May 1997
Digital Internal Use Only
README: Directions for POLYCENTER Security Compliance Manager (PSCM)
1. SPECIAL INSTRUCTIONS
A. DMS or RIS:
If your system is a DMS or RIS client, forward this information to the manager
of your server. If you have any problems getting this installed in a timely
manner on your server, contact your local Information Security contact listed
in www-is-security.mso.dec.com, under "Who are we", "CCS I.T. Security
Operations Group". DMS or RIS clients and servers should use the steps below
that are appropriate, but follow the instructions in the Installation Guide
to do the installation.
B. PSCM already installed:
If you have installed the POLYCENTER Security Compliance Manager for ULTRIX
V2.4 or V2.5 SSB kit, you must still copy and import the Required Inspector
and make sure you are sending your tokens to the correct SRF node. Copy the
appropriate Required Inspector as described in the "COPY FILES" section, and
follow the directions under "IMPORT REQUIRED INSPECTOR".
If you have an earlier version (prior to V2.5) of POLYCENTER Security
Compliance Manager for ULTRIX installed, deinstall it by using the
following command, filling in the appropriate subset name(s):
# setld -d SUBSETNAME
C. CHANGING NODE SENDING TOKENS TO
To see where you are currently sending tokens, invoke the setup utility
inspectsetup and choose option t, "List the Token Setup". To change where
you are currently sending tokens, choose option c, "Configure the Token Setup".
Please ensure that you are sending tokens to the system identified on our
web page www-is-security.mso.dec.com, under "Unix Security", "Where to send
your security tokens".
In inspectsetup, option c "Configure the Token Setup", you will be able to
enable or disable passthru server use, specify a new or different passthru
server, or specify a new or different POLYCENTER SRF node. See the
POLYCENTER Security Compliance Manager User's Guide for details on using the
setup utility.
D. SETTING UP IP NODE NAME AND NETWORK REGISTRATION
PSCM For Ultrix/OSF - IP Nodename Process
----------------------------------------------
To correct your node so that PSCM sends the correct nodename, you must ensure
that the hostname (for your nodename) in the /etc/hosts file on your system
looks similar to example number one (1).
EXAMPLE 1
---------
The entry for your nodename in the /etc/hosts file should look like:
16.121.0.15 nodename.site.dec.com nodename
If the entry for your nodename in the /etc/hosts file looks like the one in
example number two (2), you MUST edit the /etc/hosts file to contain the
correct format as shown in example number 1. Then you must execute another
"Required Inspector" and send a new Token with the new IP nodename.
EXAMPLE 2
---------
The entry is incorrect if it looks like the following:
16.121.0.15 nodename nodename.ogo.dec.com
Your IP nodename must be in the correct format:
nodename.site.dec.com
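As an added example, not part of this README or of PSCM, the following shell script checks that the /etc/hosts entry for a node has the layout of Example 1 (address, then the fully qualified name nodename.site.dec.com, then the short alias) and rejects the reversed layout of Example 2. The hosts file path and node name are parameters, so the check can be run against a copy of the file; the sample file built in demo() is constructed for illustration and is not a real hosts file.

```shell
#!/bin/sh
# Added example (not part of the original README or of PSCM): verify that the
# /etc/hosts entry for a node has the layout of Example 1 (address, then the
# fully qualified name nodename.site.dec.com, then the short alias) and reject
# the reversed layout of Example 2. The hosts file path and node name are
# parameters so the check can run against a copy; the sample file built in
# demo() is constructed for illustration.

# hosts_entry_ok HOSTS_FILE NODENAME
# Succeeds (exit 0) when the first entry naming NODENAME has a canonical name
# beginning with "NODENAME." and NODENAME itself as an alias; otherwise prints
# the reason and fails (exit 1).
hosts_entry_ok() {
    hosts=$1
    node=$2
    awk -v node="$node" '
        { sub(/#.*/, "") }                 # strip comments
        NF < 2 { next }                    # skip blank or address-only lines
        {
            found = 0
            for (i = 2; i <= NF; i++)
                if ($i == node || index($i, node ".") == 1) found = 1
            if (!found) next
            decided = 1
            canon = $2                     # first name after the address is canonical
            if (index(canon, node ".") != 1) {
                printf "BAD line %d: canonical name \"%s\" should be %s.<site>.dec.com\n", NR, canon, node
                exit 1
            }
            alias_ok = 0
            for (i = 3; i <= NF; i++)
                if ($i == node) alias_ok = 1
            if (!alias_ok) {
                printf "BAD line %d: short name %s is missing as an alias\n", NR, node
                exit 1
            }
            printf "OK line %d: %s -> %s\n", NR, $1, canon
            exit 0
        }
        END { if (!decided) { printf "BAD: no entry for %s\n", node; exit 1 } }
    ' "$hosts"
}

# demo: run the check against a constructed hosts file with one entry in each layout.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/hosts" <<'EOF'
# constructed sample, not a real hosts file
127.0.0.1   localhost
16.121.0.15 goodnode.site.dec.com goodnode
16.121.0.16 badnode badnode.ogo.dec.com
EOF
    hosts_entry_ok "$tmp/hosts" goodnode
    hosts_entry_ok "$tmp/hosts" badnode
    rm -rf "$tmp"
}

demo
```

To check the live file, run hosts_entry_ok /etc/hosts "$(hostname)" as root; an exit status of 1 means the entry must be edited into the Example 1 form before the Required Inspector is run again.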
2. COPY FILES
================
Update section from release notes file when information is available
================
Copy the license, kit, Required Inspector, and documentation to an empty
directory on your system such as /usr/kits. The following PSCM/Unix V2.5 files
are located on node esrsf1.das.dec.com in directory /unix/v2_5_alpha. They are
available via anonymous FTP.
*** PSCM VERSION 2.5 ***
Polycenter Security Compliance Manager V2.5 is located in
/unix/v2_5_alpha with the following files:
RI OSF                 96_RI_osf.tar.Z
RI release notes       96_RI_release_notes
Pak PSCM Ultrix        cm_pak_dec_internal.sh
RI critical OSF        critical_96_RI_osf.tar.Z
PSCM/Unix (2.5)        inspect250-alpha.tar.Z    (mandatory for Unix V4)
PSCM release notes     release_notes.txt
To use anonymous FTP, you must ensure that the node esrsf1.das.dec.com
is entered into the /etc/hosts file with the Internet address of
16.136.64.44
EXAMPLE 3: Entry in /etc/hosts file
---------
16.136.64.46 esrsf1.das.dec.com esrsf1
16.73.160.67 dlo09.dlo.dec.com dlo09
To ensure that you can reach esrsf1.das.dec.com after entering it into
the /etc/hosts file, use the command /etc/ping. This command should
reply with the following:
#/etc/ping esrsf1.das.dec.com
esrsf1.das.dec.com is alive
The FTP account name is anonymous; the password to this account is your
e-mail address. As shown below, copy files using the "get" command; prior to
copying binary files, issue the binary command to change the transfer mode to
binary.
# FTP esrsf1.das.dec.com
Username: anonymous
Password:
FTP> cd unix/v2_5_alpha
FTP> get cm_pak_dec_internal.sh
(etc.
...
...)
FTP> binary
FTP> get inspect250-alpha.tar.Z
(etc.)
FTP> bye
If you have any problems reaching these files on any of the software
repositories listed in www-is-security.mso.dec.com, under "Unix Security",
"Software Repository", contact your local Information Security contact, who
is also listed in www-is-security.mso.dec.com, under "Who are we", "CCS I.T.
Security Operations Group".
3. REGISTER LICENSE
==============
update this section with new license info
=================
Prior to installation, you must first register a License Management Facility
(LMF) PAK. This is done by running the shell script cm_pak_dec_internal.sh,
which you should have copied in the previous step, as shown below:
# sh cm_pak_dec_internal.sh
4. RESTORE KIT
The kit is bundled in a compressed tar file. To uncompress and untar the
net kit, use the following command, specifying either the RISC or VAX kit name
depending on the system you have.
# uncompress -c inspect240-{RISC|VAX}.tar.Z | tar xvf -
5. INSTALL KIT
Follow the instructions in the installation guide and release notes to
install the kit, except that you will be installing from disk using the
command below:
# /usr/sbin/setld -l /usr/kits
During the installation you will be asked questions whose answers you need to
know ahead of time. We are using POLYCENTER Security Compliance Manager
for Unix as a network testing tool, which means that each time the Required
Inspector runs, it will send a coded security status message, called a token,
to a node running POLYCENTER SRF.
WHERE TO SEND YOUR TOKENS:
To identify what node you are to send your tokens to, use our web page at
www-is-security.mso.dec.com, under "Unix Security","Where to send your
security tokens".
If you already have the correct version of POLYCENTER Security Compliance
Manager for Unix installed (V2.5), are running the Required Inspector
described in this document, but are not sending your tokens to the correct
location, figure out where your tokens should be sent and follow the directions
in "Changing node sending tokens to:" at the beginning of this document to
change where your tokens are being sent.
Below are questions and prompts you may need to answer during installation, and
help with what to enter.
=========================
update to correct installation questions
==========================
o Do you want to send tokens to an
Answer yes to this question.
o Do you want to configure this system as a passthru server?
Unless you have been identified to be a passthru server, you should answer
no. If you have been identified to be one, you should answer yes to this
question and supply the name of the POLYCENTER SRF node to send incoming
tokens to.
6. IMPORT REQUIRED INSPECTOR
After you have completed the installation and passed the IVP, you must
import the Required Inspector using the setup utility. The Required Inspector
is bundled in a compressed tar file, which will be automatically uncompressed
and untarred when you import it, and the Required Inspector will be placed in
the PSCM database. Enter the setup utility by typing:
# inspectsetup
Choose option i to Import the Required Inspector, and when it asks you the name
of the file to import, type in the name of the Required Inspector tar file,
such as /usr/kits/critical_96_RI_osf.tar.Z. When the script asks you if you
require the regeneration of the PSCM CRC database, answer no. Answering yes
to this question will modify the Required Inspector and invalidate the
installation.
The Required Inspector has now been loaded and can be viewed by invoking
the PSCM user interface as shown in the next step.
******************************* WARNING ***************************************
*                                                                             *
* THE ONLY ALLOWED MODIFICATION TO THE REQUIRED INSPECTOR IS TO CHANGE THE    *
* START DATE/TIME TO SOMETHING LESS THAN ITS CURRENT SETTING. MODIFYING ANY   *
* OF THE PARAMETERS FOR THE REQUIRED INSPECTOR, INCLUDING CHANGING THE START  *
* DATE/TIME TO A VALUE GREATER THAN ITS CURRENT SETTING WILL RESULT IN YOUR   *
* SYSTEM BEING REPORTED OUT OF COMPLIANCE.                                    *
*                                                                             *
*******************************************************************************
7. RUN REQUIRED INSPECTOR
After you have imported the Required Inspector, you should run it to generate
a report and a token showing the violations. It will run automatically at 02:00
the next morning, but you may additionally run it at any time using the
execute option as described below.
Invoke the user interface:
# inspect
Use the up and down arrows to highlight the Required Inspector, and use the
left and right arrows to highlight eXecute and press RETURN. When you exit the
user interface, the Required Inspector will run immediately. Using the
eXecute option will not modify the start time of 2 am; the Required Inspector
will still run again at that time.
When the Required Inspector finishes, it mails a report to a distribution list
you can modify. The default account is root, but you may modify that by
highlighting the Required Inspector, RETURNing on optIons, Opening the
Distribution list, and Adding or deleTing or Renaming a username.
8. FIX VIOLATIONS
When the Required Inspector has completed, there will be a report in the
root mailbox (and any others you have specified to receive the report)
that describes your system's violations, if any. To fix these violations, run
the lockdown file listed at the bottom of the report by running the script from
the system prompt, or highlight the Required Inspector via the POLYCENTER
Security Compliance Manager interface and choose the lockdown option.
It is advised that you look at the lockdown script before running it to make
sure that the changes it will make are compatible with your system. The file's
location and name are listed at the bottom of the report. Not all changes
required by the ULTRIX Security Standard and suggested by the Required
Inspector can be done via the lockdown scripts; the scripts may ask you to
make some changes manually.
If you have trouble interpreting any of the violations, refer to the
appropriate requirement in the ULTRIX Security Standard. After the violations
are corrected, run the Required Inspector again to get a new report and to
send a new token.
NOTE:
If any of the changes the lockdown script makes to your system cause problems,
there is an unlockdown script that will reverse the changes the lockdown script
made. Be aware that any items you do not correct will cause your system to be
out of compliance with the ULTRIX Security Standard.
9. MAINTAINING COMPLIANCE
To ensure that you are in compliance with the ULTRIX Security Standard
when your system runs the Required Inspector every 28 days, you can create
customized inspectors that run a few days before the Required Inspector is
scheduled to run, to test your system and fix any violations prior to the
Required Inspector sending a token. To do this, create a new inspector by
copying the Required Inspector and giving it another name. Modify this
inspector's options to give it an appropriate start date/time and make sure
that the lockdown flag is enabled to create a script to fix violations. After
you run this inspector, which won't send a token, you can fix the violations
as described in Step 8, and rerun it to test your fixes.
HINTS FOR MAINTAINING COMPLIANCE:
Due to the way syslog files are created, correcting the permissions for the
file /usr/spool/mqueue/syslog only fixes the violation temporarily; it will
recur every time a new syslog file is created. To fix this permanently,
set the mode for syslog files to 600 by modifying the chmod command in the
cron-executed script /usr/adm/newsyslog, as described in Table 5 of the ULTRIX
Security Standard.
If the SUID and SGID files on your system are on root's PATH, but the Required
Inspector incorrectly reports that they are not on root's PATH, you may be
experiencing the "root's PATH environment variable" bug listed in the release
notes. See the release notes to determine if this is the case. The workaround
is to restart the PSCM daemon (inspectd) using the inspectsetup utility.
The ULTRIX Security Standard requires that /dev/console not have world- and
group-read access (world-write access is permitted only when using programs
that require this access to send messages to the console), so the Required
Inspector checks that /dev/console has a mode of 620. On certain systems,
dxsession changes the mode of /dev/console to 622 at login and logout, so
setting the mode of /dev/console to 620 does not fix this violation
permanently; the mode must be maintained by the user.
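As an added example that is not part of this README or of PSCM, the script below shows the mechanics behind the file-mode checks in the hints above and the lockdown/unlockdown scripts described in the note to Step 8: it derives a file's permission bits portably from ls -l, compares them against a policy of required modes, and writes a lockdown script that applies the required mode together with an unlockdown script that restores the mode recorded at inspection time. The policy entries (/dev/console as 620, the syslog file as 600) are taken from the hints; the Required Inspector's real rule set, report format and script names are not known here and are assumed. The demo runs on temporary files it creates itself.

```shell
#!/bin/sh
# Added example (not part of the original README or of PSCM): a portable
# file-mode compliance check in the spirit of the Required Inspector's
# permission checks, with matching lockdown/unlockdown script generation.
# The required modes come from the hints in the README; the inspector's actual
# rule set and report format are assumed, not copied.

# mode_of FILE: print the nine permission bits of FILE in octal (e.g. 620),
# derived from "ls -ld" so it works on any Unix without relying on stat(1).
# Lowercase s/t count as execute; uppercase S/T (setuid/sticky without x) do not.
mode_of() {
    ls -ld "$1" | awk '
        BEGIN { val["r"] = 4; val["w"] = 2; val["x"] = 1; val["s"] = 1; val["t"] = 1 }
        {
            bits = substr($1, 2, 9); out = ""
            for (g = 0; g < 3; g++) {
                d = 0
                for (i = 1; i <= 3; i++) {
                    c = substr(bits, g * 3 + i, 1)
                    if (c in val) d += val[c]
                }
                out = out d
            }
            print out
            exit
        }'
}

# check_mode FILE REQUIRED: succeed only if FILE currently has exactly REQUIRED.
check_mode() {
    [ "$(mode_of "$1")" = "$2" ]
}

# inspect_modes POLICY_FILE: POLICY_FILE holds "path required-mode" pairs.
# Prints "path current required" for every violation; returns 1 if any found.
inspect_modes() {
    rc=0
    while read -r path req; do
        case "$path" in ''|'#'*) continue ;; esac
        if [ ! -e "$path" ]; then
            echo "$path: not present, skipped" >&2
            continue
        fi
        cur=$(mode_of "$path")
        if [ "$cur" != "$req" ]; then
            echo "$path $cur $req"
            rc=1
        fi
    done < "$1"
    return $rc
}

# write_scripts REPORT LOCKDOWN UNLOCKDOWN: turn an inspect_modes report into a
# lockdown script (apply the required mode) and an unlockdown script that
# restores the mode recorded at inspection time, so each change can be reversed.
write_scripts() {
    report=$1; lock=$2; unlock=$3
    printf '#!/bin/sh\n' > "$lock"
    printf '#!/bin/sh\n' > "$unlock"
    while read -r path cur req; do
        printf 'chmod %s %s\n' "$req" "$path" >> "$lock"
        printf 'chmod %s %s\n' "$cur" "$path" >> "$unlock"
    done < "$report"
    chmod 700 "$lock" "$unlock"
}

# demo: exercise the whole cycle on constructed temporary files.
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/console" "$tmp/syslog"
    chmod 622 "$tmp/console"        # constructed: the mode dxsession leaves behind
    chmod 644 "$tmp/syslog"         # constructed: a freshly rotated syslog file
    printf '%s 620\n%s 600\n' "$tmp/console" "$tmp/syslog" > "$tmp/policy"
    inspect_modes "$tmp/policy" > "$tmp/report" || true
    cat "$tmp/report"
    write_scripts "$tmp/report" "$tmp/lockdown" "$tmp/unlockdown"
    sh "$tmp/lockdown"
    inspect_modes "$tmp/policy" && echo "in compliance after lockdown"
    sh "$tmp/unlockdown"
    rm -rf "$tmp"
}

demo
```

The unlockdown script records the mode observed at inspection time rather than a fixed value, which is what makes a reversal safe on a system whose files did not start in a standard state; re-running inspect_modes after the unlockdown shows the original violations again, exactly as the README's own scripts are described.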
10. CONTACTS
If you have any problems copying PSCM related files, sending tokens, or
with anything listed in these directions, contact your local Information
Security contact that can be found on our web page at
www-is-security.mso.dec.com, under "Who are we", "CCS I.T.
Security Operations Group".
Comments and questions on POLYCENTER Security Compliance Manager can be
addressed in the VAXnotes conference IAMOK::INSPECT_SRF.NOTE. Note 4
in this conference is a FAQ list (Frequently Asked Questions).