Tivoli SecureWay Risk Manager *"_8O f> 3 "Pf 7
Tivoli SecureWay Risk Manager *"_8O(2000 j 12 B)
f(yw
Copyright © 2000 by Tivoli Systems Inc., an IBM Company, including this documentation and all software. All rights reserved.;\4U Tivoli 53+>m~mI$-i9C,r_4U IBM M'-irmI$-iPX Tivoli z7D=<9C#4- Tivoli 53+>BHifmI,{9TNNN=rNNVN(gSD"z5D"E'D"b'D"/'D"K$DHH)T>iDNN?VxP4F"*<"D4,f"Zlw53Pr-kINNFczoT#Tivoli 53+>ZhzFwv)zT:9CDNNzwIAD5D2=4rd|N=4F7DP^mI,0aG?vbyD4F7&XP Tivoli Systemsf(yw#4- Tivoli 53+>BHifmI,;Zhf(PDd|({#>D5";<8CZzz,"RGT04VZDyS1Dy!a)D,;PNNN=D#$#
XKjw\xPX>D5DyP##,|(JzTMJCZ3X(C>D###
Lj
TBz7{G Tivoli 53r IBM +>DLj:AIX"DB2"FirstSecure"IBM"
OS/2"RS/6000"SecureWay"Tivoli"Tivoli Management Environment"TME 10 Enterprise Console"TME FrameworkM TME 10#
Microsoft"Internet Explorer"Windows"Windows NTM WindowsUjG"m+>DLjr"aLj#
UNIX G Open GroupZ@zMd|zR@Rq<"aDLj#
JavaMyPDyZ JavaDLjrUjG Sun+>DLj#
ActionMedia"LANDesk"MMX"<ZM ProShareG"X{+>Z@zMd|zRDLjr"aLj#
>D5Pya=Dd|+>"z7M~q{FI\Gd|+>DLjr~qj>#
yw
>vfoP}C Tivoli 53+>r IBM +>Dz7"Lrr~q,";b6EryPP Tivoli
53+>r IBM +>5qDzRa)b)z7"Lrr~q#,12;5>;I9C Tivoli 5
3+>r IBM +>Dz7"Lrr~q#;*;V8 Tivoli 53+>r IBM +>D*6z(
rd|\(I#$DO(({,NN&\`1Dz7"Lrr~q<Izf>vfoy}CDb
)z7"Lrr~q#kd|z7;p9C1,}KG)I Tivoli 53+>r IBM +>w78
wDz7b,d@@Mi$yIC'TP:p#
Tivoli 53+>r IBM +>I\Q5Pr}Zjkk>D5Z]PXDwn&CLr({#a)
>D5"4ZhC'9Cb)({DNNmI#PXmI$i/DBK,C'ITk IBM
Director of Licensing, IBM Corporation, North Castle Drive, Armonk, New York 10504-1785,
U.S.A. if*5#
TBNd;JCZ"zr>k)k1X(I;;BDd|zR:
IBM +>04VZDyS1vfKi,;vNNw7r5>D##,|(+;V^Z^V&T"Iz[TrJCZXb?D5>###;)XxZ3)BqP;JmEzw7r5>D##,rK>unI\;JOz#
KE"I\|,<u;<7M!"ms#K&DE"a(ZDxP|D,b)|DaO"ZKE
"D^)fP#IBM I\aZ;wNNywDivB,ZNN1rDxM/r|D>E"Phv
Dz7M/rLr#
KE"PTG IBM Web >cD}C;G*Ka)=c,ZNNiv<;d1b)>cD###
b)>cODJO";GK IBM z7JOD;?V,9Cb)>cDgUIC'TPP##
©COPYRIGHT INTERNATIONAL BUSINESS MACHINES CORPORATION 2000. ALL RIGHTS RESERVED.
@z~.C'^(({ * 9C"4Fr96<*\=k IBM +>)pD GSA ADP=S-iyf(unD^F#
?<
0T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
>8OfrDTs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
XAD5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .viii
`XD5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .viii
>8ODZ] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .viii
>8O9CD<( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
kM''V*5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Risk Manager WebE" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Z1B ri . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
(e Risk ManagerB~` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
*"2+T`XB~A Risk Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
j< TEC Jdw. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
TEC B~/I$_ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Risk ManagerB~/I$_ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Z2B B+Pw`MD}](# . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
;c=h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
>} 1:FTP G<JO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
!qy` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
X*tT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
}]ZrtT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
hCtT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
BAROC D~u? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
k RM_MiscEvents`X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
q=D~u? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
>} 2:ELUd;c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
!qy` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
hCtT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
BAROC D~u? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
q=D~u? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
h*NGDXc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Z3B Risk Manager Jdw5V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
B~E"D6q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
TEC SNMPJdw"bBn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
TEC UNIX U>D~Jdw"bBn. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
TEC NT B~U>Jdw"bBn. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
(FJdw"bBn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Risk ManagerB~/I$_"bBn. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Z4B Risk Manager B~/I$_ . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
9C&CLr`LSZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
rmad_initialize. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
rmad_send_message. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
rmad_terminate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
rmad_info. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
9C Perl SZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
9C|nPSZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
wrmsendmsg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
wrmadmin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
riskmgr_gencds. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
4SA2mb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
wT Risk Manager EIF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
w} . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
0T
>8OV[:
¶ gNQBDrVPDVklb&CLr(+Pw)M Tivoli
SecureWay Risk Manager(TsrF* Risk Manager)/IZ;p#
¶ gN*"zT:DVklbB~DB~Jdw,KB~JdwG*
xg"wz"Web 73MXbh*xXFD#
¶ gN9CZ>8OPF* Risk Manager EIFD0Risk ManagerB~
/I$_1# Risk Manager EIFG;v$_d,{C|IT)953
E"Mk Risk Manager`XDB~,IT9C Tivoli Enterprise
Console (TEC)4`XM\mb)B~#
>8OfrDTs>8OITozz`4;)m~4v?ITmDB~`X&CLra)
Dxg2+T,N{>iPD+Pw#|bMK;)z&1KbDEn
TcP'X*"BDB~Jdw9dI Tivoli SecureWay Risk Manager
a)DJdw#
>8OY(zQ-DAK6Tivoli SecureWay Risk ManagerC'8O7
M6"P5w7#,19Y(z_8TBZ]D$w-i,"T|GP
K;(Dy>mb#
¶ 53Mxg2+T
¶ 53Mxg\m
¶ IBM AIX "Sun Solarisr Windows NTYw53
¶ Tivoli Framework
¶ C r C++ `LoT
¶ xJ-i
XAD5Z9C0Tivoli SecureWay Risk ManagerB~/I$_1.0,kHl
$TBVa:
¶ 6Tivoli SecureWay Risk ManagerC'8O7
>8Oa)KXZ Risk ManagerDj8E"MXZVPD Risk
ManagerB~JdwDj8hv#
¶ Tivoli Enterprise Console Event Adapter Guide
>8Oa)KXZVPDB~JdwDj8hv#
¶ Tivoli Event Integration Facility User’s Guide
>8OV[gN9C0B~/I$_1(EIF) *"TmDB~Jdw#
ITy]xg73MXbDh*XFJdw#
`XD5TBVa9dKXAD5P|,DE":
¶ 6Tivoli Enterprise ConsoleC'8O7
>8Oa)KXZ9C Enterprise ConsoleDj8E"#
¶ Tivoli Enterprise Console Rule Builder’s Guide
>8Oa)KXZgN`4M/IBfrDj8E"#
¶ Tivoli Enterprise Console Reference Manual
>ia)KXZ|nPSZDj8E"#
¶ Tivoli Framework Planning and Installation Guide"6Tivoli Framework
C'8O7M Tivoli Framework Reference Manual
b)i.a)KXZ@f"\mZc"\m1"_Tr"E*D
~"(*"Nq"wHM|nPSZ (CLI) |nDj8E"#
>8ODZ]>8O|,TBE":
¶ Z73D:B+Pw`MD}](#;hvZVv4T+PwDE"
M4(B~`TYVKE"PwCDxL#
¶ Z333D:Risk ManagerJdw5V;y]&CLrr+PwDX
T,a)8OToz!qnQ=(#
¶ Z373D:Risk ManagerB~/I$_;a)XZgN9Ck0Risk
ManagerB~/I$_1;pa)D&\Dj8E"#
>8O9CD<(>8OTXbuoMYw9C;,VM<(#b)<(_PgB,e:
<( be
Ve|n"X|V"j>"URL Md|Xkj+4U-D9C
DE"TVeVMvV#
1eXka)Dd?r5T0BuoT1eVMvV#?wD
%JMLo2T1eVMvV#
Hme zk>}"dvM53{"THmeVMvV#
kM''V*5g{v=XZ Tivoli z7D'Q,ITCJ
http://www.support.tivoli.com i40Tivoli 'V1w3#4S"a;
M'"am%.s,MITCJ Web ODm`M''V~q#
9CTBg0Ekk@zDM''V*5:Tivoli EkG 1-800-848-6548 (1-800-TIVOLI8),IBM EkG 1-800-237-5511(r(
KEks4 8 r_t 8)#b=vEk<a+g0*A0Tivoli M''V
tPPD1#
RGG#Vb}=z9C Tivoli z7MD5D-i,"RG#6-za
)Dx(i#g{PXZKD5D"Mr(i,k"MgSJ~A
pubs@tivoli.com#
Risk Manager Web E"Tivoli M IBM Tivoli M'ITiR=XZNN Tivoli SecureWayz7
M Risk ManagerD*zE"#
PX Risk ManagerDnBz7|BM~qE"DX*E",kSTB
Web >c*<CJ:
http://www.tivoli.com/support/secure_download_bridge.html
Tivoli SecureWay Risk Managerz7DE",kCJK Web >c:
http://www.tivoli.com/products/index/secureway_risk_mgr/
d| Tivoli Security Managementz7DE",kCJK Web ;C:
http://www.tivoli.com/products/solutions/security/
ri
Tivoli SecureWay Risk Manager(Tivoli SecureWaygU\mw)*4T
;,&CLrM+PwRk2+`XDE"/Oa)K2+\m53,
b)&CLrM+Pw|,+;v^ZVklb+Pw#
Z>8OP,uo+Pw8DGw*}]4D&CLrMz7,b)}
]4+I* Tivoli Enterprise ConsoleB~"PI\*"= Tivoli
Enterprise ConsoleB~~qw#uoJdw8&CLr,|SU+Pw
zzD}]"Q|1wB~xPq=/,;sMA$tK Risk Manager
B~`X~qwDB~~qw#,1,+Pw9\4PkJdwX*D
&\#
uoVklb+Pw8(f2+T`XE"DNN`MD+Pw#Risk
Manager&mNN`M2+T`XE"x;^F*Vklb53D#fE
n#+Pw;+IT`X53M&CLr,9IT`Xxg#w*`X
n/a{,+PwZB~m%(P1r28OX/f)PzIE"#b
)B~m>IIn/rk2+T`XJb#Risk Managera)DJdw
ITSU+PwB~#5VVP&CLr(g@p=r4!>Lr)J
dw,T0lbB&CLrM+Pw4*"2+T`XB~A Risk
Manager~qwGPCD#
>8Oa)KZ5VB Risk ManagerJdw1,rlbVP&CLrT
92+T`XB~\;*"A Risk ManagerB~`X~qw1h*DE
"#
+2+T`XDB~*"A Risk ManagerB~`X~qwDEcP:
¶ Risk ManagerB~`X~qwIT*Ss6'+PwSUD2+T`
XB~a)_6`X,bIToz{%TxXF(lR,2IT\
sLHO(zT512+T~2D6p#
¶ (}/P\mT%w"~2M)6D`X,Tivoli \m1IT{C
TEC B~XF(DEc,"RT`&D2+k)xPl&#
¶ Z TEC X5}]bPi5"MA Risk ManagerB~`X~qwD
B~#I Risk ManagementU/DE"T9C Enterprise Risk
Management8OPD Tivoli Decision SupportxPDVvP'#K
Tivoli Decision Support8Oa)K2+53(g@p="Vklb
53"4!>&CLrMd|&CLr)D2+T`Xn/Ev#
M'T4MZ}=&CLrIT(}*"2+T`XB~A Risk
Manager4{CKEc#
P=vX|=h,|Gk*" Risk ManagerJdwMlbVP&CLr
`X,rKIT+2+T`XB~*"A Risk ManagerB~`X~qw
xP51`XM}]I/#
¶ (e Risk ManagerB~`
¶ *"2+T`XB~A Risk Manager
(e Risk Manager B~`Z<Gk*"B~A Risk ManagerB~`X~qw`XDzF.0,&
1WHmbh*"MA Risk ManagerD}]XT#Kb9&CmbgN
+KE"3dAB~`,KB~`ITI Risk ManagermbM&m#
IZ Risk ManagerB~`X~qwfZZ TEC 73,rK+k}]X
kZ TEC B~m%P,"Ry]* Risk ManagerXp(eDB~`@
N9l}]#
Z TEC B~~qwO,Risk ManagerB~`X~qw&m}kB~,
zIBD TEC B~,"`&DZ TEC B~XF(OT>b)B~#
Risk ManagerB~`X~qw4PD&mG Risk ManagerD;vX|
=f#Z&mP,4TB~DE"kd|B~SUDE"[/Z;p#
;s4U#=Vva{}]/#lb=DIIn/rJbF*w*Qw
#=Da{,F*4v,|Z TEC B~XF(4&* TEC B~#Risk
ManagerB~`X~qwD?DG@@4T`v+PwDVklbE",
"TrwDq=m>`XDE"#
PXhFzcNN&CLrr+PwX(h*D Risk ManagerB~`1
h*DE",kN{Z73D:B+Pw`MD}](#;#
*"2+T`XB~A Risk ManagermbKI&CLrr+Pw"MA Risk ManagerDB~s,9Xk<G
gNnCX5J6q"*"B~A Risk Manager#
IT<GD;,zF|,:
¶ j< TEC Jdw
¶ TEC B~/I$_
¶ Risk ManagerB~/I$_
j< TEC JdwTivoli a)K TEC B~JdwDj</#TEC B~JdwGm~Lr,
|ITU/E",4P>X}K"+`XB~*;IIT*"A TEC M
Risk ManagerDq=#b)Jdw5JOG;/D,bb6E+#fV
Pxg\mM2+T&CLrx;vNN|D#TEC B~Jdw6qD
B~ITkd| Risk ManagerB~;p\]WX*"A`XD Risk
ManagerB~`X~qw#;)|#CD TEC Jdw:
Tivoli Logfile Jdw
KJdwSU4T UNIX syslogd X$LrD-<U>D~E
",4Uya)Dq=D~PDfqxPq=/""MA TEC
B~~qw#
Tivoli NT Event Log Jdw
KJdwA! Windows NT 53OzIDB~,4Ua)Dq
=D~PDfqxPq=/"+d*"A TEC B~~qw#
Tivoli SNMP Jdw
r%xg\m-i (SNMP)Jdw6q SNMP]e,4U`(
eod (CDS)D~PDfqxPq=/"+d"MA TEC B~
~qw#
TEC B~/I$_Tivoli Kc|,;v9C wpostemsg LrD|nP/},ITC|4
"MB~A TEC B~~qw#`FDLr(postemsg Lr)2IT+
B~SG Tivoli 53*"A TEC B~~qw#
0Tivoli Enterprise ConsoleB~/I$_1(TEC EIF)*"MB~A TEC
B~~qw,a)K&CLr`LSZ (API) Dr%/M`X*Db#
Risk Manager B~/I$_0Risk ManagerB~/I$_1 (Risk Manager EIF)*"MB~AB~
~qwa)Kv?D$_|#K$_|P|,K C oTLrD&CLr
`LSZ (API)"|nP/}MxP Perl#iD Perl'V,TcS Perl
E>1SCJ Risk Manager EIF API#
B+Pw`MD}](#
+B+Pw`M/IA Risk Manager}LPDX|=hGVv+Pwy
a)E"M4(B~`Tm>KE"#K}](#xL<BK+PwE
"S+Pw>Xq=3dA Risk Manager TECB~q=#JdwVd
`{F"nd`tT#
IT9C\`=(4PXBq=/xLM+a{B~+MA TEC ~q
w#g{+PwzIJ1D SNMP ]er53U>(r NT U>)u
?,rIT9CVP0TEC Logfile Jdw1r0TEC SNMPJdw1#
g{9CK0Logfile Jdw1,rXk*"J1Dq=D~#g{9C
K0SNMPJdw1,rXk*"J1D CDSD~#m;v!n+*"
;vPdD@"Jdw,KJdw+>X+PwB~E"*;IJ1D
SNMP]er53U>(r NT U>)u?#YNh*5wDG,Xk
*"3Vq=r CDS D~#m;v!n+9C0Risk ManagerB~/
I$_1 (EIF) *";v1SD(GPdD)@"Jdw#ns,g{1
S&m+Pw4zk2G;v!n,rPI\9C Risk Manager EIF+
Jdw&\9(A+Pw&CLrP#
+Pw`MDB`(eGX|=h#&CP8<G+PwB~gNJO
RM_SensorEvent `a9 (sensor_abstract.baroc)#(#Z4(B`1,
&C9CZ RM_SensorEvent `wPnMD(nWcDrn_eD)J1y`#Z RM_SensorEvent wPDy`;C=M,E"M=_e,=j8#(}SwP!I\MDy`PIz,B`ITa)!I\_eD
`XE"x`XxL#9h*"bDG7(`tTDOm1!5-#h
*P+PwDncN*6"+PwDc:-iMT+Pw\&DM[V
v#
WH,Z*"B+Pw`M1,kND:;c=h;P*q-D;c=
hPm#dN,jI;N>}+PwxLITY}5w\`j8E",
K+PwzI+*xP`XD2+T`XE"#;sxvm;v|(K
+Pw"MDE"D}S,"ME"ECZ}]bPx;G`XD#n
s,9PZ*" Risk ManagerDB+Pw`M1XkNGDn`X*
c#
;c=h*"BD+Pw`M1kq-TB=h#
1. VvB~}]"4(`cN#
2. S sensor_abstract.barocD~hvDwP!q;v`IzyPB`#
": 1!ivB,TEC 3.7frZw*6`5}D+kB~P!q#
6`G&ZcNa9W?D`#g{P;v`Cwd|`Dy
`,r Risk Managerfr+4;=w*Ky`5}DNNB
~#
3. +B+PwDyP`D~Ck%v C Tsy>G<w (BAROC) D
~P#
4. 4UZ{Vd`A`D`pP#
5. 9C category_assign u?mSNNZ{DX(`D`p8(A
riskmgr_categories.proD~#
6. +BD BAROC D~CZ`&D Risk Manager?<#
TZ Windows NT,?<*
%BINDIR%\RISKMGR\corr\tec
TZ UNIX,?<*
$BINDIR/RISKMGR/corr/tec
7. mSBD BAROC D~{A|,Z riskmgr_baroc.lstPDD~Pm
Da2#
TZ Windows NT,(;KD~D?<*
%BINDIR%\RISKMGR\corr
TZ UNIX,KD~yZD?<G
$BINDIR/RISKMGR/corr
8. k7#*B+Pw`M"M TEC B~DJdw8(K`{"J1X
ndK`tT#
9. g{PX*k4(;vq=D~ (.fmt) r`(eod (.cds)D~"
+|G20ZJdwO#
10. Z TEC B~~qwO|B Risk Manageri~#
11. KP rmcorr_cfg –update #
12. g{Q-TV$==+B BAROC D~0kfrb,ryPXhv
DMGXBt/ TEC B~~qw#
>} 1:FTP G<JOvZY}5wD?D,IT<G+{* ftp_watcherD+Pw/IA Risk
ManagerDNq#Kb,YhKB+PwlbD~+d-i (FTP) DG
<JO(Zd|BiP)xRh*+ FTP G<JOB~DE""MA
Risk Manager,bb6EQ20KP Risk Manageri~D TEC B~~
qw#Yh ftp_watcher$_* FTP G<JOa)KTBE":
¶ 4 IP X7
¶ ?DX+^(wz{
¶ T<G<C'DC'{
¶ T<G<1dD1dAG(SqV~N1d:1970/1/1 00:00:00*<
G}Dk})#Kq=;l** EPOCH#
!qy`K?VhvKS sensor_abstract.baroc `cNP*B~!q;vy`Dx
L#
TZ ftp_watcher&CLrzID FTP G<JOB~,K&G(}
sensor_abstract.baroccNa9Z!qy`1ICD76#
¶ RM_SensorEvent :\GS sensor_abstract.baroc `cND%K*<#
¶ RM_IDSEvent:KB~IT1wn/DVklb53`M#
¶ RM_IDSNetwork:fZ4M?DXrKGxg`Mn/#
¶ RM_User:|,;vC'#
rK,y`DnU!qG RM_User#
X*tTX*tTGC4j6+PwD#dPP rm_SensorType M
rm_SensorIPAddr (r rm_SensorHostname )#g{;PhCb)tT,r`X&m+'\,B~OXT+hC* UNKNOWN#
Kb,TZw*S RM_IDSEvent IzvD`5}DB~,XkZ4wzM?DXwzPAYa);vwzE"#wzE"ITG IP X7
(rm_DestinationIPAddr, rm_SourceIPAddr)rwz{(rm_DestinationHostname, rm_SourceHostname)#g{H;P?DXwzDICE"V;P4wzDICE",r`X&m+'\x
RB~OXT+hC* UNKNOWN#"b,TZdMD RM_IDSEventB~,Z}?DXwzM4wzDE"<IC#
"b,d; rm_Timestamp M rm_TimestampFmt hCGG?FT
D,+Gg{;9CJ1DhC,razI+kB~D RM_InputErr msB~#9h5C"bDG,d;d|tTGG?FTD,+Gg{h
C;J1,r`X5M TEC XF(O(Z}]bZrP)E"DPCT
+<I\aP\sLHDuY#
}]ZrtTRisk ManagerhCZ}]biRP9CD8vtT#b)tT(#;I
JdwhC#Z riskmgr.barocM sensor_abstract.barocD~P,+tT
4M sub_source hC*1!5#,y,r* Risk ManagerndtT
origin "sub_origin M hostname ,rK;&CIJdwhC#g{J
dwhCKb)tT,|G+;2G#
BmxvKI Risk ManagerhCD}]ZrtT#
`                tT             5                    "M
*                source         RISKMGR              hCyPD Risk Manager`#
RM_SensorEvent   sub_source     SENSOREVENT          ;PZ{D5},&C2GQIzD`
RM_MiscEvent     sub_source     MISCEVENT
RM_IDSEvent      sub_source     IDSEVENT
RM_SensorEvent   origin         rm_SensorIPAddr      2GJdw5#g{;IC,hC*1!5:0.0.0.0#
RM_SensorEvent   sub_source     rm_SensorType
RM_SensorEvent   hostname       rm_SensorHostname
RM_MiscEvent     rm_Category    C'T(e
hCtT*7( RM_User DtT(|,QLPDtT),ITZ20K Risk
Manageri~D0Tivoli \mr (TMR)153O9C wrb -lsrbclass |
n:
wrb -lsrbclass RM_User -detailed rulebase_name
`{F tT
RM_User
ISA
RM_Service
server_handle
date_reception
event_handle
source
sub_source
origin
sub_origin
hostname
adapter_host
date
status
administrator
acl
credibility
severity
msg
msg_catalog
msg_index
duration
num_actions
repeat_count
cause_date_reception
cause_event_handle
server_path
rm_Version
rm_Timestamp
rm_TimestampFmt
rm_Timestamp32
rm_SensorToken
rm_DestinationToken
rm_SourceToken
rm_SensorType
rm_SensorHostname
rm_SensorIPAddr
rm_SensorPID
rm_SensorOS
rm_DestinationHostname
rm_DestinationIPAddr
rm_SourceHostname
rm_SourceIPAddr
rm_SpoofedSourceKnown
rm_Signature
rm_Description
rm_Level
rm_Correlate
rm_NameType
rm_NameID
rm_NameData
rm_Protocol
rm_SrcPort
rm_DstPort
rm_Servicename
rm_User
rm_Password
"b,SZ;v= server_path yPtT<tZ0TEC rootB~1`#
T rm_ *7DtTGZ Risk Manager`P(eD#
TBxvKZ?v`P(eD|X*tTPm,b)`|,KSn%c
D EVENT `=nsD RM_User `#T?vtTxvKTBE":
tT: tT{F
`M: `MM1!5(g{P)#
9CZ`X&mP: m>KtTGqCZ`X&m#
hC: hCK5DdM=(#BAROC"Adapterr=_.;#
tTITCJdwD}]r_Z BAROC D~PD1
!5xPhC#
hv: TtTDrLhv,dP|,hCtT51*<GD
yPJb#
EVENT `DtTb)tTGZ%cD TEC ` EVENT P(eD#|GT?vB~<I
C,P8vXpX*,r*|GZ TEC XF(D;,VNPw*T>V
{.9C#";GZ EVENT (eDyPtT<GgK#
tT: OXT
`M: 6YOXT,1!5 = /f
9CZ`X&mP: q
hC: BAROC
hv: Kn&CGTB!nPD;v(4UOXT6p]v
D3r):HARMLESS"MINOR"WARNING M
CRITICAL#Kn+T>Z TEC XF(O#g{Z9
C Risk Manager `Xfr&mB~1vVJb,rB
~OXT+hC* UNKNOWN#
tT: date
`M: V{.
9CZ`X&mP: q
hC: Jdw
hv: ;cGg02000/7/4 12:30:441q=DTK45IAD
1dAG,|m>B~zID1d#g{Jdw;P
hCKtT,TEC +S date_reception ndKt
T#
tT: hostname
`M: V{.,1!5 = ’N/A’ #
9CZ`X&mP: q
hC: 4hC#I Risk Managernd#
hv: +PwyKPDwz{#Risk Manager C
rm_SensorHostname DE"ndKn#Kn+T>
Z TEC XF(D Hostname VNP#
tT: msg
`M: V{.
9CZ`X&mP: q
hC: Jdw
hv: B~DrLhv#r*KtTT>Z TEC XF(D
0{"1VN,yT|DhC\X*#g{Jdw;
PhCK5RfZICD rm_SignatureE",rIC
KE"hC#
4T RM_SensorEvent `DtTb)GIT* RM_SensorEvent B~hCDtT#
tT: rm_SensorType
`M: V{.,1!5 = ’N/A’ #
9CZ`X&mP: G
hC: Jdwr BAROC
hv: +Pw`MD{F(}g,ftp_watcher)#KtTI
TZJdwPhC"kB~;p"M,rhC*Z
BAROCD~B`u?PD1!5#x;=DV[kN
D rm_SensorToken #
tT: rm_SensorIPAddr r rm_SensorHostname
`M: V{.,1!5 = ’0.0.0.0’ r ’N/A’
9CZ`X&mP: G
hC: Jdw
hv: +Pw5}Dwzj6E"#h* IP X7rwz{
(EH!q+^({)4j6+Pw5}#KzwG
+PwyKPDzw#g{=_<IC,k+?a
)#g{vP;vICxRIT!q,ka) IP X
7#K IP X7C4j6+Pw,yT|XkG(;
D#g{9CG+^(Dwz{,r(;T5C#
D#}g,KPZ machine1.sub1.com M
machine1.sub2.comD+Pw<IT(f5TmKPZ
machine1O#ZKVivB,4T=v~qwDB~Z
`X&m1aO"Z;p#
tT: rm_SensorPID
`M: V{.,1!5 =‘’
9CZ`X&mP: q
hC: Jdw
hv: +PwDxLj6#ZICRPC1hCKtT#
tT: rm_SensorOS
`M: V{.,1!5 =“ ’
9CZ`X&mP: q
hC: Jdw
hv: +PwKPDYw53#ZICRPC1hCKtT
tT: rm_Timestamp
`M: V{.,1!5 = ’N/A’
9CZ`X&mP: G
hC: Jdw
hv: rm_Timestamp kIIn/vV`X*D1dAG#
EH!CDq=G epoch1d,K1dGSqV~N
1d 1970/1/1 00:00:00*<Dk}m>D1d#*;
IKq=D]6G9C UNIX C b}L mktime(g{IC)#;cD[nG*q!kn/D"z!I\
|D1dAG#tT rm_TimestampFmt ITC48(8Cq=#g{;PICD1dAG,tT
rm_TimestampFmt &ChC* ‘NONE’#KViv
Ba9C date_reception 5#date_reception GB
~=o TECB~~qwD1d#g{Z&m1dAG
E"1vm,r9C date_reception 5"zI;v
RM_InputErr msB~#
tT: rm_TimestampFmt
`M: V{.,1!5 = ’N/A’
9CZ`X&mP: G
hC: BAROC rJdw
hv: KtT7(ZhC rm_Timestamp 19CDq=#I
\D5G:
rm_TimestampFmt DI\5G:
N/A K5G1!5#K1a9C date_reception "zI
RM_InputErr msB~#
NONE 1dAGE";IC,+9C date_reception #9C_:9C
SNMP JdwD Cisco7Iw#
EPOCHK1dAGGSqV~N1d:1970/1/1 00:00:00*<G}Dk
}#9C_:9CKJdwA0TEC U>D~Jdw1D
NetRanger#9C{eJdwA0TEC U>D~Jdw1D Web
IDS#9C1SD Risk Manager EIFD Check Point FireWall-1#
TIME1 K1dAGT ‘Aug 10 2000 13:49:21’q=vV#9C_:9C
0TEC U>D~Jdw1D Cisco Secure PIX Firewall#
TIME2 K1dAGT ‘Apr 6 09:48:21’q=vV#9C_:j<0TEC
U>D~Jdw1#9C0TECU>D~Jdw1D OS UNIX#
TIME3 K1dAGT ‘Thursday, August 10, 2000 11:20:37’q=vV#
9C_:9C0TEC SNMPJdw1D ISS RealSecure#
TIME4 K1dAGT ‘Sep 07 12:28:44 2000’q=vV#9C_:9C
0TEC NT U>D~Jdw1D OS NT#9C0TEC NT U>
D~Jdw1D Norton AntiVirus#
tT: rm_Signature
`M: V{.,1!5 = ’N/A’
9CZ`X&mP: q
hC: Jdw
hv: xvIIn/DrLhvD;NV{.#|j8Dh
v(+`T452rL)I\Z rm_DescriptionP#"b,d; rm_Signature ?0;PCZ`X,
+GZ+4I\avV#*K'VK&\,&C,&
#V){Mz7`M(z7`M = @p="7Iw"
yZxgD IDS"yZwzD IDS,HH)D;B#
Z){Pd?E"D}?&Cn!/#S`XD[c
44,){PDd?E"&CGPCD#xk){D
d?E"D`M!vZB~D`M#}g,|, cgi
E>DII Web n/|, cgi E>{F,+1Y4
M?DXE"#
tT: rm_Description
`M: V{.,1!5 =‘’
9CZ`X&mP: q
hC: Jdw
hv: xvIIn/rLhvD;NV{.#KtTDX*
T(#;O*NZ rm_Signature DhC#"b,
TEC T STRING `MP 255 vV{D^F#
tT: rm_Level
`M: {},1!5 = 1.0
9CZ`X&mP: G
hC: BAROC
hv: C4*B~DOXT6phC}V5#Z BAROC D
~DyP`P<&C|,_P1!5DKtT,by
C'M\(}^D1!5aIXwZ Risk Manager#
9CKtTITwZ Risk Manager,(}vSru!
|D5,ITx3B~`M(}g,x(`DB~)
;v`TZd|B~`M|_r|MDOXT(b?
rOXT)#+5hC* 1.0G{eOD#;cD8<
G9C0M = 0.5,P = 1.0,_ = 2.01#K5MZ
riskmgr_thresholds.proP(eDP5`X#}g,g{
rm_Level = 1.0 RfZhC
threshold(‘situation1’,_,5,20,100, 200,_,_,_) ,r1
SU=s< 20vB~1,+azIOXT*0/f1
D Situation 1B~#"b,r*9CK1d%u/
},yTI\h*`Z 20vB~(xRb)B~ZS
U1dOXk\S|)#,1h*"bK>}YhK
&P4T>&Z'dX;D Situation 2r Situation 3
B~#ns,k"b,K>}YhvvpB~D-<
OXT6p(rm_Level 5)Z4vB~OXT6pD7(PpwC#Z`X&m7(K;5PB~`XR
$wKOXT6pvSDOmT1,4vB~DOX
T6pITH[}D-<5T"_;c#
tT: rm_DestinationIPAddr r
rm_DestinationHostname
`M: V{.,1!5 = ’0.0.0.0’ r ’N/A’
9CZ`X&mP: G
hC: Jdw
hv: ?DXwzDwzj6E"#Kn/D?jr?DX
wzD IP X7rwz{(EH!q+^({)#g{
=_<IC,k+?a)#g{vP;vICxRI
T!q,ka) IP X7#TyZwz`MD IDS +
Pw,KtT(#G+PwZdOKPDwz#K IP
X7C4j6`X&mDwz,yT|XkG(;
D#g{9CG+^(wz{,r(;T5C#D#
}g,wz machine1.sub1.comM machine1.sub2.com
I\<(f* machine1#KVivB,kb=vwz
`XDB~Z`X&m1+aO#bGCZ[/DX
|V.;(<B;,`MD4v)#
tT: rm_SourceIPAddr r rm_SourceHostname
`M: V{.,1!5 = ’0.0.0.0’ r ’N/A’
9CZ`X&mP: G
hC: Jdw
hv: 4wzDwz6pE"#n/4wzD IP X7rwz
{(EH!q+^({)#g{=_<IC,k+?
a)#g{vP;vICxRIT!q,ka) IP X
7#TyZwz`MD IDS +Pw,KtT;cG^
XD#K IP X7C4j6`X&mDwz,yT|X
kG(;D#g{9CG+^(Dwz{,r(;T
5C#D#}g,wz machine1.sub1.comM
machine1.sub2.comI\<(f* machine1#KViv
B,kb=vwz`XDB~Z`X&m1+aO
"#bG9CZ[/PD;v\?(<B;,`MD
4v)#kNG;c,%w-#|,gS[-D(1
lD)4wzE"#
tT: rm_SpoofedSourceKnown
`M: V{.,1!5 = ‘no’
9CZ`X&mP: G
hC: Jdw
hv: 5 yes m>+PwQ-P\&lb4E"GqQ-;gS[-r1l#"b,5 no ";m>4E";P;1l#
tT: rm_Correlate
`M: V{.,1!5r`xd/
9CZ`X&mP: G
hC: Jdwr BAROC
hv: 5Gm>B~+;X*#5qm>;aP[/r`X
&m#KtTGCZB~E"CZ}]Zrn/PD
B~D#+Pwj6E"M?DXwzj6E"T-
&m}D,";C4nd origin "sub_origin M
hostname #
4T RM_IDSEvent `DtTb)GIT* RM_IDSEvent B~hCDtT#
tT: rm_NameType "rm_NameID M rm_NameData
`M: V{.
9CZ`X&mP: q
hC: Jdw
hv: b)tTa)K9Cj<53(g BugTraqr CVE)
4j6W\%wTM)6TD&\#
}g:
rm_NameType : STRING, default = "Unspecified"; # Type of ID
rm_NameID : STRING, default = "";              # String containing ID
rm_NameData : STRING, default = "";            # String containing additional info
tT rm_NameType &C!CTB5.;:
5 be
“CVE” CVE j6
“BugTraq” BugTraqj6
“Vendor” )&L(eDj6
“Unspecified” [1!5]
4T RM_IDSNetwork `DtTTBGZ RM_IDSNetwork `P(eDtT#
tT: rm_Protocol
`M: V{.,1!5 =‘unknown’
9CZ`X&mP: q
hC: Jdwr BAROC
hv: -i#ZICRX*1hC#
4T RM_Service `DtTTBGZ RM_Service `P(eDtT#
tT: rm_DestinationPort
`M: V{.,1!5 = ’N/A’
9CZ`X&mP: q
hC: Jdwr BAROC
hv: V{.N=D?DXKZ#ZICRX*1hC
tT: rm_SourcePort
`M: V{.,1!5 = ’N/A’
9CZ`X&mP: q
hC: Jdwr BAROC
hv: V{.N=D4KZ#ZICRX*1hC#
tT: rm_ServiceName
`M: V{.,1!5 = ’N/A’
9CZ`X&mP: q
hC: Jdwr BAROC
hv: ~q{#ZICRX*1hC#
4T RM_User `DtTTBGZ RM_User `P(eDtT#
tT: rm_User
`M: V{.,^1!5
9CZ`X&mP: q
hC: Jdwr BAROC
hv: C'{#
tT: rm_Password
`M: V{.,1!5 = ’N/A’
9CZ`X&mP: q
hC: Jdwr BAROC
hv: Zn#ZICRX*1hC
BAROC D~u?BAROC D~ ftp_watcher.barocDu?I\4FgBiN:
#-------------------------------------------
TEC_CLASS:
    FW_FTPLoginFailure ISA RM_User
    DEFINES {
        rm_SensorType: default = 'ftp_watcher';
        rm_TimestampFmt: default = 'EPOCH';
        rm_Level : default=1.0;
        rm_Servicename : default = 'ftp';
        rm_User: default='N/A';
    };
END
#------------------------------------------
k RM_MiscEvents `Xd; rm_Correlate 1!5* no , +GTZ!PDB~I\#{hC*
yes#}g,4T Web~qwDELUd;cB~I\G\=%wDa
{#hC rm_Correlate* yesI\<B Risk ManagerTb)B~xP
`X"T>4v#
q=D~u?g{ ftp_watcher*9C0TECU>D~1Jdwr9Cq=D~D Risk
Manager EIF,rh*q=D~#YhI ftp_watcherzIDCZ FTPG
<JOD53U>u?gB:
"Aug 6 16:14:46 myhost ftp_watcher myhost.sub.com 933948886 john_doe dest.host.com 1.2.3.4 ftp login failure"
q=D~u?rI\4FgB:
//-----------------------------------------------------------
// "Aug 6 16:14:46 myhost ftp_watcher myhost.sub.com 933948886
//  john_doe dest.host.com 1.2.3.4 ftp login failure"
FORMAT FW_FTPLoginFailure
%t %s ftp_watcher %s %s %s %s %s %s*
date $1
rm_Timestamp $4
rm_TimestampFmt EPOCH
rm_SensorHostname $3
rm_Signature $8
rm_DestinationHostname $6
rm_SourceIPAddr $7
rm_User $5
rm_SensorType ftp_watcher
END
//-----------------------------------------------------------

//-----------------------------------------------------------
// "Aug 6 16:14:46 myhost ftp_watcher myhost.sub.com 933948886
//  john_doe dest.host.com 1.2.3.4 ftp login failure"
FORMAT FW_FTPLoginFailure FOLLOWS FW_Base
%t %s ftp_watcher %s %s %s %s %s %s*
rm_Signature $8
rm_DestinationHostname $6
rm_SourceIPAddr $7
rm_User $5
END
//-----------------------------------------------------------
hC rm_SensorType Dm;VzFG+|hC*1!5,CZkB+
Pw`X*D?vB`#9CKq=D~(rZJdw6phCKt
T)PdEc,;h*Z;&hC|,Zd|\``(eP|<;YG
1!5#9Cq=D~D1cG:azInbDxg(E?,r*}]
kB~G;p"MD#
"b,y>u?k`cN^X#B5O,q=D~T`cNDLP=f
A^y*#
>} 2:ELUd;c0;>}\wTk2+TPXxRB~E"|,yP Risk Manager `X
&mh*D`X}]#Bf,RGY<G;v>},ZK>}P,&C
Lr"MDE"M2+T;G1S`X,xR";|,yPT`XPo
zDE"#
ZK>}P,<GVPD;Fw disk_watcherD&CLr,|Q-KP
Z\`53O,RT53u?DN=a)K/f#Kb,YhK&CL
rlbEL}/wUdGq;c,xRr*i5h*+KE""MA Risk
Manager#Yh disk_watcher+Pwa)KELUd;c4,BDTBE
":
¶ (fKivDzwDwz{
¶ Ud;cEL}/wD{F
¶ Zj<53U>q=PD1dAG
!qy`ZKivB,!qy`G`Tr%D#
¶ RM_SensorEvent :\GS sensor_abstract `cND%K*<#
¶ RM_MiscEvent :KB~;\;O*G IDS `MDn/#
rKns!qDDy`G RM_MiscEvent #
hCtT** RM_MiscEvent 7(tT(|,LPtT),ITZ20K Risk
Manageri~D TMR 53O9C wrb -lsrbclass |n:
wrb -lsrbclass RM_MiscEvent -detailed rulebasename
`{F tT
RM_MiscEvent
ISA
RM_SensorEvent
server_handle
date_reception
event_handle
source
sub_source
origin
sub_origin
hostname
adapter_host
date
status
administrator
acl
credibility
severity
msg
msg_catalog
msg_index
duration
num_actions
repeat_count
cause_date_reception
cause_event_handle
server_path
rm_Version
rm_Timestamp
rm_Timestamp32
rm_SensorToken
rm_DestinationToken
rm_SourceToken
rm_SensorType
rm_SensorHostname
rm_SensorIPAddr
rm_SensorPID
rm_SensorOS
rm_DestinationHostname
rm_DestinationIPAddr
rm_SourceHostname
rm_SourceIPAddr
rm_SpoofedSourceKnown
rm_Signature
rm_Description
rm_Level
rm_TimestampFmt
rm_Correlate
rm_ClassCategories
rm_Category
rm_ObjectType
rm_Object
rm_Action
"b,SZ;v= server_path DyPtT<tZ0TEC root B~1
`#T rm_ *7DtTGZ Risk Manager`P(eD#
TOs?VtTZ0;v>}P<QV[#yTK&V[Dw*9cZ
ZS RM_MiscEvent IzvD`DBtT#T?vtTxvKTBE
":
tT: tTD{F
`M: g{PD0,G`MM1!5#
9CZ`X&mP: m>KtTZ`XxLPGq9C#
hC: hCK5DdM=(#BAROC"Jdwr=_.
;#tTITCJdwD}]r_4 BAROC D~P
D1!54xPhC#
hv: TtTm>DBiDrLDhv,dP|,hCtT
51*<GDNNJb#
4T RM_MiscEvent `DtTb)GIT* RM_MiscEvent B~hCDtT#
tT: rm_Category
`M: V{.
9CZ`X&mP: q
hC: BAROC
hv: 9CKtT*SnB~xP`pVi,CZ}]Z
r#(iZ4(B5.0ZJ1DX=9CTBDV
{.5#
4(B5.09CTBV{.5:
0Configuration1 dCQ|D
0State1 Ts4,Q|D
0AccountAdmin1 C',i,ACL |D
0Access1 wvCJv(
0Policy1 }g,2+_T|D
0Installation1 TsQ20/6X
0Error1 vVms
0Misc1 4V`D|D
0Unknown1 4*D`p
tT: rm_ObjectType
`M: V{.
9CZ`X&mP: q
hC: BAROC
hv: T}]Zr*?D,9CKtTj6TsDTJ#(
iZ4(B5.0ZJ1DX=9CTBDV{.
5:
0User1
0Group1
0ACL1
0System1
0File1
0Address1
0Router1
0Application1
0Domain1
0Misc1
0Drive1
tT: rm_Object
`M: V{.
9CZ`X&mP: q
hC: Jdw
hv: Ts{F,gC'"wz"&CLr"h8{HH#
tT: rm_Action
`M: V{.
9CZ`X&mP: q
hC: BAROC
hv: YwD6Y#!q\nChvB~D5#
06Y1rm_misc_actionE
    1 NONE
    2 CREATE
    3 MODIFY
    4 DELETE
    5 START
    6 RESTART
    7 STOP
    8 CONNECT
    9 DISCONNECT
    10 ENABLE
    11 DISABLE
    12 FORWARD
    13 SAVE
    14 RESTORE
    15 ALLOW
    16 DENY
    17 OPEN
    18 CLOSE
    19 USE
    20 BIND
    21 FAIL
    22 UNKNOWN
END
BAROC D~u?BAROC D~ disk_watcher.barocDu?4FgBiN:
#-------------------------------------------------------------
TEC_CLASS:
    DW_DriveFull ISA RM_MiscEvent
    DEFINES {
        rm_SensorType: default = 'disk_watcher';
        rm_TimestampFmt: default = 'TIME2';
        rm_Correlate: default = 'no';
        rm_Level : default=1.0;
        rm_Category : default = 'Error';
        rm_ObjectType: default='Drive';
        rm_Action: default='FAIL';
    };
END
#-------------------------------------------------------------
q=D~u?r* disk_watchernI\9C0TEC U>D~1Jdw,yTh*q=
D~#Yh disk_watcher*ELUd;cOX/fzID53U>u?
4FgBiN:
"Aug 6 16:14:46 myhost disk_watcher myhost.sub.com Drive: E"
q=D~u?rI\4FgB:
//-----------------------------------------------------------
// "Aug 6 16:14:46 myhost disk_watcher myhost.sub.com Drive: E"
FORMAT DW_DriveFull
%t %s disk_watcher %s Drive: %s
date $1
rm_Timestamp $1
rm_TimestampFmt TIME2
rm_SensorHostname $3
rm_SensorType disk_watcher
rm_Object $4
rm_Signature PRINTF("Disk full for disk: %s",rm_Object)
END
//-----------------------------------------------------------
q=D~*7-#P;vy>u?,;sZdO9CX|V FOLLOWS
4("#KzFITC4hC+PwDyPB~`D2,tT#}g,
ITCK=(hCtT rm_SensorTypeM rm_TimestampFmt#q=D~
u?rI\4FgB:
//-----------------------------------------------------------
// "Aug 6 16:14:46 myhost disk_watcher myhost.sub.com Drive: E"
FORMAT DW_Base
%t %s disk_watcher %s %s*
date $1
rm_Timestamp $1
rm_TimestampFmt TIME2
rm_SensorHostname $3
rm_SensorType disk_watcher
END
//-----------------------------------------------------------

//-----------------------------------------------------------
// "Aug 6 16:14:46 myhost disk_watcher myhost.sub.com Drive: E"
FORMAT DW_DriveFull FOLLOWS DW_Base
%t %s disk_watcher %s Drive: %s
rm_Object $4
rm_Signature PRINTF("Disk full for disk: %s",rm_Object)
END
//-----------------------------------------------------------
hC rm_SensorTypeDm;VzFG+|hC*1!5,CZkB+P
w`X*D?vB`#9CKq=D~(rZJdw6phCKtT)
PdEc,;h*Z;&hC|,Zd|\``(eP|<;YG1!
5#9Cq=D~D1cG:azInbDxg(E?,r*}]kB
~G;p"MD#
"b,y>u?k`cN^X#B5O,q=D~T`cNDLP=f
A^y*#
h*NGDXc
¶ k!I\9C;Z sensor_abstract.barocwWcD`xPIz#by
ITx Risk Managera)XZB~`M!I\_eDDE"#
¶ kn!/BtT}?#IT4(=StT,xRbTq!E"45
Pbe,+Gk"b=SE"";\; Risk ManageryC#
¶ S sensor_abstract.barocwIz`1;\Iz;z#d;ITZ!q
D sensor_abstract.baroc `B4(T:DcNa9(P1aPC),
+G,Ms0fa=D=StT,k"b Risk Manager;a9CK
=SE"#
"b:1!ivB,TEC 3.7 fr!qG6`5}D}kB~#6`G;ZcNa9W?D`#g{;v`Cwd|`Dy`,r Risk Manager fr+;a4{w*Ky`5}DNNB~#
¶ k7#`{T+Pw`M45IT7O#}g,yP ftp_watcher`
IT FW_ *7,FTPG<JOB~ITFw FW_FTPLoginFailure#
¶ k7#tT{T+Pw`M45IT7O#}g,yP ftp_watchert
TIT fw_ *7#
¶ k+yP`4k BAROC D~(}g,ftp_watcher.baroc)#
¶ kG!*hCTBtT:
rm_TimestampkIIn/X*D1dAG#EH!Cq=G epoch,Kq=
GSqV~N1d 1970/1/1 00:00:00*<Dk}#
rm_TimestampFmt}Z9CD1dAGq=#1!5G ‘N/A’ #"b,K1!5
+<B RM_InputErrB~DzI#
rm_SensorType+Pw`M{F(}g ftp_watcher)#KtTCZ
ignore_sensor_creation "downgrade_sensor_creation(kND riskmgr_hosts.pro)"RTsfD}]bQw\X
*#KtTITZJdwPhC"kB~;p"M,r_h
C*Z BAROC D~PD1!5#
rm_SensorIPAddr r rm_SensorHostname+Pw5}Dwzj6E"#
¶ kp^D sensor_abstract.barocr riskmgr.baroc#
¶ kphC sourcer sub_source tT#Risk ManagerahCb)
tT#B5O,g{ZJdwPhCKtT sub_source ""MKB
~,B~~qwavVbvms,B~2;aC=&m#
¶ }Gr*d|?DDh*(gZq=D~P),kphC origin "
sub_origin r hostname tT#Risk ManagerahCb)tT,
"2GIJdwhCDNN5#
Risk Manager Jdw5V
>BD?DG8<jI++PwrVP&CLr/IA Risk Manager1
h*D=h#>BY(zQ-4UZ73D:B+Pw`MD}](
#;PD8<(eK+*"A Risk ManagerX(D TEC B~#
B~E"D6qIT9C;,=(6qMXBq=/<BD TEC B~,"+d+MA
Risk Manager TEC~qw#TB8OITozz*&CLrr+Pw7
(nQ=(#
ZbTCZ6qB~M*"B~A Risk ManagerD;,D<uDXw
1,kNGTBwn:
1. K<uGqa)XhE"?bG;vX|D"bBn#}g,+P
wQ-zIK SNMP ]e,+G,TZk Risk ManagerDj+/
I,K]eI\"4|,yP`XE"#
2. K<uZ51`X}LPGqa)J1DT\?
3. GqIT\]WD^D+PwTa)_PyhB~E"DZ{B
~?g{Gby,+a0l=v_#}g,d;+PwQ-+|D
B~4k UNIX 53U>,+GI\3vzPK$DtT";IC#
g{IT^D+Pw4zzh*D+7E",rIT<G^D+P
wT|,53U>u?PD=SE"#
}g,VPD&CLrzzD53U>u?;c;|,'Vq=D
UZM1dE"#r*EH!CDq=G EPOCH,g{I\,IT<
G|D&CLrT|, EPOCH q=DUZM1d#XZ Risk
Managery'Vq=DUZM1dDE",kNDZ73D:B+Pw
`MD}](#;#
TEC SNMP adapter considerations
If the sensor already generates suitable SNMP traps carrying the required information, the TEC SNMP adapter can be used. If you use the SNMP adapter, you must develop a suitable CDS file. The CDS file contains the definitions the SNMP adapter uses to map specific SNMP traps to the appropriate Risk Manager event definitions. The Risk Manager event definitions produced by the SNMP adapter must match the event definitions in the sensor's BAROC file.
TEC UNIX logfile adapter considerations
If the sensor already writes suitable event records to the UNIX system log, the existing TEC Logfile Adapter can be used. If you use the Logfile Adapter, you must develop a suitable format file. The format file contains the definitions the Logfile Adapter uses to map specific system log records to the appropriate Risk Manager event definitions. Note that the gencds command turns the format file into the CDS file used by the Logfile Adapter.
TEC NT event log adapter considerations
If the sensor runs on Windows NT and already writes suitable event records to the NT event log, the existing TEC NT Event Log Adapter can be used. If you use the NT Event Log Adapter, you must develop a suitable format file. The format file contains the definitions the NT Event Log Adapter uses to map specific log records to the appropriate Risk Manager event definitions. Note that the gencds command turns the format file into the CDS file used by the NT Event Log Adapter.
Custom adapter considerations
If the sensor itself cannot easily be modified, another option is to develop an intermediate adapter that exploits the strengths of the existing TEC adapters by converting the sensor's event information into a suitable SNMP trap or system log (or NT event log) entry. Again, a format file (.fmt) or class definition statement file (.cds) must be developed.
Developers of custom adapters, or of the sensors themselves, also have other options.
1. The adapter can link with the library shipped with the TEC Event Integration Facility (EIF). The EIF library provides a relatively simple API for sending events to the TEC server.
2. The adapter can use the Tivoli wpostemsg command-line utility to send events to Risk Manager. A similar postemsg command can be used to forward events from non-Tivoli systems to TEC.
3. The adapter can use the Risk Manager EIF, which has an enhanced set of tools, to send events to the TEC server. The Risk Manager EIF includes a C language API, a command-line utility for sending events, and Perl support in the form of a Perl module that lets Perl scripts call the API directly.
Risk Manager Event Integration Facility considerations
When comparing the Risk Manager EIF with the TEC EIF library shipped with TEC, note that the Risk Manager EIF is a separate and distinct tool (it is not a replacement). The Risk Manager EIF provides the following interfaces:
• a native C interface (using a shared library)
• a Perl interface (using the Perl module shipped with the Risk Manager Perl Support installation package)
• a command-line utility for sending TEC messages (the wrmsendmsg command)
The Risk Manager EIF tools provide better performance than the TEC 3.6.2 EIF library and the wpostemsg or postemsg tools.
An application can use the Risk Manager EIF to access a single Risk Manager EIF shared library; there is no need to build separate TME and non-TME versions of the application linked against different EIF libraries.
The Risk Manager EIF uses standard format files to provide the same kind of pattern-matching capability as the logfile adapter. This pattern matching is available through all Risk Manager EIF interfaces (the C API, the Perl API and the wrmsendmsg command). An application can send events through the Risk Manager EIF in two different formats:
• a formatted string, which supplies attribute and value pairs
• an unformatted string, whose contents the Risk Manager EIF maps to an event class and attribute name and value pairs using a format file
Using the riskmgr_gencds command shipped with the Risk Manager EIF, the Risk Manager EIF can be configured to use one or more application format files. The Risk Manager EIF also provides a native Perl interface (using the Perl module shipped with the Risk Manager Perl package).
Things to consider when using the Risk Manager EIF rather than other pre-existing tools:
When a Perl program collects raw data and needs to generate TEC events efficiently, the Risk Manager EIF Perl module interface is more efficient than calling wpostemsg or postemsg from the Perl program. The Risk Manager EIF Perl interface also provides formatting facilities that wpostemsg and postemsg do not. Risk Manager Perl Support provides the Perl module that gives Perl programs direct access to the Risk Manager EIF API.
The Risk Manager EIF API also provides facilities that make it easier to build and configure distributed monitors; such monitors track the status of applications that use the Risk Manager EIF. The following are defined for building a Risk Manager monitor. Note that this information is available only for applications that use the Risk Manager EIF tools:
• adapter status (returns the status, for example up or down, of the Risk Manager EIF application for a defined Risk Manager adapter)
• adapter instances (returns the number of Risk Manager adapters running on the system)
• adapter event count (returns the number of events sent by a defined Risk Manager adapter)
Also note that Risk Manager EIF support is built on top of the TEC EIF library, which means that the filtering capability provided by the TEC EIF is also available with the Risk Manager EIF.
Risk Manager Event Integration Facility
The following Risk Manager Event Integration Facility interfaces are available:
• a native C interface (using a shared library)
• a Perl interface
• a command-line interface (using the wrmsendmsg command)
Using the application programming interface
This section describes the following Risk Manager application programming interfaces (APIs) and gives the syntax and semantics of each Risk Manager Event Integration Facility API:
• rmad_initialize
• rmad_send_message
• rmad_terminate
• rmad_info
rmad_initialize
This API call starts or initializes the Risk Manager Event Integration Facility daemon. It starts the Risk Manager adapter daemon and initializes the communication channel between the Risk Manager adapter and the Risk Manager Event Integration Facility daemon.
For Perl scripts, use rmadpm_initialize.
This API call is optional. Normally, if the daemon has not been started, the application's call to the rmad_send_message API starts the Risk Manager Event Integration Facility daemon.
Syntax
#include "rmad.h"
int rmad_initialize(void);
Usage
This API call initializes the Risk Manager Event Integration Facility daemon.
Return values
The Risk Manager Event Integration Facility returns the following values:
0 Successful completion.
Non-zero An error occurred.
rmad_send_message
The adapter uses this API call to send an event to the event server.
For Perl scripts, use rmadpm_send_message.
Syntax
#include "rmad.h"
int rmad_send_message(char *eventData, int eventFormat);
Parameters
char *eventData – Input. A string containing the data to be sent to the event server as an event.
• If the event format is formatted data, the string looks like the following:
RM_GenericIDS;severity=\"FATAL\";rm_SensorHostname=\"foobar\"
• If the event format is not formatted data, the string looks like the following:
RM_GenericIDS May 30 14:42:30 myhost log[1024]: 0x38d62a88 1 4000/4000/520 [Packet sent] 9.3.5.234 9.3.4.456
int eventFormat – Input. An integer specifying the format of the data to be sent to the event server as an event. The value 0 means unformatted data; the value 1 means formatted data.
Usage
This API call sends an event to the Risk Manager Event Integration Facility daemon. The event data the adapter supplies to the API can be provided in either of two ways:
• in attribute/value pair format, that is, as a formatted string;
• as attribute/value pairs derived from the class definition statement (.cds) file format defined for the adapter.
The format is selected by the second parameter: the value 0 means unformatted data; the value 1 means formatted data.
If the event format is set to 0, the application must supply a format file. The format file is used as input to the riskmgr_gencds command to create the rmad.cds file. The rmad_send_message API uses that file to map the unformatted string to the appropriate event class.
Return values
The Risk Manager Event Integration Facility returns the following values:
0 Successful completion.
Non-zero An error occurred.
rmad_terminate
This API call stops the Risk Manager Event Integration Facility process.
For Perl scripts, use rmadpm_terminate.
Syntax
#include "rmad.h"
void rmad_terminate(int forceflag);
Parameters
int forceflag – Input. Set to a non-zero value to force the Risk Manager Event Integration Facility to shut down.
Usage
This API ends communication with the Risk Manager Event Integration Facility daemon and releases all resources allocated during adapter initialization.
Return values
Although the prototype is declared void, the guide documents the following results for the Risk Manager Event Integration Facility:
0 Successful completion.
Non-zero An error occurred.
rmad_info
This API call queries information about the Risk Manager Event Integration Facility.
For Perl scripts, use rmadpm_info.
Syntax
#include "rmad.h"
void rmad_info(int infoType, char *buf, int bufsize);
Parameters
int infoType – Input. The type of query required. One of the following values:
RM_VERSION Returns a string that uniquely identifies the version of the Risk Manager Event Integration Facility.
RM_ACTIVE Returns whether the Risk Manager Event Integration Facility daemon is currently active.
RM_ADAPTERS Returns information about the adapters currently registered with the Risk Manager Event Integration Facility.
RM_NUMBER Returns the number of adapters currently running.
char *buf – Input/output. The buffer in which the requested information is returned.
int bufsize – Input/output. The size of the buffer available to be filled.
Usage
Use this API call to query information about the Risk Manager Event Integration Facility.
Return values
The Risk Manager Event Integration Facility returns the following values:
0 Successful completion.
Non-zero An error occurred.
Using the Perl interface
The Perl module supplied with Risk Manager provides a Perl interface to the Risk Manager Event Integration Facility. The Risk Manager Event Integration Facility Perl module can be used with any Perl script. To call the Risk Manager Event Integration Facility API from a Perl script, both the Risk Manager Event Integration Facility and Risk Manager Perl Support must be installed.
With the Perl API you can:
Initialize: initialize the library with the configuration information. For example:
rmadpm::rmadpm_initialize( );
Send events: send a string to be parsed and passed to the TEC event server. For example:
my $syslogStr = "$ltime $lhost $ident\[$$\]: $printStr";
$return = rmadpm::rmadpm_send_message ($syslogStr, 0);
Terminate: close the Risk Manager Event Integration Facility session. For example:
rmadpm::rmadpm_terminate(0);
The Risk Manager Event Integration Facility Perl module provides the following Perl APIs, which can be found in the rmadpm.pm file:
rmadpm_initialize ( )
rmadpm_send_message ( )
rmadpm_terminate ( )
Using the command-line interface
Three command-line interfaces are defined for the Risk Manager Event Integration Facility. This section gives the syntax and semantics of these Risk Manager EIF commands:
• wrmsendmsg
• wrmadmin
• riskmgr_gencds
wrmsendmsg
Use this command to forward an event to the TEC event server.
Syntax
wrmsendmsg [-f] [message_data]
where:
-f Specifies that the message data is in attribute/value pair form. If the -f option is not given, the application's format file must already have been applied to the Risk Manager EIF configuration with the riskmgr_gencds command. For information about the riskmgr_gencds command, see "riskmgr_gencds" on page 49.
message_data Specifies the event data, which is passed to the library and then sent to the event server. If no message data is given on the command line, it is read from standard input.
Usage
This command accepts event messages in the following two formats:
• a formatted string containing one or more attribute name and value pairs;
• raw data that must be formatted using the Risk Manager EIF .cds and .fmt files. The Risk Manager Event Integration Facility formats the string data before sending the event to the TEC event server.
The following example supplies a string of attribute and value pairs. Note that the -f flag indicates that the string is already formatted, and that the first value in the string is the TEC event object class name.
wrmsendmsg -f "NIDS_DOS;date='12:22:23';rm_SensorIPAddr=11.34.65.99;rm_Timestamp=0x39d8e8ff;rm_DestinationIPAddr=10.0.0.3"
The following example supplies an unformatted string. The Risk Manager Event Integration Facility CDS (.cds) file is used to parse the string, assign the object class name and assign the appropriate attribute values before the event is sent to TEC.
wrmsendmsg "Oct 3 12:22:23 2000 syslog NIDS foo.tivoli.com 0x39d8e8ff 10.0.0.3"
Return values
The Risk Manager Event Integration Facility returns the following values:
0 Successful completion.
Non-zero An error is returned and/or an error message is produced.
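The formatted (attribute/value pair) string accepted by rmad_send_message with eventFormat=1 and by wrmsendmsg -f is easy to get subtly wrong, and nothing in the tools above enforces the data-modeling rules from the previous chapter. The following Python is an added example, not code from the guide or from the Risk Manager product: it builds such a string from a class name and an attribute dictionary, checks the chapter-2 rules first (class name first, rm_SensorType and a sensor host identifier present, rm_Timestamp an epoch integer, rm_TimestampFmt not left at 'N/A', and the attributes Risk Manager sets itself, source, sub_source, origin, sub_origin and hostname, absent), and parses such a string back so you can audit what an adapter actually emits. The backslash escaping of quotes inside values, the function names and the sample event are this example's own assumptions; the GUIDE_EXAMPLE string is the guide's own wrmsendmsg sample.

```python
import re

# Attributes the guide says Risk Manager sets itself; an adapter must not send them.
RESERVED_ATTRS = ("source", "sub_source", "origin", "sub_origin", "hostname")
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Copied from the wrmsendmsg -f example above (the guide's own sample data).
GUIDE_EXAMPLE = ("NIDS_DOS;date='12:22:23';rm_SensorIPAddr=11.34.65.99;"
                 "rm_Timestamp=0x39d8e8ff;rm_DestinationIPAddr=10.0.0.3")


class EventFormatError(ValueError):
    """Raised for a string that is not a well-formed attribute/value event."""


def check_event(class_name, attrs):
    """Return the list of data-modeling rules the event breaks (empty if none)."""
    problems = []
    if not _NAME_RE.match(class_name or ""):
        problems.append("class name %r is not a valid BAROC class name" % (class_name,))
    if "rm_SensorType" not in attrs:
        problems.append("rm_SensorType is missing")
    if "rm_SensorIPAddr" not in attrs and "rm_SensorHostname" not in attrs:
        problems.append("neither rm_SensorIPAddr nor rm_SensorHostname is set")
    for name in RESERVED_ATTRS:
        if name in attrs:
            problems.append("%s is set by Risk Manager and must not be sent" % name)
    ts = attrs.get("rm_Timestamp")
    if ts is None:
        problems.append("rm_Timestamp is missing")
    elif isinstance(ts, bool) or not isinstance(ts, int) or ts < 0:
        problems.append("rm_Timestamp must be a non-negative epoch integer")
    if attrs.get("rm_TimestampFmt", "N/A") == "N/A":
        problems.append("rm_TimestampFmt is 'N/A', which yields an RM_InputErr event")
    return problems


def _quote(value):
    """Integers go bare, strings double-quoted; backslash escapes are this example's rule."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise EventFormatError("unsupported value type: %r" % (value,))
    if isinstance(value, int):
        return str(value)
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_formatted_event(class_name, attrs):
    """Produce CLASS;attr="value";... for rmad_send_message(..., 1) or wrmsendmsg -f."""
    problems = check_event(class_name, attrs)
    if problems:
        raise EventFormatError("; ".join(problems))
    return ";".join([class_name] + ["%s=%s" % (k, _quote(v)) for k, v in attrs.items()])


def _split_fields(text):
    """Split on ';' outside quotes; quote characters and escapes are kept for _unquote."""
    fields, cur, quote, escaped = [], [], None, False
    for ch in text:
        cur.append(ch)
        if escaped:
            escaped = False
        elif quote:
            if ch == "\\":
                escaped = True
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == ";":
            cur.pop()
            fields.append("".join(cur))
            cur = []
    if quote or escaped:
        raise EventFormatError("unterminated quoted value")
    fields.append("".join(cur))
    return fields


def _unquote(raw):
    """Quoted text -> str with escapes removed; bare text -> int when numeric (0x.. allowed)."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        body, out, i = raw[1:-1], [], 0
        while i < len(body):
            if body[i] == "\\" and i + 1 < len(body):
                i += 1
            out.append(body[i])
            i += 1
        return "".join(out)
    try:
        return int(raw, 0)
    except ValueError:
        return raw  # bare strings such as IP addresses stay strings


def parse_formatted_event(text):
    """Inverse of build_formatted_event: returns (class_name, {attribute: value})."""
    fields = _split_fields(text.strip())
    class_name, attrs = fields[0].strip(), {}
    if not _NAME_RE.match(class_name):
        raise EventFormatError("missing or invalid class name in %r" % (text,))
    for field in fields[1:]:
        if not field.strip():
            continue  # tolerate a trailing ';'
        name, sep, raw = field.partition("=")
        name = name.strip()
        if not sep or not _NAME_RE.match(name):
            raise EventFormatError("bad attribute field %r" % (field,))
        if name in attrs:
            raise EventFormatError("duplicate attribute %r" % (name,))
        attrs[name] = _unquote(raw.strip())
    return class_name, attrs


if __name__ == "__main__":
    cls, attrs = parse_formatted_event(GUIDE_EXAMPLE)
    for problem in check_event(cls, attrs):
        print("guide example:", problem)
    sample = {"rm_SensorType": "ftp_watcher", "rm_SensorHostname": "foobar",  # constructed
              "rm_Timestamp": 970516735, "rm_TimestampFmt": "epoch", "severity": "FATAL"}
    print(build_formatted_event("FW_FTPLoginFailure", sample))
```

Running it over the guide's wrmsendmsg sample reports that rm_SensorType and rm_TimestampFmt are absent, which is exactly what the modeling chapter says Risk Manager needs; the 0x39d8e8ff timestamp parses as the epoch value 970516735. Bare values that are not numbers (the IP addresses) stay strings, so the checker does not mistake them for integers.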
wrmadmin
Use this command to perform administrative tasks on the Risk Manager Event Integration Facility daemon and shared library.
Syntax
wrmadmin [-kill | -info]
where:
-kill Terminates or stops the Risk Manager Event Integration Facility daemon.
-info Requests that information about the running adapters be displayed.
Usage
This command has two options:
• The -kill option terminates the Risk Manager Event Integration Facility. The Risk Manager Event Integration Facility daemon restarts automatically the next time an application calls it. Use this option after modifying the rmad.conf configuration file.
• The -info option displays version information and information about the adapters registered with the Risk Manager Event Integration Facility.
This command-line interface uses the interfaces defined in the Risk Manager Event Integration Facility to perform administrative actions on the Risk Manager Event Integration Facility daemon and shared library tools.
Return values
The Risk Manager Event Integration Facility returns the following values:
0 Successful completion.
Non-zero An error is returned and/or an error message is produced.
riskmgr_gencds
Use this command to add format file information to the rmad.cds file.
Syntax
riskmgr_gencds filename.fmt > filename.cds
where filename.fmt is the name of the format file to process.
Usage
Use this command to generate the class definition statement (CDS) file used with the Risk Manager Event Integration Facility. The Risk Manager Event Integration Facility does not ship with a default CDS file. A CDS file is needed whenever a Risk Manager Event Integration Facility application uses unformatted event message strings; in that case, use a suitable format file (.fmt) to generate the required CDS file.
Return values
The Risk Manager Event Integration Facility returns the following values:
0 Successful completion.
Non-zero An error is returned and/or an error message is produced.
Linking with the shared library
For use with the C language, the Risk Manager Event Integration Facility includes an event application programming interface (API) library. Adapters shipped with Risk Manager that use the Risk Manager Event Integration Facility must link with this library to send events to the event server.
• The AIX version of an adapter needs the librmad.a library file.
• The Solaris version of an adapter needs the librmad.so library file.
• The Windows version of an adapter needs the rmad.lib library file.
The same library is supplied for both the Tivoli and non-Tivoli versions of the Risk Manager Event Integration Facility, so there is no need to create separate Tivoli and non-Tivoli versions of an application.
The Risk Manager Event Integration Facility shared library provides the interfaces that Risk Manager adapters use to send events to the event server. The Risk Manager Event Integration Facility API consists of:
• rmad_initialize
• rmad_send_message
• rmad_terminate
• rmad_info
Debugging the Risk Manager EIF
The Risk Manager Event Integration Facility lets you trace the events you want to debug, from the time the raw event begins processing until it is discarded or sent successfully to the event server. The trace is written to a log file (.err), which can be found in the following directory on each platform:
Windows NT:
..\RISKMGR\Adapters\etc\rmad.log
UNIX:
../RISKMGR/Adapters/etc/rmad.log
To turn on logging, specify the RmadLogging keyword in the rmad.conf configuration file:
RmadLogging=YES
If it is not set to YES or yes, logging is disabled.
The entries in the error file configure the debug and trace options. The error file normally has the extension .err. As in the following example, the AdapterErrorFile keyword in the configuration file specifies the name of the error file:
AdapterErrorFile=/usr/tecad/rmad_filename.err
If you change event definitions in the CDS or format file, you can use the error file to define the values to be traced and so confirm that the Risk Manager Event Integration Facility works correctly with the new event definitions. To show the exact path of a failure, change every instance of /dev/null in the error file to /tmp/rmad_filename.errors.
Each line of the error file consists of the following information:
module_name error_level output_file
where:
module_name Specifies the type of function or process to be debugged or traced. Valid values are:
ERROR Error functions.
UTILS Utility functions.
PARSER Parsing functions.
KERNEL General kernel operations.
SELECT The select process.
FETCH The fetch process.
MAP The mapping process.
DRIVER Driver common components.
DRVSPEC SNMP-specific driver components.
TECIO Event server input/output (I/O).
error_level Specifies the type of error to report or the type of trace to perform. Valid values are:
MINOR Minor errors.
MAJOR Major errors.
FATAL Fatal errors.
LOW Minimal tracing.
NORMAL Normal tracing.
VERBOSE Verbose tracing.
output_file Specifies the name of the file to which the output is written.
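Because a trace that quietly goes to /dev/null is indistinguishable from a trace that never ran, it helps to have a small checker for the two files described above. The following Python is an added example, not code from the guide or the product: it reads rmad.conf for the RmadLogging and AdapterErrorFile keywords (treating only the literal YES or yes as enabled, as the guide states), validates each error-file line against the documented module names and levels, performs the /dev/null to /tmp/rmad_filename.errors rewrite the guide recommends for diagnosing a failure, and summarises which modules will actually produce errors or trace output. The comment syntax ('#' lines), the default error file name and both sample files are this example's assumptions.

```python
MODULES = ("ERROR", "UTILS", "PARSER", "KERNEL", "SELECT",
           "FETCH", "MAP", "DRIVER", "DRVSPEC", "TECIO")
ERROR_LEVELS = ("MINOR", "MAJOR", "FATAL")
TRACE_LEVELS = ("LOW", "NORMAL", "VERBOSE")

# Constructed sample rmad.conf; only the two keywords the guide documents are used.
SAMPLE_CONF = """\
# rmad.conf (constructed sample)
RmadLogging=YES
AdapterErrorFile=/usr/tecad/rmad_filename.err
"""

# Constructed sample error file in the 'module level output_file' layout described above.
SAMPLE_ERR = """\
ERROR FATAL /usr/tecad/rmad_fatal.log
PARSER VERBOSE /dev/null
MAP NORMAL /dev/null
TECIO MAJOR /usr/tecad/rmad_fatal.log
"""


def parse_rmad_conf(text):
    """Return {keyword: value} from KEYWORD=value lines; '#' comments and blanks skipped."""
    conf = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError("rmad.conf line %d: expected KEYWORD=value" % lineno)
        conf[key.strip()] = value.strip()
    return conf


def logging_enabled(conf):
    """Only the literal values YES and yes enable logging (the guide's rule)."""
    return conf.get("RmadLogging") in ("YES", "yes")


def error_file_path(conf, default="rmad.err"):
    """Path from AdapterErrorFile, or an assumed default when the keyword is absent."""
    return conf.get("AdapterErrorFile", default)


def parse_error_file(text):
    """Return [(module, level, output_file)], validating against the documented values."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != 3:
            raise ValueError("error file line %d: expected 'module level output_file'" % lineno)
        module, level, out = parts
        if module not in MODULES:
            raise ValueError("error file line %d: unknown module %r" % (lineno, module))
        if level not in ERROR_LEVELS + TRACE_LEVELS:
            raise ValueError("error file line %d: unknown level %r" % (lineno, level))
        entries.append((module, level, out))
    return entries


def redirect_null_outputs(text, target="/tmp/rmad_filename.errors"):
    """The guide's diagnostic step: point every /dev/null output at a real file."""
    lines = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == "/dev/null":
            parts[2] = target
            line = " ".join(parts)
        lines.append(line)
    return "\n".join(lines) + "\n"


def effective_debug_config(conf_text, err_text):
    """{module: {'errors'|'trace': (level, output_file)}}; empty when logging is off."""
    conf = parse_rmad_conf(conf_text)
    if not logging_enabled(conf):
        return {}
    summary = {}
    for module, level, out in parse_error_file(err_text):
        kind = "errors" if level in ERROR_LEVELS else "trace"
        summary.setdefault(module, {})[kind] = (level, out)
    return summary


if __name__ == "__main__":
    conf = parse_rmad_conf(SAMPLE_CONF)
    print("logging:", logging_enabled(conf), "error file:", error_file_path(conf))
    print(redirect_null_outputs(SAMPLE_ERR))
    print(effective_debug_config(SAMPLE_CONF, SAMPLE_ERR))
```

Note that a value such as Yes or TRUE leaves logging disabled without any diagnostic, which is why the checker tests the keyword value rather than its mere presence.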
Index
book, structure of  viii
book, intended audience  vii
querying the Risk Manager Event Integration Facility  42
publications, Tivoli SecureWay products  x
initializing
  using the API  38
  using a Perl script  44
sensors  1
sensors, developing  8
defining event classes  2
readers  vii
sending events
  using the API  39
  using a Perl script  44
sending event data to the event server  46
adding format files  49
format file entries  22, 29
toolkit  37
closing the session  41, 44
about this guide  vii
administrative tasks  48
administrator, Tivoli documentation  viii
overview
  conventions used  ix
  Perl interface  44
  Risk Manager Event Integration Facility commands  45
  Risk Manager Event Integration Facility API  37
base classes  9, 10, 24
Integration Facility  4, 5
introduction  1
interfaces
  command-line interface  45
  API  37
  Perl  44
developing new sensors  8
customer support  ix
class definition statement (CDS) files  49
commands
  gencds  34
  postemsg  4, 35, 36
  riskmgr_gencds  36, 39, 46, 49
  wpostemsg  4, 35, 36
  wrb  11
  wrmadmin  48
  wrmsendmsg  35, 46
  command-line interface  45
commands, Risk Manager Event Integration Facility
  riskmgr_gencds  49
  wrmadmin  48
  wrmsendmsg  46
starting
  Risk Manager Event Integration Facility  38
preface  vii
intrusion detection sensors  1
setting attributes  11, 24
events
  sending to the event server  39
Event Integration Facility
  Risk Manager  5
  Tivoli Enterprise Console  4
Event Integration Facility (EIF)  viii
Event Integration Facility (see Risk Manager Event Integration Facility)  37, 39
event classes  2
adapters  1
adapters, TEC  4
book
  structure  viii
data  10
stopping
  using a PERL script  41
  using a Perl script  44
  Risk Manager Event Integration Facility process  41
documentation
  TEC and related products  viii
traps  4
selecting base classes  9, 10, 24
severity  1
application programming interface  37
conventions  ix
support, Tivoli customer  ix
performing administrative tasks  48
terminating the session  41, 44
forwarding events  4
status  3
A
API functions
  rmad_info  42
  rmad_initialize  38
  rmad_send_message  39
  rmad_terminate  41
B
BAROC file entries  22, 28
E
EVENT class  13
F
FTP login failures  9
G
gencds command  34
N
NT Event Log adapter  4
P
Perl scripts
  rmadpm_info  42
  rmadpm_initialize  44
  rmadpm_send_message  44
  rmadpm_terminate  44
Perl interface  44
PERL module
  rmadpm_initialize  38
  rmadpm_send_message  39
  rmadpm_terminate  41
postemsg command  4, 35, 36
R
Risk Manager
  Event Integration Facility  5
  Event Integration Facility (toolkit)  37
  event classes  2
  forwarding security events to  4
  TEC adapters  4
  Web information  x
Risk Manager Event Integration Facility  5
  querying  42
  initializing the library  44
  sending events  44
  commands  45
  stopping  44
  Perl API  44
  riskmgr_gencds command  49
  wrmadmin command  48
  wrmsendmsg command  46
Risk Manager Event Integration Facility
  sending events to  39
  interfaces  37
  starting  38
  stopping  41
  API  37
riskmgr_gencds command  36, 39, 46, 49
rmadpm_info Perl API  42
rmadpm_initialize Perl API  38, 44
rmadpm_send_message Perl API  39, 44
rmadpm_terminate API  44
rmadpm_terminate Perl API  41, 44
rmad.cds file  49
rmad_info API  42
rmad_initialize API  38
rmad_send_message API  38, 39
rmad_terminate API  41
RM_IDSEvent  9, 10, 11, 20
RM_IDSNetwork  9, 21
RM_MiscEvent  11, 22, 24, 26
RM_SensorEvent  7, 9, 11, 15, 24
RM_Service  21
rm_Timestamp  10
RM_User  10, 11, 21
S
SNMP adapter  4
T
TEC
  documentation  viii
TEC Event Integration Facility  4
TEC adapters  4
Tivoli
  security management Web information  x
  customer support  ix
  Event Integration Facility (EIF)  viii
  SecureWay products Web site  x
Tivoli Enterprise Console (see TEC)  viii
Tivoli Logfile adapter  4
U
UNIX adapter  4
W
Web sites
  security management information  x
  Tivoli customer support  ix
  Tivoli SecureWay products  x
  Tivoli SecureWay Risk Manager  x
Windows NT adapter  4
wpostemsg command  4, 35, 36
wrb command  11, 24
wrmadmin command  48
wrmsendmsg command  35, 46
Printed in China
GB84-0437-00