Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
eTrust Audit ™ iRecorder Reference Guide for FoundStone FoundScan 1.5 Service Pack 3 G002131E This documentation and related computer software program (hereinafter referred to as the “Documentation”) is for the end user’s informational purposes only and is subject to change or withdrawal by Computer Associates International, Inc. (“CA”) at any time. This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part, without the prior written consent of CA. This documentation is proprietary information of CA and protected by the copyright laws of the United States and international treaties. Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation for their own internal use, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of the license for the software are permitted to have access to such copies. This right to print copies is limited to the period during which the license for the product remains in full force and effect. Should the license terminate for any reason, it shall be the user’s responsibility to return to CA the reproduced copies or to certify to CA that same have been destroyed. To the extent permitted by applicable law, CA provides this documentation “as is” without warranty of any kind, including without limitation, any implied warranties of merchantability, fitness for a particular purpose or noninfringement. In no event will CA be liable to the end user or any third party for any loss or damage, direct or indirect, from the use of this documentation, including without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised of such loss or damage. The use of any product referenced in this documentation and this documentation is governed by the end user’s applicable license agreement. The manufacturer of this documentation is Computer Associates International, Inc. Provided with “Restricted Rights” as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) or DFARS Section 252.227-7013(c)(1)(ii) or applicable successor provisions. 2004 Computer Associates International, Inc. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. Contents Chapter 1: Welcome to iRecorder for FoundStone FoundScan 5 Who Should Read this Guide .......................................................................................................................5 About eTrust Audit........................................................................................................................................5 Audit Client .........................................................................................................................................6 Audit Data Tools.................................................................................................................................7 Audit Policy Manager ........................................................................................................................9 About Improving Security and Network Communications ..................................................................10 About the Role of iRecorders and iRouters ..............................................................................................10 About the Role of the iRecorder......................................................................................................12 About the Role of the iRouter .........................................................................................................12 About ARIES .....................................................................................................................................13 About Installing the iRecorder and iRouter ..................................................................................13 Chapter 2: How to Install and Configure the iRecorder 15 Hardware Requirements.............................................................................................................................15 Software Requirements ...............................................................................................................................15 Preinstallation Steps.....................................................................................................................................15 Installation Materials ...................................................................................................................................16 Download the iRecorder..................................................................................................................16 Locate the Installation Package on the CD ....................................................................................16 Install the iRecorder from the CD...................................................................................................16 Perform a Silent Installation for Windows....................................................................................17 Perform a Silent Uninstallation for Windows...............................................................................17 Customize Response Files for Silent Installation..........................................................................17 Configuration and Use ................................................................................................................................18 Start the iRecorder ............................................................................................................................18 Stop the iRecorder.............................................................................................................................19 How to Configure the iRecorder ....................................................................................................19 Enable Debugging ............................................................................................................................20 Add and Manage Policies ...........................................................................................................................21 Add the Default Policy for FoundStone FoundScan to the Policy Manager ............................21 Create an AN Group ........................................................................................................................22 Select an AN Type ............................................................................................................................22 Create a Policy Folder ......................................................................................................................23 Copy the Default Policies.................................................................................................................23 Add Actions to the Rules .................................................................................................................24 Attach the Rule to an AN Group ....................................................................................................24 Contents iii Activate the Rule...............................................................................................................................24 Verify the Rule Is in Effect ...............................................................................................................25 Sample Rules .....................................................................................................................................25 How Event Route Testing Works ..............................................................................................................25 Test Event Routing for FoundStone FoundScan ..........................................................................26 Chapter 3: How to Prepare Event Data for Custom Reports 27 Description of Table Columns....................................................................................................................27 Sample Report Selection Criteria for FoundStone FoundScan Events .................................................27 Use ARIES to Expose Fields Specific to FoundStone FoundScan..........................................................28 How To Expose Specific Events for FoundStone FoundScan.....................................................29 How To Create a View of FoundStone FoundScan on the eTrust Audit Database .................29 About Report Generation based on ARIES Tables ..................................................................................30 Chapter 4: eTrust Audit Field Mapping 31 About Mandatory Fields .............................................................................................................................31 About the Taxonomy Field..............................................................................................................31 About Normalized Fields ................................................................................................................32 About Product-Specific Fields....................................................................................................................33 Product-Specific Fields for FoundStone FoundScan....................................................................33 Appendix A: Introduction to iTechnology 43 iGateway .......................................................................................................................................................43 iSponsor.........................................................................................................................................................44 Examples of iSponsors .....................................................................................................................44 iv iRecorder Reference Guide for FoundStone FoundScan Chapter 1: Welcome to iRecorder for FoundStone FoundScan This guide describes how to install, configure, and use the eTrust™ Audit iRecorder for FoundStone FoundScan. This iRecorder harvests log data from FoundStone FoundScan and forwards it to an eTrust Audit Client. Who Should Read this Guide This guide is for system administrators who may install the iRecorder on network servers and for security professionals who will create policies to handle FoundStone FoundScan events after the iRecorder is installed. About eTrust Audit As the system administrator for a server onto which the iRecorder is being installed, you need to know a few basics about eTrust Audit so that you can understand the relationship of the iRecorder you are about to install on your system and the eTrust Audit system operating in your enterprise. eTrust Audit is a system that enables security managers to identify and capture security-related events on systems throughout the enterprise. After the events are captured they can be reviewed, stored, or acted on based on policies. The iRecorder that you are about to install receives the events from the application or device. Based on an eTrust Audit policy, the iRecorder ignores the event or routes it through the remaining components of eTrust Audit. The major components of eTrust Audit are as follows: ■ Client ■ Data Tools ■ Policy Manager While these components can be installed on the same host (if it runs Windows NT, 2000 or XP), it is more likely that these components are distributed among several different hosts throughout your enterprise. Welcome to iRecorder for FoundStone FoundScan 5 About eTrust Audit The following diagram shows the relationship between the three components: eTrust Audit uses Sun Remote Procedure Calls (RPC) to exchange data between the components of the Client and the Policy Manager. In addition, the components of the Data Tools, Collector, Viewer, and Reporter use ODBC to communicate with the underlying database (Microsoft Access, Microsoft SQL Server, or Oracle). Audit Client The Client component receives events and processes them based on policy rules. It is comprised of the following subcomponents: ■ Recorder ■ Router ■ Action Manager ■ Distribution Agent How the Client Processes Events The subcomponents of the Client process events as follows: 6 iRecorder Reference Guide for FoundStone FoundScan About eTrust Audit 1. A Send API Recorder (SAPI Recorder) receives events. The SAPI Recorders receive events from sources such as other eTrust products, Unicenter, Check Point FW 4.1, UNIX syslog, Windows NT event log, SNMP, Oracle, Sybase, and IBM DB2. 2. The SAPI Recorders sends the events to the Router which filters the events according to policy rules. The policy rules state what to do with the events. For example, the rules can create state variables for further correlation, event consolidation, and data reduction. They can also generate new events that will be resubmitted to the Router and will go through the same filtering policy rules as the original events. 3. After the Router filters the events, they are submitted to the Action Manager, which takes actions such as sending the events using email, forwarding events to another Router and Action Manager, forwarding events to the Security Monitor, storing the events in the Collector database, and sending events to Unicenter. For the Router and Action Manager to function, the most current version of the policy rules have to be available on the Client system. The Distribution Agent component receives policy rules from the Policy Manager. About Supported Platforms The Client component runs on the following platforms: ■ Windows NT, 2000, and XP ■ AIX ■ HP-UX ■ Linux ■ Solaris ■ Tru64 UNIX Audit Data Tools The Data Tools component lets you store and display events received directly from the Action Manager or from the database. The following subcomponents comprise the Data Tools: Collector Collects events from the Action Manager and stores them in the Collector Database. Welcome to iRecorder for FoundStone FoundScan 7 About eTrust Audit Viewer Displays events from the Collector database based on specific selection criteria. Reporter Generates reports on events. Security Monitor Provides a near real-time display of events received directly from the Action Manager. How the Data Tools Process Events The subcomponents of the Data Tools process events depending on how the Action Manager routes the events to the Data Tools, and on where the events are stored: ■ ■ If the Action Manager sends the events to the Collector, which stores the events in its database, administrators can view the events using the Viewer or generate reports using the Reporter. If the Action Manager sends the events to the Security Monitor, administrators can view and act on events in near real time. About Supported Platforms The subcomponents of the Data Tools can run on the following platforms: Collector Database The database engine can be Microsoft SQL Server, Oracle or Microsoft Access. eTrust Audit does not include Microsoft SQL Server or Oracle. However, it includes a Microsoft Access database, which we do not recommend if you plan on collecting large numbers of events. The databases run on a variety of platforms as follows: ■ Windows NT, 2000, and XP ■ AIX ■ HP-UX ■ Solaris Viewer, Reporter, and Security Monitor The Viewer, Reported, and Security Monitor are all Windows-based applications and require Windows NT, 2000, or XP. 8 iRecorder Reference Guide for FoundStone FoundScan About eTrust Audit Audit Policy Manager The Policy Manager lets administrators activate and modify default policy rules provided with eTrust Audit. It also lets administrators write new policy rules. The policy rules specify filters for the events that are received at designated Routers, called Audit Nodes (AN) in the Policy Manager interface. Administrators can even define groups of ANs so that they can distribute policy rules to a number of systems. For example, you might create an AN group comprised of all systems where the eTrust Antivirus application is running. After the Router receives the policy rules, it works independently of the Policy Manager to filter events until the Policy Manager distributes a new version of the policy rules. The Policy Manager component includes the following: ■ ■ ■ Policy Manager GUI Distribution Server, a Windows service that distributes policies to the ANs (routers) Default policies, a set of pre-built policies based on Log Names. You can add other policies to this set by importing custom policies using the pmu_template_exchange.exe command. How the Policy Manager is Involved in Event Processing While default policy rules are provided and available for use after you install eTrust Audit, you must activate and distribute them to make them take effect on the servers where you have installed Clients. Therefore, to begin receiving events on any Client, an administrator must do the following: 1. Create ANs and AN groups. 2. Modify default policy rules (or create new ones) and associate the policy rules with an AN group. 3. Activate the policy rules. 4. Distribute the policy rules to the appropriate Clients. Based on the rules, events are filtered and routed to the various other components of eTrust Audit. See the eTrust Audit Policy Management Guide for information on how to create a policy, define groups of ANs, and distribute policies to AN groups. About Supported Platforms The Policy Manager runs on Windows NT, 2000, and XP. Welcome to iRecorder for FoundStone FoundScan 9 About Improving Security and Network Communications About Improving Security and Network Communications In today’s security-conscious environment, the eTrust Audit system encounters security-related obstacles as enterprises try to deploy it across large networks. The flexible implementation possibilities available with eTrust Audit let you install the Client components on various systems. For example, you might install recorders on remote systems and the rest of the Client components on a centralized server that routes events from a number of recorders. If any of these recorders are outside your firewall, you might experience some of the following problems: ■ ■ ■ ■ The RPC protocol is rarely permitted across firewalls because it uses dynamic TCP/UDP ports. RPC also lacks the secure communications standards that other protocols, such as TCP or HTTPS provide. eTrust Audit uses RPC to send events to the Router, deliver policies from the Policy Manager, and forward events to Collector and Security Monitor (OCRA). If any of these components are deployed across a firewall, the system may fail due to the firewall blocking RPC traffic. One solution is to use fixed TCP ports and open these ports on the firewall. However, the question of data protection against network spoofing or tampering remains open. Guaranteed delivery is enforced in OCRA but not in SAPI, thus running the risk of losing original events. Secure delivery through encryption is assured with OCRA but not with SAPI, which is the route taken by the events from the Recorder to the Router. This problem becomes critical when the Recorder is separate from the Router, where most often the Recorder is located outside the intranet and is thus unguarded against spoofing. There is no provision to ensure events are not tampered with during their journey from the Recorder to the Router. About the Role of iRecorders and iRouters Before we describe the role of iRecorders and iRouters, let's review the major tasks performed by eTrust Audit: ■ Harvest events from third-party sources, which is performed by SAPI recorders for the following applications: — Generic recorder for text log files — UNIX syslog recorder — NT event log recorder — SNMP recorder — Sybase recorder 10 iRecorder Reference Guide for FoundStone FoundScan About the Role of iRecorders and iRouters — Oracle recorder — DB2 recorder — MS SQL recorder — Check Point FW v. 4.1 — Cisco devices — Mainframe (CA-Top Secret, CA-ACF2, and RACF) ■ ■ Filter events and take action, which is performed by the Router and the Action Manager Store events, which is performed by the Collector The Policy Manager facilitates the management of which events are captured and distributes the policy rules which lets administrators establish and distribute the policy rules to the routers. However, the growing demand for recorders for new third-party sources of events coupled with network deployment concerns require an alternative method to harvest and route events. The following illustration with the additional components shows how you can deploy iRecorders and iRouters into an existing eTrust Audit implementation: Welcome to iRecorder for FoundStone FoundScan 11 About the Role of iRecorders and iRouters About the Role of the iRecorder Supplementing the recorder is the iRecorder, a special service (known as an iSponsor) that sends unsolicited data, such as events, to an event management system, such as eTrust Audit. Much like a recorder, you deploy iRecorders near or at the system that reports events to harvest them as easily and readily as possible. And unlike recorders, iRecorders can receive events from physical devices, applications, databases, or operating systems. In most cases, sources and systems are located on the same host. After it harvests events from the source, the iRecorder assigns an event classification (taxonomy) to events from similar sources, and maps information in the events as field-value pairs to a normalized data model. A common taxonomy and data model allows correlation from different sources. The field-value pairs are packed in an XML string and then sent to the iRouter. The iRouter converts the XML string into SAPI events and sends them to the local Router. Events are then processed and forwarded to the Action Manager, and then to the Security Monitor and/or Collector, according to the corresponding policy rules installed on the iRouter/Client host. The iRecorders contain a set of predefined policies to be imported in the eTrust Audit Policy Manager as part of the default policies (see the eTrust Audit Policy Management Guide). About the Role of the iRouter The iRouter is the bridge that links the HTTP-based iTechnology components with eTrust Audit. The iRouter converts data it receives in XML format into the SAPI protocol and sends the converted event to a Router. iRouter consists of the following components: iGateway Receives events from local iRecorders, remote iGateways, or remote iClients. iControl Receives events from an iGateway and routes them to another iGateway or to event plug-ins. epAudit Receives events from iControl, parses them into field-value pairs, and sends them to the local Audit Router using SAPI. 12 iRecorder Reference Guide for FoundStone FoundScan About the Role of iRecorders and iRouters Note: For the iRouter to properly send events to an existing eTrust Audit implementation, you must install the iRouter on the same system with a Router. For more information about iTechnology, see Introduction to iTechnology on page 43. About ARIES ARIES (Asynchronous Reporting, Information Extraction, and Signing module) is an add-on subsystem to the Collector database. ARIES enhances your ability to manage the Collector database as follows: ■ ■ ■ ■ ■ Create queries based on event-specific fields. These event-specific fields are embedded in the Event Details window when viewed with the Security Monitor or Viewer. They are not normally selectable using standard query language (SQL), and they are also not visible to report generator tools. Using ARIES, these fields are exposed and become selectable for queries and reports. Enables the creation of custom reports based on ARIES views. Prunes the Collector Database. You can periodically prune the database based on a recurring interval or based on other Collector fields. For example, you might run a job each night to prune the previous day's records. Or you might run a one-time job to prune all events matching some criteria, such as all Self-Monitor events. Creates digital signatures on selected events to guard against future data tampering. Provides a Web-based interface that let's you do the following: — Expose event-specific fields for all events or for a particular AN type. — Define fields to be included in views and to create views. — Define pruning parameters and start the prune task. — Select events to be tamper-proofed and start the tamper-proofing process. About Installing the iRecorder and iRouter Deploying iRecorders in an eTrust Audit environment requires the following actions: ■ Install the eTrust Audit system. ■ Install the iRouter on the same system as the Router. ■ Import any predefined policies distributed with your iRecorder to the Policy Manager. Welcome to iRecorder for FoundStone FoundScan 13 About the Role of iRecorders and iRouters ■ Activate and distribute the policy rules to the Routers and iRouters. Note: You must install the iRouter before you install an iRecorder, as the installation of the iRecorder requires the host address of the iRouter. 14 iRecorder Reference Guide for FoundStone FoundScan Chapter 2: How to Install and Configure the iRecorder This topics that follow describe how to install and configure the iRecorder for FoundStone FoundScan. You should review it before you install the iRecorder. The information assumes that FoundStone FoundScan is already installed and operational on some host. Hardware Requirements The iRecorder for FoundStone FoundScan has the following hardware requirements: ■ Pentium-III 400 MHz, 512 MB RAM, 10 GB HD ■ Approximately 20 MB of disk space for the iRecorder installation Software Requirements The system onto which you install the iRecorder for FoundStone FoundScan has the following software requirements: ■ ■ ■ Windows 2000 with Service Pack 2 or 3; or Windows XP with Service Pack 1 Microsoft SQL Server 2000 SP2 (can be upgraded to SP3 after FoundScan installation) FoundStone FoundScan 2.6 Preinstallation Steps Before you install the iRecorder, do the following: ■ Install the iRouter component on a host where eTrust Audit Client components are installed. Because the iRouter lets iRecorders communicate with eTrust Audit, the iRecorder installation prompts for the host where iRouter is installed. For more details on how to install the iRouter, see the iRouter Reference Guide. ■ Ensure that the Policy Manager and the Data Tools are installed somewhere on the network. How to Install and Configure the iRecorder 15 Installation Materials ■ Using the Windows ODBC Data Source Administrator, create a MS SQL Server System DSN to connect to the server where the FoundStone FoundScan database is located and change the default database to FaultLine. Installation Materials The iRecorder for FoundStone FoundScan is provided on the product CD and is also available for download from the Internet. Download the iRecorder To download and install an iRecorder from the Internet, follow these steps: 1. Download the following package into a local directory: iRecorder download package The package for your iRecorder is located at http://esupport.ca.com. You must choose the eTrust Audit product and then choose the link for iRecorders. The package is zipped and contains the iRecorder installation package and the iGateway installation package. 2. Unzip the download package. 3. Run the iRecorder install package. The iRecorder install package automatically installs the iGateway package, if needed. Locate the Installation Package on the CD The iRecorder installation package for FoundStone FoundScan is located on the eTrust Audit ARIES, iRecorders, and iRouter CD media. Install the iRecorder from the CD To install the iRecorder for FoundStone FoundScan, follow these steps: 1. Insert the CD into the CD drive. The Product Explorer should automatically start and display the installation menu. If the Product Explorer does not automatically start, click Start, Run and enter the following command: CD-Drive:\PE_I386.exe where CD-Drive is your CD drive letter designation. iRecorders are available on the ARIES, iRecorders, and iRouter CD. The versions for the different operating systems are in these directories: 16 iRecorder Reference Guide for FoundStone FoundScan Installation Materials 2. ■ Windows: \eTrust\Audit\iRecorders\WinNT ■ Linux: \eTrust\Audit\iRecorders\Linux ■ Solaris: \eTrust\Audit\iRecorders\Solaris Select the appropriate recorder from the list and follow the detailed installation instructions. Note: For Windows versions, if the install package for the iRecorder is not running already, run the executable package FoundScan_version.exe to start the installation of the FoundStone FoundScan iRecorder. Executing this package starts a wizard that guides you through installation and configuration of the iRecorder. Perform a Silent Installation for Windows Enter the following command to silently install the iRecorder for FoundStone FoundScan using an InstallShield response file: FoundScan_version.exe /s /f1“irecorder_setup.iss” The above example demonstrates the silent install capability provided by the iRecorder package. The response file in the example should be changed to reflect the particular conditions of the target environment. Perform a Silent Uninstallation for Windows Enter the following command to silently uninstall the iRecorder for FoundStone FoundScan using an InstallShield response file: FoundScan_version.exe /s /f1“irecorder_uninstall.iss” Customize Response Files for Silent Installation The response files provided with the package contain an example of a silent install session. You should customize the silent installation to fit your environment. How to Install and Configure the iRecorder 17 Configuration and Use Create a Response File for Windows Packages Note: The system must not contain the iRecorder for which you want to customize the silent installation. If the system has the iRecorder installed, uninstall the iRecorder using the Add/Remove Program option of the Control Panel. To create a custom response file that you can use for silent installation on similar Windows target systems, follow these steps: 1. Open a DOS window. 2. Change directory to the folder that contains the iRecorder package. On the CD that contains the iRecorders, the iRecorder package folder is: <CD Drive>:\eTrust\Audit\iRecorders\Winnt For instance, if G drive is the CD drive, the iRecorder package folder is: G:\eTrust\Audit\iRecorders\Winnt 3. Enter the following: iRecorderPackage_version.exe /r /f1"PathnameOfResponseFile" Where iRecorderPackage is the name of the package, version is the version number, and PathnameOfResponseFile is the full path of the response file. For example: FoundScan_version.exe /r /f1”C:\Temp\irecorder_setup.iss” 4. Follow instructions given by the installation procedure and install the package as you would do on the target system. 5. Click Finish. The response file is created. Configuration and Use The following topics describe how to configure and use the FoundStone FoundScan iRecorder. Start the iRecorder The iRecorder is run as a sub-component of the iTechnology-iGateway service. To start the iRecorder on Windows, start the iGateway service using one of the following methods: ■ Use the Services Management GUI (Start, Control Panel, Services or Administrative Tools, Services). 18 iRecorder Reference Guide for FoundStone FoundScan Configuration and Use ■ Issue the following command: net start igateway If your iRecorder runs on Unix or Linux, follow these steps to start the iGateway service: 1. Log in as root. 2. Enter the following command: /opt/CA/igateway/S99igateway start Stop the iRecorder The iRecorder is run as a sub-component of the iTechnology-iGateway service. To stop the iRecorder on Windows, stop the iGateway service using either of the following methods: ■ ■ Use the Services Management GUI (Start, Control Panel, Services or Administrative Tools, Services). Issue the following command: net stop igateway If your iRecorder runs on UNIX or Linux, follow these steps to start the iGateway service: 1. Log in as root. 2. Enter the following command: /opt/CA/igateway/S99igateway stop How to Configure the iRecorder iRecorder configuration parameters are kept in a configuration file usually located in the iGateway installation directory. The iRecorder configuration parameters are automatically set during iRecorder installation and do not require any changes for the normal operation of the iRecorder. The iRecorder configuration file for FoundStone FoundScan is named FoundScan.conf. The versions for the different operating systems are in these directories: ■ Windows: CD-Drive:\Program Files\CA\iGateway ■ UNIX or Linux: CD-Drive:/opt/CA/igateway If you do want to modify any parameters, you must do the following: How to Install and Configure the iRecorder 19 Configuration and Use 1. Stop the iTechnology iGateway service (or daemon) before making the changes. 2. After making the changes, restart the service for changes to take effect. Sample Configuration File The following is a sample FoundScan.conf configuration file and is for information only. You do not need to change any parameter for the iRecorder for FoundStone FoundScan: <ISponsor> <Name>FoundScan</Name> <ImageName>FoundScan</ImageName> <ISType>DSP</ISType> <DispatchEP>iDispatch</DispatchEP> <PreLoad>true</PreLoad> <Version>@VERSION@</Version> <MaxEventPerSecond>20</MaxEventPerSecond> <DSN>localhost</DSN> <User>sa</User> <Password></Password> </ISponsor> Enable Debugging You can configure the iRecorder to send debugging information to a debugging application or to a file. To enable debugging and log debug information to a file, follow these steps: 1. Stop the iRecorder by stopping the iTechnology iGateway Service. 2. Edit the iRecorder configuration file by adding the following <DebugLevel> tag between the <iSponsor> tags: <DebugLevel>{level}</DebugLevel> where {level} is one of the following: ISP_NOLEVEL Disables debugging. ISP_FILE Prints all debug messages to a debug application as well as writing it to a log file, irecordername.log, in the same directory as the iRecorder. The debug file may grow very quickly; to avoid possible disk space shortage, we recommend turning off the debugging option as soon as possible by replacing ISP_FILE by ISP_NOLEVEL. 3. Save the configuration file. 4. Start the iRecorder by restarting the iTechnology iGateway Service. 5. Send the debug file to CA Technical Support for further analysis. 20 iRecorder Reference Guide for FoundStone FoundScan Add and Manage Policies Add and Manage Policies You can add pre-packaged template policies to your Policy Manager and then use the Policy Manager to create your own custom rules. You can then activate and distribute them to function on routers throughout your enterprise. Add the Default Policy for FoundStone FoundScan to the Policy Manager To create a policy for the FoundStone FoundScan iRecorder, you must add the default policy template for FoundStone FoundScan to the Policy Manager. To add the default template, follow these steps: 1. Insert the ARIES, iRecorders, and iRouter CD in the CD drive of the Policy Manager system. 2. On the Policy Manager server, open the following file: [eTrust Auditinstall]\bin\pmu_template_exchange.exe. where [eTrust Auditinstall] is the directory where eTrust Audit is installed. The following window appears: 3. Choose Import Policy Template from binary file, and then click Next. You are asked for the policy filename for your iRecorder. 4. Enter the path where the following file is located, which is a policy file made exclusively for FoundStone FoundScan: eTrust Audit FoundScan Policy.ptf How to Install and Configure the iRecorder 21 Add and Manage Policies The policy file is on the iRecorders CD at this location: \Tools\Sample Policies\eTrust Audit FoundScan Policy.ptf. Note: If there is no specific ptf file (eTrust Audit FoundScan Policy) available, then default policies already exist in the Policy Manager that you can use for FoundStone FoundScan. You can skip this procedure. 5. Click Next. A dialog appears that describes the chosen policy file. 6. Click Next again. A dialog appears and asks if you want to create the policy in the default policies section. 7. Click Yes and then click Next. A dialog appears that asks you for the name of the subpolicy for FoundStone FoundScan. 8. Enter FoundStone FoundScan as the name of the inserted subpolicy, and click Finish. The default policy is loaded into the Policy Manager. Create an AN Group Now you must create an Audit Node (AN) Group, a group of network nodes that become available targets to which you can apply your policies. To create an AN group, follow these steps: 1. Open the eTrust Audit Policy Manager if it is not already open. 2. On the left pane, click Audit Nodes. 3. Right-click the Targets node, and from the pop-up menu choose New Group. 4. Give the new group the name FoundStone FoundScan. 5. Click OK. Select an AN Type Now you must create an Audit Node (AN) Type for the AN group you just created, which sets the kind of events the group of nodes will be handling. To create an AN type, follow these steps: 1. Open the eTrust Audit Policy Manager if it is not already open. 2. On the left pane, click Audit Nodes. 22 iRecorder Reference Guide for FoundStone FoundScan Add and Manage Policies 3. Right-click the FoundStone FoundScan group (which you created in the last step) and from the pop-up menu choose New AN. 4. Enter the host name of the iRouter that you configured the iRecorder to communicate with. 5. Select the AN type as FoundStone FoundScan. 6. Enter a description for the AN node. 7. Click OK. 8. Repeat steps 3 through 7 for each iRouter in your network that communicates with an iRecorder for FoundStone FoundScan. Create a Policy Folder Now you can create a policy folder to hold the policies available for deployment onto your Audit Nodes (AN). To create a policy folder, follow these steps: 1. Open the eTrust Audit Policy Manager if it is not already open. 2. On the left pane, click Policies. 3. From the main menu bar, select File and choose New. 4. Select Policy Folder (this should be the only available option) and give the folder the name FoundStone FoundScan. 5. Click OK. Copy the Default Policies Now you have your new FoundStone FoundScan policy folder, so you can copy the prefabricated default policies from the template folder to your own new folder to use them. Using this method allows you to add rules and actions to your own policies without affecting the default polices. To copy a policy, follow these steps: 1. Open the eTrust Audit Policy Manager if it is not already open. 2. On the left pane, click Policies. 3. Expand the Default Policies folder to display the FoundStone FoundScan default policy folder. 4. Copy the policies in the FoundStone FoundScan default folder and then paste them into the new policy folder you just created, which you named FoundStone FoundScan. How to Install and Configure the iRecorder 23 Add and Manage Policies Add Actions to the Rules Policies are made up of rules, and you can add actions to the rules in your own policies. To add actions to a rule, follow these steps: 1. Open the eTrust Audit Policy Manager. 2. On the left pane, click Policies. 3. Expand your FoundStone FoundScan folder to display the policies in it. An action must be defined for each rule. For the purposes of this guide, we will define an action for the All Events rule. 4. Right-click the All Events rule, and from the pop-up menu choose Properties. 5. Click the Action tab. 6. Check the box for the Collector action. 7. Click Add, and enter the host name or IP address of the eTrust Audit Collector. 8. Repeat Steps 6 and 7 for the Security Monitor action. 9. Click OK. In the tree view, the icon for the All Events rule turns from a white bell to a blue bell. Attach the Rule to an AN Group Once you have rules created, you can attach those rules to the AN groups you created. To attach a rule to an AN group, follow these steps: 1. Open the eTrust Audit Policy Manager if it is not already open. 2. On the left pane, click Policies. 3. From the tree view, expand the FoundStone FoundScan policy folder. 4. Right-click the FoundStone FoundScan policy folder, and from the pop-up menu choose Attach AN Group. 5. Select the FoundStone FoundScan AN group, and click OK. Activate the Rule Now that your rules are assigned to AN groups, you can activate them. 24 iRecorder Reference Guide for FoundStone FoundScan How Event Route Testing Works To activate a rule, follow these steps: 1. Open the eTrust Audit Policy Manager if it is not already open. 2. On the left pane, click Policies. 3. From the tree view, expand the FoundStone FoundScan policy folder. 4. Right-click the FoundStone FoundScan policy folder, and from the pop-up menu choose Activate. A confirmation dialog appears. 5. Click OK. Verify the Rule Is in Effect To verify the rule in effect, follow these steps: 1. Open the eTrust Audit Policy Manager. 2. On the left pane, click Audit Nodes. 3. Select the FoundStone FoundScan group, and verify for each AN that there are no errors. If there are no errors, a key icon appears beside the name of an AN. Sample Rules The eTrust Audit FoundScan Policy.ptf includes the following sample rules: All Events Detect all events for FoundStone FoundScan. FTP - Anonymous FTP account permissions Collects events where the permissions for an FTP anonymous account are inappropriate. SQL Server - sa password set to NULL Collects events where the sa account has an null password. Windows NT - Null Administrator Password Collects events where the Windows NT administrator password is null. How Event Route Testing Works So far, you should have performed the following tasks: ■ Installed the iRouter ■ Installed the iRecorder How to Install and Configure the iRecorder 25 How Event Route Testing Works ■ Added policy rules and distributed them to the routers Now, you can test the system to see if events are being sent through the system. The basic flow that test events follow is this: 1. Events that match a policy rule occur on the host system where the iRecorder is installed. 2. Events are sent to the iRouter, which sends the events to the Router. 3. Policy rules sent to the Router are checked to see if the events are sent to the Action Manager or discarded. 4. Events that match policy rules with actions are reviewed by the Action Manager and the action is taken. 5. In the case of this event, the Action Manager sends the event to the Security Monitor. Test Event Routing for FoundStone FoundScan To test event routing (and verify that the iRecorder is installed properly and sending events to eTrust Audit), follow these steps: 1. Install the iRecorder and iRouter on a host as described in the installation instructions. 2. Start eTrust Audit Policy Manager and define a policy for FoundStone FoundScan events received by the host where iRouter and other Audit Client components are installed. 3. Create a test policy with a rule that sends all events to the eTrust Audit Security Monitor (no filter with Action set to Security Monitor). If there is no defined policy (rule and action), eTrust Audit ignores the events. You can find more details on how to create a policy in the eTrust Audit Policy Management Guide. 4. Create a Scan Job using the FoundScan GUI and run the job. Verify that events are generated as new vulnerabilities are found. 5. Verify that the generated events are displayed in the eTrust Audit Security Monitor. iRecorders also support standard iTechnology SDK tools (like TestHarness and Spin interface) to query the iRecorder for current status and configuration information. For more details on these tools, see the iTechnology SDK Reference Guide. 26 iRecorder Reference Guide for FoundStone FoundScan Chapter 3: How to Prepare Event Data for Custom Reports You can use third-party reporting applications to create custom reports based on the events stored in the Collector. To do this, you must follow this process: 1. Ensure that the events you want to view are in the Collector DB. 2. Run ARIES to expose fields in the events that you want to select for your reports. 3. Use your third-party reporting application to select records for viewing. Description of Table Columns The following table suggests some selection criteria for reports of general interest. The columns in the table contain the following: ■ The first contains the Report Name. ■ The second contains the eTrust Audit Logname. ■ ■ The third contains additional criteria. These are one or more additional fields that you can use to narrow the range of events to be included in the report. The fourth contains a comment that specifies whether the field name is in the eTrust Audit MSGTEXT field or not. Note: The MSGTEXT field is a free-form text field that can contain several fields. Because the MSGTEXT field contains multiple field name and field value pairs, you must search the MSGTEXT field using wild card characters to select the specific field names and values. You can use ARIES to expose fields in the MSGTEXT field. Then, you can use third-party report generators to select directly these exposed fields as you would other fields in the Audit database, such as LOGNAME. See the following ARIES topics. Sample Report Selection Criteria for FoundStone FoundScan Events The following table contains Sample Report Selection Criteria for FoundStone FoundScan: Report Logname AND additional criteria (format field name : field value) Comment How to Prepare Event Data for Custom Reports 27 Use ARIES to Expose Fields Specific to FoundStone FoundScan FTP - Anonymous FTP account permissions FoundStone FoundScan Check_Id: "CAN-1999-0527" Check_ID is found in the MSGTEXT column Windows NT - Null Administrator Password FoundStone FoundScan Check_Id: "CAN-1999-0506" Check_ID is found in the MSGTEXT column SQL Server - sa password set to NULL FoundStone FoundScan Check_Id: "CAN-2000-1209" Check_ID is found in the MSGTEXT column Use ARIES to Expose Fields Specific to FoundStone FoundScan All eTrust Audit events have the following fields stored in the Audit database. In parentheses are the field labels as they appear in Security Monitor or Audit Viewer. TIMSTAMP (Time Stamp) Displays the date and time of occurrence of the event. LOGNAME (Log Name) Displays the logical name of the event’s source. COMPUTERNAME (Computer Name) Displays the host name (without the domain). DOMAINNAME (Domain Name) Displays the domain name in a fully qualified host name. USERNAME* (User Name) SOURCE* (Source) EVENTCATEGORY* (Event Category) Predefined names for various event groupings EVENTTYPE* (Type displayed as icon) Field that can be set to one of the following values: Failure, Error, Success, Information, Warning. EVENTID* (Event ID) MSGTEXT A field name internal to the eTrust Audit database. The field itself is not visible directly on the Security Monitor or Audit Viewer. Using the mouse to double-click on a specific event reveals the contents of this field as the Description field in the Event Details pop-up window. 28 iRecorder Reference Guide for FoundStone FoundScan Use ARIES to Expose Fields Specific to FoundStone FoundScan *Although USERNAME, SOURCE, EVENTTYPE, and EVENTID can depend on the event, most of the event-specific fields are contained in the MSGTXT field. How To Expose Specific Events for FoundStone FoundScan To expose FoundStone FoundScan-specific event fields, use the ARIES Web interface to: 1. Create a job. 2. Define a load policy using LogName = FoundStone FoundScan. 3. Define an appropriate DB Poll Interval (in seconds) to run the job periodically. 4. (Optional) Include/exclude any column filter to select the specific FoundStone FoundScan-specific fields of interest. 5. Start the job. After the job starts, it creates, if necessary, a new table called AuditExtendString. Each field within the MSGTXT field in the eTrust Audit database is extracted and entered in the AuditExtendString table as one row. How To Create a View of FoundStone FoundScan on the eTrust Audit Database To create a view of FoundStone FoundScan on the eTrust Audit database, use the ARIES Web interface to: 1. Create a job. 2. Define a view policy. 3. Define a DB Poll Interval (in seconds) to have the job periodically scan the AuditExtendString table. 4. Optionally include/exclude any column filter to select the specific FoundStone FoundScan-specific fields of interest. 5. Start the job. A view called AUD_VIEW_LOG_ProductName will be created and information from eTrust Audit database and AuditExtendString are included every DB Poll Interval seconds. See the ARIES Reference Guide for more information and specific steps. How to Prepare Event Data for Custom Reports 29 About Report Generation based on ARIES Tables About Report Generation based on ARIES Tables After you have created the event-specific table for FoundStone FoundScan, you can use any SQL-based report generator to create SQL statements against the table. For example, specify the AUD_VIEW_LOG_ProductName table as a table from which to select criteria to generate a report. See eTrust Audit Field Mapping for a list of fields that you can select using the ARIES view. 30 iRecorder Reference Guide for FoundStone FoundScan Chapter 4: eTrust Audit Field Mapping Fields in FoundStone FoundScan events are captured by the iRecorder and mapped to a standard set of normalized fields. eTrust Audit requires all iRecorders to follow a standard Data Model and Taxonomy. The iRecorder maps the native FoundStone FoundScan fields into fields in the eTrust Audit Collector database. About Mandatory Fields Mandatory fields are a fixed set of fields that are added to each event processed by any iRecorder. The following information describes what values are assigned to the mandatory fields in the FoundStone FoundScan. Field Name Field Value Description Taxonomy <Category>.<System>.<Action>. <Result>.<Severity> See the following table for further breakdown of Taxonomy Date Timestamp The time is retrieved from the log file(s) being monitored. The time is when the event occurred. TimeZone timezone in +/- seconds format (calculated from GMT) TimeZone of system where iRecorder is installed Src Table name Table name that the main event was retrieved from Log “FoundStone FoundScan” Location Host name Location (Host name) where FoundScan Database resides Recorder “FoundStone FoundScan” The name of the iRecorder that collected the event Version Version Number The version number of the iRecorder About the Taxonomy Field The following table provides field names, possible values, and descriptions that can appear in the Taxonomy field: eTrust Audit Field Mapping 31 About Mandatory Fields Possible Values Description Category Vulnerability Assessment System Agent Only monitoring for results of scans Action Scan or Scan_[CVE] or Scan_[Name] Depends on whether CVE ID or vulnerability name is available Result N Result always set to “N” as a new event always signifies a new vulnerability was found Severity [variable] Based on risk, if Vulnerability, SQL Guess or Smart GuessWork - “W” if 1-3 (Low) - “C” if 4-6 (Medium) - “F” if 7-10 (High) ”I” if Service Found ”W” if Source Code Disclosure, Brute Force or Web Vulnerability About Normalized Fields Normalized fields are eTrust Audit field names that are mapped or translated from the native event field names according to the classification of the iRecorder. Normalized fields are common across all products in the same classification. The Taxonomy field, one of the mandatory fields, defines the classification for this iRecorder. Normalized Fields for FoundStone FoundScan The following table shows the normalized fields for the Manager System: eTrust Audit Field FoundScan Field Name Description Check_Id CVE CVE (or CAN) Id, Microsoft Security Advisory number, Cert Advisories ID, Computer Associates Id Number (CAID), or custom check name. The following table shows the normalized fields for the Server System: 32 iRecorder Reference Guide for FoundStone FoundScan About Product-Specific Fields eTrust Audit Field FoundScan Field Name Description Check_Id CVE CVE (or CAN) Id, Microsoft Security Advisory number, Cert Advisories ID, Computer Associates Id Number (CAID), or custom check name. Target_Host DNSName DNS Name of affected host The following table shows the normalized fields for the Agent System: eTrust Audit Field FoundScan Field Name Description Check_Id Text CVE (or CAN) Id, Microsoft Security Advisory number, Cert Advisories ID, Computer Associates Id Number (CAID), Nessus plugin id or custom check name. Service ServiceName Service name (eg telnet, ftp, ..) Port Port TCP or UDP port number Protocol Protocol IP protocol name or number (eg, udp or tcp) About Product-Specific Fields Product Specific fields are native event fields that are not mapped or translated by the iRecorder. These fields are sent to eTrust Audit with a minor change: all characters in the field names that are not letters, digits or underscores are converted to underscores. To avoid name clashes with other products or with eTrust Audit itself (for example, the Status field), these fields are also prefixed by the product name followed by an underscore, such as eVM_, cisco_, ccure_. Product-Specific Fields for FoundStone FoundScan All events are extracted from the FaultLine Database. Refer to the FoundScan Database Relations document for the Database Schema. eTrust Audit Field Mapping 33 About Product-Specific Fields This section details the mapping of FoundScan specific information into fields that are unique to Vulnerability Assessment Applications and are not required by eTrust Audit. The information is presented in the following tables. The iRecorder sends a limited set of fields by default. It is possible to configure the iRecorder to send the additional fields marked with an asterisk (*), but it is not recommended due to the size of the data that will be transmitted. The following table shows All Events: eTrust Audit Field Name FoundScan Field Name Description CompanyName CompanyName Organization Name to which Scan Job belongs ConfigurationName ConfigurationName Configuration Name to which Scan Job belongs JobName JobName Scan Job Name Target_Host DNSName DNS Name of affected host Target_IP IPAddress IP Address of affected host Target_OS OSName OS Name of affected host HostID HostID FoundScan Internal ID of affected host *Target_NBName NBName NetBIOS name of affected host *Target_NBWorkGroup NBWorkgroup NetBIOS Workgroup name of affected host *Target_Alive Alive True if host is alive *Target_Virtual Virtual True/False *Target_ICMP ICMP True/False *Target_IdentifyWith IdentifyWith *Target_Wireless Wireless *Target_Subscan Subscan *Target_Batch Batch True/False Some of the events share many common fields; they are listed in the tables below and are referenced in the specific tables as +TableName: The following table shows the Service field: 34 iRecorder Reference Guide for FoundStone FoundScan About Product-Specific Fields eTrust Audit Field Name FoundScan Field Name ServiceID ServiceID Service ServiceName Port Port Protocol Protocol *Service_Description Description *Service_Detail Detail Description The following table shows the Site field: eTrust Audit Field Name FoundScan Field Name Site_key Site_key Site_name Site_name *Site_ip Site_ip *Site_port Site_port *Site_protocol Site_protocol *Site_baseurl Site_baseurl *Site_dfmaxlink Site_dfmaxlink *Site_dflevel Site_dflevel *CrawlCompleted CrawlCompleted Description True/False The following table shows the Url field: eTrust Audit Field Name FoundScan Field Name Url_Key Url_key Url_link Url_link Url_Resource Url_Resource *Url_path Url_path Description eTrust Audit Field Mapping 35 About Product-Specific Fields eTrust Audit Field Name FoundScan Field Name *Url_ResourceType Url_ResourceType *Url_Querystring Url_Querystring *Url_Responsecode Url_Responsecode *Url_AuthReqd Url_AuthReqd *Url_form Url_form *Url_script Url_script *Url_cookie Url_cookie *Url_header Url_header Url_applet Url_applet Url_activex Url_activex Description Every event can be categorized as one of the following: ■ Vulnerability Scan ■ Web Vulnerability Scan ■ Service Scan ■ Smart Guess Result ■ SQL Guess Result ■ Brute Force Result ■ Source Code Result Each type of event has specific fields and they are listed in the tables below: The following table shows the Vulnerability Scan event layout: eTrust Audit Field Name FoundScan Field Name Description { NID} NID NID of vulnerability {Anchor} VulnFoundID VulnFoundID Check_ID CVE CVE (or CAN) Id 36 iRecorder Reference Guide for FoundStone FoundScan About Product-Specific Fields eTrust Audit Field Name FoundScan Field Name Description *Check_Desc Description Vulnerability Description Check_Name Vulnerability Name Risk Risk level associated with Vulnerability FaultLineID FaultLineID BID BID *Type Type *Observation Observation *RiskText RiskText *Recommendation Recommendation *ExploitDate ExploitDate *Simplicity Simplicity *Popularity Popularity *Impact Impact *ExploitLink ExploitLink *AftershockID AfterShockID *ISSID ISSID *Person Person *CyberID CyberID *LHF LHF *ExploitDataType ExploitDataType *Intrusive Intrusive *AddedDate AddedDate *ModifiedDate ModifiedDate *DeletedDate DeletedDate *Status Status *Customized Customized True/False True/False True/False The following table shows the Web Vulnerability Scan event layout: eTrust Audit Field Mapping 37 About Product-Specific Fields eTrust Audit Field Name FoundScan Field Name {Anchor} vuln_key Check_Id Vuln_id WebVuln_server Vuln_server WebVuln_sversion Vuln_sversion WebVuln_method Vuln_method WebVuln_request Vuln_request *WebVuln_protocol Vuln_protocol *WebVuln_check Vuln_check *WebVuln_rescode Vuln_rescode *WebVuln_pattern Vuln_pattern *Check_Desc Vuln_details Description +Service +Site The following table shows the Service Scan event layout: eTrust Audit Field Name Possible Field Values {Anchor} ServiceFoundID Banner Banner Description +Service The following table shows the Smart Guess Result event layout: eTrust Audit Field Name FoundScan Field Name {Anchor} SmartResultID Risk SmartAttackRisk SmartRequest SmartRequest SmartResponse SmartResponse 38 iRecorder Reference Guide for FoundStone FoundScan Description About Product-Specific Fields eTrust Audit Field Name FoundScan Field Name SmartContent SmartContent SmartAttackID SmartAttackID SmartAttackType SmartAttackType *SmartAttackString SmartAttackString *SmartAttackExtension SmartAttackExtension *SmartAttackExpectedResCode SmartAttackExpectedResCode *SmartAttackExpectedResPattern SmartAttackExpectedResPatte rn *SmartAttackCheckLogic SmartAttackCheckLogic *SmartAttackExHeader SmartAttackExHeader *SmartAttackRecommendation SmartAttackRecommendation Description +Service +Site +Url The following table shows the SQL Guess Result event layout: eTrust Audit Field Name FoundScan Field Name {Anchor} SqlResultID Risk SqlAttackRisk SqlRequest SqlRequest SqlResponse SqlResponse SqlContent SqlContent SqlAttackID SqlAttackID SqlAttackType SqlAttackType *SqlAttackString SqlAttackString *SqlAttackPosition SqlAttackPosition *SqlAttackExtension SqlAttackExtension *SqlAttackExpectedResCode SqlAttackExpectedResCode Description eTrust Audit Field Mapping 39 About Product-Specific Fields *SqlAttackExpectedResPattern SqlAttackExpectedResPattern *SqlAttackCheckLogic SqlAttackCheckLogic *SqlAttackExHeader SqlAttackExHeader *SqlAttackRecommendation SqlAttackRecommendation +Service +Site +Url The following table shows the Brute Force Result event layout: eTrust Audit Field Name FoundScan Field Name {Anchor} BruteResultID Url_link Url_link Url_Username Url_Username Url_Password Url_Password Url_Responsecode Url_Responsecode Description +Service +Site +Url The following table shows the Source Code event layout: eTrust Audit Field Name FoundScan Field Name {Anchor} SCodeResultID SCodeRequest SCodeRequest SCodeResponse SCodeResponse SCodeData SCodeData SCodevulnID SCodevulnID SCodevulnType SCodevulnType *SCodevulnurl SCodevulnurl 40 iRecorder Reference Guide for FoundStone FoundScan Description About Product-Specific Fields *SCoderesourcetype SCoderesourcetype *SCodecheck SCodecheck *SCoderesponsecode SCoderesponsecode *SCodepattern SCodepattern *SCodeadhead SCodeadhead *SCodereco SCodereco +Service +Site +Url eTrust Audit Field Mapping 41 Appendix A: Introduction to iTechnology iTechnology is a Computer Associates technology based on Web standards such as HTTP, HTTPS, HTML, XML, and SSL. It provides a framework to create and deploy Web services across the Internet. iTechnology building blocks are: iGateway A Web server iSponsor A Web service loadable by iGateway. Some notable examples of iSponsors are as follows: iControl An iSponsor regulating the flow of events (unsolicited data). iRecorder An iSponsor that harvests events from devices, log files, databases, applications and sends them through iControl. iReflect A detached iSponsor; that is, it is not loaded directly by an iGateway. Event Plugin A Web service loadable by iControl. Spindle An iSponsor serving Web pages. iClient A standalone Web client. iGateway iGateway is a special Web server. It runs as Windows service or UNIX/Linux daemon process. Its purpose is to receive requests and send replies using the HTTP protocol. It also supports the HTTPS protocol for data protection against eavesdropping and tampering over the Internet. The format of request and reply is HTML and XML. The iGateway sends the requests using HTTP GET, HTTP POST or SoapAction. iGateway receives requests from any of the following sources: ■ Web browser ■ iGateway (iGateways can receive requests from other iGateways.) iSponsor ■ iReflect ■ iClient ■ A local iSponsor (for unsolicited event sending) The iGateway redirects these requests to its underlying Web services called iSponsors. Based on the request, appropriate replies in XML/HTML format are built by iSponsor and sent back to the requestor using the iGateway. All network communications use the TCP iTechnology port 5250. In a protected environment, you should open this port in the firewalls and border routers to allow iTechnology communications. This is similar to allowing HTTP traffic through firewalls (port 80). iSponsor An iSponsor is a dynamically loadable library that can be pre-loaded at startup or loaded on-demand when a request is destined to the specific iSponsor. It is a plug-in to iGateway. It exposes selected APIs to iGateway when loaded. Requests to an iSponsor specify which service it needs from iSponsor. The specified service includes the API (also called methods) and parameters. iGateway invokes the method and passes the parameters to the corresponding iSponsor. The iSponsor’s method returns an HTML or XML response. The response is forwarded to the requestor. An iSponsor can have a plugin that sends data to a non-iTechnology application or device. The sending protocol depends on the application or device and is not necessarily HTTP. All iSponsors implement two standard methods: describe Returns the sponsor’s name and version. define Returns all the methods defined in the sponsor. In addition, each iSponsor can implement other methods to support the iSponsor’s specific functionalities. You can create an iSponsor using the iTechnology SDK or iRecorder SDK. Use the iRecorder SDK to create iRecorders only. Examples of iSponsors Examples of iSponsors are: 44 iRecorder Reference Guide for FoundStone FoundScan iSponsor iRegistry Scans a specified portion of an Internet network for active iGateway hosts and lists existing iGateway hosts on the network. iRegistry includes a plug-in to store discovered iGateway hosts in a repository. This iSponsor is included in the iGateway/iRecorder distribution. iAuthority Plays the role of a trusted Central Authority (CA) for registered iGateways. It distributes and revokes digital certificates for authentication and authorization of trusted iGateways. Any request to privileged methods in an iSponsor must be accompanied by a valid digital certificate distributed by iAuthority. The request can be rejected by the iSponsor if the privileges granted by the certificate are not sufficient to run the method. This iSponsor is included in the iGateway/iRecorder distribution. iControl Plays a central role in iTechnology event management system. For eTrust Audit, this iSponsor controls the flow of eTrust Audit events, from the iRecorder to the Router. iControl can include plug-ins called Event Plugins. One of the event plug-ins is epAudit. iControl is included in the iGateway/iRecorder distribution. iRecorder Is a special iSponsor whose purpose is to get events from sources such as applications, devices, operating systems. iControl is a critical component for iRecorder. All event traffic must pass through iControl. Without it, iRecorder is practically “mute”. Important features of iControl include the following: Persistent Connection HTTP and HTTPS are normally used for short-lived connections that last for a single request-reply communication. This means that when a reply is received, the connection is terminated. This does not fit well with the constant flow of events, which could deplete system resources in terms of connections and may trigger a false alarm of denial-of-service attack on intermediary routers or firewalls. You can configure iControl to use persistent connections or long-lived connections to send all events through one connection to the remote iControl. This method of sending is more efficient in terms of effective throughput and more economical in terms of system resources. You can configure this option using the EventUsePersistentConnections parameter. Use of HTTPS You can enforce HTTPS use in iControl by setting the EventUseHttps parameter. HTTPS encrypts data before sending it over HTTP, thus ensuring data privacy on the wire. iSponsor Event Signing Event signing guarantees that an event is not tampered with during its transit to the remote iControl. You can turn it off using the IgnoreSignature parameter. Guaranteed Delivery Events that are sent from the iGateway host are guaranteed to reach its specified destination. If the destination is unavailable, events are temporarily stored in a local storage. Only when events have reached its intended destination are they removed from the local storage. Event Pushing or Routing When iControl sends events, it can use two methods: push or pull. In Push method, the sender iControl initiates the communication and send events to the destination host, called the RouteEventHost. The iRecorder installation script prompts and sets this important configuration parameter in iControl.conf file. Event Pulling or Storing In Pull method, the sender iControl passively waits for the destination to call it before sending out events. During the wait, the sender iControl stores the events for the destination or StoreEventHost. The destination iControl, by contrast, retrieves the events from the sender or RetrieveEventHost. Thus, you can configure an iRecorder to set the StoreEventHost if you use the Pull method. The Pull method is particularly suitable for network environments where only outgoing traffic is allowed. Bridge to eTrust Audit (iRouter) When iRouter is installed, an event plug-in called epAudit is attached to iControl. This plug-in receives events from iControl, converts XML format into SAPI calls and finally sends the converted event to the local eTrust Audit Router using the SAPI protocol. An iReflect acts like a “detached” iSponsor. This means it is not loaded by the iGateway but by a non-iTechnology application. It acts like an iSponsor in the following ways: ■ ■ ■ ■ ■ It is a dynamically loadable library like an iSponsor. After it’s loaded by the application, it registers with the local iGateway and exposes its methods. It receives HTTP and HTTPS requests from the local iGateway and returns responses to it. Since an iReflect must be able to receive requests from its local iGateway at any time, it runs a thread that continuously listens on iTechnology port 5250. Thus it is represented in the diagram as an oval to denote it’s a running thread within the non-iTechnology application. One example of iReflect used to send events to eTrust Audit is the Unicenter EM iRecorder. 46 iRecorder Reference Guide for FoundStone FoundScan iSponsor iClient acts as a Web browser. It sends requests to an iGateway and receives replies from it. However an iClient cannot receive requests from an iGateway and it cannot publish its internal methods for an iGateway to use. Therefore you can deploy an iClient component in the following ways: ■ ■ As a dynamically loadable library to be loaded by a non-iTechnology application As a standalone program