This is a quick post to address something that I came across in a case I was working recently. For a good review on setting up ACS monitoring for Linux/Unix systems, see Stefan Roth’s post on the subject. It’s very comprehensive and will get you moving in the right direction. That said, in working a case recently, I came across an issue where we were unable to get ACS data for the Linux/Unix environment. Consider the scenario:
- The agent was installed on the device and up to date.
- The agent was successfully sending monitoring data to the SCOM server.
- Alerts for security events (such as a bad-password alert generated after successive failed attempts) were being generated.
- ACS for Windows systems was working fine.
- ACS reports for Linux/Unix systems were blank.
The workflow from Stefan’s post notes that the ACS info is written to the security logs, and looking through those logs, there were no “cross platform security” events in them. As it turns out, while the GPO was in place to audit success/failure of object access, it wasn’t being applied. The reason for that was that advanced GPOs were also in place, and the auditing of object access was configured there. Simply turning off those advanced features wasn’t good enough to get it working. The solution was to turn them all on. In certain high-security environments, this could pose an issue.
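To check for this condition before chasing the agent or the ACS collector, the following PowerShell diagnostic can be run on the management server that forwards the cross platform events. It is an added example, not part of the original post or of the SCOM product: it reads the LSA value that turns on the advanced-audit-policy override (`SCENoApplyLegacyAuditPolicy`, which makes Windows ignore the legacy “Audit object access” category setting), lists the effective Object Access subcategories via `auditpol`, and looks for Security-log events from a provider whose name contains “Cross Platform”. The provider-name pattern and the 24-hour window are assumptions; adjust them to what your environment actually logs.

```powershell
# Added diagnostic (not from the original post). Run in an elevated PowerShell
# session on the SCOM management server that forwards the Linux/Unix audit data.

# 1. Is the Advanced Audit Policy override in effect?
#    When SCENoApplyLegacyAuditPolicy is 1, the legacy "Audit object access"
#    category setting from the GPO is ignored and only the advanced subcategory
#    settings decide what gets written to the Security log.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
if ($lsa.SCENoApplyLegacyAuditPolicy -eq 1) {
    Write-Output 'Advanced audit policy override is ON: the legacy "Audit object access" setting is ignored.'
} else {
    Write-Output 'Advanced audit policy override is OFF or not set: legacy category settings apply.'
}

# 2. Effective audit settings for the Object Access category, one line per subcategory.
auditpol /get /category:"Object Access"

# 3. Same data in CSV form, so the subcategories that are effectively not audited
#    can be listed without reading the table by hand. The /r output carries the
#    columns Machine Name, Policy Target, Subcategory, Subcategory GUID,
#    Inclusion Setting and Exclusion Setting.
$rows = auditpol /get /category:"Object Access" /r | ConvertFrom-Csv
$notAudited = $rows |
    Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' } |
    Select-Object -ExpandProperty Subcategory
if ($notAudited) {
    Write-Output "Object Access subcategories with No Auditing: $($notAudited -join ', ')"
} else {
    Write-Output 'Every Object Access subcategory has some auditing enabled.'
}

# 4. Look for the cross platform security events in the Security log. The provider
#    name pattern below is an assumption; widen or narrow it to match your events.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Cross Platform*' }
if (-not $events) {
    Write-Output 'No cross platform security events found in the Security log in the last 24 hours.'
} else {
    Write-Output "Found $($events.Count) cross platform security event(s); most recent at $($events[0].TimeCreated)."
}
```

If step 1 reports the override as ON while step 3 lists Object Access subcategories with “No Auditing”, the GPO’s legacy setting is being silently discarded, which matches the symptom described above: the agent, the alerts and the Windows ACS data all look healthy, but no cross platform events ever reach the Security log for the forwarder to collect.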