5 Replies Latest reply on Dec 5, 2016 1:31 PM by Todd McDaniel

    setuid/setgid alerts in audit scan

    Todd McDaniel

      We are getting warnings from our audit team regarding the files in


      /opt/bmc/Bladelogic/8.1/NSH/nativetool/platform/sunos-5-sparc/*

      /opt/bmc/Bladelogic/8.1/NSH/nativetool/platform/sunos-5-sparcv9/*


      These are 2 new boxes we just imported, and they are alerting on setuid/setgid changes. As far as I know, we already have exceptions in BSA for our other, older servers, so we don't get the audit alert on those, because it's a known issue for the application.


      I believe it's related to the world-writable files under those directories.


      I saw an idea that Bill R had posted on the subject about an enhancement that a team member had copied me on that appears to discuss this exact issue.


      https://communities.bmc.com/ideas/14802

        • 1. Re: setuid/setgid alerts in audit scan
          Bill Robinson

          So is the warning because “These are 2 new boxes we just imported and are alerting or setuid/setguid changes” or “I believe its related to the world writeable files under those directories” ?


          - Is the suid bit set on these files, or are they world-writable? How about an ls -la in /opt/bmc/BladeLogic/8.1/NSH/nativetool/platform/sunos-5-sparc/* ?

          - What rscd version?

          - What is the actual audit finding that you have been given, and how was that check performed? Do you have the raw output showing why this finding was triggered?

          - You seem to have an exception in your audit system already, so is it applied to these systems? If so, why is the alert being triggered? What is the exception for?

          • 2. Re: setuid/setgid alerts in audit scan
            Todd McDaniel

            Bill,


            We are running 8.6.01 BSA and agents. I am new to this auditing process, but I believe our other existing boxes have an exception for this issue related to auditing. In this case these 2 servers have 555 Unix permissions, so it is a world-writable issue.

            Also, the files were "changed" on 12/02 (output of ls -lc), since they were imported into our BSA instance prior to 11/27. So there may be two issues here.

            A question is: does BSA update these files without a job having been run? It appears something about their ownership/group/permissions was changed on 12/2.

            I haven't spoken to the audit team as yet. I was trying to understand first why the files were touched, and then go determine whether we need to file an exception to the audit rules for this action, if it is truly something the application does to validate agent installation file permissions.

            • 3. Re: setuid/setgid alerts in audit scan
              Todd McDaniel

              addendum:


              Can't find anything in the logs that shows any activity during the timeframe the files were changed, around 03:33 that morning.

              • 4. Re: setuid/setgid alerts in audit scan
                Bill Robinson

                555 is world read + world execute, not world write. I don't believe anything in BSA would change the permissions on those files after the fact.

                You need to go back to your auditors and find out specifically what the problem is here, since it doesn't seem to be world-write or suid, and you need to find out what this exception is, how it's applied to your servers, why it's not applied to the new ones, etc. So far I don't really see a BSA issue.
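                The distinction Bill draws above (555 is r-xr-xr-x, which is neither setuid/setgid nor world-writable) is easy to check mechanically before going back to the auditors. The script below is an added example, not code from the thread and not part of BSA or NSH. It assumes a POSIX sh with find, test and mktemp -d; the sample directory it builds in demo() is constructed here for illustration and stands in for a vendor directory such as the nativetool/platform/sunos-5-sparc path from the thread. mode_flags() interprets an octal mode the way an audit report prints one, and audit_tree() walks a real tree and reports only files that actually carry a setuid, setgid or world-write bit.

```shell
#!/bin/sh
# Added example (not from the thread, not BSA/NSH code): separate the three
# conditions an audit finding tends to lump together.
#   mode_flags MODE  - name the security-relevant bits in an octal mode
#   audit_tree DIR   - list files under DIR that carry one of those bits
# A file with mode 555, like the ones discussed in the thread, produces no
# finding from either function.

# mode_flags MODE: print "setuid", "setgid", "world-writable" (space
# separated) for the bits set in MODE, or "none". MODE is octal, e.g. 4755.
# 04000 = setuid, 02000 = setgid, 00002 = write bit for "other".
mode_flags() {
    mode=$(( 0$1 ))          # leading 0 forces octal interpretation
    flags=""
    [ $(( mode & 04000 )) -ne 0 ] && flags="${flags}setuid "
    [ $(( mode & 02000 )) -ne 0 ] && flags="${flags}setgid "
    [ $(( mode & 00002 )) -ne 0 ] && flags="${flags}world-writable "
    [ -n "$flags" ] || flags="none "
    printf '%s\n' "${flags% }"
}

# audit_tree DIR: one line per regular file under DIR that is setuid, setgid
# or world-writable, formatted "<flags> <path>". Only POSIX find and test are
# used (no GNU stat), so it also runs on older Unix systems. In find,
# "-perm -MODE" means "all of these bits are set".
audit_tree() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 -o -perm -0002 \) -print |
    while IFS= read -r f; do
        flags=""
        [ -u "$f" ] && flags="${flags}setuid "
        [ -g "$f" ] && flags="${flags}setgid "
        # test(1) has no world-write operator; ask find about this one path.
        [ -n "$(find "$f" -prune -perm -0002)" ] && flags="${flags}world-writable "
        printf '%s %s\n' "${flags% }" "$f"
    done
}

# demo: build a constructed sample tree, audit it, remove it. Output is
# sorted and stripped of the temp directory prefix so it is stable.
demo() {
    d=$(mktemp -d)
    : > "$d/readonly_tool"; chmod 555  "$d/readonly_tool"   # r-xr-xr-x: no finding
    : > "$d/suid_tool";     chmod 4755 "$d/suid_tool"       # rwsr-xr-x
    : > "$d/sgid_tool";     chmod 2755 "$d/sgid_tool"       # rwxr-sr-x
    : > "$d/scratch.tmp";   chmod 666  "$d/scratch.tmp"     # rw-rw-rw-
    audit_tree "$d" | sed "s|$d/||" | sort
    rm -rf "$d"
}

demo
```

                Against a live system you would run audit_tree on the directory the auditors named, e.g. /opt/bmc/Bladelogic/8.1/NSH/nativetool/platform/sunos-5-sparc, and compare the output with the raw finding; an empty report for a tree of 555 files means the alert is about something other than the permission bits themselves.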

                • 5. Re: setuid/setgid alerts in audit scan
                  Todd McDaniel

                  Yeah, sorry, I misread the permissions.

                  The actual message was related to setuid/gid. I will check with them and reply back, probably on Tuesday.