IBM Tivoli Risk Manager Adapters Guide
Version 4.1
SC88-9513-00
(English original: SC23-4823-00)
Note: Before using this book and the product it describes, read the information in Appendix D, "Notices", on page 181.

This book applies to IBM Tivoli Risk Manager Version 4.1 and to all subsequent releases and modifications unless otherwise indicated in new editions.

Comments and opinions on this manual can be submitted through the following URL; they will be used as a reference for future editions.
http://www.ibm.com/jp/manuals/main/mail.html
Manuals published by IBM Japan are also available on the Internet. For details, see the ordering information at
http://www.ibm.com/jp/manuals/
(URLs are subject to change.)

Original: SC23–4823–00
IBM Tivoli Risk Manager Adapters Guide
Version 4.1
Published by: IBM Japan, Ltd.
Responsible: National Language Support
First printing: 2002.12
[Trademark-symbol and typesetting notice of the Japanese edition not recoverable from the source encoding.]
© Copyright International Business Machines Corporation 2001, 2002. All rights reserved.
© Copyright IBM Japan 2002
Contents
Preface . . . vii
Chapter 1. Tivoli Risk Manager adapters . . . 1
Chapter 2. Cisco Secure IDS adapter . . . 15
Chapter 3. ISS RealSecure IDS adapter . . . 27
Chapter 4. Cisco router adapter . . . 35
Chapter 5. Cisco Secure PIX Firewall adapter . . . 43
Chapter 6. Check Point Firewall-1 adapter . . . 59
Chapter 7. McAfee Alert Manager adapter . . . 79
Chapter 8. Norton AntiVirus adapter . . . 85
Chapter 9. Host Intrusion Detection adapter . . . 91
Chapter 10. Host intrusion detection - HP-UX 11i adapter . . . 97
Chapter 11. Tivoli Access Manager 4.1 adapter . . . 105
Chapter 12. Enterasys Dragon adapter . . . 129
Chapter 13. Symantec Intruder Alert adapter . . . 149
Appendix A. Cisco Secure IDS attack signatures . . . 159
Appendix B. ISS RealSecure IDS attack signatures . . . 167
Appendix C. McAfee Alert Manager Sensor adapter messages . . . 171
Appendix D. Notices . . . 181
Glossary . . . 185
Index . . . 191
Preface
This book describes how to install, configure, and manage IBM® Tivoli® Risk Manager adapters (referred to in this book as Tivoli Risk Manager adapters).
Who should read this book
This book is intended for readers who have knowledge of IT, Tivoli Management Framework, and Tivoli Enterprise Console, and who have hands-on experience with the following:
v Installing and using third-party intrusion detection applications.
v Installing products (Tivoli Risk Manager installs images without using the Tivoli desktop).
v Using the Tivoli Adapter Configuration Facility (ACF) and adapter configuration profiles (ACPs).
Tivoli Risk Manager adapters are widely used in implementing network security policies and intrusion detection systems (IDS). Users should have a basic knowledge of network security and a thorough understanding of Transmission Control Protocol/Internet Protocol (TCP/IP), networking concepts, and protected networks.
What this book contains
For the latest changes to the product and to this book, see the Tivoli Risk Manager Release Notes.
v Chapter 1, "Tivoli Risk Manager adapters", on page 1, describes the files used by the network Tivoli Risk Manager adapters.
v Chapter 2, "Cisco Secure IDS adapter", on page 15, describes Cisco® Secure IDS™ (formerly NetRanger).
v Chapter 3, "ISS RealSecure IDS adapter", on page 27, describes the ISS® RealSecure IDS™ adapter.
v Chapter 4, "Cisco router adapter", on page 35, describes the Cisco® router adapter.
v Chapter 5, "Cisco Secure PIX Firewall adapter", on page 43, describes the Cisco Secure PIX Firewall™ adapter.
v Chapter 6, "Check Point Firewall-1 adapter", on page 59, describes the CheckPoint® FireWall-1™ adapter.
v Chapter 7, "McAfee Alert Manager adapter", on page 79, describes the McAfee® Alert Manager™ adapter.
v Chapter 8, "Norton AntiVirus adapter", on page 85, describes the Norton® AntiVirus™ adapter.
v Chapter 9, "Host Intrusion Detection adapter", on page 91, describes the Host Intrusion Detection™ adapter.
v Chapter 11, "Tivoli Access Manager 4.1 adapter", on page 105, describes the Tivoli Access Manager™ 4.1 adapter.
v Chapter 12, "Enterasys Dragon adapter", on page 129, describes the Enterasys® Dragon™ adapter.
v Chapter 13, "Symantec Intruder Alert adapter", on page 149, describes the Symantec® Intruder Alert™ adapter.
This guide also contains an intrusion detection glossary, security-related terms, and an index.
Publications
Tivoli Risk Manager publications
The Tivoli Risk Manager publications are as follows:
v Tivoli Risk Manager User's Guide Version 4.1 describes how to install, configure, and manage Tivoli Risk Manager, and gives an overview of each Tivoli Risk Manager component.
v Tivoli Risk Manager Release Notes Version 4.1 contains the latest information on installing and managing Tivoli Risk Manager.
v Tivoli Risk Manager Adapters Guide Version 4.1 describes in detail the Tivoli Risk Manager adapters currently available.
v Tivoli Risk Manager Developer's Guide Version 4.1 contains information on the Tivoli Risk Manager Event Integration Facility, its API, and its command-line interface, together with information on developing other Tivoli Risk Manager-compatible adapters.
v Tivoli Risk Manager Problem Determination Guide Version 4.1 contains the process for resolving common problems that can occur, and details of the known problems recorded for Tivoli Risk Manager.
v Tivoli Risk Manager Read Me First Card tells how to access the Tivoli Risk Manager publications and their intended audience.
Prerequisite publications
Before using Tivoli Enterprise Console, you should understand the contents of the following publications:
v Tivoli Framework Planning and Installation Guide, Tivoli Framework User's Guide, and Tivoli Framework Reference Manual. These publications describe in detail the desktop, managed nodes, administrators, policy regions, profiles, logs, tasks, scheduling, and command-line interface (CLI) commands.
v Tivoli Enterprise Console User's Guide. This publication describes the use of Tivoli Enterprise Console in detail.
v Tivoli Enterprise Console Adapters Guide. This publication describes in detail the Tivoli Enterprise Console adapters currently available.
Related publications
The following publications supplement the information in the prerequisite publications:
v Tivoli Enterprise Console Rule Builder's Guide. This publication describes in detail how to create and manage new rules.
v Tivoli Event Integration Facility User's Guide. This publication describes how to use the Event Integration Facility (EIF) to develop your own event adapters. Event adapters can be customized to your network environment and specific needs.
v Tivoli Enterprise Console Reference Manual. This guide describes the command-line commands in detail.
v Tivoli Management Framework 3.7 Task Library Language Developer's Guide. This guide contains the information needed to develop task libraries using the Task Library Language.
Tivoli Risk Manager online information
IBM and Tivoli customers can obtain online information about Tivoli security products and Tivoli Risk Manager.
Tivoli Risk Manager adapters are now available from the Tivoli Risk Manager support Web site (in addition to distribution on the product CD). This makes it possible to distribute new and updated adapters quickly, independently of new releases of Tivoli Risk Manager, and lets you download only the adapters you need.
For Tivoli Risk Manager adapters, the latest product updates (including information on sensor signatures and services for Tivoli Risk Manager) are provided at the following site:
http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliRiskManager.html
Information on the Tivoli Risk Manager product is provided at the following Web site:
http://www.ibm.com/software/sysmgmt/products/risk-mgr.html
Information on other Tivoli security management products is provided at the following Web site:
http://www.ibm.com/software/sysmgmt/
Your comments on publications and products
Send your comments and opinions about this manual through the following URL; they will be used as a reference for future editions.
http://www.ibm.com/jp/manuals/main/mail.html
Contacting customer support
For publications and customer support, contact your IBM representative.
Accessibility
Accessibility features help users with physical disabilities, such as restricted mobility or limited vision, use software products successfully. The major accessibility features of this product let you do the following:
v Use assistive technologies such as screen readers and digital speech synthesizers to hear what is displayed on the screen. For details on using these technologies with this product, consult the documentation for the assistive technology product.
v Magnify what is displayed on the screen.
In addition, many features have been added to the product documentation to improve its accessibility:
v All documentation is available in both HTML format and convertible PDF format, to give users the maximum opportunity to apply screen-reader technology.
v All images in the documentation are provided with alternative text, so that users with limited vision can understand the contents of the image.
Conventions used in this book
In this book, Windows® system refers to a computer system running the Windows NT® or Windows 2000 operating system. UNIX system refers to a computer system running a UNIX™ operating system such as AIX®, Linux, or the Solaris™ operating environment (hereafter called Solaris).
Typeface conventions
This book uses several typeface conventions to distinguish particular kinds of information. Each convention has the following meaning:
Convention   Meaning
Bold         Commands, keywords, flags, and similar information are shown in bold.
Italic       Values that the user must supply and new terms are shown in italic. Emphasized words are also shown in italic.
Monospace    Coding examples, output, and file names are shown in monospace.
Variable conventions
This book uses the following variable conventions:
RMINSTDIR   The Tivoli Risk Manager installation location, which contains the RISKMGR subdirectory on the system. For example, on a Solaris system the installation directory is at a location such as /opt/RISKMGR.
Solaris operating environment   Called Solaris.
Tivoli Risk Manager Agent   Called the agent. Used when referring to the Tivoli Risk Manager Agent.
Tivoli Risk Manager Client   Called the client. Used when referring to the Tivoli Risk Manager Client.
Tivoli Risk Manager Distributed Correlation Server   Called the distributed correlation server. Used when referring to the Tivoli Risk Manager Distributed Correlation Server.
Tivoli Risk Manager Gateway   Called the gateway. Used when referring to the Tivoli Risk Manager Gateway.
Tivoli Risk Manager Event Server   Called the event server. Used when referring to the Tivoli Risk Manager server that uses the Tivoli Enterprise Console server.
Tivoli Enterprise Console user interface   Called the event console. Used when referring to the user interface or console.
Chapter 1. Tivoli Risk Manager adapters
This chapter contains the following sections:
v "Tivoli Enterprise Console adapters"
v "Tivoli Risk Manager adapters" on page 3
v "Tivoli Risk Manager Client" on page 4
v "Operating system requirements" on page 5
v "Format files" on page 10
v "Merging Tivoli Risk Manager and adapter format files" on page 11
v "Configuring and distributing adapters using the Adapter Configuration Facility (ACF)" on page 12
Tivoli Enterprise Console adapters
Tivoli provides generic Tivoli Enterprise Console adapters for formatting events and forwarding them to the Tivoli Enterprise Console server. In many cases, Tivoli Risk Manager adapters and sensors make use of the Tivoli Enterprise Console adapter functions when formatting Tivoli Risk Manager events and forwarding them to the event server.
Resources are monitored by adapters. When an adapter detects an event generated by a monitored resource, the adapter formats the event and sends it to the event server. An adapter can receive events from a monitored resource that actively generates events, or it can poll an ASCII log file at a configurable interval while the source writes messages to the log file.
An adapter can send events to the Tivoli event server using either the Tivoli interface or the non-Tivoli interface. The Tivoli interface establishes communication using services provided by the Tivoli Management Framework. The non-Tivoli interface establishes communication using standard interprocess communication mechanisms, such as host-to-host Internet Protocol (IP) address formats.
An adapter installed on an endpoint sends its events to the endpoint gateway. The endpoint gateway then bundles the events and forwards them to the Tivoli event server.
The endpoint Tivoli Enterprise Console adapters supported by Tivoli Risk Manager are the Tivoli Logfile adapter for UNIX systems and the Windows Event Log adapter for Windows systems. The SNMP adapter is also supported.
Note: This book uses the general term Tivoli Enterprise Console adapter except where it is necessary to state whether the adapter is the Tivoli Logfile adapter, the Windows Event Log adapter, or the SNMP adapter.
Events detected by a sensor are forwarded to the appropriate logging facility, where they are processed by the appropriate Tivoli Enterprise Console adapter and then forwarded to Tivoli Enterprise Console. Correlation is performed on the event server or on a distributed correlation server. Tivoli Risk Manager Correlation is the function that effectively classifies IDS events and produces a concise summary of the security state of the network. See "Configuring the Tivoli Risk Manager Event Server" in the Tivoli Risk Manager User's Guide. Each Tivoli Enterprise Console adapter depends on a dedicated event library. The library provides fully usable support for a predefined set of events. The following files make up the event library:
BAROC file: The BAROC file for an event class defines the events sent to the event server from within a rule set. An event class is the agreement between the adapter and the event server about the information the adapter sends to the event server. Tivoli Risk Manager provides a BAROC file for each supported sensor and adapter.
Format file: Changes to the event classes for these adapters are made in the format file, and a new class definition statement (.cds) file is generated from that format file. The format file defines the formats of the messages read from the event source. The format file is also used to generate the class definition statement (.cds) file for a Tivoli Enterprise Console adapter. Tivoli Risk Manager provides a format (.fmt) file for each supported sensor and adapter.
Class definition statement (.cds) file: A Tivoli Enterprise Console adapter uses the .cds file to map incoming events to event classes and define event attributes before forwarding the events to the event server. Tivoli Risk Manager provides .cds files for the adapters that use the SNMP adapter (the ISS RealSecure adapter and the Cisco router adapter). By modifying these files, you can add, change, and delete event classes. The dedicated event library shipped with an adapter supports every event processed by that adapter. The event library also provides examples for creating new event definitions.
Tivoli Risk Manager adapters
A Tivoli Risk Manager adapter is a software component responsible for taking the relevant information from a sensor, mapping it to the Tivoli Enterprise Console event format, and forwarding the event. Adapters include custom software designed to interact directly with a sensor (for example, the Tivoli Risk Manager Cisco Secure IDS adapter) and generic Tivoli Enterprise Console adapters.
The most common Tivoli Risk Manager adapters are the standard Tivoli Enterprise Console adapters (the Logfile, Event Log, or SNMP adapter). In these adapters, the default event-class message formats are replaced by, or extended with, the event-class message formats provided by Tivoli Risk Manager. These Tivoli Risk Manager-specific format files provide the event-class message format definitions that support many third-party security sensors and applications.
Some applications do not log event messages to the UNIX syslog, the Windows Event Log, or a text file, and do not generate events as SNMP traps. Some of these applications provide event information through a relational database, an application programming interface, or log data.
Tivoli Risk Manager adapters support these types of applications by obtaining and processing the output of such software programs and sending events to Tivoli Risk Manager. Events are sent from these programs to Tivoli Risk Manager by one of several methods. To send events directly to Tivoli Enterprise Console or to the Tivoli Risk Manager Client, the event forwarding API, the Tivoli Risk Manager Event Integration Facility (RMEIF), or the Tivoli Risk Manager Agent is used. For details on the Tivoli Risk Manager Agent and the Tivoli Risk Manager Event Integration Facility, see the Tivoli Risk Manager User's Guide and the Tivoli Risk Manager Developer's Guide. Events can also be written to a system log file or text file from which they can be extracted and formatted, and then sent to Tivoli Enterprise Console or the Tivoli Risk Manager Client.
Where to obtain Tivoli Risk Manager adapters
Tivoli Risk Manager adapters are now available from the Tivoli Risk Manager support Web site (in addition to being shipped on the product CD). This makes it possible to distribute new and updated adapters quickly, independently of new releases of Tivoli Risk Manager, and lets you download only the adapters you need.
For Tivoli Risk Manager adapters, the latest product updates (including information on sensor signatures and services for Tivoli Risk Manager) are provided at the following site:
http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliRiskManager.html
Tivoli Risk Manager Client
Although an adapter can be configured so that the Tivoli Enterprise Console events it generates are forwarded directly to the event server, there are several advantages to deploying the Tivoli Risk Manager client software together with the Tivoli Risk Manager adapter and configuring the adapter so that its events are routed directly to the client. For example:
v The client provides a range of transport mechanisms for reliably forwarding events to the Tivoli Risk Manager server (simple socket-based communication, secure Tivoli Management Environment (TME) based communication, Secure Socket Layer (SSL) communication, and so on). Such a broad range of function is generally not supported by an adapter on its own.
v The client provides aggregation, which detects duplicate or similar events. With aggregation, far fewer aggregated events are forwarded instead of many duplicate events being sent to the server. This aggregation reduces network traffic, server load, and the amount of information stored in the associated event repository.
v The client provides the message formatting functions used by many custom adapters and sensors (including the Cisco Secure IDS network sensor adapter and the Tivoli Risk Manager Web IDS sensor).
v If a server or gateway becomes unavailable, the client provides appropriate handling, such as filtering events, routing events to an alternate server, and rerouting events.
v The client provides the feature-rich yet simple event forwarding API used by adapters. You can use this API to develop other Tivoli Risk Manager-compatible adapters.
Tivoli Enterprise Console adapters - non-TME
To deploy the Tivoli Risk Manager client software together with a Tivoli Risk Manager adapter and configure the adapter to route its events directly to the client, you must install and use the non-secure (non-TME) Tivoli Enterprise Console adapter. When configured for the Risk Manager Client, the Tivoli Risk Manager Agent is designed to receive events sent through the non-Tivoli interface. The non-Tivoli interface establishes communication using standard interprocess communication mechanisms, such as host-to-host Internet Protocol (IP) address formats. The non-TME Tivoli Enterprise Console adapter uses the non-Tivoli interface. Because the non-Tivoli interface establishes non-secure communication, when the Risk Manager Agent is configured for the Risk Manager Client it by default receives events only from the local host, which protects the security of the event data. For Risk Manager adapters that send events using the Tivoli Risk Manager Event Integration Facility, installing the non-TME adapter is not required. When the event forwarding API is used, a Risk Manager Client for these adapters is required as a prerequisite.
For installing and configuring Tivoli Enterprise Console adapters, see the Tivoli Enterprise Console Adapters Guide. Installing the Tivoli Enterprise Console adapter is a prerequisite for installing most Tivoli Ris Manager adapters. For installing and configuring a Tivoli Risk Manager adapter, see the chapter specific to that adapter in this guide.
Configuring Tivoli Risk Manager adapters for the Tivoli Risk Manager Client
To configure a non-TME Tivoli Enterprise Console adapter to send events to the Tivoli Risk Manager Client, set ServerLocation to the client host name and ServerPort to the client's event receive port (the default event receive port in the client's local_only_receiver.conf is 5529). These parameters are in the Tivoli Enterprise Console adapter configuration file.
For details on configuring the Tivoli Risk Manager Client, see the Tivoli Risk Manager User's Guide.
Operating system requirements
Tivoli Risk Manager adapters are supported on both Tivoli Risk Manager Version 4.1 and Tivoli Risk Manager Version 3.8. The supported operating systems for each adapter differ according to the platforms supported by the following components:
v Tivoli Risk Manager Version 4.1 Agent
v Tivoli Risk Manager Version 3.8 Event Integration Facility (RMEIF)
v Tivoli Risk Manager adapter software
v Tivoli Enterprise Console adapter
v Third-party monitoring software (also called sensor software)
The "Component installed with it" column of the support table lists the components used by each adapter.
Tivoli Risk Manager Agent (Transport)
This indicates that the Tivoli Risk Manager 4.1 Client is installed on the sensor host system together with a Tivoli Enterprise Console adapter. The adapter can be configured so that events are sent to the Tivoli Risk Manager Client. Installing the Tivoli Risk Manager Agent with the Client provides not only event aggregation but also upstream event communication using the SSL, TME, or non-TME protocol.
Tivoli Risk Manager Agent (Transport/Tivoli Risk Manager Event Integration Facility)
This indicates that the Tivoli Risk Manager 4.1 Client is installed on the sensor host system. In this case, sensor data is obtained using the Tivoli Risk Manager adapter software, and events are sent to the Tivoli Risk Manager Agent using the Tivoli Risk Manager Event Integration Facility API. Installing the Tivoli Risk Manager Agent with the Client provides not only event aggregation but also upstream event communication using the SSL, TME, or non-TME protocol.
Tivoli Risk Manager Event Integration Facility
This indicates that the Tivoli Risk Manager Event Integration Facility component is installed on the sensor host system. In this case, sensor data is obtained using the Tivoli Risk Manager adapter software, and events are sent to the Tivoli Risk Manager Event Integration Facility component using the Tivoli Risk Manager Event Integration Facility API. The Tivoli Risk Manager Event Integration Facility provides not only event aggregation but also upstream event communication using the TME or non-TME protocol.
Tivoli Enterprise Console adapter
This indicates that a Tivoli Enterprise Console adapter is installed on the sensor host system. This adapter is used to obtain sensor data, or to send events to the Tivoli Enterprise Console server using the TME or non-TME protocol.
When using a new or updated adapter with Tivoli Risk Manager Version 3.8, the baroc files in the Tivoli Risk Manager rule base must be updated. The requirements for each adapter are described in that adapter's chapter or in the readme file that accompanies the downloadable adapter package.
The supported operating systems for each adapter are listed in the following table.
Table 1. Supported operating systems for each Tivoli Risk Manager adapter
Platform columns: AIX 4.3.3, AIX 5.1, Solaris 7, Solaris 8, Linux RedHat 6.2/7.0, Linux RedHat 7.2, Linux SuSE 7.3, zLinux, Win NT 4.0, Win 2K, Win XP, HP-UX 11i.
[The per-platform support marks of this table did not survive extraction; only the adapter rows and their "Component installed with it" entries are recoverable.]
Host IDS: Tivoli Risk Manager Agent (Transport); Tivoli Enterprise Console adapter
Check Point FW-1 (4.1/NG): Tivoli Risk Manager Agent (Transport/Tivoli Risk Manager Event Integration Facility); Tivoli Risk Manager Event Integration Facility; Tivoli Enterprise Console adapter
Cisco Secure IDS (S(29)): Tivoli Risk Manager Agent (Transport/Tivoli Risk Manager Event Integration Facility); Tivoli Risk Manager Event Integration Facility (Linux kernel 2.2.16); Tivoli Enterprise Console adapter (Linux kernel 2.2.16)
Cisco Secure PIX FW (6.1): Tivoli Risk Manager Agent (Transport); Tivoli Enterprise Console adapter
ISS RealSecure IDS (Server Sensor 5.5, Network Sensor 6.0) SNMP: Tivoli Risk Manager Agent (Transport); Tivoli Enterprise Console adapter
Cisco router (IOS v11.2) SNMP: Tivoli Risk Manager Agent (Transport); Tivoli Enterprise Console adapter
Norton Anti-Virus (7.5): Tivoli Risk Manager Agent (Transport); Tivoli Enterprise Console adapter
McAfee Alert Manager (4.5): Tivoli Risk Manager Agent (Transport); Tivoli Enterprise Console adapter
Enterasys Dragon 5.0 (Dragon Squire - Host IDS, Dragon Sensor - Net IDS): Tivoli Risk Manager Agent (Transport); Tivoli Enterprise Console adapter
IBM Tivoli Access Manager (4.1) (Access Manager for e-Business, Access Manager for Business Integration): Tivoli Risk Manager Agent (Transport/Tivoli Risk Manager Event Integration Facility); Tivoli Risk Manager Event Integration Facility; Tivoli Enterprise Console adapter
Symantec Intruder Alert (3.6): Tivoli Risk Manager Agent (Transport); Tivoli Risk Manager Event Integration Facility; Tivoli Enterprise Console adapter
Format files
The Tivoli Risk Manager format files are as follows:
Table 2. Tivoli Risk Manager format files
Tivoli Risk Manager format file | Tivoli Risk Manager adapter | Adapter type | Platform
pix.fmt | Cisco Secure PIX Firewall adapter | Tivoli Logfile adapter | UNIX systems
pix_nt.fmt | Cisco Secure PIX Firewall adapter | Windows Event Log adapter | Windows systems
csids.fmt | Cisco Secure IDS adapter | Tivoli Risk Manager EIF | UNIX and Windows systems
csids.fmt | Cisco Secure IDS adapter | Log file adapter | UNIX systems
csids.nt.fmt | Cisco Secure IDS adapter | Windows Event Log adapter | Windows systems
os_aix.fmt | Host IDS adapter | Log file adapter | AIX systems
os_solaris.fmt | Host IDS adapter | Log file adapter | Solaris operating environment
os_nt.fmt | Host IDS adapter | Windows Event Log adapter | Windows systems
os_linux.fmt | Host IDS adapter | Log file adapter | Linux systems
os_hpux.fmt | Host IDS adapter | Log file adapter | HP-UX
rnmac.fmt | McAfee Alert Manager adapter | Windows Event Log adapter | Windows systems
rmnav.fmt | Norton AntiVirus adapter | Windows Event Log adapter | Windows systems
cpfw.fmt | Check Point FireWall-1 adapter | Tivoli Risk Manager EIF | UNIX and Windows systems
cpfw.fmt | Check Point FireWall-1 adapter | Log file adapter | UNIX systems
cpfw.nt.fmt | Check Point FireWall-1 adapter | Windows Event Log adapter | Windows systems
tecad_snmp.cds | Cisco router and ISS RealSecure IDS adapters | SNMP adapter | UNIX and Windows systems
dragon-base.fmt | Enterasys Dragon adapter | Log file adapter | UNIX systems
am41log.fmt | Tivoli Access Manager 4.1 adapter | Tivoli Risk Manager EIF | UNIX and Windows systems
am41log.fmt | Tivoli Access Manager 4.1 adapter | Log file adapter | UNIX and Windows systems
IntruderAlert.fmt | Symantec Intruder Alert adapter | Log file adapter | UNIX and Windows systems
Note: The Cisco router and ISS RealSecure adapters use the Tivoli SNMP adapter. That adapter must be configured using the Tivoli Risk Manager version of tecad_snmp.cds.
Tivoli Risk Manager ���������� ������ ���
wrmcrtcds O"Tivoli Risk Manager "@W?<*hS;s5<N$s9H<kK
H&\*G_W5l?bNG9#wrmcrtcds O"j9H&U!$k+iI_hC?
U)<^CH&U!$kNj9H+i"kgU)<^CH&U!$k (.fmt U!$
k) *hS/i9jA9F<HasH&U!$k (.cds U!$k) rn.9k3^s
IG9#3N3^sIO"riskmgr_gencds 3^sIrHQ7F"kg cds U!$
kr8.7^9#
=8:
wrmcrtcds [-base BaseName] [-list ListFile] [-files FileName1 ...]
INPUT PARAMETERS
-base kgU!$krn.9klg"*hS=NkgU!$k+i/i9jA9F
<HasH&U!$krn.9klgKHQ5lk"p\Q9>
(BaseName) rXj7^9#kgU)<^CH&U!$kNQ9>O"
BaseName.fmt G9#wrmcrtcds 3^sIO"j9H&U!$krh}7
F"7,Kn.5l? BaseName.fmt U!$kNvxKj9HbNFU!$
kr3T<7^9#j9H&U!$kbNsVis/T (3asHTr|/)
K"-zJQ9>J0N9Hjs0d"I_hjQKO+1J$9Hjs0
,^^lF$klg"wrmcrtcds 3^sIO"f<6<KP7FYpaC
;<8r=(7F"j9H&U!$kNh}r3T7^9#
-list 1 DNkgU)<^CH&U!$kK"k5lk"U)<^CH&U!$k
Nj9HJ<QU!$kNQ9>rXj7^9#j9H&U!$kKO"0
4$~Q9>Nj9H (FTK 1 DNQ9>) r^ak,W,"j^9#U
!$kKO"Vis/Tr^ak3H,G-k[+"sVis/Nh,8z
H7FN # (]sI-f) G1L5lk3asHTr^ak3HbG-^
9#3asHNem (=N3asHH18T) KQ9>r31k3HOG-
J$NGmU7F/@5$#
-files j9H&U!$kKIC7F"n.5lkkgU)<^CH&U!$k*h
S/i9jA9F<HasH&U!$kK$s/k<I9k?aN" 1 D
^?O#tNU!$kN04$~Q9>rXj7^9#-files Ui0U-G
O5lkU!$k>,04$~Q9>GOJ$lg"^?OU!$kr+1
J$lg" wrmcrtcds O(i<ra7^9#-files Ui0rHQ9kl
g"GeNUi0H7FXj7F/@5$#-files Ui0K3/`\O9Y
F"U!$k>Qia<?<H7F7olk?aG9#
j9H&U!$kbN9YFNTKP7F"7,N BaseName.fmt U!$kNn.
h},0;7?i"J<N3^sIrBT7F/i9jA9F<HasH&U!$
krn.7^9#
riskmgr_gencds BaseName.fmt
5iK=NPOr BaseName.cds U!$kKwP7^9#
-base Ui0*hS -list Ui0O>}Hb*W7gsG9#-base Ui0rO5
J$H"p\Q9>KOJ<NGU)kH,HQ5l^9#
$RMHOME/RISKMGR/etc/rmad (UNIX Nlg) ^?O
%RMHOME%¥RISKMGR¥etc¥rmad (Windows Nlg)
33G"
RMHOME $s9H<k&G#l/Hj<r=7^9#-list Ui0rO5J$H"j
9H&U!$kNQ9>KOJ<NGU)kH,HQ5l^9#
$RMHOME/RISKMGR/etc/rmad.lst (UNIX Nlg) ^?O
%RMHOME%¥RISKMGR¥etc¥rmad.lst (Windows Nlg)
33G"
RMHOME $s9H<k&G#l/Hj<r=7^9#
m: wrmcrtcds 3^sINGU)kH&Qia<?<MO"fmt U!$kN^<8
*hS cds U!$kNn.r\*H7?bNG9#3liNU!$k
(rmad.fmt"rmad.cds) O"Tivoli Risk Manager Event Integration Facility $Ys
H>w API GHQ5l^9#3Nf<F#jF#<O Tivoli Risk Manager
Client HloK$s9H<k5l^9#3Nf<F#jF#<r"Tivoli
Enterprise Console "@W?<GHQ7F"fmt U!$kN^<8*hS cds U
!$kN8.N\*KHQ9kKO"j9H*hSY<9>r>NMGV-9
(k,W,"j^9#eojK"logfile_gencds ^?O win_gencds f<F#j
F#<rHQ7F"fmt U!$k+i cds U!$krn.9k3HbG-^
9#3liNf<F#jF#<NHQ!O"VTivoli Enterprise Console "@W
?<¥,$IWKb@5lF$^9#
��������� (ACF) �����������������
^?""@W?<=.!= (ACF) rHQ7F"Tivoli D-N(sI]$sHeG"
U)<^CH&U!$k"=.U!$k".cds"*hS70KAc<&U!$kN=
.H[[r7^9#
ACF r(sI]$sH&2<H&'$H18I}P]N<IeK$s9H<k7
F"Tivoli "@W?<*hS"@W?<X"U!$kr(sI]$sHK[[9k
3H,G-^9#ACF r Tivoli I}j<8gs (Tivoli Management Region
(TMR)) 4NG(sI]$sH&2<H&'$H7F=.5l?9YFNI}P]N
<IeK$s9H<k9k3H,EWG9#^?"ACF r Tivoli I}j<8gs
(Tivoli Management Region (TMR)) 5<P<=NbNKb$s9H<k7^9#
ACF GN$s9H<kKD$FOVTivoli Enterprise Console f<6<:¥,$IW
Kb@5lF$^9#
� 2 � Cisco Secure IDS ������
3NOKO"J<NbF,^^lF$^9#
v X"@W?<N5WY
v 17Z<8NX;s5<N5bY
v 18Z<8NX$s9H<k*hS=.Y
v 23Z<8NX"@W?<I}?9/Y
v 23Z<8NXTivoli Enterprise Console ?9/Y
v 25Z<8NX=N>NmUv`/djY
Cisco Secure IDS "?C/&70KAc<Nj9HKD$FO" 159Z<8NXU
? A. Cisco Secure IDS "?C/&70KAc<Y r2H7F/@5$#
��������
Tivoli Risk Manager KO"Cisco Secure IDS QN"@W?< ,^^lF$^9#
3lO"Cisco Secure /~!N79F` (Cisco Secure Intrusion Detection System)
(Cisco Secure IDS H7FbNilk) ,8.9k$YsHr Tivoli Enterprise
Console $YsHK^CW7^9#J<N Cisco Secure IDS ;s5<+i$YsH
rhj~`3H,G-^9#
Cisco Secure IDS 4210 ;s5<
3N;s5<O"$5'N"/F#SF#<KhkMCHo</N#Gr!
P9k"MCHo</&;-ejF#<!oG9#45-Mbps D-r5]<H
7F$^9#
Cisco Secure IDS 4230 ;s5<
3N;s5<O"$5'N"/F#SF#<KhkMCHo</N#Gr!
P9k"MCHo</&;-ejF#<!oG9#100-Mbps D-r5]<
H7F$^9#
Cisco Catalyst 6000 U!_j<N/~!Nb8e<k
Cisco Catalyst 6000 IDS b8e<kO"Cisco Catalyst 6000 b.ZjX(
!oK$s9H<kG-k=UH&'"&3s]<MsHG9#3Nb8e
<kO"ZjX(!=H;-ejF#<!=r1lN!oK}g9k3HK
hj"$5'N-Ur}C?"/F#SF#<6br!P7^9#
© Copyright IBM Corp. 2001, 2002 15
��������������
Tivoli Risk Manager Adapter for Cisco Secure IDS O"J<N*Zl<F#s0&
79F`G5]<H5lF$^9#
Table 3. Supported platforms
Components installed with Cisco Secure IDS (S(29)) | Solaris 7 | Solaris 8 | Linux RedHat 6.2/7.0 | Win NT 4.0 | Win 2K
Tivoli Risk Manager Agent (Transport/Tivoli Risk Manager Event Integration Facility) | X X X
Tivoli Risk Manager Event Integration Facility | X | X | Linux Kernel 2.2.16 | X | X
Tivoli Enterprise Console adapter | X | X | Linux Kernel 2.2.16 | X | X
d)QCA&lYkH79F`Wo:
v 129 MB JeNabj<rk\7? Service Pack 6.0 rHQ9k Windows NT
4.0#
v 128 MB JeNabj<rk\7? 500 MHz Wm;C5<rHQ9k Windows
2000#
v 128 MB Nabj<rk\7? Sun Solaris *Zl<F#s0D- (Solaris)
2.6"2.7"*hS 2.8#
– Solaris libCrun QCA
– Solaris 2.6 QCA # 105591-09
– Solaris 2.7 QCA # 106327-08
– Solaris 2.8 QCA # 108434-01
m: QCAN$s9H<kr*;7?i"Cisco SDK r$s9H<k9k0K"
^7srjV<H9k,W,"j^9#
v Linux (Intel) +<Mk 2.2.16"Libc 6"*hS 128 MB Je Nabj<
v Cisco Secure IDS Data Feed N$s9H<kh}N?aKO"Korn 7'k RPM
(/bin/ksh) ,[9H&^7sK$s9H<k5lF$J1lPJj^;s#
Cisco Secure IDS NqAO"J<N Web 5$HG~jG-^9#
http://www.cisco.com
Tivoli Enterprise Console Correlation
Cisco Secure IDS O"MCHo</eN"/F#SF#<rbK?<7"=lr=
[5lk6bN{NNQ?<s (70KAc<) HM-go;^9#Cisco Secure
IDS Sensor OlW9kbNr+D1kH"CSIDS Data Feed 3s]<MsHrHQ
7F"Tivoli Risk Manager Adapter for Cisco Secure IDS K"i<`rw.7^
9#Tivoli Risk Manager Adapter for Cisco Secure IDS O"Tivoli Risk Manager
Event Integration Facility rHQ7F"3N$YsHr$YsH&5<P<Kw.7
^9#
Tivoli Risk Manager O Cisco Secure IDS $YsHr">N?$WN;s5<+i
w.5lk=N>N$YsHHX"U1"Tivoli Risk Manager "I_K9Hl<?
<,/~!N$YsH4NrD.G-kh&K7^9#
������
Cisco Secure /~!N79F` (J0N NetRanger) O"MCHo</K*1k5v
D"/F#SF#<r!P7"sp7"*;5;kh&_W5l?"kH,ONj
"k?$`/~!N79F`G9#Cisco Secure IDS QN"@W?<O"+RNM
CHo</,bt=<9^?O0t=<9+iN6bru1F$k+I&+r'1
9k,WN"kkHGHQ5l^9#Cisco Secure IDS KO"J<Nh&J3s]
<MsH,^^lF$^9#
v ;s5< - MCHo</r9-cs7"IP MCHo</&HiU#C/rh}
7F"EWJ;-ejF#<&$YsHrG#l/?<K>w9kMCHo</
uV#
Figure 1. Cisco Secure IDS adapter diagram
v G#l/?< - 1 D^?O#tN;s5<rbK?<7F",6MCHo</V
N;-ejF#<rI}9kf{3s=<k#
v ]j7<&^M<8c< - b& 1 DN3s=<k=.#
v ]9H&*U#9 - WmWi(?j<\3Y<9NWmH3krHQ9k Cisco
Secure IDS ^?O NetRanger 5<S9NL.eNr@#
���� �����
Cisco Secure IDS Q"@W?<O"*Zl<F#s0&79F`NG-N$s9H
<k}0rHQ7F$s9H<k5l^9#3N$s9H<kN]KO"Windows
Nlg InstallShield"Solaris Nlg pkgadd"Linux Nlg rpm ,,WG9#
m:
1. Linux G Cisco Secure IDS Data Feed N$s9H<kh}rT&?aKO"
Korn 7'k RPM (/bin/ksh) ,[9H&^7sK$s9H<k5lF$k,W,
"j^9#
2. UNIX ^?O Linux 79F`eG Cisco Secure IDS Q"@W?<r=.9k0
K"!N9/jWHrBT7F"Tivoli Event Integration Facility D-r;CH"
CW7^9#
. /etc/Tivoli/rma_eif_env.sh
UNIX *hS Linux K"Cisco Secure IDS Q"@W?<KhCFHQ5lk Cisco
Secure IDS Data Feed 3s]<MsHr$s9H<k9kH"79F`eG*<W
s&Q9o<IrHQ7FVnetrangrWf<6<&"+&sH,n.5l^9#Cisco
Secure IDS Q"@W?<r$s9H<k7*(?i"I}TQ9o<IrHQ7F
3N"+&sHr]n9k3Hr*+a7^9#
m:
1. Solaris *hS Linux GN$s9H<kGO"GU)kHG CSIDS Data Feed
3s]<MsH,n.5l^9#Windows GN$s9H<kGO"Tivoli Risk
Manager bin G#l/Hj<rQ97F"J<NBTD=U!$krBT9k,
W,"j^9#
csidsInstall.2.5.NT.exe
2. Solaris eG"syslog K$YsH,w.5lkh&K"@W?<r=.7F$s
9H<k9kH-KO" Solaris syslog aC;<8 ID *W7gsrHQTDK
9k,W,"j^9# /kernel/drv/log.conf bK msgid=0 r,:_j7F*
$F/@5$#Tivoli Event Integration Facility API K$YsH,/w5lkh
&K"@W?<r=.9klg"/kernel/drv/log.conf bN msgid _jMO
X8"j^;s#
Cisco Secure IDS Data Feed !��"���������
������
Cisco Secure IDS Data Feed r=.9k0K"/i$"sH&^7sK$YsH,
w.5lkh&K;s5<r=.7F*/,W,"j^9#/i$"sH&^7s
O"Cisco Secure IDS Data Feed *hS"Cisco Secure IDS Q"@W?<N$s9
H<kh^7sG9#Cisco Secure Policy Manager ^?O Cisco Secure IDS
Director rHQ7F;s5<r=.9k}! (IAirHQ9k+KhCF[Jk)
N4L*J\YKD$FO"VCisco Secure IDS User GuideWr2H7F/@5
$#3N]"LoO"!N=.9FCWrBT9k,W,"j^9#
1. ;s5<N{NN[9HNj9HK7,[9H>rIC7F"[9H ID rn.
7^9#[9H ID O"eG,WKJj^9#
2. "@W?<&[9HK;s5<HL.9k"Br?(^9#
3. "@W?<&[9Hr";s5<N$YsH8hj9HNfKH_~_^9#
4. 9YFN70KAc<NV8h (destination)WsK"@W?<&[9H,H_~
^lF$k3HrN'7^9#
5. "@W?<&[9HN IP "Il9r";s5<NP)psj9HKIC7^
9#
e-N9FCWr0;7?i"J<N9FCWrBT7F""@W?<Q Cisco
Secure IDS Data Feed 3s]<MsHr=.7^9#CSIDS Data Feed 3s]<M
sHO"Cisco Secure IDS Q"@W?<H;s5<VNL.$s?<U'<9G
9#
1. csidsDataFeed 3^sIKHQ5lk";s5<N IP "Il9"*hSd-
psrXj7^9#3NpsO";s5<K9GK=.5lF$kbNGJ1l
PJj^;s#=NpsO";s5<=.D<k (Director ^?O Policy
Manager) +ih@G-^9#
2. J<N csidsDataFeed 3^sIr/T7F";s5<N[9HKX9kpsr
Xj7^9#
csidsDataFeed cfg_remote add [-ip sensor_ip_address] [-po port_number] [-on orgname] [-oi orgnumber] [-hn host_name] [-hi sensor_id] [-hb nnn]
Example:
csidsDataFeed cfg_remote add -ip 9.41.2.176 -po 45000 -on RiskManager -oi 42 -hn luckyhost -hi 5 -hb 100
3. J<Nh&J csidsDataFeed 3^sIr/T7F"m<+k&"@W?<N[
9HKX9kpsrXj7^9#
csidsDataFeed cfg_local update [-po port_number] [-on orgname] [-oi orgnumber] [-hn adapter_hostname] [-hi adapter_host_id]
Example:
csidsDataFeed cfg_local update -on RiskManager -oi 42 -hn thegrill -hi 6
Tivoli Event Integration Facility �������������
Cisco Secure IDS Q"@W?<NGU)kH=.GO"Cisco Secure IDS $YsH
O"Tivoli Event Integration Facility Kw.5l"33+i Tivoli Risk Manager 5
<P<Kw.5l^9#Cisco Secure IDS $YsHr Tivoli Enterprise Console $
YsHK57/^CTs09k?aKO"Cisco Secure IDS Q"@W?<&U!$
k,HQ5lkh&K Tivoli Event Integration Facility r+9?^$:9k,W,"
j^9#
m: Windows *hS UNIX/Linux NIAiN79F`K*$Fb"Tivoli Event
Integration Facility GO" csids.fmt U!$k,HQ5l^9#G-N$s9
H<k&^M<8c<KhCF"csids.fmt U!$k,+0*K Tivoli Risk
Manager EIF rmad.fmt U)<^CH&U!$kN*<K^<85l?eG"
riskmgr_gencds 3^sINBTKhj"rmad.cds U!$k,Fn.5l^
9#
����
UNIX *hS Windows N>}NWiCHU)<`GN Cisco Secure IDS "@W?
<N04J=.KD$FN\YO"J<K-R7^9#
UNIX and Linux
UNIX *hS Linux GN04J=.NcKD$FN\YO"J<K-R7^9#
1. "@W?<ND-9/jWHrBT7^9#
. /etc/Tivoli/rma_eif_env.sh
2. G#l/Hj<r $NETRANGER/bin/ KQ97F"Cisco Data Feed 3s]<Ms
Hr=.7^9#
csidsDataFeed cfg_remote add -ip 9.41.2.176 -po 45000 -on RiskManager -oi 42 -hn luckyhost -hi 5 -hb 100
csidsDataFeed cfg_local update -on RiskManager -oi 42 -hn thegrill -hi 6
3. G#l/Hj<r $RMADHOME/etc/ KQ97^9#
4. rmad.fmt *hS rmad.cds r=.7^9#
a. csids.fmt r rmad.fmt K3T<^?OIC7^9#
b. 7,N CDS U!$kr8.7^9#
../bin/riskmgr_gencds rmad.fmt > rmad.cds
5. "@W?<rGPC0&b<IGBT7F";s5<XN\3rF9H7^9#
rma_csids -d 4
Output example:
HRMCI0012I: Running in debug mode. All output directed to terminal.
HRMCI0009I: Initializing, please wait...
HRMCI0011I: Initialization complete.
Jul 18 08:46:31 THEGRILL rma_csids[1460]: 0x3d367f55 4.0 6103/ 6103/0 42,5,10008 [Proxied_RPC_Request] 9.48.168.107:4265 9.48.175.255:111
Jul 18 08:56:15 THEGRILL rma_csids[1460]: 0x3d367f59 4.0 6103/ 6103/0 42,5,10008 [Proxied_RPC_Request] 9.48.168.107:4265 9.48.175.255:111
Jul 18 08:56:15 THEGRILL rma_csids[1460]: 0x3d367f5f 4.0 6103/ 6103/0 42,5,10008 [Proxied_RPC_Request] 9.48.168.107:4265 9.48.175.255:111
Jul 18 08:56:15 THEGRILL rma_csids[1460]: 0x3d367f67 4.0 6103/ 6103/0 42,5,10008 [Proxied_RPC_Request] 9.48.168.107:4265 9.48.175.255:111
6. "@W?<QN start | stop 3^sIr/T7^9#
Linux:
/etc/rc.d/init.d/rma_csids-init start | stop
Solaris:
/etc/init.d/rma_csids-init start | stop
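The debug output of the sensor connection test above is the line format that csids.fmt has to match when the adapter writes to syslog. As an added example (not code from the guide), a small Python parser that extracts the fields of those lines and checks that every event carries the -oi/-hi ids that were given to csidsDataFeed; the field names are assumptions inferred from the sample output, which the guide does not document.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, in the layout of the rma_csids -d debug output shown
# above (status HRMCI lines are mixed in with event lines, as in that output).
SAMPLE_OUTPUT = """\
HRMCI0012I: Running in debug mode. All output directed to terminal.
HRMCI0011I: Initialization complete.
Jul 18 08:46:31 THEGRILL rma_csids[1460]: 0x3d367f55 4.0 6103/ 6103/0 42,5,10008 [Proxied_RPC_Request] 9.48.168.107:4265 9.48.175.255:111
Jul 18 08:56:15 THEGRILL rma_csids[1460]: 0x3d367f59 4.0 6103/ 6103/0 42,5,10008 [Proxied_RPC_Request] 9.48.168.107:4265 9.48.175.255:111
"""

# Field names are assumptions inferred from the sample output; the guide
# does not document this layout (e.g. "42,5,10008" is read as org id,
# sensor host id, event sequence number).
EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"rma_csids\[(?P<pid>\d+)\]: (?P<event_id>0x[0-9a-fA-F]+) (?P<version>\S+) "
    r"(?P<sig_id>\d+)/ (?P<sig_id_repeat>\d+)/(?P<subsig>\d+) "
    r"(?P<org_id>\d+),(?P<sensor_id>\d+),(?P<seq>\d+) "
    r"\[(?P<sig_name>[^\]]+)\] "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class CsidsEvent:
    timestamp: str
    host: str
    event_id: str
    sig_id: int
    subsig: int
    org_id: int
    sensor_id: int
    seq: int
    sig_name: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> Optional[CsidsEvent]:
    """Return the event on this line, or None for status (HRMCI*) lines."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return CsidsEvent(
        timestamp=m["ts"], host=m["host"], event_id=m["event_id"],
        sig_id=int(m["sig_id"]), subsig=int(m["subsig"]),
        org_id=int(m["org_id"]), sensor_id=int(m["sensor_id"]), seq=int(m["seq"]),
        sig_name=m["sig_name"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
    )


def check_feed(output: str, org_id: int, sensor_id: int) -> Dict[str, object]:
    """Summarise a debug run against the ids given to csidsDataFeed.

    org_id is the -oi value and sensor_id the -hi value of cfg_remote add
    (42 and 5 in the guide's example). Events tagged with other ids mean
    the feed is not reading the sensor that was configured.
    """
    events: List[CsidsEvent] = []
    mismatches = 0
    signatures: Dict[str, int] = {}
    for line in output.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        events.append(ev)
        if (ev.org_id, ev.sensor_id) != (org_id, sensor_id):
            mismatches += 1
        signatures[ev.sig_name] = signatures.get(ev.sig_name, 0) + 1
    return {
        "events": len(events),
        "id_mismatches": mismatches,
        "signatures": signatures,
        "first_event_id": events[0].event_id if events else None,
    }


if __name__ == "__main__":
    print(check_feed(SAMPLE_OUTPUT, org_id=42, sensor_id=5))
```

Passing the adapter's own -hi value (6 in the example) instead of the sensor's reports every event as a mismatch, which is how the check catches the two ids being confused.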
Windows
Windows GN04J=.NcKD$FN\YO"J<K-R7^9#
1. 3^sI&WmsWH+i"Data Feed 3s]<MsHr=.7^9#
C:¥> csidsDataFeed cfg_remote add -ip 9.48.172.245 -po 45000 -on RiskManager -oi 42 -hn luckyhost -hi 5 -hb 100
C:¥> csidsDataFeed cfg_local update -po 45000 -on RiskManager -oi 42 -hn thegrill -hi 6
2. "@W?<rGPC0&b<IGBT7F";s5<XN\3rF9H7^9#
C:¥> rma_csids -d 4
Output example:
HRMCI0012I: Running in debug mode. All output directed to terminal.
HRMCI0009I: Initializing, please wait...
HRMCI0011I: Initialization complete.
Jul 18 08:46:31 THEGRILL rma_csids[1460]: 0x3d367f55 4.0 6103/ 6103/0 42,5,10008 [Proxied_RPC_Request] 9.48.168.107:4265 9.48.175.255:111
Jul 18 08:56:15 THEGRILL rma_csids[1460]: 0x3d367f59 4.0 6103/ 6103/0 42,5,10008 [Proxied_RPC_Request] 9.48.168.107:4265 9.48.175.255:111
Jul 18 08:56:15 THEGRILL rma_csids[1460]: 0x3d367f5f 4.0 6103/ 6103/0 42,5,10008 [Proxied_RPC_Request] 9.48.168.107:4265 9.48.175.255:111
Jul 18 08:56:15 THEGRILL rma_csids[1460]: 0x3d367f67 4.0 6103/ 6103/0 42,5,10008 [Proxied_RPC_Request] 9.48.168.107:4265 9.48.175.255:111
3. \3N=.,0;7F"5oKn09kh&KJC?i"jV<HeK+0O0
9kh&K""@W?<r Windows 5<S9H7F$s9H<k7^9#
C:¥> rma_csids -i
4. 7,N5<S9rO07^9#
C:¥> net start rma_csids
m: 9YFNYp*hS(i<&aC;<8O"Windows GO"Wj1<7gs&
$YsH&m0K"UNIX ^?O Linux GO79F`&m0 (syslog) Kq-~
^l^9#
Tivoli Enterprise Console Logfile �������������
������� (Windows, Solaris and Linux)
"@W?<NGU)kH&b<IGO""@W?<O Tivoli Event Integration
Facility ,$YsHNw.hKJj^9,"79F`&m0,$YsHNw.hKJ
kh&K=.9k3HbG-^9#Windows QN79F`&m0O Windows "W
j1<7gs&$YsH&m0G9,"Solaris *hS Linux QN79F`&m0O
syslog G9#79F`&m0,$YsHNw.hKJkh&K"@W?<r=.7
F*/H"Tivoli Enterprise Console Logfile "@W?<rHQ7F"Risk Manager
5<P<K$YsHr>wG-kh&KJj^9#Tivoli Enterprise Console Logfile
"@W?<KD$FO"VTivoli Enterprise Console "@W?<¥,$IWr2H7
F/@5$#
����
UNIX ��� Linux:
1. "@W?<ND-9/jWHrBT7^9#
. /etc/Tivoli/rma_eif_env.sh
2. "@W?<N3^sITXkWr=(7"-e *hS -w *W7gsrHQ7
F""@W?<+iYp*hS$YsH,wP5lkNrN'7F/@5$#
rma_csids -h
HRMCI0027I Risk Manager Adapter for Cisco Secure intrusion detection system 4.1.0.0 S(30).
HRMCI0013I Usage: rma_csids [OPTIONS]
-h or --help                          Print help and exit
-v or --version                       Print version and exit
-dINT or --debug=INT                  Number of messages to output then exit
-eSTRING or --event-output=STRING     term | rmeif | syslog | file
-wSTRING or --warning-output=STRING   term | rmeif | syslog | file
HRMCI9999I Exiting.
3. "@W?<NO09/jWH $RMADHOME/bin/rma_csids-init r"Yp*h
S$YsH,9YF79F`&m0KwP5lkh&K"-w syslog *hS -e syslog 3^sIT*W7gsrIC7FQ97F/@5$#
Example:
'start')
    # Start the Cisco Secure IDS Adapter
    #
    if [ "$PID" = "" ]
    then
        $NETRANGER/bin/csidsDataFeed stop -f
        $NETRANGER/bin/removeSemas
        $RMADHOME/bin/rma_csids -w syslog -e syslog &
    fi
    ;;
U!$kr]I7^9#
4. GeK""@W?<NU)<^CH&U!$k csids.fmt r Tivoli Enterprise
Console Logfile "@W?<NU)<^CH&U!$kK^<87F"7,N
CDS U!$kr8.7^9#3NBTKD$FO"VTivoli Enterprise Console
"@W?<¥,$IWr2H7F/@5$#
Windows:
Windows P<8gsN"@W?<O"Windows 5<S9H7FBT5lk?a"
Windows l89Hj<bK3^sIT*W7gsr$s9H<k7F*/,W,"
j^9#
1. "@W?<N3^sITXkWr=(7"-e *hS -w *W7gsrHQ7
F""@W?<+iYp*hS$YsH,wP5lkNrN'7F/@5$#-i*W7gs*hS -r *W7gsrHQ7?H-K""@W?<, Windows 5
<S9H7F$s9H<k"*hS|n5lk3HbN'7F/@5$#
C:¥>rma_csids -h
HRMCI0027I: Risk Manager Adapter for Cisco Secure IDS 4.1.0.0 S(30)
HRMCI0013I: Usage: rma_csids [OPTIONS]...
-h or --help                          Print help and exit
-v or --version                       Print version and exit
-dINT or --debug=INT                  Number of events to output then exit
-eSTRING or --event-output=STRING     term | rmeif | syslog | file
-wSTRING or --warning-output=STRING   term | rmeif | syslog | file
-i or --install-service               Install as NT service
-r or --remove-service                Remove as NT service
HRMCI9999I: Exiting...
2. J<N3^sIrBT9kH""@W?<, Windows 5<S9H7F$s9H
<k5l"Yp*hS$YsH,9YF79F`&m0 (Windows "Wj1<7
gs&$YsH&m0) KwP5l^9#
f:¥>rma_csids -i -w syslog -e syslog
HRMCI0030I: Attempting to install service: rma_csids
HRMCI0031I: Service installed: rma_csids
HRMCI9999I: Exiting...
3. GeK""@W?<NU)<^CH&U!$k csids.nt.fmt r Tivoli
Enterprise Console Logfile "@W?<NU)<^CH&U!$kK^<87F"
7,N CDS U!$kr8.7^9#3NBTKD$FO"VTivoli Enterprise
Console "@W?<¥,$IWr2H7F/@5$#
����������
3N;/7gsGO"Tivoli "I_K9Hl<?<, Tivoli Risk Manager Adapter
for Cisco Secure IDS KP7FBT9knHKD$Fb@7^9#
��������
=.,0;7?i"Tivoli Enterprise Console ?9/rHQ7F"@W?<r+O7
^9# 24Z<8NXCisco Secure IDS "@W?<N+OYNb@r2H9k+""
k$Oj0G"@W?<r+O9klgO"!NH*j~O7F/@5$#
Linux 79F`:
/etc/rc.d/init.d/rma_csids-init start
Solaris 79F`:
/etc/init.d/rma_csids-init start
Windows 79F`:
net start rma_csids
��������
79F`rFO09kH"Tivoli Risk Manager O Cisco Secure IDS Q"@W?<
rG<bsH7F+O9kh&K;CH"CW7^9#Cisco Secure IDS Q"@W
?<rj0Gd_9kKO"!NH*j~O7^9#
Linux 79F`:
/etc/rc.d/init.d/rma_csids-init stop
Solaris 79F`:
/etc/init.d/rma_csids-init stop
Windows 79F`:
net stop rma_csids
Tivoli Enterprise Console ���
Tivoli Risk Manager KO"H+N?9/&i$Vij<,"j^9#Tivoli Risk
Manager O?9/&i$Vij<rGU)kHN Tivoli Enterprise Console ]j7
<&j<8gs"TEC-Region K$s9H<k7^9#Tivoli Enterprise Console ?
9/O"Tivoli (sI]$sH*hSI}P]N<IeG5]<H5l^9#\Y
KD$FO"Tivoli Management Framework NqAr2H7F/@5$#Tivoli
Enterprise Console ?9/rBT9k0K",:¤"@W?<r Tivoli (sI]$s
HeK$s9H<k7F*$F/@5$#
Tivoli Risk Manager O"Cisco Secure IDS Q"@W?<KP7FJ<N Tivoli
Enterprise Console ?9/rs!7^9#
v Cisco_Start_Secure_IDS_Adapter_on_Linux
v Cisco_Start_Secure_IDS_Adapter_on_Solaris
v Cisco_Start_Secure_IDS_Adapter_on_Windows
v Cisco_Stop_Secure_IDS_Adapter_on_Linux
v Cisco_Stop_Secure_IDS_Adapter_on_Solaris
v Cisco_Stop_Secure_IDS_Adapter_on_Windows
v Cisco_Configure_DataFeed_Component
Cisco Secure IDS ��������
1. Tivoli G9/HCWG"VRisk Manager Task Library (Risk Manager ?9/¥i$Vij<)WH$&iYkNU$? Tivoli Enterprise Console ?9/&i
$Vij<r/jC/7^9#
2. HQ7F$k*Zl<F#s0&79F`KX"7? Tivoli Enterprise Console
?9/r/jC/7^9#
v VCisco_Start_Secure_IDS_Adapter_on_LinuxW
v VCisco_Start_Secure_IDS_Adapter_on_SolarisW
v VCisco_Start_Secure_IDS_Adapter_on_WindowsW
Cisco Secure IDS ��������
1. Tivoli G9/HCWG"VRisk Manager Task Library (Risk Manager ?9/¥i$Vij<)WH$&iYkNU$? Tivoli Enterprise Console ?9/&i
$Vij<r/jC/7^9#
2. HQ7F$k*Zl<F#s0&79F`KX"7? Tivoli Enterprise Console
?9/r/jC/7^9#
v VCisco_Stop_Secure_IDS_Adapter_on_LinuxW
v VCisco_Stop_Secure_IDS_Adapter_on_SolarisW
v VCisco_Stop_Secure_IDS_Adapter_on_WindowsW
Cisco Secure IDS Data Feed ���
3N?9/GO"Cisco Secure IDS QK";s5<H Tivoli Risk Manager "@W
?<VNL.,;CH"CW5l^9#
Tivoli Enterprise Console ?9/rHQ7F Cisco Secure IDS Q"@W?<N Data
Feed r=.9kKO"J<NnHrT$^9#
1. Tivoli G9/HCWG"VRisk Manager Task Library (Risk Manager ?9/¥i$Vij<)WH$&iYkNU$? Tivoli Enterprise Console ?9/&i
$Vij<r/jC/7^9#
2. VCisco_Configure_DataFeed_ComponentW?9/r/jC/7^9#
��������/��
Cisco Secure IDS Data Feed ���Cisco Secure IDS ������#��$������$����
"@W?<KhCFVP9¥(i< (Bus Error)WaC;<8^?O\3X"(i<
,=(5l?lg"=lirCn9kKO"J<N3^sIrHQ7^9#
UNIX and Linux:
% cd $NETRANGER/bin
% csidsDataFeed stop
% removeSemas
3liN3^sINBTeO"J<N3^sIrHQ7F" $NETRANGER/tmp G#
l/Hj<*hS $NETRANGER/tmp/queues G#l/Hj<bNU!$kr9YFo
|7F/@5$#
% cd $NETRANGER/tmp
% rm *.*
% cd queues
% rm *.*
Windows:
% cd %NETRANGER%¥bin
% csidsDataFeed stop
% cd %NETRANGER%¥tmp
3liN3^sINBTeO"J<N3^sIrHQ7F"%NETRANGER%¥tmp G#
l/Hj<*hS %NETRANGER%¥tmp¥queues G#l/Hj<bNU!$kr9YF
o|7F/@5$#
% del *.*
% cd queues
% del *.*
� 3 � ISS RealSecure IDS ������
3NOGO"J<Npsrs!7^9#
v X"@W?<N5WY
v 30Z<8NX$s9H<k*hS=.Y
v 30Z<8NX]j7<Nn.*hS,QY
v 32Z<8NX"@W?<I}?9/Y
v 33Z<8NX=N>NmUv`/djY
Internet Security Systems RealSecure Intrusion Detection System (ISS RealSecure IDS)
"?C/&70KAc<NlwO" 167Z<8NXU? B. ISS RealSecure IDS "
?C/&70KAc<Yr2H7F/@5$#
ISS RealSecure IDS =JKX9kpsO"!N Web 5$H+i~jG-^9#
http://www.iss.net
��������
Internet Security Systems (ISS) O"}g5l?/~!NWiCHU)<`G"k
ISS RealSecure IDS rs!7^9#ISS RealSecure IDS O8`KpE/"Wm<A
rHQ7F"MCHo</&HiU#C/H[9H&m0&(sHj<r"{NN
6ba=CI^?O=[5lk6ba=CIHfS7^9#ISS RealSecure IDS
O"?/NMCHo</*hS79F`I}"Wj1<7gsHFWK}gG-^
9#
ISS RealSecure IDS ;s5<O"MCHo</&Y<9N6bd79F`&(<8
'sHN6br!P9kH"SNMP HiCWrw.7^9#Tivoli SNMP "@W?
<,BT5lF$k Windows 79F` ^?O UNIX 79F` N$:l+N79
F`K3liN SNMP HiCW,>\w.5lkh&K"ISS RealSecure IDS r
=.9k3H,G-^9#
Tivoli Risk Manager Adapter for ISS RealSecure IDS O"ISS RealSecure $YsH
rhj~sGjXN?a$YsH&5<P<K>w9kh& Tivoli SNMP "@W?
<r=.9kU!$k+i=.5l^9#U!$kO!NH*jG9#
v tecad_snmp.cds
v tecad_snmp.oid
ISS RealSecure IDS U!$kQ"@W?<O"Tivoli Enterprise Console SNMP "@
W?<,V+lF$k[9HeK"j^9#
!N^O"ISS RealSecure IDS Q Tivoli Risk Manager "@W?<H$YsH&5
<P<NVN5,X8r(7^9#3N^GO"TEC O Tivoli Enterprise Console
rX7^9#
Figure 2. ISS RealSecure IDS adapter diagram
��������������
ISS RealSecure IDS Q Tivoli Risk Manager "@W?<O"!N*Zl<F#s
0&79F`G5]<H5lF$^9#
Table 4. Supported platforms
ISS RealSecure IDS (Server Sensor 5.5, Network Sensor 6.0) SNMP: components installed with it | AIX 4.3.3 | AIX 5.1 | Solaris 7 | Solaris 8 | WinNT 4.0 | Win2K
Tivoli Risk Manager Agent (Transport) | X X X X X
Tivoli Enterprise Console adapter | X | X | X | X | X | X
������
ISS RealSecure IDS Q Tivoli Risk Manager "@W?<O"!N ISS RealSecure
IDS =JG0n7^9#
v ISS RealSecure IDS Server Sensor
v ISS RealSecure IDS Network Sensor
?MJMCHo</uVdU#<Ac<&3s]<MsHKgo;F ISS
RealSecure IDS bK?<&Qia<?<r40G-^9#3liNQia<?<r
f{3s=<k+i=.9k3H,G-^9#
ISS RealSecure IDS =JKOJ<Nb8e<k,"j^9#
v MCHo</&Q1CHr}89k(s8s
v 1 D^?O#tN(s8srbK?<9k^M<8c<
v 79F`&m0rbK?<9k79F`&(<8'sH
GbNQU)<^s9r@k?aKO"(s8s4HKlQN3sTe<?<rH
Q7"1 fNf{3sTe<?<GI}!=rBT7F/@5$#
Tivoli Risk Manager N$s9H<k&QC1<8KO" SNMP "@W?<r=
.7F ISS RealSecure IDS "i<`r Tivoli Enterprise Console $YsHK^CW
9k?aKHQ9k" Tivoli Risk Manager .cds *hS .oid =.U!$k,^^l
F$^9#
SNMP ���
Tivoli Risk Manager N tecad_snmp.cds U!$krHQ7F SNMP "@W?<r
=.9kH"SNMP "@W?<O SNMP HiCWN!N 2 DN+F4j<r!P
7^9#3liN6bO"ISS RealSecure IDS ;s5<NMCHo</&(<8'
sH,bK?<7^9#
v MCHo</&Y<9N6b
MCHo</KP7FC(ilk6b#
167Z<8NXMCHo</&"?C/&70KAc<YK"Tivoli Risk
Manager KhCF=_5]<H5lF$kMCHo</&Y<9N6br(9
ISS RealSecure IDS SNMP $YsHNlwr(7^9#
v 5<P<&(<8'sH6b
MCHo</GOJ/"D9N[9HK~1FC(ilk6b#
169Z<8NX79F`&"?C/&70KAc<YK"Tivoli Risk Manager K
hCF=_5]<H5lF$k79F`&(<8'sH6br(9 ISS
RealSecure IDS SNMP $YsHNlwr(7^9#
Tivoli Enterprise Console Correlation
Tivoli Enterprise Console SNMP "@W?<O"Windows NT eGBT7F$k ISS
RealSecure IDS Management Console +iw.5lk SNMP HiCWr'17^
9#SNMP "@W?<O3liN SNMP $YsHr Tivoli Enterprise Console $Y
sHK^CW7" Tivoli Enterprise Console $YsHO$YsH&5<P<Kw.
5l"jX5l^9#
���� �����
ISS RealSecure IDS Q"@W?<N$s9H<kH=.O"!NjgGTCF/@
5$#
1. Tivoli Enterprise Console SNMP "@W?<r$s9H<k7^9#qN*Jj
gKD$FO"VTivoli Enterprise Console "@W?<&,$IWr2H7F/
@5$#
2. ISS RealSecure IDS Q"@W?<N/i9jA9F<HasH&U!$k
(tecad_snmp.cds) rT87^9#3NU!$kbK"kTWJ`\r3asH=
9k3HKhj""@W?<r40G-^9#
3. Risk Manager Adapter for ISS RealSecure IDS QC1<8KU07F$k
tecad_snmp.cds U!$kH tecad_snmp.oid U!$kr,Q9k3HKhj"
SNMP "@W?<r=.7^9#
4. /~!N$YsHr SNMP $YsHH7Fw.9kh&K ISS RealSecure IDS
;s5<r=.7^9#
5. ]j7<&U!$kr+9?^$:7"$YsHNQYr_j9kh&K ISS
RealSecure IDS ;s5<r=.7^9#
������������
ISS RealSecure IDS N+9?^$:D=J]j7<&U!$kO"HQD=J IDS
70KAc<HHQG-J$ IDS 70KAc<rXj7^9#^?"F70KAc
<NlWKP9k79F`N?~b1L7^9#ISS RealSecure IDS ]j7<&(
G#?<rHQ7F"77$]j7<rn.9k+"{8N]j7<r977^
9#3N]j7<Khj"$YsH&G<?Y<9 (logdb) K-?5lk70KA
c<,hj7^9#ISS RealSecure IDS $YsH&G<?Y<9K]I5lk$Y
sHO"ISS RealSecure IDS Q"@W?<,h}9k$YsHKBil^9#
!P!=rn.7"IP "Il9r ISS RealSecure IDS Q"@W?<N IP "Il
9K_j9k}!KD$FO"ISS RealSecure IDS qAr2H7F/@5$#^
?"ISS RealSecure IDS Q"@W?<N tecad_snmp.cds U!$kKhCF5]<
H5lF$k$YsH4HK"~zr Tivoli Enterprise Console SNMP "@W?<
(HiCWu.&) N IP "Il9K_j9k}!KD$FNb@b2H7F/@5
$#
�%�������
F ISS RealSecure IDS !P!=4HK"!P!=Nm0K]I5lk$YsH,3
s=<kN$YsH&G<?Y<9K>w5lkQYrGg=7F/@5$#QY
rGg=9k3HKhCF"Tivoli Enterprise Console N$YsH&3s=<kK*
1k$YsHNj"k?$`-?,~15l^9#
QYrGg=9k}!KD$FO"ISS RealSecure IDS qAr2H7F/@5$#
d)5lk_jO"1 DNm0K]I5lkGg-?t, 5000"G<?Y<91|
be`@, 1%"5iK0*G<?Y<9&"CWm<IN*rG9#
UNIX �� TME ��� SNMP ������������
Tivoli SNMP "@W?<N$s9H<k}!N04Jb@O"VTivoli Enterprise
Console "@W?<¥,$IWr2H7F/@5$#"@W?<r$s9H<k7?
H-O""@W?<,$YsH&5<P<^?O Tivoli Risk Manager Client KQ1
CHrNBKP)XjG-kh&K7F/@5$#
TME J0N SNMP "@W?<r_j9kKO"J<NnHrT$^9#
1. SNMP "@W?<r$s9H<k7^9#c(P"Solaris 79F`eG SNMP
"@W?<r /test/riskmgr/snmp/ G#l/Hj<K$s9H<k9kKO"
pkgadd rHQ7^9#
2. SNMP "@W?<r$s9H<k7?G#l/Hj<K\07^9#
3. tecad_snmp.conf =.U!$krT87"ServerLocation r^`Tr57^
9#
4. 3NTr!Nh&KQ97^9#
ServerLocation=IP address
33G"IP "Il9O"$YsH&5<P<N IP "Il9"^?O Tivoli
Risk Manager Client N IP "Il9G9#Lo"Tivoli Risk Manager Client O
SNMP "@W?<H18[9HeK$s9H<k5l^9#
5. $YsH&5<P<, Windows NT 79F`Nlg"^?O$YsHr Tivoli
Risk Manager Client Kw.7F$klgO"!NTbIC7F/@5$#
ServerPort=5529
6. SNMP HiCWru.9kh&K"/etc/services U!$kbN!N(sHj<
rQ97^9#/etc/services U!$kK!NTrIC7^9#
snmp-trap 162/tcp
snmp-trap 162/udp
7. Tivoli Enterprise Console $YsHN server tecad_snmp.cds U!$kH
tecad_snmp.oid U!$kr" Tivoli Risk Manager KU09kbNK (,WJ4
0rTC?eG) V-9(^9#
m: ISS RealSecure IDS Q"@W?<H Cisco k<?<Q"@W?<OIAib
Tivoli SNMP "@W?<&U!$kH Risk Manager "@W?<&U!$k
(tecad_snmp.cds"tecad_snmp.oid) rHQ7^9#Cisco k<?<+iHi
CWrhj~`lgO"3Njgr+jV9,WO"j^;s#
����������
3N;/7gsGO""I_K9Hl<?<, ISS RealSecure IDS QN"@W?<
KP7FBT9knHKD$Fb@7^9#
SNMP ��������
ISS RealSecure IDS Q"@W?<H Cisco k<?<Q"@W?<OIAib Tivoli
SNMP "@W?<rHQ7^9# ISS RealSecure IDS Q"@W?<r+O9k
H"Cisco k<?<QN SNMP "@W?<b+O5l^9#
Tivoli SNMP "@W?<&=UH&'"r$s9H<k7?G#l/Hj<K\0
7^9#GU)kHNLVOWiCHU)<`KhCF!Nh&K[Jj^9#
Windows 79F`:
%LCFROOT%¥bin¥w32-ix86¥tme¥tec¥adapters¥bin¥net start tecsnmpadapter
Windows NT NlgO"V3sHm<k QMkWrHQ7F SNMP "@W?<r
+O9k3HbG-^9#
AIX:
$LCFROOT/bin/aix4-r1/TME/TEC/adapters/bin/init.tecad_snmp start
Solaris:
$LCFROOT/bin/solaris2/TME/TEC/adapters/bin/init.tecad_snmp start
SNMP ��������
ISS RealSecure Q"@W?<H Cisco k<?<Q"@W?<OIAib Tivoli
SNMP "@W?<rHQ7^9#ISS RealSecure Q SNMP "@W?<rd_9k
lgO"Cisco k<?<QN SNMP "@W?<bd_9k3HKJj^9#
Tivoli SNMP "@W?<&=UH&'"r$s9H<k7?G#l/Hj<K\0
7^9#GU)kHNLVOWiCHU)<`KhCF!Nh&K[Jj^9#
Windows 79F`:
%LCFROOT%¥bin¥w32-ix86¥tme¥tec¥adapters¥bin¥net stop tecsnmpadapter
AIX 79F`:
$LCFROOT/bin/aix4-r1/TME/TEC/adapters/bin/init.tecad_snmp stop
Solaris 79F`:
$LCFROOT/bin/solaris2/TME/TEC/adapters/bin/init.tecad_snmp stop
��������/��
Real Secure "@W?<rBT9kH"!N(i<,/89k3H,"j^9#
Unexpected fallback to current time because timestamp error for class RS_XXX
33G"XXX O$YsH&/i9N>0G9#3N(i<O"HQ9k?$`&9
?sWNA0,[JkP<8gs 6.0 hj0N Real Secure "@W?<G/87^
9#3Ndjr$59kKO" realsecure.baroc U!$krT87"GU)kH
N rm_TimestampFmt 0-NMr TIME5 +i TIME3 KlgQ97^9#
3liNQ9r,Q9k?aKO"(<8'sHrd_7"F/07F/@5$#
� 4 � Cisco ���������
3NOGO"J<Npsrs!7^9#
v X"@W?<N5WY
v 37Z<8NX$s9H<k*hS=.Y
v 38Z<8NX"@W?<I}?9/Y
v 40Z<8NX=N>NmUv`Y
Cisco ,8q=7? mibs"traps"oid JINpsO"J<K(9 Cisco N Web 5
$HK"j^9#
http://www.cisco.com
^?"VTivoli Enterprise Console "@W?<¥,$IWN SNMP "@W?<KX9
kOb2H7F/@5$#
��������
Cisco k<?<OHiCWr!P7F SNMP $YsHr8.7^9#SNMP $Ys
HO"Tivoli SNMP "@W?<,T/7F$k Windows 79F`^?O UNIX 7
9F`K">\w.9k3H,G-^9#
Cisco k<?<QN Tivoli Risk Manager "@W?<O"Cisco k<?<&$YsH
rhj~sG"$YsH&5<P<K>w7FX"U1rT&h&K Tivoli SNMP
"@W?<r=.9k?aNU!$k+i=.5lF$^9#U!$kO!NH*
jG9#
v tecad_snmp.cds
v tecad_snmp.oid
Cisco k<?<Q"@W?<NU!$kO"Tivoli Enterprise Console SNMP "@W
?<,[V5lF$k(sI]$sHK"j^9#
<N^O"Cisco k<?<N3s]<MsH&"<-F/Ac<r(7?bNG9#
^fN TEC O"Tivoli Enterprise Console N3HrX7F$^9#
Figure 3. Cisco router adapter diagram
��������������
Cisco k<?<Q Tivoli Risk Manager "@W?<O"J<N*Zl<F#s0&7
9F`G5]<H5lF$^9#
Table 5. Supported platforms
Cisco router (IOS v11.2) SNMP: components installed with it | AIX 4.3.3 | AIX 5.1 | Solaris 7 | Solaris 8 | WinNT 4.0 | Win2K
Tivoli Risk Manager Agent (Transport) | X X X X X
Tivoli Enterprise Console adapter | X | X | X | X | X | X
Tivoli Enterprise Console Correlation
Tivoli Enterprise Console SNMP "@W?<O Cisco k<?<KhCFw.5lk
SNMP HiCWr'17F"=liN SNMP $YsHr Tivoli Enterprise Console
$YsHK^CW7^9#SNMP "@W?<O Tivoli Enterprise Console $YsH
r$YsH&5<P<Kw.7F"X"U1rT$^9#
Tivoli Risk Manager O Cisco k<?<&$YsHr">N?$WN;s5<+iw
.5lk=N>N$YsHHX"U1"Tivoli Risk Manager "I_K9Hl<?<
,/~!N$YsH4NrD.G-kh&K7^9#
SNMP X"/i9O"sensor_abstract.baroc U!$k*hS riskmgr.baroc U!
$kN/i9KhCF[Jj^9#crouter_snmp.baroc U!$kKO Cisco k<?
<QN/i9NI8*,^^lF$^9#
���� �����
Cisco k<?<Q"@W?<r$s9H<k7"=.9kKO"J<N9FCWK>
CF/@5$#
1. Tivoli Enterprise Console SNMP "@W?<r$s9H<k7^9#qN*Jj
gKD$FO"VTivoli Enterprise Console "@W?<¥,$IWr2H7F/@
5$#
2. Cisco k<?<N/i9jAU!$k (tecad_snmp.cds) rT87^9#3NU
!$kbK"kTWJ`\r3asH=9k3HKhj""@W?<r40G-
^9#
3. Cisco k<?<Q Risk Manager "@W?<&QC1<8KU0N
tecad_snmp.cds U!$k*hS tecad_snmp.oid U!$kr,Q7F"SNMP
"@W?<r=.7^9#
4. Cisco k<?<r"SNMP $YsHH7FNHiCWrw.9kh&K=.7
^9#
UNIX �� TME ��� SNMP ������������
Tivoli SNMP "@W?<N$s9H<k}!N04Jb@O"VTivoli Enterprise
Console "@W?<¥,$IWr2H7F/@5$#$s9H<k,0;7?i""
@W?<+i$YsH&5<P<^?O Risk Manager Client KQ1CHrw.G
-kh&K7^9#
TME J0N SNMP "@W?<r_j9kKO"J<NnHrT$^9#
1. SNMP "@W?<r$s9H<k7^9#c(P"Solaris 79F`eG SNMP
"@W?<r /test/riskmgr/snmp/ G#l/Hj<K$s9H<k9kKO"
pkgadd rHQ7^9#
2. SNMP "@W?<r$s9H<k7?G#l/Hj<K\07^9#
cd /test/riskmgr/snmp/etc
3. tecad_snmp.conf =.U!$krT87" ServerLocation r^`Tr57^9#
3NTr!Nh&KQ97^9#
ServerLocation=1.2.3.4
33G"1.2.3.4 O"$YsH&5<P<^?O Tivoli Risk Manager Client N
IP "Il9r(7^9#Lo"Tivoli Risk Manager Client O SNMP "@W?
<H18[9HeK$s9H<k5l^9#
4. $YsH&5<P<, Windows NT 79F`Nlg"^?O$YsHr Tivoli
Risk Manager Client Kw.7F$klgO"!NTbIC7F/@5$#
ServerPort=5529
5. SNMP HiCWru.9kh&K"/etc/services U!$kbN!N(sHj<
rQ97^9# /etc/services U!$kK!NTrIC7^9#
snmp-trap 162/tcp
snmp-trap 162/udp
6. $YsH&5<P<N tecad_snmp.cds U!$k*hS tecad_snmp.oid U!$
kr"(Ae<Ks0K,WJ"CWG<H,Qs@) Tivoli Risk Manager Kh
CFs!5lkU!$kGV-9(^9#
m: ISS RealSecure IDS Q"@W?<H Cisco k<?<Q"@W?<OIAib
Tivoli SNMP "@W?<&U!$kH Risk Manager "@W?<¥U!$k
(tecad_snmp.cds"tecad_snmp.oid) rHQ7^9#Cisco k<?<+iHi
CWrhj~`lgO"3Njgr+jV9,WO"j^;s#
����������
3N;/7gsGO"Cisco k<?<Q"@W?<N?9/KD$Fb@7^9#
SNMP ��������
Internet Security System (ISS) RealSecure Q"@W?<H Cisco k<?<Q"@W
?<OIAib Tivoli SNMP "@W?<rHQ7^9#ISS RealSecure IDS Q
SNMP "@W?<r+O9kH"Cisco k<?<Q SNMP "@W?<b+O5l^
9#
SNMP "@W?<rj0G+O9kKO"Tivoli SNMP "@W?<&=UH&'"
r$s9H<k7?G#l/Hj<K\07^9#WiCHU)<`LNGU)k
HNLVO!NH*jG9#
Windows NT 79F`:
%LCFROOT%¥bin¥w32-ix86¥tme¥tec¥adapters¥bin¥net start tecsnmpadapter
Windows NT NlgO"V3sHm<k QMkWrHQ7F SNMP "@W?<r
+O9k3HbG-^9#
AIX 79F`:
$LCFROOT/aix4-r1/TME/TEC/adapters/bin/init.tecad_snmp start
Solaris *Zl<F#s0D- (Solaris) 79F`:
$LCFROOT/solaris2/TME/TEC/adapters/bin/init.tecad_snmp start
SNMP ��������
ISS RealSecure IDS Q"@W?<H Cisco k<?<Q"@W?<OIAib Tivoli
SNMP "@W?<rHQ7^9#ISS RealSecure IDS Q SNMP "@W?<rd_
9kH"Cisco k<?<Q SNMP "@W?<bd_5l^9#3lO" 2 DN"
@W?<,&LNU!$k tecad_snmp.cds H tecad_snmp.oid r&Q7F$k?
aG9#
SNMP "@W?<rj0Gd_9kKO"Tivoli SNMP "@W?<&=UH&'"
r$s9H<k7?G#l/Hj<K\07^9#WiCHU)<`LNGU)k
HNLVO!NH*jG9#
Windows NT 79F`:
%LCFROOT%¥bin¥w32-ix86¥tme¥tec¥adapters¥bin¥net stop tecsnmpadapter
Windows NT NlgO"V3sHm<k QMkWrHQ7F SNMP "@W?<r
d_9k3HbG-^9#
AIX 79F`:
$LCFROOT/aix4-r1/TME/TEC/adapters/bin/init.tecad_snmp stop
Solaris 79F`:
$LCFROOT/solaris2/TME/TEC/adapters/bin/init.tecad_snmp stop
SNMP &�'���
ISS RealSecure IDS Q"@W?<H Cisco k<?<Q"@W?<OIAib Tivoli
SNMP "@W?<rHQ7^9#ISS RealSecure IDS Q SNMP G<bsrd_9
kH"Cisco k<?<QN SNMP G<bsbd_7^9#
SNMP G<bsrd_9kKO"J<Nh&K7^9#
1. J<r~O7F SNMP G<bsN ID r+D1^9#
ps -ef | grep snmpd
2. !N3^sIr/T7^9#
kill -9 pid
33G"pid O"SNMP G<bsN ID G9#
�%����#����
Tivoli J0ND-GO (s TME "@W?<rHQ7F$klg)"$YsH&5<
P<K$YsH,>w5lkh&K tecad_snmp.conf =.U!$krT87^9#
3NU!$krT89kKO"J<Nh&K7^9#
1. Tivoli Enterprise Console SNMP "@W?<r$s9H<k7? /etc G#l/H
j<K\07^9#
2. tecad_snmp.conf U!$krT87F"!N(sHj<rQ97^9#
ServerLocation=ip_address
ip_address O"$YsH&5<P<^?O Tivoli Risk Manager Client N IP "
Il9G9#
UNIX �������� ���
SNMP HiCWru.9kh&K"UNIX /etc/services U!$kbN!N(sH
j<rQ97^9#
snmp-trap 162/tcp # snmp monitor trap port
snmp-trap 162/udp # snmp monitor trap port
��������
Cisco �������
SNMP Tivoli Enterprise Console "@W?<O SNMP P<8gs 1 NHiCWrh
}7^9#
Cisco ���������
J<Nj9HO"$YsH&5<P<K>w5lk Tivoli Risk Manager $YsH
r8.9k"Cisco G-NHiCWr(7?bNG9#
Enterprise                    Trap type
1.3.6.1.4.1.9.2.11.1 logonIntruder
1.3.6.1.4.1.437.1.1.3 logonIntruder
1.3.6.1.4.1.437.1.1.3 broadcastStorm
1.3.6.1.4.1.9 reload
1.3.6.1.4.1.9 tcpConnectionClose
������
J<Nj9HO"FoN+F4j< (=."H]m8<"]<H"k<HQ9JI)
K09kHiCWr(7?bNG9#
1.3.6.1.4.1.9.9.43.2 ciscoConfigManEvent
1.3.6.1.4.1.9.5 sysConfigChangeTrap
1.3.6.1.2.1.47.2 entConfigChange
1.3.6.1.2.1.17 newRoot
1.3.6.1.2.1.17 topologyChange
1.3.6.1.4.1.9.1.111.1.2.3 cat2600TsDmnNewRoot
1.3.6.1.4.1.9.1.111.1.2.3 cat2600TsDmnTopologyChange
1.3.6.1.4.1.9.2.11.1 ipAddressChange
1.3.6.1.4.1.437.1.1.3 ipAddressChange
1.3.6.1.4.1.9.5.14.1.1 ciscoEsStackCfgChange
1.3.6.1.4.1.9.5.14.4 ciscoEsPortStrNFwdEntry
1.3.6.1.4.1.9.5.14.8 ciscoEsVLANNewRoot
1.3.6.1.4.1.9.5.14.8 ciscoEsVLANTopologyChange
���� SNMP �������
J<Nj9HO"lL*J SNMP 'Zc2HiCWN+F4j<K09kHiCW
r(7?bNG9#
1.3.6.1.2.1.11 authenticationFailure
� 5 � Cisco Secure PIX Firewall ������
3NOGO"J<Npsrs!7^9#
v X"@W?<N5WY
v 45Z<8NX=JN5bY
v 47Z<8NX$s9H<kY
v 48Z<8NX=.Y
v 50Z<8NXTivoli Enterprise Console ?9/Y
v 55Z<8NX"@W?<I}?9/Y
Cisco Secure PIX Firewall NqAO"J<N Web 5$HK"j^9#
http://www.cisco.com
��������
Cisco Private Internet Exchange (PIX) Firewall O";-ejF#<&]j7<XNQ
9*hS;-ejF#<&]j7<KP7Fn_il?6br!P7F-?9k"
TNNU!$"&)<kG9# Tivoli Risk Manager KO Tivoli Logfile "@W?<
(UNIX Q) *hS Windows Event Log "@W?<N?aNH%!=,"j^9#
\qGO"J<NQlrHQ7F$^9#
v Tivoli Logfile "@W?< (UNIX Q) *hS Windows Event Log "@W?<
O"Cisco Secure PIX Firewall Q"@W?<HFPlF$^9#
v Cisco Secure PIX Firewall O"Tivoli Risk Manager ;s5<HFPlF$^9#
Cisco Secure PIX Firewall Q"@W?<O"Tivoli Logfile "@W?<&U)<^C
H&U!$k*hS Windows Event Log "@W?<&U)<^CH&U!$k (=
l>l"pix.fmt *hS pix_nt.fmt) G=.5lF$^9#Tivoli Risk Manager O
3liNU)<^CH&U!$krHQ7F";-e"&"@W?<r=.7^
9#3N"@W?<O Cisco Secure PIX Firewall ;s5<KhCFm0PO5l?
$YsHrhj~sG"8.5lkm0&aC;<8r Tivoli Enterprise Console
$YsHK^CW7^9#
Cisco Secure PIX Firewall Q"@W?<O"Cisco Secure PIX Firewall ;s5<+
iNm0&aC;<8,w.5lkh&K=.5lF$k[9HKos7^9#3
N[9HO"UNIX 79F`^?O Windows 79F`N$:l+G9#Windows
79F`&[9HXNm.s0KO Cisco PIX Firewall Syslog Server (PFSS) ,,
WG9#
����(��)���*� �+�
Tivoli Risk Manager O";s5<Nm0&aC;<8EgYr Tivoli Enterprise
Console $YsHEgYK!Nh&K^CW7^9#
© Copyright IBM Corp. 2001, 2002 43
Cisco Secure PIX Firewall m0&aC;<8
EgY
Tivoli Enterprise Console $YsHN
EgY
7 GPC0 HARMLESS
6 ps HARMLESS
5 LN HARMLESS
4 Yp WARNING
3 (i< MINOR
2 /jF#+k CRITICAL
1 "i<H CRITICAL
0 [^ FATAL
Tivoli Enterprise Console Correlation
Cisco Secure PIX Firewall O"Tivoli Logfile "@W?< (*hS syslogd) (UNIX
Q)"Windows Event Log "@W?< (*hS PFSS) rHQ7F$YsHr8.7
^9#Windows"AIX"^?O Solaris 79F`GO"Cisco Secure PIX Firewall K
hCFm0PO5l?U!$"&)<kX"N$YsH,""@W?<KhCF'
15l^9#Cisco Secure PIX Firewall Q"@W?<O"3liN$YsHr
Tivoli Enterprise Console $YsHK^CW7^9#Tivoli Risk Manager U)<^C
H&U!$kOU!$"&)<k&$YsHr Tivoli Risk Manager $YsHK^
CW7"$YsH&5<P<O3N Tivoli Risk Manager $YsHHNX"U1r
T$^9#
Tivoli Risk Manager O"pix.baroc U!$kr$YsH&5<P<eK$s9H<
k7^9#3N BAROC U!$kKhCF"$YsH&5<P<O"u.9k
Cisco Secure PIX Firewall $YsHr'17Fh}9k3H,G-^9#Cisco
Secure PIX Firewall $YsHO!N 2 DN+F4j<K,1il^9#
v /~X"
v s/~X"
Tivoli Risk Manager O/~X"$YsHr RM_IDSEvent /i9KjA7"s/
~X"$YsHr RM_MiscEvent /i9KjA7^9#
��������������
Cisco Secure PIX Firewall Q Tivoli Risk Manager "@W?<O"J<N*Zl<F
#s0&79F`G5]<H5lF$^9#
= 6. 5]<HP]WiCHU)<`
Cisco Secure PIX FW(6.1)
HbK$s9
H<k5lk
3s]<Ms
H
AIX 4.3.3 AIX 5.1 Solaris 7 Solaris 8 WinNT 4.0 Win2K
Tivoli Risk
Manager
Agent
(Transport)
X X X X X
= 6. 5]<HP]WiCHU)<` (3-)
Tivoli
Enterprise
Console "@
W?<
X X X X X X
�����
Cisco Secure PIX Firewall Model 506 ;s5<O"=Np\=UH&'"H7FN
FQ*Zl<F#s0&79F`r}?J$NG"MCHo</!oH+J93H
,G-^9#3N;s5<O"bK?<*hS"<+$VQKm0&aC;<8r
jb<H&[9HKw.9kh&K=.7J1lPJj^;s#Tivoli Management
Enterprise (TME) "@W?<H%!=O3Njb<H&[9HK$s9H<k7^
9#"@W?<O Tivoli Risk Manager NH%!=rHQ7F"m0PO5lk
Cisco Secure PIX Firewall m0&aC;<8rbK?<7^9#UNIX 79F`G
O"aC;<8Nm0POK syslogd ,HQ5l^9#Windows 79F`GO"a
C;<8Nm0POK Cisco PIX Firewall Syslog Server ,HQ5l^9#
=Nm0&aC;<8, Tivoli Risk Manager H%U)<^CH&U!$kNU)
<^CH&9F<HasHHlW9kH";-e"&"@W?<O=Nm0&aC
;<8+iEWJpsr}87"=lr Tivoli Risk Manager $YsHH7F$Y
sH&5<P<K>w7^9#
PFSS O Cisco Secure PIX Firewall Model 506 KOU07F$^;s#3lO
Cisco Web 5$H+i@&sm<I9k,W,"j^9#PFSS N@&sm<I"
$s9H<k"*hS=.KD$FO"VInstallation Guide for the Cisco Secure
PIX Firewall Version 5.1Wr2H7F/@5$#
m: Cisco PIX Firewall Syslog Server (PFSS) rHQ7F$klgO"Windows NT
Service Pack 6 r$s9H<k9k3Hr*+a7^9#
����,�� ���%�
U!$"&)<kO"btMCHo</N]nKr)DHHbK"/~KP9k"
i<HrP9h&K_W5lF$^9#U!$"&)<kO"U!$"&)<kX
"N$YsHr"$/D+N[Jk+F4j<K,1Fl]<H7^9#U!$"
&)<kX"N$YsHKO"!NbN,"j^9#
v 'ZN:T
v vDN:T
v \3Nq]
v MCHo</&"Il9Q9 (NAT) *hS]<H&"Il9Q9 (PAT) Nc2
Risk Manager ������,�� ��%����
Tivoli Risk Manager jXGO"4 DN0-KG@rJCF"$YsH&G<?,G
<?NQ?<sKP~7F$k+I&+r4Y^9#
v =<9 IP "Il9
v 8h IP "Il9
h 5 O Cisco Secure PIX Firewall Q"@W?< 45
v "?C/&70KAc<
v +9?^< ID (*W7gs)
U!$"&)<kOlLKm0&aC;<8KOU!$"&)<k&;s5<N[
9H IP "Il9rq-~_^;s,"~^"m0&aC;<8KU!$"&)<
kN$s?<U'<9>,=lk3H,"j^9# UNIX GO"Tivoli Logfile "
@W?< (syslogd) ,"aC;<8Nh,K=Nm0&aC;<8w.&N IP "I
l9r+0*KUC7^9#Windows GO"3lrT&h&K PFSS r=.9k3
HOG-^;s#
Cisco Secure PIX Firewall for Windows Q"@W?<Nlg"
rm_SensorHostname 0-*hS rm_SensorIPAddr 0-,"Cisco Secure PIX
Firewall ;s5<N[9H>H IP "Il9GOJ/"Tivoli Risk Manager "@W
?<H PFSS ,T/7F$k[9HN[9H>H IP "Il9K_j5l^9#
Cisco Secure PIX Firewall for Windows Q"@W?<O";s5<+iN3li 2
DNEgJpsK"/;9G-J$?a"!K,ZJps — Tivoli Risk Manager
"@W?<H PFSS ,BT7F$k[9HN[9H>rHQ7F3liN0-r_
j7^9#D^j"$YsH&5<P<K;s5<psH7F>w5lkpsO"
B]KO Tivoli Risk Manager "@W?<N[9HpsH$&3HKJj^9#
GgG 10 DN Cisco Secure PIX Firewall ;s5<+im0&aC;<8ru.9
kh&K PFSS r=.9k3H,G-^9#3N=.GO"3N 10 DN Cisco
Secure PIX Firewall ;s5<+i/.5lk$YsHO9YF"1 DN;s5<+
iN$YsHH7F=(5l^9#
UNIX 79F`Nlg"rm_SensorIPAddr 0-O"syslogd 9Hjs0N 2 V\
NMG"k Cisco Secure PIX Firewall ;s5<N IP "Il9K_j5l^9#
Cisco Secure PIX Firewall ;s5<N[9H>OHQG-J$?a
rm_SensorHostname 0-OM N/A K_j5l"3li 2 DNX"9kMO
UNIX 79F`GT/7F$k Cisco Secure PIX Firewall Q"@W?<K0g9k
h&]?l^9#
UNIX 79F`H Windows 79F`NIAiNlgKb"Cisco Secure PIX
Firewall Q"@W?<,""?C+<N[9H>d6bN?<2CHKX9kps
ru.9k3HO"j^;s#U!$"&)<kO IP X (Q1CH) U#k?<G
"k?a"IP "Il9@1,HQG-k#lNG<?G9#U#k?<O"6bK
X87F$k[9H IP "Il9eN>0kC/"CWKD$FN[jrT$^;
s (^?"BTN?aN?$`"&Hbhj^;s)#3N?aK"Cisco Secure PIX
Firewall QN"@W?<O rm_SourceHostname H rm_DestinationHostnameNIAib_j7^;s#3liN$YsH0-O"GU)kHM N/A N^^G9#
=NG<?,9Hjs0bK"klgO"PIX Firewall "@W?<KhCF
rm_SourceIPAddr *hS rm_DestinationIPAddr ,_j5l^9#
[HsIN Cisco Secure PIX Firewall m0&aC;<8KO IP "Il9,^^l
F$^9,"8`"?C/&70KAc<O^^lF$^;s#3lO"U!$"
&)<k,3N70KAc<NP=r,:7b6bH7F=G9ko1GOJ$?
aG9#
�����%����� Cisco Secure PIX Firewall ��-./�
[HsIN Cisco Secure PIX Firewall m0&l3<IKO IP "Il9,^^lF
$^9,"8`"?C/&70KAc<O^^lF$^;s#/~X"N Cisco
Secure PIX Firewall m0&aC;<8KX7F"Tivoli Risk Manager GO"70K
Ac<H7F!N9Hjs0,s!5l^9#
fw_conn_deny \3,]'5l?#
fw_pkt_modified Cisco Secure PIX Firewall O]4N?aKQ1CHrQ97
?#
fw_xlate_deny MCHo</&"Il9Q9 (NAT) ^?O]<H&"Il9Q
9 (PAT) N:TKhj"Q1CH,|n5l?#
fw_tunn_deny HsMkNEf=^?OEf=r|,]'5l?#
fw_acl_deny "/;9&0k<WvDN:TKhj"Q1CH,|n5l
?#
fw_auth_deny 'ZN:TKhj"Q1CH,|n5l?#
fw_ipsec HsMkbN IPSEC VPN $YsHN'Z,:T7?D=-,
"k#
������%����� Cisco Secure PIX Firewall ��-./�
/~r1L7J$ Cisco Secure PIX Firewall $YsHKD$FO"Cisco Secure
PIX Firewall Q"@W?<, RM_MiscEvent +iI87?/i9K$YsHrw
.7^9#Cisco Secure PIX Firewall Q"@W?<O"s/~X" Nm0&aC;
<8r!Nh&K3<I=7^9#
fw_pixfw_signature Cisco Secure PIX Firewall catchall 70KAc<#
fw_snmp 7sWk&MCHo</I}WmH3k (SNMP) $YsH#
fw_conn_permit \3,vD5l?#
fw_xlate_permit MCHo</&"Il9Q9 (NAT) ^?O]<H&"Il9
Q9 (PAT) ,5oG"k#
fw_failover "kU!$"&)<k+i=NPC/"CWXNU'$k*<
P< (bDQ-!=) ,/87?#
fw_authentication 'Z$YsH#
fw_routing U!$"&)<kK*1kk<F#s0dj#
fw_configuration U!$"&)<kN=.NQ9^?O=lKX9kdj#
fw_internal U!$"&)<kK*1kbt(i<#
����
Cisco Secure PIX Firewall Q"@W?<r$s9H<k9k0K""i+8a"
Cisco Secure PIX Firewall ;s5<r$s9H<k7F*+J1lPJj^;s#
^?"4HQNWiCHU)<`Q"@W?<b$s9H<k7J1lPJj^;
s#$s9H<kjgKD$FO"VTivoli Enterprise Console "@W?<¥,$
IWr2H7F/@5$#
Cisco Secure PIX Firewall N Tivoli Enterprise Console ?9/,BT7F$k79F
`H1879F`K"Tivoli Risk Manager Perl 5]<Hr$s9H<k7F*+J
1lPJj^;s#
"@W?<O"Tivoli D-N Tivoli (sI]$sH+"Tivoli J0NN<IK$s
9H<kG-^9#
. /etc/Tivoli/rma_eif_env.sh
��
Tivoli D-G Cisco Secure PIX Firewall Q"@W?<r=.9kKO"!N?9/
rBT7^9#
1. ,WK~8F"Cisco Secure PIX Firewall Q"@W?<NU)<^CH&U!$
krT87^9#Cisco Secure PIX Firewall Q"@W?<O"3NU)<^C
H&U!$kbN(sHj<r*r7F3asH=9k3HKhCF40G-^
9#
UNIX 79F`pix.fmt
Windows 79F`pix_nt.fmt
2. \qN 11Z<8NXTivoli Risk Manager H"@W?<NU)<^CH&U!$
kNkgY^?OVTivoli Enterprise Console "@W?<¥,$IWNb@K>C
F"Tivoli Risk Manager "@W?<&U)<^CH&U!$kH Tivoli U)<
^CH&U!$kr^<87F+i"/i9jA9F<HasH (.cds) U!$k
r8.7^9#
UNIX 79F`pix.fmt U!$kr{8N tecad_logfile.fmt U!$kNvxKUC7
^9#
m: Solaris eG$s9H<k9kH-O"Solaris syslog aC;<8 ID
*W7gsrHQTDK9k,W,"j^9#
/kernel/drv/log.conf bK msgid=0 r,:_j7F*$F/@5
$#
Windows 79F`pix_nt.fmt U!$kr{8N tecad_nt.fmt U!$kNvxKUC7^
9#
3. J<N:v9kU!$kr,Q7^9#
UNIX 79F`:pix.fmt
Windows 79F`:pix_nt.fmt
Cisco Secure PIX Firewall ���������
Cisco Secure PIX Firewall Q"@W?<rHQ9k]KO"m<+k TCP/IP ]<
HK PIX $YsH,>w5lkh&K"Tivoli Enterprise Console Logfile "@W?
< (^?O Windows Event Log "@W?<) r=.7F/@5$#"@W?<,
Tivoli Risk Manager 3.8 HloK$s9H<k5lF$klgO Tivoli Risk
Manager Event Integration Facility Gs!5lkm<+k TCP/IP ]<Hr""@W
?<, Tivoli Risk Manager 4.1 HloK$s9H<k5lF$klgO Tivoli
Risk Manager Client Gs!5lkm<+k TCP/IP ]<Hr PIX $YsHN>w
hK7^9#
Tivoli Risk Manager Event Integration Facility ^?O Tivoli Risk Manager Client r
$YsHN>whK9kH"Tivoli Risk Manager Ws(s8sGh}5l^9#
Tivoli Risk Manager 3.8 Nlg"Tivoli Risk Manager Event Integration Facility Nm
<+k TCP/IP ]<Hr PIX $YsHN>whK9kKO"J<N9FCWrBT
7^9#
1. s TME P<8gsN UNIX Logfile "@W?<"^?Os TME P<8gsN
Windows Event Log "@W?<,$s9H<k5lF$k3HrN'7^9#
2. Tivoli Risk Manager Event Integration Facility ,$s9H<k5lF$k3Hr
N'7^9#
3. PIX U)<^CH&U!$k pix.fmt rHQ9kh& UNIX Logfile "@W?
<r=.9k+"pix_nt.fmt U)<^CH&U!$krHQ9kh& Windows
Event Log "@W?<r=.7^9#
4. "@W?<QN=.U!$k (tecad_logfile.conf ^?O tecad_win.conf) b
KJ<NQia<?<r_j7F"m<+k&]<H,$YsHNw.hKJk
h&K"@W?<r=.7^9#
ServerLocation=localhost
ServerPort=5529
5. Tivoli Risk Manager Event Integration Facility =.U!$k (rmad.conf) bKJ
<NQia<?<r_j7F"Tivoli Enterprise Console 5<P<,$YsHN
w.hKJkh&K Tivoli Risk Manager Event Integration Facility r=.7^
9#
ServerLocation=tecserver
33G"tecserver Of<6<ND-K"k Tivoli Enterprise Console 5<P<N
[9H>G9#
ServerPort=5529
?@7"3N5<P<, UNIX 5<P<Nlg"ServerPort O 0 G9#
Tivoli Risk Manager 4.1 Nlg"Tivoli Risk Manager Client Nm<+k TCP/IP ]
<Hr PIX $YsHN>whK9kKO"J<N9FCWrBT7^9#
1. s TME P<8gsN UNIX Logfile "@W?<"^?Os TME P<8gsN
Windows Event Log "@W?<,$s9H<k5lF$k3HrN'7^9#
2. Tivoli Risk Manager Client ,$s9H<k5lF$k3HrN'7^9#
3. PIX U)<^CH&U!$k pix.fmt rHQ9kh& UNIX Logfile "@W?<
r=.9k+"pix_nt.fmt U)<^CH&U!$krHQ9kh& Windows
Event Log "@W?<r=.7^9#
4. "@W?<QN=.U!$k (tecad_logfile.conf ^?O tecad_win.conf) b
KJ<NQia<?<r_j7F"m<+k&]<H,$YsHNw.hKJk
h&K"@W?<r=.7^9#
ServerLocation=localhost
ServerPort=5529
$s9H<kfK"Tivoli Risk Manager Tivoli Enterprise Console 5<P<,$
YsHNwPhKJkh&K"Risk Manager Client ,=.5l^9#
Cisco Secure PIX Firewall ���
i|$s9H<kH ACF =.NeO"J<N9FCWrBT7F"Cisco Secure
PIX Firewall r=.7^9#
1. Tivoli Enterprise Console GO PIX_Configure_Firewall_Logging ?9/rHQ
7F"Cisco Secure PIX Firewall ;s5<N$YsHNm0PO}!r=.7^
9#b@KD$FO" 54Z<8NX;s5<&m.s0=.NQ9Yr2H7
F/@5$#
2. Cisco Secure PIX Firewall Q"@W?<rHQ9k0K";s5<Km0*s7
F"/mC/_jr!Nh&K=.7^9#
clock set hh:mm:ss month day year
3. Windows Event Log "@W?<rHQ9klgO"=.U!$k tecad_nt.conf
rT87^9#b@KD$FO" 56Z<8NX=.U!$kNT8Yr2H7
F/@5$#
4. ;-e"&"@W?<rd_7FFO07"=.NQ9r-zK7^9#
Tivoli Enterprise Console ���
m: Tivoli Enterprise Console N Cisco Secure PIX Firewall ?9/O"AIX *hS
Solaris NWiCHU)<`GN_HQD=G9#
Tivoli Risk Manager O"Cisco Secure PIX Firewall QN Tivoli Enterprise Console
?9/rs!7^9#
v PIX_Configure_Firewall_Access O";s5<N"/;9=.rQ97^9#
v PIX_Show_Firewall_Configuration O";s5<N=.psr=(7^9#
v PIX_Configure_Firewall_Logging O";s5<Nm.s0=.rQ97^9#
m: Cisco Secure PIX Firewall N Tivoli Enterprise Console ?9/O"AIX *hS
Solaris NWiCHU)<`GN_HQD=G9#
Cisco Secure PIX Firewall ���������
Tivoli Enterprise Console G Cisco Secure PIX Firewall ?9/rHQ9k0K"J<
N@rN'7F/@5$#
v Cisco Secure PIX Firewall ?9/,BT7F$k79F`H1879F`K"
Tivoli Risk Manager Perl 5]<Hr$s9H<k7F*+J1lPJj^;s#
AIX *hS Solaris GO""@W?<N?9/K,WJ Perl 5]<H, Tivoli
Risk Manager KhCFH_~^lF$^9#
v Tivoli Enterprise Console N"I_K9Hl<?<O";s5<N IP "Il9"
;s5<NQ9o<I"*hS;s5<N enable Q9o<IrNCF*+J1
lPJj^;s#3lOC"3^sIr;s5<eGBT9k"Brh@9k?
aK,WG9#;-e"&MCHo</+i;s5<Nbt$s?<U'<9K
telnet Gm0$s9kKOvD,,WG9#3NvDO"U!$"&)<kN"
I_K9Hl<?<,j0GXj7^9#
v U!$"&)<kN"I_K9Hl<?<O"Tivoli Enterprise Console "I_K
9Hl<?<K3N 2 DNQ9o<IrNi;k3HKhCF"Tivoli Enterprise
Console ?9/KP9kG**J)f"r}D3HKJj^9#U!$"&)<
kN"I_K9Hl<?<O"Tivoli Enterprise Console "I_K9Hl<?<N
U!$"&)<k!=r|n9k?aNQ9o<IrQ99k3H,G-^9#
U!$"&)<kN"I_K9Hl<?<O",WJQ9o<IrO90K"
Tivoli Enterprise Console "I_K9Hl<?<,=N5$HN;-ejF#<&
]j7<r=,K}r7F$k+I&+N'7J1lPJj^;s#G**K"
U!$"&)<kN"I_K9Hl<?<OU!$"&)<kKm0$s9k?
aN!=r]}7F*-"Tivoli Enterprise Console "I_K9Hl<?<,
Tivoli Enterprise Console ?9/rp7F/T7?T,WJ3^sIrK~7^
9#Tivoli Enterprise Console "I_K9Hl<?<O"Q9o<IrQ97?
j"U!$"&)<kN"I_K9Hl<?<rmC/"&H7?jOG-^;
s#
0�1�������������
=.3^sI (Q9o<Ir^`) O"?9/rBT7F$k[9H+i Cisco
Secure PIX Firewall ;s5<K"Ef=5l:Kw.5l^9#Q9o<IKP7
FOEf=d]4-!:,TolJ$?a"Tivoli Enterprise Console ?9/rBT
7F$k[9HH Cisco Secure PIX Firewall ;s5<VN>[Wi$Y<H&MC
Ho</ (VPN) HsMkrjA7Fn05;F/@5$#VPN HsMkNjA*
hSn0Nb@KD$FO"VConfiguration Guide for the Cisco Secure PIX
Firewall Version 5.1Wr2H7F/@5$#
�������������
3N Tivoli Enterprise Console ?9/O";s5<N=.rQ99klg"^?O
\3rVmC/=/sVmC/=9klgKHQ7^9#Tivoli Enterprise Console ?
9/rBT9k0K¤,:¤"@W?<r(sI]$sHeK$s9H<k7F*$
F/@5$#
;s5<&"/;9=.rQ99kKO"J<NnHrT$^9#
1. Tivoli G9/HCWG"VRisk Manager Task Library (Risk Manager ?9/¥i$Vij<)WH$&iYkNU$? Tivoli Enterprise Console ?9/&i
$Vij<r/jC/7^9#
2. VPIX_Configure_Firewall_AccessW?9/r*r7^9#
3. ?9/G-NQia<?<r_j7^9#_jG-kQia<?<O!NH*j
G9#
IP address (IP "Il9) "/;9=.rQ97?$ Cisco Secure PIX Firewall ;s5<N
IP "Il9rXj7^9#3NQia<?<O,\G9#
Telnet password
(Telnet Q9o<I)
Cisco Secure PIX Firewall ;s5<XN"/;9r'D9k telnet
Q9o<IrXj7^9#3NQia<?<O,\G9#
Configuration (enable)
password (=.
(enable) Q9o<I)
Cisco Secure PIX Firewall ;s5<N=.rQ99k3Hr'D9
k enable Q9o<IrXj7^9#3NQia<?<O,\G
9#
Action ("/7gs) 3NQia<?<O,\G9#J<N;s5<&"/7gsNf+
i"/7gsr 1 DXj7^9#
v 7,N]'NIC
v {8N]'N|n
DjNQia<?<,"J0KIC7?]'NQia<?<H5
NKlW9kh&K7J1lPJj^;s#
v =TN Cisco Secure PIX Firewall "/;9=.N=(#
3NQia<?<rHQ9kH"Cisco Secure PIX Firewall N"
/;9&j9H""/;9&0k<W"*hSEf=^CW,=
(5l^9#3liO"eN"/7gsN?aN,ZJ"/;
9&j9Hr1L9k?aKHQG-^9#
3NGU)kHMO 7,N]'NICG9#3NQia<?<O
,\G9#
Access list ("/;9&
j9H)
]'rIC^?O|n9k Cisco Secure PIX Firewall ;s5<N
"/;9&j9HrXj7^9#
"/;9&j9H,{K8_7F$klgO"VShow access("/;9N=()WrXj7F3NQia<?<rHQ9k3HK
hCF",ZJ"/;9&j9Hr*r7F/@5$#
"/;9&j9H,8_7F$J$lgO"77$"/;9&j9
H,n.5l^9,"3lO$s?<U'<9^?OEf=^CW
KOP$sI5l^;s#Cisco Secure PIX Firewall ;s5<GP
$sIrj0GBT7J1lPJj^;s#P$sI,0;9k^
G"HiU#C/O]'5l^;s#
3NQia<?<O,\G9#
Protocol (WmH3k) ]'"/7gsN IP WmH3krXj7^9#
Cisco Secure PIX Firewall ;s5<,5]<H9k IP WmH3k
Vf (c"6) ^?O IP WmH3k&jFik> (c"tcp) rX
jG-^9#
3NQia<?<rVis/K7?lg" IP WmH3k
(TCP"UDP"ICMP) O]'5l^9#
3NQia<?<O*W7gsG9#
Source IP address (=<
9 IP "Il9)
]'"/7gsN=<9 IP "Il9rXj7^9#
3NQia<?<O"1l[9HH7FXj9k+"source IPaddress mask (=<9 IP "Il9&^9/) Qia<?<rH
Q7F5VMCHo</H7FXj9k3H,G-^9#
CjN IP "Il9HNVNe.H/.N>}NQ1CHr]'9
kKO"b&lY3N?9/rBT7F"Cisco Secure PIX
Firewall ;s5<N"/;9=.K 2 D\N]'X(rIC7F
/@5$#
3NQia<?<rVis/K7F*/H"9YFN=<9 IP "
Il9+i8h IP "Il9XNQ1CH,]'5l^9#
3NQia<?<O*W7gsG9#
Source IP address mask
(=<9 IP "Il9&
^9/)
]'"/7gsN=<9 IP "Il9&^9/rXj7^9#
5VMCHo</4Nr 1 DN=<9H7F]'9kKO"5V
MCHo</N IP "Il9&^9/ (c"255.255.255.240) rX
j7F/@5$#
3NQia<?<rVis/K7F"source IP address (=<9
IP "Il9) Qia<?<rXj7?lg"=<9 IP "Il9
O1l[9Hr(9bNH+J5l^9#
3NQia<?<O*W7gsG9#
Destination IP address
(8h IP "Il9)
]'"/7gsN8h IP "Il9rXj7^9#
3N8h IP "Il9O"1l[9HH7FXj9k+"
destination IP address mask (8h IP "Il9&^9/) Qia<?<rHQ7F5VMCHo</H7FXj9k3H,G-^
9#
CjN IP "Il9HNVNe.H/.N>}NQ1CHr]'9
kKO"b&lY3N?9/rBT7F"Cisco Secure PIX
Firewall ;s5<N"/;9=.K 2 D\N]'X(rIC7F
/@5$#
3NQia<?<rVis/K7F*/H"9YFN=<9 IP "
Il9+i8h IP "Il9XNQ1CH,]'5l^9#3NQ
ia<?<O*W7gsG9#
Destination port (8h]
<H)
]'"/7gsN8h]<HrXj7^9#
]'"/7gsN=<9&]<HrXj9k3HOG-^;s#
Cisco Secure PIX Firewall ;s5<,5]<H9k]<HVf
(c"80) ^?O]<H&jFik> (c"www) rXjG-^9#
3NQia<?<O*W7gsG9#
����������
;s5<N=_N=.r=(9kKO"3N Tivoli Enterprise Console ?9/rH
Q7^9#3N?9/rHQ7F"5$HN;-ejF#<&]j7<,57/$
sWjasH5lF$k+I&+r!:9k3H,G-^9#Tivoli Enterprise
Console ?9/rBT9k0K¤,:¤"@W?<r(sI]$sHeK$s9H<k
7F*$F/@5$#
1. Tivoli G9/HCWG"VRisk Manager Task Library (Risk Manager ?9/¥i$Vij<)WH$&iYkNU$? Tivoli Enterprise Console ?9/&i
$Vij<r/jC/7^9#
2. VPIX_Show_Firewall_ConfigurationWr/jC/7^9#
3. ?9/G-NQia<?<r_j7^9#!NQia<?<,9YF,WG9#
IP address (IP "Il9) =.r=(7?$ Cisco Secure PIX Firewall ;s5<N IP "I
l9rXj7^9#
Telnet password
(Telnet Q9o<I)
Cisco Secure PIX Firewall ;s5<XN"/;9r'D9k telnet
Q9o<IrXj7^9#
Configuration (enable)
password (=. (enable)
Q9o<I)
3lO"Cisco Secure PIX Firewall ;s5<=.N2Hr'D9k
enable Q9o<IG9#
Show configuration (=.
N=()
VYesWr*r9kH"Cisco Secure PIX Firewall ;s5<N=_
N=.,=(5l^9#POKO"P<8gs"=."abj<&
VmC/"$s?<U'<9"Wm;9"U'$k*<P<,^^
l^9#
Show connections (\3
N=()
VYesWr*r9kH"Cisco Secure PIX Firewall ;s5<eN=
_"/F#VJ\3,=(5l^9#
Show user
authentications (f<6<
'ZN=()
VYesWr*r9kH"Cisco Secure PIX Firewall ;s5<eN=
_Nf<6<'Z*hSvD,=(5l^9#
Show telnets (Telnet N
=()
VYesWr*r9kH"Cisco Secure PIX Firewall ;s5<XN=
TN telnet ;C7gs (3N;s5<rP37J$;C7gs) ,
=(5l^9#3Nj9HO"m0$s7F$k Cisco Secure PIX
Firewall "I_K9Hl<?<G=.5l^9#3lKO"3N
Tivoli Enterprise Console ?9/N telnet ;C7gsb^^l^
9#
����(2������
3N Tivoli Enterprise Console ?9/rHQ7F"U!$"&)<kr77$ Tivoli
Risk Manager ;s5<H7FH_~akh&K;s5<Nm.s0=.rQ99k
3H,G-^9#Tivoli Enterprise Console ?9/rBT9k0K¤,:""@W?
<r(sI]$sHeK$s9H<k7F*$F/@5$#
Cisco Secure PIX Firewall m.s0r=.9kKO"J<NnHrT$^9#
1. Tivoli G9/HCWG"VRisk Manager Task Library (Risk Manager ?9/¥i$Vij<)WH$&iYkNU$? Tivoli Enterprise Console ?9/&i
$Vij<r/jC/7^9#
2. VPIX_Configure_Firewall_LoggingWr*r7^9#
3. ?9/G-NQia<?<r_j7^9#Qia<?<O!NH*jG9#
IP address (IP "Il9) m.s0=.rQ97?$ Cisco Secure PIX Firewall ;s5<N
IP "Il9rXj7^9#
3NQia<?<O,\G9#
Telnet password
(Telnet Q9o<I)
Cisco Secure PIX Firewall ;s5<XN"/;9r'D9k telnet
Q9o<IrXj7^9#
3NQia<?<O,\G9#
Configuration (enable)
password (=.
(enable) Q9o<I)
Cisco Secure PIX Firewall ;s5<N=.rQ99k3Hr'D9
k enable Q9o<IrXj7^9#
3NQia<?<O,\G9#
Logging host
interface name (m.s
0&[9H&$s?<U
'<9>)
Cisco Secure PIX Firewall ,m0&5<P<QKHQ9k$s?<
U'<9N>0rXj7^9#
Cisco Secure PIX Firewall Q"@W?<O"m0&5<P<NaC
;<8rbK?<7F"=lir$YsH&5<P<K>w7^
9#
3NGU)kHMO inside G9#3NQia<?<O*W7gs
G9#
Logging host IP
address (m.s0&[9
H IP "Il9)
Cisco Secure PIX Firewall Q"@W?<,bK?<9km0&5<
P<N IP "Il9rXj7^9#
3NQia<?<O*W7gsG9#
Logging trap level (m.
s0&HiCW&lY
k)
m0&5<P<Kw.5l?e Cisco Secure PIX Firewall Q"@
W?<+i$YsH&5<P<Kw.5lkm0&aC;<8Nl
YkrXj7^9#
~OG<?O9Hjs0 (c"errors) ^?OtM (c"3) GXj
7^9#
3NGU)kHMO errors G9#3NQia<?<O*W7gs
G9#
Logging facility (m.s
0!=)
m0&aC;<8HloKw.9k syslog !=VfrXj7^
9#
3NGU)kHMO 20 G9#3lO"LOCAL4 !=Km0&a
C;<8rw.9k?aNlYk, 20 G"k3Hr(7^9#
3NQia<?<O*W7gsG9#
Logging enabled (m.s
0HQD=)
VYesWr*r9kH"Cisco Secure PIX Firewall ;s5<eGm
.s0,HQD=KJj^9#
VNoWr*r9kH"m.s0,HQTDKJj^9#m0&a
C;<8,m0&5<P<Kw.5l?j"Cisco Secure PIX
Firewall Q"@W?<KhCF$YsH&5<P<K>w5lk3
HO"j^;s#
3NGU)kHMO Yes G9#3NQia<?<O,\G9#
����������
J<N;/7gsGO"Cisco Secure PIX Firewall Q"@W?<GHQD=J?9
/KD$Fb@7^9#
�%�������(��(2���
Tivoli Risk Manager U0N Tivoli Enterprise Console ?9/rHQ9k@1GJ
/";-e"&"@W?<,m0&aC;<8Nw.hKJkh&K Cisco Secure
PIX Firewall rj0G=.9k3HbG-^9# TME "@W?<O"UNIX ^7
sGT07F$k Tivoli Logfile "@W?< (syslogd)"^?O Cisco PIX Firewall
Server (PFSS) ,T07F$k Windows ^7sNIAi+KJj^9#
Cisco Secure PIX Firewall rm.s0QK=.9k,W,"j^9#m0&aC;
<8O"Tivoli Risk Manager GH%!=rHQ7F Tivoli Logfile "@W?<rB
T7F$k[9HKw.9kh&K7F/@5$#
Cisco Secure PIX Firewall =.3^sIH=l>lNb@O"!NH*jG9#
logging on m0-?hN[9HK~1Fm0&aC;<
8Nw.r+O7^9#
logging host [if_name] ip_addr m0&aC;<8Nw.hN[9HrXj7
^9#;-e"&"@W?<^?O Cisco
Secure PIX Firewall Q"@W?<,T09k
[9HK_j7F/@5$#
logging trap level Cisco Secure PIX Firewall Q"@W?<,"
EgY 3 ((i<) N$YsHrEgY 0 ([
^vV) K<2F>w9kh&K9kKO"
level r 3 K_j7^9#
logging facility facility m0&aC;<8ru1hk syslog 5<P<
!=rXj7^9#m0&aC;<8r
LOCAL4 !=Xw.9kKO"lYkr 20KXj7^9#
timestamp logging w.5lkFm0&aC;<8K?$`&9
?sWMrU1k3HrXj7^9#3N3
^sIr/T9klgO"clock set 3^sIb/T9k,W,"j^9#
no logging message log_id Cisco Secure PIX Firewall G"D9Nm0&
aC;<8r^)7^9#%PIX-6-302010 r
^)9klg"log_id r 302010 KXj7^
9#
3N3^sIO*W7gsG9#
clock set hh:mm:ss month day year Cisco Secure PIX Firewall N/mC/_jG
OnH|rlYK_jG-^9,"Cisco
Secure PIX Firewall Q"@W?<GOnr_
j7F+i|r_j7^9#
����� ���
Windows Event Log "@W?<rH&lg"tecad_nt.conf U!$krT87"!
N`\rIC7^9#U!$kbN 1 TK4F-9HrIC7F/@5$#33G
O"(sHj<OZ<8bK}^kh&"#tNTKo?CF,d7F$^9#
LogSources=pfss_install_dir¥monday.log,pfss_install_dir¥tuesday.log,pfss_install_dir¥wednesday.log,pfss_install_dir¥thursday.log,pfss_install_dir¥friday.log,pfss_install_dir¥saturday.log,pfss_install_dir¥sunday.log
5iK"!N`\rLNTKIC7^9#
PollInterval=1
�����3��������
?9/&i$Vij<O"Cisco Secure PIX Firewall Q"@W?<N$s9H<k
~K+0*Kn.5lP?5l^9#?@7"Tivoli wtll 3^sIrH&H"
Tivoli ]j7<&j<8gsbK?9/&i$Vij<rP?9k3H,G-^
9#
?9/&i$Vij<rj0Gn.9kKO"wtll 3^sIrH$"?9/rn.
9k]j7<&j<8gsrXj7^9#
Windows 79F`:
wtll -r -p TEC-Region -P $CPP_LOCATION%BINDIR%¥RISKMGR¥corr¥tasks¥rmt_tasks.tll -P
UNIX 79F`:
wtll -r -p TEC-Region -P $CPP_LOCATION$BINDIR/RISKMGR/corr/tasks/rmt_tasks.tll -P
33G"CPP_LOCATION H BINDIR O"cpp WjWm;C5<HG#l/Hj<
XNB]NQ9NLVG9#3NLVK"=l>lN$YsH&5<P<&P$J
j<,~lil^9#5iK".dsl U!$kb .tll U!$kH18G#l/Hj<
KJ1lPJj^;s#
!NLVK cpp Wm0i`r$s9H<k9kh&K7F/@5$ (^?O=U
H&js/rs!)#
/usr/ccs/lib/cpp
^?O"cpp 3^sI,8_9kG#l/Hj<r"79F` PATH D-QtX
IC7^9#
� 6 � Check Point Firewall-1 ������
3NOGO"J<Npsrs!7^9#
v X"@W?<N5WY
v 60Z<8NX=JN5bY
v 62Z<8NX$s9H<k*hS=.Y
v 68Z<8NX"@W?<I}?9/Y
v 75Z<8NX=N>NmUv`Y
Check Point™ FireWall-1® KD$FNb@KO"Check Point FireWall-1 =JN,j
NQlrHQ7F$^9#
Check Point Software Technologies OPSEC™ Software Development Kit (OPSEC
SDK) KD$FN\7$psO"J<N Web 5$HK"j^9#
http://www.checkpoint.com/opsec/cp_products/opsec_sdk.html b7/O
http://www.checkpoint.com/opsecsdk
��������
Tivoli Risk Manager KO"Check Point FireWall-1 Q"@W?<,U07F$^
9#3N"@W?<O"Check Point FireWall-1 ,8.9kU!$"&)<k/~!
N"i<`r"$YsH&5<P<X>w5lk$YsHK^CW7^9#
U!$"&)<kO"/~KP9k"i<Hr/9k?a@1GJ/"btMCH
o</N]nKr)Dh&K_W5lF$^9#U!$"&)<kO"U!$"&
)<kX"N$YsHr"$/D+N[Jk+F4j<K,1Fl]<H7^9#
U!$"&)<kX"N$YsHKO"!NbN,"j^9#
v 'ZN:T
v vDN:T
v \3Nq]
v MCHo</&"Il9Q9 (NAT)/]<H&"Il9Q9 (PAT) NQ9c2
Check Point FireWall-1 Q"@W?<O"Check Point Open Platform for Secure
Enterprise Connectivity (OPSEC) 5<P<H Log Export API (LEA) rH$"U!$
"&)<kN"i<Hr8.7^9#^?"Suspicious Activity Monitor (SAM) rH
Q7F"U!$"&)<kKP9k)fbTol^9#
Check Point FireWall-1 Q"@W?<O"Tivoli Risk Manager Event Integration
Facility (EIF) ^?O Tivoli Enterprise Console 79F`&m0&"@W?<rH
$"jXN?aK$YsHr$YsH&5<P<X>w7^9#
Tivoli Risk Manager Q"@W?<GO"Feature Pack 1 J_r,Q9k3HKh
j"Check Point FireWall-1 NG ,5]<H5l^9#
��������������
Check Point FireWall-1 Q Tivoli Risk Manager "@W?<O"J<N*Zl<F#
s0&79F`G5]<H5lF$^9#
= 7. 5]<HP]WiCHU)<`
Check Point FW-1(4.1 / NG)
HbK$s9H
<k5lk3s
]<MsH
Solaris 7 Solaris 8 Linux RedHat 6.2/7.0
WinNT 4.0 Win2K
Tivoli Risk
Manager Agent
(Transport/RMEIF)
X X X
Tivoli Risk
Manager Event
Integration
Facility
X X X X X
Tivoli Enterprise
Console "@W
?<
X X X X X
�����
Check Point FireWall-1 Nu7&-!=N*+2G"Check Point FireWall-1 rHC
?"/F#V\3O"MCHo</^?O2<H&'$c2N/8~Gbh7F:
olk3H,"j^;s#
Check Point FireWall-1 =JOJ<rT$^9#
v VPN-1™/FireWall-1 +i"j"k?$`&m0psHR9Hj<&m0psrB
4J}!GhjP7^9#
v ;-ejF#<&$YsHN,OHl]<HrT$^9#
v Tivoli Risk Manager JIN(s?<Wi$:&$YsHI}79F`H}gG-
^9#
LEA ����� SAM ���������,��
U!$"&)<kN;-ejF#<&]j7<KO"FW1_ica_pull"FW1_lea"*h
S FW1_sam \3ru1~lk?aNk<k,,WG9#!N$:l+N\3?$
WG VPN-1/FireWall-1 rXj9k3H,G-^9#
v Z@qN'Z*hSEf= [sslca]
v Z@qN'Z*hSCn [sslca_clear]
����,�� ���%�
Tivoli Risk Manager KO"l"NU!$"&)<k&$YsHjA,"j"Tivoli
Risk Manager O3lir+0*K$YsH&5<P<Xm<I7^9#3N$Ys
HjA2KO"U!$"&)<k/~NB]N!P@1GJ/"U!$"&)<
k&=UH&'"N?QNl]<Hb^^l^9#
Tivoli Risk Manager GO"Check Point FireWall-1 $YsH&/i9r cpfw.baroc
U!$kGs!7^9#3lO"Tivoli Risk Manager 5<P<NQC1<8H&
K$s9H<k5l^9#
^ 4. Check Point FireWall-1 3s]<MsH&"<-F/Ac<Q"@W?<
h 6 O Check Point Firewall-1 Q"@W?< 61
IN"Wj1<7gs^?OU!$"&)<k=Jb"3liN Tivoli Risk
Manager U!$"&)<k&$YsH&/i9rHCF""i<Hr Tivoli Risk
Manager Xw.9k3H,G-^9#
����,�� ��%�
/~!N$YsHO"U!$"&)<kKBu5lF$k;-ejF#<&]j7
<HX"7F$^9#U!$"&)<k&;-ejF#<&]j7<KO"U!$
"&)<kGvD^?Oq]9kh&=.7?""/;9&?$W,^^lF$^
9#U!$"&)<kN"I_K9Hl<?<O3lrQ9G-^9#Check Point
FireWall-1 Q Tivoli Risk Manager "@W?<O"!N?$WNU!$"&)<k&
$YsHr8.7^9#
)f$YsH:CPFW_Control
f<6<'Z$YsH:CPFW_Auth_Deny
CPFW_Auth_Permit
Internet Control Message Protocol (ICMP) $YsH:CPFW_ICMP_Deny
CPFW_ICMP_Permit
5<S9&$YsH:CPFW_Service_Deny
CPFW_Service_Permit
CPFW_FTP_Deny
CPFW_FTP_Permit
CPFW_HTTP_Deny
CPFW_HTTP_Permit
CPFW_Telnet_Deny
CPFW_Telnet_Permit
CPFW_Login_Deny
CPFW_Login_Permit
Tivoli Risk Manager ��#��� Check Point FireWall-1 ������
GU)kHGO"Tivoli Risk Manager O"EgY0-, WARNING N Tivoli Risk
Manager $YsHK Check Point FireWall-1 "i<`r^CW7"EgY0-,
HARMLESS N Tivoli Risk Manager $YsHK)fpsr^CW7^9#3N_j
O"cpfw.baroc U!$kGQ99k3H,G-^9#
���� �����
3NOGO"Check Point FireWall-1 Q"@W?<N$s9H<k*hS=.N}!
KD$Fb@7^9#
Check Point FireWall-1 Q"@W?<r$s9H<k9k0K"Check Point
FireWall-1 =Jr$s9H<k7^9#Check Point FireWall-1 Q"@W?<O"7
9F`NG-N$s9H<k}!rHQ7F$s9H<kG-^9#
m: Solaris *Zl<F#s0D- (Solaris) eG$s9H<k9kH-KO"Solaris
syslog aC;<8 ID *W7gsrHQTDK9k,W,"j^9#
/kernel/drv/log.conf bK msgid=0 r,:_j7F*$F/@5$# Tivoli
Event Integration Facility API K$YsH,/w5lkh&K"@W?<r=.
9klg"/kernel/drv/log.conf bN msgid _jMOX8"j^;s#
OPSEC LEA ��� SAM ���������� Check PointFireWall-1 ��
m: Windows *hS UNIX/Linux NIAiN79F`K*$Fb"Tivoli Event
Integration Facility GO"cpfw.fmt U!$k,HQ5l^9#G-N$s9H
<k&^M<8c<KhCF"cpfw.fmt U!$k,+0*K Tivoli Event
Integration Facility rmad.fmt U)<^CH&U!$kN*<K^<85l?e
G"riskmgr_gencds 3^sINBTKhj"rmad.cds U!$k,Fn.5l
^9#
+O9k0K"VCheck Point VPN-1/FireWall-1 Administration GuideWG"
Suspicious Activity Monitoring (SAM) *hS Log Export API (LEA) r2H7F/
@5$#
FireWall-1 NG Feature Pack 1 J_G Tivoli Risk Manager "@W?<r=.9k]
KO"Secure Internal Communication (SIC) rHQ9k,W,"j^9#
Tivoli Risk Manager "@W?<N$s9H<k*hS=.N0K"Tivoli Risk
Manager "@W?<H FireWall-1 VN SIC .jX8rN)9k,W,"j^9#
=N?aKO"FireWall-l ^7sGJ<N9FCWrBT7F/@5$#
1. Tivoli Risk Manager Check Point "@W?<&[9HQNMCHo</&*V8
'/Hrn.7^9#3lrT&KO"J<NnHrT$^9#
a. Check Point Policy Editor r+$F"aKe<+iVI} (Manage)Wr*r
7"VMCHo</&*V8'/H (Network Objects)Wr*r7^9#
VMCHo</&*V8'/H (Network Objects)WQMkGV7, (New)Wr/jC/7F"ImCW@&s&j9H+iVo</9F<7gs...(Workstation...)Wr*r7^9#
b. V>0 (Name)WU#<kIG"Tivoli Risk Manager Check Point "@W?<
rT05;k79F`N[9H>r~O7^9#VIP "Il9 (IP
Address)WU#<kIK IP "Il9r~O7F"V"Il9Nh@ (GetAddress)Wr/jC/7^9#
c. VOKWr/jC/7^9#
2. FireWall-1 Policy Editor btG"Tivoli Risk Manager "@W?<QN OPSEC
"Wj1<7gs&*V8'/Hrn.7^9#
a. Check Point Policy Editor r+$F"VI} (Manage)WaKe<+i
VOPSEC "Wj1<7gs.. (OPSEC Applications..)Wr*r7^9#
b. V7, (New)W\?sr/jC/7"7,N OPSEC "Wj1<7gsrn
.7F"ImCW@&s&aKe<+iVOPSEC "Wj1<7gs..(OPSEC Applications..)Wr*r7^9#
c. VOPSEC "Wj1<7gs&WmQF#< (OPSEC Application Properties)W
&#sI&G"(sF#F#<N>0rn.7^9#Tivoli Risk Manager "
@W?<=.~KO3N OPSEC "Wj1<7gs>,HQ5lk3HKm
U7F/@5$#
d. Risk Manager Check Point "@W?<,T/9k[9Hr*r7^9#3N
[9HO"9FCW 1 Gn.5l?MCHo</&*V8'/HG9#
e. VjAQ_f<6< (User defined)WrYs@<H7F*r7^9#V/i
$"sH&(sF#F#< (Client Entities)Wj9H&\C/9<tN
VLEAWrA'C/7^9#
m: Suspicious Activity Monitoring (SAM) rHQ7F$klgO"VSAMW
A'C/&\C/9b*r9k,W,"j^9#
f. VL. (Communication)W\?sr/jC/7^9#
g. [9HH/i$"sHVGNL.KHQ5lkQ9o<Ir~O7^9#
Vi|= (Initialize)Wr/jC/7^9#3NQ9o<IO"eG Tivoli
Risk Manager "@W?<r=.9kH-KHQ5l^9#
h. Tivoli Risk Manager [9HeG opsec_pull_cert "Wj1<7gs,h}
5lk^GO".jX8NuV,V.jX8rN);:Ki|= (Initializedby trust not established)WK_j5lF$^9#VL.
(Communication)W&#sI&,D8"VOPSEC "Wj1<7gs&WmQF
#< (OPSEC Application Properties)W&#sI&Kaj^9#
i. =_V;-e"JbtL. (Secure Internal Communication)W<tK DN 9H
js0,_j5lF$k3HrN'7F/@5$#3lO"/i$"sHN
SIC (sF#F#<>G9#3NMO/i$"sH=.fK rma_cpfw.conf
=.U!$kbGHQ5lk3HKmU7F/@5$#
j. VOKWr/jC/7^9#
3. 5<P<N SIC (sF#F#<>rh@9k,W,"j^9#3NMO ]j7
<&(G#?<Gh@G-^9#J<Nh&KBT7^9#
a. Policy Editor NG G"VI} (Manage)WaKe<+iVMCHo</&*V
8'/H... (Network Objects...)Wr*r7^9#VMCHo</&*V8
'/H (Network Objects)W&#sI&,=(5l^9#
b. I}5<P<r=9MCHo</&*V8'/Hr*r7F"VT8
(Edit)Wr/jC/7^9#Vo</9F<7gsNWmQF#<
(Workstation Properties)W&#sI&,=(5l^9#
c. V;-e"JbtL. (Secure Internal Communication)W<tKj9H5l?
DN Nl3<Irn.7^9#3lO OPSEC "Wj1<7gsN=.KH
Q5l^9#
4. Check Point FireWall-1 G ]j7<&(G#?<rHQ7F7,]j7<rn.
7"Tivoli Risk Manager "@W?<&[9H*hS Check Point OPSEC 5<P
<N$s9H<khHJk[9H+iN LEA HiU#C/rvD7^9#3l
OLo FW1_ica_pull"FW_lea *hS FW_sam G9#
5. Q9bFr]I7F"]j7<&(G#?<rD8^9#
Check Point ������ OPSEC LEA ��� SAM ���
����������
3N;/7gsGO"f<6<,=.~KT89kU!$kKD$Fb@7^9#
m:
1. Check Point FireWall-1 Q"@W?<N Windows Install Shield QC1<8G
O"+0*K,WJ=.G<?N~OrWa9kWmsWH,P5l""@W?
<N=.U!$k,975l^9#INh&J$s9H<kN]Kb"
opsec_pull_cert 9FCWO,\G9#
2. UNIX ^?O Linux 79F`eG Check Point FireWall-1 Q"@W?<r=.
9k0K"!N9/jWHrBT7F"Tivoli Event Integration Facility D-r;
CH"CW7^9#
. /etc/Tivoli/rma_eif_env.sh
1. J<NX(O"sslca ^?O sslca_clear rHQ7? Tivoli Risk Manager "@W
?<N;CH"CW}!Nb@G9#Tivoli Risk Manager N$s9H<kG
O"sslca (Check Point Firewall-1 NG N$s9H<kNGU)kH) ,GU)k
HGHQ5l^9#
a. Tivoli Risk Manager bin G#l/Hj<bK"k opsec_pull_cert Wm0i`rHQ7F"[email protected]^9#3^sI&WmsWHr+$F"3
NG#l/Hj<KJS2<H7^9#
UNIX *hS LINUX 79F`:
$RMADHOME/bin/opsec_pull_cert
Windows 79F`:
%RMADHOME%¥bin¥opsec_pull_cert
b. !Nh&K~O7^9#
opsec_pull_cert -h host or ip -n client_opsec_entity_name -p pwd
33G"
v host or ip O"[9H+"I}5<P<Q IP N$:l+G9#
v client_opsec_entity_name O"VOPSEC "Wj1<7gsNWmQF#<
(OPSEC Application Properties)W@$"m0G_j5l? OPSEC "Wj
1<7gsN>0G9#
v pwd O"OPSEC "Wj1<7gsN;CH"CWfKVL.
(Communication)W@$"m0G_j5l?Q9o<IG9#
c:
f:¥>opsec_pull_cert -h 104.48.36.101 -n RMThegrill -p password
The full entity sic name is:
CN=RMThegrill,O=snackbar..6e9fc4
Certificate was created successfully and written to "e:¥Program Files¥Tivoli¥RISKMGR¥etc¥opsec.p12"
3N3^sIrBT9kH"Secure Internal Communication (SIC) Z@q,"
%OPSECDIR% D-QtNfNG#l/Hj<&;CHKJ<5l^9#Z
@qO opsec.p12 H$&U!$kK]I5l^9#
2. J<Nh&K7F"Tivoli Risk Manager "@W?<N=.U!$krQ97^
9#
a. %RMADHOME%¥etc G#l/Hj<bK"k rma_cpfw.conf U!$krT87
^9#
Windows NT:
%RMADHOME%¥etc¥rma_cpfw.conf
Solaris:
$RMADHOME/etc/rma_cpfw.conf
b. =.U!$kbK"kJ<NTr"5<P<*hS]<H, Tivoli Risk
Manager "@W?<KP?5lkh&KQ97^9#
lea_server ip server ip
lea_server auth_port 18184
lea_server auth_type auth type
lea_server opsec_entity_sic_name server sic name
opsec_sic_name client sic name
opsec_sslca_file opsec cert filename
opsec_sic_policy_file policy filename
sam_server ip server ip
sam_server auth_port 18183
sam_server auth_type auth type
33G"
v auth type O"sslca ^?O sslca_clear N$:l+G9#
v server sic name O"OPSEC 5<P<&(sF#F#<N DN G9#
v client sic name O"OPSEC /i$"sH&(sF#F#<N DN G9#
v opsec cert filename O"opsec_pull_cert Wm0i`KU1il?>0G9#
U!$k>rXj7J$lgNGU)kHO opsec.p12 G9#
v policy filename O"GU)kHN rma_cpfw_sic.conf (Tivoli Risk Manager
"@W?<K:U5lF$kU!$kN>0) N^^K7F*/,W,"
j^9#
c:
lea_server ip 104.48.36.101
lea_server auth_port 18184
lea_server auth_type sslca
opsec_sic_name "CN=RMThegrill,O=snackbar..6e9fc4"
opsec_sslca_file opsec.p12
opsec_sic_policy_file rma_cpfw_sic.conf
sam_server ip 104.48.36.101
sam_server auth_port 18183
sam_server auth_type sslca
c. U!$kr]I7^9#
m: Check Point N"LEA *hS SAM QGU)kHL.b<IO sslca G"
j"GU)kHN]<HO 18184 *hS 18183 G9#3liNGU)kH
rQ97?lgO"5<P<N fwopsec.conf U!$kKP7Fb"P~9
kQ9rT&,W,"j^9#
3. "@W?<rGPC0&b<IGBT7^9#
# rma_cpfw -d 4
4. Windows 79F`Nlg""@W?<r Windows 5<S9H7F$s9H<k
7F/@5$#!N3^sIrBT7^9#
# rma_cpfw -i
^7sNjV<H~K"@W?<,FO05l^9#
5. Linux ^?O UNIX Nlg"J<N3^sIrBT7^9#
$RMADHOME/bin/rma_cpfw-init start
Tivoli Enterprise Console Logfile �������������
������� (Windows�Solaris ��� Linux)
"@W?<NGU)kH&b<IGO"Tivoli Risk Manager Event Integration Facility
,$YsHNw.hKJj^9,"79F`&m0,$YsHNw.hKJkh&
K=.9k3HbG-^9#Windows QN79F`&m0O Windows "Wj1<
7gs&$YsH&m0G9,"Solaris *hS Linux QN79F`&m0O syslog
G9#79F`&m0,$YsHNw.hKJkh&K"@W?<r=.7F*/
H"Tivoli Enterprise Console Logfile "@W?<rHQ7F"Risk Manager 5<P
<K$YsHr>wG-kh&KJj^9#Tivoli Enterprise Console Logfile "@W
?<KD$FO"VTivoli Enterprise Console "@W?<¥,$IWr2H7F/@
5$#
����
UNIX ��� Linux:
1. "@W?<ND-9/jWHrBT7^9#
. /etc/Tivoli/rma_eif_env.sh
2. "@W?<N3^sITXkWr=(7^9#-e *hS -w *W7gsrHQ
7F""@W?<+iYp*hS$YsH,wP5lkNrN'7F/@5$#
rma_cpfw -h
HRMCP0017I Risk Manager Adapter for Check Point FireWall-1 4.1.0.0.
HRMCP0018I Usage: rma_cpfw [OPTIONS]
-h or --help                        Print help and exit
-v or --version                     Print version and exit
-dINT or --debug=INT                Number of messages to output then exit
-eSTRING or --event-output=STRING   term | rmeif | syslog | file
-wSTRING or --warning-output=STRING term | rmeif | syslog | file
HRMCP9999I Exiting.
3. "@W?<NO09/jWH $RMADHOME/bin/rma_cpfw-init r"Yp*hS$
YsH,9YF79F`&m0KwP5lkh&K"-w syslog *hS -e syslog
3^sIT*W7gsrIC7FQ97F/@5$#
'start')
# Export OPSECDIR environment variable required by Check Point FW-1
OPSECDIR=$RMADHOME/etc
export OPSECDIR
# Start adapter process to run in the background.
if [ "$PID" = "" ]
then
    $RMADHOME/bin/rma_cpfw -w syslog -e syslog&
fi
;;
U!$kr]I7^9#
4. Finally, merge the adapter format file cpfw.fmt into the Tivoli Enterprise Console Logfile adapter format file and generate a new CDS file. For details, see the Tivoli Enterprise Console Adapters Guide.
Windows: Because the Windows version of the adapter runs as a Windows service, the command-line options must be installed in the Windows registry.
1. Display the adapter's command-line help and, using the -e and -w options, verify that the adapter emits warnings and events. Also verify that the adapter is installed and removed as a Windows service when the -i and -r options are used.
C:¥>rma_cpfw -h
HRMCI0017I: Risk Manager Adapter for Check Point FireWall-1 4.1.0.0
HRMCI0018I: Usage: rma_cpfw [OPTIONS]...
-h or --help Print help and exit
-v or --version Print version and exit
-dINT or --debug=INT Number of events to output then exit
-eSTRING or --event-output=STRING term | rmeif | syslog | file
-wSTRING or --warning-output=STRING term | rmeif | syslog | file
-i or --install-service Install as NT service
-r or --remove-service Remove as NT service
HRMCI9999I: Exiting...
2. Running the following command installs the adapter as a Windows service, and all warnings and events are sent to the system log (the Windows application event log):
f:¥>rma_cpfw -i -w syslog -e syslog
HRMCP0011I: Attempting to install service: rma_cpfw
HRMCP0012I: Service installed: rma_cpfw
HRMCP0036I: Use "net start rma_cpfw" to execute application.
HRMCI9999I: Exiting...
3. Finally, merge the adapter format file cpfw.nt.fmt into the Tivoli Enterprise Console Logfile adapter format file and generate a new CDS file. For details, see the Tivoli Enterprise Console Adapters Guide.
����������
������� Check Point FireWall-1 ���������
����
When you define a Check Point FireWall-1 policy, a setting that specifies how the policy is handled when it is triggered is built into it. That setting is called a track.
The following lists the supported tracks and indicates whether each track is regarded as an alarm.
Track   | Intercepted and processed
Log     | No
Account | No
Alert   | Yes
Mail    | Yes
SNMP    | Yes
User    | Yes
Set the policy to Alert, Mail, SNMP, or User defined, and intercept and process it on the Tivoli Risk Manager server. The Log and Account tracks are not intercepted or processed. The Alert, Mail, SNMP, and User defined tracks are written to the log and displayed in the Check Point Log Viewer.
Perform the following to make these settings the defaults:
1. Using the Check Point FireWall-1 Policy Editor, set the tracking information of the firewall rule base to ALERT, Mail, SNMP Trap, or UserDefined. A Log or Accounting setting is ignored and therefore not processed.
2. Resubmit the rule base to the firewall machine.
Tivoli Enterprise Console tasks
Tivoli Enterprise Console tasks can be used to deal with specific risks. When trying to block an attack, do not respond too drastically to the risk that was identified: reacting instantly to an attack can leave you with stringent packet-filter rules enabled without due care. In that case, the response must be strict enough that an intruder cannot evade the security policy. Monitoring Tivoli Risk Manager firewall events lets you tune the security policy, and the tasks in the Tivoli Risk Manager task library let you respond to firewall events.
Tivoli Risk Manager has its own task library, the Risk Manager Task Library, which it installs in the default Tivoli Enterprise Console policy region, TEC-Region. Tivoli Enterprise Console tasks are supported only on Tivoli managed nodes and Tivoli endpoints. For details on installing and configuring Tivoli endpoints, see the Tivoli Framework documentation.
Tivoli Risk Manager provides the following Tivoli Enterprise Console tasks for the Check Point FireWall-1 adapter:
v CheckPoint_Start_Firewall_Adapter_on_Windows
v CheckPoint_Start_Firewall_Adapter_on_Linux
v CheckPoint_Start_Firewall_Adapter_on_Solaris
v CheckPoint_FW-1_Manage_by_IP_Address
v CheckPoint_FW-1_Manage_by_Source_and_Destination
v CheckPoint_Stop_Firewall_Adapter_on_Windows
v CheckPoint_Stop_Firewall_Adapter_on_Solaris
v CheckPoint_Stop_Firewall_Adapter_on_Linux
For starting and stopping the Check Point FireWall-1 adapter manually, see:
v "Starting the Check Point FireWall-1 daemon" on page 74
v "Stopping the Check Point FireWall-1 daemon" on page 74
Tivoli Enterprise Console ���������
Make sure that the Check Point FireWall-1 adapter is installed and that the endpoint on which the tasks will run is configured appropriately.
Starting the adapter on Windows NT
To start the Check Point FireWall-1 adapter, follow these steps:
1. Before starting the Check Point FireWall-1 adapter, purge the current Check Point FireWall-1 log file entries. In the Check Point FireWall-1 Log Viewer, click File, then Purge.
2. On the Tivoli desktop, click the Tivoli Enterprise Console task library labeled "Risk Manager Task Library".
3. Click CheckPoint_Start_Firewall_Adapter_on_Windows to start the Tivoli Risk Manager adapter.
Starting the adapter on Solaris
To start the Check Point FireWall-1 adapter, follow these steps:
1. Before starting the Check Point FireWall-1 adapter, purge the existing Check Point FireWall-1 log file entries. In the Check Point FireWall-1 Log Viewer, click File, then Purge.
2. On the Tivoli desktop, click the Tivoli Enterprise Console task library labeled "Risk Manager Task Library".
3. Click CheckPoint_Start_Firewall_Adapter_on_Solaris to start the Tivoli Risk Manager adapter.
Starting the adapter on Linux
To start the Check Point FireWall-1 adapter, follow these steps:
1. Before starting the Check Point FireWall-1 adapter, purge the existing Check Point FireWall-1 log file entries. In the Check Point FireWall-1 Log Viewer, click File, then Purge.
2. On the Tivoli desktop, click the Tivoli Enterprise Console task library labeled "Risk Manager Task Library".
3. Click CheckPoint_Start_Firewall_Adapter_on_Linux to start the Tivoli Risk Manager adapter.
Manage by IP address
To send a SAM client request to the SAM server, do the following:
1. On the Tivoli desktop, click the Tivoli Enterprise Console task library labeled "Risk Manager Task Library".
2. Click CheckPoint_FW-1_Manage_by_IP_Address.
Note: This task is supported only on Solaris and Windows.
3. Select the action to be executed, corresponding to the OPSEC SAM server actions.
Note: To specify the OPSEC SAM server NOTIFY action, use the Watch parameter.
When you specify the CheckPoint_FW-1_Manage_by_IP_Address task, the SAM action specified for a particular IP address is started. You can specify whether that IP address is the source of the connection, the destination, or both the source and the destination.
The IP protocols are:
1 : ICMP (Internet Control Message Protocol)
2 : IGMP (Internet Group Management Protocol)
3 : GGP (gateway protocol -- should not be used)
6 : TCP (Transmission Control Protocol)
12 : PUP
17 : UDP (User Datagram Protocol)
22 : IDP (Internet Datagram Protocol)
77 : unofficial Net Disk Protocol
255 : raw IP packet
4. If required, choose from the following log options the combination of log and alert to produce:
Detailed log, alert
Detailed log, no alert
Summary log, alert
Summary log, no alert
No log, no alert
5. Reset the following information for the firewall host machine:
Number of seconds until this action expires: the default is 0. Zero indicates that the action does not expire.
IP address type: the choices are
v source
v destination
v source or destination
IP address: the default is 0.0.0.0.
6. Click Set & Execute to start sending the SAM client request to the SAM server.
Manage by source and destination
To send a SAM client request to the SAM server, do the following:
1. On the Tivoli desktop, click the Tivoli Enterprise Console task library labeled "Risk Manager Task Library".
2. Click CheckPoint_FW-1_Manage_by_Source_and_Destination.
Note: This task is supported only on Solaris and Windows.
3. Select the action to be executed, corresponding to the OPSEC SAM server actions.
Note: To specify the OPSEC SAM server NOTIFY action, use the Watch parameter.
Table 8. SAM server and Tivoli Enterprise Console action names
SAM server action name | Tivoli Enterprise Console task action name | Action
WATCH | Watch | All connections with IPaddr are logged at the specified logging level.
INHIBIT | Inhibit | All connections with IPaddr are inhibited and logged at the specified logging level.
INHIBITCLOSE | Inhibit and close | Same as Inhibit, but if there are connections with IPaddr, those connections are closed. The parameters to this action task must be identical to those of the task being cancelled (except for the expiry).
CANCELWATCH | Cancel watch | Cancels the effect of a particular Watch or Notify action.
CANCELINHIBIT | Cancel inhibit | Cancels the effect of an Inhibit or Inhibit and close action. Connections closed by Inhibit and close are not re-established. The parameters to this task must be identical to those of the task being cancelled (except for the timeout).
CANCELALL | Cancel all | Cancels all previous actions.
4. Choose from the following log options the combination of log and alert to produce:
Detailed log, alert
Detailed log, no alert
Summary log, alert
Summary log, no alert
No log, no alert
5. If required, reset the following information for the firewall host machine:
Number of seconds until this action expires: enter a value (0 to 300 seconds). The default is 0. Zero indicates that the action does not expire.
Source IP address: the default is 0.0.0.0.
Destination IP address: the default is 0.0.0.0.
Destination port when this Tivoli Enterprise Console task is invoked: the default is 8080.
IP protocol: the default is TCP. The choices are TCP, ICMP, IGMP, GGP, PUP, UDP, IDP, Net Disk Protocol, or raw IP packet.
6. Click Set & Execute to start sending the SAM client request to the SAM server.
Stopping the adapter on Windows NT
To stop the Check Point FireWall-1 adapter on Windows NT, do the following:
1. On the Tivoli desktop, click the Tivoli Enterprise Console task library labeled "Risk Manager Task Library".
2. Click CheckPoint_Stop_Firewall_Adapter_on_Windows to stop the adapter.
3. Before restarting the Check Point FireWall-1 adapter, purge the current Check Point FireWall-1 log file entries. In the Check Point FireWall-1 Log Viewer, click File, then Purge.
Stopping the adapter on Solaris
To stop the Check Point FireWall-1 adapter on Solaris, do the following:
1. On the Tivoli desktop, click the Tivoli Enterprise Console task library labeled "Risk Manager Task Library".
2. Click CheckPoint_Stop_Firewall_Adapter_on_Solaris to stop the adapter.
3. Before restarting the Check Point FireWall-1 adapter, purge the current Check Point FireWall-1 log file entries. In the Check Point FireWall-1 Log Viewer, click File, then Purge.
Stopping the adapter on Linux
To stop the Check Point FireWall-1 adapter on Linux, do the following:
1. On the Tivoli desktop, click the Tivoli Enterprise Console task library labeled "Risk Manager Task Library".
2. Click CheckPoint_Stop_Firewall_Adapter_on_Linux to stop the adapter.
3. Before restarting the Check Point FireWall-1 adapter, purge the current Check Point FireWall-1 log file entries. In the Check Point FireWall-1 Log Viewer, click File, then Purge.
Starting the Check Point FireWall-1 daemon
To restart the Check Point FireWall-1 adapter daemon manually on Solaris, enter:
/etc/init.d/rma_cpfw-init start
To restart the Check Point FireWall-1 adapter service manually on Windows NT, enter:
net start rma_cpfw
To restart the Check Point FireWall-1 adapter daemon manually on Linux, enter:
/etc/rc.d/rma_cpfw-init start
Stopping the Check Point FireWall-1 daemon
To stop the Check Point FireWall-1 adapter daemon manually on Solaris, enter:
/etc/init.d/rma_cpfw-init stop
To restart the Check Point FireWall-1 adapter service manually on Windows NT, enter:
net stop rma_cpfw
To stop the Check Point FireWall-1 adapter daemon manually on Linux, enter:
/etc/rc.d/rma_cpfw-init stop
��������
$���
On Windows NT, all errors that occur are sent to the Windows NT Event Viewer. Solaris sends errors to the SYSLOG daemon.
Check Point FireWall-1 (��)���*����
The correlation engine rules require the following three attributes:
v source IP address
v destination IP address
v attack signature
In the Tivoli Risk Manager firewall adapter starter set, the firewall sensor signatures are the same for both adapters. The Cisco Secure PIX Firewall adapter has severity numbers; the Check Point FireWall-1 adapter does not. Instead, intrusion alerts are assigned to the policy rules.
�����(��)���*
Most Check Point FireWall-1 log records contain an IP address but no explicit attack signature. For intrusion-related Check Point FireWall-1 log messages, Tivoli Risk Manager provides the following strings as signatures:
fw_conn_deny    A connection was denied.
fw_conn_permit  A connection was permitted.
fw_auth_deny    A user was denied a connection.
fw_auth_perint  A user was permitted a connection.
�������(��)���*
For Check Point FireWall-1 log messages that are not intrusion-related, Tivoli Risk Manager provides the following strings as signatures:
fw_control      A Check Point configuration change.
fw_log_switch   A Check Point log file switch or change.
fw_log_eof      End of a Check Point log file.
����,�� ����
For the intrusion-related class RM_Service and its subclass RM_ICMP, or the non-intrusion class RM_MiscEvent (or both), the cpfw.baroc file lets you set firewall-specific fields, including the severity level. The firewall-related data attributes are listed in the table below.
Attribute | Description | Valid values
cpfw_action | Action taken by the firewall. | Check Point actions include: drop, reject, accept, control (ctl), other
cpfw_additional_info | Other Check Point information not set in an attribute. |
cpfw_alert | Type of Check Point alert. | ![alert], ![userauthalert]
cpfw_ifdir | Direction of the interface. | inbound, outbound
cpfw_ifname | Name of the interface. | ether (Ethernet), token (token ring), fddi (Fiber Distributed Data Interface), ppp (point-to-point protocol), atm (Asynchronous Transfer Mode)
cpfw_len | Packet size (bytes). |
cpfw_lognum | Line number of the record in the firewall log file. | Line number in the Check Point log file.
cpfw_protocol | Protocol. | Assigned from the following connection protocol values: TCP, UDP, ICMP, other
cpfw_reason | Check Point reason for the security alert. |
cpfw_rule | Number of the Check Point policy rule that caused the security alert. |
cpfw_type | Check Point event type. | Event types include: control, alert, user
cpfw_user | User who triggered the security alert. |
�����$�
opsec_pull_cert can fail with an error in situations such as the following:
v When SIC communication with the adapter has already been established in "Trust established" mode.
f:¥>opsec_pull_cert -h 104.48.36.101 -n RMThegrill -p password
Opsec error. rc=-1 err=-93 The referred entity does not exist in the Certificate Authority
v When the password is incorrect.
f:¥>opsec_pull_cert -h 104.48.36.101 -n RMThegrill -p badpassword
Opsec error. rc=-1 err=-94 There was a problem when trying to establish an SSL connection, probably peer was not authenticated
v When a wrong Opsec application name is used.
f:¥>opsec_pull_cert -h 104.48.36.101 -n WrongName -p password
Opsec error. rc=-1 err=-93 The referred entity does not exist in the Certificate Authority
The Check Point OPSEC API returns a bogus error message, "NO Error". This "NO Error" message is usually caused by an error in the adapter configuration file, or by a missing opsec.p12 or rma_cpfw_sic.conf file.
f:¥>rma_cpfw -d 20
HRMCP0037I: Running in debug mode. All output directed to terminal.
HRMCP0000I: Initializing, please wait...
HRMCP0004E: NO Error: C:¥IBM¥RISKMGR¥etc¥rma_cpfw.conf.
HRMCP0004E: NO Error: rma_cpfw.conf.
HRMCI9999I: Exiting...
Chapter 7. McAfee Alert Manager adapter
This chapter describes the following:
v "Adapter overview"
v "Product overview" on page 80
v "Adapter description" on page 81
v "Installation and configuration" on page 82
For the list of McAfee Alert Manager sensor messages, see "Appendix C. McAfee Alert Manager Sensor adapter messages" on page 171.
Adapter overview
Tivoli Risk Manager includes an adapter for McAfee Alert Manager. The adapter maps alarms generated by McAfee AntiVirus Scanning products and collected by McAfee Alert Manager to Tivoli Enterprise Console events.
The adapter can be installed when McAfee Alert Manager is used on the network. McAfee Alert Manager is provided as part of the McAfee Active Virus Defense (AVD) suite of commercially available AntiVirus Scanning products.
Documentation on McAfee Alert Manager and the McAfee Active Virus Defense suite is available from the Network Associates, Inc. Web sites, such as http://www.mcafeeb2b.com and http://www.nai.com.
Supported platforms
The Tivoli Risk Manager adapter for McAfee Alert Manager is supported on Windows systems.
Table 9. Supported platforms
McAfee Alert Manager (4.5)
Components installed together | WinNT 4.0 | Win2K
Tivoli Risk Manager Agent | X | X
Tivoli Enterprise Console adapter | X | X
© Copyright IBM Corp. 2001, 2002 79
Product overview
McAfee Alert Manager is the central collection point for the alert messages that McAfee AntiVirus scanning products generate for important events, such as virus detection and virus definition file updates. The Tivoli Risk Manager Event Log adapter reads these alerts from the Windows application event log and maps them to Tivoli Enterprise Console events.
Alert Manager is included with McAfee NetShield (for Windows NT and Windows 2000) and McAfee WebShield SMTP (for Windows NT and Windows 2000). McAfee Alert Manager collects the alert messages generated by the following McAfee AntiVirus Point of Entry Scanners:
VirusScan: Provides virus detection and removal for desktops. Supports desktop scanning, e-mail scanning, a download filter, and Internet filtering of Java applets and ActiveX controls.
VirusScan Wireless: Provides virus detection and removal for personal digital assistants (PDAs).
NetShield: Provides server-level virus detection and removal.
GroupShield: Provides virus detection and removal for Lotus® Domino™ and Microsoft Exchange groupware servers.
WebShield: Provides virus detection and removal for SMTP gateways.
McAfee Alert Manager provides several messaging methods for notifying administrators of the virus scan events represented by the alert messages received from virus scanning engines. One of the methods used by default is writing to the Windows Event Log on the Alert Manager server where Alert Manager is installed. This manual refers to that system as the Alert Manager server.
McAfee NetShield is bundled with McAfee Alert Manager, and the two components are usually installed on the same server. Examples of monitored McAfee NetShield activity are virus definition file updates and upgrades to the virus scanning engine.
Adapter description
The following figure shows the component architecture of the McAfee Alert Manager adapter. The string "TEC" in the figure denotes Tivoli Enterprise Console.
The Tivoli Risk Manager Adapter for McAfee Alert Manager consists of the Tivoli Enterprise Console Windows Event Log adapter and a set of Tivoli Enterprise Console adapter support files. It is supported on the following systems:
v Windows NT Server
v Windows 2000 Server
v Windows 2000 Advanced Server
The Tivoli Enterprise Console Windows Event Log adapter captures the McAfee Alert Manager virus scan events written to the Windows application event log. By default, McAfee Alert Manager records the virus scan events it receives in the Windows Event Log.
Figure 5. McAfee Alert Manager adapter components
Chapter 7. McAfee Alert Manager adapter 81
The Tivoli Risk Manager adapter format file rmmac.fmt does the following:
v Defines the format of the McAfee Alert Manager messages read from the event log.
v Associates each message with a Tivoli Enterprise Console event class.
v Converts the message information into an event format that the Tivoli Enterprise Console server can recognize.
Tivoli Risk Manager also includes the BAROC file rmvirus.baroc. This file defines the virus management event classes created from McAfee Alert Manager alert messages. It is installed as part of the Tivoli Enterprise Console server installation package and is loaded automatically as part of the Tivoli Enterprise Console rule base.
These event classes represent the main events of McAfee AntiVirus products, such as virus detection, virus definition file updates, and virus scanning engine updates. Because the event classes are generic, they can also be used to define events for other antivirus products. All antivirus events are based on the Tivoli Risk Manager event classes defined in riskmgr.baroc and sensor_abstract.baroc.
���� �����
���� ��
Before installing the Tivoli Risk Manager adapter for McAfee Alert Manager, complete the following:
1. Install the McAfee Alert Manager product before installing the McAfee Alert Manager adapter. McAfee Alert Manager is installed when the McAfee NetShield or WebShield product is installed. For installation instructions, see the documentation that comes with those products. This manual does not describe in detail the installation and configuration of third-party intrusion detection system sensors; see the product documentation for details.
2. Install the Tivoli Manager Framework adapter before installing the McAfee Alert Manager adapter. For installation instructions, see the Tivoli Enterprise Console Adapters Guide.
���� �����
Before merging the Tivoli Risk Manager adapter format file with the Windows Event Log adapter format file, you can configure which McAfee alert messages are read from the Windows application event log by selecting and editing the available message format definitions in the rmmac.fmt file. For the procedure, see the Tivoli Enterprise Console Adapters Guide.
McAfee Alert Manager is installed by the following procedure:
1. Merge the Tivoli Risk Manager adapter format file with the Tivoli Management Framework adapter format file by appending the contents of the rmmac.fmt file to the end of the Windows Event Log adapter format file tecad_win.fmt.
Create the cds file, either with the win_gencds utility as described in the Tivoli Enterprise Console Adapters Guide, or by following the procedure in "Merging the Tivoli Risk Manager and adapter format files" on page 11 of this manual.
2. Start or restart the adapter.
Chapter 8. Norton AntiVirus adapter
This chapter describes the following:
v "Adapter overview"
v "Adapter description" on page 87
v "Installation and configuration" on page 88
Adapter overview
Tivoli Risk Manager includes a Norton AntiVirus adapter that maps alarms generated by the commercially available Norton AntiVirus product to Tivoli Enterprise Console events.
Supported platforms
The Tivoli Risk Manager adapter for Norton AntiVirus is supported on the following operating systems:
Table 10. Supported platforms
Norton Anti-Virus (7.5)
Components installed together | WinNT 4.0 | Win2K
Tivoli Risk Manager Agent (Transport) | X | X
Tivoli Enterprise Console adapter | X | X
������
Symantec Norton AntiVirus Corporate Edition protects the system from maliciously crafted ActiveX code and Java applets, as well as Trojan horses, and also protects the system while you surf the Internet. This gives real-time protection against complex viruses on the supported platforms.
Documentation on Norton AntiVirus events is available on the Symantec Web site. See the document "Norton AntiVirus Corporate Edition Event IDs Explained" at the following site:
http://service1/symantec.com/SUPPORT/nav.nsf/
Tivoli Enterprise Console Correlation
The Tivoli Event Log adapter recognizes the virus-related events generated by Norton AntiVirus. The Norton AntiVirus adapter maps these events to Tivoli Enterprise Console events, which are then sent to the event server and correlated.
All antivirus events are based on the Tivoli Risk Manager event classes defined in riskmgr.baroc and sensor_abstract.baroc.
Norton AntiVirus events
Tivoli Risk Manager supports the event messages reported by Norton AntiVirus. The following Norton AntiVirus events, identified by event ID number, are captured by the Tivoli Risk Manager rmnav.fmt format file.
Event number | Event severity | Description
2 | Notification | The virus scan completed.
3 | Notification | The virus scan started.
5 | Warning | An infected file was found.
6 | Warning | An error occurred when opening a particular file.
7 | Notification | The virus definitions were loaded.
13 | Notification | The Norton AntiVirus service is shutting down.
14 | Notification | The Norton AntiVirus service is starting.
16 | Notification | A definitions update is being downloaded.
21 | Error | The virus scan was aborted.
Adapter description
The following figure shows the component architecture of the Norton AntiVirus adapter. The string "TEC" in the figure denotes Tivoli Enterprise Console.
The Tivoli Risk Manager adapter for Norton AntiVirus includes the Tivoli Enterprise Console Windows Event Log adapter and a set of Tivoli Enterprise Console adapter support files.
The Tivoli Enterprise Console Windows Event Log adapter captures the Norton AntiVirus virus scan events written to the Windows application event log. By default, Norton AntiVirus records virus scan events in the event log.
The Tivoli Risk Manager adapter format file rmnav.fmt does the following:
v Defines the format of the Norton AntiVirus messages read from the event log.
v Associates each message with a Tivoli Enterprise Console event class.
v Converts the message information into an event format that the Tivoli Enterprise Console server can recognize.
This file is installed together with the Tivoli Enterprise Console adapter on the same platform as the Norton AntiVirus server.
Figure 6. Data flow from the Norton AntiVirus adapter
Chapter 8. Norton AntiVirus adapter 87
Tivoli Risk Manager also includes the BAROC file rmvirus.baroc. This file defines the virus management event classes created from Norton AntiVirus event messages. It is installed during the Tivoli Risk Manager server installation and loaded as part of the Tivoli Enterprise Console rule base.
These event classes represent the main events of the Norton AntiVirus product, such as virus detection, virus definition file updates, and virus scanning engine updates. Because the event classes are generic, they can also be used to define events for other antivirus products.
���� �����
This section describes how to install and configure the Tivoli Risk Manager Adapter for Norton AntiVirus.
���� ��
Before installing the Tivoli Risk Manager Adapter for Norton AntiVirus, complete the following:
1. For software requirements and installation information, see the Tivoli Risk Manager Release Notes.
2. Install the Symantec Norton AntiVirus product before installing the Tivoli Risk Manager adapter for Norton AntiVirus. Follow the installation instructions that come with the product.
3. Before installing the Norton AntiVirus adapter, install the Tivoli Management Framework adapter for the platform in use. For installation instructions, see the Tivoli Enterprise Console Adapters Guide.
���� �����
Before merging the Tivoli Risk Manager adapter format file with the Windows Event Log adapter format file, you can specify which Norton AntiVirus events are captured from the Windows application event log by selecting and editing the available message format definitions in the rmnav.fmt file. For the procedure, see the Tivoli Enterprise Console Adapters Guide.
The Norton AntiVirus adapter is installed by the following procedure:
1. Merge the Tivoli Risk Manager adapter format file with the Tivoli Management Framework adapter format file by appending the contents of the rmnav.fmt file to the end of the Windows Event Log adapter format file tecad_win.fmt.
Create the cds file, either with the win_gencds utility as described in the Tivoli Enterprise Console Adapters Guide, or by following the procedure in "Merging the Tivoli Risk Manager and adapter format files" on page 11 of this manual.
2. Start or restart the adapter.
Chapter 9. Host Intrusion Detection adapter
This chapter describes the following:
v "Adapter overview"
v "Adapter description" on page 93
v "Installation and configuration" on page 93
v "Installation steps" on page 94
v "Tivoli Enterprise Console tasks" on page 95
Adapter overview
Tivoli Risk Manager has an adapter for Host Intrusion Detection (Host IDS). It lets you deploy the adapter onto a protected operating system without impairing that operating system's functions, strengthening the security of the base operating system.
The Tivoli Risk Manager adapter for Host IDS maps events detected and recorded by Windows or UNIX systems to Tivoli Enterprise Console events. On UNIX systems it uses the Tivoli Logfile adapter (syslogd), and on Windows systems the Windows Event Log adapter, to send the events to the Tivoli Enterprise Console server.
The Tivoli Risk Manager adapter for Host IDS consists of a set of operating-system-specific format files that configure the Tivoli Logfile adapter, which thereby captures the events recorded by the operating system and forwards them to the event server for correlation. The Host IDS adapter resides on the system where the corresponding adapter is installed.
Supported platforms
The Tivoli Risk Manager adapter for Host IDS is supported on the operating systems shown in the following table.
Table 11. Supported platforms (Host IDS)
Components installed together | AIX 4.3.3 | AIX 5.1 | Solaris 7 | Solaris 8 | Linux RedHat 6.2/7.0 | Linux RedHat 7.2 | Linux SuSE 7.3 | zLinux | WinNT 4.0 | Win2K | HP-UX 11i
Tivoli Risk Manager Agent (Transport) | X X X X X X X X X
Tivoli Enterprise Console adapter | X X X X X X X X X X X
Adapter description
The Host IDS adapter monitors the operating system in order to detect activity recorded by the operating system. When an event occurs, the operating system writes a message to the system log.
The Host IDS adapter uses the Tivoli Logfile adapter to convert the events detected and written to these system logs into Tivoli Risk Manager events. The events are then sent to the event server and correlated.
Configure the corresponding Tivoli adapter:
Windows systems: Configure the Windows Event Log adapter to include the events described in the format file os_nt.fmt that comes with Tivoli Risk Manager.
AIX systems: Configure the Tivoli Logfile adapter (syslogd) to include the events described in the format file os_aix.fmt that comes with Tivoli Risk Manager.
Solaris operating environment (Solaris) systems: Configure the Tivoli Logfile adapter (syslogd) to include the events described in the format file os_solaris.fmt that comes with Tivoli Risk Manager.
Linux systems: Configure the Tivoli Logfile adapter (syslogd) to include the events described in the format file os_linux.fmt that comes with Tivoli Risk Manager.
HP-UX systems: Configure the Tivoli Logfile adapter (syslogd) to include the events described in the format file os_hpux.fmt that comes with Tivoli Risk Manager.
Note: For details on the Host IDS adapter for HP-UX, see "Chapter 10. Host intrusion detection - HP-UX11i adapter" on page 97.
Tivoli Risk Manager correlates operating system events with the events detected by other Tivoli Risk Manager adapters, enabling the administrator to handle intrusion detection events effectively.
���� �����
���� ��
Before installing the Tivoli Risk Manager adapter for Host IDS, complete the following:
1. For software requirements and installation information, see the Tivoli Risk Manager Release Notes.
2. Install the Tivoli Management Framework adapter before installing the adapter. For installation instructions, see the Tivoli Enterprise Console Adapters Guide.
Chapter 9. Host Intrusion Detection adapter 93
���� �����
To configure the Host IDS adapter, perform the following steps:
1. The Host IDS adapter is tuned by selecting entries in its format file and commenting them out. Edit the Host IDS adapter format file for the chosen operating system.
2. Merge the Tivoli Risk Manager adapter format file into the Tivoli format file. Create the cds file, either with the win_gencds utility as described in the Tivoli Enterprise Console Adapters Guide, or by following the procedure in "Merging the Tivoli Risk Manager and adapter format files" on page 11 of this manual.
AIX systems: Append the os_aix.fmt file to the end of the existing tecad_logfile.fmt file.
Solaris systems: Append the os_solaris.fmt file to the end of the existing tecad_logfile.fmt file.
Windows systems: Append the os_nt.fmt file to the end of the existing tecad_nt.fmt file.
Linux: Append the os_linux.fmt file to the end of the existing tecad_logfile.fmt file.
HP-UX: Append the os_hpux.fmt file to the end of the existing tecad_logfile.fmt file.
3. Restart the adapter.
Notes:
1. When using the Solaris Host IDS adapter, the Solaris syslog message ID option must be disabled. Make sure that msgid=0 is set in /kernel/drv/log.conf.
2. Customers using the wtdumprl command in a DBCS environment should make sure that the NO_UTF8_CONVERSION parameter in the tecad_win.conf file is set to YES so that DBCS messages from Windows 2000 are displayed correctly.
Tivoli Risk Manager loads the event definitions on the event server automatically when Tivoli Risk Manager is set up.
Tivoli Enterprise Console tasks
Tivoli Risk Manager has its own task library, the Tivoli Risk Manager Task Library, which it installs in the default Tivoli Enterprise Console policy region, TEC-Region. Tivoli Enterprise Console tasks are supported on Tivoli managed nodes and Tivoli endpoints. For details on installing and configuring Tivoli endpoints, see the Tivoli Framework documentation.
Tivoli Risk Manager has Tivoli Enterprise Console tasks that control, by enabling or disabling security auditing, whether the Windows operating system captures security events. To run these Tivoli Risk Manager tasks, the rmt_ntaudit.exe program must be installed on the endpoint where the task runs. This program is installed with the Tivoli Risk Manager client in the %RMADHOME%¥bin directory.
Enabling Windows event auditing
To enable Windows event auditing, do the following:
1. On the Tivoli desktop, click the Tivoli Enterprise Console task library displayed as "Risk Manager Task Library".
2. Click Windows_Enable_Event_Auditing.
3. Specify the desired audit parameters.
4. Click Set & Execute. Windows event auditing is enabled.
Disabling Windows event auditing
To disable Windows event auditing, do the following:
1. On the Tivoli desktop, click the Tivoli Enterprise Console task library displayed as "Risk Manager Task Library".
2. Click Windows_Disable_Event_Auditing.
3. Specify the desired audit parameters.
4. Click Set & Execute. Windows event auditing is disabled.
Chapter 10. Host intrusion detection - HP-UX11i adapter
This chapter consists of the following sections:
v "Adapter overview"
v "Product overview" on page 98
v "Adapter description" on page 99
v "Installation" on page 100
Adapter overview
As a UNIX-based operating system, HP-UX supports features such as multi-user access and remote access. The IBM Tivoli Risk Manager adapter for HP-UX gives administrators a means of monitoring multi-user access events and remote access events on HP-UX and detecting improper access.
The HP-UX system kernel monitors changes within the system and sends corresponding messages to the system log daemon. The system log daemon outputs the relevant messages to the system log file. If system logging is configured correctly, events such as connections to inetd, issuance of the su (switch user) command, and the system log daemon going down are captured in the log.
Supported platforms
The Tivoli Risk Manager adapter for HP-UX runs on HP-UX versions 11.0 and 11i.
The Tivoli Risk Manager adapter for HP-UX11i is designed to work with Tivoli Risk Manager version 4.1 and Tivoli Risk Manager version 3.8.
Customers using Tivoli Risk Manager version 3.8 must download and update the Tivoli Risk Manager rule base and the two files generic.baroc and sensor_abstract_supp.baroc. Both files are included in the Host IDS package available from the Tivoli Risk Manager support Web site. The two files support the upward compatibility needed to use these adapters with Tivoli Risk Manager 3.8. Information on updating the Tivoli Risk Manager 3.8 rule base is in the IBM Tivoli Risk Manager User's Guide Version 3.8.
Customers using Tivoli Risk Manager version 4.1 do not need to update the Risk Manager Tivoli Enterprise Console server. The rule base is correctly configured by default to support this adapter and already contains the required event class definitions included in these files.
Product overview
HP-UX is the UNIX-based operating system for Hewlett-Packard's HP 9000 series of business servers.
The following table shows some of the HP-UX-specific terms used in this chapter.
Name | Location on an HP-UX system | Reference
System log daemon process | /etc/syslogd | syslogd manual page
System log daemon configuration file | /etc/syslog.conf | syslogd manual page
System log file | /var/adm/syslog/syslog.log | syslogd manual page
System logging API | /usr/include/syslog.h | syslog manual page
inetd daemon process | /usr/sbin/inetd | inetd manual page
inetd daemon configuration file | /etc/inetd.conf | inetd manual page
Adapter description
The integrated solution described in this chapter gives an administrator managing one or more HP-UX systems the ability to detect host intrusions from a single location. This capability leverages the strengths of the Tivoli Risk Manager correlation engine.
The HP-UX operating system records system events in a log file. Tivoli Risk Manager can be used as a means of monitoring these system log events. Tivoli Risk Manager also provides an HP-UX Logfile adapter, which is configured to monitor the HP-UX system log and forward the log entries to the Tivoli Enterprise Console server in the form of Tivoli Enterprise Console events. The adapter described in this chapter monitors the HP-UX system log using the standard Tivoli Enterprise Console Logfile adapter. The format file, os_hpux.fmt, was designed to map HP-UX system entries to Tivoli Risk Manager events.
The following figure shows the integration between Tivoli Risk Manager and the HP-UX log file.
Chapter 10. Host intrusion detection - HP-UX11i adapter 99
����
The installation steps in this chapter use the following parameters:
HP-UX: Refers to the HP-UX machine.
$BINDIR: Refers to the Tivoli Risk Manager installation directory on the machine that contains the Tivoli Enterprise Console server. It is also the environment variable set when the Tivoli environment is sourced with the source command.
The installation instructions assume that the HP-UX Logfile adapter is installed in the directory /usr/tecad and that the TECADHOME environment variable is set to /usr/tecad. For details on installing the HP-UX Logfile adapter, see the IBM Tivoli Enterprise Console Adapters Guide.
���� �����
1. Run the following command to stop the Tivoli Enterprise Console Log File adapter.
HP-UX: /usr/tecad/bin/init.tecad_logfile stop
2. Copy the file os_hpux11i.fmt to the /usr/tecad/etc/C directory on the HP-UX machine.
3. Back up the file /usr/tecad/etc/C/tecad_logfile.fmt with the following command:
cp /usr/tecad/etc/C/tecad_logfile.fmt /usr/tecad/etc/C/tecad_logfile.fmt.old
4. Rename the file /usr/tecad/etc/C/os_hpux11i.fmt to /usr/tecad/etc/C/tecad_logfile.fmt with the following command:
mv /usr/tecad/etc/C/os_hpux11i.fmt /usr/tecad/etc/C/tecad_logfile.fmt
Note: The file name must be tecad_logfile.fmt.
5. Generate the adapter CDS file with the following command (enter it on one line):
/usr/tecad/bin/logfile_gencds /usr/tecad/etc/C/tecad_logfile.fmt > /usr/tecad/etc/tecad_logfile.cds
6. Verify that the following parameters are disabled in the adapter configuration file:
#Filter:Class=Logfile_Base
#Filter:Class=Logfile_Sendmail
#Filter:Class=Amd_Unmounted
#Filter:Class=Amd_Mounted
7. After verifying that the adapter is configured correctly, start the adapter with the following command:
/usr/tecad/bin/init.tecad_logfile start&
Alternatively, the following command runs the adapter in debug mode for monitoring:
/usr/tecad/bin/init.tecad_logfile -d start&
The adapter depends on a file called generic.baroc being correctly configured and present on the Tivoli Risk Manager machine. This file is included in Tivoli Risk Manager 3.8 and 4.1. If syntax errors occur on the Tivoli Risk Manager machine when receiving events from the log file adapter, this file may be missing or not configured correctly. For details on configuring generic.baroc, see the IBM Tivoli Risk Manager User's Guide.
Updating the Tivoli Risk Manager 3.8 rule base
Users of Tivoli Risk Manager version 3.8 need the following additional work to update the rule base on the Risk Manager server with the files generic.baroc and sensor_abstract_supp.baroc:
1. Copy the files generic.baroc and sensor_abstract_supp.baroc to the directory $BINDIR/RISKMGR/corr/tec.
2. Add generic.baroc as an entry in the file $BINDIR/RISKMGR/corr/riskmgr_baroc.lst.
Note: The order of these entries is important. generic.baroc must be placed before sensor_abstract.baroc in the list.
3. Add sensor_abstract_supp.baroc to the file $BINDIR/RISKMGR/corr/riskmgr_baroc.lst as the first entry after sensor_abstract.baroc.
Note: The order of these entries is important. sensor_abstract_supp.baroc must be placed after sensor_abstract.baroc and before all other entries.
4. Update the existing rule base by first sourcing the Tivoli environment in a command shell. Run the bash command to enter a bash command shell. At the command prompt, change to the directory $BINDIR/RISKMGR/corr and run the following command:
./rmcorr_cfg -update
The Tivoli Enterprise Console server stops and then restarts normally.
Note: The adapter depends on these baroc files being correctly configured as part of the Risk Manager rule base. If syntax errors occur on the Tivoli Risk Manager machine when receiving events from the log file adapter, these files may be missing or not configured correctly. For details on updating the rule base, see the IBM Tivoli Risk Manager User's Guide.
������ ����!"�!�����
m0&U!$k&"@W?<,5oK$s9H<k5l?3HrN'9kKO"!
Nh&K7^9#
1. HQfN Tivoli Risk Manager ^7seG Tivoli Enterprise Console Km0$s
7^9#
2. Tivoli D-r=<9H7Fhj~s@3^sI&&#sI&r+-^9#!N3
^sIr~O7^9#
%windir%\System32\cmd.exe /k C:\winnt\system32\drivers\etc\tivoli\setup_env.cmd
3. 3^sI wtdumprl rBT7^9#
4. j9HK=(5lk$YsHNaC;<8N*ojN}K"V79F`&m.s
0&G<bs,FO07^7? (System Logging daemon restarted)WH$&9H
js0,^^lF$k3HrN'7^9#3NaC;<8O"sys m0,
tecad_logfile "@W?<KhCFF+5lkH-Kn.5l"(sHj<,
sys m0&U!$kKq-~^l^9#
3N$YsHO""@W?<N$s9H<k,5oKTol?3Hr(7^9#
3N$YsHru1hCF$J$lgO"!N3HrN'7F/@5$#
v /usr/tecad/etc/tecad_logfile.conf U!$kK57$ IP "Il9,^^l
F$k+
v /usr/tecad/etc/C NfN fmt U!$kN>0, tecad_lofile.fmt KJCF
$k+
v init.tecad_logfile Wm;9,BT5lF$k+ (ps -ef | grep init rBT
7FN')
�����������
3N;/7gsNo|NjgGO"!NQia<?<rHQ7F$^9#
HP-UX HP-UX ^7srX7^9#
$BINDIRTivoli Enterprise Console 5<P<r^sG$k^7seN Tivoli Risk
Manager N$s9H<k&G#l/Hj<rX7^9#^?"source 3^s
IG Tivoli D-,=<9H7Fhj~^lkH-K_j5lkD-QtG
9#
1. HP-UX ^7seG TECADHOME D-Qt,_j5lF$J$H-O"!N3
^sIrBT7F_j7F/@5$#
export TECADHOME=/usr/tecad
2. m0¥U!$k&"@W?<,T/fNlgO"!N3^sIrBT7Fd_7
^9#
HP-UX
/usr/tecad/bin/init.tecad_logfile stop
3. !N3^sIr/T7^9#
HP-UX
/usr/tecad/bin/tecad-remove-logfile.sh
m: !N3^sIG"m0¥U!$k&"@W?<ro|9kH"
/etc/Tivoli/tecad/bin/tecad-remove-logfile.sh
U!$k*hSG#l/Hj<Nlt,o|5lJ$3H,"j^9#3l
iO"UNIX 3^sIN rm *hS rmdir rBT9k3HKhCFj0G
o|G-^9#
Tivoli Risk Manager 3.8 ������������� �
��������
Tivoli Risk Manager 3.8 Nf<6<O"Tivoli Risk Manager 3.8 Q"@W?<r|
n9k]"!NICnHrB\9k,W,"j^9#Tivoli Risk Manager 4.1 Nf
<6<O"!NjgrT&,WO"j^;s#
m: !NnHrB\9k0K"k<k&Y<9Km<I5lF$kU!$k
generic.baroc KM89k>N"@W?<, Tivoli Risk Manager 3.8 5<P<
K$YsHrw.7F$k+I&+N'9k,W,"j^9#=Nh&J"@
W?<,8_9klgO"!NnHrB\7J$G/@5$#
1. U!$k $BINDIR/RISKMGR/corr/riskmgr_baroc.lst +i(sHj<
generic.baroc ro|7^9#
2. U!$k $BINDIR/RISKMGR/corr/riskmgr_baroc.lst +i(sHj<
sensor_abstract_supp.baroc ro|7^9#
3. U!$k $BINDIR/RISKMGR/corr/tec/generic.baroc r79F`+ij0Go|
7^9#
4. U!$k $BINDIR/RISKMGR/corr/tec/ sensor_abstract_supp.baroc r79F`
+ij0Go|7^9#
5. GiK3^sI&7'kG Tivoli D-r=<9H7Fhj~`3HKhj"{
8Nk<k&Y<9r977^9#bash 3^sIrBT7F"bash 3^sI&
7'kr~O7^9#3^sI&WmsWHG"G#l/Hj<
$BINDIR/RISKMGR/corr K\07"!N3^sIrBT7^9#
./rmcorr_cfg -update
Tivoli Enterprise Console 5<P<,d_7?e"5oKF+7^9#
Chapter 11. Tivoli Access Manager 4.1 adapter
3NOGO"J<Npsrs!7^9#
v X"@W?<N5WY
v 106Z<8NX=JN5bY
v 108Z<8NX"@W?<N5bY
v 109Z<8NX$s9H<k*hS=.Y
v 122Z<8NX"@W?<I}?9/Y
v 124Z<8NX=N>NmUv`Y
��������
Tivoli Access Manager 4.1 Q Tivoli Risk Manager "@W?< (J<""@W?<H
FS^9) O"Tivoli Access Manager 4.1 +iF:m0rhj~sG"Tivoli Risk
Manager G,O5lkh&KFU)<^CH7^9#
"@W?<,!=9k?aK,WJ Tivoli Access Manager *hS Tivoli Risk
Manager N3s]<MsHH7FO"J<NbN,"j^9#
pdacld Tivoli Access Manager QNF:m0N-?rBT7^9#Tivoli
Access Manager Authorization Server P$Jj<BTD=U!$
kHbFS^9#
Event Translator Tivoli Access Manager F:m0rhj~_"=lir Tivoli
Risk Manager XN>wQKFU)<^CH9kr\r4CF$
^9#
Tivoli Risk ManagerEvent IntegrationFacility
Event Translator "Wj1<7gs,$YsH&5<P<K$Y
sHrw.9k\*KHQ9k"$YsH API i$Vij<,
^^lF$^9#
Tivoli EnterpriseConsole Logfile "@W?<
Event Translator "Wj1<7gsNPOU!$k+i$YsH
rI_hCF"$YsH&5<P<Kw.7^9#
��������������
Tivoli Access Manager 4.1 Q Tivoli Risk Manager "@W?<O"J<N*Zl<
F#s0&79F`G5]<H5lF$^9#
Table 12. Supported platforms
Component installed together with the Tivoli Access Manager 4.1 adapter (columns: AIX 4.3.3, Solaris 7, Solaris 8, WinNT 4.0, Win2K)
Tivoli Risk Manager Agent (Transport/Tivoli Risk Manager Event Integration Facility): X X X
Tivoli Risk Manager Event Integration Facility: X X X X X
Tivoli Enterprise Console adapter: X X X X X
Tivoli Access Manager 4.1Q Tivoli Risk Manager "@W?<O"Tivoli Risk
Manager P<8gs 4.1 *hS P<8gs 3.8 NIAiGb0n9kh&K_W
5lF$^9#
Risk Manager P<8gs 3.8 rHQfN*RMO"Tivoli Risk Manager k<k&
Y<9rU!$k generic.baroc *hS sensor_abstract_supp.baroc H&K@&
sm<I7"979k,W,"j^9#IAiNU!$kb"Tivoli Risk Manager
N5]<H Web 5$H+i~jD=J Tivoli Access Manager "@W?<&QC1
<8K^^lF$^9#3liNU!$kO"Risk Manager 3.8 HNe}_9-r
5]<H7F$^9#Tivoli Risk Manager 3.8 k<k&Y<9N97KD$FNp
sO"VIBM Tivoli Risk Manager f<6<:&,$I P<8gs 3.8Wr2H7F
/@5$#
Tivoli Risk Manager P<8gs 4.1 rHQfN*RMO"Tivoli Enterprise Console
5<P<N97rT&,WO"j^;s#k<k&Y<9O3N"@W?<r5]
<H9kh&GU)kHG57/=.5l"3liNU!$kK^^lF$k,W
J$YsH&/i9jAr^sG$^9#
�����
Tivoli Access Manager O"e-S8M9*hS,6"Wj1<7gsKP~7?]j
7<I}D<kG9#3ND<krHQ9k3HG"e-S8M9&;-ejF#<q
QN2}"kHN;-ejF#<&=je<7gsN#(="WiCH[<`VN
;-ejF#<&]j7<B\T=JIN]jKPhG-^9#Tivoli Access
Manager GO"DQ-Nb$8fvD5<S9rs!7"S8M9KTDgJ,6
?psNI}N~erD=K7F$^9#^?"Tivoli Access Manager rHQ9k
3HG"EWJpsXN"/;9rFW"+D;-e"K7"\RdS8M9&Q
<HJ<JIHN3_eK1<7gs,/=5l^9#
WebSEAL O"WiCHU)<`KX8J/9YFN Web 5<P<XN"/;9r
I}9k"Tivoli Access Manager 3s]<MsHG9#WebSEAL rHQ9k3H
G"HQ7F$k Web j=<9r1lN@}* Web 9Z<9H7F8fI}9k
3H,G-^9#
Tivoli Access Manager GO"+R+/N"Wj1<7gs+i Tivoli Access
Manager 5<S9K"/;99k?aN"Wj1<7gs API ,s!5lF$^
9#Tivoli Access Manager GO"J2EE 8` JAAS (Java 'Z/vD5<S9: Java
Authentication and Authorization Service) ,5]<H5lF$F"M$F#VN Java
"Wj1<7gs+i Tivoli Access Manager K"/;97FvDN=jrT(k
h&KJCF$^9#Tivoli Access Manager KO"Open Group N8`'D C @l
N API (AZN-API) b$sWjasH5lF$F"3lKhj"C API FSP7r
T&"Wj1<7gsO Tivoli Access Manager vD*hSqJ5<S9rHQG
-^9#
Tivoli Access Manager N\YpsO"Tivoli Access Manager 4.1 NqAr2H7F
/@5$#3NqAO"IT, Tivoli Access Manager 4.1 N`n*hSI}K:L
7F$k3Hr0sH7F$^9#
��������
}gO"Tivoli Risk Manager KhkbK?<r,WH9k[+"pdacld XNm0P
ON?aN9YFN Tivoli Access Manager 4.1 3s]<MsHr,WH7^9#
Event Translator (pdacld KhjBT5lkP$Jj<BTD=U!$k) O"Tivoli
Access Manager F:m0rVQ$WWa+K:`rp7F Tivoli Risk Manager 5
<P<K>w7^9#Event Translator O"#tN^7seK[VD=G"$YsH
>wQN 2 DNa=CINIAi+l}^?O>}rHQG-^9#Event
Translator GO"=.*W7gsKhj"Tivoli Risk Manager Event Integration
Facility"Tivoli Enterprise Console Logfile "@W?<""k$O=N>}rHQ7
?$YsHw.,D=HJCF$^9#
Tivoli Risk Manager *hS Tivoli Access Manager 4.1 }gN"<-F/Ac<
r"<^K(7^9#
Figure 7. Tivoli Risk Manager integration using the Tivoli Access Manager architecture
���� �����
���� ��
Event Translator O"Tivoli Risk Manager Event Integration Facility Khk}!H
Tivoli Enterprise Console m0&U!$k&"@W?<Khk}!N 2 o`N&A
IAi+rHQ7F"Tivoli Risk Manager XN$YsH>wrD=K7F$^9#
}grT&KO"Tivoli Access Manager Authorization Server r"Event Translator
XNQ$Wrp7FPO,q-~^lkh&K=.9k,W,"j^9# Tivoli
Access Manager Authorization Server NF$s9?s9K_jD=J*W7gsH7
FO"J<N 3 o`,"j^9#
v 9YFN Tivoli Access Manager 3s]<MsH+i9YFN?$WN$YsH
r"Event Translator N1l$s9?s9Kq-~`#
v 1 DN Tivoli Access Manager 3s]<MsH+i9YFN?$WN$YsH
r"Event Translator N1l$s9?s9Kq-~`#
v $/D+No`N Tivoli Access Manager 3s]<MsHrp7F"3s]<M
sH4HK Event Translator N1l$s9?s9Km0rPO9k#
3liN*W7gsKD$FO"$s9H<k&9FCWG\7/b@7^9#
b& 1 DNGWm$&*W7gsH7FO"5^6^J Tivoli Access Manager 3
s]<MsHrp7F"$/D+N8fm.s0&]$sHN 1 DKm0PO9k
}!,"j^9#3N*W7gsrHQ9kH"F:aC;<8N)fr/=7"
9k<WCHrbak3H,G-^9#
^?"0N;/7gsGRY?h&K"J<N 3 DNGWm$asH&*W7gs
N$:l+rHQ7F"Event Translator N$YsHr Tivoli Risk Manager 5<P
<Kw.9k3H,G-^9#
v Event Translator N$YsHr Tivoli Risk Manager Event Integration Facility rp
7F Tivoli Risk Manager 5<P<Kw.9k#
v Event Translator N$YsHr Tivoli Enterprise Console Logfile "@W?<rp7
F Tivoli Risk Manager 5<P<Kw.9k#
v $YsHr Tivoli Risk Manager Event Integration Facility *hS Tivoli Enterprise
Console Logfile "@W?<N>}rp7F Tivoli Risk Manager 5<P<Kw.
9k#
79F`&QU)<^s9N~eN?aKO"Tivoli Risk Manager Event Integration
Facility rHQ7F$YsHr Tivoli Risk Manager 5<P<Kw.7F/@5$#
Tivoli Enterprise Console Logfile "@W?<rHQ7F"Tivoli Access Manager N
$YsHr Tivoli Risk Manager K>w9k]KO"Tivoli Enterprise Console
Logfile "@W?<r Tivoli Access Manager Authorization Server 4.1 H18^7s
eK$s9H<k7F*/,W,"j^9#Tivoli Enterprise Console Logfile "@W
?<N$s9H<kN\YO"VTivoli Enterprise Console "@W?<&,$IWK
-\5lF$^9#
���� �����
������0�6�*����
5]<H5lF$k*Zl<F#s0&79F`NWiCHU)<`KO$/D+
No`,"j"=l>lKJ<N"@W?<&QC1<8&U!$k,P~7F$
^9#
Operating system    Install package
Solaris             RMAMAdapter.pkg
AIX                 RMAMAdapter
Windows             RMAMAdapter.exe
������0�6�*�����
GWm$asH&WiCHU)<`K,ZJ$s9H<k&QC1<8rBT7^
9#
v Solaris Nlg"pkgadd rHQ7F/@5$#c:
pkgadd -d RMAMAdapter.pkg RMAM
v AIX Nlg"SMIT rHQ7F/@5$#
v Windows Nlg"RMAMAdapter.exe rBT7F"InstallShield N$s9H<kr
+O7F/@5$#
"@W?<N$s9H<kh}GO"?<2CHN*Zl<F#s0&79F`K
~8F"J<NljKU!$k,$s9H<k5l^9#
Operating system    Install directory
Solaris             /opt/am41rm38_Adapter
AIX                 /opt/am41rm38_Adapter
Windows             \Program Files\am41rm38_Adapter (or the location specified at install time)
pdacld �'���(��������!��"���
Tivoli Access Manager Authorization Server O"Tivoli Risk Manager K>w5lk
Tivoli Access Manager $YsH,GiK~e9k8hG9#Tivoli Access Manager
3s]<MsHO"sVL.rHQ7F pdacld Kq-~_rT&h&K=.9k,
W,"j^9#pdacld XNq-~_rT& Tivoli Access Manager 3s]<MsH
N\YKD$FO"VIBM Tivoli Access Manager 4.1 Base Installation GuideWr2
H7F/@5$#
Tivoli Access Manager NF3s]<MsHQN=.U!$krJ<Kj9H7^
9#3liNU!$kNljO"WiCHU)<`*hS$s9H<k&G#l/
Hj<K~8F[Jj^9#
Table 13. Configuration files of the Tivoli Access Manager components
Tivoli Access Manager component                      Configuration file
pdmgrd (Access Manager policy server)                ivmgrd.conf
pdacld (Tivoli Access Manager Authorization Server)  ivacld.conf
WebSEAL                                              webseald.conf
Web plug-in                                          pdwebpi.conf
AMBI                                                 pdmqazn.conf
WebSEAL-lite                                         wslpdazn.conf
+9?`N AZN API "Wj1<7gsrHQ7F$klgO"P~9k AZNAPI N=.U!$krLVXj9k,W,"j^9#
Tivoli Access Manager =.U!$kN9YFKJ<N(sHj<,^^lF$^
9#3liN(sHj<K"jb<H&N pdacld ^7s (J<NcGO"TCP ]
<H 7136 eK"k host1) K>w5lkF:m0rXj7^9#jb<H&^7s
K\(G-J$lgO"U!$k (J<NcGO cachefile H$&U!$k) KF
:,q-~^l^9#-cC7e&U!$kO"8_7F$J1lPn.5l^
9#3N(sHj<O"Tivoli Access Manager 3s]<MsHN9YFK"1lN
bN,HQ5l^9#3N(sHj<O [aznapi-configuration] 9?s6 (1 TG
~O) N<tK"j^9#
[aznapi-configuration]
logcfg=audit:remote server=host1,port=7136,buffer_size=512,compress=yes,error_retry=2,path=cachefile pdacld_audit.remote.cache,flush_interval=2,rebind_retry=30
m: [aznapi-configuration] 9?s6bN logaudit Qia<?<,3asHU15
lF$k+"m.s0,HQD=HJkh&K yes K_j5lF$k3HrN
'7F/@5$#
�'�� Tivoli Access Manager Authorization Server(pdacld) ���
}grT&KO"Tivoli Access Manager Authorization Server r"Event Translator
XNQ$Wrp7FPO,q-~^lkh&K=.9k,W,"j^9# Tivoli
Access Manager Authorization Server NF$s9?s9K_jD=J*W7gsH7
FO"J<N 3 o`,"j^9#
v 9YFN^7s+i9YFN?$WN$YsHr"Event Translator N1l$s9
?s9Kq-~`#
v 1 DN^7s+i9YFN?$WN$YsHr"Event Translator N1l$s9?
s9Kq-~`#
v $/D+No`N Tivoli Access Manager 3s]<MsHrp7F"3s]<M
sH4HK Event Translator N1l$s9?s9Km0rPO9k#
Tivoli Access Manager Authorization Server N=.O"J<Nh&JU!$kGBT
5l^9#
Windows NT 4.0 and Windows 2000: %PD_HOME%\etc\ivacld.conf
UNIX platforms: $PD_HOME/etc/ivacld.conf
�#���%�� Event Translator ����������$�����
:Tivoli Access Manager Authorization Server =.U!$kbN
[aznapi-configuration] 9?s6N<tKO"eRNm0=.(sHj<r-R9
k,W,"j^9#
logcfg Qia<?<KO"Event Translator P$Jj<BTD=U!$kXNdP
Q9r^aJ1lPJj^;s#Windows WiCHU)<`Nlg"U!$kH%
Rr^ak,W,"j^9 (=.U!$kXNjPQ9OHQG-^;s)#UNIX
WiCHU)<`GO"P$Jj<BTD=U!$kKU!$kH%Rr^a^;
s#evttrans.conf O"Tivoli Risk Manager Event Translator N=.U!$kG9#
U!$k>XNQ9K9Z<9r^aklgO"sEzQdrHQ7FU!$k&
Q9rXj7F/@5$#
J<N=.cGO"9YFN?$WN$YsH,"Event Translator N1l$s9?
s9Kq-~^l^9#Event Translator O"/opt/PolicyDirector/bin H$&G#
l/Hj<K$s9H<k5l"Event Translator N=.U!$kO
/opt/PolicyDirector/etc H$&G#l/Hj<K$s9H<k5l^9#
Example (enter each logcfg entry on one line):
Windows NT 4.0 and Windows 2000
[aznapi-configuration]
logcfg = remote.audit:pipe path="C:\Program Files\Tivoli\PolicyDirector\bin\evttrans.exe" -f "C:\Program Files\Tivoli\Policy Director\etc\evttrans.conf"
UNIX platforms
[aznapi-configuration]
logcfg = remote.audit:pipe path=/opt/PolicyDirector/bin/evttrans -f /opt/PolicyDirector/etc/evttrans.conf
�#���%����� �!% Event Translator ��������
��$�����:Tivoli Access Manager Authorization Server =.U!$kbN
[aznapi-configuration] 9?s6N<tKO"eRNm0=.(sHj<r-R9
k,W,"j^9#
logcfg Qia<?<KO"Event Translator P$Jj<BTD=U!$kXNdP
Q9r^aJ1lPJj^;s#Windows WiCHU)<`Nlg"U!$kH%
Rr^ak,W,"j^9#UNIX WiCHU)<`GO"P$Jj<BTD=U
!$kKU!$kH%Rr^a^;s#evttrans.conf O"Tivoli Risk Manager
Event Translator N=.U!$kG9#
J<N=.cGO"CjN^7s (machine-x) +i9YFN?$WN$YsH,"
Event Translator N1l$s9?s9Kq-~^l^9#Event Translator O"
/opt/PolicyDirector/bin H$&G#l/Hj<K$s9H<k5l"Event
Translator N=.U!$kO /opt/PolicyDirector/etc H$&G#l/Hj<K$
s9H<k5l^9#
Example (enter each logcfg entry on one line):
Windows NT 4.0 and Windows 2000
[aznapi-configuration]
logcfg = remote.audit.machine-x:pipe path="C:\Program Files\Tivoli\Policy Director\bin\evttrans.exe" -f "C:\Program Files\Tivoli\Policy Director\etc\evttrans.conf"
UNIX platforms
[aznapi-configuration]
logcfg = remote.audit.machine-x:pipe path=/opt/PolicyDirector/bin/evttrans -f /opt/PolicyDirector/etc/evttrans.conf
Event Translator ������������&�����!��"���
�:Tivoli Access Manager Authorization Server =.U!$kbN
[aznapi-configuration] 9?s6N<tKO"eRNm0=.(sHj<r-R9
k,W,"j^9#
logcfg Qia<?<KO"Event Translator P$Jj<BTD=U!$kXNdP
Q9r^aJ1lPJj^;s#Windows WiCHU)<`Nlg"U!$kH%
Rr^ak,W,"j^9# UNIX WiCHU)<`GO"P$Jj<BTD=U
!$kKU!$kH%Rr^a^;s#evttrans.conf O"Tivoli Risk Manager
Event Translator N=.U!$kG9#
J<N=.cGO"$/D+No`N Tivoli Access Manager 3s]<MsHrp
7F"3s]<MsH4HK Event Translator N1l$s9?s9Km0PO5l
^9#^7s (machine-x) eN pdmgrd (Access Manager ]j7<¥5<P<) +i
Event Translator XNQ$WrL7Fm0PO5l? Tivoli Access Manager F:$
YsHO9YF"3liN(sHj<KhCFXj5l^9#Event Translator O"
/opt/PolicyDirector/bin H$&G#l/Hj<K$s9H<k5l"Event
Translator N=.U!$kO /opt/PolicyDirector/etc H$&G#l/Hj<K$
s9H<k5l^9#
Example (enter each logcfg entry on one line):
Windows NT 4.0 and Windows 2000
[aznapi-configuration]
logcfg = remote.audit.machine-x.pdmgrd:pipe path="C:\Program Files\Tivoli\Policy Director\bin\evttrans.exe" -f "C:\Program Files\Tivoli\Policy Director\etc\evttrans.conf"
UNIX platforms
[aznapi-configuration]
logcfg = remote.audit.machine-x.pdmgrd:pipe path=/opt/PolicyDirector/bin/evttrans -f /opt/PolicyDirector/etc/evttrans.conf
Event Translator N1l$s9?s9XNq-~_rT&3s]<MsH^?O^7
s4HK"eRN=.r+jV9,W,"j^9#=N>N3s]<MsHO!N
H*jG9#
v Tivoli Access Manager Authorization Server (pdacld)
v Tivoli Access Manager Authorization API "Wj1<7gs
v Tivoli Access Manager WebSEAL HTTP Server
v Tivoli Access Manager Web Wi0$s
���%��������
Tivoli Access Manager G8.5l?vD$YsHQK"vD$YsHr8.9k*
V8'/HK Protected Object Policy (POP) rUC7F*/,W,"j^9#
pdadmin D<krHQ7F POP rn.7UC9kKO"lcH7F"J<Nh&
J3^sI&7<1s9Khk}!,s2il^9#
pdadmin> login -a sec_master -p xxxxxx
pdadmin> pop create pop-for-azn-audit-event
pdadmin> pop modify pop-for-azn-audit-event set audit-level permit,deny
pdadmin> pop attach /<application (e.g. WebSEAL)>/machine-x pop-for-azn-audit-event
Event Translator �����
Event Translator BTD=P$Jj<&U!$k (evttrans)"Event Translator F-
9H&U!$k (evttrans.conf)"*hS Event Translator Error Messages F-9
H&U!$k (messages.cat) O"GWm$asHQ^7seK"k,ZJG#l/
Hj<K3T<7F/@5$#Event Translator BTD=P$Jj<&U!$kO"
Tivoli Access Manager Authorization Server N=.Q_Q$WPOH18ljKJ1
lPJj^;s#
Event Translator r$s9H<k7?e"=N=.U!$k (-f Ui0U-) N2H
,D=KJj^9#c(P"Event Translator N5sWk=.U!$k,
evttrans.conf G"klgO"J<N3^sIr/T7F/@5$#
evttrans -f evttrans.conf
Event Translator N/03^sIO"Lo Tivoli Access Manager Authorization
Server N=.NfK_j5l^9#Event Translator QN3^sIT*W7gsO"
[+Kb"j^9# 122Z<8NX"@W?<I}?9/Yr2H7F/@5$#
UNIX WiCHU)<`GO"Event Translator P$Jj<BTD=U!$k"
Event Translator =.U!$k*hS Event Translator aC;<8&+?m0&U!
$kK",ZJ;-ejF#<vD,_j5lF$k3HrN'7F/@5$#3
liNU!$kNj-"O"Tivoli Access Manager Authorization Server P$Jj<
BTD=U!$k9YFK1lNbNrHQ9k,W,"j^9#5?*Jj-T
>H7FO"ivmgr ,s2il^9#,WJ Event Translator U!$kj-"O"
J<N UNIX 3^sIGQ95l^9#
chown ivmgr:ivmgr evttrans
chown ivmgr:ivmgr evttrans.conf
chown ivmgr:ivmgr messages.cat
Tivoli Risk Manager Event Integration Facility ��������
� Event Translator �� (�)G1NkLr@k?aKO"Tivoli Risk Manager Event Integration Facility ,HQ5
lkh&K Event Translator r=.7F/@5$#Tivoli Risk Manager Event
Integration Facility O"Risk Manager P<8gs 3.8 GOLDN3s]<MsHH
7F$s9H<k5lkNKP7F"Risk Manager P<8gs 4.1 GO Risk
Manager Client NTDgJt,H7F$s9H<k5l^9#
3N"@W?<, Risk Manager P<8gs 3.8 GT/7F$klgO"GWm$
asHQ^7seK Tivoli Risk Manager Event Integration Facility QC1<8r,
:$s9H<k7F/@5$#3N"@W?<, Risk Manager 4.1 GT/7F$k
lgO"Risk Manager Client QC1<8r,:$s9H<k7F/@5$#
m: =.*W7gsN\YKD$FO" 124Z<8NXEvent Translator =.*W7
gsYr2H7F/@5$#
1. F-9H&(G#?<G Event Translator =.F-9H&U!$kr+$F"
RMEIF 0-r yes H$&MK_j7^9#
RMEIF = yes
2. ,WK~8F"RMEIF-retry-interval 0-*hS RMEIF-max-retries 0-rT
87^9#
3. 9FCW 2 G_j5l? RMEIF rp7Fm.s0,9YF0;7?i"
LOGGING 0-r no K_j7^9#
LOGGING = no
4. time 0-r TIME2 H$&MKT87^9#
time = TIME2
5. {8N(sHj<r3asH=9k+04K|n7F"input 0-NM,8_7
J$h&K7F/@5$#IAiN}!rHQ9klgKb",WJ=.G"k
8`~O+i Event Translator ,I_hjrTCF$k3HrN'7F/@5
$#
# input=somefile
m: 3NMrXj7F*/3HG"HiVk7e<F#s0N\*KHQ9k3
H,G-^9#
6. U!$kr]I7^9#
Tivoli Enterprise Console Logfile �������������
Event Translator ��
Event Translator r"Tivoli Enterprise Console Logfile "@W?<,HQ5lk=.
K9kKO"J<NnHrT$^9#
m: =.*W7gsN\YKD$FO" 124Z<8NXEvent Translator =.*W7
gsY r2H7F/@5$#
1. Tivoli Enterprise Console Logfile "@W?<rGWm$asHQ^7sK$s9
H<k7^9#
2. F-9H&(G#?<G Event Translator =.U!$kr+$F"RMEIF 0-
r no K_j7^9#
RMEIF = no
3. ,WK~8F"PCU!<0-r_j7^9#
4. LOGGING 0-r yes K_j7^9#
LOGGING = yes
5. time 0-r TIME2 K_j7^9#
time = TIME2
6. Tivoli Enterprise Console Logfile "@W?<GbK?<5lkU!$k,Xj5
lkh&K output 0-r_j7^9#c:
output = /tmp/out.txt
3NU!$kO"Tivoli Enterprise Console Logfile "@W?<rbK?<9kh
&K_j5l?U!$kH1lNU!$kGJ1lPJj^;s#
7. {8N(sHj<r3asH=9k+04K|n7F" input 0-NM,8_
7J$h&K7F/@5$#IAiN}!rHQ9klgKb",WJ=.G
"k8`~O+i Event Translator ,I_hjrTCF$k3HrN'7F/
@5$#
m: 3NMr_j7F*/3HG"HiVk7e<F#s0N\*KHQ9k
3H,G-^9#
8. U!$kr]I7^9#
9. F-9H&(G#?<G"Tivoli Enterprise Console Logfile "@W?<=.U!
$kr+-^9#
Windows NT 4.0 and Windows 2000
%TECADHOME%\etc\tecad_logfile.conf
UNIX platforms
$TECADHOME/etc/tecad_logfile.conf
10. bK?<P]NU!$k,Xj5lkh&K"(sHj< LogSources rT8
(^?OIC) 7^9#c:
LogSources=/tmp/out.txt
11. Tivoli Enterprise Console Logfile "@W?<=.U!$kGHQD=J=.*W
7gsO"[+Kb"j^9#3liN*W7gsN\YKD$FO"VTivoli
Enterprise Console "@W?<¥,$IWr2H7F/@5$#
Tivoli Risk Manager Event Integration Facility ����� ��
�������
U)<^CHjAU!$k+i Tivoli Risk Manager Event Integration Facility CDS
U!$k (rmad.cds) r8.9kKO"riskmgr_gencds "Wj1<7gs&D<
krHQ7^9#
On Windows NT 4.0 and Windows 2000:
1. 3^sI&WmsWH+i"J<N3^sIr/T7^9#
copy path-to-am41log.fmt %RMADHOME%\etc\rmad.fmt
2. {8NU)<^CHjAU!$kreq-9k+I&+NN'raakWmsW
H,P5l?i"yes r~O7^9#
3. !N3^sIr/T7^9#
%RMADHOME%\bin\riskmgr_gencds %RMADHOME%\etc\rmad.fmt > %RMADHOME%\etc\rmad.cds
4. Tivoli Risk Manager Event Integration Facility ^?O Risk Manager Client rF
O07^9#
wrmadmin -restart
On UNIX platforms:
1. 3^sI&7'kr+-^9#
2. !N3^sIr/T7^9#
. /etc/Tivoli/rma_eif_env.sh
cp path-to-am41log.fmt $RMADHOME/etc/rmad.fmt
3. {8NU)<^CHjAU!$kreq-9k+I&+NN'raakWmsW
H,P5l?i"yes r~O7^9#
4. !N3^sIr/T7^9#
$RMADHOME/bin/riskmgr_gencds $RMADHOME/etc/rmad.fmt > $RMADHOME/etc/rmad.cds
5. Tivoli Risk Manager ^?O Risk Manager Client rFO07^9#
wrmadmin -restart
%RMADHOME%¥etc¥rmad.conf U!$k (Windows NT 4.0 *hS Windows 2000 Nl
g)"^?O %RMADHOME%/etc/rmad.conf U!$k (UNIX WiCHU)<`Nlg)
GHQD=J*W7gsO"[+Kb"j^9#3liN*W7gsN\YKD$
FO"VIBM Tivoli Risk Manager f<6<:&,$IWr2H7F/@5$#
Tivoli Enterprise Console Logfile ���������� ���
������
U)<^CHjAU!$k+i Tivoli Enterprise Console "@W?<QN CDS U!
$k (tecad_logfile.cds) r8.9kKO"logfile_gencds "Wj1<7gs&D
<krHQ7^9#
On Windows NT 4.0 and Windows 2000:
1. cmd WmsWH+i"J<N3^sIr/T7^9#
copy path-to-am41log.fmt %TECADHOME%\etc\C\tecad_win.fmt
2. {8NU)<^CHjAU!$kreq-9k+I&+NN'raakWmsW
H,P5l?i"yes r~O7^9#
3. J<N3^sIr/T (1 TG~O) 7^9#
%TECADHOME%\bin\win_gencds %TECADHOME%\etc\C\tecad_win.fmt > %TECADHOME%\etc\tecad_win.cds
4. "@W?<rFO07F/@5$#
%TECADHOME%¥etc¥tecad_logfile.conf U!$kGHQD=J=.*W7gsO"[
+Kb"j^9#3liN*W7gsN\YKD$FO"VTivoli Enterprise
Console "@W?<¥,$IWr2H7F/@5$#
On UNIX platforms:
1. 3^sI&7'kr+-^9#
2. !N3^sIr/T7^9#
cp path-to-am41log.fmt $TECADHOME/etc/C/tecad_logfile.fmt
3. {8NU)<^CHjAU!$kreq-9k+I&+NN'raakWmsW
H,P5l?i"yes r~O7^9#
4. J<N3^sIr/T (1 TG~O) 7^9#
$TECADHOME/bin/logfile_gencds $TECADHOME/etc/C/tecad_logfile.fmt > $TECADHOME/etc/tecad_logfile.cds
5. "@W?<rFO07F/@5$#
$TECADHOME/etc/tecad_logfile.conf U!$kGHQD=J=.*W7gsO"[
+Kb"j^9#3liN*W7gsN\YKD$FO"VTivoli Enterprise
Console "@W?<¥,$IWr2H7F/@5$#
Tivoli Enterprise Console Logfile ��������
Tivoli Enterprise Console Logfile "@W?<O"Tivoli Risk Manager 5<P<^?
O Tivoli Risk Manager Client ,$YsHN>whKJkh&K=.9k,W,"j
^9#3Nh}O"Tivoli Enterprise Console "@W?<¥,$I Krb5lF$^
9#
Tivoli Risk Manager Event Integration Facility ���
Tivoli Risk Manager Event Integration Facility O"Tivoli Risk Manager 5<P<^
?O Tivoli Risk Manager Client ,$YsHN>whKJkh&K=.9k,W,"
j^9#\YKD$FO"VTivoli Risk Manager f<6<:&,$IWr2H7F
/@5$#
Tivoli Risk Manager 3.8 ���������� ����
�����
Tivoli Risk Manager P<8gs 3.8 f<6<Nlg"Tivoli Risk Manager 5<P
<Nk<k&Y<9r generic.baroc U!$k*hS
sensor_abstract_supp.baroc U!$kG979kKO"J<NIC9FCWrBT
9k,W,"j^9#
1. U!$k generic.baroc *hS sensor_abstract_supp.baroc r
$BINDIR/RISKMGR/corr/tec K3T<7^9#
2. generic.baroc r $BINDIR/RISKMGR/corr/riskmgr_baroc.lst U!$kKIC7
F"j9HbNGeN(sHj<K7^9#
m: 3liN(sHj<NgxOEWG9#generic.baroc O"j9HbG
sensor_abstract.baroc N<KV/,W,"j^9#
3. sensor_abstract_supp.baroc rU!$k
$BINDIR/RISKMGR/corr/riskmgr_baroc.lst K"sensor_abstract.baroc N<N
GiN(sHj<H7FIC7^9#
m: 3liN(sHj<NgxOEWG9#sensor_abstract_supp.baroc O"
sensor_abstract.baroc N<G"+D>N9YFN(sHj<NeKV/,
W,"j^9#
4. GiK3^sI&7'kG Tivoli D-rps;H7F2H7F"{8Nk<
k&Y<9r977^9#bash 3^sIrBT7F"bash 3^sI&7'kr
~O7^9#3^sI¥WmsWHG"G#l/Hj< $BINDIR/RISKMGR/corr
K\07"!N3^sIrBT7^9#
./rmcorr_cfg -update
Tivoli Enterprise Console 5<P<,d_7?e"5oKF+7^9#
m: "@W?<O"3liN baroc U!$kKM89k?a"baroc U!$kO
Tivoli Risk Manager k<k&Y<9NltH7F57/=.5lF$J1l
PJj^;s#Tivoli Risk Manager ^7seG"m0¥U!$k¥"@W?<
+i$YsHru1hkH-K=8(i<,/89klgO"3NU!$k
,8_7J$+"57/=.5lF$J$D=-,"j^9#k<k&Y<
9N97N\YKD$FO"VTivoli Risk Manager f<6<:&,$IWr
2H7F/@5$#
���� ������������
"@W?<&3s]<MsHr=.7Fn05;?e"J<NF9HrHQ7F"
}g,57/0n7F$k3HrN'7F/@5$#
1. Tivoli Access Manager G"m0&aC;<8r8.7^9#3lO"WebSEAL
XNm0$s (.y^?OT.y) NnTH1MKFWKT&3H,G-^9
(pdacld , WebSEAL F:$YsHrm0K-?9kh&=.5lF$klg)#
2. Tivoli Enterprise Console Logfile "@W?<,"$YsHNbK?<*hS>w
rT&=.KJCF$F"7+bGPC0&b<IGO05lklg ( 122Z<
8NX"@W?<I}?9/Yr2H)"=N"@W?<G$YsHr0g5;
k,W,"j^9#
3. Tivoli Risk Manager Event Integration Facility r$YsH>wKHQ9kKO"
=N]K Tivoli Risk Manager Event Integration Facility G<bs,T/7F$J
1lPJj^;s ( 122Z<8NX"@W?<I}?9/Yr2H)#
4. Tivoli Risk Manager 5<P<K$YsH,~e9k3HrN'7^9#
�3 �7����
eN^O"$YsHN5?*JUm<r(7?bNG9#$YsH&=<9+i
Tivoli Enterprise Console Reception ^GNQ9KO"J<N 2 Lj,M(il^
9#
v $YsH * A * B * C * D * Tivoli Enterprise Console Reception
v $YsH * A * E * F * Tivoli Enterprise Console Reception
$YsH,INQ9rhk+O"Event Translator N=.K~8F[Jj^9#3N
;/7gsGO"=<9Khk$YsHPO, Tivoli Enterprise Console Reception
K5oK~e7J$lgNHiVk7e<F#s0KD$Frb7^9#J<N;
/7gsrI`]KO"eN^r2H7F/@5$#
A O@GN$YsHh}NBTN'
A O@K$YsH,~e7J$lg"J<N 2 DN6x,M(il^9#
v Tivoli Access Manager Authorization Server ,"Event Translator XNQ$Wrp
7FPOrO9?aN,ZJ=.KJCF$J$#
v Tivoli Access Manager 3s]<MsH,$YsHr8.7J$#
Figure 8. Flow of Tivoli Access Manager events
pdacld Nm.s0,5oKn07F$k3HrN'7F/@5$#(Q$WNeoj
K) U!$kKm0rPO9kh&K pdacld rF=.7F"m0PO,U!$kK
u.5lF$k3HrN'7F/@5$#pdacld N=.h}KD$FO"VIBM
Tivoli Access Manager 4.1 Base Administration GuideWK\7/rb5lF$^9#
B O@GN$YsHh}NBTN'
B O@K$YsH,~e7F$J$lg"Event Translator ,57/=.5lF$J
$?a"U!$kXNq-~_,TolF$^;s#
Event Translator =.U!$kbKJ<N0-,_j5lF$k3HrN'7F/@
5$#
LOGGING = yes
output = file
Event Translator =.U!$kbGO"MNg8z.8z,hL5l^9#=N?
a"YES ^?O Yes H$&MO"PO0-H7FT,ZG9#PO0-bKXj5
l?U!$kXNq-~_"/;9,vD5lkh&K",ZJvDr*Zl<F
#s0&79F`G_j9kh&K7F/@5$#Tivoli Access Manager
Authorization Server ," -f Ui0U-NjjN=.U!$krHQ9k?aN,
ZJ=.KJCF$k+I&+bN'7F/@5$# 114Z<8NXEvent
Translator N$s9H<kYr2H7F/@5$#
C O@GN$YsHh}NBTN'
Tivoli Enterprise Console Logfile "@W?<,T/7F$k3HrN'7^9#T/
7F$klgO""@W?<rd_7F=.r!:7F/@5$#bK?<P]N
U!$k,"Event Translator Nq-~_hU!$kH1lNU!$kG"k3Hr
N'7^9#PO0-bKXj5l?U!$kXNI_hj"/;9,vD5lk
h&K",ZJvDr*Zl<F#s0&79F`G_j9kh&K7F/@5
$#Tivoli Enterprise Console 5<P<,$YsHN>whKJkh&K"@W?<
,57/=.5lF$k+I&+bN'7F/@5$#cds U!$k, etc G#l
/Hj<KJ<5l"fmt U!$k, C G#l/Hj< (^?O:v9k@lNG
#l/Hj<) KJ<5lkh&K7^9#3lO"J<Nh&KU!$kG_j
7^9#
Windows NT 4.0 and Windows 2000
%TECADHOME%\etc\tecad_logfile.conf
UNIX
$TECADHOME/etc/tecad_logfile.conf
Tivoli Enterprise Console Logfile "@W?<rFO07F/@5$#Tivoli
Enterprise Console Logfile "@W?<rGPC0&b<IGO07F"$YsHr
0g5;F$k+I&+rA'C/7F/@5$ ( 122Z<8NX"@W?<I}
?9/Yr2H)# Tivoli Enterprise Console Logfile "@W?<N=.N\YO"
VTivoli Enterprise Console "@W?<¥,$IWK-\5lF$^9#
D O@GN$YsHh}NBTN'
Tivoli D-rps;H7F2H7F"Tivoli Enterprise Console Reception K$Ys
H,~e9k3HrN'7^9#!N3^sIr/T7^9#
Windows NT 4.0 and Windows 2000
%SystemRoot%\system32\drivers\etc\Tivoli\setup_env.cmd
UNIX, when using the Bourne shell
. /etc/Tivoli/setup_env.sh
UNIX, when using the C shell
source /etc/Tivoli/setup_env.csh
Tivoli ,ps;H7F57/2H5lF$k3HO"J<NPO (^?O1MNP
O) GN'5l^9#
Tivoli environment variables configured.
!K"Tivoli 3^sI wtdumprl (u.m0N@sW) r/T7^9#Tivoli
Enterprise Console Reception K~e7?$YsH,9YFPO5l^9#
E *hS F O@GN$YsHh}NBTN'
E O@K~e9k$YsHO"Event Translator Nbt!=G9#Tivoli Risk
Manager Event Integration Facility QC1<8,57/$s9H<k5lF$k3H
rN'7^9#Tivoli Risk Manager Event Integration Facility QC1<8r Tivoli
Enterprise Console Reception 5<P<K$YsHr>w9k=.K7F/@5$#
Tivoli Risk Manager Event Integration Facility KU)<^CHjA,$s9H<k5
lF$k3HrN'7F/@5$#
Event Translator , Tivoli Risk Manager Event Integration Facility HNL.fKdj
r!P7?lgO"=N=.Q_(i<PO9Hj<`K(i<,q-~^l^
9#Event Translator ,5oK Tivoli Risk Manager Event Integration Facility HL.
7F$klg"djO Tivoli Risk Manager Event Integration Facility N=.K"j
^9#Tivoli Risk Manager Event Integration Facility G<bs,BT5lF$k3H
rN'7F/@5$ ( 122Z<8NX"@W?<I}?9/Yr2H)#
Event Translator , Event Translator Error Messages U!$kNm<IK:T7?l
g"^?O Event Translator N=.U!$kbKaC;<8&+?m0&U!$k
,Xj5lF$J$lg""Wj1<7gsO(i<&aC;<8rP5:K*;
7^9,"ajMra=/9k3HG"3N6xr=L9k3H,G-^9#<m
J0NajMO"Event Translator btN(i<r(7^9#
�����������
"s$s9H<kN0K""@W?<rd_7F/@5$#
CjNWiCHU)<`&?$WNQC1<8r"s$s9H<k9klgO"L
oN79F`&D<krHQ7^9#
v Solaris Nlg"pkgrm rHQ7F/@5$#c:
pkgrm RMAM
v AIX Nlg"smit rHQ7F/@5$#
v Windows Nlg"V3sHm<k QMkWNVWm0i`NICHo|WrH
Q7^9#
Event Translator ,$DGb$YsHrm0K-?9kh&=.5lF$klg
(Event Translator =.U!$kbK output 0-,Xj5lF$F"LOGGING 0-
, yes K_j5lF$klg)"3liNU!$kro|7F*/,W,"j^9#
Event Translator KF:m0&aC;<8r>w7J$h&K"f{N Tivoli Access
Manager Authorization Server rF=.7F/@5$#
f{N Access Manager Authorization Server KF:m0&aC;<8r>w7J$
h&K"FoN"/;9&^M<8c<&3s]<MsHrF=.7F/@5$#
Tivoli Risk Manager 3.8 ������������� �
��������
Tivoli Risk Manager 3.8 Nf<6<O"Tivoli Risk Manager 3.8 Q"@W?<r|
n9k]"!NICnHrB\9k,W,"j^9#Tivoli Risk Manager 4.1 f<
6<O"3liN9FCWrJ,G-^9#
J<N9FCWrBT9k]KO"k<k&Y<9Km<I5lk generic.baroc
U!$kKM89k"@W?<NfK"Risk Manager 3.8 5<P<r$YsHw.
hH9k"@W?<,>Kb"k+"v0K=G7F*/,W,"j^9#=Nh
&J"@W?<,8_9klgO"!NnHrB\7J$G/@5$#
1. U!$k $BINDIR/RISKMGR/corr/riskmgr_baroc.lst +i(sHj<
generic.baroc r|n7^9#
2. U!$k $BINDIR/RISKMGR/corr/riskmgr_baroc.lst +i(sHj<
sensor_abstract_supp.baroc ro|7^9#
3. ���� $BINDIR/RISKMGR/corr/tec/generic.baroc r79F`+ij0Go|
7^9#
4. ���� $BINDIR/RISKMGR/corr/tec/sensor_abstract_supp.baroc r79F`
+ij0Go|7^9#
5. GiK3^sI&7'kG Tivoli D-rps;H7F2H7F"{8Nk<
k&Y<9r977^9# bash 3^sIrBT7F"bash 3^sI&7'k
r~O7^9# $BINDIR/RISKMGR/corr G#l/Hj<XJS2<H7F"J<
N3^sIrBT7^9#
./rmcorr_cfg -update
Tivoli Enterprise Console 5<P<,d_7?e"5oKF+7^9#
����������
Event Translator ���
J<N Event Translator 3^sIO"5]<H5lF$k9YFNWiCHU)<
`eGBT5l^9#
Event Translator �#�*8�.9��
Event Translator r -v *W7gsU-GBT7^9#
evttrans -v
Event Translator ���������
Event Translator r -h ^?O -? *W7gsU-GBT7^9#
evttrans -h
evttrans -?
Event Translator �$�����&��
djGGKHQD=JU!$kK(i<rw.9kh&"Event Translator r=.G
-^9#
Tivoli Risk Manager Event Integration Facility &�'���
Tivoli Risk Manager Event Integration Facility &�'����
���
Windows NT 4.0 and Windows 2000
%RMADHOME%\bin\wrmadmin -info
UNIX platforms
/opt/RISKMGR/bin/wrmadmin -info
m: LoO"Tivoli Access Manager $YsHHloK Event Translator ,iaF/
05lk^GO"Tivoli Risk Manager Event Integration Facility G<bsOBT
5l^;s#
Tivoli Risk Manager Event Integration Facility &�'���
Windows NT 4.0 and Windows 2000
%RMADHOME%\bin\wrmadmin -restart
UNIX platforms
/opt/RISKMGR/bin/wrmadmin -restart
Tivoli Risk Manager Event Integration Facility &�'���
Windows NT 4.0 and Windows 2000
%RMADHOME%\bin\wrmadmin -kill
UNIX platforms
/opt/RISKMGR/bin/wrmadmin -kill
Tivoli Risk Manager !��"���������
Tivoli Enterprise Console Logfile ��������
79F`&m.s0&G<bsNfGrsr9k?aKO"Tivoli Enterprise
Console Logfile "@W?<r -s *W7gsU-GO09kh&*+a7^9#
Windows NT 4.0 and Windows 2000
%TECADHOME%\bin\init.tecad_logfile -s start
UNIX platforms
$TECADHOME/bin/init.tecad_logfile -s start &
&#���'���� Tivoli Enterprise Console Logfile ��������
Windows NT 4.0 and Windows 2000
%TECADHOME%\bin\init.tecad_logfile -s -d start
UNIX platforms
$TECADHOME/bin/init.tecad_logfile -s -d start &
m: Tivoli Enterprise Console Logfile "@W?<G$YsHr0g5;k4HK"
Logfile "@W?<,O05l?3s=<kK"aC;<8,w.5l^9#
Tivoli Enterprise Console Logfile ��������
Windows NT 4.0 and Windows 2000
%TECADHOME%\bin\init.tecad_logfile -s stop
UNIX platforms
$TECADHOME/bin/init.tecad_logfile -s stop
m: Logfile "@W?<NO0~K -s *W7gsrHQ7?lgO"-s *W7gsN_rHQ7F Logfile "@W?<rd_7F/@5$#
Event Translator ����� ���
Event Translator ,U!$kXNPOrT&h&=.5lF$klg (Event
Translator =.U!$kbK output 0-,Xj5lF$F"LOGGING 0-, yes
K_j5lF$klg)"POU!$k,}g7FTvJ5$:KJj"9GKh}
5l?ps,hj~^lk3H,"j^9#3Nlg""<-F/Ac<rd_7
FU!$kro|7F+i""<-F/Ac<rFO07F/@5$#
��������
Event Translator �����8
5sWkN Event Translator =.F-9H&U!$k (evttrans.conf) O"}gQ
C1<8KPsIk5l^9#
J<NHTC/GO"Event Translator =.U!$kN=.*W7gsKD$Fb@
7^9#
m: =.U!$kbtGO"TbNur8z,5k5l"MNg8z.8z,hL
5l^9#Tr3asH=9kKOOC7eV#W8zrHQ7^9#
input
input 0-KO"Event Translator ~OG<?Nljr=.7^9#Q$Wrp7?
pdacld Nm.s0GO"3N*W7gsrXj7J$G"GU)kHMG"k
stdin (standard input) ,HQ5lkh&K7F/@5$#HiVk7e<F#s0
N\*KO">N~O=<9rXjG-^9#
Example:
# This entry will cause the Event Translator to read input from
# the file somefile.txt. If the file somefile.txt
# is unable to be opened the default value (standard input) is used.
input=somefile.txt
# This entry is commented such that input assumes
# its default value of standard input (stdin).
# This is the recommended configuration for pdacld
# logging via a pipe to the Event Translator.
#input=ignorethis
output
output 0-KO"Event Translator POG<?Nljr=.7^9# Tivoli
Enterprise Console Logfile "@W?<r$YsH>wN\*KHQ7F$klg"
output 0-r"Tivoli Enterprise Console "@W?<NbK?<P]H7F=.5
lF$kU!$kH1lNU!$kK_j9k,W,"j^9#LOGGING 0-,
yes K_j5lF$J$lg"3N*W7gsO5k5l^9#GU)kHMG"k
stdout (8`PO) O"output N~OrJ,9k3HKhCFXjG-^9#GU)
kHMO"HiVk7e<F#s0N\*KN_Q$k3H,G-^9#
c:
# This entry will cause the Event Translator to write output
# to the file somefile.txt
output=somefile.txt
# This entry is commented such that output assumes its default
# value of standard output (stdout).
#output=ignorethis
error
error 0-KO"Event Translator ,(i<rq-~`ljr_j7^9#Mr~O
7J$lg"GU)kHMG"k stderr (8`(i<) ,Xj5l^9#
c:
# This entry will cause the Event Translator to write
# error information to the file somefile.txt
error=somefile.txt
# This entry is commented such that error output assumes
# its default value of standard error (stderr).
#error=ignorethis
LOGGING
LOGGING 0-O"Event Translator +i Tivoli Risk Manager Logfile "@W?<
rp7?$YsH>wrHQD=^?OHQTDK7^9#Mr~O7J$lg"
GU)kHMG"k no ,Xj5l^9#-zMO yes H no G9#
c:
# This entry will cause the Event Translator to send
# events to a file to be monitored by the
# TEC Logfile Adapter.
LOGGING=yes
# This entry is commented such that LOGGING assumes
# its default value of no.
# LOGGING=yes
RMEIF
RMEIF 0-O" Event Translator +i Tivoli Risk Manager Event Integration
Facility rp7?$YsH>wrHQD=^?OHQTDK7^9#MrXj7J$
lg"GU)kHMG"k yes ,HQ5l^9#RMEIF NMO yes H no G9#
c:
# This entry will cause the Event Translator not to
# send events via RMEIF.
RMEIF=no
# This entry is commented such that RMEIF assumes
# its default value of yes.
#RMEIF=no
RMEIF-retry-interval
RMEIF-retry-interval 0-KO"V`w,G-F$^;s (not ready)W^?OV+
Of (starting)WNuVNH-K Tivoli Risk Manager Event Integration Facility rp
7F$YsHNw.rFnT9k~VH (C) rXj7^9#Mr~O7J$lg"
GU)kHMG"k 0 ,Xj5l^9#RMEIF 0-,-zHJk?aKO"3N
0-M, yes (GU)kHO yes) G"RMEIF-max-retries NMO 0 hjg-$M
,,WG9#
c:
# This entry will cause the Event Translator to
# retry sending events via RMEIF
# every 2 seconds if they are unsuccessful.
RMEIF-retry-interval=2
# This entry is commented such that RMEIF-retry-interval
# assumes its default value of 0.
# RMEIF-retry-interval=2
RMEIF-max-retries
RMEIF-max-retries 0-KO"V`w,G-F$^;s (not ready)W^?OV+O
f (starting)WNuVNH-K Event Translator , Tivoli Risk Manager Event
Integration Facility rp7F$YsHN>wrFnT9kGgstrXj7^9#M
r_j7J$lg"GU)kHMG"k 0 ,HQ5l^9#3N0-M, yes (G
U)kHO yes) NH-" RMEIF 0-,-zHJj^9#
c:
# This entry will cause the Event Translator to retry
# sending events via RMEIF a maximum of 20 times.
RMEIF-max-retries=20
# This entry is commented such that RMEIF-max-retries
# assumes its default value of 0.
#RMEIF-max-retries=20
messages-file
messages-file 0-KO"aC;<8&U!$kNljrjA7^9#aC;<
8&U!$k,Xj5lF$J$lg"^?OU!$kr+/H-K(i<,/8
7?lgKO"(i<&aC;<8,=(5l^;s#
c:
# This entry will cause the Event Translator to
# read messages from a file in the location
# /opt/PolicyDirector/bin/messages.cat
messages-file=/opt/PolicyDirector/bin/messages.cat
# This entry is commented such that no messages file is
# specified. No error messages will be seen.
#messages-file=ignore
buffer
buffer 0-KO"Event Translator , pdacld +iPONFTrI_hkPCU!<
N5$:r_j7^9#3N5$:O"pdacld KhCF8.5l?"m0PONT
NGg9NdjMH7FXj9kN,G,G9#djM,"pdacld G8.5l?m
0PONGg9Ky7$lg"^?OGg9ro:+KesklgK"GINQU
)<^s9,/x5l^9#djM,Gg9N>,^?O=lr<sC?lgO"
QU)<^s9K-FA,ZS^9#MO 1 Je,-zG9#0-NGU)kHO
512 G9#
c:
# Specifying 1024 characters as the maximum length of a
# line of output from pdacld.
buffer=1024
# This line is commented such that the buffer assumes
# its default value of 512 characters length.
#buffer=128
� 12 � Enterasys Dragon �������
3N8qKO"!N;/7gs,^^lF$^9#
v X"@W?<N5WY
v 130Z<8NXEnterasys Dragon Bundle 5bY
v 131Z<8NXEnterasys Dragon "@W?<N5bY
v 133Z<8NX$s9H<kY
v 136Z<8NX=.Y
v 139Z<8NXTivoli Risk Manager Format File UtilityY
v 142Z<8NX5sWk&7Jj*Y
v 148Z<8NX=N>NmUv`/djY
��������
Tivoli Risk Manager Adapter for the Enterasys Dragon Alarmtool Agent O"Enterasys
Dragon Intrusion Detection ;s5<KhCF!P5l?B]N/~$YsH*hS
/~HM(ilk$YsHr Tivoli Enterprise Console $YsHK^CW7^9#
3liN Tivoli Enterprise Console $YsHO"Tivoli Enterprise Console 5<P<
*hS3s=<kKhCFjX*hS=(9k3H,G-^9#3lKhj"Tivoli
Enterprise Console 5<P<*hS3s=<kO"Enterasys Dragon ;s5<,!P
9k$UN/~$YsHN=("0}"hVrT&f4*Jj]8Hj<*hS5
<P<HJk3H,G-^9#
3N"@W?<O"MCHo</G Enterasys Dragon Bundle rBT7F$klgK
$s9H<kG-^9#
��������������
9YFN Dragon /~!N$YsHrhj~`?a"f4N Dragon DPM 3s]<
MsHH EFP 3s]<MsHO"Tivoli Risk Manager "@W?<,8_9k[9
HKV/,W,"j^9#!N=O""@W?<,5]<H5lF$k*Zl<F
#s0&79F`r(7^9#3liN*Zl<F#s0&79F`N)sO
Dragon ;s5<K,Q5lJ$NGmU7F/@5$#
Enterasys Dragon Q Tivoli Risk Manager "@W?<O"#tN*Zl<F#s0&
79F`G5]<H5lF$^9#
= 14. 5]<HP]WiCHU)<`
Enterasys Dragon QN"@W?<
HbK$s9H<k5lk
3s]<MsH
Solaris 7 Solaris 8 Linux
Tivoli Risk Manager Agent
(Transport)
X X
Red Hat 7.2
Tivoli Enterprise Console "@W?< X X X
Red Hat 7.2
Tivoli Risk Manager Adapter for Enterasys Dragon "@W?<O"Tivoli Risk
Manager P<8gs 4.1 *hS Tivoli Risk Manager P<8gs 3.8 N>}H"0
9kh&_W5lF$^9#
Risk Manager P<8gs 3.8 rHQfN*RMO"Tivoli Risk Manager k<k&
Y<9rU!$k generic.baroc *hS sensor_abstract_supp.baroc H&K@&
sm<I7"979k,W,"j^9#3liNU!$kO&K"Tivoli Risk
Manager N5]<H Web 5$H+i~jD=J Enterasys Dragon "@W?<&Q
C1<8K^^lF$^9#3N 2 DNU!$kO"3liN"@W?<N Risk
Manager 3.8 HNe}_9-r5]<H7^9#Tivoli Risk Manager 3.8 k<k&
Y<9N97KD$FNpsO"VIBM Tivoli Risk Manager f<6<:&,$I
P<8gs 3.8Wr2H7F/@5$#
Tivoli Risk Manager P<8gs 4.1 rHQfN*RMO"Tivoli Enterprise Console
5<P<N97rT&,WO"j^;s#k<k&Y<9O3N"@W?<r5]
<H9kh&GU)kHG57/=.5l"3liNU!$kK^^lF$k,W
J$YsH&/i9jAr^sG$^9#
Enterasys Dragon Bundle ��
The Enterasys Dragon 5.0 Bundle O"Enterasys Intrusion Detection Software =je
<7gsr=7^9#Dragon Bundle KO";s5<"$YsH&Um<&Wm;
C5<JEvent Flow Processors: EFP)"Dragon (<8'sH"Dragon ]j7<&^
M<8c (Dragon Policy Manager: DPM) N 4 DN3s]<MsH,"j^9#!K
(9NO"Dragon 3s]<MsHN5,b@G9#3liN3s]<MsHKD$
FN\YO"Enterasys Dragon N Web 5$H+i~jG-^9#
;s5<O"Dragon Squire H7FNilF$k HIDS QH"Dragon Sensor H7F
NilF$k NIDS QN 2 o`N_G9#Dragon Squire O"l"N70KAc<
H=.KpE$F[9H&79F`N"/F#SF#<rFk7^9#Dragon
Sensor O"l"N70KAc<HMCHo</_jKpE$FMCHo</N"/
F#SF#<ru0*KFk7^9#;s5<NrdO"79F`^?Om0&U
!$k+i""k$O=NrdKhCFOMCHo</+i"$C)N/~$Ys
H&G<?r!P7"Dragon $YsHr DPM ^?O EFP KA#9k3HG9#
EFP O"1 DJeN;s5<+i$YsHru.7^9#3liN$YsHO"L
N EFP K>w9k3Hb"Dragon Agent KhCFm<+kKh}9k3Hb">
wHm<+kGNh}N>}rT&3HbG-^9#EFP rMCHo</=.K7
F$YsHN8srD=KG-^9#=3GO"=l>lN*RM,+,NMCH
o</G8.5l?$YsHN=(Hh}N_T&3H,G-"I}P];-ej
F#<&WmP$@<O"9YFN*RMNMCHo</KhCF8.5lk$Y
sHN=(Hh}rT&3H,G-^9#
Dragon (<8'sHKO 5 o`"j"=l>l,H+Nrdr}CF$^9#!
N(<8'sH,"j^9#
v Dragon G<?Y<9&(<8'sH
v MD5Sum (<8'sH
v #=(<8'sH
v Alarmtool Agent
v (/9]<H&m0&(<8'sH
$YsH, EFP eK8s5lk?a"(<8'sHO=l>lN$YsHKP7F
H+Nh}rT&3H,G-^9#^?"Enterasys Dragon "@W?<O"
Alarmtool Agent rHQ7^9#Alarmtool Agent O"CjN$YsHN/8K~8
F"i<Hr8.9k?aKHQ5l^9#
Dragon ]j7<&^M<8c (Dragon Policy Manager: DPM) O";s5<N]j
7<Hu7rI}9k?aKHQ5l^9#DPM Khj"70KAc<&i$Vi
j<dMCHo</_jJIN;s5<=.N@YrQ99k3H,G-"3li
N77$=.rEf=5l?\3rL8FI}P];s5<K@&sm<IG-^
9#3liNQ9O9YF"DPM GUI H7FNilF$k Web 3sFsD+i
Tol^9#DPM GUI O"Dragon =UH&'"KPsIk5lF$^9#
Enterasys Dragon ��������
!N^O"Enterasys Dragon Q"@W?<N3s]<MsH&"<-F/Ac<r
(7F$^9#^fNVTECWO"Tivoli Enterprise Console rX7F$^9#
Tivoli Risk Manager Adapter for Enterasys Dragon O"!NWG+i=.5l^9#
v Tivoli Enterprise Console UNIX Logfile "@W?<
v Tivoli Enterprise Console "@W?<&5]<H&U!$k (fmt U!$k)
v Dragon 70KAc<&U!$k+i"@W?<&U)<^CH&U!$kr=[
9k?aKHQ5lk Risk Manager Format File Utility
v i|N Dragon 70KAc<&U!$k2+i=[5l?U)<^CH&U!$
k2
Dragon $YsH, Tivoli Enterprise Console UNIX Logfile KxQD=KJkNO"
Dragon Alarmtool Agent ,=l>lN Dragon $YsHN79F`&m0&(sH
j<rn.9kH-G9#
Tivoli Risk Manager "@W?<&U)<^CH&U!$k dragon_xxx.fmt (33
G" xxx OG-N9Hjs0r=9) Khj""@W?<O=l>lN Dragon $
YsHKP7F!Nh}rT&3H,G-^9#
v 79F`&m0&U!$k+iI_hk Enterasys Dragon 79F`&m0&(s
Hj<NU)<^CHrjA9k#
v F79F`&m0&(sHj<H Tivoli Risk Manager $YsH&/i9HrM
-go;"P~9k Tivoli Risk Manager $YsH&/i90-ri|=7Fj
XH"<+$VrD=K9k#
Tivoli Risk Manager "@W?<&U)<^CH&U!$k dragon_xxx .fmt (33G
xxx O"G-N9Hjs0) O"Alarmtool Agent N syslog (sHj<NU)<^
CHrjA7^9#3NU!$kKhj""@W?<O=l>lN Dragon $Ys
HKP7F!Nh}rBTG-^9#
v F syslog (sHj<H Tivoli Risk Manager $YsH&/i9HrM-go;"
P~9k Tivoli Risk Manager $YsH&/i90-ri|=7FjXH"<+
$VrD=K9k#
v F79F`&m0&(sHj<Npsr"Tivoli Enterprise Console 5<P<H_
9-,"k$YsHNU)<^CHKQ99k#
Tivoli Risk Manager "@W?<O"BAROC U!$k generic.baroc rHQ7^
9#3NU!$kO"Dragon $YsHN79F`&m0&(sHj<r Tivoli Risk
Manager $YsHKQ99kH-KHQ9k$YsH&/i9rjA7^9#3N
U!$kO"Tivoli Risk Manager 5<P<N$s9H<k&QC1<8NltH7
F^^lF*j"Tivoli Enterprise Console k<k&Y<9NltH7F+0*Km
<I5l^9#generic.baroc bGjA5l?9YFN$YsH&/i9O"
riskmgr.baroc *hS sensor_abstract.baroc GjA5lF$k Tivoli Risk
Manager $YsH&/i9KpE/bNG9#
Enterasys Dragon Bundle HN04J}g, Tivoli Risk Manager "@W?<KhC
FB=7F$k?a"Dragon KhCF8.5lk9YFN/~!N$YsHrHi
CW7"Tivoli Risk Manager $YsHH7F Tivoli Enterprise Console *hS
Tivoli Risk Manager5<P<Kw.G-^9#Dragon Alarmtool Agent Khj"
Dragon $YsHr"i<HH7F==G-^9#3liN"i<HO"79F`&
m0&U!$kNm0&(sHj<G9#"i<H,79F`&m0&U!$kK
^ 9. Enterasys Dragon QN Tivoli Risk Manager "@W?<'
-?5lkH"Tivoli Risk Manager "@W?<O3liN$YsHr Tivoli Risk
Manager $YsHH7Fhj~_"Tivoli Risk Manager/Tivoli Enterprise Console 5
<P<KA#7^9#$YsHO Tivoli Risk Manager jXKxQD=G"Tivoli
Enterprise Console rHQ7F=(5l^9#3lKhj"Tivoli Risk Manager O8
f5<P<H7F!=7"Dragon Bundle IDS =UH&'"KhCF!P5lk9
YFN/~6brhj~`3H,G-^9#
����
���� ��
Tivoli Risk Manager Adapter for Enterasys Dragon r$s9H<k7F=.9k0
K"!NnHrB\7F/@5$#
1. Enterasys Dragon Bundle ,MCHo</K$s9H<k5lF$k3HrN'7
^9#f4HJk Dragon DPM 3s]<MsH*hS Dragon EFP 3s]<M
sHr^`[9HN[9H>HMCHo</&"Il9rN'7F/@5$#^
?"Dragon Alarmtool Agent N=.N?aK"MCHo</G9YFN Dragon
;s5< (Dragon Squire H Dragon Sensor) K?(ilF$k;s5<>bN'
9k,W,"j^9#Dragon ;s5<N?>8`O"Dragon Squire NlgO
hostname-hids"Dragon Sensor NlgO hostname-nids G9#$s9H<kH
=.NjgKD$FO"VDragon 5.0 - Install GuideWr2H7F/@5$#
2. Tivoli Risk Manager 5<P<H=N0sroHJk=JrMCHo</bN[
9HK$s9H<k7"=.7^9#3N[9HN[9H>HMCHo</&"
Il9rN'7F/@5$#$s9H<kH=.NjgKD$FO"VTivoli
Risk Manager f<6<:&,$IWr2H7F/@5$#
3. eN9FCW 1 GXj7?[9HeK Tivoli Enterprise Console UNIX Logfile
"@W?<r$s9H<k7"=.7F*/,W,"j^9#3N"@W?<
O"f4HJk Dragon DPM 3s]<MsH*hS Dragon EFP 3s]<Ms
H,8_9k[9HeKV/,W,"j^9#$s9H<kH=.NjgKD$
FO"VTivoli Enterprise Console "@W?<&,$IWr2H7F/@5$#
!N;/7gsGO"3N[9HrVDRAGON-HOSTWH=-7^9#
4. ~jD=J Apache NG7P<8gs (^?O IBM HTTP Server) ,
DRAGON-HOST K$s9H<k5lF$k3HrN'7F/@5$#Apache
O"Enterasys Dragon j"k?$`&3s=<kN=.KHQ7^9#
m: IBM HTTP Server O"Risk Manager 4.1 H&KHQ9k?aKs!5lk
bNG"Risk Manager N=J CD K}?5lF$^9#
���� �����
1. DragonRMAdaptor_Install.tar.gz tar U!$kNbFrjP9k3HKhj"
Enterasys Dragon Q IBM Tivoli Risk Manager "@W?<r DRAGON-HOST K
$s9H<k7^9#
"@W?<K,WJ9YFNU!$kHI-easF<7gs,~C?G#l/
Hj< /opt/RISKMGR/DragonRMAdaptor ,n.5l^9#
a. RiskMgrFormatFileUtility_Install.tar.gz tar U!$kNbFrjP7"
Risk Manager Format File Utility K"/;97^9#3N tar U!$k
O"/opt/RISKMGR/DragonRMAdaptor/bin 5VG#l/Hj<bK8_7^
9#
b. DragonAdaptorFormatFiles.tar.gz tar U!$kNbFrjP7"^CWQ_
N Risk Manager U)<^CH&U!$kK"/;97^9#3N tar U!
$kO"/opt/RISKMGR/DragonRMAdaptor/etc 5VG#l/Hj<bK8_7
^9#
2. Risk Manager Format File Utility rHQ7F";-e"JMCHo</bGT/
7F$k9YFN Dragon ;s5<,HQ9k9YFN Dragon 70KAc<&
U!$kQN Tivoli Risk Manager U)<^CH&U!$krn.7^9 (3N
f<F#jF#<N\YH$s9H<kjgKD$FO" 139Z<8NXTivoli
Risk Manager Format File UtilityYr2HK#3lKhj"9YFN Dragon $Y
sHrh}9k3H,G-"NBK"HQfN9YFN Dragon $YsH&70
KAc<,,ZJ Risk Manager $YsH&/i9K^CW5l?3HKJj^
9#^CW5lF$J$$YsH&70KAc<O"GU)kHG"$YsH&
/i9 RMG_NoMapping K_j5l^9#Dragon 70KAc<&U!$kQ
N9YFN Risk Manager U)<^CH&U!$krn.7?e"=N9YFr
Y<9&U)<^CH&U!$k dragon-base.fmt KIC7^9#
3. U!$k dragon-base.fmt NbFrm0&U!$k&U)<^CH&U!$k
tecad_logfile.fmt KIC7^9#Dragon KhCF8.5lk$YsHJ0N
$YsHNhj~_K m0¥U!$k&"@W?<,HQ5lF$J$lgO"
U!$k tecad_logfile.fmt NbFrU!$k dragon-base.fmt NbFKV-
9(k,W,"j^9#$:lNlgb"U!$k tecad_logfile.fmt N3T
<rn.7",WK~8F|5G-kh&K7F*-^9#
4. !N3^sIr (1 TG) ~O7"77$ CDS U!$krn.7^9#
$TECADHOME/bin/logfile_gencds $TECADHOME/etc/C/tecad_logfile.fmt > $TECADHOME/etc/tecad_logfile.cds
D-Qt TECADHOME O"Tivoli Enterprise Console UNIX Logfile "@W?<
N$s9H<k~K*r7?$s9H<k&Q9G9#d)5lk$s9H<
k&Q9O" /usr/tecad G9#
77$ CDS U!$kN8.~K(i<,/87J$3H"*hSm0¥U!$
k&"@W?<,(i<J7G/09k3HrN'7F/@5$#
5. !N3^sIrBT7F Tivoli Enterprise Console UNIX Logfile "@W?<rF
O07^9#
$TECADHOME/bin/init.tecad_logfile stop
$TECADHOME/bin/init.tecad_logfile start &
m:
1. Solaris eG$s9H<k9kH-O"Solaris syslog aC;<8 ID *W7gs
rHQTDK9k,W,"j^9#/kernel/drv/log.conf bK msgid=0 r,
:_j7F*$F/@5$#
2. Risk Manager 4.1 Client ,$s9H<k5lF$klgO"wrmcrtcds f<F
#jF#<rHQ7F"?(il? fmt U!$kNj9H+i1lN fmt U!
$kr=[7"cds U!$kr8.G-^9#3N3^sIN\YKD$FO"
VTivoli Risk Manager f<6<:&,$IWr2H7F/@5$#
Tivoli Risk Manager 3.8 ���������� ����
�����
Tivoli Risk Manager P<8gs 3.8 Nf<6<O"Risk Manager 5<P<eNk
<k&Y<9rU!$k generic.baroc *hS sensor_abstract_supp.baroc G9
79k?aK"!NICnH,,WG9#
1. U!$k generic.baroc *hS sensor_abstract_supp.baroc rG#l/Hj
< $BINDIR /RISKMGR/corr/tec K3T<7^9#
2. generic.baroc rU!$k $BINDIR /RISKMGR/corr/riskmgr_baroc.lst K"j
9HNG*(sHj<H7FIC7^9#
m: 3liN(sHj<NgxOEWG9#generic.baroc O"j9HbG
sensor_abstract.baroc N<KV/,W,"j^9#
3. sensor_abstract_supp.baroc rU!$k $BINDIR
/RISKMGR/corr/riskmgr_baroc.lst K"sensor_abstract.baroc N<NGiN(
sHj<H7FIC7^9#
m: 3liN(sHj<NgxOEWG9#sensor_abstract_supp.baroc O"
sensor_abstract.baroc N<G"+D>N9YFN(sHj<NeKV/,
W,"j^9#
4. GiK3^sI&7'kG Tivoli D-r=<9H7Fhj~`3HKhj"{
8Nk<k&Y<9r977^9#bash 3^sIrBT7F"bash 3^sI&
7'kr~O7^9#3^sI&WmsWHG"G#l/Hj<
$BINDIR /RISKMGR/corr K\07"!N3^sIrBT7^9#
./rmcorr_cfg -update
Tivoli Enterprise Console 5<P<,d_7?e"5oKF+7^9#
m: "@W?<O"3liNU!$k, Risk Manager k<k&Y<9NltH
7F57/=.5lF$k3HK++CF$^9#Tivoli Risk Manager ^7
seG Logfile "@W?<+i$YsHru1hkH-K=8(i<,/8
9klgO"3NU!$k,8_7J$+"57/=.5lF$J$D=-
,"j^9#k<k&Y<9N97N\YKD$FO"VIBM Tivoli Risk
Manager f<6<:&,$IWr2H7F/@5$#
�����������
"@W?<r"s$s9H<k9kKO"J<NnHrT$^9#
1. tecad_logfile.fmt U!$kKIC7? dragon-base.fmt Nt,ro|7"3
NU!$kNbFr|57^9#
2. hK\R7?h&K tecad_logfile.cds U!$kr8.7>7",WJlgO
Tivoli Enterprise Console UNIX Logfile "@W?<rF+7^9#
Tivoli Risk Manager 3.8 ������������� �
��������
Tivoli Risk Manager 3.8 Nf<6<O"Tivoli Risk Manager 3.8 Q"@W?<r|
n9k]"!NICnHrB\9k,W,"j^9#Tivoli Risk Manager 4.1 Nf
<6<O"!NjgrT&,WO"j^;s#
!NnHrB\9k0K"k<k&Y<9Km<I5lF$kU!$k
generic.baroc KM89k>N"@W?<, Tivoli Risk Manager 3.8 5<P<K$
YsHrw.7F$k+I&+rN'9k,W,"j^9#=Nh&J"@W?<
,8_9klgO"!NnHrB\7J$G/@5$#
1. U!$k $BINDIR/RISKMGR/corr/riskmgr_baroc.lst +i(sHj<
generic.baroc ro|7^9#
2. U!$k $BINDIR/RISKMGR/corr/riskmgr_baroc.lst +i(sHj<
sensor_abstract_supp.baroc ro|7^9#
3. U!$k $BINDIR/RISKMGR/corr/tec/generic.baroc r79F`+ij0Go|
7^9#
4. U!$k $BINDIR/RISKMGR/corr/tec/sensor_abstract_supp.baroc r79F`
+ij0Go|7^9#
5. GiK3^sI&7'kG Tivoli D-r=<9H7Fhj~`3HKhj"{
8Nk<k&Y<9r977^9#bash 3^sIrBT7F"bash 3^sI&
7'kr~O7^9#3^sI&WmsWHG"G#l/Hj<
$BINDIR/RISKMGR/corr K\07"!N3^sIrBT7^9#
./rmcorr_cfg -update
Tivoli Enterprise Console 5<P<,d_7?e"5oKF+7^9#
��
����
"@W?<N=.rOak0K"!NnHrB\7F/@5$#
1. DRAGON-HOST K9YFN Dragon (<8'sH,$s9H<k5l"=.5
lF$k3HrN'7^9#3liN(<8'sHKO"Dragon DB Agent"MD5 Sum Agent"Export Log Agent"*hS Real Time Console ,"j^9,"GbEWJNO Dragon Alarmtool Agent G9#
2. qAVDragon 5.0 - Event analysis Consoles and CLI ToolsWGb@5lF$kj
gK>$"DRAGON-HOST eK$s9H<k5lF$k Web 5<P<r
Dragon 3s=<kQK=.7^9#3NnHGO"77$9/jWHL>r$
/D+IC7^9# DRAGON-HOST eN http://localhost/dragon K"/;
97"3s=<k,!=7"xQD=G"k3HrN'7^9#policy
manager"real time console"forensics console"trending console"*hS
alarmtool config XNjs/r^` Enterasys Dragon 3s=<k&Z<8XNj
s/rh@9k,W,"j^9#
�������
"@W?<G#l,WJ=.nHO"Dragon Alarmtool Agent N?aN=.G9#
=.O"Web Y<9N Dragon 3s=<k+i alarmtool.config js/rHQ9
k+"alarmtool.cfg U!$krj0GT89k3HKhCFB\G-^9#3N
qAGO"j0=.Njgrb@7^9#j0=.b"3s=<k+iH18h&
KJ1KT&3H,G-^9#Dragon Alarmtool Agent N\YKD$FO"
VDragon 5.0 - Alarmtool Configuration guideWr2H7F/@5$#3NqAO"
Ys@<N URL +i~jG-^9#3NeK(9jgGO"$DRAGHOME H$&
QtrHQ7F$^9#3lO"DRAGON-HOST eN Dragon Bundle N$s9H<
k&Q9G9#
1. DRAGON-HOSTeG"$DRAGHOME/alarmtool.cfg U!$kN3T<rn.7"=
lrT8N?aK+-^9#
2. !N=8G"filter_dragon_events H$&>0N Alarmtool Agent U#k?<rn
.7^9#
filter filter_dragon_events {
  rule sensor hostname1
  rule sensor hostname2
  rule sensor hostname3
  ...
}
3NU#k?<N\*O"Dragon ;s5<G"k9YFN[9H+i Dragon
KhCF8.5lk9YFN$YsHrhj~`3HG9#rule sensor hostname GU#k?<rn.9kH"Dragon ;s5<N>0K hostname H$&9Hjs0,^^lF$k[9H+i9YFN$YsH,hj~^l^
9#=l>lN Dragon ;s5<&[9HKD$F"=N[9H+i9YFN$
YsHrhj~`77$U#k?<rn.9k,W,"j^9#Dragon ;s5
<N?>8`O"Dragon Squire NlgO hostname-hids"Dragon Sensor Nl
gO hostname-nids G9#IP "Il9rU#k?<`n9kk<kbD=G
9#c(P"rule ip dst 10.123.234.12 O"8h IP "Il9 10.123.234.12
+i9YFN$YsHrhj~_^9#U#k?<N\YKD$FO"Enterasys
N Web 5$H+i~jD=JVDragon Alarmtool Configuration GuideWr2H
7F/@5$#
3. !N=8G"notify_dragon_events H$&>0N Alarmtool Agent notification a
=CIrn.7^9#
notify notify_dragon_events {
  time-period always
  syslog always {
    level alert
    facility user
    message sensor:%SENSOR% SIP:%SIP% DIP:%DIP% EVENT:%NAME% SPORT:%SPORT% DPORT:%DPORT% %DATE% %TIME% %ALERT%
  }
}
3N notification a=CIrHQ9kh&KjA5lF$k9YFN Alarmtool
Agent "i<HN=l>lKD$F""i<HN8.~K79F`&m0Km
0&(sHj<,n.5l^9#aC;<80-NU)<^CHOsoKEWJ
?a"Q97J$G/@5$#
3NU)<^CHrQ99kH"Tivoli Risk Manager Logfile "@W?<,79
F`&m0bNm0&(sHj<r!PG-:"=NkL"Dragon $YsHr
hj~aJ/Jj^9#
~VHOoKGU)kHNbNG"j"alarmtool.cfg U!$kK9GK8_7
F$^9#8_7F$J$lgO"LNa=CIN(sHj<N0K!N=8r
IC7F/@5$#
time-period always {
  monday 0000-2400
  tuesday 0000-2400
  wednesday 0000-2400
  thursday 0000-2400
  friday 0000-2400
  saturday 0000-2400
  sunday 0000-2400
}
4. !N=8G"dragon_events H$&>0N Alarmtool Agent "i<Hrn.7^
9#
alert dragon_events {
  filter filter_dragon_events
  notify notify_dragon_events
}
3N"i<HO"alarmtool.cfg U!$kGhKjA7?U#k?<&k<kH
LNa=CIrHQ7^9#bK?<fNMCHo</eN=l>lN Dragon
;s5<KD$F"=N;s5<N>0r9-cs9k77$k<krU#k?
<KIC7^9#Dragon ;s5<N8`N?>,'O"Dragon Squire (HIDS)
NlgO hostname-hids"Dragon Sensor (NIDS) NlgO hostname-nids G
9#8`N?>,',HQ5lF$klgO"k<kKhCF hostname r9-
csG-^9#8`N?>,',HQ5lF$J$lgO"9Hjs0,;s5
<>r=7F$k3HrN'7F/@5$#>Nu7GO"=<9^?O8hN
IP "Il9KX9kk<krHQ7^9#
5. DRAGON-HOST eN Dragon rFO07^9#!N3^sIrBT7F/@5
$#
$DRAGHOME/dragonctl stop
$DRAGHOME/dragonctl start
Alarmtool Agent NO0~K(i<,/87J$3HrN'7F/@5$#(i
< (LoO=8rO(i<) ,/87?lgO"(i<r$57?e"Dragon r
FO07F/@5$#
�����������
^@b@5lF$J$ Tivoli Risk Manager "@W?<N=.O,W"j^;s#
������ ����!"�!�����
1. DRAGON-HOST eG Dragon rO07"Dragon ;s5< (Dragon Squire) rB
TfN[9HG!N3^sIrBT7^9#
$DRAGHOME/dragctl start
(i<,/87J$3HrN'7^9#>}N[9HG!N3^sIrBT7"
Dragon ,T/7F$k3HrN'7^9#
ps -fu dragon
2. DRAGON-HOST eG"Tivoli Enterprise Console Logfile "@W?<rGPC
0&b<IGO07^9#
/usr/tecad/bin/init.tecad_logfile -d start &
"@W?<,T/7F$k3HrN'7^9#
ps -ef | grep tecad
"@W?<N/0fK(i<,/87J$3HrN'7F/@5$#
3. GiK Tivoli D- (setup_env.sh) r=<9H7Fhj~_"wstatesvr rBT
9k3HKhj"Tivoli Enterprise Console 5<P<,T/7F$k3HrN'
7^9#5<P<O"wstartesvr 3^sIGO07"wstopesvr 3^sIGd
_9k3H,G-^9#\YKD$FO"VTivoli Enterprise Console jU!l
s9&^Ke"kWr2H7F/@5$#
4. Tivoli Risk Manager U)<^CH&U!$kN$s9H<kH8.,*oCF
$k Dragon ]j7<&U!$k+i{NN Dragon $YsHr8.7^9#
Dragon j"k?$`&3s=<kN 30 ,Ac<HG DRAGON-HOST eN
DPM ,m0ru.7?3HrN'9k+"sum_event/sum_db 3^sIrHQ7
^9#
5. DRAGON-HOST eG tail 3^sIrHQ7"Alarmtool Agent KhCF79F
`&m0,8.5l?3HrN'7^9#Tivoli Enterprise Console Logfile "@
W?<,O07?^7seG Tivoli Risk Manager $YsH,=(5lk3Hr
N'7^9#Tivoli Enterprise Console "@W?<,GPC0&b<IGT/7
F$k?a"3N$YsHNm0O8`POK=(5l^9#
6. Tivoli Enterprise Console 5<P<rBT7F$k[9HeN Tivoli D-r=<
9H7Fhj~s@ bash ;C7gsG"wtdumprl *hS wtdumper rBT7
^9#$YsHO">}N3^sINj9HbNGe (^?OGeKa$) N$
YsHH7F=(5l^9#
7. tec_console rO07",ZJ0k<WK$YsH,=(5lk3H"*hS=
N0-, Dragon $YsH>H?$Wr?G7F$k3HrN'7^9#
Tivoli Risk Manager Format File Utility
Tivoli Risk Manager Format File Utility O"Tivoli Risk Manager Dragon "@W?<
QN Tivoli Risk Manager U)<^CH&U!$krn.9k Java "Wj1<7g
sG9#Format File Utility Khj"f<6<O Dragon 70KAc<&U!$k
(H%RO Dragon ;s5<N?$WK~8F *.lib ^?O *.pollib)"*hS3l
iN70KAc<Nlt"^?O9YFr*rG-^9#70KAc<O"Tivoli
Risk Manager U)<^CH&U!$k&/i9jANn.KHQ5l^9#f<6
<O"Dragon 70KAc<H Tivoli Risk Manager $YsH&/i9HNVN^C
Ts0r)fG-^9#
3Nf<F#jF#<O Java "Wj1<7gsN?a"WiCHU)<`KM87
^;s#?@7"3Nf<F#jF#<rHQ9k?aKO"JDK 1.4 QC1<8
,$s9H<k5lF$k,W,"j^9#3Nf<F#jF#<O Windows H
UNIX N>}NWiCHU)<`GBTG-^9,"8.5lkU)<^CH&U
!$kO"Central Dragon DPM/EFP H Tivoli Risk Manager Logfile "@W?<r
BTfN UNIX [9HeGHQ9k,W,"j^9#
Dragon 70KAc<&U!$kO Dragon Rider U)<^CHG"k3H,EWG
9# Dragon 70KAc<&U!$kO9YF Enterasys Dragon N5]<H Web
5$H+i Dragon Rider U)<^CHG@&sm<IG-^9#
Tivoli Risk Manager Format File Utility �����
Java "Wj1<7gs Risk Manager Format File Utility N$s9H<kO"!Nj
gGT$^9#
1. JDK 1.4 QC1<8,^@$s9H<k5lF$J$lgO$s9H<k7^
9#
2. /opt/RISKMGR/DragonRMAdaptor/bin 5VG#l/Hj<+i
RiskMgrFormatFileUtility_Install_V1.0.tar.gz U!$kr~j7^9#
3. RiskMgrFormatFileUtility_Install_V1.0.tar.gz tar U!$kNbFrjP7^
9#
UNIX WiCHU)<`GO"*r7?$s9H<k&G#l/Hj<+i!N
3^sIrBT7^9#
tar -xzvf RiskMgrFormatFileUtility_Install_V1.0.tar.gz
Windows GO"WinZip rHQ7FU!$krjP7^9#
Format File Utility �������� ������ ��
!K(9NO"Tivoli Risk Manager Format File Utility rHQ7FU)<^CH&
U!$krn.9k?aK,WJjgG9#
1. D-Qt CLASSPATH rn.7"$s9H<k5lF$k JDK1.4 Ni$V
ij<&Q9H Tivoli Risk Manager Format File Utility N$s9H<k&Q9
r3NQtKJ<7^9#=N?aKO"Windows WiCHU)<`GO"
V3sHm<k QMkWNV79F`NWmQF#WrHQ7F"
CLASSPATH 79F`D-QtrIC7^9#^?"UNIX WiCHU)<`
GO"3^sIT+i>\ CLASSPATH D-r(/9]<H7^9 ("k$
O"+,Nf<6< .profile KIC7^9)#D-QtN_j}!K+.,J
$lgO"79F`I}TKjL7F/@5$#
2. f<F#jF#<rO09k?aK"!N3^sIrBT7^9#
UNIX: start_util.sh
Windows: start_util.bat
VTivoli Risk Manager U)<^CH&U!$k&f<F#jF#< (Tivoli
Risk Manager Format File Utility)W@$"m0,=(5l^9#
3. V70KAc<&U!$kN*r (Select Signature File)W\?sr/jC/7^9#V+/(Open)W@$"m0,=(5l^9#70KAc<&U!$k
,8_9kG#l/Hj<r*r7"V+/(Open)W\?sr/jC/7^9#
4. VxQD=J70KAc< (Available Signatures)WH$&?$HkN9/m<k
D=Jj9HK Dragon 70KAc<>Nj9H,=(5l^9#
u>9k70KAc<r/4=(7 (9YFr*r9klgO ctrl a -<r!
7)"&pu\?sr/jC/7F"*r7? Dragon 70KAc<rV*r5
l?70KAc< (Selected Signatures)W9/m<kD=j9HK\07^9#
V*r5l?70KAc< (Selected Signatures)W9/m<kD=j9H+i7
0KAc<ro|9kKO"TWJ70KAc<r/4=(7"8pu\?s
r/jC/7^9#,WJ70KAc<r*r7?e"VOKWr/jC/7^
9#
5. *r5lF$k70KAc<Nj9H,=(5l^9#3NUl<`+i"*
r5lF$k9YFN Dragon 70KAc<K,7? Tivoli Risk Manager $
YsH&/i9rdjvFk3HKJj^9#
6. CjN Dragon 70KAc<N\Yb@r@kKO"70KAc<>NYK"
kV70KAc<Nb@ (Signature Description)WsG8^&9&\?sr!7
^9#
7. Dragon 70KAc<Nb@rIs@e"u>9k70KAc<>KP~9kT
NVTivoli Risk Manager $YsH&/i9 (Tivoli Risk Manager Event
Class)WsG8^&9&\?sr/jC/9k3HKhCF",ZJ Tivoli Risk
Manager $YsH&/i9r*r7^9#\C/9rHQ7F*rrT$^
9#Tivoli Risk Manager $YsH&/i9KD$FO"VIBM Tivoli Risk
Manager GYmCQ<:&,$IWr2H7F/@5$#3NqAO"IBM
Tivoli N5]<H Web 5$H+i~jG-^9#
8. 3Nh}r+jV7F"9YFN Dragon 70KAc<N$YsH&/i9r
*r7^9#Tivoli Risk Manager $YsH&/i9,*r5lF$J$
Dragon 70KAc<KO"GU)kHG"Tivoli Risk Manager $YsH&/
i9 RMG_NoMapping ,HQ5l^9#$YsH&/i9,Xj5lF$J
$ Dragon 70KAc<+i RMG_NoMapping /i9XN^CTs0O"U
)<^CH&U!$k dragon-base.fmt NU)<^CH&/i9jA+iE[
*KTol^9#7?,CF"@(*K^CW7?/J$ Dragon 70KAc
<O"8.fN=_NU)<^CH&U!$kKIC9k70KAc<H7F
*r7J$G/@5$# Dragon 70KAc<r*r7>9lgO"VhjC
7(Cancel)W\?sr/jC/7F9FCW 4 Kaj^9#,WJ9YFN^
CTs0r~O7?e"V70KAc<&U!$kNn. (Create Signature File)W\?sr/jC/7^9#
9. U)<^CH&U!$kN>0HQ9O",WK~8FQ9G-^9#GU)
kHNU!$k>O"Dragon 70KAc<&U!$kN>0KpE$FU1i
l^9#GU)kHNQ9b"Dragon 70KAc<&U!$kH18KJj^
9#Xj9kQ9O8_7F$k,W,"j^9#8_7J$Q9rXj9k
H"(i<,=(5l^9#3Nf<F#jF#<OG#l/Hj<rn.7
^;s#d)5lkQ9O"Tivoli Risk Manager Logfile "@W?<N$s9H
<k&Q9N<K"k etc G#l/Hj<G9#!Nh&KT$^9#
UNIX: /usr/tecad/etc
Windows: %SystemDrive%¥Tivoli¥tecwin¥etc
Vn. (Create)W\?sr/jC/7"*r7?G#l/Hj<&Q9K77
$U)<^CH&U!$krn.7^9#GiK"IAiN9/m<kD=j
9HKb70KAc<,^^lF$J$Ul<`,=(5l^9#
10. u>9k9YFN Dragon 70KAc<KD$F"jgN 3 A 9 r+jV7
^9#Dragon 70KAc<&U!$kO"Enterasys Dragon N5]<H Web
5$H+i Dragon Rider U)<^CHG@&sm<IG-^9#
�� ��:��
eN^G(5lF$k Dragon 3s]<MsHN"<-F/Ac<O"Dragon $s
9H<k&,$I+izQ5l?bNG"kg DPM/EFP "<-F/Ac< H7F
NilF$^9#3N Dragon "<-F/Ac<N\YKD$FO" Enterasys N
Web 5$HK"k Dragon $s9H<k&,$Ir2H7F/@5$#>N"<-
F/Ac<O"}g"@W?<rQ97^;s#"@W?<KHCF-oaFEW
JNO"f4HJk DPM [9HG Alarmtool Agent ,=.5l"T/7F$k3
^ 10. 5sWk&7Jj*N"<-F/Ac<
HG9#3lKhj"Dragon KhCF8.5lk9YFN$YsHr Tivoli Risk
Manager ,NBKhj~`h&KJj^9#f4HJk DPM [9HG Alarmtool
Agent ,=.5lF*i:"T/7F$J$lgO""<-F/Ac<bN=_N
DPM/EFP H18O}GJ$ Dragon ;s5<+iN$YsHOhj~^l^;s#
HOST1 O"TMF (Tivoli Management Framework)"5iK Tivoli Risk Manager 5
<P<,$s9H<k5l? Tivoli Enterprise Console 5<P<*hS3s=<k
r^sG$^9#3N[9HO"MCHo</D-N;sHik Tivoli Risk
Manager/Tivoli Enterprise Console 5<P<H7FNrdr}A"*Zl<F#s
0&79F`H7F Windows 2000 "IPs9H&5<P<,T/7F$^9#3
lO"Dragon KhCF8.5l?$YsHr^` Tivoli Risk Manager $YsHN
;sHik&j]8Hj<G9#
HOST2 O"Tivoli Risk Manager Logfile "@W?<H&K"Dragon PsIkN
DPM"EFP"Alarmtool NF(<8'sH&3s]<MsHr^sG$^9#HOST2
KO 2 DNrd,"j^9#;sHik Dragon 5<P<H7FNrdH"Tivoli
Risk Manager ;s5< (3N7Jj*GO Tivoli Risk Manager Logfile "@W?
<) H7FNrdG9#HOST2 O"*Zl<F#s0&79F`H7F Linux Red
Hat 7.0 rBTG-^9#1 DJeN Dragon ;s5<+i$YsH,u.5l"
Alarmtool Agent Khkh}Ne"3liN$YsHO79F`&m0
/var/log/messages Kw.5l^9#"i<H,79F`&m0K-?5lkH"
Tivoli Risk Manager Logfile "@W?<,3liN"i<Hr Tivoli Risk Manager
$YsHH7FHiCW7"Tivoli Enterprise Console 5<P< (HOST1) KA#7
^9#$YsHO=3Gh}5l"Tivoli Enterprise Console eK=(5l^9#
HOST3 O"Dragon Sensor/Squire 3s]<MsHr^sG$^9#;s5<Nrd
O"/~!N79F`&$YsHr8.7"=liN$YsHr HOST2 eN;s
Hik DPM KA#9k3HG9#\C/9O"Linux Red Hat 7.0 *Zl<F#
s0&79F`rBTG-^9#
!NjgO"eN^K"k$YsH&Um<rb@9kbNG9#
1. HOST3 eN Dragon Squire ;s5<,$YsHr!P7"!P7?$YsHr
HOST2 eN DPM 5<P<Kw.7^9#
2. HOST2 K"kjs0&PCU!<bK$YsH,J<5lkH">AK
Alarmtool Agent ,=N$YsHrh}7"HOST2 eN79F`&m0K"i<
Hrw.7^9#
3. 79F`&m0&(sHj<,n.5lkH">AK Tivoli Risk Manager
Logfile "@W?<,3Nm0r Tivoli Risk Manager $YsHH7F'17"P
~9k Tivoli Risk Manager $YsHr HOST1 eN Tivoli Enterprise Console
5<P<Kw.7^9#=Ne"$YsHO,WK~8FjX5l"Tivoli
Enterprise Console eK=(5l^9#
Tivoli Risk Manager ����� �����
1. TMF"Tivoli Enterprise Console 5<P<*hS3s=<k"Tivoli Risk Manager
5<P<r HOST1 K$s9H<k7^9#
2. /usr/tecad G#l/Hj<N<N HOST2 K Tivoli Enterprise Console Linux
Logfile "@W?<r$s9H<k7^9#
m: 3lO"3NcN?aNs TME G"@W?<G9#"@W?<N}gG-
N=.O"TME "@W?<Hs TME "@W?<NIAi,HQ5lF$
Fb18G9#
tecad_logfile.conf rBT7""@W?<N HOST1 XN ServerLocation (^
?O HOST1 N IP "Il9) r Tivoli Enterprise Console 5<P<QK=.7
^9#Tivoli Enterprise Console 5<P<, Windows 79F`eGT/7F$k
?a"tecad_logfile.conf U!$krQ97"ServerPort Vfr 5529 K_j
7^9#
3. 3liN3s]<MsHr=.7"Tivoli Enterprise Console Logfile "@W?<
N0n,5oG"k3H"*hS Tivoli Enterprise Console 5<P<, Logfile
"@W?<+i$YsHrhj~_"=(7F$k3HrN'7^9#
FTP"SU"^?O Telnet N;C7gsrHQ7F"k<H'ZN.y":TJ
IN$YsHr8.7^9#Tivoli Enterprise Console Logfile "@W?<,$Y
sHrhj~sG Tivoli Enterprise Console 5<P<Kw.7F$k3H"*h
Sw.hN5<P<N3s=<kK$YsH,=(5lk3H,N'G-k^
G"!N9FCWKJ^J$G/@5$#$YsH,hj~^lF$J$lg
O"^:"/usr/tecad/etc/tecad_logfile.fmt U!$kbN"@W?<N70
KAc<,79F`&m0&U!$k (/var/log/messages) G8.5lF$kB
]Nm0N57$70KAc<G"k3HrN'7^9#$5,,WJlgO"
70KAc<rQ97"CDS U!$kr8.7>7^9 (9FCW 5 r2H)#
HiVk7e<F#s0NjgKD$FO"Tivoli Enterprise Console 5<P<
*hS Tivoli Risk Manager Nf<6<&,$Ir2H7F/@5$#3liN
qAO"IBM N5]<H Web 5$H+i~jD=G9#
4. Dragon }gU)<^CH&U!$k (dragon-linux.fmt) r HOST2 K$s9H
<k7^9#U!$k dragon-linux.fmt NbFrU!$k tecad_logfile.fmt
NbFKIC7^9#
5. !N3^sIrBT7"77$ CDS U!$kr8.7^9#3N3^sIO"
1 TG~O7^9#
/usr/tecad/bin/logfile_gencds /usr/tecad/etc/C/tecad_logfile.fmt > /usr/tecad/etc/tecad_logfile.cds
77$ CDS U!$kN8.~K(i<,/87J$3H"m0¥U!$k&"
@W?<,z-3-(i<J7G/09k3HrN'7F/@5$#U!$k
/usr/tecad/etc/tecad_logfile.err rQ99k3HKhCF"m0¥U!$k&
"@W?<NGPC0rHQD=K9k3H,G-^9#/dev/null Nt,
r"/usr/tecad/etc/tecad_logfile.log Nh&J,ZJU!$k>HQ9KV
-9(^9#GPC0N\YKD$FO"VTivoli Enterprise Console "@W?
<&,$IWr2H7F/@5$#
Dragon Squire�DPM/EFP ����� �����
1. Dragon Squire (^?O Dragon Sensor""k$O=N>}) r HOST3 K$s9
H<k7^9#kg DPM/EFP "<-F/Ac< N?aN Dragon f<6<&
,$IK"k";s5<N$s9H<kH=.NjgK>$^9#
2. Dragon DPM 3s]<MsH*hS EFP 3s]<MsHr HOST2 K$s9H
<k7^9#kg DPM/EFP "<-F/Ac< N?aN Dragon f<6<&,
$IK"k"(<8'sHJ0N DPM H EFP N$s9H<kH=.NjgK
>CF/@5$#Dragon DB Agent"MD5 Sum Agent"Export Log Agent"Real
Time Console"=7FGbEWJ Dragon Alarmtool Agent r^`9YFN
Dragon (<8'sHrHQD=K7F/@5$#
3. Apache (^?O Risk Manager 4.1 K^^lF$k IBM HTTP Server) r
HOST2 K$s9H<k7^9#Enterasys N Web 5$H+i~jD=J Dragon
Console Nf<6<&,$IK-R5lF$kjgK>CF"Web 5<P<r
Dragon 3s=<kQK=.7^9#3N3s=<kN=.GO"77$9/j
WHL>r$/D+IC9k,W,"j^9#http://localhost/dragon K"/
;97"3s=<k,!=7"xQD=G"k3HrN'7^9#policy
manager"real time console"forensics console"trending console"*hS
Alarmtool config XNjs/r^` Enterasys Dragon 3s=<k&Z<8XNj
s/rh@9k,W,"j^9#
4. Dragon Squire HIDS ;s5<rBTfG"HOST2 *hS HOST3 N>}G
Dragon ,O07?lgO"HOST2 eNVi&6<+i http://localhost/dragon K
"/;97^9#Policy Manger Squire Configuration 3s=<kK\07"
HOST3 eN Dragon Squire r Linux aC;<8QK=.7^9#=lKO"
Linux ]j7<r*r7"V-e< (queue)W\?sr*r7^9#Q9bFr
;s5<K,Q9kh&X(9kWmsWH,=(5l^9#=(5lkX(K
>CF/@5$#
5. !N9FCWK\k0K"Dragon Squire"Dragon DPM"*hS Dragon EFP ,
57/=.5l"T/7F$k3HrN'7^9#F9HrT&KO"b&l
Y"FTP"SU"^?O Telnet N;C7gsrHQ7F HOST3 XNk<H'Z
rn_^9#j"k?$`&3s=<kK""k$O sum_db 3^sI*hS
sum_event 3^sIrBT9k3HKhCF"$YsH,=(5l^9#
Dragon $YsH,8.5lF$J$lgO"ping rHQ7FMCHo</\3
rA'C/7"/usr/dragon/dsquire/conf/dsquire.conf U!$kbN Dragon
70KAc<, HOST3 eN /var/log/messages K^^lkm0HlW7F$
k3HrN'7^9#HiVk7e<F#s0N\YKD$FO"Dragon Nq
Ar2H7F/@5$#
Dragon Alarmtool ���
1. HOST2 eG"/usr/dragon/alarmtool.cfg U!$kN3T<rn.7"=lr
T8N?aK+-^9#
2. !N=8G"filter_dragon_events H$&>0N Alarmtool Agent U#k?<rn
.7^9#
filter filter_dragon_events {
  rule sensor hilux
}
3NU#k?<O"[9H HOST3 +i Dragon KhCF8.5lk9YFN$
YsHrhj~`,W,"j^9#k<k rule sensor hilux GU#k?<r8.
9kH"=N[9H>K HILUX H$&5V&9Hjs0,^^lF$k[9H
+i9YFN$YsH,hj~^l^9#
3. !N=8G"notify_dragon_events H$&>0N Alarmtool Agent notification a
=CIrn.7^9#
notify notify_dragon_events {
  time-period always
  syslog always {
    level alert
    facility user
    message sensor:%SENSOR% SIP:%SIP% DIP:%DIP% EVENT:%NAME% SPORT:%SPORT% DPORT:%DPORT% %DATE% %TIME% %ALERT%
  }
}
4. ~VHOoK GU)kHNbNG"j"alarmtool.cfg U!$kK9GK8_
7F$^9#8_7F$J$lgO"LNa=CIN(sHj<NeK!N=8
rIC7F/@5$#
time-period always {
  monday 0000-2400
  tuesday 0000-2400
  wednesday 0000-2400
  thursday 0000-2400
  friday 0000-2400
  saturday 0000-2400
  sunday 0000-2400
}
5. !N=8G"dragon_events H$&>0N Alarmtool Agent "i<Hrn.7^
9#
alert dragon_events {
  filter filter_dragon_events
  notify notify_dragon_events
}
6. !N3^sIrBT7"HOST2 eG Dragon rFO07^9#
/usr/dragon/dragctl stop
/usr/dragon/dragctl start
Alarmtool Agent NO0~K(i<,/87J$3HrN'7F/@5$#(i
<,/87?lgO"=lir (LoO=8rO(i<) $57?e"Dragon r
FO07F/@5$#
����.9��
1. !N3^sIrBT7"HOST2 *hS HOST3 eG Dragon rO07^9#
/usr/dragon/dragonctl start
(i<,/87J$3HrN'7^9#HOST2 *hS HOST3 N>}G Dragon
,T/7F$k3HrN'7^9#
ps -fu dragon
2. HOST2 eG"Tivoli Enterprise Console Logfile "@W?<rGPC0&b<IG
O07^9#
/usr/tecad/bin/init.tecad_logfile -d start &
"@W?<,T/7F$k3HrN'7^9#
ps -ef | grep tecad
"@W?<N/0~K(i<,/87J+C?3HrN'7F/@5$#
3. GiK Tivoli D- (setup_env.sh) r=<9H7Fhj~_"wstatesvr rBT
9k3HKhj"Tivoli Enterprise Console 5<P<,T/7F$k3HrN'
7^9#5<P<O"wstartesvr 3^sIGO07"wstopesvr 3^sIGd
_9k3H,G-^9#\YKD$FO"VTivoli Enterprise Console jU!l
s9&^Ke"kWr2H7F/@5$#
4. FTP ^?O SU Gk<H'Zrn_F"HOST3 +iN$YsHr8.7^9#
Dragon j"k?$`&3s=<k N 30 ,Ac<HG DPM ,m0ru.7?
3HrN'7^9 (^?O"sum_event/sum_db 3^sIrHQ7^9)#
5. HOST2 eG /var/log/messages KP7F tail 3^sIrBT9k3HKhj"
Alarmtool Agent KhCF79F`&m0,8.5l?3HrN'7^9#Tivoli
Enterprise Console Logfile "@W?<,O07?^7seG Tivoli Risk Manager
$YsH,=(5lk3HrN'7^9#GPC0&b<IGT/7F$k?
a"3N$YsHNm0O8`POK=(5l^9#
6. HOST1 eN Tivoli D-,=<9H7Fhj~^lF$k bash ;C7gsG
wtdumprl *hS wtdumper rBT7^9#$YsHO">}N3^sINj
9HbNGe (^?OGeKa$) N$YsHH7F=(5l^9#
7. tec_console rO07",ZJ0k<WK$YsH,=(5lk3H"*hS=N
0-, Dragon $YsH>r?G7F$k3HrN'7^9#
alarmtool.cfg ��
daemonize no
logfile logs/alarmtool.log
pidfile .alarmtool.pid
snmp-interface 9.185.206.232
sendmail /usr/sbin/sendmail -t -U
max-summary-events 100
ring-buffer {
   shmem-key 42
   consumer-id 6000
   cache .cache
}
time-period weekday {
   monday 0900-1700
   tuesday 0900-1700
   wednesday 0900-1700
   thursday 0900-1700
   friday 0900-1700
}
time-period off-hours {
   monday 0000-0900
   monday 1700-2400
   tuesday 0000-0900
   tuesday 1700-2400
   wednesday 0000-0900
   wednesday 1700-2400
   thursday 0000-0900
   thursday 1700-2400
   friday 0000-0900
   friday 1700-2400
   saturday 0000-2400
   sunday 0000-2400
}
time-period always {
   monday 0000-2400
   tuesday 0000-2400
   wednesday 0000-2400
   thursday 0000-2400
   friday 0000-2400
   saturday 0000-2400
   sunday 0000-2400
}
notify notify_dragon_events {
   time-period always
   log {
      filename logs/alert.log
      message sensor:%SENSOR% SIP:%SIP% DIP:%DIP% EVENT:%NAME% SPORT:%SPORT% DPORT:%DPORT% %DATE% %TIME% %ALERT%
   }
   syslog always {
      level alert
      facility user
      message sensor:%SENSOR% SIP:%SIP% DIP:%DIP% EVENT:%NAME% SPORT:%SPORT% DPORT:%DPORT% %DATE% %TIME% %ALERT%
   }
}
filter filter_dragon_events {
   rule sensor hilux
}
alert dragon_events {
   filter filter_dragon_events
   notify notify_dragon_events
}
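The notify block above writes one line per Dragon alert using the sensor:%SENSOR% SIP:%SIP% ... %ALERT% template, and the Tivoli Enterprise Console Logfile adapter has to split that line back into fields. The following Python is an added example (not code from the IBM guide or from Dragon): it converts the template into an anchored regular expression, parses constructed alert.log lines, and rejects lines that do not follow the template or carry an out-of-range port; the sensor name hilux comes from the filter above, while the event names, addresses and timestamps are constructed.

```python
import re
from typing import Dict, List, Optional

# The message template from the notify block in alarmtool.cfg above.
ALARMTOOL_TEMPLATE = (
    "sensor:%SENSOR% SIP:%SIP% DIP:%DIP% EVENT:%NAME% "
    "SPORT:%SPORT% DPORT:%DPORT% %DATE% %TIME% %ALERT%"
)

# Per-field patterns. Placeholders not listed here match a single non-blank
# token; %ALERT% is the free-text tail and may contain spaces.
FIELD_PATTERNS = {
    "SIP": r"\d{1,3}(?:\.\d{1,3}){3}",
    "DIP": r"\d{1,3}(?:\.\d{1,3}){3}",
    "SPORT": r"\d+",
    "DPORT": r"\d+",
    "ALERT": r".*",
}


def template_to_regex(template: str) -> "re.Pattern":
    """Turn a %VAR%-style alarmtool message template into an anchored regex
    with one named group per placeholder. Literal text between placeholders
    is escaped so that ':' and spaces match exactly."""
    parts: List[str] = []
    pos = 0
    for m in re.finditer(r"%([A-Z]+)%", template):
        parts.append(re.escape(template[pos:m.start()]))
        name = m.group(1)
        parts.append("(?P<%s>%s)" % (name, FIELD_PATTERNS.get(name, r"\S+")))
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$")


ALARMTOOL_RE = template_to_regex(ALARMTOOL_TEMPLATE)


def parse_alert_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one alert.log line into its template fields.
    Returns None for lines that do not follow the template (for example a
    foreign syslog line) or that carry a port outside 0..65535."""
    m = ALARMTOOL_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    for key in ("SPORT", "DPORT"):
        if not 0 <= int(fields[key]) <= 65535:
            return None
    return fields


def parse_alert_log(lines):
    """Parse every line; return (events, number_of_skipped_lines)."""
    events, skipped = [], 0
    for line in lines:
        ev = parse_alert_line(line)
        if ev is None:
            skipped += 1
        else:
            events.append(ev)
    return events, skipped


# Constructed sample lines (not real sensor output): two alerts that follow
# the template and one alarmtool status line that does not.
SAMPLE_LINES = [
    "sensor:hilux SIP:192.0.2.10 DIP:198.51.100.5 EVENT:WEB:CGI-PHF "
    "SPORT:40321 DPORT:80 2002-11-14 13:45:02 phf cgi access attempt",
    "sensor:hilux SIP:192.0.2.44 DIP:198.51.100.9 EVENT:ICMP:ECHO-SWEEP "
    "SPORT:0 DPORT:0 2002-11-14 13:45:07 ICMP echo sweep",
    "alarmtool: consumer 6000 attached to ring buffer",
]

if __name__ == "__main__":
    evs, skipped = parse_alert_log(SAMPLE_LINES)
    for ev in evs:
        print(ev["SENSOR"], ev["SIP"], "->", ev["DIP"], ev["DPORT"], ev["NAME"])
    print("skipped lines:", skipped)
```

The same template-to-regex conversion applies to any other %VAR% message template, such as the McAfee Alert Manager messages listed later in this guide.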
��������/��
Alarmtool �����)���*���
Alarmtool Agent ,xQG-k$YsH&G<?O"kxY)B5lF$^9#$Y
sHNhj\YJt,KX9kG<?O"79F`&m0K8.5lk"i<H&
m0KICG-^;s#c(P"k<HXN SU rn_F:T7?f<6<N ID
r-?9k3HOG-^;s#79F`I}T,3Nh&J\YJG<?r4Yk
KO";s5<&[9H&m0XN"/;9"rh@9k+"Dragon j"k?$
`&3s=<kK$YsHr=(9k,W,"j^9#
"��1����
MCHo</bN^7sN\3,djKJk3H,"j^9#9YFN[9H,_
$K ping G-k3H"*hS DNS (sHj<,G7NbNG"k3HrN'9k
3HKhCF"9YFN[9H,L.G-k3HrN'7F/@5$#
Dragon �%����-./����
Dragon O"70KAc<H70KAc<&U!$kNj9HXN97HICrQ3
*KTCF$^9#77$70KAc<O"Tivoli Risk Manager "@W?<KhC
Fhj~^l"GU)kHN$YsH&/i9 RMG_NoMapping K^CW5l^9#77$70KAc<&U!$k^?O975l?70KAc<&U!$k,
Dragon ;s5<KxQD=KJC?H-O"Risk Manager Format File Utility rH
Q7F77$70KAc<r^CW7"975l?U)<^CH (fmtKU!$kr
8.7F/@5$#3NnHKhj"Risk Manager $YsH&/i9XN70KA
c<N5NJ^CTs0,]Z5l^9#
� 13 � Symantec Intruder Alert ������
3NOGO"J<Npsrs!7^9#
v X"@W?<N5WY
v 150Z<8NX=JN5bY
v 151Z<8NX"@W?<N5bY
v 152Z<8NX$s9H<kY
��������
Tivoli Risk Manager Adapter for Symantec Intruder Alert O"Symantec Intruder Alert
(<8'sHKhCFB]K!P5lk/~$YsH^?O!P5lkD=-N"
k/~$YsHr Tivoli Enterprise Console $YsHK^CW7^9#^CW5l
? Tivoli Enterprise Console $YsHO>AK Tivoli Enterprise Console 5<P<K
hCFjX7"=(9k3H,G-^9#
3N"@W?<O"Symantec Intruder Alert rBT7F$klgK$s9H<kG-
^9#3lKhj"Tivoli Enterprise Console 5<P<*hS3s=<kO"
Symantec Intruder Alert (<8'sHKhCF!P5lk"ifk$YsHr=(
7"0}7"h}rT&;sHik&j]8Hj<*hS;sHik&5<P<H
7FxQG-^9#
��������������
Tivoli Risk Manager Adapter for Symantec Intruder Alert O"!N*Zl<F#s
0&79F`G5]<H5l^9#
Symantec Intruder Alert Q"@W?<
HbK$s9H<k5lk3s]<MsH
                                        AIX 4.3.3  AIX 5.1  Solaris 7  Solaris 8  WinNT 4.0  Win2K  WinXP
Tivoli Risk Manager Agent (Transport)   X  X  X  X  X
Tivoli Enterprise Console "@W?<         X  X  X  X  X  X
Tivoli Risk Manager Adapter for Symantec Intruder Alert O"Tivoli Risk Manager P
<8gs 4.1 *hS Tivoli Risk Manager P<8gs 3.8 N>}H"09kh&_
W5lF$^9#
© Copyright IBM Corp. 2001, 2002 149
Risk Manager P<8gs 3.8 rHQfN*RMO"Tivoli Risk Manager k<k&
Y<9r generic.baroc *hS sensor_abstract_supp.baroc N 2 DNU!$k
H&K@&sm<I7"979k,W,"j^9#3liNU!$kO&K"Tivoli
Risk Manager N5]<H Web 5$H+i~jD=J Symantec Intruder Alert QC
1<8K^^lF$^9#3N 2 DNU!$kO"3liN"@W?<N Risk
Manager 3.8 HNe}_9-r5]<H7^9#Tivoli Risk Manager 3.8 k<k&
Y<9N97KD$FNpsO"VIBM Tivoli Risk Manager f<6<:&,$I
P<8gs 3.8WNXh 5 O Risk Manager Server CorrelationYK"j^9#
Tivoli Risk Manager P<8gs 4.1 rHQfN*RMO"Tivoli Enterprise Console
5<P<N97rT&,WO"j^;s#k<k&Y<9O3N"@W?<r5]
<H9kh&GU)kHG57/=.5l"3liNU!$kK^^lF$k,W
J$YsH&/i9jAr^sG$^9#
"@W?<O"Symantec Intruder Alert P<8gs 3.6.1"*hS IAquery 3.5
International H 3.6 Domestic eGT/9kh&Kn.5lF$^9#
�����
Symantec Intruder Alert 3.6.1 O"Symantec N Host Intrusion Detection Software =
je<7gsG9#Tivoli Risk Manager H1M"Intruder Alert O(<8'sHHF
PlkH+N Host Intrusion Detection System (HIDS) ;s5<r}CF$^9#
Intruder Alert "<-F/Ac<KO"(<8'sH"^M<8c<""I_K9H
l<?<"$YsH&Se<"<N 4 DN3s]<MsH,"j^9#IA Query
$YsHI}5<S9HFPlkICf<F#jF#<r Symantec +i~jG-
^9#3N"@W?<KO3Nf<F#jF#<,,WKJj^9#
!NpsO"Symantec Intruder Alert N3s]<MsHN5Wr(7^9#Intruder
Alert =JN\YKD$FO"Symantec Intruder Alert N Web 5$Hr2H7F/
@5$#
Symantec Intruder Alert (<8'sHO"l"Nk<kKpE$F[9H&79F`
N"/F#SF#<rFk7^9#Intruder Alert NQC1<8KOGU)kHNk
<k2,^^lF$^9#77$k<kr$s]<H^?On.9k3Hb"{8
Nk<krQ97"979k3HbG-^9#(<8'sHNrdO"k<kKp
E$FCjN79F`&"/F#SF#<rFk7"k<kKhCFjA5lF$
kh}rBT9k3HG9#e=*Jh}H7F"ERa<kNw.^?O Intruder
Alert $YsH&m0XNm0&aC;<8Nw.,"j^9#X"9kk<kN8
^jO"]j7<KhCF^Hak3H,G-^9#
k<kHh}KX9k\YpsO"VIntruder Alert User’s GuideWK"j^9# h
}r^sG$kk<krO09k$YsHKD$FNpsO"Intruder Alert $Ys
H&Se<"<rHQ7F=(G-^9#
Intruder Alert N$YsH&m0K-?5lk$YsHpsO"Intruder Alert IA
Query D<kKhCFjP7"5iKh}9k3H,G-^9#3^sIrBT9
k3HG$YsHpsrh}7?j"FWK$YsHpsrF-9H&U!$kK
q-~s@jG-^9#
��������
Symantec Intruder Alert Q Tivoli Risk Manager "@W?<O"Tivoli Enterprise
Console Logfile "@W?<*hS Tivoli Enterprise Console "@W?<N5]<
H&U!$kKpE$F$^9#Symantec Intruder Alert $YsHO"Tivoli
Enterprise Console Logfile "@W?<,Fk9kh&=.5lF$kF-9H&U
!$kK Symantec Intruder Alert IA Query D<k,$YsHpsrq-~s@~@
G Tivoli Enterprise Console Logfile KxQG-kh&KJj^9#
Tivoli Risk Manager "@W?<&U)<^CH&U!$k IntruderAlert.fmt
O"&LNF-9H&U!$k+iI_hk Symantec Intruder Alert m0&(sH
j<NU)<^CHrjA7""@W?<,=l>lN Intruder Alert $YsHKP
7F!Nh}rBTG-kh&K7^9#
v =l>lNF-9H&U!$k&(sHj<H Tivoli Risk Manager $YsH&
/i9HrM-go;"P~9k Tivoli Risk Manager $YsH&/i90-r
i|=7FjXH"<+$VrD=K9k#
v =l>lN79F`&m0&(sHj<Npsr"Tivoli Enterprise Console 5<
P<,}rG-k$YsHNU)<^CHKQ99k#
Symantec Intruder Alert Q Tivoli Risk Manager "@W?<O"generic.baroc Gj
A5lF$k$YsH&/i9KpE$F$YsHr8.7^9#3NU!$k
O" Tivoli Risk Manager 5<P<N$s9H<k&QC1<8NltH7F^^
lF*j"Tivoli Enterprise Console k<k&Y<9NltH7F+0*Km<I5
l^9#generic.baroc bGjA5l?9YFN$YsH&/i9O"
riskmgr.baroc *hS sensor_abstract.baroc GjA5lF$k Tivoli Risk
Manager $YsH&/i9KpE/bNG9#
Symantec Intruder Alert HN04J}g, Tivoli Risk Manager "@W?<KhCF
B=7F$k?a"Symantec Intruder Alert KhCF8.5lk9YFN/~!N$
YsHrHiCW7"Tivoli Risk Manager $YsHH7F Tivoli Enterprise Console
*hS Tivoli Risk Manager 5<P<Kw.G-^9#
^ 11. Tivoli Risk Manager, Symantec Intruder Alert }gN3s]<MsH&"<-F/Ac<
h 13 O Symantec Intruder Alert Q"@W?< 151
����
���� ��
Symantec Intruder Alert Q Tivoli Risk Manager "@W?<r$s9H<k7"=.
9k0K"!Nj9HK(9nHrB\7F/@5$#
m: Tivoli Risk Manager Logfile "@W?<O"Symantec ITA ^M<8c<H18
79F`eK8_9k,W,"j^9#
1. Symantec Intruder Alert N^M<8c<H(<8'sHrMCHo</NltH
7F$s9H<k7^9#
2. $YsHNjP5K7?$^M<8c<rFkG-kh&K"Symantec Intruder
Alert Administrator r$s9H<k7^9#
3. Intruder Alert Manager ,$s9H<k5lF$kF79F`K Symantec
Intruder Alert IA Query D<kr$s9H<k7^9#
4. Tivoli Risk Manager 5<P<H=N0sroHJk=JrMCHo</bN[
9HK$s9H<k7"=.7^9#3N[9HN[9H>HMCHo</&"
Il9rN'7F/@5$#$s9H<kH=.NjgKD$FO"VTivoli
Risk Manager f<6<:&,$IWr2H7F/@5$#
5. F Intruder Alert Manager ,$s9H<k5lF$k#tN[9HK Tivoli
Enterprise Console Logfile "@W?<r$s9H<k7"=.7^9#
���� �����
IntruderAlertRMAdaptor.tar.gz tar U!$kNbFrjP9k3HKhj"u>9
k Intruder Alert ^M<8c<&79F`eK Symantec Intruder Alert Q Tivoli
Risk Manager "@W?<r$s9H<k7^9#
tar U!$kKO"!NU!$k,^^lF$^9#
IntruderAlert.fmt Tivoli Enterprise Console Logfile "@W?<&U)<^CH&U
!$k
config.iaq Intruder Alert IA Query =.U!$kN5sWk
iaquery.fmt Intruder Alert IA Query U)<^CH&U!$k
tecad_win.conf Windows Logfile "@W?<=.U!$kN5sWk
tecad_logfile.conf UNIX Logfile "@W?<=.U!$kN5sWk
ita_utest.sh F9HQN$YsHrF-9H&U!$kK~O9k7'k&9
/jWH
ita_utest_awk.txt ita-utest.sh KhCFHQ5lk AWK Wm0i`
Tivoli Enterprise Console Logfile ��������
1. Tivoli Enterprise Console Logfile "@W?<rd_7F/@5$#
2. Log File "@W?<rHQ7F Intruder Alert H&K>N=<9+i Risk
Manager $YsHrhj~`lgO"Log File "@W?<&U)<^CH&U!
$kNbFr IntruderAlert.fmt U!$kNbFKIC7^9#
Log File "@W?<rHQ7F Intruder Alert +iN Risk Manager $YsHN
_hj~`lgO"Log File "@W?<&U)<^CH&U!$kNbFr
IntruderAlert.fmt U!$kNbFKV-9(^9#
IAiNlgb"Log File "@W?<&U)<^CH&U!$kN3T<rn.
7",WK~8F*j8JkNU!$kr|5G-kh&K7F*-^9#
3. VTivoli Enterprise Console "@W?<&,$IWGb@5lF$kh&K
gencds f<F#jF#<rHQ9k+"\q 11Z<8NXTivoli Risk
Manager H"@W?<NU)<^CH&U!$kNkgYNjgK>$"cds U
!$kr8.7^9#
4. =_$s9H<k5lF$k Tivoli Enterprise Console Logfile "@W?<N=.
U!$k tecad_win.conf ^?O tecad_logfile.conf rT87F LogSources
0-r"IA Query D<kN=.~KXj7?U!$kK_j7^9#3lKh
j"IA Query D<k,PO9kF-9H&U!$kN$YsHrFk9kh&
K7^9#
5. Tivoli Enterprise Console Logfile "@W?<rFO07^9#
Configuring Symantec Intruder Alert IA Query ���
1. IA Query D<krd_7^9#
2. Symantec Intruder Alert Administrator rHQ7""@W?<~1N$YsHH}
85HJk=l>lN^M<8c<Nf<6<rn.7^9#f<6<>O"c
(P IAquery ,,7F$^9#3Nf<6<KO View Event Information "xN
_r?(">N"xO?(J$G/@5$#
3. config.iaq IA Query =.r Intruder Alert Manager N[<`&G#l/Hj<
^?O$s9H<k&G#l/Hj<K3T<7^9#
4. config.iaq r!Nh&KT87^9#
v managers Qia<?<NMrB]N^M<8c<>HlW5;^9#
v user Qia<?<NMr9FCW 2 Gn.7?f<6<HlW5;^9#
v password Qia<?<NMr"9FCW 2 Gn.7?f<6<N?aK~
O7?Q9o<IHlW5;^9#
output Qia<?<GXj9kU!$k>HQ9,"Tivoli Enterprise Console
Logfile "@W?<=.U!$kN LogSources Qia<?<KhCFjA5l
kbNHlW9kh&K7^9#mode Qia<?<, real_time K_j5lF
$k3HrN'7^9#
5. iaquery.fmt =.r Intruder Alert Manager N[<`&G#l/Hj<^?O$
s9H<k&G#l/Hj<K3T<7^9#
6. IA Query D<krFO07^9#
���� ������������
1. Logfile "@W?<N CDS U!$k8.~K(i<,/87J+C?3HrN
'7F/@5$#
2. V$YsH&Se<"<K-?9kJRecord to Event Viewer)WN0nrBTf
K"Symantec Intruder Alert KhCFjA5lF$k$YsHr8.7^9#"
k$O"s!5l?7'k&9/jWHH awk Wm0i`rHQ7F"(/9
]<H5l? Intruder Alert ]j7<&U!$k+iF-9H&U!$kK$Y
sHrq-~`3H,G-^9#
3. eN9FCWG$YsH,8.5l?lgO"Tivoli Enterprise Console 5<P
<*hS3s=<kG$YsHrN'7^9#Tivoli Enterprise Console +i
wtdumprl 3^sI*hS wtdumper 3^sIrHQ7F"$YsH, Tivoli
Enterprise Console 5<P<KA#5l?3HrN'7^9#
Tivoli Risk Manager 3.8 ���������� ����
�����
Tivoli Risk Manager P<8gs 3.8 Nf<6<O"Risk Manager 5<P<eNk
<k&Y<9rU!$k generic.baroc *hS sensor_abstract_supp.baroc G9
79k?aK"!NICnH,,WG9#
1. U!$k generic.baroc *hS sensor_abstract_supp.baroc rG#l/Hj
< $BINDIR/RISKMGR/corr/tec K3T<7^9#
2. generic.baroc rU!$k $BINDIR/RISKMGR/corr/riskmgr_baroc.lst K"j9
HNG*(sHj<H7FIC7^9#
m: 3liN(sHj<NgxOEWG9#generic.baroc O"j9HbG
sensor_abstract.baroc N<KV/,W,"j^9#
3. sensor_abstract_supp.baroc rU!$k
$BINDIR/RISKMGR/corr/riskmgr_baroc.lst K"sensor_abstract.baroc N<N
GiN(sHj<H7FIC7^9#
m: 3liN(sHj<NgxOEWG9#sensor_abstract_supp.baroc O"
sensor_abstract.baroc N<G"+D>N9YFN(sHj<NeKV/,
W,"j^9#
4. GiK3^sI&7'kG Tivoli D-r=<9H7Fhj~`3HKhj"{
8Nk<k&Y<9r977^9#bash 3^sIrBT7F"bash 3^sI&
7'kr~O7^9#3^sI&WmsWHG"G#l/Hj<
$BINDIR/RISKMGR/corr K\07"!N3^sIrBT7^9#
./rmcorr_cfg -update
Tivoli Enterprise Console 5<P<,d_7?e"5oKF+7^9#
m: "@W?<O"3liNU!$k, Risk Manager k<k&Y<9NltH7F
57/=.5lF$k3HK++CF$^9#Tivoli Risk Manager ^7se
G"m0¥U!$k&"@W?<+i$YsHru1hkH-K=8(i<,/
89klgO"3NU!$k,8_7J$+"57/=.5lF$J$D=-
,"j^9#k<k&Y<9N97N\YKD$FO"VIBM Tivoli Risk
Manager f<6<:&,$IWr2H7F/@5$#
�����������
1. $s9H<k~Kn.7?PC/"CW&3T<+i Log File "@W?<&U
)<^CH&U!$kNbFr|57^9#
2. CDS U!$kr8.7>7^9#\7$}!KD$FO"VTivoli Enterprise
Console "@W?<&,$IWr2H7F/@5$#
3. Tivoli Enterprise Console Logfile "@W?<r^@BT9k,W,"klgO"
FO07^9#
Tivoli Risk Manager 3.8 ������������� ���
������
Tivoli Risk Manager 3.8 Nf<6<O"Tivoli Risk Manager 3.8 Q"@W?<r|
n9k]"!NICnHrB\9k,W,"j^9#Tivoli Risk Manager 4.1 Nf
<6<O"!NjgrT&,WO"j^;s#
!NnHrB\9k0K"U!$k generic.baroc KM89k>N"@W?<,
Tivoli Risk Manager 3.8 5<P<K$YsHrw.7F$k+I&+N'9k,W
,"j^9#=Nh&J"@W?<,8_9klgO"!NnHrB\7J$G/
@5$#
1. U!$k $BINDIR/RISKMGR/corr/riskmgr_baroc.lst +i(sHj<
generic.baroc ro|7^9#
2. U!$k $BINDIR/RISKMGR/corr/riskmgr_baroc.lst +i(sHj<
sensor_abstract_supp.baroc ro|7^9#
3. U!$k $BINDIR/RISKMGR/corr/tec/generic.baroc r79F`+ij0Go|
7^9#
4. U!$k $BINDIR/RISKMGR/corr/tec/sensor_abstract_supp.baroc r79F`+ij0Go|7^9#
5. GiK3^sI&7'kG Tivoli D-r=<9H7Fhj~`3HKhj"{
8Nk<k&Y<9r977^9#bash 3^sIrBT7F"bash 3^sI&
7'kr~O7^9#3^sI&WmsWHG"G#l/Hj<
$BINDIR/RISKMGR/corr K\07"!N3^sIrBT7^9#
./rmcorr_cfg -update
Tivoli Enterprise Console 5<P<,d_7?e"5oKF+7^9#
�3 �7����
^ 12. HiVk7e<F#s0&]$sHr(7?"@W?<Nh}Um<
eN^O""@W?<rP39k$YsH&Um<r(7F$^9#!NHiVk
7e<F#s0Nb@O"^N A"B"*hS C rX7F$^9#
]$sH A
$YsH,]$sH A K~#7F$k+I&+O"!N}!GN'G-^9#
?(il?V$YsH&Se<"<K-?9k (Record to Event Viewer)WH$&h
}r^` Symantec Intruder Alert D<kNlg"$YsHN8.O Symantec
Intruder Alert Event Viewer D<krHQ7FN'G-^9#]$sH A G$YsH,=(5lJ$lgO"!Ndj,M(il^9#
1. k<kKV$YsH&Se<"<K-?9k (Record to Event Viewer)WH$&
h},^^lF$^;s#=NlgO"V$YsH&Se<"<K-?9k
(Record to Event Viewer)WH$&h}r^`LNk<kr*r7F/@5$#
2. Symantec Intruder Alert N$s9H<k,57/"j^;s#Symantec K"m
7"3NdjKD$FjL7F/@5$#
]$sH B
$YsH,]$sH A K~#7F$k3HrN'7?e"$YsH,]$sH BK~#7F$k+I&+O"IA Query =.U!$kNPOH7FXj5lF$kF
-9H&U!$kr=(9k3HKhCFN'G-^9#
]$sH B G$YsH,=(5lJ$lgO"!Ndj,M(il^9#
1. IAquery ,T/7F$^;s#
2. IAquery =.U!$k,8_7J$+"57$ljKV+lF$^;s#
3. IAquery ,57/=.5lF$^;s#IAquery =.U!$kN managers"
mgr_port"user"password"mode"query"poll_interval"*hSquery_port NF=.`\rA'C/7F/@5$#^?"IAquery m0&U!
$k (iaquery.log) bA'C/7F/@5$#3NU!$kO"Intruder Alerts
^M<8c<N$s9H<k/[<`&G#l/Hj<K8_7^9#
4. IAquery U)<^CH&U!$k,8_7J$+"57$ljKV+lF$^;
s#
5. IAquery U)<^CH&U!$k,57/"j^;s#9JoA""@W?<&
QC1<8K^^lF$?U!$kGO"j^;s#
]$sH C
$YsH,]$sH B K~#7F$k3HrN'7?e"$YsH,]$sH C
K~#7F$k+I&+O"Risk Manager 5<P<eG wtdumprl 3^sI (Risk
Manager u.m0N$YsHr=(9k3^sI) rHQ7F$YsHr=(9k
3HKhCFN'G-^9#
]$sH C G$YsH,=(5lJ$lgO"!Ndj,M(il^9#
1. Tivoli Enterprise Console Logfile "@W?<,T/7F$^;s#
2. Tivoli Enterprise Console Logfile "@W?<,"IAquery KhCFq-~^l?
F-9H&U!$k+i$YsHrI_hkh&=.5lF$^;s#
3. Tivoli Enterprise Console Logfile "@W?<,"Risk Manager 5<P<K$Ys
Hrw.9kh&=.5lF$^;s#
4. Tivoli Enterprise Console Logfile "@W?<,57$0nr7F$k+I&+
O"Tivoli Enterprise Console Logfile "@W?<NbK?<P]H7F=.5l
?F-9H&U!$kK$/D+N$YsHr>\8.9k3HKhCFN'G
-^9#=N?aKO""@W?<&QC1<8K^^lF$k ita_utest.sh7'k&9/jWH*hS ita_utest_awk.txt awk Wm0i`rHQ7F"
Symantec Intruder Alert KhCF(/9]<H5l?]j7<&U!$k+i$
YsHr8.7^9#]j7<&U!$kN(/9]<H}!KD$FO"
VSymantec Intruder Alert User GuideWr2H7F/@5$#
�� A. Cisco Secure IDS �������-./�
J<O"\qNPG~@GHQD=J Cisco Secure IDS $YsHNlwG9#3l
iO"Cisco Secure IDS QN Tivoli Risk Manager "@W?<KhCF@(*KH
iCW5l":v9k"@W?<&l3<IK^CW5l^9#
sig_1000 IP options-Bad Option List
sig_1001 IP options-Record Packet Route
sig_1002 IP options-Timestamp
sig_1003 IP options-Provide s,c,h,tcc
sig_1004 IP options-Loose Source Route
sig_1005 IP options-SATNET ID
sig_1006 IP options-Strict Source Route
sig_1100 IP Fragment Attack
sig_1101 Unknown IP Protocol
sig_1102 Impossible IP Packet
sig_1103 IP Fragments Overlap
sig_1104 IP Localhost Source Spoof
sig_1200 IP Fragmentation Buffer Full
sig_1201 IP Fragment Overlap
sig_1202 IP Fragment Overrun - Datagram Too Long
sig_1203 IP Fragment Overwrite - Data is Overwritten
sig_1204 IP Fragment Missing Initial Fragment
sig_1205 IP Fragment Too Many Datagrams
sig_1206 IP Fragment Too Small
sig_1207 IP Fragment Too Many Frags
sig_1208 IP Fragment Incomplete Datagram
sig_1220 Jolt2 Fragment Reassembly DoS attack NEW
sig_2000 ICMP Echo Reply
sig_2001 ICMP Host Unreachable
sig_2002 ICMP Source Quench
sig_2003 ICMP Redirect
sig_2004 ICMP Echo Request
sig_2005 ICMP Time Exceeded for a Datagram
sig_2006 ICMP Parameter Problem on Datagram
sig_2007 ICMP Timestamp Request
sig_2008 ICMP Timestamp Reply
sig_2009 ICMP Information Request
sig_2010 ICMP Information Reply
sig_2011 ICMP Address Mask Request
sig_2012 ICMP Address Mask Reply
sig_2100 ICMP Network Sweep w/Echo
sig_2101 ICMP Network Sweep w/Timestamp
sig_2102 ICMP Network Sweep w/Address Mask
sig_2150 Fragmented ICMP Traffic
sig_2151 Large ICMP Traffic
sig_2152 ICMP Flood
sig_2153 Smurf
sig_2154 Ping of Death Attack
sig_3000 TCP Ports
sig_3001 TCP Port Sweep
sig_3002 TCP SYN Port Sweep
sig_3003 TCP Frag SYN Port Sweep
sig_3005 TCP FIN Port Sweep
sig_3006 TCP Frag FIN Port Sweep
sig_3010 TCP High Port Sweep
sig_3011 TCP FIN High Port Sweep
sig_3012 TCP Frag FIN High Port Sweep
sig_3015 TCP Null Port Sweep
sig_3016 TCP Frag Null Port Sweep
sig_3020 TCP SYN FIN Port Sweep
sig_3021 TCP Frag SYN FIN Port Sweep
sig_3030 TCP SYN Host Sweep
sig_3031 TCP FRAG SYN Host Sweep
sig_3032 TCP FIN Host Sweep
sig_3033 TCP FRAG FIN Host Sweep
sig_3034 TCP NULL Host Sweep
sig_3035 TCP FRAG NULL Host Sweep
sig_3036 TCP SYN FIN Host Sweep
sig_3037 TCP FRAG SYN FIN Host Sweep
sig_3038 Fragmented NULL TCP Packet
sig_3039 Fragmented Orphaned FIN packet
sig_3040 NULL TCP Packet
sig_3041 SYN/FIN Packet
sig_3042 Orphaned Fin Packet
sig_3043 Fragmented SYN/FIN Packet
sig_3045 Queso Sweep
sig_3050 Half-open SYN Attack
sig_3100 Smail Attack
sig_3101 Sendmail Invalid Recipient
sig_3102 Sendmail Invalid Sender
sig_3103 Sendmail Reconnaissance
sig_3104 Archaic Sendmail Attacks
sig_3105 Sendmail Decode Alias
sig_3106 Mail Spam
sig_3107 Majordomo Execute Attack
sig_3108 MIME Overflow Bug
sig_3109 Q-Mail Length Crash
sig_3110 Suspicious Mail Attachment
sig_3150 FTP Remote Command Execution
sig_3151 FTP SYST Command Attempt
sig_3152 FTP CWD ~root
sig_3153 FTP Improper Address Specified
sig_3154 FTP Improper Port Specified
sig_3155 FTP RETR Pipe Filename Command Execution
sig_3156 FTP STOR Pipe Filename Command Execution
sig_3157 FTP PASV Port Spoof
sig_3200 WWW Phf Attack
sig_3201 WWW General cgi-bin Attack
sig_3202 WWW .url File Requested
sig_3203 WWW .lnk File Requested
sig_3204 WWW .bat File Requested
sig_3205 HTML File Has .url Link
sig_3206 HTML File Has .lnk Link
sig_3207 HTML File Has .bat Link
sig_3208 WWW campas Attack
sig_3209 WWW Glimpse Server Attack
sig_3210 WWW IIS View Source Attack
sig_3211 WWW IIS Hex View Source Attack
sig_3212 WWW NPH-TEST-CGI Attack
sig_3213 WWW TEST-CGI Attack
sig_3214 IIS DOT DOT VIEW Attack
sig_3215 IIS DOT DOT EXECUTE Attack
sig_3216 IIS Dot Dot Crash Attack
sig_3217 WWW php View File Attack
sig_3218 WWW SGI Wrap Attack
sig_3219 WWW PHP Buffer Overflow
sig_3220 IIS Long URL Crash Bug
sig_3221 WWW cgi-viewsource Attack
sig_3222 WWW PHP Log Scripts Read Attack
sig_3223 WWW IRIX cgi-handler Attack
sig_3224 HTTP WebGais
sig_3225 HTTP Gais Websendmail
sig_3226 WWW Webdist Bug
sig_3227 WWW Htmlscript Bug
sig_3228 WWW Performer Bug
sig_3229 Website Win-C-Sample Buffer Overflow
sig_3230 Website Uploader
sig_3231 Novell convert
sig_3232 WWW finger attempt
sig_3233 WWW count-cgi Overflow
sig_3250 TCP Hijack
sig_3251 TCP Hijacking Simplex Mode
sig_3300 NetBIOS OOB Data
sig_3301 NETBIOS Stat
sig_3302 NETBIOS Session Setup Failure
sig_3303 Windows Guest Login
sig_3304 Windows Null Account Name
sig_3305 Windows Password File Access
sig_3306 Windows Registry Access
sig_3307 Windows Redbutton Attack
sig_3308 Windows LSARPC Access
sig_3309 Windows SRVSVC Access
sig_3400 Sunkill
sig_3401 Telnet-IFS Match
sig_3450 Finger Bomb
sig_3500 Rlogin -froot Attack
sig_3525 IMAP Authenticate Buffer Overflow
sig_3526 Imap Login Buffer Overflow
sig_3530 Cisco Secure ACS Oversized TACACS+ Attack NEW
sig_3540 Cisco Secure ACS CSAdmin Attack NEW
sig_3550 POP Buffer Overflow
sig_3575 INN Buffer Overflow
sig_3576 INN Control Message Exploit
sig_3600 IOS Telnet Buffer Overflow
sig_3601 IOS Command History Exploit
sig_3602 Cisco IOS Identity
sig_3603 IOS Enable Bypass
sig_3650 SSH RSAREF2 Buffer Overflow
sig_3990 BackOrifice BO2K TCP Non Stealth
sig_3991 BackOrifice BO2K TCP Stealth 1
sig_3992 BackOrifice BO2K TCP Stealth 2
sig_4000 UDP Packet
sig_4001 UDP Port Sweep
sig_4002 UDP Flood
sig_4050 UDP Bomb
sig_4051 Snork
sig_4052 Chargen DoS
sig_4053 Back Orifice
sig_4054 RIP Trace
sig_4055 BackOrifice BO2K UDP
sig_4100 Tftp Passwd File
sig_4150 Ascend Denial of Service
sig_4500 Cisco IOS Embedded SNMP Community Names NEW
sig_4600 IOS UDP Bomb
sig_5034 WWW IIS newdsn attack
sig_5035 HTTP cgi HylaFAX Faxsurvey
sig_5036 WWW Windows Password File Access Attempt
sig_5037 WWW SGI MachineInfo Attack
sig_5038 WWW wwwsql file read Bug
sig_5039 WWW finger attempt
sig_5040 WWW Perl Interpreter Attack
sig_5041 WWW anyform attack
sig_5042 WWW CGI Valid Shell Access
sig_5043 WWW Cold Fusion Attack
sig_5044 WWW Webcom.se Guestbook attack
sig_5045 WWW xterm display attack
sig_5046 WWW dumpenv.pl recon
sig_5047 WWW Server Side Include POST attack
sig_5048 WWW IIS BAT EXE attack
sig_5049 WWW IIS showcode.asp access
sig_5050 WWW IIS .htr Overflow Attack
sig_5051 IIS Double Byte Code Page
sig_5052 FrontPage Extensions PWD Open Attempt
sig_5053 FrontPage _vti_bin Directory List Attempt
sig_5054 WWWBoard Password
sig_5055 HTTP Basic Authentication Overflow
sig_5056 WWW Cisco IOS %% DoS
sig_5057 WWW Sambar Samples
sig_5058 WWW info2www Attack
sig_5059 WWW Alibaba Attack
sig_5060 WWW Excite AT-generate.cgi Access
sig_5061 WWW catalog_type.asp Access
sig_5062 WWW classifieds.cgi Attack
sig_5063 WWW dmblparser.exe Access
sig_5064 WWW imagemap.cgi Attack
sig_5065 WWW IRIX infosrch.cgi Attack
sig_5066 WWW man.sh Access
sig_5067 WWW plusmail Attack
sig_5068 WWW formmail.pl Access
sig_5069 WWW whois_raw.cgi Attack
sig_5070 WWW msadcs.dll Access
sig_5071 WWW msacds.dll Attack
sig_5072 WWW bizdb1-search.cgi Attack
sig_5073 WWW EZshopper loadpage.cgi Attack
sig_5074 WWW EZshopper search.cgi Attack
sig_5075 WWW IIS Virtualized UNC Bug
sig_5076 WWW webplus bug
sig_5077 WWW Excite AT-admin.cgi Access
sig_5078 WWW Piranha passwd attack
sig_5079 WWW PCCS MySQL Admin Access
sig_5080 WWW IBM WebSphere Access NEW
sig_5081 WWW WinNT cmd.exe Access NEW
sig_5083 WWW Virtual Vision FTP Browser Access NEW
sig_5084 WWW Alibaba Attack 2 NEW
sig_5085 WWW IIS Source Fragment Access NEW
sig_5086 WWW WEBactive Logfile Access NEW
sig_5087 WWW Sun Java Server Access NEW
sig_5088 WWW Akopia MiniVend Access NEW
sig_5089 WWW Big Brother Directory Access NEW
sig_5090 WWW FrontPage htimage.exe Access NEW
sig_5091 WWW Cart32 Remote Admin Access NEW
sig_5092 WWW CGI-World Poll It Access NEW
sig_5093 WWW PHP-Nuke admin.php3 Access NEW
sig_5095 WWW CGI Script Center Account Manager Attack NEW
sig_5096 WWW CGI Script Center Subscribe Me Attack NEW
sig_5097 WWW FrontPage MS-DOS Device Attack NEW
sig_5099 WWW GWScripts News Publisher Access NEW
sig_5100 WWW CGI Center Auction Weaver File Access NEW
sig_5101 WWW CGI Center Auction Weaver Attack NEW
sig_5102 WWW phpPhotoAlbum explorer.php Access NEW
sig_5103 WWW SuSE Apache CGI Source Access NEW
sig_5104 WWW YaBB File Access NEW
sig_5105 WWW Ranson Johnson mailto.cgi Attack NEW
sig_5106 WWW Ranson Johnson mailform.pl Access NEW
sig_5107 WWW Mandrake Linux /perl Access NEW
sig_5108 WWW Netegrity Site Minder Access NEW
sig_5109 WWW Sambar Beta search.dll Access NEW
sig_5110 WWW SuSE Installed Packages Access NEW
sig_5111 WWW Solaris Answerbook 2 Access NEW
sig_5112 WWW Solaris Answerbook 2 Attack NEW
sig_5113 WWW CommuniGate Pro Access NEW
sig_5114 WWW IIS Unicode Attack NEW
sig_6001 Normal SATAN Probe
sig_6002 Heavy SATAN Probe
sig_6050 DNS HINFO Request
sig_6051 DNS Zone Transfer
sig_6052 DNS Zone Transfer from High Port
sig_6053 DNS Request for All Records
sig_6054 DNS Version Request
sig_6055 DNS Inverse Query Buffer Overflow
sig_6056 BIND NXT Buffer Overflow
sig_6057 BIND SIG Buffer Overflow
sig_6100 RPC Port Registration
sig_6101 RPC Port Unregistration
sig_6102 RPC Dump
sig_6103 Proxied RPC Request
sig_6104 RPC Set Spoof
sig_6105 RPC Unset Spoof
sig_6110 RPC RSTATD Sweep
sig_6111 RPC RUSERSD Sweep
sig_6112 RPC NFS Sweep
sig_6113 RPC MOUNTD Sweep
sig_6114 RPC YPPASSWDD Sweep
sig_6115 RPC SELECTION_SVC Sweep
sig_6116 RPC REXD Sweep
sig_6117 RPC STATUS Sweep
sig_6118 RPC ttdb Sweep
sig_6150 ypserv Portmap Request
sig_6151 ypbind Portmap Request
sig_6152 yppasswdd Portmap Request
sig_6153 ypupdated Portmap Request
sig_6154 ypxfrd Portmap Request
sig_6155 mountd Portmap Request
sig_6175 rexd Portmap Request
sig_6180 rexd Attempt
sig_6190 statd Buffer Overflow
sig_6191 RPC.tooltalk buffer overflow
sig_6192 RPC mountd Buffer Overflow
sig_6193 RPC CMSD Buffer Overflow
sig_6194 sadmind RPC Buffer Overflow
sig_6195 RPC amd Buffer Overflow
sig_6200 Ident Buffer Overflow
sig_6201 Ident Newline
sig_6202 Ident Improper Request
sig_6250 FTP Authorization Failure
sig_6251 Telnet Authorization Failure
sig_6252 Rlogin Authorization Failure
sig_6253 POP3 Authorization Failure
sig_6255 SMB Authorization Failure
sig_6300 Loki ICMP Tunnelling
sig_6302 General Loki ICMP Tunneling
sig_6500 RingZero Trojan
sig_6501 TFN Client Request
sig_6502 TFN Server Reply
sig_6503 Stacheldraht Client Request
sig_6504 Stacheldraht Server Reply
sig_6505 Trinoo Client Request
sig_6506 Trinoo Server Reply
sig_6507 TFN2K Control Traffic
sig_6508 Mstream Control Traffic
sig_8000/2101 FTP Retrieve Password File
sig_8000/2302 Telnet-/etc/shadow Match
sig_8000/2303 Telnet-+ +
sig_8000/51301 Rlogin-IFS Match
sig_8000/51302 Rlogin-/etc/shadow Match
sig_8000/51303 Rlogin-+ +
sig_10000/1000 IP-Spoof Interface 1
sig_10000/1001 IP-Spoof Interface 2
�� B. ISS RealSecure IDS �������-./�
J<Nj9HO"=~@G ISS RealSecure IDS KhCF SNMP $YsHH7F
Tivoli Enterprise Console "@W?<Kw.5lk6br(7F$^9#3li,"
=_ Tivoli Enterprise Console SNMP "@W?<KhCF5]<H5lF$k"?
C/&70KAc<G9#
Tivoli Risk Manager G5]<H5lF$J$ ISS RealSecure IDS 6bO9YF"
V9YFa* (Catch All)W/i9K,`5l^9#
"��1����������-./�
HTTP..
HTTP Robots Txt
HTTP NCSA Buffer Overflow
HTTP NT8.3 Filename
HTTP Netscape Space View
HTTP Netscape Page Services
HTTP IE3 URL
HTTP IIS$DATA
HTTP PHF
HTTP UNIX Passwords
HTTP IE BAT
HTTP Nph Test Cgi
HTTP Shells
HTTP Test Cgi
HTTP WebSite Uploader
HTTP Sgi Handler
HTTP WebSite Sample
HTTP IISExAir DoS
HTTP Campas cgi-bin
HTTP HylaFax faxsurvey
HTTP Cold Fusion
HTTP IIS3 Asp Dot
HTTP IIS3 Asp 2e
HTTP WebFinger
HTTP Cachemgr
HTTP MachineInfo
HTTP Count
HTTP SiteCsc Access
HTTP Webgais
HTTP FormMail
HTTP Guestbook
HTTP Websendmail
HTTP Classifieds Post
HTTP Glimpse cgi-bin
HTTP HTMLScript
HTTP Novell Convert
HTTP Novell Files
HTTP PHP Overflow
HTTP Pfdisplay Read
HTTP Pfdisplay Execute
HTTP RegEcho
HTTP RpcNLog
HTTP SCO View-Source
HTTP SGI Wrap
HTTP SGI Webdist
HTTP Verity Search
HTTP Carbo Server
HTTP Info2WWW
HTTP JJ
HTTP Cdomain
ARP Host Down
Portmapper Program Dump Decode
IP HalfScan
Queso Scan
Rlogin -froot
Windows Access Error
Ftp SYST Command Decode
Ftp Root
FSP Detected
Finger User
Port Scan
UDP Port Scan
Kerberos User Snarf
DNS Length Overflow
Echo Denial of Service
Generic Intel Overflow
Mountd Export Decode
Mountd Mnt Decode
Nfs Mknod Check
Perl Fingerd Check
Email Expn
Email Vrfy
Email Vrfy Overflow
Email Helo Overflow
Email Ehlo
Email Pipe
Email Decode
Email Debug
Email Wiz
Email Qmail Length
Ident Error
Snmp Activity
Snmp Set
Sun SNMP Backdoor
HP OpenView SNMP Backdoor
Imap User
Imap Password
Imap Overflow
POP Overflow
TearDrop
Land_UDP
Land Denial of Service Attack
Ident User Decoding
Finger Bomb
FTP Bounce
FTP Privileged Bounce Attack
Ping Flood
Smurf
Win IGMP
Windows Out Of Band
Ping Of Death
SYNFlood
IP Protocol Violation
BackOrifice
TrinooDaemon
NetBus_Pro
IPUnknownProtocol
IPFrag
Satan
ISS Scan Check
������������-./�
Login Successful
Logout
Guest
Use Of User Rights
Password change Failed
Password change Successful
Failed login - account locked out
Failed login - account expired
Failed login - bad username or password
Failed login - account disabled
Logon with Admin Privileges
Global group user added
Global group user removed
Local group changed
Local group created
Local group deleted
Local group user added
Local group user removed
Account policy change
User account changed
User account created
User account deleted
User right granted
User right revoked
Audit log cleared
Audit policy change
User added to local admin group
User admin right granted
Important programs
Privilege service called
Registry autorun changed
Program started
Program exited
Logon process registered
Brute Force login attack
Brute Force login attack Successful
Change password attack
Change password attack Successful
Registry eventlog settings changed
Registry NT security options changed
Failed change of important files
Config-log files deleted
Suspect port scan
Suspicious FTP connection
Suspicious IMAP connection
Suspicious Netstat connection
Suspicious POP3 connection
Suspicious POP2 connection
Suspicious SMTP connection
Suspicious Systat connection
Suspicious Telnet connection
Suspicious Whois connection
Suspicious WWW connection
Suspicious Finger connection
Suspicious Time connection
Suspicious SSH connection
Suspicious Sunrcp connection
Suspect Netbus
�� C. McAfee Alert Manager Sensor �������)��
�*
Tivoli Risk Manager O"McAfee Alert Manager *hS McAfee NetShield KhCF
8.5lkaC;<8rhj~_^9#
McAfee Alert Manager O"9YFN McAfee AntiVirus Point of Entry Scanner Kh
CFHQ5lk&LN"i<H&aC;<82rs!7^9#McAfee Alert
Manager Message Utility rHQ7F"3liNaC;<8N=(*hSQ9rT&
3H,G-^9#
EW: aC;<8NQ9O"5EKTCF/@5$#aC;<8O"=JbNuV
r=7^9#aC;<8rQ99kH"aC;<8,w.5lk6xHJC?\v
NuV,#5lF7^&3H,"j^9#
Tivoli Risk Manager O"McAfee Alert Manager NP<8gs 4.5 H&K[[5l
?~@NuVN Alert Manager aC;<8Np\;CHr5]<H7^9#$:l
NaC;<8NA0rQ99klgb""@W?<NU)<^CH&U!$k
rmmac.fmt r977"Q9bFr?G5;k,W,"j^9#
McAfee Alert Manager GO"f<6<,D9NaC;<8rHQD=^?OHQT
DK7?j"-?P]NaC;<8rEgYKhCF*r7?jG-^9#
Tivoli Risk Manager O"McAfee NetShield 4.5 KhCF_j5lkaC;<8Nl
tb5]<H7^9#3liNaC;<8O"McAfee NetShield &$k9&9-c
s&3s]<MsHKX"9kEWJ"/F#SF#<r==7^9#
Tivoli Risk Manager NU)<^CH&U!$k rmmac.fmt KhCF"!N McAfee
Alert Manager aC;<8H NetShield aC;<8,hj~^l^9#
[HsINaC;<8, Alert Manager Event Log Alert: +iO^j^9#
v EgaC;<8
– The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. Detected with Scan Engine %ENGINEVERSION% DAT version %DATVERSION%
– The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. Unable to clean the file using the current Scan engine version %ENGINEVERSION%
– The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. Unable to delete the infected file.
– Unable to exclude %FILENAME% from further scans.
– The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. Access to the file was denied. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%
– The file %FILENAME% is infected with the %VIRUSNAME% %VIRUSTYPE%. Unable to move the file to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%
– System memory is infected with the %VIRUSNAME% %VIRUSTYPE%. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
– The scan found a boot record infected with %VIRUSNAME% %VIRUSTYPE%. Detected using Scan Engine version %ENGINEVERSION% DAT version %DATVERSION%.
– The scan found infected files. Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. The scan found and cleaned infected files using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
– 6w7?P$s@<&*V8'/H
– The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. Detected with Heuristics, Scan Engine %ENGINEVERSION% DAT version %DATVERSION%
– Heuristics has detected that file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. Unable to delete the infected file.
– Heuristics has detected that file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE% and has moved the file to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%
– Heuristics has detected that file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. Unable to move the file to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%
– The scan encountered an error attempting to clean a boot record infected with %VIRUSNAME% %VIRUSTYPE%. Detected using Scan Engine version %ENGINEVERSION% DAT version %DATVERSION%.
– An email from %MAILFROMNAME%, addressed to %MAILTONAME%, with subject %MAILSUBJECTLINE% was infected with the virus %VIRUSNAME% in attachment %FILENAME%. The infected attachment could not be cleaned with Scan engine version %ENGINEVERSION% DAT version %DATVERSION%, and has been deleted.
– An email for %MAILTONAME% (CC to %MAILCCNAME%) from %MAILFROMNAME% with the subject line %MAILSUBJECTLINE% was infected with the virus %VIRUSNAME%. The email has been deleted.
– /.T %MAILFROMNAME%"8h %MAILTONAME%"o>
%MAILSUBJECTLINE% NERa<kN:UU!$k %FILENAME% ,&$
k9 %VIRUSNAME% K6w7F$^7?#(An email from
%MAILFROMNAME%, addressed to %MAILTONAME%, with subject
%MAILSUBJECTLINE% was Infected with the virus %VIRUSNAME% in
attachment %FILENAME%.) 6w7F$?:UU!$kO"9-cs&(s8
U? C. McAfee Alert Manager Sensor Q"@W?<NaC;<8 173
sNP<8gs %ENGINEVERSION%"DAT P<8gs %DATVERSION%
G/j<Ks0G-J+C??a"V%5l^7?#(The infected attachment
could not be cleaned with Scan engine version %ENGINEVERSION% DAT
version %DATVERSION%, and has been deleted and quarantined.)
• Major messages
– The file %FILENAME% was infected with %VIRUSNAME% %VIRUSTYPE%. The file was successfully cleaned with Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
– The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file was successfully deleted.
– Heuristics has detected that file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file was successfully deleted.
– The update failed; see event log.
– The upgrade failed; see event log.
– An email for %MAILTONAME% (CC to %MAILCCNAME%) from %MAILFROMNAME% with the subject line %MAILSUBJECTLINE% is infected with the virus %VIRUSNAME%.
– A maximum load condition is occuring!
• Minor messages
– A macro was detected within %FILENAME%.
– A macro was deleted from within %FILENAME%.
– An email from %MAILFROMNAME%, addressed to %MAILTONAME%, with subject %MAILSUBJECTLINE% was infected with the virus %VIRUSNAME% in attachment %FILENAME%. The infected attachment has been cleaned.
– An email for %MAILTONAME% (CC to %MAILCCNAME%) from %MAILFROMNAME% with the subject line %MAILSUBJECTLINE% is infected with the virus %VIRUSNAME%. The email has been quarantined.
– Inbound email is being suspended until more disk space is available.
– Warning - abnormal termination!
– An email from %MAILFROMNAME%, addressed to %MAILTONAME%, with subject %MAILSUBJECTLINE% was infected with the virus %VIRUSNAME% in attachment %FILENAME%. The infected attachment has been cleaned and quarantined.
• Warning messages
– The file %FILENAME% will be excluded from further scans.
– The file %FILENAME% is infected with the %VIRUSNAME% %VIRUSTYPE%. The infected file was moved to the quarantine area. Detected using Scan engine version %SCANENGINE% DAT version %DATVERSION%.
– The scan was cancelled at time %GMTTIME%.
– The scan reported an error accessing the activity log file while scanning file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
– The scan reported a memory allocation error while scanning file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
– The directory path name is too long. The scan could not scan some items in the specified location. Error occurred while scanning file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
– The scan could not access the media due to write protection while scanning file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
– The scan could not find the specified media while scanning file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
– The scan found an invalid scan item while scanning file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
– The scan reported a file I/O error while scanning file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
– The scan reported a disk I/O error while scanning file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
– The scan reported a general system error while scanning file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
– The scan reported an internal application error while scanning file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
– The scan encountered an error while processing password protected file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
– The scan was unable to scan password protected file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
– The scan of %FILENAME% has taken too long to complete and is being canceled. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
– The scan cleaned a boot record infected with the %VIRUSNAME% %VIRUSTYPE%. Detected using Scan Engine version %ENGINEVERSION% DAT version %DATVERSION%.
– "i<HNw.fK(i<,/87^7?#(An error occurred while sending
an alert.)
– 5zJ*W7gs,Xj5l^7?#(Invalid Options were Specified.)
– 918e<k5l??9/r+OG-^;s#(Unable to start scheduled task.)
– 918e<k5l??9/rd_9kH-K(i<,/87^7?#(Error
stopping scheduled task.)
– ?9/,hjC5l^7?#(Task was canceled.)
– m0&U!$k %FILENAME% XNq-~_fK(i<,/87^7?#(An
error occurred writing to the log file %FILENAME%.)
– abj<dj6j(i<,/3j^7?#(A memory allocation error occurred.)
– 9-csh}(i< (Scan Process Error)
– "CW0l<I,hjC5l^7?#(The upgrade was cancelled.)
– DAT P<8gs,77/"j^;s#(The DAT version was not new enough.)
9-cs&(s8sNP<8gsO %ENGINEVERSION%" DAT P<8gs
O %DATVERSION% G9#(Scan version %ENGINEVERSION% DAT version
%DATVERSION%.)
– /.T %MAILFROMNAME%"8h %MAILTONAME%"o>
%MAILSUBJECTLINE% NERa<k,3sFsD&U#k?<&k<k
%VIRUSNAME% rKj^7?#(An email from %MAILFROMNAME%,
addressed to %MAILTONAME%, with subject %MAILSUBJECTLINE% has
broken the Content Filter rule %VIRUSNAME%.) ERa<kOVmC/5l^
7?#(The email has been blocked.)
– 8h %MAILTONAME% (CC O %MAILCCNAME%)"/.T
%MAILFROMNAME%"o> %MAILSUBJECTLINE% NERa<k,3sF
sD&U#k?<&k<krKj^7?#(An email for %MAILTONAME%
(CC to %MAILCCNAME%) from %MAILFROMNAME% with the subject line
%MAILSUBJECTLINE% has broken a Content Filter rule.) ERa<kOVmC
/5l^7?#(The email has been blocked.)
– =,JG#9/&9Z<9,xQD=J?a"u.ERa<k,F+5l^7
?#(Inbound email has resumed, as sufficient disk space is available.)
v psaC;<8
– 9-cs,0;7^7?#(The scan completed.) 6wU!$kO+D+j^;
sG7?#(No infected files were found.) HQ5l?9-cs&(s8sNP
<8gsO %ENGINEVERSION%"DAT P<8gsO %DATVERSION% G
9#(Scan engine version used is %ENGINEVERSION% DAT version
%DATVERSION%.)
– Service was started.
– Service ended.
– Task was started successfully.
– Scheduled task was stopped.
– Task was successful.
– On-access scan started at %GMTTIME%. Scan version %ENGINEVERSION% DAT version %DATVERSION%.
– On-access scan stopped. Scan version %ENGINEVERSION% DAT version %DATVERSION%.
– Scan settings were %INFO%. Scan version %ENGINEVERSION% DAT version %DATVERSION%.
– EVENT_SCAN_ENDED
– The update was successful. Scan version %ENGINEVERSION% DAT version %DATVERSION%.
– The update is running.
– The update was canceled.
– The upgrade is running.
– Scan was cancelled by autoupdate of DAT files. Scan version %ENGINEVERSION% DAT version %DATVERSION%.
– Process started.
– Process ended.
– On-demand scan started.
– On-demand scan complete. Viruses found %NUMVIRS%, cleaned %NUMCLEANED%, deleted %NUMDELETED%, quarantined %NUMQUARANTINED%. Scan version %ENGINEVERSION% DAT version %DATVERSION%.
– Running on %OS% with processor serial number %PROCESSORSERIAL% (PIII only).
– Startup request successfully processed.
– Shutdown request successfully processed.
– A new MIB file is available at %FILENAME%.
– Alert Manager Service: Alert Manager Service started.
– Network Associates AutoUpdate started successfully.
– Network Associates AutoUpdate stopped successfully.
– The new version is the same as the installed product.
– Trying to update to %DATVERSION% version of the DAT files.
– NetShield 2000 McShield service started - scanning for %NUMVIRS% viruses. Engine version: %ENGINEVERSION%, Driver version: %DATVERSION%, Extra driver name: %DRIVERNAME%, Number of virus signatures in extra driver: %NUM%, Names of viruses that extra driver can detect: %VIRUSNAMES%.
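The %NAME% placeholders in the message list above are the fields that an adapter format file has to pull out of each Alert Manager message before it can become a TEC event. The following matcher is an added example, not code from the Adapters Guide or from the McAfee adapter: it turns a subset of the templates above into anchored regular expressions, tries the most specific template first, and reports the group heading (Major, Minor, Warning, Informational) the message belongs to together with the extracted fields. The sample log lines are constructed for this example, and the function names (`template_to_regex`, `classify`, `summarize`) are chosen here.

```python
import re

# Templates copied from the McAfee Alert Manager Sensor message list above,
# each labelled with the group heading it appears under. A real format file
# carries the whole list; this subset is enough to exercise the matcher.
TEMPLATES = [
    ("Major",
     "The file %FILENAME% was infected with %VIRUSNAME% %VIRUSTYPE%. "
     "The file was successfully cleaned with Scan engine version "
     "%ENGINEVERSION% DAT version %DATVERSION%."),
    ("Major", "The update failed; see event log"),
    ("Minor", "A macro was detected within %FILENAME%."),
    ("Warning", "The file %FILENAME% will be excluded from further scans."),
    ("Warning",
     "The scan reported a file I/O error while scanning file %FILENAME%. "
     "Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%."),
    ("Informational",
     "On-demand scan complete. Viruses Found %NUMVIRS%, Cleaned %NUMCLEANED%, "
     "Deleted %NUMDELETED%, Quarantined %NUMQUARANTINED%.Scan version "
     "%ENGINEVERSION% DAT version %DATVERSION%."),
]

PLACEHOLDER = re.compile(r"%([A-Z]+)%")


def template_to_regex(template):
    """Compile a %NAME% template into an anchored regex with named groups.

    Literal text is escaped, so punctuation in the template must appear
    verbatim in the message; each placeholder becomes a lazy named group.
    """
    parts, pos = ["^"], 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append("(?P<%s>.+?)" % m.group(1))
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    parts.append(r"\s*$")
    return re.compile("".join(parts))


# Most specific template first: the one with the most literal text is tried
# before shorter ones, so a generic template cannot shadow an exact one.
COMPILED = sorted(
    ((len(PLACEHOLDER.sub("", t)), sev, template_to_regex(t)) for sev, t in TEMPLATES),
    key=lambda item: -item[0],
)


def classify(message):
    """Return (severity, {placeholder: value}) for a known message, else None."""
    for _, severity, regex in COMPILED:
        m = regex.match(message)
        if m:
            return severity, m.groupdict()
    return None


# Constructed sample lines (not taken from a real Alert Manager log).
SAMPLE_LINES = [
    "The file C:\\temp\\invoice.doc.exe was infected with W32/Klez.h virus. "
    "The file was successfully cleaned with Scan engine version 4.1.60 "
    "DAT version 4.0.4200.",
    "A macro was detected within C:\\docs\\report.doc.",
    "On-demand scan complete. Viruses Found 3, Cleaned 2, Deleted 1, "
    "Quarantined 0.Scan version 4.1.60 DAT version 4200.",
    "Some unrelated line that no template describes",
]


def summarize(lines=SAMPLE_LINES):
    """Count matched lines per severity and collect the unmatched ones."""
    counts, unmatched = {}, []
    for line in lines:
        result = classify(line)
        if result is None:
            unmatched.append(line)
        else:
            counts[result[0]] = counts.get(result[0], 0) + 1
    return counts, unmatched


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line))
    print(summarize())
```

Unmatched lines are returned rather than dropped: a message the catalogue does not describe (a new product version, a locale change) is exactly what a defender wants surfaced, because silently ignoring it would turn a real detection into a missed event.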
Appendix D. Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features described in this document in Japan. Consult the IBM Japan sales representative for information on the products, services, and features currently available in Japan. Any reference in this document to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the customer's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
106-0032
3-2-31 Roppongi, Minato-ku, Tokyo
IBM World Trade Asia Corporation
Licensing
The following warranty does not apply where it is inconsistent with national or state law. IBM and its direct or indirect subsidiaries provide this publication "as is", as a specific item in its existing condition, and assume no express or implied warranty obligations whatsoever, including warranties of merchantability, fitness for a particular purpose, and statutory warranty against defects. Where national or state law prohibits the limitation of warranty obligations by mandatory provisions, that limitation is subject to those provisions.
This document is reviewed periodically, and necessary changes (such as typographical errors and inconsistencies with current products) are incorporated in its next edition. IBM may make improvements or changes to the products or programs described in this document at any time without notice.
Any references in this document to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product, and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information that has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
© Copyright IBM Corp. 2001, 2002 181
Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under the terms of the IBM Customer Agreement, the IBM International Program License Agreement, or any equivalent agreement.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements, or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
This document contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples may include the names of individuals, companies, brands, and products. All of these names are fictitious, and any similarity to the names or addresses of actual business enterprises is entirely coincidental.
If you are viewing this information in softcopy, the photographs and color illustrations may not appear.
Trademarks
The following are trademarks of IBM Corporation:
AIX
DB2
IBM
IBM logo
OS/390
SecureWay
Tivoli
Tivoli logo
Universal Database
WebSphere
z/OS
zSeries
Lotus and Domino are trademarks of IBM Corporation and Lotus Development Corporation.
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
UNIX is a registered trademark licensed by The Open Group in the United States and other countries.
Other company, product, and service names may be trademarks or registered trademarks of others.
Glossary
[A]
adapter. In Risk Manager, an adapter monitors resources and makes them manageable. An adapter generates information (events) and converts the events into a form that the Tivoli Enterprise Console (TEC) can use. The adapter then sends the events to the TEC. See also event adapter and TME adapter.
Adapter Configuration Facility. In the Tivoli environment, a graphical user interface that lets Tivoli administrators easily configure and customize event adapters using adapter configuration profiles.
Adapter Configuration Profile. A container for adapter configuration records. Adapter configuration profiles can be distributed to adapter configuration endpoints. A profile holds information about one or more event adapters: the location of the configuration file, the adapter's environment variable definitions (such as the location of the server), event filter definitions, and other file distribution requests.
administrator. See roles.
alarm. When suspicious activity occurs, an administrator alarm and other configurable responses are triggered, which reduces the security management workload. Tivoli Risk Manager adapters map the alarms generated by the various versions of ISS RealSecure and Cisco Secure IDS (NetRanger) to TEC events. Examples of alarms reported to Tivoli users include Web scans (a list of attacks), port scans (a list of services), and user login attempts (a list of user names). See also TEC event.
event. In the Tivoli environment, a significant change in the state of a system resource, network resource, or network application. In Tivoli Risk Manager, an event can be generated for a problem, for the resolution of a problem, or for the normal completion of a task. Examples of events include the start or stop of normal processing, the abnormal termination of processing, and server log entries. In Tivoli Risk Manager, events are intrusion detection events.
event adapter. In the Tivoli environment, software that converts events into a form that the Tivoli Enterprise Console can use. An event adapter forwards events to the event server. Using the Tivoli Event Integration Facility (EIF) or Tivoli Risk Manager, you can develop your own event adapters, tailored to the particular needs of your network environment. See also Adapter Configuration Facility and Adapter Configuration Profile.
event class. In the Tivoli environment, a classification of events. It indicates the type of information that an event adapter sends to the event server.
event group. In the Tivoli environment, a set of events that meet specific criteria. Each icon on the event console represents an event group. Tivoli administrators can monitor the event groups that are relevant to their own area of work.
event group filter. In the Tivoli environment, an event group filter defines the event classes, sources, and origins for each event group that is filtered at the adapter level.
event console. In the Tivoli environment, a graphical user interface (GUI) that lets system administrators view and respond to the events dispatched from the event server.
event server. In the Tivoli environment, the central server that processes events. The event server creates an entry for each incoming event. It evaluates events against the rule base and decides whether to respond to an event automatically or to transform it automatically. The event server also updates the event console with the latest event information. If the primary event server is unavailable, events are sent to the secondary event server.
end point node. 1) In a Tivoli Management Region (TMR), a Tivoli client configured as a target of management operations. 2) A node at the end of a branch. Synonymous with leaf node.
[KA]
managed node. In the Tivoli environment, a managed resource on which the Tivoli Enterprise Framework is installed.
class. In object-oriented design or programming, a group of objects that share common characteristics, functions, and behavior by sharing a common definition. A member of the group is called an instance of the class. See also event class.
graphical user interface. In the Tivoli environment, the graphical user interface (GUI) that system administrators use to manage their network computing environment. In the Risk Manager event console, the Tivoli desktop is used. See also event console.
attack. An attempt by an unauthorized person to compromise the functions of a network system. See also intrusion attempt.
[SA]
Denial of Service attacks. A type of cyber attack.
vulnerability assessment products. Vulnerability assessment products actively scan a system so that the system administrator receives reports about running services that represent weaknesses, or reports of misconfigurations.
intrusion detection system. 1) A security tool that helps an administrator prevent damage to the network when other protection mechanisms, such as access control or a firewall, have been broken by an intruder. 2) Detects attempted or successful attacks against the resources it monitors. The monitored resources can be part of the network or part of a host system.
intrusion attempt. An attempt by an unauthorized person to access or destroy a network resource.
script. A logical representation of a series of events.
secure adapter. Uses the supplied, appropriate format file to generate TEC events. An adapter is a software program that collects information, performs local filtering operations, and converts relevant events into a format the TEC can use. In Tivoli Risk Manager, an IDS sensor requires a secure adapter (the LogFile adapter on UNIX, or the NT Event Log adapter on Windows NT). See also adapter and event adapter.
sensor. An event monitor.
correlation engine. The Tivoli Risk Manager rules engine. See rules engine.
attribute. Information inside a managed object that the object itself maintains. An attribute has a type, which indicates the range of information the attribute can specify, and a value, which lies within that range. In Tivoli Risk Manager, every event attribute is predefined. Each event attribute has a name and a value; these are the variable data that describe the characteristics of an attack. An attribute takes the form attribute_name=value. The adapter divides information into event classes, formats the information as attributes, and sends it to the Tivoli event server.
[TA]
validation. Checking the correctness of data, or checking that data or an application conforms to rules and regulations.
knowledge-based system. A knowledge-based system uses a system engine that contains a database of information about known attacks and system weaknesses. When the knowledge-based system finds a matching pattern, the engine assumes the system is under attack and raises an alarm. Because detection is based on a database of knowledge, the ratio of false alarms is very low.
behavior-based system. Uses a system engine to detect intruders by searching for deviations from a model of normal system behavior. This standard behavior is defined by setting a training period during which permitted user behavior is carried out. Consequently, in such a system an alarm is raised whenever an action occurs that cannot be matched to a known pattern. In general, behavior-based systems produce a very high ratio of false alarms, but they have the advantage of being able to discover unknown attacks. A behavior-based system requires that the engine be tuned to its environment.
[NA]
network-based system. Collects information through the network packets received by the monitoring host. By analyzing these packets, user behavior can be reconstructed. Because a network-based tool can obtain information about the whole network from a single monitor, it can hold down costs. Network-based tools can detect attacks that involve low-level packets an application cannot interpret. Unsuccessful attacks that never reach the target application are also logged by network-based tools.
[HA]
firewall. A host that separates the internal network from the outside world and lets only appropriate data pass through.
format file. A format file generates the CDS file for a secure adapter. Format files are used to convert the event classes of these adapters and to generate a new CDS file from the format file. In Tivoli Risk Manager, the secure adapter uses the format file to match data and reformat it so that it can be transmitted to the Tivoli Enterprise Console.
false negative. Occurs when an attack takes place but the product does not raise an alarm. This case is clearly a problem, because the intruder's actions can go completely unnoticed. The IDS can therefore give the Tivoli administrator the mistaken impression that all is well.
real positive. An instance in which an attack occurs and the product reports it correctly. In an ideal IDS, every attack is a real positive.
false positive. Occurs when the product raises an alarm although no attack has taken place. This case can also be a problem, because an administrator who encounters false positives may take unnecessary actions. If the IDS is the administrator's only source of information, the administrator naturally does not realize that the alarm is a false positive. After a while, the administrator may decide that this particular alert is not caused by an attack and start to ignore the alarm. The danger is that Tivoli Risk Manager may then also ignore actual attacks.
real negative. An instance in which no attack occurs and the product raises no alarm. In an ideal IDS, normal or acceptable events are real negatives. Real negatives are never presented as events; most audit events fall into this category.
host. On a network, a processing unit in which functions such as data communication and access are concentrated.
host-based system. A host-based system searches for attacks using the system's audit logs. Applications and the operating system can send entries to these files. Host-based systems are therefore well suited to tracking user sessions. The advantage of a host-based tool is that, by examining events that have already occurred, it can verify whether an attack succeeded or failed. It also monitors specific system activities, such as file access or access to other services.
[YA]
roles. The administrator roles are the super, senior, admin, and user roles. A role is a set of authorizations that allow a user to perform a predetermined group of tasks in response to events.
priority. Tivoli Risk Manager assigns a priority to each alarm, for example a high-priority alarm. The UNIX syslogd priority parameter, for instance, can be set. In such processing by the secure adapter, this parameter is used only when events are forwarded to a remote UNIX-based syslog daemon.
[RA]
cube. Also called a multidimensional or PowerPlay cube. An .mdc file created by Cognos PowerPlay Transformer. It contains measures (data) organized by several dimensions and provides various views of the database. Every PowerPlay view file (.ppr) points to a view defined in a cube file.
rule. In the Tivoli environment, a set of one or more logical statements that enable the event server to recognize relationships between events (event correlation) and to carry out automated responses accordingly.
rules engine. The rules engine is the heart of the Tivoli Enterprise Console. It uses a group of rules to determine whether an action needs to be taken in response to an event.
rule base. In the Tivoli environment, a set of rules together with the set of event class definitions for which the rules are written. The Tivoli Enterprise Console uses this rule base when it manages events. An organization can create many rule bases, each of which satisfies a distinct network computing management requirement.
A
ACF. See Adapter Configuration Facility.
ACP. See Adapter Configuration Profile.
B
BAROC file. Basic Recorder of Objects in C (BAROC) file. The internal representation of the event classes defined in the event server. In Tivoli Risk Manager, a BAROC file describes the classes of events supported by a particular type of Tivoli Risk Manager adapter.
E
EIF. See Tivoli Event Integration Facility. See also Tivoli Risk Manager Event Integration Facility.
G
GUI. See graphical user interface.
I
IDS. See intrusion detection system.
IIS. See Internet Information Server.
Internet Information Server (IIS). The Microsoft Web server.
J
Java Virtual Machine. Software that provides a system-independent interface for Java software (including the Java runtime environment). This term is used when referring to the actual Java virtual machine, not to the Java runtime environment.
Java Runtime Environment. Provides the runtime environment for Java software. It runs on top of the Java Virtual Machine (JVM). Unless otherwise noted, this term refers to the general Java runtime environment provided by a browser, a Web server, or some other context, not to the JRE product from Sun.
JRE. See Java Runtime Environment.
JVM. See Java Virtual Machine.
P
Perl. Practical Extraction and Report Language.
Prolog. Programming in Logic. One of the programming languages in the family of logic programming languages.
T
TEC. See Tivoli Enterprise Console.
TEC event. An event in the Tivoli Enterprise Console.
Tivoli Enterprise Console. A Tivoli product that collects, processes, and automatically initiates corrective actions for system, application, network, and database events. It is the central point for events from all sources. The Tivoli Enterprise Console provides a centralized and comprehensive network computing environment. Distributed event monitors are used to collect information, a central event server to process it, and distributed event consoles to present it to system administrators.
Tivoli Event Integration Facility. A toolkit that provides a simple application programming interface (API) so that customers and Tivoli partners can develop new event adapters and send events to the Tivoli Enterprise Console. Customers can also convert events from third-party or in-house applications.
Tivoli Management Environment. Tivoli applications based on the Tivoli Management Framework. Installed at a particular customer location, it provides access to network computing management information across a wide range of platforms. In the Tivoli environment, system administrators can distribute software, manage user configurations, change access rights, automate operations, monitor resources, and schedule jobs. The Tivoli Management Environment was formerly known as TME 10.
Tivoli Management Framework. The base software required to run applications in the Tivoli Management Environment product family. Given this software infrastructure, the system management application programs of Tivoli and Tivoli partners can be integrated. The Framework includes:
• the object request broker (oserv)
• a distributed object database
• base management functions
• base application services
• base desktop services such as the graphical user interface (GUI)
In the Tivoli Management Environment, the Tivoli Management Framework is installed on every client and every server, with the following exceptions:
• The Tivoli Management Framework has not been installed on a client personal computer, and the PC agent has been installed on that personal computer instead.
• The Tivoli Management Region (TMR) server is the only server that holds a complete object database.
Tivoli Risk Manager Event Integration Facility. A toolkit that provides a simple application programming interface (API) so that customers and Tivoli partners can develop new Tivoli SecureWay Risk Manager event adapters and send events to the Tivoli Enterprise Console. Customers can also convert events from third-party or in-house applications.
Tivoli Management Region. In the Tivoli Management Environment, a set consisting of a TMR server and the clients connected to that TMR server. A single organization can set up multiple TMRs. A TMR addresses the physical connectivity of resources, whereas a policy region addresses the logical organization of resources.
TME. See Tivoli Management Environment.
TME adapter. See secure adapter.
TMR. See Tivoli Management Region.
Index
Entries are arranged in the order Japanese, alphabetic, numeric, and symbol. Voiced and semi-voiced kana are treated the same as unvoiced kana.
[A] architecture
adapter, for Symantec Intruder Alert 151
adapter for Host Intrusion Detection - HP-UX 11i 99
adapter for Enterasys Dragon 131
adapter for Tivoli Access Manager 4.1 108
accessibility x
attack signatures
ISS RealSecure IDS 167
attack signature information
Cisco Secure IDS 17, 159
ISS RealSecure 27
adapters
where to obtain 3
general-purpose 3
Tivoli Enterprise console 1
adapters, Tivoli Risk Manager
Host Intrusion Detection - HP-UX 11i 97
architecture 99
installation 100
operating system requirements 97
removal 102
Check Point FireWall-1 59
installation and configuration 62
operating system requirements 60
management tasks 68
Cisco Secure IDS
architecture 16
installation and configuration 18
operating system requirements 16
Tivoli Enterprise Console Correlation 17
Cisco Secure PIX Firewall 43
operating system requirements 44
management tasks 55
firewall events 45
adapters, Tivoli Risk Manager (continued)
Cisco Secure PIX Firewall (continued)
Tivoli Enterprise Console Correlation 44
Tivoli Enterprise Console tasks 50
Cisco routers 35
installation and configuration 37
operating system requirements 37
management tasks 38
Tivoli Enterprise Console Correlation 37
Enterasys Dragon 129
architecture 131
installation 133
operating system requirements 129
configuration 136
sample scenarios 142
signature updates 148
removal 135
other notes 148
network connectivity 148
format file utility 139
problems 148
Alarmtool alert message date 148
Host IDS 91
installation and configuration 93
operating system requirements 91
Tivoli Enterprise Console tasks 95
ISS RealSecure 27
ISS RealSecure IDS
installation and configuration 30
operating system requirements 29
McAfee Alert Manager 79
installation and configuration 82
operating system requirements 79
product overview 80
Norton AntiVirus 85
architecture 87
installation and configuration 88
operating system requirements 85
Norton AntiVirus events 86
adapters, Tivoli Risk Manager (continued)
Symantec Intruder Alert 149
architecture 151
installation 152
operating system requirements 149
troubleshooting 155
Tivoli Access Manager 4.1 105
architecture 108
installation and configuration 109
operating system requirements 105
management tasks 122
starting the components 123
stopping the components 124
removal 121
troubleshooting 119
Event Translator configuration 124
Tivoli Risk Manager Event Integration Facility daemon 123
Adapter Configuration Facility (ACF) vii
Adapter Configuration Facility 12
Adapter Configuration Profile (ACP) vii
adapter, starting
Check Point FireWall-1 70
adapter configuration and distribution 12
adapter, stopping
Check Point FireWall-1 73
administrators, Tivoli
publications viii
alarm policy settings
Check Point FireWall-1 68
uninstalling
adapter for Host Intrusion Detection - HP-UX 11i 102
adapter for Enterasys Dragon 135
adapter for Tivoli Access Manager 4.1 121
event (see TEC event) 188
event auditing
adapter for Host IDS 95
event forwarding
Check Point FireWall-1 62
event logging
Cisco Secure PIX Firewall 55
installation
adapter, for Symantec Intruder Alert 152
adapter for Host Intrusion Detection - HP-UX 11i 100
$s9H<k (3-)
Check Point Firewall-1 Q"@W?<
62
Cisco Secure IDS Q"@W?< 18
Cisco Secure PIX Firewall Q"@W?
< 47
Cisco k<?<Q"@W?< 37
Enterasys Dragon QN"@W?< 133
Host IDS Q"@W?< 93
ISS RealSecure IDS Q"@W?< 30
McAfee Alert Manager Q"@W?<
82
Norton AntiVirus Q"@W?< 88
Tivoli Access Manager 4.1 Q"@W?
< 109
$s?<U'<9
0iU#+k&f<6<&$s?<U
'<9 (GUI) 185, 186
TEC $YsH&3s=<k 185
(i<
Check Point FireWall-1 77
Cisco Secure IDS Q"@W?< 25
ISS RealSecure IDS Q"@W?< 33
(i<h}
Check Point FireWall-1 75
*Zl<F#s0&79F`Wo 5
"@W?<" Symantec Intruder Alert
Q 149
[9H/~!N - HP-UX11i Q"@W
?< 97
Check Point Firewall-1 Q"@W?<
60
Cisco Secure IDS Q"@W?< 16
Cisco Secure PIX Firewall 44
Cisco k<?<Q"@W?< 37
Enterasys Dragon QN"@W?< 129
Host IDS Q"@W?< 91
ISS RealSecure IDS Q"@W?< 29
McAfee Alert Manager Q"@W?<
79
Norton AntiVirus Q"@W?< 85
Tivoli Access Manager 4.1 Q"@W?
< 105
*si$sps
Tivoli Risk Manager ix, 17
N+TO5W
Enterasys Dragon QN"@W?< 131
Tivoli Access Manager 4.1 Q"@W?
< 108
I}
Cisco Secure IDS Q"@W?< 23
Cisco k<?<Q"@W?< 38
ISS RealSecure N"@W?< 32
I}?9/
Check Point Firewall-1 Q"@W?<
68
Cisco Secure IDS Q"@W?< 23
Cisco k<?<Q"@W?< 38
ISS RealSecure N"@W?< 32
Tivoli Access Manager 4.1 Q"@W?
< 122
,'
qN x
?> x
/i9jA9F<HasH (.cds) U!$
k 2
kg
Tivoli Risk Manager H"@W?<NU
)<^CH& U!$k 11
=.
"@W?<H/i$"sH 5
Check Point Firewall-1 Q"@W?<
62
OPSEC LEA *hS SAM 63
OPSEC LEA ^?O SAM 65
Tivoli Enterprise Console Logfile "
@W?< 67
Cisco Secure IDS Q"@W?< 18
Cisco Secure PIX Firewall 50
Cisco Secure PIX Firewall Q"@W?
< 48
Cisco k<?<Q"@W?< 37
Enterasys Dragon QN"@W?< 136
Host IDS Q"@W?< 93
ISS RealSecure IDS Q"@W?< 30
McAfee Alert Manager Q"@W?<
82
Norton AntiVirus Q"@W?< 88
Tivoli Access Manager 4.1 Q"@W?
< 109
=.Nc
Cisco Secure IDS Q"@W?< 20
=.U!$k
Cisco Secure PIX Firewall 56
N5TO5sWk&7Jj*
Enterasys Dragon QN"@W?< 142
70KAc<
Cisco Secure PIX Firewall 47
70KAc<"/~
Cisco Secure PIX Firewall 47
70KAc<N97
Enterasys Dragon QN"@W?< 148
Rp
Cisco Secure PIX Firewall 43
ps"Tivoli Risk Manager viii
|n
[9H/~!N - HP-UX11i Q"@W
?< 102
Enterasys Dragon QN"@W?< 135
Tivoli Access Manager 4.1 Q"@W?
< 121
qNKX9k,' x
qA
Cisco Secure IDS 17
ISS RealSecure 27
ISS RealSecure IDS 27
Tivoli Enterprise Console N0sroH7FN=J viii
Tivoli Risk Manager viii
HNc2 x
/~70KAc<
Cisco Secure PIX Firewall 47
;-e"&"@W?< (secure adapter)
jA 186
;s5<
Check Point FireWall-1 60
Cisco Secure IDS (NetRanger) =J 17
Cisco Secure PIX Firewall 45
ISS RealSecure IDS Q"@W?< 29
;s5<N5b
Check Point FireWall-1 60
;s5<&"/;9"Q9
Cisco Secure PIX Firewall 51
;s5<&m.s0"=(
Cisco Secure PIX Firewall 53
;s5<&m.s0"Q9
Cisco Secure PIX Firewall 54
=<9*hS8hKD$FNpsNWa
Check Point FireWall-1 72
N?TOP]IT vii
?9/
Cisco Secure PIX Firewall 55
Tivoli Access Manager 4.1 Q"@W?< 122
?9/"I}
Cisco Secure IDS Q"@W?< 23
ISS RealSecure N"@W?< 32
?9/&i$Vij<
Cisco Secure PIX Firewall 57
Ae<Ks0
0nY<9/~!N79F` 186
G<bsN+O
Check Point FireWall-1 74
G<bsNd_
Check Point FireWall-1 74
d_
Cisco Secure IDS Q"@W?< 23
192 IBM Tivoli Risk Manager "@W?<¥,$I
Aw)fWmH3k / $s?<MCH&WmH3k (TCP/IP) vii
IT vii
HiCW
Cisco k<?< 40
HiVk7e<F#s0
"@W?<" Symantec Intruder Alert Q 155
NJTOMCHo</\3
Enterasys Dragon QN"@W?< 148
NOTOQ9o<I]n
Cisco Secure PIX Firewall 51
s TME
"@W?< 4
s/~70KAc<
Cisco Secure PIX Firewall 47
U!$"&)<kI}$YsH
Check Point FireWall-1 61
U!$"&)<k&$YsH
Check Point FireWall-1 62
U!$"&)<k&$YsHNjX
Cisco Secure PIX Firewall 45
U!$k
U)<^CH 10
am41log.fmt 10
csids.fmt 10
dragon-base.fmt 10
fmt 10
IntruderAlert.fmt 10
os_aix.fmt 10
os_nt.fmt 10
os_solaris.fmt 10
pix.fmt 10
pix_nt.fmt 10
rmnav.fmt 10
webids.nt.fmt 10
U#<IPC/"s!
qA ix
U)<^CH&U!$k 2, 10
kg 11
Ws 10
U)<^CH&U!$k"Tivoli
tecad_logfile.fmt 10
U)<^CH&U!$k&f<F#jF#<
Enterasys Dragon QN"@W?< 139
$s9H<k 139
,O
MCHo</&Q1CH 187
\qKD$F vii
\qN=. vii
[9H/~!N - HP-UX11i""@W?< 97
"<-F/Ac< 99
$s9H<k 100
*Zl<F#s0&79F`Wo 97
|n 102
N^TO^(,-ps vii
?>,' x
dj
Enterasys Dragon QN"@W?< 148
NdTOWs
"@W?<&?9/ 32
U)<^CH&U!$k 10
NiTOm0&aC;<8
Check Point FireWall-1 75
A
ACF 12
ACF GN=. 12
ACF ("@W?<=.!=) vii
ACF GN=. 12
ACP ("@W?<=.WmU!$k) vii
Alarmtool N"i<H&aC;<8N|U
Enterasys Dragon QN"@W?< 148
am41log.fmt U)<^CH&U!$k 10
B
BAROC U!$k 2
sensor_abstract.baroc 10
C
cds U!$k 2
Check Point FireWall-1
"@W?<N+O 70
"@W?<Nd_ 73
"i<`&]j7<N_j 68
$YsHN>w 62
(i< 77
(i<h} 75
Check Point FireWall-1 (3-)
=.
OPSEC LEA *hS SAM 63
OPSEC LEA ^?O SAM 65
Tivoli Enterprise Console Logfile "@W?< 67
Rp 59
;s5<N5b 60
=<9*hS8hKD$FNpsNWa 72
G<bsN+O 74
G<bsNd_ 74
U!$"&)<kI}$YsH 61
U!$"&)<k&$YsH 62
m0&aC;<8*hS0- 75
IP "Il9NWa 71
LEA KP9kU!$"&)<k 61
Tivoli Enterprise Console ?9/ 69
Check Point Firewall-1 Q"@W?<
Tivoli Enterprise Console ?9/ 69
Check Point FireWall-1""@W?<
$s9H<k*hS=. 62
*Zl<F#s0&79F`Wo 60
I}?9/ 68
Cisco Secure IDS
"?C/&70KAc< 159
=JqA 17
=JN Web 5$H 17
;s5< 17
Cisco Secure IDS Q"@W?<
I} 23
d_ 23
Cisco Secure IDS""@W?<
"<-F/Ac< 16
$s9H<k*hS=. 18
*Zl<F#s0&79F`Wo 16
I}?9/ 23
=.Nc 20
dj 25
m0&U!$k&"@W?< 21
Tivoli Enterprise Console
Correlation 17
Tivoli Enterprise Console ?9/ 23
Cisco Secure PIX Firewall
$YsHNm.s0 55
=.U!$k 56
Rp 43
/~70KAc< 47
;s5<N5b 45
?9/&i$Vij< 57
s/~70KAc< 47
Cisco Secure PIX Firewall""@W?< 43
$s9H<k 47
*Zl<F#s0&79F`Wo 44
=. 50
wz 193
Cisco Secure PIX Firewall""@W?< (3-)
70KAc< 47
70KAc<"/~ 47
;s5<&"/;9"Q9 51
;s5<&m.s0"=( 53
;s5<&m.s0"Q9 54
?9/ 55
Q9o<I]n 51
Tivoli Enterprise Console
Correlation 44
Tivoli Enterprise Console ?9/ 50
Cisco k<?<
5W 35
HiCW 40
Cisco k<?<""@W?< 35
$s9H<k*hS=. 37
*Zl<F#s0&79F`Wo 37
I}?9/ 38
csids.fmt U)<^CH&U!$k 10
D
dragon-base.fmt U)<^CH&U!$k 10
E
EIF (Event Integration Facility r2H) 185
Enterasys Dragon""@W?< 129
"<-F/Ac< 131
"s$s9H<k 135
$s9H<k 133
*Zl<F#s0&79F`Wo 129
=. 136
5sWk&7Jj* 142
70KAc<N97 148
MCHo</\3 148
U)<^CH&U!$k&f<F#jF#< 139
dj 148
Alarmtool N"i<H&aC;<8N|U 148
Event Integration Facilities 185
Event Logging API (LEA) 59
Event Translator
Tivoli Access Manager 4.1 Q"@W?< 122
Event Translator N=.
Tivoli Access Manager 4.1 Q"@W?< 124
H
Host IDS
Tivoli Enterprise Console jX 93
Host IDS""@W?< 91
$s9H<k*hS=. 93
*Zl<F#s0&79F`Wo 91
Tivoli Enterprise Console ?9/ 95
I
IntruderAlert.fmt U)<^CH&U!$k 10
IP "Il9NWa
Check Point FireWall-1 71
ISS RealSecure
qA 27
ISS RealSecure IDS
"?C/&70KAc< 167
qA 27
Web 5$H 27
ISS RealSecure IDS""@W?< 27
$s9H<k*hS=. 30
(i< 33
*Zl<F#s0&79F`Wo 29
I}?9/ 32
;s5< 29
SNMP HiCW 29
Tivoli Enterprise Console jX 30
ISS RealSecure N"@W?<
I} 32
I}?9/ 32
L
LEA Event Logging API 59
LEA"U!$"&)<k\3KP~
Check Point FireWall-1 61
M
McAfee Alert Manager""@W?< 79
$s9H<k*hS=. 82
*Zl<F#s0&79F`Wo 79
=JN5b 80
;s5<NaC;<8 171
N
NetRanger (Cisco Secure IDS =Jr2H) 17
Norton AntiVirus
Tivoli Enterprise Console
Correlation 86
Norton AntiVirus $YsH 86
Norton AntiVirus""@W?< 85
"<-F/Ac< 87
$s9H<k*hS=. 88
*Zl<F#s0&79F`Wo 85
Norton AntiVirus $YsH 86
O
Open Platform for Security (OPSEC) (OPSEC 5<P<r2H) 59
OPSEC 5<P< 59
os_aix.fmt U)<^CH&U!$k 10
os_nt.fmt U)<^CH&U!$k 10
os_solaris.fmt U)<^CH&U!$k 10
P
pix.fmt U)<^CH&U!$k 10
pix_nt.fmt U)<^CH&U!$k 10
R
rmnav.fmt U)<^CH&U!$k 10
S
SNMP HiCW
ISS RealSecure IDS Q"@W?< 29
Symantec Intruder Alert Q"@W?< 149
"<-F/Ac< 151
$s9H<k 152
*Zl<F#s0&79F`Wo 149
HiVk7e<F#s0 155
T
TCP/IP (Aw)fWmH3k / $s?<MCH&WmH3k) vii
TEC events ($YsHr2H) 188
tecad_logfile.fmt 10
Tivoli
"@W?<=.!= (ACF) vii
"@W?<=.WmU!$k (ACP) vii
;-ejF#<I} Web ps ix
Event Integration Facility (EIF) 185
Tivoli Access Manager 4.1""@W?< 105
"<-F/Ac< 108
$s9H<k 109
*Zl<F#s0&79F`Wo 105
I}?9/ 122
Tivoli Access Manager 4.1""@W?< (3-)
=. 109
3s]<MsHNd_ 124
|n 121
HiVk7e<F#s0 119
Event Translator 122
Event Translator N=. 124
Tivoli Risk Manager Event Integration Facility G<bs 123
Tivoli Enterprise Console
"@W?< 1, 4
qA viii
Tivoli Enterprise Console Correlation
Cisco Secure IDS 17
Cisco Secure PIX Firewall 44
Tivoli Enterprise Console Logfile "@W?<
Cisco Secure IDS Q"@W?<N=. 21
Tivoli Enterprise Console (TEC r2H) 188
Tivoli Enterprise Console jX
Host IDS 93
ISS RealSecure IDS Q"@W?< 30
Norton AntiVirus 86
Tivoli Enterprise Console ?9/
Ws
Cisco Secure PIX Firewall 50
Check Point FireWall-1 69
Check Point Firewall-1 Q"@W?< 69
Cisco Secure IDS Q"@W?< 23
Cisco Secure PIX Firewall 50
Host IDS Q"@W?< 95
Tivoli Risk Manager
/i$"sH 4
qA viii
U)<^CH&U!$kNWs 10
ACF rHQ7?$s9H<k 12
Event Integration Facility 185
Tivoli Risk Manager Event Integration Facility G<bs
Tivoli Access Manager 4.1 Q"@W?< 123
Tivoli Risk Manager "@W?<
[9H/~!N - HP-UX11i 97
"<-F/Ac< 99
$s9H<k 100
*Zl<F#s0&79F`Wo 97
|n 102
Check Point FireWall-1 59
$s9H<k*hS=. 62
*Zl<F#s0&79F`Wo 60
Tivoli Risk Manager "@W?< (3-)
Check Point FireWall-1 (3-)
I}?9/ 68
Cisco Secure IDS
"<-F/Ac< 16
$s9H<k 18
*Zl<F#s0&79F`Wo 16
I}?9/ 23
=. 18
=.Nc 20
dj 25
m0&U!$k&"@W?< 21
Data Feed 3s]<MsH 18
EIF =. 19
Tivoli Enterprise Console
Correlation 17
Tivoli Enterprise Console ?9/ 23
Cisco Secure PIX Firewall 43
$s9H<k 47
*Zl<F#s0&79F`Wo 44
I}?9/ 55
=. 48
U!$"&)<k&$YsH 45
Tivoli Enterprise Console
Correlation 44
Tivoli Enterprise Console ?9/ 50
Cisco k<?< 35
$s9H<k*hS=. 37
*Zl<F#s0&79F`Wo 37
I}?9/ 38
Tivoli Enterprise Console
Correlation 37
Enterasys Dragon 129
"<-F/Ac< 131
$s9H<k 133
*Zl<F#s0&79F`Wo 129
=. 136
5sWk&7Jj* 142
70KAc<N97 148
|n 135
=N>NmUv` 148
MCHo</\3 148
U)<^CH&U!$k&f<F#jF#< 139
dj 148
Alarmtool N"i<H&aC;<8N|U 148
Host IDS 91
$s9H<k*hS=. 93
Tivoli Risk Manager "@W?< (3-)
Host IDS (3-)
*Zl<F#s0&79F`Wo 91
Tivoli Enterprise Console ?9/ 95
ISS RealSecure 27
ISS RealSecure IDS
$s9H<k*hS=. 30
(i< 33
*Zl<F#s0&79F`Wo 29
;s5< 29
SNMP HiCW 29
Tivoli Enterprise Console jX 30
McAfee Alert Manager 79
$s9H<k*hS=. 82
*Zl<F#s0&79F`Wo 79
=JN5b 80
Norton AntiVirus 85
"<-F/Ac< 87
$s9H<k*hS=. 88
*Zl<F#s0&79F`Wo 85
Norton AntiVirus $YsH 86
Symantec Intruder Alert 149
"<-F/Ac< 151
$s9H<k 152
*Zl<F#s0&79F`Wo 149
HiVk7e<F#s0 155
Tivoli Access Manager 4.1 105
"<-F/Ac< 108
$s9H<k*hS=. 109
*Zl<F#s0&79F`Wo 105
I}?9/ 122
3s]<MsHNO0 123
3s]<MsHNd_ 124
|n 121
HiVk7e<F#s0 119
Event Translator N=. 124
Tivoli Risk Manager Event Integration Facility G<bs 123
W
Web 5$H
;-ejF#<I}ps ix
Cisco Secure IDS =JqA 17
Internet Security Systems (ISS) 27
ISS RealSecure IDS =JqA 27
ISS RealSecure qA 27
Web qA
Cisco Secure IDS =J 17
Web qA (3-)
ISS RealSecure IDS =J 27
Tivoli Risk Manager viii
webids.nt.fmt U)<^CH&U!$k 10
Windows 79F`
Check Point FireWall-1 "@W?<N+O 70
Printed in Japan
SC88-9513-00