1.5.2.4-ISS-PSL-FP004 - Proventia Server for Linux 1.5.2 Fix Pack 4

Fix readme


Abstract

Proventia Server for Linux 1.5.2 fix pack 4 installation package. This cumulative installation increments the agent version to 1.5.2.4.

Content

Important: When performing administration tasks via ssh or local console, configuration changes made to your IBM appliance by any user other than admin could degrade appliance performance. Installing or activating other services or applications may also impact appliance performance or security. IBM Infrastructure Security Support will not support configuration changes made using the root user account unless specifically directed by a support engineer or IBM documentation. The following DCF Technote content is supported. Any further changes made that are not included in this document will place your product into an unsupported state and IBM product support may require you to reimage your appliance to restore it to a supported state.




Proventia Server for Linux 1.5.2 Fix Pack 4 README
========================================================================


========================================================================
ABSTRACT
========================================================================

Proventia Server for Linux 1.5.2 fix pack 4 installation package.
This cumulative installation increments the agent version to 1.5.2.4.


========================================================================
SUMMARY
========================================================================
Readme file for: Proventia Server for Linux
Product/Component Release: 1.5.2.4
Update Name: 1.5.2.4-ISS-PSL-FP004
Platforms: All supported platforms
Publication date: October 21, 2013
Last Modification date: October 21, 2013

© Copyright IBM Corporation 2013.

Please read this document in its entirety.


========================================================================
CONTENTS
========================================================================

* List of enhancements
* List of APARs addressed
* List of internally identified defects addressed
* Installation information
* Post-installation information
* Additional information
* Files included in this update
* Contacting IBM Support


========================================================================
LIST OF ENHANCEMENTS
========================================================================

Enhancements new to 1.5.2.4:

1. In addition to updating an existing installation, the fix pack
installer may be used to install the software without having
to previously install the base Proventia Server for Linux 1.5.2
package.

2. Support for IBM HTTP Server 8.5 is added.

The following combinations of IBM HTTP Server 8.5 and operating system architecture are now supported:

o IBM HTTP Server 8.5 32-bit (on 32-bit or 64-bit operating systems)
o IBM HTTP Server 8.5 64-bit

NOTE: Web server SSL traffic inspection support remains limited to
Intel architecture platforms.

Support for Web server SSL traffic inspection for newly supported Web servers is enabled after installing the fix pack by running a new command, /opt/ISS/etc/configure_mod_rs. Information for running this command can be found in the section below, "CONFIGURING WEB SERVER SSL TRAFFIC INSPECTION INFORMATION".

Enhancements new to 1.5.2.3:

None.

Enhancements new to 1.5.2.2 (limited availability):

None.

Enhancements new to 1.5.2.1:

1. Web server SSL traffic inspection is extended to support the following Web servers. A leading '*' indicates a newly supported Web server.

o Apache 2.0 32-bit (on 32-bit operating systems)
o Apache 2.2 32-bit (on 32-bit operating systems)
o Apache 2.2 32-bit (on 64-bit operating systems)
o * Apache 2.2 64-bit
o * IBM HTTP Server 7.0 32-bit (on 32-bit or 64-bit operating systems)
o * IBM HTTP Server 8.0 32-bit (on 32-bit or 64-bit operating systems)
o * IBM HTTP Server 8.0 64-bit

NOTE: Web server SSL traffic inspection support remains limited to
Intel architecture platforms.

Support for Web server SSL traffic inspection for newly supported Web servers is enabled after installing the fix pack by running a new command, /opt/ISS/etc/configure_mod_rs. Information for running this command can be found in the section below, "CONFIGURING WEB SERVER SSL TRAFFIC INSPECTION INFORMATION".


========================================================================
LIST OF APARS ADDRESSED
========================================================================

APARs addressed by 1.5.2.4:

None.

APARs addressed by 1.5.2.3:

IV26032 Need to move /tmp/isslum-ctrl file to the /var/run directory

The agent relied on the persistence of the isslum-ctrl and
other files in /tmp. The agent components that rely on
this persistence now utilize the /var/run directory hierarchy
for such files.

APARs addressed by 1.5.2.2 (limited availability):

None.

APARs addressed by 1.5.2.1:

None.

========================================================================
LIST OF INTERNALLY IDENTIFIED DEFECTS ADDRESSED
========================================================================

Internally identified defects addressed by 1.5.2.4:

13319 - Returned user-defined syslog file names specified by wild card contain an extra slash.

13276 - Long syslog lines truncated unexpectedly when returned to SiteProtector. Limit should be 4K.

14544 - Agent status goes to Active with Errors after upgrade.

29837 - ids.excludeinterfaces should be able to contain white space characters.

40844 - Installation can hang if stale NFS mounts are present on the system.

41669 - On systems with rsyslogd version 5 (RHEL 6.3 or later), the installer must restart rsyslogd rather than send it a HUP signal to reload the configuration.

43170 - The configure_mod_rs script does not work on SLES endpoints if /usr/sbin/apache2ctl is specified.

43654 - PSL Agent's issDaemon process sometimes does not stop successfully.

44056 - Template files were not preserved on configuration, making future
upgrades more difficult than necessary. Template files are now
preserved.

44058 - Agent should release its license and indicate stopped status to SiteProtector when shut down.

44588 - issCSF may terminate unexpectedly in rare circumstances.

45244 - issCSF may spin on termination if the number of text log monitoring groups is reduced.

45702 - Repeated installing and uninstalling may create a situation where the SSL inspection module IPC resources are not correctly initialized, causing SSL inspection not to operate.

45802 - The SSL inspection module may cause IBM HTTP Server to crash on shutdown with messages in the web server log indicating pure virtual function calls.

Internally identified defects addressed by 1.5.2.3:

17108 - Web plug-in does not always pass sufficient data to PAM.

17133 - In limited circumstances, the PSL agent may not block TCP traffic that should be blocked.

17944 - Enhanced apache module logging. Logging performed by the PSL module is now better integrated to the apache logging subsystem.

19166 - Performance enhancements to network traffic inspection.

20044 - In limited circumstances, TCP reset packets for connections closed by the agent would not be transmitted.

Internally identified defects addressed by 1.5.2.2 (limited availability):

16881 - Fix pack installation would partially succeed and then fail silently if the security content (PAM) RPM was at the same or later level than the security content included in the fix pack.

17125 - Fix pack installation would not install 64-bit security content (PAM) on a 64-bit system if the existing 32-bit PAM was at the same or later level than the security content included in the fix pack.

17191 - The pslconfig utility does not validate port ranges correctly. Ranges where the end port comes lexically before the start port are rejected even though, when compared numerically, they should be considered valid. For example, the range 80-100 was rejected when it should have been accepted.

Internally identified defects addressed by 1.5.2.1:

14070 - 32-bit Web servers running on 64-bit platforms cannot be protected with the SSL protection module.

14079 - Web server module does not handle PAM tuning parameters.

========================================================================
INSTALLATION INFORMATION
========================================================================

The fix pack is available both as an X-Press Update (XPU) from the IBM Security download center and a self-extracting shell archive (shar) from IBM Support Fix Central.

The XPU package can be applied to any existing Proventia Server for Linux installation from version 1.5 provided the platform requirements are met.

Please review the current System Requirements Document for details of platform requirements. A link to this document is provided at the end of this section.

The shar package can be applied to any existing Proventia Server for Linux installation from version 1.5.2.

The shar package can also be used to install the full software on a system without Proventia Server for Linux already installed.

To install the shell archive fix pack:

As the root user run the shar file corresponding to the Linux distribution you have:

On Intel systems:

RedHat:
# sh ./1.5.2.4-ISS-PSL-LinuxIntel-RHEL-FP004.sh

SuSE:
# sh ./1.5.2.4-ISS-PSL-LinuxIntel-SLES-FP004.sh

On zSeries systems:

RedHat:
# sh ./1.5.2.4-ISS-PSL-LinuxS390-RHEL-FP004.sh

SuSE:
# sh ./1.5.2.4-ISS-PSL-LinuxS390-SLES-FP004.sh


For complete information about hardware and software compatibility, see the detailed system requirements document at:

http://publib.boulder.ibm.com/infocenter/sprotect/v2r8m0/topic/com.ibm.psl.doc_1.5/concepts/psl_pdf_container.htm

If the Proventia Server services are running when the fix pack is installed, then the services are automatically stopped and restarted.

The agent version might be displayed as an earlier version than 1.5.2.4 because the iss-spa service can be started to send a heartbeat to SiteProtector while Fix Pack 4 is being installed. After Fix Pack 4 is installed and the iss-spa service sends another heartbeat to SiteProtector, the agent version will appear correctly as 1.5.2.4.

========================================================================
POST-INSTALLATION INFORMATION
========================================================================

If you use the SSL traffic inspection support of Proventia Server for Linux, you must restart any integrated Web servers after the fix pack is applied.

This must be done manually after the fix pack has been installed either as an X-Press Update or as a shell archive.

To identify the set of Web servers integrated with Proventia Server for Linux on a particular system examine the file:

/opt/ISS/proventia_server_1/ApacheRootInfo

========================================================================
CONFIGURING WEB SERVER SSL TRAFFIC INSPECTION INFORMATION
========================================================================

NOTE: Web server SSL traffic inspection support remains limited to
Intel architecture platforms.

Support for Web server SSL traffic inspection for newly supported Web servers is enabled after installing the fix pack by running a new command. The new command has the following syntax:

# /opt/ISS/etc/configure_mod_rs APACHE_BIN APACHE_CONF

where:

APACHE_BIN is the full path to the Web server's apachectl
or httpd program. For IBM HTTP Server, specify the
apachectl program. For Apache, specify the httpd program.

APACHE_CONF is the full path to the Web server's
configuration file.

For example, to enable SSL traffic inspection for an IBM HTTP Server Web server installed to the /opt/IBM/HTTPServer directory the configure_mod_rs command should be executed as:

# /opt/ISS/etc/configure_mod_rs /opt/IBM/HTTPServer/bin/apachectl \
/opt/IBM/HTTPServer/conf/httpd.conf

The Web server must then be restarted.


========================================================================
ADDITIONAL INFORMATION
========================================================================

Packet data is stored in the socket receive buffer of the kernel. If this buffer becomes full, PSL receives ENOBUFS errors on the socket and the packet is dropped.

To prevent this situation from occurring, you can use the following tuning parameters to increase the socket buffer size:

net.core.rmem_default
net.core.rmem_max

Implement these parameters when you install the fix pack. You must restart the Proventia Server for Linux sensor to ensure that the new socket buffer size is used by the sensor.

If your network performance continues to degrade after you install this fix pack, then you must implement and tune these parameters. System administrators can determine whether these parameters need to be tuned by monitoring the /proc/net/ip_queue file for the number of "netlink drops" recorded.

To implement the tuning parameters:

1. Verify existing settings by using the command:

# sysctl -a | grep core.rmem

2. Ensure that the minimum recommendation of 4194304 is set:

# sysctl -w net.core.rmem_max=4194304
# sysctl -w net.core.rmem_default=4194304

NOTE: This setting is fine for most scenarios, but if you
determine that it is inadequate for your system, then
increase it in 1 MB increments.

3. Repeat Step 1 to verify the setting.

4. Restart the sensor.

Settings made with sysctl -w do not persist across reboots of the system. To make these settings persistent, add the new values to the file:

/etc/sysctl.conf

Example:

Edit /etc/sysctl.conf
Add
net.core.rmem_default = 4194304
net.core.rmem_max = 4194304
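As an added example (not part of the IBM readme), the following POSIX shell helpers check the live net.core.rmem_* values against the readme's 4194304 minimum, persist them idempotently in a sysctl.conf-style file, and read the netlink drop counter the readme says to monitor; the ip_queue field name and all sample values are assumptions.

```shell
#!/bin/sh
# Added example (not part of the IBM readme): check the live
# net.core.rmem_* values against the readme's 4194304 minimum,
# persist them in a sysctl.conf-style file and read the
# netlink drop counter the readme says to monitor.
MIN_RMEM=4194304
# Live value of a sysctl key, read from /proc/sys (0 if unreadable).
read_sysctl() {
    cat "/proc/sys/$(printf '%s' "$1" | tr . /)" 2>/dev/null || echo 0
}

# Succeeds when a value already meets the recommended minimum.
meets_minimum() {
    [ "${1:-0}" -ge "$MIN_RMEM" ]
}

# Set "key = value" in a sysctl.conf-style file: replace an existing
# line for that key, otherwise append. Safe to run repeatedly.
persist_setting() {
    key=$1; value=$2; file=$3
    [ -f "$file" ] || : > "$file"
    awk -v k="$key" -v v="$value" '
        { name = $0; sub(/=.*/, "", name); gsub(/[ \t]/, "", name) }
        name == k { print k " = " v; done = 1; next }
        { print }
        END { if (!done) print k " = " v }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Value persisted for a key in a sysctl.conf-style file (last one wins).
persisted_value() {
    awk -F= -v k="$1" '{ name = $1; gsub(/[ \t]/, "", name) }
        name == k { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val) }
        END { print val }' "$2"
}

# Netlink drop counter from an ip_queue status file. The field name is
# assumed to match the kernel's ip_queue output ("Netlink dropped : N").
netlink_drops() {
    awk -F: 'tolower($1) ~ /^netlink drop/ { gsub(/[ \t]/, "", $2); print $2 }' "$1"
}

# Root only: the readme's steps 1-4 on a live system, then persist.
apply_tuning() {
    for key in net.core.rmem_default net.core.rmem_max; do
        meets_minimum "$(read_sysctl "$key")" || sysctl -w "$key=$MIN_RMEM"
        persist_setting "$key" "$MIN_RMEM" /etc/sysctl.conf
    done
    echo "Restart the Proventia Server for Linux sensor to use the new buffer size"
}
```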


========================================================================
FILES INCLUDED IN THIS UPDATE
========================================================================

The files included in this update are the four fix pack shell archives named in the INSTALLATION INFORMATION section (RHEL and SLES builds for Intel and zSeries); MD5, SHA1 and SHA256 check sums were published for each.

========================================================================
CONTACTING IBM SUPPORT
========================================================================


To Contact IBM Support Worldwide

Phone:
Call IBM Support by selecting a phone number from this location:
http://www.ibm.com/planetwide
When prompted for type of support, select option 2 for Software Support.
You will need to provide your IBM Customer Number (ICN).

Electronically:
Go to https://www.ibm.com/support/servicerequest
and open a new service request.


===========================================================================

Product Alias/Synonym

PSL

Document information

More support for: IBM Security Host Protection, Proventia Server
Software version: 1.5.2
Operating system(s): Linux
Software edition: All Editions
Reference #: 1653086
Modified date: 2014-08-22
