NetIQ® Security Agent for Unix Installation and Configuration Guide

NetIQ Security Manager™
NetIQ Secure Configuration Manager™

November 1, 2006


THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

© 1995-2006 NetIQ Corporation, all rights reserved.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government’s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

Check Point, FireWall-1, VPN-1, Provider-1, and SiteManager-1 are trademarks or registered trademarks of Check Point Software Technologies Ltd.

ActiveAgent, ActiveAnalytics, ActiveAudit, ActiveReporting, ADcheck, AppAnalyzer, AppManager, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, IntelliPolicy, Knowing is Everything, Knowledge Scripts, Mission Critical Software for E-Business, MP3check, NetConnect, NetIQ, the NetIQ logo, NetIQ Change Administrator, NetIQ Change Guardian, NetIQ Compliance Suite, NetIQ Group Policy Administrator, NetIQ Group Policy Guardian, NetIQ Group Policy Suite, the NetIQ Partner Network design, NetIQ Patch Manager, NetIQ Risk and Compliance Center, NetIQ Secure Configuration Manager, NetIQ Security Administration Suite, NetIQ Security Analyzer, NetIQ Security Manager, NetIQ Vulnerability Manager, PSAudit, PSDetect, PSPasswordManager, PSSecure, Server Consolidator, VigilEnt, Vivinet, Work Smarter, and XMP are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.


Contents

About This Book and the Library ..... vii
Conventions ..... ix
About Attachmate ..... x

Chapter 1  Introduction ..... 1
  What Are Unix Agents? ..... 2
  How Unix Agents Work with Secure Configuration Manager ..... 3
  How Unix Agents Work with Security Manager ..... 3
  How Unix Agents Help You ..... 3

Chapter 2  Licensing and Upgrading ..... 5
  Understanding Licensing ..... 5
    Trial Licenses ..... 5
    Licensing Unix Agents ..... 6
    Upgrading an Unexpired License ..... 6
    Installing a Unix Agent License ..... 6
  Upgrading ..... 7
    Starting Agent Manager ..... 8
    Exporting the Host List ..... 9
    Upgrading Unix Manager on a Windows Computer ..... 10
    Upgrading Unix Manager on a Solaris or Red Hat Computer ..... 11
    Importing the Host List ..... 13
    Upgrading Unix Agents ..... 14
  Configuring IP Addresses and Updating Ports ..... 17

Contents iii


Chapter 3  Installing Unix Manager and Unix Agents ..... 19
  Checklist for Installing Unix Agents ..... 19
  Requirements ..... 21
    Unix Manager Computer Requirements ..... 21
    Unix Agent Computer Requirements ..... 22
    Unix Agent Communication Protocols ..... 23
  Installing Unix Manager ..... 24
    Installing Unix Manager on a Windows Computer ..... 24
    Installing Unix Manager on a Solaris or Red Hat Computer ..... 25
  Starting Unix Manager ..... 26
    Starting Unix Manager on a Unix or Linux Computer ..... 26
    Starting Unix Manager on a Windows Computer ..... 27
    Starting Unix Manager from the Secure Configuration Manager Console ..... 28
  Installing Unix Agents ..... 28
    Installing Unix Agents Remotely ..... 29
    Installing Unix Agents Locally ..... 31
  Synchronizing Unix Agents ..... 35

Chapter 4  Configuring Security Manager Support ..... 39
  Configuring Basic Security Manager Support ..... 39
    Installing the TCP Daemon ..... 40
    Activating the Most Current Rule Sets ..... 40
  Configuring Extended Security Manager Support ..... 42
    Enabling Process Accounting ..... 42
    Enabling and Configuring the Basic Security Module on Solaris ..... 45
  Configuring Security Manager Support for Oracle ..... 48
  Configuring Failover or Multiple Configuration Groups ..... 50


Chapter 5  Configuring Secure Configuration Manager Support ..... 51
  Configuring Basic Secure Configuration Manager Support ..... 51
  Configuring Secure Configuration Manager Support for Oracle ..... 52

Appendix A  Creating and Managing Unix Rules ..... 55
  Understanding Unix Agent Rules ..... 55
  Deciding How to Create Unix Rules and Rule Sets ..... 56
  Understanding Rule Sets ..... 58
    Selecting a Rule Set to Edit ..... 58
    Viewing Rule Sets and Editing Rule Set Properties ..... 59
    Saving Rule Sets Locally ..... 61
    Activating Rule Sets on Remote Hosts ..... 61
  Using the Rule Wizard to Create Rules ..... 62
  Understanding Event Sources ..... 63
    Editing Event Source Properties ..... 64
    Creating New Event Sources ..... 65
    Deleting Event Sources ..... 65
  Understanding Rule Groups ..... 66
    Editing Rule Group Properties ..... 67
    Creating New Rule Groups ..... 67
    Deleting Rule Groups ..... 68
  Understanding Rules and Actions ..... 69
    Viewing and Editing Rule Properties and Actions ..... 70
    Creating New Rules and Actions ..... 71
    Deleting Rules and Actions ..... 72
  Understanding Initialization Code ..... 72
    Viewing and Editing Initialization Code ..... 72
    Adding New Initialization Code ..... 73
    Deleting Initialization Code ..... 73


  Understanding Conditionals and Comparisons ..... 74
    Viewing and Editing Comparison Properties ..... 74
    Adding Comparisons ..... 76
    Adding And ..... 77
    Adding Or ..... 78
    Associating Comparisons with Conditionals ..... 78
    Deleting Comparisons or Conditionals ..... 79
  Understanding Time Conditions ..... 79
    Viewing and Editing Time Conditions ..... 80
    Adding New Time Conditions ..... 80
    Deleting Time Conditions ..... 81
  Understanding Main Code ..... 81
    Viewing and Editing Main Code ..... 81
    Adding New Main Code ..... 82
    Deleting Main Code ..... 82
  Customizing the Rules Management User Interface ..... 83
    Deciding Whether to Use Tabbed Layouts ..... 83
    Deciding Whether to Use Parameter Aliases ..... 84

Appendix B  Uninstalling Agents and Unix Manager ..... 87
  Uninstalling Unix Agents ..... 87
  Uninstalling Unix Manager on Windows ..... 88
  Uninstalling Unix Manager on Solaris or Red Hat ..... 88


About This Book and the Library

The Installation and Configuration Guide provides steps for Unix Manager installation, steps for NetIQ Security Agent for Unix (Unix agent) product deployment, and integration information for the NetIQ Security Manager (Security Manager) and NetIQ Secure Configuration Manager (Secure Configuration Manager) products. The Secure Configuration Manager product was formerly known as NetIQ Vulnerability Manager.

Intended Audience

This book provides information for individuals responsible for installing and using Unix agents and reporting information to Security Manager and Secure Configuration Manager.

Other Information in the Library

The Security Agent for Unix can be configured to forward data to both Security Manager and Secure Configuration Manager. Depending on the product you purchased, your library provides the following information resources:

Installation and Configuration Guide
Provides Unix Manager installation steps, agent deployment steps, and integration information for Security Manager and Secure Configuration Manager.

Help
Provides context-sensitive information and step-by-step guidance for common tasks.

User Guide for NetIQ Security Manager
Provides conceptual information about Security Manager. This book also provides an overview of the Security Manager user interfaces and step-by-step guidance for many tasks.


User Guide for NetIQ Secure Configuration Manager
Provides conceptual information about Secure Configuration Manager. This book also provides an overview of the Secure Configuration Manager installation, interfaces, and reports and the Help.


Conventions

The library uses consistent conventions to help you identify items throughout the documentation. The following table summarizes these conventions.

Convention    Use

Bold
• Window and menu items
• Technical terms, when introduced

Italics
• Book and CD-ROM titles
• Variable names and values
• Emphasized words

Fixed Font
• File and folder names
• Commands and code examples
• Text you must type
• Text (output) displayed in the command-line interface

Brackets, such as [value]
• Optional parameters of a command

Braces, such as {value}
• Required parameters of a command

Logical OR, such as value1 | value2
• Exclusive parameters. Choose one parameter.


About Attachmate

Attachmate, owned by an investment group led by Francisco Partners, Golden Gate Capital and Thoma Cressey Equity Partners, enables IT organizations to extend mission critical services and assure they are managed, secure and compliant. Attachmate's leading solutions include host connectivity, systems and security management, and PC lifecycle management. Our goal is to empower IT organizations to deliver trusted applications, manage service levels, and ensure compliance by leveraging knowledge, automation and secured connectivity. For more information, visit www.attachmate.com.

NetIQ Solutions from Attachmate

Attachmate provides a wide selection of systems and security management solutions to help you manage and secure all your essential platforms, including Windows, Unix, Linux, and iSeries. These Knowledge-Based Service Assurance products and solutions include embedded knowledge and tools to implement industry best practices and to better ensure operational integrity, manage service levels and risk, and ensure policy compliance. Our modular, best-of-breed solutions for Performance and Availability Management, Security Management, Configuration and Vulnerability Management, and Operational Change Control integrate through an open, service-oriented architecture allowing for common reporting, analytics and dashboards. Attachmate offers the following systems and security management solutions:

Performance and Availability Management

These products offer rapid time-to-value solutions that enable you to align your IT operations with business priorities and optimize the delivery of your IT-based business services. This solution automates the complete IT service management lifecycle: assessment of requirements, definition of Service Level Agreements, management of day-to-day operations, and review of operational metrics.


Security Management

These easy-to-install-and-deploy products provide effective protection from and response to security-related threats. This solution provides powerful features, such as real-time security event monitoring, mapping of threat indicators, policy violation alerts, and expedited incident forensics and resolution. These products reduce the time required to identify and resolve security threats.

Configuration and Vulnerability Management

These products allow you to quickly and easily assess vulnerabilities, manage security risks, and assure policy compliance. This powerful solution measures and enforces compliance to configuration baselines based on your corporate policies, regulations, and evolving security threats. You can use the latest security knowledge, which is updated in real time, to resolve compliance and configuration issues.

Operational Change Control

These products enable IT organizations to control, manage, and audit operational changes to servers, Active Directory, and Group Policy with unprecedented levels of accountability. NetIQ's Operational Change Control (OCC) solutions enable enterprise customers to meet IT compliance and operational integrity needs in the most cost-effective manner, by delegating access control, managing changes according to policy, and alerting and reporting on change activities and entitlements.


Contacting NetIQ Solutions Support

Please contact us with your questions and comments. We look forward to hearing from you. For support around the world, please contact your local partner. For a complete list of our partners, please see our Web site. If you cannot contact your partner, please contact our Technical Support team.

Telephone: 713-418-5000
888-323-6768 (only in the United States and Canada)

Sales Email: [email protected]

Support: www.netiq.com/support

Web Site: www.netiq.com


Chapter 1

Introduction

Securing your Unix environment can be expensive and time-consuming, especially when you and your staff face tight budgets and escalating security threats. Consider the following issues most enterprise security managers confront:

• Deficits in staff knowledge concerning Unix security and system expertise

• Managing various operating systems including Solaris, AIX, Linux, and HP-UX

• Controlling access to privileged commands and sensitive resources

• Lacking intrusion detection and response systems to handle both real and potential security breaches

• Integrating Unix management into company-wide security initiatives

Security Agents for Unix (Unix agents) help you effectively address these challenges, allowing you to audit, secure, and monitor your Unix environment.


What Are Unix Agents?

Unix agents form an integral part of any host-based management solution attempting to secure your Unix and Linux systems from a central point of control. Unix agents allow you to assess business-critical Unix hosts for risks and vulnerabilities, minimize risk through automated alerts and event response, and monitor for real-time threats. Unix agents protect your critical Unix and Linux hosts in the following ways:

• Reduce time lost due to misconfiguration

• Report vulnerabilities across multiple Unix operating systems

• Control access to critical files and resources

• Streamline the Unix security management workflow

• Detect critical file changes and intrusion

Unix agents provide built-in, Unix-specific security knowledge, allowing your more novice staff to safely contribute to securing your enterprise.

Integrating your Unix agents with Security Manager and Secure Configuration Manager (formerly known as NetIQ Vulnerability Manager) joins your Unix systems with the rest of your multi-platform environment. Both Secure Configuration Manager and Security Manager provide threat management solutions across platforms, servers, and application software. Your Unix agents can supply the information Security Manager needs to detect intrusion events in real-time, perform forensic analysis on log files, and send notifications to security personnel. Coupling your agents with Secure Configuration Manager allows you to proactively flag and correct vulnerable computers.


How Unix Agents Work with Secure Configuration Manager

Secure Configuration Manager uses Unix agents to validate the configuration of Unix hosts to ensure compliance with corporate security policies and pinpoint potential vulnerabilities. For more information about Secure Configuration Manager, see the User Guide for NetIQ Secure Configuration Manager.

How Unix Agents Work with Security Manager

Security Manager uses Unix agents to detect intrusions and collect syslog events from Unix platforms. Security Manager stores collected syslog events in a secure repository that you can access from a single, centralized console. From a single console you can view intrusion attempts and run reports across multiple Unix platforms. For more information, see the User Guide for NetIQ Security Manager and the Security Manager for Unix Monitoring Guide.

How Unix Agents Help You

Unix agents form part of a comprehensive solution for proactive auditing, securing, monitoring, and maintaining Unix and Linux environment security. Combining Unix agents with Security Manager and Secure Configuration Manager helps you achieve a number of objectives:

• Ensure continuous compliance with information security policies

• Protect information assets on Unix and Linux hosts

• Defend against intruders and other malicious activity


• Manage security across dissimilar Unix operating systems

• Integrate Unix and Linux systems into cross-platform, company-wide security initiatives


Chapter 2

Licensing and Upgrading

The following sections provide information about licensing Unix agents and upgrading previous versions of both the Unix Manager (Unix Console) and Unix agents.

Understanding Licensing

The following sections help you understand licensing, count your Unix agent and Unix Manager license use, upgrade licenses, and install new licenses.

Trial Licenses

Your trial license allows you to experience the convenience and security of deployed Unix agents for up to one month. During this time, the Unix Manager can manage up to 1,000 agents. When you decide to move your trial into production, contact your NetIQ sales representative for a production license.


Licensing Unix Agents

Unix agents require the use of a license key file. You install this license key file on the Unix Manager that communicates with the agents. Security Manager and Secure Configuration Manager require a separate license key file that includes the Unix agents. Each agent you install decrements the license key file located on the managing console. For example, if you manage agents using Security Manager, both the Security Manager console and the Unix Manager console need valid licenses. If you manage agents using Secure Configuration Manager, the Secure Configuration Manager console and the Unix Manager require valid licenses. Ensure your licenses provide the appropriate coverage for your needs.

Upgrading an Unexpired License

License key files from versions prior to 4.0 of the Unix Manager are incompatible with the latest version of the Unix Manager. If you have an unexpired license for a product version prior to 4.0, contact your NetIQ sales representative to obtain an updated license key file.

You can take advantage of the month-long, 1,000-agent trial to explore the benefits of the current version. This allows you to deploy immediately, without having to wait for an updated license.

Installing a Unix Agent License

When you install Security Manager or Secure Configuration Manager, you install a license key to cover all your endpoints. The Unix Manager stores a separate license key file for the agents. Ensure you have enough agents licensed to account for your Secure Configuration Manager and Security Manager implementations.

To install your Unix agent license key file:

1. Secure a license key file from your NetIQ sales representative.

2. Copy the license key file to a folder or directory on the Unix Manager computer.


3. Start Unix Manager. For more information, see “Starting Unix Manager” on page 26.

4. On the Agent Manager menu, click Licenses > Add to Console License.

5. Browse to your license key file, and then click Open.

Upgrading

To successfully upgrade your Unix Manager and Unix agents, complete the following checklist.

Upgrading Previous Unix Manager and Unix Agent Implementations

1. Ensure your current hardware and software support the upgrade of the Unix Manager and Unix agents. For more information, see “Unix Manager Computer Requirements” on page 21 and “Unix Agent Computer Requirements” on page 22.

2. Start the previously installed Unix Manager and launch the Agent Manager. For more information, see “Starting Agent Manager” on page 8.

3. Export the host list. For more information, see “Exporting the Host List” on page 9.

4. For more information about upgrading a Windows implementation of the Unix Manager, see “Upgrading Unix Manager on a Windows Computer” on page 10.

5. For more information about upgrading a Unix implementation of the Unix Manager, see “Upgrading Unix Manager on a Solaris or Red Hat Computer” on page 11.

6. Import the host list. For more information, see “Importing the Host List” on page 13.

7. Review the following sections and decide how you want to upgrade your agents: “Upgrading Agents Remotely” on page 14 and “Upgrading Agents Locally” on page 15.

8. Configure any new communication targets for your upgraded agents. For more information, see “Configuring IP Addresses and Updating Ports” on page 17.

Starting Agent Manager

Agent Manager is a part of Unix Manager. You can start Agent Manager from Unix Manager. If you have Secure Configuration Manager, you can also start Agent Manager from the Secure Configuration Manager console.

To start Agent Manager:

1. If you want to start Agent Manager from Unix Manager, complete the following steps:

a. Start Unix Manager. For more information about starting Unix Manager, see “Starting Unix Manager” on page 26.

b. In the left pane of Unix Manager, click Manage Agents.

2. If you want to start Agent Manager from Secure Configuration Manager, complete the following steps:

a. Start Secure Configuration Manager.

b. Click Tools > Unix Manager.

c. In the left pane of Unix Manager, click Manage Agents.


Exporting the Host List

A host list contains a list of hosts, port information, and an encryption key. The Unix Manager and agents installed on hosts defined in the host list share this encryption key. If Unix Manager does not know the encryption key, it cannot communicate with its agents. Before you upgrade Unix Manager, ensure you export the host list. Exporting the host list allows you to share the encryption key with the upgraded Unix Manager computer. If you do not export the host list and the upgrade process overwrites the encryption key, Unix Manager cannot communicate with its agents.

To export the host list:

1. Start the Agent Manager. For more information, see “Starting Agent Manager” on page 8.

2. Click Hosts > Edit Hosts.

3. Select all hosts in the Current Hosts list.

4. Click Export Selected.

5. Save the agent host file to a convenient location.

6. Click Close.

7. On the File menu, click Exit.

Upgrading Unix Manager on a Windows Computer

If you previously installed Unix Manager on a Windows computer, complete the following steps to upgrade Unix Manager.

To upgrade the Unix Manager on a Windows computer:

1. Ensure you have exported the host list. For more information, see “Exporting the Host List” on page 9.

2. Run SETUPforWINDOWS.EXE in the root folder of the installation kit.

3. On the Setup tab, click Check Version to compare the product version of the installation kit against the newest product version available on the Web site.

4. Click Begin Unix Manager for Windows Setup on the Setup tab.

Note:

• To ensure you maintain your host list, license, password, and cached reports, install Unix Manager to your previous installation folder. If the installation path you specify is different from the previous installation path, the setup program installs a new Unix Manager instance. Copy your license to the new installation folder and import your host list in the new Unix Manager instance.

• If you are upgrading the Unix Manager on a computer running Windows Server 2003 Service Pack 1 or Windows XP Service Pack 2, ensure the Data Execution Prevention (DEP) feature on the computer allows you to run SETUPforWINDOWS.EXE and install UM_install_Windows.exe. For more information about configuring the DEP feature, see Microsoft Knowledge Base Article 875352, available at support.microsoft.com.

Note: If you are installing the Unix Manager from the CD, the setup program should automatically start when you insert the CD in the drive.

5. Complete the setup program. The setup program guides you through the license agreement and upgrades Unix Manager. For more information, see “Understanding Licensing” on page 5.

6. If you specify a different installation path than the previously installed Unix Manager, copy and paste the license to the new Unix Manager installation folder by completing the following steps:

a. Copy vsau_console.lic from the following folder:

<installation folder>\Program Files\NetIQ\Secure Configuration Manager\VSOC\VSAU\unix\local\license

Where <installation folder> is the folder where you installed Secure Configuration Manager.

b. Paste vsau_console.lic to the following folder:

<installation folder>\Program Files\NetIQ\VSAU\unix\local\license

Where <installation folder> is the folder where you are installing Unix Manager.

7. Start Unix Manager. For more information, see “Starting Unix Manager” on page 26.

8. Type your password in the window, and then click Accept.

9. Click File > Exit.

Upgrading Unix Manager on a Solaris or Red Hat Computer

If you previously installed the Unix Manager on a Solaris or Red Hat computer, complete the following steps to upgrade your implementation. Ensure you have exported your host list from your previous implementation before completing this procedure.

Note: If you want to specify a different installation path than the previously installed Unix Manager, type the new password in both fields to confirm.

To upgrade the Unix Manager on a Solaris or Red Hat computer:

1. Log on to the Solaris or Red Hat computer with the account you plan to use to run the Unix Manager.

2. Ensure you have installed the most current recommended patch clusters and security patches. You can download current recommended patch clusters and security patches for Sun Solaris. For more information, see www.sunsolve.sun.com. Similar Red Hat packages may be available from www.redhat.com.

3. Change directories to the product installation kit.

4. Open WELCOME_UNIX.HTM in a Web browser.

5. Click Check Version to compare the product version of the installation kit against the newest product version available on the Web site.

6. If you are installing the Unix Manager on a Solaris computer, start the installer script by entering the following command at the command prompt:

/bin/sh ./UM_install_Solaris.sh

7. If you are installing the Unix Manager on a Red Hat computer, start the installer script by entering the following command at the command prompt:

/bin/sh ./UM_install_Linux.sh

8. Complete the install script. The script guides you through the license agreement and installs the Unix Manager and a symbolic link to the directory that you select. For more information, see “Understanding Licensing” on page 5.

Note: To ensure you maintain your cached reports, host list, and licenses, install the Unix Manager to your previous installation folder.

9. Start the Unix Manager. For more information, see “Starting Unix Manager” on page 26.

10. Type your password in the window, and then click Accept.

Importing the Host List

If you do not immediately see all your managed agents in Unix Manager, complete the following procedure to import the host list. Importing the host list allows you to maintain uninterrupted communication with your previously installed Unix agents.

To import the host list:

1. Start the Unix Manager. For more information, see “Starting Unix Manager” on page 26.

2. In the left pane, click Manage Agents.

3. Click Hosts > Edit Hosts.

4. Click Import Hosts.

5. Navigate to the location of your saved agent host file and click Open. For more information, see “Exporting the Host List” on page 9.

6. Click Save.

7. Click Hosts > Scan All Hosts to restore communication with your previously installed Unix agents.

Note: Upgrading your Unix Manager implementation allows you to retain your previous password.

Upgrading Unix Agents

The following procedures provide methods for upgrading Unix agents without losing data or customizations. You can either remotely upgrade your agents from the Unix Manager or install the agent locally. Complete one of the following procedures to upgrade your agents.

Upgrading Agents Remotely

The following procedure guides you through upgrading Unix agents with Unix Manager.

To upgrade agents using the Unix Manager:

1. Start the Agent Manager. For more information, see “Starting Agent Manager” on page 8.

2. Click Hosts > Scan All Hosts to update the status of the Unix agents in the agent summary table.

3. Review the right pane and verify that all agent computers are listed and communicating properly. The UAgent and UVserv columns should be green for all the agents you want to upgrade.

4. Click Hosts > Patch Mgr to open the Patch Manager.

5. Select all hosts in the Hosts Running uAgent list.

6. Select NSAU 5.6.0.0 in the Patches Available list.

7. Click Apply. The time necessary to update your agents depends on the number of agents to update, distance from the Unix Manager console, network connectivity, and bandwidth, among other factors. This process can take up to 20 minutes per agent.

8. Click Close to close the Patch Manager.

9. Click Hosts > Scan All Hosts to update the status of the Unix agents in the agent summary table.

Upgrading Agents Locally

The following procedure guides you through logging on to a Unix agent computer and locally upgrading the agent.

To install an agent on the local computer:

1. Log on to an agent computer using the root account.

2. Mount the CD drive. For more information on mounting the CD drive to preserve long file names, see “Mounting the Drive Used to Read the Installation CD” on page 31.

3. Change directories to the CD drive, and then enter the following command to start the install script:

/bin/sh ./install.sh

4. Press Enter.

5. Press Enter to accept the default installation directory. If you want to change the installation directory, type an alternate directory to use.

6. Press Enter to confirm the installation directory.

7. Press Enter to accept the default uvserv port.

8. Press Enter to accept the default uagent port.

9. Press Enter to accept the recommended start method for the agent daemons or supply one of the following alternate start methods:

rclink: Starts the agent daemons immediately after the deployment process and adds a startup script to the /etc/rc.d directory. This startup script starts the agent daemons after each reboot when the master rc script runs.

inittab: Starts the agent daemons immediately after the deployment process and adds an entry to the /etc/inittab file. This inittab file entry starts the agent daemons at the default run level after each reboot.

inetd: Configures the (x)inetd daemon to start the agent daemons when needed and then stop and unload the agent daemons. The inetd start method is recommended for the agent daemons.

10. Press Enter to accept the recommended start method for the event detection and alerting daemon. Alternately, you can select rclink as your start method. For more information about rclink or inittab, see the previous step.

11. If you are installing the agent for Secure Configuration Manager, enter the IP address of the Secure Configuration Manager Core Services computer and press Enter to accept the default Core Services port.

12. If you do not have Secure Configuration Manager, press Enter to omit the IP address of the Core Services computer and press Enter to continue.

13. If you are installing the agent for Intrusion Manager, enter the IP address of the Security Manager central computer, and then enter 1636 for the Security Manager port. If you want to configure the agent to send data to multiple configuration groups or failover central computers for Intrusion Manager, configure these options after upgrading the agent. For more information, see “Configuring IP Addresses and Updating Ports” on page 17.

14. If you do not have Security Manager, press Enter to omit the IP address of the Security Manager central computer and then press Enter to continue.

15. If you want the Unix agent to send SNMP traps, enter the IP address of the SNMP management console computer.

16. If you do not want the Unix agent to send SNMP traps, press Enter to omit the IP address of the SNMP management console.

17. Press Enter to install the agent files.

18. Press Enter to start the daemons.

19. Eject the product CD and log off the agent computer.

Configuring IP Addresses and Updating Ports

Your agents integrate easily with your existing Security Manager, Secure Configuration Manager, and SNMP management implementations. To successfully integrate your agents, ensure your Unix Manager and your Unix agents are the most current version. For more information, see “Upgrading” on page 7.

The following procedure guides you through the process of integrating existing Unix agents with Secure Configuration Manager or Security Manager. You can also use this procedure to update communication ports and IP addresses.

To configure IP addresses and update your port assignments:

1. Start Unix Manager. For more information, see “Starting Unix Manager” on page 26.

2. In the left pane, click Manage Agents.

3. Click Hosts > Scan All Hosts to update the status of your Unix agents.

4. Click Hosts > Configure Agent.

5. On the Agent Options window, select the agents you want to update, then click Parameters.

6. On the Agent Parameters window, provide the appropriate information.

• If you have Intrusion Manager, type the IP address of the Security Manager central computer, a colon (:), and then the Security Manager port number in the appropriate field. For example, type 10.10.123:1636.

• If you have Intrusion Manager and want the agent to send event information to more than one Security Manager configuration group, separate the central computer IP address and port number for each configuration group with a comma (,). For example, type 10.10.123:1636,10.10.135:1636.

• If you have Intrusion Manager and want to specify failover Security Manager central computers, separate the IP address and port number for each Security Manager central computer with a bar (|). Failover occurs in the order you specify, from left to right, with the first central computer acting as the primary central computer. For example, type 10.10.123:1636|10.10.135:1636.

• If you have Secure Configuration Manager, type the IP address of the Secure Configuration Manager Core Services computer, a colon (:), and then the Secure Configuration Manager port number in the appropriate field. For example, type 10.16.23.12:1626.

• If you have implemented an SNMP management solution, type the IP address of the SNMP console computer, a colon (:), and then the SNMP console computer port number.

7. Click OK.
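As an added example that is not part of this guide or of NetIQ's software, the following Python script parses the three Agent Parameters fields in the formats described above (IP:port, a comma between Security Manager configuration groups, a bar between failover central computers within a group) and lists every destination the agent will connect to, which is what a host firewall or egress filter on the agent computer has to allow. The addresses are constructed documentation-range values, the function names are the example's own, and the default ports 1626 and 1636 are taken from the agent requirements table.

```python
"""Parse the Agent Parameters fields and derive the agent's outbound targets.

Constructed example, not NetIQ code. Field formats follow the guide:
IP:port, with ',' between Security Manager configuration groups and '|'
between failover central computers within one group.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple

# Default middle-tier ports from the Unix agent requirements table.
DEFAULT_INTRUSION_MANAGER_PORT = 1636
DEFAULT_CORE_SERVICES_PORT = 1626


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


def parse_endpoint(text: str) -> Endpoint:
    """Parse one 'IP:port' token; raise ValueError on anything malformed."""
    ip_text, sep, port_text = text.strip().rpartition(":")
    if not sep or not ip_text or not port_text.isdigit():
        raise ValueError(f"expected IP:port, got {text!r}")
    IPv4Address(ip_text)  # strict dotted-quad check; raises a ValueError subclass
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {text!r}")
    return Endpoint(ip_text, port)


def parse_security_manager_field(text: str) -> List[List[Endpoint]]:
    """Return one failover chain per configuration group.

    Groups are comma separated; inside a group the '|'-separated entries are
    kept in order, primary first, matching the left-to-right failover order
    the guide describes.
    """
    groups = []
    for group_text in text.split(","):
        chain = [parse_endpoint(token) for token in group_text.split("|")]
        groups.append(chain)
    return groups


def outbound_targets(security_manager: str = "", core_services: str = "",
                     snmp_console: str = "") -> List[Tuple[str, Endpoint]]:
    """Flatten the three fields into (role, endpoint) pairs.

    The result is the complete set of destinations the agent must reach,
    so it doubles as the egress allow-list for the agent host.
    """
    targets: List[Tuple[str, Endpoint]] = []
    if security_manager:
        for g, chain in enumerate(parse_security_manager_field(security_manager)):
            for f, endpoint in enumerate(chain):
                targets.append((f"security-manager group={g} failover={f}", endpoint))
    if core_services:
        targets.append(("secure-configuration-manager", parse_endpoint(core_services)))
    if snmp_console:
        targets.append(("snmp-console", parse_endpoint(snmp_console)))
    return targets


def port_warnings(targets: List[Tuple[str, Endpoint]]) -> List[str]:
    """Flag NetIQ destinations not on their documented default port.

    A non-default port is usually either a typo in the field or a deliberate
    change that the firewall rules on both sides must also reflect.
    """
    expected = {
        "security-manager": DEFAULT_INTRUSION_MANAGER_PORT,
        "secure-configuration-manager": DEFAULT_CORE_SERVICES_PORT,
    }
    warnings = []
    for role, endpoint in targets:
        default = expected.get(role.split(" ")[0])
        if default is not None and endpoint.port != default:
            warnings.append(
                f"{role}: {endpoint.ip}:{endpoint.port} is not on default port {default}")
    return warnings


if __name__ == "__main__":
    # Constructed sample values (192.0.2.0/24 is reserved for documentation):
    # two configuration groups, the first with one failover central computer.
    sm_field = "192.0.2.10:1636|192.0.2.11:1636,192.0.2.20:1636"
    targets = outbound_targets(sm_field, "192.0.2.30:1626", "192.0.2.40:162")
    for role, endpoint in targets:
        print(f"allow {endpoint.ip}:{endpoint.port}  ({role})")
    for warning in port_warnings(outbound_targets("192.0.2.10:1700")):
        print("WARNING:", warning)
```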

Chapter 3

Installing Unix Manager and Unix Agents

The following sections guide you through the initial installation of the Unix Manager, if necessary, and your Unix agents. The information provided in these sections ensures error-free implementation and accelerated agent deployment.

Checklist for Installing Unix Agents

The following checklist guides you through reviewing the requirements and installing the Unix Manager and your agents. By the time you complete the checklist, your agents should already be communicating with Secure Configuration Manager, NetIQ Security Manager, or both. For information about upgrading existing agents, see “Licensing and Upgrading” on page 5.

To deploy your Unix agents, complete the following checklist.

Tasks to Deploy Unix Agents

1. Ensure you have correctly installed Secure Configuration Manager or NetIQ Security Manager before installing your agents. For more information, see the Installation Guide for Secure Configuration Manager or the Installation Guide for NetIQ Security Manager.

2. If you are upgrading existing agents, see “Licensing and Upgrading” on page 5.

3. If you want to install Unix agents for NetIQ Security Manager, review the requirements for the Unix Manager. For more information, see “Unix Manager Computer Requirements” on page 21. After reviewing, install Unix Manager. For more information, see “Installing Unix Manager” on page 24.

4. Review the Unix agent requirements. For more information, see “Unix Agent Computer Requirements” on page 22.

5. Start the Unix Manager. For more information, see “Starting Unix Manager” on page 26.

6. Install your Unix agents. For more information, see “Installing Unix Agents” on page 28.

7. Synchronize your Unix agents. For more information, see “Synchronizing Unix Agents” on page 35.

8. If you received a license file from your NetIQ Sales Representative, install the license file. For more information, see “Installing a Unix Agent License” on page 6.

9. If you installed Unix agents for NetIQ Security Manager, configure your agents appropriately. For more information, see “Configuring Security Manager Support” on page 39.

10. If you installed Unix agents for Secure Configuration Manager, verify that the Unix agents correctly registered with Secure Configuration Manager. For more information, see the User Guide for Secure Configuration Manager.

Requirements

The following sections outline the computer, operating system, and software requirements for the Unix Manager and your Unix agents.

Unix Manager Computer Requirements

The following table describes the hardware and software requirements for the computer on which you install the Unix Manager. You can use the Unix Deployment wizard, accessed through either the Unix Manager or Secure Configuration Manager, to deploy Unix agents.

Operating Systems: You can install the Unix Manager on a computer with one of the following operating systems:

• Microsoft Windows 2000, XP, and 2003

• Sun Solaris 8, 9

• Red Hat Linux on Intel platforms

Memory: 128MB minimum RAM

Hard Disk Space: 500MB minimum, more for large report caches

Monitor: 1024x768 or higher resolution

Software Dependencies: The Unix Manager requires one of the following software programs or suites to support installing agents remotely:

• SSH protocol version 2 and SFTP

• FTP and telnet

If you have SSH protocol version 2 installed, you can take advantage of the secure file transfer features in the Agent Manager and the Deployment wizard. To download the latest version of OpenSSH, a free source for the SSH protocol, see www.openssh.org.

The Unix Manager also requires one of the following Web browsers:

• Internet Explorer 5.5 or later

• Netscape Communicator 6 or later

• Mozilla

• Other browsers with Internet Explorer compatibility modes

Unix Agent Computer Requirements

The following table describes the hardware and software requirements for computers where you want to deploy Unix agents. For more information about supported versions, see the Release Notes for NetIQ Security Agent for Unix.

Operating Systems:

• Compaq Tru64 UNIX

• HP-UX Integrity and PA-RISC

• IBM-AIX

• IBM Linux on Power

• Red Hat Enterprise Linux (RHEL)

• Silicon Graphics IRIX

• Sun Solaris

• Novell SuSE Linux for Enterprise Servers (SLES)

Memory: Unix agents have the following memory requirements:

• 128MB minimum RAM

• 512MB swap file (virtual memory)

IP Addresses: The Unix agents can support a number of event consolidation, vulnerability assessment, and SNMP management products. If you want to integrate your agents with these products, you must provide the IP addresses of the following computers:

• NetIQ Security Manager central computer

• Secure Configuration Manager Core Services computer

• SNMP Management console computer

Default Port Assignments: Unix agents listen on the following default ports:

• 1622 (NetIQ Security Manager Log Manager [SSL])

• 2620 (Unix Manager [Blowfish])

Unix agents also open the following middle-tier ports:

• 1626 (Secure Configuration Manager [SSL])

• 1636 (NetIQ Security Manager Intrusion Manager [SSL])

You can configure Unix agents to use different ports. For more information, see “Configuring IP Addresses and Updating Ports” on page 17.

Hard Disk Space: 200MB minimum, plus 400 bytes per inode used by local file systems

Accounts: The Unix Deployment wizard requires root access for the computer on which you want to install Unix agents. The root password is only used by the wizard at installation. It is not stored.

Unix Agent Communication Protocols

Unix agents communicate with Secure Configuration Manager and Log Manager using authentication and encryption. Unix agents communicate with Intrusion Manager using encryption only. However, Unix agents send event information only to the IP address and port number you specify during installation. For more information about ports and encryption protocols for each port, see “Unix Agent Computer Requirements” on page 22.

Installing Unix Manager

Unix Manager can be installed on Windows, Unix, and Linux computers. The Unix Manager helps you install, upgrade, and configure your Unix agents. When you want to integrate Unix agents with your NetIQ Security Manager implementation, you must install the Unix Manager. The Unix Manager can be installed with Secure Configuration Manager, although you can install Unix Manager as a stand-alone application. Complete one of the following sections to install the Unix Manager:

• “Installing Unix Manager on a Windows Computer” on page 24

• “Installing Unix Manager on a Solaris or Red Hat Computer” on page 25

Installing Unix Manager on a Windows Computer

Complete the following steps to install the Unix Manager on a Windows computer. You use the Unix Manager to install, configure, manage, and upgrade Unix agents.

If you are installing the Unix Manager on a computer running Windows Server 2003 Service Pack 1 or Windows XP Service Pack 2, ensure the Data Execution Prevention (DEP) feature on the computer allows you to run SETUPforWINDOWS.EXE and install UM_install_Windows.exe. For more information about configuring the DEP feature, see Microsoft Knowledge Base Article 875352, available at support.microsoft.com.

To install the Unix Manager on a Windows computer:

1. Log on to the Windows computer using a local administrator account.

2. Run SETUPforWINDOWS.EXE in the root folder of the installation kit.

Note: When you put the CD in the drive, the setup program should automatically start.

3. Click Check Version on the Setup tab to check the product version of the installation kit against the newest available product version on the Web site.

4. If you do not have the latest version of the product, download the latest product version.

5. If you downloaded a newer version of the installation kit, complete the instructions provided with the download to extract the installation kit and then run SETUPforWINDOWS.EXE in the root folder.

6. Click Begin Unix Manager for Windows Setup on the Setup tab.

7. Complete the automatic installer wizard. The wizard guides you through the Trial Software License Agreement and installs the Unix Manager to the folder that you specify.

8. Start the Unix Manager. For more information, see “Starting Unix Manager on a Windows Computer” on page 27.

9. Type and confirm a password in the window and then click Accept.

Installing Unix Manager on a Solaris or Red Hat Computer

You can also install the Unix Manager on Solaris or Red Hat computers.

To install the Unix Manager on a Solaris or Red Hat computer:

1. Log on to the computer. Depending on the platform you want to monitor, you may need the root password to install the Unix Manager.

2. Verify that the current Recommended & Security Patch clusters are installed on your operating system.

3. Change directories to where you copied the installation kit for the Unix Manager. Within the installation kit, change directories to where the installation files are located.

Note: Remember your password. You must type the same password every time you start the Unix Manager.

4. Open WELCOME_UNIX.HTM in a Web browser and click Check Version to check the product version of the installation kit against the newest available product version on the Web site.

5. If you are installing the Unix Manager on a Solaris computer, start the installer script by entering the following command:

./UM_install_Solaris.sh

6. If you are installing the Unix Manager on a Red Hat computer, start the installer script by entering the following command:

./UM_install_Linux.sh

7. Complete the installation script. The script guides you through the License Agreement and installs the Unix Manager and a symbolic link to the directory that you select.

8. Start the Unix Manager. For more information, see “Starting Unix Manager on a Unix or Linux Computer” on page 26.

Starting Unix Manager

The Unix Manager provides a number of services, including access to your Unix agents without the interaction of Secure Configuration Manager or NetIQ Security Manager and the ability to install, configure, manage, and upgrade Unix agents. The following procedures guide you through starting the Unix Manager.

Starting Unix Manager on a Unix or Linux Computer

Complete the following procedure to start the Unix Manager on a Unix or Linux computer.

To start Unix Manager on a Unix or Linux computer:

1. At a command prompt, enter the following commands:

cd InstallDirectory/NetIQ/VSAU
./VSAU.sh

By default, the InstallDirectory is the install directory configured for the logged on account. Typically, the install directory is /usr.

2. Type your password.

3. If this is your first time starting Unix Manager, confirm your password.

4. Click Accept.

Starting Unix Manager on a Windows Computer

Complete the following procedure to start the Unix Manager on a Windows computer.

To start Unix Manager on a Windows computer:

1. Start the Unix Manager in the NetIQ Security Agents program group.

2. Type your password.

3. If this is your first time starting Unix Manager, confirm your password.

4. Click Accept.

Note: Remember your password. You must type the same password every time you start the Unix Manager.

Starting Unix Manager from the Secure Configuration Manager Console

Complete the following procedure to start the Unix Manager from the Secure Configuration Manager console.

To start Unix Manager from the Secure Configuration Manager console:

1. Open the Secure Configuration Manager console.

2. On the Tools menu, click Unix Manager.

3. Type your password.

4. If this is your first time starting Unix Manager, confirm your password.

5. Click Accept.

Note: Remember your password. You must type the same password every time you start the Unix Manager.

Installing Unix Agents

Install, configure, and start Unix agents using one or a combination of the following methods:

• “Installing Unix Agents Remotely” on page 29

• “Installing Unix Agents Locally” on page 31

Installing Unix Agents Remotely

Remotely installing Unix agents provides a convenient and uniform method for deploying Unix agents. You can use the Deployment wizard provided in the Unix Manager for remote deployment, unless one or more of the following conditions exist:

• Your site standards prohibit your access to root passwords.

• Your site standards require a specific software distribution mechanism.

• Your site standards prohibit software distribution mechanisms.

You can use the Deployment wizard to deploy Unix agents for NetIQ Security Manager and Secure Configuration Manager.

The Deployment wizard attempts to transfer files and access remote computers using the secure shell program (SSH version 2). SSH version 2 protects security critical information such as the root password from being transmitted unencrypted to the remote computer. If SSH version 2 is not running on the agent computer, the Deployment wizard can transfer files using FTP and access the agent computer using telnet. However, FTP is not a secure transfer method, and telnet does not encrypt passwords. To ensure secure file transfer, install SSH version 2. You can download OpenSSH, a free version of the SSH version 2 protocol suite, from www.openssh.org.

Complete the following steps to remotely install and configure your initial Unix agent implementation. For more information about installing agents locally, see “Installing Unix Agents Locally” on page 31.

To remotely deploy Unix agents:

1. Start the Unix Manager. For more information, see “Starting Unix Manager” on page 26.

2. In the right pane, click Deploy Agents Remotely.

3. On the Target Computer Search window, complete the appropriate information to limit or extend the search capabilities of the wizard, and then click Next. For more information about fields on this window, see the Help.

4. On the Target Computer Selection window, select and add computers to the Target Computers, and then click Next. If the search did not return the appropriate computer, you can add the computer using the IP address. For more information about fields on this window, see the Help.

5. On the Deployment Parameters window, select the target computers that share the same parameters and click Define Parameters.

6. Ensure you specify the appropriate information on each tab of the Define Deployment Parameters window and click OK. For more information about the fields on any tab, click Help.

7. Repeat Steps 5 through 6 until you have defined parameters for all agents to deploy.

8. Click Next.

9. On the Deployment Parameter Verification window, click Begin Verification.

10. Verification may take a few minutes or longer, depending on how many agents you are deploying. After verification completes, click Next.

11. Review the Parameter Verification Results window.

12. If any agents failed verification, correct the failures. Complete one or more of the following tasks to troubleshoot and correct the failures:

• To review more information about the problem, click Show Problems.

• To correct the deployment parameters, click Redefine Parameters. After you redefine parameters, repeat Steps 8 through 12.

• To remove a computer that failed verification, select the computer and click Remove from List.

13. Click Next.

14. On the Agent Deployment window, click Begin Deployment. When you have installed all your agents, click Next.

15. Review the Deployment Results window and click Finish. For more information, see the Help.

Installing Unix Agents Locally

You can use the installation script on the product CD-ROM to manually install and configure Unix agents. The local install script does not require SSH, FTP, or telnet. You can use this method to successfully install Unix agents when one or more of the following conditions exist:

• SSH, FTP, and telnet services are disabled or not installed on the agent computer.

• The Unix Manager or Secure Configuration Manager are in a different or inconvenient location.

• Your site standards prohibit software distribution mechanisms.

Mounting the Drive Used to Read the Installation CD

The installation CD requires the ability to support long file names. Most operating systems automatically provide support for this functionality. To ensure long file name support on either HP-UX or IBM AIX, you must enable this support either before mounting the CD or while mounting the CD.

To mount the product CD with support for long file names on an HP-UX or IBM AIX computer:

1. If you want to mount the product CD on an HP-UX computer, complete the following steps to mount the CD drive in a way that preserves long file names:

a. Log on to the HP-UX computer as root, or log on normally and su to root.

b. Find the device name by entering the following at the prompt:

ioscan -C disk -f -n

For example, a typical device name is /dev/rdsk/c0t6d0.

c. If a mount point does not exist, create a mount point by entering the following command:

mkdir /cdrom

d. Open /etc/pfs_fstab in an editor.

e. Add an entry for your CD-ROM that specifies your CD-ROM device name, followed by a mount point. Consider the following sample entry:

/dev/rdsk/c0t6d0 /cdrom pfs-rrip xlat=unix 0

f. Start the pfs daemons.

g. If you want to create an rc script that automatically starts the daemons, type the following lines in an rc script:

nohup /usr/sbin/pfs_mountd > /dev/null 2>&1 &

nohup /usr/sbin/pfsd 4 > /dev/null 2>&1 &

h. Insert the product CD-ROM in the CD-ROM drive.

i. Enter the following command to mount the CD-ROM:

/usr/sbin/pfs_mount /cdrom

where /cdrom is the mount point you defined in /etc/pfs_fstab.

2. If you want to mount the product CD on an IBM AIX computer, mount the CD drive by entering the following command:

mount -v cdrfs -o ro /dev/cd0 /cdrom

Installing the Unix Agent on a Local Computer

Complete the following steps to install, configure, and start an agent on the local computer. For more information about installing a Unix agent remotely, see “Installing Unix Agents Remotely” on page 29.

To install an agent on the local computer:

1. Log on to an agent computer using the root account or log on normally and su to root.

2. Mount the CD-ROM in a way that preserves long file names. For more information, see “Mounting the Drive Used to Read the Installation CD” on page 31.

3. Change directories to the CD-ROM mount point or the root directory of the product installation kit.

4. Enter the following command to start the installer script:

/bin/sh ./install.sh

5. Press Enter.

6. Press Enter to accept the default installation directory or enter an alternative installation directory.

7. Press Enter to confirm the installation directory.

8. Press Enter to accept the default uvserv port.

9. Press Enter to accept the default uagent port.

10. Press Enter to accept the default start method for the agent daemons or enter one of the following start methods:

rclink
Starts the agent daemons immediately after the deployment process completes and adds a startup script to the /etc/rc.d directory, which starts the agent daemons when the master rc script runs after each reboot.

inittab
Starts the agent daemons immediately after the deployment process completes and adds an entry to the /etc/inittab file, which starts the agent daemons at run level 3 after each reboot.

inetd
Configures the (x)inetd daemon to start the agent daemons when they are needed and unload the agent daemons when they are no longer needed. inetd is the recommended start method for the agent daemons.

11. Press Enter to accept the default start method for the event detection and alerting daemon or enter one of the following start methods:

rclink
Starts the detection and alerting daemon immediately after the deployment process completes and adds a startup script to the /etc/rc.d directory, which starts the detection and alerting daemon when the master rc script runs after each reboot.

inittab
Starts the event detection and alerting daemon immediately after the deployment process completes and adds an entry to the /etc/inittab file, which starts the event detection and alerting daemon at run level 3 after each reboot. inittab is the recommended start method for the event detection and alerting daemon.

12. If you are installing the agent for Secure Configuration Manager, enter the IP address of the Core Services computer and press Enter to accept the default Core Services port.

13. If you do not have Secure Configuration Manager, press Enter to omit the IP address of the Core Services computer and press Enter again to continue.

14. If you are installing the agent for Intrusion Manager, enter the IP address of the NetIQ Security Manager central computer, and then enter 1636 for the default NetIQ Security Manager port. If you want to configure the agent to send data to multiple configuration groups or failover central computers for Intrusion Manager, configure these options after installing the agent. For more information, see “Configuring IP Addresses and Updating Ports” on page 17.

15. If you do not have NetIQ Security Manager, press Enter to omit the IP address of the Security Manager central computer and press Enter again to continue.

16. If you want the Unix agent to send SNMP traps, enter the IP address of the SNMP management console computer.

17. If you do not want the Unix agent to send SNMP traps, press Enter to omit the IP address of the SNMP management console.

18. Press Enter to install the agent files.

19. Press Enter to start the daemons.

20. Eject the product CD-ROM.

21. Log off the agent computer.

Synchronizing Unix Agents

If you installed the Unix agent locally or if you want to reset the encryption keys used by Unix Manager to communicate with Unix agents, you can synchronize the Unix agents. Synchronizing Unix agents generates new encryption keys for Unix Manager and the Unix agents and helps you verify the Unix agents are successfully communicating with the Unix Manager or Secure Configuration Manager.

Notes

• If the UAgent or UVserv columns display cells of a different color, the agent may not have started successfully or there may be another problem, such as a firewall between the Unix agents and the Unix Manager blocking ports. For more information about the meaning of the colors, see the Help.

• If the Unix Manager is unable to find the psekfile, which is the encryption key, you can resolve this issue by manually deleting the psekfile from the host computer. By default, the psekfile is located in the bin folder of the agent installation directory. After you delete the psekfile, regenerate the encryption key and then scan the host computer.

To synchronize Unix agents:

1. Start the Agent Manager. For more information, see “Starting Agent Manager” on page 8.

2. If you installed agents locally or if not all of your agent computers are listed in the Current Hosts list, complete the following steps:

a. Click Hosts > Edit Hosts.

b. In the field to the right of the Add button, type the host name of the agent computers that you want to add and then click Add. You can add multiple computers by delimiting the host names with a semicolon (;).

c. Click Save.

3. Click Hosts > Scan All Hosts to update the status of the Unix agents. When the scan completes, Unix agents you added in Step 2 show a yellow psekfile? cell in the UAgent column and a green Running cell in the UVserv column. For more information about the meaning of the colors, see the Help.

4. Generate and synchronize new encryption keys by completing the following steps:

a. Select Licenses > Re-Generate Keys.

b. Select all computers in the Hosts to recreate key list.

c. Click Okay to start the synchronization process, which may take a few minutes or more to complete.

5. Select Hosts > Scan All Hosts to update the agent summary table.

6. Review the agent summary table to verify that the Unix agents are communicating properly. All Unix agents should have green cells in the UAgent column and green or orange cells in the UVserv column, the operating system type should be displayed in the OS Type column, and version numbers should appear for the components in the component columns. The Detect column may have cells with a different color. For more information about the meaning of the colors, see the Help.

7. Complete the following steps to save the host file, which you can import at any time to restore the hosts in the agent summary table to the current configuration:

a. Click Hosts > Edit Hosts.

b. Select all hosts in the Current Hosts list.

c. Click Export Selected.

d. Save the host file to a safe location.

Chapter 4

Configuring Security Manager Support

This section includes steps to guide you through the tasks required to configure Unix agents to send events to Security Manager. Ensure you have configured your agents to communicate with Security Manager. For more information, see “Configuring IP Addresses and Updating Ports” on page 17.

Configuring Basic Security Manager Support

The following sections provide step-by-step guidance on configuring basic Security Manager support on your Unix agents. Completing these sections will immediately configure your agents for Security Manager support.

Installing the TCP Daemon

The Unix Manager includes a mechanism for installing the tcp daemon on agent computers. The tcp daemon captures events logged by (x)inetd, which is a daemon that controls services such as FTP and telnet. You can install the tcp daemon to capture (x)inetd events for Intrusion Manager and Log Manager. Complete the following steps to install the tcp daemon on an agent computer. You must repeat the steps for each computer where you want to install the tcp daemon.

To install the tcp daemon on an agent computer:

1. Start the Unix Manager. For more information, see “Starting Unix Manager” on page 26.

2. Click Manage Resource Access.

3. Click File > Open to open a session with an agent computer.

4. In the computer selection window, select an agent computer on which you want to install the tcp daemon.

5. Click Select.

6. Click File > Install Tcpd to install the tcp daemon on the selected agent computer.

7. Click File > Close to close the session with the agent computer.

Activating the Most Current Rule Sets

Complete the following steps to activate the rule set delivered with the latest version of Unix Manager on your agent computers. These rules configure the event detection and alerting daemon to send events to the Security Manager Intrusion Manager and spool events for the Security Manager Log Manager.

To deploy rule sets to agent computers:

1. Start the Unix Manager. For more information, see “Starting Unix Manager” on page 26.

2. Click Rules Manager.

3. If you want to make changes to the default rule set displayed in the Rules Manager, customize the rule set as needed until the rule set is correctly configured for your environment. For more information about configuring custom rule set elements, see Appendix A, “Creating and Managing Unix Rules.”

4. If you made changes to the rule set, save a copy by clicking File > Save As and completing the Save window.

5. Click File > To Hosts.

6. In the Available Hosts list, select the agent computers where you want to deploy the rule set.

7. Click Select to deploy the rule set. The detectd process, which is a watchdog process, begins processing and initializing the new rule set immediately. However, it may take up to 30 seconds for the new rule set to take effect.

8. Click Manage Agents.

9. Click Hosts > Scan All Hosts.

10. Verify that the rule set is active on the agent computers. The Detect column shows green cells for all agents with an active rule set.

Note

You cannot use custom rule sets that you created for previous versions of the product with the current version of the product. However, you can manually copy and paste elements from your custom rule set to the default rule set. For more information about copying and pasting rule elements, see the Help.

Configuring Extended Security Manager Support

The tasks in this section help you enable and configure process accounting on Unix computers and the Basic Security Module on Solaris computers. Enabling this functionality provides additional auditing of security-related events beyond the scope of events that are logged to syslog.

Many security-related events are logged to the syslog facility, which is enabled by default on all Unix operating systems supported by Security Manager. All events logged to syslog are sent to Intrusion Manager and collected by Log Manager. However, Intrusion Manager and Log Manager can also process security-related events logged by modules that are not enabled by default, such as process accounting and the Basic Security Module on Solaris.

You can enhance security event reporting in Intrusion Manager and Log Manager by enabling process accounting. You can also enable and configure the Basic Security Module on Solaris to map the events for Intrusion Manager. However, enabling process accounting and the Basic Security Module substantially increases the activity on the monitored computer and also changes the base computer configuration, which may not be allowed per your site standards. Enabling process accounting and the Basic Security Module are optional tasks. Do not enable these modules if syslog reports the events you want to monitor.

Unix administrators need the following items to enable extended Security Manager support, which includes process accounting and the Basic Security Module on Solaris:

• The product installation kit

• The root password for the agent computers

Enabling Process Accounting

Enabling process accounting provides additional events to Intrusion Manager and Log Manager. This section provides information about enabling process accounting and configuring rc scripts to automatically restart process accounting after a reboot.

Enabling Process Accounting on AIX Computers

The steps in this section help you start and restart process accounting on AIX computers.

To enable process accounting, enter the following command at the prompt:

/usr/sbin/acct/accton /var/adm/pacct

You can also enter the following line in an rc script to automatically restart process accounting:

/usr/bin/su - adm -c /usr/sbin/acct/startup

Enabling Process Accounting on HP-UX Computers

The steps in this section help you start and restart process accounting on HP-UX computers.

To enable process accounting, enter the following command at the prompt:

/usr/sbin/acct/startup

You can also enter the following line in the /etc/rc.config.d/acct script to automatically restart process accounting:

START_ACCT=1

Enabling Process Accounting on Red Hat Linux

The steps in this section help you configure process accounting on Red Hat Linux computers.

To configure process accounting on Red Hat Linux computers:

1. Install the psacct package located in the Linux installation kit. This package is not installed by default unless you installed all available packages. For more information about installing the psacct package, see the Red Hat Linux documentation.

2. Modify your system init script to automatically start process accounting by adding the following lines:

# Turn process accounting on.
if [ -x /sbin/accton ]
then
    /sbin/accton /var/log/pacct
    echo "Process accounting turned on."
fi

3. Create an accounting record file named pacct by entering the following command:

touch /var/log/pacct

By default, the process accounting software records every executed command in the file /var/log/pacct.

4. Modify the permissions of the pacct file by entering the following commands:

chown root /var/log/pacct

chmod 644 /var/log/pacct

Enabling Process Accounting on Solaris Computers

The steps in this section help you start and restart process accounting on Solaris computers.

To start process accounting, enter the following command at the prompt:

/usr/lib/acct/accton /var/adm/pacct

You can also enter the following commands to automatically restart process accounting:

ln /etc/init.d/acct /etc/rc2.d/S22acct

ln /etc/init.d/acct /etc/rc0.d/K22acct

Enabling and Configuring the Basic Security Module on Solaris

Intrusion Manager and Log Manager can process events from the Basic Security Module on Solaris computers. Intrusion Manager can alert you to security events reported by the Basic Security Module. The steps in this section help you enable and configure the Basic Security Module. The steps also help you archive and delete audit log files.

Enabling the Basic Security Module

The Basic Security Module is disabled by default on Solaris computers. Complete the following steps to enable the Basic Security Module.

To enable the Basic Security Module:

1. Change directories to /etc/security.

2. Enter ./bsmconv at the prompt to run a script that enables and configures the Basic Security Module to automatically restart after a reboot.

Configuring the Basic Security Module

Complete the following steps to configure the Basic Security Module to correctly map events for Intrusion Manager.

To configure the Basic Security Module for Intrusion Manager:

1. Modify the /etc/security/audit_class file by adding the following three lines:

0x00010000:nb:NetIQ success&failure
0x00020000:ns:NetIQ success
0x00040000:nf:NetIQ failure

between the following lines:

0x00004000:ap:application
0x20000000:io:ioctl

2. Modify the /etc/security/audit_control file by changing the flags as follows:

flags:nb,+ns,-nf

3. Modify the /etc/security/audit_event file by appending nb or nf to the end of the lines as follows:

2:AUE_FORK:fork(2):pc,nb
4:AUE_CREAT:creat(2):fc,nb
5:AUE_LINK:link(2):fc,nb
6:AUE_UNLINK:unlink(2):fd,nb
7:AUE_EXEC:exec(2):pc,ex,nb
10:AUE_CHMOD:chmod(2):fm,nb
11:AUE_CHOWN:chown(2):fm,nb
23:AUE_EXECVE:execve(2):pc,ex,nb
25:AUE_VFORK:vfork(2):pc,nb
30:AUE_FCNTL:fcntl(2):fm,nb
37:AUE_SETTIMEOFDAY:settimeofday(2):ad,nb
38:AUE_FCHOWN:fchown(2):fm,nb
39:AUE_FCHMOD:fchmod(2):fm,nb
40:AUE_SETREUID:setreuid(2):pc,nb
41:AUE_SETREGID:setregid(2):pc,nb
42:AUE_RENAME:rename(2):fc,fd,nb
43:AUE_TRUNCATE:truncate(2):fd,nb
44:AUE_FTRUNCATE:ftruncate(2):fd,nb
50:AUE_ADJTIME:adjtime(2):ad,nb
72:AUE_OPEN_R:open(2) - read:fr,nf
73:AUE_OPEN_RC:open(2) - read,creat:fc,fr,nf
74:AUE_OPEN_RT:open(2) - read,trunc:fd,fr,nb
75:AUE_OPEN_RTC:open(2) - read,creat,trunc:fc,fd,fr,nb
76:AUE_OPEN_W:open(2) - write:fw,nb
77:AUE_OPEN_WC:open(2) - write,creat:fc,fw,nb
78:AUE_OPEN_WT:open(2) - write,trunc:fd,fw,nb
79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw,nb
80:AUE_OPEN_RW:open(2) - read,write:fr,fw,nb
81:AUE_OPEN_RWC:open(2) - read,write,creat:fc,fw,fr,nb
82:AUE_OPEN_RWT:open(2) - read,write,trunc:fd,fr,fw,nb
83:AUE_OPEN_RWTC:open(2) - read,write,creat,trunc:fc,fd,fw,fr,nb
111:AUE_CORE:process dumped core:fc,nb
201:AUE_STIME:old stime(2):ad,nb
214:AUE_SETEGID:setegid(2):pc,nb
215:AUE_SETEUID:seteuid(2):pc,nb
241:AUE_FORK1:fork1(2):pc,nb

4. Change the init level or reboot the computer to restart the Basic Security Module.
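The following Python script is an added example, not NetIQ code, that checks the contents of audit_class, audit_control, and audit_event for the edits in steps 1 through 3: the three NetIQ classes exist with the stated masks and share no mask bits with any other class, the flags line selects them, and the listed events carry nb or nf. The file contents are constructed fragments that cover only a subset of the step 3 events; on a host, read the real files under /etc/security and pass their text to check_bsm_config.

```python
# Constructed sample: audit_class with the three NetIQ classes between ap and io (step 1).
AUDIT_CLASS = """\
0x00000000:no:invalid class
0x00000001:fr:file read
0x00004000:ap:application
0x00010000:nb:NetIQ success&failure
0x00020000:ns:NetIQ success
0x00040000:nf:NetIQ failure
0x20000000:io:ioctl
0xffffffff:all:all classes
"""
# Constructed sample: audit_control with the flags line from step 2.
AUDIT_CONTROL = """\
dir:/var/audit
flags:nb,+ns,-nf
"""
# Constructed sample: some of the audit_event lines from step 3.
AUDIT_EVENT = """\
2:AUE_FORK:fork(2):pc,nb
4:AUE_CREAT:creat(2):fc,nb
23:AUE_EXECVE:execve(2):pc,ex,nb
72:AUE_OPEN_R:open(2) - read:fr,nf
73:AUE_OPEN_RC:open(2) - read,creat:fc,fr,nf
74:AUE_OPEN_RT:open(2) - read,trunc:fd,fr,nb
"""

# Masks the guide assigns to the NetIQ classes (step 1).
NETIQ_CLASSES = {"nb": 0x00010000, "ns": 0x00020000, "nf": 0x00040000}
# flags: from step 2. A bare class selects success and failure, "+" success only, "-" failure only.
REQUIRED_FLAGS = {"nb", "+ns", "-nf"}
# Event id -> class appended in step 3 (subset of the guide's list).
REQUIRED_TAGS = {2: "nb", 4: "nb", 23: "nb", 72: "nf", 73: "nf", 74: "nb"}


def parse_audit_class(text):
    """Return {class name: mask} from lines of the form mask:name:description."""
    classes = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            mask, name, _desc = line.split(":", 2)
            classes[name] = int(mask, 16)
    return classes


def check_audit_class(text):
    """Report NetIQ classes that are missing, have the wrong mask, or share bits."""
    classes = parse_audit_class(text)
    problems = []
    for name, mask in NETIQ_CLASSES.items():
        if name not in classes:
            problems.append(f"audit_class: class {name} missing")
            continue
        if classes[name] != mask:
            problems.append(f"audit_class: {name} has mask {classes[name]:#010x}, expected {mask:#010x}")
        # Preselection is a bit mask; a shared bit would select another class's events too.
        for other, omask in classes.items():
            if other != name and omask not in (0, 0xFFFFFFFF) and classes[name] & omask:
                problems.append(f"audit_class: {name} shares mask bits with {other}")
    return problems


def parse_flags(text):
    """Return the set of selections on the flags: line of audit_control."""
    for line in text.splitlines():
        if line.startswith("flags:"):
            return {f.strip() for f in line[len("flags:"):].split(",") if f.strip()}
    return set()


def check_audit_control(text):
    """Report flags: selections from step 2 that are absent."""
    missing = REQUIRED_FLAGS - parse_flags(text)
    return [f"audit_control: flags missing {m}" for m in sorted(missing)]


def parse_audit_event(text):
    """Return {event id: set of classes}; descriptions hold commas but never colons."""
    events = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            eid, _name, _desc, classes = line.split(":", 3)
            events[int(eid)] = {c.strip() for c in classes.split(",")}
    return events


def check_audit_event(text):
    """Report events from step 3 that are undefined or lack their nb/nf class."""
    events = parse_audit_event(text)
    problems = []
    for eid, tag in sorted(REQUIRED_TAGS.items()):
        if eid not in events:
            problems.append(f"audit_event: event {eid} not defined")
        elif tag not in events[eid]:
            problems.append(f"audit_event: event {eid} lacks class {tag}")
    return problems


def check_bsm_config(audit_class, audit_control, audit_event):
    """All problems across the three files; an empty list means the mapping is in place."""
    return check_audit_class(audit_class) + check_audit_control(audit_control) + check_audit_event(audit_event)


if __name__ == "__main__":
    found = check_bsm_config(AUDIT_CLASS, AUDIT_CONTROL, AUDIT_EVENT)
    print("\n".join(found) if found else "BSM mapping for NetIQ is in place")
```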

Manually Archiving and Deleting Audit Logs

The Basic Security Module creates audit log files that can grow to a considerable size. You can manually archive and delete audit log files.

To manually archive and delete audit logs:

1. Change directories to the audit log directory, /var/audit/ by default.

2. Copy the audit logs to your archive directory.

3. Delete the original audit logs, except for the log file with not_terminated in the filename. This is the active audit log and is typically the last file in the list.

Configuring Security Manager Support for Oracle

As a part of the steps to configure Security Manager to monitor Oracle, register the Oracle database and specify an account that has access to read the table/views. You can perform these steps on the Unix Manager computer.

You must also ensure you have installed and configured the appropriate Security Manager modules. For more information about the overall process of configuring Security Manager to monitor Oracle, see the Security Manager for Oracle on Unix Monitoring Guide, which is available in the following folder on the Security Manager user interface computer:

installation folder\Program Files\NetIQ Security Manager\OnePoint\Documentation\Module Documentation

Where installation folder is the location where you installed Security Manager user interfaces.

Note

You can define the directory where logs are stored by modifying the /etc/security/audit_control file.

Note

You only need to register the Oracle database and endpoint if you are not also running Secure Configuration Manager on your Unix Manager computer.

To register the Oracle database and specify an account with permission to read the table/views:

1. Start Unix Manager. For more information about starting Unix Manager, see “Starting Unix Manager” on page 26.

2. On the Hosts menu, click Configure Agent.

3. Select the host with the Oracle database you want to monitor.

4. Click Register Oracle Endpoint.

5. Complete the fields on the window. The fields are defined as follows:

User Name
The account that has read access to the table/views in the Oracle database.

Password
The password used by the account that has read access to the table/views.

oratab File Path
The path to the oratab file. If you have specified a location other than the default location, type the path in this field. The oratab file specifies the ORACLE_HOME directory and other environment settings.

Instance Name
The database instance name to be registered.

6. Click OK.

7. Activate the Oracle rule set. For more information about activating rule sets, see “Activating the Most Current Rule Sets” on page 40.

Configuring Failover or Multiple Configuration Groups

If you have Intrusion Manager, you can configure the Unix agent to send data to multiple configuration groups. You can also specify redundant central computers in the event that the primary central computer becomes unavailable. You configure failover or multiple configuration groups with Unix Manager. For more information, see “Configuring IP Addresses and Updating Ports” on page 17.

Note

This feature is available only for Intrusion Manager, not Log Manager.

Chapter 5

Configuring Secure Configuration Manager Support

This section guides you through the tasks required to configure Unix agents for assessment by Secure Configuration Manager. Ensure you have configured your agents to communicate with Secure Configuration Manager. For more information, see “Configuring IP Addresses and Updating Ports” on page 17.

Configuring Basic Secure Configuration Manager Support

Secure Configuration Manager handles agents monitoring Unix computers as it does any other kind of agent, with no special configuration necessary. For more information, see the User Guide for NetIQ Secure Configuration Manager.

Configuring Secure Configuration Manager Support for Oracle

Secure Configuration Manager can only monitor Oracle events on a Unix computer. In order to configure Secure Configuration Manager to monitor Oracle, you must first deploy a Unix agent on the computer running Oracle. For more information about deploying agents, see the section on installing Unix and iSeries agents in the Installation Guide for NetIQ Secure Configuration Manager.

Once you deploy a Unix agent, you can add one or more Oracle endpoints to the new Unix agent.

To add Oracle endpoints to a Unix agent:

1. In the tree pane, expand NetIQ Secure Configuration Manager > IT Assets > Agents > OS > Unix.

2. In the content pane, select the Unix agent to which you want to add the endpoint.

3. On the Actions menu, click Add Endpoint.

4. Select the Unix agent you want the endpoint to monitor and click Next.

5. In the Name field, type a name for the endpoint.

6. In the Endpoint Type field, select Oracle.

7. Complete the required information in the following fields.

Oracle Instance ID
Name of the Oracle instance.

User Name
User account used to access the Oracle database.

Password
Password for the user account used to access the Oracle database.

8. If you would like to add more information about the endpoint, complete the following optional fields.

Oracle oratab File Path
The path to the oratab file. If you have specified a location other than the default location, type the path in this field. The oratab file specifies the ORACLE_HOME directory and other environment settings.

Contact Email
Email address of the contact person.

Contact Name
Name of the designated contact person.

Importance
Criticality level of the endpoint.

Location
Location of the computer hardware.

Major Version
Version of Oracle the endpoint is running.

9. If you want to add the endpoint to a group, complete the following steps:

a. Click Add Endpoint to a Group.

b. Select an existing group to which you want to add the endpoint, or click Create to create a new group.

c. Click Finish to return to the Define Endpoint window.

10. If you are adding more than one endpoint, click Add Endpoint. Repeat Step 5 through Step 9 for each endpoint that you want to add.

11. Click Finish.

Appendix A

Creating and Managing Unix Rules

The following sections provide an overview of Unix agent rules and how to implement them using the Unix Manager.

Understanding Unix Agent Rules

You can protect your information assets and ensure uniform security by applying Unix agent rule sets. By working in conjunction with the event detection and alerting daemon, rule sets offer real-time event detection, alerting, and response. The default rule set provides a wealth of Unix knowledge and an excellent starting point from which to build custom rule sets.

Unix Manager provides a Rule wizard that guides you through creating rules to monitor and react to a number of common conditions, including the following:

• Terminating daemons

• Running specific sensitive commands

• Running sensitive commands in a context other than root

• Creating, modifying, or deleting specific files

You can deploy the rule sets that you create to any or all of the Unix computers in your enterprise.

Deciding How to Create Unix Rules and Rule Sets

Unix Manager provides both wizard-driven rule creation and the ability to create custom rules not covered by the wizard. Use the following diagrams to help you decide how to create your custom rules and guide you to the sections you need to review. The diagrams refer to the following sections:

• “Understanding Rule Sets” on page 58

• “Using the Rule Wizard to Create Rules” on page 62

• “Saving Rule Sets Locally” on page 61

• “Activating Rule Sets on Remote Hosts” on page 61

• “Understanding Event Sources” on page 63

• “Understanding Rule Groups” on page 66

• “Understanding Rules and Actions” on page 69

• “Understanding Conditionals and Comparisons” on page 74 and “Understanding Main Code” on page 81

• “Understanding Initialization Code” on page 72

Understanding Rule Sets

Rule sets are collections of rules you want to enforce on a specific Unix agent computer or a group of Unix agent computers. You can create rule sets that are specific to the location, job, or sensitivity of a particular Unix host, or you can easily create a rule set to apply to all your Unix-hosted Apache web servers or Oracle database servers. Whether you want to enforce unique rule sets on each Unix agent or you want to deploy a uniform rule set to numerous hosts, the Unix Manager helps you accomplish your goals.

Selecting a Rule Set to Edit

Before you start working with a rule set, determine what rule set you want to modify. Consider the following scenarios:

• Consider reviewing and editing the default rule set provided with the Unix Manager if this is an initial implementation of rule sets within your organization. For more information, see “Opening the Default Rule Set” on page 58.

• Open a saved rule set if you have already begun to edit a rule set and saved that rule set with a custom name. You might also need to open a saved rule set if you have template rule sets based on the job-related use of the agent computer. For more information, see “Opening Saved Rule Sets” on page 59.

• Retrieve a rule set from an agent computer if you want to modify the rules enforced on a specific agent computer. For more information, see “Retrieving Rule Sets from Remote Hosts” on page 59.

Opening the Default Rule Set

The Unix Manager displays the default rule set when you click Rules Manager. Consider using the default rule set as a starting point for building custom rule sets. If you modify the default rule set, consider saving the new rule set with a unique name. For more information, see “Saving Rule Sets Locally” on page 61.

Opening Saved Rule Sets

Saved rule sets allow you to keep an archive of your currently deployed rule sets. You can open rule sets that are saved on the Unix Manager by clicking Rules Manager, and then clicking File > Open. Navigate to your saved rule set, and then click Open. By default, rule sets have the .xml extension.

You can open multiple rule sets. To navigate between open rule sets, click the tab with the name of the open rule set.

Retrieving Rule Sets from Remote Hosts

If you do not have a local copy of an activated rule set, you can retrieve the rule set you want to edit from a remote host.

To retrieve a rule set:

1. Click Rules Manager.

2. Click File > From Host.

3. Select the appropriate agent computer in the Available Hosts list, and then click OK.

Retrieving a rule set copies the rule set currently enforced on the remote agent computer and creates a tab for the rule set in the tree area. Clicking the tab displays the rule set.

Viewing Rule Sets and Editing Rule Set Properties

When you open a rule set, the Unix Manager provides both a tree pane and a content pane. The tree pane provides an easy way to navigate through specific event source and rule group information, while the content pane changes to provide detailed information about your tree selection.

Navigating the Rule Set Tree

At the top of the rule set tree, the Unix Manager provides a Rule Set node. Click Rule Set to review all the rules contained in the rule set and their status. Using the content pane, you can also quickly enable or disable rules.

At the second level of the tree, you can find the event sources and rule groups of the rule set. The following list provides a short description of the contents of this secondary tree level and references for more information:

• Event sources provide the data on which to trigger your rules. For more information, see “Understanding Event Sources” on page 63.

• Rule groups provide editable properties at the group level, and contain individual rules. For more information, see “Understanding Rule Groups” on page 66.

Expanding a rule group allows you to view and edit the rules associated with its common event source. For more information, see “Understanding Rules and Actions” on page 69.

Editing Properties

The content pane allows you to view the configuration of any selected tree element. However, you cannot edit the properties in the content pane.

To edit the properties of an element:

1. Right-click the element in the tree pane. You cannot modify the properties of action elements and conditional elements from the tree pane. For more information, see “Understanding Rules and Actions” on page 69, “Understanding Conditionals and Comparisons” on page 74, and “Understanding Time Conditions” on page 79.

2. Select Edit on the menu.

Note: The Unix Manager displays disabled rules and event sources in a darker color.


3. On the Edit window, modify the appropriate properties.

4. Click OK to save the modifications and close the window.

Saving Rule Sets Locally

After modifying a rule set for a specific agent computer or for a group of agent computers, consider saving the modified rule set to the local computer. Saving a copy of the rule set locally allows you to build an archive of rule sets and saves you the time involved in retrieving rule sets from remote agent computers. To save a copy of the rule set on the Unix Manager computer, click File > Save or File > Save As, and save the rule set using an .xml extension. If you began with the default rule set, ensure you use File > Save As: you cannot save the default rule set under any name other than detect.xml. Although the default rule set is write-protected, avoid changing the file attributes and overwriting it.

Activating Rule Sets on Remote Hosts

Pushing a rule set to an agent computer replaces the previous rule set. The event detection and alerting daemon begins processing and initializing the new rule set immediately. However, it may take up to 30 seconds for the new rule set to take effect. Modifications to items in the filesystem rule group may cause the event detection and alerting daemon to take longer to initialize, due to the time it takes to create initial snapshots of the filesystem objects.

To activate the selected rule set on one or more remote agent computers:

1. Click File > To Host.

2. Select one or more agent computers in the Available Hosts list.

3. Click OK to push the rule set to the selected remote agent computers.


Using the Rule Wizard to Create Rules

The Rule wizard helps you quickly create the following types of rules:

• Rules that trigger when a certain daemon terminates

• Rules that trigger when a log file decreases in size

• Rules that trigger when certain commands are run

• Rules that trigger when certain commands are run by users other than root

• Rules that trigger when certain files are changed or created

To use the Rule wizard to create rules:

1. Click Wizard > Rule Wizard to start the Rule wizard.

2. On the Select Rule Type window, select the appropriate rule type, and then click Next. For more information, see the description of the rule type or “Understanding Rules and Actions” on page 69.

3. On the Rule Description window, provide a name for the rule, and then click Next.

4. On the Rule Name window, provide a descriptive name for the rule, and then click Next.

5. If you are using the Log_file_shrunk or modified_file rule, select either Names or Paths, and then click Next. Selecting Names causes the event detection and alerting daemon to monitor all files with a certain name. Selecting Paths causes the event detection and alerting daemon to monitor a specific file.

6. On the Name of File window, specify the name of the object you want to monitor, and then click Next. The name depends on the rule type selected. It may be a daemon executable, a command, a file name, or a fully-qualified path name. For example, if you selected Paths while creating a modified_file rule, you need to specify the full path, including the file name you want to monitor.


7. Provide the appropriate information for the action you want the rule to trigger in response to an event, and then click Next. All fields are optional. You do not need to select an action to create a rule. For more information, see “Understanding Rules and Actions” on page 69.

8. Review the information provided about the rule group associated with your rule, and then click Next.

9. Complete the Rule wizard. The Rule wizard displays only the windows relevant to the event source you associated with the new rule. If the new rule is in a rule group that uses configurable event sources, the remaining windows offer you the ability to modify the configurable parameters. Read the descriptions provided and, if necessary, modify parameters. If you are unsure, retain the current value.

10. When you have completed the Rule wizard, click Finish.

Understanding Event Sources

Event sources extract a particular type or class of events from one of the following providers:

• Operating system

• Daemon

• Server

• Application

Typically, event sources extract the required information by parsing and filtering log entries. Once extracted, the log entry is considered an event. All events must be composed of output parameters that can be evaluated by the event detection and alerting daemon.

Note: Right-click the text area of a field to access a list of available parameters.


When an event source detects an event and assigns output parameter values, the event detection and alerting daemon uses the values to trigger the appropriate rule response in the associated rule group. For example, you can configure a rule in an agent computer rule set that alerts you when an FTP event associated with a particular user account is detected. To successfully trigger your FTP rule, you must have an event source that can do the following:

• Monitor the wtmp log file, the log in which FTP events are reported

• Parse the log entries

• Generate output about each event

Unix Manager provides a wtmp event source with the default rule set. This event source scans the wtmp log and generates output about each entry in the log. The wtmp event source extracts a number of properties, including the event type and user login name, and provides them to the event detection and alerting daemon. Specifically, the event type and user login are defined as the $id and $user output parameters. If the value of an output parameter matches criteria you configure in a rule, the actions you specify in the rule properties trigger.

You can use a single event source for multiple rule groups, but consider configuring each event source to monitor unique log files. Configuring multiple rule groups to use identical event sources with identical configuration parameters is undesirable, because you duplicate the monitoring, parsing, and output parameter generation between instances of the event source. You specify the event source of a rule group by editing the properties of its corresponding rule group. For more information, see “Editing Rule Group Properties” on page 67.

Editing Event Source Properties

The Unix Manager provides the ability to edit existing event source properties. Ensure you fully understand the purpose and capabilities required of an event source before editing currently functioning event sources. For more information, see “Understanding Event Sources” on page 63.


To edit event source properties:

1. Right-click the event source that you want to edit.

2. Click Edit.

3. On the Edit Event Source window, select the tab of the properties you want to modify.

4. Modify the property, and then click OK.

Creating New Event Sources

The Unix Manager provides the ability to create your own event sources. Ensure you fully understand the purpose and capabilities required of an event source before attempting to create an event source. For more information, see “Understanding Event Sources” on page 63.

To create new event sources:

1. Right-click the Rule Set node in the tree area, and then click Add Event Source.

2. Configure the event source properties in the Add Event Source window, and then click OK. For examples of syntax, view the properties of an existing event source in the default rule set.

After configuring an event source, you can create a rule group associated with the event source. For more information, see “Creating New Rule Groups” on page 67.

Deleting Event Sources

The Unix Manager provides the ability to delete existing event sources. Ensure you fully understand the purpose of an event source before deleting the event source. For more information, see “Understanding Event Sources” on page 63.


To delete an event source from a rule set:

1. Delete all rule groups associated with the event source or reconfigure the rule groups to use a different event source. For more information, see “Deleting Rule Groups” on page 68 and “Editing Rule Group Properties” on page 67.

2. Right-click the event source that you want to delete, and then click Delete.

3. Click Yes on the Delete window.

After deleting an event source, you can save the modified rule set on the Unix Manager computer and activate the modified rule set on remote agent computers. For more information, see “Saving Rule Sets Locally” on page 61 and “Activating Rule Sets on Remote Hosts” on page 61.

Understanding Rule Groups

Rule groups contain one or more rules sharing common event sources, schedules, and other properties. Clicking a rule group in the tree area displays the group properties in the content area. Rule group properties consist of the following information:

• Delay

• Event source name

• Event source parameters for the rules contained in the rule group

• Name and description of the rule group

• Nice value or process priority

Increasing the allowable delay and nice value lowers the impact on the resources of the agent computer.


Editing Rule Group Properties

You can easily edit the properties of a rule group. Consider editing rule group properties to change the name or description of a rule group or to lessen the resource impact of executing the rules contained within the rule group.

To edit rule group properties:

1. Right-click the rule group you want to edit, and then click Edit.

2. Modify the rule group properties on the Edit Group window, and then click OK.

Creating New Rule Groups

You can create two different types of rule groups:

• Real-time rule groups

• Scheduled rule groups

Real-time Rule Groups

Real-time rule groups detect events and evaluate rules as the events occur.

To create real-time rule groups:

1. Use an existing event source or create a new event source for the new rule group. For more information, see “Editing Rule Group Properties” on page 67 or “Creating New Event Sources” on page 65.

2. Right-click Rule Set, and then click Add Real-time Group.

3. On the Add Real-time Group window, configure the rule group properties, and then click OK.

After configuring a real-time rule group, you can create rules in the rule group that detect events as they occur. For information about creating rules and actions, see “Creating New Rules and Actions” on page 71.


Creating Scheduled Rule Groups

Scheduled rule groups detect events and evaluate rules during scheduled times. You can schedule rules to activate for minute-long increments during any number of minutes in a year.

To create scheduled rule groups:

1. Right-click Rule Set, and then click Add Scheduled Group.

2. On the Add Scheduled Group window, configure the properties of the rule group. You can edit values by typing in the fields. To declare more than one value in a scheduling attribute, separate the values with commas.

3. Click OK to close the window.

After configuring a scheduled rule group, you must create rules in the rule group. All rules contained in the scheduled rule group have identical schedules. For information about creating rules and actions, see “Creating New Rules and Actions” on page 71.

Deleting Rule Groups

If you no longer need a rule group, you can delete it. Before deleting a rule group, consider making a backup copy of the rule set. By backing up your rule set, you ensure you do not lose rules and rule groups you may want to reactivate in the future. Deleting a rule group also deletes the rules it contains.

To delete a rule group and all of the rules it contains from a rule set:

1. Right-click the rule group that you want to delete, and then click Delete.

2. On the Delete window, click Yes.

After deleting a rule group, if you no longer need the associated event source for other rule groups, you can delete the associated event source. Save the modified rule set on the Unix Manager computer and activate the modified rule set on remote agent computers. For more information, see “Saving Rule Sets Locally” on page 61 and “Activating Rule Sets on Remote Hosts” on page 61.


Understanding Rules and Actions

Rules contain all of the information the event detection and alerting daemon needs to evaluate event source output parameters and trigger actions. Expanding a rule group displays the rules contained in the rule group. Rules that appear in the same group have common event sources and schedules, if applicable.

A rule is defined and governed by one or more of the following properties:

• Actions.

• Initialization code. For more information, see “Understanding Initialization Code” on page 72.

• Main code. For more information, see “Understanding Main Code” on page 81.

• Conditionals -- And and Or objects. For more information, see “Understanding Conditionals and Comparisons” on page 74.

• Comparisons. For more information, see “Understanding Conditionals and Comparisons” on page 74.

• Time conditions. For more information, see “Understanding Time Conditions” on page 79.

• Templates contain information for the Rule wizard. Template nodes do not require user maintenance.

The Unix Manager displays these properties as child objects of the rule in the tree. The following figure illustrates the tree arrangement of the default telnet rule.


Actions are the responses available for a detected event. The following definitions provide more information about your options:

E-mail: Specifies the name, email address, and message content you want sent when the rule triggers. Populate these fields with the appropriate information. Separate multiple email addresses with a comma (,). You must have sendmail configured correctly on the agent computer to send email.

SNMP Message: Specifies the SNMP message you want sent when the rule triggers. Select the appropriate notification for this field.

Log: Specifies the name of the log file and the message written in the log file when the rule triggers. Provide the appropriate information in these fields.

Command: Specifies a Bourne shell command to execute on the agent computer when the rule triggers. Provide an appropriate command in this field.

Security Manager Event: Specifies the NetIQ classification attribute used to classify events for Log Manager.

Viewing and Editing Rule Properties and Actions

Clicking a rule displays the properties, configuration, actions, conditions, and advanced settings of the rule in the content pane. The rule attributes tab identifies and describes the rule; the configuration tab displays the rule configuration; the actions tab specifies the actions to perform when the rule triggers; the conditions tab displays the conditions that must be met for the rule to trigger; and the advanced tab displays the rule debug level.


Expanding an action node displays a sub-node that is labeled with the action that will occur if the rule triggers. For example, an element that is labeled “Alert: $user logged in at $time” describes the alert message that displays when the rule triggers.

To edit existing rule properties:

1. Right-click the rule that you want to edit, and then click Edit.

2. On the Edit Rule window, modify the appropriate rule properties, and then click OK.

Creating New Rules and Actions

Creating new rules can be a time-consuming task. Before creating new rules, ensure the following statements are true:

• You cannot use the Rules wizard.

• You cannot find an existing rule to modify.

To create new rules and actions in a rule group:

1. Right-click a rule group that is associated with the event source that you want to use, and then click Add Rule.

2. On the Add Rule window, configure the appropriate rule group properties and actions, then click OK.

Note: Use only Bourne shell commands when specifying the Command rule property.


After configuring the rule, you can save the modified rule set on the Unix Manager computer and activate the modified rule set on remote agent computers. For more information, see “Saving Rule Sets Locally” on page 61 and “Activating Rule Sets on Remote Hosts” on page 61.

Deleting Rules and Actions

If a rule and its associated actions are no longer necessary within your environment, consider deleting the rule and its actions. Consider making a backup of the rule set before deleting rules.

To delete a rule and its associated actions from a rule set:

1. Right-click the rule that you want to delete, and then click Delete.

2. Click Yes on the Delete window.

After deleting a rule and its associated actions, you can save the modified rule set on the Unix Manager computer and activate the modified rule set on remote agent computers. For more information, see “Saving Rule Sets Locally” on page 61 and “Activating Rule Sets on Remote Hosts” on page 61.

Understanding Initialization Code

Initialization code, written in Perl, runs when the rule set is activated. Your rule requires initialization code if it relies on parameters or tables not previously configured. If the rule configures itself by querying the operating system or daemons, the rule requires initialization code. Rules containing initialization code display Init Code as a child element in the tree pane.

Viewing and Editing Initialization Code

To view initialization code, expand the appropriate rule, and then click Init Code. Review the initialization code in the content pane.


Complete the following procedure to edit existing rule initialization code.

To edit existing initialization code:

1. Right-click Init Code, and then click Edit.

2. Modify the Perl code in the Edit Initialization Code window that opens, and then click OK to close the window.

Adding New Initialization Code

Complete the following procedure to add new initialization code to a rule.

To add initialization code:

1. Right-click the rule you want to modify, and then click Add Initialization Code.

2. On the Edit Initialization Code window, add the appropriate Perl code, and then click OK.

Deleting Initialization Code

If you no longer need the initialization code for a rule, you can delete the code. Consider making a backup of the rule set before deleting rules.

To delete initialization code:

1. Ensure the rule does not have parameters or tables that require the initialization code.

2. Right-click the initialization code you want to delete, and then click Delete.

3. On the Delete window, click Yes.

Note: You can add one set of initialization code per rule.


Understanding Conditionals and Comparisons

You declare conditionals and comparisons to ensure you trigger actions only when necessary. Conditionals and comparisons help you filter event source output parameters. Consider the following example from the telnet rule:

• $message =~ /telnet/

• $source =~ /telnet/

Because these entries appear in an Or child element of the telnet login rule, the rule triggers when either comparison is true. When the syslog event source generates a $message or $source parameter that matches /telnet/, the event detection and alerting daemon triggers the defined actions.

To trigger an action when both comparisons are met, you create And comparisons. And comparisons trigger rule actions when both comparisons evaluate as true.

The hierarchy of the tree graphically represents the order in which conditional and comparison expressions are evaluated. While the tree displays one conditional or comparison under the rule element, the And or Or may have numerous child elements. Rules that do not have conditional or comparison statements must have main code to trigger. For more information, see “Understanding Main Code” on page 81.

A comparison that is not a child element of an And or Or conditional is not itself a conditional. Such comparisons trigger actions when the event detection and alerting daemon evaluates the statement as true.

Viewing and Editing Comparison Properties

You can view the properties of a comparison by clicking the comparison in the tree pane and viewing the properties in the content pane. Comparisons are labeled with the output parameter name, the operator, and the value describing the comparison. For example, $message =~ /telnet/.


You can edit comparison properties by completing the following procedure.

To edit existing comparison properties:

1. Expand the appropriate rule.

2. Right-click the comparison you want to edit, and then click Edit.

3. On the Add Comparison window, modify the comparison properties, and then click OK.

After modifying the properties of the comparison, you can save the modified rule set on the Unix Manager computer and activate the modified rule set on remote agent computers. For more information, see “Saving Rule Sets Locally” on page 61 and “Activating Rule Sets on Remote Hosts” on page 61.

Note: When defining the Value property, enclose regular expressions with slashes (/) to indicate that the value is a regular expression. For example, /telnet/ designates telnet as a regular expression.


Adding Comparisons

The following procedure guides you through adding comparisons to a rule.

To add comparisons:

1. If you want to associate a comparison with a conditional, you must first add the conditional. For more information, see “Adding And” on page 77, “Adding Or” on page 78, and “Associating Comparisons with Conditionals” on page 78.

2. If you want to add a new comparison that is not associated with a conditional, right-click the rule you want to modify, and then click Add Comparison.

3. On the Add Comparison window, configure comparison properties, and then click OK.

After adding comparisons to a rule, you can save the modified rule set on the Unix Manager computer and activate the modified rule set on remote agent computers. For more information, see “Saving Rule Sets Locally” on page 61 and “Activating Rule Sets on Remote Hosts” on page 61.

Note: When defining the Value property, enclose regular expressions with slashes (/) to indicate that the value is a regular expression. For example, /telnet/ designates telnet as a regular expression.


Adding And

And conditionals declare that all the conditional components must be true for the actions of a rule to trigger. The following procedure guides you through adding And conditionals to your rule.

To add And conditionals:

1. If you want to trigger actions when all comparisons in a group of comparisons evaluate as true, right-click the rule you want to modify, and then click Add And.

2. Add comparisons as child elements to the conditional. For more information, see “Associating Comparisons with Conditionals” on page 78.

Note: The tree pane displays only one conditional or comparison as a direct child element of the rule. You can nest And conditionals within other conditionals: right-click the conditional, and then click Add And.


Adding Or

Or conditionals declare that any one of the conditional components must be true for the actions of a rule to trigger. The following procedure guides you through adding Or conditionals to your rule.

To add Or conditionals:

1. If you want to trigger actions when any comparison in a group of comparisons evaluates as true, right-click the rule that you want to modify, and then select Add Or from the pop-up menu.

2. Add comparisons as child elements to the conditional. For more information, see “Associating Comparisons with Conditionals” on page 78.

Associating Comparisons with Conditionals

You can associate two or more comparisons with a conditional. The Unix Manager displays comparisons you associate with a conditional as child elements of the conditional. Complete the following procedure to associate comparisons with a conditional.

To associate comparisons with a conditional:

1. Right-click the conditional, and then click Add Comparison.

2. On the Add Comparison window, configure comparison properties, and then click OK.

Note: The tree pane displays only one conditional or comparison as a direct child element of the rule. You can nest Or conditionals within other conditionals: right-click the conditional, and then click Add Or.

Note: When defining the Value property, enclose regular expressions with slashes (/) to indicate that the value is a regular expression. For example, /telnet/ designates telnet as a regular expression.


After associating comparisons with conditionals in a rule, you can save the modified rule set on the Unix Manager computer and activate the modified rule set on remote agent computers. For more information, see “Saving Rule Sets Locally” on page 61 and “Activating Rule Sets on Remote Hosts” on page 61.

Deleting Comparisons or Conditionals

When you no longer need a comparison or a conditional, you can delete it from the rule set. Ensure you no longer need the comparison or conditional to trigger your rule actions. Complete the following procedure to delete a comparison or conditional.

To delete a comparison or a conditional and the associated comparisons and nested conditionals:

1. In the tree pane, right-click the comparison or the conditional you want to delete, and then click Delete.

2. On the Delete window, click Yes.

After deleting the comparisons or conditionals, you can save the modified rule set on the Unix Manager computer and activate the modified rule set on remote agent computers. For more information, see “Saving Rule Sets Locally” on page 61 and “Activating Rule Sets on Remote Hosts” on page 61.

Understanding Time Conditions

Time conditions allow you to specify when you want a rule activated and ready to trigger. A time condition specifies the days and hours during the week when you want to activate the rule. For example, if your information security policy does not allow FTP sessions after hours, you can attach a time condition to the FTP rule that alerts you only when FTP sessions initiate after hours.
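To make the evaluation chain concrete, the following added example (written for this guide, not NetIQ's code) models in Python how an event source turns log lines into output parameters, how comparisons and nested And/Or conditionals filter them, how a time condition gates when a rule is active, and how $parameters are substituted into action messages; it uses the guide's telnet rule and its after-hours FTP policy example. The syslog line format and parser, the $user extraction, the literal (non-slash) comparison form, and the ftp_after_hours rule are constructed assumptions.

```python
"""Model of the rule evaluation chain the guide describes: an event source turns
log lines into $-parameters, comparisons and And/Or conditionals filter them, a
time condition gates when the rule is active, and actions get their parameters
substituted.  Added illustration, not NetIQ's code."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple, Union

Event = Dict[str, str]   # output parameter name (without the $) -> value

# Constructed syslog-style lines.  The guide does not show how the syslog
# event source parses entries, so this line format and parser are assumptions.
SAMPLE_LOG = """\
2006-11-01 09:15:02 host1 telnetd[512]: connect from 10.0.0.5
2006-11-01 09:15:05 host1 login[513]: LOGIN ON pts/1 BY alice FROM 10.0.0.5
2006-11-01 22:40:11 host1 ftpd[801]: USER bob: login ok
2006-11-01 10:02:44 host1 ftpd[802]: USER carol: login ok
"""
LINE_RE = re.compile(
    r"^(?P<time>\S+ \S+) (?P<host>\S+) (?P<source>[^\[]+)\[\d+\]: (?P<message>.*)$")
USER_RE = re.compile(r"\b(?:BY|USER) (\w+)")   # assumed $user extraction


def parse_syslog(text: str) -> List[Event]:
    """Turn each parseable log line into an event ($time, $source, $message, $user)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # unparseable lines yield no event
        ev = {"time": m["time"], "source": m["source"], "message": m["message"]}
        u = USER_RE.search(ev["message"])
        ev["user"] = u.group(1) if u else ""
        events.append(ev)
    return events


@dataclass
class Comparison:
    """A leaf such as `$message =~ /telnet/`.  As the guide's note says, a value in
    slashes is a regular expression; a bare value is compared literally (assumption)."""
    param: str
    value: str

    def evaluate(self, event: Event) -> bool:
        actual = event.get(self.param, "")
        if len(self.value) >= 2 and self.value[0] == self.value[-1] == "/":
            return re.search(self.value[1:-1], actual) is not None
        return actual == self.value


@dataclass
class Conditional:
    """An And or Or node; children are comparisons or nested conditionals."""
    kind: str                                        # "And" or "Or"
    children: List[Union["Conditional", Comparison]]

    def evaluate(self, event: Event) -> bool:
        results = [child.evaluate(event) for child in self.children]
        return all(results) if self.kind == "And" else any(results)


@dataclass
class Rule:
    name: str
    condition: Union[Conditional, Comparison]
    actions: List[str]                    # e.g. "Alert: $user logged in at $time"
    # Time condition as (weekday, hour) pairs, Monday = 0; None means always active.
    active_hours: Optional[Set[Tuple[int, int]]] = None

    def is_active(self, when: datetime) -> bool:
        return self.active_hours is None or (when.weekday(), when.hour) in self.active_hours

    def fire(self, event: Event) -> List[str]:
        """Return action messages with $parameters substituted; [] if nothing triggers."""
        when = datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")
        if not self.is_active(when) or not self.condition.evaluate(event):
            return []
        return [re.sub(r"\$(\w+)", lambda m: event.get(m.group(1), ""), a)
                for a in self.actions]


def after_hours() -> Set[Tuple[int, int]]:
    """Monday-Friday outside 08:00-17:59, plus every weekend hour."""
    return {(d, h) for d in range(7) for h in range(24) if d >= 5 or h < 8 or h >= 18}


# The telnet rule from the guide: an Or of two regex comparisons.
TELNET_RULE = Rule(
    "telnet",
    Conditional("Or", [Comparison("message", "/telnet/"), Comparison("source", "/telnet/")]),
    ["Alert: telnet activity from $source: $message"])

# Constructed rule for the guide's policy example: alert on FTP logins after hours.
FTP_AFTER_HOURS_RULE = Rule(
    "ftp_after_hours",
    Conditional("And", [Comparison("source", "/ftpd/"), Comparison("message", "/login ok/")]),
    ["Alert: $user logged in at $time"],
    active_hours=after_hours())


def run_rules(rules: List[Rule], log_text: str) -> List[Tuple[str, str]]:
    """Evaluate every rule against every event; return (rule name, action) pairs."""
    fired = []
    for ev in parse_syslog(log_text):
        for rule in rules:
            fired.extend((rule.name, msg) for msg in rule.fire(ev))
    return fired
```

Running `run_rules([TELNET_RULE, FTP_AFTER_HOURS_RULE], SAMPLE_LOG)` fires the telnet rule once (the telnetd line) and the FTP rule only for bob's 22:40 login; carol's 10:02 login matches the And but falls outside the time condition, so it produces no alert.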


Viewing and Editing Time Conditions

To view time conditions, expand the rule containing the time condition, and then click Time Condition. The Unix Manager displays when the associated rule is active.

If you want to change the schedule of a rule governed by a time condition, complete the following procedure.

To edit existing time conditions:

1. Right-click the time condition that you want to edit, and then click Edit.

2. Select the days and hours on which you want to activate the rule. You can use the Ctrl and Shift keys to select multiple days and times.

3. Click OK.

Adding New Time Conditions

The following procedure guides you through adding a time condition to a rule. You can designate one time condition per rule. Time conditions ensure rules only run when necessary.

To add a new time condition:

1. Right-click the rule that you want to modify, and then click Add Time Condition.

2. Select the days and hours on which you want to activate the rule. You can use the Ctrl and Shift keys to select multiple days and times.

3. Click OK.


Deleting Time Conditions

You can remove time conditions and have a rule active all the time. Complete the following procedure to delete a time condition.

To delete time conditions:

1. Right-click the time condition node you want to delete, and then click Delete.

2. On the Delete window, click Yes.

Understanding Main Code

Main code is Perl code you can add to a rule if the filtering provided by the conditionals and comparisons is inadequate or needs augmenting to detect more complex patterns. Main code must contain a call to the subroutine _take_actions(). The code you write can be selective about the circumstances under which the subroutine is called; it is not necessary for the code to call _take_actions() every time it is evaluated. Rules that contain main code display a Code element under the rule.

Viewing and Editing Main Code

To view main code, expand the rule containing the main code you want to view, and then click Code.

The Unix Manager also allows you to edit existing main code. Before editing code that functions correctly, ensure you make a backup of the rule set. Complete the following procedure to edit your main code.

To edit existing main code:

1. Expand the appropriate rule, and then right-click Code.

2. Click Edit.

3. On the Edit Code window, modify the Perl code.

4. Click OK.

After editing main code, you can save the modified rule set on the Unix Manager computer and activate the modified rule set on remote agent computers. For more information, see “Saving Rule Sets Locally” on page 61 and “Activating Rule Sets on Remote Hosts” on page 61.

Adding New Main Code

The Unix Manager allows you to add main code to a rule. Before adding main code, ensure you have a thorough knowledge of Perl and a complete understanding of what you want the code to accomplish. You can create one set of main code per rule.

To add main code:

1. Right-click the rule to which you want to add main code, and then click Add Main Code.

2. On the Edit Code window, add your Perl code.

3. Click OK.

After adding new main code, you can save the modified rule set on the Unix Manager computer and activate the modified rule set on remote agent computers. For more information, see “Saving Rule Sets Locally” on page 61 and “Activating Rule Sets on Remote Hosts” on page 61.

Deleting Main Code

Before deleting main code, ensure you no longer need the code to make the rule work. Complete the following procedure to delete main code.

To delete main code:

1. Right-click the main code you want to delete, and then click Delete.

2. On the Delete window, click Yes.

Customizing the Rules Management User Interface

The Unix Manager provides a number of options that allow you to adjust the appearance and usability of rules management. The following sections provide overviews of the features you can select from the Customize menu.

Deciding Whether to Use Tabbed Layouts

Tabbed layouts allow you to select how you want to view configuration information in the content area. The following figure illustrates the default tabbed layout of the filesystem event source. The tabbed layout provides easy-to-read information grouped into specific categories. You navigate to other configuration categories by clicking the corresponding tab.

The following figure shows the same event source displayed without the category grouped tabs. The non-tabbed layout option shows all the configuration information in one pane. This option is convenient if you have a large monitor and want to see all the information about an element. The pane borders are adjustable so that you can show more or less of each section. To adjust the pane border, click the border and drag it up or down.

Deciding Whether to Use Parameter Aliases

The Unix Manager uses parameter aliases to make parameters generated by event sources or rules easier to understand, and thereby to make configuring alerts easier. Aliases are more descriptive than the actual parameter names.

For example, if parameter aliases are turned off, an alert message in the configuration area may look like the following:

Linux user, $user, logged in via ftp at $time, from $host at @addr_linux.

However, with parameter aliases turned on, the same alert message is easier to understand:

Linux user, (User name), logged in via ftp at (Hour:Minute:Second) from (Remote host name) at (Linux remote host Internet address).

Aliases are enclosed in parentheses to visually set them apart from the surrounding text.

When you configure rules using the descriptive aliases instead of the parameter name, the Unix Manager Rules Manager automatically substitutes the appropriate parameter. You can view the parameters, their associated aliases, and a description of their functions in the event source configuration area Output tab.

Appendix B

Uninstalling Agents and Unix Manager

This section guides you through uninstalling Unix agents and the Unix Manager.

Uninstalling Unix Agents

Complete the following steps to uninstall Unix agents.

To uninstall Unix agents:

1. Start the Unix Manager. For more information, see “Starting Unix Manager” on page 26.

2. Click Manage Agents.

3. Click Hosts > Uninstall.

4. Select one or more hosts in the list where you want to uninstall agents.

5. Click Uninstall.

6. Click Yes in the confirmation window.

7. Verify that the agent summary table no longer lists the host you chose to uninstall.

Uninstalling Unix Manager on Windows

To uninstall the Unix Manager on Windows computers, use the Add/Remove Programs Control Panel to remove the Unix Manager program.

Uninstalling Unix Manager on Solaris or Red Hat

To uninstall the Unix Manager on Solaris or Red Hat, change directories to the Unix Manager installation directory, and then enter rm -rf VSAU.
