NetIQ Security Agent for Unix Installation and Configuration Guide. NetIQ Security Manager NetIQ Secure Configuration Manager

Transcription

1 NetIQ Security Agent for Unix Installation and Configuration Guide NetIQ Security Manager NetIQ Secure Configuration Manager November 1, 2006

2 THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU. This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time NetIQ Corporation, all rights reserved. U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R (for Department of Defense (DOD) acquisitions) and 48 C.F.R and (for non-dod acquisitions), the government s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement. Check Point, FireWall-1, VPN-1, Provider-1, and SiteManager-1 are trademarks or registered trademarks of Check Point Software Technologies Ltd. ActiveAgent, ActiveAnalytics, ActiveAudit, ActiveReporting, ADcheck, AppAnalyzer, AppManager, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, IntelliPolicy, Knowing is Everything, Knowledge Scripts, Mission Critical Software for E-Business, MP3check, NetConnect, NetIQ, the NetIQ logo, NetIQ Change Administrator, NetIQ Change Guardian, NetIQ Compliance Suite, NetIQ Group Policy Administrator, NetIQ Group Policy Guardian, NetIQ Group Policy Suite, the NetIQ Partner Network design, NetIQ Patch Manager, NetIQ Risk and Compliance Center, NetIQ Secure Configuration Manager, NetIQ Security Administration Suite, NetIQ Security Analyzer, NetIQ Security Manager, NetIQ Vulnerability Manager, PSAudit, PSDetect, PSPasswordManager, PSSecure, Server Consolidator, VigilEnt, Vivinet, Work Smarter, and XMP are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.

3 Contents About This Book and the Library... vii Conventions... ix About Attachmate...x Chapter 1 Introduction 1 What Are Unix Agents?... 2 How Unix Agents Work with Secure Configuration Manager... 3 How Unix Agents Work with Security Manager... 3 How Unix Agents Help You... 3 Chapter 2 Licensing and Upgrading 5 Understanding Licensing... 5 Trial Licenses... 5 Licensing Unix Agents... 6 Upgrading an Unexpired License... 6 Installing a Unix Agent License... 6 Upgrading... 7 Starting Agent Manager... 8 Exporting the Host List... 9 Upgrading Unix Manager on a Windows Computer Upgrading Unix Manager on a Solaris or Red Hat Computer Importing the Host List Upgrading Unix Agents Configuring IP Addresses and Updating Ports Contents iii

4 Chapter 3 Installing Unix Manager and Unix Agents 19 Checklist for Installing Unix Agents Requirements Unix Manager Computer Requirements Unix Agent Computer Requirements Unix Agent Communication Protocols Installing Unix Manager Installing Unix Manager on a Windows Computer Installing Unix Manager on a Solaris or Red Hat Computer Starting Unix Manager Starting Unix Manager on a Unix or Linux Computer Starting Unix Manager on a Windows Computer Starting Unix Manager from the Secure Configuration Manager Console Installing Unix Agents Installing Unix Agents Remotely Installing Unix Agents Locally Synchronizing Unix Agents Chapter 4 Configuring Security Manager Support 39 Configuring Basic Security Manager Support Installing the TCP Daemon Activating the Most Current Rule Sets Configuring Extended Security Manager Support Enabling Process Accounting Enabling and Configuring the Basic Security Module on Solaris Configuring Security Manager Support for Oracle Configuring Failover or Multiple Configuration Groups iv Installation and Configuration Guide

5 Chapter 5 Configuring Secure Configuration Manager Support 51 Configuring Basic Secure Configuration Manager Support Configuring Secure Configuration Manager Support for Oracle Appendix A Creating and Managing Unix Rules 55 Understanding Unix Agent Rules Deciding How to Create Unix Rules and Rule Sets Understanding Rule Sets Selecting a Rule Set to Edit Viewing Rule Sets and Editing Rule Set Properties Saving Rule Sets Locally Activating Rule Sets on Remote Hosts Using the Rule Wizard to Create Rules Understanding Event Sources Editing Event Source Properties Creating New Event Sources Deleting Event Sources Understanding Rule Groups Editing Rule Group Properties Creating New Rule Groups Deleting Rule Groups Understanding Rules and Actions Viewing and Editing Rule Properties and Actions Creating New Rules and Actions Deleting Rules and Actions Understanding Initialization Code Viewing and Editing Initialization Code Adding New Initialization Code Deleting Initialization Code Contents v

6 Understanding Conditionals and Comparisons Viewing and Editing Comparison Properties Adding Comparisons Adding And Adding Or Associating Comparisons with Conditionals Deleting Comparisons or Conditionals Understanding Time Conditions Viewing and Editing Time Conditions Adding New Time Conditions Deleting Time Conditions Understanding Main Code Viewing and Editing Main Code Adding New Main Code Deleting Main Code Customizing the Rules Management User Interface Deciding Whether to Use Tabbed Layouts Deciding Whether to Use Parameter Aliases Appendix B Uninstalling Agents and Unix Manager 87 Uninstalling Unix Agents Uninstalling Unix Manager on Windows Uninstalling Unix Manager on Solaris or Red Hat vi Installation and Configuration Guide

7 About This Book and the Library The Installation and Configuration Guide provides steps for Unix Manager installation, steps for NetIQ Security Agent for Unix (Unix agent) product deployment, and integration information for the NetIQ Security Manager (Security Manager) and NetIQ Secure Configuration Manager (Secure Configuration Manager) products. The Secure Configuration Manager product was formerly known as NetIQ Vulnerability Manager. Intended Audience This book provides information for individuals responsible for installing and using Unix agents and reporting information to Security Manager and Secure Configuration Manager. Other Information in the Library The Security Agent for Unix can be configured to forward data to both Security Manager and Secure Configuration Manager. Depending on the product you purchased, your library provides the following information resources: Installation and Configuration Guide Provides Unix Manager installation steps, agent deployment steps, and integration information for Security Manager and Secure Configuration Manager. Help Provides context-sensitive information and step-by-step guidance for common tasks. User Guide for NetIQ Security Manager Provides conceptual information about Security Manager. This book also provides an overview of the Security Manager user interfaces and stepby-step guidance for many tasks. About This Book and the Library vii

8 User Guide for NetIQ Secure Configuration Manager Provides conceptual information about Secure Configuration Manager. This book also provides an overview of the Secure Configuration Manager installation, interfaces, and reports and the Help. viii Installation and Configuration Guide

9 Conventions The library uses consistent conventions to help you identify items throughout the documentation. The following table summarizes these conventions. Convention Use Bold Window and menu items Technical terms, when introduced Italics Book and CD-ROM titles Variable names and values Emphasized words Fixed Font File and folder names Commands and code examples Text you must type Text (output) displayed in the command-line interface Brackets, such as [value] Optional parameters of a command Braces, such as {value} Required parameters of a command Logical OR, such as value1 value2 Exclusive parameters. Choose one parameter. Conventions ix

10 About Attachmate Attachmate, owned by an investment group led by Francisco Partners, Golden Gate Capital and Thoma Cressey Equity Partners, enables IT organizations to extend mission critical services and assure they are managed, secure and compliant. Attachmate's leading solutions include host connectivity, systems and security management, and PC lifecycle management. Our goal is to empower IT organizations to deliver trusted applications, manage service levels, and ensure compliance by leveraging knowledge, automation and secured connectivity. For more information, visit NetIQ Solutions from Attachmate Attachmate provides a wide selection of systems and security management solutions to help you manage and secure all your essential platforms, including Windows, Unix, Linux, and iseries. These Knowledge-Based Service Assurance products and solutions include embedded knowledge and tools to implement industry best practices and to better ensure operational integrity, manage service levels and risk, and ensure policy compliance. Our modular, best-ofbreed solutions for Performance and Availability Management, Security Management, Configuration and Vulnerability Management, and Operational Change Control integrate through an open, service-oriented architecture allowing for common reporting, analytics and dashboards. Attachmate offers the following systems and security management solutions: Performance and Availability Management These products offer rapid time-to-value solutions that enable you to align your IT operations with business priorities and optimize the delivery of your IT-based business services. This solution automates the complete IT service management lifecycle: assessment of requirements, definition of Service Level Agreements, management of day-to-day operations, and review of operational metrics. x Installation and Configuration Guide

11 Security Management These easy-to-install-and-deploy products provide effective protection from and response to security-related threats. This solution provides powerful features, such as real-time security event monitoring, mapping of threat indicators, policy violation alerts, and expedited incident forensics and resolution. These products reduce the time required to identify and resolve security threats. Configuration and Vulnerability Management These products allow you to quickly and easily assess vulnerabilities, manage security risks, and assure policy compliance. This powerful solution measures and enforces compliance to configuration baselines based on your corporate policies, regulations, and evolving security threats. You can use the latest security knowledge, which is updated in real time, to resolve compliance and configuration issues. Operational Change Control These products enable IT organizations to control, manage, and audit operational changes to servers, Active Directory, and Group Policy with unprecedented levels of accountability. NetIQ's Operational Change Control (OCC) solutions enable enterprise customers to meet IT compliance and operational integrity needs in the most cost-effective manner, by delegating access control, managing changes according to policy, and alerting and reporting on change activities and entitlements. About Attachmate xi

12 Contacting NetIQ Solutions Support Please contact us with your questions and comments. We look forward to hearing from you. For support around the world, please contact your local partner. For a complete list of our partners, please see our Web site. If you cannot contact your partner, please contact our Technical Support team. Telephone: (only in the United States and Canada) Sales info@netiq.com Support: Web Site: xii Installation and Configuration Guide

13 Chapter 1 Introduction Securing your Unix environment can be expensive and time-consuming, especially when you and your staff face tight budgets and escalating security threats. Consider the following issues most enterprise security managers confront: Deficits in staff knowledge concerning Unix security and system expertise Managing various operating systems including Solaris, AIX, Linux, and HP-UX Controlling access to privileged commands and sensitive resources Lacking intrusion detection and response systems to handle both real and potential security breaches Integrating Unix management into company-wide security initiatives Security Agents for Unix (Unix agents) help you effectively address these challenges, allowing you to audit, secure, and monitor your Unix environment. Chapter 1 Introduction 1

14 What Are Unix Agents? Unix agents form an integral part of any host-based management solution attempting to secure your Unix and Linux systems from a central point of control. Unix agents allow you to assess business-critical Unix hosts for risks and vulnerabilities, minimize risk through automated alerts and event response, and monitor for real-time threats. Unix agents protect your critical Unix and Linux hosts in the following ways: Reduce time lost due to misconfiguration Report vulnerabilities across multiple Unix operating systems Control access to critical files and resources Streamline the Unix security management workflow Detect critical file changes and intrusion Unix agents provide built-in, Unix-specific security knowledge, allowing your more novice staff to safely contribute to securing your enterprise. Integrating your Unix agents with Security Manager and Secure Configuration Manager (formerly known as NetIQ Vulnerability Manager) joins your Unix systems with the rest of your multi-platform environment. Both Secure Configuration Manager and Security Manager provide threat management solutions across platforms, servers, and application software. Your Unix agents can supply the information Security Manager needs to detect intrusion events in real-time, perform forensic analysis on log files, and send notifications to security personnel. Coupling your agents with Secure Configuration Manager allows you to proactively flag and correct vulnerable computers. 2 Installation and Configuration Guide

15 How Unix Agents Work with Secure Configuration Manager Secure Configuration Manager uses Unix agents to validate the configuration of Unix hosts to ensure compliance with corporate security policies and pinpoint potential vulnerabilities. For more information about Secure Configuration Manager, see the User Guide for NetIQ Secure Configuration Manager. How Unix Agents Work with Security Manager Security Manager uses Unix agents to detect intrusions and collect syslog events from Unix platforms. Security Manager stores collected syslog events in a secure repository that you can access from a single, centralized console. From a single console you can view intrusion attempts and run reports across multiple unix platforms. For more information, see the User Guide for NetIQ Security Manager and the Security Manager for Unix Monitoring Guide. How Unix Agents Help You Unix agents form part of a comprehensive solution for proactive auditing, securing, monitoring, and maintaining Unix and Linux environment security. Combining Unix agents with Security Manager and Secure Configuration Manager helps you achieve a number of objectives: Ensure continuous compliance with information security policies Protect information assets on Unix and Linux hosts Defend against intruders and other malicious activity Chapter 1 Introduction 3

16 Manage security across dissimilar Unix operating systems Integrate Unix and Linux systems into cross-platform, company-wide security initiatives 4 Installation and Configuration Guide

17 Chapter 2 Licensing and Upgrading The following sections provide information about licensing Unix agents and upgrading previous versions of both the Unix Manager (Unix Console) and Unix agents. Understanding Licensing The following sections help you understand licensing, count your Unix agent and Unix Manager license use, upgrade licenses, and install new licenses. Trial Licenses Your trial license allows you to experience the convenience and security of deployed Unix agents for up to one month. During this time, the Unix Manager can manage up to 1,000 agents. When you decide to move your trial into production, contact your NetIQ sales representative for a production license. Chapter 2 Licensing and Upgrading 5

18 Licensing Unix Agents Unix agents require the use of a license key file. You install this license key file on the Unix Manager that communicates with the agents. Security Manager and Secure Configuration Manager require a separate license key file that includes the Unix agents. Each agent you install decrements the license key file located on the managing console. For example, if you manage agents using Security Manager, both the Security Manager console and the Unix Manager console need valid licenses. If you manage agents using Secure Configuration Manager, the Secure Configuration Manager console and the Unix Manager require valid licenses. Ensure your licenses provide the appropriate coverage for your needs. Upgrading an Unexpired License License key files from version prior to 4.0 of the Unix Manager are incompatible with the latest version of the Unix Manager. If you have an unexpired license for a product version prior to 4.0, contact your NetIQ sales representative to obtain an updated license key file. You can take advantage of the month long, 1000 agent trial to explore the benefits of the current version. This allows you to deploy immediately, without having to wait for an updated license. Installing a Unix Agent License When you install Security Manager or Secure Configuration Manager, you install a license key to cover all your endpoints. The Unix Manager stores a separate license key file for the agents. Ensure you have enough agents licensed to account for your Secure Configuration Manager and Security Manager implementations. To install your Unix agent license key file: 1. Secure a license key file from your NetIQ sales representative. 2. Copy the license key file to a folder or directory on the Unix Manager computer. 6 Installation and Configuration Guide

19 3. Start Unix Manager. For more information, see Starting Unix Manager on page On the Agent Manager menu, click Licenses > Add to Console License. 5. Browse to your license key file, and then click Open. Upgrading To successfully upgrade your Unix Manager and Unix agents, complete the following checklist. Upgrading Previous Unix Manager and Unix Agent Implementations 1. Ensure your current hardware and software support the upgrade of the Unix Manager and Unix agents. For more information, see Unix Manager Computer Requirements on page 21 and Unix Agent Computer Requirements on page Start the previously installed Unix Manager and launch the Agent Manager. For more information, see Starting Agent Manager on page Export the host list. For more information, see Exporting the Host List on page For more information about upgrading a Windows implementation of the Unix Manager, see Upgrading Unix Manager on a Windows Computer on page For more information about upgrading a Unix implementation of the Unix Manager, see Upgrading Unix Manager on a Solaris or Red Hat Computer on page Import the host list. For more information, see Importing the Host List on page Review the following sections and decide how you want to upgrade your agents: Upgrading Agents Remotely on page 14 and Upgrading Agents Locally on page 15. Chapter 2 Licensing and Upgrading 7

20 Upgrading Previous Unix Manager and Unix Agent Implementations 8. Configure any new communication targets for your upgraded agents. For more information, see Configuring IP Addresses and Updating Ports on page 17. Starting Agent Manager Agent Manager is a part of Unix Manager. You can start Agent Manager from Unix Manager. If you have Secure Configuration Manager, you can also start Agent Manager from the Secure Configuration Manager console. To start Agent Manager: 1. If you want to start Agent Manager from Unix Manager, complete the following steps: a. Start Unix Manager. For more information about starting Unix Manager, see Starting Unix Manager on page 26. b. In the left pane of Unix Manager, click Manage Agents. 2. If you want to start Agent Manager from Secure Configuration Manager, complete the following steps: a. Start Secure Configuration Manager. b. Click Tools > Unix Manager. c. In the left pane of Unix Manager, click Manage Agents. 8 Installation and Configuration Guide

21 Exporting the Host List A host list contains a list of hosts, port information, and an encryption key. The Unix Manager and agents installed on hosts defined in the host list share this encryption key. If Unix Manager does not know the encryption key, it cannot communicate with its agents. Before you upgrade Unix Manager, ensure you export the host list. Exporting the host list allows you to share the encryption key with the upgraded Unix Manager computer. If you do not export the host list and the upgrade process overwrites the encryption key, Unix Manager cannot communicate with its agents. To export the host list: 1. Start the Agent Manager. For more information, see Starting Agent Manager on page Click Hosts > Edit Hosts. 3. Select all hosts in the Current Hosts list. 4. Click Export Selected. 5. Save the agent host file to a convenient location. 6. Click Close. 7. On the File menu, click Exit. Chapter 2 Licensing and Upgrading 9

22 Upgrading Unix Manager on a Windows Computer If you previously installed Unix Manager on a Windows computer, complete the following steps to upgrade Unix Manager. Note To ensure you maintain your host list, license, password, and cached reports, install Unix Manager to your previous installation folder. If the installation path you specify is different than the previous installation path, the setup program installs a new Unix Manager instance. Copy your license to the new installation folder and import your host list in the new Unix Manager instance. If you are upgrading the Unix Manager on a computer running Windows Server 2003 Service Pack 1 or Windows XP Service Pack 2, ensure the Data Execution Prevention (DEP) feature on the computer allows you to run SETUPforWINDOWS.EXE and install UM_install_Windows.exe. For more information about configuring the DEP feature, see Microsoft Knowledge Base Article , available at support.microsoft.com. To upgrade the Unix Manager on a Windows computer: 1. Ensure you have exported the host list. For more information, see Exporting the Host List on page Run SETUPforWINDOWS.EXE in the root folder of the installation kit. Note If you are installing the Unix Manager from the CD, the setup program should automatically start when you insert the CD in the drive. 3. On the Setup tab, click Check Version to compare the product version of the installation kit against the newest product version available on the Web site. 4. Click Begin Unix Manager for Windows Setup on the Setup tab. 10 Installation and Configuration Guide

23 5. Complete the setup program. The setup program guides you through the license agreement and upgrades Unix Manager. For more information, see Understanding Licensing on page If you specify a different installation path than the previously installed Unix Manager, copy and paste the license to the new Unix Manager installation folder by completing the following steps: a. Copy vsau_console.lic from the following folder: <installation folder>\program Files\NetIQ\Secure Configuration Manager\VSOC\VSAU\unix\local\license Where <installation folder> is the folder where you installed Secure Configuration Manager. b. Paste vsau_console.lic to the following folder: <installation folder>\program Files\NetIQ\VSAU\unix\local\license Where <installation folder> is the folder where you are installing Unix Manager. 7. Start Unix Manager. For more information, see Starting Unix Manager on page Type your password in the window, and then click Accept. Note If you want to specify a different installation path than the previously installed Unix Manager, type the new password in both fields to confirm. 9. Click File > Exit. Upgrading Unix Manager on a Solaris or Red Hat Computer If you previously installed the Unix Manager on a Solaris or Red Hat computer, complete the following steps to upgrade your implementation. Ensure you have exported your host list from your previous implementation before completing this procedure. Chapter 2 Licensing and Upgrading 11

24 To upgrade the Unix Manager on a Solaris or Red Hat computer: 1. Log on to the Solaris or Red Hat computer with the account you plan to use to run the Unix Manager. 2. Ensure you have installed the most current recommended patch clusters and security patches. You can download current recommended patch clusters and security patches for Sun Solaris. For more information, see Similar Red Hat packages may be available from 3. Change directories to the product installation kit. 4. Open WELCOME_UNIX.HTM in a Web browser. 5. Click Check Version to compare the product version of the installation kit against the newest product version available on the Web site. 6. If you are installing the Unix Manager on a Solaris computer, start the installer script by entering the following command at the command prompt: /bin/sh./um_install_solaris.sh 7. If you are installing the Unix Manager on a Red Hat computer, start the installer script by entering the following command at the command prompt: /bin/sh./um_install_linux.sh 8. Complete the install script. The script guides you through the license agreement and installs the Unix Manager and a symbolic link to the directory that you select. For more information, see Understanding Licensing on page 5. Note To ensure you maintain your cached reports, host list, and licenses, install the Unix Manager to your previous installation folder. 12 Installation and Configuration Guide

25 9. Start the Unix Manager. For more information, see Starting Unix Manager on page Type your password in the window, and then click Accept. Note Upgrading your Unix Manager implementation allows you to retain your previous password. Importing the Host List If you do not immediately see all your managed agents in Unix Manager, complete the following procedure to import the host list. Importing the host lists allows you to maintain uninterrupted communication with your previously installed Unix agents. To import the host list: 1. Start the Unix Manager. For more information, see Starting Unix Manager on page In the left pane, click Manage Agents. 3. Click Hosts > Edit Hosts. 4. Click Import Hosts. 5. Navigate to the location of your saved agent host file and click Open. For more information, see Exporting the Host List on page Click Save. 7. Click Hosts > Scan All Hosts to restore communication with your previously installed Unix agents. Chapter 2 Licensing and Upgrading 13

26 Upgrading Unix Agents The following procedures provide methods for upgrading Unix agents without losing data or customizations. You can either remotely upgrade your agents from the Unix Manager or install the agent locally. Complete one of the following procedures to upgrade your agents. Upgrading Agents Remotely The following procedure guides you through upgrading Unix agents with Unix Manager. To upgrade agents using the Unix Manager: 1. Start the Agent Manager. For more information, see Starting Agent Manager on page Click Hosts > Scan All Hosts to update the status of the Unix agents in the agent summary table. 3. Review the right pane and verify that all agent computers are listed and communicating properly. The UAgent and UVserv columns should be green for all the agents you want to upgrade. 4. Click Hosts > Patch Mgr to open the Patch Manager. 5. Select all hosts in the Hosts Running uagent list. 6. Select NSAU in the Patches Available list. 7. Click Apply. The time necessary to update your agents depends on the number of agents to update, distance from the Unix Manager console, network connectivity, and bandwidth, among other factors. This process can take up to 20 minutes per agent. 8. Click Close to close the Patch Manager. 9. Click Hosts > Scan All Hosts to update the status of the Unix agents in the agent summary table. 14 Installation and Configuration Guide

27 Upgrading Agents Locally The following procedure guides you through logging on to a Unix agent computer and locally upgrading the agent. To install an agent on the local computer: 1. Log on to an agent computer using the root account. 2. Mount the CD drive. For more information on mounting the CD drive to preserve long file names, see Mounting the Drive Used to Read the Installation CD on page Change directories to the CD drive, and then enter the following command to start the install script: /bin/sh./install.sh 4. Press Enter. 5. Press Enter to accept the default installation directory. If you want to change the installation directory, type an alternate directory to use. 6. Press Enter to confirm the installation directory. 7. Press Enter to accept the default uvserv port. 8. Press Enter to accept the default uagent port. 9. Press Enter to accept the recommended start method for the agent daemons or supply one of the following alternate start methods: rclink Starts the agent daemons immediately after the deployment process and adds a startup script to the /etc/rc.d directory. This startup script starts the agent daemons after each reboot when the master rc script runs. inittab Starts the agent daemons immediately after the deployment process and adds an entry to the /etc/inittab file. This inittab file entry starts the agent daemons at the default run level after each reboot. Chapter 2 Licensing and Upgrading 15

28 inetd Configures the (x)inetd daemon to start the agent daemons when needed and then stop and unload the agent daemons. The inetd start method is recommended for the agent daemons. 10. Press Enter to accept the recommended start method for the event detection and alerting daemon. Alternately, you can select rclink as your start method. For more information about rclink or inittab, see the previous step. 11. If you are installing the agent for Secure Configuration Manager, enter the IP address of the Secure Configuration Manager Core Services computer and press Enter to accept the default Core Services port. 12. If you do not have Secure Configuration Manager, press Enter to omit the IP address of the Core Services computer and press Enter to continue. 13. If you are installing the agent for Intrusion Manager, enter the IP address of the Security Manager central computer, and then enter 1636 for the Security Manager port. If you want to configure the agent to send data to multiple configuration groups or failover central computers for Intrusion Manager, configure these options after upgrading the agent. For more information, see Configuring IP Addresses and Updating Ports on page If you do not have Security Manager, press Enter to omit the IP address of the Security Manager central computer and then press Enter to continue. 15. If you want the Unix agent to send SNMP traps, enter the IP address of the SNMP management console computer. 16. If you do not want the Unix agent to send SNMP traps, press Enter to omit the IP address of the SNMP management console. 17. Press Enter to install the agent files. 18. Press Enter to start the daemons. 19. Eject the product CD and log off the agent computer. 16 Installation and Configuration Guide

29 Configuring IP Addresses and Updating Ports Your agents integrate easily with your existing Security Manager, Secure Configuration Manager, and SNMP management implementations. To successfully integrate your agents, ensure your Unix Manager and your Unix agents are the most current version. For more information, see Upgrading on page 7. The following procedure guides you through the process of integrating existing Unix agents with Secure Configuration Manager or Security Manager. You can also use this procedure to update communication ports and IP addresses. To configure IP addresses and update your port assignments: 1. Start Unix Manager. For more information, see Starting Unix Manager on page In the left pane, click Manage Agents. 3. Click Hosts > Scan All Hosts to update the status of your Unix agents. 4. Click Hosts > Configure Agent. 5. On the Agent Options window, select the agents you want to update, then click Parameters. 6. On the Agent Parameters window, provide the appropriate information. If you have Intrusion Manager, type the IP address of the Security Manager central computer, a colon (:), and then the Security Manager port number in the appropriate field. For example, type :1636. If you have Intrusion Manager and want the agent to send event information to more than one Security Manager configuration group, separate the central computer IP address and port number for each configuration group with a comma (,). For example, type :1636, :1636. Chapter 2 Licensing and Upgrading 17

30 If you have Intrusion Manager and want to specify failover Security Manager central computers, separate the IP address and port number for each Security Manager central computer with a bar ( ). Failover occurs in the order you specify, from left to right, with the first central computer acting as the primary central computer. For example, type : :1636. If you have Secure Configuration Manager, type the IP address of the Secure Configuration Manager Core Services computer, a colon (:), and then the Secure Configuration Manager port number in the appropriate field. For example, type :1626. If you have implemented an SNMP management solution, type the IP address of the SNMP console computer, a colon (:), and then the SNMP console computer port number. 7. Click OK. 18 Installation and Configuration Guide

31 Chapter 3 Installing Unix Manager and Unix Agents The following sections guide you through the initial installation of the Unix Manager, if necessary, and your Unix agents. The information provided in these sections ensures error-free implementation and accelerated agent deployment. Checklist for Installing Unix Agents The following checklist guides you through reviewing the requirements and installing the Unix Manager and your agents. By the time you complete the checklist, your agents should already be communicating with Secure Configuration Manager, NetIQ Security Manager, or both. For information about upgrading existing agents, see Licensing and Upgrading on page 5. Chapter 3 Installing Unix Manager and Unix Agents 19

32 To deploy your Unix agents, complete the following checklist. Tasks to Deploy Unix Agents 1. Ensure you have correctly installed Secure Configuration Manager or NetIQ Security Manager before installing your agents. For more information, see the Installation Guide for Secure Configuration Manager or the Installation Guide for NetIQ Security Manager. 2. If you are upgrading existing agents, see Licensing and Upgrading on page If you want to install Unix agents for NetIQ Security Manager, review the requirements for the Unix Manager. For more information, see Unix Manager Computer Requirements on page 21. After reviewing, install Unix Manager. For more information, see Installing Unix Manager on page Review the Unix agent requirements. For more information, see Unix Agent Computer Requirements on page Start the Unix Manager. For more information, see Starting Unix Manager on page Install your Unix agents. For more information, see Installing Unix Agents on page Synchronize your Unix agents. For more information, see Synchronizing Unix Agents on page If you received a license file from your NetIQ Sales Representative, install the license file. For more information, see Installing a Unix Agent License on page If you installed Unix agents for NetIQ Security Manager, configure your agents appropriately. For more information, see Configuring Security Manager Support on page If you installed Unix agents for Secure Configuration Manager, verify that the Unix agents correctly registered with Secure Configuration Manager. For more information, see the User Guide for Secure Configuration Manager. 20 Installation and Configuration Guide

33 Requirements The following sections outline the computer, operating system, and software requirements for the Unix Manager and your Unix agents. Unix Manager Computer Requirements The following table describes the hardware and software requirements for the computer on which you install the Unix Manager. You can use the Unix Deployment wizard, accessed through either the Unix Manager or Secure Configuration Manager, to deploy Unix agents. Category Operating Systems Memory Requirements You can install the Unix Manager on a computer with one of the following operating systems: Microsoft Windows 2000, XP, and 2003 Sun Solaris 8, 9 Red Hat Linux on Intel platforms 128MB minimum RAM Chapter 3 Installing Unix Manager and Unix Agents 21

34 Category Hard Disk Space Monitor Software Dependencies Requirements 500MB minimum, more for large reports caches 1024x768 or higher resolution The Unix Manager requires one of the following software programs or suites to support installing agents remotely: SSH protocol version 2 and SFTP FTP and telnet If you have SSH protocol version 2 installed, you can take advantage of the secure file transfer features in the Agent Manager and the Deployment wizard. To download the latest version of OpenSSH, a free source for the SSH protocol, see The Unix Manager also requires one of the following Web browsers: Internet Explorer 5.5 or later Netscape Communicator 6 or later Mozilla Other browsers with Internet Explorer compatibility modes Unix Agent Computer Requirements The following table describes the hardware and software requirements for computers where you want to deploy Unix agents. For more information about supported versions, see the Release Notes for NetIQ Security Agent for Unix. Category Operating Systems Requirements Compaq Tru64 UNIX HP-UX Integrity and PA-RISC IBM-AIX IBM Linux on Power Red Hat Enterprise Linux (RHEL) Silicon Graphics IRIX Sun Solaris Novell SuSE Linux for Enterprise Servers (SLES) 22 Installation and Configuration Guide

35 Category Memory IP Addresses Default Port Assignments Hard Disk Space Accounts Requirements Unix agents have the following memory requirements: 128MB minimum RAM 512MB swap file (virtual memory) The Unix agents can support a number of event consolidation, vulnerability assessment, and SNMP management products. If you want to integrate your agents with these products, you must provide the following information: NetIQ Security Manager central computer Secure Configuration Manager Core Services computer SNMP Management console computer Unix agents listen on the following default ports: 1622 (NetIQ Security Manager Log Manager [SSL]) 2620 (Unix Manager [Blowfish]) Unix agents also open the following middle-tier ports: 1626 (Secure Configuration Manager [SSL]) 1636 (NetIQ Security Manager Intrusion Manager [SSL]) You can configure Unix agents to use different ports. For more information, see Configuring IP Addresses and Updating Ports on page MB minimum, plus 400 Bytes per inode used by local file systems The Unix Deployment wizard requires root access for the computer on which you want to install Unix agents. The root password is only used by the wizard at installation. It is not stored. Unix Agent Communication Protocols Unix agents communicate with Secure Configuration Manager and Log Manager using authentication and encryption. Unix agents communicate with Intrusion Manager using encryption only. However, Unix agents send event information only to the IP address and port number you specify during installation. For more information about ports and encryption protocols for each port, see Unix Agent Computer Requirements on page 22. Chapter 3 Installing Unix Manager and Unix Agents 23

36 Installing Unix Manager Unix Manager can be installed on Windows, Unix, and Linux computers. The Unix Manager helps you install, upgrade, and configure your Unix agents. When you want to integrate Unix agents with your NetIQ Security Manager implementation, you must install the Unix Manager. The Unix Manager can be installed with Secure Configuration Manager, although you can install Unix Manager as a stand-alone application. Complete one of the following sections to install the Unix Manager: Installing Unix Manager on a Windows Computer on page 24 Installing Unix Manager on a Solaris or Red Hat Computer on page 25 Installing Unix Manager on a Windows Computer Complete the following steps to install the Unix Manager on a Windows computer. You use the Unix Manager to install, configure, manage, and upgrade Unix agents. If you are installing the Unix Manager on a computer running Windows Server 2003 Service Pack 1 or Windows XP Service Pack 2, ensure the Data Execution Prevention (DEP) feature on the computer allows you to run SETUPforWINDOWS.EXE and install UM_install_Windows.exe. For more information about configuring the DEP feature, see Microsoft Knowledge Base Article , available at support.microsoft.com. To install the Unix Manager on a Windows computer: 1. Log on to the Windows computer using a local administrator account. 2. Run SETUPforWINDOWS.EXE in the root folder of the installation kit. Note When you put the CD in the drive, the setup program should automatically start. 24 Installation and Configuration Guide

37 3. Click Check Version on the Setup tab to check the product version of the installation kit against the newest available product version on the Web site. 4. If you do not have the latest version of the product, download the latest product version. 5. If you downloaded a newer version of the installation kit, complete the instructions provided with the download to extract the installation kit and then run SETUPforWINDOWS.EXE in the root folder. 6. Click Begin Unix Manager for Windows Setup on the Setup tab. 7. Complete the automatic installer wizard. The wizard guides you through the Trial Software License Agreement and installs the Unix Manager to the folder that you specify. 8. Start the Unix Manager. For more information, see Starting Unix Manager on a Windows Computer on page Type and confirm a password in the window and then click Accept. Note Remember your password. You must type the same password every time you start the Unix Manager. Installing Unix Manager on a Solaris or Red Hat Computer You can also install the Unix Manager on Solaris or Red Hat computers. To install the Unix Manager on a Solaris or Red Hat computer: 1. Log on to the computer. Depending on the platform you want monitor, you may need the root password to install the Unix Manager. 2. Verify that the current Recommended & Security Patch clusters are installed on your operating system. 3. Change directories to where you copied the installation kit for the Unix Manager. Within the installation kit, change directories to where the installation files are located. Chapter 3 Installing Unix Manager and Unix Agents 25

38 4. Open WELCOME_UNIX.HTM in a Web browser and click Check Version to check the product version of the installation kit against the newest available product version on the Web site. 5. If you are installing the Unix Manager on a Solaris computer, start the installer script by entering the following command: /UM_install_Solaris.sh 6. If you are installing the Unix Manager on a Red Hat computer, start the installer script by entering the following command:./um_install_linux.sh 7. Complete the installation script. The script guides you through the License Agreement and installs the Unix Manager and a symbolic link to the directory that you select. 8. Start the Unix Manager. For more information, see Starting Unix Manager on a Unix or Linux Computer on page 26. Starting Unix Manager The Unix Manager provides a number of services, including access to your Unix agents without the interaction of Secure Configuration Manager or NetIQ Security Manager and the ability to install, configure, manage, and upgrade Unix agents. The following procedures guide you through starting the Unix Manager. Starting Unix Manager on a Unix or Linux Computer Complete the following procedure to start the Unix Manager on a Unix or Linux computer. 26 Installation and Configuration Guide

39 To start Unix Manager on a Unix or Linux computer: 1. At a command prompt, enter the following commands: cd InstallDirectory/NetIQ/VSAU./VSAU.sh By default, the InstallDirectory is the install directory configured for the logged on account. Typically, the install directory is /usr. 2. Type your password. 3. If this is your first time starting Unix Manager, confirm your password. 4. Click Accept. Note Remember your password. You must type the same password every time you start the Unix Manager. Starting Unix Manager on a Windows Computer Complete the following procedure to start the Unix Manager on a Windows computer. To start Unix Manager on a Windows computer: 1. Start the Unix Manager in the NetIQ Security Agents program group. 2. Type your password. 3. If this is your first time starting Unix Manager, confirm your password. 4. Click Accept. Note Remember your password. You must type the same password every time you start the Unix Manager. Chapter 3 Installing Unix Manager and Unix Agents 27

40 Starting Unix Manager from the Secure Configuration Manager Console Complete the following procedure to start the Unix Manager from the Secure Configuration Manager console. To start Unix Manager from the Secure Configuration Manager console: 1. Open the Secure Configuration Manager console. 2. On the Tools menu, click Unix Manager. 3. Type your password. 4. If this is your first time starting Unix Manager, confirm your password. 5. Click Accept. Note Remember your password. You must type the same password every time you start the Unix Manager. Installing Unix Agents Install, configure, and start Unix agents using one or a combination of the following methods: Installing Unix Agents Remotely on page 29 Installing Unix Agents Locally on page Installation and Configuration Guide

41 Installing Unix Agents Remotely Remotely installing Unix agents provides a convenient and uniform method for deploying Unix agents. You can use the Deployment wizard provided in the Unix Manager for remote deployment, unless one or more of the following conditions exist: Your site standards prohibit your access to root passwords. Your site standards require a specific software distribution mechanism. Your site standards prohibit software distribution mechanisms. You can use the Deployment wizard to deploy Unix agents for NetIQ Security Manager and Secure Configuration Manager. The Deployment wizard attempts to transfer files and access remote computers using the secure shell program (SSH version 2). SSH version 2 protects security critical information such as the root password from being transmitted unencrypted to the remote computer. If SSH version 2 is not running on the agent computer, the Deployment wizard can transfer files using FTP and access the agent computer using telnet. However, FTP is not a secure transfer method, and telnet does not encrypt passwords. To ensure secure file transfer, install SSH version 2. You can download OpenSSH, a free version of the SSH version 2 protocol suite, from Complete the following steps to remotely install and configure your initial Unix agent implementation. For more information about installing agents locally, see Installing Unix Agents Locally on page 31. To remotely deploy Unix agents: 1. Start the Unix Manager. For more information, see Starting Unix Manager on page In the right pane, click Deploy Agents Remotely. 3. On the Target Computer Search window, complete the appropriate information to limit or extend the search capabilities of the wizard, and then click Next. For more information about fields on this window, see the Help. Chapter 3 Installing Unix Manager and Unix Agents 29

42 4. On the Target Computer Selection window, select and add computers to the Target Computers, and then click Next. If the search did not return the appropriate computer, you can add the computer using the IP address. For more information about fields on this window, see the Help. 5. On the Deployment Parameters window, select the target computers that share the same parameters and click Define Parameters. 6. Ensure you specify the appropriate information on each tab of the Define Deployment Parameters window and click OK. For more information about the fields on any tab, click Help. 7. Repeat Steps 5 through 6 until you have defined parameters for all agents to deploy. 8. Click Next. 9. On the Deployment Parameter Verification window, click Begin Verification. 10. Verification may take a few minutes or longer, depending on how many agents you are deploying. After verification completes, click Next. 11. Review the Parameter Verification Results window. 12. If any agents failed verification, correct the failures. Complete one or more of the following tasks to troubleshoot and correct the failures: To review more information about the problem, click Show Problems. To correct the deployment parameters, click Redefine Parameters. After you redefine parameters, repeat Steps 8 through 12. To remove a computer that failed verification, select the computer and click Remove from List. 13. Click Next. 14. On the Agent Deployment window, click Begin Deployment. When you have installed all your agents, click Next. 15. Review the Deployment Results window and click Finish. For more information, see the Help. 30 Installation and Configuration Guide

43 Installing Unix Agents Locally You can use the installation script on the product CD-ROM to manually install and configure Unix agents. The local install script does not require SSH, FTP, or telnet. You can use this method to successfully install Unix agents when one or more of the following conditions exist: SSH, FTP, and telnet services are disabled or not installed on the agent computer. The Unix Manager or Secure Configuration Manager are in a different or inconvenient location. Your site standards prohibit software distribution mechanisms. Mounting the Drive Used to Read the Installation CD The installation CD requires the ability to support long file names. Most operating systems automatically provide support for this functionality. To ensure long file name support on either HP-UX or IBM AIX, you must enable this support either before mounting the CD or while mounting the CD. To mount the product CD with support for long file names on an HP-UX or IBM AIX computer: 1. If you want to mount the product CD on an HP-UX computer, complete the following steps to mount the CD drive in a way that preserves long file names: a. Log onto the HP-UX computer as root or log on normally and su to root. b. Find the device name by entering the following at the prompt: ioscan -C disk -f -n For example, a typical device name is /dev/rdsk/c0t6d0. c. If a mount point does not exist, create a mount point by entering the following command: mkdir /cdrom d. Open /etc/pfs-fstab in an editor. Chapter 3 Installing Unix Manager and Unix Agents 31

44 e. Add an entry for your CD-ROM that specifies your CD-ROM device name, followed by a mount point. Consider the following sample entry: /dev/rdsk/c0t6d0 /cdrom pfs-rrip xlat=unix 0 f. Start the pfs daemons. g. If you want to create an rc script that automatically starts the daemons, type the following lines in an rc script: nohup /usr/sbin/pfs_mountd > /dev/null 2>&1 & nohup /usr/sbin/pfsd 4 > /dev/null 2>&1 & h. Insert the product CD-ROM in the CD-ROM drive. i. Enter the following command to mount the CD-ROM: /usr/sbin/pfs_mount /cdrom where /cdrom is the device you defined in /etc/pfs_fstab 2. If you want to mount the product CD on an IBM AIX computer, mount the CD drive by entering the following command: mount -v cdrfs -o ro /dev/cd0 /cdrom Installing the Unix Agent on a Local Computer Complete the following steps to install, configure, and start an agent on the local computer. For more information about installing a Unix agent remotely, see Installing Unix Agents Remotely on page 29. To install an agent on the local computer: 1. Log on to an agent computer using the root account or log on normally and su to root. 2. Mount the CD-ROM in a way that preserves long file names. For more information, see Mounting the Drive Used to Read the Installation CD on page Change directories to the CD-ROM mount point or the root directory of the product installation kit. 32 Installation and Configuration Guide

45 4. Enter the following command to start the installer script: /bin/sh./install.sh 5. Press Enter. 6. Press Enter to accept the default installation directory or enter an alternative installation directory. 7. Press Enter to confirm the installation directory. 8. Press Enter to accept the default uvserv port. 9. Press Enter to accept the default uagent port. 10. Press Enter to accept the default start method for the agent daemons or enter one of the following start methods: rclink Starts the agent daemons immediately after the deployment process completes and adds a startup script to the /etc/rc.d directory, which starts the agent daemons when the master rc script runs after each reboot. inittab Starts the agent daemons immediately after the deployment process completes and adds an entry to the /etc/inittab file, which starts the agent daemons at run level 3 after each reboot. inetd Configures the (x)inetd daemon to start the agent daemons when they are needed and unload the agent daemons when they are no longer needed. inetd is the recommended start method for the agent daemons. Chapter 3 Installing Unix Manager and Unix Agents 33

46 11. Press Enter to accept the default start method for the event detection and alerting daemon or enter one of the following start methods: rclink Starts the detection and alerting daemon immediately after the deployment process completes and adds a startup script to the /etc/rc.d directory, which starts the detection and alerting daemon when the master rc script runs after each reboot. inittab Starts the event detection and alerting daemon immediately after the deployment process completes and adds an entry to the /etc/inittab file, which starts the event detection and alerting daemon at run level 3 after each reboot. inittab is the recommended start method for the event detection and alerting daemon. 12. If you are installing the agent for Secure Configuration Manager, enter the IP address of the Core Services computer and press Enter to accept the default Core Services port. 13. If you do not have Secure Configuration Manager, press Enter to omit the IP address of the Core Services computer and press Enter again to continue. 14. If you are installing the agent for Intrusion Manager, enter the IP address of the NetIQ Security Manager central computer, and then enter 1636 for the default NetIQ Security Manager port. If you want to configure the agent to send data to multiple configuration groups or failover central computers for Intrusion Manager, configure these options after installing the agent. For more information, see Configuring IP Addresses and Updating Ports on page If you do not have NetIQ Security Manager, press Enter to omit the IP address of the Security Manager central computer and press Enter again to continue. 16. If you want the Unix agent to send SNMP traps, enter the IP address of the SNMP management console computer. 17. If you do not want the Unix agent to send SNMP traps, press Enter to omit the IP address of the SNMP management console. 34 Installation and Configuration Guide

47 18. Press Enter to install the agent files. 19. Press Enter to start the daemons. 20. Eject the product CD-ROM. 21. Log off the agent computer. Synchronizing Unix Agents If you installed the Unix agent locally or if you want to reset the encryption keys used by Unix Manager to communicate with Unix agents, you can synchronize the Unix agents. Synchronizing Unix agents generates new encryption keys for Unix Manager and the Unix agents and helps you verify the Unix agents are successfully communicating with the Unix Manager or Secure Configuration Manager. Notes If the Uagent or UVserv columns display cells of a different color, the agent may not have started successfully or there may be another problem, such as a firewall between Unix agents and the Unix Manager blocking ports. For more information about the meaning of the colors, see the Help. If the Unix Manager is unable to find the psekfile, which is the encryption key, you can resolve this issue by manually deleting the psekfile from the host computer. By default, the psekfile is located the bin folder in the agent installation directory. After you delete the psekfile, regenerate the encryption key and then scan the host computer. Chapter 3 Installing Unix Manager and Unix Agents 35

48 To synchronize Unix agents: 1. Start the Agent Manager. For more information, see Starting Agent Manager on page If you locally installed agents or all your agent computers are not listed in the Current Hosts list, complete the following steps: a. Click Host > Edit Hosts. b. In the field to the right of the Add button, type the host name of the agent computers that you want to add and then click Add. You can add multiple computers by delimiting the host names with a semicolon (;). c. Click Save. 3. Click Host > Scan All Hosts to update the status of the Unix agents. When the scan completes, Unix agents you added in Step 2 show a yellow psekfile? cell in the UAgent column and a green Running cell in the UVserv column. For more information about the meaning of the colors, see the Help. 4. Generate and synchronize new encryption keys by completing the following steps: a. Select Licenses > Re-Generate Keys. b. Select all computers in the Hosts to recreate key list. c. Click Okay to start the synchronization process, which may take a few minutes or more to complete. 5. Select Hosts > Scan All Hosts to update the agent summary table. 36 Installation and Configuration Guide

49 6. Review the agent summary table to verify that the Unix agents are communicating properly. All Unix agents should have green cells in the UAgent column and green or orange cells in the uvserv column, the operating system type should be displayed in the OS Type column, and version numbers should appear for the components in the component columns. The Detect column may have cells with a different color. For more information about the meaning of the colors, see the Help. 7. Complete the following steps to save the host file, which you can import at any time to restore the hosts in the agent summary table to the current configuration: a. Click Hosts > Edit Hosts. b. Select all hosts in the Current Hosts list. c. Click Export Selected. d. Save the host file to a safe location. Chapter 3 Installing Unix Manager and Unix Agents 37

50 38 Installation and Configuration Guide

51 Chapter 4 Configuring Security Manager Support This section includes steps to guide you through the tasks required to configure Unix agents to send events to Security Manager. Ensure you have configured your agents to communicate with Security Manager. For more information, see Configuring IP Addresses and Updating Ports on page 17. Configuring Basic Security Manager Support The following sections provide step-by-step guidance on configuring basic Security Manager support on your Unix agents. Completing these sections will immediately configure your agents for Security Manager support. Chapter 4 Configuring Security Manager Support 39

52 Installing the TCP Daemon The Unix Manager includes a mechanism for installing the tcp daemon on agent computers. The tcp daemon captures events logged by (x)inetd, which is a daemon that controls services such as FTP and telnet. You can install the tcp daemon to capture (x)inetd events for Intrusion Manager and Log Manager. Complete the following steps to install the tcp daemon on an agent computer. You must repeat the steps for each computer where you want to install the tcp daemon. To install the tcp daemon on an agent computer: 1. Start the Unix Manager. For more information, see Starting Unix Manager on page Click Manage Resource Access. 3. Click File > Open to open a session with an agent computer. 4. In the computer selection window, select an agent computer on which you want to install the tcp daemon. 5. Click Select. 6. Click File > Install Tcpd to install the tcp daemon on the selected agent computer. 7. Click File > Close to close the session with the agent computer. Activating the Most Current Rule Sets Complete the following steps to activate the rule set delivered with the latest version of Unix Manager on your agent computers. These rules configure the event detection and alerting daemon to send events to the Security Manager Intrusion Manager and spool events for the Security Manager Log Manager. 40 Installation and Configuration Guide

53 To deploy rule sets to agent computers: 1. Start the Unix Manager. For more information, see Starting Unix Manager on page Click Rules Manager. 3. If you want to make changes to the default rule set displayed in the Rule Manager, customize the rule set as needed until the rule set is correctly configured for your environment. For more information about configuring custom rule set elements, see Appendix A, Creating and Managing Unix Rules. Note You cannot use custom rule sets that you created for previous versions of the product with the current version of the product. However, you can manually copy and paste elements from your custom rule set to the default rule set. For more information about copying and pasting rule elements, see the Help. 4. If you made changes to the rule set, save a copy by clicking File > Save As and completing the Save window. 5. Click File > To Hosts. 6. In the Available Hosts list, select the agent computers where you want to deploy the rule set. 7. Click Select to deploy the rule set. The detectd process, which is a watchdog process, begins processing and initializing the new rule set immediately. However, it may take up to 30 seconds for the new rule set to take effect. 8. Click Manage Agents. 9. Click Hosts > Scan All Hosts. 10. Verify that rule set is active on the agent computers. The Detect column shows green cells for all agents with an active rule set. Chapter 4 Configuring Security Manager Support 41

54 Configuring Extended Security Manager Support The tasks in this section help you enable and configure process accounting on Unix computers and the Basic Security Module on Solaris computers. Enabling this functionality provides additional auditing of security-related events beyond the scope of events that are logged to syslog. Many security-related events are logged to the syslog facility, which is enabled by default on all Unix operating systems supported by Security Manager. All events logged to syslog are sent to Intrusion Manger and collected by Log Manager. However, Intrusion Manager and Log Manager can also process security-related events logged by modules that are not enabled by default, such as process accounting and the Basic Security Module on Solaris. You can enhance security event reporting in Intrusion Manager and Log Manager by enabling process accounting. You can also enable and configure the Basic Security Module on Solaris to map the events for Intrusion Manager. However, enabling process accounting and the Basic Security Module substantially increases the activity on the monitored computer and also changes the base computer configuration, which may not be allowed per your site standards. Enabling process accounting and the Basic Security Module are optional tasks. Do not enable these modules if syslog reports the events you want to monitor. Unix administrators need the following items to properly enable extended Security Manager support to include process accounting and the enablement of Basic Security Module on Solaris: The product installation kit The root password for the agent computers Enabling Process Accounting Enabling process accounting provides additional events to Intrusion Manager and Log Manager. This section provides information about enabling process accounting and configuring rc scripts to automatically restart process accounting after a reboot. 42 Installation and Configuration Guide

55 Enabling Process Accounting on AIX Computers The steps in this section help you start and restart process accounting on AIX computers. To enable process accounting, enter the following command at the prompt: /usr/sbin/acct/accton /var/adm/pact You can also enter the following line in an rc script to automatically restart process accounting: /usr/bin/su adm c /usr/sbin/acct/startup Enabling Process Accounting on HP-UX Computers The steps in this section help you start and restart process accounting on HP-UX computers. To enable process accounting, enter the following command at the prompt: /usr/sbin/acct/startup You can also enter the following line in the /etc/rc.config.d/acct script to automatically restart process accounting: START_ACCT=1 Enabling Process Accounting on Red Hat Linux The steps in this section help you configure process accounting on Red Hat Linux computers. Chapter 4 Configuring Security Manager Support 43

56 To configure process accounting on Red Hat Linux computers: 1. Install the psacct package located in the Linux installation kit. This package is not installed by default unless you installed all available packages. For more information about installing the psacct package, see the Red Hat Linux documentation. 2. Modify your system init script to automatically start process accounting by adding the following lines: # Turn process accounting on. if [ -x /sbin/accton ] then /sbin/accton /var/log/pacct echo "Process accounting turned on." fi 3. Create an accounting record file named pacct by entering the following command: touch /var/log/pacct By default, the process accounting software prints out all commands executed to the file /var/log/pacct. 4. Modify the permissions to the pacct file by entering the following commands: chown root /var/log/pacct chmod 644 /var/log/pacct Enabling Process Accounting on Solaris Computers The steps in this section help you start and restart process accounting on Solaris computers. To start process accounting, enter the following command at the prompt: /usr/lib/acct/accton /var/adm/pacct 44 Installation and Configuration Guide

57 You can also enter the following commands to automatically restart process accounting: ln /etc/init.d/acct /etc/rc2.d/s22acct ln /etc/init.d/acct /etc/rc0.d/k22acct Enabling and Configuring the Basic Security Module on Solaris Intrusion Manager and Log Manager can process events from the Basic Security Module on Solaris computers. Intrusion Manager can alert you to security events reported by the Basic Security Module. The steps in this section help you enable and configure the Basic Security Module. The steps also help you archive and delete audit log files. Enabling the Basic Security Module The Basic Security Module is disabled by default on Solaris computers. Complete the following steps to enable the Basic Security Module. To enable the Basic Security Module: 1. Change directories to /etc/security. 2. Enter./bsmconv at the prompt to run a script that enables and configures the Basic Security Module to automatically restart after a reboot. Configuring the Basic Security Module Complete the following steps to configure the Basic Security Module to correctly map events for Intrusion Manager. Chapter 4 Configuring Security Manager Support 45

58 To configure the Basic Security Module for Intrusion Manager: 1. Modify the /etc/security/audit_class file by adding the following three lines: 0x :nb:NetIQ success&failure 0x :ns:NetIQ success 0x :nf:NetIQ failure between the following lines: 0x :ap:application 0x :io:ioctl 2. Modify the /etc/security/audit_control file by changing the flags as follows: flags:nb,+ns,-nf 3. Modify the /etc/security/audit_event file by appending nb or nf to the end of the lines as follows: 2:AUE_FORK:fork(2):pc,nb 4:AUE_CREAT:creat(2):fc,nb 5:AUE_LINK:link(2):fc,nb 6:AUE_UNLINK:unlink(2):fd,nb 7:AUE_EXEC:exec(2):pc,ex,nb 10:AUE_CHMOD:chmod(2):fm,nb 11:AUE_CHOWN:chown(2):fm,nb 23:AUE_EXECVE:execve(2):pc,ex,nb 25:AUE_VFORK:vfork(2):pc,nb 30:AUE_FCNTL:fcntl(2):fm,nb 37:AUE_SETTIMEOFDAY:settimeofday(2):ad,nb 38:AUE_FCHOWN:fchown(2):fm,nb 39:AUE_FCHMOD:fchmod(2):fm,nb 40:AUE_SETREUID:setreuid(2):pc,nb 41:AUE_SETREGID:setregid(2):pc,nb 42:AUE_RENAME:rename(2):fc,fd,nb 46 Installation and Configuration Guide

59 43:AUE_TRUNCATE:truncate(2):fd,nb 44:AUE_FTRUNCATE:ftruncate(2):fd,nb 50:AUE_ADJTIME:adjtime(2):ad,nb 72:AUE_OPEN_R:open(2) - read:fr,nf 73:AUE_OPEN_RC:open(2) - read,creat:fc,fr,nf 74:AUE_OPEN_RT:open(2) - read,trunc:fd,fr,nb 75:AUE_OPEN_RTC:open(2) - read,creat,trunc:fc,fd,fr,nb 76:AUE_OPEN_W:open(2) - write:fw,nb 77:AUE_OPEN_WC:open(2) - write,creat:fc,fw,nb 78:AUE_OPEN_WT:open(2) - write,trunc:fd,fw,nb 79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw,nb 80:AUE_OPEN_RW:open(2) - read,write:fr,fw,nb 81:AUE_OPEN_RWC:open(2) - read,write,creat:fc,fw,fr,nb 82:AUE_OPEN_RWT:open(2) - read,write,trunc:fd,fr,fw,nb 83:AUE_OPEN_RWTC:open(2) - read,write,creat,trunc:fc,fd,fw,fr,nb 111:AUE_CORE:process dumped core:fc,nb 201:AUE_STIME:old stime(2):ad,nb 214:AUE_SETEGID:setegid(2):pc,nb 215:AUE_SETEUID:seteuid(2):pc,nb 241:AUE_FORK1:fork1(2):pc,nb 4. Change the init level or reboot the computer to restart the Basic Security Module. Manually Archiving and Deleting Audit Logs The Basic Security Module creates audit log files that can grow to a considerable size. You can manually archive and delete audit log files. Chapter 4 Configuring Security Manager Support 47

60 To manually archive and delete audit logs: 1. Change directories to the audit log directory, /var/audit/ by default. Note You can define the directory where logs are stored by modifying the /etc/security/audit_control file. 2. Copy the audit logs to your archive directory. 3. Delete the original audit logs, except for the log file with not_terminated in the filename. This is the active audit log and is typically the last file in the list. Configuring Security Manager Support for Oracle As a part of the steps to configure Security Manager to monitor Oracle, register the Oracle database and specify an account that has access to read the table/views. You can perform these steps on the Unix Manager computer. Note You only need to register the Oracle database and endpoint if you are not also running Secure Configuration Manager on your Unix Manager computer. You must also ensure you have installed and configured the appropriate Security Manager modules. For more information about the overall process of configuring Security Manager to monitor Oracle, see the Security Manager for Oracle on Unix Monitoring Guide, which is available in the following folder on the Security Manager user interface computer: installation folder\program Files\NetIQ Security Manager\OnePoint\Documentation\Module Documentation Where installation folder is the location where you installed Security Manager user interfaces. 48 Installation and Configuration Guide

61 To register the Oracle database and specify an account with permission to read the table/views: 1. Start Unix Manager. For more information about starting Unix Manager, see Starting Unix Manager on page On the Hosts menu, click Configure Agent. 3. Select the host with the Oracle database you want to monitor. 4. Click Register Oracle Endpoint. 5. Complete the fields on the window. The fields are defined as follows: User Name The account that has read access to the table/views in the Oracle database. Password The password used by the account that has read access to the table/views. oratab File Path The path to the oratab file. If you have specified a location other than the default location, type the path in this field. The oratab file specifies the ORACLE_HOME directory and other environment settings. Instance Name The database instance name to be registered. 6. Click OK. 7. Activate the Oracle rule set. For more information about activating rule sets, see Activating the Most Current Rule Sets on page 40. Chapter 4 Configuring Security Manager Support 49

62 Configuring Failover or Multiple Configuration Groups If you have Intrusion Manager, you can configure the Unix agent to send data to multiple configuration groups. You can also specify redundant central computers in the event that the primary central computer becomes unavailable. You configure failover or multiple configuration groups with Unix Manager. For more information, see Configuring IP Addresses and Updating Ports on page 17. Note This feature is available only for Intrusion Manager, not Log Manager. 50 Installation and Configuration Guide

63 Chapter 5 Configuring Secure Configuration Manager Support This section guides you through the tasks required to configure Unix agents for assessment by Secure Configuration Manager. Ensure you have configured your agents to communicate with Secure Configuration Manager. For more information, see Configuring IP Addresses and Updating Ports on page 17. Configuring Basic Secure Configuration Manager Support Secure Configuration Manager handles agents monitoring Unix computers as it does any other kind of agent, with no special configuration necessary. For more information, see the User Guide for NetIQ Secure Configuration Manager. Chapter 5 Configuring Secure Configuration Manager Support 51

64 Configuring Secure Configuration Manager Support for Oracle Secure Configuration Manager can only monitor Oracle events on a Unix computer. In order to configure Secure Configuration Manager to monitor Oracle, you must first deploy a Unix agent on the computer running Oracle. For more information about deploying agents, see the section on installing Unix and iseries agents in the Installation Guide for NetIQ Secure Configuration Manager. Once you deploy a Unix agent, you can add one or more Oracle endpoints to the new Unix agent. To add Oracle endpoints to a Unix agent: 1. In the tree pane, expand NetIQ Secure Configuration Manager > IT Assets > Agents > OS > Unix. 2. In the content pane, select the Unix agent to which you want to add the endpoint. 3. On the Actions menu, click Add Endpoint. 4. Select the Unix agent you want the endpoint to monitor and click Next. 5. In the Name field, type a name for the endpoint. 6. In the Endpoint Type field, select Oracle. 7. Complete the required information in the following fields. Oracle Instance ID Name of the Oracle instance. User Name User account used to access the Oracle database. Password Password for the user account used to access the Oracle database. 52 Installation and Configuration Guide

65 8. If you would like to add more information about the endpoint, complete the following optional fields. Oracle oratab File Path The path to the oratab file. If you have specified a location other than the default location, type the path in this field. The oratab file specifies the ORACLE_HOME directory and other environment settings. Contact address of the contact person. Contact Name Name of the designated contact person. Importance Criticality level of the endpoint. Location Location of the computer hardware. Major Version Version of Oracle the endpoint is running. 9. If you want to add the endpoint to a group, complete the following steps: a. Click Add Endpoint to a Group. b. Select an existing group to which you want to add the endpoint, or click Create to create a new group. c. Click Finish to return to the Define Endpoint window. 10. If you are adding more than one endpoint, click Add Endpoint. Repeat Step 5 through Step 9 for each endpoint that you want to add. 11. Click Finish. Chapter 5 Configuring Secure Configuration Manager Support 53

66 54 Installation and Configuration Guide

67 Appendix A Creating and Managing Unix Rules The following sections provide an overview of Unix agent rules and how to implement them using the Unix Manager. Understanding Unix Agent Rules You can protect your information assets and ensure uniform security by applying Unix agent rule sets. By working in conjunction with the event detection and alerting daemon, rule sets offer real-time event detection, alerting, and response. The default rule set provides a wealth of Unix knowledge and an excellent starting point from which to build custom rule sets. Unix Manager provides a Rule wizard that guides you through creating rules to monitor and react to a number of common conditions, including the following: Terminating daemons Running specific sensitive commands Running sensitive commands in a context other than root Creating, modifying, or deleting of specific files You can deploy the rule sets that you create to any or all of the Unix computers in your enterprise. Appendix A Creating and Managing Unix Rules 55

68 Deciding How to Create Unix Rules and Rule Sets Unix Manager provides both wizard-driven rule creation and the ability to create custom rules not covered by the wizard. Use the following diagrams to help you decide how to create your custom rules and guide you to the sections you need to review. Understanding Rule Sets on page 58 Using the Rule Wizard to Create Rules on page 62 Saving Rule Sets Locally on page 61 Activating Rule Sets on Remote Hosts on page Installation and Configuration Guide

69 Understanding Event Sources on page 63 Understanding Rule Groups on page 66 Understanding Rules and Actions on page 69 Understanding Initialization Code on page 72 Understanding Conditionals and Comparisons on page 74 and Understanding Main Code on page 81 Appendix A Creating and Managing Unix Rules 57

70 Understanding Rule Sets Rule sets are collections of rules you want to enforce on a specific Unix agent computer or a group of Unix agent computers. You can create rule sets that are specific to the location, job, or sensitivity of a particular Unix host, or you can easily create a rule set to apply to all your Unix hosted Apache web servers or Oracle database servers. Whether you want to enforce unique rule sets on each Unix agent or you want to deploy a uniform rule set to numerous hosts, the Unix Manager helps you accomplish your goals. Selecting a Rule Set to Edit Before you start working with a rule set, determine what rule set you want to modify. Consider the following scenarios: Consider reviewing and editing the default rule set provided with the Unix Manager if this is an initial implementation of rule sets within your organization. For more information, see Opening the Default Rule Set on page 58. Open a saved rule set if you have already begun to edit a rule set and saved that rule set with a custom name. You might also need to open a saved rule set if you have template rule sets based on the job-related use of the agent computer. For more information, see Opening Saved Rule Sets on page 59. Retrieve a rule set from an agent computer if you want to modify the rules enforced on a specific agent computer. For more information, see Retrieving Rule Sets from Remote Hosts on page 59. Opening the Default Rule Set The Unix Manager displays the default rule set when you click Rules Manager. Consider using the default rule set as a starting point for building custom rule sets. If you modify the default rule set, consider saving the new rule set with a unique name. For more information, see Saving Rule Sets Locally on page Installation and Configuration Guide

71 Opening Saved Rule Sets Saved rule sets allow you to keep an archive of your currently deployed rule sets. You can open rule sets that are saved on the Unix Manager by clicking Rules Manager, and then clicking File > Open. Navigate to your saved rule set, and then click Open. By default, rule sets have the.xml extension. You can open multiple rules sets. To navigate between open rule sets, click the tab with the name of the open rule set. Retrieving Rule Sets from Remote Hosts If you do not have a local copy of an activated rule set, you can retrieve the rule set you want to edit from a remote host. To retrieve a rule set: 1. Click Rules Manager. 2. Click File > From Host. 3. Select the appropriate agent computer in the Available Hosts list, and then click OK. Retrieving a rule set copies the rule set currently enforced on the remote agent computer and creates a tab for the rule set in the tree area. Clicking the tab displays the rule set. Viewing Rule Sets and Editing Rule Set Properties When you open a rule set, the Unix Manager provides both a tree pane and a content pane. The tree pane provides an easy way to navigate through specific event source and rule group information, while the content pane changes to provide detailed information about your tree selection. Appendix A Creating and Managing Unix Rules 59

72 Navigating the Rule Set Tree At the top of the rule set tree, the Unix Manager provides a Rule Set node. Click Rule Set to review all the rules contained in the rule set and their status. Using the content pane, you can also quickly enable or disable rules. At the second level of the tree, you can find the event sources and rule groups of the rule set. The following list provides a short description of the contents of this secondary tree level and references for more information: Event sources provide the data on which to trigger your rules. For more information, see Understanding Event Sources on page 63. Rule groups provide editable properties at the group level, and contain individual rules. For more information, see Understanding Rule Groups on page 66. Expanding a rule group allows you to view and edit the rules associated with its common event source. For more information, see Understanding Rules and Actions on page 69. Note The Unix Manager displays disabled rules and event sources in a darker color. Editing Properties The content pane allows you to view the configuration of any selected tree element. But, you cannot edit the properties in the content pane. To edit the properties of an element: 1. Right-click the element in the tree pane. You cannot modify the properties of action elements and conditional elements from the tree pane. For more information, see Understanding Rules and Actions on page 69, Understanding Conditionals and Comparisons on page 74, and Understanding Time Conditions on page Select Edit on the menu. 60 Installation and Configuration Guide

73 3. On the Edit window, modify the appropriate properties. 4. Click OK to save the modifications and close the window. Saving Rule Sets Locally After modifying a rule set for a specific agent computer or for a group of agent computers, consider saving the modified rule set to the local computer. Saving a copy of the rule set locally allows you to build an archive of rule sets and saves you the time involved in retrieving rule sets from remote agent computers. To save a copy of the rule set on the Unix Manager computer, click File > Save or File > Save As, and save the rule set using an.xml extension. If you began with the default rule set, ensure you use the save as option. You cannot save the default rule set with any other name than detect.xml. While the default rule set is write-protected, avoid changing the file attributes and overwriting the default rule set. Activating Rule Sets on Remote Hosts Pushing a rule set to an agent computer replaces the previous rule set. The event detection and alerting daemon begins processing and initializing the new rule set immediately. However, it may take up to 30 seconds for the new rule set to take effect. Modifications to items in the filesystem rule group may cause the event detection and alerting daemon may take longer to initialize, due to the time it takes to create initial snapshots of the filesystem objects. To activate the selected rule set on one or more remote agent computers: 1. Click File > To Host. 2. Select one or more agent computers in the Available Hosts list. 3. Click OK to push the rule set to the selected remote agent computers. Appendix A Creating and Managing Unix Rules 61

74 Using the Rule Wizard to Create Rules The Rule wizard helps you quickly create the following types of rules: Rules that trigger when a certain daemon terminates Rules that trigger when a log file decreases in size Rules that trigger when certain commands are run Rules that trigger when certain commands are run by users other than root Rules that trigger when certain files are changed or created To use the Rules Wizard to create rules: 1. Click Wizard > Rule Wizard to start the Rule wizard. 2. On the select rule type window, select the appropriate rule type, and then click Next. For more information, see the description of rule type or Understanding Rules and Actions on page On the Rule Description window, provide a name for the rule, and then click Next. 4. On the Rule Name window, provide a descriptive name for the rule, and then click Next. 5. If you are using the Log_file_shrunk or modified_file rule, select either Names or Paths, and then click Next. Selecting Name causes the event detection and alerting daemon to monitor all files with a certain name. Selecting Paths causes the event detection and alerting daemon to monitor a specific file. 6. On the Name of File window, specify the name of the object you want to monitor, and then click Next. The name depends on the rule type selected. It may be a daemon executable, a command, a file name, or a fully-qualified path name. For example, if you selected Paths while creating a modified_file rule, you need to specify the full path, including the file name you want to monitor. 62 Installation and Configuration Guide

75 7. Provide the appropriate information for the action you want the rule to trigger in response to an event, and then click Next. All fields are optional. You do not need to select an action to create a rule. For more information, see Understanding Rules and Actions on page 69. Note Right-click the text area of a field to access a list of available parameters. 8. Review the information provided about the rule group associated with your rule, and then click Next. 9. Complete the Rule wizard. The Rule wizard displays only the windows relevant to the event source you associated with the new rule. If the new rule is in a rule group that uses configurable event sources, the remaining windows offer you the ability to modify the configurable parameters. Read the descriptions provided and, if necessary, modify parameters. If you are unsure, retain the current value. 10. When you have completed the Rule wizard, click Finish. Understanding Event Sources Event sources extract a particular type or class of events from one of the following providers: Operating system Daemon Server Application Typically, event sources extract the required information by parsing and filtering log entries. Once extracted, the log entry is considered an event. All events must be composed of output parameters that can be evaluated by the event detection and alerting daemon. Appendix A Creating and Managing Unix Rules 63

76 When an event source detects an event and assigns output parameter values, the event detection and alerting daemon uses the values to trigger the appropriate rule response in the associated rule group. For example, you can configure a rule in an agent computer rule set that alerts you when an FTP event associated with a particular user account is detected. To successfully trigger your FTP rule, you must have an event source that can do the following: Monitor the wtmp log file, the log in which FTP events are reported Parse the log entries Generate output about each event Unix Manager provides a wtmp event source with the default rule set. This event source scans the wtmp log and generates output about each entry in the log. The wtmp event source extracts a number of properties, including the event type and user login name, and provides them to the event detection and alerting daemon. Specifically, the event type and user login are defined as the $id and $user output parameters. If the value of an output parameter matches criteria you configure in a rule, the actions you specify in the rule properties trigger. You can use a single event source for multiple rule groups, but consider configuring each event source to monitor unique log files. Configuring multiple rule groups to use identical event sources and setting configuration parameters to the same values, is undesirable. You duplicate the monitoring, parsing, and output parameter generation between instances of the event source. You specify the event source of a rule group by editing the properties of its corresponding rule group. For more information, see Editing Rule Group Properties on page 67. Editing Event Source Properties The Unix Manager provides the ability to edit existing event source properties. Ensure you fully understand the purpose and capabilities required of an event source before editing currently functioning event sources. For more information, see Understanding Event Sources on page Installation and Configuration Guide

77 To edit event source properties: 1. Right-click the event source that you want to edit. 2. Click Edit. 3. On the Edit Event Source window, select the tab of the properties you want to modify. 4. Modify the property, and then click OK. Creating New Event Sources The Unix Manager provides the ability to create your own event sources. Ensure you fully understand the purpose and capabilities required of an event source before attempting to create an event source. For more information, see Understanding Event Sources on page 63. To create new event sources: 1. Right-click the Rule Set node in the tree area, and then click Add Event Source. 2. Configure the event source properties in the Add Event Source window, and then click OK. For examples of syntax, view the properties of an existing events source in the default rule set. After configuring an event source, you can create a rule group associated with the event source. For more information, see Creating New Rule Groups on page 67. Deleting Event Sources The Unix Manager provides the ability to delete existing event sources. Ensure you fully understand the purpose of an event source before deleting the event source. For more information, see Understanding Event Sources on page 63. Appendix A Creating and Managing Unix Rules 65

78 To delete an event source from a rule set: 1. Delete all rule groups associated with the event source or reconfigure the rule groups to use a different event source. For more information, see Deleting Rule Groups on page 68 and Editing Rule Group Properties on page Right-click the event source that you want to delete, and then click Delete. 3. Click Yes on the Delete window. After deleting an event source, you can save the modified rule set on the Unix Manager computer and activate the modified rule set on remote agent computers. For more information, see Saving Rule Sets Locally on page 61 and Activating Rule Sets on Remote Hosts on page 61. Understanding Rule Groups Rule groups contain one or more rules sharing common event sources, schedules, and other properties. Clicking a rule group in the tree area displays the group properties in the content area. Rule group properties consist of the following information: Delay Event source name Event source parameters for the rules contained in the rule group Name and description of the rule group Nice value or process priority Increasing the allowable delay and nice value lowers the impact on the resources of the agent computer. 66 Installation and Configuration Guide

79 Editing Rule Group Properties You can easily edit the properties of a rule group. Consider editing rule group properties to change the name or description of a rule group or to lessen the resource impact of executing the rules contained within the rule group. To edit rule group properties: 1. Right-click the rule group you want to edit, and then click Edit. 2. Modify the rule group properties on the Edit Group window, and then click OK. Creating New Rule Groups You can create two different types of rule groups: Real-time rule groups Scheduled rule groups Real-time Rule Groups Real-time rule groups detect events and evaluate rules as the events occur. To create real-time rule groups: 1. Use an existing event source or create a new event source for the new rule group. For more information, see Editing Rule Group Properties on page 67 or Creating New Event Sources on page Right-click Rule Set, and then click Add Real-time Group. 3. On the Add Real-time Group window, configure the rule group properties, and then click OK. After configuring a real-time rule group, you can create rules in the rule group that detect events as they occur. For information about creating rules and actions, see Creating New Rules and Actions on page 71. Appendix A Creating and Managing Unix Rules 67

80 Creating Scheduled Rule Groups Scheduled rule groups detect events and evaluate rules during scheduled times. You can schedule rules to activate for minute-long increments during any number of minutes in a year. To create scheduled rule groups: 1. Right-click Rule Set, and then click Add Scheduled Group. 2. On the Add Scheduled Group window, configure the properties of the rule group. You can edit values by typing in the fields. To declare more than one value in a scheduling attribute, separate the values with commas. 3. Click OK to close the window. After configuring a scheduled rule group, you must create rules in the rule group. All rules contained in the scheduled rule group have identical schedules. For information about creating rules and actions, see Creating New Rules and Actions on page 71. Deleting Rule Groups If you no longer need a rule group, you can delete it. Before deleting a rule group, consider making a backup copy of the rule set. By backing up your rule set, you ensure you do not lose rules and rule groups you may want to reactivate in the future. Deleting a rule group also deletes the rules it contains. To delete a rule group and all of the rules it contains from a rule set: 1. Right-click the rule group that you want to delete, and then click Delete. 2. On the Delete window, click Yes. After deleting a rule group, if you no longer need the associated event source for other rule groups, you can delete the associated event source. Save the modified rule set on the Unix Manager computer and activate the modified rule set on remote agent computers. For more information, see Saving Rule Sets Locally on page 61 and Activating Rule Sets on Remote Hosts on page Installation and Configuration Guide

81 Understanding Rules and Actions Rules contain all of the information the event detection and alerting daemon needs to evaluate event source output parameters and trigger actions. Expanding a rule group displays the rules contained in the rule group. Rules that appear in the same group have common event sources and schedules, if applicable. A rule is defined and governed by one or more of the following properties: Actions. Initialization code. For more information, see Understanding Initialization Code on page 72. Main code. For more information, see Understanding Main Code on page 81. Conditionals -- And and Or objects. For more information, see Understanding Conditionals and Comparisons on page 74. Comparisons. For more information, see Understanding Conditionals and Comparisons on page 74. Time conditions. For more information, see Understanding Time Conditions on page 79. Templates contain information for the Rule wizard. Template nodes do not require user maintenance. The Unix Manager displays these properties as child objects of the rule in the tree. The following figure illustrates the tree arrangement of the default telnet rule. Appendix A Creating and Managing Unix Rules 69

82 Actions are the responses available for a detected event. The following definitions provide more information about your options: Specifies the name, address, and message content you want sent when the rule triggers. Populate these fields with the appropriate information. Separate multiple addresses with a comma (,). You must have sendmail configured correctly on the agent computer to send . SNMP Message Specifies the SNMP message you want sent when the rule triggers. Select the appropriate notification for this field. Log Specifies the name of the log file and the message written in the log file when the rule triggers. Provide the appropriate information in these fields. Command Specifies a Bourne shell command to execute on the agent computer when the rule triggers. Provide an appropriate command in this field. Security Manager Event Specifies the NetIQ classification attribute used to classify events for Log Manager. Viewing and Editing Rule Properties and Actions Clicking a rule displays the properties, configuration, actions, conditions, and advanced settings of the rule in the content pane. The rule attributes tab identifies and describes the rule; the configuration tab displays the rule configuration; the actions tab specifies the actions to perform when the rule triggers; the conditions tab displays the conditions that must be met for the rule to trigger; and the advanced tab displays the rule debug level. 70 Installation and Configuration Guide

83 Expanding an action node displays a sub-node that is labeled with the action that will occur if the rule triggers. For example, an element that is labeled Alert: $user logged in at $time describes the alert message that displays when the rule triggers. To edit existing rule properties: 1. Right-click the rule that you want to edit, and then click Edit. 2. On the Edit Rule window, modify the appropriate rule properties, and then click OK. Note Use only Bourne shell commands when specifying Command rule properties. Creating New Rules and Actions Creating new rules can be a time consuming task. Before creating new rules, ensure you have investigated the following statements are true: You cannot use the Rules wizard. You cannot find an existing rule to modify. To create new rules and actions in a rule group: 1. Right-click a rule group that is associated with the event source that you want to use, and then click Add Rule. 2. On the Add Rule window, configure the appropriate rule group properties and actions, then click OK. Note Use only Bourne shell commands in the Command attribute. Appendix A Creating and Managing Unix Rules 71

84 After configuring the rule, you can save the modified rule set on the Unix Manager computer and activate the modified rule set on remote agent computers. For more information, see Saving Rule Sets Locally on page 61 and Activating Rule Sets on Remote Hosts on page 61. Deleting Rules and Actions If a rule and its associated actions are no longer necessary within your environment, consider deleting the rule and its actions. Consider making a backup of the rule set before deleting rules. To delete a rule and its associated actions from a rule set: 1. Right-click the rule that you want to delete, and then click Delete. 2. Click Yes on the Delete window. After deleting a rule and its associated actions, you can save the modified rule set on the Unix Manager computer and activate the modified rule set on remote agent computers. For more information, see Saving Rule Sets Locally on page 61 and Activating Rule Sets on Remote Hosts on page 61. Understanding Initialization Code Initialization code, written in Perl, runs when the rule set is activated. Your rule requires initialization code if it relies on parameters or tables not previously configured. If the rule configures itself through querying the operating system or daemons, the rule requires initialization code. Rule containing initialization code display Init Code as a child element in the tree pane. Viewing and Editing Initialization Code To view initialization code, expand the appropriate rule, and then click Init Code. Review the initialization code in the content pane. 72 Installation and Configuration Guide

85 Complete the following procedure to edit existing rule initialization code. To edit existing initialization code: 1. Right-click Init Code, and then click Edit. 2. Modify the Perl code in the Edit Initialization Code window that opens, and then click OK to close the window. Adding New Initialization Code Complete the following procedure to add new initialization code to a rule. To add initialization code: 1. Right-click the rule you want to modify, and then click Add Initialization Code. Note You can add one set of initialization code per rule. 2. On the Edit Initialization Code window, add the appropriate Perl code, and then click OK. Deleting Initialization Code If you no longer need the initialization code for a rule, you can delete the code. Consider making a backup of the rule set before deleting rules. To delete initialization code: 1. Ensure the rule does not have parameters or tables that require the initialization code. 2. Right-click the initialization code you want to delete, and then click Delete. 3. On the Delete window, click Yes. Appendix A Creating and Managing Unix Rules 73

86 Understanding Conditionals and Comparisons You declare conditionals and comparisons to ensure you trigger actions only when necessary. Conditionals and comparisons help you filter event source output parameters. Consider the following example from the telnet rule: $message =~ /telnet/ $source =~ /telnet/ Because you can find these entries in an Or child element of the telnet login rule, you know the rule triggers when any one of the comparisons is true. When the syslog event source generates a $message or a $source parameter equivalent to telnet, the event detection and alerting daemon searches the output parameters and triggers the defined actions. To trigger an action when both comparisons are met, you create And comparisons. And comparisons trigger rule actions when both comparisons evaluate as true. The hierarchy of the tree graphically represents the order in which conditional and comparison expressions are evaluated. While the tree displays one conditional or comparison under the rule element, the And or Or may have numerous child elements. Rules that do not have conditional or comparison statements must have main code to trigger. For more information, see Understanding Main Code on page 81. Rules that contain a comparison not as a child element of an And or Or comparison is not a conditional. These comparisons trigger actions when the event detection and alerting daemon evaluates the statement as true. Viewing and Editing Comparison Properties You can view the properties of a comparison by clicking the comparison in the tree pane and viewing properties in the content pane. Comparisons are labeled with the output parameter name, equation, and value describing the comparison. For example, $message =~ /telnet/. 74 Installation and Configuration Guide

87 You can edit comparison properties by completing the following procedure. To edit existing comparison properties: 1. Expand the appropriate rule. 2. Right-click the comparison you want to edit, and then click Edit. 3. On the Add Comparison window, modify the comparison properties, and then click OK. Note When defining the Value property, enclose regular expressions with slashes (/) to indicate that the value is a regular expression. For example, /telnet/ designates telnet is a regular expression. After modifying the properties of the comparison, you can save the modified rule set on the Unix Manager computer and activate the modified rule set on remote agent computers. For more information, see Saving Rule Sets Locally on page 61 and Activating Rule Sets on Remote Hosts on page 61. Appendix A Creating and Managing Unix Rules 75

88 Adding Comparisons The following procedure guides you through adding comparisons to a rule. To add comparisons: 1. If you want to associate a comparison with a conditional, you must first add the conditional. For more information, see Adding And on page 77, Adding Or on page 78, and Associating Comparisons with Conditionals on page If you want to add a new comparison that is not associated with a conditional, right-click the rule you want to modify, and then click Add Comparison. 3. On the Add Comparison window, configure comparison properties, and then click OK. Note When defining the Value property, enclose regular expressions with slashes (/) to indicate that the value is a regular expression. For example, /telnet/ designates telnet is a regular expression. After adding comparisons to a rule, you can save the modified rule set on the Unix Manager computer and activate the modified rule set on remote agent computers. For more information, see Saving Rule Sets Locally on page 61 and Activating Rule Sets on Remote Hosts on page Installation and Configuration Guide

89 Adding And And conditionals declare that all the conditional components must be true for the actions of a rule to trigger. The following procedure guides you through adding And conditionals to your rule. To add and conditionals: 1. If you want to trigger actions when all comparisons in a group of comparisons evaluates as true, right-click the rule you want to modify, and then click Add And. Note The tree pane displays only one conditional or comparison as a child element of the rule in the tree pane. You can nest And conditionals within other conditionals. To do nest conditionals, right-click the conditional, and then click Add And. 2. Add comparisons as child elements to the conditional. For more information, see Associating Comparisons with Conditionals on page 78. Appendix A Creating and Managing Unix Rules 77

90 Adding Or Or conditions declare that any one of the conditional components must be true for the actions of a rule to trigger. The following procedure guides you through adding Or conditionals to your rule. To add or conditionals: 1. If you want to trigger actions when any comparison in a group of comparisons evaluates as true, right-click the rule that you want to modify, and then select Add Or from the pop-up menu. Note The tree pane displays only one conditional or comparison as a child element of the rule in the tree pane. You can nest And conditionals within other conditionals. To do nest conditionals, right-click the conditional, and then click Add Or. 2. Add comparisons as child elements to the conditional. For more information, see Associating Comparisons with Conditionals on page 78. Associating Comparisons with Conditionals You can associate two or more comparisons with a conditional. The Unix Manager displays comparisons you associate with a conditional as child elements of the conditional. Complete the following procedure to associate comparisons with a conditional. To associate comparisons with a conditional: 1. Right-click the conditional, and then click Add Comparison. 2. On the Add Comparison window, configure comparison properties, and then click OK. Note When defining the Value property, enclose regular expressions with slashes (/) to indicate that the value is a regular expression. For example, /telnet/ designates telnet is a regular expression. 78 Installation and Configuration Guide

91 After associating comparisons with conditionals in a a rule, you can save the modified rule set on the Unix Manager computer and activate the modified rule set on remote agent computers. For more information, see Saving Rule Sets Locally on page 61 and Activating Rule Sets on Remote Hosts on page 61. Deleting Comparisons or Conditionals When you no longer need a comparison or a conditional, you can delete it from the rule set. Ensure you no longer need the comparison or conditional to trigger your rule actions. Complete the following procedure to delete a comparison or conditional. To delete a comparison or a conditional and the associated comparisons and nested conditionals: 1. In the tree pane, right-click the comparison or the conditional you want to delete, and then click Delete. 2. On the Delete window, click Yes. After deleting the comparisons or conditionals, you can save the modified rule set on the Unix Manager computer and activate the modified rule set on remote agent computers. For more information, see Saving Rule Sets Locally on page 61 and Activating Rule Sets on Remote Hosts on page 61. Understanding Time Conditions Time conditions allow you to specify when you want a rule activated and ready to trigger. A time condition specifies the days and hours during the week when you want to activate the rule. For example, if your information security policy does not allow FTP sessions after hours, you can attach a time condition to the FTP rule that alerts you only when FTP sessions initiate after hours. Appendix A Creating and Managing Unix Rules 79

92 Viewing and Editing Time Conditions To view time conditions, expand the rule containing the time condition, and then click Time Condition. The Unix Manager displays when the associated rule is active. If you want to change the schedule of a rule governed by a time condition, complete the following procedure. To edit existing time conditions: 1. Right-click the time condition that you want to edit, and then click Edit. 2. Select the days and hours on which you want to activate the rule. You can use the Ctrl and Shift keys to select multiple days and times. 3. Click OK. Adding New Time Conditions The following procedure guides you through adding a time condition to a rule. You can designate one time condition per rule. Time conditions ensure rules only run when necessary. To add a new time condition: 1. Right-click the rule that you want to modify, and then click Add Time Condition. 2. Select the days and hours on which you want to activate the rule. You can use the Ctrl and Shift keys to select multiple days and times. 3. Click OK. 80 Installation and Configuration Guide

93 Deleting Time Conditions You can remove time conditions and have a rule active all the time. Complete the following procedure to delete a time condition. To delete time conditions: 1. Right-click the time condition node you want to delete, and then click Delete. 2. On the Delete window, click Yes. Understanding Main Code Main code is Perl code you can add to a rule if the filtering provided by the conditionals and comparisons is inadequate or needs augmenting to detect more complex patterns. Main code must contain a call to the subroutine _take_actions(). The code you write can be selective about the circumstances under which the subroutine is called. It is not necessary for the code to call _take_actions() every time it is evaluated. Rule that contain main code display the Code element in the rule. Viewing and Editing Main Code To view main code, expand the rule containing the main code you want to view, and then click Code. The Unix Manager also allows you to edit existing main code. Before editing code that functions correctly, ensure you make a back up of the rule set. Complete the following procedure to edit your main code. To edit existing main code: 1. Expand the appropriate rule, and then right-click Code. 2. Click Edit. Appendix A Creating and Managing Unix Rules 81

94 3. On the Edit Code window, modify the Perl code. 4. Click OK. After editing main code, you can save the modified rule set on the Unix Manager computer and activate the modified rule set on remote agent computers. For more information, see Saving Rule Sets Locally on page 61 and Activating Rule Sets on Remote Hosts on page 61. Adding New Main Code The Unix Manager allows you to add main code to a rule. Before adding main code, ensure you have a thorough knowledge of Perl and a complete understanding of what you want the code to accomplish. You can create one set of main code per rule. To add main code: 1. Right-click the rule to which you want to add main code, and then click Add Main Code. 2. On the Edit Code window, add your Perl code. 3. Click OK. After adding new main code, you can save the modified rule set on the Unix Manager computer and activate the modified rule set on remote agent computers. For more information, see Saving Rule Sets Locally on page 61 and Activating Rule Sets on Remote Hosts on page 61. Deleting Main Code Before deleting main code, ensure you no longer need the code to make the rule work. Complete the following procedure to delete main code. To delete main code: 1. Right-click the main code you want to delete, and then click Delete. 2. On the Delete window, click Yes. 82 Installation and Configuration Guide

95 Customizing the Rules Management User Interface The Unix Manager provides a number of options that allow you to adjust the appearance and usability rules management. The following sections provide overviews of the features you can select from the Customize menu. Deciding Whether to Use Tabbed Layouts Tabbed layouts allow you to select how you want to view configuration information in the content area. The following figure illustrates the default tabbed layout of the filesystem event source. The tabbed layout provides easy to read information grouped into specific categories. You navigate to other configuration categories by clicking the corresponding tab. Appendix A Creating and Managing Unix Rules 83

96 The following figure shows the same event source displayed without the category grouped tabs. The non-tabbed layout option shows all the configuration information in one pane. This option is convenient if you have a large monitor and want to see all the information about an element. The pane borders are adjustable so that you can show more or less of each section. To adjust the pane border, click the border and drag it up or down. Deciding Whether to Use Parameter Aliases The Unix Manager uses parameter aliases to make parameters generated by event sources or rules easier to understand. The Unix Manager provides parameter aliases to make the configuration of alerts easier. Aliases are more descriptive than the actual parameter names. 84 Installation and Configuration Guide

97 For example, if parameter aliases are turned off, an alert message in the configuration area may look like the following: Linux user, $user, logged in via ftp at $time, from $host However, with parameter aliases turned on, the same alert message is easier to understand: Linux user, (User name), logged in via ftp at (Hour:Minute:Second) from (Remote host name) at (Linux remote host Internet address). Aliases are enclosed in parenthesis to visually sets them apart from the surrounding text. When you configure rules using the descriptive aliases instead of the parameter name, the Unix Manager Rules Manager automatically substitutes the appropriate parameter. You can view the parameters, their associated aliases, and a description of their functions in the event source configuration area Output tab. Appendix A Creating and Managing Unix Rules 85