TSOM 4.1.1 Device Rules Update Package : 2012/06

Downloadable files


Abstract

TSOM 4.1.1 Device Rules Update Package for both the CMS and EAM(s)

Download Description

The following is a cumulative device rules update package, to be used by the TSOM 4.1.1 Update Utility to update the EAM rules and CMS sensor-based tables.

ADVISORY

- There have been updates to the UCM.CFG file; please download and review it.

- The README file has been updated with an overview of how to use the new device support for: Oracle 10g audit logs, IBM AIX 5.x-6.1 audit logs, and Bluecoat via UCM logs.

- Before applying this update to any EAM, check for the existence of:
TSOM_INSTALL_HOME/conduits/syslog/devices/SourceFire.pm
If this file exists, delete it, as it is a replica of Sourcefire.pm.

- If custom support for a device is being developed within a TSOM 4.1.1 deployment, it is imperative that a sensor_type_id of 10,000 or greater is used when populating the sensor_type table. To further clarify, IBM TSOM reserves sensor_type_id values of 1 through 9,999 for internal purposes. If any sensor_type_id - for custom device support rules - has a value that is less than 10,000, IBM TSOM Device Rules may not deploy properly.

- The device rules package includes experimental rules that are disabled by default. Before use, they have to be explicitly enabled in the device rules configuration file. See the README for more details.

Installation Instructions


Download the DeviceRules-20120622.jar file and store it on the CMS and all EAMs.

Note: An EAM on the Windows operating system does not support Device Rules written in Perl; only Java-based Device Rules are supported.

Installation instructions for TSOM 4.1.1 with Fix Pack 10 and above


UNIX, Linux and Windows; applies to CMS and EAM:
  1. The Device Rules Package must be upgraded consistently on all EAMs and on CMS.
  2. For every EAM and CMS, follow the steps below:
    1. Ensure you have root or Administrator access permission while upgrading the Device Rules.
    2. Stop the server before proceeding.
    3. Go to the directory where TSOM (<TSOM_HOME>) is installed and copy the downloaded Device Rules Package DeviceRules-20120622.jar to the subdirectory devicerules_repository.
    4. Launch the script devicerules_install.sh on UNIX or Linux, or devicerules_install.bat on Windows, providing the path to the Device Rules Package.
      • On UNIX or Linux: ./bin/devicerules_install.sh -file devicerules_repository/DeviceRules-20120622.jar install
      • On Windows: .\bin\devicerules_install.bat -file devicerules_repository\DeviceRules-20120622.jar install
  3. After successful installation, restart every EAM and CMS so that the updated rules can be used.


Installation instructions for TSOM 4.1.1 prior to Fix Pack 10; UNIX and Linux

Applies to CMS and EAM:
  1. The Device Rules Package must be upgraded consistently on all EAMs and on CMS.
  2. For every EAM and CMS, follow the steps below:
    1. Ensure you have root access permission while upgrading the Device Rules.
    2. If you have not already done so, go to the directory where TSOM is installed (<TSOM_HOME>) and correct the <TSOM_HOME>/bin/dev_support.sh script as described in the note below. Otherwise, the Device Rules Package will not be installed correctly.
    3. Copy the Device Rules Package DeviceRules-20120622.jar to a convenient location.
    4. Go to the <TSOM_HOME> directory and launch the dev_support.sh script, providing the absolute path to the Device Rules Package as an argument:
      • ./bin/dev_support.sh -if /absolute/path/to/saved/DeviceRules-20120622.jar
  3. After successful installation, restart every EAM so that the updated rules can be leveraged.


NOTE: Due to a defect in the ./bin/dev_support.sh script, it will not install the Device Rules Package correctly.
Steps to fix the bin/dev_support.sh script:
  1. Edit the ./bin/dev_support.sh script.
  2. In lines 99, 120 and 428, replace the string 200* with the string 20*.
  3. After doing so, the corresponding lines should look like:
  • CURPKGVER=`ls -d ${DEV_SUPPORT_BASE}/20* 2>/dev/null | sort -r | head -1 | awk -F/ '{print $NF}'`
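
What the 200* to 20* change does to the CURPKGVER lookup, as an added example that is not IBM's script. It assumes package directories under DEV_SUPPORT_BASE are named by date stamp, as in DeviceRules-20120622.jar; the directory names, the sample script line and the function names newest_pkg, unpatched_lines and demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM code. Directory names and the sample script line are
# constructed; date-stamped package directories are an assumption.

# Same pipeline as the CURPKGVER line, with the glob passed in as $2.
# $2 is left unquoted on purpose so the shell expands it as a pattern.
newest_pkg() {
    ls -d "$1"/$2 2>/dev/null | sort -r | head -1 | awk -F/ '{print $NF}'
}

# Count the lines in a script that still use the old 200* glob.
unpatched_lines() {
    grep -c '/200\*' "$1" || true
}

# Build a constructed package base and sample script, then compare patterns.
demo() {
    base=$(mktemp -d)
    mkdir "$base/20081215" "$base/20091130" "$base/20120622"
    printf '%s\n' 'CURPKGVER=`ls -d ${DEV_SUPPORT_BASE}/200* 2>/dev/null | sort -r | head -1`' \
        > "$base/sample.sh"
    echo "200* selects: $(newest_pkg "$base" '200*')"
    echo "20*  selects: $(newest_pkg "$base" '20*')"
    echo "unpatched lines in sample: $(unpatched_lines "$base/sample.sh")"
    rm -rf "$base"
}
demo
```

Running unpatched_lines against the real bin/dev_support.sh after editing should report 0 if every occurrence of the old pattern was replaced.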


Installation instructions for TSOM 4.1.1 prior to Fix Pack 10; Windows

EAM
  1. Windows EAM users can extract the Java rules from DeviceRules-20120622.jar archive and copy them to the directory: <TSOM_HOME>\conduits\<conduit name>\rules\system\
  2. After the files are copied, make sure to restart EAM.

CMS
  1. Windows CMS users can extract the file DeviceRules-current.sql from the DeviceRules-20120622.jar archive; it defines the database content modifications for the Device Rules Update.
  2. Manually apply the TSOM database changes defined by DeviceRules-current.sql in the way appropriate for your database system.

Download package

Download                       Release date   Language   Size (bytes)   Download options
Device Rules 2012/06 README    2012-06-22     English    36130          FC FTP
Device Rules 2012/06 ucm.cfg   2012-06-22     English    81436          FC FTP
Device Rules 2012/06           2012-06-22     English    830796         FC FTP

Product Alias/Synonym

TSOM

Problems (APARS) fixed
IZ39417, IZ39418, IZ42756, IZ43341, IZ43754, IZ44116, IZ45438, IZ45452, IZ45733, IZ46175, IZ47046, IZ47059, IZ47665, IZ48165, IZ51063, IZ51658, IZ54255, IZ54879, IZ59902, IZ63356, IZ63560, IZ64704, IZ65378, IZ65441, IZ65453, IZ65973, IZ67330, IZ67484, IZ68797, IZ69816, IZ70766, IZ70766, IZ70880, IZ72299, IZ72299, IZ73693, IZ75048, IZ75170, IZ81397, IZ83035, IZ83505, IZ85105, IZ85911, IZ88212, IZ91367, IZ92577, IZ94527, IZ99024, IV04359, IV09074, IV13838, IV19855, IV17017

Document information


More support for:

Tivoli Security Operations Manager
Event Aggregation

Software version:

4.1.1

Operating system(s):

AIX, Linux, Solaris, Windows

Software edition:

All Editions

Reference #:

4032835

Modified date:

2012-06-22
