Installing and Using Endpoint Security Agent for Linux Server Version NGX 7.0 GA

Installation and Administration Guide

Installing and Using Endpoint Security Agent for Linux Server Version NGX 7.0 GA

January 9, 2008

© 2008 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

©2003–2008 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Endpoint Security, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SMP, SMP On-Demand, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm ForceField, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by other U.S. Patents, foreign patents, or pending applications.

Contents

Chapter 1  Deployment Process and Requirements
    System Requirements
    Deployment workflow

Chapter 2  Managing Linux Computer Groups
    Managing Linux computer groups
        Creating a user catalog and group for Linux computers
        Setting the cm_auth parameter  7

Chapter 3  Overview of Policy Settings  8
    Supported policy settings  8
    Understanding policy enforcement
    Disconnected policy for Linux options  10
    Managing the disconnected policy  10

Chapter 4  Installing and Configuring Endpoint Security Agent
    Determining the installation type  12
    Installing using the installation script  13
        Uninstalling using the installation script  15
    Installing using the Endpoint Security Agent RPM  16
        Before you begin  16
        Building a customized RPM  17
        Installing Endpoint Security Agent using RPM  17
        Upgrading Endpoint Security Agent using RPM  18
        Uninstalling Endpoint Security Agent using RPM  19
    Customizing the Endpoint Security Agent configuration  20
        Configuration file settings  20
        Changing the Endpoint Security Server Connection Manager address  22
        Changing the cm_auth parameter  22
    Running Endpoint Security Agent  23
        Using the command line interface  23
        Using the Service Manager  25
        Checking the Log  25

Chapter 1  Deployment Process and Requirements

In This Chapter
    System Requirements
    Deployment workflow

Endpoint Security Agent for Linux provides enterprise endpoint security for Linux users. Use this guide to install and administer Endpoint Security Agent for Linux. This document is intended specifically for Endpoint Security Agent for Linux; all references in this document to Endpoint Security Agent refer to the Linux version, unless otherwise specified. This chapter provides the system requirements and an overview of the deployment and implementation process for Endpoint Security Agent for Linux in an established, Endpoint Security server-protected enterprise network.

System Requirements

See the Endpoint Security System Requirements document for supported operating systems.

Deployment workflow

To successfully deploy Endpoint Security Agent for Linux to endpoint computers on your Endpoint Security-protected network, perform the procedures below in order. Each phase of the deployment process is dependent on the items you verified or configured in the previous phase.

To deploy Endpoint Security Agent for Linux:
1. Create a user catalog and group for the protected Linux computers. See "Creating a user catalog and group for Linux computers" in Chapter 2.
2. Create and assign an enterprise policy to the Linux user group. First see "Overview of Policy Settings," on page 8, then go to the Endpoint Security Administrator Guide for detailed instructions on creating, configuring, and assigning the enterprise policy.
3. Create and export a disconnected policy for Endpoint Security Agent. First see "Supported policy settings," on page 8, then go to the Endpoint Security Administrator Guide for detailed instructions on creating, configuring, and exporting a policy.
4. Install Endpoint Security Agent for Linux on the endpoint computers. See "Installing and Configuring Endpoint Security Agent," on page 12.
5. Customize Endpoint Security Agent for Linux (optional). See "Customizing the Endpoint Security Agent configuration," on page 20.

Chapter 2  Managing Linux Computer Groups

In This Chapter
    Managing Linux computer groups

This chapter explains how to manage Linux computer groups and their policy assignments on the Endpoint Security server. For step-by-step instructions on creating and assigning policies, refer to the Endpoint Security Administrator Guide.

To assign policies and ensure that those policies are deployed exclusively to the Linux users in your environment, you can isolate Linux users on your network. You do this by creating user catalogs and configuring the ilagent.conf file so that the agent identifies itself as a member of that catalog. The following are some reasons you may want to design policies specifically for Endpoint Security Agent for Linux:

Setting specific security policies: You may want your Linux users to have different security rules from your Windows users.

Reducing policy size: Since the Linux version of Endpoint Security Agent does not use program control, you can reduce the policy size for Linux users by disabling program control in the policy you define for them. Disabling program control reduces the policy size by up to 80% by excluding the referenced program list from the policy. A smaller policy may reduce your bandwidth requirements.

Managing Linux computer groups

In order to assign an enterprise security policy to Linux users, you must create a user catalog group. Endpoint Security Agent users get the policy assigned to their user catalog. Linux users who are not identified as being part of that user catalog get the default policy.

To manage Linux computer groups:
1. Create a user catalog and group for Linux computers. See "Creating a user catalog and group for Linux computers," below.
2. Set the cm_auth parameter to the catalog and group you created in step 1. See "Setting the cm_auth parameter," on page 7.

Creating a user catalog and group for Linux computers

Create a new custom catalog and group that you can use to assign a policy to computers running Endpoint Security Agent.

To create a user catalog and group for protected Linux computers:
1. Log onto the Endpoint Security Server administrator console.
2. Go to the Endpoint Manager page, and select New Catalog | Custom. The New Custom Catalog page appears.
3. Complete the fields for the custom catalog.
4. Click Save. The new custom catalog for Linux is created.
5. Select the catalog you created in step 4, then click New Group.
6. Complete the fields for the user group.
7. Click Save. The new user group for Linux is created.

Setting the cm_auth parameter

When configuring the ilagent.conf file, set the cm_auth parameter to the user catalog and group you created in "Creating a user catalog and group for Linux computers." See "Customizing the Endpoint Security Agent configuration," on page 20, for more information about setting the ilagent.conf file parameters.

Chapter 3  Overview of Policy Settings

In This Chapter
    Supported policy settings  8
    Understanding policy enforcement
    Managing the disconnected policy  10

Endpoint Security Agent enforces the following two policies:

The enterprise policy, which is managed on the Endpoint Security server. Endpoint Security Agents enforce this policy when the protected computer is connected to the Endpoint Security server.

The disconnected policy for Linux, which is centrally created but can only be managed on the protected computer. You can configure Endpoint Security Agent to enforce this policy when the protected computer is not connected to the Endpoint Security server.

Use Policy Studio, as described in the Endpoint Security Administrator Guide, to manage enterprise policies and to create and export a disconnected policy.
Supported policy settings

Endpoint Security Agent enforces most classic firewall rule settings and the connection-state related client settings in an Endpoint Security security policy. It ignores all other (unsupported) settings that are included in the policy. The supported policy settings are:

Names and Notes: Policy information (name, description, and notes) used to identify the policy on both the Endpoint Security server and the protected computer.

Most classic firewall rule settings: Block or allow network traffic by source, destination, and protocol. Endpoint Security Agent supports all classic firewall settings EXCEPT the following:
    Time and day settings. Rules with these settings are enforced all the time.
    IGMP protocol type and number. Rules with these settings are enforced for all IGMP traffic.

Minimum version check: If the computer is not compliant with the minimum version, Endpoint Security Agent logs the event in the log file. The session is not restricted.

Client-Server Communications: Heartbeat frequency and Log transfer frequency.

Policy Arbitration Rules: "Permit user to shutdown the Endpoint Security client when enterprise policy is active" and "Enforce this policy when client is disconnected". See the Endpoint Security Administrator Guide for policy configuration instructions.

Policy assignment: Delivers enterprise security policies to protected computers. To define a user group for Linux users, see "Creating a user catalog and group for Linux computers" in Chapter 2 of this manual.

Understanding policy enforcement

The policy Endpoint Security Agent enforces changes according to the protected computer's connection state, as follows:

When the protected computer disconnects from the Endpoint Security server: On disconnection, Endpoint Security Agent loads and enforces the disconnected policy. If you enable "Enforce this policy when client is disconnected" in the enterprise policy, Endpoint Security Agent enforces the enterprise policy whether it is connected or not.

When the protected computer connects to the Endpoint Security server: On connection, Endpoint Security Agent loads and enforces the enterprise policy deployed by the server.

When the protected computer is connected and receives a different enterprise policy from the Endpoint Security server: Endpoint Security Agent loads and enforces the new enterprise policy. The iptables rules are overwritten by the new policy.

Endpoint Security Agent for Linux does not display any alerts to the user upon enforcement.

Disconnected policy for Linux options

Consider the following options when setting up and configuring the disconnected policy for Linux:

To provide a more permissive policy when protected computers are not connected, create and export a disconnected policy with a limited number of classic firewall rules.

To reduce the policy size, set Program Rules > Program Control for policy_name to "Disable program control". This setting excludes the list of referenced programs from the policy.

To provide the same level of security when protected computers are not connected, in the enterprise policy set Client Settings > Policy arbitration rules > "Enforce this policy when client is disconnected". Endpoint Security Agent then enforces the enterprise policy when disconnected.

To allow users to configure their own security settings when the protected computer is not connected, do not include a disconnected policy in the installation package, or change the disconnected_policy value in the Endpoint Security Agent configuration file to null. With no disconnected policy, the agent enforces no firewall rules while the computer is offline.

Managing the disconnected policy

This section explains how to change the name or location of the disconnected policy.
After you install the Endpoint Security Agent, you can modify the disconnected policy settings only on the protected computer. If you modify settings or replace the disconnected policy (without changing the file name or location), simply restart Endpoint Security Agent; no other configuration tasks are required.

You can configure Endpoint Security Agent to enforce a policy only when it is connected to the Endpoint Security server by setting the disconnected_policy value to null ("") in the Endpoint Security Agent configuration file.

To change the name or location of the disconnected policy:
1. Using the Endpoint Security Administration Console, create and export a disconnected policy.
2. Log onto the protected computer as root.
3. Copy the updated disconnected policy to the /usr/local/ilagent/etc directory.
4. If the policy name or location changed, update the configuration file:
   a. Open the configuration file with a text editor:
      [root@localhost root] # vi /usr/local/ilagent/etc/ilagent.conf
   b. Change the value of the disconnected_policy parameter.
   c. Save your changes, then close the file.
5. Restart Endpoint Security Agent. See "Running Endpoint Security Agent," on page 23, for detailed instructions on starting and stopping the client.

The disconnected policy update is complete. The iptables rules of the previous disconnected policy are replaced with those of the new disconnected policy.

Chapter 4  Installing and Configuring Endpoint Security Agent

In This Chapter
    Determining the installation type  12
    Installing using the installation script  13
    Installing using the Endpoint Security Agent RPM  16
    Customizing the Endpoint Security Agent configuration  20
    Running Endpoint Security Agent  23

This chapter explains how to install, upgrade, and remove the Endpoint Security Agent using either the RPM package manager or a standard installation script. Before installing Endpoint Security Agent, you must perform the following steps:
1. Configure a user catalog and group on the Endpoint Security server.
2. Assign a policy to the user group.
3. Create and export a disconnected policy.

The Endpoint Security Agent starts immediately after installation, downloads the enterprise security policy, and begins enforcing it.
Determining the installation type

There are three methods to install Endpoint Security Agent; select the installation method that is best for your environment.

Installation script: This method requires manual input, but allows administrators to customize settings. For example, to run Endpoint Security Agent in a chroot jail, you specify the installation directory and set the chroot_path. See "Installing using the installation script," on page 13.

Custom-built RPM file for your environment: This method decreases the work involved with large deployments by allowing you to install Endpoint Security Agent without additional configuration steps. However, it requires that the protected computers have the same configuration, and it uses the Endpoint Security Agent default configuration settings. For example, to install Endpoint Security Agent on ten computers that share the same disconnected policy, you can install on all of them using the same customized RPM file. See "Installing using the Endpoint Security Agent RPM," on page 16, and "Building a customized RPM," on page 17.

Pre-configured RPM file: This method allows you to perform large Endpoint Security Agent deployments using the RPM package manager without creating a customized installation RPM. It has two post-installation configuration steps (setting the Connection Manager address and the disconnected policy). For example, use this installation method when you have a few computers on which you want to run Endpoint Security Agent. See "Installing using the Endpoint Security Agent RPM," on page 16.

Installing using the installation script

This section explains how to install and uninstall Endpoint Security Agent on a Linux computer using the installation script. These instructions describe a basic installation using the default settings. The script allows you to configure the address of the Endpoint Security server, as well as choose the directory where Endpoint Security Agent is installed. After installation, copy the disconnected policy to the computer and update the configuration file.

Use the command-line switch described in Table 4-1 to run the installation silently.

Table 4-1: Installation script options

Option    Description
silent    Install Endpoint Security Agent with the default settings. Note: the installer still prompts you for the Endpoint Security server CM address.

To install using the script:
1. Move the avalon-x.x.xxx.x.bin installation file and the disconnected policy to the Linux endpoint computer.
2. On the endpoint computer, log in as root.
3. Change the mode of the Endpoint Security Agent installation file:
   [root@localhost root] # chmod 755 avalon-x.x.xxx.x.bin
4. Execute the installation script:
   [root@localhost root] # ./avalon-x.x.xxx.x.bin
   To execute the script in silent mode and use the default settings in step 7, type the following command instead:
   [root@localhost root] # ./avalon-x.x.xxx.x.bin silent
   The installation script detects the operating system and directory structure:
   Found RedHat OS
   Checking for iptables executables
   Checking for iptables filter table
   Checking for LOG iptables target
   Found LOG target
   Checking for ULOG iptables target
   Found ULOG target
   Checking for /proc/net/dev
   Checking for /dev/random
   Checking for /dev/null
5. When prompted, enter the Endpoint Security server Connection Manager address:
   Please enter Integrity Server CM address: https://225.225.225.225/cm
6. When prompted, enter the catalog, group, and user information:
   Please enter Integrity Server auth path: manual:////
7. Enter the local Endpoint Security Agent information. To accept the defaults, press Return without entering any information. You are not prompted for this information when running the installer silently.
   a. Enter the directory where you want Endpoint Security Agent to be installed:
      Please enter target directory [default /usr/local/ilagent]:
   b. Type Y to run Endpoint Security Agent in a chroot jail, or N to run it outside a jail:
      Chroot ilagent daemon to target directory? [y/n, default Y]: Y
      Checking for installed ilagent
   c. For first-time installations, you are prompted to create the Endpoint Security Agent directories:
      Dir /usr/local/ilagent/bin does not exist. Create? [y/n, default Y]: Y
      Automatically create all dirs? [y/n, default Y]: Y
      If you used a custom directory in step a, verify that the directory offered here is the same.
   d. Set up Endpoint Security Agent logging:
      Create logrotate file for ilagent? [y/n, default Y]: Y
      Enter logrotate files path [default /etc/logrotate.d]:
   e. Automatically create the Endpoint Security Agent start and stop scripts:
      Create rc script for ilagent? [y/n, default Y]: Y
      Enter rc scripts path [default /etc/init.d]:
      Starting ilagent
      Starting ilagentd
8. Copy the disconnected policy to /usr/local/ilagent/etc:
   [root@localhost root] # cp /tmp/disconnected.xml /usr/local/ilagent/etc/disconnected.xml
9. Set the disconnected_policy parameter in the agent configuration file to the location you chose in step 8, expressed relative to the jail root (the target directory from step 7a). The default value for the disconnected_policy parameter is "/etc/disconnected.xml", which resolves to /usr/local/ilagent/etc/disconnected.xml inside the default jail.

After the installation is complete, Endpoint Security Agent automatically starts, connects to the Endpoint Security server, then downloads the enterprise security policy and begins enforcing it. If the Endpoint Security server is not available, Endpoint Security Agent enforces the disconnected policy.

Uninstalling using the installation script

This section explains how to uninstall Endpoint Security Agent using the installation script.

To uninstall Endpoint Security Agent:
1. Log into the Linux computer as root.
2. Go to the Endpoint Security Agent bin directory:
   [root@localhost root] # cd /usr/local/ilagent/bin
   If you installed Endpoint Security Agent in a different directory, go to that directory instead.
3. Execute the uninstall script:
   [root@localhost bin] # ./uninstall
   The uninstall log is saved as /var/log/ilagent_install.log.
4. After the uninstall script completes, remove the remaining Endpoint Security Agent directory:
   [root@localhost root] # cd /usr/local
   [root@localhost local] # rm -Rf ilagent

Endpoint Security Agent and all related iptables entries are removed from the computer. The original iptables settings are restored.
Installing using the Endpoint Security Agent RPM

This section explains how to install and upgrade Endpoint Security Agent using the RPM Package Manager. The Endpoint Security Agent RPM uses all the default configuration settings except for the Endpoint Security server address and the disconnected policy. After you install the product using RPM, you can customize the configuration by replacing the configuration file and restarting Endpoint Security Agent.

This section covers the following topics:
    "Before you begin," on page 16
    "Building a customized RPM," on page 17
    "Installing Endpoint Security Agent using RPM," on page 17
    "Upgrading Endpoint Security Agent using RPM," on page 18

Before you begin

Before you install Endpoint Security Agent, define a user group for the protected computers, create and export a disconnected policy, and create and assign an enterprise policy to the user group on the Endpoint Security server, as explained in Chapter 2, Managing Linux Computer Groups. Then gather and/or verify the following items:
    For a customized RPM: the Endpoint Security Agent RPM build script (ilagent-build-rpm-1.xxx.x-x.bin)
    For the pre-configured RPM: the Endpoint Security Agent RPM (avalon-x.x.xxx.xx.i386.rpm)
    RPM package manager version 4.2-1 or higher (rpm-build-4.2-1.i386.rpm)
    The disconnected policy
    The Endpoint Security server Connection Manager address
    The iptables service, installed and started

Building a customized RPM

This section explains how to create a custom Endpoint Security Agent RPM that you can use to install or upgrade the Endpoint Security Agent. To complete these steps, you need the items gathered in "Before you begin," on page 16. You can log into the Endpoint Security server administration console from the computer where you are creating the RPM and export the disconnected policy directly to the /tmp directory.

To build a custom Endpoint Security Agent RPM:
1. Log in as root.
2. Move the Endpoint Security Agent RPM build script, ilagent-build-rpm-1.xxx.x-x.bin, and the disconnected policy to the computer. Put the build script in the root directory and the disconnected policy in /tmp.
3. Change the mode of the build script:
   [root@localhost root] # chmod 755 ilagent-build-rpm-1.xxx.x-x.bin
4. Create the RPM file:
   [root@localhost root] # ./ilagent-build-rpm-1.xxx.x-x.bin cm_address cm_auth disconnected_policy_path
   where:
   ilagent-build-rpm-1.xxx.x-x.bin is the RPM build script
   cm_address is the Connection Manager address
   cm_auth is the user catalog, user group, and user
   disconnected_policy_path is the complete path and file name of the policy that Endpoint Security Agent enforces when it is not connected to the Endpoint Security server. This argument is optional.
   The script outputs the RPM to /usr/src/redhat/RPMS/i386/avalon-x.x.xxx.x-x.i386.rpm.
5. Go to that directory and change the mode of the file:
   [root@localhost root] # cd /usr/src/redhat/RPMS/i386 && chmod 755 avalon-x.x.xxx.x-x.i386.rpm

Installing Endpoint Security Agent using RPM

This section explains how to install Endpoint Security Agent using the RPM package manager. If you install Endpoint Security Agent using the pre-configured RPM, you must configure the Endpoint Security server Connection Manager address after the installation is complete (see "Customizing the Endpoint Security Agent configuration," on page 20).
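The three values handed to the build script are baked into every computer installed from the resulting RPM, and a mistyped Connection Manager address or cm_auth is not reported at install time: the agent simply fails to reach the server and falls back to the disconnected policy (or receives the default policy rather than the Linux one). The POSIX shell pre-flight script below is an added example, not part of this guide or of the Check Point build script. It assumes the https://<host>/cm address form and the manual://<catalog>/<group>/<user> cm_auth layout suggested by the installer prompts shown under "Installing using the installation script", assumes an exported policy is an XML file (the guide names it disconnected.xml), and derives the rpm -i versus rpm -U choice from the output of rpm -qa ilagent the way the procedures in this section do. The catalog and group names in the demonstration are constructed.

```shell
#!/bin/sh
# Pre-flight checks for the three arguments of the Endpoint Security Agent
# RPM build script (cm_address, cm_auth, disconnected_policy_path).
# Added example; not part of the Check Point guide or of the build script.

# Accept only the https://<host>/cm form shown in the guide's installer
# prompt. ASSUMPTION: any other scheme or extra path component is a mistake.
validate_cm_address() {
    case "$1" in
        https://*/cm) ;;
        *) return 1 ;;
    esac
    hostport=${1#https://}
    hostport=${hostport%/cm}
    case "$hostport" in
        ""|*" "*|*/*) return 1 ;;   # empty host, embedded space, or extra path
    esac
    return 0
}

# Accept manual://<catalog>/<group>[/<user>]. ASSUMPTION: this is the layout
# behind the installer's default "manual:////". Catalog and group must be
# non-empty; a host outside the Linux catalog receives the default policy.
validate_cm_auth() {
    case "$1" in
        manual://*/*) ;;
        *) return 1 ;;
    esac
    rest=${1#manual://}
    catalog=${rest%%/*}
    group=${rest#*/}
    group=${group%%/*}
    [ -n "$catalog" ] && [ -n "$group" ]
}

# The disconnected policy path is embedded in the RPM exactly as given, so it
# must be absolute, readable, and look like an exported XML policy.
validate_policy_file() {
    case "$1" in
        /*) ;;
        *) echo "policy path is not absolute: $1" >&2; return 1 ;;
    esac
    [ -r "$1" ] || { echo "policy file is not readable: $1" >&2; return 1; }
    IFS= read -r first_line < "$1"
    case "$first_line" in
        '<'*) return 0 ;;
        *) echo "policy file does not look like XML: $1" >&2; return 1 ;;
    esac
}

# Choose the rpm operation from the output of `rpm -qa ilagent`, as the
# install and upgrade procedures do: no package listed means a first install.
rpm_action() {   # rpm_action "$(rpm -qa ilagent)"
    if [ -z "$1" ]; then echo "-i"; else echo "-U"; fi
}

# Run every check, report each problem, and fail if any check failed.
preflight() {   # preflight CM_ADDRESS CM_AUTH [DISCONNECTED_POLICY_PATH]
    status=0
    validate_cm_address "$1" || { echo "bad cm_address: $1" >&2; status=1; }
    validate_cm_auth "$2"    || { echo "bad cm_auth: $2" >&2; status=1; }
    if [ -n "$3" ]; then
        validate_policy_file "$3" || status=1
    fi
    return $status
}

# Demonstration with constructed values: the CM address is the guide's example,
# the catalog/group names are invented, and a temporary XML file stands in for
# the exported disconnected policy.
demo_policy=$(mktemp) || exit 1
printf '<?xml version="1.0"?>\n<policy name="linux-disconnected"/>\n' > "$demo_policy"
installed=""   # on a real host: installed=$(rpm -qa ilagent)
if preflight "https://225.225.225.225/cm" "manual://LinuxServers/WebTier/" "$demo_policy"; then
    echo "preflight passed; install with: rpm $(rpm_action "$installed") <package>"
    # Real build step once the checks pass (version placeholder as in the guide):
    # ./ilagent-build-rpm-1.xxx.x-x.bin "https://225.225.225.225/cm" "manual://LinuxServers/WebTier/" "$demo_policy"
fi
rm -f "$demo_policy"
```

Run it on the build host before step 4 of "Building a customized RPM"; the same checks apply to the cm_address and cm_auth values you set by hand after installing the pre-configured RPM.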
To install using an RPM:
1. Log in as root.
2. Move the Endpoint Security Agent RPM, avalon-x.x.xxx.x-x.i386.rpm, to the computer.
3. Verify that Endpoint Security Agent is not already installed on the computer:
   [root@localhost root] # rpm -qa ilagent
   If the Endpoint Security Agent is already installed, its package name is displayed. In that case, either uninstall it before continuing or follow the upgrade instructions in the next section.
4. Execute the installer:
   [root@localhost root] # rpm -i ilagent-xxx.x.rpm
5. Verify that the installation completed successfully:
   [root@localhost root] # rpm -qa ilagent
   ilagent-xxx.x

After the installation is complete, Endpoint Security Agent automatically starts, connects to the Endpoint Security server, then downloads the enterprise security policy and begins enforcing it. If the Endpoint Security server is not available, Endpoint Security Agent enforces the disconnected policy.

Upgrading Endpoint Security Agent using RPM

Upgrade previous versions of the Endpoint Security Agent using a customized RPM or the pre-configured Endpoint Security Agent RPM. You can also use the upgrade command to change the disconnected policy or the Endpoint Security server Connection Manager address: first build a new RPM with the new address or disconnected policy, then follow the instructions in this section.

To upgrade using RPM:
1. Log in as root.
2. Move the Endpoint Security Agent RPM, avalon-x.x.xxx.x-x.i386.rpm, to the computer.
3. Verify that Endpoint Security Agent is already installed on the computer:
   [root@localhost root] # rpm -qa ilagent
   If the Endpoint Security Agent is installed, its package name is displayed. If it is not installed, use the first-time installation instructions in "Installing Endpoint Security Agent using RPM," on page 17.
4. Execute the upgrade:
   [root@localhost root] # rpm -U ilagent-xxx.x.rpm
5. Verify that the installation completed successfully:
   [root@localhost root] # rpm -qa ilagent
   ilagent-xxx.x

After the upgrade is complete, Endpoint Security Agent automatically starts, connects to the Endpoint Security server, then downloads the enterprise security policy and begins enforcing it. If the Endpoint Security server is not available, Endpoint Security Agent enforces the disconnected policy.

Uninstalling Endpoint Security Agent using RPM

This section explains how to remove Endpoint Security Agent using the RPM package manager. When you remove the Endpoint Security Agent from the endpoint computer, the Endpoint Security Agent software and all of the firewall rules it added to iptables are removed.

To uninstall using RPM:
1. Log in as root.
2. Get the name of the Endpoint Security Agent package that is installed on the computer:
   [root@localhost root] # rpm -qa ilagent
   ilagent-xxx.x
   The Endpoint Security Agent package name is displayed. If it is not installed, nothing is returned.
3. Using that package name, execute the uninstall command:
   [root@localhost root] # rpm -e ilagent-xxx.x
4. Verify that the Endpoint Security Agent is no longer installed on the computer:
   [root@localhost root] # rpm -qa ilagent
   [root@localhost root] #
5. To clean up the system, remove the ilagent directory and the RPM file:
   [root@localhost root] # rm -Rf /usr/local/ilagent
   [root@localhost root] # rm -f /usr/src/redhat/RPMS/i386/ilagent-xxx.x.rpm

When the uninstall completes, Endpoint Security Agent and the firewall rules added to iptables by the policy are removed from the computer.

Customizing the Endpoint Security Agent configuration

This section explains the settings in the Endpoint Security Agent configuration file. To customize the configuration, open the file with a text editor and change the settings. Then restart Endpoint Security Agent to run the client with the new configuration.
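Editing ilagent.conf in vi is fine for one computer; across a fleet you want the same change applied by script and checked before the agent is restarted, because a path that is wrong inside the chroot jail only shows up as a failure at start-up. The POSIX shell functions below are an added example, not part of this guide or of the agent: they read and set one parameter in ilagent.conf (rewriting the file in place so its owner and mode survive), and verify that the files the configuration names exist inside the jail when chroot_path is set, which is the guide's rule that all paths are relative to chroot_path. Assumptions, also marked in the comments: the file holds one "key = value" line per parameter (the guide's sample file is not reproduced in this copy), and the rc script the installer creates in /etc/init.d is named ilagent. The demonstration at the end builds a throw-away jail and configuration file with constructed values under a temporary directory, so it runs without the agent installed.

```shell
#!/bin/sh
# Scripted edits and checks for /usr/local/ilagent/etc/ilagent.conf.
# Added example; not part of the Check Point guide or of the agent.
# ASSUMPTION: the file holds one "key = value" line per parameter.

CONF=${ILAGENT_CONF:-/usr/local/ilagent/etc/ilagent.conf}

# Print the value of KEY from FILE (default $CONF); nothing if the key is
# absent. Surrounding double quotes are stripped, so a null value ("")
# comes back empty, the same as an unset key.
get_conf_value() {   # get_conf_value KEY [FILE]
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "${2:-$CONF}" \
        | head -n 1 | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Set KEY to VALUE in FILE, replacing the existing line or appending one.
# The file is rewritten through cat so the owner and mode of the root-owned
# file are kept (sed -i would replace the inode). VALUE must not contain
# '|' or '&', which are special to the sed replacement used here.
set_conf_value() {   # set_conf_value KEY VALUE [FILE]
    f=${3:-$CONF}
    case "$2" in
        *"|"*|*"&"*) echo "unsupported character in value for $1" >&2; return 1 ;;
    esac
    if grep -q "^[[:space:]]*$1[[:space:]]*=" "$f"; then
        tmp=$(mktemp) || return 1
        sed "s|^[[:space:]]*$1[[:space:]]*=.*|$1 = $2|" "$f" > "$tmp" || return 1
        cat "$tmp" > "$f" && rm -f "$tmp"
    else
        printf '%s = %s\n' "$1" "$2" >> "$f"
    fi
}

# With chroot_path set, ilagentd calls chroot() and resolves every path in
# the file inside the jail, so /etc/disconnected.xml really means
# <chroot_path>/etc/disconnected.xml. Report configured files that are not
# there; unset or null parameters are skipped. Returns non-zero on any miss.
check_jail_paths() {   # check_jail_paths [FILE]
    f=${1:-$CONF}
    jail=$(get_conf_value chroot_path "$f")
    missing=0
    for key in disconnected_policy ipt_cmd ipt_restore ipt_save; do
        p=$(get_conf_value "$key" "$f")
        [ -n "$p" ] || continue
        if [ ! -e "$jail$p" ]; then
            echo "$key = $p is missing (looked for $jail$p)" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Apply one change and restart, as the guide's procedures do by hand, but
# only after the jail check passes. ASSUMPTION: the rc script created at
# install time is /etc/init.d/ilagent.
update_and_restart() {   # update_and_restart KEY VALUE
    set_conf_value "$1" "$2" || return 1
    check_jail_paths || return 1
    if [ -x /etc/init.d/ilagent ]; then
        /etc/init.d/ilagent restart
    else
        echo "rc script /etc/init.d/ilagent not found; restart ilagent by hand" >&2
    fi
}

# Demonstration on a throw-away jail and configuration file (constructed
# values; the CM address and port are the guide's defaults).
demo=$(mktemp -d) || exit 1
mkdir -p "$demo/jail/etc" "$demo/jail/sbin"
: > "$demo/jail/etc/disconnected.xml"
: > "$demo/jail/sbin/iptables"
CONF=$demo/ilagent.conf
cat > "$CONF" <<EOF
cm_address = https://225.225.225.225/cm
cm_auth = manual:////
is_port = 5054
chroot_path = $demo/jail
disconnected_policy = /etc/disconnected.xml
ipt_cmd = /sbin/iptables
EOF
set_conf_value cm_auth "manual://LinuxServers/WebTier/"   # point at the Linux catalog and group
set_conf_value ipt_log_limit 10                          # key was absent, so it is appended
check_jail_paths && echo "jail paths OK: cm_auth is now $(get_conf_value cm_auth)"
set_conf_value disconnected_policy /etc/renamed.xml       # renamed, but never copied into the jail
check_jail_paths || echo "fix the jail before restarting ilagent"
rm -rf "$demo"
```

On a real host, leave CONF at its default and call, for example, update_and_restart cm_address https://newserver.example.net/cm as root; the second demonstration step shows the failure mode the check is for, a disconnected_policy value that was renamed in ilagent.conf without the file being placed under the jail.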
Configuration file settings

The configuration file is located in the /usr/local/ilagent/etc directory. Table 4-2, "Endpoint Security Agent configuration settings," explains how to set each parameter. If you run the Endpoint Security Agent or iptables in a chroot jail, make all paths relative to chroot_path.

Sample configuration file

Table 4-2: Endpoint Security Agent configuration settings

Parameter               Description
cm_address              Endpoint Security server Connection Manager address.
cm_auth                 Catalog, group, and user name that determine which policy is assigned to this computer.
is_port                 Endpoint Security server port. Use the default setting of 5054.
pidfile                 Complete path to the ilagentd pid (process identifier) file.
cxn_signature           Path to the file that contains a unique identifier for this Endpoint Security Agent. Primarily used for debugging.
ipt_accept_log_chain    iptables chain where the packet logging and accepting rules are placed.
ipt_drop_log_chain      iptables chain where the packet logging and dropping rules are placed.
ipt_accept_log_prefix   Log message prefix for accepted packets.
ipt_drop_log_prefix     Log message prefix for dropped packets.
ipt_log_source          Source of the firewall event log messages. Specify either the syslog file name or the value 'ULOG'.
ipt_nl_group            When using ULOG, the netlink group (1-32) to which the packet is sent. See man iptables for details.
ipt_nl_qthreshold       When using ULOG, the number of packets queued inside the kernel before they are passed to user space. See man iptables for details.
ipt_log_limit           Maximum number of packets logged per second.
ipt_log_limit_burst     Burst allowance for ipt_log_limit (the token bucket of the iptables limit match). See man iptables for details.
ipt_cmd                 Path of the iptables executable.
ipt_restore             Path of the iptables-restore executable.
ipt_save                Path of the iptables-save executable.
disconnected_policy     Path to the policy file Endpoint Security Agent enforces when disconnected from the Endpoint Security server. See "Managing the disconnected policy," on page 10. The default is '/etc/disconnected.xml'. You can disable the disconnected policy by removing the file specified here.
received_policy         Path to the enterprise security policy Endpoint Security Agent enforces when connected to the Endpoint Security server.
chroot_path             Complete path to the jail directory. When you enter a value, ilagentd calls chroot() to that directory. This directory must contain all required files and libraries.
logfile                 Complete path to the ilagentd log file. The default is /usr/local/ilagent/run/ilagent.log.
dumpfile                Complete path to the ilagentd dump file.
statusfile              Complete path to the ilagentd status file.

Changing the Endpoint Security Server Connection Manager address

You may need to change the Endpoint Security server information in the configuration file, for example when the Endpoint Security server Connection Manager address changes or when you installed Endpoint Security Agent using the pre-configured RPM.

To change the Endpoint Security Server Connection Manager address:
1. Open the configuration file with a text editor:
   [root@localhost root] # vi /usr/local/ilagent/etc/ilagent.conf
2. Change the value of the cm_address parameter to the Endpoint Security server Connection Manager address.
3. Save your changes, then close the file.
4. Restart Endpoint Security Agent. See "Running Endpoint Security Agent," on page 23, for detailed instructions on starting and stopping the client.

Changing the cm_auth parameter

You can change the cm_auth parameter to connect the Endpoint Security Agent using a different catalog, group, or user. The computer then receives the policy assigned to that catalog.

To change the cm_auth parameter:
1. Log into the Linux system and open a terminal window.
2. Change directory to /usr/local/ilagent/etc.
3. Open ilagent.conf.
4. Change the value of the cm_auth parameter and save the file.
5. Restart Endpoint Security Agent. It connects to the server using the new catalog, group, and user.

Running Endpoint Security Agent

This section explains the different methods that you can use
to start, stop or restart Endpoint Security Agent on the protected computer When you stop Endpoint Security Agent, the endpoint computer is no longer protected When you start Endpoint Security Agent, it immediately attempts to connect to the Endpoint Security server and begins enforcing the: Enterprise security policy if the connection is established Disconnected policy if the connection cannot be established Using the command line interface Starting, stopping and restarting Endpoint Security Agent from the CLI (command line interface) varies depending on the installation type Use the instructions that correspond to your installation The following table describes the options that are available from the CLI Table 4-3: Endpoint Security Agent command line interface options Option Description -c Specifies the complete path to the configuration file config When this option is used alone, it starts Endpoint Security Agent using the specified configuration file When options -s and -i are used, this option is required -h Displays ilagent version and lists available CLI options -i Displays Endpoint Security Agent status info Requires configuration file option -s Shuts down Endpoint Security Agent shutdown Requires configuration file option -V Displays Endpoint Security Agent version Endpoint Security Agent for Linux 23 Endpoint Security Agent RPM Log into the endpoint computer as root and use the following commands to start and stop Endpoint Security Agent RPM from the command line interface These commands start and stop Endpoint Security Agent even when a policy prevents the client from being shutdown To start Endpoint Security Agent: Type the following command to start Endpoint Security Agent: [root@localhost root] # /etc/init.d/ilagentd start To stop Endpoint Security Agent: Type the following command to stop Endpoint Security Agent: [root@localhost root] # /etc/init.d/ilagentd stop To restart Endpoint Security Agent: Type the following command to restart Endpoint 
Security Agent: [root@localhost root] # /etc/init.d/ilagentd stop && /etc/init.d/ilagentd start Endpoint Security Agent script Log into the endpoint computer as root and use the following commands to start and stop Endpoint Security Agent installed using the script from the command line interface If Endpoint Security Agent is enforcing a policy that prevents the client from being shutdown, Endpoint Security Agent cannot be stopped using any of the script stop or restart commands described in this section To start Endpoint Security Agent: Type the following command to start Endpoint Security Agent: [root@localhost root] # /usr/local/ilagent/bin/ilagentd To stop Endpoint Security Agent: Type the following command to stop Endpoint Security Agent: [root@localhost root] # /usr/local/ilagent/bin/ilagentd shutdown -c To restart Endpoint Security Agent: Type the following command to restart Endpoint Security Agent: Endpoint Security Agent for Linux 24 [root@localhost root] # /usr/local/ilagent/bin/ilagentd shutdown -c [root@localhost root] # /usr/local/ilagent/bin/ilagentd -c Using the Service Manager When Endpoint Security Agent is installed, you register it as a service Therefore, whether you installed Endpoint Security Agent using the installation script or with the RPM package manager, you can start, stop, and restart Endpoint Security Agent using the service manager interface To start, stop, or restart Endpoint Security Agent service: Open the services manager, then locate the ilagent service Click Start, Stop, or Restart The Endpoint Security Agent status changes according to the option you selected Checking the Log Endpoint Security Agent’s log file is located by default at /usr/local/ilagent/run/ ilagent.log You can view the log using any text editor Endpoint Security Agent for Linux 25 ... 
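The Checking the Log section covers only the agent's own log. The iptables rules the policy installs log packets separately, through the syslog file or ULOG group named by ipt_log_source, tagged with ipt_drop_log_prefix and ipt_accept_log_prefix. The following script is an added example written for this page, not code from the guide or from Check Point: it summarises drop-prefixed kernel log lines by source, destination port and protocol. The prefix value ILAGENT_DROP: and the sample syslog lines are constructed for the example; the field layout (IN= OUT= SRC= DST= PROTO= SPT= DPT=) is the standard iptables LOG target format.

```shell
#!/bin/sh
# Added example, not from the Check Point guide. Summarise iptables log lines that
# carry the ipt_drop_log_prefix configured in ilagent.conf. The prefix value and the
# syslog lines below are constructed for this example; the field layout (IN= OUT=
# SRC= DST= PROTO= SPT= DPT=) is the standard iptables LOG target format.

DROP_PREFIX="${DROP_PREFIX:-ILAGENT_DROP:}"   # assumed ipt_drop_log_prefix value

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jan  9 10:01:02 srv1 kernel: ILAGENT_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  9 10:01:03 srv1 kernel: ILAGENT_DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=22 SYN
Jan  9 10:01:04 srv1 kernel: ILAGENT_ACCEPT: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=5000 DPT=80 SYN
Jan  9 10:01:05 srv1 kernel: ILAGENT_DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=161
Jan  9 10:01:06 srv1 sshd[4242]: Accepted publickey for admin from 192.0.2.77 port 5001
Jan  9 10:01:07 srv1 kernel: ILAGENT_DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=23 SYN
EOF

# summarize_drops PREFIX LOGFILE
# Prints "count SRC DPT PROTO", most frequent first, for kernel lines tagged PREFIX.
# Accept-prefixed lines and non-kernel lines (sshd etc.) are ignored.
summarize_drops() {
    awk -v tag="kernel: $1" '
        index($0, tag) {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if (substr($i, 1, 4) == "SRC=")   src   = substr($i, 5)
                if (substr($i, 1, 4) == "DPT=")   dpt   = substr($i, 5)
                if (substr($i, 1, 6) == "PROTO=") proto = substr($i, 7)
            }
            if (src != "") count[src " " dpt " " proto]++
        }
        END { for (k in count) print count[k], k }
    ' "$2" | sort -k1,1nr -k2
}

# drops_from SRC PREFIX LOGFILE
# Number of dropped packets from one source address (prints 0 when there are none).
drops_from() {
    awk -v tag="kernel: $2" -v src="SRC=$1" '
        index($0, tag) {
            for (i = 1; i <= NF; i++) if ($i == src) { n++; break }
        }
        END { print n + 0 }
    ' "$3"
}

# Stand-alone run: top entries among dropped packets, then one source's total.
summarize_drops "$DROP_PREFIX" "$SAMPLE_LOG"
drops_from 192.0.2.10 "$DROP_PREFIX" "$SAMPLE_LOG"
```

Point the functions at the file named in ipt_log_source (or at the file your ulogd writes when ipt_log_source is ULOG) and pass the real ipt_drop_log_prefix value; ipt_log_limit and ipt_log_limit_burst cap what reaches the log, so the counts are a lower bound on packets actually dropped.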
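The Configuration file settings section says that with chroot_path set every path in ilagent.conf must be relative to the jail, and that removing the disconnected_policy file disables the fallback policy. Both mistakes only surface after the restart the Customizing procedures end with. The following script is an added example written for this page, not code from the guide or from Check Point: it checks a configuration file before ilagentd is restarted. The guide does not show the file syntax, so the script assumes one name = value per line with # comments; the cm_auth value, the jail layout and both configuration files are constructed for the example, and the is_port check simply enforces the documented default of 5054.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: sanity-check ilagent.conf before
# restarting ilagentd. The guide names the parameters but does not show the file
# syntax, so this script ASSUMES one "name = value" per line with '#' comments.
# Everything below is built in a temporary directory: a fake jail, a configuration
# with host-absolute paths that break once chroot_path is set, and a corrected one.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed jail holding what ilagentd needs to see after chroot().
JAIL="$WORK/jail"
mkdir -p "$JAIL/sbin" "$JAIL/etc" "$JAIL/run"
for tool in iptables iptables-restore iptables-save; do
    printf '#!/bin/sh\nexit 0\n' >"$JAIL/sbin/$tool"   # stand-in binaries
    chmod 755 "$JAIL/sbin/$tool"
done
: >"$JAIL/etc/disconnected.xml"

# Wrong: chroot_path is set, but the iptables binaries and the disconnected policy
# are still given by their host paths, and is_port was changed from the default.
# The cm_auth value is a placeholder; its real format is not documented here.
BAD_CONF="$WORK/ilagent.bad.conf"
cat >"$BAD_CONF" <<EOF
# constructed example configuration
cm_address = 198.51.100.20
cm_auth = LinuxCatalog/Servers/ilagent
is_port = 5055
chroot_path = $JAIL
pidfile = /run/ilagentd.pid
logfile = /run/ilagent.log
ipt_cmd = /usr/sbin/iptables
ipt_restore = /usr/sbin/iptables-restore
ipt_save = /usr/sbin/iptables-save
disconnected_policy = /usr/local/ilagent/etc/disconnected.xml
EOF

# Right: every path is relative to chroot_path, as the guide requires.
GOOD_CONF="$WORK/ilagent.good.conf"
sed -e 's|^is_port = .*|is_port = 5054|' \
    -e 's|^ipt_cmd = .*|ipt_cmd = /sbin/iptables|' \
    -e 's|^ipt_restore = .*|ipt_restore = /sbin/iptables-restore|' \
    -e 's|^ipt_save = .*|ipt_save = /sbin/iptables-save|' \
    -e 's|^disconnected_policy = .*|disconnected_policy = /etc/disconnected.xml|' \
    "$BAD_CONF" >"$GOOD_CONF"

# conf_get FILE NAME: print the value of NAME (empty if unset or commented out).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# check_ilagent_conf FILE: report problems; returns the number found (0 = clean).
# Paths are resolved under chroot_path when it is set, exactly as chroot() will.
check_ilagent_conf() {
    conf="$1"
    problems=0
    root="$(conf_get "$conf" chroot_path)"

    if [ -n "$root" ] && [ ! -d "$root" ]; then
        echo "chroot_path: $root is not a directory"
        problems=$((problems + 1))
    fi
    if [ -z "$(conf_get "$conf" cm_address)" ]; then
        echo "cm_address: not set; the agent cannot reach the Connection Manager"
        problems=$((problems + 1))
    fi
    port="$(conf_get "$conf" is_port)"
    if [ "$port" != "5054" ]; then
        echo "is_port: '$port' is not the documented default 5054"
        problems=$((problems + 1))
    fi
    for key in ipt_cmd ipt_restore ipt_save; do
        p="$(conf_get "$conf" "$key")"
        if [ -z "$p" ] || [ ! -x "$root$p" ]; then
            echo "$key: '$root$p' is missing or not executable (checked inside the jail)"
            problems=$((problems + 1))
        fi
    done
    for key in pidfile logfile; do
        p="$(conf_get "$conf" "$key")"
        if [ -n "$p" ] && [ ! -d "$root$(dirname "$p")" ]; then
            echo "$key: directory for '$root$p' does not exist"
            problems=$((problems + 1))
        fi
    done
    p="$(conf_get "$conf" disconnected_policy)"
    if [ -z "$p" ] || [ ! -f "$root$p" ]; then
        echo "disconnected_policy: no file at '$root$p'; nothing is enforced while the server is unreachable"
        problems=$((problems + 1))
    fi
    echo "$conf: $problems problem(s)"
    return "$problems"
}

# Stand-alone run: the broken file reports five problems, the corrected one none.
check_ilagent_conf "$BAD_CONF" || :
check_ilagent_conf "$GOOD_CONF" || :
```

Run check_ilagent_conf against /usr/local/ilagent/etc/ilagent.conf before the restart step of either Customizing procedure; a non-zero return means the restarted agent would either fail to drive iptables or run with no disconnected policy.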
Posted: 23/10/2013, 12:15