I am trying to make a fixlet that simply runs an SH script we have on our Macs using BigFix. The script is to fix an OSSEC issue we are having. I have been pushing the script to our Macs via a Centrify GPO setting and hoping to execute the script using a BigFix fixlet; however, I cannot seem to get it to run no matter what I try for the action script part of the fixlet. The fixlet is showing up as relevant on our Macs; it is just failing when we run it. Here are some examples of the actions I have tried:
Thanks. I tried that and it is still failing. I looked at the client log and it seems like it’s still having trouble with the fixlet script, or is it having trouble running the SH script? I’m not too sure. I had to remove the https because it wouldn’t let me post more than 2 URLs.
At 11:47:41 -0500 - mailboxsite (FQDN:52311/cgi-bin/bfgather.exe/mailboxsite14351330)
Relevant - OSSEC Fix for Macs (fixlet:224278)
At 11:47:41 -0500 -
ActionLogMessage: (action:224278) Action signature verified for Execution
ActionLogMessage: (action:224278) starting action
At 11:47:42 -0500 -
Report posted successfully
At 11:47:42 -0500 - actionsite (FQDN:52311/cgi-bin/bfgather.exe/actionsite)
Error executing script /Library/Application Support/BigFix/BES Agent/__BESData/__bes4: internal error
At 11:47:42 -0500 -
ActionLogMessage: (action:224278) ending action
At 11:47:42 -0500 - mailboxsite (FQDN:52311/cgi-bin/bfgather.exe/mailboxsite14351330)
Not Relevant - OSSEC Fix for Macs (fixlet:224278)
At 11:48:59 -0500 -
Report posted successfully
Hey Tim thanks. I did just try that but we also were sending the file via the Centrify GPO as root wheel with read, execute permissions.
-rwxrwxrwx 1 root wheel 377 Mar 9 10:57 OSSEC_FIX.sh
We do seem to be getting somewhere, though. Now it seems like it’s trying to run, but we are seeing this error in the log now.
Error executing script /Library/Application Support/BigFix/BES Agent/__BESData/__bes8: internal error
Error executing script /Library/Application Support/BigFix/BES Agent/__BESData/__bes9: internal error
At 14:38:03 -0500 - mailboxsite (FQDN:52311/cgi-bin/bfgather.exe/mailboxsite14351330)
Not Relevant - OSSEC Fix for Macs (fixlet:224282)
The relevance clause we are using for the fixlet is pretty simple and the Mac is showing the fixlet as relevant so I’m not sure what that Not Relevant line is about:
(version of client >= "6.0.0.0") AND (exists true whose (if true then (exists (operating system) whose (it as string as lowercase contains "Mac OS X" as lowercase)) else false))
The whole log around this is below:
At 14:37:48 -0500 -
GatherHashMV command received.
At 14:37:53 -0500 - mailboxsite (FQDN:52311/cgi-bin/bfgather.exe/mailboxsite14351330)
Downloaded 'FQDN:52311/mailbox/files/5b/91/5b91fe123b9f75506b417ca86c39726ec08c2...' as 'Action 224282.fxf'
Gather::SyncSiteByFile adding files - count: 1
At 14:37:53 -0500 -
Successful Synchronization with site 'mailboxsite' (version 25) - 'FQDN:52311/cgi-bin/bfgather.exe/mailboxsite14351330'
At 14:37:54 -0500 -
Processing action site.
ForceRefresh command received. Version difference, gathering action site.
At 14:37:59 -0500 -
Successful Synchronization with site 'actionsite' (version 264731) - 'FQDN:52311/cgi-bin/bfgather.exe/actionsite'
Gathering all operator/mailbox sites.
At 14:38:00 -0500 -
Successful Synchronization with site 'mailboxsite' (version 25) - 'FQDN:52311/cgi-bin/bfgather.exe/mailboxsite14351330'
Successful Synchronization with site 'opsite125' (version 164887) - 'FQDN:52311/cgi-bin/bfgather.exe/opsite125'
Successful Synchronization with site 'opsite127' (version 232001) - 'FQDN:52311/cgi-bin/bfgather.exe/opsite127'
Successful Synchronization with site 'opsite128' (version 158913) - 'FQDN:52311/cgi-bin/bfgather.exe/opsite128'
At 14:38:01 -0500 -
Successful Synchronization with site 'opsite131' (version 222965) - 'FQDN:52311/cgi-bin/bfgather.exe/opsite131'
Successful Synchronization with site 'opsite132' (version 222966) - 'FQDN:52311/cgi-bin/bfgather.exe/opsite132'
At 14:38:02 -0500 -
Report posted successfully
At 14:38:02 -0500 - mailboxsite (FQDN:52311/cgi-bin/bfgather.exe/mailboxsite14351330)
Relevant - OSSEC Fix for Macs (fixlet:224282)
At 14:38:02 -0500 -
ActionLogMessage: (action:224282) Action signature verified for Execution
ActionLogMessage: (action:224282) starting action
At 14:38:03 -0500 - actionsite (FQDN:52311/cgi-bin/bfgather.exe/actionsite)
Error executing script /Library/Application Support/BigFix/BES Agent/__BESData/__bes9: internal error
At 14:38:03 -0500 -
ActionLogMessage: (action:224282) ending action
At 14:38:03 -0500 - mailboxsite (FQDN:52311/cgi-bin/bfgather.exe/mailboxsite14351330)
Not Relevant - OSSEC Fix for Macs (fixlet:224282)
At 14:38:54 -0500 -
ForceRefresh command received. Version difference, gathering action site.
At 14:38:56 -0500 -
Successful Synchronization with site 'actionsite' (version 264731) - 'FQDN:52311/cgi-bin/bfgather.exe/actionsite'
Gathering all operator/mailbox sites.
Successful Synchronization with site 'mailboxsite' (version 25) - 'FQDN:52311/cgi-bin/bfgather.exe/mailboxsite14351330'
At 14:38:57 -0500 -
Successful Synchronization with site 'opsite125' (version 164887) - 'FQDN:52311/cgi-bin/bfgather.exe/opsite125'
Successful Synchronization with site 'opsite127' (version 232001) - 'FQDN:52311/cgi-bin/bfgather.exe/opsite127'
Successful Synchronization with site 'opsite128' (version 158913) - 'FQDN:52311/cgi-bin/bfgather.exe/opsite128'
Successful Synchronization with site 'opsite131' (version 222965) - 'FQDN:52311/cgi-bin/bfgather.exe/opsite131'
At 14:38:58 -0500 -
Successful Synchronization with site 'opsite132' (version 222966) - 'FQDN:52311/cgi-bin/bfgather.exe/opsite132'
Report posted successfully
At 14:39:10 -0500 -
ForceRefresh command received. Version difference, gathering action site.
At 14:39:12 -0500 -
Successful Synchronization with site 'actionsite' (version 264731) - 'FQDN:52311/cgi-bin/bfgather.exe/actionsite'
Gathering all operator/mailbox sites.
Successful Synchronization with site 'mailboxsite' (version 25) - 'FQDN:52311/cgi-bin/bfgather.exe/mailboxsite14351330'
Successful Synchronization with site 'opsite125' (version 164887) - 'FQDN:52311/cgi-bin/bfgather.exe/opsite125'
At 14:39:13 -0500 -
Successful Synchronization with site 'opsite127' (version 232001) - 'FQDN:52311/cgi-bin/bfgather.exe/opsite127'
Successful Synchronization with site 'opsite128' (version 158913) - 'FQDN:52311/cgi-bin/bfgather.exe/opsite128'
Successful Synchronization with site 'opsite131' (version 222965) - 'FQDN:52311/cgi-bin/bfgather.exe/opsite131'
Successful Synchronization with site 'opsite132' (version 222966) - 'FQDN:52311/cgi-bin/bfgather.exe/opsite132'
At 14:39:14 -0500 -
Report posted successfully
At 14:40:08 -0500 -
Full Report posted successfully
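To read a client log like the one above per action rather than line by line, the following added example (not part of the original posts) pairs each action's start and end lines and attaches any "Error executing script" line logged in between. The function names and the output format are made up for illustration, and the sample input is an excerpt of the log posted above.

```shell
#!/bin/sh
# Added example, not from the thread: summarise action runs in a BigFix
# client log. Function names and output format are made up for illustration.

# summarize_actions: reads a client log on stdin, prints one line per action:
#   <id> start=<time> end=<time> errors=<n> last_error=<text>
summarize_actions() {
  awk '
    # "At HH:MM:SS -0500 - ..." header: remember the time for the lines under it
    /^At [0-9][0-9]:[0-9][0-9]:[0-9][0-9] / { ts = $2; next }
    /^ActionLogMessage: \(action:[0-9]+\) starting action/ {
      cur = $2; gsub(/[^0-9]/, "", cur)
      order[++n] = cur; start[cur] = ts; stop[cur] = "-"; errs[cur] = 0; last[cur] = "-"
      next
    }
    # Script errors carry no action id; attribute them to the action in progress
    /^Error executing script / && cur != "" {
      errs[cur]++; last[cur] = substr($0, length("Error executing script ") + 1)
      next
    }
    /^ActionLogMessage: \(action:[0-9]+\) ending action/ {
      id = $2; gsub(/[^0-9]/, "", id); stop[id] = ts; cur = ""
    }
    END {
      for (i = 1; i <= n; i++) {
        id = order[i]
        printf "%s start=%s end=%s errors=%d last_error=%s\n", id, start[id], stop[id], errs[id], last[id]
      }
    }'
}

# Excerpt of the log posted above (action 224282), embedded so this runs offline.
sample_log() {
  cat <<'EOF'
At 14:38:02 -0500 - mailboxsite (FQDN:52311/cgi-bin/bfgather.exe/mailboxsite14351330)
Relevant - OSSEC Fix for Macs (fixlet:224282)
At 14:38:02 -0500 -
ActionLogMessage: (action:224282) Action signature verified for Execution
ActionLogMessage: (action:224282) starting action
At 14:38:03 -0500 - actionsite (FQDN:52311/cgi-bin/bfgather.exe/actionsite)
Error executing script /Library/Application Support/BigFix/BES Agent/__BESData/__bes9: internal error
At 14:38:03 -0500 -
ActionLogMessage: (action:224282) ending action
At 14:38:03 -0500 - mailboxsite (FQDN:52311/cgi-bin/bfgather.exe/mailboxsite14351330)
Not Relevant - OSSEC Fix for Macs (fixlet:224282)
EOF
}

sample_log | summarize_actions
```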
I don’t know anything about Centrify, but what if you cut out the middleman, so to speak, and used createfile until and had the action create a new script. That would at least take the file out of the equation.
Hi alinder thanks. I’ve never used createfile until before. Is that basically taking the SH script code and putting it in the fixlet action itself basically?
You just put the content of the script between the createfile until END_OF_FILE line and the END_OF_FILE line, then you run the script. In your case, you’ll want to move it to [nameofscript].sh rather than .bat. In this case, the example is using relevance substitution, which is why it’s encased in {}, but you won’t need to do that.
Ok thanks, I think I follow you. So I would basically have my action look like this? Would I need anything else in there like I see in the example you mentioned?
createfile until END_OF_FILE
#!/bin/bash
#Get OSSEC working on Mac if they Never connected.
#Stop OSSEC
sudo /var/ossec/bin/ossec-control stop
#Clean the old bits
cd /var
sudo rm -rf ossec
cd
#Get the install script
/usr/bin/curl http://FQDN/ossec/install_ossec_osx.sh > /tmp/install_ossec_osx.sh
chmod +x /tmp/install_ossec_osx.sh
#Run the install script
sudo /tmp/install_ossec_osx.sh
END_OF_FILE
You shouldn’t need to use sudo in any of the parts of your script because BigFix is running as root. This will at least be a good test to see if it runs this script. I wonder if you’ll also need to createfile the install script?
OK, still no luck. So if I wanted to add in another createfile for the install script, how would that work, since I’m guessing the below action script will not work?
delete __createfile
createfile until END_OF_FILE
#!/bin/bash
#Get OSSEC working on Mac if they Never connected.
#Stop OSSEC
/var/ossec/bin/ossec-control stop
#Clean the old bits
cd /var
rm -rf ossec
cd
#Get the install script
/usr/bin/curl FQDN/ossec/install_ossec_osx.sh > /tmp/install_ossec_osx.sh
chmod +x /tmp/install_ossec_osx.sh
#Run the install script
/tmp/install_ossec_osx.sh
END_OF_FILE
delete __createfile
createfile until END_OF_FILE
#!/bin/bash
#Usage: ./install_ossec.sh
#Hostname optional
HOSTNAME=$(hostname | cut -d'.' -f1)
sudo echo "OSSEC Installer for OSX Clients"
#curl FQDN/~aconrey/ossec/ossec-hids-2.8.3.zip -O
curl FQDN/ossec/ossec-hids-2.8.3.zip -O
unzip ossec-hids-2.8.3.zip
echo -e '
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="agent"
USER_DIR="/var/ossec"
USER_DELETE_DIR="y"
USER_ENABLE_ACTIVE_RESPONSE="y"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_UPDATE="y"
USER_UPDATE_RULES="y"
USER_AGENT_SERVER_IP="_IP_"
USER_AGENT_CONFIG_PROFILE="generic"
' > ./ossec-hids-2.8.3/etc/preloaded-vars.conf
sudo ./ossec-hids-2.8.3/install.sh
FETCHKEY=$(curl FQDN/ossec/client.keys | grep $HOSTNAME)
if [[ -n $FETCHKEY ]]; then
echo $FETCHKEY
OSSEC_KEY="$FETCHKEY"
else
echo "Enter the appropriate host info for /var/ossec/etc/client.keys here:"
echo "(ie. '249 aconrey-ltm 0.0.0.0/0 46bb66c253628ce2973501b5c58b8d476dcd6e8fb6e54fb9b1be9a2b6ac8f575')"
read -p "Key: " OSSEC_KEY
echo ""
fi
echo "Set as: " $OSSEC_KEY
echo $OSSEC_KEY | sudo tee -a /var/ossec/etc/client.keys
sudo /var/ossec/bin/ossec-control start
END_OF_FILE
delete "/tmp/OSSEC_FIX.sh"
move __createfile "/tmp/OSSEC_FIX.sh"
wait bash "/tmp/OSSEC_FIX.sh"
I don’t see why that wouldn’t work, except that you’d want to remove the part where the first script runs the second script, then make sure you actually run the first script. If you try that, the BigFix log should give you some indication of what’s going on.
The error here is you have converted the action to using ActionScript but you are still using the action type of a shell based action. You need to change the action body to be ActionScript.