STEALTHbits File Activity Monitor User Guide


STEALTHbits File Activity Monitor
User Guide
2017

200 Central Avenue, Hawthorne, NJ 07506
P. 1-201-447-9300  F. 1-201-447-1818

Table of Contents

Chapter 1: STEALTHbits File Activity Monitor Console Overview ... 4
  Prerequisites ... 4
  Supported Platforms ... 5
  Permissions ... 5
Chapter 2: Installation & Configuration ... 6
  Port Requirements ... 6
  STEALTHbits File Activity Monitor Installation ... 7
  Import License Key ... 8
  Agents Tab ... 10
    Add a Single Agent ... 12
    Add Multiple Agents ... 18
    Edit Agents ... 26
    Remove Agents ... 29
    Log Levels ... 30
  Monitored Hosts Tab ... 31
Chapter 3: Monitoring a Windows Host ... 33
  Configure the STEALTHbits File Activity Monitor for Windows ... 33
  Additional Windows Configuration ... 36
Chapter 4: Monitoring a NetApp Host ... 39
  Configuring a Cluster-Mode Host ... 39
    Checklist for Cluster-Mode Implementation ... 40
    Plan Deployment for Cluster-Mode NetApp ... 41
    FPolicy Account Provisioning for Cluster-Mode NetApp ... 41
    Firewall Configuration for Cluster-Mode NetApp ... 45
    Configure FPolicy for Cluster-Mode NetApp ... 46
    Configure the STEALTHbits File Activity Monitor for Cluster-Mode NetApp ... 52
  Configuring a 7-Mode Host ... 59
    Checklist for 7-Mode Implementation ... 59
    FPolicy Account Provisioning for 7-Mode NetApp ... 61
    Firewall Configuration for 7-Mode NetApp ... 63
    Configure FPolicy for 7-Mode NetApp ... 65

Doc ID 657. Copyright 2017 STEALTHBITS TECHNOLOGIES, INC. ALL RIGHTS RESERVED

    Configure the STEALTHbits File Activity Monitor for 7-Mode NetApp ... 67
  Additional NetApp Information ... 73
    Additional NetApp Configuration ... 73
    Changing the FPolicy Heartbeat Interval ... 78
    Service Output Log File ... 79
    Services INI File Configuration ... 80
    Resources Required for NetApp Monitoring ... 81
Chapter 5: Monitoring an EMC VNX/Celerra Host ... 82
  Checklist for VNX/Celerra Implementation ... 82
  Installing the EMC CEE ... 83
  Configure Event Forwarding for EMC VNX/Celerra in the CEE ... 83
  Configure the cepp.conf File on the EMC VNX/Celerra ... 85
  Configure the STEALTHbits File Activity Monitor for EMC VNX/Celerra ... 89
  Additional EMC VNX/Celerra Configuration ... 92
Chapter 6: Monitoring an EMC Isilon Host ... 94
  Checklist for EMC Isilon Implementation ... 94
  Configuring an EMC Isilon Host ... 95
  Configuring Event Forwarding for EMC Isilon in the CEE ... 96
  Configuring Auditing on the EMC Isilon Cluster ... 97
    Option 1: Manually Configure Auditing in the OneFS UI ... 97
    Option 2: Automatically Enable and Configure Auditing ... 99
    Option 3: Manually Configure Auditing in the OneFS CLI ... 100
  Configure the STEALTHbits File Activity Monitor for EMC Isilon ... 101
  Additional EMC Isilon Configuration ... 104
    Host Properties EMC Tab ... 105
    Host Properties Auditing Tab ... 106
Chapter 7: Monitoring a Hitachi Host ... 107
  Configuring Hitachi NAS File Systems for Auditing ... 108
  Configure Access to HNAS Audit Logs on the Windows Server ... 108
  Configure the STEALTHbits File Activity Monitor for Hitachi ... 109
  Additional Hitachi Information ... 112
    Additional Hitachi Configuration ... 113
  Captured Event Examples ... 114

    Create a File ... 114
    Read a File ... 114
    Update a File ... 114
    Change File Permissions ... 114
    Rename a File ... 115
    Delete a File ... 115
    List a Directory ... 115
    Create a Directory ... 115
    Rename a Directory ... 116
    Change Directory Permissions ... 116
    Delete a Directory ... 116
Chapter 8: Additional Configuration Tabs ... 117
  Log Files Tab ... 118
  Path Filtering Tab ... 119
  Account Exclusions Tab ... 120
  Syslog Tab ... 121
  Comment Tab ... 121
Chapter 9: Search Feature ... 122
  Create a Search Query ... 123
  Search Results ... 124
    Permissions Changes ... 125
    Sort Search Results ... 126
    Filter Search Results ... 127
    Exporting Search Results ... 127
  More Information ... 128
Appendix ... 129

Chapter 1: STEALTHbits File Activity Monitor Console Overview

The ability to monitor file access activity across file shares residing on Windows file servers and NAS devices represents both a tremendous gap and opportunity for organizations looking to identify threats, achieve compliance, and streamline operations. The STEALTHbits File Activity Monitor is a simple-to-install and easy-to-use solution which monitors and stores file activity for Windows file servers and NAS devices (NetApp, EMC, Hitachi), without any reliance on native logging. The solution is designed to provide users with:

- Ability to collect all or specific file activity for specific values or specific combinations of values
- Clean, simple user interface to view the results of the queries executed against the data
- Ability to feed file activity data to other STEALTHbits products
  - StealthAUDIT Management Platform
  - StealthINTERCEPT (for NAS file activity)
- Ability to feed file activity data to alternative technologies like SIEM and/or export data in formats which are easy to understand and work with
  - Specifically available for IBM QRadar, the STEALTHbits File Activity Monitor App for QRadar. See the STEALTHbits File Activity Monitor App for QRadar User Guide for additional information.
  - Specifically available for Splunk, the STEALTHbits File Activity Monitor App for Splunk. See the STEALTHbits File Activity Monitor App for Splunk User Guide for additional information.

Prerequisites

The following prerequisite needs to be installed on the STEALTHbits File Activity Monitor Console server and on the Windows server where the agents will be deployed:

- .NET Framework 4.0

The following software versions are required on EMC devices to be monitored:

- EMC Common Event Enabler CEE 6.2.1

NOTE: The STEALTHbits File Activity Monitor leverages the EMC Common Event Enabler (CEE) to deliver activity events from EMC NAS devices. It is recommended to install the CEE on the same host as the Agent, but it can be installed on a different host. If the CEE is installed on the same host, the Agent can configure it automatically.

Supported Platforms

The following supported platforms can be monitored by the STEALTHbits File Activity Monitor:

Supported Platforms for Windows File Servers
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008

Supported Platforms for NAS Devices
- NetApp devices: ONTAP 7.2 (7-Mode and Cluster-Mode)
- EMC Celerra 6.0
- EMC VNX: VNX 7.1, VNX 8.1
- EMC VMAX3
- EMC Isilon OneFS devices: Isilon 7.0, Isilon 7.1, Isilon 7.2
- Hitachi 11.2

Permissions

Permissions for Installing the STEALTHbits File Activity Monitor Console
- Account used must be a member of the BUILTIN\Administrators group

Permissions for Deploying Agents
- Account used must be a member of the BUILTIN\Administrators group

NOTE: If choosing to employ the Enable Archiving option for an agent, the archive location must have read and write permissions.

Permissions for Monitored Hosts
- Windows hosts – Account used must be a member of the BUILTIN\Administrators group
- NAS devices – See the corresponding chapters for the configuration process

Chapter 2: Installation & Configuration

This chapter provides instructions for installing the STEALTHbits File Activity Monitor Console, deploying agents, and general Console settings. For instructions on adding hosts to be monitored, see the corresponding chapter on monitoring the different file system servers/devices.

Port Requirements

The following ports need to be open in order to deploy the STEALTHbits File Activity Monitor agent and remain open for continued communication with the agent. The ports have been identified according to the file system device to be monitored.

STEALTHbits File Activity Monitor Server with Agent Communication
Communication Direction | Protocol
Agent communication     | SMB, WMI

NetApp Cluster-Mode Devices
Communication Direction  | Protocol        | Ports | Description
FPolicy server to NetApp | HTTP (optional) |       |
FPolicy server to NetApp | HTTPS           |       |
NetApp to FPolicy server | FPolicy events  |       |

NetApp 7-Mode Devices
Communication Direction  | Protocol         | Ports                       | Description
FPolicy server to NetApp | HTTP (optional)  | 80                          | ONTAPI
FPolicy server to NetApp | HTTPS (optional) | 443                         | ONTAPI
NetApp to FPolicy server | TCP              | 135-139, dynamic port range | MSRPC over named pipes
                         | TCP              | 445                         | SMB

EMC VNX/Celerra & Isilon Devices
Communication Direction | Protocol | Ports     | Description
Unidirectional          | TCP      | TCP 12228 | CEE Communication

Hitachi Devices
Communication Direction | Protocol
                        | SMB
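Before an agent is deployed it is worth confirming that the firewall openings in the tables above actually exist, rather than discovering a blocked port from an "Installing" status that never completes. The following Python script is an added example, not part of the guide or of the STEALTHbits product: it probes the TCP ports the tables state numerically (the NetApp 7-Mode rows and the EMC CEE row) from whatever host it runs on. The Cluster-Mode and Hitachi rows give no port numbers and the MSRPC dynamic range has no stated bounds, so those are not probed. The device-type keys ("netapp-7mode", "emc-cee"), the direction tags ("to-device", "to-agent"), the direction assumed for the 445 and 12228 rows, and the host name in the usage comment are this example's own assumptions.

```python
"""Outbound TCP reachability check for the ports in the guide's Port Requirements tables.

Added example; not part of the STEALTHbits File Activity Monitor or its documentation.
"to-device" rows are checked by running this on the agent (FPolicy server) host against
the device; "to-agent" rows by running it from the device's network segment against the
agent host, because a TCP connect only verifies the direction it is made in.
"""
import socket
from typing import Dict, List, Tuple

# (description, port spec, direction); ports copied from the guide's tables.
REQUIRED_PORTS: Dict[str, List[Tuple[str, str, str]]] = {
    "netapp-7mode": [
        ("ONTAPI over HTTP (optional)", "80", "to-device"),
        ("ONTAPI over HTTPS (optional)", "443", "to-device"),
        ("MSRPC over named pipes", "135-139", "to-agent"),
        # The guide's table leaves this row's direction blank; assumed to match the MSRPC row.
        ("SMB", "445", "to-agent"),
    ],
    # The guide only says "Unidirectional"; assumed to be toward the host running the CEE/agent.
    "emc-cee": [("CEE communication", "12228", "to-agent")],
}


def expand_ports(spec: str) -> List[int]:
    """'80' -> [80]; '135-139' -> [135, 136, 137, 138, 139]."""
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"bad port range: {spec}")
        return list(range(lo, hi + 1))
    return [int(spec)]


def ports_for(device_type: str, direction: str) -> List[int]:
    """Every individual port number expected for a device type in one direction."""
    ports: List[int] = []
    for _desc, spec, dirn in REQUIRED_PORTS[device_type]:
        if dirn == direction:
            ports.extend(expand_ports(spec))
    return ports


def check_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake with host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, timed out, unreachable, or name resolution failed.
        return False


def check_host(host: str, device_type: str, direction: str, timeout: float = 2.0) -> Dict[int, bool]:
    """Probe each expected port for one device type and direction; returns {port: reachable}."""
    return {port: check_tcp(host, port, timeout) for port in ports_for(device_type, direction)}


def missing_ports(results: Dict[int, bool]) -> List[int]:
    """Sorted list of ports that failed, i.e. the concrete list to hand to the firewall team."""
    return sorted(port for port, ok in results.items() if not ok)


if __name__ == "__main__":
    import sys
    # Usage: python portcheck.py <target> <device-type> <to-device|to-agent>
    # e.g.   python portcheck.py filer01.example.local netapp-7mode to-device   (placeholder host)
    target, kind, dirn = sys.argv[1:4]
    res = check_host(target, kind, dirn)
    for port in sorted(res):
        print(f"{target}:{port:<5} {'open' if res[port] else 'BLOCKED'}")
    sys.exit(1 if missing_ports(res) else 0)
```

A non-zero exit status makes the script usable as a pre-flight gate in a deployment job; a port that answers here but still fails during agent installation points at something other than the network path, such as the account not being in BUILTIN\Administrators.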

STEALTHbits File Activity Monitor Installation

The STEALTHbits File Activity Monitor Console will install with a 10-day, 1-host license key. After the installation is complete, see the Import License Key section for instructions on importing an organization's license key. Complete the following steps to install the STEALTHbits File Activity Monitor Console.

Step 1 – Run the SBFileActivityMonitor executable provided by your STEALTHbits Sales Representative or Support Engineer.

Step 2 – On the End User License Agreement page, accept the License Agreement and click Install.

(Screenshots: Status; Installation Complete)

Step 3 – The installer displays a status page during the installation process. Once installation is complete, click Finish.

The setup wizard will close and the STEALTHbits File Activity Monitor Console will open. See the Import License Key section for instructions on uploading a new key or importing a StealthAUDIT key, if the Console was installed on a server where the StealthAUDIT Management Platform has already been installed.

Import License Key

Once the STEALTHbits File Activity Monitor Console has been installed, it is time to upload an organization's key. The Console will then open to the Agents tab.

For importing the first key, click either the Licensed to: Trial User link in the lower-left corner of the Console or the View License link in the yellow warning bar at the top. This will open the License Information window.

This window provides information on the status of the organization's license, expiration date, and host limit. This is also where a new key can be uploaded prior to license expiration. Click Load New License File and navigate to where the key is located. Select the .lic file, and click Open on the Open window. The selected key will be imported. The License Information window will display information for the new license. The Console will return to the Agents tab and is ready to deploy agents. See the Agents Tab section for additional instructions.

Once a key has expired, the Console will display an Open License File option for importing a new key. The Console will then return to the Agents tab.

Agents Tab

The STEALTHbits File Activity Monitor uses agents to collect events from Windows servers and NAS devices. At least one agent must be installed. The agents can be installed on any Windows server. For Windows devices, agents must be deployed to the desired Windows host to be monitored for activity. For NAS devices, agents must be deployed to a proxy Windows server which will be used as a collection point for the activity data. It is recommended that the proxy Windows server be close to the NAS device in the network to decrease latency. The information needed to deploy the agent is:

- Server name – Either a name or an IP Address can be used
- Credentials – Account used must be a member of the BUILTIN\Administrators group

The Agents tab is comprised of a button bar, a table of servers hosting agents, and an Agent messages box.

The button bar allows users to take the following actions:

- Add Agent – Opens the Add New Agent(s) window to deploy the agent to a single server or to multiple servers at the same time. The following sections provide additional information:
  - Add a Single Agent
  - Add Multiple Agents
- Remove – Opens the Remove agents window where users can choose to remove the hosting server from the table/monitoring and/or uninstall the agent from the hosting server. See the Remove Agents section for additional information.
- Edit – Opens the selected server's properties window to modify the server name or credentials. See the Edit Agents section for additional information.
- Install – Deploy or upgrade an agent to the selected host
- Refresh all – Refresh the status of all agents

The table of servers hosting agents provides the following information:

- Server Name – Name or IP Address of the server hosting an agent
- Status – Status of the deployed agent
- Version – Version of the deployed agent
- Messages – Count of the number of error and warning messages for the selected server
- Archive Location – If archiving is enabled for the agent, displays the archive location
- Archive Size – If archiving is enabled for the agent, displays the archive size

The Agent messages box displays any error or warning messages from the selected agent. These messages will be related to deployment/installation, communication between the Console and the agent, and upgrade of an agent.

Add a Single Agent

Complete the following steps to deploy the agent to a single Windows server.

Step 1 – On the Agents tab, click Add agent to open the Add New Agent(s) window.

Step 2 – On the Install new agent page, enter the Server name to deploy to a single server. Then click Next.

Step 3 – On the Credentials to connect to the server(s) page, specify an account that is a member of the BUILTIN\Administrators group on the server. If using the current user's credentials, leave these fields blank. Click Test to test the connection.

(Screenshots: Successful Connection; Failed Connection)

When the connection is successful, click Next.

Step 4 – Optional, for Windows monitoring only: if desired, check the Enable Windows file activity monitoring after installation checkbox to enable monitoring of all file system activity on the targeted Windows server after installation. Click Next.

Step 5 – Optionally, on the Archiving page, select the Enable archiving for this agent checkbox if it is desired to archive files to a network location. If this checkbox is selected, configure the following options:

- Maximum disk space the agent is allowed to use on the server it is installed on (at least 100MB) – Select the number of megabytes or gigabytes. The default is 5 GB.

- Archive log files on this computer – This radio button is selected by default and will archive the logs on the server hosting this agent.
  - Configure – Click Configure to configure a network share on this computer
    - Directory – Click the ellipsis to open the Browse for Folder window and select a network directory.
    - Share name – Enter the share name for the archives. SFAM will grant read and write access to the share to the computer account of the server the agent is installed on.
    - Grant read access to – Click the ellipsis to open the Specify account or group window and specify the domain and account for the archive.
- Archive log files on a UNC path (e.g. \\host-name.domain.local\share-name) – Click the ellipsis to open the Browse for Folder window and select the UNC path
  - User name/User password – Specify credentials to access the network share. Leave the credentials blank to access the share using the computer account of the server on which the agent is installed
  - Test – Click Test to test the connection to the network share

If enabled, the archiving location is displayed on the Agents tab, along with the archive size. See the Permissions section for additional information.

Click Next.

Step 6 – Optional, for EMC Celerra and EMC Isilon monitoring only: select the CEE event delivery mode on the EMC CEE Options page:

- Synchronous real-time delivery
- Asynchronous bulk delivery (VCAPS) – Recommended delivery mode. Specify how often events are delivered by CEE:
  - Every [number] seconds (from 60 to 600) – Default is 60 seconds
  - or every [number] events – Default is 100 events

If CEE is not installed on the host acting as the Windows proxy server, an error message is displayed on the page and no activity can be collected by this agent for EMC Celerra or EMC Isilon devices.

Step 7 – Click Finish. The Add New Agent(s) window will close, and the agent will be deployed to and installed on the target host.

During the installation process, the status will be Installing. If there are any errors, the STEALTHbits File Activity Monitor will stop the installation and list the errors in the bottom box.

When the agent installation has completed, the status will change to Installed and the agent version will populate.

If an agent fails to move the files to the specified location, an error is shown in the agent list.

The next step is to add hosts to be monitored. See the Monitored Hosts Tab section for additional information.

Add Multiple Agents

Complete the following steps to deploy the agent to multiple Windows servers.

Step 1 – On the Agents tab, click Add agent to open the Add New Agent(s) window.

Step 2 – On the Install new agent page, click the install agents on multiple hosts link to deploy agents to multiple hosts. The Install agents on multiple hosts page will open.

Step 3 – Windows hosts can be entered as either a name or an IP Address. There are two (2) methods for adding multiple hosts: manual entry or importing a list.

Manual Entry

(Screenshots: Host name or IP address window; Multiple Servers for Agent Deployment)

Click Add server. The Host name or IP address window will open.

Enter the servers, separating the hosts with spaces, commas, or semicolons. Optionally, a multi-line list can be pasted into this textbox. When the servers have been entered, click OK. The Host name or IP address window will close and the identified servers will be in the list.

Import a List

(Screenshots: Import from file window; Multiple Servers for Agent Deployment)

Click Import. The Import from file window will open.

Enter the file path, or use the ellipsis (...) button to open a browser window to navigate to the file.

Identify the Separator used in the file (Comma, Semicolon, Tab, or Space). This is set to Comma for CSV format by default.

If the first row of the file contains column headers, check the First row contains field names checkbox. If there are no column headers, uncheck this box.

A preview of the selected file will appear in the box. Select the column with the host names.

Click OK. The Import from file window will close and the identified servers will be in the list.

NOTE: The Remove button on the Install agents on multiple hosts page will remove the selected host from the list of servers to which agents are to be deployed.
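Both entry methods described above (a pasted list separated by spaces, commas, semicolons or line breaks, and a delimited file with an optional header row from which one column is chosen) are easy to get wrong when the list comes from a CMDB export. The Python module below is an added example, not code from the STEALTHbits product: it reproduces the two parsing rules so a host list can be checked before it is pasted into the Console. The SAMPLE_CSV content is constructed for illustration, and the syntax check (an IP address, or host labels in RFC 1123 form) is this example's own addition rather than a rule the guide states.

```python
"""Parse host lists the way the Add New Agent(s) window accepts them.

Added example, not code from the STEALTHbits File Activity Monitor. Mirrors the two
entry methods the guide describes: manual entry (hosts separated by spaces, commas,
semicolons or line breaks) and file import (delimiter-separated text with an optional
header row, from which one column holds the host names). The syntax check is this
example's own addition; the guide does not state validation rules.
"""
import csv
import io
import ipaddress
import re
from typing import List, Tuple

# Separator names as shown in the Import from file window, mapped to delimiter characters.
SEPARATORS = {"Comma": ",", "Semicolon": ";", "Tab": "\t", "Space": " "}

# One DNS label: 1-63 characters, letters/digits/hyphen, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample of a CMDB export; not data from the guide.
SAMPLE_CSV = (
    "server,role,site\n"
    "fs01.example.local,file server,NYC\n"
    "10.0.5.21,file server,NYC\n"
    "nas-proxy01,NAS proxy,NJ\n"
    "bad_host,decommissioned,NJ\n"
)


def is_valid_host(value: str) -> bool:
    """Accept an IPv4/IPv6 address or a host name / FQDN made of valid labels."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if not value or len(value) > 253:
        return False
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def _dedupe(hosts: List[str]) -> List[str]:
    """Drop repeats case-insensitively while keeping first-seen order."""
    seen, out = set(), []
    for h in hosts:
        key = h.lower()
        if key not in seen:
            seen.add(key)
            out.append(h)
    return out


def parse_manual_entry(text: str) -> List[str]:
    """Split on spaces, commas, semicolons and line breaks, as the Host name or IP address window does."""
    return _dedupe([t for t in re.split(r"[\s,;]+", text) if t])


def parse_import_file(content: str, separator: str = "Comma",
                      first_row_has_headers: bool = True,
                      host_column: int = 0) -> List[str]:
    """Read one column of delimiter-separated text, skipping a header row when told to."""
    reader = csv.reader(io.StringIO(content), delimiter=SEPARATORS[separator])
    rows = [r for r in reader if any(cell.strip() for cell in r)]  # ignore blank lines
    if first_row_has_headers:
        rows = rows[1:]
    hosts = []
    for row in rows:
        if host_column < len(row) and row[host_column].strip():
            hosts.append(row[host_column].strip())
    return _dedupe(hosts)


def split_valid_invalid(hosts: List[str]) -> Tuple[List[str], List[str]]:
    """Partition a host list so invalid entries can be fixed before deployment."""
    valid = [h for h in hosts if is_valid_host(h)]
    invalid = [h for h in hosts if not is_valid_host(h)]
    return valid, invalid


if __name__ == "__main__":
    good, bad = split_valid_invalid(parse_import_file(SAMPLE_CSV))
    print("deployable:", good)
    print("needs attention:", bad)
```

Deduplicating case-insensitively matters because the Console treats each list entry as a separate deployment target; feeding it "FS01" and "fs01" from two exports would attempt the same server twice.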

Step 4 – On the Credentials to connect to the server(s) page, specify an account that is a member of the BUILTIN\Administrators group on the server. If using the current user's credentials, leave these fields blank. Click Test to test the connection.

(Screenshots: Successful Connection; Failed Connection)

When the connection is successful, click Next.

STEALTHbits File Activity MonitorStep 5 – Optional for Windows monitoring only, if desire
