Halo Operations Guide For Users of CloudPassage Halo

Transcription

Halo Operations Guide For Users of CloudPassage Halo
Halo Operations Guide
For Users of CloudPassage Halo
Who should read this guide?
PART 1
BASIC HALO OPERATIONS
Using the Halo Portal
Log Into the Portal
Get Help
Change Your Password
Manage Your Account and Subscription
Invite and Manage Halo Users
Invite a New User
Edit an Existing User
Deactivate or Delete a User
Setting Up Servers and Server Groups
1. Install Daemons
Install Linux Daemons
Install Windows Daemons With the Installer
Install Windows Daemons from the Command Line
Install a Daemon on Your Gold Master Server
Deploy Daemons in Bulk With Automation Tools and Scripts
Add Custom Labels to Your Servers
Run your Halo Daemons in Read-Only Mode
Uninstall Halo Daemons
2. Organize Your Servers Into Groups
Design Your Groups
Create Your Groups
Maintain and Manage Your Groups
3. Assign Servers to Groups
Manually Assign Servers to Groups
Automatically Assign Servers to Groups
Maintain and Manage Your Servers
Activating Halo Features to Protect Your Servers
Choose the Halo Features to Activate
1
Assign Policies to Server Groups
Conduct Scans
Configure Automatic Scans
Manually Scan Selected Servers
Using the CloudPassage API
About the API
API Examples and Sample Code
PART 2
HALO ISSUES AND EVENTS
About Issues, Events, and Alerts
Defining Your Issues, Events, and Alerts
Flag Policy Issues for Logging and Alerting
Set Up a Special Events Policy
Set Up Alert Profiles
Addressing Issues
View a Server Group's Summary of Issues
Analyze a Server's Current Issues
View the History of an Issue
Act On Reported Issues
Addressing Events
View a Server Group's Summary of Events
Analyze a Server's Most Recent Events
Filter and View a Server or Group's Event History
Act On Reported Events
APPENDIXES
A Halo Site Administration
Users
API Keys
Authentication Settings
Scanner Settings
Daemon Settings
Advanced Settings
Set GhostPorts Session Length
List IP Addresses Authorized to Access Halo Portal
Choose Your Email Preferences
Enable Halo Beta Features
Audit Events
Master Account
B Multi-Factor Authentication
Enable Multi-Factor Authentication for a User
Log In With Multi-Factor Authentication
Verify Your Phone Number (for SMS Authentication)
2
Authenticate With an SMS Code
Authenticate With a YubiKey
Site Administrators: Set Up a Backup Authentication Method!
C Search Expression Syntax
Who should read this guide?
The Halo Operations Guide explains everything you need to know in order to access, configure, use, and administer
the CloudPassage Halo service—allowing you to provide strong, dynamic protection to all of your cloud and physical
servers all across the globe. From your first login to the Portal, through your first Daemon installations and your first
scans, all the way to your interpretation and remediation of a variety of security risks that your server fleet may face,
this guide steps you through the procedures and best practices that can guard your assets and intellectual property
against malicious actions.
Whether you are
A security specialist responsible for interpreting and acting on security issues and events
A DevOps architect responsible for designing Halo protection for your organization
A Security Ops admin responsible for implementing strong policies to secure your server infrastructure
A sysadmin responsible for conducting ongoing Halo operations across your networks
...this guide can help you to understand and take full advantage of the power of Halo in your work.
Note: This guide does not exist alone. It is the core document in a suite of guides that describe in detail each of
the specific security features and modules that Halo offers. The entire suite is available on the
CloudPassage Customer Support site, in the Documentation Forums.
PART 1
BASIC HALO OPERATIONS
CloudPassage Halo is a software-as-a-service offering that provides strong security for your cloud servers, across all
public, private, and hybrid could environments. In use, the components of Halo are distributed across the customer's
clouds and other clouds, as shown below.
3
The Halo Daemon is a lightweight and secure software component that runs as a service on each cloud server.
The Daemon monitors important server security factors, communicates with the Halo Grid as needed, and takes
actions based on pre-configured or customized security policies.
The Halo Grid is a powerful elastic compute grid that provides sophisticated analytics that evaluate data collected
by the Halo Daemons. The Halo Grid does the "heavy lifting" on behalf of the Daemons, preserving customer
server resources and performance.
The Halo Portal is the convenient "single pane of glass" used to manage all Halo product capabilities, create
policies, set up alerting, view reports, manage users, and other tasks.
The CloudPassage API gives you an alternative to the Halo Portal for managing Halo operations. Your
developers can create new tools or add Halo capability to existing tools.
Through the Halo Portal, you apply Halo's group-based policy management to efficiently add and manage security to
server fleets of all sizes. You can apply security policies at initial server launch, or at any time for operational servers.
Halo automatically monitors all servers and reports any security violations in real time. You can view recent and
historical violations in the Portal, and you can use the Portal to create, assign, and retire policies as needed.
All Halo users automatically have access to the Portal to create and manage server groups, control their Halo
accounts, apply any available Halo security features, conduct scans to detect security issues, respond to events and
alerts, and automate tasks through the CloudPassage API. Depending on your subscription and your account type,
you may also be able to install Halo Daemons, add and manage new Halo users, and activate additional Halo security
features.
Note: This document describes all Portal features, equivalent to what a Halo site administrator with a Halo
Professional subscription can access.
Topics:
Using the Halo Portal
Setting Up Servers and Server Groups
Activating Halo Features to Protect Your Infrastructure
Using the CloudPassage API
4
Using the Halo Portal
The Halo Portal is your view into your organization's Halo account and your control panel for managing it. the Portal
gives you access to all Halo features, activities, and information that you are authorized to view or manipulate.
Note also that only your account's information appears; you can see nothing of other Halo accounts, just as other
accounts' users can see nothing of yours.
Depending on your Halo subscription plan and the type of Halo user you are, you may be able to use the Portal to
Manage your password and account.
Invite others to become Halo users within your account.
Set Halo server groups, install Halo Daemons, and assign servers to groups.
Use Halo features to protect your servers' configurations, firewalls, file integrity, exploit resistance, or user access.
Manage the site settings for your Halo account—for example, configure security settings or manage API keys.
Create security policies that define issues to track, events to log, and alerts to send.
Review scan results for detected security issues and logged events.
Use this information to perform remediations or initiate incident response procedures, as indicated.
This section shows you how to perform the above tasks and more.
Note: If you are interested in a highly abbreviated tutorial to get you started with Halo, consider the
Halo QuickStart.
Log Into the Portal
You start using Halo by logging into the Halo Portal. Depending on your organization's policies, you will log in using
either password authentication or two-factor authentication.
1. Use your browser to log into the Halo Portal, at https://portal.cloudpassage.com. The Portal login page appears:
2. Enter your Halo username and password.
3. Click Submit.
5
For multi-factor authentication only:
After you enter your username and password, the Multi-Factor Authentication page for either SMS or YubiKey
appears. (If you are enabled for both types of authentication, the page allows you to choose which to use.)
Enter your SMS authentication code or insert your YubiKey. See Authenticate With an SMS Code or Authenticate
With a YubiKey for details.
If your password or multi-factor authentication is successful, the login is complete and the Halo Dashboard page
appears.
4. From the Dashboard, use the links and menus to access any of your available Halo features and information.
Besides logging into the Portal, you can also use the login page to reset your Halo password or even to register for
Halo if you aren't yet a user.
Note: Certain aspects and requirements for your organization's Halo login process are under the control and
responsibility of your Halo site administrator(s). If you are a site administrator, see Authentication Settings
for an explanation of the settings that you can modify. See also Advanced Settings if you need to control
the IP addresses from which Halo users are permitted to log in.
Get Help
Whenever you are logged into the Halo Portal, help with learning or using Halo is always just a few clicks away.
Select Support > Getting Started With Halo to view a short document that walks you through using Halo.
Select Support > File Support Request to contact CloudPassage Customer Support for help.
Select Support > Documentation and Forums to open the following dialog box:
6
To look up information about Halo, click Browse Documentation or Browse Support Forums to peruse the
documents in the Customer Support forums, including the Halo product documentation. See About the Support
Forums for more information.
To search for documentation on a specific topic, enter the topic into the field and click Search. Links to relevant
forum and documentation articles containing that term appear below the search box:
If instead you want to file a request for help with Customer Support, click File a Support Request . The New
Support Request form opens:
7
Fill in the fields of the form and click Submit. A support ticket for you is entered into the system. The support
team will contact you by email within 24 hours.
About the Support Forums
CloudPassage sponsors a number of user forums on the CloudPassage Support Community site. These forums are
open to the public and are a great source of information and ideas on how to learn and use CloudPassage Halo.
There are over 25 active forums, in the following categories:
Product Updates. Several forums, including "Release Notes" and "Customer Notifications".
Documentation. About a dozen forums, one for each available product guide.
Frequently Asked Question s. Several forums answering questions about Halo in general.
Feature FAQ. Forums answering specific questions about specific Halo features.
Tips and Tricks. Videos and insider insights from CloudPassage developers on how to harness the power of
Halo.
All documents in the forums are indexed for searching, making answers easy to find. You can also submit your own
questions, ideas, tips, and articles in the forums to help your fellow users or to receive help yourself.
Note: The Halo product team periodically runs beta programs on new features and content. If you'd like to
become one of our next beta testers, email us at [email protected].
Change Your Password
When you need or wish to change your Halo password, you can do that from within the Halo Portal by selecting My
Account from the User menu (your name in the page header).
The Password Reset section of your account page lists your organization's password requirements (modifiable by a
site administrator; see Halo Site Administration ). It also includes fields for entering your current and requested new
password. Enter the information and click Save to submit the change request.
8
Note that you can also request a new password without being logged into the Portal. Click Reset your password on
the Portal login page and follow the instructions.
Manage Your Account and Subscription
To review or edit the details of your Halo account, select My Account from the User menu (your name in the Portal
page header). There you can view or change your username, first and last name, and time zone. And you can
choose to stop receiving daily status emails from CloudPassage, if you wish.
Note that you can't change your email address on this page. If you need to associate a different email address
with your account, contact a Halo site administrator within your organization. If you are a site administrator, you
can change your own email address and the email addresses of other users on another page; see Edit an Existing
User.
You can also reset your Halo password from this page, as described in Change Your Password .
If you are a Halo site administrator, you can also see and in some cases change the details of your Halo subscription
plan. Select Manage Subscription from the Site Administrator menu (the gears icon [
header).
] in the Portal page
Note: If you purchased Halo from CloudPassage with a purchase order or contract, you will not be able to
manage your subscription on this page. Instead, please contact Customer Support or your CloudPassage
account representative.
If the Manage Subscription page is available to you, you can use it to
9
Change the details of your billing plan (for example, the minimum number of servers you are billed for), update
your payment-card information, and view your invoices.
View your server-hour usage for the current billing period.
Upgrade or downgrade your Halo subscription plan (Halo Basic, Halo NetSec, Halo Pro).
Cancel your Halo subscription.
Halo standard users (non-site-administrators) do not have access to the Manage Subscription page.
Note: Your organization's Halo account may be registered directly with CloudPassage, or it may be registered
with a third party that manages your security services through a CloudPassage master account. If you are
a Halo site administrator, you have the ability to link your account to a master account or disconnect from
that master account. See Master Account for more information.
Invite and Manage Halo Users
If you are a Halo site administrator, one of your privileges is the ability to add other users to your Halo account. (Other
site-administrator responsibilities are described in Halo Site Administration.)
Having multiple users allows you to spread responsibility for separate Halo tasks (such as server-group administration
versus policy design versus security-event response) across multiple specialists in your organization.
Select Site Administration from the Site Administrator menu (the gears icon
in the Portal page header), then
select the Users tab. The User Administration table displays information about all current Halo users in your
organization. If there are many users, the list may break across several pages. You can sort the list by any of the
columns, and you can search for a value that appears in any column.
10
If you want to add a new Halo user to the account, click Invite New User (see next).
If you want to delete or deactivate a user, see Deactivate or Delete a User .
If you want to edit the information for an existing user, click Edit for that user. (See Edit an Existing User .)
Invite a New User
When you click Invite New User on the User Administration page, the following page appears. You "invite" a user
because the candidate receives an email invitation from Halo, and the user account is not active until the invitee
accepts by logging into the Portal.
1. To prepare the invitation, start by filling in the required personal information about the invited user.
Note that the username must be unique among all Halo users. A good way to ensure a unique name is to use
your email address as your username.
11
2. Decide whether to enable Portal access for the user. (A server administrator who will use Halo only for GhostPorts
multi-factor authentication to servers will not need Portal access.)
If the user is to have Portal access, decide whether it is to be as a standard user or as a site administrator. The
following table explains the differences.
Portal access
Site administrator
Standard user
GhostPorts-only
View the Halo Dashboard
✓
✓
View Security Events History, Scan History
✓
✓
Run scans
✓
✓
Install Daemons (can access Daemon Registration Key)
✓
Manage the Halo subscription
✓
Administer the Halo site (see Halo Site Administration )
✓
Manage "My Account"
✓
✓
Open GhostPorts
✓
✓
✓
Manage policies, exceptions, alert profiles
✓
✓
Access Halo Customer Support
✓
✓
3. Decide whether to enable multi-factor authentication for the user. There are two reasons for doing this:
The user will be using GhostPorts to log onto to one or more Halo-protected servers. See Using GhostPorts
Multi-Factor Authentication With CloudPassage Halo for details on why and how to use GhostPorts.
The user will be logging into the Halo Portal with two-factor authentication. See Two-factor authentication for
details on enabling it for your Halo users.
To enable two-factor authentication, first specify the user's authentication method. Select SMS code and Halo
Password, YubiKey and Halo Password , or both. The page expands to display additional fields.
4. Enter the required information into the fields. For detailed instructions, see Enable Two-Factor Authentication for a
User.
5. Select the GhostPorts checkbox if you want to enable GhostPorts access for the user, and have already enabled
multi-factor authentication.
6. Click Invite to commit your settings and close the Invite New User page. The user will receive the invitation by
email.
Edit an Existing User
When you click Edit for a Halo user listed on the User Administration page, the following page appears. Note that on
this page you can change only the following:
The user's email address
The user's multi-factor authentication enablement
The user's Portal access and user type
The user's GhostPorts enablement
12
See the descriptions of those fields in the previous section ( Invite a New User ) if you need more information.
Users can themselves change other information about their accounts on a different page; see Manage Your Account
and Subscription for details.
Deactivate or Delete a User
The Halo Portal gives you two ways to remove a Halo user from your organization's Halo account:
You can deactivate the user if he or she is no longer using Halo and is not expected to return to active status in
the near future. The user can no longer log into the Portal, but the user's name remains (marked "deactivated") on
the list of Halo users on the Site Administration page, the user's profile information is retained, and the user can
easily be re-activated by a Halo Site Administrator.
To deactivate a user, locate the user's name in the table on the Users tab of the Portal's Site Administration page,
then click Deactivate for that user in the Status column.
You can delete the user if it is certain that the user will never be re-activated, and if it is appropriate to destroy all
information about the user. A deleted user is not listed on the Site Administration page and cannot be reactivated; however, all historical information about the user is retained in the Halo database for audit purposes.
To delete a user, locate the user's name in the table on the Users tab of the Portal's Site Administration page,
then click Delete for that user in the Status column.
Setting Up Servers and Server Groups
Readying your servers to be protected by CloudPassage Halo is a fairly simple three-step process:
1. Install a Halo Daemon on each server that is to be protected.
2. Create groups of structurally and functionally similar servers.
3. Assign each protected server to its appropriate server group.
You can perform the first two steps in either order: install Daemons first and then define groups, or define groups first
and then install Daemons.
13
Also, you can perform the steps manually through the Halo Portal, or in an automated fashion through integration with
third-party provisioning tools or by executing scripts that leverage the CloudPassage API.
1. Install Daemons
Every Halo-protected server must have a running Halo Daemon that performs security tasks and communicates with
the Halo Grid on a regular basis.
When you first log into the Halo Portal, you are prompted to install Daemons. When you are ready to do that, click
either Install Linux Daemons or Install Windows Daemons and follow the instructions on the page. Then repeat
the process for each of your servers.
If you need to find these pages again, navigate in the Halo Portal to Servers > Install Linux Daemons or
Servers > Install Windows Daemons .
You can install the Daemons manually, or you can automate the installation process .
Note: If you are a Halo site administrator, you have the ability to configure certain aspects of the behavior of
installed Daemons. See Daemon Settings for an explanation.
Install Linux Daemons
For every Linux server that you want Halo to protect, repeat the following steps:
1. Install a version of the sudo package on the server.
2. SSH into the server.
3. From your browser, log into Halo and follow instructions to download the correct script for your Linux distribution.
Or SSH into the server and download the script directly to the server.
4. On the server, execute the entire script at once, or perform each of its commands interactively, as shown on the
instructions page. The script supplies your unique Daemon registration key to Halo.
That's it! Your Linux server now appears in the Halo Portal Dashboard, in the All Servers group.
Performing an upgrade installation on Linux:
On any of the supported Linux platforms, you perform an upgrade installation by executing the appropriate upgrade
script for the platform. Download the script from the Install Linux Daemons page in the Halo Portal.
If you perform an upgrade while the older Daemon is running, the new Daemon will start automatically when the
14
upgrade is complete. If you stop the older Daemon and then upgrade, the new Daemon will not start automatically.
Configuring Linux Daemons for a proxy:
If your Linux server is configured to use a proxy, you'll need to supply the proxy information to Halo so that the
server's Daemon will be able to communicate with the Halo Grid. You can do that by adding the following options to
the command line when you first start the Halo Daemon (the same time that you supply the Daemon registration key):
--proxy=ip:port --proxy-user= username --proxy-password= userpassword
On subsequent starts, it is not necessary to include the proxy-related options (or the Daemon registration key) on the
command line. Note that if you later remove proxy support from the server, you should restart the Daemon and use
the --noproxy option. Or, if the proxy information changes, you can restart and include the updated values for the
proxy-related options.
Install Windows Daemons With the Installer
For every Windows server that you want Halo to protect, repeat the following steps:
1. Remotely log into your Windows server and start Internet Explorer as administrator.
2. From IE on the server, Log into the CloudPassage Halo Portal.
3. Navigate to Servers > Install Windows Daemons and download the Halo Daemon installer.
4. Run the installer and enter your Daemon registration key.
That's it! Your Windows server now appears in the Halo Portal Dashboard, in the All Servers group.
Performing an upgrade installation on Windows:
If you are upgrading from a 64-bit Halo Daemon (version 2.7.8 or later), you need not perform any explicit upgrade
procedure. The Windows installer senses that there is an existing Daemon and takes the appropriate upgrade
steps.
If you are upgrading from a 32-bit Halo Daemon (version 2.5.6 or earlier), take these steps:
a. Connect to your server through RDP and open Add/Remove Programs.
b. Remove the Daemon from your server by following the steps in Uninstall Halo Daemons.
c. In the Halo Portal, note the server group that the (now deactivated) server belongs to. Then move the server
into the "Retired" group, or simply delete it from Halo if you do not want to preserve a record of its configuration
or history.
d. Proceed to install the new server as described above.
15
e. Back in the Halo Portal, select your server from the "Unassigned" group and add it back into its appropriate
server group.
Note that Halo considers this as a new installation rather than an upgrade, since the configuration of your 32-bit
server and its server-group assignment are not carried over to your 64-bit server.
Configuring Windows Daemons for a proxy:
If your Windows server is configured to use a proxy, you'll need to supply the proxy information to Halo so that the
server's Daemon will be able to communicate with the Halo Grid. You can do that in the Windows Daemon installer,
on the Enter Proxy Information screen:
If you later remove proxy support from the server, you can use the Windows Service Manager to stop and restart the
service, specifying /noproxy in the Service Manager's "switches to pass to the service" field. Or, if the proxy
information changes, you can restart and include the updated values for the /proxy, /proxy-user, and /proxypassword options in the "switches..." field.
Install Windows Daemons From the Command Line
You can use the CloudPassage installer in a non-interactive mode to install a Halo Daemon without user intervention.
This capability allows you schedule installs, perform remote installs without a remote administrator, and use a single
command to bulk-provision an entire server installation with Halo Daemons.
Note: The non-interactive installer works for upgrade installs as well as for new installs. See Performing an
upgrade installation on Windows , above, for information on upgrading from different Daemon versions.
1. Run a command-prompt window as administrator: right-click the command-prompt icon (for example, in the Start
menu) and select Run as administrator from the context menu.
2. Change the current directory to the folder that contains the Halo installer file.
3. Execute a command with the following syntax:
cphalo-x.y.z-win64.exe /S /DAEMON-KEY= RegKey [/D=installdir] [/TAG=servertag]
[/NOSTART]
where
x.y.z
= The version number of the Windows Daemon that you are installing. The version number is
part of the filename of the downloaded installer executable.
S
= Specifies that the installation should be silent (unattended). Must be uppercase.
RegKey
= Your 32-character Halo Daemon registration key.
installdir = (optional) The directory into which to install the Daemon. If you specify nothing, the Daemon is
16
installed in the Program Files folder. (Enclose the path in quotes if it contains spaces.)
servertag = (optional) This Daemon's server tag. See Automatically Assign Servers to Groups .
NOSTART
= (optional) Specifies that the Daemon should not start up after installation. By default, the
Daemon starts when installation completes.
After you have constructed this command line, you can execute it directly or you can enclose it in a batch file for later
execution.
Install a Daemon on Your Gold Master Server
If you use "gold master" versions of your servers as templates from which to create cloud instances, you may want to
install Halo Daemons on the gold masters. Then, when you create server instances, each will already have an
installed daemon.
The installation process is the same as for installing on a cloud server. And CloudPassage recommends that you
start the Halo Daemon service after installing, by leaving the Start CloudPassage Halo Daemon now checkbox
selected. Doing that will ensure that any cloud instances created from the gold master will have unique Halo IDs and
will receive all updated Halo policies.
Deploy Daemons in Bulk With Automation Tools and Scripts
You can integrate Halo with cloud management and IT automation tools—such as RightScale, Puppet Labs Puppet,
and OpsCode Chef—to transparently embed Halo security into an automated server provisioning process. For
example:
Puppet is a well-known tool that you can use to provision Halo across multiple servers. CloudPassage has made
an example Puppet module available to customers. It uses a standalone Puppet deployment in which both the
master and agent are running on the same server. You may wish to use our Puppet example as a starting point
for developing your own automated Halo provisioning method. See this Blog post for more details.
CloudPassage has also prepared a pair of Chef cookbooks—one for Linux servers and one for Windows servers—
containing recipes for installing Halo Demons on your servers. You would add the appropriate cookbook to your
Chef run list, and then execute the run list on a set of servers. See this Blog post for more details.
CloudPassage has also created integration scripts with RightScale to automate the installation of Halo Daemons in
a RightScale-managed environment. The RightScript works with any type of RightScale account, and can be run
as either a boot script or an operational script. See this forum post on the CloudPassage Support site for more
details.
Add Custom Labels to Your Servers
An optional label attribute has been added to Halo servers. The attribute is called label in the Halo portal, and
server_label in the Halo API. It is an alternative to the existing hostname and FQDN attributes assigned to each
server. If a non-null value exists for a server's label attribute, the label is displayed everywhere in the portal UI, in
place of the hostname or FQDN.
The label attribute has been implemented to allow you to use Halo to assign more user-friendly or explanatory names
to your servers.
Note: A server label can be up to 80 characters long and can contain only alphanumeric characters plus dots,
dashes, and underscores. No spaces or other characters are allowed.
You cannot specify a server label from within the Halo portal or through the Halo API; instead, you add a parameter to
the Halo agent's startup command, as follows:
(Linux) Modify the agent startup script:
17
Use the --server-label option on the start command line, as in
sudo /etc/init.d/cphalod start --daemon-key= yourDaemonKey --server-label=yourServerLabel
(Windows) Execute an unattended installation:
Use the /server-label yourServerLabel option on the command line.
(Windows) Use the Windows Service Manager after installation:
a. Open the Services control panel. For example, from the Start menu, select Administrative Tools and then
Services.
b. Right-click the line for the CloudPassage Halo Daemon service, then select Properties from the drop-down
menu.
c. In the Properties dialog, enter the label assignment in the Start parameters field, using this format:
/server-label=yourServerLabel
d. Now start the service by clicking Start.
Important: Do not click OK without first clicking Start. If you click OK first, the tag will not be assigned to
the agent.
Run Your Halo Daemons in Read-Only Mode
On both Linux and Windows platforms, the Halo Daemon can be set to run in read-only mode. In that mode, the
Daemon is not able to make any changes to the host on which it runs, but it is otherwise a fully functional Halo
Daemon. In enterprise environments in which the security team does not have the authority to employ tools that have
privileged access to the organization's servers, running Halo in read-only mode is a viable alternative that retains
most Halo capabilities.
While running in read-only mode, an agent cannot update its host's firewall, it cannot support GhostPorts Multi-Factor
Authentication, and it cannot create, delete, or make any changes to a server's local user accounts.
You specify the running mode at agent startup:
On Windows, add a mode flag with a value of either read or read/write to the start command. (Default =
18
read/write.)
On Linux, add add a --readonly option with a value of either true or false to the start command. (Default =
false.)
The mode setting persists through Daemon restarts and upgrades. Therefore, to switch from read-only mode back to
read/write mode, you need to explicitly reset it, as in mode=read/write or --readonly=false.
Uninstall Halo Daemons
If you no longer want Halo to protect a server, you can uninstall its Halo Daemon. Once you do that, the server does
not appear on the Dashboard or other pages in the Halo Portal, and you can no longer access it or manipulate it from
the Portal.
Note: Uninstallation instructions appear on the Daemon installation pages of the Halo Portal.
Uninstalling on Linux
For Debian or Ubuntu, run this command on a server to remove its Daemon:
sudo apt-get purge cphalo
For CentOS, Fedora, RHEL, and Amazon Linux AMI, run this command on a server to remove its Daemon:
sudo yum remove cphalo
Uninstalling on Windows
Through the Windows user interface:
You can uninstall the Halo Daemon using Add/Remove Programs.
1. From the Start menu, select Administrative Tools > Services .
2. In the Services control panel, locate the Halo Daemon service, and stop it if it is running.
3. Open the Add/Remove Programs control panel.
4. Select the Halo Daemon service from the list, and click Uninstall.
The Halo installer launches, displaying the Uninstall page:
5. Click Uninstall. The Halo Daemon is removed from your server.
19
From the command line:
You may be able to use the following command to silently uninstall the Halo Daemon from a server:
installDir\Uninstall.exe /S
where installDir is the Daemon's installation directory (by default C:\Program Files\CloudPassage or
C:\Program Files (x86)\CloudPassage ).
Note: If User Account Control is enabled on a server, it may not be possible to execute this script unattended on
that server.
2. Organize Your Servers Into Groups
The concept of server groups is fundamental to Halo. Halo uses group-based policy management, meaning that an
individual security policy is designed to apply to any number of individual servers of a given kind. There is no need to
create an individual policy for each individual server. By applying policies in this manner, you can efficiently scale your
protection to fleets of thousands of servers. And in the dynamic environment of the cloud, Halo can instantly apply the
proper group policy to any newly cloned or burst server.
Design Your Groups
A server group is a set of similar servers—such as all of the web servers, or all of the load-balancers—that can share
a single Halo security policy. For example, all servers in a given group will use the same firewall policy and the same
configuration policy. In the Halo Portal, you will assign a policy to a server group, not to an individual server. So you'll
need to create server groups before any of your Halo policies can take effect.
To come up with the best set of groups for your organization, examine all of the servers you currently use, and
categorize them in terms of platform, applications, and purpose, while trying to end up with the smallest possible
number of groups.
The basic idea is that all the servers in a group need to be very similar (same O.S. and version, same applications,
same firewall needs, same local user accounts) because a single set of policies covers all of them. However, it is not
always strictly true:
You can mix Linux and Windows servers in the same server group for those features (such as dynamic firewalls,
configuration security monitoring, and file integrity monitoring) that allow assigning both a Windows and a Linux
policy to a group.
20
You can do this because Halo automatically applies only Windows policies to Windows servers, and only Linux
policies to Linux servers.
Servers (of a given platform) within a group must have identical firewall needs if you are implementing Halo
firewalls.
Servers (of a given platform) within a group must have identical or very similar system-file and directory structures
if you are implementing system configuration scanning or file integrity monitoring at the system level.
Servers (of a given platform) within a group must have the same general application security needs if you are
extending configuration security monitoring or file integrity monitoring to the application level.
You probably will not want to mix strongly dissimilar distributions of the Linux platform (Ubuntu with CentOS, for
example) within a server group, as this will make it harder to define configuration-policy rules that apply across all
servers.
You can share a single policy among several groups when that makes sense. For example, a web-server group
might need a different firewall policy from a database-server group, but if the two groups' operating systems are
identical, they might be able to share the same system-level configuration policy.
Create Your Groups
Once you have designed your groups, create them in the Halo Portal. On the Dashboard page, click the Add a New
Group link at the bottom of the list of server groups.
For now, just give each group a name and optionally a description; you'll assign servers and policies to the groups
later. The group now appears in the list of server groups on the Dashboard.
About Halo built-in server groups
Halo includes several built-in groups that you can use in special situations.
All Servers. This meta-group consists of all servers that have an installed Halo Daemon, regardless of whether
they are assigned to an actual server group. As soon as you install a Daemon on a server, it appears in this server
group, from which you can assign it to the server group of your choice. (Retired servers are not listed under this
group.)
21
Unassigned. This group consists of all servers that have not been assigned to a server group (although they do
appear in the "All Servers" meta-group). As soon as you install a Daemon on a server, it appears in this server
group, from which you can move it to the server group of your choice.
Retired. This group consists of all servers that explicitly have been retired (see Maintain and Manage Your
Servers). Move servers to this group when they are no longer used and you expect never to use them again.
Unretired. This group consists of servers that were retired, but are now deemed useful again. Note that when a
server is retired, it loses its server-group membership; therefore, unretiring it puts it into the "Unretired" group, not
into its previous server group. However, you can assign servers from this group to any actual server group for reuse.
Maintain and Manage Your Groups
Use the Halo Portal on an ongoing basis to manage your server groups. You can edit a group's name, add or remove
any of its servers, and add or remove security policies as noted in Assign Policies to Server Groups .
When you no longer need a given server group, you can delete it. Select the server group on the Halo Dashboard,
and click Delete below the group's name. If the group contains servers, Halo moves those servers to the
"Unassigned" group and then permanently deletes the group.
3. Assign Servers to Groups
If you have both created Halo groups and installed Halo daemons on your servers, you can now assign the servers to
the groups. A server must be a member of a group to receive the Halo security policies that protect it.
Manually Assign Servers to Groups
1. On the Halo Portal Dashboard page, Locate the servers on which you have installed Daemons. They should be
listed in the "Unassigned" group, and also in the "All Servers" meta-group. ("Unassigned" includes only servers
that have Daemons but belong to no server group. "All Servers" includes every server in your installation that has
an installed Daemon, whether or not it belongs to a group.)
2. For each server group that you have created, select the checkboxes for all of the servers that you want to assign
to that group, then select Move Server(s) from the Actions drop-down list, and then select from the group list the
22
name of the group to move those servers into.
Your selected servers are now assigned to their server group. As you create policies (see following sections), you can
return to the Dashboard page to assign them to the appropriate groups.
Automatically Assign Servers to Groups
Halo also allows you to automate the process of assigning servers to groups, bypassing manual assignment in the
Portal. To set it up, do this:
1. When you create or edit a server group in the Halo Portal, specify a server tag for that group. The server tag is a
string of your choice. Enter the string into the Server Tag field on the Edit Group Details page for that group.
Note: A server tag can be up to 40 characters long and can contain only alphanumeric characters plus dots,
dashes, and underscores. No spaces or other characters are allowed.
2. Then, when you install a Halo Daemon on a server, supply the server tag of the group to be associated with that
daemon. If a daemon's server tag matches that of any existing server group, that server is automatically assigned
to the group whenever the Daemon starts up.
There are several ways to assign a server tag to a Daemon:
(Linux) Modify the server startup script:
Use the --tag option on the start command line, as in
sudo /etc/init.d/cphalod start --daemon-key= your-daemon-key --tag= servertag
(Windows) Run the installer:
The installer includes a screen that you can enter the tag into.
(Windows) Execute an unattended installation:
Use the /TAG servertag option on the command line.
23
(Windows) Use the Windows Service Manager after installation:
a. Open the Services control panel. For example, from the Start menu, select Administrative Tools and then
Services.
b. Right-click the line for the CloudPassage Halo Daemon service, then select Properties from the drop-down
menu.
c. In the Properties dialog, enter the tag assignment in the Start parameters field, using this format:
/tag=tagName
d. Now start the service by clicking Start.
Important: Do not click OK without first clicking Start. If you click OK first, the tag will not be assigned
to the Daemon.
Note: It is also possible to add servers to groups programmatically. See the Servers section of the
CloudPassage API Developer Guide for details.
Maintain and Manage Your Servers
Use the Halo Portal on an ongoing basis to manage any of your servers. On the Dashboard page, activate a Halo
), then select a server group (or "All Servers"). Then scroll or search to find the
module by clicking its icon (such as
server(s) of interest, selecting the checkbox for each server you want to act on.
Searching for a server
To use the Dashboard search to find a server, enter any portion of the server's hostname, fully qualified domain name
(FQDN), or server label into the search box, then click Search. The search results are limited to the currently active
Halo module and the currently selected server group.
From the search results, select the checkboxes of the servers you want to act on.
Acting on a selection of servers
24
Once you have selected one or more servers to act on, use the Actions drop-down menu to
Launch scans of the servers.
Move the servers servers from one server group to another, including "Unassigned" if you do not want the servers
to belong to any group.
Retire the servers if they are not currently needed, putting them into the "Retired" group.
Unretire the servers from the "Retired" group, transferring them to the "Unassigned" server group (and "All
Servers" as well).
Delete the servers when you no longer need them and are sure that you never will again. The servers disappear
from the server group on the Dashboard and cannot be recovered.
Note: The Delete action removes the server's record from Halo, but it does not uninstall the Halo Daemon
from the server, and the Linux or Windows server still exists as a virtual or physical server, even
though it is no longer visible to Halo. To actually remove the Daemon from the server, follow the
instructions in Uninstall Halo Daemons.
Activating Halo Features to Protect Your Infrastructure
The capabilities of Halo to protect your server infrastructure can be grouped within the general areas of
Server integrity and intrusion detection
Firewall and access control
Security event logging and alerting
Within each of these security categories, you can enable the specific Halo features necessary to achieve both broad
and deep protection for your server fleet.
Whether your goal is to meet organizational or regulatory compliance objectives, to protect valuable intellectual
property, or to guard against destructive attacks on your organizational infrastructure, deploying the appropriate set of
Halo features can significantly strengthen the security posture of your systems and applications, regardless of
architecture.
Choose the Halo Features to Activate
Depending on your Halo subscription plan, you may have access to only a subset of these security features, or you
may be able to implement them all. Implementation is in general fast and simple.
25
Threat Management:
Configuration security monitoring . Automatically monitor operating system and application configurations,
processes, network services, privileges, and more.
Available on Windows and Linux platforms. Requires a Halo Professional subscription. Implement it by creating
configuration policies or cloning them from templates, and then assigning them to server groups. See Monitoring
Server Configuration Security With CloudPassage Halo for details.
File integrity monitoring . Use cryptographic signatures to detect unexpected changes to system binaries,
configuration files, source code, and other critical files (including registry keys on Windows servers).
Available on Windows and Linux platforms. Requires a Halo Professional subscription. Implement it by creating or
cloning file integrity policies, running baseline scans, and assigning the baselines and policies to server groups.
See Monitoring Server File Integrity With CloudPassage Halo for details.
Software vulnerability assessment . Scan the packages installed on your server for security vulnerabilities
(NIST CVEs).
Available on Linux platforms. Requires a Halo Professional subscription. Implementing it requires no action; it is
always enabled. See Assessing Software Vulnerabilities With CloudPassage Halo for details.
Access Control:
Firewall automation . Centrally manage host-based firewalls including automatic updates for when servers are
added, changed or retired.
Available on Windows and Linux platforms. Available to all Halo users. Implement it by creating firewall policies
and assigning them to server groups. See Automating Server Firewalls With CloudPassage Halo for details.
GhostPorts multi-factor authentication . Use strong authentication to dynamically provision and de-
provision network access for authorized users.
Available on Windows and Linux platform. Requires a Halo NetSec or Professional subscription. Implement it by
enabling specific users and modifying certain firewall policies. See Using GhostPorts Two-Factor Authentication
With CloudPassage Halo for details.
Server account management . Evaluate who has accounts on which cloud servers, what privileges they
operate under, and how accounts are being used.
Available on Linux platforms. Requires a Halo NetSec or Professional subscription. See Managing Server
Accounts With CloudPassage Halo for details.
Threat Detection:
Log-Based Intrusion Detection . Monitor system and application log files across your servers, generate
alerts whenever events that could indicate compromise or attack are logged.
Available on Windows and Linux platforms. Requires a Halo Professional subscription. Implement it by creating or
customizing a log-based intrusion detection policy that specifies which log files to inspect and what event text or ID
to alert on. See Using Log-Based Intrusion Detection with CloudPassage Halo for details.
Event logging and alerting . Securely store and generate real-time alerts for server creation, changes,
exposures, policy violations, and more.
Available on Windows and Linux platforms. Available to all Halo users. Implement it by flagging policy rules for
logging and alerting, and by creating special events policies. See Defining Your Issues, Events, and Alerts in this
document for details.
Consult the above-mentioned documents for the complete instructions you need to implement and manage these
Halo features. Then continue with this Operations Guide for
Instructions for assigning feature-specific policies to server groups and running scans of your servers.
26
Information needed by site administrators for ongoing Halo configuration and administration.
Instructions for all Halo users on how to set up and interpret security issues, events, and alerts across all Halo
features.
Assign Policies to Server Groups
Once you have implemented one or more Halo features, you can then complete the setup of any of your server
groups. The final step is to assign a Halo security policy to the group. In particular, you cannot use firewall
automation, configuration security monitoring, or file integrity monitoring until you assign the appropriate policy to the
appropriate group or groups.
Do that from the Halo Portal Dashboard by first choosing to edit a particular server group:
Then make the policy assignment on the group's Edit Details page:
These instructions may also be found in the individual feature documents listed in the previous section.
Note also that other server-group settings you can enter on this page include Special Events Policy and Alert
Profiles (described later, under Set Up a Special Events Policy and Set Up Alert Profiles ), and Server Tag
(described earlier, under Automatically Assign Servers to Groups ).
Conduct Scans
Once you have set up and configured one or more Halo features, use the Halo Portal on an ongoing basis to scan
your servers and interpret the results.
For configuration security monitoring, file integrity monitoring software vulnerability assessment, and server account
management, you can conduct scans of your servers either manually or automatically.
27
Configure Automatic Scans
If you are a Halo site administrator, you can enable, disable, and schedule automatic scans of your servers. Select
Site Administration from the Site Administrator menu (the gears icon
the Scanner Settings tab.
in the Portal page header), then click
For each Halo feature, select the checkbox to enable automatic scanning, and choose a scan frequency (from hourly
to weekly). Select Execute scan on daemon start if you want each server to be initially scanned as soon as its
Daemon starts up, instead of at a default time of day. (This is recommended, to avoid having all servers on your
network being scanned at the same time.)
To turn autoscanning off, clear the Enable Automatic Scanning checkbox.
You can modify certain other scan settings on this page:
Mark finding as Failed if the check was indeterminate . See About Indeterminate Results in Monitoring Server
Configuration Security for an explanation of when you might want to enable this setting for configuration scans.
Mark finding as Critical if CVSS score is above . Default threshold value = 5.00. See Adjust the Vulnerability
Threshold in Assessing Software Vulnerabilities for an explanation of when you might want to alter this value in
software vulnerability scans.
Generate a separate event for every change detected by a file integrity monitoring rule . Select or clear the
checkbox, depending on whether you want to group all the changes detected for a given policy target into a single
event or issue. See Specifying File integrity Monitoring Settings (in Monitoring Server File integrity with
CloudPassage Halo) for further explanation.
Manually Scan Selected Servers
28
At any time, you can manually kick off a scan of a single server, a selected set of servers, or all servers in a given
server group. You might want to run a manual scan if, for example, you have just remediated a reported issue or
vulnerability and you don't want to wait for the next scheduled scan to verify that the issue is no longer reported in the
scan results.
On the Portal Dashboard, select any server group (including "All Servers", if desired) and scroll or search for servers
of interest. Use the checkboxes to select a single server, multiple servers, or all servers in the group. Then select
Launch Scan from the Actions menu. Your scan starts immediately.
After a manual or automatic scan completes, you can interpret the resulting security issues and events. See Part 2 of
this document, Halo Issues and Events , for suggestions on how to proceed. See also the individual guides listed
above, under Choose the Halo Features to Activate , for instructions specific to each feature.
Using the CloudPassage API
The CloudPassage application programming interface (API) offers a secure, authenticated way for programs to
directly access Halo functionality. Your client software can automatically perform many of the same functions that
Halo Portal users perform manually, such as creating and managing policies, creating or deleting server groups, and
running scans.
All Halo users have access to the API.
About the API
The CloudPassage API is a representational state transfer (REST) API. Its calls accept and return stored Halo
resources. You access those resources through URL paths. To make an API call, your application submits an HTTP
request and parses the response. The request and response are both in Javascript Object Notation (JSON) format.
Authentication and API Keys
All access to the CloudPassage API requires authentication. First, your application or script client must authenticate
with Halo to request an access token for the session. Your client then submits that token with every API call that it
makes. (Note that the token is valid for only 15 minutes, so if your session lasts longer than that, you'll need to obtain
another token.)
Your client must provide client credentials in the form of an API key when making the token request. One
responsibility of a Halo site administrator is to generate API keys for use by Halo client programs that access the API.
Your API keys are available in the Halo Portal, on the API Keys tab of the Site Administration page. See API Keys for
instructions on generating API keys and using them in your programs.
API Coverage
The API allows you to automate many aspects of Halo functionality. These are the API endpoints, the Halo resources
that you can manipulate in various ways through calls to the API:
Users [Halo users]
Server Commands
Server Groups
Server Scans
Servers
Scan History
29
Server Accounts
Configuration Policies
File Integrity Policies
Firewall Interfaces
Special Events Policies
File Integrity Baselines
Firewall Services
Events
Firewall Policies
Firewall Zones
Alert Profiles
Firewall Rules
Log-Based Intrusion Detection Policies
Saved Searches
Documentation
The CloudPassage API is fully documented in the CloudPassage API Developer Guide . Related blog posts are also
available, on the Cloud Security Blog .
API Examples, Sample Code, and the Halo Toolbox
CloudPassage customers have used the API to construct their own server-security management tools and to
integrate Halo with other systems. CloudPassage employees have also created code samples, scripts and libraries
that use the API to accomplish various useful tasks.
The Halo Toolbox is a set of GitHub repositories where CloudPassage customers and employees can share and
compare code that automates tasks by calling the CloudPassage API. The Toolbox facilitates collaboration:
You are encouraged to fork any of the repo's in the toolbox that interest you, then extend or improve them.
If you would like to share your extension or improvement, just send a pull request.
Click Watch for any repo to be alerted of changes to it.
The following are a few examples of the kinds of automation and integration solutions that have been developed by
customers and employees and posted to the Toolbox.
Authenticating to Halo and retrieving user or server information
Any client that uses the API must first authenticate to the Halo API's "Authorization" endpoint by providing the Halo
account's API key, and then submit the returned session token when making each API call. This ensures constant
API security.
The authentication method is an HTTPS POST call, as documented in the CloudPassage API Developer Guide . But
your software can use other languages to accomplish this task, as in this Python example:
connection = httplib.HTTPSConnection(host)
authstring = "Basic " + base64.b64encode(clientid + ":" + clientsecret)
header = {"Authorization": authstring}
params = urllib.urlencode({'grant_type': 'client_credentials'})
connection.request("POST", '/oauth/access_token', params, header)
response = connection.getresponse()
jsondata = response.read().decode()
data = json.loads(jsondata)
key = data['access_token']
...or as in this Ruby example:
client = OAuth2::Client.new(clientid, clientsecret,
:connection_opts => { :proxy => my_proxy },
:site => "https://#{host}",
:token_url => '/oauth/access_token'
)
token = client.client_credentials.get_token.token
After authenticating, your client could, for example, call the API's "Servers" endpoint to retrieve information for all
active Halo-protected servers, and then print out a list of server names before closing the connection. The call is
30
documented in the API Guide as an HTTPS GET request. In Python, it might look like this:
tokenheader = {"Authorization": 'Bearer ' + key}
connection.request("GET", "/v1/servers", '', tokenheader)
response = connection.getresponse()
jsondata = response.read().decode()
data = json.loads(jsondata)
# iterate through json result and print out hostnames
servers = data['servers']
for server in servers:
print server['hostname']
connection.close()
...or in Ruby, like this:
result = RestClient.get "https://#{host}/v1/servers", {
'Authorization' => "Bearer #{token}"
}
data = JSON result.body
servers = data['servers']
servers.each do |server|
puts server['connecting_ip_address'] + " " + server['hostname']
end
To examine the complete source code of these specific examples in the Toolbox, go to
https://github.com/cloudpassage/api_examples.
Exporting Halo events to third-party SIEM or log-management tools
The CloudPassage API includes an "Events" endpoint that clients can query to obtain complete information on all
Halo security events (for example, detected server configuration errors or file-tampering) within a range of dates. You
can use this capability to create an integration tool that feeds event data to a third-party tool for analysis.
CloudPassage has developed such a tool (the Halo Event Connector) and has made it available to customers. The
tool provides direct integration with Splunk Enterprise and SumoLogic, and integration through syslog to ArcSight and
other tools. For more information, see https://github.com/cloudpassage/halo-event-connector-python.
Other example API client code
Here are a few other code examples that you can examine by browsing through the Toolbox. They demonstrate a
variety of ways that you can exploit the power of the CloudPassage API to automate and streamline your serversecurity monitoring tasks.
Manipulating Halo server firewall policies
Two Ruby examples use the API to add a rule to a firewall policy and to modify a firewall policy's source or
destination IP zone.
Copying security policies and saving to archives
An example Ruby script downloads all firewall policies and file integrity policies for a Halo account, and formats
them as a report for use in auditing policy changes.
Discovering servers that have no installed Halo Daemon
An example script uses the Ruby fog library to retrieve all of your server IP addresses from cloud providers and
31
then cross-checks them against servers that have installed Halo daemons, to let you determine whether you have
any unprotected cloud servers.
Scanning servers within a group to detect differences among them
A script calls the "Server Issues" method of the Servers API endpoint for all servers in each server group in turn,
analyzes the results, and prepares a report for each group that summarizes how well the servers in the group
have the same consistent configuration status.
Detecting server-local accounts whose passwords should be changed
A script searches all of your Linux servers for local user accounts whose passwords are stale or expired and
should be changed. The script accesses the Servers API endpoint to examine all local accounts on all servers in
all server groups, then reports on any accounts whose last change date is older than the system-specified
maximum password age.
Identifying the IP addresses from which Halo users have logged into the Portal
This sample accesses the Events API endpoint and extracts the values of the user name, IP address, and country
of every Halo login event within the time range that you choose.
Besides browsing the Toolbox, be sure to consult the CloudPassage API Developer Guide and the Integrations forum
on the CloudPassage Support site to learn more about leveraging the CloudPassage API and integrating Halo with
your other tools.
PART 2
HALO ISSUES AND EVENTS
The security logging and alerting capabilities of Halo report on a broad range of important audit events and detailed
scan results. A Halo user specifies which issues are to be logged, which ones should be considered critical, which
should generate alerts, and who should receive the alerts that are sent. Given the flexibility and speed of Halo, you
can use server groups and alert profiles, along with a special events policy and scan results to create the right
alerting scenarios for rapid security response and compliance automation.
Topics:
About Issues, Events, and Alerts
Defining Your Issues, Events, and Alerts
Addressing Issues
Addressing Events
About Issues, Events, and Alerts
32
Halo reports important security occurrences or states regarding your servers in three forms—as issues, as events,
and as alerts. All three forms are closely related, although not identical.
An issue is a scan result—a detected software vulnerability, a failed configuration policy rule, or a changed file
integrity target. For configuration scanning and file integrity scanning, the rules and targets in your policies list the
violations that are to be considered issues. For vulnerability scanning, the current state of the NIST database
defines what software packages, if present, will be flagged as issues by Halo.
An event is a logged configuration or file integrity issue, or a detected software vulnerability or other special event
(as defined by your special events policy; see Set Up a Special Events Policy ). For configuration scanning and file
integrity scanning, you specify for each policy rule or target whether its violation should not only generate an issue,
but be logged as an event as well. For special events, you similarly specify for each potential event whether or not
you want it to be logged as an event. (Special events do not appear as issues.)
Audit events make up another class of events. They are user actions, such as logins to Halo or changes to a
policy, that are recorded for auditing purposes. By default all audit events are logged, but those settings are
configurable; see Audit Events.
An alert is an email notification sent to you or others to announce that a particular event has occurred. Alerts can
give your security personnel essentially immediate notice that an event, possibly critical, has occurred in your
servers or network. The details of the event are described in the alert so that immediate action can be taken.
For configuration scanning, file integrity scanning, and special events, you indicate for each specified event
whether it should also trigger an alert. (By default audit events are not alertable, but those settings are
configurable; see Audit Events.)
You can think of issues as casting the broadest net to capture potential security risks on your servers. The set of
events that you define can be just as broad (if you log every issue), or it can be somewhat more targeted toward
those issues that you feel are more likely to indicate a significant security problem. And the set of alerts you define
should be much smaller, restricted to the subset of events for which time-critical response is imperative.
Where do you go to view and address these occurrences?
You can view issues on an individual server's Scan Details page (accessed from the Portal Dashboard), on a
server's Scan History page (accessed from its Scan Details page), or on the general Server Scan History page
(accessed from the Servers menu).
You can view events on an individual server's Security Events page (accessed from the Dashboard) and on the
general Security Events History page (accessed from the Servers menu).
Alerts appear in the email in-boxes of the individuals (who do not have to be Halo users) who have been specified
as alert recipients.
Typically, there is a large overlap between issues and events. Most issues that you want to be reported should
probably also be logged as event , so you will mark them for logging. However, any rules or targets that you do not
mark for logging will appear as scan-result issues but will not appear as events.
The rest of Part 2 of this document describes how to set up, make use of, and interpret your issues, events, and
alerts.
Defining Your Issues, Events, and Alerts
In Halo, it is the responsibility of your organization to define
33
The specific set of configurations or occurrences that should be considered security issues.
The subset of issues that should be flagged as critical.
The subset of issues that should trigger events.
The set of other events that should be defined.
The subset of events that should trigger email alerts to appropriate personnel.
Even if you use the default security polices provided with Halo, you still need to make these decisions; some default
policies may not flag any issues as critical and may not mark any events to trigger alerts.
Flag Policy Issues for Logging and Alerting
When you create or edit a Halo security policy, you may be able to enable logging for individual rules in the policy.
Different Halo features handle event logging somewhat differently.
Configuration Issues and Events
While creating or editing a configuration policy, you can use the Log checkbox to specify for each rule whether it
should be logged:
You can also select the Critical checkbox if you want both the issue and the event to be considered especially
when displayed in a list. By default, critical issues/events
high priority. Critical issues or events are marked with
are sorted to the top of the list.
If you have elected to log an issue, then also select Alert if you want an alert to be sent as a result of the event's
occurrence. The alert is sent to all persons on the alert profile(s) assigned to the same server group that this rule's
policy is assigned to; see Set Up Alert Profiles for details.
File Integrity Issues and Events
If you are creating or editing a file integrity policy, note that there is no Log checkbox for a target; changes to
every target are reported as issues and also logged as events.
You can select the Flag Critical checkbox if you want the issue and event to be considered high priority and
in lists. You can also select Send Alert if you want an alert to be sent when the event occurs.
marked with
See Set Up Alert Profiles for information on specifying alert recipients.
34
Firewall Events
Halo server firewalls can generate logged events. Linux and Windows firewalls handle logging differently: On
Linux, you can turn logging on or off for each individual firewall rule; for Windows, only a few events are logged
and you turn logging on or off for a firewall policy as a whole.
The firewall events that you log do not by default become Halo events; they are not stored in the Halo database
and are not visible in the Halo Portal. On Linux servers, they are stored in the iptables logs , and on Windows
servers they are stored in the Windows Firewall logs. You can view the events with the appropriate system tools
for each platform.
Note: You can import selected firewall log events into the Halo event logging and alerting system by explicitly
scanning for them with the Halo Log-Based Intrusion Detection system. See next bullet.
Firewall events are not discussed further in this document. For detailed information on setting up Halo firewalls,
see Automating Server Firewalls With CloudPassage Halo .
Log-Based Intrusion Detection Events
You can use the Halo Log-Based Intrusion Detection system to leverage the existing system- and applicationlogging capabilities of your servers to capture events anywhere in your server fleet that may be indicative of an
intrusion or attack. When you create a policy rule to detect a specific event in a specific log file, you can specify
whether the occurrence of that event should logged by Halo, whether the event should be critical, and whether it
should generate an alert.
See Using Log-Based Intrusion Detection with CloudPassage Halo for more information .
Set Up a Special Events Policy
The Halo special-events alerting system notifies you of unusual occurrences in your cloud installation that may have
security implications. For example, if a server unexpectedly restarts, if its IP address changes, or if a firewall
configuration is changed outside of Halo, it could be a signal that something malicious has happened and you may
want Halo to log the event, and possibly alert you or others in real time. Also, all vulnerabilities detected by software
vulnerability scans are recorded as special events.
35
You set up special events by implementing a special events policy and assigning it to a server group. You can then
use the policy and an alert profile to customize alerting for any of the events.
Note: Halo automatically assigns the default Global Events Policy to every server group. However, that policy by
default generates no events or alerts, so you'll need to either customize the global policy or create a new
one for special events to be effective.
Take these steps to create a special events policy:
1. In the Portal, go to Policies > Special Events Policies and click Add New Special Events Policy .
2. Enter a name and optional description for the policy. Then select, from the available set of security events, the
specific events that you want this policy to monitor. If you want the policy to monitor a given event, check Log
event. If you consider the event critical, check Flag critical. If you want an email notification to be sent when an
event occurs, check Generate an alert .
A few of the events are marked as Linux-only and are not available for Windows servers.
Note: To help you decide which special events you want to monitor, it may be helpful to review the
discussion Act on special events , later in this document.
3. Click Save to save the policy. Then assign it to your server group—navigate to the Portal Dashboard page, click
Edit Details for your server group, and select your policy from the Special Events Policy drop-down list. Then
click Save.
Special-event logging is now set up for your server group. To complete the setup of logging and alerting, you'll need
to set up one or more alert profiles, as described next.
Set Up Alert Profiles
When Halo generates a certain type of event—specifically a logged issue or a special event—if the event is flagged
to generate an alert, a notification email is sent to a pre-specified set of Halo users. Every server group can have
different lists of users that receive alerts, and within each list different users can be selected to receive all events or
critical events only.
These lists are called alert profiles; you can create any number of them in the Halo Portal, and you assign one or
more to the server group appropriate for the persons on the list(s).
Note: If no alert profile is assigned to a server group, alerts will by default go to all Halo site administrators on
your account. You'll need to set up your own alert profiles if you want to control who receives alerts.
You might create different alert profiles for different server groups if, for example, you have different security
specialists monitoring each group. Or, create a profile just for managers and auditors, if you want them to receive
alerts much less frequently (say, once a week) than security specialists who must be prepared to respond
36
immediately.
To create and assign a new alert profile:
1. In the Halo Portal, go to Policies > Alert Profiles and click Add New Alert Profile .
2. Enter a name and optional description for the profile, and specify a batching frequency for sending alerts—from
"Instant" (to send each notification separately, as soon as the event is created) to "Every week" (to batch all
events for the week into a single email alert).
3. Select one or more of your company's Halo users, or one or more external recipients, to receive the alerts. Also
specify whether each user should receive all alerts or just a subset based on event criticality. Then click Save.
4. Assign the profile to a server group: On the Halo Dashboard page, click the name of the server group you want to
assign the profile to, then click Edit Details below the name. On the Edit Group Details page, select the name of
your new alert profile from the Alert Profiles drop-down list. Then click Save.
That's it. Your designated users will receive an email when a security event that fits your settings occurs. And you
can repeat this procedure to create other alert profiles for other server groups.
Addressing Issues
Reviewing the results of a Halo scan involves examining all reported issues in sufficient depth to determine which
ones represent valid security risks. You then can take appropriate action to address the valid risks—and you may also
take other actions to eliminate or suppress the invalid ones from future scan results.
View a Server Group's Summary of Issues
The Dashboard pages in the Halo Portal are server-group summary pages. For the selected Halo feature (for
example, Configuration risks) and for the selected server group, the page lists all servers in the group and
37
summarizes each server's status in regard to that feature.
Some items on the Server Group Summary pages are common to all or most Halo features:
Search. Lets you search for any server in the group by name. You can also find servers by browsing the
paginated server list or by re-sorting the displayed columns.
Actions. Lets you move selected servers or start a manual scan; see Maintain and Manage Your Servers and
Manually Scan Selected Servers .
Server/OS/Daemon Status. These columns name each server in the group, indicate its operating system, and
give you the status of its Halo Daemon: "Active" (the Halo Daemon has recently communicated with the Halo
Grid), "Deactivated" (the server was shut down or the Daemon was stopped), or "Missing" (Daemon-Grid
communication has been interrupted).
These controls and columns can help you to locate a server and identify servers that have shut down or crashed. The
two columns to the right of Daemon Status are Halo feature-specific, and help you to find servers and server groups
on which Halo has detected security issues:
For Configuration, File Integrity, Vulnerability, and Log-Based Intrusion Detection scans—
Critical. The number of critical issues found in the latest
scan, as defined by the policy used or—in the case of
software vulnerability—the vulnerability score compared
to the CVE vulnerability threshold. You may want to
address critical issues first.
Other. The number of non-critical issues found in the
latest scan.
To view details of the critical and non-critical issues found on any of these servers, click the number in the
or Other column for the server you choose.
For Server Access—
Root/Total Accts . The number of local accounts with
root privileges found in the most recent scan, and the
total number of local accounts found.
Last Root Login. The date-time of the most recent
login of any of the root-level accounts on this server.
Unexpected root logins may indicate suspicious activity.
38
Critical
To view details of all of the local accounts found on any of these servers, click either number in the
column for the server you choose.
Root / Total
For Firewall Management—
Firewall Status. The current status of this server's
firewall (
if the server has a firewall,
if not).
Policy. The name of the firewall policy assigned to
this server's server group. Click the firewall policy's
name to view or edit the policy details.
To view summary information and current status for the firewall policy assigned on any of these servers, click the
icon in the Firewall Status column for the server you choose. To view events triggered by firewall changes
outside of Halo, see your individual server's system firewall logs. (Or activate a firewall special event.)
If you have clicked the appropriate link, the server's Scan Results or Server Details page appears, as described in the
next section.
Analyze a Server's Current Issues
When you click the appropriate link for a server on the Dashboard, or the More detail link on a Server Summary
page, the Scan Results or Server Details page opens, displaying detailed information for that specific server and Halo
feature.
Some items on the Scan Results or Server Details pages are common to all or most Halo features:
Navigation links. Click the center link ("Web-27" in the above example) to jump to this server's Server Summary
page (see About the Server Summary Page ), which summarizes the server's status across all Halo features.
Trend graphs. Use these sparkline graphs to note spikes and to interpret general trends in the number of issues
reported for this server and this Halo feature, across various time ranges.
Scan metrics. For scans, lists the timing and status of the most recent scan. You may see these status values:
"completed": The scan was successful, and (for a configuration scan) no rule checks failed.
"completed w/errors": The scan was successful, some rule checks failed. (Applies to configuration scans only.)
39
"failed": The scan was not successful.
Policies used. Lists the policies that are currently in force or were applied to the most recent scan. Click the
name of a policy to view or edit its details.
Get PDF Report (action). Display a PDF version of this page to use as a report. You may save or print it as you
wish.
Server Scan History (action). Examine the Scan History page for this server (see To view an individual server's
scan history) to review the history of any issue in this scan. (For example, is it a new occurrence? A recurrence?
When was it first reported?)
This icon (
) appears beside issues of critical severity. You can sort the list of issues so that all critical ones
are displayed at the top.
Other information, table columns, and links on the page are Halo feature-specific, as shown below:
For Configuration Scans—
This is the expanded view of one issue:
A configuration issue is a policy rule failure, which is a failure of any check in the rule. The above results show
that one check failed and one passed in the rule "Disable IP Routing" in the policy "Amazon AMI". Therefore,
the rule failed.
Click a failed or passed check to further expand the display, and see exactly what happened—what setting was
tested, what value was expected, what value was found, and (optionally) what remediation steps are
recommended. From this info you may be able to infer whether this is a valid security issue that you need to
address.
If you think that this is not a valid set of rule checks in this situation, you can either (1) click Disable this rule
so that this issue will not occur in future configuration scans or (2) disable the individual failed check on the
Edit Policy page, so that it will not be used in the rule during future scans.
For more information on interpreting configuration scan results, see View and Act on Scan Results in Monitoring
Server Configuration Security With CloudPassage Halo .
For File Integrity Scans—
This is the expanded view of one issue (on a Windows server):
40
A file integrity issue is reported whenever a policy target has changed through alteration of its content,
ownership or permissions, or when a subdirectory or file has been added to or removed from a directory target.
The above results show that the target file sethc.exe has changed in these ways:
Its ownership has changed, from "NT SERVICE\TrustedInstaller" to "BUILTIN\Administrators".
The access permissions on it have changed ( red = added permission; green underlined = unchanged
permission; red lined-through = removed permission).
Its content has changed, as shown by the changed value for the cryptographic signature of the file.
Based on your understanding of the file and what its ownership and permissions should be or have been, and
whether or not the changes are suspicious, you may be able to infer whether this is a valid security issue that
you need to address.
If you think that this change is not a serious issue for this server at this time, either click Add Exception to
temporarily hide the issue from future scan results, or click the file integrity policy name ("malware detection" in
the above example) to edit the policy to remove the target or add an exclusion to it.
For more complete information, see Specifying Exceptions or Using Patterns to Create Inclusions and
Exclusions in Monitoring Server File Integrity With CloudPassage Halo .
If you want to inspect the baseline server that created the most recent baseline for the policy that triggered this
issue, click the server name ("AMAZONA-0" in the above example) to view that server's summary page. Also,
you can inspect the baseline report for that server (and other baseline servers, if there are more than one) on
the file integrity policy's Edit page.
For more information on interpreting file integrity scan results, see View and Act on Scan Results in Monitoring
Server File Integrity With CloudPassage Halo .
For Software Vulnerability Scans—
This is the view of one issue:
Package and Version. If you know that vulnerabilities in this package are not of concern to you (for example,
your installation might never use the package), you can click Add Exception to temporarily remove this issue
from future scans. If you will never use the package, the best solution may be to remove it from your servers.
41
Remotely Exploitable. "Yes" if the attacker can exploit vulnerabilities in this package without having local
access to the server. Remotely exploitable vulnerabilities could carry higher risk than those that are not.
View Full Report (with Passes) (action). Get a PDF version of this page that also lists non-vulnerable
packages.
Launch New Scan (action). Immediately run another vulnerability scan. You might do this if you have just
defined several exceptions and want to verify that those issues do not show up in the new scan.
CVE Reference. Click any of the CVE IDs in this line to view details of each individual vulnerability:
This information is from NIST. For more information on interpreting a CVE entry, see View Vulnerability Details
in Assessing Software Vulnerabilities With CloudPassage Halo .
Based on how your organization uses the vulnerable package and your understanding of the vulnerability from
the CVE report, you may decide to: patch the package immediately; protect the package in another way (such
as by changing firewall rules to prevent communication with it); or ignore it by creating an exception.
For more information on interpreting and remediating vulnerability scan results, see Interpret Vulnerability Scan
Results in Assessing Software Vulnerabilities With CloudPassage Halo .
For Server Access Scans—
This is the view of one local account found on the server, followed by the expanded view (from clicking
Account Details):
Expand
Username, Root Privilege, UID and GID and Groups. If you do not recognize this user, or if the user does not
need access to this server, investigate or deactivate the account. You can immediately see whether the account
has root privileges ("Yes" under Root Privilege or "0" under UID or GID), or whether it belongs to groups with
elevated privileges.
42
Home and Shell. Shows you whether the account has a home directory and where it is, plus what shell it uses
to access the server.
Last Login. Shows you how active this user is. If the last login was long ago, you might want to deactivate the
account. If the account user is an ex-employee but has logged in recently, you should investigate and
deactivate the account immediately.
Password Details. Lets you know whether the password has expired. If so, is this account still needed?
Sudo Access. Describes the kind of sudo (temporary superuser) privileges that the account has. High
privileges (such as in the above example) might merit investigation.
SSH Info. If the account has SSH privileges to this server, make sure that the ACL on the SSH directory is
appropriately secure (such as in the above example). Also, any authorized SSH keys are listed here.
Also use the "View All Accounts on ServerName" page to compare all of the local accounts on a server at a
glance. Use it to look for issues like unexpected accounts, unexpected logins, or indicators of elevated privilege
(such as membership in the "wheel" group) on the server.
Likewise, use the "View AccounName On All Servers" page to instantly compare accounts with the same name on
all servers in a server group. The account's information should mostly be identical across all servers in a given
server group; any differences might be cause for investigation.
For more information on interpreting and remediating server access scan results, see Managing Server Accounts
With CloudPassage Halo.
For Log-Based Intrusion Detection Scans—
There is no server scan-results or server issues page for Log-Based Intrusion Detection scans. All scan results
are already events, so clicking the number of critical or other "issues" on the server-group summary page causes
the Server Events History page to appear, displaying by default all log-based intrusion detection events captured
by Halo over the past 24 hours.
For each displayed event, the page indicates the event's criticality, lists its date-time of occurrence, indicates
which policy rule was matched, provides a link to the policy, and shows full text (or XML) of the event message.
If you think that a particular event is not a serious issue at this time, you either ignore it or you can click the logbased intrusion detection policy name ("windows logs" in the above example) to edit the policy to remove, disable,
or modify the rule.
43
If you think the issue may be serious, you may—based on your perception of its criticality—either investigate it
further on your own or launch an official investigation, as noted in Act On Reported Events .
For more information on interpreting log-based intrusion detection events, see Responding to Alerts and
Addressing Events in Using Log-Based Intrusion Detection with CloudPassage Halo .
About the Server Summary Page
Whenever you are viewing any of the Server Details pages described above, you can optionally jump to a page that
summarizes at a glance the server's status and configuration for all Halo features.
At the top left of the Server Details page, click the server name in the navigation links:
The Server Summary page appears, displaying a section for each configured Halo feature for that server. Links in the
sections take you to more detailed information.
Note: The Server Summary page is also the page that you jump to whenever you click the name of a server in
the server list on the Halo Dashboard page, regardless of which server group or Halo feature is selected.
View the History of an Issue
For configuration scans, file integrity scans, software vulnerability scans, and server access scans, the Server Details
44
pages always show the results of only the most recent scan. If you have a Halo NetSec or Professional subscription
plan, you may be able to gain historical insight into any of your current reported scan issues by examining the results
of earlier scans.
For example, you might possibly narrow down the time of occurrence of a bad configuration setting or a file tampering
incident by finding the first scan that detected it. Or you might learn that one of your software packages that is now
reported as vulnerable was reported as "OK" in earlier scans—meaning that it contains a recently discovered
vulnerability.
In the Halo Portal, an individual server's scan history page lists all scans of all types for that one server. The Portal's
Server Scan History page lists all scans of all types for all of your Halo-protected servers. Here is how you can use
either of those pages to look at historical scans.
To view an individual server's scan history
1. On the Portal Dashboard, select a server group and click the appropriate feature icon (such as
configuration scans), then click the name of the server whose historical scans you want to view.
for
2. On the Server Details page, click Scan History to view the Scan History page for that server.
3. Locate a particular scan that is of interest—perhaps because it is immediately previous to the most recent scan of
the type you are interested in, or because it shows a significant increase in critical issues from even earlier scans,
or because errors occurred during the scan.
Note that the list is sorted by date, with the most recent at the top. Scroll through the list to look for earlier scans
of that type that may be of interest.
4. Make note of the scan's status, completed date-time, and number of critical and non-critical issues. Then click
Details to see the Scan Details page for that scan.
The details page for a historical scan is similar to the Scan Details page for the most recent scan, and you can, for
example, examine it to see whether an issue of interest that occurred in the most recent scan also occurred in this
historical scan, or what issues it detected that were not in earlier scans.
To view scan history for all servers
1. In the Portal, navigate to Servers > Scan History . The Server Scan History page appears.
45
2. To view only one kind of scan (for example, configuration scans), sort by the Scan Type column and scroll as
necessary to view those scans.
3. Locate a scan of interest from a particular server, and note its status, requested and completed date-time, and
number of critical and non-critical issues. Then click Details to see the Scan Details page for that scan.
The details page for a historical scan is similar to the Scan Details page for the most recent scan, and you can, for
example, examine it to see whether an issue of interest that occurred in the most recent scan also occurred in this
historical scan, or what issues it detected that were not in earlier scans.
Act On Reported Issues
A significant number of the issues or events reported from your scans may not be actual indicators of malicious
activity. Those you can either ignore or (preferably) take steps to clear them from future scans. For significant security
issues, you'll need to address the underlying security risk that caused the issue.
Act on reported configuration issues —
The reasons for remediating Halo-detected configuration issues include restoring your servers' compliance with your
organizations' security policies, and generally hardening them against attack.
To remediate an individual issue, you can either make the needed change to each of your servers individually, or
you may be able to make the change to your gold master image or server template, if you use one, and then reinstantiate all the affected servers from that updated master.
In most cases it is clear from the nature of the failed checks what needs to be done to remediate. In addition, the
core policies provided with Halo have, in most cases, detailed remediation suggestions.
In some cases it is not your server configuration but the policy rule that needs revising. You may need to revise or
deactivate some checks to make a rule apply more precisely to your specific server environment or configuration
standards. For detailed instructions on working with configuration rules and checks, see Create or Customize a
Configuration Policy in Monitoring Server Configuration Security With CloudPassage Halo .
The hoped-for result of remediation is a significant reduction in the number of issues found in your configuration
scans, and elimination of all critical issues.
Note: Whenever your standard server configuration changes significantly—for example, if you start using a
different app server application—you may need to update your configuration policy or apply a different
one.
Act on reported file integrity issues —
When an issue from a a file integrity scan appears to be non-serious, you can take one of the following indicated
actions to prevent it from appearing in future scans:
If the event occurred because the object changes often and you want to stop monitoring it, you can remove the
object's target or inclusion from your policy, or create an exclusion for the object within the target (see Defining
an Exclusion in Monitoring Server File Integrity With CloudPassage Halo ).
If the event occurred because the object was added, changed, or removed legitimately and you want to start
monitoring its new state, make the same object change to a baseline server and re-run the baseline scan.
If the event occurred for an object that you want to keep monitoring, but the change is currently not an issue—
for example, if the object is undergoing testing or is scheduled for upgrade—create an exception to suppress
the event temporarily. No policy change or re-baselining is needed.
If the event occurred because an object that you want to keep monitoring was changed, added or removed in
46
error, just restore the previous state of the affected server(s). No policy change or re-baselining is needed.
If none of the above conditions applies and it appears that the event may indeed indicate potential malicious
activity on the server, stop using the server, quarantine it (if your organization's policy requires that), and
immediately notify your incident response team or security forensics team.
Act on reported software vulnerabilities —
Following a scan that reveals potential software vulnerabilities in your servers, your first task is usually to apply all
known patches, bringing your servers up to date. Then you can take further steps to identify and remove any
apparent issues that do not constitute a real threat.
Apply the latest patches and re-scan
First, upgrade your operating systems and critical applications to include all the latest patches. Either patch your
gold masters and re-instantiate all your cloud servers from them, or use automation tools such as Chef, Puppet, or
RightScale to re-provision all your servers with the latest software.
After patching, re-scan your servers and analyze the remaining vulnerabilities as described next.
Delete unnecessary packages
Some of the vulnerabilities detected by Halo may be in packages that your organization does not use. For
example, common administrative tools supplied with many distributions may have vulnerabilities; if you do not use
those tools on the server, you should remove them. Delete them from all affected servers and from any goldmaster server templates that you use for creating new server instances.
Define exceptions
Halo may report software vulnerabilities in certain software packages that you do not need to remediate now. For
example:
You may have scheduled an upgrade or patch in the near future.
You may have a compensating control that circumvents or blocks the vulnerability. For example, if a
vulnerability were reported in httpd, but your firewalls already disallow any HTTP traffic to or from the outside,
the vulnerability is not a concern for you.
The vulnerability may appear to be valid based on the package version number, but in reality it already has
been patched with an updated package. (This situation can occur because vendors sometimes update a
package without actually changing its version number.)
You can keep those events from showing up in your future scans by defining a software exception for that
package.
Address remaining unpatched vulnerabilities
Once you have applied all known patches, removed vulnerable packages that you do not need, and created
exceptions to hide issues that do not concern you, what remains—if anything—is some number of vulnerabilities
for which no patch is currently available.
Handle those vulnerabilities by following the recommendations in your organization's security policies. You might
remove the vulnerable packages from your servers, or create compensating controls to protect the packages, or
simply wait for a patch to become available—whatever is required to minimize your organization's exposure to
software-vulnerability risk.
Act on reported server access issues —
Server access scans do not directly report security issues. However, by examining scan results, you can infer
whether issues exist that should be addressed.
When examining scan results on the Dashboard page or on the Server Details page:
47
Make sure that the reported number of root accounts (accounts whose UID or GID is zero) is not different from
what you expect; extra root-level accounts could be a strong security concern.
The total number of local accounts on a server should not be unreasonably large, and if the servers in the server
group are all instantiated from a server template, this number should be the same for all of the servers.
Note whether there has been any recent remote login activity on that server by one of its privileged accounts. If
there has and it is unexpected, it may be a security concern.
Check the list of accounts for any unexpected account names or accounts that should have been removed (for
example, from ex-employees).
Make sure there are no accounts with root privileges that shouldn't have them.
Make sure that only accounts that should have root privileges have a zero UID or GID.
Verify that only accounts that should have shell access to this server do have it, and verify that the permissions on
the account's SSH directory are secure enough.
The date and time of the last login to this server from an account, along with the IP address of the remote machine
from which the user logged and the terminal that was used, can indicate whether the login was recent, whether it
occurred outside of normal business hours, and whether it came from an unexpected location.
Ensure that accounts that should be inactive are not active.
Verify that only accounts that need elevated privileges belong to groups (such as "wheel") with elevated privileges.
Verify that each account has only the appropriate sudo privileges for that account, and no more.
Note whether any of the accounts' passwords have changed recently and unexpectedly.
Based on any issues that you discover with any of the accounts, you can then take action:
Deactivate. If the account is not needed or belongs to someone who has left the organization, deactivate it. If the
account belongs to an unknown user, investigate immediately.
Edit or Create New Account. If the account has unnecessarily high privileges, needs changes to its group
memberships, or otherwise needs to be altered, you can edit its information. If the privilege escalation is
unauthorized, it may warrant immediate investigation.
If you want to restore an account that was inadvertently deleted, you can add it as a new account on the server. If
the account deletion is suspicious or appears to have been malicious, investigate immediately.
Launch New Scan. Immediately run another server access scan. You might do this if you have just edited,
created, or deactivated some accounts and you want to verify that your edits are reflected in the new scan.
Addressing Events
You review Halo security events by by viewing the "Security Events" Dashboard page on the Halo Portal, by
performing filtered searches for events on the Portal's Security Events History page, or by responding to email alerts
that you receive.
You should examine each event in sufficient depth to determine whether it represents a valid security risk. You then
can take appropriate action to address the risk if it is valid—or you may take a different action to prevent an invalid
event from being generated or sent as an alert.
48
View a Server Group's Summary of Events
To view the most recently generated events for a server group, click the Events icon (
or navigate to Servers > Security Events . Then select the server group of interest.
) on the Halo Dashboard,
This page summarizes the total number of critical and non-critical security events (not including audit events) for each
server in the selected server group. You can sort the display by any of the columns in the table.
Like the Dashboard pages for other Halo features, this page also lists the server platform and the Daemon status,
and it allows you to take various actions on a set of selected servers, as described in View a Server Group's
Summary of Issues and Maintain and Manage Your Servers .
You can see at a glance which servers in the group have had significant security events. Click the number of critical
or non-critical events for a server (in the Critical or Other column) to get more details (next).
Analyze a Server's Most Recent Events
Clicking the number of a server's events in the Dashboard's Security Events table displays that server's Security
Events Details page.
This page displays a server's most recent file integrity scan events, configuration scan events, and Halo special
events. (Audit events do not appear on this page.)
The event type, time of creation, and details appear in the line for each event. You can also link to the details of the
policy involved.
49
Based on an event's criticality, type, creation time, and path, you may be able to determine whether it represents a
valid risk that merits further investigation.
Filter and View a Server or Group's Event History
1. Navigate to the Security Events History page, at Servers > Security Events History .
2. Filter the display as necessary:
Specify one or all server groups, and one or all individual servers within your specified group.
Specify a date range for the events.
Choose one or more event types to view:
To view only file integrity scanning events, choose any of "File Integrity object added", "File Integrity object
missing", and "File Integrity object signature changed". These event types occur when a file has been
removed from or added to a directory target in a firewall policy, or when a change has occurred to any
target's contents, ownership, or permissions.
To view only configuration scanning events, choose "Configuration rule matched". This event type occurs
whenever a check in a configuration policy rule fails, which can occur in many ways—see Configuration
Policy Rule Checks for details.
To view only Halo special events, choose from among the special events that are marked for logging in your
currently applied special events policy—for example, "Daemon compromised" or "Server firewall modified".
To view only audit events, choose from among the many remaining event types. See Act on audit events for
a list of them.
Specify the server operating system(s), and whether you want to see only critical, only non-critical, or all
events.
3. Click Filter to display the filtered list.
You can sort the resulting list of events by criticality, creation date, event type, server group, and server, to display
the events of most interest to you toward the top of the list.
50
You can interpret the events in these ways:
Interpret configuration scanning events in the same manner as configuration issues; see For Configuration Scans
(under Analyze a Server's Current Issues).
Interpret file integrity scanning events in the same manner as file integrity issues; see For File Integrity Scans
(under Analyze a Server's Current Issues).
Interpret Halo special events according to their individual significance, as discussed in Set Up a Special Events
Policy.
You can take action to address these events as described in Act On Reported Events (next).
Act On Reported Events
The actions you can take to address an event depend on what sort of event it is.
Act on scan events:
Configuration events. If the event type is "Configuration rule matched", act on the event as you would a
configuration issue. See Act on reported configuration issues .
File integrity events . If the event type is "File Integrity object added", "File Integrity object missing", or "File
Integrity object signature changed", act on the event as you would a file integrity issue. See Act on reported file
integrity issues.
Log-based intrusion detection events . Evaluate the seriousness of the event and decide what action is most
appropriate:
Immediately quarantine the server involved and launch an incident response investigation
Take some less drastic action, such as notifying your security team of its occurrence, or initiating further
investigation through your organization's log-management or SIEM capability
Contact personnel involved with the event to determine whether it should be a security concern
Ignore the alert, because you know, based on other information, that it is benign
Alter your log-based intrusion detection policy so that this event will not be reported in the future, because
you know that it will always be benign.
Act on special events:
Firewall events . If the event type is "Server firewall modified", an individual server's firewall has been changed
outside of Halo. If you know of or approve of the change, either re-assign the firewall policy to the server group to
restore the proper firewall, or modify the group's firewall policy to make it consistent with the server's new state. If
the change was not approved or known of by anyone in your organization, start an investigation.
51
Software vulnerability events . If the event type is "Vulnerable software package found", act on it as described in
Act on reported software vulnerabilities .
Server account events. If the event type is "Multiple Root Accounts Detected", verify the event by performing a
server access scan on the server in question. If there are indeed multiple root accounts and this violates your
organization's security policies, either delete the extra accounts or start an immediate investigation.
Daemon security events . If the event type is "Daemon compromised", the Halo Daemon on a server has failed its
self-verification test (see Daemon Settings). A new Daemon must be re-installed before the server can be used
again. If the cause of the failure is unknown and may be suspicious, start an immediate investigation.
Audit-type special events . Other special events do not themselves constitute direct evidence of a security
problem or risky occurrence, but—like the general category of audit events described next—they may provide
supporting evidence to the forensics or incident response team investigating a potential server compromise. They
also are useful for generating documentary evidence of compliance with various security policies or standards.
Examples of this type of special event include "Server retired", "Server IP address changed", "Local account
created", and "Daemon version changed". To generate a report for compliance purposes, filter for an appropriate
set of these types of special event on the Security Event History page, pick a date range and other parameters,
and click Filter.
Act on audit events:
Halo defines a large number of security events that, for auditing purposes, are always logged and can be displayed
on the Security Events History page of the Halo Portal. Over 80 event types are captured, within the following
categories:
API Keys (4): Created, deleted, modified, secret key viewed
Authorized IPs (1): Modified
Automatic file integrity scans (3): Disabled, enabled, schedule modified
Configuration policy (7): Assigned, created deleted, exported, imported, modified, unassigned
File integrity baseline (4): Created, deleted, expired, failed, re-baseline
File integrity (2): Exception created, exception deleted, exception expired, scan requested
File integrity policy (7): Assigned, created, deleted, exported, imported, modified, unassigned
GhostPorts (4): Login failure, login success, provisioning, session close
Halo firewall policy (5): Assigned, created, deleted, modified, unassigned
Halo login (4): failure, success, logout
Halo password (4): Changed, recovery request failed, recovery requested, recovery success
Halo session (1): Timeout
Halo user (10): Authentication modified, deactivated, invited, modified, reactivated, re-invited, authentication
settings modified, account locked, account unlocked, activation failed
Server (1): Firewall restore requested,
SMS (1): Phone number verified
The records of these events may provide supporting evidence to the forensics or incident response team investigating
a potential server compromise. Audit events are useful also for generating documentary evidence of compliance with
various security policies or standards.
To generate a report for compliance purposes, filter for an appropriate set of these types of audit event on the
Security Event History page, pick a date range and other parameters, and click Filter.
52
APPENDIXES
Topics:
A. Halo Site Administration
B. Two-Factor Authentication
C. Search Expression Syntax
A Halo Site Administration
(For Halo site administrators only)
If you are a Halo site administrator, you are the user (or one of the users) responsible for managing your
organization's Halo service. Your responsibilities include management of Halo users, authentication settings,
automatic scan configurations, API keys, Halo Daemon settings, Master Account connections, and other advanced
settings.
You access all of these tasks from the Site Administrator menu (the gears icon
header).
in the Halo Portal page
Note: This appendix is a reference to the Halo Portal Site Administration page. Each subsection here describes
(or links to the description of) one of the tabs across the top of that page.
Users
See Invite and Manage Halo Users .
53
API Keys
In Halo, API Keys are required for using the CloudPassage API. Accessing the API requires the client to first
authenticate to the authorization server by providing a valid API key. (See Call Authentication in the CloudPassage
API Developer Guide for details.)
Halo site administrators can create and manage API keys. CloudPassage recommends that you create different API
keys for different purposes—in particular, you should create a read-only key to use for programs that only read from
(and do not write to) the Halo database. For example, applications that use the Halo Event Retrieval API should use a
read-only key, since that key allows only GET requests from the API.
Each Halo account initially has no API keys. If you are a site administrator, you can generate any number of API keys
as needed. For example, you might generate a separate API key for each application that accesses the API
To view or create API keys for your account, select Site Administration from the Site Administrator menu, then click
the API Keys tab. Your current set of keys is displayed on the tab.
To create a new API key, click Add New Key, then enter a name for the key and specify its permission level (fullaccess or read-only).
Specify allowed IP addresses . Optionally, for increased security you can enter a comma-separatted list of one or
more IP addesses or CIDR blocks. If you do so, an API client using this API key will be permitted to authenticate
to the Halo API only from one of the specified addresses.
54
The key's 8-character ID and secret key values are generated by the system, and the key appears in the list on
the API Keys tab.
Note: Every time a secret key is generated, the action is logged and the user who created the key is
identified.
To edit a key in the list, click its name. You can change the key's name and permission level (full-access or readonly), and you can activate or deactivate it.
To view the secret key value, click Show on the Edit API Key popup window or in the key's line on the API Keys
tab.
You'll need to copy the secret key's value from this window and use it to obtain an API token, which allows you to
access the CloudPassage API (see Call Authentication in the CloudPassage API Developer Guide ).
Note: Every time a secret key is viewed, the action is logged and the user who viewed the key is identified.
On the API Keys tab, use the Actions drop-down menu for a given key to either edit or delete the key.
Note: Every time an API key is deleted, the action is logged and the user who deleted the key is identified.
Authentication Settings
To minimize the potential for damage from stolen, intercepted, copied, recycled, or guessed passwords, you can
specify various requirements and settings for passwords and for login control.
Select Site Administration from the Site Administrator menu, then click the Authentication Settings tab.
55
Password Settings
Password Construction Rules . You can increase the minimum required password length from its default
minimum of 8 characters. You can also require that every password must contain at least one number, or one
symbol, or both (in addition to both uppercase and lowercase letters). If you choose to require symbols in
passwords, the following are supported:
()`~!@#$%^&*-+=|\{}[]:;"'<>,.?/
Password Expiration. You can enable password expiration and set the maximum lifetime (time to expiration) of a
newly created password to any number of days from 1 to 365.
You can also enable and specify the minimum lifetime of a newly created password (time that it must remain in
effect before it can be changed again) to any number of days from 1 to 999.
These two settings are independent. You can enable one or both or neither.
Login Settings
User lockout. You can change the failed login limit (number of consecutive times a user can attempt to log in until
the account is locked to prevent further login attempts) to any value from 1 to 25. Default value = 10.
You can also change the duration of a lockout to any number of minutes from 5 to 1440 (24 hours). Default
value = 60.
Note: For a locked-out user to log in again, the user can either complete a password reset (from the Halo
Portal login page) or wait until the lockout period ends.
Idle session timeout . By default, the timeout for Halo Portal sessions (the time after which an idle session logs
out) is 30 minutes. But you can keep idle sessions open for much longer, or you can cut them off more quickly.
Use drop-down list to choose a timeout value of as little as 15 minutes up to as much as 24 hours.
56
Multi-factor authentication for Halo login .
As a site administrator, you have the option of requiring Halo users to use two-factor authentication when logging
into the Halo Portal.
Two-factor authentication to the Portal is optional, but it is all-or-nothing—if you choose to activate it, it must apply
to all Halo users in your account. To activate the requirement, select the checkbox Require multifactor
authentication for Halo Portal logins .
You cannot activate two-factor authentication for Portal login until all Halo users on your account have been
individually enabled for multi-factor authentication. Once it is active, all newly created users must also be enabled
for multi-factor authentication.
When two-factor authentication for Portal login is active:
A new user logging into the Portal for the first time is initially brought to the Change Password page to create
the user's Halo password. The user is then brought to the either the SMS Phone Verification page to enter an
SMS verification code, or the YubiKey authentication page to insert a YubiKey. Then the user may log in in the
same way as an existing user.
A existing user logging into the Portal initially provides the Halo password at the login page, and then enters an
SMS authentication code (or inserts a YubiKey) at the multi-factor authentication page. (A user enabled for
both types of authentication first chooses which method to use.) The user is then logged in.
57
For more details, see Log In With Two-Factor Authentication .
Single Sign-On Settings
If you are implementing an integration of Halo with your organization's SAML 2.0-based single sign-on solution, you
may need to develop a plug-in or application according to the identity provider's requirements, so that the proper
SAML assertions are sent to Halo to perform the authentications. Or the identity provider may have already created
the integration app for Halo.
Part of setting up the integration involves enabling single-sign on and entering information into fields in the Single
Sign-On Settings section of the Authentication Settings tab on the Site Administration page
1. Select the Enable Single Sign-On (SSO) check box. The section expands to display the single sign-on settings
form.
2. Copy the account ID from this form and supply it to the SSO identity provider.
3. Obtain information to enter into the remaining fields from the identity provider.
4. Make SSO Required . If you want to disallow all direct logins to the Halo Portal, select this checkbox at the bottom
of the form. If you do select the box, you must provide SSO access to all existing and future Halo users. Note that
you cannot select the box unless you are currently logged in through SSO.
Note: As long as this checkbox remains selected, Halo users' account pages have no displayed password
field, Halo users cannot reset their passwords, and new Halo users do not receive email invitations to
log into Halo.
5. Click Save to commit your SSO settings.
For detailed instructions on creating the SSO integration, see Adding Single Sign-On to CloudPassage Halo .
58
Scanner Settings
See Configure Automatic Scans.
Daemon Settings
As site administrator, you can control various settings for the Halo Daemons currently running or to be installed on
your servers.
Select Site Administration from the Site Administrator menu, then click the Daemon Settings tab.
Daemon Registration Key . A valid key is needed whenever you install a Halo Daemon (see Install Daemons).
You can use the same key value for all installations, as long as it remains confidential. If you feel that it might have
been compromised, click Regenerate to get a new key, and use that one in future installs.
Daemon Heartbeat. For security reasons, all communication between a Halo Daemon and the Halo Grid is always
initiated by the Daemon. The Daemon connects to the grid at regular intervals to report status and to receive
instructions. You can select an interval from 60 seconds to15 minutes. Default value = 60 seconds.
If you have a large number of servers, selecting a longer interval may have the benefit of less impact on your
network performance, although Halo updates and commands sent to your servers may take longer.
Deactivate Missing Servers . Halo re-classifies an active server as missing if its Daemon has unexpectedly not
contacted the grid for an interval of 10 or more heartbeats. To keep missing servers that do not re-contact the
Grid from remaining in a missing state perpetually, Halo will automatically delete them after a time interval that you
specify.
Use the drop-down list to select the threshold for auto-deactivation to any available value from 15 minutes to 24
hours.
59
An important benefit of automatically deactivating missing servers is that it prevents the buildup of large numbers
of missing, unused servers as sources or destinations in firewall policy rules.
Daemon Self-Verification . The Daemon can continually monitor itself for evidence of compromise and report any
evidence that it has been tampered with. You can enable or disable self-verification, you can choose to have
compromised Daemons shut themselves down automatically, and you can set the interval between self-verification
checks to any number of hours from 1 to 23. Default = 1 hour.
Advanced Settings
A variety of other Halo settings are available to site administrators. To review or change them, select Site
Administration from the Site Administrator menu, then click the Advanced Settings tab.
Set GhostPorts Session Length:
Set the length of time that a server administrator will have to log into a server after turning on GhostPorts. Select a
number of hours from 1 to 24. Default value = 4.
A longer time window may be more convenient for an administrator, but it may be riskier (less secure) than a
shorter one.
List IP Addresses Authorized to Access Halo Portal:
For added security, you can specify that your Halo users (including yourself) are permitted log into the Halo Portal,
or request a password reset, only from identified IP addresses.
Enter a comma-separated list of IP addresses or CIDR blocks into the IP Addresses field.
Note: The list of authorized addresses must always include (or encompass) the address from which you are
60
accessing the Portal in order to create or edit the list.
To remove all address restrictions for logging into the Portal, delete all addresses from the field and click
Save.
Choose Your Email Preferences
Pick a time of day and a time zone to specify when Halo should send out its daily status emails to the Halo users
in your account.
Note that individual users can choose whether or not to receive daily status emails; see Manage Your Account
and Subscription .
Enable Halo Beta Features
CloudPassage may release some Halo features or capabilities when they are still at the beta stage of
development. In some cases the features are by default disabled. If you want them to be available to your Halo
users, select the Enable Beta Features checkbox. Conversely, clear the checkbox to make the features
unavailable.
Audit Events
Besides logging events that may directly indicate serious security issues, Halo also logs a large variety of audit
events, which mostly represent normal, everyday actions of Halo Portal users. Recording the history of audit events is
useful for demonstrating compliance, and also useful in supporting correlation and forensic analysis in the wake of a
security breach.
Halo site administrators can use the Audit Events tab on the Site Administration page to specify which events should
be logged, which should be flagged as critical, and which should generate alerts.
61
For each listed event, select "Log Event" if you want Halo to record occurrences of the event, select "Flag Critical" if
), and select "Generate an Alert" if an occurrence should
you want those occurrences to be flagged as critical (
cause an email alert to be sent to the appropriate personnel in your organization.
Note: The list of events displayed on this tab does not include the server-related Halo special events (for
example, "Server firewall modified" or "server restarted") or any security events generated by scans (for
example, "Configuration rule matched" or "File integrity object signature changed"), because those events
are configured elsewhere, in various Halo policies.
Master Account
Your organization, with its own CloudPassage Halo account, may be one of several organizations that are part of a
larger entity (such as a parent company) that wishes to have oversight and control over all of its sub-organizations'
security operations. Halo supports this with the concept of master accounts.
A master account administrator has access to all of the sub-accounts through the Halo Portal, allowing the
administrator to review all sub-account settings and configurations, audit all actions and events in the sub-accounts,
and even directly manage and run their Halo activities. The administrator can operate within each sub-account as a
site administrator of that account.
If your account needs to be linked to a master account, you will have received a master account invitation code
from your master account administrator. Enter that code into the field on the Master Account tab of the Site
Administration page, and click Link to complete the connection to the master account.
If your account is currently linked to a master account and you need to sever that relationship, click the
Disconnect button on the Master Account tab.
62
If your organization wishes to connect to a master account, please contact CloudPassage Sales or your account
representative to have the master account created for you.
B Multi-Factor Authentication
For site administrators, this appendix details how to enable multi-factor authentication for Halo users. For Halo users,
it details how to log in with multi-factor authentication.
Enable Multi-Factor Authentication for a User
To enable multi-factor authentication for a Halo user, you must be a Halo NetSec or Halo Professional user with siteadministrator privileges.
Important: Enabling multi-factor authentication for a user will not take effect until you activate two-factor
authentication for the Halo Portal as a whole, on the Site Administration page; see Multi-factor
authentication for Halo login . Also, since two-factor authentication to the Halo Portal is all-ornothing, you will not be able to activate it until you have enabled it for all of your organization's
individual Halo users.
Before enabling:
If the user is to use SMS authentication, obtain that person's valid mobile phone number. Text messaging must be
enabled for that mobile account.
If the user is to use hardware authentication, acquire a YubiKey. You can order the keys directly from Yubico.
Then:
1. Log into the Halo Portal and navigate to [
] > Site Administration > Users .
If the person is not already a Halo user, click Invite New User .
If the person is an existing Halo user, find the user's name in the user list and click Edit.
2. Specify or change the user's information, including Portal access and user type, as described in Invite a New User
or Edit an Existing User . (You will be able to enable GhostPorts access for the user, if desired, only after enabling
multi-factor authentication for the user.)
3. Specify the user's authentication method(s): select SMS code and Halo Password or YubiKey and Halo
Password, or both.
63
4. The page then expands to display additional fields. Enter the following information:
If you selected SMS code and Halo password—
a. In the "Phone Number" field, enter the telephone number at which the user will receive the SMS authentication
codes. It must be a valid mobile phone account with text messaging enabled.
b. Click Save. The user receives an email notification of being enabled for multi-factor authentication and an
invitation to log into the Portal. At the next login, the user will be asked to verify the SMS phone number.
If you selected YubiKey and Halo password—
a. Place the YubiKey into a USB port on your computer, with the metal contacts and circle facing upward (
). Place your cursor into the "YubiKey Code" field on the page. Initiate the YubiKey by lightly touching the top
circle with the green centered light. The YubiKey key will write its complete key value into the field.
b. Click Save. You will notice a portion of the key value disappear. The first twelve characters of the key value will
remain displayed in the key field. The user receives an email notification of being enabled for multi-factor
authentication.
Log In With Two-Factor Authentication
If you are a Halo user who must use two-factor authentication to access the Halo Portal, or if you are a GhostPorts
user, follow the steps listed here to log in.
The login processes for SMS authentication and YubiKey authentication differ slightly. Also, SMS authentication adds
a one-time preliminary step of verifying the SMS phone number.
Verify Your Phone Number (for SMS Authentication)
If you will be authenticating to the Halo Portal with an SMS code, you first need to verify to Halo that the
authentication phone number assigned to you is the correct one. The verification process includes demonstrating that
the phone can receive a code from Halo.
1. After you receive your notification that you are enabled for SMS-based multi-factor authentication, log into the
64
Halo Portal with your Halo password. You will see a Dashboard banner notifying you that your SMS phone number
is unverified.
2. Click the link in the banner to go to the Phone Verification page for SMS authentication.
3. In the Verify Phone form, inspect the partially masked phone number, of the form XXX-XXX-XX 67. If the
displayed digits of the phone number are not correct, contact your Halo site administrator to change your assigned
number.
4. If the displayed digits match your phone number, click the Send Verification Code button. A code will be sent to
your mobile phone.
5. When you receive the message on your phone, copy the six-digit verification code into the Verification Code field
on the Verification page, then click Submit.
You have 5 minutes from the time you click Send Verification Code until the code expires. If you do not complete
this step within that time, you can click Send Verification Code again to have another code sent to you.
If the verification succeeds, a success page and banner are displayed. You are now able to log into the Halo Portal.
Authenticate With an SMS Code
Note: You must already have verified your phone number (see previous section, Verify Your Phone Number)
before you will be permitted to perform these steps.
If you are authenticating to Halo with an SMS code, follow these steps:
1. Log into the Portal with your Halo username and password. The Multi-Factor Authentication page for SMS
appears:
2. An SMS code has been sent to your mobile phone. When it arrives, enter it into the Authentication Code field and
click Submit.
You have 5 minutes from the time you click Submit until the code expires. If you do not complete this step within
that time, you can click Re-send Authentication Code to have another code sent to you.
Note: The code is sent by SMS, and normal text-messaging charges for your account may apply.
After you have authenticated successfully, the Portal Dashboard page appears, displaying a success banner.
Authenticate With a YubiKey
Note: You must be in possession of your assigned YubiKey device to perform these steps.
If you are authenticating to GhostPorts with a YubiKey, follow these steps:
1. Log into the Portal with your Halo username and password. The Multi-Factor Authentication page for YubiKey
appears:
65
2. Place your YubiKey into a USB port on your computer, with the metal contacts and circle facing upward (
).
3. Place your cursor in the blank field on the Multi-Factor Authentication page.
Initiate your YubiKey by lightly touching the top of the key on the green-centered light for about one second. Do
not press any other key on your keyboard.
You will see the field fill with the value generated by your YubiKey.
After you have authenticated successfully, the Portal Dashboard page appears, displaying a success banner.
Site Administrators: Set Up a Backup Authentication Method!
If you are a Halo site administrator who uses multi-factor authentication to log into the Halo Portal, you may need to
enable both SMS and YubiKey authentication methods for yourself, so that you can use one method as a backup in
case the other one becomes unavailable. Without a backup, you could permanently lock yourself out of access to the
Portal.
Whether you are a site administrator or standard Halo user, if you lose your mobile phone or your assigned YubiKey,
any other site administrator in your organization can log in and reset your authentication method to use a different
method or device that is available to you. However, if you are the only Halo site administrator in your organization and
you lose the assigned device, you will be unable to log into the Portal. In that situation, you will have to contact Halo
Customer Support and go through a lengthy identity-verification process in order to restore your access.
Our strong recommendation is that, if your Halo account includes only a single Halo site administrator, you enable
both of the two-factor authentication methods (SMS and YubiKey) for that administrator.
C Search Expression Syntax
Several Halo features (for example, the "string presence" rule check in configuration security monitoring, and policy
rules in log-based intrusion detection) support the use of search patterns. Halo search patterns are strings of plain
text, special characters, and metacharacters—very similar to regular expressions, although not as full-featured. This
appendix lists the special characters and metacharacters supported by Halo, describes what each one means, and
gives usage examples.
Note: All searches are case-sensitive.
66
Character
Represents
Usage Example
.
Any character
abc. matches abcd, abcZ, abc3, abc$, abc/...
\w
Any alphanumeric character
C\wPO matches CAPO, C3PO, CbPO...
\W
Any character that is not alphanumeric c\Wpo matches c@po, c#po, c%po...
\d
Any digit (numeric character)
C\dPO matches C3PO, C4PO, c0po...
\D
Any character that is not a digit
C\DPO matches CAPO, C@PO, CaPO...
\s
Any whitespace character
abc\sd matches abc d
\S
Any non-whitespace character
abc\Sd matches abc.d, abcCd, abc$d...
[ ]
One instance of any of the characters
inside the brackets
cloud[9Sy] matches cloud9, cloudS, Cloudy
[^ ]
Any character that is not one of the
characters inside the brackets
cloud[^9Sy] matches cloud8, CLOUD0, cloudZ...
*
Zero or more consecutive occurrences
of the previous character
cloud9* matches cloud, cloud9, cloud99, cloud999...
+
One or more consecutive occurrences
of the previous character
cloud9+ matches cloud9, cloud99, cloud999...
?
Optional presence of the preceding
character
555[-.]?1212 matches 555-1212, 555.1212, 5551212
\
Escape character (precedes a special
character)
Use \$ to match a dollar-sign character, or \. to match a period
(dot).
-
(hyphen) range operator
[a-d]loud[1-9] matches cloud9 (but also aloud1...)
^
The search expression must match at
the beginning of the target string (file).
^cloud will find a match in cloud9 but not in 9cloud
$
The search expression must match at
the end of the target string (file).
cloud$ will find a match in 9cloud but not in cloud9
Note: To use a special character as a literal character, be sure to precede it with the escape character, as in \for a hyphen.
Copyright ©2014 CloudPassage Inc. All rights reserved. CloudPassage ® and Halo ® are registered trademarks of CloudPassage, Inc.
67