Removing Server Sensor network modules from Solaris

Technote (FAQ)


Question

How do you remove the Server Sensor network modules from Solaris?

Answer

This article documents the procedure for removing the Server Sensor network modules for Solaris in version 5.5 and higher.

Note: By removing these modules, you disable the network monitoring functionality of the Server Sensor. The RealSecure Server Sensor uses two modules to monitor network traffic as it arrives at the host: rsdrv (the low module, which inspects individual packets) and rstcp (the high module, which correlates multiple packets). Some modules, though not all, are imported into kernel space via the file /etc/devlink.tab; this is the import file that Server Sensor uses to place the rsdrv module within the kernel so that it can be referenced.

The following steps remove the rsdrv (low) module.

  1. Edit the file /etc/devlink.tab (with vi, emacs, etc.) and find the following line:

    type=ddi_pseudo;name=rsdrv;addr1=0rsdrv

  2. Comment out this line by adding a "#" at the beginning. The module will then be ignored during bootstrap.

    Example:
    #type=ddi_pseudo;name=rsdrv;addr1=0rsdrv

  3. Move the module file into another directory so that it can be restored later; in this example /root is used to store the kernel module:

    mv /kernel/drv/rsdrv /root

The next steps remove the rstcp (high) module.

  1. Move the rstcp module file into a directory so that it can be restored later; in this example /root is used to store the kernel module:

    mv /kernel/strmod/rstcp /root

  2. Reboot the host. After the reboot, verify that the modules are no longer present with the following command:

    modinfo | grep rs

  3. Ensure that rsdrv and rstcp do not appear in the resulting list. An error message will be written to syslog; it can be safely ignored.

    Example:
    Apr 26 09:40:10 host.network.net rsagent[PID]: Error in opening Protocol Sensor. Protocol Sensor is DISABLED.

Once the uninstall is complete, the Server Sensor will no longer be able to monitor network events, so all decodes listed under the network tab are rendered inactive. To re-install the modules, perform the above steps in reverse. The host must be rebooted to complete the re-install.
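The procedure above, written as an added shell example (not IBM's own tooling) so that the devlink.tab edit, the module move and the post-reboot modinfo check can each be rehearsed against copies before touching the live system; it assumes devlink.tab fields are tab-separated as devlink.tab(4) defines, and that the module name is the sixth column of modinfo output.

```shell
#!/bin/sh
# Added example, not IBM's tooling: the technote's removal steps as functions
# that take their paths as arguments, so each step can be rehearsed on a copy
# before it is applied to /etc/devlink.tab and /kernel.
# Assumes devlink.tab fields are tab-separated, as devlink.tab(4) defines.

# Steps 1-2: comment out the rsdrv entry so it is skipped at bootstrap.
# Keeps a .bak copy beside the file; lines already starting with '#' are
# left untouched, so running it twice is harmless.
disable_rsdrv_devlink() {
    tab="$1"
    cp "$tab" "$tab.bak" || return 1
    sed 's/^\(type=ddi_pseudo;name=rsdrv;\)/#\1/' "$tab.bak" > "$tab" || return 1
}

# Step 3 (and the rstcp step): move a module out of the kernel tree into a
# holding directory for later restore.  Usage: stash_module /kernel/drv/rsdrv /root
stash_module() {
    mod="$1"; dest="$2"
    [ -f "$mod" ] || { echo "no such module: $mod" >&2; return 1; }
    mkdir -p "$dest" && mv "$mod" "$dest/"
}

# Post-reboot check: read saved modinfo output (header on line 1, module name
# in column 6) and print any sensor module still loaded.  Returns 0 when
# neither rsdrv nor rstcp is present, 1 otherwise.
sensor_modules_loaded() {
    awk 'NR > 1 && ($6 == "rsdrv" || $6 == "rstcp") { print $6; found = 1 }
         END { exit found ? 1 : 0 }' "$1"
}

# Against the live system the sequence is:
#   disable_rsdrv_devlink /etc/devlink.tab
#   stash_module /kernel/drv/rsdrv /root
#   stash_module /kernel/strmod/rstcp /root
#   (reboot)  modinfo > /tmp/modinfo.txt && sensor_modules_loaded /tmp/modinfo.txt
```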



Historical Number

407

Document information


More support for:

IBM Security Host Protection
RealSecure Server Sensor

Software version:

7.0 - SR 4.1, 7.0 - SR 4.2, 7.0 - SR 4.3, 7.0 - SR 4.4

Operating system(s):

Solaris

Reference #:

1434279

Modified date:

2015-02-16
