10.6. Auditing and Monitoring IBM AIX

10.6 Auditing and Monitoring IBM AIX

2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser s personal use without the written permission of Quest Software, Inc. The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document. If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 www.quest.com Email: legal@quest.com Refer to our Web site (www.quest.com) for regional and international office information. Patents Protected by U.S. Patent # 7,979,494 and 8,185,598. Additional patents pending. TRADEMARKS Quest, Quest Software, the Quest Software logo, Simplicity at Work are trademarks and registered trademarks of Quest Software, Inc. For a complete list of Quest Software's trademarks, please see http://www.quest.com/legal/trademark-information.aspx. Other trademarks and registered trademarks are property of their respective owners. InTrust Version 10.6 Last updated February 21, 2013

Contents Introduction... 4 Setup... 5 Requirements... 5 Installation... 5 Getting Started... 8 Agent Setup... 8 Step 1: Install the Agent... 9 Step 2: Establishing a Connection with the Server... 10 Configuring Syslog... 11 Configuring AIX Audit Log... 12 InTrust Configuration... 13 Data Sources... 13 Auditing, Reporting, and Real-Time Monitoring... 16 Use Scenarios... 17 Syslog Configuration Monitoring... 17 Tracking Security Incidents... 17 Appendix A. Audit Log Event Format... 19 Appendix B. InTrust for IBM AIX Reports... 21 About Quest Software, Inc.... 22 Contacting Quest Software... 22 Contacting Quest Support... 22 Third Party Contributions... 23 3

Introduction The IBM AIX Knowledge Pack expands the auditing and reporting capabilities of Quest InTrust to IBM AIX. The Knowledge Pack enables InTrust to work with IBM AIX Syslog, text logs, and Audit log. The following table shows what you can audit and monitor on AIX: DATA SOURCE GATHERING REAL-TIME MONITORING Syslog messages X X Text logs of any format X Configuration file modification X X AIX audit logs X 4

Setup Requirements Installation Requirements The following components are required: InTrust 10.0 or later AIX 5L 5.3 or AIX V6 IBM C++ Runtime Environment Components for AIX (version 8.0 or later) must be installed on the AIX computers where you want to set up InTrust agents. This software is available from the IBM Web site at http://www-1.ibm.com/support/docview.wss?uid=swg24015708 Installation To enable AIX support in InTrust, the AIX Knowledge Pack must be installed on the InTrust server. The Knowledge Pack is installed as part of the main InTrust installation. The following objects are included: Data sources: AIX Audit Log AIX Syslog AIX Accounts Monitoring AIX Text Files Monitoring Gathering policies: AIX: Common Security Events AIX: All Syslog Messages AIX: Accounts monitoring AIX: Text files monitoring AIX: All Events from Audit Log AIX: filesystem events from Audit Log AIX: logins/logouts from Audit Log AIX: process execution events from Audit Log 5

AIX: system object events from Audit Log Import policies: AIX: Common Security Events AIX: All Syslog Messages AIX: Accounts monitoring AIX: Text files monitoring AIX: All Events from Audit Log AIX: filesystem events from Audit Log AIX: logins/logouts from Audit Log AIX: process execution events from Audit Log AIX: system object events from Audit Log Consolidation policies: AIX logs consolidation AIX logs consolidation for the last month Tasks: AIX logs daily collection AIX configuration changes daily collection AIX weekly reporting AIX hosts site AIX: security real-time monitoring policy Reports: AIX login statistics AIX successful logins AIX su activity AIX failed login attempts AIX multiple failed login attempts All AIX syslog events AIX User management AIX Group management AIX Group membership management AIX Configuration files modifications AIX File Permission Changes AIX Password Changes AIX Reboots Rules: su root succeeded Multiple failed logins Login authentication failed Failed su attempt Successful login by root User account created User account removed Group created Group removed User added to the group User removed from the group 6

Syslog.conf file modified Text file modified To install the Knowledge Pack, launch its setup package on the InTrust server. 7

Getting Started The related topics explain the steps you need to take to set up AIX auditing and monitoring, as follows: 1. Install the InTrust agent on each AIX host. 2. Adjust the configuration of Syslog, if necessary. 3. Complete the configuration in InTrust Manager. Agent Setup If you are deploying the agent on an AIX 5L host, make sure IBM C++ Runtime Environment Components for AIX (version 8.0 or later) are installed. For instructions on installing these components, see http://www-1.ibm.com/support/docview.wss?uid=swg21215669. InTrust agents are required for all InTrust auditing and real-time monitoring activities on AIX computers. Before you can audit or monitor such computers, you must do the following: 1. Install the agent. 2. Make the InTrust server aware of the agent and set up agent-to-server communication security. All agent setup procedures must be performed manually on AIX computers. Installing an agent does not make it usable by the server, but only prepares it (unpacks installation files, starts services, etc.). Please make sure that you establish a connection with the desired server. When planning where to install the agent, consider that it requires at least 260 megabytes of disk space (280MB recommended). In addition, make sure that you have enough disk space for the event cache, which is located in /var/intrust by default. You can change the location by editing the agent.ini file located in the directory where you install the agent. If you want to make agent configuration changes, you must complete them before you establish a connection with the InTrust server. To diagnose disk space usage, you can use the Agent-side backup failure and Agentside backup failure resolved rules. Although these rules monitor all kinds of backup failures, the most common reason for a failure is lack of disk space. 8

Uninstalling the agent does not automatically unregister it from InTrust servers. So, you should disconnect agent from each InTrust server it communicates with, for details see the Disconnecting the Agent from the Server section of the Step 2: Establishing a Connection with the Server topic. Step 1: Install the Agent To install an agent, complete the following steps: 1. Log in to the target computer. 2. Copy the adcscm_package.aix_ppc.sh installation script to a local folder on the target computer. This script is located in <InTrust_installation_folder>\InTrust\Server\ADC\Agent\aix_ppc on the InTrust server, where it is put during IBM AIX Knowledge Pack setup. If you use a protocol with text and binary modes for copying (for example, FTP), make sure the mode is set to binary before the copying starts. 3. Start the script:./adcscm_package.aix_ppc.sh You will be prompted to supply the path to the installation directory. 4. The script prompts you whether you want to configure system audit so that the InTrust agent can capture Audit log events. If you answer y, the following changes will be made to the /etc/security/audit/config file: In the start stanza of the file, the streammode option will be set to on. In the stream stanza, the cmds option will be set to the <agent_installation_directory>/intruststreamcmds file. Backup copy of the original /etc/security/audit/config file will be saved to the /etc/security/audit/config_intrust_backup file. After the installation, the agent will be started automatically. There is another way to specify the path to an installation directory supply the location right in the command line. For example:./adcscm_package.aix_ppc.sh /opt/intrustagent In this case the agent will be installed in /opt/intrustagent. To uninstall an agent from the AIX computer 1. Run the following script from the agent's working directory:./uninstall.sh 2. Restore the settings in the start and stream stanzas of the /etc/security/audit/config file to the state they were in before the InTrust agent installation. For that, use the backup stored in the /etc/security/audit/config_intrust_backup file 3. Restart system audit. 9

Step 2: Establishing a Connection with the Server InTrust 10.6 - Auditing and Monitoring IBM AIX To establish a connection between an agent and an InTrust server, log on to the computer where the agent is installed using the root account and run the following command:./adcscm -add ServerName Port [password] where: ServerName specifies the InTrust Server to which you bind the agent. This may be the NetBIOS name, FQDN, or IP address. Port specifies the port number at which the server listens to the requests coming from the agent (that is the same as the listening port you specified for the InTrust server during setup); the default port number is 900. Password is the password for initial agent-server authentication; it is required if the Use authentication option is enabled on the InTrust server (see the Authentication section below).by default this password is the same as the organization password supplied during InTrust Server installation; you can change the agent installation password in InTrust server properties. If you want to use an empty password, supply empty quotation marks ( ). If authentication is disabled on the InTrust server, do not specify any password. Disconnecting the Agent from the Server To disconnect the agent from the InTrust server, run the following command on the AIX computer where the agent is installed:./adcscm -remove ServerName Port Authentication The authentication process is two-sided (both server-side and agent-side) and based on the Secure Remote Password (SRP) protocol. In addition to authenticating clients to the server securely, the SRP exchanges a cryptographically-strong symmetric key as a byproduct of successful authentication, which enables the two parties to communicate steadily. After initial authentication is successfully performed, the authentication password will automatically be changed every week to secure communication between server and agents. The symmetric key is changed every hour. For manually installed agents, you first have to specify the password on the server. By default, this is the organization password you specified during setup. The authentication mechanism will use this password only when establishing connection for the first time; then this password will be changed regularly. If you want to use a password other than the default, take the following steps: 1. In Quest InTrust Manager Configuration Servers, right-click the server name and select Properties. 2. On the Agent tab, select Use authentication and supply a new password for initial authentication. 3. Provide this password to the agent by using the following command on the AIX computer where the agent is installed: 10

./adcscm -add ServerName Port Password Encryption InTrust 10.6 - Auditing and Monitoring IBM AIX Replace Password with the password that you specified in Step 2. You can select to encrypt data communicated between the agent and the server (encryption uses 3DES with a 168-bit key). By default, encryption is enabled. To enable or disable encryption manually 1. In InTrust Manager, open the properties of the server to which the agent reports. 2. On the Agent tab, select or clear the Use encryption check box. 3. Click Apply and close the dialog box. Registering an Agent Alias on the Server After the connection is established, you can register the agent access name (alias) that the server will use to communicate with the agent. Run the following command on the AIX computer where the agent resides:./adcscm -register ServerName Port Alias Replace Alias with the agent name that the server will use for communication with the agent. Agent names must be unique within the scope of an InTrust server. If you want to change the alias, unregister the current alias first. To do that, run the following command on the AIX computer where the agent resides:./adcscm -unregister ServerName Port Alias where Alias is the current agent s name. After that, register the new name as described above. You can view agent names and aliases in an agent s properties dialog box in InTrust Manager. Configuring Syslog Syslog is an important logging facility in AIX. Syslog functionality is provided by the syslogd daemon, which accepts messages from various sources that support logging, and either writes these messages to files or passes them on to other hosts in the network. The syslog.conf file specifies where syslogd sends a message depending on the parameters of the message. For a detailed description of this file's format, see the syslog.conf man page. When you install the InTrust agent on the AIX host, the necessary entries are automatically added to syslog.conf. You do not have to modify any message redirection settings manually. However, as long as you do not modify InTrust-related settings, it is up to you how you configure redirection of messages to other destinations. 11

Configuring AIX Audit Log The AIX audit system provides logging capability and handles system events in the following two ways: Writes event records to log files in "bin mode" Redirects messages to the specified destination in "stream mode" The InTrust agent on the AIX computer relies on stream mode for event records. Auditing starts according to audit system settings, including the following: Accounts to be audited Types of events to be audited for those accounts If your auditing is already configured the way you need, then you do not need to do any further configuration. However, you might still need to configure or adjust the audit settings, as described in the related topics. In this case you primarily need to edit the two settings listed above. Editing Audit Log Configuration Files AIX audit uses the settings in the following files: /etc/security/audit/config /etc/security/audit/events /etc/security/audit/objects /etc/security/audit/bincmds /etc/security/audit/streamcmds This section briefly describes only settings that specify auditable accounts and events. For detailed information about these and other settings, refer to the audit system man pages (man audit) and the Accounting and Auditing on AIX 5L IBM Red Book. The settings in question are configured in the /etc/security/audit/config file. If you did not enable system audit compatibility with the agent during setup, take the following additional steps to enable the InTrust agent to capture Audit log events: 1. In the start stanza of the file, set the streammode option to on: streammode = on 2. In the streams stanza, set the cmds option to the<agent_installation_directory>/intruststreamcmds file, which was created during setup. For example: cmds = /export/home/1604/intruststreamcmds The /etc/security/audit/config file also includes definitions of audit classes and assignments of those classes to individual user accounts. This part of the file looks similar to the following: 12

... classes: general=user_su,password_change,file_unlink,file_link,file_rename,fs_chdi r,fs_chroot,port_locked,port_change,fs_mkdir,fs_rmdir objects=s_environ_write,s_group_write,s_limits_write,s_login_write,s_pass WD_READ,S_PASSWD_WRITE,S_USER_WRITE,AUD_CONFIG_WR... users: root = general,objects,kernel,files... Auditing is configured on a per-user basis. Each audited account is assigned an audit class, which is a grouping of auditable event types. Audit classes are defined in the classes stanza and associated with individual users in the users stanza. You can use default AIX audit class presets, or define your own classes, and associate them with the users whose activity you want to audit. For details on event syntax and any other configuration options, refer to AIX documentation. After editing the /etc/security/audit/config file, restart system audit. InTrust Configuration After you have taken all the necessary configuration steps on the target AIX hosts, the InTrust Manager snap-in takes over all auditing and real-time monitoring operations. This section describes AIX-specific settings that are not explained in the other InTrust documentation. For more details, see the Data Sources topic. Data Sources The AIX Syslog and AIX Audit Log data sources represent the AIX audit trails. The "AIX Text Files Monitoring" and AIX Accounts Monitoring data sources work with files that are not audit trails. AIX Syslog Syslog auditing and real-time monitoring is based on the flow of data intended for the syslogd daemon. The AIX Syslog data source is used to analyze the data flow and capture only the necessary portions of it. This data source uses a list of regular expressions. When the data source is working, it applies the expressions, in the order specified, to each message. The order of the regular expressions matters because message processing stops as soon as the message matches one of the expressions. When parsing takes place, pairs of parentheses are used in regular expressions to break messages up into numbered fields. For example, the following regular expression: 13

^(.{15}) ([-[:alnum:]_.]+) (su)(\[[0-9]*\]){0,1}: \[ID ([0-9]+) [az]+\.[a-z]+\] ('su (.*)' succeeded for (.*) on (.*)) matches the following message: Dec 16 07:29:28 r5 su: [ID 366847 auth.notice] 'su root' succeeded for jsmith on /dev/pts/1 The result is an event with the following fields: FIELD NAME FIELD NUMBER FIELD CONTENTS Computer <2> r5 Description <6> su root succeeded for jsmith on /dev/pts/1 Event ID <5> 366847 Event Source <3> su Insertion String #1 <6> su root succeeded for jsmith on /dev/pts/1 Insertion String #11 <7> root Insertion String #12 <8> jsmith The last regular expression in the predefined data source is designed to match any message. This ensures that the message is not lost. The result of this regular expression is an event where the Description and Insertion String #1 fields both contain the descriptive part of the message, if a descriptive part is present. It is not recommended that you modify predefined regular expressions in the data source. These expressions are required for the reports that come with the AIX Knowledge Pack. These reports will ignore any data resulting from the use of custom regular expressions. If you create a custom Syslog data source with your own regular expressions, make sure you use customized reports based on the data that these regular expressions help capture. Including a lot of complex regular expressions in the data source may slow down Syslog processing significantly. AIX Audit Log In InTrust Manager, the AIX Audit log is represented by the AIX Audit Log data source. Use this data source in any gathering, consolidation and import policies that need to work with Audit log data. In addition to native Audit log events, the InTrust agent writes the following two events: EVENT ID MEANING 60000 The InTrust agent detected that AIX system audit had been stopped 14

EVENT ID MEANING 60001 The InTrust agent detected that AIX system audit had been started (either before or after the start of the agent itself) For information about the format of the resulting event records, see the Appendix A. Text File-Monitoring Data Sources The AIX Accounts Monitoring and AIX Text Files Monitoring scripted data sources are designed to parse specified files. Real-time monitoring rules use these data sources to monitor the files for changes. These scripted data sources are not designed for general-purpose auditing and monitoring of text-based logs. They should be used only on configuration files that preferably do not exceed 100 kilobytes. To collect large text-based logs, use Custom Text Log Events data sources, as described in the Auditing Custom Logs with InTrust document. To specify the file paths, edit the appropriate parameters of the data sources. For example, to monitor the /etc/hosts.allow and /etc/hosts.deny files, take the following steps: 1. Open the properties of the AIX Text Files Monitoring data source. 2. On the Parameters tab, select the TextFiles parameter and click Edit. 3. Supply /etc/hosts.allow and /etc/hosts.deny in the dialog box that appears. Similarly, you can edit the UsersFile and GroupsFile parameters of the AIX accounts monitoring data source if the location of the passwd and groups files differs from the default on your AIX hosts. Monitoring the passwd and groups files makes sense if your AIX environment does not use a directory solution. With a directory in place, information in these files is not important or representative. Script Event Provider Data Sources InTrust provides an additional option to create a custom data source using the Script Event Provider. This functionality allows to create a script that starts with pre-set frequency. Under some conditions that are specified in this script events are generated and then are passed to the InTrust agent. Events are stored in the agent's backup cache. From there, the events can be captured by the gathering or real-time monitoring engine. You can specify in the certain script: what information is stored and how it is ordered in the certain events, what conditions are required for event generation. To create a custom data source with Script Event Provider 1. Right-click the Configuration Data Sources node and select New Data Source. 15

2. In the New Data Source Wizard, select the Script Event Provider data source type. 3. On the Script step select the script language and enter your script text using XML editor. 4. On the same step specify a frequency of the script running. 5. Complete the remaining steps. Auditing, Reporting, and Real-Time Monitoring AIX auditing, reporting, and real-time monitoring is similar to working with any other system supported by InTrust. There is only one important difference that refers to active scheduling of the InTrust tasks. For information see the warning note below. An active schedule is required to make the agent cache events. If the schedule is disabled, no events are stored. Since all data sources described above use event caching, it is recommended that you use at least one task for the data sources that run regularly. If you want to gather data only on demand, you must still enable the schedule for your task or tasks, but set it to a point in the future or in the past. The other AIX auditing, reporting and real-time monitoring operations do not have special requirements, and you can perform them as described in the InTrust User Guide. 16

Use Scenarios This section describes typical situations in a production environment and outlines how InTrust helps handle them. For information about specific procedures, such as creating tasks and jobs or activating rules, see the InTrust User Guide. Syslog Configuration Monitoring Tracking Security Incidents Syslog Configuration Monitoring Suppose you use a finely-tuned Syslog audit policy in your environment. Your audit configuration has proven efficient and reliable, and you do not want anyone but a few trusted administrators to be able to change it. Even so, you want to know immediately if the audit policy is modified in any way. Use InTrust real-time monitoring capabilities to enable immediate notification. Syslog audit configuration is defined in the syslog.conf file, so the solution in this case is to monitor this file with InTrust and send an alert whenever the file is modified. Enable the Syslog.conf file modified rule and supply the appropriate file paths as the rule's parameter. Tracking Security Incidents You want to receive daily information about possible security issues in your environment, such as brute force attack attempts. You can achieve this by scheduling gathering and reporting jobs with InTrust. Take the following vdsteps: 1. Make sure that syslogd is running. 2. Create an InTrust task that gathers Syslog events from the appropriate site (gathering job) and builds reports based on the gathered data (reporting job).the resulting reports are stored in the local folder that is specified during InTrust installation (for details, see the Specifying reporting settings section in the InTrust Installation and Configuration Guide). 3. A good report for this scenario is AIX Multiple failed login attempts. It is up to you whether you want to store the gathered data in an InTrust repository. You can also include a notification job to get notified of task completion. 17

4. Schedule the task to run every morning at a convenient time. 18

Appendix A. Audit Log Event Format This section describes the format to which the InTrust agent converts the Audit log trails it receives. A typical Audit log trail is like this: Wed Jun 20 15:37:16 2007 FS_Mkdir jsmith OK smbd root 450648 245934 819443 00C8967E4C000000 mode: 755 dir: tmp/data From these trails, the agent produces event records for the audit database. Each event record has a fixed number of fields, which are described in the following table. These fields are always present, even if their values are empty. FIELD ProviderName Priority LocalTime GMT DataSourceName HostName DataSourceId Insertion String 1 Insertion String 2 Insertion String 3 Insertion String 4 Insertion String 5 Insertion String 6 DETAILS For all events, the value of this field is empty. For all events, the value of this field is 2, meaning Normal. The local time of the event. The time of the event represented in GMT format. For all events, the value of this field is "AIX 5L Audit Log" The name of the AIX host where the InTrust agent captured the event. InTrust's internal ID of the agent's AIX auditing engine. For all events, the value of this field is "{B0CAB4B0-F676-4E2A-A345- A6071279D8FC}" Event name such as FS_Rmdir, FILE_Unlink and so on. User account under which the program ran. This may not be the same as the user account that opened the login session. Auditing status according to system audit. Name of the program that caused the event. For events 60000 and 60001, the value is "InTrust collector for AIX audit log" User account that first opened the login session. In the course of the session, the account may have been substituted. Process ID of the program that caused the event. 19

FIELD Insertion String 7 Insertion String 8 Insertion String 9 DETAILS Process ID of the program's parent process. Thread ID of the program that caused the event. CPU ID used by the program. Insertion String 10 Same as Insertion String 2. Insertion String 11 Same as Insertion String 5. Insertion String 12 Description The formatted but unmodified contents of the audit trail. Events 60000 and 60001 provide their own descriptions. For other events, the value is the same as Insertion String 12. UserName Same as Insertion String 5. Category Same as Insertion String 1. Source Same as Insertion String 4. TimeGenerated TimeWritten EventType Event generation time in GMT format. Event record time in GMT format. For event 60000, the value of this field is 2, meaning Warning. For all other events, the value is 4, meaning Information. EventID Can be 0, 60000 or 60001. For all native Audit log events, the value of this field is 0. Events with the IDs 60000 and 60001 are not native events. They are generated by the agent when it detects system audit stop and start, respectively. PlatformID The ID of the AIX platform; 640 for all events. 20

Appendix B. InTrust for IBM AIX Reports This section briefly lists the categories of predefined InTrust reports that can be generated on event data collected from IBM AIX computers. Administrative activity: Account management Policy changes Permissions Management Reboots Logons For complete list of reports and report descriptions refer to the InTrust 10.6 Reports for IBM AIX HTML document. 21

About Quest Software, Inc. Established in 1987, Quest Software (Nasdaq: QSFT) provides simple and innovative IT management solutions that enable more than 100,000 global customers to save time and money across physical and virtual environments. Quest products solve complex IT challenges ranging from database management, data protection, identity and access management, monitoring, user workspace management to Windows management. For more information, visit www.quest.com. Contacting Quest Software Email Mail Web site info@quest.com Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA www.quest.com Refer to our Web site for regional and international office information. Contacting Quest Support Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to our Support Portal at www.quest.com/support From our Support Portal, you can do the following: Retrieve thousands of solutions from our online Knowledge Base Download the latest releases and service packs Create, update and review Support cases View the Global Support Guide for a detailed explanation of support programs, online services, contact information, policies and procedures. The guide is available at: www.quest.com/support. 22

Third Party Contributions InTrust, version 10.6 contains some third party components (listed below). Copies of their licenses may be found at http://www.quest.com/legal/third-party-licenses.aspx. COMPONENT LICENSE OR ACKNOWLEDGEMENT boost 1.32.0 Boost License version 1.0 CLucene 0.9 Apache version 1.1 This product includes software developed by the Apache Software Foundation (http://www.apache.org.) expat 1.95.5 MIT flex 2.5.4, 2.5.25, 2.5.27 flex 2.5.25/27 GNU standard C++ class library 3* Net-SNMP 5.0.3 GPL 2.0 with the "runtime exception" Net-SNMP OpenSSL 0.9.6g OpenSSL 1.0 This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/) SpiderMonkey 1.5* Netscape Public License ("NPL") 1.1 Stanford SRP 1.7.5 Windows Installer XML toolset (WIX) 3.5.1811.0 Stanford SRP This product includes software developed by Tom Wu and Eugene Jhong for the SRP Distribution (http://srp.stanford.edu/). This product uses the "Secure Remote Password' cryptographic authentication system developed by Tom Wu (tjw@cs.stanford.edu). Common Public License 1.0 ZLib 1.1.4 zlib 1.2.3 Copyright 1995-2005 Jean-loup Gailly and Mark Adler libiconv 1.1 LGPL (GNU Lesser General Public License) 2.1 NLog 2.0 BSD - Kowalski 2011 * a copy of the source code for this component is available at http://rc.quest.com. License agreement texts are provided in the Third Party Licenses HTML document. 23