AlienVault Unified Security Management™ for Government v4.12


&
RT Logic CyberC4:Alert v4.12
Configuration for Common Criteria
Copyright© 2016 AlienVault. All rights reserved.
AlienVault Unified Security Management™ Configuration for Common Criteria
DOCUMENT HISTORY AND VERSION CONTROL
Edition | Date of Issue
01 | 05/08/15
02 | 07/15/15
03 | 07/24/15
04 | 07/27/15
05 | 08/07/15
06 | 08/10/15
07 | 08/11/15
08 | 09/10/15
09 | 09/18/15
10 | 10/29/15
11 | 10/29/15
12 | 10/29/15
13 | 02/09/16
Description of Change(s):
• Initial Version
• Additional Content and Polish
• Updated to confirm changes suggested by lab, new instructions for Configuring Management Session Timeouts, User Activity Auditing
• Minimum password is now 15 for both web UI users and System Console user.
• Removed incorrect reference to [email protected], [email protected] ciphers.
• Document now includes documentation references.
• Changes to reflect the new stunnel configuration and FIPS version
• Addressing final round of comments
• Comments about the USM certificate and remote syslog
• Minor language changes to certificate information section
• Added Appendix A
• Removed a blank page and added Copyright information.
AVUG-00001 Edition 13
Copyright© 2016 AlienVault. All rights reserved.
1 of 48
1 INTRODUCTION
This guide provides the information an administrator would need to set up and administer the AlienVault USM for
Government v4.12 or RT Logic CyberC4: Alert v4.12 network appliances in compliance with the Common Criteria
evaluated configuration. Follow this guide in its entirety to ensure that the settings of each parameter match the specific
configuration that was evaluated and certified as secure by the Common Criteria certification.
1.1 AUDIENCE
This information is intended for use by administrators who are responsible for investigating and managing network security
for their organization. To use this guide you must have knowledge of your organization’s network infrastructure and
networking technologies.
1.2 ABOUT COMMON CRITERIA
The Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) is an international standard for
certification of the security of computer systems, networks, and application software. The certification ensures that the
claims about the security attributes of the evaluated product were independently verified in the evaluated configuration
operated in the specific environment.
1.3 RELATED DOCUMENTS
For more information about AlienVault USM for Government, please refer to the following documents:
Identifier | Edition | Title
Security Target | 1.9 | AlienVault USM for Government v4.12 Security Target
AVUG-00107 | 01 | User Management Guide
AVUG-00116 | 01 | Proxy Configuration
AVUG-00127 | 01 | HIDS Deployment on Windows
AVUG-00131 | 01 | Lifecycle of a Log
AVUG-00133 | 01 | Active Directory Integration
AVUG-00135 | 01 | USM Intrusion Detection
AVUG-00153 | 01 | Send Emails Triggered by Events
AVUG-00160 | 01 | Policy Management Fundamentals
AVUG-00161 | 01 | HIDS File Integrity Monitoring
AVUG-00163 | 01 | Correlation Reference Guide
AVUG-00164 | 01 | Customizing Correlation Directives or Cross Correlation Rules
AVUG-00185 | 01 | Netflow Collection
TABLE 1: GUIDANCE DOCUMENTATION
These documents cover both evaluated and out-of-scope functionality. Please refer to the AlienVault USM for Government
Security Target document for the scope of evaluated functionality.
1.4 EVALUATED CONFIGURATION
The evaluated configuration consists of the AlienVault USM for Government hardware appliance. It consists of a USM
Server, USM Logger, and USM Sensor built into a single all-in-one hardware appliance. While other configurations are
possible, they were not evaluated. The Common Criteria configuration of AlienVault USM for Government was evaluated
and found to mitigate stated threats when operated according to assumptions and security policies.
The Common Criteria certification does not guarantee the product is secure in all circumstances and possible modes of
operation. It is assumed that the system administrators install, manage, and use the AlienVault USM for Government
appliance in accordance with the instructions in this document.
1.5 ASSUMPTIONS
There are specific conditions that are assumed to exist in the AlienVault USM for Government Operational Environment.
The following table lists assumptions about the Operational Environment.
Assumptions for Operational Environment
Banners | The device shall be configured to display a banner prior to the login process, appropriate to the organization.
Password Attributes | The device shall be configured to support password attributes that match the organization’s security policy.
General Purpose | General-purpose computing capabilities are not used for any other purpose but as required for the operation, administration and support of the device. No additional software (user applications, compilers, etc.) will be installed or copied onto the device.
Physical Security | The adequate physical security of the device will be provided by the operational environment.
Administration | All administrators follow and apply all administrator guidance in a secure and trusted manner.
TABLE 2: ASSUMPTIONS
2 HOW TO ACCESS YOUR SYSTEM
In the evaluated configuration, AlienVault USM for Government is administered remotely via the web interface over a secure session
and locally via the system console by attaching a keyboard, mouse, and monitor. The system console is intended for initial
configuration and disaster recovery activities. Its use is considered ‘maintenance mode’. Once the device is configured, all
further administration should be conducted via the web interface.
2.1 SYSTEM CONSOLE
2.1.1 LOCAL ACCESS USING A KEYBOARD, MOUSE AND MONITOR
The appliance can be directly accessed by connecting a keyboard, mouse, and monitor to the appliance. This connection
method is used to initially configure the appliance and perform maintenance activities as needed. Connect a mouse and
keyboard to either the PS2 or USB ports as shown in Figure 1. Connect a monitor to the VGA port as shown in Figure 1.
FIGURE 1: VIEW OF THE APPLIANCE BACK PANEL
When you log into the appliance for the first time you will be required to change the password. Subsequent login attempts
will not require a password change. Once you log into the system you will be presented with the AlienVault Setup screen
within the system console as shown in Figure 2.
FIGURE 2: CONSOLE LOGIN SCREEN
Immediately after logging in, an Access Disclaimer is shown. Select “Yes” to continue, as shown in Figure 3.
FIGURE 3: SYSTEM CONSOLE DISCLAIMER SCREEN
Once logged into the system console you will have access to the AlienVault Setup screen. See Figure 4. From there you
will be able to set up the device for first time use and perform maintenance tasks.
FIGURE 4: ALIENVAULT SYSTEM CONSOLE SETUP SCREEN
To terminate the system console session, select <Exit> using the Tab key and press Enter.
FIGURE 5: SYSTEM CONSOLE EXIT
2.2 WEB INTERFACE
This management interface must be configured using the system console before the
web interface becomes accessible. See Section 3.1 for details.
Once the appliance management interface has been configured, you can access the web user interface by logging in.
2.2.1 WEB INTERFACE LOGIN
1. Open a web browser and enter the IP address assigned to the AlienVault USM’s management interface in the navigation bar.
FIGURE 6: ALIENVAULT USM WEB INTERFACE LOGIN PAGE
2. Enter a valid username and password and click ‘login’.
2.2.2 WEB UI NAVIGATION
The USM for Government web UI has several main navigation sections.
• Dashboards – The dashboards provide summary level visibility into the information collected within USM for Government and the built-in tools.
• Analysis – The Analysis tab includes views that allow you to interact with the data within USM for Government. The Analysis tab includes the following views:
  o Alarms. The alarms view allows you to interact with the alarms generated within the system.
  o Security Events. This view allows you to search the event data within the system.
  o Raw Logs. This view allows you to search the raw log data.
  o Tickets. This view allows you to view and manage the tickets within the system.
• Environment – This tab provides you with views related to the environment that is being monitored by the USM for Government system. Views include:
  o Assets. USM for Government includes a built-in asset management system that allows you to identify and monitor assets in your environment. Use this view to see the assets and asset details.
  o Groups & Networks. USM for Government includes the ability to create asset groups and network groups for use with asset discovery, asset management, vulnerability assessment, and other built-in capabilities. Use this view to see and manage the list of asset groups and network groups.
  o Vulnerabilities. USM for Government includes a built-in vulnerability scanner. Use this view to create a vulnerability scan and to manage and view the results.
  o Profiles. USM for Government includes an ability to profile the network traffic that is mirrored through the appliance. Use this view to review the network statistics and information collected.
  o Netflow. USM for Government includes built-in netflow capability. Use this view to evaluate the netflow information captured by the appliance.
  o Traffic Capture. USM for Government includes a built-in capability to capture raw traffic on the network. Use this view to manage and view the raw traffic.
  o Availability. USM for Government includes an ability to perform availability monitoring of the assets on the network. Use this view to manage and view the availability information.
  o Detection. USM for Government includes an ability to perform host-based intrusion detection for assets on the network. Use this view to manage the HIDS functionality.
• Reports – This tab provides you with built-in reports that you can run against the data collected and produced by the USM for Government appliance.
• Configuration – This tab allows you to configure and manage the USM appliance. Views include:
  o Administration. Use this view to administer the various aspects of the USM for Government appliance.
  o Deployment. Use this view to see and manage the USM for Government deployment.
  o Threat Intelligence. Use this view to see and manage the threat intelligence information that comes with USM for Government.
To terminate the Web UI session, click the Logout button.
FIGURE 7: WEB UI LOGOUT BUTTON
2.2.3 DASHBOARDS
Once you log into the USM for Government appliance, the Executive dashboards are displayed.
FIGURE 8: EXECUTIVE OVERVIEW DASHBOARD
The Executive dashboard includes several panels:
• Latest SIEM vs. Logger Events – displays the number of events received and stored in the SIEM event database and events stored on the Logger. Information is displayed as a line chart showing the quantity of events over time.
• SIEM: Top 10 Events by Product Type – for environments that include multiple data sources, this panel shows the types of events captured. Information is displayed as a pie chart.
• Threat Level – displays the current threat level based on known information captured externally and identified by the appliance.
• Unresolved Alarms vs. Opened Tickets – displays a comparison between the alarms generated and tickets opened for the current day, previous two days, last week, and last 2 weeks.
• SIEM: Top 10 Event Categories – displays a pie chart of the top 10 event categories.
• SIEM: Events by Sensor / Data Source – displays a view of the event data captured by data source.
Other dashboards available include:
• Tickets – provides visibility into the status of the tickets created within the system, including ticket resolution time, ticket status, opened tickets by user, tickets closed by month, tickets by class, and ticket types.
• Security – provides visibility into the security of the environment being monitored. Panels on this dashboard include Top 10 Promiscuous Hosts, Security Events: Top 5 Alarms, Security Events: Top 5 Events, Top 10 Hosts with Multiple Events, Security Events Trend: Last Day, Security Events Trend: Last Week, Destination TCP Ports, and Destination UDP Ports.
• Taxonomy – provides visibility into the events related to different parts of the security taxonomy within USM for Government. Panels include Top 10 Hosts with Virus Detected, Successful Authentication Login vs. Failed Login Events, Malware Events by Time, Firewall Permit vs. Firewall Deny Events, System Events, Exploits Event Types, and Exploits Event Types.
• Vulnerabilities – provides summary information about the vulnerabilities discovered by the built-in USM for Government vulnerability scanner. Panels include Vulnerabilities by Severity, Vulnerabilities by Services, Top 10 Hosts, Top 10 Networks.
2.3 MANAGEMENT INTERFACE NETWORK SETTINGS
After booting the appliance, connect to the system console and authenticate. For the initial login, instructions on how to
authenticate are displayed. After successful authentication you will be presented with the following menu:
1. Choose ‘System Preferences’ (menu option 1) and click ‘OK’.
2. Choose ‘Configure Network’ (menu option 0) and click ‘OK’.
3. Choose ‘Setup Management Network’ and click ‘OK’.
4. Choose to configure the Management Interface manually or using DHCP. This interface will be used to communicate with the AlienVault Server web interface and connect to the console from the network.
• “Manual Configuration” to provide all the desired network parameters
• “DHCP Configuration” to perform automatic network configuration using your DHCP server
Only one Ethernet cable should be plugged into the appliance (eth0) during the initial network configuration. After configuring the management interface, all other network cables can be connected.
2.3.1 MANUAL CONFIGURATION
1. Enter IP Address. Then, press Enter to accept the selection (<OK>).
2. Enter Netmask. Then, press Enter to accept the selection (<OK>).
3. Enter Gateway Address. Then, press Enter to accept the selection (<OK>).
4. Enter DNS Server(s). Then, press Enter to accept the selection (<OK>).
5. Check the network configuration parameters provided. Press Enter to confirm the values (<Yes>) so the system can perform the appliance configuration.
2.3.2 DHCP CONFIGURATION
The Dynamic Host Configuration Protocol (DHCP) is a standard network protocol used to dynamically configure network
parameters. For this feature to work, the DHCP server must be present on the network.
Check the network configuration parameters provided by your DHCP server. Press Enter to confirm the values (<Yes>) so
the system can perform the appliance configuration.
2.4 SECURING ADMINISTRATIVE LOGIN
2.4.1 INITIAL SYSTEM CONSOLE LOGIN
It is not possible to access the system without a user name and a password. The default user has the username ‘root’ and a
randomly generated password.
1. Use the initial credentials generated by the system to access the system.
2. Change the initial password following your organization’s password policy.
The default password must be changed after initial login.
2.4.2 INITIAL WEB LOGIN
It is not possible to access the system without a user name and a password. The default user has the username ‘admin’ and
the password ‘admin’. You will be prompted to create a unique account before accessing any other functionality of the system.
1. Use the initial credentials to access the system.
2. Change the initial password following your organization’s password policy.
3 SETTING UP THE COMMON CRITERIA CONFIGURATION
3.1 CHECKING SOFTWARE VERSION
The current version of the USM for Government appliance can be checked from either the Web Interface or System
Console.
The Common Criteria certified version is USM for Government v4.12.
3.1.1 CHECK SOFTWARE VERSION FROM THE WEB INTERFACE
1. Log in to the web UI.
2. Navigate to the Deployment information page by selecting Configuration > Deployment from the main window. This is where you will find information about each of the nodes in the USM for Government deployment.
3. Select AlienVault Center in the sub-menu. By default this should be selected.
4. Under the AlienVault Components Information section double-click the node to configure or click the System Detail icon on the right. This will open the system detail view.
5. Under the Package Information section of the System Detail you will find a reference to the Current Version.
3.1.2 CHECK SOFTWARE VERSION FROM THE SYSTEM CONSOLE
1. Connect via keyboard, mouse, and monitor to the System Console and log in.
2. The current version of the appliance is displayed at the top of the System Console screen.
3.2 UPGRADING SOFTWARE
AlienVault USM for Government can be updated by following the procedures below.
3.2.1 UPDATE REQUIREMENTS
• Access to the USM for Government System Console
• USM version 4.12 or greater.
• ISO image provided by AlienVault.
• USB flash drive or external USB CD/DVD R/RW drive.
3.2.2 HOW TO OBTAIN THE SOFTWARE UPDATES
Updates for USM for Government are made available by AlienVault on the AlienVault web site. Access to the update will
require your product license key. Contact AlienVault technical support or open a support case to obtain the download
location.
The download package ships with a SHA-512 hash that must be verified during the update process.
See the verification steps below for instructions on how to verify the integrity of the downloaded package.
3.2.3 UPDATE PACKAGE VERIFICATION
Package download verification must be done from a Mac OS or Linux-based system.
Once you obtain the update package from AlienVault you will need to verify that the package is complete and has not been
modified. Use the following steps to verify the package using the SHA-512 hash provided by AlienVault.
1. Download the digest file from the AlienVault update server location provided to you by the AlienVault Technical Support Team.
2. Place the digest file in the same folder as the ISO update image.
3. Run the following command to verify the package.
$ cat USM_SHA512SUM | grep <ISO_Image_Name> | sha512sum -c -
For example, if the name of the ISO image is image.iso, successful output of the command above will be:
image.iso: OK
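The pipeline in step 3 has two quiet failure modes worth catching explicitly: grep matches any digest line that merely contains the image name, and when no line matches at all, sha512sum -c reads empty input and reports only that it found no checksum lines. The POSIX shell function below is an added example, not part of the AlienVault guide; it performs the same SHA-512 check with an exact file-name match and distinct exit codes, and builds a constructed image and digest file to run against (it assumes GNU coreutils sha512sum, as on Linux; the file names image.iso and USM_SHA512SUM follow the guide's example).

```shell
#!/bin/sh
# Added example: exact-match SHA-512 verification of an update image against an
# AlienVault-style digest file (lines of "<128 hex chars>  <file name>").
# Assumes GNU coreutils sha512sum (Linux). Exit codes:
#   0 digest matches   1 digest mismatch   2 input file missing   3 no unique digest entry

# verify_iso <directory> <digest file name> <iso file name>
verify_iso() {
    dir=$1; digest=$2; iso=$3
    [ -r "$dir/$digest" ] || { echo "digest file $dir/$digest not readable" >&2; return 2; }
    [ -r "$dir/$iso" ]    || { echo "image $dir/$iso not found" >&2; return 2; }

    # Match the whole file name (field 2), accepting the "*name" binary-mode form,
    # instead of grep's substring match, which would also hit "image.iso.old".
    # (File names containing spaces are not handled; the guide's names have none.)
    count=$(awk -v f="$iso" '$2 == f || $2 == ("*" f) { n++ } END { print n + 0 }' "$dir/$digest")
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one digest entry for $iso, found $count" >&2
        return 3
    fi
    line=$(awk -v f="$iso" '$2 == f || $2 == ("*" f)' "$dir/$digest")

    # sha512sum -c resolves the file name relative to the working directory,
    # so run it inside the directory that holds the image.
    if printf '%s\n' "$line" | ( cd "$dir" && sha512sum -c - ) >/dev/null 2>&1; then
        echo "$iso: OK"
        return 0
    fi
    echo "$iso: FAILED (SHA-512 digest mismatch; do not install this image)" >&2
    return 1
}

# make_fixture: constructed stand-in for a downloaded update (a few bytes, not a
# real ISO) plus the digest file an administrator would download next to it.
# Prints the temporary directory it created.
make_fixture() {
    dir=$(mktemp -d)
    printf 'constructed stand-in for the USM update image\n' > "$dir/image.iso"
    printf 'an unrelated file that a substring match would also catch\n' > "$dir/image.iso.old"
    ( cd "$dir" && sha512sum image.iso image.iso.old > USM_SHA512SUM )
    echo "$dir"
}

# Stand-alone demonstration: an intact image, then the same image after tampering.
demo() {
    d=$(make_fixture)
    verify_iso "$d" USM_SHA512SUM image.iso
    printf 'tampered\n' >> "$d/image.iso"
    verify_iso "$d" USM_SHA512SUM image.iso || echo "tampered image rejected with status $?"
    rm -rf "$d"
}
demo
```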
3.2.4 PREPARE THE USB FLASH DRIVE
Note that when using the instructions below all contents of the USB flash drive will be
erased. Be sure to clear off any contents of the drive before proceeding.
3.2.4.1 USB DRIVE PREPARATION ON A LINUX SYSTEM
1. Insert the USB flash drive into the USB port. It is recommended to copy the ISO image to a temporary directory, for example “/tmp”.
2. Execute the following command to copy the ISO image:
sudo dd if=<USB_image.iso> of=<USB_device> bs=4M
• <USB_image.iso> – replace this with the ISO image file path. Note that the ‘dd’ command requires that you write the fully qualified path of where the file is located.
• <USB_device> refers to the USB device name.
For example, if the file is called “image.iso” and it is located in “/home/user/temp”, and the device is “/dev/sdb”, the command to use would be:
sudo dd if=/home/user/temp/image.iso of=/dev/sdb bs=4M
3. Once the USB drive has been written, unmount the drive and remove it from the system.
3.2.4.2 USB DRIVE PREPARATION ON MAC OS X
1. Insert the USB flash drive into the USB port.
2. Copy the image to a temporary directory or to your own user directory.
3. Run the following command to identify the USB device name:
diskutil list
4. Unmount the USB device before burning the image to the USB device.
diskutil unmountDisk <USB_device>
• <USB_device> refers to the USB device name determined in the previous steps.
For example, using the output shown in Figure XXX, the device is /dev/disk1. The specific command to execute in this example is:
diskutil unmountDisk /dev/disk1
5. Copy the image from the system to the USB drive.
sudo dd if=<USB_image.iso> of=<USB_device> bs=1m
• <USB_image.iso> must be replaced by the ISO image file path. Note that it is necessary to write the whole path where the file is located.
• <USB_device> refers to the USB device name.
For example, if the file is called “image.iso” and it is located in “/home/user/temp”, and the device is “/dev/disk1”, the command to use would be:
sudo dd if=/home/user/temp/image.iso of=/dev/disk1 bs=1m
6. Eject the device from the system.
diskutil eject <USB_device>
• <USB_device> refers to the USB device name.
3.2.4.3 USB DRIVE PREPARATION ON WINDOWS
AlienVault recommends that you use a USB Installer tool to create a bootable USB
drive. Find it here: http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/
1. Copy the ISO image to a temporary directory or to your own user directory.
2. Insert the USB flash drive into the USB port.
3. Open the bootable USB creation tool.
4. Choose the ISO image with the Disk image option.
5. Select the USB drive and press OK.
3.2.5 PREPARING A CD
Burn the ISO image file by using any CD burning software.
3.2.6 UPDATE THE USM FOR GOVERNMENT APPLIANCE
1. Connect the USB drive that contains the update image to the appliance USB port.
2. Connect via keyboard, mouse, and monitor to the System Console and log in.
3. Navigate from the System Console main menu to the Update System option: System Preferences > Update AlienVault System > Update (Offline).
4. You will be prompted to connect the USB drive to the system. If you haven’t already done so, connect the USB drive to the system USB port and press Enter to select the <OK> option. This will initiate the update process.
5. Connect your USB drive with the AlienVault Update System and click <OK>. This will initiate the update process.
6. The SHA digest will be displayed on the screen, so it can be compared with the one published on the AlienVault site, located here: http://offlineupdate.alienvault.com/files/niap/
7. Compare the hash to ensure it is valid and hit [Enter] to continue. You will be asked to confirm that the hash value matches. Select <Yes> to proceed or <No> to abort the update process.
8. Once complete, the appliance will display the following screen:
9. Remove the USB device.
3.3 SYSTEM CLOCK MANAGEMENT
3.3.1 MANUALLY CONFIGURE THE SYSTEM CLOCK
The simplest way to set the system clock is to set it manually from the USM for Government System Console. Follow the
instructions below to manually set the system clock:
1. Connect via keyboard, mouse, and monitor to the System Console and log in.
2. Navigate to the Setup Date/Time manually section of the System Console from the main menu: System Preferences > Change Location > Date and Time > Setup Date/Time manually
3. Enter the date and time into the specified field using the specified format and then select the <OK> option.
4. Select the Apply all Changes option to apply the changes.
Changes must be applied before the configuration change will take effect.
3.3.2 CONFIGURE SYSTEM CLOCK USING NTP FROM SYSTEM CONSOLE
1. Connect via keyboard, mouse, and monitor to the System Console and log in.
2. Navigate to the Configure NTP Server settings from the system console main menu: System Preferences > Change Location > Date and Time > Configure NTP Server.
3. Enable the NTP server if not already enabled by selecting the Enable option and (<OK>).
4. Specify the NTP Server hostname or IP address and (<OK>).
5. Choose (<Back>), (<Back>), (<Back>) to get back to the system console main menu.
6. Select the Apply all Changes option to apply the changes.
7. Confirm the changes by selecting (<Yes>) at the confirmation window. If the setting is incorrect, select (<No>) and follow these instructions again.
8. This will initiate a reconfiguration of the AlienVault USM appliance. The reconfiguration process can take several minutes. Be patient. Once the reconfiguration is complete, you will be returned to the System Console main menu.
3.3.3 CONFIGURE NTP SERVER FROM WEB INTERFACE
1. Log in to the appliance from the web UI.
2. Navigate to the Deployment information page by selecting Configuration > Deployment from the main window.
3. Under the AlienVault Components Information section double-click the node to configure or click the System Detail icon on the right. This will open the system detail view.
4. Click the General Configuration tab on the system detail view to see the General Configuration options.
5. Change the NTP Server option from “No” to “Yes” if not already configured.
6. Enter the NTP Server IP Address or hostname and Apply Changes.
7. The USM system will apply the changes and return you to the General Configuration window.
3.4 CONFIGURING EXTERNAL SYSLOG
It is possible to send audit logs to an external syslog server configured with stunnel software to encrypt the connection:
1. Log in to the appliance from the web UI.
2. Navigate to the Administration page by selecting Configuration > Administration from the main window.
3. On the Administration screen click on the Main tab and select the User Activity option.
4. Specify the IP address or hostname for the remote stunnel server that will forward to syslog in the Remote audit server entry box. Note that you must specify the port by adding “:port” to the end of the IP address. For example, 192.168.1.230:10514.
5. The certificate with the AlienVault USM for Government appliance key is required to send the syslog data to the remote syslog server. To verify that the syslog server is authorized, the administrator must create a certificate for both the syslog server and the USM for Government appliance. A trusted Certificate Authority must sign both certificates. Combine the signed client certificate and its key into a file. To use the certificate, open that file with a text editor, copy the content, and paste it into the “Load audit server public key” field. See Appendix A, “How to configure STunnel to work with AlienVault USM for Government”, if you need more details about how to generate a CA and how to sign certificates.
6. Click on the Update Configuration button on the right side of the screen to apply the changes.
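Step 5 leaves two things to check before the combined file is pasted into the web UI: that the client certificate really chains to the trusted CA, and that the key combined with it is the key belonging to that certificate (a file that pairs a certificate with the wrong key produces a bundle the stunnel peer will reject at handshake time). The shell function below is an added example, not the guide's or AlienVault's code; it performs both checks with the openssl command line and generates a throwaway CA and client certificate to run against (the subject names, the file name usm-audit-client.pem and the second "unrelated" CA are all constructed for the demonstration).

```shell
#!/bin/sh
# Added example: consistency checks on the "signed client certificate + key" bundle
# from section 3.4, step 5, before its contents are pasted into the web UI.
# Assumes the openssl command line tool is installed. Exit codes:
#   0 bundle is consistent   1 certificate does not chain to the CA
#   2 key does not belong to the certificate   3 input missing or malformed

# check_audit_bundle <bundle.pem> <ca.crt>
check_audit_bundle() {
    bundle=$1; ca=$2
    [ -r "$bundle" ] && [ -r "$ca" ] || { echo "bundle or CA file not readable" >&2; return 3; }
    tmp=$(mktemp -d)

    # Pull the certificate out of the bundle so the chain check sees only a certificate.
    openssl x509 -in "$bundle" -out "$tmp/cert.pem" 2>/dev/null \
        || { rm -rf "$tmp"; echo "no certificate found in $bundle" >&2; return 3; }

    # Check 1: the certificate must be signed by the CA that the syslog side trusts.
    if ! openssl verify -CAfile "$ca" "$tmp/cert.pem" >/dev/null 2>&1; then
        rm -rf "$tmp"; echo "certificate in $bundle does not chain to $ca" >&2; return 1
    fi

    # Check 2: the private key in the bundle must match the certificate.
    # Comparing the derived public keys works for RSA and EC keys alike.
    openssl x509 -in "$tmp/cert.pem" -noout -pubkey > "$tmp/cert.pub" 2>/dev/null \
        || { rm -rf "$tmp"; echo "cannot read public key from certificate" >&2; return 3; }
    openssl pkey -in "$bundle" -pubout > "$tmp/key.pub" 2>/dev/null \
        || { rm -rf "$tmp"; echo "no private key found in $bundle" >&2; return 3; }
    if [ "$(cat "$tmp/cert.pub")" = "$(cat "$tmp/key.pub")" ]; then
        rm -rf "$tmp"; echo "$bundle: certificate chains to CA and matches its key"; return 0
    fi
    rm -rf "$tmp"; echo "key in $bundle does not belong to its certificate" >&2; return 2
}

# make_demo_pki: constructed throwaway CA, a client certificate it signs, and a
# second, unrelated CA, written to a temporary directory whose path is printed.
make_demo_pki() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Audit CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=usm-appliance-constructed" \
        -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/client.crt" >/dev/null 2>&1
    # The combined file the guide asks for: signed client certificate followed by its key.
    cat "$dir/client.crt" "$dir/client.key" > "$dir/usm-audit-client.pem"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$dir/other.key" -out "$dir/other.crt" >/dev/null 2>&1
    echo "$dir"
}

# Stand-alone demonstration: a good bundle, the wrong CA, and a bundle with the wrong key.
demo() {
    d=$(make_demo_pki)
    check_audit_bundle "$d/usm-audit-client.pem" "$d/ca.crt"
    check_audit_bundle "$d/usm-audit-client.pem" "$d/other.crt" || echo "rejected with status $?"
    cat "$d/client.crt" "$d/other.key" > "$d/wrong-key.pem"
    check_audit_bundle "$d/wrong-key.pem" "$d/ca.crt" || echo "rejected with status $?"
    rm -rf "$d"
}
demo
```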
3.5 CONFIGURING SECURITY
3.5.1 GENERATING HOST KEYS
Host keys are generated automatically by the AlienVault USM for Government appliance the first time the system is
started. No additional user intervention is required.
3.5.2 FIPS MODE
The AlienVault USM for Government appliance is enabled by default to use FIPS compliant OpenSSL libraries for
cryptographic communication. All application components that use cryptographic functionality utilize these libraries.
USM for Government does not provide an option to disable FIPS mode.
USM for Government includes the following FIPS certified OpenSSL packages:
• libssl1.0.0:amd64 version 1.0.1p-1+fips2.0.9
• openssl-fips version 2.0.9-1
3.5.3 CONFIGURING PROTOCOLS
AlienVault USM for Government is designed to use only the Common Criteria certified cipher suites. The ciphers included with
the system are:
• aes256-cbc
• aes128-cbc
These ciphers cannot be changed.
3.5.4 CONFIGURING PASSWORD ATTRIBUTES
The password attributes for users within the AlienVault USM for Government system can be controlled by an administrator from within the Web UI. The attributes that can be changed, with the default value of each, are:
• Minimum Password Length (default: 15). This security setting establishes a minimum length for the password that can be used. The minimum value is 15. The maximum value is 255.
• Maximum Password Length (default: 32). This security setting establishes a maximum length for the password that can be used. The minimum value is 15. The maximum value is 255.
• Password History (default: 0). This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. A value of “0” means that this setting is disabled.
• Complexity (default: No). This security setting requires that users use a password that includes at least three of the following types of characters: uppercase letters, lowercase letters, numbers, and special characters. Allowed values: Yes, No.
• Minimum Password Lifetime in Minutes (default: 0). This security setting requires users to wait a specified number of minutes before resetting their password again. A value of “0” disables this setting.
• Maximum Password Lifetime in Days (default: 0). This security setting forces a user to reset their password after a specified number of days. A value of “0” disables this setting.
• Failed Logon Attempts (default: 5). This security setting determines the number of times a user can incorrectly enter a password before getting locked out of the system.
• Account Lockout Duration (default: 5). This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked.
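The following is an added example, not code from the AlienVault guide or product: a reference implementation of the password attributes described above, initialised with the guide's default values, so that an administrator can see how length, complexity, history, lifetime and lockout rules interact before choosing settings. The account name, timestamps and candidate passwords in it are constructed for the example; the enforcement logic is an assumption about how the documented attributes would be applied, not USM's own code.

```python
"""Added example (not from the AlienVault guide): reference implementation of the
section 3.5.4 password attributes with the guide's defaults. All timestamps and
account names are constructed; this is not USM's own enforcement code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import string


@dataclass
class PasswordPolicy:
    # Defaults are those listed in section 3.5.4; 0 disables an attribute.
    min_length: int = 15                 # allowed 15..255
    max_length: int = 32                 # allowed 15..255
    history: int = 0                     # passwords remembered
    complexity: bool = False             # 3 of 4 character classes required
    min_lifetime_minutes: int = 0
    max_lifetime_days: int = 0
    failed_logon_attempts: int = 5
    lockout_duration_minutes: int = 5

    def __post_init__(self):
        # Reject values outside the ranges the guide documents.
        for name in ("min_length", "max_length"):
            if not 15 <= getattr(self, name) <= 255:
                raise ValueError(f"{name} must be between 15 and 255")
        if self.min_length > self.max_length:
            raise ValueError("min_length cannot exceed max_length")


def character_classes(password):
    """Number of classes present: uppercase, lowercase, digit, special."""
    return sum([any(c.isupper() for c in password), any(c.islower() for c in password),
                any(c.isdigit() for c in password), any(c in string.punctuation for c in password)])


def check_new_password(policy, candidate, previous=(), last_change=None, now=None):
    """Return the policy violations for a proposed password; an empty list means accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("shorter than minimum length")
    if len(candidate) > policy.max_length:
        problems.append("longer than maximum length")
    if policy.complexity and character_classes(candidate) < 3:
        problems.append("fewer than three character classes")
    # Password History: the last N passwords may not be reused (0 = disabled).
    if policy.history and candidate in list(previous)[-policy.history:]:
        problems.append("reuses a remembered password")
    # Minimum Password Lifetime: a change too soon after the last one (0 = disabled).
    if policy.min_lifetime_minutes and last_change is not None:
        if (now or datetime.now()) < last_change + timedelta(minutes=policy.min_lifetime_minutes):
            problems.append("changed before minimum lifetime elapsed")
    return problems


def password_expired(policy, last_change, now=None):
    """Maximum Password Lifetime in Days: True once a reset is due (0 = disabled)."""
    if policy.max_lifetime_days == 0:
        return False
    return (now or datetime.now()) >= last_change + timedelta(days=policy.max_lifetime_days)


class LockoutTracker:
    """Failed Logon Attempts and Account Lockout Duration, tracked per login."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = {}      # login -> consecutive failures
        self.locked_until = {}  # login -> datetime the lock lifts

    def is_locked(self, login, now=None):
        now = now or datetime.now()
        until = self.locked_until.get(login)
        if until is None:
            return False
        if now >= until:                # lock expired: unlock automatically
            del self.locked_until[login]
            self.failures[login] = 0
            return False
        return True

    def record_failure(self, login, now=None):
        """Count a failed logon; True when the account is (or becomes) locked."""
        now = now or datetime.now()
        if self.is_locked(login, now):
            return True
        self.failures[login] = self.failures.get(login, 0) + 1
        if self.failures[login] >= self.policy.failed_logon_attempts:
            self.locked_until[login] = now + timedelta(minutes=self.policy.lockout_duration_minutes)
            return True
        return False

    def record_success(self, login):
        self.failures[login] = 0


def lockout_demo():
    """Exercise the default lockout rules (5 failures, 5 minute lock) with constructed times."""
    policy, tracker = PasswordPolicy(), LockoutTracker(PasswordPolicy())
    t0 = datetime(2016, 2, 9, 12, 0, 0)  # constructed timestamp
    outcomes = [tracker.record_failure("analyst", t0) for _ in range(policy.failed_logon_attempts)]
    return {
        "locked_on_attempt": outcomes.index(True) + 1,
        "locked_at_t0": tracker.is_locked("analyst", t0),
        "locked_after_duration": tracker.is_locked("analyst", t0 + timedelta(minutes=5)),
        "expired_after_91_days": password_expired(PasswordPolicy(max_lifetime_days=90), t0, t0 + timedelta(days=91)),
    }
```

With the defaults, an account locks on the fifth consecutive failure and unlocks on its own once five minutes have passed; a `PasswordPolicy(complexity=True, history=3)` rejects a lowercase-only password and a reuse of any of the last three.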
Follow the steps below to change the password attributes that are required by the system.
1. Log in to the appliance from the web UI.
2. Navigate to the Deployment information page by selecting Configuration > Administration from the main window.
3. On the Administration screen click on the Main tab and select the Password Policy option.
4. Modify one or more of the password policy settings as desired. See above for a description of each password setting.
5. Click on the Update Configuration button on the right side of the screen to apply the changes.
3.5.5 CONFIGURING MANAGEMENT SESSION TIMEOUTS
The session timeout value for a user in the web UI and System Console can be configured. When this setting is configured the USM for Government appliance will force an inactive user to log out when the timeout period is reached.
1. Log in to the appliance from the web UI.
2. Navigate to the Deployment information page by selecting Configuration > Administration from the main window.
3. On the Administration screen click on the Main tab and select the User Activity option.
4. Enter a value into the Session Timeout (minutes) field to designate the period of time before a session logs the user out from the system. The default value is 10 minutes.
5. Click on the Update Configuration button on the right side of the screen to apply the changes.
3.5.6 CONFIGURING THE BANNER
When a user logs into the AlienVault system either through the web UI or from the system console a system banner is displayed. The specific text of this banner can be modified using the following steps:
1. Log in to the appliance from the web UI.
2. Navigate to the Deployment information page by selecting Configuration > Administration from the main window.
3. On the Administration screen click on the Main tab and select the Authorized Access Disclaimer option.
4. Enter the text to display to the user when a user attempts to log into the system either from the web UI or the system console.
5. Click on the Update Configuration button on the right side of the screen to apply the changes.
4 USER MANAGEMENT
4.1 SYSTEM CONSOLE SYSTEM ADMINISTRATORS
4.1.1 CHANGE ROOT PASSWORD FROM SYSTEM CONSOLE
An administrator can change the password of the ‘root’ user on the system console by following the instructions below:
1. Connect via keyboard, mouse, and monitor to the System Console and log in.
2. Select System Preferences > Change Password > Change Appliance root password.
3. You will be prompted to confirm that you want to change the root password.
4. Enter the new password and confirm by entering it again. Upon successful completion you will get a confirmation message.
5. Exit the console.
4.1.2 ADD A USER IN THE SYSTEM CONSOLE
Additional users cannot be granted access to the System Console. The system supports only a single system administrator.
4.2 USER INFORMATION
The option to manage users is restricted to administrators.
Using the Primary Menu, select Configuration > Administration and then, using the Secondary Menu, select Users.
This screen contains the following information:
• Login. Account credential required to access AlienVault USM. It refers to the username used to access the system. Next to “Login”, administrator users are marked with the administrator icon in the list of displayed users.
• Name. Personal identifier.
• Email. This is the e-mail address of the user. It is used to send notifications, reports, etc., to the user.
• Visibility. This field indicates the group that the user belongs to. Groups of objects are used to simplify asset management.
• Status. There are 2 types of status: enabled user (green check mark icon) and disabled user (red “X” icon).
• Language. The interface supports several languages and it is possible to set a default. The available languages are: English, Chinese simplified, Chinese traditional, French, German, Portuguese and Spanish.
• Creation date. The date on which that user was created.
• Last login date. The last date on which that user logged in.
4.3 CREATE A NEW USER
To create a new user, the authorized administrator should follow these steps:
1. Navigate to the Deployment information page by selecting Configuration > Administration from the main window.
2. Click on ‘New’.
3. Populate the ‘New User’ form:
• User login. Enter a new user login. This is a mandatory field.
• User name. Enter a personal identifier, for example a personal name.
• User email. Enter the new user's email.
• User language. Select the interface language setting to be used by the new user.
• Timezone. Select a time zone from the list that appears by clicking on the combo box.
• Enter user password. Enter a password for the new account. This information is necessary to log in to AlienVault USM.
• Re-enter user password. Re-enter the password for the new account.
• Ask to change password at next login. This option can be used to force a password change on first login for a new user.
• ‘Make this user a global admin’ toggle. Toggle this to assign the new user the global admin role. Global admin users have permissions to see all assets and all menu options. Global administrators are marked with the administrator icon whenever the list of users is displayed.
4.4 MODIFY A USER
To modify an existing user’s account, the authorized administrator should follow these steps:
1. Navigate to the Deployment information page by selecting Configuration > Administration from the main window.
2. From the ‘user information’ list, select the user you want to modify by clicking on the line of that user and click on Modify. You can also double-click on the line of that user or select the user you want to modify by clicking on the user name.
3. Modify the relevant user information.
4. Once all changes have been made, re-enter the password and click on SAVE to make the changes take effect.
4.5 DELETE SELECTED USER
To delete a user’s account, the authorized administrator should follow these steps:
1. Navigate to the Deployment information page by selecting Configuration > Administration from the main window.
2. Select the user you want to delete by clicking on the line of that user and then selecting ‘Delete Selected’.
3. The system will ask for confirmation.
4. Click OK and the user will be permanently deleted.
A user can be disabled instead of removed to retain the user configuration. A disabled user cannot access the system.
4.6 ENABLED AND DISABLED USERS
It is possible to disable a user account. The green check mark status icon indicates that the user is enabled and the red “X” icon indicates that the user account is disabled. Click on the icon to toggle the user status. Disabled users are locked out of the system.
4.6.1 DISABLE ACTIVE USERS
1. Choose “Configuration > Administration > Users > User Information”.
2. Under the status column, click the green check mark to disable the user.
Once clicked, the check mark will change to a red “X”. This indicates that the user is disabled.
4.6.2 ENABLE ACTIVE USERS
1. Choose “Configuration > Administration > Users > User Information”.
2. Under the status column, click the red “X” to enable the user.
Once clicked, the red “X” will change to a green check mark. This indicates that the user is enabled.
5 AUDIT LOG RECORDS
AlienVault USM for Government monitors all administrative activity on the appliance. When this activity happens, the
system will generate an audit message that is stored on the system. The log message is stored locally and can be accessed
directly from the appliance in the Raw Logs and sent via syslog to an external system.
Its format in the Raw Logs is the following:
Date : yyyy/mm/dd hh:mm:ss
Type of log: syslog
Sensor: AllInOne
Source: AllInOne
Device: AlienVault USM for Government IP
Data: The data about that specific audit log
5.1 AUDITED EVENTS
5.1.1 GENERAL USER ACTIVITY LOGGING
Most activity performed within USM for Government can be audited by configuring the user activity audit options in the system. The audit options available include:
• Account locked: Too many failed login attempts
• Analysis – Alarm closed
• Analysis – Alarm deleted
• Analysis – Alarm open
• Analysis – Block of Alarms
• Anomalies - :Acked host:, date:, sensor:
• Anomalies - : Ignored host:, date:, sensor:
• Anomalies – Acked
• Anomalies – Deleted
• Configuration – New host scan configuration added
• Configuration – RRD profile added
• Configuration – Reset defaults values
• Configuration – User created
• Configuration – User deleted
• Configuration – User info modified
• Configuration – User password changed
• Configuration – configuration modified
• Correlation – Backlog delete
• Correlation Directives – directive
• Correlation Directives – Directive added
• Correlation Directives – Properties of directive deleted
• Correlation Directives – Properties of directive updated
• Dashboards – Modify configuration variable
• Incidents – Incident type: deleted
• Incidents – Modify incident type
• Incidents – New incident type
• Incidents – New tag added
• Incidents – Tag deleted
• Incidents – Tag modified
• Knowledge DB – Added relationship to
• Knowledge DB – Attached file to
• Knowledge DB – Deleted file
• Knowledge DB – Deleted relationship from with keyname
• Knowledge DB – Document deleted
• Knowledge DB – Document modified
• Monitor – Network
• Monitor – Riskmeter
• Monitor – Sensors
• Monitor – Sessions
• Policy & Actions – Action modified
• Policy & Actions – Action deleted
• Policy & Actions – New Action added
• Policy – Host group deleted
• Policy – New host group added
• Policy – Network group deleted
• Policy – Network group modified
• Policy – New network group added
• Policy – Order: change from to
• Policy – New policy added
• Policy – Policy deleted
• Policy – Policy modified
• Policy – New sensor added
• Policy – Sensor modified
• Policy – New signature group
• Policy – Signature group deleted
• Policy – Signature group modified
• Policy Group – Change order
• Reports – Incident deleted
• Reports – Incident modified
• Reports – Incident closed
• Reports – PDF report generated
• Reports – Security report generated
• Reports – Ticket deleted
• Reports – Ticket added to
• SIEM Components – Database Servers – Database server modified
• SIEM Components – Database Servers – New database added
• SIEM Components – Servers: New server added
• SIEM Components – Servers: Server modified
• SIEM Components – Servers: Server deleted
• SIEM Components – Webs Interfaces modified
• SIEM Components – Webs Interfaces deleted
• Tools – Backup deleted
• Tools – Backup restored
• Tools – Network scan
• User failed logon
• User logged in
• User logged out
• Vulnerabilities – Job: created
• Vulnerabilities – Job: deleted
• Vulnerabilities – Scheduled Job: created
• Vulnerabilities – Scheduled Job: deleted
5.1.2 CONFIGURE GENERAL USER AUDIT LOGGING
By default, all of the general audit logging is enabled on the USM for Government system. The administrator can change the audit configuration settings, however, by updating the list from within the User Activity section of the Configuration tab.
5.1.2.1 REMOVE A USER AUDIT OPTION
1. From within the web UI, navigate to Configuration > Administration.
2. Under the Users sub-menu select the Activity option. This will open up the audit configuration view.
3. Select one of the audit items on the left under the section called “ACTIONS LOGGED” and either click the “-” or drag it to the right hand box called “ACTIONS NOT LOGGED”.
4. Repeat for any other audit configurations desired.
5. Scroll to the bottom of the page and click the “Update Configuration” button.
5.1.2.2 ADD A USER AUDIT OPTION
1. From within the web UI, navigate to Configuration > Administration.
2. Under the Users sub-menu select the Activity option. This will open up the audit configuration view.
3. Select one of the audit items on the left under the section called “ACTIONS NOT LOGGED” and either click the “+” or drag it to the right hand box called “ACTIONS LOGGED”.
4. Repeat for any other audit configurations desired.
5. Scroll to the bottom of the page and click the “Update Configuration” button.
5.1.2.3 VIEW GENERAL USER AUDIT EVENTS
When a user takes an action that generates one of the general user audit events, the system will display the event in Settings > User Activity.
1. Log into the USM for Government web UI.
2. Navigate to Settings > User Activity.
3. Use the filtering options to filter the view to show only the events desired.
5.1.3 NON-CONFIGURABLE AUDIT EVENTS
5.1.3.1 AUDIT SERVICE SHUTDOWN
This audit event is created when the onboard syslog service is shut down. This occurs at system shutdown. These events can be found from within the USM for Government web UI. Follow these instructions:
1. Log into the USM for Government web UI.
2. Navigate to Configuration > Components > AlienVault Center > Logs.
3. Select the Syslog sub-menu option to expand the ‘syslog’ events.
Event Format:
MMM DD HH:MM:SS VirtualUSMStandardSensor rsyslogd: [origin software="rsyslogd" swVersion="<version of the syslog daemon>" x-pid="<PID of the syslog process>" x-info="http://www.rsyslog.com"] Exiting on signal 15.
5.1.3.2 AUDIT SERVICE STARTUP
This audit event is created when the onboard syslog service is started. This occurs at system startup. These events can be found from within the USM for Government web UI. Follow these instructions:
1. Log into the USM for Government web UI.
2. Navigate to Configuration > Deployment > Components > AlienVault Center > Logs.
3. Select the Syslog sub-menu option to expand the ‘syslog’ events.
Event Format:
MMM DD HH:MM:SS VirtualUSMStandardSensor rsyslogd: [origin software="rsyslogd" swVersion="<version of the syslog daemon>" (re)start
5.1.3.3 LOGOUT FROM THE WEB UI
This audit event is created when a user (administrative or otherwise) logs out of the USM for Government web UI. This event can be found in the AlienVault User Activity screen of the web UI. To access this event information, navigate to Settings > User Activity from within the web UI.
5.1.3.4 SUCCESSFUL LOGIN FROM THE WEB UI
This audit event is created when a user (administrative or otherwise) successfully logs in to the USM for Government web UI. This event can be found in the AlienVault User Activity screen of the web UI. To access this event information, navigate to Settings > User Activity from within the web UI.
5.1.3.5 FAILED LOGIN FROM THE WEB UI
This audit event is created when a user (administrative or otherwise) fails to log in to the USM for Government web UI successfully. This event can be found in the AlienVault User Activity screen of the web UI. To access this event information, navigate to Settings > User Activity from within the web UI.
5.1.3.6 SUCCESSFUL LOGIN FROM THE SYSTEM CONSOLE
This audit event is created when the admin user successfully logs into the USM for Government System Console. This login attempt can be found by navigating to the system logs view within the web UI. To see these events:
1. Navigate to Configuration > Deployment > Components > AlienVault Center.
2. Select the Logs sub-menu.
3. From the System tab, click on ‘auth.log’.
Event Format:
MMM DD HH:MM:SS AllInOne sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
5.1.3.7 LOGOUT FROM THE SYSTEM CONSOLE
This audit event is created when the admin user logs out of the USM for Government System Console. This event can be found by navigating to the system logs view within the web UI. To see these events:
1. Navigate to Configuration > Deployment > Components > AlienVault Center.
2. Select the Logs sub-menu.
3. From the System tab, click on ‘auth.log’.
Event Format:
MMM DD HH:MM:SS AllInOne sudo: pam_unix(sudo:session): session closed for user root
5.1.3.8 FAILED LOGON FROM SYSTEM CONSOLE
This audit event is created when the admin user fails to log into the USM for Government System Console successfully. This event can be found by navigating to the Event Analysis view within the web UI. To see these events:
1. Navigate to the Analysis > Security Events (SIEM) view.
2. Under the Data Sources filter choose “PAX_UNIX” to filter down to the failed authentication events.
7.1.1.1 WEB UI USER CHANGE OF PASSWORD
This audit event is created when a USM for Government user attempts to change their password. This event can be found in the AlienVault User Activity screen of the web UI. To access this event information, navigate to Settings > User Activity from within the web UI.
7.1.1.2 SYSTEM CONSOLE CHANGE OF PASSWORD
This audit event is created when a USM for Government user attempts to change the system console root password. The event for this activity can be found by navigating to the ‘auth’ logs view within the web UI. To see these events:
1. Navigate to Configuration > Deployment > Components > AlienVault Center.
2. Select the Logs sub-menu.
3. From the System tab, click on ‘auth.log’.
Event Format:
MMM DD HH:MM:SS VirtualUSMAllInOne sshd[<PID>]: Accepted password for root from <ip address> port <port #>
PID = process ID of the password change attempt
IP address = IP address of the local system
Port = port used by the password change process
7.1.1.3 SYSTEM CLOCK CHANGE
This audit event is created when the system clock on the USM for Government system changes. The event can be viewed from within the ‘syslog’ log view within the web UI.
1. Navigate to Configuration > Deployment > Components > AlienVault Center.
2. Select the Logs sub-menu.
3. From the System tab, select ‘syslog’.
Event Format:
MMM DD HH:MM:SS VirtualUSMAllinOne nagios3: Warning: A system time change of <time difference> has been detected. Compensating …
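The non-configurable audit events whose formats are given in 5.1.3.1, 5.1.3.2, 5.1.3.6, 5.1.3.7, 7.1.1.2 and 7.1.1.3 all arrive as ordinary syslog lines, so a collector receiving them over the remote syslog/stunnel path has to recognise them itself. The block below is an added example, not code from the AlienVault guide or product: it parses syslog lines and classifies them against those documented formats. The sample lines are constructed to match the formats; the daemon version, PIDs, address and port values in them are invented, and the unrelated cron line is included only to show what falls through unclassified.

```python
"""Added example (not from the AlienVault guide): classify syslog lines into the
non-configurable audit events documented in sections 5.1.3.x / 7.1.1.x. Sample
lines are constructed; version, PID, IP and port values are invented."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Generic syslog line: "MMM DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# (event name, originating program, message pattern) following the guide's event formats.
AUDIT_RULES = [
    ("audit service shutdown", "rsyslogd",
     re.compile(r'\[origin software="rsyslogd".*\] Exiting on signal 15\.')),
    ("audit service startup", "rsyslogd",
     re.compile(r'\[origin software="rsyslogd".*\(re\)start')),
    ("system console login", "sudo",
     re.compile(r"pam_unix\(sudo:session\): session opened for user root by \(uid=0\)")),
    ("system console logout", "sudo",
     re.compile(r"pam_unix\(sudo:session\): session closed for user root")),
    ("system console password change", "sshd",
     re.compile(r"Accepted password for root from (?P<ip>\S+) port (?P<port>\d+)")),
    ("system clock change", "nagios3",
     re.compile(r"A system time change of (?P<delta>.+?) has been detected")),
]

# Constructed sample input (not captured from a real appliance).
SAMPLE_LINES = [
    'Feb  9 12:00:01 VirtualUSMStandardSensor rsyslogd: [origin software="rsyslogd" swVersion="5.8.11" '
    'x-pid="1234" x-info="http://www.rsyslog.com"] Exiting on signal 15.',
    'Feb  9 12:05:03 VirtualUSMStandardSensor rsyslogd: [origin software="rsyslogd" swVersion="5.8.11" '
    'x-pid="1301" x-info="http://www.rsyslog.com"] (re)start',
    'Feb  9 12:10:15 AllInOne sudo: pam_unix(sudo:session): session opened for user root by (uid=0)',
    'Feb  9 12:20:15 AllInOne sudo: pam_unix(sudo:session): session closed for user root',
    'Feb  9 12:30:42 VirtualUSMAllInOne sshd[2210]: Accepted password for root from 10.0.0.5 port 51234',
    'Feb  9 12:35:00 VirtualUSMAllinOne nagios3: Warning: A system time change of 120 seconds has been '
    'detected. Compensating ...',
    'Feb  9 12:36:00 AllInOne cron[99]: (root) CMD (run-parts /etc/cron.hourly)',
]


def classify_line(line: str) -> Optional[Dict[str, object]]:
    """Return the audit event a syslog line represents, or None if it matches no documented format."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    for event, prog, pattern in AUDIT_RULES:
        if m.group("prog") != prog:
            continue
        hit = pattern.search(m.group("msg"))
        if hit:
            return {"event": event, "timestamp": m.group("ts"), "host": m.group("host"),
                    "pid": m.group("pid"), "details": hit.groupdict()}
    return None


def audit_summary(lines: List[str]) -> Counter:
    """Count classified audit events; lines matching no documented format count as 'unclassified'."""
    counts: Counter = Counter()
    for line in lines:
        ev = classify_line(line)
        counts[ev["event"] if ev else "unclassified"] += 1
    return counts


if __name__ == "__main__":
    for name, n in sorted(audit_summary(SAMPLE_LINES).items()):
        print(f"{n:3d}  {name}")
```

Matching on the originating program as well as the message text keeps a user-controlled log line that merely contains "session opened for user root" from being counted as a console login; the `details` group names (`ip`, `port`, `delta`) correspond to the placeholders the guide shows in the event formats.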
7.1.1.4 REMOTE SESSION TERMINATION DUE TO TIMEOUT
This audit event is created when the web UI or System Console session for a user expires based on the timeout set for the USM for Government appliance. The session expiration and logout message is displayed in the Settings > User Activity section of the web UI.
8 TROUBLESHOOTING
8.1 POWER-ON SELF TESTS
The AlienVault USM for Government appliance includes several self tests that will be run automatically when the appliance boots up. These tests include:
1. Check for Existing Hardware Availability. The device checks the hardware availability by evaluating the information from the previous system boot that is stored in the BIOS. The device sends an electronic pulse to each of the devices identified in the list to determine if the device is available and active. If the pulse is returned, the AlienVault USM for Government appliance knows that the hardware component is functional and ready for use. If it does not receive a response from the hardware component, it knows that the hardware component is not present or is faulty. If the device is found to be missing or faulty it is removed from the system startup and initialization process.
2. Check for New Hardware. At startup the USM for Government appliance will evaluate the system to determine if any new hardware has been attached. If new hardware is found it is added to the BIOS memory for use in the next boot cycle.
Once the hardware checks are complete, the bootstrap loader is invoked to load the appliance operating system. If there is any error during the boot process, the boot process will be terminated, and the device will display an informative error.
8.2 SYSTEM SOFTWARE SELF TESTS
The AlienVault USM for Government appliance runs a series of software self tests while the device is running to ensure that the system remains healthy and functional. The system continually monitors the system processes to ensure that everything is up and running. It conducts automatic maintenance and repair processes and can execute meaningful causal actions in error situations. Specific self-tests / monitoring include:
1. Process failures. The system will automatically identify and start processes that are not running and restart processes that are not functioning properly or within operational parameters. Processes monitored include:
• AlienVault API
• AlienVault Forwarder
• AlienVault Sensor
• AlienVault Server
• AlienVault databases
• Memory Cache
• AlienVault web server
• AlienVault framework
• Monitoring services such as Nagios, OpenVAS, ntop, nfcapd, etc.
2. Resource monitoring. If the system uses more resources than expected, the system will generate an alert to inform an administrator of the issue.
Multiple processes are watched, such as the AlienVault API, the AlienVault forwarding system, the database, the Apache web server, the AlienVault framework, monitoring services (Nagios, OpenVAS, ntop, nfcapd…) and other services such as the AlienVault Sensor and Server, Memcache or MongoDB.
Also, some internal processes inside the AlienVault binaries test that the exchange of events works flawlessly.
8.3 FIPS SELF-TESTS
The AlienVault USM for Government appliance includes several FIPS self-tests. They include:
1. DRBG Health Test. The FIPS DRBG generating function implements initialization health checks, periodic health checks and continuous health checks.
Initialization checks are performed when a DRBG is first instantiated (using FIPS_drbg_new() or FIPS_drbg_set()) and when a DRBG is reseeded explicitly using FIPS_drbg_reseed(). The system relies on a FIPS-certified OpenSSL Module in FIPS mode for DRBG. The known answer tests on initialization are:
The FIPS_mode_set() function performs all power-up self-tests listed above with no operator intervention required, returning a “1” if all power-up self-tests succeed, and a “0” otherwise. If any component of the power-up self-test fails, an internal flag is set to prevent subsequent invocation of any cryptographic function calls. The module will only enter the FIPS approved mode if the module is reloaded and the call to FIPS_mode_set() succeeds.
Periodic health checks are performed based on the health_check_interval setting. By default, the health checks are automatically performed every 2^24 generate operations.
If a DRBG health check fails, the DRBG is placed in an error state and no further operations can be performed. This error state can only be cleared by un-instantiating and re-instantiating the DRBG.
2. Entropy Health Test. Each sample obtained from an entropy source is verified by the entropy estimate function prior to being added into the primary entropy pool. The purpose of this check is to make sure the entropy source is sufficiently unpredictable. In the case of entropy estimate function “failure”, the sample is assigned an entropy value of zero but is still mixed into the pool. The LPRNG design ensures that a non-random sample does not negatively affect existing entropy.
8.4 PROCESS LIST
The AlienVault USM for Government appliance includes several processes that will run on the device during normal operation. The processes are not directly user-accessible. The TOE in its evaluated configuration includes the following processes that could run (process name, process description and, where the table gives it, process execution privilege):
• MongoDB: stores data from the network regarding intelligence (who is the owner of a machine, the OSs in the network, open ports...). Runs as mongodb (user).
• epmd: Erlang Port Mapper (for RabbitMQ). Runs as rabbitmq (user).
• RabbitMQ: queue to handle Celery tasks. Runs as rabbitmq (user).
• rsyslog: receives and stores logs, for the appliance itself and from outside machines. Runs as root.
• fprobe: NetFlow probe to analyze network data and make statistics. Runs as root.
• ha_logd: High Availability read/write process for heartbeat. Runs as root.
• munin-node: network resource monitoring to help analyze resource trends. It generates statistics from the network. Runs as root.
• nagios3: monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved.
• nfcapd: NetFlow capture daemon of the nfdump tools. It reads NetFlow data from the network and stores it into files.
• nfsend: a graphical web based front end for the nfdump NetFlow tools. It allows displaying data, navigating through the network data, processing the NetFlow data...
• ntop: shows the current network usage. It displays a list of hosts that are currently using the network and reports information concerning the (IP and non-IP) traffic generated and received by each host.
• postfix: sends emails (if the user defines them) in the Actions/Responses, inside Policies.
• qmgr: Postfix queue manager. Runs as postfix (user).
• ossim-agent: an agent is a set of Python scripts that gathers and sends the output of the different plugins or tools to the correlation engine for further processing. They receive data from different remote sources.
• squid: proxy to rewrite different packages, like ntop, to show the data inside the Apache web server.
• prads: sniffer that reads data from the network to get open ports and operating systems of the network, to store them in the DB.
• ssh: manages connections to the CLI. Runs as root.
• suricata: a network Intrusion Detection System (IDS). It is based on rules (and is fully compatible with Snort rules) to detect a variety of attacks / probes by searching packet content. It is the default IDS inside the AlienVault USM system and analyzes the network watching for attacks. Runs as root.
• ossec-analysisd: receives the log messages and compares them to the rules. It will create alerts when a log message matches an applicable rule.
• ossec-logcollector: monitors configured files and commands for new log messages.
• ossec-syscheckd: checks configured files for changes to the checksums, permissions or ownership. Runs as root.
• ossec-monitord: monitors agent connectivity and compresses daily log files.
• rabbitmq-server: process to start the RabbitMQ AMQP server (for Celery queues).
• openvasmd: manager daemon of the Open Vulnerability Assessment System (OpenVAS); it acts as a service and offers a communication protocol for its clients called OTP. The core task of the OpenVAS Scanner is the actual scan process.
• openvassd: in charge of executing many security tests against many target hosts in a highly optimized way; it is the scanner of OpenVAS. It inspects the remote hosts and attempts to list all the vulnerabilities and common misconfigurations that affect them.
• beam: helper functions for RabbitMQ. Runs as rabbitmq (user).
• celery.bin.celeryd: Celery is a distributed system to process vast amounts of messages, while providing operations with the tools required to maintain such a system. It’s a task queue with focus on real-time processing, while also supporting task scheduling. Inside AlienVault, it is involved in the API management, sending/receiving commands from different components. Runs as avapi (user).
• apache2: web server.
• pickup: the pickup daemon waits for hints that new mail has been dropped into the maildrop directory, and feeds it into the cleanup daemon.
• stunnel4: process to send encrypted logs to a remote system. Runs as root.
• mysqld_safe: DB startup script. Runs as root.
• mysqld: DB. It stores events from the network in a normalized format, amongst other things. Runs as mysql (user).
• av-forward: forwards events from one server to another.
• macheted: process to match regular expressions in the events received by the AlienVault agent. Runs as asec (user).
• mixterd: process that tries to identify on the fly the regular expressions of the logs that are received by alienvault-agent, which are not specified like other plugins. Runs as asec (user).
• ossim-server: process that receives normalized data from the Agent, and then does all the correlation and insertion in the DB. It is also the correlation system and alarm generator. Runs as avserver.
For the rows above that show no privilege, the Process Execution Privilege column of the original table contains the following values, in the order they were extracted (the row alignment could not be recovered): nagios (user), www-data, www-data, ntop, root, root, prads (user), root, ossec, root, root, root, rabbitmq (user), postfix (user), root, ossec, root.
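A practical use of the process table is to confirm that the documented daemons are running under the privilege the table states, since a root-owned copy of a process the table assigns to an unprivileged account is a configuration deviation worth investigating. The block below is an added example, not code from the AlienVault guide or product: it compares `ps -eo user,comm` style output against the rows of the table whose privilege is unambiguous. The ps output is constructed for the example, and it is an assumption that the command names reported by ps match the table's process names.

```python
"""Added example (not from the AlienVault guide): compare a process listing against
the execution privileges documented in section 8.4. The ps output is constructed,
and command names are assumed to match the table's process names."""
from typing import Dict, List, Tuple

# Expected (process name -> user) pairs taken from the unambiguous rows of the table.
EXPECTED_PRIVILEGE: Dict[str, str] = {
    "rsyslog": "root",
    "fprobe": "root",
    "ha_logd": "root",
    "munin-node": "root",
    "epmd": "rabbitmq",
    "beam": "rabbitmq",
    "qmgr": "postfix",
    "stunnel4": "root",
    "mysqld_safe": "root",
    "mysqld": "mysql",
    "macheted": "asec",
    "mixterd": "asec",
    "ossec-syscheckd": "root",
    "ossim-server": "avserver",
    "suricata": "root",
}

# Constructed sample of `ps -eo user,comm` output (not captured from a real appliance).
# ha_logd is deliberately absent and mixterd deliberately runs as root.
SAMPLE_PS_OUTPUT = """\
USER     COMMAND
root     rsyslog
root     fprobe
root     munin-node
rabbitmq epmd
rabbitmq beam
postfix  qmgr
root     stunnel4
root     mysqld_safe
mysql    mysqld
asec     macheted
root     mixterd
root     ossec-syscheckd
avserver ossim-server
root     suricata
root     cron
"""


def parse_ps(output: str) -> List[Tuple[str, str]]:
    """Parse `ps -eo user,comm` text into (user, command) pairs, skipping the header line."""
    rows = []
    for line in output.splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) == 2:
            rows.append((parts[0], parts[1].strip()))
    return rows


def check_privileges(output: str, expected: Dict[str, str] = EXPECTED_PRIVILEGE) -> Dict[str, list]:
    """Compare a process listing with the documented privilege table.

    violations:   (command, actual user, expected user) for documented processes
                  running under a different account than the table states
    missing:      documented processes absent from the listing
    undocumented: running commands the table does not list (for review, not an error)
    """
    seen = set()
    violations, undocumented = [], []
    for user, comm in parse_ps(output):
        if comm in expected:
            seen.add(comm)
            if user != expected[comm]:
                violations.append((comm, user, expected[comm]))
        else:
            undocumented.append(comm)
    missing = sorted(set(expected) - seen)
    return {"violations": violations, "missing": missing, "undocumented": undocumented}


if __name__ == "__main__":
    for key, value in check_privileges(SAMPLE_PS_OUTPUT).items():
        print(f"{key}: {value}")
```

On a live appliance the same check would be fed the output of `ps -eo user,comm` directly; the `undocumented` list is informational, because the table itself notes only processes that "could run" and leaves the remaining rows' privileges unaligned.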
Appendix A
HOW TO CONFIGURE STUNNEL TO WORK WITH ALIENVAULT USM FOR GOVERNMENT
1 - GENERATING THE CERTIFICATES
1.1 - GENERATE THE CA CERTIFICATE
• A PEM pass phrase is mandatory (I've used "pepe")
• The common name is mandatory
root@qa-dev:~/certs2# openssl req -out ca.pem -new -x509 -days 365
Generating a 2048 bit RSA private key
................+++
............+++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:AlienVault Inc.
Email Address []:
root@qa-dev:~/certs2#
1.2 - CREATE SERVER CERTIFICATE
1.2.1 Create the server certificate key
root@qa-dev:~/certs2# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
............................................+++
....................................................................+++
e is 65537 (0x10001)
root@qa-dev:~/certs2#
1.2.2 Create the server certificate request
Create the server certificate signing request to be signed by the CA. The common name must be the hostname of
the machine where the stunnel server is installed.
root@qa-dev:~/certs2# openssl req -key server.key -new -out server.req
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:qa-dev
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@qa-dev:~/certs2#
1.2.3 Sign the server certificate using the CA.
Sign the server certificate using the CA. The process will ask for the CA pass phrase ("pepe")
root@qa-dev:~/certs2# openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAcreateserial -out server.pem -days 365
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=qa-dev
Getting CA Private Key
Enter pass phrase for privkey.pem:
root@qa-dev:~/certs2#
1.3 - CREATE THE CLIENT CERTIFICATE
1.3.1 Create the client certificate key
root@qa-dev:~/certs2# openssl genrsa -out client.key 2048
Generating RSA private key, 2048 bit long modulus
..............................+++
....................................................................................................................+++
e is 65537 (0x10001)
1.3.2 Create the client certificate request
Create the client certificate signing request to be signed by the CA. The common name must be the hostname of
the AlienVault appliance.
root@qa-dev:~/certs2# openssl req -key client.key -new -out client.req
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:AllInOne
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
1.3.3 Sign the client certificate using the CA.
Sign the client certificate using the CA. The process will ask for the CA pass phrase ("pepe").
root@qa-dev:~/certs2# openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -out client.pem -days 365
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=AllInOne
Getting CA Private Key
Enter pass phrase for privkey.pem:
root@qa-dev:~/certs2#
1.3.4 Create the certificate for the appliance.
Create a single PEM file containing the client certificate and its key. Load this file into the AlienVault
appliance through the web interface.
root@qa-dev:~/certs2# cat client.pem client.key > allinone.pem
2 – CONFIGURING STUNNEL SERVER
2.1 - PERMISSIONS
Be sure all certificate and key files have permissions 600 (owner read/write only):
# chmod 600 *.pem *.key
2.2 – INSTALL STUNNEL
# zypper install stunnel
2.3 – CONFIGURE STUNNEL
Add the following lines to /etc/stunnel/stunnel.conf:
verify = 2
# The server certificate
cert = /etc/stunnel/server.pem
# The server key
key = /etc/stunnel/server.key
# The CA
CAfile = /etc/stunnel/ca.pem
client = no
foreground = yes
[ssyslog]
accept = 10514
connect = 514
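The certificate steps of sections 1.1 to 1.3 and the permission step of 2.1, collected into one non-interactive script together with the checks a deployer should run before loading allinone.pem into the appliance and server.pem/server.key into stunnel; this is an added example, not part of the guide. The working directory, CA pass phrase and hostnames are constructed arguments (the guide's "pepe", "qa-dev" and "AllInOne" appear only as sample inputs), while the file names are the ones the guide uses.

```shell
#!/bin/sh
# Added example, not from the AlienVault guide: Appendix A sections 1.1-1.3
# (CA, server and client certificates, allinone.pem) run non-interactively,
# then the checks to make before loading the files into the appliance and
# the stunnel server. Directory, pass phrase and hostnames are constructed
# arguments; the file names are the ones the guide uses.

# gen_stunnel_certs DIR CA_PASS SERVER_CN CLIENT_CN
gen_stunnel_certs() (
  dir=$1; pass=$2; server_cn=$3; client_cn=$4
  mkdir -p "$dir" && cd "$dir" || return 1
  # 1.1: CA certificate with a pass-phrase-protected key (the guide's "pepe")
  openssl req -new -x509 -days 365 -newkey rsa:2048 -keyout privkey.pem \
    -out ca.pem -passout "pass:$pass" -subj "/CN=Example CA" 2>/dev/null || return 1
  for role in server client; do
    cn=$server_cn; [ "$role" = client ] && cn=$client_cn
    # 1.2.1/1.3.1 key, 1.2.2/1.3.2 request with CN = hostname, 1.2.3/1.3.3 signing
    openssl genrsa -out "$role.key" 2048 2>/dev/null || return 1
    openssl req -key "$role.key" -new -out "$role.req" -subj "/CN=$cn" 2>/dev/null || return 1
    openssl x509 -req -in "$role.req" -CA ca.pem -CAkey privkey.pem -CAcreateserial \
      -passin "pass:$pass" -out "$role.pem" -days 365 2>/dev/null || return 1
  done
  # 1.3.4: one file for the appliance web UI; 2.1: every file owner-only
  cat client.pem client.key > allinone.pem && chmod 600 ./*
)

# verify_stunnel_certs DIR SERVER_CN CLIENT_CN -> 0 only when every check passes
verify_stunnel_certs() (
  dir=$1; server_cn=$2; client_cn=$3
  cd "$dir" || return 1
  # both leaf certificates must chain to ca.pem, which is what verify = 2 enforces
  [ "$(openssl verify -CAfile ca.pem server.pem client.pem 2>/dev/null \
        | grep -c ': OK$')" = 2 ] || return 1
  for role in server client; do
    cn=$server_cn; [ "$role" = client ] && cn=$client_cn
    # the subject CN must be the hostname the guide requires
    openssl x509 -in "$role.pem" -noout -subject | grep -q "CN *= *$cn\$" || return 1
    # certificate and private key must belong together (same RSA modulus)
    [ "$(openssl x509 -in "$role.pem" -noout -modulus)" = \
      "$(openssl rsa -in "$role.key" -noout -modulus 2>/dev/null)" ] || return 1
    # mode 600 on key and certificate, as section 2.1 requires
    [ "$(ls -l "$role.key" "$role.pem" | grep -c '^-rw-------')" = 2 ] || return 1
  done
  # allinone.pem must carry both the client certificate and its private key
  grep -q 'BEGIN CERTIFICATE' allinone.pem && grep -q 'PRIVATE KEY' allinone.pem
)
```

Run it as `gen_stunnel_certs /root/certs2 pepe qa-dev AllInOne && verify_stunnel_certs /root/certs2 qa-dev AllInOne`; a non-zero exit from the second call means one of the files should not be deployed yet.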