You can configure the following using the web console:
To access the web console, open the following URL:
https://<IP_Address_Change_Guardian_server>:<port_number>
The default port is 8443. You can use a custom port if Change Guardian was installed with custom configurations.
You can also add license keys and configure email servers from the server command prompt.
Change Guardian provides the user name of the event initiator and the ObjectSID of an event during auditing activities. Configuring AD allows the Change Guardian server to retrieve user information from AD and map it to the associated incoming events. Change Guardian synchronizes AD users to provide the user information associated with a particular event, such as the user name, the email address, and the contact details of the user.
Additionally, configuring AD with Change Guardian provides the following benefits:
Receive delta values from AD
Support for adding additional attributes
Support for mapping custom attributes
Synchronize users from multiple user containers concurrently
Synchronize deleted users
You can add, modify, or delete an AD server configuration, and set a server as the default, from the Change Guardian web console. When you set an AD server as the default, Policy Editor uses that server and displays its objects. Similarly, Agent Manager uses the default server to display the list of computers when you add assets.
NOTE: You cannot configure LDAP connections in AD using Policy Editor. However, to use the configured LDAP connections in Change Guardian policies, upgrade to Policy Editor 6.1.
To add a server:
Click CONFIGURATION > LDAP CONNECTIONS > ADD.
Specify the required details.
Specify the certificate file path to allow an SSL connection.
Specify a polling interval between 30 and 120 minutes to set how often the Change Guardian server synchronizes all objects and groups with AD.
NOTE: In Change Guardian 6.0 and earlier, the polling interval between the Change Guardian server and AD servers was hourly, daily, or weekly. In Change Guardian 6.1, previously configured AD servers have a default polling interval of 120 minutes.
(Conditional) If you want to synchronize AD user profiles with Change Guardian, specify the user container details.
Adding AD servers allows you to perform the following:
Browse AD objects when creating policies using Policy Editor.
Manage both secured and non-secured AD servers.
Use a domain to add multiple computers as assets using Agent Manager.
You can install Change Guardian agents on the assets in one step using Agent Manager.
Use AD User Container details to filter events by user names.
NOTE: When you update an AD object, the change is available to the Change Guardian server only after the specified polling interval has passed. Events from an updated AD object are displayed only after the interval. Similarly, you can view updated user profiles only after the interval has passed.
To synchronize AD user accounts to Change Guardian, Change Guardian needs to map the user account field names in AD to an attribute in your directory service. By default, Change Guardian maps the most commonly used field names, but you can add or remove mappings as necessary.
To modify user profile mapping, from the web console, click ADMINISTRATION > Integration > AD Accounts > User Profile Mapping.
If you are using the evaluation license key, you must add the enterprise license key before the evaluation key expires to avoid any interruption in the Change Guardian functionality. For information about how to purchase the license, see the Change Guardian Product Web site.
To add a license key:
In the web console, click ADMINISTRATION.
Click Help > About > Licenses > Add License.
Specify the license key and save.
NOTE: After a license expires, the Change Guardian web console appears blank. You can then add the license key only by using the command line. For more information, see Adding the Server License Key.
To send email messages, you must create an event routing rule and configure an email server. If you do not configure an email server, notification groups do not appear.
To create an event routing rule:
From the web console, click Administration > Routing.
Click Create, then use the following information to create a new event routing rule:
Name: Specify a unique name for the event routing rule.
Criteria: Select saved criteria to use in creating the event routing rule. The criteria determine which events are stored in the event store.
Select tag: (Optional) Select a tag for tagging the filter. The tag makes the filter more specific.
Route to the following services: Select where the information is routed. The options are:
All: Routes the event to all services including Correlation, Security Intelligence, and Anomaly Detection.
Event store only: Routes the event to the event store only.
None (drop): Drops or ignores the events.
Perform the following actions: Select an action to be performed on every event that meets the filter criteria. The following default actions are available for event routing rules:
Log to File
Log to Syslog
Send Events via Sentinel Link
Send SNMP Trap
NOTE: When you associate an action with a routing rule that triggers a JavaScript action, ensure that the rule matches only a small percentage of events. If rules trigger actions frequently, the system might backlog the actions framework, which can slow down the EPS and affect the performance of the Change Guardian server.
For the actions to work, you must have configured the Integrator associated with each action for your environment.
Select the email configuration that you already created using Policy Editor. For more information, see Configuring Email Servers.
The actions listed here are different from the actions displayed in the Event Actions tab (web console > ADMINISTRATION), and are distinguished by the <EventRouting> attribute in the package.xml file created by the developer.
Adding or Removing Actions
You can add more than one action to perform on the events that meet the filter criteria:
Click Save to save the event routing rule.
NOTE: You can assign more than one email alert to a specific event by assigning more than one action to the event routing rule. Ensure that you set correct filters to avoid an unnecessary flow of emails.
You can configure a Change Guardian server for LDAP authentication to enable users to log in to Change Guardian with their LDAP directory credentials. With LDAP, Change Guardian processes each user group in a policy as group members.
You can perform LDAP authentication over either an SSL connection or an unencrypted connection to the LDAP server. You can configure the Change Guardian server for LDAP authentication with or without using anonymous search on the LDAP directory:
Anonymous: When you create Change Guardian LDAP user accounts, specify the directory user name. However, you do not have to specify the user distinguished name (DN).
When an LDAP user logs in, the Change Guardian server performs an anonymous search on the LDAP directory based on the specified user name. The Change Guardian server finds the corresponding DN and then authenticates the user against the LDAP directory by using the user DN.
Non-anonymous: When you create Change Guardian LDAP user accounts, you must specify the user DN along with the user name.
When an LDAP user logs in, the Change Guardian server authenticates the user against the LDAP directory by using the specified user DN.
NOTE: If anonymous search is disabled on the LDAP directory, you must not configure the Change Guardian server to use anonymous search.
To set up LDAP authentication:
In the web console, click ADMINISTRATION.
Click Users > LDAP Settings.
Specify the options to configure LDAP authentication:
Host: Hostname or IP address for SSL connections.
SSL: Select this option to use an SSL connection to the LDAP server.
Port: Port for the SSL connection. The default SSL port number is 636 and the default non-SSL port number is 389.
Certificate File Path: The path of the CA certificate file for the LDAP server.
Specify the certificate file path when you are using an SSL connection and the LDAP server certificate is not signed by a well-known CA, so it is not trusted by default.
Anonymous Search: Option to perform anonymous searches or non-anonymous searches on the LDAP directory.
Base DN: The root container to search for users.
For example, set o=netiq for eDirectory.
For anonymous search, specify the root container of the LDAP directory. This is optional for eDirectory, but mandatory for Active Directory. For eDirectory, if you do not specify the Base DN, Change Guardian searches the entire directory to locate the users.
For non-anonymous search, specify the root container in the LDAP directory that contains users. This is mandatory if you are using Active Directory and if you set a domain name.
Search Attribute: The LDAP attribute that holds the user name used to search for users.
For example, the search attribute for eDirectory is uid and for Active Directory it is sAMAccountName.
Domain Name: The Active Directory domain.
Change Guardian can perform anonymous search in Active Directory. Change Guardian uses the username@domainname (userPrincipalName) to authenticate the user before searching for the LDAP user object.
NOTE: If Base DN is set and Domain Name is not set, the Base DN is appended to the relative user DN to construct the absolute user DN.
For example, if the Base DN is set to o=netiq and the absolute user DN is cn=sentinel_ldap_user,o=netiq, Change Guardian uses the relative user DN cn=sentinel_ldap_user when you create an LDAP user account.
Click Test Connection to test the LDAP connection.
Specify the domain name and password if you did not specify them earlier. The user DN can be relative to the Base DN.
According to LDAP standards, when you use reserved special characters as literals in a User DN, you must escape them with a backslash (\). eDirectory or Active Directory might require additional escape characters. You must use \ as the escape character in the following cases:
A space or # occurring at the beginning of the string
A space occurring at the end of the string
Any one of the following characters: +, ", \, <, >, or ;
For example, if the User DN contains a comma as a literal, specify the User DN as follows:
CN=Test\,User,CN=Users,DC=netiq,DC=com
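As an added example, not code from Change Guardian, the following Python applies the escaping rules above when building a User DN and splits an escaped DN back into its components; the function names are my own.

```python
# Added example (not Change Guardian code): escape reserved literals in a DN
# attribute value per the rules above, build a DN from its parts, and split
# an escaped DN on unescaped commas only.

# Characters that must always be escaped when used as literals.
RESERVED = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Put a backslash before reserved literals, a leading space or '#',
    and a trailing space."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        needs_escape = (
            ch in RESERVED
            or (i == 0 and ch in (" ", "#"))
            or (i == last and ch == " ")
        )
        out.append("\\" + ch if needs_escape else ch)
    return "".join(out)


def build_user_dn(rdns):
    """rdns is a list of (attribute, raw value) pairs, most specific first."""
    return ",".join(f"{attr}={escape_dn_value(val)}" for attr, val in rdns)


def split_dn(dn: str) -> list:
    """Split a DN into RDN strings, treating '\\,' as a literal comma."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    return parts


if __name__ == "__main__":
    # Constructed input matching the page's example user "Test,User".
    dn = build_user_dn([("CN", "Test,User"), ("CN", "Users"),
                        ("DC", "netiq"), ("DC", "com")])
    print(dn)              # CN=Test\,User,CN=Users,DC=netiq,DC=com
    print(split_dn(dn))
```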
If there is an error, review the configuration details you provided and test the connection again. To learn about the errors, examine the /var/opt/novell/sentinel/log/server0.0.log file.
NOTE: You must ensure that the test connection is successful before saving the LDAP settings.
Click Save to save the LDAP settings.
Verify the configuration:
Check that the LdapLogin section in the /etc/opt/novell/sentinel/config/auth.login file is updated. For example:
LdapLogin {
    com.sun.security.auth.module.LdapLoginModule required
    java.naming.ldap.factory.socket="com.esecurity.common.communication.ProxyLdapSSLSocketFactory"
    userProvider="ldap://10.0.0.1:636/o=netiq"
    userFilter="(&(uid={USERNAME})(objectclass=user))"
    useSSL=true;
};
If you provided the LDAP server CA certificate, it is added to the /etc/opt/novell/sentinel/config/.ldapkeystore.jks keystore.
After saving the LDAP settings successfully, you can create LDAP user accounts to enable users to log in to Change Guardian by using their LDAP directory credentials.
NOTE: You can also configure the Change Guardian server for LDAP authentication by running the ldap_auth_config.sh script in the /opt/novell/sentinel/setup directory.
The script also supports command line options. To view the options, run the script as follows:
/opt/novell/sentinel/setup/ldap_auth_config.sh --help
After configuring the Change Guardian server for LDAP authentication, create Change Guardian LDAP user accounts and log in to Change Guardian by using your LDAP user name and password. For more information about creating LDAP user accounts, see Creating Users.
You can create user roles in Change Guardian and assign permissions to them. Assigning roles helps you control users' access to functionality, their access to data based on fields in the incoming events, or both. Each role can contain any number of users. Users belonging to the same role inherit the permissions of that role. You can set multiple permissions for a role.
The following sections provide information about configuring users and roles:
Change Guardian has the following roles by default:
Administrator: A user in this role has administrative rights in Change Guardian, including the ability to manage users, data collection, data storage, searches, rules, reports, dashboards, and licenses.
You cannot modify or delete the administrator role.
Change Guardian Administrator: A user in this role can view all event data including raw data.
Event Dispatcher: A user in this role can send only events and attachments to the Change Guardian server.
Operator: A user in this role can manage alerts, share alert and event views, run reports, view reports, rename reports, and delete report results.
Compliance Auditor: A user in this role can view events that are tagged with at least one of the regulation tags such as PCI, SOX, HIPAA, NERC, FISMA, GLBA, NISPOM, JSOX, and ISO/IEC_27002:2005. Users in this role can also view system events, view the Change Guardian configuration data, and search data targets.
User: A user in this role can manage dashboards, run reports, view reports, rename reports, and delete report results.
NOTE: If the web console displays roles other than the listed ones, you can ignore such roles.
Roles allow you to define what a user can manage and what data they can view. You can grant permissions to the role and then assign the user to the role.
To create a role:
In the web console, click ADMINISTRATION.
Click Users > Users and Roles.
Under Roles, click Create.
Specify the required information.
Review the following additional permissions that you can assign to the new role:
Edit knowledge base: Allows users to view and edit the knowledge base in the Alert Details page
Manage Tags: Allows all members to create, delete, and modify tags, and associate tags to different event sources
Manage roles and users: Allows non-administrative users to administer specific roles and users
Proxy for Authorized Data Requestors: Allows users to accept searches from remote data sources
Send events and attachments: Allows users to send events and attachments to the server
NOTE: You can manually assign this permission to a user who needs to forward events to the server.
View and execute event actions: Allows members to view events and execute actions on the selected events
View detailed internal system state data: Allows members to view detailed internal system state data by using a JMX client
View knowledge base: Allows users to view the knowledge base in the Alert Details page
To create users, see Creating Users.
Change Guardian provides a set of password validation rules that help you maintain a complex password for all local user passwords. You can select the desired validation rules as applicable for your environment.
You can configure the password validation rules in the /etc/opt/novell/sentinel/config/passwordrules.properties file. The validation rules apply only to local user passwords, not to LDAP user passwords. For existing users, the validation rules apply only after the users update their password.
By default, all the validation rules are disabled and commented out with #. To enable validation rules, uncomment the rules, specify the values for the rules, and save the file.
The following table describes the password complexity validation rules:
Table 5-1 Password Complexity Rules

Validation Rule | Description
---|---
MINIMUM_PASSWORD_LENGTH | Specifies the minimum number of characters required in a password.
MAXIMUM_PASSWORD_LENGTH | Specifies the maximum number of characters allowed in a password.
UNIQUE_CHARACTER_LENGTH | Specifies the minimum number of unique characters required in a password. For example, if the UNIQUE_CHARACTER_LENGTH value is 6 and a user specifies the password as "aaaabbccc", Change Guardian does not validate the password because it contains only 3 unique characters: a, b, and c.
LOWER_CASE_CHARACTERS_COUNT | Specifies the minimum number of lowercase characters required in a password.
UPPER_CASE_CHARACTERS_COUNT | Specifies the minimum number of uppercase characters required in a password.
ALPHABET_CHARACTERS_COUNT | Specifies the minimum number of alphabetic characters required in a password.
NUMERIC_CHARACTERS_COUNT | Specifies the minimum number of numeric characters required in a password.
NON_ALPHA_NUMERIC_CHARACTERS_COUNT | Specifies the minimum number of non-alphanumeric or special characters required in a password. The rule considers only the following non-alphanumeric characters: ` ~ ! @ # $ % ^ & * ( ) - _ = + [ { ] } \ \| ; : ' " < , > . / ?
RESTRICTED_WORDS_IN_PASSWORD | Specifies the words that are not allowed in a password. The restricted words are case-insensitive. You can specify multiple words separated by a comma. For example, RESTRICTED_WORDS_IN_PASSWORD= admin, password, test
When you add a user in Change Guardian, it creates an application user. You can assign roles when you create the user.
To create a user:
In the web console, click ADMINISTRATION.
Click Users > Users and Roles.
Under Users, click Create.
The user name can contain special characters, but it must not exceed 30 characters.
NOTE: For a local user password, ensure that the password adheres to the password complexity validation rules. For more information, see Understanding Password Complexity.
Select an authentication method:
(Conditional) To authenticate the user against the internal database, select Local.
(Conditional) To authenticate the user against an LDAP directory, select Directory.
NOTE: Ensure that you have configured the Change Guardian server for LDAP authentication. For more information, see Configuring LDAP for Authentication.