License Terms and Conditions. Symantec, the Symantec Logo, Norton, Norton AntiVirus, and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering.
The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/techsupp/ent/enterprise.html. Select your region or language under Global Support, and then select the Licensing and Registration page.
North America and Latin America: supportsolutions@symantec.com

Additional enterprise services
Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.
Disabling Windows XP firewalls ... 21
Disabling Internet Connection Firewall ... 21
Disabling Windows Firewall ... 22
About using firewalls with Symantec Critical System Protection ... 22
About name resolution ... 23
About IP routing ... 24
About intrusion prevention ... 24
About simple failover ...
Bypassing prerequisite checks ... 77
Installing an agent in verbose mode ... 78
Installing the management server into a database instance previously used for Symantec Critical System Protection ... 37
Management server installation settings and options ... 38
Troubleshooting agent issues ... 99
Chapter 5 Migrating to the latest version
Migrating legacy installations of Symantec Critical System Protection ... 101
Providing scspdba password during management server upgrade ... 102
Unattended Windows agent migration ... 103
Specifying the management server list for an agent ... 103
Migrating other legacy agent installations ... 105
...
Copying files required for the policy conversion utility ... 110
Migrating legacy detection policy files ... 111
Converting legacy detection policy files ... 111
Importing the zip file ... 113
Creating a new policy ... 113
Validating your rules ... 114
Validating rule types and criteria ...
Symantec Critical System Protection agents control behavior by allowing and preventing specific actions that an application or user might take. For example, a Symantec Critical System Protection prevention policy can specify that an email application may not spawn other processes, including dangerous processes like viruses, worms, and Trojan horses.
Symantec Critical System Protection agents detect behavior by auditing and monitoring processes, files, log data, and the Windows registry. For example, a Symantec Critical System Protection detection policy can specify to monitor the Windows registry keys that the Welchia worm changes during infection and send an alert. As a result, Windows registry security-related events can be put into context and appropriate measures taken.
About the policy library
Symantec Critical System Protection provides a policy library that contains preconfigured prevention and detection policies, which you can use and customize to protect your network. A prevention policy is a collection of rules that governs how processes and users access resources.
Where to get more information
Product manuals for Symantec Critical System Protection are available on the Symantec Critical System Protection installation CD. Updates to the documentation are available from the Symantec Technical Support and Platinum Support Web sites.
About network architecture and policy distribution
When you install Symantec Critical System Protection for the first time for testing purposes, you do not need to consider network architecture and policy distribution. You can install a management server and management console, along with a few agents, and become familiar with Symantec Critical System Protection operations. When you are ready to roll out policies to your production environment, you can roll out different policies that are based on computing needs, and prevention and detection levels.
Table 2-1 lists the operating systems that each Symantec Critical System Protection component supports.
[Table 2-1: Component / Operating system / Service pack. The column layout did not survive extraction. Operating systems named: Windows NT Server; Sun Solaris 8.0/9.0/10.0 (see “Solaris packages”); Red Hat Enterprise Linux ES 3.0 and ES 4.0 (see “Linux kernel driver support” on page 19); SUSE Enterprise Linux 8 and SUSE Enterprise Linux 9; Hewlett-Packard HP-UX 11.11 (11i v1) and 11.23 (11i v2) on PA-RISC (IDS only); Hewlett-Packard HP-UX 11.23 (v2)/11.31 (v3) on Itanium 2. Service pack entries in the table: SP1 or later; SP1, R2.]
Linux kernel driver support
The Symantec Critical System Protection agent supports the Linux kernel for Red Hat Enterprise Linux ES 3.0 and ES 4.0 and for SUSE Enterprise Linux 8 and SUSE Enterprise Linux 9 SP4. The agent comes packaged with precompiled drivers that support the latest stock kernel versions, including:
■ 2.6.5-7.191
■ 2.6.5-7.244
■ 2.6.5-7.252

Recommended hardware
[Table: recommended hardware for each Symantec Critical System Protection component, with a “Specific OS (if applicable)” column. The hardware figures did not survive extraction. OS entries: Windows Server 2003 Standard/Enterprise x64 (two rows); Sun Solaris 8, 9, 10; Sun Solaris 10; HP-UX on PA-RISC ...]
Firewall that can interfere with network communications. If any of your computers run Windows XP, you can disable the Windows XP firewall before or after you install Symantec Critical System Protection components.

To disable Internet Connection Firewall
On the Windows XP taskbar, click Start > Control Panel.
Click OK.

About using firewalls with Symantec Critical System Protection
To use Symantec Critical System Protection with a firewall, you need to configure the firewall to support communications by opening ports, or by specifying trusted services.
Note: All ports are default settings that you can change during installation.
Thus, your firewall must allow traffic from the management server to the MS SQL Server system on UDP port 1434 and on the TCP port used by the Symantec Critical System Protection instance. You can get more information about MS SQL Server's use of ports at http://support.microsoft.com/default.aspx?scid=kb;EN-US;823938.
Agent Config Tool, and rebooting the agent computer. If you are only interested in the detection features of Symantec Critical System Protection, Symantec recommends that you select the enable intrusion prevention option during agent installation, and use the Null prevention policy to avoid any blocking.
Simple failover enables you to deploy a set of front-end Tomcat servers without reconfiguring your IT infrastructure. The ordered list of management server host names or IP addresses is maintained by the Symantec Critical System Protection agent configuration. Another use for simple failover is static load balancing. With static load balancing, you manually assign a set of agents to each Tomcat server.
Once the IPS Service fails away from the first server in the ordered list, it periodically checks if server #1 is back, based on the fail back interval. When the fail back interval expires, the IPS Service checks if server #1 is ...
To use simple failover for an agent, you must provide the list of primary and alternate management servers using one of the following methods:
■ If you are installing Symantec Critical System Protection for the first time, you provide the list of primary and alternate management servers during agent installation.
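The failover behaviour described above (an ordered server list, failing away from server #1, and re-checking server #1 once the fail back interval expires), written out as an added Python model; this is not code from the guide or from the Symantec agent. It also shows how static load balancing falls out of giving each agent a differently ordered list. Assumptions the guide does not state: the agent walks the list in order and wraps around when it reaches the end, it returns to the primary as soon as a fail-back check finds it reachable, and the host names, the outage schedule and the `simulate` helper are constructed for illustration.

```python
"""Model of agent-side simple failover (added illustration, not Symantec code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Probe = Callable[[str], bool]  # returns True when the management server answers


def parse_server_list(spec: str) -> List[str]:
    """Parse the 'primary[,alternate1,alternate2,...]' form into an ordered list."""
    servers = [s.strip() for s in spec.split(",") if s.strip()]
    if not servers:
        raise ValueError("at least one management server is required")
    return servers


def static_lists(agent_names: List[str], servers: List[str]) -> Dict[str, List[str]]:
    """Static load balancing (assumed approach): hand each agent a rotated copy of
    the ordered list so that different agents start on different Tomcat servers."""
    n = len(servers)
    return {name: servers[i % n:] + servers[: i % n] for i, name in enumerate(agent_names)}


@dataclass
class FailoverState:
    servers: List[str]
    failback_interval: int       # minutes, as set with the agent config tool
    probe: Probe
    current: int = 0             # index of the server currently in use
    minutes_since_check: int = 0  # minutes since server #1 was last assessed

    def select(self) -> str:
        """Return the server the agent should talk to right now."""
        # Away from the primary and the fail back interval has expired: re-check #1.
        if self.current != 0 and self.minutes_since_check >= self.failback_interval:
            self.minutes_since_check = 0
            if self.probe(self.servers[0]):
                self.current = 0
                return self.servers[0]
        # Otherwise stay on the current server; if it fails, walk the list in order
        # (assumption: the walk wraps around to the start of the list).
        n = len(self.servers)
        for step in range(n):
            idx = (self.current + step) % n
            if self.probe(self.servers[idx]):
                if idx != self.current:
                    self.current = idx
                    self.minutes_since_check = 0
                return self.servers[idx]
        raise ConnectionError("no management server reachable")

    def tick(self, minutes: int = 1) -> None:
        self.minutes_since_check += minutes


def simulate(spec: str, failback_interval: int, down: Dict[str, Set[int]], minutes: int) -> List[str]:
    """Run the selection once per simulated minute. `down` maps a server to the
    minutes during which it is unreachable (a constructed outage schedule)."""
    servers = parse_server_list(spec)
    clock = {"now": 0}

    def probe(host: str) -> bool:
        return clock["now"] not in down.get(host, set())

    state = FailoverState(servers, failback_interval, probe)
    chosen = []
    for now in range(minutes):
        clock["now"] = now
        chosen.append(state.select())
        state.tick()
    return chosen


if __name__ == "__main__":
    # Constructed scenario: primary down during minutes 1-4, fail back interval 3 minutes.
    print(simulate("ms1.example.test,ms2.example.test", 3,
                   {"ms1.example.test": {1, 2, 3, 4}}, 8))
```

In the constructed run the agent moves to the alternate at minute 1, probes the primary again at minute 4 (interval expired, primary still down, so it stays on the alternate) and returns to the primary at minute 7. A short fail back interval makes agents return to the primary sooner at the cost of more probes against a server that may still be down.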
Service) do not automatically restart after aborting. About log files Symantec Critical System Protection uses log files to record events and messages related to agent and management server activity. Multiple versions of a log file may exist, as old versions are closed and new versions are opened.
You can begin enforcing the Symantec Critical System Protection policies on agents immediately after agent installation and registration with the management server. Symantec recommends that you first apply a policy to a few agents, and then verify that the agent computers are functioning properly with the applied policy.
Installing Symantec Critical System Protection on Windows
This chapter includes the following topics:
■ About installing Symantec Critical System Protection on Windows
■ About installing a database to a SQL Server instance
■ Configuring the temp environment variable
■ Installing the management server
■ ...
About installing Symantec Critical System Protection on Windows
If this is a first-time installation, you should install, configure, and test Symantec Critical System Protection components in a test environment. You should install the Symantec Critical System Protection components in the order listed:
■ Management server
■ Management console
■ ...
The Windows installation kit does not remove the scsp-check-bypass.txt file upon successful installation. You can bypass the following checks when installing the Symantec Critical System Protection agent:
■ Agent install disk space checks that are performed apart from MSI engine
■ ...
100 MB for the database. MSDE and SQL Server automatically allocate more space when it is needed. If you elect to install a database to an instance of SQL Server, Symantec recommends that you first install a new instance of SQL Server that conforms to the installation requirements.
About installing on computers that run Windows 2000 If you want to install Microsoft SQL Server and Symantec Critical System Protection management server on different computers, and if the computer on which you want to install Symantec Critical System Protection management server runs Windows 2000 Professional or Server, you must first upgrade the Microsoft Data Access Components (MDAC) version on that computer.
Installing the management server The management server coordinates events from agents, and provides database access to the Symantec Critical System Protection authoring environment and management console. The management server secures communication with other components by using SSL to encrypt the communication channel.
Installing the management server into a database instance previously used for Symantec Critical System Protection
If you are installing the Symantec Critical System Protection management server into an existing SQL Server (or MSDE) instance that contained a previous Symantec Critical System Protection server database, you must clean the previous Symantec Critical System Protection database and user accounts from the instance.
Using the SQL Server Enterprise Manager, do the following:
■ Drop the Symantec Critical System Protection database.
■ Select the Security folder of the instance, click Logins, select the Symantec Critical System Protection user accounts, and then right-click Delete. You must delete the following accounts:
■ ...
Table 3-2 Management server installation settings
[Reconstructed from the extracted fragments; rows whose setting name did not survive are listed by description only.]
■ Installation directory: the directory location for the management server.
■ Agent Port: the port that is used to communicate with the agent. If you are installing on a computer that runs a Web ...
■ MSDE Data Path: default C:\Program Files\Symantec\Critical System Protection\Server. Options: MSDE Eval: variable; SQL Eval: NA; SQL Prod: NA.
■ sa password: the password that is associated with the database sa account. The password must be 8 to 19 characters long, not begin with _ and contain at least two two-letter characters. Options: SQL Eval: NA; SQL Prod: variable.
■ SCSP Database Guest user password: default none. Options: MSDE Eval: NA; SQL Eval: NA; SQL Prod: variable.

Installing an evaluation installation that runs MSDE on the local ...
In the Installation Type panel, click Evaluation Installation, click Install MSDE on the Local System, and then click Next.
In the Destination Folder panel, change the folder if necessary, and then click Next.
In the Database Selection panel, change the default server and database directory locations if necessary. The directory name must contain printable ASCII characters only. Multi-byte, double-byte, hi-ASCII and non-printable ASCII characters are not supported.
■ The sa account must already exist and you must provide the accurate password for the sa account during the management server installation.

Type the IP address or fully qualified domain name of the SQL Server.
■ All other accounts (owner, guest, and internal accounts) must not exist in the instance. The management server installation creates these accounts and aborts if it cannot create them.
■ These files are located in the default management server installation directory: C:\Program Files\Symantec\Critical System Protection\Server

Type the name of the database to install. The option is for use with international operating systems.
Installing and configuring the management console
Note: If the management server database is on a Tomcat system instead of a dedicated system, you must specify the real IP (not localhost) for the initial installation.
The following table describes the management console configuration settings and options.
[Table: Management console configuration settings. Recoverable rows: Server Host (default: localhost); Port (default: 4443). Server Host is the name of the management server that you want to manage from the management console.]
If you feel that your system provides adequate firewall security and you do not want to use SSL X.509 certificate-based channel encryption for Symantec Critical System Protection, clear this check box. If you clear this check box, you must edit the server.xml file, found on the management server, in the <Server_Install_Root>\tomcat\conf...
Installing a Windows agent The Symantec Critical System Protection agent enforces policy on the endpoints. Each agent enforces rules that are expressed in policies, thereby controlling and monitoring application (process) and user behavior. You must log on to an Administrator account to install a Windows agent.
Table 3-4 Windows agent installation settings
[Reconstructed from the extracted fragments; defaults and descriptions are given where they survived.]
■ Primary Management Server: the IP address or fully qualified host name of the management server that will manage the agent.
■ Agent Port: the Agent Port number that was used during management server installation.
■ Logs File Directory: default C:\Program Files\Symantec\Critical System Protection\Agent
■ Agent Name: default is the host name of the agent computer
■ Polling Interval: default 300 seconds
■ Enable Intrusion Prevention: default Enabled
■ Prevention Configuration Group: default none
■ Prevention Policy Group: default none. The name of an existing prevention policy group for this agent to join.
■ Detection Configuration Group: default none
■ Detection Policy Group: default Windows
■ Service user name: the service user name account that registers services for the agent.

In the Welcome panel, click Next.
In the License Agreement panel, select I accept the terms in the license agreement, and then click Next.
Next. In the Agent Configuration panel, accept or change the default settings, and then click Next. Symantec strongly recommends that you do not clear the Enable Intrusion Prevention check box. In the Management Server Configuration panel, in the Primary Management Server box, type the fully qualified host name or IP address of the primary server that is used to manage this agent.
If you changed the Agent Port setting during management server installation, in the Agent Port box, type a port number that matches.
(Optional) In the Management Server Configuration panel, in the Alternate Management Servers box, type the fully qualified host name or IP address of the alternate servers that are used for failover for this agent.
You may add multiple detection policy group names separated with commas. You may include the name of an existing detection policy domain in the group path/name.
11 In the Agent Group Configuration panel, click Next.
Note: You must enclose the command string that follows /v in quotations.

To display InstallShield commands
Insert the installation CD into your computer.
Display a command prompt, and navigate to the agent installation directory.
Type and run one of the following commands:
agent.exe ?
agent-windows-nt.exe ?

Microsoft Windows Installer commands
See the Microsoft documentation for information about standard Microsoft Windows Installer commands and additional logging levels.
Table 3-6 describes the Windows agent installation settings and options for unattended installation.
Table 3-6 Windows agent installation settings
[Reconstructed from the extracted fragments; properties whose name did not survive are listed by description only.]
■ (management server property, name not recoverable)=<val>: the IP address or fully qualified host name of the management server that will manage the agent.
■ AGENT_NAME=<name>: default is the host name of the agent computer.
■ AGENT_PORT=<val>
■ LOG_DIR=<val>: default C:\Program Files\Symantec\Critical System Protection\Agent. The installation directory prefix for the <prefix dir>/scsplogs subdirectory.
■ POLLING_INTERVAL=<val>
■ IPS_ENABLE=<val>
■ NOTIFICATION_PORT=<val>
■ (common configuration group property, name not recoverable)=<val>: the name of an existing common configuration group for this agent to join. An agent is placed in the default common configuration group, unless you specify another configuration group that already exists in the management console.
■ IPS_CONFIG_GROUP=<val>
■ IPS_POLICY_GROUP=<val>
■ IDS_CONFIG_GROUP=<val>
■ SERVICE_CONFPW=<val>

Installing the Windows NT policy
The Windows NT prevention policy is not part of the Symantec Critical System Protection installation; the policy must be installed separately. You can obtain the policy from the Symantec Critical System Protection installation CD, and then manually import the policy into the policy library.
Uninstalling Symantec Critical System Protection To uninstall Symantec Critical System Protection, you need to uninstall each component separately. You can uninstall the components in any order. If the agent runs on a computer that also runs the management server or management console, disable policy prevention on the agent by setting the Null policy or by using the policy override tool.
MsiExec.exe. It can be found in the following registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Browse the list of IDs. Locate the Symantec Critical System Protection agent application by looking at the properties in the right pane. Note the UninstallString value, and copy and modify it. For example:
MsiExec.exe /X{3D24482F-98BD-48DD-AA62-8B24BFDE7329} /qn /l*v!+...
■ If the policy on the computer that runs the agent is not Null and permits policy override, use the policy override tool to disable policy prevention. See the Symantec Critical System Protection Policy Override Guide.

To uninstall the management console and database
Disable policy prevention on the agent computer.
Click Symantec Critical System Protection Management Server, and then click Remove.
Follow and complete the prompts until uninstallation completes.
(Optional) Do one of the following:
■ If you installed the evaluation database, click Microsoft SQL Server Desktop Engine (SCSP), and then click Remove.
Warning: Use the alternate hardware profile method only if you cannot disable intrusion prevention using other methods. You must create the alternate hardware profile before using Symantec Critical System Protection with intrusion prevention enabled. To temporarily disable Windows NT agents, you must disable intrusion prevention on the agent.
In the Available Hardware Profiles pane, select Original Configuration, and then click Copy. Type a name for the new hardware profile, and then click OK. To disable the Symantec IPS driver for the new hardware profile, do the following: Click Start > Settings > Control Panel > Devices.
The following examples show a command string:
agent.exe /s /v"/qn /l*v!+ %temp%\SISAgentSetup.log"
agent-windows-nt.exe /s /v"/qn /l*v!+ %temp%\SISAgentSetup.log"
See “Unattended agent installation” on page 59.
See “Unattended Windows agent migration” on page 103.
Installing UNIX agents
This chapter includes the following topics:
■ About installing UNIX agents
■ Installing an agent in verbose mode
■ Installing an agent in silent mode
■ Uninstalling agents using package commands
■ Uninstalling agents manually
■ Disabling and enabling UNIX agents
■ ...
Table 4-1 UNIX agent installation settings
[Reconstructed from the extracted fragments; defaults and descriptions are given where they survived.]
■ SSL certificate: all primary and alternate management servers must use the same certificate file.
■ Agent name: required. The name of the agent computer. After installation, you can change the agent name through the management console.
■ Locale: Symantec Critical System Protection agent locale setting.
■ Agent Port: the Agent Port number that was used during management server installation.
■ Agent Polling Interval: default 300 seconds
■ Notification Port: default 2222
■ Agent Notifications: default Enable
■ Util Service Port: default 2323
■ Enable IPS Feature: default Enable
■ Common Config Group: default none. The name of an existing common configuration group for this agent to join. You use common configuration groups to apply communication and event logging parameters to agents.
■ Prevention Config Group
■ Prevention Policy Group
■ Detection Configuration Group
■ Detection Policy Group

Bypassing prerequisite checks
The UNIX installation kit lets you bypass some of the prerequisite checks for agent installation. You can use this feature if you know the installation kit is incorrectly failing a prerequisite. To enable the bypass prerequisite checks feature, run touch as superuser:
touch /etc/scsp-check-bypass
After agent installation, you should assign a prevention policy and one or more detection policies to the agent using the management console. See the Symantec Critical System Protection Administration Guide for information on assigning policies. Before you install an agent, you need to place the SSL certificate on the computer that is targeted for installation.
■ On the computer on which the agent will be installed, create a directory and then copy the file agent-cert.ssl into the directory using FTP in binary mode or some other protocol. The directory path name cannot contain spaces.

To install an agent in verbose mode
Open a Terminal window and become superuser.
Table 4-2 UNIX agent installation settings (silent mode switches)
[Reconstructed from the extracted fragments; switches whose name did not survive are listed by description only.]
■ -help: you can run the installer with the -help switch to get a list of all the switches.
■ (version switch, name not recoverable): displays the installation package version information. Installation does not occur.
■ (silent switch, name not recoverable): installs silently without user prompts.
■ (certificate directory switch, name not recoverable): the directory location of the SSL certificate file, agent-cert.ssl, obtained from the Symantec Critical System Protection management server installation directory. You must copy this file from the management server to the specified location before starting the installation.
■ -idsPolGrp=<group>: default is the OS-specific group. The name of an existing detection policy group for this agent to join. You can specify multiple groups by using ... The OS-specific group is one of the ...
■ -agentport=<port>
■ -notifyport=<port>
■ -notify=<0|1>
■ -svcport
■ (IPS enable switch, name not recoverable): indicates whether to enable intrusion prevention for Solaris or Linux agents. When enabled, the prevention features of Symantec Critical System Protection are enabled for the agent. The IPS drivers are loaded on the agent computer, and the agent accepts prevention policies from the management console.
Default values that appear in the table but whose rows did not survive extraction: none; none; Interactive; No reboot; 127.0.0.1; none; /opt/Symantec; /var/log/scsplog.
To install an agent in silent mode
Follow the procedures and steps that are used to install an agent in verbose mode, up to and including mounting the installation CD drive. Type and run the following command after replacing <os> ...
On HP-UX, type and run the following command:
swremove SYMCcsp
On Tru64, type and run the following command:
setld -d SYMCSP513
(Solaris and Linux) If the uninstall completes successfully, run the following command to restart the computer:
init 6
Computers running HP-UX and AIX do not need to be restarted.

Uninstalling agents manually
If an agent installation is canceled or an error occurs during installation, the installation might be corrupted, and might prevent you from uninstalling an ...
Type and run the following commands:
rem_drv sisips; rem_drv sisipsne; find /kernel -name '*sisips*' | xargs rm -f
Type and run the following commands to remove the installation files:
rm -rf /opt/Symantec/scspagent
rmdir /opt/Symantec
rm -rf /etc/sisips
rm -f /etc/Symantec.conf
rm -f /etc/sisips.conf
...
If either agent process is running, run the following command to stop the agent process:
kill -KILL <agent_PID>
Type and run the following commands to remove the installation files:
rm -rf /opt/Symantec/scspagent
rmdir /opt/Symantec
rm -rf /etc/sisips
rm -f /etc/sisips.conf
rm -f /etc/init.d/sisi?s*
...
If either agent process is running, run the following command to stop the agent process:
kill -KILL <agent_PID>
Type and run the following commands to remove the installation files:
rm -rf /opt/Symantec/scspagent
rmdir /opt/Symantec
rm -rf /etc/sisips
rm -f /etc/Symantec.conf
rm -f /etc/sisips.conf
...
If either agent process is running, run the following command to stop the agent process:
kill -KILL <agent_PID>
Type and run the following commands to remove the installation files:
rm -rf /opt/Symantec/scspagent
rmdir /opt/Symantec
rm -rf /etc/sisips
rm -f /etc/Symantec.conf
rm -f /etc/sisipsdaemon.pid
...
If either agent process is running, run the following command to stop the agent process:
kill -KILL <agent_PID>
Type and run the following commands to remove the installation files:
rm -rf /opt/Symantec/scspagent
rmdir /cluster/members/\{memb\}/Symantec
rm -rf /var/log/scsplog
rm -f /var/run/sisipsdaemon.pid
rm -f /var/run/sisidsdaemon.pid
...
Edit /etc/symantec/sis/sis.conf and remove the following line:
SisInstalledClsId=<cluster_member_id>
Get the Cluster Member ID by running the following command:
/sbin/sysconfig -q generic | grep memberid
If the machine is not a member of a TruCluster, or it is configured as a ...
You must include the s switch in the boot command to boot into single-user mode. If you omit the s switch, then once the system boots into multi-user mode, it will enable the Symantec Critical System Protection driver. When the boot sequence asks for the location of your /etc/system file, type...
Enabling a disabled Solaris agent
You can enable a Solaris agent that was previously disabled.
To enable a disabled Solaris agent
Open a Terminal window and become superuser.
Type and run the following commands, which rename the sisipsagent and sisidsagent scripts:
mv /etc/init.d/sisipsagentOFF /etc/init.d/sisipsagent
mv /etc/init.d/sisidsagentOFF /etc/init.d/sisidsagent
Type and run the following command to restart the computer:
init 6
...
Warning: You should perform these procedures only in emergency situations.
To permanently disable Linux agents
Open a Terminal window and become superuser.
Type and run the following commands:
/etc/init.d/sisipsagent stop
/etc/init.d/sisidsagent stop
Type and run the following commands to rename the agent scripts, which temporarily break any symbolic links in the rc#.d startup scripts:
mv /etc/init.d/sisipsagent /etc/init.d/sisipsagentOFF
...
/sbin/init.d/sisidsagent stop

Permanently disabling HP-UX agents
If you have performance issues with HP-UX agents, you may need to permanently disable them.
Warning: You should perform these procedures only in emergency situations.
To permanently disable HP-UX agents
Open a Terminal window and become superuser.
Type and run the following commands:
/sbin/init.d/sisipsagent stop
/sbin/init.d/sisidsagent stop
...
Temporarily disabling AIX agents
Warning: You should perform these procedures only in emergency situations.
To temporarily disable AIX agents
Open a Terminal window and become superuser.
Type and run the following commands:
/etc/rc.sisipsagent stop
/etc/rc.sisidsagent stop

Permanently disabling AIX agents
...
rcsisidsagent:23456789:wait:/etc/rc.sisidsagent start >/dev/console 2>&1
Type and run the following commands to restart the agents:
/sbin/init.d/sisipsagent start
/sbin/init.d/sisidsagent start

Disabling and enabling Tru64 agents
This section describes how to disable and enable Tru64 agents.
Temporarily disabling Tru64 agents
Warning: You should perform these procedures only in emergency situations.
To temporarily disable Tru64 agents
Open a Terminal window and become superuser.
mv sisipsagent sisipsagentOFF
mv sisidsagent sisidsagentOFF
If the machine is not a member of a TruCluster, is configured as a single member cluster, or if you want to disable the agent on all clusters, perform the following actions:
mv /sbin/init.d/sisipsagent /sbin/init.d/sisipsagentOFF
mv /sbin/init.d/sisidsagent /sbin/init.d/sisidsagentOFF
...

Monitoring and restarting UNIX agents
Monitoring and restarting UNIX agents

■ Crontab: /var/spool/cron/crontabs/root
  Scripts: /sbin/init.d/sisidsagent, /sbin/init.d/sisipsagent

Note: The scripts keep the last five core files generated in the agent's respective home directory (/opt/Symantec/scspagent/IDS/bin and /opt/Symantec/scspagent/IPS). To change this setting, modify the MAX_CORES=5 value in the scripts.

Troubleshooting agent issues

ISSUE: An NFS server that does not respond on an agent computer causes the agent installation to hang.
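The NFS issue above is worth a pre-check rather than a post-mortem: any process that touches a hard NFS mount whose server is gone can block inside the kernel, and on older UNIX platforms that sleep is uninterruptible, so the hung installer cannot be killed either. The script below is an added example, not part of the Symantec installation kit. It reads a mounts(5)-style table (/proc/mounts on Linux; on HP-UX, AIX or Tru64 you would feed it a file with the same spec/mountpoint/fstype column order, which is an assumption of this example), lists the NFS mounts, and probes each one with a bounded wait implemented with a background process so it does not depend on GNU timeout. The names nfs_mounts, probe_mount, nfs_precheck and PROBE_SECS are chosen here.

```shell
#!/bin/sh
# Added example: pre-installation check for unresponsive NFS mounts, the
# failure mode that makes the agent install hang. Not part of the Symantec kit.
# Input is a mounts(5)-style table (/proc/mounts on Linux); the column order
# spec mountpoint fstype ... is assumed. All names below are this example's own.
set -u

PROBE_SECS=${PROBE_SECS:-5}

# Print the mount points whose file system type is nfs or nfs4.
# /proc/mounts escapes spaces as \040, so whitespace splitting is safe.
nfs_mounts() {
    awk '$3 == "nfs" || $3 == "nfs4" { print $2 }'
}

# Touch a mount point with a bounded wait. A hard mount whose server is down
# can block the stat in the kernel, so the probe runs in the background and is
# abandoned (not waited for) once the deadline passes.
# Returns 0 if the mount answered, 1 if it hung or the path is unusable.
probe_mount() {
    mp=$1
    secs=${2:-$PROBE_SECS}
    ls -d "$mp" >/dev/null 2>&1 &
    pid=$!
    i=0
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$i" -ge "$secs" ]; then
            kill -9 "$pid" 2>/dev/null || :   # may not land on a D-state process
            return 1
        fi
        sleep 1
        i=$((i + 1))
    done
    wait "$pid"
}

# Probe every NFS mount in the table; non-zero exit if any is unresponsive.
nfs_precheck() {
    table=${1:-/proc/mounts}
    bad=0
    for mp in $(nfs_mounts < "$table"); do
        if probe_mount "$mp" "$PROBE_SECS"; then
            echo "ok           $mp"
        else
            echo "UNRESPONSIVE $mp"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# When run directly: check the live table and say whether it is safe to install.
if [ -r "${1:-/proc/mounts}" ]; then
    if nfs_precheck "${1:-/proc/mounts}"; then
        echo "no unresponsive NFS mounts; safe to start the agent installation"
    else
        echo "unmount or restore the mounts above before installing the agent"
    fi
fi
```

Run it as root on the agent computer before launching the installer; if it reports an UNRESPONSIVE mount, unmount it (or restore the server) first, because the installer has no deadline of its own and will sit in the same blocked state.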
See "Migrating legacy detection policy files"

Migrating legacy installations of Symantec Critical System Protection

You can migrate legacy installations for the following Symantec Critical System Protection software:
■ Symantec Critical System Protection 5.0.0 (server, console, agent)
■ Symantec Critical System Protection 5.0.1 (server, console, agent)
■ ...
See "Specifying the management server list for an agent"

You cannot upgrade Symantec Critical System Protection 4.5. You must uninstall the Symantec Critical System Protection 4.5 software (server, console, and agent) and then install the latest version.
See "About simple failover"

You use the agent config tool to do the following:
■ After upgrading to Symantec Critical System Protection agent 5.1.1 or higher, add alternate management servers to an agent's configuration
■ Change the primary or alternate management servers used by an agent
■ ...
Table 5-1

Command            Syntax
-host              Windows: sisipsconfig -host primary[,alternate1,alternate2,...]
                   UNIX:    sisipsconfig.sh -host primary[,alternate1,alternate2,...]
-failbackinterval  Windows: sisipsconfig -failbackinterval num_mins
                   UNIX:    sisipsconfig.sh -failbackinterval num_mins
                   num_mins = number of minutes...
Migrating other legacy agent installations

You can migrate legacy software agent installations for the following software:
■ Symantec Intruder Alert™ 3.6 and higher
■ Symantec Host Intrusion Detection System (Symantec Host IDS) 4.0 and higher

Agent software migration is straightforward. When you install Symantec Critical System Protection agents, the installation kit automatically detects legacy agents, uninstalls the legacy software, and installs the latest version.
Symantec Critical System Protection management console and authoring environment. Symantec Critical System Protection implements rules differently than Symantec Intruder Alert and Symantec Host IDS, so you must validate your rules before compiling your policies. Checklist for migrating from Symantec Intruder...
See "Migrating legacy detection policy files"

The policy conversion process automatically migrates your existing Symantec Intruder Alert registry and event log settings, but you will need to manually reenter any custom files under observation into the file lists in the following policies:
■ Host_IDS_File_Tampering policy
■ ...
The Symantec Critical System Protection management server only runs on Windows, while the SESA server is multi-platform. You may want to run Symantec Host IDS and Symantec Critical System Protection in parallel, migrating over agents from Symantec Host IDS to...
(and each ungrouped agent), noting the stock policies and the custom policies that are applied. You should be able to find equivalent Symantec Critical System Protection policies for the Symantec Host IDS stock policies that you applied. Uninstall the Symantec Host IDS agent, and install the Symantec Critical System Protection agent on each client to be migrated.
Installing the authoring environment and policy conversion utility

The Symantec Critical System Protection authoring environment and the policy conversion utility were automatically installed during management console installation. No separate installation is required.
This is accomplished using command line switches. The -p switch converts legacy detection policy files to Symantec Critical System Protection detection policy files, and creates option groups for the policy so that you can see the policy rules with the management console. The OS switches convert OS-specific policies;...
Switch: none (converts policy files to policy files)
Description: Converts legacy detection policy files to Symantec Critical System Protection detection policy files, and creates option groups for the policy so that you can see the policy rules with the management console.
The next procedure is to create a new policy and add one of the legacy rulesets that you imported. Symantec recommends that you follow a one ruleset per policy association to reduce complexity.
10 Click Tools > Validate.

Validating your rules

In Symantec Host IDS and Symantec Intruder Alert, rules are not typed. In Symantec Critical System Protection, rules are typed (event log, registry, and so on). When you validated your new policy, you validated that the initial conversion was successful.
■ Select on System is changed due to architecture limitations.
■ Email and SNMP are implemented on the management server side.
■ The Append to file action is limited to the local file system. With Symantec Intruder Alert, you can specify to append to c:\temp\log.txt@anotherITAgentname.
You should also validate your policies after configuring option groups. See the Symantec Critical System Protection Policy Authoring Guide for details on how to configure an option group for detection policies. Compiling a policy Once you verify that your rules are properly migrated, you are ready to compile your policy.
■ Test the workspace policy.
■ Apply the workspace policy to your agents and policy groups.
See the Symantec Critical System Protection Administration Guide for instructions on applying policies created and compiled in the authoring environment.
Index

48, 110
domain, detection policy 54, 58, 77, 82
fail back interval 26, 103, 104
failover 25, 74, 103
firewall, using with Symantec Critical System Protection 22
HP-UX agents
  disabling and enabling 94
  monitoring and restarting 98
  uninstalling manually 88...
SQL 44
hardware requirements 20
installation settings 38
installation type 38
installing 36
installing into database instance previously used for Symantec Critical System Protection 37
operating system requirements 17
primary 74, 103
production installation
  Tomcat and database schema 45
  Tomcat only 47...
  UNIX agents using package commands 84
  Windows agents 66
UNIX agent installation 78
unattended installation options 79
upgrade Symantec Critical System Protection 101
Windows Installer, commands 60
Windows NT policy, installing 64
Windows XP firewalls
  disabling 21
  Internet connection firewall 21...