Restricting access to the Application Server file system

When an RBAC user executes any job that needs to execute external commands or scripts on the TrueSight Server Automation Application Server, those commands or scripts by default get executed with the user with which the Application Server process is running. On Windows, this user is local SYSTEM and on Linux, this user is bladmin. These external commands get executed locally in the Application Server OS.

You can restrict access to the Application Server file system by configuring a low privilege user. The low privilege user is used by the Application Server only for executing those external commands or scripts. As those external commands or scripts are running with the low privilege user, the user has very restricted access to the Application Server file system.

This topic describes the default low privilege user configurations and steps to modify them.

Default low privilege user

By default, a local user account named bluser is used as a low privilege user on the Windows and Unix Application Server. This account is created on UNIX during the Application Server installation and on Windows during the Application Server startup. For more information, see User-accounts.

The Application Server uses the low privilege user only while running:

  • NSH Script Jobs
  • Compliance Jobs
  • External commands such as Extended Objects.

Important (Windows)

Before you run the NSH Script Jobs, Compliance Jobs or External Commands, ensure the following: 

  • The bluser user has Deny log on locally and Log on as a batch job User Rights, and no other rights.
  • If the Deny log on locally and Log on as a batch job User Rights are managed via a GPO, then ensure to update the GPO so that bluser user has these rights in the GPO.
  • Ensure that any groups bluser user belongs to, does not have the Deny log on as a batch job right.

Using the non-default user name

To use a non-default user name, you need to perform the following steps on Application Server(s).

For the Windows Application Server, perform the following steps

  1. Make sure there are no jobs running in the infrastructure.

  2. To store the low privilege user details in the TrueSight Server Automation database, run the following command with the BLAdmins role.  Few examples with different user combinations:

    Click here for more information.

    Syntax

    blcli LowPrivUser setUser "$USER_NAME" "$PASSWORD" "$DESCRIPTION"

    Example:-

    blcli LowPrivUser setUser "LocalUser1” "UserAccountPassword" "Internal user for TSSA Application Server"

    blcli LowPrivUser setUser "OrgDomain\\DomainUser1” "UserAccountPassword" "Internal user for TSSA Application Server"

    blcli LowPrivUser setUser DomainUser2@OrgDomain.com "UserAccountPassword" "Internal user for TSSA Application Server"

    Note

    If you want to use a domain user account, make sure the account already exists in domain and the Application Server host(s) are already part of the required domain.

  3. Restart the the following Application Server services:
    • TrueSight Server Automation Application Server
    • TrueSight Server Automation Process Spawner (if already running)
  4. Verify that the local user account is created on the Application Server.
  5. Repeat step 3 and 4 on all the Application Servers.
  6. (Optional) Delete the previous local user account on all the Application Servers.


Note

If the configured local user account doesn’t exist, it will be created during Application Server startup using details provided in previous step (only if low privilege user is enabled). If the configured user account already exists, it won’t be modified. 


For the UNIX Application Server, perform the following steps

  1. Make sure there are no jobs running in the infrastructure.
  2. Based on the user account type you want to create, do one of the following steps:

    • For a local user account, create the required non-default user and add it to existing the bladmin group.                

      Click here for more information.

      Syntax:-

      useradd -g bladmin -s /bin/sh -c "TrueSight Server Automation Non-Admin Account" -m -d "<homeDirectory>" $USER_NAME

      Example:-

      useradd -g bladmin -s /bin/sh -c "TrueSight Server Automation Non-Admin Account" -m -d "/opt/bmc/bladelogic/NSH/lowPrivUser" lowPrivUser
    • For the domain user account, create the required user account in Domain and add the user account to existing local group, bladmin on the Application Server.

  3. Set ownership of "nsh2" binary to non-default user and bladmin group.

    Click here for more information.

    Syntax

    chown <UserName>:bladmin <AppserverInstallDirectory>/NSH/bin/nsh2

    Example

    chown lowPrivUser:bladmin /opt/bmc/bladelogic/NSH/bin/nsh2

  4. Set the SUID bit (+s) on 'nsh2' binary and allow read and execute permissions only to owner and group.

    Click here for more information.

    Syntax

    chmod 4550 <InstallDirectory>/NSH/bin/nsh2

    Example

    chmod 4550 /opt/bmc/bladelogic/NSH/bin/nsh2
  5. Repeat Steps 2 to 4 on all Application Servers.

  6. Optionally, delete the previous local user account on all the Application Servers.

    Important

    • Application Server services restart is not required for these changes to take effect.
    • The LowPrivUser name space is not applicable on Unix OS.

Changing password for the low privilege user account

As a part of your organization password policy if you need to change the low privilege user account password, you can follow below steps.

For Windows Application Server, perform the following steps:

  1. Make sure there are no jobs running in the infrastructure.
  2. Change account password:

    • For the local user account, on the Application Server hosts, change the user account at Operating System level.

      Note

      Make sure same password is used on all the Application Server hosts.

    • For the Domain user account password in the TrueSight Server Automation database, run below command once using BLAdmin role.

  3. To update user account password in the TrueSight Server Automation database, run below command once using BLAdmins role.

    Click here for more information.

    Syntax

    blcli LowPrivUser setPassword "$PASSWORD"

    Example

    blcli LowPrivUser setPassword "NewAccPassword"
  4. Restart the following Application Server services:

    •     TrueSight Server Automation Application Server
    •     TrueSight Server Automation Process Spawner (if already running)

For the UNIX Application Server

The default low privilege user account is created with a locked password. Therefore, it is not possible to change the password.

Enable or disable the low privilege user

  1. Start the Application Server Administration console, as described in Starting-the-Application-Server-Administration-console.
  2. Run the following command:
    set appserver EnableLowPrivUser <value>
    You can specify the following values:
    • (Default): If a job needs to execute external commands or scripts on the Application Server, the commands or scripts by default get executed with the low privilege user (for example, bluser).
    • 0: If a job needs to execute external commands or scripts on the Application Server, the commands or scripts get executed with the user with which the Application Server process is running.
    • 3: If a job needs to execute external commands or scripts on the Application Server, the commands or scripts except NSH Script Type 4 get executed with the low privilege user and the NSH Script Type 4 gets executed with the user with which the Application Server process is running.

Note

If a low privilege user is disabled by setting 0 value, the low privilege user account, can be deleted. Later if the low privilege user is enabled by setting 1 or 3 value, follow the steps in the Using the non-default user name section.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*