Overview
This article provides an overview of the LanGuard Mac and Linux Operations component. After reviewing this article, you will:
- Understand the differences between the GFI LanGuard operations on Windows and Linux/macOS machines.
- Learn about Linux and macOS scanning and remediation.
- Find the relevant debug logs to search for errors when triaging.
- Learn the common errors and troubleshooting guidelines.
Introduction
Even though LanGuard is primarily designed to operate in Microsoft Windows networks, it can scan and patch Linux and macOS computers that meet the requirements.
Linux and macOS scanning and patching are completely different from Windows OS:
- LanGuard uses an SSH connection for the scanning and remediation operation on the Linux and macOS machines
- LanGuard copies script files via SFTP and then executes them via SSH. Scripts communicate with the Linux machines' built-in Package Manager which does the actual scanning and patching
- No agent or services are installed on the client computer
- For Linux, no definitions are needed and relevant patches are not stored on a LanGuard server
Description
Linux Scanning and Remediation
The list of supported Linux distributions and the requirements for successful LanGuard operations are covered by the What are the Requirements to Scan and Patch Linux Computers with LanGuard? article.
All the Linux distributions supported by LanGuard have a built-in Package Manager, so there is no need to install anything custom before scanning or patching the Linux computer. LanGuard copies all the .sh scripts to the user’s home folder and runs them.
Everything is then handled by the Package Manager on each Linux machine, while the scripts send the information obtained from the Package Manager back to the LanGuard server.
Linux Scanning
The Package Manager knows when software is out of date and does not need any definitions from LanGuard. The information the Package Manager sends back to the LanGuard server contains both a list of installed software and details of any missing updates.
Common scanning scripts used are:
- The script for patch scanning - C:\ProgramData\GFI\LanGuard 12\Scripts\linuxpatchscan.sh
- The script for determining installed packages - C:\ProgramData\GFI\LanGuard 12\Scripts\packagescan.sh
Linux Patching
The main reason for not downloading the patches with the LanGuard server, but strictly through the Package Manager, is that some Linux distribution updates are only available under the distribution subscription purchased by the customer. If LanGuard managed the patch repository, it would bypass the license checks for these systems.
The patching scripts with the name pattern <number>_<target computer name>_deploy.sh are generated on the fly according to the missing patches list. Each script contains a sequence of Bash and Python commands for the Package Manager to download and install the patches.
When Debug mode is enabled the contents of each remediation script are dumped into debug logs.
macOS Scanning and Remediation
The macOS supported versions and requirements are covered by the What are the Requirements to Scan and Patch macOS Computers with LanGuard? article.
The scanning and remediation operations for macOS machines are based on SSH scripts as well. LanGuard copies all the .sh scripts to the user’s home folder and runs them.
Scripts are sending the information back to the LanGuard server via the established SSH connection.
macOS Scanning
A series of scripts are executed on the target computer with a random number in the filename to avoid conflicts. The first script is osdata.sh, which determines the Operating System. The next script, macpatchscan.sh, uses the macOS built-in softwareupdate utility to retrieve patch definitions from the Apache web site published by the LanGuard server.
When the LanGuard Program Updates are configured and operating correctly, the PatchManagement\Mac folder contains all the information needed for patch scanning. This means that, unlike Linux targets, an internet connection is not a mandatory requirement for macOS operations.
Common scanning scripts used are:
- The script for OS scanning - C:\ProgramData\GFI\LanGuard 12\Scripts\Scripts\osdata.sh
- The script for determining installed packages - C:\ProgramData\GFI\LanGuard 12\Scripts\macpatchscan.sh
macOS Patching
A customized script is generated on the fly for each remediation session, copied to the target machine, and executed there. The scripts download patches from the LanGuard server (or the assigned Relay) via HTTP requests to the Apache-configured port (1072 by default) and use the macOS built-in Installer service to run each patch installer.
When Debug mode is enabled the contents of each remediation script are dumped into debug logs.
Logging and Troubleshooting
After the mandatory requirements have been verified, troubleshooting Linux and macOS operations relies on the debugging information in the logs in the %Data%\GFI\LanGuard 12\DebugLogs\ folder. Relevant log names for LanGuard 12.5 (the number depends on the customer's version) are:
- lanss_v125_sshrunner.csv - SSH runner
- lanss_v125_patchdeployment.csv - patch deployment
- lanss_v125_securityscanner.csv - scanning
No logs are written on the target Linux machine.
The macOS client computers only create a log file when the “Let the user decide” option is used in combination with reboot options. The file, called lanss_XXX_RebootAttendantD.csv, is an extremely verbose reboot attendant application log generated in ~/.gfi_temp on the deployment target.
Common errors are:
Missing one of the required utilities: Expect or GDB or diff
The procscan.sh script requires the expect, gdb, and diff packages to be present. You can check for them with the which command and install any missing ones using the package manager, for example: yum install diff.
Python3: command not found
You can encounter this error in some logs. It usually does not affect scan results because the script files check which Python version is available. If needed, check the exact commands executed.
Directory is not created. Comment is "Failure". Error code is 4.
This error means that the temporary directory that LanGuard creates for the scripts, .gfi_temp, already exists. Usually it was left behind because it was not removed after a previous failure.
macOS scanning and patching fail to detect/deploy missing patches
By default, the macOS patch definition updates are not enabled for a new LanGuard server installation, i.e., they are not downloaded automatically. This and some other common root causes for macOS operations are covered by the Unable to Scan or Deploy Missing Patches to Mac OS X Computers article.
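The following pre-flight script is an added example, not a GFI or LanGuard script. Run over SSH as the account LanGuard logs in with, it checks the target for the conditions behind the common errors above (missing expect/gdb/diff, no python3, a stale .gfi_temp directory); the utility names and the .gfi_temp path come from this article, and the Python check only approximates what the scan scripts do.

```shell
#!/bin/sh
# Added pre-flight check for a Linux/macOS LanGuard target (example, not a GFI script).
# Run it over SSH as the account LanGuard logs in with. It reports the conditions
# behind the common errors listed above: missing expect/gdb/diff, no python3,
# and a leftover .gfi_temp directory from an earlier failed session.

# Print the names of the given utilities that are not on PATH, one per line.
missing_utils() {
    for util in "$@"; do
        command -v "$util" >/dev/null 2>&1 || printf '%s\n' "$util"
    done
}

# Report which Python interpreter is on PATH, python3 first. This approximates
# (assumption) the version check the article says the scan scripts perform.
python_available() {
    if command -v python3 >/dev/null 2>&1; then echo python3
    elif command -v python >/dev/null 2>&1; then echo python
    else echo none
    fi
}

# Succeed (exit 0) when a .gfi_temp directory already exists under the given home
# directory; LanGuard creates it per session, so a leftover copy produces
# "Directory is not created. Comment is "Failure". Error code is 4."
stale_gfi_temp() {
    [ -d "$1/.gfi_temp" ]
}

# Overall check for one home directory (default: $HOME); returns 1 when not ready.
preflight() {
    home="${1:-$HOME}"
    status=0
    missing=$(missing_utils expect gdb diff)
    if [ -n "$missing" ]; then
        echo "NOT OK: utilities required by procscan.sh are missing: $(echo "$missing" | tr '\n' ' ')"
        status=1
    fi
    echo "INFO: Python interpreter found: $(python_available)"
    if stale_gfi_temp "$home"; then
        echo "NOT OK: stale $home/.gfi_temp exists; remove it before the next scan"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "RESULT: target ready" || echo "RESULT: target not ready"
    return "$status"
}

preflight "$@" || :   # report only; call preflight directly to use the exit status
```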
Conclusion
Most of the time Linux administration knowledge, shell scripts understanding, and the ability to analyze logs are all that is needed to pinpoint possible issues.
Note: Linux scanning results are more likely to produce false positives (or miss information) because Linux is open source by definition and places very few restrictions on how software is designed and implemented.
Ticket Examples
Below are some examples of tickets where agents used log analysis results to identify issues and probable root causes:
- https://central-supportdesk.zendesk.com/agent/tickets/2263957
- https://central-supportdesk.zendesk.com/agent/tickets/2146049