VMware Cloud Community
steve_bailey
Contributor

How do I check the immutable flag using VCM?

So VCM is patching our Oracle Linux servers great now (thank you 5.7.2); however, there is an issue.

On some of our servers the immutable flag is set on grub.conf. This is simple to fix. Just do a "chattr -i /boot/grub.conf" and we're on our way.

I'm looking for a way to automate this....

How can I create a compliance template to run an lsattr command to check whether the immutable flag is set on /boot/grub.conf, and can I remediate that with a remote command?

Appreciate the help.

Steve


Accepted Solutions
admin
Immortal

Hi Steve,

First of all, there is no easy way in VCM (using the default file structure data class) to get extended file properties such as the immutable bit. VCM as of now collects only information that can be gathered using the ls command.

But VCM does facilitate something known as a Custom Information Type, which can be leveraged to execute system commands and parse command output to utilize the data for compliance. However, please note that such data would *NOT* be available for automatable remediation. If you are ok, read further:

I assume this is for the /boot/grub/grub.conf file only. I also assume that you are on VCM 5.7.2.

This would require the steps below:

1) Create a Custom Information Type (CIT)

2) Collect data using the Custom Information Data class on the /boot/grub/grub.conf file

3) Verify data collection in VCM console | Unix | Custom Information Node

4) Write Compliance Rule and run the template

5) Verify results

These steps are outlined in the attachment. Please let me know if you would require any other information.

Thanks and regards,

Pravin Goyal

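The kind of check a collection script could run for the immutable flag, as an added example that is not part of the original thread or of the attachment it mentions. The function names and the `immutable=yes|no|unknown` output line are assumptions for illustration, not a format VCM requires; the sample lsattr lines in the comments are constructed.

```shell
#!/bin/sh
# Added example: report whether the immutable attribute is set on a file,
# based on `lsattr -d` output. The key=value output is an assumed format.

# parse_lsattr_line LINE -> prints yes | no | unknown
# LINE is one line of lsattr output: "<attribute field> <path>", e.g.
#   ----i--------e-- /boot/grub/grub.conf     (constructed sample)
parse_lsattr_line() {
    case $1 in
        *' '*) ;;                        # need both a field and a path
        *) echo unknown; return 0 ;;
    esac
    flags=${1%% *}                       # first space-delimited field
    case $flags in
        ''|*[!A-Za-z-]*) echo unknown ;; # error text, not an attribute field
        *i*)             echo yes ;;     # 'i' = immutable
        *)               echo no ;;
    esac
}

# check_immutable PATH -> prints "path=PATH immutable=STATE"
# STATE stays "unknown" when lsattr is missing, the file cannot be read,
# or the filesystem does not support attributes (empty or error output).
check_immutable() {
    target=$1
    state=unknown
    if command -v lsattr >/dev/null 2>&1; then
        # -d: report on the path itself, even if it is a directory
        if line=$(lsattr -d -- "$target" 2>/dev/null); then
            state=$(parse_lsattr_line "$line")
        fi
    fi
    echo "path=$target immutable=$state"
}

# Run against a path when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_immutable "$1"
fi
```

Reporting `unknown` separately from `no` keeps a failed collection from being read as a compliant result.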