How to Disable a SCSP DCS agent running on a Linux system.


Article ID: 181561


Updated On:

Products

Critical System Protection, Data Center Security Server, Data Center Security Server Advanced

Issue/Introduction

 

Resolution

 

  1. Apply the Null policy via the manager
     or
     log in to the machine as 'root' and run the following command:
       ./sisipsconfig.sh -r (this forces the agent to run the built-in policy that is the equivalent of the NULL policy)
  2. Then log in to the machine as 'root' and run the following commands:
    1. Disable the IPS and RT-FIM drivers:
      • su - sisips
      • ./sisipsconfig.sh -i (in 5.2.9 and later you can use -ips off instead, so you do not have to worry about the toggle effect)
        As this is a toggle, make sure the output shows that you have disabled the prevention driver
      • ./sisipsconfig.sh -rtfim off
      • exit
  3. Stop the daemons (as root):
    1. /etc/init.d/sisipsagent stop
    2. /etc/init.d/sisidsagent stop
    3. /etc/init.d/sisipsutil stop
  4. Disable the agent startup scripts:
    Rename the agent scripts, which temporarily breaks any symbolic links in the rc#.d startup scripts:
    1. mv /etc/init.d/sisipsagent /etc/init.d/sisipsagentOFF
    2. mv /etc/init.d/sisidsagent /etc/init.d/sisidsagentOFF
    3. mv /etc/init.d/sisipsutil /etc/init.d/sisipsutilOFF
  5. Reboot the system to cause the drivers to be disabled.
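
To confirm the state the rename step leaves behind, the following check reports whether each init script has been renamed and counts the rc#.d symlinks that no longer resolve. It is an added example, not part of the original article or the vendor's tooling; the `root` argument and the rc directory locations are assumptions.

```shell
#!/bin/sh
# Added example: audit the state left by the rename step of this procedure.
# "root" is a hypothetical parameter (default: the live filesystem) so the
# check can also be run against a mounted image or a test tree.
SCRIPTS="sisipsagent sisidsagent sisipsutil"

# Print one status line per agent script; return 0 only if all are renamed.
check_agent_disabled() {
    root="${1:-}"
    rc=0
    for name in $SCRIPTS; do
        live="$root/etc/init.d/$name"
        off="$root/etc/init.d/${name}OFF"
        if [ -e "$live" ]; then
            echo "ENABLED  $name: $live still present"
            rc=1
        elif [ -e "$off" ]; then
            echo "DISABLED $name: renamed to ${name}OFF"
        else
            echo "MISSING  $name: neither $live nor $off found"
            rc=1
        fi
    done
    return $rc
}

# Count rc#.d symlinks that point at an agent script and no longer resolve.
# Assumption: rc directories live in /etc/rc?.d or /etc/rc.d/rc?.d; this
# differs between distributions.
count_broken_rc_links() {
    root="${1:-}"
    n=0
    for link in "$root"/etc/rc?.d/* "$root"/etc/rc.d/rc?.d/*; do
        [ -L "$link" ] || continue
        case "$(readlink "$link")" in
            *sisipsagent|*sisidsagent|*sisipsutil) ;;
            *) continue ;;
        esac
        # -e follows the symlink, so it fails when the target was renamed.
        [ -e "$link" ] || n=$((n + 1))
    done
    echo "$n"
}
```

Source the file as root and call `check_agent_disabled` and `count_broken_rc_links` with no argument to inspect the live system.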