
Arcsight Logger SUID / SGID


Hi,

We are currently trying to audit our Linux-based software VM Logger for SUIDs and SGIDs:

Model: Software VM Arcsight Logger, RHEL 7.4

Version: 6.6.0.8204

The audit output for identifying Linux SUIDs based on command

https://secscan.acron.pl/centos7/6/1/13

https://secscan.acron.pl/centos7/6/1/14

# df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000

# df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000

Produces the following ArcSight Logger output:

/opt/arcsight/current/arcsight/logger/bin/runner

/opt/arcsight/current/arcsight/logger/bin/retrievelogs

/opt/arcsight/current/arcsight/logger/bin/receiverstart

/opt/arcsight/current/local/monit/bin/monit

Not sure if these are the default / whitelisted SUIDs / SGIDs for the Logger.

Thanks!

Accepted Solutions
Micro Focus can officially verify the following are required for shared permissions:
Open a case with them if an official response is required.

For logger:

/opt/arcsight/current/arcsight/logger/bin/runner

/opt/arcsight/current/arcsight/logger/bin/retrievelogs

/opt/arcsight/current/arcsight/logger/bin/receiverstart

/opt/arcsight/current/local/monit/bin/monit

For ArcMC:

/opt/local/monit/bin/monit

/opt/arcsight/arcmc/bin/ae_emergency_restore

/opt/arcsight/arcmc/bin/retrievelogs

/opt/arcsight/arcmc/bin/runner

/opt/arcsight/arcmc/bin/receiverstart

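As an added example (not part of the original post and not code from Micro Focus or the Logger product), here is a small POSIX shell script that turns the audit in the question into a repeatable check: it enumerates SUID/SGID files on local filesystems the same way the df/find pipelines do and reports any path that is not in the allowlist above. The allowlist is the Logger list from the accepted answer; the /tmp/example_unexpected_suid entry in the sample data is constructed to show what a finding looks like. It assumes GNU df and find, as shipped with RHEL 7; find's -perm /6000 matches files with either the SUID or the SGID bit, so one pass replaces the two -perm -4000 / -perm -2000 runs.

```shell
#!/bin/sh
# Added example (not from the original post): compare the SUID/SGID files
# found on a Logger host against the allowlist given in the accepted answer.
# Needs GNU df/find, as on RHEL 7.

# Set-user-ID / set-group-ID binaries expected on a Logger appliance,
# taken from the accepted answer above (one absolute path per line).
LOGGER_ALLOWLIST='/opt/arcsight/current/arcsight/logger/bin/runner
/opt/arcsight/current/arcsight/logger/bin/retrievelogs
/opt/arcsight/current/arcsight/logger/bin/receiverstart
/opt/arcsight/current/local/monit/bin/monit'

# Constructed sample of scanner output for a dry run: the four expected
# paths plus one made-up entry that should be reported.
SAMPLE_FINDINGS="$LOGGER_ALLOWLIST
/tmp/example_unexpected_suid"

# scan_setid_files: print every regular file with the SUID or SGID bit set
# on each locally mounted filesystem. This merges the two df/xargs/find
# pipelines from the question into one pass: GNU find's -perm /6000 matches
# files with either bit set, where -perm -4000 / -perm -2000 match one each.
scan_setid_files() {
    df --local -P | awk 'NR != 1 { print $6 }' |
        while IFS= read -r mnt; do
            find "$mnt" -xdev -type f -perm /6000 2>/dev/null
        done
}

# unexpected_setid ALLOWLIST: read scanner output on stdin and print each
# path that is not an exact line of ALLOWLIST. Returns 0 when every found
# path is allowlisted, 1 otherwise, so it can drive a compliance check.
unexpected_setid() {
    allow="$1"
    status=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$allow" | grep -Fxq -- "$path"; then
            printf '%s\n' "$path"
            status=1
        fi
    done
    return "$status"
}

# Dry run on the constructed sample: prints /tmp/example_unexpected_suid
# and then the warning, because the function returns 1.
printf '%s\n' "$SAMPLE_FINDINGS" | unexpected_setid "$LOGGER_ALLOWLIST" ||
    echo "unexpected set-id files present"

# A live scan only runs when asked for explicitly, e.g.:
#   sh suid_audit.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_setid_files | unexpected_setid "$LOGGER_ALLOWLIST"
fi
```

For an ArcMC host, swap LOGGER_ALLOWLIST for the ArcMC list from the same answer. Keeping the allowlist in the script and checking exact paths (grep -Fx) means a new or renamed set-id binary shows up on the next run instead of being silently accepted.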