Scripts

The Scripts category makes it possible for you to upload scripts into the Security Auditor console and run them as part of your compliance checks. Running your existing scripts through the Security Auditor for AIX console allows administrators to consolidate scripts in a central location and keep track of the last time they were run as well as take advantage of Security Auditor’s reporting functions. The Scripts category shares the same features as other categories. The compliance status of each script run through Security Auditor is reflected in the console, included in Security Auditor reports and can be invoked through the integrated cron function.

The scripts run during a compliance check (CheckIt) are typically scripts written by administrators to view server configuration elements or the state of a server, but in practice they can be any script you want to run through Security Auditor and have the results reported in the console.

Defining a Script Policy

Defining a script policy is a two-step process.

Step 1: Before a script policy can be defined, the script(s) must be uploaded to the server on which the Security Auditor console is running. On a Windows console, go to Admin Tasks > Scripts > Upload to upload the script from your desktop.

Or, when running an AIX or Linux console, you can place the scripts in the following directory (where Security Auditor was installed):

…/PowerTech/SecurityAuditor/tomcat/webapps/securityauditor/scripts

Once a script has been uploaded or placed directly into the scripts directory, it will appear as a selection for the CheckIt script and FixIt script when defining a Script Policy.

Step 2: Once a script has been uploaded to the console, you can define a Script Policy. Go to Servers and Policies > [server] > Scripts and click New to get started.

The Policy Value is the result you expect the script to produce. Specify the Data Type that is appropriate for this result. When a compliance check is run on this script policy, the result of running the script is compared against the value you specify in the Policy Value field. If they are equal, the policy is compliant; if they are not, the script policy is out of compliance.

NOTE: a valid result of running a script may be nothing (no value). In this case, leave the Policy Value field blank.

Data types may be String, Integer, Boolean or Date.

  • String values can be literal or regular expressions.
  • The syntax for regular expressions follows a standard and is documented in the dialog. The documentation can be viewed in a popup dialog by clicking on the icon.
  • Integer values can be a specific value, a range, or a list of ranges and specific values. The syntax for integers is also documented in the popup dialog.
  • A Boolean value is considered true if it matches (ignoring case) any of the values "true", "t", "yes", "y" or "on" or if the value can be parsed as a number and does not equal zero.
  • Date values can be a specific date, a before date, an after date or a date range.

Click on the CheckIt Script drop down to choose the script.

If the script requires arguments to be passed in, specify those in the Arguments field.

Running a Compliance Check

When a compliance check (CheckIt) is run, the Policy Value is compared to the value returned by the script. If the value returned by the script (called the Server Value in the script policy) matches the Policy Value, the policy is compliant. If they don't match, the policy is out of compliance (non-compliant).

Notes:

  • The line returned by the script is compared to the policy value to determine compliance status.
  • A valid result of running a script may be nothing or a blank result. When this is the case, the Policy Value field should be left empty (blank).
  • If multiple values are checked, they must be rolled up into a single line.
  • A script may be given one or more arguments to be passed when invoked.
  • When a script policy is run during the compliance check, the script is first transferred to the server using scp, run, then deleted from the server. Because a script placed on the console is copied to and executed on every server whose policy uses it, treat the console's scripts directory as sensitive and restrict who can modify its contents.
  • See the Return Codes section (below) for considerations when using return codes in your script.
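As an added, illustrative example (not a script shipped with Security Auditor), the following POSIX shell CheckIt script follows the rules above: it takes its inputs from the Arguments field, rolls several checked values into a single output line, and uses exit codes in the way described under Return Codes below. The script name, the sshd_config keywords chosen, the /etc/ssh/sshd_config path and the suggested Policy Value are all assumptions made for the example.

```shell
#!/bin/sh
# sshd_settings_check.sh  (added example, not a Security Auditor script)
#
# CheckIt script for a Security Auditor Script Policy.  Reports the effective
# value of one or more sshd_config keywords as ONE line, because the console
# compares only a single returned line against the Policy Value.
#
# Usage:  sshd_settings_check.sh CONFIG_FILE KEYWORD [KEYWORD ...]
# Output: KEYWORD=value[,KEYWORD=value...]   ("unset" when a keyword is absent)
# Exit:   0 = ran successfully (console compares the output to the Policy Value)
#         2 = CONFIG_FILE not readable (map this code to a message on the
#             Return Codes panel; the policy is then non-compliant regardless
#             of the output)
#
# Suggested policy (assumed):  Data Type String,
#   Policy Value  PermitRootLogin=no,PasswordAuthentication=no
#   Arguments     /etc/ssh/sshd_config PermitRootLogin PasswordAuthentication

# Effective value of one keyword: sshd honours the first uncommented occurrence.
# Limitation of this example: Match blocks and Include directives are ignored.
sshd_value() {
    awk -v key="$2" '
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Roll several keyword checks into one comma-separated line.
sshd_settings_check() {
    cfg=$1
    shift
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    line=""
    for key in "$@"; do
        line="${line:+$line,}$key=$(sshd_value "$cfg" "$key")"
    done
    printf '%s\n' "$line"
    return 0
}

if [ $# -ge 2 ]; then
    # Invoked by Security Auditor with the contents of the Arguments field.
    sshd_settings_check "$@"
    exit $?
fi

# No arguments: self-demonstration against a constructed sample file.
demo=$(mktemp)
cat >"$demo" <<'EOF'
# constructed sample sshd_config (not a real server's file)
Port 22
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
EOF
sshd_settings_check "$demo" PermitRootLogin PasswordAuthentication
# prints: PermitRootLogin=no,PasswordAuthentication=yes
rm -f "$demo"
```

With the assumed policy above, the sample output would be non-compliant because PasswordAuthentication is still "yes". If some variation in the returned line is acceptable, set the Data Type to String and give a regular expression as the Policy Value instead of a literal. Run with no arguments, the script exercises itself against the constructed sample file.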

Running FixIt

You can enable FixIt for a Script Policy. If you check the Enable FixIt box, the FixIt Script field appears and you select the script to run when FixIt is run for this policy. When selecting the script for FixIt, you are not prompted for a Policy Value, since FixIt is intended to change the server configuration or state to a compliant value and there will usually be no result expected from running the FixIt script.

Return Codes

By convention, a return code of 0 from a script indicates success and any non-zero numeric value indicates a specific error condition. On the Return Codes panel, codes can be associated with strings that are shown when a script run returns that code. The associated strings are also shown in Security Auditor reports. A script policy is considered compliant only when the script returns a success code AND the returned value matches the Policy Value. A return code of 0 is pre-defined for both CheckIt and FixIt.
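As an added example (not code from the product), here is a FixIt script for a policy that requires one sshd_config keyword to hold a given value. It prints nothing, is safe to run repeatedly, and exits 0 only after verifying the result, so that its non-zero codes can be mapped to messages on the Return Codes panel. The script name, the exit code values and the /etc/ssh/sshd_config path are assumptions for the example; reloading sshd after the edit is deliberately left to the administrator.

```shell
#!/bin/sh
# sshd_setting_fix.sh  (added example, not a Security Auditor script)
#
# FixIt script: force KEYWORD to VALUE in CONFIG_FILE.  Idempotent: a second
# run changes nothing.  Prints nothing on success, since no Policy Value is
# expected from a FixIt script.
#
# Usage: sshd_setting_fix.sh CONFIG_FILE KEYWORD VALUE
# Exit:  0 = the setting now has the requested value
#        2 = CONFIG_FILE not writable (or the rewrite failed)
#        3 = the edit was applied but verification failed
#
# Assumed Arguments field: /etc/ssh/sshd_config PermitRootLogin no
# Limitation of this example: Match blocks and Include directives are ignored.

sshd_setting_fix() {
    cfg=$1 key=$2 val=$3
    [ -w "$cfg" ] || { echo "cannot write $cfg" >&2; return 2; }
    tmp="$cfg.fixit.$$"
    # The first uncommented KEYWORD line (the one sshd honours) gets VALUE;
    # later duplicates are commented out so they cannot cause confusion;
    # if no uncommented line exists, one is appended.
    awk -v key="$key" -v val="$val" '
        tolower($1) == tolower(key) {
            if (!done) { print key " " val; done = 1 } else { print "#" $0 }
            next
        }
        { print }
        END { if (!done) print key " " val }
    ' "$cfg" >"$tmp" || { rm -f "$tmp"; return 2; }
    # Copy back into the existing file so its owner and mode are preserved.
    cat "$tmp" >"$cfg" && rm -f "$tmp"
    # Verify before reporting success.
    now=$(awk -v key="$key" 'tolower($1) == tolower(key) { print $2; exit }' "$cfg")
    [ "$now" = "$val" ] || return 3
    return 0
}

if [ $# -eq 3 ]; then
    # Invoked by Security Auditor with the contents of the Arguments field.
    sshd_setting_fix "$@"
    exit $?
fi

# No arguments: self-demonstration against a constructed sample file.
demo=$(mktemp)
printf '# constructed sample sshd_config\nPort 22\nPermitRootLogin yes\n' >"$demo"
sshd_setting_fix "$demo" PermitRootLogin no && grep -i '^PermitRootLogin' "$demo"
# prints: PermitRootLogin no
rm -f "$demo"
```

On the Return Codes panel, code 2 could be mapped to a string such as "sshd_config not writable" and code 3 to "edit did not take effect"; the pre-defined code 0 covers the successful case. A later CheckIt run, not the FixIt script itself, is what moves the policy back to compliant.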

Exporting and Importing Script Packages

You may want to use the same scripts on multiple Security Auditor consoles, or use scripts acquired elsewhere. In either case, use the Export / Import function of the Scripts category. This differs from the more general Export / Import policy function because it exports and imports both the script policy AND the scripts defined for the policy; this combination is called a script package.

To import a script package go to Admin Tasks > Scripts > Import Package.

NOTE: To import a script package, it must first be on the console.
  • For an AIX console, place the package in the following directory:
…/PowerTech/SecurityAuditor/tomcat/webapps/securityauditor/exports
  • For a Windows console, go to Admin Tasks > Scripts > Upload to upload it to the console.

Select the script package file to import and then select the servers to which the policy will be applied.

To export a script package, go to Admin Tasks > Scripts > Export Package.


Related Topics