POLYCENTER Security Intrusion Detector for DEC OSF/1
Installation Guide

Order Number: AA-Q8YNA-TE
August 1994

This guide describes how to install POLYCENTER Security Intrusion Detector for DEC OSF/1.

Revision Information: This is a new manual.
Operating System: DEC OSF/1 Version 2.0 or higher.
Product Version: POLYCENTER Security Intrusion Detector for DEC OSF/1 Version 1.2

Digital Equipment Corporation
Maynard, Massachusetts

August 1994

Possession, use, or copying of the software described in this documentation is authorized only pursuant to a valid written license from Digital, an authorized sublicensor, or the identified licensor.

While Digital believes the information included in this publication is correct as of the date of publication, it is subject to change without notice.

Digital Equipment Corporation makes no representations that the interconnection of its products in the manner described in this document will not infringe existing or future patent rights, nor do the descriptions contained in this document imply the granting of licenses to make, use, or sell equipment or software in accordance with the description.

© Digital Equipment Corporation 1994. All Rights Reserved.

The postpaid Reader's Comments forms at the end of this document request your critical evaluation to assist in preparing future documentation.

The following are trademarks of Digital Equipment Corporation: DEC, DECsupport, POLYCENTER, TK, and the Digital Logo.

OSF/1 and Motif are registered trademarks of Open Software Foundation, Inc.
UNIX is a registered trademark of the X/Open Company Limited.
All other trademarks and registered trademarks are the property of their respective holders.

This document was prepared using VAX DOCUMENT Version 2.1.

Contents

Preface                                                              v
1 Preparing for Installation
    1.1     Checking the Media Software Distribution Kit                 1-1
    1.2     Installation Procedure Requirements                          1-1
    1.2.1   Privileges Needed for Installation                           1-1
    1.2.2   Hardware Requirements                                        1-2
    1.2.3   Software Requirements                                        1-2
    1.2.3.1 DEC OSF/1 Subsets Required for the Installation              1-2
    1.2.3.2 Enhanced Security Subsets                                    1-3
    1.2.3.3 Audit Subsystem                                              1-4
    1.2.4   Disk Space Requirements                                      1-7
    1.2.5   Determining Which POLYCENTER Security ID Subsets to Load     1-8
    1.2.6   Special Requirements                                         1-9
    1.3     Creating a POLYCENTER Security ID Group                      1-9
    1.4     Backing Up the System Disk                                   1-10
    1.5     License Registration                                         1-10
    1.6     Reporting Problems                                           1-11

2 Installation
    2.1     Mounting the CD-ROM                                          2-1
    2.2     Installing POLYCENTER Security ID Locally                    2-2
    2.2.1   Responding to Installation Procedure Prompts                 2-3
    2.2.1.1 Selecting Subsets                                            2-3
    2.2.1.2 Setld Error Messages                                         2-3
    2.3     Installing POLYCENTER Security ID Using the RIS Utility      2-4
    2.3.1   Installing POLYCENTER Security ID into a RIS Server Area     2-4
    2.3.2   Configuring POLYCENTER Security ID on the RIS Client Systems 2-8
    2.4     Stopping the Installation                                    2-8
    2.5     Automated POLYCENTER Security ID Startup                     2-9

3 After Installing POLYCENTER Security ID
    3.1     Using Release Notes                                          3-1
    3.2     Running the Installation Verification Procedure              3-1
    3.3     Reinstalling POLYCENTER Security ID                          3-2
    3.4     Deinstalling POLYCENTER Security ID                          3-2
    3.5     Deleting POLYCENTER Security ID                              3-3

A Sample Installation and Installation Verification Procedures
    A.1     Sample Installation                                          A-1
    A.2     Sample Base System Installation Verification Procedure       A-5
    A.3     Sample Manager Interfaces Installation Verification Procedure A-6

B Files Installed on Your System

Index

Tables
    1-1     Required Subsets                                             1-3
    1-2     POLYCENTER Security ID Subset Sizes                          1-8
    B-1     POLYCENTER Security ID Files                                 B-1

Preface

This guide describes how to install POLYCENTER[TM] Security Intrusion Detector (POLYCENTER Security ID) for DEC[TM] OSF/1[R].

Audience

This guide is intended for system managers who manage DEC OSF/1 systems.

Structure of This Guide

This guide is divided into three chapters and two appendixes:

o Chapter 1 describes the operating system and hardware requirements for a POLYCENTER Security ID installation and the related procedures that you complete before installing POLYCENTER Security ID.
o Chapter 2 describes the installation procedure.
o Chapter 3 describes the postinstallation procedures that you can perform after installing POLYCENTER Security ID.
o Appendix A contains a sample listing of the POLYCENTER Security ID installation.
o Appendix B describes the files that the POLYCENTER Security ID installation modifies and installs on the system.
Associated Documents

The following documents contain more information about POLYCENTER Security ID:

o POLYCENTER Security Intrusion Detector for DEC OSF/1 User's Guide

Related Documents

See the following documents for information that is related to POLYCENTER Security ID:

o DEC OSF/1 System Administration
o DEC OSF/1 Sharing Software on a Local Area Network
o DEC OSF/1 Enhanced Security
o DEC OSF/1 Software License Management

Conventions

The following conventions are used in this guide:

    Convention      Description

    Note            A note contains information that is of special importance to the reader.

    Caution         A caution contains information to prevent damage to the equipment.

    Monospace       Monospace type indicates both system type displays and user input. It also indicates literal strings in text.

    UPPERCASE and   The DEC OSF/1 operating system differentiates between lowercase and uppercase characters. You must
    lowercase       type literal strings exactly as they appear in text and examples. Uppercase characters in operation
                    names indicate the characters that you can enter to choose that operation.

    boldface type   Boldface type in examples indicates user input. Boldface type in text indicates the first instance
                    of terms defined in the text.

    italic type     Italic type emphasizes important information, indicates variables, and indicates the complete
                    titles of manuals.

    %               The percent sign (%) indicates the DEC OSF/1 unprivileged user prompt.

    #               The number sign (#) indicates the DEC OSF/1 root account prompt.

    Ctrl/x          Ctrl/x indicates that you hold down the Ctrl key while you press another key (indicated here by x).

    [ ]             In format descriptions, brackets indicate optional elements. You can choose none, one, or all of
                    the options.

    nn nnn.nnn      A space character separates digits in numerals with 5 or more digits. For example, 10 000 equals
                    ten thousand.

    n.nn            A period in numerals signals the decimal point indicator. For example, 1.75 equals one and
                    three-fourths.

    POLYCENTER      The term POLYCENTER Security ID for DEC OSF/1 refers to the POLYCENTER Security ID for DEC OSF/1
    Security ID     software.
    for DEC OSF/1

1 Preparing for Installation

This chapter describes the preparations and requirements necessary for installing POLYCENTER Security ID. It contains information on the following:

o Checking the media software distribution kit
o Installation procedure requirements
o Creating a POLYCENTER Security ID group
o Backing up the system disk
o License registration
o Reporting problems

1.1 Checking the Media Software Distribution Kit

Use the Bill of Materials (BOM) to check the contents of the software distribution kit. The kit includes this installation guide and a CD-ROM.

1.2 Installation Procedure Requirements

The installation takes between 10 and 15 minutes to complete, depending on the system configuration. A Remote Installation Service (RIS) client installation can take longer, depending on the level of activity on the network.

1.2.1 Privileges Needed for Installation

You must have superuser privileges to install POLYCENTER Security ID.
1.2.2 Hardware Requirements

The following table describes the hardware required to install POLYCENTER Security ID:

    Operating System    Hardware Requirements

    DEC OSF/1           One of the following:
                        o DEC 2000 Workstation
                        o DEC 3000 Workstation
                        o DEC 4000 System
                        o DEC 7000 System
                        o DEC 10000 System
                        o DEC 2100 Server

1.2.3 Software Requirements

To run POLYCENTER Security ID, the following software must be installed on the system:

o DEC OSF/1 operating system (Version 2.0 or Version 3.0)
o Reference page software

Note: Although the subsets listed in the following subsections may be present on the system, they may not be installed. These subsets must be installed before you can install POLYCENTER Security ID.

1.2.3.1 DEC OSF/1 Subsets Required for the Installation

Table 1-1 lists the DEC OSF/1 subsets that you must have installed on your system before you install POLYCENTER Security ID.

Table 1-1 Required Subsets

    Operating System                Subsets

    DEC OSF/1 Version 2.0 or 3.0    OSFBASExxx, OSFINETxxx, OSFMANOSxxx, OSFC2SECxxx

where xxx denotes either 200 (Version 2.0) or 300 (Version 3.0).

1.2.3.2 Enhanced Security Subsets

POLYCENTER Security ID runs with either ENHANCED or BASE security. The enhanced security subsets are shipped with DEC OSF/1, but they may not be installed. You can check whether they are installed by entering the following command:

    # /usr/sbin/setld -i | grep SEC

If the subsets are installed, the system responds with a display similar to the following:

    OSFC2SEC200     installed    C2-Security (System Administration)
    OSFXC2SEC200    installed    C2-Security GUI (System Administration)

If, however, a not found message is displayed, enhanced security is either not installed or is not running. To determine whether ENHANCED security is running, enter the following command:

    # /usr/sbin/rcmgr get SECURITY

If the string ENHANCED is returned, the system is running ENHANCED security. If the string BASE is returned, the system is running BASE security. If no string is returned, the security level for the system has not been set. See the DEC OSF/1 Enhanced Security manual for information on how to set the security level on the system.

1.2.3.3 Audit Subsystem

The audit subsystem must be set up for POLYCENTER Security ID to function. Use the audit_setup script to set up the audit subsystem. Enter the following command to start the audit_setup script:

    # /usr/sbin/audit_setup

The audit_setup script displays the following:

    *****************************************************************
                        Audit Subsystem Setup Script
    *****************************************************************

    The following steps will be taken to set up audit:
        1) establish startup flags for the audit daemon,
        2) establish startup flags for the auditmask
        3) create the /dev/audit device (if needed),
        4) configure a new kernel (if needed).

    Do you wish to have security auditing enabled as part of system
    initialization (answer 'n' to disable) ([y]/n)?

Follow these steps to respond to the audit_setup script questions:

1. You must answer y to this question, because auditing must be running when POLYCENTER Security ID is started.
   When you have answered the question, the setup script continues as follows:

       ----------------------------
       Audit Daemon Startup Flags
       ----------------------------
       Some of the options to 'auditd' control:
           1) destination of audit data,
           2) destination of auditd messages,
           3) action to take on an overflow condition,
           4) enable accepting audit data from remote auditd's.

       Destination of audit data (file|host:) [/var/audit/auditlog]?

2. Use the default file (press Return for the default), or enter the name of a new file. Do not enter the name of a host: POLYCENTER Security ID will not read audit logs that are not stored locally. If the directory structure that you nominate does not exist, a message similar to the following is displayed:

       Directory /var/audit/ does not exist; create it now (y/[n])

3. Either press Return if you do not want to accept the directory, or enter y to accept the directory. If you do not accept the directory, you will be prompted to enter a new directory. When you have answered the question, the setup script continues as follows:

       Destination of audit messages [/var/audit/auditd_cons]?

4. Press Return to use the default destination, or enter any convenient file. POLYCENTER Security ID does not monitor this file. When you have answered the question, the setup script continues as follows:

       Action to take on an overflow condition may be one of:
           1) change audit data location according to '/etc/sec/auditd_loc'
           2) suspend auditing until space becomes available
           3) overwrite the current auditlog
           4) terminate auditing
           5) halt the system
       Action (1-5) [1]?

5. Enter 3 to overwrite the current audit log. The setup script continues as follows:

       Accept data from remote auditd's (y/[n])?

6. Press Return to accept the default. The POLYCENTER Security ID rulebase is not designed to monitor multiple hosts. The audit_setup script continues as follows:

       Further options are available for advanced users of the audit system
       (please refer to the auditd man page). If you wish to specify any
       further options you may do so now (Return for none):

7. Press Return to accept the default. The system displays:

       Startup flags for 'auditd' set to:
           -l /var/audit/auditlog -c /var/audit/auditd_cons -o overwrite
       Is this correct ([y]/n)?

8. Press Return to accept the default. The system displays:

       -------------------------
       Auditmask Startup Flags
       -------------------------
       The auditmask establishes which events get audited. This can be
       specified by:
           1) having the auditmask read a list of events from a file, -or-
           2) specifying a list of events on the command line.
       Events can refer to syscalls, trusted events, site-defined events,
       or alias names.

       The file '/etc/sec/audit_events' contains a list of all auditable
       system calls and trusted (application) events. You may either modify
       this file or use it as a template.

       The file '/etc/sec/event_aliases' contains a set of aliases by which
       logically related groupings of events may be constructed. You may
       modify this set of aliases to suit your site's requirements.

       Enter filename containing event list or * to indicate that events
       will be listed on the command line (Return for no events):

9. Press Return to accept the default. The system displays:

       The auditmask also sets various style flags such as:
           1) 'exec_argp' - audit argument vector to exec system calls
           2) 'exec_envp' - audit environment vector to exec system calls
           3) 'login_uname' - audit recorded username in failed login events
       Enable exec_argp ([y]/n)?

10. Press Return to accept the default. The system displays:

       Enable exec_envp (y/[n])?

11. Press Return to accept the default. The system displays:

       Enable login_uname ([y]/n)?

12. Press Return to accept the default.
    The system displays:

       Startup flags for 'auditmask' set to:
           -s exec_argp -s login_uname
       Is this correct ([y]/n)?

13. Press Return to accept the default. The system displays:

       ----------------------
       System Configuration
       ----------------------
       alpha1 is already configured for security auditing (/sys/conf/alpha1)

       Would you like to start audit now ([y]/n)?

14. Press Return to accept the default. The system displays:

       '/usr/sbin/auditd' started.
       '/usr/sbin/auditmask' set.

       ***** AUDIT SETUP COMPLETE *****

The audit_setup script is now complete and your default audit subsystem is now configured.

1.2.4 Disk Space Requirements

Table 1-2 lists the disk space requirements for the POLYCENTER Security ID software subsets. Compare the space required for subsets with the free space currently on the disks where POLYCENTER Security ID files will reside.

Table 1-2 POLYCENTER Security ID Subset Sizes

    Subset          Kilobytes

    IDOABASE120     2,000
    IDOAMAN120      2,500
    Total:          4,500 [1]

    [1] Refers to the disk space occupied by the files after installation. If you are extracting files from media using the RIS utility, the POLYCENTER Security ID files are compressed during the extraction process and require only 2,200 Kilobytes.

To determine the current amount of free space for a directory path:

1. Log in to the system where you plan to install POLYCENTER Security ID.

2. Enter the following command to display information about the space available on the system where the POLYCENTER Security ID files will reside:

       # df /usr/opt

   The system responds with a display similar to the following:

       Filesystem    512-blocks    Used      Avail     Capacity    Mounted on
       /dev/rd0g     819200        552946    235872    70%         /usr

1.2.5 Determining Which POLYCENTER Security ID Subsets to Load

Load one or both of these POLYCENTER Security ID subsets:

    ID Base System             The POLYCENTER Security ID Base System contains the software for detecting
    IDOABASE120                and countering security events.

    ID Manager Interfaces      The POLYCENTER Security ID Manager Interfaces allow you to manage the base
    IDOAMAN120                 system software running on the local and remote hosts.

1.2.6 Special Requirements

When you want to install POLYCENTER Security ID subsets from the RIS server area of a remote system, first check with the site system manager to make sure that the following conditions are satisfied:

o A POLYCENTER Security ID kit is installed in the RIS server area and is available for use
o The system is registered as a RIS client

If POLYCENTER Security ID subsets are available to you on a RIS server system, you must know the name of that system to start the installation procedure.

1.3 Creating a POLYCENTER Security ID Group

Before you install POLYCENTER Security ID, you must create a unique group called idadm for the POLYCENTER Security ID management utilities. To create the group, do one of the following:

o On systems running Network Information Services (NIS), add the group to the remote server. See the NIS documentation set for more information.
o On other systems, use the addgroup command to create the group in the /etc/group file.

To use the addgroup command, do the following:

1. Enter the following command:

       # /usr/sbin/addgroup

   The system responds with the following message:

       Enter a new group name or Return to exit:

2. Enter idadm and press Return. The system responds with a message similar to the following:

       Enter a new group number [27]:

3. Press Return to accept the unique group number.

See the addgroup(8) manpage for more information.

1.4 Backing Up the System Disk

Digital[TM] recommends that you back up the system disk before installing software. Use the backup procedures that are established at your site. See the DEC OSF/1 documentation set for information on how to back up a system disk.

1.5 License Registration

POLYCENTER Security ID includes support for the License Management Facility (LMF). You must register a License Product Authorization Key (PAK) in the License Database (LDB) before you use POLYCENTER Security ID on a newly licensed node.

If you ordered the license and media together, the PAK may be shipped with the kit. If you did not, the PAK is shipped separately to the location specified on your license order.

If you are installing POLYCENTER Security ID as an update on a node that is already licensed for this software, then the PAK registration requirements have already been completed.

Caution: You must register the PAK before installing POLYCENTER Security ID.

Register the PAK as follows:

1. Log in and become the superuser.

2. Enter the following command to use the lmf utility to register the PAK:

       # lmf register

   Edit the template and include the information provided in the POLYCTR-SID PAK.

3. Enter the following command to use the lmf utility to copy the license details to the kernel license cache:

       # lmf reset

   The system checks the kernel license cache to determine whether your system is authorized to act as a server.

4. Enter the following command to check that the PAK is correctly registered:

       # lmf list | grep POLYCTR

   LMF displays a message similar to the following, showing the products registered, their status, and the number of users authorized to use the product:

       POLYCTR-SID    active    unlimited

For more information on using the License Management Facility, see the DEC OSF/1 Software License Management manual or the lmf(8) reference page.

1.6 Reporting Problems

If you believe an error is caused by a problem with POLYCENTER Security ID, take one of the following actions:

o If you have a basic or DECsupport Software Agreement, call your Customer Support Center (CSC). The CSC provides telephone support for high-level advisory and remedial assistance.
o If you have a Self-Maintenance Software Agreement, submit a Software Performance Report (SPR).
o If you purchased POLYCENTER Security ID within the last 90 days and you think the problem is caused by a software error, submit an SPR.

If you find an error in the POLYCENTER Security ID documentation, fill out and submit one of the Reader's Comments forms at the back of the document containing the error.

2 Installation

This chapter describes the installation procedures for POLYCENTER Security Intrusion Detector. It contains information on the following:

o Mounting the CD-ROM
o Installing POLYCENTER Security ID locally
o Installing POLYCENTER Security ID using the RIS utility
o Stopping the installation
o Automated POLYCENTER Security ID startup

2.1 Mounting the CD-ROM

This section describes how to mount the CD-ROM to install software subsets. To install a software subset, log in as root and use the setld -l command with the following syntax:

    # /usr/sbin/setld [-D root_path] -l location [subset-id [subset-id...]]

The location variable specifies the location of the software subset that you want to install.
You can specify the following location variables:

o hostname: specifies the name of the remote host.
o directory: specifies the disk distribution directory.

The subset-id variable specifies the name of the subset. If you do not specify a subset-id variable, a list of subsets is displayed, allowing you to choose the ones to install. If you specify one or more subset-id variables, only those subsets are installed.

To install subsets from CD-ROM, use the following procedure. The distribution path given in the following examples is for the operating system CD-ROM. For other distribution kits, refer to the document supplied by your software vendor.

1. If your CD-ROM disc is not already in its caddy, follow the instructions in the Compact Disc User's Guide.

2. To determine what drive the CD-ROM device is located on, use the following command:

       # file /dev/rrz*c

   Information from the file command is displayed. For example:

       /dev/rrz1c: character special (8/1026) SCSI #0 RZ25  disk #8  (SCSI ID #1)
       /dev/rrz2c: character special (8/2050) SCSI #0 RZ25  disk #16 (SCSI ID #2)
       /dev/rrz3c: character special (8/3074) SCSI #0 RZ26  disk #24 (SCSI ID #3)
       /dev/rrz4c: character special (8/4098) SCSI #0 RRD42 disk #32 (SCSI ID #4)

   In this output from the file command, RRD indicates the CD-ROM device.

3. To mount the distribution media, enter the following command. This example shows that the CD-ROM device is mounted on the c partition of the rz4 disk:

       # mount -rd /dev/rz4c /mnt

2.2 Installing POLYCENTER Security ID Locally

In a local installation, the system on which you install POLYCENTER Security ID uses its own disks to run POLYCENTER Security ID.

1. Log in and become the superuser.

2. Mount the media on the appropriate drive as described in Section 2.1.

3. Enter a setld command with the -l load option and the name of the directory with the POLYCENTER Security ID subsets, /mnt/kit/IDOA120. For example:

       # setld -l /mnt/kit/IDOA120

To install Digital layered products and third-party layered products on NFS clients, see the Network Administration and Problem Solving manual.

2.2.1 Responding to Installation Procedure Prompts

This section explains the installation procedure prompts and displays.

2.2.1.1 Selecting Subsets

After you enter the setld command for local installations, or after you start the ris utility for server installations, the installation procedure displays the names of the POLYCENTER Security ID subsets and asks you to specify the subsets that you want to load, as follows:

    *** Enter Subset Selections ***
    The subsets listed below are optional:

        1) ID Base System for DEC OSF/1
        2) ID Manager Interfaces for DEC OSF/1
        3) All of the Above
        4) None of the Above
        5) Exit without installing subsets

    Enter your choice(s):

When installing from a RIS server, note that the subset numbers may vary depending on which products are available in the RIS area. To specify more than one subset, separate each number with a space, not a comma.

After you enter the subset number and press Return, the installation procedure provides all the information required to successfully install POLYCENTER Security ID. Appendix A contains sample POLYCENTER Security ID installations.

2.2.1.2 Setld Error Messages

If you encounter errors from the setld utility, see the Diagnostics section of the setld(8) reference page for an explanation of the error and the appropriate action to take.

2.3 Installing POLYCENTER Security ID Using the RIS Utility

You can use the Remote Installation Services (RIS) utility to install POLYCENTER Security ID by doing the following:

1. Installing POLYCENTER Security ID into a RIS server area
2. Configuring POLYCENTER Security ID on each client

See the Sharing Software on a Local Area Network manual for more information on the RIS utility.

2.3.1 Installing POLYCENTER Security ID into a RIS Server Area

To install POLYCENTER Security ID on the server system, follow these steps:

1. Log in and become the superuser.

2. Mount the media on the appropriate drive as described in Section 2.1.

3. Enter the following command:

       # /usr/sbin/ris

   The RIS Utility displays the following menu:

       *** RIS Utility Main Menu ***

       a) - ADD a Client
       d) - DELETE software products
       i) - INSTALL software products
       l) - LIST registered clients
       m) - MODIFY a client
       r) - REMOVE a client
       s) - SHOW software products in remote installation environments
       x) - EXIT

       Enter your choice:

4. Enter i to install software. The RIS Utility displays messages and a menu similar to the following:

       The menu below offers you two software installation alternatives:

       1) You can create a new area to serve either RISC or VAX clients by
          installing a software product. The ris utility automatically
          creates the new area.

       2) You can install additional software to an existing area that
          serves either RISC or VAX clients.

       RIS Software Installation Menu:

           1  Install Software to a New Area.
           2  Add Software to an Existing Area.
           3  Return to Previous Menu

       Enter your choice:

5. Enter 2 to add software to an existing area. The RIS Utility displays the following messages and prompt:

       You have chosen to add a product to an existing environment.
       The existing environment is /var/adm/ris/ris0.alpha.

   The RIS Utility displays the following message:

       Enter the device special file name or the path of the directory
       where the software is located, for example, /mnt/kit/IDOA120:

6. Enter the input device name, for example, /mnt/kit/IDOA120. The system displays the following menu:

       *** Enter Subset Selections ***
       The subsets listed below are optional:

           1) POLYCENTER Security ID Base System for DEC OSF/1
           2) POLYCENTER Security ID Man Pages for DEC OSF/1
           3) All of the Above
           4) None of the Above
           5) Exit without installing subsets

       Enter your choice(s):

7. Enter the number corresponding to the menu item that you want to install. Menu item 3 installs all the components of POLYCENTER Security ID. If you specify more than one number, separate each number with a space. POLYCENTER Security ID displays a prompt similar to the following, asking you to confirm your choice:

       You are installing the following subsets:

           POLYCENTER Security ID Base System for DEC OSF/1
           POLYCENTER Security ID Man Pages for DEC OSF/1

       Is this correct? (y/n):

8. Enter y to confirm your choice. Enter n to return to the menu. After you enter this command, the installation procedure provides all the information required to successfully install POLYCENTER Security ID. Appendix A contains sample POLYCENTER Security ID installations. When the installation procedure has installed the subsets, the RIS Utility displays the following message:

       Media extraction complete.

   The RIS Utility then displays the RIS Menu.

9. Repeat steps a to e for each RIS client on which you want to install POLYCENTER Security ID.

   a. Enter m at the Enter your choice prompt on the Remote Installation Services Menu. The RIS Utility displays the following message and prompt:

          The following clients are available to modify:

              clienta
              clientb

          Enter the client processor's hostname:

   b. Enter the node name of the client that you want to modify at the Enter the client processor's hostname prompt. The RIS Utility displays the following message and prompt:

          Enter the client processor's hardware Ethernet address,
          for example, 08-00-2b-02-67-e1 [08-00-2b-14-ac-d1]:

   c. Enter the client processor's hardware Ethernet address, or press Return to choose the default value. The RIS Utility displays messages and a prompt similar to the following:

          The existing environment is /usr/var/adm/ris/ris0.alpha.
The client currently can install the following products from /usr/var/adm/ris/ris0.alpha: 'POLYCENTER Security ID for OSF/1 Base System for DEC OSF/1' 'POLYCENTER Security ID for OSF/1 Manual Pages for DEC OSF/1' Select one or more products for the client to install from /usr/var/adm/ris/ris0.alpha: Product Description 1 'POLYCENTER Security ID for OSF/1 Base System for DEC OSF/1' 2 'POLYCENTER Security ID for OSF/1 Manual Pages for DEC OSF/1' Enter one or more choices, for example, 1 2: d. Enter the numbers corresponding to the products that you want to install at the Enter one or more choices, for example, 1 2 prompt. Separate each choice with a space. The RIS Utility displays a message similar to the following: You chose the following products: 1 'POLYCENTER Security ID for OSF/1 Base' 2 'POLYCENTER Security ID for OSF/1 Manual Pages' Is that correct (y/n)? [y]: e. Enter y if the list is correct. If the list is not correct, enter n to return to step 4 and reenter the products. Installation 2-7 After modifying the client's records to include the list of products that you can install, the RIS Utility displays a message similar to the following: clienta has been modified. The installation procedure is now complete. 2.3.2 Configuring POLYCENTER Security ID on the RIS Client Systems After installing POLYCENTER Security ID into the server area, you must configure it on each client system as follows: 1. Log in to the client system and become the superuser. 2. Enter the following command: % setld -l server: IDOABASE120 IDOAMAN120 where: o server is the name of the server on which POLYCENTER Security ID is installed. After you enter this command, the installation procedure provides all the information required to successfully install POLYCENTER Security ID. Appendix A contains sample POLYCENTER Security ID installations. 2.4 Stopping the Installation You can stop the installation procedure by pressing Ctrl/C. 
However, the files created up to this point are not automatically deleted. To remove these files, enter commands similar to the following:

   # rm -rf /usr/opt/IDOA120
   # rm -f /var/.smdb./IDOA*

2.5 Automated POLYCENTER Security ID Startup

The installation procedure adds an entry similar to the following in the /etc/inittab file:

   id:23:respawn:/usr/sbin/id_mond

This entry ensures that when the system is in run level 2 or run level 3, as defined by the init program, the system automatically restarts the intrusion detector monitor process, id_mond, when this process exits or is shut down. This ensures that id_mond is always running on the system. See the init(8) manpage for more information on run levels.

See the POLYCENTER Security Intrusion Detector for DEC OSF/1 User's Guide for options that you can specify with id_mond.

If you do not want id_mond to automatically restart, for example, when you want to modify the configuration file and try out new configurations, do the following:

1. Edit the /etc/inittab file and find the entry for POLYCENTER Security ID. This entry is similar to the following:

      id:23:respawn:/usr/sbin/id_mond

2. Substitute the word off for the word respawn.

3. Exit the file and enter the following command to instruct the init program to immediately reexamine the inittab file:

      # init q

After you enter these commands, the system no longer automatically restarts id_mond. You can still manually run id_mond by entering the following command:

   # id_mond

See the POLYCENTER Security Intrusion Detector for DEC OSF/1 User's Guide for information on modifying the configuration file.

3
________________________________________________________________
After Installing POLYCENTER Security ID

This chapter describes the actions that you can perform after you install POLYCENTER Security ID.
It gives information on the following:

o Using release notes
o Running the installation verification procedure (IVP)
o Reinstalling POLYCENTER Security ID
o Deinstalling POLYCENTER Security ID
o Deleting POLYCENTER Security ID

3.1 Using Release Notes

POLYCENTER Security Intrusion Detector provides online release notes. Digital strongly recommends that you read the release notes before using the product. The release notes may contain information about changes to the application.

The release notes in ASCII format are located in the following file:

   /usr/opt/IDOA120/id_release_notes.txt

3.2 Running the Installation Verification Procedure

After installing POLYCENTER Security Intrusion Detector (POLYCENTER Security ID), run the Installation Verification Procedures (IVP) to verify that the POLYCENTER Security ID software subsets are properly installed.

The POLYCENTER Security ID Base System IVP verifies the installation by starting and shutting down POLYCENTER Security ID. The POLYCENTER Security ID Manager Interfaces IVP verifies the installation by running the keyboard, shell, and Motif manager interfaces.

To run the IVP, specify the IDOABASE120 or IDOAMAN120 subset in the following command:

   # setld -v subset-name

You may also want to run the IVP after a system failure to be sure that users can access POLYCENTER Security ID.

If the verification process fails, check the /var/adm/fverify file and the /var/adm/id/id.errors file for information on diagnosing the problem.

A sample POLYCENTER Security ID IVP is included in Appendix A.

3.3 Reinstalling POLYCENTER Security ID

You can reinstall POLYCENTER Security ID at any time. However, when you reinstall POLYCENTER Security ID, you lose all of the inspectors in the database. If you want to maintain these inspectors, deinstall POLYCENTER Security ID and save the database before reinstalling it.
3.4 Deinstalling POLYCENTER Security ID

Follow these steps to deinstall POLYCENTER Security ID on a local disk, including systems in RIS server areas:

1. Enter the following command at the superuser prompt:

      # setld -d IDOABASE120 IDOAMAN120

   The deinstallation procedure responds with a message and prompt similar to the following:

      Deleting POLYCENTER Security ID for DEC OSF/1 Man Pages (IDOAMAN120).
      Deleting POLYCENTER Security ID for DEC OSF/1 Base (IDOABASE120).

      You can save the POLYCENTER Security ID database. When you
      reinstall POLYCENTER Security ID, you can access the inspectors
      in this database.

      Do you want to save the POLYCENTER Security ID database? (y/n) [y]:

2. Enter y if you want to save the POLYCENTER Security ID database. Enter n if you do not want to save the POLYCENTER Security ID database.

   The deinstallation procedure continues and displays informational messages.

The deinstallation procedure places a comment character before the POLYCENTER Security ID entry in the /etc/inittab file. When the procedure has finished, edit the /etc/inittab file and remove the POLYCENTER Security ID entry if it is no longer required. See Section 2.5 for more information on the /etc/inittab file.

3.5 Deleting POLYCENTER Security ID

To delete all POLYCENTER Security ID files from the local disk, use the following commands:

   # rm -rf /usr/opt/IDOA120
   # rm -f /usr/.smdb./IDOA*

After you delete the POLYCENTER Security ID files, do the following:

1. Edit the /etc/inittab file and remove the POLYCENTER Security ID entry if it is no longer required. See Section 2.5 for more information on the /etc/inittab file.

2. Do one of the following:

   o On systems running NIS, remove the idadm group from the remote server.
   o On other systems, edit the /etc/group file and remove the idadm entry.
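The /etc/inittab edits that Section 2.5 (changing respawn to off so id_mond is not restarted while a new configuration is tested) and Section 3.4 (the deinstallation procedure commenting the entry out) describe, as an added shell example that is not part of the POLYCENTER Security ID kit. It works on a constructed copy of the file rather than /etc/inittab, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the POLYCENTER Security ID kit: edit the id_mond
# watchdog entry in an inittab-style file the way Section 2.5 (respawn -> off)
# and Section 3.4 (comment the entry out) describe, and read the result back
# so the change can be checked before "init q" is run. Everything here works
# on a constructed copy of the file, never on /etc/inittab itself.

# inittab_action FILE ID
#   Print the action field (third colon-separated field) of the entry whose
#   id field is ID. A commented-out entry ("#id:...") is not matched.
inittab_action() {
    awk -F: -v id="$2" '$1 == id { print $3 }' "$1"
}

# set_inittab_action FILE ID ACTION
#   Rewrite the action field of entry ID to ACTION (for example "off" or
#   "respawn"), leaving every other line untouched. Returns 1 and leaves the
#   file unchanged if no entry with that id exists.
set_inittab_action() {
    file=$1; id=$2; action=$3
    tmp="$file.tmp.$$"
    awk -F: -v id="$id" -v action="$action" '
        BEGIN { OFS = ":" }
        $1 == id { $3 = action; found = 1 }
        { print }
        END { exit (found ? 0 : 1) }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# comment_inittab_entry FILE ID
#   Prefix entry ID with "#", which is what the deinstallation procedure does
#   to the POLYCENTER Security ID entry. Returns 1 if the entry is absent.
comment_inittab_entry() {
    file=$1; id=$2
    tmp="$file.tmp.$$"
    awk -F: -v id="$id" '
        $1 == id { print "#" $0; found = 1; next }
        { print }
        END { exit (found ? 0 : 1) }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# Constructed sample inittab, modelled on the entry the installation adds.
demo=$(mktemp) || exit 1
cat > "$demo" <<'EOF'
init:3:initdefault:
id:23:respawn:/usr/sbin/id_mond
EOF

echo "before: id_mond action = $(inittab_action "$demo" id)"
set_inittab_action "$demo" id off
echo "after:  id_mond action = $(inittab_action "$demo" id)"
# On the real system the next step is "# init q" so that init rereads the
# file; it is deliberately not run here.
comment_inittab_entry "$demo" id
grep '^#id:' "$demo"
rm -f "$demo"
```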
A
________________________________________________________________
Sample Installation and Installation Verification Procedures

This appendix contains samples of the following procedures:

o An installation using tape media
o A POLYCENTER Security ID Base System Installation Verification Procedure
o A POLYCENTER Security ID Manager Interface Installation Verification Procedure

A.1 Sample Installation

The following shows a sample installation of POLYCENTER Security ID:

# /usr/sbin/setld -l /mnt/kit/IDOA120

The subsets listed below are optional:

There may be more optional subsets than can be presented on a single
screen. If this is the case, you can choose subsets screen by screen
or all at once on the last screen. All of the choices you make will
be collected for your confirmation before any subsets are installed.

  1) ID Base System for DEC OSF/1
  2) ID Manager Interfaces for DEC OSF/1

Or you may choose one of the following options:

  3) ALL of the above
  4) CANCEL selections and redisplay menus
  5) EXIT without installing any subsets

Enter your choices or press RETURN to redisplay menus.

Choices (for example, 1 2 4-6): 3

You are installing the following optional subsets:

  ID Base System for DEC OSF/1
  ID Manager Interfaces for DEC OSF/1

Is this correct? (y/n): y

Checking file system space required to install selected subsets:

File system space checked OK.

Installing ID Base System (IDOABASE120)...

POLYCENTER Security Intrusion Detector for DEC OSF/1

COPYRIGHT (c) 1993-1994, DIGITAL EQUIPMENT CORPORATION.
ALL RIGHTS RESERVED.

This software is furnished under a license and may be used and
copied only in accordance with the terms of such license and with
the inclusion of the above copyright notice. This software or any
other copies thereof may not be provided or otherwise made
available to any other person.
No title to and ownership of the software is hereby transferred.

The information in this software is subject to change without
notice and should not be construed as a commitment by Digital
Equipment Corporation.

Press Return to continue

The installation will take approximately 10 minutes.

You will be asked a few questions during the installation.
If you need more information to answer a question, you can
type ? at the prompt or consult the Installation Guide.

Press Return to continue

ID Base System for DEC OSF/1
   Copying from /mnt/kit (disk)
   Verifying

Installing ID Manager Interfaces (IDOAMAN120)...

POLYCENTER Security Intrusion Detector for DEC OSF/1

COPYRIGHT (c) 1993-1994, DIGITAL EQUIPMENT CORPORATION.
ALL RIGHTS RESERVED.

This software is furnished under a license and may be used and
copied only in accordance with the terms of such license and with
the inclusion of the above copyright notice. This software or any
other copies thereof may not be provided or otherwise made
available to any other person.

No title to and ownership of the software is hereby transferred.

The information in this software is subject to change without
notice and should not be construed as a commitment by Digital
Equipment Corporation.

Press Return to continue

ID Manager Interfaces for DEC OSF/1
   Copying from /mnt/kit (disk)
   Verifying

POLYCENTER Security Intrusion Detector for DEC OSF/1 Base System
successfully installed.

Configuring "ID Base System for DEC OSF/1" (IDOABASE120)

Configuring your system to run the POLYCENTER Security Intrusion
Detector Base System...

POLYCENTER Security Intrusion Detector for DEC OSF/1 Base System
Configuration successfully completed.

*** Base System IVP ***

POLYCENTER Security Intrusion Detector for DEC OSF/1

COPYRIGHT (c) 1993-1994, DIGITAL EQUIPMENT CORPORATION.
ALL RIGHTS RESERVED.
This software is furnished under a license and may be used and
copied only in accordance with the terms of such license and with
the inclusion of the above copyright notice. This software or any
other copies thereof may not be provided or otherwise made
available to any other person.

No title to and ownership of the software is hereby transferred

The information in this software is subject to change without
notice and should not be construed as a commitment by Digital
Equipment Corporation.

Press Return to continue

You must have previously registered the POLYCTR-SID license PAK
in the LMF database for this IVP to complete successfully.

You will be asked to answer a question at the beginning of the IVP.

The IVP will take no more than 10 minutes to complete.

For more information about the IVP, please consult the
Installation Guide.

Do you wish to run the Base System IVP at this time (y/n) [y]? n

If you wish to run the Base System IVP later, type:

   /usr/sbin/setld -v IDOABASE120

POLYCENTER Security Intrusion Detector for DEC OSF/1 Manager Interfaces
successfully installed.

Configuring "ID Manager Interfaces for DEC OSF/1" (IDOAMAN120)

Configuring your system to run the POLYCENTER Security Intrusion
Detector Manager Interfaces...

POLYCENTER Security Intrusion Detector for DEC OSF/1 Manager Interfaces
Configuration successfully completed.

*** Manager Interfaces IVP ***

POLYCENTER Security Intrusion Detector for DEC OSF/1

COPYRIGHT (c) 1993-1994, DIGITAL EQUIPMENT CORPORATION.
ALL RIGHTS RESERVED.

This software is furnished under a license and may be used and
copied only in accordance with the terms of such license and with
the inclusion of the above copyright notice. This software or any
other copies thereof may not be provided or otherwise made
available to any other person.
No title to and ownership of the software is hereby transferred

The information in this software is subject to change without
notice and should not be construed as a commitment by Digital
Equipment Corporation.

Press Return to continue

Do you wish to run the Manager Interfaces IVP at this time (y/n) [y]?n

If you wish to run the Manager Interfaces IVP later, type:

   /usr/sbin/setld -v IDOAMAN120
#

A.2 Sample Base System Installation Verification Procedure

The following shows a sample of the Base System IVP being run after ID has been installed:

# /usr/sbin/setld -v IDOABASE120

ID Base System for DEC OSF/1 (IDOABASE120)

*** Base System IVP ***

POLYCENTER Security Intrusion Detector for DEC OSF/1

COPYRIGHT (c) 1993-1994, DIGITAL EQUIPMENT CORPORATION.
ALL RIGHTS RESERVED.

This software is furnished under a license and may be used and
copied only in accordance with the terms of such license and with
the inclusion of the above copyright notice. This software or any
other copies thereof may not be provided or otherwise made
available to any other person.

No title to and ownership of the software is hereby transferred

The information in this software is subject to change without
notice and should not be construed as a commitment by Digital
Equipment Corporation.

Press Return to continue

You must have previously registered the POLYCTR-SID license PAK
in the LMF database for this IVP to complete successfully.

You will be asked to answer a question at the beginning of the IVP.

The IVP will take no more than 10 minutes to complete.

For more information about the IVP, please consult the
Installation Guide.

Do you wish to run the Base System IVP at this time (y/n) [y]?
y

The Base System IVP will start the POLYCENTER Security Intrusion
Detector monitor daemon, id_mond, using these option defaults:

   Configuration File:  -c /var/adm/id/id.conf
   Message Log File:    -l /var/adm/id/id.log
   Error Log File:      -e /var/adm/id/id.errors

Do you wish to keep the POLYCENTER Security Intrusion Detector monitor
daemon running after the Base System IVP completes (y/n) [y]? y

Starting the POLYCENTER Security Intrusion Detector...

[ id_mond ]

Initializing intrusion detection...
POLYCENTER Security Intrusion Detector V1.2 is ready.
POLYCENTER Security Intrusion Detector V1.2 is ready.

POLYCENTER Security Intrusion Detector for DEC OSF/1 Base System IVP
successfully completed.

A.3 Sample Manager Interfaces Installation Verification Procedure

POLYCENTER Security ID must be running before you run the manager interfaces IVP. The following shows a sample of the Manager Interfaces IVP:

# /usr/sbin/setld -v IDOAMAN120

ID Manager Interfaces for DEC OSF/1 (IDOAMAN120)

*** Manager Interfaces IVP ***

POLYCENTER Security Intrusion Detector for DEC OSF/1

COPYRIGHT (c) 1993-1994, DIGITAL EQUIPMENT CORPORATION.
ALL RIGHTS RESERVED.

This software is furnished under a license and may be used and
copied only in accordance with the terms of such license and with
the inclusion of the above copyright notice. This software or any
other copies thereof may not be provided or otherwise made
available to any other person.

No title to and ownership of the software is hereby transferred

The information in this software is subject to change without
notice and should not be construed as a commitment by Digital
Equipment Corporation.

Press Return to continue

Do you wish to run the Manager Interfaces IVP at this time (y/n) [y]? y

No DISPLAY defined. Do you wish to define a DISPLAY?
If you do not, this procedure will terminate.

Define a DISPLAY (y/n) [y]?
Enter DISPLAY [:0.0]: barney:0.0

Running the Command-Line Manager Interface...

[ id_cui /var/adm/id/hosts.id ]

POLYCENTER Security Intrusion Detector
Copyright (c) Digital Equipment Corporation, 1993. All rights reserved.

id 1 >
Commands:
   show status
   show case
   show event
   delete case
   quit
id 2 >
----------------------------------------------------------
Host             : shyla.xla.bic.com
Running since    : Tue Jun 28 16:14:11 1994
Number of cases  : 1

CASE-39  Profile:
   username     : dbloggs
   object-name  : /dev/ttyp4
   object-name  : dfAA14930
   audit-id     : 268
id 3 >

Running the Manager Interface shell command...

[ idsts -h /var/adm/id/hosts.id ]

POLYCENTER Security Intrusion Detector
Copyright (c) Digital Equipment Corporation, 1993. All rights reserved.
------------------------------------------------------------------------------
Host             : shyla.xla.bic.com
Running since    : Tue Jun 28 16:14:11 1994
Number of cases  : 1

CASE-39  Profile:
   username     : dbloggs
   object-name  : /dev/ttyp4
   object-name  : dfAA14930
   audit-id     : 268

The Motif Manager Interface will be displayed on barney:0.0.

[ id_gui /var/adm/id/hosts.id -d barney:0.0 ]

Choose EXIT from the FILE menu to exit the Motif Manager Interface and
complete the IVP.

POLYCENTER Security Intrusion Detector for DEC OSF/1 Manager Interfaces IVP
successfully completed.

B
________________________________________________________________
Files Installed on Your System

This appendix describes the POLYCENTER Security ID files.
Table B-1  POLYCENTER Security ID Files

Directory         File                     Description
----------------  -----------------------  -----------------------------------
/var/adm/id       id.conf                  Configuration file
                  hosts.id                 Manager interface host file
                  id_msg.cat               Message catalog
                  id.log.nnn               Message log files
                  id.errors
                  id.pid
/etc/sec          audit_events.sysman      An audit mask file which lists
                                           events that are always audited by
                                           the system, irrespective of the
                                           security events that are monitored
                                           by POLYCENTER Security ID.
                  audit_events.disallowed  An audit mask file which lists
                                           events that POLYCENTER Security ID
                                           does not allow to be audited.
                                           Auditing these events may create a
                                           large amount of audit data or may
                                           affect system performance.
/usr/bin          id_gui                   Motif manager interface
                  id_cui                   Manager interface
                  iddel                    Manager interface shell commands
                  idshow
                  idsts
/usr/sbin         id_ard                   Audit reader daemon
                  id_mond                  Intrusion detection daemon
/usr/opt/IDOA120  id_release_notes.txt     Release notes
/usr/man/man5     id.conf.5                Online reference pages
                  idstat.hosts.5
/usr/man/man8     id_gui.8                 Online reference pages
                  id_commands.8
                  id_mond.8
                  iddel.8
                  idshow.8
                  id_cui.8
                  idsts.8
/var/adm/lmf      POLYCTR-SID              License PAK template file
________________________________________________________________

________________________________________________________________
Index

B
Backing up the system disk, 1-10

C
Client
   installing on a RIS client, 2-8
   remote installation services, 2-8
Command
   lmf, 1-10
   rm, 2-8
   setld, 2-8, 3-2
Ctrl/C
   using, 2-8

D
DEC OSF/1
   reference page software subsets, 1-3
   required subsets, 1-2
   version required, 1-2
DECstation, 1-2
DECsystem, 1-2
Deinstallation procedure
   on a local disk, 3-2
Deinstalling
   retaining inspectors, 3-2
Distribution kit
   checking contents, 1-1

H
Hardware requirements, 1-2

I
Inspectors
   losing during reinstallation, 3-2
Installation procedure
   into a RIS client system, 2-8
   into a RIS server area, 2-4
   stopping, 2-8
Installation requirements, 1-1

K
Key
   product authorization, 1-10

L
License management facility, 1-10
Links
   deleting files in symbolic links, 2-8
LMF, 1-10
   registering the PAK, 1-10
lmf command, 1-10
Local disk
   deinstallation procedure, 3-2
Logging in
   as superuser, 1-1

M
Media
   checking contents, 1-1

P
PAK, 1-10
   registering, 1-10
Privileges
   checking login privileges, 1-1
   required, 1-1
   superuser, 1-1
Product Authorization Key, 1-10

R
Reference page software, 1-2
Reinstalling
   losing inspectors, 3-2
Remote installation services
   client, 2-8
   server, 2-4
Requirements
   DEC OSF/1 subsets, 1-2
   for the installation, 1-1
   hardware, 1-2
   reference page software subsets (DEC OSF/1), 1-3
   software, 1-2
   special, 1-9
   time, 1-1
RIS client installation
   time requirements, 1-1
RIS client system
   installing into, 2-8
RIS server area
   installation conditions, 1-9
   installing into, 2-4
   requirements, 1-9
rm command, 2-8

S
Server
   installing into a RIS server area, 2-4
   remote installation services, 2-4
setld command, 2-8, 3-2
Software kit
   checking contents, 1-1
Software requirements
   reference page software, 1-2
   required subsets (DEC OSF/1), 1-3
Special requirements, 1-9
Subsets
   DEC OSF/1, 1-2
Superuser
   logging in as, 1-1
   privilege, 1-1
Supported systems
   DECstation, 1-2
   DECsystem, 1-2
Symbolic links
   deleting files in, 2-8
System disk
   backing up, 1-10
Systems
   supported, 1-2

T
Time requirements, 1-1
   RIS client installation, 1-1