XYGATE Merged Audit Reference Manual

ManualsBrandsHP ManualsServerHP NonStop G-Series

261

262

263

264

265

266

267

268

269

270

Table Of Contents

Cover
Copyright
Publication History
Contents
Quick Reference for Common Tasks
Introduction
- XMA Components
- Categorizing the PCI Requirements in XMA
- What’s New in this Release
- General Syntax Notation
- Additional XYPRO Reference Manuals
1. Installing XMA
- 1.1 Before You Begin
- 1.2 Installing XMA Using the Automated Install Script
- 1.3 Installing the SIEM Log Adapter
  - 1.3.1 ArcSight Adapter
  - 1.3.2 Installing the Adapters
- 1.4 Upgrading XMA or XTR Using the AutoInstall Script
  - 1.4.1 Running the AutoInstall Upgrade
- 1.5 Upgrade Considerations
  - 1.5.1 Database Conversion Using CNVRTIP
- 1.6 Uninstalling XMA or XTR Using the Auto Uninstall Script
  - 1.6.1 Preparing for the Auto Uninstall Script
  - 1.6.2 Installing the GUI/PC Products
- 1.7 Managing the XYGATE License
  - 1.7.1 Checking the Status of the Current License
- 1.8 Generate Reports Using XYGATE Report Manager (XRM)
2. Sending Data to Your ArcSight SIEM
- 2.1 What is a Log Adapter
- 2.2 Four Steps to Data Transmission
- 2.3 Step 1. Configure XMA to Collect the Desired Data
  - 2.3.1 Creating the Pathway
  - 2.3.2 Creating MOVERs
- 2.4 Step 2. Determine the Transport Method
  - 2.4.1 Testing Your SIEM connection
- 2.5 Step 3. Apply the Log Adapter to Your FILTERS File
- 2.6 Step 4. Start and Monitor Your MOVERs
- 2.7 Additional References
3. Configuring Filters and the FILTERS File
- 3.1 How to Edit the FILTERS File
- 3.2 Filter Syntax
  - 3.2.1 Logical ANDs and ORs
- 3.3 Building a Filter
- 3.4 Variable Substitution Processing in the FILTERS File
- 3.5 Node-Conditional Processing in the FILTERS File
  - 3.5.1 Node-Conditional Operators
- 3.6 Determine the TCP/IP Process for Email, IPALERT, SNMP Alerts
  - 3.6.1 Step 1. Submit a WHO command
  - 3.6.2 Step 2. Submit an INFO PROCESS
- 3.7 Sending XMA Data to an Audit Logging Appliance
4. Generating Reports Using XRM
- 4.1 Generating Audit Reports Using XMA_REPORT
- 4.2 Select the Audit Subvolume
- 4.3 Select by Date and/or Time Range
- 4.4 Select by Subject Userid
- 4.5 Select by Subject Login Name(s)
- 4.6 Select by System
- 4.7 Select by Subject Terminal
- 4.8 Select Subject by Object Type
- 4.9 Select by Object Name
- 4.10 Select by Operation
- 4.11 Select By Outcome
- 4.12 Select the Output File’s Location
- 4.13 Select the Report’s Sort Order
- 4.14 Select by Rule Name
- 4.15 Select by XYGATE Product Code
- 4.16 Select by ALERTED Column
- 4.17 Select by Text in the Result Column
- 4.18 Select by Message Code
- 4.19 Select by Message ID
- 4.20 Run the Report
- 4.21 Running Reports from Archived Tables
5. Using XMA_MANAGER
- 5.1 Introduction
- 5.2 The XYGATEMA Management Main Menu
- 5.3 The Pathway Management Menu
- 5.4 The Movers Management Menu
- 5.5 The Database Management Menu
- 5.6 The Uninstall Menu
- 5.7 XMA_MANAGER Navigation Hints
- 5.8 Running XMA_MANAGER as the XMA Owner
6. Configuring MOVERs
- 6.1 MOVER Types
- 6.2 Decisions to Make Before Adding Your MOVERs
  - 6.2.1 MOVER Serverclass Naming Conventions
  - 6.2.2 XMA_MANAGER Navigation Hints
- 6.3 How to Add MOVERs
  - 6.3.1 Auto Configure your MOVERs Using Discovery
  - 6.3.2 Creating Remote Catalogs
- 6.4 Built-in Serverclasses
- 6.5 BASE24 MOVERs
  - 6.5.1 BASE24 EMS Templates
- 6.6 HLR MOVERs
  - 6.6.1 Important Notices!
- 6.7 iTP Secure WebServer MOVERs
- 6.8 BASE24-eps MOVERs
- 6.9 MOVER Parameters
  - 6.9.1 MEASURE-Related Parameters
  - 6.9.2 TMF Related Parameters
- 6.10 Time Ranges
- 6.11 Troubleshooting MOVER Problems
7. Safeguard Selection Criteria
- 7.1 Safeguard OBJECTTYPEs
- 7.2 Safeguard OPERATIONs
- 7.3 Safeguard Message Codes
- 7.4 Safeguard MessageIDs
- 7.5 Safeguard EMS Error Messages
8. Maintaining the XMA Database
- 8.1 Remove Obsolete Records
- 8.2 Routine Database Maintenance
  - 8.2.1 Perform FUP Reloads
  - 8.2.2 Update Statistics
- 8.3 Resizing the Data Tables
  - 8.3.1 Default Table Sizes
  - 8.3.2 Sizing Methods
- 8.4 Partitioning the XMA Database
9. Troubleshooting
- 9.1 XMAHELP/XMA_HELP
- 9.2 Communication with an Audit Logging Appliance System
- 9.3 Audit Log Warehouse Data Parsing
A: The MACONF File
- A1: The MACONF File Keywords
- A2: Sample MACONF File
- A3: COLLECTOR
- A4: COMPANY_NAME
- A5: HOMETERM
- A6: MACRO_NAME
- A7: PATHMON_NAME
- A8: PERUSE_OBJECT
- A9: PRIORITY
B: Administrative Tables
- B1: XYGATE MOVER Configuration Tables
- B2: XYGATE MOVER State Tables
- B3: EMS MOVER Table =XMA__EMSMVTBL
- B4: EMS MOVER Parameters Table =XMA_EMSMVPARAMSTBL
- B5: EMS MOVER State Table =XMA_EMSMVSTATETBL
- B6: MEASURE MOVER Tables
- B7: SAFEGUARD MOVER Table =XMA_SFGMVTBL
- B8: SAFEGUARD Parameter Table =XMA_SFGMVPARAMSTBL
- B9: SAFEGUARD MOVER State Tables
- B10: BASE24 MOVER Table
- B11: BASE24 Parameter Table
- B12: BASE24 State Tables
- B13: TCP/IP Syslog Tables
- B14: HLR MOVER TABLE
- B15: HLR Parameter Table
- B16: HLR State Tables
- B17: iTP Secure WebServer MOVER Table
- B18: iTP Secure WebServer State Table
- B19: ARCHIVE Tables
- B20: PARAMS Table
- B21: SESSIONOIP Table
C: Data Tables
- C1: File Partitioning
- C2: Audit Product Table =XMA_AUDPRODUCTTBL
- C3: Audit Installation Table =XMA_AUDINSTALLTBL
- C4: Audit Session Table =XMA_AUDSESSIONTBL
- C5: Audit Detail Table =XMA_AUDITDETAILTBL
D: Sample Filters
- D1: Filter out $CMON’s “I’m Alive” Messages
- D2: Filter out XPC STATUS Commands
- D3: Filter out Safeguard reading its own user database
- D4: Filter out Safeguard No Record
- D5: Filter out XOS No Record
- D6: Filter out XOS What-if tests
- D7: Alert for SUPER.SUPER’s password change via XPQ
- D8: Alert when someone logs directly on as SUPER.SUPER
- D9: Alert for XAC command containing "–255"
- D10: Selecting security-related BASE24 EMS events
- D11: Selecting CLIM events
E: XMA Host Macros
- E1: ADELMAC
- E2: ARCMAC
- E3: CLEANDB
- E4: EMSBUILD
- E5: PARSAMP
- E6: REMFIN
- E7: UPDSTAT
- E8: XMA_AUDIT_REPORT
- E9: XMA_COMPILE_FILTERS
- E10: XMA_DATETIME_MAKE
- E11: XMA_DBVOLUME
- E12: XMA_EDIT_FILTERS
- E13: XMA_FILTERS_CHECK
- E14: XMA_INSTALL_LICENSE
- E15: XMA_LOAD_DEFINES
- E16: XMA_NETWORK_FILTERS_CHECK
- E17: XMA_NETWORK_LICENSE_INSTALL
- E18: XMA_NETWORK_VERSION
- E19: XMA_PWCOLD
- E20: XMA_PWCOOL
- E21: XMA_PWSTOP
- E22: XMA_PWVOLUME
- E23: XMA_SQLCOMPALL
- E24: XMA_SYNTAX_CHECK
- E25: XMA_UPDATE_FILTERS
- E26: XMA_VERSION
- E27: XMA_VOLUME
F: TCLEXC
G: Data Mapping
- G1: General Notes on Data Mapping Columns
- G2: Column Descriptions
- G3: How to Use the Data Mapping Tables
- G4: BASE24 Data Mapping
- G5: BASE24-eps Data Mapping
- G6: HLR Data Mapping
- G7: EMS Data Mapping
- G8: iTP Secure WebServer Mapping
- G9: Measure Data Mapping
- G11: Safeguard Data Mapping
- G12: XYGATE Access Control (XAC) Data Mapping
- G13: XYGATE Supported CMON (XCM) Data Mapping
- G14: XYGATE Host Encryption (XHE) Data Mapping
- G15: XYGATE Key Management (XKM) Data Mapping
- G16: XYGATE Process Control (XPC) Data Mapping
- G17: XYGATE Password Quality (XPQ) Data Mapping
- G18: XYGATE Object Security (XOS) Data Mapping
- G19: XYGATE Safeguard Manager (XSM) Data Mapping
- G20: XYGATE Combined Spoolcom Peruse Data Mapping (XSP)
- G21: XYGATE Transaction Router (XTR) Data Mapping
- G22: XYGATE User Authentication (XUA) Data Mapping
- G23: XYGATE Compliance PRO (XSW) Data Mapping
- G24: Column Usage Table
Glossary
Index

XYPRO Technology Corporation 239 Proprietary and Confidential

Appendix G: Data Mapping

Data Selection Criteria is used to select audit events based on the contents of the

normalized audit data record. Every column that is utilized for a given target product is

available for generating an ACTION in a Filter.

Data selection criteria is based entirely on the product whose audit trail the MOVER is

reading.

The MOVERs normalize the data for each record in their target product’s audit trail,

which means that they move the contents of each field to the appropriate columns for

insertion in the XMA database.

• Refer to section 3.3, “Building a Filter” starting on page 44 for information about

building Filters.

• Refer to Appendix G24: “Column Usage Table” on page 299 to see which columns

are used for each product.

• Refer to the appropriate XYGATE product manual for additional information

regarding their audit trails.

The technique for creating a Filter is finding the field(s) in the audit record that makes

the event you are interested in, unique. For example, if you want to generate an email

every time a user invokes a specific XAC command, it is the command name that

makes the relevant XAC audit records unique. You would use the XAC data mapping

table described in Appendix G12: “XYGATE Access Control (XAC) Data Mapping” on

page 274 to determine which column contains the command name.

If you check the table now, you will see that the XAC command names are placed in

both the RULENAME column and the OBJECTNAME column of the AUDIT detail

table. You could choose either column for your Filter.

If you wanted to view access attempts for a particular file, you would look at the XOS

or Safeguard data mapping tables to determine which field contains the filename. In

this case, both products place the filename in the OBJECTNAME column of the AUDIT

detail table.