Compliance Check

Before a Managed OS VM can go into the Full Managed state, compliance checks must be run. Only if all relevant checks are successfully passed, the VM will be transferred to the respective state. If one or more tests are not successful, then this must be corrected by the customer. Afterwards the state change can be requested again.

The compliance check will be executed when the following state changes are requested:

  • Temp Admin to Customer Maintenance
  • Temp Admin to Full Managed

Compliance Checks for Managed Windows

This section describes the checks to be executed before offering the Full Managed service on a given system.

IDTest caseExpected results & How to fix it
Base.AdminAutologon.TestsTesting if automatic logon for Admins is disabledAutomatic logon should be disabled.
If failed, use the following powershell command to reset it:
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name "AutoAdminLogon" -Value 0
Base.Administrators.TestsTesting local Administrators membershipLocal Administrators should have only swisscom-allowed accounts as member
Please remove any added users from Administrators group and follow user management procedure to give access:
https://docs.entcloud.swisscom.com/guide/managed-services/managed-os/how-to/user-management/
Base.AdminPrivilege.TestsTesting Administrators PrivilegesLocal Administrators Group must have the following Privileges:
- Access this computer from the network
- Allow log on locally
- Allow log on through Terminal Services

If failed, please confirm and re-add group Administrators to the privileges above by:
Run secpol.msc, navigate to Security Settings/Local Policies/User Rights Assignment
In the list of privileges, find each of the above. Make sure Administrators is member of all 3.
Base.AuditPolicy.TestsTesting if Audit Policies are configured to audit Success and FailureThe following Audit Policies are configured to audit Success and Failure:

- Logon
- Logoff
- Account Lockout
- IPsec Main Mode
- IPsec Quick Mode
- IPsec Extended Mode
- Special Logon
- Other Logon/Logoff Events
- Network Policy Server
- User / Device Claims
- Non Sensitive Privilege Use
- Other Privilege Use Events
- Sensitive Privilege Use
- Authentication Policy Change
- Authorization Policy Change
- MPSSVC Rule-Level Policy Change
- Filtering Platform Policy Change
- Other Policy Change Events
- Audit Policy Change
- User Account Management
- Computer Account Management
- Security Group Management
- Distribution Group Management
- Application Group Management
- Other Account Management Events
- Kerberos Service Ticket Operations
- Other Account Logon Events
- Kerberos Authentication Service
- Credential Validation

If test failing, please check the error message, which policy is causing trouble

To get all Audit policies, please use the following command:
auditpol.exe /get /category:*
The failing audit item should not be set to audit Success and Failure

To set one item audit for success and failure, please use the following command (Replace {FAILING_NAME_HERE} with correct policy item):
auditpol.exe /set /subcategory:{FAILING_NAME_HERE} /success:enable /failure:enable

For example, let's say that Logon policy is not set correctly, to set it to audit both success and failure, the following command should be used:
auditpol.exe /set /subcategory:Logon /success:enable /failure:enable
Base.BitLockerDriveEncryption.TestsTesting if the WindowsFeature Bitlocker is installedThe Bitlocker should not be installed on the local the machine.
In case of failure, please first ensure that no disks are encrypted on the system.
This can be done by running command manage-bde -status

!!! Only after confirming that there are no encrypted disks on the system !!!

Bitlocker can be removed by running the following command:
Uninstall-WindowsFeature -Name Bitlocker
Base.BITSService.TestsTesting BITS Service StartModeThe BITS Service should not be disabled
To enable service, please set it to Manual startup (default):
Set-Service BITS -StartupType Manual
Base.BuiltInAccountsDisabled.TestsTesting if Built-in Accounts are disabledThe Built-in Administrator should be enabled
To enable Built-in Administrator, please run the following powershell command
Get-LocalUser | where {$\_.sid -like 'S-1-5-\*-500'} | Enable-LocalUser
The Built-in Guest should be disabled
To disable guest, please run the following powershell command
Get-LocalUser | where {$\_.sid -like 'S-1-5-\*-501'} | Disable-LocalUser
Base.ComputernameChanged.TestsTesting if the Computername changedThe computer name should not have changed since it is registered in the cloud management systems. Please set the computer name to the original name by running Rename-Computer powershell command. You will be prompted for new computer name, which should be the name as set when machine has been created.
Base.CpuUsage.TestsTesting CPU load averageThe average CPU usage should be less than 95 Percent. Please ensure there are no application overloading the CPU or increase number of CPU cores if required (pleas use day 2 action "Reconfigure" once the server it's in Customer Maintenance Mode).
Base.DeviceManager.TestsTesting Device Manager for errorsThe Device Manager should not return any errors. Please open device manager and make sure there are no failing or problematic devices. There should be no problem as long as VmWare tools are installed correctly on the system.
Base.DistributedCOMUsers.TestsTesting local DistributedCOMUsers membershipLocal DistributedCOMUsers should have only swisscom-allowed accounts as member
Please remove any added users from Distributed COM Users group and follow user management procedure to give access:
https://docs.entcloud.swisscom.com/guide/managed-services/managed-os/how-to/user-management/
Base.DomainJoin.TestsTesting the computers domain membershipThe Computer should be part of a swisscom resource domain. Should computer fall off the domain, please ask support to re-join it.
Base.DriveFull.TestsTesting Drive capacitySystem Drive Should have minimum 20 GB of free space
Data Drive Should have minimum 5 GB of free space
Please free up some space, for system drive or Data drive. Run disk cleanup (cleanmgr.exe), selecting Windows Update Cleanup can free up space, it will not be possible to uninstall updates after this action.
Otherwise, please extend the disk.
Base.EventlogProperties.TestsTesting if event log maximum size and -log mode are configured correctlyThe log mode for Application-, System- and Securitylog should be Circular
The maximum size for the Systemlog should be greater than or equal to 262'144 KB
The maximum size for the Applicationlog should be greater than or equal to 262'144 KB
The maximum size for the Securitylog should be greater than or equal to 524'288 KB

The following commands can set the minimum acceptable limit:
Limit-EventLog -LogName System -MaximumSize 262144KB -OverflowAction OverwriteAsNeeded
Limit-EventLog -LogName Application -MaximumSize 262144KB -OverflowAction OverwriteAsNeeded
Limit-EventLog -LogName Security -MaximumSize 524288KB -OverflowAction OverwriteAsNeeded
Base.IISLogLocation.TestsTesting if the IIS logs are at the correct locationThe IIS Logs for each website should be at the data volume, please move them away from C:\ drive by configuring Logging for each site in IIS Manager console.
Base.LocalAccountTokenFilterPolicy.TestsTesting Remote UAC LocalAccountTokenFilterPolicyThe LocalAccountTokenFilterPolicy should be activated
Allow local accounts of the Administrators group other than the built-in administrator account to remotely manage the server

If policy is not activate, please re-activate it by setting up the registry key
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system' -Name "LocalAccountTokenFilterPolicy" -Value 1
Base.LoggedOnUsers.TestsTesting Logged on UsersThere should be no local users with local admin rights logged on.
Please log off all users from the server and try again.
Base.LogMgmtInstallation.TestsTesting installed Log Management softwareThe Log Management Agent Service should be running
The Log Management Agent Service should be Automatic
The connectivity to the Log Management server should work
Base.MalwareProtectionInstallation.TestsTesting Deep Security InstallationTrend Micro Deep Security Agent Service should be Automatic. If it is not, please reset it to Automatic
Set-Service ds_agent -StartupType Automatic

Trend Micro Deep Security Agent Service should be running. To start it up, please run
Start-Service ds_agent

The connectivity to the Deep Security Manager should be in a good state
Trend Micro Deep Security Agent Status should be green
Trend Micro Deep Security Agent Component AM Mode should be on

Agent is configured by policy, and it is not changeable from the machine. If there are problems with Trend Micro Deep Security Agent, please ensure that network connectivity is present for policy to come down:
Query agent status:
"C:\Program Files\Trend Micro\Deep Security Agent\dsa_query.cmd" -c "GetAgentStatus"
From the output, please copy value for AgentStatus.dsmUrl. This is the management point.
Ensure that dsmURL is accessible from the machine
Test-NetConnection -ComputerName '{Management point hostname here}' -Port '4120'
Base.MonitoringInstallation.TestsTesting installed Monitoring softwareThe Monitoring Agent Service should be Automatic
To change service startup type:
Set-Service 'End Point Operations Management Agent' -StartupType Automatic
The Monitoring Agent Service should be running
To start a stopped service, please run:
Start-Service 'End Point Operations Management Agent'
The Monitoring Agent should be in a good state and Operations manager endpoint should be accessible with good network connectivity. Please ensure that network connectivity exist and network round trip is less than 200ms:
Find out the hostname and the port of the endpoint:
Select-String -Path "$($env:ProgramFiles)\VMware\ep-agent\conf\agent.properties" -Pattern 'agent.setup.serverIP=*'
Select-String -Path "$($env:ProgramFiles)\VMware\ep-agent\conf\agent.properties" -Pattern 'agent.setup.serverSSLPort=*'
The following command to run network check to the endpoint:
Test-NetConnection -ComputerName '{Management point hostname here}' -Port '443'
Base.NicPowerSaving.TestsTesting Network Adapter Power ManagementEach network interface should have Powersaving disabled.
Please use the following Powershell command to disable power saving on all Network adapters attached to the machine:
Get-NetAdapter -Physical | Get-NetAdapterPowerManagement | foreach {$_.AllowComputerToTurnOffDevice = 'Disabled'; $_ | Set-NetAdapterPowerManagement}
Base.NugetAccess.TestsTesting Web Access to the Nuget repositoryThe Nugetfeed should be accessible within 100ms
Base.OSLanguage.TestsTesting OS LanguageThe OS Language should be 'english, United States (en-US)
This affects only language for Operating system User Interface, e.g. menus, messages. Keyboards layouts can be of any language and are not restricted.
Swisscom does not supply multilingual UI build and also does not distribute patches for languages other than English US

To confirm language for OS, please run the following command:
Dism /online /Get-Intl
To change default UI language:
Dism /online /set-allIntl:en-US
Base.OSLicenceState.TestsTesting the Windows Licence activationThe KMS Server should be registered
The name resolution for the KMS Server should return an ip address
The connectivity to the KMS Server should be accessible within 100ms
The OS should be licensed
The OS Licence should be activated

The Key Management server is found via DNS, to confirm if your configured DNS server have KMS, please run the following query:
slmgr.vbs /dli
If server is resolved correctly, the output should give you KMS server IP address and port (1688)
If this server is accessible, please run the following command to re-activate the machine:
slmgr.vbs /ato
Base.OSVersion.TestsTesting OS VersionThe Server should have a Swisscom-supported OS Version
Swisscom supports Windows Server 2019, Windows Server 2016 or Windows Server 2012 R2
Base.PageFileSettings.TestsTesting PageFile ConfigurationThe Server should have PageFile manually managed
Page file Initial size should be equal or greater then 4'096 MB
Page file Maximum size should be equal or greater then 4'096 MB.

To set pagefile to minimal acceptable limits, please run the following command:
wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=4096,MaximumSize=4096
Base.PerformanceMonitorUsers.TestsTesting local PerformanceMonitorUsers membershipLocal PerformanceMonitorUsers should have only swisscom-allowed accounts as member
Please remove any added users from Performance Monitor Users group and follow user management procedure to give access:
https://docs.entcloud.swisscom.com/guide/managed-services/managed-os/how-to/user-management/
Base.PuppetInstallation.TestsTesting Puppet InstallationThe Puppet Service should be Automatic
The following command can be used to set puppet service to be Automatic
Set-Service 'puppet' -StartupType Automatic
The Puppet Service should be running, please use the following command to start the service
Start-Service 'puppet'
The connectivity to the Puppet Master should be in a good state. If there are connectivity problems, Puppet will write Events into Application logs. Please analyse Errors from Puppet in Application logs to understand the problem. This can be done via Powershell as well:
Get-EventLog -LogName 'Application' -Source 'Puppet' -EntryType 'Error'
Base.RegistryRunKeys.TestsTesting entries in Run and RunOnceRun, RunOnce, RunServices, RunServicesOnce should not have any subkeys.
Please analyse the following keys to ensure there are only allowed entries there:
HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

By default, only the these entries are allowed:
Deep Security Notifier
InstallWindowsUpdates"
VMware VM3DService Process
VMware User Process

Base.RemoteDesktopProtocol.TestsTesting Remote Desktop Protocol SettingsThe remote desktop connections should be enabled in 'HKLM:\System...'
The remote desktop connections should be enabled in 'HKLM:\SOFTWARE\Policies...'
To enable this, please set the following registry key with the Powershell:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
The firewall rule 'RemoteDesktop-UserMode-In-TCP' should be enabled, to enable it, please use the following Powershell Command:
Enable-NetFirewallRule -Name RemoteDesktop-UserMode-In-TCP
The firewall rule 'RemoteDesktop-UserMode-In-UDP' should be enabled, to enable it, please use the following Powershell Command:
Enable-NetFirewallRule -Name RemoteDesktop-UserMode-In-UDP
Base.RemoteDesktopUsers.TestsTesting local RemoteDesktopUsers membershipLocal RemoteDesktopUsers should have only swisscom-allowed accounts as member
Please remove any added users from Remote Desktop Users group and follow user management procedure to give access:
https://docs.entcloud.swisscom.com/guide/managed-services/managed-os/how-to/user-management/
Base.Services.TestsTesting if unnecessary services are disabledThe following Services should be disabled
- AudioEndpointBuilder
- Audiosrv
- Browser
- FontCache
- iphlpsvc
- NcaSvc
- NetTcpPortSharing
- RemoteAccess
- SCardSvr
- seclogon
- SharedAccess
- ShellHWDetection
- SSDPSRV
- Themes
- upnphost
- WcsPlugInService

To disable all these services at once, please use the following Powershell command:
@('AudioEndpointBuilder', 'Audiosrv', 'Browser', 'FontCache', 'iphlpsvc', 'NcaSvc', 'NetTcpPortSharing', 'RemoteAccess', 'SCardSvr','seclogon','SharedAccess', 'ShellHWDetection', 'SSDPSRV', 'Themes', 'upnphost', 'WcsPlugInService') | foreach {Set-Service -Name $\_ -Status stopped -StartupType disabled}
Base.SNMPWriteCommunity.TestsTesting SNMP Write Community StringThere should be no SNMP Write Communities defined.
Please ensure, there is nothing defined under this registry key:
SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities\
Base.StickyKeyBackdoor.TestsTesting for Sticky Key BackdoorsThe hash value of Ease of Access system files should meet the OS version
Scan each of those files to ensure they have not been maliciously replaced:
sfc /verifyfile=C:\Windows\System32\sethc.exe
sfc /verifyfile=C:\Windows\System32\utilman.exe
sfc /verifyfile=C:\Windows\System32\osk.exe
sfc /verifyfile=C:\Windows\System32\utilman.exe
sfc /verifyfile=C:\Windows\System32\Magnify.exe
sfc /verifyfile=C:\Windows\System32\Narrator.exe
sfc /verifyfile=C:\Windows\System32\DisplaySwitch.exe

Ease of Access system files should not be have a debugger for hijacking the system
Remove Debug key, by running the following Powershell command:
Base.SwisscomCertificate.TestsTesting Swisscom Root CertificatesThere should be Swisscom Root certificates available
The Swisscom Root certificates should be valid
Base.UnsupportedSoftwareInstalled.TestsTesting if unsupported software is installedThe following Features/Software should not be installed:
- Active Directory Domain Services
- SAP
- SharePoint
- Exchange
The DB directory of the following Databases should not be on the system disk:
- Microsoft SQL Server
- MySQL
- MongoDB
- Oracle
- MariaDB
- PostgreSQL
The current version of the following Applications should be greater or equal than:
- Java Version 1.8.0
- OpenJDK Version 1.8.0
- Apache Tomcat Webserver 8.5
- Microsoft SQL Server 12.0 (MS SQL Server 2014)
The installation directory of the following Applications should not be located on the system disk:
- Apache Tomcat Webserver
- JBoss
Base.VMTools.TestsTesting VMware ToolsThe 'VMware Tools' Service should be running, please use the following command to start the service
Start-Service 'VMTools'
The 'VMware Tools' Service should be Automatic, please useservice the following command to set service startup type to Automatic
Set-Service 'VMTools' -StartupType Automatic
The VMware Tools should be up to date
Base.WindowsFirewall.TestsTesting Windows FirewallThe 'MpsSvc' Service should be running, please use the following command to start the service
Start-Service 'MpsSvc'
The 'MpsSvc' Service should be Automatic, please useservice the following command to set service startup type to Automatic
Set-Service 'MpsSvc' -StartupType Automatic
All Windows Firewall profiles should be enabled
The firewall rule for File and Printer Sharing (SMB-In) should be enabled, to enable it, please use the following Powershell Command:
Enable-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)'
Base.WindowsManagementFramework.TestsTesting installed Windows Management FrameworkWindows Management Framework version 5.1 should be installed
Base.WindowsPatching.TestsTesting Windows PatchingThe difference between the last Windows updates should not be more than 45 days
Base.WindowsRemoteManagement.TestsTesting Windows Remote ManagementThe 'WinRM' Service should be running, please use the following command to start the service
Start-Service 'WinRM'
The 'WinRM' Service should be Automatic, please use the following command to set service startup type to Automatic
Set-Service 'WinRM' -StartupType Automatic
The WinRM Listener should be active
The firewall rule 'WINRM-HTTP-In-TCP' should be enabled, to enable it, please use the following Powershell Command:
Enable-NetFirewallRule -Name WINRM-HTTP-In-TCP
The firewall rule 'WINRM-HTTP-In-TCP' should be Allowed
Base.WindowsUpdate.TestsTesting Windows UpdateThe 'wuauserv' Service should not be Disabled
Please do not disable Windows Update service, if it is disabled, please set it back to Automated (Delayed Start):
sc.exe config wuauserv start= delayed-auto
The connectivity to the Update Server should be in a good state
Feature.SystemCenter.TestsTesting installed System Center componentsThe Configuration Manager Client should be installed
The SMS Agent Host Service should be running, please use the following command to start the service
Start-Service 'CcmExec'
The SMS Agent Host Service StartType should be Automatic, please useservice the following command to set service startup type to Automatic
Set-Service 'CcmExec' -StartupType Automatic
The Management Point should be member of Swisscom-CMS-Domain
The Assigned Site should be the Enterprise Service Cloud Site
Additional Tests for PreMigration
PreMig.CmsSystemAccess.TestsTesting connectivity to the CMS systemsThe name resolution to the cloud management systems should return an ip address
The connectivity to the cloud management systems should be accessible within 100ms
PreMig.MalwareProtection.TestsTesting Malware Protection InstallationThere should be no Malware Protection installed
PreMig.NetFramework35.TestsTesting if the WindowsFeature .NetFramework 3.5 is installedThe .NetFramework 3.5 should be installed on the local the machine
PreMig.SystemManagement.TestsTesting if a System Management Tool is installedThe Product 'Configuration Manager Client' should not be installed
The Service 'CcmExec' should not be installed
The Product 'Puppet' should not be installed
The Service 'Puppet' should not be installed

Compliance Checks for Managed RHEL 7 and Managed RHEL 8

This section describes the checks to be executed before offering the Full Managed state on a given system.
To see whether a system is healthy i.e. able to be changed back to Full Managed state, run the following command from the command line at anytime:

$ sudo checkmate -a

The output of the command is written to standard output and to /var/log/messages.

CheckExplanationTroubleshooting
check_autofs
It's not allowed to have the autofs-rpm installed. Therefore, it must be removed.Remove the autofs-rpm by executing:
$ sudo yum -y remove autofs.x86_64
check_cron
There are no crontab entries allowed which run as user root. There are only dedicated root cronjobs which sha1sum checksums are trusted from check_cron, due to that, it's not allowed to edit existing cronfiles.If the cronjob is absolutely needed, send an incident to the Managed OS operation team explaining why the cronjob is needed. Also provide the exact error message, the hostname and the ip-address.
check_fs_content
Ensure you create no additional content on the OS mountpoints.
No application directories, application logfiles or any other application data is allowed on os mounted filesystems (/, /boot, /usr/local, /usr/local, /opt, /opt/ds_agent, /opt/vmware, /home, /var, /var/log, /var/log/audit, /tmp). Create all your application specific content on additionally added disks which belongs to the LVM volume group "datavg".
Proposed valid procedure:
1. Add a disk for every new mountpoint you want to create via the portal.
2. Add the new disks to the LVM volume group "datavg".
3. Create a new LVM logical volume for every custom mountpoint.
4. Alter /etc/fstab
5. Mount the new filesystems.
6. Test the new filesystems.
check_fslayout
The OS requires the following filesystem layout:
/dev/mapper/vrhvg-slashlv /
/dev/mapper/vrhvg-optlv /opt
/dev/mapper/vrhvg-homelv /home
/dev/mapper/vrhvg-usrloclv /usr/local
/dev/sda1 /boot
/dev/mapper/vrhvg-tmplv /tmp
/dev/mapper/vrhvg-varlv /var
/dev/mapper/vrhvg-varloglv /var/log
/dev/mapper/vrhvg-logaudlv /var/log/audit
/dev/mapper/vrhvg-swaplv01 swap

All OS filesystems must be in the volume group "vrhvg".
All customer filesystems must be in the volume group "datavg" or "datavg[0-9][0-9]".
The size of the OS filesystems must not be changed.
You can check the filesystem layout by executing:
$ df -hP
check_fstab
Checks if all entries from /etc/fstab are mounted. All entries from /etc/fstab must be mounted before switching back to Full Managed state.To test your fstab configuration, you can mount everything in it by executing:
$ sudo mount -a
check_fstypes
Ensure all partitions have an allowed file system type.
Allowed filesystem types:
autofs, binfmt_misc, cgroup, cifs, configfs, debugfs, devpts, devtmpfs, ext4, hugetlbfs, mqueue, nfs, nfs4, proc, pstore, rootfs, securityfs, selinuxfs, smbfs, swap, sysfs, tmpfs, usbfs, xfs
You can check the filesystem type of a mounted filesystem by executing:
$ df -hT [FILESYTEM]
check_hostname
Checks if the hostname has not been changed. If you have tried to change the hostname, you must revert all changes.You can make sure all relevant places have the right hostname set by executing:
$ sudo grep sccloudres /etc/sysconfig/rhn/systemid
$ sudo facter fqdn
$ sudo cat /etc/hostname
$ sudo grep sccloudres /etc/sysconfig/network
$ sudo grep sccloudres /etc/hosts
$ hostnamectl status | grep sccloudres
check_hosts_file
The /etc/hosts file must contain a localhost entry and all IPv4 and IPv6 addresses must be valid.Get an overview about your actual /etc/hosts file by executing:
$ ls -la /etc/hosts && cat /etc/hosts
check_local_users
Ensure that there are no local users with root permissions except for the user root.
Ensure the GID for users and groups are not higher than 99999, as this GIDs are reserved for Groups which are managed in the Active Directory Ressource Domain.
Ensure no local group "dl_esc-mos-lnx-access*" exists as these groups are managed in the Active Directory Ressource Domain.
You can change the UID of a user by executing:
$ sudo usermod -u [NEWUID] [USER]

You can change the GID of a group by executing:
$ sudo groupmod -g [NEWGID] [GROUP]

check_lvm
Checks if the pvs command finds no unknown/missing devices.You can start debugging this issue by executing:
$ sudo pvs
check_malware
There must not be any malware protection installed, besides the malware protection installed by Swisscom.
check_malware_inst
Ensure Deep Security is installed, configured, and running.You get information about the relevant services by executing:
$ sudo systemctl status puppet
$ sudo systemctl status ds_agent
check_monitoring_inst
Ensure the Swisscom monitoring agent is installed and running. Puppet is installing the monitoring agent, if the check fails because the monitoring agent is not installed, check why Puppet is not running.You get information about the relevant services by executing:
$ sudo systemctl status node_exporter
$ sudo ps aux | grep node_exporter | grep -v grep
check_pam_config
Ensure the pam RPM is installed. Pam configuration must not have been changed or must match an accepted configuration.Install the pam-rpm, in case it is missing, by executing:
$ sudo yum -y install pam.x86_64
Also make sure to not alter or add any files to /etc/pam.d.
check_reboot
Ensure the OS does not require a reboot, otherwise you must reboot the OS.Install the yum-utils-rpm, in case it is missing, by executing:
$ sudo yum -y install yum-utils.noarch
Reboot your server in case it is necessary by executing:
$ sudo shutdown -r now
check_repos
Ensure there aren't any unreachable repos configured.Troubleshoot your issues according to the error-message provided. In case you need to update packages, you may do so by executing:
$ sudo yum -y update
check_rhel_version
The OS version must be any of the following:
- RHEL 7.4 or higher minor release
- RHEL 8.0 or higher minor release
You can check your OS- and kernel-version by executing:
$ cat /etc/redhat-release && uname -a
check_root_processes
Ensure only dedicated system processes are running as root. Applications must not run as root.You get a list of all processes with the running user by executing:
$ sudo ps auxf
check_rpm
The system packages must be from Redhat and must not be modified.In case of an error, check what has changed on the package
$ rpm -V [PACKAGE]
try to fix the problem with a reinstall of the package by executing:
$ sudo yum reinstall [PACKAGE]
check_satellite
Ensure the host is registered to the Red Hat satellite server from Swisscom.In case of an error, check if a proper Satellite server is configured by executing:
$ grep cms2capsule /etc/rhsm/rhsm.conf
check_scs_puppet
Ensure puppet agent is installed and has configured the dedicated puppet master from Swisscom. Puppet must run without errors.You can start debugging this issue by executing:
Is the Puppet RPM installed?
$ sudo rpm -qa --last | grep puppet

Is the Puppet-Service enabled and running?
$ sudo systemctl status puppet

Is a Swisscom Puppet-Server defined in /etc/puppetlabs/puppet/puppet.conf?
$ grep '^server\=' /etc/puppetlabs/puppet/puppet.conf

Is the Puppet-Run without errors? (all green)
$ sudo puppet agent -t
check_selinux
Ensure selinux is enabled (permissive or enforcing).You can start debugging this issue by executing:
Is getenforce returning Enforcing or Permissive?
$ sudo getenforce

Is selinuxenabled returning the return code 0?
$ selinuxenabled && echo $?

Is /etc/selinux/config containing SELINUX=enforcing or SELINUX=permissive?
$ sudo grep '^SELINUX\=' /etc/selinux/config
check_snmp
If a SNMP daemon/service is configured and running on the system, only read-access and SNMPv3 is allowed. Write access is disallowed.In case of an error, check for disallowed directives in /etc/snmp/snmpd.conf by executing:
$ grep rw /etc/snmp/snmpd.conf 2>/dev/null
$ grep write /etc/snmp/snmpd.conf 2>/dev/null
check_space
Ensure minimum free space:
/ > 1 GB
/boot > 100 MB
/var/log > 200 MB
/tmp > 500 MB
/var/log/audit > 100 MB
/opt > 50 MB
swap > 1 GB
You can compare the free space with the figures here by executing:
$ df -hP
check_ssh
Ensure sshd is running and the configuration file exists.
Ensure sshd is running with the default configuration file.
Ensure sshd has a minimal sane configuration. Only allowed ciphers are enabled/configured.
Allowed MACs: hmac-sha2-512,hmac-sha2-256
Allowed Ciphers: aes256-ctr,aes128-ctr
Allowed kexalgorithms: diffie-hellman-group-exchange-sha256
In case of an error, try to solve the problem according to the instruction given in the error message. Rerun the check by executing:
$ sudo checkmate -c -f -I check_ssh
check_ssh_keys
Ensure root doesn't have any unknown ssh keys installed in /root/.ssh/authorized_keys, otherwise you must remove the unknown ssh keys.In case of an error, make sure to remove all keys from roots authorized keys file. You can check roots authorized keys by executing:
$ sudo cat /root/.ssh/authorized_keys 2>/dev/null
check_sudo_processes
There must not be any sudo process running.Stop the mentioned process, otherwise it will not be possible to leave the Temp Admin state.
check_sudoers
There must not be any sudoers configurations (aliases etc.) that allow a user to acquire root-privileges. Only trusted sudoers configurations are allowed, which means each sudoers configuration needs to be requested with a CRQ from ManagedServicesLNXTry to avoid sudo configurations, better use the Temp Admin state for administration tasks. If the sudo command is absolutely needed, send an incident to the Managed OS operation team explaining why the sudo file is needed. Also provide the sudo file, the hostname and the ip-address.
check_suid
There must not be any unknown setuid binaries.
Filesystems which are mounted with the "nosuid" option, are excluded from this check. To prevent a long running search for files with the suid bit set, mount the application or nfs filesystems with the "nosuid" option.
In case of an error, try to solve the problem according to the instruction given in the error message. Rerun the check by executing:
$ sudo checkmate -c -f -I check_suid
check_update_age
Determine last patch date. If the installed kernel is older than 90 days, you must update and reboot the server manually, with these commands:
$ sudo yum update -y
$ sudo yum check-update
$ sudo reboot
In case of an error, try to solve the problem according to the instruction given in the error message. Rerun the check by executing:
$ sudo checkmate -c -f -I check_update_age
check_vmware_tools
Vmware tools must be installed.In case of an error, try to reinstall the package by executing:
$ sudo yum install open-vm-tools
check_yum_conf
Ensure there are no importand RPMs excluded from patching
It is not allowed to exclude the following RPMs from updating:
'*', 'BESAgent', 'coreutils', 'dracut', 'ds_agent', 'epops-agent', 'facter', 'firewalld', 'gpg-pupkey', 'grub2', 'gugent', 'hiera', 'iptables', 'iputils', 'kernel', 'openssl-libs', 'open-vm-tools', 'pam', 'passwd', 'puppet', 'SCCMS-checkmate', 'splunkforwarder', 'sudo', 'VMware-Log-Insight-Agent', 'vmware-vra-software-agent-service'
In case of an error, try to solve the problem according to the instruction given in the error message. Rerun the check by executing:
$ sudo checkmate -c -f -I check_yum_conf
t-tec-aut-b-1
Ensure information about last logon is displayed on login.
t-tec-aut-b-3
Ensure login banner is configured.
t-tec-aut-b-4
Ensure the shell timeouts after 30 minutes.
t-tec-bgk-b-7
Ensure a secure the PATH variable for root.
t-tec-bgk-b-10
Ensure time synchronisation is enabled and running.
t-tec-bgk-b-14
Ensure security limits are present.
t-tec-bgk-b-17
Ensure user data is protected (user home,ssh and mail directories are not world accessible).
t-tec-bnk-b-2
Ensure the network stack is hardened as specified in the config file.
t-tec-del-b-1
Ensure dd is available.
t-tec-enc-b-1
Ensure OpenSSH is installed and running and passwords are hashed in /etc/shadow using a secure algorithm.
t-tec-fil-b-1
Ensure iptables is installed and active.
t-tec-log-b-2
Ensure the following events are logged: Logins and login attempts, system messages, permission changes (user mods, visudos), administrative actions, SSH messages
t-tec-pfs-b-4
Ensure the system requires a password on emergency boot and for the single user mode.
t-tec-sof-b-2
Ensure software is integrity-checked.
t-tec-sof-b-3
Ensure the system is set to use the English language.
t-tec-uam-b-1
Ensure accounts are locked after five unsuccessful login attempts.

Run Compliance Checks manually

Managed Windows

The compliance checks for Managed Windows OS on Swisscoms ESC are run using a custom build framework called PccComplianceChecks or PCC for short.

Each time a compliance check is run, the PCC is called behind the curtains and it triggers a so called PccRun.

A PCCRun is the operation that runs when an Exit Temp Admin is launched in the Portal or system is returned to Full Managed mode for instance.

A PccRun executes a number of infrastructure related tests to validate the OS running in the VM is compliant with Swisscoms Managed OS standards. The module has been made publicly available so that compliance checks can be run locally on the Managed Windows OS.

PCC is locally available to ESC customers starting with version 1.0.0 of the PccComplianceChecks package.

Why use PCC manually

Executing an ExitTempAdmin or Return to Full Managed mode via the regular Day 2 Action can last a few minutes and potentially result in failing checks that need to be corrected. To simplify and to speed up this process, it is now possible to call the same tests that run during the Return to Full Managed mode but directly on your VM.

The main benefit of doing so is the gain in time in validating that the OS is Swisscom standards conform before executing the Return to Full Managed action.

With PCC, it is also possible to get a history of the past runs.

Verify the local PCC version

IMPORTANT NOTE: To download and install the latest versions of the PCC Framework and the required module "PCC.CHK.ESC.WIN.MOS" locally, we recommend to execute first an "Exit Temp Admin" or "Return To Full Managed" Day 2 Action in the ESC Portal.

Open a PowerShell prompt and execute the following PowerShell command(s):

Step 1 - Identify the current version of PCC

This request is used to get the current version of PCC working on your Managed Windows OS.

Request

Get-Module PccComplianceChecks -ListAvailable

Note: One or more different PCC versions can co-exist on the same machine. The one with the highest version number is the latest version available.

Execute a PCCRun

Open a PowerShell prompt and execute the following PowerShell command(s):

Step 1 - Execute a PCCRun

Only messages of the failed checks will be displayed on screen. If none are shown, it means that the Managed Windows OS is compliant.

Request

Test-TempAdmin

Step 2 - Optional

Alternatively, it is possible to output directly the run using the following snippet.

Request

Test-TempAdmin -ShowRun

Get all past PCC run results

NOTE: Results can only be retrieved from compliance checks that have run using the PccComplianceChecks version 1.2.0 or above. Any run done with a previous version will not generate the needed PccRunDocument.

Open a PowerShell prompt and execute the following PowerShell command(s):

Step 1 - Retrieve all past PCC run results

Request

Get-PccRundocument

Note: The 'ErrorCount' property indicates how many compliance checks have failed during that specific run.

Step 2 - Retrieve the last PCC run result

Results will look similar to the screen shot below but will vary according to the VM and its current compliance.

Request

Get-PccrunDocument -Latest

Step 3 - Get failed checks from the last pcc run results

To get the list of the failed checks from the last PCC run (or failed Return to FullAdmin) execute the following code. Results will look similar to the screen shot below but will vary according to the VM and its current compliance.

Request

(Get-PCCRunDocument -Latest).GetFailedChecksConcise()

Managed RHEL

If the VM is in Temp Admin state, the compliance check can also be performed manually.
The command below can be used to check whether the VM can be successfully transferred to the Full Managed state.

$ sudo checkmate -a
Last Updated: