15 Replies. Latest reply on Jan 30, 2013 10:41 AM by Bill Robinson

    Error running DISA Windows Server 2008 compliance

      Error Dec 17, 2012 8:33:26 AM com.bladelogic.om.infra.app.collector.AssetCollectionException: Unable to append to file //targetserver/C/Program Files/BMC Software/BladeLogic/RSCD//tmp/preDISA/gpo_remediation.tmp: Connection refused

      (component=DISA - Windows Server 2008_vickersc (targetserver), selector=Extended Object:Audit-Policy-3.138-V0015991)

        • 1. Re: Error running DISA Windows Server 2008 compliance

          "Extended Object Entry:Audit-Policy-3.138-V0015991//SRR_Result/status"."Value1 as String (All OS)" = "Not a Finding"

           

          If the value for "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" is not set to Disabled, then this is a finding.
              
          The policy referenced configures the following registry value:

          Registry Hive: HKEY_LOCAL_MACHINE
          Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\

          Value Name: EnableUIADesktopToggle

          Value Type: REG_DWORD
          Value: 0

           

          If this is just checking a registry key, why would this require an extended object? We have verified that we have administrator access, so we don't know why we are getting a "connection refused" error.

          • 2. Re: Error running DISA Windows Server 2008 compliance

            Hi Jason,

             

            Can you please check whether the RSCD agent service is running on the target server?

             

            ~Gauri

            • 3. Re: Error running DISA Windows Server 2008 compliance

              Gauri,

               

              Yes, the agent service is running and we can access the server through the console.

              • 4. Re: Error running DISA Windows Server 2008 compliance

                Here are additional details from the app server log:

                 

                [17 Dec 2012 08:47:42,212] [WorkItem-Thread-16] [INFO] [houghtja-a:BLAdmins:] [Compliance] com.bladelogic.om.infra.app.collector.AssetCollectionException: Unable to append to file //targetserver/C/Program Files/BMC Software/BladeLogic/RSCD//tmp/preDISA/gpo_remediation.tmp: Connection refused

                (component=DISA - Windows Server 2008_vickersc (targetserver), selector=Extended Object:Audit-Policy-4.010:38-V0001103)

                [17 Dec 2012 08:47:42,212] [WorkItem-Thread-16] [ERROR] [houghtja-a:BLAdmins:] [Compliance] Exception while collecting assets

                com.bladelogic.om.infra.app.collector.AssetCollectionException: Unable to append to file //targetserver/C/Program Files/BMC Software/BladeLogic/RSCD//tmp/preDISA/gpo_remediation.tmp: Connection refused

                (component=DISA - Windows Server 2008_vickersc (targetserver), selector=Extended Object:Audit-Policy-4.010:38-V0001103)

                • 5. Re: Error running DISA Windows Server 2008 compliance

                  Hi Jason,

                   

                  Can you please add "set -x" at the beginning of the "gpo_compliance_through_secedit.nsh" NSH script, which resides in the file server "extended_objects" folder, and then execute the EO below from the app server NSH prompt and paste the output?

                   

                  e.g.

                   

                  nsh -c "//XXX.bmc.com/opt/bmc/BladeLogic/8.0/NSH/storage/extended_objects/gpo_compliance_through_secedit.nsh" -prefix "DISA" -parametername "MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle" -parametervalue "4,0" -rscddir "??TARGET.RSCD_DIR??" -host "??TARGET.NAME??"

                   

                  Replace 1) With your FILE SERVER "extended_objects" location

                               2) ??TARGET.RSCD_DIR?? with the location of Target RSCD location

                               3) ??TARGET.NAME?? with the name of the Target

                   

                  like

                   

                  nsh -c "//abc.bmc.com/opt/bmc/BladeLogic/8.0/NSH/storage/extended_objects/gpo_compliance_through_secedit.nsh" -prefix "DISA" -parametername "MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle" -parametervalue "4,0" -rscddir "/C/Program Files/BMC Software/BladeLogic/RSCD/" -host "xyz.bmc.com"

                   

                  ~Gauri

                  • 6. Re: Error running DISA Windows Server 2008 compliance
                    Joe Piotrowski

                    The first time we ran it, there were non-stop "permission denied" errors trying to remove the .lock file in the preDISA folder. We deleted the folder, ran Compliance within BSA and it failed. We then ran the script you gave us and here is the output:

                     

                    CN-VM-BSAAPP01% nsh -c "//cn-vm-fs01/E/storage/extended_objects/gpo_compliance_through_secedit.nsh" -prefix "DISA" -parametername "MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle" -parametervalue "4,0" -rscddir "/E/Program Files/BMC Software/BladeLogic/RSCD/" -host "cn-vm-fs01"

                    +nsh:317> i_PARAMETER_VALUE_COUNT=0

                    +nsh:318> str_OPERATOR='='

                    +nsh:319> str_SECTION_NAME=''

                    +nsh:320> str_ASTERISK='*'

                    +nsh:321> str_ASTERISK_PATTERN='\*'

                    +nsh:322> str_FORCE_REMEDIATION=n

                    +nsh:323> str_APP_SERVER_OS=+nsh:1> uname

                    +nsh:323> str_APP_SERVER_OS=WindowsNT

                    +nsh:325> [ 10 -gt 0 ']'

                    +nsh:327> case -prefix (-sectionname)

                    +nsh:327> case -prefix (-parametername)

                    +nsh:327> case -prefix (-parametervalue)

                    +nsh:327> case -prefix (-parametervalueored)

                    +nsh:327> case -prefix (-parametervalueanded)

                    +nsh:327> case -prefix (-le|-ge|-lt|-gt|-range)

                    +nsh:327> case -prefix (-rscddir)

                    +nsh:327> case -prefix (-host)

                    +nsh:327> case -prefix (-ruleid)

                    +nsh:327> case -prefix (-prefix)

                    +nsh:348> str_PREFIX=DISA

                    +nsh:348> shift

                    +nsh:357> shift

                    +nsh:325> [ 8 -gt 0 ']'

                    +nsh:327> case -parametername (-sectionname)

                    +nsh:327> case -parametername (-parametername)

                    +nsh:329> str_PARAMETER_NAME='MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle'

                    +nsh:329> shift

                    +nsh:357> shift

                    +nsh:325> [ 6 -gt 0 ']'

                    +nsh:327> case -parametervalue (-sectionname)

                    +nsh:327> case -parametervalue (-parametername)

                    +nsh:327> case -parametervalue (-parametervalue)

                    +nsh:331> str_PARAMETER_VALUE=4,0

                    +nsh:332> i_PARAMETER_VALUE_COUNT=+nsh:1> expr 0 + 1

                    +nsh:332> i_PARAMETER_VALUE_COUNT=1

                    +nsh:333> shift

                    +nsh:357> shift

                    +nsh:325> [ 4 -gt 0 ']'

                    +nsh:327> case -rscddir (-sectionname)

                    +nsh:327> case -rscddir (-parametername)

                    +nsh:327> case -rscddir (-parametervalue)

                    +nsh:327> case -rscddir (-parametervalueored)

                    +nsh:327> case -rscddir (-parametervalueanded)

                    +nsh:327> case -rscddir (-le|-ge|-lt|-gt|-range)

                    +nsh:327> case -rscddir (-rscddir)

                    +nsh:344> str_RSCD_DIR='/E/Program Files/BMC Software/BladeLogic/RSCD/'

                    +nsh:344> shift

                    +nsh:357> shift

                    +nsh:325> [ 2 -gt 0 ']'

                    +nsh:327> case -host (-sectionname)

                    +nsh:327> case -host (-parametername)

                    +nsh:327> case -host (-parametervalue)

                    +nsh:327> case -host (-parametervalueored)

                    +nsh:327> case -host (-parametervalueanded)

                    +nsh:327> case -host (-le|-ge|-lt|-gt|-range)

                    +nsh:327> case -host (-rscddir)

                    +nsh:327> case -host (-host)

                    +nsh:345> str_HOST=cn-vm-fs01

                    +nsh:345> shift

                    +nsh:357> shift

                    +nsh:325> [ 0 -gt 0 ']'

                    +nsh:360> [ -z 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle' -o 1 -ne 1 -o -z '/E/Program Files/BMC Software/BladeLogic/RSCD/' -o -z cn-vm-fs01 ']'

                    +nsh:365> mkdir -p '//cn-vm-fs01/E/Program Files/BMC Software/BladeLogic/RSCD//tmp/preDISA/'

                    +nsh:367> str_REMEDIATION_FILE='//cn-vm-fs01/E/Program Files/BMC Software/BladeLogic/RSCD//tmp/preDISA/gpo_remediation'

                    +nsh:368> str_WIN_RSCD_PATH=+nsh:368> str_WIN_RSCD_PATH=+nsh:1> sed -e 's%/%\\%g' -e 's%^\\\([^\\]*\)%\1:%'

                    +nsh:1> echo '/E/Program Files/BMC Software/BladeLogic/RSCD/'

                    +nsh:368> str_WIN_RSCD_PATH='E:\Program Files\BMC Software\BladeLogic\RSCD\'

                    +nsh:369> str_SECEDIT_FILE_WINDOWS='E:\Program Files\BMC Software\BladeLogic\RSCD\\tmp\preDISA\secedit_3520.txt'

                    +nsh:370> str_SECEDIT_FILE='//cn-vm-fs01/E/Program Files/BMC Software/BladeLogic/RSCD//tmp/preDISA/secedit_3520.txt'

                    +nsh:372> str_PARAMETER_VALUE_ORED_ORG=''

                    +nsh:373> str_PARAMETER_VALUE_ANDED_ORG=''

                    +nsh:375> [ WindowsNT '=' WindowsNT ']'

                    +nsh:377> str_NULL='//cn-vm-fs01/E/Program Files/BMC Software/BladeLogic/RSCD//tmp/preDISA/NULL'

                    +nsh:381> check_lock

                    +check_lock:2> i_LOCK=0

                    +check_lock:3> [ -e '//cn-vm-fs01/E/Program Files/BMC Software/BladeLogic/RSCD//tmp/preDISA/gpo_remediation.lock' ']'

                    +check_lock:7> i_TRY_COUNT=1

                    +check_lock:8> [ 0 -eq 1 ']'

                    +check_lock:22> touch '//cn-vm-fs01/E/Program Files/BMC Software/BladeLogic/RSCD//tmp/preDISA/gpo_remediation.lock'

                    +nsh:382> nexec cn-vm-fs01 cmd.exe /c secedit /export /overwrite /quiet /cfg 'E:\Program Files\BMC Software\BladeLogic\RSCD\\tmp\preDISA\secedit_3520.txt'

                    +nsh:383> check_compliance

                    +check_compliance:2> [ ! -f '//cn-vm-fs01/E/Program Files/BMC Software/BladeLogic/RSCD//tmp/preDISA/secedit_3520.txt' ']'

                    +check_compliance:4> str_STATUS='Not Reviewed'

                    +nsh:384> str_STATUS_LOCAL='Not Reviewed'

                    +nsh:385> [ 'Not Reviewed' '=' LOCAL ']'

                    +nsh:413> str_PARAMETER_VALUE_ORED=''

                    +nsh:414> str_PARAMETER_VALUE_ANDED=''

                    +nsh:415> nexec cn-vm-fs01 cmd.exe /c secedit /export /overwrite /quiet /mergedpolicy /cfg 'E:\Program Files\BMC Software\BladeLogic\RSCD\\tmp\preDISA\secedit_3520.txt'

                    +nsh:416> check_compliance

                    +check_compliance:2> [ ! -f '//cn-vm-fs01/E/Program Files/BMC Software/BladeLogic/RSCD//tmp/preDISA/secedit_3520.txt' ']'

                    +check_compliance:4> str_STATUS='Not Reviewed'

                    +nsh:417> un_lock

                    +un_lock:2> rm -f '//cn-vm-fs01/E/Program Files/BMC Software/BladeLogic/RSCD//tmp/preDISA/gpo_remediation.lock'

                    +nsh:418> [ 'Not Reviewed' '=' LOCAL ']'

                    +nsh:423> [ 'Not Reviewed' '=' Open -o 'Not Reviewed' '=' Open ']'

                    +nsh:426> [ 'Not Reviewed' '=' 'Not Reviewed' -o 'Not Reviewed' '=' 'Not Reviewed' ']'

                    +nsh:428> str_STATUS='Not Reviewed'

                    +nsh:431> echo '<SRR_Result>'

                    <SRR_Result>

                    +nsh:432> echo '<status>Not Reviewed</status>'

                    <status>Not Reviewed</status>

                    +nsh:433> echo '</SRR_Result>'

                    </SRR_Result>

                    +nsh:435> rm -f '//cn-vm-fs01/E/Program Files/BMC Software/BladeLogic/RSCD//tmp/preDISA/secedit_3520.txt'

                    +nsh:437> [ WindowsNT '=' WindowsNT ']'

                    +nsh:439> rm -f '//cn-vm-fs01/E/Program Files/BMC Software/BladeLogic/RSCD//tmp/preDISA/NULL'

                    +nsh:442> exit 0

                    CN-VM-BSAAPP01%
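
In the trace above, each `check_compliance` call sets `Not Reviewed` directly after the `[ ! -f ...secedit_3520.txt ]` test, and no comparison against the requested `4,0` appears. The sketch below is an added example, not BMC's `gpo_compliance_through_secedit.nsh` and not code from any poster; it grades one `[Registry Values]` entry of a secedit export with the three statuses seen in this thread. The names `check_secedit_value`, `write_sample` and `UIA_KEY`, the constructed sample file, and the rule that a value missing from the export counts as `Open` are assumptions.

```shell
#!/bin/sh
# Added example, not the BMC script: grade one [Registry Values] entry of a
# secedit export, using the three statuses that appear in the thread.

# check_secedit_value FILE NAME EXPECTED  ->  prints the status
# EXPECTED is "type,value" as secedit writes it (4 = REG_DWORD), e.g. "4,0".
check_secedit_value() {
    cfg=$1; name=$2; expected=$3

    # No export file: nothing was evaluated, so do not report a pass.
    if [ ! -f "$cfg" ]; then
        echo "Not Reviewed"; return 0
    fi

    # Look only inside [Registry Values]. The name goes through the
    # environment because awk -v would interpret the backslashes in it.
    actual=$(tr -d '\r' < "$cfg" | WANT="$name" awk '
        /^\[/ { in_reg = (tolower($0) == "[registry values]"); next }
        in_reg {
            eq = index($0, "=")
            if (eq && tolower(substr($0, 1, eq - 1)) == tolower(ENVIRON["WANT"])) {
                print substr($0, eq + 1); exit
            }
        }')

    # Assumption: a value missing from the export counts as a finding.
    if [ "$actual" = "$expected" ]; then
        echo "Not a Finding"
    else
        echo "Open"
    fi
}

UIA_KEY='MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle'

# Constructed sample export (ASCII; a real export may be UTF-16 and need iconv).
write_sample() {   # write_sample FILE DWORD_VALUE
    printf '%s\r\n' '[Unicode]' 'Unicode=yes' '[Registry Values]' \
        "$UIA_KEY=4,$2" '[Version]' 'signature="$CHICAGO$"' > "$1"
}

demo() {
    dir=$(mktemp -d)
    write_sample "$dir/good.inf" 0
    write_sample "$dir/bad.inf" 1
    for f in good.inf bad.inf missing.inf; do
        printf '%s: %s\n' "$f" "$(check_secedit_value "$dir/$f" "$UIA_KEY" "4,0")"
    done
    rm -rf "$dir"
}
demo
```

A `Not Reviewed` result from a checker like this means the export was never read, so it says nothing about whether `EnableUIADesktopToggle` is actually 0 on the target.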

                    • 7. Re: Error running DISA Windows Server 2008 compliance
                      Joe Piotrowski

                      Not sure if it matters or not, but we're running this DISA Compliance Analysis against our BSA infrastructure servers as a test. It keeps failing against our File Server.

                      • 8. Re: Error running DISA Windows Server 2008 compliance
                        Bill Robinson

                        If you get a permission denied, what local user are you mapped to?

                         

                        I believe the above seems to have run OK. Is there only a single EO failing against the file server, or other servers in the env, or are there multiple EOs failing?

                        • 9. Re: Error running DISA Windows Server 2008 compliance

                          Hi Joe,

                           

                          From the output, it seems that the EO executed successfully on the target.

                           

                          For the file server target, is it failing with the same error, or something else?

                           

                          Thanks & Regards,

                          ~Gauri

                          • 10. Re: Error running DISA Windows Server 2008 compliance

                            Hi Joe,

                            Looks like some changes are needed in the users and user.local file. Can it be checked once?

                             

                             

                             

                            Regards,

                            Avisekh Das

                            • 11. Re: Error running DISA Windows Server 2008 compliance
                              Joe Piotrowski

                              This is a brand new installation. The users file is blank, and the users.local file contains:

                              BLAdmins:* rw,map=localadmin

                              System:System rw,map=localadmin

                               

                              Our user Role is BLAdmins.

                               

                              It failed on a different EO last week. We thought the RSCD Agent installation might have been bad so we re-installed the Agent. Since then it keeps failing on this EO.

                              • 12. Re: Error running DISA Windows Server 2008 compliance

                                From the output run of the EO it does look like it completed successfully as Gauri pointed out. It created a status of “Not Reviewed” as you can see from the below and even deleted the lock file. So, unless there is still a permission denied error somewhere (such as when running the actual job) I don’t see any point in discussing the agent ACL files. Is there a permission denied error when running the job, but you get successful install when running the EO manually?

                                 

                                 

                                +nsh:431> echo '<SRR_Result>'

                                <SRR_Result>

                                +nsh:432> echo '<status>Not Reviewed</status>'

                                <status>Not Reviewed</status>

                                +nsh:433> echo '</SRR_Result>'

                                </SRR_Result>

                                • 13. Re: Error running DISA Windows Server 2008 compliance
                                  Joe Piotrowski

                                  Thanks for the input, guys. We might be having problems with this server so we're going to rebuild it. Compliance is running fine on all the other servers. We've uninstalled/installed the RSCD Agent a few times. But we're still getting this error and seeing RSCD errors in the server Application Logs.

                                  • 14. Re: Error running DISA Windows Server 2008 compliance

                                    Looks like we found a solution to this issue; after extensive troubleshooting which involved multiple variations of installing the RSCD agent on the BSA file server C: drive vs. D: drive, installing the RSCD agent .MSI using "Run as administrator" command line vs. standard .MSI install, multiple BSA file server reboots, and continually checking the application event logs, the fix action was adding the FQDN to the server name/IP Address when adding the BSA file server into BladeLogic.

                                     

                                    So far, I have run at least four Windows Server 2008 Compliance Jobs against the BSA file server with no issues, with each returning completed in about 8 minutes. As soon as I decommission the BSA file server in BladeLogic and re-add it using only the server name without the FQDN, then re-run the Windows Server 2008 Discover Job followed by the Windows Server 2008 Compliance job, the Compliance job fails consistently.

                                     

                                    I'm still not sure why we only had this issue with the BSA file server and not the other servers in the BSA Architecture that were added using only the server name without the FQDN.
