Understanding the output

With UNIX content, endpoint scans are accomplished by a series of UNIX Bourne shell scripts that provide greater accessibility to UNIX system administrators.

With most BigFix content, Fixlets constantly evaluate conditions on each endpoint. The console shows the results when the relevance clause of the Fixlet evaluates to true.

With UNIX content, a task initiates a scan of the endpoints, which can be run on an ad hoc basis each time a scan is required. It can also be run as a recurring policy from the console.

The endpoint scan is accomplished by a series of UNIX Bourne shell scripts. While each script runs, it detects a setting or condition. The script writes the information to an output file that is made available to the corresponding Fixlet check for evaluation. When the log files are written to disk, the Fixlets read each log file and show the results in the console. Although the result is similar, this method of detection provides greater accessibility to UNIX system administrators.

After you run the Deploy and Run Security Checklist task, the scripts are in a directory under /var/opt/BESClient/SCM (/var/opt/BESClient is the <BES Client Folder> referred to in Table 1).

The following image is a graphical representation of the directory structure.

Table 1. Description of directories, subdirectories, and files

Directory/Script Description
<BES Client Folder>/SCM This directory is the base directory for the OS-specific check scripts and the master script (runme.sh). The contents of this directory are overwritten each time the 'Deploy and Run Security Checklist' task is run from the Endpoint Manager console.
../SCM/util A subdirectory of <BES Client Folder>/SCM that contains utility scripts used by the master script and by the individual detection and remediation scripts. The primary utility in this directory is the 'globalfind' script.
../SCM/$OS/$OS_version This directory is specific to the platform on which it runs, as identified by $OS and $OS_version. For example, Red Hat Enterprise Linux 4 shows as ../SCM/Linux/4. It contains the detection scripts, the remediation scripts, and the base parameter file (params) that the scripts read. Each check script is named with the control ID of the check it implements, and the corresponding Fixlet references the same check ID.
../SCM/runme.sh The master script that is called by the Deploy and Run Security Checklist task from the Endpoint Manager console. It runs the 'globalfind' script and then the individual check scripts.
../SCM/mytmp/results The folder where the OS-specific detection scripts write their log and results files. The Fixlets examine these files to determine whether a check is compliant or non-compliant. Each file is named after the check ID of the corresponding check.
../SCM/mytmp/data This folder contains the find.out file, generated by the globalfind script, which holds a directory listing of all local file systems and other information. Many of the OS-specific scripts read this file, and it is updated only when the globalfind script is run.
<BES Client Folder>/scm_preserve The base directory that retains rollback scripts, custom checks, parameters, and other information that is not intended to be overwritten each time the 'Deploy and Run Security Checklist' task is run.
../scm_preserve/backup/rollback Each time a remediation script is run, a corresponding rollback script is created here. The rollback script lets the administrator restore the previous setting associated with the specific check.
../scm_preserve/$OS/$OS_version This directory can contain custom scripts written by the administrator rather than provided by Endpoint Manager. Scripts in this directory must conform to the input and output specifications of the out-of-the-box checks, and they are run alongside those checks when the 'Deploy and Run Security Checklist' task is run.
../scm_preserve/$OS/$OS_version/customer_params This file stores any custom parameters defined by the administrator. Parameters defined in this file override the defaults in the params file stored in <BES Client Folder>/SCM/$OS/$OS_version/params.

Each operating system-specific script writes two files in /var/opt/BESClient/SCM/mytmp/results. The file names correspond to the name of the OS-specific script. For example, GEN000020.detect writes GEN000020.detect.log and GEN000020.results.

The file with the .log extension contains the STDOUT and STDERR of the operating system-specific script. Under normal conditions, this file is empty. When runme.sh is run with the -t option, this file contains the trace output of the operating system-specific script.

When a .results file is created, it is read by the corresponding Fixlet and the result becomes available in the Endpoint Manager console. The Fixlet examines the [STATUS] section to determine relevance.

The following is an example of a results file:

[RUN_DATE]
01 Apr 2008
[RUN_DATE_EOF]
[DESCRIPTION]
The UNIX host is configured to require a password for access to single-user 
and maintenance modes
[DESCRIPTION_EOF]
[FIXLET_DESCRIPTION]
This UNIX host is not configured to require a password for access to single-user
and maintenance modes
[FIXLET_DESCRIPTION_EOF]
[CHECK_COVERAGE]
DISA-STIG-GEN000020
[CHECK_COVERAGE_EOF]
[STATUS]
PASS
[STATUS_EOF]
[PARAMETERS]
CONFIG_FILE=/etc/default/sulogin;SETTING=PASSREQ;OP='=';VALUE=NO
[PARAMETERS_EOF]
[TIMETAKEN]
0
[TIMETAKEN_EOF]
[REASON]
The /etc/default/sulogin file does not exist, the system will default to
requiring a password for single-user and maintenance modes
[REASON_EOF]

Each of the sections found within the results file is described in the following table:

Table 2. Descriptions of sections found within the results file

Section Name Description
[RUN_DATE] Contains the date on which the script was run.
[DESCRIPTION] and [FIXLET_DESCRIPTION] Deprecated; no longer used.
[CHECK_COVERAGE] Contains the names of the regulations to which this Fixlet applies. Deprecated; no longer used.
[STATUS] Used by the associated Fixlet to determine relevance. Contains one of the strings PASS, FAIL, or NA. If this section contains FAIL, the associated Fixlet becomes relevant.
[PARAMETERS] Contains the parameters passed to the script. When the script writes this file, the spaces between parameters are converted to semicolons for display, so the line does not show how the parameters are actually set.
[TIMETAKEN] Contains the number of seconds of wall-clock time that the script took to run.
[REASON] Contains a description of why the check passed or failed. This section provides the information needed to construct analysis properties and return check-specific detail to the Endpoint Manager console.

The runme.sh script also creates a file containing the overall results of running the various OS-specific scripts.

This file, named /var/opt/BESClient/SCM/mytmp/results/master.results, displays as follows:

TOTAL_SCRIPTLETS_RUN:69
TOTAL_SCRIPTLETS_PASS:33
TOTAL_SCRIPTLETS_FAIL:36
TOTAL_SCRIPTLETS_NA:0
TOTAL_SCRIPTLETS_ERR:0
TOTAL_TIME_TAKEN:1367
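The results file layout shown above and the master.results roll-up are simple enough to parse with the same tools the check scripts use. The following POSIX sh script is an added example, not code from BigFix or from this page. It builds three constructed results files in a temporary directory standing in for /var/opt/BESClient/SCM/mytmp/results (the GEN000020 file is copied from the example above, minus the deprecated sections; EXAMPLE0001 and EXAMPLE0002 are made-up check IDs trimmed to the sections the functions read), extracts a section by its [NAME]/[NAME_EOF] markers, derives relevance from [STATUS] the way the Fixlets do (FAIL means relevant), and recomputes the master.results totals. Two points are assumptions: a missing or unrecognised [STATUS] is counted under TOTAL_SCRIPTLETS_ERR, and master.results is skipped because it sits in the same directory and matches *.results.

```sh
#!/bin/sh
# Added example: parse SCM .results files and roll them up like master.results.
# Constructed sample data in a temporary directory that stands in for
# /var/opt/BESClient/SCM/mytmp/results.
SCM_RESULTS_DIR=$(mktemp -d)

# GEN000020: the results file shown on this page (STATUS PASS).
cat > "$SCM_RESULTS_DIR/GEN000020.results" <<'EOF'
[RUN_DATE]
01 Apr 2008
[RUN_DATE_EOF]
[CHECK_COVERAGE]
DISA-STIG-GEN000020
[CHECK_COVERAGE_EOF]
[STATUS]
PASS
[STATUS_EOF]
[PARAMETERS]
CONFIG_FILE=/etc/default/sulogin;SETTING=PASSREQ;OP='=';VALUE=NO
[PARAMETERS_EOF]
[TIMETAKEN]
0
[TIMETAKEN_EOF]
[REASON]
The /etc/default/sulogin file does not exist, the system will default to
requiring a password for single-user and maintenance modes
[REASON_EOF]
EOF

# EXAMPLE0001 / EXAMPLE0002: made-up check IDs, trimmed to the sections read below.
cat > "$SCM_RESULTS_DIR/EXAMPLE0001.results" <<'EOF'
[STATUS]
FAIL
[STATUS_EOF]
[TIMETAKEN]
5
[TIMETAKEN_EOF]
[REASON]
Constructed failing check
[REASON_EOF]
EOF
cat > "$SCM_RESULTS_DIR/EXAMPLE0002.results" <<'EOF'
[STATUS]
NA
[STATUS_EOF]
[TIMETAKEN]
2
[TIMETAKEN_EOF]
EOF

# scm_section FILE NAME: print the lines between [NAME] and [NAME_EOF].
scm_section() {
    awk -v s="$2" '
        $0 == "[" s "_EOF]" { inside = 0 }
        inside               { print }
        $0 == "[" s "]"      { inside = 1 }
    ' "$1"
}

# scm_status FILE: PASS, FAIL or NA from [STATUS]; anything else is reported
# as ERR (assumed to be what TOTAL_SCRIPTLETS_ERR in master.results counts).
scm_status() {
    st=$(scm_section "$1" STATUS | sed -n '1p' | tr -d ' \t\r')
    case "$st" in
        PASS|FAIL|NA) printf '%s\n' "$st" ;;
        *)            printf 'ERR\n' ;;
    esac
}

# scm_relevant FILE: succeed when the Fixlet would be relevant, i.e. STATUS is FAIL.
scm_relevant() {
    [ "$(scm_status "$1")" = FAIL ]
}

# scm_master_results DIR: the totals runme.sh writes to master.results.
# master.results itself matches *.results, so it is skipped; otherwise a second
# run would count it as a check and report it as ERR.
scm_master_results() {
    run=0; pass=0; fail=0; na=0; err=0; total_time=0
    for f in "$1"/*.results; do
        case "$f" in */master.results) continue ;; esac
        [ -f "$f" ] || continue
        run=$((run + 1))
        case "$(scm_status "$f")" in
            PASS) pass=$((pass + 1)) ;;
            FAIL) fail=$((fail + 1)) ;;
            NA)   na=$((na + 1)) ;;
            *)    err=$((err + 1)) ;;
        esac
        t=$(scm_section "$f" TIMETAKEN | sed -n '1p' | tr -dc '0-9')
        total_time=$((total_time + ${t:-0}))
    done
    printf 'TOTAL_SCRIPTLETS_RUN:%d\nTOTAL_SCRIPTLETS_PASS:%d\nTOTAL_SCRIPTLETS_FAIL:%d\n' "$run" "$pass" "$fail"
    printf 'TOTAL_SCRIPTLETS_NA:%d\nTOTAL_SCRIPTLETS_ERR:%d\nTOTAL_TIME_TAKEN:%d\n' "$na" "$err" "$total_time"
}

# Write the roll-up where runme.sh would, then list the relevant (FAIL) checks
# with the first line of their [REASON], which is what an analysis property shows.
scm_master_results "$SCM_RESULTS_DIR" > "$SCM_RESULTS_DIR/master.results"
for f in "$SCM_RESULTS_DIR"/*.results; do
    case "$f" in */master.results) continue ;; esac
    name=${f##*/}; name=${name%.results}
    scm_relevant "$f" && printf 'relevant: %s -- %s\n' "$name" "$(scm_section "$f" REASON | head -n 1)"
done
```

On a real endpoint, point SCM_RESULTS_DIR at /var/opt/BESClient/SCM/mytmp/results instead of the temporary directory; the functions only read the files, so they can be run beside a scan without disturbing what the Fixlets evaluate.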