HP JetAdvantage User Manual

Technical white paper
HP JetAdvantage Security Manager
Reporting, Email Alert Subscriptions & Remediation Summary, Auditing & Syslog Functionality
Table of Contents
Overview
Assessment and Remediation
Dashboard
Device Lists
Autogrouping
Reports
Understanding Assessment and Remediation Status and Results
Emailing Summary of Task Results
Policy Change Notification
Subscribing to Email Alerts
HPSM User Activity Logging (Auditing)
Remote Syslog logging
SIEM Tool Integration
Appendix A: Configuring Email Server and Email Recipients for Emailing Task Results and Policy Change Notification
Appendix B: Extracting Assessment and Remediation Data from the SQL Database
Overview
HP JetAdvantage Security Manager is a tool designed to assess a fleet of devices against a policy containing security settings and remediate (fix) the settings that are out of compliance. Reporting is available to indicate which devices can be assessed, which are out of compliance, and which were remediated back into compliance. This document discusses the various types of reports available in Security Manager as well as techniques for extracting assessment and remediation data for use in your own tools for reporting.
Assessment and Remediation
Difference between Assessment and Remediation
The Tasks tab offers the ability to perform Assess Only or Assess and Remediate tasks. An Assess Only task (assessment) reads policy security settings from devices and indicates which settings are in or out of compliance. An Assess and Remediate task (remediation) fixes any settings on devices that are out of compliance by placing them back into compliance.
The result of the assessment task is indicated in the Assessment Status column in the device list. Recommendations reveal the actions necessary to bring a device back into policy compliance as a result of an assessment that is performed. If the assessment status indicates Passed, there will be no recommendations.
Assessment status of High/Medium/Low always includes a number next to the status to indicate how many policy items are out of compliance. These are called recommendations.
Viewing Device Recommendations
A recommendation can be viewed by clicking on the number next to the assessment status. There is also a report that can be generated to indicate recommendations that will be discussed later.
Assessment and remediation tasks on a policy for a group can be scheduled to occur at any desired frequency. Security Manager can complete approximately 1500 devices per hour in a remediation task of a policy equivalent to the Base policy. If the Allow Automatic Remediation option in Security Manager Instant-On Security is enabled, device remediation occurs automatically on a device anytime the device sends an announcement to Security Manager.
Policy changes to ignore not supported settings for a device
Settings in a policy can be set to Ignore if they are not supported for a device, in which case the assessment will pass on that setting if it is not supported. Conversely, settings can be set to Fail if not supported for a device, in which case they will fail in an assessment if not supported on a device.
Configuring Risk Level in a Policy
Settings in a policy can be customized to indicate a risk level of High, Medium, or Low. The highest risk in the assessment is always reported in the assessment status column.
Resetting a device to Unassessed
Device recommendations can be cleared by selecting Reset to Unassessed when right-clicking on devices. However, device remediations can only be cleared by deleting the device then re-adding the device (manual or auto-discovery).
Remember, when scheduling an assessment, the Assess Only option provides a report but does not change any device settings. The Assess and Remediate option actually fixes out-of-compliance devices.
Assessment - identifies and reports any noncompliant features during the scheduled assessment
Remediation - applies the correct policy settings to all noncompliant features
Dashboard
The dashboard is the default screen when initially launching Security Manager and contains a high level summary of the fleet that indicates which devices have been assessed or not and their status. For assessed devices, the dashboard indicates the assessment status of passed, high, medium or low. For unassessed devices, the dashboard indicates the device status. The icon in the upper right corner allows the dashboard to be exported to a PDF file.
Beginning in Security Manager 3.3, the dashboard can be viewed over time to indicate how the assessments have progressed in the past 90 days by clicking on Historical Fleet Status. A user can visualize how the fleet compliance has been changing over the timeline. Snapshot data collection starts with the new version installation. Snapshots are created every day at every Assessment or Remediation.
The number of days in the timeline can be controlled by the box in the upper right corner. The minimum value is 1 and the maximum value is the number of days since the new version installation or 90, whichever is less. Hover over any bar to see the fleet status on that day in numbers. The right column shows a comparative view of the fleet status on the current day vs. the first day of the timeline/range. Percentages are added to highlight the strength of compliance.
Device Lists
The main purpose of Security Manager is to make sure a fleet of devices stays in compliance with desired security settings. It isn’t an asset collecting tool, although it does have several device attributes it collects and displays in columns. HP Web Jetadmin is focused more on obtaining an exhaustive list of device settings to see how they are configured on a fleet and allows for exporting those settings for inclusion into other tools. Security Manager focuses strictly on security settings, and what can be exported includes which security settings are out of compliance or which security settings have been placed into compliance.
The first three columns in a device list essentially determine which devices can be assessed and which ones are out of compliance. The first column indicates the assessment status and is defined as such:
- Not assessed
- Assessed and all settings in compliance
- Assessed with only low risk items out of compliance
- Assessed with medium risk items (and possibly low risk items) out of compliance
- Assessed with high risk items (and possibly low/medium risk items) out of compliance
The second column indicates device status. It includes a visual icon to indicate Good (green check mark) or some sort of error (red x) indicating a problem. It also includes a textual description of the error as follows:
Network Connection Error - Security Manager uses both of these errors typically to indicate an issue trying to communicate with a device over a specific protocol. Many times Security Manager is trying to securely connect to the device over SSL/TLS and cannot for some reason. Most common reasons for either of these errors include:
- No response from device on basic network communications such as ping. Device may be powered off or disconnected from network. Pings may be filtered at router or firewall.
- Device responds to pings but does not respond to Web Services (WS*) queries.
- Can’t browse to EWS page, perhaps EWS has been disabled.
- SSL/TLS handshake fails so transaction cannot be encrypted. Operating system controls the TLS versions in the handshake, not HPSM. You can select the device and click Do Not Enforce SSL/TLS.
- Certificate has MD5 hash which Microsoft no longer supports, so SSL/TLS handshake is rejected. Can right-click device and choose Set SSL\TLS Enforcement, then choose Do Not Enforce to temporarily fix. Now Verify again to see if state clears. If so, for a permanent solution, regenerate the self-signed certificate under EWS (might require newer Jetdirect firmware) to generate a new certificate with a supported hash.
- ACL (Access Control List) blocking.
- No certificate support, already set to not enforce SSL/TLS (grayed out).
- Ports blocked, perhaps by firewall.
- Some cases have been reported whereby DAT indicates SNMPv1/v2 passes for Gets and Sets yet SNMPv3 cannot be enabled using SNMPv1/v2 and this error is generated. Many times a second remediation clears the error.
Connection Refused / Invalid Identity Certificate - If Security Manager installed an identity certificate on the device, it tags it in the database to enforce trust for future communications.
- Removed, expired or revoked certificates.
- Cannot connect to CRL (certificate revocation list) to check revocation.
Credentials Failed - HPSM was unable to find a match between what is stored in the HPSM database and what is on the device. Security Manager will always try the device specific credentials first, then the credentials stored in the Global Credential Store and then finally public/blank. The device specific credentials can be configured by selecting a device, clicking on Set Credentials and then using Configure/Copy/Paste or Reset. If all three attempts fail, Security Manager posts Credentials Failed as it needs proper credentials in order to communicate with the device.
- SNMP behavior is to not respond to an SNMP REQ packet when the community name is wrong.
- Older devices had two locations under EWS for Admin Password.
Remember, browsing to EWS is strictly HTTP traffic. Security Manager and tools such as Web Jetadmin use WS*, LEDM, SNMP, DSMP, EWSCONFIG, XDM, etc. to communicate to devices for the various settings depending upon how they are exposed for fleet management per device family. For example, you could disable SNMP on devices and not affect EWS browsing at all, but tools such as Web Jetadmin and Security Manager would be severely hampered as they could not communicate with the device using a critical protocol.
Groups
Any discovered device will always be present in the All Devices group. Devices can be added to custom groups as desired. The primary purpose of groups is to represent a security policy. For example, if the entire fleet will receive the exact same security settings, you could merely create a remediation task that applies your one security policy to the All Devices group. If different regions will receive different security settings per region, then you could create a group for each region and schedule a remediation for each group applying its respective security policy.
To create groups, select Manage groups from the pull-out screen on the left hand side of the Devices tab.
Enter the desired Group Name and select the Parent Group under which the new group will be created.
Groups can be nested as desired by creating subgroups for each parent group. Groups are selected for viewing by clicking on the icon in the upper left hand corner of the Devices tab to expose a drop-down list of groups. The number in parentheses after each group indicates how many devices are present in that group.
Devices are added to groups by selecting the desired devices, right-clicking and selecting Add to Group.
Clicking on the All Groups selection from the drop-down list of groups displays all of the groups in the main window. Here the numbers after each group include the immediate devices in that group plus a cumulative total of devices in the parent group plus devices in any children groups.
Some users still prefer to see devices in groups for organizational purposes, even though the devices may all receive the same security settings. Reports could then be run per group to indicate which devices are out of compliance per group.
Autogrouping
Automatic groups can be created where a set of filters or criteria are defined for the group. Filters are applied immediately to all devices and devices are added accordingly. For every discovery, filters are applied and devices are added. Filters are also applied to all devices at a scheduled frequency that can be defined in the HPSM_service.exe.config file, default is 24 hours:
<add key="autoGroupFilterExecutionFrequency" value="24:0:0" />
By default, the maximum number of autogroups that can be created is 10 to protect performance. If more autogroups are desired, change the following entry to indicate more than 10 in both the HPSM_Service.exe.config file and the Web.config file:
<add key="maxAllowedAutoGroups" value="10" />
Starting with Security Manager v3.4, a policy can be assigned to each autogroup in which all items in the policy are automatically remediated when a device is added to the autogroup. Check the box named Allow Automatic Remediation and choose the desired policy from the drop-down selection. This can be in addition to the policy that is remediated under the Instant On settings. If it is desired to have multiple policies automatically remediated via autogrouping, create multiple autogroups where a device would be added. Devices are added to each group in alphabetical order, thus policies are applied in that order.
The primary use case for this feature is for devices discovered via Instant On to be fully secured by allowing multiple policies to be automatically remediated. However, remediations can be configured to occur in the following scenarios if the autogroup has a policy assigned to it:
- Device discovered via Instant-on
- Device discovered via any discovery method
- Edit auto group
- Edit auto group policy
The following config file values found under \Program Files x86\HP JetAdvantage Security Manager\HPSM_service.exe.config can dictate the behavior of automatic remediations as such:
<add key="autoGroupEditOrDailyRefreshAutoRemediationEnable" value="false" />
Set to true if it is desired to allow automatic remediations when autogroup filters are edited and the nightly refresh autogroup filter runs.
<add key="autoGroupDiscoveryAutoRemediationEnable" value="false" />
Set to true if it is desired to allow automatic remediations for devices discovered through discovery methods other than Instant On.
<add key="skipInstantOnPolicy" value="false" />
Both Instant On and autogroup policy will be remediated for instant on discovered devices if this value is set to true. Otherwise, if set to false, only the autogroup policy will be remediated.
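Because these keys decide when devices are remediated without an operator starting a task, it is worth checking the deployed files against the values shown above, and checking that maxAllowedAutoGroups matches in both files. The script below is an added example, not part of the HP white paper or of Security Manager; it assumes the keys sit under a standard .NET appSettings element, and the sample file contents are constructed.

```python
import xml.etree.ElementTree as ET

# Values as printed in this document for HPSM_service.exe.config.
DOCUMENTED = {
    "autoGroupFilterExecutionFrequency": "24:0:0",
    "maxAllowedAutoGroups": "10",
    "autoGroupEditOrDailyRefreshAutoRemediationEnable": "false",
    "autoGroupDiscoveryAutoRemediationEnable": "false",
    "skipInstantOnPolicy": "false",
}

def app_settings(xml_text):
    """Return {key: value} for each <add> under <appSettings> (assumed layout)."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): e.get("value", "")
            for e in root.iterfind("./appSettings/add")}

def audit(service_xml, web_xml):
    """List settings that differ from the documented values or between files."""
    svc, web = app_settings(service_xml), app_settings(web_xml)
    findings = []
    for key, documented in DOCUMENTED.items():
        actual = svc.get(key)
        if actual is not None and actual.strip().lower() != documented:
            findings.append(f"service: {key}={actual} (document shows {documented})")
    # The document says maxAllowedAutoGroups must be changed in both files.
    if svc.get("maxAllowedAutoGroups") != web.get("maxAllowedAutoGroups"):
        findings.append("maxAllowedAutoGroups differs between service config and Web.config")
    return findings

# Constructed sample files; only the key names come from the document.
SERVICE_SAMPLE = """<configuration><appSettings>
  <add key="autoGroupFilterExecutionFrequency" value="24:0:0" />
  <add key="maxAllowedAutoGroups" value="25" />
  <add key="autoGroupEditOrDailyRefreshAutoRemediationEnable" value="false" />
  <add key="autoGroupDiscoveryAutoRemediationEnable" value="True" />
  <add key="skipInstantOnPolicy" value="false" />
</appSettings></configuration>"""
WEB_SAMPLE = """<configuration><appSettings>
  <add key="maxAllowedAutoGroups" value="10" />
</appSettings></configuration>"""

if __name__ == "__main__":
    for finding in audit(SERVICE_SAMPLE, WEB_SAMPLE):
        print(finding)
```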
Exporting Device Lists
It is possible to export any device list by selecting the desired devices, right-clicking and selecting Export Device. An .xml or .csv file will be created that contains all of the information that is displayed in columns.
Exporting the column data could provide a simple report to indicate which devices are in compliance or not. However, the reporting area of Security Manager provides much more specific data regarding assessments and remediations.
Reports
Security Manager offers several types of reports to indicate which devices are in or out of compliance. These reports could potentially be used to pass audits, as one example. Use the Reports tab to generate or schedule the following types of reports:
- Executive Summary
- Devices Assessed
- Devices Not Assessed
- Policy Items Assessed
- Recommendation
- Remediation
The drag-in bar on the left hand side of the screen offers two choices: Reports and Export Reports.