How to make the console connection on your ArcSight appliance useful.
Note: HP would prefer if you don't follow any of my tweaks as it appears they know nothing about Linux: how it works or how it interacts with their applications. That being said, tweak at your own risk =]
This tweak will allow you root shell access to the appliance when you console in (works if you remote console in as well) instead of that useless basic config interface it comes with.
This one is very simple: As root:
1) cat /etc/inittab
You will see a line with something like: SO:235:respawn:/sbin/agetty -ni -l/opt/arcsight/cli/cli.sh 9600 ttyS0
2) edit the file cli.sh
3) You'll see the last line as something like:
$JAVA_HOME/bin/java -cp $CPATH -DCOPYRIGHT=$COPYRIGHT -DPRODUCT="$PRODUCT" -DADDRESS=127.0.0.1 -DLOGDIR=$LOGDIR ........
4) Simply comment out the line (by putting a # in front of it)
5) Add a new line below (should be the last line of file):
6) Save the file and exit the editor
7) Lock the file
#>chattr +i /opt/arcsight/cli/cli.sh
8) cat the file just in case the ArcSight overlord was watching and verify the bash line is still there.
9) You're good to go. Test the console connection before logging off, just in case. You should get the AS banner then a root prompt.
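For anyone reviewing an appliance after a change like this, the following added example (not part of the original post) reports which inittab entries start agetty with -n and a -l program, whether that program's last active line is a shell, and whether the file is immutable. The function names and sample files are constructed for illustration; the post does not show the line added in step 5, so the stand-in cli.sh content is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit what a console login
# lands in when inittab starts agetty without a login prompt.

# Print "<tty> <program>" for each active inittab entry where agetty has
# -n (may be bundled, e.g. -ni) together with a -l login program.
autologin_entries() {
    awk '/^[ \t]*#/ { next }
    /agetty/ {
        cmd = $0; sub(/^[^:]*:[^:]*:[^:]*:/, "", cmd)   # keep process field only
        n = split(cmd, a, /[ \t]+/); nologin = 0; prog = ""; tty = ""
        for (i = 2; i <= n; i++) {
            if (a[i] == "-l")               prog = a[++i]
            else if (a[i] ~ /^-l./)         prog = substr(a[i], 3)
            else if (a[i] ~ /^-[a-zA-Z]*n/) nologin = 1
            else if (a[i] ~ /^tty/)         tty = a[i]
        }
        if (nologin && prog != "") print tty, prog
    }' "$1"
}

# "root-shell" if the script's last active line runs a shell, else "restricted".
# agetty is started by init, so whatever -l names runs as root.
console_verdict() {
    local cmd
    cmd=$(grep -Ev '^[[:space:]]*(#|$)' "$1" | tail -n 1 |
          awk '{ if ($1 == "exec") print $2; else print $1 }')
    case "${cmd##*/}" in
        sh|bash|dash|ksh|zsh) echo "root-shell" ;;
        *)                    echo "restricted" ;;
    esac
}

# True if the file carries the immutable attribute that chattr +i sets.
is_immutable() { lsattr -d "$1" 2>/dev/null | cut -d' ' -f1 | grep -q i; }

# Constructed sample files: the inittab line as the post shows it, and a
# stand-in cli.sh (hypothetical content) ending in a shell.
demo() {
    local d; d=$(mktemp -d)
    echo 'SO:235:respawn:/sbin/agetty -ni -l/opt/arcsight/cli/cli.sh 9600 ttyS0' > "$d/inittab"
    printf '%s\n' '#!/bin/sh' '# original java launcher commented out' '/bin/sh' > "$d/cli.sh"
    autologin_entries "$d/inittab"        # ttyS0 /opt/arcsight/cli/cli.sh
    console_verdict "$d/cli.sh"           # root-shell
    is_immutable "$d/cli.sh" && echo "immutable" || echo "not immutable"
    rm -rf "$d"
}
demo
```

On a real system, point `autologin_entries` at /etc/inittab and run `console_verdict` and `is_immutable` on each program it reports.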
Note: If you're nervous about security just remember that access trumps security.
Quick anecdote: one of my ArcSight appliances had some corrupted blocks on the HDD. In most Linux deployments this isn't a big deal as you can choose (or be forced) to verify and fix drive issues on boot. However, since AS is so locked down and restricted, you can't run fsck on reboot because it requires the root password. The root password is inaccessible as the account is locked by the AS overlord process. Special note: no, you cannot just boot into single-user mode from Grub because that's passworded too and it still requires the root password even after booting into SUM. I'd give you the Grub password but to be honest I forgot it (it was like: mainlin3 or something - hopefully they change it once in a while, which I doubt as the default root password is still arcsight or something like that). So long story short, I came up with the root password lock and console access tweaks to allow me to actually fix some basic issues with my appliance. I'll skip the long joke of a tale about how "helpful" HP support was for this.