Return
-
Title
How to check tainted files in the firmware. How to remove tainted files. -
Description
How to check tainted files in the firmware.
How to remove tainted files.
-
Cause
The firmware can become tainted for the following reasons:1) Any application is modified (scripts,binaries, etc)2) Mode or ownership is changed3) Interrupted backup/archive process4) Malicious change5) Error in the firmware after upgrade6) Intentional change by integration7) Unsuccessful upgrade attempt8) Box crashed and left temporary files behind -
Resolution
Checking tainted files
- Run these commands from the boot shell of the appliance:
xcbclient self xcb_check_boot_files
xcbclient self xcb_check_core_files
- If the appliance is in HA Cluster mode, run the following command to check the slave node:
xcbclient other xcb_check_boot_files
Removing tainted files
You can simply delete the files using these commands from the appliance as those are usually harmless.
- Run these commands from the boot shell of the appliance:
xcbclient self xcb_check_boot_files | xargs rm -f
xcbclient self xcb_check_core_files | xargs rm -f
- If the appliance is in HA Cluster mode, run the following command to remove tainted files from the slave node:
Syslog-ng Store Box
xcbclient other xcb_check_boot_files | xargs ssh ssb-other rm -f
One Identity Safeguard for Privileged Sessions
xcbclient other xcb_check_boot_files | xargs ssh scb-other rm -f
Please note: If some of the tainted files that you are trying to remove contain a space in them and do not get delete, please enclose the information in brackets so unix recognizes the space. For example:
rm "/mnt/drbd/private/root/ystemctl reset-failed"