Secret Server Syslog Integration Guide

Transcription

1 Secret Server Syslog Integration Guide Table of Contents Meeting Information Security Compliance Mandates: Secret Server and Syslog Integration... 1 The Secret Server Approach to Privileged Account Management:... 1 Risks and Benefits... 1 Secret Server Syslog Explained... 2 Secret Server s Reported Events... 2 Secret Server Data Fields... 2 Conclusion... 6 About Thycotic Software... 6 About Secret Server... 6

2 Meeting Information Security Compliance Mandates: Secret Server and Syslog Integration Leveraging Secret Server event data with SIEM and Log Management solutions can give organizations deep insight into the use of privileged accounts (such as Windows local administrator, service or application accounts, UNIX root accounts, Cisco enable passwords, and more). Used together, these tools provide secure access to privileged accounts and provide greater visibility to meet compliance mandates and detect internal network threats. The Secret Server Approach to Privileged Account Management: Many environments that have strict Information Security policies also require methods to control and monitor access to privileged accounts. Enterprises often apply security policies such as physical access restrictions to hardware, network firewalls, appropriate-use guidelines, and user account restrictions. In the case of privileged accounts, access is more difficult to track and verify. Implementing privileged account management software such as Secret Server enables organizations to strictly control and track access. Enterprises that implement Secret Server gain the ability to grant or deny granular access to critical systems. When access is granted, use of that access is tracked based on a wide range of events. While alerting is a core feature within Secret Server, managing real-time events on the aggregate can be cumbersome. Leveraging tools to manage these real-time events allows users to build customized risk analysis into their privileged account management policies. Mitigating internal privilege account threats helps organizations meet compliance requirements like Sarbanes-Oxley Act (SOX), Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Information Security Management Act (FISMA). Risks and Benefits Unmanaged privileged accounts often enjoy unchecked access across a wide array of systems, networks, and databases. Unmitigated top-level access, in the wrong hands, can be devastating to an organization. The potential for liability is not limited to internal data and productivity loss, but can include criminal and civil penalties for unauthorized disclosure of private or regulated information i. Implementing an enterprise-level privileged account management system (Secret Server) with a realtime event management system or log management solution allows organizations to mitigate risk. Critical systems can only be accessed by pre-defined users. IT Security Auditors are able to track access based on the needs of the enterprise. Page1 Copyright 2013 Thycotic Software Ltd. Page 1 Revised: January 21, 2015

3 Secret Server Syslog Explained Secret Server s detailed Syslog currently contains 44 different events tracking more than 20 unique data fields. Secret Server s Reported Events Table 1, on the following page, is a complete list of events in Secret Server s Syslog. Both the Event Name and Event ID are contained in the log as well as the data fields that apply to the event. Secret Server Data Fields Table 2, on the following page, is a complete list of data fields in Secret Server s Syslog. Only Data Fields relevant to the Event ID are included in the log. Some log entries may differ in terms of their field content, see examples below. Example Event #1: In this event, the Local Administrator account in Secret Server has edited the secret for a Brother Printer: Jan 08 17:15:04 THY221 CEF:0 Thycotic Software Secret Server SECRET - EDIT 2 msg=[secretserver] Event: [Secret] Action: [Edit] By User: Local Administrator Item Name: Brother HL-5370DW Container Name: Printers suid=2 suser=local Administrator src= rt=sep :15:02 fname=brother HL-5370DW filetype=secret fileid=2 cs3label=folder cs3=printers Example Event #2: In this event, the Local Administrator account in Secret Server has enabled Unlimited Administrator Mode: Jan 08 15:43:10 THY221 CEF:0 Thycotic Software Secret Server UNLIMITEDADMIN - ENABLE 4 msg=[secretserver] Event: [Unlimited Administrator] Action: [Enable] By User: Local Administrator suid=2 suser=local Administrator src= rt=sep :43:05 Page2 Copyright 2013 Thycotic Software Ltd. Page 2 Revised: January 21, 2015

4 Page3 Table 1 - Event Name Event Id System Log 500 USER - CREATE 1 USER - DISABLE 2 USER - ENABLE 3 USER LOCKOUT 4 USER - ADDEDTOGROUP 5 USER - REMOVEDFROMGROUP 6 FOLDER - CREATE 7 FOLDER - DELETE 8 ROLE - CREATE 9 ROLE - ASSIGNUSERORGROUP 10 ROLE - UNASSIGNUSERORGROUP 11 ROLEPERMISSION - ADDEDTOROLE 12 ROLEPERMISSION - REMOVEDFROMROLE 13 FOLDER - EDITPERMISSIONS 14 CONFIGURATION - EDIT 15 USER - LOGIN 16 USER - LOGOUT 17 USER - LOGINFAILURE 18 USER - PASSWORDCHANGE 19 SECRET - CREATE SECRET - DELETE SECRET - UNDELETE SECRET - VIEW SECRET - EDIT SECRET - LAUNCH SECRET - HEARTBEATFAILURE SECRET - DEPENDENCYFAILURE SECRET - EXPIREDTODAY SECRET - EXPIRES1DAY SECRET - EXPIRES7DAYS SECRET - EXPIRES15DAYS SECRET - EXPIRES3DAYS UNLIMITEDADMIN - ENABLE UNLIMITEDADMIN - DISABLE EXPORTSECRETS - EXPORTED Copyright 2013 Thycotic Software Ltd. Page 3 Revised: January 21, 2015

5 Page4 IMPORTSECRETS - IMPORTED USERAUDIT - EXPIRENOW SECRET - SESSION RECORDING VIEW SECRET - COPY SECRETTEMPLATE - CREATE SECRETTEMPLATE - EDIT SECRETTEMPLATE - TEMPLATE COPIED FROM LICENSES - EXPIRES30DAYS SECRET - CHECKIN SECRET - CHECKOUT POWERSHELLSCRIPT - CREATE POWERSHELLSCRIPT - DEACTIVATE POWERSHELLSCRIPT - EDIT POWERSHELLSCRIPT - REACTIVATE POWERSHELLSCRIPT - VIEW SECRET - HEARTBEATSUCCESS SECRET - HOOKFAILURE SECRET - HOOKSUCCESS SECRET - HOOKCREATE SECRET - HOOKEDIT SECRET - HOOKDELETE SECRET - CUSTOMAUDIT SECRET - PASSWORD_DISPLAYED SECRET - PASSWORD_COPIED_TO_CLIPBOARD SECRET - EDIT_VIEW SECRETTEMPLATE - FIELD ENCRYPTED SECRETTEMPLATE - FIELD EXPOSED SECRET - ACCESS_APPROVED SECRET - ACCESS_DENIED SECRET - CUSTOM_PASSWORD_REQUIREMENT_ADDED SECRET - CUSTOM_PASSWORD_REQUIREMENT_REMOVED SECRET - DEPENDENCY_DELETED SECRET - DEPENDENCY_ADDED GROUP - OWNERS_MODIFIED SECRETPOLICY - CREATE SECRETPOLICY - EDIT FOLDER - SECRETPOLICYCHANGE SECRET - SECRETPOLICYCHANGE Copyright 2013 Thycotic Software Ltd. Page 4 Revised: January 21, 2015

6 Table 2 - Event Definition User ID being viewed or changed User name being viewed or updated User ID of user performing action Username of user performing action* Description of audit action Current Version of Secret Server Human readable name of event The Priority of event Name of company Name of product Description of audit action Time of event IP Address of client machine Name of item action was taken on Type of item action was taken on ID of item action was taken on Name of Role modified "Role" Name of User or Group added to role "Group" or "User" Name of Folder containing Secret "Folder" Display name of user performing action* "suser Display Name"* Data Field duid duser suid suser msg Version Name Priority Vendor Product Message rt src fname filetype fileid cs1 cs1label cs2 cs2label cs3 cs3label cs4 cs4label * The cs4 and cs4label data fields were added in Secret Server version 8.8. Prior to version 8.8, the suser data field contained the display name of the user performing the action. The user s display name value has been moved to the cs4 data field and the suser data field now contains the performing user s username. Page5 Copyright 2013 Thycotic Software Ltd. Page 5 Revised: January 21, 2015

7 Conclusion Organizations that need to meet strict compliance requirements can implement privileged account management and real-time event analysis using Secret Server and a SIEM or Log Management solution. Integrating these two technologies allows enterprises to both manage their privileged accounts and correlate and reduce security threats within a network. About Thycotic Software Thycotic Software, Ltd., a Washington DC-based company, is committed to providing password and AD group management solutions to IT administrators worldwide. With over 30,000 IT professionals using our IAM tools, Thycotic helps securely manage all credentials critical to an organization s operations. About Secret Server Secret Server is an enterprise password management tool that is used to store, distribute, monitor, and update privileged/shared account passwords in a central, web-based location. For more information, visit Note: Terminology used in this document is based on the SANS Glossary of Security Terms available at i Imation Compliance Heat Map Page6 Copyright 2013 Thycotic Software Ltd. Page 6 Revised: January 21, 2015