eTrust Audit Administrator Guide

This documentation and related computer software program (hereinafter referred to as the “Documentation”) is for
the end user’s informational purposes only and is subject to change or withdrawal by Computer Associates
International, Inc. (“CA”) at any time.
THIS DOCUMENTATION MAY NOT BE COPIED, TRANSFERRED, REPRODUCED, DISCLOSED OR
DUPLICATED, IN WHOLE OR IN PART, WITHOUT THE PRIOR WRITTEN CONSENT OF CA. THIS
DOCUMENTATION IS PROPRIETARY INFORMATION OF CA AND PROTECTED BY THE COPYRIGHT LAWS
OF THE UNITED STATES AND INTERNATIONAL TREATIES.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS”
WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT
WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR
INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST
PROFITS, BUSINESS INTERRUPTION, GOODWILL OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED OF
SUCH LOSS OR DAMAGE.
THE USE OF ANY PRODUCT REFERENCED IN THIS DOCUMENTATION AND THIS DOCUMENTATION IS
GOVERNED BY THE END USER’S APPLICABLE LICENSE AGREEMENT.
The manufacturer of this documentation is Computer Associates International, Inc.
Provided with “Restricted Rights” as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) or
DFARS Section 252.227.7013(c)(1)(ii) or applicable successor provisions.
 1999-2001 Computer Associates International, Inc., One Computer Associates Plaza, Islandia, New York 11749.
Portions of this product  1999-2001 Memco Software Ltd., a CA company. All rights reserved.
All trademarks, trade names, service marks, or logos referenced herein belong to their respective companies.
Contents
Chapter 1: Preface .................................................................1-1
eTrust Audit Advantages .................................................................................................................................... 1-1
Accountability ................................................................................................................................................ 1-2
Native Auditing Supported by eTrust Audit 1.5 ...................................................................................... 1-3
What Happens to Native Auditing? ........................................................................................................... 1-3
How eTrust Audit 1.5 Empowers Your Auditing ............................................................................................ 1-6
Components of eTrust Audit 1.5......................................................................................................................... 1-6
Architecture ........................................................................................................................................................... 1-9
The importance of eTrust Audit ....................................................................................................................... 1-10
Getting started with eTrust Audit 1.5 .............................................................................................................. 1-15
Product information .................................................................................................................................... 1-15
Chapter 2: Pre-Installation Planning .....................................2-1
Planning What to Audit ....................................................................................................................................... 2-1
The Client............................................................................................................................................................... 2-2
The Policy Manager.............................................................................................................................................. 2-5
Data Tools ............................................................................................................................................................ 2-10
System requirements .......................................................................................................................................... 2-14
Chapter 3: Installing eTrust Audit...........................................3-1
Installing the Client .............................................................................................................................................. 3-1
Installing the Policy Manager.............................................................................................................................. 3-5
Installing Data Tools............................................................................................................................................. 3-6
Starting the Services ...................................................................................................................................... 3-8
Chapter 4: Policy Management............................................4-1
Database.......................................................................................................................................................... 4-2
Service ..............................................................................................................................................................4-2
Policy Manager GUI..............................................................................................................................................4-2
Policies .............................................................................................................................................................4-3
Audit Nodes..................................................................................................................................................4-14
Policy Activation Log...................................................................................................................................4-19
The Users Window.......................................................................................................................................4-21
Chapter 5: Data Tools.............................................................5-1
Database ..........................................................................................................................................................5-1
Service ..............................................................................................................................................................5-2
Audit Viewer..........................................................................................................................................................5-2
The Audit Reporter .............................................................................................................................................5-18
Security Monitor ..................................................................................................................................................5-22
Chapter 6: Services ................................................................6-1
The eAudit recorder service.................................................................................................................................6-1
The eAudit SNMP recorder service ....................................................................................................................6-6
The redirector service............................................................................................................................................6-8
The Collector Service...........................................................................................................................................6-10
The Log Router Service.......................................................................................................................................6-12
The router configuration File ......................................................................................................................6-14
The Action Manager Service ..............................................................................................................................6-15
The eAudit Distribution Agent Service ............................................................................................................6-20
The eAudit Distribution Server Service............................................................................................................6-22
The Portmap Service ...........................................................................................................................................6-23
Chapter 7: Registry Keys and ini Files...................................7-1
Windows.................................................................................................................................................................7-1
Current Version .....................................................................................................................................................7-2
Components ...........................................................................................................................................................7-2
Paths ........................................................................................................................................................................7-2
Ports.........................................................................................................................................................................7-2
RPC..........................................................................................................................................................................7-4
Messages .................................................................................................................................................................7-4
Severity ............................................................................................................................................................7-4
Targets..............................................................................................................................................................7-5
Mail..........................................................................................................................................................................7-6
Client ...................................................................................................................................................................... 7-6
SeOS................................................................................................................................................................. 7-6
Recorders ........................................................................................................................................................ 7-7
Redirector ....................................................................................................................................................... 7-8
Router............................................................................................................................................................ 7-10
Management Agent ..................................................................................................................................... 7-14
Policy Manager ................................................................................................................................................... 7-17
Database........................................................................................................................................................ 7-17
Distribution Log........................................................................................................................................... 7-17
Distribution Server ...................................................................................................................................... 7-17
Data Server .......................................................................................................................................................... 7-19
Database........................................................................................................................................................ 7-20
Viewer ........................................................................................................................................................... 7-20
Collector........................................................................................................................................................ 7-21
Reports .......................................................................................................................................................... 7-21
Monitors ............................................................................................................................................................... 7-22
Security Monitor .......................................................................................................................................... 7-22
UNIX..................................................................................................................................................................... 7-23
eAudit.ini ............................................................................................................................................................. 7-23
Current Version ........................................................................................................................................... 7-23
Components ................................................................................................................................................. 7-23
Paths .............................................................................................................................................................. 7-23
Ports............................................................................................................................................................... 7-24
Messages ....................................................................................................................................................... 7-25
Mail................................................................................................................................................................ 7-26
Client ............................................................................................................................................................. 7-27
Recorders ...................................................................................................................................................... 7-27
Router............................................................................................................................................................ 7-27
Management Agent ..................................................................................................................................... 7-31
recorder.ini........................................................................................................................................................... 7-33
Appendix A: Advanced Options ......................................... A-1
Encryption ............................................................................................................................................................ A-2
SMTP ..................................................................................................................................................................... A-4
Firewall.................................................................................................................................................................. A-4
Configuring an Oracle client .............................................................................................................................. A-4
Windows NT Authentication with Microsoft SQL Server ............................................................................. A-5
Changing the Database Type ............................................................................................................................. A-6
Policy Manager Options ..................................................................................................................................... A-7
The Rule Wizard .................................................................................................................................................. A-8
Reduce Events Example ........................................................................................................................... A-14
Customizing the Viewers ................................................................................................................................. A-14
Column Width ............................................................................................................................................ A-15
Window/Table Properties ........................................................................................................................ A-16
Data Styles ................................................................................................................................................... A-16
Encup .................................................................................................................................................................. A-17
Security-related Windows NT Event IDs ....................................................................................................... A-17
Debug .................................................................................................................................................................. A-20
Example for Debug .................................................................................................................................... A-20
Appendix B: Submit API .........................................................B-1
Mapping ......................................................................................................................................................... B-1
Message routing ............................................................................................................................................ B-1
Submitting a Message to the Router ........................................................................................................... B-2
If submit fails ................................................................................................................................................. B-2
Compiling and linking......................................................................................................................................... B-2
Library ............................................................................................................................................................ B-2
Sample SAPI usage............................................................................................................................................... B-3
SAPI reference....................................................................................................................................................... B-5
SAPI_Init......................................................................................................................................................... B-6
SAPI_NewMessage ....................................................................................................................................... B-6
SAPI_AddItem............................................................................................................................................... B-6
SAPI_SubmitMsg .......................................................................................................................................... B-7
SAPI_RemoveMessage ................................................................................................................................. B-8
SAPI_DumpMessage ................................................................................................................... B-8
SAPI_DestroyCTX ......................................................................................................................................... B-9
SAPI_SetRouter ............................................................................................................................................. B-9
SAPI_SetRouterPort .................................................................................................................................... B-11
SAPI_SetRouterTimeout............................................................................................................ B-11
SAPI return codes and errors............................................................................................................................ B-11
Fields for the SAPI.............................................................................................................................................. B-14
Field Properties............................................................................................................................................ B-14
Examples of mapping ........................................................................................................................................ B-15
Mandatory fields for event identification ................................................................................................ B-15
Common predefined fields for event identification ............................................................................... B-17
Optional predefined fields for event identification ................................................................................ B-18
Common predefined fields for event description ................................................................................... B-18
Mapping events to predefined categories................................................................................................ B-21
System Access .............................................................................................................................................. B-22
Account Management................................................................................................................................. B-23
Object Access................................................................................................................................................B-24
Policy Management .....................................................................................................................................B-27
Security Systems Status ..............................................................................................................................B-27
Network ........................................................................................................................................................B-28
Detailed Tracking ........................................................................................................................................B-30
System/Application, Administration and General Events....................................................................B-31
Fields internal to eTrust Audit...................................................................................................................B-31
Reserved Keywords.....................................................................................................................................B-32
Chapter 1: Preface
This book is a complete guide to eTrust Audit 1.5.
This book was written for auditors and system administrators who are
implementing and maintaining protected environments supported by eTrust
Audit 1.5, and who may be users of other products pertaining to the eTrust
family.
eTrust Audit Advantages
eTrust Audit 1.5:
■ Provides a rich set of out-of-the-box host-based intrusion detection policies,
  which allow you to protect your whole enterprise across heterogeneous
  environments
■ Collects and archives security audit data from various sources in a consistent,
  searchable format with powerful filters, reporting and analyzing capabilities
■ Has a flexible architecture, which makes it suitable for the needs of small
  businesses as well as for large enterprises
■ Lets you define your own policies by using a simple graphical interface,
  which guides you through the steps of defining a new policy
■ Responds to suspicious events with e-mail, pop-up messages, scrolling alerts,
  and other actions
eTrust Audit puts powerful tools at your disposal:
■ eTrust Audit filters, forwards, and centralizes audit data from different
  applications, platforms, and operating systems. For details, see Native
  Auditing Supported by eTrust Audit 1.5 in this chapter.
■ An API lets you expand eTrust Audit's recording facilities to the clients of
  your choice, thus letting you incorporate Windows NT, Windows 2000 and
  UNIX applications.
■ A single management GUI lets you control policies system-wide.
■ When suspicious events are detected, eTrust Audit can, besides writing to the
  database or to a file, respond by:
  - Sending e-mail
  - Sending pop-up screen messages
  - Displaying scrolling alerts
  - Sending messages to Unicenter TNG
  - Running user-defined executable programs and batch files
  - Sending SNMP traps
■ eTrust Audit uses a highly flexible multi-tier architecture. Events from each
  station can be forwarded to anywhere in the network for storage, actions, or
  additional processing.
■ eTrust Audit includes an API that lets you customize responses to audit
  events by adding new actions.
Accountability
Network security administrators face three challenges, known as the
“Security AAA”:
■
Authentication — who is it?
■
Authorization — what is allowed?
■
Accountability — who did what?
The first two items are up to you to control with administrative or security tools,
either native or third party such as eTrust Access Control.
Native auditing event logs provide the basis for accountability. These logs are
written by most operating systems, DBMSs, and commercial and homegrown
applications to reflect the actual transactions performed by them, immediately
after the transactions are completed.
Native Auditing Supported by eTrust Audit 1.5
■ Windows NT/2000
■ UNIX (syslog, sulog, and others — expandable on demand)
■ Other eTrust products, such as:
  - eTrust Access Control
  - eTrust Intrusion Detection
  - eTrust Single Sign On
  - eTrust VPN
  - eTrust content inspection
  - Other eTrust products soon to be added
■ Netscape Enterprise Server
■ Apache Web Server
■ Oracle Server Enterprise Edition
■ OS/390 CA-Top Secret (through SNMP)
■ OS/390 CA-ACF2 (through SNMP)
■ CA-TNG (through SNMP)
■ OS/390 IBM RACF (through SNMP)
■ Any source that can send SNMP traps
eTrust Audit 1.5 accepts data from any platform or application through its
Submit API (SAPI) or the eAudit SNMP recorder. You can configure virtually any
platform, including mainframes, to submit its events to an eTrust Audit router for
further handling. All information is mapped into a uniform format that closely
resembles the format of the NT Event Viewer. You can also create your own Audit
recorder (on UNIX only).
Without eTrust Audit, data from these logs stays where it originated — on local
systems. Native auditing does not forward or collect data.
What Happens to Native Auditing?
The native auditing offered by applications and operating systems is uniformly
underutilized.

  Turned on                                                 Turned off
  --------------------------------------------------------  ----------
  So much data is created that important events cannot      No data
  be found
  Auditors use different tools for each environment         No data

The result in either case: organizations do not know what is happening on their
systems.
Native auditing is seldom used effectively because:
■ Logs grow large and are overwritten
■ Data is written locally and discarded
■ Tools for sorting and analyzing data are insufficient
■ There is no central control of policies
■ Events that happen on different hosts cannot be correlated, for the
  following reasons:
  - Cross-platform analysis is impossible
  - Audit formats differ
  - Reduction capabilities are limited
  - Alerting facilities and analysis tools are non-existent
  - UNIX systems create insufficient audit data
  - Viewing tools are inadequate
eTrust Audit 1.5 solves these problems by offering full control on recording
native auditing:
■ Audit file size is controlled, with an additional back-up option
■ Data is recorded into central databases
■ Data is mapped to a common format, while preserving the original data
■ One smart tool is used for sorting, filtering, and analyzing the data
■ Security policies are centrally controlled
■ Cross-platform support is built in
■ Events that take place on different hosts and different platforms can be
  correlated
■ The eTrust Audit 1.5 Viewer GUI offers a powerful viewing tool
Weakness of Windows NT Native Auditing
Administrators have full control of objects on a domain (or, if they do not have
control, they can take it). This makes the Administrator accounts and the
Administrators group powerful tools for intruders, which is a severe security
weakness in Windows NT.
For example, when intruders attempt a password attack in Windows NT, they
may soon reach the Bad Password limit for the account and be locked out, unless
they are attacking the built-in Administrator account: Windows NT does not apply
account lockout to that account.
The lockout event appears in the event log only on the workstation where the
bad passwords were entered, and only if that workstation has auditing enabled for
failed logon/logoff events. No corresponding event is logged at the domain
controller.
■ Without eTrust Audit, the auditor who suspects improper use of an account
  must search the event logs of all client stations to find the lockout.
■ With eTrust Audit, the sequence of events appears in the event database, and
  appropriate alerts are distributed in near real time.
■ With eTrust Access Control properly configured, the intrusion attempt is
  denied, and a detailed description of the attempt is forwarded to eTrust Audit.
How eTrust Audit 1.5 Empowers Your Auditing
Properly configured, your native auditing provides eTrust Audit 1.5 with many
types of events, such as:
■ Logon/logoff and other security events
■ User administration
■ File, directory, and (in Windows NT) registry access
■ Audit policy changes
■ Object access
■ System events
■ Application events
In themselves, these events are routine occurrences which may take place on a
network thousands of times each day. However, under certain circumstances,
they can constitute suspicious events.
In addition, eTrust Audit lets you create new event sources by specifying
customized criteria that indicate security breaches.
Patterns of Suspicious Activity
By using Policy Manager’s out-of-the-box security policies, you can use native
auditing events to detect intrusion patterns such as:
■ Password guessing and theft of password files. (For example: a user performs
three failed access attempts on the same computer and succeeds only on the
fourth attempt, or a user performs three failed access attempts on three
different computers, running three different operating systems, in a very
short period.)
■ Illegal use of administrative privileges to define new accounts
■ Illegal access to critical resources such as system files and sensitive
registry entries
■ Hiding actions, such as clearing or resetting auditing, changing the audit
setup, and hiding the origins of activity
■ Deleting, replacing, or modifying important data
■ Shutdowns of services and systems
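The two password-guessing patterns listed above, run as detection logic over a handful of logon records. This is an added example and not code from eTrust Audit or Computer Associates; the record layout (timestamp, user, computer, platform, S/F outcome), the 60-second window for the second pattern and the sample records themselves are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (timestamp, user, computer, platform, outcome S/F).
# They are invented for this example, not records from an eTrust Audit event database.
SAMPLE_EVENTS = [
    ("2001-03-05 09:00:01", "jsmith", "PDC1", "NT", "F"),
    ("2001-03-05 09:00:05", "jsmith", "PDC1", "NT", "F"),
    ("2001-03-05 09:00:09", "jsmith", "PDC1", "NT", "F"),
    ("2001-03-05 09:00:14", "jsmith", "PDC1", "NT", "S"),
    ("2001-03-05 09:10:00", "root", "sol1", "Solaris", "F"),
    ("2001-03-05 09:10:07", "root", "web1", "Apache", "F"),
    ("2001-03-05 09:10:12", "root", "NT5", "NT", "F"),
    ("2001-03-05 10:00:00", "mary", "WS3", "NT", "F"),
    ("2001-03-05 10:00:30", "mary", "WS3", "NT", "S"),
]


def _parsed(events):
    """Sort records by time so a streak is evaluated in the order it happened."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), u, c, p, o)
                  for ts, u, c, p, o in events)


def guess_then_success(events, failures=3):
    """Pattern 1: a user fails `failures` times in a row on one computer, then succeeds.
    Returns (user, computer, attempts, time of the successful logon)."""
    alerts = []
    streak = defaultdict(int)            # (user, computer) -> consecutive failures so far
    for ts, user, computer, _plat, outcome in _parsed(events):
        key = (user, computer)
        if outcome == "F":
            streak[key] += 1
            continue
        if streak[key] >= failures:      # a success only counts after a full streak
            alerts.append((user, computer, streak[key] + 1, ts.isoformat(sep=" ")))
        streak[key] = 0
    return alerts


def spray_across_hosts(events, failures=3, window=timedelta(seconds=60)):
    """Pattern 2: a user fails on `failures` different computers running different
    platforms within `window`. Returns (user, computers, time of the first failure)."""
    alerts = []
    by_user = defaultdict(list)
    for rec in _parsed(events):
        if rec[4] == "F":
            by_user[rec[1]].append(rec)
    for user, recs in by_user.items():
        for i, first in enumerate(recs):  # slide the window from each failure
            inside = [r for r in recs[i:] if r[0] - first[0] <= window]
            computers = {r[2] for r in inside}
            platforms = {r[3] for r in inside}
            if len(computers) >= failures and len(platforms) >= failures:
                alerts.append((user, sorted(computers), first[0].isoformat(sep=" ")))
                break                     # one alert per user is enough
    return alerts
```

On the sample records, the first function flags jsmith on PDC1 (three failures, then success) and the second flags root across sol1, web1 and NT5; mary's single failure followed by a success matches neither pattern. The streak counter is keyed on (user, computer), which is what makes the lockout example earlier in this chapter visible even though the domain controller itself logs nothing.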
Components of eTrust Audit 1.5
eTrust Audit 1.5 offers almost limitless flexibility in a multi-tier architecture.
Every computer in your network can participate as a client, and any user in your
network can receive eTrust Audit’s alerts, mail, and system status notifications.
Properly configured, eTrust Audit’s services can transmit events through
firewalls and across the Internet to forward audit data protected by the
encryption method of your choice.
The components of eTrust Audit 1.5 include:
■ Services, which collect and forward audit data, generating actions and alerts
■ Databases: event databases that store audit data for analysis and
management, and a configuration database that stores your intrusion
detection policies
■ Graphical user interfaces:
  - Policy Manager manages policy administration
  - Audit Viewer displays, sorts and filters audit events stored in central
databases. You can also save your own customized filters for future use.
  - Audit Reporter lets you view and schedule detailed, graphic reports
based on the event database
  - Security Monitor displays scrolling alerts in near real time
Actions
eTrust Audit creates a local data file of selected events on each client system and
delivers the data to its dedicated event databases. In addition, selected records
can be written to files, sent to SNMP servers and Unicenter TNG, or sent as e-mail
notifications to specific users, security administrators, and so on.
Policy Management
The composition of rules in the Policy Manager GUI follows an intuitive scheme.
Rules can be added at any point in a hierarchy, and inherit all the conditions
applying at that point and above.
For example, to generate an action whenever an administrator logs on to a
Windows NT server named Techserv, you do not have to write a rule including
Logon, S, Administrator, and the other features of the event. You only need to
navigate to the rule for successful logons by administrators and add a rule with a
single condition: that the computer name is Techserv. If you want to ensure that
the action you specify does not duplicate an action already configured for that
event, you can specify that this action is performed only once. Do that by
highlighting the required policy (NT, UNIX and so on) and selecting the Summary
command from the Policy menu. Alternatively, highlight the policy, right-click,
and select Summary from the pop-up menu.
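A hypothetical model of the rule inheritance described above, added here as an illustration; it is not eTrust Audit's own policy format or code. The `Rule` class, the `once` flag, the action names and the event dictionaries are assumptions made for the example; the tree it builds is the Techserv case from the text.

```python
# Hypothetical model of a Policy Manager rule hierarchy (an added illustration, not
# eTrust Audit's own rule format). A rule stores only the conditions added at its
# level and inherits every condition from the rules above it.

class Rule:
    def __init__(self, name, conditions=None, actions=(), once=False, parent=None):
        self.name = name
        self.conditions = dict(conditions or {})   # conditions added at this level only
        self.actions = list(actions)               # actions to fire when the rule matches
        self.once = once                           # do not repeat an action already fired
        self.parent = parent
        self.children = []
        if parent is not None:
            parent.children.append(self)

    def effective_conditions(self):
        """Own conditions plus every ancestor's; a child may narrow but never drop them."""
        merged = self.parent.effective_conditions() if self.parent else {}
        merged.update(self.conditions)
        return merged

    def matches(self, event):
        return all(event.get(k) == v for k, v in self.effective_conditions().items())


def evaluate(root, event):
    """Collect the actions of every rule whose effective conditions match the event."""
    fired = []

    def walk(rule):
        if not rule.matches(event):
            return                      # children inherit the failed condition, stop here
        for action in rule.actions:
            if rule.once and action in fired:
                continue                # the 'only once' rule: skip an action already fired
            fired.append(action)
        for child in rule.children:
            walk(child)

    walk(root)
    return fired


def build_nt_policy():
    """The worked example from the text: successful administrator logons, plus one
    extra rule, with a single condition, for the server named Techserv."""
    nt = Rule("NT")
    logon = Rule("Logon/Logoff", {"event": "Logon"}, parent=nt)
    success = Rule("Successful", {"status": "S"}, parent=logon)
    admin = Rule("By administrators", {"user": "Administrator"},
                 actions=["collect"], parent=success)
    Rule("On Techserv", {"computer": "Techserv"},
         actions=["collect", "email sysaudit"], once=True, parent=admin)
    return nt


# Constructed events (assumed field names), not records from a real event database.
TECHSERV_LOGON = {"event": "Logon", "status": "S", "user": "Administrator",
                  "computer": "Techserv"}
OTHER_LOGON = dict(TECHSERV_LOGON, computer="Fileserv")
FAILED_LOGON = dict(TECHSERV_LOGON, status="F")
```

The Techserv rule carries only `{"computer": "Techserv"}` itself, yet its effective conditions include Logon, S and Administrator from its ancestors, so a successful administrator logon on Techserv fires the e-mail action while the same logon on another server only reaches the parent's `collect` action. The `once` flag shows why the duplicate check matters: without it the Techserv rule would collect the event a second time.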
Architecture
eTrust Audit 1.5 uses a highly flexible multi-tier architecture. Any number of
clients, servers, and database stations can be incorporated in the auditing
hierarchy. Each client may include several Audit Nodes (ANs). For instance, if
the client is running both UNIX and Netscape Server on the same computer, both
ANs will be monitored by a single eTrust Audit client.
The importance of eTrust Audit
eTrust Audit 1.5 helps security administrators understand and analyze audit
data:
■ Record only the events you choose
■ Redirect events only as appropriate
■ Save data in a common format, while preserving the original native auditing
data
■ Use out-of-the-box intrusion detection policies for the operating system log
files
In native auditing, all events are given precisely the same treatment: they are
recorded in the log. In eTrust Audit 1.5, each event is treated individually. You
can customize responses to suit your auditing priorities. You can intercept the
events you choose and redirect them as appropriate, while preserving native
auditing data unchanged.
eTrust Audit 1.5 can give you as many layers of filtering as you wish. You tell
eTrust Audit:
■ What events to copy from native auditing, and what events to ignore
■ What events should be forwarded for collection in a database
■ What events require prompt attention
■ What events constitute security emergencies
Cross-Platform Data Integration
eTrust Audit 1.5 records audit data from many applications and operating
systems, as previously detailed in this chapter under the Native Auditing
Supported by eTrust Audit 1.5 section.
Cross-Platform Event Management
Besides detecting suspicious events, eTrust Audit 1.5 doubles as an event
manager. eTrust Audit 1.5 collects events across platforms and operating systems
into a comprehensive event database, accessible through a custom Viewer. Data
from all clients is displayed in one consistent format. The commercial relational
databases used by eTrust Audit 1.5 — Microsoft Access, Oracle Server, and
Microsoft SQL Server — can hold very large amounts of data.
The Audit Viewer lets you view different types of events in different colors, as
shown in the following illustration:
In addition, the Audit Viewer provides powerful administrative options:
■ Filtering: select which records will be displayed, based on criteria you
choose. You can also create filters for different users, thus letting them see
only certain components. The Viewer also lets you save your own
customized filters for future use.
■ Sorting: sort data by any field, such as the user, computer, domain, or time
■ Tracking: follow events related to a single user or file
■ Printing: print events and detailed events
■ Reports: view, create, and schedule a variety of text and graphical reports
With these tools, you can easily analyze events, even when the database contains
millions of records.
Data Analysis
An event database may contain millions of records. eTrust Audit 1.5 lets you
filter them with precision. As shown in the following example, you can create
filters that search for highly specific events. Text fields can contain simple regular
expressions.
Scalability
Filtering and alerting can be performed at any location you choose, while multitier routing solves the problem of scalability.
In other words, you can route events from any client or server to any target
anywhere on the network. You may wish to create a strict hierarchy, but you can
bypass it at any time.
Out-of-the-Box Intrusion Detection Policies
eTrust Audit 1.5 ships with ready-to-use intrusion detection policies. Each policy
can be tailored to your specific auditing goals on a specific operating system or
server platform — an Audit Node.
Each policy lets you select and deselect events. By default, no event is selected.
By using Policy Manager, you can distribute the policy to appropriate targets
throughout your network. The success of policy distribution is monitored in a
dedicated window.
Audit Nodes
Audit node (AN) is an abstraction denoting each system from which you would
like to retrieve auditing information.
By using Policy Manager, you can designate AN groups that combine native
auditing systems on different hosts, and then distribute each policy to its
appropriate AN group. Policy Manager also lets you configure and save a user-defined audit node type to be added as a new audit information source. For
details, see Audit Nodes in the “Pre-Installation planning” chapter.
Getting started with eTrust Audit 1.5
The following table outlines the recommended approach for learning about
eTrust Audit 1.5.
What You Should Do … / How to Do It …
■ Install all the components of eTrust Audit 1.5 on a single machine: review the
instructions beginning with Installing the Client in the “Installing eTrust
Audit 1.5” chapter of this guide.
■ Customize your configuration and build your auditing hierarchy: see the
information beginning with Installing the Client in the “Installing eTrust
Audit 1.5” chapter of this guide.
■ Create and administer effective intrusion detection and event management
policies: see Policies in the “Policy Management” chapter of this guide.
Related Documents and Training
As mentioned earlier in this chapter, in Native Auditing Supported by eTrust
Audit 1.5 , eTrust Audit 1.5 can help you handle audit information from many
operating systems and applications.
■ For information regarding other products of the eTrust family (such as eTrust
Access Control for Windows NT and for UNIX, eTrust Intrusion Detection
and eTrust Single Sign-On), see the respective product documentation for
details.
■ For information about organized training, or for other product information,
contact your marketing representative.
■ For details regarding other products that are supported by eTrust Audit 1.5,
see the respective product documentation.
■ Several good third-party books on Windows NT are widely available.
Resources such as the Microsoft TechNet Technical Information Network
CD-ROM also contain helpful articles on securing Windows NT and
Windows 2000 installations.
Product information
Improvements are continuously being made to the products documented in this
book. Contact your marketing representative for up-to-date information.
Chapter 2: Pre-Installation Planning
Installing eTrust Audit takes only a few moments, but before you start this
process, you must take the time to understand the product’s components and
how they relate to your existing event logs and your auditing goals.
You should plan your auditing hierarchy, and be aware of technical issues
affecting installation.
When you install eTrust Audit 1.5, you choose among three components:
■ The Client software must be installed on each system you want to audit. This
software consists of related agents and services.
■ The Policy Manager includes the Policy Manager graphical user interface and
associated services and databases. The Policy Manager components do not
require a dedicated host, but they should reside on a fast, stable machine.
■ Data Tools include the event database, Audit Viewer, Security Monitor, Audit
Reporter, and the Collector service. We recommend a strong, dedicated
computer with enough free space for the Collector service.
Planning What to Audit
eTrust Audit relies on data generated by native operating systems auditing
(Windows NT and UNIX) as well as by eTrust products. Configure the auditing
programs with care.
Avoid collecting unnecessary information that can strain personnel and system
resources.
Consider implementing the following steps regarding security administrators:
■ You can maximize accountability by separating auditing and administrative
roles, and by distributing auditing responsibilities.
■ You can configure the client to forward certain types of records instantly to
several Collector stations or e-mail accounts, so that even an administrator
cannot tamper with audit data.
■ You will probably find it convenient to put security administrators into a
group of their own (a recommended name for the group is sysaudit). To
manage groups, use eTrust Access Control if you have it, or use Windows
NT User Manager.
eTrust Access Control for UNIX and eTrust Access Control for Windows
eTrust Access Control for UNIX and eTrust Access Control for Windows are
Computer Associates products that enhance and supplement native auditing.
eTrust Access Control provides important protection for Windows NT and UNIX
systems, including virus and Trojan horse detection.
■ If you are running eTrust Access Control for Windows, then you can use it
for auditing. Wherever you are set up to record Windows NT audit records,
you will automatically record any audit records from eTrust Access Control
for Windows as well.
■ If you are running eTrust Access Control for UNIX, you can receive audit
data from there as well.
Windows NT 4.0
Unless you turn on Windows NT auditing for events such as Logon/Logoff,
eTrust Audit 1.5 cannot collect and analyze these events.
■ By using the Policy Manager’s NT Policies window, you can remotely configure
the elements of the system’s native auditing.
The Client
Every computer in the network that is to be audited must have the client
software installed. The client software collects local audit data from various
applications and from the operating systems of the platforms for which it is
available, as previously detailed in Platform. After collecting the local audit data,
it sends this data to other stations, and issues notifications and alerts.
Tip: For Windows NT installations, ensure that you include the PDC (Primary
Domain Controller), where domain administration events are logged.
Regardless of which Windows NT Server computer you use to make changes
in User Manager for Domains, events are logged only at the PDC.
Platform
The eTrust Audit 1.5 client is available for:
■ Windows NT 4.0 (SP 3 and higher); Windows 2000 (and SP 1)
■ Solaris 2.5.1 and higher (HPUX, AIX and LINUX in future service packs)
You may use UNIX recorders for submitting events from additional log files, by
adding parsing configuration files (MP files).
Note that API is available only for these platforms.
The Client Architecture
The client comprises:
■ eAudit recorder (SeLogRec.exe on NT and acrecorderd on UNIX) modules
for each platform, which collect and forward messages from the native auditing
present on the client to the eTrust Audit 1.5 router.
■ eAudit Redirector (SeLogRd.exe, on NT only), which receives all events from the
NT recorder and sends them to the router.
■ eAudit log router (ACLOGRD.exe on NT and aclogrd on UNIX), which applies
filtering rules to events and determines what actions will be issued.
■ eAudit SNMP recorder (SNMPREC.EXE on NT and snmprec on UNIX).
■ eAudit action manager (ACACTMGR.exe on Windows NT and acactmgr on
UNIX), which initiates actions, either local or remote, and carries out
responses to audit events, including:
  - E-mail messages
  - Sending alerts to Security Monitor
  - Screen pop-up messages
  - Forwarding messages by SNMP
  - Sending events to the Collector, which stores them for later use by Audit
Viewer, Audit Reporter and other tools
  - Forwarding messages to other routers
  - Sending events to Unicenter TNG
  - Writing lines to files
  - Running programs and scripts
■ eAudit distribution agent (ACDISTAGN.exe on Windows NT and Acdistagn
on UNIX), specific to each platform, which reacts to instructions from the
policy distribution server.
It is possible to separate the eAudit recorder and router; for example, if there is
not enough free disk space for queues, or if the host is not powerful enough to
run a router.
The following illustration shows the elements normally present on an eTrust
Audit 1.5 client:
Each AN type requires a different eAudit recorder module. For example:
■ In Windows NT, events are forwarded to the router by a recorder service and
a redirector service.
■ On each client located on a UNIX host, a generic recorder controls recorder
modules for the various audit nodes. The generic recorder does not filter;
instead, it controls the frequency and intensity of message forwarding to the
router.
The generic recorder has two types of modules:
■ One module for the UNIX native logs, the Netscape log and the Apache log
■ An Oracle module for the Oracle log (audit node)
If a UNIX host runs two audit nodes, one of the Oracle type and one of the
UNIX type, both modules are needed to collect messages from the two audit
nodes. Each module sends its messages to the router, which processes them as
shown in the previous illustration.
The Policy Manager
The Policy Manager software includes database, services, and a graphical user
interface, shown in the following illustration.
Platform
Policy Manager requires x86 machines running Windows NT 4, SP 5 and higher,
or Windows 2000.
Database
The policy manager database uses Microsoft Access database for storing the
policies and the policy activation log.
You should decide on which host to install policy manager. Afterwards, assign
this host’s IP address or host’s name to all clients in the system as a trusted
server, the only server from which the client will accept new policies.
Services
The manager software includes the eAudit distribution server. This server
receives policies from the Policy Manager and sends them to the eAudit
distribution agents, which are part of The Client software.
Policy Manager GUI
Policy Manager lets you manage and distribute policies enterprise-wide by using
four separate GUI windows:
■ Policies
■ Audit nodes
■ Policy Activation Log
■ Users
Policies
The Policies window currently displays policies as logically nested in up to 16
hierarchical levels of rules.
When you install eTrust Audit 1.5, you can take advantage of many out-of-the-box policies, or create user-defined policies from scratch.
Two types of pre-defined rules exist:
■ Suspicious events rules let you choose among out-of-the-box policies that
generate actions such as e-mail or alerts in response to possible security
violations. You can add conditions to any rule; for example, within
Logon/Logoff, you could add a condition monitoring logons by a specific
user.
■ Collection rules let you set the eTrust Audit router to handle events and
send them to the Collector to be stored in the database for future use.
In addition, the user can define and add custom rules by using the wizard.
In Windows NT and Windows 2000, the user can change audit policy for audit
nodes.
Audit Nodes
Audit Node (AN) is an abstraction denoting each system or application from
which you would like to retrieve auditing information.
In a network environment, one host may run several different applications, and
one type of application may run on several different hosts. Under such
circumstances, it would not make sense to designate either the host or the server
as an AN.
Instead, you designate each instance of the AN by type and current location, by
default, the logical name of the AN (usually, the operating system or service
type), plus the host name. You apply your policies to AN groups as you
configure them in this window.
Each AN can belong to only one group. Only one policy can apply to each AN
group.
Policy Activation Log
The Policy Activation Log window lets you follow the success of the eAudit
distribution server’s asynchronous transmissions from your configuration
database.
The Activation log notifies you if some instance of an AN is unavailable or
improperly configured, so that you can take corrective action.
Users
The Users window lets you configure the users of eTrust Audit Policy Manager.
Each user can be authorized to:
■ Configure policies
■ Distribute policies
■ Manage users
Data Tools
The Data Tools package includes the event database and four components:
■ Collector service
■ Audit Viewer
■ Audit Reporter
■ Security Monitor
Recommended Configuration
A Collector station needs a dedicated processor with a minimum speed of 350
MHz and at least 128 MB of RAM. The event database requires roughly 0.6 to 2 KB
of disk space per record, depending on the database product (see Hardware under
System requirements, later in this chapter).
Choosing a Database
eTrust Audit 1.5 can use three commercial relational databases — Microsoft
Access (versions 97 and higher) , Oracle Server (versions 7.0 and 8.05), or
Microsoft SQL Server (versions 6.5, 7.0 and 2000). By using ODBC (open
database connectivity), the database is used by Audit Viewer, Audit Reporter,
and Audit Collector.
■ Microsoft Access is configured as the default choice. Note that an Access .mdb
file cannot grow beyond about 1 GB (Access 97) or 2 GB (Access 2000), so for a
Collector that receives a high volume of events choose Oracle Server or
Microsoft SQL Server instead.
■ For Oracle Server, you must create the database and configure an Oracle
client on each machine that needs access to the audit database before
installation. For details, see Configuring an Oracle client in the Appendix.
■ For Microsoft SQL Server, you must create the database before installation.
For configuring the type of authentication for the SQL Server, see Windows
NT Authentication with Microsoft SQL Server in the Appendix.
Note: If during setup you select Oracle or SQL as your database, then for both
types Setup lets you select the option of creating new tables. Ensure that you
create new tables only once per database. (Each time you choose the Create New
Tables option, your existing data is erased). You may install several Collector
services that write to one database.
Audit Viewer
You can configure eTrust Audit to collect records across platforms and from
many different stations into a single event database. Audit Viewer uses standard
DBMS technology and ODBC connectivity.
You can view, print, and archive your audit logs like any other database. Audit
Viewer’s precise filtering helps you focus on particular audit data, and you can
print reports according to useful, flexible criteria.
You can use the strong filtering mechanism and save the filters for future use by
a specific user or all the users.
Security Monitor
Security Monitor shows you audit records by using a GUI, much as Audit Viewer
does, but Security Monitor is intended for events that deserve attention in near
real time. Because Security Monitor is a viewer for the very latest alerts, it differs
from Audit Viewer in a number of ways:
■ By default, the data scrolls past as you watch
■ You save audit data manually in files to which you give names
■ Security Monitor has no report generation, no filtering, and no multiple
windowing
Audit Reporter
The Audit Reporter lets you view selected data from the eTrust Audit event
database in the form of graphic or detail reports. You can generate reports for
immediate viewing, or you can schedule reports to be generated later.
Several formats are available for the reports, including text file, Word document,
HTML, and Crystal Reports.
Collector Service
The Collector service receives records from action managers and enters them into
the event database. For detailed description of the Collector service parameters,
see The Collector Service in the “Services” chapter.
Event Database
As previously mentioned in this chapter in Choosing a Database, eTrust Audit
1.5 uses ODBC for the event database used by the Collector service, Audit
Viewer and Audit Reporter. If you do not already have current ODBC drivers,
then you can install them from the eTrust Audit 1.5 CD as part of Microsoft Data
Access Pack.
Audit Viewer, Audit Reporter, and the Collector service must log in to the event
database. For Audit Viewer, the user enters a username and password. However,
it may not be desirable to require manual entry of the username and password
each time the Collector service starts. To configure the Collector service to log in
to the database, use one of the following two ways:
■ During setup, provide a username and password to eTrust Audit 1.5, so that
the Collector service will log in silently. The stored password is encrypted on
the Collector host (see Encryption under System requirements, later in this
chapter), but the service must be able to decrypt it to log in, so treat it as
recoverable by anyone with administrative access to that host.
■ For Microsoft SQL Server, configure the ODBC drivers to use Windows NT’s
native authentication, which avoids storing a database password at all.
Microsoft Access
If you select to use a Microsoft Access database, no configuration tasks are
required. The database will be created and configured for you automatically. The
Collector service, Audit Viewer and Audit Reporter will have automatic access.
Note that you have no need to install Microsoft Access itself. eTrust Audit 1.5’s
Collector will write to the .mdb file that is created in your system, and you do not
need to handle this file yourself.
Microsoft SQL Server
For Microsoft SQL Server, you must create the event database before installing
the Collector or Viewer software. You can configure Microsoft SQL Server to use
Windows NT authentication to log in to the database automatically when the
Collector service starts.
Oracle Server
For Oracle Server, you must create the event database before installing the
Collector or Viewer software. Before you install Collector, Viewer, and Reporter,
you must create an Oracle client at each host that will run these components.
Configure the client by using the Oracle Net8 Easy Config utility. See
Configuring an Oracle client in the Appendix.
Note that if the Collector service resides on the same machine where the Oracle
Server is located, you may need to define a depend-on-service regarding Oracle
services.
Data Flow
The following illustration reviews how the eTrust Audit 1.5 components work
together.
Sample Configuration
The following illustration shows how a simple network might use the
components of eTrust Audit 1.5.
System requirements
eTrust Audit 1.5 has certain requirements with regard to your operating system,
hardware, database, mail, and firewall. You should also take some planning
considerations into account.
Operating System
eTrust Audit 1.5 components can run on the following operation systems:
■ Client: Windows NT 4.0 SP 3 or higher; Windows 2000; UNIX (Sun Solaris
2.5.1 and higher)
■ Policy Manager and Data Tools: Windows NT 4.0 SP 5 or higher; Windows
2000
Hardware
To accomplish installation, each PC needs a CD-ROM drive or access to the CD-ROM drive on another station.
The disk space required for eTrust Audit 1.5 varies according to the components
you install and the number of records you maintain.
■ To install all the eTrust Audit 1.5 components, you need at least 70 MB free
on a hard drive in Windows NT, and at least 57 MB on UNIX. Normally not all
components are installed at all stations.
■ For the hardest working of the eTrust Audit 1.5 services, the Collector
service, a dedicated computer with a strong CPU is recommended. At the
least, yours should provide a processing speed of 350 MHz and 128 MB of
RAM. The event database needs additional disk space: approximately 0.6 KB
per record for Oracle Server and Microsoft Access, or 2 KB per record for
Microsoft SQL Server.
■ Note that if you install the router service on the client, this service requires
space for queues, in which case you need at least 25 MB of free disk space
(on Windows NT) or 15 MB (on UNIX).
Database
See the Event Database part in the Data Tools section in this chapter.
Mail
eTrust Audit 1.5 is configured to use only Simple Mail Transfer Protocol (SMTP)
for any e-mail notifications it issues.
Firewall
It is not generally advisable to place the following eTrust Audit 1.5 components
on opposite sides of a firewall:
■ eAudit recorder – Remote Router
■ Local Router – Remote Router
■ Local Router – Remote Collector
■ Local Router – Remote Security Monitor
The eAudit recorder and router services use Sun RPC to route audit records. The
receiving service registers with the portmapper and is assigned a port
dynamically, so there is no way to know in advance which port it will listen on;
placing the Collector or the remote router behind a firewall therefore cannot be
handled by simply opening a fixed set of UDP ports.
For Windows NT 4.0 and Windows 2000, note that eTrust Audit 1.5 installs the Sun
RPC portmapper. You should not remove or disable this service while running
eTrust Audit 1.5.
If you must separate the components with a firewall, configure eTrust Audit 1.5
as instructed on Firewall in the Appendix.
Encryption
As installed, eTrust Audit 1.5 uses 56-bit DES encryption for the transfer of audit
information from station to station. Bear in mind that a 56-bit DES key can be
recovered by exhaustive search (a purpose-built machine did so publicly in 1998),
so the default protects audit traffic from casual interception rather than from a
well-resourced adversary; change the installed key rather than keeping the
default it ships with. For instructions on changing the encryption key or
eliminating encryption, see Encryption in the Appendix.
Note that in eTrust Audit 1.5, the user name and password that are used for the
connection to the database are encrypted, so that they are displayed in their
encrypted form in the registry editor file. To change the name and password
manually, use the Encup utility, described in Appendix A.
Besides using the Policy Manager, you can also configure the native auditing for
events and control access to objects by using Windows NT User Manager for
domains.
You can turn on file, directory, and registry key auditing by using:
■ NT Explorer’s file and directory properties for Security and auditing
■ Auditing and Security options in RegEdt32.exe
Several good third-party books on Windows NT are widely available. Resources
such as the Microsoft TechNet Technical Information Network CD-ROM also contain
helpful articles on securing Windows NT installations.
Oracle Enterprise Edition
Oracle Server generates a native auditing event log, which is read by eTrust
Audit 1.5. For details, see the chapters that refer to database security and
Auditing, in Oracle8 literature.
Netscape Enterprise Server
Like Oracle Server, Netscape server generates a native auditing event log, which
is read by eTrust Audit 1.5. For details, see the chapters that refer to monitoring
the server in Netscape Enterprise Server’s literature.
Apache Web server
eTrust Audit 1.5 can read event logs created by Apache Web Server version
1.3.12, which just like Netscape server generates a native auditing event log. For
details, see the chapter that refers to securing the web server in Apache Web
Server’s literature.
UNIX
eTrust Audit 1.5 can read event logs created by Sun Solaris 2.5.1 to 2.7 (HPUX,
AIX and LINUX in future service packs).
When working with UNIX operating systems, eTrust Audit 1.5 reads and
processes the system messages that syslogd writes to its log files, as well as log
files written by other daemons and programs that you specify.
For details, see the chapters on system logging and auditing in your UNIX
operating system documentation.
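An added example of the recorder side of this, serving both the UNIX recorder (and its MP parsing configuration files, described under Platform in the Client section) and the Apache and UNIX log sources above: a parser that turns a syslog line and an Apache common-log line into one common record of the kind the Collector stores. It is not eTrust Audit's own code; the sample lines, host names and field names are constructed for the illustration, and the outcome heuristics (the word "fail" in a syslog message, HTTP status 401 or 403) are assumptions.

```python
import re

# Constructed sample log lines for a hypothetical UNIX host "sol1" and an Apache host
# "web1". They are invented for this example, not captured from a real system.
SAMPLE_LINES = [
    ("UNIX", "Mar  5 09:10:00 sol1 su: 'su root' failed for jsmith on /dev/pts/3"),
    ("UNIX", "Mar  5 09:10:30 sol1 su: 'su root' succeeded for jsmith on /dev/pts/3"),
    ("Apache", '10.0.0.7 - admin [05/Mar/2001:09:10:07 +0000] "GET /private/ HTTP/1.0" 401 -'),
    ("Apache", '10.0.0.7 - admin [05/Mar/2001:09:10:12 +0000] "GET /private/ HTTP/1.0" 200 512'),
    ("UNIX", "this line is not in syslog format"),
]

# Classic syslog layout: "Mon dd hh:mm:ss host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# Apache common log format: client ident user [time] "request" status size
APACHE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$')


def parse_syslog(line):
    """Normalise one syslog line, or return None if it is not in syslog layout."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    user = re.search(r" for (\S+)", msg)   # su messages name the invoking user after "for"
    return {"an_type": "UNIX", "host": m.group("host"), "time": m.group("ts"),
            "program": m.group("prog"), "user": user.group(1) if user else "",
            "outcome": "F" if "fail" in msg.lower() else "S",   # assumed heuristic
            "detail": msg}


def parse_apache(line, host):
    """Normalise one Apache common-log line for the audit node running on `host`."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    status = int(m.group("status"))
    return {"an_type": "Apache", "host": host, "time": m.group("ts"),
            "program": "httpd", "user": m.group("user"),
            "outcome": "F" if status in (401, 403) else "S",    # assumed heuristic
            "detail": "%s %s from %s" % (m.group("req"), status, m.group("client"))}


def record(lines, apache_host="web1"):
    """Recorder loop: normalise each line according to its AN type. Unparseable lines
    are counted and skipped rather than aborting the run, which is the failure mode
    a recorder reading a live log must survive."""
    records, skipped = [], 0
    for an_type, line in lines:
        rec = parse_syslog(line) if an_type == "UNIX" else parse_apache(line, apache_host)
        if rec is None:
            skipped += 1
            continue
        records.append(rec)
    return records, skipped
```

Because every record carries the same fields (an_type, host, time, user, outcome, detail), the router's rules and the Viewer's filters can treat an su failure on Solaris and a 401 from Apache alike, which is what makes the cross-platform pattern earlier in this guide (failures on three different platforms in a short period) detectable at all. A real MP configuration would carry the regular expressions and the outcome mapping as data rather than code.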
Chapter 3: Installing eTrust Audit
eTrust Audit installation consists of three component packages:
■ Client
■ Policy Manager
■ Data Tools
You must install and configure eTrust Audit client on every station in the
auditing hierarchy.
For Windows NT installations, it is strongly recommended that you install the
eTrust Audit 1.5 client on your primary domain controllers (PDCs), where
domain administration events are logged.
It is recommended that you restart each computer after installation.
Installing the Client
Before installing the Client on Windows NT, ensure that you know the location
(host name or IP address) of the policy manager host and the self-monitor host,
because you should indicate the location of these hosts during the installation.
The client software collects local audit data, sends audit data to other stations,
and issues notifications and alerts. You need this software on every station that is
to be audited.
The client software includes the distribution agent, eAudit recorder, router, and
action manager. There is no graphical user interface. You configure the services,
telling the software what events to record and transmit, at installation and by
using the Policy Manager.
Installing eTrust Audit
3–1
Installing the Client on Windows NT
To install the client on Windows NT, follow these steps:
1. If any applications are running, it is recommended that you close them all. If you have uninstalled eTrust Audit 1.5 since the last time you restarted your computer, it is recommended that you restart before beginning installation.
2. Insert the eTrust Audit 1.5 CD-ROM. The setup program runs automatically.
If you are using a remote CD drive, select Run from the Windows NT Start menu. In the text box, specify the eTrust Audit 1.5 setup program. For example, if drive E: contains the eTrust Audit 1.5 CD-ROM, enter:
E:\Pe_x86.exe
Then click OK.
Alternatively, if you downloaded and unzipped the software, run client.exe from the temporary directory.
Note: You can also perform the installation by running the Client.exe file from the Client Windows NT setup directory.
3. Select Components. From the eTrust Product Explorer, specify which components you want to install, in this case eTrust Audit Client for Windows NT.
When you install eTrust Audit Client for Windows NT, you can choose between custom and standard installation. This document details the phases of a custom installation.
3–2
eTrust Audit Administrator Guide
Custom Installation
When you are performing a custom installation, note the following:
1. Immediately after you choose the custom installation, the Optional Components dialog appears, prompting you to choose which optional components to install. As the dialog states, required components are not listed there and are always installed.
2. The Destination Folder section of the dialog lets you choose a destination other than the system default (C:\Program Files\eTrustAudit). However, install eTrust Audit 1.5 on a local disk, not on a network drive. If you check the Router box, the router is installed on the local host, meaning it handles events from the same computer on which you are installing the client. If you want the router on another host, leave its box unchecked; you are then prompted later for the host name or IP address of that remote host. The router location can be changed at any time afterwards by editing the registry key.
3. After you select a program folder, the next dialog displays a list of event sources from which you can choose. Leave the default event sources (NT System, NT Security and NT Application event logs).
4. Two sequential dialogs prompt you to indicate a host:
■ The Self-Monitoring host receives eTrust Audit 1.5's internal messages. In this dialog, enter the address (IP address or host name) of the host where the Security Monitor will later be installed to display eTrust Audit's internal messages. You can leave this dialog empty and click Next. Installing the Security Monitor is part of the Data Tools installation. You can add the service later by editing the registry keys. For details, see Monitor Parameters in the “Registry Keys” chapter.
■ The following dialog, Client Management, prompts you for the location of the host that will run eTrust Audit Policy Manager. If you do not know the name of such a host, click Next.
Note: During setup, you can define only one server as a trusted server recognized by the Distribution Agent Service. You can add more trusted servers later by editing the key of the Distribution Agent Service. This key is found in the Management Agent section of the registry keys.
5. If you did not check the Router box at the beginning of the installation, meaning you do not want the router installed locally, the Host Router dialog is now displayed, prompting you to type the DNS name or IP address of that host.
6. The next dialog prompts you to choose your SMTP mail server. Enter the name of your organization's mail server if it is different from the default, mailsrv. Click Next.
7. In the last dialog, you are asked whether you want to configure the eTrust Audit services for automatic or manual startup. If you select Manual, you can run these services either from the command line with the -start parameter or by opening the Services window, highlighting the required services, and clicking Start. Having made your decision, click Next to review your chosen settings and start the installation.
Silent Setup Option
If you want to install the client across the whole network without repeating this procedure, you can use the “silent setup” option, which lets you skip the question phase by preparing an “answer file.” To do that, follow these steps:
1. First, perform a template setup that records an answer file (*.iss). From the command prompt, in the directory where client.exe is located, run client -a -r -f1Path, where Path is the location where you want the .iss file saved. For example:
client -a -r -f1Z:\users\Mycroft\silent.iss
2. Now you can install the product silently, or over the network by using third-party utilities such as pcAnywhere, Unicenter RCO or RConsole from the Resource Kit. To install the client from the answer file, enter at the command prompt client -a -s -f1Path (where Path is the location of the .iss file), for example:
client -a -s -f1Z:\users\Mycroft\silent.iss
Note that there is no space between -f1 and the path.
Installing the Client on UNIX
You must have root authority to install eTrust Audit 1.5.
To install the client on UNIX, you need two files: the product itself and the installation script. For example, to install on a Solaris system you need the following two files:
■ _SOLARIS_AC1.5.xx.tar.Z (the product itself, where xx is the build number)
■ install_eTrustAudit (the installation script)
From the installation directory (<cdrom_mount>/eTrust/Audit/Client/Solaris), run the script install_eTrustAudit. If you are running eTrust Access Control, you receive a message instructing you to stop the eTrust Access Control daemon.
The setup program asks for the host name or IP address of the policy
management host - the management station from which you want this client to
receive its audit policies. The next dialog asks for the self-monitoring host – the
host where the self-monitor will reside.
Next, you should identify which recorder modules you would like to activate:
syslog, su_log, Netscape, Oracle, and Apache.
After Installing the Client on UNIX
■ When installation is complete, the daemons should run automatically. If not, start the eTrust Audit daemons (aclogrd, acactmngr, acrecorderd, and acdistagn) from the command line:
/etc/rc2.d/S77<daemon name> start
for example: /etc/rc2.d/S77aclogrd start
■ Even after you have installed the client and started all its services, the router does not write events to queues until it receives policy files from the Policy Manager.
■ If you are reinstalling, be aware that the .dat files and action queues remain unchanged after the reinstall of eTrust Audit 1.5 (provided, of course, that eTrust Audit was not uninstalled prior to reinstallation).
Installing the Policy Manager
Policy Manager consists of one service, the eAudit Distribution Server, a configuration database accessed through ODBC, and a GUI.
eTrust Audit uses a standard installation wizard. To perform the installation:
1. If any applications are running, it is recommended that you close them all.
2. Insert the eTrust Audit 1.5 CD-ROM.
3. Select Run from the Windows NT Start menu. In the text box, specify the eTrust Audit 1.5 setup program. For example, if drive E: contains the eTrust Audit 1.5 CD-ROM, enter:
E:\pe_x86.exe
Then click OK.
Alternatively, if you downloaded and unzipped the software, run PolicyManager.exe from the temporary directory.
4. Setup reminds you to close any applications that may be running. If you want to close them, click Exit Setup, close the applications, and restart the setup program. Otherwise, click Next.
5. In the Destination Path dialog, choose the destination folder in which Policy Manager will be installed, and then click Next.
6. In the following dialog, you are asked to indicate the program folder. Accept the default program folder (eTrustAudit) or select another one, and then click Next.
7. The next dialog prompts you for the name of the authorized user who will initially be able to run the Policy Manager.
8. Next, you are asked to enter a password to protect your Policy Manager database.
9. The Self-Monitoring Host dialog shown earlier in this chapter now appears, asking you for the DNS name or IP address of that host.
10. Click Next. You can modify the location of the Self-Monitoring Host later by editing the registry keys. For details, see Monitor Parameters in the “Registry Keys” chapter. Click Next and then click OK in the dialog warning you that the Security Monitor is not yet installed.
11. Next, you are asked whether you want to configure the eTrust Audit 1.5 services for automatic or manual startup. If you select Manual, you can run these services either from the command line with the -start parameter or by opening the Services window and choosing the relevant service.
12. The last dialog, titled Start Installation, displays all the data accumulated so far and asks you to confirm it by clicking Continue. Review the data and click the button when you are ready to start the installation.
Installing Data Tools
When you install Data Tools, you can select whether to install one or more of the following optional components:
■ Audit Viewer is a tool for auditors. It lets auditors collect records across platforms and from many different stations into a single event log, which can be viewed, printed, archived and filtered like any other database.
■ Security Monitor, likewise, is a tool for auditors and security managers. When the Security Monitor window is open, alerts scroll past in near real time. When the window is closed, the application is still running in the background, and a light bulb icon in the system tray signals new data.
■ The Collector service. This service, which exists only on Windows NT and Windows 2000 platforms, receives information from other stations where eTrust Audit 1.5 is running and writes it to the event database.
■ The Reporter displays the reports that are generated by filtering the database.
eTrust Audit 1.5 uses a standard installation wizard. To perform the installation:
1. If any applications are running, it is recommended that you close them all.
2. Insert the eTrust Audit 1.5 CD-ROM.
3. Select Run from the Windows NT Start menu. In the text box, specify the eTrust Audit 1.5 setup program. For example, if drive E: contains the eTrust Audit 1.5 CD-ROM, enter:
E:\pe_x86.exe
Then click OK.
Alternatively, if you downloaded and unzipped the software, run DataTools.exe from the temporary directory.
4. Setup reminds you to close any applications that may be running. If you want to close them, click Exit Setup, close the applications, and restart the setup program. Otherwise, click Next.
5. In the Setup Type dialog, choose the type that suits you (Custom or Standard) and then click Next.
6. The following dialog lets you choose which of these optional components you want to install:
■ Viewer
■ Security Monitor
■ Collector
■ Reporter
As noted in the dialog, required components are not listed in the dialog and are always installed.
7. In the next dialog, select the database type or leave the default choice, Microsoft Access, and then click Next. If you choose Microsoft Access, setup handles the database transparently. For both Microsoft SQL Server and Oracle Server, a DBA must set up the database before the Collector software is installed; otherwise, the eTrust Audit tables are created in a default database rather than in their own dedicated database.
8. The following dialog prompts you for the name of your SMTP server. Enter the name of your organization's mail server if it is different from the default, mailsrv. Click Next.
9. Indicate the location (host name or IP address) of your self-monitoring host
and click Next to review your settings and start the installation process,
same as you did when you installed the Client software.
10. The last dialog, bearing the title Start Installation, displays all data
accumulated so far and asks you to confirm the data by pressing Continue.
Review the data and press the button when ready to start the installation.
Starting the Services
The first time you start eTrust Audit 1.5, you start the services either
automatically or by running them from the command line with the -start
parameter.
Windows NT and Windows 2000 let you use the Control Panel’s Services dialog
box to start the services on successive occasions.
The Portmap service, available only on Windows NT and Windows 2000, is common to all components of the software. This service supports the Sun RPC protocol.
Other services are:
Client services:
■ eAudit event recorder (selogrec.exe for Windows NT or Windows 2000, acrecorderd for UNIX). For details on the NT event recorder, see the Recorder Service for NT section in the “Services” chapter. For details on the recorder for UNIX, see the Recorder Daemon for UNIX section in the same chapter.
■ eAudit redirector for NT (selogrd.exe). For details, see The Redirector Service in the “Services” chapter. This service does not exist in the UNIX environment.
■ eAudit SNMP recorder (snmprec.exe). For details, see The eAudit SNMP Recorder Service in the “Services” chapter. For details on the SNMP recorder for UNIX, see SNMP Recorder Parameters for UNIX in the same chapter.
■ eAudit log router (aclogrd.exe). For details, see The Log Router Service in the “Services” chapter. For details on the eAudit log router for UNIX, see Log Router UNIX Parameters in the same chapter.
■ eAudit action manager (acactmgr.exe). For details, see The Action Manager Service in the “Services” chapter. For details on the action manager service for UNIX, see Log Router UNIX Parameters in the same chapter.
■ eAudit distribution agent (acdistagn.exe). For details, see The eAudit Distribution Agent Service in the “Services” chapter. For details on the eAudit distribution agent for UNIX, see Distribution Agent UNIX Parameters in the same chapter.
Data Tools services:
■ eAudit Collector service (selogrcd.exe). For details, see The Collector Service in the “Services” chapter.
Policy Manager services:
■ eAudit distribution service (acdistsrv.exe). For details, see The eAudit Distribution Server in the “Services” chapter.
Starting Services in Windows NT or Windows 2000
As mentioned earlier, the first time you start eTrust Audit 1.5, you start the
services either automatically or by running them from the command line with
the -start parameter. In addition, Windows NT and Windows 2000 let you use
the Control Panel’s Services dialog box to start the services on successive
occasions. This section details both ways.
Starting the services for the first time
You may have configured the services to start automatically and restarted since
then. If not, start the services at the appropriate stations. Use the Windows NT
Control Panel - Services dialog, or enter these commands in the DOS command
line (where audit is the installation directory you specified in step 5 of the
installation procedure):
Command                         Description
audit\bin\SeLogRec -start       eAudit Recorder service
audit\bin\SeLogRcd -start       eAudit Collector service
audit\bin\selogrd -start        eAudit Redirector service
audit\bin\aclogrd -start        eAudit Log Router service
audit\bin\acactmgr -start       eAudit Action Manager service
audit\bin\acdistsrv -start      eAudit Distribution Server service
audit\bin\acdistagn -start      eAudit Distribution Agent service
Starting the services on successive occasions
You can start the services from the command line as you may have done the first time, or you can open the Windows NT or Windows 2000 Control Panel (from Settings on the Start menu) and use the Services dialog box to start the services automatically.
The eTrust Audit 1.5 services are listed as:
■ eAudit Action Manager
■ eAudit Collector
■ eAudit Distribution Agent
■ eAudit Distribution Server
■ eAudit Log Router
■ eAudit Portmap
■ eAudit Recorder
■ eAudit Redirector
■ eAudit SNMP Recorder
Starting Services in UNIX
You can start the eAudit UNIX daemons in either of two ways:
■ Running the daemon directly.
■ Running its script from the init directory: /etc/rc2.d/S77<daemon_name> start
Before running a daemon directly, export the required environment variables into the current shell (Bourne or Korn) by sourcing the script ac_set_env.sh from /usr/eaudit/bin. For example:
% . /usr/eaudit/bin/ac_set_env.sh
(% stands for the UNIX prompt.)
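The two UNIX procedures above (checking that the client daemons came up after installation, and starting them through their /etc/rc2.d/S77<daemon> scripts after sourcing ac_set_env.sh) combined into one check-and-start script. This is an added example and not a script shipped with eTrust Audit: the daemon names and the default paths /usr/eaudit/bin/ac_set_env.sh and /etc/rc2.d are taken from the guide, while the function names, the environment overrides and the file name eaudit_check.sh used in the final guard are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of eTrust Audit): check the UNIX client daemons the
# guide names and start any that are down through their rc2.d scripts, after
# sourcing ac_set_env.sh as the guide requires. Paths are the guide's defaults
# and can be overridden through the environment.

EAUDIT_HOME="${EAUDIT_HOME:-/usr/eaudit}"    # install root, per the guide
EAUDIT_RCDIR="${EAUDIT_RCDIR:-/etc/rc2.d}"   # init directory, per the guide
EAUDIT_DAEMONS="aclogrd acactmngr acrecorderd acdistagn"   # names from the guide

# True (exit 0) when a process whose command name is exactly $1 is running.
# ps -A -o comm= prints one command name per process on Solaris, Linux and BSD;
# grep -x rejects partial matches such as "aclogrd.old".
eaudit_daemon_running() {
    ps -A -o comm= 2>/dev/null | sed 's#.*/##' | grep -qx -e "$1"
}

# Start one daemon through its init script. Returns 1 if the script is not
# present or not executable, 2 if the script's start action failed.
eaudit_start_daemon() {
    script="$EAUDIT_RCDIR/S77$1"
    if [ ! -x "$script" ]; then
        echo "missing or not executable: $script" >&2
        return 1
    fi
    "$script" start || return 2
    echo "started: $1"
}

# Walk the daemon list; start each one that is not running. Returns the number
# of daemons that could not be started, so a caller can alert on non-zero.
eaudit_ensure_daemons() {
    failures=0
    for d in $EAUDIT_DAEMONS; do
        if eaudit_daemon_running "$d"; then
            echo "running: $d"
        else
            eaudit_start_daemon "$d" || failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# When run as a script (assumed file name eaudit_check.sh), source the
# environment first, as the guide requires, then check and start the daemons.
if [ "${0##*/}" = "eaudit_check.sh" ]; then
    if [ -r "$EAUDIT_HOME/bin/ac_set_env.sh" ]; then
        . "$EAUDIT_HOME/bin/ac_set_env.sh"
    fi
    eaudit_ensure_daemons
fi
```

Running it as root after the install, or from cron, gives one line per daemon and a non-zero exit status whenever a daemon could not be started, which is the signal to look at the rc script or at the Policy Manager connection. Remember the guide's caveat: a running aclogrd still writes nothing to its queues until the Policy Manager has delivered policy files, so a clean run of this script does not by itself prove that events are being routed.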
Chapter 4: Policy Management
The Policy Manager software includes a database, a service, and a graphical user interface, shown in the following illustration.
The Policy Manager includes four windows:
■ Policies window
■ Audit Nodes window
■ Policy Activation Log window
■ Users window
Policy Management
4–1
Database
The Policy Manager database uses Microsoft Access database for storing the
policies, audit nodes and their groups, as well as the policy activation log.
Service
The manager software includes the eAudit Distribution Server, which receives policies from the Policy Manager and sends them to the eAudit distribution agents. The eAudit Distribution Agent Service is part of the client software.
Policy Manager GUI
Policy Manager lets you manage and distribute policies enterprise-wide by using the following GUI windows:
■ Policies
■ Audit Nodes
■ Policy Activation Log
■ Users
Policies
The Policies window displays policies as logically nested in up to 16 hierarchical levels of rules.
When you install eTrust Audit 1.5, you can take advantage of many out-of-the-box policies.
Two types of pre-defined rules exist:
■ Suspicious events rules. These rules let you choose among out-of-the-box policies that generate actions such as e-mail or alerts in response to possible security violations. You can add conditions to any rule; for example, within Logon/Logoff, you could add a condition monitoring logons by a specific user.
■ Collection rules. These rules configure the eTrust Audit 1.5 router to handle events and send them to the Collector, to be stored in the database for future use.
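A suspicious-events rule fires an action when a condition holds over the events the client collects; on UNIX one such raw source is the su log read by the su_log recorder module selected during the client installation. As an added example, which is not eTrust Audit rule syntax and not code from the guide, the shell and awk filter below makes two such conditions concrete over a constructed Solaris sulog sample: repeated failed su attempts by one user to one target, and a successful su that follows earlier failures by the same user. The record layout (SU mm/dd hh:mm {+|-} tty from-to) is the Solaris sulog format; the sample lines, the threshold and the function names are made up for the example.

```shell
#!/bin/sh
# Added example (not eTrust Audit rule syntax): the kind of condition a
# "suspicious events" rule encodes, evaluated here by awk over Solaris sulog
# records. Record layout: SU mm/dd hh:mm {+|-} tty from-to, where "-" marks a
# failed su and "+" a successful one. Records are assumed to be in time order,
# which is how su appends them.

# Constructed sample, not real data.
SAMPLE_SULOG='SU 03/14 09:12 - pts/3 jdoe-root
SU 03/14 09:12 - pts/3 jdoe-root
SU 03/14 09:13 - pts/3 jdoe-root
SU 03/14 09:14 + pts/3 jdoe-root
SU 03/14 10:02 + pts/7 opsadm-root
SU 03/14 10:40 - pts/1 backup-oracle
SU 03/14 11:05 - console jdoe-root'

# Condition 1: failed su attempts per from->to pair reaching a threshold
# (default 3). Reads sulog text on stdin, prints "from->to count", sorted.
# The target is the text after the LAST hyphen, so a user name that itself
# contains a hyphen still parses.
flag_failed_su() {
    threshold=${1:-3}
    awk -v min="$threshold" '
        $1 == "SU" && $4 == "-" {
            n = split($6, p, "-"); to = p[n]
            from = substr($6, 1, length($6) - length(to) - 1)
            fails[from "->" to]++
        }
        END { for (k in fails) if (fails[k] >= min) print k, fails[k] }' | sort
}

# Condition 2: a successful su preceded by at least one failure for the same
# from->to pair, the pattern an auditor most wants to see. Prints the pairs.
failed_then_succeeded_su() {
    awk '
        $1 == "SU" {
            n = split($6, p, "-"); to = p[n]
            from = substr($6, 1, length($6) - length(to) - 1)
            key = from "->" to
            if ($4 == "-") failed[key]++
            else if ($4 == "+" && failed[key] > 0) hit[key] = 1
        }
        END { for (k in hit) print k }' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SULOG" | flag_failed_su 3
printf '%s\n' "$SAMPLE_SULOG" | failed_then_succeeded_su
```

Over the sample, the first filter reports jdoe->root with four failures and stays silent about the single backup->oracle failure; the second reports jdoe->root because the 09:14 success followed three failures, while opsadm->root, which succeeded without any failure, is not reported. In eTrust Audit the equivalent is a rule condition on the su_log event fields with an e-mail or alert action attached; the point of the example is to show what the condition has to express, not how the product stores it.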
The Default Policies folder is essentially read-only. This folder does not let the
user change hierarchy, but only define actions and choose rules.
To create new policies, new rules and so on, it is recommended that you make a
copy of the existing Policies folder, by using the regular copy and paste
operation.
Auditing NT Policy
To audit NT policy, highlight the policy and right-click. Select Properties from
the pop-up menu, and then select the Audit tab, partly shown below. Check the
events you want to audit. Note that if you check the File and Object Access box,
the Select Critical Objects button is enabled.
Click on this button to select the critical objects that you want to audit, be it files,
directories, or registry keys. The critical objects tab, partly shown below, also lets
you add, edit, or delete critical objects.
Note: To enable auditing, the file system must be NTFS.
Creating a New Rule
Besides creating new policies, you can define and add custom rules by right-clicking the appropriate policy or rule and then selecting the New Rule command.
1. The Rule Wizard opens, offering you two ways to define custom rules: by using a wizard or by using an editor.
2. If you choose the Using editor option and then click Next, the next dialog lets
you enter the rule filter and its condition in free text. Choosing the Using
wizard option leads to the dialog shown in the following illustration, which
lets you include conditions from a list of pre-defined fields:
3. Whether you create the rule by using the wizard or the editor, the next dialog is Actions, which lets you select the actions to be issued when the event occurs:
This dialog lets you select the action type and add targets to the list that is
linked to the action type. Every action must have a target linked to it. An
action can be performed for any target (on a local server or on a remote
server).
4. Click Finish to end the process and create a new rule.
If you want to ensure that the action you specify does not duplicate an action
already configured for that event, you can specify a rule dictating that this action
is performed only once. Do that by highlighting the required policy (NT, UNIX
and so on) and selecting the Summary command from the Policy menu.
Alternatively, highlight the policy and then right-click and select Summary from
the pop-up menu.
Creating a New Policy
1. To create a new policy, highlight any policy folder, and perform one of the following operations:
■ Right-click and select the New Policy command from the pop-up menu
■ Press Ctrl+N
■ Select the New command from the File menu
■ Click the New icon on the toolbar
(Note that in the Default Policies folder, the New Policy command is disabled in the pop-up menu, but you can select this command by using one of the other three ways previously mentioned.)
2. The Policy Wizard opens:
This window lets you create policy by template (a ready, pre-defined policy)
or by AN type, in which case a new, empty policy without any rule is
created.
Note that besides the pre-defined policy templates, you can save an existing
policy as a template by right-clicking the policy and selecting the Save as
Template command.
You may want to create a new policy from scratch for an AN for which a
template already exists (for example, Netscape). The Default Policies folder
does not let you do that, because it disables the existing templates area. Note,
however, that you can perform this operation in a copied Policy folder. In
such case, it is recommended that in the copied folder you erase the existing
template so that you can create a new one. Alternatively, you can create an
entirely new folder in which to make new policies.
3. If you are working in a copied folder and you try to create a new policy with
the same name of an existing policy without erasing first the existing
template, the following message appears:
4. Assign a name and description to the new policy and click Finish. (If you
create an NT policy, two additional dialogs prompt you to select critical files
and critical registry keys).
Note that you can define audit properties for Windows NT policy.
Activating and Deactivating Policy Folder
1. To activate a policy folder, highlight the folder and then perform one of the following actions:
■ Right-click the folder and then select the Activate command, or
■ Select the Activate command from the Policy menu, or
■ Select the Activate All command from the Policy menu (if you want to activate all policy folders).
Note that to activate a policy folder you need to select at least one rule in that folder; otherwise, a message similar to the following one is displayed:
A rule to which no action is defined is displayed in white, as shown in the
following illustration:
2. To select an action for this rule, highlight the rule, right click, and then
choose the Properties command. The Properties dialog, like the one shown in
the following illustration, appears. Switch to the Actions tab and select at
least one action:
3. Having selected at least one action, click OK to close the Properties window.
Note that the events group is now displayed in blue. Click the bell icon to
change its color to red (a toggle), indicating that the rule is selected:
4. Now that the rule is selected, you can activate its policy folder.
A policy folder can have three activation statuses, each shown by its own icon:
■ Policy not activated
■ Policy activated
■ Policy modified (after it was activated)
Audit Nodes
An Audit Node (AN) is an abstraction denoting each system or application from which you want to retrieve auditing information.
In a network environment, one host may run several different applications, and
one type of application may run on several different hosts. Under such
circumstances, it would not make sense to designate either the host or the server
as an AN.
Instead, you designate each instance of the AN by type and current location —
by default, the logical name of the AN (usually, the operating system or service
type), plus the host name.
You apply your policies to AN groups as you configure them in this window.
Each AN can belong to only one group. Only one policy can apply to each AN
group.
An audit node can be created in any AN group. When you delete an AN from its
group, this AN is deleted altogether. You can move an AN from one AN group
to another by using the drag and drop operation.
The Definitions tab in AN group Properties dialog, partly shown below, displays
a list of action types and relevant remote servers.
You can define a remote server for any action type and use this definition in the
Actions tab of the policy rule.
Audit Node Groups can have three statuses, each shown by its own icon:
■ Black screen: no policy folder was activated for this audit node group, or a policy folder was detached from the group.
■ Blue screen: a policy folder was activated for this audit node group, and the definitions of remote servers were not changed.
■ A policy folder was activated for this audit node group, but the definitions of remote servers were changed.
To reactivate policy for a specific audit node group, right-click the group and choose the Policy Reactivate command from the pop-up menu. Note that this option is enabled only if the policy folder attached to the group is activated.
You can also add or delete audit types.
To add a new audit node type, choose AN Types from the File menu. In the
Audit Node Types dialog box, which appears now, enter a name and description
for the new audit type, and then click Add. The prompt shown in the following
illustration appears:
To delete an audit node type, highlight one of the types that appear in the Existing AN types section, at the top of the Audit Node Types dialog box, and click Delete. Note that you can delete AN types that you created, but not pre-defined AN types.
The audit node icon comprises three elements: a computer, a status icon, and a triangular background of the status icon.
The triangular background can be displayed in several forms, indicating:
■ The audit node initial status.
■ The policy was activated successfully.
■ A problem occurred during the policy activation attempt.
■ A fatal error occurred during policy activation. No further attempts will be performed.
■ A notification message that can be sent during the policy distribution process.
■ The policy was removed successfully.
■ A problem occurred during the policy removal attempt.
■ A fatal error occurred during policy removal. No further attempts will be performed.
■ A notification message that can be sent during the policy removal process.
Audit Node Statuses
The Policy Manager reports two audit node statuses, according to whether a policy exists on the node:
■ Blue screen: policy exists on the audit node.
■ Black screen: policy does not exist on the audit node.
For a specific audit node, you can also deactivate the policy, not just reactivate it as with audit node groups. To do that, highlight the audit node and right-click to display the following pop-up menu:
The Policy Reactivate command is enabled if the audit node group containing the audit node is active and the policy folder attached to this group is activated.
The Policy Deactivate command is enabled if there is a policy on the audit node and the audit node group is not active or is modified.
Policy Activation Log
The Policy Activation Log Viewer lets you follow the success of the eAudit
distribution server’s asynchronous transmissions of policies.
The Activation log notifies you if some instance of an AN is unavailable or
improperly configured, so that you can take corrective action.
Two dialog types help to simplify your work:
■ Event Detail dialog: displays the same data that appears in the event line, but lets you view and print it.
■ Log Filter dialog: lets you filter the types of event that you want to include in the log.
You can open the activation log by right clicking on the audit node and selecting
the Show Policy Activation Log command.
Having selected the activation log, the log matching the audit node from which it
was opened is now displayed.
You can also open the activation log by right clicking on the Policy folder and
selecting the Show Policy Activation Log command. In such case, the log
matching the policy from which it was opened is displayed.
The Users Window
The Users window lets you configure the users of eTrust Audit Policy Manager. You must be listed in the Users window in order to open the Policy Manager application.
Each user can be authorized to:
■ Configure policies, by checking the Policy Configuration box. Such a user can change existing policies, define new policies, change existing rules (including filters, actions and targets), and define new ones.
■ Manage users, by checking the User Management box. A user manager can define new users, change the permissions of existing users, and delete existing users.
Note that if only one user with user management capability exists in the system, you cannot delete this user or cancel their user management capability. In such a case, the warning shown in the following illustration is displayed:
Besides defining new users, a user manager can also add users from the drop-down menu in the New User dialog box. To appear in the list in this dialog box, a user must first be defined in User Manager (in Windows NT) or in Local Users and Groups (in Windows 2000).
■ Distribute policies, by checking the Policy Distribution box. This lets the user define groups of audit nodes and the audit nodes themselves, change the way audit nodes belong to the various auditing groups, and attach and detach policies to audit node groups. Such a user can also activate or deactivate policy, and define or remove types of audit nodes.
Chapter 5: Data Tools
Three graphical user interfaces (GUIs) are at your service for viewing audit data:
■ Audit Viewer displays the event database and lets you create reports by using the eAudit Reporter.
■ The Audit Reporter displays the reports that are generated by filtering the database in the Audit Viewer.
■ Security Monitor scrolls alerts in near real time.
This chapter will help you interpret Audit Viewer and Security Monitor records,
manage your data, and customize the interfaces.
Database
eTrust Audit 1.5 can use three commercial relational databases — Microsoft
Access (versions 97 and higher), Oracle Server (versions 7.0 and 8.05), or
Microsoft SQL Server (versions 6.5, 7.0, and 2000). Audit Viewer, Audit
Reporter, and Audit Collector all access the database through ODBC (Open
Database Connectivity).
■ Microsoft Access is configured as the default choice.
■ For Oracle Server, you must create the database and configure an Oracle
  client on each machine that needs access to the audit database before
  installation. For details, see Configuring an Oracle Client in the Appendix.
■ For Microsoft SQL Server, you must create the database before installation.
  For configuring the type of authentication for the SQL Server, see Windows
  NT Authentication with Microsoft SQL Server in the Appendix.
Note: If during setup you select Oracle or SQL Server as your database, Setup
lets you select the option of creating new tables for either type. Ensure that
you create new tables only once per database: each time you choose the Create
New Tables option, your existing data is erased. You may install several
Collector services that write to one database.
Service
The manager software includes the Collector service, which is located in
audit\bin (where audit is the directory in which you installed eTrust Audit
1.5). This service receives information from other stations where eTrust Audit
1.5 is running and writes it to the event database.
Audit Viewer
Audit Viewer shows you audit information, much as the Windows NT Event
Viewer does, but Audit Viewer has many advantages:
■ You can configure eTrust Audit 1.5 to collect records from different stations
  and platforms into a single event database for use by Audit Viewer.
■ Audit Viewer’s precise filtering helps you focus on particular audit data.
■ Audit Viewer can handle large databases; the event database is governed by
  standard DBMS technology.
■ By using the eAudit Reporter, you can schedule, display, and print well
  formatted reports according to useful, flexible criteria.
■ You can archive and print your event data like any other database material.
Audit Viewer is one of the components of eTrust Audit Data Tools. When you
installed eTrust Audit 1.5, you should have installed the Viewer software on one
or more auditor stations.
With Audit Viewer, you view the event database created by the Collector service.
You may install the Collector and Viewer software together, but it is not a
requirement. You can use Audit Viewer on one machine to view the event
database on another.
Note for Microsoft Access Users
If you are using the Microsoft Access database type and you want to use Audit
Viewer to access a database located on another computer, you must first map the
remote drive to your machine, and then set up the System DSN.
Microsoft Access limits the size of the database to one gigabyte or approximately
one million records. To back up the database, you should:
1. Stop the Collector service and the Audit Viewers.
2. Rename the event database (SeOSData.mdb) as you wish.
3. Copy the file SeOSDataBak.mdb.
4. Rename the copy of SeOSDataBak.mdb to SeOSData.mdb.
5. Restart the Collector service and the Audit Viewers.
Starting Audit Viewer
Start Audit Viewer like any other Windows NT program. Its program folder was
specified at installation. By default, it is eTrust Audit\bin.
This applies for Oracle and SQL only: When Audit Viewer starts, you may be asked
for the database name, user name, and password, unless they are recorded in the
registry (see Database in the “Registry Keys” chapter).
The event database appears in a window, sorted by timestamp, with the newest
records at the top. You can resize it just like any other standard application
window. Besides the scroll bars and arrow keys, you can use the View menu’s
commands (First Record, Previous Record, Next Record, Last Record) and the
corresponding toolbar icons to navigate among the records.
Note: If your database is very large, you may get a message telling you to filter
the records. This message means that it would be wise to filter the data before
searching for a particular record. For details on filtering records, see Filtering the
Records in this chapter.
Remember, there will be no data if the eTrust Audit 1.5 services have not been
running (see Starting the Services in the “Installing eTrust Audit” chapter).
Note that for records to appear in Audit Viewer:
■ The client’s recorder service must be configured to collect events from at
  least one source.
■ The client’s redirector configuration file must contain rules specifying that
  records be forwarded to the Router.
■ The Router (on Windows NT) must have at least one rule with the action
  Collector.
■ The Collector service must write collected records to the event database.
For details, consult the chapters on the respective services.
Selecting Event Databases for Viewing
By default, Audit Viewer shows you the event database with the data source
name (DSN) eAudit_DSN. However, you can use Audit Viewer to view different
event databases. You can view as many databases as you wish, or you can open
more than one copy of the same database and apply different filtering and
sorting options.
To see additional databases, you need to create a system DSN for each one. When
you select New from the File menu, you see a list of all available system DSNs,
and you can choose the remote event database you want to view.
You can also enter a list of relevant DSNs in the registry; for details, see
Database in the “Registry Keys” chapter. If a list is present, choosing New from
the File menu lets you see only the DSNs in the list. The registry also lets you
change the default DSN.
Examining the Event Database
Each record consists of nine fields.
(Untitled column at far left)
    The icons shown in the following illustration characterize events. For
    certain miscellaneous events, classified as “other” events, there is no
    icon.
    [Icon legend: Information, Warning, Error, Audit Success, Audit Failure,
    Others]
Time Stamp
    The time when the event originated on the client machine, adjusted to the
    local time in case of time zone differences.
Log Name
    NT-Application, NT-System, NT-Security, eTrust AC (eTrust Access Control),
    SW3 (eTrust Intrusion Detection), Netscape, UNIX, Oracle, and Apache.
Computer Name
    The name of the station where the event occurred.
Domain Name
    The name of a Windows NT domain (not applicable for UNIX).
User
    The name of the user who performed the action.
Source
    The program or resource through which the event was executed.
    For Windows NT events, it is the same as in the Windows NT Event Viewer.
    For other events, it could be an eTrust Audit 1.5 source (such as any of
    the three eAudit services), an eTrust Access Control service, or an
    external program as reported by eTrust Access Control.
Event Category
    Account Management, Administration, Logon/Logoff, and so on. The tokens
    are different for Windows NT and for eTrust Access Control.
Event ID
    The Windows NT event ID, or, if the record came from eTrust Access Control,
    the stage number. Double-click the record for an explanation. A table of
    security-related Windows NT event IDs is included in the Appendix.
Refresh
As new events are added to the database, Audit Viewer does not add them
automatically to your display. You can, however, manually refresh the display to
include the latest additions. To do that, select Refresh from the View menu or use
<F5>.
Finding a Particular Record
You can find records according to the text of any given field.
1. Click in the column where you expect to find a particular string of text.
   For example, if you are looking for records reporting Logon/Logoff events,
   click in the Event Category column.
2. Select Find from the Edit menu, or use the shortcut <Ctrl><f>. Enter a string
   in the dialog box that appears.
   You can choose whether to match the case of your string, and whether to
   search Up or Down.
3. When you click Find Next in the dialog box, the cursor — the triangle in the
   leftmost column — jumps to the closest matching record in the specified
   direction. The match is highlighted by a rectangle around the cell.
4. To find the next match, click Find Next again. Even when the dialog box is no
   longer displayed, you can use <F3> or select Find Next from the Edit menu.
Displaying an Event in Detail
To see any event in further detail, you can use any of these techniques:
■ Double-click inside the record.
■ Click inside the record to select it, and then select Event Detail from the
  View menu.
■ Click inside the record to select it, right-click, and select Event Detail
  from the pop-up menu.
The Details of Event dialog box appears. Notice that it includes buttons for
switching to the previous or next event and for printing the current details.
Whereas the top part of the Details box is standard, the bottom part — the
Description — is application-dependent. For details on how to interpret the
descriptions of native operating system or application events, see the
documentation of the respective operating system or application.
Sorting the Records
You can sort the displayed records chronologically or alphanumerically. You can
sort in ascending or descending order.
Sorting by Record Number
When Audit Viewer opens, records are sorted by timestamp. The timestamp
gives the time of the occurrence of the event on the client machine. When it is
displayed, the timestamp is adjusted for any difference in time zone between the
client and the Collector.
The record number reflects the order in which the records arrived at the
Collector, regardless of delays in transmission.
To sort by record number, select Sort from the View menu and then select the By
Record Number option.
Sorting Alphanumerically
To sort alphanumerically by any of the columns, you can use any of three
techniques:
■ Position the mouse cursor over the title of the column that you want to sort.
  The pointer changes its shape into an arrow. Then double-click. To reverse
  the order of the sort, double-click again.
■ Select the column by which you want to sort (it does not matter which line
  you select), and then select Sort from the View menu and the By Current
  Column option.
■ Select the column that you want to sort by, and then right-click and select
  Sort from the pop-up menu.
The sort operation may take some time, and it includes a secondary sort by time
for records where the column values are identical.
To reverse the sequence of the sort, re-select the same sorting method. For
example, if you are currently sorting bottom-to-top by timestamp and you want
to sort top-to-bottom by timestamp, double-click the Time Stamp column header,
or select the column and use the menu.
Filtering the Records
You can filter the event data — that is, specify criteria by which records will
be displayed or hidden — according to fields or according to events. You can
also filter by file, which means specifying one or more files and finding all
the events that directly concern them.
■ When you filter by fields, events are filtered by the contents of the fields
  (column headings) you see in Audit Viewer. You can easily filter Windows NT
  events by using event IDs. A table of security-related Windows NT event IDs
  is included in the Appendix.
■ The menus for filtering by events were originally designed for eTrust Access
  Control, incorporating its classes and commands. However, you can map all
  events to eTrust Audit 1.5’s generic filters.
■ You can define and use a unique filter per database and save it for a
  specific user. The window title indicates the DSN name (also known as the
  audit events database) and the type of filter you use. In addition, you can
  open more than one view for different databases.
Filter Bar
On the left side of the screen, you can see the filter bar. This area contains
predefined filters, such as Last 7 days’ records and administration records. In
addition, this bar contains a filter that bears the user’s name. The following
illustration shows the filter bar docked, with the user filter at the bottom.
All new filters you add will be under the filter that bears the user name. To
add new filters, right-click in the filter bar to display the following menu:
Having defined the way to filter, either by fields or by events, as described
later, you are required to define the filter properties, such as field or event
types or filtering range. Having done that and pressed Save, you are prompted to
assign a name for the newly created filter, and to determine whether it will be
available to all users or only to the current user:
The new filter is added under the “user” filters. Having added the new filter,
you can now make it a start-up filter, to be used the next time you start the
viewer. To do that, right-click the filter and select the Use as Startup
command.
Filtering by Fields
1. To filter by fields, you can use either of these techniques:
   ■ Select Filter by Fields from the Filter menu.
   ■ Alternatively, click the toolbar’s Filter by Fields icon.
2. A dialog box opens, displaying the filtering options. The filtering is
   cumulatively restrictive. That is to say, if you specify several criteria,
   then the filter admits only those records that meet all the criteria.
By default, the first time you start the Viewer, no records are excluded. By
changing the specifications, you exclude records that are not of interest to
you. You can then save your customized filters by checking the appropriate box.
At the top of the dialog box, you can specify what time-range interests you.
In the time fields, click on any of the numbers and use the small arrow buttons.
In the date field, click on the arrow to drop down a calendar.
In the calendar, you can click on the year and use the accompanying arrow
buttons to change it; click on the month and choose another month from a list;
or click on any day of the month to select that day and close the calendar.
To reorient yourself by jumping to the current date, click on the Today line at
the bottom of the calendar or use the right-hand mouse button.
In the bottom section of the form, each field corresponds to a column in the
main window. In each field, you can enter a string you want to match. Select Not
to exclude records that match your string.
If your event database type is Oracle Server or case-sensitive Microsoft SQL
Server, field matching is case-sensitive.
You can use the asterisk (*) and question mark (?) as wildcard characters. You
can filter by more than one string if you separate them with commas. The filter
will then admit records whose data matches any of the strings.
If you want to define the filter as a startup filter (that is, the default
filter to be used when the Viewer starts), you can do it from the dialog box or
by right-clicking the filter and selecting the Use as Startup option. Note that
after defining the filter as a startup filter, the Reset Startup Filter icon and
command are enabled.
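The following is an added example, not code from the guide or the product: a small Python model of the Filter by Fields rules just described (commas separate alternative strings, ? matches one character, * matches any run, Not inverts a field, all criteria must hold, and matching is case-sensitive only for Oracle or case-sensitive SQL Server databases), run over constructed sample records. The column names, record values and the optional time range are assumptions of the example.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not data from the product). Each record maps an
# Audit Viewer column name to its value; "Time Stamp" is a datetime.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"Time Stamp": datetime(2001, 3, 5, 9, 0), "User": "admin1",
     "Event Category": "Logon/Logoff", "Computer Name": "NTSRV1"},
    {"Time Stamp": datetime(2001, 3, 5, 9, 5), "User": "admin12",
     "Event Category": "Logon/Logoff", "Computer Name": "NTSRV1"},
    {"Time Stamp": datetime(2001, 3, 5, 10, 0), "User": "guest42",
     "Event Category": "Account Management", "Computer Name": "NTSRV2"},
    {"Time Stamp": datetime(2001, 3, 6, 8, 30), "User": "Guest7",
     "Event Category": "Logon/Logoff", "Computer Name": "NTSRV2"},
    {"Time Stamp": datetime(2001, 3, 7, 23, 59), "User": "operator",
     "Event Category": "Logon/Logoff", "Computer Name": "NTSRV1"},
]

# One criterion as entered in the dialog: (column, pattern string, Not checked).
Criterion = Tuple[str, str, bool]


def pattern_to_regex(pattern: str, case_sensitive: bool) -> "re.Pattern[str]":
    """Translate one filter string such as "admin?,guest*" into a regex.

    Commas separate alternative strings, "?" stands for exactly one character
    and "*" for any run of characters; the whole field value must match.
    """
    alternatives = []
    for alt in pattern.split(","):
        alt = alt.strip()
        if alt:
            # Escape regex metacharacters first, then re-enable the wildcards.
            alternatives.append(
                re.escape(alt).replace(r"\*", ".*").replace(r"\?", "."))
    if not alternatives:          # an empty pattern places no constraint
        alternatives.append(".*")
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.compile("^(?:" + "|".join(alternatives) + ")$", flags)


def apply_field_filter(
    records: List[Dict[str, object]],
    criteria: List[Criterion],
    time_range: Optional[Tuple[datetime, datetime]] = None,
    case_sensitive: bool = False,
) -> List[Dict[str, object]]:
    """Return the records the filter admits, in their original order.

    The filter is cumulatively restrictive: a record is shown only if it lies
    inside the time range (when one is given) and satisfies every field
    criterion. A criterion with Not checked admits a record exactly when the
    field does NOT match its pattern. case_sensitive=True models an Oracle or
    case-sensitive SQL Server event database.
    """
    compiled = [(col, pattern_to_regex(pat, case_sensitive), negate)
                for col, pat, negate in criteria if pat.strip()]
    shown = []
    for rec in records:
        if time_range is not None:
            start, end = time_range
            if not (start <= rec["Time Stamp"] <= end):
                continue
        admitted = True
        for col, regex, negate in compiled:
            matched = regex.match(str(rec.get(col, ""))) is not None
            if matched == negate:   # no match, or a match on a Not criterion
                admitted = False
                break
        if admitted:
            shown.append(rec)
    return shown


def shown_users(records: List[Dict[str, object]]) -> List[str]:
    """Convenience: the User column of a filtered result, in display order."""
    return [str(r["User"]) for r in records]


if __name__ == "__main__":
    # The dialog's own example: users admin1, admin2, guest1 ... guest100.
    crit = [("User", "admin?,guest*", False),
            ("Event Category", "Logon/Logoff", False)]
    print(shown_users(apply_field_filter(SAMPLE_RECORDS, crit)))
```

Note that admin12 is rejected by admin? because ? stands for exactly one character, while Guest7 is admitted only when the database is not case-sensitive.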
Filtering by Event
To filter by event, you can select Filter by Event from the Filter menu, or
click the toolbar’s Filter by Event icon.
A dialog box opens, displaying the filtering options.
You can specify a range of dates just as you can when you filter by fields, as
described in the Filtering by Fields section of this chapter.
In the next part of the dialog box, the three fields correspond to columns in
the main Audit Viewer window. By filling one or more fields, you make Audit
Viewer include only the records that match your specifications in those fields.
You can use the asterisk (*) and question mark (?) as wildcard characters.
Domain
    The Windows NT domain (not applicable for UNIX).
Computer
    The host station where the event occurred.
Log Name
    NT-Application, NT-System, NT-Security, eTrust AC (eTrust Access Control),
    UNIX, Netscape, Oracle, Apache.
The third part of the dialog box includes checkboxes for events, with associated
tabs beneath. The page for each tab includes text boxes.
The text boxes permit the use of commas, question marks (one unknown
character), and asterisks (any number of unknown characters). For example, to
display records for users named admin1, admin2, and guest1 through guest100,
enter admin?,guest* in a “user” field.
When you select a tab in the Events section of the dialog, drop-down menus and
text boxes allow you to enter criteria for filtering. Filtering by event was
originally designed to match eTrust Access Control events, but you can also
filter for events from Windows NT.
Events and their mapping to Windows NT events:
Administration
    The Windows NT events User Right Assigned and User Right Removed are
    included under Change User. Local and global groups are treated as
    equivalent.
Login
    Logon/logoff events. In the “Login From” field, you can enter the name of
    the computer, and in the “Login To” field, the name of the domain.
Network
    eTrust Access Control and eTrust Audit only.
Resource
    An object such as a file or a registry key.
Trusted Program
    eTrust Access Control only (a trusted program will not run in any altered
    form).
Tracking
    The PROCESS class will catch events 592 and 593.
Filtering by File
When eTrust Audit 1.5 reports that a user or program has opened a file, the file
name appears in the corresponding audit record. Further events concerning that
file are reported without the filename. But if you filter by file, eTrust Audit
1.5 will single out each complete series of events that unfolds from the
opening of a specified file.
In filtering by file, you can specify one or more files or filename patterns.
You can use the comma, asterisk, and question mark. For example:
■ You can enter myfile to mean the file named myfile.
■ You can enter myfile, file_? to mean the file named myfile and all files
  named file_1, file_2, file_a, file_b, and so on.
■ You can enter myfile, file_?, *setup* to mean the file named myfile; all
  files named file_1, file_2, file_a, file_b, and so on; and all files named
  setup.exe, newsetup, mysetup.log, and so on.
The Filter by file command is on the Filter menu. When you select the command,
a dialog box appears. Enter the name of the file, and click OK.
After the filtering, Windows NT events in the main window are organized in
sets. Each set corresponds to the opening and subsequent handling of a file.
The main window shows the set’s first event (the opening of the file). If there are
more events in the set, a “+” icon appears in the leftmost column. Click on the
“+” icon for a record to list its entire set.
The listing of the full set of events occurs in a separate window. You can display
details of each event, and in general, you can work in the new window much as
you work in the main window. Two additional buttons, Previous and Next, move
from set to set.
Like filtering by file, tracking by event shows you a complete series of audit
records relating to an object — such as a file or a registry key — even though only
the first of the records contains the object’s name. (The first record reports the
opening of the object.)
To track what happens concerning an opened object:
1. Select the record that reports the opening of the object.
2. Select Track Event from the Filter menu, or right-click and select Track
   Event from the pop-up menu that appears.
Unfiltering
To restore the complete list of events, select Show all events from the Filter menu
or select the toolbar’s View All events icon.
Copying Records into Other Applications
You can copy records to the Windows clipboard in order to paste them into
documents handled by other applications.
By using the mouse, <Shift>, and <Ctrl>, highlight the records you want to copy.
Then select Copy from the Edit menu or press <Ctrl><C>.
The information is copied to the Windows NT clipboard, and you can paste it
into other applications.
Printing Records
With the File menu, you can print either the entire filtered display or the details
of specified records.
To check in advance what the printout will look like, select Print Preview from
the File menu. Ensure that the column widths on screen are set appropriately for
your printout.
To change print parameters, select Print Setup and Page Setup from the File
menu. Save your Page Setup if you want to use it again.
Select Print from the File menu, or click Print. Use the Print dialog box that
appears.
The printout conforms to the styles and properties currently used in the Main
window. (Styles and properties include fonts, colors, and so on. See Customizing
the Viewers in the “Appendix” chapter for details on how to edit them.)
Headers and footers
If you want to adjust the header or footer for the printout, select Header/Footer
from the File menu.
Note the use of the $ sign. As you enter text for your header or footer, you can
include the following variables:
$A    Application name
$D    Date
$F    Document’s filename
$N    Number of pages
$P    Page number
You can control the fonts of the header and footer separately, and save your
specifications in a profile for future use.
Printing record details
To print details of one or more records:
1. Select the records. You do not need to open the “Details of Event” box. You
   can use <Shift>Click and <Ctrl>Click to select continuous and discontinuous
   groups of records.
2. If you would like to check in advance what the printout would look like,
   select Print Detail Preview from the File menu.
   To change print parameters, select Print Setup from the File menu.
3. Select Print Detail from the File menu. Use the Print dialog box that
   appears.
Closing Audit Viewer
You close Audit Viewer like any other Windows program. Select Exit from the
File menu, use the Close button on the main window, or use <Alt><F4>.
The Audit Reporter
Displaying and Printing Reports
To receive the reports you want:
Select Report Manager from the Report menu, or open the Audit Reporter from the
eTrust Audit program group. A list of reports is displayed, letting you choose
the reports you want to view from the sources you use. In the example shown in
the following illustration, we can see the eTrust Audit 1.5 reports, which are
arranged by five main events.
The second tab – Scheduled Reports – displays the list of reports that run at
pre-specified intervals.
To add a report to the scheduled reports list, or to customize its settings and
output type, highlight a report and then right-click. In the example shown in
the following illustration, we have chosen the Shutdown report:
If you choose the Add to Schedule option, the following dialog opens:
Note that this report is highly customizable, letting you select between four
formats for displaying your report, as well as several pre-defined days on which
the report will run (such as next Tuesday, every Tuesday, today, and tomorrow).
You can also assign a user-defined file, which the report will overwrite each
time that it is transferred.
To customize the data displayed in the report, click Options:
In the example shown here, we have chosen to limit the report by displaying only
the events of the current week on a specific computer used by a specific user
name. The other tab lets you select the database from which to gather the data,
as well as test the database connection:
Note that unlike the reports you view on the screen, scheduled reports can only
be sent to the printer.
The resulting report displays a list of all available days, and lets you choose
which day to view. You can use the two icons shown in the following illustration
to refresh the screen and view the log of reports generated so far.
Searching within reports
By using the toolbar, you can search downward for text strings within reports
printed to the screen.
Security Monitor
Security Monitor shows you audit records, much as Audit Viewer does, but
Security Monitor is intended for events that deserve attention in near-realtime.
Because Security Monitor is a viewer for the very latest alerts, it differs from
Audit Viewer in a number of ways:
■ Security Monitor is intended for the display of exceptional, high-priority
  alerts.
■ By default, the data scrolls past as you watch. When you stop scrolling, data
  is held in a buffer, which can hold up to 10,000 alerts (default: 100).
■ The alerts currently displayed are saved when you close Security Monitor,
  and will be visible the next time you open it. You can save the current set
  of alerts as a text file at any time.
■ Security Monitor has no report generation, no filtering, and no multiple
  windowing. It lets you copy records, as does Audit Viewer, but its Edit menu
  has no Copy command; you use <Ctrl><C> instead.
Starting Security Monitor
When you installed eTrust Audit 1.5, you should have installed Security Monitor
(the monitor software) on one or more security administrator stations. Records
reach Security Monitor by having Monitor designated as a destination, as
described in The Router Configuration File in the “Services” chapter.
By default, Security Monitor runs automatically on startup. To open the Security
Monitor window, right-click the light bulb icon in the system tray, or start
Security Monitor as you would any other Windows NT program. Its program folder
was specified at installation. By default, it is eTrust Audit\bin.
Whenever Security Monitor is running, its light bulb icon appears in your system
tray. When there is no data, the bulb is white. When an alert arrives, the bulb
turns yellow and glow lines appear.
[Icons: light bulb with no data; light bulb with data]
The Security Monitor also doubles for internal eAudit events. You should install
one Security Monitor for this purpose. This monitor will be your “Self monitor”
host, required for the client installation.
Running Minimized
You can run Security Monitor minimized, with the light bulb icon in the system
tray, by starting SecMonW.exe with the parameter -tray.
Freezing the Scrolling
To stop Security Monitor from scrolling data out of the visible part of the list,
click the Stop/Restart button or select Stop Scroll from the View menu.
Both on the View menu and as a toolbar button, Stop Scroll is a toggle. While
scrolling is stopped, a checkmark appears and the button is highlighted.
[Icons: scrolling is halted; scrolling is proceeding]
Specifying the Data Quantity
After accumulating a certain number of records, Security Monitor deletes an old
record each time a new one arrives.
To specify how many records Security Monitor accumulates before deleting any old
ones — that is, the maximum number of records that will be on hand at any given
moment for you to scroll through:
1. Select Options from the View menu. A dialog box appears.
2. In the dialog box, enter the number of records that you want Security
   Monitor to keep at hand — up to 10,000. You can save as few as 100. However,
   if too few records are held in the buffer, it may be difficult to stop
   scrolling.
Saving Alerts
To save the currently displayed alerts, select Save As from the File menu. The
alerts are saved to a text file.
Clearing the Security Monitor Window
You can clear the Security Monitor window, discarding all the records. Click
Clear Events.
The alerts disappear from the Security Monitor window.
Closing Security Monitor
Closing the Security Monitor window and shutting down the redirection of data
into Security Monitor are two different things.
■ By closing the Security Monitor window, you hide the monitor but you do not
  turn it off. Closing the window does not stop information from flowing into
  Security Monitor.
■ To hide the monitor, you can select Exit from the File menu, use the Close
  button on the main window, or use <Alt><F4>.
■ To shut down Security Monitor, halting the flow of information, you need to
  use the light bulb icon in the system tray. Right-click the icon and choose
  Close from the pop-up menu. The icon disappears and redirection to Security
  Monitor stops.
Chapter 6: Services
eTrust Audit includes several services, which enable the information flow in
this product by collecting, reading, and forwarding information from all
sources in the system. Some of these services work only in Windows NT, while
others operate also in UNIX.
This chapter describes the eTrust Audit services in detail.
The eAudit recorder service
Recorder Service for NT
The eAudit recorder service, SeLogRec, brings a computer’s Windows NT audit
information into the local audit file for further handling by eTrust Audit.
For instructions on starting the service, see Starting the Services in the
“Installing eTrust Audit” chapter.
SeLogRec (the eAudit recorder service)
Description
    SeLogRec is the eAudit recorder service. It intercepts Windows NT audit
    events and stores them in the local audit file for eTrust Audit 1.5 to
    display, act on, or forward.
    SeLogRec.exe is located in audit\bin (where audit is the directory in which
    you installed eTrust Audit 1.5).
    You can edit the recorder configuration file to specify which events are to
    be recorded. For details, see The Recorder Configuration File in this
    chapter.
    To allow the recorder service to run when eTrust Access Control is stopped,
    you must edit the emulate registry key, which is found under the SeOS key
    (HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\etrustAudit\Client\SeOS\emulate),
    so that emulate value=1.
Syntax
    SeLogRec options
Options
    -install    Installs the service.
    -start      Registers the service with Windows NT and then starts the
                service.
    -stop       Stops the service.
    -remove     Stops the service and unregisters it as a service of Windows
                NT, removing it from the Control Panel’s Services dialog box.
    -help       Displays these syntax options.
Recorder Daemon for UNIX
The eAudit Recorder daemon, acrecorderd, prepares the logs created by UNIX
operating system, by third-party applications running on the UNIX station, or
both, for further handling by eTrust Audit. The daemon reads the logs and,
where possible, sends them to the Audit Router daemon.
For instructions on starting the service, see Starting the Services in the
“Installing eTrust Audit” chapter.
acrecorderd
The eAudit recorder daemon

Description
acrecorderd is the eAudit Recorder daemon. It takes UNIX audit events and, where possible, sends them to the Audit Router daemon, aclogrd.
You can edit the recorder configuration file to specify which events are to be recorded. For details, see The Recorder Configuration File in this chapter.
To allow the recorder to run when eTrust Access Control is stopped, set the emulate value to 1. On Windows this is the registry value under the SeOS key (HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\etrustAudit\Client\SeOS\emulate).
Syntax
acrecorderd options

  -start      Starts the daemon.
  -install    Places the executable into the operating system initialization directory.
  -stop       Stops the daemon.
  -remove     Removes the executable from the operating system initialization directory.
  -help       Displays these syntax options.
Note: You can start the daemons in one of the two following ways:
■ Running the daemon directly from the UNIX shell
■ Running a script from the init directory: /etc/rc2.d/S77daemon_name start
Before running the daemon directly, export the required environment variables to the current shell (Bourne or Korn) by sourcing the script ac_set_env.sh from /usr/eaudit/bin. For example:
% . /usr/eaudit/bin/ac_set_env.sh
(% stands for the UNIX prompt.)
This note is valid for all eAudit UNIX daemons.
Daemon name:      eAudit Log Recorder
Daemon location:  /usr/eaudit/bin/acrecorderd
Usage: acrecorderd action [debug_options]
Options
  Action:
  -start      start daemon
  -stop       stop daemon
  -install    install daemon
  -remove     remove daemon
  -help       show this message
The Recorder Configuration File
In the recorder configuration file, each line (other than comment lines) gives criteria for bringing Windows NT audit records into the local audit file. A record is admitted and handled by eTrust Audit 1.5 if it matches the criteria of any line in the file; a record that matches no line is ignored. The file is selogrec.cfg in the audit\etc directory, where audit is the directory in which you installed eTrust Audit 1.5. It defines which NT logs are read on the client.
The format is explained in the following example. Note that commas are used as delimiters within the three-part Resource specification, while semicolons are used elsewhere. The file is case-sensitive.
You can select the way to filter the events that are recorded by using the following mask:
<Log Name>;<Resource>;<User>;<Result>
The default values, which can be selected during installation, are:
■ NT-System;*;*;*
■ NT-Security;*;*;*
■ NT-Application;*;*;*
For more in-depth information, see the selogrec.cfg file in the \eTrust Audit\etc directory.
The access results Success and Failure typically refer to logins, while Info reports on successful application startups. Warning refers to possible problems, while Error indicates a more severe problem.
Comment lines
To create a comment line, begin it with a semicolon (;), pound sign (#), or exclamation point (!). For example:
! Here are four comment lines. If you wanted to
! use the fourth one as a rule, you could simply
! erase the "!" mark from its start.
! NT-Security;Security,Detailed Tracking,593;jerry;S
The asterisk as wildcard
You can use an asterisk (*), matching any number of characters, in any field except the event log name. You can also use a single asterisk for the whole three-part Resource field; for example, to indicate “all Windows NT security log events, regardless of resource, user, and result”:
NT-Security;*;*;*
The question mark (?) represents a single wildcard character.
Here is another example, specifying all Windows NT Application log events that are Information events with the eTrust Audit 1.5 Collector service as their source, regardless of event category, event ID, and user:
NT-Application;eAudit Col*,*,*;*;I
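The following Python program is an added example (not code from the guide or from eTrust Audit) that applies the selogrec.cfg rules described above to a handful of constructed event records: comment prefixes, the four semicolon-separated fields, the comma-separated three-part Resource, case-sensitive matching, admission on any matching line, and the * and ? wildcards. The field names in the record dictionaries and the result code F are this example's assumptions; only the codes S and I appear in the guide.

```python
"""Matcher for selogrec.cfg-style filter lines, written from the format rules
this section describes.  Added example, not eTrust Audit's own code; the
sample configuration and event records are constructed."""
import re

COMMENT_PREFIXES = (";", "#", "!")


def glob_to_regex(pattern):
    """Compile one field pattern.  Only '*' (any run of characters) and '?'
    (one character) are wildcards; everything else is literal and, as the
    guide says of the file, case-sensitive."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def parse_filter(text):
    """Turn selogrec.cfg text into rule tuples
    (log_name, (source, category, event_id), user, result)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(COMMENT_PREFIXES):
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected Log;Resource;User;Result")
        log, resource, user, result = fields
        if "*" in log or "?" in log:
            # The guide forbids '*' in the log name; treating '?' the same
            # way is this example's assumption.
            raise ValueError(f"line {lineno}: no wildcards in the log name")
        if resource == "*":
            res_fields = ["*", "*", "*"]  # a lone '*' covers all three parts
        else:
            res_fields = [f.strip() for f in resource.split(",")]
            if len(res_fields) != 3:
                raise ValueError(f"line {lineno}: Resource is Source,Category,EventID")
        rules.append((log,
                      tuple(glob_to_regex(f) for f in res_fields),
                      glob_to_regex(user),
                      glob_to_regex(result)))
    return rules


def admitted(rules, record):
    """A record is admitted if it matches ANY rule line; otherwise the
    recorder ignores it.  The record keys are this example's own names."""
    for log, (src, cat, eid), user, result in rules:
        if record["log"] != log:  # exact, case-sensitive log name
            continue
        if (src.match(record["source"]) and cat.match(record["category"])
                and eid.match(str(record["event_id"]))
                and user.match(record["user"]) and result.match(record["result"])):
            return True
    return False


# Constructed configuration: the NT-System installation default plus the two
# narrower rules quoted in this section.
SAMPLE_CFG = """\
! constructed selogrec.cfg for the example
NT-System;*;*;*
NT-Security;Security,Detailed Tracking,593;jerry;S
NT-Application;eAudit Col*,*,*;*;I
"""

# Constructed records; the comment says why each is admitted or ignored.
SAMPLE_RECORDS = [
    dict(log="NT-System", source="Service Control Manager", category="None",
         event_id=7036, user="N/A", result="I"),       # any System event
    dict(log="NT-Security", source="Security", category="Detailed Tracking",
         event_id=593, user="jerry", result="S"),       # exact rule match
    dict(log="NT-Security", source="Security", category="Detailed Tracking",
         event_id=593, user="Jerry", result="S"),       # case differs: ignored
    dict(log="NT-Security", source="Security", category="Logon/Logoff",
         event_id=529, user="jerry", result="F"),       # no rule covers it
    dict(log="NT-Application", source="eAudit Collector", category="None",
         event_id=100, user="SYSTEM", result="I"),      # prefix wildcard
    dict(log="NT-Application", source="eAudit Collector", category="None",
         event_id=100, user="SYSTEM", result="E"),      # wrong result code
]


def filter_records(cfg_text=SAMPLE_CFG, records=SAMPLE_RECORDS):
    """Return the admission decision for each record, in order."""
    rules = parse_filter(cfg_text)
    return [admitted(rules, r) for r in records]


if __name__ == "__main__":
    for rec, keep in zip(SAMPLE_RECORDS, filter_records()):
        print("admit " if keep else "ignore", rec["log"], rec["event_id"],
              rec["user"], rec["result"])
```

Run it against your own selogrec.cfg text to see which records a proposed filter would let through before you deploy it; the third record shows why a user name typed with the wrong case silently drops events.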
Registry Keys
The registry includes a key for the eAudit recorder service, under HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\etrustAudit\Client\Recorders\NT Recorder. For a comprehensive description of its values, see NT Recorder in the “Registry Keys and ini Files” chapter.
The eAudit recorder service uses the following values located in the HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit 1.5\Client\SeOS\logmgr key:
■ audit_log
■ audit_size
■ audit_back
In addition, if the eTrust Access Control software is installed, the eAudit recorder service uses the emulate value, located under the SeOS key in HKEY_LOCAL_MACHINE\SOFTWARE\Memco\SeOS\SeOS.
The eAudit SNMP recorder service
The eAudit SNMP recorder service, Snmprec, receives SNMP trap messages sent to either a UNIX station or an NT station. The received messages are then passed on to a router: by default the local host, or whatever host the DefaultRouter value in the Recorders section of the registry names.
For instructions on starting the service, see Starting the Services in the “Installing eTrust Audit” chapter.
SnmpRec
The eAudit SNMP recorder service

Description
The SNMP recorder receives SNMP trap messages and sends them to the default router.
By default, the SNMP recorder listens for trap messages sent to port 162 (the standard SNMP trap port). This default can be changed by setting the SNMPRecorderPort value in the registry section HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Ports. For more information, see SNMPRecorderPort in the Ports section of the “Registry Keys” chapter.
Service name:      eAudit SNMP Recorder
Service location:  \eTrust Audit\bin\snmprec.exe
Options
  action:
  -start      start service
  -stop       stop service
  -install    install service
  -remove     remove service
  -help       show this message
SNMP Recorder Parameters for UNIX
Daemon name:      eAudit SNMP Recorder
Daemon location:  /usr/eaudit/bin/snmprec
Usage: snmprec action [debug_options]
Options
  action:
  -start      start daemon
  -stop       stop daemon
  -install    install daemon
  -remove     remove daemon
  -help       show this message
Registry Keys
The registry includes a key for the eAudit SNMP recorder service, under HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Recorders\SNMP Recorder.
The SNMP recorder sends its messages to the router named by HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Recorders\DefaultRouter.
The SNMP recorder parses received messages with the mapping (MP) file named by the MPFile value under the SNMP Recorder key; the default is cfg\snmptd_rec.mp.
The redirector service
The redirector service, SeLogRd, which operates only in Windows NT and Windows 2000 environments, reads the local audit file created by the eAudit recorder service and forwards it to the router. The local audit file contains events originating on the local machine. You control SeLogRd by editing the configuration file, logroute.cfg. For more details, see The Redirector Configuration File, later in this chapter.
eTrust Audit limits the size of the audit files. As a result, when events are generated faster than they can be forwarded (for example, if a Router service is not running, or during a peak) it is possible to lose data.
You can guarantee delivery of records to the Router in one of the following two ways:
■ Allow the files to exceed their prescribed maximum size, by increasing the maximum file size with the registry value audit_size in the logmgr key.
■ Disable overwriting of backup files, by setting the OverWriteBackup value in the Redirector registry key to 0 (the default is 1).
Either choice trades disk space for delivery, so watch the size of the \dat\log directory.
For instructions on starting the service, see Starting the Services in the “Installing eTrust Audit” chapter.
SeLogRd
The redirector service

Description
SeLogRd is the redirector service. It handles the contents of the local audit file according to the instructions in the redirector configuration file. SeLogRd can pass information to a router, whether local or remote.
Location
SeLogRd.exe is located in audit\bin (where audit is the directory in which you installed eTrust Audit 1.5).
Syntax
SeLogRd options

  -install    Installs the service.
  -start      Registers the service with Windows NT and then starts the service.
  -stop       Stops the service.
  -remove     Unregisters the service as a service of Windows NT, removing it from the Control Panel’s Services dialog box.
  -help       Displays these syntax options.
The Redirector Configuration File
The redirector configuration file tells what should be sent where. By default, everything is sent to the router (local or remote).
While running, the service periodically reconfigures itself according to the file contents.
For SeLogRd, the configuration file is logroute.cfg; the RouteFile value in the Redirector registry key names it, and the default location is the audit\etc folder.
Registry Keys for SeLogRd
The registry includes a key for the redirector service: HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\etrustAudit\Client\Redirector. For a comprehensive description of its values, see the Redirector key.
In addition, the redirector service uses the following values located in HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\SeOS\logmgr:
■ audit_log
■ audit_size
■ audit_back
The Collector Service
The Collector service, SeLogRcd, runs only on Windows NT and Windows 2000. This service receives information from other stations where eTrust Audit 1.5 is running and writes it to the event database.
For instructions on starting the service, see Starting the Services in the “Installing eTrust Audit” chapter.
SeLogRcd
The Collector service

Description
SeLogRcd.exe, the Collector service, is located in audit\bin (where audit is the directory in which you installed eTrust Audit 1.5). Whenever an Action Manager service forwards records with the Collector action, they are accepted by SeLogRcd at the target station and written to the event database.
If the Collector service is not running, the routers will stop trying to send to it.
Syntax
SeLogRcd options

  -install    Installs the service.
  -start      Registers the service with Windows NT and then starts the service. When the service starts, you are asked for the event database name, user name, and password, unless they are recorded in the registry. (Under normal conditions, this is irrelevant for Microsoft Access.)
  -stop       Stops the service.
  -remove     Stops the service and unregisters it as a service of Windows NT, removing it from the registry and from the Control Panel’s Services dialog box.
  -help       Displays these syntax options.
Registry Keys
The Collector service uses the following values located in HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Data Server\Database:
■ Audit DSN
■ Database
■ User
■ Password
Because this key holds the database user name and password, restrict its permissions to administrators and the account the Collector service runs under.
The Log Router Service
The router service, aclogrd, operates in the NT and UNIX environments. Events from a number of different sources are forwarded to aclogrd. The service reads the *.cfg files found under the \eTrust Audit\cfg directory (NT) or /usr/eaudit/cfg (UNIX). These *.cfg files contain filters made up of rules and actions. Using these rules, aclogrd filters the forwarded events and discards some of them.
All the logs the audit router receives from recorders are written into queues in the directories defined in the registry in Windows NT (or in the ini file in UNIX), under:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Router\Queue Manager\Queues
The three pre-defined queues are:
■ Default
■ AlertQueue
■ CollectionQueue
You can also define your own.
The queue to which the Router writes a record depends on the rules defined in the Queue Rules section of each queue (for example, HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Router\Queue Manager\Queues\AlertQueue\Queue Rules). A queue rule value has one of two forms:
  rule_name    action;target name    (for a specific target)
  rule_name    action                (for all targets)
For example, if a cfg file contains a rule with the action Collector, its records are written to the collection queue, because that queue’s Queue Rules include the rule Collector.
You can add rules in the registry to customize your settings. Actions that are not directed by default to the alert queue or the collection queue go to the Default queue. If you want other actions directed to the alert or collection queue, add a rule for them: for example, adding a rule named file with the data file under AlertQueue\Queue Rules directs records carrying the file action to the alert queue instead of the Default queue.
Certain actions are attached to the events that are kept, which are then placed in a number of different queues.
For instructions on starting the service, see Starting the Services in the “Installing eTrust Audit” chapter.
aclogRd
The router service

Description
aclogRd is the router service. It handles received events according to the filters of the router configuration file. aclogRd.exe is located in audit\bin (where audit is the directory in which you installed eTrust Audit 1.5).
Syntax
aclogRd options
Options
  Action:
  -start      start service
  -stop       stop service
  -install    install service
  -remove     remove service
  -debug      switch to debug mode
  -help       show this message
Log Router UNIX Parameters
Daemon name:      eAudit Log Router
Daemon location:  /usr/eaudit/bin/aclogrd
Usage: aclogrd option [debug_options]
Options are the same as in Windows NT.
The router configuration file
The router filters events and decides what action to perform on them according to the configuration files.
The following is a brief example of the language used in a configuration file, statement by statement:

  Rule select_NT
      Every rule must start with the word Rule and have at least one Action or one Do group. select_NT is the name of the rule.
  Action Monitor;localhost
      Defines the action associated with the event and its target (here the target name is localhost). Possible actions include monitor, file, Collector, and so on.
  Include int Log ~"^NT"
      Include int is the internal language; Log ~"^NT" is the condition for including the event.
  Exclude int Log ~"^Oracle"
      Exclude int is the internal language; Log ~"^Oracle" is the condition for excluding the event.
  Do group group_NT
      Can be used for activating another rule or for nesting rules.
  Group group_NT
      Contains a list of rules.
  Do Int Define $Host_%Location%_Count Value(1)
      Defines an internal integer variable with the value 1. Whatever is between % signs (such as %Location%) is replaced by embedded text; in this case, the value of the Location token.
  $Host_%Location%_Count exists
      Tests for the existence of the variable.
  Incr Host_%Location%_Count
      Increments the internally defined variable.
  Decr Host_%Location%_Count
      Decrements the internally defined variable.
  Integer: $Host_%Location%_FailedCount equal to 3
      A conditional statement checking whether the internal variable equals 3.
  Do Int Define $AlertEvent Src("eTrust Policy Manager") Type("Alert")
      Defines a variable used to generate a new event.
  Do Int Set $AlertEvent.User User
      Sets the value of User in the generated event by copying the value of the token User in the event currently being filtered.
  Do Int Delete $AlertEvent
      Deletes the generated event.
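As an added example that is not part of the guide, the Python program below ties together the two mechanisms described in this section: the router configuration language (Rule, Action, Include int and Exclude int statements with the ~"regex" conditions shown in the table) and the Queue Rules that send each resulting action to AlertQueue, CollectionQueue or Default. It uses the default queue rules listed in the "Registry Keys and ini Files" chapter plus the file rule the Log Router text adds to AlertQueue. The guide does not say how the real router combines several Include and Exclude conditions; requiring every Include to match and no Exclude to match is this example's assumption, as are the rule names, host names and event tokens.

```python
"""Miniature of the router's rule evaluation and queue selection, written
from the statements and queue-rule formats this chapter describes.  Added
example, not eTrust Audit's own code; rules, hosts and events are constructed."""
import re

# Queue Rules as the guide lists the defaults, plus the 'file' rule the Log
# Router section adds to AlertQueue.  Each value is "action;target" or "action".
QUEUE_RULES = {
    "AlertQueue": ["monitor;", "snmp;", "screen;", "file"],
    "CollectionQueue": ["Collector"],
}

# Include int <Token> ~"<regex>"   /   Exclude int <Token> ~"<regex>"
_COND = re.compile(r'^(Include|Exclude)\s+int\s+(\w+)\s+~"([^"]*)"$')


def parse_rules(text):
    """Parse Rule blocks into dicts with name, actions [(action, target)],
    include [(token, regex)] and exclude [(token, regex)].  Only the
    statements quoted in the guide's table are handled here."""
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Rule "):
            cur = {"name": line.split(None, 1)[1], "actions": [],
                   "include": [], "exclude": []}
            rules.append(cur)
            continue
        if cur is None:
            raise ValueError("statement before the first Rule: " + line)
        if line.startswith("Action "):
            action, _, target = line[len("Action "):].partition(";")
            cur["actions"].append((action.strip(), target.strip()))
            continue
        m = _COND.match(line)
        if m is None:
            raise ValueError("statement not handled by this example: " + line)
        kind, token, pattern = m.groups()
        cur[kind.lower()].append((token, re.compile(pattern)))
    for r in rules:
        if not r["actions"]:  # the guide: at least one Action (or Do group)
            raise ValueError(f"rule {r['name']} has no Action")
    return rules


def rule_selects(rule, event):
    """Assumption: every Include must match and no Exclude may match.
    A token missing from the event fails the condition."""
    def hit(token, rx):
        return token in event and rx.search(event[token]) is not None
    return (all(hit(t, rx) for t, rx in rule["include"])
            and not any(hit(t, rx) for t, rx in rule["exclude"]))


def queue_for(action, target):
    """Pick the queue whose Queue Rules name this action (and target, when
    the rule gives one); anything unmatched goes to Default.  Comparing
    action names case-insensitively is an assumption (the guide writes both
    'Monitor' and 'monitor')."""
    for queue, entries in QUEUE_RULES.items():
        for entry in entries:
            r_action, _, r_target = entry.partition(";")
            if r_action.strip().lower() != action.lower():
                continue
            if r_target.strip() in ("", target):
                return queue
    return "Default"


def route(rules_text, events):
    """Return [(event Log, rule name, action, target, queue), ...]."""
    rules = parse_rules(rules_text)
    out = []
    for ev in events:
        for rule in rules:
            if rule_selects(rule, ev):
                for action, target in rule["actions"]:
                    out.append((ev["Log"], rule["name"], action, target,
                                queue_for(action, target)))
    return out


# Constructed rules: the guide's select_NT conditions, plus a second rule
# that raises an SNMP trap for failed security-log events.
SAMPLE_RULES = """\
Rule select_NT
Action Monitor;localhost
Action Collector;collector01
Action file;C:\\audit\\nt_events.log
Include int Log ~"^NT"
Exclude int Log ~"^Oracle"
Rule failed_logons
Action snmp;nms01
Include int Log ~"^NT-Security"
Include int Result ~"^F$"
"""

# Constructed events as token dictionaries.
SAMPLE_EVENTS = [
    {"Log": "NT-Security", "User": "jerry", "Result": "F"},
    {"Log": "NT-System", "User": "N/A", "Result": "I"},
    {"Log": "Oracle-audit", "User": "scott", "Result": "S"},
]

if __name__ == "__main__":
    for log, rule, action, target, queue in route(SAMPLE_RULES, SAMPLE_EVENTS):
        print(f"{log:14} {rule:14} {action:10} {target:28} -> {queue}")
```

The Oracle event produces nothing, the NT-System event produces three actions from select_NT, and the failed NT-Security logon produces those three plus the snmp action; the file action lands in AlertQueue only because of the added file queue rule, and would otherwise fall through to Default.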
Registry Keys for aclogrd
The registry includes a key for the router service:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust
Audit\Client\Router. For a comprehensive description of its values, see
Router key.
The Action Manager Service
The action manager service performs all actions that are entered into
configuration files (*.cfg). The action manager reads from queues and performs
actions defined per event.
The queues have parameters, which define their maximum action time,
maximum file number and so on. For more details regarding the queue
parameters, see Queue Parameters in the “Registry Keys” chapter.
Actions managed by the Action Manager
Collector
The Collector action tells the action manager to send the records received from the queue to a Collector on a user-defined host (hostname), as in the following example:
Action Collector;hostname
Monitor
The Monitor action tells the action manager to send the records received from the queue to the eTrust Audit security monitor on a user-defined host (hostname), as in the following example:
Action monitor; localhost
Screen
The Screen action sends pop-up messages to the screen.
Action screen; target name
Mail
The Mail action tells the action manager to send the records received from the queue to a specific mail address.
Action mail;[email protected]
SNMP
The SNMP action sends the event as an SNMP trap to the named host, on the port given by SNMPTrapPort (default 162) in the Ports section of the registry.
Action SNMP; localhost
File
The File action writes messages to a file, instead of mailing them or displaying them on the screen.
Action file; file; full path
Route
The Route action moves router events to a remote host, where the router of that host handles them.
Action route; host name
Remote
The Remote action moves records from a queue to a remote router and performs an action on that remote host. In the following example, the records go to the router on moriarity, which performs the monitor action with target adler:
Action remote; moriarity;monitor;adler
Program
Running an executable or batch file
When you define an action with the name program, the event is written to a file. The file name and location (the directory to which the file was written) are passed as one string to the program you want to run. Your program can then open the file and continue from there.
For the program action, the formats for the action and target fields in the router configuration file are as follows:
program;\path\progname.exe;additional parameter;timeout
or
program;\path\progname.bat;additional parameter;timeout
If the program is located in a directory on the system PATH or in audit\bin, the path may be omitted. Quotation marks are not allowed.
A batch file receives the same parameters as a program.
When a program or batch file runs, the following takes place:
The event is written into a file located in the TEMP directory (currently %TEMP%).
The program receives the file name and the directory path.
Using your own code, you open the file, retrieve the appropriate information, and run your software accordingly.
It is the responsibility of the user program to parse the additional parameter string.
To specify the target program’s location, do one of the following:
■ Use the full path name.
■ Ensure that the program file is in a directory listed in the %path% environment variable.
Prefer the full path: a program found through %path% is whatever matching executable appears first on the path, and it runs under the Action Manager service’s account.
Timeout
The optional timeout (in seconds) after which the program is terminated may be added after the final parameter string.
The default timeout is 30 seconds. If the program has not exited when the timeout expires, it is terminated.
Unicenter
When you specify the action unicenter, selected events are handed off to the local Unicenter agents for forwarding to the Unicenter TNG Event Console on the specified host. Status codes from eTrust Access Control are translated to their generic equivalents. In the Unicenter TNG Event Console, events display color codes and status icons.
Action unicenter; host name
Service name:      eAudit Action Manager
Service location:  \eTrust Audit\bin\acactmgr.exe
Options
  Action:
  -start      start service
  -stop       stop service
  -install    install service
  -remove     remove service
  -help       show this message
Parameters for UNIX
Daemon name:      eAudit Action Manager
Daemon location:  /usr/eaudit/bin/acactmgr
Usage: acactmgr option [debug_options]
Options
  Action:
  -start      start daemon
  -stop       stop daemon
  -install    install daemon
  -remove     remove daemon
  -help       show this message
The eAudit Distribution Agent Service
The Distribution Agent Service, which is registered as the Management Agent service, runs on UNIX and NT. It receives policy files from the Policy Manager through the Distribution Server, and removes old policy files when the Distribution Server instructs it to.
During setup, you can define only one server as a trusted server recognized by the Distribution Agent Service. You can add more trusted servers later by editing the key of the Distribution Agent Service. This key is found in the Management Agent section of the registry, under:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Management Agent
Under this key, you can find the types of audit nodes.
Note that in the Policy Manager you can create a new audit node type by selecting AN Types from the File menu when you are in the Audit Nodes window. Enter the new AN type name (for example: eTrust VPN), and then confirm the operation.
Having added a new AN type in the Policy Manager window, you must add this type to the registry to get a configuration file for it. The name you add to the registry must be identical to the name you added in the Policy Manager window. Copy the parameters and values from another key, such as eTrust Access Control.
In Windows NT, the service changes the auditing according to the policy it receives. The service notifies the router to reload the policy and pick up the new rules.
The distribution agent accepts policy files only for the audit node types listed under this key.
Service name:      eAudit Distribution Agent
Service location:  \eTrust Audit\bin\acdistagn.exe
Usage: acdistagn option [debug_options]
Options
  Action:
  -start      start service
  -stop       stop service
  -install    install service
  -remove     remove service
  -help       show this message
Note: Both the distribution server and the distribution agent services work with
TCP/IP port 8025. You can change that port by using the registry and adding a
special port. For details, see the Ports section of the Registry Keys and ini Files
chapter.
Distribution Agent UNIX Parameters
Daemon name:      eAudit Distribution Agent
Daemon location:  /usr/eaudit/bin/acdistagn
Usage: acdistagn option [debug_options]
Options
  Action:
  -start      start daemon
  -stop       stop daemon
  -install    install daemon
  -remove     remove daemon
  -help       show this message
The eAudit Distribution Server Service
The Distribution Server Service runs only on NT. This server, which distributes the policy files among the clients, must run on the same station as the Policy Manager.
When you activate a policy from the Policy Manager, the relevant commands reach the distribution queue. The Distribution Server reads the distribution queue, selects the compiled policy files, processes them, and sends them to the agents according to the commands.
The Distribution Server tries to connect to the distribution agent. If the connection succeeds, the agent starts receiving configuration files, and once the transmission completes successfully, the log is updated.
If the connection attempt fails (or the initial connection succeeds but a failure occurs afterwards), the transmission command is delayed and retried. After a pre-defined period of failed connection attempts (by default 24 hours), the Distribution Server stops retrying and updates the log.
The key of the Distribution Server is found under:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Policy Manager\Distribution Server
Under this key, you can find the queue manager parameters.
Note: Both the Distribution Server and the Distribution Agent services use TCP/IP port 8025. You can change that port by adding a port value in the registry. For details, see the Ports section of the “Registry Keys and ini Files” chapter.
eAudit Distribution Server Parameters
Service name:      eAudit Distribution Server
Service location:  \eTrust Audit\bin\acdistsrv.exe
Usage: acdistsrv [debug_options]
Options
  Action:
  -start      Registers the service with Windows NT and then starts the service.
  -stop       stop service
  -install    install service
  -remove     Stops the service and unregisters it as a service of Windows NT, removing it from the Control Panel’s Services dialog box.
  -help       show this message
The Portmap Service
For Windows NT 4.0 and Windows 2000, note that eTrust Audit 1.5 installs the Sun RPC portmapper.
The portmapper manages a table of correspondences between ports (logical communications channels) and the services registered at them. It provides a standard way for a client to look up the TCP/IP or UDP/IP port number of an RPC program supported by the server. This service runs on all hosts on which eTrust Audit 1.5 components are installed.
Service name:      eAudit Portmap
Service location:  \eTrust Audit\bin\Portmap.exe
Usage:
  inst_pm <full pathname>\portmap.exe    to install portmap, or:
  inst_pm remove                         to remove it
Chapter 7
Registry Keys and ini Files
This chapter is divided into two parts:
The first part summarizes the items in the Windows NT registry that belong to eTrust Audit 1.5 and are located under HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\etrustAudit.
The second part details the parallel items in the UNIX system, which contains only the client suite.
Note: this chapter describes only keys and files that are user-configurable.
Windows
Note: The etrustAudit root (HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit) will henceforth be referred to in this document as Audit.
Current Version
Under Audit\CurrentVersion
  InstallDate
      Date of the installation (day).
  MajorVersion
      Major version number.
  MinorVersion
      Minor version number.
  UserName
      Name of the user who installed the software.
Components
Paths
Under Audit\Paths
  RootPath
      Default: …\eTrust Audit
  BinPath
      Location of the binary files library. Default: bin\
  LibPath
      Location of the file library. Default: lib\
  DllPath
      Location of the dll files library. Default: bin\
Ports
Under Audit\Ports
Notes: These values are to be used in one of the following two cases:
■ The default port is busy.
■ The service cannot get a dynamic port from the portmapper.
Giving a component a fixed port here also lets you write host firewall rules for it, which portmapper-assigned dynamic ports do not.
All values are of type String Value and hold a port number.
  MonitorPort
      Used by Action Manager (action "monitor") and Monitor. Default: port assigned by portmapper.
  RouterPort
      Used by Redirector and Router. Default: port assigned by portmapper.
  RouterSapiPort
      Used by SAPI senders and Router. Default: port assigned by portmapper.
  CollectorPort
      Used by Action Manager (action "collector"). Default: port assigned by portmapper.
  DistributionPort
      Used by Distribution Server and Distribution Agent. Default: 8025
  SNMPRecorderPort
      Used by SNMPRecorder. Default: 162
  SNMPTrapPort
      Used by Action Manager (action "snmp"). Default: 162
RPC
Under Audit\RPC
  PortmapName
      Name of the program that operates as portmapper. Default: Portmap.exe
Messages
Under Audit\Messages
  MessageFile
      Message file location. Default: ….eTrust Audit\messages\message.txt
Severity
Under Audit\Messages\Severity\
Under this key are several subkeys (Fatal, Critical, Error, Warning, Info) with the same values: Targets (mandatory) and SkipTimeout (optional). Only the default SkipTimeout value differs between them.
The first key is shown with its two values, followed by the default SkipTimeout values in the other keys.
Fatal
  Targets
      Default: Monitor,Log
  SkipTimeout
      Minimal timeout between two identical messages. Default: 0 seconds
Default SkipTimeout values in the other keys:
  Critical    0 seconds
  Error       60 seconds
  Warning     60 seconds
  Info        60 seconds
Targets
Monitor
Under Audit\Messages\Targets\Monitor
  LibraryName
      Default: GMON
Parameters
Under Audit\Messages\Targets\Monitor\Parameters
  Host
      The location of the self-monitor host.
  MonitorPort
      Relevant if the self-monitor host uses a predefined port for receiving alerts (see the Ports section). (Optional value)
  RetryTimeout
      How long to wait before retrying to connect. Default: 3600 seconds (60 minutes)
  TransmitTimeout
      How long to wait on the transmission request. Default: 5 seconds
Mail
Under Audit\Mail
  ServerType
      SMTP. This value cannot be changed.
  MailServer
      The mail server name you indicated when you installed the product. Default: mailsrv
  Sender
      The user whose account is used to send mail when needed. Default: Administrator
Client
SeOS
logmgr
Under Audit\Client\SeOS\logmgr
  audit_back
      The name of the backup file for the local audit file. When the local audit file reaches the size specified by the audit_size parameter, it is given this name and the old file with this name is discarded. Default: eTrust Audit\dat\log\seos_audit.bak
  audit_log
      The name of the local audit file. The recorder service writes to the file named here, and the redirector service reads from it. Default: eTrust Audit\dat\log\seos.audit
  audit_size
      The maximum size, in KB, for the local audit file. Default: 3000
  error_back
      The name of a file used internally. Default: eTrust Audit\dat\log\seos_error.bak
  error_log
      The name of a file used internally. Default: eTrust Audit\dat\log\seos.error
Recorders
Under Audit\Client\Recorders
  DefaultRouter
      The host name or IP address of the computer that runs the eTrust Audit router. Default: localhost
NT Recorder
Under Audit\Client\Recorders\NT Recorder
  DataFile
      The name of a file that the recorder service uses internally. Default: …eTrust Audit\dat\recorders\selogrec.dat. This location should not be changed.
  FilterFile
      The name of the recorder configuration file. Default: …eTrust Audit\etc\selogrec.cfg
  SearchStringsFile
      The name of a file that the recorder service uses internally. Default: …eTrust Audit\etc\selogrec.str. This location should not be changed.
  SkipImportLogs
      Whether to import prior Windows NT audit logs. This value is generated during setup and should not be changed.
  Interval
      The time the service suspends (sleeps) without writing any data from the event log. (Optional value) Default: 10 seconds
  MaxSeqNoSleep
      The maximum number of records written before sleeping. (Optional value) Default: 50
SNMP Recorder
Under Audit\Client\Recorders\SNMP Recorder
  MPFile
      Mapping file used for parsing received messages. Default: cfg\snmptd_rec.mp
Redirector
Under Audit\Client\Redirector
  DataFile
      The name of a file that the redirector service uses internally. Default: Audit\dat\recorders\logroute.dat. This location should not be changed.
  MailSubject
      The subject line for eTrust Audit 1.5’s outgoing e-mail. Default: Notification from eTrust Audit 1.5
  RouteFile
      The name of the redirector configuration file. Default: eTrust Audit\etc\logroute.cfg
  SendTimeout
      The time SeLogRd waits for confirmation from the router before resending a message. If the timeout period is too short, the same message may appear in the database several times. (Optional value) Default: 25 seconds
  Interval
      The time that the redirector service sleeps without writing any data from the log. (Optional value) Default: 5 seconds
  MaxSeqNoSleep
      The maximum number of records written before sleeping. (Optional value) Default: 50
  SpeedBackup
      Affects the effective values of Interval and MaxSeqNoSleep: MaxSeqNoSleep is multiplied by SpeedBackup, and Interval is divided by SpeedBackup, with a minimum effective Interval of 1 second. (Optional value) Default: 2
  ChangeLogFactor
      The number of sleep periods before retrying failed targets. (Optional value) Default: 3
  SavePeriod
      The time before the current position of the redirector service in seos.audit is stored in logroute.dat. (Optional value) Default: 10 minutes
  OverWriteBackup
      When set to 1, the redirector service closes the backup file during sleep periods, allowing it to be erased. Default: 1
Data
Under Audit\Client\Redirector\Data
Name | Data | Default Value
LastBackupLogFileSignature | A value unique for each SeoSAudit.bak file | seos_audit.bak
LogFileSignature | A value unique for each SeoSAudit.log file | seos.audit
Router
Under Audit\Client\Router
Name | Data | Default Value
RulesDirectory | | cfg\ (Optional value)
Rules extension | | cfg
Queue Manager
Queues
Under Audit\Client\Router\Queue Manager\Queues
Name | Data | Default Value
DirectoryName | Directory name | …eTrust Audit \dat\Queue\route
AlertQueue
Queue Rules
Under Audit\Client\Router\Queue Manager\Queues\AlertQueue\Queue Rules
Note that the rule name is unimportant and can be changed by the user. The Data value indicates which action is performed and which target the action reaches. If no target is indicated, only the action matters.
Name | Data | Default Value
monitor | Action name and Target, delimited by semi-colon | monitor;
snmp | Action name and Target, delimited by semi-colon | snmp;
screen | Target and action name | screen;
Queue Parameters
Under Audit\Client\Router\Queue Manager\Queues\AlertQueue\Queue Parameters
Name | Data | Default Value
MaxFileNum | | 10
MaxFileSize | | 500KB
MaxActionTime | The maximal time the action manager operates in the queue before moving to another queue. | 500 milliseconds
MinActionTime | The minimal time the action manager operates in the queue before moving to another queue. | 20 milliseconds
SleepTime | | 3 seconds
RetryDelay | The amount of time that passes before trying to transmit a message again. | 600 seconds (10 minutes)
MaxLifeTime | The maximal time a message can be in the queue before it is erased. | 86400 sec (24 hours)
DeleteOldFiles | When this parameter is set to 1, then when the number of files in the queue equals the number set in the MaxFileNum parameter, the oldest file is deleted. If you do not want to lose any record, set this parameter to 0. If you do not want the router to stop until the oldest file is processed, set the parameter to 1. (Optional value) | 1
CollectionQueue
Queue Rules
Under Audit\Client\Router\Queue Manager\Queues\CollectionQueue\Queue Rules
Name | Data | Default Value
Collector | | Collector;
Queue Parameters
Under Audit\Client\Router\Queue Manager\Queues\CollectionQueue\Queue Parameters
These keys are identical to the AlertQueue queue parameters, but some of them have different default values.
Name | Data | Default Value
MaxFileNum | | 10
MaxFileSize | | 500KB
MaxActionTime | | 500 milliseconds
MinActionTime | | 10 milliseconds
SleepTime | | 3 seconds
RetryDelay | | 900 seconds (15 minutes)
MaxLifeTime | | 259200 sec (72 hours)
DeleteOldFiles | | 1
Default
Queue Rules
Under Audit\Client\Router\Queue Manager\Queues\Default\ Queue Rules
The default key has no key rules; it gets all the rules of the other keys.
Queue Parameters
Under Audit\Client\Router\Queue Manager\Queues\Default\Queue Parameters
These keys are identical to the AlertQueue queue parameters, but some of them have different default values.
Name | Data | Default Value
MaxFileNum | | 10
MaxFileSize | | 500KB
MaxActionTime | | 500 milliseconds
MinActionTime | | 10 milliseconds
SleepTime | | 3 seconds
RetryDelay | | 1800 seconds (30 minutes)
MaxLifeTime | | 86400 sec (24 hours)
DeleteOldFiles | | 1
Actions
The action keys listed under Audit\Client\Router\Queue Manager\Actions are: file, monitor, collector, mail, screen, remote, route, snmp, program and unicenter. The mail action has a Parameters key:
Parameters
Under Audit\Client\Router\Queue Manager\Actions\Mail\Parameters
Name | Data | Default Value
MailSubject | The subject line for eTrust Audit 1.5’s outgoing e-mail. | Notification from eTrust Audit 1.5 (eTrustAudit: Notification)
Management Agent
Under Audit\Client\Management Agent
Name | Data | Default Value
TrustedServers | The host on which Policy Manager is installed: the server or servers from which the client will accept new policies. During setup, you can define only one server as a trusted server, recognized by the Distribution Agent Service. This value lets you add more servers to be recognized as trusted servers, by editing the value and adding more servers, separated by a comma. |
Parameters
Under Audit\Client\Management Agent\Parameters
All the keys listed below are optional.
Name | Data | Default Value
TmpPolicyDir | Temporary policy directory | …eTrust Audit\dat\tmp\agent_tmp_policies
ConnectionTimeout | | 600 seconds
ReceiveTimeout | Internal parameter for the TCP session | 10 seconds
SendTimeout | Internal parameter for the TCP session | 10 seconds
DistributionTimeout | The time period from the start of the session until the agent receives the policy | 800 seconds
AN Types
Under Audit\Client\Management Agent\AN Types\, you can find the different
event log sources.
Note: All the following event log sources have a Parameters section that contains no values.
NT
Under Audit\Client\Management Agent\AN Types\NT
Name | Data | Default Value
LibraryName | | TALR
UNIX
Under Audit\Client\Management Agent\AN Types\UNIX
Name | Data | Default Value
LibraryName | | TGNR
eTrust Access Control
Under Audit\Client\Management Agent\AN Types\eTrust Access Control
Name | Data | Default Value
LibraryName | | TGNR
Oracle
Under Audit\Client\Management Agent\AN Types\Oracle
Name | Data | Default Value
LibraryName | | TGNR
Netscape
Under Audit\Client\Management Agent\AN Types\Netscape
Name | Data | Default Value
LibraryName | | TGNR
Apache
Under Audit\Client\Management Agent\AN Types\Apache
Name | Data | Default Value
LibraryName | | TGNR
Policy Manager
Database
Under Audit\Policy Manager\Database
Name | Data | Default Value
DSN | Data source name | eAuditPMDB
UserName | Name of the user (encrypted) |
Password | User-defined password (encrypted) |
Distribution Log
Under Audit\Policy Manager\Distribution Log
Name | Data | Default Value
MaxLogSize | | 10000 records
DelPartSize | How many records to erase when the maximum log size is reached. | 500
Distribution Server
Under Audit\Policy Manager\Distribution Server
Name | Data | Default Value
OutputDir | Output directory | …\eTrust Audit\dat\AN
Queue Manager
Queues
DistributionQueue
Queue Rules
Under Audit\Policy Manager\Distribution Server\Queue Manager\Queues\DistributionQueue\Queue Rules
Name | Data | Default Value
distribute | | distribute;
remove | | remove;
Queue Parameters
Under Audit\Policy Manager\Distribution Server\Queue Manager\Queues\DistributionQueue\Queue Parameters
Name | Data | Default Value
MaxFileNum | | 10
MaxFileSize | | 100KB
MaxActionTime | The maximal time the action manager operates in the queue before moving to another queue. | 500 milliseconds
MinActionTime | The minimal time the action manager operates in the queue before moving to another queue. | 50 milliseconds
SleepTime | | 10 seconds
RetryDelay | The amount of time that passes before trying to transmit a message again. | 1800 seconds (30 minutes)
MaxLifeTime | The maximal time a message can be in the queue before it is erased. | 86400 sec (24 hours)
DeleteOldFiles | When this parameter is set to 1, then when the number of files in the queue equals the number set in the MaxFileNum parameter, the oldest file is deleted. If you do not want to lose any policy, set this parameter to 0. If you do not want the Policy Manager to stop until the oldest file is processed, set the parameter to 1. (Optional value) | 1
Default
Queue Rules
The default key has no key rules; it gets all the rules of the other keys.
Queue Parameters
Under Audit\Policy Manager\Distribution Server\Queue Manager\Queues\Default\Queue Parameters
Same parameters as in the distribution queue, with the same default values.
Actions
distribute
remove
Data Server
Under Audit\Data Server
Database
Under Audit\Data Server\Database
Name | Data | Default Value
AuditDSN | The data source name (DSN) for the event database. The Collector service writes to the database with the DSN given here, and Audit Viewer displays it on startup. To switch to a different database, you can use the ODBC tool in Windows NT’s Control Panel (or the Administrative Tools in the Control Panel, in Windows 2000) to set up a new database with the same DSN. If you want to start a new database with a new DSN, you need to match this value to it. | eAudit_DSN
Password | The password for the event database | No default; if data is absent, it is requested when the Collector service or Viewer starts. The password is displayed in an encrypted form in the registry keys.
User | The username for the event database, displayed in an encrypted form in the registry keys | No default; if data is absent, it is requested when the Collector service or Viewer starts.
Note that both the user name and the password can be replaced by using the
Encup utility.
Viewer
Under Audit\Data Server\Viewer
Name | Data | Default Value
FiltersDir | Full path to the directory where filter definition files are stored | …eTrust Audit \dat\filters\
IniFile | Full path to the directory where the ini file is stored | …eTrust Audit\ini\SeAuditW.ini
Filters
Under Audit\Data Server\Viewer\Filters
Under this key, you can find three pre-defined values:
• Pre-defined
• Startup
• All
Each filter has one key.
Collector
Under Audit\Data Server\Collector
All the keys of this section are optional.
Name | Data | Default Value
CollectFile | The name of the audit collect file | eTrust Audit\dat\log\seos.collect.audit
Reports
Under Audit\Data Server\Reports
Name | Data | Default Value
ReportsDir | Root directory for reports | …\eTrust Audit\dat\reports
ReadyReportsDir | Saved reports directory | Saved\ (Optional value)
TemplatesDir | Report templates directory | Templates\
MailSubject | E-Mail notification message subject | Notification from eAudit Report Generator
MailBody | E-Mail notification message body | Report has been created successfully. You can view the report using eAudit Reporter.
Monitors
Security Monitor
Under Audit\Monitors\Security Monitor
Name | Data | Default Value
EventData | If this value is defined, the events currently displayed are saved to a file every time you close Security Monitor. When you reopen Security Monitor, the contents of the file are displayed again, and new alerts are added. | eTrust Audit\etc\events.data
IniFile | Full path to the ini file location | eTrust Audit\ini\SecMonW.ini
UNIX
As mentioned earlier, the UNIX version contains only the client suite.
The ini files in UNIX are similar to the registry mechanism in NT. eTrust Audit’s ini files, eaudit.ini and recorder.ini, are found under eaudit_root/ini/.
eAudit.ini
In this file, you can find the following sections:
Current Version
This section is similar to the one that is found in NT, and contains the same
parameters:
Name | Data | Default Value
InstallDate | Date of the installation day |
MajorVersion | Major version number |
MinorVersion | Minor version number |
UserName | Name of the user who installed the software |
Components
Paths
Name | Data | Default Value
RootPath | | eaudit_root/
BinPath | Location of the binary files library | bin/
LibPath | Location of file library | lib/
DllPath | Location of the dll files library | lib/
Ports
Notes: These parameters are to be used in one of the following two cases:
• The default port is busy.
• The service cannot get the dynamic port from the portmapper.
Name | Data | Default Value
MonitorPort | Type = String Value; Value = port number. Used by Action Manager (action "monitor") and Monitor | By default the port is assigned by the portmapper
RouterPort | Type = String Value; Value = port number. Used by Redirector and Router | By default the port is assigned by the portmapper
RouterSapiPort | Type = String Value; Value = port number. Used by SAPI senders and Router | By default the port is assigned by the portmapper
CollectorPort | Type = String Value; Value = port number. Used by Action Manager (action "collector") | By default the port is assigned by the portmapper
DistributionPort | Type = String Value; Value = port number. Used by Distribution Server and Distribution Agent | 8025
SNMPRecorderPort | Type = String Value; Value = port number. Used by SNMPRecorder | 162
SNMPTrapPort | Type = String Value; Value = port number. Used by Action Manager (action "snmp") | 162
Messages
Name | Data | Default Value
MessageFile | Message file location | eaudit_root/messages/message.txt
Severity
Under this section, you can find several sub-sections with the same values:
Targets (Mandatory) and SkipTimeout (Optional). Only the default SkipTimeout
value differs in each sub-section.
In the example below, we show the first sub-section with the two values, and
then a table with the list of Default SkipTimeout Values in the other sub-sections.
Fatal
Name | Data | Default Value
Targets | | Monitor,Log
SkipTimeout | Minimal timeout between two identical messages | 0 seconds
Sub-section Name | Default SkipTimeout Value
Critical | 0 seconds
Error | 60 seconds
Warning | 60 seconds
Info | 60 seconds
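The SkipTimeout mechanism described above, shown as an added example (this is not eTrust Audit's own code): a filter that drops a self-monitoring message identical to one already sent within that severity's SkipTimeout, using the default values from the table. The message stream and its text format are constructed for the illustration; the page does not describe the internal message layout.

```python
"""Suppression of repeated self-monitoring messages by severity sub-section.

Added illustration of the Severity sub-sections: each sub-section has a
SkipTimeout, the minimal gap between two identical messages. Not eTrust
Audit's own code; the defaults are the ones the table lists, and the
sample message stream below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Default SkipTimeout per sub-section, in seconds (from the table above).
DEFAULT_SKIP_TIMEOUT: Dict[str, int] = {
    "Fatal": 0,
    "Critical": 0,
    "Error": 60,
    "Warning": 60,
    "Info": 60,
}


@dataclass
class SkipFilter:
    """Drops a message identical to one already sent within SkipTimeout seconds."""
    skip_timeout: Dict[str, int] = field(default_factory=lambda: dict(DEFAULT_SKIP_TIMEOUT))
    last_sent: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def should_send(self, severity: str, text: str, now: float) -> bool:
        if severity not in self.skip_timeout:
            raise ValueError(f"unknown severity sub-section: {severity}")
        timeout = self.skip_timeout[severity]
        key = (severity, text)
        last = self.last_sent.get(key)
        # A timeout of 0 (Fatal, Critical by default) never suppresses anything.
        if timeout > 0 and last is not None and now - last < timeout:
            return False
        self.last_sent[key] = now
        return True


def run(messages: List[Tuple[float, str, str]],
        skip_timeout: Optional[Dict[str, int]] = None) -> List[Tuple[float, str, str]]:
    """Return the messages that reach the Targets (Monitor, Log) after suppression."""
    flt = SkipFilter(dict(skip_timeout or DEFAULT_SKIP_TIMEOUT))
    return [m for m in messages if flt.should_send(m[1], m[2], m[0])]


# Constructed sample stream: (timestamp in seconds, severity, text).
SAMPLE = [
    (0.0, "Error", "router: connection refused"),
    (10.0, "Error", "router: connection refused"),   # identical, within 60 s: dropped
    (30.0, "Info", "recorder started"),
    (45.0, "Error", "router: connection refused"),   # still within 60 s of t=0: dropped
    (61.0, "Error", "router: connection refused"),   # window expired: sent again
    (62.0, "Critical", "collector unreachable"),
    (63.0, "Critical", "collector unreachable"),     # SkipTimeout 0: never suppressed
    (70.0, "Error", "disk full"),                    # different text: sent
]

if __name__ == "__main__":
    for ts, sev, text in run(SAMPLE):
        print(f"{ts:6.1f} {sev:<8} {text}")
```

Note that the window is measured from the last message actually sent, not from the last one suppressed, so a fault that repeats every 10 seconds is reported once per 60 seconds rather than silenced for as long as it keeps repeating.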
Targets
Monitor
Name | Data | Default Value
LibraryName | | GMON
Host | The location of the self monitor host |
MonitorPort | In case the monitor host and the local host are found on opposite sides of the firewall, the monitor can be defined by the user and not only by port mapping. (Optional value) |
RetryTimeout | How long to wait before retrying to connect | 3600 seconds (60 minutes)
TransmitTimeout | How long to wait in the transmission request | 5 seconds
Parameters
Mail
For future use.
Client
Recorders
Name | Data | Default Value
RecordersIniFile | The path to the recorders ini file | ini/recorder.ini
DefaultRouter | Default router that should be used by any recorder. An empty parameter means using the local host. |
SNMP Recorder
Name | Data | Default Value
MPFile | Mapping file used for parsing received messages | cfg/snmptd_rec.mp
Router
Name | Data | Default Value
RulesDirectory | | cfg/ (Optional value)
Rules extension | | cfg
Queue Manager
Queues
Name | Data | Default Value
DirectoryName | Directory name | …eaudit_root/dat/Queue/route
AlertQueue
Queue Rules
Name | Data | Default Value
monitor | | monitor;
screen | | screen;
snmp | | snmp;
Queue Parameters
Name | Data | Default Value
MaxFileNum | | 10
MaxFileSize | | 500KB
MaxActionTime | The maximal time the action manager operates in the queue before moving to another queue. | 500 milliseconds
MinActionTime | The minimal time the action manager operates in the queue before moving to another queue. | 20 milliseconds
SleepTime | | 3 seconds
RetryDelay | The amount of time that passes before trying to transmit a message again. | 600 seconds (10 minutes)
MaxLifeTime | The maximal time a message can be in the queue before it is erased. | 86400 sec (24 hours)
DeleteOldFiles | When this parameter is set to 1, then when the number of files in the queue equals the number set in the MaxFileNum parameter, the oldest file is deleted. If you do not want to lose any record, set this parameter to 0. If you do not want the router to stop until the oldest file is processed, set the parameter to 1. (Optional value) | 1
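The queue parameters above (the same names appear in the NT registry tables earlier in this chapter and in this eAudit.ini section) decide whether a record survives a collector outage or is thrown away. The following is an added model, not eTrust Audit's own code: it assumes one spool file per MaxFileSize bytes and at most MaxFileNum files per queue, and runs a simulated outage with DeleteOldFiles set to 1 and to 0 so the trade-off between losing records and stopping the router is visible in numbers.

```python
"""Queue Manager spool files: how MaxFileNum, MaxFileSize, MaxLifeTime and
DeleteOldFiles decide whether audit records are kept or dropped.

Added model for the AlertQueue / CollectionQueue parameters (NT registry keys
and UNIX eAudit.ini values carry the same names). Not eTrust Audit's own code:
the spool layout (one file per MaxFileSize bytes, at most MaxFileNum files per
queue) is an assumption made to show how the parameters interact.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Msg:
    ts: float   # time the record was queued, in seconds
    size: int   # bytes


@dataclass
class QueueParams:
    max_file_num: int = 10
    max_file_size: int = 500 * 1024   # 500KB
    max_life_time: int = 86400        # 24 hours
    retry_delay: int = 600            # 10 minutes
    delete_old_files: int = 1


@dataclass
class SpoolQueue:
    params: QueueParams
    files: List[List[Msg]] = field(default_factory=lambda: [[]])
    cur_bytes: int = 0     # bytes in the newest spool file
    lost: int = 0          # records dropped with the oldest file (DeleteOldFiles=1)
    expired: int = 0       # records that outlived MaxLifeTime
    blocked: bool = False  # router stopped: queue full and DeleteOldFiles=0

    def enqueue(self, m: Msg) -> bool:
        """Return True if the record was spooled, False if the router must stop."""
        p = self.params
        if self.cur_bytes + m.size > p.max_file_size:
            if len(self.files) >= p.max_file_num:
                if p.delete_old_files == 1:
                    self.lost += len(self.files.pop(0))   # oldest file erased
                else:
                    self.blocked = True
                    return False
            self.files.append([])
            self.cur_bytes = 0
        self.files[-1].append(m)
        self.cur_bytes += m.size
        return True

    def retry(self, now: float, target_up: bool) -> int:
        """One action-manager pass: drop expired records, deliver if the target answers."""
        delivered = 0
        kept: List[List[Msg]] = []
        for f in self.files:
            live = [m for m in f if now - m.ts < self.params.max_life_time]
            self.expired += len(f) - len(live)
            if target_up:
                delivered += len(live)
            elif live:
                kept.append(live)
        self.files = kept or [[]]
        self.cur_bytes = sum(m.size for m in self.files[-1])
        if target_up:
            self.blocked = False
        return delivered

    def pending(self) -> int:
        return sum(len(f) for f in self.files)


def outage(delete_old_files: int, hours_down: float, rate_per_sec: int = 1,
           rec_size: int = 512) -> Tuple[int, int, int, bool]:
    """Simulate a collector outage with the default queue parameters.

    Returns (records accepted, records lost to file deletion, records expired,
    whether the router ended up blocked).
    """
    q = SpoolQueue(QueueParams(delete_old_files=delete_old_files))
    accepted = 0
    for t in range(int(hours_down * 3600)):
        for _ in range(rate_per_sec):
            if q.enqueue(Msg(ts=t, size=rec_size)):
                accepted += 1
        if t % q.params.retry_delay == 0:
            q.retry(now=t, target_up=False)   # target still down
    return accepted, q.lost, q.expired, q.blocked


if __name__ == "__main__":
    # With 512-byte records a 500KB file holds 1000 of them, so ten files hold
    # 10000 records: a little under three hours at one record per second.
    for mode in (1, 0):
        print(f"DeleteOldFiles={mode}, 4 h outage:", outage(mode, 4.0))
```

With the defaults, a four-hour outage at one record per second loses 5000 of 14400 records when DeleteOldFiles is 1, and loses nothing but stops the router after 10000 records when it is 0; raising MaxFileNum or MaxFileSize moves that threshold, while MaxLifeTime discards records independently of it once they are older than 24 hours.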
CollectionQueue
Queue Rules
Name | Data | Default Value
Collector | | Collector;
Queue Parameters
These parameters are identical to the AlertQueue queue parameters, but some of them have different default values.
Name | Data | Default Value
MaxFileNum | | 10
MaxFileSize | | 500KB
MaxActionTime | | 500 milliseconds
MinActionTime | | 10 milliseconds
SleepTime | | 3 seconds
RetryDelay | | 900 seconds (15 minutes)
MaxLifeTime | | 259200 sec (72 hours)
DeleteOldFiles | | 1
Default
Queue Rules
The default sub-section has no key rules; it gets all the rules of the other subsections.
Queue Parameters
These parameters are identical to the AlertQueue queue parameters, but some of
them have different default values.
Name | Data | Default Value
MaxFileNum | | 10
MaxFileSize | | 500KB
MaxActionTime | | 500 milliseconds
MinActionTime | | 10 milliseconds
SleepTime | | 3 seconds
RetryDelay | | 1800 seconds (30 minutes)
MaxLifeTime | | 86400 sec (24 hours)
DeleteOldFiles | | 1
Actions
Mail
Parameters
Name | Data | Default Value
MailSubject | The subject line for eTrust Audit 1.5’s outgoing e-mail. | Notification from eTrust Audit 1.5 (eTrustAudit: Notification)
Unicenter
Parameters
Name | Data | Default Value
UnicenterHome | Used by script to set environment variables. (Optional value) |
Management Agent
Name | Data | Default Value
TrustedServers | The host on which Policy Manager is installed: the server or servers from which the client will accept new policies. During setup, you can define only one server as a trusted server, recognized by the Distribution Agent Service. This value lets you add more servers to be recognized as trusted servers, by editing the value and adding more servers, separated by a comma. |
Parameters
All the values listed below are optional.
Name | Data | Default Value
TmpPolicyDir | Temporary policy directory | …eaudit_root/dat/tmp/agent_tmp_policies
ConnectionTimeout | | 600 seconds
ReceiveTimeout | Internal parameter for the TCP session | 10 seconds
SendTimeout | Internal parameter for the TCP session | 10 seconds
DistributionTimeout | The time period from the start of the session until the agent receives the policy | 800 seconds
AN Types
Under AN Types, you can find the different event log sources.
Note: All the following event log sources have a Parameters section that contains no values.
NT
Name | Data | Default Value
LibraryName | | TALR
UNIX
Name | Data | Default Value
LibraryName | | TGNR
eTrust Access Control
Name | Data | Default Value
LibraryName | | TGNR
Oracle
Name | Data | Default Value
LibraryName | | TGNR
Netscape
Name | Data | Default Value
LibraryName | | TGNR
Apache
Name | Data | Default Value
LibraryName | | TGNR
recorder.ini
Recorder Modules
The recorders supported by eTrust Audit in UNIX are:
• File Spooler (UNIX native recorder)
• Netscape
• Apache
• Oracle
Each recorder has its own section in the recorder.ini file, which bears its name.
The following tables will detail the various parts of the recorders, as mentioned
in the sections devoted to each recorder, while indicating which of the definitions
or parameters are found in all recorder sections and which are specific to a
certain kind of recorder.
Definitions
The following definitions are found in all UNIX recorders supported by eTrust
Audit, except for the last definition, ORACLE_HOME, which is found only in the
Oracle recorder:
Definition | Meaning | Default Value
ModuleName | Unique name for the Recorder Module |
LibraryPrefix | Prefix for the Recorder Module's library name |
Active | Activates the recorder module |
SleepInterval | The time, in seconds, that the service sleeps after each record. | 1
SendInterval | The time, in seconds, that the service sleeps after each record. | 10
MaxSeqNoSleep | The maximum number of records sent before sleeping. | 50
ORACLE_HOME | Where Oracle is found on the file system |
Parameters
The Parameters section is found in all UNIX recorders supported by eTrust Audit. However, there is a significant difference between Oracle and the other recorders in regard to this section:
• In all recorders except for Oracle, you can find two parameters under this section. DatFilePath is a mandatory parameter, found in all UNIX recorders supported by eTrust Audit. MPDebug is an optional parameter and is found in all recorders except Oracle.
• Except for the DatFilePath parameter described earlier, and the MP file, which is found under the Log Data section in the other recorders and is therefore described under that section, Oracle has additional parameters that are not found in the other recorders. These are the other parameters in this table.
Parameter Name | Meaning | Default Value
DatFilePath | Relative path to the .dat file | UNIX: dat/recorders/syslog.dat; Netscape: dat/recorders/netscape.dat; Apache: dat/recorders/apache.dat; Oracle: dat/recorders/oracle.dat
MPDebug | 1: debug information for the message parser is generated |
ORACLE_SID | DB name on the local machine |
TWO_TASK | Remote database host name | ORACLE_HOME/network/admin/tnsnames.ora
Password | User password |
Username | User name |
Log Data
Under this section, you can find parameters for the log. The file spooler has two
logs: syslog and sulog. Other recorders have only one log, which bears their
name: Netscape or Apache.
Notes:
• This section is not found in the Oracle recorder directory, and the only parameter here that is found also in Oracle is the MPfile parameter, which is located under the Parameter section in Oracle.
• The ConfigFile and Source parameters are found only in syslog.
Parameter | Meaning | Default Value
LogName | The recorder name: Unix, Netscape or Apache |
StartOver | 1: restarts reading the log files (ignores the .dat file) | 0
SendUnmatched | 0: sends only logs that are matched to the mp file; 1: sends all events | 0
SkipCurrentLogs | 0: skips the log files defined under log_files | 0
MPfile | Relative path to the .mp file | UNIX: cfg/syslog.mp or cfg/sulog.mp; Netscape: cfg/netscape.mp; Apache: cfg/apache.mp; Oracle: cfg/oracle.mp
ConfigFile | Relative path to the syslog configuration file | /etc/syslog.conf
Source | 0: takes the log files defined in the default configuration file named by the ConfigFile parameter, plus all log files found in the LogFiles section; 1: takes only the log files defined in the default configuration file | 1
LogFiles | List of paths to log files from which records are to be read | In sulog: log1; in Netscape: NETSCAPE_LOGS; in Apache: APACHE_LOGS
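How the Source, ConfigFile and LogFiles parameters combine into the set of files the syslog recorder actually reads, as an added example (this is not eTrust Audit's recorder code). It assumes the standard syslog.conf layout of a selector followed by whitespace and an action, and treats LogFiles as a plain list of paths; the syslog.conf and the LogFiles list below are constructed samples.

```python
"""Which files a UNIX syslog recorder reads, from Source, ConfigFile and LogFiles.

Added example for the Log Data parameters above; not eTrust Audit's own
recorder code. Assumes the usual syslog.conf layout (selector, whitespace,
action) and that LogFiles holds one path per entry; the configuration and
log list below are constructed samples.
"""
from typing import List


def parse_syslog_conf(text: str) -> List[str]:
    """Return the log file paths named as actions in a syslog.conf, in order."""
    paths: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                             # selector without an action
        action = parts[-1]
        # Only plain files are log files; '@host', '*' and '|pipe' are not.
        if action.startswith(("/", "-/")):
            path = action.lstrip("-")            # '-' means unsynchronised write
            if path not in paths:
                paths.append(path)
    return paths


def recorder_log_files(source: int, config_text: str, log_files: List[str]) -> List[str]:
    """Source=1: only the files from ConfigFile; Source=0: those plus LogFiles."""
    if source not in (0, 1):
        raise ValueError("Source must be 0 or 1")
    files = parse_syslog_conf(config_text)
    if source == 0:
        for p in log_files:
            if p not in files:
                files.append(p)
    return files


# Constructed sample /etc/syslog.conf.
SAMPLE_SYSLOG_CONF = """
# constructed sample, not a real host's configuration
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                        /var/log/secure
mail.*                            -/var/log/maillog
*.emerg                           *
kern.*                            @loghost
local7.*                          /var/log/boot.log
"""

# Constructed LogFiles entries: one already covered by syslog.conf, one not.
SAMPLE_LOG_FILES = ["/var/log/secure", "/var/log/app/audit.log"]

if __name__ == "__main__":
    for source in (1, 0):
        print(f"Source={source}:", recorder_log_files(source, SAMPLE_SYSLOG_CONF, SAMPLE_LOG_FILES))
```

The practical consequence is that with the default Source of 1, a log written by an application that does not go through syslog (the second entry in SAMPLE_LOG_FILES) is never read, however it is listed under LogFiles; only Source=0 adds those paths.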
Appendix A
Advanced Options
This chapter contains information regarding the following tasks:
■ Changing your encryption key, changing your encryption method, or eliminating encryption
■ Changing the value for MailSender in the registry keys for mail action for the SMTP server
■ Setting up eTrust Audit 1.5 with a firewall between components
■ Preparing your computer to use the Collector or Viewer software with the Oracle Server database type
■ Configuring Microsoft SQL Server to let the Collector service access the event database by using Windows NT native authentication
■ Changing your database type
■ Using advanced Policy Manager options
■ Using the Rule Wizard
■ Customizing the eAudit viewer
■ Using the Encup utility
■ Security-related Windows NT Event Ids
■ Debug Options
Encryption
By default, the information eTrust Audit 1.5 sends from station to station is
encrypted.
You can change your encryption key, switch to a different encryption cipher, or
turn off encryption. Whatever you do about encryption, you should do the same
thing at every station where eTrust Audit 1.5 is installed. Note, however, that
unencrypted information will be accepted from all sources.
As originally installed, eTrust Audit 1.5 uses 56-bit DES encryption.
Changing Your Encryption Key
You can change the encryption key at any time, and you can change back to the
default key at any time. But whenever you change the key at any station, you
must make the same change at all stations.
eTrust Audit generates new keys by using the MD5 hashing function. They can
be based on a file or string of any size.
To change the encryption key:
1. Stop the eTrust Audit 1.5 services and Security Monitor, if installed.
2. From the command line, use the setkey utility, located in the audit\bin directory (where audit is the directory in which you installed eTrust Audit 1.5).
3. Restart the services and Security Monitor.
Setkey options
Option | Description
-c | Clears the user key and sets a default key
-f[e] filename | Specifies the contents of filename as the basis for the new encryption key. If the file is not in the current directory, you can include an absolute or relative pathname. If you use -fe, the file is then deleted. If you use -f, the file remains.
-help | Displays these syntax options.
-k newkey | Installs newkey as the basis for the new encryption key.
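An added illustration of the key derivation described in this section, which is not setkey's code: the page states only that new keys are generated with the MD5 hashing function from a file or string of any size and that the cipher is 56-bit DES. How the 128-bit digest becomes a DES key is not documented, so the truncation to 8 bytes and the DES odd-parity adjustment below are assumptions; what the example does show is that the key is a deterministic function of the input, which is why the same file or string must be given at every station.

```python
"""Deriving a 56-bit DES key from an MD5 hash of a passphrase or file.

Added illustration for the key-change procedure above. Only the use of MD5
and of 56-bit DES comes from the page; the truncation and parity step is an
assumption and this is not setkey's code.
"""
import hashlib
from typing import Iterable


def des_key_from_digest(digest: bytes) -> bytes:
    """Take the first 8 digest bytes and set each byte's low bit to odd parity.

    DES keys are 64 bits of which 56 are used; the low bit of each byte is a
    parity bit by convention, so only 56 bits of the digest survive.
    """
    out = bytearray()
    for b in digest[:8]:
        top7 = b & 0xFE
        ones = bin(top7).count("1")
        out.append(top7 | (0 if ones % 2 == 1 else 1))
    return bytes(out)


def key_from_string(s: str) -> bytes:
    """Equivalent of basing the key on a string (setkey -k)."""
    return des_key_from_digest(hashlib.md5(s.encode("utf-8")).digest())


def key_from_file(path: str) -> bytes:
    """Equivalent of basing the key on a file's contents (setkey -f)."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return des_key_from_digest(h.digest())


def stations_agree(keys: Iterable[bytes]) -> bool:
    """The procedure requires the same key everywhere: every derived key must match."""
    return len(set(keys)) == 1


if __name__ == "__main__":
    k = key_from_string("constructed example passphrase")
    print(k.hex(), len(k) * 8, "bits")
```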
Turning off Encryption
To turn off encryption in Windows NT or Windows 2000, delete the
\winnt\system32\adcipher.dll file.
To turn off encryption in UNIX, delete the /usr/lib/adcipher.so file.
SMTP
eTrust Audit 1.5 uses SMTP by default.
If you are having trouble with mail delivery that uses SMTP, you may need to
change the value for MailSender in the registry keys for mail action
(HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\etrustAudit\
Mail).
For certain SMTP servers, the value of MailSender must represent an existing
mail account, with the format name@domain — for example,
[email protected].
Firewall
If you are installing Security Monitor, the Router or the Collector service on one
side of a firewall, and the recorder and router services on the opposite side, and
the firewall allows port 111 from outside the network (portmapper port), then no
further action is necessary. But if the firewall does not allow communication to
the portmapper in the protected network, the client and the server (the redirector
service, the router service and the Collector service) must be made to agree on a
specific port.
You can ensure agreement by setting the same value in the registry at the client
and Collector stations.
1. At the client stations, edit the registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit 1.5\Ports (for example: HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit 1.5\ports\MonitorPort). For details, see Ports.
2. Enter the same name and value at the target station.
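A check for the agreement this procedure requires, and for the Ports values described in the eAudit.ini chapter, as an added example that is not an eTrust Audit utility. It assumes the UNIX eAudit.ini carries a plain INI section named [Ports] with the value names from that table (MonitorPort, RouterPort, RouterSapiPort, CollectorPort, DistributionPort, SNMPRecorderPort, SNMPTrapPort); the two station configurations are constructed samples, one of them deliberately wrong on two values.

```python
"""Check that two eTrust Audit stations agree on fixed ports.

Added example for the Ports section of eAudit.ini and the Firewall
procedure; not an eTrust Audit utility. Assumes eAudit.ini uses an INI
section named [Ports] holding the value names the Ports table lists. The
two configurations below are constructed samples.
"""
import configparser
from typing import Dict, List

PORT_KEYS = ("MonitorPort", "RouterPort", "RouterSapiPort", "CollectorPort",
             "DistributionPort", "SNMPRecorderPort", "SNMPTrapPort")
PORTMAPPER_PORT = 111   # what the firewall must pass when a port is left dynamic

# Constructed sample: the client station (recorder and router) behind the firewall.
CLIENT_INI = """
[Ports]
RouterPort = 7123
CollectorPort = 7124
DistributionPort = 8025
"""

# Constructed sample: the Collector station on the other side of the firewall.
COLLECTOR_INI = """
[Ports]
RouterPort = 7123
CollectorPort = 7125
DistributionPort = 8025
SNMPTrapPort = 0
"""


def load_ports(ini_text: str) -> Dict[str, str]:
    """Parse the [Ports] section; value names keep the case they are written in."""
    cp = configparser.ConfigParser()
    cp.optionxform = str
    cp.read_string(ini_text)
    return dict(cp["Ports"]) if cp.has_section("Ports") else {}


def check_ports(ports: Dict[str, str]) -> List[str]:
    """Return problems found in one station's Ports section."""
    problems: List[str] = []
    for name, value in ports.items():
        if name not in PORT_KEYS:
            problems.append(f"unknown value name {name}")
            continue
        if not value.isdigit() or not 1 <= int(value) <= 65535:
            problems.append(f"{name}={value!r} is not a valid TCP/UDP port")
    return problems


def compare_stations(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """A port fixed on either side must be fixed to the same value on both."""
    findings: List[str] = []
    for key in PORT_KEYS:
        va, vb = a.get(key), b.get(key)
        if va is None and vb is None:
            findings.append(f"{key}: dynamic on both sides; firewall must pass port {PORTMAPPER_PORT}")
        elif va is None or vb is None:
            findings.append(f"{key}: fixed on one side only ({va or vb}); set it on both")
        elif va != vb:
            findings.append(f"{key}: mismatch {va} vs {vb}")
    return findings


if __name__ == "__main__":
    client, collector = load_ports(CLIENT_INI), load_ports(COLLECTOR_INI)
    for line in check_ports(client) + check_ports(collector) + compare_stations(client, collector):
        print(line)
```

Run against the two samples, the check reports the CollectorPort mismatch, the SNMPTrapPort set on one side only (and to an invalid value), and the three ports that neither side fixed, which therefore still depend on the portmapper being reachable through the firewall.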
Configuring an Oracle client
At each station where you want to work with an Oracle Server database, you
must configure an Oracle-Net client. To do so, use the Oracle Net8 Easy Config
utility in the Oracle for NT application group.
1. Ensure that you have the following information (if you are unsure, consult your Oracle Server DBA):
   The Oracle Server’s host name
   The Oracle Server’s port number (usually 1521)
   The username and password of the Oracle account where the eTrust Audit 1.5 tables are defined
2. Next, start the Oracle Net8 Easy Config utility and request Add New Service.
3. Choose a name for the service. Any name is acceptable, but it is recommended to use the same name for all users.
4. In the next dialog, select TCP/IP.
5. Specify the host name. Unless you have a local reason to change the port number, leave 1521 selected.
6. Specify the database SID name.
7. Check the new connection by clicking the Test Service option.
8. Enter the username and password, and then click Test. If the result is positive, the connection is properly defined. Otherwise, consult your Oracle Server DBA.
Windows NT Authentication with Microsoft SQL Server
In configuring the Collector service’s login to the event database, you have two
options — Microsoft SQL Server authentication and Windows NT authentication
with the network login ID.
Microsoft SQL Server authentication requires you to enter a username and
password each time the Collector service starts. Windows NT authentication
allows a silent login.
To use Windows NT authentication, several configuration tasks are required. If
you have any questions, consult your DBA.
■ The Collector should be in the same domain as the database, or in a trusted domain.
■ The user account for the Collector service in Microsoft SQL Server should be preconfigured in Windows NT. It is recommended to create a new user with a single account name for use in both Windows NT and Microsoft SQL Server. In Microsoft SQL Server, make the event database the default database for the account. The Collector service will log in to the database under this account.
■ The Login Security Mode for the database must be either “Windows NT Integrated” or “Mixed.”
■ You must configure the ODBC drivers appropriately, either during eTrust Audit 1.5 setup or from the Control Panel in NT (or the Administrative Tools in the Control Panel, in Windows 2000). Select Windows NT authentication with the network login ID.
■ After eTrust Audit 1.5 installation, you must configure the Collector service to access the database as the new user you created. In the Control Panel’s Services dialog, select the “eAudit Collector” and click Startup, Log On As This Account. Then select the user you created for the Collector service.
Changing the Database Type
At installation time, you specify the database type for the event database: Microsoft Access (versions 97 and higher), Oracle Server (versions 7.0 and 8.05), or Microsoft SQL Server (versions 6.5, 7.0 and 2000).
To change the database type, it is recommended that you reinstall the Collector.
Note that in such case, the data stored in the old database will not be moved to
the new database.
1. Use the ODBC tool in Windows NT’s control panel (or the Administrative Tools in the Control Panel, in Windows 2000) to set up your new database.
2. If there is a difference in DSN between the old and new databases, update the Audit value under the HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit 1.5\Data Server\Database key. You can also use this key to update the username and password by using the Encup utility.
Policy Manager Options
You can control the refresh rate of two of the Policy Manager windows and the
Policy Manager appearance by using the Options tool or by selecting the Options
command from the Tools menu, as shown in the following illustration:
The Options window has two tabs: Data View and Appearance, as shown here:
The Data View tab lets you set the automatic refresh time of the Audit Nodes and
Policy Activation Log windows.
The Appearance tab lets you display large buttons at the toolbar, as well as
displaying the main window in a workbook (spreadsheet) style.
The Rule Wizard
The rule wizard lets you create rules by using the Include Events and Exclude
Event buttons. The two following figures show how you can define conditions
with the Field button, as shown in the following illustration:
Here we have seen how to include events where NT event type is equal to
success. Of course, you can also exclude events and use other operations such as
different than, less than and so on. In the example shown in the following
illustration we have included and excluded several event types with various
operations:
When you create a filter that can include several “Include events” and “Exclude
events ” condition groups, the relation between the condition groups is this:
(Include Or Include) And (Exclude Or Exclude).
To understand that, let us create a filter that includes the following sub-condition groups:
■ Include all events that happened until 19/6/2001, whose severity is “Critical,” or:
■ Include all events that happened from 19/6/2001 onwards;
■ Exclude all events that happened on 13/6/2001, whose severity is “Critical,” or:
■ Exclude all events that happened on 20/6/2001.
To create this filter, click Include events and add the first condition: Severity
equal to Critical.
Now click Add to List. Note that as long as you do not click Exclude events, or
click again Include events, any condition you add by using Add to List is joined
to the same condition group to which the previous one belongs, with an “and”
relation.
Now select the field Date less than 19 Jun 2001 and click Add to List again. The event should now meet both conditions: having a “Critical” severity type and happening before 19/6/2001.
Now click Include events to add another condition group. When you add a condition group this way, the event must meet the conditions specified either in the first condition group or in the newly created group.
Define the condition shown in the following illustration, and then click Add to
List:
Now click Exclude events. By so doing, you state that besides meeting the
conditions specified in one of the two condition groups mentioned earlier, the
event must meet all conditions mentioned from now on.
Add the two conditions shown in the following illustration, and click Add to List
after each condition:
Now click again Exclude events and add the following condition:
Our task is now complete. If you want to view the script of the conditions, click
Show script. If you want to remove one of the conditions, click Remove. You can
use this button in two ways:
■ Remove a condition. To do that, highlight the line of that condition and click Remove. Note that if you remove the first condition, as shown previously, the other condition’s text is changed (from “and date” to “where date”).
■ Remove a condition group. To do that, highlight the line with the Include events or Exclude events token and click Remove. All that group’s conditions (that is, all lines until the next Include events or Exclude events line) will be deleted.
Reduce Events Example
Sometimes we may have events that occur many times in a certain time frame,
but we would like to be notified only about the first event, or perhaps only once
or a few times a day.
For example, if we have a vast number of computers in the organization, we may receive notifications of licensing expiration events every twenty minutes, thus getting thousands of notifications regarding the same event, when we want to be notified only about the first one. The same may occur when a user’s computer is connected to the network during hours when the user is not authorized to work. In such a case, we may get a warning notification every few minutes, and eventually our database will be filled with thousands of unwanted records. The following example shows you how to exclude the unwanted event notifications within a certain time frame.
The event is processed once, and only when the time frame that we set has passed is the event reprocessed. (The time frame of 3600 mentioned in the example is expressed in seconds.)
After you create a rule for a specific event, you must add this definition to the rule manually before attaching an action and distributing the policy.
Exclude Int
$Host_%SAPI_LOCATION_FLD_RL%_UserName_%SAPI_USER_FLD_RL%_Count exists
Do Int
Define $Host_%SAPI_LOCATION_FLD_RL%_UserName_%SAPI_USER_FLD_RL%_Count
Value(1) ExpireSinceLastModified(3600)
Note: This rule should be handled with much care, because using it may cause
loss of events. You need to be very precise about the type of events that would
activate this rule.
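A counter-expiry model of this rule, added here as an example and not part of the guide or of eTrust Audit: the hypothetical reduce_should_process function plays the role of the Exclude/Do pair above, building the same $Host_..._UserName_..._Count key and treating a counter as expired once 3600 seconds have passed since it was defined (an assumed reading of ExpireSinceLastModified).

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical stand-in for the policy engine's counter store: one entry per
 * "$Host_<host>_UserName_<user>_Count" key, with its definition time. */
#define RE_MAX_COUNTERS 64
#define RE_KEY_LEN      256
#define RE_EXPIRE_SECS  3600   /* ExpireSinceLastModified(3600) from the rule */

struct re_counter {
    char   key[RE_KEY_LEN];
    long   value;        /* Value(1) in the rule */
    time_t modified;     /* when the counter was last (re)defined */
    int    in_use;
};

static struct re_counter re_table[RE_MAX_COUNTERS];

/* Build the counter name the way the rule's %..._RL% substitution would. */
static int re_make_key(char *out, size_t n, const char *host, const char *user)
{
    int len = snprintf(out, n, "$Host_%s_UserName_%s_Count", host, user);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

static struct re_counter *re_find(const char *key)
{
    for (int i = 0; i < RE_MAX_COUNTERS; i++)
        if (re_table[i].in_use && strcmp(re_table[i].key, key) == 0)
            return &re_table[i];
    return NULL;
}

static struct re_counter *re_free_slot(void)
{
    for (int i = 0; i < RE_MAX_COUNTERS; i++)
        if (!re_table[i].in_use)
            return &re_table[i];
    return NULL;
}

/*
 * Returns 1 when the event should be processed (no live counter for this
 * host/user pair, so the Do branch defines one), 0 when the Exclude branch
 * suppresses it, -1 on error (key too long or table full).
 * A counter counts as expired once RE_EXPIRE_SECS have elapsed since it was
 * defined (assumed reading of ExpireSinceLastModified).
 */
int reduce_should_process(const char *host, const char *user, time_t now)
{
    char key[RE_KEY_LEN];
    struct re_counter *c;

    if (re_make_key(key, sizeof key, host, user) != 0)
        return -1;

    c = re_find(key);
    if (c != NULL) {
        if (now - c->modified < RE_EXPIRE_SECS)
            return 0;              /* "..._Count exists" -> Exclude */
        c->in_use = 0;             /* expired: drop it and redefine below */
    }

    c = re_free_slot();
    if (c == NULL)
        return -1;
    strcpy(c->key, key);           /* safe: key fits, checked in re_make_key */
    c->value = 1;                  /* Do: Define ... Value(1) */
    c->modified = now;
    c->in_use = 1;
    return 1;
}

int main(void)
{
    /* Constructed sample: the same licensing warning repeating every 20 minutes. */
    const time_t t0 = 1000;
    for (int i = 0; i < 5; i++) {
        time_t t = t0 + i * 1200;
        printf("t=%ld host=srv1 user=alice -> %s\n", (long)t,
               reduce_should_process("srv1", "alice", t) ? "process" : "suppress");
    }
    return 0;
}
```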
Customizing the Viewers
The main windows of both Audit Viewer and Security Monitor are customizable.
■ You can hide and redisplay the toolbar and status bar.
■ You can add up to 10 user-defined columns.
■ You can resize columns.
■ You can change certain graphical properties of the window and table as a whole, such as line colors and current-cell highlighting.
■ You can change the graphical style of specific data types; for example, you can change the font and color of numeric fields.
Column Width
To change column width, or even eliminate a column, follow these steps:
1. Position the pointer between column titles. The pointer’s shape changes to a double arrow.
2. Press the mouse button and drag the pointer laterally. You can drag the pointer until the column disappears.
The next time you open a Viewer window, the columns will reappear with their default widths.
Window/Table Properties
To change characteristics of the window and the table as a whole, select
Properties from the Edit menu and use the dialog box that appears. To preserve
your changes, check the Save settings to profile box.
Data Styles
Select Styles from the Edit menu. A list of data types that can be reformatted
appears. Select a type, and then click Change. Tabs provide access to all editable
characteristics such as fonts, colors, alignment, and the width and appearance of
borders.
Encup
The Encup utility passes a buffer that contains either a user name or a password
associated with that user name. The source of the information is either a file or
standard input.
The information is then encrypted and returned either to a file or to standard
output.
For a more detailed explanation of Encup, run encup -help from the command line.
Security-related Windows NT Event IDs
The following events are among those directly involved in security.

Event ID   Description
512        Windows NT startup
513        Windows NT shutdown
514        Authentication package has been loaded
515        Trusted logon process has been registered
516        Some audit messages have been discarded (full queue)
517        The event log was cleared
518        Notification package has been loaded
528        Successful logon
529        Failed logon — unknown user name or bad password
530        Failed logon — time restriction violation
531        Failed logon — account disabled
532        Failed logon — account expired
533        Failed logon — user not permitted at this computer
534        Failed logon — logon type not permitted for this user
535        Failed logon — password expired
536        Failed logon — Netlogon component not active
537        Failed logon — unexpected error
538        Logoff
539        Failed logon — account locked out
560        Object open
561        Handle allocated
562        Handle closed
563        Object open for delete
564        Object deleted
576        Special privileges assigned to new logon
577        Privilege service called
578        Privileged object operation
592        New process created
593        Process exited
594        Handle duplicated
595        Indirect access to an object
608        User right assigned
609        User right removed
610        New trusted domain
611        Removing trusted domain
612        Audit policy change
624        User account created
625        Account type changed
626        Account enabled
627        Change password attempt
628        Password set
629        Account disabled
630        Account deleted
631        Global group created
632        Global group member added
633        Global group member removed
634        Global group deleted
635        Local group created
636        Local group member added
637        Local group member removed
638        Local group deleted
639        Local group changed
640        General account database changed
641        Global group changed
642        User account changed
643        Domain policy changed
Debug
All debug options described in the following example are unsupported features, intended only for use when you switch to debug mode. The features are identical for all services.

Example for Debug
The eAudit Recorder Service

Parameters for NT
Option        Description
-debug        Specifies the debug mode (not for regular use). Debug information is sent to the command prompt window from which the SeLogRec command was sent. To terminate debug mode, press Enter.
-backuplog    Backs up the audit log

Parameters for UNIX
debug_options:
-trace          switch on TRACE
-dbglvl <n>     debug level n (from 1 to 5)
-dest1 <dest>   use dest as primary output for debug information
-dest2 <dest>   use dest as secondary output for debug information (where destinations can be STDOUT, STDERR or <FILE>)
Appendix B: Submit API
eTrust Audit provides an API, the Submit API (SAPI), to submit audit events to
the eTrust Audit router. The Submit API provides a simple means of adding new
sources of audit information to eTrust Audit. Any third-party application
intended to submit events to eTrust Audit should use the SAPI calls.
Because the ultimate objective of eTrust Audit is to enable event analysis, both
online and offline, it is important that events from different sources conform to a
single concept. On the other hand, it is vital that native auditing information be
preserved. The SAPI allows for both:
■ If a submitting application’s events are to be analyzed by eTrust Audit, it should map events to the common format. The unified format simplifies management, reporting, and analysis. For example, Intrusion Detection rules for generic events such as logon/logoff can be easily administered cross-platform.
■ Translators are functions that translate an external data representation (such as UNIX time_t) to the SAPI internal string format. Each translator is identified by name. Currently three translators are supported: string, timet and long.
■ The client is free to add fields for native information. If the fields have been registered with the eTrust Audit database, auditors can report on events from a certain source by using the terms specific to the source.
Mapping
Messages are created by mapping to fields defined in the header file
AC_SAPITokens.h. The SAPI format is completely free. However, some fields are
mandatory and others are strongly recommended.
Message routing
After mapping, the resulting message is submitted to a router. By default, events
are submitted to the router resident on the local machine. You can configure the
SAPI to submit to the router of your choice.
Following a successful submit operation, eTrust Audit provides guaranteed
delivery according to the filters and actions specified in the router’s filter rules
file (router.cfg).
Submitting a Message to the Router
Tip: You must use SAPI_Init before any other SAPI function.
Submitting events to the SAPI has a simple flow. Follow these steps:
1. Create a SAPI context by using SAPI_Init. The context is helpful in the case of multiple threads.
2. Create a message handle by using SAPI_NewMessage.
3. By using the message handle, add items (fields) to the message with SAPI_AddItem.
4. With the same handle, submit the message to the router with SAPI_SubmitMsg.
5. After a message has been successfully submitted, use SAPI_RemoveMessage to clear it from memory.
If submit fails
If the attempt to submit a message fails, you may either remove it, or try to
submit it again. If the message is not removed, it stays in memory.
Note that after the first submit attempt, the message is locked and cannot be
changed.
Compiling and linking
To use the Submit API, you must include a header file with prototypes and structure definitions in your source code. The header file is etsapi.h. For mapping, use AC_SAPITokens.h.
Library
SAPI on the Solaris UNIX platform includes two shared libraries: etsapi.so and etbase.so. In Windows NT, the corresponding files are etsapi.dll and etbase.dll.
Sample SAPI usage
The following is a simple example of SAPI usage.
The application below will send a single message containing three fields
(timestamp, user, and category of event).
Note that SAPI_Init and SAPI_DestroyCTX should be used only once per application
— not once per message as in this demonstration.
#include <stdio.h>
#include "etsapi.h"
#include "AC_SAPITokens.h"

/*
 * Usage : test [host]
 */
int main(int argc, char *argv[])
{
    SAPI_CTX      ctx;                          /* SAPI context                    */
    SAPI_HANDLE_l h;                            /* handle for new message          */
    SMStatus      rv;                           /* return value to check           */
    SMStatus      remote_rv;                    /* return value from the receiver  */
    char          msg_buffer[1024];
    long          eventId    = 123456;
    char          category[] = "General";
    char          logname[]  = "test_log";
    char          source[]   = "test_recorder";
    char          info[]     = "test_recorder information";

    rv = SAPI_Init(&ctx, NULL);                 /* Create a new SAPI context */
    if (rv != SAPI_SUCCESS)
    {
        printf("SAPI_Init: failed code : 0x%X\n", rv);
        return 1;
    }

    /* set destination host, default - localhost */
    if (argc > 1)
    {
        rv = SAPI_SetRouter(ctx, argv[1]);
        if (rv != SAPI_SUCCESS)
        {
            printf("SAPI_SetRouter: host = '%s', failed code : 0x%X\n",
                   argv[1], rv);
            return 1;
        }
        printf("Set destination host %s\n", argv[1]);
    }

    rv = SAPI_NewMessage(ctx, &h);              /* Create a new SAPI message */
    if (rv != SAPI_SUCCESS)
    {
        printf("SAPI_NewMessage: failed code : 0x%X\n", rv);
        return 1;
    }

    /* Add new items to the message */
    rv = SAPI_AddItem(ctx, h,
                      SAPI_TRANS_DATATYPE_STRING,
                      SAPI_CATEGORY_FLD,
                      category);
    if (rv != SAPI_SUCCESS)
    {
        printf("SAPI_AddItem: failed code : 0x%X\n", rv);
        return 1;
    }
    rv = SAPI_AddItem(ctx, h,
                      SAPI_TRANS_DATATYPE_LONG,
                      SAPI_NATIVEID_FLD,
                      &eventId);                /* "long" items take the address of the value */
    if (rv != SAPI_SUCCESS)
    {
        printf("SAPI_AddItem: failed code : 0x%X\n", rv);
        return 1;
    }
    rv = SAPI_AddItem(ctx, h,
                      SAPI_TRANS_DATATYPE_STRING,
                      SAPI_LOGNAME_FLD,
                      logname);
    if (rv != SAPI_SUCCESS)
    {
        printf("SAPI_AddItem: failed code : 0x%X\n", rv);
        return 1;
    }
    rv = SAPI_AddItem(ctx, h,
                      SAPI_TRANS_DATATYPE_STRING,
                      SAPI_SOURCE_FLD,
                      source);
    if (rv != SAPI_SUCCESS)
    {
        printf("SAPI_AddItem: failed code : 0x%X\n", rv);
        return 1;
    }
    rv = SAPI_AddItem(ctx, h,
                      SAPI_TRANS_DATATYPE_STRING,
                      SAPI_INFO_FLD,
                      info);
    if (rv != SAPI_SUCCESS)
    {
        printf("SAPI_AddItem: failed code : 0x%X\n", rv);
        return 1;
    }

    /* Print the content of the message to a buffer */
    rv = SAPI_DumpMessage(ctx, h, msg_buffer, sizeof(msg_buffer));
    if (rv != SAPI_SUCCESS)
    {
        printf("SAPI_DumpMessage: failed code : 0x%X\n", rv);
        return 1;
    }
    else
    {
        printf("SAPI message:\n %s\n", msg_buffer);
    }

    /* Submit the message to a SAPI router. */
    rv = SAPI_SubmitMsg(ctx, h, &remote_rv);
    if (rv == SAPI_SUCCESS)
        printf("SAPI_SubmitMsg OK, remote return code : 0x%X\n", remote_rv);
    else
        printf("SAPI_SubmitMsg: failed code :0x%X\n", rv);

    /* Remove the message from the given context. */
    rv = SAPI_RemoveMessage(ctx, h);
    if (rv != SAPI_SUCCESS)
    {
        printf("SAPI_RemoveMessage: failed code : 0x%X\n", rv);
        return 1;
    }

    /* destroy SAPI context and free all its allocations */
    rv = SAPI_DestroyCTX(ctx);
    if (rv != SAPI_SUCCESS)
    {
        printf("SAPI_DestroyCTX: failed code :0x%X\n", rv);
        return 1;
    }
    return 0;
}
SAPI reference
SAPI functions employ the following type definitions.

Type             Purpose
SAPI_CTX         SAPI context; contains state information for all SAPI calls
SAPI_HANDLE_l    SAPI message handle, used for referring to a specific message
SAPI_HANDLE_lp   Pointer to a SAPI_HANDLE_l (used by SAPI_NewMessage to return the new handle)

The SAPI uses the functions on the following pages to pass messages to the eTrust Audit router.
SAPI_Init
Note: This function must be called before any other SAPI functions can be used.
Syntax
SMStatus SAPI_Init( SAPI_CTX *ctx,
                    char *config );
Parameter   Description
ctx         Address of pointer to SAPI context
config      Configuration (reserved for future use)
SAPI_NewMessage
Syntax
SMStatus SAPI_NewMessage( SAPI_CTX ctx,
                          SAPI_HANDLE_lp handle );
Parameter   Description
ctx         SAPI context. This parameter’s value originates with SAPI_Init.
handle      Address of the handle to return on success
Description
Creates a handle to a new message in the given context. The message is also filled with automatic arguments for mandatory fields with their default values.
Return Values
The function returns SAPI_SUCCESS on success and SAPI_BADCTX_RC for an invalid SAPI context.
SAPI_AddItem
Syntax
SMStatus SAPI_AddItem( SAPI_CTX ctx,
                       SAPI_HANDLE_l handle,
                       char *item_type,
                       char *name,
                       void *value );
Parameter   Description
ctx         SAPI context. This parameter’s value originates with SAPI_Init.
handle      Handle to a message. This parameter’s value originates with SAPI_NewMessage.
item_type   The external raw data type. Currently available item types are:
            “long” — value should point to the address of a long
            “string” — value should point to a null-terminated char string
            “timet” — value should point to the address of a time_t
name        The item name
value       The binary raw data
Description
Adds a new Item to a message. If an Item by the given name already exists, it is replaced by the given Item.
Return Values
The function returns SAPI_SUCCESS on success and SAPI_BADCTX_RC for an invalid SAPI context.
SAPI_SubmitMsg
Syntax
SMStatus SAPI_SubmitMsg( SAPI_CTX ctx,
                         SAPI_HANDLE_l handle,
                         SMStatus *sapi_remote_rv );
Parameter        Description
ctx              SAPI context. This parameter’s value originates with SAPI_Init.
handle           Handle of a message to submit. This parameter’s value originates with SAPI_NewMessage.
sapi_remote_rv   Return value of the remote function
Description
Submits the message to a SAPI router. Note that after the message has been submitted, you must free it with SAPI_RemoveMessage.
Return Values
The function returns SAPI_SUCCESS on success.
SAPI_RemoveMessage
Syntax
SMStatus SAPI_RemoveMessage( SAPI_CTX ctx,
                             SAPI_HANDLE_l handle );
Parameter   Description
ctx         SAPI context. This parameter’s value originates with SAPI_Init.
handle      Handle of message to remove. This parameter’s value originates with SAPI_NewMessage.
Description
Removes a message in the given context. Use the function to clear sent messages from memory.
Return Values
The function returns SAPI_SUCCESS on success and SAPI_BADCTX_RC for an invalid SAPI context.
SAPI_DumpMessage
Syntax
SMStatus SAPI_DumpMessage( SAPI_CTX ctx,
                           SAPI_HANDLE_l handle,
                           char *buffer,
                           int size );
Parameter   Description
ctx         SAPI context. This parameter’s value originates with SAPI_Init.
handle      Handle of message to dump. This parameter’s value originates with SAPI_NewMessage.
buffer      Buffer to output to
size        Buffer size
Description
Prints the content of a message in the given context to a buffer. The function prints the string values of the message fields.
Return Values
The function returns SAPI_SUCCESS on success, SAPI_BADCTX_RC for an invalid SAPI context and SAPI_BADPARAM_RC for a buffer size that is too small.
SAPI_DestroyCTX
Syntax
SMStatus SAPI_DestroyCTX( SAPI_CTX ctx );
Parameter   Description
ctx         SAPI context. This parameter’s value originates with SAPI_Init.
Description
Frees the current SAPI context and all unsent messages and gracefully shuts down the client side of SAPI.
Return Values
The function returns SAPI_SUCCESS on success.
SAPI_SetRouter
Syntax
SMStatus SAPI_SetRouter( SAPI_CTX ctx,
                         char *hostname );
Parameter   Description
ctx         SAPI context created by the SAPI_Init function call
hostname    Name of the host where the router resides
Description
Registers the name of a new router host.
Return Values
The function returns SAPI_SUCCESS on success and SAPI_BADPARAM_RC for an invalid context.
SAPI_SetRouterPort
Syntax
SMStatus SAPI_SetRouterPort( SAPI_CTX ctx,
                             unsigned short portnum );
Parameter   Description
ctx         SAPI context created by the SAPI_Init function call
portnum     User-defined port number to be registered in portmap; 0 - port number will be set by portmap
Description
Changes the default SAPI router port number.
Return Values
The function returns SAPI_SUCCESS on success and SAPI_BADCTX_RC for an invalid SAPI context.
SAPI_SetRouterTimeout
Syntax
SMStatus SAPI_SetRouterTimeout( SAPI_CTX ctx,
                                unsigned long timeout );
Parameter   Description
ctx         SAPI context created by the SAPI_Init function call
timeout     User-defined timeout
Description
Changes the default SAPI router timeout.
Return Values
The function returns SAPI_SUCCESS on success and SAPI_BADCTX_RC for an invalid SAPI context.
SAPI return codes and errors
The following macros process return codes for all SAPI calls.
Each return code is composed from (most to least significant):
■ 1 bit — success or failure code
■ 16 bits — software component ID number. In the case of the SAPI, the ID number is 11 (SAPI_RC_BASE).
■ 12 bits — meaningful portion of return code

Macro                               Purpose
_SM_IS_FAIL(rc) (rc>>30)            Checks whether the call failed. In case of failure, the macro returns TRUE or 1.
_SM_RC_PKG(rc) ((rc>>12)&0xffff)    Extracts and returns the software component ID number.
_SM_RC_CODE(rc) (rc&0xfff)          Extracts and returns the meaningful portion of the return code.
Below are the return and error codes as defined in etsapi.h.

Name                    Construction                       Meaning
SAPI_SUCCESS            0                                  Function returned successfully.
SAPI_MALLOC_RC          _SM_RC_FAIL(SAPI_RC_BASE,1)        SAPI could not allocate memory.
SAPI_NOHANDLE_RC        _SM_RC_FAIL(SAPI_RC_BASE,2)        Requested SAPI message handle could not be found.
SAPI_BADPARAM_RC        _SM_RC_FAIL(SAPI_RC_BASE,3)        Function received a bad parameter (most commonly a NULL pointer).
SAPI_NOITEM_RC          _SM_RC_FAIL(SAPI_RC_BASE,4)        Low-level internal code, should not appear in normal operation.
SAPI_ALRDYEXIST_RC      _SM_RC_FAIL(SAPI_RC_BASE,5)        A field by the same name already exists in the message.
SAPI_UNSUPPORTED_RC     _SM_RC_FAIL(SAPI_RC_BASE,6)        Unsupported SAPI type.
SAPI_NOAUTOARG_RC       _SM_RC_SUCCESS(SAPI_RC_BASE,7)     Low-level internal code, should not appear in normal operation.
SAPI_BADCTX_RC          _SM_RC_FAIL(SAPI_RC_BASE,8)        Function got an invalid SAPI context for input.
SAPI_MSGLOCKED_RC       _SM_RC_FAIL(SAPI_RC_BASE,9)        Low-level internal code, should not appear in normal operation.
SAPI_NOTHINGTOSEND_RC   _SM_RC_SUCCESS(SAPI_RC_BASE,10)    Low-level internal code, should not appear in normal operation.
SAPI_NOTREROUTING_RC    _SM_RC_FAIL(SAPI_RC_BASE,11)       Low-level internal code, should not appear in normal operation.
SAPI_REROUTINGMODE_RC   _SM_RC_FAIL(SAPI_RC_BASE,12)       Low-level internal code, should not appear in normal operation.
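An added example, not code from etsapi.h, that decodes SAPI return codes with the three macros described above and the names from the table: the _SM_RC_FAIL and _SM_RC_SUCCESS constructors, the SMStatus width and the sapi_rc_name/sapi_rc_explain helpers are assumptions chosen so that the guide's decoding macros round-trip (failure flag in bit 30).

```c
#include <stdio.h>
#include <string.h>

/* Layout from the guide (most to least significant): 1 bit success/failure,
 * 16 bits component ID, 12 bits code. The three decoders are the guide's
 * (parenthesised here); the two constructors are assumed. */
#define SAPI_RC_BASE 11

#define _SM_IS_FAIL(rc)  ((rc) >> 30)
#define _SM_RC_PKG(rc)   (((rc) >> 12) & 0xffff)
#define _SM_RC_CODE(rc)  ((rc) & 0xfff)

#define _SM_RC_SUCCESS(pkg, code) ((((unsigned)(pkg)) << 12) | ((unsigned)(code) & 0xfff))
#define _SM_RC_FAIL(pkg, code)    ((1u << 30) | _SM_RC_SUCCESS(pkg, code))

/* Names and constructions as listed in the guide's etsapi.h table. */
#define SAPI_SUCCESS          0
#define SAPI_MALLOC_RC        _SM_RC_FAIL(SAPI_RC_BASE, 1)
#define SAPI_NOHANDLE_RC      _SM_RC_FAIL(SAPI_RC_BASE, 2)
#define SAPI_BADPARAM_RC      _SM_RC_FAIL(SAPI_RC_BASE, 3)
#define SAPI_NOITEM_RC        _SM_RC_FAIL(SAPI_RC_BASE, 4)
#define SAPI_ALRDYEXIST_RC    _SM_RC_FAIL(SAPI_RC_BASE, 5)
#define SAPI_UNSUPPORTED_RC   _SM_RC_FAIL(SAPI_RC_BASE, 6)
#define SAPI_NOAUTOARG_RC     _SM_RC_SUCCESS(SAPI_RC_BASE, 7)
#define SAPI_BADCTX_RC        _SM_RC_FAIL(SAPI_RC_BASE, 8)
#define SAPI_MSGLOCKED_RC     _SM_RC_FAIL(SAPI_RC_BASE, 9)
#define SAPI_NOTHINGTOSEND_RC _SM_RC_SUCCESS(SAPI_RC_BASE, 10)
#define SAPI_NOTREROUTING_RC  _SM_RC_FAIL(SAPI_RC_BASE, 11)
#define SAPI_REROUTINGMODE_RC _SM_RC_FAIL(SAPI_RC_BASE, 12)

typedef unsigned int SMStatus;   /* assumed width; etsapi.h defines the real type */

/* Indexed by the 12-bit code; index 0 is reserved for the all-zero success value. */
static const char *const sapi_code_names[] = {
    "SAPI_SUCCESS", "SAPI_MALLOC_RC", "SAPI_NOHANDLE_RC", "SAPI_BADPARAM_RC",
    "SAPI_NOITEM_RC", "SAPI_ALRDYEXIST_RC", "SAPI_UNSUPPORTED_RC",
    "SAPI_NOAUTOARG_RC", "SAPI_BADCTX_RC", "SAPI_MSGLOCKED_RC",
    "SAPI_NOTHINGTOSEND_RC", "SAPI_NOTREROUTING_RC", "SAPI_REROUTINGMODE_RC",
};

/* Symbolic name of a SAPI return code, or NULL when the code belongs to another
 * component: the 12-bit code is only meaningful together with the package ID. */
const char *sapi_rc_name(SMStatus rc)
{
    if (rc == SAPI_SUCCESS)
        return sapi_code_names[0];
    if (_SM_RC_PKG(rc) != SAPI_RC_BASE)
        return NULL;
    unsigned code = _SM_RC_CODE(rc);
    if (code == 0 || code >= sizeof sapi_code_names / sizeof sapi_code_names[0])
        return NULL;
    return sapi_code_names[code];
}

/* Writes a human-readable breakdown of rc into buf; returns 1 if rc is a failure. */
int sapi_rc_explain(SMStatus rc, char *buf, size_t n)
{
    const char *name = sapi_rc_name(rc);
    snprintf(buf, n, "%s pkg=%u code=%u (%s)",
             _SM_IS_FAIL(rc) ? "FAIL" : "OK",
             (unsigned)_SM_RC_PKG(rc), (unsigned)_SM_RC_CODE(rc),
             name ? name : "not a SAPI code");
    return _SM_IS_FAIL(rc) ? 1 : 0;
}

int main(void)
{
    /* Constructed samples, including code 8 from a different (hypothetical) component. */
    SMStatus samples[] = { SAPI_SUCCESS, SAPI_BADCTX_RC, SAPI_NOAUTOARG_RC,
                           _SM_RC_FAIL(12, 8) };
    char line[96];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        sapi_rc_explain(samples[i], line, sizeof line);
        printf("0x%08X -> %s\n", samples[i], line);
    }
    return 0;
}
```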
Fields for the SAPI
The SAPI format is completely free, except for certain mandatory fields, generally those affecting intrusion detection and security auditing. If the submitting application does not provide values for such fields, the SAPI provides a default value.
Additional fields can be added as you choose. However, for security-related events it is strongly recommended to map to the predefined SAPI fields. Unless events map to the SAPI fields, they will be treated generically by the eTrust Audit viewers.
Predefined fields are defined in the file AC_SAPITokens.h. User-defined field names should begin with the name of the source of the event. This unique name should be identical with the log name.
It is recommended to identify the source in all user-defined field names. For example, the first of these two macro definitions is specific to the SAPI and the second, to Oracle.
#define SAPI_DATE_FLD      "Date"
#define ORA_AUDIT_OPTION   "ORA_Audit_Option"
Field Properties
Each SAPI field has three properties: name, type, and value. Field types are assigned when submitting messages. Available types are date, string and long.
The SAPI fields discussed below are organized by priority.
■ Mandatory fields must be present in every record.
■ Common predefined fields are important for event identification and description.
■ Optional, category-specific fields provide further characterization of events.
■ Other fields are specific to event sources.
Examples of mapping
Examples of mapping
The following are examples of mapping of SAPI fields.
Event
User
Category
Subcategory
ObjClass
ObjName
Oper
User account
was created
“Administrator”
Account
Management
Administration
USER
newuser
Create
Registry key
was deleted
“richard”
Object Access
Administration
REGKEY
“HKEY_USERS\ Delete
...“
Process was
“joan”
stopped (NT)
Object Access
Activation
PROCESS
“FINDFAST.
EXE”
Windows NT “SYSTEM”
was shut
down
Security
Systems
A file was
opened for
read
Object Access
“joan”
OS
Usage
FILE
Stop
Stop
“c:\winnt\
system.ini”
Read
Mandatory fields for event identification
The SAPI requires that certain fields be present in each message you submit. These fields contain data on the time, place, and status of events. For some fields, values are strictly predefined.

SAPI_LOCATION_FLD “Location”
Name of the host where the event originated. The name format is a UNIX qualified name or UNC (if DNS is not available).
Examples: host.mydomain.com (UNIX qualified name); \\mydomain\host (UNC).
Default value: name of the machine where the submitter is resident.

SAPI_LOGNAME_FLD “Log”
Logical log name that uniquely identifies the native auditing type (logical name of the source of audit information).
Examples: NT-System, NT-Application; UNIX for syslog and sulog files; Oracle for Oracle logs, and so on.
Default value: the submitter must supply the contents for this field.

SAPI_SOURCE_FLD “Src”
Name of the software component that issued the event. Note that the audit mechanism may serve more than one process or application. When a native auditing environment has more than one instance on the same machine, this field contains the instance identification.
Examples: Windows NT — Security, Disk, NETLOGON; UNIX — telnetd, ftpd.
Default value: the submitter must supply the contents for this field.

SAPI_DATE_FLD “Date”
When the event originated. Date contains both date and time in standard ISO format (text format that includes date, time and time zone).
Examples: 20010201T080001-0500 means Feb. 1, 2001 at 8:00:01 EST; 20010202T080001+0000 means Feb. 2, 2001 at 8:00:01 GMT.
Default value: date and time at the machine where the event is submitted.

SAPI_STATUS_FLD “Status”
The status that the event describes. Values for Status are strictly predefined:
“S” SAPI_STATUS_SUCCESS — event for a successful operation
“F” SAPI_STATUS_FAILURE — event for a failed operation
“D” SAPI_STATUS_DENIED — event for a failed operation where the reason is insufficient privileges
We recommend that you use “F” SAPI_STATUS_FAILURE even for failed operations that are caused by insufficient privileges.
Note: all source-specific statuses should be converted into one of the SAPI statuses. To keep the original value, put it into the specific field <SRC>_Status, where <SRC> uniquely identifies the source of audit information.
Default value: “S”
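An added example, not part of the guide, for a submitter that fills SAPI_DATE_FLD itself instead of taking the default: sapi_format_date and sapi_date_is_valid are hypothetical helpers that produce and shape-check a Date value in the ISO form shown above, with the guide's two example timestamps as constructed inputs.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/*
 * Formats a time_t as a SAPI Date value, YYYYMMDDThhmmss+hhmm.
 * utc_offset_min is the zone offset east of UTC in minutes (EST is -300);
 * the offset is applied explicitly so the result never depends on the
 * process's local time zone. Returns the string length, or -1 when the
 * buffer is too small or the time cannot be converted.
 */
int sapi_format_date(time_t when, int utc_offset_min, char *buf, size_t n)
{
    time_t shifted = when + (time_t)utc_offset_min * 60;   /* wall clock in that zone */
    struct tm *tm = gmtime(&shifted);                       /* broken down without local-zone rules */
    if (tm == NULL)
        return -1;
    int off = utc_offset_min < 0 ? -utc_offset_min : utc_offset_min;
    int len = snprintf(buf, n, "%04d%02d%02dT%02d%02d%02d%c%02d%02d",
                       tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
                       tm->tm_hour, tm->tm_min, tm->tm_sec,
                       utc_offset_min < 0 ? '-' : '+', off / 60, off % 60);
    if (len < 0 || (size_t)len >= n)
        return -1;
    return len;
}

/* Convenience wrapper returning a static buffer (not thread safe); "" on error. */
const char *sapi_date_string(time_t when, int utc_offset_min)
{
    static char buf[32];
    if (sapi_format_date(when, utc_offset_min, buf, sizeof buf) < 0)
        return "";
    return buf;
}

/*
 * Checks that a string has the exact SAPI Date shape: 20 characters, all
 * digits except 'T' at position 8 and '+' or '-' at position 15. This is a
 * shape check a receiver can apply before parsing, not a calendar check.
 */
int sapi_date_is_valid(const char *s)
{
    if (s == NULL || strlen(s) != 20)
        return 0;
    for (int i = 0; i < 20; i++) {
        if (i == 8) {
            if (s[i] != 'T') return 0;
        } else if (i == 15) {
            if (s[i] != '+' && s[i] != '-') return 0;
        } else if (s[i] < '0' || s[i] > '9') {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    /* The guide's two examples: Feb. 1, 2001 08:00:01 EST and Feb. 2, 2001
     * 08:00:01 GMT (epoch values constructed for this example). */
    printf("%s\n", sapi_date_string((time_t)981032401, -300));
    printf("%s\n", sapi_date_string((time_t)981100801, 0));
    printf("valid: %d\n", sapi_date_is_valid("2001-02-01T08:00:01-0500"));
    return 0;
}
```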
Common predefined fields for event identification
The following fields are used by most events. They are not mandatory, but they are strongly recommended for each SAPI message.

SAPI_USER_FLD “User”
The name of the user (or principal, as some systems define it) who performed the audited operation.
Examples: Windows NT — Administrator, my_domain\john; UNIX — “root,” “john”
Default value: none

SAPI_USERID_FLD “UID”
Native user ID.
Examples: Windows NT — S-1-5-21-17935294201590284213-401-284377-1208; UNIX — 0 (root user)
Optional predefined fields for event identification
Certain fields providing event identification are optional.

SAPI_LOCATIONIP_FLD “LocationIP”
IP address where the event originated.
Example: 141.202.248.116

SAPI_LOGFILENAME_FLD “LogF”
Physical file name (full path name), if available, in cases where the audit does not reside in a fixed file.
Example: UNIX — /usr/logs/trace1.log

SAPI_RECORDERVER_FLD “RecVer”
Version of the submitter for the native auditing environment.
Common predefined fields for event description
The following fields provide general information about events. They are not mandatory, but it is recommended to set their values (if available) for each SAPI message.
Reserved fields specific to predefined security event categories are listed later in this chapter.

SAPI_CATEGORY_FLD “Category”
Security-related events fall into predefined categories. If the event belongs to one of the categories, it is highly recommended to set the field’s value. The field can be left empty, or it can have a user-defined category if the predefined values are not matched.
Examples: “System Access” SAPI_CATEGORY_SYSACC, for any logon or logoff operation; “Account Management” SAPI_CATEGORY_ACCOUNT, for user account definition

SAPI_SUBCAT_FLD “Subcat”
Enables subdivision of events within a category. You can fill this field by using either a pre-defined value or any other string value.

SAPI_SEVERITY_FLD “Severity”
Logical severity of the event set by eTrust Audit policies (not by application severity). Values for Severity are strictly predefined:
“0” SAPI_SEVERITY_INFO
“1” SAPI_SEVERITY_WARNING
“2” SAPI_SEVERITY_CRITICAL
“3” SAPI_SEVERITY_FATAL

SAPI_OPERATION_FLD “Oper”
The operation performed on an object. Values are chosen from a list of predefined values. In cases where the predefined values are not suitable, native auditing values may be used.
Examples: “Write” SAPI_OPER_WRITE — edited a file or registry key; “Start” SAPI_OPER_START — started a service

SAPI_OBJCLASS_FLD “ObjClass”
The class of the object of the operation. Values are chosen from a list of predefined values. In cases where the predefined values are not suitable, native auditing values may be used.
Examples: “FILE,” “REGKEY”

SAPI_OBJNAME_FLD “ObjName”
Name of the object on which the operation is performed.
Examples: “C:\WINNT\system.ini” — a file name; “notepad.exe” — a process name

SAPI_OBJCLASS2_FLD “SObjClass”
Class of the second object that participated in the event (if it exists).
Example: “Group” — in case of joining a user to a group

SAPI_OBJNAME2_FLD “SObjName”
Name of the second object that participated in the event (if it exists).
Example: “Administrators” — as the name of the group a user was added to

SAPI_NATIVEOID_FLD “OID”
Native object ID (handle) from the auditing or operating system.
Example: Windows NT — “24”

SAPI_PID_FLD “PID”
Process ID of the process that performed the operation, if available.
Example: Windows NT — “2309196368”

SAPI_NATIVEID_FLD “NID”
Native ID of the event, in native auditing environments that enumerate events.
Example: Windows NT — “562” for a closed handle event, “592” for process creation

SAPI_INFO_FLD “Info”
Free-text event information.
Examples:
Windows NT —
A process has exited.
Process ID: 215487040
User Name: user_john
Domain: My_Domain
Logon ID: (0x0,0x3ED6)
UNIX —
printer/tcp: “Print services stopped”
Mapping events to predefined categories
For each security event category, records can be built from a certain set of SAPI fields, in addition to the mandatory identifying fields.
Predefined security-related categories are:
■ System Access
■ Account Management
■ Object Access
■ Policy Management
■ Security Systems Status
■ Network
■ Detailed Tracking
Other events (generally, start and stop notifications for applications) fall into one of the following categories:
■ System \ Application
■ Administration
■ General
System Access
System access events include logon, logoff, and change of user identity
(impersonation).
Field name                      Available values for System Access
SAPI_CATEGORY_FLD “Category”
    “System Access” SAPI_CATEGORY_SYSACC
SAPI_SOURCE_FLD “Src”
    The software component that generated the message.
    Examples:
    Windows NT: “Security”
    UNIX: “login,” “telnetd,” “in.telnetd,” “rshd,” “in.rshd,” “Xsession”
    (XDMCP), “ftpd,” “in.ftpd,” “rlogind,” “in.rlogind,” “fingerd,” “ffingerd”
SAPI_OPERATION_FLD “Oper”
    “Logon” SAPI_OPER_LOGON
    “Logoff” SAPI_OPER_LOGOFF
SAPI_USER_FLD “User”
    Name of the logged-on user
SAPI_SURROGATEUSERNAME_FLD “SurrogateUser” (optional)
    Name of the new user when logging on from another user. For example, the
    UNIX command su root generates a SurrogateUser value of “root.”
SAPI_INFO_FLD “Info”
    May contain the reason for a failed logon
SAPI_LOGONTYPE_FLD “LogonType”
    For logon operations, the type of logon. Values for LogonType are strictly
    predefined.
    Examples:
    “Interactive” SAPI_LOGONTYPE_INTERACTIVE: local user logon
    “Server” SAPI_LOGONTYPE_SERVER: logon to a server, domain or shared drive
SAPI_TERMINAL_FLD “Term” (optional)
    Terminal name or ID from which the operation is initiated.
    Example: “pts/7”
SAPI_REMOTEHOST_FLD “RemHost” (optional)
    Name or address of the remote host for operations that are performed
    remotely (the name should follow the Location field format)
Account Management
Account management events include the creation, changing, and deletion of
users, groups, profiles and roles, as well as the granting of permissions.
For security purposes, special care should be taken to audit the addition of users
to the administrators group, and the addition of significant authorizations.
The management of permissions on the system level is mapped to “Account
Management,” and the management of auditing is mapped to “Policy
Management.” For individual objects, both permissions and auditing setups are
mapped to “Object Access.”
Field name                      Available values for Account Management
SAPI_CATEGORY_FLD “Category”
    “Account Management” SAPI_CATEGORY_ACCOUNT
SAPI_SUBCAT_FLD “Subcat”
    “Permission” SAPI_SUBCAT_PERMISSION
    “Audit” SAPI_SUBCAT_AUDIT
    “Password” SAPI_SUBCAT_PASSWORD
SAPI_OPERATION_FLD “Oper”
    Some possible values are predefined. For example:
    “Create” SAPI_OPER_CREATE
    “Delete” SAPI_OPER_DELETE
    “ChangeProperty” SAPI_OPER_CHANGEPROPERTY
    “Lock” SAPI_OPER_LOCK
    “Unlock” SAPI_OPER_UNLOCK
SAPI_OBJCLASS_FLD “ObjClass”
    “USER” SAPI_OBJCLASS_USER
    “GROUP” SAPI_OBJCLASS_GROUP
SAPI_OBJNAME_FLD “ObjName”
    Name of the user or group.
SAPI_OBJCLASS2_FLD “SObjClass”
    Class of the secondary object.
    Examples: When adding a user to a group, “USER” is the primary object and
    “GROUP” is the secondary object. When changing permissions, the secondary
    object is “PRIVILEGE” SAPI_OBJCLASS_PRIVILEGE.
SAPI_OBJNAME2_FLD “SObjName”
    Name of the secondary object.
SAPI_INFO_FLD “Info”
    Free-text description of the operation.
Object Access
Object access events include any access to resources such as files and the registry.
Usually these accesses are audited only for critical objects.
For individual objects, both permissions and auditing setups are mapped to
“Object Access.” The management of permissions on the system level is mapped
to “Account Management.”
Field name                      Available values for Object Access
SAPI_CATEGORY_FLD “Category”
    “Object Access” SAPI_CATEGORY_OBJACC
SAPI_SUBCAT_FLD “Subcat”
    “Password” SAPI_SUBCAT_PASSWORD
    “Usage” SAPI_SUBCAT_USAGE
    “Audit” SAPI_SUBCAT_AUDIT
    “Activation” SAPI_SUBCAT_ACTIVATION
    “Permission” SAPI_SUBCAT_PERMISSION
SAPI_OBJCLASS_FLD “ObjClass”
    Name of the object on which the operation is performed. In cases where the
    predefined values are not suitable, native auditing values may be used.
    Examples:
    “REGKEY” for a registry key
    “FILE” for a file or folder
SAPI_OBJNAME_FLD “ObjName”
    Name of the accessed object.
SAPI_OPERATION_FLD “Oper”
    For example:
    “Execute” SAPI_OPER_EXECUTE
    “Start” SAPI_OPER_START_RL
    “Stop” SAPI_OPER_STOP
    “Kill” SAPI_OPER_KILL
    “Create” SAPI_OPER_CREATE
    “Delete” SAPI_OPER_DELETE
    “ChangeProperty” SAPI_OPER_CHANGEPROPERTY
    “Rename” SAPI_OPER_RENAME
    “TakeOwnership” SAPI_OPER_TAKEOWNERSHIP
    “ChangePermission” SAPI_OPER_CHANGEPERMISSION
    “Lock” SAPI_OPER_LOCK
    “Unlock” SAPI_OPER_UNLOCK
    “Open” SAPI_OPER_OPEN
    “Read” SAPI_OPER_READ_RL
    “Write” SAPI_OPER_WRITE
    “Edit” SAPI_OPER_EDIT
SAPI_NATIVEOID_FLD (optional)
    Object ID used by the native environment
SAPI_PID_FLD (optional)
    ID of the process that accesses the object
SAPI_COMMAND_FLD “Command” (optional)
    Original command that caused the event (in case of command line interface
    usage).
    Example (eTrust Access Control): definition of new resource “new user(john)”
SAPI_INFO_FLD “Info”
    Free-text event information
Policy Management
Policy management events include changes in audit policy, changes in password
policy, and other events on the system level. This category usually includes very
few events.
For individual objects, permissions and auditing setups are mapped to “Object
Access.”
Field name                      Available values for Policy Management
SAPI_CATEGORY_FLD “Category”
    “Policy Management” SAPI_CATEGORY_POLICY
SAPI_SUBCAT_FLD “Subcat”
    “Audit” SAPI_SUBCAT_AUDIT
    “Activation” SAPI_SUBCAT_ACTIVATION
    “Permission” SAPI_SUBCAT_PERMISSION
SAPI_OPERATION_FLD “Oper”
    For example:
    “Create” SAPI_OPER_CREATE
    “Delete” SAPI_OPER_DELETE
SAPI_OBJCLASS_FLD “ObjClass”
    “POLICY” SAPI_OBJCLASS_POLICY
    Oracle: map “Audit_Option” to this field
SAPI_OBJNAME_FLD “ObjName”
    Object name
SAPI_INFO_FLD “Info”
    Free-text event information
Security Systems Status
Security system status events include events related to a change in the status of
security systems, for example the stopping and starting of operating systems and
the clearing of audit logs.
Field name                      Available values for Security Systems
SAPI_CATEGORY_FLD “Category”
    “Security Systems” SAPI_CATEGORY_SECURITYSYS
SAPI_OPERATION_FLD “Oper”
    For example:
    “Restart” SAPI_OPER_RESTART
    “Startup” SAPI_OPER_STARTUP
    “Shutdown” SAPI_OPER_SHUTDOWN
    “Clear” SAPI_OPER_CLEAR
SAPI_OBJCLASS_FLD “ObjClass”
    For example:
    “Service” (or daemon) SAPI_OBJCLASS_SERVICE
    “Log” SAPI_OBJCLASS_LOG
    “Process” SAPI_OBJCLASS_PROCESS
    “OS” SAPI_OBJCLASS_OS
SAPI_OBJNAME_FLD “ObjName”
    Name of the started or stopped program
SAPI_INFO_FLD “Info”
    Free-text event information
Network
Network events include:
■ Incoming and outgoing communication events from eTrust Access Control
■ eTrust Intrusion Detection (former SessionWall)
■ Events from other network products to be integrated with eTrust Audit
Network events should map to identification fields.
Field name                      Available values for Network
SAPI_CATEGORY_FLD “Category”
    “Network” SAPI_CATEGORY_NETWORK
SAPI_OPERATION_FLD “Oper”
    “Connect” SAPI_OPER_CONNECT
    “Disconnect” SAPI_OPER_DISCONNECT
SAPI_OBJCLASS_FLD “ObjClass”
    For example:
    “PORT” SAPI_OBJCLASS_PORT
    “HOST” SAPI_OBJCLASS_HOST
    “TERMINAL” SAPI_OBJCLASS_TERMINAL
    “DOMAIN” SAPI_OBJCLASS_DOMAIN
    “PROCESS” SAPI_OBJCLASS_PROCESS
    “PRINTER” API_OBJCLASS_PRINTER_RL
SAPI_OBJNAME_FLD “ObjName”
    Object name: name of host, terminal, domain and so on
SAPI_INFO_FLD “Info”
    Free-text event information
The following additional fields contain network objects.
Field name                      Available values for network objects
SAPI_REMOTEIP_FLD “RemIP”
    Remote IP address
SAPI_AFTYPE_FLD “AddressFamily”
    Address family
SAPI_NETSERVICENAME_FLD “NetServiceName”
    Service or daemon
    Example: “FTP”
SAPI_PORT_FLD “Port”
    Local port number
    Example: “7890”
SAPI_REMOTEPORT_FLD “RemotePort”
    Remote port number
    Example: “8765”
SAPI_PROTOCOL_FLD “Protocol”
    Protocol
    Examples: “TCP,” “UDP”
Detailed Tracking
Both Windows NT and eTrust Access Control offer detailed tracking — in
Windows NT, for processes (by PID). In eTrust Access Control, tracking can be
activated for other fields as well.
Field name                      Available values for Detailed Tracking
SAPI_CATEGORY_FLD “Category”
    “Detailed Tracking” SAPI_CATEGORY_TRACKING
SAPI_OPERATION_FLD “Oper”
    For example:
    “Start” SAPI_OPER_START
    “Stop” SAPI_OPER_STOP
SAPI_OBJCLASS_FLD “ObjClass”
    Example: “PROCESS” SAPI_OBJCLASS_PROCESS
SAPI_PID_FLD “PID”
    Process ID
SAPI_OBJNAME_FLD “ObjName”
    Object name, name of the started or stopped program
SAPI_INFO_FLD “Info”
    Event description
SAPI_USER_FLD “User”
    User name
SAPI_USERID_FLD “UID”
    User ID
SAPI_SURROGATEUSERNAME_FLD “SurrogateUser”
    Name of the new identity of a user who changed his identity via set user etc.
    (available on systems that retain the original identity).
    Example (UNIX): for a set user operation, UserName may be “john” and
    SurrogateUser may be “root”
SAPI_SURROGATEUSERID_FLD “SurrogateUId”
    The ID of the SurrogateUser, as explained above.
SAPI_EUSERNAME_FLD “EffectiveUser”
    Effective user name. The effective user is the user whose rights are in
    effect for the described event.
SAPI_EUSERID_FLD “EffectiveUserId”
    The ID of the effective user, as explained above.
System/Application, Administration and General Events
These events include start and stop notifications for applications not directly
involved in security auditing (that is, not mapped to another category). Fields
will be application-specific. Identification fields are mandatory.
Field name                      Available values for System and Application
SAPI_CATEGORY_FLD “Category”
    “System and Application” SAPI_CATEGORY_STATUS
    “Administration” SAPI_CATEGORY_ADMIN
    “General” SAPI_CATEGORY_GENERAL
SAPI_INFO_FLD “Info”
    Free-text event information
Fields internal to eTrust Audit
Internal fields may be filled for each event by eTrust Audit. These fields may be
present in each record, but need not be filled by third-party submitters.
Internal field name             Description
SAPI_ROUTINGINFO_FLD “RoutInfo”
    For debug purposes only: a concatenation of the names of all the routers
    that have handled the event.
SAPI_RULENAME_FLD “Rule”
    For debug purposes only: the name of the eTrust Audit policy that
    originated the event.
Reserved Keywords
The following words may not be used as field names, since they have specific
meanings in the filter language.
ADD
AM
AT
CASE
CI
CS
DATE_YACC
DAY
DECR
DECREMENT
DEFINE
DELETE
DELETE_YACC
DIFFERENT
DY
EQUAL
EXISTS
FATAL_ERROR
GREATER
INCR
INCREMENT
INSENSITIVE
INTEGER
LESS
MATCHES
MONTH
NAME
NEWEVENT
NOT
NUMBER
OF
OR
PART
PM
REL_OP
SCAN_ERROR
SENSITIVE
SET
STRING
STRING_CONST
SUB
SUBTRACT
THAN
TIME
TIMESTAMP
TO
VARIABLE
YR
The names of months (JAN-DEC) are also reserved.
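As an added check, not part of the guide or of the product, the following C function rejects a proposed field name when it collides with one of the reserved words above or with a month name. The table is copied from the list; the case-insensitive comparison and the letters/digits/underscore character rule are assumptions made here (the guide states neither), chosen so that the check rejects more names rather than fewer.

```c
/* Added example, not eTrust Audit code: refuse field names that collide with the
 * reserved words of the filter language.  The table is copied from the list
 * above plus the month names; case-insensitive matching and the allowed
 * character set are assumptions of this example (the guide states neither). */
#include <ctype.h>
#include <string.h>

static const char *const RESERVED[] = {
    "ADD", "AM", "AT", "CASE", "CI", "CS", "DATE_YACC", "DAY", "DECR",
    "DECREMENT", "DEFINE", "DELETE", "DELETE_YACC", "DIFFERENT", "DY", "EQUAL",
    "EXISTS", "FATAL_ERROR", "GREATER", "INCR", "INCREMENT", "INSENSITIVE",
    "INTEGER", "LESS", "MATCHES", "MONTH", "NAME", "NEWEVENT", "NOT", "NUMBER",
    "OF", "OR", "PART", "PM", "REL_OP", "SCAN_ERROR", "SENSITIVE", "SET",
    "STRING", "STRING_CONST", "SUB", "SUBTRACT", "THAN", "TIME", "TIMESTAMP",
    "TO", "VARIABLE", "YR",
    "JAN", "FEB", "MAR", "APR", "MAY", "JUN",      /* month names, also reserved */
    "JUL", "AUG", "SEP", "OCT", "NOV", "DEC",
    NULL
};

/* ASCII case-insensitive string equality. */
static int ieq(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (toupper((unsigned char)*a) != toupper((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* 1 if name is a reserved word of the filter language, else 0. */
int is_reserved_field_name(const char *name)
{
    const char *const *k;
    for (k = RESERVED; *k != NULL; k++)
        if (ieq(name, *k))
            return 1;
    return 0;
}

/* Check a proposed field name: 0 acceptable, -1 empty or containing characters
 * other than letters, digits and underscore, -2 reserved. */
int check_field_name(const char *name)
{
    const char *p;
    if (name == NULL || *name == '\0')
        return -1;
    for (p = name; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && *p != '_')
            return -1;
    return is_reserved_field_name(name) ? -2 : 0;
}
```

Every field name the mapping tables use (“Category”, “Oper”, “ObjName”, “RemIP” and so on) passes this check; names such as “Month”, “Timestamp” or “Dec” do not.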
Index
By Fields, 5-2
By File, 5-3
Filter Bar, 5-2
Unfiltering, 5-3
A
accountability, 1-1
alerts, 1-1
architecture, 1-1
Audit Viewer, 3-7
C
client software, 3-1
Control Panel, 3-7
D
Data Tools, 2-1
E
eTrust Access Control, 2-1
Working with the recorder, 6-1, 6-2
F
Filtering the Records, 5-2
By Event, 5-2
H
hierarchy, 3-1
M
mail protocol, 2-2
manager components, 2-1, 4-1
N
native auditing, 1-1
R
RegEdt32
RegEdit, 2-2
requirements, 2-1
S
SAPI
error codes, B-10
return codes, B-10
type definitions, B-5
SAPI functions
SAPI_AddItem, B-5, B-6, B-8, B-9
SAPI_SubmitMsg, B-7
scalability, 1-1
Security Monitor, 2-1, 3-7
SMTP, 2-2
Sorting event database records, 5-2
Alphanumerically, 5-2
BY record number, 5-2
system considerations, 2-1