Secret Server Syslog Integration Guide

Secret Server

Syslog Integration Guide

Table of Contents

Meeting Information Security Compliance Mandates: Secret Server and Syslog Integration ... 1

The Secret Server Approach to Privileged Account Management: ... 1

Risks and Benefits ... 1

Secret Server Syslog Explained ... 2

Secret Server’s Reported Events ... 2

Secret Server Data Fields ... 2

Conclusion ... 6

About Thycotic Software ... 6

Pag

e

1

Meeting Information Security Compliance Mandates: Secret Server and

Syslog Integration

Leveraging Secret Server event data with SIEM and Log Management solutions can give organizations deep insight into the use of privileged accounts (such as Windows local administrator, service or application accounts, UNIX root accounts, Cisco enable passwords, and more). Used together, these tools provide secure access to privileged accounts and provide greater visibility to meet compliance mandates and detect internal network threats.

The Secret Server Approach to Privileged Account Management:

Many environments that have strict Information Security policies also require methods to control and monitor access to privileged accounts. Enterprises often apply security policies such as physical access restrictions to hardware, network firewalls, appropriate-use guidelines, and user account restrictions. In the case of privileged accounts, access is more difficult to track and verify. Implementing privileged account management software such as Secret Server enables organizations to strictly control and track access.

Enterprises that implement Secret Server gain the ability to grant or deny granular access to critical systems. When access is granted, use of that access is tracked based on a wide range of events. While alerting is a core feature within Secret Server, managing real-time events on the aggregate can be cumbersome. Leveraging tools to manage these real-time events allows users to build customized risk analysis into their privileged account management policies. Mitigating internal privilege account threats helps organizations meet compliance requirements like Sarbanes-Oxley Act (SOX), Payment Card

Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Information Security Management Act (FISMA).

Risks and Benefits

Unmanaged privileged accounts often enjoy unchecked access across a wide array of systems, networks, and databases. Unmitigated top-level access, in the wrong hands, can be devastating to an

organization. The potential for liability is not limited to internal data and productivity loss, but can include criminal and civil penalties for unauthorized disclosure of private or regulated informationi_. Implementing an enterprise-level privileged account management system (Secret Server) with a real-time event management system or log management solution allows organizations to mitigate risk. Critical systems can only be accessed by pre-defined users. IT Security Auditors are able to track access based on the needs of the enterprise.

Pag

e

2

Secret Server Syslog Explained

Secret Server’s detailed Syslog currently contains 44 different events tracking more than 20 unique data fields.

Secret Server’s Reported Events

Table 1, on the following page, is a complete list of events in Secret Server’s Syslog. Both the Event Name and Event ID are contained in the log as well as the data fields that apply to the event.

Secret Server Data Fields

Table 2, on the following page, is a complete list of data fields in Secret Server’s Syslog. Only Data Fields relevant to the Event ID are included in the log. Some log entries may differ in terms of their field content, see examples below.

Example Event #1:

In this event, the Local Administrator account in Secret Server has edited the secret for a Brother Printer:

Jan 08 17:15:04 THY221 CEF:0|Thycotic Software|Secret

Server|8.4.000000|10005|SECRET - EDIT|2|msg=[SecretServer] Event: [Secret] Action: [Edit] By User: Local Administrator Item Name: Brother HL-5370DW Container Name: Printers suid=2 suser=Local Administrator src=192.168.0.10 rt=Sep 06 2012 17:15:02 fname=Brother HL-5370DW fileType=Secret fileId=2 cs3Label=Folder cs3=Printers

Example Event #2:

In this event, the Local Administrator account in Secret Server has enabled Unlimited Administrator Mode:

Jan 08 15:43:10 THY221 CEF:0|Thycotic Software|Secret

Server|8.4.000000|10014|UNLIMITEDADMIN - ENABLE|4|msg=[SecretServer] Event: [Unlimited Administrator] Action: [Enable] By User: Local Administrator suid=2 suser=Local Administrator src=192.168.0.10 rt=Sep 05 2012 15:43:05

Pag

e

3

Table 1 - Event Name Event

Id System Log 500 USER - CREATE 1 USER - DISABLE 2 USER - ENABLE 3 USER – LOCKOUT 4 USER - ADDEDTOGROUP 5 USER - REMOVEDFROMGROUP 6 FOLDER - CREATE 7 FOLDER - DELETE 8 ROLE - CREATE 9 ROLE - ASSIGNUSERORGROUP 10 ROLE - UNASSIGNUSERORGROUP 11 ROLEPERMISSION - ADDEDTOROLE 12 ROLEPERMISSION - REMOVEDFROMROLE 13 FOLDER - EDITPERMISSIONS 14 CONFIGURATION - EDIT 15 USER - LOGIN 16 USER - LOGOUT 17 USER - LOGINFAILURE 18 USER - PASSWORDCHANGE 19 SECRET - CREATE 10001 SECRET - DELETE 10002 SECRET - UNDELETE 10003 SECRET - VIEW 10004 SECRET - EDIT 10005 SECRET - LAUNCH 10006 SECRET - HEARTBEATFAILURE 10007 SECRET - DEPENDENCYFAILURE 10008 SECRET - EXPIREDTODAY 10009 SECRET - EXPIRES1DAY 10010 SECRET - EXPIRES7DAYS 10011 SECRET - EXPIRES15DAYS 10012 SECRET - EXPIRES3DAYS 10013 UNLIMITEDADMIN - ENABLE 10014 UNLIMITEDADMIN - DISABLE 10015 EXPORTSECRETS - EXPORTED 10016

Pag

e

4

IMPORTSECRETS - IMPORTED 10017

USERAUDIT - EXPIRENOW 10018

SECRET - SESSION RECORDING VIEW 10019

SECRET - COPY 10020

SECRETTEMPLATE - CREATE 10021

SECRETTEMPLATE - EDIT 10022

SECRETTEMPLATE - TEMPLATE COPIED FROM 10023

LICENSES - EXPIRES30DAYS 10024 SECRET - CHECKIN 10025 SECRET - CHECKOUT 10026 POWERSHELLSCRIPT - CREATE 10027 POWERSHELLSCRIPT - DEACTIVATE 10028 POWERSHELLSCRIPT - EDIT 10029 POWERSHELLSCRIPT - REACTIVATE 10030 POWERSHELLSCRIPT - VIEW 10031 SECRET - HEARTBEATSUCCESS 10032 SECRET - HOOKFAILURE 10033 SECRET - HOOKSUCCESS 10034 SECRET - HOOKCREATE 10035 SECRET - HOOKEDIT 10036 SECRET - HOOKDELETE 10037 SECRET - CUSTOMAUDIT 10038 SECRET - PASSWORD_DISPLAYED 10039 SECRET - PASSWORD_COPIED_TO_CLIPBOARD 10040 SECRET - EDIT_VIEW 10041

SECRETTEMPLATE - FIELD ENCRYPTED 10042

SECRETTEMPLATE - FIELD EXPOSED 10043

SECRET - ACCESS_APPROVED 10044 SECRET - ACCESS_DENIED 10045 SECRET - CUSTOM_PASSWORD_REQUIREMENT_ADDED 10046 SECRET - CUSTOM_PASSWORD_REQUIREMENT_REMOVED 10047 SECRET - DEPENDENCY_DELETED 10048 SECRET - DEPENDENCY_ADDED 10049 GROUP - OWNERS_MODIFIED 10050 SECRETPOLICY - CREATE 10051 SECRETPOLICY - EDIT 10052 FOLDER - SECRETPOLICYCHANGE 10053 SECRET - SECRETPOLICYCHANGE 10054

Pag

e

5

Table 2 - Event Definition Data

Field

User ID being viewed or changed duid

User name being viewed or updated duser

User ID of user performing action suid

Username of user performing action* suser

Description of audit action msg

Current Version of Secret Server Version

Human readable name of event Name

The Priority of event Priority

Name of company Vendor

Name of product Product

Description of audit action Message

Time of event rt

IP Address of client machine src

Name of item action was taken on fname

Type of item action was taken on fileType

ID of item action was taken on fileId

Name of Role modified cs1

"Role" cs1label

Name of User or Group added to role cs2

"Group" or "User" cs2label

Name of Folder containing Secret cs3

"Folder" cs3label

Display name of user performing action* cs4

"suser Display Name"* cs4label

* The cs4 and cs4label data fields were added in Secret Server version 8.8. Prior to version 8.8, the suser data field contained the display name of the user performing the action. The user’s display name value has been moved to the cs4 data field and the suser data field now contains the performing user’s username.

Pag

e

6

Conclusion

Organizations that need to meet strict compliance requirements can implement privileged account management and real-time event analysis using Secret Server and a SIEM or Log Management solution. Integrating these two technologies allows enterprises to both manage their privileged accounts and correlate and reduce security threats within a network.

About Thycotic Software

Thycotic Software, Ltd., a Washington DC-based company, is committed to providing password and AD group management solutions to IT administrators worldwide. With over 30,000 IT professionals using our IAM tools, Thycotic helps securely manage all credentials critical to an organization’s operations.

About Secret Server

Secret Server is an enterprise password management tool that is used to store, distribute, monitor, and update privileged/shared account passwords in a central, web-based location. For more information, visit http://thycotic.com/products/secret-server/.

Note: Terminology used in this document is based on the SANS Glossary of Security Terms available at

http://www.sans.org/security-resources/glossary-of-terms/

i _{Imation Compliance Heat Map}