1.0 Understanding Security Agent for UNIX

Securing and monitoring the performance of your UNIX and Linux environments can be expensive and time-consuming. Enterprise performance and security managers face the following challenges:

  • Shortages of UNIX and Linux security and system expertise.

  • Managing various operating systems including Red Hat, AIX, HP-UX, Solaris, and SUSE Linux.

  • Controlling access to privileged commands and sensitive resources.

  • Lack of intrusion detection and response systems to handle both actual and potential security breaches.

Security Agent for UNIX (Agent) helps you effectively address these challenges by enabling NetIQ security products, such as Secure Configuration Manager, Change Guardian, and Sentinel, to monitor the configuration and risk compliance of your UNIX and Linux environments.

The Agent validates the configuration of UNIX and Linux endpoints to ensure compliance with corporate security policies and to find potential vulnerabilities. An endpoint represents an Agent-monitored operating system, application, web server, or database instance.

The Agent collects security compliance information from one or more endpoints in one or more domains. It receives requests from NetIQ security products and either runs commands or responds by returning data, status, or results. The Agent runs locally on computers throughout your enterprise.

Figure 1-1 Security Agent for UNIX Architecture

You can deploy and manage Security Agent for UNIX using the following:

  • NetIQ UNIX Agent Manager (UAM): A console and data store that you can use to manage all your Security Agent for UNIX components across your enterprise. UNIX Agent Manager runs on Windows, UNIX, and Linux operating systems. Most features can be accessed from a command line as well as the console.

  • Change Guardian Agent Manager (CG AM): A web console that provides a central location from where you can manage your agents, organize your assets in groups, and remotely install and update agents on assets. It helps you maintain your environment by keeping track of agents that are not communicating and allows you to either fix the agent or remove it from your environment.

Both UAM and CG AM allow you to remotely install one or more Agents. They also allow you to install and reconfigure the selected Agent components directly on the assets you need to monitor without having to interact with each Agent individually. However, each Agent manager (UAM or CG AM) supports only a subset of the available functionality. Depending on your requirements, you can decide whether you need to install UAM, CG AM, or both. UAM and CG AM can coexist.

The following tables compare the functionality of UAM and CG AM:

Table 1-1 UAM and CG AM Comparison for all Security Products

Function                        | UAM                                                                                             | CG AM (Change Guardian 5.0 and later)
--------------------------------|-------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------
Agent deployment                | Performed by UAM server                                                                         | Performed by process running on each agent
Audit diagnostics               | Yes                                                                                             | No
Enhanced certificate management | No                                                                                              | Yes
Asset view                      | Shows which agent components (Change Guardian, SCM, Sentinel) are enabled on each asset         | Shows which assets have some components enabled (but not which specific components)
Monitoring the agent status     | Yes                                                                                             | No
Patch release                   | Yes, for all patches                                                                            | Yes, only for patches bundled in a Change Guardian release
Licensing and availability      | Available with a licensed instance of Change Guardian, Secure Configuration Manager, or Sentinel | Available with a licensed and installed instance of Change Guardian 5.0 and later

Table 1-2 UAM and CG AM Comparison for Change Guardian

Function                                                                  | UAM | CG AM (Change Guardian 5.0 and later)
--------------------------------------------------------------------------|-----|--------------------------------------
Remote agent installation, upgrades, reconfiguration, and uninstallation  | Yes | Yes

Table 1-3 UAM and CG AM Comparison for Sentinel

Function                                                                  | UAM | CG AM (Change Guardian 5.0 and later)
--------------------------------------------------------------------------|-----|-----------------------------------------------------------------------
Remote agent installation, upgrades, reconfiguration, and uninstallation  | Yes | Yes, if your existing deployment of the agent has Change Guardian enabled
Sentinel rule deployment                                                  | Yes | No
Sentinel Oracle endpoint management                                       | Yes | No

Table 1-4 UAM and CG AM Comparison for SCM

Function                                                                  | UAM | CG AM (Change Guardian 5.0 and later)
--------------------------------------------------------------------------|-----|-----------------------------------------------------------------------------------
Remote agent installation, upgrades, reconfiguration, and uninstallation  | Yes | Yes, only for upgrade, reconfiguration, and uninstallation. For new installations, use UAM.
Security check execution on endpoints                                     | Yes | No

When you install an Agent, you choose which NetIQ security products (Sentinel, Change Guardian, or Secure Configuration Manager) will monitor the computer on which the Agent resides. A single Agent can perform monitoring for one or more NetIQ security products. Each NetIQ security product has its own method for registering Agents and configuring an Agent to send the proper data. These NetIQ security products are referred to as Agent components.

For Sentinel, you must deploy rules on the Sentinel Agent by using UAM. Events are filtered and forwarded to the Sentinel server according to the deployed rules, so that only the events your rules select leave the monitored host. This lets you monitor even complex IT environments and collect the security events required to protect them.

For Change Guardian, use the policy editor to deploy policies to the Change Guardian Agent that monitor critical files. Events are filtered and forwarded to the Change Guardian server according to the assigned policies. The security event details pinpoint who made a change or performed an activity, what was changed, when and where it happened, and whether the change was authorized, including the before and after values of the change.

For Secure Configuration Manager, the Agent also responds to requests for data sent from core services in the form of security checks and policy templates. Policy templates are groups of security checks that audit a specific series of IT controls matching a security policy standard. The Agent translates the security checks into queries and forwards them to its monitored endpoints. After receiving responses to the queries, the Agent sends a report with the results to the Secure Configuration Manager server.