How to set up PortMon
To install PortMon, you need to download portmon3.xOSPlatform-m64.wzpkg, portmonWEB3.xe.tar, and the wzshRUN wzsh runtime environment, and obtain a license for both PortMon and wzshRUN.
First, install wzshRUN and then the PortMon package:
# cd /tmp
# chmod +x wzshRUN*.wzpkg portmon3.2*.wzpkg
# ./wzshRUN*.wzpkg
# ./portmon3.2*.wzpkg
Then install the PortMon license into /usr/local/etc/wzshapp.licd/ and the wzshRUN license as /etc/wzshRUN.lic.
Next, change directory to your Apache web server's DocumentRoot (check the Apache configuration file on your machine to find the DocumentRoot and the CGI directory) and create a sub-directory there:
# mkdir portmon; chmod 755 portmon
If you have a development machine with the same PHP version and the same or an older OS version, with the gcc C compiler and the php-devel package installed, use it to build WZIS Software's PHP extension module wzis.so for that PHP version (an older OS keeps the module from depending on newer system libraries than the production box has), then copy wzis.so to the production box and install it under PHP's extension_dir there. Otherwise, the machine running PortMon needs php-devel and gcc installed; to build and install the module, run the wzisphpmodSRC1.x-OS.platform-m64.pkg file.
Also add
extension=wzis.so
to PHP's php.ini file, then unpack the web files into the directory just created:
# cd portmon
# tar xvf /path/to/portmonWEB3.xe.tar
# chmod 644 *
Then make sure PHP is installed and its Apache module is configured; from version 3.0 onwards PortMon requires PHP.
Also make /var/portmon owned by the HTTP server process owner (check "ps -ef|grep httpd" to get the process owner name); assuming it is called web-owner:
# chown web-owner /var/portmon
# chmod 700 /var/portmon
(A directory needs the execute bit for its owner to enter it, so use 700 rather than 600; 700 still keeps every other user out.)
On Linux with SELinux enabled, two more steps are needed so that httpd may access the directory and open outbound connections to the monitored ports:
# chcon -R -t httpd_sys_content_t /var/portmon
# setsebool httpd_can_network_connect 1
Note that httpd_sys_content_t lets httpd read the directory; if PortMon needs to write there, the writes show up as AVC denials and are handled by the SELinux procedure below. Also, setsebool without -P does not survive a reboot; use "setsebool -P httpd_can_network_connect 1" to make the change persistent.
To set the initial password for PortMon administration, make sure httpd is already running and the php executable is in the PATH environment, then run:
# /opt/portmon/bin/setwebpass portmon
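The directory, ownership and php.ini steps above collected into reusable shell functions. This is an added example, not code from the PortMon package or its documentation: the Apache config and php.ini paths are passed in by the caller and are assumptions for your distribution, the /var/portmon and /opt/portmon paths are the ones the instructions name, and the config file used in the usage note is constructed for illustration.

```sh
#!/bin/sh
# Added example (not part of PortMon): the web-directory setup steps as functions.

# Print the value of a single-valued Apache directive (DocumentRoot, User, ...)
# from one config file. Full-line comments are ignored, surrounding quotes are
# stripped, and the last occurrence wins. Include'd files are not followed and
# the directive name is matched case-sensitively (an assumption that suits the
# stock httpd.conf).
apache_directive() {
    # $1 = directive name, $2 = config file
    sed -n -e 's/^[[:space:]]*#.*$//' \
           -e "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" "$2" \
        | tail -n 1 | sed -e 's/^"//' -e 's/"*[[:space:]]*$//'
}

# Enable the wzis.so extension in php.ini exactly once (idempotent), so that
# re-running the setup does not stack duplicate extension= lines.
php_enable_wzis() {
    # $1 = php.ini path
    grep -qE '^[[:space:]]*extension[[:space:]]*=[[:space:]]*"?wzis(\.so)?"?[[:space:]]*$' "$1" \
        || printf 'extension=wzis.so\n' >> "$1"
}

# Create DocumentRoot/portmon, optionally unpack the web tarball into it, and
# hand /var/portmon to the httpd process owner. Must run as root. The owner is
# taken from Apache's User directive, the same account "ps -ef|grep httpd"
# shows for the worker processes.
portmon_web_setup() {
    # $1 = Apache config file (e.g. /etc/httpd/conf/httpd.conf)
    # $2 = php.ini path
    # $3 = path to portmonWEB3.xe.tar (optional)
    docroot=$(apache_directive DocumentRoot "$1")
    owner=$(apache_directive User "$1")
    if [ -z "$docroot" ] || [ -z "$owner" ]; then
        echo "DocumentRoot or User not found in $1" >&2
        return 1
    fi
    mkdir -p "$docroot/portmon" && chmod 755 "$docroot/portmon"
    if [ -n "$3" ]; then
        tar xf "$3" -C "$docroot/portmon" && chmod 644 "$docroot/portmon"/*
    fi
    php_enable_wzis "$2"
    mkdir -p /var/portmon
    chown "$owner" /var/portmon
    # 700, not 600: the owner needs the execute bit to enter the directory
    chmod 700 /var/portmon
    # afterwards, with httpd running and php in PATH: /opt/portmon/bin/setwebpass portmon
}
```

Usage: source the file and run "portmon_web_setup /etc/httpd/conf/httpd.conf /etc/php.ini /path/to/portmonWEB3.xe.tar" as root. Reading the owner from the User directive rather than from ps avoids picking up the root-owned parent httpd process by mistake.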
If PortMon does not work as expected on a system with SELinux, you can either set the SELinux mode for httpd to permissive, or, if you want to keep enforcing mode, temporarily change the mode to permissive for testing (setenforce 0, the counterpart of the setenforce 1 in the last step), collect the denials that PortMon triggers, and build a policy module from them:
1. cd /var/log/audit
2. cp -p audit.log audit.log.old
3. cp /dev/null audit.log
4. Add monitors for the different types of TCP services to PortMon and use PortMon to view the results; also bring a service down to test the email that PortMon should send, and confirm that everything works as expected.
5. grep avc audit.log|audit2allow -M portmon
   (Review the generated portmon.te before installing it: audit2allow allows every denial it is fed, including denials from other services that happened to occur during the test window. Remove rules that do not belong to httpd's actions for PortMon.)
6. semodule -i portmon.pp
7. cp -p audit.log audit.log.1st
8. cp /dev/null audit.log
9. Do another round of tests on PortMon.
10. grep avc audit.log
11. If the above shows no denied avc events for PortMon's actions, jump to step 13. If it does, then
semodule -r portmon
grep -h avc audit.log audit.log.1st|audit2allow -M portmon
semodule -i portmon.pp
grep avc audit.log >>audit.log.1st
(grep -h drops the "filename:" prefix that grep adds to each line when given two files, so audit2allow sees plain audit records.)
12. Repeat steps 8-11.
13. Change SELinux mode back to enforcing now: setenforce 1.
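Steps 5, 10 and 11 above grep every "avc" line in the audit log, so any denial from an unrelated service during the test window would also end up in portmon.pp. The functions below, an added example that is not part of PortMon or its documentation, narrow the input to denials raised by the web server's SELinux domain (httpd_t) and give a count to decide whether another round is needed. The audit record format is the standard auditd one; the sample log is constructed for the test, and audit2allow is assumed to be installed (policycoreutils) for the build function.

```sh
#!/bin/sh
# Added example (not part of PortMon): select only httpd_t AVC denials for audit2allow.

# Print AVC denials whose source context is the httpd_t domain. Matches the
# standard auditd line format, e.g.
#   type=AVC msg=audit(...): avc:  denied  { write } for  pid=... comm="httpd" ... scontext=system_u:system_r:httpd_t:s0 ...
# Exits 0 even when nothing matches so it can be used under set -e.
portmon_avc_denials() {
    # $1 = audit log file (e.g. /var/log/audit/audit.log)
    grep -E 'type=AVC .*avc: +denied ' "$1" | grep -E 'scontext=[^ ]*:httpd_t:' || true
}

# Number of httpd_t denials in the log; 0 means the current portmon module
# already covers everything PortMon did during the test round.
portmon_avc_count() {
    portmon_avc_denials "$1" | wc -l | tr -d ' '
}

# Build portmon.te / portmon.pp in the current directory from httpd_t denials
# only. Still review portmon.te before "semodule -i portmon.pp": audit2allow
# allows whatever it is fed, so a denial caused by a misconfiguration (rather
# than by PortMon's legitimate needs) would become a permanent allow rule.
portmon_build_policy() {
    # $1 = audit log file
    portmon_avc_denials "$1" | audit2allow -M portmon
}

# Constructed sample log for offline testing: two httpd_t denials (PHP under
# httpd writing into /var/portmon, and httpd connecting out to a monitored
# port) plus one denial from another domain and a SYSCALL record, both of
# which must be ignored.
portmon_write_sample_audit() {
    # $1 = file to write
    cat > "$1" <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=2101 comm="httpd" name="portmon" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { name_connect } for  pid=2102 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read } for  pid=977 comm="cupsd" name="printers.conf" dev="dm-0" ino=512 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=2 success=yes exit=5 a0=7ffd items=1 ppid=1 pid=977 comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0
EOF
}
```

Usage: after a test round, "portmon_avc_count /var/log/audit/audit.log" replaces the manual inspection in step 10/11, and "portmon_build_policy /var/log/audit/audit.log" replaces the grep|audit2allow pipeline in steps 5 and 11. The cupsd denial in the sample is the kind of unrelated record the page's plain "grep avc" would have turned into an allow rule.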
For better security, consider serving PortMon over HTTPS. The following is a tutorial on how to set up https with the Apache server:
how to set up https