
Smarter Securi-

Integrity Document Library

Installation and Administration Guide

Installing and using Integrity Agent for Linux

1-0277-0650-2006-03-09


Editor's Notes: ©2006 Check Point Software Technologies Ltd. All rights reserved.

Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecurRemote, SecurServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, TrueVector, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, Web Intelligence, ZoneAlarm, Zone Alarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726 and 6,496,935 and may be protected by other U.S. Patents, foreign patents, or pending applications.


Contents

Chapter 1 Deployment Process and Requirements
    System Requirements
    Deployment workflow

Chapter 2 Managing Linux Computer Groups
    Managing Linux computer groups
        Creating a user catalog and group for Linux computers
        Setting the cm_auth parameter

Chapter 3 Overview of Policy Settings
    Supported policy settings
    Understanding policy enforcement
        Disconnected policy for Linux options
    Managing the disconnected policy

Chapter 4 Installing and Configuring Integrity Agent
    Determining the installation type
    Installing using the installation script
        Uninstalling using the installation script
    Installing using the Integrity Agent RPM
        Before you begin
        Building a customized RPM
        Installing Integrity Agent using RPM
        Upgrading Integrity Agent using RPM
        Uninstalling Integrity Agent using RPM
    Customizing the Integrity Agent configuration
        Configuration file settings
        Changing the Integrity Server Connection Manager address
        Changing the cm_auth parameter
    Running Integrity Agent
        Using the command line interface
            Integrity Agent RPM
            Integrity Agent script
        Using the Service Manager
        Checking the Log


Chapter 1 Deployment Process and Requirements

Integrity Agent for Linux® provides enterprise endpoint security for Linux users. Use this guide to install and administer Integrity Agent.

This chapter provides the system requirements and an overview of the deployment and implementation process for Integrity Agent in an established, Integrity Server-protected enterprise network.

System Requirements

Integrity Agent requires the following operating system:

Red Hat Enterprise Workstation Edition version 3.0 or later

Deployment workflow

To successfully deploy Integrity Agent to endpoint computers on your Integrity-protected network, perform the procedures below in order. Each phase of the deployment process is dependent on the items you verified or configured in the previous phase.

To deploy Integrity Agent for Linux:

1. Create a user catalog and group for the protected Linux computers.

See “Creating a user catalog and group for Linux computers,” in Chapter 2: Managing Linux Computer Groups on page 4.

2. Create and assign an enterprise policy to the Linux user group.

First see “Overview of Policy Settings,” in Chapter 3: Overview of Policy Settings on page 5, then go to the Integrity Server Administrator Guide for detailed instructions on creating, configuring, and assigning the enterprise policy.

3. Create and export a disconnected policy for Integrity Agent.

First see “Supported policy settings,” in Chapter 3: Overview of Policy Settings on page 6, then go to the Integrity Server Administrator Guide for detailed instructions on creating, configuring, and exporting a policy.

4. Install Integrity Agent on the endpoint computers.

See “Installing and Configuring Integrity Agent,” in Chapter 4: Installing and Configuring Integrity Agent on page 9.

5. Customize Integrity Agent (optional).

See “Customizing the Integrity Agent configuration,” in Chapter 4: Installing and Configuring Integrity Agent on page 18.

This document is intended specifically for Integrity Agent for Linux. All references in this document to Integrity Agent refer to the Linux version, unless otherwise specified.


Chapter 2 Managing Linux Computer Groups

This chapter explains how to manage Linux computer groups and their policy assignments on Integrity Server.

To assign policies and ensure that those policies are exclusively deployed to the Linux users in your environment, you may isolate Linux users on your network. You can do this by creating user catalogs and configuring the ilagent.conf file to send the policies to that catalog.

The following describes some reasons you may want to design policies specifically for Integrity Agent for Linux.

Setting specific security policies: You may wish your Linux users to have different security rules than your Windows users.

Reducing policy size: Since the Linux version of Integrity Agent does not use program control, you can reduce your policy size for Linux users by disabling program control in the policy you define for them. Disabling program control reduces the policy size by up to 80% by excluding the referenced program list from the policy. Reducing the policy size may decrease your bandwidth requirements.

For step-by-step instructions on creating and assigning policies, refer to the Integrity Server Administrator Guide and Integrity Server Best Practices Guide.


Managing Linux computer groups

In order to assign an enterprise security policy to Linux users, you must create a user catalog group. Integrity Agent for Linux users get the policy assigned to their user catalog. Linux users who are not identified as being part of that user catalog get the default policy.

To manage Linux computer groups:

1. Create a user catalog and group for Linux computers. See “Creating a user catalog and group for Linux computers,” on page 4

2. Set the cm_auth parameter to the catalog and group you created in step 1. See “Setting the cm_auth parameter,” on page 4.

Creating a user catalog and group for Linux computers

Create a new custom catalog and group that you can use to assign a policy to computers running Integrity Agent for Linux.

To create a user catalog and group for protected Linux computers:

1. Log onto the Integrity Server administrator console.

2. Go to Entities, and click New Entity | Custom.

The New Custom Catalog page appears.

3. Complete fields for the custom catalog.

4. Click Save.

The new custom catalog for Linux is created.

5. Select the catalog you created in step 4, then click New Group.

6. Complete fields for the user group.

7. Click Save.

The new user group for Linux is created.

Setting the cm_auth parameter

When configuring the ilagent.conf file, set the cm_auth parameter to the user catalog and group you created in “Creating a user catalog and group for Linux computers,” on page 4. See “Customizing the Integrity Agent configuration,” on page 18 for more information about setting the ilagent.conf file parameters.


Chapter 3 Overview of Policy Settings

This chapter provides an overview of supported settings, details on when policies are enforced, and instructions on changing the disconnected policy for Linux.

Integrity Agent enforces the following two policies:

The enterprise policy that is managed on Integrity Server. Integrity Agents enforce this policy when the protected computer is connected to Integrity Server.

The disconnected policy for Linux is centrally created but can only be managed on the protected computer. You can configure Integrity Agent to enforce this policy when the protected computer is not connected to Integrity Server.

Use Policy Studio, as described in the Integrity Server Administrator Guide, to manage enterprise policies and create and export a disconnected policy.


Supported policy settings

Integrity Agent enforces most classic firewall rule settings and connection state related client settings in an Integrity security policy. It ignores all other unsupported settings that are included in the policy.

The following describes Integrity Agent supported policy settings:

Names and Notes. Policy information, name, description and notes, used to identify the policy on both Integrity Server and protected computer.

Most classic firewall rule settings. Blocks or allows network traffic by source, destination, and protocol.

Client-Server Communications

Heartbeat frequency and Log transfer frequency

Policy Arbitration Rules

Permit user to shutdown Integrity Client when enterprise policy is active

Enforce this policy when client is disconnected.

Policy assignment. Delivers enterprise security policies to protected computers.

To define a user group for Linux users, see “Creating a user catalog and group for Linux computers,” in Chapter 2: Managing Linux Computer Groups on page 4 of this manual.

Integrity Agent supports all classic firewall settings EXCEPT the following:

Time and day settings. Rules with these settings are enforced all the time.

IGMP protocol type and number. Rules with these settings are enforced for all IGMP traffic.

If the computer is not compliant with the minimum version, Integrity Agent logs the event in the log file. The session is not restricted.

See the Integrity Server Administrator Guide for policy configuration instructions.


Understanding policy enforcement

The policy that Integrity Agent enforces changes according to the protected computer's connection state, as follows:

When the protected computer disconnects from Integrity Server. On disconnection, Integrity Agent loads and enforces the disconnected policy.

When the protected computer connects to Integrity Server. On connection, Integrity Agent loads and enforces the enterprise policy deployed by the server.

When the protected computer is connected and receives a different enterprise policy from Integrity Server. Integrity Agent loads and enforces the new enterprise policy. The IPtable settings are overwritten by the new policy.

Disconnected policy for Linux options

Consider the following options when setting up and configuring the disconnected policy for Linux:

To provide a more permissive policy when protected computers are not connected, create and export a disconnected policy with a limited number of classic firewall rules.

To reduce the policy size, set Program Rules, Program Control for policy_name: Disable program control. This setting excludes the list of referenced programs from the policy.

To provide the same level of security when protected computers are not connected, in the enterprise policy set Client Settings, Policy arbitration rules: Enforce this policy when client is disconnected. Integrity Agent enforces the enterprise policy when disconnected.

To allow the users to configure their own security settings when the protected computer is not connected, do not include a disconnected policy in the installation package or change the disconnected policy value in the Integrity Agent configuration file to null.

If you enable Enforce this policy when client is disconnected in the enterprise policy, Integrity Agent enforces the enterprise policy whether it is connected or not.

Integrity Agent for Linux does not display any alerts to the user upon enforcement.


Managing the disconnected policy

This section explains how to change the name or location of the disconnected policy.

After you install the Integrity Agent, you can modify the disconnected policy settings only on the protected computer. If you modify settings or replace the disconnected policy (without changing the file name or location), simply restart Integrity Agent. No other configuration tasks are required.

To change the name or location of the disconnected policy:

1. Using the Integrity Server Administration Console, create and export a disconnected policy.

2. Log onto the protected computer as root.

3. Copy the updated disconnected policy to the /usr/local/ilagent/etc directory.

4. If the policy name or location changed, update the configuration file.

a. Open the configuration file with a text editor.

[root@localhost root] # vi /usr/local/ilagent/etc/ilagent.conf

b. Change the value of disconnected_policy parameter.

<param name="disconnected_policy" value="disconnected_v2.xml"/>

c. Save your changes, then close the file.

5. Restart Integrity Agent.

See “Running Integrity Agent,” in Chapter 4: Installing and Configuring Integrity Agent on page 21 for detailed instructions on starting and stopping the client.

The disconnected policy update is complete. The disconnected policy IPtable settings are replaced with the disconnected policy settings.

You can configure Integrity Agent to only enforce a policy when it is connected to Integrity Server by setting the disconnected_policy value to null ("") in the Integrity Agent configuration file.
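The check below is an added example, not part of the original guide or of the product: a shell function that reads the disconnected_policy value from ilagent.conf after a change like the one above and reports whether the agent has a usable policy file for the disconnected state. It assumes the parameter line has the form shown in step 4b, that a value starting with / is resolved under the installation directory and a bare file name under its etc directory; the sample tree, the cm_auth value and the policy file content are constructed.

```shell
#!/bin/sh
# Added example (not vendor code): audit the disconnected_policy setting.
# Assumptions: ilagent.conf holds <param name="..." value="..."/> lines as the
# guide shows; a value starting with "/" is resolved under the install
# directory (the chroot), a bare file name under <install dir>/etc.

# Print the value attribute of the named <param> (first match only).
get_param() {    # $1 = config file, $2 = parameter name
    sed -n "s/.*<param[[:space:]]*name=\"$2\"[[:space:]]*value=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Report what the agent would load when it is not connected.
# Returns 0 = usable policy file, 1 = finding, 2 = cannot read config.
audit_disconnected_policy() {    # $1 = install directory
    root=${1:-/usr/local/ilagent}
    conf="$root/etc/ilagent.conf"
    if [ ! -r "$conf" ]; then
        echo "ERROR cannot read $conf"; return 2
    fi
    if ! grep -q 'name="disconnected_policy"' "$conf"; then
        echo "ABSENT disconnected_policy parameter not found"; return 1
    fi
    value=$(get_param "$conf" disconnected_policy)
    if [ -z "$value" ]; then
        # Null value: the agent has no disconnected policy to load.
        echo "NULL disconnected_policy is empty"; return 1
    fi
    case $value in
        /*) file="$root$value" ;;
        *)  file="$root/etc/$value" ;;
    esac
    if [ ! -f "$file" ]; then
        echo "MISSING $file"; return 1
    fi
    # A policy file that group or other users can write can be loosened
    # without root, so flag it (added hardening check, not from the guide).
    if [ -n "$(find "$file" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "WRITABLE $file"; return 1
    fi
    echo "OK $file"
}

# Constructed sample tree so the example runs without an installed agent.
make_sample() {    # $1 = directory, $2 = value stored in disconnected_policy
    mkdir -p "$1/etc"
    printf '<param name="cm_auth" value="manual://linux/agents/user1"/>\n<param name="disconnected_policy" value="%s"/>\n' "$2" > "$1/etc/ilagent.conf"
    printf '<policy/>\n' > "$1/etc/disconnected_v2.xml"   # placeholder content
    chmod 600 "$1/etc/disconnected_v2.xml"
}

demo=$(mktemp -d)
make_sample "$demo" "disconnected_v2.xml"
audit_disconnected_policy "$demo" || true
make_sample "$demo" ""
audit_disconnected_policy "$demo" || true
rm -rf "$demo"
```

On an endpoint, call audit_disconnected_policy with the installation directory chosen at install time and run it before restarting the agent in step 5.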


Chapter 4 Installing and Configuring Integrity Agent

This chapter explains how to install, upgrade, and remove the Integrity Agent for Linux using either the RPM package manager or a standard installation script.

Before installing Integrity Agent, you must perform the following steps:

1. Configure a user catalog and group on Integrity Server

2. Assign a policy to the user group

3. Create and export a disconnected policy.

The Integrity Agent starts immediately after installation, downloads the enterprise security policy and begins enforcing it.


Determining the installation type

There are three methods to install Integrity Agent. Select the installation method that is best for your environment.

Installation script - This method requires manual input, but allows administrators to customize settings. For example, to run Integrity Agent in jail, you specify the installation directory and set the chroot_path. See “Installing using the installation script,” on page 11.

Custom build an RPM file for your environment - This method decreases the work involved with large deployments by allowing you to install Integrity Agent without having additional configuration steps. However, it also requires that protected computers have the same configuration and requires the use of Integrity Agent default configuration settings. For example, to install Integrity Agent on ten computers that have the same disconnected policy, you can install it on all of those computers using the same customized RPM file. See “Installing using the Integrity Agent RPM,” on page 14.

Pre-configured RPM file - This method allows you to perform large Integrity Agent deployments using RPM package manager without creating a customized installation RPM. It has two post installation configuration steps. For example, use this installation method when you have a few computers that you want to run Integrity Agent on. See “Installing using the Integrity Agent RPM,” on page 14 and “Building a customized RPM,” on page 14.


Installing using the installation script

This section explains how to install and uninstall Integrity Agent on a Linux computer using the installation script.

These instructions explain how to do a basic installation using the default settings. The script allows you to configure the IP address of Integrity Server, as well as choose the directory where Integrity Agent is installed.

Use the command line switch described in Table 4-1 to run the installation silently.

To install using a script:

1. Move the ilagent-x.x.xxx.x.bin installation file and disconnected policy to the Linux endpoint computer.

2. On the endpoint computer, log in as root.

3. Change the mode of the Integrity Agent installation files.

[root@localhost root] # chmod 755 ilagent-x.x.xxx.x.bin

4. Execute the installation script.

[root@localhost root] # ./ilagent-x.x.xxx.x.bin

The installation script detects the operating system and directory structure.

Found RedHat OS
Checking for iptables executables...
Checking for iptables filter table...
Checking for LOG iptables target...
Found LOG target
Checking for ULOG iptables target...
Found ULOG target
Checking for /proc/net/dev ...
Checking for /dev/random ...
Checking for /dev/null ...

After installation, copy the disconnected policy to the computer and update the configuration file.

Option      Description
--silent    Install Integrity Agent with the default settings. Note the installer prompts you for the Integrity Server CM address.

Table 4-1: Installation script options

To execute the script in silent mode and use the default settings in step 7, type the following command.

[root@localhost root] # ./ilagent-x.x.xxx.x.bin --silent


5. When prompted, enter the Integrity Server Connection Manager address.

Please enter Integrity Server CM address: https://225.225.225.225/cm

6. When prompted, enter the catalog, group, and user information.

Please enter Integrity Server auth path: manual://<catalog>/<Group>/<user>

7. Enter the local Integrity Agent information.

a. Enter the directory where you want Integrity Agent to be installed.

Please enter target directory [default /usr/local/ilagent]:

b. Type Y to run Integrity Agent in jail or N to run Integrity Agent unprotected.

Chroot ilagent daemon to target directory? [y/n, default Y]: Y
Checking for installed ilagent...

c. For first time installations, you are prompted to create Integrity Agent directories.

ir /usr/local/ilagent/bin does not exist. Create? [y/n, default Y]: Y
Automatically create all dirs? [y/n, default Y]: Y

d. Set up Integrity Agent logging.

Create logrotate file for ilagent? [y/n, default Y]: Y
Enter logrotate files path [default /etc/logrotate.d]:

e. Automatically create the Integrity Agent start and stop scripts.

Create rc script for ilagent? [y/n, default Y]: Y
Enter rc scripts path [default /etc/init.d]:
Starting ilagent ...
Starting ilagentd

8. Copy the disconnected policy to the /usr/local/ilagent/etc directory.

[root@localhost root] # cp /tmp/disconnected.xml /usr/local/ilagent/etc/disconnected.xml

9. Set the disconnected_policy parameter in the Agent configuration file to the location you specified in step 7, relative to the root directory.

The default value for the disconnected_policy parameter is “/etc/disconnected.xml”

After the installation is complete, Integrity Agent automatically starts, connects to Integrity Server, then downloads the enterprise security policy and begins enforcing the policy. If the Integrity Server is not available, Integrity Agent enforces the disconnected policy.

To accept the defaults, press return without entering any information. You are not prompted for this information when running the installer silently.

If you used a custom directory in step a, then verify that the default directory is the same.


Uninstalling using the installation script

This section explains how to uninstall Integrity Agent using the installation script.

To uninstall Integrity Agent:

1. Log into the Linux computer as root.

2. Go to the Integrity Agent bin directory.

[root@localhost root] # cd /usr/local/ilagent/bin

3. Execute the uninstall script.

[root@localhost bin] # ./uninstall

The uninstall log is saved as /var/log/ilagent_install.log.

4. After the Integrity Agent uninstall script completes, remove the remaining Integrity Agent directory.

[root@localhost root]# cd /usr/local
[root@localhost root]# rm -Rf ilagent

Integrity Agent and all related IPtables entries are removed from the computer. The original IPtable settings are reset.

If you installed Integrity Agent in a different directory, be sure to go to that directory.


Installing using the Integrity Agent RPM

This section explains how to install and upgrade Integrity Agent using RPM Package Manager. The Integrity Agent RPM uses all the default configuration settings except for the Integrity Server IP address and the disconnected policy.

This section covers the following topics:

“Before you begin,” on page 14

“Building a customized RPM,” on page 14

“Installing Integrity Agent using RPM,” on page 15

“Upgrading Integrity Agent using RPM,” on page 16

Before you begin

Before you install Integrity Agent, define a user group for the protected computers, create and export a disconnected policy, and create and assign an enterprise policy to the user group on the Integrity Server, as explained in Chapter 2: Managing Linux Computer Groups, on page 3.

Then gather and/or verify the following items:

For customized RPM, Integrity Agent RPM build script (ilagent-build-rpm-1.xxx.x-x.bin)

For pre-configured RPM, Integrity Agent RPM (ilagent-x.x.xxx.x-x.i386.rpm)

RPM package manager version 4.2-1 or higher (rpm-build-4.2-1.i386.rpm)

Disconnected policy

Integrity Server Connection Manager address

IPtable service installed and started

Building a customized RPM

This section explains how to create a custom Integrity Agent RPM that you can use to install or upgrade the Integrity Agent. In order to complete these steps, you need the items gathered in “Before you begin,” on page 14.

Customize the configuration by replacing the configuration file and restarting Integrity Agent, after you install the product using RPM.

Log into the Integrity Server administration console from the computer where you are creating the Integrity Agent RPM, then export the disconnected policy directly to the /tmp directory.


To build a custom Integrity Agent RPM:

1. Log in as root user.

2. Move the Integrity Agent RPM build script, ilagent-build-rpm-1.xxx.x-x.bin, and the disconnected policy to the computer.

Put the build script in the root directory and the disconnected policy into /tmp.

3. Change the mode of the ilagent-build-xxx.x.bin file.

[root@localhost root] # chmod 755 ilagent-build-rpm-1.xxx.x-x.bin

4. Create the RPM file.

[root@localhost root] # ./ilagent-build-rpm.2.0.001.0.bin cm_address cm_auth disconnected_policy_path

The syntax of the command above is:

ilagent-build-rpm-1.xxx.x-x.bin is the RPM build script

cm_address is the connection manager address

cm_auth is the user catalog, user group, and user.

disconnected_policy_path is the complete path and file name of the policy that Integrity Agent enforces when it is not connected to the Integrity Server. This setting is optional.

The script outputs the RPM to: /usr/src/redhat/RPMS/i386/ilagent-x.x.xxx.x-x.i386.rpm.

5. Go to that directory and change the mode of the file.

[root@localhost root] # cd /usr/src/redhat/RPMS/i386 && chmod 755 ilagent-x.x.xxx.x-x.i386.rpm

Installing Integrity Agent using RPM

This section explains how to install Integrity Agent using the RPM package manager.

If you install Integrity Agent using the preconfigured RPM, then you must configure the Integrity Server Connection Manager address after the installation is complete (see “Customizing the Integrity Agent configuration,” on page 18).

To install using an RPM:

1. Log in as root user.

2. Move the Integrity Agent RPM, ilagent-x.x.xxx.x-x.i386.rpm, to the computer.

3. Verify that Integrity Agent is not already installed on the computer.

[root@localhost root] # rpm -qa ilagent

When the Integrity Agent is already installed, the program name displays. If it is installed, then either uninstall before continuing or follow the upgrade instructions in the next section.

4. Execute the installer.

[root@localhost root] # rpm -i ilagent-xxx.x.rpm

5. Verify that the installation completed successfully.

[root@localhost root] # rpm -qa ilagent
ilagent-xxx.x

After the installation is complete, Integrity Agent automatically starts, connects to Integrity Server, then downloads the enterprise security policy and begins enforcing the policy. If the Integrity Server is not available, Integrity Agent enforces the disconnected policy.

Upgrading Integrity Agent using RPM

Upgrade previous versions of the Integrity Agent using a customized RPM or pre-configured Integrity Agent RPM.

To upgrade using RPM:

1. Log in as root user.

2. Move the Integrity Agent RPM, ilagent-x.x.xxx.x-x.i386.rpm to the computer.

3. Verify that Integrity Agent is already installed on the computer.

[root@localhost root] # rpm -qa ilagent

When the Integrity Agent is already installed, the program name displays. If it is not installed, then use the first time installation instructions in the “Installing Integrity Agent using RPM,” on page 15.

4. Execute the upgrade.

[root@localhost root] # rpm -U ilagent-xxx.x.rpm

You can also use the upgrade command to change the disconnected policy or the Integrity Server Connection Manager address. First build a new RPM using the new IP address or disconnected policy, then follow the instructions in this section.


5. Verify that the installation completed successfully.

[root@localhost root] # rpm -qa ilagent
ilagent-xxx.x

After the installation is complete, Integrity Agent automatically starts, connects to Integrity Server, then downloads the enterprise security policy and begins enforcing the policy. If the Integrity Server is not available, Integrity Agent enforces the disconnected policy.

Uninstalling Integrity Agent using RPM

This section explains how to remove Integrity Agent using the RPM package manager. When you remove the Integrity Agent from the endpoint computer, the Integrity Agent software and all of the firewall rules added to the iptables are removed.

To uninstall using RPM:

1. Log in as root user.

2. Get the name of Integrity Agent that is installed on the computer.

[root@localhost root] # rpm -qa ilagent
ilagent-xxx.x

The Integrity Agent program name displays. If it is not installed, no information is returned.

3. Using the name of Integrity Agent, execute the uninstall command.

[root@localhost root] # rpm -e ilagent-xxx.x

4. Verify that the Integrity Agent is no longer installed on the computer.

[root@localhost root] # rpm -qa ilagent
[root@localhost root] #

5. To clean up the system, remove the ilagent directory and rpm file:

[root@localhost root] # rm -Rf /usr/local/ilagent

[root@localhost root] # rm -f /usr/src/redhat/RPMS/i386/ilagent-xxx.x.rpm

When the uninstall using the Integrity Agent RPM completes, Integrity Agent and firewall rules added to iptables by the policy are removed from the computer.
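To confirm that claim on an endpoint, the added example below (not part of the original guide) scans iptables-save output for chains and log prefixes the agent creates. It assumes the default names from the guide's sample ilagent.conf; the function name and the sample ruleset are constructed for illustration.

```python
import shlex
import sys

# Default names from the guide's sample ilagent.conf; change them if the
# ipt_*_log_chain or ipt_*_log_prefix parameters were customized.
AGENT_CHAINS = ("LFA_LOG_ACCEPT", "LFA_LOG_DROP")
AGENT_LOG_PREFIXES = ("LFA_ACCEPT_", "LFA_DROP_")

# Constructed iptables-save output that still contains agent leftovers.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LFA_LOG_DROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 23 -j LFA_LOG_DROP
-A LFA_LOG_DROP -m limit --limit 100/sec --limit-burst 10 -j ULOG --ulog-nlgroup 15 --ulog-prefix "LFA_DROP_"
-A LFA_LOG_DROP -j DROP
COMMIT
"""

def find_residue(ruleset):
    """Return (line_number, line) for every chain or rule that still carries agent names."""
    hits = []
    for lineno, raw in enumerate(ruleset.splitlines(), 1):
        line = raw.strip()
        if line.startswith(":"):
            # Chain declaration, for example ":LFA_LOG_DROP - [0:0]"
            parts = line[1:].split()
            leftover = bool(parts) and parts[0] in AGENT_CHAINS
        elif line.startswith("-A "):
            # shlex keeps a quoted log prefix together as one token
            tokens = shlex.split(line)
            leftover = (any(t in AGENT_CHAINS for t in tokens)
                        or any(t.startswith(AGENT_LOG_PREFIXES) for t in tokens))
        else:
            leftover = False  # table names, COMMIT, comments
        if leftover:
            hits.append((lineno, line))
    return hits

if __name__ == "__main__":
    # Usage: /sbin/iptables-save | python3 this_file.py
    for lineno, line in find_residue(sys.stdin.read()):
        print(f"line {lineno}: {line}")
```

An empty result means no chain or rule with the agent's names remains; it does not detect policy rules that use neither the log chains nor the log prefixes.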


Customizing the Integrity Agent configuration

This section explains the settings in the Integrity Agent configuration file. To customize the configuration, open the file with a text editor and change the settings. Then restart Integrity Agent to run the client with the new configuration.

Configuration file settings

The configuration file is located in the /usr/local/ilagent/etc directory. Table 4-2, “Integrity Agent configuration settings,” on page 19 explains how to set each parameter.

Sample configuration file

<ilagent-conf>
  <param name="cm_address" value="https://localhost/cm"/>
  <param name="cm_auth" value="manual://catalog/group/user"/>
  <param name="is_port" value="5054"/>
  <param name="pidfile" value="/usr/local/ilagent/run/ilagent.pid"/>
  <param name="cxn_signature" value="/usr/local/ilagent/etc/ilagent.sig"/>
  <param name="ipt_accept_log_chain" value="LFA_LOG_ACCEPT"/>
  <param name="ipt_drop_log_chain" value="LFA_LOG_DROP"/>
  <param name="ipt_accept_log_prefix" value="LFA_ACCEPT_"/>
  <param name="ipt_drop_log_prefix" value="LFA_DROP_"/>
  <param name="ipt_log_source" value="ULOG"/>
  <param name="ipt_nl_group" value="15"/>
  <param name="ipt_nl_qthreshold" value="1"/>
  <param name="ipt_log_limit" value="100"/>
  <param name="ipt_log_limit_burst" value="10"/>
  <param name="chroot_path" value="/var/ilagent"/>
  <param name="logfile" value="ilagent.log"/>
  <param name="ipt_cmd" value="/sbin/iptables"/>
  <param name="ipt_save" value="/sbin/iptables-save"/>
  <param name="ipt_restore" value="/sbin/iptables-restore"/>
  <param name="disconnected_policy" value="disconnected.xml"/>
  <param name="received_policy" value="ilagent-policy.xml"/>
  <param name="dumpfile" value="/run/dump.log"/>
  <param name="statusfile" value="/run/status.log"/>
</ilagent-conf>

If you run the Integrity Agent or iptables in a jail, make all paths relative to chroot_path.


| Parameter | Description |
|---|---|
| cm_address | Integrity Server Connection Manager address. |
| cm_auth | Catalog, group, and username this policy is assigned to. |
| is_port | Integrity Server port. Use the default setting of 5054. |
| pidfile | Complete path to ilagentd pid (process identifier) file. |
| cxn_signature | Path to the file that contains a unique identifier of Integrity Agent. Primarily used for debugging. |
| ipt_accept_log_chain | Chain where packet logging and accepting rules are placed. |
| ipt_drop_log_chain | Chain where packet logging and dropping rules are placed. |
| ipt_accept_log_prefix | Log messages prefix for accepted packets. |
| ipt_drop_log_prefix | Log messages prefix for dropped packets. |
| ipt_log_source | Name of firewall events log messages source. Specify either the syslog file name or 'ULOG' value. |
| ipt_nl_group | When using ULOG, specify the netlink group (1-32) to which the packet is sent. See man iptables for details. |
| ipt_nl_qthreshold | When using ULOG, specify the number of packets queued inside the kernel. See man iptables for details. |
| ipt_log_limit | Maximum number of packets logged per second. |
| ipt_log_limit_burst | Affects packet shaping mechanism of iptables. See man iptables for details. |
| ipt_cmd | Path of iptables executable. |
| ipt_restore | Path of iptables-restore executable. |
| ipt_save | Path of iptables-save executable. |
| disconnected_policy | Path to the policy file Integrity Agent enforces when disconnected from Integrity Server. See “Managing the disconnected policy,” on page 8. The default is ‘/etc/disconnected.xml’. You can disable the disconnected policy by removing the file specified here. |
| received_policy | Path to the enterprise security policy Integrity Agent enforces when connected to Integrity Server. |
| chroot_path | Complete path to jail directory. When you enter a value, ilagentd calls chroot() to that directory. This directory must contain all required files and libraries. |

Table 4-2: Integrity Agent configuration settings
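A hand-edited ilagent.conf can be checked against the constraints in Table 4-2 before the agent is restarted. The following is an added example, not part of the original guide; it assumes the file is well-formed XML, and the function names and the trimmed sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a subset of the guide's sample file, typed with plain quotes.
SAMPLE_CONF = """<ilagent-conf>
<param name="cm_address" value="https://localhost/cm"/>
<param name="is_port" value="5054"/>
<param name="ipt_log_source" value="ULOG"/>
<param name="ipt_nl_group" value="15"/>
<param name="chroot_path" value="/var/ilagent"/>
<param name="logfile" value="ilagent.log"/>
</ilagent-conf>"""

CURLY_QUOTES = "\u201c\u201d\u2018\u2019"  # typographic quotes picked up from copied text

def load_params(text):
    """Return {name: value}; raise ValueError when the text is not usable XML."""
    if any(q in text for q in CURLY_QUOTES):
        raise ValueError("typographic quotes found; retype them as plain quotes")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    return {p.get("name"): p.get("value", "") for p in root.iter("param")}

def lint(params):
    """Return findings for the constraints Table 4-2 states (empty list = clean)."""
    findings = []
    # Assumption: https is expected because both cm_address examples in the guide use it.
    if not params.get("cm_address", "").startswith("https://"):
        findings.append("cm_address: missing or not an https:// URL")
    if params.get("is_port") != "5054":
        findings.append("is_port: the guide says to use the default, 5054")
    if params.get("ipt_log_source") == "ULOG":
        group = params.get("ipt_nl_group", "")
        if not (group.isascii() and group.isdigit() and 1 <= int(group) <= 32):
            findings.append("ipt_nl_group: must be 1-32 when ipt_log_source is ULOG")
    jail = params.get("chroot_path", "")
    if jail and not jail.startswith("/"):
        findings.append("chroot_path: must be the complete path to the jail directory")
    return findings

if __name__ == "__main__":
    print(lint(load_params(SAMPLE_CONF)) or "no findings")
```

The typographic-quote check matters when settings are pasted from a PDF or web copy of a guide, where straight quotes are often converted and the resulting file is no longer valid XML.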


Changing the Integrity Server Connection Manager address

You may need to change the Integrity Server information in the configuration file, such as when the Integrity Server Connection Manager address changes or you installed Integrity Agent using the provided RPM.

To change the Integrity Server Connection Manager address:

1. Open the configuration file with a text editor.

[root@localhost root] # vi /usr/local/ilagent/etc/ilagent.conf

2. Change the value of the cm_address parameter to the Integrity Server IP address.

<param name="cm_address" value="https://server_ip/cm"/>

3. Save your changes, then close the file.

4. Restart Integrity Agent.

See “Running Integrity Agent,” on page 21 for detailed instructions on starting and stopping the client.

Changing the cm_auth parameter

You can change the cm_auth parameter to connect the Integrity Agent using a different catalog, group, or user.

To change the cm_auth parameter:

1. Log into the Linux system and open a terminal window.

2. Change the directory to /usr/local/ilagent/etc

3. Open ilagent.conf.

4. Change the value of the cm_auth parameter and save the file.

5. Restart Integrity Agent.

It will connect to the server using the new catalog, group, and user.

| Parameter | Description |
|---|---|
| logfile | Complete path to ilagentd log file. The default is /usr/local/ilagent/run/ilagent.log. |
| dumpfile | Complete path to ilagentd dump file. |
| statusfile | Complete path to ilagentd status file. |

Table 4-2: Integrity Agent configuration settings (continued)


Running Integrity Agent

This section explains the different methods that you can use to start, stop or restart Integrity Agent on the protected computer.

When you stop Integrity Agent, the endpoint computer is no longer protected.

When you start Integrity Agent, it immediately attempts to connect to Integrity Server and begins enforcing the:

Enterprise security policy if the connection is established.

Disconnected policy if the connection cannot be established.

Using the command line interface

Starting, stopping and restarting Integrity Agent from the CLI (command line interface) varies depending on the installation type. Use the instructions that correspond to your installation.

The following table describes the options that are available from the CLI.

| Option | Description |
|---|---|
| -c <filename>, --config <filename> | Specifies the complete path to the configuration file. When this option is used alone, it starts Integrity Agent using the specified configuration file. When options -s and -i are used, this option is required. |
| -h | Displays ilagent version and lists available CLI options. |
| -i, --info | Displays Integrity Agent status. Requires configuration file option. |
| -s, --shutdown | Shuts down Integrity Agent. Requires configuration file option. |
| -V | Displays Integrity Agent version. |

Table 4-3: Integrity Agent command line interface options


Integrity Agent RPM

Log into the endpoint computer as root and use the following commands to start and stop Integrity Agent RPM from the command line interface. These commands start and stop Integrity Agent even when a policy prevents the client from being shut down.

To start Integrity Agent:

Type the following command to start Integrity Agent:

[root@localhost root] # /etc/init.d/ilagentd start

To stop Integrity Agent:

Type the following command to stop Integrity Agent:

[root@localhost root] # /etc/init.d/ilagentd stop

To restart Integrity Agent:

Type the following command to restart Integrity Agent:

[root@localhost root] # /etc/init.d/ilagentd stop && /etc/init.d/ilagentd start

Integrity Agent script

Log into the endpoint computer as root and use the following commands to start and stop Integrity Agent installed using the script from the command line interface.

To start Integrity Agent:

Type the following command to start Integrity Agent:

[root@localhost root] # /usr/local/ilagent/bin/ilagentd

To stop Integrity Agent:

Type the following command to stop Integrity Agent:

[root@localhost root] # /usr/local/ilagent/bin/ilagentd --shutdown -c <config_file>

To restart Integrity Agent:

Type the following command to restart Integrity Agent:

[root@localhost root] # /usr/local/ilagent/bin/ilagentd --shutdown -c <config_file>

[root@localhost root] # /usr/local/ilagent/bin/ilagentd -c <config_file>

If Integrity Agent is enforcing a policy that prevents the client from being shut down, Integrity Agent cannot be stopped using any of the script stop or restart commands described in this section.

Using the Service Manager

When Integrity Agent is installed, you register it as a service. Therefore, whether you installed Integrity Agent using the installation script or with the RPM package manager, you can start, stop, and restart Integrity Agent using the service manager interface.

To start, stop, or restart Integrity Agent service:

1. Open the services manager, then locate the ilagent service.

2. Click Start, Stop, or Restart.

The Integrity Agent status changes according to the option you selected.

Checking the Log

Integrity Agent’s log file is located by default at /usr/local/ilagent/run/ilagent.log. You can view the log using any text editor.