1. About Verisys

1.1. What is Verisys?

Verisys is an advanced system and file integrity monitoring solution for Windows, Linux and network devices that allows you to maintain the integrity of business critical files and data by detecting unauthorised changes.

Centralised Administration

A key component of Verisys is the central administration console, which allows you to configure and control all of the Verisys Agents deployed across your enterprise. The central Verisys Console simplifies the management of large or distributed Agent deployments and enables centralised integrity checks, reporting and licensing administration.

The deployed Verisys Agents examine a large number of properties and attributes of each file, as well as utilising strong cryptography, to ascertain whether any changes have been made. You can change the properties that are scanned for each file, group files together and schedule integrity checks to run unattended. By using the reporting and alerting tools, Verisys will automatically send an email to alert key personnel of unauthorised changes, write to the Windows Event Log, send events to syslog, run an arbitrary command or generate a discrepancy report.

File integrity monitoring is an important aspect of a proactive company IT policy, auditing and achieving regulatory compliance (such as PCI DSS or SOX). Key to compliance measures is your systems achieving a known and trusted state - and being able to demonstrate that your systems maintain this state. Verisys File Integrity Monitor provides a simple solution to your compliance requirements, giving you confidence that the integrity of your business data has not been compromised.

The Verisys Console and Agents enable widespread monitoring and reporting of your business systems allowing you to establish a comprehensive audit trail, while simplifying and bolstering your IT security through improved change management and integrity monitoring.

2. Deploying Verisys

2.1. Licensing

Verisys is licensed based on the number of Agents you deploy to monitor servers or workstations – no license is required for the Verisys Console. Each license entitles you to deploy one Verisys Agent to a single server or workstation.

In order to use the Verisys Console to manage deployed Verisys Agents you will need to install license files in the Console. This is a simple process and is detailed here.

If you lose your license files please contact [email protected] with your company details and purchase information and we can supply you with replacements.

Additional licenses can be purchased at https://www.ionx.co.uk.

2.2. Security Certificates

In order to install the Verisys Console or the Verisys Agent you will require a Verisys certificate, which you will receive when you purchase Verisys. The same certificate must be installed to the Verisys Console and Agents, as it is used to secure communications between the Console and Agents.

If you lose your Verisys certificate please contact [email protected] with your company details and purchase information and we can supply you with a new certificate.

2.3. Minimum Hardware and Software Requirements

The Verisys Console and Agent require Microsoft .NET Framework 4.0 or 4.5 when installed on Microsoft Windows. Please note that Verisys Console is not supported on Linux systems.

2.3.1. Agent

In order to install the Verisys Agent your system must meet the following requirements:

Processor:

1GHz x86-compatible or x64-compatible CPU

Memory:

256MB (512MB recommended)

Hard Disk:

250MB of available space

Network:

Wired or wireless Ethernet

Operating System:

Microsoft Windows XP Professional SP3

Microsoft Windows Vista

Microsoft Windows 7

Microsoft Windows 8.1

Microsoft Windows 10

Microsoft Windows Server 2003

Microsoft Windows Server 2003 R2

Microsoft Windows Server 2008

Microsoft Windows Server 2008 R2

Microsoft Windows Server 2012

Microsoft Windows Server 2012 R2

Microsoft Windows Server 2016

CentOS 5.6 – 7.2

Red Hat Enterprise Linux 5.2 – 7.2

SUSE Linux Enterprise Server 11 SP1 – 11 SP3

Debian 7.6.0

Ubuntu 12.04 – 16.04

2.3.2. Console

In order to install the Verisys Console your system must meet the following requirements:

Processor:

1GHz x86-compatible or x64-compatible CPU

Memory:

512MB (1GB recommended)

Hard Disk:

300MB of available space

Network:

Wired or wireless Ethernet

Operating System:

Microsoft Windows XP Professional SP3

Microsoft Windows Vista

Microsoft Windows 7

Microsoft Windows 8.1

Microsoft Windows 10

Microsoft Windows Server 2003

Microsoft Windows Server 2003 R2

Microsoft Windows Server 2008

Microsoft Windows Server 2008 R2

Microsoft Windows Server 2012

Microsoft Windows Server 2012 R2

Microsoft Windows Server 2016

2.4. Installing Verisys Agent

2.4.1. Microsoft Windows

Before installing the Verisys Agent, ensure you have a Verisys Certificate. There are two installers for the Verisys Agent; one for x86 systems and another for x64 systems. When you purchase Verisys you will receive both. Follow the steps below to install Verisys Agent:

  1. Double-click the .MSI file and follow the instructions on each screen

  2. During installation you will be prompted to select your Verisys Certificate. You can use the Browse button to locate your certificate

  3. The installation wizard will complete the installation, and the Verisys Agent service will automatically be started

By default the Verisys Agent will listen for connections from the Verisys Console on TCP port 3313, on all interfaces. You should not normally need to change this, but if required you can do so using the Verisys Agent Configuration Utility, which is installed with the Verisys Agent.

2.4.2. Linux

Before installing the Verisys Agent, ensure you have a Verisys Certificate. There are two installers for the Verisys Agent; one for x86 systems and another for x64 systems. When you purchase Verisys you will receive both. Follow the steps below to install Verisys Agent:

  1. Copy the installer and Verisys Certificate to the target machine

  2. Ensure the installer is executable by running the following command:

chmod +x verisys-agent-x64.sh

  3. Running as root, execute the installer

For x64:

./verisys-agent-x64.sh

For x86:

./verisys-agent-x86.sh

  4. A summary of the installation configuration will be displayed. If you wish to proceed with the displayed settings, press y, otherwise press n and a list of configurable options will be displayed

  5. The EULA will be displayed and must be accepted before installation can continue

  6. The installer will complete the installation, and the Verisys Agent service (verisys-agent) will automatically be started

2.5. Installing Verisys Console

Before installing the Verisys Console, ensure you have a Verisys Certificate. There are two installers for the Verisys Console; one for x86 systems and another for x64 systems. When you purchase Verisys you will receive both. Follow the steps below to install Verisys Console:

  1. Double-click the .MSI file and follow the instructions on each screen

  2. During installation you will be prompted to select your Verisys Certificate. You can use the Browse button to locate your certificate

  3. During installation you will be prompted to enter a login password. Users will not be able to start the Verisys Console without first entering this password

  4. During installation you will be prompted to select reports database options. The reports database is used to store discrepancy reports that have been gathered from deployed Agents.

You can select SQLite (which requires no further configuration), or advanced users can select Microsoft SQL Server. SQLite is recommended for small deployments (1-20 Agents), while Microsoft SQL Server is recommended for larger deployments (20+ Agents) where you have an existing installation of Microsoft SQL Server.

If using Microsoft SQL Server you will need to provide connection details so the Verisys Console can communicate with the database server. You will also need to specify the name of a database that Verisys will use to store discrepancy reports – for new installations this must be an empty database, but if you are upgrading an existing Verisys Console installation you should supply the name of your existing database. The credentials used must have db_owner access to the database. You may need to contact your Database Administrator if you do not have this information.

  5. The installation wizard will complete the installation

  6. Upon starting the Verisys Console you will need to install licenses before you can start managing deployed Agents

2.6. Firewalls

By default the Verisys Console communicates with deployed Agents using TCP port 3313. Note that on Windows systems you can change the port Agents listen on using the Verisys Agent Configuration Utility, which is installed with the Verisys Agent. On Linux systems it can be changed by editing the file /opt/ionx/verisys-agent/etc/verisys-agent.conf and then restarting the verisys-agent service.


When monitoring network devices, network device rules are assigned to Agents that perform the integrity checks. The Agents must be able to communicate with the network devices on the appropriate TCP port (e.g. 23 for Telnet, 22 for SSH/SCP/SFTP).

3. Concepts & Navigation

3.1. Verisys File Integrity Monitoring

File integrity monitoring is an important aspect of a proactive company IT policy, auditing and achieving regulatory compliance (such as PCI DSS or SOX). Key to compliance measures is your systems achieving a known and trusted state - and being able to demonstrate that your systems maintain this state. Verisys File Integrity Monitor provides a simple solution to your compliance requirements, giving you confidence that the integrity of your business data has not been compromised.

A baseline snapshot of the current system state is taken and according to your configuration Verisys will automatically compare the system against this baseline to detect any changes. Using the Console, you can also start an integrity check manually at any time.

Verisys Agents examine a large number of properties and attributes of each file to ascertain whether any changes have been made. Rather than simply check basic object properties, Verisys performs a complex cryptographic hashing algorithm on the actual data contained within each file - if files are altered in any way, Verisys will detect it.

Using the Verisys Console, agents can be configured to monitor specific files or groups of files using wildcards, and can recurse through a directory structure. You may have different monitoring requirements for some objects (for example you may wish log files to be able to grow but want to detect any alterations to previously logged data). Verisys accordingly allows you to configure different monitoring levels to give you control over what properties are observed.

In your environment some system objects may be more critical than others, so Verisys allows you to set a priority for each monitoring rule, enabling different actions to be taken automatically.

Operating system and application templates for common system configurations are included to help you get started.

3.2. Verisys Console

A key component of Verisys is the central administration console, which allows you to configure and control all of the Verisys Agents deployed across your enterprise. The central console simplifies the management of large or distributed agent deployments and enables centralised integrity checks, reporting and licensing administration.

Jobs and rulesets can be configured and published to any number of agents using the Verisys Console, which reduces errors and rollout time, and simplifies the implementation of compliance procedures.

Automated integrity checks can be scheduled from the Verisys Console including the ability to configure responsive actions to take once an integrity check has identified discrepancies. Integrity checks can also be initiated on an ad-hoc basis, giving you complete control over the integrity of your workstations, servers and network devices.

The Verisys Console also provides a central point for all your reporting requirements. Using the intuitive interface you can generate reports in a number of formats based on your desired search criteria.

The Verisys Console is comprised of 5 main pages that can be accessed from the left menu or using the tabs:

Console

3.3. Key Concepts

Agents

Agents are deployed to servers and workstations to monitor file integrity, and can be configured and managed from the central administration console. Normally the Console will be installed on an administrator’s workstation, while the Agent is installed to servers and workstations to be monitored, but you can also install both the Console and an Agent to a single machine if desired.

Each Agent is assigned jobs that define when automated integrity checks should be carried out, and the actions to take when discrepancies are detected. Rulesets are assigned to Jobs to specify the objects to be monitored.

Rulesets

Rulesets are used to group together rules that define what files, registry keys and network devices are to be monitored. For example, you can create a ruleset for Windows Server 2016 and apply it to all of your Windows Server 2016 servers in a single step.

You can create your own custom rulesets, or use the templates supplied with Verisys to get started quickly.

Rules

Rules define the files, registry keys and network devices to be monitored, and are contained within rulesets.

Some objects may be more critical than others, so you can set a priority for each rule. The priority will appear on reports and can also optionally be used as a threshold to conditionally perform actions.

Jobs

Jobs are used to schedule automated integrity checks so you can protect your systems without manual intervention. For example, you can specify that all of your file servers should run an integrity check once a day, and all of your payment processing servers should run an integrity check once every 2 hours.

For more information about scheduled jobs, see the section Jobs.

Actions

Actions specify actions to be taken after running an automated integrity check. For example, you can specify that a discrepancy report should be emailed to an administrator or sent to a syslog server. An action can also be used to automatically update the baseline after performing an integrity check.

You can optionally state that one or more actions are only to be taken if discrepancies over a specified priority threshold are detected – for example, you may only wish to email an administrator if high priority discrepancies are detected.

For more information on actions, see the section Actions.

4. Configuration

4.1. Typical Flow of Configuration Steps

config flow

4.2. Licenses

From the Licensing page you can manage Verisys Agent licenses. You must install one or more valid license files before you can manage any Agents from the Console.

When you purchase licenses from Ionx you will receive a license file to install in the Console. You can use the Add button to browse for new license files to install.

Licensing Requirements
  • 1 Verisys license is required for each server or workstation

  • 1 Verisys license is required for each unique IP/hostname monitored by network device rules.

4.3. Agents

4.3.1. Adding and Modifying Agents

From the Agents page you can configure deployed Agents. In the image below we can see two Agents being managed through the Console:

Console

After installing the Verisys Agent to a remote server or workstation you can manage it through the Verisys Console.

You can create a new agent by right-clicking on the root Agents node in the list of Agents and selecting New Agent from the popup menu:

New Agent

Alternatively, you can add a new Agent by using the Add button.

You can modify an existing Agent by double-clicking on it, or by right-clicking on it and selecting Modify from the popup menu:

Modify Agent

When adding or modifying an Agent you will be presented with the following dialog box:

New Agent

Display Name

The name that will be displayed in the Verisys Console and appear on reports

Hostname/IP

The address that will be used to connect to the deployed Agent from the Console

Port

The TCP port the deployed Agent is listening on

4.3.2. Publishing the Configuration to Agents

After modifying or assigning rules, rulesets or scheduled jobs, a small out-of-sync icon will be displayed beside any affected Agents. In order for Agents to receive the updated configuration you must publish it to them.

Before you can publish the configuration you must save it using the Save button on the toolbar.

Once the configuration has been saved you can publish it to all Agents using the Publish button on the toolbar.

Alternatively, you can publish to individual Agents by selecting one or more in the list of Agents, right-clicking and selecting Publish Configuration from the menu:

Publish

Note that Agents will automatically perform a new baseline snapshot when they receive an updated configuration.

4.4. Rulesets and Rules

From the Rulesets tab you can manage rulesets, which group together rules to determine what objects to monitor. Rulesets can be assigned to Jobs on the Agents tab. As seen below, rulesets are presented in an expandable tree, with folder icons next to rulesets and gear icons next to child rules:

Publish

4.4.1. Template Rulesets

Verisys ships with a number of template rulesets for common system configurations. For example, there are template rulesets for Microsoft Windows Server 2008 and Microsoft SQL Server 2008. Using template rulesets can help you quickly start monitoring file integrity, but of course you are free to make changes or create your own rulesets from scratch.

From the Rulesets page you can add a template ruleset by right-clicking on the root Rulesets node in the tree and selecting Load Template Ruleset from the popup menu:

Load Template Ruleset

Alternatively, you can add a template ruleset by using the small arrow attached to the Add button and selecting Load Template Ruleset from the popup menu:

Add
Add Template

4.4.2. Custom Rulesets

You can create a new, empty ruleset by right-clicking on the root Rulesets node in the tree and selecting New Ruleset from the popup menu:

New Ruleset

Alternatively, you can add a new, empty ruleset by using the Add button.

When creating a ruleset, you will be asked to set the type to either Windows or Linux/Unix. You should select the appropriate type for your Agents.

You can modify an existing ruleset by right-clicking on it and selecting Modify from the popup menu:

Modify Ruleset

To add a new rule to a ruleset, right-click on the ruleset and select New Rule from the popup menu:

New Rule

The following sections detail each of the different types of rule.

4.4.3. Merging Rulesets

You can merge two or more rulesets into a single ruleset – for example, if you have a Windows 2012 server that is running Microsoft SQL Server 2012, you can load the ruleset templates for Microsoft Windows Server 2012 and Microsoft SQL Server 2012, and then merge them into a single ruleset that can be assigned to the Agent running on that server.

To merge rulesets, go to the Rulesets tab and select one of the rulesets you wish to merge with others. Right-click on it and select Merge Rulesets:

Merge Rulesets

In the dialog box, select all of the rulesets you wish to merge the ruleset with and click OK:

Merge Rulesets

You will then be prompted to enter a name for the new ruleset. After supplying this, the new ruleset will be created, and will be visible in the tree.

4.4.4. Filesystem Rules

When configuring filesystem rules you will be presented with the following dialog box:

Filesystem Rule

Path

The full name of the path to be monitored. In the example above we see the C:\Windows directory is being monitored. You can manually enter the path, or use the Browse button to locate it

Recurse

This checkbox specifies whether or not Verisys should recurse down through the folder structure, or only monitor the folder specified in the Path field

Monitor Last Access Time

This checkbox is used to specify whether or not Verisys should monitor the last accessed time attribute of files. Please note that, for performance reasons, by default Microsoft Windows Vista, Microsoft Windows 7, Microsoft Windows 10, Microsoft Windows Server 2008, Microsoft Windows Server 2012 and Microsoft Windows Server 2016 do not track the last accessed time. If you wish to enable last accessed time tracking on these systems you can do so by changing the value of the following registry entry to 0:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate

Strict Directory Checking

This checkbox, which is only valid for Linux rules, will flag directories as modified or accessed when any of their contents are modified or accessed

Type

Specifies the type of monitoring to take place. The following options are available:

Normal

This ‘standard’ monitoring type monitors changes to the widest range of properties and should be used for files that are not expected to change frequently under normal operating conditions (for example, executable files, system libraries or drivers)

Fast

The fast monitoring type monitors the same properties as normal type, but does not utilise a cryptographic hashing algorithm on the contents of files. We recommend the normal type for most scenarios, but fast mode can be useful in certain scenarios where performance is crucial

Log File/Data File

The log file/data file type can be used to monitor files for which the contents are expected to change over time. This monitoring type will not detect changes to the content of files, but will detect attribute and security changes or files being deleted

Growing Log File

The growing log file type can be used to monitor growing log files. This type allows new data to be added to the files being monitored, but will detect changes to previously written data

This monitoring type can be used to achieve compliance with PCI DSS section 10.5.5

The following options are available only on rulesets for Linux systems

Configuration File

The configuration file monitoring type can be used to monitor configuration files that may be regenerated by the system under normal operating conditions. It monitors the same properties as normal type, but does not monitor the last modified time or index node - any changes to the actual content of monitored files will be detected

Device/Process

The device/process type can be used to monitor devices and processes (i.e. files in /dev and /proc). As the content of such files is expected to change under normal operating conditions, it monitors only the owner, group owner, permissions and file type properties
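
The following sketch illustrates how an append-only check such as the Growing Log File type can work, next to a whole-file comparison like the Normal type. It is an added example, not Verisys code: the function names, verdict strings and the choice of SHA-256 are assumptions, and the sample log is constructed.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024


def hash_prefix(path, length):
    """SHA-256 over the first `length` bytes of the file at `path`."""
    digest = hashlib.sha256()
    remaining = length
    with open(path, "rb") as fh:
        while remaining > 0:
            block = fh.read(min(CHUNK, remaining))
            if not block:
                break  # file is shorter than `length`
            digest.update(block)
            remaining -= len(block)
    return digest.hexdigest()


def take_baseline(path):
    """Record the size and content hash of the file as it is now."""
    size = os.path.getsize(path)
    return {"size": size, "sha256": hash_prefix(path, size)}


def check_normal(baseline, path):
    """Whole-file comparison: any content change is a discrepancy."""
    size = os.path.getsize(path)
    if size == baseline["size"] and hash_prefix(path, size) == baseline["sha256"]:
        return "unchanged"
    return "modified"


def check_growing_log(baseline, path):
    """Append-only comparison: growth is allowed, edits to old data are not."""
    size = os.path.getsize(path)
    if size < baseline["size"]:
        return "truncated"
    # Re-hash only the bytes that existed when the baseline was taken.
    if hash_prefix(path, baseline["size"]) != baseline["sha256"]:
        return "rewritten"
    return "grown" if size > baseline["size"] else "unchanged"


def demo():
    """Run both checks over a constructed log file and return the verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "auth.log")  # constructed sample log
        with open(log, "wb") as fh:
            fh.write(b"09:00 login alice ok\n09:05 login bob FAILED\n")
        baseline = take_baseline(log)

        with open(log, "ab") as fh:  # normal operation: a new entry is appended
            fh.write(b"09:10 login carol ok\n")
        results["append"] = (check_normal(baseline, log),
                             check_growing_log(baseline, log))

        with open(log, "r+b") as fh:  # an earlier entry edited in place
            data = fh.read().replace(b"FAILED", b"PASSED")
            fh.seek(0)
            fh.write(data)
        results["edit"] = (check_normal(baseline, log),
                           check_growing_log(baseline, log))

        with open(log, "wb") as fh:  # log cleared and restarted
            fh.write(b"09:15 login dave ok\n")
        results["clear"] = (check_normal(baseline, log),
                            check_growing_log(baseline, log))
    return results


if __name__ == "__main__":
    for step, verdicts in demo().items():
        print(step, verdicts)
```

The whole-file check reports every step as modified, including the legitimate append, while the append-only check stays quiet on growth and still flags the in-place edit and the cleared log.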

Include/Exclude

These fields are optionally used to state which files and folders within the specified Path are to be monitored. An asterisk ‘*’ can be used as a wildcard, and you can separate multiple filters using a semicolon ‘;’.

Include and Exclude

In the example above we can see that .exe, .com, .dll, .drv and .sys files are being monitored in the C:\Windows directory. The Recurse option is selected, so Verisys will recurse down the folder structure monitoring matching files, but the Exclude rule specified above will prevent Verisys from monitoring the Temp folder.

Note the Exclude rule in the example contains a directory separator (backslash) - Verisys matches the inclusion and exclusion filters against the full path, rather than just the filename.
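
Because filters are matched against the full path, the exact shape of an Exclude filter decides how much falls out of monitoring. The sketch below is an added example, not Verisys code, and the matching semantics are assumptions (filters are anchored to the whole path, compared case-insensitively, an empty Include selects everything, Exclude wins); the filter strings and paths are constructed. It lists what each Exclude variant removes from coverage so the result can be reviewed before publishing a ruleset.

```python
import re

# Constructed sample paths and filters for illustration.
PATHS = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\Temp\setup.exe",
    r"C:\Windows\System32\drivers\tempsvc.sys",
    r"C:\Windows\win.ini",
]
INCLUDE = "*.exe;*.com;*.dll;*.drv;*.sys"


def compile_filters(spec):
    """Turn 'a*;b*' into case-insensitive regexes where '*' is any run of characters."""
    patterns = []
    for item in spec.split(";"):
        item = item.strip()
        if item:
            body = ".*".join(re.escape(part) for part in item.split("*"))
            patterns.append(re.compile(body, re.IGNORECASE))
    return patterns


def is_monitored(full_path, include="", exclude=""):
    """Assumed semantics: empty include matches everything, exclude wins."""
    inc = compile_filters(include)
    exc = compile_filters(exclude)
    # fullmatch: the filter must describe the whole path, not just the filename
    if inc and not any(p.fullmatch(full_path) for p in inc):
        return False
    return not any(p.fullmatch(full_path) for p in exc)


def blind_spots(paths, include, exclude):
    """Paths the Include filter selects but the Exclude filter removes."""
    return [p for p in paths
            if is_monitored(p, include) and not is_monitored(p, include, exclude)]


if __name__ == "__main__":
    for exclude in (r"*\Temp\*", "*Temp*", r"Temp\*"):
        print(exclude, "->", blind_spots(PATHS, INCLUDE, exclude))
```

Under these assumptions, a filter with separators on both sides removes only the Temp folder, a bare `*Temp*` also drops a driver whose name happens to contain "temp", and `Temp\*` without a leading wildcard excludes nothing.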

4.4.5. Windows Registry Rules

When configuring Windows registry rules you will be presented with the following dialog box:

Windows Registry Rule

Path

This is the full name of the registry path to be monitored. In the example above, we see the following key is being monitored:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

You can manually enter the path, or use the Browse button to locate it.

Recurse

This checkbox specifies whether or not Verisys should recurse down through the registry structure, or only monitor the registry key specified in the Path field

Include/Exclude

These fields are optionally used to state which registry keys and values within the specified Path are to be monitored. An asterisk ‘*’ can be used as a wildcard, and you can separate multiple filters using a semicolon ‘;’

Include and Exclude

In the example above we can see that only specific sub-keys of the following registry key are being monitored:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

The Recurse option is selected, so Verisys will recurse down the registry structure monitoring those keys and values that match the Include rule and do not match the Exclude rule

4.4.6. Network Device Rules

Network device rules are assigned to the Agents that are to execute them - those Agents must therefore be able to communicate with the target network devices, so changes to your firewall configuration may be required.

Verisys ships with presets for various network devices, including Cisco, Juniper, Palo Alto and F5. You can also use the Custom connection type to connect to any network device that supports Telnet, SSH, SCP or SFTP.

After configuring connection details, you can use Test Connection to check that you are able to connect to the device with the specified credentials.

When configuring one of the preset network device rules you will be presented with the following dialog box:

Network Device Rule

Protocol

The Protocol dropdown will contain all valid protocols for the selected Connection Type. While Telnet may be available for some Connection Types, it is recommended to use one of the secure protocols, SSH, SCP or SFTP.

Authentication

Both Password and Public Key authentication are available, depending on the selected Protocol.

Public Key Authentication

When using Public Key authentication, private keys in both OpenSSH and ssh.com format are supported.

When configuring a custom rule, the details to be configured depend on the chosen Protocol. For file-based protocols, SCP and SFTP, you must add the paths of files to be monitored:

Network Device Files

For text-based protocols, Telnet and SSH, you must define a script to retrieve the results to be monitored:

Network Device Script

The Validate button can be used to parse your script to check the syntax is correct. The Full Screen button will pop out a text editor into a new, full screen window.

Scripts are defined in VISL (Verisys Interactive Script Language), which is similar to expect. More details can be found in the following section.

Verisys Interactive Script Language

VISL (Verisys Interactive Script Language) allows you to define scripts to interact with text-based protocols such as Telnet and SSH. The goal is to capture responses from network devices as one or more named results to be monitored for changes. For example, on a Cisco IOS device you would capture the response to the show startup-config command as a result.

In general, the pattern used in VISL scripts is to send a command, and then expect a particular response, which can be captured as a result.

The available commands are described below, and complete examples can be found in Appendix B.

send command

The send command is used to send a command to the server. The command should be either a quoted string or a variable that contains the command to be sent.

send "show running-config"
send $my_command

expect pattern

The expect command waits until pattern is matched in the response received from the server, or the timeout is reached.

Patterns can be a literal string, a regular expression, or a variable containing either of these:

expect "# "
expect ".+[>#]\s?$"
expect $prompt

By default, the timeout is 5 seconds. This can be changed by using the set command to set the value of the special timeout variable to the desired timeout, in seconds:

set timeout to "20"

set name to value

The set command is used to store values in named variables, for use in the script. For example, you may wish to store the prompt you expect to receive from the server:

set any_prompt to ".+[>#]\s?$"

result name is pattern

The result command is used to create a result to be monitored from the previous server response.

Pattern must be a regular expression, or a variable containing one. A named capture group called result can be used in the regular expression, otherwise all matching characters will be used.

As an example, you may wish to capture everything received up until the command prompt:

result running-config is "^(?<result>.*)\r\n[^\r\n]+#\s?$"

when value [not] match pattern

The when command is used to enter a conditional block (curly braces are used to open and close the block), where the contents of the block are only executed if the value matches the pattern (or does not match when not is used).

For example, on a Juniper device we want to check if we are in cli mode, and send the cli command if not:

set cli_prompt to ".+>\s$"

when $response not match $cli_prompt {
  send "cli"
  expect $cli_prompt
}

Variables

Named variables are used to store values for use in the script, particularly where you may wish to reuse the same value several times in a script.

Variables are set using the set command. Variables are used with a dollar sign followed by the variable name:

$my_variable

Some variable names are reserved for use by Verisys. While their value cannot be changed, you can use them in VISL scripts.

Variable Description

username

The username set for the network device rule in the Verisys Console

password

The password set for the network device rule in the Verisys Console

password2

For Cisco IOS devices only, the enable password set for the network device rule in the Verisys Console

connection_method

The protocol being used to connect to the server (either SSH or Telnet)

response

The last response received from the server

Comments

Comments can be added to scripts to add explanation. Comment lines must start with 2 forward slashes //:

// This is a comment that will not be parsed as part of the VISL script
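
To show what the result command described above ends up monitoring, the sketch below applies the page's running-config pattern to device responses and compares the captured text between two checks. It is an added example, not Verisys code: the function names are hypothetical, the responses are constructed, the pattern is rewritten to Python's named-group syntax, and it is assumed that "." matches across line breaks.

```python
import hashlib
import re

# Pattern quoted from the `result running-config is ...` example on this page.
PATTERN = r"^(?<result>.*)\r\n[^\r\n]+#\s?$"

# Constructed device responses (documentation-range addresses).
BASELINE_RESPONSE = "ip access-list standard MGMT\r\n permit 192.0.2.10\r\nedge1# "
SAME_CONFIG = "ip access-list standard MGMT\r\n permit 192.0.2.10\r\nedge1#"
NEW_ACL_ENTRY = ("ip access-list standard MGMT\r\n permit 192.0.2.10\r\n"
                 " permit 198.51.100.7\r\nedge1# ")


def to_python_regex(pattern):
    """The page writes named groups as (?<name>...); Python spells them (?P<name>...)."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def capture_result(response, pattern):
    """Apply a result pattern to the last response.

    Returns the `result` named group when the pattern defines one, otherwise
    all matched characters; None when the pattern does not match.
    """
    regex = re.compile(to_python_regex(pattern), re.DOTALL)  # DOTALL is an assumption
    match = regex.search(response)
    if match is None:
        return None
    if "result" in regex.groupindex:
        return match.group("result")
    return match.group(0)


def fingerprint(response, pattern):
    """Hash of the captured result, or None when nothing was captured."""
    captured = capture_result(response, pattern)
    if captured is None:
        return None
    return hashlib.sha256(captured.encode("utf-8")).hexdigest()


def has_changed(baseline_response, current_response, pattern):
    """True when the monitored result differs between two checks."""
    return fingerprint(baseline_response, pattern) != fingerprint(current_response, pattern)


if __name__ == "__main__":
    print(repr(capture_result(BASELINE_RESPONSE, PATTERN)))
    print("same config, prompt differs:", has_changed(BASELINE_RESPONSE, SAME_CONFIG, PATTERN))
    print("ACL entry added:", has_changed(BASELINE_RESPONSE, NEW_ACL_ENTRY, PATTERN))
    print("whole response captured:", has_changed(BASELINE_RESPONSE, SAME_CONFIG, r"^.*$"))
```

Scoping the capture to the named group keeps the trailing prompt out of the monitored value, so only a real configuration change alters the fingerprint; capturing the whole response reports a change when nothing but the prompt's trailing space differs.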

4.5. Jobs

Jobs are used to group rulesets together for execution at scheduled intervals, so you can protect your systems without manual intervention. For example, you can specify that all of your file servers should run an integrity check once a day, and all of your payment processing servers should run an integrity check once every 2 hours. Jobs can be assigned to Agents from the Agents page.

As seen below, jobs are presented in a list:

Jobs

You can create a new job by right-clicking inside the list of jobs and selecting New Job from the popup menu:

New Job

Alternatively, you can add a new job by using the Add button.

You can modify an existing job by right-clicking on it and selecting Modify from the popup menu:

Modify Job

When adding or modifying a scheduled job you will be presented with the following dialog box:

New Job

Name

The name that will be displayed in the Verisys Console and appear on reports

Start Time

The date and time that the automated integrity check should be performed at.

Recurrence

How often the job should be automatically executed. The following options are available:

  • Never (the job will never be started automatically and can only be executed manually in the Console, or by a scripted integrity check)

  • Once

  • Minutes

  • Hourly

  • Daily

  • Weekly

  • Monthly

When selecting Minutes, Hourly or Daily, a control will be displayed to allow you to choose the interval at which the scheduled job should run. For example, you can specify that a scheduled job should run every 6 hours.

The Actions list is used to specify one or more actions to be taken after running an automated integrity check. By default an action is added to automatically update the baseline after automated integrity checks – this ensures that discrepancies noted on previous integrity checks are not reported on subsequent checks. If this is not the behaviour you want, this action may be deleted.

More information on actions can be found in the following section.

4.6. Actions

4.6.1. Overview

Post-job actions allow you to specify one or more actions to be taken after running an automated integrity check. For example, you can specify that a discrepancy report should be emailed to an administrator or sent to a syslog server. A post-job action can also be used to automatically update the baseline after performing an integrity check. By default such a post-job action is added, ensuring that discrepancies noted on previous integrity checks are not reported on subsequent checks. If this is not the behaviour you want, this post-job action may be deleted.

You can optionally state that one or more actions are only to be taken if discrepancies meeting a specified priority threshold are detected – for example, you may only wish to email an administrator if high priority discrepancies are detected.

When adding or modifying a scheduled job you can see the post-job actions attached to that job presented as a list:

Actions

The Add, Delete and Modify buttons can be used to work with post-job actions.

Several types of post-job action are available, which will only be executed if the minimum discrepancy threshold is met (with the exception of the Update Baseline action, which will only be executed if the maximum discrepancy threshold is not met):

Update Baseline

Update the baseline snapshot

Save Report

Saves a discrepancy report to disk. A selection of formats is available

Log to Windows Event Log

Log discrepancy information to the Windows Event Log, either individually or as a summary (Windows only)

Log to Remote Syslog

Log discrepancy information to a remote syslog server, either individually or as a summary

Log to Local Syslog

Log discrepancy information to the syslog server, either individually or as a summary (Linux only)

Send Email

Sends an email containing discrepancy information to one or more recipients

Run Command

Runs an arbitrary command

There are some parameters that are common to all post-job action types:

Job
Name

This is a name of your choosing that will be displayed in the Verisys Console.

Threshold

Allows you to specify the conditions under which a post-job action will be executed.

In the example above it is set to Low, so the post-job action will run if any discrepancies with at least this priority are detected.

When it is set to None (the default), the post-job action will be executed even if no discrepancies are detected.

Execution notes

This is shown to clarify the conditions under which each post-job action will run:

Job Execution Notes

4.6.2. Update Baseline

The Update Baseline action is used to update the baseline snapshot after a scheduled integrity check has been performed. When configuring this post-job action you will be presented with the following dialog box:

Update Baseline Action

4.6.3. Save Report

The Save Report action is used to save a discrepancy report to disk after a scheduled integrity check has been performed. When configuring this post-job action you will be presented with the following dialog box:

Save Report Action
Format

Specifies the format to save the report in. You can choose to save reports in HTML, CSV or XML format, in varying levels of detail

Path

Specifies the location the generated report should be saved to. This can be a standard filesystem path or, on Windows, a UNC path

Filename

Specifies which filename the report should be saved to within the Path. A fixed filename can be entered, or you can use variables to instruct Verisys to generate a filename (as can be seen in the above image). A table containing all valid variables can be found in Appendix A.

4.6.4. Log to Windows Event Log (Windows Only)

The Log to Windows Event Log action is used to log discrepancy information to the Windows Event Log after a scheduled integrity check has been performed. When configuring this action you will be presented with the following dialog box:

Windows Event Log Action

If Type is checked each individual discrepancy will be logged as a separate event log entry, otherwise a single event log entry containing a summary will be logged.

The ID of logged events is set depending on the highest priority discrepancy that was observed during the integrity check:

Priority     Event Log ID
None         1000
Low          2100
Medium       2200
High         2300
Emergency    2400

4.6.5. Log to Remote Syslog

The Log to Remote Syslog action is used to log discrepancy information to a remote syslog server after a scheduled integrity check has been performed. When configuring this post-job action you will be presented with the following dialog box:

Remote Syslog Action
IP Address

The IP address of the syslog server to send messages to

Port

The UDP port the syslog server is listening on

Type

When checked, each individual discrepancy will be logged as a separate syslog entry, otherwise a single syslog entry containing a summary will be logged

4.6.6. Log to Local Syslog (Linux Only)

The Log to Local Syslog action is used to log discrepancy information to the local syslog server running on the same system as the Verisys Agent. This post-job action is only available on Linux systems. When configuring this post-job action you will be presented with the following dialog box:

Local Syslog Action
Type

When checked, each individual discrepancy will be logged as a separate syslog entry, otherwise a single syslog entry containing a summary will be logged

4.6.7. Send Email

The Send Email action is used to send an email containing discrepancy information to one or more recipients after a scheduled integrity check has been performed. An SMTP server is required to send emails.

Note that emails are sent by the individual Agents, not the Console, so depending on your environment you may need to create firewall rules to allow your Agents to communicate with your SMTP server.

When configuring this post-job action you will be presented with the following dialog box:

Email Action
Host

The hostname or IP address of the SMTP server to use

Port

The TCP port the SMTP server is listening on

Use SSL/TLS

This should be checked if the SMTP server supports SSL/TLS secured connections

User and Password

If your SMTP server requires authentication, User and Password must be completed with the credentials to logon to the SMTP server with. If your SMTP server does not require authentication, both of these fields should be left empty

From

The email address to send the email from.

To

The email addresses to send the email to. Multiple email addresses can be separated using a semicolon ‘;’

Attach discrepancy report

Whether to attach a discrepancy report to the email. If unchecked, the email will contain only a short discrepancy summary in the body

4.6.8. Run Command

The Run Command action is used to run an arbitrary command after a scheduled integrity check has been performed. When configuring this post-job action you will be presented with the following dialog box:

Run Command Action
Command

The executable file (executable files are, for example, .exe, .com, .cmd or .bat files) to run

Start In

The start directory for the command

Parameters

Can optionally be used to pass arguments to the command. Static text can be entered, or you can use variables to instruct Verisys to generate arguments (as can be seen in the above image). A table containing all valid variables can be found in Appendix A.

4.7. Changing the Console Login Password

When logged into the Verisys Console, you can change the login password at any time by selecting Change Login Password from the Configuration menu.

Change Console Password

5. Operation & Reporting

5.1. Manually Starting Integrity Checks

As well as utilising scheduled jobs to run automated integrity checks, you can manually start an integrity check from the Console by selecting one or more Agents, right-clicking and selecting Start Integrity Check:

Start Integrity Check

This will start all jobs on the selected Agents. To start only a specific job, right-click the job instead of the Agent.

Selecting Start Integrity Check & Baseline will cause the selected Agents to perform an integrity check, and then to also force an update of the baseline.

When a manual integrity check completes, any actions associated with the Agent will be executed.

5.2. Downloading Reports from Agents

You can download discrepancy reports generated by deployed Verisys Agents to the Verisys Console reports database. Once reports have been downloaded, you can then run reports from the Console, which are based on the discrepancy data downloaded from Agents.

To download reports from all Agents, press the Download button on the toolbar.

By default, Agents retain discrepancy reports for 45 days before they are automatically deleted. You can use the Verisys Agent Configuration Utility to change this if required.

5.3. Running Reports

Using the data stored in the reports database, Verisys allows you to generate reports based on your desired criteria. The image below shows the Reports page:

Reports
Report Format

Specifies how the generated report should be formatted, and what level of detail it should contain

Date Range, Agents and Rulesets

These can optionally be used to constrain the data that will appear in the generated report

Download New Discrepancy Data From Agents

When checked, any new discrepancy data will be downloaded from Agents before running the report

When you are ready to run the report, press the Execute button.

5.4. Purging the Reports Database

As your reports database grows, it may take longer to generate reports. In such a case you may wish to purge the database by deleting old reports from it that are no longer of value. To do this, select Purge Reports Database from the Tools menu and you will be presented with the following dialog box:

Purge Reports Database

Select a cut-off date and press the OK button to begin purging the database of old data.

Note that Verisys supports the use of either SQLite or Microsoft SQL Server as the reports database. SQLite is recommended for small deployments (1-20 Agents), while Microsoft SQL Server is recommended for larger deployments (20+ Agents) where you have an existing installation of Microsoft SQL Server.

6. Advanced Topics

6.1. Agent Configuration Utility

The Verisys Agent Configuration Utility is installed on Windows systems with the Verisys Agent, and can be used to configure Agent parameters.

By default the Verisys Agent listens for connections on all available network interfaces (using IP address 0.0.0.0). If required, you can use the Verisys Agent Configuration Utility to listen only on a specific IP address.

The Verisys Agent Configuration Utility can also be used to configure the logging level, which determines how much diagnostic information is written to log files during operation. The default value is Info. Because additional logging may adversely affect performance, we recommend this is only changed temporarily if requested by Ionx Support as part of an active support case.

By default, Agents retain discrepancy reports for 45 days before they are automatically deleted. You can use the Verisys Agent Configuration Utility to change this if required.

6.2. Running the Agent Using a Custom Account

6.2.1. Windows

If you wish to run the Verisys Agent using an account other than the default (Local System Account), you must ensure that the account has access to the filesystem and registry objects that you wish to monitor, as well as having access to the Verisys installation directory. The account must additionally possess the SeSecurityPrivilege right (which is used to determine filesystem audit details) – this can be granted using the Windows Group Policy tool.

6.2.2. Linux

If you wish to run the Verisys Agent using an account other than the default (root), you must ensure that the account has access to the filesystem objects that you wish to monitor. The user and group accounts can be changed by using the -u and -g command line options with the installer, for example:

./verisys-agent-x64.sh -u my_user -g my_group

6.3. Exporting Rulesets as Templates

multiple instances of the Verisys Console, and you want a convenient way of reusing your custom rulesets.

You can export a ruleset from the Verisys Console by right-clicking it and selecting Export Ruleset as Template:

Export Ruleset Template

Note that when you export a ruleset it will not contain any configurable paths; upon loading the exported ruleset, it will be loaded with all paths exactly as they were when they were exported.

You can optionally add configurable paths to exported rulesets by manually modifying the saved XML file (for example, in notepad). You can do this by using a special notation in the Path XML element – note the section in bold below, which makes the Windows directory a configurable path:

<Path>?Windows Path|C:\Windows?\system32\drivers\etc</Path>

The general syntax is:

?NAME OF PATH|DEFAULT PATH?

Where NAME OF PATH is the name to be displayed in the Verisys Console when loading the template ruleset, and DEFAULT PATH is the default path when creating a new ruleset from the template.
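Because the notation is typed by hand into the exported XML, it is worth checking each Path value before loading the template. The following is an added example, not part of Verisys or of the original manual: the function names are hypothetical, the sample fragment is constructed, and only the Path element and the ?NAME OF PATH|DEFAULT PATH? syntax come from the text above.

```javascript
// Split a <Path> value into literal text and ?NAME OF PATH|DEFAULT PATH? placeholders.
// Throws when a "?" is never closed or the "NAME|DEFAULT" body is incomplete.
function parseTemplatePath(value) {
  const parts = [];
  let pos = 0;
  while (pos < value.length) {
    const open = value.indexOf("?", pos);
    if (open === -1) {
      parts.push({ literal: value.slice(pos) });
      break;
    }
    if (open > pos) parts.push({ literal: value.slice(pos, open) });
    const close = value.indexOf("?", open + 1);
    if (close === -1) throw new Error(`unterminated "?" at offset ${open}`);
    const body = value.slice(open + 1, close);
    const bar = body.indexOf("|");
    if (bar < 1) throw new Error(`expected NAME|DEFAULT inside "?${body}?"`);
    parts.push({ name: body.slice(0, bar), defaultPath: body.slice(bar + 1) });
    pos = close + 1;
  }
  return parts;
}

// Build the concrete path: a value chosen for a name replaces its default.
function resolveTemplatePath(value, chosen = {}) {
  const has = (name) => Object.prototype.hasOwnProperty.call(chosen, name);
  return parseTemplatePath(value)
    .map((p) => ("literal" in p ? p.literal : has(p.name) ? chosen[p.name] : p.defaultPath))
    .join("");
}

// Check every <Path> element found in the template text and report, per element,
// the configurable path names it declares or the reason it is malformed.
function checkTemplate(xmlText) {
  const report = [];
  for (const [, value] of xmlText.matchAll(/<Path>([^<]*)<\/Path>/g)) {
    try {
      const names = parseTemplatePath(value)
        .filter((p) => "name" in p)
        .map((p) => p.name);
      report.push({ value, names, error: null });
    } catch (e) {
      report.push({ value, names: [], error: e.message });
    }
  }
  return report;
}

// Constructed fragment: the first line is the manual's own example, the second
// has no configurable part, the third is missing its closing "?".
const SAMPLE_TEMPLATE = String.raw`
<Path>?Windows Path|C:\Windows?\system32\drivers\etc</Path>
<Path>C:\inetpub\wwwroot</Path>
<Path>?Web Root|D:\Sites\app</Path>
`;

for (const entry of checkTemplate(SAMPLE_TEMPLATE)) {
  console.log(entry.error ? `INVALID ${entry.value}: ${entry.error}` : `ok      ${entry.value}`);
}
```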

6.4. Unattended Console Installation

It is possible to perform an unattended installation of the Verisys Console using a command similar to the one shown below:

msiexec /i "C:\Install\Verisys Console Setup x86.msi" /qn /l*v "Install.log" AUTO="YES" TARGETDIR="C:\Program Files\Ionx\Verisys Console\" PASSWORD="MyPassword" CERTFILE="C:\Install\Verisys.pfx"

In the command shown above, the text highlighted in bold should be substituted as follows:

C:\Install\Verisys Console Setup x86.msi

The full path to the Verisys Console installation file

C:\Program Files\Ionx\Verisys Console\

The full installation path

MyPassword

The Console login password

C:\Install\Verisys.pfx

Full path to a valid Verisys certificate

If there are any issues during installation, they will be recorded in the Windows Event Log and the MSI installation log file (specified in the example command above as Install.log).

Note that when using unattended installation mode, only the zero-configuration SQLite database is supported as the reporting database.

6.5. Unattended Agent Installation

It is possible to perform an unattended installation of the Verisys Agent on Windows systems using a command similar to the one shown below:

msiexec /i "C:\Install\Verisys Agent Setup x86.msi" /qn /l*v "Install.log" AUTO="YES" TARGETDIR="C:\Program Files\Ionx\Verisys Agent\" SVCUSERNAME="" SVCPASSWORD="" CERTFILE="C:\Install\Verisys.pfx"

In the command shown above, the text highlighted in bold should be substituted as follows:

C:\Install\Verisys Agent Setup x86.msi

The full path to the Verisys Agent installation file

C:\Program Files\Ionx\Verisys Agent\

The full installation path

C:\Install\Verisys.pfx

Full path to a valid Verisys certificate

If there are any issues during installation, they will be recorded in the Windows Event Log and the MSI installation log file (specified in the example command above as Install.log).

6.6. Scripting Integrity Checks

On Windows systems it is possible to request that a Verisys Agent performs an ad-hoc integrity check without using the Console. This is accomplished using a command line tool, the Verisys Integrity Check Utility. By default this tool is installed to C:\Program Files\Ionx\Verisys Agent Utility.

When using the utility, you can specify the ID of a single job to be executed. Alternatively, omitting a job ID will cause all jobs assigned to the Agent to be executed. You can find all available job IDs with the --show-jobs parameter:

Ionx.Verisys.Agent.RunUtil.exe --show-jobs

The utility has two operating modes: preconfigured and custom. In preconfigured mode the Agent will carry out the actions assigned to the specified job:

Ionx.Verisys.Agent.RunUtil.exe --preconfigured --job=6d6554ab-62bd-4468-b3ba-3c27f5fe5ae2

Custom mode allows you to specify which actions should be carried out after the Agent has completed an integrity check. The example below will start an integrity check, and then log discrepancies to both a syslog server and the Windows Event Log:

Ionx.Verisys.Agent.RunUtil.exe --custom --job=6d6554ab-62bd-4468-b3ba-3c27f5fe5ae2 --syslog --syslog-log-individually --syslog-server-name=192.168.6.59 --eventlog

To display all available parameters, use the following command:

Ionx.Verisys.Agent.RunUtil.exe --help

6.7. Changing Certificates

If your security certificates expire or are compromised, Verisys provides command line utilities to allow replacing them without losing any data. These utilities decrypt Verisys data using your existing certificate, and then re-encrypt it with your new certificate.

These tools can be found within the installation folders of the Verisys Console and Agent. Note that they can only be executed by an administrator.

To change the certificate used by a Verisys Agent (note that this tool can only be run from within the Verisys Agent installation folder):

Ionx.Verisys.Agent.ReEncryptUtil.exe --cert=C:\Path\To\existing.pfx --new-cert=C:\Path\To\new.pfx

To change the certificate used by the Verisys Console:

Ionx.Verisys.Console.ReEncryptUtil.exe --path=C:\Path\To\Verisys\Console --cert=C:\Path\To\existing.pfx --new-cert=C:\Path\To\new.pfx

7. Backup

7.1. Agent (Windows)

The Verisys Agent configuration and data are contained within the following files:

C:\Program Files\Ionx\Verisys Agent\Ionx.Verisys.Agent.exe.config
C:\Program Files\Ionx\Verisys Agent\agent.dat
C:\Program Files\Ionx\Verisys Agent\snapshot-*.db
C:\Program Files\Ionx\Verisys Agent\Reports\*.dat

7.2. Agent (Linux)

The Verisys Agent configuration and data are contained within the following files:

/opt/ionx/verisys-agent/etc/verisys-agent.conf
/opt/ionx/verisys-agent/etc/agent.dat
/opt/ionx/verisys-agent/var/data/snapshot-*.db
/opt/ionx/verisys-agent/var/data/reports/*.dat

7.3. Console

The Verisys Console configuration and data are contained within the following files:

C:\Program Files\Ionx\Verisys Console\Ionx.Verisys.Console.exe.config
C:\Program Files\Ionx\Verisys Console\Configuration\config.dat
C:\Program Files\Ionx\Verisys Console\Licenses\*.license

Additionally on installations using the zero-configuration SQLite database:

C:\Program Files\Ionx\Verisys Console\Reports.db

8. Troubleshooting

  1. What do I do if I forget the Console password?

    You will need to re-install the Console to set a new password

  2. I can’t add any more Agents - I get a message saying I don’t have enough licenses

    You can purchase additional Agent licenses from the Ionx website.

  3. I’ve lost the license files I purchased

    Please contact [email protected] with your company details and purchase information and we can supply you with replacements.

  4. I’ve lost my Verisys security certificate

    Please contact [email protected] with your company details and purchase information and we can supply you with a new certificate.

  5. The Console can’t communicate with one of my Agents

    • Ensure the Agent service is running

    • Ensure that a firewall is not preventing communication from the Console to the Agent

    • Ensure the same Verisys security certificate is installed to both the Console and the Agent

  6. Can I install the Console to multiple machines?

    Yes, you can install the Console to any number of machines, as long as each Console monitors different Agents (using different Console installations to monitor the same Agents is not supported). You will still need to purchase a separate license for each Agent. We recommend you use a distinct Verisys security certificate for each Console – if you require additional Verisys security certificates, please contact [email protected] with your company details and purchase information and we can supply you with new certificates free of charge.

  7. Can I install the Console and Agent on a single machine?

    Yes, you can install both the Verisys Console and Agent to the same machine.

  8. Does Verisys produce any log files?

    Yes, they are stored in the Logs folder within the Agent and Console installation directories

9. Appendices

9.1. Appendix A: Variables

Variable                Description
$ID$                    Discrepancy report ID
$TOTAL$                 Number of discrepancies detected
$MAX_PRIORITY$          Highest priority discrepancy detected
$AGENT_DISPLAY_NAME$    Display name of the Verisys Agent
$AGENT_HOSTNAME$        Hostname/IP address of the Verisys Agent
$AGENT_PORT$            TCP port the Verisys Agent is running on
$RULESET_NAME$          Name of the ruleset that detected the discrepancies
$yyyy$                  Current 4-digit year, e.g. 2010
$yy$                    Current 2-digit year, e.g. 10
$MM$                    Current 2-digit month, e.g. 04
$MMM$                   Short name for current month, e.g. Apr
$MMMM$                  Full name for current month, e.g. April
$dd$                    Current 2-digit day of the month, e.g. 09
$ddd$                   Short name for current day of the week, e.g. Tue
$dddd$                  Full name for current day of the week, e.g. Tuesday
$HH$                    Current 2-digit hour, e.g. 23
$mm$                    Current 2-digit minute, e.g. 48
$ss$                    Current 2-digit second, e.g. 48
$fff$                   3 significant digits of the current second, e.g. 872

9.2. Appendix B: VISL Samples

9.2.1. Cisco IOS-XR

// Note that variables $username, $password, $connection_method and $response are set by Verisys

set prompt to ".+#\s?$"
set username_prompt to "Username:\s?$"
set password_prompt to "Password:\s?$"

// Capture everything after the first bang until before the prompt
set result_match to "(?<result>[!].*)(?:(?:\r\n)|\r|\n)[^\r\n]+#\s?$"

// Logon is automatic for SSH, but must be done interactively for telnet
when $connection_method match "telnet" {
  expect $username_prompt
  send $username

  expect $password_prompt
  send $password
}

// All users get the same prompt in IOS-XR
expect $prompt

// Disable 'more'
send "terminal length 0"
expect $prompt

send "show running-config"
expect $prompt
result running-config is $result_match

9.2.2. Juniper Junos

// Note that variables $username, $password, $enable_password, $connection_method and $response are set by Verisys

set any_prompt to ".+(?:[>#]|@%)\s$"
set cli_prompt to ".+>\s$"
set username_prompt to "login(?:\sas)?:\s$"
set password_prompt to "Password:$"

// Capture everything before the prompt
set result_match to "^(?<result>.*?)(?=(?:(?:\r\n)|\r|\n)[^\r\n]+(?:[>#]|@%)\s$)"

// Logon is automatic for SSH, but must be done interactively for telnet
when $connection_method match "telnet" {
  expect $username_prompt
  send $username

  expect $password_prompt
  send $password
}

// Depending on the system, we might not start in operational mode
expect $any_prompt

// If we are not already in operational mode, enter it now
when $response not match $cli_prompt {
  send "cli"
  expect $cli_prompt
}

send "show configuration | no-more"
expect $cli_prompt
result configuration is $result_match
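To see what the two result_match patterns above would store as the monitored configuration, the following added example (not part of Verisys or of the original manual) runs them unchanged against constructed terminal output. It assumes the pattern is applied to the last response and that "." matches line breaks; the function names and sample device output are hypothetical, and JavaScript is used because it accepts the (?<result>...) group syntax as written.

```javascript
// Patterns copied verbatim from the two VISL samples above.
const IOSXR_RESULT_MATCH = String.raw`(?<result>[!].*)(?:(?:\r\n)|\r|\n)[^\r\n]+#\s?$`;
const JUNOS_RESULT_MATCH = String.raw`^(?<result>.*?)(?=(?:(?:\r\n)|\r|\n)[^\r\n]+(?:[>#]|@%)\s$)`;

// Assumption: "." also matches line breaks (the "s" flag), otherwise neither
// pattern could span a multi-line configuration. Returns null when the
// response does not end with a prompt the pattern recognises.
function captureResult(pattern, response) {
  const match = new RegExp(pattern, "s").exec(response);
  return match ? match.groups.result : null;
}

// Line endings and outer whitespace are normalised before captures are compared.
function normalise(text) {
  return text.replace(/\r\n?/g, "\n").trim();
}

// True when the configuration captured from two responses differs.
function configChanged(pattern, before, after) {
  const a = captureResult(pattern, before);
  const b = captureResult(pattern, after);
  if (a === null || b === null) {
    throw new Error("no result captured: response does not end with a prompt");
  }
  return normalise(a) !== normalise(b);
}

// Constructed terminal output (not captured from a real device).
const IOSXR_CONFIG = [
  "!! IOS XR Configuration",
  "hostname lab-router",
  "interface MgmtEth0/RSP0/CPU0/0",
  " ipv4 address 192.0.2.1 255.255.255.0",
  "!",
  "end",
];
const JUNOS_CONFIG = [
  "system {",
  "    host-name lab-fw;",
  "    services {",
  "        ssh;",
  "    }",
  "}",
];

// Command echo and banner first, then the configuration, a blank line and the prompt.
function iosxrResponse(configLines, prompt) {
  return ["show running-config", "Building configuration...", ...configLines, "", prompt].join("\r\n");
}
function junosResponse(configLines, prompt) {
  return ["show configuration | no-more", ...configLines, "", prompt].join("\r\n");
}

const iosxr = iosxrResponse(IOSXR_CONFIG, "RP/0/RSP0/CPU0:lab-router#");
const junos = junosResponse(JUNOS_CONFIG, "admin@lab-fw> ");

// IOS-XR: capture starts at the first "!", so the echo and banner are left out.
console.log(normalise(captureResult(IOSXR_RESULT_MATCH, iosxr)));
// Junos: capture starts at the beginning of the response, so the echoed command is kept.
console.log(normalise(captureResult(JUNOS_RESULT_MATCH, junos)));
// A response cut off by the pager has no trailing prompt, so nothing is captured.
console.log(captureResult(IOSXR_RESULT_MATCH, "show running-config\r\n!! IOS XR Configuration\r\n --More-- "));
```

The null result for paged output is why the IOS-XR sample sends "terminal length 0" and the Junos sample appends "| no-more" before the configuration is captured.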

9.3. Appendix C: License Notices

© 2010 Ionx. All rights reserved.

Microsoft and Windows are registered trademarks of Microsoft Corporation.

This product includes software components licensed under the Apache Software License, version 2.0. The license text is available at http://www.apache.org/licenses/LICENSE-2.0.

This product includes the Mono runtime licensed under the GNU Library GPL 2.0. The license text is available at http://www.gnu.org/copyleft/library.html#SEC1.

This product includes NHibernate software components, licensed under the LGPL license, version 2.0. The license text is available at http://www.gnu.org/copyleft/lesser.html.

This product includes The Saxon XSLT and XQuery Processor software components from Saxonica Limited, licensed under the MPL license, version 1.0. The license text is available at http://www.mozilla.org/MPL/. The Saxonica homepage can be found at http://www.saxonica.com.

This product includes NHibernate software components, licensed under the LGPL license. The license text is available at http://www.gnu.org/licenses/lgpl-2.1.html.

This product includes IKVM.NET software components, licensed under the zlib license. The license text is available at http://opensource.org/licenses/Zlib.

This product includes software components that are copyright © Binarymission Technologies Limited, UK.

This product includes Fluent NHibernate software components, licensed under the BSD license:

Copyright (c) 2008-2009, James Gregory and contributors
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- Neither the name of James Gregory nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product contains Mono class libraries, licensed under the MIT X11 license:

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

This product contains software components written by wyDay, licensed under the BSD license:

Copyright (c) 2009, wyDay
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes software components written by Martin R. Gagné, licensed under the BSD license:

Copyright ©2006, 2007, Martin R. Gagné ([email protected])
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes software components written by Mathew Hall, licensed under the BSD license.

Copyright © 2004-2005, Mathew Hall
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes software components written by Novell and Federico Di Gregorio, licensed under the MIT X11 license:

Authors:
 Jonathan Pryor <[email protected]>
 Federico Di Gregorio <[email protected]>

Copyright (C) 2008 Novell (http://www.novell.com)
Copyright (C) 2009 Federico Di Gregorio.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

This product includes software components written by Jacob Slusser, licensed under the MIT license:

Copyright (c) 2016, Jacob Slusser, https://github.com/jacobslusser

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

This product includes software components written by Neil Hodgson, licensed as follows:

Copyright 1998-2003 by Neil Hodgson

All Rights Reserved

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation.

NEIL HODGSON DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL NEIL HODGSON BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.