Proventia Server for Linux 1.5.2 Fix Pack 4 README

========================================================================
========================================================================
ABSTRACT
========================================================================

Proventia Server for Linux 1.5.2 fix pack 4 installation package.
This cumulative installation increments the agent version to 1.5.2.4.

========================================================================
SUMMARY
========================================================================

Readme file for:            Proventia Server for Linux
Product/Component Release:  1.5.2.4
Update Name:                1.5.2.4-ISS-PSL-FP004
Platforms:                  All supported platforms
Publication date:           October 21, 2013
Last Modification date:     October 21, 2013

© Copyright IBM Corporation 2013.

Please read this document in its entirety.

========================================================================
CONTENTS
========================================================================

* List of enhancements
* List of APARs addressed
* List of internally identified defects addressed
* Installation information
* Post-installation information
* Configuring Web server SSL traffic inspection information
* Additional information
* Files included in this update
* Contacting IBM Support

========================================================================
LIST OF ENHANCEMENTS
========================================================================

Enhancements new to 1.5.2.4:

1. In addition to updating an existing installation, the fix pack
   installer may be used to install the software without having to
   previously install the base Proventia Server for Linux 1.5.2
   package.

2. Support for IBM HTTP Server 8.5 is added.
   The following combinations of IBM HTTP Server 8.5 and operating
   system architecture are now supported:

   o IBM HTTP Server 8.5 32-bit (on 32-bit or 64-bit operating systems)
   o IBM HTTP Server 8.5 64-bit

   NOTE: Web server SSL traffic inspection support remains limited to
   Intel architecture platforms.

   Support for Web server SSL traffic inspection for newly supported
   Web servers is enabled after installing the fix pack by running a
   new command, /opt/ISS/etc/configure_mod_rs. Information for running
   this command can be found in the section "CONFIGURING WEB SERVER SSL
   TRAFFIC INSPECTION INFORMATION" below.

Enhancements new to 1.5.2.3:

None.

Enhancements new to 1.5.2.2 (limited availability):

None.

Enhancements new to 1.5.2.1:

1. Web server SSL traffic inspection is extended to support the
   following Web servers. A leading '*' indicates a newly supported
   Web server.

   o   Apache 2.0 32-bit (on 32-bit operating systems)
   o   Apache 2.2 32-bit (on 32-bit operating systems)
   o   Apache 2.2 32-bit (on 64-bit operating systems)
   o * Apache 2.2 64-bit
   o * IBM HTTP Server 7.0 32-bit (on 32-bit or 64-bit operating systems)
   o * IBM HTTP Server 8.0 32-bit (on 32-bit or 64-bit operating systems)
   o * IBM HTTP Server 8.0 64-bit

   NOTE: Web server SSL traffic inspection support remains limited to
   Intel architecture platforms.

   Support for Web server SSL traffic inspection for newly supported
   Web servers is enabled after installing the fix pack by running a
   new command, /opt/ISS/etc/configure_mod_rs. Information for running
   this command can be found in the section "CONFIGURING WEB SERVER SSL
   TRAFFIC INSPECTION INFORMATION" below.

========================================================================
LIST OF APARS ADDRESSED
========================================================================

APARs addressed by 1.5.2.4:

None.

APARs addressed by 1.5.2.3:

IV26032  Need to move /tmp/isslum-ctrl file to the /var/run directory

         The agent relied on the persistence of the isslum-ctrl and
         other files in /tmp.
         The agent components that rely on this persistence now use
         the /var/run directory hierarchy for such files; unlike /tmp,
         /var/run is not world-writable and is not subject to routine
         temporary-file cleanup.

APARs addressed by 1.5.2.2 (limited availability):

None.

APARs addressed by 1.5.2.1:

None.

========================================================================
LIST OF INTERNALLY IDENTIFIED DEFECTS ADDRESSED
========================================================================

Internally identified defects addressed by 1.5.2.4:

13319  Returned user-defined syslog file names specified by wild card
       contain an extra slash.
13276  Long syslog lines are truncated unexpectedly when returned to
       SiteProtector. The limit should be 4K.
14544  Agent status goes to Active with Errors after upgrade.
29837  ids.excludeinterfaces should be able to contain white space
       characters.
40844  Installation can hang if stale NFS mounts are present on the
       system.
41669  Systems with rsyslogd version 5 (RHEL 6.3 or later) must have
       rsyslogd restarted by the installer rather than sent a HUP
       signal to reload its configuration.
43170  The configure_mod_rs script does not work on SLES endpoints if
       /usr/sbin/apache2ctl is specified.
43654  The PSL agent's issDaemon process sometimes does not stop
       successfully.
44056  Template files are not preserved on configuration, making future
       upgrades more difficult than necessary. Template files are now
       preserved.
44058  The agent should release its license and indicate stopped status
       to SiteProtector when shut down.
44588  issCSF may terminate unexpectedly in rare circumstances.
45244  issCSF may spin on termination if the number of text log
       monitoring groups is reduced.
45702  Repeated installation and uninstallation may create a situation
       where the SSL inspection module IPC resources do not get
       correctly initialized, causing SSL inspection not to operate.
45802  The SSL inspection module may cause IBM HTTP Server to crash on
       shutdown, with messages in the Web server log indicating pure
       virtual function calls.
Internally identified defects addressed by 1.5.2.3:

17108  Web plug-in does not always pass sufficient data to PAM.
17133  In limited circumstances, the PSL agent may not block TCP
       traffic that should be blocked.
17944  Enhanced Apache module logging. Logging performed by the PSL
       module is now better integrated with the Apache logging
       subsystem.
19166  Performance enhancements to network traffic inspection.
20044  In limited circumstances, TCP reset packets for connections
       closed by the agent would not be transmitted.

Internally identified defects addressed by 1.5.2.2 (limited
availability):

16881  Fix pack installation would partially succeed and then fail
       silently if the security content (PAM) RPM was at the same or
       later level than the security content included in the fix pack.
17125  Fix pack installation would not install 64-bit security content
       (PAM) on a 64-bit system if the existing 32-bit PAM was at the
       same or later level than the security content included in the
       fix pack.
17191  The pslconfig utility does not validate port ranges correctly.
       Ranges where the end port sorts lexically before the start port
       were rejected even though they are valid when compared
       numerically. For example, the range 80-100 was rejected when it
       should have been accepted.

Internally identified defects addressed by 1.5.2.1:

14070  32-bit Web servers running on 64-bit platforms cannot be
       protected with the SSL protection module.
14079  Web server module does not handle PAM tuning parameters.

========================================================================
INSTALLATION INFORMATION
========================================================================

The fix pack is available both as an X-Press Update (XPU) from the IBM
Security download center and as a self-extracting shell archive (shar)
from IBM Support Fix Central.

The XPU package can be applied to any existing Proventia Server for
Linux installation from version 1.5, provided the platform requirements
are met.
Please review the current System Requirements Document for details of
platform requirements. A link to this document is provided at the end
of this section.

The shar package can be applied to any existing Proventia Server for
Linux installation from version 1.5.2. The shar package can also be
used to install the full software on a system without Proventia Server
for Linux already installed.

To install the shell archive fix pack:

Because the shell archive is executed as root, first confirm that the
file you downloaded matches the checksum listed under "FILES INCLUDED
IN THIS UPDATE" below. Then, as the root user, run the shar file
corresponding to the Linux distribution you have:

On Intel systems:

  RedHat:
  # sh ./1.5.2.4-ISS-PSL-LinuxIntel-RHEL-FP004.sh

  SuSE:
  # sh ./1.5.2.4-ISS-PSL-LinuxIntel-SLES-FP004.sh

On zSeries systems:

  RedHat:
  # sh ./1.5.2.4-ISS-PSL-LinuxS390-RHEL-FP004.sh

  SuSE:
  # sh ./1.5.2.4-ISS-PSL-LinuxS390-SLES-FP004.sh

For complete information about hardware and software compatibility, see
the detailed system requirements document at

http://publib.boulder.ibm.com/infocenter/sprotect/v2r8m0/topic/com.ibm.psl.doc_1.5/concepts/psl_pdf_container.htm

If the Proventia Server services are running when the fix pack is
installed, the services are automatically stopped and restarted.

The agent version might be displayed as an earlier version than 1.5.2.4
because the iss-spa service can be started to send a heartbeat to
SiteProtector while Fix Pack 4 is being installed. After Fix Pack 4 is
installed and the iss-spa service sends another heartbeat to
SiteProtector, the agent version will appear correctly as 1.5.2.4.

========================================================================
POST-INSTALLATION INFORMATION
========================================================================

If you are making use of the SSL traffic inspection support of
Proventia Server for Linux, you will need to restart any integrated
Web servers after applying the fix pack. This must be done manually
after the fix pack has been installed, whether as an X-Press Update or
as a shell archive; until the restart, the Web server keeps running the
previous version of the inspection module.
To identify the set of Web servers integrated with Proventia Server for
Linux on a particular system, examine the file:

  /opt/ISS/proventia_server_1/ApacheRootInfo

========================================================================
CONFIGURING WEB SERVER SSL TRAFFIC INSPECTION INFORMATION
========================================================================

Support for Web server SSL traffic inspection for newly supported Web
servers is enabled after installing the fix pack by running a new
command.

NOTE: Web server SSL traffic inspection support remains limited to
Intel architecture platforms.

The new command has the following syntax:

  # /opt/ISS/etc/configure_mod_rs APACHE_BIN APACHE_CONF

where:

  APACHE_BIN   is the full path to the Web server's apachectl or httpd
               program. For IBM HTTP Server specify the apachectl
               program. For Apache specify the httpd program.

  APACHE_CONF  is the full path to the Web server's configuration file.

For example, to enable SSL traffic inspection for an IBM HTTP Server
Web server installed in the /opt/IBM/HTTPServer directory, run the
configure_mod_rs command as:

  # /opt/ISS/etc/configure_mod_rs /opt/IBM/HTTPServer/bin/apachectl \
        /opt/IBM/HTTPServer/conf/httpd.conf

The Web server must then be restarted.

========================================================================
ADDITIONAL INFORMATION
========================================================================

Packet data is stored in the kernel's socket receive buffer. If this
buffer becomes full, PSL receives ENOBUFS errors on the socket and the
packet is dropped. To prevent this situation, you can use the following
tuning parameters to increase the socket buffer size:

  net.core.rmem_default
  net.core.rmem_max

Implement these parameters when you install the fix pack. You must
restart the Proventia Server for Linux sensor to ensure that the new
socket buffer size is used by the sensor.
If your network performance continues to degrade after you install this
fix pack, you must implement and tune these parameters. System
administrators can determine whether these parameters need to be tuned
by monitoring the "netlink drops" counter in the /proc/net/ip_queue
file: a counter that keeps growing means the receive buffer is still
filling and packets are being dropped.

To implement the tuning parameters:

1. Verify the existing settings by using the command:

   # sysctl -a | grep core.rmem

2. Ensure that the minimum recommendation of 4194304 is set:

   # sysctl -w net.core.rmem_max=4194304
   # sysctl -w net.core.rmem_default=4194304

   NOTE: This setting is fine for most scenarios, but if you determine
   that it is inadequate for your system, increase it in 1 MB
   increments.

3. Repeat Step 1 to verify the setting.

4. Restart the sensor.

This procedure is not persistent across reboots of the system. To
ensure that these settings persist, add the new values to the file
/etc/sysctl.conf. Example:

  Edit /etc/sysctl.conf and add

  net.core.rmem_default = 4194304
  net.core.rmem_max = 4194304

========================================================================
FILES INCLUDED IN THIS UPDATE
========================================================================

The files included in this update and their check sums are:

MD5
------
1.5.2.4-ISS-PSL-LinuxIntel-RHEL-FP004.sh: 313f50810f0036468958a19bf128f994
1.5.2.4-ISS-PSL-LinuxIntel-SLES-FP004.sh: f0607d60d1f1274d4c61a60cb398eb3a
1.5.2.4-ISS-PSL-LinuxS390-RHEL-FP004.sh:  edfb0e82d9b10e82d255654adc02cb9c
1.5.2.4-ISS-PSL-LinuxS390-SLES-FP004.sh:  8b2c067f667d5ced57598baf2d88082e

SHA1
------
1.5.2.4-ISS-PSL-LinuxIntel-RHEL-FP004.sh: d72370ee8d7d4d7122cc7b2a1ddca1c726ae8b91
1.5.2.4-ISS-PSL-LinuxIntel-SLES-FP004.sh: d70d729c2536571021e7581fb434d8cd26fd4a79
1.5.2.4-ISS-PSL-LinuxS390-RHEL-FP004.sh:  07aedf77be76f168458265ad07a39ddf00fa1c3e
1.5.2.4-ISS-PSL-LinuxS390-SLES-FP004.sh:  391cae85666c27db00664311dbb84028a90458e0

SHA256
-------
1.5.2.4-ISS-PSL-LinuxIntel-RHEL-FP004.sh:
  12ad30bb4573319a4cde5a777e39b0f6d8c1e9280e011a77f24ceeaf68ddfd4a
1.5.2.4-ISS-PSL-LinuxIntel-SLES-FP004.sh:
  fde1c4ce2f3fe7b4571f8bc8f0ffe64c47950bee1a1ea7636a8e9fd02346a201
1.5.2.4-ISS-PSL-LinuxS390-RHEL-FP004.sh:
  426cac4f8dcc2c53c043fd9f96f0bc195b5f8c52777554ac814aa6374c936df2
1.5.2.4-ISS-PSL-LinuxS390-SLES-FP004.sh:
  1b04775bca9f9869cc16cba240b9146bc2bcf2fa88232454f4f4327d65498d8f

Compare the downloaded archive against these values before running it
as root. Use the SHA256 value for the comparison; MD5 and SHA1 are
listed for compatibility only, since neither is collision resistant.

========================================================================
CONTACTING IBM SUPPORT
========================================================================

To Contact IBM Support Worldwide

Phone:
  Call IBM Support by selecting the phone number for your country from
  this location:

    http://www.ibm.com/planetwide

  When prompted for the type of support, select option 2 for Software
  Support. You will need to provide your IBM Customer Number (ICN).

Electronically:
  Go to https://www.ibm.com/support/servicerequest and open a new
  service request.

========================================================================
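The socket-buffer procedure under "ADDITIONAL INFORMATION" above, carried through as one script. This is an added example for this page, not code shipped with Proventia Server for Linux. It assumes the /proc/net/ip_queue status file of the ip_queue module of that era, whose last row is "Netlink dropped   : N" (the README calls this counter "netlink drops"); the sensor restart command is not shown because the README does not name it. The live part runs only when invoked as "sh tune_rmem.sh --apply" as root; the functions themselves work on ordinary files so they can be exercised without root.

```shell
#!/bin/sh
# Added example (not part of the IBM README): decide whether the
# net.core.rmem_* tuning is needed, choose a value by the README's rules
# (minimum 4194304, then 1 MB steps while drops continue) and persist it
# in an /etc/sysctl.conf-style file without accumulating duplicate lines.
# Assumption: /proc/net/ip_queue carries a "Netlink dropped   : N" row.

RMEM_MIN=4194304        # minimum recommended by the README
RMEM_STEP=1048576       # "increase it in 1 MB increments"

# netlink_drops FILE -> prints the Netlink dropped counter from an
# ip_queue status file, or 0 if the row is absent.
netlink_drops() {
    awk -F: '/^Netlink dropped/ { gsub(/[[:space:]]/, "", $2); n = $2 }
             END { print n + 0 }' "$1"
}

# recommend_rmem CURRENT DROPS -> prints the value to set:
#   below the minimum                  -> the minimum
#   at or above it and drops were seen -> current + 1 MB
#   otherwise                          -> current (nothing to change)
recommend_rmem() {
    cur=$1; drops=$2
    if [ "$cur" -lt "$RMEM_MIN" ]; then
        echo "$RMEM_MIN"
    elif [ "$drops" -gt 0 ]; then
        echo $((cur + RMEM_STEP))
    else
        echo "$cur"
    fi
}

# persist_sysctl FILE KEY VALUE -> writes "KEY = VALUE" into a
# sysctl.conf-style file, replacing an existing line for KEY instead of
# appending a second one, so repeated runs leave exactly one entry.
persist_sysctl() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^[[:space:]]*" k "[[:space:]]*=") {
            if (!done) { print k " = " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " = " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# tune_live: steps 1-3 of the README procedure against the running kernel.
# Step 4 (restart the sensor) is left to the operator.
tune_live() {
    drops=$(netlink_drops /proc/net/ip_queue)
    for key in net.core.rmem_max net.core.rmem_default; do
        cur=$(sysctl -n "$key")
        new=$(recommend_rmem "$cur" "$drops")
        echo "$key: current $cur, netlink drops $drops, target $new"
        [ "$new" -eq "$cur" ] && continue
        sysctl -w "$key=$new"
        persist_sysctl /etc/sysctl.conf "$key" "$new"
    done
    sysctl -n net.core.rmem_max net.core.rmem_default
    echo "restart the Proventia Server for Linux sensor to pick up the new buffer size"
}

case "${1:-}" in
    --apply)
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
        tune_live
        ;;
esac
```

Run it once after the fix pack is installed and again whenever the netlink drop counter has grown since the last run; each run raises both keys by one step and rewrites the existing /etc/sysctl.conf entries in place, which the README's "add the new values" step does not do on its own.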
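Checking a downloaded archive against the SHA256 values in "FILES INCLUDED IN THIS UPDATE" before the "sh ./..." step of "INSTALLATION INFORMATION", as an added example that is not part of the IBM README or the product. It reads the expected hash from a manifest written in the README's own "name: hash" layout (this README itself can serve as the manifest), ignoring the shorter MD5 and SHA1 values, and refuses to run an archive whose hash mismatches or that is not listed at all. The hypothetical invocation "sh verify_shar.sh --install ./FILE README.txt" is the only path that executes the archive, and it requires root; the file names in the test are the README's, the contents are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not part of the IBM README): verify a fix pack shar
# against the SHA256 values published in the README before running it
# as root. Manifest layout assumed: "<file name>: <hash>", where the
# hash may also sit on the line after the name, as in the README.

# expected_sha256 NAME MANIFEST -> prints the SHA256 listed for NAME
# (lower-cased), or nothing if NAME has no SHA256 entry. 32- and
# 40-digit MD5/SHA1 values in the same manifest are ignored.
expected_sha256() {
    awk -v want="$1" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /:$/) {
                    name = substr($i, 1, length($i) - 1)
                } else if (length($i) == 64 && $i ~ /^[0-9a-fA-F]+$/ && name != "") {
                    if (name == want) print tolower($i)
                    name = ""
                }
            }
        }' "$2"
}

# actual_sha256 FILE -> prints the file's SHA256 via sha256sum(1), or
# shasum(1) where coreutils is not installed.
actual_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print tolower($1) }'
    else
        shasum -a 256 "$1" | awk '{ print tolower($1) }'
    fi
}

# verify_fixpack FILE MANIFEST -> returns 0 only when FILE's SHA256
# equals its manifest entry; an unlisted file is treated as untrusted.
verify_fixpack() {
    file=$1; manifest=$2
    name=$(basename "$file")
    want=$(expected_sha256 "$name" "$manifest")
    if [ -z "$want" ]; then
        echo "$name: no SHA256 entry in $manifest; not running it" >&2
        return 1
    fi
    have=$(actual_sha256 "$file")
    if [ "$have" != "$want" ]; then
        echo "$name: SHA256 mismatch (expected $want, got $have)" >&2
        return 1
    fi
    echo "$name: SHA256 OK"
}

# install_fixpack FILE MANIFEST: the README's "sh ./<shar>" step, gated
# on a successful verification and on running as root.
install_fixpack() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    verify_fixpack "$1" "$2" || return 1
    sh "$1"
}

case "${1:-}" in
    --install) install_fixpack "$2" "$3" ;;
esac
```

The manifest parser keys on the 64-hex-digit length of a SHA256 value, so handing it the whole README works even though the MD5 and SHA1 sections list the same file names; the 32- and 40-digit values never satisfy the length check and cannot be confused with a SHA256 entry.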