User Management Guide




AlienVault Unified Security Management (USM) 4.x-5.x User Management Guide

USM v4.x-5.x User Management Guide, rev 1

Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat Exchange, AlienVault OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM, and OSSIM are trademarks or service marks of AlienVault, Inc. All other registered trademarks, trademarks or service marks are the property of their respective owners.

Revision to This Document

Date                Revision Description
July 10, 2015       Original document.
October 20, 2015    Added a note to clarify that the USM allows local authentication and LDAP authentication to co-exist. Modified the screens related to users: new user, modify a user, duplicate selected user and my profile.

October 20, 2015 USM v4.x-5.x User Management Guide, rev 1 Page 2 of 28

Contents

Introduction
About User Management
User Authentication
User Authorization and RBAC
User Accounting
User Management in USM
Creating the Default Admin User
Functions for Admin Users
Configuring User Authentication
Configuring User Authorization
Managing Users
Monitoring User Activities
Functions for All Users
Viewing User Settings
Modifying a User

Introduction

Use this document to understand the user management process in AlienVault Unified Security Management (USM)™. User management in AlienVault USM is a process of controlling access to the system, enforcing administrative policies, and providing information about who accessed the system and what actions they performed in the system. User management is provided by the user authentication, authorization, and accounting (AAA) framework.

The document first describes what user management is and why it is important. The document then describes how to implement user authentication, authorization, and role-based access control, and how to monitor user activity.

About User Management

User Authentication

Since AlienVault USM manages important security functions for your organization, the system requires that all users log in with a username and password. The system can store and manage usernames and passwords internally. You can also set up USM to use a remote authentication server to store usernames and passwords.

User Authorization and RBAC

User authorization determines which portions of AlienVault USM are available to each user. You can assign permissions to access different parts of the AlienVault USM system. Permissions are defined locally on the USM system per user, even if authentication is performed against a remote authentication server.

Role-based access control (RBAC) enables delegation of certain functions to specific roles. You can assign users to specific roles, which then determine which features of AlienVault USM a user can access. For example, you might permit an engineer to access all portions of the USM web interface, while you might restrict a security operator to access only the parts of the USM web interface that are used to perform security analysis.

User Accounting

AlienVault USM collects information on how long a user has been logged into the system and what the user has done. AlienVault USM supports user accounting by logging user activity in the USM web interface. The stored data might be required for auditing or compliance purposes.

User Management in USM

In the USM system, there are four types of users:

Root user. The root user is created during USM installation and is used to access the command line shell of the system. A root user can perform all operations in the command line shell and is equivalent to general Linux root users.
Default admin user. The default admin user is created when you access the USM web interface for the first time. The username of this user is admin, and it cannot be changed. This is the only admin user whose password can be reset by the root user. The default admin user can create other user accounts and it has complete visibility in the USM system.
Admin users. Admin users have complete visibility into the USM web interface and can delegate admin access to other users. Admin users can also configure global authentication settings, such as integration with LDAP database, or change the password policy. They also have complete visibility into the activity of all other users.
Normal users. Normal users can access the web interface of the system and have user accounts delegated by admin users. These users are subject to user authorization as defined by authorization parameters. They cannot create other user accounts or change global authentication settings. Normal users can see only the activity of other users who belong to the same entity.

Creating the Default Admin User

After installation and when connecting to the appliance using the USM web interface for the first time, you are prompted to create the default admin user. When creating the default admin user, you have to provide the following information:

Full Name: Full name of the default admin user.
Username: Username that is required to access the USM web interface. The username is set to admin and cannot be changed.
Password: Credentials that are used to authenticate the user.
E-mail: E-mail address of the default admin user. It is used to send notifications, reports, and other system communication to the user.
Company Name: Name of the default admin user's company. This parameter is optional.
Location: Physical location of the default admin user. This parameter is optional.

Note: The option "Send anonymous usage statistics and system data to AlienVault to improve USM" is introduced in version 5.0. It is selected by default, which means telemetry collection will be enabled. See What Is Telemetry Collection And How Does It Work.

Figure 1. Creating default admin user account

Once the admin user is created, you can log into the system and start using AlienVault.

Functions for Admin Users

This section describes the user management functions that an admin user can perform:

Configuring User Authentication
   Configuring Local Authentication
   Configuring LDAP Authentication
Configuring User Authorization
   Configuring User Authorization with Visibility
   Configuring User Authorization with Menu Templates

Configuring User Authentication

Authentication of users that are accessing the USM can generally be done using either the local database or Lightweight Directory Access Protocol (LDAP):

Local database: The system authenticates a user against the password stored in the local database, which resides on the AlienVault USM system.

LDAP: The system authenticates a user against the password stored in an LDAP database, such as Microsoft Active Directory. LDAP authentication allows users to use their standard domain or corporate credentials to authenticate with AlienVault USM. This can provide simpler user management in larger environments. For example, if a user leaves the organization, you only need to disable the user's account in the LDAP directory in order to prevent the user from accessing the USM system.

Note: The USM allows local authentication and LDAP authentication to co-exist.

Configuring Local Authentication

When configuring local authentication, you have to define users with their usernames and passwords in the local database as described in Managing Users.

AlienVault USM has a password policy area that allows you to establish password requirements when local authentication is used. To change the password policy, navigate to Configuration > Administration > Main and expand the Password Policy section.
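The Password Policy parameters of this section (length limits, the complexity rule of 3 out of 4 character classes, failed logon attempts and lockout duration), modelled with the guide's default values as an added example that is not AlienVault code. It assumes that "special characters" means ASCII punctuation and that failed logons are counted consecutively; the class and function names are hypothetical.

```python
# Added example, not AlienVault code: a model of the Password Policy parameters.
# Class and function names are hypothetical; defaults are the ones in this guide.
import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    min_length: int = 7              # "Set to 7 by default"
    max_length: int = 32             # "Set to 32 by default"
    complexity: bool = False         # disabled by default
    failed_logon_attempts: int = 5   # failed attempts before the account is locked
    lockout_minutes: int = 5         # the value 0 disables lockout


def character_classes(password):
    """Return which of the four classes named by the Complexity option are present."""
    found = set()
    for ch in password:
        if ch.islower():
            found.add("lowercase")
        elif ch.isupper():
            found.add("uppercase")
        elif ch.isdigit():
            found.add("numbers")
        elif ch in string.punctuation:   # assumption: "special" = ASCII punctuation
            found.add("special")
    return found


def check_password(policy, password):
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("shorter than minimum length %d" % policy.min_length)
    if len(password) > policy.max_length:
        problems.append("longer than maximum length %d" % policy.max_length)
    if policy.complexity and len(character_classes(password)) < 3:
        problems.append("fewer than 3 of the 4 character classes")
    return problems


class LockoutTracker:
    """Failed logon attempts / account lockout duration (assumed: consecutive failures)."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = {}       # login -> consecutive failed attempts
        self.locked_until = {}   # login -> time (seconds) at which the lock ends

    def is_locked(self, login, now):
        until = self.locked_until.get(login)
        if until is None:
            return False
        if now >= until:
            # Lockout duration has elapsed: clear the lock and the counter.
            del self.locked_until[login]
            self.failures.pop(login, None)
            return False
        return True

    def record_failure(self, login, now):
        """Count one failed logon; return True if the account is locked afterwards."""
        if self.policy.lockout_minutes == 0:
            return False             # lockout disabled
        if self.is_locked(login, now):
            return True
        count = self.failures.get(login, 0) + 1
        self.failures[login] = count
        if count >= self.policy.failed_logon_attempts:
            self.locked_until[login] = now + self.policy.lockout_minutes * 60
            return True
        return False

    def record_success(self, login):
        self.failures.pop(login, None)
```

With the default values, `check_password` accepts a seven-letter lowercase password; it is rejected only once Complexity is enabled.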

Figure 2. Changing password policy

Password policy allows you to change the following parameters:

Minimum password length: Minimum number of characters for a password. Set to 7 by default.
Maximum password length: Maximum number of characters for a password. Set to 32 by default.
Password history: Enables the system to remember a specified number of previously used passwords in order to prevent the user from reusing them. The value 0 disables password history. By default, password history is disabled.
Complexity: Requires the presence of 3 of these characters: lowercase, uppercase, numbers, or special characters. Disabled by default.
Minimum password lifetime in minutes: Specifies time before a user can again change a recently changed password. This option prevents users from quickly changing a new password to the previously expired password. The value 0 disables minimum lifetime. By default, minimum lifetime is disabled.
Maximum password lifetime in days: Specifies the time before a user is asked to change current password. The value 0 disables maximum lifetime. By default, maximum lifetime is disabled.
Failed logon attempts: Specifies the number of failed logon attempts before the system locks an account. Set to 5 attempts by default.
Account lockout duration: Specifies the duration of a locked account. Set to 5 minutes by default. The value 0 disables lockout.

After you make changes to the password policy, make sure to save the changes by clicking Update Configuration.

Configuring LDAP Authentication

In order to use external authentication against an LDAP database, you have to first create a service account in the LDAP database for AlienVault USM to query the database.

Figure 3. Creating Microsoft Active Directory user account

For Microsoft Active Directory, the service account is configured as a regular user account. A regular user account in Microsoft Active Directory is created in two steps. In the first step, you have to assign a meaningful name and user logon name. In the second step, you set a logon password for the user. You should set the password not to expire and not to request a password change at next logon.

After creating the service account in Microsoft Active Directory, you have to modify the configuration in AlienVault USM. By default, users are authenticated via username and password. These are stored in the AlienVault USM database after they have been created. You have to change this configuration in order to use LDAP authentication.

To integrate AlienVault USM with an LDAP database

1. Log in to the USM web interface.
2. Navigate to Configuration > Administration > Main.

3. Expand the Login Methods/Options section, and enter the following parameters:
   Set Enable LDAP for login to Yes.
   For LDAP server address, specify the IP address of the LDAP server.
   For LDAP server port for unencrypted LDAP, specify 389. Enter 636 if you use SSL.
   Set the LDAP server SSL to No, unless you use LDAP over SSL.
   Set the LDAP server TLS to No, unless you use LDAP over TLS.
   The LDAP server basedn needs to be the LDAP server base distinguished name (DN) in the form of dc=domain,dc=suffix.
   For LDAP server filter for LDAP users, use (&(cn=%u)(objectclass=account)) for general LDAP, or (&(samaccountname=%u)(objectcategory=person)) for Microsoft Active Directory.
   For LDAP Username you need to specify the User Principal Name (UPN) of the user you have created in the LDAP database in the following format: loginname@domain.suffix.
   For LDAP password for Username specify the password for the account that has been entered in the previous line.
   Set Require a valid ossim user for login to Yes if you need to control user authorization. This setting requires that you create a user account in the local database with the same login name as the user in the LDAP database. The local username is used to determine user permissions, such as assigning menu templates and entities. A password will be set for the local account during creation. But once LDAP is set up, the local password will not be used for authentication any longer.
   Set this setting to No if you do not want to create user accounts for authorization. In this case, you have to select a default entity from the Entity for new user drop-down menu and a default menu template from the Menus for new user drop-down menu. The default entity and menu template will then be assigned to users that are authenticated against the LDAP database.
4. Click Update Configuration to save the changes.
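A pre-flight check for the values entered in step 3, as an added example that is not AlienVault code. The dictionary keys, the sample service account and the entity name are constructed for illustration. How USM itself substitutes %u is not described in this guide, so `render_filter` only shows the RFC 4515 escaping any LDAP client has to apply to a login name.

```python
# Added example, not AlienVault code: checks the Login Methods/Options values
# before they are saved. Dictionary keys are hypothetical names for the fields.
import re

AD_FILTER = "(&(samaccountname=%u)(objectcategory=person))"   # from this guide
GENERIC_FILTER = "(&(cn=%u)(objectclass=account))"            # from this guide

BASEDN_RE = re.compile(r"^dc=[^,=]+(,dc=[^,=]+)+$", re.IGNORECASE)
UPN_RE = re.compile(r"^[^@\s]+@[^@\s.]+(\.[^@\s.]+)+$")


def escape_filter_value(value):
    """Escape a login name for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def render_filter(template, login):
    """Replace %u with the escaped login name."""
    return template.replace("%u", escape_filter_value(login))


def parentheses_balanced(text):
    depth = 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def check_ldap_settings(s):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if s["ssl"] and s["port"] != 636:
        findings.append("SSL is Yes but the port is not 636")
    if not s["ssl"] and s["port"] == 636:
        findings.append("port 636 is set but SSL is No")
    if not s["ssl"] and not s["tls"]:
        findings.append("SSL and TLS are both No: directory traffic is unencrypted")
    if not BASEDN_RE.match(s["basedn"]):
        findings.append("base DN is not in the form dc=domain,dc=suffix")
    flt = s["filter"]
    if "%u" not in flt or not flt.startswith("(") or not parentheses_balanced(flt):
        findings.append("filter must contain %u and have balanced parentheses")
    if not UPN_RE.match(s["bind_user"]):
        findings.append("LDAP Username is not a UPN (loginname@domain.suffix)")
    if not s["require_valid_user"]:
        # With "Require a valid ossim user for login" set to No, every user the
        # directory authenticates receives the default entity and menu template.
        if not s.get("default_entity") or not s.get("default_template"):
            findings.append("default entity and menu template must be selected")
        elif s["default_template"] == "All Sections":
            findings.append("every LDAP user receives the All Sections template")
    return findings


# Constructed sample values (documentation address and domain, made-up account).
WEAK = {
    "address": "192.0.2.10", "port": 389, "ssl": False, "tls": False,
    "basedn": "dc=example,dc=com", "filter": AD_FILTER,
    "bind_user": "svc-usm@example.com", "require_valid_user": False,
    "default_entity": "SOC", "default_template": "All Sections",
}
HARDENED = dict(WEAK, port=636, ssl=True, require_valid_user=True)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_ldap_settings(cfg))
    print(render_filter(AD_FILTER, "jdoe"))
```

The first sample is flagged twice: neither SSL nor TLS is enabled, and the All Sections template, which allows 100 percent access to the web interface, would be handed to every directory user who can authenticate.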

Figure 4. Integrating AlienVault USM with LDAP

Configuring User Authorization

You can configure user authorization in AlienVault USM by assigning different parameters to a user account that is created in the local user database. The parameters that influence what a user can access in AlienVault USM system are as follows:

Visibility. Use this option to associate a user with entities within the structure tree.
Allowed assets. This option lets you choose which assets the user should see.
Menu templates. This option authorizes access to different parts of the web interface.

Note: Associating users with authorization parameters will be explained in the Managing Users section of the document.

Configuring User Authorization with Visibility

The first way to configure user authorization is to limit a user's visibility of assets and events to an entity.

Entities are used to group assets and sensors from similar functional areas of an organization, so that you can treat them differently, because assignment of an entity limits visibility of events and assets in the web interface. For example, each department within a company can be a different entity, as they have different assets and you may not want them to see each other's assets. By separating them into different entities, you can limit the users to only see their department's assets and the events associated with those assets.

If you're using local authentication and authorization, you can assign an entity to an individual user in the AlienVault USM local database. If you're using LDAP authentication without a local user, the system uses a default entity.

Important: The visibility configuration does not apply to Availability Monitoring, HIDS, Wireless IDS, or Vulnerability Scans. This is because these functional areas are tied to each USM Sensor. You cannot limit their visibility to a subset of assets.

You can create, modify, and delete correlation contexts and entities. Navigate to Configuration > Administration > Users > Structure to create an entity.

Figure 5. Entities and assets structure tree

The upper part of the screen includes the following options:

New Entity: Allows you to create a new entity.
New Correlation Context: Allows you to create a new correlation context.

Show Users: Toggles the display of users in the entities and asset structure.
Show AlienVault Components: Toggles the display of AlienVault components in the entities and asset structure.

The lower part of the screen is divided into two columns. The left one contains an asset structure tree, which displays assets, asset groups, networks, and network groups. Assets are organized into entities and correlation contexts. By default, you will find one correlation context named My Company that contains all assets and networks. There are no entities by default. The right column displays the inventory of all assets. They are organized by properties, such as operating system, role, and department.

To create a new entity

1. Click New Entity.

Figure 6. Creating a new entity

2. Specify the name of the entity in the Name input field.
3. Optionally, specify the address of the entity in the Address input field.
4. Select a parent correlation context or an entity from the Parent drop-down menu.
5. Select the time zone from the Timezone drop-down menu.

6. Associate assets or networks with the entity by selecting assets or networks from the asset tree. Once you have added the assets, you can remove them by selecting an asset and clicking the [X] button. You can also remove all assets by clicking Remove All Assets.
7. Associate USM Sensor with the entity by selecting a sensor from the Sensor list tree. Once you have added the sensors, you can remove them by selecting a sensor and clicking the [X] button. You can also remove all sensors by clicking Remove All Sensors.
8. Click Save to save the changes.

Configuring User Authorization with Menu Templates

The second way to configure user authorization is by using menu templates, which limit availability of the web interface to users. A menu template is a reusable object that specifies which parts of the web interface are displayed to users.

If you use local authentication and authorization, you can assign a template to an individual user in the AlienVault USM local database. If you use LDAP authentication without a local user, the system uses a default template.

You can create a new template, edit an existing one, or delete a template. Navigate to Configuration > Administration > Users > Templates in order to work with templates.

Figure 7. Listing the menu templates

The Templates section of the configuration screen includes the following fields:

Action bar, which includes the buttons New, Modify and Delete Selected, and a drop-down menu which allows a user to configure the number of templates that will be displayed.
Name: Refers to the template name.
Users Assigned: Displays which users are assigned to an individual template.
Sections Allowed: Displays the percentage of sections that the system displays in a template.

You can also search for templates by clicking the search icon.

Figure 8. Searching for a template

The system uses one template by default, which allows 100 percent access to the web interface. The name of the template is All Sections.

Creating a New Template

To create a new template

1. Click New.

Figure 9. Creating a new menu template

2. Specify a name for the template.
3. Select the menu sections you want to include in the template by checking the appropriate box to the left of each web interface section. You can use the Select All and Unselect All options to select or unselect all web interface sections at the same time.
4. Click Save Template to save the template or click Cancel to discard the changes.

Editing a Template

To modify a template

1. Select the template you want to modify by doing one of the following:
   Click on the row of that template and click Modify.

   Double-click on the row of that template.
   Click on the name of that template.
2. Select the menu sections you want to include in the template by checking the appropriate box to the left of each web interface section. You can use the Select / Unselect All options to select or unselect all web interface sections at the same time.
3. If you change the template name, the button Save As will be active.
4. Click Save Template to save the template or click Cancel to discard the changes.

Deleting a Template

To delete a template, select the template you want to delete by clicking the line of that template and clicking Delete Selected. The system will ask for a confirmation.

Managing Users

If you are using local user authentication, you have to create user accounts in the local database. You can create, modify, delete, duplicate, or disable user accounts:

Creating a New User
Modifying a User
Deleting a User
Duplicating a User
Enabling or Disabling a User
Viewing User Hierarchy
Resetting a Password

Navigate to Configuration > Administration > Users to manage users that can access the AlienVault USM web interface.

Figure 10. Managing local users

The User information section of the configuration screen includes the following parts:

Action bar, which includes the buttons New, Modify, Delete Selected, Duplicate Selected, Multilevel Tree, and a drop-down menu which allows a user to configure the number of users that will be displayed.
A list of configured users, which contains the following fields:

Table 1. Local users account information

Field              Description
Login              Username required to access the AlienVault USM. It refers to the username the user uses to open a session in the system.
Name               The real name of that user in the system.
Email              The e-mail address of the user. It is used to send notifications or reports to the user.
Visibility         The correlation context or entity the user belongs to.
Status             User account can be either enabled or disabled.
Language           The interface is available in either English or Spanish.
Creation Date      Date the user account was created.
Last Login Date    Last date the user logged into the system.

You can also search for users by clicking the search icon and specifying the name of the user you are searching for.

Figure 11. Searching for local users

Creating a New User

To create a new user

1. Click New.
2. Enter a username into User Login field. The user can access the AlienVault USM web interface with this username.
3. Enter the user's real name into the User Name field.
4. Enter the user's email into the User Email field.
5. Select the language of the user interface from the User Language drop-down menu.
6. Select a time zone from the Timezone drop-down menu.
7. Enter your current password in the Enter Your Current Password field. The user needs this password to log into the AlienVault USM system.

Figure 12. Creating a new user account

8. Choose a login method for the new user between LDAP and password.

9. Configure the user as a global admin user by selecting the Yes radio button next to Make This User a Global Admin. Leave the setting set to No to configure the user as a normal user.
10. Select a template from the Menu Template drop-down menu to associate this user with a menu template. You can also view a template or create a new template from this window.
11. Select an entity or correlation from the Visibility menu. This option is mandatory and it is used to associate a user with an entity or correlation contexts within the structure tree.
12. Assign assets that will be visible to the user by expanding the Allowed Assets option and selecting assets. This option is not mandatory and it works as a filter within an entity or a correlation context.
13. Click Save to save changes.

Note: For global admin users, menu templates, visibility, and allowed assets settings do not apply. You can set them but they have no effect.

Modifying a User

To modify an existing user account

1. Select the user you want to modify by doing one of the following:
   Click on the row of that user and click Modify.
   Double-click on the row of that user.
   Click on the name of that user.

Figure 13. Modifying a user account

2. Change the parameters of the user account as needed, such as a password, for example. Parameters are the same as when creating a user account.

3. Click Save to save changes.

Deleting a User

To delete an existing user account, select the user you want to delete by clicking the row of that user and click Delete Selected. The system will ask you for a confirmation.

Duplicating a User

To duplicate an existing user account

1. Select the user account you want to duplicate by clicking the row of that user, and click Duplicate Selected.
2. Change the parameters of the user account as needed. Parameters are the same as when creating a user account. Notice that the system has added _duplicated to the User Login field in order to distinguish the new user from the one that is being duplicated.
3. Click Save to save changes.

Figure 14. Duplicating a user account

Enabling or Disabling a User

To disable a user account, click the green check mark in the row of the user you would like to disable.

Figure 15. Disabling a user account

A disabled account is indicated by a red cross.

To re-enable a disabled user account, click the red cross in the row of the user you would like to enable.

Figure 16. Enabling a user account

Viewing User Hierarchy

To see how users are organized into entities and correlation contexts, you can examine user hierarchy by clicking the Multilevel Tree option.

Figure 17. Viewing user hierarchy

Resetting a Password

For any user other than the default admin user, you can reset the user's password by logging into the system as the default admin user. You reset the password by editing the user account as discussed in Modifying a User.

If the default admin user forgets his or her password, you have to recover it. You can do this by accessing the AlienVault USM command prompt shell and using the AlienVault Setup menu.

To reset the default admin password, complete the following steps:

1. Access the AlienVault USM command line shell and log in as root user. In the AlienVault Setup menu, navigate to System Preferences > Change Password > Reset UI Admin Password. A similar menu allows you to change the password of the root user as well.

Figure 18. Changing admin password in the AlienVault Setup menu

2. Press Enter to confirm that you want to reset the admin password. The system will display a new password.
3. Launch the AlienVault USM web interface to log in.
4. Change the password when prompted.

Figure 19. Changing admin password when prompted

Note: If you forget the root user password and have to reset it, see Recovering Lost Root Password on AlienVault Appliances.

Monitoring User Activities

AlienVault USM allows you to monitor user activity and actions that are performed by users in the web interface. The system allows you to change general user activity settings and change which actions are being monitored.

Changing User Activity Configuration

To change general user activity settings, navigate to Configuration > Administration > Main and expand the User Activity option.

Figure 20. Changing user activity logging configuration

In the User Activity section, you can change the following settings:

• Change session timeout by entering a number into the Session Timeout input field. Session timeout specifies how many minutes an AlienVault USM web interface session lasts. By default, session timeout is set to 15 minutes.
• Change user lifetime by entering a number into the User Life Time input field. This setting specifies the number of days that a user account is active. The value 0 means that the account does not expire.
• Toggle user activity logging on or off by selecting Yes or No from the Enable User Log drop-down menu. Typically, you will choose Yes.
• Toggle sending user activity logs to syslog by selecting Yes or No from the Log to syslog drop-down menu.
• Toggle telemetry collection, which gathers data on how users are using the AlienVault USM system, by selecting Yes or No from the Send anonymous usage statistics and system data to AlienVault to improve USM drop-down menu. Click Learn More if you want to know more about this option.

By default, the AlienVault USM system monitors all activities performed by individual users (if user activity logging is enabled globally). If you do not want to monitor all activity, you can change the user activity configuration.

To change the user activity configuration

1. Navigate to Configuration > Administration > Users > Activity. The table that is displayed has two columns. The left column shows the logged actions. The right column shows the actions that are not logged. By default, all actions are in the left column, which means that all actions are logged.

Figure 21. Changing user actions logging configuration

2. Pass actions from one side to the other by using drag-and-drop or by using the links [+] or [-] located next to each item. You can pass all items from one side to the other by clicking Remove all or Add all. If you have any items in the column on the right, you can use the search box at the top of that column to search for actions not logged.
3. Click Update Configuration to apply the changes.

Monitoring User Activity

In order to verify who is logged into the AlienVault USM system, navigate to Settings > Current Sessions.

Figure 22. Monitoring logged in users

For each user, you can see the following features: the IP address the user is connecting from, name of the asset in the AlienVault USM inventory the user is connecting from, user agent of the client, session ID, logon time, and elapsed time since last activity. You also have an option to log out a specific user by clicking the door icon.

In order to monitor the activity that was performed by an individual user, navigate to Settings > User Activity.

On the upper part of the screen, you can filter displayed activities by selecting Date Range, User, or Action. Click View after you specify filters to see only activities that are related to the search filters.

On the lower part of the screen, you see all actions that were performed by users and that match the filters. The default admin user sees activities of all users, while other users see activities of users belonging to the same entity.
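The review an administrator does by eye on the Current Sessions page can be written as a check. The following is an added example, not part of this guide or of AlienVault's code: it flags sessions idle past Session Timeout, users connected from more than one IP address, and sessions whose source is not a named asset. The record layout, the sample values, the reading of Session Timeout as an idle limit, and the reading of an empty asset name as "not in inventory" are assumptions; this guide does not describe an export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SESSION_TIMEOUT_MIN = 15  # default Session Timeout stated in the guide

# Constructed sample rows. Keys mirror the columns the Current Sessions
# page lists; the dict layout itself is an assumption, not a USM format.
SESSIONS = [
    {"user": "admin", "ip": "192.0.2.10", "asset": "soc-ws-01",
     "agent": "Firefox", "session_id": "s1",
     "logon": "2015-10-20 09:00", "last_activity": "2015-10-20 09:58"},
    {"user": "jdoe", "ip": "192.0.2.21", "asset": "soc-ws-02",
     "agent": "Chrome", "session_id": "s2",
     "logon": "2015-10-20 08:30", "last_activity": "2015-10-20 09:20"},
    {"user": "jdoe", "ip": "198.51.100.7", "asset": "",
     "agent": "Chrome", "session_id": "s3",
     "logon": "2015-10-20 09:50", "last_activity": "2015-10-20 09:59"},
]


def _ts(text):
    """Parse the timestamp format used in the constructed rows."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def review_sessions(sessions, now, timeout_min=SESSION_TIMEOUT_MIN):
    """Return (stale_session_ids, multi_ip_users, unknown_asset_session_ids)."""
    limit = timedelta(minutes=timeout_min)
    stale, unknown = [], []
    ips_by_user = defaultdict(set)
    for s in sessions:
        # Idle longer than the timeout but still listed: candidate for logout.
        if now - _ts(s["last_activity"]) > limit:
            stale.append(s["session_id"])
        # Assumption: an empty asset name means the source IP is not in inventory.
        if not s["asset"]:
            unknown.append(s["session_id"])
        ips_by_user[s["user"]].add(s["ip"])
    # One account active from several addresses may indicate a shared credential.
    multi = sorted(u for u, addrs in ips_by_user.items() if len(addrs) > 1)
    return stale, multi, unknown


if __name__ == "__main__":
    print(review_sessions(SESSIONS, datetime(2015, 10, 20, 10, 0)))
```
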

Figure 23. Monitoring user actions

Functions for All Users

This section describes functions that are available to all users.

Viewing User Settings

Each user in the AlienVault USM system can examine the following information:

• User profile: Includes basic settings about a user, such as login name, user name, email, language, time zone, and password. Each user can change his or her profile as described in the Modifying a User topic.
• Current sessions: Displays users that are logged into the system. Global admin users (including default admin) can see accounts from all users, while normal users can see only their own account.
• User activity: Displays user activity. Default admin can see activity of all users, while other global admin users and normal users can only see activity of users belonging to the same entity.

Note: Refer to Monitoring User Activity for details on examining current sessions and user activity.

Modifying a User

Users can change their own settings or user profile.

To change your user profile

1. Do one of the following:
   • Navigate to Configuration > Administration > User Information, select the row of the user you would like to modify, and click Modify. Alternatively, double-click the row of the user you would like to modify. For normal users, as opposed to global admin users, Modify is the only option.
   • Navigate to Settings > My Profile.
2. Change user settings as desired. Settings are the same as when creating a new user.
3. Click Save to save the settings.

Figure 24. Modifying user profile