So is the warning because “These are 2 new boxes we just imported and are alerting or setuid/setgid changes” or “I believe it's related to the world writeable files under those directories”?
- is the suid bit set on these files? or are they world-writable? how about an ls -la in /opt/bmc/BladeLogic/8.1/NSH/nativetool/platform/sunos-5-sparc/* ?
- what rscd version?
- what is the actual audit finding that you have been given? and how was that check performed? do you have the raw output showing why this finding was triggered?
- you seem to have an exception in your audit system already, so is it applied to these systems? if so, why is the alert being triggered? What is the exception for?
We are running 8.6.01 BSA and agents. I am new to this auditing process, but I believe our other existing boxes have an exception for this issue related to auditing. In this case these 2 servers have 555 unix permissions so it is a world writeable issue.
Also, the files were "changed" 12/02 (output of ls -lc) since they've been imported into our BSA instance prior to 11/27. So there may be two issues here.
A question is: does BSA update these files without a job having been run? It appears something about their ownership/group/permissions was changed on 12/2.
I haven't spoken to the audit team as yet. I was trying to understand first why the files were touched and then go determine if we need to file an exception to the audit rules for this action if it is truly something the application does to validate agent installation file permissions.
Can't find anything in the logs that shows an activity during the timeframe the files were changed, around 03:33 that morning.
555 is world read + world execute, not world write. I don't believe anything in BSA would change the permissions on those files after the fact.
You need to go back to your auditors and find out specifically what the problem is here, since it doesn't seem to be world-write or suid, and you need to find out about what this exception is, how it's applied to your servers, why it's not applied to the new ones, etc. So far I don't really see a BSA issue.
Yeah, sorry, I misread the permissions.
The actual message was related to setuid/gid. I will check with them and reply back probably on Tuesday.
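
An added example, not part of the thread and not BMC's code: a small check that decodes mode bits the way an audit rule for setuid/setgid/world-writable files would, and lists flagged files with their ctime (the timestamp `ls -lc` shows). The function names `classify_mode` and `audit_tree` and the sample modes are constructed for illustration.

```python
import os
import stat
import time


def classify_mode(mode):
    """Return the audit-relevant flags present in a st_mode value."""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("setuid")          # 04000
    if mode & stat.S_ISGID:
        flags.append("setgid")          # 02000
    if mode & stat.S_IWOTH:
        flags.append("world-writable")  # 00002
    return flags


def audit_tree(root):
    """Walk root and return (path, octal mode, flags, ctime) for flagged entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            flags = classify_mode(st.st_mode)
            if flags:
                # ctime moves on chmod/chown as well as on content writes,
                # so it only says that *something* about the inode changed.
                findings.append(
                    (path, oct(stat.S_IMODE(st.st_mode)), flags, st.st_ctime)
                )
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample modes: 555 carries none of the three flags.
    for m in (0o555, 0o4555, 0o2555, 0o6555, 0o777):
        print(oct(m), classify_mode(m) or "no finding")
    # Pass a directory to audit, e.g. the agent's nativetool directory.
    for path, mode, flags, ctime in audit_tree(os.environ.get("AUDIT_ROOT", ".")):
        print(path, mode, ",".join(flags), time.ctime(ctime))
```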