Table Of Contents
Cisco Security Agent Overview
Overview
Downloading and Installing
The Agent User Interface
Agent User Interface Control Rule
Agent User Interface Screens
Status
Security Settings
Personal Firewall
AntiVirus Protection
File Protection
Untrusted Applications
User Query Responses
Events
Contact Information
Assigning Sounds to Agent Events
Cisco Security Agent Diagnostics
Resetting Cisco Security Agent
Cisco Security Agent Shortcut Menu
Disabling and Enabling Agent Security
Installing the Windows Agent
Uninstalling the Windows Agent
Agent Interaction with Windows Security Settings
Agent Disables Windows Firewall
Agent Status is not Reported in the Security Center
Common Windows Cisco Security Agent Error Codes
Installing the Solaris Agent
Uninstalling the Solaris Agent
UNIX Agent csactl Utility
Installing the Linux Agent
Uninstall Linux Agent
Command line method
GUI method
Cisco Security Agent Overview
Overview
This chapter describes the agent and provides information on the agent user interface. There is no configuration necessary on the part of the end user in order to run the agent software. Optionally, as the administrator, you can provide end users with an advanced UI that allows them to control their security settings and to use other added features.
If you have configured Query User rules, users should know how to respond to query pop-up boxes. This information and additional advanced UI configuration information is included in the Help provided with the agent user interface. You may want to refer end users to this agent help.
This section contains the following topics.
• Downloading and Installing
• The Agent User Interface
  – Agent User Interface Control Rule
  – Agent User Interface Screens
  – Assigning Sounds to Agent Events
• Cisco Security Agent Diagnostics
• Resetting Cisco Security Agent
• Cisco Security Agent Shortcut Menu
• Disabling and Enabling Agent Security
• Installing the Windows Agent
• Uninstalling the Windows Agent
• Agent Interaction with Windows Security Settings
• Common Windows Cisco Security Agent Error Codes
• Installing the Solaris Agent
• Uninstalling the Solaris Agent
• UNIX Agent csactl Utility
• Installing the Linux Agent
• Uninstall Linux Agent
  – Command line method
  – GUI method
Downloading and Installing
Once you build an agent kit on CSA MC, you deliver the generated URL, via email for example, to end users so that they can download and install the Cisco Security Agent. They access the URL to download and then install the kit. This is the recommended method of agent kit distribution.
But you may also point users to a URL for the Management Center for the Cisco Security Agent (CSA MC). This URL will allow them to see all kits that are available. That URL is:
https://<CSA MC name>/csamc60/kits
If you are pointing users to the "kits" URL and you have multiple agent kits listed here, be sure to tell users which kits to download.
End users must have administrator privileges on their systems to install the agent. Systems on which agents are installed must meet the following requirements:
Table A-1 Agent Requirements (Windows)
System Component | Requirement
Processor | Intel Pentium 200 MHz or higher
          | Note: Up to eight physical processors are supported.
Operating Systems | • Windows Vista Business and Enterprise editions with Service Pack 0 or 1.
                  | • Windows Server 2003 (Standard, Enterprise, Web, or Small Business Editions) Service Pack 0, 1, or 2.
                  | • Windows XP (Professional, Tablet PC Edition 2005, or Home Edition) Service Pack 0, 1, 2, or 3.
                  | • Windows Embedded Point of Service (WEPOS) 1.1
                  | • Windows 2000 (Professional, Server, or Advanced Server) with Service Pack 0, 1, 2, 3, or 4.
                  | Note: Citrix Metaframe and Citrix XP are supported. Terminal Services are supported on Windows 2003, Windows XP, and Windows 2000.
                  | Supported language versions are as follows:
                  | • For Windows 2003, XP, and 2000, all language versions, except Arabic and Hebrew, are supported.
Memory | 256 MB minimum—all supported Windows 2003, Windows XP, and Windows 2000 platforms
       | 512 MB minimum—for Windows Vista
Hard Drive Space | 60 MB or higher
                 | Note: This includes program and data.
Network | Ethernet
        | Note: Maximum of 64 IP addresses supported on a system.

Note
For a host to download an agent kit and communicate with the CSA MC, certain ports must be available. See "Port Availability Requirements" in Installing Management Center for Cisco Security Agents for more information about port requirements.
Note
The Cisco Security Agent uses approximately 30 MB of memory. This applies to agents running on all supported Microsoft and UNIX platforms.
Caution 
When upgrading or changing operating systems, uninstall the agent first. When the new operating system is in place, you can install a new agent kit. Because the agent installation examines the operating system at install time and copies components accordingly, existing agent components may not be compatible with operating system changes.
To run the Cisco Security Agent on your Solaris server systems, the requirements are as follows:
Table A-2 Agent Requirements (Solaris)
System Component | Requirement
Processor | UltraSPARC 400 MHz or higher
          | Note: Uni-processor, dual-processor, and quad-processor systems are supported.
Hardware platform | Sun4u for Solaris 8, 9, and 10.
Operating Systems | • Solaris 10, 64-bit kernel, 6/06 edition or higher.
                  |   Recommended patch level for Solaris 10: 120068-03: SunOS 5.10: in.telnetd Patch
                  | • Solaris 9, 64-bit, patch version 111712-11 or higher installed.
                  | • Solaris 8, 64-bit, 12/02 edition or higher (this corresponds to kernel Generic_108528-18 or higher).
                  |   Recommended patch levels for Solaris 8: 108434-17 and 108435-17
                  | Note: If you have the minimal Sun Solaris 8 installation (Core group) on the system to which you are installing the agent, the Solaris machine will be missing certain libraries and utilities the agent requires. Before you install the agent, you must install the "SUNWlibCx" library, which can be found on the Solaris 8 Software disc (1 of 2) in the /Solaris_8/Product directory. Install it using the command: pkgadd -d . SUNWlibCx
Memory | 256 MB minimum for Solaris 8 and 9
       | 512 MB minimum for Solaris 10
Hard Drive Space | 50 MB or higher
                 | Note: This includes program and data.
Network | Ethernet
        | Note: Maximum of 64 IP addresses supported on a system.

Note
For a host to download an agent kit and communicate with the CSA MC, certain ports must be available. See "Port Availability Requirements" in Installing Management Center for Cisco Security Agents for more information about port requirements.
To run the Cisco Security Agent on your Linux systems, the requirements are as follows:
Table A-3 Agent Requirements (Linux)
System Component | Requirement
Processor | 500 MHz or faster x86 processor (32-bit only)
          | Note: Uni-processor, dual-processor, and quad-processor systems are supported.
Operating Systems | • Red Hat Enterprise Linux 5.0 with Update 1 or Update 2. These operating system implementations are supported for the Desktop, Server, and Advanced Platform releases.
                  |   Minimum supported kernel: 2.6.18
                  | • Red Hat Enterprise Linux 4.0 WS, ES, or AS
                  |   Minimum supported kernel: 2.6.9-11
                  | • Red Hat Enterprise Linux 3.0 WS, ES, or AS
                  |   Minimum supported kernel: 2.4.0
                  | • SUSE Linux Enterprise 10 with Service Pack 2, Server and Desktop editions.
                  |   Minimum supported kernel: 2.6.18
Memory | 256 MB minimum
Hard Drive Space | 50 MB or higher
                 | Note: This includes program and data.
Network | Ethernet
        | Note: Maximum of 64 IP addresses supported on a system.

Note
For a host to download an agent kit and communicate with the CSA MC, certain ports must be available. See "Port Availability Requirements" in Installing Management Center for Cisco Security Agents for more information about port requirements.
Caution 
On Linux systems, if you upgrade the kernel version or boot a different kernel version than the initial version where the agent was installed, you must uninstall and reinstall the agent.
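The following Python pre-install check is an added illustration and is not Cisco's installer code. It encodes the minimums from Table A-3 together with the kernel-change caution above (the agent must be reinstalled if the running kernel is not the one it was installed on). The distribution labels, the HostFacts structure, and the two sample hosts are this example's own constructed values; on a real host you would fill them in from `uname -r`, `uname -m`, /proc/meminfo, `df`, and the interface address count.

```python
"""Pre-install requirement check for a Linux host, modelled on Table A-3.

Added illustration only; this is not Cisco's installer. The minimums are the
ones Table A-3 lists; the two HostFacts below are constructed sample values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Minimum supported kernels from Table A-3 (keys are this example's own labels).
MIN_KERNEL = {
    "rhel5": (2, 6, 18),      # Red Hat Enterprise Linux 5.0 Update 1/2
    "rhel4": (2, 6, 9, 11),   # Red Hat Enterprise Linux 4.0 WS/ES/AS
    "rhel3": (2, 4, 0),       # Red Hat Enterprise Linux 3.0 WS/ES/AS
    "sles10": (2, 6, 18),     # SUSE Linux Enterprise 10 SP2
}
SUPPORTED_ARCH = {"i386", "i486", "i586", "i686"}   # x86, 32-bit only
MIN_MEMORY_MB = 256
MIN_DISK_MB = 50
MAX_IP_ADDRESSES = 64


def parse_kernel_version(release: str) -> Tuple[int, ...]:
    """Turn a `uname -r` string such as '2.6.18-92.el5' into a comparable tuple.

    Only the leading numeric fields count; the distro suffix ('.el5', 'smp') is ignored.
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def kernel_meets_minimum(release: str, minimum: Tuple[int, ...]) -> bool:
    """Pad both tuples to the same width so 2.6.18 compares correctly against 2.6.18-92."""
    have = parse_kernel_version(release)
    width = max(len(have), len(minimum))
    have = have + (0,) * (width - len(have))
    need = minimum + (0,) * (width - len(minimum))
    return have >= need


@dataclass
class HostFacts:
    distro: str                      # one of the MIN_KERNEL keys
    kernel: str                      # running kernel (`uname -r`)
    installed_kernel: Optional[str]  # kernel recorded when the agent was installed, or None
    memory_mb: int
    free_disk_mb: int
    ip_addresses: int
    arch: str                        # `uname -m`


def check_requirements(host: HostFacts) -> List[str]:
    """Return the list of reasons the host does not qualify; an empty list means it does."""
    problems = []
    if host.arch not in SUPPORTED_ARCH:
        problems.append(f"architecture {host.arch} is not supported (32-bit x86 required)")
    minimum = MIN_KERNEL.get(host.distro)
    if minimum is None:
        problems.append(f"distribution {host.distro!r} is not supported")
    elif not kernel_meets_minimum(host.kernel, minimum):
        need = ".".join(str(n) for n in minimum)
        problems.append(f"kernel {host.kernel} is below the minimum supported kernel {need}")
    if host.memory_mb < MIN_MEMORY_MB:
        problems.append(f"{host.memory_mb} MB memory is below the {MIN_MEMORY_MB} MB minimum")
    if host.free_disk_mb < MIN_DISK_MB:
        problems.append(f"{host.free_disk_mb} MB free disk is below the {MIN_DISK_MB} MB minimum")
    if host.ip_addresses > MAX_IP_ADDRESSES:
        problems.append(f"{host.ip_addresses} IP addresses exceeds the supported maximum of {MAX_IP_ADDRESSES}")
    # The Caution above: running a kernel other than the one the agent was installed
    # on means the agent must be uninstalled and reinstalled.
    if host.installed_kernel is not None and host.installed_kernel != host.kernel:
        problems.append("running kernel differs from the install-time kernel; uninstall and reinstall the agent")
    return problems


# Constructed sample hosts (not real inventory data).
SAMPLE_OK = HostFacts("rhel5", "2.6.18-92.el5", "2.6.18-92.el5", 1024, 400, 2, "i686")
SAMPLE_BAD = HostFacts("rhel4", "2.6.9-5.EL", "2.6.9-11.EL", 512, 30, 2, "x86_64")

if __name__ == "__main__":
    for h in (SAMPLE_OK, SAMPLE_BAD):
        print(h.distro, h.kernel, check_requirements(h) or "OK")
```

The kernel comparison pads the shorter version tuple with zeros so that a minimum given as 2.6.18 is satisfied by 2.6.18-92, while 2.6.9-5 correctly falls below the 2.6.9-11 minimum listed for Red Hat Enterprise Linux 4.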
Once users install agents on their systems, they are asked whether they want to reboot (unless Automatic reboot was selected at kit creation time). Whether or not the system is rebooted, the agent service starts immediately and the system is protected.
If a system is not rebooted following the agent installation, the following functionality is not immediately available. (This functionality becomes available the next time the system is rebooted.)
For Windows agents, when no reboot occurs after install, the following caveats exist:
• Network Shield rules are not applied until the system is rebooted.
• Network access control rules only apply to new socket connections. Network server services should be stopped and restarted for full network access control security without a system reboot.
• Data access control rules are not applied until the web server service is restarted.
For Solaris and Linux agents, when no reboot occurs after install, the following caveats exist:
• Network access control rules only apply to new socket connections. Network server services should be stopped and restarted for full network access control security without a system reboot.
• Buffer overflow protection is only enforced for new processes.
• File access control rules only apply to newly opened files.
• Data access control rules are not applied until the web server service is restarted.
At this time, the agent automatically and transparently registers with CSA MC.
You can see which hosts have successfully registered by clicking the Hosts link available from the Systems category in the menu bar. This displays the hosts list view. All registered host system names appear here. Agents are now ready to receive policies.
The Agent User Interface
Note
The Cisco Security Agent user interface does not run on Solaris systems. The Solaris agent has a utility (csactl) to provide some of the capabilities that the Windows and Linux agents provide in their user interface. See UNIX Agent csactl Utility for details. The Cisco Security Agent user interface appearance is the same on all Windows and Linux platforms.
Agent User Interface Control Rule
As the administrator, you decide which agent UI options to provide to the end user. These options are controlled by the Agent UI control rule. See Agent UI Control, page 6-4. Available options are as follows:
• Allow user to reset agent UI default settings—Selecting this checkbox in the Agent UI control rule causes the end user to have a product reset option available from the Start>Programs>Cisco>Cisco Security Agent menu. Selecting the "Reset Cisco Security Agent" option puts all agent settings back to their original states and clears almost all other user-configured settings. This does not clear configured Firewall Settings or File Protection settings. But if these features are enabled, they are disabled, as this is the default factory setting. The information entered into the edit boxes for these features is not lost when a reset occurs.
• Allow user interaction—Selecting this checkbox in the Agent UI control rule causes the end user to have a visible and accessible agent UI, including a red flag in the system tray.
• Allow user access to agent configuration and contact information—Selecting this checkbox in the Agent UI control rule provides Status, Messages, and Contact Information features, including the ability to manually poll the MC. It also provides the User Query Responses window.
• Allow user to modify agent security settings—Selecting this checkbox in the Agent UI control rule provides System Security and Untrusted Applications features.
• Allow user to modify agent personal firewall settings—Selecting this checkbox in the Agent UI control rule provides Local Firewall Settings and File Protection features. (If you select this checkbox, you are providing the end user with controls to which you have limited access. Firewall queries and other information will not be logged to the CSA MC event log.)
• Suppress taskbar notifications—Selecting this check box in the Agent UI control rule greatly reduces CSA notifications to the user. If the option is selected, user interaction with CSA is changed in these ways:
  – The user no longer receives balloon messages.
  – The flag icon in the system tray no longer pulses.
  – The user no longer receives tool-tip text in the task bar icon.
  – The user will no longer hear sounds for security events. (For Windows platforms only.)
Note
Users also have control over suppressing taskbar notifications. On the agent shortcut menu, users can select "Suppress Taskbar Notifications." If users choose to suppress taskbar notifications, then they gain control over turning this function on or off in the future. If an administrator changes the Suppress taskbar notifications check box in this rule after a user changes the setting, the administrator's action will have no effect on that user.
Agent User Interface Screens
To open the agent user interface, users can double-click on the agent icon in their system trays. The user interface opens on their desktop. The options available in the agent UI depend upon the features selected in the Agent UI control rule governing the agent in question. All possible agent features are described here.
Status
The Status screen shows users basic information about the Cisco Security Agent and provides users with information about software updates.
Figure A-1 Agent Status Screen
• Host name: The host name of the machine on which this agent is installed.
• Management Center: The name of the CSA MC server with which the agent is registered and from which the agent receives policies.
  Generally, when the Management Center for Cisco Security Agents is in the "reachable" state, agents can send events to the MC and receive software and policy updates from the MC. The MC reachable state is reported in the Management Center field on the Status pane of the agent interface.
  This is how the MC Reachable state is determined: Remote agents are initially in the MC "not reachable" state. CSA re-evaluates its MC Reachable state whenever the agent machine's routing table changes. Once the routing table changes, CSA tries to poll. If the poll is successful, the MC is "reachable"; if the poll is unsuccessful, the MC is "not reachable."
  The MC Reachable state does not indicate whether the MC is "pingable" from the agent. Rather, the reachable state changes as the result of a routing table or IP address change that forces a new poll.
• Registration date: The date and time the agent registered with CSA MC.
• Last poll time: The last time the agent successfully polled CSA MC.
• Last download time: The date and time the agent last downloaded data from CSA MC.
• Software update: Lets users know if there is a software version Update Available for their agent.
• If users have the Cisco Trust Agent installed and are using Network Admission Control, the Network Admission Control posture result for the agent is displayed on the UI. For example, it may display the status as Healthy, Quarantine, Infected, etc.
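The MC Reachable logic described under the Management Center field has only two inputs: the initial "not reachable" default and the result of the poll the agent attempts after a routing-table or IP address change. The model below is an added example (not the agent's code) that makes that explicit, including the point that ping results are not an input; the event names and the scripted poll outcomes are this example's own constructed values.

```python
"""How the agent's 'MC reachable' state is derived (added model, not the agent's code).

The only inputs to the state are (a) the initial 'not reachable' default and
(b) the result of the poll the agent attempts whenever its routing table or
IP address changes. Ping results are recorded but never change the state.
"""
from collections import deque


class McReachability:
    def __init__(self, poll):
        # poll: callable returning True when a poll of CSA MC succeeds.
        self._poll = poll
        self.reachable = False          # remote agents start out 'not reachable'
        self.log = []                   # (event, result, state-after) for inspection

    def state(self):
        return "reachable" if self.reachable else "not reachable"

    def on_routing_table_change(self):
        """A routing-table or IP address change forces a new poll; its outcome is the new state."""
        ok = bool(self._poll())
        self.reachable = ok
        self.log.append(("routing-change", ok, self.state()))
        return self.state()

    def on_ping_result(self, ok):
        """ICMP reachability is not an input: the state is left untouched."""
        self.log.append(("ping", ok, self.state()))
        return self.state()


def run_scenario(poll_outcomes, events):
    """Replay a constructed event sequence; poll_outcomes are consumed in order.

    Returns the state after each step, starting with the initial state.
    """
    outcomes = deque(poll_outcomes)
    mc = McReachability(poll=lambda: outcomes.popleft())
    states = [mc.state()]
    for event, arg in events:
        if event == "route":
            states.append(mc.on_routing_table_change())
        elif event == "ping":
            states.append(mc.on_ping_result(arg))
        else:
            raise ValueError(f"unknown event {event!r}")
    return states


if __name__ == "__main__":
    # Constructed scenario: a VPN comes up (the forced poll succeeds), the MC later
    # stops answering pings (no state change), then a route flap makes the next poll fail.
    print(run_scenario([True, False], [("route", None), ("ping", False), ("route", None)]))
```

Because a poll is only attempted on a routing change, an MC that goes down while the routing table stays stable will still show as "reachable" until the next scheduled or manual poll; that is why the Status pane's Last poll time is the better indicator of current connectivity.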
Installing Software Updates
Occasionally, software updates are provided for agents. Administrators configure the central server to distribute the appropriate software updates to specified agents across the network. If there is a software update available for an agent, the agent will receive the update the next time it polls in. If the administrator has configured the update to prompt users before installing, users are notified when an update is available. Users can update at that time or postpone the update.
On Windows agents, after an update has taken place, users may be required to reboot their system within 5 minutes. They cannot stop this reboot. They have 5 minutes to save any open documents.
On Linux agents, if the update requires a system reboot, a broadcast message will appear informing users that their system will be rebooted in 5 minutes.
See Modify Groups With Hosts That Meet a Search Criteria, page 3-32 for CSA MC configuration details.
Note
Use the csactl utility (see page 26) on Solaris systems to check for updates and install them.
Poll for New configuration
Clicking the Poll button forces the agent to poll the management center immediately rather than waiting for the configured time interval to trigger a poll. This way, the agent receives any rule changes right away. Administrators may advise users to implement this fast polling if new rules are being deployed and tested.
Security Settings
The Security Settings screen allows users to manage their agent's security level, some aspects of its network connections, and its behavior following a local installation or uninstallation of software.
Figure A-2 Agent Security Settings Screen
Security Level
The Low, Medium, and High security levels allow users to select an administratively defined security policy. Each setting maps to a specified system state configured on the central management center. If administrators have not defined different levels of security states for the agents, moving the slidebar between security levels will not alter their security.
Some examples of how administrators might define various configuration levels are as follows:
A High security setting may cause the agent to detect a wide range of both known attacks and potential attack behavior. With high security enabled, these actions could be automatically denied when they are detected rather than giving you the option of allowing them via a query user pop-up box (as might be available in lower settings).
A Medium security setting may cause the agent to detect a wide range of attacks similar to those detected at the high setting. But this level might cause you to be presented with more query pop-up boxes to ensure that the action taking place is intended by you and not a type of attack.
A Low security setting may cause the agent to detect the more commonly known attacks that are easily distinguished from normal system behavior. In most cases, you could be queried as to whether the detected action should be allowed or not.
The Off security setting disables all agent security.
Caution 
In all cases, whether you have states defined for all security levels or not, moving the slidebar to Off will disable all agent security. When security is disabled, a red "x" appears over the agent flag.
Caution 
For Windows agents running CSA Antivirus: If the AntiVirus feature has quarantined files, and security is turned off, your computer is no longer protected from the files in the Quarantined files list.
Preventing New Network Connections
When the Network Lock checkbox is enabled, the agent will not allow any new network connections on the system. Disabling the checkbox disables the network lock.
Alternatively, users can set a time frame of 0-60 minutes of network access inactivity after which the agent automatically enforces a network lock on the system. When that time frame is reached, the Network Lock checkbox is automatically selected by the agent itself. Unselect the checkbox to turn it off again.
When a network lock is enforced on the system, existing network connections are not lost, but no new connections (in or out) are allowed.
Note
If you have the Network Lock enabled and you reboot your system, Network Lock is no longer turned on after the reboot. (All other agent settings, except temporary query response caching, remain constant across reboots.)
Install / Uninstall Detected
The Cisco Security Agent temporarily suspends certain security settings when users are installing or uninstalling software that was downloaded over the network. If users select "Yes" when they are queried whether to allow an installation to proceed, an additional Resume button appears in the Security Settings window. If the agent doesn't automatically detect that the install has completed, users can click the Resume button to inform the agent when the install or uninstall process has finished. This way, the agent knows the process is done and it can reinstate all suspended security immediately. If users do not click the Resume button, the agent automatically reinstates suspended security after a certain period of time.
If the install/uninstall requires you to reboot the system when it completes, all agent security settings suspended during that time are reinstated at boot time whether users answered the agent installation completion query or not before rebooting.
Note
In some cases, a virus can appear to be an install or uninstall program by attempting to delete or modify executables or other system files. When you install and uninstall software, the agent queries you to ensure that you are indeed altering a configuration intentionally and that some other unintended action is not taking place.
Personal Firewall
Personal Firewall settings restrict certain applications from making certain types of network connections.
Figure A-3 Agent Personal Firewall Screen
The Personal Firewall feature gives users the ability to add restrictions to the security policies created by system administrators. It is not possible to use this functionality to make security policies more permissive.
To use the Personal Firewall, click the Enable checkbox. If Local Learn Mode is not checked, then each time a new application attempts to connect to the network, users will be asked whether this connection should be permitted. If they respond no, then connections of this type will be denied in the future. If they respond yes, then future connections of this type will be allowed, assuming that they are not denied by other security policies.
After Enabling the Personal Firewall, users may find that they get a lot of query dialogs. By clicking the Local Learn Mode checkbox, users instruct CSA to assume that all network connections not otherwise denied by CSA policies are permitted. The application list on this screen will be populated and will indicate that these applications are allowed to make certain connections. In effect, the Local Learn Mode checkbox allows users to bypass the query boxes while CSA learns what connections are permissible. After a certain period of time, though, users should uncheck the Local Learn Mode box so that they will be queried when applications they use infrequently attempt to access the network.
Users can see what permissions have been assigned to specific applications based on the graphic that appears beside the application name in the edit box. If there is no graphic present for an application, that network permission type has not yet been assigned. An application can have up to 4 permission types assigned to it. Refer to the Permission Key below for a description of each possible network service graphic.
If users want to change the assigned permissions of a given application, they select it in the edit box and press the Delete key. When they click the Apply button, the delete takes effect on the system. When users next invoke the application, they will be queried. They should respond to the query accordingly to reset permissions for the application.
On Windows systems, users can remove items or choose a sorting order by right-clicking in the personal firewall window.
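The Personal Firewall behaviour described above combines three rules: central CSA MC policy always wins (local settings can only add restrictions), Local Learn Mode records an allow for every otherwise-permitted connection instead of querying, and deleting an application's entry makes the next attempt query again. The following added Python model (not Cisco's implementation) demonstrates that decision order for the four permission types in the Permission Key; the `admin_denied` set, the application names and the `ask_user` callback are this example's own constructed inputs, and treating Audit Mode as "local table ignored" follows the Note below.

```python
"""Model of the Personal Firewall decision logic (added example, not the agent's code).

Decision order for an application attempting a connection of a given type:
  1. central policy denies it            -> deny (local settings cannot loosen policy)
  2. firewall disabled or Audit Mode     -> allow (local settings inactive / ignored)
  3. a learned entry exists              -> that answer
  4. Local Learn Mode is on              -> record allow, allow
  5. otherwise                           -> query the user, record the answer
"""
from enum import Enum


class Perm(Enum):
    """The four permission types shown by the Permission Key icons."""
    EMAIL = "email"
    HTTP = "http"
    CLIENT = "client"
    SERVER = "server"


class PersonalFirewall:
    def __init__(self, admin_denied, enabled=False, learn_mode=False, audit_mode=False):
        self.admin_denied = set(admin_denied)   # (app, Perm) pairs denied by CSA MC policy
        self.enabled = enabled                  # the Enable checkbox
        self.learn_mode = learn_mode            # the Local Learn Mode checkbox
        self.audit_mode = audit_mode            # host's group is in Audit Mode
        self.table = {}                         # app -> {Perm: allowed?} (the application list)
        self.queries = 0                        # how many pop-ups the user has seen

    def decide(self, app, perm, ask_user=None):
        """Return 'allow' or 'deny'; ask_user(app, perm) -> bool is called only when a query is needed."""
        if (app, perm) in self.admin_denied:
            return "deny"                       # central policy; not overridable locally
        if not self.enabled or self.audit_mode:
            return "allow"                      # nothing local applies
        learned = self.table.setdefault(app, {})
        if perm in learned:
            return "allow" if learned[perm] else "deny"
        if self.learn_mode:
            learned[perm] = True                # populate the list without asking
            return "allow"
        if ask_user is None:
            raise RuntimeError(f"query needed for {app}/{perm.value} but no user to ask")
        self.queries += 1
        learned[perm] = bool(ask_user(app, perm))
        return "allow" if learned[perm] else "deny"

    def forget(self, app):
        """'Delete' then 'Apply' in the UI: the next use of the application queries again."""
        self.table.pop(app, None)

    def permissions(self, app):
        """The icons that would be shown beside the application (assigned types only)."""
        return dict(self.table.get(app, {}))


if __name__ == "__main__":
    # Constructed walkthrough: learn mode populates the list, the central deny still holds,
    # then learn mode is switched off and an unknown application is queried.
    fw = PersonalFirewall({("telnet.exe", Perm.CLIENT)}, enabled=True, learn_mode=True)
    print(fw.decide("outlook.exe", Perm.EMAIL), fw.permissions("outlook.exe"))
    print(fw.decide("telnet.exe", Perm.CLIENT))
    fw.learn_mode = False
    print(fw.decide("unknown.exe", Perm.SERVER, ask_user=lambda a, p: False), fw.queries)
```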
Note
Users may be prompted several times in order for email applications to receive the various network permission types they optionally use. In some cases, an email may have http links within it. If so, the agent prompts users to allow or deny their email application http access to the network. While waiting for the response, the agent pends the http request. As a result, even if users answer Yes to this permission, the http access may fail on the first attempt. If so, users should close their email application and open it again. The http permission for their email application will then function normally.
Note
If a host belongs to a group operating in Audit Mode, local firewall settings are ignored.
Table A-4 Permission Key
Symbol | Description
(email icon) | This indicates whether or not an application has email network permissions.
(http icon) | This indicates whether or not an application has http network permissions.
(client icon) | This indicates that an application can or cannot make network connections as a client.
(server icon) | This indicates that an application can or cannot make network connections as a server.
AntiVirus Protection
The AntiVirus screen allows users to update their local signature database, perform on-demand virus scans, and manage quarantined files.
Figure A-4 Agent AntiVirus Screen
Updating Signature Database
The AV signature update field indicates the last time that local signature database was updated. <Never> indicates that the local signature database installed with the agent has not been updated.
Clicking Update now manually retrieves updates to the signature database.
Last scanned file
The Last scanned file field shows the path to the last file scanned as a result of a CSA rule triggering the virus scan. The last file scanned after an On-demand scan does not appear in this field.
On-demand Scan
Clicking On-demand scan opens the AntiVirus On-demand scan window. To configure an on-demand scan, follow this procedure:
Step 1
Specify directories to be scanned: Click Add, browse to the drive or directory you want to scan for viruses and click OK. The path is added to the Directories to be scanned window. Repeat this step until you have specified all the locations you want to scan.
Note
Directory scans are recursive. That is, all the subdirectories in the directory you specify will be scanned in addition to the directory you specify.
Note
You can remove a directory from Directories to be scanned list by selecting the path and clicking Remove.
Step 2
Specify the scan speed:
– Fast: Performs the scan the most quickly and uses the most CPU resources. It may prevent you from performing other tasks.
– Normal: Performs the scan at a moderate pace and uses a moderate amount of CPU resources. It may impact other operations.
– Slow: Performs the scan at a slow pace and uses the least amount of CPU resources. It has the least impact on other operations.
Step 3
Click Start scan.
The Scan progress area displays the directory and file being scanned and a summary of the number of files scanned, files found to be infected, and elapsed time of the scan. When the scan is complete, the title bar of the window will read, "AntiVirus On-demand scan [complete]."
Note
If you want to stop the scan while it is running, click Stop scan. If you restart the scan, the scan will begin again at the beginning of the list of directories to be scanned.
Quarantined Files Tab
If a file is found to have a virus, it is quarantined in place and listed in the Quarantined files tab. A quarantined file is rendered inert by the CSA AntiVirus rules installed on the host.
You can delete quarantined files by selecting them from the list and clicking the Delete file(s) button. If you feel that a file has been quarantined erroneously, you can move it to the Restored files tab by selecting the file and clicking the Restore File(s) button. If a quarantined file is deleted from your computer for any reason, it is also removed from the Quarantined files list.
Caution 
If the CSA Security Level is set to Off, your computer is no longer protected from the files in the Quarantined files list.
Caution 
If CSA is reset, all files in the Quarantined files list are removed.
Restored Files Tab
A file listed in the Restored files tab was once quarantined; you determined that the file was not malicious and "restored" your access to it. Restoring a file does not give you additional access to it. For example, if you had read-only access to a file before it was quarantined, you will have read-only access to it after it is restored.
If you want to quarantine a file in the Restored files list, select it from the list and click Quarantine File(s). If a file in the Quarantined Files list is deleted from your computer for any reason, it is also removed from the Restored files list.
Caution 
If CSA is reset, all files in the Restored files list are removed.
File Protection
Through some simple configuration, the agent can protect specified local files and directories on your system from certain types of network access. This is useful if you have sensitive personal information stored on your system. Entering the name of the file or directory that you want to protect limits network access to that resource.
Windows users can add directories and files to the file protection field by browsing for them or by entering them in the edit field using proper syntax. Linux users can add individual files to the file protection field by entering them in the edit field.
Generally, if an application attempts to open a protected file and make a network connection, CSA queries the user to allow or deny the application from editing the file and from making the network connection. File protection also denies access to a protected file from a mapped drive if you are in the Medium or High security state; if you are in the Low security state, you receive a query. File protection is built in to CSA; it is not defined by security policies.
Note
Files and directory names must be added to the File Protection window using a specific syntax. That syntax is explained to end-users in the Cisco Security Agent online help.
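The following added Python model (not Cisco's implementation) walks through the File Protection decisions stated above: a protected file opened by an application that also makes a network connection produces a query, access through a mapped drive is denied at Medium or High and queried at Low, turning the feature off leaves the pane's contents in place, and the Off security level disables the feature along with the rest of agent security. The matching rule is this example's own assumption (an entry matches a file exactly or anything beneath a protected directory, compared case-insensitively with either slash style); the real entry syntax is the one in the agent's online help, and the sample paths are constructed.

```python
"""Model of the agent's built-in File Protection decisions (added example, not Cisco's code).

Assumed matching rule (this example's own, not the documented syntax): an entry
matches the file itself or any path beneath a protected directory, compared
case-insensitively with backslashes and forward slashes treated alike.
"""
from enum import Enum


class Level(Enum):
    """The Security Settings slider positions."""
    OFF = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def _norm(path):
    """Canonical form used for comparisons."""
    return path.replace("\\", "/").rstrip("/").lower()


class FileProtection:
    def __init__(self, enabled=False, level=Level.MEDIUM):
        self.enabled = enabled      # the Enable check box
        self.level = level          # the Security Settings slider
        self.entries = []           # the file protection pane; kept even while disabled

    def add(self, path):
        """'Add' then 'Apply': protect a file or directory entered in the edit field."""
        n = _norm(path)
        if n not in self.entries:
            self.entries.append(n)

    def remove(self, path):
        """'Remove'/'Delete' then 'Apply'."""
        self.entries = [e for e in self.entries if e != _norm(path)]

    def is_protected(self, path):
        n = _norm(path)
        return any(n == e or n.startswith(e + "/") for e in self.entries)

    def decide(self, path, app_has_network, via_mapped_drive):
        """Return 'allow', 'deny', or 'query' for an application opening `path`."""
        if not self.enabled or self.level is Level.OFF or not self.is_protected(path):
            return "allow"
        if via_mapped_drive:
            # Medium/High: denied outright; Low: the user is queried instead.
            return "deny" if self.level in (Level.MEDIUM, Level.HIGH) else "query"
        if app_has_network:
            return "query"          # open + network connection by the same application
        return "allow"              # local-only access to a protected file is not the concern here


if __name__ == "__main__":
    # Constructed walkthrough with sample Windows paths.
    fp = FileProtection(enabled=True, level=Level.MEDIUM)
    fp.add(r"C:\Users\me\Private")
    fp.add(r"C:\Users\me\taxes.xls")
    print(fp.decide(r"C:\Users\me\Private\notes.txt", app_has_network=True, via_mapped_drive=False))
    print(fp.decide(r"C:\Users\me\taxes.xls", app_has_network=True, via_mapped_drive=True))
    fp.level = Level.LOW
    print(fp.decide(r"C:\Users\me\taxes.xls", app_has_network=True, via_mapped_drive=True))
```

The directory match requires a path separator after the entry, so protecting C:\Users\me\Private does not accidentally cover a sibling such as C:\Users\me\Privateer; that distinction is worth checking whenever a prefix rule guards sensitive files.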
Figure A-5 File Protection
Selecting a Directory to Protect
Windows users may browse to a directory and select it for protection.
Step 1
Select the Enable check box. This turns on file protection.
Step 2
Click Browse.
Step 3
Select the directory you want to protect and click Add; it appears in the edit field.
Step 4
(Optional) Using the required syntax, edit the path displayed in the edit field. This will allow you to generalize directory paths.
Step 5
Click Add. The information in the edit field is now added to the file protection pane and protected from all network access.
Step 6
Click Apply.
Step 7
When you are done adding files and folders to the file protection pane, click OK.
Entering Files and Directories to Protect
Linux and Windows users can enter the path of a directory or file for protection.
Step 1
Select the Enable check box. This turns on file protection.
Step 2
In the edit field, type the name of the file or folder you want to protect. Be sure to use the proper syntax.
Step 3
Click Add. The file or directory is added to the file protection pane and is now protected from access by network applications.
Step 4
Click Apply.
Step 5
When you are done adding files and folders to the file protection pane, click OK.
Removing File Protection from Files and Directories (Windows)
Step 1
Right-click the file name or directory name in the file protection pane.
Step 2
Select Remove.
Step 3
Click Apply.
Step 4
When you are done removing files and folders from the file protection window, click OK.
Removing File Protection from Files and Directories (Linux)
Step 1
Select the file name or directory name in the file protection window.
Step 2
Click Delete.
Step 3
Click Apply.
Step 4
When you are done removing files and folders from the file protection window, click OK.
Disabling File Protection
To disable file protection, uncheck the Enable checkbox in the file protection window.
The contents of the file protection pane are saved for when you want to turn file protection on again.
Untrusted Applications
The Cisco Security Agent can keep track of downloaded files that are either applications or that could contain programmatic content such as scripts or macros. Depending on how the agent was configured by the system administrator, these files are considered Untrusted and their filenames are displayed in the Untrusted Applications edit box. The consequences of being labeled Untrusted are defined by the system administrator, but in general, files listed here continue to operate under restrictions greater than those of trusted files. For example, untrusted applications may not be able to write to system executables or to registry keys that are typically targeted by viruses.
Note
With the default Windows handling for file extensions, a .txt file would not be considered executable, and would not be marked as an Untrusted file.
Figure A-6 Agent Untrusted Applications Screen
For Windows agents, if users want to remove a file or program from the list of untrusted applications in the Untrusted Applications window, they right-click on the selected entry in the edit box and select Mark As Trusted. This removes the application from the untrusted list, making it trusted.
For Linux agents, if users want to remove a file or program from the list of untrusted applications in the Untrusted Applications window, they select the entry in the edit box and press the Delete key. When they click the Apply button, the delete takes effect on the system.
User Query Responses
This screen allows you to manage your responses to user queries.
Figure A-7 Agent User Query Responses Screen
Responding to Pop-up Query Boxes
The management center administrator can create rules that prompt users to allow or deny an action, or terminate a process, when a process attempts to access resources on their system. In this case, if the rule in question is triggered, a pop-up box appears prompting users to select one of several radio buttons and click Apply, as follows:
• Yes: Allows the application access to the resource in question.
• No: Denies the application access to the resource in question.
• No, Terminate this application: Denies the application access to the resource in question and also attempts to terminate the application process. The name of the application in question is displayed with the terminate option.
Default Action - If users do not respond to the query within 5 minutes, an administrator-determined default action is automatically taken.
Don't ask again - The administrator can optionally display a "Don't ask again" checkbox on the query so that the user's response is remembered. If users select that checkbox when responding to the query, and the same query is triggered on the system, the remembered response is automatically taken and they are not queried again.
Query challenge - For added security, the administrator can optionally issue a query challenge on the query pop-up box. This ensures that the local user is answering the query and not a malicious remote user or program. To pass the challenge, users simply enter the information displayed in a graphic on the pop-up box itself.
Remembering and Caching Query Responses
When users are queried, the agent can remember their response permanently or temporarily. If the same query is triggered again, the action is allowed, denied, or terminated based on the previous answer without a pop-up query box appearing, either permanently or for some period of time. To reduce the number of queries users must respond to, it is generally advantageous for them to permanently remember query responses.
For example, if users are queried as to whether an application can talk on the network and they respond by selecting the Yes radio button, clicking the Don't ask me again checkbox, and then clicking Apply, the Yes response is remembered permanently and that response appears in the edit field in this window. But if users are queried as to whether setup.exe can install software on their system and they respond by clicking the Yes radio button, but there is no Don't ask me again checkbox or it is there but they do not select it, this response is remembered temporarily and it does not appear in the edit field. It is the Don't ask me again checkbox that controls whether a query response is remembered permanently. The administrator decides whether or not users have the option to choose Don't ask me again.
Note
Permanent responses are remembered across reboots. Temporarily cached responses are not remembered across reboots.
Note
A query response is tied to the user who responded. On multi-user machines, multiple users may be asked the same question.
Note
On Windows agents, users can sort User Query Responses in the edit field by right-clicking within the edit field and selecting one of the Sort options.
"Undoing" or Deleting Your Response to a Query
If a response is only cached temporarily (for approximately an hour) users can click the Clear button in this window to delete all temporarily cached responses.
On Windows agents, to clear permanent responses listed in the agent User Query Responses window edit field, users right-click on a selected response in the edit field and select Remove. On Linux agents, to clear permanent responses listed in the agent User Query Responses window edit field, users select the response in the edit field and press the Delete key. When they click the Apply button, the delete takes effect on the system.
Events
The Events window displays security-related messages, system errors, and system status messages generated by Cisco Security Agent.
Figure A-8 Agent Events Screen
To view events, follow this procedure:
Step 1
Click Events in the Tasks area of the Cisco Security Agent interface.
Step 2
Select the set of events to display from the Event Type list box.
• Selecting Recent Events displays important security-related messages received by the agent beginning at the last time the agent interface was launched.
• Selecting All Logged Security Events displays all security-related messages received by the agent, including those generated before the agent interface was launched.
• Selecting All Logged Events & Debug Messages displays all security-related messages, system errors, and system status messages generated by Cisco Security Agent, including those generated before the agent interface was launched.
Clicking the View button launches a text file containing more detailed information than the event type you have chosen to display.
Clicking the Purge button clears the messages displayed by the Recent Events or All Logged Security Events event types. You cannot purge the messages displayed by the All Logged Events & Debug Messages event type.
Contact Information
This window allows you to provide contact information to the administrator, including your name, telephone number, location, and email address. If your system administrator has requested that you enter this information, do so here and click the Apply button.
CSA MC receives this contact data and the administrator can now quickly locate you if your agent indicates that there is a problem.
Figure A-9 Agent Contact Information Screen
Assigning Sounds to Agent Events
Different sounds can be assigned to different agent events on Windows systems. Through your Windows operating system's Sounds and Multimedia Properties window, accessible from the Start>Settings>Control Panel window, you can assign specific sounds to Cisco Security Agent events. In the Sounds and Audio Devices Properties window, users scroll through the list of Sound Events in the Sounds tab to locate Cisco Security Agent and the list of available sound event assignments.
As an example, users can configure their system to generate a sound when the flag in the system tray begins flapping because a rule has been triggered. They can also have a sound occur when a Query User pop-up window appears and then have another sound occur when the countdown to respond to this query is down to 1 minute. Users must have a sound card installed to play these sounds.
Cisco Security Agent Diagnostics
This feature allows the agent to gather self-describing diagnostic information about the agent and about the system on which the agent runs. Generally, users should only select this if the administrator has requested that they do so. It may take some time to collect this data. Cisco Security Agent Diagnostics are available for Windows, Solaris, and Linux platforms.
On Windows systems, this setting is available from the Start>Programs>Cisco>Cisco Security Agent menu when the agent is installed. Selecting Cisco Security Agent Diagnostics causes the agent to gather information on the system and on the agent itself. When the collection is complete, a "csa-diagnostics.zip" file is created in the user's system temp directory. They should send this file to their administrator.
Host diagnostics are available locally to the Solaris and Linux end user by executing the ./diag shell script from the /opt/CSCOcsa/bin directory. This creates a csa-diagnostic.gz file in the /tmp directory.
Note
The same data can be collected remotely from the CSA MC. Only ask users to manually gather this data if for some reason remote diagnostics is not working.
Resetting Cisco Security Agent
Selecting the "Reset Cisco Security Agent" option puts all agent settings back to their original states and clears almost all other user-configured settings. This does not clear configured Firewall Settings or File Protection settings. But if Firewall Settings or File Protection settings are enabled, they are disabled after a reset as this is the default factory setting. The information entered into the edit boxes for these features is not lost.
On Windows systems, this setting is available from the Start>Programs>Cisco>Cisco Security Agent menu on systems where the agent is installed. On Linux systems, this setting is available from the Red Hat Application Menu>Cisco Security Agent menu on systems where the agent is installed.
Cisco Security Agent Shortcut Menu
Right-click the CSA icon in the system tray to view the agent's shortcut menu. These are the menu items and their functions:
Open Agent Panel: Launches the Cisco Security Agent user interface. You can also do this by double-clicking the CSA icon.
Suppress Taskbar Notifications: Selecting this menu item changes your interaction with CSA in these ways:
• The flag icon in the system tray no longer pulses.
• You no longer receive tool-tip text for the taskbar icon.
• You no longer hear sounds for security events (Windows only).
• You no longer receive balloon messages, such as the one below.
Security Level: Allows you to set the security level to Off, Low, Medium, or High. This is equivalent to using the slide bar on the Security Settings screen.
Network Lock: Prevents new network connections to the host. This is the same as enabling the network lock on the Security Settings screen.
Help (Linux only): Launches Help for the CSA Agent Panel.
About: Displays the version number of CSA that is installed on your computer. This is the same as clicking the icon.
Exit Agent Panel: Closes the Cisco Security Agent user interface. Though the interface has been closed, CSA is still running and protecting your computer.
Note
On Linux systems, the CSA icon is not visible in the system tray until you run it from the applications menu. Navigate Applications>Cisco Security Agent>Cisco Security Agent to run Cisco Security Agent.
Disabling and Enabling Agent Security
Provided there is not an Agent service control rule or Agent UI control rule (See Agent Service Control, page 6-2 and Agent UI Control, page 6-4 for rule details) that denies this action, all users can stop the security the agent provides on a Windows or Linux host by accessing the agent UI and clicking on the flag in the menu bar. If users move the slidebar (if present) to the Off setting, agent security enforcement stops.
Note
If there is no agent UI on a system (no user interaction), the ability to turn off agent security is not available to non-administrative users.
Provided there is not an Agent service control rule that denies this action, Windows administrators can run the following commands from a command prompt window on the agent host system to stop and start the agent service:
net stop csagent
net start csagent
Note
On Windows Vista desktops, standard users must elevate their privileges to "administrator" in order to run these commands.
Provided there is not an Agent service control rule that denies this action, administrators can stop and start the agent service on a UNIX (Solaris and Linux) host by running the following commands from a command prompt window on the agent host system:
/etc/init.d/ciscosec stop
/etc/init.d/ciscosec start
Caution 
Stopping agent security and/or stopping the agent service on any system disables all rules on that system. Starting the agent service and resuming security reinstates all rules.
Installing the Windows Agent
The Windows agent kit is a self-extracting executable. You can save the agent kit to disk and install it from there by double-clicking on the file, or you can choose to install it over the network from CSA MC.
Follow the installation prompts, clicking Next when appropriate. You can install to the default directory Program Files\Cisco\CSAgent or you can choose another directory.
Agent kits may be configured to require a reboot after the agent is installed; otherwise, users are given the option to reboot. Some security is provided immediately after the agent is installed and before the machine is rebooted.
Until the system has been rebooted, the following limitations apply:
• Network Shield rules are not applied.
• Network access control rules only apply to new socket connections. Network server services should be stopped and restarted for full network access control security without a system reboot.
• Data access control rules are not applied until the web server service is restarted.
To benefit from all the security features of CSA, users should reboot their computer after the agent is installed.
See also Manual Agent Data Filter Installation, page 12-8 if you are installing a web server on the same server as the Windows agent.
See also Agent Interaction with Windows Security Settings for descriptions of how the agent interacts with the Windows Firewall and the Windows Security Center.
Uninstalling the Windows Agent
To uninstall the Cisco Security Agent, do the following:
Step 1
From the Start menu, go to Programs>Cisco>Cisco Security Agent>Uninstall Cisco Security Agent.
Step 2
Reboot the system when the uninstall is finished.
Agent Interaction with Windows Security Settings
The Cisco Security Agent automatically disables the Windows firewall, and if the host is joined to a domain, CSA's status is not visible in the Windows Security Center.
Agent Disables Windows Firewall
The Cisco Security Agent automatically disables the Windows XP and Windows 2003 firewall. This is done per recommendation of Microsoft in their HELP guide for their firewall. If you want to read this recommendation, you can access the "Windows Security Center" console from a Windows XP or Windows 2003 installation, click on "Windows Firewall", and select "on." The firewall status will warn you as follows: "Two or more firewalls running at the same time can conflict with each other. For more information see Why you should only use one firewall."
Because the Cisco Security Agent, in part, utilizes firewall-like components, the agent disables the Windows firewall per the recommendation from Microsoft.
If Cisco Security Agent is uninstalled, the Windows Firewall is automatically re-enabled.
Agent Status is not Reported in the Security Center
If Cisco Security Agent is installed on a computer that is not joined to a domain, then the Windows Security Center provides a status message about CSA in the Firewall Programs status area. The message indicates if Cisco Security Agent is on or off.
If Cisco Security Agent is installed on a computer that is joined to a domain, then the Windows Security Center does not provide status messages about CSA.
If the system administrators for your enterprise want users to see status messages in the Windows Security Center about CSA, they need to set this node to "on" in the Group Policy Object Editor (Gpedit.msc):
Computer Configuration\Administrative Templates\Windows Components\Security Center
Common Windows Cisco Security Agent Error Codes
The following are the most commonly seen error codes for Windows agent installations.
2029 - OKENA_STATUS_DB_ERROR. This message usually indicates that the database is down or busy.
2030 - OKENA_STATUS_LICENSE_REACHED_LIMIT.
2031 - OKENA_STATUS_REGISTRATION_NOT_ALLOWED. This indicates that the CSA MC registration control is actively denying agent registration.
2035 - OKENA_STATUS_INVALID_LICENSE. This indicates that the license is corrupt or expired.
2037 - OKENA_STATUS_REGISTRATION_BACKOFF. This indicates that an agent with the same IP address has already registered with CSA MC in the past hour.
Installing the Solaris Agent
This section details the commands you enter and the subsequent output that is displayed when you install the Cisco Security Agent on Solaris systems. After you download the agent kit from CSA MC, do the following to unpack and install it. (Note that you can put the downloaded tar file in any temp directory. Do not put it in the opt directory, however, as you may then experience problems with the installation.)
Step 1
You must be super user on the system to install the agent package.
Step 2
Untar the agent kit. (In the following example, CSA-Server_6.0.1.100-setup.tar is the name of the agent kit.)
# tar xf CSA-Server_6.0.1.100-setup.tar
Step 3
Install the agent package. (Use the command listed below when you install. This command forces the installation to use a package administration file to check the system for the required OS software agent dependencies. If the required dependencies are not present, such as the "SUNWlibCx" library, the install aborts.)
# pkgadd -a CSCOcsa/reloc/cfg/admin -d . CSCOcsa
When the install is complete, the following is displayed:
The agent installed cleanly, but has not yet been started. The
command: /etc/init.d/ciscosec start will start the agent. The agent
will also start automatically upon reboot. A reboot is recommended to
ensure complete system protection.
Step 4
Optionally, reboot the system by entering the following.
Note
If the Solaris system is not rebooted following the agent installation, the following functionality is not immediately available: Buffer overflow protection is only enforced for new processes, network access control rules only apply to new socket connections, file access control rules only apply to newly opened files, and data access control rules are not applied until the web server service is restarted. (This functionality becomes available the next time the system is rebooted.)
Note
On Solaris 10, when you reboot the system after upgrading the agent, the system reboots once, displays the following messages, and then reboots again automatically.
svc.startd[7]:system/csaservice : default failed: transitioned to maintenance (see 'svcs -xv for more details')
svc.startd[7]:system/webconsole :console failed: transitioned to maintenance (see 'svcs -xv for more details')
After the second reboot, you will not receive any other messages regarding CSA, and CSA will be fully functional.
The agent installs into the following directory:
Some files are put into additional directories such as /kernel/strmod/sparcv9, usr/lib/csa, /etc/init.d and /etc/rc?.d.
Note
If you are upgrading the Solaris agent and you encounter the following error, "There is already an instance of the package and you cannot install due to administrator rules", you must edit the file /var/sadm/install/admin/default. Change "instance=unique" to "instance=overwrite" and then proceed with the upgrade.
Note
See also Manual Agent Data Filter Installation, page 12-8 if you are installing a web server on the same server as the Solaris agent.
Uninstalling the Solaris Agent
When uninstalling the Solaris Agent you must be in a session which has permission to disable CSA. The Agent Service Control rules in the Base - CSA service control (Solaris) rule module provided with this release define the sessions given permission to disable CSA.
While running the default Base - CSA service control (Solaris) rule module, booting directly into multi-user mode using the Command Line Login option or booting directly into single-user mode gives you the permission to uninstall CSA.
Note
When running Solaris 10, if you boot into multi-user mode and then switch to single-user mode, you do not have permission to disable CSA.
To uninstall CSA:
Step 1
Boot directly into multi-user mode using the Command Line Login option or boot directly into single-user mode.
Step 2
Log in as the root user.
Step 3
At the prompt, enter the following command:
# pkgrm CSCOcsa
Step 4
Reboot the machine.
Note
If an agent is running a policy which contains an Agent self protection rule, the agent cannot be uninstalled unless your session has the permission to disable it. (Administrators can generally do this through a remote management session if the default policies applied to the CSA MC/VMS system are not changed to restrict this access.)
A shipped UNIX policy allows secured management applications to stop the agent service. For example, after having logged in by selecting Command Line Login in the options menu of the login screen, all login applications are considered secure management applications. You can now run the pkgrm command to uninstall the agent.
UNIX Agent csactl Utility
Because the Solaris Cisco Security Agent has no user interface, a utility is provided which allows you to check the Solaris agent status, poll in to CSA MC and re-enable logging. The command you enter to perform these functions is csactl.
Note
This utility has also been made available for Linux systems. Because Linux does provide an agent UI, using the csactl utility on Linux is optional.
Enter the csactl command as follows:
# /opt/CSCOcsa/bin/csactl <command>
Available commands are:
poll: Triggers an immediate poll of the management server. (Also lets you know if there is a software update available.)
resetlog: Resets the logging holdback, allowing all log messages.
status: Displays a small amount of status information. (Also lets you know if there is a software update available.)
swupdate: Updates agent software.
info <text>: Sends a custom informational text event directly to CSA MC. Once the message reaches CSA MC, it can be viewed or a notification can be sent to an administrator.
warning <text>: Sends a custom warning text event directly to CSA MC. Once the message reaches CSA MC, it can be viewed or a notification can be sent to an administrator.
alert <text>: Sends a custom alert text event directly to CSA MC. Once the message reaches CSA MC, it can be viewed or a notification can be sent to an administrator.
about: Displays the agent software version number.
The commands listed above are only available to root.
For example, poll in to CSA MC by entering the following:
# /opt/CSCOcsa/bin/csactl poll
Poll of management center succeeded
For example, check the status of the agent by entering the following:
# /opt/CSCOcsa/bin/csactl status
Management center: stormcenter
Registration time: 2006-11-20 15:19:16
Host id: {FG9DA858-6131-46E9-18BD-EE32BA2D0676}
Last download time: 2006-11-20 15:19:23
Last poll time: 2006-11-20 15:20:42
Software update: newer version is available
For example, to perform a software update:
# /opt/CSCOcsa/bin/csactl swupdate
Note
You must reboot the system after performing a software update.
For example, re-enable logging if duplicate messages are being throttled:
# /opt/CSCOcsa/bin/csactl resetlog
Reset Log throttle sent to kernel
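The status output above is easy to consume from a script. The following is an added example, not part of the csactl utility or of Cisco's documentation: it parses `csactl status` output, read from standard input, so an inventory job can flag agents that report a pending software update or that have not polled the management center since a given time. The sample text is constructed from the status output shown above; on a live host you would pipe the real command into the same functions (for example `/opt/CSCOcsa/bin/csactl status | csa_status_report`).

```shell
#!/bin/sh
# Added example, not part of the CSA tooling: parse `csactl status` output so a
# health check can flag agents with a pending software update or a stale poll.
# Functions read the status text from stdin, so on a real host you would run:
#   /opt/CSCOcsa/bin/csactl status | csa_field 'Last poll time'

# Constructed sample, copied from the status output shown in the guide.
CSA_SAMPLE_STATUS='Management center: stormcenter
Registration time: 2006-11-20 15:19:16
Host id: {FG9DA858-6131-46E9-18BD-EE32BA2D0676}
Last download time: 2006-11-20 15:19:23
Last poll time: 2006-11-20 15:20:42
Software update: newer version is available'

# csa_field NAME -- print the value of the "NAME: value" line read from stdin
csa_field() {
    awk -v key="$1" -F': ' '$1 == key { print substr($0, length(key) + 3); exit }'
}

# csa_update_pending -- succeed when csactl reports that a newer version exists
csa_update_pending() {
    [ "$(csa_field 'Software update')" = 'newer version is available' ]
}

# csa_poll_older_than 'YYYY-MM-DD HH:MM:SS' -- succeed when the last poll is
# earlier than the given timestamp; the timestamps sort correctly as plain
# strings, so no date arithmetic is needed
csa_poll_older_than() {
    last=$(csa_field 'Last poll time')
    [ -n "$last" ] && awk -v a="$last" -v b="$1" 'BEGIN { exit !(a < b) }'
}

# csa_status_report -- one-line summary suitable for a fleet inventory
csa_status_report() {
    status=$(cat)
    mc=$(printf '%s\n' "$status" | csa_field 'Management center')
    poll=$(printf '%s\n' "$status" | csa_field 'Last poll time')
    if printf '%s\n' "$status" | csa_update_pending; then
        upd=update-pending
    else
        upd=current
    fi
    printf '%s last-poll=%s %s\n' "$mc" "$poll" "$upd"
}

# Example run on the constructed sample.
printf '%s\n' "$CSA_SAMPLE_STATUS" | csa_status_report
```

Because the timestamps use a fixed `YYYY-MM-DD HH:MM:SS` layout, a plain string comparison orders them correctly, which keeps the check portable between the Solaris and Linux shells the guide covers.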
Installing the Linux Agent
This section details the commands you enter and the subsequent output that is displayed when you install the Cisco Security Agent on Linux systems.
When you download the Cisco Security Agent kit from CSA MC, do the following to unpack and install it.
Step 1
Move the tar file downloaded from CSA MC to a temporary directory, e.g.
$ mv CSA-Server_V5.2.0.218-lin-setup-1a969c667ddb0a2d2a8da3e7959a30b2.tar /tmp
Step 2
Untar the file.
$ tar xvf CSA-Server_V5.2.0.218-lin-setup-1a969c667ddb0a2d2a8da3e7959a30b2.tar
Step 3
Change to the CSCOcsa directory, where the rpm package is located.
Step 4
Run the install_rpm.sh script as root.
The package will be installed to /opt/CSCOcsa, with some files being put into directories such as /lib/modules/CSCOcsa, /lib/csa, /etc/init.d and /etc/rc?.d.
Note
CSAagent rpm packages are not relocatable.
Caution 
If a Linux system is not rebooted following the agent installation, the following functionality is not immediately available: Buffer overflow protection is only enforced for new processes, network access control rules only apply to new socket connections, file access control rules only apply to newly opened files, and data access control rules are not applied until the web server service is restarted. (This functionality becomes available the next time the system is rebooted.)
Note
See also Manual Agent Data Filter Installation, page 12-8 if you are installing a web server on the same server as the Linux agent.
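The Solaris and Linux install procedures above share the same shape: unpack the kit somewhere other than /opt, then run the platform's package installer as root. The following wrapper is an added example, not Cisco's own installer script, that automates both procedures and also applies the edit the Solaris upgrade note asks for (instance=unique to instance=overwrite in /var/sadm/install/admin/default) when a CSCOcsa package is already present. The helper functions take their inputs as arguments so the pre-flight checks and the admin-file edit can be exercised on any machine without root, a kit file, or pkgadd; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Cisco's own installer: an unattended wrapper for the
# Solaris (pkgadd) and Linux (install_rpm.sh) procedures in the guide.

CSA_ADMIN_DEFAULT=/var/sadm/install/admin/default   # admin file named in the Solaris upgrade note

# csa_platform UNAME -- map the output of `uname -s` to the install flavour
csa_platform() {
    case "$1" in
        SunOS) echo solaris ;;
        Linux) echo linux ;;
        *) echo "unsupported platform: $1" >&2; return 1 ;;
    esac
}

# csa_check_unpack_dir DIR -- the guide says never to unpack the kit under /opt
csa_check_unpack_dir() {
    case "$1" in
        /opt|/opt/*) echo "refusing to unpack under /opt: $1" >&2; return 1 ;;
    esac
    [ -d "$1" ] && [ -w "$1" ]
}

# csa_pkg_instance FILE -- print the instance= setting of a pkgadd admin file
csa_pkg_instance() {
    sed -n 's/^instance=//p' "$1"
}

# csa_set_pkg_instance FILE unique|overwrite -- rewrite the instance= line,
# keeping FILE.bak; this is the edit the upgrade note asks for. Returns 1 if
# the mode is unknown or the file has no instance= line.
csa_set_pkg_instance() {
    file=$1; mode=$2
    case "$mode" in unique|overwrite) ;; *) echo "bad mode: $mode" >&2; return 1 ;; esac
    grep -q '^instance=' "$file" || return 1
    cp "$file" "$file.bak" && sed "s/^instance=.*/instance=$mode/" "$file.bak" > "$file"
}

# csa_install_kit KIT_TAR [UNPACK_DIR] -- the whole procedure; must run as root
csa_install_kit() {
    kit=$1; dir=${2:-/tmp}
    [ "$(id -u)" -eq 0 ] || { echo "must be root" >&2; return 1; }
    platform=$(csa_platform "$(uname -s)") || return 1
    csa_check_unpack_dir "$dir" || return 1
    cp "$kit" "$dir/" && cd "$dir" || return 1        # move the kit to a temp directory
    tar xf "$(basename "$kit")" || return 1           # untar the kit
    case "$platform" in
        solaris)
            # An existing CSCOcsa instance makes pkgadd abort with the "already an
            # instance of the package" error, so allow overwrite before upgrading.
            if pkginfo -q CSCOcsa 2>/dev/null; then
                csa_set_pkg_instance "$CSA_ADMIN_DEFAULT" overwrite || return 1
            fi
            pkgadd -a CSCOcsa/reloc/cfg/admin -d . CSCOcsa
            ;;
        linux)
            ( cd CSCOcsa && sh ./install_rpm.sh )     # run the rpm install script as root
            ;;
    esac
}

# Run the procedure only when a kit path is given on the command line.
if [ $# -gt 0 ]; then
    csa_install_kit "$@"
fi
```

Run it as `sh csa-install.sh CSA-Server_6.0.1.100-setup.tar /var/tmp` (the script name is an assumption). The reboot the guide recommends after installation is deliberately left to the operator, since the wrapper has no way of knowing whether a reboot is acceptable on that host at that moment.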
Uninstall Linux Agent
Cisco Security Agent can only be uninstalled by the "root" user. You can uninstall Cisco Security Agent through a command line or GUI interface.
Caution 
If an agent is running a policy which contains an Agent service control rule, the agent cannot be uninstalled unless this rule is disabled. (Administrators can generally do this through a remote management session if the default policies applied to the CSA MC system are not changed to restrict this access.) See Agent Service Control, page 6-2 for details on this rule type.
You can uninstall the Linux agent regardless of policies if you log in using single-user mode.
Command line method
Step 1
Log on to the computer as the root user.
Step 2
Open a Terminal window.
Step 3
Change to the /opt/CSCOcsa/bin directory, for example:
# cd /opt/CSCOcsa/bin
Step 4
To uninstall CSA, run the uninstall script. You are not prompted to confirm the uninstallation. At the prompt enter the following:
# sh ./uninstall
Step 5
After you have uninstalled CSA, you receive the message:
Cisco Security Agent has been uninstalled.
Step 6
At the Press Enter to exit... message, press Enter.
Step 7
Reboot the machine after the uninstallation has completed.
GUI method
Step 1
Log on to the computer as the root user.
Step 2
From the Red Hat Applications menu, navigate Cisco Security Agent > Uninstall Cisco Security Agent.
From the SUSE Computer menu, click More Applications and then click Uninstall Cisco Security Agent.
Step 3
When prompted, respond to the challenge to disable security for Cisco Security Agent by selecting Yes and clicking Apply.
Step 4
Enter the text in the challenge window and click OK. Cisco Security Agent is uninstalled.
Step 5
Press Enter to exit the Terminal window.
Step 6
Reboot the machine after the uninstallation has completed.