Symantec Enterprise Security Manager™ Installation Guide

Date post: 15-Feb-2022
Version 6.0

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 6.0

PN: 10132731

Copyright notice

Copyright 1998–2003 Symantec Corporation. All Rights Reserved.

Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation.

NO WARRANTY. The technical documentation is being delivered to you AS-IS and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.

No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.

Trademarks

Symantec, the Symantec logo, and LiveUpdate are U.S. registered trademarks of Symantec Corporation. Symantec Enterprise Security Architecture, Symantec Enterprise Security Manager, Symantec Incident Manager, Symantec Security Response, and Symantec Vulnerability Assessment are trademarks of Symantec Corporation.

Other brands and product names that are mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

Printed in the United States of America.

10 9 8 7 6 5 4 3 2 1

Technical support

As part of Symantec Security Response, the Symantec Global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts.

Symantec technical support offerings include:

■ A range of support options that gives you the flexibility to select the right amount of service for any size organization

■ Telephone and Web support components that provide rapid response and up-to-the-minute information

■ Upgrade insurance that delivers automatic software upgrade protection

■ Content Updates for virus definitions and security signatures that ensure the highest level of protection

■ Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages

■ Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, that offer enhanced response and proactive security support

Please visit our Web site for current information on Support Programs. The specific features that are available may vary based on the level of support purchased and the specific product that you are using.

Licensing and registration

If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at www.symantec.com/certificate. Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.htm, select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.

Contacting Technical Support

Customers with a current support agreement may contact the Technical Support group by phone or online at www.symantec.com/techsupp.

Customers with Platinum support agreements may contact Platinum Technical Support by the Platinum Web site at www-secure.symantec.com/platinum/.

When contacting the Technical Support group, please have the following:

■ Product release level

■ Hardware information

■ Available memory, disk space, NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description

■ Error messages/log files

■ Troubleshooting performed prior to contacting Symantec

■ Recent software configuration changes and/or network changes

Customer Service

To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information on product updates and upgrades

■ Information on upgrade insurance and maintenance contracts

■ Information on Symantec Value License Program

■ Advice on Symantec's technical support options

■ Nontechnical presales questions

■ Missing or defective CD-ROMs or manuals

SYMANTEC SOFTWARE LICENSE AGREEMENT

Symantec Enterprise Security Manager

SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES ("SYMANTEC") IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS "YOU" OR "YOUR") ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING THE "AGREE" OR "YES" BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK THE "I DO NOT AGREE" OR "NO" BUTTON OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE.

1. License:

The software and documentation that accompanies this license (collectively the "Software") is the proprietary property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Software, You will have certain rights to use the Software after Your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to You. Except as may be modified by an applicable Symantec license certificate, license coupon, or license key (each a "License Module") that accompanies, precedes, or follows this license, and as may be further defined in the user documentation accompanying the Software, Your rights and obligations with respect to the use of this Software are as follows.

You may:

A. use that number of copies of the Software as have been licensed to You by Symantec under a License Module. Permission to use the software to assess Desktop, Server or Network machines does not constitute permission to make additional copies of the Software. If no License Module accompanies, precedes, or follows this license, You may make one copy of the Software you are authorized to use on a single machine.

B. make one copy of the Software for archival purposes, or copy the Software onto the hard disk of Your computer and retain the original for archival purposes;

C. use the Software to assess no more than the number of Desktop machines set forth under a License Module. "Desktop" means a desktop central processing unit for a single end user;

D. use the Software to assess no more than the number of Server machines set forth under a License Module. "Server" means a central processing unit that acts as a server for other central processing units;

E. use the Software to assess no more than the number of Network machines set forth under a License Module. "Network" means a system comprised of multiple machines, each of which can be assessed over the same network;

F. use the Software in accordance with any written agreement between You and Symantec; and

G. after written consent from Symantec, transfer the Software on a permanent basis to another person or entity, provided that You retain no copies of the Software and the transferee agrees to the terms of this license.

You may not:

A. copy the printed documentation which accompanies the Software;

B. use the Software to assess a Desktop, Server or Network machine for which You have not been granted permission under a License Module;

C. sublicense, rent or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software;

D. use the Software as part of a facility management, timesharing, service provider, or service bureau arrangement;

E. continue to use a previously issued license key if You have received a new license key for such license, such as with a disk replacement set or an upgraded version of the Software, or in any other instance;

F. continue to use a previous version or copy of the Software after You have installed a disk replacement set, an upgraded version, or other authorized replacement. Upon such replacement, all copies of the prior version must be destroyed;

G. use a later version of the Software than is provided herewith unless you have purchased corresponding maintenance and/or upgrade insurance or have otherwise separately acquired the right to use such later version;

H. use, if You received the software distributed on media containing multiple Symantec products, any Symantec software on the media for which You have not received a permission in a License Module; nor

I. use the Software in any manner not authorized by this license.

2. Content Updates:

Certain Software utilize content that is updated from time to time (including but not limited to the following Software: antivirus software utilize updated virus definitions; content filtering software utilize updated URL lists; some firewall software utilize updated firewall rules; and vulnerability assessment products utilize updated vulnerability data; these updates are collectively referred to as "Content Updates"). You shall have the right to obtain Content Updates for any period for which You have purchased maintenance, except for those Content Updates that Symantec elects to make available by separate paid subscription, or for any period for which You have otherwise separately acquired the right to obtain Content Updates. Symantec reserves the right to designate specified Content Updates as requiring purchase of a separate subscription at any time and without notice to You; provided, however, that if You purchase maintenance hereunder that includes particular Content Updates on the date of purchase, You will not have to pay an additional fee to continue receiving such Content Updates through the term of such maintenance even if Symantec designates such Content Updates as requiring separate purchase. This License does not otherwise permit the licensee to obtain and use Content Updates.

3. Limited Warranty:

Symantec warrants that the media on which the Software is distributed will be free from defects for a period of sixty (60) days from the date of delivery of the Software to You. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software. Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY.

4. Disclaimer of Damages:

SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT, OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether or not You accept the Software.

5. U.S. Government Restricted Rights:

RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are "Commercial Items," as that term is defined in 48 C.F.R. section 2.101, consisting of "Commercial Computer Software" and "Commercial Computer Software Documentation," as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014, United States of America.

6. Export Regulation:

Export or re-export of this Software is governed by the laws and regulations of the United States and import laws and regulations of certain other countries. Export or re-export of the Software to any entity not authorized by, or that is specified by, the United States Federal Government is strictly prohibited.

7. General:

If You are located in North America or Latin America, this Agreement will be governed by the laws of the State of California, United States of America. Otherwise, this Agreement will be governed by the laws of England and Wales. This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Software and: (i) supersedes all prior or contemporaneous oral or written communications, proposals, and representations with respect to its subject matter; and (ii) prevails over any conflicting or additional terms of any quote, order, acknowledgment, or similar communications between the parties. This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software. The disclaimers of warranties and damages and limitations on liability shall survive termination. Software and documentation is delivered Ex Works California, U.S.A. or Dublin, Ireland respectively (ICC INCOTERMS 2000). This Agreement may only be modified by a License Module that accompanies this license or by a written document that has been signed by both You and Symantec. Should You have any questions concerning this Agreement, or if You desire to contact Symantec for any reason, please write to: (i) Symantec Customer Service, 555 International Way, Springfield, OR 97477, U.S.A., (ii) Symantec Authorized Service Center, Postbus 1029, 3600 BA Maarssen, The Netherlands, or (iii) Symantec Customer Service, 1 Julius Ave, North Ryde, NSW 2113, Australia.

Contents

Technical support

Chapter 1 Before you install
    Organizing network resources
        Grouping computers into domains
        Organizing NetWare/NDS contexts
    Applying security policies
        Mapping a formulated policy
        Correlating checks with security modules
        Addressing platform-specific vulnerabilities
        Applying the Symantec ESM default policies
    Implementing security operations
        Piloting Symantec ESM at one location
        Rolling out Symantec ESM

Chapter 2 Installing Symantec ESM managers and agents on Windows
    Before you install
    System requirements
        Operating requirements
        Policy run disk space
        CPU utilization
        Scalability parameters
    Installing
        Installing Symantec ESM on a local computer
        Silently installing Symantec ESM on a local computer
        Installing a Symantec ESM agent on a remote computer
    Post-installation tasks
        Registering a Symantec ESM agent on a local computer
        Reregistering Symantec ESM agents to a manager
        Changing LiveUpdate on a local computer
        Upgrading an older version of Symantec ESM
        Changing a Symantec ESM agent port
        Uninstalling Symantec ESM from a local computer

Chapter 3 Installing Symantec ESM managers and agents on UNIX
    Before you install
    System requirements
        Operating requirements
        Policy run disk space
        CPU utilization
        Scalability parameters
    Installing
        Installing Symantec ESM on a local computer
        Using the command line options to install Symantec ESM
        Installing Symantec ESM using Solaris PKGADD
        Installing a Symantec ESM agent on a remote computer
    Post-installation tasks
        Registering a Symantec ESM agent on a local computer
        Reregistering Symantec ESM agents to a manager
        Changing LiveUpdate on a local computer
        Upgrading an older version of Symantec ESM
        Changing a Symantec ESM agent port
        Uninstalling Symantec ESM from a local computer

Chapter 4 Installing Symantec ESM agents on NetWare/NDS
    Before you install
    System requirements
        Operating requirements
    Installing
        Installing a Symantec ESM agent on a local server
    Post-installation tasks
        Registering a Symantec ESM agent on a local computer
        Reviewing a Symantec ESM agent context list
        Creating an NDS context mini-agent on a local computer
        Creating a server-only mini-agent on a local computer
        Upgrading an older version of Symantec ESM
        Changing a Symantec ESM agent port
        Uninstalling Symantec ESM from a local computer

Chapter 5 Installing Symantec ESM agents on OS/400
    Before you install
    System requirements
        Operating requirements
    Installing
        Installing a Symantec ESM agent on an OS/400
    Post-installation tasks
        Registering a Symantec ESM agent on a local computer
        Uninstalling Symantec ESM from a local computer

Chapter 6 Installing Symantec ESM agents on OpenVMS
    Before you install
    System requirements
        Operating requirements
    Installing
        Installing a Symantec ESM agent on a local computer
    Post-installation tasks
        Invoking the esmsetup command procedure on a local computer
        Enabling network communications on a local computer
        Registering the Symantec ESM agent on a local computer
        Reregistering Symantec ESM agents to a manager
        Starting the Symantec ESM agent on a local computer
        Exiting the esmsetup command procedure on a local computer
        Upgrading an older version of Symantec ESM
        Changing a Symantec ESM agent port
        Uninstalling Symantec ESM from a local computer

Chapter 7 Installing Symantec ESM consoles
    Before you install
    System requirements
        Operating requirements
        Scalability parameters
    Installing
        Installing Symantec ESM on a local computer
    Post-installation tasks
        Connecting a Symantec ESM console to a manager
        Upgrading an older version of the Symantec ESM console
        Configuring the Symantec ESM console
        Setting the Web browser
        Uninstalling the Symantec ESM console from a local computer

Chapter 8 Installing Symantec ESM utilities
    Before you install
    System requirements
        Operating requirements for Windows systems
        Operating requirements for UNIX systems
        Policy run disk space
    Installing
        Installing the Symantec ESM utilities on a local computer
    Post-installation tasks
        Upgrading an older version of the Symantec ESM utilities
        Uninstalling the Symantec ESM utilities from Windows systems
        Uninstalling the Symantec ESM utilities from UNIX systems

Chapter 9 Installing Symantec ESM application modules and policies
    Before you install
    System requirements
    Installing
        Installing application modules and best practice policies

Appendix A Symantec ESM communications
    About Symantec ESM communications security
    Symantec ESM communication ports

Appendix B System assessment checklist
    About system assessment checklists
    Manager checklist
    Agent checklist
    Console checklist

Index

Chapter 1 Before you install

This chapter includes the following topics:

■ Organizing network resources

■ Applying security policies

■ Implementing security operations

Organizing network resources

You must organize your network resources into manageable domains and relate the appropriate sections of your company’s security policy to the security checks in Symantec ESM.

Note: All references to managers, agents, and consoles refer to Symantec ESM managers, Symantec ESM agents, and Symantec ESM consoles unless otherwise specified.

The Symantec ESM architecture consists of managers, agents, and consoles. You can install the manager and console components anywhere that resources allow. Install the agent components on every computer and server in the network, or run an agent as a proxy to gather data about another computer. The operating system environment determines the type of agent software that you can install on a particular computer.

The primary function of Symantec ESM is to collect and evaluate security-related information from the agents that comprise the network. On networks that have a large number of computers, Symantec ESM can gather a large amount of security information. You can organize the agents into areas of responsibility to make this information meaningful and usable.

List the pertinent information about the computers in your enterprise including their operating systems, locations, and networks, if you have more than one.

Use the following selection criteria or create other criteria to group the computers into manageable domains.

Grouping computers into domains

Network resources can belong to more than one domain. Consider the following selection factors while you group your computers into domains:

■ Company security policy

If different security policies apply to some of the network resources, group your computers into domains according to security policy.

■ Organization

Group network resources by organization. For example, group the accounting computers into one domain, personnel computers into another domain, and production computers into a third domain.

■ Function

If some computers have dedicated functions, group computers with similar functions together in a domain. For example, group the network printers in a domain.

■ Physical location

Use physical location as a grouping criterion if the location of the computers affects the security level that you want to establish and maintain.

■ Security/administrator responsibility

If specific company security or system administrators have responsibility for the computers in an organization, group the computers for each administrator into a separate domain. For example, the domain of a corporate security administrator can consist of all the computers in a network domain.

For optimum functioning of the Symantec ESM program, assign computers that must comply with the same company security policy to the same domain. In addition, whenever possible, assign computers to domains within security administrator areas of responsibility. Symantec ESM lets you assign agents running on different platforms to the same domain. The default policies that install with Symantec ESM specify the security checks for all installed platforms. The following examples clarify the grouping process:

■ Grouping by physical location

A Symantec ESM manager has 60 agent computers in two buildings. Building A contains the administrative staff, personnel, and production departments. Building B contains the engineering and accounting departments. Different company policies cover the employees in Building A and Building B. Different security officers have jurisdiction over the employees in each building.

In these circumstances, two domains, one for Building A and one for Building B, seem the logical grouping.

■ Grouping by company security policy

Another environment contains the same number of agents and the same number of computers. However, the company has located the administrative staff, accounting department, and personnel departments in an eastern state, and the engineers and production departments in a western state. One company policy applies to the administrative and personnel departments; a second policy applies to the accounting staff; and a third policy applies to the engineers and production personnel. One security officer has jurisdiction for all eastern personnel. Another security officer handles the western staff.

In this case, create three domains: Eastern 1 for the computers in the administrative and personnel departments, Eastern 2 for the computers in the accounting department, and Western for the computers in the engineering and production departments.

Organizing NetWare/NDS contexts

Install a Symantec ESM agent on each server with a NetWare/NDS operating system on which you want to run server security checks.

Symantec ESM gives you the option to run Novell Directory Services (NDS) security checks when you install the Symantec ESM agent. You can assign the agent to run security checks on the entire NDS tree or on a portion of the tree. The agent can perform these NDS checks in addition to running security checks on the server where it resides.

If you decide to have the agent run NDS checks, the Symantec ESM installer prompts you to assign a context to the agent. The context specifies the section of the NDS tree that the agent checks with its NDS modules. Assign multiple contexts to have the agent check more than one section of the NDS tree.

You do not need to install an agent on every server to perform NDS security checks, but make sure that the contexts of the agents that are performing the NDS checks cover the entire NDS tree.

Issues that you need to consider when planning the organization of agent contexts include:

■ The location and rights of the Symantec ESM object

■ Server security modules

■ Partition and replica considerations

■ The size and complexity of the tree

Symantec ESM object location and rights

To run security checks on the NDS tree, a Symantec ESM agent must have access to each of the contexts in its agent context list. The Symantec ESM installer ensures this access by creating a secure pseudo-user object in the tree that only Symantec ESM can use. Symantec ESM NDS modules log on as this user.

Install the Symantec ESM object in any area of the tree and give it any name. By default, Symantec ESM creates the Symantec ESM object in the main organization container and names it Symantec ESM-<agent name>.

If you install an agent on a server that has a NetWare/NDS operating system, it must have a Symantec ESM object. This requirement applies to all agents, even those that do not run NDS security checks. To run server security checks, an agent must log on to the tree to find the NDS objects that correspond to local resources.

NDS/Server security modules

A Symantec ESM agent can perform NDS checks on each of its contexts in addition to running security checks on the server where it resides. Table 1-1 lists the NDS and Server modules for servers that have NetWare/NDS operating systems.

Table 1-1 NDS and server modules for NetWare/NDS servers

| NDS modules | Server modules |
|---|---|
| Account information | File access |
| Account integrity | File attributes |
| Login parameters | File find |
| Object integrity | File information |
| Password strength | File access |
| System auditing | File attributes |
| User files | File find |

Partitions and replica considerations

A Symantec ESM agent running NDS checks always looks first to the replica on the agent server. This replica can be a Master, Read/Write, or Read-only replica. If the agent server does not have a Master, Read/Write, or Read-only replica of the partition, the Symantec ESM agent routes NDS check requests to the next available server.

A Symantec ESM agent can run on a server with a NetWare/NDS operating system that does not have a partition, and check a part of the tree that does not have a replica of the partition. However, to perform its security checks, the Symantec ESM agent routes NDS check requests to a server that has a replica of the partitions to check.

Server modules run on all servers that have NetWare/NDS operating systems.

To minimize network traffic and ensure optimum performance, run NDS checks only on servers with Master or Read-Write replicas of the partition that matches the part of the NDS tree that the agent is checking.

The size of the tree that the agent must check can also affect network traffic. A single agent that is checking a very large tree can generate a significant amount of network traffic. To minimize network traffic, configure agent servers that perform NDS checks with a Master, Read/Write, or Read-only replica of every partition.

You must synchronize the NDS replicas for Symantec ESM to return consistent security data. If you do not synchronize the NDS replicas, an agent without a replica may report different information from policy run to policy run.

NDS tree size and complexity

The size and complexity of the NDS tree determine the number of Symantec ESM agents that you need to run NDS security modules. This section suggests ways of configuring Symantec ESM agents to perform NDS checks on small, medium, and large trees.

■ Small Trees

For small or less complex trees, configure one agent to run NDS security checks from the root down the entire tree. In this instance, the agent context is the entire NDS tree. The selected agent can run server modules on its own server and NDS modules on the root, the organization, and each organizational unit of the NDS tree. The other agents that are on the NDS tree do not have agent contexts. They can run server module checks only on their own servers.

■ Medium to large trees

Use more than one agent to perform NDS checks on medium to large NDS trees. Using several agents to perform NDS checks can keep Symantec ESM security reports at a manageable level. This can minimize network traffic and improve response time. Each selected agent can run NDS modules on its assigned organization or on the root of the NDS tree. The agent can also run server modules on its server.

■ Multiple agent contexts

Assign an agent to check more than one section of the NDS tree. The optimum configuration of agents depends on the configuration of the NDS tree. Some agents can run server modules on their servers and NDS modules on their agent contexts. Other agents can run server modules on their servers.
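The requirement that the agent contexts together cover the entire NDS tree can be checked on paper before installation. The following is an added example, not part of the Symantec guide or of Symantec ESM; the tree, server names, and contexts are constructed, and it assumes typeful, leaf-first, case-insensitive NDS names with [Root] as the top of the tree.

```python
"""Plan check: do the agent contexts cover every container in the NDS tree?"""

ROOT = "[Root]"


def normalize(name):
    """Return a comparable form of a dotted NDS name (case and spacing ignored)."""
    name = name.strip()
    if name.lower() == ROOT.lower():
        return ROOT
    return ".".join(part.strip().lower() for part in name.strip(".").split("."))


def covers(context, container):
    """True if `container` is the context itself or lies below it.

    Names list the leaf first, so a container below a context ends with the
    context's name: OU=Dev.OU=Eng.O=Acme lies below OU=Eng.O=Acme.
    """
    context, container = normalize(context), normalize(container)
    if context == ROOT:
        return True
    return container == context or container.endswith("." + context)


def coverage_report(containers, agent_contexts):
    """Compare the planned agent context lists against the tree's containers.

    containers     -- every container in the tree, including [Root]
    agent_contexts -- {agent server name: [contexts assigned at install time]}
    """
    tree = sorted({normalize(c) for c in containers})
    checked_by = {c: [] for c in tree}
    unknown = []
    for agent in sorted(agent_contexts):
        for ctx in agent_contexts[agent]:
            n = normalize(ctx)
            if n != ROOT and n not in checked_by:
                # Probably a typing error in the plan: no such container.
                unknown.append((agent, ctx))
                continue
            for c in tree:
                if covers(n, c):
                    checked_by[c].append(agent)
    return {
        # Containers that no agent would check with its NDS modules.
        "uncovered": [c for c in tree if not checked_by[c]],
        "unknown_contexts": unknown,
        # Agents without a context run server modules on their own server only.
        "server_only_agents": sorted(a for a, c in agent_contexts.items() if not c),
        "checked_by": checked_by,
    }


# Constructed sample tree and two candidate plans.
TREE = [
    "[Root]",
    "O=Acme",
    "OU=Eng.O=Acme",
    "OU=Dev.OU=Eng.O=Acme",
    "OU=Sales.O=Acme",
    "OU=East.OU=Sales.O=Acme",
]
# Small tree: one agent checks from the root down, the other has no context.
SMALL_PLAN = {"SRV1": ["[Root]"], "SRV2": []}
# Larger tree: several agents, one with a mistyped context, gaps left open.
MEDIUM_PLAN = {
    "SRV1": ["OU=Eng.O=Acme"],
    "SRV2": ["ou=east.ou=sales.o=acme", "OU=Engg.O=Acme"],
    "SRV3": [],
}

if __name__ == "__main__":
    for label, plan in (("small", SMALL_PLAN), ("medium", MEDIUM_PLAN)):
        report = coverage_report(TREE, plan)
        print(label, "uncovered:", report["uncovered"])
        print(label, "unknown contexts:", report["unknown_contexts"])
        print(label, "server-only agents:", report["server_only_agents"])
```

Names in the report are lower-cased by the normalization step; an empty "uncovered" list means every container is checked by at least one agent.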

Applying security policies

Symantec ESM applies policies to domains to assess the security of network resources. Policies represent the standards that are established by security and administrative personnel, and the groups of checks that are derived from those standards. Domains contain the groups of agents that apply the policy checks.

Many companies have an established and documented security policy. Map the contents of the company policy to the default policies that install with Symantec ESM by enabling or disabling the checks in the policies and editing the name lists and templates in the checks.

If the company has not yet formulated a security policy, you can establish a security policy by writing a policy statement. Then map the various policy objectives in that statement to the checks in the Symantec ESM security modules.

If you write a policy statement, direct it to the business needs of the organization and the assets that you want to protect on the network. Make the policy statement concise. Refer to the documents that contain the company’s standards, guidelines, procedures, and user contracts. These documents usually contain specific information relating to the platforms, technology, applications, user responsibilities, and organizational structure. Change the underlying documents instead of modifying the policy statement.

Mapping a formulated policy

The mapping process converts your company’s policy statement to the equivalent Symantec ESM policy checks. To effectively map the company’s security policy, you must understand the characteristic vulnerabilities of the operating systems on your network. Symantec ESM security checks provide protection in essential areas. The following areas commonly give rise to security problems:

■ User accounts and authorizations

■ Network and server settings

■ File systems and directories

Users initiate and direct the work that is done on computers; users manipulate directories, files, and queues; and networks connect computers and include the objects and files that help manage that connection. Start the mapping process by grouping security procedures into these three areas for each platform.

Correlating checks with security modules

For information about editing modules and applying security checks, see the Symantec ESM Security Update User’s Guides for the Windows, UNIX, or NetWare/NDS operating systems. Download the latest version at http://securityresponse.symantec.com/.

The guides explain why Symantec ESM does each check, show how to demonstrate the check’s function, and tell how to solve the reported security vulnerability. The guides also describe how to edit the name lists, messages, and templates in the checks.

Addressing platform-specific vulnerabilities

Three high-risk security areas exist on all computers. These areas include users, networks, and files. Possible problems and their prevention differ somewhat for each operating system. Vulnerabilities are almost inevitable. Employee activities require additional checks to protect sensitive data. Symantec ESM provides a necessary supplement to native security in these areas.

The next step in mapping your company security policy to Symantec ESM is to correlate the platform-specific security checks in Symantec ESM to your company’s security policy.

Windows operating systems

■ Users

The Account Information, Account Integrity, Login Parameters, Password Strength, and User Files modules contain security checks that help reduce security risks in the user accounts area.

■ Network

The Backup Integrity, Discovery, Network Integrity, Object Integrity, OS Patches, Startup Files, and System Auditing modules provide support in the network area.

■ Files

The Disk Quota, Encrypted File System, File Attributes, File Watch, and Registry modules check for changes in critical files. The security checks in these modules help reduce the vulnerabilities in the files area.

UNIX operating systems

■ Users

Account configuration is the most vulnerable aspect of UNIX operating system security. The Account Integrity, Login Parameters, Password Strength, and User Files modules contain security checks that help reduce risks in this area.

■ Network

The ability of individual computers to communicate with other computers that are on the network multiplies the power of individual computers. Security consequently becomes a primary area of concern. Because of its high level of connectivity, UNIX is particularly vulnerable to remote attacks. The Discovery, Network Integrity, Object Integrity, OS Patches, Startup Files, System Auditing, System Mail, and System Queues modules include security checks that help reduce risks in the network area.

■ Files

The UNIX file system has built-in security features and utilities that can enhance security. The File Access, File Attributes, File Find, and File Watch modules have security checks that help identify security risks in the files area.

OS/400 operating systems

■ Users

The Account Integrity, Login Parameters, and Password Strength modules contain security checks that help reduce security risks in the user accounts area.

■ Network

The Backup Integrity, Device Integrity, Network Integrity, OS Patches, Startup Files, System Queues, SysVal Control, SysVal Security, and SysVal Storage modules provide support in the network area.

■ Files

The File Access (Queries), File Attributes, and Program Find (Queries) modules check for changes in critical files. The security checks in these modules help reduce the vulnerabilities in the files area.

NetWare/NDS operating systems

■ Users

Logon scripts require careful and constant scrutiny to ensure NetWare/NDS operating system security. The Account Information, Account Integrity, Login Parameters, Password Strength, and User Files modules provide security checks that help reduce risks in this area.

■ Network

Securing NetWare/NDS operating systems requires certain precautions in the network area. The Network Integrity, Object Integrity, Startup Files, and System Auditing modules include security checks that help reduce risks in this area.

■ Files

The File Access, File Attributes, File Find, and File Information modules contain security checks that help reduce risks in the files area.

OpenVMS operating systems

■ Users

You should not give users more privileges and rights than necessary. The Account Integrity, Login Parameters, Password Strength, and User Files modules include security checks that help reduce risks in this area.

■ Network

The Network Integrity, Object Integrity, Startup Files, System Auditing, System Mail, and System Queues modules contain security checks that help reduce risks in the network area.

■ Files (Objects)

Critical directories and files have particular protection needs. This is especially true of files containing executable code or sensitive information. The File Access, File Attributes, and File Find modules provide security checks that help reduce risks in this area.

Applying the Symantec ESM default policies

Symantec ESM provides seven default policies. These policies include Dynamic Assessment, Phase 1, Phase 2, Phase 3: Relaxed, Phase 3: Cautious, Phase 3: Strict, and Queries. Use the default settings in these policies or change them to meet your security needs.

The Phase 1 policy consists of modules that check the most significant and potentially problematic security areas on any computer. Problems in these areas are important and easy to solve.

The Phase 2 policy includes the available Symantec ESM modules, but only the essential security checks in each module.

The Phase 3 default policy includes the following:

■ A relaxed version, which is identical to the Phase 2 default policy.

■ A cautious version, which contains additional checks.

■ A strict version, which includes even more security checks.

The Dynamic Assessment policy contains the executable code or scripts that users provide for the Integrated Command Engine module.

The Queries policy consists of modules that list information about users and accounts. It also identifies the computers on the network that are candidates to have Symantec ESM and Symantec Intruder Alert components installed.

Implementing security operations

Pilot Symantec ESM at one location before installing the product company-wide. If policy runs indicate a need to revise the design, make the necessary changes.

Piloting Symantec ESM at one location

A pilot program at one location lets you accomplish the following:

■ Develop or refine the company’s security policies.

■ Become familiar with Symantec ESM.

■ Convince company administrators to accept the Symantec ESM security process.

To pilot Symantec ESM at one location

1 Select the configuration of managers and agents for the pilot program.

2 Assess the available disk space on the computers where you plan to install Symantec ESM components, then supply the path of an available directory for each operating system.

3 Establish TCP/IP connectivity among the computers in a heterogeneous trial configuration.

4 Verify TCP/IP communications by sending a ping command to each agent computer from the manager computer and vice versa.

5 Locate a network CD-ROM drive. With this drive, determine the computer’s ability to distribute files using a file transfer program such as FTP.

Selecting the manager/agent configuration

To set up the pilot environment, create a miniature version of the larger environment where you intend Symantec ESM to run. Install it on three or four representative computers, and put it through its paces. The explanations, questions, and procedures that follow help you establish a reliable test environment and a successful pilot program for the site. Consider the following factors when selecting a manager computer:

■ The stability and robustness of the operating system

■ Whether the computer already functions as a network or group server

■ The operating system, memory, swap space, and free disk space of the host computer

■ The communication protocols that Symantec ESM uses for communications between managers and agents

A Symantec ESM manager can use several protocols when communicating with agents of different operating systems. For example, a manager that is running on a Windows operating system can use the TCP/IP protocol when communicating with agents that are running on Windows, UNIX, NetWare/NDS, and OpenVMS operating systems. The same manager can use the IPX/SPX protocol when communicating with agents that are running on Windows and NetWare/NDS operating systems.

Managers and agents can only communicate if their host computers use the same protocol. Table 1-2 lists the protocols and environments that Symantec ESM supports.

Table 1-2 Manager/agent communication protocols

| Communication protocol | Computing environment |
|---|---|
| TCP/IP | On a Symantec ESM manager that uses only the TCP/IP protocol, register Symantec ESM agents on computers running Windows, UNIX, NetWare/NDS, and OpenVMS operating systems that use the TCP/IP protocol. |
| IPX/SPX | On a Symantec ESM manager that uses only the IPX/SPX protocol, register Symantec ESM agents on computers running Windows and NetWare/NDS operating systems that use the SPX/IPX protocol. |
| TCP/IP and IPX/SPX | On a Symantec ESM manager that uses the TCP/IP and IPX/SPX protocol, register Symantec ESM agents on computers running Windows, UNIX, NetWare/NDS, and OpenVMS operating systems that use the TCP/IP protocol, and agents on computers running Windows and NetWare/NDS operating systems that use the SPX/IPX protocol. |

■ IPX/SPX Addresses

Any site that filters NetWare SAPs can create an IPXHOSTS.DAT file. This file is stored in the \SYMANTEC\ESM\CONFIG directory.

The format of the contents of the IPXHOSTS.DAT file is identical to that of a TCP/IP host file:

format: <address> <name>[<alternative name>...]

example: 12fb34da bigserver mainman theone

For servers that have NetWare/NDS operating systems, you do not have to specify the network node. It is always 1 in the IPX address. For example, use 12fb34da instead of 12fb34da:1 or 12fb34da:00000000001.

For Windows (NT, 2000, XP, and Server 2003) operating systems, you must specify the network node. For example, use 2fb34da:105900896301.

Use the .include command to include the contents of another IPXHOSTS.DAT file while reading the current file. This simplifies the maintenance of multiple IPXHOSTS.DAT files.

form: .include <filename>

example: .include SYS:\SHARED\IPXHOST.DAT

You can mix the .include command with other specific IPX entries, or it can be the sole content of the file.

■ IPX/SPX Ports

If you use IPX/SPX communications for NetWare or Windows agents, Symantec ESM installs the SPX_PORT.DAT file. Otherwise, Symantec ESM installs the SPX_PORT.ORG file. To enable IPX/SPX communications after installation, change the name of the SPX_PORT.ORG file to SPX_PORT.DAT.

The SPX_PORT.DAT file is located in the \SYMANTEC\ESM\CONFIG directory with the TCP_PORT.DAT file. The SPX_PORT.DAT file is exactly like the TCP_PORT.DAT file except that it contains port values for the NetWare/NDS agent and installation only. It does not contain port values for Symantec ESM agents that are running on UNIX and OpenVMS operating systems as they do not use the IPX/SPX protocol.

The SPX_PORT.DAT file specifies the SPX port and SAP numbers that the Symantec ESM network servers use. Novell has assigned these SPX port and SAP numbers to Symantec as part of the certification process.

The SPX port number that Symantec ESM managers use to listen for incoming connections, and that Symantec ESM consoles use when making connections to Symantec ESM managers, is 34918. If you enable the SAP option, Symantec ESM managers use SAP number 2320.

The SPX Port number that Symantec ESM agents use to listen for incoming connections is 34917. If you enable the SAP option, agents use SAP number 2321.

■ The communication protocols that Symantec ESM uses for communications between managers and consoles

Managers and consoles can only communicate if their host computers use the same protocol. Table 1-3 lists the protocols and environments that Symantec ESM supports.

Table 1-3 Manager/console communication protocols

| Communication protocol | Computing environment |
|---|---|
| TCP/IP | On a Symantec ESM manager that uses only the TCP/IP protocol, connect Symantec ESM consoles on computers running Windows operating systems that use the TCP/IP protocol. |
| SPX/IPX | On a Symantec ESM manager that uses only the SPX/IPX protocol, connect Symantec ESM consoles on computers running Windows operating systems that use the SPX/IPX protocol. |
| TCP/IP and IPX/SPX | On a Symantec ESM manager that uses the TCP/IP and IPX/SPX protocol, connect Symantec ESM consoles on computers running Windows operating systems that use the TCP/IP or SPX/IPX protocol. |
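The IPXHOSTS.DAT rules described under IPX/SPX Addresses (address, name and alternative names, optional node, .include) can be checked with a small parser before the file is deployed. This is an added example, not Symantec code; the sample files are constructed, file contents are passed in as a dictionary, and the `#` comment handling and the `windows_hosts` parameter are assumptions made for the example.

```python
"""Parse and sanity-check IPXHOSTS.DAT content held in memory."""
import re

# Network: up to 8 hex digits. Optional node after ':': up to 12 hex digits.
ADDRESS_RE = re.compile(r"^([0-9a-fA-F]{1,8})(?::([0-9a-fA-F]{1,12}))?$")


def _canon(hex_text):
    """Lower-case and drop leading zeros so 00000000001 and 1 compare equal."""
    return hex_text.lower().lstrip("0") or "0"


def parse_ipxhosts(filename, files, windows_hosts=(), _stack=()):
    """Return (entries, problems) for `filename`, following .include lines.

    files         -- {filename: text}, standing in for the files on disk
    windows_hosts -- names known to be Windows computers (hypothetical input);
                     the guide requires a network node for these
    """
    if filename not in files:
        return [], [f"{filename}: file not found"]
    windows = {h.lower() for h in windows_hosts}
    entries, problems = [], []
    for lineno, raw in enumerate(files[filename].splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: hosts-style comments
        if not line:
            continue
        where = f"{filename}:{lineno}"
        fields = line.split()
        if fields[0].lower() == ".include":
            if len(fields) != 2:
                problems.append(f"{where}: .include needs exactly one filename")
            elif fields[1] in _stack + (filename,):
                problems.append(f"{where}: .include cycle back to {fields[1]}")
            elif fields[1] not in files:
                problems.append(f"{where}: included file {fields[1]} not found")
            else:
                sub_entries, sub_problems = parse_ipxhosts(
                    fields[1], files, windows_hosts, _stack + (filename,))
                entries += sub_entries
                problems += sub_problems
            continue
        match = ADDRESS_RE.match(fields[0])
        if not match:
            problems.append(f"{where}: bad IPX address {fields[0]!r}")
            continue
        if len(fields) < 2:
            problems.append(f"{where}: address {fields[0]} has no name")
            continue
        names = [n.lower() for n in fields[1:]]
        node = match.group(2)
        if node is None and windows.intersection(names):
            host = sorted(windows.intersection(names))[0]
            problems.append(f"{where}: Windows host {host} needs a network node")
            continue
        entries.append({
            "network": _canon(match.group(1)),
            # An omitted node means 1, as the guide states for NetWare/NDS servers.
            "node": _canon(node) if node else "1",
            "names": names,
            "source": where,
        })
    return entries, problems


def name_conflicts(entries):
    """Return {name: [addresses]} for names bound to more than one address."""
    seen = {}
    for entry in entries:
        for name in entry["names"]:
            seen.setdefault(name, set()).add(f"{entry['network']}:{entry['node']}")
    return {n: sorted(a) for n, a in seen.items() if len(a) > 1}


# Constructed sample files, using the address forms shown in the guide.
FILES = {
    "IPXHOSTS.DAT": r"""
# constructed sample
12fb34da bigserver mainman theone
12fb34da:00000000001 backupsrv
2fb34da:105900896301 winconsole
12fb34da winagent
zz12 badhost
.include SYS:\SHARED\IPXHOST.DAT
""",
    r"SYS:\SHARED\IPXHOST.DAT": r"""
0a0b0c0d bigserver
.include IPXHOSTS.DAT
""",
}

if __name__ == "__main__":
    found, issues = parse_ipxhosts(
        "IPXHOSTS.DAT", FILES, windows_hosts={"winconsole", "winagent"})
    for issue in issues:
        print("PROBLEM", issue)
    print("CONFLICTS", name_conflicts(found))
```

File names are matched exactly as written in the .include line, so the dictionary keys must use the same spelling and case.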

Configuring the pilot environment

When establishing the pilot environment, consider the essential functions of each Symantec ESM component. Then select at least one computer for each component. Fill out a System Assessment Checklist for each computer. See “About system assessment checklists” on page 135.

Running the pilot program

After selecting the computers for the pilot program and completing the checklists, begin the pilot program by installing the Symantec ESM software.

To set up the pilot program

1 Install the Symantec ESM software on the selected computers. A typical installation includes:

■ Installing the Symantec ESM managers

■ Installing the Symantec ESM agents

■ Registering the Symantec ESM agents with the Symantec ESM managers

■ Installing the Symantec ESM utilities

■ Installing the Symantec ESM consoles

■ Connecting the Symantec ESM consoles to the Symantec ESM managers

2 Select a test policy (typically the Phase 1 policy).

3 Create a test domain.

4 Run the test policy on the test domain.

5 Create and review the report to determine the vulnerabilities in your test environment.

6 Change your security settings to make your computers conform with your security policy.

Rolling out Symantec ESM

After you successfully pilot Symantec ESM in a controlled environment, develop a roll-out plan for the entire network. Use this section as a guideline. Your company’s views on security, installation of client/server systems, and management philosophy should modify the plan.

Planning the architecture

The first step in planning the architecture is to determine where to install the Symantec ESM components.

■ Symantec ESM manager

Symantec ESM does not require a dedicated computer for the manager. However, for small installations that have only one manager, select a physically secure computer, that is, one kept in a room that you can lock. Do not select a development computer, because its root password is well known.

In larger companies, the Symantec ESM architecture becomes organization specific. Some companies have dedicated system administrators. Others have a staff whose sole responsibilities are security compliance and monitoring. When this is the case, administrators may have a Symantec ESM manager or a small group of computers for their own domains. When departments, projects, or other in-place organizational structures are assigned Symantec ESM domains, consider designating multiple managers in the organization.

■ Symantec ESM agent

Every computer that is on the network must have a Symantec ESM agent or a Symantec ESM agent that can run as a proxy. The agent receives instructions from the manager, performs the interrogation of the computer, encodes the exception information, and securely transmits the results to the manager for reporting.

■ Overlapping managers

In some instances, single agents, or groups of agents, report to multiple managers. This occurs when a global function, such as a corporate security group or corporate audit group, needs access across the corporation in addition to the access that local administrators have. Symantec ESM agents can register with more than one manager. This allows you to create complex associations between managers and agents.

■ Symantec ESM utilities

Choose secure locations for the Symantec ESM utilities. These utilities let you copy Symantec ESM policies between Symantec ESM managers, transfer security information from Symantec ESM managers to an external database, or produce a wide range of reports from the external database.

■ Symantec ESM console

Choose appropriate locations for the Symantec ESM consoles. You can install Symantec ESM consoles on supported Windows operating systems. Symantec ESM consoles can connect to multiple managers.

Planning the implementation

After you decide on the architecture, begin collecting data from the users who own the computers. Fill out a System Assessment Checklist for each computer. This ensures that you have the information that you need before the actual installation of the Symantec ESM software. See the checklist in the /docs directory on the installation CD-ROM.

Selecting a roll-out strategy

Use the implementation plan to develop the Symantec ESM roll-out plan. The roll-out plan is a time line that specifies the Symantec ESM installation on each computer. This roll-out plan can also detail the method of installation. When using UNIX, download files with FTP and run them, or use the remote install feature.

Start the roll-out plan with a small subset of the organization, such as a department or a single functional group. Implement the roll-out plan in manageable phases to cover the installation of the remaining departments or functional areas.

Installing the Symantec ESM managers

After you finish the roll-out plan, you can install the managers on the selected computers. The temporary licenses that ship with the product let you run the managers for 30 days. You must obtain permanent licenses within that time limit to continue using the managers.

Installing the Symantec ESM utilities

After you install the managers, you can install the utilities on selected computers.

Installing the Symantec ESM consoles

After you install the managers and utilities, you can install the consoles on the selected computers.

Installing the Symantec ESM agents

After you install the managers, utilities, and at least one console, you can install the agents on the supported computers in the network.

You can use the remote agent installation in Symantec ESM to speed up this process. The computer that runs the manager and the remote computer must both have the same kind of operating system, for example, Windows.

Creating a security policy

After you install the Symantec ESM managers, agents, and consoles, use the default policies that install with Symantec ESM or create new policies.

■ For organizations that already have security policies in place, add the proper modules to a new policy, then access each of the Symantec ESM modules, and enable or disable the appropriate checks.

■ For organizations without formal security policies, use the default policies that install with Symantec ESM. Start with the Phase 1 policy. This policy checks the most significant security settings on computers and helps you secure the most problematic areas first.

Running the security policy

Select the computers where you want to run the policy. For example, you may have twenty agent computers that you register with a manager. Create separate domains for the agents to reflect your organization’s needs. Each domain can contain a different mix of registered agents. Agents can belong to several domains. Run the policy on some or all of the agents in a domain.

Interpreting the results

When Symantec ESM finishes running its security-compliance checks, obtain the results from the console. The grid displays the messages from the security checks. At this point, if you are a system administrator, determine the impact of each issue. If the risk outweighs the benefits, correct the situation.

If you are a security officer or an auditor, request reports that identify the noncompliant items. System administrators can use the information to correct the vulnerabilities.

Continuing the improvement

When you bring your network resources into compliance with the policy, you are ready to increase the security level and look more deeply into computer system compliance. Following the Symantec ESM phased approach, run the default Phase 2 policy, and then the appropriate Phase 3 policy.

After your computers achieve the required security level, continue to improve the security of your network resources. Use LiveUpdate regularly to apply the new security updates.


Chapter 2

Installing Symantec ESM managers and agents on Windows

This chapter includes the following topics:

■ Before you install

■ System requirements

■ Installing

■ Post-installation tasks

Before you install

Develop an implementation plan for rolling out Symantec ESM managers and agents on the computers in your network that have Windows operating systems. During the planning process, do the following:

■ Select the computers where you want to install Symantec ESM manager or agent software.

■ Obtain access to an account with administrator privileges on each selected computer.


Note: To use the Symantec ESM remote agent installation feature on computers with Windows operating systems, the account that you use to log on to the remote computer must have rights to log on as a service and to act as part of the operating system. If the account on the computer installing the agent does not have these rights, use the Administrative Tools in Windows to change the local security policy and grant the rights to the account.

■ Select the Symantec ESM managers where you want to register each Symantec ESM agent. For each manager, list the name of the host computer, the name and password of an account on the manager with privileges to register Symantec ESM agents, the communication protocol, and the port number.

■ Select a password for the ESM super-user account on each manager. The super-user account has all of the privileges in Symantec ESM. Choose a password with six or more characters including at least one nonalphabetical character. Manager account passwords can have up to eight characters.

■ Identify the 19-character temporary license key that Symantec ships with each manager. The key consists of four groups of four characters with separating hyphens. The temporary license lets you install and run the Symantec ESM manager software for 30 days.

You can obtain a permanent license from the license administrator at Symantec. You must provide the manager computer’s ID and the number of agents that you plan to register.

If you install a manager without a license key, Symantec ESM lets you register only one agent with the manager. You cannot schedule any policy runs.

■ If you plan to install Symantec ESM on a backup domain controller, set up a Symantec ESM local group on the primary domain controller (PDC). This group contains the administrator account, plus the names of any users who will run Symantec ESM.

System requirements

Computers that have Windows operating systems must meet these minimum requirements to install and run Symantec ESM software.


Operating requirements

The computers must meet the following minimum hardware requirements:

■ Intel compatible P120 or equivalent CPU

■ 128 MB RAM

■ 50 MB of free disk space

The computers that install Symantec ESM managers must have the following operating systems and service packs:

■ Windows server 2003

■ Windows 2000 professional, server, or advanced server with service pack 1.0 or higher

■ Windows NT 4.0 server and workstation with service pack 5.0 or higher

The computers that install Symantec ESM agents must have the following operating systems and service packs:

■ Windows server 2003

■ Windows XP professional

■ Windows 2000 professional, server, or advanced server with service pack 1.0 or higher

■ Windows NT 4.0 server and workstation with service pack 5.0 or higher

Policy run disk space

These requirements do not include the disk space that Symantec ESM managers use to store policy run data. Disk space requirements for policy run data vary according to the number of agents in the policy runs and the number of reports that you retain on the computer.

You can estimate the additional disk space requirement by performing the following policy run disk space calculation:

Policy run disk space = P*A*M*4 kilobytes

Where:

■ P is the number of policy runs that you store on the manager

■ A is the number of agents in the largest domain

■ M is the number of modules in the largest policy


For example, a manager with database purge values set to retain 30 policy runs, 400 agents in its largest domain, and 15 modules in its largest policy should have at least 720 MB of free disk space for policy runs. This requirement is in addition to the disk space that you must provide to install Symantec ESM on the computer.

Note: Symantec ESM managers that register a large number of agents should have several gigabytes of free disk space to store policy run data.

CPU utilization

Symantec ESM agents and modules run at idle priority. This means that the operating system gives them CPU time only when other threads and processes are waiting for I/O.

When Symantec ESM processes are running, the CPU can easily go to 100 percent utilization. This means that Symantec ESM processes are using the available, extra CPU cycles.

Symantec ESM processes do not take CPU resources from other processes. Higher priority processes can still get the CPU resources that they need.

Scalability parameters

Symantec conducted scalability tests using 10baseT networks to establish the scalability parameters for Symantec ESM. The tests included:

■ Symantec ESM base scalability testing

This testing determined the minimum computer configuration, the maximum number of agents to register with a manager, and the maximum number of agents to include in a policy run. See Table 2-1, “Symantec ESM manager scalability,” on page 35.

■ Symantec ESM and Intruder Alert combined scalability testing

This testing confirmed that Symantec ESM and Symantec Intruder Alert managers could run on the same computer and support the specified number of agents. See Table 2-2, “Symantec ESM/Intruder Alert manager/agent scalability,” on page 35.


A Symantec ESM manager can scale to the indicated number of agents if its host computer has the RAM and free disk space in Table 2-1.

Note: You can estimate the additional free disk space that the Symantec ESM manager requires to store policy run data. See “CPU utilization” on page 34.

A Symantec ESM manager and Symantec Intruder Alert manager can run on the same computer. These managers can scale to the indicated number of agents per policy run and Intruder Alert applied policy if the host computer has the RAM and free disk space in Table 2-2.

Installing

You can install Symantec ESM managers and agents on computers that have supported Windows operating systems. Symantec ESM installation tasks include:

■ Installing Symantec ESM on a local computer

■ Silently installing Symantec ESM on a local computer

■ Installing a Symantec ESM agent on a remote computer

Table 2-1 Symantec ESM manager scalability

| RAM | Free disk space | Maximum number of registered agents | Number of agents per policy run |
| --- | --- | --- | --- |
| 128 MB | 200 MB | Symantec ESM: 2,000 | Symantec ESM: 400 |

Table 2-2 Symantec ESM/Intruder Alert manager/agent scalability

| RAM | Free disk space | Registered agents | Number of agents |
| --- | --- | --- | --- |
| 128 MB | 200 MB | Symantec ESM: 2,000 | Symantec ESM: 400 per policy run; Intruder Alert: 100 per applied policy |


Installing Symantec ESM on a local computer

This task is mandatory if your implementation plan requires the computer to function as a Symantec ESM manager or agent. The installation process consists of extracting the Symantec ESM files from the CD-ROM, running the installation program, and registering the Symantec ESM agents with their managers.

■ If the roll-out plan includes Symantec ESM managers that run on Windows operating systems, you must perform this task to install the managers. You can use the Symantec ESM console and the managers to install Symantec ESM agents on remote computers that have Windows operating systems. See “Installing a Symantec ESM agent on a remote computer” on page 42.

■ If the plan limits Symantec ESM managers to computers that run on UNIX operating systems, you must perform this task to install Symantec ESM agents on computers that have Windows operating systems.

Symantec distributes Symantec ESM software on an ISO 9660 (High Sierra Format) CD-ROM disk. To access this software, at least one computer with a Windows operating system must have access to a CD-ROM drive.

Symantec locates the programs for each product on the CD-ROM according to the following two directory structures:

■ \vendor\os\architecture\product

■ \vendor\os\architecture\util

Where:

■ vendor is the name of the operating system vendor; for example, microsoft

■ os is the operating system name; for example, winnt

■ architecture is the CPU type; for example, intel

■ product is the product name that Symantec abbreviates to three characters plus the product version; for example, esm60

■ util contains any additional files that are necessary or useful to the installation or registration process

Symantec provides the software files in ordinary format for computers that have Windows operating systems.

To install Symantec ESM on a local computer

The installation process includes the following steps:

■ Starting the Symantec ESM installer

■ Selecting the type of installation

■ Performing the installation


To start the Symantec ESM installer

1 On a computer with a Windows operating system, log on as administrator or administrator-equivalent.

2 Do one of the following:

■ To use the autorun feature, insert the Symantec ESM CD-ROM in the computer’s CD-ROM drive.

In the Overview dialog box, click Next.

In the next dialog box, check the ESM Manager/Agent Install check box. Uncheck the other check boxes if you want to prevent the Symantec ESM console or the Symantec ESM utilities from installing on the computer. Then click Next.

In the last dialog box, click Finish.

■ To manually start the Symantec ESM manager/agent installer, access the CD-ROM drive or the network installation directory if you copy the files to a hard disk. Change to the \microsft\winnt\intel\esm60 folder, and double-click setup.exe.

To select the type of installation

1 In the Welcome dialog box, click Next.

2 In the Software License Agreement dialog box, click Yes if you agree to the terms of the License Agreement.

3 In the Setup Type dialog box, do one of the following:

■ Click Full installation to perform a Symantec ESM manager and agent installation. See “To install or upgrade a Symantec ESM manager and agent” on this page.

■ Click Agent only to perform a Symantec ESM agent installation. See “To install or upgrade a Symantec ESM agent” on page 39.

■ Click Manager only to perform a Symantec ESM manager installation. See “To install or upgrade a Symantec ESM manager” on page 39.

To install or upgrade a Symantec ESM manager and agent

1 In the Choose Destination Location dialog box, do one of the following:

■ Click Next to install the files in the C:\Program Files\Symantec\ESM folder.

■ Click Browse to select another folder.

Do not choose the root folder. There are security issues if you select a volume that does not use the NTFS file system.


2 In the Select Program Folder dialog box, do one of the following:

■ Click Next to install the program icons in the default C:\Program Files\Symantec folder.

■ Scroll down the list to select another folder.

3 In the first Select Options dialog box, do one of the following:

■ Click Keep ESM folders in the personal area.

■ Click Keep ESM folders in the common area.

4 In the second Select Options dialog box, do the following:

■ Check the Allow installation to set license for ESM manager check box to install the manager license key.

■ Check the Allow installation to create ESM local group check box to set up the local Symantec ESM group on the primary domain controller.

5 In the Symantec ESM Account Password dialog box, type the password for the ESM super-user account.

6 In the Symantec ESM License Key dialog box, type the 19-character Symantec ESM license key and the maximum number of agents that can register with the manager.

Note: The Symantec ESM installer skips this step if you uncheck the Allow installation to set license for ESM manager check box in step 4.

7 In the Enable IPX/SPX Protocol dialog box, click Disable IPX/SPX if your network does not use the IPX/SPX communication protocol.

■ Symantec ESM always enables the TCP/IP protocol.

■ To enable the IPX/SPX protocol later, stop the Symantec ESM manager or agent services, rename the spx_port.org file to spx_port.dat in the \symantec\esm\config directory, and restart the Symantec ESM manager or agent services.

8 In the Register Agent dialog box, type the information that the Symantec ESM installer uses to register the agent. The installer displays the information for the installing manager. For each additional manager to which you want to register the agent, do the following:

■ Type the name of the Symantec ESM manager.

■ Type the name of a Symantec ESM user account with privileges on the manager to register the agent.

■ Type the password of the user account.


■ Select the TCP/IP communication protocol for all environments except IPX/SPX homogeneous networks.

■ Type the port number for the Symantec ESM manager. See Table A-1, “Symantec ESM communication ports,” on page 132.

Click the left arrow button to add the manager. The Symantec ESM installer prompts for the agent name. The manager uses the agent name to look up the IP address of the agent computer. This name can have up to 61 characters.

Note: Computers that run Symantec managers and agents must use the same communication protocol to register the agents.

9 In the LiveUpdate Options dialog box, do one of the following:

■ Click Disable to disable LiveUpdate on the agent.

■ Click Enable to enable the managers that register the agent to LiveUpdate the agent.

■ Click Selective to select the managers that can LiveUpdate the agent.

10 In the Setup Complete dialog box, click Finish.

To install or upgrade a Symantec ESM agent

◆ Perform the Symantec ESM agent installation. Agent installations include the steps in a manager and agent installation except steps 4 - 6. See “To install or upgrade a Symantec ESM manager and agent” on page 37.

To install or upgrade a Symantec ESM manager

◆ Perform the Symantec ESM manager installation. Manager installations include steps 1 - 7 of a full installation. See “To install or upgrade a Symantec ESM manager and agent” on page 37.

Silently installing Symantec ESM on a local computer

This task is optional. When you install Symantec ESM, the installer prompts for necessary information such as the type of installation or the name of a directory. If you use the same settings to install Symantec ESM on a large number of computers, you can avoid these prompts by performing silent installations. The silent installation feature lets you install Symantec ESM managers or agents, and register Symantec ESM agents to managers.

You cannot use the silent installation feature to install Symantec ESM agents on remote computers or to install consoles or utilities on local or remote computers.


Creating a response file

You must create a response file to use the silent installation feature. This file provides the necessary information to the Symantec ESM installer.

Note: Symantec ESM stores the manager password as plain text in the response file. To preserve system security, delete the response file from the computer immediately after installation. Do not use the silent installation feature if temporarily storing plain text passwords violates your security policy.

To create a response file

You can create a response file by running the Symantec ESM setup program interactively using the -r option. This method creates the setup.iss file in the %systemroot% directory (the environment variable %systemroot% points to this directory). You can also use a text editor to create a response file.

To create a response file using the -r method

1 On a computer with a Windows operating system, log on as administrator or administrator-equivalent.

2 At the system command prompt, change to the Symantec ESM CD-ROM.

3 Change to the microsft\winnt\intel\esm60 folder.

4 Type setup -r

5 Select the desired Symantec ESM installation option. See “To select the type of installation” on page 37.

6 Perform the selected Symantec ESM installation on the host computer. See “To install or upgrade a Symantec ESM manager and agent” on page 37.

To create a response file using the text editor method

1 Use a text editor to create the setup.iss response file. Table 2-3 lists the different types of response files. You can find these sample *.iss files in the \symantec\esm\setup\examples folder.

Table 2-3 Sample *.iss response files

| Response file | Description |
| --- | --- |
| agent.iss | This file contains the responses for a Symantec ESM agent installation. |
| manageronly.iss | This file contains the responses for a Symantec ESM manager installation. |
| register.iss | This file contains the responses to register a Symantec ESM agent to specific managers. |

2 Type the responses for the type of installation that you want to perform.

3 You must name the response file: setup.iss. The silent Symantec ESM installer cannot perform the installation if you use any other file name.

Performing a silent installation

You must perform a silent installation on a local computer.

To perform a silent installation

1 On a computer with a Windows operating system, log on as administrator or administrator-equivalent.

2 Copy the installation files from the Symantec ESM CD-ROM to a network installation folder or a local folder.

3 Copy the setup.iss response file to the folder that contains the setup.exe file. Symantec ESM installs the setup.exe program in the Symantec\ESM\setup folder by default.

4 At the system command prompt, change to the microsft\winnt\intel\esm60 folder.

5 Type setup -s

Checking the status of a silent installation

Silent installations do not display status information.

To check the status of a silent installation

1 On the computer that is performing the silent installation, open a text editor.

2 Change to the folder containing the setup.iss file.

3 Open the setup.log file.

4 In the [ResponseResult] section, find the line, ResultCode = x (x is a number).

■ If there is no ResultCode line, the silent installation is still running.

■ If ResultCode = 0, the installation completed successfully. Table 2-4 describes the ResultCodes.
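The status check above and the earlier instruction to delete the response file after installation can be handled by one script. The following Python is an added example, not part of the Symantec guide or product: it assumes that setup.log uses INI syntax (as the [ResponseResult] section suggests) and that setup.log and setup.iss are in the same folder, and its function names are hypothetical.

```python
import configparser
import tempfile
from pathlib import Path

# Result codes as listed in Table 2-4 of this guide.
RESULT_CODES = {
    0: "Success",
    -1: "General error",
    -3: "Required data not found in the SETUP.ISS file",
    -4: "Not enough memory is available",
    -5: "File does not exist",
    -6: "Cannot write to the response file",
    -9: "Not a valid list type (string or number)",
    -10: "Data type is invalid",
    -11: "Unknown error during setup",
    -12: "Dialogs are out of order",
}


def read_result_code(log_text):
    """Return the ResultCode in [ResponseResult] as an int, or None if absent."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        parser.read_string(log_text)
    except configparser.Error:
        return None  # half-written or malformed log: treat as "no result yet"
    raw = parser.get("ResponseResult", "ResultCode", fallback=None)
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def check_silent_install(folder):
    """Report the silent-install state; remove setup.iss once setup has ended.

    Returns (state, description, response_file_removed), where state is
    "running", "success" or "failed".
    """
    folder = Path(folder)
    log_file = folder / "setup.log"
    response_file = folder / "setup.iss"

    code = None
    if log_file.is_file():
        code = read_result_code(log_file.read_text(errors="replace"))
    if code is None:
        # No ResultCode line: per the guide the installation is still running,
        # so the installer may still need the response file.
        return ("running", "no ResultCode line in setup.log yet", False)

    # Setup has ended, successfully or not. The response file holds the
    # manager password in plain text, so it is deleted in both cases.
    removed = False
    if response_file.is_file():
        response_file.unlink()
        removed = True

    state = "success" if code == 0 else "failed"
    description = RESULT_CODES.get(
        code, f"ResultCode {code} is not listed in Table 2-4")
    return (state, description, removed)


if __name__ == "__main__":
    # Constructed sample files, not taken from a real installation.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp)
        (sample / "setup.iss").write_text("[constructed response file]\n")
        (sample / "setup.log").write_text("[ResponseResult]\nResultCode=-3\n")
        print(check_silent_install(sample))
```

Run it repeatedly (for example from a scheduled task) until the state is no longer "running"; a response file created with setup -r is in %systemroot% and needs the same cleanup.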

Installing a Symantec ESM agent on a remote computer

This task is optional. If you administer Symantec ESM on a large network, you can use the remote installation option in the Symantec ESM console to minimize your time and effort. The manager computer and the remote computer that installs the agent software must have Windows operating systems.

Note: Because of enhanced security, you cannot use the Remote Agent Installation wizard in the Symantec ESM console to install Symantec ESM agents on remote computers that have Windows NT operating systems.

You can use the Discovery module in the Symantec ESM console to search the TCP/IP ports that are on the network. The Discovery module attempts to identify any computers and Symantec ESM components that it finds.

The grid in the Symantec ESM console lists the names and types of computers that the module finds, indicating which computers are candidates for Symantec ESM or Intruder Alert agent installations.

Table 2-4 Setup.log file result codes

| ResultCode | Description |
| --- | --- |
| 0 | Success |
| -1 | General error |
| -3 | Required data not found in the SETUP.ISS file |
| -4 | Not enough memory is available |
| -5 | File does not exist |
| -6 | Cannot write to the response file |
| -9 | Not a valid list type (string or number) |
| -10 | Data type is invalid |
| -11 | Unknown error during setup |
| -12 | Dialogs are out of order |


After you set the remote-installation process in motion, Symantec ESM quickly does the following:

■ The Symantec ESM manager creates a remote installation share.

■ The Symantec ESM console copies the update service files to the remote installation share on the manager computer.

■ The Symantec ESM console directs the manager to contact and verify the remote computer.

■ The Symantec ESM manager copies a remote installation service to the remote computer and starts the service.

■ The remote installation service searches for volumes with sufficient space to accommodate the product files and requests that you specify a destination location for them.

■ The Symantec ESM manager creates a Symantec ESM folder on the remote computer and copies the update service files to the folder.

■ The Symantec ESM manager directs the remote computer to run the agent installation program and register the agent to the manager.

■ After the installation finishes, the Symantec ESM console directs the manager to shut down the remote installation service on the agent, delete the update files, and remove the remote installation share.

To use the Symantec ESM console remote installation option

The remote installation process includes the following steps:

■ Identifying Symantec ESM agent candidate computers

■ Accessing the Remote Agent Installation wizard

■ Using the Remote Agent Installation wizard

To identify Symantec ESM candidate computers

1 Connect the Symantec ESM console to a Symantec ESM manager on a computer that has a Windows operating system. Use an account on the manager with rights to modify all domains, policies, and templates.

2 In the Queries policy, drag the Discovery module and drop it on any agent in any domain.

3 After the module finishes, click the policy run in the summary branch to view the results.


To access the Remote Agent Installation wizard

1 Do one of the following:

■ Right-click a Symantec ESM candidate computer in the grid.

■ Right-click the Symantec ESM manager that will register the agent.

2 Click Remote Install.

To use the Remote Agent Installation wizard

1 In the Remote Host dialog box, type the name of the remote host computer.

2 In the Remote Privileged Account dialog box, type the user name, password, and domain of an account on the manager with rights to install Symantec ESM agent software on the remote computer.

Note: To use the Symantec ESM remote agent installation feature on computers with Windows operating systems, the account that you use to log on to the remote computer must have rights to log on as a service and to act as part of the operating system. If the account on the computer installing the agent does not have these rights, use the Administrative Tools in Windows to change the local security policy and grant the rights to the account.

3 In the Installation CD Drive dialog box, select the CD-ROM drive.

4 In the Connection Method dialog box, do one of the following:

■ Click TCP/IP if your network uses the TCP/IP protocol.

■ Click IPX if your network uses the IPX/SPX protocol.

5 In the Remote Progress dialog box, click Finish.

6 In the Remote Installation Directories dialog box, specify the directory on the remote computer where you want to install the Symantec ESM files.

7 In the Remote Progress dialog box, click Close.

Post-installation tasks

Symantec ESM post-installation tasks include:

■ Registering a Symantec ESM agent on a local computer

■ Reregistering Symantec ESM agents to a manager

■ Changing LiveUpdate on a local computer

■ Upgrading an older version of Symantec ESM


■ Changing a Symantec ESM agent port

■ Uninstalling Symantec ESM from a local computer

Registering a Symantec ESM agent on a local computer

This task is optional. Registering a Symantec ESM agent with a manager establishes secured communications between the agent and manager. Each agent must register to at least one manager.

Do not use more than one agent name to register a Symantec ESM agent to a manager. Symantec ESM reports an error when you try to run policies on the agent.

Do not register the Symantec ESM agent to an earlier version of a manager. This causes database errors on the manager. Instead, upgrade the managers that are on the network to the latest Symantec ESM version before registering the agent.

The manager must be running to register the agent. If the manager is not running, you can restart the manager and use the Register agent option in the Symantec ESM installer to register the agent.

On networks that use IPX/SPX communications, Symantec ESM agents cannot register with managers if the host computers are not running the IPX/SPX communication protocol.

Symantec ESM agents that register before a manager upgrade will continue to function with the manager after the upgrade. However, you must upgrade these agents to use the new functions and features.

To run the registration program

1 On a computer with a Windows operating system that is running a Symantec ESM agent, log on as administrator or administrator-equivalent.

2 On the task bar, click Start > Programs > Symantec > ESM > ESM setup.

3 In the Welcome dialog box, click Next.

4 In the Software License Agreement dialog box, click Yes if you agree to the terms of the License Agreement.

5 In the Setup type dialog box, click Register Agent.

6 In the Register Agent dialog box, do the following:

■ Type the name of the Symantec ESM manager.

■ Type the name of a Symantec ESM user account with privileges on the manager to register the agent.

■ Type the password of the user account.


■ Select the TCP/IP communication protocol for all environments except IPX/SPX homogeneous networks.

■ Type the port number for the Symantec ESM manager. See Table A-1, “Symantec ESM communication ports,” on page 132.

Click the left arrow button to add the manager. The Symantec ESM installer prompts for the agent name. This name can have up to 61 characters.

After you type the information for the last manager, the agent attempts to register with each manager in the list.

7 In the Setup Complete dialog box, click Finish.

Reregistering Symantec ESM agents to a manager

This task is optional. Symantec ESM lets you reregister agents with a manager that has recovered from a problem such as a host computer failure. Symantec ESM reregistration tasks include:

■ Exporting the Symantec ESM reregistration agent list

■ Configuring Symantec ESM agents for remote reregistration

■ Reregistering the Symantec ESM agents

Exporting the Symantec ESM reregistration agent list

You must create and export a property file to use the Symantec ESM agent reregistration feature. The property file provides necessary information to the Symantec ESM manager during the reregistration process.

Use the Symantec ESM console to create the property file. The file lists the manager, the registered agents, the ports, and the communication protocols. The property file is a plain text, tab delimited file. For security purposes, store the file in a safe location.

The property file has the following format:

manager_name<tab>manager_port
agent_1_name<tab>agent_1_port<tab>agent_1_protocol

For example:

Manager1 5600
Agent1 5601 8
Agent2 5601 8
.
Agent2000 5601 8

The first line in the file must contain the name of the manager and its port. The information for each agent must follow on a separate line.
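Because this file drives which agents a manager reregisters, it is worth validating before use, especially after editing it by hand. The following Python parser is an added example, not part of the Symantec guide or product: the function and class names are hypothetical, the protocol field is kept as an opaque string because this guide does not list its values, and the duplicate-name check is an added assumption.

```python
from dataclasses import dataclass, field

MAX_AGENT_NAME = 61  # the guide: an agent name can have up to 61 characters


@dataclass
class AgentList:
    manager: str = ""
    manager_port: int = 0
    agents: list = field(default_factory=list)  # (name, port, protocol) tuples
    errors: list = field(default_factory=list)  # "line N: problem" strings


def _port(text):
    """Return text as a 16-bit port number, or None if it is not 1-65535."""
    if text.isascii() and text.isdigit() and 1 <= int(text) <= 65535:
        return int(text)
    return None


def parse_agent_list(text):
    """Parse and validate an exported agent list (hypothetical helper)."""
    result = AgentList()
    # splitlines() accepts CRLF line endings; blank lines are skipped
    # but the original line numbers are kept for the error messages.
    rows = [(n, ln) for n, ln in enumerate(text.splitlines(), 1) if ln.strip()]
    if not rows:
        result.errors.append("file is empty")
        return result

    # First line: manager_name<tab>manager_port
    n, line = rows[0]
    fields = [f.strip() for f in line.split("\t")]
    if len(fields) == 2 and fields[0] and _port(fields[1]) is not None:
        result.manager, result.manager_port = fields[0], _port(fields[1])
    else:
        result.errors.append(f"line {n}: expected manager_name<tab>manager_port")

    # Remaining lines: agent_name<tab>agent_port<tab>agent_protocol
    seen = set()
    for n, line in rows[1:]:
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) != 3:
            result.errors.append(
                f"line {n}: expected 3 tab-separated fields, found {len(fields)}")
            continue
        name, port_text, protocol = fields
        port = _port(port_text)
        if not name or len(name) > MAX_AGENT_NAME:
            result.errors.append(f"line {n}: agent name must have 1-61 characters")
        elif port is None:
            result.errors.append(f"line {n}: bad port {port_text!r}")
        elif not protocol:
            result.errors.append(f"line {n}: missing protocol")
        elif name.lower() in seen:
            # Added check (assumption): names are compared case-insensitively.
            result.errors.append(f"line {n}: agent {name!r} listed more than once")
        else:
            seen.add(name.lower())
            result.agents.append((name, port, protocol))
    return result


# Constructed sample: line 3 uses spaces instead of tabs, line 4 has an
# out-of-range port, and line 5 repeats an agent name.
SAMPLE = ("Manager1\t5600\r\n"
          "Agent1\t5601\t8\r\n"
          "Agent2 5601 8\r\n"
          "Agent3\t56010000\t8\r\n"
          "agent1\t5601\t8\r\n")

if __name__ == "__main__":
    parsed = parse_agent_list(SAMPLE)
    print(parsed.manager, parsed.manager_port, parsed.agents)
    for problem in parsed.errors:
        print(problem)
```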


To export the Symantec ESM agent list

1 On a computer with a Windows operating system that is running a Symantec ESM console, in the enterprise tree, right-click the appropriate manager.

2 Select Export Agent List.

3 In the Save Agent List dialog box, do the following:

■ Type the name of the agent list file.

■ Select a folder location to save the file.

■ Click Save.

4 Click OK.

Configuring Symantec ESM agents for remote reregistration

Before you can reregister Symantec ESM agents to a manager, you must configure the agents to accept reregistration commands from the manager. You must do this just before starting the reregistration process. To minimize the risk to network security, you can specify the amount of time, in minutes, that the agent can accept reregistration requests. By default, the manager has 180 minutes to reregister the agent. Use the -h option to display information about the reregistration command. Use the -t option to change the time limit. For example, -t 60 stops the agent from accepting reregistration requests after 60 minutes.

To configure Symantec ESM agents for remote reregistration

1 On a computer with a Windows operating system that is running a Symantec ESM agent, log on as administrator or administrator-equivalent.

2 Insert the Symantec ESM 6.0 CD-ROM in the computer’s CD-ROM drive.

3 Copy the rereg.exe program from the microsft\winnt\intel\util folder on the CD-ROM to the \Program Files\Symantec\ESM\bin\<operating system> folder.

4 Do one of the following:

■ Type rereg.exe at the command line prompt to use the 180 minute default time limit.

■ Type rereg.exe -t (x), where x is the time limit in minutes.

Reregistering the Symantec ESM agents

Use the Symantec ESM console to start the agent reregistration process.


To reregister Symantec ESM agents

1 On a computer with a Windows operating system that is running a Symantec ESM console, in the enterprise tree, right-click the appropriate manager.

2 Select Register Agents to Manager.

3 Do the following:

■ Type the user name and password of an account on the manager with rights to modify all domains, policies, and templates.

■ Click Browse to find the agent list that applies to the manager.

4 Click Finish to start the remote reregistration process.

5 Click Done after the remote reregistration process finishes.

Changing LiveUpdate on a local computer

This task is optional. Symantec ESM uses LiveUpdate technology to upgrade Symantec ESM agent software and install new security updates.

To change LiveUpdate for a Symantec ESM agent on a local computer

1 On a computer with a Windows operating system that is running a Symantec ESM agent, log on as administrator or administrator-equivalent.

2 On the task bar, click Start > Programs > Symantec > ESM > ESM setup.

3 In the Welcome dialog box, click Next.

4 In the Software License Agreement dialog box, click Yes if you agree to the terms of the License Agreement.

5 In the Setup type dialog box, click LiveUpdate.

6 In the LiveUpdate Options dialog box, do one of the following:

■ Click Disable to disable LiveUpdate on the agent.

■ Click Enable to enable the managers that register the agent to LiveUpdate the agent.

■ Click Selective to select the managers that can LiveUpdate the agent.

7 In the Setup Complete dialog box, click Finish.

Upgrading an older version of Symantec ESM

This task is optional. To use the new functions in this release, upgrade the Symantec ESM software. Upgrading Symantec ESM includes:

■ Installing the current version of Symantec ESM software on computers running Symantec ESM managers.

■ Installing the current version of Symantec ESM software on computers running Symantec ESM consoles.

■ Running LiveUpdate on a Symantec ESM console that you connect to the upgraded Symantec ESM managers that are on the network. This process ensures that the managers have the latest Symantec ESM security update or agent software.

■ Using the Symantec ESM console to make the Symantec ESM agents updatable from at least one Symantec ESM manager. Then use the Symantec ESM console to start the agent update process.

■ When the agent update process finishes, start the security update process. Use the Symantec ESM console to edit the security checks, templates, and name lists in the latest security update to conform with company policy. Then run the Symantec ESM policy on a manager domain to update the updatable agents in the domain. If you run the policy on the All agents domain, the manager can update its updatable agents.

Backward compatibility

Symantec ESM 6.0 managers are backward compatible with Symantec ESM 5.5 agents. Symantec ESM agents that you register to a manager prior to an upgrade continue to function with the manager after the upgrade. Symantec does not support any other backward compatibility.

Symantec ESM encrypts all internal communication between managers and agents. The Symantec ESM 6.0 manager has the ability to adjust its encryption level to support the encryption level of the agent. Therefore, communication between a Symantec ESM 5.5 agent and a Symantec ESM 6.0 manager uses the encryption method of the Symantec ESM 5.5 agent.

Preserving user data

Symantec ESM preserves user-customized data while upgrading from an older version of Symantec ESM to a newer version. This data includes user modifications to policies, domains, templates, suppressions, and customized messages from the .m files.

Symantec ESM does not preserve .fmt files because they are obsolete.

During the upgrade process:

■ Symantec ESM preserves any unexpired suppressions of security report items.

■ Symantec ESM stores template data in the \esm\template directory. During an upgrade, Symantec ESM preserves any modifications to the template files while it merges the new template information in the upgrade.

■ Symantec ESM saves any changes that customize the policy database. These changes include the security checks that you enable in the security modules, as well as any changes to the name lists.

■ Symantec ESM preserves any changes to the message database that result from changes to the .m files, if the customized value of the modified messages is set to “1” in the .m files.

Customized protection applies only to messages in the .m files. Security option information such as the names of the security checks and the online help have neither a customized flag nor the same protection.

■ Symantec ESM overwrites the .m files. This does not affect any customized messages because the message database protects them. However, you lose the source of the customized messages.

Save the modified .m files in a backup directory. After a successful upgrade, do not replace the .m files in the upgrade with the modified .m files. This causes errors. Instead, manually change the messages in the upgraded .m files using the procedures in the Symantec ESM Security Update User’s Guides for the Windows, UNIX, or NetWare/NDS operating systems. Download the latest version at http://securityresponse.symantec.com/.

■ Symantec ESM preserves any changes that customize the Domains database. This includes all agent registrations to the manager and agent domains that you create on the manager.

Symantec ESM agents continue to belong to a minimum of two domains: the All agents domain and the domain of the agent operating system. For example, a Symantec ESM agent on a computer that has a Windows 2000 operating system belongs to both the All agents domain and the Windows 2000 agents domain.

■ Symantec ESM ports existing summary database information to the new sumfinal database on the manager.

■ Symantec ESM converts the access records in the manager access database. Use the Symantec ESM console to add, modify, or delete the access rights of all Symantec ESM manager accounts except the Symantec ESM super-user account.

■ Symantec ESM replaces the registered manager information in the agent’s \esm\config\manager.dat file. Agents register only with the manager that initiates the upgrade. You must register each agent to any other managers.

■ Symantec ESM overwrites the other files in the \esm\config directory. Users must customize the new files.

Upgrading Symantec ESM agents

Symantec uses LiveUpdate technology instead of tune-up packs or tune-up patches to upgrade Symantec ESM agent software or install new security updates. Symantec ESM managers that run on Windows or UNIX operating systems can upgrade version 5.5 agents that run on Windows operating systems.

To upgrade Symantec ESM agents

1 Connect a Symantec ESM console to the Symantec ESM managers with registered agents that you want to upgrade. Use an account with rights to modify all domains, policies, and templates.

2 Right-click the All agents domain and then click Change update properties.

■ Select agents in the Non-updatable column that you intend to upgrade and click the right arrow to make them updatable.

■ Select agents in the Updatable column that you do not want to upgrade and click the left arrow to make them non-updatable.

3 Click LiveUpdate on the tool bar to run the LiveUpdate wizard. The wizard can use the Internet, a CD-ROM, or network drive to get the latest updates.

4 In the Welcome dialog box, click Next.

5 Click Next to download the updates to the Symantec ESM console.

6 Select the managers that you want to update.

■ If the update includes an agent software upgrade, you must perform the upgrade manually from the Symantec ESM console. See the Symantec ESM 6.0 User’s Manual. To upgrade the updatable agents in the domain, right-click a domain and then click Remote upgrade. To upgrade a specific updatable agent, right-click the agent and then click Remote upgrade.

You must manually reregister each agent to its former managers except the manager that is performing the upgrade.

■ If the update includes a Symantec ESM security update, the managers transfer the new modules to the agent during the next policy run.

Changing a Symantec ESM agent port

This task is optional. Symantec ESM uses specific ports. See Table A-1, “Symantec ESM communication ports,” on page 132.

To change a Symantec ESM agent port

1 Do the following to stop the Symantec ESM agent:

■ Double-click Services in the Windows control panel.

■ Click Enterprise security agent.

■ Click the Stop button.

2 Do one of the following:

■ If the agent uses the TCP communications protocol, access the \esm\config\tcp_port.dat file and change the agent port number to the desired port number.

■ If the agent uses the SPX communications protocol, access the \esm\config\ipx_port.dat file and change the agent port number to the desired port number.

3 Do the following to start the Symantec ESM agent:

■ Double-click Services in the Windows control panel.

■ Click Enterprise security agent.

■ Click the Start button.

4 Reregister the agent with the manager. See “Registering a Symantec ESM agent on a local computer” on page 45.

Uninstalling Symantec ESM from a local computer

This task is optional. On computers that have Windows operating systems, use Add/Remove Programs in the Control Panel to remove everything under the Symantec ESM directory. It removes any files, reports, executable code, and services that Symantec ESM creates during installation. It also removes the Symantec ESM icons from the program menu.

Before you remove Symantec ESM, make sure that you are not using the Symantec ESM directory or any of its subdirectories. If you are using a Symantec ESM directory or subdirectory, the uninstall program reports an error message and does not remove that directory.

Note: Unpredictable results can occur if you uninstall a Symantec ESM agent during a policy run that includes the agent.

To uninstall Symantec ESM from a local computer

1 Log on to the host computer as administrator or administrator-equivalent.

2 Click Start > Settings > Control Panel.

3 Double-click Add/Remove Programs.

4 Select Symantec ESM 6.0 from the list.

5 Click Change/Remove.

6 Click Yes.

Chapter 3

Installing Symantec ESM managers and agents on UNIX

This chapter includes the following topics:

■ Before you install

■ System requirements

■ Installing

■ Post-installation tasks

Before you install

Develop an implementation plan for rolling out Symantec ESM managers and agents on the computers in your network that have UNIX operating systems. During the planning process, do the following:

■ Select the computers where you want to install Symantec ESM manager and agent software.

■ Obtain access to an account with root privileges on each selected computer.

■ Select the Symantec ESM managers where you want to register each Symantec ESM agent. For each manager, list the name of the host computer, the name and password of an account on the manager with privileges to register Symantec ESM agents, the communication protocol, and the port number.

■ Select a password for the Symantec ESM super-user account on each manager. The super-user account has all of the privileges in Symantec ESM. Choose a password with six or more characters including at least one nonalphabetical character. Manager account passwords can have up to eight characters.

■ Identify the 19-character temporary license key that Symantec ships with each manager. The key consists of four groups of four characters with separating hyphens. The temporary license lets you install and run the Symantec ESM manager software for 30 days.

You can obtain a permanent license from the license administrator at Symantec. You must provide the manager computer’s ID and the number of agents that you plan to register.

If you install a manager without a license key, Symantec ESM lets you register only one agent with the manager. You cannot schedule any policy runs.

System requirements

Computers that have UNIX operating systems must meet these minimum requirements to install and run Symantec ESM software.

Operating requirements

The computers must meet the minimum hardware requirements in Table 3-1.

The computers must meet the minimum free disk space requirements in Table 3-2.

Table 3-1 Minimum CPU, RAM, and swap computer resources

| Description | Manager and agent | Agent only |
| --- | --- | --- |
| CPU | 276 MHz | 276 MHz |
| RAM | 128 MB | 64 MB |
| Swap | 256 MB | 128 MB |

Table 3-2 Free disk space computer resources

| Operating system | Manager and agent | Agent only |
| --- | --- | --- |
| AIX | 82 MB | 62 MB |
| HP-UX | 58 MB | 42 MB |
| Red Hat Linux | Not supported | 17 MB |
| SGI Irix | Not supported | 38 MB |
| Solaris | 52 MB | 40 MB |
| Tru64/OSF1 | Not supported | 46 MB |

The computers that install Symantec ESM managers must have the operating system versions in Table 3-3.

The computers that install Symantec ESM agents must have the operating system versions in Table 3-4.

The computers that install Symantec ESM managers or agents must have the latest operating system patches.

Table 3-3 Symantec ESM manager operating system versions

| Platforms | Versions |
| --- | --- |
| AIX | 4.3.1, 4.3.3, 5.1, and 5.2 |
| HP-UX | 10.20, 11, 11i |
| Solaris | 2.5.1, 2.6, 2.7, 2.8, 2.9 |

Table 3-4 Symantec ESM agent operating system versions

| Platforms | Versions |
| --- | --- |
| AIX | 4.3.1, 4.3.3, 5.1, and 5.2 |
| HP-UX | 10.20, 11, 11i |
| Red Hat Linux | 7.1, 7.2, 7.3 |
| SGI Irix | 6.3 |
| Solaris | 2.5.1, 2.6, 2.7, 2.8, 2.9 |
| Tru64/OSF1 | 4.0, 5.1 |

Policy run disk space

These requirements do not include the disk space that Symantec ESM managers use to store policy run data. You can estimate the additional disk space requirement by performing a policy run disk space calculation. See “Policy run disk space” on page 33.

CPU utilization

Symantec ESM agents and modules run at idle priority. This means that the operating system gives them CPU time only when other threads and processes are waiting for I/O. See “CPU utilization” on page 34.

Scalability parameters

Symantec conducted scalability tests using 10baseT networks to establish the scalability parameters for Symantec ESM. See “Scalability parameters” on page 34.

A Symantec ESM manager can scale to the indicated number of agents if its host computer has the RAM, swap space, and free disk space in Table 3-5.

You can estimate the additional free disk space that the Symantec ESM manager requires to store policy run data. See “Policy run disk space” on page 33.

A Symantec ESM manager and Symantec Intruder Alert manager can run on the same computer. These managers can scale to the indicated number of agents per policy run and Intruder Alert applied policy if the host computer has the RAM, swap space, and free disk space in Table 3-6.

Table 3-5 Symantec ESM manager scalability

| RAM | Swap space | Free disk space | Registered agents | Number of agents |
| --- | --- | --- | --- | --- |
| 128 MB | 256 MB | 50 MB | Symantec ESM: 2,000 | Symantec ESM: 400 per policy run |

Table 3-6 Symantec ESM/Intruder Alert manager/agent scalability

| RAM | Swap space | Free disk space | Registered agents | Number of agents |
| --- | --- | --- | --- | --- |
| 128 MB | 256 MB | 50 MB | Symantec ESM: 2,000 | Symantec ESM: 400 per policy run; Symantec Intruder Alert: 100 per applied policy |

Installing

You can install Symantec ESM managers and agents on computers that have supported UNIX operating systems. Symantec ESM installation tasks include:

■ Installing Symantec ESM on a local computer

■ Using the command line options to install Symantec ESM

■ Installing Symantec ESM using Solaris PKGADD

■ Installing a Symantec ESM agent on a remote computer

Installing Symantec ESM on a local computer

This task is mandatory if your implementation plan requires the computer to function as a Symantec ESM manager or agent. The installation process consists of extracting the Symantec ESM files from the CD-ROM, running the installation program, and registering the Symantec ESM agents with their managers.

■ If the roll-out plan includes Symantec ESM managers that run on UNIX operating systems, you must perform this task to install the managers. You can use the Symantec ESM console and the managers to install Symantec ESM agents on remote computers that have UNIX operating systems. See “Installing a Symantec ESM agent on a remote computer” on page 68.

■ If the plan limits Symantec ESM managers to computers that run on Windows operating systems, you must perform this task to install Symantec ESM agents on computers that have UNIX operating systems.

Symantec distributes Symantec ESM software on an ISO 9660 (High Sierra Format) CD-ROM disk. To access this software, at least one computer with a UNIX operating system must have access to a CD-ROM drive.

Symantec locates the programs for each product on the CD-ROM according to the following two directory structures:

■ \vendor\os\architecture\product

■ \vendor\os\architecture\util

Where:

■ vendor is the name of the operating system vendor; for example, sun

■ os is the operating system name; for example, solaris

■ architecture is the CPU type; for example, sparc

■ product is the product name that Symantec abbreviates to three characters plus the product version; for example, esm60

■ util contains any additional files necessary or useful to the installation or registration process

Symantec provides the software files in a compressed-format tar file for computers that have UNIX operating systems. The CD-ROM contains the following installation files:

■ esmsetup is the installation program

■ esmtgz is the compressed tar file that contains the Symantec ESM software

■ gzip is the GNU uncompress utility

■ esmuppd is the remote agent install/upgrade daemon

To install Symantec ESM on a local computer

The installation process includes the following steps:

■ Mounting the CD-ROM drive

■ Starting the Symantec ESM installer

■ Selecting the type of installation

■ Performing the installation

To mount the CD-ROM drive

1 Use su or log in to root on a computer with a UNIX operating system that has access to a CD-ROM drive.

2 Type the appropriate command to mount the CD-ROM drive to device /cdrom. The CD-ROM drive device and name may differ from those in Table 3-7.

Table 3-7 UNIX CD-ROM mount commands

| Platform | CD-ROM mount commands |
| --- | --- |
| AIX | Use smit to mount the CD-ROM or type the following command: mount -v cdrfs -r /dev/device /cdrom |
| HP-UX | Type this command: mount -F cdfs -o cdcase /dev/dsk/device /cdrom |
| Red Hat Linux | Insert the CD-ROM. The automounter mounts it on /mnt/cdrom. |
| SGI IRIX | Insert the CD-ROM. The mediad daemon automatically mounts the CD-ROM on /cdrom. |
| Solaris | Insert the CD-ROM. The vold daemon mounts it on /cdrom. If vold is not running, use this command: mount -F hsfs -r /dev/device /cdrom |
| Tru64/OSF1 | Use this command: mount -t cdfs -r -o noversion /dev/device /cdrom |

To start the Symantec ESM installer

1 Use su or log in to root on the computer with a UNIX operating system that you are using to install the Symantec ESM software.

2 Type ./esmsetup to run the Symantec ESM installer from the CD-ROM.

You can also run the Symantec ESM installer from the /tmp directory if you use gzip to extract the file from the CD-ROM. See “To extract the file from the CD-ROM” on page 72.

To select the type of installation

1 Type 2 to install a manager or agent on a local computer.

2 Type A if you agree to the terms of the License Agreement.

3 Do one of the following:

■ Type 1 to perform a Symantec ESM agent installation. See “To install or upgrade a Symantec ESM agent” on page 60.

■ Type 2 to perform a Symantec ESM manager and agent installation. See “To install or upgrade a Symantec ESM manager and agent” on this page.

■ Type 3 to perform a Symantec ESM manager installation. See “To install or upgrade a Symantec ESM manager” on page 61.

To install or upgrade a Symantec ESM manager and agent

1 Do one of the following:

■ Type the name of the directory where you want to install the Symantec ESM files.

Do not choose the root folder. The Symantec ESM installer creates the directory if it does not already exist. In addition, the installer creates a /esm symbolic link that points to the directory.

■ Type a '?' to list the partitions that have sufficient disk space to install Symantec ESM.

2 Type the name of the user who will own the Symantec ESM files.

3 Type the group ownership of the Symantec ESM files.

4 Do one of the following:

■ Type the name of the CD-ROM drive containing the distribution media.

■ Type the full path name of the tar/tgz file on a disk.

■ Type the special device file name of the tape drive containing the installation tape.

5 Type a password for the ESM super-user account on the manager.

6 Retype the ESM super-user account password.

7 Type the 19-character Symantec ESM license key.

8 Type the maximum number of agents that can register with the manager.

9 Type the name of the computer that is installing the Symantec ESM agent. The Symantec ESM manager uses the name to look up the IP address of the agent computer. This name can have up to 61 characters.

10 Do one of the following:

■ Type 1 to disable LiveUpdate on the agent.

■ Type 2 to enable the managers that register the agent to LiveUpdate the agent.

■ Type 3 to select the managers that can LiveUpdate the agent.

To install or upgrade a Symantec ESM agent

◆ Perform the Symantec ESM agent installation. Agent installations include the steps in a manager and agent installation except steps 5 - 8. See “To install or upgrade a Symantec ESM manager and agent” on page 60.

To install or upgrade a Symantec ESM manager

◆ Perform the Symantec ESM manager installation. Manager installations include steps 1 - 8 of a manager and agent installation. See “To install or upgrade a Symantec ESM manager and agent” on page 60.

Using the command line options to install Symantec ESM

This task is optional. When you install Symantec ESM, the installer prompts for necessary information such as the type of installation or the name of a directory. You can use Symantec ESM command line options to avoid these prompts. The command line options let you install Symantec ESM managers or agents on local computers and install Symantec ESM agents on remote computers.

Using the help option

You can use the help option to display the local and remote installation command line options.

Local installation usage:

esmsetup [-acm] [-p phases] [-d directory] [-u user] [-g group] [-t tape] [-M master] [-O port] [-U Symantec ESM_user -W Symantec ESM_password] [-L license -A no_of_agents] [-N agent_name] [-B LiveUpdate manager] [-b]

Remote installation usage:

esmsetup -r [-S remote_computer] [-R remote_password] [-U Symantec ESM_user] [-P Symantec ESM_password] [-d remote_directory][-c cdrom_directory] [-B LiveUpdate manager] [-b]

To use the help option

◆ Type ./esmsetup -h to display the command line options.

Using the local command line options

You can use the command line options in Table 3-8 to install a Symantec ESM manager or agent on a local computer.

Table 3-8 Local command line installation options

| Option | Description |
| --- | --- |
| -a | Installs or upgrades a Symantec ESM agent on a local computer. |
| -c | Installs or upgrades a Symantec ESM manager and agent on a local computer. |
| -m | Installs or upgrades a Symantec ESM manager on a local computer. |
| -p | Specifies the installation phases to include (enter 1-14 separated by commas). The phases are listed below the table. |
| -d | Specifies the directory where Symantec ESM installs on the local computer. If the string “esm” is not part of the path, “symantec/esm” will be added to it. The directory will be created if it does not exist. |
| -u | Specifies the user owner of the Symantec ESM files. |
| -g | Specifies the group owner of the Symantec ESM files. |
| -t | Specifies the location of the Symantec ESM installation files. |
| -M | Specifies the Symantec ESM manager name. |
| -O | Specifies the Symantec ESM port number. |
| -U | Specifies the ESM account name on the local computer. |
| -W | Specifies the ESM super-user account password on the local computer. |
| -L | Specifies the 19-character Symantec ESM license key. |
| -A | Specifies the number of licensed Symantec ESM agents that can register with the manager. |
| -N | Specifies the agent name that the manager uses to look up the agent’s IP address. This name can have up to 61 characters. |
| -b | Lets the managers that register the agent LiveUpdate the agent. |
| -B | Specifies the manager that can LiveUpdate the agent. |

The installation phases for the -p option include:

PHASE 1: Checking system configuration and host information...
PHASE 2: Creating and/or checking Symantec ESM directory...
PHASE 3: Extracting Symantec ESM files....
PHASE 4: Creating files and directories...
PHASE 5: Installing tune-up pack...
PHASE 6: Creating system-specific directories...
PHASE 7: Setting file ownership...
PHASE 8: Setting file permissions...
PHASE 9: Starting Symantec ESM servers...
PHASE 10: Setting default Symantec ESM superuser account password...
PHASE 11: Creating Symantec ESMrc...
PHASE 12: Installing Symantec ESM license information...
PHASE 13: Registering this agent with Symantec ESM manager(s)...
PHASE 14: Configuring LiveUpdate for this agent...

Note: You must use the -U and -W options together. In addition, you must use the -L and -A options together.
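The rules in Table 3-8 and the note above (phases 1-14, the -U/-W and -L/-A pairs, the 61-character agent name), together with the password and license key formats from “Before you install”, can be checked before esmsetup is invoked. The shell function below is an added example, not part of the Symantec guide or product; the name esm_check_local_args, its messages and the 1-65535 port range are assumptions of the example.

```shell
#!/bin/sh
# Added example: pre-flight check of an esmsetup local-install argument list
# against the rules stated in this guide. It never runs esmsetup.

# Prints one line per problem, without echoing passwords or license keys, and
# returns 0 only when every rule passes. The body runs in a subshell, so its
# variables, IFS and "set -f" do not leak into the caller.
esm_check_local_args() (
    set -f
    problems=0 have_user=0 have_pass=0 have_lic=0 have_agents=0
    fail() { echo "esmsetup: $1"; problems=$((problems + 1)); }

    while [ $# -gt 0 ]; do
        opt=$1; shift
        case $opt in
            -a|-c|-m|-b) continue ;;            # switches that take no value
            -p|-d|-u|-g|-t|-M|-O|-U|-W|-L|-A|-N|-B)
                if [ $# -eq 0 ]; then fail "$opt needs a value"; break; fi
                val=$1; shift
                if [ -z "$val" ]; then fail "$opt has an empty value"; continue; fi ;;
            -*) fail "unknown option $opt"; continue ;;
            *)  fail "stray argument (not shown, it may be a secret)"; continue ;;
        esac
        case $opt in
            -p) # installation phases: 1-14 separated by commas
                IFS=,
                for ph in $val; do
                    case $ph in
                        [1-9]|1[0-4]) ;;
                        *) fail "phase '$ph' is not in the range 1-14" ;;
                    esac
                done
                unset IFS ;;
            -d) [ "$val" != / ] || fail "-d must not be the root folder" ;;
            -O) case $val in
                    *[!0-9]*|??????*) fail "-O is not a port number" ;;
                    *) { [ "$val" -ge 1 ] && [ "$val" -le 65535 ]; } ||
                           fail "-O is outside 1-65535 (range assumed)" ;;
                esac ;;
            -U) have_user=1 ;;
            -W) have_pass=1   # super-user password: 6-8 chars, one nonalphabetical
                case $val in
                    ?????????*) fail "-W is longer than eight characters" ;;
                    ??????*) case $val in
                                 *[!A-Za-z]*) ;;
                                 *) fail "-W has no nonalphabetical character" ;;
                             esac ;;
                    *) fail "-W is shorter than six characters" ;;
                esac ;;
            -L) have_lic=1    # 19 characters: four groups of four, hyphen-separated
                case $val in
                    *-*-*-*-*) fail "-L has too many hyphens" ;;
                    ????-????-????-????) ;;
                    *) fail "-L is not four groups of four characters" ;;
                esac ;;
            -A) have_agents=1
                case $val in
                    *[!0-9]*|0) fail "-A is not a positive number of agents" ;;
                esac ;;
            -N) [ "${#val}" -le 61 ] || fail "-N is longer than 61 characters" ;;
        esac
    done

    [ "$have_user" -eq "$have_pass" ] || fail "-U and -W must be used together"
    [ "$have_lic" -eq "$have_agents" ] || fail "-L and -A must be used together"
    [ "$problems" -eq 0 ]
)

# The guide's own local example (Table 3-9), checked without running esmsetup.
esm_check_local_args -a -p 1,2,3,4,5,6,7,8,9,10,11,12,13,14 -d symantec/esm \
    -u root -g sys -t /cdrom -M gs1001 -O 5600 -U esm -W sec+3ity -N gs1101 -b &&
    echo "argument list accepted"
```

The function reports problems without echoing the -W or -L values. Those values remain visible in the process list and shell history of the account that types the esmsetup command.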

To use the local command line options

The first example lets you install an agent on a local computer so that the managers that register the agent can LiveUpdate the agent. The second example lets you install an agent on a local computer and specify the managers that can LiveUpdate the agent.

To install a local agent that all registered managers can LiveUpdate

1 Use the information in Table 3-9 for this example.

2 Type ./esmsetup -a -p 1,2,3,4,5,6,7,8,9,10,11,12,13,14 -d symantec/esm -u root -g sys -t /cdrom -M gs1001 -O 5600 -U esm -W sec+3ity -N gs1101 -b

Table 3-9 Example command line option values

| Option title | Option | Option values |
| --- | --- | --- |
| phases | -p | 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 |
| directory | -d | symantec/esm |
| user owner | -u | root |
| group owner | -g | sys |
| installation file location | -t | /cdrom |
| Symantec ESM manager | -M | gs1001 |
| Symantec ESM port | -O | 5600 |
| Symantec ESM account name | -U | esm |
| Symantec ESM password | -W | sec+3ity |
| Symantec ESM agent name | -N | gs1101 |

To install a local agent that specific managers can LiveUpdate

1 Use the information in Table 3-10 for this example.

2 Type ./esmsetup -a -p 1,2,3,4,5,6,7,8,9,10,11,12,13,14 -d symantec/esm -u root -g sys -t /cdrom -M gs1001 -O 5600 -U esm -W sec+3ity -N gs1101 -B gs1001

Table 3-10 Example command line option values

| Option title | Option | Option values |
| --- | --- | --- |
| phases | -p | 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 |
| directory | -d | symantec/esm |
| user owner | -u | root |
| group owner | -g | sys |
| installation file location | -t | /cdrom |
| Symantec ESM manager | -M | gs1001 |
| Symantec ESM port | -O | 5600 |
| Symantec ESM account name | -U | esm |
| Symantec ESM password | -W | sec+3ity |
| Symantec ESM agent name | -N | gs1101 |
| LiveUpdate manager | -B | gs1001 |

Using the remote command line options

You can use the command line options in Table 3-11 to install a Symantec ESM agent on a remote computer.

Table 3-11 Remote command line installation options

| Option | Description |
| --- | --- |
| -r | Installs or upgrades a Symantec ESM agent on a remote computer. |
| -S | Specifies the name of the remote computer. |
| -R | Specifies the system password on the remote computer. |
| -U | Specifies the Symantec ESM account name on the remote computer. |
| -P | Specifies the Symantec ESM account password on the remote computer. |
| -d | Specifies the directory where Symantec ESM installs on the remote computer. If the string “esm” is not part of the path, “symantec/esm” will be added to it. The directory will be created if it does not already exist. |
| -c | Specifies the location for the Symantec ESM installation files. |
| -b | Lets the managers that register the agent also LiveUpdate the agent. |
| -B | Specifies the manager that can LiveUpdate the agent. |

To use the remote command line options

The first example lets you install an agent on a remote computer so that the managers that register the agent can LiveUpdate the agent. The second example lets you install an agent on a remote computer and specify the managers that can LiveUpdate the agent.

To install a remote agent that all registered managers can LiveUpdate

1 Use the information in Table 3-12 for this example.

2 Type ./esmsetup -r -S gs1118 -R sys+8sec -U esm -P se8+21ty -d symantec/esm -c /cdrom -b

Table 3-12 Example command line option values

| Option title | Option | Option values |
| --- | --- | --- |
| remote computer name | -S | gs1118 |
| remote computer password | -R | sys+8sec |
| Symantec ESM account name | -U | esm |
| Symantec ESM password | -P | se8+21ty |
| directory | -d | symantec/esm |
| installation file location | -c | /cdrom |

To install a remote agent that specific managers can LiveUpdate

1 Use the information in Table 3-13 for this example.

2 Type ./esmsetup -r -S gs1118 -R sys+8sec -U esm -P se8+21ty -d symantec/esm -c /cdrom -B gs1001

Table 3-13 Example command line option values

| Option title | Option | Option values |
| --- | --- | --- |
| remote computer name | -S | gs1118 |
| remote computer password | -R | sys+8sec |
| Symantec ESM account name | -U | esm |
| Symantec ESM password | -P | se8+21ty |
| directory | -d | symantec/esm |
| installation file location | -c | /cdrom |
| LiveUpdate manager | -B | gs1001 |

Installing Symantec ESM using Solaris PKGADD

This task is optional. For Solaris 2.x systems only, you can use the Solaris package add facility to install Symantec ESM.

To install Symantec ESM using Solaris PKGADD

The installation process includes the following steps:

■ Starting the Symantec ESM installer

■ Selecting the type of installation

■ Performing the installation

To start the Symantec ESM installer

1 Use su or log in to root on a computer with a UNIX operating system that you are using to install the Symantec ESM software.

2 Mount the Symantec ESM software CD-ROM on the host computer. See “To mount the CD-ROM drive” on page 58.

3 Type cd /sun/solaris/sparc/esm60 to change to the Symantec ESM installation directory.

4 Type ./pkgsetup to use Solaris PKGADD to start the Symantec ESM installer.

5 Type the name of the directory where you want to install the Symantec ESM pkgadd installation files. Specify a directory other than root on a volume that has at least 20 MB of free disk space. The Symantec ESM installer creates the directory if it does not exist.

To select the type of installation

◆ Do one of the following:

■ Type M to perform a Symantec ESM manager and agent installation.

See “To install or upgrade a Symantec ESM manager and agent” on this page.

■ Type A to perform a Symantec ESM agent installation.

See “To install or upgrade a Symantec ESM agent” on page 68.

To install or upgrade a Symantec ESM manager and agent

1 Type the name of the directory where you want to install the Symantec ESM files. Do not choose the root folder. The Symantec ESM installer creates the directory if it does not exist. In addition, the installer creates a /esm symbolic link that points to the directory.

2 Type the name of the user who will own the Symantec ESM files.

3 Type the group ownership of the Symantec ESM files.

4 Type the name of the temporary directory containing the Symantec ESM pkgadd installation files.

5 Type the name of the tar/tgz file in the temporary directory. The default file name is esm.tgz.

6 Type a password for the ESM super-user account on the manager.

7 Retype the ESM super-user account password.

8 Type the name of the computer that is installing the Symantec ESM agent. The Symantec ESM manager uses the name to look up the IP address of the agent computer. This name can have up to 61 characters.

9 Type the 19-character Symantec ESM license key.

10 Type the maximum number of agents that can register with the manager.

To install or upgrade a Symantec ESM agent

1 Type the name of the directory where you want to install the Symantec ESM files.

2 Type the name of the temporary directory containing the Symantec ESM pkgadd installation files.

3 Type the name of the tar/tgz file in the temporary directory. The default file name is esm.tgz.

4 Type the name of the manager computer where you want to register the agent.

5 Type the manager port number. The default port number is 5600.

6 Type the name of an account on the Symantec ESM manager with rights to register agents.

7 Type the password of the manager account.

Installing a Symantec ESM agent on a remote computer

This task is optional. You can install or upgrade Symantec ESM on remote computers by doing one of the following:

■ If you administer Symantec ESM on a large network, you can use the remote installation option in the Symantec ESM console to minimize your time and effort. The manager computer and the remote computer installing the agent software must have UNIX operating systems. Symantec ESM can determine the type of UNIX operating system that is running on the computer. The installer copies and installs the appropriate agent software files on the remote computer.

You can also use the esmsetup program on a Symantec ESM manager to install the agent software on a remote computer.

■ You can FTP the tar file and install Symantec ESM on remote computers with TELNET. To install the Symantec ESM agent, you must extract the tar file from the transport medium to a temporary directory, expand the file if it has been compressed, and run the Symantec ESM installer. If you install one Symantec ESM agent, you can use an NFS mount to make the Symantec ESM agent software available to other computers.

Using the Symantec ESM console remote installation option

Remote computers with UNIX operating systems that install Symantec ESM agents must meet the following additional operating requirements:

■ The remote host /tmp directory must have sufficient free disk space for the esm.tgz file and approximately 100K more for the other required files.

■ The remote host must be running the rexec daemon.

■ The remote host must be r command accessible (rsh, rcp, ...).

You can use the Discovery module in the Symantec ESM console to search the TCP/IP ports that are on the network. The Discovery module attempts to identify any computers and Symantec ESM components that it finds. The grid in the Symantec ESM console lists the names and types of computers that the module finds, indicating which computers are candidates for Symantec ESM or Symantec Intruder Alert agent installations.

After you begin the remote-installation process, Symantec ESM does the following:

■ The Symantec ESM manager creates a remote installation share.

■ The Symantec ESM console copies the update service files to the remote installation share on the manager computer.

■ The Symantec ESM console directs the manager to contact and verify the remote computer.

■ The Symantec ESM manager copies a remote installation service to the remote computer and starts the service.

■ The remote installation service searches for volumes with sufficient space to accommodate the product files and requests that you specify a destination location for them.

■ The Symantec ESM manager creates an ESM folder on the remote computer and copies the update service files to the folder.

■ The Symantec ESM manager directs the remote computer to run the agent installation program and register the agent to the manager.

■ After the installation finishes, the Symantec ESM console directs the manager to shut down the remote installation service on the agent, delete the update files, and remove the remote installation share.

To use the Symantec ESM console remote installation option

The remote installation process includes the following steps:

■ Identifying Symantec ESM agent candidate computers

■ Starting the Remote Agent Installation wizard

■ Using the Remote Agent Installation wizard

To identify Symantec ESM candidate computers

1 Connect the Symantec ESM console to a manager on a computer that has a UNIX operating system. Use a manager account with rights to modify all domains, policies, and templates.

2 In the Queries policy, drag the Discovery module and drop it on any agent in any domain.

3 After the module finishes, click the policy run in the summary branch to view the results.

To start the Remote Agent Installation wizard

1 Do one of the following:

■ Right-click the name of a Symantec ESM candidate computer in the grid.

■ Right-click the Symantec ESM manager where you plan to register the agent.

2 Click Remote Install.

To use the Remote Agent Installation wizard

1 In the Remote Host dialog box, type the name of the remote host computer.

2 In the Remote Privileged Account dialog box, type the user name, password, and domain of an account with privileges to install the Symantec ESM agent software on the remote computer.

3 In the Installation CD Drive dialog box, select the CD-ROM drive volume.

4 In the Connection Method dialog box, click TCP/IP.

5 In the Remote Progress dialog box, click Finish.

6 In the Remote Installation Directories dialog box, select the installation directory for the Symantec ESM files on the remote host computer.

7 In the Remote Progress dialog box, click Close.

Using the esmsetup remote installation option

You must use a Symantec ESM manager that is running on a computer with a UNIX operating system to run the esmsetup installer.

To use the esmsetup remote installation option

The remote installation process includes the following steps:

■ Starting the esmsetup installer

■ Selecting the type of installation

■ Using the esmsetup installer

To start the esmsetup installer

1 Use su or log in to root on a computer with a UNIX operating system that is running a Symantec ESM manager.

2 Mount the Symantec ESM CD-ROM on the computer. See “To mount the CD-ROM drive” on page 58.

3 Start the Symantec ESM installer. See “To start the Symantec ESM installer” on page 59.

To select the type of installation

1 Type 4 to select the post-installation configuration options.

2 Type 5 to perform a remote agent installation.

To use the esmsetup installer

1 Type the name of an account on the Symantec ESM manager with rights to perform remote agent installations.

2 Type the password of the manager account.

3 Type the name of the remote computer that is installing the Symantec ESM agent. The Symantec ESM manager uses the name to look up the IP address of the agent computer. This name can have up to 61 characters.

4 Type the password of an account with root privileges on the remote computer.

5 Type the location of the CD-ROM drive containing the distribution media.

You must provide the root path name of the CD-ROM drive or the disk containing the Symantec ESM compressed file. In UNIX, a disk can mean either a local or a mounted hard drive. The esmsetup installer requires the full platform directory structure to do a remote install to a domain containing a variety of platforms.

6 Type the name of the directory where you want to install the Symantec ESM files. Symantec ESM checks the directory structure on the remote system and displays the Symantec ESM directory from a previous installation or a directory with sufficient space as the default location.

Using the FTP uncompressed file remote installation option

If you experience problems mounting the CD-ROM, you can use the following installation method. This method requires several steps but avoids the need to distribute the gzip program to the target systems. However, uncompressed files take longer to transfer across the network and require more disk space.

To use the FTP uncompressed file remote installation option

The commands in this section relate to a Solaris-SPARC remote computer installation. The process includes the following steps:

■ Extracting the file from the CD-ROM

You can find the esm.tgz compressed tar file, a standard UNIX tar (tape archive) file, on the CD-ROM in the same directory as the esmsetup program. Symantec compressed the file with the gzip compression utility. This utility is a product of, and copyrighted by, the Free Software Foundation. The source code is available from Symantec for a nominal processing fee. You can find the gzip executable on the CD-ROM in the utilities directory.

■ Copying the file

Use any file transfer program to copy the /tmp/esm60.tar file to a remote computer that is on the network. If you use FTP to do tar file transfers, you must select binary mode.

■ Finishing the installation

The Symantec ESM installation can now proceed on the remote system. You must specify the full path name of the tar file on the disk.

To extract the file from the CD-ROM

1 Use su or log in to root on a computer with a UNIX operating system that has a CD-ROM drive.

2 Mount the Symantec ESM CD-ROM. See “To mount the CD-ROM drive” on page 58.

3 Type cd /cdrom/<vendor>/<os>/<hardware>/esm60/

Substitute the vendor, os (operating system), and hardware that apply to the computer.

4 Type ../util/gzip -dc esm.tgz > /tmp/esm60.tar

The gzip command creates the /tmp/esm60.tar file for the Symantec ESM installation. The -d option decompresses the file and the -c option sends the decompressed file to standard output.

Note: Many computers have a default blocking factor of 512 bytes. As a result, the tar program reads 512 bytes at a time. You can use the buffer-size option to increase the blocking factor and the efficiency of the transfer. UNIX online documentation provides information about the parameters in the buffer-size option. See the dd command man page.

To copy the file

1 Type ftp <targetsys> to start the file transfer protocol. <targetsys> is the name of the remote host computer. Provide the user name and password of an account with root access on the target system.

2 Type binary to change the transfer mode to binary.

3 Type cd /tmp to change to a temporary directory on the target computer.

4 Type put /tmp/esm60.tar to transfer the esm60.tar file to the remote host computer.

5 Type quit to exit FTP.

To finish the installation

1 Use su or log in to root on the remote computer with a UNIX operating system that you are using to install the Symantec ESM agent.

2 Type cd /tmp to change to a temporary directory on the target computer.

3 Type tar -xvpf /tmp/esm60.tar to extract the esmsetup installer from the Symantec ESM tar file.

4 Type bin/solaris-sparc/esmsetup to run the esmsetup installer.

5 At the Name [/dev/rst0]: prompt, type /tmp/esm60.tar for the full path name of the tar file.

6 Type cd /tmp to change to a temporary directory on the target computer.

7 Type rm esmsetup esm60.tar to remove the temporary files after the computer finishes installing the Symantec ESM agent.

Using the FTP compressed file remote installation option

If you experience problems mounting the CD-ROM, you can use the following installation method to install the esmsetup program directly from a compressed tar file. This method requires less disk space and produces faster transfers across the network. However, you must distribute the gzip program to each target system and locate the gzip executable in the path where you install the program. The commands in this section relate to a Solaris-SPARC remote computer installation. The process includes the following steps:

To use the FTP compressed file remote installation option

1 Type ftp <targetsys> to start the file transfer protocol. <targetsys> is the name of the remote host computer.

2 Type cd /tmp to change to a temporary directory on the target computer.

3 Type the following to copy the esm.tgz file and the gzip utility to the remote host computer:

lcd /cdrom/<vendor>/<os>/<hardware>/esm60

bin

put esm.tgz

cd /usr/bin

lcd ./util

put gzip

Substitute the vendor, os (operating system), and hardware that apply to the computer.

4 Type quit to exit FTP.

5 Use su or log in to root on the remote computer with a UNIX operating system that you are using to install the Symantec ESM agent.

6 Type chmod 755 /usr/bin/gzip to set the permissions for gzip.

7 Type the following to extract the setup program:

cd /tmp

gzip -dc /tmp/esm.tgz > /tmp/esm60.tar

tar -xvpf /tmp/esm60.tar

8 Type bin/solaris-sparc/esmsetup to run the esmsetup installer.

9 At the Name [/dev/rst0]: prompt, type /tmp/esm60.tar to enter the full path name of the tar file.

10 Type cd /tmp to change to a temporary directory on the target computer.

11 Type rm esmsetup esm60.tar /usr/bin/gzip to remove the temporary files after the computer finishes installing the Symantec ESM agent.
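Both FTP procedures above move an archive across the network and then extract it as root. The following added example (not part of the Symantec guide or product) records a checksum before the put, compares it on the target, and inspects the tar listing before tar -xvpf is run. The function names and the constructed stand-in archive are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not Symantec code. Function names are hypothetical.

# record_cksum FILE: run on the sending host before the FTP put.
# Works for esm60.tar (uncompressed method) or esm.tgz (compressed method).
record_cksum() {
    cksum < "$1" > "$1.cksum"
}

# verify_transfer FILE CKSUMFILE: run on the target after the transfer.
# A mismatch is what an ASCII-mode transfer or a truncated put looks like.
# cksum is a CRC: it catches transfer damage, not deliberate modification.
verify_transfer() {
    [ "$(cksum < "$1")" = "$(cat "$2")" ]
}

# unsafe_members: filter a "tar -tf" listing on stdin down to members that
# would be written outside the extraction directory (an absolute path or a
# ".." path component). Exit status 0 means at least one was found.
unsafe_members() {
    grep -E '^/|(^|/)\.\.(/|$)'
}

# check_tar TAR: inspect the archive before "tar -xvpf" is run as root.
check_tar() {
    listing=$(tar -tf "$1" 2>/dev/null) || { echo "cannot read archive: $1"; return 1; }
    if printf '%s\n' "$listing" | unsafe_members; then
        echo "refusing: members above would extract outside the current directory"
        return 1
    fi
    # The guide runs bin/solaris-sparc/esmsetup after extraction, so the
    # archive is expected to contain that member.
    printf '%s\n' "$listing" | grep -Eqx '(\./)?bin/solaris-sparc/esmsetup' || {
        echo "bin/solaris-sparc/esmsetup is not in $1"
        return 1
    }
}

# Demonstration on a constructed stand-in archive (no real ESM files).
demo_transfer() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/bin/solaris-sparc" "$work/target"
    echo 'constructed stand-in for the installer' > "$work/src/bin/solaris-sparc/esmsetup"
    (cd "$work/src" && tar -cf - bin | gzip -c > "$work/esm.tgz")

    # Sending side: the gzip -dc step from "To extract the file from the CD-ROM".
    gzip -dc "$work/esm.tgz" > "$work/esm60.tar"
    record_cksum "$work/esm60.tar"

    # Stand-in for the binary-mode FTP put of the tar file and its checksum.
    cp "$work/esm60.tar" "$work/esm60.tar.cksum" "$work/target/"

    # Target side: verify, then inspect, before extracting anything.
    verify_transfer "$work/target/esm60.tar" "$work/target/esm60.tar.cksum" &&
        check_tar "$work/target/esm60.tar"
    status=$?
    rm -rf "$work"
    return $status
}

demo_transfer && echo "esm60.tar verified; listing is safe to extract"
```
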

Using an NFS mount point for remote computers

If you have more than one computer running the same type and version of UNIX, you can use NFS to make Symantec ESM available to the computers that are on the network. This method of distributing the product helps conserve disk space by storing the files on a server, then exporting from the server to the Symantec ESM agent computers. The Symantec ESM manager license specifies the maximum number of agents that the server can export.

To use an NFS mount point

To implement this distribution, you must export the ESM directory with root access and read/write permissions. You do not need to mount the ESM directory with setuid access on the agent system because ESM does not use any setuid files. However, you must prepare a directory on the agent computer to receive the files. After you mount the files and run esmsetup, you can run the program and access its features.

To use the preferred method

1 Use su or log in to root on a computer with a UNIX operating system that is running a Symantec ESM manager.

2 Type /esm/esmrc to start the Symantec ESM manager server.

3 Type ls -l /esm to determine the full directory path of the Symantec ESM files.

4 Export the Symantec ESM directory, with root access and with read/write permissions, from the manager computer to the agent computer where you want to use NFS to mount the files.

Because the export procedure differs from one UNIX operating system to another, confer with the system administrator or check the instructions about exporting directories in the reference manual.

5 Use su or log in to root on the computer with a UNIX operating system that is running the Symantec ESM agent.

6 Type # mkdir /esm to create a directory to mount the files.

7 Type # mount <host>:/<source directory> /esm to use NFS to mount the Symantec ESM directory.

For this command, <host> is the exporting server, <source directory> is the directory containing the installed Symantec ESM files, and /esm is the mount point on the receiving computer.

8 Run /esm/esmsetup.

9 Type 4 to select the Post-installation configuration options.

10 Type 3 to configure the directories for an NFS installation.

11 Follow the online directives at the Directory configuration prompt.

To use an alternate method

1 Type # mount host:/<source directory> /<target directory> to mount the software from the host directory to the target directory.

For example, mount host:/secure/esm /home/mydir

2 Type # ln -s /<target directory> /esm to link /esm to the target directory.

For example, ln -s /home/mydir /esm

Post-installation tasks

Symantec ESM post-installation tasks include:

■ Registering a Symantec ESM agent on a local computer

■ Reregistering Symantec ESM agents to a manager

■ Changing LiveUpdate on a local computer

■ Upgrading an older version of Symantec ESM

■ Changing a Symantec ESM agent port

■ Uninstalling Symantec ESM from a local computer

Registering a Symantec ESM agent on a local computer

This task is optional. Registering a Symantec ESM agent with a manager establishes secured communications between the agent and manager. Each agent must register to at least one manager.

Do not use more than one agent name to register a Symantec ESM agent to a manager. Symantec ESM reports an error when you try to run policies on the agent.

Do not register the Symantec ESM agent to an earlier version of a manager. This causes database errors on the manager. Instead, upgrade the managers that are on the network to the latest Symantec ESM version before registering the agent.

The manager must be running to register the agent. If the manager is not running, you can restart the manager and use the Register agent option in the Symantec ESM installer to register the agent.

Symantec ESM agents that register before a manager upgrade continue to function with the manager after the upgrade. However, you must upgrade these agents to use the new functions and features.

To register a Symantec ESM agent on a local computer

The registration process includes the following steps:

■ Starting the Symantec ESM installer

■ Selecting the Symantec ESM agent registration option

■ Registering the Symantec ESM agent

To start the Symantec ESM installer

1 Use su or log in to root on a computer with a UNIX operating system that is running a Symantec ESM agent.

2 Mount the Symantec ESM CD-ROM on the computer. See “To mount the CD-ROM drive” on page 58.

3 Start the Symantec ESM installer. See “To start the Symantec ESM installer” on page 59.

To select the Symantec ESM agent registration option

1 Type 4 to select the post-installation configuration options.

2 Type 4 to register a Symantec ESM agent with a manager.

To register the Symantec ESM agent

1 Type the name of the manager computer where you want to register the agent.

2 Type the manager port number. The default port number is 5600.

3 Type the name of an account on the Symantec ESM manager with rights to register agents.

4 Type the password of the manager account.

5 Type the name of the Symantec ESM agent computer that you want to register with the manager. The Symantec ESM manager uses the name to look up the IP address of the agent computer. This name can have up to 61 characters.

Reregistering Symantec ESM agents to a manager

This task is optional. Symantec ESM lets you reregister agents with a manager that has recovered from a problem such as a host computer failure.

Symantec ESM reregistration tasks include:

■ Exporting the Symantec ESM reregistration agent list

■ Configuring Symantec ESM agents for remote reregistration

■ Reregistering the Symantec ESM agents

Exporting the Symantec ESM reregistration agent list

You must create and export a property file to use the Symantec ESM agent reregistration feature. The property file provides necessary information to the Symantec ESM manager during the reregistration process.

Use the Symantec ESM console to create the property file. The file lists the manager, the registered agents, the ports, and the communication protocols. The property file is a plain text, tab delimited file. For security purposes, store the file in a safe location.

The property file has the following format:

manager_name<tab>manager_port<tab>manager_protocol
agent_1_name<tab>agent_1_port<tab>agent_1_protocol
agent_2_name<tab>agent_2_port<tab>agent_2_protocol
.
.
agent_2000_name<tab>agent_2000_port<tab>agent_2000_protocol

The first line in the file must contain the name of the manager, its port, and protocol. The information for each agent must follow on a separate line.
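The format described above can be checked before the file is handed to the console. The following is an added example, not part of the Symantec guide or product: a shell function that verifies the three tab-delimited fields on every line and that the file is readable by its owner only. The function names, the sample host entries, the agent port, and the protocol value tcp are assumptions made for the illustration; the duplicate-agent check is an extra check added here.

```shell
#!/bin/sh
# Added example, not Symantec code. Function names are hypothetical.

# check_agent_list FILE
# Prints one line per problem. Returns 0 only if every line has the
# name<tab>port<tab>protocol layout and the file is owner-only.
check_agent_list() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file"; return 2; }
    rc=0

    # The list names the manager, every agent and their ports, so keep it
    # owner-only. Characters 5-10 of the ls mode string are group + other.
    mode=$(ls -ld "$file" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "permissions: group/other bits set ($mode), expected owner-only"
        rc=1
    fi

    awk -F '\t' '
        { sub(/\r$/, "") }          # tolerate CRLF line endings
        /^[ \t]*$/ { next }         # ignore blank lines
        { n++ }                     # n counts data lines; line 1 is the manager
        NF != 3 {
            printf "line %d: expected 3 tab-separated fields, found %d\n", NR, NF
            bad = 1; next
        }
        $1 == "" || $3 == "" {
            printf "line %d: empty name or protocol field\n", NR
            bad = 1; next
        }
        $2 !~ /^[0-9]+$/ || $2 + 0 < 1 || $2 + 0 > 65535 {
            printf "line %d: port \"%s\" is not in 1-65535\n", NR, $2
            bad = 1; next
        }
        # Extra check added here: the same agent name on two lines.
        n > 1 && seen[$1]++ {
            printf "line %d: agent %s is listed more than once\n", NR, $1
            bad = 1
        }
        END {
            if (n < 1) { print "file has no manager line"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$file" || rc=1
    return $rc
}

# Constructed sample: manager gs1001 on the default port 5600 and two agent
# lines. The agent port and the protocol value "tcp" are placeholders. The
# third line uses spaces instead of tabs and is reported.
demo_agent_list() {
    sample=$(mktemp) || return 1      # mktemp creates the file owner-only
    printf 'gs1001\t5600\ttcp\ngs1118\t5601\ttcp\ngs1119 5601 tcp\n' > "$sample"
    check_agent_list "$sample"
    status=$?
    rm -f "$sample"
    return $status
}

demo_agent_list || echo "agent list rejected"
```
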

To export the Symantec ESM agent list

1 On the Symantec ESM console, in the enterprise tree, right-click the appropriate manager.

2 Select Export Agent List.

3 In the Save Agent List dialog box, do the following:

■ Type the name of the agent list file.

■ Select a folder location to save the file.

■ Click Save.

4 Click OK.

Configuring Symantec ESM agents for remote reregistration

Before you can reregister Symantec ESM agents to a manager, you must configure the agents to accept reregistration commands from the manager. You must do this just before starting the reregistration process. To minimize the risk to network security, you can specify the amount of time, in minutes, that the agent can accept reregistration requests. By default, the manager has 180 minutes to reregister the agent. Use the -h option to display information about the reregistration command. Use the -t option to change the time limit. For example, -t 60 stops the agent from accepting reregistration requests after 60 minutes.

To configure Symantec ESM agents for remote reregistration

1 Use su or log in to root if the agent that is running on the computer is included in the agent list for the manager.

2 Mount the Symantec ESM 6.0 CD-ROM on the computer. See “To mount the CD-ROM drive” on page 58.

3 Type cd /cdrom/<vendor>/<os>/<architecture>/util/.

Substitute the vendor, operating system, and CPU type that apply to the computer.

4 Type cp rereg /esm/bin/<architecture> to copy the rereg program from the util directory on the CD-ROM to the /esm/bin/<architecture> directory.

5 Do one of the following:

■ Type rereg at the command line prompt to use the 180 minute default time limit.

■ Type rereg -t (x), where x is the time limit in minutes.

Reregistering the Symantec ESM agents

Use the Symantec ESM console to start the agent reregistration process.

To reregister Symantec ESM agents

1 On the Symantec ESM console, in the enterprise tree, right-click the appropriate manager.

2 Select Register Agents to Manager.

3 Do the following:

■ Type the user name and password of an account on the manager with rights to modify all domains, policies, and templates.

■ Click Browse to find the agent list that applies to the manager.

4 Click Finish to start the remote reregistration process.

5 Click Done after the remote reregistration process finishes.

Changing LiveUpdate on a local computer

This task is optional. Symantec ESM uses LiveUpdate technology to upgrade Symantec ESM agent software or install new security updates.

To modify LiveUpdate for a Symantec ESM agent on a local computer

1 Use su or log in to root on a computer with a UNIX operating system where you are modifying LiveUpdate.

2 Mount the Symantec ESM CD-ROM on the computer. See “To mount the CD-ROM drive” on page 58.

3 Start the Symantec ESM installer. See “To start the Symantec ESM installer” on page 59.

4 Type 3 to select the Advanced installation options.

5 Type 14 at the Symantec ESM installation phases prompt.

6 At the LiveUpdate prompt, do one of the following:

■ Type 1 to disable LiveUpdate on the agent.

■ Type 2 to enable the managers that register the agent to LiveUpdate the agent.

■ Type 3 to select the managers that can LiveUpdate the agent.

Upgrading an older version of Symantec ESM

This task is optional. To use the new functions in this release, you must upgrade the Symantec ESM software. See “Upgrading an older version of Symantec ESM” on page 48.

To upgrade Symantec ESM, do one of the following:

■ See “Installing Symantec ESM on a local computer” on page 57.

■ See “Installing a Symantec ESM agent on a remote computer” on page 68.

Changing a Symantec ESM agent port

This task is optional. Symantec ESM uses specific ports. See Table A-1, “Symantec ESM communication ports,” on page 132.

To change a Symantec ESM agent port

1 Do the following:

■ Use su or log in to root on a computer with a UNIX operating system that is running a Symantec ESM manager.

■ Mount the Symantec ESM CD-ROM on the computer. See “To mount the CD-ROM drive” on page 58.

■ Start the Symantec ESM installer. See “To start the Symantec ESM installer” on page 59.

■ Type 4 to select the Post-installation configuration options.

■ Type 2 to shut down the Symantec ESM agent.

2 Access the /esm/config/tcp_port.dat file and change the agent port to the desired port number.

3 Restart the Symantec ESM agent.

■ Start the Symantec ESM installer.

■ Type 4 to select the Post-installation configuration options.

■ Type 1 to start the Symantec ESM software.

4 Reregister the agent with the manager. See “Registering a Symantec ESM agent on a local computer” on page 76.

The manager must be listening on the specified port before it can register the agent.

Uninstalling Symantec ESM from a local computer

This task is optional. On computers that have a UNIX operating system, the esmdeinstall program removes everything under the /esm directory. It also removes the files, links, ESM daemons, and rc scripts that Symantec ESM creates during installation.

Before uninstalling Symantec ESM, make sure that you are not using the Symantec ESM directory or any of its subdirectories. If you are using a Symantec ESM directory or subdirectory, the esmdeinstall program reports an error message and does not remove the directory.

Note: Unpredictable results can occur if you uninstall a Symantec ESM agent during a policy run that includes the agent.

To uninstall Symantec ESM from a local computer

1 Type /esm/esmdeinstall. The Symantec ESM uninstaller displays the following message:

Warning...

You are running the Symantec ESM deinstallation program. This program will remove all Symantec ESM related files including the results of all security policies that have been run.

2 Type Yes to remove Symantec ESM.

Chapter 4

Installing Symantec ESM agents on NetWare/NDS

This chapter includes the following topics:

■ Before you install

■ System requirements

■ Installing

■ Post-installation tasks

Before you install

Develop an implementation plan for rolling out Symantec ESM agents on the servers that are in your network that have NetWare/NDS operating systems. During the planning process, do the following:

■ Select the servers where you want to install Symantec ESM agent software.

■ Obtain access to an account with administrator privileges on each selected server.

For the initial ESM agent installation on a server, obtain administrator rights from the [Root] down. The ESMSETUP.NLM uses administrator rights to create a new ESM object on the NDS tree. Subsequent installations of ESM require administrator rights to the containers that are in the desired agent context list of the new installation, but not over the entire NDS tree. List the Symantec ESM agents that you intend to register with each Symantec ESM manager. Include the manager computer’s ID, the name and password of an account with privileges to register Symantec ESM agents, the communication protocol, and the port number.

■ Select the Symantec ESM managers where you want to register each Symantec ESM agent. For each manager, list the name of the host computer, the name and password of an account on the manager with privileges to register Symantec ESM agents, the communication protocol, and the port number.

Note: Symantec ESM managers run only on computers that have Windows or UNIX operating systems.

■ Confirm that each selected server has the required CLIB updates. Servers that run Symantec ESM should use CLIB update D. A problem with subsequent CLIB updates (LIBUPE, LIBUPF, and LIBUPG; Service Packs 4 and 5) causes NWDSSearch to lose 16 bytes per iteration on NLM platforms. See the Novell notice at: http://developer.novell.com/engsup/sample/tids/indskbh/indskbh.htm

To determine if a server has a version of CLIB with this problem, at the system console prompt, type: modules clib.

Note: In this release, the certified Symantec ESM 5.0 agent installs on servers with NetWare/NDS operating systems. Do not upgrade your agents if the servers are already running this version of the Symantec ESM software.

If the server has versions 4.11J, 4.11K, or 4.11L, then some ESM NLMs may display the following message after they unload:

<date> <time>: SERVER-4.11-2715
Module did not release XXX resources
Module: <module>
Resource: Small Memory Allocations
Description: Alloc Memory (Bytes)

According to the notice, Novell has fixed the problem. The fix is available in the release of LIBUPH.EXE, Support Pack 6, and SDK Release 16. Also, despite the message, the NetWare OS recovers unreleased resources and the server continues to run normally.

System requirements

Servers with NetWare/NDS operating systems must meet these minimum requirements to install and run Symantec ESM agent software.


Operating requirements

Servers that install Symantec ESM must meet the following minimum hardware requirements before loading the Symantec ESM NLMs:

■ Intel compatible P120 or equivalent CPU

■ 16 MB RAM

■ 50 MB of free disk space

Note: Symantec ESM does not support disk space limitations on NetWare/NDS operating systems. Do not restrict the disk space in the Symantec ESM directory on NetWare/NDS operating systems.

If a Symantec ESM NLM (esmsetup, manager, agent, module, and so on) is unable to allocate enough memory to proceed, it aborts to free resources for the operating system and other applications. Symantec ESM logs errors in the log file for server NLMs and the module report for module NLMs.

Servers that install Symantec ESM agents must have one of the following operating systems:

■ NetWare/NDS version 4.x

■ NetWare/NDS version 5.x

■ NetWare/NDS version 6.x

Installing

You can install Symantec ESM agents on servers that have supported NetWare/NDS operating systems. Use the file server console to install the Symantec ESM software.

Installing a Symantec ESM agent on a local server

This task is mandatory if your implementation plan requires the server to function as a Symantec ESM agent. The installation process consists of copying the Symantec ESM files from the CD-ROM, running the installation program, and registering the Symantec ESM agents with their managers.

Symantec distributes Symantec ESM software on an ISO 9660 (High Sierra Format) CD-ROM disk. To access this software, at least one server with a NetWare/NDS operating system or one computer with a Windows operating system must have access to a CD-ROM drive.


Symantec locates the programs for each product on the CD-ROM according to the following two directory structures:

■ \vendor\os\architecture\product

■ \vendor\os\architecture\util

Where:

■ vendor is the name of the operating system vendor; for example, novell

■ os is the operating system name; for example, nwnds

■ architecture is the CPU type; for example, intel

■ product is the product name that Symantec abbreviates to three characters plus the product version; for example, esm60

■ util contains any additional files necessary or useful to the installation or registration process

Symantec provides the ESM agent NLM files in ordinary format for servers that have NetWare/NDS operating systems.

To install Symantec ESM on a local server

The installation process includes the following steps:

■ Copying the Symantec ESM NLM files

■ Starting the Symantec ESM installer

■ Selecting the type of installation

■ Performing the installation

To copy the Symantec ESM NLM files

1 Do one of the following:

■ If a server with a NetWare/NDS operating system has a CD-ROM drive, mount the CD-ROM on the server and load the ESM files.

■ If none of the servers have CD-ROM drives, mount the CD-ROM on a computer that has a Windows operating system. Copy the ESM files from the CD-ROM to a directory on the server.

2 Do the following:

■ Map an available network drive on the server.

■ Create the Symantec ESM directory by typing: MAP X=SYS:AXENT\SYS\ESM\INSTALL


■ Change to the target directory and drive.

■ Copy the files from the product directory of the CD-ROM to the target directory on the mapped network drive by typing:

COPY <CD-ROM DRIVE>:\NWNDS\INTEL\ESM50\*.* <MAPPED NETWORK DRIVE>

To start the Symantec ESM installer

1 Log on to the console of a server that is running the NetWare/NDS operating system using an account with administrator privileges. You can also connect to the server using the remote RCONSOLE utility on a computer that has a Windows operating system.

2 Do one of the following:

■ For a NetWare-volume mount, type:

LOAD [VOLNAME]:\NOVELL\NWNDS\INTEL\ESM50\ESMSETUP

■ For a Windows mount, type:

LOAD SYS:AXENT\SYS\ESM\INSTALL\ESMSETUP

Note: To stop the Symantec ESM installer, type: UNLOAD ESMSETUP.

To select the type of installation

1 Type 1 to perform the Symantec ESM agent installation.

2 Type 1 to perform the Basic installation.

To install or upgrade a Symantec ESM agent

1 Type the complete path name of the directory where you want to install the Symantec ESM files. The Symantec ESM installer creates the directory if it does not exist.

2 Type the name of the manager where you want to register the agent. You can type a list of managers separated by commas or spaces.

3 Do one of the following:

■ Type 1 to use the SPX protocol.

Symantec ESM supports this protocol on servers that run NetWare/NDS 4x and 5x operating systems.

■ Type 2 to use the TCP/IP protocol.

Symantec ESM supports this protocol on servers that run NetWare/NDS 4x, 5x, and 6x operating systems.

4 Type the manager port number. The default port number is 5600.


5 Type the name of an account on the Symantec ESM manager with rights to register agents.

6 Type the password for the Symantec ESM manager account.

Post-installation tasks

Symantec ESM post-installation tasks include:

■ Registering a Symantec ESM agent on a local computer

■ Reviewing a Symantec ESM agent context list

■ Creating an NDS context mini-agent on a local computer

■ Creating a server-only mini-agent on a local computer

■ Upgrading an older version of Symantec ESM

■ Changing a Symantec ESM agent port

■ Uninstalling Symantec ESM from a local computer

Registering a Symantec ESM agent on a local computer

This task is optional. Registering a Symantec ESM agent with a manager establishes secured communications between the agent and manager. Each agent must register with at least one manager.

Do not use more than one agent name to register a Symantec ESM agent to a manager. Symantec ESM reports an error when you try to run policies on the agent.

Do not register the Symantec ESM agent to an earlier version of a manager. This causes database errors on the manager. Instead, upgrade the managers to the latest Symantec ESM version before registering the agent.

The manager must be running to register the agent. If the manager is not running, you can restart the manager and use the Register agent option in the Symantec ESM installer to register the agent.

On networks that use IPX/SPX communications, Symantec ESM agents cannot register with managers if the host computers are not running the IPX/SPX communication protocol.

Symantec ESM agents that register before a manager upgrade continue to function with the manager after the upgrade. However, you must upgrade these agents to use the new functions and features.
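The planning and registration constraints above can be checked before anyone sits at a server console. This added example (not part of the Symantec guide or the ESM software) validates a constructed registration plan against them; the Registration record, its field names, the finding codes, the host names and the version tuples are assumptions made for illustration.

```python
from dataclasses import dataclass

# Values taken from the guide: default manager port and the NetWare/NDS
# major versions on which each protocol is supported.
DEFAULT_MANAGER_PORT = 5600
PROTOCOL_SUPPORT = {"SPX": {4, 5}, "TCP/IP": {4, 5, 6}}
# The guide states that managers run only on Windows or UNIX.
MANAGER_PLATFORMS = {"windows", "unix"}


@dataclass(frozen=True)
class Registration:
    """One planned agent-to-manager registration (hypothetical record)."""
    agent_server: str        # NetWare server that hosts the agent
    agent_name: str          # name the agent registers under
    netware_major: int       # 4, 5 or 6
    agent_version: tuple     # e.g. (5, 0)
    manager: str             # manager host name
    manager_os: str          # operating system of the manager host
    manager_version: tuple   # e.g. (6, 0)
    protocol: str            # "SPX" or "TCP/IP"
    port: int = DEFAULT_MANAGER_PORT


def check_plan(plan):
    """Return a list of (registration, finding-code) tuples for a plan."""
    findings = []
    names = {}  # (agent_server, manager) -> agent names used for that pair
    for r in plan:
        where = f"{r.agent_server}->{r.manager}"
        supported = PROTOCOL_SUPPORT.get(r.protocol.upper())
        if supported is None:
            findings.append((where, "unknown-protocol"))
        elif r.netware_major not in supported:
            # For example SPX on a NetWare/NDS 6.x server.
            findings.append((where, "protocol-unsupported"))
        if r.manager_os.lower() not in MANAGER_PLATFORMS:
            findings.append((where, "manager-platform"))
        if r.manager_version < r.agent_version:
            # Registering to an earlier-version manager causes database
            # errors on the manager; upgrade the manager first.
            findings.append((where, "manager-older-than-agent"))
        if r.port != DEFAULT_MANAGER_PORT:
            # Not an error: confirm the manager listens on this port.
            findings.append((where, "nondefault-port"))
        names.setdefault((r.agent_server, r.manager), set()).add(r.agent_name)
    for (server, manager), seen in sorted(names.items()):
        if len(seen) > 1:
            # More than one agent name per manager breaks policy runs.
            findings.append((f"{server}->{manager}", "multiple-agent-names"))
    return findings


# Constructed sample plan; hosts and versions are illustrative only.
PLAN = [
    Registration("NW5-FS1", "nw5-fs1", 5, (5, 0), "mgr-a", "Windows", (6, 0), "SPX"),
    Registration("NW6-FS2", "nw6-fs2", 6, (5, 0), "mgr-a", "Windows", (6, 0), "SPX"),
    Registration("NW4-FS3", "nw4-fs3", 4, (5, 0), "mgr-b", "NetWare", (6, 0), "TCP/IP"),
    Registration("NW5-FS4", "nw5-fs4", 5, (5, 0), "mgr-c", "UNIX", (4, 0), "TCP/IP", 5605),
    Registration("NW5-FS1", "fileserver1", 5, (5, 0), "mgr-a", "Windows", (6, 0), "TCP/IP"),
]

if __name__ == "__main__":
    for where, code in check_plan(PLAN):
        print(f"{where}: {code}")
```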


To register a Symantec ESM agent on a local computer

The registration process includes the following steps:

■ Starting the Symantec ESM installer

■ Selecting the Symantec ESM agent registration option

■ Registering the Symantec ESM agent

To start the Symantec ESM installer

◆ Load the Symantec ESM installer. See “To start the Symantec ESM installer” on page 87.

To select the Symantec ESM agent registration option

1 Type 2 to use the Post-installation options.

2 Type 1 to register the Symantec ESM agent with a manager.

To register the Symantec ESM agent

1 Type the name of the manager where you want to register the agent. You can type a list of managers separated by commas or spaces.

2 Do one of the following:

■ Type 1 to use the SPX protocol.

Symantec ESM supports this protocol on servers that run NetWare/NDS 4x and 5x operating systems.

■ Type 2 to use the TCP/IP protocol.

Symantec ESM supports this protocol on servers that run NetWare/NDS 4x, 5x, and 6x operating systems.

3 Type the manager port number. The default port number is 5600.

4 Type the name of an account on the Symantec ESM manager with rights to register agents.

5 Type the password of the Symantec ESM manager account.

Reviewing a Symantec ESM agent context list

This task is optional. You can use the Symantec ESM installer to review a Symantec ESM agent context list.


To review the agent context list on a local computer

The agent context change process includes the following steps:

■ Starting the Symantec ESM installer

■ Selecting the Symantec ESM agent context review option

To start the Symantec ESM installer

◆ Load the Symantec ESM installer. See “To start the Symantec ESM installer” on page 87.

To review or create the Symantec ESM agent context

1 Type 2 to use the Post-installation options.

2 Type 3 to review or create the Symantec ESM agent context.

3 Do one of the following at the create prompt:

■ Type Y to create a Symantec ESM object with an agent context list.

■ Type N to leave the agent without a Symantec ESM agent context list.

4 Do one of the following at the change prompt:

■ Type Y to change the agent context list.

■ Type N to leave the agent context list unchanged.

5 Type the fully distinguished name of an account with administrator rights to create the Symantec ESM object. For example, admin.company name.

6 Type the password of the administrator account.

7 Type Y if you want the agent to perform NDS checks.

8 Type Y if you want the agent to check the entire tree.

9 Type the name that you want to give the Symantec ESM object.

10 Type the context where you want to create the Symantec ESM object.

Creating an NDS context mini-agent on a local computer

This task is optional. You can use the Symantec ESM installer to create an NDS context mini-agent.


To create an NDS context mini-agent on a local computer

The NDS context mini-agent creation process includes the following steps:

■ Starting the Symantec ESM installer

■ Selecting the Symantec ESM NDS context mini-agent option

■ Creating the Symantec ESM NDS context mini-agent

To start the Symantec ESM installer

◆ Load the Symantec ESM installer. See “To start the Symantec ESM installer” on page 87.

To select the Symantec ESM NDS context mini-agent creation option

1 Type 2 to use the Post-installation options.

2 Type 4 to create a Symantec ESM NDS context mini-agent.

To create the Symantec ESM NDS context mini-agent

1 Type Y if the Symantec ESM installer prompts you to apply a patch to the agent.

2 Type the name of the Symantec ESM manager that you want to cooperate with the agent. You can type a list of managers separated by commas or spaces.

3 Do one of the following:

■ Type 1 to use the SPX protocol.

Symantec ESM supports this protocol on servers that run NetWare/NDS 4x and 5x operating systems.

■ Type 2 to use the TCP/IP protocol.

Symantec ESM supports this protocol on servers that run NetWare/NDS 4x, 5x, and 6x operating systems.

4 Type the manager port number. The default port number is 5600.

5 Type the name of an account on the Symantec ESM manager with rights to register agents.

6 Type the password of the Symantec ESM manager account.

Creating a server-only mini-agent on a local computer

This task is optional. You can use the Symantec ESM installer to create a server-only mini-agent.


To create a server-only mini-agent on a local computer

The server-only mini-agent creation process includes the following steps:

■ Starting the Symantec ESM installer

■ Selecting the Symantec ESM server-only mini-agent option

■ Creating the Symantec ESM server-only mini-agent

To start the Symantec ESM installer

◆ Load the Symantec ESM installer. See “To start the Symantec ESM installer” on page 87.

To select the Symantec ESM server-only mini-agent creation option

1 Type 2 to use the Post-installation options.

2 Type 5 to create a Symantec ESM server-only mini-agent.

To create the Symantec ESM server-only mini-agent

1 Type Y if the Symantec ESM installer prompts you to apply a patch to the agent.

2 Type the name of the Symantec ESM manager that you want to cooperate with the agent. You can type a list of managers separated by commas or spaces.

3 Do one of the following:

■ Type 1 to use the SPX protocol.

Symantec ESM supports this protocol on servers that run NetWare/NDS 4x and 5x operating systems.

■ Type 2 to use the TCP/IP protocol.

Symantec ESM supports this protocol on servers that run NetWare/NDS 4x, 5x, and 6x operating systems.

4 Type the manager port number. The default port number is 5600.

5 Type the name of an account on the Symantec ESM manager with rights to register agents.

6 Type the password of the Symantec ESM manager account.

Upgrading an older version of Symantec ESM

This task is optional. To upgrade an older version of the Symantec ESM agent, shut down the agent and then load the new version. See “Upgrading an older version of Symantec ESM” on page 48.


To upgrade the Symantec ESM agent:

1 Do one of the following:

■ Log on to the console of a server running the NetWare/NDS operating system using an account with administrator privileges.

■ Connect to the server using the remote RCONSOLE utility on a computer that has a Windows operating system.

2 Type <server name>: UNLOAD ESMAGENT.NLM.

3 To upgrade Symantec ESM on the agent computer, see “Installing a Symantec ESM agent on a local server” on page 85.

Changing a Symantec ESM agent port

This task is optional. ESM uses specific ports. See Table A-1, “Symantec ESM communication ports,” on page 132.

To change a Symantec ESM agent port:

1 Do one of the following:

■ Log on to the console of a server running the NetWare/NDS operating system using an account with administrator privileges.

■ Connect to the server using the remote RCONSOLE utility on a computer that has a Windows operating system.

2 Type <server name>: UNLOAD ESMAGENT.NLM to stop the Symantec ESM agent.

3 Do one of the following:

■ If the agent uses the TCP communications protocol, access the \ESM\CONFIG\TCP_PORT.DAT file and change the agent port number to the desired port number.

■ If the agent uses the SPX communications protocol, access the \ESM\CONFIG\IPX_PORT.DAT file and change the agent port number to the desired port number.

4 Type <server name>: UNLOAD ESMAGENT.NLM to restart the Symantec ESM agent.

5 Reregister the agent with the manager. See “Registering a Symantec ESM agent on a local computer” on page 88.

The manager must be listening on the specified port before it can register the agent.


Uninstalling Symantec ESM from a local computer

This task is optional. On servers that have NetWare/NDS operating systems, manually remove everything under the Symantec ESM directory including any files, generated reports, executables, and the objects that the Symantec ESM installer creates during installation.

Note: Unpredictable results can occur if you uninstall a Symantec ESM agent during a policy run that includes the agent.

To uninstall the Symantec ESM agent:

1 Do one of the following:

■ Log on to the console of a server running the NetWare/NDS operating system using an account with administrator privileges.

■ Connect to the server using the remote RCONSOLE utility on a computer that has a Windows operating system.

2 Type <server name>: UNLOAD ESMAGENT.NLM to stop the Symantec ESM agent.

3 On the Windows computer, do the following:

■ Use Windows Explorer to delete the ESM directory and its subdirectories. The default directory is AXENT\ESM.

Optionally, type the DELTREE command at the DOS command prompt.

■ Delete the Symantec ESM files from the server SYS:SYSTEM directory.

■ Access the NWADMIN NetWare utility, then delete the ESM object.

■ Access the NDS manager utility, then use the NDS Schema manager utility to delete the AXENT: ESM Agent Class, then find and delete the AXENT: ESM Agent Context List.


Chapter 5

Installing Symantec ESM agents on OS/400

This chapter includes the following topics:

■ Before you install

■ System requirements

■ Installing

■ Post-installation tasks

Before you install

Develop an implementation plan for rolling out Symantec ESM agents on the IBM iSeries computers in your network that have OS/400 operating systems. During the planning process, do the following:

■ Select the computers where you want to install Symantec ESM agent software.

■ Obtain access to the QSECOFR account on each selected computer.

■ Select the Symantec ESM managers where you want to register each Symantec ESM agent. For each manager, list the name of the host computer, the name and password of an account on the manager with privileges to register Symantec ESM agents, the communication protocol, and the port number.

Add the managers to the OS/400 TCP/IP host table by typing CFGTCP and selecting option 10.

Note: Symantec ESM managers run only on computers that have Windows or UNIX operating systems.


System requirements

Computers that have OS/400 operating systems must meet these minimum requirements to install and run Symantec ESM software.

Operating requirements

Computers that install Symantec ESM must meet the following minimum hardware requirements:

■ IBM OS/400 VSR1M0

■ 4096 MB RAM memory

■ 1600 MB of free disk space

■ 1024 MB pool size

Installing

You can install Symantec ESM agents on IBM iSeries computers that have OS/400 operating systems.

Installing a Symantec ESM agent on an OS/400

This task is mandatory if your implementation plan requires the OS/400 to function as a Symantec ESM agent. The installation process consists of extracting the Symantec ESM libraries from the CD-ROM, running the installation program, and registering the Symantec ESM agents with their managers.

Symantec distributes Symantec ESM software on an ISO 9660 (High Sierra Format) CD-ROM disk. To access this software, at least one OS/400 must have access to a CD-ROM drive.

To install a Symantec ESM agent on an OS/400

The installation process includes the following steps:

■ Starting the Symantec ESM installer

■ Selecting the type of installation

■ Performing the installation

■ Registering the agent to a manager


To start the Symantec ESM installer

1 Insert the Symantec ESM CD-ROM in the computer’s CD-ROM drive.

2 Log in to the computer with an OS/400 operating system as QSECOFR.

3 Type LODRUN DEVICE <OPT01>

OPT01 is the default name of the CD-ROM drive. If your OS/400 uses a different name for the CD-ROM drive, substitute the correct name in the command.

To select the type of installation

1 Type Y to select the New Install option.

2 Select Enter=Accept if you agree to the terms of the Software License agreement.

To install a Symantec ESM agent

1 Type N in the Transfer data field.

2 Do one of the following in the Submit to batch field:

■ Type N, then press Tab. This lets you install the software interactively and locks the workstation until you finish the installation.

■ Type Y, then press Tab. This lets you submit the installation as a batch job using the OS/400 SBMJOB command. After the batch file finishes, you must register the Symantec ESM agent to a Symantec ESM manager using the ESM menu option.

3 Type the name of the media device. The default media device is the OS/400 CD-ROM. This field is protected when the OS/400 runs the Lodrun command.

Press F3 if the Lodrun command is incorrect. Then repeat the steps to start the Symantec ESM installer with the correct device.

4 Do one of the following:

■ Press Tab to accept the default Symantec ESM agent software library. The default name of the ESM agent software library is ESMSAVF.

■ Type the name of a preferred software library and press Tab to use a different library.

5 Press Tab to accept the default Symantec ESM installation library. The default name of the library is APYESM.

Note: Do not rename the Symantec ESM installation library.


6 Do one of the following:

■ Press Tab to accept the default name of the message queue that receives the install messages. The default message queue name is USRPFR. Installation messages are sent to the profile that is used to perform the install.

■ Type the name of the preferred message queue and press Tab.

7 Press Enter to execute the command. If you chose the batch file option in step 2, the OS/400 SBMJOB command screen lets you set the batch file execution options. For SBMJOB parameter details, see the appropriate IBM documentation.

The OS/400 displays status messages while the ESM Agent software installation is in progress.

Post-installation tasks

Symantec ESM post-installation tasks include:

■ Registering a Symantec ESM agent on a local computer

■ Uninstalling Symantec ESM from a local computer

Registering a Symantec ESM agent on a local computer

Registering a Symantec ESM agent with a manager establishes secured communications between the agent and manager. Each agent must register to at least one manager.

Do not use more than one agent name to register a Symantec ESM agent to a manager. Symantec ESM reports an error when you try to run policies on the agent.

Do not register the Symantec ESM agent to an earlier version of a manager. This causes database errors on the manager. Instead, upgrade the managers to the latest Symantec ESM version before registering the agent.

The manager must be running to register the agent. If the manager is not running, you can restart the manager and use the Register agent option in the Symantec ESM installer to register the agent.

Symantec ESM agents that register before a manager upgrade continue to function with the manager after the upgrade. However, you must upgrade these agents to use the new functions and features.


To register the Symantec ESM agent to a manager

1 Log in to the OS/400 using ESM as the profile.

Note: You must change the password after the first login.

2 On the ESM main menu, select Register with Manager.

3 Specify the following information:

■ TCP/IP port number

■ ESM user name

■ ESM profile password

■ ESM manager name

4 At the system command prompt, select Enter to end the terminal session.

Uninstalling Symantec ESM from a local computer

Uninstalling the Symantec ESM agent removes any files, reports, executable code, and services that Symantec ESM creates during installation.

Before you remove Symantec ESM, make sure that you are not using the Symantec ESM libraries. If you are using a Symantec ESM library, the uninstall program reports an error message and does not remove that library.

Note: Unpredictable results can occur if you uninstall a Symantec ESM agent during a policy run that includes the agent.

To uninstall Symantec ESM from a local computer

1 Log in to the IBM iSeries computer with an OS/400 operating system as QSECOFR.

2 Type CALL PGM(QGPL/RMVESM) at the command line.

Note: You can run the command in the background using the OS/400 SBMJOB command. See the appropriate IBM documentation.


Chapter 6

Installing Symantec ESM agents on OpenVMS

This chapter includes the following topics:

■ Before you install

■ System requirements

■ Installing

■ Post-installation tasks

Before you install

Develop an implementation plan for rolling out Symantec ESM agents on the computers in your network that have OpenVMS operating systems. During the planning process, do the following:

■ Select the computers where you want to install Symantec ESM agent software.

■ Obtain access to an account with system privileges on each selected computer. Table 6-1 lists the privileges that the account must have to invoke the ESMSETUP.COM command procedure. The ESMSETUP.COM command procedure performs certain functions that require specific privileges. For example, registering a Symantec ESM agent, configuring the network settings for Symantec ESM, and starting up or shutting down the Symantec ESM agent.

Table 6-1 ESMSETUP.COM account privileges

Account Privileges    Account Privileges    Account Privileges
CMKRNL                OPER                  SYSNAM
DETACH                PRMMBX                SYSPRV
EXQUOTA               SETPRV                TMPMBX
NETMBX                SYSLCK                WORLD

■ Select the Symantec ESM managers where you want to register each Symantec ESM agent. For each manager, list the name of the host computer, the name and password of an account on the manager with privileges to register Symantec ESM agents, the communication protocol, and the port number.

Note: Symantec ESM managers run only on computers that have Windows or UNIX operating systems.

■ Select a communication protocol for the Symantec ESM agents. Symantec ESM supports Multinet TCP/IP, UCX, and TCPware.

Note: In this release, the Symantec ESM 5.1 agent installs on computers with OpenVMS operating systems. Do not upgrade your agents if these computers are already running this version of the Symantec ESM software.

System requirements

Computers that have OpenVMS operating systems must meet these minimum requirements to install and run Symantec ESM software.

Operating requirements

Computers that install Symantec ESM must meet the following minimum hardware requirements:

■ Alpha processors on DECstations and DECsystems

■ 45 MB of free disk space

■ CD-ROM drive that complies with the ISO9660 standard

Computers that install Symantec ESM agents must have VMS 7.2 or VMS 7.3 operating systems.


Installing

You can install Symantec ESM agents on computers that have supported OpenVMS operating systems.

Installing a Symantec ESM agent on a local computer

This task is mandatory if your implementation plan requires the computer to function as a Symantec ESM agent. The installation process consists of extracting the Symantec ESM files from the CD-ROM, running the installation program, and registering the Symantec ESM agents with their managers.

Symantec distributes Symantec ESM software on an ISO 9660 (High Sierra Format) CD-ROM disk. To access this software, at least one computer with a Windows operating system must have access to a CD-ROM drive.

Symantec locates the programs for each product on the CD-ROM according to the following two directory structures:

■ \vendor\os\architecture\product

■ \vendor\os\architecture\util

Where:

■ vendor is the name of the operating system vendor; for example, dec

■ os is the operating system name; for example, vms

■ architecture is the CPU type; for example, axp

■ product is the product name that Symantec abbreviates to three characters plus the product version; for example, esm60

■ util contains any additional files necessary or useful to the installation or registration process

Symantec provides ESM saveset files in zip format. Run the unzip utility to uncompress the files. The utility names the uncompressed files esm060.a and esm060.b.

To install Symantec ESM on a local computer

The installation process includes the following steps:

■ Copying and uncompressing the Symantec ESM files

■ Starting the Symantec ESM installer

■ Performing the installation


To copy and uncompress the Symantec ESM files

1 Create a temp directory.

2 Type Mount/override=id devname (example [DKA400:])

3 Type Copy devname:[xxx.xxx.util]unzip.exe sys$system:

4 Type Copy devname:[xxx.xxx.esm60]esmaxp.zip temp:

5 Type Set default temp:

6 Type mcr unzip esmaxp.zip

Note: The utility uncompresses and renames the Symantec ESM saveset files to esm060.a and esm060.b.

To start the installation program

1 Log in to a computer running the OpenVMS operating system using an account with SYSTEM privileges.

2 Type $ @sys$update:vmsinstal esm temp:

3 Type Yes if the current account quota settings are satisfactory.

4 Type Yes if the current system disk backup is satisfactory.

To install the Symantec ESM agent

1 Type Yes to install the Symantec ESM agent software.

2 Do one of the following:

■ Type Yes to install in a cluster environment. Type the names of all the nodes in the cluster that you want to share the installation as agents. Then type Yes if the list is correct.

■ Type No to install in a non-cluster environment.

3 Specify the name of the directory where you want to install the Symantec ESM files. The installer uses the SYS$SYSTEM:[SYMANTEC.ESM] directory by default.

4 Type Yes if you want to purge the old files.

5 Type Yes if you want to use the ESM_SERVER account with its unique UIC value.


Post-installation tasks

Symantec ESM post-installation tasks include:

■ Invoking the esmsetup command procedure on a local computer

■ Enabling network communications on a local computer

■ Registering the Symantec ESM agent on a local computer

■ Reregistering Symantec ESM agents to a manager

■ Starting the Symantec ESM agent on a local computer

■ Exiting the esmsetup command procedure on a local computer

■ Upgrading an older version of Symantec ESM

■ Changing a Symantec ESM agent port

■ Uninstalling Symantec ESM from a local computer

Invoking the esmsetup command procedure on a local computer

This task is mandatory. You must invoke the esmsetup command procedure to enable network communications, register the Symantec ESM agent, and start it up.

To invoke the esmsetup command procedure

1 Type Set default esm_bin:

2 Type @esm_bin:esmsetup

Enabling network communications on a local computer

This task is mandatory. You must enable communications between the Symantec ESM agent and manager. Symantec ESM supports the Multinet TCP/IP, UCX, and TCPware protocols. See Table A-1, “Symantec ESM communication ports,” on page 132.

To enable network communications

1 Type network at the configuration procedure prompt.

2 Type Yes to continue.

3 Type 5601 or the current agent port number.

4 Type Yes to save the configuration.

Registering the Symantec ESM agent on a local computer

This task is mandatory. Registering the Symantec ESM agent with a manager establishes secure communications between the agent and manager. Each agent must register with at least one manager.

To register the Symantec ESM agent

1 Type register at the configuration procedure prompt.

2 Type the name of the manager to which you want to register the agent. You can type a list of managers separated by spaces.

3 Type the manager port number. The default port number is 5600.

4 Type the name of an account on the Symantec ESM manager with rights to register agents.

5 Type the password of the Symantec ESM manager account.

6 Type the name of the computer that is installing the Symantec ESM agent. The Symantec ESM manager uses the name to look up the IP address of the agent computer. This name can have up to 61 characters.

Note: Do not use more than one agent name to register a Symantec ESM agent to a manager. Symantec ESM reports an error when you try to run policies on the agent.

Reregistering Symantec ESM agents to a manager

This task is optional. Symantec ESM lets you reregister agents with a manager that is recovering from a problem such as a host computer failure. Symantec ESM reregistration tasks include:

■ Exporting the Symantec ESM reregistration agent list

■ Configuring Symantec ESM agents for remote reregistration

■ Reregistering the Symantec ESM agents

Exporting the Symantec ESM reregistration agent list

You must create and export a property file to use the Symantec ESM agent reregistration feature. The property file provides necessary information to the Symantec ESM manager during the reregistration process.

Use the Symantec ESM console to create the property file. The file lists the manager, the registered agents, the ports, and the communication protocols.

The property file is a plain text, tab delimited file. For security purposes, store the file in a safe location.

The property file has the following format:

    manager_name<tab>manager_port<tab>manager_protocol
    agent_1_name<tab>agent_1_port<tab>agent_1_protocol
    agent_2_name<tab>agent_2_port<tab>agent_2_protocol
    .
    .
    agent_2000_name<tab>agent_2000_port<tab>agent_2000_protocol

The first line in the file must contain the name of the manager, its port, and protocol. The information for each agent must follow on a separate line.
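
The following is an added example, not part of the Symantec guide and not Symantec code: a Python check of an exported agent list against the format above before the file is used for reregistration. The sample host names, the protocol value TCP, and the strictness rules (no blank lines, no duplicate agent names, notes on non-default ports) are assumptions; the 61-character agent name limit, the 2000-entry listing, and the default ports 5600 and 5601 come from the guide.

```python
"""Validate an exported ESM agent list (tab-delimited property file)."""
from dataclasses import dataclass

MAX_AGENTS = 2000         # the guide's format listing ends at agent_2000
MAX_AGENT_NAME_LEN = 61   # agent name limit from the registration steps
DEFAULT_MANAGER_PORT = 5600
DEFAULT_AGENT_PORT = 5601


@dataclass(frozen=True)
class Entry:
    name: str
    port: int
    protocol: str


def _parse_line(raw, lineno, problems):
    """Split one line into an Entry, or record why it is malformed."""
    fields = raw.split("\t")
    if len(fields) != 3:
        problems.append(
            f"line {lineno}: expected 3 tab-separated fields, found {len(fields)}")
        return None
    name, port_text, protocol = fields
    if not name or any(c.isspace() for c in name):
        problems.append(f"line {lineno}: empty name or whitespace in name")
        return None
    valid_digits = port_text.isascii() and port_text.isdigit()
    if not valid_digits or not 1 <= int(port_text) <= 65535:
        problems.append(f"line {lineno}: port {port_text!r} is not in 1-65535")
        return None
    if not protocol.strip():
        problems.append(f"line {lineno}: protocol field is empty")
        return None
    # Protocol values are not enumerated in the guide, so they are not checked.
    return Entry(name, int(port_text), protocol.strip())


def validate_agent_list(text):
    """Return (manager, agents, problems, notes) for the property-file text.

    problems: entries that break the documented format (assumed strict rules).
    notes:    entries that are well formed but use a non-default port.
    """
    problems, notes, agents, seen = [], [], [], set()
    manager = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            problems.append(f"line {lineno}: blank line")
            continue
        entry = _parse_line(raw, lineno, problems)
        if entry is None:
            continue
        if lineno == 1:  # the first line must describe the manager
            manager = entry
            if entry.port != DEFAULT_MANAGER_PORT:
                notes.append(f"line 1: manager uses non-default port {entry.port}")
            continue
        if len(entry.name) > MAX_AGENT_NAME_LEN:
            problems.append(
                f"line {lineno}: agent name longer than {MAX_AGENT_NAME_LEN} characters")
            continue
        key = entry.name.lower()
        if key in seen:
            problems.append(f"line {lineno}: agent {entry.name!r} listed more than once")
            continue
        seen.add(key)
        if entry.port != DEFAULT_AGENT_PORT:
            notes.append(
                f"line {lineno}: agent {entry.name!r} uses non-default port {entry.port}")
        agents.append(entry)
    if manager is None:
        problems.append("line 1: no valid manager entry")
    if len(agents) > MAX_AGENTS:
        problems.append(f"{len(agents)} agents listed, more than {MAX_AGENTS}")
    return manager, agents, problems, notes


# Constructed sample input; host names and the protocol value are made up.
SAMPLE = (
    "esm-mgr01\t5600\tTCP\n"
    "vmsnode1\t5601\tTCP\n"
    "websrv02\t5611\tTCP\n"    # well formed, non-default agent port
    "vmsnode1\t5601\tTCP\n"    # duplicate agent name
    "dbhost03 5601 TCP\n"      # spaces instead of tabs
    "filesrv04\t70000\tTCP\n"  # port out of range
)

if __name__ == "__main__":
    manager, agents, problems, notes = validate_agent_list(SAMPLE)
    print("manager:", manager)
    print("agents accepted:", [a.name for a in agents])
    for line in problems:
        print("PROBLEM", line)
    for line in notes:
        print("NOTE   ", line)
```
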

To export the Symantec ESM agent list

1 On a computer with a Windows operating system that is running a Symantec ESM console, in the enterprise tree, right-click the appropriate manager.

2 Select Export Agent List.

3 In the Save Agent List dialog box, do the following:

■ Type the name of the agent list file.

■ Select a folder location to save the file.

■ Click Save.

4 Click OK.

Configuring Symantec ESM agents for remote reregistration

Before you can reregister Symantec ESM agents to a manager, you must configure the agents to accept reregistration commands from the manager. You must do this just before starting the reregistration process. To minimize the risk to network security, you can specify the amount of time, in minutes, that the agent can accept reregistration requests. By default, the manager has 180 minutes to reregister the agent. Use the -h option to display information about the reregistration command. Use the -t option to change the time limit. For example, -t 60 stops the agent from accepting reregistration requests after 60 minutes.

To configure Symantec ESM agents for remote reregistration

1 Log in to a computer with an OpenVMS operating system that is running a Symantec ESM agent using an account with SYSTEM privileges.

2 Create a temp directory.

3 Type Mount/override=id devname (example [DKA400:])

4 Type Copy devname: [xxx.xxx.util]rereg.exe sys$system:

5 Type Set default temp:

6 Do one of the following:

■ Type mcr rereg.exe to use the 180 minute default time limit.

■ Type mcr rereg.exe -t (x), where x is the time limit in minutes.

Reregistering the Symantec ESM agents

Use the Symantec ESM console to start the agent reregistration process.

To reregister Symantec ESM agents

1 On a computer with a Windows operating system that is running a Symantec ESM console, in the enterprise tree, right-click the appropriate manager.

2 Select Register Agents to Manager.

3 Do the following:

■ Type the user name and password of an account on the manager with rights to modify all domains, policies, and templates.

■ Click Browse to find the agent list that applies to the manager.

4 Click Finish to start the remote reregistration process.

5 Click Done after the remote reregistration process finishes.

Starting the Symantec ESM agent on a local computer

This task is mandatory. Starting the Symantec ESM agent enables the agent services.

To start the Symantec ESM agent

◆ Type startup at the configuration procedure prompt.

Exiting the esmsetup command procedure on a local computer

This task is optional.

To exit the esmsetup command procedure

◆ Type exit at the configuration procedure prompt.

Upgrading an older version of Symantec ESM

This task is optional. To upgrade an older version of the Symantec ESM agent, shut down the agent and then install the new version. See “Upgrading an older version of Symantec ESM” on page 48.

To shut down the Symantec ESM agent

1 Type shutdown at the configuration procedure prompt.

2 To upgrade Symantec ESM on the agent computer, see “Installing a Symantec ESM agent on a local computer” on page 103.

Changing a Symantec ESM agent port

This task is optional. ESM uses specific ports. See Table A-1, “Symantec ESM communication ports,” on page 132.

To change a Symantec ESM agent port:

1 Type shutdown at the configuration procedure prompt.

2 Access the /esm/config/tcp_port.dat file and change the agent port number to the desired port number.

3 Type startup at the configuration procedure prompt.

4 Reregister the agent with the manager. See “Registering the Symantec ESM agent on a local computer” on page 106.

The manager must be listening on the specified port before it can register the agent.

Uninstalling Symantec ESM from a local computer

This task is optional. On computers with OpenVMS operating systems, manually remove everything under the Symantec ESM directory including any files, generated reports, and executables.

Note: Unpredictable results can occur if you uninstall a Symantec ESM agent during a policy run that includes the agent.

To remove the Symantec ESM agent

1 Type shutdown at the configuration procedure prompt.

2 Delete the ESM directory and its subdirectories. The default directory is SYS$SYSDEVICE:[SYMANTEC.ESM].

Chapter 7: Installing Symantec ESM consoles

This chapter includes the following topics:

■ Before you install

■ System requirements

■ Installing

■ Post-installation tasks

Before you install

Develop an implementation plan for rolling out Symantec ESM consoles on the computers in your network that have Windows operating systems. During the planning process, do the following:

■ Select the computers where you want to install Symantec ESM console software.

■ Obtain access to an account with administrator privileges on each selected computer.

■ Select a user name and password for the initial Symantec ESM console account.

System requirements

Computers that have Windows operating systems must meet these minimum requirements to install and run Symantec ESM software.

Operating requirements

The computers must meet the following minimum hardware requirements:

■ Intel compatible P120 or equivalent CPU

■ 64 MB RAM

■ 50 MB of free disk space

The computers that install Symantec ESM consoles must have the following operating systems, the latest service packs, and Distributed Component Object Model (DCOM 95):

■ Windows 2003 server

■ Windows XP

■ Windows 2000

■ Windows NT 4.0

■ Windows 98

Scalability parameters

A Symantec ESM manager, agent, and console that install on the same computer can scale to the indicated number of agents if its host computer has the RAM and free disk space in Table 7-1.

Note: You can estimate the additional free disk space that the Symantec ESM manager requires to store policy run data. See “Policy run disk space” on page 33.

Table 7-1 Symantec ESM manager, agent, and console scalability

| RAM | Free disk space | Maximum number of registered agents | Number of agents per policy run |
|---|---|---|---|
| 128 MB | 200 MB | Symantec ESM: 2000 | Symantec ESM: 400 |

The ESM console takes longer to update and requires more memory and disk space if you have more than 100 agents registered to a manager. ESM consoles can scale to the indicated number of managers in Table 7-2.

Installing

You can install Symantec ESM consoles on computers that have supported Windows operating systems.

Installing Symantec ESM on a local computer

This task is mandatory if your implementation plan requires the computer to function as a Symantec ESM console. The installation process consists of extracting the Symantec ESM files from the CD-ROM and running the installation program.

Symantec distributes Symantec ESM software on an ISO 9660 (High Sierra Format) CD-ROM disk. To access this software, at least one computer with a Windows operating system must have access to a CD-ROM drive.

Symantec locates the programs for the Symantec ESM console on the CD-ROM in the \esmcon folder. Symantec provides the software files in ordinary format for Windows computers.

To install Symantec ESM on a local computer

The installation process includes the following steps:

■ Starting the Symantec ESM installer

■ Performing the installation

Table 7-2 Symantec ESM/Intruder Alert manager/agent scalability

| Number of registered agents per Symantec ESM manager | Number of registered agents for all Symantec ESM managers |
|---|---|
| 2,000 | 10,000 |

To start the Symantec ESM installer

1 On a computer with a Windows operating system, log on as administrator or administrator-equivalent.

2 Do one of the following:

■ To use the autorun feature, insert the Symantec ESM CD-ROM in the computer’s CD-ROM drive.

In the Overview dialog box, click Next.

In the next dialog box, check the ESM Console Install check box. Clear the other check boxes to prevent the Symantec ESM manager, agent, or utilities from installing on the computer. Then click Next.

In the last dialog box, click Finish.

■ To manually start the Symantec ESM console installer, access the CD-ROM drive or the network installation directory if you copy the files to a hard disk, change to the \esmcon folder, and double-click setup.exe.

To install or upgrade a Symantec ESM console

1 In the Welcome dialog box, click Next.

2 In the Software License Agreement dialog box, if you agree to the terms of the License Agreement, click Yes.

3 In the Information dialog box, click Next.

4 In the Initial Account dialog box, type a user name and password to set up the first Symantec ESM console account. The console account password can have up to 32 characters. The console account keeps the user’s trend database, console settings, and enterprise workspace configuration private.

To use the functions in a manager, you must connect the console to the manager using a manager account with the appropriate rights.

5 In the Install Java v1.3 dialog box, check the Include Java v1.3 installation checkbox if you do not have Java v1.3 installed on the computer.

6 In the Choose Destination Location dialog box, do one of the following:

■ To install in the C:\Program Files\Symantec\ESM Enterprise Console folder, click Next.

■ To select another folder, click Browse.

Do not choose the root folder. There are security issues if you select a volume that does not use the NTFS file system.

7 In the Start Copying Files dialog box, click Next.

8 In the Question dialog box, click Yes to install LiveUpdate.

9 In the Configure Data Source for Report Viewer dialog box, do one of the following:

■ Click Yes, if you have an SQL database or a .mdb file already set up for Symantec ESM reporting and you want to configure ODBC.

Start by choosing the type of data source:

Select File data source to create a file-based data source that all users with access to the database can share.

Select User data source to create a data source that only you can access on the host system.

Select System data source to create a data source that all users with access to the host system can access.

Continue by choosing the ODBC driver:

Select Microsoft Access driver (*.mdb) for an ODBC database.

Select Microsoft ODBC for ORACLE driver for an ORACLE database.

Finish by choosing the data source name and database:

Select ESMReports as the data source name and ESMSchema.mdb as the database for the default ESM Reports tool.

Enter a new data source name and database to select your own custom XML report files and database. You can use the ESMSchema.mdb database and ESMReports data source as examples.

■ Click No, if you have already installed the Microsoft Access ODBC database, driver, and data source name using the ESM utilities setup program, or the computer installing the ESM console does not have ODBC drivers.

For computers without ODBC drivers, you can install ODBC drivers using the custom setup options in the ESM utilities setup program. See “Installing the ESM utilities” on page 7.3.

Click Start > Control Panel, and then double-click ODBC Data Source to configure the data source.

10 In the Setup Complete dialog box, click Finish.

The installation program may prompt you to reboot the computer if you install the Symantec ESM console on an older version of a supported Windows operating system.

Post-installation tasks

Symantec ESM post-installation tasks include:

■ Connecting a Symantec ESM console to a manager

■ Upgrading an older version of the Symantec ESM console

■ Configuring the Symantec ESM console

■ Setting the Web browser

■ Uninstalling the Symantec ESM console from a local computer

Connecting a Symantec ESM console to a manager

This task is mandatory. You must connect the Symantec ESM console to a manager using a manager account with the necessary rights to perform functions and view security information. See the Symantec ESM 6.0 User’s Guide.

Upgrading an older version of the Symantec ESM console

This task is optional. Due to new features and changes in the communication protocol, the Symantec ESM 6.0 console can only connect to Symantec ESM 6.0 managers. To upgrade an older version of the Symantec ESM console, you must install the new version. See “Upgrading an older version of Symantec ESM” on page 48.

When you install the new version of the console, the Symantec ESM installer:

■ Archives the existing user database files. You cannot access the archived user database files with the new console. You can only use the archived database files for custom reporting.

■ Converts the existing user environments to work with the new console.

Configuring the Symantec ESM console

Symantec ESM graphics in printed reports look best when you set the Windows display to at least 256 colors and 800 by 600 pixels.

To verify the display settings

1 On the task bar, click Start > Settings > Control Panel > Display, and then click the Settings tab.

2 Do the following:

■ Color palette

Set this option to at least 256 colors, although the ESM console can run in 16 colors.

■ Desktop area

Set this option to at least 800 by 600 pixels, although the ESM console can run in 640 by 480 pixels.

Setting the Web browser

Use the default Web browser or choose another browser for the Symantec ESM help links. Symantec ESM help contains links to the Symantec Web site at http://securityresponse.symantec.com/.

The Symantec ESM console automatically launches the system default browser to display ESM reports. Most browsers are already set to handle .htm and .html files. If your browser does not support frames, disable the show table of contents option in the report options. This change causes the browser to open the report.html version of a report.

Uninstalling the Symantec ESM console from a local computer

This task is optional. On Windows computers, use Add/Remove Programs in the Control Panel to remove everything under the Symantec ESM console directory. It removes any files, reports, executable code, and services that Symantec ESM creates during installation. It also removes the Symantec ESM console icons from the program menu.

You must close the Symantec ESM console before you remove the software. The uninstall program cannot remove the software if you leave the Symantec ESM console running.

Note: Unpredictable results can occur if you uninstall a Symantec ESM console during a policy run that includes the console.

To uninstall Symantec ESM from a local computer

1 On a computer with a Windows operating system that is running the Symantec ESM console, log on as administrator or administrator-equivalent.

2 Click Start > Settings > Control Panel.

3 Double-click Add/Remove Programs.

4 Select the ESM 6.0 Enterprise Console from the list.

5 Click Change/Remove.

6 Click Yes.

Chapter 8: Installing Symantec ESM utilities

This chapter includes the following topics:

■ Before you install

■ System requirements

■ Installing

■ Post-installation tasks

Before you install

Develop an implementation plan for rolling out the Symantec ESM utilities on the computers in your network that have Windows or UNIX operating systems. During the planning process, do the following:

■ Select the computers where you want to install the Symantec ESM utilities.

■ Obtain access to accounts with administrator privileges on computers that have Windows operating systems.

■ Obtain access to accounts with root privileges on computers that have UNIX operating systems.

■ Upgrade the Symantec ESM managers that are on the network to version 6.0 or later. The ESM Policy tool cannot run with earlier versions of Symantec ESM manager software.

■ Provide access to Java v1.3.

■ On Windows systems, choose options in the ESM installation program that install the Java runtime environment.

■ On UNIX systems, provide the path to the Java runtime environment.

■ Provide access to Java v1.4x.

■ On systems that use the Database Conversion Tool with ORACLE 9i and the ORACLE ODBC drivers, you must install JRE 1.4x. You can download the Java runtime environment from the Sun Microsystems Web site at http://java.sun.com/.

■ On systems that use the Database Conversion Tool with ORACLE 9i and the native ORACLE drivers, you can use JRE v1.3.

System requirements

Computers with Windows or UNIX operating systems must meet these minimum requirements to install and run Symantec ESM utilities.

Operating requirements for Windows systems

The computers must meet the following minimum hardware requirements:

■ Intel compatible P120 or equivalent CPU

■ 32 MB RAM

■ 50 MB of free disk space

The computers must have the following operating systems, the latest service packs, and Distributed Component Object Model (DCOM 95):

■ Windows 2003 server

■ Windows XP

■ Windows 2000

■ Windows NT 4.0

Operating requirements for UNIX systems

The computers must meet the following minimum hardware requirements:

■ 276 MHz or equivalent CPU

■ 64 MB RAM

■ 128 MB of swap space

■ 50 MB of free disk space

The computers must have the operating system versions in Table 8-1.

Policy run disk space

These requirements do not include the disk space that the Symantec ESM utilities use to store policy run data from the managers. You can estimate the additional disk space requirement by performing a policy run disk space calculation. See “Policy run disk space” on page 33.

Installing

You can install Symantec ESM utilities on computers that have supported Windows or UNIX operating systems.

Installing the Symantec ESM utilities on a local computer

This task is mandatory if your implementation plan requires the computer to run the Symantec ESM utilities. The installation process consists of extracting the Symantec ESM files from the CD-ROM and running the installation program.

To install the Symantec ESM utilities on a local computer

Symantec distributes ESM utilities software on an ISO 9660 (High Sierra Format) CD-ROM disk. To access this software, at least one computer with a Windows or UNIX operating system must have access to a CD-ROM drive.

■ For Windows installations, Symantec locates the programs associated with the ESM utilities on the CD-ROM in the \esmtools folder. Symantec provides the setup files in ordinary format.

■ For UNIX installations, Symantec locates the programs associated with the ESM utilities on the CD-ROM in the same compressed-format tar file that is used to install the ESM manager or agent. See “To extract the file from the CD-ROM” on page 72.

Table 8-1 Symantec ESM utilities operating system versions

| Platforms | Versions |
|---|---|
| AIX | 4.3.1, 4.3.3, 5.1, and 5.2 |
| HP-UX | 10.20, 11, 11i |
| Solaris | 2.5.1, 2.6, 2.7, 2.8, 2.9 |

To start the installation program on Windows

1 On a computer with a Windows operating system, log on as administrator or administrator-equivalent.

2 Do one of the following:

■ To use the autorun feature, insert the Symantec ESM CD-ROM in the computer’s CD-ROM drive.

In the Overview dialog box, click Next.

In the next dialog box, check the ESM Utilities check box. Clear the other check boxes to prevent the Symantec ESM manager, agent, or console from installing on the computer. Then click Next.

In the last dialog box, click Finish.

■ To start the Symantec ESM console installer, access the CD-ROM drive or the network installation directory if you copy the files to a hard disk, change to the \esmtools folder, and double-click setup.exe.

To start the installation program on UNIX

1 Use su or log in to root on a computer with a UNIX operating system that has a CD-ROM drive.

2 Mount the Symantec ESM CD-ROM on the computer. See “To mount the CD-ROM drive” on page 58.

3 Start the Symantec ESM installer. See “To start the Symantec ESM installer” on page 59.

To install or upgrade Symantec ESM utilities on Windows

1 In the Welcome dialog box, click Next.

2 In the Software License Agreement dialog box, if you agree to the terms of the License Agreement, click Yes.

3 In the Choose Destination Location dialog box, do one of the following:

■ To install in the C:\Program Files\Symantec\ESM Utilities folder, click Next.

■ To select another folder, click Browse.

Do not choose the root folder. There are security issues if you select a volume that does not use the NTFS file system.

4 In the Setup Type dialog box, do one of the following:

■ Select the Typical option to install the ESM Policy tool, the ESM Database Conversion tool, the ESM Reports tool, the default Microsoft Access database, the Java runtime environment, and the ODBC drivers.

■ Select the Compact option to install the ESM Policy tool, the ESM Database Conversion tool, the ESM Reports tool, and the Java runtime environment.

■ Select the Custom option to specify the options to install. These options include: the ESM Policy tool, the ESM Database Conversion tool, the ESM Reports tool, the Microsoft Access database, the Java runtime environment, and the ODBC drivers.

Select the Reporting option to install the ESM Reports tool. This tool has a set of pre-defined Crystal report files.

Select the ESM Database Conversion tool to export information from one or more ESM managers, running on supported Windows or UNIX systems, to an external database such as Microsoft Access, Microsoft SQL Server 7, or ORACLE 8. If you are using an ORACLE or SQL Server database, run the create.sql script in the MSSQL directory after you finish installing the ESM utilities. This script creates the required database schema tables and procedures. Applications or databases such as ORACLE 8i may install earlier versions of Java. To restore the ESM Database Conversion tool, reinstall the Java runtime portion of the ESM utilities.

Select the ESM Policy tool to export or import Policy definitions for ESM managers.

Select the Default Database option to install the ODBC database, driver, and data source name.

Select the Java runtime environment option to install the environment required by the Database Conversion tool and Policy tool.

Select the ODBC Drivers option to install Microsoft ODBC on the system.

5 In the Start Copying Files dialog box, click Next.

If the computer installs the Java runtime environment:

■ Follow the instructions in the Software license agreement screen.

■ Select a directory for the Java runtime environment on a volume that uses the NTFS file system.

■ If the computer installs the default database, follow the instructions in the End user license screen.

6 In the Setup Complete dialog box, click Finish.

To start the installation program on UNIX

1 Type 6 to install the Java tools on a local computer.

2 Type A if you agree to the terms of the License Agreement.

3 Type the full path of the Java VM including the executable name.

4 Type the full path of the JDBC driver.

5 Type the name of the Oracle server.

6 Type the port of the Oracle server.

7 Type the SID of the Oracle server.

8 Do one of the following:

■ Type the name of the CD-ROM drive containing the distribution media.

■ Type the full path name of the tar/tgz file on a disk.

■ Type the special device file name of the tape drive containing the installation tape.

9 After completing the Symantec ESM utilities installation, run the create.sql script in the mssql directory. This script creates the required database schema tables and procedures for the ORACLE database.

Post-installation tasks

Symantec ESM post-installation tasks include:

■ Upgrading an older version of the Symantec ESM utilities

■ Uninstalling the Symantec ESM utilities from Windows systems

■ Uninstalling the Symantec ESM utilities from UNIX systems

Upgrading an older version of the Symantec ESM utilities

This task is optional. To upgrade an older version of the Symantec ESM utilities, you must install the new version.

Uninstalling the Symantec ESM utilities from Windows systems

This task is optional. On Windows computers, use Add/Remove Programs in the Control Panel to remove everything under the Symantec ESM utilities directory. It removes any files, reports, executable code, and services that Symantec ESM creates during installation. It also removes the Symantec ESM utilities icons from the program menu.

You must close the Symantec ESM utilities before you remove the software. If you leave Symantec ESM utilities running, the uninstall program cannot remove the software.

To uninstall Symantec ESM from Windows systems

1 On a computer with a Windows operating system that is running Symantec ESM utilities, log on as administrator or administrator-equivalent.

2 Click Start > Settings > Control Panel.

3 Double-click Add/Remove Programs.

4 Select the ESM Utilities from the list.

5 Click Change/Remove.

6 Click Yes.

Uninstalling the Symantec ESM utilities from UNIX systems

On UNIX systems, the esmtoolsdeinstall program removes all ESM Java tool related files from the system.

To uninstall Symantec ESM from UNIX systems

1 Type ./esmtoolsdeinstall at the system command prompt.

2 Type Yes when you see the following message:

Warning...

You are running the ESM Java tools deinstallation program on ESM Java tools installed at /esm. This program will remove all ESM Java tools related files.

Are you sure you want to continue [no]:

Chapter 9: Installing Symantec ESM application modules and policies

This chapter includes the following topics:

■ Before you install

■ System requirements

■ Installing

Before you install

Do the following for each computer that has a Symantec ESM manager or agent:

■ Upgrade Symantec ESM to the current version.

■ Upgrade the modules to the current Security Update.

■ Make sure that the computer has installed the Java 2 Runtime Environment.

■ Obtain access to an account with the following privileges:

■ Administrator privileges on a Windows or NetWare/NDS operating system

■ Root privileges on a UNIX operating system

■ System privileges on an OpenVMS operating system

■ List the communication protocol and port

■ Install the application module TPI executable (if applicable). See the product’s User’s Guide or Best Practice Policy Manual.

The following released and planned application modules require the installation of their own TPI executables.

■ Symantec ESM for Databases 2.0

■ Symantec ESM for Databases 3.0

■ Symantec ESM for Firewalls 1.0

■ Symantec ESM for Firewalls 2.0

Installation procedures for TPI files vary according to product and operating system. See the Best Practice Policy Manual that accompanies each policy.

Symantec ESM best practice policies for Web servers and standards-based policies such as HIPAA and CIS Benchmarks do not require their own TPI executables.

System requirements

Installing or upgrading best practice policies does not change the minimum operating requirements of the installing computer.

Installing

You can install best practice policies on computers that have supported Windows, UNIX, NetWare/NDS, or OpenVMS operating systems.

Installing application modules and best practice policies

This task is mandatory if the best practice policy applies to the computer’s operating system. The installation process consists of running the best practice policy from the CD-ROM.

To install the application module or best practice policy

1 Run the BestPractice_<application>_<platform> executable file on your CD-ROM.

Software files are named by architectural structure. For example, in Symantec ESM for Databases, the TPI executable for Oracle on a Solaris Sparc machine is: /solaris-sparc/oracle92/esmora3.tpi.

The Symantec ESM Best Practice Policy for HIPAA on Windows 2000 is BestPractice_Windows_2000_HIPAA_<date>.

2 Click Next to close the InstallShield Welcome dialog box.

3 Click Yes to start installing the best practice policies.

4 Enter the requested manager information.

5 Click Next.

6 Click Finish.

Appendix A

Symantec ESM communications

This appendix includes the following topics:

■ About Symantec ESM communications security

■ Symantec ESM communication ports

About Symantec ESM communications security

Symantec ESM protects the security information that it gathers from the computers on your network as follows:

■ Symantec ESM encrypts the account names, passwords, and other data that it stores on your computers and transfers over your network.

■ Symantec ESM authenticates each incoming and outgoing connection to ensure that both connections involve valid Symantec ESM software. To initiate the authentication process, Symantec ESM uses the Diffie-Hellman algorithm to exchange secure keys between Symantec ESM components. Symantec ESM uses the secure key to initialize the DESX encryption engine. After that, Symantec ESM encrypts all communication between the components using the industry standard DESX algorithm. The originator verifies the transformed key. Unauthorized users cannot easily spoof Symantec ESM connections because Diffie-Hellman exchanges a different key each time.

■ Every process involving Symantec ESM agents, the Symantec ESM console, or the installation program that connects to a Symantec ESM manager must have an authorized Symantec ESM access record. These access records consist of a name and a password.

ESM encrypts the password using an algorithm that is similar to the encryption algorithm that most UNIX operating systems use in the /etc/passwd or /etc/shadow files. Symantec ESM stores the encrypted password in a Symantec ESM data file. Only privileged users such as root, supervisor, system, or administrator can access the file.

If a Symantec ESM manager rejects an access record password, Symantec ESM delays for a second before returning an acknowledgment. This delay can defeat brute force attacks against passwords.

■ Symantec ESM protects agents from unauthorized access through the manager registration process. Agents accept network connections only from Symantec ESM managers with whom they have previously registered.

Symantec ESM maintains a list of authorized managers on each agent in the /esm/config/manager.dat file. The agent checks this file each time a manager attempts a connection. The file stores the Symantec ESM manager name for the TCP/IP or IPX/SPX communication protocols.

■ Before Symantec ESM can make a change to a system file using a correction from the Symantec ESM console, it requires the user to log on to the system. Only a valid privileged system account can authorize the agent to perform the correction.

Symantec ESM communication ports

Symantec ESM uses the ports in Table A-1 to communicate between managers and agents.

Table A-1 Symantec ESM communication ports

| Operating system | Symantec ESM version | Port monitored by | Protocol | Port |
|---|---|---|---|---|
| Windows Server 2003 | 6.0 | ESM manager | TCP | 5600 |
| Windows Server 2003 | 6.0 | ESM agent | TCP | 5601 |
| Windows Server 2003 | 6.0 | ESM manager | SPX | 34918 |
| Windows Server 2003 | 6.0 | ESM agent | SPX | 34917 |
| Windows XP | 6.0, 5.5 | ESM agent | TCP | 5601 |
| Windows XP | 6.0, 5.5 | ESM agent | SPX | 34917 |
| Windows 2000 | 6.0, 5.5 | ESM manager | TCP | 5600 |
| Windows 2000 | 6.0, 5.5 | ESM agent | TCP | 5601 |
| Windows 2000 | 6.0, 5.5 | ESM manager | SPX | 34918 |
| Windows 2000 | 6.0, 5.5 | ESM agent | SPX | 34917 |
| Windows NT | 6.0, 5.5 | ESM manager | TCP | 5600 |
| Windows NT | 6.0, 5.5 | ESM agent | TCP | 5601 |
| Windows NT | 6.0, 5.5 | ESM manager | SPX | 34918 |
| Windows NT | 6.0, 5.5 | ESM agent | SPX | 34917 |
| UNIX | 6.0, 5.5 | ESM manager | TCP | 5600 |
| UNIX | 6.0, 5.5 | ESM agent | TCP | 5600 |
| OS/400 | 6.0 | ESM agent | TCP | 5601 |
| NetWare/NDS | 5.0 | ESM agent | TCP | 5601 |
| NetWare/NDS | 5.0 | ESM agent | SPX | 34917 |
| OpenVMS | 5.1 | ESM agent | TCP | 5601 |

Symantec ESM also uses the following ports:

■ Symantec ESM managers use port 5599 for connections to perform remote installations or remote upgrades of systems that connect using the TCP protocol.

■ Symantec ESM managers use ports in the range from 1024 to 5000 that TCP dynamically allocates for servers to use when making connections to clients.

■ The Symantec ESM console uses the appropriate manager port number to initiate a connection with a Symantec ESM manager. After the Symantec ESM console establishes a connection, it can transmit instructions and receive security data. The Symantec ESM console does not require a port number because Symantec ESM managers do not initiate connections to the Symantec ESM console.

■ You must open any firewalls that separate Symantec ESM components to the ports in Table A-1, port 5599, and ports ranging from 1024 to 5000. In some situations, you may have to modify or create a firewall proxy or tunnel to enable Symantec ESM component connections through a firewall.

■ Virtually all TCP applications require the opening of ports 1024 to 5000 as a standard practice. Servers making connections back to clients reserve the ports in this range. You must open these ports in both directions. This is a secure practice, as long as the TCP servers do not listen within this port range.
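An added example (not part of the Symantec guide): a Python check for the condition in the last bullet, that opening ports 1024 to 5000 is safe only while no TCP server listens in that range. It parses `netstat -an` output, lists listeners inside the range, and confirms that the Table A-1 TCP ports expected on the host are listening; the sample output, function names, and the choice of `netstat -an` as input are assumptions made for illustration.

```python
import re

# Constructed sample of `netstat -an` output (Windows-style and Linux-style
# lines mixed) for a host that runs both an ESM manager and an ESM agent.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135         0.0.0.0:0         LISTENING
  TCP    0.0.0.0:3389        0.0.0.0:0         LISTENING
  TCP    0.0.0.0:5601        0.0.0.0:0         LISTENING
  TCP    10.0.0.5:1042       10.0.0.9:5600     ESTABLISHED
tcp        0      0 0.0.0.0:5600      0.0.0.0:*      LISTEN
tcp6       0      0 :::4444           :::*           LISTEN
"""

# Range the guide says must be open in both directions (1024 to 5000 inclusive).
DYNAMIC_RANGE = range(1024, 5001)


def listening_tcp_ports(netstat_text):
    """Return the set of local TCP ports that are in the LISTEN state."""
    ports = set()
    for line in netstat_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or not tokens[0].lower().startswith("tcp"):
            continue
        if tokens[-1].upper() not in ("LISTEN", "LISTENING"):
            continue
        # In both layouts the local address is the third field from the end.
        match = re.search(r"[:.](\d+)$", tokens[-3])
        if match:
            ports.add(int(match.group(1)))
    return ports


def audit_listeners(netstat_text, expected_esm_ports):
    """Compare listeners with the expected ESM ports and the dynamic range."""
    listening = listening_tcp_ports(netstat_text)
    return {
        "missing_esm_ports": sorted(set(expected_esm_ports) - listening),
        "listeners_in_dynamic_range": sorted(
            p for p in listening if p in DYNAMIC_RANGE
        ),
    }


if __name__ == "__main__":
    # 5600 (manager) and 5601 (agent) are the TCP ports from Table A-1.
    report = audit_listeners(SAMPLE_NETSTAT, {5600, 5601})
    print("ESM ports not listening:", report["missing_esm_ports"])
    print("Listeners inside 1024-5000:", report["listeners_in_dynamic_range"])
```

Any port reported under the dynamic range is a service that the firewall opening would expose, so move or filter it before opening 1024 to 5000 between Symantec ESM components.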

Appendix B

System assessment checklist

This appendix includes the following topics:

■ About system assessment checklists

■ Manager checklist

■ Agent checklist

■ Console checklist

About system assessment checklists

Fill out a system assessment checklist for each computer that you select for your Symantec ESM pilot program. The information that you enter on the checklists lets you verify that the selected computers can function as Symantec ESM managers, agents, and consoles. You can use the checklists to do the following:

■ Assess the available disk space on the computers where you plan to install Symantec ESM components.

■ Establish TCP/IP connectivity among the computers in a heterogeneous trial configuration.

■ Verify TCP/IP communications by sending a ping command to each agent computer from the manager computer and vice versa.

■ Select the network CD-ROM drive. With this drive, determine the computer’s ability to distribute files using a file transfer program such as FTP.

See the System requirements in the Symantec ESM 6.0 Installation Guide for the computers that you select to install the managers, agents, and consoles.

Manager checklist

Table B-1 Manager checklist

Question Response

What is the system’s name?

What is the system’s communication protocol address?

What operating system is this computer running?

What version of the operating system is this system running?

Does the system have sufficient memory and free disk space to load and run the software?

For UNIX systems, does the system have sufficient swap space to run the software?

What is the installation file system path name?

For UNIX systems installing ESM utilities, what is the Java runtime environment path name?

Do you have access to a privileged account on the system?

What CD-ROM drive can you use to load the software?

Can you ping all of the systems listed in the agent section?

Can you ping all of the systems listed in the console section?

Must a system administrator install the ESM software?

Agent checklist

Table B-2 Agent checklist

Question Response

What is the system’s name?

What is the system’s communication protocol address?

What operating system is this computer running?

What version of the operating system is this system running?

Does the system have sufficient memory and free disk space to load and run the software?

For UNIX systems, does the system have sufficient swap space to run the software?

For OS/400 systems, is the pool size large enough to run the software?

What is the installation file system path name?

For UNIX systems installing ESM utilities, what is the Java runtime environment path name?

Do you have access to a privileged account on the system?

What CD-ROM drive can you use to load the software?

Can you ping all of the systems listed in the manager section?

Must a system administrator install the ESM software?

Console checklist

Table B-3 Console checklist

Question Response

What is the system’s name?

What is the system’s communication protocol address?

What operating system is this computer running?

What version of the operating system is this system running?

Does the system have sufficient memory and free disk space to load and run the software?

What is the installation file system path name?

Do you have access to a privileged account on the system?

What CD-ROM drive can you use to load the software?

Can you ping all of the systems listed in the manager section?

Must a system administrator install the ESM software?
