Miscellaneous.
Except for actions for nonpayment or breach of McAfee's proprietary rights in the Software and Documentation, no action, regardless of form, arising out of this Agreement may be brought by either party more than 2 years after a party knew or should have known of the claim.
d) Any terms of this Agreement which by their nature should survive the termination of this Agreement shall survive such termination.
McAfee, Inc.
3965 Freedom Circle
Santa Clara, CA 95054
USA
Document Version: 4.0
Product Version: Windows 6.0.0-340 (all except Windows NT and Windows 2000), Windows 5.1.2-8144 (only for Windows NT and Windows 2000), AIX 5.1.2-8118, Linux 5.1.2-8120, HP-UX 5.1.2-8102, Solaris 5.1.2-8102
Publication Date: December 2011
Table of Contents
PREFACE ... 6
ABOUT THIS GUIDE ... 6
AUDIENCE ... 6
DOCUMENT ORGANIZATION ... 6
DOCUMENT CONVENTIONS ... 7
CONTACTING SUPPORT ... 7
INTRODUCTION ... 8
PRODUCT FEATURES ... 9
SOLIDIFIER'S COMMAND-LINE INTERPRETER ... 9
HELP FOR SOLIDIFIER COMMANDS ... 10
LICENSING ... 11
Adding a license ... 11
Listing license information ... 11
SOLIDIFIER LOGS ... 11
CHANGE MONITORING ... 13
WHAT CAN BE MONITORED? ... 13
Default Change Monitoring Behavior ... 13
Enabling Change Monitoring ... 14
Disabling Change Monitoring ... 15
MONITORING FILE AND DIRECTORY CHANGES ... 16
Monitoring Network Shares ... 16
Monitoring File Attribute Changes (Windows only) ... 17
MONITORING PROCESS EXECUTION ... 18
MONITORING USER ACCOUNT TRACKING (WINDOWS ONLY) ... 18
Setting Audit policies for a Non-Domain Controller on Windows 2000, Windows 2003, Windows XP, Windows Vista, Windows 2008, and Windows 7 ... 18
Setting Audit policies for a Domain Controller on Windows 2000, Windows 2003, and Windows 2008 ... 19
Setting Audit policies on Windows NT ... 19
CUSTOMIZATION OF FILTERS ... 21
THE ROLE OF FILTERS ... 21
FILE/DIRECTORY NAME-BASED FILTERS ... 21
Include Filter for a File or Directory ... 22
Exclude Filter for a File or Directory ... 23
Removing a File or Directory Filter ... 24
Removing All File or Directory Filters ... 24
FILE EXTENSION BASED FILTERS ... 24
Include Filter for an Extension ... 25
Exclude Filter for an Extension ... 25
Removing a File Extension Filter ... 26
Removing All File Extension Filters ... 27
REGISTRY KEY FILTERS (WINDOWS ONLY) ... 27
Include Filter for a Registry Key ... 27
Exclude Filter for a Registry Key ... 28
Remove a Registry Key Filter ... 28
Remove All Registry Key Filters ... 28
USER NAME FILTERS ... 29
Exclude Filter for a User Name ... 29
Remove a User Name Filter ... 29
Preface
About This Guide
This guide discusses how you can implement the Solidifier. It describes the configuration of the
Solidifier during the initial implementation and its ongoing maintenance. It also describes remote
administration and troubleshooting. This document is meant to serve as a comprehensive
reference for the initial set up and ongoing maintenance and administration of a host system.
Audience
The intended audience for this guide is the system administrator who will be responsible for
administering the Solidifier. The system administrator is assumed to be familiar with the IT
operations on systems including installation, configuration, etc. of application software and
monitoring system logs. Advanced knowledge of any specific operating system or application is
not required.
Document Organization
This guide is organized as follows:
Chapter Change Monitoring describes the monitoring of changes, the default change monitoring behavior, and how change monitoring is enabled and disabled.
Chapter Customization of Filters introduces the notion of filters and explains why their judicious use can tune the system to report precisely those changes that are exceptions to the change policy.
Chapter Routine Maintenance describes how the system can be updated, either manually or using program automation, during maintenance windows.
Appendix Command Quick Reference provides a quick reference for the CLI commands.
Appendix Diagnostic Tools describes several diagnostic tools that are packaged with the product.
Document Conventions
The following conventions distinguish different types of text:
CLI command syntax is preceded by the prompt > for Windows, by the prompt #
for UNIX, or by prompt > for commands that are applicable for both Windows and
UNIX.
Alternative arguments are separated by vertical bars, and are grouped within {curly
braces}.
Names of keys on the keyboard are in square braces, such as the [Tab] key.
Note: Means reader should take a note. Notes contain helpful suggestions or references to
material not covered in the guide.
Contacting Support
Homepage: http://www.mcafee.com/us/products/change-control.aspx
Phone: +1-800-937-2237
Introduction
Most IT organizations today recognize the central role that control over change plays for
achieving operational effectiveness. Many have invested in process automation tools such as a
Change Management system or a Service Desk. Yet, a gap persists between actual change activity
and the documented Change Management process. This change control gap results in manual
activity by IT departments to control and minimize the costs of change. McAfee Solidifier
bridges this gap by adding Control to Change Management. This is accomplished by providing
customers with real time visibility of changes being made, accountability to validate change
activity and technology-based enforcement of change policy. Solidifier is easily configurable to
increase the availability of IT services, accelerate the successful implementation of ITIL
(Information Technology Infrastructure Library) projects, and reduce the cost of compliance
initiatives such as Sarbanes-Oxley or PCI.
Solidifier is an operationally-friendly, low-touch, and low-overhead software product that can be
deployed on a wide range of hardware platforms. Solidifier provides change control on servers,
desktops, network devices such as switches, routers and firewalls, and databases.
Unlike scan-based solutions which take and compare snapshots of the state of a system, Solidifier
continuously tracks and validates every attempted change at the endpoint in real-time. This
approach has several important benefits:
Every attempted change can be validated in real time, before the change is applied.
Little overhead is incurred on the endpoint, and there are no spikes in resource utilization that could interfere with operations.
The ability to capture all changes across servers, desktops, and in real time enables immediate
alerts to exceptional change. It also creates a change database that is comprehensive and always
up-to-date. Intelligent filtering ensures that only relevant change makes it to the database and
minimizes consumption of network bandwidth. The Change Database becomes the foundation for
a powerful search capability that provides the rich forensic information needed to quickly
pinpoint the root cause of any change-related incident. This capability is fully effective even
when the system in question is offline.
Because every change is captured at that exact moment it occurs and includes rich information
including who made the change, highly accurate reconciliation with change tickets is possible.
Finally, the ability to detect and validate attempted change in real-time enables technical
enforcement of change policy. IT can now disallow out-of-policy changes attempted on target
systems before they occur. This greatly reduces change-related outages.
Real-time visibility into changes made across all systems is the foundation of the Solidifier product framework. It provides real-time change tracking with minimal consumption of CPU, memory, disk and network resources, and it comprehensively logs all change attempts made to files and Windows registry keys on the target systems.
Pre-built and customized filters are available to limit change capture to items of interest. The
module provides rich information about change including where the change was made (which
server/servers), when it was made, which user or application made the change, and how the
change was made. The information is stored in an independent Change Database, separating the
actual storage of information from the system being tracked. The Change Database captures
changes across all networked systems, and provides change information for systems even when
they are down or offline.
Product features
Change Control allows you to monitor and prevent changes to the file system, registry, and user
accounts. You can view details of who made changes, which files were changed, and when and
how the changes were made. You can write protect critical files and registry keys from
unauthorized tampering. You can read protect sensitive files. To ease maintenance, you can
define trusted programs or users to allow updates to protected files and registry keys.
In effect, a change is permitted only if the change is applied in accordance with the update
policies. Using Change Control, you can:
Real-time monitoring for file and registry changes - Real-time monitoring eliminates the need
to perform scan after scan on endpoints and identifies transient change violations, such as
when a file is changed and restored to its earlier state.
Track content and attribute changes for a monitored file - If you enable content change tracking for a file, any attribute or content change to the file creates a new file version. Although this feature is available in standalone mode, it is useful and effective only in managed environments (ePO deployments). For a file whose content changes you are tracking, you can view and compare the different versions of the file, or different files (on the same or different endpoints), and receive email notifications whenever the file is modified.
Visibility to ad-hoc changes - Captures every change, including the time of the change, which
user made the change, what program was used to make the change, and whether the change
was made manually or by an authorized program.
Protection rules to eliminate ad-hoc changes - Write protection rules to prevent users from
creating new files (including directories and registry keys) and modifying existing files,
directories, and registry keys. Write-protecting a file or registry key renders it read only and
protects it from unanticipated updates.
2. Use the Start | Programs | McAfee | Solidifier | McAfee Solidifier Command Line menu
option.
You can also open a command prompt window and start executing Solidifier commands.
On UNIX
Open a UNIX terminal and start executing Solidifier commands at the command prompt. You can access the Solidifier's command-line interpreter, sadmin, at <ss-install-dir>/mcafee/solidcore/bin/sadmin.
Or
# sadmin help
Help for a basic Solidifier command can be obtained in this command shell as follows:
> sadmin help command
Or
# sadmin help command
Or
# sadmin help-advanced
Or
# sadmin help-advanced command
Licensing
You can add another license or display licensing information of the product(s) installed on your
system. Currently, there are separate licenses for enabling the Change Control and Runtime
Control modules of the Solidifier.
Adding a license
Issue the command given below to add another license license_key.
> sadmin license add license_key
On Windows, a reboot is required to activate the new features enabled by the added license. These new features may require additional configuration for the Solidifier to work properly. Refer to the Advanced Configuration section for more details.
On UNIX, no reboot is required to activate the new features enabled by the added license; however, a restart of the Solidifier service is required.
The features already installed on the system will retain the same state (enabled or disabled) after
the new license has been added.
Note: You can add product license only when the Solidifier is running in Disabled mode.
The following listing is printed for the Change Control module license:
xxxx-xxxx-xxxx-xxxx-xxxx (Change Control, Unlimited)
The following listing is printed for the limited period Change Control module license (available
only on Windows):
xxxx-xxxx-xxxx-xxxx-xxxx (Change Control, 30 Day Trial)
Note: The sadmin license list command can be issued in all modes.
Solidifier Logs
Solidifier generates its own log (solidcore.log), and Solidifier-specific event logs are also written to the system logs.
On Windows
Solidifier log file (solidcore.log) is generated in the Logs folder.
To view the event logs generated by Solidifier in the system logs, click Start > Programs > Administrative Tools > Event Viewer > Application.
On UNIX
To view Solidifier log on UNIX, follow the steps given below:
1. Open the UNIX terminal.
2. Change to the /var/log/mcafee/solidcore directory using the following command:
# cd /var/log/mcafee/solidcore
The Solidifier log file in this directory is solidcore.log.
Solidifier event logs are added to the system log file: /var/adm/messages (AIX), /var/log/messages (Linux), /var/adm/messages (Solaris), or /var/adm/syslog (HP-UX).
Change Monitoring
This chapter introduces you to the change actions that can be monitored, the monitoring of
change actions performed for files and directories that are local or on a network share, and
describes how change monitoring is enabled or disabled on the Solidifier.
This chapter covers the following topics:
Files
Process execution/termination
'*'
'HKEY_CLASSES_ROOT'
'HKEY_CURRENT_CONFIG'
'HKEY_CURRENT_USER'
'HKEY_LOCAL_MACHINE'
'HKEY_USERS'
The system must be rebooted when using full-feature mode (no restart is needed in
limited feature activation or reboot-free mode)
Note: Refer to Solidifier Logs section of this document for instructions on how to view events
generated by the Solidifier.
Reboot the computer.
Note: On UNIX, you can also enable change monitoring without reboot by enabling and
restarting the Solidifier service (scsrvc). Issue the following commands:
# sadmin enable
# <ss-path>/scripts/scsrvc restart
This denotes that the Solidifier has been enabled. You can also verify that the Solidifier is in
Enabled mode using the following command:
> sadmin status
McAfee Solidifier:             Enabled
McAfee Solidifier on reboot:   Enabled
ePO Managed:                   Disconnected
Local CLI access:              Recovered

[fstype]   [status]       [driver status]   [volume]
* NTFS     Unsolidified   Attached          C:\
The Solidifier's status display will show that it is currently in Enabled mode but will enter Disabled mode after the next reboot:
> sadmin status
McAfee Solidifier:             Enabled
McAfee Solidifier on reboot:   Disabled
ePO Managed:                   Disconnected
Local CLI access:              Recovered

[fstype]     [status]
* reiserfs   Unsolidified
Creation
Modification of contents
Deletion
Renaming
ACL modification
You can enable or disable file and directory change monitoring through the sadmin monitor
command.
Note: All hard links to a file or directory must also be added to the monitoring rules in addition to
the target file or directory. Then, the changes on the target and its hard link are individually
reported by Solidifier.
For all soft links or symbolic paths, only the target file name needs to be added to monitoring
rules after which Solidifier starts reporting changes done to that file.
FILE_ATTRIBUTE_ENCRYPTED
FILE_ATTRIBUTE_HIDDEN
FILE_ATTRIBUTE_OFFLINE
FILE_ATTRIBUTE_READONLY
FILE_ATTRIBUTE_SYSTEM
FILE_ATTRIBUTE_INDEX
You can enable or disable file attribute change monitoring through the mon-fattr feature.
The following event is raised in the Event log when an attribute is added to a file:
McAfee Solidifier detected addition of attribute 'attr_name' to file
'file_name' by program prog_name (User: user_name).
The following event is raised in the Event log when an attribute is removed from a file:
The following event is raised when process process-name (Process ID PID) having parent
process parent-process-name (Process ID PPID) is stopped by user user-name:
McAfee Solidifier detected exit of process process-name (Process Id: PID,
Parent Process Id: PPID, Parent Process -name: parent-process-name, User:
user-name, Original User: original-user-name).
The following event is raised when a logon is unsuccessfully attempted by user user-name of domain domain-name on host machine host-machine:
"McAfee Solidifier detected 'failed' logon by domain-name/user-name on host-machine"
The following event is raised when a logon is successfully attempted by user user-name of domain domain-name from remote machine remote-machine using process process-name on host machine host-machine:
"McAfee Solidifier detected 'successful' logon by domain-name/user-name on host-machine (from remote-machine by process-name process)."
The following event is raised when a logon is unsuccessfully attempted by user user-name of domain domain-name from remote machine remote-machine using process process-name on host machine host-machine:
"McAfee Solidifier detected 'failed' logon by domain-name/user-name on host-machine (from remote-machine by process-name process)."
The following event is raised when the user account user2-name of domain domain2-name is created by user account user1-name of domain domain1-name:
"McAfee Solidifier detected 'creation' of user account domain2-name/user2-name by domain1-name/user1-name."
The following event is raised when the user account user2-name of domain domain2-name is deleted by user account user1-name of domain domain1-name:
"McAfee Solidifier detected 'deletion' of user account domain2-name/user2-name by domain1-name/user1-name."
The following event is raised when the user account user2-name of domain domain2-name is modified by user account user1-name of domain domain1-name:
"McAfee Solidifier detected modification of user account domain2-name/user2-name by domain1-name/user1-name. Modification type : modification-type."
Here, modification-type can be account locked, account unlocked, account enabled, account disabled, or password changed.
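As an added example that is not part of this guide, the following Python code parses the event texts quoted above into records and summarizes them the way a log reviewer would: failed-logon counts per account, and every account creation, deletion or modification together with the account that performed it. The sample lines, host and account names are constructed, and the threshold of three failed logons is an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Patterns follow the event texts quoted in this section (a trailing '.'
# is optional because the local failed-logon form has none).
_LOGON = re.compile(
    r"McAfee Solidifier detected '(?P<outcome>failed|successful)' logon by "
    r"(?P<domain>[^/]+)/(?P<user>\S+) on (?P<host>[^\s(]+)"
    r"(?: \(from (?P<remote>\S+) by (?P<process>\S+) process\))?\.?$"
)
_ACCOUNT = re.compile(
    r"McAfee Solidifier detected '(?P<action>creation|deletion)' of user account "
    r"(?P<domain>[^/]+)/(?P<user>\S+) by (?P<actor_domain>[^/]+)/(?P<actor>\S+?)\.?$"
)
_MODIFY = re.compile(
    r"McAfee Solidifier detected modification of user account "
    r"(?P<domain>[^/]+)/(?P<user>\S+) by (?P<actor_domain>[^/]+)/(?P<actor>\S+)\. "
    r"Modification type : (?P<mod_type>.+?)\.?$"
)


@dataclass(frozen=True)
class SolidifierEvent:
    kind: str                    # "logon", "account" or "account_modified"
    user: str                    # DOMAIN/user the event is about
    detail: str                  # failed/successful, creation/deletion, or the modification type
    actor: Optional[str] = None  # DOMAIN/user that changed the account
    host: Optional[str] = None
    remote: Optional[str] = None
    process: Optional[str] = None


def parse_event(line: str) -> Optional[SolidifierEvent]:
    """Turn one Solidifier user-tracking event into a record, or None if the
    line is not one of the three message shapes quoted above."""
    line = line.strip().strip('"')
    m = _LOGON.match(line)
    if m:
        return SolidifierEvent("logon", f"{m['domain']}/{m['user']}", m["outcome"],
                               host=m["host"], remote=m["remote"], process=m["process"])
    m = _ACCOUNT.match(line)
    if m:
        return SolidifierEvent("account", f"{m['domain']}/{m['user']}", m["action"],
                               actor=f"{m['actor_domain']}/{m['actor']}")
    m = _MODIFY.match(line)
    if m:
        return SolidifierEvent("account_modified", f"{m['domain']}/{m['user']}",
                               m["mod_type"], actor=f"{m['actor_domain']}/{m['actor']}")
    return None


def summarize(lines: Iterable[str], threshold: int = 3) -> dict:
    """Count failed logons per account, flag accounts at or above `threshold`
    (an assumed value), and list every account change with its actor."""
    failed: Counter = Counter()
    changes = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev.kind == "logon" and ev.detail == "failed":
            failed[ev.user] += 1
        elif ev.kind in ("account", "account_modified"):
            changes.append((ev.detail, ev.user, ev.actor))
    flagged = sorted(u for u, n in failed.items() if n >= threshold)
    return {"failed_logons": failed, "flagged": flagged, "account_changes": changes}


# Constructed sample lines in the formats quoted above; not real log data.
SAMPLE_LOG = [
    "McAfee Solidifier detected 'failed' logon by CORP/alice on SRV1",
    "McAfee Solidifier detected 'failed' logon by CORP/alice on SRV1 (from WS7 by winlogon.exe process).",
    "McAfee Solidifier detected 'failed' logon by CORP/alice on SRV1 (from WS7 by winlogon.exe process).",
    "McAfee Solidifier detected 'successful' logon by CORP/alice on SRV1 (from WS7 by winlogon.exe process).",
    "McAfee Solidifier detected 'creation' of user account CORP/svc-backup by CORP/admin.",
    "McAfee Solidifier detected modification of user account CORP/svc-backup by CORP/admin. Modification type : password changed.",
    "McAfee Solidifier detected 'deletion' of user account CORP/tempuser by CORP/admin.",
    "Some unrelated syslog line",
]
```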
Customization of Filters
This chapter introduces you to filters and how they should be used. Solidifier supports several different types of filters to provide the flexibility for tuning Change Monitoring and the reporting of change events to suit your specific business needs.
This chapter covers the following topics:
Filter Rules
Include filters cause events matching the filtering criterion to be reported to the user.
Exclude filters cause events matching the condition to be suppressed and not reported to the user.
Filtering of Change Monitoring events is essential in order to govern the volume of change
events, primarily because a large volume of changes are program-generated and may not be worth
the attention of the Solidifier product administrator. In the extreme situation, where there is a lot
of programmatic and automatic change activity, a large volume of change events may overwhelm
the system generating the events. Filters ensure that only relevant change events are recorded.
This helps in reducing the noise on the system.
F+ "/nfsshare/shared/test1"
F+ "/usr/config"
F+ "/usr/test.sh"
The prefix F represents a File Filter; F+ indicates that the file is included for Change Monitoring.
View the files and folders on which filters have been applied using the following command:
> sadmin monitor list
After execution of this command, the following message appears on the screen:
F- "C:\Program Files"
F- "C:\test.doc"
F- "C:\WINDOWS\system32\config"
F- "\\192.168.82.24\shared"
View the files and directories on which filters have been applied using the following command:
# sadmin monitor list
After execution of this command, the following message appears on the screen:
F+ "/nfsshare/shared/test1"
F- "/usr/config"
F- "/usr/test.sh"
The F- indicates that the file is excluded from Change Monitoring.
View the files and folders on which filters have been applied using the following command:
> sadmin monitor list
The prefix X represents a File Extension Filter; X+ indicates that the file extension is included for
Change Monitoring.
The prefix X- indicates that the file extension is excluded from Change Monitoring.
X+ "doc"
X+ "exe"
F+ "C:\test.doc"
F+ "C:\test1.doc"
Remove all (Flush) File Extension Filters using the following command:
> sadmin monitor extn -f
F- "C:\Program Files"
R+ "HKEY_LOCAL_MACHINE"
The prefix R represents a Registry Key Filter, R+ indicates that the registry key is included for
Change Monitoring.
F- "C:\Program Files"
R- "HKEY_LOCAL_MACHINE"
The prefix R- indicates that the registry key is excluded from Change Monitoring.
F- "C:\Program Files"
X+ "exe"
F+ "C:\test.doc"
F- "C:\test1.doc"
R+ "HKEY_CURRENT_USER"
R+ "HKEY_LOCAL_MACHINE"
Remove all (Flush) Registry Key Filters using the following command:
> sadmin monitor reg -f
X+ "exe"
F+ "C:\test.doc"
F- "C:\test1.doc"
The list displays that all Registry Key Filters have been removed
U- "Tom"
P+
X+
F+
F-
The prefix P represents a Process Name Filter, P+ indicates that the process name is included for
Change Monitoring.
On UNIX
Include a process name using the following command:
# sadmin monitor process -i mv
The prefix P represents a Process Name Filter; P+ indicates that the process name is included for
Change Monitoring.
After execution of this command, the following message appears on the screen:
P-
X+
F+
F-
The prefix P- indicates that the process name is excluded from Change Monitoring.
On UNIX
Exclude a process name using the following command:
# sadmin monitor process -e mv
The prefix P- indicates that the process name is excluded from Change Monitoring.
X+ "exe"
F+ "C:\Program Files\McAfee\Solidcore"
F- "C:\Program Files"
The display shows that the Process Name Filter was removed.
On UNIX
Remove Process Name Filter using the following command:
# sadmin monitor process -r mv
P+ "C:\Program Files\Messenger\msmsmg.exe"
P+ "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
X+ "doc"
X+ "exe"
F+ "C:\test.doc"
F+ "C:\test1.doc"
Remove all (Flush) the Process Name Filters using the following command:
> sadmin monitor process -f
X+ "doc"
X+ "exe"
F+ "C:\test.doc"
F+ "C:\test1.doc"
The display shows that there are no Process Name Filters in effect.
Filter Rules
Filter Precedence Rules
The highest level precedence rules for filters are as shown:
1. Filters based on user name will have highest precedence over all other filter rules.
2. Filters based on process name will have precedence over file extension and file name or
directory based filters.
3. Filters based on file extension will have precedence over filters based on file name.
4. Filters based on file names will have precedence over filters based on folder / directory name.
5. Within name based filters, the longest pathname will take precedence. For example,
On Windows, if folder C:\Folder1\Folder2 is included but folder C:\Folder1 is excluded, any
change operations performed on a file in folder C:\Folder1\Folder2 will record events
because C:\Folder1\Folder2 (longest pathname) has higher precedence over C:\Folder1.
Hence, all other folders present under C:\Folder1 will not be monitored.
On UNIX, if directory /usr/dir1/dir2 is included but /usr/dir1 is excluded, any
change operations performed on files in /usr/dir1/dir2 will record events because
/usr/dir1/dir2 (longest pathname) has higher precedence over /usr/dir1.
The sadmin monitor list command lists the filters in the order in which checks are performed for a new change event, that is, sorted in decreasing order of precedence.
On UNIX, for a File Extension filter created for the extension ps, change events
referencing ps.exe will not qualify but those referencing shutdown.ps and restart.ps
will.
2. The user name specified for the filter is compared with the user name referenced in the change event.
3. User names containing spaces must be enclosed in quotes.
4. On Windows, the domain name can be part of the user name. If the domain name is not specified, the user name is excluded for all domains. To exclude all users of a particular domain, use MY-DOMAIN\* or *@MY-DOMAIN.
5. On Windows, the listing shows rules in the format DOMAIN-NAME\USER for all user rules.
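Added here as an illustration (it is not McAfee's code), the following Python model applies precedence rules 1 to 5 above, together with the extension-matching and user-name notes, to decide whether a change event is reported. The filter set, user names and paths are constructed; an event that no filter matches returns None because this section does not state the default behavior.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Precedence of filter kinds, highest first: user name, process name,
# file extension, file name, directory name (rules 1 to 4 above).
KIND_RANK = {"U": 0, "P": 1, "X": 2, "FILE": 3, "DIR": 4}


@dataclass(frozen=True)
class Filter:
    kind: str             # "U", "P", "X" or "F", as shown by `sadmin monitor list`
    include: bool         # True for '+', False for '-'
    value: str            # user name, process name, extension or path
    is_dir: bool = False  # for "F": a directory (prefix match) or a single file


@dataclass(frozen=True)
class ChangeEvent:
    user: str     # "DOMAIN\\user" on Windows, plain user name on UNIX
    process: str  # program that made the change
    path: str     # file that was changed


def _parts(path: str, windows: bool) -> list[str]:
    """Split a path into components; Windows paths compare case-insensitively."""
    if windows:
        path = path.replace("\\", "/").lower()
    return [p for p in path.split("/") if p]


def _rank(f: Filter) -> int:
    if f.kind == "F":
        return KIND_RANK["DIR" if f.is_dir else "FILE"]
    return KIND_RANK[f.kind]


def _user_matches(f: Filter, user: str, windows: bool) -> bool:
    """User-name rule 4: 'DOM\\*' or '*@DOM' covers a whole domain, a bare
    name applies to every domain, and 'DOM\\name' is an exact match."""
    if not windows:
        return f.value == user
    u, v = user.lower(), f.value.lower()
    domain, _, name = u.rpartition("\\")
    if v.endswith("\\*"):
        return domain == v[:-2]
    if v.startswith("*@"):
        return domain == v[2:]
    return u == v if "\\" in v else name == v


def _matches(f: Filter, ev: ChangeEvent, windows: bool) -> bool:
    if f.kind == "U":
        return _user_matches(f, ev.user, windows)
    if f.kind == "P":
        # The guide lists full paths on Windows and bare names on UNIX.
        p, v = _parts(ev.process, windows), _parts(f.value, windows)
        return p == v or p[-1:] == v
    if f.kind == "X":
        # Only the last component's extension counts, so a "ps" filter
        # matches "restart.ps" but not "ps.exe".
        name = _parts(ev.path, windows)[-1]
        ext = name.rpartition(".")[2] if "." in name else ""
        return ext == (f.value.lower() if windows else f.value)
    target, rule = _parts(ev.path, windows), _parts(f.value, windows)
    return target[: len(rule)] == rule if f.is_dir else target == rule


def evaluate(filters: list[Filter], ev: ChangeEvent, windows: bool) -> Optional[bool]:
    """True = reported, False = suppressed, None = no filter applies.
    Kinds are tried in precedence order; among matching name-based filters
    the longest pathname decides (rule 5)."""
    by_rank: dict[int, list[Filter]] = {}
    for f in filters:
        by_rank.setdefault(_rank(f), []).append(f)
    for rank in sorted(by_rank):
        hits = [f for f in by_rank[rank] if _matches(f, ev, windows)]
        if hits:
            best = max(hits, key=lambda f: len(_parts(f.value, windows)))
            return best.include
    return None


def list_order(filters: list[Filter], windows: bool) -> list[Filter]:
    """The order `sadmin monitor list` shows rules in: decreasing precedence."""
    return sorted(filters, key=lambda f: (_rank(f), -len(_parts(f.value, windows))))


# Constructed rule set for the Windows case in rule 5 (not a real listing).
WINDOWS_FILTERS = [
    Filter("F", False, r"C:\Folder1", is_dir=True),
    Filter("F", True, r"C:\Folder1\Folder2", is_dir=True),
    Filter("X", False, "tmp"),
    Filter("P", True, r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"),
    Filter("U", False, r"MY-DOMAIN\*"),
]
```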
Deletion
Renaming
Modifying contents
Appending
Truncating
Changing owner
When a directory or volume is specified for write-protection, all files in that directory or volume
are added to the write protected list. The rules are inherited by sub-directories as well. Hence, all
file operations mentioned above cannot be performed on a file if it resides in a write-protected
directory or volume. Creation of new files is also denied. You are not allowed to rename the
parent directory if any file or directory resident in it is write-protected.
Note: On Windows and UNIX, all existing hard links to a file must be put under Solidifier
protection otherwise changes done to that file can still be made from an un-protected path. In
enabled mode, the Solidifier does not allow creation of hard links to a protected file.
For soft links or lofs mounts (--bind mount on Linux), only the actual file needs to be protected.
The protection is then enforced via symbolic links as well.
All operations mentioned above on a write-protected file, directory or volume are considered
unauthorized and are reported by Solidifier. Any unauthorized attempt is stopped and an event is
generated in the Event log.
Note: Please refrain from using this feature on the Solidifier internal files such as solidcore.log,
diag.log (created only on Windows), etc.
This feature is enabled by default. For this feature to work, the Solidifier should be running in
Enabled mode. You can view the operational mode of the Solidifier using the sadmin status
command.
Once the deny-write feature is enabled, writing data to protected files by updaters or signed
binaries (applicable only for Windows) is allowed through one of the following mechanisms:
The file has been marked as a signed binary (applicable only for Windows)
Enforcing write-protection
You can enforce write-protection rules on to a file, directory or volume in order to protect them
from unauthorized access. You should only write protect files that are not routinely being updated
by programs.
Note: On Windows, the write-protected files, directories and volumes can be neither compressed
nor encrypted.
The following command can be used to make files, such as configuration files, documents, etc., read-only by write-protecting them:
> sadmin write-protect -i pathname
Or
> sadmin wp -i pathname
The pathname signifies the complete path of the file, directory or volume to be write-protected.
For instance, to write protect a file, issue the following command:
On Windows
> sadmin write-protect -i "C:\test.txt"
On UNIX
# sadmin write-protect -i /test.sh
Note: You can also use the wildcard character * in the pathname; it represents exactly one complete
path component, for instance C:\test\*\myfile.txt. However, * should not be used as the last
component of the rule. The same rule applies on UNIX.
The Event Log entry of the following form is generated for both Windows and UNIX:
Local Administrator executed command 'sadmin write-protect -i <pathname>' at
Wed Apr 02 2008 20:30:05 (Return status: 0).
Note: On both Windows and UNIX, a hard link to a write-protected file should also be write-protected so that it cannot be used to modify the original file.
For enforcing write-protection rules over mounted network file systems, the network path should
be specified in the sadmin wp command in any one of the following forms:
On Windows
\\server-name\share-name
\\server-ip\share-name
mapped-drive-letter:\
For instance, a server named ftpserver with IP address 192.168.0.1 exports a share named documents
that is mapped to W:\ on the client machine. To prevent any writes to the share from this client
machine, include the share in any of the following forms:
\\ftpserver\documents or
\\192.168.0.1\documents or
W:\
On UNIX
/mount-point
Excluding write-protection
Exclusion means that the rule does not apply to the specified path used for excluding. You can
exclude a particular file, directory or volume from write-protection using the following
command:
> sadmin write-protect -e pathname
Or
> sadmin wp -e pathname
The pathname signifies the complete path of the file, directory or volume to be excluded from
write-protection.
For instance, to write unprotect a file, issue the following command:
On Windows
> sadmin write-protect -e "C:\test.txt"
On UNIX
# sadmin write-protect -e /test.sh
The Event Log entry of the following form is generated for both Windows and UNIX:
Local Administrator executed command 'sadmin write-protect -e <pathname>' at
Wed Feb 02 2008 20:30:05 (Return status: 0).
Exclusion finds special significance in scenarios where the whole directory is write-protected and
you may choose to unprotect selective files in that protected directory. The applicability and
usage of write-protection rules vary depending upon your specific need and requirement.
Or
> sadmin wp -r pathname
The pathname signifies the complete path of the file, directory or volume to be removed from
write-protection.
For instance,
On Windows
> sadmin write-protect -r "C:\test.txt"
On UNIX
# sadmin write-protect -r /test.sh
The Event Log entry of the following form is generated for both Windows and UNIX:
Local Administrator executed command 'sadmin write-protect -r <pathname>' at
Wed Apr 02 2008 20:30:05 (Return status: 0).
Or
> sadmin wp -l
The Event Log entry of the following form is generated for both Windows and UNIX:
Local Administrator executed command 'sadmin write-protect -l' at Wed Apr 02
2008 20:30:05 (Return status: 0).
Or
> sadmin wp -f
The Event Log entry of the following form is generated for both Windows and UNIX:
Local Administrator executed command 'sadmin write-protect -f' at Wed Apr 02
2008 20:30:05 (Return status: 0).
Any unauthorized attempt made to read data from a read-protected file is stopped and an event is
generated in the Event log.
The deny-read feature is disabled by default. You can enable this feature using the following
command:
> sadmin features enable deny-read
The file has been marked as a signed binary (applicable only for Windows)
Note: In order to protect a read-protected file in every possible way, so that its contents cannot
be viewed by renaming, copying or moving that file, you must ensure that the file is also
write-protected using the deny-write feature. A file that is only read-protected (and not also
write-protected) becomes readable if it is renamed or copied/moved to another location.
Enforcing read-protection
You can enforce read-protection rules on to a file, directory or volume in order to protect them
from unauthorized reading attempts.
Note: On Windows, the read-protected files, directories and volumes can be neither compressed
nor encrypted.
You should issue the following command to read-protect a local file:
> sadmin read-protect -i pathname
The pathname signifies the complete path of the file, directory or volume to be read-protected.
For instance, to read protect a file, issue the following command:
On Windows
> sadmin read-protect -i "C:\test.txt"
On UNIX
# sadmin read-protect -i /test.sh
Note: You can also use the wildcard character * in the pathname; it represents exactly one complete
path component, for instance C:\test\*\myfile.txt. However, * should not be used as the last
component of the rule. The same rule applies on UNIX.
The Event Log entry of the following form is generated for both Windows and UNIX:
Local Administrator executed command 'sadmin read-protect -i <pathname>' at Wed
Apr 02 2008 20:30:05 (Return status: 0).
The enforcement of read-protection rules over mounted network file systems is the same as for
the deny-write feature. The network path should be specified in the sadmin rp command in any one
of the following forms:
On Windows
\\server\share
\\192.168.2.1\share
W:\
On UNIX
/mount-point
Or
> sadmin rp -e pathname
Exclusion finds special significance in scenarios where the whole directory is read-protected and
you may choose to unprotect selective files in that protected directory. The applicability and
usage of this rule varies depending upon your specific need and requirement.
For instance, to read unprotect a file, issue the following command:
On Windows
> sadmin read-protect -e "C:\test.txt"
On UNIX
# sadmin read-protect -e /test.sh
The Event Log entry of the following form is generated for both Windows and UNIX:
Local Administrator executed command 'sadmin read-protect -e <pathname>' at Wed Apr 02
2008 20:30:05 (Return status: 0).
Or
> sadmin rp -r pathname
For instance, to restore read access to a file, issue the following command:
On Windows
> sadmin read-protect -r "C:\test.txt"
On UNIX
# sadmin read-protect -r /test.sh
The Event Log entry of the following form is generated for both Windows and UNIX:
Local Administrator executed command 'sadmin read-protect -r <pathname>' at Wed Apr 02
2008 20:30:05 (Return status: 0).
Or
> sadmin rp -l
The Event Log entry of the following form is generated for both Windows and UNIX:
Local Administrator executed command 'sadmin read-protect -l' at Wed Apr 02
2008 20:30:05 (Return status: 0).
Or
> sadmin rp -f
The Event Log entry of the following form is generated for both Windows and UNIX:
Local Administrator executed command 'sadmin read-protect -f' at Wed Apr 02
2008 20:30:05 (Return status: 0).
Or
> sadmin wpr -i registryname
For instance,
> sadmin wpr -i HKEY_LOCAL_MACHINE\Software\Yahoo\Essentials
Note: A wildcard character (*) is supported in pathnames with the exception that it can only
represent one complete path component. For example, HKEY_LOCAL_MACHINE\*\Microsoft is
allowed while HKEY_LOCAL_MACHINE\* or HKEY_LOCAL_MACHINE\*\* is not supported. The
wildcard should not be used in the last path component otherwise the filter will not be effective.
This will protect the registry key from modification attempts and the following Event Log entry
will be generated when a change is attempted.
McAfee Solidifier prevented an attempt to modify Registry key
'HKEY_LOCAL_MACHINE\SOFTWARE\Yahoo\Essentials' by process
C:\WINDOWS\regedit.exe (Process Id: 2240, User: MYDOMAIN\Administrator).
An error message also appears saying that value contents cannot be edited/deleted/modified.
Note: New keys can be added in the registry but modification to a key is not allowed.
Restricted Behavior
Registry Protection is supported only for the HKEY_LOCAL_MACHINE registry key hive. For every
other hive, irrespective of whether it is a top level hive or just a symbolic link, registry protection
behavior is undefined.
Warning: Registry keys should be chosen judiciously for protection. Protecting the wrong keys
can lead to unspecified OS behavior. For example, you must not protect the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry key.
Or
> sadmin wpr -e registryname
The Protection rules will be applied based on the longest prefix match. If you include
HKEY_LOCAL_MACHINE\Software for protection but exclude
HKEY_LOCAL_MACHINE\Software\Microsoft, then if any attempt is made to delete keys or values
under HKEY_LOCAL_MACHINE\Software\Microsoft (for example,
HKEY_LOCAL_MACHINE\Software\Microsoft\Office), the modification will succeed.
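The longest-prefix resolution just described, together with the component wildcard and the include/exclude behaviour from the file write-protection and read-protection sections earlier in this guide, as an added worked example. This is illustrative Python written for this page, not McAfee code. It applies the registry longest-prefix rule to file paths as well; the guide states that rule explicitly only for registry keys and describes file exclusions as carving files out of a protected directory, so extending it to files is this example's assumption. The rule-set structure and method names are the example's own.

```python
"""Model of how Solidifier include/exclude rules resolve for a given path.

Added example, not McAfee code. Assumed semantics, taken from this guide:
  * an include (-i) rule protects the path and everything below it,
  * an exclude (-e) rule removes protection below its path,
  * when both match, the rule with the longest matching prefix wins,
  * '*' stands for exactly one complete path component and must not be the
    last component of a rule.
Applying longest-prefix resolution to file paths (not only registry keys) is
an assumption of this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

_SEP = re.compile(r"[\\/]+")


def split_components(path: str) -> list[str]:
    """Split a Windows path, UNIX path or registry key into components.

    Comparison is case-insensitive; the guide itself prints the same registry
    key in different case in the command and in the event text.
    """
    return [c.lower() for c in _SEP.split(path.strip()) if c]


def _prefix_matches(rule: list[str], target: list[str]) -> bool:
    if len(rule) > len(target):
        return False
    return all(r == "*" or r == t for r, t in zip(rule, target))


def _longest_match(rules: list[list[str]], target: list[str]) -> int:
    """Length (in components) of the longest rule that is a prefix of target."""
    return max((len(r) for r in rules if _prefix_matches(r, target)), default=0)


@dataclass
class RuleSet:
    includes: list[list[str]] = field(default_factory=list)
    excludes: list[list[str]] = field(default_factory=list)

    def _add(self, bucket: list[list[str]], rule: str) -> None:
        comps = split_components(rule)
        if not comps:
            raise ValueError("empty rule")
        if comps[-1] == "*":
            # The guide: a trailing '*' makes the filter ineffective, so reject it.
            raise ValueError(f"wildcard must not be the last component: {rule!r}")
        bucket.append(comps)

    def include(self, rule: str) -> None:   # sadmin wp -i / rp -i / wpr -i
        self._add(self.includes, rule)

    def exclude(self, rule: str) -> None:   # sadmin wp -e / rp -e / wpr -e
        self._add(self.excludes, rule)

    def is_protected(self, path: str) -> bool:
        target = split_components(path)
        best_inc = _longest_match(self.includes, target)
        best_exc = _longest_match(self.excludes, target)
        # Longest prefix wins. A tie means an exclude at the same depth as the
        # include, which unprotects that subtree.
        return best_inc > 0 and best_inc > best_exc
```

With the guide's own registry example (include HKEY_LOCAL_MACHINE\Software, exclude HKEY_LOCAL_MACHINE\Software\Microsoft), a write to HKEY_LOCAL_MACHINE\Software\Microsoft\Office resolves to the longer exclude and is allowed, while HKEY_LOCAL_MACHINE\Software\Yahoo\Essentials stays protected.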
Or
> sadmin wpr -r registryname
Or
> sadmin wpr -l
After the successful execution of this command, the following message appears on the screen:
+ 'HKEY_LOCAL_MACHINE\Software\Yahoo\Essentials'
Control Settings
<installation path>\sadmin.exe
scormapl.dll
scormcpl.dll
scevtgen.exe
S3diag.log
evt_mcpl_cache_file
evt_mcpl_cache_file.tmp
S3observe.log
<installation path>\scsrvc.exe
<installation path>\passwd
<System32 folder>\drivers\swin.sys
In order to permit Solidifier upgrades, Product Integrity is disabled in Update mode even if the
feature is shown as enabled.
Only the Solidifier is permitted to change the values for the following registry keys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\swin
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\scsrvc
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\System Solidifier
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\swin\Enum
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\scsrvc\Enum
Note: Authorized updaters are able to override Product Integrity. With Product Integrity enabled,
modifications to Solidifier-protected files and registry keys can be made through programs added
with the updaters command, and the changes are tracked by logging events in the Event log.
On UNIX
File
Control Settings
/etc/mcafee/solidcore/solidcore.conf
Tamper-proofing enabled
Right-clicking an INF file offers an Install option; installation through this option is blocked.
Some INF files can also be installed using certain exported functions of setupapi.dll or
advpack.dll. These installations are also blocked.
Any unauthorized attempt to install/uninstall a package is stopped and an event is generated in the
Event log.
File name
Manifest
The pkg-ctrl feature controls installation and uninstallation of all MSI-based
installers. The pkg-ctrl feature is enabled by default and can be managed by
using the following command:
> sadmin features enable/disable pkg-ctrl
Note: You must reboot the system after enabling or disabling this feature.
pkg-ctrl-inf
The pkg-ctrl-inf feature prevents installation and uninstallation of all INF-based installers.
The pkg-ctrl-inf feature is disabled by default and can be managed by using the following command:
> sadmin features enable/disable pkg-ctrl-inf
The installer has been marked as an updater using the sadmin updaters command.
The installation/uninstallation of the application can also be carried out in the update mode.
Exceptions
This section enumerates exceptional behaviors caused by interactions with Windows that are
documented here for the reader's benefit.
When the 'Next' or 'Cancel' button is clicked on the Windows Components Wizard
window, even without making any changes to the selected components, the following
error message appears:
Some utilities like WinDriver tools (wdreg.exe) can bypass this mechanism and
install/uninstall .INF files.
Some optional Windows components can be installed using standard Windows tool like
secedit and gpupdate. By default, installation/uninstallation from these tools is not
prevented.
After installing the Fax Services from Add/Remove Programs > Add/Remove
Windows Components, Fax Services gets installed but several deny write errors related
to Spoolsv.exe are observed in the Event viewer. However, the Fax service works fine
even with these errors. This specific case appears when rundll32.exe has been added as
an updater candidate.
Some application executables like VNC server and client may not be able to execute
when this feature is enabled. On running these applications, the following event is
generated in the Event log:
Advanced Configuration
This chapter introduces the following advanced configuration topics:
Enabling a feature
To enable a feature, execute the following command:
> sadmin features enable featurename
The following Event Log entry is generated in the operating system logs:
Local Administrator executed command 'sadmin features enable featurename' at
Tue Apr 01 2008 11:52:05 (Return status: 0).
Disabling a feature
To disable a feature, execute the following command:
> sadmin features disable featurename
The following Event Log entry is generated in the operating system logs:
Local Administrator executed command 'sadmin features disable featurename' at
Tue Apr 01 2008 11:52:05 (Return status: 0).
Listing features
To view the complete listing of features along with their configured state, execute the following
command:
The following Event Log entry is generated in the operating system logs:
Local Administrator executed command 'sadmin features list' at Tue Apr 01 2008
11:52:05 (Return status: 0).
Please refer Appendix: Solidifier feature list to see the complete feature list.
Popup
Note: The Popup event sink is not available on UNIX. Also, the System Controller (sc) refers to
the McAfee ePO console.
For instance, the following command logs all the events onto the Operating system log:
> sadmin event sink -a ALL oslog
For instance, the following command does not log any event onto the Operating system log:
> sadmin event sink -r ALL oslog
Note: You can specify only one event name in the command.
The following Event Log entry is also generated in the operating system logs:
Local Administrator executed command 'sadmin config set EventCacheSize=<no>' at
Tue Apr 01 2008 10:41:50 (Return status: 0).
The following Event Log entry is also generated in the operating system logs:
Local Administrator executed command 'sadmin config set EventCacheWMHigh=<no>'
at Tue Apr 01 2008 10:46:50 (Return status: 0).
The following Event Log entry is also generated in the operating system logs:
Local Administrator executed command 'sadmin config set EventCacheWMLow=<no>'
at Tue Apr 01 2008 10:50:43 (Return status: 0).
You can configure this path so that the log file gets installed at a different location other than the
default one by modifying the value of the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swin\Parameters\LogFilePath
1. Changing this registry key to an incorrect value can adversely impact the functioning of the
Solidifier.
2. The specified path must only be for the system volume.
3. The specified path should not be relocated to network shares or mapped drives.
4. The full path including the drive letter must be specified in this registry key value.
5. The Solidifier service must be restarted for the change to be applicable.
6. The GatherInfo tool collects logs from the current logfile path (mentioned in registry) as well
as from the default installation location (McAfee\Solidcore\Logs).
On UNIX
At install time, the Solidifier installer creates a log file named solidcore.log in the
/var/log/mcafee/solidcore directory. You can configure this path so that the log file gets installed
at a different location other than the default one by modifying the value of the parameter
LogFilePath in /etc/mcafee/solidcore/solidcore.conf file.
You should note that:
1. The Solidifier service must be restarted for the change to be applicable.
2. The GatherInfo tool collects logs from the current logfile path (mentioned in the solidcore.conf
file) as well as from the default installation location (/var/log/mcafee/solidcore directory).
The following Event Log entry is also generated in the operating system logs:
Local Administrator executed command 'sadmin config set LogFileNum=<no>' at Tue
Apr 01 2008 15:51:19 (Return status: 0).
Note: The LogFileNum parameter when configured sets the number of files to be created only for
the solidcore.log file.
The above command ensures that no change events are issued when this process makes any
changes to any file.
Include the filter to track process iexplore.exe by issuing the following command:
> sadmin mon procexec -i "C:\Program Files\Internet Explorer\iexplore.exe"
Now, even while the process iexplore.exe has been excluded from the change event filtering rule,
any time this process is started or terminated, the process start and exit events will be logged for
this process.
Establish the filter rule for the user john by issuing the following command:
> sadmin mon user -e john
The above command ensures that no change events are raised for changes made by the
user john.
Include the filter to track process iexplore.exe by issuing the following command:
> sadmin mon procexec -i "C:\Program Files\Internet Explorer\iexplore.exe"
Now, even though the user john has been excluded from the change event filtering rule, any time
the user john starts iexplore.exe, the process start and exit events will be logged for this process.
Setting a password
Password protection is set using the following command:
> sadmin passwd
This command is used to set the password. It prompts for the old password (if a password is set)
and then for the new password twice, for confirmation.
Deleting a password
An existing password can be deleted using the following command:
> sadmin passwd -d
Routine Maintenance
This chapter discusses the changes to routine maintenance operations, which are performed
periodically and require the installation of new software or updates to existing software, after the
Solidifier's write-protections have been enabled.
This chapter covers the following topics:
Automated updates
Manual Updates
About Auto-Updaters
On Windows, auto-updaters are applications that update the system in an automated fashion or
according to a user-defined schedule. Typical examples are:
Software provisioning systems that download, install, and run new code, e.g.,
Microsoft software update, Tivoli, custom scripts.
Applications that create executable code at run time, e.g., antivirus, custom
applications.
Applications that write to existing system or application code on disk (binaries, DLLs,
scripts etc), e.g., backup agents, antivirus.
Automated updates
The Solidifier prevents the modification of protected executable files and also controls the
unauthorized installation/uninstallation of MSI-based installers without entering Update mode on
Windows. On UNIX, the Solidifier can prevent the modification or deletion of protected binaries
or scripts.
Note: Reboot is not required after adding MSI files to the updaters list.
It provides the updaters command to unconditionally authorize legitimate programs to update
software on a protected system and these legitimate programs are called authorized updaters.
Note: The write-protected files which are deleted or renamed in Update mode or through updaters
will continue to remain write-protected. As a result, a new file having the same name at the same
path cannot be created again in Enabled mode, unless the file is write-unprotected before its
deletion or renaming.
The above example unconditionally authorizes the Windows Installer for a HotFix, KB893803, to
perform updates on protected files or registry keys.
The following Event Log entry is also generated:
Local Administrator executed command 'sadmin updaters add WindowsInstaller-KB893803-v2-x86.exe' at Fri Nov 02 2007 12:56:19 (Return status: 0).
Any MSI file can be added to the updaters list by using the following command:
> sadmin updaters add Ica32Pkg.msi
The above example unconditionally authorizes the Windows Installer for an MSI file,
Ica32Pkg.msi, to perform updates on protected files or registry keys.
The following Event Log entry is also generated:
Local Administrator executed command 'sadmin updaters add Ica32Pkg.msi' at Fri
Nov 02 2007 15:36:19 (Return status: 0).
The following command sets iexplore.exe as an authorized updater only when it is launched by
svchost.exe as its parent:
> sadmin updaters add -p svchost.exe iexplore.exe
The following command sets svchost.exe as an authorized updater only when it loads the library
system32\wuauserv.dll:
> sadmin updaters add -l system32\wuauserv.dll svchost.exe
The following example illustrates the addition of Windows updaters for a scheduled update.
The -t option causes the associated tag, for example Win_up_schedule1, to be written to the log
for all files changed by that updater.
> sadmin updaters add -t Win_up_schedule1 -l system32\wuauserv.dll
svchost.exe
> sadmin updaters add -t Win_up_schedule2 -l system32\wuaueng.dll
svchost.exe
On UNIX
Any binary or script file can be added to the updaters list by using the following command:
# sadmin updaters add test.sh
The above example unconditionally authorizes the test.sh script to perform updates on protected
files.
The following Event Log entry is also generated:
Local Administrator executed command 'sadmin updaters add test.sh' at Wed Apr
02 2008 12:56:19 (Return status: 0).
The following command sets child.sh as an authorized updater only when it is launched by
parent.sh as its parent:
# sadmin updaters add -p parent.sh child.sh
The following example illustrates the addition of updaters for a scheduled update. The -t
option causes the associated tag, for example tag1, to be written to the log for all files changed by that updater.
# sadmin updaters add -t tag1 test.sh
# sadmin updaters add -t tag2 test.sh
# sadmin updaters add -t tag3 -p parent.sh child.sh
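The Windows and UNIX updater examples above combine three constraints: the updater's name, an optional parent (-p), an optional loaded library (-l), plus a log tag (-t), and the "Scripts as Updaters" rule later in this chapter adds full-path script updaters to which -p and -l do not apply. The following is an added worked example, written for this page in Python and not McAfee code, that parses `sadmin updaters add` command lines into rules and decides whether a given process would be treated as an authorized updater. Its assumptions: a bare rule name matches the basename of the process image (the guide uses bare names such as svchost.exe and test.sh), a script rule matches only its full path, -p compares the parent's basename, -l is satisfied when a loaded library path ends with the given library path, and matching is case-insensitive with `\` and `/` treated alike. The class and function names are the example's own.

```python
"""Model of Solidifier updater rules (-p, -l, -t, script updaters).

Added example, not McAfee code. Assumptions (see the lead-in): bare names match
the image basename, script rules match a full path, -p compares parent
basenames, -l matches a loaded library by path suffix, and a matched rule's
-t tag is what would be written to the log.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass


def _norm(p: str) -> str:
    return p.strip('"').replace("\\", "/").lower()


def _base(p: str) -> str:
    return _norm(p).rsplit("/", 1)[-1]


@dataclass(frozen=True)
class UpdaterRule:
    name: str                    # bare image name, or full path for a script
    parent: str | None = None    # -p PARENT
    library: str | None = None   # -l LIBRARY
    tag: str | None = None       # -t TAG

    @classmethod
    def from_command(cls, cmd: str) -> "UpdaterRule":
        """Parse 'sadmin updaters add [-t TAG] [-p PARENT] [-l LIB] NAME'."""
        tokens = shlex.split(cmd, posix=False)   # non-POSIX: keep backslashes
        if [t.lower() for t in tokens[:3]] != ["sadmin", "updaters", "add"]:
            raise ValueError(f"not an updaters add command: {cmd!r}")
        opts: dict[str, str] = {}
        positional: list[str] = []
        i = 3
        while i < len(tokens):
            if tokens[i] in ("-t", "-p", "-l"):
                opts[tokens[i]] = tokens[i + 1].strip('"')
                i += 2
            else:
                positional.append(tokens[i].strip('"'))
                i += 1
        if len(positional) != 1:
            raise ValueError(f"expected exactly one updater name: {cmd!r}")
        rule = cls(positional[0], opts.get("-p"), opts.get("-l"), opts.get("-t"))
        if "/" in _norm(rule.name) and (rule.parent or rule.library):
            # Guide: -l and -p are not applicable when a script is the updater.
            raise ValueError("-p/-l are not applicable to script updaters")
        return rule


@dataclass
class ProcessContext:
    image: str                              # full path of the running image
    parent_image: str | None = None
    loaded_libraries: tuple[str, ...] = ()


def _matches(rule: UpdaterRule, ctx: ProcessContext) -> bool:
    if "/" in _norm(rule.name):                         # script rule: full path
        if _norm(rule.name) != _norm(ctx.image):
            return False
    elif _base(rule.name) != _base(ctx.image):          # bare name: basename
        return False
    if rule.parent and (ctx.parent_image is None
                        or _base(rule.parent) != _base(ctx.parent_image)):
        return False
    if rule.library:
        want = _norm(rule.library)
        if not any(_norm(lib) == want or _norm(lib).endswith("/" + want)
                   for lib in ctx.loaded_libraries):
            return False
    return True


def authorize(rules: list[UpdaterRule], ctx: ProcessContext) -> tuple[bool, str | None]:
    """Return (authorized, tag) for the first rule the process satisfies."""
    for rule in rules:
        if _matches(rule, ctx):
            return True, rule.tag
    return False, None
```

Running the guide's own rules through this model shows why the constraints matter: iexplore.exe is an updater only under svchost.exe, svchost.exe only while wuauserv.dll is loaded (and then changes are logged under the Win_up_schedule1 tag), and a .bat updater declared by full path does not cover a same-named copy elsewhere.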
Note: On Windows, you should re-start the system after adding authorized updaters.
Where updater_name provides the name of the updater that needs to be removed from the
authorized updaters list.
After execution of this command, the following message appears on the screen:
-t
AUTO_2
luall.exe
Manual Updates
Using the Update Window
Figure 1 summarizes the steps to implement the Update Mode on a Solidifier host:
To perform manual software update in Update Mode, perform the following steps:
Check the current status of the Solidifier using the following command:
> sadmin status
After execution of this command, the following message appears on the screen:
McAfee Solidifier: Enabled
McAfee Solidifier on reboot: Enabled
After execution of this command, the following message appears on the screen:
McAfee Solidifier is in update mode.
The following Event Log entry is generated:
Local Administrator executed command 'sadmin bu' at Wed Apr 02 2008 13:37:21
(Return status: 0).
The Solidifier status during Update mode is viewed using the following command:
> sadmin status
After execution of this command, the following message appears on the screen:
McAfee Solidifier: Update
McAfee Solidifier on reboot: Update
Now, you can perform software update actions: Add/delete/modify software on the computer.
On Windows
Double-click some program, for example, Windows2000-KB822831-x86-enu.exe to install it on
the computer. Follow the application installation procedures as presented through the setup
wizard. It may include restarting the computer.
Install the INF based driver, for instance, mmdriver.inf on your system.
After successful installation, the following Event Log entry is generated:
McAfee Solidifier allowed package modification of Installer: <installer_name>.
(Workflow Id: UPDATE_MODE: AUTO_2)
On UNIX
Likewise, install Apache on the UNIX Solidifier host.
After successful installation, normal file operation events such as FILE_CREATED_UPDATE,
FILE_MODIFIED_UPDATE, etc. are generated.
End Update mode using the following command:
> sadmin eu
After execution of this command, the following message appears on the screen:
McAfee solidifier exiting from update mode.
The following Event Log entry is generated:
Local Administrator executed command 'sadmin eu' at Wed Apr 02 2008 13:46:38
(Return status: 0).
Check the current status of the Solidifier using the following command:
> sadmin status
After execution of this command, the following message appears on the screen:
McAfee Solidifier: Enabled
McAfee Solidifier on reboot: Enabled
Scripts as Updaters
Starting with version 4.9.0, you can also declare scripts as updaters so that the file changes made
by these scripts are treated as authorized changes.
Note: The Scripts as Updaters functionality is available on all Windows platforms except
Windows Vista (64-bit), Windows Server 2008 (64-bit), and Windows Server 2003 (IA64).
To declare a script as updater, use the following syntax:
> sadmin updaters add SCRIPT
Here, SCRIPT is the full path name of the script. For example:
> sadmin updaters add C:\myscripts\myscript12.bat
To unmark a script that was earlier declared as updater, use the following syntax:
> sadmin updaters remove SCRIPT
Here, SCRIPT is the full path name of the script. For example:
> sadmin updaters remove C:\myscripts\myscript42.bat
Note: Other updaters command arguments such as -l and -p are not applicable when you are
specifying a script as updater.
Troubleshooting
On Windows, Solidifier events can be viewed in the Application Event Log (Start menu >
Programs > Administrative Tools > Event Viewer > Application).
On UNIX, Solidifier events can be viewed in the system log: /var/adm/messages (AIX),
/var/log/messages (Linux), /var/adm/messages (Solaris), or /var/adm/syslog (HP-UX).
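Once the events are in the OS log, the two message shapes this guide prints are the ones worth triaging: the COMMAND_EXECUTED audit line ("<user> executed command 'sadmin ...' at <date> (Return status: <n>).") and the prevention line ("McAfee Solidifier prevented an attempt to <action> '<target>' by process <exe> (Process Id: <pid>, User: <user>)."). The following added example, written for this page in Python and not McAfee code, parses those lines and flags the sadmin commands that reduce enforcement (removing or excluding protection rules, disabling features, adding updaters, entering Update mode, disabling the Solidifier, deleting the CLI password), so that a reviewer can see who weakened the configuration and which processes were blocked. The optional syslog prefix it strips, the sample log lines and the list of "weakening" commands are constructed for this example from the commands documented in this guide.

```python
"""Triage of Solidifier messages from the OS log.

Added example, not McAfee code. Parses the two message formats printed in this
guide (COMMAND_EXECUTED audit lines and "prevented an attempt" lines). The
syslog prefix shape, the sample lines and the policy of which sadmin commands
count as weakening enforcement are this example's own constructions.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed: UNIX syslog prefix "Mon DD HH:MM:SS host tag: " (assumed shape).
_SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ [^:]+: ")

_CMD = re.compile(
    r"^(?P<user>.+?) executed command '(?P<cmd>.*)' at "
    r"(?P<when>\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"\(Return status: (?P<rc>-?\d+)\)\.?$"
)
_PREVENTED = re.compile(
    r"^McAfee Solidifier prevented an attempt to (?P<action>.+?) "
    r"'(?P<target>[^']*)' by process (?P<proc>.+?) "
    r"\(Process Id: (?P<pid>\d+), User: (?P<puser>[^)]+)\)\.?$"
)

# Protection-rule commands and their short forms from this guide.
RULE_CMDS = {"write-protect", "wp", "read-protect", "rp", "write-protect-reg", "wpr"}


@dataclass
class Event:
    kind: str                 # "command" | "prevented"
    fields: dict[str, str]


def parse_line(line: str) -> Event | None:
    body = _SYSLOG_PREFIX.sub("", line.strip(), count=1)
    m = _CMD.match(body)
    if m:
        return Event("command", m.groupdict())
    m = _PREVENTED.match(body)
    if m:
        return Event("prevented", m.groupdict())
    return None


def weakens_enforcement(cmd: str) -> bool:
    """True if an audited sadmin command reduces what the Solidifier enforces."""
    tokens = cmd.split()
    if len(tokens) < 2 or tokens[0].lower() != "sadmin":
        return False
    sub, args = tokens[1].lower(), [t.lower() for t in tokens[2:]]
    if sub in RULE_CMDS:
        return bool({"-r", "-e"} & set(args))   # remove or exclude a rule
    if sub == "features":
        return "disable" in args
    if sub == "updaters":
        return "add" in args                    # widens who may change protected files
    if sub in {"begin-update", "bu", "disable"}:
        return True                             # leaves Enabled mode
    if sub == "passwd":
        return "-d" in args                     # removes CLI password protection
    return False


def triage(lines: list[str]) -> dict[str, object]:
    events = [parse_line(line) for line in lines]
    cmds = [e for e in events if e and e.kind == "command"]
    return {
        "weakening_commands": [e.fields["cmd"] for e in cmds
                               if weakens_enforcement(e.fields["cmd"])],
        "failed_commands": [e.fields["cmd"] for e in cmds if e.fields["rc"] != "0"],
        "prevented_by_process": dict(Counter(
            e.fields["proc"] for e in events if e and e.kind == "prevented")),
        "unparsed": sum(1 for e in events if e is None),
    }


# Constructed sample lines, in the formats shown in this guide.
SAMPLE_LOG = [
    r"Local Administrator executed command 'sadmin write-protect -i C:\test.txt' at Wed Apr 02 2008 20:30:05 (Return status: 0).",
    r"Local Administrator executed command 'sadmin write-protect -r C:\test.txt' at Wed Apr 02 2008 20:31:10 (Return status: 0).",
    r"Local Administrator executed command 'sadmin features disable deny-read' at Wed Apr 02 2008 20:32:00 (Return status: 0).",
    r"Local Administrator executed command 'sadmin bu' at Wed Apr 02 2008 13:37:21 (Return status: 0).",
    r"Local Administrator executed command 'sadmin updaters add test.sh' at Wed Apr 02 2008 12:56:19 (Return status: 1).",
    r"McAfee Solidifier prevented an attempt to modify Registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Yahoo\Essentials' by process C:\WINDOWS\regedit.exe (Process Id: 2240, User: MYDOMAIN\Administrator).",
    r"McAfee Solidifier prevented an attempt to modify Registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Yahoo\Essentials' by process C:\WINDOWS\regedit.exe (Process Id: 2312, User: MYDOMAIN\Administrator).",
    "Apr  2 20:33:00 host sshd[123]: Accepted publickey for root from 10.0.0.5",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A non-zero return status on an audited command is reported separately from the weakening list: the Solidifier logs the command as executed either way, so an operator who sees `sadmin updaters add` with return status 1 should confirm whether the updater was actually added before treating the configuration as changed.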
Event Name                          Category
ACL_MODIFIED                        Information
ACL_MODIFIED_UPDATE                 Information
BOOTING_DISABLED                    Warning
BOOTING_ENABLED                     Information
BOOTING_UPDATE_MODE                 Information
BEGIN_UPDATE                        Information
COMMAND_EXECUTED                    Information
DISABLED_DEFFERED                   Warning
ENABLED_DEFFERED                    Information
END_UPDATE                          Information
*FILE_ATTR_CLEAR                    Information
*FILE_ATTR_SET                      Information
*FILE_ATTR_SET_UPDATE               Information
*FILE_ATTR_CLEAR_UPDATE             Information
FILE_CREATED                        Information
FILE_DELETED                        Information
FILE_MODIFIED                       Information
FILE_ATTR_MODIFIED                  Information
FILE_RENAMED                        Information
FILE_CREATED_UPDATE                 Information
FILE_DELETED_UPDATE                 Information
FILE_MODIFIED_UPDATE                Information
FILE_ATTR_MODIFIED_UPDATE           Information
FILE_READ_UPDATE                    Information
FILE_RENAMED_UPDATE                 Information
WRITE_DENIED                        Error
*OWNER_MODIFIED                     Information
*OWNER_MODIFIED_UPDATE              Information
PROCESS_EXITED                      Information
PROCESS_STARTED                     Information
*REG_VALUE_WRITE_DENIED             Error
*REG_KEY_WRITE_DENIED               Error
*REG_KEY_CREATED                    Information
*REG_KEY_DELETED                    Information
*REG_VALUE_MODIFIED                 Information
*REG_VALUE_DELETED                  Information
*REG_KEY_CREATED_UPDATE             Information
*REG_KEY_DELETED_UPDATE             Information
*REG_VALUE_MODIFIED_UPDATE          Information
*REG_VALUE_DELETED_UPDATE           Information
STREAM_CREATED                      Information
STREAM_DELETED                      Information
STREAM_MODIFIED                     Information
STREAM_ATTR_MODIFIED                Information
STREAM_CREATED_UPDATE               Information
STREAM_DELETED_UPDATE               Information
STREAM_MODIFIED_UPDATE              Information
STREAM_ATTR_MODIFIED_UPDATE         Information
STREAM_ATTR_SET                     Information
STREAM_ATTR_CLEAR                   Information
STREAM_ATTR_SET_UPDATE              Information
STREAM_ATTR_CLEAR_UPDATE            Information
STREAM_RENAMED                      Information
STREAM_RENAMED_UPDATE               Information
*BOOTING_DISABLED_SAFEMODE          Warning
*BOOTING_DISABLED_INTERNAL_ERROR    Error
ALERT_CACHE_OVERFLOW                Error
ALERT_CACHE_WM_BREACHED             Warning
ALERT_CACHE_WM_RECOVERED            Information
*PKG_MODIFICATION_PREVENTED         Error
*PKG_MODIFICATION_PREVENTED_2       Error
*PKG_MODIFICATION_ALLOWED_UPDATE    Information
*SGN_MSI_SIGNATURE_MISMATCH         Error
READ_DENIED                         Error
UPDATE_MODE_DEFERRED                Information
*USER_LOGON_SUCCESS                 Information
*USER_LOGON_FAIL                    Information
*USER_LOGOFF                        Information
*USER_ACCOUNT_CREATED               Information
*USER_ACCOUNT_DELETED               Information
*USER_ACCOUNT_MODIFIED              Information
Note: The sink for the PKG_MODIFICATION_PREVENTED_2 event is Popup only and must not be modified.
modification_type
Cause
This problem occurs because the Mup.sys driver assumes that there must be
no more than three file-system filter drivers running at the same time. The
Mup.sys driver handles Distributed File System (DFS) file I/O requests. If
there are four or more file system filter drivers, the I/O request packet (IRP)
location buffer that is pre-allocated by Mup.sys will overflow. When this
occurs, the Stop error described above is displayed.
Refer to this link for the resolution:
http://support.microsoft.com/kb/906866
2) The feature in use is in disabled state. You can verify this using the
following command:
> sadmin features list
solidcore.log
solidcore.log.1
solidcore.log.2
solidcore.log.3
solidcore.log.4
The logs are rotated in the chronological order such that the solidcore.log file always has the
newest logs and solidcore.log.4 file has the oldest logs.
Note: The above information is based on the default settings of the solidcore.log file. However, if
you have configured any of the settings viz, size or number of this file, then you should take the
new configuration into consideration while trouble-shooting.
The Event Log shows that the Solidifier prevented the execution of unauthorized code. An error
message is displayed in the Event Viewer. No user action is required.
Note: The event logs will appear if the package control feature is in enabled state.
The Event Log shows that the Solidifier prevented an attempt to read a file. An error message is
displayed in the Event Viewer. No user action is required.
The Event Log shows that the Solidifier prevented the attempt to modify the registry key. An
error message is displayed in the Event Viewer. No user action is required.
This chapter discusses the syntax and usage of the sadmin commands. The sadmin commands
are divided into two categories: basic sadmin commands and advanced sadmin commands.
All basic commands can be viewed using the help command and all advanced commands can be
viewed using the help-advanced command. The sadmin commands are case-insensitive:
they can be issued in upper, lower or mixed case.
Table 1: Solidifier Administration Command Reference
Command | Parameters | Required server state or mode to execute command | Type
begin-update
(bu)
sadmin bu
[work-flow id [comment]]
Enabled and
Disabled mode
Basic
disable
N/A
Enabled mode
Basic
enable
N/A
Disabled mode
Basic
end-update (eu)
sadmin eu
Update mode
Basic
help
Any mode
help-advanced
Any mode
Disabled mode
Basic
Any mode
Basic
license
sadmin license
add license-key
sadmin license list
monitor (mon)
On Windows:
sadmin monitor file
[ [-e | -i [-d [-n ENCODING] ] | -r]
[FILE | DIRECTORY | VOLUME]
... ] | -f
sadmin monitor reg [ [-e | -i | -r
] [REGISTRY-KEY] ... ] | -f
sadmin monitor extn [ [-e | -i | -r] [FILE-EXTENSION] ... ] | -f
sadmin monitor process [ [-e | -i | -r ] [PROCESS-NAME] ... ] | -f
sadmin monitor user [ [-e | -r ]
[USER-NAME] ... ] | -f
sadmin monitor procexec [ [-e |
-i | -r] [PROCESS-PATH |
DIRECTORY] ... ] | -f
sadmin monitor list
sadmin monitor flush
On UNIX:
sadmin monitor file [ [-e | -i | -r]
[FILE | DIRECTORY] ... ] | -f
sadmin monitor extn [ [-e | -i | -r] [FILE-EXTENSION] ... ] | -f
sadmin monitor process [ [-e | -i | -r] [PROCESS-NAME] ... ] | -f
sadmin monitor user [ [-e | -r]
[USER-NAME] ... ] | -f
sadmin monitor procexec [ [-e |
-i | -r] [PROCESS-PATH |
DIRECTORY] ... ] | -f
sadmin monitor list
sadmin monitor flush
passwd
  Mode: Any mode
  Type: Basic
status
  Mode: Any mode
  Type: Basic
updaters
On Windows:
Any mode
Basic
Any mode
Basic
N/A
attr
Any mode
Advanced
Any mode
Advanced
Any mode
Advanced
Any mode
Advanced
Any Mode
Advanced
event
features
lockdown
N/A
read-protect (rp)
  Parameters: sadmin read-protect -l
              sadmin read-protect -f
  Type: Advanced
recover
  Parameters: N/A
  Mode: Any mode
  Type: Advanced
write-protect (wp)
  Parameters: sadmin write-protect -l
              sadmin write-protect -f
  Mode: Any mode
  Type: Advanced
write-protectreg (wpr)
  Mode: Any mode
  Type: Advanced
Role
  ScAnalyzer: Discover the run-time characterization of a system and whether prerequisites for deploying the Solidifier are met
  GatherInfo
ScAnalyzer
ScAnalyzer is a lightweight deployment tool used by field engineers or professional
services personnel to characterize a host's run-time environment and to discover whether the
host satisfies the prerequisites for installing Solidifier. The run-time characterization includes:
Operating system version
Service pack level
Processor and memory configuration
Installed applications
Installed hotfixes
Installed services
System devices
List of running processes
List of open network ports
It is run once before and once more after Solidifier is installed to discover differences in the
run-time characterization and address them if necessary.
-v
[-c <checklist>]
-d
-o <output file>
-s <scan_file>
-q
-n
When ScAnalyzer is executed, it compares the software installed on the system with an
internal, prepackaged checklist and creates a file named scanalysis.bat, which
lists all programs that are Auto-Updaters, together with exceptions for bypassing the stringent API
validation checks. This file can be edited by the user for further customization, and it
should be used to apply configuration changes to the Solidifier.
On Unix
The ScAnalyzer tool is available in the <install-dir>/mcafee/solidcore/tools/scanalyzer/ folder. Issue
the following command to run the tool:
# ./scanalyzer.sh
-v or --version
-d <rep1 rep2>
-r <install path>
-o <output file>
-q
-n
On executing the ScAnalyzer tool, the data/report-<machine_name><date>_<time> file is generated in the current working directory.
GatherInfo
This tool gathers information related to log files, inventory, version, system state, etc. needed by a
Technical Support Engineer to troubleshoot field issues. It is shipped as a part of the Solidifier
product and is installed in the Solidifier installation directory.
Note: The GatherInfo tool collects logs from the installation directory path as well as from the
changed location.
-v
-q
-x
On executing the GatherInfo tool, the gatherinfo.zip file is generated in the current
working directory. These logs can be used to identify the most common support issues.
On Unix
The GatherInfo tool is available in the <install-dir>/mcafee/solidcore/tools/gatherinfo/ folder. Issue
the following command to run the tool:
# ./gatherinfo.sh
-h or --help
-v or --version
-q
-n
On executing the GatherInfo tool, the gatherinfo-<machine_name><date>_<time>.tar.gz file is generated in the current working directory. These logs can
be used to identify the most common support issues.
NAME                       VALUE
EventCacheSize             2 (0x2)
EventCacheWMHigh           90 (0x5a)
EventCacheWMLow            70 (0x46)
FailSafeConf               0 (0x0)
FeaturesEnabled            67174417 (0x4010011)
FeaturesEnabledOnReboot    67174417 (0x4010011)
FeaturesInstalled          69055086641 (0x1014010031)
FileAttrCTrack             4912 (0x1330)
FileDenyReadOptions        735 (0x2df)
FileDenyWriteOptions       735 (0x2df)
HeartbeatInterval          2 (0x2)
HeartbeatTimeout           120 (0x78)
LockdownStatus             0 (0x0)
LogFileNum                 4 (0x4)
LogFilePath                /var/log/mcafee/solidcore
LogFileSize                2048 (0x800)
MobilityIntervalMax        30 (0x1e)
MobilityIntervalMin        5 (0x5)
MobilityResponseTimeout    10 (0xa)
MobilityState              0 (0x0)
Proxy                      NULL
RTEMode                    1 (0x1)
RTEModeOnReboot            1 (0x1)
SCAddress1                 NULL
SCAddress2                 NULL
SCPort                     5125 (0x1405)
SCUUID                     NULL
SSTag                      NULL
WorkFlowId                 None
Note: All the parameter names preceded by * cannot be configured by the administrator. The
usage and steps to configure the rest of the parameters have been discussed in the relevant
sections of this document.
The NAME signifies the configuration parameter name. The VALUE refers to the new value
of the configuration parameter that is going to be applicable after the change.
Note: Starting with the 6.0.0 release, the feature list has been reduced to show only the
features that require tweaking for routine purposes.
On Windows, the following message is displayed at the command prompt (only commonly used
features are listed below):
activex
deny-read
deny-write
enduser-notification
integrity
network-tracking
pkg-ctrl
Disabled
Disabled
Enabled
Enabled
Disabled
Disabled
Disabled
Disabled
Enabled
Disabled
Enabled
Enabled
Disabled
Enabled
Solaris 10 RBAC is the methodology that Solaris 10 uses to manage its users. This mechanism
does not affect the way Solidifier enforces at the global zone level. Solidifier creates an inventory
of all executables at the global zone level and applies run-time enforcement to the solidified
files.
All Solidifier administrative users are created at the global level, so each administrator has
visibility to the entire system. Solaris User Rights Management and Process Rights Management
offer fine-grained privileges in the kernel and user access space of Solaris. The practical benefit
of these technologies is that applications and users no longer need unlimited
access to the system in order to perform their duties. The kernel itself in Solaris 10 checks only
for Process Rights Management attributes, not for 'root' or super-user access. Solidifier functions at
the global level and will log all changes and enforce security for each user on the system
regardless of the zone the user is in.
3. sadmin commands can only be executed from the global zone (super zone). In the case of
a sparse zone (sub zone), sadmin commands are visible but cannot be executed.
4. Use absolute paths relative to the global zone in all Solidifier commands that require a
pathname. For example, refer to the http.exe file located in Zone3 as /Zone/zone3/root/http.exe.
If the root of zone 'zone1' is /zone/1/root/, then issue the following command from the global
zone to write-protect file /foo in zone1:
# sadmin wp /zone/1/root/foo
For sparse zones, some file systems inside a zone may be loopback (lofs) mounts of a
physical file system present in the global zone. For such cases, the actual physical path should
be used in all Solidifier commands. For example, the /usr file system in sparse zone 'zone1'
may have the following mount table entry, indicating that it is a loopback mount of the /usr
file system present in global zone:
/usr - /zone/1/root/usr lofs - no ro,nodevices,nosub
Then, to make the /usr/bin/touch file an updater, issue the following command from the global zone:
# sadmin updaters add /zone/1/root/usr/bin/touch
For a shared system or application WPAR, some file systems inside the WPAR may be
loopback (namefs) mounts of a physical file system present in the global environment. For
such cases, the actual physical path should be used in all Solidifier commands. For example,
the /usr file system in shared system WPAR 'wpar1' may have the following mount table
entry, indicating that it is a loopback mount of the /usr file system present in the global
environment:
/usr
Then, to make the /usr/bin/touch file an updater, issue the following command from global
environment:
# sadmin updaters add /Wpar/wpar1/usr/bin/touch
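The path rule from the Solaris zone section above and from this WPAR section, worked as an added example (not code from the McAfee guide): a POSIX shell helper that builds the global-side path for a file inside a zone or WPAR, reports whether that path lies on a lofs or namefs loopback mount, and assembles the sadmin command to run from the global zone or environment. The zone and WPAR roots and the vfstab-style mount table are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the McAfee guide: turn a path seen inside a Solaris
# zone or an AIX WPAR into the global-side path that sadmin expects, and report
# whether that path lies on a loopback (lofs / namefs) mount. The roots and the
# vfstab-style mount table below are constructed sample data.

# Constructed mount table: special - mount_point fstype - boot options
MOUNTS='/usr - /zone/1/root/usr lofs - no ro,nodevices,nosub
/usr - /Wpar/wpar1/usr namefs - no ro
/dev/dsk/c0t0d0s5 - /zone/1/root/opt ufs - no -'

# env_root NAME: root of a zone or WPAR as seen from the global side (constructed)
env_root() {
    case "$1" in
        zone1) echo /zone/1/root ;;
        zone3) echo /Zone/zone3/root ;;
        wpar1) echo /Wpar/wpar1 ;;
        *) return 1 ;;
    esac
}

# global_path NAME PATH: absolute global-side path; relative paths are rejected
# because sadmin wants absolute paths relative to the global zone
global_path() {
    root=$(env_root "$1") || return 1
    case "$2" in
        /*) echo "${root}$2" ;;
        *)  return 1 ;;
    esac
}

# loop_mount GLOBAL_PATH: print "mount_point special" for the longest lofs or
# namefs mount point containing the path; prints nothing for a plain file system
loop_mount() {
    printf '%s\n' "$MOUNTS" | awk -v p="$1" '
        $4 != "lofs" && $4 != "namefs" { next }
        index(p, $3 "/") == 1 && length($3) > length(best) { best = $3; spec = $1 }
        END { if (best != "") print best, spec }'
}

# sadmin_cmd VERB NAME PATH: command line to run from the global zone/environment
sadmin_cmd() {
    gp=$(global_path "$2" "$3") || return 1
    echo "sadmin $1 $gp"
}
```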