Hints for installing and configuring the AIX OS sensor 5.x on AIX 4.3.2 with Console 6.x on NT 4.0
ISS has documentation at http://www.iss.net/customer_care/resource_center/online_doc/
Necessary file for AIX install
s5.0.2000.174-AIX-4.3-release.gz
/opt/ISS
The ISS Sensor is installed in /opt/ISS by default. You may choose to create its own filesystem to keep it from filling the root filesystem "/".
Installing and configuring the Management Console on NT 4.0
1. Check that MDAC 2.5 is installed.
2. Install Msde2000.exe; this isn't necessary if you already have SQL Server on the workstation.
3. Install RealSecureWorkgroupManager60.exe
During the install, when it asks to harden the security of the RealSecure Console, say NO by checking the box "Do Not Lock Down".
When generating the private/public key pairs, use the encryption provided by ISS called "ISS ECNRA Built-In Provider Strong Encryption Version /EC_KEYX EC239A01". Give the keys a passphrase and make a copy of the keys in case you need to reinstall a WorkGroup Manager.
Follow these 2 steps BEFORE starting RealSecure for the first time.
2. Copy the public keys from the WorkGroup Manager to the Sensor server.
Location of public keys on WorkGroup Manager machine
C:\Program Files\ISS\issDaemon\Keys\Archives\CerticomNRA
Where to put the public keys on Sensor server
/opt/ISS/RealSecure/Keys/CerticomNRA
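After copying, the key directory on the sensor can be checked with the script below. It is an added example, not part of the original hints or of ISS's tooling; the function name audit_keydir and its return codes are assumptions of this example, and the only path used is the one given above. It confirms the directory exists, holds at least one file, and is not writable by group or other (anyone who can write there can add or replace a key file), then prints cksum values for comparison with the copies you kept.

```shell
#!/bin/sh
# Added example: audit the sensor's key directory after the public keys
# have been copied from the WorkGroup Manager machine.
# Usage on the sensor: sh audit_keys.sh /opt/ISS/RealSecure/Keys/CerticomNRA
# (the script name audit_keys.sh is hypothetical)

# audit_keydir DIR
#   returns 0  directory present, has key files, permissions are tight
#   returns 1  directory is missing
#   returns 2  directory exists but no files were copied into it
#   returns 3  directory or a file in it is group- or world-writable
audit_keydir() {
    dir="$1"

    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi

    # At least one regular file must be present after the copy.
    if [ -z "$(find "$dir" -type f)" ]; then
        echo "no key files found in $dir"
        return 2
    fi

    # -perm -020 matches group-writable, -perm -002 matches world-writable.
    loose=$(find "$dir" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \))
    if [ -n "$loose" ]; then
        echo "writable by group or other:"
        echo "$loose"
        return 3
    fi

    # Checksums and sizes, one line per file, for comparison with the
    # copies kept from the WorkGroup Manager machine.
    find "$dir" -type f -exec cksum {} \;
    return 0
}

# Run the audit only when a directory is passed on the command line.
if [ $# -gt 0 ]; then
    audit_keydir "$1"
fi
```

A return code of 3 is fixed by removing group and other write permission from the listed paths before RealSecure is started.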
When starting the RealSecure WorkGroup Manager, DON'T run the deployment wizard; it doesn't work correctly.
Adding an asset
From the "Managed Assets" window, choose Asset, Manage.
Click "ADD >>"
Choose Daemon, and type in the name of the server and the hostname or IP address.
Click "Add Asset"; it will add the Daemon asset and then add the system agent.
Now choose the asset "system_agent_1". OK.
As long as all is successful, the status should show as connected and active in the "Managed Assets" window.
Configuring and Testing the policies
Deselect all the policies except those on the "Suspected Connections" tab in the Policy Editor. You may choose to set up custom policies that can search for patterns in the syslog.
To test that the policy is working for finger scans, try running the finger client from the sensor machine against itself. A machine "plato" can try to finger root on its local machine with this line:
finger root@plato
A port scanner like nmap works well for checking, but be sure you have permission to use it on the sensor server.