Symantec SecurityExpressions Server User Manual

SecurityExpressions Server User Guide
Table Of Contents

Contacting Us
  Technical Support
    Contacting Technical Support
Other Products
Overview
  About SecurityExpressions Audit & Compliance Server
Self-Service Audit
  What is Self-Service Auditing?
  Self-Service Audit Agreement
  How to Audit your Local Computer
Configure Servers
  About Server Configuration
  Local Server Settings
    About User Roles
      Pages with Role Settings
      Viewing Audit Results
    Setup Page
      Database Connection
      Secure Connection
      Credential Store User
      Creating Credential Stores
      SecurityExpressions Console Credential Stores
      Software Registration
      Site Preferences
      Other Servers Local Settings
    Page Access
    Item Rights
      Global Machine List Access: User Roles
    Policy File Library
      Library Synchronization
      About Policy Files
      How System Scores are Calculated
        Example
    Target Options
      Agent & Service Configuration
      SSH Agent Authentication
    Database Cleanup
      Event Log Settings
      Audit Data Cleanup Tasks
    Self-Service Audit Agreement
    Agent Downloads
    Site Preferences
Audit-On-Connect
  What is Audit-on-Connect?
  Policies
    Policies Page
    Policies Table
    Adding Policies
    Editing Policies
    Deleting Policies
    Configuring with Run-Time Policy Variables
  Scopes
    Scopes
    Scopes Table
    Deleting Scopes
    DNS Domain Name Scopes
    Expression Scopes
    Org Unit Scopes
    Detection Method Scopes
    Device Type Scopes
    IP Range Scopes
    Machine List Scopes
    Windows Domain Scopes
  Notifications
    Notifications
    Creating New Email Notifications
    Creating New Command Notifications
    Deleting Notifications
    Notification Variables
  Exceptions
    Exceptions
    Deleting Exceptions
  Connection Monitors
    Connection Monitors
    Configuring Connection Monitors
    Enabling Connection Monitors
    Connection Monitor Configuration File
    Processing the Configuration File
    Configuration File Syntax
  Network
    Slow Links
    Trace Route Information
    Network Admissions Control
  Audit on Connect Tracing
    Audit on Connect Tracing
Audit-On-Schedule
  What is Audit-on-Schedule?
  Policies
    Policies Page
    Policies Table
    Adding Policies
    Editing Policies
    Deleting Policies
    Configuring with Run-Time Policy Variables
  Notifications
    Notifications
    Creating New Command Notifications
    Creating New Email Notifications
    Deleting Notifications
    Notification Variables
  My Machine Lists
    My Machine Lists
    Adding Machine Lists
    Editing Machine Lists
    Deleting Machine Lists
    Editing Global Machine Lists
  Scheduled Tasks
    Scheduled Tasks
    Adding Scheduled Tasks
    Editing Scheduled Tasks
    Deleting Scheduled Tasks
View Audit-On-Connect Activity
  Browse Audit-On-Connect Activity
    Audit-On-Connect Activity Table
    Adding a New Audit-On-Connect Report Profile
    Editing Report Profiles
    Deleting Report Profiles
  Audit-On-Connect Error Log Report
  Audit-On-Connect Exceptions Report
View Audit Results
  Browse Audit Results
    Adding a New Audit Results Report Profile
    Editing Audit Report Results Profiles
    Deleting Audit Report Results Profiles
  Scheduled Audits Log Report
  Adding Custom Reports to the Server Application
Glossary
Index
Contacting Us
Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014 USA
http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s maintenance offerings include the following:
A range of support options that give you the flexibility to select the right amount of service for any size organization
Telephone and Web-based support that provides rapid response and up-to-the-minute information
Upgrade assurance that delivers automatic software upgrade protection
Global support that is available 24 hours a day, 7 days a week
Advanced features, including Account Management Services
Contacting Technical Support
Customers with a current maintenance agreement may contact Technical Support at altiris.support@symantec.com.
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
Product release level
Hardware information
  Available memory, disk space, and NIC information
Operating system
  Version and patch level
Network topology
  Router, gateway, and IP address information
Problem description:
  Error messages and log files
  Troubleshooting that was performed before contacting Symantec
  Recent software configuration changes and network changes
Other Products
SecurityExpressions Console
This product lets you lock down Windows systems quickly and effectively, using guidelines similar to those established by Microsoft, NSA, SANS, and others. Use it to verify the security settings on local and remote systems across your enterprise.
See how well your systems are protected by comparing their current configuration against the Microsoft Security White Paper. A scheduled-task mode lets you compare hundreds of computers at once and then apply fixes, either interactively or automatically. A sophisticated search language lets you catch errors and inconsistencies across your entire network. Printing and reporting capabilities let you save output for historical review.
Overview
About SecurityExpressions Audit & Compliance Server
SecurityExpressions Audit & Compliance Server is a Web-based application that runs on a server with Microsoft IIS and the ASP.NET infrastructure installed. From a Web browser on any computer, you can securely perform most audit and compliance functions, such as audit scheduling, reporting, and browsing audit results. The server automatically updates time-sensitive audit policies such as patch, antivirus, and vulnerability policies. The Web pages interact with a central database and with a service that performs the auditing.
The server offers three ways to audit:
Self-service audits
Audit-on-Connect
Audit-on-Schedule
Self-Service Audit
What is Self-Service Auditing?
Self-service auditing lets anyone audit just their local Windows computer. Typically, a person performing self-service audits is not a SecurityExpressions user, but must have administrator privileges on the computer they're auditing. A designated Web page gives self-service auditors access to self-service features only.
A self-service audit runs a local system audit against a policy and then lets you view the resulting system assessment. You can audit, assess, and comply with your organization's unique security policy or a standard policy file. A self-service audit may require acceptance of a corporate agreement.
Self-service audits can optionally apply settings defined in an Audit-On-Connect scope. If a self-service audit uses an Audit-On-Connect scope, it does so to audit just the local system. The other devices in the scope are ignored.
Self-Service Audit Agreement
An organization may require the acceptance of corporate agreement text before allowing an audit. Your organization can customize an agreement and include it in the Self-Service Audit settings. The administrator configures the system to require users to accept the agreement text before running a self-service audit or skip this agreement.
If you wish to comply with the agreement text, the Self-Service Audit proceeds and the results display. If you disagree with the agreement, the self-service audit does not occur.
Agreement acceptance remains throughout the session. If you time out or shut down, you must accept or reject the agreement the next time you want to audit the local system.
The user's acceptance is logged together with the version number of the agreement that was accepted.
How to Audit your Local Computer
Self-service audits are for auditing Windows computers only. To perform a Self-Service Audit:
1. From the server application's home page, click the Self-Service Audit link at the bottom of the page. You may also reach the Self-Service Audit page by browsing to https://servername/seserver/selfservice, where servername is the name of the server on which the server software resides.
If agreement text was configured, you must accept the agreement to continue.
2. Select a method of self-service auditing by clicking one of the following links.
Self-audit using a specific policy file - Click this link to select from a list of policy files. In order for the list to contain policy files, the administrator of this product must have already created policies and associated policy files with them. If the Policy File list is empty, ask the product's administrator to create some policies.
Self-audit against a list of policy files that apply to your computer - Click this link to self-audit based on an Audit-on-Connect scope, which can check your system against several policy files during one audit. If the administrator of this product created an Audit-on-Connect scope that contains your system, you may use this method to start an audit on your system. Audit results are automatically recorded for review and reporting.
If the administrator of this product did not create an Audit-on-Connect scope that contains your system, you can only select Self-audit using a specific policy file.
3. A security warning appears, alerting you that you need to install WebAudit before you proceed with the self-service audit. Click Yes to install WebAudit.
WebAudit is an ActiveX component required for self-service auditing. It remains in the browser's cache, so you won't need to install it again unless you clear the cache and then perform another self-service audit. Because an ActiveX component runs with the privileges of the browser, and self-service auditors are administrators on their own computers, accept the installation prompt only when the page was opened over HTTPS from your organization's SecurityExpressions server.
You cannot perform a self-service audit without this component. If you click No, you won't be able to complete the audit.
4. If you clicked Self-audit using a specific policy file on the Audit Your Local System page, select a policy file from the Use this Policy File list. Then click Audit Now to perform the self-audit.
The audit compares this policy file against your system.
5. If a Permit Server Audit message appears, click the Yes button to continue.
If you clicked Self-audit using a specific policy file on the Audit Your Local System page, the audit results display directly on the page. Click a rule link in the Description column to learn more about that rule. You may use the button bar to perform operations on the audit results.
If you clicked Self-audit against a list of policy files that apply to your computer on the Audit Your Local System page, only a cumulative posture result displays on the page. No detailed audit results appear.
Configure Servers
About Server Configuration
Before you can audit systems using the server application, you must configure server settings. From fundamental settings such as the database connection and policy-file-library synchronization, to specific settings that drive scheduled and Audit-on-Connect audits, the Settings tab provides a central location for configuring the server.
To access the Settings tab, click Configure Servers on the application's home page. Use the links at the top of the tab to open the various settings pages.
Local Server Settings
Local Settings include parameters of individual audit servers. Most settings are global to all servers in the system, but the Local Settings apply only to one named audit server. The heading, such as Local Settings are for Server: ENTERPRISEHOST indicates that the displayed settings are for the server named ENTERPRISEHOST. The database server and database name also appear.
About User Roles
If the tasks involved in auditing computers for security compliance are divided among different people in your organization, we recommend establishing different user roles in this application. Several key pages contain settings that let only members of specified Windows User Groups access those pages and their features. This lets each user focus on their own tasks while preventing unauthorized users from performing restricted operations. For example, administrators of the product need access to all pages, including the configuration pages, but auditors only need access to the pages used for setting up audits and viewing results.
Tip: Create Windows User Groups based on the access level you plan to grant different users of the application. Then assign these groups to the corresponding pages.
Pages with Role Settings
You establish user roles by entering Windows Group Access settings on the following pages in the application. You may restrict access to the pages or features themselves, and also to the reports and audit results that are based on the restricted machine lists, policies, scopes, and scheduled tasks. Use these user roles to control who can use:
Page Access
Machine List Access
Policies
Scopes
My Machine Lists
Scheduled Tasks
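As an added example (not code from the product or from this guide), the following PowerShell creates one Windows group per application role and fills it, so that each page's Windows Group Access setting can name a single group. The group names, member accounts, and the split into administrators, auditors, and a results-only viewer role are assumptions for illustration; for domain groups the same pattern applies with New-ADGroup and Add-ADGroupMember from the ActiveDirectory module.

```powershell
# Added example, not part of SecurityExpressions. Requires an elevated
# PowerShell 5.1+ session (Microsoft.PowerShell.LocalAccounts module).
# Group names, member accounts and the role split are assumptions.
$roles = @{
    'SE-Admins'   = @{ Members = @('CORP\alice');             Pages = 'all Settings pages' }
    'SE-Auditors' = @{ Members = @('CORP\bob', 'CORP\carol'); Pages = 'Policies, Scopes, My Machine Lists, Scheduled Tasks' }
    'SE-Viewers'  = @{ Members = @('CORP\dave');              Pages = 'View Audit Results only (assumed role)' }
}

foreach ($group in $roles.Keys) {
    # Create the group only if it is missing, so the script can be re-run safely.
    if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $group -Description "SecurityExpressions role: $($roles[$group].Pages)" | Out-Null
    }
    foreach ($member in $roles[$group].Members) {
        # Add-LocalGroupMember errors on an existing member, so check first.
        $already = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
                   Where-Object { $_.Name -eq $member }
        if (-not $already) { Add-LocalGroupMember -Group $group -Member $member }
    }
}

# Review step: list who holds each role. Re-run this whenever staff change,
# because membership here is what grants access on the pages listed above.
foreach ($group in ($roles.Keys | Sort-Object)) {
    $members = (Get-LocalGroupMember -Group $group | ForEach-Object Name) -join ', '
    '{0,-12} {1}' -f $group, $members
}
```

Keep the groups empty of anyone who does not need the role; the application checks membership, not individual accounts, so a stale member keeps access until removed.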
Viewing Audit Results
SecurityExpressions generates audit results through the following kinds of audits. To view results from each kind of audit, a user needs rights to view results from the key configurable items (machine lists, policies, and scopes) involved in the audit. The configurable items to which a user needs audit-result viewing rights, for each kind of audit, are:
Audit on Schedule
  policies
  My Machine Lists or global machine lists
Audit on Connect
  policies
  scopes
Self-Service Audits
  policies
  any My Machine Lists or global machine lists the computer belongs to, whether or not the machine list is involved in the audit
  Super User item rights, if the computer does not belong to any machine list
Instant Audits - performed in the console application's Audit tab
  policies
  global machine lists, if auditing a machine list
  any My Machine Lists or global machine lists that the computer(s) belong to, if auditing individual computers instead of a machine list
  Super User item rights, if the computer does not belong to any machine list
Web-Services Audits - audits activated through the Web-services layer (see the SecurityExpressions Web Services API Guide for more information)
  policies
  global machine lists, if auditing a machine list
  any My Machine Lists or global machine lists that the computer(s) belong to, if auditing individual computers instead of a machine list
  Super User item rights, if the computer does not belong to any machine list
Setup Page
Database Connection
The Application Setup page displays the name of the system where the database resides and the database's name. The Database Connection settings on the Application Setup page let you connect the SecurityExpressions Audit & Compliance Server to a central database.
If you don’t want to connect to an existing database and don’t need to create a custom database, you have the option of creating the database using the Database Connection settings instead of creating it in the database application.
We recommend you don’t use SQL Server's master database as the SecurityExpressions database.
To establish a valid database connection:
1. In the Database Type drop-down list, select the manufacturer of the database software you use.
2. In the Database Server Name box, type the name of the computer containing the database software you use. If you're not connecting to the default instance of the database, enter the server name in computername\databaseinstance format.
3. In the Catalog (Database) Name box, type the name of the database you want the server software to connect to or create.
4. If you want to create a database instead of connecting to an existing database, check Create.
5. Decide whether you want the server application to use SQL Server or Windows authentication to log in to the database.
The application uses the credentials typed in the Database Login and Database Password boxes for all users, every time they open the application. You can enter the credentials of any account that has read/write access to the database and its tables; the account needs only that access, not administrative rights on the database server.
If using SQL Server authentication, type a SQL Server account's user name and password in the Database Login and Database Password boxes.
If using Windows authentication, check Use Windows Authentication and type a Windows account's user name and password in the Database Login and Database Password boxes.
This sets the application and all related services, including ASP.NET, to run under this account. To increase security, create a domain user with limited network access and read/write access to the database, and then use that account's credentials.
If both the server application and the database are on the same computer, you can use the ASP.NET account's credentials. To do this, grant the ASP.NET user permission to use the database in the database software. Then type .\ASPNET in the Database Login box and leave the Database Password box blank.
6. Click Apply. Make sure to connect all server applications you install in the organization to this database.
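Because every user of the application shares the database login entered here, it is worth confirming before clicking Apply that the login works, that it lands in the intended catalog rather than master, and that it holds no more than read/write access. The following PowerShell is an added example, not part of the product: the server, instance, catalog, and login names are placeholders, the HAS_PERMS_BY_NAME check needs SQL Server 2005 or later, and for the Windows-authentication case you run the script while logged on as the account you intend to enter.

```powershell
# Added example, not part of SecurityExpressions. Save as Test-SeDbLogin.ps1 and run
#   .\Test-SeDbLogin.ps1 -Server 'DBHOST\SEINSTANCE' -Catalog 'SecurityExpressions' -Login 'se_service'
# or, to test the Windows-authentication mode, run it as that Windows account with -WindowsAuth.
param(
    [string]$Server  = 'DBHOST\SEINSTANCE',    # computername\databaseinstance (placeholder)
    [string]$Catalog = 'SecurityExpressions',  # catalog (database) name (placeholder)
    [string]$Login   = 'se_service',           # SQL Server login (placeholder); ignored with -WindowsAuth
    [switch]$WindowsAuth
)

# Build the same kind of connection the server application will make.
$b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$b['Data Source']     = $Server
$b['Initial Catalog'] = $Catalog
$b['Encrypt']         = $true   # encrypt the channel to SQL Server; do not add TrustServerCertificate outside a lab

if ($WindowsAuth) {
    $b['Integrated Security'] = $true   # uses the account running this script
    $conn = New-Object System.Data.SqlClient.SqlConnection($b.ConnectionString)
} else {
    # Prompt for the password so it never appears on the command line or in history.
    $secure = Read-Host -Prompt "Password for $Login" -AsSecureString
    $secure.MakeReadOnly()
    $cred = New-Object System.Data.SqlClient.SqlCredential($Login, $secure)
    $conn = New-Object System.Data.SqlClient.SqlConnection($b.ConnectionString, $cred)
}

$conn.Open()   # a bad login or unreachable instance throws here with SQL Server's own message
try {
    $cmd = $conn.CreateCommand()
    # One round trip: which catalog we landed in, whether we can read and write it,
    # and whether the login carries rights the server application does not need.
    $cmd.CommandText = @"
SELECT DB_NAME()                                            AS Catalog,
       SUSER_SNAME()                                        AS LoginName,
       IS_SRVROLEMEMBER('sysadmin')                         AS IsSysadmin,
       IS_MEMBER('db_owner')                                AS IsDbOwner,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'SELECT')   AS CanSelect,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'INSERT')   AS CanInsert
"@
    $r = $cmd.ExecuteReader()
    [void]$r.Read()
    $result = [ordered]@{
        Catalog    = $r['Catalog']
        LoginName  = $r['LoginName']
        IsSysadmin = [int]$r['IsSysadmin']
        IsDbOwner  = [int]$r['IsDbOwner']
        CanSelect  = [int]$r['CanSelect']
        CanInsert  = [int]$r['CanInsert']
    }
    $r.Close()
} finally {
    $conn.Close()
}

# Checks that mirror the guidance in the procedure above.
if ($result.Catalog -eq 'master') {
    Write-Warning 'Connected to the master database; use a dedicated catalog instead.'
}
if ($result.IsSysadmin -eq 1) {
    Write-Warning "Login $($result.LoginName) is a sysadmin; the server only needs read/write on $Catalog."
}
if ($result.CanSelect -ne 1 -or $result.CanInsert -ne 1) {
    Write-Warning "Login $($result.LoginName) lacks read/write access to $Catalog; the server application will not work."
}
$result
```

A login that passes this check with IsSysadmin and IsDbOwner both 0 and CanSelect and CanInsert both 1 is the least-privilege shape the procedure describes.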
Secure Connection
In order to establish a secure connection to the server-software Web site, whether you're accessing it from the system on which you installed the software or remotely from another system, you must use Secure Sockets Layer (SSL); on current systems this means its successor, TLS, reached through the same HTTPS URL. That means you must include HTTPS in the URL. Use the format https://<hostname>/seserver, where <hostname> is the name of the system containing the server software.
Windows 2000 Servers
If you installed the server software on a Windows 2000 Server system running IIS, you must configure SSL by setting up the server certificate on that system.
If the system on which you installed the server software is not running Windows 2000 Server, skip this procedure.
1. On the Windows 2000 server, open Control Panel and double-click Administrative Tools and then Internet Information Services to open the IIS Administrative Panel.
2. In the Web Site folder, right-click Default Web Site and choose Properties.
3. On the Directory Security tab, in the Secure communications section, click Server Certificate.
4. Click Next in the Wizard. On the second page of the Wizard, select Assign an existing certificate.
5. In Available Certificates, select the SecurityExpressions Audit & Compliance Server Certificate.
6. Finish the Wizard.
7. Click OK on the Default Web Site Properties window.
Now you are ready to access the site using SSL.
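The following PowerShell is an added example, not from the product, that checks the outcome of this configuration from a client: the HTTPS URL above must answer with a certificate that is valid for the host name and not about to expire, and plain HTTP must be refused rather than served (IIS answers 403 when Require secure channel is set on the site). The host name is a placeholder.

```powershell
# Added example, not part of SecurityExpressions. Run from any Windows client
# that can reach the server; the host name below is a placeholder.
param([string]$HostName = 'sehost.example.com')

# Prefer TLS 1.2 for the check (requires .NET 4.5 or later).
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

function Get-StatusCode([string]$Url) {
    # Return the HTTP status code for a GET without following redirects. A 401 or
    # 403 comes back as a WebException that still carries the response, so read
    # the code from there; no response at all means DNS, TCP or TLS failed.
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false
    $req.UseDefaultCredentials = $true   # the site grants access by Windows group membership
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            $code = [int]$_.Exception.Response.StatusCode
        } else {
            throw
        }
    }
    return $code
}

# 1. HTTPS must work, and the certificate must be valid for the host name and
#    current; a browser warning here trains users to click through warnings.
$https = "https://$HostName/seserver"
$code  = Get-StatusCode $https
Write-Host "$https -> HTTP $code"
$sp = [System.Net.ServicePointManager]::FindServicePoint($https)
if ($sp.Certificate) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($sp.Certificate)
    Write-Host "Certificate subject: $($cert.Subject); expires $($cert.NotAfter)"
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning 'Certificate expires within 30 days; renew it before users see browser errors.'
    }
}

# 2. Plain HTTP must be refused, not served. With 'Require secure channel (SSL)'
#    set in IIS the answer is 403; any 2xx means the site is reachable in clear.
$http = "http://$HostName/seserver"
$code = Get-StatusCode $http
Write-Host "$http -> HTTP $code"
if ($code -ge 200 -and $code -lt 300) {
    Write-Warning "The site is served over plain HTTP; enable 'Require secure channel (SSL)' on the site in IIS."
}
```

A redirect (3xx) on the HTTP URL is better than a 2xx but still exposes the first request in clear; the 403 from Require secure channel is what this procedure is meant to produce.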
Credential Store User
The Credential Store User settings on the Application Setup page let you create and log in to credential stores. Stored credentials let a user who holds the proper credentials give a user who does not the access needed to audit the target systems, without revealing the credentials. A credential store is a place in the database where you can save the credentials in encrypted form. Auditors can use the credentials without seeing what they are. Security is not compromised, and the organization has the flexibility to assign auditing duties to someone without top security credentials.
When an audit begins, it obtains the credentials of each target computer from the credential store selected in the Credential Store User section of the Application Setup page. If it does not find these credentials, it looks for credentials delegated from the console application.
You must configure a credential store for the application to log in to every time someone uses the application. On the SecurityExpressions Audit & Compliance Server, you can create new Credential Stores on the Application Setup page or use Credential Stores previously created from the SecurityExpressions Console.
If you haven’t created any credential stores in the console application that you can log in to, you need to create a credential store first.
To log in to a credential store:
1. In the Credential Store Name box, select the credential store's user name.
2. In the Credential Store Password box, type the credential store's password.
3. Click Apply.
All servers connected to the same database must use the same credential store.
Creating Credential Stores
You must configure a credential store for the application to log in to every time someone uses the application. You can either create a credential store in the server application or use a credential store created in SecurityExpressions Console. Each group of SecurityExpressions Audit & Compliance Servers will have its own Credential Store.
Once you create a credential store, you can't modify it.
To create a credential store:
1. In the Application Setup page, click Add New.
2. In the New Credential Store User Name box, type a user name for logging in to this credential store.
3. Optional: In the New Credential Store User Full Name box, type a descriptive name.
4. Optional: In the New Credential Store User Description box, type any information about this credential store other users might find helpful.
5. In the New Credential Store User Password box, type a password for logging in to this credential store.
6. In the Verify Credential Store User Password box, type the password again.
7. Click Update.
SecurityExpressions Console Credential Stores
When you create a Credential Store in the SecurityExpressions Console, you create a container that securely saves all of your machine list and host (target system) credentials in the database. After you create the credential store, you can delegate the credentials to the Audit & Compliance Server. This allows users belonging to certain Windows Groups to perform operations using the delegated credentials without knowing or seeing the credentials.
Software Registration
The Software Registration options on the Application Setup page let you register the software for use. You must enter a valid license key in order to activate the server application. If you purchased the Audit-on-Connect component, you must activate that feature with a second license key.
To register the software:
1. In the SecurityExpressions Audit and Compliance Server License Key box, enter the license key for general use of the application.
2. If you purchased Audit-on-Connect, in the SecurityExpressions Audit-on-Connect License Key box, enter the license key for that component.
3. Click Apply.
Site Preferences
The Site Preference options on the Application Setup page let you select general settings for the application. Click Apply after changing these settings.
Enable Web Services
Select this check box to enable SecurityExpressions' Web-services layer. To learn more about the Web-services layer, see the SecurityExpressions Web Services API guide, included in your installation package.
Allow Remediation
Select this check box to allow Web-services remediation functions to apply fixes to computers audited through Web services.
Session Duration
Session duration is a time-out period that sets the maximum number of minutes for a Web session. The session lasts until this time passes or a different Browser accesses the server. When the session expires, local session information, including authentication, is lost. Many settings, once initialized, remain through the session duration.
Once you open a new Browser, the session duration resets to the configured time period.
Maximum number of simultaneous audits for Audit-on-Connect
Simultaneous audits affect network capacity and speed. If you find the default number of simultaneous Audit-on-Connect audits consumes too many CPU and network resources, change this setting to a smaller number until you find the right balance.
Maximum number of simultaneous audits for Audit-on-Schedule
Simultaneous audits affect network capacity and speed. If you find the default number of simultaneous Audit-on-Schedule audits consumes too many CPU and network resources, change this setting to a smaller number until you find the right balance.
Do not use more than __ Mbps (megabits per second) of bandwidth
To control the amount of network bandwidth the software uses during an audit, select this check box and type the maximum number of megabits per second of bandwidth you want audits to consume. The less bandwidth allotted to audits, the longer audits will take to complete. You must enter a number between 0.01 and 10,000.0.
Other Servers Local Settings
Other servers in the System on the Application Setup page lists the other servers in this system that use the central database. When you click a link, you view the Local Settings page for those servers, but only one server is available to view at a time. By navigating to the local settings for each individual server, you can change the local settings on all servers in the system from one location.
All settings other than those on the Setup page are shared across all servers using the same database.
Page Access
Page Access identifies who has access to each SecurityExpressions Audit & Compliance Web page, including the Home and Self-Service Audit pages. For each page, type the name of a Windows User Group that you want to grant access to the page. You cannot enter individual users. Any user belonging to that Group has access, while users who do not belong to the group are denied access.
To allow all users to access a page, type Everyone. To prevent all users from accessing a page, type None.
If you enter multiple Windows groups, separate them with commas. If a Windows User Group isn't on the local computer, you'll need to enter the group in domain\groupname format.
Tip: Before making Group assignments to a specific page, become familiar with Windows Users and Groups in your organization. To see the current Users and Groups, open Control Panel and double-click the Administrative Tools icon. Then open Computer Management and view Local Users and Groups.
Item Rights
The Item Rights options, found on the Page Access page, let you list which Windows User Groups are allowed to do the following:
Edit Private Items
Allow others to modify items that are normally exclusive to the user who created them, such as My Machine Lists and scheduled tasks.
Miscellaneous Target
Usually, the View Audit Results setting for scopes and machine lists controls access to most audit results, since most audits involve a scope or machine list. In the rare cases where 1) an audit doesn't involve a scope (computer audited individually) and 2) the computer isn't part of any machine list (whether or not a machine list was used in the audit), access to the audit results is controlled with this setting instead. Users with this right can view results from these kinds of audits.
Possible cases include the following, only when the computers audited don't belong to any machine list:
self-service audits
instant audits performed in the console application's Audit tab, not using a machine list
audits activated through the Web-services layer not using a machine list (see the SecurityExpressions Web Services API Guide for more information)
Remediate Miscellaneous Targets
Usually, the View Audit Results setting for scopes and machine lists controls access to most audit results, and therefore remediation of audit results, since most audits involve a scope or machine list. In the rare cases where 1) an audit doesn't involve a scope (computer audited individually) and 2) the computer isn't part of any machine list (whether or not a machine list was used in the audit), access to the audit results is controlled with this setting instead. Users with this right can view results from these kinds of audits.
Possible cases include the following, only when the computers audited don't belong to any machine list:
self-service audits
instant audits performed in the console application's Audit tab, not using a machine list
audits activated through the Web-services layer not using a machine list (see SecurityExpressions Web Services API Guide for more information)
Super User Access
Administrators of the product need to modify all configurable items (scopes, scheduled tasks, etc.) and view audit results, whether or not they're listed in the Windows User Groups with access to a configurable item or its audit results, and regardless of who owns private items such as My Machine Lists and scheduled tasks. We recommend entering a Windows User Group consisting of all product administrators here to ensure they're never locked out of audit results, configurable items, and private items.
Global Machine List Access: User Roles
When you schedule an audit, you can specify which computers to audit by selecting machine lists created on the My Machine Lists page and machine lists created in the console application (global machine lists). You can grant or restrict access to My Machine Lists and the results from audits using them with the Windows Group Access options on the My Machine Lists page. Since global machine lists were created in the console application, the server application needs to provide a place to grant or restrict access to them and the results from audits using them. The ML Access page is where you can accomplish that.
If the central database doesn't contain any global machine lists created in the console application, the table on this page will be empty.
To grant or restrict access to a global machine list in the Audit and Compliance Server:
1. Click the machine list's name in the Name column.
2. Set Windows Group Access. Enter Windows groups, separated by a comma, that can use this machine list, remediate computers in this machine list, and view audit results for this machine list. This establishes which users can access this machine list and its audit results due to their role. If a Windows User Group isn't on the local computer, you'll need to enter the group in domain\groupname format.
In the Use Machine List field, enter the Windows groups who should be able to modify the machine list.
In the Remediate field, enter the Windows groups who should be able to remediate computers in the machine list.
In the View Audit Results field, enter the Windows groups who should be able to view results from audits using the machine list.
To grant all users access, type Everyone. To restrict all users, type None.
3. When you're done, click the Add/Update button.
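The group strings used on the Page Access page and the ML Access page above (Everyone, None, comma-separated lists, domain\groupname) modelled as a small evaluator, so you can check what a configuration will grant before applying it. This is an added example, not Symantec's code; the group names are constructed, and treating an empty field as no access, None as overriding any other entry, and Super User Access as covering only the Use and View fields are assumptions drawn from the text.

```python
"""Evaluator for the Windows-group access fields described in the manual.
Added example, not Symantec's code.  All group names are constructed."""
from typing import Dict, FrozenSet, Iterable

EVERYONE = "everyone"       # manual: grants every user
NONE_KEYWORD = "none"       # manual: denies every user


def parse_access_list(value: str) -> FrozenSet[str]:
    """Split a comma-separated access field into normalised group names.

    Windows group names are case-insensitive, so everything is lower-cased.
    An unqualified name is a local group; a domain group must be written
    'domain\\group', as the manual requires, or it will not match."""
    return frozenset(g.strip().lower() for g in value.split(",") if g.strip())


def is_allowed(user_groups: Iterable[str], access_field: str) -> bool:
    """Everyone grants all, None denies all, otherwise any listed group suffices.

    Assumptions: an empty field grants nobody, and None wins if mixed with
    other entries."""
    allowed = parse_access_list(access_field)
    if not allowed or NONE_KEYWORD in allowed:
        return False
    if EVERYONE in allowed:
        return True
    member_of = {g.strip().lower() for g in user_groups}
    return not allowed.isdisjoint(member_of)


def machine_list_permissions(user_groups: Iterable[str],
                             ml_access: Dict[str, str],
                             super_user_field: str = "") -> Dict[str, bool]:
    """Evaluate the three ML Access fields for one user.

    The manual says Super User Access lets administrators modify configurable
    items and view audit results; it does not mention remediation, so the
    override is applied to 'use' and 'view' only (assumption)."""
    su = is_allowed(user_groups, super_user_field)
    return {
        "use": su or is_allowed(user_groups, ml_access.get("Use Machine List", "")),
        "remediate": is_allowed(user_groups, ml_access.get("Remediate", "")),
        "view": su or is_allowed(user_groups, ml_access.get("View Audit Results", "")),
    }


def demo() -> Dict[str, Dict[str, bool]]:
    """Constructed ML Access configuration evaluated for three constructed users."""
    ml_access = {
        "Use Machine List": "CORP\\SecOps, CORP\\Auditors",
        "Remediate": "CORP\\SecOps",
        "View Audit Results": "Everyone",
    }
    super_users = "CORP\\SE-Admins"
    users = {
        "auditor": ["CORP\\Auditors", "Domain Users"],
        "admin": ["CORP\\SE-Admins"],
        "helpdesk": ["CORP\\Helpdesk"],
    }
    return {name: machine_list_permissions(groups, ml_access, super_users)
            for name, groups in users.items()}


if __name__ == "__main__":
    for user, rights in demo().items():
        print(f"{user:9} {rights}")
```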
Policy File Library
Before you can select a policy file in the Policies page, you must enter the policy file library's path and credentials here. This enables the application to gain access to the library and its policy files.
To gain access to a policy file library:
1. In the Library URL field, enter the library's path.
2. In the Library Login field, type the user name needed to gain access to the library.
3. In the Library Password field, type the password needed to gain access to the library.
Library Synchronization
Policy files are updated frequently by the organizations that issue them. If you audit with policy files from a standard policy library, such as the policy file library found at http://www.pedestal.com/products/se/resources/Library, you might want to set a synchronization schedule to remain current. This keeps audits in compliance with current policy files.
To synchronize with a Policy File Library:
1. Check the Synchronize with a policy file library box.
2. Decide whether to check for policy file updates regularly on a schedule or to just update now.
To check for frequent policy file updates, you may choose to Check for policy file updates during a specific time period (days, minutes, hours). If updates exist, they will be downloaded for the SecurityExpressions Audit & Compliance Server to use.
Check Now updates the policy files immediately.
3. Click Update to store the policy file library configuration. The settings are stored but can be modified.
About Policy Files
Security policies lay a solid foundation for the development and implementation of secure practices within an organization. In SecurityExpressions, policy files contain the rules to which an organization must adhere for their system security configuration. Compliance with policies requires an understanding by staff of not only the individual policies but also of the circumstances in which such compliance is expected in their daily activities. Policy files have a .SIF extension.
A high-level security policy may outline specific requirements or rules that must be met, such as the rules and regulations for appropriate use of the computing facilities. A technical standard or configuration guideline is typically a collection of system-specific or procedural-specific requirements that everyone must meet. For example, you might have a standard that describes how to harden a Windows workstation for placement on an external network (DMZ). Administrators must follow this standard exactly if they wish to install a Windows 2003 workstation on an external network segment.
The Security Policy File Library provides pre-defined and customizable system security policy files and security guidelines from well-known sources, such as Microsoft, SANS, NSA, NIST, CIS, as well as policy files including Microsoft Patches, user settings, and Solaris patch management. You can select a policy file to use or modify for your audits.
How System Scores are Calculated
The score a system gets from an audit is calculated using the properties of rules checked against the system during the audit. The properties used are:
Rule Result - Each rule returns a result of OK, Not OK, Error, or Info during an audit. Rules that return Info or Error are not included in the calculation.
Weight Values - Each rule is assigned a weight value from one of the three rule keys, in this order: Weight, Impact, or Priority. The Weight key is not a key that each rule automatically has; it must be created by a user.
If a Weight key exists for a rule and has a value, it always becomes the rule's weight value. If there is no Weight key, the rule gets its weight from the Impact key. If neither key has a value, then the rule gets its weight from the Priority key. If none of these keys have a value, the rule gets a weight value of 1.0. You can customize the values of rules in one of two places:
1. In the SecurityExpressions server interface by editing the policy file and then uploading it into a policy.
2. In the SecurityExpressions console application, if using it, by adjusting rule keys in the .SIF file.
The following is the formula the software uses to calculate system scores:
(weighted total of OK results ÷ (weighted total of OK rules + weighted total of Not OK rules)) × 100
Example
An audit contains four rules:
1 High Priority
1 Medium Priority
1 Low Priority
1 no priority or impact, and no Weight key exists
The weight values are:
High:1.5
Medium:1.0
Low:0.5
The rule with no priority or impact set assumes a weight of 1.0, which happens to also be the default Medium priority weight in this example. If none of the rules return Info or Error, the weighted total of all rules is:
((1 × 1.5) + (1 × 1.0) + (1 × 0.5) + (1 × 1.0) + 0) = 4.0
So, if the high-priority rule returns Not OK and the other three rules return OK, the score will be the actual weighted total for OK rule results [i.e. (1×1.0)+(1×0.5)+(1×1.0)] divided by the weighted total of all rules [i.e. 4.0], multiplied by 100:
2.5 ÷ 4.0 × 100 = 63
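The weight precedence (Weight, then Impact, then Priority, else 1.0), the exclusion of Info and Error results, and the score formula above, worked through in code. This is an added example, not Symantec's software; the rule names and the second audit are constructed, and reading Impact with the same High/Medium/Low weights as Priority is an assumption.

```python
"""Model of the system-score calculation described in the manual.
Added example, not Symantec's code.  Rule names and key values are constructed."""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Weights the manual's example assigns to the Priority levels.  Assumption: a
# non-numeric Impact value uses the same level names.
LEVEL_WEIGHTS = {"High": 1.5, "Medium": 1.0, "Low": 0.5}
DEFAULT_WEIGHT = 1.0  # used when Weight, Impact and Priority are all unset


@dataclass
class Rule:
    name: str
    result: str  # "OK", "Not OK", "Error" or "Info"
    keys: Dict[str, str] = field(default_factory=dict)  # e.g. {"Priority": "High"}


def _weight_from(value: Optional[str]) -> Optional[float]:
    """Interpret one key value: a numeric string or a level name; None if unusable."""
    if value is None or not value.strip():
        return None
    try:
        return float(value)
    except ValueError:
        return LEVEL_WEIGHTS.get(value.strip())


def rule_weight(rule: Rule) -> float:
    """Precedence given in the manual: Weight, then Impact, then Priority, else 1.0."""
    for key in ("Weight", "Impact", "Priority"):
        weight = _weight_from(rule.keys.get(key))
        if weight is not None:
            return weight
    return DEFAULT_WEIGHT


def system_score(rules: List[Rule]) -> Optional[int]:
    """(weighted OK ÷ (weighted OK + weighted Not OK)) × 100.

    Info and Error results are left out of both totals.  Returns None when no
    rule contributes, since the formula would divide by zero.  Half-up rounding
    reproduces the manual's 62.5 -> 63 (Python's round() would give 62)."""
    ok = sum(rule_weight(r) for r in rules if r.result == "OK")
    not_ok = sum(rule_weight(r) for r in rules if r.result == "Not OK")
    total = ok + not_ok
    if total == 0:
        return None
    return math.floor(ok / total * 100 + 0.5)


def manual_example() -> Optional[int]:
    """The manual's four-rule audit: the High rule fails, the other three pass -> 63."""
    audit = [
        Rule("password-length", "Not OK", {"Priority": "High"}),
        Rule("guest-disabled", "OK", {"Priority": "Medium"}),
        Rule("banner-present", "OK", {"Priority": "Low"}),
        Rule("no-priority-set", "OK"),  # no Weight, Impact or Priority -> 1.0
    ]
    return system_score(audit)


def override_example() -> Optional[int]:
    """Constructed audit: an Error result is excluded and an explicit Weight key
    overrides Priority.  OK total 1.5, Not OK total 3 -> 33."""
    audit = [
        Rule("wmi-query", "Error", {"Priority": "High"}),
        Rule("audit-policy", "Not OK", {"Weight": "3", "Priority": "Low"}),
        Rule("firewall-on", "OK", {"Impact": "High"}),
    ]
    return system_score(audit)


if __name__ == "__main__":
    print("manual example score:", manual_example())
    print("override example score:", override_example())
```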
Target Options
The Agent & Service Configuration options are for Windows target systems only. The SSH Agent Authentication options are for UNIX target systems only.
Agent & Service Configuration
The Agent & Service Configuration options let you manage the remote execution of scripts and programs.
Default method for remote execution on Windows
When a method for executing scripts and programs is not explicitly given in a rule or security check, the application uses the method selected. When set to Automatic, the application tries to run executables using all other methods until it finds a compatible method. It tries the methods in this order:
1. Task Scheduler - Uses the Windows Task Scheduler to remotely execute scripts and programs.
2. WMI - Uses Windows Management Instrumentation, which is typically enabled on all Windows platforms, to remotely execute scripts and programs.
3. Agent - Uses the audit agent to remotely execute scripts and programs. Before auditing, make sure to install the agent on the remote computer or check the Automatically install Agent if required in order to execute scripts and programs remotely box.
Automatically install Agent if required to execute scripts and programs remotely
Check this box to automatically install the agent on the remote system when the agent is necessary to complete an audit. The agent can only be automatically installed on Windows systems. For UNIX systems, you must install the agent manually. If you select either Agent or Automatic from the Default method for remote execution on Windows drop-down list, consider checking this box.
If required services are not started, start them before auditing and stop them after audit completes
Check this box to start whichever service the selected remote-execution method needs, such as WMI or the Windows Task Scheduler, before auditing and stop the service after the audit completes. Starting and stopping the service if it's not already running ensures that the audit will not fail.
SSH Agent Authentication
When performing Audit-on-Connect audits, the server software can communicate with UNIX computers through the audit agent or through SSH. When performing Audit-on-Connect audits through SSH, you can authenticate users by either setting up password-based authentication on the Scopes page or uploading private keys to the server application. Use the SSH Agent Authentication section of the Agent & Service Configuration page to set up SSH private keys.
The SSH Agent Authentication options apply to Audit-on-Connect audits only. To upload a new SSH key:
1. Click Browse to locate and select the private key file.
2. In the Key Password box, type the passcode associated with the private key file.
3. Click Add New. The key and passcode appear in the table.
You can add keys in any order. When Audit-on-Connect attempts to connect to a UNIX computer, it checks all keys in the list to see if any of them work.
To edit an existing SSH Key:
1. Click the Edit hyperlink for the SSH key that appears in the table.
2. Browse for a new key file and type the passcode associated with the key file.
3. Click Update.
To delete an existing SSH Key:
1. Click the Delete hyperlink for the SSH key that appears in the table.
When you delete an SSH key, you remove it from the database. A warning appears to remind you that you are about to remove the key from the database.
2. Click Delete to remove the SSH key.
Database Cleanup
The database stores data about audits, as well as console and server events. You might decide that it is unnecessary to use database space to retain this data permanently. The Database Cleanup settings allow you to automatically delete data from the database on a schedule. You can also use the Clean Now button to perform an unscheduled cleanup.
Cleanups delete data generated by any console or server application connected to the same database, not just the server application executing a cleanup. They also clean up data generated by Web services, the COM object, and the command line.
Event-log cleanups and audit-data cleanup tasks are scheduled and run independently from each other.
Event Log Settings
SecurityExpressions retains a log of console and server events that it stores in the database.
Perform daily discard of event log data older than __ days
To clean up the event log, check this box and type the number of days for which you want to retain data before deleting it. Then click Update. Log entries are automatically cleaned up at 2 a.m.
Update
Click this button to update the event-log settings.
Clean Now
Click this button to perform an unscheduled event-log cleanup. Then click Delete to confirm the action or Cancel to cancel it.
Audit Data Cleanup Tasks
You may create more than one cleanup task. Click Add New to create a task. To modify an existing task, locate the task in the table and click the Edit link. To delete an existing task, locate the task in the table and click the Delete link.
Task Name
Type a name for this cleanup task.
Daily Cleanup
Check Enabled to enable this cleanup task.
Audit Results
Select how much audit data you want to retain when cleanups occur. Cleanups occur at 2 a.m. nightly when a cleanup task is enabled.
Discard audit data older than __ days - Type the number of days for which you want to retain data before deleting it.
Discard all but most recent audit for each policy and target - From the drop- down list, select the time span for which you want to keep the most recent audit performed on each policy file you used to audit and on each target audited. The database retains the data from one audit performed on each policy file and each