Checking on IPS in Unix and Linux DCS Agent

Article ID: 153975


Products

Data Center Security Server Advanced

Issue/Introduction

Is there a command on UNIX systems to check whether the Prevention Service (IPS) is enabled?
 
Previously, "lsmod | grep sisips" was used. That only shows whether the sisips kernel module is loaded; it does not show whether prevention is actually enforcing policy.
 

Resolution

1) Try to access /etc/sisips/testforprevention. If access is denied, prevention is enabled.

If (chmod 551 /etc/sisips/testforprevention) succeeds, prevention is "disabled".
If (chmod 551 /etc/sisips/testforprevention) fails, prevention is "enabled".

Using the "testforprevention" object tests the end result of prevention (the driver is loaded and is actually enforcing policy), so it is the better method. Run the test as root: a chmod that fails for an unprivileged user because of ordinary file ownership is not evidence that prevention is enabled.
  
 
2) What is the procedure to restart the prevention daemons (from the host) if they are down?

The daemon binaries are:
/opt/Symantec/scspagent/IPS/bin/sisipsdaemon
/opt/Symantec/scspagent/IPS/bin/sisipsutildaemon
 
Steps:
To start sisipsagent: /etc/init.d/sisipsagent start
To start sisipsutil: /etc/init.d/sisipsutil start
 
3) What is the procedure to restart the IDS daemon (from the host) if it is down?

The daemon binary is:
/opt/Symantec/scspagent/IDS/bin/sisidsdaemon
 
Steps:
To start the IDS daemon: /etc/init.d/sisidsagent start
The /etc/init.d/sisidsagent script accepts the following commands:
 
( start | stop | restart | health_check | status )
 
To check whether the daemon is running, use the "status" command; it reports whether the daemon is up or down and, if running, its PID.
 
To see whether the driver is loaded, look in /proc/modules (for example, grep sisips /proc/modules).
 
To see whether prevention is enabled, look in /etc/sisips/sisips.reg:
 
UseBuiltin=0    1 = the built-in (null) policy is applied; 0 = it is not
Enable=1        1 = prevention enabled; 0 = prevention disabled
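The following script is an added example, not part of the article or of the DCS agent: it combines the checks above (the testforprevention probe, the Enable/UseBuiltin keys in sisips.reg, and the module list) into one status report and flags the case where they disagree. The default paths are the ones the article gives; the module name prefix "sisips" is assumed from the lsmod | grep sisips check, and stat -c is GNU coreutils (on Solaris/AIX the mode is simply not restored).

```shell
#!/bin/sh
# Added example (not the DCS agent's own tooling). Paths default to the
# locations in the article; override them via the environment for testing.
SISIPS_TEST_OBJ="${SISIPS_TEST_OBJ:-/etc/sisips/testforprevention}"
SISIPS_REG="${SISIPS_REG:-/etc/sisips/sisips.reg}"
PROC_MODULES="${PROC_MODULES:-/proc/modules}"

# prevention_probe OBJ: the end-to-end test from step 1. Tries chmod 551 on
# the test object. Prints "enabled" when the driver denies the change,
# "disabled" when it succeeds (the original mode is restored), "missing"
# when the object does not exist (agent not installed, or wrong path).
prevention_probe() {
    obj="$1"
    [ -e "$obj" ] || { echo missing; return 2; }
    # A non-root chmod can fail for ordinary ownership reasons, which would
    # look like enforcement; warn so the result is not over-trusted.
    [ "$(id -u)" -eq 0 ] || echo "warning: not root, a chmod failure may not mean prevention" >&2
    # Save the current mode so a successful probe leaves no side effect.
    # stat -c is GNU coreutils; elsewhere orig_mode stays empty and restore is skipped.
    orig_mode=$(stat -c %a "$obj" 2>/dev/null || true)
    if chmod 551 "$obj" 2>/dev/null; then
        [ -n "$orig_mode" ] && chmod "$orig_mode" "$obj" 2>/dev/null
        echo disabled
        return 1
    fi
    echo enabled
    return 0
}

# reg_value FILE KEY: value of "KEY=..." in sisips.reg (first match, CR and
# surrounding whitespace ignored). Prints nothing if the key or file is absent.
reg_value() {
    file="$1"; key="$2"
    [ -r "$file" ] || return 1
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$file" | head -n 1
}

# driver_loaded MODULES_FILE: succeeds if a module whose name starts with
# "sisips" is listed (assumed module name, from the lsmod | grep sisips check).
driver_loaded() {
    grep -q '^sisips' "$1" 2>/dev/null
}

# ips_status OBJ REG MODULES: print the three observations, then a verdict.
# The probe is authoritative; sisips.reg and the module list explain why.
ips_status() {
    obj="$1"; reg="$2"; mods="$3"
    probe=$(prevention_probe "$obj") || true
    enable=$(reg_value "$reg" Enable || true)
    builtin=$(reg_value "$reg" UseBuiltin || true)
    if driver_loaded "$mods"; then loaded=yes; else loaded=no; fi
    printf 'probe=%s Enable=%s UseBuiltin=%s driver_loaded=%s\n' \
        "$probe" "${enable:-?}" "${builtin:-?}" "$loaded"
    case "$probe:$enable" in
        enabled:1|disabled:0) echo consistent ;;
        missing:*)            echo "missing: test object not found" ;;
        *) echo "inconsistent: probe=$probe but Enable=${enable:-unset}; check the driver and applied policy" ;;
    esac
}

ips_status "$SISIPS_TEST_OBJ" "$SISIPS_REG" "$PROC_MODULES"
```

An "inconsistent" verdict (for example Enable=1 in sisips.reg but the chmod succeeds) is exactly the situation where trusting the registry key or lsmod alone would give a false sense of coverage.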
 
To see whether the agent is talking to the manager, run sisipsconfig.sh -t
 
You can use the following to help keep the agent up and running
 
ids_ref.pdf
Page 75
 
UNIX_CSP_Agent_Status IDS policy 
 
This UNIX detection policy runs scripts that perform health checks on the IPS agent. The health check scripts run on user-configurable timers. The timers are started when the policy is first applied to an agent or when the agent is restarted.
 
The policy options are as follows:
 
IPS Health Check:
 
Periodically runs the IPS agent health check script. Specify the health check frequency in days, hours, minutes, and seconds.
 
By default, the health check script runs every hour.
 
IPS Util Health Check:
 
Periodically runs the IPS Util health check script on Solaris or Linux agents. Specify the Util health check frequency in days, hours, minutes, and seconds.
 
By default, the health check script runs every hour.
 
IPS Core Detection:
 
Monitors syslogs for detected sisipsagent core dump files.
 
Monitoring and restarting UNIX agents
 
scspinst.pdf
Page 97. 
 
The Health Check feature monitors and restarts UNIX agents in the event of an unexpected termination. This feature is available through the use of a crontab entry, which calls the daemon startup scripts at regular intervals with a health_check parameter.
 
For example, to monitor the UNIX agents every hour, add the following lines to the crontab file:
 
0 * * * * /etc/init.d/sisipsagent health_check
0 * * * * /etc/init.d/sisidsagent health_check
0 * * * * /etc/init.d/sisipsutil health_check (Solaris and Linux Only)
 
Use the appropriate crontab file for the UNIX platform:
 
AIX
Crontab: /var/spool/cron/crontabs/root
Scripts: /etc/rc.sisidsagent, /etc/rc.sisipsagent
 
HP-UX
Crontab: /var/spool/cron/crontab.root
Scripts: /sbin/init.d/sisidsagent, /sbin/init.d/sisipsagent
 
Linux
Crontab: /var/spool/cron/tabs/root (SUSE; Red Hat-based distributions use /var/spool/cron/root and Debian-based ones /var/spool/cron/crontabs/root. Running "crontab -e" as root edits the correct file on any distribution.)
Scripts: /etc/init.d/sisidsagent, /etc/init.d/sisipsagent, /etc/init.d/sisipsutil
 
Solaris
Crontab: /var/spool/cron/crontabs/root
Scripts: /etc/init.d/sisidsagent, /etc/init.d/sisipsagent, /etc/init.d/sisipsutil
 
Tru64
Crontab: /var/spool/cron/crontabs/root
Scripts: /sbin/init.d/sisidsagent, /sbin/init.d/sisipsagent
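As an added example (not part of the article or the product), the script below turns the table above into code: it prints the health_check crontab lines for a given platform, using the script paths listed for that platform, and merges them into root's crontab without creating duplicates when run repeatedly. It goes through crontab(1) rather than editing the spool file directly, so the per-platform crontab path does not matter. The uname -s values (Linux, AIX, HP-UX, SunOS, OSF1 for Tru64) are assumed.

```shell
#!/bin/sh
# Added example: emit and idempotently install the hourly health_check
# crontab entries for the DCS agent scripts. Script paths per platform are
# taken from the article's table; the uname -s names are assumptions.

# health_check_entries PLATFORM: one crontab line per agent script present on
# that platform (sisipsutil exists only on Solaris and Linux).
health_check_entries() {
    sched="0 * * * *"   # hourly, as in the article
    case "$1" in
        Linux|SunOS)
            for s in sisipsagent sisidsagent sisipsutil; do
                echo "$sched /etc/init.d/$s health_check"
            done ;;
        AIX)
            for s in sisipsagent sisidsagent; do
                echo "$sched /etc/rc.$s health_check"
            done ;;
        HP-UX|OSF1)
            for s in sisipsagent sisidsagent; do
                echo "$sched /sbin/init.d/$s health_check"
            done ;;
        *)
            echo "unsupported platform: $1" >&2
            return 1 ;;
    esac
}

# merge_crontab EXISTING NEW: print EXISTING (minus blank lines) followed by
# each NEW line that is not already present verbatim.
merge_crontab() {
    existing="$1"; new="$2"
    printf '%s\n' "$existing" | sed '/^$/d'
    printf '%s\n' "$new" | while IFS= read -r line; do
        printf '%s\n' "$existing" | grep -Fqx -- "$line" || printf '%s\n' "$line"
    done
}

# install_health_check: merge the entries for this host into root's crontab.
# crontab(1) writes the platform's own spool file, so no path guessing.
install_health_check() {
    plat=$(uname -s)
    new=$(health_check_entries "$plat") || return 1
    current=$(crontab -l 2>/dev/null || true)
    merge_crontab "$current" "$new" | crontab -
}

if [ "${1:-}" = install ]; then
    install_health_check
else
    health_check_entries "$(uname -s)"
fi
```

Run it with no argument to preview the lines for the current host, and with "install" as root to apply them.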
 
About the system_state attribute in the policy:  
 
The system_state attribute in the policy (*.conf) corresponds to the state/configuration of the prevention policy applied at the Agent and can have the following values:   
 
P - Prevention Policy globally overridden
X - Prevention Policy overridden except for Self Protection
G - Prevention Policy globally disabled (Global Log Only option selected)
"" - Prevention Policy enabled
 
The system_state flag reflects ONLY the state of the applied policy. One scenario in which this setting in the .conf file does not reflect the actual state of the IPS driver is when the built-in policy has been applied manually (i.e. with the config tool's '-r' parameter, sisipsconfig.sh -r).
 
To query the policy name currently applied to the system, run 'cat /proc/sisips' and correlate the Policy Name with the .conf file; the system_state value in the .conf file only describes the driver if the policy names match.
 
For instance, after running sisipsconfig.sh -r:
 
# cat /proc/sisips
== POLICY INFO ==
Policy Name    = pl_builtin
Policy Version = 1.0
Policy ID      = BUILTIN
 
Or after resetting to previously applied policy:
 
# cat /proc/sisips
== POLICY INFO ==
Policy Name    = sym_unix_protection_sbp
Policy Version = 225
Policy ID      = b39b9e81df0dea488b5d74637c707496
 
Currently, the proc information doesn't reflect the current system_state value.
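The script below is an added example, not part of the article or the DCS agent: it reads the POLICY INFO fields from /proc/sisips and reports whether the built-in policy is in force, which is the case in which the system_state attribute of the .conf file must not be trusted. The field names and the pl_builtin/BUILTIN values are taken from the sample output above; the layout is assumed to be exactly "Key = value" lines.

```shell
#!/bin/sh
# Added example: interpret /proc/sisips POLICY INFO (not DCS tooling).

# proc_field FILE KEY: value of the "KEY = value" line, first match only.
# Values are assumed to contain no whitespace, as in the sample output.
proc_field() {
    sed -n "s/^${2}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# applied_policy [FILE]: one line describing what the driver is enforcing.
# Returns 1 when the built-in policy is active (system_state in the .conf is
# not authoritative), 2 when the file cannot be read, 0 otherwise.
applied_policy() {
    f="${1:-/proc/sisips}"
    [ -r "$f" ] || { echo "unknown: cannot read $f (driver not loaded?)"; return 2; }
    name=$(proc_field "$f" "Policy Name")
    ver=$(proc_field "$f" "Policy Version")
    id=$(proc_field "$f" "Policy ID")
    if [ "$id" = BUILTIN ]; then
        echo "builtin: $name (system_state in the .conf file is not authoritative)"
        return 1
    fi
    echo "policy: $name version $ver id $id"
}

applied_policy "$@"
```

Pair the Policy Name this prints with the name in the applied policy's .conf file before reading its system_state attribute; if the output says "builtin", the .conf is stale and the testforprevention probe is the only reliable check.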