
Removing Server Sensor Network Modules from Solaris


Technote (FAQ)


Question

How do you remove the Server Sensor network modules from Solaris?

Answer

This article documents the procedure for removing the Server Sensor network modules for Solaris in version 5.5 and higher.

Note: By removing these modules, you disable the fundamental network monitoring of the Server Sensor.

The RealSecure Server Sensor uses two modules for monitoring network traffic as it comes to the host. These two modules are rsdrv (the low module that looks at individual packets) and rstcp (the high module that correlates multiple packets). Some modules, not all, are imported into kernel space by the file /etc/devlink.tab. This is the import file that Server Sensor uses to place the rsdrv module within the kernel in order to be referenced.

The following steps are needed in order to remove the rsdrv (low) module.

1. Edit (vi, emacs, etc.) /etc/devlink.tab and move to the line that reflects the following:

    type=ddi_pseudo;name=rsdrv;addr1=0    rsdrv

2. Comment out that line by placing the symbol "#" at its beginning. This will cause the module to be ignored during bootstrap.

3. Move the actual module file into a directory for reference later. For this example, /root will be used to store the kernel module.

    mv /kernel/drv/rsdrv /root

This will only remove the low module. The next steps are used to remove the rstcp (high) module:

1. Move the actual rstcp module file into a directory for reference later. For this example, /root will be used to store the kernel module.

    mv /kernel/strmod/rstcp /root

This removes the rstcp module.

NOTE: After completing the above, a reboot must occur. After a reboot of the host, in order to verify that the modules are not present, use the following command:

    modinfo | grep rs

Ensure that rsdrv and rstcp are not in the list that appears.

NOTE: An error message will appear in the syslogs; it can be safely ignored. The message is as follows:

    Apr 26 09:40:10 host.network.net rsagent[PID]: Error in opening Protocol Sensor. Protocol Sensor is DISABLED.

Upon completion of the uninstall, the Server Sensor will not be able to monitor for network events. Therefore, all decodes that are listed under the network tab are rendered inactive.

In order to re-install the modules, use the reverse of the above steps. A reboot must occur after the install as well.
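The post-reboot verification above can be scripted so that it checks all three places the procedure touches and does not false-match unrelated modules whose names contain "rs". This is an added example, not IBM's own code; it assumes a POSIX shell (ksh or bash rather than the legacy Bourne /bin/sh), the function names are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: verify the rsdrv/rstcp removal after the reboot.

# Succeeds (0) if devlink.tab ($1) has no uncommented rsdrv entry.
devlink_entry_disabled() {
    ! grep '^[^#]*name=rsdrv;' "$1" >/dev/null
}

# Print rsdrv/rstcp if either appears as a whole field in saved
# modinfo output ($1). Unlike "grep rs", other names are ignored.
loaded_sensor_modules() {
    awk '{ for (i = 1; i <= NF; i++)
             if ($i == "rsdrv" || $i == "rstcp") print $i }' "$1"
}

# check_removal DEVLINK_TAB KERNEL_DIR MODINFO_FILE
# Returns 0 only if the entry is commented out, both module files
# are gone from KERNEL_DIR, and neither module is loaded.
check_removal() {
    rc=0
    devlink_entry_disabled "$1" || { echo "active rsdrv entry in $1"; rc=1; }
    for f in drv/rsdrv strmod/rstcp; do
        [ ! -e "$2/$f" ] || { echo "module file still present: $2/$f"; rc=1; }
    done
    mods=$(loaded_sensor_modules "$3")
    [ -z "$mods" ] || { echo "still loaded:" $mods; rc=1; }
    return $rc
}

# Constructed sample data (not from a real host) so this runs anywhere.
demo=$(mktemp -d)
mkdir -p "$demo/kernel/drv" "$demo/kernel/strmod"
printf '#type=ddi_pseudo;name=rsdrv;addr1=0\trsdrv\n' > "$demo/devlink.tab"
printf ' Id Loadaddr   Size Info Rev Module Name\n'     > "$demo/modinfo.out"
printf ' 97 7b6f2000   1a30  12   1  cursors (constructed)\n' >> "$demo/modinfo.out"
check_removal "$demo/devlink.tab" "$demo/kernel" "$demo/modinfo.out" \
    && echo "rsdrv and rstcp are removed"
rm -rf "$demo"
```

On the host itself, save the module list with `modinfo > /tmp/modinfo.out` and call `check_removal /etc/devlink.tab /kernel /tmp/modinfo.out`.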


If the above information does not resolve your issue, please contact IBM Security Solutions Customer Support.

Cross reference information
Segment Product Component Platform Version Edition
Security RealSecure Network Sensor RealSecure Network Sensor

Historical Number

407

Product Alias/Synonym

RealSecure Server Sensor
RealSecure Network Sensor


Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.


Document information

IBM Security Host Protection

RealSecure Server Sensor


Software version:
7.0 - SR 4.1, 7.0 - SR 4.2, 7.0 - SR 4.3, 7.0 - SR 4.4


Operating system(s):
Solaris


Reference #:
1434279


Modified date:
2013-02-20
