BSA: Compliance Job fails with warning: "truncated data from job result for rule..."

Version 1

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    BladeLogic Server Automation Suite





    When running CIS-Compliance, the job generates the following warning: "truncated data from job result for rule Find unauthorized SUID/SGID system executables".
    The affected rule may vary. The target is listed as failed in the run details, and no server view is created for the server.






    Legacy ID: KA315355


    This happens when a compliance rule finds more non-compliant assets than BladeLogic can process, so the result is truncated.
    In this example the compliance check found a very large number of files or folders with SUID/SGID set, but any rule capable of detecting large numbers of non-compliant assets can be affected.


    To eliminate the warning, the number of assets impacted by the rule must be reduced. Typically this is done by excluding file system paths from the scan that are known to contain a large number of non-compliant assets. The local extended objects used by most CIS-compliance rules leverage the EXCLUDED_DIR server property to exclude specific paths from the scan.

    Using 'scriptutil' to identify exclusion candidates

    Syntax:

        scriptutil -h <target> -s <CIS sensor> -x 80 "<dirs>"

    where:

        <target> is the host affected by the issue
        <CIS sensor> is the sensor script, usually found in <BL_DIR>/share/sensors on the app server
        <dirs> is the comma-separated list of paths you want to exclude

    Example:

        $ cd <BL_DIR>/bin
        $ ./scriptutil -h <target> -s unauth_suid_sgid_file -x 80 "/opt/devel/app,/opt/testing/app"


    The appserver log for the Compliance Job execution also shows the exact scriptutil command (including sensor and parameters), in a form that can be executed manually.


    This command should be run from the regular shell, not NSH. Log onto the appserver host using SSH/RDP for this.
    The script returns a list of non-compliant assets; optionally pipe it into 'wc -l' to get just the number. Repeat with different path exclusions until the number goes down considerably. The exclusion that produces that drop is the path you want to put in EXCLUDED_DIR.
    Alternatively you can manually remediate the assets by making them compliant, as this will also reduce the number of results.
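
A complementary way to find exclusion candidates from a single run, as an added example that is not part of the BMC article: save the list scriptutil returns and rank directories by how many findings they hold. It assumes the sensor prints one absolute path per line; `rank_dirs`, `exclusion_arg` and the sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not BMC code. Assumption: the sensor output saved from
# scriptutil holds one absolute path per line; other lines are ignored.

# rank_dirs DEPTH [FILE...]: print "<count> <dir>", highest count first,
# where <dir> is the first DEPTH components of each finding's parent path.
rank_dirs() {
    depth=$1
    shift
    awk -v depth="$depth" '
        /^\// {
            n = split($0, part, "/")      # part[1] is empty (leading "/")
            # never include the last component: that is the file itself
            last = (n - 1 < depth + 1) ? n - 1 : depth + 1
            dir = ""
            for (i = 2; i <= last; i++) dir = dir "/" part[i]
            if (dir == "") dir = "/"
            count[dir]++
        }
        END { for (d in count) printf "%d %s\n", count[d], d }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2,2
}

# exclusion_arg DEPTH MIN [FILE...]: join every directory with at least MIN
# findings into the comma-separated form scriptutil takes as "<dirs>".
exclusion_arg() {
    depth=$1; min=$2
    shift 2
    rank_dirs "$depth" "$@" | awk -v min="$min" '
        $1 >= min { sub(/^[0-9]+ /, ""); printf "%s%s", sep, $0; sep = "," }
        END { print "" }'
}

# Constructed sample standing in for saved sensor output.
sample_findings() {
    cat <<'EOF'
/opt/devel/app/bin/tool1
/opt/devel/app/bin/tool2
/opt/devel/app/lib/helper
/opt/devel/app/sbin/daemon
/opt/testing/app/bin/tool1
/opt/testing/app/bin/tool2
/opt/testing/app/bin/tool3
/usr/bin/passwd
/usr/bin/sudo
/bin/su
EOF
}

sample_findings | rank_dirs 3
echo "exclusion candidates: $(sample_findings | exclusion_arg 3 3)"
```

Against real output, pass the saved file as the last argument (for example a hypothetical `findings.txt`) and review each directory at the top of the ranking before adding it to EXCLUDED_DIR, since anything under an excluded path is no longer scanned by the rule.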


    Article Type:

    Solutions to a Product Problem
