Dell InTrust 11.0
Preparing for Auditing and Monitoring Linux
© 2015 Dell Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Dell Software Inc.

The information in this document is provided in connection with Dell Software products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell Software products. EXCEPT AS SET FORTH IN DELL SOFTWARE'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL SOFTWARE ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL SOFTWARE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell Software makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell Software does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Dell Software Inc.
Attn: LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656

Refer to our web site (www.software.dell.com) for regional and international office information.

Trademarks

Dell and the Dell logo are trademarks of Dell Inc. and/or its affiliates. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims any proprietary interest in the marks and names of others.

Legend

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

Dell InTrust Preparing for Auditing and Monitoring Linux
Updated - November 2014
Software Version - 11.0
Contents

Linux Auditing and Monitoring Overview                                                  4
Requirements                                                                            5
Installation                                                                            6
    Installing Agents                                                                   7
Syslog Configuration                                                                    8
    Configuration Specifics for Oracle Linux and Red Hat Enterprise Linux 6.3 and Later  8
InTrust Configuration                                                                   9
    Auditing, Reporting, and Real-Time Monitoring                                       9
    Redhat Linux Syslog and SuSE Linux Syslog Data Sources                              9
    Text File-Monitoring Data Sources                                                  10
    External Events Data Sources                                                       11
    Script Event Provider Data Sources                                                 11
Use Scenarios                                                                          12
    Syslog Configuration Monitoring                                                    12
    Tracking Security Incidents                                                        12
About Dell                                                                             13
    Contacting Dell Inc.                                                               13
    Technical support resources                                                        13

Preparing for Auditing and Monitoring Linux 3
Linux Auditing and Monitoring Overview

The Linux Knowledge Pack expands the auditing and reporting capabilities of Dell InTrust to SuSE Linux Enterprise Server, Red Hat Enterprise Linux and Oracle Linux. The Knowledge Pack enables InTrust to work with Syslog and text logs.

The following table shows what you can audit and monitor on Linux:

Data Source                      Gathering   Real-Time Monitoring
Syslog messages                  X           X
Text logs of any format          X
Configuration file modification  X           X
Requirements

InTrust supports auditing and monitoring of the following Linux distributions:
- Red Hat Enterprise Linux 7, 6.6, 6.5, 6.4, 6.3, 5, 4
- SuSE Linux Enterprise Server 11, 10
- Oracle Linux 7, 6.6, 6.5, 6.4, 6.3

To prepare a Linux host, you need to install an InTrust agent and adjust the configuration of the Syslog flavor used. Currently, agents must be installed manually on each Linux host you want to cover.

An alternative agent-free approach, which is not covered in this topic, is to use Syslog forwarding to an InTrust server. For details about this method, see Setting Up Gathering of Syslog Data.
Installation

The Linux Knowledge Pack is installed on top of an existing InTrust installation. The following objects are included:

Data sources:
- Redhat Linux Syslog
- Redhat Linux Accounts Monitoring
- Redhat Linux Text Files Monitoring
- SuSE Linux Accounts Monitoring
- SuSE Linux Syslog
- SuSE Linux Text Files Monitoring

Gathering policies:
- Redhat Enterprise Linux: Common Security Events
- Redhat Enterprise Linux: All Syslog Messages
- Redhat Enterprise Linux: Accounts Monitoring
- Redhat Enterprise Linux: Text files Monitoring
- SuSE Linux Enterprise Server: Common Security Events
- SuSE Linux Enterprise Server: All Syslog Messages
- SuSE Linux Enterprise Server: Accounts Monitoring
- SuSE Linux Enterprise Server: Text Files Monitoring

Import policies:
- Redhat Enterprise Linux: Common Security Events
- Redhat Enterprise Linux: All Syslog Messages
- Redhat Enterprise Linux: Accounts Monitoring
- Redhat Enterprise Linux: Text Files Monitoring
- SuSE Linux Enterprise Server: Common Security Events
- SuSE Linux Enterprise Server: All Syslog Messages
- SuSE Linux Enterprise Server: Accounts Monitoring
- SuSE Linux Enterprise Server: Text Files Monitoring

Consolidation policies:
- Redhat Linux Log Consolidation
- Redhat Linux Log Consolidation for the Last Month
- SuSE Linux Log Consolidation
- SuSE Linux Log Consolidation for the Last Month

Real-time monitoring policies:
- Redhat Linux: security
- SuSE Linux: security

Tasks:
- Redhat Linux daily collection of security events
- Redhat Linux weekly reporting
- SuSE Linux daily collection of security events
- SuSE Linux weekly reporting

Sites:
- Redhat Linux hosts
- SuSE Linux hosts

NOTE: To work with Oracle Linux, use the data sources, policies and sites designed for Red Hat Enterprise Linux.

Installing Agents

InTrust agents must be installed manually on Linux hosts. For details, see Installing Agents Manually on Linux Computers.
Syslog Configuration

InTrust takes advantage of the Syslog logging system on Linux computers. Syslog provides data for auditing and real-time monitoring activities.

Syslog functionality is provided by the syslogd daemon, which accepts messages from various sources that support logging, and either writes these messages to files or passes them on to other hosts in the network. The syslog.conf file specifies where syslogd sends a message depending on the parameters of the message. For a detailed description of this file's format, see the syslog.conf man page.

When you install the InTrust agent on the Linux host, the necessary entries are automatically added to syslog.conf. You do not have to modify any message redirection settings manually. However, as long as you do not modify InTrust-related settings, it is up to you how you configure redirection of messages to other destinations.

NOTE: In addition to the syslogd daemon, InTrust supports syslog-ng. In this case the syslog-ng.conf file needs to be modified.

Configuration Specifics for Oracle Linux and Red Hat Enterprise Linux 6.3 and Later

These versions use rsyslog, which has no /etc/syslog.conf of its own, so the file the agent writes its entries to has to be created first and the actual redirection is configured in /etc/rsyslog.conf.

1. Create the /etc/syslog.conf file:
   touch /etc/syslog.conf
2. In the /etc/rsyslog.conf file, add the following line under #### RULES ####:
   *.debug /var/log/intrust_syslog;RSYSLOG_TraditionalFileFormat
3. Create the /var/log/intrust_syslog pipe:
   mkfifo /var/log/intrust_syslog
4. Restart the rsyslogd daemon using the following command sequence:
   For operating system versions 6.3 to 6.6:
   /etc/rc.d/rc2.d/S12rsyslog stop
   /etc/rc.d/rc2.d/S12rsyslog start
   For operating system version 7:
   systemctl restart rsyslog
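As an added illustration of steps 1 to 3 above (not code from the original guide or from the InTrust product), the following Python script performs them idempotently and then checks that the host is prepared. The root parameter is a hypothetical prefix so the code can be exercised in a temporary directory instead of the real /etc and /var; on a real host it is left empty and the script is run as root.

```python
import os
import stat
import tempfile
from pathlib import Path

# Values from the guide's procedure; "*.debug" sends every facility at every priority into the pipe.
RULES_MARKER = "#### RULES ####"
RULE_LINE = "*.debug /var/log/intrust_syslog;RSYSLOG_TraditionalFileFormat"
SYSLOG_CONF = "/etc/syslog.conf"
RSYSLOG_CONF = "/etc/rsyslog.conf"
PIPE_PATH = "/var/log/intrust_syslog"


def prepare_host(root: str = "") -> None:
    """Steps 1-3; `root` is a hypothetical prefix (a temp dir in demo()) so this runs off the real /etc."""
    syslog_conf, rsyslog_conf, pipe = (Path(root + p) for p in (SYSLOG_CONF, RSYSLOG_CONF, PIPE_PATH))
    for path in (syslog_conf, rsyslog_conf, pipe):
        path.parent.mkdir(parents=True, exist_ok=True)
    syslog_conf.touch(exist_ok=True)                # step 1: touch /etc/syslog.conf
    text = rsyslog_conf.read_text() if rsyslog_conf.exists() else ""
    if RULE_LINE not in text.splitlines():          # step 2: add the rule once, under the marker
        if text and not text.endswith("\n"):
            text += "\n"
        if RULES_MARKER not in text.splitlines():
            text += RULES_MARKER + "\n"
        text = text.replace(RULES_MARKER + "\n", RULES_MARKER + "\n" + RULE_LINE + "\n", 1)
        rsyslog_conf.write_text(text)
    if not pipe.exists():                           # step 3: mkfifo /var/log/intrust_syslog
        os.mkfifo(pipe)


def check_host(root: str = "") -> list:
    """Return the problems found; an empty list means steps 1-3 are in place."""
    problems = []
    if not Path(root + SYSLOG_CONF).is_file():
        problems.append(f"{SYSLOG_CONF} is missing")
    conf = Path(root + RSYSLOG_CONF)
    lines = conf.read_text().splitlines() if conf.is_file() else []
    if lines.count(RULE_LINE) != 1:
        problems.append(f"{RSYSLOG_CONF} must contain the InTrust rule exactly once")
    pipe = Path(root + PIPE_PATH)
    if not (pipe.exists() and stat.S_ISFIFO(pipe.stat().st_mode)):
        problems.append(f"{PIPE_PATH} is not a named pipe")
    return problems


def demo() -> dict:
    """Run against a constructed temporary root; prepare twice to show the rule is not duplicated."""
    root = tempfile.mkdtemp()
    before = check_host(root)
    prepare_host(root)
    prepare_host(root)
    return {"before": before, "after": check_host(root)}
```

Step 4 (restarting rsyslogd) is deliberately left to the operator, since the command differs between the 6.x init scripts and systemctl on version 7.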
InTrust Configuration

After you have taken all the necessary configuration steps on the target Linux hosts, the InTrust Server takes over all auditing and real-time monitoring operations. This section describes Linux-specific settings that are not explained in the other InTrust documentation.

Auditing, Reporting, and Real-Time Monitoring

Linux auditing, reporting, and real-time monitoring is similar to working with any other system supported by InTrust. There is only one important difference, which concerns active scheduling of the InTrust tasks. For information, see the caution note below.

CAUTION: An active schedule is required to make the agent cache events. If the schedule is disabled, no events are stored. Since all data sources described above use event caching, it is recommended that you use at least one regularly running task for the cache-enabled data sources. If you want to gather data only on demand, you must still enable the schedule for your task or tasks, but set it to a point in the future or in the past.

The other Linux auditing, reporting and real-time monitoring operations do not have special requirements, and you can perform them as described in ???.

The following are details about the Linux-related data sources in InTrust.

Redhat Linux Syslog and SuSE Linux Syslog Data Sources

The Redhat Linux Syslog and the SuSE Linux Syslog data sources represent the Syslog audit trails. Syslog auditing and real-time monitoring is based on the flow of data intended for the syslogd or syslog-ng daemons. The Redhat Linux Syslog (SuSE Linux Syslog) data source is used to analyze the data flow and capture only the necessary portions of it.

The data source uses a list of regular expressions. When the data source is working, it applies the expressions, in the order specified, to each message. The order of the regular expressions matters because message processing stops as soon as the message matches one of the expressions. When parsing takes place, pairs of parentheses are used in regular expressions to break messages up into numbered fields.

For example, the following regular expression:

^(.{15}) ([-[:alnum:]_.]+) (su)(\([^[]+\)){0,1}(\[[0-9]+\]){0,1}: (session opened for user (.*) by ([^()]*)\(.*\))

matches the following message:

Dec 16 12:10:47 es7 su(pam_unix)[23200]: session opened for user root by jsmith(uid=508)

The result is an event with the following fields:

Field Name            Field Number   Field Contents
Computer              <2>            es7
Description           <6>            session opened for user root by jsmith(uid=508)
Event ID              2              2
Event Source          <3>            su
Insertion String #1   <6>            session opened for user root by jsmith(uid=508)
Insertion String #11  <7>            root
Insertion String #12  <8>            jsmith

The last regular expression in the predefined data source is designed to match any message. This ensures that the message is not lost. The result of this regular expression is an event where the Description and Insertion String #1 fields both contain the descriptive part of the message, if a descriptive part is present.

It is not recommended that you modify predefined regular expressions in the data source. These expressions are required for the reports that come with the Linux Knowledge Pack. These reports will ignore any data resulting from the use of custom regular expressions. If you create a custom Syslog data source with your own regular expressions, make sure you use customized reports based on the data that these regular expressions help capture.

CAUTION: Including a lot of complex regular expressions in the data source may slow down Syslog processing significantly.

Text File-Monitoring Data Sources

The Redhat Linux text files monitoring (or SuSE Linux text files monitoring) and Redhat Linux accounts monitoring (or SuSE Linux accounts monitoring) scripted data sources are designed to parse specified files. Real-time monitoring rules use these data sources to monitor the files for changes.

CAUTION: These scripted data sources are not designed for general-purpose auditing and monitoring of text-based logs. They should be used only on configuration files that preferably do not exceed 100 kilobytes.
To collect large text-based logs, use Custom Text Log Events data sources, as described in the Auditing Custom Logs with InTrust document.

To specify the file paths, edit the appropriate parameters of the data sources. For example, to monitor the /etc/hosts.allow and /etc/hosts.deny files, take the following steps:
1. Open the properties of the Redhat Linux text files monitoring data source.
2. On the Parameters tab, select the TextFiles parameter and click Edit.
3. Supply /etc/hosts.allow and /etc/hosts.deny in the dialog box that appears.

Similarly, you can edit the UsersFile and GroupsFile parameters of the Redhat Linux accounts monitoring data source if the location of the passwd and groups files differs from the default on your Linux hosts.

NOTE: Monitoring the passwd and groups files makes sense if your Linux environment does not use a directory solution. With a directory in place, information in these files is not important or representative.

External Events Data Sources

The External Events data source type is not represented by any predefined data sources. It is different from other data source types in that it generates event records with fields that you define and hands them over to the InTrust agent to process. Data sources of this type are represented by a command-line utility on the agent side and an InTrust data source object on the InTrust server side. This command-line utility forces special events on the InTrust agent running on the same computer. The agent stores the events in its backup cache. From there, the events can be captured by the gathering or real-time monitoring engine.

To create an External Events data source
1. Right-click the Configuration | Data Sources node and select New Data Source.
2. In the New Data Source Wizard, select the External Events data source type.
3. Complete the remaining steps.

For details about External Events data source settings, see Configuring Data Sources.

Script Event Provider Data Sources

InTrust provides an additional option to create a custom data source using the Script Event Provider. This functionality lets you create a script that runs with a preset frequency. When conditions specified in the script are met, events are generated and passed to the InTrust agent. Events are stored in the agent's backup cache. From there, the events can be captured by the gathering or real-time monitoring engine. In the script, you specify what information is stored in the events and how it is ordered, and what conditions are required for event generation.
To create a custom data source with the Script Event Provider
1. Right-click the Configuration | Data Sources node and select New Data Source.
2. In the New Data Source Wizard, select the Script Event Provider data source type.
3. On the Script step, select the script language and enter your script text using the XML editor.
4. On the same step, specify how frequently the script should run.
5. Complete the remaining steps.
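As an added worked example of how the Redhat Linux Syslog data source described earlier in this section parses messages (this is illustrative code, not code from the original guide or from InTrust), the following Python script applies an ordered rule list to Syslog lines and builds the event fields from the numbered capture groups. The first rule is the guide's su/pam_unix expression with the POSIX class [:alnum:] rewritten as \w for Python's re module; the shape of the catch-all rule at the end, the None event ID for it and the second sample line are assumptions.

```python
import re

# Rule list modelled on the predefined "Redhat Linux Syslog" data source:
# (compiled regex, event id, field name -> capture group). The first rule is the
# guide's su/pam_unix expression with [:alnum:] rewritten as \w for Python's re.
# The catch-all's exact shape is an assumption; the guide only says it matches
# any message and fills Description and Insertion String #1 with the descriptive part.
SU_SESSION = re.compile(
    r"^(.{15}) ([-\w.]+) (su)(\([^\[]+\))?(\[[0-9]+\])?: "
    r"(session opened for user (.*) by ([^()]*)\(.*\))"
)
CATCH_ALL = re.compile(r"^(.{15}) ([-\w.]+) (.*)$")

RULES = [
    (SU_SESSION, 2, {
        "Computer": 2, "Description": 6, "Event Source": 3,
        "Insertion String #1": 6, "Insertion String #11": 7,
        "Insertion String #12": 8,
    }),
    # Must stay last: processing stops at the first expression that matches.
    (CATCH_ALL, None, {"Computer": 2, "Description": 3, "Insertion String #1": 3}),
]


def parse_syslog_message(message: str) -> dict:
    """Apply the rules in order; build the event from the numbered fields of the first match."""
    for regex, event_id, fields in RULES:
        match = regex.match(message)
        if match is None:
            continue
        event = {name: match.group(num).strip() for name, num in fields.items()}
        event["Event ID"] = event_id
        return event
    raise ValueError("no rule matched; the catch-all rule must be present")


# Constructed sample messages; the first is the guide's own example.
SAMPLES = [
    "Dec 16 12:10:47 es7 su(pam_unix)[23200]: session opened for user root by jsmith(uid=508)",
    "Dec 16 12:11:02 es7 sshd[1201]: Failed password for jsmith from 10.0.0.5 port 4422 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLES:
        for name, value in parse_syslog_message(line).items():
            print(f"{name:22} {value}")
        print()
```

Swapping the two rules shows why order matters: the catch-all would then claim the su message and the report-relevant fields (Event Source, Insertion Strings #11 and #12) would never be filled.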
Use Scenarios

This topic describes typical situations in a production environment and how InTrust helps handle them. For information about specific procedures, such as creating tasks and jobs or activating rules, see the Auditing Guide and Real-Time Monitoring Guide.

Syslog Configuration Monitoring

Suppose you use a finely tuned Syslog audit policy in your environment. Your audit configuration has proven efficient and reliable, and you do not want anyone but a few trusted administrators to be able to change it. Even so, you want to know immediately if the audit policy is modified in any way.

Use InTrust real-time monitoring capabilities to enable immediate notification. Syslog audit configuration is defined in the syslog.conf file, so the solution in this case is to monitor this file with InTrust and send an alert whenever the file is modified. Enable the "Syslog.conf file modified" rule and make sure the appropriate file paths are supplied as the rule's parameter. On Oracle Linux and Red Hat Enterprise Linux 6.3 and later hosts prepared as described in Syslog Configuration, the redirection rules actually live in /etc/rsyslog.conf, so that path belongs in the parameter as well.

Tracking Security Incidents

You want to receive daily information about possible security issues in your environment, such as brute force attack attempts. You can achieve this by scheduling gathering and reporting jobs with InTrust. To view the resulting reports, use the Dell Knowledge Portal web application.

Take the following steps:
1. Make sure that syslogd or syslog-ng is running.
2. Create an InTrust task that gathers Syslog events from the appropriate site (gathering job) and builds reports based on the gathered data (reporting job). The resulting reports are stored in the local folder that is specified during InTrust installation.
3. A good report for this scenario is "Multiple failed login attempts". It is up to you whether you want to store the gathered data in an InTrust repository. You can also include a notification job to get notified of task completion.
4. Schedule the task to run every morning at a convenient time.
About Dell

Dell listens to customers and delivers worldwide innovative technology, business solutions and services they trust and value. For more information, visit www.software.dell.com.

Contacting Dell Inc.

Technical Support: Online Support
Product Questions and Sales: (800) 306-9329
Email: info@software.dell.com

Technical support resources

Technical support is available to customers who have purchased Dell software with a valid maintenance contract and to customers who have trial versions. To access the Support Portal, go to http://software.dell.com/support/.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. In addition, the portal provides direct access to product support engineers through an online Service Request system. The site enables you to:
- Create, update, and manage Service Requests (cases)
- View Knowledge Base articles
- Obtain product notifications
- Download software. For trial software, go to Trial Downloads.
- View how-to videos
- Engage in community discussions
- Chat with a support engineer