ACC Plugins (Assets) cannot be synced to MID Servers if Circle of Trust (code signing) is enabled in the instance, breaking all Agent Client Collector related features - Known Error

ACC Plugins (Assets) cannot be synced to MID Servers if Circle of Trust (code signing) is enabled in the instance, breaking all Agent Client Collector related features Description ACC Plugins (Assets) cannot be synced to MID Servers if Circle of Trust (code signing) is enabled in the instance, breaking all Agent Client Collector related features

Symptoms:

The agent's acc.log will confirm that the Agents were unable to subsequently download the ACC Plugins from the MID Web Server, when they need them for running Check commands.

When checks then run, they will fail due to the missing records in the ACC cache folders. The errors are likely to be misleading.

e.g.

ruby.exe: no such file or directory -- endpoint_discovery.rb (LoadError) [Error] [command] Absolute path for command [endpoint_discovery.rb ........] couldnot be determined. executable file not found in $PATH

An on demand Host Data Collection, or Test Check, will give "No asset found for asset" errors e.g. 2024-10-21T11:58:55.697+0300 INFO (Worker-Standard:MonitoringProbe-7d5b1bb65559d690937c345aaf64842e) [AWorker:137] Worker starting: MonitoringProbe source: on_demand_request 2024-10-21T11:58:55.699+0300 WARN (Worker-Standard:MonitoringProbe-7d5b1bb65559d690937c345aaf64842e) [MonitoringLogger:196] Error processing check "Enhanced Discovery" for agent id="XXXXXXXXXX". No asset found for asset name: acc-visibility-modules os:windows platform:microsoft_windows_server_2019_standard platformVersion:10.0.17763 Build 17763 arch:amd64. Check MID logs for more information.

With debug enabled, the MID Server's agent log will show the error downloading the assets from the instance:

2024-10-27 09:56:54 DEBUG (FileSync:sn_agent_asset) [Events:114] Dispatching event: 'IssueEvent{operation=RESOLVE, source=CodeValidation, message= Attachment failed code signing validation, table: sn_agent_asset, attachment sys_id: 1694820a97178a503690998de053af92}' to 41 registered listeners

Steps to Reproduce

Install Agent Client Collector Framework, configure a MID Server and install an Agent in the usual way Enable Code Signing, which is a paid-for feature https://docs.servicenow.com/bundle/vancouver-platform-security/page/administer/encryption/task/enable-codesiging.html On activating the ACC endpoint MID Server extension, ACC Plugin records will sync from sn_agent_asset attachments, to a folder tree in the agent\static\ folders of the MID Server Expected behaviour:

If code signing is enabled, it will block any record without a signature. All OOTB records being synched to MID Servers are expected to have signatures code signing OOTB too.

Since the Utah version the MID Server platform uses SignedGlideRecord when synching records from the instance. Since Washington, the Code signing will error on the instance side if Signatures are missing for the record being fetched, however that can be ignored if code signing is disabled. However if code signing is enabled all OOTB records synched to MID Server do need signatures.

Code signing can only be disabled for the whole instance. Individual apps cannot opt out of this.

Actual behaviour:

sn_kmf_record_signature records are missing for all sn_agent_asset records and their attachments. This includes assets from several apps:

Application: Agent Client Collector for Investigation (4) app-ci-metrics-modules app-ci-metrics-acc-commons

Application: Agent Client Collector for Visibility (1) acc-visibility-main

Application: Agent Client Collector for Visibility Content (3) acc-visibility-modules

Application: Agent Client Collector Framework (12) acc-f-commons acc-f-modules osquery pattern-execution acc-f-upgrade-rpm acc-f-upgrade-msi acc-f-agent-upgrade-deb

Application: Agent Client Collector Log Analytics (3) filebeat winlogbeat

Application: Agent Client Collector Monitoring (9) monitoring-plugin-aws monitoring-plugin-azure-metrics-collector monitoring-plugin-common monitoring-plugin-linux monitoring-plugin-modules monitoring-plugin-windows

Application: Global (21) cimtest

Application: Live CI View (1) live-ci-view

Those assets cannot be synched to Agents, via MID Servers, meaning no Policy/Check commands that depend on those ACC Plugins can be run.

Workaround This problem has no workaround, is currently under review and targeted to be fixed in a future release. Subscribe to this Known Error article to receive notifications when more information will be available.