Download iRecorder Reference Guide for FoundStone

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts

Database model wikipedia , lookup

Transcript
eTrust Audit
™
iRecorder Reference Guide for FoundStone
FoundScan
1.5 Service Pack 3
G002131E
This documentation and related computer software program (hereinafter referred to as the “Documentation”) is for
the end user’s informational purposes only and is subject to change or withdrawal by Computer Associates
International, Inc. (“CA”) at any time.
This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part, without
the prior written consent of CA. This documentation is proprietary information of CA and protected by the copyright
laws of the United States and international treaties.
Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation for
their own internal use, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only
authorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of the
license for the software are permitted to have access to such copies.
This right to print copies is limited to the period during which the license for the product remains in full force and
effect. Should the license terminate for any reason, it shall be the user’s responsibility to return to CA the reproduced
copies or to certify to CA that same have been destroyed.
To the extent permitted by applicable law, CA provides this documentation “as is” without warranty of any kind,
including without limitation, any implied warranties of merchantability, fitness for a particular purpose or
noninfringement. In no event will CA be liable to the end user or any third party for any loss or damage, direct or
indirect, from the use of this documentation, including without limitation, lost profits, business interruption,
goodwill, or lost data, even if CA is expressly advised of such loss or damage.
The use of any product referenced in this documentation and this documentation is governed by the end user’s
applicable license agreement.
The manufacturer of this documentation is Computer Associates International, Inc.
Provided with “Restricted Rights” as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) or
DFARS Section 252.227-7013(c)(1)(ii) or applicable successor provisions.
 2004 Computer Associates International, Inc.
All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
Contents
Chapter 1: Welcome to iRecorder for FoundStone FoundScan
5
Who Should Read this Guide .......................................................................................................................5
About eTrust Audit........................................................................................................................................5
Audit Client .........................................................................................................................................6
Audit Data Tools.................................................................................................................................7
Audit Policy Manager ........................................................................................................................9
About Improving Security and Network Communications ..................................................................10
About the Role of iRecorders and iRouters ..............................................................................................10
About the Role of the iRecorder......................................................................................................12
About the Role of the iRouter .........................................................................................................12
About ARIES .....................................................................................................................................13
About Installing the iRecorder and iRouter ..................................................................................13
Chapter 2: How to Install and Configure the iRecorder
15
Hardware Requirements.............................................................................................................................15
Software Requirements ...............................................................................................................................15
Preinstallation Steps.....................................................................................................................................15
Installation Materials ...................................................................................................................................16
Download the iRecorder..................................................................................................................16
Locate the Installation Package on the CD ....................................................................................16
Install the iRecorder from the CD...................................................................................................16
Perform a Silent Installation for Windows....................................................................................17
Perform a Silent Uninstallation for Windows...............................................................................17
Customize Response Files for Silent Installation..........................................................................17
Configuration and Use ................................................................................................................................18
Start the iRecorder ............................................................................................................................18
Stop the iRecorder.............................................................................................................................19
How to Configure the iRecorder ....................................................................................................19
Enable Debugging ............................................................................................................................20
Add and Manage Policies ...........................................................................................................................21
Add the Default Policy for FoundStone FoundScan to the Policy Manager ............................21
Create an AN Group ........................................................................................................................22
Select an AN Type ............................................................................................................................22
Create a Policy Folder ......................................................................................................................23
Copy the Default Policies.................................................................................................................23
Add Actions to the Rules .................................................................................................................24
Attach the Rule to an AN Group ....................................................................................................24
Contents iii
Activate the Rule...............................................................................................................................24
Verify the Rule Is in Effect ...............................................................................................................25
Sample Rules .....................................................................................................................................25
How Event Route Testing Works ..............................................................................................................25
Test Event Routing for FoundStone FoundScan ..........................................................................26
Chapter 3: How to Prepare Event Data for Custom Reports
27
Description of Table Columns....................................................................................................................27
Sample Report Selection Criteria for FoundStone FoundScan Events .................................................27
Use ARIES to Expose Fields Specific to FoundStone FoundScan..........................................................28
How To Expose Specific Events for FoundStone FoundScan.....................................................29
How To Create a View of FoundStone FoundScan on the eTrust Audit Database .................29
About Report Generation based on ARIES Tables ..................................................................................30
Chapter 4: eTrust Audit Field Mapping
31
About Mandatory Fields .............................................................................................................................31
About the Taxonomy Field..............................................................................................................31
About Normalized Fields ................................................................................................................32
About Product-Specific Fields....................................................................................................................33
Product-Specific Fields for FoundStone FoundScan....................................................................33
Appendix A: Introduction to iTechnology
43
iGateway .......................................................................................................................................................43
iSponsor.........................................................................................................................................................44
Examples of iSponsors .....................................................................................................................44
iv iRecorder Reference Guide for FoundStone FoundScan
Chapter 1: Welcome to iRecorder for
FoundStone FoundScan
This guide describes how to install, configure, and use the eTrust™ Audit
iRecorder for FoundStone FoundScan. This iRecorder harvests log data from
FoundStone FoundScan and forwards it to an eTrust Audit Client.
Who Should Read this Guide
This guide is for system administrators who may install the iRecorder on
network servers and for security professionals who will create policies to handle
FoundStone FoundScan events after the iRecorder is installed.
About eTrust Audit
As the system administrator for a server onto which the iRecorder is being
installed, you need to know a few basics about eTrust Audit so that you can
understand the relationship of the iRecorder you are about to install on your
system and the eTrust Audit system operating in your enterprise.
eTrust Audit is a system that enables security managers to identify and capture
security-related events on systems throughout the enterprise. After the events
are captured they can be reviewed, stored, or acted on based on policies. The
iRecorder that you are about to install receives the events from the application or
device. Based on an eTrust Audit policy, the iRecorder ignores the event or
routes it through the remaining components of eTrust Audit.
The major components of eTrust Audit are as follows:
■
Client
■
Data Tools
■
Policy Manager
While these components can be installed on the same host (if it runs Windows
NT, 2000 or XP), it is more likely that these components are distributed among
several different hosts throughout your enterprise.
Welcome to iRecorder for FoundStone FoundScan 5
About eTrust Audit
The following diagram shows the relationship between the three components:
eTrust Audit uses Sun Remote Procedure Calls (RPC) to exchange data between
the components of the Client and the Policy Manager. In addition, the
components of the Data Tools, Collector, Viewer, and Reporter use ODBC to
communicate with the underlying database (Microsoft Access, Microsoft SQL
Server, or Oracle).
Audit Client
The Client component receives events and processes them based on policy rules.
It is comprised of the following subcomponents:
■
Recorder
■
Router
■
Action Manager
■
Distribution Agent
How the Client Processes Events
The subcomponents of the Client process events as follows:
6 iRecorder Reference Guide for FoundStone FoundScan
About eTrust Audit
1.
A Send API Recorder (SAPI Recorder) receives events. The SAPI Recorders
receive events from sources such as other eTrust products, Unicenter, Check
Point FW 4.1, UNIX syslog, Windows NT event log, SNMP, Oracle, Sybase,
and IBM DB2.
2.
The SAPI Recorders sends the events to the Router which filters the events
according to policy rules.
The policy rules state what to do with the events. For example, the rules can
create state variables for further correlation, event consolidation, and data
reduction. They can also generate new events that will be resubmitted to the
Router and will go through the same filtering policy rules as the original
events.
3.
After the Router filters the events, they are submitted to the Action Manager,
which takes actions such as sending the events using email, forwarding
events to another Router and Action Manager, forwarding events to the
Security Monitor, storing the events in the Collector database, and sending
events to Unicenter.
For the Router and Action Manager to function, the most current version of the
policy rules have to be available on the Client system. The Distribution Agent
component receives policy rules from the Policy Manager.
About Supported Platforms
The Client component runs on the following platforms:
■
Windows NT, 2000, and XP
■
AIX
■
HP-UX
■
Linux
■
Solaris
■
Tru64 UNIX
Audit Data Tools
The Data Tools component lets you store and display events received directly
from the Action Manager or from the database. The following subcomponents
comprise the Data Tools:
Collector
Collects events from the Action Manager and stores them in the Collector
Database.
Welcome to iRecorder for FoundStone FoundScan 7
About eTrust Audit
Viewer
Displays events from the Collector database based on specific selection
criteria.
Reporter
Generates reports on events.
Security Monitor
Provides a near real-time display of events received directly from the Action
Manager.
How the Data Tools Process Events
The subcomponents of the Data Tools process events depending on how the
Action Manager routes the events to the Data Tools, and on where the events are
stored:
■
■
If the Action Manager sends the events to the Collector, which stores the
events in its database, administrators can view the events using the Viewer
or generate reports using the Reporter.
If the Action Manager sends the events to the Security Monitor,
administrators can view and act on events in near real time.
About Supported Platforms
The subcomponents of the Data Tools can run on the following platforms:
Collector Database
The database engine can be Microsoft SQL Server, Oracle or Microsoft
Access. eTrust Audit does not include Microsoft SQL Server or Oracle.
However, it includes a Microsoft Access database, which we do not
recommend if you plan on collecting large numbers of events. The databases
run on a variety of platforms as follows:
■
Windows NT, 2000, and XP
■
AIX
■
HP-UX
■
Solaris
Viewer, Reporter, and Security Monitor
The Viewer, Reported, and Security Monitor are all Windows-based
applications and require Windows NT, 2000, or XP.
8 iRecorder Reference Guide for FoundStone FoundScan
About eTrust Audit
Audit Policy Manager
The Policy Manager lets administrators activate and modify default policy rules
provided with eTrust Audit. It also lets administrators write new policy rules.
The policy rules specify filters for the events that are received at designated
Routers, called Audit Nodes (AN) in the Policy Manager interface.
Administrators can even define groups of ANs so that they can distribute policy
rules to a number of systems. For example, you might create an AN group
comprised of all systems where the eTrust Antivirus application is running.
After the Router receives the policy rules, it works independently of the Policy
Manager to filter events until the Policy Manager distributes a new version of the
policy rules.
The Policy Manager component includes the following:
■
■
■
Policy Manager GUI
Distribution Server, a Windows service that distributes policies to the ANs
(routers)
Default policies, a set of pre-built policies based on Log Names.
You can add other policies to this set by importing custom policies using the
pmu_template_exchange.exe command.
How the Policy Manager is Involved in Event Processing
While default policy rules are provided and available for use after you install
eTrust Audit, you must activate and distribute them to make them take effect on
the servers where you have installed Clients. Therefore, to begin receiving events
on any Client, an administrator must do the following:
1.
Create ANs and AN groups.
2.
Modify default policy rules (or create new ones) and associate the policy
rules with an AN group.
3.
Activate the policy rules.
4.
Distribute the policy rules to the appropriate Clients.
Based on the rules, events are filtered and routed to the various other
components of eTrust Audit.
See the eTrust Audit Policy Management Guide for information on how to create a
policy, define groups of ANs, and distribute policies to AN groups.
About Supported Platforms
The Policy Manager runs on Windows NT, 2000, and XP.
Welcome to iRecorder for FoundStone FoundScan 9
About Improving Security and Network Communications
About Improving Security and Network Communications
In today’s security-conscious environment, the eTrust Audit system encounters
security-related obstacles as enterprises try to deploy it across large networks.
The flexible implementation possibilities available with eTrust Audit let you
install the Client components on various systems. For example, you might install
recorders on remote systems and the rest of the Client components on a
centralized server that routes events from a number of recorders. If any of these
recorders are outside your firewall, you might experience some of the following
problems:
■
■
■
■
The RPC protocol is rarely permitted across firewalls because it uses
dynamic TCP/UDP ports. RPC also lacks the secure communications
standards that other protocols, such as TCP or HTTPS provide.
eTrust Audit uses RPC to send events to the Router, deliver policies from the
Policy Manager, and forward events to Collector and Security Monitor
(OCRA). If any of these components are deployed across a firewall, the
system may fail due to the firewall blocking RPC traffic. One solution is to
use fixed TCP ports and open these ports on the firewall. However, the
question of data protection against network spoofing or tampering remains
open.
Guaranteed delivery is enforced in OCRA but not in SAPI, thus running the
risk of losing original events.
Secure delivery through encryption is assured with OCRA but not with
SAPI, which is the route taken by the events from the Recorder to the Router.
This problem becomes critical when the Recorder is separate from the
Router, where most often the Recorder is located outside the intranet and is
thus unguarded against spoofing.
There is no provision to ensure events are not tampered with during their
journey from the Recorder to the Router.
About the Role of iRecorders and iRouters
Before we describe the role of iRecorders and iRouters, let's review the major
tasks performed by eTrust Audit:
■
Harvest events from third-party sources, which is performed by SAPI
recorders for the following applications:
— Generic recorder for text log files
— UNIX syslog recorder
— NT event log recorder
— SNMP recorder
— Sybase recorder
10 iRecorder Reference Guide for FoundStone FoundScan
About the Role of iRecorders and iRouters
— Oracle recorder
— DB2 recorder
— MS SQL recorder
— Check Point FW v. 4.1
— Cisco devices
— Mainframe (CA-Top Secret, CA-ACF2, and RACF)
■
■
Filter events and take action, which is performed by the Router and the
Action Manager
Store events, which is performed by the Collector
The Policy Manager facilitates the management of which events are captured and
distributes the policy rules which lets administrators establish and distribute the
policy rules to the routers.
However, the growing demand for recorders for new third-party sources of
events coupled with network deployment concerns require an alternative
method to harvest and route events. The following illustration with the
additional components shows how you can deploy iRecorders and iRouters into
an existing eTrust Audit implementation:
Welcome to iRecorder for FoundStone FoundScan 11
About the Role of iRecorders and iRouters
About the Role of the iRecorder
Supplementing the recorder is the iRecorder, a special service (known as an
iSponsor) that sends unsolicited data, such as events, to an event management
system, such as eTrust Audit. Much like a recorder, you deploy iRecorders near
or at the system that reports events to harvest them as easily and readily as
possible. And unlike recorders, iRecorders can receive events from physical
devices, applications, databases, or operating systems. In most cases, sources and
systems are located on the same host.
After it harvests events from the source, the iRecorder assigns an event
classification (taxonomy) to events from similar sources, and maps information
in the events as field-value pairs to a normalized data model. A common
taxonomy and data model allows correlation from different sources.
The field-value pairs are packed in an XML string and then sent to the iRouter.
The iRouter converts the XML string into SAPI events and sends them to the
local Router. Events are then processed and forwarded to the Action Manager,
and then to the Security Monitor and/or Collector, according to the
corresponding policy rules installed on the iRouter/Client host.
The iRecorders contain a set of predefined policies to be imported in the eTrust
Audit Policy Manager as part of the default policies (see the eTrust Audit Policy
Management Guide).
About the Role of the iRouter
The iRouter is the bridge that links the HTTP-based iTechnology components
with eTrust Audit. The iRouter converts data it receives in XML format into the
SAPI protocol and sends the converted event to a Router.
iRouter consists of the following components:
iGateway
Receives events from local iRecorders, remote iGateways, or remote iClients.
iControl
Receives events from an iGateway and routes them to another iGateway or
to event plug-ins.
epAudit
Receives events from iControl, parses them into field-value pairs, and sends
them to the local Audit Router using SAPI.
12 iRecorder Reference Guide for FoundStone FoundScan
About the Role of iRecorders and iRouters
Note: For the iRouter to properly send events to an existing eTrust Audit
implementation, you must install the iRouter on the same system with a Router.
For more information about iTechnology, see Introduction to iTechnology on
page 43.
About ARIES
ARIES (Asynchronous Reporting, Information Extraction, and Signing module)
is an add-on subsystem to the Collector database. ARIES enhances your ability to
manage the Collector database as follows:
■
■
■
■
■
Create queries based on event-specific fields. These event-specific fields are
embedded in the Event Details window when viewed with the Security
Monitor or Viewer. They are not normally selectable using standard query
language (SQL), and they are also not visible to report generator tools. Using
ARIES, these fields are exposed and become selectable for queries and
reports.
Enables the creation of custom reports based on ARIES views.
Prunes the Collector Database. You can periodically prune the database
based on a recurring interval or based on other Collector fields. For example,
you might run a job each night to prune the previous day's records. Or you
might run a one-time job to prune all events matching some criteria, such as
all Self-Monitor events.
Creates digital signatures on selected events to guard against future data
tampering.
Provides a Web-based interface that let's you do the following:
— Expose event-specific fields for all events or for a particular AN type.
— Define fields to be included in views and to create views.
— Define pruning parameters and start the prune task.
— Select events to be tamper-proofed and start the tamper-proofing
process.
About Installing the iRecorder and iRouter
Deploying iRecorders in an eTrust Audit environment requires the following
actions:
■
Install the eTrust Audit system.
■
Install the iRouter on the same system as the Router.
■
Import any predefined policies distributed with your iRecorder to the Policy
Manager.
Welcome to iRecorder for FoundStone FoundScan 13
About the Role of iRecorders and iRouters
■
Activate and distribute the policy rules to the Routers and iRouters.
Note: You must install the iRouter before you install an iRecorder, as the
installation of the iRecorder requires the host address of the iRouter.
14 iRecorder Reference Guide for FoundStone FoundScan
Chapter 2: How to Install and Configure
the iRecorder
This topics that follow describe how to install and configure the iRecorder for
FoundStone FoundScan. You should review it before you install the iRecorder.
The information assumes that FoundStone FoundScan is already installed and
operational on some host.
Hardware Requirements
The iRecorder for FoundStone FoundScan has the following hardware
requirements:
■
Pentium-III 400 MHz, 512 MB RAM, 10 GB HD
■
Approximately 20 MB of disk space for the iRecorder installation
Software Requirements
The system onto which you install the iRecorder for FoundStone FoundScan has
the following software requirements:
■
■
■
Windows 2000 with Service Pack 2 or 3; or Windows XP with Service Pack 1
Microsoft SQL Server 2000 SP2 (can be upgraded to SP3 after FoundScan
installation)
FoundStone FoundScan 2.6
Preinstallation Steps
Before you install the iRecorder, do the following:
■
Install the iRouter component on a host where eTrust Audit Client
components are installed. Because the iRouter lets iRecorders communicate
with eTrust Audit, the iRecorder installation prompts for the host where
iRouter is installed.
For more details on how to install the iRouter, see the iRouter Reference Guide.
■
Ensure that the Policy Manager and the Data Tools are installed somewhere
on the network.
How to Install and Configure the iRecorder 15
Installation Materials
■
Using the Windows ODBC Data Source Administrator, create a MS SQL
Server System DSN to connect to the server where the FoundStone
FoundScan database is located and change the default database to FaultLine.
Installation Materials
The iRecorder for FoundStone FoundScan is provided on the product CD and is
also available for download from the Internet.
Download the iRecorder
To download and install an iRecorder from the Internet, follow these steps:
1.
Download the following package into a local directory:
iRecorder download package
The package for your iRecorder is located at http://esupport.ca.com. You
must choose the eTrust Audit product and then choose the link for
iRecorders. The package is zipped and contains the iRecorder installation
package and the iGateway installation package.
2.
Unzip the download package.
3.
Run the iRecorder install package. The iRecorder install package
automatically installs the iGateway package, if needed.
Locate the Installation Package on the CD
The iRecorder installation package for FoundStone FoundScan is located on the
eTrust Audit ARIES, iRecorders, and iRouter CD media.
Install the iRecorder from the CD
To install the iRecorder for FoundStone FoundScan, follow these steps:
1.
Insert the CD into the CD drive.
The Product Explorer should automatically start and display the installation
menu. If the Product Explorer does not automatically start, click Start, Run
and enter the following command:
CD-Drive:\PE_I386.exe
where CD-Drive is your CD drive letter designation.
iRecorders are available on the ARIES, iRecorders, and iRouter CD. The
versions for the different operating systems are in these directories:
16 iRecorder Reference Guide for FoundStone FoundScan
Installation Materials
2.
■
Windows: \eTrust\Audit\iRecorders\WinNT
■
Linux: \eTrust\Audit\iRecorders\Linux
■
Solaris: \eTrust\Audit\iRecorders\Solaris
Select the appropriate recorder from the list and follow the detailed
installation instructions.
Note: For Windows versions, if the install package for the iRecorder is not
running already, run the executable package FoundScan_version.exe to start the
installation of the FoundStone FoundScan iRecorder. Executing this package
starts a wizard that guides you through installation and configuration of the
iRecorder.
Perform a Silent Installation for Windows
Enter the following command to silently install the iRecorder for FoundStone
FoundScan using an InstallShield response file:
FoundScan_version.exe /s /f1“irecorder_setup.iss”
The above example demonstrates the silent install capability provided by the
iRecorder package. The response file in the example should be changed to reflect
the particular conditions of the target environment.
Perform a Silent Uninstallation for Windows
Enter the following command to silently uninstall the iRecorder for FoundStone
FoundScan using an InstallShield response file:
FoundScan_version.exe /s /f1“irecorder_uninstall.iss”
Customize Response Files for Silent Installation
The response files provided with the package contain an example of a silent
install session. You should customize the silent installation to fit your
environment.
How to Install and Configure the iRecorder 17
Configuration and Use
Create a Response File for Windows Packages
Note: The system must not contain the iRecorder for which you want to
customize the silent installation. If the system has the iRecorder installed,
uninstall the iRecorder using the Add/Remove Program option of the Control
Panel.
To create a custom response file that you can use for silent installation on similar
Windows target systems, follow these steps:
1.
Open a DOS window.
2.
Change directory to the folder that contains the iRecorder package.
On the CD that contains the iRecorders, the iRecorder package folder is:
<CD Drive>:\eTrust\Audit\iRecorders\Winnt
For instance, if G drive is the CD drive, the iRecorder package folder is:
G:\eTrust\Audit\iRecorders\Winnt
3.
Enter the following:
iRecorderPackage_version.exe /r /f1"PathnameOfResponseFile"
Where iRecorderPackage is the name of the package, version is the version
number, and PathnameOfResponseFile is the full path of the response file. For
example:
FoundScan_version.exe /r /f1”C:\Temp\irecorder_setup.iss”
4.
Follow instructions given by the installation procedure and install the
package as you would do on the target system.
5.
Click Finish.
The response file is created.
Configuration and Use
The following topics describe how to configure and use the FoundStone
FoundScan iRecorder.
Start the iRecorder
The iRecorder is run as a sub-component of the iTechnology-iGateway service.
To start the iRecorder on Windows, start the iGateway service using one of the
following methods:
■
Use the Services Management GUI (Start, Control Panel, Services or
Administrative Tools, Services).
18 iRecorder Reference Guide for FoundStone FoundScan
Configuration and Use
■
Issue the following command:
net start igateway
If your iRecorder runs on Unix or Linux, follow these steps to start the iGateway
service:
1.
Log in as root.
2.
Enter the following command:
/opt/CA/igateway/S99igateway start
Stop the iRecorder
The iRecorder is run as a sub-component of the iTechnology-iGateway service.
To stop the iRecorder on Windows, stop the iGateway service using either of the
following methods:
■
■
Use the Services Management GUI (Start, Control Panel, Services or
Administrative Tools, Services).
Issue the following command:
net stop igateway
If your iRecorder runs on UNIX or Linux, follow these steps to start the iGateway
service:
1.
Log in as root.
2.
Enter the following command:
/opt/CA/igateway/S99igateway stop
How to Configure the iRecorder
iRecorder configuration parameters are kept in a configuration file usually
located in the iGateway installation directory. The iRecorder configuration
parameters are automatically set during iRecorder installation and do not require
any changes for the normal operation of the iRecorder.
The iRecorder configuration file for FoundStone FoundScan is named
FoundScan.conf. The versions for the different operating systems are in these
directories:
■
Windows: CD-Drive:\Program Files\CA\iGateway
■
UNIX or Linux: CD-Drive:/opt/CA/igateway
If you do want to modify any parameters, you must do the following:
How to Install and Configure the iRecorder 19
Configuration and Use
1.
Stop the iTechnology iGateway service (or daemon) before making the
changes.
2.
After making the changes, restart the service for changes to take effect.
Sample Configuration File
The following is a sample FoundScan.conf configuration file and is for
information only. You do not need to change any parameter for the iRecorder for
FoundStone FoundScan:
<ISponsor>
<Name>FoundScan</Name>
<ImageName>FoundScan</ImageName>
<ISType>DSP</ISType>
<DispatchEP>iDispatch</DispatchEP>
<PreLoad>true</PreLoad>
<Version>@VERSION@</Version>
<MaxEventPerSecond>20</MaxEventPerSecond>
<DSN>localhost</DSN>
<User>sa</User>
<Password></Password>
</ISponsor>
Enable Debugging
You can configure the iRecorder to send debugging information to a debugging
application or to a file. To enable debugging and log debug information to a file,
follow these steps:
1.
Stop the iRecorder by stopping the iTechnology iGateway Service.
2.
Edit the iRecorder configuration file by adding the following <DebugLevel>
tag between the <iSponsor> tags:
<DebugLevel>{level}</DebugLevel>
where {level} is one of the following:
ISP_NOLEVEL
Disables debugging.
ISP_FILE
Prints all debug messages to a debug application as well as writing it to a
log file, irecordername.log, in the same directory as the iRecorder. The
debug file may grow very quickly; to avoid possible disk space shortage,
we recommend turning off the debugging option as soon as possible by
replacing ISP_FILE by ISP_NOLEVEL.
3.
Save the configuration file.
4.
Start the iRecorder by restarting the iTechnology iGateway Service.
5.
Send the debug file to CA Technical Support for further analysis.
20 iRecorder Reference Guide for FoundStone FoundScan
Add and Manage Policies
Add and Manage Policies
You can add pre-packaged template policies to your Policy Manager and then
use the Policy Manager to create your own custom rules. You can then activate
and distribute them to function on routers throughout your enterprise.
Add the Default Policy for FoundStone FoundScan to the Policy Manager
To create a policy for the FoundStone FoundScan iRecorder, you must add the
default policy template for FoundStone FoundScan to the Policy Manager.
To add the default template, follow these steps:
1.
Insert the ARIES, iRecorders, and iRouter CD in the CD drive of the Policy
Manager system.
2.
On the Policy Manager server, open the following file:
[eTrust Auditinstall]\bin\pmu_template_exchange.exe.
where [eTrust Auditinstall] is the directory where eTrust Audit is installed.
The following window appears:
3.
Choose Import Policy Template from binary file, and then click Next.
You are asked for the policy filename for your iRecorder.
4.
Enter the path where the following file is located, which is a policy file made
exclusively for FoundStone FoundScan:
eTrust Audit FoundScan Policy.ptf
How to Install and Configure the iRecorder 21
Add and Manage Policies
The policy file is on the iRecorders CD at this location: \Tools\Sample
Policies\eTrust Audit FoundScan Policy.ptf.
Note: If there is no specific ptf file (eTrust Audit FoundScan Policy)
available, then default policies already exist in the Policy Manager that you
can use for FoundStone FoundScan. You can skip this procedure.
5.
Click Next.
A dialog appears that describes the chosen policy file.
6.
Click Next again.
A dialog appears and asks if you want to create the policy in the default
policies section.
7.
Click Yes and then click Next.
A dialog appears that asks you for the name of the subpolicy for FoundStone
FoundScan.
8.
Enter FoundStone FoundScan as the name of the inserted subpolicy, and
click Finish.
The default policy is loaded into the Policy Manager.
Create an AN Group
Now you must create an Audit Node (AN) Group, a group of network nodes
that become available targets to which you can apply your policies.
To create an AN group, follow these steps:
1.
Open the eTrust Audit Policy Manager if it is not already open.
2.
On the left pane, click Audit Nodes.
3.
Right-click the Targets node, and from the pop-up menu choose New Group.
4.
Give the new group the name FoundStone FoundScan.
5.
Click OK.
Select an AN Type
Now you must create an Audit Node (AN) Type for the AN group you just
created, which sets the kind of events the group of nodes will be handling.
To create an AN type, follow these steps:
1.
Open the eTrust Audit Policy Manager if it is not already open.
2.
On the left pane, click Audit Nodes.
22 iRecorder Reference Guide for FoundStone FoundScan
Add and Manage Policies
3.
Right-click the FoundStone FoundScan group (which you created in the last
step) and from the pop-up menu choose New AN.
4.
Enter the host name of the iRouter that you configured the iRecorder to
communicate with.
5.
Select the AN type as FoundStone FoundScan.
6.
Enter a description for the AN node.
7.
Click OK.
8.
Repeat steps 3 through 7 for each iRouter in your network that
communicates with an iRecorder for FoundStone FoundScan.
Create a Policy Folder
Now you can create a policy folder to hold the policies available for deployment
onto your Audit Nodes (AN).
To create a policy folder, follow these steps:
1.
Open the eTrust Audit Policy Manager if it is not already open.
2.
On the left pane, click Policies.
3.
From the main menu bar, select File and choose New.
4.
Select Policy Folder (this should be the only available option) and give the
folder the name FoundStone FoundScan.
5.
Click OK.
Copy the Default Policies
Now you have your new FoundStone FoundScan policy folder, so you can copy
the prefabricated default policies from the template folder to your own new
folder to use them. Using this method allows you to add rules and actions to
your own policies without affecting the default polices.
To copy a policy, follow these steps:
1.
Open the eTrust Audit Policy Manager if it is not already open.
2.
On the left pane, click Policies.
3.
Expand the Default Policies folder to display the FoundStone FoundScan
default policy folder.
4.
Copy the policies in the FoundStone FoundScan default folder and then
paste them into the new policy folder you just created, which you named
FoundStone FoundScan.
How to Install and Configure the iRecorder 23
Add and Manage Policies
Add Actions to the Rules
Policies are made up of rules, and you can add actions to the rules in your own
policies.
To add actions to a rule, follow these steps:
1.
Open the eTrust Audit Policy Manager.
2.
On the left pane, click Policies.
3.
Expand your FoundStone FoundScan folder to display the policies in it.
An action must be defined for each rule. For the purposes of this guide, we
will define an action for the All Events rule.
4.
Right-click the All Events rule, and from the pop-up menu choose Properties.
5.
Click the Action tab.
6.
Check the box for the Collector action.
7.
Click Add, and enter the host name or IP address of the eTrust Audit
Collector.
8.
Repeat Steps 6 and 7 for the Security Monitor action.
9.
Click OK.
In the tree view, the icon for the All Events rule turns from a white bell to a
blue bell.
Attach the Rule to an AN Group
Once you have rules created, you can attach those rules to the AN groups you
created.
To attach a rule to an AN group, follow these steps:
1.
Open the eTrust Audit Policy Manager if it is not already open.
2.
On the left pane, click Policies.
3.
From the tree view, expand the FoundStone FoundScan policy folder.
4.
Right-click the FoundStone FoundScan policy folder, and from the pop-up
menu choose Attach AN Group.
5.
Select the FoundStone FoundScan AN group, and click OK.
Activate the Rule
Now that your rules are assigned to AN groups, you can activate them.
24 iRecorder Reference Guide for FoundStone FoundScan
How Event Route Testing Works
To activate a rule, follow these steps:
1.
Open the eTrust Audit Policy Manager if it is not already open.
2.
On the left pane, click Policies.
3.
From the tree view, expand the FoundStone FoundScan policy folder.
4.
Right-click the FoundStone FoundScan policy folder, and from the pop-up
menu choose Activate.
A confirmation dialog appears.
5.
Click OK.
Verify the Rule Is in Effect
To verify the rule in effect, follow these steps:
1.
Open the eTrust Audit Policy Manager.
2.
On the left pane, click Audit Nodes.
3.
Select the FoundStone FoundScan group, and verify for each AN that there
are no errors.
If there are no errors, a key icon appears beside the name of an AN.
Sample Rules
The eTrust Audit FoundScan Policy.ptf includes the following sample rules:
All Events
Detect all events for FoundStone FoundScan.
FTP - Anonymous FTP account permissions
Collects events where the permissions for an FTP anonymous account are
inappropriate.
SQL Server - sa password set to NULL
Collects events where the sa account has an null password.
Windows NT - Null Administrator Password
Collects events where the Windows NT administrator password is null.
How Event Route Testing Works
So far, you should have performed the following tasks:
■
Installed the iRouter
■
Installed the iRecorder
How to Install and Configure the iRecorder 25
How Event Route Testing Works
■
Added policy rules and distributed them to the routers
Now, you can test the system to see if events are being sent through the system.
The basic flow that test events follow is this:
1.
Events that match a policy rule occur on the host system where the iRecorder
is installed.
2.
Events are sent to the iRouter, which sends the events to the Router.
3.
Policy rules sent to the Router are checked to see if the events are sent to the
Action Manager or discarded.
4.
Events that match policy rules with actions are reviewed by the Action
Manager and the action is taken.
5.
In the case of this event, the Action Manager sends the event to the Security
Monitor.
Test Event Routing for FoundStone FoundScan
To test event routing (and verify that the iRecorder is installed properly and
sending events to eTrust Audit), follow these steps:
1.
Install the iRecorder and iRouter on a host as described in the installation
instructions.
2.
Start eTrust Audit Policy Manager and define a policy for FoundStone
FoundScan events received by the host where iRouter and other Audit Client
components are installed.
3.
Create a test policy with a rule that sends all events to the eTrust Audit
Security Monitor (no filter with Action set to Security Monitor). If there is no
defined policy (rule and action), eTrust Audit ignores the events.
You can find more details on how to create a policy in the eTrust Audit Policy
Management Guide.
4.
Create a Scan Job using the FoundScan GUI and run the job. Verify that
events are generated as new vulnerabilities are found.
5.
Verify that the generated events are displayed in the eTrust Audit Security
Monitor.
iRecorders also support standard iTechnology SDK tools (like TestHarness and
Spin interface) to query the iRecorder for current status and configuration
information. For more details on these tools, see the iTechnology SDK Reference
Guide.
26 iRecorder Reference Guide for FoundStone FoundScan
Chapter 3: How to Prepare Event Data
for Custom Reports
You can use third-party reporting applications to create custom reports based on
the events stored in the Collector. To do this, you must follow this process:
1.
Ensure that the events you want to view are in the Collector DB.
2.
Run ARIES to expose fields in the events that you want to select for your
reports.
3.
Use your third-party reporting application to select records for viewing.
Description of Table Columns
The following table suggests some selection criteria for reports of general
interest. The columns in the table contain the following:
■
The first contains the Report Name.
■
The second contains the eTrust Audit Logname.
■
■
The third contains additional criteria. These are one or more additional fields
that you can use to narrow the range of events to be included in the report.
The fourth contains a comment that specifies whether the field name is in the
eTrust Audit MSGTEXT field or not.
Note: The MSGTEXT field is a free-form text field that can contain several fields.
Because the MSGTEXT field contains multiple field name and field value pairs,
you must search the MSGTEXT field using wild card characters to select the
specific field names and values. You can use ARIES to expose fields in the
MSGTEXT field. Then, you can use third-party report generators to select
directly these exposed fields as you would other fields in the Audit database,
such as LOGNAME. See the following ARIES topics.
Sample Report Selection Criteria for FoundStone FoundScan
Events
The following table contains Sample Report Selection Criteria for FoundStone
FoundScan:
Report
Logname
AND additional criteria (format
field name : field value)
Comment
How to Prepare Event Data for Custom Reports 27
Use ARIES to Expose Fields Specific to FoundStone FoundScan
FTP - Anonymous
FTP account
permissions
FoundStone FoundScan
Check_Id: "CAN-1999-0527"
Check_ID is found
in the MSGTEXT
column
Windows NT - Null
Administrator
Password
FoundStone FoundScan
Check_Id: "CAN-1999-0506"
Check_ID is found
in the MSGTEXT
column
SQL Server - sa
password set to
NULL
FoundStone FoundScan
Check_Id: "CAN-2000-1209"
Check_ID is found
in the MSGTEXT
column
Use ARIES to Expose Fields Specific to FoundStone
FoundScan
All eTrust Audit events have the following fields stored in the Audit database. In
parentheses are the field labels as they appear in Security Monitor or Audit
Viewer.
TIMSTAMP (Time Stamp)
Displays the date and time of occurrence of the event.
LOGNAME (Log Name)
Displays the logical name of the event’s source.
COMPUTERNAME (Computer Name)
Displays the host name (without the domain).
DOMAINNAME (Domain Name)
Displays the domain name in a fully qualified host name.
USERNAME* (User Name)
SOURCE* (Source)
EVENTCATEGORY* (Event Category)
Predefined names for various event groupings
EVENTTYPE* (Type displayed as icon)
Field that can be set to one of the following values: Failure, Error, Success,
Information, Warning.
EVENTID* (Event ID)
MSGTEXT
A field name internal to the eTrust Audit database. The field itself is not
visible directly on the Security Monitor or Audit Viewer. Using the mouse to
double-click on a specific event reveals the contents of this field as the
Description field in the Event Details pop-up window.
28 iRecorder Reference Guide for FoundStone FoundScan
Use ARIES to Expose Fields Specific to FoundStone FoundScan
*Although USERNAME, SOURCE, EVENTTYPE, and EVENTID can depend on
the event, most of the event-specific fields are contained in the MSGTXT field.
How To Expose Specific Events for FoundStone FoundScan
To expose FoundStone FoundScan-specific event fields, use the ARIES Web
interface to:
1.
Create a job.
2.
Define a load policy using LogName = FoundStone FoundScan.
3.
Define an appropriate DB Poll Interval (in seconds) to run the job
periodically.
4.
(Optional) Include/exclude any column filter to select the specific
FoundStone FoundScan-specific fields of interest.
5.
Start the job.
After the job starts, it creates, if necessary, a new table called AuditExtendString.
Each field within the MSGTXT field in the eTrust Audit database is extracted and
entered in the AuditExtendString table as one row.
How To Create a View of FoundStone FoundScan on the eTrust Audit Database
To create a view of FoundStone FoundScan on the eTrust Audit database, use the
ARIES Web interface to:
1.
Create a job.
2.
Define a view policy.
3.
Define a DB Poll Interval (in seconds) to have the job periodically scan the
AuditExtendString table.
4.
Optionally include/exclude any column filter to select the specific
FoundStone FoundScan-specific fields of interest.
5.
Start the job.
A view called AUD_VIEW_LOG_ProductName will be created and information
from eTrust Audit database and AuditExtendString are included every DB Poll
Interval seconds.
See the ARIES Reference Guide for more information and specific steps.
How to Prepare Event Data for Custom Reports 29
About Report Generation based on ARIES Tables
About Report Generation based on ARIES Tables
After you have created the event-specific table for FoundStone FoundScan, you
can use any SQL-based report generator to create SQL statements against the
table.
For example, specify the AUD_VIEW_LOG_ProductName table as a table from
which to select criteria to generate a report.
See eTrust Audit Field Mapping for a list of fields that you can select using the
ARIES view.
30 iRecorder Reference Guide for FoundStone FoundScan
Chapter 4: eTrust Audit Field Mapping
Fields in FoundStone FoundScan events are captured by the iRecorder and
mapped to a standard set of normalized fields. eTrust Audit requires all
iRecorders to follow a standard Data Model and Taxonomy. The iRecorder maps
the native FoundStone FoundScan fields into fields in the eTrust Audit Collector
database.
About Mandatory Fields
Mandatory fields are a fixed set of fields that are added to each event processed
by any iRecorder. The following information describes what values are assigned
to the mandatory fields in the FoundStone FoundScan.
Field Name
Field Value
Description
Taxonomy
<Category>.<System>.<Action>.
<Result>.<Severity>
See the following table for further breakdown of
Taxonomy
Date
Timestamp
The time is retrieved from the log file(s) being
monitored. The time is when the event occurred.
TimeZone
timezone in +/- seconds format
(calculated from GMT)
TimeZone of system where iRecorder is installed
Src
Table name
Table name that the main event was retrieved
from
Log
“FoundStone FoundScan”
Location
Host name
Location (Host name) where FoundScan Database
resides
Recorder
“FoundStone FoundScan”
The name of the iRecorder that collected the event
Version
Version Number
The version number of the iRecorder
About the Taxonomy Field
The following table provides field names, possible values, and descriptions that
can appear in the Taxonomy field:
eTrust Audit Field Mapping 31
About Mandatory Fields
Possible Values
Description
Category
Vulnerability Assessment
System
Agent
Only monitoring for results of scans
Action
Scan or Scan_[CVE] or
Scan_[Name]
Depends on whether CVE ID or vulnerability
name is available
Result
N
Result always set to “N” as a new event always
signifies a new vulnerability was found
Severity
[variable]
Based on risk, if Vulnerability, SQL Guess or Smart
GuessWork
- “W” if 1-3 (Low)
- “C” if 4-6 (Medium)
- “F” if 7-10 (High)
”I” if Service Found
”W” if Source Code Disclosure, Brute Force or
Web Vulnerability
About Normalized Fields
Normalized fields are eTrust Audit field names that are mapped or translated
from the native event field names according to the classification of the iRecorder.
Normalized fields are common across all products in the same classification. The
Taxonomy field, one of the mandatory fields, defines the classification for this
iRecorder.
Normalized Fields for FoundStone FoundScan
The following table shows the normalized fields for the Manager System:
eTrust Audit Field
FoundScan Field Name
Description
Check_Id
CVE
CVE (or CAN) Id, Microsoft Security
Advisory number, Cert Advisories ID,
Computer Associates Id Number (CAID), or
custom check name.
The following table shows the normalized fields for the Server System:
32 iRecorder Reference Guide for FoundStone FoundScan
About Product-Specific Fields
eTrust Audit Field
FoundScan Field Name
Description
Check_Id
CVE
CVE (or CAN) Id, Microsoft Security
Advisory number, Cert Advisories ID,
Computer Associates Id Number (CAID),
or custom check name.
Target_Host
DNSName
DNS Name of affected host
The following table shows the normalized fields for the Agent System:
eTrust Audit Field
FoundScan Field Name
Description
Check_Id
Text
CVE (or CAN) Id, Microsoft Security
Advisory number, Cert Advisories ID,
Computer Associates Id Number (CAID),
Nessus plugin id or custom check name.
Service
ServiceName
Service name (eg telnet, ftp, ..)
Port
Port
TCP or UDP port number
Protocol
Protocol
IP protocol name or number (eg, udp or
tcp)
About Product-Specific Fields
Product Specific fields are native event fields that are not mapped or translated
by the iRecorder. These fields are sent to eTrust Audit with a minor change: all
characters in the field names that are not letters, digits or underscores are
converted to underscores. To avoid name clashes with other products or with
eTrust Audit itself (for example, the Status field), these fields are also prefixed by
the product name followed by an underscore, such as eVM_, cisco_, ccure_.
Product-Specific Fields for FoundStone FoundScan
All events are extracted from the FaultLine Database. Refer to the FoundScan
Database Relations document for the Database Schema.
eTrust Audit Field Mapping 33
About Product-Specific Fields
This section details the mapping of FoundScan specific information into fields
that are unique to Vulnerability Assessment Applications and are not required
by eTrust Audit. The information is presented in the following tables. The
iRecorder sends a limited set of fields by default. It is possible to configure the
iRecorder to send the additional fields marked with an asterisk (*), but it is not
recommended due to the size of the data that will be transmitted.
The following table shows All Events:
eTrust Audit Field Name
FoundScan Field Name
Description
CompanyName
CompanyName
Organization Name to which
Scan Job belongs
ConfigurationName
ConfigurationName
Configuration Name to which
Scan Job belongs
JobName
JobName
Scan Job Name
Target_Host
DNSName
DNS Name of affected host
Target_IP
IPAddress
IP Address of affected host
Target_OS
OSName
OS Name of affected host
HostID
HostID
FoundScan Internal ID of
affected host
*Target_NBName
NBName
NetBIOS name of affected host
*Target_NBWorkGroup
NBWorkgroup
NetBIOS Workgroup name of
affected host
*Target_Alive
Alive
True if host is alive
*Target_Virtual
Virtual
True/False
*Target_ICMP
ICMP
True/False
*Target_IdentifyWith
IdentifyWith
*Target_Wireless
Wireless
*Target_Subscan
Subscan
*Target_Batch
Batch
True/False
Some of the events share many common fields; they are listed in the tables below
and are referenced in the specific tables as +TableName:
The following table shows the Service field:
34 iRecorder Reference Guide for FoundStone FoundScan
About Product-Specific Fields
eTrust Audit Field Name
FoundScan Field Name
ServiceID
ServiceID
Service
ServiceName
Port
Port
Protocol
Protocol
*Service_Description
Description
*Service_Detail
Detail
Description
The following table shows the Site field:
eTrust Audit Field Name
FoundScan Field Name
Site_key
Site_key
Site_name
Site_name
*Site_ip
Site_ip
*Site_port
Site_port
*Site_protocol
Site_protocol
*Site_baseurl
Site_baseurl
*Site_dfmaxlink
Site_dfmaxlink
*Site_dflevel
Site_dflevel
*CrawlCompleted
CrawlCompleted
Description
True/False
The following table shows the Url field:
eTrust Audit Field Name
FoundScan Field Name
Url_Key
Url_key
Url_link
Url_link
Url_Resource
Url_Resource
*Url_path
Url_path
Description
eTrust Audit Field Mapping 35
About Product-Specific Fields
eTrust Audit Field Name
FoundScan Field Name
*Url_ResourceType
Url_ResourceType
*Url_Querystring
Url_Querystring
*Url_Responsecode
Url_Responsecode
*Url_AuthReqd
Url_AuthReqd
*Url_form
Url_form
*Url_script
Url_script
*Url_cookie
Url_cookie
*Url_header
Url_header
Url_applet
Url_applet
Url_activex
Url_activex
Description
Every event can be categorized as one of the following:
■
Vulnerability Scan
■
Web Vulnerability Scan
■
Service Scan
■
Smart Guess Result
■
SQL Guess Result
■
Brute Force Result
■
Source Code Result
Each type of event has specific fields and they are listed in the tables below:
The following table shows the Vulnerability Scan event layout:
eTrust Audit Field Name
FoundScan Field Name
Description
{ NID}
NID
NID of vulnerability
{Anchor}
VulnFoundID
VulnFoundID
Check_ID
CVE
CVE (or CAN) Id
36 iRecorder Reference Guide for FoundStone FoundScan
About Product-Specific Fields
eTrust Audit Field Name
FoundScan Field Name
Description
*Check_Desc
Description
Vulnerability Description
Check_Name
Vulnerability Name
Risk
Risk level associated with
Vulnerability
FaultLineID
FaultLineID
BID
BID
*Type
Type
*Observation
Observation
*RiskText
RiskText
*Recommendation
Recommendation
*ExploitDate
ExploitDate
*Simplicity
Simplicity
*Popularity
Popularity
*Impact
Impact
*ExploitLink
ExploitLink
*AftershockID
AfterShockID
*ISSID
ISSID
*Person
Person
*CyberID
CyberID
*LHF
LHF
*ExploitDataType
ExploitDataType
*Intrusive
Intrusive
*AddedDate
AddedDate
*ModifiedDate
ModifiedDate
*DeletedDate
DeletedDate
*Status
Status
*Customized
Customized
True/False
True/False
True/False
The following table shows the Web Vulnerability Scan event layout:
eTrust Audit Field Mapping 37
About Product-Specific Fields
eTrust Audit Field Name
FoundScan Field Name
{Anchor}
vuln_key
Check_Id
Vuln_id
WebVuln_server
Vuln_server
WebVuln_sversion
Vuln_sversion
WebVuln_method
Vuln_method
WebVuln_request
Vuln_request
*WebVuln_protocol
Vuln_protocol
*WebVuln_check
Vuln_check
*WebVuln_rescode
Vuln_rescode
*WebVuln_pattern
Vuln_pattern
*Check_Desc
Vuln_details
Description
+Service
+Site
The following table shows the Service Scan event layout:
eTrust Audit Field Name
Possible Field Values
{Anchor}
ServiceFoundID
Banner
Banner
Description
+Service
The following table shows the Smart Guess Result event layout:
eTrust Audit Field Name
FoundScan Field Name
{Anchor}
SmartResultID
Risk
SmartAttackRisk
SmartRequest
SmartRequest
SmartResponse
SmartResponse
38 iRecorder Reference Guide for FoundStone FoundScan
Description
About Product-Specific Fields
eTrust Audit Field Name
FoundScan Field Name
SmartContent
SmartContent
SmartAttackID
SmartAttackID
SmartAttackType
SmartAttackType
*SmartAttackString
SmartAttackString
*SmartAttackExtension
SmartAttackExtension
*SmartAttackExpectedResCode
SmartAttackExpectedResCode
*SmartAttackExpectedResPattern
SmartAttackExpectedResPatte
rn
*SmartAttackCheckLogic
SmartAttackCheckLogic
*SmartAttackExHeader
SmartAttackExHeader
*SmartAttackRecommendation
SmartAttackRecommendation
Description
+Service
+Site
+Url
The following table shows the SQL Guess Result event layout:
eTrust Audit Field Name
FoundScan Field Name
{Anchor}
SqlResultID
Risk
SqlAttackRisk
SqlRequest
SqlRequest
SqlResponse
SqlResponse
SqlContent
SqlContent
SqlAttackID
SqlAttackID
SqlAttackType
SqlAttackType
*SqlAttackString
SqlAttackString
*SqlAttackPosition
SqlAttackPosition
*SqlAttackExtension
SqlAttackExtension
*SqlAttackExpectedResCode
SqlAttackExpectedResCode
Description
eTrust Audit Field Mapping 39
About Product-Specific Fields
*SqlAttackExpectedResPattern
SqlAttackExpectedResPattern
*SqlAttackCheckLogic
SqlAttackCheckLogic
*SqlAttackExHeader
SqlAttackExHeader
*SqlAttackRecommendation
SqlAttackRecommendation
+Service
+Site
+Url
The following table shows the Brute Force Result event layout:
eTrust Audit Field Name
FoundScan Field Name
{Anchor}
BruteResultID
Url_link
Url_link
Url_Username
Url_Username
Url_Password
Url_Password
Url_Responsecode
Url_Responsecode
Description
+Service
+Site
+Url
The following table shows the Source Code event layout:
eTrust Audit Field Name
FoundScan Field Name
{Anchor}
SCodeResultID
SCodeRequest
SCodeRequest
SCodeResponse
SCodeResponse
SCodeData
SCodeData
SCodevulnID
SCodevulnID
SCodevulnType
SCodevulnType
*SCodevulnurl
SCodevulnurl
40 iRecorder Reference Guide for FoundStone FoundScan
Description
About Product-Specific Fields
*SCoderesourcetype
SCoderesourcetype
*SCodecheck
SCodecheck
*SCoderesponsecode
SCoderesponsecode
*SCodepattern
SCodepattern
*SCodeadhead
SCodeadhead
*SCodereco
SCodereco
+Service
+Site
+Url
eTrust Audit Field Mapping 41
Appendix A: Introduction to
iTechnology
iTechnology is a Computer Associates technology based on Web standards such
as HTTP, HTTPS, HTML, XML, and SSL. It provides a framework to create and
deploy Web services across the Internet.
iTechnology building blocks are:
iGateway
A Web server
iSponsor
A Web service loadable by iGateway. Some notable examples of iSponsors
are as follows:
iControl
An iSponsor regulating the flow of events (unsolicited data).
iRecorder
An iSponsor that harvests events from devices, log files, databases,
applications and sends them through iControl.
iReflect
A detached iSponsor; that is, it is not loaded directly by an iGateway.
Event Plugin
A Web service loadable by iControl.
Spindle
An iSponsor serving Web pages.
iClient
A standalone Web client.
iGateway
iGateway is a special Web server. It runs as Windows service or UNIX/Linux
daemon process. Its purpose is to receive requests and send replies using the
HTTP protocol. It also supports the HTTPS protocol for data protection against
eavesdropping and tampering over the Internet. The format of request and reply
is HTML and XML. The iGateway sends the requests using HTTP GET, HTTP
POST or SoapAction.
iGateway receives requests from any of the following sources:
■
Web browser
■
iGateway (iGateways can receive requests from other iGateways.)
iSponsor
■
iReflect
■
iClient
■
A local iSponsor (for unsolicited event sending)
The iGateway redirects these requests to its underlying Web services called
iSponsors. Based on the request, appropriate replies in XML/HTML format are
built by iSponsor and sent back to the requestor using the iGateway.
All network communications use the TCP iTechnology port 5250. In a protected
environment, you should open this port in the firewalls and border routers to
allow iTechnology communications. This is similar to allowing HTTP traffic
through firewalls (port 80).
iSponsor
An iSponsor is a dynamically loadable library that can be pre-loaded at startup
or loaded on-demand when a request is destined to the specific iSponsor. It is a
plug-in to iGateway. It exposes selected APIs to iGateway when loaded.
Requests to an iSponsor specify which service it needs from iSponsor. The
specified service includes the API (also called methods) and parameters.
iGateway invokes the method and passes the parameters to the corresponding
iSponsor. The iSponsor’s method returns an HTML or XML response. The
response is forwarded to the requestor. An iSponsor can have a plugin that sends
data to a non-iTechnology application or device. The sending protocol depends
on the application or device and is not necessarily HTTP.
All iSponsors implement two standard methods:
describe
Returns the sponsor’s name and version.
define
Returns all the methods defined in the sponsor.
In addition, each iSponsor can implement other methods to support the
iSponsor’s specific functionalities.
You can create an iSponsor using the iTechnology SDK or iRecorder SDK. Use
the iRecorder SDK to create iRecorders only.
Examples of iSponsors
Examples of iSponsors are:
44 iRecorder Reference Guide for FoundStone FoundScan
iSponsor
iRegistry
Scans a specified portion of an Internet network for active iGateway hosts
and lists existing iGateway hosts on the network. iRegistry includes a plug-in
to store discovered iGateway hosts in a repository. This iSponsor is included
in the iGateway/iRecorder distribution.
iAuthority
Plays the role of a trusted Central Authority (CA) for registered iGateways.
It distributes and revokes digital certificates for authentication and
authorization of trusted iGateways. Any request to privileged methods in an
iSponsor must be accompanied by a valid digital certificate distributed by
iAuthority. The request can be rejected by the iSponsor if the privileges
granted by the certificate are not sufficient to run the method. This iSponsor
is included in the iGateway/iRecorder distribution.
iControl
Plays a central role in iTechnology event management system. For eTrust
Audit, this iSponsor controls the flow of eTrust Audit events, from the
iRecorder to the Router. iControl can include plug-ins called Event Plugins.
One of the event plug-ins is epAudit. iControl is included in the
iGateway/iRecorder distribution.
iRecorder
Is a special iSponsor whose purpose is to get events from sources such as
applications, devices, operating systems.
iControl is a critical component for iRecorder. All event traffic must pass through
iControl. Without it, iRecorder is practically “mute”.
Important features of iControl include the following:
Persistent Connection
HTTP and HTTPS are normally used for short-lived connections that last for
a single request-reply communication. This means that when a reply is
received, the connection is terminated. This does not fit well with the
constant flow of events, which could deplete system resources in terms of
connections and may trigger a false alarm of denial-of-service attack on
intermediary routers or firewalls.
You can configure iControl to use persistent connections or long-lived
connections to send all events through one connection to the remote
iControl. This method of sending is more efficient in terms of effective
throughput and more economical in terms of system resources. You can
configure this option using the EventUsePersistentConnections parameter.
Use of HTTPS
You can enforce HTTPS use in iControl by setting the EventUseHttps
parameter. HTTPS encrypts data before sending it over HTTP, thus ensuring
data privacy on the wire.
iSponsor
Event Signing
Event signing guarantees that an event is not tampered with during its
transit to the remote iControl. You can turn it off using the IgnoreSignature
parameter.
Guaranteed Delivery
Events that are sent from the iGateway host are guaranteed to reach its
specified destination. If the destination is unavailable, events are temporarily
stored in a local storage. Only when events have reached its intended
destination are they removed from the local storage.
Event Pushing or Routing
When iControl sends events, it can use two methods: push or pull. In Push
method, the sender iControl initiates the communication and send events to
the destination host, called the RouteEventHost. The iRecorder installation
script prompts and sets this important configuration parameter in
iControl.conf file.
Event Pulling or Storing
In Pull method, the sender iControl passively waits for the destination to call
it before sending out events. During the wait, the sender iControl stores the
events for the destination or StoreEventHost. The destination iControl, by
contrast, retrieves the events from the sender or RetrieveEventHost. Thus,
you can configure an iRecorder to set the StoreEventHost if you use the Pull
method. The Pull method is particularly suitable for network environments
where only outgoing traffic is allowed.
Bridge to eTrust Audit (iRouter)
When iRouter is installed, an event plug-in called epAudit is attached to
iControl. This plug-in receives events from iControl, converts XML format
into SAPI calls and finally sends the converted event to the local eTrust
Audit Router using the SAPI protocol.
An iReflect acts like a “detached” iSponsor. This means it is not loaded by the
iGateway but by a non-iTechnology application. It acts like an iSponsor in the
following ways:
■
■
■
■
■
It is a dynamically loadable library like an iSponsor.
After it’s loaded by the application, it registers with the local iGateway and
exposes its methods.
It receives HTTP and HTTPS requests from the local iGateway and returns
responses to it.
Since an iReflect must be able to receive requests from its local iGateway at
any time, it runs a thread that continuously listens on iTechnology port 5250.
Thus it is represented in the diagram as an oval to denote it’s a running
thread within the non-iTechnology application.
One example of iReflect used to send events to eTrust Audit is the Unicenter
EM iRecorder.
46 iRecorder Reference Guide for FoundStone FoundScan
iSponsor
iClient acts as a Web browser. It sends requests to an iGateway and receives
replies from it. However an iClient cannot receive requests from an iGateway
and it cannot publish its internal methods for an iGateway to use.
Therefore you can deploy an iClient component in the following ways:
■
■
As a dynamically loadable library to be loaded by a non-iTechnology
application
As a standalone program