DCS IPS policy remains disabled for approx 10+ minutes after a power up cycle


Article ID: 239346


Updated On:

Products

Data Center Security Server Advanced

Issue/Introduction

Problem Scenario:

  1. A policy has been set to override for 30 minutes on a Linux server.
  2. The Linux computer is shut down and remains in an off state for an hour.
  3. The computer is started up again. The expectation is that, since the override was for 30 minutes and the computer was off for 30 minutes longer than the override period, the IPS/Prevention Policy will become effective immediately.
  4. Instead, when the Linux host loads the agent and the IPS driver, the IPS continues to be in a disabled state for approximately 8-10 minutes, and sometimes longer.

Steps to Reproduce:

  1. Override the SDCSS Prevention policy for 15 minutes.
  2. Shut down the host for 30 minutes. Let the override timer expire while the host is in the powered-down state.
  3. Power up the host.
  4. After power-up, observe that the Prevention Policy remains Disabled even though the timer set by the user has expired.
  5. It takes approximately 8-10 minutes for the Prevention Policy to update to Enabled.


Impact: 

The SDCSS Agent is not adhering to the policy override timer set by the user. It is allowing additional time without IPS enabled. This may lead to security attacks while the user is under the false assumption that IPS would be enabled immediately after timer expiry.

Reproducible across multiple SDCS Agent versions.

Reproduced on SDCSS Agent Versions: 6.8.0 (build 309), 6.8.2 (build 757), 6.9.1 (build 505)


Environment

Release : 6.8x, 6.9.0x

Component : Default-Sym

OS : RHEL 7.6 /RHEL 7.9


Cause

Minor defect corrected in the DCS agent for Linux 6.9.1.530 and later.

Resolution

Upgrade the DCS agent for Linux to version 6.9.1.530 or later.