eTrust Audit Getting Started
etaudit_gs.doc, printed on 12/18/2002, at 9:34 AM

eTrust Audit Getting Started 1.5
MAN12093912E

This documentation and related computer software program (hereinafter referred to as the “Documentation”) is for the end user’s informational purposes only and is subject to change or withdrawal by Computer Associates International, Inc. (“CA”) at any time.

This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part, without the prior written consent of CA. This documentation is proprietary information of CA and protected by the copyright laws of the United States and international treaties.

Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation for their own internal use, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of the license for the software are permitted to have access to such copies. This right to print copies is limited to the period during which the license for the product remains in full force and effect. Should the license terminate for any reason, it shall be the user’s responsibility to return to CA the reproduced copies or to certify to CA that same have been destroyed.

To the extent permitted by applicable law, CA provides this documentation “as is” without warranty of any kind, including without limitation, any implied warranties of merchantability, fitness for a particular purpose or noninfringement. In no event will CA be liable to the end user or any third party for any loss or damage, direct or indirect, from the use of this documentation, including without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised of such loss or damage.

The use of any product referenced in this documentation and this documentation is governed by the end user’s applicable license agreement.

The manufacturer of this documentation is Computer Associates International, Inc.

Provided with “Restricted Rights” as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) or DFARS Section 252.227-7013(c)(1)(ii) or applicable successor provisions.

© 2003 Computer Associates International, Inc.

All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Contents

Chapter 1: Arm Your Enterprise
    Monitor Your Enterprise With Our Leading Auditing Tool
    The Purpose of This Guide
    Enterprise-wide Security: Bridging the Information Gap
    New With This Service Pack
    CA Services: Enabling Solutions Through Experience
    CA Education Services
    Computer Associates: The Software That Manages eBusiness
    For More Information

Chapter 2: The Essentials
    What You Need to Know to Get Started
    The Basics
        Flexible Architecture
        Firewall Friendly
        Secure Transport
        Wide Range of Configurations
        Versatile Filtering
        Components
    How eTrust Audit Works
    Pre-Installation Considerations
        Firewall Considerations
        Encryption
        Security of the eTrust Audit Database Access Credentials
        Identify the Policy Management and Security Monitor Machines
    Installing eTrust Audit on Windows
        Order of Installation
    Sample Installation on Windows
        Starting the Product Explorer
        Sample Client Installation
        Sample Policy Manager Installation
        Sample Data Tools Installation
    Verifying Your Installation
    What’s Next?

Chapter 3: Creating Audit Node Groups
    Implement Enterprise-wide Security Policies (Part 1)
        Scenario
        About the Policy Manager
    Start the Policy Manager
    Switch to Audit Node View
    Step 1: Create an Audit Node Group
    Step 2: Add Members to the Audit Node Group
    What’s Next?

Chapter 4: Creating Policies
    Implement Enterprise-wide Security Policies (Part 2)
    Step 3: Create Policies
        Create a Policy Folder
        Add Windows Policy to the Policy Folder
        Specify Properties for the Windows Policy
        Add UNIX Policy to Policy Folder
        Specify Events to Harvest
    What’s Next?

Chapter 5: Creating Rules and Associations
    Implement Enterprise-wide Security Policies (Part 3)
    Step 4: Specify Rules
        Review Default Policies
        Copy Default Policy Rules to Your Sample Policy
        Specify Actions
    Step 5: Create Associations
    What’s Next

Chapter 6: Activating and Monitoring Policies
    Implement Enterprise-wide Security Policies (Part 4)
    Step 6: Activate the Policy
    Step 7: Monitor Deployment of the Policies
    Step 8: Viewing the Results
        eTrust Audit Viewer
        eTrust Audit Security Monitor
    What’s Next?

Chapter 7: Viewing, Monitoring, and Reporting on Events
    Viewer: Organize, Filter, and View Audit Data
        Starting the Viewer
        Filtering Events
        Applying a Viewer Filter
        Saving a Viewer Filter
        Applying a Viewer Filter
        Deleting a Viewer Filter
    Reporter: Customize Reports to Suit Your Organization
        Starting the Reporter
        Displaying and Printing Reports
        Scheduling Reports
    Security Monitor: Critical Audit Data Delivered in Near-Real-time
        Starting the Security Monitor
        Viewing Event Details
    What’s Next?

Chapter 8: Frequently Asked Questions
    Answers To Common Questions

Appendix A: Installing the Client Components on UNIX
    Pre-Installation Considerations
        General Information
        Unicenter Information
        Check Point FireWall-1 Information
        Netscape (iPlanet) Information
    Pre-Installation Tasks
        Collect Oracle Information
        Review Logging of UNIX Events
    Installation Steps

Appendix B: Installing the Data Tools Components on UNIX
    About the Data Tools Components
    Pre-Installation Considerations
    Pre-installation Tasks
        Prepare the Oracle Database Environment
    Installation Steps
        Create Oracle Database Tables
        Install the eTrust Audit Data Tools

Appendix C: Installing the Data Tools on SQL Server
    Installation Steps
    Troubleshooting Problems with Data Tools and Microsoft SQL Server
        Connection Failed
        Login Failed

Appendix D: Installing the Data Tools on Oracle
    Pre-Installation Tasks
        Prepare the Oracle Database Environment
    Installation Steps
    Troubleshooting Problems with Data Tools and Oracle
        Connection Failed
        Login Failed

Appendix E: Performing a Custom Installation of the Client Components
    Installation Steps

Appendix F: Performing a Custom Installation of the Data Tools
    Installation Steps
        Installing a Collection-Only Machine
        Installing a Data Management Machine
        Installing a Monitor-only Machine

Appendix G: Manually Starting eTrust Audit Services
    Windows Platforms
        Using the Computer Management or Control Panel GUIs
        Using a Command Prompt Session
    UNIX Platforms
        On Solaris
        On AIX
        On HP-UX
        On Tru64 and Linux

Chapter 1: Arm Your Enterprise

Monitor Your Enterprise With Our Leading Auditing Tool

A fundamental requirement for system security is the ability to detect and monitor activity. Recognizing this fundamental requirement, many systems and applications generate audit trail information. However, these important tasks are typically considered of secondary importance (at best).
As such, they are not done properly, and do not provide adequate facilities for managing, consolidating, retaining or reporting on this valuable information.

eTrust™ Audit addresses these requirements with a superior audit collection mechanism that can marshal a wide range of audit trail data from a diverse set of systems, applications and appliances. In addition, eTrust Audit lets you create and manage a centralized policy regarding the retention of this valuable information and also provides the following:

■ Consolidated views of the audit information collected
■ Versatile reporting
■ Highly customizable support for creating policies that can be used to initiate alert or other actions in response to events
■ Integration with Unicenter® Event Management
■ Integration with the eTrust™ Security Command Center

With eTrust Audit, you can collect security event data from a wide range of sources throughout your enterprise, such as the following:

■ UNIX servers
■ Windows NT servers
■ Windows 2000 servers
■ Web servers
■ eTrust open systems products
■ eTrust mainframe security products such as eTrust™ CA-ACF2® Security and eTrust™ CA-Top Secret® Security
■ IBM mainframe security products such as RACF
■ And other sources as well

Plus, eTrust Audit stores this information in a central database for easy access and reporting. Administrators use eTrust Audit to monitor, respond to alerts, and create reports for historical and forensic analysis. Most importantly, administrators can collect the audit information created by the diverse set of security tools in the enterprise, so that they can reference a single source to support the important tasks of security analysis (sometimes referred to as analytics) required to effectively monitor and manage security in the enterprise.
The Purpose of This Guide

This guide is intended to introduce you to eTrust Audit. When you finish reading this guide, you will be familiar with the capabilities of the product. More importantly, you will have a basic functioning eTrust Audit system installed and running, and you will have a basic understanding of how to use eTrust Audit to collect and manage security-related events across your enterprise.

Enterprise-wide Security: Bridging the Information Gap

As corporate computer networks expand to include more machines and applications, managing security-related events becomes an increasingly complex task. While native operating systems provide basic logging facilities, those facilities alone are not sufficient to address the needs of the enterprise.

A Clear, Concise View of Security Related Data

eTrust Audit gives security and systems management teams the unique ability to collect information from a wide variety of event data sources into a single database and, in the process, place all collected information into a common, intuitive format, regardless of the event’s source, thus facilitating more rapid analysis.

Innovative Design

eTrust Audit components are extremely flexible, and you can deploy them in a wide variety of configurations. However, regardless of their configuration, these components will work together to provide you with comprehensive access to the audit event information you require.

Support for Custom Pattern Recognition

Using its advanced tailoring and configuration facilities, you can define criteria that eTrust Audit uses to recognize event patterns. When it detects events that match a pattern, eTrust Audit can automatically trigger actions.
Included with eTrust Audit are several examples of predefined pattern recognition configurations that you can use as examples to help you quickly and correctly develop settings that meet your needs.

Scalability and Cross-Platform Performance

eTrust Audit includes store-and-forward capabilities that help ensure the guaranteed delivery of audit messages to their final locations. eTrust Audit uses technologies specifically designed and tested to scale to the needs of today’s enterprise class environments.

Open Design with SNMP Traps and Submit API Function Calls

To support rapidly evolving technology, eTrust Audit has an open design that can accept event data submitted by many systems, applications, and appliances. The two primary ways to get information into eTrust Audit are as follows:

Direct
    eTrust Audit recorders are available for a variety of applications and systems. These recorders are specifically designed to “tap into” the event data sources created by a given system, application, or appliance.

Indirect
    While eTrust Audit includes a rich set of specific recorders (a set that continues to expand), there are many applications, systems, and appliances for which there might not be specific eTrust Audit event recorders available. However, that does not mean that the event data generated by those applications, systems, and appliances is unavailable to eTrust Audit.
eTrust Audit includes the following generic recorders that you can use to indirectly access the audit trail event data created by applications:

SNMP Trap Recorder
    If your application, system, or appliance can issue SNMP traps in response to detecting an event, those events can be sent to a machine where the eTrust Audit SNMP trap recorder is running, which in turn directs that information to eTrust Audit.

System Log Recorder
    Many applications direct their audit event information to logging facilities that are provided by the operating system. For example, on UNIX, it is common for events to be sent to syslog, and on Windows platforms, it is common to direct events to the Windows Event Log. You can access data sent to either of these facilities using the eTrust Audit System Log Recorder.

Generic Log Scraper
    Some applications maintain their own log files, typically as flat files. eTrust Audit also includes a log scraper recorder (available on Windows and UNIX platforms) that you can use to harvest event data from those types of log files.

Custom Recorders Built Using SAPI
    In addition to the variety of mechanisms previously described that you can use to enable eTrust Audit to harvest event data, eTrust Audit also includes the Submit Application Programming Interface (SAPI). Using SAPI, you can optionally create your own custom recorders that tap into whatever event sources you require, and can then provide that event data to eTrust Audit.

Through the direct and indirect audit event data access mechanisms provided, you can easily customize eTrust Audit to meet your organizational needs.

New With This Service Pack

eTrust Audit 1.5 Service Pack 2 provides many enhancements. To see a complete list, see the Release Summary.
CA Services: Enabling Solutions Through Experience

When it comes to getting on the information fast track, CA Services can recommend and install a full suite of portal and knowledge management solutions to keep your business moving. And our associates offer the proprietary know-how on custom-fitting your enterprise for solutions ranging from life cycle management, data warehousing, and next-level business intelligence. Our experts will leave you with the technology and knowledge tools to fully collect, exploit, and leverage your data resources and applications.

CA Education Services

Computer Associates Global Education Services (CA Education) offerings include instructor-led and computer-based training, product certification programs, third-party education programs, distance learning, and software simulation. These services help to expand the knowledge base so you are better able to use our products more efficiently, contributing to your greater success.

CA Education has been developed to assist today’s technologists in everything from understanding product capabilities to implementation and quality performance. Because the vast community of education seekers is varied, so too are our methods of instruction. CA Education is committed to provide a variety of alternatives to traditional instructor-led training, including synchronous and asynchronous distance learning, as well as Unicenter simulation. For training that must be extended to a wider audience—for a fraction of the cost and logistical hassle of sending everybody away to a class—CA Education offers excellent distance learning options.

Computer Associates: The Software That Manages eBusiness

The next generation of eBusiness promises unlimited opportunities by leveraging existing business infrastructures and adopting new technologies.
At the same time, extremely complicated management presents challenges—from managing the computing devices to integrating and managing the applications, data, and business processes within and across organizational boundaries. Look to CA for the answers. CA has the solutions available to help eBusinesses address these important issues. Through industry-leading eBusiness Process Management, eBusiness Information Management, and eBusiness Infrastructure Management offerings, CA delivers the only comprehensive, state-of-the-art solutions, serving all stakeholders in this extended global economy.

For More Information

After walking through this Getting Started guide, you can refer to the numerous resources available to you for additional information. The online help system offers procedural information and answers to questions you may encounter. You can also press F1 on your keyboard for context-sensitive help on the current dialog.

Your eTrust Audit CD contains useful instructional documentation that showcases your software, as well as detailed explanations about the product’s comprehensive, feature-rich components. In addition to the online help system, http://esupport.ca.com offers procedural information and answers to any questions you might have.

Chapter 2: The Essentials

What You Need to Know to Get Started

This chapter describes the basic concepts and key components of eTrust Audit, and provides an overview of how it works. As you read these topics, you will learn what these components do, and how they interact with one another so that you can quickly gain an understanding of how to put eTrust Audit to work for you. At the end of the chapter, we provide sample installation scenarios that you can follow to establish a basic, but working eTrust Audit environment.
The Basics

To ensure the best results, we strongly encourage you to review the topics described in this chapter before you try to install eTrust Audit.

Flexible Architecture

eTrust Audit was designed with a highly flexible, multi-tiered architecture capable of supporting large numbers of clients, servers, and database stations that together serve as an enterprise-wide auditing hierarchy. Every computer in your network can potentially participate in the hierarchy as an audit event source, and any user in your network can potentially receive alerts, mail, and system status notifications from eTrust Audit.

Firewall Friendly

eTrust Audit services can be configured to transmit events securely through firewalls without requiring you to open a wide range of ports (also known as services).

Secure Transport

Some enterprises might have to send sensitive audit event information across the network and, in some cases, across the Internet. Facilities included with eTrust Audit provide for the secure transport of these important messages, which includes the encryption of these messages in transit. For information about encryption, firewalls, and ports, see the Reference Guide.

Wide Range of Configurations

The flexible architecture of eTrust Audit makes a wide range of configuration choices available to you. Some implementations might be simple, involving a single machine or a small set of machines. Others might be highly complex, enterprise-scale deployments, involving hundreds or thousands of machines. The more advanced configurations take advantage of the architectural elements of eTrust Audit that were specifically designed to support hierarchical deployment.
These hierarchies are employed to route audit events from sources to collectors across all manner of boundaries to be stored in the eTrust Audit Collector database for analysis and management.

Versatile Filtering

Advanced filtering capabilities help you to dramatically improve your “signal to noise ratio.” In other words, using the versatile filtering capabilities of eTrust Audit, you can identify the audit events that are of most interest to you and identify others that are of little or no use to you. The events of interest are forwarded to the appropriate collectors; those that are not can be discarded or alternatively directed to lower priority collectors. For information about using the filtering capabilities of eTrust Audit, see the Policy Management Guide.

Components

The three primary eTrust Audit components are as follows:

■ Client
■ Policy Manager
■ Data Tools

The following topics briefly describe each of these components. For more detailed information about these components, see the Policy Management Guide.

Client

The Client component is comprised of several subcomponents that provide services that collect and forward audit event data, which can in turn result in the generation of actions and alerts. The following list describes the subcomponents:

Standard System Recorder
    This recorder taps into the event data sent to the Windows Event Log (on Windows platforms) and into event data sent into the syslog daemon on UNIX and on Linux platforms. This recorder enables any events sent to these standard system logging facilities to be harvested by eTrust Audit for processing.
Generic Log Scraper
    The Generic Log Scraper is another recorder that can be configured to harvest (clear text) events from third party products that maintain their own logs as external “flat files.”

Other eTrust Audit Recorders (Available using Custom Installation)
    eTrust Audit includes a long and growing list of supported recorders, including ones that can tap into event data from Check Point FireWall-1, SNMP traps, and from the mainframe security products, eTrust CA-Top Secret Security and CA-ACF2 Security from Computer Associates, and RACF from IBM. For more information about the currently available eTrust Audit recorders, visit us at http://esupport.ca.com.

Portmapper
    The portmapper (Windows platforms only) manages the logical communications channels required to provide a standard way for a Client to access RPC services that it might require.

Redirector
    The Redirector (Windows platforms only) taps into local eTrust Audit logs (created by the eTrust Audit Standard System Recorder service) or logs created by eTrust™ Access Control running on Windows systems, and automatically redirects that audit data to a Router component on the same or on another machine.

Router
    The Router acts primarily as a filtered message forwarder. It analyzes the policies you create using the Policy Manager (which will eventually be deployed as .cfg files found in the installation_path\eTrust Audit\cfg directory), and then follows those policy imperatives to examine audit events that are sent to its attention. Based on the configuration instructions you provide, the router identifies those records that should be as follows:

    ■ Filtered out
    ■ Forwarded to the Action Manager
    ■ Forwarded to other eTrust Audit components for additional processing or storage

Action Manager
    The Action Manager processes events sent to it by the router.
    You can instruct the Action Manager to automatically perform a wide range of actions in response to receiving specific audit events. The Action Manager gets its instructions from the policies you create using the Policy Manager and executes those actions as necessary and appropriate to a specific audit event.

Distribution Agent
    The Distribution Agent receives policy imperatives from the Policy Manager, and places these policies into effect. These policy imperatives are sent to the Distribution Agent by the Distribution Server.

Policy Manager

The Policy Manager component (available on Windows platforms only) includes the following subcomponents:

Policy Manager
    The Policy Manager interface is a Windows GUI that you use to centrally manage eTrust Audit policies. Using the Policy Manager, you can create, implement, and distribute your organization’s eTrust Audit policies.

Distribution Server
    The Distribution Server communicates with the Distribution Agent and coordinates the delivery of eTrust Audit policies.

Data Tools

The Data Tools component is comprised of two major components:

■ The Data Tools interface
■ The Collector database

The Data Tools GUI

The Data Tools interface is available only on Windows platforms and is comprised of the following:

Viewer
    The Viewer displays, sorts, and filters audit events retrieved from a Collector database. The viewer also lets you save your own customized filters for future use.

Reporter
    The Reporter lets you view, create, and schedule detailed, graphic reports from information extracted from the Collector databases.

Security Monitor
    The Security Monitor lets you do the following:

    ■ Monitor specific events that you designate important enough to monitor in near real time. The events can be sent from a variety of different recorders.
■ Monitor eTrust Audit status and “self help” events. These are events related to the status of eTrust Audit components (for example, whether the Action Manager is started).

The Collector Database

The Collector database is where eTrust Audit stores all of the audit event data directed to it. eTrust Audit supports the following underlying databases:

■ Microsoft SQL Server 7
■ Microsoft SQL Server 2000
■ Microsoft Access Database
■ Oracle (on NT, Windows 2000, and UNIX)

For the most up-to-date information about supported databases, see readme_etrust_audit.html or http://esupport.ca.com.

How eTrust Audit Works

The following illustrates the basic flow of data between the eTrust Audit components in a typical configuration:

[Figure: basic data flow between the eTrust Audit components. Labels in the illustration: Administrator Workstation (Policy Manager GUI, Policies, Distribution Queue, Distribution Server); Client (Distribution Agent, Recorder, Events, Router, Policy Filters, Filtered Events, Action Queue, Action Manager); actions (SNMP, File, Program, E-mail, Unicenter, Router Action, Collector Action, Screen, Monitor, Other Actions); Event Database; Data Tools (Security Monitor, Viewer, Reporter).]

The illustration describes the following flow:

■ An administrator uses the Policy Manager to create, activate, and distribute policies that are stored in the policy distribution queue and routed to Distribution Agents on clients.
■ As events occur on clients, the Recorder harvests them and sends them to the Router for processing.
■ Using the policies and filters created by the administrator, the Router stores events in the action queue for processing by the Action Manager.
■ The Action Manager, based on the policies you specify, can do the following:
  – Take a direct action, such as executing a program, sending an email, or routing the message to Unicenter.
  – Send the event to the Security Monitor so that an administrator can determine what action to take.
  – Send the event to the Collector database, where an administrator can use the Viewer to display events or use the Reporter to generate reports for later analysis.

Pre-Installation Considerations

The flexibility of the eTrust Audit architecture makes it possible to deploy eTrust Audit in a wide variety of ways. Consider the following “rules of thumb” when planning your eTrust Audit implementation.

Note: eTrust Audit components can be installed in a Windows or a UNIX environment. The components available for installation, and the installation process itself, differ for each environment. In this chapter, we guide you through a typical installation on Windows 2000 using the default Microsoft Access database. Additional documentation on performing installation tasks on UNIX and other custom installation tasks on Windows is available in the appendixes of this guide.

Firewall Considerations

When Recorders collect events from machines that must be sent to other eTrust Audit components on the opposite side of a firewall, you should consider installing a Router component on the same side of the firewall as the Recorders. The Router is then configured to forward events through the firewall. Taking this approach significantly reduces the number of ports that would otherwise have to be opened through the firewall. If for whatever reason it is not possible to install a Router on the same side of the firewall as the Recorders, you will need to open the firewall ports necessary to enable the Recorders to communicate across the firewall using RPC, which typically represents a wide range of ports.

Important note for users of Windows NT 4.0, Windows 2000, and Windows XP! eTrust Audit makes extensive use of RPCs.
Therefore, we automatically install a version of the Sun RPC portmapper to facilitate easy communication setup. Do not remove or disable the Sun RPC portmapper we provide, unless you already have a fully Sun RPC compatible portmapper installed on those machines.

Encryption

eTrust Audit provides facilities to encrypt information transferred by eTrust Audit components across the network. Your installation can implement your own encryption keys or eliminate the use of encryption entirely. For instructions about changing the encryption key or eliminating encryption, see the Reference Guide.

Security of the eTrust Audit Database Access Credentials

The user name and password used to connect to the Collector database are stored in an encrypted format and can only be updated using the ENCUP utility included as part of your eTrust Audit product. For more information about the ENCUP utility, see the Reference Guide.

Identify the Policy Management and Security Monitor Machines

When you install the Client components on Windows platforms, you are asked to identify the machines that will serve as:

Security Monitor
The Client components send notifications about their status (such as whether they are running) to the Security Monitor machine you identify. The Security Monitor machine is the focal point for determining whether all the components of your eTrust Audit implementation are functioning properly.

Audit Policy Manager
The Client components receive policies from the Policy Manager machine you identify. The Client components use the host name to authenticate the identity of the Policy Manager. The system you specify as the Policy Manager pushes policy information to the Client components.
Knowing the name of the Policy Manager machine enables the eTrust Audit components to detect when some other (unauthorized) system attempts to send policies to the Client components, and to reject those policies. Only policies sent by the Policy Manager you identify during the Client components’ installation are processed by those Client components.

SMTP Mail Server
You can optionally configure the Client components to route email alerts to an administrator or operator by identifying an SMTP mail server during the Client components’ installation.

Installing eTrust Audit on Windows

To install eTrust Audit, we recommend that you close any applications you have running before you insert the CD-ROM. After the installation media is mounted in the CD-ROM drive, the installation should begin automatically.

Tip: If you are installing eTrust Audit in a Windows Domain configuration, we recommend that you install the Client components on your primary domain controllers (PDCs) so that eTrust Audit can “tap into” domain administration events that are logged only on the PDCs.

Order of Installation

We recommend that the eTrust Audit components be installed in the following order:

1. Client
2. Audit Policy Manager
3. Audit Data Tools

Note: The guided tour chapters included later in this guide assume that the following have been installed using the sample installation procedures described in the topics that follow:

■ Client
■ Policy Manager
■ Data Tools, specifically:
  – Reporter
  – Security Monitor
  – Viewer
  – Collector database

Sample Installation on Windows

The following topics present a sample installation of the major eTrust Audit components on a Windows system.
Your installation and implementation of eTrust Audit will likely vary somewhat from the installation presented in these topics.

Tip: We recommend that you install the eTrust Audit components as described in the topics that follow, and then proceed through the guided tour chapters. Later you can return to this guide and perform any other installation tasks required to meet the needs of your enterprise. These installations are described in the appendixes.

Starting the Product Explorer

eTrust Audit provides an easy-to-use product explorer to install components on Windows systems. To use the product explorer, follow these steps:

1. Insert the product installation CD into the CD-ROM drive. The product explorer automatically starts, and the following window appears:

Note: If this window does not appear, use Windows Explorer to execute the program PE_I386.exe located in the root directory of the CD.

2. Click the plus sign (+) to expand the eTrust Products branch of the tree, and then expand the eTrust Audit V1.5SP2 branch to display the three major components as follows:

The first components that you install are the eTrust Audit Client components.

Sample Client Installation

Follow these steps to install the Client components on Windows:

1. Expand the Client branch. After you expand the Client branch, your window looks as follows:

For the purpose of this sample installation, install the eTrust Audit Client components on a Windows 2000 platform.

2. To do this, select the item eTrust Audit Client for Windows NT/2000/XP.
The product explorer appears as follows:

After you select the product, two buttons become available at the bottom of the window: Product Information and Install. Use them as follows:

Product Information
Click the Product Information button to view special installation notes, system requirements, and so on. We recommend that you review the product information before you begin the installation.

Install
Initiates installation of the component.

3. After reviewing the product information, click Install to initiate the installation of the Client components. When you click Install, the eTrust Audit Client component installation starts.

4. Accept the License Agreement by clicking Yes, and then click Next until the Setup Type window appears:

5. For the purpose of this sample installation, select Standard from the list above, and then click Next.

6. What follows are several standard installation windows that let you specify alternative installation locations, and the locations in the Start Menu to be used by eTrust Audit. Accept the defaults by clicking Next, or enter your own values.

The next window of particular interest asks you to specify the name of the Security Monitor machine as follows:

7. Specify the name of the Security Monitor machine. For the purpose of this sample, install the Security Monitor components on the current machine. To do this, enter localhost in the Host field, and then click Next.

Note: If you are installing the Security Monitor components on a machine other than the machine where you are currently installing the Client components, specify that machine name in the Host field, and then click Next.
After you specify the name of the Security Monitor machine and click Next, the following warning appears because you have not yet installed the Security Monitor on your machine (localhost):

8. Do not worry. You will install the Security Monitor later in this chapter. Click OK to close the warning.

When you do, the Specify the Name of the eTrust Audit Policy Manager Machine window appears:

9. Specify the name of the Policy Manager machine. For the purpose of this sample, install the Policy Manager components on the current machine. To do this, enter localhost in the Host field, and then click Next.

Note: If you are installing the Policy Manager components on a machine other than the machine where you are currently installing the Client components, specify that machine name in the Host field, and then click Next.

After you click Next, the following window appears:

10. Do not worry. You will install the Policy Manager later in this chapter. Click OK to close the warning.

When you do, the SMTP Server window appears:

11. The Client components can send alerts through a variety of mechanisms, including email. You can do either of the following:

■ To use this feature, enter the name of the email server to which the Client components running on this machine should route emails, and then click Next.
■ If you do not want to use this feature now, or if you are not certain what machine name to enter here, leave the Server field blank, and then click Next.

Note: You can configure email support at any time. See the Reference Guide for details.

After you click Next, the eTrust Audit Services Configuration window appears:

12.
This window lets you change the account under which the Client component services run. For the purpose of this sample, accept the default of LocalSystem by clicking Next.

After you click Next, the Installation Verification window appears:

This window lets you install template policies that route failed login attempts to the machine you identified as the Security Monitor (localhost). Viewing these events in the Security Monitor verifies that you have successfully installed these components. See Verifying Your Installation later in this chapter for an example of the type of information the Security Monitor should display after a successful installation.

13. Click the check box, and then click Next.

As a final check, the installation displays a window listing the choices that you have made. Click Continue after you review your selections. The installation begins displaying various status windows that describe the progress of the eTrust Audit Client install. When finished, the following window appears, indicating that the install of the eTrust Audit Client component has completed:

14. For the purpose of this sample installation, click Yes to start the eTrust Audit Client Services.

Sample Policy Manager Installation

The next eTrust Audit component that you should install is the Policy Manager. You can install this component only on Windows systems. To install the Policy Manager, use the product explorer again.

Note: In the sample window that follows, the eTrust Audit Client for Windows NT/2000/XP is bold. This means that it is already installed.

Perform the following steps:

1. Expand the Policy Manager branch, and then select eTrust Audit Policy Manager for Windows NT/2000/XP.

Important!
As with any component you choose to install, click Product Information to review special installation notes before you click Install to begin the installation.

2. After you review the product information, click Install. The eTrust Audit Policy Manager installation begins.

3. As in the previous installation, the next few windows ask you to accept the License Agreement and to shut down any other products running on your system. After you do so, the Authorized User window appears:

4. Enter the Windows user name that is authorized to use the Policy Manager, and then click Next. The user name you specify here is the only user name that is initially able to access the Policy Manager. By default, it displays the name of the administrative user performing the installation. You can grant access to more users after the Policy Manager is installed. See the Policy Management Guide for more information.

The Database Password Protection window appears:

5. Enter the password for the user name that has initial access to the Policy Manager in the Password and Confirm fields, and then click Next.

Tip: The first time you start the Policy Manager, you must provide this user name and password to gain access. You can change the password for the current user by using the encup utility. See the Reference Guide for more information.

The Specify Name of Monitor Machine window that follows asks for the name of the Security Monitor machine to which the Policy Manager sends notifications:

6. For the purpose of this sample, you are going to install the Security Monitor components on the same machine on which you are now installing the Policy Manager.
Enter localhost in the Host field, and then click Next.

Note: If you are installing the Security Monitor components on a machine other than the machine where you are currently installing the Policy Manager, specify that machine name in the Host field, and then click Next.

After you specify the name of the Security Monitor machine and click Next, the following warning appears because you have not yet installed the Security Monitor on your machine (localhost):

7. Do not worry. You will install the Security Monitor later in this chapter. Click OK to close the warning.

When you do, the eTrust Audit Policy Manager Services Administration window appears:

8. Use this window to specify whether the Policy Manager services should be started automatically when this machine is rebooted. Unless you have a reason to start the services manually, choose Configure Services for Automatic Startup, and then click Next.

After you click Next, the eTrust Audit Services Configuration window appears:

9. This window lets you change the account under which the eTrust Audit Distribution Server service runs. For the purpose of this sample, accept the default of LocalSystem by clicking Next.

10. As a final check, the installation displays a window listing the choices that you have made. Click Continue after you review your selections. The installation proceeds. At the end of the installation, the following window appears:

11. For the purpose of this sample, click Yes to start the eTrust Audit Policy Manager services.

Sample Data Tools Installation

To install the Data Tools, use the product explorer again. Perform the following steps:

1.
Expand the Data Tools branch, and then select eTrust Audit Data Tools for Windows NT/2000/XP.

Important! As with any component you choose to install, click Product Information to review special installation notes before you click Install to begin the installation.

2. After you review the product information, click Install. The eTrust Audit Data Tools installation begins.

3. The next few windows ask you to accept the License Agreement and choose the installation path. After you do so, the Setup Type window appears:

4. For the purpose of this sample, select Standard, and then click Next.

The Database Type window asks you to choose the type of database that you want eTrust Audit to use as the Collector database:

5. For the purpose of this sample, choose Microsoft Access, running on this machine, and then click Next.

Note: A version of the Microsoft Access database is automatically provided for your use. Using Microsoft SQL Server or Oracle as the underlying database requires that you properly install and license these databases before you install the Data Tools.

Tip: If you have an existing SQL Server or Oracle database and would like to use it with eTrust Audit, see the “Installing the Data Tools on SQL Server” or the “Installing the Data Tools on Oracle” appendix.

After you click Next, the SMTP Server window appears:

6. The Data Tools components can send alerts through a variety of mechanisms, including email. You can do either of the following:

■ To use this feature, enter the name of the email server to which the Data Tools components running on this machine should route emails.
■ If you do not want to use this feature now, or if you are not certain what machine name to enter here, leave the Server field blank, and then click Next.

Note: You can configure email support at any time. See the Reference Guide for details.

The Specify Name of Monitor Machine window asks you to specify the name of the Security Monitor machine to which the Data Tools should send notifications:

7. For the purpose of this sample, the Security Monitor components are installed on the same machine on which you are installing the Data Tools. Enter localhost in the Host field, and then click Next.

After you click Next, the eTrust Audit Services Configuration window appears:

8. This window lets you change the account under which the Data Tools services run. For the purpose of this sample, accept the default of LocalSystem by clicking Next.

9. As a final check, the installation displays a window listing the choices that you have made. Click Continue after you review your selections. The installation proceeds. At the end of the installation, the following window appears:

10. For the purpose of this sample, click Yes to start the eTrust Audit Data Tools services.

Congratulations! You have successfully created a sample eTrust Audit environment.

Verifying Your Installation

After you complete the installation of the Data Tools components, a light bulb appears in the system tray in the lower right corner of your task bar. This icon represents the Security Monitor. Double-click it to open the Security Monitor and ensure that the installation verification messages are being properly delivered.
A window that contains data similar to the following sample appears:

This window shows that all the eTrust Audit services started successfully.

What’s Next?

With this basic introduction to eTrust Audit complete, the next step is to get more familiar with the eTrust Audit Policy Manager. The next chapter starts the guided tour, which helps you learn about the Policy Manager as you configure a sample working eTrust Audit environment.

The guided tour assumes you have installed the Client components on a UNIX system, too. If you would like to do so, see the “Installing the Client Components on UNIX” appendix, and follow the steps to install the Client components on UNIX. Otherwise, proceed with the sample as though you had installed onto a UNIX system. Of course, when sample screens appear showing data from UNIX, you should ignore the UNIX-related results.

Chapter 3
Creating Audit Node Groups

Implement Enterprise-wide Security Policies (Part 1)

Now that you have installed and activated eTrust Audit, the next step in the process is to put eTrust Audit to work for you. In other words:

■ Each of the machines on which you have installed eTrust Audit components will have several different sources of audit event data available on them. For each of these event sources, which events do you want to harvest? All or just a subset?
■ For the events that you want to harvest, what do you want eTrust Audit to do with them? Store them locally, forward them somewhere, or initiate some kind of action?

In this chapter, you will proceed step by step through the process of defining the policies required to put eTrust Audit to work, using a common real-world requirement as the basis for this scenario.

Note: The guided tour assumes you have installed the Client components on a Windows and a UNIX system.
Information about how to install the Client components is described in the “Installing the Client Components on UNIX” appendix of this guide. You can use the tour that follows even if you do not have any UNIX systems in your current eTrust Audit configuration. Simply skip those tasks associated with UNIX systems, which are easily identifiable.

Scenario

In this scenario, you want to harvest audit event data from UNIX sources and from Windows 2000 sources, and store this event data in the Collector database running on Windows 2000.

Task Preview

The following process describes the major steps you will take to configure your eTrust Audit system to harvest event data from the Windows and UNIX sources and deliver it to the Collector database:

1. Define an audit node group.
2. Define audit nodes that are members of the audit node group.
3. Create policies that identify the events that should be harvested from the Windows and UNIX sources.
4. Specify rules that identify specific event record matching criteria and actions to be taken.
5. Associate the policies created in Steps 3 and 4 with the audit node group that was created in Steps 1 and 2.
6. Activate the policies.
7. Monitor the deployment of the policies.
8. View the results.

When you complete the sample steps, you will have a basic and fully operational eTrust Audit environment and be familiar with the major components of eTrust Audit that you will regularly use.
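The following is an added Python model, not code from this guide or from Computer Associates, of the data flow described under How eTrust Audit Works and of the policy steps previewed above: an AN group holding SYSTEMA (AN type NT) and SYSTEMB (AN type Unix), policies scoped to an AN type and made of rules (matching criteria plus actions), a Distribution Agent that puts into effect only policies sent by the Policy Manager host named at install time, and a Router that filters out or forwards events. The field names, the first-matching-rule semantics, and the sample events are constructed assumptions.

```python
"""Added example (not CA's code): a minimal model of eTrust Audit's
policy distribution and event routing.  Field names, matching semantics
and sample events are constructed for illustration only."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class AuditNode:
    host: str
    an_type: str              # "NT" or "Unix", as chosen in the New AN dialog


@dataclass(frozen=True)
class Rule:
    match: Dict[str, str]     # every key/value must equal the event's field
    actions: Tuple[str, ...]  # e.g. ("collector",) or ("security_monitor", "email")


@dataclass(frozen=True)
class Policy:
    name: str
    an_type: str              # class of recorder this policy is written for
    rules: Tuple[Rule, ...]


class DistributionAgent:
    """Client-side agent: only policies sent by the configured Policy
    Manager host are placed into effect; anything else is rejected."""

    def __init__(self, policy_manager_host: str) -> None:
        self.policy_manager_host = policy_manager_host.lower()
        self.policies: List[Policy] = []

    def receive(self, sender_host: str, policy: Policy) -> bool:
        if sender_host.lower() != self.policy_manager_host:
            return False          # unauthorized source: policy not applied
        self.policies.append(policy)
        return True


def route_event(event: Dict[str, str], an_group: Tuple[AuditNode, ...],
                policies: List[Policy]) -> FrozenSet[str]:
    """Router: return the destinations for an event, or an empty set when
    the event is filtered out.  An event is only checked against policies
    written for the AN type of the node it came from; first match wins."""
    node = next((n for n in an_group if n.host == event["host"]), None)
    if node is None:
        return frozenset()        # host is not an audit node in the group
    for policy in policies:
        if policy.an_type != node.an_type:
            continue
        for rule in policy.rules:
            if all(event.get(k) == v for k, v in rule.match.items()):
                return frozenset(rule.actions)
    return frozenset()


# Constructed scenario: the SampleScenario AN group from the guide.
SAMPLE_GROUP = (AuditNode("SYSTEMA", "NT"), AuditNode("SYSTEMB", "Unix"))

NT_POLICY = Policy("windows-security", "NT", (
    # Like the install-time template: failed logons go to the Security Monitor.
    Rule({"source": "Security", "outcome": "failure"},
         ("security_monitor", "collector")),
    Rule({"source": "Security"}, ("collector",)),
))
UNIX_POLICY = Policy("unix-su", "Unix", (
    Rule({"log": "sulog"}, ("collector",)),
    Rule({"log": "syslog", "facility": "auth"}, ("collector",)),
))

# Constructed events, roughly as a Recorder might harvest them.
SAMPLE_EVENTS = [
    {"host": "SYSTEMA", "source": "Security", "outcome": "failure", "id": "529"},
    {"host": "SYSTEMA", "source": "Security", "outcome": "success", "id": "528"},
    {"host": "SYSTEMA", "source": "Application", "outcome": "success", "id": "1000"},
    {"host": "SYSTEMB", "log": "sulog", "user": "root", "outcome": "failure"},
    {"host": "SYSTEMB", "log": "syslog", "facility": "mail", "outcome": "info"},
    {"host": "SYSTEMC", "source": "Security", "outcome": "failure", "id": "529"},
]


def run_sample() -> Tuple[List[bool], List[FrozenSet[str]]]:
    """Distribute policies (two from the configured Policy Manager host,
    one from an unauthorized host) and then route every sample event."""
    agent = DistributionAgent("SYSTEMA")    # Policy Manager named at install
    accepted = [
        agent.receive("SYSTEMA", NT_POLICY),
        agent.receive("SYSTEMA", UNIX_POLICY),
        # A catch-all policy from an unknown host must be rejected.
        agent.receive("OTHERHOST", Policy("unknown", "NT", (Rule({}, ("program",)),))),
    ]
    routed = [route_event(e, SAMPLE_GROUP, agent.policies) for e in SAMPLE_EVENTS]
    return accepted, routed


if __name__ == "__main__":
    accepted, routed = run_sample()
    print("policies accepted:", accepted)
    for event, dest in zip(SAMPLE_EVENTS, routed):
        print(event["host"], "->", sorted(dest) or "filtered out")
```

The third event (an Application-log entry on SYSTEMA) stays filtered out because the catch-all policy from the unknown host was never placed into effect.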
Machine Configuration

The scenario involves two machines:

Machine 1
A Windows 2000 machine named SYSTEMA on which the following eTrust Audit components are installed:
■ Client components
■ Data Tools (including the Collector database)
■ Policy Manager

Machine 2
A Solaris machine named SYSTEMB on which the following eTrust Audit components have been installed:
■ Client components

Objectives

This scenario guides you through the steps required to get the previously installed eTrust Audit components working together to do the following:

1. Enable you to work with messages written to the Windows Event Logs as follows:
   a. The Client components running on the Windows machine will harvest messages from the Windows Event Logs.
   b. The Data Tools components will store the messages in the Collector database on the Windows machine, and you can view them using other Data Tools components (such as the Viewer or the Reporter) installed on that machine.

2. Enable you to work with messages written to the UNIX syslog and sulog as follows:
   a. The Client components running on the Solaris machine will harvest messages written to syslog and sulog.
   b. The Client components running on the Solaris machine will forward those harvested messages to the local Router on that UNIX machine.
   c. The local Router will forward the messages to the Collector database on the Windows machine, and you can view them using the Data Tools installed on that machine.

About the Policy Manager

You will use the Policy Manager to accomplish most of the objectives in this scenario. The Policy Manager lets you define and maintain eTrust Audit policies and runs only on Windows systems.
Start the Policy Manager

To start the Policy Manager, go to the Windows machine where you installed the Policy Manager components, and do the following:

■ From the Start menu, choose Programs, Computer Associates, eTrust, Audit, Policy Manager.

The Policy Manager window appears:

You use the Policy Manager to create the policies required to complete the objectives of the scenario.

Switch to Audit Node View

Before you can create a policy, you must identify the objects to which the policy applies. In other words, you must identify the event sources on the specific machines that you want to target. To do this, you create an audit node group (also known as an AN group), and then identify the audit nodes (the specific machines) that are part of that group.

■ To create an audit node group, click the Audit Nodes icon on the left side of the Policy Manager window:

After you click the Audit Nodes icon, the window changes to display the Audit Nodes view as follows:

In this initial Audit Nodes view, there are no defined target audit node groups.

Step 1: Create an Audit Node Group

To begin, you must create an audit node group to represent the machines and event sources from which you want to harvest audit events. To create a new audit node group, follow these steps:

1.
Right-click Targets, and choose New Group from the pop-up menu as shown in the following illustration:

After you click New Group, the New Group dialog appears:

Use this dialog to create an audit node (AN) group. This AN group serves as a single reference point for the eTrust Audit recorders that you are going to use on the Windows and UNIX platforms in this scenario.

2. For the purpose of this sample scenario, enter SampleScenario in the field at the top of the window, and then enter a brief description in the Description field, such as Audit Node Group that will represent the eTrust Audit machines in the scenario.

Tip: When defining your eTrust Audit policies, we recommend that you take advantage of the Description field to record the purpose of each AN group. Some months from now when you are updating policies, you will have a record of your original intent.

3. Click OK. The Policy Manager window appears as follows with the new AN group, SampleScenario, displayed in the tree and its contents in the table on the right side of the window:

Step 2: Add Members to the Audit Node Group

Now that you have created the AN group, you must add individual audit nodes to the AN group. These individual audit nodes represent the audit event data sources (the Recorders) that will participate as part of this AN group. To add audit nodes to the AN group, follow these steps:

1.
Right-click the AN group object that you just created (SampleScenario), and choose New AN from the pop-up menu as shown in the following illustration: Creating Audit Node Groups 3–11 etaudit_gs.doc, printed on 12/18/2002, at 9:34 AM Step 2: Add Members to the Audit Node Group After you choose New AN, the New Audit Node (AN) dialog appears: 2. Complete the fields on the dialog as follows to add the first member to the AN group: Host Name For the purpose of this scenario, the first machine to add to this AN group is the Windows 2000 machine, SYSTEMA. Enter the name of the Windows system onto which you installed the Client tools in the Host name field. Note: From this point forward, sample screens will show SYSTEMA as the name of the Windows system. Your screens should show the name of your Windows system. AN Type The AN type identifies the type of audit node. An AN type describes the class of Recorder running on the host machine. In this case, leave the AN Type as NT representing the class of Recorders that is associated with the Windows NT and Windows 2000 platforms (which includes the recorder required to tap into the Windows Event Logs). 3–12 Getting Started etaudit_gs.doc, printed on 12/18/2002, at 9:34 AM Step 2: Add Members to the Audit Node Group AN Name As you entered characters into the Host name field, the AN Name field was automatically filled for you. You can ignore this field for now, as its value is not typically used except when doing advanced policy administration. Add to Group The name of the AN group that you are adding a member to. The value of this field is already specified for you. Description We recommend that you use the Description field to record the reasons why you are adding this member to this AN group. When you finish entering values into the fields, your dialog should resemble the following sample: 3. Click OK. 
After you click OK, the Policy Manager is updated with the new AN. The audit node you just defined appears in the right pane, meaning you successfully added this entry to the AN group. However, you have done more than just add a machine to this AN group: you added a machine and identified the class of recorders that are going to be used on it (the AN Type field identifies the class of recorders).

Now, you are ready to add the second audit node in the scenario to this AN group.

4. Right-click the AN group object that you just created (SampleScenario), and choose New AN from the pop-up menu. After you choose New AN, the New Audit Node (AN) dialog appears.

5. Complete the fields on the dialog as follows to add the second member to the AN group:

Host Name: For the purpose of this scenario, the second machine to add to this AN group is the Solaris machine. Enter the name of the UNIX system onto which you installed the Client tools in the Host name field.

Note: From this point forward, sample screens show SYSTEMB as the name of the UNIX system. Your screens should show the name of your UNIX system in the Host name field.

AN Type: The AN type identifies the type of audit node; it describes the class of Recorder running on the host machine. In this case, you are adding a Solaris machine to this AN group, so an AN Type of NT is not correct. Instead, use the drop-down arrow (as shown in the following sample dialog) to choose Unix. Unix represents the class of Recorders associated with UNIX platforms, which includes the recorders required to tap into syslog and sulog events.
AN Name: As you entered characters into the Host name field, the AN Name field was automatically filled for you. You can ignore this field for now, as its value is not typically used except when doing advanced policy administration.

Add to Group: The name of the AN group to which you are adding a member. The value of this field is already specified for you.

Description: We recommend that you use the Description field to record the reasons why you are adding this member to this AN group.

6. When you finish entering values, click OK. After you click OK, the Policy Manager is updated with the new AN.

What’s Next?

You have learned how to perform some important tasks using the Policy Manager, including the following:

1. Define an audit node group.
2. Define audit nodes that are members of the audit node group.

Moreover, you have learned these skills on the road to creating a working eTrust Audit environment. In the next chapter, you continue completing the objectives in the scenario while learning how to perform the following tasks:

3. Create policies that identify the events that should be harvested from the Windows and UNIX sources.
4. Specify rules that identify specific event record matching criteria and actions to be taken.

Chapter 4 Creating Policies

Implement Enterprise-wide Security Policies (Part 2)

In the previous chapter, you created an AN group and added members to it. These are the first two steps in the sample scenario:

1. Define an audit node group.
2. Define audit nodes that are members of the audit node group.

You will complete the following step in this chapter:

3. Create policies that identify the events that should be harvested from the Windows and UNIX sources.

Step 3: Create Policies

So far you have created an AN group and added two ANs to the group. The ANs identify both the systems on which the Recorders have been installed and the class of recorder to use to read the events. In this next step, you identify the specific types of events that you want the previously installed Recorders to harvest from the various system logs. You do this by creating a policy folder and then creating policies within that folder.

Create a Policy Folder

To create a policy folder, follow these steps:

1. Click Policies on the left side of the Policy Manager, as shown in the following illustration. After you click Policies, the Policy view appears. First, create a policy folder to hold the specific policies that you are about to create.

2. Right-click the white space area under the Default Policies folder, and choose New from the pop-up menu. After you choose New, the Policy Wizard appears.

3. Specify a name and description for the new folder as follows:
   a. Enter SampleScenario in the Name field.
   b. Enter a description in the Description field, such as Policy Folder that is to be used for the sample scenario.
   Your wizard should resemble the values in the following sample.

4. Click Finish.
The Policy Manager is updated and shows the new policy folder you just created in the left pane.

Add Windows Policy to the Policy Folder

The next step is to add specific policies to the policy folder that you just created. To add a policy to a policy folder, follow these steps:

1. Right-click the SampleScenario policy folder, and choose New Policy from the pop-up menu as shown in the following sample. The Policy Wizard appears. For the purpose of this scenario, the first policy object to add to this policy folder is for the Windows NT platform.

2. Choose Policy by AN type, and then use the drop-down to choose NT. The NT audit node type is the class associated with the standard Windows NT and Windows 2000 recorders.

3. Next, enter a name and description for this policy item as follows:
   a. Enter a name for this policy item in the Name field, such as SampleScenarioPolicyForWindows.
   b. Enter a description for this policy item in the Description field, such as Windows policy that we will use to support this sample scenario.
   Your Policy Wizard should resemble the following sample.

4. Click Finish. The Policy Manager is updated.

5. Expand the SampleScenario branch. The new policy you just created appears in the left pane beneath the SampleScenario policy folder.

Specify Properties for the Windows Policy

The next step is to specify properties for the policy item that you just created.
Policy properties identify the types of events that you want to monitor. To specify the audit events to be monitored by this policy:

1. Right-click the policy item you just created, and then choose Properties from the pop-up menu as shown in the following sample. After you click Properties, the Properties dialog appears.

2. To edit the policy settings, click the Audit tab. The options for the various audit events appear on the Audit tab.

3. To specify the events that you want to harvest, click the Audit These Events radio button. The check boxes for the various audit events become enabled.

4. For the purpose of this scenario, turn on all of these events except File and Object Access. To do this, check all of the boxes in the Success and Failure columns except those for File and Object Access, as shown in the following sample.

Note: Setting up File and Object Access auditing is easy to do, but it introduces some additional policy configuration steps that are not covered as part of this scenario, which is why we ask you not to select it at this time. For more information about File and Object Access auditing, see the Policy Management Guide.

5. Click OK to save your changes. The Policy Manager is updated.

Add UNIX Policy to Policy Folder

Next, you must define a policy item for the Solaris system that is part of the scenario. To add a policy to a policy folder, follow these steps:

1. Right-click the SampleScenario policy folder, and choose New Policy from the pop-up menu. The Policy Wizard appears. For the purpose of this scenario, the second policy object to add to this policy folder is for the Solaris platform.

2. Choose Policy by AN type, and then use the drop-down to choose Unix. The UNIX audit node type is the class associated with the standard UNIX recorders.

3. Next, enter a name and description for this policy item as follows:
   a. Enter a name for this policy item in the Name field, such as SampleScenarioPolicyForUNIX.
   b. Enter a description for this policy item in the Description field, such as UNIX policy that we will use to support this sample scenario.
   Your Policy Wizard should resemble the following sample.

4. Click Finish. The Policy Manager is updated and appears as before, with the new policy you just created in the left pane beneath the SampleScenarioPolicyForWindows policy.

Specify Events to Harvest

For eTrust Audit to harvest events, those events must be there in the first place. In other words, the Recorders cannot harvest events from a Windows NT Event Log if Windows NT is not generating those events. Similarly, Recorders cannot harvest events from the UNIX event sources if those sources are not configured properly.
Windows: As part of the eTrust Audit Commit process, the Client components deployed on the Windows platforms automatically update the Windows Local Security Policy settings on the machine where they are executing, to ensure that the events you have indicated you want to harvest are being generated. eTrust Audit does this automatically for you by using standard Windows interfaces.

UNIX: On UNIX platforms, however, there are no standard interfaces available to automatically update these settings on your behalf, so you might have to perform some manual configuration tasks to ensure that the data you want eTrust Audit to harvest is actually being generated. Most UNIX systems administrators are familiar with the process of configuring syslog, sulog, and other facilities. If you are not familiar with these UNIX configuration tasks, see the “Installing the Data Tools Components on UNIX” appendix. It includes examples of how to configure these systems appropriately so that the event data you want eTrust Audit to harvest is available.

What’s Next?

You have now completed the first three steps of the scenario. Specifically, you have done the following:

1. Defined the AN group.
2. Defined audit nodes that are members of the AN group.
3. Created policies to identify the events that should be harvested from the Windows and UNIX sources.

In the next chapter, you complete the next two steps:

4. Specify rules that identify specific event record matching criteria and the actions to be taken when the criteria are met.
5. Associate the policies created in Steps 3 and 4 to the AN group that you created in Steps 1 and 2 by attaching the policy folder to the AN group.
Chapter 5 Creating Rules and Associations

Implement Enterprise-wide Security Policies (Part 3)

In the previous chapters, you created an AN group, added members to it, and created policies for a Windows and a UNIX system from which you want to harvest event data. These are the first three steps in the sample scenario:

1. Define an audit node group.
2. Define audit nodes that are members of the audit node group.
3. Create policies that identify the events that should be harvested from the Windows and UNIX sources.

You will complete the following steps in this chapter:

4. Specify rules that identify specific event record matching criteria and actions to be taken.
5. Associate the policies created in Steps 3 and 4 to the audit node group that was created in Steps 1 and 2.

Step 4: Specify Rules

Return to the Policy Manager and switch back to Policy view. So far you have identified the event sources that you want to tap into (standard Windows events and standard UNIX events). The next step is to further qualify the types of events that you want to harvest from those sources, and what actions you want eTrust Audit to perform. For example, when eTrust Audit detects a particular event, you can tell it to do any of the following:

■ Forward the event to an alternate Router
■ Forward the event to the Collector database
■ Send the event to the Security Monitor to alert the user that the event has occurred
■ Send the event to the Unicenter Event Management components
■ Perform another action of your choice

You do this by defining rules.

Important! Defining rules is a very important policy configuration task because the default rule under which eTrust Audit operates is to ignore all of the events it encounters. In other words, if you do not specify a rule for how an event should be handled, eTrust Audit assumes that you are not interested in the event and ignores it.

When you define a rule, you do two things:

■ Specify criteria (that is, a filter) that eTrust Audit uses to determine which events are subject to the action described in the rule
■ Specify the action you want eTrust Audit to take

In this scenario, rather than construct your own criteria, you are going to take advantage of the extensive set of predefined rules that are provided with eTrust Audit as default policies (also known as sample templates).

Review Default Policies

To view the set of default policies, follow these steps:

1. Expand the Default Policies branch of the tree by clicking the plus sign (+). For the purpose of this scenario, you will use some of the default NT and UNIX rules, specifically the collection-related rules.

2. To access these collection-related rules, expand the Default Policies branch until the NT and UNIX Collection Events branches are visible in the tree on the left portion of the Policy Manager.

Copy Default Policy Rules to Your Sample Policy

To use the collection-event related rules from the Default Policies area, copy and paste them on top of the policies in the SampleScenario folder.
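The rule semantics described above (criteria plus actions, with unmatched events ignored by default) and the policy-folder-to-AN-group attachment that Step 5 performs later, as an added Python model that is not eTrust Audit's own code; the class and function names and the sample records are assumptions chosen for the illustration.

```python
"""Added illustration (not CA's code): a small model of the rule semantics
this chapter describes. Names such as AuditNode, Rule, Policy, PolicyFolder
and route_event are assumptions chosen for the illustration; the event
records at the bottom are constructed samples."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class AuditNode:
    host: str
    an_type: str            # "NT" or "Unix": the class of Recorder on the host


@dataclass
class Rule:
    name: str
    criteria: Callable[[dict], bool]                        # the filter
    actions: Dict[str, str] = field(default_factory=dict)   # action -> target host


@dataclass
class Policy:
    name: str
    an_type: str            # "Policy by AN type": applies only to ANs of this type
    rules: List[Rule] = field(default_factory=list)


@dataclass
class PolicyFolder:
    name: str
    policies: List[Policy] = field(default_factory=list)
    attached_groups: Set[str] = field(default_factory=set)  # Step 5 associations


# Steps 1 and 2: the SampleScenario AN group and its two members.
AN_GROUPS = {"SampleScenario": {AuditNode("SYSTEMA", "NT"),
                                AuditNode("SYSTEMB", "Unix")}}


def log_is(*names):
    """Criterion that selects all records from the named log(s)."""
    return lambda event: event.get("log") in names


def make_folder(attach: bool = True) -> PolicyFolder:
    """Steps 3 and 4: the SampleScenario folder with the copied default rules
    and the Collector / Security Monitor actions. attach=False leaves Step 5 undone."""
    nt = Policy("SampleScenarioPolicyForWindows", "NT", [
        Rule("NT-Application", log_is("Application"), {"Collector": "SYSTEMA"}),
        Rule("NT-Security", log_is("Security"),
             {"Collector": "SYSTEMA", "Security Monitor": "SYSTEMA"}),
        Rule("NT-System", log_is("System"), {"Collector": "SYSTEMA"}),
    ])
    unix = Policy("SampleScenarioPolicyForUNIX", "Unix", [
        Rule("Collection Events", log_is("syslog", "sulog"), {"Collector": "SYSTEMA"}),
    ])
    folder = PolicyFolder("SampleScenario", [nt, unix])
    if attach:
        folder.attached_groups.add("SampleScenario")
    return folder


def route_event(event: dict, folder: PolicyFolder) -> Dict[str, str]:
    """Return {action: target} for an event, or {} when the default applies and
    the event is ignored (no attached group, wrong AN type, or no matching rule)."""
    node = next((an for g in folder.attached_groups
                 for an in AN_GROUPS.get(g, ()) if an.host == event["host"]), None)
    if node is None:
        return {}                                  # Step 5 not done, or host not a member
    targets: Dict[str, str] = {}
    for policy in folder.policies:
        if policy.an_type != node.an_type:         # NT rules never see Unix events
            continue
        for rule in policy.rules:
            if rule.criteria(event):
                targets.update(rule.actions)       # a white bell (no actions) adds nothing
    return targets


if __name__ == "__main__":
    # Constructed sample records, one per source used in the scenario.
    samples = [{"host": "SYSTEMA", "log": "Security", "msg": "logon failure"},
               {"host": "SYSTEMA", "log": "Application", "msg": "service started"},
               {"host": "SYSTEMB", "log": "sulog", "msg": "su to root succeeded"},
               {"host": "SYSTEMB", "log": "Security", "msg": "not a UNIX log"}]
    for attached in (False, True):
        f = make_folder(attach=attached)
        for ev in samples:
            print("attached" if attached else "detached", ev["host"], ev["log"],
                  "->", route_event(ev, f) or "ignored")
```

Run it once detached and once attached to see that nothing is routed until the AN group is attached, and that the NT-Security rule alone fans out to both the Collector and the Security Monitor.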
The default rules that you will use in this scenario appear in the tree as follows:

NT Policy
  Collection Events
    NT-Application: Criteria to select all messages from the Windows Event Viewer Application Log
    NT-Security: Criteria to select all messages from the Windows Event Viewer Security Log
    NT-System: Criteria to select all messages from the Windows Event Viewer System Log
UNIX Policy
  Collection Events

To copy policies, follow these steps:

1. Right-click the policy item, and then choose Copy from the pop-up menu as shown in the following sample. For example, right-click the NT-Application default policy item, and then choose Copy from the pop-up menu.

2. Right-click the policy item into which you want to paste the default policy item, and choose Paste from the pop-up menu. For example, right-click the SampleScenarioPolicyForWindows policy item, and choose Paste from the pop-up menu. After you complete the paste operation, the NT-Application default policy appears under the SampleScenarioPolicyForWindows policy item. Double-click the SampleScenarioPolicyForWindows policy item to expand it.

3. Repeat this copy and paste operation on the NT-Security and NT-System events so that they are both copied to the SampleScenarioPolicyForWindows item.

4. Next, copy the Collection Events item beneath Unix Policy, and paste it into the SampleScenarioPolicyForUNIX item.

5. When you finish, click the minus sign (-) to the right of Default Policies to collapse that tree branch.
Now that you have added filters to your policies, you can specify actions.

Specify Actions

The white bell to the left of the items in the tree, such as NT-Application, indicates that while a valid rule exists, the rule does not actually do anything because you have not provided an action.

To specify actions, follow these steps:

1. Right-click a rule, and choose Properties from the pop-up menu as shown in the following sample. For example, right-click NT-Application, and choose Properties from the pop-up menu. The Properties dialog appears.

2. To specify an action, click the Actions tab. Use the Actions tab to select the action you want performed when an audit event record is detected that matches the criteria specified in this rule. As you can see, several different actions are available. For the purpose of this scenario, you will specify the following actions:

■ The Collector action for all of the rules you have defined. The Collector action indicates that you want the event records that match the criteria specified in this rule to be sent to the Collector database.
■ The Security Monitor action for Windows Security related events. This action indicates that you want the event records that match the criteria specified in this rule to be sent to the Security Monitor.

Add the Collector Action

To specify the Collector action, follow these steps:

3. Click the checkbox to the left of Collector, and then click Add, as shown in the following illustration. After you click Add, the Add Target dialog appears.

4. Enter the host name (or IP address) of the machine where the Collector database components are installed in the Host Name or IP Address field, and then click OK. The target machine is the system that you want this message sent to for storing in a Collector database. For the purpose of this scenario, the Collector database was installed on a machine named SYSTEMA. Therefore, enter SYSTEMA in the Host Name or IP Address field, and then click OK.

Note: Substitute the name (or IP address) of the machine on which you installed the Collector database components for SYSTEMA.

When you click OK, the Actions tab shows the new target.

5. Click OK again to save the action and target Collector database information. You just defined a Collector action, which indicates that audit events that match the criteria specified in this rule are sent to the Collector running on SYSTEMA. After you click OK, the bell next to the rule to which you just added an action is blue. The blue bell indicates that you have an action associated with this rule.

6. Repeat Steps 1 through 5 for each of the other rules, so that each of the rules has an action of Collector with the same host name as you just specified for the NT-Application rule. When you finish defining these actions, the bells are blue for all the policies, indicating that you have defined actions for them.
Add the Security Monitor Action

Now that you have assigned the Collector action to the policies, it is time to add the Security Monitor action. The Security Monitor action sends events to the Security Monitor. For the purpose of this scenario, you will add a Security Monitor action to the NT-Security policy object, and only that object. As a result, those events are sent to the Security Monitor in addition to being sent to the Collector database components.

To add an action to the NT-Security policy, follow these steps:

1. Right-click the NT-Security policy item, and then choose Properties from the pop-up menu. After you choose Properties, the Properties dialog appears.

2. Click the Actions tab.

3. In the top part of the window, use the scroll bar to scroll down until you see Security Monitor, and then check Security Monitor.

4. In the Details portion of the window, click Add. After you click Add, the Add Target dialog appears.

5. Enter the host name (or IP address) of the machine where the Security Monitor component (part of the Data Tools) is installed in the Host Name or IP Address field, and then click OK. The target machine is the system that you want these messages sent to for display on the Security Monitor. For the purpose of this scenario, the Security Monitor was installed on a machine named SYSTEMA. Therefore, enter SYSTEMA in the Host Name or IP Address field, and then click OK.
Note: Substitute the name (or IP address) of the machine on which you installed the Data Tools components for SYSTEMA.

When you click OK, the Actions tab shows the new target.

6. Click OK again to save the action and target Security Monitor information. The Policy Manager is visible again on the desktop.

Step 5: Create Associations

The next step is to establish a link, or association, between the AN group object you created and populated in Steps 1 and 2 and the policy folder that you created and populated in Steps 3 and 4. If you do not create the association, eTrust Audit does not know which policies apply to which groups. To create the required associations, follow these steps:

1. Collapse the SampleScenario item on the tree by clicking the minus sign (-).

2. Right-click the SampleScenario item on the tree and choose Attach AN Group from the pop-up menu. After you choose Attach AN Group, the Attach AN Groups dialog appears.

3. Check the SampleScenario AN group item, and then click OK.

4. Expand all levels of the SampleScenario policy folder. The Policy Manager window now shows the associations between the AN group and the policy folder, which are now in place.

What’s Next?

You have now completed the first five steps of the scenario. Specifically, you have done the following:

1. Defined the AN group.
2. Defined audit nodes that are members of the AN group.
3. Created policies to identify the events that should be harvested from the Windows and UNIX sources.
4. Specified rules that identify specific event record matching criteria, and the actions to be taken when the criteria are met.
5. Associated the policies created in Steps 3 and 4 to the AN group that you created in Steps 1 and 2 by attaching the policy folder to the AN group.

In the next chapter, you complete the final three steps:

6. Activate the policy.
7. Monitor the deployment of the policy you just activated.
8. View the results.

Chapter 6 Activating and Monitoring Policies

Implement Enterprise-wide Security Policies (Part 4)

In the previous chapters, you completed the following steps in the scenario:

1. Defined an audit node group.
2. Defined audit nodes that are members of the audit node group.
3. Created policies that identified the events that should be harvested from the Windows and UNIX sources.
4. Specified rules that identify specific event record matching criteria and actions to be taken.
5. Associated the policies created in Steps 3 and 4 to the audit node group that was created in Steps 1 and 2.

In this chapter, you complete the final three steps:

6. Activate the policy.
7. Monitor the deployment of the policy you just activated.
8. View the results.

Step 6: Activate the Policy

Now that you have associated a policy with an AN group, you must activate the policy so that eTrust Audit starts harvesting the events and sending them to the appropriate places. To activate the policy, follow these steps:

1. Expand the SampleScenario policy by clicking the plus sign (+). Notice that next to each of the policies that you defined there is a blue bell.
The blue bell indicates that the policies are defined properly but are currently not eligible to be activated. Therefore, you must toggle the eligibility setting of these policies so that they are eligible for activation.

2. Click the blue bell icon to the left of a policy item, for example, NT-Application. The color of the bell immediately changes to red, which means that the policy is eligible for activation.

3. Click each of the blue bell icons, one by one, until all of the policies have red bell icons next to them, as shown in the following sample. Now that you have made the individual rules eligible for activation (as indicated by the red bells), the next step is to activate the entire policy folder object.

4. Right-click the policy folder object that you want to activate, and then choose Activate from the pop-up menu. When you choose Activate, a confirmation dialog appears.

5. Click Yes. After you confirm your intention to activate the policies, the Policy Manager changes to show the results of policy compilation. The last line visible in the Compilation window indicates that the policy compilation finished successfully, which means that the policies have been processed by the Policy Manager compiler, found suitable for deployment, and that policy distribution is starting.
Step 7: Monitor Deployment of the Policies

When the policy compilation is completed, the eTrust Audit Policy Manager automatically distributes the policies to the appropriate machines (the machines you earlier identified as members of the AN group). To view the results of this activation and deployment, do the following:

■ Click the Policy Activation Log icon, as shown in the following illustration.

After you click Policy Activation Log, the Policy Manager displays the activation log. If any errors are encountered in the distribution of the policies, those errors are reported here. See the online help for the Policy Manager for additional information about these distribution messages.

Step 8: Viewing the Results

The next step is to view the results of your efforts in the Viewer and the Security Monitor.

eTrust Audit Viewer

The easiest way to view events routed to the Collector database is to start the Viewer. To start the Viewer, do the following:

■ From the Start menu, choose Programs, Computer Associates, eTrust, Audit, Viewer.

You should already see events from the sources you specified as part of this sample scenario.

eTrust Audit Security Monitor

Remember that in addition to defining a Collector action, you also defined a Security Monitor action and told eTrust Audit that any events from the NT Security logs should be sent to the Security Monitor.
To start the Security Monitor, follow these steps:

■ From the Start menu, choose Programs, Computer Associates, eTrust, Audit, Security Monitor.

The Security Monitor looks like the following sample:

You should already see events from the sources you specified as part of this sample scenario.

What’s Next?

Congratulations! You have defined the eTrust Audit policies required to put eTrust Audit to work: you can now harvest audit event data from UNIX sources and from Windows 2000 sources; you can get this event data into a Windows 2000 Collector database, where it is available to you through the eTrust Audit Viewer; and you have directed eTrust Audit to send NT-Security related events to the Security Monitor. Specifically, you have accomplished the following:

1. Defined the AN group.
2. Defined audit nodes that are members of the AN group.
3. Created policies to identify the events that should be harvested from the Windows and UNIX sources.
4. Specified rules that identify specific event record matching criteria, and the actions to be taken when the criteria are met.
5. Associated the policies created in Steps 3 and 4 with the AN group that you created in Steps 1 and 2 by attaching the policy folder to the AN group.
6. Activated the policy.
7. Monitored the deployment of the policy you just activated.
8. Viewed the results.

The next chapter describes how to filter records in the Viewer and how to generate reports.
Chapter 7 Viewing, Monitoring, and Reporting on Events

This chapter provides a brief overview of the following Data Tools components:

■ Viewer
■ Reporter
■ Security Monitor

Viewer: Organize, Filter, and View Audit Data

The Viewer is a versatile tool that lets you organize and view audit data according to your specific needs. With the Viewer, you can view, filter, and print your audit logs as you can from any other database. The filter is a special utility that lets you focus on particular audit information.

Starting the Viewer

To start the Viewer, click Start in the taskbar, and then choose Programs, Computer Associates, eTrust, Audit, Viewer.

Note: If you are using Oracle or SQL Server, when you start the Viewer you might be asked for the server name, user name, and password required to connect to the database. See the Reference Guide for further information.

Filtering Events

You use filters to narrow the displayed records down to the information you are interested in viewing. Filter options are divided into three categories:

■ Filter by Field lets you filter by specific criteria and also lets you perform a search in the Details/Info field.
■ Filter by Events lets you filter according to different types of events, such as Logon or Administration.
■ Filter by File lets you track down sets of activities performed on files according to the file name.

You invoke a filter by clicking the appropriate icon in the toolbar, and then by selecting fields in the dialog that opens. The filtered information is automatically displayed on screen. When you open the Viewer, you might see a list of records.
You will apply a filter to streamline the information on screen.

Applying a Viewer Filter

The first filter we will describe is the Filter by Field.

1. Click the Filter by Field icon in the toolbar to open the Filter by Fields dialog, as follows:
2. Under View From, click Events On and specify yesterday’s date. Then, under View Through, click Events On and specify today’s date.
3. Under Types, uncheck all the options except Information.
4. Click OK.

The Viewer automatically updates its contents to display only those records that match the criteria.

Tip: You can save the filter for future use, either for all users or just for the current user.

Saving a Viewer Filter

The following example shows you how to create a filter for all warning and error message events and save it for subsequent use.

1. In the left pane of the Viewer, select the filter group for which you want to create a new filter. You can add a new filter to any group other than the Pre-defined filters group. Right-click the group and select New Filter, then choose By Fields, as shown in the following:

The new Filter by Fields dialog appears:

2. Under View From, leave the default First Event. Under View Through, leave the default Last Event.
3. Under Types, uncheck all the options except Warning and Error.
4. Click Save this filter definition for later use. The Filter Name dialog appears:
5. Enter the name WarningsAndErrors, click Current user only as shown in the following dialog, and then click OK.
Your new filter appears in the left pane:

Applying a Viewer Filter

To apply a filter, simply double-click the filter in the left pane. The filter is applied and the results appear automatically in the Viewer.

Deleting a Viewer Filter

To delete a filter, right-click it in the left pane and choose Delete.

Reporter: Customize Reports to Suit Your Organization

eTrust Audit makes it easy to schedule and tailor a wide range of reports that keep you up to date on the security of your business.

Starting the Reporter

To start the Reporter, select Start, Programs, Computer Associates, eTrust, Audit, Reporter. The Reporter opens as follows:

Displaying and Printing Reports

You can customize the Reporter to meet your needs. For example, you can do the following:

■ Select from various display formats for your reports.
■ Select from several predefined schedules on which the report will run.
■ Assign a user-defined file that the report will overwrite each time it is transferred.
■ Tell eTrust Audit to notify you by email once the report is complete.
■ Choose to limit the report using constraints such as time frame or computer and user name.
■ Select the database from which eTrust Audit will gather the report data.

Scheduling Reports

To schedule and view reports:

1. In the folder General Reports, click the plus sign to view all the reports. The list expands to display all the general reports, as follows:
2. Right-click the report Details of Logon/Logoff events, and then choose Add to Schedule from the drop-down menu.
The Add to Schedule dialog appears:

3. Under Task, Format, choose HTML 3.0 document from the drop-down menu. Leave the default value Schedule Next and, under Days, select the current day of the week. (In this example, we chose Thursday.)
4. To customize the data displayed in the report, click Options. The following screen appears.
5. In Query Dates, select Today only, and then click OK. The Add to Schedule dialog reappears.
6. In the Add to Schedule dialog, set the value of the At field to one minute later than the actual computer time. Click OK again to close the Add to Schedule dialog. The report is automatically generated into the queue. A message indicating successful scheduling is displayed; click OK.
7. Select the Scheduled Reports tab to view the report name and details:
8. To view the report immediately, click the View Reports tab. Then, in the right pane under Creation Time, double-click the report you want to open.

A new window opens displaying the selected report, in this particular case using Internet Explorer, as follows:

Security Monitor: Critical Audit Data Delivered in Near-Real-time

System administrators and security personnel can use the Security Monitor to receive heads-up notification of potentially significant events. The Security Monitor displays the events that you have indicated (through policy definition) you want brought to the specific attention of users of the Security Monitor.
The Security Monitor also doubles as an internal “messenger” for eTrust Audit Services. During installation, you can configure one Security Monitor to “hold or receive” all eTrust Audit internal services messages.

Events that appear in the Security Monitor are events that you specified should be directed to it, and they are sent directly to the Security Monitor. These events are not stored by the Security Monitor in a Collector database. (If you want these events stored in a Collector database, you must specify that action using the Policy Manager.)

Using facilities included with the Security Monitor, you can do the following:

■ Specify how many records the monitor will display in its “wrap around” buffer.
■ Save the records to a file.
■ Export selected events into any application using a Windows copy command.

Note: The Security Monitor has no report generation, no filtering, no multiple-windowing capabilities, and no ability to display events that might have been sent to it while it was not running. It is a (near) real-time monitor only.

Starting the Security Monitor

To start the Security Monitor, click Start, then choose Programs, Computer Associates, eTrust, Audit, Security Monitor. In the Windows system tray, a light bulb icon appears when the Security Monitor is running.

Tip: Glow lines appear around the yellow light bulb when a new alert arrives; otherwise, the light bulb is white with no glow lines. You can open the Security Monitor by double-clicking the light bulb icon.
The Security Monitor window looks similar to the following:

Viewing Event Details

To view detailed information about an event, double-click the desired event to open the corresponding Event Detail window. The event details display provides a full description of the selected event. You can view the previous event (record) or the next event from this window by clicking Previous or Next. You can also print the event details. This is an example of an Event Detail window:

What’s Next?

Organizing, filtering, and viewing audit data is easy. You have learned the basics about the Viewer, the Reporter, and the Security Monitor. In the following chapter, you will find answers to common questions about eTrust Audit. Take a moment to read through the material, as it provides valuable information to increase your knowledge about your new software.

Chapter 8 Frequently Asked Questions

Answers To Common Questions

In this chapter, you will find answers to common questions about eTrust Audit.

Question: Does eTrust Audit archive the audit collection?

Answer: Not directly; however, eTrust Audit sends events to a commercial relational database (Oracle, SQL Server, or Microsoft Access), and the data in those databases can be managed and archived with standard database administration tools.

Question: What is the overhead on the network caused by eTrust Audit?

Answer: The overhead depends on the amount of data you want to collect, on the type of events your system generates, and so on. The average amount of data sent by the Distribution Agent for each audit record is approximately 300 bytes.
Question: How much disk space and memory are required for the Collector system?

Answer: A Collector system needs a processor with a minimum speed of 350 MHz and at least 128 MB of RAM. The event database requires 0.6 KB to 2 KB per record.

Question: Where does filtering occur? Does filtering occur at the initial recording point, where the routing agent is placed, or at the Collector or later?

Answer: Filtering can be applied at any level of event routing. It may be applied at the recorder service, which defines which events are submitted to eTrust Audit. It may also be applied on the client machine to define which events are sent to the Collector.

Question: Does eTrust Audit pass information in clear text over the wire?

Answer: Data transferred from the Recorder and SAPI client (recorder) to router, from router to router, and from router to Collector is protected by pluggable encryption. DES encryption is the default.

Question: If I have an application that is not currently supported by eTrust Audit, can I still route the application events to the Collector?

Answer: You can provide the bridge between your application and the Collector in several ways:

■ SNMP traps—You can use the eTrust Audit SNMP traps to send standardized event information to the eTrust Audit SNMP Recorder. Many products are readily available to send such event information. This routing path must be properly configured so that eTrust Audit will be able to receive and handle this application information.
■ Submit API—This is a powerful and thorough method to send event information to the Collector. By programming with eTrust Audit Submit API function calls, applications can send complete, detailed messages to eTrust Audit; in turn, eTrust Audit can perform more granular and more intelligent analysis on the collected data, and activate alerts when needed.
■ Standard System Logs—If your application sends messages to the standard Windows Event Logs or to the UNIX syslog, eTrust Audit can harvest messages from those facilities’ generic “flat” log files. Included with eTrust Audit is a facility known as the generic recorder. The generic recorder can be configured to harvest messages from flat files, which are used as log files by many applications. If your application generates “flat file logs,” using the eTrust Audit generic recorder might be another viable way of harvesting event information from that application.
■ eTrust Products—You can send your application event information from eTrust products to eTrust Audit. eTrust Audit provides full support for most of the eTrust products and can consolidate collected information for analysis and pattern matching. In this way, application activities that are tied to eTrust products, or that can be captured by eTrust products, can send events to eTrust Audit through the related eTrust product. For example, certain firewall products can generate events based on network connections or application sessions. In this case, firewall information can be captured by eTrust™ Intrusion Detection, and be collected and sent to eTrust Audit for analysis or archiving.

Question: Are there predefined rules that can be deployed right away?

Answer: eTrust Audit provides several predefined rules that can be deployed right away. Each policy is divided into two sections, each with associated rules.
The two sections include:

■ Collection rules: all the events from that source type
■ Suspicious events rules: security and system related events that include:
  – Logon (successful/failure)
  – Critical objects tampering
  – Network connections
  – “Touching” OS/Application Super User
  – Account Management
  – Changing permissions or security policies

Appendix A Installing the Client Components on UNIX

This is an optional installation step and is necessary only if you plan to harvest audit data from UNIX or Linux servers.

Pre-Installation Considerations

This installation process requires you to provide answers to several questions. To ensure proper results, we encourage you to have answers prepared for these questions before beginning the installation.

General Information

You should have answers to the following general questions before beginning the installation of the Client components on UNIX:

■ Name of the machine that will be serving as the Self-Monitor host (also known as the Security Monitor)
■ Name of the Policy Manager machine (also known as the Trusted Server)

Unicenter Information

eTrust Audit can forward designated audit events to Unicenter. If you plan to enable this feature, you will need to have the following information available:

■ Path (directory name) where the Unicenter Event Management components are installed.
Check Point FireWall-1 Information

If you are installing the eTrust Audit Recorder for Check Point FireWall-1, you need the following information available:

■ Check Point server logical name
■ Check Point server host name or IP address
■ OPSEC port number
■ OPSEC connection type

Note: If you do not have the information above, check with your Check Point FireWall-1 administrator, who should be able to provide you with this information.

Netscape (iPlanet) Information

If a Netscape (iPlanet) server is installed on this machine, and you want eTrust Audit to tap into the Netscape (iPlanet) log, you need the following information available:

■ Fully qualified path (file name) of the Netscape (iPlanet) log file

Pre-Installation Tasks

When installing the Collector database, a separately licensed version of Oracle must already be installed and properly configured to run. You must perform the following pre-installation tasks before you try to install the Data Tools for use with an Oracle database.

Collect Oracle Information

If you will be installing the eTrust Audit Oracle Recorder, have the following information available:

■ Oracle Home path; that is, where the Oracle client software is installed on this machine
■ Oracle SID, if the Oracle database is running on this machine
■ Oracle service name, if the Oracle database is running on a remote machine
■ User name and password of an Oracle user ID with database administrator (DBA) privileges

Note: If you do not have the information above, check with your Oracle database administrator.

Review Logging of UNIX Events

The Recorder that you install on your UNIX system reviews the information in syslog.conf and sulog to determine the names and locations of the log files.
Therefore, you should carefully review the information in syslog.conf and sulog to be sure that you are instructing your UNIX system to log the events that you want to harvest, view, and analyze using eTrust Audit.

Reviewing syslog.conf

This topic provides a brief overview of syslog.conf and some guidelines for the types of entries you might find useful. You should review the syslog.conf file on each of your UNIX systems, and the man pages for your UNIX systems, for more information. If you are familiar with syslog.conf conventions, skip to Guidelines for syslog.conf Entries.

syslog.conf is the configuration file used by the syslogd system log daemon, which reads messages and routes them to log files and users. syslog.conf specifies the types and levels of messages to write to a log file or route to a user. syslog.conf consists of a number of entries with two fields separated by a tab character:

selector    action

where:

selector
Is a list of facilities and severity levels, as follows:

facility.level;facilityn.leveln…

See the UNIX man pages for a description of each of the facilities and levels supported. Some important facilities that you might choose to monitor are as follows:

user      Messages generated by the user process
kern      Messages generated by the kernel
mail      Messages generated by the mail subsystem
daemon    Messages generated by the system daemons
auth      Messages generated by the authorization system, including login and su
*         A mask that represents messages from all facilities

Some of the important levels (in order of descending importance) that you might choose are described in the list that follows. When you specify a level, such as alert, all levels above that level are logged, too.
emerg     Conditions that would normally be broadcast to all users
alert     Conditions that should be corrected immediately, such as a corrupted system database
crit      Warnings about critical conditions, such as device errors
err       Conditions for other errors
warning   Warning messages
notice    Conditions that are not error conditions, but might require special handling
info      Informational messages
debug     Messages that are used only to debug a program
none      No messages

action
Indicates where to forward the message. You can forward the message to the following:

■ A file, such as /var/log/auth
■ The name of a remote host in the form @server, so that the syslog.conf file on that server determines the action for the message
■ An asterisk (*), which means the message is written to all logged-in users

Guidelines for syslog.conf Entries

Consult your enterprise security policy to determine what types of messages you want to log. You might consider these recommendations:

■ Write all messages issued by the login system at the info level and above to a file. For example:

auth.info    /var/adm/syslog

You can specify any name for the file. eTrust Audit will locate the file and harvest the messages in it.

■ Write all system messages to a file. For example:

*.err;kern.notice;auth.notice                /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit     /var/adm/messages

The first line contains three specifications that log messages to the /dev/sysmsg file. The file contains all messages at the error level and above, all kernel messages at the notice level and above, and all auth messages at the notice level and above. The second line contains four specifications.
The file contains all messages at the error level and above, all kernel messages at the debug level and above, all daemon messages at the notice level and above, and all mail messages at the critical level and above.

Tip: Do not worry about logging the same facility and level of messages to more than one file. eTrust Audit reviews the timestamp and text of all messages and harvests only one version of the message.

■ eTrust Audit ignores messages routed to users, such as the following:

*.alert;kern.err;daemon.err    operator
*.alert                        root
*.emerg                        *

■ Check the syslog.conf on other servers to make sure messages routed to another server are written to a file. For example, the following entry routes all auth facility messages at the info level and above to the server named systemq:

auth.info    @systemq

Review the syslog.conf file on systemq to ensure that these messages are written to a file.

Reviewing sulog

sulog is a log file of all the attempts by users to issue the su command, which is the command to become the superuser. eTrust Audit harvests all events in sulog.

Installation Steps

Use the following procedure to install the Client components on UNIX:

1. Log in to the UNIX machine as root.
2. Place the eTrust Audit installation media into the CD-ROM drive, and change to the installation directory for the Client components for the version of UNIX you want to install, as follows:

cd /CDROM_MOUNT_POINT/eTrust/Audit/Client/version_of_UNIX

where version_of_UNIX is one of the following:

■ Aix
■ Hpux
■ Linux
■ Solaris
■ Tru64

3. Use the ls command to view the contents of that directory. You will find three files in that directory, as follows:

■ A tar archive that contains the product install image: _xxxxxxxxxxxxxxxxxx.tar.Z, where xxxxxxxxxxxxxx is substituted with the platform and build designation.
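The selector and action rules described under Reviewing syslog.conf above, worked through in code. This is an added example and is not part of the eTrust Audit guide or product: it parses a constructed syslog.conf made up of the entries the guide quotes, applies the "level and above" rule, and reports which actions receive a given message, separating file actions (which eTrust Audit can harvest) from @server routes (which must be checked on the receiving server) and user routes (which the guide says eTrust Audit ignores). Two details go beyond the guide's examples: facility lists such as kern,daemon.err, and the BSD syslogd rule that a later selector for the same facility overrides an earlier one within one entry.

```python
"""Work out where syslogd routes a message from syslog.conf selector/action
entries. Added example, not part of the eTrust Audit guide or product; the
sample configuration below is constructed from the entries the guide quotes."""
import re
from typing import Dict, List, Tuple

# Severity levels in descending order of importance, as listed in the guide.
# A selector "fac.level" matches that level and every more important level.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
RANK = {name: i for i, name in enumerate(LEVELS)}   # lower number = more important

# Constructed sample syslog.conf built from the guide's own example entries.
# Selector and action are separated by a tab, as syslog.conf requires.
SAMPLE_SYSLOG_CONF = "\n".join([
    "# login/su messages at info and above, in a file eTrust Audit can harvest",
    "auth.info\t/var/adm/syslog",
    "*.err;kern.notice;auth.notice\t/dev/sysmsg",
    "*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages",
    "*.alert;kern.err;daemon.err\toperator",
    "*.alert\troot",
    "*.emerg\t*",
    "auth.info\t@systemq",
])

Selector = Tuple[str, str]            # (facility, level); facility "*" is the mask
Entry = Tuple[List[Selector], str]    # (selectors, action)


def parse_syslog_conf(text: str) -> List[Entry]:
    """Parse syslog.conf text into (selectors, action) entries. Also accepts
    'fac1,fac2.level', which syslogd allows but the guide's examples do not use."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = re.split(r"\s+", line, maxsplit=1)   # tab (or spaces) between the fields
        if len(fields) != 2:
            raise ValueError(f"entry needs a selector and an action: {raw!r}")
        selector_field, action = fields
        selectors: List[Selector] = []
        for spec in selector_field.split(";"):
            if "." not in spec:
                raise ValueError(f"selector without a level: {spec!r}")
            facilities, level = spec.rsplit(".", 1)
            if level not in RANK and level != "none":
                raise ValueError(f"unknown level {level!r} in {raw!r}")
            selectors.extend((fac, level) for fac in facilities.split(","))
        entries.append((selectors, action))
    return entries


def classify_action(action: str) -> str:
    """Classify an action as the guide does: a file, a remote host (@server),
    or users (user names, or '*' for all logged-in users)."""
    if action.startswith("/"):
        return "file"
    if action.startswith("@"):
        return "remote"
    return "users"


def route(entries: List[Entry], facility: str, level: str) -> Dict[str, List[str]]:
    """Return the actions, grouped by kind, that receive a message of the given
    facility and level. Within one entry a later selector for the same facility
    overrides an earlier one (BSD syslogd semantics), so '*.err;mail.crit'
    delivers mail messages only at crit and above; 'fac.none' drops the facility."""
    if level not in RANK:
        raise ValueError(f"unknown level {level!r}")
    hits: Dict[str, List[str]] = {"file": [], "remote": [], "users": []}
    for selectors, action in entries:
        threshold = None
        for fac, lvl in selectors:
            if fac in ("*", facility):
                threshold = lvl
        if threshold is None or threshold == "none":
            continue
        if RANK[level] <= RANK[threshold]:
            hits[classify_action(action)].append(action.lstrip("@"))
    return hits


def harvestable_files(entries: List[Entry], facility: str, level: str) -> List[str]:
    """Files eTrust Audit could harvest the message from. Per the guide, routes
    to users are ignored and @server routes must be checked on the receiving
    server, so only file actions count."""
    return route(entries, facility, level)["file"]


if __name__ == "__main__":
    conf = parse_syslog_conf(SAMPLE_SYSLOG_CONF)
    for fac, lvl in [("auth", "info"), ("kern", "crit"), ("mail", "err")]:
        print(f"{fac}.{lvl}: {route(conf, fac, lvl)}")
```

Running the block shows, for instance, that an auth.info message lands in /var/adm/syslog and is also forwarded to systemq, while a mail.err message reaches /dev/sysmsg but not /var/adm/messages, because the mail.crit selector in the second entry raises the threshold for the mail facility.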
■ An installation shell script named install_eAuditClient.
■ An installation notes file named Install.txt.

4. While still logged in as root, begin the installation by executing the install_eAuditClient shell script. From the shell prompt, enter the following command:

./install_eAuditClient

The installation script begins.

Tip: You might need to use the chmod a+x install_eAuditClient command if the installation script fails to start.

5. Follow the instructions provided by the installation script.

Appendix B Installing the Data Tools Components on UNIX

This is an optional installation step and is necessary only if you plan to have the Collector running on UNIX using an Oracle database.

About the Data Tools Components

As described in the chapter “The Essentials,” the Data Tools are comprised of two major components:

1. The Data Tools interface (Windows only)
2. The Collector (Windows and UNIX)

The following topics guide you through the process of preparing for installation of the Collector running on a UNIX machine.

Pre-Installation Considerations

The installation process requires you to provide answers to several questions. To ensure proper results, you should have the answers to these questions before beginning the installation of the Collector on UNIX:

■ The name of the machine that will be serving as the Self-Monitor host (also known as the Security Monitor machine)

Pre-installation Tasks

When installing the Collector, a separately licensed version of Oracle must already be installed and properly configured to run. You or your Oracle DBA must perform the following tasks before you try to install the Data Tools for use with an Oracle database.
Prepare the Oracle Database Environment

The following administrative tasks must be performed by an Oracle database administrator (DBA) before you begin the installation of the Collector.

Create Oracle Tablespace

Create an Oracle tablespace for the Collector to use as a database to store events. The following sample illustrates the syntax for creating the required tablespace using the Oracle tools:

create tablespace ca_audit datafile '/oracle/oradata/YYY/ca_audit.dbf' size 100M;

where:

create tablespace
Is the action you want the Oracle tools to perform.

ca_audit
Is the name of the Oracle database tablespace being created.

datafile '/oracle/oradata/YYY/ca_audit.dbf'
Is the name to be assigned to the file that will contain the tablespace being created. Substitute for '/oracle/oradata/YYY/ca_audit.dbf' whatever filename your Oracle DBA determines.

size 100M
Is the initial size of the tablespace, 100 megabytes. The 100 MB size provided in this example is a reasonable value to start with for most installations, but depending on the amount of audit data you will be collecting, you may want to increase or decrease this size.

Define Oracle User ID with DBA Privileges

Define an Oracle user ID with database administrator (DBA) privileges that will be used by the Collector to write to the tablespace. The tablespace just defined for use by the Collector must be the default tablespace for this user. The following sample illustrates the syntax for creating the requisite Oracle user ID with DBA privileges:

create user AuditDBA identified by AuditDBA default tablespace ca_audit temporary tablespace temp;

where:

create user
Is the action you want the Oracle tools to perform.

AuditDBA
Is the user ID about to be created.
You can substitute for AuditDBA as you deem appropriate, but this is the user ID that must be specified when the installation process of the Data Tools asks for it.

default tablespace ca_audit
Specifies that this user’s default tablespace is the ca_audit tablespace. The user ID must have this tablespace defined as its default tablespace.

temporary tablespace temp;
Specifies that this user’s temporary (work) tablespace is the temp tablespace. Substitute for temp whatever tablespace your Oracle DBA indicates should be used for temporary space.

Collect Oracle Information

To complete installation of the Collector, have the following information available:

■ Oracle Home path; that is, where the Oracle client software is installed on this machine
■ Oracle SID, if the Oracle database is running on this machine
■ Oracle service name, if the Oracle database is running on a remote machine
■ User name and password of an Oracle database user ID that has the Oracle tablespace you earlier created for use by the Collector defined as that user’s default tablespace

Note: If you do not have the information above, check with your Oracle database administrator.

Update tnsnames.ora

The Collector must have its own Oracle database service created for it. You do this by modifying the Oracle configuration file tnsnames.ora. The following steps describe how to accomplish this task:

1. Change to the Oracle network configuration directory under the Oracle home:

cd $ORACLE_HOME/network/admin/

In that directory, you will find a file named tnsnames.ora.

2. Using an ASCII text editor, open the file tnsnames.ora, and add the required configuration section to define the Oracle service that will be used by the Collector.
Use the following sample code as a model:

NewServiceName =
  (DESCRIPTION = description
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = IPAddr)(PORT = port))
    )
    (CONNECT_DATA =
      (SID = sid)
    )
  )

where:

NewServiceName
The name you want to assign to this new Oracle service. This field is required.

description
A description for the new Oracle service. The keyword is required, but you can leave the data field empty.

IPAddr
The IP address of the machine where the Oracle Database Server physically resides and runs. This field is required.

port
The port number to be used by the Oracle client components to attach to the Oracle server instance. Typically, this is port 1521. This field is required.

sid
The SID for the Oracle instance associated with this service. This field is required.

Note: If you do not have the information above, or need help configuring tnsnames.ora, check with your Oracle database administrator.

Installation Steps

Use the following procedure to install the Data Tools components on UNIX:

1. Log in to the UNIX machine as root.
2. Place the eTrust Audit installation media into the CD-ROM drive.
3. Change to the installation directory for the Data Tools for the version of UNIX you want to install:

cd /CDROM_drive/eTrust/Audit/DataTools/version_of_UNIX

where CDROM_drive is the path where the eTrust Audit installation media is mounted, and version_of_UNIX is the version of UNIX onto which you want to install the Data Tools. For example, for Solaris:

cd /CDROM_drive/eTrust/Audit/DataTools/Solaris

4. Enter the ls command to view the contents of that directory.
   You should find the following files in that directory:

   ■ A tar file that contains the product install image, named in the form xxxxxxxxxxxxxx.tar.Z for the platform and build designation, for example: SOLARISAC152.53.tar.Z
   ■ An installation shell script named install_eAuditDatSrv
   ■ An Oracle SQL script named oracle.sql that is used to create the required database tables
   ■ Installation notes named Install.txt

Create Oracle Database Tables

Before you install the Data Tools, you must create the database tables in Oracle as follows:

1. Log in with a user ID that is a member of the group sys, and is also defined to Oracle as a user ID with DBA privileges (typically, the root user ID has both of these privileges), and execute the Oracle utility, SQLPLUS.

2. After the utility starts, instruct it to execute the oracle.sql script on the installation media using one of the following commands:

   @file_name.sql

   or

   START file_name.sql

   where file_name is the fully-qualified file name of the oracle.sql script on the installation media, for example:

   CDROM_drive/eTrust/Audit/DataTools/Solaris/oracle.sql

Install the eTrust Audit Data Tools

After the database tables are created, you can install the Data Tools as follows:

1. While still logged in as root, execute the install_eAuditDatSrv shell script by entering the following command:

   CDROM_drive/eTrust/Audit/DataTools/version_of_UNIX/install_eAuditDatSrv

   For example, the following command entered from the shell prompt starts the installation shell script for the Solaris version of UNIX:

   ./eTrust/Audit/DataTools/Solaris/install_eAuditDatSrv

   The installation script begins.

   Tip: You might need to use the chmod a+x install_eAuditDatSrv command if the installation script fails to start.

2. Follow the instructions in the installation script.
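The tnsnames.ora entry added under Pre-installation Tasks is easy to get wrong by hand, and a mis-nested or incomplete entry shows up later only as a failed connection test. The following Python script is an added example, not part of this guide or of eTrust Audit: it renders an entry in the layout shown in that section from the values collected earlier (leaving the optional description data field empty) and checks an entry for balanced parentheses, correct nesting of the DESCRIPTION, ADDRESS_LIST, ADDRESS and CONNECT_DATA blocks, and the presence of the PROTOCOL, HOST, PORT and SID clauses. The service name ETAUDIT, the address 192.0.2.10 and the SID ORCL are constructed sample values.

```python
"""Render and sanity-check a tnsnames.ora entry for the Collector service.

Added example (not eTrust Audit code). The sample values below are
constructed; take the real host, port and SID from your Oracle DBA.
"""
import re

SAMPLE_NAME = "ETAUDIT"        # assumed service name for the Collector
SAMPLE_HOST = "192.0.2.10"     # placeholder address from the documentation range
SAMPLE_PORT = 1521             # the default listener port named in the guide
SAMPLE_SID = "ORCL"            # assumed SID of the Oracle instance


def render_tns_entry(name, host, port, sid):
    """Return a tnsnames.ora entry in the nested-parenthesis layout."""
    return (
        f"{name} =\n"
        f"  (DESCRIPTION =\n"
        f"    (ADDRESS_LIST =\n"
        f"      (ADDRESS = (PROTOCOL = TCP)(HOST = {host})(PORT = {port}))\n"
        f"    )\n"
        f"    (CONNECT_DATA =\n"
        f"      (SID = {sid})\n"
        f"    )\n"
        f"  )\n"
    )


def parse_tns_entry(text):
    """Parse one entry into a dict, raising ValueError on structural defects."""
    depth = 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unexpected ')' in tnsnames entry")
    if depth != 0:
        raise ValueError(f"unbalanced parentheses: {depth} left unclosed")

    head = re.match(r"\s*([A-Za-z][\w.]*)\s*=", text)
    if not head:
        raise ValueError("entry must begin with 'ServiceName ='")
    entry = {"name": head.group(1)}

    # Each required block must be present, in order, and nested at the
    # depth Oracle Net expects (ADDRESS_LIST and CONNECT_DATA inside
    # DESCRIPTION, ADDRESS inside ADDRESS_LIST).
    compact = re.sub(r"\s+", "", text)
    last = -1
    for block, want, parent in (
        ("DESCRIPTION", 0, "the entry"),
        ("ADDRESS_LIST", 1, "DESCRIPTION"),
        ("ADDRESS", 2, "ADDRESS_LIST"),
        ("CONNECT_DATA", 1, "DESCRIPTION"),
    ):
        pos = compact.find(f"({block}=")
        if pos < 0:
            raise ValueError(f"missing {block} block")
        if pos < last:
            raise ValueError(f"{block} block is out of order")
        depth = compact.count("(", 0, pos) - compact.count(")", 0, pos)
        if depth != want:
            raise ValueError(f"{block} block must be nested inside {parent}")
        last = pos

    for key in ("PROTOCOL", "HOST", "PORT", "SID"):
        m = re.search(r"\(\s*%s\s*=\s*([^()\s]+)\s*\)" % key, text)
        if not m:
            raise ValueError(f"missing ({key} = ...) clause")
        entry[key.lower()] = m.group(1)

    if entry["protocol"].upper() != "TCP":
        raise ValueError("the Collector service must use PROTOCOL = TCP")
    entry["port"] = int(entry["port"])
    if not 1 <= entry["port"] <= 65535:
        raise ValueError("PORT must be between 1 and 65535")
    return entry


def tns_problems(text):
    """Return a list of problems (empty when the entry passes every check)."""
    try:
        parse_tns_entry(text)
    except ValueError as exc:
        return [str(exc)]
    return []


if __name__ == "__main__":
    sample = render_tns_entry(SAMPLE_NAME, SAMPLE_HOST, SAMPLE_PORT, SAMPLE_SID)
    print(sample)
    print("problems:", tns_problems(sample))
    print("problems:", tns_problems(sample.replace("(SID = ORCL)", "(SID = ORCL")))
```

Run the check against the entry you pasted into tnsnames.ora before clicking Test in the installer; a flat entry whose ADDRESS_LIST sits beside DESCRIPTION rather than inside it is reported as a nesting problem, which is the kind of typo that otherwise only appears as Connection Failed.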
Appendix C
Installing the Data Tools on SQL Server

This appendix describes how to install the Data Tools on Windows for use with an existing Microsoft SQL Server database. It also describes how to troubleshoot common errors experienced during the installation.

Installation Steps

To configure the Data Tools to work with a local or remote Microsoft SQL Server database, follow these steps:

1. Insert the product installation CD into the CD-ROM drive. The product explorer automatically starts, and the following window appears:

   Note: If this window does not appear, use Windows Explorer, and execute the program PE_I386.exe located in the root directory of the CD.

2. Click the plus sign (+) to expand the eTrust Products branch of the tree, and then expand the eTrust Audit V1.5SP2 branch to display the three major components as follows:

3. Expand the Data Tools branch, and then select eTrust Audit Data Tools for Windows NT/2000/XP as shown in the following window:

4. After you review the product information, click Install. The eTrust Data Tools installation begins.

5. The next few windows ask you to accept the License Agreement and to close any Windows applications. After you do so, the Setup Type window appears:

6. For the purpose of this sample, select Standard, and then click Next.
The Database Type window asks you to choose the type of database that you want eTrust Audit to use as the Collector database:

7. Select Microsoft SQL Server running on a local or remote machine, and then click Next. After you click Next, the Database Configuration window appears:

8. Enter the name of the machine where the Microsoft SQL Server database is running, and the user ID and password of a Microsoft SQL Server database administrator.

9. Before you click Next, we strongly recommend that you click Test to confirm that the information you entered on this window can connect to the SQL Server database. If the information provided is correct, and the Microsoft SQL Server database is running on the machine specified, the following window appears:

10. Click Close to dismiss the Connection Test window, and then click Next to continue.

   Note: See the Troubleshooting Problems with Data Tools and Microsoft SQL Server topic later in this chapter for information about common errors that can result when the test fails, and what to do to correct these errors.

After you click Next, the Event Database window appears:

11. On this window, specify whether you want to create a new Collector database or work with an existing Collector database, as follows:

   ■ If you do not already have a Collector database installed and formatted on the machine, choose Create a New Event Database, and then click Next.
   ■ If you already have a Collector database installed and formatted on the machine, choose Keep Existing Events in Database, and then click Next.
After you click Next, the SMTP Server window appears:

12. The Data Tools components can send alerts through a variety of mechanisms, including email:

   ■ To use this feature, enter the name of the email server to which the Data Tools components running on this machine should route emails.
   ■ If you do not want to use this feature now, or if you are not certain what email server name to specify, you can leave the Server field blank and click Next, because you can enable the email support at any time. See the Reference Guide for details.

The following window asks you to specify the name of the Security Monitor machine to which the Data Tools should send notifications:

13. For the purpose of this sample, the Security Monitor component is installed on the same machine on which you are currently installing the Data Tools. Therefore, enter localhost in the Host field, and then click Next.

After you click Next, the eTrust Audit Services Configuration window appears:

14. This window lets you change the account under which the eTrust Audit Data Tools services run. For the purpose of this sample, accept the default of LocalSystem by clicking Next.

15. As a final check, the installation displays a window listing the choices that you have made. Click Continue after you review your selections. The installation proceeds. At the end of the installation, the following window appears:

16. For the purpose of this sample, click Yes to start the eTrust Audit Data Tools services.

Congratulations! You have successfully installed the Data Tools.
Troubleshooting Problems with Data Tools and Microsoft SQL Server

This topic describes the following common errors:

■ Connection Failed
■ Login Failed

You should also see the “Database Considerations” chapter in the Reference Guide.

Connection Failed

The following window appears when you test the connection during the installation:

Check for the following causes:

■ The Microsoft SQL Server database is not currently running on the machine you specified.
■ You did not spell the name of the machine correctly.

The Microsoft SQL Server Database is not currently running on the machine you specified

Probable causes for this condition are as follows:

■ SQL Server might be shut down.
■ SQL Server might not be installed on this machine.
■ The remote machine might not be running.
■ A firewall might be blocking your access to that remote machine.

Verify the status of these items with your network administrator. Click Close to dismiss this window, and perform the test again when the required system is available.

You did not spell the name of the machine correctly

Do either of the following:

■ If the machine name is correct, confirm that the machine is running and that the Microsoft SQL Server database is running, and then click Test again.
■ If the machine name is not correct, click Close to dismiss this window, and correct the machine name in the previous window.

Login Failed

The following window appears when you test the connection during the installation:

You have entered an incorrect user ID and password.
Note: The user ID and password must be valid credentials for accessing the Microsoft SQL Server database as a database administrator. Confirm that the user ID and password are valid and are credentials for a Microsoft SQL Server database administrator.

14_oracle_dt_app.doc, printed on 12/18/2002, at 1:44 PM

Appendix D
Installing the Data Tools on Oracle

This appendix describes how to install the Data Tools on Windows for use with an existing Oracle database. It also describes how to troubleshoot common errors experienced during the installation.

Pre-Installation Tasks

When installing the Collector, a separately licensed version of Oracle must already be installed and properly configured to run. You or your Oracle database administrator (DBA) must perform the following tasks before you try to install the Data Tools for use with an Oracle database.

Prepare the Oracle Database Environment

The following administrative tasks must be performed by an Oracle DBA before you begin the installation of the Collector.

Create Oracle Tablespace

Create an Oracle tablespace for the Collector to use as a database to store events. The following sample illustrates the syntax for creating the required tablespace using the Oracle tools:

create tablespace ca_audit datafile 'c:\oracle\oradata\YYY\ca_audit.dbf' size 100M;

where:

create tablespace
Is the action you want the Oracle tools to perform.

ca_audit
Is the name of the Oracle database tablespace being created.

datafile 'c:\oracle\oradata\YYY\ca_audit.dbf'
Is the name to be assigned to the file that will contain the tablespace being created. Substitute for 'c:\oracle\oradata\YYY\ca_audit.dbf' whatever file name your Oracle DBA determines.

size 100M
Is the initial size of the tablespace, 100 megabytes.
The 100 MB size provided in this example is a reasonable value to start with for most installations, but depending on the amount of audit data you will be collecting, you may want to increase or decrease this size.

Define Oracle User ID with DBA Privileges

Define an Oracle user ID with database administrator (DBA) privileges that will be used by the Collector to write to the tablespace. The tablespace just defined for use by the Collector must be the default tablespace for this user. The following sample illustrates the syntax for creating the requisite Oracle user ID with DBA privileges:

create user AuditDBA identified by AuditDBA default tablespace ca_audit temporary tablespace temp;

where:

create user
Is the action you want the Oracle tools to perform.

AuditDBA
Is the user ID about to be created. You can substitute for AuditDBA as you deem appropriate, but this is the user ID that must be specified when asked for by the installation process of the Data Tools.

default tablespace ca_audit
Specifies that this user’s default tablespace is the ca_audit tablespace. The user ID must have this tablespace defined as its default tablespace.

temporary tablespace temp;
Specifies that this user’s temporary (work) tablespace is the temp tablespace. Substitute for temp whatever tablespace your Oracle DBA indicates should be used as the temporary tablespace.
Collect Oracle Information

To complete installation of the Collector, have the following information available:

■ Oracle Home path; that is, where the Oracle client software is installed on this machine
■ Oracle SID, if the Oracle database is running on this machine
■ Oracle service name, if the Oracle database is running on a remote machine
■ User name and password of an Oracle database user ID that has the Oracle tablespace that you earlier created for use by the Collector defined as that user’s default tablespace

Note: If you do not have the information above, check with your Oracle database administrator.

Configure an Oracle Client (If Accessing a Remote Oracle Database)

If the Oracle database that the Data Tools will be using is installed on a different machine than the machine where you are installing the Data Tools, then you must install the Oracle client components on this machine and properly configure them to access the database on the remote machine. If the Oracle database resides on the same machine where the Data Tools are being installed, then these client components are already available and no additional configuration of the Oracle client should be necessary.

This pre-installation task is typically required on those machines where you want to install certain Data Tools components (for example, the Viewer or the Reporter) to work on a remote Oracle instance. At each station where you want the Data Tools to be able to access the Oracle database instance being used to store the collected eTrust Audit event data, you must configure an Oracle client.
To properly configure the Oracle client, you need the following information:

■ Name or IP address of the machine where the Oracle Server is installed (where the database resides)
■ The port number of the Oracle Server (usually 1521)
■ User name and password of an Oracle database user ID that has the Oracle tablespace that you earlier created for use by the Collector defined as that user’s default tablespace

Note: If you do not have the information above, check with your Oracle database administrator.

To configure an Oracle Client, perform the following steps:

1. Start the Oracle configuration utility (Oracle Net8 Easy Config utility for Oracle 8, or Net8 Configuration Assistant for Oracle 8i and 9i), and then follow the utility instructions.

2. Choose Add New Service. Any name is acceptable as a name of the new service, but we recommend you use the same name for all users.

3. Select TCP/IP as the protocol for connection to the service.

4. Specify the host name where the Oracle database server is executing (where the database physically resides).

5. Specify the port number (typically 1521).

6. Specify the database SID.

7. Check the new connection by clicking the Test Service option.

8. Enter the username and password, and then click Test. If the result is positive, the connection is properly defined.

If the test fails, or you encounter other problems setting up the Oracle client components, check with your Oracle database administrator.

Installation Steps

To configure the Data Tools to work with a local or remote Oracle database, follow these steps:

1. Insert the product installation CD into the CD-ROM drive.
   The product explorer automatically starts, and the following window appears:

   Note: If this window does not appear, use Windows Explorer, and execute the program PE_I386.exe located in the root directory of the CD.

2. Click the plus sign (+) to expand the eTrust Products branch of the tree, and then expand the eTrust Audit V1.5SP2 branch to display the three major components as follows:

3. Expand the Data Tools branch, and then select eTrust Audit Data Tools for Windows NT/2000/XP as shown in the following window:

4. After you review the product information, click Install. The eTrust Data Tools installation begins.

5. The next few windows ask you to accept the License Agreement and to exit all Windows programs. After you do so, the Setup Type window appears:

6. For the purpose of this sample, select Standard, and then click Next.

The Database Type window asks you to choose the type of database that you want eTrust Audit to use as the Collector database:

7. Choose Oracle running on a local or remote machine, and then click Next. After you click Next, the Database Configuration window appears:

8. Enter the name of the Oracle database service, and the user ID and password of an Oracle user with DBA privileges.

9. Before you click Next, we strongly recommend that you click Test to confirm that the information you entered on this window can connect to the Oracle database.
   If the information provided is correct, and the Oracle database is running on the machine specified, the following window appears:

10. Click Close to dismiss the Connection Test window, and then click Next to continue.

   Note: See the Troubleshooting Problems with Data Tools and Oracle topic later in this chapter for information about common errors that can result when the test fails, and what to do to correct these errors.

After you click Next, the Event Database window appears:

11. On this window, specify whether you want to create a new Collector database or work with an existing Collector database, as follows:

   ■ If you do not already have a Collector database installed and formatted on the machine, choose Create a New Event Database, and then click Next.
   ■ If you have a Collector database installed and formatted on the machine, choose Keep Existing Events in Database, and then click Next.

After you click Next, the SMTP Server window appears:

12. The Data Tools components can send alerts through a variety of mechanisms, including email:

   ■ To use this feature, enter the name of the email server to which the Data Tools components running on this machine should route emails.
   ■ If you do not want to use this feature now or if you are not certain what email server name to specify, you can leave the Server field blank and click Next, because you can enable the email support at any time. See the Reference Guide for details.

The following window asks you to specify the name of the Security Monitor machine to which the Data Tools should send notifications:

13.
For the purpose of this sample, the Security Monitor is installed on the same machine on which you are currently installing the Data Tools. Therefore, enter localhost in the Host field, and then click Next.

After you click Next, the eTrust Audit Services Configuration window appears:

14. This window lets you change the account under which the Data Tools services run. For the purpose of this sample, accept the default of LocalSystem by clicking Next.

15. As a final check, the installation displays a window listing the choices that you have made. Click Continue after you review your selections. The installation proceeds. At the end of the installation, the following window appears:

16. For the purpose of this sample, click Yes to start the eTrust Audit Data Tools services.

Congratulations! You have successfully installed the Data Tools.

Troubleshooting Problems with Data Tools and Oracle

This topic describes the following common errors:

■ Connection Failed
■ Login Failed

Connection Failed

The following windows might appear when you test the connection during the installation:

Check for the following causes:

■ The Oracle database is not currently running on the machine you specified.
■ You did not spell the name of the service correctly.

The Oracle Database is not currently running on the machine you specified

Probable causes for this condition are as follows:

■ Oracle might be shut down.
■ Oracle might not be installed on this machine.
■ The remote machine might not be running.
■ A firewall might be blocking your access to that remote machine.
■ Your Oracle database might not be properly configured. Write down the Oracle error message and provide this information to your Oracle database administrator.

Verify the status of these items with your network administrator. Click Close to dismiss this window, and perform the test again when the required system is available.

You did not spell the name of the service correctly

Do either of the following:

■ If the service name is correct, confirm that the machine is running and that the Oracle database is running, and then click Test again.
■ If the service name is not correct, click Close to dismiss this window, and correct the service name in the previous window.

Login Failed

The following window appears when you test the connection during the installation:

You have entered an incorrect user ID and password.

Note: The user ID and password must be valid credentials for accessing the default Oracle tablespace as a database administrator. Confirm that the user ID and password are valid and are credentials for an Oracle database administrator whose default access is to the tablespace created for use with eTrust Audit.

Appendix E
Performing a Custom Installation of the Client Components

This appendix describes how to perform a custom installation of the Client components. If you are installing the Client components on more than one system, perform this installation on each system.

Installation Steps

To install the Client components, perform the following steps using the product explorer:

1. Insert the product installation CD into the CD-ROM drive.
   The product explorer automatically starts, and the following window appears:

   Note: If this window does not appear, use Windows Explorer, and execute the program PE_I386.exe located in the root directory of the CD.

2. Click the plus sign (+) to expand the eTrust Products branch of the tree, and then expand the eTrust Audit V1.5SP2 branch to display the three major components as follows:

   The first components that you install are the eTrust Audit Client components.

3. Expand the Client branch. After you expand the Client branch, your window looks as follows:

   For the purpose of this sample installation, install the eTrust Audit Client components on a Windows 2000 platform.

4. To do this, select the item for eTrust Audit Client for Windows NT/2000/XP. The product explorer appears as follows:

   After you select the product, two buttons become available at the bottom of the window, Product Information and Install. Use them as follows:

   Product Information
   Click the Product Information button to view special installation notes, system requirements, and so on. We recommend that you review the product information before you begin the installation.

   Install
   Initiates installation of the component.

   After having reviewed the information that is available by clicking Product Information, click Install to initiate the installation of the Client components.

5. Accept the License Agreement by clicking Yes, and then click Next until the Setup Type window appears:

6. For the purpose of the example, select Custom, and then click Next.
   On the following window, select the optional components you want to install:

   Note: In this example, other eTrust Audit features are already installed on this machine (such as Policy Manager), so the destination folder is already set and cannot be modified. If no eTrust Audit features were already installed, you could browse for a different folder.

7. For this example, select all components except Documentation, and then click Next.

   Note: In the sample, you selected the eTrust Audit SNMP Recorder. You must perform additional installation and configuration steps to properly enable the eTrust Audit SNMP Recorder on Windows. See the Reference Guide.

   The next window lets you select the NT event logs that you want to audit. You can also choose to process all existing events that reside in these logs. If you choose this option, all events that already exist in these event logs, regardless of how old they might be, are processed as soon as the eTrust Audit services start. If you do not choose this option, only new events are processed.

8. For now, use the default settings, and then click Next to continue.

   The next window lets you specify the name of the Security Monitor machine to which the Client components should send notifications:

9. For the purpose of this example, the Security Monitor components are on the same machine onto which you are now installing the Client components. Therefore, enter localhost in the Host field.

   Note: If you are installing the Security Monitor components on a machine other than the machine onto which you are currently installing the Client components, specify that machine name in the Host field.
   After you specify the name of the Security Monitor machine and click Next, the following warning appears if you have not yet installed the Security Monitor on your machine (localhost):

10. Do not worry. For more information on installing the Security Monitor, see Sample Data Tools Installation in the “eTrust Audit Essentials” chapter. Click OK to close the warning.

   A Client receives its policy configuration from a machine where the Policy Manager is running. For proper management of policy distribution, each client is configured to work with a specific policy-source machine. After you complete the Specify the Name of Monitor Machine window and the Warning (if it appears), the Specify Name of the eTrust Audit Policy Manager Machine window appears:

11. For the purpose of this example, the Policy Manager components are on the same machine on which you are now installing the Client components. Therefore, enter localhost in the Host field.

   Note: If you are installing the Policy Manager components on a machine other than the machine where you are currently installing the Client components, specify that machine name in the Host field, and then click Next.

   After you click Next, the following window appears:

12. Do not worry. For more information about installing the Policy Manager, see Sample Policy Manager Installation in the “eTrust Audit Essentials” chapter. Click OK to close the warning.

   Next, configure the eTrust Audit Recorder for Check Point Firewall-1. (This dialog appears because you selected this component earlier in the procedure.)

13.
This dialog lets you manage a list of up to 10 Check Point Firewall-1 servers from which this eTrust Audit Recorder can receive events. Use the Add, Edit, Remove, and Remove All buttons to modify the list of servers. For example, if you click Add, the New Server dialog appears:

14. Assuming you have a Check Point Firewall-1 server running, use this dialog to specify its host name, OPSEC port, connection type, and the types of logs (Secure or Account) to audit. See your Check Point Firewall-1 documentation for information about these properties. Click OK to accept these values, and then click Next to continue the installation.

   After you click Next, the Generic Recorder Configuration window appears:

15. Support for harvesting events from IIS, iPlanet, and other log files is provided by a component known as the Generic Recorder. To configure a Generic Recorder, select the recorder that you want to configure, and then click Configure. (If you want to add a new type of recorder to the list, click Add.)

   For example, suppose you check IIS, and then click Configure. To configure the Generic Recorder to harvest records from IIS, you must identify the log files that you want the Generic Recorder to process. The Configure Generic Log Recorder window appears:

   This screen is used to configure the Generic Recorder to work with IIS. The first three fields are automatically filled in for you and cannot be altered using this window. These fields are filled in with the correct values necessary for the Generic Recorder to work with IIS.

   Note: The Browse button to the right of the MP File field lets you select a different MP file. We highly recommend that you use the default MP file for IIS.
   Tip: The support for harvesting messages from IIS is limited to IIS logs that are produced in Microsoft IIS Log File Format. The Generic Recorder harvests messages from “flat log files,” and the only IIS log file format that the eTrust Audit Generic Recorder can support is Microsoft IIS Log File Format.

   Use this window to add the log files that you want to monitor as follows:

   a. Click the New File button. A Browse button appears.
   b. Click it and choose the log file that you want to add to the list, and then click Open.
   c. You can add as many log files as you like. However, if you want to mask the name of the log file so that the Generic Recorder will harvest the records from all matching files, click the entry in the list. Now you can edit the entry.
   d. Use an asterisk character as a mask. By default, IIS log files in Microsoft IIS Log File Format are named inmmddyy.log. If you want to harvest events from all log files named like this, use the following mask:

      C:\WIN2K\system32\LogFiles\W3SVC1\in*.log

16. When you have finished making changes, click OK. The Generic Recorder Configuration window reappears:

17. If you want the Generic Recorder to automatically start processing IIS logs whenever the system is restarted, check the box to the left of the Microsoft IIS entry, and then click Next.

   The SMTP Server window appears:

18. The Client components can send alerts through a variety of mechanisms, including email. You can do either of the following:

   ■ To use this feature, enter the name of the email server to which the Client components running on this machine should route emails, and then click Next.
■ If you do not want to use this feature now or if you are not certain what machine name to enter here, leave the Server field blank, and then click Next.

Note: You can configure email support at any time. See the Reference Guide for details.

Next, choose how to administer the eTrust Audit Client services using the following window:

19. Select whether you want the eTrust Audit Client services to start automatically at system startup or to have them started manually by an administrator. For the purpose of this example, accept the default setting, Configure services for automatic startup, and then click Next.

After you click Next, the eTrust Audit Services Configuration window appears:

20. This window lets you change the account under which the Client component services run. For the purpose of this sample, accept the default of LocalSystem by clicking Next.

After you click Next, the Installation Verification window appears. This window lets you install template policies to route failed login attempts to the machine you identified as the Security Monitor (localhost). Viewing these events in the Security Monitor verifies that you have successfully installed these components. See Verifying Your Installation later in this chapter for an example of the type of information the Security Monitor should display after a successful installation.

21. Click the check box, and then click Next. As a final check, the installation displays a window listing the choices that you have made. If you like, click Back to make any changes. Otherwise, click Continue to start the installation.
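The log-file mask configured for the Generic Recorder in step 15 (for example in*.log) only works if every matching file is actually in Microsoft IIS Log File Format; a file written in W3C Extended or NCSA format is simply not harvested, which leaves a gap in the audit trail that nothing in the installer reports. The following script is an added example, not part of the CA documentation: it lists the files a mask covers and flags the ones the Generic Recorder would skip. The format fingerprints (classify_log), the function names, and the sample log files it creates are this example's own constructed assumptions.

```python
"""Added example (not part of the eTrust Audit documentation): audit the log
files covered by a Generic Recorder mask such as in*.log and flag any that are
not in Microsoft IIS Log File Format, since the Generic Recorder harvests only
that format and would otherwise skip the file silently.  The three format
fingerprints below are this example's own assumptions about IIS logging formats.
"""
import fnmatch
import os
import re
import tempfile

# NCSA Common: host ident user [timestamp] "request" status bytes
NCSA_LINE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+$')
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def classify_log(lines):
    """Return 'w3c', 'ncsa', 'iis' or 'unknown' for the leading lines of a log."""
    lines = [ln.strip() for ln in lines if ln.strip()]
    if not lines:
        return "unknown"
    # W3C Extended format always begins with directive lines
    if any(ln.startswith(("#Software:", "#Fields:")) for ln in lines):
        return "w3c"
    if all(NCSA_LINE.match(ln) for ln in lines):
        return "ncsa"
    # Microsoft IIS Log File Format: 15 comma-separated fields, client IP first
    if all(len(ln.split(",")) >= 15 and IPV4.match(ln.split(",")[0].strip())
           for ln in lines):
        return "iis"
    return "unknown"


def audit_mask(mask, sample_lines=5):
    """Classify every file matched by mask; returns {file name: format}."""
    directory, pattern = os.path.split(mask)
    results = {}
    for name in sorted(os.listdir(directory or ".")):
        # Windows file names are case-insensitive, so compare in lowercase
        if not fnmatch.fnmatchcase(name.lower(), pattern.lower()):
            continue
        with open(os.path.join(directory, name), encoding="ascii",
                  errors="replace") as fh:
            results[name] = classify_log([next(fh, "") for _ in range(sample_lines)])
    return results


def unsupported_files(results):
    """File names the Generic Recorder would not harvest."""
    return sorted(n for n, fmt in results.items() if fmt != "iis")


def sample_mask():
    """Create constructed sample logs in a temp dir and return a mask over it."""
    d = tempfile.mkdtemp(prefix="W3SVC1_")
    samples = {
        # correct: Microsoft IIS Log File Format, named inmmddyy.log
        "in010199.log": "10.0.0.5, -, 01/01/99, 07:55:20, W3SVC1, WEB1, 10.0.0.1, "
                        "4502, 163, 3223, 200, 0, GET, /index.htm, -,\n",
        # wrong: the site was switched to W3C Extended but kept the in* prefix
        "in010299.log": "#Software: Microsoft Internet Information Services 5.0\n"
                        "#Fields: date time c-ip cs-method cs-uri-stem sc-status\n"
                        "1999-01-02 07:55:20 10.0.0.5 GET /index.htm 200\n",
        # outside the mask: an ex* file is ignored whatever its format
        "ex010199.log": "10.0.0.5 - - [01/Jan/1999:07:55:20 +0000] "
                        '"GET /index.htm HTTP/1.0" 200 3223\n',
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return os.path.join(d, "in*.log")


if __name__ == "__main__":
    report = audit_mask(sample_mask())
    for name, fmt in report.items():
        print(f"{fmt:8s} {name}")
    print("not harvestable:", unsupported_files(report))
```

Run it against the real mask path after a site's logging format is changed; any file reported as w3c, ncsa or unknown is one whose events will never reach the Collector.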
The installation begins displaying various status windows that describe the progress of the eTrust Audit Client installation. At the end of the installation, the following window appears:

22. For the purpose of this sample installation, click Yes to start the eTrust Audit Client Services.

Appendix F Performing a Custom Installation of the Data Tools

This appendix describes how to perform a custom installation of the Data Tools. If you are installing the Data Tools on more than one system, you will perform this installation on each system.

Installation Steps

Begin by following these steps:

1. Insert the product installation CD. The product explorer automatically starts, and the following window appears:

Note: If this window does not appear, use Windows Explorer, and execute the program PE_I386.exe located in the root directory of the CD.

2. Expand the eTrust Audit V1.5SP2 product tree to display the three major components as follows:

3. Expand the Data Tools branch, and then select eTrust Audit Data Tools for Windows NT/2000/XP as shown in the following illustration:

After you select the product, two buttons become available at the bottom of the window, Product Information and Install. Use them as follows:

Product Information
Click the Product Information button to view special installation notes, system requirements, and so on. We recommend that you review the product information before you begin the installation.

Install
Initiates installation of the component.

After having reviewed the information that is made available by clicking Product Information, click Install to initiate the installation of the Data Tools.
4. Accept the License Agreement, and then click Next a few times, until the following window appears:

5. For the purpose of the example, select Custom, and then click Next. The next window lets you select the optional components you want to install:

In this example, other eTrust Audit features are already installed on this machine (such as Policy Manager), so the destination folder is already set and cannot be modified. If no eTrust Audit features were already installed, you could browse for a different folder.

Selecting all components is equivalent to using the Standard Setup option. For the purpose of this example, we will examine several popular custom configurations:

■ A collection-only machine (select Collector only)
■ A data management machine (select everything except Collector)
■ A monitor-only machine (select Security Monitor only)

Installing a Collection-Only Machine

A collection-only machine has only the Collector running. It collects auditing events from Client components and stores them in the Collector database. To install a collection-only machine, follow these steps:

1. Check Collector in the Optional Components window (as follows), and then click Next.

The Database Type window appears. Choose the type of database that you want eTrust Audit to use as the Collector database:

2. For the purpose of this sample, choose Microsoft Access running on this machine, and then click Next.

Note: A version of the Microsoft Access database is automatically provided for your use.
Using Microsoft SQL Server or Oracle as the underlying database requires that you separately license and properly install these databases before you install the Data Tools.

Tip: For information about installing the Collector database components running over SQL Server or Oracle databases, see the “Installing the Data Tools on SQL Server” or the “Installing the Data Tools on Oracle” appendix.

After you click Next, the Specify Name of Monitor Machine window appears. It asks you to specify the name of the Security Monitor machine to which the Data Tools should send notifications:

3. For the purpose of this sample, the Security Monitor components are (or will be) installed on a machine named systemq. Therefore, enter systemq in the Host field, and then click Next.

After you click Next, the following window appears. Use it to specify startup options for the Data Tools services:

4. Select whether you want the Data Tools services (eTrust Audit Collector and eTrust Audit Portmap) to start automatically at system startup, or to have them started manually by an administrator. For the purpose of this example, accept the default, Configure services for automatic startup, and then click Next.

After you click Next, the following window appears:

5. This window lets you change the account under which the Data Tools component services run. For the purpose of this sample, accept the default of LocalSystem by clicking Next.

6. As a final check, the installation displays a window listing the choices that you have made. Click Continue after you review your selections. The installation proceeds.
At the end of the installation, the following window appears:

7. For the purpose of this sample, click Yes to start the eTrust Audit Data Tools services.

Installing a Data Management Machine

A data management machine is a Windows machine that has all of the Data Tools installed on it except the Collector database. To install a data management machine, follow these steps:

1. Check Viewer, Security Monitor, and Reporter in the Optional Components window (as follows), and then click Next.

After you click Next, the Database Type window appears:

You might find it odd that we’re asking you to specify a database type when you just indicated that you did not want to install the Collector database components. The reason you are asked to specify the database type is that the mechanisms that the Data Tools components use to access the Collector database differ depending on the type of underlying database. For the purpose of this sample, the Data Collector database is installed locally, and it is a Microsoft Access database.

2. Select Microsoft Access running on a local or remote machine and click Next.

After you click Next, the Database Configuration dialog appears:

3. The Database Configuration window asks you to identify where the underlying Microsoft Access database that is being used by the Collector components is installed. Specify the fully qualified path to the database, and then click Next.

Important! When performing a custom installation of the Data Tools components of this type, you are telling the Data Tools that they are to interface to a Collector database that has been previously installed on this or some other machine.
After you click Next, the following window appears:

4. The Data Tools components can send alerts through a variety of mechanisms, including email:

■ To use this feature, enter the name of the email server to which the Data Tools components running on this machine should route emails.
■ If you do not want to use this feature now or if you are not certain which email server name to specify, you can leave the Server field blank, and click Next, because you can enable the email support at any time. See the Reference Guide for details.

The following window asks you to specify the name of the Security Monitor machine to which the Data Tools should send notifications:

5. For the purpose of this sample, the Security Monitor is installed on the same machine onto which you are currently installing the Data Tools. Therefore, enter localhost in the Host field, and then click Next.

After you click Next, the eTrust Audit Services Configuration window appears:

6. This window lets you change the account under which the eTrust Audit Data Tools services run. For the purpose of this sample, accept the default of LocalSystem by clicking Next.

7. As a final check, the installation displays a window listing the choices that you have made. Click Continue after you review your selections. The installation proceeds. At the end of the installation, the following window appears:

8. For the purpose of this sample, click Yes to start the eTrust Audit Data Tools services.
Installing a Monitor-Only Machine

A monitor-only machine has only one of the Data Tools components installed on it, the Security Monitor. Typically, monitor-only machines are used by administrators to monitor key events related to the status of eTrust Audit itself, such as services starting or shutting down. To install a monitor-only machine, follow these steps:

1. Check Security Monitor in the Optional Components window (as shown), and then click Next.

After you click Next, the eTrust Audit Services Configuration window appears:

2. This window lets you change the account under which the eTrust Audit Data Tools services run. For the purpose of this sample, accept the default of LocalSystem by clicking Next.

3. As a final check, the installation displays a window listing the choices that you have made. Click Continue after you review your selections. The installation proceeds. At the end of the installation, the following window appears:

4. For the purpose of this sample, click Yes to start the eTrust Audit Data Tools services.

Appendix G Manually Starting eTrust Audit Services

This appendix describes how to manually start the eTrust Audit services on Windows and daemons on UNIX platforms.

Windows Platforms

You can manually start the eTrust Audit services on Windows platforms using a GUI or from a command prompt.

Using the Computer Management or Control Panel GUIs

If you did not configure the services to start automatically, you can start them from the Computer Management interface in Windows 2000 or the Windows Control Panel Services applet.
The following services might be installed on your system:

■ eTrust Audit Action Manager
■ eTrust Audit Collector
■ eTrust Audit Distribution Agent
■ eTrust Audit Distribution Server
■ eTrust Audit Generic Recorder
■ eTrust Audit Log Router
■ eTrust Audit Portmap
■ eTrust Audit Recorder
■ eTrust Audit Redirector
■ eTrust Audit SNMP Recorder

To manually start a service, do one of the following:

■ Right-click a service and choose Start from the pop-up menu. The service starts.
■ Alternatively, right-click a service and choose Properties from the pop-up menu. Then choose Automatic as the startup type. The service starts, and the next time you reboot the system, the service starts automatically.

Using a Command Prompt Session

You can also start the eTrust Audit services from a command prompt session. The executables for the services are located in the following directory:

installation_path\audit\bin

where installation_path is where you installed eTrust Audit. To start these services manually, follow these steps:

1. Open a command prompt session (cmd.exe).

2. Change to the directory where the eTrust Audit services executables are installed, for example:

cd installation_path\eTrust\audit\bin

where installation_path is where you installed eTrust Audit.

3. At the command prompt, enter the following command:

servicename -start

where servicename is one of the following:

acactmgr     The eTrust Audit Action Manager
acdistagn    The eTrust Audit Distribution Agent
acdistsrv    The eTrust Audit Distribution Server
aclogrd      The eTrust Audit Log Router
acrecorderd  The eTrust Audit Generic Recorder
selogrcd     The eTrust Audit Collector
selogrd      The eTrust Audit Redirector
selogrec     The eTrust Audit Recorder
snmprec      The eTrust Audit SNMP Recorder

The service starts.

UNIX Platforms

If you did not configure the eTrust Audit daemons (services) to start automatically, you can start them manually using the following instructions:

1. Log in as root.

2. Using the Bourne or Korn shell, follow the steps in the topic for your UNIX platform.

On Solaris

From the shell prompt, enter the following command:

/etc/rc2.d/S77servicename start

where servicename is one of the following:

acactmgr     The eTrust Audit Action Manager
acdistagn    The eTrust Audit Distribution Agent
aclogrd      The eTrust Audit Log Router
acrecorderd  The eTrust Audit Generic Recorder
snmprec      The eTrust Audit SNMP Recorder
aclogrcd     The eTrust Audit Collector

The service starts.

On AIX

From the shell prompt, follow these steps:

1. Enter the following command to set environment variables in preparation for starting the eTrust Audit daemons:

. /usr/eaudit/bin/ac_set_env.sh

2. Enter the following command to start a service:

/usr/eaudit/bin/servicename start

where servicename is one of the following:

acactmgr     The eTrust Audit Action Manager
acdistagn    The eTrust Audit Distribution Agent
aclogrcd     The eTrust Audit Collector
aclogrd      The eTrust Audit Log Router
acrecorderd  The eTrust Audit Generic Recorder
snmprec      The eTrust Audit SNMP Recorder

The service starts.
On HP-UX

From the shell prompt, enter the following command:

/sbin/rc2.d/S770servicename start

where servicename is one of the following:

acactmgr     The eTrust Audit Action Manager
acdistagn    The eTrust Audit Distribution Agent
aclogrcd     The eTrust Audit Collector
aclogrd      The eTrust Audit Log Router
acrecorderd  The eTrust Audit Generic Recorder
snmprec      The eTrust Audit SNMP Recorder

The service starts.

On Tru64 and Linux

From the shell prompt, enter the following command:

/sbin/rc2.d/S77servicename start

where servicename is one of the following:

acactmgr     The eTrust Audit Action Manager
acdistagn    The eTrust Audit Distribution Agent
aclogrcd     The eTrust Audit Collector
aclogrd      The eTrust Audit Log Router
acrecorderd  The eTrust Audit Generic Recorder
snmprec      The eTrust Audit SNMP Recorder

The service starts.
Index

A
Action Manager, 2-5
actions
    Collector, 5-13
    Security Monitor, 5-13
    specifying for policies, 5-10
administrator
    identifying at Policy Manager installation, 2-26
AN Type, 3-12
audit node groups
    associating with policies, 5-23
    creating, 3-8
audit nodes
    creating, 3-11
    switching to, 3-6

B
bells, 5-16

C
Check Point Firewall-1
    installing support for, E-10
Client components
    described, 2-4
    installation steps, 2-17
    installation steps on UNIX, A-8
Collector
    actions, 5-13
    described, 2-7
    installing a Collector-only machine, F-6
custom components
    Client, E-6
    Data Tools, F-4
custom installation steps
    for Client, E-1
    for Data Tools, F-1

D
daemons
    starting and stopping, G-4
    starting and stopping on AIX, G-5
    starting and stopping on HP-UX, G-6
    starting and stopping on Solaris, G-4
    starting and stopping on Tru64, G-7
Data Management
    installing a Data Management machine, F-11
Data Tools
    components, B-1
    installation steps, 2-31
    installing on Oracle, D-7
    installing on SQL Server, C-2
database
    selecting type, 2-33
database security, 2-11
Distribution Agent, 2-5
Distribution Server, 2-6

E
email
    identifying the SMTP mail server at installation time, 2-12
encryption, 2-11
encup utility, 2-11
event details, 7-16

F
filters
    types of, 7-3
firewalls
    considerations, 2-10

G
Generic Log Scraper, 2-4
Generic Recorder
    automatic start, E-15
    described, E-12
    installing, E-12
    selecting log files, E-13

I
installation verification, 2-37
iPlanet
    installing support for, E-12

L
Log Router, 2-5

M
Microsoft ISA
    installing support for, E-12
MS Proxy
    installing support for, E-12
MS-IIS
    installing support for, E-12

N
Netscape information, A-2
New Group dialog, 3-9

O
Oracle
    Client components preinstallation tasks, A-3
    collecting information about, A-3
    configuring Oracle clients, D-5
    creating database tables, B-8
    database considerations, B-3, D-2
    preinstallation tasks, B-2, D-1

P
policies
    activating, 6-2
    adding to a policy folder, 4-6
    associating with AN group, 5-23
    confirming deployment, 6-6
    copying and pasting, 5-6
    deploying, 6-5
    specifying properties, 4-10, 4-15
Policy Activation Log
    starting, 6-6
policy folders
    adding policies to, 4-6
    creating, 4-2
Policy Manager
    described, 2-6
    identifying at installation time, 2-12
    identifying during Client install, 2-21
    installation steps, 2-25
    starting, 3-5
policy properties, 4-10, 4-15
Portmapper, 2-4
    and firewalls, 2-10
product explorer, 2-15

R
Recorder for Check Point Firewall-1, E-10
Recorders, 2-4
Redirector, 2-4
remote databases, D-5
report scheduling, 7-10
Reporter
    described, 2-6, 7-9
    starting, 7-8
RPCs
    and firewalls, 2-10
rules
    copying and pasting, 5-6
    described, 5-2
    parts of, 5-3
    specifying action for, 5-10

S
scenario
    basic steps, 3-2
    described, 3-2
    objectives, 3-3
Security Monitor
    actions, 5-13
    described, 2-7, 7-14
    during Data Tools installation, 2-35
    identifying at installation time, 2-12
    identifying during Client install, 2-20
    identifying during Policy Manager install, 2-28
    installing a monitor-only machine, F-17
    starting, 6-9, 7-15
    verifying the installation, 2-37
    viewing event details, 7-16
services
    using a command prompt to start and stop, G-2
    using the Control Panel to start and stop, G-1
SMTP mail server
    identifying during Client install, 2-22
    identifying during Data Tools install, 2-34
SQL Server
    installing the Data Tools, C-2
Standard System Recorder, 2-4
status of eTrust Audit components, 2-12
sulog
    review, A-7
syslog.conf
    guidelines, A-6
    review, A-4
system overview, 2-8
system requirements, 2-18

T
tablespace on Oracle, D-2

U
UNIX
    Client component installation steps, A-8
    Client components Check Point Firewall-1 preinstallation considerations, A-2
    Client components general preinstallation considerations, A-1
    Client components Netscape preinstallation considerations, A-2
    Client components Unicenter preinstallation considerations, A-2
    Data Tools preinstallation considerations, B-2
    event logging, A-4
    installation steps, B-7
    installing the Data Tools, B-9
user ID with DBA privileges, D-3

V
Viewer
    described, 2-6, 7-2
    starting, 6-8, 7-2
Viewer filters
    deleting, 7-7
    saving, 7-5