XYGATE Merged Audit Reference Manual

ManualsBrandsHP ManualsServerHP NonStop G-Series

261

262

263

264

265

266

267

268

269

270

Table Of Contents

Cover
Copyright
Publication History
Contents
Quick Reference for Common Tasks
Introduction
- XMA Components
- Categorizing the PCI Requirements in XMA
- What’s New in this Release
- General Syntax Notation
- Additional XYPRO Reference Manuals
1. Installing XMA
- 1.1 Before You Begin
- 1.2 Installing XMA Using the Automated Install Script
- 1.3 Installing the SIEM Log Adapter
  - 1.3.1 ArcSight Adapter
  - 1.3.2 Installing the Adapters
- 1.4 Upgrading XMA or XTR Using the AutoInstall Script
  - 1.4.1 Running the AutoInstall Upgrade
- 1.5 Upgrade Considerations
  - 1.5.1 Database Conversion Using CNVRTIP
- 1.6 Uninstalling XMA or XTR Using the Auto Uninstall Script
  - 1.6.1 Preparing for the Auto Uninstall Script
  - 1.6.2 Installing the GUI/PC Products
- 1.7 Managing the XYGATE License
  - 1.7.1 Checking the Status of the Current License
- 1.8 Generate Reports Using XYGATE Report Manager (XRM)
2. Sending Data to Your ArcSight SIEM
- 2.1 What is a Log Adapter
- 2.2 Four Steps to Data Transmission
- 2.3 Step 1. Configure XMA to Collect the Desired Data
  - 2.3.1 Creating the Pathway
  - 2.3.2 Creating MOVERs
- 2.4 Step 2. Determine the Transport Method
  - 2.4.1 Testing Your SIEM connection
- 2.5 Step 3. Apply the Log Adapter to Your FILTERS File
- 2.6 Step 4. Start and Monitor Your MOVERs
- 2.7 Additional References
3. Configuring Filters and the FILTERS File
- 3.1 How to Edit the FILTERS File
- 3.2 Filter Syntax
  - 3.2.1 Logical ANDs and ORs
- 3.3 Building a Filter
- 3.4 Variable Substitution Processing in the FILTERS File
- 3.5 Node-Conditional Processing in the FILTERS File
  - 3.5.1 Node-Conditional Operators
- 3.6 Determine the TCP/IP Process for Email, IPALERT, SNMP Alerts
  - 3.6.1 Step 1. Submit a WHO command
  - 3.6.2 Step 2. Submit an INFO PROCESS
- 3.7 Sending XMA Data to an Audit Logging Appliance
4. Generating Reports Using XRM
- 4.1 Generating Audit Reports Using XMA_REPORT
- 4.2 Select the Audit Subvolume
- 4.3 Select by Date and/or Time Range
- 4.4 Select by Subject Userid
- 4.5 Select by Subject Login Name(s)
- 4.6 Select by System
- 4.7 Select by Subject Terminal
- 4.8 Select Subject by Object Type
- 4.9 Select by Object Name
- 4.10 Select by Operation
- 4.11 Select By Outcome
- 4.12 Select the Output File’s Location
- 4.13 Select the Report’s Sort Order
- 4.14 Select by Rule Name
- 4.15 Select by XYGATE Product Code
- 4.16 Select by ALERTED Column
- 4.17 Select by Text in the Result Column
- 4.18 Select by Message Code
- 4.19 Select by Message ID
- 4.20 Run the Report
- 4.21 Running Reports from Archived Tables
5. Using XMA_MANAGER
- 5.1 Introduction
- 5.2 The XYGATEMA Management Main Menu
- 5.3 The Pathway Management Menu
- 5.4 The Movers Management Menu
- 5.5 The Database Management Menu
- 5.6 The Uninstall Menu
- 5.7 XMA_MANAGER Navigation Hints
- 5.8 Running XMA_MANAGER as the XMA Owner
6. Configuring MOVERs
- 6.1 MOVER Types
- 6.2 Decisions to Make Before Adding Your MOVERs
  - 6.2.1 MOVER Serverclass Naming Conventions
  - 6.2.2 XMA_MANAGER Navigation Hints
- 6.3 How to Add MOVERs
  - 6.3.1 Auto Configure your MOVERs Using Discovery
  - 6.3.2 Creating Remote Catalogs
- 6.4 Built-in Serverclasses
- 6.5 BASE24 MOVERs
  - 6.5.1 BASE24 EMS Templates
- 6.6 HLR MOVERs
  - 6.6.1 Important Notices!
- 6.7 iTP Secure WebServer MOVERs
- 6.8 BASE24-eps MOVERs
- 6.9 MOVER Parameters
  - 6.9.1 MEASURE-Related Parameters
  - 6.9.2 TMF Related Parameters
- 6.10 Time Ranges
- 6.11 Troubleshooting MOVER Problems
7. Safeguard Selection Criteria
- 7.1 Safeguard OBJECTTYPEs
- 7.2 Safeguard OPERATIONs
- 7.3 Safeguard Message Codes
- 7.4 Safeguard MessageIDs
- 7.5 Safeguard EMS Error Messages
8. Maintaining the XMA Database
- 8.1 Remove Obsolete Records
- 8.2 Routine Database Maintenance
  - 8.2.1 Perform FUP Reloads
  - 8.2.2 Update Statistics
- 8.3 Resizing the Data Tables
  - 8.3.1 Default Table Sizes
  - 8.3.2 Sizing Methods
- 8.4 Partitioning the XMA Database
9. Troubleshooting
- 9.1 XMAHELP/XMA_HELP
- 9.2 Communication with an Audit Logging Appliance System
- 9.3 Audit Log Warehouse Data Parsing
A: The MACONF File
- A1: The MACONF File Keywords
- A2: Sample MACONF File
- A3: COLLECTOR
- A4: COMPANY_NAME
- A5: HOMETERM
- A6: MACRO_NAME
- A7: PATHMON_NAME
- A8: PERUSE_OBJECT
- A9: PRIORITY
B: Administrative Tables
- B1: XYGATE MOVER Configuration Tables
- B2: XYGATE MOVER State Tables
- B3: EMS MOVER Table =XMA__EMSMVTBL
- B4: EMS MOVER Parameters Table =XMA_EMSMVPARAMSTBL
- B5: EMS MOVER State Table =XMA_EMSMVSTATETBL
- B6: MEASURE MOVER Tables
- B7: SAFEGUARD MOVER Table =XMA_SFGMVTBL
- B8: SAFEGUARD Parameter Table =XMA_SFGMVPARAMSTBL
- B9: SAFEGUARD MOVER State Tables
- B10: BASE24 MOVER Table
- B11: BASE24 Parameter Table
- B12: BASE24 State Tables
- B13: TCP/IP Syslog Tables
- B14: HLR MOVER TABLE
- B15: HLR Parameter Table
- B16: HLR State Tables
- B17: iTP Secure WebServer MOVER Table
- B18: iTP Secure WebServer State Table
- B19: ARCHIVE Tables
- B20: PARAMS Table
- B21: SESSIONOIP Table
C: Data Tables
- C1: File Partitioning
- C2: Audit Product Table =XMA_AUDPRODUCTTBL
- C3: Audit Installation Table =XMA_AUDINSTALLTBL
- C4: Audit Session Table =XMA_AUDSESSIONTBL
- C5: Audit Detail Table =XMA_AUDITDETAILTBL
D: Sample Filters
- D1: Filter out $CMON’s “I’m Alive” Messages
- D2: Filter out XPC STATUS Commands
- D3: Filter out Safeguard reading its own user database
- D4: Filter out Safeguard No Record
- D5: Filter out XOS No Record
- D6: Filter out XOS What-if tests
- D7: Alert for SUPER.SUPER’s password change via XPQ
- D8: Alert when someone logs directly on as SUPER.SUPER
- D9: Alert for XAC command containing "–255"
- D10: Selecting security-related BASE24 EMS events
- D11: Selecting CLIM events
E: XMA Host Macros
- E1: ADELMAC
- E2: ARCMAC
- E3: CLEANDB
- E4: EMSBUILD
- E5: PARSAMP
- E6: REMFIN
- E7: UPDSTAT
- E8: XMA_AUDIT_REPORT
- E9: XMA_COMPILE_FILTERS
- E10: XMA_DATETIME_MAKE
- E11: XMA_DBVOLUME
- E12: XMA_EDIT_FILTERS
- E13: XMA_FILTERS_CHECK
- E14: XMA_INSTALL_LICENSE
- E15: XMA_LOAD_DEFINES
- E16: XMA_NETWORK_FILTERS_CHECK
- E17: XMA_NETWORK_LICENSE_INSTALL
- E18: XMA_NETWORK_VERSION
- E19: XMA_PWCOLD
- E20: XMA_PWCOOL
- E21: XMA_PWSTOP
- E22: XMA_PWVOLUME
- E23: XMA_SQLCOMPALL
- E24: XMA_SYNTAX_CHECK
- E25: XMA_UPDATE_FILTERS
- E26: XMA_VERSION
- E27: XMA_VOLUME
F: TCLEXC
G: Data Mapping
- G1: General Notes on Data Mapping Columns
- G2: Column Descriptions
- G3: How to Use the Data Mapping Tables
- G4: BASE24 Data Mapping
- G5: BASE24-eps Data Mapping
- G6: HLR Data Mapping
- G7: EMS Data Mapping
- G8: iTP Secure WebServer Mapping
- G9: Measure Data Mapping
- G11: Safeguard Data Mapping
- G12: XYGATE Access Control (XAC) Data Mapping
- G13: XYGATE Supported CMON (XCM) Data Mapping
- G14: XYGATE Host Encryption (XHE) Data Mapping
- G15: XYGATE Key Management (XKM) Data Mapping
- G16: XYGATE Process Control (XPC) Data Mapping
- G17: XYGATE Password Quality (XPQ) Data Mapping
- G18: XYGATE Object Security (XOS) Data Mapping
- G19: XYGATE Safeguard Manager (XSM) Data Mapping
- G20: XYGATE Combined Spoolcom Peruse Data Mapping (XSP)
- G21: XYGATE Transaction Router (XTR) Data Mapping
- G22: XYGATE User Authentication (XUA) Data Mapping
- G23: XYGATE Compliance PRO (XSW) Data Mapping
- G24: Column Usage Table
Glossary
Index

XYGATE Merged Audit

Reference Manual

Appendix G: Data Mapping

XYPRO Technology Corporation 242 Proprietary and Confidential

G2: Column Descriptions

This table shows the contents of the columns. Refer to the individual product tables for

the product-specific details.

Column Type Description

SESSION.RECORDSESSIONKEY timestamp Unique timestamp created when the

first session row is inserted into the

XMA database.

SESSION.RECORDINSTALLKEY timestamp Links to the

INSTALL.RECORDINSTALLKEY.

SESSION.SESSIONID Char 36 Unique session record created by the

product generating the audit.

SESSION.FOUNDSESSIONSTART Char 1 Marks beginning of a session, if

applicable.

SESSION.FOUNDSESSIONEND Char 1 Marks the end of a session, if

applicable.

SESSION.SESSIONNAME Varchar 40 Unique session record created by the

product generating the audit.

SESSION.PROCESSTHREADID Varchar 50 Process name of the event that caused

the audit record. The process name is

<node>.<proc_name>:<seq#>. See

SESSION.CLIENTPROGRAM for the

process’ object filename.

SESSION.PROCESSTHREADID2 Varchar 50 Process name of the event that caused

the audit record. The process name is

<node>.<cpu>,<pin (same as

THREADID except for the format) only

populated by the EMS mover.

SESSION.CLIENTPROGRAM Varchar 50 The program that caused the audit

record; SAFECOM, XYGATEAC, TMF,

etc.

SESSION.ANCESTORPROCESSTHREADID Varchar 50 Process name of the ancestor

SESSION.PROCESSTHREADID.

SESSION.IPADDRESS Char 16 IP address, based on the user’s

terminal/node.

SESSION.DNSNAME Varchar 100 DNS name, based on the user’s

terminal/node.

SESSION.CLIENTCURRDIR Varchar 200 The object file for the

CLIENTPROGRAM.

INSTALL.RECORDINSTALLKEY timestamp Unique session record created when a

MOVER is created (not really audit

record related).

INSTALL.PRODUCTCODE varchar 10 The product that generated the audit

record.

Continued . . .