Symantec™ Critical System Protection Installation Guide
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version 5.1.3
Legal Notice
Copyright © 2007 Symantec Corporation. All rights reserved. Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions.
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion.
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/techsupp/ent/enterprise.html.
Maintenance agreement resources
If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
■ Asia-Pacific and Japan: contractsadmin@symantec.com
■ Europe, Middle-East, and Africa: semea@symantec.com
■ North America and Latin America: supportsolutions@symantec.
Contents
Technical Support
Chapter 1 Introducing Symantec™ Critical System Protection
About Symantec Critical System Protection 11
Components of Symantec Critical System Protection 12
How Symantec Critical System Protection works 13
About the policy library 13
Where to get more information
Bypassing prerequisite checks 33
About installing a database to a SQL Server instance 34
About SQL Server installation requirements 34
About installing on computers that run Windows 2000 35
Configuring the temp environment variable 36
Installing the management server
Installing an agent in silent mode 79
Uninstalling agents using package commands 84
Uninstalling agents manually 85
Uninstalling Solaris agents manually 85
Uninstalling Linux agents manually
Copying files required for the policy conversion utility 110
Migrating legacy detection policy files 111
Converting legacy detection policy files 111
Importing the zip file 113
Creating a new policy
Chapter 1 Introducing Symantec™ Critical System Protection
This chapter includes the following topics:
■ About Symantec Critical System Protection
■ Components of Symantec Critical System Protection
■ How Symantec Critical System Protection works
■ About the policy library
■ Where to get more information
About Symantec Critical System Protection
Symantec™ Critical System Protection provides policy-based behavior control and detection for desktop and server computers.
Components of Symantec Critical System Protection
Symantec Critical System Protection agents detect behavior by auditing and monitoring processes, files, log data, and Windows® registry settings. For example, a Symantec Critical System Protection detection policy can specify to monitor the Windows registry keys that the Welchia worm changes during infection and send an alert.
How Symantec Critical System Protection works
Symantec Critical System Protection controls and monitors what programs and users can do to computers. Agent software at the endpoints controls and monitors behavior based on policy. There are two types of policies: prevention and detection. An agent enforces one prevention policy at a time. An agent can enforce one or more detection policies simultaneously.
Where to get more information
Product manuals for Symantec Critical System Protection are available on the Symantec Critical System Protection installation CD. Updates to the documentation are available from the Symantec Technical Support and Platinum Support Web sites. The Symantec Critical System Protection product manuals are as follows:
Installation Guide: Install the Symantec Critical System Protection components.
Chapter 2 Planning the installation
This chapter includes the following topics:
■ About planning the installation
■ About network architecture and policy distribution
■ System requirements
■ Disabling Windows XP firewalls
■ About using firewalls with Symantec Critical System Protection
■ About name resolution
■ About IP routing
■ About intrusion prevention
■ About simple failover
■ About the Windows NT agent installation
■ About log files
About planning the installation
You can insta
along with a few agents, and become familiar with Symantec Critical System Protection operations. When you are ready to roll out policies to your production environment, you can roll out different policies that are based on computing needs, and prevention and detection levels.
Operating system requirements
Table 2-1 lists Symantec Critical System Protection component operating system requirements:
Table 2-1 Operating system requirements
Component | Operating system | Service pack | Kernel version
Management console, Management server, Agent | Windows 2000 Professional/Server/Advanced Server | SP4 |
Management console, Management server, Agent | Windows XP Professional | SP1 or later |
Management console, Management server, Agent | Windows Server™ 2003 Standard/Enterprise 32-bit | |
Management console, Management server, Agent | Windows Server 2003 Standard/Enterprise 64-bit | S
Table 2-1 Operating system requirements (continued)
Component | Operating system | Service pack | Kernel version
| Red Hat Enterprise Linux ES 4.0 | | 2.6.9-5.EL; 2.6.9-11.EL (update 1, released 2005-06); 2.6.9-22.EL (update 2, released 2005-10); 2.6.9-34.EL (update 3, released 2006-03)
| SUSE® Enterprise Linux 8 | See “Linux kernel driver support” on page 19. | 2.4.21-304 (SP4, released 2005-03); 2.4.21-306 (kernel update, released 2006-02)
| SUSE Enterprise Linux 9 | See “Linux kernel driver support” on page 19. | 2.6.5-7.97; 2.6.
■ SUNWkvm Core Architecture, (Kvm)
■ SUNWcsr Core Solaris, (Root)
■ SUNWcsu Core Solaris, (Usr)
■ SUNWcsd Core Solaris Devices
■ SUNWcsl Core Solaris Libraries
■ SUNWloc System Localization
The following extended system packages are required for computers running Solaris 8.0, Solaris 9.0, and Solaris 10.
SUSE Enterprise Linux 9
The kernel versions are as follows:
■ 2.6.5-7.97
■ 2.6.5-7.139
■ 2.6.5-7.191
■ 2.6.5-7.244
■ 2.6.5-7.252
If a system is configured with a different kernel, the agent will attempt to load the latest version available for the system during boot.
Hardware requirements
Table 2-2 lists the recommended hardware for Symantec Critical System Protection components.
Table 2-2 Recommended hardware
Component | Hardware | Specific OS (if applicable)
| x86 | Windows NT Server; Windows Server 2003 32-bit; Windows XP Professional; Red Hat Enterprise Linux ES 3.0, 4.0; SUSE Linux Enterprise 8, 9; Sun Solaris 10 (IDS only in non-global zone)
| EM64T | Windows Server 2003 Standard/Enterprise x64; Red Hat Enterprise Linux ES 3.0, 4.
4 On the Advanced tab, under Internet Connection Firewall, uncheck Protect my computer and network by limiting or preventing access to this computer from the Internet.
5 Click OK.
Disabling Windows Firewall
Windows XP with Service Pack 2 and Windows 2003 Server include a firewall called Windows Firewall that can interfere with network communications.
to the instance using that port. Thus, your firewall must allow traffic from the management server to the MS SQL Server system on UDP port 1434 and on the TCP port used by the Symantec Critical System Protection instance. You can get more information about MS SQL Server's use of ports at http://support.microsoft.com/default.aspx?scid=kb;EN-US;823938.
About IP routing
As bastion hosts, firewalls traditionally incorporate some form of network address translation (NAT) between the two networks that the firewall bridges. For example, the management server may be on an internal network while the Agents are in a DMZ network, with a firewall between the two networks. Typically, the internal network IP addresses are hidden from the DMZ network, and are not routable from the DMZ network.
By default, the enable intrusion prevention option is selected during Symantec Critical System Protection agent installation. Symantec Critical System Protection supports intrusion prevention on computers that run Windows, Solaris, and Linux operating systems.
About simple failover
Symantec Critical System Protection includes simple failover.
■ Once the IPS Service fails away from the first server in the ordered list, it periodically checks if server #1 is back, based on the fail back interval. See “About the fail back interval” on page 26.
■ When the fail back interval expires, the IPS Service checks if server #1 is available. If server #1 is available, the IPS Service starts using it immediately.
Specifying the management server list for an agent
To use simple failover for an agent, you must provide the list of primary and alternate management servers using one of the following methods:
■ If you are installing Symantec Critical System Protection for the first time, you provide the list of primary and alternate management servers during agent installation.
■ If you are upgrading to Symantec Critical System Protection 5.1.
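The fail over and fail back behaviour described above, as an added example that is not Symantec's IPS Service code: a small simulation of an agent working through an ordered list of primary and alternate management servers. Server names, timings and the sets of reachable servers are constructed test data. The guide states that the list is ordered (primary first), that the service fails away from server #1, and that it re-probes server #1 every fail back interval; the rule that a failed current server is replaced by the first reachable server in list order is this example's assumption.

```python
"""Simulation of simple failover with a fail back interval (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class SimpleFailover:
    servers: List[str]                 # ordered list: primary (server #1) first, then alternates
    fail_back_interval: int            # seconds between probes of server #1 after failing away
    current: int = 0                   # index of the server currently in use
    next_probe: Optional[int] = None   # time of the next server #1 probe; None while on primary
    log: List[tuple] = field(default_factory=list)

    def server_in_use(self) -> str:
        return self.servers[self.current]

    def tick(self, now: int, reachable: Set[str]) -> str:
        """Advance to time `now`, given which servers currently answer."""
        # Fail back: once the interval has expired, probe server #1 and
        # switch back immediately if it answers; otherwise re-arm the timer.
        if self.current != 0 and now >= self.next_probe:
            if self.servers[0] in reachable:
                self.log.append((now, "fail back", self.servers[0]))
                self.current = 0
                self.next_probe = None
                return self.server_in_use()
            self.next_probe = now + self.fail_back_interval

        # Fail over: if the server in use stops answering, take the first
        # reachable server in list order (assumption, see lead-in).
        if self.server_in_use() not in reachable:
            for idx, name in enumerate(self.servers):
                if name in reachable:
                    self.log.append((now, "fail over", name))
                    if idx == 0:
                        self.next_probe = None
                    elif self.next_probe is None:
                        # Leaving the primary arms the fail back timer.
                        self.next_probe = now + self.fail_back_interval
                    self.current = idx
                    break
            else:
                self.log.append((now, "no server reachable", None))
        return self.server_in_use()


# Constructed server names; not from the guide.
PRIMARY, ALT1, ALT2 = "scsp-primary.example", "scsp-alt1.example", "scsp-alt2.example"


def run_scenario():
    """Constructed timeline: primary fails at t=10, alt1 fails at t=30, the
    primary returns at t=50 but is only noticed at the t=70 probe."""
    agent = SimpleFailover(servers=[PRIMARY, ALT1, ALT2], fail_back_interval=30)
    timeline = [
        (0, {PRIMARY, ALT1, ALT2}),
        (10, {ALT1, ALT2}),           # primary down: fail over to alt1, probe armed for t=40
        (20, {ALT1, ALT2}),           # probe not yet due
        (30, {ALT2}),                 # alt1 down too: fail over to alt2, probe time unchanged
        (40, {ALT2}),                 # probe due, primary still down: next probe at t=70
        (50, {PRIMARY, ALT1, ALT2}),  # primary back, but not probed until t=70
        (70, {PRIMARY, ALT1, ALT2}),  # probe due and primary answers: fail back
    ]
    used = [agent.tick(now, up) for now, up in timeline]
    return used, agent.log


if __name__ == "__main__":
    servers_used, events = run_scenario()
    for (now, _), name in zip([(0, 0), (10, 0), (20, 0), (30, 0), (40, 0), (50, 0), (70, 0)], servers_used):
        print(f"t={now:3d}: using {name}")
    for event in events:
        print(event)
```

The point worth noticing in the timeline is the gap between t=50 and t=70: the primary is back, but the agent keeps using the alternate until the fail back interval expires, so a long interval trades faster recovery for fewer probes.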
drivers. To temporarily disable agents that run on Windows NT Server, you create an alternate hardware profile with the drivers disabled. See “Temporarily disabling Windows NT agents” on page 69.
■ Symantec Critical System Protection services (IPS Service, IDS Service, Util Service) do not automatically restart after aborting.
Table 2-5 lists the management server log files.
Table 2-5 Management server log files
File name | Description | Default location
sis-agent.*.log | This log file is used for agent activity. The asterisk in the file name represents a version number. | Windows: Program Files\Symantec\Critical System Protection\Server\Tomcat\logs
sis-alert.*.log | This log file is used for alert activity. The asterisk in the file name represents a version number. |
Chapter 3 Installing Symantec Critical System Protection on Windows
This chapter includes the following topics:
■ About installing Symantec Critical System Protection on Windows
■ About installing a database to a SQL Server instance
■ Configuring the temp environment variable
■ Installing the management server
■ Installing and configuring the management console
■ Installing a Windows agent
■ Unattended agent installation
■ Installing the Windows NT policy
■ Uninstalling Symantec Critical
About installing Symantec Critical System Protection on Windows
If this is a first-time installation, you should install, configure, and test Symantec Critical System Protection components in a test environment.
Bypassing prerequisite checks
The Windows installation kit lets you bypass some of the prerequisite checks for agent and management server installation. You can use this feature if you know the installation kit is incorrectly failing a prerequisite.
About installing a database to a SQL Server instance
The Symantec Critical System Protection installation lets you locally install an MSDE evaluation database, and also lets you locally or remotely install an evaluation or production database to an instance of SQL Server. All installations allocate 100 MB for the database. MSDE and SQL Server automatically allocate more space when it is needed.
After you install the instance of SQL Server, you must do the following:
■ (SQL Server 2000) Apply SQL Server Service Pack 4.
■ Select to authenticate using SQL Server credentials.
■ Register the instance. Registering the instance also starts the instance.
When you register the instance of SQL Server, you must do the following:
■ Set the authentication mode to SQL Server authentication.
Configuring the temp environment variable
The installation packages unpack installation files into the directory that is specified by the TEMP environment variable. The volume that contains this directory must have at least 200 MB of available disk space. If this volume does not have the required disk space, you must change your TEMP environment variable or your installation will fail.
■ Evaluation installation using existing MS SQL instance
You can install an evaluation installation on SQL Server. The SQL Server instance must exist and be running before you perform the installation. The SQL Server can be local or remote.
■ Production installation with Tomcat and database schema
You can install a production installation that installs Tomcat and creates the database schema.
Using the SQL Server Enterprise Manager, do the following:
■ Drop the Symantec Critical System Protection database.
■ Select the Security folder of the instance, click Logins, select the Symantec Critical System Protection user accounts, and then right-click Delete.
Table 3-2 Management server installation settings
Setting | Default/options | Description
Destination Folder | C:\Program Files\Symantec\Critical System Protection\Server | The directory location for the management server.
Agent port | 443 | The port that is used to communicate with the agent.
Table 3-2 Management server installation settings (continued)
Setting | Default/options | Description
MSDE Data Path | C:\Program Files\Symantec\Critical System Protection\Server | The directory in which to install the MSDE database.
Table 3-2 Management server installation settings (continued)
Setting | Default/options | Description
sa password | none | The password that is associated with the database sa account.
Table 3-2 Management server installation settings (continued)
Setting | Default/options | Description
SCSP Database Guest user password | none. You have the following options: MSDE Eval: NA; SQL Eval: NA; SQL Prod: variable | The password that is associated with the database guest user account. The password must be 8 to 19 characters long, not begin with _ and contain at least two two-letter characters.
4 In the Installation Type panel, click Evaluation Installation, click Install MSDE on the Local System, and then click Next.
5 In the Destination Folder panel, change the folder if necessary, and then click Next. The directory name must contain printable ASCII characters only. Multibyte, double-byte, hi-ASCII and non-printable ASCII characters are not supported.
7 In the Database Selection panel, change the default server and database directory locations if necessary. The directory name must contain printable ASCII characters only. Multibyte, double-byte, hi-ASCII and non-printable ASCII characters are not supported.
3 In the License Agreement panel, select I accept the terms in the license agreement, and then click Next.
4 In the Installation Type panel, click Evaluation Installation, then click Use an Existing MS SQL Instance, and then click Next.
5 In the Destination Folder panel, change the folder if necessary, and then click Next. The directory name must contain printable ASCII characters only.
■ All other accounts (owner, guest, and internal accounts) must not exist in the instance. The management server installation creates these accounts and aborts if it cannot create them.
■ The database name that you enter into the management server installation must not exist in the instance. The management server installation creates these accounts and aborts if it cannot create them.
9 In the Database Configuration panel, specify the database parameters, and then click Next.
Database Name: Type the name of the database to install.
Enable Unicode Storage: The option is for use with international operating systems.
SCSP Database Owner: Under SCSP Database Owner, do the following:
■ In the User name box, type the name of the SCSP Database Owner.
Note: If the management server database is on a Tomcat system instead of a dedicated system, you must specify the real IP (not localhost) for the initial installation.
To install Tomcat component only
1 Insert and display the installation CD, and then double-click server.exe.
2 In the Welcome panel, click Next.
C:/Program Files/Symantec/Critical System Protection/Console
Management console installation does not prompt you to enter port numbers or server names. You enter this information after installation.
To install the management console
1 On the installation CD, double-click console.exe.
2 In the initial installation panel, click Next.
Table 3-3 Management console configuration settings
Setting | Default | Description
Admin port | 8081 | The Web server Administration Port number that was used during management server installation. See Table 3-2, “Management server installation settings,” on page 38. See Table 3-1, “Port number mapping,” on page 32.
Installing a Windows agent
The Symantec Critical System Protection agent enforces policy on the endpoints. Each agent enforces rules that are expressed in policies, thereby controlling and monitoring application (process) and user behavior. You must log on to an Administrator account to install a Windows agent.
Table 3-4 Windows agent installation settings
Setting | Default | Description
Logs File Directory | C:\Program Files\Symantec\Critical System Protection\Agent | The installation directory prefix for the /scsplogs subdirectory. The installation creates an scsplog folder under the folder that you specify.
Agent Name | Host name of agent computer | The agent name.
Table 3-4 Windows agent installation settings (continued)
Setting | Default | Description
Primary Management Server | localhost | The IP address or fully qualified host name of the management server that will manage the agent.
Agent Port | 443 | The Agent Port number that was used during management server installation. See Table 3-2, “Management server installation settings,” on page 38. See Table 3-1, “Port number mapping,” on page 32.
Table 3-4 Windows agent installation settings (continued)
Setting | Default | Description
Prevention Policy Group | none | The name of an existing prevention policy group for this agent to join. An agent is placed in the default prevention policy group (named Policy), unless you specify another policy group that already exists in the management console.
Table 3-4 Windows agent installation settings (continued)
Setting | Default | Description
Use LocalSystem account / Use an alternate account | Use LocalSystem account | The service user name account that registers services for the agent. Do one of the following:
■ Select Use LocalSystem account to accept the default LocalSystem account.
■ Select Use an alternate account to select a different account.
4 In the Destination Folder panel, change the folders if necessary, and then click Next.
5 In the Agent Configuration panel, accept or change the default settings, and then click Next. Symantec strongly recommends that you do not clear the Enable Intrusion Prevention check box.
If you changed the Agent Port setting during management server installation, in the Agent Port box, type a port number that matches.
7 (Optional) In the Management Server Configuration panel, in the Alternate Management Servers box, type the fully qualified host name or IP address of the alternate servers that are used for failover for this agent. Type the servers in a comma-separated list.
You may add multiple detection policy group names separated with commas. You may include the name of an existing detection policy domain in the group path/name.
11 In the Agent Group Configuration panel, click Next.
12 In the Service User Configuration panel, accept the default LocalSystem account or specify an alternate account, and then click Next.
Unattended agent installation
You must log on to an Administrator account to install a Windows agent. You can perform an unattended installation of Windows agents using the agent.exe or agent-windows-nt.exe executable and InstallShield and Windows Installer commands. The following command structure shows the sequencing:
agent.
3 Type and run one of the following commands:
agent.exe ?
or
agent-windows-nt.exe ?
Microsoft Windows Installer commands
See the Microsoft documentation for information about standard Microsoft Windows Installer commands and additional logging levels. Table 3-5 describes the optional basic commands that are used for installations.
Installation properties
Table 3-6 describes the Windows agent installation settings and options.
Table 3-6 Windows agent installation settings
Setting | Default | Description
MANAGEMENT_SERVER= | localhost | The IP address or fully qualified host name of the management server that will manage the agent. Required
ALT_MANAGEMENT_SERVERS= | |
Table 3-6 Windows agent installation settings (continued)
Setting | Default | Description
LOG_DIR= | C:\Program Files\Symantec\Critical System Protection\Agent | The installation directory prefix for the /scsplogs subdirectory.
| 300 seconds | The interval that the agent uses to poll the management server for policy and configuration updates.
Table 3-6 Windows agent installation settings (continued)
Setting | Default | Description
COMMON_CONFIG_GROUP= | Common Configuration | The name of an existing common configuration group for this agent to join. An agent is placed in the default common configuration group, unless you specify another configuration group that already exists in the management console.
Table 3-6 Windows agent installation settings (continued)
Setting | Default | Description
IDS_POLICY_GROUP= | Windows | The name of an existing detection policy group for this agent to join. You can specify multiple groups by using commas between the group names. You can optionally include the name of an existing detection policy domain in the group path/name.
■ You must install the Symantec Critical System Protection management server, and install and configure the management console, before you install the Windows NT policy. See “Installing the management server” on page 36. See “Installing and configuring the management console” on page 48.
Uninstalling an agent using Add or Remove Programs
Agent uninstallation uses the Windows Add or Remove Programs utility. If the agent enforces policy prevention, it prevents you from removing agent-related files, the management server, and management console. If a service user account was created during installation, the account is not removed during uninstallation.
See “Unattended agent installation” on page 59.
Uninstalling the management console
Management console uninstallation uses the Windows Add or Remove Programs utility.
3 Click Symantec Critical System Protection Management Server, and then click Remove.
4 Follow and complete the prompts until uninstallation completes.
5 (Optional) Do one of the following: If you installed the evaluation database, click Microsoft SQL Server Desktop Engine (SCSP), and then click Remove.
C:\Program Files\Symantec\Critical System Protection\Agent\IPS\bin
To reset the prevention policy
1 On the agent computer, open a command prompt.
2 At a command prompt, type the following command, and then press Enter:
sisipsconfig -r
-----------------------------------------------
Agent Configuration Tool version 5.0.0.
Use one of the following methods to disable intrusion prevention on the agent:
■ Start the management console, and set the policy for the target agent to the Null prevention policy (sym_win_null_sbp).
■ If the policy on the computer that runs the agent is not Null and permits policy override, use the policy override tool to disable policy prevention.
Reinstalling Windows agents
You can perform an unattended reinstall of Windows agents using the agent.exe or agent-windows-nt.exe executable and InstallShield and Windows Installer commands. Reinstalling a Windows agent is useful if an agent becomes corrupted. Reinstalling a Windows agent is equivalent to uninstalling an agent and then installing the same version of that agent.
Chapter 4 Installing UNIX agents
This chapter includes the following topics:
■ About installing UNIX agents
■ Installing an agent in verbose mode
■ Installing an agent in silent mode
■ Uninstalling agents using package commands
■ Uninstalling agents manually
■ Disabling and enabling UNIX agents
■ Monitoring and restarting UNIX agents
■ Troubleshooting agent issues
About installing UNIX agents
Installation prompts you to enter a series of values.
■ If you are installing a Solaris, Linux, HP-UX, AIX, or Tru64 agent on a system that supports non-English character sets, the destination directory that you choose for the agent must contain only ASCII characters. If you include any non-ASCII characters in the path, the installation will fail.
Table 4-1 describes the agent installation settings.
Table 4-1 UNIX agent installation settings
Setting | Default | Description
Agent Port | 443 | The Agent Port number that was used during management server installation. See Table 3-2, “Management server installation settings,” on page 38.
Agent Polling Interval | 300 seconds | The interval that the agent uses to poll the management server for policy and configuration updates.
Table 4-1 UNIX agent installation settings (continued)
Setting | Default | Description
Common Config Group | none | The name of an existing common configuration group for this agent to join. You use common configuration groups to apply communication and event logging parameters to agents. An agent is placed in the default common configuration group, unless you specify another configuration group that already exists in the management console.
Table 4-1 UNIX agent installation settings (continued)
Setting | Default | Description
Detection Configuration Group | none | The name of an existing detection configuration group for this agent to join. You use detection configuration groups to apply detection parameters and log rules to agents. An agent is placed in the default detection configuration group, unless you specify another configuration group that already exists in the management console.
You can use the bypass prerequisite checks feature to bypass the following prerequisite checks:
■ Verify that the installation kit is being run by the root user
■ Perform OS platform and version checks
■ Perform package dependencies checks
■ Perform file system/disk space usage checks
When the bypass prerequisite checks feature is used, the installation kit displays all errors and warnings about prerequisite check failures.
Installing UNIX agents Installing an agent in silent mode ■ On the computer on which the agent will be installed, create a directory and then copy the file agent-cert.ssl into the directory using FTP in binary mode or some other protocol. The directory path name cannot contain spaces. To install an agent in verbose mode 1 Open a Terminal window and become superuser. 2 Insert the installation CD and if necessary, mount the volume.
Installing an agent in silent mode

Table 4-2 describes the settings that are used with the installation commands.

Table 4-2 UNIX agent installation settings

Setting | Default | Description
-help | none | You can run the installer with the -help switch to get a list of all the switches.
-version | none | Displays the installation package version information. Installation does not occur.
-silent | Interactive | Installs silently, without user prompts. Without this switch the installer runs interactively.
-cert= | /tmp/agent-cert.ssl | The path of the SSL certificate file, agent-cert.ssl, obtained from the Symantec Critical System Protection management server installation directory. You must copy this file from the management server to the specified location before starting the installation.
-idsPolGrp= | OS-specific group | The name of an existing detection policy group for this agent to join. You can specify multiple groups by separating the group names with commas.
-poll= | 300 | The polling interval, in seconds, that the agent uses to poll the management server for policy updates.
-svcport= | 2323 | This installation setting supports the policy override tool for Solaris and Linux. You use the policy override tool to override prevention policy enforcement.
To install an agent in silent mode
1 Follow the procedures and steps that are used to install an agent in verbose mode, up to and including mounting the installation CD drive. See "Installing an agent in verbose mode" on page 78.
2 Type and run the installation command for your platform, replacing the platform placeholder with solarissparc, solaris10-sparc, solaris10-x86, linux-rhel3, linux-rhel4, linux-sles8, linux-sles9, hpux-hppa, hpux-ia64, aix, or tru64.
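The following pre-flight script is an added example; it is not part of this guide or of the Symantec installation kit. It checks, before an unattended install, the constraints the preceding pages state (the installer must run as root, the destination directory must be ASCII-only, the certificate path must contain no spaces and the file must actually be there) and assembles the Table 4-2 switches from Table 4-2's documented names. The destination directory and the INSTALLER variable in the closing comment are assumptions, because the per-platform command line is not reproduced above.

```shell
#!/bin/sh
# Added example, not from the Symantec guide or installation kit: pre-flight
# checks for an unattended UNIX agent install. The destination directory and
# the INSTALLER variable at the bottom are assumptions.

# Return 0 when the path contains printable ASCII only. Any non-ASCII
# character in the destination path makes the installation fail, so reject it
# up front. LC_ALL=C makes grep match byte-wise, so every byte of a UTF-8
# multibyte character falls outside the 0x20-0x7E range and is caught.
is_ascii_path() {
    if printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'; then
        return 1
    fi
    return 0
}

# Return 0 when the -cert= path has no spaces and names a non-empty file.
# (agent-cert.ssl must have been copied from the management server in binary
# mode; an empty or partial copy fails the SSL handshake later.)
check_cert_path() {
    case "$1" in
        *' '*) return 1 ;;
    esac
    [ -s "$1" ]
}

# Return 0 when the uid is root; the installer's prerequisite checks require
# root unless they are bypassed.
is_root_uid() {
    [ "$1" -eq 0 ] 2>/dev/null
}

# Assemble the Table 4-2 switches: $1 certificate path, $2 polling interval
# in seconds, $3 optional comma-separated detection policy group names.
build_silent_args() {
    args="-silent -cert=$1 -poll=$2"
    if [ -n "$3" ]; then
        args="$args -idsPolGrp=$3"
    fi
    printf '%s' "$args"
}

# Run every check; print the first failure reason and return non-zero.
preflight() {
    dest=$1; cert=$2; uid=$3
    is_root_uid "$uid"      || { echo "must run as root"; return 1; }
    is_ascii_path "$dest"   || { echo "non-ASCII destination: $dest"; return 1; }
    check_cert_path "$cert" || { echo "bad certificate path: $cert"; return 1; }
    return 0
}

# Stand-alone use; INSTALLER is the platform-specific package from the CD
# (name assumed, not given here):
#   preflight /opt/Symantec/scspagent /tmp/agent-cert.ssl "$(id -u)" &&
#       "$INSTALLER" $(build_silent_args /tmp/agent-cert.ssl 300)
```

If a detection policy group name contains spaces, pass the -idsPolGrp= switch to the installer as its own quoted argument instead of through the unquoted word splitting shown in the usage comment.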
Uninstalling agents using package commands

6 On HP-UX, type and run the following command:
swremove SYMCcsp
7 On Tru64, type and run the following command:
setld -d SYMCSP513
8 (Solaris and Linux) If the uninstall completes successfully, run the following command to restart the computer:
init 6
Computers running HP-UX and AIX do not need to be restarted.

Uninstalling agents manually

Before you remove any files, verify that the agent daemons are not running:
pgrep -U sisips -P1 -f sisipsdaemon
pgrep -U sisips -P1 -f sisipsutildaemon
pgrep -U root -P1 -f sisidsdaemon
If the agent daemons are not running, continue with the next numbered step.
Uninstalling Linux agents manually

You can manually uninstall Linux agents.

To uninstall Linux agents manually
1 In the management console, set the policy for the agent to uninstall to the Null prevention policy. If the Linux agent is not communicating with the management console, disable the agent, and then continue with the uninstall. See "Disabling and enabling Linux agents" on page 93.

7 Remove the following lines from the initialization scripts: the lines (including comments) between # Begin SIS IPS and # End SIS IPS in the files /etc/init.d/boot.local and /etc/init.d/halt.local.

rm -rf /var/log/scsplog (default directory)
rm -f /var/run/sisipsdaemon.pid
rm -f /var/run/sisidsdaemon.pid
5 Type and run the following commands to remove the agent user and group:
userdel sisips
groupdel sisips

Uninstalling AIX agents manually

You can manually uninstall AIX agents.

To uninstall AIX agents manually
1 Open a Terminal window on the computer that runs the agent to uninstall, and become superuser.

5 Type and run the following commands to remove the agent user and group:
userdel sisips
rmgroup sisips
6 Run the following commands to remove the entries from inittab:
rmitab rcsisipsagent
rmitab rcsisidsagent

Uninstalling Tru64 agents manually

You can manually uninstall Tru64 agents.

To uninstall Tru64 agents manually
1 Open a Terminal window on the computer that runs the agent to uninstall, and become superuser.
Edit and remove the line from /etc/symantec/sis/sis.

Disabling and enabling UNIX agents
After you disable the driver, apply the Null prevention policy or a prevention policy in which prevention is disabled, and then reboot the system.

Warning: You should perform these procedures only in emergency situations.

To temporarily disable the IPS driver
1 Interrupt the boot cycle with a Stop-a or break sequence.
Enabling a disabled Solaris agent

You can enable a Solaris agent that was previously disabled.

To enable a disabled Solaris agent
1 Open a Terminal window and become superuser.
2 Type and run the following commands, which rename the sisipsagent and sisidsagent scripts back to their original names:
mv /etc/init.d/sisipsagentOFF /etc/init.d/sisipsagent
mv /etc/init.d/sisidsagentOFF /etc/init.
Permanently disabling Linux agents

Warning: You should perform these procedures only in emergency situations.

To permanently disable Linux agents
1 Open a Terminal window and become superuser.
2 Type and run the following commands:
/etc/init.d/sisipsagent stop
/etc/init.d/sisidsagent stop
3 Type and run the following commands to rename the agent scripts, which temporarily break any symbolic links in the rc#.d startup scripts:
mv /etc/init.d/sisipsagent /etc/init.

/sbin/init.d/sisidsagent stop

Permanently disabling HP-UX agents

If you have performance issues with HP-UX agents, you may need to permanently disable them.

Warning: You should perform these procedures only in emergency situations.

To permanently disable HP-UX agents
1 Open a Terminal window and become superuser.
2 Type and run the following commands:
/sbin/init.d/sisipsagent stop
/sbin/init.

Temporarily disabling AIX agents

Warning: You should perform these procedures only in emergency situations.

To temporarily disable AIX agents
1 Open a Terminal window and become superuser.
2 Type and run the following commands:
/etc/rc.sisipsagent stop
/etc/rc.sisidsagent stop

Permanently disabling AIX agents

If you have performance issues with AIX agents, you may need to permanently disable them.
rcsisidsagent:23456789:wait:/etc/rc.sisidsagent start >/dev/console 2>&1
3 Type and run the following commands to restart the agents:
/sbin/init.d//sisipsagent start
/sbin/init.d//sisidsagent start

Disabling and enabling Tru64 agents

This section describes how to disable and enable Tru64 agents.

Temporarily disabling Tru64 agents

Warning: You should perform these procedures only in emergency situations.
mv sisipsagent sisipsagentOFF
mv sisidsagent sisidsagentOFF
If the machine is not a member of a TruCluster, is configured as a single-member cluster, or if you want to disable the agent on all clusters, perform the following actions:
mv /sbin/init.d/sisipsagent /sbin/init.d/sisipsagentOFF
mv /sbin/init.d/sisidsagent /sbin/init.d/sisidsagentOFF

Enabling a disabled Tru64 agent

You can enable a Tru64 agent that was previously disabled.
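The rename step is the same on every platform above: the start scripts become sisipsagentOFF and sisidsagentOFF to disable the agent, and are renamed back to enable it. The helpers below are an added example, not code from this guide or from the product, that make the rename idempotent (a second run reports what is already done instead of failing) and handle the case where both the live script and a stale *OFF copy exist. The init directory is a parameter so the same functions serve /etc/init.d on Solaris and Linux and /sbin/init.d on HP-UX and Tru64; stopping the daemons first and applying the Null prevention policy remain manual steps.

```shell
#!/bin/sh
# Added example, not from the Symantec guide: idempotent helpers for the
# "rename the start scripts to *OFF" step that permanently disables an agent,
# and the reverse rename that re-enables it. The init directory is a
# parameter so the same functions cover /etc/init.d (Solaris, Linux) and
# /sbin/init.d (HP-UX, Tru64).

AGENT_SCRIPTS="sisipsagent sisidsagent"

# Rename <dir>/<script> to <dir>/<script>OFF for each agent script. A script
# that is already renamed or not installed is reported on stderr and skipped,
# so a second run changes nothing. If both the live script and an *OFF copy
# exist, the live one still gets renamed (the stale copy is replaced), so the
# agent really is disabled. Prints the number of scripts renamed.
disable_agent_scripts() {
    dir=$1; renamed=0
    for s in $AGENT_SCRIPTS; do
        if [ -e "$dir/$s" ]; then
            [ -e "$dir/${s}OFF" ] && echo "$s: replacing stale ${s}OFF" >&2
            mv "$dir/$s" "$dir/${s}OFF" && renamed=$((renamed + 1))
        elif [ -e "$dir/${s}OFF" ]; then
            echo "$s: already disabled in $dir" >&2
        else
            echo "$s: not installed in $dir" >&2
        fi
    done
    echo "$renamed"
}

# Reverse of disable_agent_scripts. Prints the number of scripts restored.
enable_agent_scripts() {
    dir=$1; restored=0
    for s in $AGENT_SCRIPTS; do
        if [ -e "$dir/${s}OFF" ]; then
            mv "$dir/${s}OFF" "$dir/$s" && restored=$((restored + 1))
        else
            echo "$s: nothing to restore in $dir" >&2
        fi
    done
    echo "$restored"
}

# Print enabled, disabled or absent for one agent script in a directory.
agent_script_state() {
    if [ -e "$1/$2" ]; then
        echo enabled
    elif [ -e "$1/${2}OFF" ]; then
        echo disabled
    else
        echo absent
    fi
}

# Stand-alone use on Linux (root required):
#   disable_agent_scripts /etc/init.d
#   enable_agent_scripts /etc/init.d
```

On Linux the rename leaves the rc#.d symbolic links dangling until the scripts are restored, exactly as the procedure above describes; agent_script_state lets a monitoring job confirm which state a host is in before anyone trusts that prevention is active.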
Installing UNIX agents Troubleshooting agent issues 0 * * * * /etc/init.d/sisidsagent health_check 0 * * * * /etc/init.d/sisipsutil health_check (Solaris and Linux Only) Use the appropriate crontab file for the UNIX platform: ■ AIX Crontab: /var/spool/cron/cronttabs/root Scripts: /etc/rc.sisidsagent, /etc/rc.sisipsagent ■ HP-UX Crontab: /var/spool/cron/crontab.root Scripts: /sbin/init.d/sisidsagent, /sbin/init.d/sisipsagent ■ Linux Crontab: /var/spool/cron/tabs/root Scripts: /etc/init.
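The script below is an added example, not part of this guide or the product, that generates the hourly health_check entries for a platform from the script locations listed above and merges them into an existing root crontab without duplicating entries that are already scheduled. The Solaris spool path is an assumption, because the platform list above is cut off before it; the platform names (aix, hpux, linux, solaris, tru64) are the example's own.

```shell
#!/bin/sh
# Added example, not from the Symantec guide: generate the hourly health_check
# crontab entries for a platform and merge them into an existing root crontab
# without duplicating entries already present. Script locations and spool
# paths follow the guide; the Solaris spool path is an assumption because the
# guide's list is cut off before it.

# Full path of an agent control script for a platform.
agent_script_path() {
    case "$1" in
        aix)           echo "/etc/rc.$2" ;;
        hpux|tru64)    echo "/sbin/init.d/$2" ;;
        linux|solaris) echo "/etc/init.d/$2" ;;
        *) echo "unknown platform: $1" >&2; return 1 ;;
    esac
}

# Root crontab spool file per platform (Solaris value assumed).
root_crontab_file() {
    case "$1" in
        aix)     echo /var/spool/cron/crontabs/root ;;
        hpux)    echo /var/spool/cron/crontab.root ;;
        linux)   echo /var/spool/cron/tabs/root ;;
        solaris) echo /var/spool/cron/crontabs/root ;;
        *) echo "unknown platform: $1" >&2; return 1 ;;
    esac
}

# Print the hourly health_check lines for a platform, one per line. The
# sisipsutil check exists only on Solaris and Linux.
health_check_entries() {
    p=$1
    agent_script_path "$p" sisidsagent >/dev/null || return 1
    for name in sisidsagent sisipsagent; do
        printf '0 * * * * %s health_check\n' "$(agent_script_path "$p" "$name")"
    done
    case "$p" in
        linux|solaris)
            printf '0 * * * * %s health_check\n' "$(agent_script_path "$p" sisipsutil)" ;;
    esac
}

# Read the current crontab on stdin and write it back with any missing
# health_check entries appended. Existing lines are kept verbatim; an entry
# counts as present only on an exact line match, so a commented-out copy is
# not mistaken for an active one.
merge_health_checks() {
    existing=$(cat)
    [ -n "$existing" ] && printf '%s\n' "$existing"
    health_check_entries "$1" | while IFS= read -r entry; do
        if ! printf '%s\n' "$existing" | grep -qxF -- "$entry"; then
            printf '%s\n' "$entry"
        fi
    done
}

# Stand-alone use (as root), letting crontab(1) validate and reload the table
# instead of editing the spool file directly:
#   crontab -l 2>/dev/null | merge_health_checks linux | crontab -
```

Feeding the result through crontab(1) rather than writing the spool file named above keeps the file's ownership and permissions intact and makes cron pick up the change immediately; root_crontab_file is kept for the case where the spool file must be inspected or backed up by hand.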
Chapter 5
Migrating to the latest version

This chapter includes the following topics:
■ Migrating legacy installations of Symantec Critical System Protection
■ Migrating other legacy agent installations
■ Checklist for migrating from Symantec Intruder Alert
■ Checklist for migrating from Symantec Host IDS
■ Migrating legacy agent software
■ Preparing for detection policy migration
■ Migrating legacy detection policy files

Migrating legacy installations of Symantec Critical System Protection
When migrating legacy installations of Symantec Critical System Protection, note the following:
■ If you upgrade the management server, then you must also upgrade the management console to the same version, and vice versa. The management server and management console must be the same version.
■ Upgrading the agent is optional; you can use agent 5.0.0, agent 5.0.1, agent 5.0.

If you changed the name of the database owner account during a Production installation, enter that account name during the upgrade as well. Do not use the sa account during the upgrade.

Unattended Windows agent migration

You can perform an unattended migration of Windows agents using the agent.exe or agent-windows-nt.exe executable and InstallShield and Windows Installer commands.
Table 5-1 lists the management server-related agent config tool commands:

Table 5-1 Agent config tool commands

Command: -host
Syntax:
Windows: sisipsconfig -host primary[,alternate1,alternate2,...]
UNIX: sisipsconfig.
Description: Set the IP address or fully qualified host name of the primary management server and the optional alternate management servers used by the agent.

Command: -test
Syntax:
To test the first server in the list (default):
■ Windows: sisipsconfig -t
■ UNIX: sisipsconfig.sh -t
To test the nth server in the list:
■ Windows: sisipsconfig -t n
■ UNIX: sisipsconfig.
Description: Test the connection information for a server in the management server list.

Migrating other legacy agent installations
Policy migration involves using a policy conversion utility that converts legacy .pol and .ini files to XML files and places them in a .zip file, and then using the authoring environment to compile the converted legacy policies to the latest version. The utility runs on Windows only, but it converts UNIX policy files as well.

Checklist for migrating from Symantec Intruder Alert

System Protection authoring environment (and eventually conditionally applied to your Symantec Critical System Protection agents). See "Migrating legacy detection policy files" on page 111.
Checklist for migrating from Symantec Host IDS

Symantec Critical System Protection contains an IDS component similar in functionality to Symantec Host IDS. Migrating from Symantec Host IDS to Symantec Critical System Protection is a fairly straightforward process.

(and each ungrouped agent), noting the stock policies and the custom policies that are applied. You should be able to find equivalent Symantec Critical System Protection policies for the Symantec Host IDS stock policies that you applied. Uninstall the Symantec Host IDS agent, and install the Symantec Critical System Protection agent on each client to be migrated.

Migrating legacy agent software
Preparing for detection policy migration

Installing the authoring environment and policy conversion utility

The Symantec Critical System Protection authoring environment and the policy conversion utility were installed automatically during management console installation. No separate installation is required. See "Installing and configuring the management console" on page 48.

Migrating legacy detection policy files

Your legacy detection policy files may have both enabled and disabled rules. The enabled or disabled status of each rule is also migrated.
Table 5-2 lists the policy conversion utility command line switches.

Table 5-2 Command line switches

Switch | Default setting | Description
-p | no switch (converts policy files to policy files) | Converts legacy detection policy files to Symantec Critical System Protection detection policy files, and creates option groups for the policy so that you can see the policy rules with the management console.

4 Type ITAHIDSpolicyMigration.exe, type the names of your source and destination directories, and run the command.

Importing the zip file

The zip file in the destination directory contains the converted legacy policies.

To import the zip file
1 On the computer that runs the Symantec Critical System Protection management console, click Start > Programs > Symantec Critical System Protection > Authoring Tool.

3 In the right pane, on the General tab, in the Name box, type a name for your detection policy. You might want to use a name that reflects the ruleset.
4 Click File > Save.
5 In the Save As dialog, select the folder that you created for converted policies, and then click Save As.
6 On the Outline tab, select Detection Rulesets in your new policy, click the Add icon, and then click Browse.
Status | Symantec Critical System Protection agent status messages

You should also check other migrated rule elements, such as patterns and actions, for accuracy. Note that OR'ing of select clauses is no longer supported, so rules with OR'ed select clauses are split into multiple rules. You should also check this split for accuracy.

6 For rules that need to be changed, on the Rules tab, right-click the rule and then select the correct conversion menu item.
7 Verify that all other criteria, actions, and values are correctly set for your rules.
8 Click Tools > Validate. If an error prompt appears, troubleshoot the error.

Applying policies created and compiled in the authoring environment

You use the management console to apply a policy that you created and compiled in the authoring environment. Using the management console, you do the following:
■ Create a workspace policy that is based on your compiled policy.
■ Verify the policy option configuration.
■ Test the workspace policy.
■ Apply the workspace policy to your agents and policy groups.
Index

A
agent
    alternate management servers 27, 103
    groups
        common configuration 53, 63, 76, 81
        detection configuration 54, 63, 77, 81
        detection policy 54, 64, 77, 82
        prevention configuration 53, 63, 76, 81
        prevention policy 54, 63, 76, 81
    hardware requirements 20
    name of 52
    operating system requirements 17
    primary management server 27, 103
    UNIX
        bypassing prerequisite checks 77
        disabling and enabling 91
        installing 73
        uninstalling 84
        uninstalling manually 85
    Windows b

F
fail back interval 26
failover 25, 74

I
IP routing 24

L
Linux agents
    disabling and enabling 93
    kernel driver support 19
    monitoring and restarting 98
    uninstalling manually 87
log files
    agent 28
    management server 28

M
management console
    configuring 49
    configuring server 50
    hardware requirements 20
    installing 49
    operating system requirements 17
    setting up initial password 50
    uninstalling 67
    using encrypted communications 50
    verifying server certificate 50
management server
    alternate 74, 103
    database 67
    evaluation installation
        MSDE 42

S
SQL server
    evaluation installation 44
    installation requirements 34
    installing to existing 34
    MDAC requirements 35
    production database installation 45
SSL certificate 51, 53, 61, 81
Symantec Host IDS, migrating from 108
Symantec Intruder Alert, migrating from 106
system requirements
    hardware
        agent 20
        management console 20
        management server 20
    operating system
        agent 17
        management console 17
        management server 17

T
TEMP environment variable 36
Tru64 agents
    disabling and enabling 97
    uninstalling manually