Troubleshooting Guide
Version 2.0
Internet Security Systems, Inc.
6303 Barfield Road
Atlanta, Georgia 30328-4233
United States
(404) 236-2600
http://www.iss.net
© Internet Security Systems, Inc. 1994-2003. All rights reserved worldwide. Customers may make reasonable numbers of copies
of this publication for internal use only. This publication may not otherwise be copied or reproduced, in whole or in part, by any
other person or entity without the express prior written consent of Internet Security Systems, Inc.
Internet Security Systems, the Internet Security Systems logo, The Power To Protect, X-Force, ADDME, Internet Scanner, System
Scanner, Database Scanner, ActiveAlert, X-Press Update, FlexCheck, SecurePartner, SecureU, Secure Steps, SiteProtector, and
RealSecure are trademarks and service marks, and SAFEsuite a registered trademark, of Internet Security Systems, Inc.
Network ICE, ICEpac, and ICEcap are trademarks, and BlackICE is a licensed trademark, of Network ICE Corporation, a
wholly owned subsidiary of Internet Security Systems, Inc. SilentRunner is a registered trademark of Raytheon Company.
Acrobat and Adobe are registered trademarks of Adobe Systems Incorporated. Certicom is a trademark and Security Builder is
a registered trademark of Certicom Corp. Check Point, FireWall-1, OPSEC, Provider-1, and VPN-1 are registered trademarks of
Check Point Software Technologies Ltd. or its affiliates. Cisco and Cisco IOS are registered trademarks of Cisco Systems, Inc.
HP-UX and OpenView are registered trademarks of Hewlett-Packard Company. IBM and AIX are registered trademarks of IBM
Corporation. Intel and Pentium are registered trademarks of Intel. Lucent is a trademark of Lucent Technologies, Inc. ActiveX,
Microsoft, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation. Net8, Oracle,
Oracle8, SQL*Loader, and SQL*Plus are trademarks or registered trademarks of Oracle Corporation. Seagate Crystal Reports,
Seagate Info, Seagate, Seagate Software, and the Seagate logo are trademarks or registered trademarks of Seagate Software
Holdings, Inc. and/or Seagate Technology, Inc. Secure Shell and SSH are trademarks or registered trademarks of SSH
Communications Security. iplanet, Sun, Sun Microsystems, the Sun Logo, Netra, SHIELD, Solaris, SPARC, and UltraSPARC are
trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All SPARC trademarks
are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other
countries. Adaptive Server, SQL, SQL Server, and Sybase are trademarks of Sybase, Inc., its affiliates and licensers. Tivoli is a
registered trademark of Tivoli Systems Inc. UNIX is a registered trademark in the United States and other countries, licensed
exclusively through X/Open Company, Ltd. All other trademarks are the property of their respective owners and are used here
in an editorial context without intent of infringement. Specifications are subject to change without notice.
Disclaimer: The information contained in this document may change without notice, and may have been altered or changed if
you have received it from a source other than ISS or the X-Force. Use of this information constitutes acceptance for use in an
“AS IS” condition, without warranties of any kind, and any use of this information is at the user’s own risk. ISS and the X-Force
disclaim all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular
purpose. In no event shall ISS or the X-Force be liable for any damages whatsoever, including direct, indirect, incidental,
consequential or special damages, arising from the use or dissemination hereof, even if ISS or the X-Force has been advised of
the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental
damages, so the foregoing limitation may not apply.
Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Internet Security Systems,
Inc. The views and opinions of authors expressed herein do not necessarily state or reflect those of Internet Security Systems,
Inc., and shall not be used for advertising or product endorsement purposes.
Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet
prevents Internet Security Systems from guaranteeing the content or existence of the resource. When possible, the reference
contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a broken or
inappropriate link, please send an email with the topic name, link, and its behavior to support@iss.net.
January 2003
Contents
Why Should I Read This Manual?
Overview
How to use RealSecure SiteProtector Documentation
Index
Why Should I Read This Manual?
Overview
Introduction
This manual describes the diagnostic capabilities of SiteProtector. The diagnostic
capabilities are provided by the Sensor Controller Diagnostics console and the debug logs
for each component. The Sensor Controller Diagnostics console uses the log files
generated by the SiteProtector components.
Scope
The following table lists and describes the purpose of each chapter in this manual:
Chapter | Purpose
Chapter 2: Log File Diagnostics | Explains the options for setting up the Sensor Controller Diagnostics console and how to activate run-time debugging for the RealSecure sensor controller and the RealSecure application server
Audience
This Guide is for network or security administrators or any other individuals responsible
for installing SiteProtector and managing network security.
If you do not already have these products installed, you can install them after you have
installed SiteProtector. The installation and user guides for the products are either in the
SiteProtector box and on the SiteProtector CD, or available for download as .pdf files
from ISS’ Web site at http://www.iss.net/customer_care/resource_center/online_doc.
Document | Description
RealSecure Server Sensor Installation Guide | Provides information about installing RealSecure server sensors.
RealSecure Network Sensor Policy Guide | Discusses policies available for RealSecure network sensors.
RealSecure Server Sensor Policy Guide | Discusses policies available for RealSecure server sensors.
Internet Scanner Installation Guide | Provides installation procedures and information for the Internet Scanner application.
Internet Scanner User Guide | Explains how to configure and use the Internet Scanner application to detect security vulnerabilities on your network.
Chapter 1
Overview
Introduction
This chapter provides descriptions and solutions for some of the issues you may
encounter when working with SiteProtector. If the solutions provided in this chapter do
not address your issue, contact ISS Technical Support at support@iss.net or (1) (888)
447-4861.
Topic
Installation/Uninstallation Issues
Operational Issues
Chapter 1: Solutions to Common Issues
Reference: For a detailed list of issues that SiteProtector customers have reported, see the
ISS Knowledgebase: http://iss.custhelp.com/cgi-bin/iss/login
SiteProtector issues an error message when you attempt to download logs on a network
sensor that is running on a Unix operating system. The error message also appears for
server sensors running on various operating systems.
1. Access the iss.access file in the issDaemon folder, and then modify the following
section in the file:
Note: The following text is only an example. The path on your computer may be
slightly different.
Before [\Paths\opt\ISS\issSensors\network_sensor_1\Logs\];
Edit ACL1 =S Role=Default FilePerms=RD
DirPerms=R;
Issue #2 Why do I get an “Out of Memory” error when I try to edit the global application list?
Description: If you import an application list with more than 8000-10000 entries into the
global application list or a policy, then an out of memory error can appear when you
attempt to edit the global application list.
Common Questions and Issues
Description: Using Named Instances within SQL Server 2000 can cause some updates to
fail if you are running a Custom Installation of SiteProtector. (Policy updates for Internet
Scanner, network sensor, and server sensor are most susceptible to this type of failure.)
When this happens, SiteProtector produces error messages, which state that the database
could not be reached or that the login failed.
1. On the Application Server computer, open the Control Panel, and then double-click
Administrative Tools → Data Sources (ODBC).
The ODBC Data Source Administrator window opens.
2. Select the System DSN tab.
3. Click Add.
The Create New Data Source window opens.
4. Select SQL Server, and then click Finish.
The Create a New Data Source to SQL Server window opens.
5. In the Name field, type the following:
SiteProtectorAppServer
6. In the Server field, type your DNS Server name and instance using the following
format:
DBSERVER\InstanceName
7. Click Next.
8. Select With SQL Server authentication using a login ID and password entered by
user.
9. Type your user name in the Login ID field, and then type your password in the
Password field.
10. Click Next.
11. Select the Change Default Database to: check box, and then select RealSecureDB
from the drop down list.
12. Click Next, and then click Finish.
13. Click Test Connection to verify that the selected DSN works.
14. Click OK to complete the procedure.
Issue #4 How do I retrieve vulnerability information from a Deployment Manager that is located
outside my site?
Description: You can change the location from which the SiteProtector Console retrieves
vulnerability information by editing the Console preferences.
Issue #5 Why won’t my network and/or server sensor communicate with SiteProtector?
Description: Although there can be many reasons for this, it may be due to the fact that
network sensor 6.0/6.5 and server sensor 6.0/6.0.1/6.5 will not communicate with
SiteProtector if any of the SiteProtector Databridge sensors/scanners are installed. The
event log creates the following message when attempting to communicate with these
sensors:
Solution: To avoid this issue, install network sensor 6.0/6.5 and server sensor 6.0/6.0.1/6.5
before you install Internet Scanner Databridge, ICEcap Databridge, or System Scanner
Databridge.
Solution: The Desktop Controller password utility allows you to create a new password if
the original password is accidentally changed or deleted, or if your company policy
requires you to change your passwords periodically.
1. Double-click DCLogin.exe.
DCLogin.exe resides on the computer where your Desktop Controller is installed,
and it is usually in the following location: C:\Program Files\ISS\RealSecure
SiteProtector\Desktop Controller
2. Type the login name into the Login box.
Note: This field already contains the current login name for the Desktop Controller. If
you don't plan to change the login name with the password, you can leave this field as
is.
3. Type the password into the Password box.
4. Type the password again into the Confirm box.
5. Click Save.
6. In the Site Manager, stop, and then restart the Desktop Controller.
Issue #7 Why won’t my Application Server Service and/or my Sensor Controller Service start?
Solution: The Application Server password utility allows you to create a new password if
the original password is accidentally changed or deleted, or if your company policy
requires you to change your passwords periodically.
To change the password for your Sensor Controller and Application Server:
Issue #8 Why can’t I see my Desktop Protection agent in the SiteProtector Console?
Description: On the target computer (the computer where your Desktop Protector agent is
installed), verify that the executable, blackd.exe, is running. You can verify this under the
Processes tab in Windows Task Manager. If this process is not listed, you may need to limit
the final subdirectory in your Desktop Protection agent installation path to 17 characters
or less.
Solution: To limit the final subdirectory in your Desktop Protector agent installation path
to 17 characters or less:
1. Navigate to the root of the directory where the Desktop Protection agent is installed.
The default location is: \Program Files\ISS\issSensors\DesktopProtection
2. Double-click AgentRemove.exe.
3. In the Site Manager, select Sensor → Manage → Policy.
The Manage Policy window opens.
4. Select the appropriate policy.
This is the policy that was selected for the target computer.
5. Click View/Edit.
The Policy window opens.
6. Select Installation Configuration.
7. In the following fields, limit the final subdirectory in your Desktop Protector agent
installation path to 17 characters or less:
■ WinNT/2000 Install Path
■ Win 9x Install Path
8. Close the Policy window, saving the policy.
9. Right-click the group that contains the malfunctioning Desktop Protection agent, and
then select Desktop Protection → Generate Desktop Protection Build.
The Generate Desktop Protection Build window opens.
10. In the drop down menu, select the desired Desktop Controller, and then type a
description in the Description box.
11. Click OK.
12. After the Desktop Protection build is completed, navigate to the Desktop Protection
Build page in the target computer’s Web browser.
By default, this page is located on port 8085 of the computer where the Desktop
Controller resides.
13. Select the newly generated Desktop Protection build.
14. Select Open on the Download window.
The new agent build is installed.
Description: When you install the SiteProtector Console, the file structure and the
application registry may not be accessible for some users and groups that have limited
access privileges.
Note: You must be an administrator or user with access privileges that allow
modifications to the security settings for the SiteProtector Console installation.
Specifically, you must be able to change the file systems and registry settings that are
described in the following procedure:
Installation/Uninstallation Issues
Introduction
This topic provides solutions to issues that you might encounter when installing or
uninstalling RealSecure SiteProtector components.
● EnterpriseDatabase
● EventCollector
● ApplicationServer
● Console
issApp login already exists
Description: While installing the RealSecure application server, an error states that the
Application Server login issApp already exists; then, the installation process is
terminated.
Explanation: This usually occurs when you attempt to install the RealSecure application
server over an unsuccessful uninstallation. If the RealSecure application server or
RealSecure sensor controller services cannot be stopped during the uninstallation process,
the issApp login is still in use and cannot be deleted from the database.
1. Make sure both services (or applications, if running as such) are stopped.
2. Use SQL Server 2000 Enterprise Manager to manually delete the existing issApp
login, which is located in the /Security folder for the RealSecure Site database.
Event collector login cannot be deleted
Description: While uninstalling the event collector, an error states that the
EventCollector_<machine> login cannot be deleted because the service is running; then,
the uninstallation process terminates.
● If you are uninstalling the RealSecure Site database, ignore this message and uninstall
the database; then, repeat the uninstallation process for the event collector.
● If you are not uninstalling the RealSecure Site database, stop the issDaemon service
and repeat the event collector uninstallation process. If the uninstallation process
proceeds, but you are warned that the login still exists, use the SQL Server 2000
Enterprise Manager to manually delete the existing EventCollector_<machine>
login, located in the Security folder for the RealSecure Site database.
Additional event collector encryption
Description: When you install an additional event collector, the encryption is not initially
set.
Solution: After installing an additional event collector, you must stop, and then restart it to
set encryption.
Can’t stop the event collector
Description: You have removed the application server and the console, but can’t stop the
event collector.
Database in use error
Description: While uninstalling the RealSecure Site database, an error states that the
database is in use.
Solution: Use the SQL Server 2000 Enterprise Manager to manually kill all processes
associated with the RealSecure Site database; then, proceed with uninstalling the
database.
Operational Issues
Introduction
This topic provides solutions to issues that you might encounter when operating
RealSecure SiteProtector.
Cannot log into SiteProtector
Description: When I try to log on to SiteProtector, the following Certificate
Incompatibility window appears before I am prompted for my username and password.
What should I do?
● If your System Administrator confirms that they have updated the certificates, click
Valid. The newly-updated certificate will replace the previous certificate in the key
store for that server.
● If your System Administrator verifies that they have not updated certificates, then
click Invalid. The System Administrator should then contact ISS Technical Support
for assistance.
Software query on host returns no entries
Description: After adding a host, querying the host for software returns no entries.
Solution: Check to make sure the signature verification for the sensor is not failing. The
sensor should appear in the Application log portion of the Event Viewer for the
issDaemon on the host where the sensor is located.
Missing or invalid license key errors
Description: After you add a license key through the SiteProtector console, the features do
not appear; but errors related to a missing or invalid license key appear.
Explanation: The RealSecure sensor controller polls for license changes every 60 seconds,
so the change may not appear immediately.
Solution: Wait 60 seconds and then open the Add License window again to see if the
feature columns are populated. If the feature columns are populated, the license key has
been successfully imported.
Note: If you add license keys through the Sensor Controller Diagnostics console, the
effect is immediately apparent.
SiteProtector is not collecting scanner data
Description: You reinstalled Internet Scanner, and you are no longer collecting data.
Solution: You must also reinstall the Internet Scanner Databridge because the Internet
Scanner Databridge registers some of the Internet Scanner DLLs.
Your Event Collector password was deleted or has expired
Description: Your event collector username/password was accidentally deleted, changed,
or has expired. The encryption authentication between the event collector and the site
database is no longer valid.
Solution: You must generate a new set of keys by re-generating the user account. Contact
ISS Technical Support for assistance.
Sensor status is “Unknown” or “Not Responding”
Description: The SiteProtector console displays an “Unknown” or “Not Responding”
status for one or more sensors.
Under normal conditions, a sensor's status should be “Active” or “Stopped” if the sensor
is not assigned to an event collector. If the sensor is assigned to an event collector, the
status should be “Active” (if the sensor is currently connected to an event collector) or
“Offline” (if the event collector is unable to connect to the sensor).
Product Folder
Important: You need to examine both the Internet Scanner and Internet Scanner
Databridge folders for Internet Scanner installations.
Each Keys folder can contain subfolders for each key provider present (e.g. \RSA or
\CerticomNRA). At least one of these key provider subfolders should contain the
SiteProtector authentication key, which looks like
sp_con_<ApplicationServerDNS>_<####>.PubKey.
For example, if the RealSecure application server is present on a computer with the DNS
“bob”, then the computer containing a network sensor installation should have a file
called C:\Program Files\ISS\issSensors\server_sensor_1\Keys\RSA\sp_con_bob_239.PubKey
(assuming RSA encryption). If this file is not present, or if the date does not match the date
of the corresponding key on the RealSecure application server computer, then you must
force the key to be pushed from the RealSecure application server to the local sensor.
The RealSecure application server authentication keys for SiteProtector are located in the
C:\Program Files\ISS\RealSecure SiteProtector\Application
Server\Keys\<key provider>\ folders.
Important: Make sure you compare keys in similar key provider subfolders. In the
example above, compare the sensor's RSA key folder to the Application Server's RSA key
folder.
1. Search for, then delete sp_con*.PubKey in the C:\Program Files\ISS folder and
below.
2. From a command prompt, type net stop issdaemon.
3. Edit the C:\Program Files\ISS\issDaemon\crypt.policy file by changing the
“allowfirstconnection=<tab>L<tab>0;” string to
“allowfirstconnection<tab> =L<tab>1;”.
4. Save the file.
5. From a command prompt, type net start issdaemon.
6. From the SiteProtector console, issue a Start command to the sensor so that it will
attempt to connect. This should change the sensor status, though it may take a minute
or so. Verify that the key was pushed as described above.
Sensor status is “Offline”
Description: The SiteProtector console displays the status for one or more sensors as
“Offline.”
Explanation: This could be the result of a missing or invalid event collector authentication
key on the sensor computer.
Solution: To verify that this is the problem, go to the Keys folder on the sensor computer.
Typical folders include the following:
Product Folder
Important: You only need to examine the Internet Scanner Databridge folder for Internet
Scanner installations.
Each Keys folder can contain subfolders for each key provider present (e.g., \RSA or
\CerticomNRA). At least one of these key provider subfolders should contain the event
collector authentication key, which looks like
rs_eng_<EventCollectorDNS>_<####>.PubKey.
For example, if the event collector is present on a computer with the DNS “bob”, then the
computer containing a network sensor installation should have a file called
C:\Program Files\ISS\issSensors\server_sensor_1\Keys\RSA\rs_eng_bob_239.PubKey
(assuming RSA encryption). If this file is not present, or if the date does not match the date
of the corresponding key on the event collector host, then you must force the key to be
pushed from the event collector to the local sensor.
The event collector computer’s authentication keys are located in the C:\Program
Files\ISS\RealSecure SiteProtector\Event Collector\Keys\<key provider>\
folders.
Important: Make sure you compare keys in similar key provider subfolders. In our
example above, compare the sensor’s RSA key folder to the event collector’s RSA key
folder.
1. From the SiteProtector console, issue a Stop command to the event collector, and wait
until its status changes to Stopped.
2. Select the sensor, right-click the sensor, and then select View/Edit from the pop-up
menu.
3. Change the Event Collector box to None, and then click OK.
4. Issue a Start command to the event collector, and then wait until its status changes to
either “Offline” or “Online.”
5. Select the sensor, right-click the sensor, and then select View/Edit from the pop-up
menu.
6. Change the Event Collector box from None to the appropriate event collector, and
then click OK.
This should change the sensor status to “Online” though it may take a minute or so.
Verify that the key was pushed as described previously.
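The key check described in the two sensor status topics above can be scripted. The following Python is an added example, not ISS code: it compares sp_con or rs_eng .PubKey files between a sensor's Keys folder and the Keys folder of the application server or event collector, provider subfolder by provider subfolder. It assumes that both Keys folders are reachable from one machine with file timestamps preserved and that the corresponding key has the same file name on both hosts; the function names and the sample layout are constructed for illustration.

```python
import datetime
import os
import re
import tempfile
from pathlib import Path

# File name patterns quoted in the guide:
#   sp_con_<ApplicationServerDNS>_<####>.PubKey   SiteProtector authentication key
#   rs_eng_<EventCollectorDNS>_<####>.PubKey      event collector authentication key
KEY_NAME = re.compile(r"^(sp_con|rs_eng)_(.+)_(\d+)\.PubKey$", re.IGNORECASE)


def list_keys(keys_dir, kind):
    """Return {(provider, file name): modification date} for one key kind."""
    found = {}
    root = Path(keys_dir)
    if not root.is_dir():
        return found
    for provider in sorted(p for p in root.iterdir() if p.is_dir()):
        for f in sorted(provider.iterdir()):
            m = KEY_NAME.match(f.name)
            if f.is_file() and m and m.group(1).lower() == kind:
                day = datetime.date.fromtimestamp(f.stat().st_mtime)
                # Windows paths are case-insensitive, so normalise both parts.
                found[(provider.name.upper(), f.name.lower())] = day
    return found


def audit_keys(sensor_keys_dir, source_keys_dir, kind):
    """Compare like-for-like provider subfolders (RSA with RSA, and so on).

    Returns a sorted list of (provider, file name, status) where status is
    'ok', 'missing_on_sensor', 'date_mismatch' or 'unexpected_on_sensor'.
    """
    sensor = list_keys(sensor_keys_dir, kind)
    source = list_keys(source_keys_dir, kind)
    findings = []
    for ident, source_day in source.items():
        if ident not in sensor:
            status = "missing_on_sensor"
        elif sensor[ident] != source_day:
            status = "date_mismatch"
        else:
            status = "ok"
        findings.append((ident[0], ident[1], status))
    # A key on the sensor with no counterpart on the source host may be left
    # over from an earlier application server or event collector.
    for ident in sensor.keys() - source.keys():
        findings.append((ident[0], ident[1], "unexpected_on_sensor"))
    return sorted(findings)


def needs_push(findings):
    """Apply the guide's rule: at least one provider subfolder must hold a
    current key; a stale key, or no matching key at all, means push again."""
    statuses = [status for _, _, status in findings]
    return "ok" not in statuses or "date_mismatch" in statuses


def build_constructed_layout(base):
    """Create a constructed sensor/source folder set for demonstration."""
    base = Path(base)
    older = 1043064000  # 2003-01-20 12:00 UTC
    newer = 1043496000  # 2003-01-25 12:00 UTC
    files = {
        "appserver/RSA/sp_con_bob_239.PubKey": newer,
        "sensor/RSA/sp_con_bob_239.PubKey": older,            # stale copy
        "collector/RSA/rs_eng_bob_239.PubKey": newer,
        "sensor/RSA/rs_eng_bob_239.PubKey": newer,            # current copy
        "collector/CerticomNRA/rs_eng_bob_240.PubKey": newer,  # not on sensor
    }
    for rel, mtime in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed placeholder, not a real key")
        os.utime(path, (mtime, mtime))
    return base / "sensor", base / "appserver", base / "collector"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sensor, appserver, collector = build_constructed_layout(tmp)
        for label, source, kind in (("application server", appserver, "sp_con"),
                                    ("event collector", collector, "rs_eng")):
            findings = audit_keys(sensor, source, kind)
            for provider, name, status in findings:
                print(f"{label}: {provider}\\{name}: {status}")
            print(f"{label}: push needed = {needs_push(findings)}")
```

If the folders were copied without preserving timestamps, every key reports date_mismatch, so check the copy method before acting on the result.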
Chapter 2
Overview
Introduction
This chapter describes the extensive logging features that SiteProtector provides for each
component. These logs can help you identify problems with components or sensors.
For each type of log and configuration file, the following information is provided:
Viewing logs
Most log files are text files that you can open with a standard text file editor. If a different
method is needed for a particular log file, it is explained with the description of that log.
Important: Be sure to use a text editor that can handle large files.
Topic
Installation Logs
Database Logs
Chapter 2: Log File Diagnostics
Installation Logs
Introduction
The SiteProtector installation process generates a log file for each SiteProtector component
installed. It also creates a detailed log file for each bulk copy of data loaded into a
particular table on the RealSecure Site database. The log files contain a line of text for each
action taking place.
Location of log files
Table 1 provides the path of the log files on the computer where each component is
installed:
Component log files for installation
The log files created during installation depend on the type of installation (Basic or
Custom). Table 2 contains the installation log files that may be generated during
installation, depending on the type of installation:
Component log files for uninstallation
Log files are always created when you uninstall SiteProtector. The names of the log files
are the same as those created during installation, but the contents are overwritten with the
uninstall process information if the original log files still exist.
Note: If errors or warnings occur during the installation process and you want to save the
exact messages for troubleshooting, rename the log files before invoking the uninstall
process.
Viewing the component log files
If an error or warning occurs during the installation or uninstallation process in normal
mode, the View Log File check box on the Finish window at the end of the process will be
checked by default. This enables you to easily view the log file contents to determine the
reason for the error or warning.
RealSecure Site database table bulk copy log files
Approximately 50 pairs of log files are generated for each bulk copy that is created and
populated for the RealSecure Site database. Table 3 describes those pairs of log files:
Table Name Description
Note: Statistics for the number of rows copied for every bulk copy file that was installed/
uninstalled are included in the Enterprise_Database_Setup_Log.txt file. This file enables
you to go to one source to quickly determine which error messages/warnings occurred.
Database Logs
Introduction
Database log information, such as errors, number of rows loaded, number of rows
rejected, and reason for row rejected, is logged to the messagelog table in the RealSecure
Site database.
Viewing database logs
Use Microsoft SQL Server Enterprise Manager or Query Analyzer to view the
messagelog table.
Default logging level
The default logging level is set to Warn Trace, which logs a limited set of significant
events.
Changing the logging level
You can change the logging level detail using the Sensor Controller Diagnostics console.
See “Running commands on sensors” on page 52 for more information.
Recommendations for increased logging detail
Increasing the logging levels for an extended period of time can quickly fill the database.
Use the following recommendations when increasing logging detail:
● Increase the logging levels (i.e., setting the logging level to Full Trace) for short
intervals as needed to gather detailed information.
● Reset the trace level to Warn Trace after you finish collecting detailed information.
● Truncate this table after extended debugging, as well as during normal tracing if the
table becomes too large.
Contents of the log
The X-Press Update log file contains details of X-Press Update download activity and the
overall X-Press Update status. The log file includes the following:
Location of log files
Table 4 provides the paths of the X-Press update log files:
Changing the X-Press Update logging level
To change the logging level for the X-Press Update log file:
1. On the Options menu, select XPU Logging Level.
2. Select the logging level you want.
Setting Logging Levels
Note: Methods for viewing the log4j logs are explained in “Viewing log4j RealSecure
Application Server and RealSecure Sensor Controller Logs” on page 23.
Logging levels
The log4j tool provides five priority levels of logging detail. (See documentation at
http://jakarta.apache.org/log4j/docs/manual.html.) The default logging level is set to
fatal, which only logs very serious errors.
The priority levels, in decreasing order of logging detail, consist of the following:
● DEBUG
● INFO
● WARN
● ERROR
● FATAL
Recommendations for logging detail
Increasing the logging levels for an extended period of time can quickly fill the log file.
Follow these recommendations when increasing logging detail:
● Increase the logging levels for short intervals as needed to gather detailed
information.
● Delete the log files at any time, as they can quickly become large when logging details.
■ Delete the app_server.log, and then restart the RealSecure application server.
■ Delete the sensor_ctl.log, and then restart the RealSecure sensor controller.
● Read the log4j documentation for procedures for automatically rolling up the logs
into manageable sizes.
Where the logging level is set
The logging level is set in a properties file for each component. The properties file path
and file name for the RealSecure application server are:
Important: The file must be present before any logging takes place.
3. Replace the logging level with one of the five available logging levels.
Example: Change the logging level from FATAL to DEBUG.
4. Save the file.
Important: You must restart both the RealSecure application server before the logging
change takes effect.
Viewing log4j RealSecure Application Server and RealSecure Sensor Controller Logs
Location of log files
Table 5 provides the paths of the run-time logs on the computer that hosts the RealSecure
application server and RealSecure sensor controller.
Viewing from the Event Viewer
Events generated by the RealSecure application server and the RealSecure sensor
controller are logged to the Application Log in the Windows 2000 Event Viewer. The
Source names for the events are issSPAppService and issSPSenCtlService.
To view the events from the Windows 2000 Event Viewer Application Log:
1. Click Start on the taskbar, and then select Programs → Administrative Tools.
2. Double-click the Event Viewer icon.
3. In the left pane, select the application log.
4. In the right pane in the Source column, look for issSPAppService and
issSPSenCtlService.
Tip: Click the Source column to sort the list.
How it works
When you issue a command that involves displaying or modifying a property, response,
or policy file for an ISS Sensor or SiteProtector core component, copies of the remote
configuration and log files are placed on the computer where the RealSecure application
server is running.
Location of log files The path of the log files is C:\Program Files\ISS\RealSecure
SiteProtector\Application Server\temp\AppServer.
Changing logging To change logging levels for the RealSecure application server logs:
levels
● In the Sensor Controller Diagnostics console, right-click the SP Core component in the
Sensor window.
Important: The RealSecure application server does not use dynamic logging, so
changes to the logging levels are not in effect until you restart the RealSecure
application server service.
RealSecure application server logs
The following common characteristics apply to all the RealSecure application server log
files:
● The log file is overwritten each time RealSecure sensor controller restarts.
● The amount of detail collected depends on the current trace level.
Note: The log files can quickly become very large when the logging level is high.
Location of log files
Additional logging for each issDaemon that the RealSecure application server
communicates with is also available. The path of the configuration files pertinent to the
issDaemon located at the given IP address is
C:\Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\daemon@xxx.xxx.xxx.xxx.
RealSecure Application Server Logs
Note: The issDaemon log files are always available regardless of the trace level.
How it works
When you issue a command that involves displaying or modifying a property, response,
or policy file for an ISS Sensor or SiteProtector core component, copies of the remote
configuration and log files are placed on the computer where the RealSecure sensor
controller is running.
Dynamic logging levels
Dynamic logging is in effect for the RealSecure sensor controller. That is, changes to the
logging levels go into effect immediately without restarting the RealSecure sensor
controller service.
RealSecure sensor controller log files
The following common characteristics apply to all RealSecure sensor controller log files:
● The log file is overwritten each time the RealSecure sensor controller restarts. This is
true only if the logging level is less than full. If the logging level is full then it will
append.
● The amount of detail collected depends on current trace level.
Note: The log files can quickly become large when the logging level is high.
Description of log files
Table 8 describes the log files for the RealSecure sensor controller.
Log File Name Description
RealSecure Sensor Controller Logs
RealSecure Sensor Controller Internet Scanner Log Files
Location of log files
The path of the configuration and log files for the Internet Scanner located at the given IP
address is
C:\Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\Internet_Scanner@xxx.xxx.xxx.xxx.
The default installation path of Internet Scanner is C:\Program Files\ISS\Scanner6.
Description of configuration and log files
Table 10 describes the Internet Scanner configuration and log files:
File Name Description
Location of Internet Scanner job-specific log files
The path of the log files related to specific jobs (launched scans) for Internet Scanner is
C:\Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\Internet_Scanner@xxx.xxx.xxx.xxx.
The files are located in subfolders according to the job name. By default, the path of configuration
files is C:\Program Files\ISS\Scanner6 on the computer where Internet Scanner is
hosted. The general form is as follows:
RealSecure Sensor Controller Internet Scanner Databridge Log Files
Description of log files
Table 12 describes the Internet Scanner Databridge log files:
File Names Description
If a job is successful, the following files are removed from the path list above:
● \<job #>\x.policy
● \<job #>\x.prop
● \<job #>\x.properties
● \<job #>\x.txt
Description of log files
Table 13 describes the RealSecure network sensor log files:
Log File Names Description
Note: All logging is saved for successful jobs, unless the logging level is turned off.
RealSecure Sensor Controller Server Sensor Log Files
Description of log files
Table 14 describes the RealSecure server sensor log files:
Log File Name Description
Description of log files
Table 15 describes the RealSecure server sensor log file:
Log File Name Description
RealSecure Sensor Controller SiteProtector Core Log Files
Chapter 3
Overview
Introduction
This chapter explains the options for setting up the Sensor Controller Diagnostics console
and how to activate run-time debugging for the RealSecure sensor controller and the
RealSecure application server.
Options for the RealSecure sensor controller
By default, the RealSecure sensor controller runs as a service without the Sensor
Controller Diagnostics console. When you run the Sensor Controller Diagnostics console,
you can run the RealSecure sensor controller either as a service or as a Java application.
● If you are only interested in logging data for sensors, you can use either method.
● If you are unable to start the RealSecure sensor controller as a service, you may start it
as a Java application. Starting it as a Java application is also the quicker way of setting
up run-time logging.
Log information
For information about the debug logs for the RealSecure sensor controller and the
RealSecure application server, see the following:
Where to find the Sensor Controller Diagnostics console
The Sensor Controller Diagnostics console is installed along with the RealSecure sensor
controller and the RealSecure application server. The instructions for setting up the Sensor
Controller Diagnostics console reference the default installation paths. If you installed
SiteProtector components to other paths, you must use those instead.
Chapter 3: Diagnostic and Debugging Setup
Note: When you set up the Sensor Controller Diagnostics console, you also activate the
run-time debug logs for the RealSecure sensor controller.
Starting the RealSecure Sensor Controller from a command prompt
To start the RealSecure sensor controller from a command prompt window:
1. Click Start on the taskbar, and then select Settings → Control Panel.
2. Double-click the Administrative Tools icon, and then double-click the Services icon.
3. Select the RealSecure SiteProtector Sensor Controller Service, and then click the Stop
button.
4. Click Start on the taskbar, and then select Programs → Accessories → Command
prompt.
5. Change directories to
C:\Program Files\ISS\RealSecure SiteProtector\Application Server\bin.
6. Type ccengine -debug, and then press ENTER.
A command prompt window appears, displaying logging information, and the
Sensor Controller Diagnostics console appears.
Setting up Runtime Logging for the SiteProtector Sensor Controller Service
Task overview
Starting the Sensor Controller Diagnostics console with the RealSecure sensor controller
as a service is a four-task procedure:
● Stop the RealSecure SiteProtector sensor controller service using the Services
Administrative Tool.
● Edit the properties of the service (on the Log On tab) to enable the Allow service to
interact with desktop check box.
● Change the setting of the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\issSPSenCtlService\Parameters\ConsoleTrace
registry key from N to Y.
● From a Command Prompt window, change directories to
C:\Program Files\ISS\RealSecure SiteProtector\Application Server\bin, and then run the
ccengine -debug command.
Procedure
To start run-time logging with the RealSecure sensor controller as a service:
1. Click Start on the taskbar, and then select Settings → Control Panel.
2. Double-click the Administrative Tools icon, and then double-click the Services icon.
3. Select the RealSecure SiteProtector Sensor Controller Service, and then click the
Stop button.
4. Right-click the RealSecure SiteProtector Sensor Controller Service, and then select
Properties from the pop-up menu.
5. Select the Log On tab, and select the Allow service to interact with desktop check
box, and then click OK.
Tip: Do not close the Services window.
6. Click Start on the taskbar, and then select Run.
7. Type regedit, and then press ENTER.
The Registry Editor appears.
8. In the left pane, select HKEY_LOCAL_MACHINE → SYSTEM →
CurrentControlSet → Services → issSPAppService → Parameters.
9. In the right pane, double-click ConsoleTrace, type Y in the Value data box, and then
click OK.
10. In Services, select the RealSecure SiteProtector Sensor Controller Service, and then
click the Start button.
1. Click Start on the taskbar, and then select Settings → Control Panel.
2. Double-click the Administrative Tools icon, and then double-click the Services icon.
3. Select the RealSecure SiteProtector Application Service service, and then click the
Stop button.
4. Right-click the RealSecure SiteProtector Application Service service, and then select
Properties from the pop-up menu.
5. Select the Log On tab, and select the Allow service to interact with desktop check
box, and then click OK.
Tip: Do not close the Services window.
6. Click Start on the taskbar, and then select Run.
7. Type regedit, and then press ENTER.
The Registry Editor appears.
8. In the left pane, select HKEY_LOCAL_MACHINE → SYSTEM →
CurrentControlSet → Services → issSPAppService → Parameters.
9. In the right pane, double-click ConsoleTrace, type Y in the Value data box, and then
click OK.
10. In Services, select the RealSecure SiteProtector Application Service service, and then
click the Start button.
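The settings that the two run-time logging procedures change can be checked from PowerShell, as in this added example, which is not part of the ISS guide. The service key names and the ConsoleTrace value come from the guide; the function names are hypothetical, and the example assumes a host where PowerShell is available and an elevated prompt for the reset.

```powershell
# Added example (not from the ISS guide). Audits the diagnostic settings that the
# run-time logging procedures change. Service key names and the ConsoleTrace
# value name come from the guide; function names are hypothetical.
$IssServiceKeys  = 'issSPSenCtlService', 'issSPAppService'
$InteractiveFlag = 0x100   # SERVICE_INTERACTIVE_PROCESS bit of the service Type value

function Get-IssDiagnosticState {
    # Returns one object per service key with the current diagnostic settings.
    param([string[]]$Name = $IssServiceKeys)
    foreach ($svc in $Name) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not (Test-Path $key)) {
            # Service key absent: the component is not installed on this host.
            [pscustomobject]@{
                Service = $svc; Installed = $false; Status = $null
                ConsoleTrace = $null; Interactive = $false
            }
            continue
        }
        # "Allow service to interact with desktop" is stored as a bit in Type.
        $type  = (Get-ItemProperty -Path $key -Name Type -ErrorAction SilentlyContinue).Type
        # ConsoleTrace is the Y/N value the procedures edit with regedit.
        $trace = (Get-ItemProperty -Path "$key\Parameters" -Name ConsoleTrace `
                    -ErrorAction SilentlyContinue).ConsoleTrace
        $state = (Get-Service -Name $svc -ErrorAction SilentlyContinue).Status
        [pscustomobject]@{
            Service      = $svc
            Installed    = $true
            Status       = $state
            ConsoleTrace = $trace
            Interactive  = [bool]($type -band $InteractiveFlag)
        }
    }
}

function Get-IssDiagnosticsEnabled {
    # Services that still have console tracing or desktop interaction switched on.
    Get-IssDiagnosticState |
        Where-Object { $_.Installed -and ($_.ConsoleTrace -eq 'Y' -or $_.Interactive) }
}

function Reset-IssConsoleTrace {
    # Sets ConsoleTrace back to N, the value the guide starts from. The guide edits
    # this value while the service is stopped, so stop the service first and start
    # it again afterwards. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Parameters"
    if (-not (Test-Path $params)) {
        Write-Warning "No Parameters key for $Name"
        return
    }
    if ($PSCmdlet.ShouldProcess($params, 'Set ConsoleTrace to N')) {
        Set-ItemProperty -Path $params -Name ConsoleTrace -Value 'N'
    }
}

# Show the current state of both services, then list any with diagnostics enabled.
Get-IssDiagnosticState | Format-Table -AutoSize
Get-IssDiagnosticsEnabled | ForEach-Object {
    Write-Output "$($_.Service): ConsoleTrace=$($_.ConsoleTrace) Interactive=$($_.Interactive)"
}
```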
Chapter 4
Database Schema
Overview
Introduction
This chapter contains the SiteProtector database schema.
Topic
Grouping Schema
X-Force Schema
Metrics Schema
ITSRO Schema
Statistics Schema
Staging Schema
Auditing Schema
Chapter 4: Database Schema
Hosts
UnGroupedHosts
HostID: int IDENTITY
HostID: int NOT NULL (FK)
HostIpAddress: varchar(47) NULL
UnGroupedStatus: tinyint NULL (FK)
Grouping Schema
Component
Policy ComponentID: int IDENTITY
PolicyVersion PolicyID: int IDENTITY RoleID: int NULL (FK) (AK1.3)
RoleID: int NOT NULL (FK)
Name: nvarchar(150) NOT NULL LastPushedPolicyID: int NULL (FK) Hosts
Version: varchar(100) NOT NULL
Description: nvarchar(80) NULL PropertyFileID: int NULL (FK)
HostID: int IDENTITY
DisplayVersion: varchar(100) NULL FileName: nvarchar(255) NULL HostID: int NULL (FK) (AK1.1)
Version: varchar(100) NULL Priority: numeric NOT NULL HostIpAddress: varchar(47) NULL
RoleID: int NULL (FK) Status: numeric NOT NULL HostDNSName: NVARCHAR(254) NULL
BinaryDataID: int NULL (FK) LastModifiedBy: nvarchar(60) NULL HostNBName: NVARCHAR(16) NULL
ResponseVersion
Deleted: numeric NOT NULL LastModifiedAt: datetime NULL HostNBDomain: nvarchar(16) NULL
RoleID: int NOT NULL (FK) Deleted: numeric NOT NULL HostOSName: nvarchar(64) NULL
LastModifiedAt: datetime NULL
Version: varchar(100) NOT NULL EventSourcePort: int NULL HostOSVersion: nvarchar(32) NULL
LastModifiedBy: nvarchar(60) NULL
DisplayVersion: varchar(100) NULL ReadOnly: tinyint NULL EventPort: int NULL HostOSRevisionLevel: varchar(32) NULL
EditorKey: varchar(50) NOT NULL Version: varchar(20) NULL HostOwner: nvarchar(50) NULL
Valid: tinyint NOT NULL SensorName: nvarchar(100) NULL (AK1.2) DateHostAdded: datetime NOT NULL
Policy: nvarchar(434) NULL GUID: varchar(36) NULL
Master: varchar(30) NULL HostIPNbr: numeric(10) NOT NULL (IE1.1)
AvailableXPU: varchar(40) NULL MacAddress: char(17) NULL
LastInstalledXPU: varchar(40) NULL DateHostUpdated: datetime NOT NULL (IE1.2)
Role LoggingLevel: tinyint NULL OSGroupID: int NULL (FK)
RoleID: int NOT NULL LicenseState: smallint NULL ISScanDate: datetime NULL (IE2.1)
RoleName: varchar(20) NOT NULL XPUState: smallint NULL StatNameID: int NULL (IE2.2)
ProductID: int NULL (FK) StateDescription: nvarchar(500) NULL
ClassName: varchar(255) NOT NULL (AK1.1) UnexpectedConfigChange: tinyint NULL
Namespace: varchar(255) NULL ModifiedBySensorController: tinyint NOT NULL
DaemonPort: int NULL
EventLogOption: tinyint NULL
Products SiteID: int NULL (FK)
ProductID: int NOT NULL LastPushedResponseID: int NULL (FK)
XPUDate: datetime NULL Sites
Command and Control Schema
Tasks
ControllerID: int NULL
BinaryData TaskID: int IDENTITY
BinaryDataID: int IDENTITY Groups JobTypeID: int NOT NULL (FK)
BinaryDataType: tinyint NULL (FK) GroupID: int IDENTITY (AK1.2) Name: varchar(60) NULL
Value: image NULL Descr: varchar(255) NULL
GroupName: nvarchar(64) NOT NULL LoadTableName: varchar(60) NULL
CheckSum: int NULL (IE1.1)
GroupDesc: nvarchar(255) NULL LoadStoredProcName: varchar(60) NULL
FileName: nvarchar(255) NULL DesktopAgentVersion RoleID: int NULL (FK) FormatFile: text NOT NULL
LastModifiedAt: datetime NULL GUID: varchar(36) NOT NULL GroupViewID: int NULL (FK) LoadSQLStatement: varchar(4000) NULL
Version: varchar(20) NOT NULL Deleted: tinyint NULL
ReadmeFileID: int NULL (FK) SiteID: int NULL (FK)
GroupTypeID: int NULL (FK) JobTypes
SPGroupID: int NULL JobTypeID: int IDENTITY
ParentGroupID: int NULL (FK) (AK1.1)
BinaryDataType RuleID: int NULL (FK) Descr: varchar(80) NOT NULL
BinaryDataType: tinyint NOT NULL
BinaryDataTypeDesc: nvarchar(60) NOT NULL
Site Analysis Schema
SecurityChecks
SourceHost SecChkID: int NOT NULL
TargetHost
SourceID: <Hosts.HostID> TagName: varchar(60) NOT NULL (AK1.1)
TargetID: <Hosts.HostID> SourceIpAddress: <Hosts.HostIpNbr> ChkName: varchar(40) NOT NULL
TargetIpAddress: <Hosts.HostIpNbr> SourceDNSName: <Hosts.HostDNSName> ChkBriefDesc: NVARCHAR(255) NULL
TargetDNSName: <Hosts.HostDNSName> SourceOSName: <Hosts.HostOSName> ChkDetailDesc: ntext NULL
TargetOSName: <Hosts.HostOSName> ChkDateReported: datetime NULL
ChkDateEntered: datetime NULL
Hosts ChkDateChanged: datetime NULL
HostID: int IDENTITY ItemAffected: nvarchar(255) NULL
ObservanceColumn Discoverer: nvarchar(255) NULL
HostIpAddress: varchar(47) NULL
ConseqName: varchar(20) NULL
HostDNSName: NVARCHAR(254) NULL
DisplayName: varchar(100) NOT NULL ConseqBriefDesc: nvarchar(255) NULL
HostNBName: NVARCHAR(16) NULL
QualifiedColName: varchar(100) NULL ConseqDetailDesc: ntext NULL
HostNBDomain: nvarchar(16) NULL
TableName: varchar(100) NULL Obsolete: bit NOT NULL
HostOSName: nvarchar(64) NULL
ColName: varchar(100) NULL ReplacedBy: int NULL
HostOSVersion: nvarchar(32) NULL
PK_ColName: varchar(100) NULL VulnStatus: bit NOT NULL
HostOSRevisionLevel: varchar(32) NULL
HostOwner: nvarchar(50) NULL FK_ColName: varchar(100) NULL
DateHostAdded: datetime NOT NULL FK_TableName: varchar(100) NULL
GUID: varchar(36) NULL ColType: char(1) NULL
HostIPNbr: numeric(10) NOT NULL (IE1.1) JoinType: varchar(15) NULL
MacAddress: char(17) NULL FilterColName: varchar(100) NULL
DateHostUpdated: datetime NOT NULL (IE1.2)
ObservancesPurge
OSGroupID: int NULL (FK)
ISScanDate: datetime NULL (IE2.1) Observances ObservanceID: bigint NOT NULL
StatNameID: int NULL (IE2.2) ObservanceID: bigint NOT NULL
ObservanceTime: datetime NOT NULL (IE10.1,IE8.1,IE9.1)
SensorHost SecChkID: int NULL (FK) (IE9.4)
ObservanceType SensorID: int NOT NULL (IE4.1,IE9.5)
SensorID: Component.ComponentID: int IDENTITY SourceID: int NOT NULL (IE10.3,IE6.1,IE9.3)
SensorHostID: Hosts.HostID: int IDENTITY ObservanceType: tinyint NOT NULL
TargetID: int NOT NULL (IE10.2,IE5.1,IE9.2) Object
SensorIPAddress: Hosts.HostIPNbr: numeric(10) NOT NULL ObservanceTypeDesc: nvarchar(30) NULL ObservanceCount: int NULL
SensorDNSName: Hosts.HostDNSName: NVARCHAR(254) NULL ObjectID: int IDENTITY
ObjectID: int NULL (FK) (IE9.6)
SensorOSName: Hosts.HostOSName: nvarchar(64) NULL SeverityID: tinyint NULL (FK) (IE9.7) ObjectType: tinyint NOT NULL (FK) (IE2.2)
SensorName: Component.SensorName: nvarchar(100) NULL ClearedCount: int NULL ObjectName: nvarchar(200) NOT NULL (IE1.1,IE2.1)
VulnStatus VulnStatus: tinyint NULL (FK) (IE9.9)
VulnStatus: tinyint NOT NULL ObservanceType: tinyint NULL (FK) (IE9.8)
LastModifiedAt: datetime NULL (IE11.1)
Component VulnStatusDesc: nvarchar(60) NULL
ComponentID: int IDENTITY SortID: int NOT NULL ObjectView
X-Force Schema
Metrics Schema
Severity HostCounts
SeverityID: tinyint NOT NULL CountDate: datetime NOT NULL
GroupID: int NOT NULL (FK)
SeverityDesc: nvarchar(10) NULL
HostCount: int NOT NULL
Metrics
MetricsType
GroupID: int NOT NULL (FK)
MetricsTypeID: int NOT NULL SeverityID: tinyint NOT NULL (FK)
Groups
Descr: nvarchar(30) NULL MetricsTypeID: int NOT NULL (FK)
DayID: int NOT NULL (FK) GroupID: int IDENTITY (AK1.2)
VulnStatus: tinyint NOT NULL (FK) GroupName: nvarchar(64) NOT NULL
SecChkID: int NULL GroupDesc: nvarchar(255) NULL
Counts: int NOT NULL RoleID: int NULL (FK)
GroupViewID: int NULL (FK)
Deleted: tinyint NULL
SiteID: int NULL (FK)
MetricsDay GroupTypeID: int NULL (FK)
DayID: int NOT NULL SPGroupID: int NULL
ParentGroupID: int NULL (FK) (AK1.1)
CurrentDate: datetime NOT NULL (AK1.1)
RejectMetrics RuleID: int NULL (FK)
DayNbr: smallint NOT NULL
DayOfWeek: nvarchar(20) NOT NULL
Month: smallint NOT NULL SiteID: int NULL
Quarter: smallint NOT NULL SPGroupID: int NOT NULL
VulnStatus
The following diagram displays the Metrics schema:
CheckProducts
CheckProductID: int NOT NULL Algorithm
SecChkID: int NOT NULL (FK) AlgorithmID: int NOT NULL
ProdVerID: int NOT NULL (FK) AlgorithmNum: int NOT NULL
Comment: varchar(4000) NULL NameSpace: char(10) NULL
FalseNegative: ntext NULL
FalsePositive: ntext NULL
ProductCheckName: varchar(120) NULL
AlgorithmID: int NULL (FK)
AlgorithmRating
AlgorithmID: int NOT NULL (FK)
RatingID: int NOT NULL (FK)
Rating
RatingID: int NOT NULL
RatingSet
RatingID: int NOT NULL (FK)
RatingAttributeID: int NOT NULL (FK)
RatingOrder: int NOT NULL
RatingAttribute
RatingAttributeID: int NOT NULL
RatingAttributeCodeID: int NOT NULL (FK)
The following diagram displays the ITSRO schema:
RatingAttributeCode
RatingAttributeCodeID: int NOT NULL
AttributeName: nvarchar(80) NOT NULL
ITSRO Schema
Statistics Schema
StatAttribute
LicContactInfo
StatAttributeID: int NOT NULL
LicContactInfoGUID: nvarchar(40) NOT NULL
DataType: varchar(20) NOT NULL
Name: nvarchar(200) NOT NULL SubjectName: nvarchar(255) NOT NULL
Title: nvarchar(100) NULL
CompanyName: nvarchar(255) NULL
StatCatAtt Address1: nvarchar(255) NULL
StatAttributeID: int NOT NULL (FK) Address2: nvarchar(255) NULL
StatCategoryID: int NOT NULL (FK) City: nvarchar(100) NULL
State: nvarchar(50) NULL
PostCode: nvarchar(40) NULL
Country: nvarchar(60) NULL
Email: nvarchar(255) NULL
AdditionalInfo: nvarchar(255) NULL
StatCategory
StatCategoryID: int NOT NULL
LicConsqMessage
Name: nvarchar(200) NOT NULL
SensorData
SensorDataResponse
SensorDataID: bigint NOT NULL
SensorDataUpdates
AlertDataID: int NOT NULL
SensorDataID: bigint NOT NULL (FK)
AlertFormatVersion: int NULL wrk_SensorData
SensorDataID: bigint NOT NULL (FK) ResponseTypeName: varchar(32) NULL
AlertNameType: int NULL
AlertUpdateName: nvarchar(50) NULL ResponseName: nvarchar(32) NULL
AlertName: nvarchar(60) NULL
AlertUpdateOrder: int NULL Status: tinyint NULL
AlertDateTime: datetime NULL (IE8.2) SensorDataID: bigint NOT NULL
Sensor Data Schema
SiteFilters
SiteFilterID: int
Site Filters Schema
Observances
ObservanceID: bigint SiteFilterTypeID: int (FK)
SiteFilterName: nvarchar(60)
Object ObservanceTime: datetime SiteFilterDesc: ntext
SecChkID: int (FK) FusionIgnoreFlag: bit
ObjectID: int
SensorID: int Deleted: tinyint
ObjectType: tinyint (FK) SourceID: int CreatedBy: varchar(60)
ObjectName: nvarchar(200) TargetID: int DateModified: datetime
ObservanceCount: int
ObjectID: int (FK)
SeverityID: tinyint (FK)
ClearedCount: int
VulnStatus: tinyint (FK) SiteFilterType
ObservanceType: tinyint (FK) SiteFilterTypeID: int
LastModifiedAt: datetime
SiteFilterType: char(2)
SiteFilterName: nvarchar(80)
ObservanceSiteFilters
ObservanceSiteFiltersView
ObservanceID: bigint
SiteFilterRuleID: int (FK) ObservanceID: ObservanceSiteFilters.ObservanceID: bigint NOT NULL
SiteFilterID: int (FK) SiteFilterID: ObservanceSiteFilters.SiteFilterID: int NOT NULL
SiteFilterType: SiteFilterType.SiteFilterType: char(2) NOT NULL
SiteFilterName: SiteFilters.SiteFilterName: nvarchar(60) NULL
SiteFilterDesc: <convert(varchar(4000...>
CreatedBy: SiteFilters.CreatedBy: varchar(60) NULL
SiteFilterRules
SiteFilterRuleID: int
SiteFilterID: int (FK)
SiteFilterStartDate: datetime SiteFilterView
SiteFilterEndDate: datetime
The following diagram displays the Site Filters schema:
SensorDataRejected wrk_SensorData
stg_AlertData SDAVPRejected
stg_AlertAVP SensorDataID: bigint NOT NULL
AlertDataID: bigint NOT NULL (IE1.1)
AlertFormatVersion: int NULL SecChkID: int NULL
AlertDataID: int NOT NULL AlertDataID: bigint NOT NULL (IE1.1)
AlertNameType: int NULL AlertDataID: int NOT NULL AlertName: nvarchar(60) NULL
AlertFormatVersion: int NULL AlertID: varchar(26) NULL
AlertName: nvarchar(60) NULL AttributeName: nvarchar(50) NULL AlertNameType: int NULL
AlertNameType: int NULL AttributeName: nvarchar(50) NULL
AlertDateTime: datetime NULL AttributeOrder: int NULL AlertTypeID: int NULL
AlertName: nvarchar(60) NULL AttributeOrder: int NULL
LocalTimezoneOffset: int NULL AttributeDataType: varchar(30) NULL ProductID: int NULL
AlertDateTime: datetime NULL AttributeDataType: varchar(30) NULL
AlertTimePrecision: int NULL AttributeValue: nvarchar(2000) NULL AlertDateTime: datetime NULL
LocalTimezoneOffset: int NULL AttributeValue: nvarchar(2000) NULL
AlertTimeSeqID: int NULL AttributeBlob: TEXT NULL AlertPriority: int NULL
AlertTimePrecision: int NULL AttributeBlob: TEXT NULL
AlertID: varchar(26) NULL AttributeSection: int NULL SrcAddressName: varchar(60) NULL
AlertTimeSeqID: int NULL AttributeSection: int NULL
SensorAddress: varchar(60) NULL SrcAddressInt: numeric(10) NULL
AlertID: char(26) NULL
SensorName: nvarchar(100) NULL DestAddressName: varchar(60) NULL
SensorAddress: varchar(60) NULL
ProductID: int NULL DestAddressInt: numeric(10) NULL
SensorName: nvarchar(100) NULL stg_AlertUpdates SDUpdatesRejected
AlertTypeID: int NULL SensorAddress: varchar(100) NULL
ProductID: int NULL
AlertPriority: int NULL SensorName: nvarchar(100) NULL
AlertTypeID: int NULL
AlertFlags: int NULL AlertDataID: int NOT NULL AlertDataID: bigint NOT NULL (IE1.1) SensorAddressInt: numeric(10) NULL
AlertPriority: int NULL
ProtocolID: int NULL AlertUpdateName: nvarchar(50) NULL AlertID: varchar(26) NULL ProcessingFlag: int NULL
AlertFlags: int NULL
SourcePort: int NULL AlertUpdateOrder: int NULL AlertUpdateName: nvarchar(50) NULL ObjectID: int NULL
ProtocolID: int NULL
SourcePortName: nvarchar(60) NULL AlertUpdateDataType: varchar(30) NULL AlertUpdateOrder: int NULL SourcePort: int NULL
SourcePort: int NULL
DestPortName: nvarchar(60) NULL AlertUpdateValue: nvarchar(2000) NULL AlertUpdateDataType: varchar(30) NULL DestPortName: nvarchar(60) NULL
ObjectName: nvarchar(2000) NULL
SrcAddressName: varchar(60) NULL AlertUpdateBlob: text NULL AlertUpdateValue: nvarchar(2000) NULL HostDNSName: nvarchar(254) NULL
SourcePortName: nvarchar(60) NULL
SrcAddressInt: numeric(10) NULL AlertUpdateSection: int NULL AlertUpdateBlob: text NULL HostNBDomain: nvarchar(255) NULL
DestPortName: nvarchar(60) NULL
DestAddressName: varchar(60) NULL AlertUpdateSection: int NULL HostNBName: nvarchar(20) NULL
SrcAddressName: varchar(60) NULL
DestAddressInt: numeric(10) NULL HostOSName: nvarchar(64) NULL
SrcAddressInt: numeric(10) NULL
SensorAddressInt: numeric(10) NULL HostOSVersion: nvarchar(32) NULL
DestAddressName: varchar(60) NULL stg_AlertResponse
AttackSuccessful: tinyint NULL HostGUID: varchar(36) NULL
DestAddressInt: numeric(10) NULL SDResponseRejected
AttackFragmented: tinyint NULL SrcHostID: int NULL
SensorAddressInt: numeric(10) NULL
AttackOrigin: nvarchar(60) NULL AlertDataID: int NOT NULL DstHostID: int NULL
AttackSuccessful: tinyint NULL
ResourceID: int NULL ResponseTypeName: varchar(32) NULL AlertDataID: bigint NOT NULL (IE1.1) ComponentID: int NULL
AttackFragmented: tinyint NULL
ResourceSubID: varchar(60) NULL ResponseName: nvarchar(32) NULL AlertID: varchar(26) NULL Cleared: char(1) NULL
AttackOrigin: nvarchar(60) NULL
Application: nvarchar(60) NULL Status: tinyint NULL ResponseTypeName: varchar(32) NULL VulnStatus: tinyint NULL
ResourceID: int NULL
UserName: nvarchar(60) NULL ResponseName: nvarchar(32) NULL RejectReason: varchar(200) NULL
ResourceSubID: varchar(60) NULL
HostGUID: varchar(36) NULL Status: tinyint NULL AlertCount: int NULL
Application: nvarchar(60) NULL RejectMetrics
The following table displays the Staging schema:
Staging Schema
Auditing Schema
ErrorMessage
AuditEventCMD DBComponent
ErrorNumber: int NOT NULL
AuditEventCMDID: int IDENTITY DBComponentID: smallint IDENTITY
SeverityID: smallint NULL (FK)
EventDesc: nvarchar(100) NULL Name: varchar(30) NULL
MessageText: nvarchar(300) NULL
State: tinyint NULL
StateDescription: varchar(100) NULL
DBSubComponent
DBSubComponentID: smallint IDENTITY
DBComponentID: smallint NULL (FK) ErrorSeverity
AuditTrail ProcName: varchar(30) NULL SeverityID: smallint NOT NULL
AuditTrailID: int IDENTITY State: tinyint NULL
StateDateTime: datetime NULL Name: nvarchar(20) NOT NULL
AuditEventCMDID: int NULL (FK) StateDescription: varchar(100) NULL Description: nvarchar(80) NULL
UserName: nvarchar(75) NULL ReportToCaller: tinyint NOT NULL
AuditTime: datetime NULL SQLSeverity: char(2) NULL
LoggingLevel: tinyint NULL
Version
AuditInfo
AuditInfoID: int IDENTITY
VersionUpdates
AuditTrailID: int NULL (FK) MessageLog
ParamName: nvarchar(100) NULL MessageLogID: int IDENTITY
UpdateTag: char(40) NULL
The following diagram displays the Auditing schema:
UpdateStatus UpdateStepStatus
UpdateStatusID: int IDENTITY UpdateOperationStatus UpdateStepStatusID: int IDENTITY
Name: varchar(100) NOT NULL UpdateOperationStatusID: int IDENTITY
StepNbr: int NULL
StartTime: datetime NOT NULL TargetName: varchar(100) NOT NULL TaskName: varchar(50) NULL
Status: varchar(30) NULL Status: varchar(30) NULL Description: varchar(1000) NULL
ActionJobID: int NULL UpdateStatusID: int NULL (FK) PctComplete: smallint NOT NULL
TotalSteps: int NULL Duration: smalldatetime NULL DBTime: datetime NOT NULL
PctComplete: smallint NULL ComponentTime: datetime NULL
Status: varchar(30) NULL
UpdateOperationStatusID: int NULL (FK)
Groups
GroupID: int IDENTITY (AK1.2)
GroupName: nvarchar(64) NOT NULL
GroupDesc: nvarchar(255) NULL
RoleID: int NULL (FK)
GroupViewID: int NULL (FK)
Deleted: tinyint NULL
SiteID: int NULL (FK)
GroupTypeID: int NULL (FK)
SPGroupID: int NULL
ParentGroupID: int NULL (FK) (AK1.1) Sites
RuleID: int NULL (FK) SiteID: int IDENTITY(2,1)
Application Security Schema
UsersSites
UsersID: int NOT NULL (FK)
SiteID: int NOT NULL (FK)
Audit
Users ID: int IDENTITY
UsersID: int IDENTITY EntityID: int NOT NULL (IE1.1)
UserID: int NULL (FK)
Login: nvarchar(50) NOT NULL (AK1.1)
EntityName: varchar(60) NULL (IE1.2)
Domain: nvarchar(255) NOT NULL (AK1.2)
Descr: varchar(255) NULL
SID: varchar(50) NOT NULL (AK2.1)
Action: varchar(30) NULL
LastLogin: datetime NULL
SourceIP: varchar(47) NULL
The following diagram displays the Application Security schema:
DesktopAgentVersion
ObjectType
BinaryDataType LicContactInfo GroupsParentChild
ObjectView
BinaryData License HostCounts Users
GroupPolicy
PolicyVersion Response UsersGroups Audit ObservanceType
Object
UsersSites Severity
Policy Sites
Role GroupView Observances
LastVulnStatus PlatformTypes
VulnStatus
Groups
UnGroupedStatus
ResponseVersion CheckPlatforms
GroupTypes
Platforms
UnGroupedHosts Remedies
GroupHostLinks
Services
Complete Database Schema
TagTranslation UDSecurityChecks
Hosts ActionDetails
ErrorMessage UpdateOperationStatus
AlgorithmRating
ErrorSeverity MessageLog
Internet Security Systems, Inc. Software License Agreement
THIS SOFTWARE IS LICENSED, NOT SOLD. BY INSTALLING THIS SOFTWARE, YOU AGREE TO ALL OF THE
PROVISIONS OF THIS SOFTWARE LICENSE AGREEMENT (“LICENSE”). IF YOU ARE NOT WILLING TO BE
BOUND BY THIS LICENSE, RETURN ALL COPIES OF THE SOFTWARE AND LICENSE KEYS TO ISS WITHIN
FIFTEEN (15) DAYS OF RECEIPT FOR A FULL REFUND OF ANY PAID LICENSE FEE. IF THE SOFTWARE WAS
OBTAINED BY DOWNLOAD, YOU MAY CERTIFY DESTRUCTION OF ALL COPIES AND LICENSE KEYS IN LIEU OF
RETURN.
1. License - Upon payment of the applicable fees, Internet Security Systems, Inc. (“ISS”) grants to you as the only end user (“Licensee”) a
nonexclusive and nontransferable, limited license for the accompanying ISS software product in machine-readable form and the related
documentation (“Software”) and the associated license key for use only on the specific network configuration, for the number and type of
devices, and for the time period (“Term”) that are specified in Licensee’s purchase order, as accepted and invoiced by ISS. ISS limits use
of Software based upon the number and type of devices upon which it may be installed, used, gather data from, or report on, depending
upon the specific Software licensed. A device includes any network addressable device connected to Licensee’s network, including
remotely, including but not limited to personal computers, workstations, servers, routers, hubs and printers. Licensee may reproduce,
install and use the Software on multiple devices, provided that the total number and type are authorized in Licensee’s purchase order, as
accepted by ISS. Licensee acknowledges that the license key provided by ISS may allow Licensee to reproduce, install and use the Software
on devices that could exceed the number of devices licensed hereunder. Licensee shall implement appropriate safeguards and
controls to prevent loss or disclosure of the license key and unauthorized or unlicensed use of the Software. Licensee may make a reasonable
number of backup copies of the Software and the associated license key solely for archival and disaster recovery purposes.
2. Evaluation License - If ISS is providing Licensee with the Software and related documentation on an evaluation trial basis at no cost, such license Term is 30
days from installation, unless a longer period is agreed to in writing by ISS. ISS recommends using Software for evaluation in a non-production, test environment.
The following terms of this Section 2 additionally apply and supersede any conflicting provisions herein. Licensee agrees to remove the Software from the
authorized platform and return the Software and documentation to ISS upon expiration of the evaluation Term unless otherwise agreed by the parties in writing.
ISS has no obligation to provide support, maintenance, upgrades, modifications, or new releases to the Software under evaluation. LICENSEE AGREES THAT
THIS SOFTWARE AND RELATED DOCUMENTATION ARE BEING DELIVERED “AS IS” WITHOUT WARRANTIES OF ANY KIND, INCLUDING WITHOUT
LIMITATION ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, TITLE OR NON-INFRINGEMENT.
IN NO EVENT WILL ISS BE LIABLE TO LICENSEE OR ANY OTHER PERSON FOR DAMAGES, DIRECT OR INDIRECT, OF ANY NATURE, OR
EXPENSES INCURRED BY LICENSEE IN CONNECTION WITH THE SOFTWARE LICENSED HEREUNDER. LICENSEE’S SOLE AND EXCLUSIVE REMEDY
SHALL BE TO TERMINATE THIS EVALUATION LICENSE BY WRITTEN NOTICE TO ISS.
3. Covenants - ISS reserves all intellectual property rights in the Software. Licensee agrees: (i) the Software is owned by ISS and/or its licensors, is a valuable
trade secret of ISS, and is protected by copyright laws and international treaty provisions; (ii) to take all reasonable precautions to protect the Software from
unauthorized access, disclosure, copying or use; (iii) not to modify, adapt, translate, reverse engineer, decompile, disassemble, or otherwise attempt to discover
the source code of the Software; (iv) not to use ISS trademarks; (v) to reproduce all of ISS’ and its licensors’ copyright notices on any copies of the Software;
and (vi) not to transfer, lease, assign, sublicense, or distribute the Software or make it available for timesharing, service bureau, managed services offering, or
on-line use.
4. Support and Maintenance - During the term for which Licensee has paid the applicable support and maintenance fees, ISS will provide software maintenance
and support services that it makes generally available under its then current Maintenance and Support Policy. Support and maintenance include telephone support
and electronic delivery to Licensee of error corrections and updates to the Software and documentation. The foregoing updates do not include new releases
or products that substantially increase functionality and are marketed separately by ISS to its customers in general.
5. Limited Warranty - The commencement date of this limited warranty is the date on which ISS furnishes to Licensee the license key for the Software. For a period
of ninety (90) days after the commencement date or for the Term (whichever is less), ISS warrants that the Licensed Software will conform to material operational
specifications described in its then current documentation. However, this limited warranty shall not apply unless (i) the Software is installed, implemented,
and operated in accordance with all written instructions and documentation supplied by ISS, (ii) Licensee notifies ISS in writing of any nonconformity within the
warranty period, and (iii) Licensee has promptly and properly installed all corrections, new versions, and updates made available by ISS to Licensee. Furthermore,
this limited warranty shall not apply to nonconformities arising from any of the following: (i) misuse of the Software, (ii) modification of the Software, (iii)
failure by Licensee to utilize compatible computer and networking hardware and software, or (iv) interaction with software or firmware not provided by ISS. If Licensee
timely notifies ISS in writing of any such nonconformity, then ISS shall repair or replace the Software or, if ISS determines that repair or replacement is
impractical, ISS may terminate the applicable licenses and refund the applicable license fees, as the sole and exclusive remedies of Licensee for such nonconformity.
THIS WARRANTY GIVES LICENSEE SPECIFIC LEGAL RIGHTS, AND LICENSEE MAY ALSO HAVE OTHER RIGHTS THAT VARY FROM JURISDICTION
TO JURISDICTION. ISS DOES NOT WARRANT THAT THE SOFTWARE WILL MEET LICENSEE’S REQUIREMENTS, THAT THE OPERATION
OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ALL SOFTWARE ERRORS WILL BE CORRECTED. LICENSEE UNDERSTANDS
AND AGREES THAT LICENSED SOFTWARE IS NO GUARANTEE AGAINST INTRUSIONS, VIRUSES, TROJAN HORSES, WORMS, TIME
BOMBS, CANCELBOTS OR OTHER SIMILAR HARMFUL OR DELETERIOUS PROGRAMMING ROUTINES AFFECTING LICENSEE’S NETWORK, OR
THAT ALL SECURITY THREATS AND VULNERABILITIES WILL BE DETECTED OR THAT THE PERFORMANCE OF THE LICENSED SOFTWARE WILL
RENDER LICENSEE’S SYSTEMS INVULNERABLE TO SECURITY BREACHES. THE REMEDIES SET OUT IN THIS SECTION 5 ARE THE SOLE AND
EXCLUSIVE REMEDIES FOR BREACH OF THIS LIMITED WARRANTY.
6. Warranty Disclaimer - EXCEPT FOR THE LIMITED WARRANTY PROVIDED ABOVE, THE SOFTWARE IS PROVIDED “AS IS” AND ISS HEREBY DISCLAIMS
ALL WARRANTIES, BOTH EXPRESS AND IMPLIED, INCLUDING IMPLIED WARRANTIES RESPECTING MERCHANTABILITY, TITLE, NONINFRINGEMENT,
AND FITNESS FOR A PARTICULAR PURPOSE. SOME JURISDICTIONS DO NOT ALLOW DISCLAIMERS OF IMPLIED WARRANTIES,
SO THE ABOVE LIMITATION MAY NOT APPLY TO LICENSEE. LICENSEE EXPRESSLY ACKNOWLEDGES THAT NO REPRESENTATIONS OTHER
THAN THOSE CONTAINED IN THIS LICENSE HAVE BEEN MADE REGARDING THE GOODS OR SERVICES TO BE PROVIDED HEREUNDER, AND
THAT LICENSEE HAS NOT RELIED ON ANY REPRESENTATION NOT EXPRESSLY SET OUT IN THIS LICENSE.
7. Proprietary Rights - ISS represents and warrants that ISS has the authority to license the rights to the Software that are granted herein. ISS shall defend and
indemnify Licensee from any final award of costs and damages against Licensee for any actions based on infringement of any U.S. copyright, trade secret, or
patent as a result of the use or distribution of a current, unmodified version of the Software; but only if ISS is promptly notified in writing of any such suit or claim,
and only if Licensee permits ISS to defend, compromise, or settle same, and only if Licensee provides all available information and reasonable assistance. The
foregoing is the exclusive remedy of Licensee and states the entire liability of ISS with respect to claims of infringement or misappropriation relating to the
Software.
8. Limitation of Liability - ISS’ ENTIRE LIABILITY FOR MONETARY DAMAGES ARISING OUT OF THIS LICENSE SHALL BE LIMITED TO THE AMOUNT OF
THE LICENSE FEES ACTUALLY PAID BY LICENSEE UNDER THIS LICENSE, PRORATED OVER A THREE-YEAR TERM FROM THE DATE LICENSEE
RECEIVED THE SOFTWARE. IN NO EVENT SHALL ISS BE LIABLE TO LICENSEE UNDER ANY THEORY INCLUDING CONTRACT AND TORT
(INCLUDING NEGLIGENCE AND STRICT PRODUCTS LIABILITY) FOR ANY SPECIAL, PUNITIVE, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES,
INCLUDING, BUT NOT LIMITED TO, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, DAMAGES FOR LOST PROFITS,
LOSS OF DATA, LOSS OF USE, OR COMPUTER HARDWARE MALFUNCTION, EVEN IF ISS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
9. Termination - Licensee may terminate this License at any time by notifying ISS in writing. All rights granted under this License will terminate immediately, without
prior written notice from ISS, at the end of the term of the license, if not perpetual. If Licensee fails to comply with any provisions of this License, ISS may
immediately terminate this License if such default has not been cured within ten (10) days following written notice of default to Licensee. Upon termination or
expiration of the License, Licensee shall cease all use of the Software and destroy all copies of the Software and associated documentation. Termination of this
License shall not relieve Licensee of its obligation to pay all fees incurred prior to such termination and shall not limit either party from pursuing any other remedies
available to it.
10. General Provisions - This License, together with the identification of the Software, pricing and payment terms stated in the applicable Licensee purchase order
as accepted by ISS constitute the entire agreement between the parties respecting its subject matter. Standard and other additional terms or conditions contained
in any purchase order or similar document are hereby expressly rejected and shall have no force or effect. This License will be governed by the substantive
laws of the State of Georgia, USA, excluding the application of its conflicts of law rules. This License will not be governed by the United Nations Convention
on Contracts for the International Sale of Goods, the application of which is expressly excluded. If any part of this License is found void or unenforceable, it will
not affect the validity of the balance of the License, which shall remain valid and enforceable according to its terms. This License may only be modified in writing
signed by an authorized officer of ISS.
11. Notice to United States Government End Users - Licensee acknowledges that any Software furnished under this License is commercial computer software and
any documentation is commercial technical data developed at private expense and is provided with RESTRICTED RIGHTS. Any use, modification, reproduction,
display, release, duplication or disclosure of this commercial computer software by the United States Government or its agencies is subject to the terms,
conditions and restrictions of this License in accordance with the United States Federal Acquisition Regulations at 48 C.F.R. Section 12.212 and DFAR Subsection
227.7202-3 and Clause 252.227-7015 or applicable subsequent regulations. Contractor/manufacturer is Internet Security Systems, Inc., 6303 Barfield
Road, Atlanta, GA 30328, USA.
12. Export and Import Controls; Use Restrictions - Licensee will not transfer, export, or reexport the Software, any related technology, or any direct product of either
except in full compliance with the export controls administered by the United States and other countries and any applicable import and use restrictions. Licensee
agrees that it will not export or reexport such items to anyone on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Commerce
Department’s Denied Persons List or Entity List or such additional lists as may be issued by the U.S. Government from time to time, or to any country to
which the United States has embargoed the export of goods, or for use with chemical or biological weapons, sensitive nuclear end-uses, or missiles. Licensee
represents and warrants that it is not located in, under control of, or a national or resident of any such country or on any such list. Many ISS software products
include encryption and export outside of the United States or Canada is strictly controlled by U.S. laws and regulations. Please contact ISS’ Customer Operations
for export classification information relating to the Software (customer_ops@iss.net). Licensee understands that the foregoing obligations are U.S. legal
requirements and agrees that they shall survive any term or termination of this License.
13. Authority - Because the Software is designed to test or monitor the security of computer network systems and may disclose or create problems in the operation
of the systems tested, Licensee and the persons acting for Licensee represent and warrant that: (a) they are fully authorized by the Licensee and the owners of
the computer network for which the Software is licensed to enter into this License and to obtain and operate the Software in order to test and monitor that computer
network; (b) the Licensee and the owners of that computer network understand and accept the risks involved; and (c) the Licensee shall procure and use
the Software in accordance with all applicable laws, regulations and rules.
14. Disclaimers - Licensee acknowledges that some of the Software is designed to test the security of computer networks and may disclose or create problems in
the operation of the systems tested. Licensee further acknowledges that the Software is not fault tolerant and is not designed or intended for use in hazardous
environments requiring fail-safe operation, including, but not limited to, aircraft navigation, air traffic control systems, weapon systems, life-support systems,
nuclear facilities, or any other applications in which the failure of the Licensed Software could lead to death or personal injury, or severe physical or property
damage. ISS disclaims any implied warranty of fitness for High Risk Use. Licensee accepts the risk associated with the foregoing disclaimers and hereby
waives all rights, remedies, and causes of action against ISS and releases ISS from all liabilities arising therefrom.
15. Confidentiality - “Confidential Information” means all information proprietary to a party or its suppliers that is marked as confidential. Each party acknowledges
that during the term of this Agreement, it will be exposed to Confidential Information of the other party. The obligations of the party (“Receiving Party”) which
receives Confidential Information of the other party (“Disclosing Party”) with respect to any particular portion of the Disclosing Party’s Confidential Information
shall not attach or shall terminate when any of the following occurs: (i) it was in the public domain or generally available to the public at the time of disclosure to
the Receiving Party, (ii) it entered the public domain or became generally available to the public through no fault of the Receiving Party subsequent to the time
of disclosure to the Receiving Party, (iii) it was or is furnished to the Receiving Party by a third party having the right to furnish it with no obligation of confidentiality
to the Disclosing Party, or (iv) it was independently developed by the Receiving Party by individuals not having access to the Confidential Information of
the Disclosing Party. Each party acknowledges that the use or disclosure of Confidential Information of the Disclosing Party in violation of this License could
severely and irreparably damage the economic interests of the Disclosing Party. The Receiving Party agrees not to disclose or use any Confidential Information
of the Disclosing Party in violation of this License and to use Confidential Information of the Disclosing Party solely for the purposes of this License. Upon
demand by the Disclosing Party and, in any event, upon expiration or termination of this License, the Receiving Party shall return to the Disclosing Party all copies
of the Disclosing Party’s Confidential Information in the Receiving Party’s possession or control and destroy all derivatives and other vestiges of the Disclosing
Party’s Confidential Information obtained or created by the Disclosing Party. All Confidential Information of the Disclosing Party shall remain the exclusive
property of the Disclosing Party.
16. Compliance - From time to time, ISS may request Licensee to provide a certification that the Licensed Software is being used in accordance with the terms of
this License. If so requested, Licensee shall verify its compliance and deliver its certification within forty-five (45) days of the request. The certification shall state
Licensee’s compliance or non-compliance, including the extent of any non-compliance. ISS may also, at any time, upon thirty (30) days prior written notice, at its
own expense appoint a nationally recognized independent auditor, to whom Licensee has no reasonable objection, to audit and examine records at Licensee
offices during normal business hours, solely for the purpose of confirming that Licensee’s use of the Licensed Software is in compliance with the terms of this
License. ISS will use commercially reasonable efforts to have such audit conducted in a manner such that it will not unreasonably interfere with the normal business
operations of Licensee. If such audit should reveal that use of the Licensed Software has been expanded beyond the scope of use and/or the number of
Authorized Devices or Licensee certifies such non-compliance, ISS shall have the right to charge Licensee the applicable current list prices required to bring Licensee
in compliance with its obligations hereunder with respect to its current use of the Licensed Software. In addition to the foregoing, ISS may pursue any
other rights and remedies it may have at law, in equity or under this License.
Revised December 20, 2002