Downloads: Advanced Host Intrusion Prevention with CSA, part 6 (pps)


Chapter 7: CSA Deployment

— Quiet install—If the installer should not ask any questions of the user, select this option. Otherwise, the user is given both the option to control the installation path and the option to install the network shim.
— Network shim—If this option is selected, the shim is installed. This option is selectable only for a silent install, because in that case you, as the administrator, must make the decision for the user. Otherwise, the user is presented the option during a manual installation of the agent.
— Cisco Trust Agent—If you would like the CSA installer to also install the Cisco Trust Agent (CTA), which is part of the Cisco Network Admission Control (NAC) solution, select this option. Selecting this gives you other configurable options, such as the ability to install the NAC certificate from the Cisco Security ACS server and other CTA parameters.

Figure 7-3 Agent Kit Configuration

Step 5 After selecting the appropriate options for this kit, press Make kit to continue.

Step 6 Finally, a screen displays the options selected and affirms the creation of the Agent Kit. You can always change the group assignments and, therefore, the initial policy for this kit, but you cannot edit the other parameters without recreating the kit entirely. Figure 7-4 displays the final screen.

Figure 7-4 Agent Kit Completion

NOTE It is important to note that this newly created kit cannot be used until the next rule generation is completed.

Agent Kit Retrieval

There are multiple methods used to retrieve Agent Kits. You can obtain an Agent Kit directly from the Systems>Agent Kits page of the CSA MC GUI, as displayed previously in Figure 7-1. Additionally, you can obtain the Agent Kit from the URL specific to the Agent Kit you need by opening the Agent Kit from Systems>Agent Kits. This URL looks something like: https://csamc45/csamc45/webadmin?page=dwnl_agent_kit&id=13.

Another method of retrieval is via a URL protected by Secure Sockets Layer (SSL) that does not require authentication. This allows remote systems that do not have management credentials to pull the kit to their system for installation. The URL you would use in the remote web browser is https://CSA_MC_NAME/csamc45/kits. This URL redirects your browser to a web page with access to all current kits, as displayed in Figure 7-5.

Figure 7-5 Remote Access to Agent Kits via URL

You can also retrieve the kit directly from the folder on the CSA MC itself. The folder location is <Program_Files>\CSCOpx\CSAMC45\bin\webserver\htdocs\deploy_kits. In Figure 7-6, you can see all the kits located in this directory; this is how you would see them on your own MC.

Figure 7-6 Directory Access to Agent Kits on the CSA MC

Agent Kit Dissection

After you retrieve an Agent Kit, you can install it on the system. The executable file is nothing more than a self-extracting zipped file that contains all the installation components and initial configuration settings required. Double-clicking this file starts the installation, which this chapter discusses later. First, you need to open the executable in WinZip to view the files and learn more about what makes up an installer. This allows you to create scripted installers you can use in login scripts and other distribution mechanisms, such as software distribution products from BigFix (www.BigFix.com) and Microsoft (www.Microsoft.com). Use any of the previously mentioned methods to retrieve an agent-installation executable and open the file in WinZip. You will see a set of files similar to those shown in Figure 7-7.

Figure 7-7 Agent Installer Contents as Viewed by WinZip

After you extract the files to a local folder, you can view the contents of most files. The following list provides the names of the files included in the installer, a brief description, and a screenshot when applicable:
• agent.bundle—This file provides software version information, the registration ID (which ties the agent to this specific installation kit), the CSA MC FQDN and IP address, and the ports used for communication.

Figure 7-8 Contents of agent.bundle File

• agent.rul—This file provides the agent with the initial combined ruleset that was valid and current when the Agent Kit was last updated during the most recent Generate rules prior to downloading. This file is not in a readable format.
• agent.var—This file provides several variables the agent reads into its configuration. Many of the variables relate to query messages, but there are also variables that relate to protocol detection. Figure 7-9 displays a sample.

Figure 7-9 Contents of agent.var File

• data1.zip, data2.zip, and data1.hdr—These files contain binary installation portions of the agent and should not be opened.
• engine32.zip—This file contains primarily the DLL files required for installation on the system.
• layout.bin—This is another binary component used by the installer.
• setup.exe—This file is the installation executable used to install the Agent Kit on the system. This file and its command-line parameters are discussed later in this chapter when you look at scripting an installation.
• setup.ibt—This is a configuration file for installation that does not need to be opened.
• setup.ini, setup.inx, and setup.iss—These files provide setup.exe and the included InstallShield installer with the parameters they need to complete installation on the system.
• sslca.cer—This is the self-signed root CA (Certificate Authority) certificate used to secure communication between the agents and the CSA MC. It also ensures that the agent communicates with the correct CSA MC server and not an impostor.
Figure 7-10 sslca.cer Certificate from the CSA MC Contents

When creating installers for your enterprise, you can extract the files in the previous list to a network location and use them in login scripts, other custom scripts, or software-distribution systems. The next section discusses the command-line parameters available to setup.exe that prove useful in many environments.

Installation Parameters and Examples for SETUP.EXE

When you created the original installation kit for the Agent Kit specified earlier in this chapter, you had the option to configure many settings, such as silent installation and the network shim. If you choose to install the Agent Kit using the original self-extracting zip executable, your parameters remain intact, but the installation is never truly silent because the installer still launches a few graphic popups. It is a noninteractive installer and does not require user input, but it is not hidden from the user's view during installation. If you want to script a silent installer, you need to extract the Agent Kit files and place them in an accessible location. After you extract them, you can call the setup.exe installer with added command-line parameters to apply numerous settings to the installer. The next sections explain the available command-line options for setup.exe and also provide some examples of using the executable in real-world deployments.

Command-Line Parameters

The setup.exe included in the zip file retrieved from the MC can use a few command-line parameters that you should be familiar with before attempting to write a scripted install. Most of the following options use a value of 0 for disabled and 1 for enabled.
• /s—Specifies a silent installation.
• autolevel=X—Specifies the amount of interaction. Here X should be replaced by 0, 1, 2, or 3.
—0 = This is the default and does not need specification. All errors, messages, questions, and warnings are displayed to the user. This is a fully interactive installation.
—1 = No confirmations and no prompts for confirmations. Always take default actions.
—2 = No warnings are displayed.
—3 = Suppresses all warnings and errors but still shows status boxes to the user.
• nshim=X—Specifies whether the network shim should be installed. Here X should be set to 1 to enable the network shim.
• install_cta=X—Specifies whether the Trust Agent should be installed. Here X should be 1 to run the CTA installer packaged with the Agent Kit.
• leave_cta=X—Controls whether or not the Trust Agent should be uninstalled when the CSA software is uninstalled. Set X to 1 if the CTA should remain when the Agent Kit is uninstalled.
• reboot=X—Specifies whether an automatic reboot should occur after installation completes. If X is set to 1, a reboot occurs.
• rebootdelay=X—Specifies the amount of time before the automatic reboot occurs if reboot=1, as previously discussed. The reboot occurs in X seconds, with a default of 300 seconds if not specified.
• mt=removeall—Specifies that a complete uninstall should occur. This option removes the Agent Kit from the system. You must ensure that the user running the setup file can stop the agent service for a successful uninstallation.

The preceding switches are passed on the command line to the setup.exe installer with a leading -- to denote each individual switch, except for the silent install switch, which is /s. The following section illustrates some examples.

Command-Line Installation Examples

Using command-line parameters, you can script many types of agent installations. The following are a few examples:
• Install the Agent Kit silently with no prompts and an automatic reboot. These are common installation options for mass deployment mechanisms. The only popup displayed is related to the fact that the agent is installing.
  setup.exe /s --autolevel=3 --reboot=1
• Install the Agent Kit silently with no prompts, an automatic reboot after 15 seconds, and CTA installation without removal at CSA uninstall time.
  setup.exe /s --autolevel=3 --reboot=1 --rebootdelay=15 --install_cta=1 --leave_cta=1
• Uninstall the Agent Kit silently with no prompts.
  setup.exe /s --mt=removeall --autolevel=3

NOTE During scripted uninstallation, there might still be CSA query prompts for the user to turn off the agent service and run installation programs.

Allowing Scripted Uninterrupted Uninstall

When you attempt to run a silent command-line uninstallation, you often run into issues when the currently installed CSA policy queries prompt the user. These queries are typically related to stopping the agent service and running installation programs. You can circumvent these issues through CSA policy implementation and a tool like SysInternals PSEXEC, which allows you to run commands on local and remote systems as another user. To accomplish this, follow a few simple steps to make an additional policy that allows you to perform the unattended uninstallation without prompts.

Step 1 Create two rule modules called Unattended CSA Uninstallation Rule Module and Unattended CSA Uninstallation Rule Module 2.

Step 2 Set these rule modules to be enforced only when a User/Group state set is active. For our example, use the Administrator state set for Unattended CSA Uninstallation Rule Module and the System Account state set for Unattended CSA Uninstallation Rule Module 2. Figure 7-11 shows an example of setting the state set.

Figure 7-11 New Rule Module with State Set Applied

Step 3 Create a new policy called Unattended CSA Uninstallation Policy and associate the rule modules created in Step 1 with this policy.
Step 4 Add the necessary rules to the new rule modules:
(a) Add an Agent Service Control rule to the Unattended CSA Uninstallation Rule Module that allows <All Applications> (or specifically the csacontrol.exe application) to disable the Agent Service.
(b) Add an Application Control rule to the Unattended CSA Uninstallation Rule Module 2 that allows SVCHOST.EXE to run SETUP.EXE from the specified agent installer path.
(c) Add any other rules necessary per your own testing and currently deployed policy.
You can see the rules in the sample rule modules in Figures 7-12 and 7-13.
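As an added example (not from the book or from Cisco), here is a PowerShell wrapper that ties together the Agent Kit file list from the dissection section, the sslca.cer pinning point, and the setup.exe switches above into one deployable script. The share path, the thumbprint placeholder, and the parameter names are assumptions; for the uninstall case it assumes you run it through PsExec as an account whose state set the Unattended CSA Uninstallation policy covers.

```powershell
# Added example, not from the book or from Cisco. Assumes the Agent Kit was
# extracted (WinZip, as described above) to $KitPath, and that
# $ExpectedCaThumbprint is replaced with the SHA-1 thumbprint of your own
# CSA MC's sslca.cer. For -Uninstall, launch it as the account whose state
# set the Unattended CSA Uninstallation policy covers, e.g. via psexec -s.
param(
    [string]$KitPath = '\\fileserver\csa\kit',            # assumed share path
    [string]$ExpectedCaThumbprint = 'REPLACE_WITH_SSLCA_CER_THUMBPRINT',
    [switch]$Uninstall,
    [int]$AutoLevel = 3,                                  # 0-3, see Command-Line Parameters
    [switch]$NetworkShim,
    [switch]$InstallCta,
    [int]$RebootDelay = 300                               # seconds; 300 is setup.exe's default
)

# 1. Check that every file from the Agent Kit dissection list is present; a kit
#    that lost agent.bundle or agent.rul on the share fails in unhelpful ways.
$required = 'agent.bundle','agent.rul','agent.var','data1.zip','data2.zip','data1.hdr',
            'engine32.zip','layout.bin','setup.exe','setup.ibt','setup.ini','setup.inx',
            'setup.iss','sslca.cer'
$missing = $required | Where-Object { -not (Test-Path (Join-Path $KitPath $_)) }
if ($missing) { throw "Agent Kit at $KitPath is incomplete; missing: $($missing -join ', ')" }

# 2. sslca.cer is what keeps an agent from talking to an impostor MC, so pin the
#    copy on the share to the root CA your MC actually issued before mass deployment.
$cerPath = Join-Path $KitPath 'sslca.cer'
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
if ($cer.Thumbprint -ne $ExpectedCaThumbprint.ToUpper()) {
    throw "sslca.cer thumbprint $($cer.Thumbprint) does not match the expected CSA MC root CA"
}

# 3. Assemble the switches. /s is the InstallShield silent flag; the CSA-specific
#    switches use the leading -- form from the chapter's examples.
$setupArgs = @('/s', "--autolevel=$AutoLevel")
if ($Uninstall) {
    $setupArgs += '--mt=removeall'   # full removal; the caller must be able to stop the agent service
} else {
    $setupArgs += '--reboot=1', "--rebootdelay=$RebootDelay"
    if ($NetworkShim) { $setupArgs += '--nshim=1' }
    if ($InstallCta)  { $setupArgs += '--install_cta=1', '--leave_cta=1' }
}

# 4. Run setup.exe synchronously and fail loudly on a non-zero exit code so the
#    login script or distribution system records the result per host.
$proc = Start-Process -FilePath (Join-Path $KitPath 'setup.exe') -ArgumentList $setupArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "setup.exe exited with code $($proc.ExitCode)" }
Write-Output "CSA agent $(if ($Uninstall) { 'removed' } else { 'installed' }) with: setup.exe $($setupArgs -join ' ')"
```

Because the thumbprint check runs before setup.exe, a tampered or stale sslca.cer on the distribution share stops the rollout on the first host instead of silently enrolling every agent against the wrong MC.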

Posted: 14/08/2014, 18:21

Table of contents

  • Part IV CSA Policy
