Release Notes for Symantec™ Critical System Protection Version 5.2 RU7 MP1


This document includes the following topics:

■ About Symantec Critical System Protection

■ What's new in version 5.2 RU7 MP1

■ What's new in version 5.2 RU7

■ Additional release information

■ What you need to know before you install or upgrade your software

■ Known issues

■ Resolved issues

■ Legal Notice

About Symantec Critical System Protection

Welcome to Symantec Critical System Protection, a flexible, multi-layer security solution for servers that detects abnormal system activities. Symantec Critical System Protection prevents and blocks viruses and worms, hacking attacks, and zero-day vulnerability attacks. Symantec Critical System Protection also hardens systems, enforcing behavior-based security policies on clients and servers.


Symantec Critical System Protection includes a management console and server components, and agent components that enforce policies on computers. The management server and management console run on Windows operating systems. The agent runs on Windows and UNIX operating systems.

Among Symantec Critical System Protection's key features are:

■ Predefined application policies for common Microsoft interactive applications

■ Out-of-the-box policies that continuously lock down the operating system, high-risk applications, and databases to prevent unauthorized executables from being introduced and run

■ Microsoft Windows, Sun Solaris, and Linux platform support

Among Symantec Critical System Protection's key benefits are:

■ Provides proactive, host-based security against day-zero attacks

■ Offers protection against buffer overflow and memory-based attacks

■ Helps to maintain compliance with security policies by providing granular control over programs and data

What's new in version 5.2 RU7 MP1

In addition to the features released in version 5.2 RU7, this release contains some notable resolved issues.

See “Resolved issues” on page 28.

What's new in version 5.2 RU7

This release update contains a number of functional improvements for UNIX. It also contains support for an additional UNIX platform and for some new kernels that run on existing supported platforms. Updates have been made to the UNIX agent.

Among the notable new features are the following items:

■ VMware ESX 4.1 Host IDS policy pack

■ VMware ESX Protection Policy IPS features

■ Host Intrusion Detection policies enhancements for UNIX

■ File monitoring enhancements for UNIX

■ Unicode Log Monitoring for UNIX

■ Wildcards for network addresses for UNIX


■ Dynamic local subnet variable for UNIX IPS policies

■ IPS policy options consistency for UNIX policies

■ Support for new platforms

Features for IDS and IPS

VMware ESX 4.1 Host IDS policy pack

Symantec Critical System Protection now includes support for VMware ESX 4.1. The Symantec Critical System Protection Detection Policy Pack includes the ESX_Server_Security_Hardening_Policy, which supports ESX 4.1. There is also an ESX Prevention Policy Workspace Pack that includes an ESX Protection Workspace policy for IPS support.

You configure the new ESX Server Security Hardening Policy for IDS. The ESX Protection Workspace policy uses custom programs to allow write access to ESX configuration and data files and VMware Virtual Infrastructure networking. It uses custom reference lists to make it quicker and easier for you to customize the default ESX policy settings.

You use the standard UNIX IPS policy to handle the standard ESX service console components, such as the core operating system daemons. The standard policy was also modified to limit networking of non-ESX programs and to block write access to ESX configuration and data files.

Together, the new policy pack and the modifications to the existing UNIX IPS policy provide the following benefits:

■ Provides centralized policy management.

■ Provides centralized enforcement.

■ Provides log aggregation of virtual and physical servers.

■ Monitors and reports on guest and host intrusions in real time.

■ Protects the ESX console operating system and guest operating systems and applications with layered controls. Examples include firewall, device control, configuration, system lock down, administrator access control, and file system protection.

■ Provides out-of-the-box policies as a guide to hardening VMware.

■ Facilitates PCI compliance, including file integrity monitoring.


ESX 4.1 IDS policy features

The new VMware ESX 4.1 Host IDS policy pack provides ESX-specific monitoring functionality to secure the ESX host environment.

It provides extensive control over rule content, logic, and behavior from the console and increased granularity of rule logic control for advanced tuning capabilities. It contains the following improvements:

■ Rule content can now be tuned more quickly and easily.

■ Rule criteria is now dynamic and fully viewable in the console.

■ Parameter values are pre-populated with default values and shown as parameter values under the rule option, which provides the standard on or off choice.

■ You can now configure the parameter values. You can also set up select logic and ignore logic per rule, new event IDs, new registry paths, and so on from within the console. Changes in user-defined criteria are reflected in the console.

■ You can now mouse over each option that is set to see detailed descriptions of the set and its function.

The VMware ESX Server Security Hardening policy includes the following top-level options:

Table 1-1 Top-level options in the VMware ESX Server Security Hardening policy

Global Settings: Provides the easy setup of universal variables. It also contains a new choice group addition for file diff polling intervals.

Virtual Machine Configuration Monitor: Provides the configuration of hardening options. The configurable variables can each be hidden, if desired. It also includes a new choice group addition for rule severity. Users can select a level rather than having to type in a numerical value.

ESX Host and VMware File Monitor: Provides the monitoring of critical files and directories. Users can base rules on the incoming flow and outgoing flow of specific data. Users can also enable and disable specific virtual machine (VM) configurations.

ESX Host Command Line Interface (CLI) Monitor: Provides the following features:

■ Privileged user access and command monitoring.

■ Threshold monitoring with higher severity options for customers to choose for multiple failed logon events.

■ Customer logon detection by configuring time and date restrictions.

■ Monitoring of privileged commands, by monitoring the use of the superuser (SUDO) daemon and the root bash_history file.

ESX Host Firewall Monitor: Real-time monitoring of the ESX host firewall log, esx-firewall. Events are generated for possible malicious activity. Commands to allow all incoming as well as all outgoing traffic are monitored. Nonstandard port and protocol enablement is monitored and events are generated for malicious activity and internal policy violation.

ESX Host Administrator Web Access Monitor: Provides detailed Web access monitoring. You can monitor for a preset flood of invalid HTTP requests and can choose to log individual invalid requests.

ESX Host Attack Detection: Monitors several means of possible attack conditions. You can monitor for HTTP/HTTPS vulnerability scanning activity and system vulnerability scanning activity.


Table 1-2 Global Policy settings

ESX Host Server Log and VMX File Path Settings:

■ Virtual Machine Volume Path: Paths that contain the vmx configuration files. By default, this path is set to /vmfs/volumes/* so that all changes in this default location are logged without typing individual virtual machine paths separately. This location is the default location for most VMware ESX host installations.

■ ESX Host Daemon Log Location: The path that contains the VMware ESX host agent log to monitor for suspicious activity.

■ Root Bash History Log Path: The path that contains the Root Bash History Log to monitor for root commands at the command line interface prompt.

■ ESX Host Firewall Log Path: The path that contains the ESX Host Firewall log to monitor for suspicious activity.

ESX Host Server File Monitoring Polling Interval:

■ Virtual Machine (VM) Configuration File Content Polling Interval: The polling interval for reporting configuration file content changes.

■ ESX Host and VMware File Content Polling Interval: The polling interval for reporting host file and VMware file content changes.

Table 1-3 Virtual Machine Configuration Monitor settings

VM Remote VNC Display Console Enabled: Detects the addition of a VNC remote display to the VM. Use of the VNC remote display to view active VMs is not advised as it provides access to the VM guest OS by any user.

VM Logging Disabled: Detects when VM users disable all forms of logging.

VM Copy and Paste Between Guest: Detects the enablement of cut and paste operations to the VM configuration file, and changes to the suggested *.vmx configuration file settings that are used to disable such operations. By default, users can cut and paste between the guest OS and the computer where the remote console is running. Unauthorized users and processes may be able to access the clipboard for the VM console.

VM SetInfo Messages Enabled: Detects the removal or modification of the setting to disable the sending of informational messages to the ESX or ESXi host using VMware tools.

VM SetInfo Memory Size Change: Detects the removal or addition of the setting to change the size of informational messages that can be sent to the ESX or ESXi host using VMware tools. Unrestricted data flow can let a denial-of-service attack use SetInfo messages to flood a host with packets and consume resources.

VM Universal Device Control Enabled: Detects the removal or modification of the setting to disable the ability of users to mount or connect devices on the host server.

VM Disk Administration Tools Enabled: Detects the removal or addition of the settings to disable disk administration tools. This setting protects against unauthorized users causing a denial of service condition on the ESX host by repeatedly changing the size of the virtual disk.

VM Monitor for All Changes to VMX Files: The output of this rule contains the changed content of all .vmx configuration files.

Table 1-4 ESX Host and VMware File Monitor settings

ESX Configuration State Files - ESX.conf: Detects modifications to the file. All modifications include the text content that was added to or removed from the file.

ESX Configuration State Files - Openwsman.conf: Detects modifications to the file. All modifications include the text content that was added to or removed from the file.

ESX Configuration State Files - License Files: Detects modifications to the files. All modifications include the text content that was added to or removed from the files.

ESX Configuration State Files - Proxy.XML: Detects modifications to the file. All modifications include the text content that was added to or removed from the file.

ESX Configuration State Files - SSL Key and Cert Files: Detects modifications to the files. All modifications include the text content that was added to or removed from the files.

ESX Configuration State Files - Syslog.conf: Detects modifications to the file. All modifications include the text content that was added to or removed from the file.

ESX Configuration State Files - Vmware_config: Detects modifications to the file. All modifications include the text content that was added to or removed from the file.

ESX Configuration State Files - Vpxa.cfg: Detects modifications to the file. All modifications include the text content that was added to or removed from the file.

ESX Configuration State Directory - /etc/vmware/: Detects modifications to the files in this critical directory. All modifications include the text content that was added to or removed from the files.

Table 1-5 ESX Host Command Line Interface (CLI) Monitor settings

CLI Login Detection: Provides the customization for monitoring the critical files that are associated with the operation of the ESX Host and VMware in general. It monitors failed logon attempts by root and users, and detection based on time of day or week.

CLI Command Monitoring: Provides the customization for monitoring the command activity that is associated with the ESX Host CLI. Monitors SUDO commands and all root commands.


Table 1-6 ESX Host Firewall Monitor settings

Host ESX Firewall Allow All Incoming Ports: Monitors the host ESX firewall for the "all incoming TCP/IP traffic is allowed" event.

Host ESX Firewall Allow All Outgoing Ports: Monitors the host ESX firewall for the "all outgoing TCP/IP traffic is allowed" event.

Host ESX Firewall Non-Standard Port/Protocol Modification: Monitors the host ESX firewall for the addition of a nonstandard port to either incoming rules or outgoing rules.

Table 1-7 ESX Host Administrator Web Access Monitor settings

ESX Host Admin Web Access Failed Login Detection: Detects failed logon attempts.

ESX Host Admin Web Access Invalid Request Detection: Detects invalid HTTP requests that may indicate a Web vulnerability scanner or other abuse.

Table 1-8 ESX Host Attack Detection settings

Attack Detection Date and Time Restrictions: Lets you customize specific time and date values during which the ESX Host attack detection rules are disabled (whitelisted). Use this setting with specific date and time values for scheduled vulnerability assessment scans in the environment. These restrictions are used to avoid false positives from otherwise known and scheduled vulnerability scanning activity.

HTTP/HTTPS Vulnerability Scanning Activity Detected: Detects HTTP/HTTPS vulnerability scanning activity.

ESX System Vulnerability Scanning Activity Detected: Detects ESX System vulnerability scanning activity.

NMAP NSE Scanning Activity Detected: Detects NMAP NSE vulnerability scanning activity.


VMware ESX Protection Policy IPS features

Release 5.2 RU7 contains a new IPS ESX Protection Policy to handle standard ESX service console components, such as core operating system daemons. The new policy limits the networking of non-ESX programs and blocks write access to ESX configuration and data files. The IPS policy complements the new ESX IDS Server Security Hardening policy. The ESX Protection Policy features let you do the following on ESX systems:

■ Harden the operating system environment

■ Control privileged users

■ Lock down configurations

■ Secure data and other system resources

■ Implement a Host firewall

■ Control the behavior of applications

ESX IPS policy custom programs and reference lists

Table 1-9 describes the reference lists that you can customize when you create a custom ESX IPS policy.

Table 1-9 Custom programs and reference lists

ESX Daemon List: A customizable list of file paths for the standard ESX daemons or third-party tools that need write access to critical VMware files and the network. Examples of such files include vmware-watchdog, vmware-authd, vmware-hostd, and webAccess and any child processes.

ESX Client Tools List: A customizable list of the file paths of interactive ESX command line tools and utilities or other third-party tools that need write access to critical VMware files, for example, configuration files and the VMware file system. Tools that it controls include esxcfg-*, esxupdate, and vcb* (used for backup and restore).

ESX Application Blacklist: A customizable list of ESX applications or OS applications that you want to block from execution. A security best practice is to disable the services and applications that are not required. For example, you might want to either remove the ESX webAccess service or block it. You can use the application blacklist to define and customize the applications that should be blocked from starting. For convenience, this list is referenced in both the Daemon and the Interactive Do Not Start lists. The list is populated with an example entry for the webAccess daemon, but the option is disabled by default.

ESX Critical File List: A customizable list of ESX file paths for writable data and configuration files, such as /etc/vmware/*, /root/.bash_history, and /var/log/vmware/*. This list can be referenced globally to deny unrelated system and user processes write access to these files.

ESX Inbound Host List: A customizable list of valid inbound host IP addresses. By default, the list includes “Any” (0.0.0.0/0) to provide maximum operational compatibility upon first deployment. Enter the specific IP addresses or local subnet ranges in Classless Inter-Domain Routing (CIDR) notation to tighten the ESX network access restrictions. CIDR addresses include an IPv4 32-bit or IPv6 128-bit IP address as well as information on how many bits are used for the network prefix. For those bits not used, the corresponding bits in the IP address must be zero.

Note: The IPv6 short notation '::' used to compress successive zeros is not supported. Use the full representation of the IP address instead.

Typically, this list should include the following systems:

■ vSphere servers, such as license servers, update servers, backup servers, and other ESX/ESXi hosts

■ SNMP management protocol servers

■ Client access points, such as the VI client, Web access, remotecli, ssh, and so on

ESX Outbound Host List: A customizable list of valid outbound host IP addresses or CIDR address ranges. Some typical items that you might want to include in the list are as follows:

■ DNS servers

■ Network file servers

■ SNMP servers

■ Active Directory or LDAP servers

■ vSphere or vCenter servers

■ License servers

By default, the list includes an address for “Any” (0.0.0.0/0) to provide maximum operational compatibility for the initial deployment. You can customize the list by entering the specific IP addresses or local subnet ranges in CIDR notation to tighten the ESX network access restrictions.

ESX Daemon Control: A Custom Program component that you can use to control the behavior of the ESX daemons. Such daemons include vmware-hostd, vmware-authd, vmware-watchdog, webAccess, and any child processes. Unlike the ESX Daemon List, this component allows the VMware-specific daemons to access such entities as the following:

■ ESX configuration files

■ VMware file systems

■ Devices

■ SysCall options

■ The network

ESX CLI Tools: A Custom Program component used to control the ESX interactive command line interface (CLI) tools and the utilities that console users or scripts can run. Tools that it controls include esxcfg-*, esxupdate, and vcb* (used for backup and restore). Unlike the default interactive process control, this component lets the VMware-specific CLI tools access ESX configuration files, VMware file systems, and devices. Use of the network is very limited.
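The CIDR rules the release notes give for the ESX Inbound and Outbound Host Lists (host bits beyond the prefix must be zero, IPv6 '::' compression is not accepted, "Any" is 0.0.0.0/0), as an added example that is not code from the release notes or the product. Treating the bare word "Any" as an alias for 0.0.0.0/0, the sample entries, and the function names are my assumptions.

```python
"""Entry checks for the ESX Inbound/Outbound Host Lists.

Added example, not Symantec's code. It applies the rules the release notes
state for those lists: entries are CIDR networks, the address bits beyond
the network prefix must be zero, and the IPv6 '::' compression is not
accepted (write the address out in full). "Any" (0.0.0.0/0) is the
documented default; accepting the bare word "Any" as an alias for it, and
the function and field names, are my assumptions.
"""
import ipaddress

# Constructed host-list entries for demonstration: a few valid ones and
# one of each way an entry can be wrong.
SAMPLE_ENTRIES = [
    "0.0.0.0/0",                                   # the documented default
    "10.20.30.0/24",
    "10.20.30.5/24",                               # host bits not zero
    "192.168.1.10/32",
    "fe80::1/64",                                  # uses '::' compression
    "2001:0db8:0000:0000:0000:0000:0000:0000/32",  # written out in full
    "300.1.1.1/8",                                 # not an IP address
    "10.0.0.0/33",                                 # prefix too long for IPv4
    "10.0.0.0",                                    # no prefix length
]


def check_cidr_entry(entry):
    """Return (accepted, reason, network) for one host-list entry.

    network is an ipaddress network object when accepted, else None.
    """
    text = entry.strip()
    if text.lower() == "any":                      # assumed alias
        text = "0.0.0.0/0"
    if "/" not in text:
        return False, "missing /prefix-length", None
    addr_text, _, prefix_text = text.partition("/")
    if "::" in addr_text:
        return False, "IPv6 '::' compression is not supported; write the full address", None
    if not prefix_text.isdigit():
        return False, "prefix length must be a non-negative integer", None
    try:
        # ip_interface keeps the address as written alongside its network,
        # so comparing the two reveals non-zero host bits.
        iface = ipaddress.ip_interface(text)
    except ValueError as exc:
        return False, "invalid address or prefix: %s" % exc, None
    if iface.ip != iface.network.network_address:
        return False, "host bits beyond the prefix must be zero", None
    return True, "ok: IPv%d network %s" % (iface.version, iface.network), iface.network


def audit_host_list(entries):
    """Check every entry and flag lists that still contain a /0 network.

    The policy hardening phase in these notes replaces Any (0.0.0.0/0)
    with real addresses or subnet ranges, so 'wide_open' is what to look
    at before a policy is considered hardened.
    """
    accepted, rejected, wide_open = [], [], False
    for entry in entries:
        ok, reason, network = check_cidr_entry(entry)
        if ok:
            accepted.append(entry.strip())
            if network.prefixlen == 0:
                wide_open = True
        else:
            rejected.append((entry.strip(), reason))
    return {"accepted": accepted, "rejected": rejected, "wide_open": wide_open}


if __name__ == "__main__":
    report = audit_host_list(SAMPLE_ENTRIES)
    for entry, reason in report["rejected"]:
        print("REJECT %-45s %s" % (entry, reason))
    print("accepted:", report["accepted"])
    print("list still wide open:", report["wide_open"])
```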


Example deployment scenarios

Suggestions for the initial deployment phase:

■ Disable Global Prevention Mode and run only in IDS mode.

■ Deploy and observe the events that normal ESX operations generate. In a typical ESX environment, you should expect to see few or no events.

Suggestions for the first policy refinement phase:

■ Adjust critical file paths for non-default locations.

■ Add application paths to the ESX Daemon and CLI Tools lists for any third-party tools that need write access to ESX critical files or networking.

■ Open network ports for permitted activities, such as SSH outbound access from an ESX host.

■ If the events that you see uncover additional resource usage, use the Event Wizard to adjust the policy. Re-examine the events to determine how best to make adjustments. You may want to adjust the ESX reference lists, or you may want to use a general program control change instead.

Suggestions for the policy hardening phase:

Table 1-10 Policy hardening

Network customization:

■ Tighten the Inbound/Outbound Address list. Adjust the Any setting (0.0.0.0/0) to reduce the scope of remote system interaction to only valid inbound and outbound addresses or subnet ranges.

■ Customize the Network rules by closing unused service ports. Remove the ports and the protocols that are not used in your environment, for example, update manager, backup manager, and Active Directory. Change logging as desired for specific rules. Refine the ports and the protocols that are used for specific ESX processes as desired.

Blacklist customization: Add program paths for the items that you don't want to execute. For example, you may want to add webAccess.

Other customization:

■ You may want to give users other than root the ability to override policies.

■ You may want to give users other than root the ability to run Symantec Critical System Protection configuration tools.

■ You may want to adjust the granularity of event logging. For example, you may want to record actions of interest such as updates to specific configuration files or the execution of specific ESX tools.

Features for IDS

Host Intrusion Detection policies enhancements for UNIX

The Host Intrusion Detection policies have been redesigned and rewritten to enhance stability, provide greater ease of use and detection accuracy, and add functionality. Multiple policies have been reorganized into two baseline monitoring solutions for the Windows and the UNIX operating system environments.

The enhancements for UNIX and Linux operating systems are new for release 5.2 RU7. The Host Intrusion Detection policies enhancements for the Windows operating system environment have been available since release 5.2.6.

The UNIX Baseline policy includes the following improvements:

■ The IDS policy has been rewritten to improve functionality and accuracy in monitoring security events.

■ The file monitoring area has been redesigned and rewritten to provide a large number of new file and directory monitoring functions. For example, you can now control and enable the access, delete, modify, and create change monitoring functions by group.

■ You can now perform advanced rule-by-rule tuning directly from the Symantec Critical System Protection console. These rules now also use ignore logic and select logic methodology.

■ You can now configure and view all rule content from the Symantec Critical System Protection console, which removes the need to use the Authoring Tool.

■ Policy option group naming conventions have been standardized for ease of administration. You can now enable and disable entire areas of the policies with option check boxes.


■ Automatic application detection has been updated to enable and disable monitoring without the need for administrators to configure the policy individually per host.

■ You can now configure many parameter options individually for each rule. For example, you can configure the Rule Name, Rule Severity, and Rule monitoring content separately for each rule.

■ You can now select a severity level for each rule. You no longer need to know specific numerical values for the severity base types.

■ New Web attack detection functionality has been built into the policy to provide monitoring of Web attacks. The types of attacks that are detected include basic SQL injection, directory traversal, vulnerable CGI requests, blacklist IP functionality, and vulnerability scanning detection. Malicious request strings, malicious extension requests, and malicious user agent strings are also detected.

■ You can now mouse over parts of the user interface to display descriptions to assist in policy navigation and rule-by-rule overview.

UNIX-specific policy changes include the following improvements:

■ Monitoring of individuals who log off of host systems.

■ New compatibility with Symantec AntiVirus for Linux.

■ New command monitoring that is accomplished by configuring the text log monitoring of user-defined or root bash or ksh history files. Superuser DO (sudo) commands are specifically monitored for privileged command inspection and retention. This new functionality provides the ID of the user who performs the command, the exact command performed, and a date stamp and time stamp. This functionality helps to meet various regulatory compliance requirements.

■ Monitoring of suspicious binary file permission changes. This change helps to ensure that critical command-line executables are not subject to the malicious permission changes that malware typically performs.

■ Monitoring of malicious Loadable Kernel Modules (LKMs) to detect the loading of known malware-related LKM modules.

■ Addition of a new System Hardening Monitor, which generates events when new auto start daemons or programs, such as the rc.d script, are added. It also monitors specific changes to inittab, a critical system configuration file.

■ New UNIX malware detection that tracks file and directory creation activities from known UNIX forms of malware. Malware detection variants include rootkit detection and worm detection.


Table 1-11 illustrates how the existing policies from previous releases were combined with new options into the 5.2 RU7 top-level option groups.

Table 1-11 Detection options organization map

Each entry names the detection option group in release 5.2 RU7, followed by the options from previous releases that it now contains, with new material noted.

System User and Group Change Monitor: User/Group_Configuration; Privileged_User/Group_Configuration

System Login Activity and Access Monitor: System_Logon_Failure; System_Logoff_Success; System_Failed_Access_Status

System Privilege Command and Bash History Monitor: System_SUDO_Monitor; System_Root_Command_Monitor; System_User_Command_Monitor

System Hardening Monitor: System_AutoStart_Change (rc*.d); System_Service_Config_Monitor; System_Xserver_Configuration; System_RunLevel_Monitor (Inittab); System_Sysconfig_Monitor (Sysconfig)

System File and Directory Monitor: Host_IDS_File_Tampering; Critical_System_File_Monitor

System Symantec Software Monitor: Symantec_AV_Linux_Client_Comms; Symantec_AV_Unix_Client_Comms

System External Device Activity Monitor: USB_Connectivity_Activity; CD/DVD_Burning_Activity

System Attack Detection: Generic_Web_Attack_Detection; Malicious_LKM_Detection; Unix_Generic_Malware_and_Rootkit_Detection; Unix_System_Time_Changed; Unix_System_Stack_Exec_Denied


Policies that perform administrative or troubleshooting activities for Symantec Critical System Protection agents and management server-specific policies were not combined with the UNIX Baseline policy. The following policies were not combined because they serve an administrative purpose outside of normal detection functionality or facilitate the Global Watch functionality:

■ CSP_Agent_Diagnostics

■ CSP_Agent_Status

File monitoring improvements

Specific file monitoring changes include the following improvements:

■ You can control and enable the access, delete, modify, and create change monitoring functions on a group-by-group basis.

■ You can control modification diff'ing, including algorithm selection, on a group-by-group basis.

■ You can set date and time restrictions within each specific file monitoring group.

■ You can tune the file monitor modified detection operation for specific criteria, such as only for permission changes, size changes, bitmask changes, and so on.

■ You can use specific ignore logic criteria and select logic criteria in each file monitoring group. For example, you can independently configure each file monitoring group to ignore file paths or strings.

Advanced per-rule tuning improvements

Advanced per-rule tuning includes the following options for configuration:

■ Rule Name

■ Rule Severity

■ Rule monitoring content, such as file paths, log file strings, select criteria, and ignore criteria

■ Select logic, in the form of strings

■ Ignore logic, in the form of strings

■ Date and time restrictions, as applicable

Console changes

Symantec Critical System Protection provides specific content control per rule from the console. Each rule in the Baseline policy has required parameters. These rules are now viewable and customizable from the console.


The options in Table 1-12 are available for each rule that is displayed in the Policy Settings pane.

Table 1-12 Rule options

Rule Name: The name that is associated with the rule that generates the specific event. A single string value is allowed in the string field.

Severity: The severity of the event. Available for each rule of the policy. You can select only one severity level, Info, Notice, Warning, Major, or Critical, for each rule.

File Paths: Parameter options for file watch rules. You can use multiple file paths with associated wildcard entries in this string list. You can add, edit, and remove file paths.

Select Strings: Used in rule select logic. Symantec Critical System Protection uses this primary logic, or initial sifting method, for rule event generation. An asterisk (*) selects all the events that the criteria you entered previously (such as event IDs, file paths, or log strings) generate. With this option you can tune rules specifically for administrator needs. For example, if you change the select string on a file watch rule from * to *Permission*, then that rule only generates a file watch event if that event contains the string “Permission.” You can have multiple select strings in this string list. All strings are case insensitive. You can add, edit, and remove select strings.

Ignore Strings: Used in rule ignore logic. Symantec Critical System Protection uses this secondary logic, or ignore sifting method, for rule event generation. Almost all rule parameter options contain a blank value, which signifies that no value is associated with the ignore logic statement. Any string in this field other than the blank value is pattern-matched at final event generation, and events that match are ignored. Ignore strings also let you perform advanced rule-by-rule tuning. You can have multiple ignore strings in this string list. All strings are case insensitive. You can add, edit, and remove ignore strings.

Note: Each parameter is preconfigured with default values to ensure the functionality of the rule. Changes to rule name and severity do not affect the overall operation of the rule.
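As an added example (not Symantec code), the following shows how the Select Strings and Ignore Strings parameters of Table 1-12 sift a candidate event in the two stages the table describes: the select sift first, then the ignore sift. Glob-style matching via fnmatch, the sample rule and the candidate event texts are assumptions; the notes only show the strings * and *Permission*.

```python
import fnmatch

# Assumed from Table 1-12: strings are matched case-insensitively, "*" selects
# everything, and a blank ignore string means "ignore nothing". Glob matching
# (fnmatch) is an assumption about how the wildcard is interpreted.


def matches_any(text, patterns):
    """Case-insensitive glob match of 'text' against any of 'patterns'."""
    lowered = text.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def generates_event(event_text, select_strings, ignore_strings):
    """Primary select sift, then secondary ignore sift; True = event emitted."""
    if not matches_any(event_text, select_strings):
        return False                       # dropped by the select logic
    active = [s for s in ignore_strings if s.strip() != ""]   # blank = no-op
    return not matches_any(event_text, active)


def sift(rule, candidates):
    """Return (rule name, severity, text) for each candidate the rule emits."""
    return [(rule["name"], rule["severity"], text)
            for text in candidates
            if generates_event(text, rule["select_strings"], rule["ignore_strings"])]


# Constructed file watch rule and candidate event texts (not real agent output).
FILE_WATCH_RULE = {
    "name": "Permission changes on /etc",
    "severity": "Warning",
    "select_strings": ["*Permission*"],
    "ignore_strings": ["", "*/etc/mtab*"],
}

CANDIDATES = [
    "File /etc/passwd modified: permission changed 0644 -> 0666",
    "File /etc/passwd modified: size changed",
    "File /etc/mtab modified: PERMISSION changed",
]

if __name__ == "__main__":
    for name, severity, text in sift(FILE_WATCH_RULE, CANDIDATES):
        print("%s [%s]: %s" % (name, severity, text))
```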


File monitoring enhancements for UNIX

To provide granular control over UNIX file change monitoring, Symantec Critical System Protection monitors near real-time changes on local file systems and fixed file systems. It does not monitor changes on removable media or remote network drives.

It no longer uses polling intervals. Symantec Critical System Protection uses the FIPS 180-2-compliant Secure Hash Algorithm (SHA-256) to calculate file hashes or checksums at runtime. The MD5 algorithm is no longer used or available.

For performance efficiency, you can enable or disable the checksum calculation for each file watch list. A single hash algorithm is used on all the files in a watched list.

Note: Symantec Critical System Protection continues to poll remote files, such as files on network drives or removable media, every specified interval to detect changes.

How wildcard characters and recursion levels work in IDS file monitoring

When you use wildcard characters in IDS file monitoring, the following rules apply:

■ Only the asterisk (*) and question mark (?) wildcard characters are allowed.

■ The asterisk (*) stands for one or more characters.

■ The question mark (?) stands for a single character only.

■ Wildcard characters are allowed only in the last element of a file path. You can only place a wildcard character after the last slash in a file path.

The following are examples of valid uses of wildcard characters in a file path:

■ /tmp/*

■ /tmp/L1/*.txt

■ /tmp/L2/*file*.ini

■ /tmp/L1/file?.ini

■ /tmp/L1/file?.*

The following are examples of invalid uses of wildcard characters in a file path:

■ /tmp/*/L3/*.txt

■ /tmp/L2/*/file?.txt


Recursion levels only work with the use of one or more wildcard characters. If a file path specification contains no wildcard character, then the recursion level has no effect. Rules may have a specified recursion level and file paths with mixed entries, where only some of the file paths contain wildcard characters. Recursion works only with the file paths that contain one or more wildcard characters.

When both recursion and wildcard characters are specified, the folder path and file name are considered separately. A file name that is specified with one or more wildcard characters is searched for in the given path and in a number of subfolders. The number of subfolders that are searched is equal to the recursion level minus 1. For example, if you configure a file path of /tmp/*.dll and a recursion level of 3, that requests to monitor all DLL files in the /tmp folder three levels deep, including /tmp. The following DLL files are monitored for changes:

■ /tmp/my.dll

■ /tmp/L1/your.dll

■ /tmp/D1/ours.dll

■ /tmp/L1/L2/his.dll

■ /tmp/D1/D2/her.dll

In this example, the /tmp/D1/D2/D3/bad.dll file would not be monitored.
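The wildcard and recursion-level rules above, worked through as an added example (not Symantec code): a matcher that rejects wildcards outside the last path element, treats * as one or more characters and ? as exactly one, and searches the folder itself plus recursion level minus 1 subfolder levels. The treatment of recursion levels below 1 and the sample paths are assumptions.

```python
import posixpath
import re

# Assumed from the notes: only * and ? are wildcards; * is one or more
# characters, ? exactly one; wildcards only after the last slash; a recursion
# level of N covers the folder plus N-1 subfolder levels. Levels below 1 are
# treated as 1 here (the notes do not define them).

WILDCARDS = "*?"


def validate_watch_path(spec):
    """Split spec into (folder, name); raise ValueError if wildcards sit in the folder."""
    folder, name = posixpath.split(spec)
    if not name:
        raise ValueError("watch path must end in a file name or pattern: %r" % spec)
    if any(c in WILDCARDS for c in folder):
        raise ValueError("wildcards are allowed only after the last slash: %r" % spec)
    return folder, name


def name_pattern(name):
    """Compile the last element into a regex: * -> one or more, ? -> exactly one."""
    pieces = []
    for ch in name:
        if ch == "*":
            pieces.append(".+")
        elif ch == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))
    return re.compile("".join(pieces) + r"\Z")


def is_monitored(spec, recursion_level, candidate):
    """True if the absolute path 'candidate' is covered by the watch spec."""
    folder, name = validate_watch_path(spec)
    if not any(c in WILDCARDS for c in name):
        return candidate == spec            # no wildcard: recursion has no effect
    prefix = folder if folder.endswith("/") else folder + "/"
    if not candidate.startswith(prefix):
        return False
    parts = candidate[len(prefix):].split("/")
    depth = len(parts) - 1                  # subfolder levels below 'folder'
    max_depth = max(recursion_level - 1, 0)  # assumption for levels below 1
    return depth <= max_depth and name_pattern(name).match(parts[-1]) is not None


def monitored_files(spec, recursion_level, candidates):
    """Keep only the candidate paths the spec covers, in input order."""
    return [p for p in candidates if is_monitored(spec, recursion_level, p)]


if __name__ == "__main__":
    # Constructed sample paths, including the ones listed in the example above.
    sample = ["/tmp/my.dll", "/tmp/L1/your.dll", "/tmp/D1/ours.dll",
              "/tmp/L1/L2/his.dll", "/tmp/D1/D2/her.dll",
              "/tmp/D1/D2/D3/bad.dll", "/tmp/L1/notes.txt"]
    for path in monitored_files("/tmp/*.dll", 3, sample):
        print(path)
```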

Unicode Log Monitoring for UNIX

The IDS agent logwatch collector now reads Unicode text log files, so that you can monitor the applications that output to Unicode log files or to Unicode format.

Features for IPS

Wildcards for network addresses for UNIX

You can now use the asterisk wildcard character (*) or an IP address with a netmask to indicate a range of IP addresses in rules. This feature saves time when you construct a rule that requires you to enter a long list of IP addresses.

Note: This feature applies only to prevention policies.

Valid uses of the IP address with a netmask format include 192.168.1.0/255.255.255.0 or 10.160.0.85/255.255.0.255.

Alternatively, you can use an asterisk as one or more of the four parts of an IP address. You cannot mix asterisks and other characters in a single octet.


Valid uses of the asterisk include 10.*.*.254 and 10.160.*.85, which is the equivalent of using 10.160.0.85/255.255.0.255.

Invalid uses include 10.*1.*.254 and 10.1.*.2*
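The two address forms above, as an added example (not Symantec code): a validator that accepts the address-with-netmask form (including a non-contiguous mask such as 255.255.0.255) and the asterisk-per-octet form, rejects an octet that mixes an asterisk with digits, and reduces both forms to one (address, mask) pair so that ranges can be matched and compared. The octet grammar is an assumption; the notes give only the examples shown.

```python
import re

# Assumed from the notes: an octet is either a single asterisk or a decimal
# value 0-255; mixing the two inside one octet (e.g. "*1", "2*") is invalid.
OCTET = re.compile(r"\A(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\Z")


def _octets(text):
    """Parse a dotted quad into four integers or raise ValueError."""
    parts = text.split(".")
    if len(parts) != 4 or not all(OCTET.match(p) for p in parts):
        raise ValueError("not a dotted quad: %r" % text)
    return [int(p) for p in parts]


def parse_rule_address(entry):
    """Reduce either entry form to a canonical (address, mask) octet pair.

    An asterisk octet becomes address 0 with mask 0; for the netmask form the
    address bits outside the mask are cleared so that equal ranges compare equal.
    """
    if "/" in entry:
        addr_text, mask_text = entry.split("/", 1)
        mask = _octets(mask_text)
        address = [a & m for a, m in zip(_octets(addr_text), mask)]
        return address, mask
    parts = entry.split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets: %r" % entry)
    address, mask = [], []
    for p in parts:
        if p == "*":
            address.append(0)
            mask.append(0)
        elif OCTET.match(p):
            address.append(int(p))
            mask.append(255)
        else:
            raise ValueError("invalid octet %r in %r" % (p, entry))
    return address, mask


def is_valid_rule_address(entry):
    """True if the entry is accepted by either syntax."""
    try:
        parse_rule_address(entry)
        return True
    except ValueError:
        return False


def address_matches(entry, ip):
    """True if the host address 'ip' falls in the range the entry expresses."""
    address, mask = parse_rule_address(entry)
    return all((i & m) == a for a, m, i in zip(address, mask, _octets(ip)))


def equivalent(entry_a, entry_b):
    """True if two entries select exactly the same set of addresses."""
    return parse_rule_address(entry_a) == parse_rule_address(entry_b)
```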

Dynamic local subnet variable for UNIX IPS policies

UNIX primary policies now contain local subnet choices in the Network Choices drop-down list. This feature is similar to the existing Local IPs choice.

Note: This feature is available on Red Hat Enterprise Linux, SUSE Enterprise Linux, and AIX. It is not supported on Solaris.

IPS policy options consistency for UNIX policies

IPS Per Process rule options are now available across all resource lists and in all network rules in UNIX policies instead of only in the Default lists.

Support for new platforms

Symantec Critical System Protection release 5.2 RU7 contains the following new support:

■ Full 64-bit support for IPS features on AIX 5.3 and 6.1

Note: IPS on 32-bit computers that run AIX is not supported in this release.

■ Full 32- and 64-bit support for IDS and IPS features on SUSE Linux 10 SP3

■ Full 32- and 64-bit support for IDS and IPS features on SUSE Linux 11 SP1

■ Full 32- and 64-bit support for IDS and IPS features on CentOS 5.x
CentOS is supported by installing the Red Hat Enterprise Linux 5 agent on the computers that run CentOS.

Note: At the time of this release, Symantec Critical System Protection supports all current versions of Microsoft SQL Server 2005 and Microsoft SQL Server 2008. Going forward, Symantec Critical System Protection plans to support new versions of Microsoft SQL Server as they are released.

If a new version of Microsoft SQL Server is released that Symantec Critical System Protection does not support, that information should be specifically stated in the documentation for the next Symantec Critical System Protection release.


Additional release information

Creating custom policies

When you create multiple custom policies for UNIX operating systems, you should always start from the sym_unix_protection_spb policy. The unix_application_control_template policy is not supported as a base for custom policies.

Note: For Windows custom policies, you can use the following policies as a base for custom policies:

sym_win_protection_core_spb

sym_win_protection_ltd_exec_spb

sym_win_protection_strict_spb

How to correctly block telnet, ftp, rlogin, and similar services

On UNIX operating systems, the inetd daemon handles the initial network connection of some services, such as telnet, ftp, and rlogin, before the services are started. In the IPS policies, you can control the network connections for such services only by using the inetd pset. You cannot control the network connections from the service’s own pset. By default, the inbound network rules for the inetd pset allow connections to the following ports: ftp (21), lp (515), telnet (23), unix-rexec (512), unix-rlogin (513), unix-rsh (514), and tftp (69).

The network rules are applied in the following order:

■ Pset-specific rules

■ Group level (daemon or interactive) rules

■ Global rules

This ordering means, for example, that if you have an Allow rule for telnet (23) in the inetd pset inbound network rules, any group level or global network rules that you add to restrict telnet have no effect.

What you need to know before you install or upgrade your software

The Symantec Critical System Protection Installation Guide contains detailed information about how to install the Symantec Critical System Protection components. If you are installing for the first time, you should install, configure, and test Symantec Critical System Protection in a test environment.

For information about Symantec Critical System Protection features and platforms, see the Platform and Feature Matrix located in the docs folder on the product disc that contains this release.

Table 1-13 Overview of an installation

Step 1: Plan the installation
When planning your installation, you may need to consider the following:

■ Network architecture and policy distribution

■ Firewalls

■ Name resolution

■ IP routing

Step 2: Review the system requirements
All the computers on which you install Symantec Critical System Protection should meet or exceed the recommended operating system and hardware requirements.

Step 3: Decide on the computers to install the software components
You can install the management console and management server on the same computer or on separate computers. You can install agents on any computer. All computers must run a supported operating system.

Step 4: Decide on the management server installation type
You can install the following management server installation types:

■ An evaluation installation that runs SQL Server 2005 Express on the local system

■ An evaluation installation that uses an existing MS SQL instance

■ A production installation with Tomcat and the database schema

■ The Tomcat component only

Step 5: Configure the TEMP environment variable
The installation packages unpack installation files into the directory that is specified by the TEMP environment variable. The volume that contains this directory must have at least 200 MB of available disk space. If this volume does not have the required disk space, you must change your TEMP environment variable.

Step 6: Install the management server
You begin the installation by installing the management server.

Management server installation prompts you to enter a series of values consisting of port numbers, user names, passwords, and so on. Each database that you can install uses different default settings and options for the management server and database.


Step 7: Install the management console
Install the management console after you install the management server.

The management console installation also installs the authoring environment.

The management console installation does not prompt you to enter port numbers or server names. You enter this information after installation, when you configure the management console.

Step 8: Configure the management console
Management console configuration prompts you to enter a series of values consisting of port numbers, passwords, and a server name. In a few instances, the port numbers must match the port numbers that were specified during management server installation.

Step 9: Install the agents
Install the agents after you install the management server, and after you install and configure the management console.

The agent installation prompts you to enter a series of agent values consisting of port numbers, management server name, and so on.

Known issues

On computers that run AIX 5.3 and 6.1, users must be part of primary group “sisips” to override a protection policy

When you use the Policy Override Tool, only users who are members of the “sisips” group can override a policy on computers that run AIX 5.3 and 6.1.

FileWatch collector generates a large number of events when used to monitor files under the SCSP installation folder

Using the UNIX detection policies to monitor files or folders under the SCSP installation folder may continuously produce a large number of self-generated FileWatch events.

Workaround: Avoid the use of FileWatch to monitor any file or folder under the SCSP installation folder.

Issue using symlink on ESX 4.1

On computers that run ESX 4.1, the ESX Protection Policy does not block access to files if there is a symlink to the directory that contains the files.


NFS Server Access Options do not control remote access to NFS v4files

On computers that run Linux operating systems and use NFS v4, the Global Policy Options > NFS Server Access Option > Alternate Privilege Level > Block all remote file access via NFS setting does not block remote access to NFS files.

To work around this issue, you can use NFS v3 on Linux, or you can block NFS access by unchecking the inbound network rules from Daemon Options > Default Daemon Options > Network Controls > Inbound option.

Must disable Novell AppArmor and Security-Enhanced Linux (SELinux)to run Symantec Critical System Protection

Novell AppArmor on SUSE Linux and SELinux both interfere with the proper performance of Symantec Critical System Protection. If you use either or both of these, ensure that they are disabled on all the agent computers before you run Symantec Critical System Protection.

Remote users can access exported NFS shares on AIX, SUSE 10, and SUSE 11 computers even if the NFS Server Access Option is enabled in the prevention policy

Symantec Critical System Protection does not currently prevent remote access to files that are exported via an NFS server on AIX, SUSE 10, and SUSE 11 operating systems. The policy settings that are used are located in the IPS policy Global Policy Options > NFS Server Access Options > Alternate Privilege Level. The IPS driver does block access to files that are mounted locally via the NFS client.

There is currently no workaround.

Unicode log file events are not reported in the console for AIX

On computers that run AIX, Symantec Critical System Protection does not currently process log file events from Unicode log files if the files do not contain byte-order markers.

There is currently no workaround.

File creation allowed first time with the use of symbolic links on 64-bitcomputers that run AIX

On 64-bit computers that run AIX 5.3 and AIX 6.1, Symantec Critical System Protection currently allows a user to create a file the first time in a protected directory if there is a symbolic link in the directory’s path. If the user subsequently tries to create a file in the protected directory, the action is blocked appropriately.

There is currently no workaround.

Documentation errata

Page 10 of the Symantec Critical System Protection Version 5.2 RU7 UNIX Baseline Policy Reference Guide contains some incorrect information. The first bullet under "UNIX-specific policy changes include the following improvements:" is incorrect and should be ignored.

Resolved issues

Frequent stopping and starting of the SISIDSService

The issue that caused Windows 2003 32-bit servers to crash when the SISIDSService was frequently stopped and restarted has been fixed.

IPS core policy blocks agent computers from joining the domain asdomain controllers

You can now enable an Allow mounting of filesystems SysCall option under the Service Options > Core OS Service Options > Startup Processes [system_ps] option group to allow agent computers to join a domain as a domain controller. This option has been added to the Windows Core, Strict, and Limited prevention policies.

IPS policy translation error when using the Files that can be modifiedwith logging on option

The issue that caused an IPS policy translation error when the Files that can be modified with logging on option was used in a custom application configuration has been fixed.

Failure to load driver and apply prevention policy

The issue that caused prevention policies to fail to apply when the Global Policy Options > Resource Lists > No-Access Resource Lists > Block and log all access to these Registry keys as trivial option was used has been fixed.


w3wp.exe routed into svc_stdpriv_ps instead of into a custom Pset

IPS policies now support routing the IIS worker process to a custom Pset.

Agent duplication in the database

The issue that caused multiple duplicate agent entries to be made in the database has been fixed.

Legal Notice

Copyright © 2011 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, Bloodhound, Confidence Online, Digital Immune System, LiveUpdate, Norton, Sygate, and TruScan are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com
