5 Replies Latest reply on Apr 24, 2013 1:57 AM by Steffen Kreis

    Is it possible to run remediation using NSH for Windows?

      Hi everyone,

       

      Remediation in BladeLogic uses a BLPackage. Inside the BLPackage, you are only allowed to add external commands. If the target is Windows, you are only allowed to use DOS-like commands. However, the remediation is not simple where logic is needed. I want to know if it is possible to use NSH to perform the remediation in the BLPackage. As you know, DOS is somewhat handicapped when you want to script something with logic, unlike the Unix syntax in NSH, where you have sed, awk, and even simple commands like cut, grep, etc. Life would be easy if I could use NSH instead of the stupid DOS by Bill Gates. Thanks a lot.

        • 1. Re: Is it possible to run remediation using NSH for Windows?
          Steffen Kreis

          Hi,

           

          unfortunately it is not really possible to run an NSH based remediation job.

          There were some previous discussions where it was suggested to write a script that exports the compliance results as CSV, filters for the non-compliant targets and hands those targets over to an NSH script job.

           

          Not sure if anybody has really done this, but personally I think it is too complex and error-prone.

           

           

          In case you just miss some scripting power with the DOS-based CMD, I always suggest looking into writing a PowerShell script, deploying that with the BLPackage and executing it with an external command.

           

          Do you have an example of what you want to achieve with your remediation?

           

           

          Steffen

          1 of 1 people found this helpful
          • 2. Re: Is it possible to run remediation using NSH for Windows?

            Hmm... I am trying to perform remediation on SQL Server using BladeLogic. The situation is that there may be a single instance or multiple instances on a SQL server. Also, there will be more than one database on each instance on which SQL statements need to be executed. So, the script logic needs to be able to do the following:

            1. Differentiate whether the SQL server is running a single instance or multiple instances

            2. Loop through the instances one by one using a while loop (while not at the end)

            3. Loop through the databases inside each instance using a for loop (for each database)

            The requirement above should be beyond the capability of a DOS script. Since I am from the Unix world, I prefer to use Unix syntax. Besides, I have never touched either VBScript or PowerShell. Their syntax is alien to me. By the way, below is the sample NSH script that I have used to achieve the points above. Please feel free to share your comments or hints on translating it into VBScript or PowerShell, as NSH is not supported in remediation. Well, Unix script is always the most powerful and easiest type of script in the computer world. I just hope BladeLogic can support it for remediation some day in the future.

             

            # Query SQL server instance and query all databases within a SQL server instance
            # Syntax will be Unix-like

            # Get the SQL server instance name from the registry value
            Reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server" /s /t REG_MULTI_SZ /f InstalledInstances /se " " | findstr InstalledInstances | findstr MSSQLSERVER

            # If there is only one default SQL server instance, the instance name will be MSSQLSERVER
            # If the command returns successfully, that means only one default SQL server instance
            if [ $? -eq 0 ]; then
              # Set the instance name to NULL
              INSTANCE=
              # Get all the database names on the SQL server instance
              sqlcmd -S .\$INSTANCE -Q "select name from sys.databases" | findstr /V NT | more +2 | findstr /V rows > C:\Temp\db.list
              # Loop through all databases one by one and execute the SQL statement
              for db in `cat C:\Temp\db.list`
              do
                sqlcmd -S .\$INSTANCE -Q "select OBJECT_NAME(major_id) as [Object_name] from $db.sys.database_permissions where OBJECT_NAME(major_id) = 'sp_add_job'" | findstr /V NT | more +2 | findstr /V rows
              done
            # In case there are multiple SQL server instances
            else
              # Since the registry result will be like "InstalledInstances    REG_MULTI_SZ    [instance_list]", it will loop starting from the third column
              i=3
              while true
              do
                # Set the instance name by looping over the instance list in the registry value one by one
                INSTANCE=`Reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server" /s /t REG_MULTI_SZ /f InstalledInstances /se " "  | findstr InstalledInstances | more +1 | awk -v a=$i '{ print $a }'`
                # If INSTANCE is empty, exit the while loop
                if [ -z "$INSTANCE" ]; then
                  exit 0
                fi
                # Get all the database names on the SQL server instance
                sqlcmd -S .\$INSTANCE -Q "select name from sys.databases" | findstr /V NT | more +2 | findstr /V rows > C:\Temp\db.list
                # Loop through all databases one by one and execute the SQL statement
                for db in `cat C:\Temp\db.list`
                do
                  sqlcmd -S .\$INSTANCE -Q "select OBJECT_NAME(major_id) as [Object_name] from $db.sys.database_permissions where OBJECT_NAME(major_id) = 'sp_add_job'" | findstr /V NT | more +2 | findstr /V rows
                done
                # Increase the count of i by 1 so that it will loop to the next SQL server instance
                i=$(($i+1))
              done
            fi
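
The PowerShell route suggested in reply 1, applied to the three steps listed in reply 2, as an added example that is not code from anyone in this thread. It assumes sqlcmd.exe is on PATH and that the job account can use Windows authentication (-E) on every local instance; Invoke-SqlText is a hypothetical helper name.

```powershell
# Added example: assumes sqlcmd.exe is on PATH and Windows authentication (-E) works
# for the account the job runs as. Invoke-SqlText is a hypothetical helper name.
$ErrorActionPreference = 'Stop'
$key = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

# InstalledInstances is REG_MULTI_SZ, so PowerShell returns a string array:
# no column counting, and one or many instances take the same code path.
$instances = @((Get-ItemProperty -Path $key -Name InstalledInstances).InstalledInstances)

function Invoke-SqlText {
    param([string]$Server, [string]$Database, [string]$Query)
    # -h -1 drops headers, -W trims padding, -b makes SQL errors set a non-zero exit code.
    $out = & sqlcmd -S $Server -E -d $Database -b -h -1 -W -Q "SET NOCOUNT ON; $Query"
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed on $Server/${Database}: $out" }
    $out | Where-Object { $_ -and $_.Trim() }
}

# Single-quoted strings: PowerShell expands nothing inside them, so the T-SQL
# reaches sqlcmd unchanged and no dollar-sign escaping is needed.
$listDbs = 'SELECT name FROM sys.databases WHERE state_desc = ''ONLINE'''
$check   = 'SELECT OBJECT_NAME(major_id) FROM sys.database_permissions ' +
           'WHERE OBJECT_NAME(major_id) = ''sp_add_job'''

$failed = 0
foreach ($instance in $instances) {
    # The default instance is addressed as "."; named instances as ".\NAME".
    $server = if ($instance -eq 'MSSQLSERVER') { '.' } else { ".\$instance" }
    try {
        foreach ($db in Invoke-SqlText $server 'master' $listDbs) {
            # -d sets the database context, so the database name is passed as an
            # argument and never pasted into the SQL text.
            $hits = @(Invoke-SqlText $server $db $check)
            "{0}`t{1}`t{2}" -f $server, $db, $hits.Count
        }
    } catch {
        Write-Warning $_.Exception.Message
        $failed++
    }
}
exit $failed   # a non-zero exit code tells the calling job that an instance failed
```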

            • 3. Re: Is it possible to run remediation using NSH for Windows?
              Steffen Kreis

              Just a quick thought..... Do you really remediate something here? As it looks to me that you are just querying stuff.

              Why can't you run that against all your Windows targets straight away with some additional logic that detects if a SQL Server is installed at all?

              • 4. Re: Is it possible to run remediation using NSH for Windows?

                The script is just copied from the NSH that I used to perform queries on the target SQL server for the compliance check. For remediation, the SELECT statement will be replaced by an ALTER statement or REVOKE statement etc. I was just trying to use it to show what logic I would like to achieve when using BladeLogic on the SQL server. The NSH did the job in a nutshell, fast and easy, while I spent one night troubleshooting the PowerShell script over using an escape character on the dollar sign when executing an external DOS command. What a pity...

                 

                NSH is the only way I can achieve my target, so all I can do is perform remediation by running the NSH script depot job separately instead of creating the remediation in the compliance template. It looks a little bit ugly and stupid but at least it gets the job done. But of course it would look much better to customers if it could be embedded into the compliance template. I can only hope the customer will not blame me for this. God bless me......

                 

                I really really hope NSH can be used for remediation in a future release, because the scripting languages (DOS, VBScript, PowerShell) in Windows are not industry standard and have limited functions compared to Unix-like scripts (you know how powerful awk and sed are). If NSH could be used for remediation, the development time for automation with BladeLogic on Windows servers would become much, much less.

                • 5. Re: Is it possible to run remediation using NSH for Windows?
                  Steffen Kreis

                  Puhhhh....

                  I don't want to kick off a fundamental debate about which Shell is better to achieve what you are looking for.

                   

                  You should at least raise an RFE with support, or create an idea here on the community.

                   

                  Steffen