Re: Running an "application" within HPSA (769 Views)
Regular Advisor
Bertram Fukuda
Posts: 107
Registered: ‎11-30-2009
Message 1 of 11 (813 Views)
Accepted Solution

Running an "application" within HPSA

We're working with a government customer. We are in the process of a huge security review of all our systems using a DISA compliance scanning tool called SECSCN - we're running v6.3. They want to know if we can get HPSA to run SECSCN. Basically, SECSCN is a script that calls other scripts (shell/perl) based on OS, Organization etc.  Any ideas?

 

Thanks,

Bert

Trusted Contributor
DBR
Posts: 211
Registered: ‎07-29-2010
Message 2 of 11 (786 Views)

Re: Running an "application" within HPSA

Bert,

Is it really just a script? Where are the other scripts located? Are they already on the servers? You can import the scripts into HPSA and then either create a software policy to add them to the servers and then you could use an audit policy to set them up to run.

Don
Valued Contributor
Dimiter Todorov
Posts: 109
Registered: ‎03-02-2010
Message 3 of 11 (780 Views)

Re: Running an "application" within HPSA


If you have OGFS / OGSH enabled with a user that can impersonate root, then that would be the easiest way of running SECSCN. If not, you would have to use the Audit/Snapshot mechanism I think.

 

Your script would do something like this:

1. Enumerate target servers.

2. Copy SECSCN tarball using OGFS onto all target servers.

3. Execute SECSCN as you would locally, using rosh.

4. Create tarball of SECSCN results and copy from target server to OGFS local folder or to another remote server.

 

For example, here is a simple script that copied a file from a local server to a group of target servers.

Using this sort of for loop makes a task like SECSCN scanning really simple.

 

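#!/bin/bash
# Copy one file from a source server to every server in a device group via OGFS.

# OGFS view of the servers in the target device group.
GROUP="/opsw/Group/Public/Customer Groups/TOOLS/TOOLS_ROOT/HPSA_SERVERS/ALL_HPSA_SATELLITES/@/Server"

# Fetch the file from the source server and convert CRLF line endings.
cp -f /opsw/Server/@/WIN-VD-TEST/files/LOCALSYSTEM/L/RUBYDEV/feb2013/sasync/migration_files/Host_PortFile.txt ~/
dos2unix ~/Host_PortFile.txt

# Push the converted file to each server in the group (written as root on the target).
for n in $(ls "$GROUP")
do
        echo "$n"
        cp -r -f ~/Host_PortFile.txt "$GROUP/$n/files/root/var/opt/opsware/its/port_test/"
done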

 

Regular Advisor
Bertram Fukuda
Posts: 107
Registered: ‎11-30-2009
Message 4 of 11 (775 Views)

Re: Running an "application" within HPSA

Don,

  Is it really just a script?

It's not just a script but a suite of scripts and associated files.  You run Start-SECSCN.sh, it asks a couple of questions (location for reports & organization) and based on those answers and the OS it calls all the other required scripts.  When the script completes it creates a set of reports.

 

Where are the other scripts located? 

 The entire suite is contained in a tar ball in /var/tmp/ on the HPSA server.  Not sure if that answers your question though.  

Are they already on the servers? 

  No

 

Thanks,
Bert

Trusted Contributor
DBR
Posts: 211
Registered: ‎07-29-2010
Message 5 of 11 (769 Views)

Re: Running an "application" within HPSA

Bert,

You can import the tar ball into HPSA and then use a software policy to do the install.

You can use OGFS to run the Start-SECSCN.sh script. Does the script allow you to pass in the answers to the questions? Where do you get the organization from?


cd /opsw/api/com/opsware/script/ServerScriptService/method && ./.startServerScript:i self:n=$sunScript "args={timeOut=10240000 tailOutputSize=10000 targets:i=com.opsware.device.DeviceGroupRef:$deviceGroupID parameters='$imID'}" "userTag=$imID" | awk '{print $2}' FS=":"

Something like the above.

Don


Regular Advisor
Bertram Fukuda
Posts: 107
Registered: ‎11-30-2009
Message 6 of 11 (747 Views)

Re: Running an "application" within HPSA

Don,

  This might be the way to go.  I'll give it a go over the next few days as time allows.

Thanks,
Bert

Regular Advisor
Bertram Fukuda
Posts: 107
Registered: ‎11-30-2009
Message 7 of 11 (741 Views)

Re: Running an "application" within HPSA

Humm - So I imported my zip file, created a SW policy but can't seem to get it to install the zip.  Is there some "magic" I'm missing?

 

Thanks,

Bert

Regular Advisor
Bertram Fukuda
Posts: 107
Registered: ‎11-30-2009
Message 8 of 11 (716 Views)

Re: Running an "application" within HPSA

So I was able to get a SW policy to install my zip file and used the post-installation script to run the Start-SECSCN.sh script.  Now all I need to do is get the resulting report tar file back to my core server.  I'm thinking an OGFS script would be best but honestly don't know where to start.  Any help would be greatly appreciated.

 

Thanks,
Bert

Trusted Contributor
DBR
Posts: 211
Registered: ‎07-29-2010
Message 9 of 11 (709 Views)

Re: Running an "application" within HPSA

Bert,

How big is your report tar file? You do not want to use OGFS to move large files. The HPSA documentation says to only use it to move files like configuration files. We have set a 2MB limit for our users. If the files aren't that big then OGFS is the way to go.

Don
Regular Advisor
Bertram Fukuda
Posts: 107
Registered: ‎11-30-2009
Message 10 of 11 (702 Views)

Re: Running an "application" within HPSA

Humm, our files are between 4M-5M. Are those too big for OGFS?  If so, what are the other options for getting the files to the core server?

 

 

Trusted Contributor
DBR
Posts: 211
Registered: ‎07-29-2010
Message 11 of 11 (694 Views)

Re: Running an "application" within HPSA

I would go ahead and try it and see what the impact is to your core.  If you do one at a time it might be ok.

 

Don
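
Added example (not part of any post in this thread, and not HP code): one way to do the report-collection step discussed above, pulling each server's report tarball through OGFS one server at a time, with a size cap and an integrity check before the file is accepted. The group path, the report location and the function name are assumptions; the default cap is the 2 MB figure mentioned in the thread.

```bash
#!/bin/bash
# Added example, not from the thread. Intended for an OGSH session.
# GROUP_DIR and REPORT_REL are hypothetical: point them at your own device
# group and at wherever Start-SECSCN.sh was told to write its report tarball.
GROUP_DIR="${GROUP_DIR:-/opsw/Group/Public/SECSCN_TARGETS/@/Server}"
REPORT_REL="${REPORT_REL:-files/root/var/tmp/secscn_report.tar}"
DEST_DIR="${DEST_DIR:-$HOME/secscn_reports}"
MAX_BYTES="${MAX_BYTES:-2097152}"   # 2 MB, the per-file limit quoted in the thread

collect_reports() {
    COPIED=0; SKIPPED=0
    umask 077                        # scan findings are sensitive: owner-only files
    mkdir -p "$DEST_DIR" || return 1
    for dir in "$GROUP_DIR"/*/; do   # sequential: one transfer at a time
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        src="$dir$REPORT_REL"
        dst="$DEST_DIR/$name.tar"
        if [ ! -f "$src" ]; then
            echo "SKIP $name: no report found"
            SKIPPED=$((SKIPPED + 1)); continue
        fi
        # Size comes from file metadata, so an oversized report is skipped
        # without copying it.
        size=$(ls -ln "$src" | awk '{print $5}')
        if [ "$size" -gt "$MAX_BYTES" ]; then
            echo "SKIP $name: $size bytes exceeds limit of $MAX_BYTES"
            SKIPPED=$((SKIPPED + 1)); continue
        fi
        # Copy to a temporary name; publish only if the byte count matches
        # the source and the archive lists cleanly.
        if cp -f "$src" "$dst.part" \
           && [ "$(wc -c < "$dst.part" | tr -d ' ')" -eq "$size" ] \
           && tar -tf "$dst.part" > /dev/null 2>&1; then
            mv -f "$dst.part" "$dst"
            echo "OK   $name: $size bytes"
            COPIED=$((COPIED + 1))
        else
            rm -f "$dst.part"
            echo "FAIL $name: copy incomplete or not a valid tar archive"
            SKIPPED=$((SKIPPED + 1))
        fi
    done
    echo "copied=$COPIED skipped=$SKIPPED"
}

# Invoke as: ./collect_reports.sh --run
if [ "${1:-}" = "--run" ]; then collect_reports; fi
```

Raise MAX_BYTES (for example MAX_BYTES=6291456) only after checking the impact on the core, since the loop deliberately never runs two transfers in parallel.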

 
