Symantec™ Security Information Manager 4.6

Administrator's Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 1.0

Legal Notice

Copyright © 2008 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.


Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014


Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s maintenance offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and Web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers automatic software upgrade protection

■ Global support that is available 24 hours a day, 7 days a week

■ Advanced features, including Account Management Services

For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:

www.symantec.com/techsupp/

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL:

www.symantec.com/techsupp/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level

■ Hardware information

■ Available memory, disk space, and NIC information


■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/techsupp/

Customer service

Customer service information is available at the following URL:

www.symantec.com/techsupp/

Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and maintenance contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions


Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

Asia-Pacific and Japan: [email protected]

Europe, Middle-East, and Africa: [email protected]

North America and Latin America: [email protected]

Additional enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:

Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.

Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources.

Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL:

www.symantec.com


Contents

Technical Support ... 4

Section 1 Product overview ... 15

Chapter 1 Introducing Symantec Security Information Manager ... 17

About Symantec Security Information Manager ... 17

What's new in Information Manager 4.6 ... 18

How Symantec Security Information Manager works ... 20

About events, conclusions, and incidents ... 21

Example: Information Manager automates incident management during a Blaster worm attack ... 21

Incident identification ... 22

Threat containment, eradication, and recovery ... 22

Follow-up ... 22

Where to find more information about Information Manager ... 23

Section 2 Managing roles, permissions, users, and organizational units ... 25

Chapter 2 Managing roles and permissions ... 27

Creating and managing roles ... 27

About the administrator roles ... 27

How to plan for role creation ... 28

Creating a role ... 29

Editing role properties ... 32

Deleting a role ... 43

Working with permissions ... 43

About permissions ... 44

Modifying permissions from the Permissions dialog box ... 45


Chapter 3 Managing users and user groups ... 49

About managing users and passwords ... 49

Customizable password policy ... 51

Creating a new user ... 52

Creating a user group ... 53

Editing user properties ... 55

Changing a user’s password ... 55

Specifying user business and contact information ... 55

Managing role assignments and properties ... 56

Managing user group assignments ... 57

Specifying notification information ... 59

Modifying user permissions ... 61

Modifying a user group ... 61

Deleting a user or a user group ... 62

Chapter 4 Managing organizational units and computers ... 63

About organizational units ... 63

Managing organizational units ... 63

Creating a new organizational unit ... 64

Editing organizational unit properties ... 66

About modifying organizational unit permissions ... 66

Deleting an organizational unit ... 67

Managing computers within organizational units ... 67

Creating computers within organizational units ... 68

Editing computer properties ... 69

Distributing configurations to computers in an organizational unit ... 79

Moving a computer to a different organizational unit ... 80

Modifying computer permissions ... 80

Deleting a computer from an organizational unit ... 81

Section 3 Information Manager as a Service Provider ... 83

Chapter 5 Configuring a Service Provider environment ... 85

Service Provider overview ... 85

Understanding a service provider environment from a client perspective ... 87

Understanding a service provider environment from a service provider perspective ... 88


Responding to a client incident ... 89

Understanding Information Manager tickets in a Service Provider Master context ... 89

Exporting incident information from the Client Incident viewer ... 91

Setting up a Service Provider environment ... 91

Configuring an instance of Information Manager as a Service Provider client ... 91

Configuring an Information Manager appliance as a Service Provider Master ... 92

Configuring service provider Client management accounts ... 92

Synchronizing the Service Provider Master with client incidents ... 93

Disconnecting a client from a Service Provider Master ... 94

Section 4 Managing your correlation environment ... 95

Chapter 6 Configuring the Correlation Manager ... 97

About the Correlation Manager ... 97

About the Correlation Manager Knowledge Base ... 98

About the default rules set ... 98

Working with the Lookup Tables window ... 101

Creating a user-defined Lookup Table ... 106

Importing Lookup Tables and records ... 107

Enabling and disabling rules ... 107

Creating a custom rule ... 108

Chapter 7 Defining a rules strategy ... 111

About defining a rules strategy ... 111

About creating the right rule set for your business ... 111

Chapter 8 Understanding rules components ... 115

Understanding Correlation Rules ... 115

About Rule conditions ... 116

About Rule Types ... 116

Event Criteria ... 120

About the Event Count, Span, and Table Size rule settings ... 122

About the Tracking Key and Conclusion Creation fields ... 122


Importing existing rules ... 125

Chapter 9 Understanding event normalization ... 127

About event normalization ... 127

About normalization (.norm) files ... 128

Chapter 10 Effects, Mechanisms, and Resources ... 131

About Effects, Mechanisms, and Resources (EMR) ... 131

About Effects values ... 132

About Mechanisms values ... 133

About Resources values ... 136

EMR examples ... 139

Chapter 11 Working with the Assets table ... 141

About the Assets table ... 141

How event correlation uses Assets table entries ... 142

About CIA values in the Assets table ... 143

Importing assets into the Assets table ... 144

Searching, filtering, and sorting assets ... 144

Visual identification of the IP addresses that are also on the IP Watchlist ... 146

About vulnerability information in the Assets table ... 146

About using a vulnerability scanner to populate Assets table ... 146

About locked and unlocked assets in the Assets table ... 148

Using the Assets table to help reduce false positives ... 148

About filtering events based on the operating system ... 149

About using CIA values to identify critical events ... 149

About using Severity to identify events related to critical assets ... 149

About using the Services tab ... 150

About associating policies with assets to reduce false positives or escalate events to incidents ... 150

Chapter 12 Collector-based event filtering and aggregation ... 153

About collector-based event filtering and aggregation ... 153

About identifying common events for collector-based filtering or aggregation ... 155

About preparing to create collector-based rules ... 156

Accessing event data in the Information Manager console ... 158

Creating collector-based filtering and aggregation specifications ... 158

Examples of collector-based filtering and aggregation rules ... 160


Filtering events generated by specific internal networks ... 161

Filtering common firewall events ... 162

Filtering common Symantec AntiVirus events ... 165

Filtering or aggregating vulnerability assessment events ... 166

Filtering Windows Event Log events ... 167

Section 5 Configuration options ... 171

Chapter 13 Configuring the appliance after installation ... 173

About the Information Manager Web configuration interface ... 173

Accessing the Security Information Manager Web configuration interface ... 174

Changing network settings ... 174

Specifying date and time settings ... 176

Specifying a network time protocol server ... 176

Changing the password for Linux accounts ... 176

Shutting down and restarting the appliance ... 177

Chapter 14 Configuring Symantec Security Information Manager ... 179

About configuring Symantec Security Information Manager ... 179

Preventing new Symantec Event Agent connections ... 180

Adding a policy ... 181

Specifying networks ... 181

Identifying critical systems ... 181

Chapter 15 Forwarding events to an Information Manager appliance ... 183

About forwarding events to an Information Manager appliance ... 183

About registering with a security directory ... 185

Registering security products ... 186

Registering with a security domain ... 187

Forwarding events ... 187

Chapter 16 Managing Global Intelligence Network content ... 191

About managing Global Intelligence Network content ... 191

Registering a Global Intelligence Network license ... 192

Viewing Global Intelligence Network content status ... 192


Chapter 17 Running LiveUpdate ... 197

About running LiveUpdate ... 197

Running LiveUpdate from the Information Manager Web configuration interface ... 197

Chapter 18 Working with Symantec Security Information Manager Configurations ... 199

Introducing the Symantec Security Information Manager configurations ... 199

Manager configurations ... 200

Increasing the minimum free disk space requirement in high logging volume situations ... 201

Manager Components Configurations ... 202

Modifying administrative settings ... 203

Manager connection configurations ... 204

Configuring Information Manager Directories ... 205

Agent Connection Configurations ... 208

Configuring Agent to Manager failover ... 208

Agent configurations ... 210

Managing the Manager ... 212

Setting up blacklisting for logon failures ... 212

Section 6 Managing appliance data ... 213

Chapter 19 Managing the directory service ... 215

About LDAP backup and restore ... 215

Backing up the security directory ... 215

Restoring the security directory ... 216

Chapter 20 Maintaining the Symantec Security Information Manager database ... 219

About data maintenance ... 219

Checking database status ... 220

About the health monitor service ... 221

Backing up and restoring the database ... 221

Enabling and scheduling automated backups ... 222

Initiating a backup ... 223

Restoring the database from a backup image ... 223

Specifying a third-party backup solution ... 223

About purging event summary and incident data ... 224


Adjusting parameters for daily automated purges ... 225

Adjusting the thresholds for size-based purges ... 226

Initiating a purge ... 227

Reviewing maintenance history ... 228

Section 7 Appendices ... 229

Appendix A Ports used by Information Manager ... 231

Ports used by Information Manager ... 231

Appendix B Managing security certificates ... 235

About managing security certificates ... 235

Managing security certificate information for the appliance ... 236

Section 1 Product overview

■ Introducing Symantec Security Information Manager

Chapter 1 Introducing Symantec Security Information Manager

This chapter includes the following topics:

■ About Symantec Security Information Manager

■ How Symantec Security Information Manager works

■ About events, conclusions, and incidents

■ Example: Information Manager automates incident management during a Blaster worm attack

■ Where to find more information about Information Manager

About Symantec Security Information Manager

Symantec™ Security Information Manager provides real-time event correlation and data archiving to protect against security threats and to preserve critical security data.

Information Manager collects, analyzes, and archives information from security devices, critical applications, and services, such as the following:

■ Firewalls

■ Routers, switches, and VPNs

■ Enterprise Antivirus

■ Intrusion detection and intrusion prevention


■ Vulnerability scanners

■ Authentication servers

■ Windows and UNIX system logs

Information Manager provides the following features to help you recognize and respond to threats in your enterprise:

■ Normalization and correlation of events from multiple vendors.

■ Event archives to retain events in both their original (raw) and normalized formats.

■ Distributed event filtering and aggregation to ensure that only relevant security events are correlated.

■ Real-time security intelligence updates from Symantec™ Global Intelligence Network to keep you apprised of global threats and to let you correlate internal security activity with external threats.

■ Customizable event correlation rules to let you fine-tune threat recognition and incident creation for your environment.

■ Security incident creation, ticketing, tracking, and remediation for quick response to security threats. Information Manager prioritizes incidents based upon the security policies associated with the affected assets.

■ A powerful event viewer that lets you easily mine large amounts of event data and identify the machines and users that are associated with each event.

■ A console from which you can view all security incidents and drill down to the related event details, including affected targets, associated vulnerabilities, and recommended corrective actions.

■ Pre-defined and customizable queries to help you demonstrate compliance with the security and data retention policies in your enterprise.

What's new in Information Manager 4.6

Table 1-1 describes the new features and enhancements that are included with this release.

Table 1-1 New features for Information Manager 4.6

Service Provider: You can use Information Manager to provide remotely managed security services for multiple clients.

Installation enhancements: Installation enhancements include the following:

■ Information Manager can now be installed on any approved hardware that meets the supported system requirements.

■ Both new and 4.5.2 upgrade installations are supported.

Customizable password policy: Password settings can be customized to meet or exceed the requirements of your password policy, to simplify alignment of privileged access policies with audit requirements.

Web configuration interface enhancements: Web configuration has been enhanced with new options including a validation tool for verifying the integrity of event archives, the ability to conveniently download the event collector agent, and to upload system updates to the Information Manager appliance.

Information Manager console system configuration enhancements: System configuration options in the Information Manager console include the following:

■ Event storage rules, support for multiple archives, and ordered lists of archives.

■ Event forwarding rules with failover targets.

■ Incident forwarding rules, that allow incidents to be forwarded to one or more Information Manager appliances.

■ Service Provider master. You can configure Information Manager to be a Service Provider master that monitors forwarded incidents from other instances of Information Manager.

Event tile enhancements: Event tile enhancements in the Information Manager console include the following:

■ Raw event data viewing.

■ New activity templates: Network Activity, Raw Event, and All Events with customizable columns.

■ Cross-archive query support with Role Based Access Control (RBAC).

■ Event data is loaded dynamically.

■ New options for relative filtering criteria.

■ Regular expression (RegEx) searches of table view data.

■ Unique value filtering.

■ Parameterized queries.

Reporting tile enhancements: Reports can now be printed in landscape mode. You can customize the columns that are report-specific, and there are page and table query row limit controls.

Asset management enhancements: Enhancements to asset management include the following:

■ The option to organize assets into groups.

■ Additional options for bulk edit of multiple assets.

■ Improved search and filtering options.

■ A new Last Updated column.

■ Visual identification of the IP addresses that are on an IP watchlist.

Incident and workflow enhancements: Enhancements to incident management and workflow include the following:

■ Attack diagrams, that provide a graphic display of the progress of an attack to facilitate quicker analysis and remediation.

■ New incident state options.

■ A globally visible incident status indicator that is updated as incidents are created.

■ Remediation notes that can be applied to all of the incidents that are created by the same rule.

■ Inclusion of Global Intelligence Network IP Watchlist data in the Incidents view.

■ Support for importing lookup tables on the Rules tile.

Intelligence tile enhancements: If you have installed a Symantec Global Intelligence Network Threat Management System license, Information Manager includes Symantec Global Intelligence Network data on the Honeynet tab of the Intelligence tile.

How Symantec Security Information Manager works

Event collectors gather events from Symantec and third-party point products, such as firewalls, Intrusion Detection Services (IDS), and antivirus scanners. The events are filtered and aggregated, and the Information Manager agent forwards both the raw and the processed events to the Information Manager appliance. The agent is a Java® application that provides secure communications between the event collectors and the Information Manager appliance.


The Information Manager appliance stores the event data in event archives and correlates the events with threat and asset information. If a security event triggers a correlation rule, Information Manager creates a security incident.

The Information Manager appliance also contains the following components:

■ A downloadable installation program for the Information Manager console.

■ A relational database to store incidents, conclusions, assets, and rules.

■ Event archives to store raw and normalized event data.

■ An LDAP directory to store Information Manager deployment and configuration settings.

About events, conclusions, and incidents

Security products and operating systems generate many kinds of events. Some events are informational, such as a user logging on, and others may indicate a security threat, such as antivirus software being disabled.

A conclusion occurs when one or more events match a correlation rule pattern. Information Manager normalizes events from multiple security products and looks for the patterns that indicate potential threats.

An incident is the result of one or more conclusions that are identified as a type of an attack. There can be many conclusions that are mapped to a single incident. For example, if a single attacker causes a number of different patterns to be matched, those are grouped into a single incident. Similarly, if a vulnerability scan uncovers a computer that suffers from a number of different vulnerabilities, these are all grouped into a single incident. Or, if a number of different computers report the same virus, Information Manager creates a single outbreak incident.

Example: Information Manager automates incident management during a Blaster worm attack

Symantec Security Information Manager tracks the entire incident response cycle through the following phases:

■ Incident identification

■ Threat containment, eradication, and recovery

■ Follow-up


Incident identification

The Blaster worm attack begins with a series of sweeps to ports 135, 445, and 4444. Using the default rules, Information Manager detects each of these sweeps as suspicious, and creates a conclusion for each. At the same time, events from intrusion detection software such as Symantec IDS lead to other conclusions that are related to the source IP address. Information Manager may also create further conclusions if the source IP address for the attack is on the IP watch list. This list is updated automatically to provide up-to-date protection from the computers that are known to be used in attacks. Based upon all of these conclusions that are related to the same IP address, Information Manager generates a security incident. A security analyst would find out about the new incident by email alert, or while monitoring the Incidents tab in the Information Manager console. The incident contains all the information that the analyst needs to determine the source and target of the attack.
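The event, conclusion and incident model described in "About events, conclusions, and incidents", and the Blaster sweep walk-through above, are modelled in this added Python example (an illustration written for this page, not Symantec's correlation engine). The rule names, the sweep threshold, the event field names, the watchlisted address and the sample events are all constructed for the example.

```python
"""Toy event -> conclusion -> incident pipeline (added illustration, not
Symantec code). Rule thresholds, field names, the watchlist entry and the
sample events are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass, field

# Ports the guide names for the Blaster sweep.
BLASTER_PORTS = {135, 445, 4444}
# Assumed: distinct targets one source must hit on a port before we conclude a sweep.
SWEEP_THRESHOLD = 3
# Constructed watchlist entry (documentation address, not a real indicator).
IP_WATCHLIST = {"198.51.100.7"}


@dataclass(frozen=True)
class Event:
    product: str   # collector that produced the event, e.g. "firewall" or "ids"
    src_ip: str
    dst_ip: str
    dst_port: int
    kind: str      # normalized event type, e.g. "connection" or "alert"


@dataclass
class Conclusion:
    rule: str
    tracking_key: str               # source IP; conclusions are grouped on it
    events: list = field(default_factory=list)


@dataclass
class Incident:
    tracking_key: str
    conclusions: list


def correlate(events):
    """Apply three simple rules and return the conclusions they produce."""
    conclusions = []

    # Rule 1: port sweep. One source reaches >= SWEEP_THRESHOLD distinct
    # hosts on a Blaster port; each port produces its own conclusion.
    targets = defaultdict(set)      # (src_ip, port) -> distinct destination hosts
    sweep_events = defaultdict(list)
    for e in events:
        if e.kind == "connection" and e.dst_port in BLASTER_PORTS:
            targets[(e.src_ip, e.dst_port)].add(e.dst_ip)
            sweep_events[(e.src_ip, e.dst_port)].append(e)
    for (src, port), hosts in targets.items():
        if len(hosts) >= SWEEP_THRESHOLD:
            conclusions.append(
                Conclusion(f"port sweep on {port}", src, sweep_events[(src, port)]))

    # Rule 2: an IDS alert is a conclusion on its own, keyed to its source.
    for e in events:
        if e.product == "ids" and e.kind == "alert":
            conclusions.append(Conclusion("ids alert", e.src_ip, [e]))

    # Rule 3: any activity from a source on the IP watchlist.
    watched = defaultdict(list)
    for e in events:
        if e.src_ip in IP_WATCHLIST:
            watched[e.src_ip].append(e)
    for src, evs in watched.items():
        conclusions.append(Conclusion("source on IP watchlist", src, evs))

    return conclusions


def build_incidents(conclusions):
    """Group every conclusion that shares a tracking key into one incident."""
    grouped = defaultdict(list)
    for c in conclusions:
        grouped[c.tracking_key].append(c)
    return [Incident(key, cs) for key, cs in grouped.items()]


def sample_events():
    """Constructed events: one source sweeps three hosts on each Blaster
    port and trips the IDS; a second host makes a single benign connection."""
    attacker = "198.51.100.7"
    evs = []
    for port in sorted(BLASTER_PORTS):
        for host in range(10, 13):
            evs.append(Event("firewall", attacker, f"10.0.0.{host}", port, "connection"))
    evs.append(Event("ids", attacker, "10.0.0.11", 135, "alert"))
    evs.append(Event("firewall", "10.0.0.50", "10.0.0.11", 445, "connection"))
    return evs


if __name__ == "__main__":
    for inc in build_incidents(correlate(sample_events())):
        print(inc.tracking_key, sorted(c.rule for c in inc.conclusions))
```

The single benign connection never reaches the sweep threshold and its source is not watchlisted, so it yields no conclusion and no incident; all five conclusions about the sweeping host collapse into one incident, which is the grouping behaviour the guide describes.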

Threat containment, eradication, and recovery

When Information Manager alerts the security analyst about the incident, the analyst can use Information Manager to better understand the scope of the problem and to investigate eradication options. Information Manager facilitates the containment phase by providing the event data with the incident declaration. Rather than searching through countless log files, the analyst knows which events triggered the security incident, and which systems are affected. The incident also includes recommended corrective action from Symantec Global Intelligence Network Threat Management System. This information enables the security analyst to quickly identify the corrective actions.

The analyst can now create a ticket that describes the tasks necessary to eradicate the threat. The ticket includes the incident information, the event details, and the recommended corrective actions. Ticket information can be made accessible to an external help desk by the Information Manager Web Service.

Follow-up

After the threat has passed, the analyst can further analyze the impact of the incident. The analyst can fine-tune the correlation rules, event filters, and firewall rules to prevent the threat from occurring again. The analysts can also mine the event archive data if necessary and create the reports that document the scope of the incident and the security team's efforts to resolve it.


Where to find more information about Information Manager

For more information about Information Manager, visit the knowledge base that is available on the Symantec Technical Support Web site at:

http://www.symantec.com/business/support/overview.jsp?pid=52517

In the Security Management section of the Downloads page, you can obtain updated versions of the documentation, including the following:

Symantec Security Information Manager Administrator's Guide

Symantec Security Information Manager User's Guide

Section 2 Managing roles, permissions, users, and organizational units

■ Managing roles and permissions

■ Managing users and user groups

■ Managing organizational units and computers

Chapter 2 Managing roles and permissions

This chapter includes the following topics:

■ Creating and managing roles

■ Working with permissions

Creating and managing roles

A role is a group of access rights for a product in a domain. Users who are members of a role have access to the event viewing and management capabilities that are defined for that role. A user can be a member of more than one role.

You create new roles in the Symantec Security Information Manager console. When you click Roles on the System page of the console, you can perform the following tasks:

■ Creating a role

■ Editing role properties

■ Deleting a role

Note: Only members of the SES Administrator role and the Domain Administrator role can add or modify roles.

See “About the administrator roles” on page 27.

About the administrator roles

When you install Information Manager, the following default roles are created:

SES Administrator: This role has full authority over all of the domains in the environment.

Domain Administrator: This role has full authority over one specific domain in the environment.

If you have only one domain, the rights of the SES Administrator role and the Domain Administrator role are the same. For example, if you have multiple domains, one for each geographic region of your company, each domain has a Domain Administrator. Members of this role can perform functions such as creating users and additional roles within that domain. The SES Administrator role can perform these functions for all of the domains that you configure.

The default user, administrator, is also created when Information Manager is installed. The administrator is automatically a member of the SES Administrator and Domain Administrator roles. To access Information Manager for the first time, you must log on as this default user.

You can add users to the administrator roles, but you cannot change any other characteristics of these roles. If a user is a member of the SES Administrator role, that user does not need to be assigned to any other roles.

How to plan for role creation

Because roles control user access, before you create roles you should plan carefully. You need to identify the tasks that are done in your security environment, and who performs them. The tasks determine the kinds of roles that you must create. The users who perform these tasks determine which users should be members of each role.

Ask yourself the following questions:

■ Who allocates responsibilities within your security environment? If these users need to create roles, they must be members of the Domain Administrator role.

■ Who administers your security network by creating management objects such as users and organizational units?

These users must be members of the roles that provide management access and the ability to access the System view.

■ What products are installed, and who is responsible for configuring them? These users must be members of management roles for the products for which they are responsible. They may need access to the System page only.

■ Who is responsible for monitoring events and incidents?

These users must be members of event viewing roles for the products for which they are responsible. Users who monitor events must have access to the Events page. Users who monitor incidents must have access to the Events page and the Incidents page.

■ Who responds to problems and threats?

These users must have access to the Events page and the Incidents page. Users who create and manage help desk tickets must also have access to the Tickets page.

Table 2-1 lists the common roles in a security environment and the responsibilities that belong to each role.

Table 2-1 Typical roles and responsibilities

Role name | Responsibilities
Domain Administrator | Defines the user roles and role authority.
System Administrator | Manages Information Manager. Verifies that events flow into the system and that the system functions normally.
User Administrator | Creates the correlation rules and collection filters. Performs the user and the device administration.
Incident Manager | Views all incidents, events, reports, and actions.
Report Writer | Views the incidents, events, and reports for assigned devices. Reviews and validates incident response. Provides the attestation of incident review and response by administrators to GAO and others.
Report User | Views the events and reports for assigned devices.
Rule Editor | Creates, edits, and deploys rules.

For information about the access requirements of each role, see Table 2-2.

Creating a role

You create all roles using the Role Wizard in the Information Manager console. Only a user who is a member of the Domain Administrator role or the SES Administrator role can create roles.

See “How to plan for role creation” on page 28.

Note: If you create a role with permissions to all existing event archives, and you then later add additional archives, the new archives are not available to the pre-existing role. You must edit the role to see the new archives.

To create a role

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and then click Roles.

3 On the toolbar, click + (the plus icon).

4 In the first panel of the Role Wizard, click Next.

5 In the General panel, do the following, and then click Next:

■ In the Role name text box, type a name for the role.

■ In the Description text box, type a description of the role (optional).

6 In the Products panel, do one of the following actions:

■ To give the role members access to all of the listed products, click Role members will have access to all products, and then click Next.

■ To limit the role members' access to certain products, click Role members will have access to only the selected products. From the Products list, enable (check) at least one product, and then click Next. Symantec Security Information Manager is listed as one of the products, and is required in this panel.

Consider the tasks that role members perform as you select products from the list.

7 In the SIM Permissions panel, do one of the following actions:

■ To give role members all permissions that apply to Information Manager, click Enable all Permissions, and then click Next.

■ To give role members a limited set of permissions, click Enable specific Permissions. From the permissions list, enable at least one permission, and then click Next.

8 In the Console Access Rights panel, do one of the following actions:

■ To give role members the ability to see all parts of the Information Manager console, click Role members will have all console access rights, and then click Next.

■ To limit what role members can see when they display the console, click Role members will have only the selected console access rights. From the list, enable at least one console access right, and then click Next. See “Modifying console access rights” on page 34.

9 In the Organizational Units panel, do one of the following actions:

■ To give role members access to all organizational units, click Role members will have access to all organizational units, and then click Next.

■ To give role members access to specific organizational units, click Role members will have access to only the selected organizational units. In the organizational units tree, select at least one organizational unit to associate with this role, and then click Next.

When you select an organizational unit that has additional organizational units below it, users of the role are given access to those organizational units as well.

If you add an organizational unit to a role, users who are role members and who have event viewing access can see events generated by the security products that are installed on the computers that belong to that organizational unit. Role members can see events only from computers in the organizational units that have been added to their roles.

10 In the Appliances panel, do one of the following actions:

■ To give role members access to all of the Information Manager appliances in your security environment, click Role members will have access to all appliances, and then click Next.

■ To limit role members' access to certain appliances, click Role members will have access to only the selected appliances. In the appliances tree, select at least one appliance to associate with this role, and then click Next.

Members of the role can modify configurations on the selected appliances. The role members can also view event archives that reside on the selected appliances.

11 In the Members panel, do one of the following actions:

■ To add individual users to the role now, click Add Members. In the Find Users dialog box, add one or more users, and then click OK. In the Members panel, click Next.

■ To add the users who are members of a specific User Group, click Add Members From Groups. In the Find User Groups dialog box, add one or more user groups, and then click OK. The users that are associated with the groups you selected are added to the Members list. When you are finished, click Next.

■ To continue without adding users to the role, click Next.

You can add users to the role later by editing the role’s properties. See “Making a user a member of a role” on page 33.

You can assign users to a role only if you have already created those users. See “Creating a new user” on page 52.

12 In the Role Summary panel, review the information that you have specified, and then click Finish.

The role properties that are created are shown in the list at the bottom of the panel. A green check mark next to a task indicates that it was successfully accomplished.

13 Click Close.

Editing role properties

After you create a role, you can modify it by editing its properties. For example, as you create new organizational units or users, you can add them to existing roles.

You can edit the properties of a role by selecting the role in the right pane or from any dialog box that lets you display the role’s properties.

To edit role properties

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.

2 In the right pane, right-click the role that you want to edit, and select Properties.

3 Use the Editing Role Properties dialog box to make changes to the role.

4 To save changes and close the dialog box, click OK.

For information about editing specific role properties, see any of the following sections:

■ Making a user a member of a role

■ Modifying console access rights

■ Modifying product access

■ Modifying SIM permissions

■ Modifying access permissions in roles

Making a user a member of a role

When a user logs on to Information Manager, the user’s role membership determines his or her access to the various products and event data. You can assign a user to a role in the following ways:

■ Assign each user individually to one or more roles.

■ Assign users to groups, and then assign user groups to roles.

When you assign a user group to a role, all of the users who are currently in the group are assigned to that role. However, if you later add more users to the user group, those users are not automatically added to the role. You must assign each user to the role individually.

Note: Before you assign users and user groups to roles, you must create users and user groups in the Directory.

See “Creating a new user” on page 52.

To make a user a member of a role

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.

2 In the right pane, right-click the role that you want to edit, and then select Properties.

3 In the Editing Role Properties dialog box, in the left pane click Members.

4 Click Add Members.

5 In the Find Users dialog box, in the list of available users, click a user name (or Ctrl + click multiple user names), and then click Add.

The user name appears in the Selected users list.

You can also search for a particular user by entering the logon name, last name, or first name on the left side of the dialog box. Then click Start Search. All of the users who meet the criteria you entered will appear in the available users list.

6 To view or edit the properties of a user, click the user name, and then click Properties.

7 In the User Properties dialog box, view or make changes to the properties, and then click OK.

8 In the Find Users dialog box, click OK.

9 In the Editing Role Properties dialog box, click OK.

To make a user group a member of a role

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.

2 In the right pane, right-click the role that you want to edit, and then select Properties.

3 In the Editing Role Properties dialog box, in the left pane click Members.

4 Click Add Members From Groups.

5 In the Find User Groups dialog box, select the domain of the group from the dropdown list.

6 In the list of available user groups, click a user group name (or Ctrl + click multiple user group names), and then click Add.

The user group name appears in the Selected user groups list.

7 To view or edit the properties of a user group, click the user group name, and then click Properties.

8 In the User Group Properties dialog box, view or make changes to the properties, and then click OK.

9 In the Find User Groups dialog box, click OK.

10 In the Editing Role Properties dialog box, click OK.

Modifying console access rights

Console access rights control what users who are members of a role can see when they log on to the Information Manager console.

You can modify the console access rights you assigned when you created a role. Console access rights make the various features of the console visible to role members when they log on.

To modify console access rights

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.

2 In the right pane, right-click the role that you want to edit, and select Properties.

3 In the left pane click Console Access Rights.

4 Do one of the following actions:

■ To give members of the role the ability to see all components of the Information Manager console, click Role members will have all console access rights.

■ To limit what members of the role can see when they display the Information Manager console, click Role members will have only the selected console access rights. From the list that appears, enable or disable console access rights as desired.

The following table describes the tiles (that is, pages in the Information Manager console) that are available.

Console access right | Description
Show Assets Tile | Lets members view the Assets page in the console.
Show Dashboard Tile | Lets members view the Dashboard page in the console.
Show Events Tile | Lets members view the Events page in the console.
Show Incidents Tile | Lets members view the Incidents page in the console.
Show Intelligence Tile | Lets members view the Intelligence page in the console.
Show Reports Tile | Lets members view the Reports page in the console.
Show Rules Tile | Lets members view the Rules page in the console.
Show Statistics Tile | Lets members view the Statistics page in the console.
Show System Tile | Lets members view the System page in the console.
Show Tickets Tile | Lets members view the Tickets page in the console.

Table 2-2 lists the console access rights that are needed by users who perform specific functions.

5 Click OK.

Modifying product access

The Products property lets you select the products to which role members have access.

To modify product access

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.

2 In the right pane, right-click the role that you want to edit, and then select Properties.

3 In the left pane click Products.

4 Do one of the following actions:

■ To give the role members access to all of the listed products, click Role members will have access to all products.

■ To limit the role members' access to specified products, click Role members will have access to only the selected products. Enable (check) or disable (uncheck) access to individual products in the list.

Consider the tasks that role members will perform as you select products from the list.

Table 2-2 lists the product access that is needed by users who perform specific functions.

5 Click OK.

Modifying SIM permissions

Use the SIM Permissions property to enable or disable several types of Information Manager permissions that are assigned to a role.

To modify SIM permissions

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.

2 In the right pane, right-click the role that you want to edit, and select Properties.

3 In the left pane click SIM Permissions.

4 Do one of the following actions:

■ To assign all Information Manager permissions to the role, click Enable all Permissions.

■ To limit the permissions assigned to the role, click Enable specific Permissions. Then click the check boxes as needed to enable or disable permissions for the role.

Table 2-2 lists the permissions that are needed by users who perform specific functions.

5 Click OK.

About the Bypass Event RBAC option

When you create or modify a role, you can choose to enable the Bypass Event RBAC option. Bypass Event RBAC gives a role unrestricted access to all of the event archives for which a user has been granted access. When a user with this role performs an event query, the query bypasses any additional permission settings that are based on Organizational Unit, Domain, or Product settings, and returns a complete data set from the archives for which the user has been given access. Enabling Bypass Event RBAC enhances query performance by reducing the set of permissions criteria against which the query must be processed.
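The following model, added here as an illustration and not code from the product, shows what the option changes for one role: archive access is always enforced, and the Organizational Unit, Domain and Product checks are the "additional permission settings" that are skipped. The archive, domain, organizational unit and event values are constructed sample data, and bypass_exposure is a hypothetical helper that lists exactly the events a role would newly see, which is what an administrator should review before enabling the option.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Event:
    """One archived event (constructed sample record, not the product's schema)."""
    archive: str    # event archive on an appliance granted through the Appliances panel
    domain: str
    org_unit: str
    product: str
    summary: str


@dataclass(frozen=True)
class RoleGrants:
    """What a role was granted in the Role Wizard (constructed model)."""
    archives: frozenset
    domains: frozenset
    org_units: frozenset
    products: frozenset
    bypass_event_rbac: bool = False


def with_bypass(role):
    """Same grants, with the Bypass Event RBAC option enabled."""
    return replace(role, bypass_event_rbac=True)


def run_event_query(role, events):
    """Events returned to a member of `role` for a query over `events`.

    Archive access is enforced in both modes. With Bypass Event RBAC on, the
    Organizational Unit, Domain and Product checks are not evaluated at all,
    so the query returns the complete data set from the granted archives
    (and has fewer criteria to process, the performance gain the guide notes).
    """
    in_granted_archives = [e for e in events if e.archive in role.archives]
    if role.bypass_event_rbac:
        return in_granted_archives
    return [
        e for e in in_granted_archives
        if e.domain in role.domains
        and e.org_unit in role.org_units
        and e.product in role.products
    ]


def bypass_exposure(role, events):
    """Events a member would see only because Bypass Event RBAC is on.

    This is the set that the role's OU/Domain/Product scoping currently keeps
    out of view; review it before enabling the option on a role.
    """
    scoped = set(run_event_query(role, events))
    return [e for e in run_event_query(with_bypass(role), events) if e not in scoped]


# Constructed sample data: two archives, two domains, two OUs, two products.
SAMPLE_EVENTS = [
    Event("archive-paris", "corp", "ou-emea", "Symantec Security Information Manager", "login failure"),
    Event("archive-paris", "corp", "ou-apac", "Symantec Security Information Manager", "login failure"),
    Event("archive-paris", "corp", "ou-emea", "Symantec Client Security", "malware detected"),
    Event("archive-paris", "lab", "ou-emea", "Symantec Security Information Manager", "rule fired"),
    Event("archive-tokyo", "corp", "ou-emea", "Symantec Security Information Manager", "port scan"),
    Event("archive-paris", "corp", "ou-emea", "Symantec Security Information Manager", "config change"),
]

# A role scoped to the Paris archive, the corp domain, the EMEA OU and one product.
EMEA_ANALYST = RoleGrants(
    archives=frozenset({"archive-paris"}),
    domains=frozenset({"corp"}),
    org_units=frozenset({"ou-emea"}),
    products=frozenset({"Symantec Security Information Manager"}),
)

if __name__ == "__main__":
    print("scoped query :", [e.summary for e in run_event_query(EMEA_ANALYST, SAMPLE_EVENTS)])
    print("bypass query :", [e.summary for e in run_event_query(with_bypass(EMEA_ANALYST), SAMPLE_EVENTS)])
    print("newly exposed:", [(e.org_unit, e.domain, e.product) for e in bypass_exposure(EMEA_ANALYST, SAMPLE_EVENTS)])
```

Note that the archive-tokyo event never appears in either mode: the option widens access within granted archives, it does not grant new archives.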

Modifying appliance access

Use the Appliances property to select the appliances to which role members have access. The selections for this property determine the appliances that the role members can see in the following console locations:

■ The Testing tab on the Rules page, for use when testing a particular rule.

■ The appliances and archives that are available for each query on the Events page.

■ The Appliance Configurations tab on the System page.

To modify appliance access

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.

2 In the right pane, right-click the role that you want to edit, and select Properties.

3 In the left pane click Appliances.

4 Do one of the following actions:

■ To give role members access to all Information Manager appliances in the network configuration, click Role members will have access to all appliances.

■ To limit role members' access to certain appliances, click Role members will have access to only the selected appliances. In the appliances tree, select at least one appliance to associate with this role, and then click Next.

Modifying access permissions in roles

Roles include the permissions that determine the types of access (for example, Read and Delete) that role members have to objects that appear in the console. Role-specific permissions are assigned to the objects when you create each role. You can change the access permissions for the following types of objects:

■ Container objects that were created when you installed Information Manager, such as organizational units.

■ The new objects that you create within the container objects.

When you view the properties of a role, you can see and modify the permissions for the role by selecting tabs in the Editing Role Properties dialog box.

Warning: Permission modification is an advanced feature. You should customize permissions only if you have a clear understanding of how access control works. See “Working with permissions” on page 43.

Table 2-2 describes the access requirements of typical enterprise security roles.

Table 2-2 Access requirements for roles

Role: SES Administrator and Domain Administrator
  Products: All
  SIM permissions: All
  Console access: All
  Access permissions: None required

Role: System Administrator
  Products: Information Manager
  SIM permissions: Allow Asset Edits; Move Computers
  Console access: Show Dashboard Tile; Show Intelligence Tile; Show Statistics Tile; Show System Tile
  Access permissions: Read and Search on Public/System Query groups

Role: User Administrator
  Products: All
  SIM permissions: Allow Dashboard Auto Refresh; Move Computers; Allow Asset Edits; Manage Networks; Manage Policies; Manage Services
  Console access: Show Assets Tile; Show Dashboard Tile; Show Intelligence Tile; Show Rules Tile; Show System Tile
  Access permissions: Read and Search on Public/System Query groups; Read and Write on Users and User Groups; Read and Write on Rules and Roles

Role: Incident Manager
  Products: Information Manager
  SIM permissions: Create Incidents; Write My Incidents; Write All Incidents; Change Assignee and Team on My Incidents; Change Assignee and Team on All Incidents; Change Assignee/Team to self or own team on unassigned incidents; Change Status My Incidents; Change Status All Incidents; Read My Incidents; Read All Incidents; Read Unassigned Incidents; Create new queries; Create new reports; Publish queries; Publish reports; Allow Dashboard Auto Refresh; Move Computers; Allow Asset Edits; Manage Networks; Manage Policies; Manage Services
  Console access: Show Assets Tile; Show Dashboard Tile; Show Events Tile; Show Incidents Tile; Show Intelligence Tile; Show Reports Tile; Show Tickets Tile
  Access permissions: not listed

Role: Report Writer
  Products: Information Manager
  SIM permissions: Write My Incidents; Write All Incidents; Change Assignee and Team on My Incidents; Change Assignee and Team on All Incidents; Change Assignee/Team to self or own team on unassigned incidents; Change Status My Incidents; Change Status All Incidents; Read My Incidents; Read All Incidents; Read Unassigned Incidents; Create new queries; Create new reports; Publish queries; Publish reports; Allow Dashboard Auto Refresh; Move Computers; Allow Asset Edits; Manage Networks; Manage Policies; Manage Services
  Console access: Show Dashboard Tile; Show Events Tile; Show Incidents Tile; Show Intelligence Tile; Show Reports Tile; Show Tickets Tile
  Access permissions: Read and Write on Public/System Query groups; Read and Write on Report groups

Role: Report User
  Products: Information Manager
  SIM permissions: Create new queries; Create new reports; Allow Dashboard Auto Refresh
  Console access: Show Dashboard Tile; Show Events Tile; Show Reports Tile
  Access permissions: Read and Search on Public/System Query groups; Read and Search on Report groups

Role: Rule Editor
  Products: Information Manager
  SIM permissions: Create new queries
  Console access: Show Events Tile; Show Rules Tile; Show Statistics Tile
  Access permissions: Read and Write on Rules and Roles; Read and Search on Public/System Query groups; Read and Search on Report groups

Note: When you change a role’s access permissions to a Public Query Group or a System Query Group, the role’s database permissions may be incorrectly modified. If a user cannot view queries on the Events page, it may be because the user’s role lacks the necessary database permissions. To correct this problem, do the following actions: Log on as a Domain Administrator or SES Administrator and open the Editing Role Properties dialog box for the user’s role. On the DataStores tab, check the role’s database permissions. If the role does not have both Read and Search permissions, add the missing permissions.

See “To modify permissions” on page 41.

To modify permissions

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.

2 In the right pane, right-click the role that you want to edit, and select Properties.

3 In the Editing Role Properties dialog box, in the left pane click the type of permissions that you want to modify. For example, to change the role members' directory permissions, choose Directories.

4 When you finish setting permissions, click OK.

Examples of modifying permissions in roles

You can modify permissions for the following purposes, among others:

■ To hide a query group from members of a role

When members of this role open the Query Chooser on the dashboard, they cannot see the restricted query group in the query tree.

■ To hide all users from members of a role

When members of this role view the System page, they do not see Users in the left pane.

■ To prevent role members from adding and deleting user groups

Role members can view and modify user groups, but they cannot add and delete user groups.

To hide a query group from members of a role

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.

2 In the right pane, right-click the role that you want to restrict, and select Properties.

3 In the left pane click System Query Groups.

4 Click Add.

5 In the Find System Query Groups window, select Product Queries.Symantec Client Security, and then click Add.

6 Click OK.

7 On the Product Queries.Symantec Client Security row, uncheck Read and Search.

8 Click OK.

Members of this role cannot view Symantec Client Security queries. That is, if a role member selects System Queries > Product Queries in the Query Chooser on the dashboard, the role member will not see Symantec Client Security in the tree.

To hide all users from members of a role

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.

2 In the right pane, right-click the role that you want to restrict, and then select Properties.

3 In the left pane click Users.

4 Under Default permissions for all users, uncheck all permission types (for example, Read and Add).

5 Click OK.

When role members view the System page, they cannot see Users in the left pane.

To prevent role members from adding and deleting user groups

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.

2 In the right pane, right-click the role that you want to restrict, and then select Properties.

3 In the left pane click User Groups.

4 On the top line of permissions, check Read, Write, and Search. Make sure that Add and Delete are not checked.

5 Click OK.

Role members can view, search, and modify all user groups in the domain. They cannot create new user groups or delete user groups.

Deleting a role

You can delete roles when they are no longer in use.

Before you delete a role, you can view the properties of the role to ensure that none of your users requires it.

To delete a role

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.

2 In the right pane, right-click the role that you want to delete, and select Properties.

3 Review the role properties to make sure that no users require this role.

4 Click Cancel.

5 If you still want to delete the role, on the toolbar, click - (the minus icon). A message warns you that all members of the selected role will be removed. This means that users will no longer have access to the role. The user accounts will not be deleted.

6 In the confirmation dialog box, click Yes to delete the role.

Working with permissions

Permissions define the access that members of a role have to specific objects. Along with other role properties, permissions control what users can see and do when they log on to the Information Manager console.


As with roles, you can work with permissions only if you are a member of the SES Administrator or Domain Administrator role. The permissions of objects are defined initially when you create roles and when you create new objects. You can then modify the permissions to fine-tune your roles.

Warning: Permission modification is an advanced feature. You should customize permissions only if you have a clear understanding of how access control works in the security directory.

About permissions

Permissions are always associated with roles and are applied when a member of a role logs on to the console.

Table 2-3 shows the permissions that role members can have to view and work with objects.

Table 2-3 Object permissions

Permission | Description
Read | Lets the role members see the attributes of objects. Read must be enabled for the other access permissions to work.
Write | Lets the role members modify objects.
Add | Lets the role members create a new child object within the selected container.
Delete | Lets the role members delete objects.
Search | Lets the role members search the database or the security directory for objects. Search must be enabled for the other access permissions to work.

For information about the access permissions of typical enterprise security roles, see Table 2-2.

The following objects have permissions:

■ Container objects

Container objects are created when the DataStore (database) and Directory are installed. These objects contain all of the new objects that you create. In the console, container objects appear in the left pane of the Administration tab on the System page.


Examples of the container objects that have permissions are Users, Roles, and Organizational Units.

■ Objects that you create within container objects

When you create new objects to represent your security environment, they are stored within the container objects.

On the System page, the objects that you create appear in the right pane when you select their container object in the left pane. For example, when you select Users in the left pane, the individual users that you have created within the Users container are displayed.

These created objects are sometimes known as child or leaf objects.

Propagation of permissions

As you create new management objects, it is important to understand the relationship between the permissions of container objects and the permissions of the objects you create within these containers.

In most cases, the permissions of a container object propagate to all new objects that you create within the container. When you create new objects on a role-by-role basis, the current permissions of the container object are propagated to the new objects.

For example, in Role A, on the Users tab, you disable Write permission for the Users container. In Role B, you disable Delete permission for the Users container. When you create new users, members of Role A do not have Write permission, so they cannot modify the properties of the new users. Members of Role B do not have Delete permission, so they cannot delete the new users.

Note:Most roles should have at least Read and Search permissions for all objects. These permissions allow role members to view information about the objects and perform searches for the objects. For example, if you enable Write access for a container object and disable Read access, the role members cannot modify the objects, because they cannot view the objects.

Propagation occurs only when you create new objects. For example, you may create several users and assign them to Role A before you disable the Write permission in Role A. These permissions are not disabled for the original users unless you set them explicitly.
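The model below, added here as an illustration and not code from the product, replays the Role A / Role B scenario and the timing caveat: a child object receives a copy of the container's per-role permissions at the moment it is created, later container edits do not reach it, and (per Table 2-3) a role with Write but without Read and Search cannot use any of its permissions. The Container and Role names, and the rule that Read and Search together gate every other permission, are this model's assumptions.

```python
from dataclasses import dataclass, field

PERMISSIONS = frozenset({"Read", "Write", "Add", "Delete", "Search"})


@dataclass
class Container:
    """A container object (for example Users) and the child objects created in it.

    Constructed model of the guide's behaviour, not the product's data structures.
    """
    name: str
    role_perms: dict = field(default_factory=dict)  # role -> set of permissions on the container
    objects: dict = field(default_factory=dict)     # object name -> {role -> set of permissions}

    def set_role_permissions(self, role, perms):
        """Set a role's permissions on the container (the role's tab in Editing Role Properties)."""
        self.role_perms[role] = set(perms) & PERMISSIONS

    def create_object(self, obj):
        """Create a child object. The container's CURRENT per-role permissions are
        copied onto it once; nothing propagates to it afterwards."""
        self.objects[obj] = {role: set(p) for role, p in self.role_perms.items()}

    def set_object_permissions(self, obj, role, perms):
        """Explicitly set a role's permissions on one existing object
        (the object's own Permissions dialog box)."""
        self.objects[obj][role] = set(perms) & PERMISSIONS

    def effective(self, role, obj=None):
        """Permissions the role can actually exercise on obj (or on the container).

        Assumed gating rule from Table 2-3: Read and Search must both be enabled
        for the other permissions to work, so without both nothing is usable.
        """
        if obj is None:
            granted = self.role_perms.get(role, set())
        else:
            granted = self.objects[obj].get(role, set())
        if not {"Read", "Search"} <= granted:
            return frozenset()
        return frozenset(granted)


def propagation_walkthrough():
    """Replays the guide's Role A / Role B example plus the 'created before the change' case."""
    users = Container("Users")
    users.set_role_permissions("Role A", PERMISSIONS)               # Write still enabled for now
    users.set_role_permissions("Role B", PERMISSIONS - {"Delete"})  # Role B: no Delete on Users
    users.create_object("early-user")                               # created BEFORE Role A changes

    users.set_role_permissions("Role A", PERMISSIONS - {"Write"})   # now disable Write in Role A
    users.set_role_permissions("Role C", {"Write", "Search"})       # Write without Read: unusable
    users.create_object("new-user")                                 # created AFTER the change

    results = {
        "Role A on new-user": users.effective("Role A", "new-user"),
        "Role B on new-user": users.effective("Role B", "new-user"),
        "Role C on new-user": users.effective("Role C", "new-user"),
        "Role A on early-user (no explicit edit)": users.effective("Role A", "early-user"),
    }
    # The pre-existing object keeps Write for Role A until it is edited explicitly.
    users.set_object_permissions("early-user", "Role A", PERMISSIONS - {"Write"})
    results["Role A on early-user (after explicit edit)"] = users.effective("Role A", "early-user")
    return results


if __name__ == "__main__":
    for label, perms in propagation_walkthrough().items():
        print(f"{label}: {sorted(perms) or 'no usable permissions'}")
```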

Modifying permissions from the Permissions dialog box

You can use the following methods to modify permissions:

■ Edit the role using the Editing Role Properties dialog box.

Use this method to modify permissions for several objects within one role. See “Modifying access permissions in roles” on page 37.

You cannot edit the permissions of software products and their configurations through the Editing Role Properties dialog box.

■ Use the Permissions dialog box for a particular object.

Use this method to modify the permissions for a specific object within one or more roles.

Note: Some objects do not have permissions.

To modify permissions for a container object

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain.

2 In the left pane, right-click the container object (for example, Users) and select Permissions.

In the Permissions dialog box, roles are listed if they have already been assigned to this object. Note that some container objects do not have permissions.

3 You may do any of the following:

■ To modify permissions for this object within the listed roles, check (enable) or uncheck (disable) the permissions, as needed.

You should not disable the Search permission.

■ To add a role to this object, click Add. In the Find Roles dialog box, select a role, then click Add, and then click OK.

The role you added appears in the Permissions dialog box, where you can then enable or disable its permissions.

■ To remove a role, click the role name, and then click Remove.

■ To edit a role’s properties, click the role name, and then click Properties.

4 Click OK when you finish modifying permissions.

To modify permissions for a created object

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain.

2 In the left pane, click the container object that contains the created object. For example, click Users.

3 In the right pane, right-click the object whose permissions you want to modify, and then select Permissions.

In the Permissions dialog box, roles are listed if they have already been assigned to this object. Note that some created objects do not have permissions, such as Policies.

4 You may do any of the following actions:

■ To modify permissions for this object within the listed roles, check (enable) or uncheck (disable) the permissions, as needed.

You should not disable the Search permission.

■ To add a role to this object, click Add. In the Find Roles dialog box, select a role, then click Add, and then click OK.

The role you added appears in the Permissions dialog box, where you can then enable or disable its permissions.

■ To remove a role, click the role name, and then click Remove.

■ To edit a role’s properties, click the role name, and then click Properties.

5 Click OK when you finish modifying permissions.


Managing users and user groups

This chapter includes the following topics:

■ About managing users and passwords

■ Customizable password policy

■ Creating a new user

■ Creating a user group

■ Editing user properties

■ Modifying user permissions

■ Modifying a user group

■ Deleting a user or a user group

About managing users and passwords

The Symantec Security Information Manager appliance uses accounts from Linux and the IBM DB2 Service. Both types of accounts use the password that is specified during installation. The default password is password.

By default, the installation program creates these Linux accounts:

root        Default Linux administrative account

simuser     Used by the Information Manager text console process

sesuser     Used by the http and the Tomcat processes

db2admin    Used by the database process

dasusr1     Used for the DB2 Admin Tools database

symcmgmt    Used by the database process

Warning: For security, change the Linux passwords periodically, according to your company's security policy. The password for all Linux accounts must be changed using the Change Password option from the Information Manager Web configuration interface. Do not change these account passwords or permissions with standard Linux commands, because doing so may cause errors in appliance operation. Generally, you should not need to create new Linux accounts; however, you may want to create an account with limited permissions to a file share so that a user or process can copy database and directory service backups. See your Linux documentation for information on how to create Linux accounts.

See the Symantec Security Information Manager Installation Guide for information on how to change the password for the Linux accounts.
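The warning above leaves the rotation interval to site policy, so an administrator needs a way to see which of the six installer-created accounts are overdue. The following audit script is an added example, not part of the guide or of the product: it parses /etc/shadow-format records (field 3 is the day of the last password change, in days since 1970-01-01) for the accounts named in the table and reports any that are missing, have no recorded change date, or whose password is older than the chosen interval. The shadow records below are constructed sample data with placeholder hashes, and the 90-day interval is an assumed policy value. The script only reads and reports; per the guide, the passwords themselves are changed through the Change Password option in the Web configuration interface, not with Linux commands.

```python
"""Audit password age of the Linux accounts the SSIM installer creates.

Added example (not from the guide). Reads shadow-format records and flags
accounts whose password is older than the site's rotation interval. It only
reports; on the appliance, passwords are changed through the Web
configuration interface's Change Password option.
"""
from datetime import date

# Linux accounts listed in the Administrator's Guide account table.
APPLIANCE_ACCOUNTS = ("root", "simuser", "sesuser", "db2admin", "dasusr1", "symcmgmt")

# Constructed sample /etc/shadow records; the hashes are placeholders.
# Field 3 is the last-change day (days since 1970-01-01); dasusr1 has none.
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERHASH:17500:0:99999:7:::
simuser:$6$PLACEHOLDERHASH:17500:0:99999:7:::
sesuser:$6$PLACEHOLDERHASH:17800:0:99999:7:::
db2admin:$6$PLACEHOLDERHASH:17500:0:99999:7:::
dasusr1:$6$PLACEHOLDERHASH::0:99999:7:::
symcmgmt:$6$PLACEHOLDERHASH:17850:0:99999:7:::
nobody:*:17500:0:99999:7:::
"""


def parse_shadow(text):
    """Return {account: last_change_day} with None where the field is empty."""
    last_change_by_account = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed record: skip it rather than guess
        name, last_change = fields[0], fields[2]
        last_change_by_account[name] = int(last_change) if last_change.isdigit() else None
    return last_change_by_account


def days_since_epoch(day):
    """Convert a date to the day count used by shadow field 3."""
    return (day - date(1970, 1, 1)).days


def stale_accounts(shadow_text, today_days, max_age_days, accounts=APPLIANCE_ACCOUNTS):
    """Return [(account, reason)] for the appliance accounts needing attention.

    An account is reported when it is absent from the shadow data, has no
    recorded last-change day, or its password is older than max_age_days.
    """
    ages = parse_shadow(shadow_text)
    findings = []
    for acct in accounts:
        if acct not in ages:
            findings.append((acct, "account not present"))
        elif ages[acct] is None:
            findings.append((acct, "no last-change date recorded"))
        elif today_days - ages[acct] > max_age_days:
            findings.append((acct, f"password age {today_days - ages[acct]} days"))
    return findings


if __name__ == "__main__":
    # Assumed policy: rotate at least every 90 days. On a real appliance,
    # read /etc/shadow (root only) instead of the constructed sample.
    today = days_since_epoch(date.today())
    for account, reason in stale_accounts(SAMPLE_SHADOW, today, 90):
        print(f"{account}: {reason}")
```

Run it as root on the appliance with the contents of /etc/shadow in place of SAMPLE_SHADOW; any account it lists should then be rotated through the Web configuration interface as the guide instructs. The "nobody" record in the sample shows that accounts outside the guide's table are ignored.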

By default, the installation program also creates the Administrator account in the directory service. This account is used for logging in to the Information Manager console and Information Manager Web configuration interface initially. With the proper permissions, you can also create new directory service accounts for users who will use the Information Manager console and Information Manager Web configuration interface. Directory service accounts are for the administrators of your security products, contacts for notifications, or both. Users who are administrators are members of the roles that define their administrative permissions. Users who only receive notifications do not have to be members of a role.

When you select Users from the Administration tab on the System page, you can do the following tasks:

■ Creating a new user

■ Editing user properties

■ Modifying user permissions

■ Deleting a user or a user group

The Administration tab also lets you create, modify, and delete user groups:

■ Creating a user group

■ Modifying a user group
