XYGATE Merged Audit Reference Manual

ManualsBrandsHP ManualsServerHP NonStop G-Series

161

162

163

164

165

166

167

168

169

170

Table Of Contents

Cover
Copyright
Publication History
Contents
Quick Reference for Common Tasks
Introduction
- XMA Components
- Categorizing the PCI Requirements in XMA
- What’s New in this Release
- General Syntax Notation
- Additional XYPRO Reference Manuals
1. Installing XMA
- 1.1 Before You Begin
- 1.2 Installing XMA Using the Automated Install Script
- 1.3 Installing the SIEM Log Adapter
  - 1.3.1 ArcSight Adapter
  - 1.3.2 Installing the Adapters
- 1.4 Upgrading XMA or XTR Using the AutoInstall Script
  - 1.4.1 Running the AutoInstall Upgrade
- 1.5 Upgrade Considerations
  - 1.5.1 Database Conversion Using CNVRTIP
- 1.6 Uninstalling XMA or XTR Using the Auto Uninstall Script
  - 1.6.1 Preparing for the Auto Uninstall Script
  - 1.6.2 Installing the GUI/PC Products
- 1.7 Managing the XYGATE License
  - 1.7.1 Checking the Status of the Current License
- 1.8 Generate Reports Using XYGATE Report Manager (XRM)
2. Sending Data to Your ArcSight SIEM
- 2.1 What is a Log Adapter
- 2.2 Four Steps to Data Transmission
- 2.3 Step 1. Configure XMA to Collect the Desired Data
  - 2.3.1 Creating the Pathway
  - 2.3.2 Creating MOVERs
- 2.4 Step 2. Determine the Transport Method
  - 2.4.1 Testing Your SIEM connection
- 2.5 Step 3. Apply the Log Adapter to Your FILTERS File
- 2.6 Step 4. Start and Monitor Your MOVERs
- 2.7 Additional References
3. Configuring Filters and the FILTERS File
- 3.1 How to Edit the FILTERS File
- 3.2 Filter Syntax
  - 3.2.1 Logical ANDs and ORs
- 3.3 Building a Filter
- 3.4 Variable Substitution Processing in the FILTERS File
- 3.5 Node-Conditional Processing in the FILTERS File
  - 3.5.1 Node-Conditional Operators
- 3.6 Determine the TCP/IP Process for Email, IPALERT, SNMP Alerts
  - 3.6.1 Step 1. Submit a WHO command
  - 3.6.2 Step 2. Submit an INFO PROCESS
- 3.7 Sending XMA Data to an Audit Logging Appliance
4. Generating Reports Using XRM
- 4.1 Generating Audit Reports Using XMA_REPORT
- 4.2 Select the Audit Subvolume
- 4.3 Select by Date and/or Time Range
- 4.4 Select by Subject Userid
- 4.5 Select by Subject Login Name(s)
- 4.6 Select by System
- 4.7 Select by Subject Terminal
- 4.8 Select Subject by Object Type
- 4.9 Select by Object Name
- 4.10 Select by Operation
- 4.11 Select By Outcome
- 4.12 Select the Output File’s Location
- 4.13 Select the Report’s Sort Order
- 4.14 Select by Rule Name
- 4.15 Select by XYGATE Product Code
- 4.16 Select by ALERTED Column
- 4.17 Select by Text in the Result Column
- 4.18 Select by Message Code
- 4.19 Select by Message ID
- 4.20 Run the Report
- 4.21 Running Reports from Archived Tables
5. Using XMA_MANAGER
- 5.1 Introduction
- 5.2 The XYGATEMA Management Main Menu
- 5.3 The Pathway Management Menu
- 5.4 The Movers Management Menu
- 5.5 The Database Management Menu
- 5.6 The Uninstall Menu
- 5.7 XMA_MANAGER Navigation Hints
- 5.8 Running XMA_MANAGER as the XMA Owner
6. Configuring MOVERs
- 6.1 MOVER Types
- 6.2 Decisions to Make Before Adding Your MOVERs
  - 6.2.1 MOVER Serverclass Naming Conventions
  - 6.2.2 XMA_MANAGER Navigation Hints
- 6.3 How to Add MOVERs
  - 6.3.1 Auto Configure your MOVERs Using Discovery
  - 6.3.2 Creating Remote Catalogs
- 6.4 Built-in Serverclasses
- 6.5 BASE24 MOVERs
  - 6.5.1 BASE24 EMS Templates
- 6.6 HLR MOVERs
  - 6.6.1 Important Notices!
- 6.7 iTP Secure WebServer MOVERs
- 6.8 BASE24-eps MOVERs
- 6.9 MOVER Parameters
  - 6.9.1 MEASURE-Related Parameters
  - 6.9.2 TMF Related Parameters
- 6.10 Time Ranges
- 6.11 Troubleshooting MOVER Problems
7. Safeguard Selection Criteria
- 7.1 Safeguard OBJECTTYPEs
- 7.2 Safeguard OPERATIONs
- 7.3 Safeguard Message Codes
- 7.4 Safeguard MessageIDs
- 7.5 Safeguard EMS Error Messages
8. Maintaining the XMA Database
- 8.1 Remove Obsolete Records
- 8.2 Routine Database Maintenance
  - 8.2.1 Perform FUP Reloads
  - 8.2.2 Update Statistics
- 8.3 Resizing the Data Tables
  - 8.3.1 Default Table Sizes
  - 8.3.2 Sizing Methods
- 8.4 Partitioning the XMA Database
9. Troubleshooting
- 9.1 XMAHELP/XMA_HELP
- 9.2 Communication with an Audit Logging Appliance System
- 9.3 Audit Log Warehouse Data Parsing
A: The MACONF File
- A1: The MACONF File Keywords
- A2: Sample MACONF File
- A3: COLLECTOR
- A4: COMPANY_NAME
- A5: HOMETERM
- A6: MACRO_NAME
- A7: PATHMON_NAME
- A8: PERUSE_OBJECT
- A9: PRIORITY
B: Administrative Tables
- B1: XYGATE MOVER Configuration Tables
- B2: XYGATE MOVER State Tables
- B3: EMS MOVER Table =XMA__EMSMVTBL
- B4: EMS MOVER Parameters Table =XMA_EMSMVPARAMSTBL
- B5: EMS MOVER State Table =XMA_EMSMVSTATETBL
- B6: MEASURE MOVER Tables
- B7: SAFEGUARD MOVER Table =XMA_SFGMVTBL
- B8: SAFEGUARD Parameter Table =XMA_SFGMVPARAMSTBL
- B9: SAFEGUARD MOVER State Tables
- B10: BASE24 MOVER Table
- B11: BASE24 Parameter Table
- B12: BASE24 State Tables
- B13: TCP/IP Syslog Tables
- B14: HLR MOVER TABLE
- B15: HLR Parameter Table
- B16: HLR State Tables
- B17: iTP Secure WebServer MOVER Table
- B18: iTP Secure WebServer State Table
- B19: ARCHIVE Tables
- B20: PARAMS Table
- B21: SESSIONOIP Table
C: Data Tables
- C1: File Partitioning
- C2: Audit Product Table =XMA_AUDPRODUCTTBL
- C3: Audit Installation Table =XMA_AUDINSTALLTBL
- C4: Audit Session Table =XMA_AUDSESSIONTBL
- C5: Audit Detail Table =XMA_AUDITDETAILTBL
D: Sample Filters
- D1: Filter out $CMON’s “I’m Alive” Messages
- D2: Filter out XPC STATUS Commands
- D3: Filter out Safeguard reading its own user database
- D4: Filter out Safeguard No Record
- D5: Filter out XOS No Record
- D6: Filter out XOS What-if tests
- D7: Alert for SUPER.SUPER’s password change via XPQ
- D8: Alert when someone logs directly on as SUPER.SUPER
- D9: Alert for XAC command containing "–255"
- D10: Selecting security-related BASE24 EMS events
- D11: Selecting CLIM events
E: XMA Host Macros
- E1: ADELMAC
- E2: ARCMAC
- E3: CLEANDB
- E4: EMSBUILD
- E5: PARSAMP
- E6: REMFIN
- E7: UPDSTAT
- E8: XMA_AUDIT_REPORT
- E9: XMA_COMPILE_FILTERS
- E10: XMA_DATETIME_MAKE
- E11: XMA_DBVOLUME
- E12: XMA_EDIT_FILTERS
- E13: XMA_FILTERS_CHECK
- E14: XMA_INSTALL_LICENSE
- E15: XMA_LOAD_DEFINES
- E16: XMA_NETWORK_FILTERS_CHECK
- E17: XMA_NETWORK_LICENSE_INSTALL
- E18: XMA_NETWORK_VERSION
- E19: XMA_PWCOLD
- E20: XMA_PWCOOL
- E21: XMA_PWSTOP
- E22: XMA_PWVOLUME
- E23: XMA_SQLCOMPALL
- E24: XMA_SYNTAX_CHECK
- E25: XMA_UPDATE_FILTERS
- E26: XMA_VERSION
- E27: XMA_VOLUME
F: TCLEXC
G: Data Mapping
- G1: General Notes on Data Mapping Columns
- G2: Column Descriptions
- G3: How to Use the Data Mapping Tables
- G4: BASE24 Data Mapping
- G5: BASE24-eps Data Mapping
- G6: HLR Data Mapping
- G7: EMS Data Mapping
- G8: iTP Secure WebServer Mapping
- G9: Measure Data Mapping
- G11: Safeguard Data Mapping
- G12: XYGATE Access Control (XAC) Data Mapping
- G13: XYGATE Supported CMON (XCM) Data Mapping
- G14: XYGATE Host Encryption (XHE) Data Mapping
- G15: XYGATE Key Management (XKM) Data Mapping
- G16: XYGATE Process Control (XPC) Data Mapping
- G17: XYGATE Password Quality (XPQ) Data Mapping
- G18: XYGATE Object Security (XOS) Data Mapping
- G19: XYGATE Safeguard Manager (XSM) Data Mapping
- G20: XYGATE Combined Spoolcom Peruse Data Mapping (XSP)
- G21: XYGATE Transaction Router (XTR) Data Mapping
- G22: XYGATE User Authentication (XUA) Data Mapping
- G23: XYGATE Compliance PRO (XSW) Data Mapping
- G24: Column Usage Table
Glossary
Index

XYPRO Technology Corporation 145 Proprietary and Confidential

Chapter 8. Maintaining the XMA

Database

The XMA SQL database should be managed by a knowledgeable Database

Administrator. There are several tasks that should be performed at regularly scheduled

intervals to prevent the data tables from filling up and to maintain the efficiencies of

queries. These tasks are the following:

1. Remove obsolete Records by either Archive or Cleanup process (page 150).

2. Perform FUP Reloads (page 152).

3. Update Statistics (page 152).

4. Resizing the Data Tables (page 153).

5. Partitioning the XMA Database (page 154).

Note: If you decide to move the Audit Detail (AUDDET, Appendix C5:) or

Audit Session (AUDSESS, Appendix C4:) table to another drive, or if you

choose to partition either of these tables, then the primary partition for both

the AUDDET and AUDSESS tables must reside in the XMADAT subvolume.

8.1 Remove Obsolete Records

Obsolete data records can be deleted from the production XMA database in two ways

depending on whether or not you wish to preserve the data as follows:

• If you wish to preserve the deleted data, you should use the Archive process. Refer

to section 8.1.2, “Archiving the XMA Database” on page 148 for more information.

• If you do not wish to preserve the deleted data, use the Cleanup process. Refer to

section 8.1.3, “Using CLEANUP to Delete Obsolete Data Records” on page 150 for

more information.

8.1.1 Selective Archive and Cleanup

You can choose to retain certain audit records in the XMA database for different

periods of time. For example, if you regularly remove historical data older than

60 days, but an audit requirement makes it necessary to retain information about

adding and deleting user records for five years, then create a Filter that selects

Safeguard records where the OPERATION is CREATE or PURGE. You can then

configure the length of time these records must be retained by using either the

RETAIN_MONTHS or RETAIN_DAYS keywords.