls /proc/1941/task | grep 2032
2032

3) The AP flags line gives the details of the scanning policy.

When Scan when accessed and modified is selected
=== STATUS ===
client pid=1941
...
AP flags=0x4287 (WR | RD | EX | FX | DY_EX | NR)


When Scan when modified is selected
=== STATUS ===
client pid=1941
...
AP flags=0x4285 (WR | EX | FX | DY_EX | NR)

The client pid is the sisamddaemon process id.
The AP flags value shows which file hooks are currently active:
0x4287 (WR | RD | EX | FX | DY_EX | NR) == accessed and modified
0x4285 (WR | EX | FX | DY_EX | NR) == modified

The difference is the RD bit. This means that in "modified" mode the read(), fstat() and access() system calls are omitted from the hook that creates AP events.

Using the above output examples, and changes to the policy from the SEPM, you should be able to determine if the policy change has been applied. The policy will encompass all the settings from SEPM, so if you change the AP state, and the Agent takes the change, then we know it's getting the new policy from SEPM.

Additional Information

Here are the details of the different flags.
For example, the EX flag means 'scan before execute'.
Please note that not all of these flags are available and configurable through the SEPM policy.

SISAP_FL_AP_WR          0x0001 // scan after write access
SISAP_FL_AP_RD          0x0002 // scan before read access
SISAP_FL_AP_EX          0x0004 // scan before execute
SISAP_FL_AP_HC          0x0008 // hold user on close/modified
SISAP_FL_AP_D_FL        0x0010 // scan floppies
SISAP_FL_AP_D_NE        0x0020 // scan network volumes
SISAP_FL_AP_D_RM        0x0040 // scan removable (e.g. CD) volumes
SISAP_FL_AP_D_FX        0x0080 // scan fixed volumes
SISAP_FL_AP_D_DY        0x0100 // scan dynamic volumes (/proc)
SISAP_FL_AP_D_DY_EX     0x0200 // scan exec on dynamic volumes (for use if dynamic scan off)
SISAP_FL_AP_D_NE_EX     0x0400 // scan exec on network volumes (for use if network scan off)
SISAP_FL_AP_D_UNUSED    0x0800 // unused bit
SISAP_FL_AP_NW          0x1000 // no-wait scan mode (except exec)
SISAP_FL_AP_T0          0x2000 // truncation to zero -> modified
SISAP_FL_AP_NR          0x4000 // don't restore atime after scan
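As an added worked example (not from the article or the SEP product), here is a small Python decoder that reads the /proc/sisap/status fields described under Resolution and expands the AP flags value using the table above. It assumes the short names in the status output (FX, DY_EX, ...) are the SISAP_FL_AP_* constants with their prefixes dropped, as the article's own examples show, and it runs on a constructed sample rather than a live agent.

```python
import re
# AP flag bits as listed in the article; the short names in the
# /proc/sisap/status output (FX, DY_EX, ...) are assumed to be the
# SISAP_FL_AP_* constants with the SISAP_FL_AP_ and D_ prefixes dropped.
AP_FLAGS = {
    0x0001: "WR", 0x0002: "RD", 0x0004: "EX", 0x0008: "HC",
    0x0010: "FL", 0x0020: "NE", 0x0040: "RM", 0x0080: "FX",
    0x0100: "DY", 0x0200: "DY_EX", 0x0400: "NE_EX", 0x0800: "UNUSED",
    0x1000: "NW", 0x2000: "T0", 0x4000: "NR",
}

def decode_ap_flags(value):
    """Return the names of the bits set in an AP flags value, lowest bit first."""
    names = [name for bit, name in sorted(AP_FLAGS.items()) if value & bit]
    unknown = value & ~sum(AP_FLAGS)  # bits the table does not cover
    if unknown:
        names.append("UNKNOWN(0x%04x)" % unknown)
    return names

def _field(text, pattern):
    """First capture group of a line-anchored regex, or None if absent."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def parse_status(text):
    """Pull mode, client pid and AP flags out of /proc/sisap/status text."""
    result = {"mode": _field(text, r"^mode=(\w+)")}
    pid = _field(text, r"^client pid=(\d+)")
    result["client_pid"] = int(pid) if pid else None
    flags = _field(text, r"^AP flags=0x([0-9a-fA-F]+)")
    result["ap_flags"] = int(flags, 16) if flags else None
    result["ap_flag_names"] = decode_ap_flags(result["ap_flags"] or 0)
    return result

def policy_check(text):
    """Summarise what the status says the currently applied policy does."""
    s = parse_status(text)
    return {
        "ap_enabled": s["mode"] == "ENA",              # AP module enabled
        "scan_on_access": "RD" in s["ap_flag_names"],  # read hook present
        "scan_on_modify": "WR" in s["ap_flag_names"],  # write hook present
    }

# Constructed sample (not a real capture): AP enabled, "Scan when modified", no RD bit.
SAMPLE = """=== UCOMM ===
mode=ENA
=== STATUS ===
client pid=1941
AP flags=0x4285 (WR | EX | FX | DY_EX | NR)
"""
```

Run policy_check on the real status text after a SEPM change and compare the result before and after to confirm the Agent picked up the new policy.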