How to deploy WZSysGuard
As with some other security related software you may have, WZSysGuard's implementation needs some good planning work. A very important thing with WZSysGuard is you need to let us know who is the person in your security department that will receive the secret 32-Character license keyID when you buy WZSysGuard license, including this person's company email address. This person must not be a person who does system administration work. This keyID has to be kept secretly and safely, not be known to anyone other than security officers who safeguard the keyID.
This keyID is needed when first setup the WZSysGuard administration password, and when that password needs to be reset after forgotten. And, it's not needed in normal operation.
The person who is going to receive the secret license keyID needs to have GPG or PGP setup, and search our GPG key with name email@example.com from key server on the internet, email us the public key of the GPG, and we will use GPG to encrypt the 32 bytes keyID and send it to the person.
Your organization should use a Linux or Solaris/X86 machine with 2 DVD drives for hosting the WZSysGuard software no matter which UNIX flavor the target machine runs.
Initially, the WZSysGuard package should be installed on the target box and also the wzshRUN package (as you use wzpkg format packaging, you must also install wzpkgadm to manage the software on the system):
# cd /var/tmp
# /usr/bin/tar cvf /tmp/wzsgTargetServer.tar /usr/local/lib/wzsg
# rm -rf /usr/local/lib/wzsg/*
and move the /tmp/wzsgTargetServer.tar to the Linux or Solaris/X86 box, after that, on the X86 box, do
# cd /
# tar xvf /tmp/wzsgTargetServer.tar
# cd /usr/local/lib/
# mv wzsg wzsg.TargetServer
Then NFS export /usr/local/lib/wzsg.TargetServer readonly to world or target platform. And on the target machine, the filesystem has to be mounted to /usr/local/lib/wzsg/
Once the above is done, the system administrator for the target machine now needs to install the WZSysGuard license into /etc/WZSysGuard.lic file, after that, the file should look similar like this:
# cat /etc/WZSysGuard.lic
And also install the wzshRUN license into /etc/wzshRUN.lic.
And then the security officer needs to set up the WZSysGuard administration password by running:
# /usr/local/bin/wzappkey -p WZSysGuard
When no previous password is there, the command will ask for the 32-Character keyID which is also called Hex Key. And very important, both keyID and the WZSysGuard administration password must not be known to any system administrator.
When this is ready, the security officer should confirm the machine is clean, and then start to generate the registry files:
This command will ask for the WZSysGuard administration password for generating the registries and you will also be prompted to provide a checksum protection password, used for each registry file's checksum file.
And after all classes' registry files generated, set up jobs to run scan for each of the classes (except the prof which is for security trap detection, and has a web based interface to run by administrators before log on to the system).
For how to set up the jobs and what's the consideration, please refer to the WZSysGuard User Guide.
As WZSysGuard only scans for files on local filesystems, you must turn off automount service on the machine, and only allow to mount remote filesystem when that is from a machine which is also under WZSysGuard's protection.
During the first few weeks, securify officer should check to see what are the files that quite often get changed, are they device files? If they are device files, and the change is quite often and not very security sensitive, then you can probably consider to exclude these devices. This is the initial tuning need be done.
When device file related tuning has been done, then you can go to the X86 box, create a filesystem image to contain all the files/sub-directories under /usr/local/lib/wzsg.TargetServer, and put the image together with WZSysGuard for other servers' filesystem images to an iso image file or burn to CD/DVD. And then on the X86 box, mount the iso image or CD/DVD on the machine, and then mount the fs image using loop device to /usr/local/lib/wzsg.TargetServer.
After this, no one can change any part of the software.
If you need the seurity trap detection and trap triggering prevention functions, you need also install our CaclMgr software and license, plus the wzsgWEB module. Please refer to "How to setup and use security trap detection and verification web interface for WZSysGuard" for more details.