How do you remove the Server Sensor network modules from Solaris?
This article documents the procedure for removing the Server Sensor network modules for Solaris in version 5.5 and higher.
Note: Removing these modules disables the network monitoring that the Server Sensor is built on.
The RealSecure Server Sensor uses two modules for monitoring network traffic as it comes to the host. These two modules are rsdrv (the low module that looks at individual packets) and rstcp (the high module that correlates multiple packets). Some modules, but not all, are imported into kernel space through the file /etc/devlink.tab. Server Sensor uses this import file to place the rsdrv module within the kernel so that it can be referenced.
The following steps are needed in order to remove the rsdrv (low) module.
- Edit (vi, emacs, etc.) the file /etc/devlink.tab and find the below line:
- Comment out this line by adding "#" at the beginning. This causes the module to be ignored during bootstrap.
- Move the module file into another directory for later reference. In this example, /root is used to store the kernel module. See the command below:
mv /kernel/drv/rsdrv /root
The next steps remove the rstcp (high) module.
- Move the rstcp module file into a directory for later reference. In this example, /root is used to store the kernel module. See the command below:
mv /kernel/strmod/rstcp /root
- Reboot the host server. After the reboot, use the following command to verify that the modules are not present:
modinfo | grep rs
- Ensure that rsdrv and rstcp are not in the list that appears. An error message like the following will appear in the syslog and can be safely ignored:
Apr 26 09:40:10 host.network.net rsagent[PID]: Error in opening Protocol Sensor. Protocol Sensor is DISABLED.
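Because `grep rs` matches any modinfo line containing "rs", the verification step can be tightened to exact module names. The script below is an added example, not part of the original article or the product; the function names are hypothetical, the sample data is constructed, and it assumes the module name appears as its own field before the "(description)" in modinfo output.

```shell
#!/bin/sh
# Added example: exact-name checks for the Server Sensor modules.

# Read `modinfo` output on stdin and print rsdrv/rstcp if loaded.
# Assumption: the module name is a whitespace-separated field that comes
# before the "(description)" part of each line.
loaded_sensor_modules() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^\(/) break    # description starts, stop looking
            if ($i == "rsdrv" || $i == "rstcp") { print $i; break }
        }
    }'
}

# Succeed only when neither module is listed (modinfo output on stdin).
sensor_modules_removed() {
    [ -z "$(loaded_sensor_modules)" ]
}

# Print lines of a devlink.tab-style file that mention rsdrv and are not
# commented out with "#".
active_devlink_entries() {
    awk '$1 !~ /^#/ && /rsdrv/' "$1"
}

# Constructed sample, not taken from a real host. `grep rs` matches the
# last three lines; only the final one is a Server Sensor module.
SAMPLE_MODINFO=' Id Loadaddr   Size Info Rev Module Name
 12 1234a000   1f40   -   1  demo_a (constructed: timers)
 57 7b2c0000   2a10 201   1  rsdemo (constructed)
 98 7be00000   8c20   -   1  rstcp (constructed)'

# On the Solaris host itself, run the checks against live data.
if [ "$(uname -s)" = "SunOS" ]; then
    if modinfo | sensor_modules_removed; then
        echo "rsdrv and rstcp are not loaded"
    else
        echo "still loaded: $(modinfo | loaded_sensor_modules | tr '\n' ' ')"
    fi
    if [ -n "$(active_devlink_entries /etc/devlink.tab)" ]; then
        echo "/etc/devlink.tab still has an active rsdrv entry"
    fi
fi
```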