15 Replies Latest reply on Feb 12, 2013 10:37 AM by Bill Robinson

    Check for process in component template compliance rule

    Eric Robeson

      This should be simple, but it isn't working for me:

       

      I want a component template compliance rule which looks for existence or non-existence of a running process by name. I want to use the Processes list, do not want to create an extended object for each process I want to monitor, because that does not scale well. The processes list is there by default, so it seems I should be able to use it.

       

      For example, to check for running sendmail I tried this compliance rule:

      "Processes.Process:/*".Command contains "sendmail"

       

      I have two entries in my process list where the Command value equals "/usr/sbin/sendmail.sendmail", so it should match, but it isn't working. I can't find the magic syntax to get that sort of check to work.

       

      Anyone have any suggestions?

        • 1. Re: Check for process in component template compliance rule
          Sean Berry

          sendmail or Processes.Process:/**?

          • 2. Re: Check for process in component template compliance rule
            Daniel Goetzman

            How about…

             

            exists "Processes.Process:/*" where
               Command contains "sendmail"
            end

             

            -Dan

            • 3. Re: Check for process in component template compliance rule
              Ashitosh Wagh

              Hi Eric,

               

              You can use the following BLCLI commands for compliance rule creation:

               

              #blcli Template createServiceListTemplate ${TEMPLATE_NAME} ${TEMPGROUPID} true

               

              returns  TEMPKEY

               

              #blcli Template addServicePart ${TEMPKEY} Alerter

               

              Returns the modified TEMPKEY; here Alerter is the service name.

               

              #blcli Template addRuleWithServerObjectCondition /${Template_Parent_Group}/${TEMPLATE_GROUPNAME} ${TEMPLATE_NAME} / TestRule Test_description "111" false "Test notes" "" "Windows Service" Alerter "MUST EXIST" "StartupType (Windows)" equals AUTO_START

               

              returns  TEMPKEY

               

              #blcli Template addPropertyConditionToRule /${Template_Parent_Group}/${TEMPLATE_GROUPNAME} ${TEMPLATE_NAME} "/" TestRule "AND" "??AUTO_GENERATED??" "equals" "true"

               

               

              returns  TEMPKEY

               

              Create a Discovery and Compliance Job and you will get a result depending on the status on the server.

               

              Thanks

              Ashitosh

              • 4. Re: Check for process in component template compliance rule
                Eric Robeson

                Nope, the double asterisk didn't work

                • 5. Re: Check for process in component template compliance rule
                  Eric Robeson

                  Ashitosh, your solution looks to be Windows specific. I am working on a Linux system, so it doesn't fit my needs.

                  • 6. Re: Check for process in component template compliance rule
                    Joe Piotrowski

                    I'm getting inconsistent results. I have the RSCD Agent installed and running on two Red Hat servers. My compliance tests (equals, ends with and contains) fail on one, but succeed on the other.

                    process1.jpg

                    process2.jpg

                    • 7. Re: Check for process in component template compliance rule
                      suresh Balla

                      For processes that are running on Unix-flavour machines we have an EO named "Running Processes".

                      This is a global EO. In the backend the ps command will be run to get the output.

                       

                      Here is syntax:

                      "Extended Object Entry:Running Processes//PROCESSES/COMMAND-name-**sendmail**" exists

                       

                      Please check the CIS RHEL5 template for the rule implementation if you are not able to figure it out.

                      • 8. Re: Check for process in component template compliance rule
                        Bill Robinson

                        exists "Processes.Process:/**" where

                        Command contains sendmail

                        end

                         

                        this is an 'exists loop' from the condition drop down w/ the basic condition inside.

                        • 9. Re: Check for process in component template compliance rule
                          Joe Piotrowski

                          I can't get this to work either. Here are screenshots to show you what I mean.

                           

                          RSCD Agent installed on server 1:

                          process1.jpg

                           

                          RSCD Agent installed on server 2:

                          process2.jpg

                           

                          My Compliance Rule condition tests including the "contains" condition:

                          process3.jpg

                           

                          Compliance check comes back as "Compliant" but the conditions have all failed. I scrolled through the list at the bottom and the rscd processes aren't listed. I wonder if this is the same issue Eric is having? Using /** instead of /* produces the same result.

                          process4.jpg

                          • 10. Re: Check for process in component template compliance rule

                            We had an issue where the "Processes.Process" object failed during incremental upgrades and we had to refresh the template after every change. This proved too cumbersome. I created an EO (not global) in the Local Configuration Objects tab that uses the Bladelogic lsof to check processes and their ports. You could also make it use ps instead or leave off the -i -P.

                             

                            <field name="name"><![CDATA[BL-LXO DST_LSOF_PORTS RX]]></field>

                            <field name="execScript"><![CDATA[`cat /usr/lib/rsc/HOME`/bin/lsof -n -i -P | egrep -v "^COMMAND|ESTAB|WAIT|RAW|\*:\*|>" | awk '{print $1" "$3" "$5" "$8" "$9}']]></field>

                            <field name="remoteExecute">true</field>

                             

                            That gets you output like this:

                             

                            ntpd ntp IPv4 UDP *:123

                            ntpd ntp IPv4 UDP 127.0.0.1:123

                            ntpd ntp IPv4 UDP 10.192.90.201:123

                            ntpd ntp IPv4 UDP 172.27.20.201:123

                            sendmail root IPv4 TCP 127.0.0.1:25

                            rscd root IPv4 TCP *:4750

                            sshd root IPv4 TCP *:22

                             

                            Then I check for sendmail listener.

                             

                            exists "Extended Object Entry:BL-LXO DST_LSOF_PORTS RX//**" where

                               Name = "sendmail" AND

                               "Value4 as String (All OS)" = "127.0.0.1:25"

                            end

                             

                            You can create any EO that can run from the command line and format the results to whatever you need to test. I only make a global EO if it truly needs to be universal.
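The lsof-based Extended Object check from reply 10, reproduced offline as an added example (not part of the original post and not BMC's own code): it runs the same filter over constructed `lsof -n -i -P` output and then tests for the sendmail listener the way the rule's Name and Value4 conditions do. The sample lines and the function names `sample_lsof`, `eo_filter` and `has_listener` are assumptions, and `grep -E` stands in for `egrep`.

```shell
#!/bin/sh
# Constructed sample of `lsof -n -i -P` output (assumption, not from a real host).
sample_lsof() {
cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ntpd     1801 ntp    16u  IPv4  11210      0t0  UDP *:123
ntpd     1801 ntp    17u  IPv4  11215      0t0  UDP 127.0.0.1:123
sendmail 2210 root    4u  IPv4  12877      0t0  TCP 127.0.0.1:25 (LISTEN)
rscd     2345 root    5u  IPv4  13001      0t0  TCP *:4750 (LISTEN)
sshd     1950 root    3u  IPv4  11800      0t0  TCP *:22 (LISTEN)
sshd     4012 root    3u  IPv4  20111      0t0  TCP 10.0.0.5:22->10.0.0.9:51514 (ESTABLISHED)
EOF
}

# Same filter as the EO's execScript: drop the header, established or waiting
# connections, raw sockets and unbound "*:*" entries, then keep
# command, user, address family, protocol and local address.
eo_filter() {
  grep -E -v '^COMMAND|ESTAB|WAIT|RAW|\*:\*|>' |
    awk '{print $1" "$3" "$5" "$8" "$9}'
}

# Mirrors the rule: Name = <command> AND Value4 = <address:port>.
# Reads filtered EO lines on stdin; exit status 0 means the entry exists.
has_listener() {
  awk -v name="$1" -v addr="$2" \
    '$1 == name && $5 == addr { found = 1 } END { exit !found }'
}

# Stand-alone demonstration on the constructed sample.
sample_lsof | eo_filter
if sample_lsof | eo_filter | has_listener sendmail 127.0.0.1:25; then
  echo "sendmail loopback listener: present"
else
  echo "sendmail loopback listener: absent"
fi
```

Because the address comparison is an exact match, a sendmail bound to `*:25` instead of the loopback address does not satisfy the check.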

                            • 11. Re: Check for process in component template compliance rule
                              Eric Robeson

                              Thanks everyone for your input. Here are my findings:

                               

                              The exists loop works as desired. It worked equally well whether I used single asterisk (exists "Processes.Process/*") or double asterisks (exists "Processes.Process/**"). Does anyone know of any reason why one should be used over the other?

                               

                              Looking at the results is a bit confusing though, because a compliant result still shows red:

                              Compliant.png

                               

                              while a non-compliant result returns a bit more red:

                              NonCompliant.png

                              Joe, is this why you say you are seeing inconsistent results? I think we just have to stop thinking so much and trust the verdict, from what I am seeing it seems to be correct.

                               

                              My original post also noted that in some cases I need to ensure that processes are NOT running. Through some testing I found that replacing 'exists' with 'foreach', and 'contains' with 'does not contain' achieves that.

                               

                              Suresh, regarding your suggestion of using the CIS provided Extended Objects, that is what I have been doing up to now, but I have gotten too many false positives using them, which is why I am looking to change. In my experience they take a very long time to generate results, the output data structure is unusual, I don't want to depend on add-ons that might change to meet other requirements, and in general I just do not trust them anymore. That is why I am looking to use the built-in Processes list instead.

                               

                              Tom, your suggestion looks good, but I am trying to follow the keep-it-simple method and use the process list that is provided out of the box. I will come back to your suggestion if we hit problems with that.

                              • 12. Re: Check for process in component template compliance rule
                                Joe Piotrowski

                                With Compliance results I'm used to selecting the failed compliance condition and seeing the Left and Right values showing what it's looking for, and what the value is.

                                 

                                I would assume that I would get a full list (successes and failures) that I could review. But in my case it never showed the successes. Have you tried renaming sendmail to sendmailtest (text that doesn't exist) and see if it still succeeds?

                                • 13. Re: Check for process in component template compliance rule
                                  Eric Robeson

                                  I tested the failure scenario by stopping sendmail, and it did properly flag as non-compliant.

                                   

                                  The 'rule editor condition zoom' function doesn't work for me either, in this and most other situations. It used to be pretty handy to see what value caused non-compliance, but I no longer consider it. Seems like when we upgraded to 8.2 it stopped showing discovered values and now just shows the line from the compliance rule in a different format.

                                  1 of 1 people found this helpful
                                  • 14. Re: Check for process in component template compliance rule
                                    Daniel Goetzman

                                    Per the docs…

                                    Match multiple characters including zero-length strings. This pattern does not match a separator character in a path, such as /.

                                     

                                    If I recall correctly, then the “**” match includes the separator char “/”, that is the difference I believe…

                                    So it depends on the data in the values you are attempting to match/include!

                                    -Dan

                                    1 of 1 people found this helpful