How does the automatic archive restore work in VigilEnt Security Agent for BEA WebLogic? (NETIQKB26168)

  • 7726168
  • 02-Feb-2007
  • 08-Sep-2008

Resolution

goal
How does the automatic archive restore work in VigilEnt Security Agent for BEA WebLogic?

fact
VigilEnt Security Agent for BEA WebLogic 1.0

fact
VigilEnt Security Agent for BEA WebLogic 1.1

fact
VigilEnt Security Agent for BEA WebLogic 1.1.1

fix

The automatic archive restore feature performs the same functions as a manual restore. In sequence, its behavior follows the steps below for a locked-down server:

  1. The file system checker detects changes to the file system according to the schedule that the administrator defines.

  2. If the notifier agent is configured and active, the file system checker sends a notification to the system administrator that files have changed.

  3. The archive restorer does nothing and waits for another scheduled evaluation of the file system by the file system checker. If more changes have occurred, it continues to wait until the file system checker returns two consecutive reports with the same number of changes in them. This indicates that changes to the monitored file system have stopped. (Every time the file system checker runs, notification is sent to the administrator.)

  4. The archive restorer preserves the modified (or hacked) files of the locked-down content in a new archive.

  5. All the files of the locked-down content are deleted.

  6. The most recent baseline archive of the locked-down content is restored.

  7. The newly restored contents are re-archived to create a new baseline for comparison and restoration. This occurs at the next scheduled execution of the lockdown agent.


note
The archive restore mechanism checks only for changes to the locked-down system. It has no way to determine whether the changes made to files are legitimate or illegitimate. Therefore, the administrator must deactivate the lockdown mechanism when making changes to the content. After changes to the contents are complete, the administrator should lock down the contents again to create a new baseline archive.
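The sequence in steps 1 to 6 can be modelled as a small state machine. The following Python sketch is an added illustration, not NetIQ code: the class name, the directory layout and the use of SHA-256 hashes to detect changes are assumptions, since the article does not say how the file system checker compares files.

```python
import hashlib, shutil, tempfile
from pathlib import Path

def snapshot(root):
    """Map relative path -> SHA-256 for every file under root."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

class ArchiveRestorer:  # hypothetical name, models the checker plus the restorer
    def __init__(self, content, baseline_dir, preserved_dir):
        self.content, self.baseline_dir, self.preserved_dir = content, baseline_dir, preserved_dir
        self.baseline = snapshot(baseline_dir)
        self.last_count, self.notifications = None, 0  # previous report's count; notifier stand-in

    def run_check(self):
        """One scheduled file system check; returns the action taken."""
        now = snapshot(self.content)                            # step 1: detect changes
        diff = {p for p in self.baseline.keys() | now.keys()
                if self.baseline.get(p) != now.get(p)}
        if not diff:
            self.last_count = None
            return "clean"
        self.notifications += 1                                 # step 2: notify administrator
        if len(diff) != self.last_count:                        # step 3: count moved, wait
            self.last_count = len(diff)
            return "waiting"
        shutil.copytree(self.content, self.preserved_dir)       # step 4: preserve modified files
        shutil.rmtree(self.content)                             # step 5: delete locked-down content
        shutil.copytree(self.baseline_dir, self.content)        # step 6: restore baseline
        self.last_count = None  # step 7 (re-archive) is left to the lockdown agent
        return "restored"

def demo():
    """Constructed scenario: two rounds of changes, then the file system goes quiet."""
    with tempfile.TemporaryDirectory() as d:
        content, baseline, preserved = (Path(d) / n for n in ("content", "baseline", "preserved"))
        content.mkdir()
        (content / "index.html").write_text("original")
        shutil.copytree(content, baseline)          # baseline archive taken at lockdown
        r = ArchiveRestorer(content, baseline, preserved)
        (content / "index.html").write_text("modified")
        actions = [r.run_check()]                   # 1 change, first report
        (content / "extra.jsp").write_text("added")
        actions.append(r.run_check())               # 2 changes: count moved, keep waiting
        actions += [r.run_check(), r.run_check()]   # same count twice: restore, then clean
        return (actions, snapshot(content) == r.baseline,
                (preserved / "extra.jsp").exists(), r.notifications)

if __name__ == "__main__":
    print(demo())
```

As in the note above, the model reverts any difference from the baseline, so an administrator's own edits made while lockdown is active would be restored away in the same manner.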

Additional Information

Formerly known as NETIQKB26168