
RSA Security Analytics

System Maintenance Guide


Copyright © 2010 - 2015 RSA, the Security Division of EMC. All rights reserved.

Trademarks

RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of EMC trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm.

License Agreement

This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by EMC.

Third-Party Licenses

This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed in the thirdpartylicenses.pdf file.

Note on Encryption Technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Contents

• System Maintenance 6

◦ Activate or Deactivate FIPS 7

▪ Procedures 8

◦ Back Up and Restore Data for Hosts and Services 17

▪ Core Hosts Backup and Recovery 18

▪ ESA Backup and Recovery 20

▪ Log Collector Backup and Recovery 22

▪ Malware Analytics Backup and Recovery 24

▪ Reporting Engine Backup and Recovery 26

▪ Security Analytics Server Backup and Recovery 29

▪ Warehouse Connector Backup and Recovery 31

◦ Configure DISA STIG Hardening 33

▪ Introduction 34

▪ Customers Applying STIG for the First Time in 10.5.0.1 36

▪ OpenSCAP Report 38

▪ Exceptions to STIG Compliance 43

◦ Manage Jobs and Notifications 50

▪ Manage Jobs 51

▪ View and Delete Notifications 55

▪ References 58

▪ System Jobs Panel 59

▪ System Notifications Panel 61

◦ Manage Security Analytics Updates 63

▪ Populate Updates Repository 64

▪ Option 1: Use Live Account 65

▪ Configure SMCUPDATE 66

▪ Option 2: Download from SCOL 68

▪ References 69

▪ Updates Repository Tab 71

▪ Settings Tab 73

▪ Manual Updates Tab 76

▪ Apply Updates from Hosts View 78

▪ Update Security Analytics 79

▪ System Info Panel 81

◦ Monitor Health and Wellness of Security Analytics 83


▪ Filter Hosts and Services in the Monitoring View 91

▪ Monitor Host Details 94

▪ Monitor Service Details 96

▪ Manage Policies 99

▪ Include the Default Email Subject Line 114

▪ Monitor System Statistics 118

▪ Filter System Statistics 119

▪ Create Historical Graph of System Statistics 123

▪ Monitor Event Sources 125

▪ Configure Event Source Monitoring 126

▪ Filter Event Sources 130

▪ Create Historical Graph of Events Collected for an Event Source 132

▪ Display System and Service Logs 134

▪ Access Reporting Engine Log File 137

▪ Search and Export Historical Logs 138

▪ Maintain Queries Using URL Integration 142

▪ Monitor Health and Wellness Using SNMP Alerts 146

▪ Monitor Service Statistics 149

▪ Add Statistics to a Gauge or Chart 151

▪ Edit Properties of Statistics Gauges 155

▪ Edit Properties of Timeline Charts 157

▪ Reference - Interface Description 160

▪ Alarms View 161

▪ Archiver Monitoring Settings 164

▪ Event Source Monitoring Settings 167

▪ Event Source Monitoring View 173

▪ Health & Wellness Historical Graph Views 176

▪ Historical Graph View for Events Collected from an Event Source 177

▪ Historical Graph View for System Stats 182

▪ Monitoring View 187

▪ Host and Services Details Views 190

▪ Archiver Details View 191

▪ Broker Details View 194

▪ Concentrator Details View 196

▪ Decoder Details View 198

▪ Event Stream Analysis (ESA) Details View 201

▪ Host Details View 205

▪ Log Collector Details View 208

▪ Log Decoder Details View 211

▪ Malware Details View 214

▪ Reporting Engine Details View 217

▪ Warehouse Connector Details View 220


▪ Policies View 222

▪ RSA Health & Wellness Email Templates 228

▪ Security Analytics Out-of-the-Box Policies 231

▪ System Stats Browser View 237

▪ Warehouse Connector Monitoring Settings 240

▪ Troubleshooting Health & Wellness 243

◦ Troubleshoot Security Analytics 248

▪ Debugging Information 249

▪ Error Notification 252

▪ NwLogPlayer 254

▪ Miscellaneous Tips 256

▪ Troubleshoot Feeds 258

◦ References 264

▪ Service Statistics 265

▪ Appliance Statistics 266

▪ Broker Statistics 269

▪ Concentrator Statistics 273

▪ Decoder and Log Decoder Statistics 280


System Maintenance

Overview

This guide provides information on the tasks that administrators perform to maintain the RSA Security Analytics system.

Context

This guide encompasses the tasks that administrators perform after initial network setup to allow Security Analytics to manage appliances and services in the network, maintain and monitor the network, manage jobs, and tune performance.

Overview

© 2010 - 2015 RSA, The Security Division of EMC. Last Modified: August 21 2015, 10:04AM


Activate or Deactivate FIPS

Overview

Caution:

Federal Information Processing Standards (FIPS) is available in Security Analytics v10.5.0.1 and later. FIPS is not available in Security Analytics v10.5.

This topic tells you how to activate and deactivate Federal Information Processing Standards (FIPS).

Context

The method you use to activate or deactivate FIPS depends on the type of security library used by your Security Analytics services. Your Security Analytics services can use either the OpenSSL or BSAFE security library.

Services and their security library:

BSAFE: Event Stream Analysis (ESA), Malware Analysis, Reporting Engine, Security Analytics Host, and Incident Management

OpenSSL: Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (Local and Remote Collectors), Archiver, and Workbench

Important Notes on FIPS

• When you run the FIPS Enable/Disable script on the Security Analytics host, it enables/disables all the services using the BSAFE security library running on the Security Analytics host and on all the connected hosts that use the BSAFE security library.

• If FIPS is enabled, you must complete the following steps after the SSH keys are configured as described in the Warehouse Connector Configuration Guide and before you add an SFTP destination using SSH key-based access.

1. SSH to the Warehouse Connector host.

2. Submit the following commands:

cd /root/.ssh/

mv id_dsa id_dsa.old


Procedures

Overview

This topic contains the procedures for activating, deactivating, and verifying Federal Information Processing Standards (FIPS).

Context

Use this section when you are looking for instructions on how to activate, deactivate, or verify:

• FIPS using BSAFE

Enable, verify, or disable FIPS using BSAFE for the Security Analytics host and all services that use the BSAFE security library.

• FIPS using OpenSSL

Enable, verify, or disable FIPS using OpenSSL for the Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench services.

FIPS Using BSAFE

This section tells you how to enable, verify, or disable FIPS using BSAFE for the Security Analytics host and all services that use the BSAFE security library (Reporting Engine, Incident Management, Event Stream Analysis, and Malware Analysis services).

Enable FIPS Using BSAFE for Security Analytics Host and All Services Using BSAFE Security Library

To enable FIPS using BSAFE for the Security Analytics host and all services using BSAFE security library:

1. SSH in to the Security Analytics host with root permissions.

2. Navigate to the /etc/puppet/scripts directory and run the following command:

./FIPSEnable.sh

The script runs on the Security Analytics host. The ./FIPSEnable.sh script:

• Enables FIPS on all the services using the BSAFE security library that are provisioned to the Security Analytics host.

• Restarts services on the Security Analytics host and all other hosts.


For example: Malware Analysis, Event Stream Analysis (ESA), and Security Analytics core hosts (Broker, Concentrator, Decoder and Log Decoder, etc.) are provisioned to the Security Analytics host. When you run the ./FIPSEnable.sh script on the Security Analytics host, it instructs the Malware Analysis and ESA services running on other hosts to run in FIPS mode.

After successful execution of the script, the script automatically restarts services on the Security Analytics, ESA, and Malware hosts. Allow some time for the services to restart.

RSA recommends that you reboot all hosts that are connected to the Security Analytics host starting with the non-Security Analytics hosts first. For example, if you have a Malware Analysis host and a Security Analytics host, reboot the Malware Analysis host first and then reboot the Security Analytics host.

3. Reboot the host.

Note:

To enable or disable FIPS for the IPDB Extractor running on the Security Analytics host, use the scripts you used for OpenSSL (that is, ./NwFIPSEnable.sh or ./NwFIPSDisable.sh).

Verify That FIPS Is Enabled for Reporting Engine on the Security Analytics Host

To verify that FIPS using BSAFE is enabled for the Reporting Engine:

1. Log on to Security Analytics and go to Administration > Services.

2. Select the Reporting Engine service.

3. Click under Actions and select View > Explore.

4. Go to com.rsa.soc.re > Configuration > ServerConfiguration > serverConfiguration.

5. Make sure that the FIPSEnabled parameter is set to true.


Verify That FIPS Is Enabled for ESA

To verify that FIPS using BSAFE is enabled for the ESA:

1. Log on to Security Analytics and go to Administration > Services.

2. Select the ESA service.

3. Click under Actions and select View > Explore.

4. Go to Service > Status > service.

5. Make sure that the FIPSModeOn parameter is set to true.

Verify That FIPS Is Enabled for Malware Analysis

To verify that FIPS using BSAFE is enabled for the Malware Analysis, execute the following command string:

cat /etc/alternatives/jre/lib/security/java.security | grep FIPS

The command string returns the following output when FIPS is enabled for Malware Analysis:

com.rsa.cryptoj.fips140initialmode=FIPS140_MODE


Verify that FIPS Is Enabled for Incident Management

To verify that FIPS is enabled for Incident Management, execute the following command string:

cat /opt/rsa/im/logs/im.log | grep FIPS

The command string returns the following output when FIPS is enabled for Incident Management:

[WrapperSimpleAppMain] INFO com.rsa.smc.im.ServiceInitializer - Running in FIPS mode
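As an added example (not part of the RSA guide), the following POSIX shell check reads the two file-based indicators documented above for Malware Analysis and Incident Management. Unlike a plain grep, a commented-out #com.rsa.cryptoj.fips140initialmode line in java.security does not count, and only the most recent ServiceInitializer log entry that mentions FIPS decides; the function names, the --report option, and the assumption that the initializer logs its mode at every start are this example's own.

```shell
#!/bin/sh
# Added example (not from the RSA guide): evaluate the two file-based FIPS
# indicators the guide documents for BSAFE services.
#   java.security  com.rsa.cryptoj.fips140initialmode=FIPS140_MODE   (Malware Analysis)
#   im.log         "... ServiceInitializer - Running in FIPS mode"   (Incident Management)
# Default paths are the ones the guide greps; --report is this example's own.

# Print the effective value of KEY in a Java properties FILE: comment lines
# (# or !) are skipped and, as in java.util.Properties, the last assignment wins.
# A commented-out "#com.rsa.cryptoj.fips140initialmode=FIPS140_MODE" therefore
# does not count, although "grep FIPS" would match it.
java_property() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }                 # drop leading whitespace
        /^[#!]/ { next }                       # comment line
        {
            if (match($0, /[ \t]*[=:]/) && substr($0, 1, RSTART - 1) == key) {
                value = substr($0, RSTART + RLENGTH)
                sub(/^[ \t]+/, "", value)
            }
        }
        END { print value }' "$1"
}

# Succeeds when FILE (default: the java.security the guide reads) puts the
# Crypto-J provider in FIPS 140 mode.
malware_fips_enabled() {
    f=${1:-/etc/alternatives/jre/lib/security/java.security}
    [ "$(java_property "$f" com.rsa.cryptoj.fips140initialmode)" = "FIPS140_MODE" ]
}

# Succeeds when the most recent ServiceInitializer line in FILE (default: the
# guide's im.log) that mentions FIPS says "Running in FIPS mode". Using the last
# such line keeps an old entry, written before FIPS was disabled, from passing.
# Assumption: the initializer logs its mode at every service start.
im_fips_enabled() {
    f=${1:-/opt/rsa/im/logs/im.log}
    grep 'com.rsa.smc.im.ServiceInitializer' "$f" | grep 'FIPS' | tail -n 1 \
        | grep -q 'Running in FIPS mode'
}

# One line per service; exit status 0 only when both report FIPS enabled.
fips_status_report() {
    rc=0
    if malware_fips_enabled "$1"; then echo "Malware Analysis: FIPS enabled"
    else echo "Malware Analysis: FIPS NOT enabled"; rc=1; fi
    if im_fips_enabled "$2"; then echo "Incident Management: FIPS enabled"
    else echo "Incident Management: FIPS NOT enabled"; rc=1; fi
    return $rc
}

# Usage: sh fips_check.sh --report [java.security] [im.log]
if [ "${1:-}" = "--report" ]; then
    fips_status_report "$2" "$3"
fi
```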

Disable FIPS Using BSAFE for Security Analytics Host and All

Services Using BSAFE Security Library

To disable FIPS using BSAFE for the Security Analytics host:

1. SSH in to the Security Analytics host with root permissions.

2. Navigate to the /etc/puppet/scripts directory and run the following command:

./FIPSEnable.sh false

3. Reboot the host.

RSA recommends that you reboot all hosts that are connected to the Security Analytics host starting with the non-Security Analytics hosts first. For example, if you have a Malware Analysis host and a Security Analytics host, reboot the Malware Analysis host first and then reboot the Security Analytics host.

Enable, Verify, or Disable FIPS Using OpenSSL

This section tells you how to enable, verify, or disable FIPS using OpenSSL for the Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench services.

Enable FIPS Using OpenSSL

To enable FIPS using OpenSSL:

1. Download the openssl-1.0.0-20.el6_2.5.x86_64.rpm to a local directory. You can download the:

• openssl-1.0.0-20.el6_2.5.x86_64.rpm directly from the CentOS repo, or

• SA-10.5.0.1-UpgradePack-EL6.zip, which contains the openssl-1.0.0-20.el6_2.5.x86_64.rpm, from SCOL (https://knowledge.rsasecurity.com).

2. SSH in to the Security Analytics host with root permissions.

3. Copy the openssl-1.0.0-20.el6_2.5.x86_64.rpm on to the host under the root directory before running the script to enable FIPS.


• Upgrade FIPS to Security Analytics v10.5.0.1 (you had FIPS activated in 10.4.x):

a. Run the following command string:

yum install rsa-sa-sshconfig* -y

b. Navigate to the /etc/puppet/scripts directory and run the following command:

./NwFIPSEnable.sh

c. Log on to Security Analytics and go to Administration > Services.

d. Select the service. The services that you need to select are Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench.

e. Click under Actions and select View > Config.

f. In the General tab, select the SSL FIPS Mode checkbox in the System Configuration panel and click Apply.

g. In the Appliance Service Configuration tab, select the SSL FIPS Mode checkbox and click Apply.

h. Reboot the host. The hosts you need to reboot are the Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench services.


• Activate FIPS for the first time in Security Analytics v10.5.0.1:

a. Navigate to the /etc/puppet/scripts directory and run the following command:

./NwFIPSEnable.sh

b. Log on to Security Analytics and go to Administration > Services.

c. Select the service. The services that you need to select are Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench.

d. Click under Actions and select View > Config.

e. In the General tab, select the SSL FIPS Mode checkbox in the System Configuration panel and click Apply.

f. In the Appliance Service Configuration tab, select the SSL FIPS Mode checkbox and click Apply.


Disable FIPS Using OpenSSL

To disable FIPS using OpenSSL:

1. SSH in to the Security Analytics host with root permissions.

2. Navigate to the /etc/puppet/scripts directory and run the following command:

./NwFIPSDisable.sh

3. Log on to Security Analytics and select Administration > Services.

4. Select the service. The services that you need to select are Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench.

5. Click under Actions and select View > Config.

6. In the General tab, deselect the SSL FIPS Mode checkbox in the System Configuration panel and click Apply.


7. In the Appliance Service Configuration tab, deselect the SSL FIPS Mode checkbox and click Apply.

8. Reboot the host. The hosts that you need to reboot are the Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench services.


Verify That FIPS Is Enabled for Services Using OpenSSL Security Library

To verify that FIPS is enabled for services using OpenSSL security library:

1. Log on to Security Analytics and go to Administration > Services.

2. Select the service. The services that you need to select are the Broker, Concentrator, Decoder, Log Decoder, Warehouse Connector, IPDB Extractor, Log Collector (both Local and Remote Collectors), Archiver, and Workbench.

3. Under Actions, select View > Config.

The General tab of the Configuration view is displayed.

4. In the System Configuration panel, make sure that the SSL FIPS Mode parameter is checked.


Back Up and Restore Data for Hosts and Services

Overview

This topic covers the procedures to back up and restore data and configuration files for the core host and services and all the modules of Security Analytics.

Context

The backup and recovery procedures ensure that you can return to the previous working state of Security Analytics in the event of a failed upgrade. They are also used to retain and reuse the saved configuration and database files when upgrading to a new version. In addition, you can choose to back up information as needed.

Note:

In case of All-in-one hosts, Hybrid hosts or hosts with multiple services running, you must back up all the services and then restore them. For example, if the Log Decoder host has the Log Collector and Warehouse Connector services running, you must take a backup of these services and then restore them. For more information, refer to the back up and restore procedures described for each service.


Core Hosts Backup and Recovery

Overview

This topic tells administrators how to back up and restore the configuration and database files for the Security Analytics core hosts Log Decoder, Archiver, Decoder, Concentrator, and Broker.

Context

The host that you want to back up may have a number of services running, so you must take a backup of all the services and restore them. For example, if a Log Decoder has the Log Collector and Warehouse Connector services running, you must back up all these services and then restore them individually.

Prerequisites

Before backing up and restoring the configuration and database files for Core Hosts, make sure there is enough disk space in the directory where the backup will be generated.

Procedures

Back Up Configuration Files

To back up configuration files for Log Decoder, Archiver, Decoder, Concentrator, and Broker:

Note:

If you need to replace the host in case of RMA, you will have to deactivate the host in the Security Analytics GUI/Devices.

1. Stop the services. For more information, see Start or Stop a Host Service.

Note:

RSA recommends that you stop the services running on your host before you take a backup to avoid any loss of data.

2. Create a bz2 file to back up the folder and sub folders under /etc/netwitness/ng:

cd /


tar -C / --exclude=Geo*.dat --atime-preserve --recursion -cvphjf /root/LDLCBkpfrmSlash.tar.bz2 /etc/netwitness/ng

Note:

This excludes Geo*.dat files which are large and included in every Core rpm.
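An added example (not from the guide) that wraps the backup step above in a checked form: it confirms the free-space prerequisite, runs the same tar with the Geo*.dat exclusion, lists the archive back before it is trusted, and records a checksum to compare after the archive is copied to the restore host. The function names, the ROOT/SUBDIR/DESTDIR parameters, and the gzip fallback when bzip2 is absent are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the RSA guide): pre-flight check, backup and
# integrity verification for the core-host configuration backup.
# Usage: backup_core_config ROOT SUBDIR DESTDIR
#   ROOT    filesystem root to archive from (the guide uses /)
#   SUBDIR  path relative to ROOT (the guide uses etc/netwitness/ng)
#   DESTDIR directory that receives the archive (the guide uses /root)
# Prints the archive path on stdout; returns non-zero on any failure.
backup_core_config() {
    root=$1; subdir=$2; destdir=$3
    [ -d "$root/$subdir" ] || { echo "source $root/$subdir missing" >&2; return 1; }
    mkdir -p "$destdir" || return 1

    # The guide creates a .tar.bz2; fall back to gzip when bzip2 is absent (assumption).
    if command -v bzip2 >/dev/null 2>&1; then comp=j; ext=tar.bz2; else comp=z; ext=tar.gz; fi
    archive="$destdir/LDLCBkpfrmSlash.$ext"

    # Prerequisite from the guide: enough disk space where the backup is generated.
    # Compare the uncompressed source size (KB) with free space at the destination (KB);
    # compression only shrinks the archive, so this check is conservative.
    need_kb=$(du -sk "$root/$subdir" | cut -f1)
    free_kb=$(df -Pk "$destdir" | awk 'NR==2 {print $4}')
    if [ "$free_kb" -lt "$need_kb" ]; then
        echo "not enough space in $destdir: need ${need_kb}KB, have ${free_kb}KB" >&2
        return 1
    fi

    # Same exclusion as the guide: Geo*.dat is large and ships in every Core rpm.
    # -p keeps permissions, -h follows symlinks; the guide additionally passes
    # --atime-preserve, which is left out here.
    tar -C "$root" --exclude='Geo*.dat' -cp"$comp"hf "$archive" "$subdir" || return 1

    # Read the archive back end to end before trusting it.
    tar -tf "$archive" >/dev/null || { echo "archive $archive fails to list" >&2; return 1; }
    # Record a checksum so the copy moved with scp can be verified on the restore host.
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$destdir" && sha256sum "$(basename "$archive")" > "$archive.sha256")
    fi
    echo "$archive"
}

# Number of archive entries matching PATTERN; used to confirm what was included
# and what the exclusion actually dropped.
archive_matches() {
    tar -tf "$1" | grep -c "$2" || true
}

if [ "$#" -ge 3 ]; then backup_core_config "$@"; fi
```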

Restore Configuration Files

1. Log on to the host you intend to restore from a saved backup using ssh.

2. Change to the / directory.

cd /

3. Copy the necessary tar file using a utility like SCP to the host in the / folder.

4. Shutdown any running services:

• For FC8, FC9 or CentOS6 use the stop <servicename> command (that is, nwbroker, nwconcentrator, nwdecoder, nwhost)

• For CentOS5 hosts use the monit stop <servicename> command (that is, nwbroker, nwconcentrator, nwdecoder, nwhost)

5. Extract the tar file by using the following command:

tar -C / -xvpjf /root/LDLCBkpfrmSlash.tar.bz2

6. Allow the contents of the tar file to extract into each folder.

7. Start the core services:

• For FC8, FC9 or CentOS6 use the start <servicename> command (that is, nwbroker, nwconcentrator, nwdecoder, nwhost)

• For CentOS5 hosts use the monit start <servicename> command (that is, nwbroker, nwconcentrator, nwdecoder, nwhost)

8. Log on to the Security Analytics User Interface and verify that the settings have been restored to the previous state.

9. Delete the tar files.

rm LDLCBkpfrmSlash.tar.bz2

Note:

If you face issues after restoring the files in the upgraded system, you may have to:

- Restart the hosts.

- Upload new licenses for the hosts in case the old licenses are not restored.

- Manually start the aggregation for the Concentrator, as the Concentrator stops aggregating from Decoder sources after the restore.


ESA Backup and Recovery

Overview

This topic tells administrators how to back up and restore the configuration and database files for ESA.

Context

Administrators can back up and restore configuration and database files for ESA, so if information is lost or deleted, it can be recovered.

Prerequisites

Before backing up and restoring the configuration and database files for ESA, make sure there is enough disk space in the directory where the backup will be generated.

Procedures

Back Up Files

To back up configuration files:

1. Create a single tar.gz of all the subdirectories except the sub-directories logs, db, bin, and lib under /opt/rsa/esa.

cd /

tar -C / --exclude=/opt/rsa/esa/logs --exclude=/opt/rsa/esa/db --exclude=/opt/rsa/esa/bin --exclude=/opt/rsa/esa/lib -cvjf esa.tar.gz /opt/rsa/esa

Restore Files

To restore the configuration files:

1. Log on to the host you intend to restore from a saved backup using ssh.

2. Change to the / directory.

cd /

3. Copy the necessary tar file using a utility like SCP to the host in the / folder.


4. Extract the tar file by using the following command:

tar -xvf esa.tar.gz

5. Delete the tar file.

rm esa.tar.gz

Note:

The wrapper.conf file under /opt/rsa/esa/conf contains the JAVA class path listing. The contents of this file are relevant for a given ESA RPM. If the backup and restore is across versions, the old file must be discarded; otherwise it must be preserved.

ESA alert data is stored in the co-located Mongo instance (database name: esa). For details on backup and restore, refer to mongodump and mongorestore.


Log Collector Backup and Recovery

Overview

This topic tells administrators how to back up and restore the configuration and database files for a Log Collector.

Context

Administrators can back up and restore configuration and database files for a Log Collector, so if information is lost or deleted, it can be restored.

Prerequisites

Before backing up and restoring the configuration and database files for Log Collector, make sure there is enough disk space in the directory where the backup will be generated.

Procedures

Back Up Files

To back up configuration files:

1. Create a tar.bz2 (or tb2) of all the subdirectories under /etc/netwitness/ng

cd /

tar -cvjf etc-ng.tb2 /etc/netwitness/ng

Note:

This includes the service configuration, ODBC configuration, the event source trust store, log collector content, the lockbox, and keys/certificates. This directory also contains the configuration for RabbitMQ.

To back up database files:

1. Create a tar.bz2 (or tb2) of all the subdirectories under /var/netwitness/logcollector

cd /

tar -cvjf var-logcollector.tb2 /var/netwitness/logcollector


Note:

This includes any persisted event data, collection run-time state (log positions, etc.), uploaded and unprocessed event source files, RabbitMQ's mnesia database, and the data files generated by nextgen core.

Restore Archived Files

1. Log on to the host you intend to restore from a saved backup using ssh.

2. Change to the / directory.

cd /

3. Copy the necessary tar file etc-ng.tb2 using a utility like SCP to the host in the / folder.

4. Extract the tar file by using the following command:

tar -xvjf etc-ng.tb2

5. Copy the necessary tar file var-logcollector.tb2 using a utility like SCP to the host in the / folder.

6. Extract the tar file by using the following command:

tar -xvjf var-logcollector.tb2

7. Delete the tar files.

rm etc-ng.tb2

rm var-logcollector.tb2

8. Restart the log collector service using the command.

start nwlogcollector

Note:

Alternatively you can reboot the host.

Note:

Additionally, if the hardware has changed, you have to re-set the SSV (Stable System Values) of the lockbox (through Security Analytics or directly via REST/NWP). You must supply the lockbox password that was used when the lockbox was created to accomplish this.


Malware Analytics Backup and Recovery

Overview

This topic tells administrators how to back up and restore the configuration and database files for Malware Analysis.

Context

Administrators can back up and restore configuration and database files for Malware Analysis, so if information is lost or deleted, it can be restored.

Prerequisites

Before backing up and restoring the configuration and database files for Malware Analysis, make sure there is enough disk space in the directory where the backup will be generated.

Procedures

Back Up Files

For a full backup of configuration files:

1. Stop RSA Malware service with the following command:

stop rsaMalwareDevice

2. Create a tar file of the required files

cd /

tar -cjphvf RSAMalwareFromSlashNew.tar.bz2 /var/lib/netwitness/rsamalware --exclude='root.war' /etc/init/rsaMalwareDevice.conf

3. Start RSA Malware service with the following command

start rsaMalwareDevice

Note:

For a daily or a partial backup you can create a tar file of the files in the subdirectory /var/lib/netwitness/rsamalware/spectrum.


To back up database files:

1. Backup in one of the following ways:

• On a co-located host, it uses H2. If you back up the directory /var/lib/netwitness/rsamalware mentioned above, it backs up the database as well.

• On a standalone MA box, Postgres is used. Back up the database in the directory /var/lib/pgsql/9.1/data on a daily basis.

Restore Files

To restore the configuration and database files:

1. Log on to the host you intend to restore from a saved backup using ssh.

2. Stop the RSA Malware service with the following command:

stop rsaMalwareDevice

3. Change to the / directory.

cd /

4. Copy the necessary tar file RSAMalwareFromSlashNew.tar.bz2 using a utility like SCP to the host in the / folder.

5. Extract the tar file by using the following command:

tar -xjpvf RSAMalwareFromSlashNew.tar.bz2

6. Start RSA Malware service with the following command:

start rsaMalwareDevice


Reporting Engine Backup and Recovery

Overview

This topic tells administrators how to back up and restore the configuration and database files for the Reporting Engine.

Context

Administrators can back up and restore configuration and database files for Reporting Engine, so if information is lost or deleted, it can be restored.

Prerequisites

Before backing up and restoring the configuration and database files for Reporting Engine, make sure there is enough disk space in the directory where the backup will be generated.

Procedures

Back Up Files

For a full backup of configuration and database files:

1. Stop the Reporting Engine using the following command:

stop rsasoc_re

2. Create a tar.gz of the bulk folder stored under /home/rsasoc

cd /

tar --atime-preserve --recursion -cvpPhjf <DirectoryWhereSpaceIsAvailable>/re.tar.gz --exclude='/home/rsasoc/rsa/soc/reporting-engine/temp' /home/rsasoc

To back up only the configuration files:

Note:

This is the same as the full backup, but does not back up the report results and history.

1. Stop Reporting Engine using the following command:

stop rsasoc_re


2. Create a single tar.gz of all the subdirectories except the subdirectories resultstore, livecharts, alerts, statusdb, logs, and temp under /home/rsasoc/rsa/soc/reporting-engine.

cd /

tar --atime-preserve --recursion -cvpPhjf <DirectoryWhereSpaceIsAvailable>/refiles.tar.gz --exclude='/home/rsasoc/rsa/soc/reporting-engine/resultstore' --exclude='/home/rsasoc/rsa/soc/reporting-engine/livecharts' --exclude='/home/rsasoc/rsa/soc/reporting-engine/statusdb' --exclude='/home/rsasoc/rsa/soc/reporting-engine/logs' --exclude='/home/rsasoc/rsa/soc/reporting-engine/temp' --exclude='/home/rsasoc/rsa/soc/reporting-engine/formattedReports' --exclude='/home/rsasoc/rsa/soc/reporting-engine/subreports' /home/rsasoc/rsa/soc/reporting-engine

Restore Files

For a full restore of configuration and database files:

1. Stop the Reporting Engine using the following command:

stop rsasoc_re

2. Re-install the Reporting Engine rpm using the following command:

rpm -i --force [reporting-engine.rpm]

Note:

On reinstalling, some folders will be created under /home/rsasoc.

3. To remove the already created rsasoc directory:

rm -r /home/rsasoc

4. Change to the / directory.

cd /

5. Copy the necessary tar file re.tar.gz using a utility like SCP to the host in the / folder.

6. Extract the tar file using the following command:

tar -xvf re.tar.gz

7. Delete the tar files.

rm re.tar.gz

8. If the restored content does not have permission for rsasoc, use the following command to reinstate the user privilege:

chown -R rsasoc:rsasoc /home/rsasoc

9. Start the Reporting Engine by using the command:

start rsasoc_re

To restore the configuration files:

1. Log on to the host you intend to restore from a saved backup using ssh.

2. Stop the Reporting Engine using the following command:

stop rsasoc_re

3. Change to the / directory.


6. Delete the tar files.

rm refiles.tar.gz


Security Analytics Server Backup and Recovery

Overview

This topic tells administrators how to back up the configuration and database files for Security Analytics server.

Context

Administrators can back up and restore configuration and database files for a Security Analytics server, so if information is lost or deleted, it can be restored.

Prerequisites

Before backing up and restoring the configuration and database files for Security Analytics Server, make sure there is enough disk space in the directory where the backup will be generated.

Procedures

Back Up or Restore On Demand

1. Shut down Security Analytics.

2. Run the following command to grab the H2 Jar:

wget http://repo1.maven.org/maven2/com/h2database/h2/1.3.172/h2-1.3.172.jar

Back Up Files

To back up the database files:

1. Run the following commands:

cd /var/lib/netwitness/uax/db


To back up configuration files:

1. Create a tar.gz file that contains the file nodeSecret and the sub directories conf, lib, logs, plugins, scheduler, and security-policy under /var/lib/netwitness/uax.

cd /

tar -cvjf saserver.tar.gz /var/lib/netwitness/uax/nodeSecret.* /var/lib/netwitness/uax/conf /var/lib/netwitness/uax/lib /var/lib/netwitness/uax/logs /var/lib/netwitness/uax/plugins /var/lib/netwitness/uax/scheduler /var/lib/netwitness/uax/security-policy

Restore Files

To restore the backed up database files:

1. Run the following commands:

cd /var/lib/netwitness/uax/db

java -cp /path/to/h2-1.3.172.jar org.h2.tools.Restore -file %backupName%

Note:

For help with the restore procedure, run the command java -cp /path/to/h2-1.3.172.jar org.h2.tools.Restore -?

To restore the configuration files:

1. Log on to the host you intend to restore from a saved backup using ssh.

2. Change to the / directory.

cd /

3. Copy the necessary tar file saserver.tar.gz using a utility like SCP to the host in the / folder.

4. Extract the tar file by using the following command:

tar -xvf saserver.tar.gz

5. Delete the tar file.

rm saserver.tar.gz


Warehouse Connector Backup and Recovery

Overview

This topic tells administrators how to back up and restore the configuration and database files for a Warehouse Connector.

Context

Administrators can back up and restore configuration and database files for a Warehouse Connector, so that if information is lost or deleted, it can be restored.

Prerequisites

Before backing up and restoring the configuration and database files for the Warehouse Connector, make sure there is enough disk space in the directory where the backup will be generated.

Procedures

Back Up Files

To back up the configuration files:

1. Create a tar.gz of the lockbox folder stored under /etc/netwitness/ng:

cd /

tar -cvPzf wc-lockbox.tar.gz /etc/netwitness/ng/lockbox

2. Create a tar.gz of the files NwWarehouseconnector.cfg, multivalue-bootstrap.xml, and multivalue-users.xml (if present) stored under /etc/netwitness/ng:

tar -cvzf wc-files.tar.gz /etc/netwitness/ng/NwWarehouseconnector.cfg /etc/netwitness/ng/multivalue-bootstrap.xml /etc/netwitness/ng/multivalue-users.xml


Restore Archived Files

1. Log on to the host you intend to restore from a saved backup using ssh.

2. Change to the / directory.

cd /

3. Copy the necessary tar file wc-lockbox.tar.gz using a utility like SCP to the host in the / folder.

4. Extract the tar file by using the following command:

tar -xvPf wc-lockbox.tar.gz

5. Copy the necessary tar file wc-files.tar.gz using a utility like SCP to the host in the / folder.

6. Extract the tar file by using the following command:

tar -xvf wc-files.tar.gz

7. Copy the necessary tar file warehouseconnector.tar.gz using a utility like SCP to the host in the / folder.

8. Extract the tar file by using the following command:

tar -xvPf warehouseconnector.tar.gz

9. Delete the tar files.

rm wc-lockbox.tar.gz

rm wc-files.tar.gz

rm warehouseconnector.tar.gz
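The tar-based backup and restore steps for the Security Analytics server and the Warehouse Connector above rely on two things the commands themselves do not enforce: the prerequisite that the target directory has enough free space, and the assumption that the archive copied back to the host is the one that was created. The following script is an added example and is not part of the RSA guide; it wraps the same tar usage (absolute paths kept with -P, extraction from a base directory without -P) with a free-space check and a SHA-256 manifest so that a restore refuses an archive that was altered in transit or at rest. The function names and the sample paths are assumptions made for this example; on a host the paths would be those in the guide, such as /var/lib/netwitness/uax/conf or /etc/netwitness/ng/lockbox.

```shell
#!/bin/bash
# Added example, not from the RSA guide: tar backup/restore with a free-space
# check and a SHA-256 manifest. Function names are assumptions for this example.
set -u

# sa_backup <archive> <min_free_kb> <path>...
# Writes <archive> (gzip tar) and <archive>.sha256. Returns 2 if the output
# directory has less than <min_free_kb> KB free, 1 if tar fails.
sa_backup() {
    archive=$1; min_free_kb=$2; shift 2
    outdir=$(dirname "$archive")
    # Prerequisite from the guide: enough disk space where the backup is written.
    free_kb=$(df -Pk "$outdir" | awk 'NR==2 {print $4}')
    if [ "$free_kb" -lt "$min_free_kb" ]; then
        echo "insufficient space in $outdir: ${free_kb} KB free, ${min_free_kb} KB required" >&2
        return 2
    fi
    # -P keeps absolute member names, as the guide's lockbox command does.
    tar -cPzf "$archive" "$@" || return 1
    sha256sum "$archive" > "$archive.sha256"
}

# sa_verify <archive>: 0 if the archive still matches its manifest.
sa_verify() {
    sha256sum -c --status "$1.sha256"
}

# sa_restore <archive> <dest>: verify the manifest, then extract under <dest>.
# Without -P, tar strips the leading '/' so members land below <dest>;
# on a real host <dest> is /, as in the guide's restore steps.
sa_restore() {
    archive=$1; dest=$2
    if ! sa_verify "$archive"; then
        echo "checksum mismatch, refusing to restore $archive" >&2
        return 3
    fi
    tar -xzf "$archive" -C "$dest"
}
```

Keep the .sha256 manifest with the archive when you copy it to the target host with SCP; sa_restore checks it before extracting, so a truncated or modified archive is rejected instead of being written over a live configuration.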


Configure DISA STIG Hardening

Overview

These topics tell you how to manage Defense Information System Agency (DISA) Security Technical Implementation Guide (STIG) hardening in Security Analytics for the Red Hat 6 STIG Benchmark, Version 1, Release 2, last updated July 4, 2013, and how to review the OpenSCAP report results.

Note:

Defense Information System Agency (DISA) Security Technical Implementation Guide (STIG) hardening is fully supported in Security Analytics v10.5.0.1. Security Analytics v10.5 only supported DISA STIG hardening if you applied DISA STIG prior to 10.5.


Introduction

Overview

This topic tells you how STIG hardening helps you limit account access and defines STIG compliant passwords.

How STIG Limits Account Access

The STIG hardening rpm helps to lock down information, systems, and software that might otherwise be vulnerable to a malicious computer attack, by limiting account access to a system. For example, the STIG rpm:

• Ensures that the account password has a length, complexity, expiration period, and lockout period that are in accordance with DISA best practices.

• Applies auditing and logging of user actions on the host.

Caution:

After you run the STIG hardening rpm, the host is converted to Coordinated Universal Time (UTC).

STIG Compliant Passwords

To be STIG compliant, your organization must implement policies that ensure strong passwords.

Your organization:

• Must change user passwords at least every 60 days.

• Must not reuse the last 24 passwords when you reset them.

• Must use the SHA-2 family of algorithms or FIPS 140-2 approved algorithms.

• Must employ cryptographic hashes for passwords from the SHA-2 family of algorithms or FIPS 140-2 approved successors. If your organization employs unapproved algorithms, this may result in weak password hashes that are more vulnerable to being compromised.

Each password:

• Must be 14 characters long.

• Must contain at least one of each of the following characters:

  • At least one lower case letter.

  • At least one upper case letter.

  • At least one number.

  • At least one other (non-alphanumeric) character.


• Must not have more than three consecutive characters.

• Must have at least five characters that differ from the previous password.

The following password is an example of a STIG compliant password:

Ye@wap2ustavug


Customers Applying STIG for the First Time in 10.5.0.1

Overview

This topic tells you how to apply the STIG hardening script for the first time in Security Analytics 10.5.0.1.

Read Before You Run the STIG Script

Please read the following caution statement before you run the STIG hardening script.

Caution:

After you run the STIG hardening script, you cannot revert to an unhardened state without performing a build stick on the host. If you want to revert, you must re-image the host and you will lose all of your data. Contact Customer Care to get instructions on how to build stick the host.

Prerequisite

Download and install AIDE, OpenSwan, and Screen:

1. Download the following items from a CentOS mirror site:

• AIDE

• OpenSwan

• Screen

Procedures

Apply the STIG Hardening Script

If you have a new host and want to apply the STIG hardening to it:

1. Log on to the host using a normal user account.

Caution:

STIG blocks super user access to a host through SSH. You must log on using a normal user account. The STIG script (Aqueduct-STIG.sh) creates the nwadmin account when you run it logged on with the root password. The password for this account must be at least fourteen characters long and include numbers, letters, and at least one special character. You should change the passwords, including root, every 90 days to avoid expiration and lockout of these passwords. If you are completely locked out, you will need the root password to access the host in single user mode.

In addition, the script adds the nwadmin account to the /etc/sudoers file.

a. Check for locks on the account:

pam_tally2 --user=<username>

b. Unlock the account, if required:

pam_tally2 --user=<username> --reset

2. Run the superuser command. You have three options:

• Run sudo <command>.

• Run su and provide the root password.

• Run sudo su and provide your user password.

You can add more user accounts to the /etc/sudoers file as needed.

3. Install 10.5.0.1 STIG rpm:

yum install aqueduct-stig -y

4. Go to the /opt/rsa/AqueductSTIG/ directory and run the STIG hardening script:

./Aqueduct-STIG.sh

Caution:

After you run the STIG hardening script you must change all the passwords on the system, including the root password, using the superuser credentials. STIG also applies the SHA512 algorithm to all passwords. This means that when you change all the passwords, they must be STIG compliant and conform to the STIG complex password requirements. See STIG Compliant Passwords for the STIG password requirements.

5. The script prompts you to change the nwadmin password. Enter the new password.

6. Change all the passwords on the system, including the root password, using the superuser credentials:

a. Log on to the host using the root credentials.

b. Change all the passwords on the system.

7. Restart the host.

(Conditional) Post-STIG Application Task - If You Use Malware Analysis, Update SELinux Parameter

If you use Security Analytics Malware Analysis, you must enable Malware Analysis to communicate with other Security Analytics services. To do this, update the SELINUX parameter in the /etc/selinux/config file to the following value.


OpenSCAP Report

Overview

This topic describes the OpenSCAP report and tells you how to generate it.

Context

Security Content Automation Protocol (SCAP) is a set of standards and rules managed by the National Institute of Standards and Technology (NIST). It was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.

The OpenSCAP report evaluates your environment against the SCAP rules. The results are written to HOSTNAME-ssg-results.(XML|HTML), depending on the output format you select.


Procedures

Disable Rules in OpenSCAP Report that Hang the Report

There may be STIG rules that you do not want to include in the OpenSCAP report because they make the report hang. Use the following command to disable a rule in the SCAP report:

sed -i 's/select idref="rule-id" selected="true"/select idref="rule-id" selected="false"/g' /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

where rule-id is the Rule ID of the rule that hangs during a test. For example, the report has a rule with the ID partition_for_audit (shown as Rule ID: partition_for_audit).

If you disable a rule, OpenSCAP does not check against that rule. This means that you need to check for compliance with the partition_for_audit rule manually.
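Because a disabled rule silently drops out of the compliance check, it is worth keeping the original content file and confirming exactly which rule was deselected. The following script is an added example and is not part of the RSA guide: it performs the same sed edit with the rule id as a parameter, saves a copy of the content file first, and verifies the result. The XCCDF fragment is constructed for the demo; on a host the file is /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml. The function names are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not from the RSA guide: deselect one XCCDF rule with sed,
# keeping a backup and verifying the edit. Function names are assumptions.
set -u

# Constructed profile fragment with <select> lines in the shape the sed matches.
make_sample_xccdf() {
    cat > "$1" <<'EOF'
<Profile id="stig-rhel6-server-upstream">
  <select idref="partition_for_audit" selected="true"/>
  <select idref="partition_for_var_log" selected="true"/>
  <select idref="gpgcheck_enabled" selected="true"/>
</Profile>
EOF
}

# disable_xccdf_rule <xccdf-file> <rule-id>: set selected="false" for one rule.
# Returns 1 if the rule is not currently selected, or is still selected afterwards.
disable_xccdf_rule() {
    file=$1; rule=$2
    grep -q "select idref=\"$rule\" selected=\"true\"" "$file" || return 1
    cp -p "$file" "$file.bak"   # keep the original so the change can be audited or reverted
    sed -i "s/select idref=\"$rule\" selected=\"true\"/select idref=\"$rule\" selected=\"false\"/g" "$file"
    ! grep -q "select idref=\"$rule\" selected=\"true\"" "$file"
}

# selected_rules <xccdf-file>: how many rules the profile will still evaluate.
selected_rules() {
    grep -c 'selected="true"' "$1" || true
}
```

Compare selected_rules before and after the edit: the count should drop by exactly one, and the rule you disabled goes on the list of checks to perform by hand, as the procedure above notes for partition_for_audit.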

Install OpenSCAP

For fresh installs, the OpenSCAP report is on the Image.

Sample Report

The following report is a sample section from an OpenSCAP report.


Report Fields

Section: Introduction - Test Result

Result ID: The Extensible Configuration Checklist Description Format (XCCDF) identifier of the report results.

Profile: XCCDF profile under which the report results are categorized.

Start time: When the report started.

End time: When the report ended.

Benchmark: XCCDF benchmark.

Benchmark version: Version number of the benchmark.

Section: Introduction - Score

system: XCCDF scoring method.

score: Score attained after running the report.

max: Highest score attainable.

%: Score attained after running the report, as a percentage.

bar: Not Applicable.


Section: Results overview - Rule Results Summary

pass: Passed rule check.

fixed: Rule check that failed previously is now fixed.

fail: Failed rule check.

error: Could not perform rule check.

not selected: This check was not applicable to your Security Analytics deployment.

not checked: Rule could not be checked. There are several reasons why a rule cannot be checked. For example, the rule check requires a check engine not supported by the OpenSCAP report.

not applicable: Rule check does not apply to your Security Analytics deployment.

informational: Rule checks for informational purposes only (no action required for fail).

unknown: Report was able to check the rule. Run steps manually as described in the report to check the rule.

total: Total number of rules checked.

Section: Exceptions

Title: Name of rule being checked.

Result: Valid values are pass, fixed, fail, error, not selected, not checked, not applicable, informational, or unknown.

Note:

Result values are defined in the Results overview - Rule Results Summary section.
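When the report is generated in XML, the same result values are available as machine-readable data, which makes it practical to count them and to list the failed rules for reconciliation against the exception and false-positive lists later in this guide. The following script is an added example and is not part of the RSA guide; it reads an XCCDF results file in the shape oscap writes (one rule-result element per rule with a result child, plus the benchmark score) and produces the counts the Rule Results Summary shows. The results fragment is constructed for the demo, and the function names are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not from the RSA guide: summarize an XCCDF results file into
# the Rule Results Summary buckets. Sample data and function names are
# constructed/assumed for this example.
set -u

# Constructed TestResult fragment: one rule-result per rule, its <result>
# (on the same line or on its own), and the benchmark score.
make_sample_results() {
    cat > "$1" <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_stig-rhel6-server-upstream">
  <rule-result idref="partition_for_var_log"><result>pass</result></rule-result>
  <rule-result idref="partition_for_audit"><result>notselected</result></rule-result>
  <rule-result idref="gpgcheck_enabled"><result>fail</result></rule-result>
  <rule-result idref="selinux_state">
    <result>fail</result>
  </rule-result>
  <rule-result idref="aide_periodic"><result>notchecked</result></rule-result>
  <rule-result idref="smartcard_login"><result>notapplicable</result></rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100.000000">66.666667</score>
</TestResult>
EOF
}

# result_count <results-file> <value>: number of rules whose result is <value>.
result_count() {
    grep -o "<result>$2</result>" "$1" | wc -l | tr -d ' '
}

# failed_rules <results-file>: idref of every rule with result "fail", one per
# line; the idref is remembered from the enclosing rule-result line.
failed_rules() {
    awk '/<rule-result / { match($0, /idref="[^"]*"/); id = substr($0, RSTART + 7, RLENGTH - 8) }
         /<result>fail<\/result>/ { print id }' "$1"
}

# results_score <results-file>: "score of max", as the report's Score section shows.
results_score() {
    sed -n 's/.*<score[^>]*maximum="\([^"]*\)"[^>]*>\([^<]*\)<\/score>.*/\2 of \1/p' "$1"
}

# results_summary <results-file>: one "value count" line per result value, in report order.
results_summary() {
    for r in pass fixed fail error notselected notchecked notapplicable informational unknown; do
        printf '%s %s\n' "$r" "$(result_count "$1" "$r")"
    done
}
```

Run failed_rules against the XML written by the oscap command in the next section and compare the ids with the exception and false-positive lists: a failed rule that appears on neither list is a genuine finding to act on.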

Generate the OpenSCAP Report

The following tasks show you how to generate the OpenSCAP Report in HTML, XML, or both HTML and XML.

Create Report in HTML Only


3. Submit the following command for report upgrades only:

sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

4. Submit the following command:

oscap xccdf eval --profile "stig-rhel6-server-upstream" --report /tmp/`hostname`-ssg-results.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

5. Open the report in your browser:

/tmp/<hostname>-ssg-results.html (where <hostname> is the name of the host)

Create Report in XML Only

To create an OpenSCAP report in xml only:

1. SSH to the host.

2. Submit the following commands:

mkdir -p /opt/rsa/openscap

3. Submit the following command for report upgrades only:

sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

4. Submit the following command:

oscap xccdf eval --profile "stig-rhel6-server-upstream" --results /tmp/`hostname`-ssg-results.xml --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

Create Report in Both XML and HTML

To create an OpenSCAP report in both xml and html:

1. SSH to the host.

2. Submit the following commands:

mkdir -p /opt/rsa/openscap

3. Submit the following command for report upgrades only:

sed -i -r -e "s/<platform.*//g" /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

4. Submit the following command:

oscap xccdf eval --profile "stig-rhel6-server-upstream" --results /opt/rsa/openscap/`hostname`-ssg-results.xml --report /opt/rsa/openscap/`hostname`-ssg-results.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml


Exceptions to STIG Compliance

Overview

This topic lists:

• Rule exceptions with reasons for their non-compliance and workarounds, if any.

• False positive results.

• Rules to be supported in a future release.

Exceptions

The following list contains the exceptions you can receive when you run the OpenSCAP report. The ID or Common Configuration Enumeration (CCE) number in the table is the identification number for the exception from the OpenSCAP report.

ID: CCE-26215-4 (For IPDB Extractor only)
Check: Ensure /var/log Located On Separate Partition
Reason: This is a manual task for the system administrator.
Workaround: Ensure the /var/log directory has its own partition or logical volume at installation, or migrate it using LVM.

ID: CCE-26328-5 (For IPDB Extractor, Malware Analysis, and SA hosts only)
Check: Require Client SMB Packet Signing, if using smbclient
Reason: This is a manual task for the system administrator.
Workaround: To require Samba clients running smbclient to use packet signing, add the following to the [global] section of the Samba configuration file, /etc/samba/smb.conf:

client signing = mandatory

Reason: This is a manual task for the

ID: CCE-26436-6
Check: Ensure that /var/log/audit directory is located on a separate partition.
Reason: Requires a change to the Security Analytics architecture.
Workaround: None.

ID: CCE-26506-6
Check: Ensure Red Hat GPG Key Installed
Reason: Security Analytics runs under CentOS, so it does not have a Red Hat GPG key.
Workaround: None.

ID: CCE-26557-9 (For IPDB Extractor only)
Check: Ensure /home Located On Separate Partition
Reason: This is a manual task for the system administrator.
Workaround: If you store user home directories locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home is mounted from another system such as an NFS server, you do not need to create a separate partition at installation and you can configure the mount point at a later date.

ID: CCE-26639-5 (For IPDB Extractor only)
Check: Ensure /var Located On Separate Partition
Reason: This is a manual task for the system administrator.
Workaround: Ensure the /var directory has its own partition or logical volume at installation, or migrate it using LVM.

ID: CCE-26647-8
Check: Ensure gpgcheck Enabled For All Yum Package Repositories
Reason: This is a manual task for the system administrator.
Workaround: Set gpgcheck=1.

ID: CCE-26731-0
Check: Verify and Correct File Permissions with RPM
Reason: This is a manual task for the system administrator.
Workaround: Reinstate the permissions set by the vendor.

ID: CCE-26792-2 (For IPDB Extractor, Malware Analysis, and SA hosts only)
Check: Require Client SMB Packet Signing, if using mount.cifs
Reason: This is a manual task for the system administrator.
Workaround: Make sure that either the sec=krb5i or the sec=ntlmv2i signing option is used.

ID: CCE-26801-1
Check: Ensure Logs Sent To Remote Host
Reason: This is a manual task for the system administrator.
Workaround: Forward log messages to a remote log host.

ID: CCE-26812-8
Check: Ensure Log Files Are Owned By Appropriate User
Reason: This is a manual task for the system administrator.
Workaround: The owner of all log files written by rsyslog should be root. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referred to in /etc/rsyslog.conf, run the following command to inspect the file's owner:

$ ls -l LOGFILE

If the owner is not root, run the following command to correct this:

# chown root LOGFILE

ID: CCE-26910-0 (For Log Decoder only)
Check: Ensure No World-Writable Files Exist
Reason: This is a manual task for the system administrator.
Workaround: Remove global (other) write access to a file when it is discovered. However, check the documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of an application or user account that was not configured correctly.

ID: CCE-26966-2
Check: Ensure that System Accounts Do Not Run a Shell Upon Login
Reason: The nwadmin user is the exception.
Workaround: None.

ID: CCE-26969-6
Check: Ensure SELinux State is Enforcing
Reason: Enforcing this rule causes functionality to fail, especially on the Decoder.
Workaround: Set the SELinux state to Permissive, which logs denials instead of enforcing them.

ID: CCE-26974-6
Check: Modify the System Login Banner
Reason: The user is allowed to modify the system banner.
Workaround: None.

ID: CCE-27017-3
Check: Set GUI Warning Banner Text
Reason: Security Analytics does not run an OS-level GUI; the banner is provided upon login via SSH or the console.
Workaround: None.

ID: CCE-27033-0
Check: Disable Core Dumps for All Users
Reason: The setting is enabled for Product Support.
Workaround: To disable core dumps for all users, add the following line to /etc/security/limits.conf:

* hard core 0

ID: CCE-27016-5
Check: Disable Modprobe Loading of USB Storage Driver
Reason: You need USB to boot from the SD cards onboard Security Analytics hosts.


ID: CCE-27145-2
Check: Create Warning Banners for All FTP Users
Reason: Security Analytics does not use FTP.
Workaround: None.

ID: CCE-27153-6
Check: Disable IPv6 Networking Support Automatic Loading
Reason: Disabling IPv6 Networking Support Automatic Loading causes functionality to fail.
Workaround: None.

ID: CCE-27196-5
Check: Add noexec Option to Removable Media Partitions
Reason: You need USB to boot from the SD cards.
Workaround: None.

ID: CCE-27222-9
Check: Configure Periodic Execution of AIDE
Reason: This is a manual task for the system administrator.
Workaround: Configure a CRON job to run AIDE or the IDS you use.

ID: CCE-27239-3
Check: Configure auditd admin_space_left Action on Low Disk Space
Reason: This is a manual task for the system administrator.
Workaround: Provide sufficient disk space.

ID: CCE-27283-1
Check: Set Account Expiration Following Inactivity
Reason: This is a manual task for the system administrator.
Workaround: Add or correct the INACTIVE=NUM_DAYS line in /etc/default/useradd, substituting NUM_DAYS appropriately.

ID: CCE-27289-8 (For Log Decoder only)
Check: Verify that System Executables Have Restrictive Permissions
Reason: Some files deployed by Erlang do not have permissions set according to STIG guidelines.
Workaround: Change permissions to conform to STIG guidelines using the following command:

# chmod go-w FILE

ID: CCE-27365-6
Check: Configure SNMP Service to Use Only SNMPv3 or Newer
Reason: This is a manual task for the system administrator.
Workaround: Configure SNMPv3.

ID: CCE-27381-3
Check: Verify that Shared Library Files Have Restrictive Permissions
Reason: This is a manual task for the system administrator.
Workaround: Fix permissions.

ID: CCE-27409-2
Check: Install Intrusion Detection Software
Reason: This is a manual task for the system administrator.
Workaround: Install intrusion detection software. RSA does not provide this software.


ID: CCE-27440-7
Check: Enable Smart Card Login
Reason: Security Analytics does not support smart cards. This is a manual task for the system administrator.
Workaround: Configure smart card authentication.

ID: CCE-27529-7
Check: Install Virus Scanning Software
Reason: This is a manual task for the system administrator.
Workaround: Install virus scanning software. RSA does not provide this software.

ID: CCE-27596-6
Check: Encrypt Partitions
Reason: Security Analytics does not encrypt partitions because it degrades performance.
Workaround: None.

ID: CCE-27635-2
Check: Ensure Software Patches Installed
Reason: This is a manual task for the system administrator.
Workaround: Apply the quarterly updates provided by RSA.
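Several of the exceptions above are "manual task for the system administrator" items whose workaround is a file-permission or ownership check: world-writable files (CCE-26910-0), rsyslog log files not owned by root (CCE-26812-8), and executables that group or other can modify (CCE-27289-8, the chmod go-w FILE workaround). The following script is an added example and is not part of the RSA guide; it runs those three checks over a directory tree with find, so the findings can be reviewed before anything is changed, and applies the documented fix for world-writable files while printing each path it touches. On a host the arguments would be /var/log or the Erlang installation path; the function names are assumptions made for this example, and the directory tree used in the test is constructed.

```shell
#!/bin/bash
# Added example, not from the RSA guide: file permission and ownership checks
# behind CCE-26910-0, CCE-26812-8 and CCE-27289-8. Function names are assumptions.
set -u

# world_writable_files <dir>: regular files with the "other" write bit set (CCE-26910-0).
world_writable_files() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# logs_not_owned_by_root <dir>: files in a log directory whose owner is not root (CCE-26812-8).
logs_not_owned_by_root() {
    find "$1" -type f ! -user root 2>/dev/null | sort
}

# writable_executables <dir>: owner-executable files that group or other can write (CCE-27289-8).
writable_executables() {
    find "$1" -type f -perm -0100 \( -perm -0020 -o -perm -0002 \) 2>/dev/null | sort
}

# fix_world_writable <dir>: the documented workaround, removing the other-write bit;
# prints each path changed so the action leaves a record for the change log.
fix_world_writable() {
    world_writable_files "$1" | while IFS= read -r f; do
        chmod o-w "$f" && printf 'fixed %s\n' "$f"
    done
}
```

Run the three list functions first and keep their output; the exception text itself advises checking application documentation before changing permissions, and a recurring world-writable file is a sign that some service or account is misconfigured rather than something to fix silently.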

False Positive Results

The following checks for non-compliance with STIG rules produce a false positive result, so ignore their results.

ID: CCE-26242-8 Check: Record attempts to alter time through adjtimex

ID: CCE-26280-8 Check: Record Events that Modify the System's Discretionary Access Controls - chmod

ID: CCE-26303-8 Check: Set Password Hashing Algorithm in /etc/pam.d/system-auth

ID: CCE-26555-3 Check: Use Only Approved Ciphers

ID: CCE-26611-4 Check: Ensure auditd Collects Information on Kernel Module Loading and Unloading

ID: CCE-26648-6 Check: Record Events that Modify the System's Network Environment

ID: CCE-26651-0 Check: Ensure auditd Collects File Deletion Events by User

ID: CCE-26712-0 Check: Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)

ID: CCE-26774-0 Check: Ensure No Device Files are Unlabeled by SELinux

ID: CCE-26785-6 Check: Enable Auditing for Processes Which Start Prior to the Audit Daemon

ID: CCE-26801-1 Check: Ensure Logs Sent To Remote Host

ID: CCE-26840-9 Check: Verify that All World-Writable Directories Have Sticky Bits Set

ID: CCE-26844-1 Check: Set Deny For Failed Password Attempts

ID: CCE-26872-2 Check: Ensure All Files Are Owned by a Group

ID: CCE-27031-4 Check: Set Daemon Umask

ID: CCE-27110-6 Check: Set Lockout Time For Failed Password Attempts

ID: CCE-27123-9 Check: Set Password Retry Prompts Permitted Per-Session

ID: CCE-27170-0 Check: Record Attempts to Alter Time Through clock_settime

ID: CCE-27173-4 Check: Record Events that Modify the System's Discretionary Access Controls - chown

ID: CCE-27174-2 Check: Record Events that Modify the System's Discretionary Access Controls - fchmod

ID: CCE-27175-9 Check: Record Events that Modify the System's Discretionary Access Controls - fchmodat

ID: CCE-27177-5 Check: Record Events that Modify the System's Discretionary Access Controls - fchown

ID: CCE-27178-3 Check: Record Events that Modify the System's Discretionary Access Controls - fchownat

ID: CCE-27179-1 Check: Record Events that Modify the System's Discretionary Access Controls - fremovexattr

ID: CCE-27180-9 Check: Record Events that Modify the System's Discretionary Access Controls - fsetxattr

ID: CCE-27181-7 Check: Record Events that Modify the System's Discretionary Access Controls - lchown

ID: CCE-27182-5 Check: Record Events that Modify the System's Discretionary Access Controls - lremovexattr

ID: CCE-27183-3 Check: Record Events that Modify the System's Discretionary Access Controls - lsetxattr

ID: CCE-27184-1 Check: Record Events that Modify the System's Discretionary Access Controls - removexattr

ID: CCE-27185-8 Check: Record Events that Modify the System's Discretionary Access Controls - setxattr

ID: CCE-27203-9 Check: Record attempts to alter time through settimeofday

ID: CCE-27215-3 Check: Set Interval For Counting Failed Password Attempts

ID: CCE-27291-4 Check: Set Last Logon/Access Notification


Rules to Be Supported in Future Release

The following checks for non-compliance with STIG rules are not supported in Security Analytics and will be added in a future release.

ID: CCE-26282-4 (For Log Decoder and Remote Collector hosts only) Check: Set SSH Client Alive Count

ID: CCE-26444-0 Check: Set Default iptables Policy for Incoming Packets

ID: CCE-26457-2 Check: Ensure auditd Collects Information on the Use of Privileged Commands

ID: CCE-26690-8 (For SA host only) Check: Configure LDAP Client to Use TLS For All Transactions

ID: CCE-26821-9 Check: Ensure Log Files Are Owned By Appropriate Group

ID: CCE-26887-0 (For Log Decoder and Remote Collector hosts only) Check: Disable SSH Access via Empty Passwords

ID: CCE-26919-1 (For Log Decoder and Remote Collector hosts only) Check: Set SSH Idle Timeout Interval

ID: CCE-27093-4 (For IPDB Extractor host only) Check: Enable the NTP Daemon

ID: CCE-27167-6 Check: Ensure Insecure File Locking is Not Allowed

ID: CCE-27186-6 Check: Set Default iptables Policy for Forwarded Packets

ID: CCE-27189-0 (For SA host only) Check: Configure Certificate Directives for LDAP Use of TLS

ID: CCE-27190-8 Check: Ensure System Log Files Have Correct Permissions

ID: CCE-27201-3 (For Log Decoder and Remote Collector hosts only) Check: Do Not Allow SSH Environment Options

ID: CCE-27227-8 Check: Set Password to Maximum of Three Consecutive Repeating Characters

ID: CCE-27379-7 Check: All GIDs referenced in /etc/passwd must be defined in /etc/group

ID: CCE-27474-6 Check: Assign Expiration Date to Temporary Accounts

ID: CCE-27567-7 Check: Disable Ctrl-Alt-Del Reboot Activation

ID: CCE-27593-3 Check: Ensure Default Password Is Not Used

ID: CCE-27609-7 Check: Ensure All Accounts on the System Have Unique Names


Manage Jobs and Notifications

Overview

This topic introduces the procedures associated with Security Analytics job management.

Context

Inevitably, there are tasks in Security Analytics, ad hoc or scheduled, that take a few minutes to complete. The Security Analytics jobs system lets you begin a long-running task and continue using other parts of Security Analytics while the job is running. Not only can you monitor the progress of the task, but you can also receive notifications when the task has completed and whether the result was success or failure.


Manage Jobs

Overview

This topic provides an overview of the Security Analytics jobs system for monitoring jobs.

Context

While you are working in Security Analytics, you can open a quick view of your jobs from the Security Analytics toolbar. You can look anytime, but when a job status has changed, the Jobs icon is flagged with the number of running jobs. Once all jobs are completed, that number disappears.

You can also see the jobs in these two views.

• In the Profile view, you see the same jobs in a full panel. These are only your jobs.

• In the System view, users with administrative privileges can view and manage all jobs for all users in a single jobs panel.

The structure of the jobs panel is the same in all views.

Procedures

Display the Jobs Tray

• In the Security Analytics toolbar, click the Jobs icon. The Jobs Tray is displayed.


The Jobs Tray lists all jobs that you own, recurring and non-recurring, using a subset of the columns available in the Jobs panel. Otherwise the Jobs Tray and the Profile view > Jobs panel are the same. In the Administration System view, the Jobs panel lists information about all Security Analytics jobs for all users.

View Your Jobs in the Profile View > Jobs Panel

To see a larger view of your jobs, click View Your Jobs.

The Profile view > Jobs panel is displayed.


Pause and Resume Scheduled Execution of a Recurring Job

The Pause and Resume options apply only to recurring jobs. You can pause a recurring job that is running; however, pausing has no effect on that execution. The next execution (assuming the job is still paused) is skipped.

1. To stop the next execution of a recurring job, in any Jobs panel, select the job, and click Pause. The next execution of the job is skipped, and the schedule is paused until you click Resume.

2. To restart execution of paused recurring jobs, select the job and click Resume. The next execution of the job occurs as scheduled, and the schedule for the job resumes.

Cancel a Job

To cancel jobs that are executing or in the queue to execute:

1. In the Jobs Tray or either Jobs panel, select one or more jobs.

2. Click Cancel. A confirmation dialog is displayed.

3. Click Yes. The jobs are canceled, and the entries remain in the grid with a status of canceled.

If you cancel a recurring job, only that execution of the job is canceled. The next time the job is scheduled to run, it executes normally.


Delete a Job

Caution:

When you delete a job, the job is instantly deleted from the grid. No confirmation dialog is offered. If you delete a recurring job, all future executions are removed as well.

Users can delete their own jobs before, during, or after execution. Users with the ADMIN role can delete any job. To delete jobs:

1. Select one or more jobs.

2. Click Delete.

3. The jobs are deleted from the grid.

Download a Job

When a job has the Download link in the Download column, you can download the result of the job. If you are working in the Investigation Module and extract the packet data for a session as a PCAP file or extract the payload files (for example, Word documents and images) from a session, a file is created. Clicking Download downloads the resulting file to your local system.


View and Delete Notifications

Overview

This topic describes how you can view notifications.

Context

While you are working in Security Analytics, you can view recent system notifications without leaving the module in which you are working. You can open a quick view of notifications from the Security Analytics toolbar. You can look anytime, but when a new notification is received, the Notifications icon is flagged.

Examples of notifications include:

• A host upgrade completed.

• A parser push to decoders completed.

• A newer software version is available.

You can see all notifications in a grid format in the Profile view.

Procedures

View Notifications

To display the Notifications tray, in the Security Analytics toolbar, click the Notifications icon.
