AlienVault
October 20, 2015 USM v4.x-5.x User Management Guide, rev 1
Copyright © 2015 AlienVault, Inc. All rights reserved.
The AlienVault Logo, AlienVault™, AlienVault Unified Security Management™, AlienVault USM™, AlienVault Open Threat Exchange™, AlienVault OTX™, Open Threat Exchange™, AlienVault OTX Reputation Monitor™, AlienVault OTX Reputation Monitor Alert™, AlienVault OSSIM™, and
OSSIM™ are trademarks or service marks of AlienVault, Inc.
All other registered trademarks, trademarks or service marks are the property of their respective owners.
Revision to This Document
Date | Revision Description
July 10, 2015 | Original document.
October 20, 2015 | Added a note to clarify that the USM allows local authentication and LDAP authentication to co-exist.
Contents
Introduction ... 4
About User Management ... 4
User Authentication ... 4
User Authorization and RBAC ... 4
User Accounting ... 4
User Management in USM ... 4
Creating the Default Admin User ... 5
Functions for Admin Users ... 6
Configuring User Authentication ... 6
Configuring User Authorization ... 11
Managing Users... 16
Monitoring User Activities ... 23
Functions for All Users ... 27
Viewing User Settings ... 27
Introduction
Use this document to understand the user management process in AlienVault Unified Security Management (USM)™. User management in AlienVault USM is a process of controlling access to
the system, enforcing administrative policies, and providing information about who accessed the system and what actions they performed in the system. User management is provided by the user authentication, authorization, and accounting (AAA) framework.
The document first describes what user management is and why it is important. The document then describes how to implement user authentication, authorization, and role-based access control, and how to monitor user activity.
About User Management
User Authentication
Since AlienVault USM manages important security functions for your organization, the system requires that all users log in with a username and password. The system can store and manage usernames and passwords internally. You can also set up USM to use a remote authentication server to store usernames and passwords.
User Authorization and RBAC
User authorization determines which portions of AlienVault USM are available to each user. You can assign permissions to access different parts of the AlienVault USM system. Permissions are defined locally on the USM system per user, even if authentication is performed against a remote authentication server.
Role-based access control (RBAC) enables delegation of certain functions to specific roles. You can assign users to specific roles, which then determine which features of AlienVault USM a user can access. For example, you might permit an engineer to access all portions of the USM web interface, while you might restrict a security operator to access only the parts of the USM web interface that are used to perform security analysis.
User Accounting
AlienVault USM collects information on how long a user has been logged into the system and what the user has done. AlienVault USM supports user accounting by logging user activity in the USM web interface. The stored data might be required for auditing or compliance purposes.
User Management in USM
Root user. The root user is created during USM installation and is used to access the command line shell of the system. A root user can perform all operations in the command line shell and is equivalent to a general Linux root user.
Default admin user. The default admin user is created when you access the USM web interface for the first time. The username of this user is admin, and it cannot be changed. This is the only admin user whose password can be reset by the root user. The default admin user can create other user accounts and it has complete visibility in the USM system.
Admin users. Admin users have complete visibility into the USM web interface and can delegate admin access to other users. Admin users can also configure global authentication settings, such as integration with an LDAP database, or change the password policy. They also have visibility into the activity of other users; the exact scope is described under "Viewing User Settings".
Normal users. Normal users can access the web interface of the system and have user accounts delegated by admin users. These users are subject to user authorization as defined by authorization parameters. They cannot create other user accounts or change global authentication settings. Normal users can see only the activity of other users who belong to the same entity.
Creating the Default Admin User
After installation and when connecting to the appliance using the USM web interface for the first time, you are prompted to create the default admin user. When creating the default admin user, you have to provide the following information:
Full Name: Full name of the default admin user.
Username: Username that is required to access the USM web interface. The username is set to admin and cannot be changed.
Password: Credentials that are used to authenticate the user.
E-mail: E-mail address of the default admin user. It is used to send notifications, reports, and other system communication to the user.
Company Name: Name of the default admin user’s company. This parameter is optional.
Location: Physical location of the default admin user. This parameter is optional.
Note: The option "Send anonymous usage statistics and system data to AlienVault to improve USM" is introduced in version 5.0. It is selected by default, which means telemetry collection will be enabled. See What Is Telemetry Collection And How Does
Figure 1. Creating default admin user account
Once the admin user is created, you can log into the system and start using AlienVault.
Functions for Admin Users
This section describes the user management functions that an admin user can perform:
Configuring User Authentication
Configuring Local Authentication
Configuring LDAP Authentication
Configuring User Authorization
Configuring User Authorization with Visibility
Configuring User Authorization with Menu Templates
Configuring User Authentication
Authentication of users that are accessing the USM can generally be done using either the local database or Lightweight Directory Access Protocol (LDAP):
LDAP: The system authenticates a user against the password stored in an LDAP database, such as Microsoft Active Directory. LDAP authentication allows users to use their standard domain or corporate credentials to authenticate with AlienVault USM. This can provide simpler user management in larger environments. For example, if a user leaves the organization, you only need to disable the user’s account in the LDAP directory in order to prevent the user from accessing the USM system.
Note: The USM allows local authentication and LDAP authentication to co-exist.
Configuring Local Authentication
When configuring local authentication, you have to define users with their usernames and passwords in the local database as described in “Managing Users”.
Figure 2. Changing password policy
Password policy allows you to change the following parameters:
Minimum password length: Minimum number of characters for a password. Set to 7 by default.
Maximum password length: Maximum number of characters for a password. Set to 32 by default.
Password history: Enables the system to remember a specified number of previously used passwords in order to prevent the user from reusing them. The value 0 disables password history. By default, password history is disabled.
Complexity: Requires the password to contain characters from at least 3 of these 4 classes: lowercase letters, uppercase letters, numbers, and special characters. Disabled by default.
Maximum password lifetime in days: Specifies the time before a user is asked to change the current password. The value 0 disables maximum lifetime. By default, maximum lifetime is disabled.
Failed logon attempts: Specifies the number of failed logon attempts before the system locks an account. Set to 5 attempts by default.
Account lockout duration: Specifies the duration of a locked account. Set to 5 minutes by default. The value 0 disables lockout.
After you make changes to the password policy, make sure to save the changes by clicking Update Configuration.
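The following Python script is an added example written for this edition of the guide, not AlienVault code: it re-implements the password policy rules and the failed-logon lockout listed above with the default values the guide states, so that you can test a candidate password or walk through the lockout counters before you change the policy. The in-memory state, the use of SHA-256 for the history digests, and the assumption that a successful login clears the failure counter are choices made for the example; the guide does not describe how USM stores these internally.

```python
"""Password policy and account lockout checks using the USM defaults.

Added example, not AlienVault code. The policy values are the defaults the
guide lists; the storage and hashing choices are assumptions for the example.
"""
from __future__ import annotations

import hashlib
import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    min_length: int = 7           # guide default
    max_length: int = 32          # guide default
    history: int = 0              # number of old passwords remembered; 0 disables
    complexity: bool = False      # require 3 of the 4 character classes
    max_lifetime_days: int = 0    # 0 disables expiry
    failed_attempts: int = 5      # failures before the account is locked
    lockout_minutes: int = 5      # 0 disables lockout


def character_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum((
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ))


def digest(pw: str) -> str:
    """Digest used for the history list. Example only: a real credential
    store needs a salted, slow hash (bcrypt, scrypt or Argon2)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(policy: PasswordPolicy, pw: str, history: list[str]) -> list[str]:
    """Return the policy violations for `pw` (empty list means acceptable).

    `history` holds digests of the user's earlier passwords, newest first.
    """
    problems: list[str] = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(pw) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if policy.complexity and character_classes(pw) < 3:
        problems.append("needs 3 of: lowercase, uppercase, digit, special")
    if policy.history and digest(pw) in history[: policy.history]:
        problems.append(f"reuses one of the last {policy.history} passwords")
    return problems


def password_expired(policy: PasswordPolicy, age_days: int) -> bool:
    """True when the password is older than the maximum lifetime (0 = never)."""
    return bool(policy.max_lifetime_days) and age_days >= policy.max_lifetime_days


@dataclass
class LockoutState:
    failures: int = 0
    locked_until: float = 0.0     # epoch seconds; 0 means not locked


def record_login(policy: PasswordPolicy, state: LockoutState,
                 credentials_ok: bool, now: float) -> str:
    """Apply the failed-logon and lockout rules to one login attempt.

    Returns "ok", "denied" (bad credentials, not yet locked) or "locked".
    A correct password presented during the lockout window is still refused.
    """
    if state.locked_until > now:
        return "locked"
    if credentials_ok:
        state.failures = 0            # assumption: success resets the counter
        return "ok"
    state.failures += 1
    if policy.lockout_minutes and state.failures >= policy.failed_attempts:
        state.locked_until = now + policy.lockout_minutes * 60
        state.failures = 0
        return "locked"
    return "denied"


if __name__ == "__main__":
    policy = PasswordPolicy(complexity=True, history=3)
    print(check_password(policy, "letmein", []))         # fails complexity
    print(check_password(policy, "Sens0r-Analyst", []))  # acceptable
    state = LockoutState()
    for attempt in range(6):
        print(attempt + 1, record_login(policy, state, False, now=0.0))
```

Running the script shows the fifth consecutive failure switching the result from "denied" to "locked"; with lockout duration set to 0 the counter keeps growing but the account is never locked, which matches the meaning of the 0 value in the policy.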
Configuring LDAP Authentication
In order to use external authentication against an LDAP database, you have to first create a service account in the LDAP database for AlienVault USM to query the database.
Figure 3. Creating Microsoft Active Directory user account
For Microsoft Active Directory, the service account is configured as a regular user account. A regular user account in Microsoft Active Directory is created in two steps. In the first step, you assign a meaningful name and user logon name. In the second step, you set a logon password for the user. Set the password not to expire and not to require a password change at next logon. Leave the account as an ordinary domain user with read access to the directory: it only needs to bind and search, so do not add it to any administrative group, and protect its password, since it is stored in the USM configuration.
After creating the service account in Microsoft Active Directory, you have to modify the
configuration in AlienVault USM. By default, users are authenticated via username and password. These are stored in the AlienVault USM database after they have been created. You have to change this configuration in order to use LDAP authentication.
To integrate AlienVault USM with an LDAP database
1. Log in to the USM web interface.
3. Expand the Login Methods/Options section, and enter the following parameters:
Set Enable LDAP for login to Yes.
For LDAP server address, specify the IP address of the LDAP server.
For LDAP server port, specify 389 for unencrypted LDAP or for LDAP over TLS (StartTLS), and 636 for LDAP over SSL (LDAPS).
Set LDAP server SSL to Yes only if you use LDAP over SSL on port 636; otherwise leave it at No.
Set LDAP server TLS to Yes only if you use LDAP over TLS; otherwise leave it at No.
With both options set to No, the service account password and every user password that USM checks against the directory cross the network unencrypted, so enable one of the two wherever the directory server supports it.
The LDAP server baseDN needs to be the LDAP server base distinguished name (DN) in the form of dc=domain,dc=suffix.
For LDAP server filter for LDAP users, use (&(cn=%u)(objectClass=account)) for general LDAP, or (&(sAMAccountName=%u)(objectCategory=person)) for Microsoft Active Directory.
For LDAP Username you need to specify the User Principal Name (UPN) of the user you have created in the LDAP database in the following format: [email protected]. For LDAP password for Username specify the password for the account that has been entered in the previous line.
Set Require a valid ossim user for login to Yes if you need to control user authorization. This setting requires that you create a user account in the local database with the same login name as the user in the LDAP database. The local username is used to determine user permissions, such as assigning menu templates and entities. A password will be set for the local account during creation. But once LDAP is set up, the local password will not be used for authentication any longer.
Set this setting to No if you do not want to create user accounts for authorization. In this case, you have to select a default entity from the Entity for new user drop-down menu and a default menu template from the Menus for new user drop-down menu. The default entity and menu template will then be assigned to users that are authenticated against the LDAP database.
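As an added example (not AlienVault code, and not a description of how USM builds its queries internally), the Python below expands the two filter strings given above the way an LDAP client must: the %u placeholder is replaced with the login name after the RFC 4515 escaping of the characters that have meaning inside a filter. Without that escaping a login name such as * or a)(cn=* changes the meaning of the filter instead of being matched as a literal value. The second function models the Require a valid ossim user for login switch: with Yes, the LDAP login is mapped onto a local account of the same name and refused if none exists; with No, users with no local account receive the default entity and menu template. Whether an existing local account keeps its own settings when the switch is No is not stated in the guide and is an assumption made here.

```python
"""LDAP user-filter expansion and local-account mapping for USM-style login.

Added example, not AlienVault code. The filter templates are the two the
guide gives; the escaping follows RFC 4515. How USM substitutes %u
internally is not described by the guide and is not claimed here.
"""
from __future__ import annotations

from typing import Optional

FILTERS = {
    "generic": "(&(cn=%u)(objectClass=account))",
    "active_directory": "(&(sAMAccountName=%u)(objectCategory=person))",
}

# RFC 4515 section 3: characters that must be hex-escaped inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it is matched literally in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, login: str) -> str:
    """Replace %u in the template with the escaped login name."""
    if "%u" not in template:
        raise ValueError("filter template has no %u placeholder")
    return template.replace("%u", escape_filter_value(login))


def expand_filter_unescaped(template: str, login: str) -> str:
    """Naive substitution, kept only to show how a crafted login name
    rewrites the filter. Never use this form in real code."""
    return template.replace("%u", login)


def authorize_ldap_login(login: str, local_users: dict[str, dict],
                         require_local_user: bool,
                         default_entity: str, default_menu: str) -> Optional[dict]:
    """Model the 'Require a valid ossim user for login' setting.

    local_users maps a login to its authorization record, e.g.
    {"entity": "Finance", "menu": "Analyst"}. Returns the record to apply,
    or None when the login must be refused.
    """
    if require_local_user:
        return local_users.get(login)   # no local account -> refuse
    # Assumption: a local account, if present, keeps its own settings.
    return local_users.get(login, {"entity": default_entity, "menu": default_menu})


if __name__ == "__main__":
    # Constructed input: a well-formed login and two crafted ones.
    for name in ("jdoe", "*", "a)(cn=*"):
        print("escaped:  ", expand_filter(FILTERS["active_directory"], name))
        print("unescaped:", expand_filter_unescaped(FILTERS["active_directory"], name))
    local = {"jdoe": {"entity": "Finance", "menu": "Analyst"}}
    print(authorize_ldap_login("jdoe", local, True, "My Company", "All Sections"))
    print(authorize_ldap_login("nobody", local, True, "My Company", "All Sections"))
    print(authorize_ldap_login("nobody", local, False, "My Company", "All Sections"))
```

The unescaped output for the login name * is a filter that matches every account rather than one user, which is the reason the filter value must be escaped by whichever component performs the substitution.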
Figure 4. Integrating AlienVault USM with LDAP
Configuring User Authorization
You can configure user authorization in AlienVault USM by assigning different parameters to a user account that is created in the local user database. The parameters that influence what a user can access in AlienVault USM system are as follows:
Visibility. Use this option to associate a user with entities within the structure tree.
Allowed assets. This option lets you choose which assets the user should see.
Menu templates. This option authorizes access to different parts of the web interface.
Note: Associating users with authorization parameters is explained in the “Managing Users” section of the document.
Configuring User Authorization with Visibility
Entities are used to group assets and sensors from similar functional areas of an organization, so that you can treat them differently, because assignment of an entity limits visibility of events and assets in the web interface. For example, each department within a company can be a different entity, as they have different assets and you may not want them to see each other’s assets. By separating them into different entities, you can limit the users to only see their department’s assets and the events associated with those assets.
If you’re using local authentication and authorization, you can assign an entity to an individual user in the AlienVault USM local database. If you’re using LDAP authentication without a local user, the system uses a default entity.
Important: The visibility configuration does not apply to Availability Monitoring, HIDS, Wireless IDS, or Vulnerability Scans. This is because these functional areas are tied to each USM Sensor. You cannot limit their visibility to a subset of assets.
You can create, modify, and delete correlation contexts and entities. Navigate to Configuration > Administration > Users > Structure to create an entity.
Figure 5. Entities and assets structure tree
The upper part of the screen includes the following options:
New Entity: Allows you to create a new entity.
Show Users: Toggles the display of users in the entities and asset structure.
Show AlienVault Components: Toggles the display of AlienVault components in the entities and asset structure.
The lower part of the screen is divided into two columns. The left one contains an asset structure tree, which displays assets, asset groups, networks, and network groups. Assets are organized into entities and correlation contexts. By default, you will find one correlation context named My Company that contains all assets and networks. There are no entities by default.
The right column displays the inventory of all assets. They are organized by properties, such as operating system, role, and department.
To create a new entity
1. Click New Entity.
Figure 6. Creating a new entity
2. Specify the name of the entity in the Name input field.
3. Optionally, specify the address of the entity in the Address input field.
6. Associate assets or networks with the entity by selecting assets or networks from the asset tree.
Once you have added the assets, you can remove them by selecting an asset and clicking the [X] button. You can also remove all assets by clicking Remove All Assets.
7. Associate USM Sensor with the entity by selecting a sensor from the Sensor list tree. Once you have added the sensors, you can remove them by selecting a sensor and clicking the [X] button. You can also remove all sensors by clicking Remove All Sensors.
8. Click Save to save the changes.
Configuring User Authorization with Menu Templates
The second way to configure user authorization is by using menu templates, which limit availability of the web interface to users.
A menu template is a reusable object that specifies which parts of the web interface are displayed to users. If you use local authentication and authorization, you can assign a template to an
individual user in the AlienVault USM local database. If you use LDAP authentication without a local user, the system uses a default template.
You can create a new template, edit an existing one, or delete a template. Navigate to Configuration > Administration > Users > Templates in order to work with templates.
Figure 7. Listing the menu templates
The Templates section of the configuration screen includes the following fields:
Action bar, which includes the buttons New, Modify and Delete Selected, and a drop-down menu which allows a user to configure the number of templates that will be displayed.
Name: Refers to the template name.
Users Assigned: Displays which users are assigned to an individual template.
Sections Allowed: Displays the percentage of web interface sections that the template makes available.
Figure 8. Searching for a template
The system uses one template by default, which allows 100 percent access to the web interface. The name of the template is All Sections.
Creating a New Template
To create a new template
1. Click New.
Figure 9. Creating a new menu template
2. Specify a name for the template.
3. Select the menu sections you want to include in the template by checking the appropriate box to the left of each web interface section. You can use the Select All and Unselect All options to select or unselect all web interface sections at the same time.
4. Click Save Template to save the template or click Cancel to discard the changes.
Editing a Template To modify a template
Double-click on the row of that template.
Click on the name of that template.
2. Select the menu sections you want to include in the template by checking the appropriate box to the left of each web interface section. You can use the Select / Unselect All options to select or unselect all web interface sections at the same time.
3. If you change the template name, the button Save As will be active.
4. Click Save Template to save the template or click Cancel to discard the changes.
Deleting a Template
To delete a template, select the template you want to delete by clicking the line of that template and clicking Delete Selected. The system will ask for a confirmation.
Managing Users
If you are using local user authentication, you have to create user accounts in the local database. You can create, modify, delete, duplicate, or disable user accounts:
Creating a New User
Modifying a User
Deleting a User
Duplicating a User
Enabling or Disabling a User
Viewing User Hierarchy
Resetting a Password
Figure 10. Managing local users
The User Information section of the configuration screen includes the following parts:
Action bar, which includes the buttons New, Modify, Delete Selected, Duplicate Selected, Multilevel Tree, and a drop-down menu which allows a user to configure the number of users that will be displayed.
A list of configured users, which contains the following fields:
Table 1. Local user account information
Field | Description
Login | Username required to access AlienVault USM; the name the user types to open a session in the system.
Name | The real name of the user.
Email | The e-mail address of the user. It is used to send notifications or reports to the user.
Visibility | The correlation context or entity the user belongs to.
Status | Whether the user account is enabled or disabled.
Language | The interface language, either English or Spanish.
Creation Date | Date the user account was created.
Last Login Date | Date the user last logged into the system.
Figure 11. Searching for local users
Creating a New User
To create a new user
1. Click New.
2. Enter a username into User Login field. The user can access the AlienVault USM web interface with this username.
3. Enter the user’s real name into the User Name field.
4. Enter the user's email into the User Email field.
5. Select the language of the user interface from the User Language drop-down menu.
6. Select a time zone from the Timezone drop-down menu.
7. Enter your current password in the Enter Your Current Password field. The user needs this password to log into the AlienVault USM system.
Figure 12. Creating a new user account
9. Configure the user as a global admin user by selecting the Yes radio button next to Make This User a Global Admin. Leave the setting at No to configure the user as a normal user.
10. Select a template from the Menu Template drop-down menu to associate this user with a menu template. You can also view a template or create a new template from this window.
11. Select an entity or correlation context from the Visibility menu. This option is mandatory and it is used to associate a user with an entity or correlation context within the structure tree.
12. Assign assets that will be visible to the user by expanding the Allowed Assets option and selecting assets. This option is not mandatory and it works as a filter within an entity or a correlation context.
13. Click Save to save changes.
Note: For global admin users, menu templates, visibility, and allowed assets settings do not apply. You can set them but they have no effect.
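Added example, not AlienVault code: the Python below encodes the authorization rules stated in "Configuring User Authorization with Visibility" and in the steps above, so you can check what a given account will be able to see before saving it. Global admins ignore the menu template, visibility and allowed-assets settings; every other user must be bound to one entity or correlation context, and Allowed Assets can only narrow that scope, never extend it. The structure is reduced to a mapping of entities to their assets, with each correlation context holding the union of its entities, which is a simplification made for the example. It also sets aside the sections the guide says are not subject to visibility (Availability Monitoring, HIDS, Wireless IDS and Vulnerability Scans), which are tied to the USM Sensor instead.

```python
"""What a USM user can see, derived from visibility and allowed assets.

Added example, not AlienVault code. Entities, contexts and assets below are
constructed; the rules are the ones stated in the guide.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Functional areas the guide says are tied to the sensor, not to visibility.
SENSOR_SCOPED_SECTIONS = frozenset({
    "Availability Monitoring", "HIDS", "Wireless IDS", "Vulnerability Scans",
})


@dataclass
class Structure:
    contexts: dict[str, set[str]]        # correlation context -> entities in it
    entity_assets: dict[str, set[str]]   # entity -> assets associated with it

    def all_assets(self) -> set[str]:
        return set().union(*self.entity_assets.values())

    def assets_of(self, visibility: str) -> set[str]:
        """Assets reachable from an entity or from a whole correlation context."""
        if visibility in self.entity_assets:
            return set(self.entity_assets[visibility])
        if visibility in self.contexts:
            members = self.contexts[visibility]
            return set().union(*(self.entity_assets.get(e, set()) for e in members))
        raise KeyError(f"unknown entity or correlation context: {visibility}")


@dataclass
class User:
    login: str
    global_admin: bool = False
    visibility: Optional[str] = None                       # mandatory unless admin
    allowed_assets: set[str] = field(default_factory=set)  # empty = no filter
    menu_template: str = "All Sections"


def visible_assets(user: User, structure: Structure) -> set[str]:
    """Assets the user sees in the web interface under the guide's rules."""
    if user.global_admin:
        return structure.all_assets()        # visibility/allowed assets ignored
    if not user.visibility:
        raise ValueError(f"{user.login}: Visibility is mandatory for normal users")
    scope = structure.assets_of(user.visibility)
    if user.allowed_assets:
        return scope & user.allowed_assets   # a filter within the entity only
    return scope


def effective_template(user: User) -> str:
    """Menu template in force: global admins always get the full interface."""
    return "All Sections" if user.global_admin else user.menu_template


def visibility_applies(section: str) -> bool:
    """False for the sections the guide excludes from visibility filtering."""
    return section not in SENSOR_SCOPED_SECTIONS


if __name__ == "__main__":
    # Constructed structure: one context, two entities.
    tree = Structure(
        contexts={"My Company": {"Finance", "Engineering"}},
        entity_assets={"Finance": {"fin-db-01", "fin-app-01"},
                       "Engineering": {"git-01", "ci-01"}},
    )
    analyst = User("fin_analyst", visibility="Finance", menu_template="Analyst",
                   allowed_assets={"fin-db-01", "git-01"})
    print(sorted(visible_assets(analyst, tree)))          # only fin-db-01
    print(sorted(visible_assets(User("ops", global_admin=True), tree)))
```

The analyst example shows the point worth remembering when you fill in Allowed Assets: git-01 is listed in the filter but belongs to another entity, so it is dropped rather than granted.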
Modifying a User
To modify an existing user account
1. Select the user you want to modify by doing one of the following:
Click on the row of that user and click Modify.
Double-click on the row of that user.
Click on the name of that user.
Figure 13. Modifying a user account
3. Click Save to save changes.
Deleting a User
To delete an existing user account, select the user you want to delete by clicking the row of that user and click Delete Selected. The system will ask you for a confirmation.
Duplicating a User
To duplicate an existing user account
1. Select the user account you want to duplicate by clicking the row of that user, and click Duplicate Selected.
2. Change the parameters of the user account as needed. Parameters are the same as when creating a user account. Notice that the system has added ‘_duplicated’ to the User Login field in order to distinguish the new user from the one that is being duplicated.
Figure 14. Duplicating a user account
Enabling or Disabling a User
To disable a user account, click the green check mark in the row of the user you would like to disable.
Figure 15. Disabling a user account
To re-enable a disabled user account, click the red cross in the row of the user you would like to enable.
Figure 16. Enabling a user account
Viewing User Hierarchy
To see how users are organized into entities and correlation contexts, you can examine user hierarchy by clicking the Multilevel Tree option.
Figure 17. Viewing user hierarchy
Resetting a Password
For any user other than the default admin user, you can reset the user’s password by logging into the system as the default admin user. You reset the password by editing the user account as discussed in “Modifying a User”.
If the default admin user forgets his or her password, you have to recover it. You can do this by accessing the AlienVault USM command prompt shell and using the AlienVault Setup menu. To reset the default admin password, complete the following steps
Figure 18. Changing admin password in the AlienVault Setup menu
2. Press Enter to confirm that you want to reset the admin password. The system will display a new password.
3. Launch the AlienVault USM web interface to log in.
4. Change the password when prompted.
Figure 19. Changing admin password when prompted
Note: If you forget the root user password and have to reset it, see Recovering Lost Root Password on AlienVault Appliances.
Monitoring User Activities
Changing User Activity Configuration
To change general user activity settings, navigate to Configuration > Administration > Main and expand the User Activity option.
Figure 20. Changing user activity logging configuration
In the User Activity section, you can change the following settings:
Change session timeout by entering a number into the Session Timeout input field. Session timeout specifies how many minutes an AlienVault USM web interface session lasts. By default, session timeout is set to 15 minutes.
Change user lifetime by entering a number into the User Life Time input field. This setting specifies the number of days that a user account is active. The value 0 means that the account does not expire.
Toggle user activity logging on or off by selecting Yes or No from the Enable User Log drop-down menu. Typically, you will choose Yes.
Toggle sending user activity logs to syslog by selecting Yes or No from the Log to syslog drop-down menu.
AlienVault USM system by default monitors all activities performed by individual users (if enabled globally). If you do not want to monitor all activity, you can change the user activity configuration.
To change the user activity configuration
1. Navigate to Configuration > Administration > Users > Activity. The table that is displayed has two columns. The left column shows the logged actions. The right column shows the actions that are not logged. By default, all actions are in the left column, which means that all actions are logged.
Figure 21. Changing user actions logging configuration
2. Pass actions from one side to the other by using drag-and-drop or by using the links [+] or [-] located next to each item. You can pass all items from one side to the other by clicking Remove all or Add all. If you have any items in the column on the right, you can use the search box at the top of that column to search for actions not logged.
3. Click Update Configuration to apply the changes.
Monitoring User Activity
Figure 22. Monitoring logged in users
For each user, you can see the following details: the IP address the user is connecting from, the name of the asset in the AlienVault USM inventory the user is connecting from, the user agent of the client, the session ID, the logon time, and the elapsed time since the last activity. You also have the option to log out a specific user by clicking the door icon.
In order to monitor the activity that was performed by an individual user, navigate to Settings > User Activity.
On the upper part of the screen, you can filter displayed activities by selecting Date Range, User, or Action. Click View after you specify filters to see only activities that are related to the search filters.
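Added example (not AlienVault code): the Python below takes records shaped like the Current Sessions columns listed above and applies the checks an administrator usually runs before using the log-out icon: sessions idle beyond the 15-minute default session timeout, one login name active from more than one source address at the same time, and a session arriving from an address that has no name in the asset inventory. The sample records are constructed for the example, not captured from a USM system, and the field names are the example's own.

```python
"""Checks over a USM-style Current Sessions list.

Added example, not AlienVault code. SESSIONS is constructed sample data
shaped like the columns the guide lists; field names are the example's own.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import timedelta

SESSION_TIMEOUT = timedelta(minutes=15)   # guide default

# Constructed sample, not real USM output. "asset" is the inventory name of
# the source host; empty when the source address is not in the inventory.
SESSIONS = [
    {"user": "admin", "ip": "10.0.5.20", "asset": "soc-ws-01",
     "agent": "Mozilla/5.0 Firefox/40.0", "sid": "s1", "idle_min": 3},
    {"user": "analyst", "ip": "10.0.5.31", "asset": "soc-ws-02",
     "agent": "Mozilla/5.0 Firefox/40.0", "sid": "s2", "idle_min": 22},
    {"user": "analyst", "ip": "198.51.100.7", "asset": "",
     "agent": "curl/7.43.0", "sid": "s3", "idle_min": 1},
]


def stale_sessions(sessions: list[dict], timeout: timedelta = SESSION_TIMEOUT) -> list[str]:
    """Session IDs idle longer than the configured session timeout."""
    return [s["sid"] for s in sessions if timedelta(minutes=s["idle_min"]) > timeout]


def multi_source_users(sessions: list[dict]) -> dict[str, list[str]]:
    """Users with live sessions from more than one source IP at once."""
    ips: dict[str, set[str]] = defaultdict(set)
    for s in sessions:
        ips[s["user"]].add(s["ip"])
    return {u: sorted(a) for u, a in ips.items() if len(a) > 1}


def sessions_from_unknown_hosts(sessions: list[dict]) -> list[str]:
    """Session IDs whose source address has no name in the asset inventory."""
    return [s["sid"] for s in sessions if not s["asset"]]


def review(sessions: list[dict]) -> dict:
    """Run every check and return the findings keyed by check name."""
    return {
        "stale": stale_sessions(sessions),
        "multi_source": multi_source_users(sessions),
        "unknown_host": sessions_from_unknown_hosts(sessions),
    }


def sessions_to_log_out(sessions: list[dict]) -> list[str]:
    """Sessions an administrator would log out first: stale ones and those
    from unknown hosts belonging to a user who is also logged in elsewhere."""
    findings = review(sessions)
    dup_users = set(findings["multi_source"])
    by_sid = {s["sid"]: s for s in sessions}
    picked = set(findings["stale"])
    picked.update(sid for sid in findings["unknown_host"]
                  if by_sid[sid]["user"] in dup_users)
    return sorted(picked)


if __name__ == "__main__":
    for name, result in review(SESSIONS).items():
        print(f"{name:13} {result}")
    print("log out first:", sessions_to_log_out(SESSIONS))
```

With the sample data the analyst account is flagged twice: its workstation session has been idle past the timeout, while a second session for the same login is active from an address outside the inventory with a command-line user agent, which is the combination worth a phone call before you click the icon.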
Figure 23. Monitoring user actions
Functions for All Users
This section describes functions that are available to all users.
Viewing User Settings
Each user in the AlienVault USM system can examine the following information:
User profile: Includes basic settings about a user, such as login name, user name, email, language, time zone, and password. Each user can change his or her profile as described in the “Modifying a User” topic.
Current sessions: Displays users that are logged into the system. Global admin users (including default admin) can see accounts from all users, while normal users can see only their own account.
User activity: Displays the actions performed by users. The default admin can see the activity of all users, while other global admin users and normal users can only see the activity of users belonging to the same entity.
Note: Refer to Monitoring User Activity about examining current sessions and user activity.
Modifying a User
To change your user profile
1. Do one of the following:
Navigate to Configuration > Administration > User Information, select the row of the user you would like to modify, and click Modify. Alternatively, double-click the row of the user you would like to modify. For normal users, as opposed to global admin users, Modify is the only option.
Navigate to Settings > My Profile.
2. Change user settings as desired. Settings are the same as when creating a new user.
3. Click Save to save the settings.