AlienVault Unified Security Management™ for Government v4.12 & RT Logic CyberC4:Alert v4.12
Configuration for Common Criteria
AVUG-00001 Edition 13
Copyright© 2016 AlienVault. All rights reserved.

DOCUMENT HISTORY AND VERSION CONTROL

Edition   Date of Issue
01        05/08/15
02        07/15/15
03        07/24/15
04        07/27/15
05        08/07/15
06        08/10/15
07        08/11/15
08        09/10/15
09        09/18/15
10        10/29/15
11        10/29/15
12        10/29/15
13        02/09/16

Description of Change(s), in edition order:
• Initial Version
• Additional Content and Polish
• Updated to confirm changes suggested by lab; new instructions for Configuring Management Session Timeouts and User Activity Auditing
• Minimum password is now 15 for both web UI users and System Console user.
• Removed incorrect reference to [email protected], [email protected] ciphers.
• Document now includes documentation references.
• Changes to reflect the new stunnel configuration and FIPS version
• Addressing final round of comments
• Comments about the USM certificate and remote syslog
• Minor language changes to certificate information section
• Added Appendix A
• Removed a blank page and added Copyright information.

1 INTRODUCTION

This guide provides the information an administrator needs to set up and administer the AlienVault USM for Government v4.12 or RT Logic CyberC4: Alert v4.12 network appliances in compliance with the Common Criteria evaluated configuration. Follow this guide in its entirety to ensure that the setting of each parameter matches the specific configuration that was evaluated and certified as secure under the Common Criteria certification.

1.1 AUDIENCE

This information is intended for use by administrators who are responsible for investigating and managing network security for their organization.
To use this guide you must have knowledge of your organization’s network infrastructure and networking technologies.

1.2 ABOUT COMMON CRITERIA

The Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) is an international standard for certification of the security of computer systems, networks, and application software. The certification ensures that the claims about the security attributes of the evaluated product were independently verified in the evaluated configuration, operated in the specific environment.

1.3 RELATED DOCUMENTS

For more information about AlienVault USM for Government, please refer to the following documents:

TABLE 1: GUIDANCE DOCUMENTATION
Identifier       Edition  Title
Security Target  1.9      AlienVault USM for Government v4.12 Security Target
AVUG-00107       01       User Management Guide
AVUG-00116       01       Proxy Configuration
AVUG-00127       01       HIDS Deployment on Windows
AVUG-00131       01       Lifecycle of a Log
AVUG-00133       01       Active Directory Integration
AVUG-00135       01       USM Intrusion Detection
AVUG-00153       01       Send Emails Triggered by Events
AVUG-00160       01       Policy Management Fundamentals
AVUG-00161       01       HIDS File Integrity Monitoring
AVUG-00163       01       Correlation Reference Guide
AVUG-00164       01       Customizing Correlation Directives or Cross Correlation Rules
AVUG-00185       01       Netflow Collection

These documents cover both evaluated and out-of-scope functionality. Please refer to the AlienVault USM for Government Security Target document for the scope of evaluated functionality.

1.4 EVALUATED CONFIGURATION

The evaluated configuration consists of the AlienVault USM for Government hardware appliance: a USM Server, USM Logger, and USM Sensor built into a single all-in-one hardware appliance. While other configurations are possible, they were not evaluated. The Common Criteria configuration of AlienVault USM for Government was evaluated and found to mitigate the stated threats when operated according to the stated assumptions and security policies.
The Common Criteria certification does not guarantee that the product is secure in all circumstances and possible modes of operation. It is assumed that system administrators install, manage, and use the AlienVault USM for Government appliance in accordance with the instructions in this document.

1.5 ASSUMPTIONS

Specific conditions are assumed to exist in the AlienVault USM for Government Operational Environment. The following table lists those assumptions.

TABLE 2: ASSUMPTIONS
Banners: The device shall be configured to display a banner prior to the login process, appropriate to the organization.
Password Attributes: The device shall be configured to support password attributes that match the organization’s security policy.
General Purpose: General-purpose computing capabilities are not used for any purpose other than as required for the operation, administration and support of the device. No additional software (user applications, compilers, etc.) will be installed or copied onto the device.
Physical Security: Adequate physical security of the device will be provided by the operational environment.
Administration: All administrators follow and apply all administrator guidance in a secure and trusted manner.

2 HOW TO ACCESS YOUR SYSTEM

In the evaluated configuration, AlienVault USM for Government is administered remotely via the web interface over a secure session, and locally via the system console by attaching a keyboard, mouse, and monitor. The system console is intended for initial configuration and disaster recovery activities; its use is considered ‘maintenance mode’.
Once the device is configured, all further administration should be conducted via the web interface.

2.1 SYSTEM CONSOLE

2.1.1 LOCAL ACCESS USING A KEYBOARD, MOUSE AND MONITOR

The appliance can be accessed directly by connecting a keyboard, mouse, and monitor to it. This connection method is used to initially configure the appliance and to perform maintenance activities as needed. Connect a mouse and keyboard to either the PS2 or USB ports as shown in Figure 1. Connect a monitor to the VGA port as shown in Figure 1.

FIGURE 1: VIEW OF THE APPLIANCE BACK PANEL

When you log into the appliance for the first time you will be required to change the password. Subsequent logins will not require a password change. Once you log into the system you will be presented with the AlienVault Setup screen within the system console, as shown in Figure 2.

FIGURE 2: CONSOLE LOGIN SCREEN

Immediately after logging in, an Access Disclaimer is shown. Select “Yes” to continue, as shown in Figure 3.

FIGURE 3: SYSTEM CONSOLE DISCLAIMER SCREEN

Once logged into the system console you have access to the AlienVault Setup screen (Figure 4). From there you can set up the device for first-time use and perform maintenance tasks.

FIGURE 4: ALIENVAULT SYSTEM CONSOLE SETUP SCREEN

To terminate the system console session, select <Exit> by pressing Tab and press Enter.

FIGURE 5: SYSTEM CONSOLE EXIT

2.2 WEB INTERFACE

The management interface must be configured using the system console before the web interface becomes accessible. See Section 3.1 for details. Once the appliance management interface has been configured, you can access the web user interface by logging in.

2.2.1 WEB INTERFACE LOGIN

1. Open a web browser and enter the IP address assigned to the AlienVault USM’s management interface in the navigation bar.
FIGURE 6: ALIENVAULT USM WEB INTERFACE LOGIN PAGE

2. Enter a valid username and password and click ‘login’.

2.2.2 WEB UI NAVIGATION

The USM for Government web UI has several main navigation sections.

• Dashboards – The dashboards provide summary-level visibility into the information collected within USM for Government and the built-in tools.
• Analysis – The Analysis tab includes views that allow you to interact with the data within USM for Government:
  o Alarms. Interact with the alarms generated within the system.
  o Security Events. Search the event data within the system.
  o Raw Logs. Search the raw log data.
  o Tickets. View and manage the tickets within the system.
• Environment – This tab provides views related to the environment monitored by the USM for Government system:
  o Assets. USM for Government includes a built-in asset management system that allows you to identify and monitor assets in your environment. Use this view to see the assets and asset details.
  o Groups & Networks. USM for Government can create asset groups and network groups for use with asset discovery, asset management, vulnerability assessment, and other built-in capabilities. Use this view to see and manage the list of asset groups and network groups.
  o Vulnerabilities. USM for Government includes a built-in vulnerability scanner. Use this view to create a vulnerability scan and to manage and view the results.
  o Profiles. USM for Government can profile the network traffic that is mirrored through the appliance. Use this view to review the network statistics and information collected.
  o Netflow. USM for Government includes built-in netflow capability. Use this view to evaluate the netflow information captured by the appliance.
  o Traffic Capture. USM for Government includes a built-in capability to capture raw traffic on the network. Use this view to manage and view the raw traffic.
  o Availability. USM for Government can perform availability monitoring of the assets on the network. Use this view to manage and view the availability information.
  o Detection. USM for Government can perform host-based intrusion detection for assets on the network. Use this view to manage the HIDS functionality.
• Reports – This tab provides built-in reports that you can run against the data collected and produced by the USM for Government appliance.
• Configuration – This tab allows you to configure and manage the USM appliance:
  o Administration. Administer the various aspects of the USM for Government appliance.
  o Deployment. See and manage the USM for Government deployment.
  o Threat Intelligence. See and manage the threat intelligence information that comes with USM for Government.

To terminate the Web UI session, click the Logout button.

FIGURE 7: WEB UI LOGOUT BUTTON

2.2.3 DASHBOARDS

Once you log into the USM for Government appliance, the Executive dashboards are displayed.

FIGURE 8: EXECUTIVE OVERVIEW DASHBOARD

The Executive dashboard includes several panels:
• Latest SIEM vs. Logger Events – displays the number of events received and stored in the SIEM event database and the events stored on the Logger. Information is displayed as a line chart showing the quantity of events over time.
• SIEM: Top 10 Events by Product Type – for environments that include multiple data sources, this panel shows the types of events captured. Information is displayed as a pie chart.
• Threat Level – displays the current threat level based on known information captured externally and identified by the appliance.
• Unresolved Alarms vs. Opened Tickets – displays a comparison between the alarms generated and the tickets opened for the current day, the previous two days, the last week, and the last 2 weeks.
• SIEM: Top 10 Event Categories – displays a pie chart of the top 10 event categories.
• SIEM: Events by Sensor / Data Source – displays a view of the captured event data, by data source.

Other dashboards available include:
• Tickets – provides visibility into the status of the tickets created within the system, including ticket resolution time, ticket status, opened tickets by user, tickets closed by month, tickets by class, and ticket types.
• Security – provides visibility into the security of the environment being monitored. Panels on this dashboard include Top 10 Promiscuous Hosts, Security Events: Top 5 Alarms, Security Events: Top 5 Events, Top 10 Hosts with Multiple Events, Security Events Trend: Last Day, Security Events Trend: Last Week, Destination TCP Ports, and Destination UDP Ports.
• Taxonomy – provides visibility into the events related to different parts of the security taxonomy within USM for Government. Panels include Top 10 Hosts with Virus Detected, Successful Authentication Login vs. Failed Login Events, Malware Events by Time, Firewall Permit vs. Firewall Deny Events, System Events, and Exploits Event Types.
• Vulnerabilities – provides summary information about the vulnerabilities discovered by the built-in USM for Government vulnerability scanner. Panels include Vulnerabilities by Severity, Vulnerabilities by Services, Top 10 Hosts, and Top 10 Networks.

2.3 MANAGEMENT INTERFACE NETWORK SETTINGS

After booting the appliance, connect to the system console and authenticate. For the initial login, instructions on how to authenticate are displayed. After successful authentication you are presented with the following menu:

1. Choose ‘System Preferences’ (menu option 1) and click ‘OK’.
2. Choose ‘Configure Network’ (menu option 0) and click ‘OK’.
3. Choose ‘Setup Management Network’ and click ‘OK’.
4. Choose to configure the Management Interface manually or using DHCP. This interface will be used to communicate with the AlienVault Server web interface and to connect to the console from the network.
   • “Manual Configuration” to provide all the desired network parameters
   • “DHCP Configuration” to perform automatic network configuration using your DHCP server

Only one Ethernet cable should be plugged into the appliance (eth0) during the initial network configuration. After configuring the management interface, all other network cables can be connected.

2.3.1 MANUAL CONFIGURATION

1. Enter the IP Address. Then press Enter to accept the selection (<OK>).
2. Enter the Netmask. Then press Enter to accept the selection (<OK>).
3. Enter the Gateway Address. Then press Enter to accept the selection (<OK>).
4. Enter the DNS Server(s). Then press Enter to accept the selection (<OK>).
5. Check the network configuration parameters provided. Press Enter to confirm the values (<Yes>) so the system can perform the appliance configuration.
2.3.2 DHCP CONFIGURATION

The Dynamic Host Configuration Protocol (DHCP) is a standard network protocol used to dynamically configure network parameters. For this feature to work, a DHCP server must be present on the network. Check the network configuration parameters provided by your DHCP server. Press Enter to confirm the values (<Yes>) so the system can perform the appliance configuration.

2.4 SECURING ADMINISTRATIVE LOGIN

2.4.1 INITIAL SYSTEM CONSOLE LOGIN

It is not possible to access the system without a user name and a password. The default user has the username ‘root’ and a randomly generated password.

1. Use the initial credentials generated by the system to access the system.
2. Change the initial password following your organization’s password policy.

The default password must be changed after the initial login.

2.4.2 INITIAL WEB LOGIN

It is not possible to access the system without a user name and a password. The default user has the username ‘admin’ and the password ‘admin’. You will be prompted to create a unique account before accessing any other functionality of the system.

1. Use the initial credentials to access the system.
2. Change the initial password following your organization’s password policy.

3 SETTING UP THE COMMON CRITERIA CONFIGURATION

3.1 CHECKING SOFTWARE VERSION

The current version of the USM for Government appliance can be checked from either the Web Interface or the System Console. The Common Criteria certified version is USM for Government v4.12.

3.1.1 CHECK SOFTWARE VERSION FROM THE WEB INTERFACE
1. Log in to the web UI.
2. Navigate to the Deployment information page by selecting Configuration > Deployment from the main window. This is where you will find information about each of the nodes in the USM for Government deployment.
3. Select AlienVault Center in the sub-menu. By default this should be selected.
4. Under the AlienVault Components Information section, double-click the node to configure or click the System Detail icon on the right. This opens the system detail view.
5. Under the Package Information section of the System Detail you will find a reference to the Current Version.

3.1.2 CHECK SOFTWARE VERSION FROM THE SYSTEM CONSOLE

1. Connect via keyboard, mouse, and monitor to the System Console and log in.
2. The current version of the appliance is displayed at the top of the System Console screen.

3.2 UPGRADING SOFTWARE

AlienVault USM for Government can be updated by following the procedures below.

3.2.1 UPDATE REQUIREMENTS

• Access to the USM for Government System Console
• USM version 4.12 or greater
• ISO image provided by AlienVault
• USB flash drive or external USB CD/DVD R/RW drive

3.2.2 HOW TO OBTAIN THE SOFTWARE UPDATES

Updates for USM for Government are made available by AlienVault on the AlienVault web site. Access to the update requires your product license key. Contact AlienVault technical support or open a support case to obtain the download location. The download package is published with a SHA-512 hash and must be verified during the update process. See the verification steps below for instructions on how to verify the integrity of the downloaded package.

3.2.3 UPDATE PACKAGE VERIFICATION
Package download verification must be done from a Mac OS or Linux-based system. Once you obtain the update package from AlienVault you must verify that the package is complete and has not been modified. Use the following steps to verify the package using the SHA-512 hash provided by AlienVault.

1. Download the digest file from the AlienVault update server location provided to you by the AlienVault Technical Support Team.
2. Place the digest file in the same folder as the ISO update image.
3. Run the following command to verify the package:

   $ cat USM_SHA512SUM | grep <ISO_Image_Name> | sha512sum -c -

   For example, if the name of the ISO image is image.iso, successful output of the command above will be:

   image.iso: OK

3.2.4 PREPARE THE USB FLASH DRIVE

Note that when using the instructions below all contents of the USB flash drive will be erased. Be sure to clear off any contents of the drive before proceeding.

3.2.4.1 USB DRIVE PREPARATION ON A LINUX SYSTEM

1. Insert the USB flash drive into the USB port. It is recommended to copy the ISO image to a temporary directory, for example “/tmp”.
2. Execute the following command to copy the ISO image:

   sudo dd if=<USB_image.iso> of=<USB_device> bs=4M

   • <USB_image.iso> – replace this with the ISO image file path. Note that the ‘dd’ command requires the fully qualified path of where the file is located.
   • <USB_device> refers to the USB device name.

   For example, if the file is called “image.iso” and is located in “/home/user/temp”, and the device is “/dev/sdb”, the command to use would be:

   sudo dd if=/home/user/temp/image.iso of=/dev/sdb bs=4M

3. Once the USB drive has been written, unmount the drive and remove it from the system.

3.2.4.2 USB DRIVE PREPARATION ON MAC OS X

1. Insert the USB flash drive into the USB port.
2. Copy the image to a temporary directory or to your own user directory.
3. Run the following command to identify the USB device name:

   diskutil list

4. Unmount the USB device before burning the image to it:

   diskutil unmountDisk <USB_device>

   <USB_device> refers to the USB device name determined in the previous step. For example, using the output shown in Figure XXX, the device is /dev/disk1. The specific command to execute in this example is:

   diskutil unmountDisk /dev/disk1

5. Copy the image from the system to the USB drive:

   sudo dd if=<USB_image.iso> of=<USB_device> bs=1m

   • <USB_image.iso> must be replaced by the ISO image file path. Note that it is necessary to write the whole path where the file is located.
   • <USB_device> refers to the USB device name.

   For example, if the file is called “image.iso” and is located in “/home/user/temp”, and the device is “/dev/disk1”, the command to use would be:

   sudo dd if=/home/user/temp/image.iso of=/dev/disk1 bs=1m

6. Eject the device from the system:

   diskutil eject <USB_device>

   <USB_device> refers to the USB device name.

3.2.4.3 USB DRIVE PREPARATION ON WINDOWS

AlienVault recommends that you use a USB Installer tool to create a bootable USB drive. Find it here: http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/

1. Copy the ISO image to a temporary directory or to your own user directory.
2. Insert the USB flash drive into the USB port.
3. Open the bootable USB creation tool.
4. Choose the ISO image with the Disk image option.
5. Select the USB drive and press OK.

3.2.5 PREPARING A CD

Burn the ISO image file using any CD burning software.

3.2.6 UPDATE THE USM FOR GOVERNMENT APPLIANCE
1. Connect the USB drive that contains the update image to the appliance USB port.
2. Connect via keyboard, mouse, and monitor to the System Console and log in.
3. Navigate from the System Console main menu to the Update System option: System Preferences > Update AlienVault System > Update (Offline).
4. You will be prompted to connect the USB drive to the system. If you haven’t already done so, connect the USB drive to the system USB port and press Enter to select the <OK> option. This initiates the update process.
5. Connect your USB drive with the AlienVault Update System and click <OK>. This initiates the update process.
6. The SHA digest will be displayed on the screen so that it can be compared with the one published on the AlienVault site, located here: http://offlineupdate.alienvault.com/files/niap/
7. Compare the hash to ensure it is valid and press [Enter] to continue. You will be asked to confirm that the hash value matches. Select <Yes> to proceed or <No> to abort the update process.
8. Once complete, the appliance will display the following screen:
9. Remove the USB device.

3.3 SYSTEM CLOCK MANAGEMENT

3.3.1 MANUALLY CONFIGURE THE SYSTEM CLOCK

The simplest way to set the system clock is to set it manually from the USM for Government System Console. Follow the instructions below to manually set the system clock:

1. Connect via keyboard, mouse, and monitor to the System Console and log in.
2. Navigate to the Setup Date/Time manually section of the System Console from the main menu: System Preferences > Change Location > Date and Time > Setup Date/Time manually.
3. Enter the date and time into the specified field using the specified format and then select the <OK> option.
4. Select the Apply all Changes option to apply the changes. Changes must be applied before the configuration change takes effect.

3.3.2 CONFIGURE SYSTEM CLOCK USING NTP FROM SYSTEM CONSOLE

1. Connect via keyboard, mouse, and monitor to the System Console and log in.
2. Navigate to the Configure NTP Server settings from the system console main menu: System Preferences > Change Location > Date and Time > Configure NTP Server.
3. Enable the NTP server, if not already enabled, by selecting the Enable option and <OK>.
4. Specify the NTP Server hostname or IP address and <OK>.
5. Choose <Back>, <Back>, <Back> to get back to the system console main menu.
6. Select the Apply all Changes option to apply the changes.
7. Confirm the changes by selecting <Yes> at the confirmation window. If the setting is incorrect, select <No> and follow these instructions again.
8. This initiates a reconfiguration of the AlienVault USM appliance. The reconfiguration process can take several minutes. Once the reconfiguration is complete, you are returned to the System Console main menu.

3.3.3 CONFIGURE NTP SERVER FROM WEB INTERFACE

1. Log in to the appliance from the web UI.
2. Navigate to the Deployment information page by selecting Configuration > Deployment from the main window.
3. Under the AlienVault Components Information section, double-click the node to configure or click the System Detail icon on the right. This opens the system detail view.
4. Click the General Configuration tab on the system detail view to see the General Configuration options.
5. Change the NTP Server option from “No” to “Yes” if not already configured.
6. Enter the NTP Server IP Address or hostname and Apply Changes.
7. The USM system applies the changes and returns you to the General Configuration window.

3.4 CONFIGURING EXTERNAL SYSLOG

It is possible to send audit logs to an external syslog server that is configured with stunnel software to encrypt the connection:

1. Log in to the appliance from the web UI.
2. Navigate to the Deployment information page by selecting Configuration > Administration from the main window.
3. On the Administration screen click on the Main tab and select the User Activity option.
4. Specify the IP address or hostname of the remote stunnel server that will forward to syslog in the Remote audit server entry box. Note that you must specify the port by adding “:port” to the end of the IP address, for example 192.168.1.230:10514.
5. The certificate containing the AlienVault USM for Government appliance key is required to send the syslog data to the remote syslog server. To verify that the syslog server is authorized, the administrator must create a certificate for both the syslog server and the USM for Government appliance. A trusted Certificate Authority must sign both certificates. Combine the signed client certificate and its key into one file. To use the certificate, open that file with a text editor, copy the content, and paste it into the “Load audit server public key” field. See Appendix A, “How to configure STunnel to work with Alienvault USM for Government”, for details on how to generate a CA and how to sign certificates.
6. Click on the Update Configuration button on the right side of the screen to apply the changes.
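The digest check from section 3.2.3 above, worked through as an added example; this is not a command or script from the AlienVault guide or from the appliance. It assumes GNU coreutils sha512sum and a POSIX awk, uses a constructed stand-in for the ISO together with a digest file in the same "<hex digest>  <file name>" layout that sha512sum -c reads, and, unlike the grep <ISO_Image_Name> step on the page, matches the file-name column exactly so that an entry for a similarly named image cannot satisfy the check. It also distinguishes a digest mismatch from an image that is simply absent from the digest file.

```shell
#!/bin/sh
# Added example, not from the AlienVault guide: verify a downloaded ISO against a
# SHA-512 digest file of the form "<hex digest>  <file name>" (one line per file),
# which is the format that "sha512sum -c" consumes. All file names are constructed.

# verify_iso DIGEST_FILE ISO_NAME
# Exit status: 0 = digest matches; 1 = digest mismatch (tampered or truncated
# download); 2 = ISO_NAME has no entry in DIGEST_FILE (treat as unverified).
verify_iso() {
    digest_file=$1
    iso_name=$2
    # Select the entry whose file-name column equals ISO_NAME exactly (text mode
    # "  name" or binary mode " *name"), not any line that merely contains the string.
    line=$(awk -v name="$iso_name" '$2 == name || $2 == ("*" name) { print; exit }' "$digest_file")
    if [ -z "$line" ]; then
        echo "verify_iso: no digest entry for $iso_name" >&2
        return 2
    fi
    # sha512sum -c recomputes the hash of the named file and compares it with the
    # digest on the line; it exits non-zero and prints "<name>: FAILED" on mismatch.
    if printf '%s\n' "$line" | sha512sum -c - >/dev/null 2>&1; then
        return 0
    fi
    echo "verify_iso: digest mismatch for $iso_name" >&2
    return 1
}

# demo_verify builds a constructed ISO stand-in and digest file in a scratch
# directory and exercises all three outcomes. Returns 0 when each behaves as
# documented above.
demo_verify() {
    start_dir=$PWD
    work=$(mktemp -d) || return 1
    cd "$work" || return 1
    printf 'constructed ISO contents\n' > image.iso
    printf 'unrelated constructed contents\n' > old-image.iso
    # Digest file as a vendor would publish it, covering several images.
    sha512sum image.iso old-image.iso > USM_SHA512SUM

    verify_iso USM_SHA512SUM image.iso && ok=0 || ok=$?
    # Append one byte: a download that differs by a single byte must fail.
    printf 'x' >> image.iso
    verify_iso USM_SHA512SUM image.iso && tampered=0 || tampered=$?
    # An image the digest file does not list must not pass as verified.
    verify_iso USM_SHA512SUM missing.iso && missing=0 || missing=$?

    cd "$start_dir" && rm -rf "$work"
    [ "$ok" -eq 0 ] && [ "$tampered" -eq 1 ] && [ "$missing" -eq 2 ]
}

demo_verify && echo "verify_iso: match, mismatch and unlisted-image outcomes behave as expected"
```

Against a real download, run verify_iso USM_SHA512SUM image.iso from the folder holding both files and proceed only on exit status 0. The separate status 2 matters because, when the digest file lacks the image, the page's grep pipeline hands sha512sum -c an empty input and it reports that no properly formatted checksum lines were found, which reads like a tooling problem rather than the missing entry it actually is.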
3.5 CONFIGURING SECURITY

3.5.1 GENERATING HOST KEYS

Host keys are generated automatically by the AlienVault USM for Government appliance the first time the system is started. No additional user intervention is required.

3.5.2 FIPS MODE

The AlienVault USM for Government appliance is enabled by default to use FIPS-compliant OpenSSL libraries for cryptographic communication. All application components that use cryptographic functionality utilize these libraries. USM for Government does not provide an option to disable FIPS mode. USM for Government includes the following FIPS-certified OpenSSL packages:

• libssl1.0.0:amd64 version 1.0.1p-1+fips2.0.9
• openssl-fips version 2.0.9-1

3.5.3 CONFIGURING PROTOCOLS

AlienVault USM for Government is designed to use Common Criteria certified protocols only. The ciphers included with the system are:

• aes256-cbc
• aes128-cbc

These ciphers cannot be changed.

3.5.4 CONFIGURING PASSWORD ATTRIBUTES

The password attributes for users within the AlienVault USM for Government system can be controlled by an administrator from within the Web UI. The attributes that can be changed, with their default values, are:

• Minimum Password Length (default 15) – Establishes a minimum length for the password that can be used. The minimum value is 15. The maximum value is 255.
• Maximum Password Length (default 32) – Establishes a maximum length for the password that can be used. The minimum value is 15. The maximum value is 255.
• Password History (default 0) – The number of unique new passwords that have to be associated with a user account before an old password can be reused. A value of “0” means that this setting is disabled.
• Complexity (default No) – Requires that users use a password that includes at least three of the following types of characters: uppercase letters, lowercase letters, numbers, and special characters. Allowed values: Yes, No.
• Minimum Password Lifetime in Minutes (default 0) – Requires users to wait a specified number of minutes before resetting their password again. A value of “0” disables this setting.
• Maximum Password Lifetime in Days (default 0) – Forces a user to reset their password after a specified number of days. A value of “0” disables this setting.
• Failed Logon Attempts (default 5) – The number of times a user can incorrectly enter a password before getting locked out of the system.
• Account Lockout Duration (default 5) – The number of minutes a locked-out account remains locked out before automatically becoming unlocked.

Follow the steps below to change the password attributes required by the system.

1. Log in to the appliance from the web UI.
2. Navigate to the Deployment information page by selecting Configuration > Administration from the main window.
3. On the Administration screen click on the Main tab and select the Password Policy option.
4. Modify one or more of the password policy settings as desired. See above for a description of each password setting.
5. Click on the Update Configuration button on the right side of the screen to apply the changes.

3.5.5 CONFIGURING MANAGEMENT SESSION TIMEOUTS

The session timeout value for a user in the web UI and System Console can be configured. When this setting is configured, the USM for Government appliance forces an inactive user to log out when the timeout period is reached.

1. Log in to the appliance from the web UI.
2. Navigate to the Deployment information page by selecting Configuration > Administration from the main window.
3. On the Administration screen click on the Main tab and select the User Activity option.
4. Enter a value into the Session Timeout (minutes) field to designate the period of time before a session logs the user out from the system. The default value is 10 minutes.
5. Click on the Update Configuration button on the right side of the screen to apply the changes.

3.5.6 CONFIGURING THE BANNER

When a user logs into the AlienVault system either through the web UI or from the system console a system banner is displayed. The specific text of this banner can be modified using the following steps:

1. Log in to the appliance from the web UI.
2. Navigate to the Deployment information page by selecting Configuration > Administration from the main window.
3. On the Administration screen click on the Main tab and select the Authorized Access Disclaimer option.
4. Enter the text to display to the user when a user attempts to log into the system either from the web UI or the system console.
5. Click on the Update Configuration button on the right side of the screen to apply the changes.

4 USER MANAGEMENT

4.1 SYSTEM CONSOLE SYSTEM ADMINISTRATORS

4.1.1 CHANGE ROOT PASSWORD FROM SYSTEM CONSOLE

An administrator can change the password of the ‘root’ user on the system console by following the instructions below:

1. Connect via keyboard, mouse, and monitor to the System Console and log in.
2. Select System Preferences > Change Password > Change Appliance root password.
3. You will be prompted to confirm that you want to change the root password.
4. Enter the new password and confirm by entering it again. Upon successful completion you will get a confirmation message.
5. Exit the console.

4.1.2 ADD A USER IN THE SYSTEM CONSOLE

Additional users cannot be granted access to the System Console. The system supports only a single system administrator.

4.2 USER INFORMATION

The option to manage users is restricted to administrators. Using the Primary Menu, select Configuration > Administration and then using the Secondary Menu select Users. This screen contains the following information:

• Login. Account credential required to access AlienVault USM. It refers to the username used to access the system. Next to “Login”, administrator users are marked with an icon in the list of displayed users.
• Name. Personal identifier.
• Email. This is the e-mail address of the user. It is used to send notifications, reports, etc., to the user.
• Visibility. This field informs about the group that the user belongs to. There are groups of objects used to simplify the asset management.
• Status. There are 2 types of status: enabled user and disabled user, each shown with its own status icon.
• Language. The interface supports several languages and it is possible to set a default. The available languages are: English, Chinese simplified, Chinese traditional, French, German, Portuguese and Spanish.
• Creation date. The date on which that user was created.
• Last login date. The last date on which that user logged in.

4.3 CREATE A NEW USER

To create a new user, the authorized administrator should follow these steps:

1. Navigate to the Deployment information page by selecting Configuration > Administration from the main window.
2. Click on ‘New’.
3. Populate the ‘New User’ form:
   • User login. Enter a new user login. This is a mandatory field.
   • User name. Enter a personal identifier, for example a personal name.
   • User email. Enter the new user’s email.
   • User language. Select the interface language setting to be used by the new user.
   • Timezone. Select a time zone from the list that appears by clicking on the combo box.
   • Enter user password. Enter a password for the new account. This information is necessary to log into AlienVault USM.
   • Re-enter user password. Re-enter the password for the new account.
   • Ask to change password at next login. This option can be used to force a password change on first login for a new user.
   • ‘Make this user a global admin’ toggle. Toggle this to assign the new user the global admin role. Global admin users have permissions to see all assets and all menu options. Global administrators are marked with an icon whenever the list of users is displayed.

4.4 MODIFY A USER

To modify an existing user’s account, the authorized administrator should follow these steps:

1. Navigate to the Deployment information page by selecting Configuration > Administration from the main window.
2. From the ‘User Information’ list select the user you want to modify by clicking on the line of that user and click on Modify. You can also double-click on the line of that user or select the user you want to modify by clicking on the user name.
3. Modify the relevant user information.
4. Once all changes have been made, re-enter the password and click on SAVE to make the changes take effect.
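The password policy attributes from section 3.5.4 govern the passwords entered when a user is created or modified (sections 4.3 and 4.4). The following is an added example, not part of the AlienVault documentation or product: it re-implements those rules in Python so a candidate policy and password can be checked offline. The class and function names, the SHA-256 history fingerprints and the demo scenario are assumptions of the example.

```python
"""Password-policy checks modelled on the attribute table in section 3.5.4.
Added example, not AlienVault code: length 15..255, password history,
three-of-four complexity, minimum and maximum lifetime, and lockout after
repeated failed logons with automatic unlock. The names, the SHA-256
history fingerprints and the demo scenario are this example's assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib

@dataclass
class PasswordPolicy:
    # Field defaults are the table's Default column; 0 disables where noted.
    min_length: int = 15            # allowed 15..255
    max_length: int = 32            # allowed 15..255
    history: int = 0                # unique passwords before reuse
    complexity: bool = False        # Yes/No in the web UI
    min_lifetime_minutes: int = 0
    max_lifetime_days: int = 0
    failed_logon_attempts: int = 5
    lockout_minutes: int = 5

def validate_policy(p: PasswordPolicy) -> list:
    """Settings that fall outside the ranges section 3.5.4 allows."""
    errors = [f"{name} must be between 15 and 255" for name in ("min_length", "max_length")
              if not 15 <= getattr(p, name) <= 255]
    if p.max_length < p.min_length:
        errors.append("max_length is smaller than min_length")
    return errors

def character_classes(password: str) -> int:
    """How many of the four classes (upper, lower, digit, special) appear."""
    return sum([any(c.isupper() for c in password), any(c.islower() for c in password),
                any(c.isdigit() for c in password), any(not c.isalnum() for c in password)])

def fingerprint(password: str) -> str:
    # Illustration only; a real history store would use a salted, slow hash.
    return hashlib.sha256(password.encode()).hexdigest()

def check_new_password(p: PasswordPolicy, password: str, previous: list,
                       last_change: datetime, now: datetime) -> list:
    """Reasons a password change would be refused (empty list = accepted);
    `previous` holds fingerprints of earlier passwords, oldest first."""
    reasons = []
    if not p.min_length <= len(password) <= p.max_length:
        reasons.append(f"length must be {p.min_length}..{p.max_length}")
    if p.complexity and character_classes(password) < 3:
        reasons.append("needs three of: upper, lower, digit, special")
    if p.history and fingerprint(password) in previous[-p.history:]:
        reasons.append(f"reuses one of the last {p.history} passwords")
    if p.min_lifetime_minutes and now - last_change < timedelta(minutes=p.min_lifetime_minutes):
        reasons.append("minimum password lifetime has not elapsed")
    return reasons

def password_expired(p: PasswordPolicy, last_change: datetime, now: datetime) -> bool:
    """Maximum Password Lifetime in Days; 0 means no forced reset."""
    return p.max_lifetime_days > 0 and now - last_change >= timedelta(days=p.max_lifetime_days)

class LockoutTracker:
    """Failed Logon Attempts and Account Lockout Duration from the table."""
    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.failures = {}    # login -> consecutive failed attempts
        self.locked_at = {}   # login -> time the lockout started

    def is_locked(self, login: str, now: datetime) -> bool:
        started = self.locked_at.get(login)
        if started is None:
            return False
        if now - started >= timedelta(minutes=self.policy.lockout_minutes):
            del self.locked_at[login]      # lockout expired: automatic unlock
            self.failures[login] = 0
            return False
        return True

    def record_attempt(self, login: str, success: bool, now: datetime) -> bool:
        """Record one logon attempt; True means the account is (now) locked."""
        if self.is_locked(login, now):
            return True
        if success:
            self.failures[login] = 0
            return False
        self.failures[login] = self.failures.get(login, 0) + 1
        if self.failures[login] >= self.policy.failed_logon_attempts:
            self.locked_at[login] = now    # "Account locked: Too many failed login attempts"
            return True
        return False

def demo() -> dict:
    """Constructed scenario exercising each rule; timestamps are made up."""
    policy = PasswordPolicy(complexity=True, history=3, min_lifetime_minutes=60, max_lifetime_days=90)
    t0 = datetime(2016, 2, 9, 12, 0)
    later = t0 + timedelta(hours=2)
    old = [fingerprint("Old-Passphrase-Number-1")]
    tracker = LockoutTracker(policy)
    for _ in range(policy.failed_logon_attempts):   # enough failures to lock the account
        tracker.record_attempt("admin", False, t0)
    return {
        "policy_errors": validate_policy(PasswordPolicy(min_length=8)),
        "weak": check_new_password(policy, "password", [], t0, later),
        "reuse": check_new_password(policy, "Old-Passphrase-Number-1", old, t0, later),
        "too_soon": check_new_password(policy, "New-Passphrase-Number-2", old, t0, t0 + timedelta(minutes=10)),
        "accepted": check_new_password(policy, "New-Passphrase-Number-2", old, t0, later),
        "expired_after_91_days": password_expired(policy, t0, t0 + timedelta(days=91)),
        "locked_at_4min": tracker.is_locked("admin", t0 + timedelta(minutes=4)),
        "locked_at_5min": tracker.is_locked("admin", t0 + timedelta(minutes=5)),
    }
```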
4.5 DELETE SELECTED USER

To delete a user’s account, the authorized administrator should follow these steps:

1. Navigate to the Deployment information page by selecting Configuration > Administration from the main window.
2. Select the user you want to delete by clicking on the line of that user and then selecting ‘Delete Selected’.
3. The system will ask for confirmation.
4. Click OK and the user will be permanently deleted.

A user can be disabled instead of removed to retain the user configuration. A disabled user cannot access the system.

4.6 ENABLED AND DISABLED USERS

It is possible to disable a user account. The status icon indicates whether the user account is enabled or disabled. Click on the icon to toggle the user status. Disabled users are locked out of the system.

4.6.1 DISABLE ACTIVE USERS

1. Choose “Configuration > Administration > Users > User Information”.
2. Under the status column, click the green check mark to disable the user. Once clicked, the check mark will change to a red “X”. This indicates that the user is disabled.

4.6.2 ENABLE ACTIVE USERS

1. Choose “Configuration > Administration > Users > User Information”.
2. Under the status column, click the red “X” to enable the user. Once clicked, the “X” will change to a green check mark. This indicates that the user is enabled.

5 AUDIT LOG RECORDS

AlienVault USM for Government monitors all administrative activity on the appliance. When this activity happens, the system will generate an audit message that is stored on the system.
The log message is stored locally and can be accessed directly from the appliance in the Raw Logs, and sent via syslog to an external system. Its format in the Raw Logs is the following:

Date : yyyy/mm/dd hh:mm:ss
Type of log: syslog
Sensor: AllInOne
Source: AllInOne
Device: AlienVault USM for Government IP
Data: The data about that specific audit log

5.1 AUDITED EVENTS

5.1.1 GENERAL USER ACTIVITY LOGGING

Most activity performed within USM for Government can be audited by configuring the user activity audit options in the system. The audit options available include:

• Account locked: Too many failed login attempts
• Analysis – Alarm closed
• Analysis – Alarm deleted
• Analysis – Alarm open
• Analysis – Block of Alarms
• Anomalies - :Acked host:, date:, sensor:
• Anomalies - : Ignored host:, date:, sensor:
• Anomalies – Acked
• Anomalies – Deleted
• Configuration – New host scan configuration added
• Configuration – RRD profile added
• Configuration – Reset defaults values
• Configuration – User created
• Configuration – User deleted
• Configuration – User info modified
• Configuration – User password changed
• Configuration – configuration modified
• Correlation – Backlog delete
• Correlation Directives – directive
• Correlation Directives – Directive added
• Correlation Directives – Properties of directive deleted
• Correlation Directives – Properties of directive updated
• Dashboards – Modify configuration variable
• Incidents – Incident type: deleted
• Incidents – Modify incident type
• Incidents – New incident type
• Incidents – New tag added
• Incidents – Tag deleted
• Incidents – Tag modified
• Knowledge DB – Added relationship to
• Knowledge DB – Attached file to
• Knowledge DB – Deleted file
• Knowledge DB – Deleted relationship from with keyname
• Knowledge DB – Document deleted
• Knowledge DB – Document modified
• Monitor – Network
• Monitor – Riskmeter
• Monitor – Sensors
• Monitor – Sessions
• Policy & Actions – Action modified
• Policy & Actions – Action deleted
• Policy & Actions – New Action added
• Policy – Host group deleted
• Policy – New host group added
• Policy – Network group deleted
• Policy – Network group modified
• Policy – New network group added
• Policy – Order: change from to
• Policy – New policy added
• Policy – Policy deleted
• Policy – Policy modified
• Policy – New sensor added
• Policy – Sensor modified
• Policy – New signature group
• Policy – Signature group deleted
• Policy – Signature group modified
• Policy Group – Change order
• Reports – Incident deleted
• Reports – Incident modified
• Reports – Incident closed
• Reports – PDF report generated
• Reports – Security report generated
• Reports – Ticket deleted
• Reports – Ticket added to
• SIEM Components – Database Servers – Database server modified
• SIEM Components – Database Servers – New database added
• SIEM Components – Servers: New server added
• SIEM Components – Servers: Server modified
• SIEM Components – Servers: Server deleted
• SIEM Components – Webs Interfaces modified
• SIEM Components – Webs Interfaces deleted
• Tools – Backup deleted
• Tools – Backup restored
• Tools – Network scan
• User failed logon
• User logged in
• User logged out
• Vulnerabilities – Job: created
• Vulnerabilities – Job: deleted
• Vulnerabilities – Scheduled Job: created
• Vulnerabilities – Scheduled Job: deleted

5.1.2 CONFIGURE GENERAL USER AUDIT LOGGING

By default, all of the general audit logging is enabled on the USM for Government system. The administrator can change the audit configuration settings, however, by updating the list from within the User Activity section of the Configuration tab.

5.1.2.1 REMOVE A USER AUDIT OPTION

1. From within the web UI, navigate to Configuration > Administration.
2. Under the Users sub-menu select the Activity option.
3. This will open up the audit configuration view. Select one of the audit items on the left under the section called “ACTIONS LOGGED” and either click the “-” or drag it to the right hand box called “ACTIONS NOT LOGGED”.
4. Repeat for any other audit configurations desired.
5. Scroll to the bottom of the page and click the “Update Configuration” button.

5.1.2.2 ADD A USER AUDIT OPTION

1. From within the web UI, navigate to Configuration > Administration.
2. Under the Users sub-menu select the Activity option.
3. This will open up the audit configuration view. Select one of the audit items on the left under the section called “ACTIONS NOT LOGGED” and either click the “+” or drag it to the right hand box called “ACTIONS LOGGED”.
4. Repeat for any other audit configurations desired.
5. Scroll to the bottom of the page and click the “Update Configuration” button.

5.1.2.3 VIEW GENERAL USER AUDIT EVENTS

When a user takes an action that generates one of the general user audit events, the system will display the event in Settings > User Activity.

1. Log into the USM for Government web UI.
2. Navigate to Settings > User Activity.
3. Use the filtering options to filter the view to show only the events desired.

5.1.3 NON-CONFIGURABLE AUDIT EVENTS

5.1.3.1 AUDIT SERVICE SHUTDOWN

This audit event is created when the onboard syslog service is shut down. This occurs at system shutdown. These events can be found from within the USM for Government web UI. Follow these instructions:

1. Log into the USM for Government web UI.
2. Navigate to Configuration > Components > AlienVault Center > Logs.
3. Select the Syslog sub-menu option to expand the ‘syslog’ events.
Event Format:

MMM DD HH:MM:SS VirtualUSMStandardSensor rsyslogd: [origin software="rsyslogd" swVersion="<version of the syslog daemon>" x-pid="<PID of the syslog process>" x-info="http://www.rsyslog.com"] Exiting on signal 15.

5.1.3.2 AUDIT SERVICE STARTUP

This audit event is created when the onboard syslog service is started. This occurs at system startup. These events can be found from within the USM for Government web UI. Follow these instructions:

1. Log into the USM for Government web UI.
2. Navigate to Configuration > Deployment > Components > AlienVault Center > Logs.
3. Select the Syslog sub-menu option to expand the ‘syslog’ events.

Event Format:

MMM DD HH:MM:SS VirtualUSMStandardSensor rsyslogd: [origin software="rsyslogd" swVersion="<version of the syslog daemon>" (re)start

5.1.3.3 LOGOUT FROM THE WEB UI

This audit event is created when a user (administrative or otherwise) logs out of the USM for Government web UI. This event can be found in the AlienVault User Activity screen of the web UI. To access this event information, navigate to Settings > User Activity from within the web UI.

5.1.3.4 SUCCESSFUL LOGIN FROM THE WEB UI

This audit event is created when a user (administrative or otherwise) successfully logs in to the USM for Government web UI. This event can be found in the AlienVault User Activity screen of the web UI. To access this event information, navigate to Settings > User Activity from within the web UI.

5.1.3.5 FAILED LOGIN FROM THE WEB UI

This audit event is created when a user (administrative or otherwise) fails to log in to the USM for Government web UI successfully. This event can be found in the AlienVault User Activity screen of the web UI. To access this event information, navigate to Settings > User Activity from within the web UI.
5.1.3.6 SUCCESSFUL LOGIN FROM THE SYSTEM CONSOLE

This audit event is created when the admin user successfully logs into the USM for Government System Console. This login can be found by navigating to the system logs view within the web UI. To see these events:

1. Navigate to Configuration > Deployment > Components > AlienVault Center.
2. Select the Logs sub-menu.
3. From the System tab, click on ‘auth.log’.

Event Format:

MMM DD HH:MM:SS AllInOne sudo: pam_unix(sudo:session): session opened for user root by (uid=0)

5.1.3.7 LOGOUT FROM THE SYSTEM CONSOLE

This audit event is created when the admin user logs out of the USM for Government System Console. This event can be found by navigating to the system logs view within the web UI. To see these events:

1. Navigate to Configuration > Deployment > Components > AlienVault Center.
2. Select the Logs sub-menu.
3. From the System tab, click on ‘auth.log’.

Event Format:

MMM DD HH:MM:SS AllInOne sudo: pam_unix(sudo:session): session closed for user root

5.1.3.8 FAILED LOGON FROM SYSTEM CONSOLE

This audit event is created when the admin user fails to log into the USM for Government System Console successfully. This event can be found by navigating to the Event Analysis view within the web UI. To see these events:

1. Navigate to the Analysis > Security Events (SIEM) view.
2. Under the Data Sources filter choose “PAX_UNIX” to filter down to the failed authentication events.

7.1.1.1 WEB UI USER CHANGE OF PASSWORD

This audit event is created when a USM for Government user attempts to change their password. This event can be found in the AlienVault User Activity screen of the web UI. To access this event information, navigate to Settings > User Activity from within the web UI.
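The Event Formats documented for the non-configurable audit events (sections 5.1.3.1, 5.1.3.2, 5.1.3.6, 5.1.3.7, 7.1.1.2 and 7.1.1.3) can be matched mechanically once the records are exported via syslog or read from the Raw Logs. The following is an added example,  not AlienVault code: it parses Raw Logs records in the section 5 field layout and classifies the Data field against those formats. All records, the rsyslog version string, PIDs, ports and the 192.0.2.10 address are constructed.

```python
"""Classifier for the non-configurable audit events of sections 5.1.3 and 7.1.1.
Added example, not AlienVault code. It reads Raw Logs records in the field
layout of section 5 and matches the Data field against the documented Event
Formats: rsyslogd 'Exiting on signal 15' (audit service shutdown), rsyslogd
'(re)start' (startup), pam_unix sudo session opened/closed for root (console
login/logout), sshd 'Accepted password for root' (listed in section 7.1.1.2 as
the console password change) and the nagios3 system time change warning.
All records below are constructed; 192.0.2.10 is a documentation address."""
import re
from collections import Counter

# Syslog header shape used by every documented Event Format:
# MMM DD HH:MM:SS <host> <program>[<pid>]: <message>
SYSLOG_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Event name and the pattern its message part must match, tried in order.
EVENT_PATTERNS = [
    ("audit service shutdown",
     re.compile(r'^\[origin software="rsyslogd".*\] Exiting on signal 15')),
    ("audit service startup",
     re.compile(r'^\[origin software="rsyslogd".*\(re\)start')),
    ("console login",
     re.compile(r"^pam_unix\(sudo:session\): session opened for user root")),
    ("console logout",
     re.compile(r"^pam_unix\(sudo:session\): session closed for user root")),
    ("console root password change",   # the section 7.1.1.2 Event Format
     re.compile(r"^Accepted password for root from (?P<ip>\S+) port (?P<port>\d+)")),
    ("system clock change",
     re.compile(r"^Warning: A system time change of (?P<delta>.+?) has been detected")),
]


def parse_raw_log(record: str) -> dict:
    """Split one Raw Logs record ('Field: value' per line) into a dict."""
    fields = {}
    for line in record.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def classify(data: str) -> dict:
    """Syslog header fields, the matched event name and any captured values."""
    m = SYSLOG_LINE.match(data)
    if not m:
        return {"event": "unparsed", "message": data}
    out = {"event": "unclassified", "host": m["host"], "program": m["prog"],
           "pid": m["pid"], "timestamp": f"{m['mon']} {m['day']} {m['time']}"}
    for name, pattern in EVENT_PATTERNS:
        hit = pattern.search(m["msg"])
        if hit:
            out["event"] = name
            out.update(hit.groupdict())
            break
    return out


def audit_summary(records) -> Counter:
    """Count events per kind over a list of Raw Logs records."""
    return Counter(classify(parse_raw_log(r).get("Data", ""))["event"]
                   for r in records)


def make_record(date: str, data: str) -> str:
    """Build a Raw Logs record in the section 5 layout (constructed data)."""
    return (f"Date : {date}\nType of log: syslog\nSensor: AllInOne\n"
            f"Source: AllInOne\nDevice: 192.0.2.10\nData: {data}")


RSYSLOG_ORIGIN = ('[origin software="rsyslogd" swVersion="5.8.11" x-pid="1201" '
                  'x-info="http://www.rsyslog.com"]')   # constructed version/PID
SAMPLE_RECORDS = [  # constructed, not captured from an appliance
    make_record("2016/02/09 08:00:01",
                f"Feb  9 08:00:01 VirtualUSMStandardSensor rsyslogd: {RSYSLOG_ORIGIN} (re)start"),
    make_record("2016/02/09 09:12:40",
                "Feb  9 09:12:40 AllInOne sudo: pam_unix(sudo:session): session opened for user root by (uid=0)"),
    make_record("2016/02/09 09:15:02",
                "Feb  9 09:15:02 VirtualUSMAllInOne sshd[2231]: Accepted password for root from 192.0.2.10 port 51422 ssh2"),
    make_record("2016/02/09 09:30:11",
                "Feb  9 09:30:11 AllInOne sudo: pam_unix(sudo:session): session closed for user root"),
    make_record("2016/02/09 10:00:00",
                "Feb  9 10:00:00 VirtualUSMAllinOne nagios3: Warning: A system time change of 0d 0h 0m 37s has been detected. Compensating..."),
    make_record("2016/02/09 17:45:59",
                f"Feb  9 17:45:59 VirtualUSMStandardSensor rsyslogd: {RSYSLOG_ORIGIN} Exiting on signal 15."),
    make_record("2016/02/09 17:46:00",   # unrelated line: stays unclassified
                "Feb  9 17:46:00 AllInOne cron[990]: (root) CMD (run-parts /etc/cron.hourly)"),
]


def demo() -> Counter:
    """Event counts for the constructed records."""
    return audit_summary(SAMPLE_RECORDS)
```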
7.1.1.2 SYSTEM CONSOLE CHANGE OF PASSWORD

This audit event is created when a USM for Government user attempts to change the system console root password. The event for this activity can be found by navigating to the ‘auth’ logs view within the web UI. To see these events:

1. Navigate to Configuration > Deployment > Components > AlienVault Center.
2. Select the Logs sub-menu.
3. From the System tab, click on ‘auth.log’.

Event Format:

MMM DD HH:MM:SS VirtualUSMAllInOne sshd[<PID>]: Accepted password for root from <ip address> port <port #>

PID = process ID of the password change attempt
IP address = IP address of the local system
Port = Port used by the password change process

7.1.1.3 SYSTEM CLOCK CHANGE

This audit event is created when the system clock on the USM for Government system changes. The event can be viewed from within the ‘syslog’ log view within the web UI.

1. Navigate to Configuration > Deployment > Components > AlienVault Center.
2. Select the Logs sub-menu.
3. From the System tab, select ‘syslog’.

Event Format:

MMM DD HH:MM:SS VirtualUSMAllinOne nagios3: Warning: A system time change of <time difference> has been detected. Compensating …

7.1.1.4 REMOTE SESSION TERMINATION DUE TO TIMEOUT

This audit event is created when the web UI or System Console session for a user expires based on the timeout set for the USM for Government appliance. The session expiration and logout message is displayed in the Settings > User Activity section of the web UI.

8 TROUBLESHOOTING

8.1 POWER-ON SELF TESTS

The AlienVault USM for Government appliance includes several self tests that will be run automatically when the appliance boots up. These tests include:

1. Check for Existing Hardware Availability. The device checks the hardware availability by evaluating the information from the previous system boot that is stored in the BIOS. The device sends an electronic pulse to each of the devices identified in the list to determine if the device is available and active. If the pulse is returned, the AlienVault USM for Government appliance knows that the hardware component is functional and ready for use. If it does not receive a response from the hardware component, it knows that the hardware component is not present or is faulty. If the device is found to be missing or faulty it is removed from the system startup and initialization process.

2. Check for New Hardware. At startup the USM for Government appliance will evaluate the system to determine if any new hardware has been attached. If new hardware is found it is added to the BIOS memory for use in the next boot cycle.

Once the hardware checks are complete, the bootstrap loader is invoked to load the appliance operating system. If there is any error during the boot process, the boot process will be terminated, and the device will display an informative error.

8.2 SYSTEM SOFTWARE SELF TESTS

The AlienVault USM for Government appliance runs a series of software self tests while the device is running to ensure that the system remains healthy and functional. The system continually monitors the system processes to ensure that everything is up and running. It conducts automatic maintenance and repair processes and can execute meaningful causal actions in error situations. Specific self-tests / monitoring include:

1. Process failures. The system will automatically identify and start processes that are not running and restart processes that are not functioning properly or within operational parameters.
Processes monitored include:

• AlienVault API
• AlienVault Forwarder
• AlienVault Sensor
• AlienVault Server
• AlienVault databases
• Memory Cache
• AlienVault web server
• AlienVault framework
• Monitoring services such as Nagios, OpenVAS, ntop, nfcapd, etc.

2. Resource monitoring. If the system uses more resources than expected the system will generate an alert to inform an administrator of the issue. Multiple processes are watched, such as the AlienVault API, the AlienVault forwarding system, the database, the Apache web server, the AlienVault framework, the monitoring services (Nagios, OpenVAS, ntop, nfcapd…) and other services like the AlienVault Sensor and Server, Memcache and MongoDB. Also, some internal processes inside the AlienVault binaries test that the exchange of events works flawlessly.

8.3 FIPS SELF-TESTS

The AlienVault USM for Government appliance includes several FIPS self-tests. They include:

1. DRBG Health Test. The FIPS DRBG generating function implements initialization health checks, periodic health checks and continuous health checks. Initialization checks are performed when a DRBG is first initiated (using FIPS_drbg_new() or FIPS_drbg_set()) and when a DRBG is reseeded explicitly using FIPS_drbg_reseed(). The system relies on a FIPS-certified OpenSSL Module in FIPS mode for DRBG. The known answer tests on initialization are:

The FIPS_mode_set() function performs all power-up self-tests listed above with no operator intervention required, returning a “1” if all power-up self-tests succeed, and a “0” otherwise. If any component of the power-up self-test fails, an internal flag is set to prevent subsequent invocation of any cryptographic function calls. The module will only enter the FIPS approved mode if the module is reloaded and the call to FIPS_mode_set() succeeds.
Periodic health checks are performed based on health_check_interval calls. By default, the health checks are automatically performed every 2^24 generate operations. If a DRBG health check fails, the DRBG is placed in an error state and no further operations can be performed. This error state can only be cleared by un-instantiating and re-instantiating the DRBG.

2. Entropy Health Test. Each sample obtained from an entropy source is verified by the entropy estimate function prior to being added into the primary entropy pool. The purpose of this check is to make sure the entropy source is sufficiently unpredictable. In the case of entropy estimate function “failure”, the sample is assigned an entropy value of zero but still mixed into the pool. The LPRNG design ensures that a non-random sample does not negatively affect existing entropy.

8.4 PROCESS LIST

The AlienVault USM for Government appliance includes several processes that will run on the device during normal operation. The processes are not directly user-accessible. The TOE in its evaluated configuration includes the following processes that could run. Each entry gives the process name, the process execution privilege where the table states it, and the process description:

• MongoDB (mongodb user). It stores data from the network regarding intelligence (who is the owner of a machine, the OSs in the network, open ports...).
• epmd (rabbitmq user). Erlang Port Mapper (for RabbitMQ).
• RabbitMQ (rabbitmq user). Queue to handle Celery tasks.
• rsyslog (root). Receives and stores logs, for the appliance itself and from outside machines.
• fprobe (root). NetFlow probe to analyze network data and make statistics.
• ha_logd (root). High Availability read/write process for heartbeat.
• munin-node (root). Network resource monitoring to help analyze resource trends. It generates statistics from network monitor systems, networks and infrastructure.
• nagios3 (nagios user). Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved.
• nfcapd (www-data). Netflow capture daemon of the nfdump tools. It reads netflow data from the network and stores it into files.
• nfsend (www-data). A graphical web based front end for the nfdump netflow tools. It allows displaying data, navigating through the network data, processing the netflow data...
• ntop (ntop). ntop shows the current network usage. It displays a list of hosts that are currently using the network and reports information concerning the (IP and non-IP) traffic generated and received by each host.
• postfix (root). Sends emails (if the user defines them) in the Actions/Responses, inside Policies.
• qmgr (postfix user). Postfix queue manager.
• pickup (postfix user). The pickup daemon waits for hints that new mail has been dropped into the maildrop directory, and feeds it into the cleanup daemon.
• ossim-agent. An agent is a set of Python scripts that gathers and sends the output of the different plugins or tools to the correlation engine for further processing. They receive data from different remote sources.
• squid (root). Proxy to rewrite different packages, like ntop, to show the data inside the Apache web server.
• prads (prads user). Sniffer that reads data from the network to get the open ports and operating systems of the network, to store them in the DB.
• ssh (root). Manages connections to the CLI.
• suricata (root). It is a network Intrusion Detection System (IDS). It is based on rules (and is fully compatible with snort rules) to detect a variety of attacks / probes by searching packet content. It is the default IDS inside the AlienVault USM system and analyzes the network watching for attacks.
• ossec-analysisd (ossec). Receives the log messages and compares them to the rules. It will create alerts when a log message matches an applicable rule.
• ossec-logcollector (root). The ossec-logcollector daemon monitors configured files and commands for new log messages.
• ossec-syscheckd (root). It checks configured files for changes to the checksums, permissions or ownership.
• ossec-monitord (ossec). Monitors agent connectivity and compresses daily log files.
• rabbitmq-server (rabbitmq user). Process to start the RabbitMQ AMQP server (for Celery questions).
• beam (rabbitmq user). Helper functions to RabbitMQ.
• celery.bin.celeryd (avapi user). Celery is a distributed system to process vast amounts of messages, while providing operations with the tools required to maintain such a system. It’s a task queue with focus on real-time processing, while also supporting task scheduling. Inside AlienVault, it is involved in the API management, sending/receiving commands from different components.
• openvasmd. Manager daemon of the Open Vulnerability Assessment System (OpenVAS); it acts as a service and offers a communication protocol for its clients called OTP.
• openvassd. The core task of the OpenVAS Scanner is the actual scan process. openvassd is in charge of executing many security tests against many target hosts in a highly optimized way; it is the scanner of OpenVAS. It inspects the remote hosts and attempts to list all the vulnerabilities and common misconfigurations that affect them.
• apache2. Web server.
• stunnel4 (root). Process to send encrypted logs to a remote system.
• mysqld_safe (root). DB startup script.
• mysqld (mysql user). DB. It stores events from the network in a normalized format, amongst other things.
• av-forward. It forwards events from one server to another.
• macheted (asec user). Process to match regular expressions in the events received by the AlienVault agent.
• mixterd (asec user). Process that tries to identify on the fly the regular expressions of the logs that are received by alienvault-agent, which are not specified like other plugins.
• ossim-server (avserver). Process that receives normalized data from the Agent, and then does all the correlation and insertion in the DB. It is also the correlation system and alarm generator.

Appendix A HOW TO CONFIGURE STUNNEL TO WORK WITH ALIENVAULT USM FOR GOVERNMENT.

1 - GENERATING THE CERTIFICATES

1.1 - GENERATE THE CA CERTIFICATE

A PEM pass phrase is mandatory (I've used "pepe"). The common name is mandatory.

root@qa-dev:~/certs2# openssl req -out ca.pem -new -x509 -days 365
Generating a 2048 bit RSA private key
................+++
............+++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:AlienVault Inc.
Email Address []:
root@qa-dev:~/certs2#

1.2 - CREATE SERVER CERTIFICATE

1.2.1 Create the server certificate key

root@qa-dev:~/certs2# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
............................................+++
....................................................................+++
e is 65537 (0x10001)
root@qa-dev:~/certs2#

1.2.2 Create the server certificate request

Create the server certificate request (CSR) to be signed by the CA. The common name must be the hostname of the machine where the stunnel server is installed.

root@qa-dev:~/certs2# openssl req -key server.key -new -out server.req
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:qa-dev
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@qa-dev:~/certs2#

1.2.3 Sign the server certificate using the CA.

Sign the server certificate using the CA.
The process will ask for the CA pass phrase ("pepe") root@qa-dev:~/certs2# openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAcreateserial -out server.pem -days 365 Signature ok subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=qa-dev Getting CA Private Key Enter pass phrase for privkey.pem: root@qa-dev:~/certs2# 1.3 - CREATE THE CLIENT CERTIFICATE 1.3.1 Create the client certificate key root@qa-dev:~/certs2# openssl genrsa -out client.key 2048 Generating RSA private key, 2048 bit long modulus ..............................+++ .............................................................................. ..................................+++ e is 65537 (0x10001) 1.3.2 Create the client certificate requirement Create the client certificate requirement to be signed by the CA. The common name must be the hostname of the alienvault appliance root@qa-dev:~/certs2# openssl req -key client.key -new -out client.req You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:AllInOne Email Address []: AVUG-00001 Edition 13 Copyright© 2016 AlienVault. All rights reserved. 45 of 48 AlienVault Unified Security Management™ Configuration for Common Criteria Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: 1.3.3 Sign the server certificate using the CA. Sign the client certificate using the CA. 
The process will ask for the CA pass phrase ("pepe") root@qa-dev:~/certs2# openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -out client.pem -days 365 Signature ok subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=AllInOne Getting CA Private Key Enter pass phrase for privkey.pem: root@qa-dev:~/certs2# 1.3.4 Create the certificate for the appliance. Create one file certificate including the client cert and key. This certificate should be inserted in the alienvault appliance using the web interface root@qa-dev:~/certs2# cat client.pem client.key > allinone.pem AVUG-00001 Edition 13 Copyright© 2016 AlienVault. All rights reserved. 46 of 48 AlienVault Unified Security Management™ Configuration for Common Criteria 2 – CONFIGURING STUNNEL SERVER 2.1 - PERMISSIONS Be sure all certificates perms are 600 : # chmod * 600 2.2 – INSTALL STUNNEL #zypper install stunnel 2.3 – CONFIGURE STUNNEL Add the following lines to /etc/stunnel/stunnel.conf verify = 2 cert = /etc/stunnel/server.pem key = /etc/stunnel/server.key CAfile = /etc/stunnel/ca.pem client = no # The server certificate # The server key # The CA foreground=yes [ssyslog] accept = 10514 connect = 514 AVUG-00001 Edition 13 Copyright© 2016 AlienVault. All rights reserved. 47 of 48
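A scripted, non-interactive version of sections 1.1 to 1.3 and 2.1, added here as an example and not part of the AlienVault guide. It assumes placeholder hostnames (stunnel-server.example for the stunnel server, usm-appliance.example for the appliance), a placeholder organisation and CA pass phrase, and a working directory passed as an argument; it also adds a chain check of the kind the stunnel server will perform on the peer certificate with verify = 2.

```shell
#!/bin/sh
# Added example, not from the AlienVault guide: non-interactive version of
# Appendix A sections 1.1-1.3 and 2.1. Hostnames, organisation, pass phrase and
# the output directory are placeholders chosen for this example.
set -e

# 1.1: CA certificate with a pass-phrase protected key (same files as the
# guide's "openssl req -out ca.pem -new -x509 -days 365": ca.pem, privkey.pem).
make_ca() {   # $1 = dir, $2 = CA common name, $3 = CA pass phrase
    openssl req -new -x509 -days 365 -newkey rsa:2048 \
        -keyout "$1/privkey.pem" -out "$1/ca.pem" \
        -passout "pass:$3" -subj "/C=AU/O=Example Org/CN=$2" 2>/dev/null
}

# 1.2 / 1.3: key, request and CA-signed certificate for one end point. The CN
# must be the stunnel server hostname (server) or the USM appliance hostname (client).
make_signed_cert() {   # $1 = dir, $2 = name (server|client), $3 = CN, $4 = CA pass phrase
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -out "$1/$2.req" \
        -subj "/C=AU/O=Example Org/CN=$3" 2>/dev/null
    openssl x509 -req -in "$1/$2.req" -CA "$1/ca.pem" -CAkey "$1/privkey.pem" \
        -CAcreateserial -out "$1/$2.pem" -days 365 -passin "pass:$4" 2>/dev/null
}

# 1.3.4 and 2.1: bundle the client cert and key for the web-UI import, then
# restrict every certificate and key file to mode 600 (mode before file list).
bundle_client() {   # $1 = dir
    cat "$1/client.pem" "$1/client.key" > "$1/allinone.pem"
    chmod 600 "$1"/*.pem "$1"/*.key
}

# Chain check: succeeds only if the certificate validates against ca.pem, which
# is what the stunnel server enforces on the peer with "verify = 2".
verify_chain() {   # $1 = dir, $2 = certificate file name
    openssl verify -CAfile "$1/ca.pem" "$1/$2" >/dev/null 2>&1
}

# Subject CN of a certificate, to confirm it matches the intended hostname.
cert_cn() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Generate the full set (CA, server, client, bundle) into one directory.
gen_all() {   # $1 = dir (must exist)
    make_ca "$1" "Example CA" "example-pass"
    make_signed_cert "$1" server "stunnel-server.example" "example-pass"
    make_signed_cert "$1" client "usm-appliance.example" "example-pass"
    bundle_client "$1"
}
```

Run as `gen_all /path/to/certs` and copy ca.pem, server.pem and server.key to /etc/stunnel on the stunnel server; allinone.pem is the file imported into the appliance.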
