Guide to Templates Event Manager 6 - HelpSystems


Guide to Templates
Event Manager 6.6

Copyright Terms and Conditions

Copyright Help/Systems LLC and its group of companies.

The content in this document is protected by the Copyright Laws of the United States of America and other countries worldwide. The unauthorized use and/or duplication of this material without express and written permission from HelpSystems is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to HelpSystems with appropriate and specific direction to the original content. HelpSystems and its trademarks are properties of the HelpSystems group of companies. All other marks are property of their respective owners.

202206090204

Guide to Templates    www.helpsystems.com

Event Manager - Overview

Online businesses have to deal with an ever-increasing number of security threats and a lot of regulations. More and more systems and applications have to comply with several compliance regulations or best practices from certification authorities or governments, such as PCI, SOX, Cobit, ISO and so on. The compliance or noncompliance of systems and applications with these regulations also has effects on business services. Even though a business service is available from the IT point of view, it may have security issues, such as unauthorized access.

Event Manager keeps track of many different points of system access, activity and events and notifies the appropriate security personnel or system administrators so that action can be taken before the business is impacted. Because it gathers audit information from multiple operating systems, applications, and devices, it keeps all of your security monitoring in a single location.

What is Event Manager?

Event Manager allows companies to establish this relationship between security compliance and business services and processes. It also provides Information Security departments with an innovative tool for managing projects, audits and key indicators.

Event Manager is different from the other modules: rather than monitoring business processes, services and applications, its configuration provides the auditing and verification of security protocols that need to be enforced across your business environment assets and a wide range of operating systems.

What does it do?

Event Manager bridges the gap between the system administrator(s) and the automated everyday processes within your business to ensure that the correct procedures and policies are followed. It does this by deploying an extensive range of collectors across key servers or points of system access and applying rules to key points of access and control within your systems so that security personnel are promptly notified of any possible issues.

How does it work?

There are three areas of configuration within Event Manager that combine to produce your 'defense mechanism' against security threats that originate from many different sources. That is the key to using the software. All of your information, regardless of platform, can be viewed in one place in the same standardized format, reducing the skills and training expense associated with multiple systems.

• Assets: These are the servers, applications, devices or anything else from which audit data can be retrieved and which can be configured for security monitoring purposes.
• Actions: Defines what happens in the event of, for example, unexpected system logons, deletion of critical system data, or repetitive or suspicious activity on a system.
• Controls: Defines the criteria and rules by which the actions are generated and allows you to determine what is relevant and what is irrelevant from the thousands of security-related events that are generated every day across your network enterprise.

By using the three configuration areas above you can determine:

• Threats: Helps you identify the real security risks to the health of your business. These are events that are unexpected or unusual, such as someone creating a user login in the middle of the night or out of normal working hours.
• Highlighted Events: These are events that you are expecting, such as a system administrator creating and deleting user profiles, which you still want to keep a check on.
• Incidents: These are events that indicate that an organization's systems or data have been compromised or that measures put in place to protect them have failed. They should be manually categorized by the Security Analyst during the revision process.

Ease of use

Event Manager can be quickly deployed by implementing pre-defined templates, available across the major operating platforms used by many businesses. The templates allow you to apply an 'out-of-the-box' solution that can then be fine-tuned to your specific business requirements and operating environment.

Which security protocols can be checked for compliance?

Event Manager is capable of auditing / checking compliance with the following security protocols:

• BCRA - Banco Central de la Republica Argentina
• C-TPAT - Customs Trade Partnership Against Terrorism
• COBIT - Control Objectives for Information and Related Technology
• COPPA - Children's Online Privacy Protection Act
• DCGK - Deutsche (German) Corporate Governance Kodex
• EFTA - Electronic Fund Transfer Act
• FACTA - Fair and Accurate Credit Transactions Act
• FAST - Free And Secure Trade Program
• FISMA - Federal Information Security Management Act
• FRCP - Federal Rules of Civil Procedure
• GDPR - EU General Data Protection Regulation
• GLB - Gramm-Leach-Bliley Act
• HIPAA - Healthcare Insurance Portability and Accountability Act
• HITECH - Health Information Technology for Economic and Clinical Health
• ISO - Security Regulation
• LOPD - Ley Orgánica de Protección de Datos
• LSF - Loi de Sécurité Financière
• MaRisk - Security Regulation
• NERC - North American Electric Reliability Corporation
• PCI DSS - Payment Card Industry Data Security Standard
• PSQIA - Patient Safety and Quality Improvement Act
• SOX - Sarbanes Oxley
• Internal Regulation - Bespoke Internal Compliance Requirement

Any security protocol that applies to the asset can be applied through the Security Attributes setting.

Supported OS Versions

This product does not ensure the correct auditing of software versions that are not currently supported by the manufacturers.

Windows Audit

Overview

Event Manager utilizes the features of Windows Audit in order to provide information regarding Windows security events.

NOTE: The following section assumes an installation of Windows Server 2012. Screens and options may be different in later versions. Please refer to your Windows documentation or your systems administrator for more information.

Minimum Requirements

• Event Manager Windows Template requires Windows Server 2008 or higher.
• Permission to remotely read the event log (see below).

Windows Event Log

The Event Log system service logs event messages that are generated by programs and by the Windows operating system. Event log reports contain information that you can use to diagnose problems. You view reports in Event Viewer. The Event Log service writes events that are sent to log files by programs, by services, and by the operating system. The events contain diagnostic information in addition to errors that are specific to the source program, the service, or the component.

Event Manager can retrieve these logs programmatically through the event log APIs, which have the following requirements for accessing a remote computer's event logs:

IMPORTANT: The remote computer must be available and the appropriate Windows Firewall rules must be enabled on the remote computer.

To enable the appropriate Windows Firewall rules on the remote computer, open the Windows Firewall with Advanced Security snap-in and enable the following inbound rules:

• COM Network Access (DCOM-In)
• All rules in the Remote Event Log Management group

These rules correspond to the following protocol and ports.

Application rule                           Protocol   Ports
COM Network Access (DCOM-In)               TCP        135
Remote Event Log Management (NP-In)        TCP        445
Remote Event Log Management (RPC)          TCP        RPC Dynamic Ports
Remote Event Log Management (RPC-EPMAP)    TCP        RPC Endpoint Mapper

NOTE: The RPC Dynamic ports range usually goes from 49152 to 65535, but it may be different depending on the Windows version you are running. Use the command "netsh int ipv4 show dynamicport tcp" to verify. The RPC Endpoint Mapper dynamically assigns a port number to the client (in this case, Event Manager).

TIP: You can test these settings by using Event Viewer in an MMC snap-in from the Event Manager system, because it has the same requirements. Open Event Viewer and use the option Connect to Another Computer from the Action menu.

Additional Configuration

Configuration is required to be able to use the User Inactivity Datasource on Windows servers.

IMPORTANT: If you use this datasource for a Windows 2008 Server, it is necessary to upgrade to PowerShell version 3 or greater on the remote Windows 2008 machine.

Windows systems

Validate access to administrative shares in the Remote Host

Administrative shares are a special feature of Windows NT servers that allow access to local drives as "hidden" shared resources by default, but they are limited to administrative accounts. Security policies sometimes disable administrative shares.

The remote command execution actions need access to the ADMIN share, which represents the Windows installation path on the remote machine (by default it is C:\Windows). To check if the administrative share is enabled, try to log on to the remote admin folder from the Event Manager host using Windows Explorer.

Validate Remote Service Manager Access in the Remote Host

The Service Manager of the remote host needs to be accessed from the Event Manager host. To check if the remote Service Manager is accessible, open your local service manager from the Event Manager host (you can do this by running the services.msc command), then right-click on the services tree and select "connect to another computer".

After entering the credentials, you should be able to see the services tree of the remote machine.
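The firewall, event log, administrative share and Service Manager checks described above can be scripted instead of clicked through. The PowerShell below is an added example, not part of the HelpSystems guide; the function names and the host name SRV-FILE01 are placeholders, and it assumes Windows PowerShell 5.1 and an account that is an administrator on the remote machine.

```powershell
# Added example (not from the HelpSystems guide). Targets Windows PowerShell 5.1.
# Function names and 'SRV-FILE01' are placeholders chosen for this example.

# Run ON THE REMOTE (audited) computer, elevated: enable the inbound rules
# listed above. Windows displays the DCOM rule as "COM+ Network Access (DCOM-In)".
function Enable-RemoteEventLogRules {
    Enable-NetFirewallRule -DisplayName  'COM+ Network Access (DCOM-In)'
    Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'

    # Show the resulting state so the change can be recorded.
    Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management', 'COM+ Network Access' |
        Select-Object DisplayName, Enabled, Direction
}

# Run ON THE EVENT MANAGER HOST, as the account Event Manager will use.
function Test-EventManagerPrerequisite {
    param([Parameter(Mandatory)][string]$RemoteHost)

    $report = [ordered]@{ Host = $RemoteHost }

    # Fixed ports from the table: 135 (DCOM-In / endpoint mapper) and 445 (NP-In).
    foreach ($port in 135, 445) {
        $probe = Test-NetConnection -ComputerName $RemoteHost -Port $port `
                     -WarningAction SilentlyContinue
        $report["Tcp$port"] = $probe.TcpTestSucceeded
    }

    # Remote event log read: the same requirement as Event Viewer's
    # "Connect to Another Computer". A failure here with 135 open usually
    # points at the RPC rules or at missing read permission on the log.
    try {
        Get-WinEvent -ComputerName $RemoteHost -LogName Security -MaxEvents 1 `
            -ErrorAction Stop | Out-Null
        $report.SecurityLogReadable = $true
    } catch {
        $report.SecurityLogReadable = $false
        $report.SecurityLogError    = $_.Exception.Message
    }

    # Administrative share used by the remote command execution actions.
    $report.AdminShare = Test-Path -LiteralPath ('\\{0}\ADMIN$' -f $RemoteHost)

    # Remote Service Manager: query one service through the remote SCM.
    $null = sc.exe "\\$RemoteHost" query eventlog
    $report.ServiceManager = ($LASTEXITCODE -eq 0)

    [pscustomobject]$report
}

Test-EventManagerPrerequisite -RemoteHost 'SRV-FILE01' | Format-List
```

The dynamic RPC port range itself is a property of the remote machine, so the netsh command from the note above still has to be run there.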

Windows Administrative Tools

When logged onto the Windows Server as an administrator, select the Administrative Tools option. From the pop-up menu, select Group Policy Management.

You can now view the individual security policies by expanding the Forest option and selecting a domain. This provides access to the Default Domain Policy.

There are two options available for Security Policies on the Domain Controller.

• Domain Controller Security Policy
• Domain Security Policy

This is because the server shown in the example is a Domain Controller Server (DC Server). If you were on a Member Server, only the category called Local Security Policy would be available. Both show the same Audit categories as those in the screen shot below:

Types of Audit Policies

Local Security Policy MMC

This interface is used to configure security settings that apply only to the local computer. It is accessed via the Administrative Tools menu in the Control Panel.

Local settings include: password policy, account lockout policy, audit policy, IPsec policy, user rights assignment, as well as others. Local Security Policy is not used on domain controllers; they are governed by the Domain Controller Security Policy.

Default Domain Security Settings

This interface is used to set security policies for all computers in a domain. These settings override the Local Computer Policy settings for domain members if there is a conflict between the two. This interface is accessed via the Group Policy tab in the Properties of the domain node in Active Directory Users and Computers (Administrative Tools menu).

Domain Controller Security Settings

This interface is used to configure security settings for the domain controllers in the domain. These settings take precedence over the Domain Security Policy for DCs. This interface is accessed by logging onto the domain controller as an admin user and selecting Domain Controller Security Policy from the Administrative Tools menu.

Regardless of the scope of the policy, the Audit Policy is the branch of the tree which allows the enabling of all the categories to be logged in the Event Log.

For Event Manager to be fully operational, you will only need to enable certain audit policies on all DCs and on each important member server, such as a sensitive File Server.

These audit policies are:

• Audit Account Management: Success/Failure
• Audit Logon Events: Success/Failure
• Audit Policy Change: Success/Failure
• Audit System Events: Success/Failure

WARNING: There are two policies that Event Manager does not use. However, in order to get Windows to generate audit policy change events correctly, you must set these policies to NO AUDITING. If Audit Privilege Use and Audit Process Tracking are left set to Not Defined, Windows will inform you that these categories are enabled for both success and failure when an audit policy change event is generated.

How to Enable Windows File System Auditing

Step 1: Enable the Audit Policy

1. On the required Windows server, open the Domain Controller (DC) and update the Group Policy (GPO) to enable file auditing.

2. Right-click on the Group Policy you want to update or create a new GPO for file auditing. In the right-click menu, select Edit to go to the Group Policy Editor.

3. In the Group Policy Editor, click through to Computer Configuration > Policies > Windows Settings > Local Policies. Click on Audit Policy.

   You can add many auditing options to your Windows Event Log. The option for file auditing is the Audit object access option.

4. Double-click Audit object access and set it to both success and failure.

5. To enable your new GPO, go to a command line and run 'gpupdate /force'.

6. Verify that your policy is set correctly with the command 'gpresult /r' on the computer that you want to audit.

Step 2: Apply Audit Policy to Files and/or Folders

You now need to tell Windows exactly which files and/or folders you want to audit. Here is the procedure to set auditing up for your folders.

1. Right-click the file or folder in Windows Explorer. Select Properties.

2. Change to the Security tab and click Advanced.

3. Click the Auditing tab and then Continue.

4. Add the Users or Groups that you want to audit and check all of the appropriate boxes.

Step 3: Open Event Viewer

Once you have enabled the Auditing GPO and set the file/folder auditing, you will see audit events in the Security Event Log in Windows Event Viewer.

The events can now be monitored with the appropriate Event Manager Windows templates.
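Steps 2 and 3 above can also be applied and verified from a script, which helps when many folders need the same audit entry. The PowerShell below is an added example, not part of the HelpSystems guide; the folder path, the audited principal and the choice of audited rights are assumptions made for the example, and it must run elevated on the audited server (Windows PowerShell 5.1).

```powershell
# Added example (not from the HelpSystems guide). Run elevated on the audited
# server. The path, principal and rights below are placeholders/assumptions.
param(
    [string]$Path     = 'D:\Shares\Finance',
    [string]$Identity = 'Everyone'
)

# Step 1 check: confirm that "Audit object access" reached this machine
# after 'gpupdate /force' (File System should show Success and Failure).
auditpol.exe /get /category:"Object Access"

# Step 2: build the entry the Auditing tab would create. Reads are left out
# on purpose to keep the Security log volume manageable (an assumption;
# audit whatever your policy requires).
$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$outcome   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $Identity, $rights, $inherit, $propagate, $outcome)

# -Audit is required, otherwise the SACL is not read and would not be kept.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Show the audit entries now present on the folder.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# Step 3: create and delete a probe file, then look for the matching
# event 4663 ("An attempt was made to access an object") in the Security log.
$leaf = 'em-audit-probe-{0}.tmp' -f ([guid]::NewGuid().ToString('N'))
$file = Join-Path -Path $Path -ChildPath $leaf
Set-Content -LiteralPath $file -Value 'probe'
Remove-Item -LiteralPath $file
Start-Sleep -Seconds 2

$events = Get-WinEvent -FilterHashtable @{
              LogName   = 'Security'
              Id        = 4663
              StartTime = (Get-Date).AddMinutes(-2)
          } -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -like "*$leaf*" }

if ($events) {
    $events | Select-Object TimeCreated, Id, MachineName
} else {
    Write-Warning "No 4663 event found for $leaf; check the audit policy and the folder's audit entries."
}
```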

IBM i Audit

Overview

Usually, security policies are implemented using the built-in IBM i tools, the most important of these being the embedded, object-based authorization system. Granting or revoking object access to certain users can secure the system, but there are nevertheless many different ways in which a user can circumvent the authorization system. Here are some examples:

• The application can have undetected holes within its security authorization scheme
• Programs may inherit access privileges that are higher than those of the individual user
• A user can get access to an unsecured command that can grant them more privileges
• A password for a powerful user profile can be obtained or left in use on an unattended terminal
• A programmer may use an unauthorized interface such as a Data File Utility (DFU) to modify a sensitive file

No matter how well designed and deployed you believe your security auditing schema to be, you must verify that nothing can compromise it. For example, something as simple as a system value change may render your security schema useless. Modern hackers use various techniques to pose as employees, system administrators or help desk personnel to get user names and passwords from innocent users. Also, consider the case of the dissatisfied employee who may be tempted to delete application objects or copy confidential data and publish it on a website.

The Event Manager IBM i template uses IBM auditing mechanisms to provide you with real-time and historical system auditing and detects any activity that you consider to be suspicious. You can set customized policies at a very detailed level, receive real-time alerts and automatically execute actions when a problem arises (such as disabling access for a particular user). This helps you continuously evaluate your security planning and policies, identify weaknesses and cover limitations, specifically:

• Ensure that your security policy adequately protects your company's resources
• Detect unauthorized attempts to access your system and your company's confidential data
• Detect attempted security violations and application problems relating to authorizations
• Reduce average time for problem resolution
• Detect system vulnerabilities
• Plan migration to a higher security level
• Monitor the use of sensitive objects, such as confidential files

IBM i Security Auditing

IBM i can log security events that occur on your system. These are recorded in special objects called journal receivers.

The security auditing function is optional, so you must take specific steps to set it up. Please refer to your IBM i documentation for guidance on how to do this. System values and specific commands control which events are logged.

IBM i Auditing Issues

The configuration of IBM i auditing is not an easy task. There are many commands, system values, and interrelations that need to be taken into consideration. Also, due to a lack of filter support, there is a large amount of raw data to deal with.

There is also a lack of built-in real-time monitoring: only reporting is readily available, and even the most up-to-date information is available only at a daily frequency.

As auditing is not directly linked to any actions, it is often too late to resolve any problems once they have occurred.

Using the Event Manager IBM i template removes the complexities of configuration, allows for corrective actions to be taken in near real-time and provides an easy-to-use interface for working with IBM i auditing. The template provides:

• Filter options, thus reducing the amount of data collected.
• Enrichment of auditing messages to provide more detailed information to system operators/administrators.
• Integration with the message console.

IBM i Auditing Planning

When planning what to audit on your IBM i, you can use two different areas:

• Action auditing.
• Object auditing.

Action Auditing

Action auditing logs system-wide, security-relevant events. Action auditing is available at system level and/or user level. Examples include:

• User profile changed.
• User profile created.
• Object restore.
• Actions to spooled files.

Object Auditing

Object auditing logs specific object-related, security-relevant events. Object auditing is also available at system level and/or user level. Examples include:

• Only for Object Changes.
• All Accesses to Object.

IBM i Template System Requirements

The following system requirements must be in place in order for the Event Manager IBM i template to operate correctly:

Either:

• Powertech SIEM Agent for IBM i installed

or

• VMC IBM i Security Agent installed and the User Inactivity Monitors running.

The minimum IBM i module entries to be configured are:

Entry Type   Condition Type   Filter Expression
CA           *INCLUDE         TRIM(COPY(&JRNSTRING,21,8)) IN {‘*AUTL’}
CO           *INCLUDE         TRIM(COPY(&JRNSTRING,21,8)) IN {‘*AUTL’}
CP           *NONE            No Filter
DO           *INCLUDE         TRIM(COPY(&JRNSTRING,21,8)) IN {‘*AUTL’,’*USRPRF’}
DS           *NONE            No Filter
JS           *INCLUDE         (TRIM(COPY(&JRNSTRING,2,1)) ‘I’) AND (TRIM(COPY(&JRNSTRING,1,1)) IN {‘S’,‘E’,’I’}
NA           *NONE            No Filter
PA           *NONE            No Filter
PW           *NONE            No Filter
RP           *NONE            No Filter
ST           *NONE            No Filter
SV           *NONE            No Filter

• Client Access (32-bit) installed at the Event Manager Monitoring Node
• ODBC access to the IBM i
• A user profile with permissions to query the B DETECTOR/BDHST02X must be available

IBM i Security Intrusion Detection Audit

Overview

The intrusion detection and prevention system (IDS) notifies you of attempts to hack into, disrupt, or deny service to the system. IDS also monitors for potential extrusions, where your system might be used as the source of the attack. These potential intrusions and extrusions are logged as intrusion monitor audit records in the security audit journ
