SCSP AIX Agent Enhancements

Article:HOWTO59000  |  Created: 2011-08-22  |  Updated: 2011-08-22  |  Article URL http://www.symantec.com/docs/HOWTO59000
Article Type
How To

This update is an installable binary containing the following two features on AIX platforms:

  • Support for AIX 7.1 operating system
  • Real-time File Integrity Monitoring on AIX 5.3 and 6.1

Support for AIX 7.1 operating system

With this release, only the Intrusion Detection (IDS) feature is available on AIX 7.1. Neither prevention (IPS) nor real-time file integrity monitoring is available on AIX 7.1 with this release. All other IDS features available through the Unix Baseline Detection policy are supported, including file monitoring in polling mode, logon/logoff and failed logon monitoring, and user/group configuration monitoring.

Real-Time File Integrity Monitoring now available for AIX

The Real-Time File Integrity Monitoring (RT-FIM) feature is now available on the following versions of AIX:

  • AIX 6.1
  • AIX 5.3 – 64-bit kernels only

The RT-FIM feature is automatically used whenever possible for monitoring files. The decision to use RT-FIM, or the more traditional polling-based FIM, is made by the SCSP agent every time policy changes are made. RT-FIM is used to monitor all files except in the following situations:

  • File systems mounted from remote servers, e.g. NFS or SMB file systems exported by remote systems and mounted on the AIX system. If any policies monitor files on remote file systems, those files are monitored using polling-based FIM.
  • Portions of local file systems that have been exported via NFS. The SCSP agent uses the ‘exportfs -v’ command to determine what is being exported. All directories exported via NFS are monitored using polling-based FIM. Other portions of the local file systems are monitored using RT-FIM.
    NOTE: The SCSP agent executes the ‘exportfs -v’ command only when the IDS daemon starts or when new Detection policies are applied to the system. If a system administrator modifies the list of exports while the system is running, the SCSP agent will not notice the change. The administrator should manually restart the IDS daemon after making any changes to the exported NFS configuration to ensure the SCSP agent is using the up-to-date information.
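
One way for an administrator to notice that the NFS export list has changed since the IDS daemon last read it, and which monitored paths that affects. This is an added example, not part of the SCSP agent or of this article. The function names, the sample listings, the assumption that each export line begins with the exported directory, and the prefix matching on directories are all assumptions; remote mounts, which also use polling-based FIM, are not covered.

```shell
#!/bin/sh
# Added example. Assumption: every export line in `exportfs -v` output starts
# with the exported directory, followed by whitespace and its options.

# exports_drift BASELINE CURRENT
# BASELINE: listing saved when the IDS daemon last started; CURRENT: listing now.
# Prints "+ DIR" (exported since the baseline) and "- DIR" (no longer exported).
# Returns 1 when the agent's view is stale, 0 when nothing changed.
exports_drift() {
    _drift=$(awk '
        $1 !~ /^\//   { next }                  # skip anything that is not a path
        src == "base" { base[$1] = 1; next }
                      { cur[$1] = 1 }
        END {
            for (d in cur)  if (!(d in base)) print "+ " d
            for (d in base) if (!(d in cur))  print "- " d
        }' src=base "$1" src=cur "$2" | LC_ALL=C sort)
    [ -z "$_drift" ] && return 0
    printf '%s\n' "$_drift"
    return 1
}

# export_mode PATH LISTING
# Prints "polling" when PATH is at or below an exported directory, else
# "rt-fim". Prefix matching on directories is an assumption about the agent.
export_mode() {
    awk -v p="$1" '
        $1 ~ /^\// {
            d = $1
            if (d != "/") sub(/\/+$/, "", d)    # drop trailing slashes
            if (d == "/" || p == d || index(p, d "/") == 1) hit = 1
        }
        END { print (hit ? "polling" : "rt-fim") }' "$2"
}

# Constructed sample listings (not captured from a real system).
demo() {
    _dir=${TMPDIR:-/tmp}/exports_demo.$$
    mkdir "$_dir" || return 2
    printf '%s\n' '/export/home -rw,access=hostA' > "$_dir/at_start"
    printf '%s\n' '/export/home -rw,access=hostA' \
                  '/data/reports -ro' > "$_dir/now"
    exports_drift "$_dir/at_start" "$_dir/now" || true
    export_mode /data/reports/q3.csv "$_dir/at_start"   # agent's stale view
    export_mode /data/reports/q3.csv "$_dir/now"        # after a restart
    rm -rf "$_dir"
}
demo
```

On a live system the two listings would be saved `exportfs -v` output, one taken when the IDS daemon starts and one taken after any export change. A return value of 1 from `exports_drift` is the cue for the manual restart described in the NOTE.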

 


Attachments

SCSP AIX Agent Enhancements
agent-5.2.8.MP1-AIX.zip (15.3 MBytes)
