Running SOS on RSA NetWitness Version 11.x

Issue

The customer would like to get diagnostic information on their 11.x device.

Resolution

• The following command can be used to execute the script from the command line: 
  OWB_ALLOW_NON_FIPS=1 sosreport
• The following command can be used to view the on-screen help menu: 
  OWB_ALLOW_NON_FIPS=1 sosreport --help
• The following command can be used to skip a plugin (only at customer support request) :
  --skip-plugins=<pluginname>

• The following command can be used to skip only the plugins 'rsa_nw_mongo' and 'rsa_nw_rest': 
  OWB_ALLOW_NON_FIPS=1 sosreport --skip-plugins=rsa_nw_mongo,rsa_nw_rest
• The following command can be used to run only the plugin 'rsa_nw_mongo': 
  OWB_ALLOW_NON_FIPS=1 sosreport -o rsa_nw_mongo
• The following command can be used to make sosreport limit log sizes to 5mb (default: 10mb):
  OWB_ALLOW_NON_FIPS=1 sosreport --log-size=5
  • However, this will only apply to those log files specifically set up to follow this limit.
• The following command can be used to find a list of active and inactive plugins: 
  OWB_ALLOW_NON_FIPS=1 sosreport -l
• The following command can be used to get the help menu: 
  [root@saserver1857 ~]# OWB_ALLOW_NON_FIPS=1 sosreport --help
  Usage: sosreport [options]
  
  Options:
  -h, --help show this help message and exit
  -l, --list-plugins list plugins and available plugin options
  -n NOPLUGINS, --skip-plugins=NOPLUGINS
  disable these plugins
  --experimental enable experimental plugins
  -e ENABLEPLUGINS, --enable-plugins=ENABLEPLUGINS
  enable these plugins
  -o ONLYPLUGINS, --only-plugins=ONLYPLUGINS
  enable these plugins only
  -k PLUGOPTS, --plugin-option=PLUGOPTS
  plugin options in plugname.option=value format (see
  -l)
  --log-size=LOG_SIZE set a limit on the size of collected logs (in MiB)
  -a, --alloptions enable all options for loaded plugins
  --all-logs collect all available logs regardless of size
  --batch batch mode - do not prompt interactively
  --build preserve the temporary directory and do not package
  results
  -v, --verbose increase verbosity
  --verify perform data verification during collection
  --quiet only print fatal errors
  --debug enable interactive debugging using the python debugger
  --ticket-number=CASE_ID
  specify ticket number
  --case-id=CASE_ID specify case identifier
  -p PROFILES, --profile=PROFILES
  enable plugins selected by the given profiles
  --list-profiles display a list of available profiles and plugins that
  they include
  --name=CUSTOMER_NAME specify report name
  --config-file=CONFIG_FILE
  specify alternate configuration file
  --tmp-dir=TMP_DIR specify alternate temporary directory
  --no-report disable HTML/XML reporting
  -s SYSROOT, --sysroot=SYSROOT
  system root directory path (default='/')
  -c CHROOT, --chroot=CHROOT
  chroot executed commands to SYSROOT [auto, always,
  never] (default=auto)
  -z COMPRESSION_TYPE, --compression-type=COMPRESSION_TYPE
  compression technology to use [auto, gzip, bzip2, xz]
  (default=auto)
  • Examples of the Help Menu options: 
    • enable dlm plugin only and collect dlm lockdumps: 
      # OWB_ALLOW_NON_FIPS=1 sosreport -o dlm -k dlm.lockdump
    • disable memory and samba plugins, turn off rpm -Va collection: 
      # OWB_ALLOW_NON_FIPS=1 sosreport -n memory,samba -k rpm.rpmva=off

Notes

Running the sosreport out-of-the-box will yield many errors and force SOS to run in debug mode, due to the BSAFE package on RSA NetWitness 11.0 devices.

Example errors include:

The following fixes will cause SOS to run much more cleanly. If the customer does not wish to perform the following steps, then the SOS package will not generate a .sha256 file (not required) accompanying the .tar.xz file, and the contents of the .tar.xz file may have some items missing. However, the report will run.

Fix
To resolve the errors, the customer should perform the following steps:

1. First, add 'OWB_ALLOW_NON_FIPS=1' in front of the command to execute the report, which removes nearly all the errors being printed to the screen.

• Example of sosreport run:
  OWB_ALLOW_NON_FIPS=1 sosreport

• To make this a permanent fix, create a file /etc/profile.d/sos.sh with the following contents: 
  alias sosreport='OWB_ALLOW_NON_FIPS=1 sosreport' 2>/dev/null
  Example Command to create file /etc/profile.d/sos.sh
  printf "alias sosreport='OWB_ALLOW_NON_FIPS=1 sosreport' 2>/dev/null" > /etc/profile.d/sos.sh

2. The next error is how the RSA system has enabled FIPS. The open-source SOS package is looking in /proc/sys/crypto/fips_enabled to see if it is running on a FIPS enabled system. Our devices, by default, have a ‘0’ in that file and the SOS package wrongly assumes FIPS isn’t enabled. Because of this, when SOS goes to create a checksum file for the generated report, it will fail. Because SOS is recognizing our appliances as non-FIPS enabled, it uses md5 instead of sha256 to create that checksum.
   • The fix for this is to manually modify the SOS code. Though RSA is unable to modify the open-source code, we are able to provide the customers with the necessary information. Customers will have to repeat the following step each time they update the sos RPM (e.g. sos-3.3-5.el7.centos.noarch.rpm) : 
     sed -i.bak 's/"md5"/"sha256"/g' /usr/lib/python2.7/site-packages/sos/policies/__init__.py

3. The customer should log out of the ssh session and then log back in.

Product Details

Summary

SOS is a utility introduced in RSA NetWitness Version 11.0 that allows customers and support to get diagnostic information of their RSA NetWitness Version 11.X device.

Approval Reviewer Queue

RSA NetWitness Suite Approval Queue