AuditExpress User Guide

Table Of Contents

Registration
Why purchase?
How to Purchase
Fax a Purchase Order
Support and Maintenance
Contact Us
Purchasing and Registering
Sales
Licensing
Fax a Purchase Order
Support and Maintenance
Contacting Us
Agent and Agentless Auditing
Privileged Agent
Connecting to Remote Systems
Credentials
Proxying connections through a Firewall
Connecting to a UNIX Server without Agent Software
Troubleshooting
Agent Access Groups
Configuring Windows Agents
Installation
Active Directory
No Active Directory
Use Local System Policy
Edit the Registry Manually
Configuring UNIX Agents
Installation
Configuration
Parts of the Main Window
Audit
Audit Tab
Policy
Login and Password
Status
Host Info Dialog Box
Info Tab
Connect Tab
Importance Tab
Edit Machine List
Connect Tab
Login For Target Computer
Connection method to the target computer
Proxy
Delegation Tab (database machine lists only)
Importance Tab
Members Tab
Policies
Policies Tab
Creating a New Policy
Creating a Policy from an Existing Policy
Editing a Policy
Deleting a Policy
Scheduler
Scheduler Tab
Task Options and Scheduling
List Tab
Schedule Tab
Select a Schedule
Options Tab
Notifications
Browse Tab
Reports Tab
Preview
Database Support
Storing Data Centrally
Setting Up the Central Database
Connecting to a Central Database
What the Database Stores
Add Systems or Machine Lists to the Database
To add a machine list to the database:
Credential Stores
About Credential Stores
Default Credential-Store User
Creating Credential Stores
Managing Credential Stores
Logging into Stored Credentials
FAQ and Troubleshooting
Troubleshooting
Licensing
How many licenses do I need?
But I only run the software from one console!
I have 1000 systems, but I usually audit one or two on any day. How many licenses do I need?
I'm retiring a system. How do I transfer a license?
What licenses are available for a consultant?
Where do I buy more licenses?


Copyright © 1998-2005 by Pedestal Software, Inc., an Altiris company.

Registration

Register your copy of the software by entering a license key in the Software Registration dialog box. Open the dialog box by selecting Register a License Key from the Help menu.

You may obtain a license key from whomever you purchased the software from, whether a reseller or the company directly.

Why purchase?

The trial version of the software is limited in several ways:

• It will only work for 15 days
• It will only audit five systems

The trial version also prohibits you from using the software for any purpose other than to test the software.

How to Purchase

Purchasing is easy. You only need to know how many systems you are going to be auditing with the application. Contact any one of our resellers or our company directly for a quote or to purchase. Information about resellers is found on our Web site.

Fax a Purchase Order

+1.617.928.5552 (USA Fax)

Support and Maintenance

Annual support contracts include email and telephone support along with software maintenance and a subscription to the Software Policy Update Service. This entitles you to receive updated software at no charge and to receive new policies containing the latest lockdown recommendations.

Pricing and additional information about support and maintenance is available at www.pedestal.com/support.


Contact Us

Purchasing and Registering

The software is licensed per system that is audited or searched. Licenses may be purchased directly from Altiris or from an authorized reseller or distributor. Ordering information is available online or by calling +1-617-928-5550.

Sales

[email protected]

Licensing

Licensing FAQ

Fax a Purchase Order

+1-617-928-5552 (USA Fax)

Support and Maintenance

Annual support contracts include email and telephone support. Annual Upgrade Protection, or AUP, allows registered software users to upgrade to any version of the registered product that is released during the coverage period without paying an upgrade charge and includes a subscription to the Policy File Library. This service is distinct from, and designed to work in conjunction with, Support to give you the best possible experience with our products.

Pricing and additional information about support and maintenance is available at www.pedestal.com/support.


Contacting Us

Pedestal Software, an Altiris company
75 Wells Avenue
Newton, MA 02459 USA

Internet: www.pedestal.com
Technical Support: www.pedestal.com/support or [email protected]
Sales: [email protected]

SecurityExpressions™ and AuditExpress™ are owned by Pedestal Software, Inc., an Altiris company.

Toll Free in the US: +1-888-664-7174
Outside the US: +1-617-928-5550
Fax: +1-617-928-5552
Technical Support: +1-617-559-3116

Other Pedestal Software products


Agent and Agentless Auditing

Privileged Agent

Perform all security functions through an agent without requiring administrative credentials on the target system. Instead of passing the agent system credentials, the agent runs with privilege, authenticates its users directly, and only performs tasks on the target system if the authentication is passed.

The agent will allow Operations professionals to grant auditing of Windows and UNIX desktops, laptops and servers that have the agent installed, to specific individuals (Auditors) without revealing or establishing new administrator credentials on target systems.


Connecting to Remote Systems

The application connects to multiple platforms using one of several methods. The application will attempt to connect to remote systems using the following methods.

Windows Networking (no agent required)
Windows Networking is typically enabled on all Windows platforms. The application will connect using 1) your logon credentials, 2) credentials associated with the system or machine list containing the system being audited, or 3) a set of credentials that can be specified by the user.

SSH (no agent required)
If SSH is installed on a UNIX-based system, the application will communicate through SSH to perform the required functions.

SSL to a proprietary agent (agent required)
The Agent must be installed on the system. This is useful for systems behind a firewall, or where Windows Networking or SSH have been disabled.

Credentials

You can specify credentials used for logging into remote systems for specific machine lists or systems. Right click the machine list or system and select Edit from the menu.

In the Host Info dialog box, the Connect tab contains entry boxes where the information required can be entered.

If you want to perform an audit that overrides the credential settings for the specific systems or the machine list, specify new credentials for the audit. If auditing from the Audit tab, type the user name and password in the Login and Password boxes on the bottom left of the tab. If auditing from a scheduled task, type the user name and password in the Domain/User and Password boxes in the Task Options & Scheduling dialog box's List tab.

If multiple credentials are specified, the application will first use the credentials specified for the audit. If none have been specified there, the application will look at a specific system entry. If none are found there, then it will look at the credentials for the machine list.

Proxying connections through a Firewall

Connections can be proxied through the Agent on a remote system.

Application -> Agent -> Target System to Audit

This architecture is useful when the Application is unable to communicate directly with the target system being audited. This happens if the target system is behind a firewall or other router that blocks Windows Networking or hides the systems through Network Address Translation (NAT).

In the connection dialog box shown previously, use the lower section to configure the system audit through the proxy. When using a proxy, the username and password specified at the top of the dialog box are used by the proxy to connect to the target system. The application uses the username and password in the lower section to connect to the Agent. Make sure that the agent is installed on the proxy system, which must be a Windows system.

Connecting to a UNIX Server without Agent Software

To connect to a UNIX system through the SSH protocol:

1. Make sure there is an SSH package installed on the remote UNIX system that you are attempting to audit. (Open SSH recommended.)

2. Make sure you are using a UNIX policy.

3. From the Audit tab in the application, type the name of the UNIX system in the Server field.

4. In the Login and Password boxes at the bottom of the tab, type the credentials for the system you are attempting to audit.

5. Click the <<Audit button to establish the connection and audit the system. The application issues a PWD command to the UNIX system. If the remote system rejects the call, please send the error message to [email protected].

Troubleshooting

Windows Networking

If you are having difficulty connecting using Windows Networking, the first thing to try is to establish a network drive map to the target system. From a command line, type a command such as:

NET USE X: \\<server>\<share> /U:<username>

Replace <server> with the system name, <share> with a share on that system (for example an administrative share such as C$), and <username> with your current user name.

This command should display more diagnostic messages to help you troubleshoot the problem.

SSH

If you are having problems with SSH, the application provides a simple test window. Go to the View menu and select Options. On the Connect tab click Test SSH. Enter the system name, username, and password. A window opens with diagnostic messages.

File and Print Sharing


Agent Access Groups

IT Operations can grant privileges to specific individuals so they may audit systems that have the Agent installed, without having to reveal or establish administrator credentials on the target systems.

To grant audit privileges, set the value of AuditOnlyGroup to the name of the access-control group that contains the auditors. In Windows, AuditOnlyGroup is a registry key. See Configuring Windows Agents for more information. In UNIX environments, it is set in a configuration file. See Configuring UNIX Agents for more information.


Configuring Windows Agents

Installation

To install the agent on Windows platforms, copy the file pedagent.msi in the \Program Files\Altiris\Security Management\AuditExpress\Agent\Windows folder to the system and double-click it. On Windows NT, you must first install the Windows Installer (available from the Microsoft web site).

Configuration for Windows Agents depends on whether you are working in an Active Directory environment or without Active Directory.

Active Directory

Add the Agent administrative template (aeagent.adm) to Group Policy Object at the domain level or on local group. If different Agent systems have different access requirements, then group them in Active Directory and configure the group policy for each group.

1. Open the Group Policy object you want to edit, and then right-click Administrative Templates under Computer Configuration.

2. Click Add/Remove Templates, and in the Add/Remove Templates dialog box, click Add.

3. Browse to aeagent.adm in the C:\Program Files\Altiris\Security Management\AuditExpress\Agent\Configuration directory in the Add/Remove Templates dialog box. Click Open.

4. In the Add/Remove Templates dialog box, click Close.

5. In the group policy object, select Computer Configuration\Administrative Templates\AuditExpress\Windows Agent. Set each of the policies to specify groups that have access.

No Active Directory

Configure the agent by one of the following methods when Active Directory is not used:

• Use Local System Policy
• Edit the Registry Manually

Use Local System Policy

1. Edit the local system policy, adding aeagent.adm.

2. Open the Group Policy object you want to edit, and then right-click Administrative Templates under Computer Configuration.

3. Click Add/Remove Templates, and in the Add/Remove Templates dialog box, click Add.

4. Browse to aeagent.adm in the C:\Program Files\Altiris\Security Management\AuditExpress\Agent\Configuration directory in the Add/Remove Templates dialog box. Click Open.

5. In the Add/Remove Templates dialog box, click Close.

6. In the group policy object, select Computer Configuration\Administrative Templates\AuditExpress\Windows Agent. Set each of the policies to specify groups that have access.

This method is only for Windows 2000 and later.

Edit the Registry Manually

1. Manually create the HKLM\Software\Policies\Altiris\SecurityExpressions\Agent key and add or edit the AuditOnlyGroup value.

2. Specify the Access for each Group for each value.

Use this method for Windows NT and Window 2000 and later. You must secure this registry key with the following access:

• Administrators: full control
• Authenticated Users: read only
• System: full control


Configuring UNIX Agents

Installation

Follow the steps below to install the Agent on UNIX platforms.

Linux

1. Copy the file pedagent.rpm from the installation's Agent\Linux subfolder to the agent system.

2. Install the package with rpm: 'rpm -Uvh pedagent.rpm'

Solaris

1. Copy the file pedagent.pkg.gz from the installation's Agent\Solaris subfolder to the agent system.

2. Decompress the package with gzip: 'gzip -d pedagent.pkg.gz'

3. Install the package with pkgadd: 'pkgadd -d pedagent.pkg PEDAGENT'

AIX

1. Copy the file pedagent.installp.gz from the installation's Agent\AIX subfolder to the agent system.

2. Decompress the package with gzip: 'gzip -d pedagent.installp.gz'

3. Install the package with installp: 'installp -d pedagent.installp PEDAGENT'

HP-UX

1. Copy the file pedagent.depot.gz from the installation's Agent\HPUX subfolder to the agent system.

2. Decompress the package with gzip: 'gzip -d pedagent.depot.gz'

3. Install the package with swinstall: 'swinstall -s /full/path/to/pedagent.depot PEDAGENT'

It is important that you pass the full path to the depot file on HP-UX.

Configuration

Use Netgroups for access to group memberships across multiple systems. Netgroups are Group names that begin with an "at" sign (@). Multiple systems share Netgroups, typically through NIS, NIS+, or LDAP.

Create or edit the local configuration file, /etc/pedagent.conf to specify the AuditOnlyGroup access group. The file is in INI file format, such as:

[Access Groups]

AuditOnlyGroup=auditors
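The access decision this file drives (the agent authenticates the user itself, then allows the audit only if that user belongs to AuditOnlyGroup, which is either a local group or an @netgroup shared through NIS) can be modelled as follows. This is an added Python illustration, not Pedestal's agent code; the pedagent.conf text, the local group table and the netgroup triples are constructed for the example, and the netgroup matching follows NIS semantics where an empty triple field is a wildcard.

```python
"""Model of the AuditOnlyGroup decision a privileged agent makes from
/etc/pedagent.conf. Added illustration only, not Pedestal's agent code.
The configuration text, local groups and netgroups below are constructed."""
import configparser
from io import StringIO

# Constructed /etc/pedagent.conf, in the INI format shown in the guide.
# A group name beginning with "@" is a netgroup shared via NIS/NIS+/LDAP.
PEDAGENT_CONF = """
[Access Groups]
AuditOnlyGroup=@auditnet
"""

# Constructed local group database (name -> members), shaped like /etc/group.
LOCAL_GROUPS = {
    "auditors": {"alice", "bob"},
    "wheel": {"root"},
}

# Constructed NIS-style netgroups: name -> (host, user, domain) triples and
# nested netgroup names. An empty field is a wildcard, as in NIS.
NETGROUPS = {
    "auditnet": [("", "carol", ""), ("db01", "dave", ""), "auditnet-east"],
    "auditnet-east": [("", "erin", "corp")],
}


def read_audit_only_group(conf_text):
    """Return the AuditOnlyGroup value from pedagent.conf, or None if unset.

    Interpolation is disabled so a value containing '%' is taken literally,
    and optionxform is set to str so key names keep their case.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_file(StringIO(conf_text))
    value = parser.get("Access Groups", "AuditOnlyGroup", fallback="")
    return value.strip() or None


def in_netgroup(name, user, host, domain, seen=None):
    """Recursive NIS netgroup membership test with cycle protection.

    Wildcard hazard: a triple with an empty user field, such as
    ("db01", "", ""), admits every authenticated user on that host.
    """
    if seen is None:
        seen = set()
    if name in seen:
        return False
    seen.add(name)
    for entry in NETGROUPS.get(name, []):
        if isinstance(entry, str):          # nested netgroup name
            if in_netgroup(entry, user, host, domain, seen):
                return True
            continue
        ng_host, ng_user, ng_domain = entry
        if (ng_host in ("", host) and ng_user in ("", user)
                and ng_domain in ("", domain)):
            return True
    return False


def is_authorized(user, host, domain, conf_text=PEDAGENT_CONF):
    """Decide whether `user`, already authenticated by the agent on `host`,
    may run an audit. Returns (allowed, reason). Fails closed when the
    access group is missing, so an absent or empty setting grants nothing."""
    group = read_audit_only_group(conf_text)
    if group is None:
        return False, "AuditOnlyGroup is not set; denying by default"
    if group.startswith("@"):
        allowed = in_netgroup(group[1:], user, host, domain)
        return allowed, f"netgroup {group}"
    allowed = user in LOCAL_GROUPS.get(group, set())
    return allowed, f"local group {group}"


if __name__ == "__main__":
    for who in (("carol", "web01", "corp"), ("dave", "web01", "corp"),
                ("erin", "db01", "lab"), ("alice", "web01", "corp")):
        print(who, is_authorized(*who))
```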


Parts of the Main Window

Audit

Audit Tab

Use the Audit tab to audit small numbers of systems or perform any kind of unscheduled audit. The right panes display the results of that one audit.

Tip: To perform large audits that you plan to run again, create an audit task in the Scheduler tab. You do not have to schedule the task to run automatically.

The tree in the left pane contains:

• Database Machine Lists
• All Hosts – all target systems residing in a machine list
• IP Ranges – any ranges of IP addresses listed for auditing
• one branch for each domain or workgroup found on the network

Host – any device that the application can audit; a system

Machine List – group of systems you can audit at once

Policy

Select a policy to use in the audit from this drop-down list.

Server

Use the Server box to audit one server. Type the name of the server and click the Audit button. To audit the local system, type localhost or make the box blank before clicking Audit.

Machine Lists

The database contains groups of systems organized into machine lists. Machine lists appear under the Database Machine Lists heading. To add a new machine list, right-click on the heading and select Add new list.

Store Machine Lists in the database under Database Machine Lists, which appears on the Audit tab.

Choose one of the following options from the shortcut menu:

Database Machine Lists

Creates a new, empty machine list in the database.

Local Text File

Prompts you to locate a text file you stored locally containing the names of systems to add to the list. The file should have one name per line. If you add a text file, you can see the system names when you expand the list.

To add systems to a machine list, drag the system (or systems) from a domain and drop it on the machine list's name, or select the machine list's name then paste a list


You may audit each system separately, or the entire list by right-clicking on the list name and selecting one of the Audit menu options. Systems may be in multiple database machine lists. The All Hosts item includes all the systems that are named in all machine lists.

Hosts

The application provides an Explorer-like interface for selecting systems and domains. The Hosts area will list all the known domains, workstations and servers that are visible through the Browser service. This function is similar to My Network Places. In addition to auditing individual systems, you may audit an entire domain by right-clicking on the domain name and choosing one of the menu options.

Login and Password

These items become activated when you type a server name into the Server box at the top of the tab. If they are not blank, then whenever a connection to a system is established, the given user name and password will be used. Typically, connections are established to the administrative ($) shares.

Status

As the application audits, the progress of the action displays the following status codes in the lower left part of the tab:

Audit X% – An audit is in progress in the Audit tab. This group of checks is X percent done.

Prop. – Windows 2000 only: Inheritance propagation is in progress. This step may take a long time depending on the number of files in the system or size of the registry.

Stopping – An audit is terminating before it completes.

The upper right pane displays status bars that show the progress of the audit. The top status bar shows the progress of the audit overall while the bottom status bar shows the percentage of the current target system that's been audited so far.


Host Info Dialog Box

Right-click a system in the Audit tab and select Edit to display the Host Info dialog box. This dialog box enables you to select settings for an individual system, such as connection settings and importance weighting.

After you click OK to close the dialog box, the system appears in the All Hosts list.

Info Tab

This tab displays system information such as the type of system, operating version, and a comment string.

Connect Tab

In the Connect tab, you can specify credentials and connection methods for specific systems. If you do not specify credentials for this system, the credentials of the logged-in user are used.

When you are auditing systems in your own domain as a Domain Administrator, usually it is not necessary to specify a Login and Password. However, if you are auditing untrusted domains or stand-alone systems, these credentials are more important. See Connecting for information about connecting and authenticating to different platforms and systems.

Login and Password credentials may also be specified in a machine list. When credentials are specified in both places, the system credentials take precedence. See Edit Machine List for more information.

Note: You cannot delegate system-level credentials to the Audit and Compliance server application. If you set credentials on the machine-list level and then delegate them to the server application, any system credentials you set here are ignored.

Login For Target Computer

In the Username and Password boxes, type the login credentials required to access this system. This saves the credentials in the credential store so the application can use them to access the system during an audit. If you do not specify credentials, they are inherited from one of the machine lists that contains this system or global connection settings.

If you're not logged into a credential store, you cannot save credentials for the target system. The Username and Password boxes are disabled. If you want to require credentials for the target system, log into a credential store first. Then come back to this dialog box. Enter credentials in the Username and Password boxes, which are now enabled.

Note: If you use both the scheduler and the Windows connection method to audit a system in a workgroup, you must include the system's name in the Username box when setting the connection credentials. Type your entry in the Username box in this format: systemname\username. In the case of workgroups, you can't set credentials on the machine-list or task level.


Connect to the target system directly from the console or through a proxy. To connect from the console, select one of the following connection types:

• DYNAMIC – Inherit or automatically determine the best method.
• WINDOWS – Connect only using Windows networking.
• AGENT – Connect to the Agent on the remote system, which uses Secure Sockets Layer (SSL). You must install an agent on the remote system before auditing. Locate the agent software in the Agent directory where you installed the software.
• SSH – Connect to the remote system using SSH on the target system.
• NOCONNECT – Audit the system without initializing or authenticating the connection.

Proxy

When configuring a proxy connection, the proxy uses the username and password you specified in the Login for target computer section of the tab page to connect to the target system. This account requires NetLogonRight privileges on the target systems to be audited as well as the usual administrative privileges. If no account is entered, the currently logged in user is assumed.

The application uses the username and password in the Proxy section to connect to the agent. Select Tunnel connection through the following proxy, and type the system name or IP address of the proxy system. Type the user name in DOMAIN\User format and the password. The proxy must be running the Windows Agent.

If you set a Login for target system password or a Proxy password, you must set an encryption password.

See Connecting for more information.

Tip: To view the credentials, connection method or proxy connection inherited from one of this system's machine lists or scheduled tasks, select the Show inherited values check box.

Importance Tab

Use this tab to rate the system's importance when it comes to security in your organization. If you set the importance of a machine list that contains this system, the importance set in this dialog box overrides it.

The value you enter is used to weight the averaged scores displayed in the Browse tab and in some reports. You may devise your own weighting scale, using any range of whole and decimal numbers.


Edit Machine List

Right-clicking a machine list in the Audit tab and selecting Edit from the menu displays the Edit Machine List dialog box. You can edit the properties of a machine list in this dialog box, including which systems are in the list.

Use Filter

Enables or disables the use of the Filter.

Server Type

Type of system such as PDC, BDC, Windows server, or workstation. Some systems may match several server types. For example, a Server that is a PDC.

Version

The operating system version to match. If the system has this operating system version, it will match.

Language

Operating system language

Comment

If the comment on the system contains this text, it will match.

Connect Tab

In the Connect tab, you can specify credentials and connection methods for specific systems. If you do not specify credentials for this system, the credentials of the logged-in user are used.

When you are auditing systems in your own domain as a Domain Administrator, usually it is not necessary to specify a Login and Password. However, if you are auditing untrusted domains or stand-alone systems, these credentials are more important. See Connecting for information about connecting and authenticating to different platforms and systems.

Login and Password credentials may also be specified in a machine list. When credentials are specified in both places, the system credentials take precedence. See Edit Machine List for more information.

Login For Target Computer

In the Username and Password boxes, type the login credentials required to access this system. This saves the credentials in the credential store so the application can use them to access the system during an audit. If you do not specify credentials, they are inherited from one of the machine lists that contains this system or global connection settings.

If you're not logged into a credential store, you cannot save credentials for the target system. The Username and Password boxes are disabled. If you want to require credentials for the target system, log into a credential store first. Then come back to this dialog box. Enter credentials in the Username and Password boxes, which are now enabled.

Note: If you use both the scheduler and the Windows connection method to audit a system in a workgroup, you must include the system's name in the Username box when setting the connection credentials. Type your entry in the Username box in this format: systemname\username. In the case of workgroups, you can't set credentials on the machine-list or task level.

Connection method to the target computer

Connect to the target system directly from the console or through a proxy. To connect from the console, select one of the following connection types:

• DYNAMIC – Inherit or automatically determine the best method.
• WINDOWS – Connect only using Windows networking.
• AGENT – Connect to the Agent on the remote system, which uses Secure Sockets Layer (SSL). You must install an agent on the remote system before auditing. Locate the agent software in the Agent directory where you installed the software.
• SSH – Connect to the remote system using SSH on the target system.
• NOCONNECT – Audit the system without initializing or authenticating the connection.

Proxy

When configuring a proxy connection, the proxy uses the username and password you specified in the Login for target computer section of the tab page to connect to the target system. This account requires NetLogonRight privileges on the target systems to be audited as well as the usual administrative privileges. If no account is entered, the currently logged in user is assumed.

The application uses the username and password in the Proxy section to connect to the agent. Select Tunnel connection through the following proxy, and type the system name or IP address of the proxy system. Type the user name in DOMAIN\User format and the password. The proxy must be running the Windows Agent.

If you set a Login for target system password or a Proxy password, you must set an encryption password.

See Connecting for more information.

Tip: To view the credentials, connection method or proxy connection inherited from one of this system's machine lists or scheduled tasks, select the Show inherited values check box.

Delegation Tab (database machine lists only)

Credential Store owners can delegate their credentials for use in the Audit & Compliance Server application. Once delegated, no user has access to the credentials and they remain encrypted only for use by the server.

Credential delegation may be used for two tasks: Connect or Audit-On-Schedule. For Audit-On-Connect, the delegated user or Group can use these credentials to Audit or Audit and Fix. For Audit-On-Schedule, users in the specified Windows Group can schedule tasks that use these credentials.

The Delegation tab allows credential delegation from the current Credential Store to any Credential Stores in use by any audit servers using the same database. The only Credential Stores to which you can delegate are those currently in use by one or more audit servers.


To delegate credentials for Audit-On-Connect, select the Audit-On-Connect component can use my credentials check box. Then select whether the user can Audit or Audit & Fix.

To delegate credentials for Audit-On-Schedule, you must specify the Windows Groups allowed to create audit schedules.

1. In the New Delegation section, click the ellipsis (...) button to view the existing Users and Groups.

2. Select the desired Group.

3. Select Audit or Audit & Fix to identify the rights of this Group.

4. Click Add. The Group and rights appear in the list.

Importance Tab

Use this tab to rate the importance of all the systems in this machine list when it comes to security in your organization. If you set the importance of a system on this machine list in the Host Info dialog box, the importance set in the Host Info dialog box overrides the importance set in this dialog box.

The value you enter is used to weight the averaged scores displayed in the Browse tab and in some reports. You may devise your own weighting scale, using any range of whole and decimal numbers.

Members Tab

This tab enables you to perform maintenance on the machine list by allowing you to add systems to and delete systems from the list. To add a system to the Members list on the right from the tree on the left, you may drag and drop it or highlight it and click the Add> button. To delete a system from the list, highlight it in the Members list and click Delete.

Note: You can also add and remove systems in the Audit tab by dragging systems to and from the list.

You may also click the Options button to display a menu of methods for changing the machine list:

• Add - Adds a new, unnamed system to the Members list.

• Import - Allows you to import a list of systems itemized in a TXT file. Use this option if you already have such a list or prefer to keep a master list separate from the machine list in the application.


Policies

Policies Tab

This tab allows you to manage the policies used to audit systems. You may create new policies, edit existing policies or delete policies.

The left pane contains the Policies list. The list contains some policies included with the software, which you cannot change or delete. From there, you can create new policies or create policies based on existing policies.

Recommended: Use the policies included with the software as templates to create your own policies.

Policies

Lists the available policies, including those included with the software and any configured policies. To view, edit or remove a policy, you must highlight it in this list first.

New

Creates a new policy. When you click this button, a generic policy name appears in the Policies list and the Name box. You may change it in the Name box. Also, the right pane displays the security checks available to use in the policy.

Remove

Deletes the policy highlighted in the Policies list.

Caution: You cannot recover a deleted policy. Before deleting a policy, make sure you will not need to use it again.

Note: You cannot remove a policy included with the software.

Policy

Allows you to change the name of the policy highlighted in the Policies list. Type a new name and click Save.

Note: You cannot change the names of the policies included with the software. This button is disabled when you highlight an included policy.

Description

Allows you to add a description to, or change the description of, the policy highlighted in the Policies list. Type a description and click Save.

Note: You cannot add or change a description to a policy included with the software. This button is disabled when you highlight an included policy.

Save

Saves any changes made to the policy highlighted in the Policies list.

Note: You cannot edit the policies included with the software. This button is disabled when you highlight an included policy.

Save As

Creates a copy of the highlighted policy, asking you to give it a name. Use this button to create a new policy based on an existing policy. Once you've created the copy, change its configuration in the right pane.

You may create new policies based on any policy, configured or included.

Revert

Cancels any changes you've made to the active policy, reverting to the policy's saved configuration.

The right pane lists the security checks available in the policy highlighted in the Policies list. It is here that you configure policies by selecting which security checks they perform during audits. To learn how to use this pane, check Audit Configuration Help, available in the upper right corner of the pane by clicking the icon.


Creating a New Policy

You may create your own configured policies that audit the systems for precisely the security checks that interest your organization.

Recommended: Use the policies included with the software as templates to create your own policies.

To create a new policy:

1. Click the Policies tab.

2. Click the New button.

3. Configure the policy by selecting the security checks you want in the policy. To learn more about configuring policies, click the help links provided in the left pane.

Tip: If you do not like the changes you made to the policy and want to start over, you can click the Revert button any time before you save your changes. This discards all changes and reverts the policy back to its original state.

4. When you're done configuring the policy, type a name for the new policy in the Name box.

5. Optional: Type a description of the policy in the Description box to make it easier for you and others to recognize later.

6. Click the Save button to save the new policy.

The name of the new policy appears in the Policies list.

Now you may audit the network using this new policy. It is available for selection in the Audit tab's Policy drop-down list and in the Scheduler tab's Task Options & Scheduling dialog box.


Creating a Policy from an Existing Policy

In addition to creating new policies, you may also create one based on an existing policy. If one of the policies is similar to a policy you need to create, doing this saves time configuring.

Recommended: Use the policies included with the software as templates to create your own policies.

To create a new policy from an existing policy:

1. In the Policies list, highlight the policy with the configuration closest to the policy you want to create.

You may base a new policy on any policy in the list.

2. Click the Save As button.

A dialog box appears, asking you to name the new policy.

3. Type a name for the new policy and click OK.

This creates a copy of the policy you highlighted in step 1. The new name appears in the Policies list.

4. Change the configuration of the policy to perform the security checks you need.

To learn more about configuring policies, click the help links provided in the left pane.

Tip: If you do not like the changes you made to the policy and want to start over, you can click the Revert button any time before you save your changes. This discards all changes and reverts the policy back to its original state.

5. Optional: If you want to change the description, type a new one in the Description box.

6. When you're done editing the policy, click the Save button.

Now you may audit the systems using this new policy. It is available for selection in the Audit tab's Policy drop-down list and in the Scheduler tab's Task Options & Scheduling dialog box.


Editing a Policy

If you need to make minor changes to a policy you configured, you can edit it any time.

Note: You cannot edit the policies included with the software.

To edit a policy:

1. Highlight the policy in the Policies list.

The right pane displays the policy's configuration.

2. Optional: If you want to change the configuration of the policy to perform different security checks, modify the policy.

To learn more about configuring policies, click the help links provided in the left pane.

Tip: If you do not like the changes you made to the policy and want to start over, you can click the Revert button any time before you save your changes. This discards all changes and reverts the policy back to its original state.

3. Optional: If you want to change the policy's name, type a new one in the Name box.

4. Optional: If you want to change the description, type a new one in the Description box.

5. When you're done editing the policy, click the Save button. Now you may audit the network using this edited policy.


Deleting a Policy

If you find one of the policies you configured is no longer useful, you may delete it from the list.

Note: You cannot delete the policies included with the software.

To delete a policy:

1. Highlight the policy in the Policies list.

2. Click the Remove button.

This deletes the policy, removing it from the Policies list.

Caution: You cannot recover a deleted policy. Before deleting a policy, make sure you will not need to use it again.

Now the policy is no longer available for selection in the Audit tab's Policy drop-down list and in the Scheduler tab's Task Options & Scheduling dialog box.


Scheduler

Scheduler Tab

Audit many systems simultaneously from the Scheduler tab. The software does not have to be running for a scheduled task to occur: a separate service on the same system runs scheduled tasks. From this tab you can create a new scheduled task, edit an existing scheduled task, and start or stop a scheduled task.

The Results panel on the right contains information about, and the status of, any selected scheduled task. It displays the progress of each audit, the IP address of each system being audited, whether the audit is running, when the audit started and when the audit finished.

As the systems are being audited, this window updates. You can double-click a system to display its results in the Audit tab, where you can view details.

Scheduled task results are stored in the directory set for saved audits in Options, or in the configured database.

If any errors occur, these errors appear in the Errors from task scheduler list. Click Clear Errors to remove the errors.

A task is a defined action that runs a specific policy against a specific system on a schedule with specific set parameters, reports, and notifications.


Task Options and Scheduling

The application automatically starts a scheduled task at some future time based on options defined in the Task Options and Scheduling window. This window contains the following tabs to set the options and schedule.

List Tab

Select the machine list or lists to audit during this scheduled task by checking the box next to each machine list.

Policy

This is a list of policies. Select the policy on which to base these audits.

Description

Optional brief statement identifying the scheduled task.

Domain/User and Password

If you want to use specific credentials to access all systems whenever this audit task runs, type those credentials here. If you have credentials specified for any of the systems or machine lists included in the audit task, the credentials entered here override them. Because they override the per-system and per-list credentials, the account you enter here must be valid on every system the task audits.

If you use both the scheduler and the Windows connection method to audit a system in a workgroup, you can't set connection credentials on the machine-list or task level. You must set them on the system level in the Host Info dialog box, including the system's name in the Username box.

Schedule Tab

Not Scheduled

The task is not scheduled.

Scheduled

The task is scheduled.

Begin at This Time

Run the scheduled task at this time. Select the hour and minutes.

Select a Schedule

Select one of three schedules:

Run Once

The scheduled task begins at the specified time and does not repeat. It occurs the next time the clock reaches that hour and minute, which will be today or tomorrow.

Run Weekly

The audit runs every selected day of the week at the specified time.

Run Monthly

The audit runs on the day identified for the selected months. The audit begins at the time specified.


You can specify more than one Hour, Minute, and Day entries by typing a comma-separated list of numbers. The scheduled task runs if any of the numbers match.
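The matching rule above (comma-separated Hour, Minute and Day lists, a field matching when any of its values matches) is the same one cron uses, and it is easy to get wrong at the edges: a minute of 60, an empty list, or a run-once task that fires again the next day. The following is an added example, not code from the product; the Schedule class, parse_list() and the reading that the fields combine with AND are assumptions made for the illustration.

```python
"""Schedule matching for the Scheduler tab: Hour, Minute and Day can each hold a
comma-separated list, and a field matches when any of its values matches the
clock. Added example, not product code; the Schedule class, parse_list() and
the cron-style reading (fields combine with AND) are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime


def parse_list(text: str, low: int, high: int) -> set[int]:
    """Parse a field such as '2, 14' into {2, 14}; reject anything that is not
    an integer within low..high (for example a minute of 60)."""
    values: set[int] = set()
    for part in text.split(","):
        part = part.strip()
        if not part.isdigit():
            raise ValueError(f"not a number: {part!r}")
        number = int(part)
        if not low <= number <= high:
            raise ValueError(f"{number} is outside {low}..{high}")
        values.add(number)
    if not values:
        raise ValueError("empty list")
    return values


@dataclass
class Schedule:
    kind: str                                      # "once", "weekly" or "monthly"
    hours: set[int]                                # 0..23
    minutes: set[int]                              # 0..59
    days: set[int] = field(default_factory=set)    # weekly: Mon=0..Sun=6; monthly: day of month
    months: set[int] = field(default_factory=set)  # monthly only; empty means every month
    fired: bool = False                            # a run-once task fires a single time

    def due(self, now: datetime) -> bool:
        """True when some listed hour and some listed minute (and, for weekly or
        monthly tasks, a listed day and month) match the current clock."""
        if now.hour not in self.hours or now.minute not in self.minutes:
            return False
        if self.kind == "once":
            return not self.fired
        if self.kind == "weekly":
            return now.weekday() in self.days
        if self.kind == "monthly":
            return now.day in self.days and (not self.months or now.month in self.months)
        raise ValueError(f"unknown schedule kind {self.kind!r}")

    def tick(self, now: datetime) -> bool:
        """Called once a minute by the scheduler service: reports whether to start
        the task, and retires a run-once task after its first start."""
        if not self.due(now):
            return False
        if self.kind == "once":
            self.fired = True
        return True


if __name__ == "__main__":
    weekly = Schedule("weekly", parse_list("2, 14", 0, 23), parse_list("0,30", 0, 59), days={0, 4})
    print(weekly.due(datetime(2021, 3, 5, 14, 30)))  # a Friday at 14:30
```

Note that with Hour "2,14" and Minute "0,30" the task fires at all four combinations (02:00, 02:30, 14:00, 14:30), which is what "any of the numbers match" amounts to when the fields are combined.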

Maximum Duration Time

Use the Hours and Minutes boxes to set the length of time you'll allow this scheduled task to complete from the time it actually begins auditing. After this length of time, the task finishes auditing the system it was working on and then terminates.

If you also check Save hosts that could not be contacted to the following Machine List in the database, located in the Options tab, the database machine list you enter saves the names of all systems that did not get audited as a result of the termination.

The scheduling parameters are saved with the task and remain in effect the next time you open it.

Options Tab

Simultaneous Connections

Select the number of remote systems to audit simultaneously. The software creates one thread for each simultaneous connection. Since network communications involve a certain latency, it is usually much faster to audit many systems simultaneously. However, network bandwidth, system utilization, and other factors may influence your decision.

Save hosts that could not be contacted to the following Machine Lists in the database

Check the check box to save all systems that could not be contacted during the scheduled task into the database machine list you type or select in the list box to the right. You may use variables and functions in the machine list name. If you type the name of a database machine list that does not exist, the application creates it when and if this task results in unaudited systems.

If you select an existing machine list, any systems already listed in it will be removed. Unless you want the machine list altered in the case of an incomplete audit, we recommend creating a database machine list expressly for this purpose.

Enable host audit on connect

Check the check box to enable Audit-on-Connect for any systems that could not be contacted on the first try. Between the initial connection failure and the next time the scheduled task runs, these systems get audited if they connect to the network. This check box is active only if 1) the console application is connected to the same database as the server application and 2) Audit-on-Connect is licensed for that installation of the server application.

Automatically Re-audit hosts that could not be contacted

The scheduled task continues until all systems have been successfully contacted. A system is re-audited only if the system could not be contacted. For example, if the system is turned off or there is no network connectivity to the system, it cannot be audited. If the system was contacted but the log in credentials were incorrect, the system will not be re-audited. The re-audit may never complete if one or more of the systems never becomes connected. Manually stop the scheduled task by clicking Stop Task.

Tip: If you use automatic re-audit, you may want to consider using the command line or the COM version of the product to have the system audit itself automatically when it restarts, using the Task Scheduler.

Wait this many minutes between retries

Select or type the amount of time to wait between retries. After each round of audits, the software waits this amount of time before reauditing unavailable systems.

Select or type the length of time you want to attempt to reaudit unavailable systems. After this length of time, the software stops attempting to reaudit unavailable systems.

Maximum number of attempts to re-audit

Type the maximum number of reaudit attempts you'll allow. After this many retries, the software stops attempting to reaudit unavailable systems. This option takes precedence over the reaudit hours in the previous option.
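The three re-audit options above interact in ways worth seeing in one place: a host whose credentials were rejected is never retried, the attempts cap overrides the hours cap, and with neither cap set the task keeps going until every host answers or you click Stop Task. The following is an added example, not the product's scheduler code; Outcome, ReauditOptions, run_task() and the constructed sample_audit() are assumptions, and waiting is simulated so the example runs instantly.

```python
"""Re-audit loop for the Options tab settings: hosts that could not be contacted
are retried after a wait, hosts whose credentials were rejected are not, the
attempts cap wins over the hours cap, and with neither cap set the task only
ends when every host answers or Stop Task is clicked. Added example, not product
code; Outcome, ReauditOptions, run_task() and sample_audit() are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Outcome(Enum):
    AUDITED = "audited"          # contacted and audited
    UNREACHABLE = "unreachable"  # powered off or no network path: re-audit candidate
    AUTH_FAILED = "auth_failed"  # contacted but credentials rejected: never re-audited


@dataclass
class ReauditOptions:
    wait_minutes: int = 5               # Wait this many minutes between retries
    max_hours: Optional[float] = None   # stop re-auditing after this long
    max_attempts: Optional[int] = None  # Maximum number of attempts; overrides max_hours


@dataclass
class TaskResult:
    audited: list[str] = field(default_factory=list)
    auth_failed: list[str] = field(default_factory=list)
    not_contacted: list[str] = field(default_factory=list)  # fed to the "could not be contacted" list
    rounds: int = 0
    elapsed_minutes: int = 0  # waiting is simulated so the example runs instantly


def run_task(hosts: list[str], audit: Callable[[str, int], Outcome], opts: ReauditOptions,
             stop_requested: Callable[[], bool] = lambda: False) -> TaskResult:
    res = TaskResult()
    pending = list(hosts)
    while pending:
        res.rounds += 1
        still_pending = []
        for host in pending:
            outcome = audit(host, res.rounds)
            if outcome is Outcome.AUDITED:
                res.audited.append(host)
            elif outcome is Outcome.AUTH_FAILED:
                res.auth_failed.append(host)  # contacted, so not a re-audit candidate
            else:
                still_pending.append(host)
        pending = still_pending
        if not pending or stop_requested():
            break
        if opts.max_attempts is not None:
            if res.rounds >= opts.max_attempts:  # attempts cap takes precedence
                break
        elif opts.max_hours is not None:
            if res.elapsed_minutes + opts.wait_minutes > opts.max_hours * 60:
                break
        # neither cap set: loop until every host answers or stop_requested() is true
        res.elapsed_minutes += opts.wait_minutes  # stand-in for time.sleep()
    res.not_contacted = pending
    return res


def sample_audit(host: str, attempt: int) -> Outcome:
    """Constructed stand-in for a real audit: 'a' is up, 'c' rejects the
    credentials, 'b' comes online for the third attempt, 'd' never answers."""
    if host == "a":
        return Outcome.AUDITED
    if host == "c":
        return Outcome.AUTH_FAILED
    if host == "b" and attempt >= 3:
        return Outcome.AUDITED
    return Outcome.UNREACHABLE


if __name__ == "__main__":
    print(run_task(["a", "b", "c", "d"], sample_audit, ReauditOptions(10, max_hours=1, max_attempts=2)))
```

With wait 10 minutes, 1 hour and 2 attempts, the run stops after two rounds and only 'a' is audited; with wait 30 minutes and 1 hour alone, the third round at the 60-minute mark still runs (it starts within the hour) and picks up 'b'. The credential failure on 'c' is final in both cases, which is why a task-level Domain/User that is wrong for some systems silently removes them from the retry set.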

Notifications

You can receive notifications about scheduled tasks by the following methods:

• Email - uses unauthenticated email, so the mail relay must accept unauthenticated messages from the system that runs the scheduler service

• Dump Report

• Run Command

Select the notification type, create a name for the notification, and click Next. As you advance through the Notification wizard, select the appropriate options for each notification type.


Browse Tab

This tab displays the audit results in a browser-like environment with links to more information. It enables you to focus on any portion of the most recent audit results available by revealing audit details about individual systems, database machine lists and security checks when you click links. This kind of interaction with the audit results empowers you to devise a sophisticated plan to correct any security issues discovered during audits.

Interactive browsing is an extension of the results displayed in the Audit tab. Whereas the Audit tab only displays the results of one unscheduled audit at a time, the Browse tab enables you to perform a deep analysis of security issues across the organization. It collects in one location the most recent results from each system you've audited since you installed the software, allowing you to:

• determine exactly which security checks were OK, NOT OK or did not occur due to errors, and on which systems

• score the success level of security efforts

• schedule large audits to occur automatically so you can spend your time analyzing audit results, not accumulating them

• compare results between systems, database machine lists and security checks

• view the informational messages returned by security checks designed to have a result of Info

This tab provides three perspectives on audit results:

General Summary [click link again to close]

The tab's main view shows a summary of what the audits reveal about security compliance in your organization. The data is organized by policy and summarized in the blue summary rows. Expand a summary row by clicking the + icon in the first column. The second column expands to show all audits performed using this policy. The rest of the columns expand to show data about each system. If you click one of the links in the System Posture Results column, a system-oriented table appears. If you click one of the links in the Security Check Results column, a security-check-oriented table appears.

How Postures are Assigned

Pass - If a system had no security checks rated NOT OK or Error.

Fail - If a system had at least one NOT OK.

Error - If a system had no NOT OKs but had at least one Error.

System Oriented [click link again to close]

If you click one of the links in the System Posture Results column, a new table showing details about that database machine list appears. Each row shows the audit results of one system in the database machine list. If you click one of the links in the Audit Results by Security Check column, a table showing each security check's audit result appears. The table is organized by category and details are summarized in the blue summary rows. Expand a summary row by clicking the + icon in the first column.

Security-Check Oriented [click link again to close]

If you click one of the links in the Security Check Results column, a new table showing details about the security checks affecting that policy or machine list appears. Each row shows the audit results of one security check. If you click one of the links in the System Result column, a table showing each system's audit result appears. If you click the icon next to a security check's result, a page with the check's details appears.

The table is organized by category and details are summarized in the blue summary rows. Expand a summary row by clicking the + icon in the first column.

Note: If a security check in the policy was not applicable to the system(s) you audited, it does not appear in the results. For example, if the policy checks for all Sun patches and a target system has Sun Solaris 7 installed, the results do not list any security checks referring to other versions of the operating system, selected for the audit or not.

Display Percentages as

When displaying the general summary page, you may opt to view the percentage of passed vs. failed systems directly in the System Posture Results column and OK vs. NOT OK security checks in the Security Check Results column.

Select None if you don't want to view percentages.

Select Bar Chart if you want to compare results in a bar chart.

Select Percentage if you want to view the percentage of passed systems or OK security checks as a number.
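The posture rules under How Postures are Assigned and the percentages described here are easy to state and easy to get subtly wrong (a system with both NOT OK and Error results is a Fail, not an Error; Info results count toward neither OK nor NOT OK; checks that did not apply are simply absent). The following is an added example rather than the product's own reporting code: the result labels follow the guide, but SAMPLE_AUDITS is constructed data and posture() and summarize() are assumed names.

```python
"""Posture assignment and summary percentages for the Browse tab. Added example,
not product code: the result labels follow the guide, but SAMPLE_AUDITS is
constructed data and posture()/summarize() are assumed names."""
from __future__ import annotations
from collections import defaultdict

OK, NOT_OK, ERROR, INFO = "OK", "NOT OK", "Error", "Info"


def posture(check_results: dict[str, str]) -> str:
    """Pass: no NOT OK and no Error. Fail: at least one NOT OK (even alongside
    Errors). Error: no NOT OK but at least one Error. Info results only carry a
    message and never change the posture. Checks that did not apply to the
    system are absent from the dict, as they are absent from the results."""
    results = set(check_results.values())
    if NOT_OK in results:
        return "Fail"
    if ERROR in results:
        return "Error"
    return "Pass"


def summarize(audits: list[tuple[str, str, dict[str, str]]]) -> dict[str, dict]:
    """audits: (policy, system, {check: result}) for the most recent audit of each
    system. Returns, per policy, the figures behind the System Posture Results
    and Security Check Results columns when percentages are displayed."""
    postures: dict[str, list[str]] = defaultdict(list)
    checks: dict[str, list[str]] = defaultdict(list)
    for policy, system, results in audits:
        postures[policy].append(posture(results))
        checks[policy].extend(r for r in results.values() if r != INFO)
    summary = {}
    for policy, found in postures.items():
        graded = checks[policy]
        summary[policy] = {
            "systems": len(found),
            "postures": {p: found.count(p) for p in ("Pass", "Fail", "Error")},
            "pct_systems_passed": round(100 * found.count("Pass") / len(found), 1),
            "pct_checks_ok": round(100 * graded.count(OK) / len(graded), 1) if graded else None,
        }
    return summary


# Constructed sample: four systems audited with one policy.
SAMPLE_AUDITS = [
    ("Baseline", "web01", {"password-age": OK, "patch-level": OK, "kernel": INFO}),
    ("Baseline", "web02", {"password-age": NOT_OK, "patch-level": OK}),
    ("Baseline", "db01", {"password-age": OK, "patch-level": ERROR}),
    ("Baseline", "db02", {"password-age": NOT_OK, "patch-level": ERROR}),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_AUDITS))
```

On the sample, one system passes out of four (25.0%) while half of the graded checks are OK (50.0%); the two figures answer different questions, which is why the tab offers both columns.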

Home

Returns to the general summary page.

Back

Reports Tab

Use this tab to generate printed and HTML reports from audit results.

Report

In this list, click the report you want to generate.

Not all reports apply to all data sources. If a report is not relevant to the audit results or systems you select, the report will be empty when you generate it.

You may rename reports, change their descriptions and create new reports based on existing reports. All of these actions are based on creating a duplicate of the report first. The application stores reports locally, so duplicated and modified reports are not centrally accessible. If you want to use a report from one console on another console, you must share the report.

Audit

This list includes all audit results from the database. Select the check box next to the audits for which you want to generate reports. When you select items, the content of the Host and Machine List boxes change.

You can sort the audit list by clicking any column heading. When you click a column heading, an arrow appears on the heading that indicates whether the column is sorted in ascending or descending order.

Host

Depending on the report selected, this box might or might not list all systems audited during the audits you selected in the Audit list. If it displays a list, check the ones you want to include in your report.

Machine List

Depending on the report selected, this box might or might not list all machine lists audited during the audits you selected in the Audit list. If it displays a list, check the ones you want to include in your report.

View Report

Click View Report when you have selected all of the data you want. A dialog box with additional options may appear for some reports.

New Window

If you check this box and then click View Report, the report appears in its own Preview window instead of in the Preview pane on the right.

Preview

After you generate a report, either the Preview pane on the right displays it or a new Preview window displays it, depending on whether you checked the New Window box. The Preview pane and the Preview window are identical: each has a toolbar along the top that enables you to navigate the reports.

The toolbar buttons are:

• Prints the report on your default printer.

• Displays a dialog box that lets you export the report to the file format of your choice.

• Refreshes the report if you have performed any new audits since you generated it or refreshed it last.

• Shows and hides the navigation tree to the left of the report. Some of the more complex reports have different sections you can navigate to.

• Resizes the report in Preview.

• Displays a search dialog box so you can search the text for a word or phrase.

• An icon that becomes animated during an operation.

• Pages through the report if it's more than one page long. You can jump to the beginning or end of a report, turn to the previous or next page or jump to any page by typing the page number in the box. If the right arrows are not visible, the page-through toolbar is condensed; increase the size of the toolbar by dragging out the handles on either side of it.


Database Support

Storing Data Centrally

Many systems and security administrators across the organization use the product. Often these administrators produce similar Machine Lists and system information. Central Machine List management allows for this information to be stored in a central database to reduce redundant work and increase efficiency.

You can store audit results, Machine Lists, and system information in an ODBC database such as Microsoft SQL Server or Oracle. When you installed the software, you also installed a database that serves as the default database. You may use this as the software's central database or connect to a different ODBC database.

All machine lists are stored in the database.

Setting Up the Central Database

The first time a user launches the application after installing it, it prompts that user to change the database's password. If that database becomes the central database to which all console systems connect, that user needs to tell other users what the new password is.

Remember: If you change the password, you need to inform all other users of the new password.

In order to access a credential store created on the central console, remote-console users need the credential store's user name and password so they can log into it.

Remember: If you create a credential store that others need to access, you need to inform them of the credential store's user name and password.

Connecting to a Central Database

If you plan to use a central database with multiple consoles, you must make sure all consoles are connected to the central database. See the help topic on connecting a console to a central database on a different system.

What the Database Stores

The database stores:

System Information

• System credentials

• Proxy server and proxy credentials

Machine List Information

• Machine List credentials

• Proxy server and proxy credentials

Note: Credentials are encrypted in the database through the use of credential stores.


Add Systems or Machine Lists to the Database

To add a system to the database:

1. Right-click the All Hosts branch in the Audit tab.

2. Choose Add new host from the menu.

To add a machine list to the database:

1. Right-click the Machine Lists branch in the Audit tab.

2. Choose the list type from the Add new list menu.

Selecting the Machine List type adds an empty database machine list to the branch. Edit the machine list to build the list.

Selecting any list type other than Machine List adds a dynamic machine list to the branch. The list is dynamic because its contents are imported from another location: if you change the systems in the machine list's source, the machine list changes as well. See the help topic on dynamic machine lists.


Credential Stores

About Credential Stores

The application must gain access to secure systems, which means each auditor must have the appropriate credentials to audit target systems. What those credentials should be depends on how your organization has implemented security on its systems. Since the individuals designated to perform audits are most likely not all high-level network administrators with unlimited access to all target systems, auditors must be able to use the credentials they need to access the target systems. Since the goal of using this product is to ensure security across the network, we have designed it so using it does not breach system security. You might or might not have the credentials required to access the target systems. If you don't, you need to log into a credential store before performing any audits.

Stored credentials are a way for a user with the proper credentials to give a user without them the access needed to audit the target systems without actually revealing the credentials. A credential store is a place in the database where you can save the credentials in encrypted form. By logging into stored credentials, an auditor activates the credentials without seeing what they are. Security is not compromised and the organization has the flexibility to assign auditing duties to someone without top security credentials.

You can create more than one credential store, with each store containing different credentials meant to audit different systems. The credentials in each store are only accessible if you log into that credential store.

Default Credential-Store User

Limiting access to systems by requiring proper credentials is an important aspect of enterprise-wide system security. This product encourages habitual credential use. Setting up credential-store user accounts, however, is a detailed process that only a senior administrator with all the required credentials can do. That's why, under average circumstances, the application logs you into the default credential-store account automatically at startup. Those circumstances are 1) you or someone else performed a typical installation when you installed the software and 2) the Automatically Log in Using Default Credential-Store User option is on.

If you performed a typical installation and no one has turned off the automatic-login option, you are logged into the default credential-store account when you open the application. This enables you to get started using the application without needing to create credential stores right away. If you are a senior administrator who has the credentials to access any system on the network, being logged in as the default user is all you need. If you do not have the credentials to access any system on the network, you'll need to log into the correct credential stores before performing audits.


Creating Credential Stores

If your organization has auditors using the application who do not have the credentials to access target systems, create encrypted credential stores for those auditors to log into. If you're an auditor who needs to use credentials you do not have in order to audit systems, ask someone who does, such as a senior administrator, to create credential stores for you.

To create a credential store:

1. Select Credential Store > Manage Users from the File menu. The Manage User Credential Stores dialog box appears.

2. Click the Add radio button.

3. Type a User Name, Full Name, Description, and Password for this user in the text boxes provided. Then click the Add button.

4. Click the Close button when you're done to close the dialog box. The Login to Credential Store dialog box becomes active again.

5. Log into the credential store you just created.

6. In the Audit tab, right click a machine list or system and select Edit from the right-click menu. The Edit Machine List or Host Info dialog box appears, depending on which you right clicked.

7. Click the Connect tab and enter the credentials needed to audit the system or systems. When you're done, click OK.

8. Contact the auditor or auditors who need this credential store and inform them of the store's user name and password so they can log into it.

Now the credential store you're logged into contains the credentials required to audit the systems. The only way to use these credentials is to log into the credential store using the correct password. When auditors use the credential store, the credentials are not visible, rendering them secure.
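The property this section relies on, that the auditor can use the stored credentials but never see them, depends on two things: the records are encrypted under a key that exists only while the store password is known, and the only operation exposed to the auditor applies the credentials to a connection rather than returning them. The following is an added example that models that design; it is not the product's own implementation. The HMAC-SHA256 keystream plus HMAC tag (encrypt-then-MAC with separate PBKDF2-derived keys) stands in for a real AEAD such as AES-GCM, and the class and method names are assumptions.

```python
"""Credential-store model from this section: target credentials are stored in
the database only in encrypted form, the store password unlocks them, and an
auditor who unlocks the store can apply the credentials to a connection without
ever reading them back. Added example, not product code. The HMAC-SHA256
keystream plus HMAC tag (encrypt-then-MAC with separate PBKDF2-derived keys)
stands in for a real AEAD such as AES-GCM; class and method names are assumptions."""
from __future__ import annotations
import hashlib
import hmac
import json
import secrets
from typing import Callable

PBKDF2_ROUNDS = 200_000


def derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """One PBKDF2 run yields an encryption key and a separate MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (a PRF), fresh for every nonce."""
    blocks = bytearray()
    for counter in range((length + 31) // 32):
        blocks += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(blocks[:length])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> tuple[bytes, bytes, bytes]:
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def unseal(enc_key: bytes, mac_key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # wrong key or a modified database row
        raise ValueError("credential record failed integrity check")
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


class CredentialStore:
    """One store per credential-store user; self.records is what the database holds."""
    MIN_PASSWORD = 6  # the guide's minimum; longer is strongly advisable

    def __init__(self, user_name: str, password: str):
        if len(password) < self.MIN_PASSWORD:
            raise ValueError("credential-store password must be at least 6 characters")
        self.user_name = user_name
        self.salt = secrets.token_bytes(16)
        _, mac_key = derive_keys(password, self.salt)
        self.verifier = hmac.new(mac_key, b"store-check", hashlib.sha256).digest()
        self.records: dict[str, tuple[bytes, bytes, bytes]] = {}

    def _keys(self, password: str) -> tuple[bytes, bytes]:
        enc_key, mac_key = derive_keys(password, self.salt)
        check = hmac.new(mac_key, b"store-check", hashlib.sha256).digest()
        if not hmac.compare_digest(self.verifier, check):
            raise PermissionError("wrong credential-store password")
        return enc_key, mac_key

    def save(self, password: str, host: str, username: str, secret: str) -> None:
        """What the senior administrator does on the Connect tab while logged in."""
        enc_key, mac_key = self._keys(password)
        self.records[host] = seal(enc_key, mac_key, json.dumps([username, secret]).encode())

    def unlock(self, password: str) -> UnlockedStore:
        """Login to Credential Store: returns a handle, not the credentials."""
        enc_key, mac_key = self._keys(password)
        return UnlockedStore(self, enc_key, mac_key)


class UnlockedStore:
    """The auditor's view: credentials can be applied to a connection but not read."""

    def __init__(self, store: CredentialStore, enc_key: bytes, mac_key: bytes):
        self._store, self._enc_key, self._mac_key = store, enc_key, mac_key

    def hosts(self) -> list[str]:
        return sorted(self._store.records)

    def connect(self, host: str, connector: Callable[[str, str, str], object]) -> object:
        """Decrypt only inside this call and hand the secret to the connector (an
        SSH or Windows session factory in practice); nothing is returned to the auditor."""
        if host not in self._store.records:
            raise KeyError(f"no stored credentials for {host}")
        nonce, ciphertext, tag = self._store.records[host]
        username, secret = json.loads(unseal(self._enc_key, self._mac_key, nonce, ciphertext, tag))
        return connector(host, username, secret)
```

Two consequences follow directly from the model and match the guide's warnings: whoever holds the store password can reach every credential in it, so the password (not the database) is the real secret to protect, and someone with write access to the database can at most corrupt a record (the tag check rejects it), not substitute credentials of their choosing without the password.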


Managing Credential Stores

Any user saving credentials to a database host or database machine list must have a separate credential store password. You may add, change, or delete stored credentials.

To access this dialog box, select Credential Store > Manage Users from the File menu.

Select the User Whose Credential Store You Want to Change

If you want to change or delete a credential store, highlight it in the list first. If you are logged into any of the credential stores, a green arrow in the left column indicates which ones. A red check mark indicates which store represents the default credential-store user.

You may sort the list by clicking any column heading. When you click a column heading, an arrow appears on the heading that indicates whether the column is sorted in ascending or descending order.

Action

Use Add to create a new credential store, Change to modify a credential store or Delete to delete a credential store.

If you're creating a credential store, type a User Name, Full Name (optional), Description (optional), and Password for this user in the text boxes provided. Then click the Add radio button.

If you're changing a credential store, highlight it in the list. Then change the User Name, Full Name, Description or Password for this user in the text boxes provided and click the Change radio button.

Note: In order to change a credential-store user account, you must be logged into it.

If you're deleting a credential store, highlight it in the list and click the Delete radio button. You cannot delete the Default store.

User Name

Type a name to represent this credential store.

Full Name

Optional: Type the full name of the person whose credentials the credential store contains or the name of the person who will use it.

Description

Optional: Type a short comment describing this credential store so auditors can easily recognize it.

Password

Type a password to unlock this credential store in the Login to Credential Store dialog box. Passwords must be at least six characters long. Because this password is the only thing standing between a user and every credential in the store, treat six characters as a floor and choose a substantially longer passphrase.

Make Default Credential-Store User

Check this box to make this user the default credential-store user. When used in conjunction with the Automatically Log in Using Default Credential-Store User check

Automatically Log in Using Default Credential-Store User

If you're using the default database installed with the software, this check box is selected by default so you don't have to worry about creating credential stores right away.

The Make Default Credential-Store User and Automatically Log in Using Default Credential-Store User options are included as a convenience for new installations. For the sake of security, we recommend deselecting this check box and creating credential stores where necessary.


Logging into Stored Credentials

Before you can perform audits, you must have access to the proper credentials. If you log into stored credentials, you use those credentials to perform audits. The Login to Credential Store dialog box appears each time you launch the application if 1) you or someone else performed a typical installation when you installed the software and 2) you or someone else deselected the Automatically Log in Using Default Credential-Store User check box.

If you're using the default database or the automatic-login feature, the dialog box does not appear unless you open it. To open the Login to Credential Store dialog box, select Credential Store > Switch User from the File menu.

Unlock Credential Store

Unlocks the stored credentials for the selected user if you type the correct password.

Continue Without Stored Credentials

If you just launched the application and 1) do not have any credential stores or 2) do not need to use stored credentials, clicking this button opens the application without logging into any stored credentials. If you're already using the application, clicking this button logs out of any credential stores you're logged into.

Manage Users

Opens the Manage User Credential Stores dialog box so you can add, change or remove stored credentials.

Tip: If you need to use credentials you do not have, ask someone who does to create credential stores for you.

If you don't have the proper credentials to audit the target computers, do the following:

1. Select Credential Store > Switch User from the File menu. The Login to Credential Store dialog box appears.

2. Select the user with credentials stored in the database from the list at the top of the dialog box.

3. Type the credential store's password, and then click Unlock Credential Store.

Once you log into a credential store, all system and database-machine-list credentials specified in the Connect tab of the system or database-machine-list properties are available to you.


FAQ and Troubleshooting

Troubleshooting

Each entry below gives the problem and its solution.

Database

Problem: The application does not work with the ODBC driver from Oracle.

Solution: The software only supports the Microsoft ODBC driver for Oracle.

Internet Browsing

Problem: Links that open in an external browser do not work.

Solution: Microsoft Internet Explorer must be the default browser.

Windows Networking

Problem: Difficulty connecting to Windows Networking.

Solution: Try to establish a network drive map to the target system. From a command line, type a command such as:

NET USE X: \\server\ADMIN$ /USER:username

Replace server with the system name, ADMIN$ with a share on that system the account is allowed to reach (C$ is another common choice) and username with the user name you are using (domain\username for a domain account). NET USE prompts for the password and displays diagnostic messages that help you troubleshoot the problem. Remove the mapping afterwards with NET USE X: /DELETE.

SSH

Problem: Difficulty connecting with SSH.

Solution: The application provides a simple test window. From the View menu, click Options. On the Connect tab, click Test SSH, then type the system name, user name and password. A window appears with diagnostic messages.

