TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
All of this is wrong. I am not positive what the doc says, but simply
stopping and starting the engine does not relinquish master console status.
ONLY the master Console can stop and start an engine, and maybe that's what
you are thinking of.
Also if it were true that "Anything that breaks that authenticated
connection will relinquish the MC status" then an intruder w/ a hacked
license key could simply force a tear down of the console-engine
communication, and then connect to that engine himself (only under certain
circumstances - Meaning authentication is turned off) and gain master console
status. This would be a HUGE security hole.
It may be helpful to understand how Master Console Status is decided.
First, it is decided by the Daemon. Don't let this mislead you. Someone
has to assign themselves Master Console status to begin with, and once you
are Master you can push policies, change MC status, etc. It will become
clearer in a second...
The issDaemon, which is what a console establishes a connection to the
sensor through, reads the file issDaemon.policy. Inside this file there is
a line which designates which console is the Master Console. If there is an
entry into this field (IOW, MC has been assigned to someone) then the Daemon
will not let any changes be done by anyone other than the MC. If the
Daemon/engine is stopped and started, sure, the communication between the
console and engine is cut off, BUT when that issDaemon restarts guess what?
It reads that issDaemon.policy file, and as stated previously, it reads
which machine has MC status. THAT information is NOT changed by stopping
and starting an engine. The same goes for disrupting communications between
the engine and console.
The status is read from that file, and that file does NOT change unless:
1) The Master Console forces the issDaemon to WRITE to that part of the
file, when the MC relinquishes Master Status
2) There is no master console status and someone (console) else connects to
that engine and takes MC status
3) You edit by hand the issDaemon.policy file.
That's it. If there is a machine that is assigned MC status and that
machine no longer exists for whatever reason, just edit out that machine
name from the master_console line in the issDaemon.policy and save it. I
cannot remember offhand if you need to stop & start the Daemon to force a
re-read of this file if you change it by hand, but I don't *think* so. I
think that it re-reads the file every time a new console tries to connect to
it. I'm just not 100% sure off of the top of my head.
Hope this helps clear things up!
Alex F
[EMAIL PROTECTED]
P.S. - If this contradicts what the doc says, please let us know *where* in
the doc it states that and we will mark that as a bug and get it fixed.
Thanks.
-----Original Message-----
From: Michael Wilson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 24, 2000 4:25 PM
To: Norton.Stephen
Cc: [EMAIL PROTECTED]
Subject: RE: Changing Master Console Monitor
Stephen,
That's what I thought, and what the documentation says. However,
when we tried this, it didn't work. Very confusing; the network sensor
insisted that it was still under the control of a non-existent machine.
-Mike Wilson
-Sr. Security Specialist
-UNIFIED Technologies
-Troy, NY
On Thu, 24 Aug 2000, Norton.Stephen wrote:
> Stopping and restarting the network engines will also relinquish Master
> Console status. The console is authenticated to the sensor through a secure
> channel. Anything that breaks that authenticated connection will relinquish
> the MC status.
>
>
> Stephen P. Norton
> Franchise Tax Board
> [EMAIL PROTECTED]
>
>
> -----Original Message-----
> From: Michael Wilson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 24, 2000 12:26 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Changing Master Console Monitor
>
>
>
>
>
> More interesting to me is the question of how you fix things if,
> for example, you have a master console assigned, but then that machine
> goes away for whatever reason, without backups. If you can't go and
> relinquish properly, then what? I imagine that this is the situation
> under discussion - otherwise he probably would have already tried to
> release it.
> I've got a situation like this at a customer site. In this case,
> it's immaterial, since we're doing a complete reinstall of the probes
> for other reasons anyway, but I'm curious to know how to make a probe
> release its master without having the master available to make the
> request.
>
> -Mike Wilson
> -Sr. Security Specialist
> -UNIFIED Technologies
> -Troy, NY
>
> On Thu, 24 Aug 2000, Norton.Stephen wrote:
>
> >
> >
> > The message indicates another console ('hostname') has obtained Master
> > Controller status. This is granted by the sensors on a first-come,
> > first-served basis. If you want your console to be the designated Master
> > Controller, you will need to go to the 'hostname' console and relinquish the
> > Master Controller status, then go back to your console and re-add the
> > network engine. If you are only monitoring the engine, and not making any
> > configuration changes, you shouldn't need Master Controller status.
> >
> >
> > Stephen P. Norton
> > Franchise Tax Board
> > [EMAIL PROTECTED]
>