Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1053
Views
0
Helpful
0
Comments

How to prevent users from disabling, changing or uninstalling the CSA agent

TCC_2
Level 10
Level 10

‎06-22-2009 05:12 PM - edited ‎03-08-2019 06:24 PM

Resolution

The Agent Service Control (ACS) rule can control whether administrators are allowed to stop agent security. This is through a net stop command on Microsoft Windows or through /etc/init.d/ciscosec stop on UNIX, and end users can disable security through the agent UI security slide bar. If you stop the agent security, this disables all rules until security is manually resumed or the system is rebooted.

If you use this rule in order to deny agent service stops, the agent service cannot be stopped on the system in question and therefore agents cannot be uninstalled.

Complete these steps in order to add these rules to your module:

  1. Choose Add Rule at the bottom of the rule list. A pop-up list of the available rule types appears.

  2. Choose the Agent Service Control Rule. This takes you to the configuration view for this rule type.

  3. In the Agent Service Control rule configuration view, enter this information:

    • Description—Enter a description of this rule. This description appears in the list view for the module. Optionally, expand the +Detailed field in order to enter a longer description.
    • Enabled—Use this checkbox in order to enable this rule within the module. It is enabled by default. If you do not select this checkbox, you can save this rule, but it is not active in the module and it is not distributed to groups.
  4. Complete this action and note that not all action types are available for this rule on Windows platforms.

    Select an action type from the pulldown list. Refer to the Rules: Action Options and Precedence section of Rule Module Configuration for more information on rule action types.

  5. And,
    • Log—Enable this checkbox in order to turn logging on for this rule. Generally, you want to turn logging on for all deny rules. This means that the denied system action in question is logged and sent to the server at regular time intervals.
    • Take precedence over other rules—Enable this checkbox in order to manipulate rule precedence so that this rule is evaluated before other similar rules. You should generally not require this checkbox. Do not use it without the comprehension of how it works. Refer to the Rules: Manipulating Precedence section of Rule Module Configuration for more information.

  6. When
    • Applications in any of these selected classes

      Choose one or more preconfigured application classes. Note that the entry is selected by default. You can use this default or you can unselect it and create your own application classes. Refer to Using Application Classes for more information and application class configuration details.

      Note:       On UNIX systems, anyone with root access can stop the agent service. IN order to prevent this, while you still allow administrators to stop the agent service, you need to configure an Agent Service Control rule in order to Deny from stopping the service. Then configure another Agent Service Control rule which Allows only a UNIX Secured Management application class to stop the service.

      But not in the following class—Optionally, select application classes here in order to exclude from the application class(es) that you have selected in the included applications field. Note that the entry is selected by default.
    • Attempt to disable agent security

      This checkbox controls whether users with administrator privileges can stop the agent service from the Service Control Manager or if thenet stop "Cisco Security Agent" is run from a command prompt on Windows or through /etc/init.d/ciscosec stop on UNIX.

      Note This also controls whether the Off setting on the agent security level slidebar allows the end user to turn agent security off. If you do not allow the stopping of the agent service, the Off level, if available, is ineffective. Refer to the Agent UI Control section of Available Rule Types for more information.
    • Attempt to modify local agent configuration

      The Cisco Security Agent has built-in global security policies, which protect agent binaries and data. Note that this protection is only offered when the agent service is running and is not stopped or in Test Mode. While you cannot turn these non-logged, built-in rules off while the agent is active, you can use this rule in order to monitor, terminate, or tag a process that attempts to modify the agent configuration.
  7. Choose Save.

Refer to Available Rule Types for more information and additional rules in order to control a different set of system resources.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents