10 Replies Latest reply on Jan 27, 2015 7:07 AM by sachin Manjunath

    Issue with compliance

      We have a compliance rule to check the password complexity of AIX.

      We have an extended object for that check, and the script is below. (We are using scriptutil and central execution.)

      Extended object setting: scriptutil -h ??TARGET.HOST?? -s script.aix (central execution)

      When I browse the server and click on the extended object, we get a value of passed or failed. When I run the compliance for a single server it succeeds, and when run for a rule it succeeds, but when run for a group of 1000 servers the servers show non-compliant with the below error in the log.

      Error in the compliance log:

      com.bladelogic.om.infra.mfw.util.BlException: /usr/bin/ksh: /tmp/_Server name-8438-1-"script.aix":  not found.


      Script.aix:

      #!/bin/ksh

      OS_VER=$(oslevel -r)

      # Define the Xerox security setting expected

      # Extended Security Settings

      minloweralpha=1
      minupperalpha=1
      minspecialchar=1
      mindigit=1

      # Basic security settings

      minother=1
      minalpha=1

      check_ext_security()
      {

              OS_R=$1

              echo $OS_R | awk -F- '{print $1,$2}' | read ver tl
              if [[ $ver = "7100" ]]
              then
                      export EXTS="On" # Turn on extended security
              elif [[ $ver = "6100" ]]
              then
                      tl=${tl#0}
                      if [[ $tl -lt 8 ]]
                      then
                              # oslevel less than TL8 do not have these options
                              export EXTS=""
                      else
                              export EXTS="On"
                      fi
              else
                      # If its not 6100 or 7100 then these options do not exist
                      export EXTS=""
              fi
      }

      check_ext_security $OS_VER

      if [[ "$EXTS" = "On" ]]
      then
              # Perform the extended security checks
              server_minloweralpha=$(lssec -cf /etc/security/user -s default -a minloweralpha | egrep -v "#" | awk -F: '{print $2}')
              server_minupperalpha=$(lssec -cf /etc/security/user -s default -a minupperalpha | egrep -v "#" | awk -F: '{print $2}')
              server_minspecialchar=$(lssec -cf /etc/security/user -s default -a minspecialchar | egrep -v "#" | awk -F: '{print $2}')
              server_mindigit=$(lssec -cf /etc/security/user -s default -a mindigit  | egrep -v "#" | awk -F: '{print $2}')
              server_minother=$(lssec -cf /etc/security/user -s default -a minother | egrep -v "#" | awk -F: '{print $2}')

              if [[ "$server_minloweralpha" -lt "$minloweralpha" || "$server_minupperalpha" -lt "$minupperalpha" || "$server_minspecialchar" -lt "$specialchar" || "$server_mindigit" -lt "$mindigit" ]]
              then
                      RESULT=FAILED
              elif [ "$server_minother" -lt 2 ]
              then
                     RESULT=FAILED
              else
                      RESULT=PASSED
              fi
      else
              # Check only the basic settings

              server_minother=$(lssec -cf /etc/security/user -s default -a minother | egrep -v "#" | awk -F: '{print $2}')
              server_minalpha=$(lssec -cf /etc/security/user -s default -a minalpha | egrep -v "#" | awk -F: '{print $2}')

              if [[ "$server_minother" -lt "$minother" || "$server_minalpha" -lt "$minalpha" ]]
              then
                      RESULT=FAILED
              else
                      RESULT=PASSED
              fi
      fi

      echo VALUE=$RESULT


        • 1. Re: Issue with compliance
          Jim Wilson

          Discussion successfully moved from BMC BladeLogic to Server Automation

          • 2. Re: Issue with compliance
            Bill Robinson

            So either the copy of the script that scriptutil makes is not found on the target, or there is a call to something in the script that isn't found on the target.

            So you can do a few things to isolate the problem:

            1 - Copy the script to the target, make it executable and run it. Does it work?

            2 - Run scriptutil manually from the appserver w/ the command in the EO definition. Does it work?

            • 3. Re: Issue with compliance

              1 - Copy the script to the target, make it executable and run it. Does it work?

                  Yes, it works; I get a result.

              2 - Run scriptutil manually from the appserver w/ the command in the EO definition. Does it work?

                   I tried it, but I am getting the error "scriptutil not found". I tried going to the path /bin and running it. Can you please help me with executing the command?


              • 4. Re: Issue with compliance
                Don Kim

                Scriptutil is an NSH command. Are you using NSH shell or trying <install path>/NSH/bin ?

                • 5. Re: Issue with compliance
                  Bill Robinson

                  if you are not in nsh, then scriptutil is in <install>/NSH/bin

                  • 6. Re: Issue with compliance

                    1 - Copy the script to the target, make it executable and run it. Does it work?

                    It works.

                    2 - Run scriptutil manually from the appserver w/ the command in the EO definition. Does it work?

                    Unable to run on the app server, as I don't have access to run as the root user.

                    • 7. Re: Issue with compliance

                      I am using scriptutil and the script is present in sensors folder

                      • 8. Re: Issue with compliance

                        Hi Rob, below is the job log. We find the target is able to verify and push ACL.

                        Participant | Type | Date | Message
                        Run at Jan 23, 2015 2:19:31 PM | Info | 1/23/2015 14:19 | Started running the job 'Enterprise Compliance Reporting - AIX' with priority 'NORMAL' on application server 'xrxdallin008'(2,017,744)
                        Run at Jan 23, 2015 2:19:31 PM | Info | 1/23/2015 14:19 | creating work item for component Enterprise Compliance Reporting - AIX (adc-al-ibm10)
                        Run at Jan 23, 2015 2:19:31 PM | Info | 1/23/2015 14:19 | Executing work item Compliance Job:Enterprise Compliance Reporting - AIX; Template:Enterprise Compliance Reporting - AIX; Component:Enterprise Compliance Reporting - AIX (adc-al-ibm10); Server:adc-al-ibm10; on application server: xrxdallin003
                        Enterprise Compliance Reporting - AIX (adc-al-ibm10) () | Info | 1/23/2015 14:19 | Compliance execution started for component: Enterprise Compliance Reporting - AIX (adc-al-ibm10)
                        Enterprise Compliance Reporting - AIX (adc-al-ibm10) () | Warning | 1/23/2015 14:19 | com.bladelogic.om.infra.mfw.util.BlException: /usr/bin/ksh: /tmp/_adc-al-ibm10-9729-1-pam.test.aix:  not found.
                        Enterprise Compliance Reporting - AIX (adc-al-ibm10) () | Warning | 1/23/2015 14:19 | com.bladelogic.om.infra.mfw.util.BlException: /usr/bin/ksh: /tmp/_adc-al-ibm10-9738-1-pam.test.aix:  not found.
                        Enterprise Compliance Reporting - AIX (adc-al-ibm10) () | Info | 1/23/2015 14:19 | Compliance execution finished for component: Enterprise Compliance Reporting - AIX (adc-al-ibm10)
                        Run at Jan 23, 2015 2:19:31 PM | Info | 1/23/2015 14:19 | saving results for job
                        Run at Jan 23, 2015 2:19:31 PM | Warning | 1/23/2015 14:19 | The job 'Enterprise Compliance Reporting - AIX' has succeeded with warnings

                        • 9. Re: Issue with compliance
                          Bill Robinson

                          You can try copying the same scripts into your local NSH/share/sensors directory and try the scriptutil run. Also, the agent log from the target may help to determine if the script is getting copied over.

                          Also, is /tmp mounted noexec on the target?

                          • 10. Re: Issue with compliance

                            The issue is resolved now; the script was changed, which was causing the issue. Below is the new script now.


                            #!/bin/ksh

                            OS_VER=$(oslevel -r)

                            # Define the Xerox security setting expected

                            # Extended Security Settings

                            minloweralpha=1
                            minupperalpha=1
                            minspecialchar=1
                            mindigit=1

                            # Basic security settings

                            minother=1
                            minalpha=1

                            check_ext_security()
                            {

                                    OS_R=$1

                                    echo $OS_R | awk -F- '{print $1,$2}' | read ver tl
                                    if [[ $ver = "7100" ]]
                                    then
                                            export EXTS="On" # Turn on extended security
                                    elif [[ $ver = "6100" ]]
                                    then
                                            tl=${tl#0}
                                            if [[ $tl -lt 8 ]]
                                            then
                                                    # oslevel less than TL8 do not have these options
                                                    export EXTS=""
                                            else
                                                    export EXTS="On"
                                            fi
                                    else
                                            # If its not 6100 or 7100 then these options do not exist
                                            export EXTS=""
                                    fi
                            }

                            check_ext_security $OS_VER

                            if [[ "$EXTS" = "On" ]]
                            then
                                    # Perform the extended security checks
                                    server_minloweralpha=$(lssec -cf /etc/security/user -s default -a minloweralpha | egrep -v "#" | awk -F: '{print $2}')
                                    server_minupperalpha=$(lssec -cf /etc/security/user -s default -a minupperalpha | egrep -v "#" | awk -F: '{print $2}')
                                    server_minspecialchar=$(lssec -cf /etc/security/user -s default -a minspecialchar | egrep -v "#" | awk -F: '{print $2}')
                                    server_mindigit=$(lssec -cf /etc/security/user -s default -a mindigit  | egrep -v "#" | awk -F: '{print $2}')
                                    server_minother=$(lssec -cf /etc/security/user -s default -a minother | egrep -v "#" | awk -F: '{print $2}')

                                    if [[ "$server_minloweralpha" -lt "$minloweralpha" || "$server_minupperalpha" -lt "$minupperalpha" || "$server_minspecialchar" -lt "$minspecialchar" || "$server_mindigit" -lt "$mindigit" ]]
                                    then
                                            RESULT=FAILED
                                    elif [ "$server_minother" -lt 2 ]
                                    then
                                           RESULT=FAILED
                                    else
                                            RESULT=PASSED
                                    fi
                            else
                                    # Check only the basic settings

                                    server_minother=$(lssec -cf /etc/security/user -s default -a minother | egrep -v "#" | awk -F: '{print $2}')
                                    server_minalpha=$(lssec -cf /etc/security/user -s default -a minalpha | egrep -v "#" | awk -F: '{print $2}')

                                    if [[ "$server_minother" -lt "$minother" || "$server_minalpha" -lt "$minalpha" ]]
                                    then
                                            RESULT=FAILED
                                    else
                                            RESULT=PASSED
                                    fi
                            fi

                            echo VALUE=$RESULT
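
A fail-closed form of the threshold comparison used in the scripts in this thread, as an added example that is not any poster's code. The first script compares against `$specialchar`, a name it never defines; here `set -u` turns such a reference into an error, and a missing or non-numeric `lssec` value counts as non-compliant. The sample `lssec -c` output is constructed, and the function names `get_attr`, `meets_minimum` and `evaluate` are hypothetical.

```sh
#!/bin/sh
# Added example: evaluate lssec-style colon output against minimum values.
set -u   # referencing an undefined threshold variable aborts the script

# Constructed sample in the colon format of
# `lssec -cf /etc/security/user -s default -a <attr> ...` (header starts with '#').
SAMPLE='#name:minloweralpha:minupperalpha:minspecialchar:mindigit:minother
default:1:1:0:1:2'

# get_attr <lssec_output> <attr>: print the value under column <attr>, or nothing.
get_attr() {
    printf '%s\n' "$1" | awk -F: -v want="$2" '
        /^#/ { for (i = 1; i <= NF; i++) if ($i == want) col = i; next }
        col  { print $col; exit }'
}

# meets_minimum <value> <minimum>: succeed only if value is a number >= minimum.
meets_minimum() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # missing or non-numeric: non-compliant
    esac
    [ "$1" -ge "$2" ]
}

# evaluate <lssec_output> "attr=min attr=min ...": print PASSED or FAILED.
evaluate() {
    out=$1
    for pair in $2; do
        attr=${pair%%=*}
        min=${pair#*=}
        meets_minimum "$(get_attr "$out" "$attr")" "$min" || { echo FAILED; return 0; }
    done
    echo PASSED
}

# Thresholds taken from the extended checks in the thread's script (minother < 2 fails).
EXT_RULES="minloweralpha=1 minupperalpha=1 minspecialchar=1 mindigit=1 minother=2"
echo "VALUE=$(evaluate "$SAMPLE" "$EXT_RULES")"
```

On a real AIX target, the first argument to `evaluate` would be the captured output of one `lssec -c` call listing all attributes.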