To trigger a Host Intrusion Prevention (Host IPS) signature for Linux for testing purposes:
- Open a terminal window.
- To enable Host IPS signature violation events locally on the system, run the following commands.
NOTE: These commands can be run together on one line (separated by a semicolon) or one at a time. In either case, the terminal prompts you for the Host IPS UI password twice (once for each hipts command). Each command must be prefixed with bash as shown, or you must change directory to /opt/McAfee/hip and run ./hipts <command> from there.
bash /opt/McAfee/hip/hipts logging on
bash /opt/McAfee/hip/hipts message VIOLATIONS:on
bash /opt/McAfee/hip/hipts logging on; bash /opt/McAfee/hip/hipts message VIOLATIONS:on
- To verify that VIOLATIONS is ON, run the following command.
bash /opt/McAfee/hip/hipts status
The output is as follows:
Logging is ON
Message types logged (when Logging is ON):
ERROR ON
WARNING OFF
DEBUG OFF
INFO OFF
VIOLATIONS ON
- Open a new terminal window and run the following command:
tail -f /opt/McAfee/hip/log/HipShield.log
- Open a new terminal window and run the following command:
vi /opt/McAfee/hip/log/HipShield.log
- Signature 1051 (Linux Agent Shielding - File Mod) should trigger in the terminal window running tail -f, as shown in the Example below. Opening the log in vi trips it because vi creates its swap file (.HipShield.log.swp) in the protected /opt/McAfee/hip/log directory; the log itself is not modified as long as you quit without saving.
NOTE: This signature is logged in the HipShield.log, regardless of the signature's logging status. The logging status enables Host IPS to generate an ePolicy Orchestrator (ePO) event for the signature violation. Signature 1051 Logging is disabled by default.
Example:
04-22 14:44:30 VIOLATION: [9] ------- Violation ---- Size 664 ----
<Event> <!-- Level=High, Reaction=Prevent -->
<EventData
SignatureID="1051"
SignatureName="Linux Agent Shielding - File Mod"
SeverityLevel="4"
Reaction="2"
ProcessUserName="root"
Process="/bin/vi"
IncidentTime="2010-04-22 14:44:26"
AllowEx="True"
SigRuleClass="UNIX_file"
ProcessId="9906"
Session=""
SigRuleDirective="write"/>
<Params>
<Param name="process chain">/sbin/init</Param>
<Param name="process chain">/usr/bin/gnome-terminal</Param>
<Param name="process chain">/bin/bash</Param>
<Param name="process chain">/bin/vi</Param>
<Param name="files">/opt/McAfee/hip/log/.HipShield.log.swp</Param>
</Params>
</Event>
------------------------------
- To leave vi without writing to the log, enter :q! (quit without saving), or simply close that terminal window.
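The procedure above wrapped in a script, as an added example that is not McAfee's own code. It assumes the default install path /opt/McAfee/hip, that hipts status and HipShield.log print in the formats shown on this page, that vi is still run interactively (you exit it with :q!), and a hypothetical two-second wait for the event to be flushed. SAMPLE_LOG is a constructed copy of the page's example event used for offline checking of the parsers.

```shell
#!/bin/sh
# Added example: script the Host IPS signature 1051 test. Not McAfee code.
# Assumptions: default paths below, hipts/HipShield.log formats as on this page.
HIPTS=${HIPTS:-/opt/McAfee/hip/hipts}
HIP_LOG=${HIP_LOG:-/opt/McAfee/hip/log/HipShield.log}

# Read `hipts status` output on stdin; succeed only when logging is ON and the
# VIOLATIONS message type is ON (both are needed for events to reach the log).
hipts_violations_on() {
    status=$(cat)
    printf '%s\n' "$status" | grep -q '^Logging is ON' &&
    printf '%s\n' "$status" | grep -q '^[[:space:]]*VIOLATIONS[[:space:]]*ON[[:space:]]*$'
}

# Read HipShield.log text on stdin; print the SignatureID of every violation event.
violation_sig_ids() {
    sed -n 's/.*SignatureID="\([0-9][0-9]*\)".*/\1/p'
}

# Read HipShield.log text on stdin; print "SignatureID<TAB>Process<TAB>files" per event.
# The "------- Violation ----" header and the dashed footer delimit one event.
violation_summary() {
    awk '
        /------- Violation ----/ { sig=""; proc=""; files=""; next }
        /SignatureID="/ { sub(/.*SignatureID="/, ""); sub(/".*/, ""); sig=$0; next }
        /^[[:space:]]*Process="/ { sub(/.*Process="/, ""); sub(/".*/, ""); proc=$0; next }
        /<Param name="files">/ {
            sub(/.*<Param name="files">/, ""); sub(/<\/Param>.*/, "")
            files = files (files == "" ? "" : ";") $0; next
        }
        /^-+$/ && sig != "" { print sig "\t" proc "\t" files; sig="" }
    '
}

# Constructed sample: the event shown on this page, for offline checks of the parsers.
SAMPLE_LOG='04-22 14:44:30 VIOLATION: [9] ------- Violation ---- Size 664 ----
<Event> <!-- Level=High, Reaction=Prevent -->
<EventData
SignatureID="1051"
SignatureName="Linux Agent Shielding - File Mod"
SeverityLevel="4"
Reaction="2"
ProcessUserName="root"
Process="/bin/vi"
ProcessId="9906"
SigRuleDirective="write"/>
<Params>
<Param name="process chain">/bin/vi</Param>
<Param name="files">/opt/McAfee/hip/log/.HipShield.log.swp</Param>
</Params>
</Event>
------------------------------'

# Enable violation logging, verify it, trigger signature 1051 with vi, and check
# only the log lines written after the trigger. Returns 0 when 1051 was seen.
run_sig1051_test() {
    "$HIPTS" logging on             # prompts for the Host IPS UI password
    "$HIPTS" message VIOLATIONS:on  # prompts again
    "$HIPTS" status | hipts_violations_on || {
        echo "VIOLATIONS logging is not on; aborting" >&2
        return 1
    }
    before=$(wc -l < "$HIP_LOG")
    echo "Opening vi on $HIP_LOG; exit with :q! so the log is not written"
    vi "$HIP_LOG" || true           # vi's .swp in the log directory is the blocked write
    sleep 2                         # assumed: allow HipShield to flush the event
    if tail -n +"$((before + 1))" "$HIP_LOG" | violation_sig_ids | grep -qx 1051; then
        echo "Signature 1051 triggered:"
        tail -n +"$((before + 1))" "$HIP_LOG" | violation_summary
        return 0
    fi
    echo "Signature 1051 did not trigger" >&2
    return 1
}

# Run the live test only when invoked with "run"; otherwise just define the helpers.
if [ "${1:-}" = run ]; then
    run_sig1051_test
fi
```

Run it as root with `sh hip_sig1051_test.sh run`; the hipts calls prompt for the UI password exactly as in the manual steps. Checking only the lines appended after the trigger avoids false positives from older 1051 events already in the log.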