Thursday, November 05, 2009

Websense on CentOS 5

Websense is the current bane of my IT existence. The configuration of it, once it is installed, is not too difficult. However, I've had the following issues:

1. Could not get Windows AD integration working in version 7.1 under Windows 2008 (32-bit) or CentOS 5. I know CentOS 5 is not supported...but try getting an all-Windows shop to pay for RHEL when Windows is free. I refuse to run production software on Windows if possible; it's come a long way....but it's still NOT a server platform as far as I'm concerned.

2. I was able to get Websense 6.3.3 with Windows AD integration working under CentOS 5. It installed relatively easily. I've installed, configured, and tested the following components with no issue under CentOS 5:
  • Policy Server
  • User Service
  • Filter Agent
  • Product Integration (Checkpoint FW...the other bane of my IT existence)
3. DC Agent install is not available for Linux under 6.3.3. This was something I missed, since I thought the last .3 meant minor revision...not removing a feature completely. So, I had a Windows 2003 server set up and installed the DC Agent on it. Still could not get per-user policies working. This was due to the fact that the dc_config.txt was not being created. This was solved with Websense KB 3329, editing the transid.ini file. But this was the last bit in a long line of Websense failures...poor programming?

That said, the one component that I had serious trouble installing was the Logserver and ExplorerUI. This is due to the installation program using LD_LIBRARY_PATH, specifically it set LD_LIBRARY_PATH=${Logserver Install dir/lib} & LD_ASSUME_KERNEL="2.4.1". This prevented it from finding any of the standard shared libs, causing the following error:

./logserverd-dbsetup: error while loading shared libraries: libdl.so.2: cannot open shared object file: No such file or directory

At this point you have the logserver installed, but not running. So I did the following:
  1. echo "/opt/Websense/UnixExplorer/logserverd/lib" >> /etc/ld.so.conf.d/websense-ux.conf
  2. ldconfig -v
  3. cd /opt/Websense/UnixExplorer/logserverd/bin/
  4. ./logserverd-dbsetup.bin -sa
  5. ./logserverd.bin &
I basically avoid the wrapper scripts and run the commands without setting the offending environment variables. I have added the Websense shared libraries to the system-wide ld.so.conf, which could be an issue for some sites, but this is a dedicated Websense box so I don't have any issues with that. However, I believe that if you simply remove the LD_ASSUME_KERNEL line from the wrapper scripts and run them, you should be fine.
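
Because every dynamically linked program on the box will now search the directory added in step 1, that directory should be owned by root and not writable by anyone else. The check below is an added example, not part of the original post or of Websense's tooling; the function name `audit_ld_dirs` and the scratch tree in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit directories placed on the system-wide linker path.
# audit_ld_dirs [CONF_DIR] [OWNER_UID]
#   For each absolute directory listed in CONF_DIR/*.conf (default
#   /etc/ld.so.conf.d) print "FLAG <reason> <dir>" if it is missing, not
#   owned by OWNER_UID (default 0 = root), or group/world-writable.
#   Returns 1 if anything was flagged, 0 otherwise.
audit_ld_dirs() {
    conf_dir=${1:-/etc/ld.so.conf.d}
    want_uid=${2:-0}
    flagged=0
    for conf in "$conf_dir"/*.conf; do
        [ -f "$conf" ] || continue
        while IFS= read -r dir; do
            case $dir in
                /*) ;;           # absolute path: a library directory
                *) continue ;;   # blank line, comment or include directive
            esac
            if [ ! -d "$dir" ]; then
                echo "FLAG missing $dir"; flagged=1; continue
            fi
            # ls -ldn: field 1 is the mode string, field 3 the numeric owner
            info=$(ls -ldn "$dir" | awk '{print $1 " " $3}')
            mode=${info%% *}
            uid=${info##* }
            if [ "$uid" != "$want_uid" ]; then
                echo "FLAG owner-uid-$uid $dir"; flagged=1
            fi
            # characters 6 and 9 of the mode string are group and other write
            if [ "$(printf '%s\n' "$mode" | cut -c6)" = w ] ||
               [ "$(printf '%s\n' "$mode" | cut -c9)" = w ]; then
                echo "FLAG group-or-world-writable $dir"; flagged=1
            fi
        done < "$conf"
    done
    return "$flagged"
}

# Constructed demo: a scratch tree standing in for /etc/ld.so.conf.d
demo=$(mktemp -d)
mkdir -p "$demo/conf.d" "$demo/good/lib" "$demo/bad/lib"
chmod 755 "$demo/good/lib"; chmod 777 "$demo/bad/lib"
printf '%s\n' "$demo/good/lib" "$demo/bad/lib" > "$demo/conf.d/websense-ux.conf"
audit_ld_dirs "$demo/conf.d" "$(id -u)" || echo "review the flagged directories"
rm -rf "$demo"
```

On the real system, run `audit_ld_dirs` with no arguments as root after step 2.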

The key to the manual set-up I used is the -sa switch, which builds the database. If you don't use it, logging will work, but when you pull up a report you will notice some information is unavailable (disposition, date/time, etc.).

You will then need to re-run the installation script to install the ExplorerUI, since the ExplorerUI won't install after the logserver installation fails.

For clean-up you will need to edit the scripts so that your service startup scripts work after reboot.

Thursday, October 08, 2009

SecurID my CentOS 5

I ran into an issue recently installing SecurID authentication on a CentOS 5 server...so I decided to document how I got it working.

The Pre-Requisites:
  • OS CentOS 5
  • RSA Authentication Agent for PAM 6.0
  • RSA Agent Host record configured

First, we make the VAR_ACE directory:

Centos # mkdir /var/ace
Centos # chown root:root /var/ace
Centos # chmod 700 /var/ace

Next we create the install directory under /opt (optional):

Centos # mkdir /opt/ace
Centos # chown root:root /opt/ace

Now we install the Authentication Agent:

Centos # VAR_ACE=/var/ace; export VAR_ACE
Centos # tar xf AuthenticationAgent_60_PAM_95_060308.tar
Centos # ./install.sh

Follow the prompts, answering as necessary. At this point you should run a quick test to ensure SecurID is installed and working:

Centos # /opt/ace/pam/bin/acetest
Enter USERNAME:
Enter PASSCODE:
Authentication successful.
Centos #

Now we need to configure sshd to use SecurID:

Centos # vi /etc/pam.d/sshd

We comment out the first line:
#auth include system-auth

And add the following line:
auth required pam_securid.so


At this point, if you attempt to ssh in to the system you will NOT be able to. Looking at the logs you should see something like:

Oct 8 12:36:28 centos sshd[26923]: PAM [error: /lib/security/pam_securid.so: cannot restore segment prot after reloc: Permission denied]
Oct 8 12:36:28 centos sshd[26923]: PAM adding faulty module: /lib/security/pam_securid.so

A quick Google search will show you that this is due to SELinux running in enforcing mode. Now there are two options:

1) Put SELinux into permissive mode, which switches off enforcement for the whole system until the next reboot: /usr/sbin/setenforce 0

2) Give the PAM module the proper SELinux file context

Centos # ls --scontext /lib/security/pam_securid.so
system_u:object_r:lib_t /lib/security/pam_securid.so

To work properly, the pam_securid module needs permission to perform text relocation. To grant it, we label the file with the type that allows text relocation:

Centos # chcon -t textrel_shlib_t /lib/security/pam_securid.so
Centos # ls --scontext /lib/security/pam_securid.so
system_u:object_r:textrel_shlib_t /lib/security/pam_securid.so

Once that is done, you should be up and running with SecurID for SSH access.
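
The diagnosis and fix above, generalised as an added example (not from the original post or from RSA): it pulls the blocked module paths out of sshd log lines, checks a context string, and prints labelling commands. It uses `semanage fcontext` plus `restorecon` rather than a bare `chcon`, so the label survives a filesystem relabel; the function names and sample log lines are constructed.

```shell
#!/bin/sh
# Added example: find PAM modules blocked by an SELinux text-relocation
# denial and print the commands that label them persistently.

# textrel_denied_modules: read syslog lines on stdin and print, once each,
# every shared object that failed to load with the relocation error.
textrel_denied_modules() {
    sed -n 's|.*PAM \[error: \(/[^:]*\): cannot restore segment prot after reloc: Permission denied.*|\1|p' | sort -u
}

# needs_textrel_label CONTEXT: succeed if the type field (third ':' field
# of user:role:type[:level]) is anything other than textrel_shlib_t.
needs_textrel_label() {
    [ "$(printf '%s\n' "$1" | cut -d: -f3)" != textrel_shlib_t ]
}

# relabel_plan: for each module path on stdin, print the commands that
# record textrel_shlib_t in local policy and then apply it to the file.
relabel_plan() {
    while IFS= read -r so; do
        [ -n "$so" ] || continue
        printf "semanage fcontext -a -t textrel_shlib_t '%s'\n" "$so"
        printf "restorecon -v '%s'\n" "$so"
    done
}

# Constructed sample, modelled on the log lines quoted above
sample_log='Oct 8 12:36:28 centos sshd[26923]: PAM [error: /lib/security/pam_securid.so: cannot restore segment prot after reloc: Permission denied]
Oct 8 12:36:28 centos sshd[26923]: PAM adding faulty module: /lib/security/pam_securid.so
Oct 8 12:41:02 centos sshd[27011]: PAM [error: /lib/security/pam_securid.so: cannot restore segment prot after reloc: Permission denied]'

# Print the plan for review; nothing is changed on the system
printf '%s\n' "$sample_log" | textrel_denied_modules | relabel_plan
```

Feed it the real log with `textrel_denied_modules < /var/log/secure | relabel_plan` and review the printed commands before running them as root.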