FreeBSD Security User Guide

VISUAL Message Center ThinkServer 1.6 FreeBSD Security User Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Copyright Notice Copyright © 2011 Tango/04 All rights reserved.

Document date: March 2011

Document version: 1.31

Product version: 1.6

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without the prior written permission of Tango/04.

Trademarks

Any references to trademarked product names are owned by their respective companies.

Technical Support

For technical support visit our web site at www.tango04.com.

Tango/04 Computing Group S.L. Avda. Meridiana 358, 5 A-B Barcelona, 08027 Spain

Tel: +34 93 274 0051

Table of Contents

Table of Contents ...... iii
How to Use this Guide ...... vii

Chapter 1

Introduction ...... 1

1.1. What You Will Find in This Document ...... 1

Chapter 2

Before You Begin...... 3

Chapter 3

FreeBSD OpenBSM Audit Configuration...... 4

3.1. Introduction ...... 4
3.2. First Steps ...... 4
3.3. Audit Classes Overview ...... 4
3.4. Configuring System and User Audit ...... 5
3.5. Configuring Audit Policies ...... 6
3.6. User Permissions ...... 7

© 2011 Tango/04 Computing Group Page iii Table of Contents

Chapter 4

Common Configuration...... 8

4.1. Data Source Configuration ...... 8
4.1.1. General Settings ...... 8
4.1.2. Options ...... 10
4.2. Common ThinAgent Configuration ...... 12
4.2.1. Main Information ...... 13
4.2.2. Filters ...... 13
4.2.3. Additional Filters ...... 14
4.2.4. Default Message Templates ...... 14
4.2.5. Common Variables for All FreeBSD Security ThinAgents ...... 14
4.2.6. Field Map SmartConsole – ThinkServer ...... 15

Chapter 5

FreeBSD Custom Audit ThinAgent ...... 17

5.1. ThinAgent Variables ...... 17
5.2. Default Health Settings ...... 17
5.3. Field Map SmartConsole – ThinkServer ...... 17
5.4. Predefined High-Level Exclusion Filters ...... 18

Chapter 6

FreeBSD File System ThinAgents ...... 19

6.1. FreeBSD File Content Accessed ...... 19
6.1.1. ThinAgent Variables ...... 19
6.1.2. Default Health Settings ...... 19
6.1.3. Field Map SmartConsole – ThinkServer ...... 20
6.1.4. Predefined High-Level Exclusion Filters ...... 20
6.2. FreeBSD File Content Modified ...... 20
6.2.1. ThinAgent Variables ...... 21
6.2.2. Default Health Settings ...... 21
6.2.3. Field Map SmartConsole – ThinkServer ...... 21
6.2.4. Predefined High-Level Exclusion Filters ...... 21
6.3. FreeBSD File/Directory Attribute Accessed ...... 22
6.3.1. ThinAgent Variables ...... 22
6.3.2. Default Health Settings ...... 23
6.3.3. Field Map SmartConsole – ThinkServer ...... 23
6.3.4. Predefined High-Level Exclusion Filters ...... 23
6.4. FreeBSD File/Directory Attribute Modified ...... 24
6.4.1. ThinAgent Variables ...... 24
6.4.2. Default Health Settings ...... 24
6.4.3. Field Map SmartConsole – ThinkServer ...... 25


6.4.4. Predefined High-Level Exclusion Filters ...... 25
6.5. FreeBSD File/Directory Created/Deleted ...... 25
6.5.1. ThinAgent Variables ...... 26
6.5.2. Default Health Settings ...... 26
6.5.3. Field Map SmartConsole – ThinkServer ...... 26
6.5.4. Predefined High-Level Exclusion Filters ...... 27

Chapter 7

FreeBSD User Activity ThinAgents ...... 28

7.1. FreeBSD Logon Activity ...... 28
7.1.1. ThinAgent Variables ...... 28
7.1.2. Default Health Settings ...... 28
7.1.3. Field Map SmartConsole – ThinkServer ...... 28
7.1.4. Predefined High-Level Exclusion Filters ...... 29
7.2. FreeBSD Programs Executed ...... 29
7.2.1. ThinAgent Variables ...... 29
7.2.2. Default Health Settings ...... 30
7.2.3. Field Map SmartConsole – ThinkServer ...... 30
7.2.4. Predefined High-Level Exclusion Filters ...... 30
7.3. FreeBSD Session Threshold ...... 30
7.3.1. ThinAgent Variables ...... 31
7.3.2. Default Health Settings ...... 31
7.3.3. Field Map SmartConsole – ThinkServer ...... 32
7.4. FreeBSD User Inactivity ...... 32
7.4.1. ThinAgent Variables ...... 33
7.4.2. Default Health Settings ...... 33
7.4.3. Field Map SmartConsole – ThinkServer ...... 33

Chapter 8

FreeBSD User Management ThinAgents ...... 34

8.1. FreeBSD Command Management ...... 34
8.1.1. ThinAgent Variables ...... 34
8.1.2. Default Health Settings ...... 35
8.1.3. Field Map SmartConsole – ThinkServer ...... 35
8.1.4. Predefined High-Level Exclusion Filters ...... 35

Chapter 9

FreeBSD Generic Syslog ThinAgent ...... 36

9.1. Default Health Settings ...... 36


Chapter 10

FreeBSD Custom Log ThinAgent...... 37

10.1. ThinAgent Variables ...... 37
10.2. Default Health Settings ...... 37

Appendices

Appendix A: OpenBSM Audit Classes ...... 38
A.1. Definitions of Audit Classes ...... 38
A.1.1. Predefined Audit Classes ...... 38

Appendix B: Further Information ...... 40
B.1. Using Tango/04 PDF Documentation ...... 40
B.2. Tango/04 University ...... 40
B.3. Contacting Tango/04 ...... 42

About Tango/04 Computing Group ...... 43
Legal notice ...... 44


How to Use this Guide

This chapter explains how to use Tango/04 User Guides and understand the typographical conventions used in all Tango/04 documentation.

Typographical Conventions

The following conventional terms, text formats, and symbols are used throughout Tango/04 printed documentation:

Convention: Description

Boldface: Commands, on-screen buttons and menu options.

Blue Italic: References and links to other sections in the manual or further documentation containing relevant information.

Italic: Text displayed on screen, or variables where the user must substitute their own details.

Monospace: Input commands such as System i commands or code, or text that users must type in.

UPPERCASE: Keyboard keys, such as CTRL for the Control key and F5 for the function key that is labeled F5.

Note: Notes and useful additional information.

Tip: Tips and hints that will improve the user's experience of working with this product.

Important: Important additional information that the user is strongly advised to note.

Warning: Warning information. Failure to take note of this information could potentially lead to serious problems.


Chapter 1 Introduction

The FreeBSD Security ThinAgents depend directly on the TrustedBSD OpenBSM audit system: they retrieve the audit data stored in the audit trail files of any FreeBSD host on which the auditd daemon is configured and running.

The ThinAgents work over remote SSH connections with user authentication. You can retrieve the entire audit trail or use filters to keep only the most relevant data. The recommended practice is to analyze the requirements of the monitoring environment and filter down to the critical information, because an unfiltered environment may carry an undesirable performance cost.

The ThinAgents have been made to support FreeBSD versions 7.x and 8.x. Although they should also work with versions 6.x, older systems only include audit as an experimental feature.

The main features of these ThinAgents are:

• Only one data source needed for each server (for OpenBSM monitoring)

• Three levels of filters (low, medium and high). It is possible to define an aggressive filtering environment to avoid performance issues by using the different levels of filters.

• Automatic parsing of audit events, converting timestamps and other complex values into ThinkServer-style values.

• Support for audit trail concentrators: if one server stores the audit trails of several other servers, you can create a single data source for the concentrator and the parser detects the host that generated each record.

Note FreeBSD is not able to do this yet, but it is supported for future versions.

• Incremental reading system. You may stop the monitors for several hours and retrieve all the historic data when you resume the monitors.

• Time-limited block size for queries, avoiding performance issues when retrieving large amounts of events.

1.1 What You Will Find in This Document

This user guide describes the purpose of the FreeBSD Security ThinAgents and all variables that are pre-configured. It also explains the minimum configuration settings required to get the FreeBSD OpenBSM Audit module properly working. For a full description of VISUAL Message Center ThinkServer functionality see the VISUAL Message Center ThinkServer User Guide.

The FreeBSD OpenBSM Audit Configuration chapter covers the basic configuration you should set on your FreeBSD Hosts and the minimum requirements.

The Common Configuration chapter covers the common configuration of data sources and monitors.

The following chapters give a detailed description of each ThinAgent, the default configuration and the variables. You can use these variables to set Health conditions, configure actions, create templates, and send to the SmartConsole. There are also a number of generic variables available to all ThinAgents, which are described in the VISUAL Message Center ThinkServer User Guide.

Furthermore you will find a field map for the ThinAgent describing the values as they appear in the SmartConsole and ThinkServer.


Chapter 2 Before You Begin

These ThinAgents rely on the FreeBSD OpenBSM audit module. Before using the ThinAgents, you have to make sure your FreeBSD host has the auditing system configured and running, and also check that all the minimum requirements are met.

The next chapter explains how to configure your FreeBSD host to meet the minimum requirements for using the FreeBSD Security ThinAgents.


Chapter 3 FreeBSD OpenBSM Audit Configuration

3.1 Introduction

This chapter will explain the basic steps to get OpenBSM (Open Basic Security Module) auditing working on a new FreeBSD host, and the minimum requirements that need to be set before creating the first ThinAgent.

3.2 First Steps

OpenBSM auditing is not enabled by default on FreeBSD, so first check whether it is already running on the system: look for a process named auditd in the process list, or run /etc/rc.d/auditd status.

Before configuring the OpenBSM audit module for the first time, you have to enable auditing for the system; you need to be a superuser to do that. To enable auditing, add the line auditd_enable="YES" to the file /etc/rc.conf. This makes auditd start automatically at every boot; to start it immediately without rebooting, run /etc/rc.d/auditd start as root.

If you want to disable auditing, you may do it at any time by changing the auditd_enable line to NO.

3.3 Audit Classes Overview

The following description of audit classes is taken from the Sun Solaris System Administration Guide: Security Services. It applies equally to OpenBSM on FreeBSD, which uses the same model and the same files under /etc/security, with one difference: FreeBSD's audit_control file has no plug-in line.

Security-relevant system actions can be audited. These auditable actions are defined as audit events. Audit events are listed in the /etc/security/audit_event file. Each audit event is defined in the file by an event number, a symbolic name, a short description, and the set of audit classes to which the event belongs. For more information on the audit_event file, see the audit_event(5) man page.

Each audit event belongs to an audit class or classes. Audit classes are convenient containers for large numbers of audit events. When you preselect a class to be audited, you specify that all the events in that class should be recorded in the audit trail. You can preselect for events on a system and for events initiated by a particular user. After the auditing service is running, you can dynamically add or remove audit classes from the preselected classes.


• System-wide preselection: specify system-wide defaults for auditing in the flags, naflags, and plug-in lines in the audit_control file.

• User-specific preselection: specify additions to the system-wide auditing defaults for individual users in the audit_user database. The audit preselection mask determines which classes of events are audited for a user. The user's audit preselection mask is a combination of the system-wide defaults and the audit classes that are specified for the user.

A postselection command, auditreduce, enables you to select records from the preselected audit records. This is the way the FreeBSD Security ThinAgents retrieve the records from the audit trail.

Audit classes are defined in the /etc/security/audit_class file. Each entry contains the audit mask for the class, the name for the class, and a descriptive name for the class. For example, the ps and na class definitions appear in the audit_class file as follows:

0x00100000:ps:process start/stop

0x00000400:na:non-attribute

3.4 Configuring System and User Audit

Once auditd has been enabled, you can set the basic audit parameters by modifying the /etc/security/audit_control file:

# audit_control file
dir:/var/audit
flags:lo
minfree:20
naflags:lo
policy:cnt
filesz:0

This is a sample audit_control file with the default values. Two parameters are very important for the FreeBSD Audit ThinAgents:

• flags: defines which classes of attributable events are audited for all users on the system. The classes are separated by commas. White space is allowed. In this example, the events in the lo class are audited for all users.

• naflags: the same as flags, but for non-attributable events, that is, events that cannot be attributed to an authenticated user (for example the login process before a user has authenticated). It is normally used just for the lo class.

Another important line is dir, which sets the directory where the audit trail files are stored. It can be on the local host or on any remotely mounted (NFS) file system.

Once you have defined the default audit parameters for the system, you may also specify some extra parameters at a user level by modifying the /etc/security/audit_user file. These definitions modify, for the specified user, the preselected classes in the audit_control file.


The audit_user lines have the following format:

username:always-audit:never-audit

# audit_user file
jsmith:ex:no
root:lo,ex,fc,fd,fr,fm:no
margaret:lo:no
operator:ex:lo

Every line must carry all three fields; the value no in the always-audit or never-audit field means no classes.

For this audit_user sample file we have set some user-specific audit parameters:

• For the user jsmith we have enabled the ex class

• for root we have enabled several other classes

• for margaret we only want the lo one, and

• for operator we have enabled ex and disabled any event coming from the lo class.

Depending on your needs, you may want to enable certain classes at a system-wide level and certain others at a user-specific level.

Note Each FreeBSD Security Audit ThinAgent will need to have some specific classes enabled in order to work properly. You will find the requirements for each agent in this document and also in the ThinAgents labels.

3.5 Configuring Audit Policies

Audit policy determines the characteristics of the audit records for the local system. The policy options are set in the policy line of the /etc/security/audit_control file.

Most audit policy options are disabled by default to minimize storage requirements and system processing demands. You can permanently enable and disable the policy options by modifying the audit_control file:

# audit_control file
dir:/var/audit
flags:lo
minfree:20
naflags:lo
policy:cnt
filesz:0

This is a sample /etc/security/audit_control file with the default values. With this configuration most FreeBSD Audit ThinAgents can retrieve some basic information, with the exception of the FreeBSD Programs Executed and FreeBSD Command Management ThinAgents. To get those agents working properly you need to modify the policy line of this file:


policy:cnt,argv

Without this modification you will not be able to retrieve information about command executions: the argv policy makes the kernel record the arguments of every executed command. After editing audit_control, run audit -s (or restart auditd) so that the daemon re-reads the file and applies the new policy; records already written are not affected.

3.6 User Permissions
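As an added check (example code in Python, not the product's own script and not part of OpenBSM), the following compares an audit_control file with what the ThinAgents need and returns a corrected copy: required classes are appended to flags and the argv policy is appended to policy, keeping the cnt policy from the sample above. The file content is the default sample from this chapter, embedded as a constructed string; which classes are required is an input, since it depends on the ThinAgents you deploy.

```python
"""Check and correct the audit_control directives the ThinAgents rely on.

Added example, not the product's script and not part of OpenBSM.  It
reports missing system-wide classes and policies for a given
audit_control text and returns a corrected copy; comments and other
lines are left untouched.  The sample text is the default file from
this chapter, embedded as a constructed string.
"""

DEFAULT_AUDIT_CONTROL = """\
# audit_control file
dir:/var/audit
flags:lo
minfree:20
naflags:lo
policy:cnt
filesz:0
"""


def _items(value):
    """'cnt, argv' -> ['cnt', 'argv'] (white space around commas is allowed)."""
    return [v.strip() for v in value.split(",") if v.strip()]


def _directives(text):
    """key -> value for every non-comment line of audit_control."""
    out = {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            key, _, value = stripped.partition(":")
            out[key.strip()] = value.strip()
    return out


def audit_control_findings(text, required_classes=("lo",), required_policies=("cnt", "argv")):
    """Human-readable list of what is missing; an empty list means all is set."""
    conf = _directives(text)
    findings = []
    if "dir" not in conf:
        findings.append("dir: audit trail directory is not set")
    flags = _items(conf.get("flags", ""))
    for cls in required_classes:
        if cls not in flags:
            findings.append("flags: class %r is not preselected system-wide" % cls)
    policy = _items(conf.get("policy", ""))
    for pol in required_policies:
        if pol not in policy:
            findings.append("policy: %r is not set" % pol)
    return findings


def fix_audit_control(text, required_classes=("lo",), required_policies=("cnt", "argv")):
    """Return (corrected_text, changed).

    Missing classes/policies are appended to the existing flags and policy
    lines, which are added at the end if absent; everything else is kept
    as is.  Applying it to already-correct text returns it unchanged.
    """
    wanted = {"flags": list(required_classes), "policy": list(required_policies)}
    out, seen, changed = [], set(), False
    for line in text.splitlines():
        stripped = line.strip()
        key, _, value = stripped.partition(":")
        key = key.strip()
        if stripped.startswith("#") or key not in wanted:
            out.append(line)
            continue
        seen.add(key)
        items = _items(value)
        for item in wanted[key]:
            if item not in items:
                items.append(item)
                changed = True
        out.append("%s:%s" % (key, ",".join(items)))
    for key in ("flags", "policy"):
        if key not in seen:
            out.append("%s:%s" % (key, ",".join(wanted[key])))
            changed = True
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    for problem in audit_control_findings(DEFAULT_AUDIT_CONTROL, ("lo", "ex")):
        print("missing:", problem)
    print(fix_audit_control(DEFAULT_AUDIT_CONTROL, ("lo", "ex"))[0])
```

The returned text is what root would write back to /etc/security/audit_control; auditd then has to re-read it (audit -s) before the new flags and policy take effect.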

In order to let the FreeBSD Security ThinAgents retrieve the audit records, you need to provide a special user for the remote SSH connection. This user doesn't need to be a superuser, but will need full read access to the audit trail directory and any file inside it.

You may check the path where audit trails are being saved by taking a look at the dir line of the /etc/security/audit_control file. The default path is /var/audit/.

The FreeBSD Security ThinAgents data source stores a file pointer in a path you specify, so you also need to guarantee write permission on that path; it can be the user's home directory, the /var/audit/ directory itself, or any other path.

To sum up, the user requirements are:

• Remote access with SSH or TELNET. TELNET sends the password and every retrieved audit record over the network in clear text, so use SSH unless there really is no alternative.

• Full read permissions to the path where the audit trails are stored and every file inside it.

• Full write permissions to the path where you want to save the file pointer for the incremental queries.

Note FreeBSD 7.x includes a predefined group named audit which has full read access to the audit trails without need to be superuser, so we recommend you add the user to that group.

Note It is possible to use the sudo command in order to avoid giving an administrative role to the user. To do this, follow these steps:

Step 1. Install the sudo utility in the FreeBSD host

Step 2. Add the following line to the sudoers file with visudo (for sudo installed from the FreeBSD ports collection the file is /usr/local/etc/sudoers rather than /etc/sudoers):

username ALL=NOPASSWD: /usr/sbin/auditreduce

This rule lets username run auditreduce as root with any arguments, so it can read trail files anywhere on the system and not only under the audit trail directory. Prefer membership of the audit group described above where that is sufficient, and keep the sudo rule for hosts where the trails cannot be made readable otherwise.

Step 3. Add the sudo command into the Pre Command data source parameter.


Chapter 4 Common Configuration

This chapter describes the default configuration, which is common to all FreeBSD Security ThinAgents. The individual ThinAgent sections describe the variables available for each ThinAgent and any ThinAgent-specific configuration, where applicable.

4.1 Data Source Configuration

The data source configuration consists of two tabs:

• General Settings

• Options

4.1.1 General Settings

Main Information

By default the data source uses the ThinAgent name as the data source name, but you can change it here to suit your monitoring needs and add a more detailed description of the data source if required.

Configuration variables and default settings:

Name (default: FreeBSD auditreduce Output DataSource): Use the default provided or enter a new name for the data source. Tip: add the host name you are monitoring to help quickly identify where problems occur.

Description (default: empty): Enter a description of the data source.

General Settings

Configuration variables and default settings:

Refresh Time: 120 (seconds)

Number of Tries: 1

Interval Between Tries: 10

Error Retry Time: 60

Target Host Settings

Configuration variables and default settings:

IP Address/DNS Name: You can enter the IP address or use the DNS name of the host.

Host Description: Host domain.

Connection Type (default: SSH): You can use the SSH or TELNET protocol.

Port Number (default: 22): You can change the default port for the remote connection.

User: User to connect to the host with.

Password: Password of the user connecting to the host.

Figure 1 – FreeBSD Audit data source - General Settings tab


4.1.2 Options

The Options tab is very important in order to get the data source configuration working properly. You have a set of parameters where you have to specify your desired settings, like audit categories to retrieve, a low level (server-side) filter, and optional parameters to the OpenBSM retrieval command.

Configuration variables and default settings:

Included Categories: ALL

Inclusion Filter: *

Exclusion Filter: (empty)

State Dir: .tango04

Backdate Hours: 24

Max Query Hours: 2

Audit Trail Files: /var/audit/*

Additional Parameters: (empty)

Pre Command: (empty)

Figure 2 – FreeBSD Audit data source - Options tab

Included Categories

This parameter sets the audit classes to retrieve from the audit trails. It acts as a filter, so only events from the selected categories are retrieved from the server, limiting network traffic and the processing time on both the FreeBSD host and the ThinkServer host. Note that each ThinAgent needs specific categories enabled at this level in order to work; for example, the FreeBSD Logon Activity ThinAgent requires the lo category, so make sure that category is included in this parameter on the attached data source.

Important Even by enabling the category at this level, it does not mean that the attached monitors will retrieve the information, you also have to have the category enabled in the /etc/security/ audit_control or /etc/security/audit_user scripts. For more information about server-side configuration please see Chapter 3 - FreeBSD OpenBSM Audit Configuration on page 4.

For a complete reference of audit classes please see Appendix A: OpenBSM Audit Classes on page 38.

Inclusion and Exclusion Filters

The Inclusion and Exclusion filter parameters each take a single regular expression that is applied, on the server side, to every record returned by the query. Be careful with the expressions you use: they are matched against the raw record text, so a loose pattern may discard more records than intended. Because the filtering happens directly on the output of the executed query, this is the most aggressive filter available: discarded events never reach ThinkServer, which can be a considerable performance gain. On the other hand it is limited, as it allows only one inclusion regex and one exclusion regex for the entire data source. For fine-grained filtering, use the ThinAgent-specific filters.

State Dir

The FreeBSD Security Audit data source uses an incremental-reading architecture: it keeps a pointer to the last event read and uses it as the starting point of the next refresh. This pointer is a file stored on the remote server (the audit state file). In this parameter you set the remote directory where this file is kept. Make sure the directory is writable by the user you use to connect to this data source. The file is stored inside that directory with the extension .<ID>, where <ID> is the data source's unique ID. If the directory does not exist, it is created automatically. If you leave this field empty, the state file is stored in the user's default directory (normally the home directory). The default value, .tango04, is a hidden directory inside the user's default directory.

Backdate Hours

This parameter defines how many hours of historical records to retrieve when the data source runs for the first time. A value of 24 makes the data source start querying at exactly the current hour, minute and second, but from the previous day; events older than 24 hours are never retrieved.

Note This value will be used ONLY when the audit state file doesn't exist. If you set it to 0 then it won't retrieve any historical records, it will read just from the current time.

Max Query Hours

This parameter is very important. The internal data source script uses a block-based query engine: every refresh retrieves at most this many hours of records, which avoids performance problems when there is a backlog. Suppose the limit is 1 hour: if you start the data source and the time range still to be retrieved from the historical records is longer than 1 hour, this refresh retrieves only the first hour, and each following refresh retrieves the next block of N (here 1) hours until the data source reaches the current time.

Example

If you start the ThinAgents for the first time with:

• a Backdate Hours value of 24

• a Max Query Hours value of 2

• a refresh time of the assigned data source of 60 seconds

Then it takes 12 minutes to retrieve the last 24 hours: each refresh retrieves a block of up to 2 hours, and refreshes are one minute apart.

If you set a Max Query Hours value of 24, and the Backdate Hours is also 24, and of course it is the first time the data source runs, then it will retrieve the entire day in only one refresh.

Normally you can set this parameter to 2 or 3 hours without problems, but that depends on the volume of data the FreeBSD host generates. You can adjust the parameter at any time: if few events are being retrieved, increase the block; if the number of events reaching ThinkServer is very high and performance suffers (on the FreeBSD host or on ThinkServer), decrease the block. The maximum allowed value is 24.

Additional Parameters

The data source script uses the OpenBSM auditreduce tool to retrieve the audit records from the audit trails. auditreduce accepts options that change its default behaviour. The default value of this field is empty, so the data source runs auditreduce with its defaults; if you want to change how auditreduce works, add the options here.

You can use any valid auditreduce option except -a, -b and -c (the after-date, before-date and audit class selectors), which are reserved for the internal data source script.

For more information about custom auditreduce parameters please take a look at the OpenBSM man pages.
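The block-based retrieval described above can be written down as a small scheduler. The following is an added Python example, not the Tango/04 data source script (whose internals the guide does not describe): it models the documented behaviour, namely Backdate Hours on the first run, at most Max Query Hours per refresh, resumption from the saved pointer and a stop at the current time, and renders each block as the -a/-b/-c options that auditreduce accepts, which is why those three options are reserved. The timestamps are constructed for the example.

```python
"""Query windows for incremental, block-based retrieval with auditreduce.

Added example (not the Tango/04 data source script, whose internals the
guide does not describe).  It models the documented behaviour: start
Backdate Hours before now on the first run, otherwise resume at the
saved pointer, never fetch more than Max Query Hours per refresh, and
stop at the current time.  Timestamps are constructed for the example.
"""
from datetime import datetime, timedelta

TS_FORMAT = "%Y%m%d%H%M%S"   # date form accepted by auditreduce -a / -b
MAX_QUERY_HOURS_LIMIT = 24   # upper bound the Options tab allows


def parse_ts(ts):
    return datetime.strptime(ts, TS_FORMAT)


def next_window(state, now, backdate_hours, max_query_hours):
    """(start, end) datetimes for this refresh, or None when caught up.

    state is the pointer saved by the previous refresh; None means the
    audit state file does not exist yet (first run), in which case
    Backdate Hours decides where to start (0 = from now only).
    """
    if not 0 < max_query_hours <= MAX_QUERY_HOURS_LIMIT:
        raise ValueError("Max Query Hours must be between 1 and %d" % MAX_QUERY_HOURS_LIMIT)
    start = state if state is not None else now - timedelta(hours=backdate_hours)
    if start >= now:
        return None
    end = min(start + timedelta(hours=max_query_hours), now)
    return start, end


def auditreduce_args(window, classes):
    """The reserved -a/-b/-c options for one window."""
    start, end = window
    return ["-a", start.strftime(TS_FORMAT), "-b", end.strftime(TS_FORMAT), "-c", classes]


def plan_queries(now_ts, state_ts, backdate_hours, max_query_hours, classes="lo"):
    """Option lists for every refresh until the reader reaches now_ts.

    now_ts and state_ts are YYYYMMDDHHMMSS strings; state_ts is None on
    the first run.  Each refresh's end becomes the next refresh's pointer.
    """
    now = parse_ts(now_ts)
    state = parse_ts(state_ts) if state_ts else None
    plans = []
    while True:
        window = next_window(state, now, backdate_hours, max_query_hours)
        if window is None:
            return plans
        plans.append(auditreduce_args(window, classes))
        state = window[1]


if __name__ == "__main__":
    # 24 hours of backlog in 2-hour blocks: 12 refreshes, as in the guide's example.
    for args in plan_queries("20110307120000", None, 24, 2):
        print("auditreduce", " ".join(args), "/var/audit/* | praudit")
```

The end time of each window is what the reader would save in the audit state file; with Backdate Hours 24 and Max Query Hours 2 the cold start takes 12 refreshes, matching the example in the guide, and with Max Query Hours 24 it takes one.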

Pre Command

This parameter lets you run commands on the server side before the data source script executes. You can execute whatever you want here, with one rule: do not write to stdout.

This limitation exists because the data source reads the script's output with a parser that expects the exact format the script returns. Anything your pre command writes to stdout is mixed into that output and the parser fails. If you need to print results, redirect them to a file with the > operator, or to /dev/null if you don't need them.

A good example of using this parameter is the sudo command, to avoid giving an administrative role to the user.

4.2 Common ThinAgent Configuration

Once you have selected a data source, the monitor configuration opens in a new window.


4.2.1 Main Information

Start by giving your monitor a name and adding a description. By default the monitor uses the ThinAgent name, but you can change this to suit your monitoring needs.

If you need to make any changes to the data source you can do it in this tab. To change the data source click the Select data source button and select a data source from the list that appears. To edit the current data source click the Edit data source button.

Figure 3 – FreeBSD Custom Audit configuration

4.2.2 Filters

Each ThinAgent has a set of inclusion filters based on regular expressions. Compared with the data source's low-level filter these are medium-level filters: they are processed on the ThinkServer side, after the records have been retrieved and parsed by the data source, so you can set monitor-specific filters here. The big advantage of these filters is that they work on the individual variables already parsed by the data source, rather than on the raw record text.

All the ThinAgents have the same set of variables in the filter table; remember that these filters are monitor-specific and they use regular inclusion expressions.

Second level filters table:

Filter: Description

Event Host: The host where the record was generated. If you are using a concentrator server, you may have records from several hosts.

Audit ID (user): The audit ID is the original user taking the action, even if he switched to another user with extended permissions.

Effective User: The effective user is the user adopting the action; if you switched from another user, this is the new user.

Effective Group: The primary group of the effective user.

Real User: The real user is the user executing the process; in most cases it is root.

Real Group: The primary group of the real user.

Terminal ID: The terminal ID is a unique identifier for a specific terminal; it also shows IP addresses where possible.

Error Status: The error status is the result of the operation; in almost every case it is success or failure.

4.2.3 Additional Filters

As an additional option, you may set some high-level filters in the monitor script. By default, some monitors define a group of Python variables in the Additional Parameters tab of the script wizard. Unlike the low- and medium-level filters, these are exclusion filters rather than inclusion filters, and they are written as comma-separated values rather than regular expressions. Not all monitors have these filters; some ship with predefined ones, listed in the Predefined High-Level Exclusion Filters sections of the following chapters.

4.2.4 Default Message Templates

All the FreeBSD Security ThinAgents have the same template except for the FreeBSD Session Threshold. Please see section 7.3 - FreeBSD Session Threshold on page 30 for more information regarding the differences.

The template sent to SmartConsole as the main message text is always the audit event exactly as retrieved from the audit trail; this guarantees that you have access to the OpenBSM audit record in unmodified form.

4.2.5 Common Variables for All FreeBSD Security ThinAgents

A list of variables common to all the ThinAgents is provided here. Please note that these are not listed in the chapters for individual ThinAgents.

Variable: Description

BSMCategory: An internal VMC category ID optimized for filters.

BSMDescription: A short description of the VMC category ID.

AuditEvent_Event: The audit event ID of the record. This ID identifies the type of audit record being read.

AuditEvent_AuditID: The audit ID is the original user taking the action, even if he switched to another user with extended permissions.

AuditEvent_EffectiveUserID: The effective user is the user adopting the action; if you switched from another user, this is the new user.

AuditEvent_EffectiveGroupID: The primary group of the effective user.

AuditEvent_RealUserID: The real user is the user executing the process; in most cases it is root.

AuditEvent_RealGroupID: The primary group of the real user.

AuditEvent_ProcessID: The process ID of the event (PID).

AuditEvent_AuditSessionID: The session ID of the user.

AuditEvent_TerminalID: The terminal ID is a unique identifier for a specific terminal; it also shows IP addresses where possible.

AuditEvent_ErrorStatus: The error status is the result of the operation; in almost every case it is success or failure.

4.2.6 Field Map SmartConsole – ThinkServer

The ThinkServer sends a message to the SmartConsole every time the monitor runs. By default it sends the following variables for all the FreeBSD Security ThinAgents (except the FreeBSD Session Threshold):

SmartConsole ThinkServer Description

SYSTEM Host The system where the audit trails are STORED; this may not be the generator of the event if a concentrator is used. It is always the host specified in the data source IP/DNS.

COMPUTERNAME AuditEvent_Host The host name where the event was generated. This may not be the same host where the audit trails are read if a concentrator is used.

Var01 BSMCategory An internal VMC category ID optimized for filters.

Var02 BSMDescription A short description of the VMC category ID.

Var03 AuditEvent_Event The audit event ID of the record. This ID identifies the type of audit record being read.

Var04 Host The system where the audit trails are STORED; this may not be the generator of the event if a concentrator is used. It is always the host specified in the data source IP/DNS.

Var05 AuditEvent_AuditID The Audit ID is the original user taking the action, even if that user switched to another user with extended permissions.

Var06 AuditEvent_EffectiveUserID The effective user is the user performing the action; if a switch from another user was made, this is the new user.

Var07 AuditEvent_EffectiveGroupID The primary group of the effective user.

Var08 AuditEvent_RealUserID The real user is the user executing the process; in most cases it is root.

Var09 AuditEvent_RealGroupID The primary group of the real user.

Var10 AuditEvent_ProcessID The process ID of the event (PID).

Var11 AuditEvent_AuditSessionID The session ID of the user.

Var12 AuditEvent_TerminalID The terminal ID is a unique identifier for a specific terminal; it also shows IP addresses when possible.

Var13 AuditEvent_ErrorStatus The return status is the result of the operation; in almost every case it is success or failure.
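As an added example (not code from this guide or from the ThinkServer product), the following Python parses an OpenBSM record in the text form printed by praudit(1) and fills the common AuditEvent_* variables listed above, plus AuditEvent_ReturnValue and the failure text used for event_description. The two records, user names and addresses are constructed for the example.

```python
"""Added example, not part of the Tango/04 guide or the ThinkServer product:
map the header, subject and return tokens of a praudit(1) text record onto
the common AuditEvent_* variables. Sample records are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed praudit-style record (comma-separated tokens, one per line).
# subject token order: audit uid, euid, egid, ruid, rgid, pid, sid, tid,
# where the tid is printed as "port,address".
SAMPLE_OK = """header,133,10,execve(2),0,Tue Mar  1 10:15:03 2011, + 384 msec
exec arg,finger,doug
path,/usr/bin/finger
attribute,555,root,wheel,90,24918,104944
subject,robert,root,wheel,root,wheel,38439,38032,42086,192.0.2.100
return,success,0
trailer,133"""

# Constructed failed operation: praudit prints the errno text after "failure".
SAMPLE_FAIL = """header,97,10,open(2) - read,0,Tue Mar  1 10:16:11 2011, + 12 msec
path,/etc/master.passwd
subject,alice,alice,users,alice,users,38450,38032,42090,192.0.2.100
return,failure : Permission denied,-1
trailer,97"""


@dataclass
class AuditEvent:
    Event: str
    AuditID: str            # original user; survives a later su(1)
    EffectiveUserID: str    # user after the switch, if any
    EffectiveGroupID: str
    RealUserID: str
    RealGroupID: str
    ProcessID: int
    AuditSessionID: int
    TerminalID: str         # "port,address" exactly as printed by praudit
    ErrorStatus: str        # "success" or "failure"
    ReturnValue: int
    event_description: str  # errno text; empty for successful operations


def tokenize(text: str) -> dict[str, list[str]]:
    """Split a record into {token name: fields}; the first token of each type wins."""
    tokens: dict[str, list[str]] = {}
    for line in text.splitlines():
        name, _, rest = line.partition(",")
        tokens.setdefault(name, rest.split(","))
    return tokens


def parse_record(text: str) -> AuditEvent:
    """Fill the ThinAgent variables from one praudit text record."""
    tok = tokenize(text)
    header = tok["header"]          # record length, version, event, modifier, time
    subj = tok["subject"]
    if len(subj) < 9:
        raise ValueError("subject token has fewer fields than expected")
    ret = tok.get("return", ["failure", "-1"])
    status, _, description = ret[0].partition(" : ")
    return AuditEvent(
        Event=header[2],
        AuditID=subj[0],
        EffectiveUserID=subj[1],
        EffectiveGroupID=subj[2],
        RealUserID=subj[3],
        RealGroupID=subj[4],
        ProcessID=int(subj[5]),
        AuditSessionID=int(subj[6]),
        TerminalID=",".join(subj[7:9]),
        ErrorStatus=status,
        ReturnValue=int(ret[1]),
        event_description=description,
    )


if __name__ == "__main__":
    for record in (SAMPLE_OK, SAMPLE_FAIL):
        print(parse_record(record))
```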


Chapter 5

FreeBSD Custom Audit ThinAgent

The FreeBSD Custom Audit ThinAgent reads all events from the audit trails. This ThinAgent acts as a default template that lets you define custom filters and retrieve specific data. The main configuration of this agent is done through the medium-level filters: by default it gets all the data the data source can retrieve and then processes the regular expressions defined by the user.

Note As this monitor does not have any filter by default, it can generate enormous amount of events in just one refresh, so it should be used with caution, and not started until a set of preliminary filters are defined.

5.1 ThinAgent Variables

The following variables are used by this ThinAgent:

Variable Description

AuditEvent_ReturnValue A numeric return value related to the AuditEvent_ReturnStatus

5.2 Default Health Settings

By default Health is set to:

• Success in all cases

Change the default health rules to meet your monitoring needs.

5.3 Field Map SmartConsole – ThinkServer

The ThinkServer sends a message to the SmartConsole every time the monitor is run. By default it sends the following variables:

SmartConsole ThinkServer Description

Var14 AuditEvent_ReturnValue A numeric return value related to the AuditEvent_ReturnStatus

5.4 Predefined High-Level Exclusion Filters

This ThinAgent doesn't have any predefined high-level exclusion filter.


Chapter 6

FreeBSD File System ThinAgents

6.1 FreeBSD File Content Accessed

The FreeBSD File Content Accessed ThinAgent reads all events concerning file reading operations. In order to get this agent working, you need to have the category fr included in the assigned data source and enabled in the FreeBSD BSM Audit Daemon (see Chapter 3 - FreeBSD OpenBSM Audit Configuration on page 4 for more information).

Note This agent may generate a large amount of events, so you should use some exclusion filters before starting it.

6.1.1 ThinAgent Variables

The following variables are used by this ThinAgent:

Variable Description

event_description A description of the event; usually it only explains failure operations.

possibleIP The AuditEvent_TerminalID variable consists of a series of IDs, including a remote IP when the connection was made from a remote host. In those cases the ThinAgent extracts only the IP and assigns it to this variable. For localhost operations this value is empty.

path The path where the file is stored.

absolute_file The full file name and path.

relative_file The file name without the path.

6.1.2 Default Health Settings

By default Health is set to:

• Warning if the AuditEvent_ErrorStatus variable is failure

• Success in all other cases

Change the default health rules to meet your monitoring needs.


6.1.3 Field Map SmartConsole – ThinkServer

The ThinkServer sends a message to the SmartConsole every time the monitor is run. By default it sends the following variables:

SmartConsole ThinkServer Description

Var14 event_description A description of the event; usually it only explains failure operations.

Var15 possibleIP The AuditEvent_TerminalID variable consists of a series of IDs, including a remote IP when the connection was made from a remote host. In those cases the ThinAgent extracts only the IP and assigns it to this variable. For localhost operations this value is empty.

Var16 path The path where the file is stored.

Var17 absolute_file The full file name and path.

Var18 relative_file The file name without the path.

6.1.4 Predefined High-Level Exclusion Filters

The ThinAgent comes with 5 predefined exclusion filters:

• EXCLUDED_USER_LIST: a list of comma-separated user names (AuditID) you want to exclude.

• EXCLUDED_GROUP_LIST: a list of comma-separated group names (EffectiveGroupID) you want to exclude.

• EXCLUDED_IP_LIST: a list of comma-separated IP addresses you want to exclude.

• EXCLUDED_FILE_LIST: a list of comma-separated program names you want to exclude.

• EXCLUDED_DIR_LIST: a list of comma-separated program names you want to exclude (by default, the /var, /temp and /dev directories are excluded).

6.2 FreeBSD File Content Modified

The FreeBSD File Content Modified ThinAgent reads all events concerning file writing operations. In order to get this agent working, you need to have the category fw included in the assigned data source and enabled in the FreeBSD OpenBSM Audit Daemon (see Chapter 3 - FreeBSD OpenBSM Audit Configuration on page 4 for more information).

Note This agent may generate a large amount of events, so you may want to use some exclusion filters before starting it.


6.2.1 ThinAgent Variables

The following variables are used by this ThinAgent:

Variable Description

event_description A description of the event; usually it only explains failure operations.

possibleIP The AuditEvent_TerminalID variable consists of a series of IDs, including a remote IP when the connection was made from a remote host. In those cases the ThinAgent extracts only the IP and assigns it to this variable. For localhost operations this value is empty.

path The path where the file is stored.

absolute_file The full file name and path.

relative_file The file name without the path.

6.2.2 Default Health Settings

By default Health is set to:

• Warning if the AuditEvent_ErrorStatus variable is failure

• Success in all other cases

Change the default health rules to meet your monitoring needs.

6.2.3 Field Map SmartConsole – ThinkServer

The ThinkServer sends a message to the SmartConsole every time the monitor is run. By default it sends the following variables:

SmartConsole ThinkServer Description

Var14 event_description A description of the event; usually it only explains failure operations.

Var15 possibleIP The AuditEvent_TerminalID variable consists of a series of IDs, including a remote IP when the connection was made from a remote host. In those cases the ThinAgent extracts only the IP and assigns it to this variable. For localhost operations this value is empty.

Var16 path The path where the file is stored.

Var17 absolute_file The full file name and path.

Var18 relative_file The file name without the path.

6.2.4 Predefined High-Level Exclusion Filters

The ThinAgent comes with 5 predefined exclusion filters:

• EXCLUDED_USER_LIST: a list of comma-separated user names (AuditID) you want to exclude.


• EXCLUDED_GROUP_LIST: a list of comma-separated group names (EffectiveGroupID) you want to exclude.

• EXCLUDED_IP_LIST: a list of comma-separated IP addresses you want to exclude.

• EXCLUDED_FILE_LIST: a list of comma-separated program names you want to exclude.

• EXCLUDED_DIR_LIST: a list of comma-separated program names you want to exclude (by default, the /var, /temp and /dev directories are excluded).

6.3 FreeBSD File/Directory Attribute Accessed

The FreeBSD File/Directory Attribute Accessed ThinAgent reads all events concerning file attribute reading operations. In order to get this agent working, you need to have the category fa included in the assigned data source and enabled in the FreeBSD OpenBSM Audit Daemon (see Chapter 3 - FreeBSD OpenBSM Audit Configuration on page 4 for more information).

Note This agent may generate a large amount of events, so you should use some exclusion filters before starting it.

Important There is a known issue which affects performance and generates thousands of GBs of data in the audit trails when this option is enabled in FreeBSD version 7.1. Please contact your FreeBSD technical support before enabling this category in the audit_control file.

6.3.1 ThinAgent Variables

The following variables are used by this ThinAgent:

Variable Description

event_description A description of the event; usually it only explains failure operations.

possibleIP The AuditEvent_TerminalID variable consists of a series of IDs, including a remote IP when the connection was made from a remote host. In those cases the ThinAgent extracts only the IP and assigns it to this variable. For localhost operations this value is empty.

path The path where the file is stored.

absolute_file The full file name and path.

relative_file The file name without the path.

accessmodeandtype The access mode.

owneruserID The owner user ID.

ownergroupID The owner group ID.

filesystemID The file system ID.

nodeID The node ID.

deviceID The device ID.


6.3.2 Default Health Settings

By default Health is set to:

• Warning if the AuditEvent_ErrorStatus variable is failure

• Success in all other cases

Change the default health rules to meet your monitoring needs.

6.3.3 Field Map SmartConsole – ThinkServer

The ThinkServer sends a message to the SmartConsole every time the monitor is run. By default it sends the following variables:

SmartConsole ThinkServer Description

Var14 event_description A description of the event; usually it only explains failure operations.

Var15 possibleIP The AuditEvent_TerminalID variable consists of a series of IDs, including a remote IP when the connection was made from a remote host. In those cases the ThinAgent extracts only the IP and assigns it to this variable. For localhost operations this value is empty.

Var16 path The path where the file is stored.

Var17 absolute_file The full file name and path.

Var18 relative_file The file name without the path.

Var19 accessmodeandtype The access mode.

Var20 owneruserID The owner user ID.

Var21 ownergroupID The owner group ID.

Var22 filesystemID The file system ID.

Var23 nodeID The node ID.

Var24 deviceID The device ID.

6.3.4 Predefined High-Level Exclusion Filters

The ThinAgent comes with 5 predefined exclusion filters:

• EXCLUDED_USER_LIST: a list of comma-separated user names (AuditID) you want to exclude.

• EXCLUDED_GROUP_LIST: a list of comma-separated group names (EffectiveGroupID) you want to exclude.

• EXCLUDED_IP_LIST: a list of comma-separated IP addresses you want to exclude.

• EXCLUDED_FILE_LIST: a list of comma-separated program names you want to exclude.


• EXCLUDED_DIR_LIST: a list of comma-separated program names you want to exclude (by default, the /var, /temp and /dev directories are excluded).

6.4 FreeBSD File/Directory Attribute Modified

The FreeBSD File/Directory Attribute Modified ThinAgent reads all events concerning file attribute writing operations. In order to get this agent working, you need to have the category fm included in the assigned data source and enabled in the FreeBSD BSM Audit Daemon (see Chapter 3 - FreeBSD OpenBSM Audit Configuration on page 4 for more information).

Note This agent may generate a large amount of events, so you should use some exclusion filters before starting it.

6.4.1 ThinAgent Variables

The following variables are used by this ThinAgent:

Variable Description

event_description A description of the event; usually it only explains failure operations.

possibleIP The AuditEvent_TerminalID variable consists of a series of IDs, including a remote IP when the connection was made from a remote host. In those cases the ThinAgent extracts only the IP and assigns it to this variable. For localhost operations this value is empty.

path The path where the file is stored.

absolute_file The full file name and path.

relative_file The file name without the path.

accessmodeandtype The access mode.

owneruserID The owner user ID.

ownergroupID The owner group ID.

filesystemID The file system ID.

nodeID The node ID.

deviceID The device ID.

6.4.2 Default Health Settings

By default Health is set to:

• Warning if the AuditEvent_ErrorStatus variable is failure

• Success in all other cases

Change the default health rules to meet your monitoring needs.


6.4.3 Field Map SmartConsole – ThinkServer

The ThinkServer sends a message to the SmartConsole every time the monitor is run. By default it sends the following variables:

SmartConsole ThinkServer Description

Var14 event_description A description of the event; usually it only explains failure operations.

Var15 possibleIP The AuditEvent_TerminalID variable consists of a series of IDs, including a remote IP when the connection was made from a remote host. In those cases the ThinAgent extracts only the IP and assigns it to this variable. For localhost operations this value is empty.

Var16 path The path where the file is stored.

Var17 absolute_file The full file name and path.

Var18 relative_file The file name without the path.

Var19 accessmodeandtype The access mode.

Var20 owneruserID The owner user ID.

Var21 ownergroupID The owner group ID.

Var22 filesystemID The file system ID.

Var23 nodeID The node ID.

Var24 deviceID The device ID.

6.4.4 Predefined High-Level Exclusion Filters

The ThinAgent comes with 5 predefined exclusion filters:

• EXCLUDED_USER_LIST: a list of comma-separated user names (AuditID) you want to exclude.

• EXCLUDED_GROUP_LIST: a list of comma-separated group names (EffectiveGroupID) you want to exclude.

• EXCLUDED_IP_LIST: a list of comma-separated IP addresses you want to exclude.

• EXCLUDED_FILE_LIST: a list of comma-separated program names you want to exclude.

• EXCLUDED_DIR_LIST: a list of comma-separated program names you want to exclude (by default, the /var, /temp and /dev directories are excluded).

6.5 FreeBSD File/Directory Created/Deleted

The FreeBSD File/Directory Created/Deleted ThinAgent reads all events concerning file and directory creation and deletion operations. In order to get this agent working, you need to have the fc and fd categories included in the assigned data source and enabled in the FreeBSD BSM Audit Daemon (see Chapter 3 - FreeBSD OpenBSM Audit Configuration on page 4 for more information).


6.5.1 ThinAgent Variables

The following variables are used by this ThinAgent:

Variable Description

event_description A description of the event; usually it only explains failure operations.

possibleIP The AuditEvent_TerminalID variable consists of a series of IDs, including a remote IP when the connection was made from a remote host. In those cases the ThinAgent extracts only the IP and assigns it to this variable. For localhost operations this value is empty.

path The path where the file is stored.

absolute_file The full file name and path.

relative_file The file name without the path.

new_path In case of a rename (mv command), this variable shows the new filename and path.

6.5.2 Default Health Settings

By default Health is set to:

• Warning if the AuditEvent_ErrorStatus variable is failure

• Success in all other cases

Change the default health rules to meet your monitoring needs.

6.5.3 Field Map SmartConsole – ThinkServer

The ThinkServer sends a message to the SmartConsole every time the monitor is run. By default it sends the following variables:

SmartConsole ThinkServer Description

Var14 event_description A description of the event; usually it only explains failure operations.

Var15 possibleIP The AuditEvent_TerminalID variable consists of a series of IDs, including a remote IP when the connection was made from a remote host. In those cases the ThinAgent extracts only the IP and assigns it to this variable. For localhost operations this value is empty.

Var16 path The path where the file is stored.

Var17 absolute_file The full file name and path.

Var18 relative_file The file name without the path.

Var19 new_path In case of a rename (mv command), this variable shows the new filename and path.


6.5.4 Predefined High-Level Exclusion Filters

The ThinAgent comes with 5 predefined exclusion filters:

• EXCLUDED_USER_LIST: a list of comma-separated user names (AuditID) you want to exclude.

• EXCLUDED_GROUP_LIST: a list of comma-separated group names (EffectiveGroupID) you want to exclude.

• EXCLUDED_IP_LIST: a list of comma-separated IP addresses you want to exclude.

• EXCLUDED_FILE_LIST: a list of comma-separated program names you want to exclude.

• EXCLUDED_DIR_LIST: a list of comma-separated program names you want to exclude (by default, the /var, /temp and /dev directories are excluded).
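The five predefined exclusion filters above are shared by all the file system ThinAgents of sections 6.1 to 6.5, as are the possibleIP, path, absolute_file and relative_file variables. The following Python is an added example (not code from this guide or the ThinkServer product) that derives those variables from already parsed events and applies the filters; the event values, the filter contents other than the default EXCLUDED_DIR_LIST, and the set of addresses treated as localhost are constructed assumptions.

```python
"""Added example, not part of the Tango/04 guide or the ThinkServer product:
fill possibleIP/path/relative_file and apply the five predefined high-level
exclusion filters to constructed file system events."""
from __future__ import annotations

import posixpath

# EXCLUDED_DIR_LIST is the default stated in the guide; the other lists are constructed.
FILTERS = {
    "EXCLUDED_USER_LIST": "backup,nagios",
    "EXCLUDED_GROUP_LIST": "operator",
    "EXCLUDED_IP_LIST": "192.0.2.50",
    "EXCLUDED_FILE_LIST": "utmp",
    "EXCLUDED_DIR_LIST": "/var,/temp,/dev",
}

# Constructed events with the variables the ThinAgent has already extracted.
EVENTS = [
    {"AuditID": "robert", "EffectiveGroupID": "wheel",
     "TerminalID": "42086,192.0.2.100", "absolute_file": "/etc/master.passwd"},
    {"AuditID": "backup", "EffectiveGroupID": "wheel",
     "TerminalID": "0,0.0.0.0", "absolute_file": "/home/alice/notes.txt"},
    {"AuditID": "alice", "EffectiveGroupID": "users",
     "TerminalID": "42100,192.0.2.50", "absolute_file": "/home/alice/.ssh/id_rsa"},
    {"AuditID": "alice", "EffectiveGroupID": "users",
     "TerminalID": "0,0.0.0.0", "absolute_file": "/var/log/messages"},
    {"AuditID": "alice", "EffectiveGroupID": "users",
     "TerminalID": "0,0.0.0.0", "absolute_file": "/variable/data.db"},
]

# Assumption: these terminal addresses mean a local session, so possibleIP stays empty.
LOCAL_ADDRESSES = {"", "0.0.0.0", "127.0.0.1", "::1"}


def possible_ip(terminal_id: str) -> str:
    """Address part of a "port,address" TerminalID; empty for local sessions."""
    address = terminal_id.rsplit(",", 1)[-1].strip()
    return "" if address in LOCAL_ADDRESSES else address


def split_file(absolute_file: str) -> tuple[str, str]:
    """Return (path, relative_file) for an absolute file name."""
    return posixpath.dirname(absolute_file), posixpath.basename(absolute_file)


def parse_list(value: str) -> list[str]:
    """Comma-separated filter value -> list of trimmed, non-empty entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def under_directory(path: str, directory: str) -> bool:
    """True if path is the directory or lies inside it (/variable is not under /var)."""
    return path == directory or path.startswith(directory.rstrip("/") + "/")


def enrich(event: dict) -> dict:
    """Add possibleIP, path and relative_file to a parsed event."""
    out = dict(event)
    out["possibleIP"] = possible_ip(event["TerminalID"])
    out["path"], out["relative_file"] = split_file(event["absolute_file"])
    return out


def exclusion_reason(event: dict, filters: dict[str, str] = FILTERS) -> str:
    """Name of the first filter that drops the event, or "" if it passes."""
    ev = enrich(event)
    if ev["AuditID"] in parse_list(filters["EXCLUDED_USER_LIST"]):
        return "EXCLUDED_USER_LIST"
    if ev["EffectiveGroupID"] in parse_list(filters["EXCLUDED_GROUP_LIST"]):
        return "EXCLUDED_GROUP_LIST"
    if ev["possibleIP"] and ev["possibleIP"] in parse_list(filters["EXCLUDED_IP_LIST"]):
        return "EXCLUDED_IP_LIST"
    if ev["relative_file"] in parse_list(filters["EXCLUDED_FILE_LIST"]):
        return "EXCLUDED_FILE_LIST"
    if any(under_directory(ev["path"], d) for d in parse_list(filters["EXCLUDED_DIR_LIST"])):
        return "EXCLUDED_DIR_LIST"
    return ""


def surviving_events(events: list[dict], filters: dict[str, str] = FILTERS) -> list[dict]:
    """Enriched events that none of the exclusion filters removed."""
    return [enrich(e) for e in events if not exclusion_reason(e, filters)]


if __name__ == "__main__":
    for e in EVENTS:
        print(e["absolute_file"], "->", exclusion_reason(e) or "kept")
```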


Chapter 7

FreeBSD User Activity ThinAgents

7.1 FreeBSD Logon Activity

The FreeBSD Logon Activity ThinAgent reads all events concerning successful and failed logins by users, from the local host or from remote hosts. In order to get this agent working, you need to have the category lo included in the assigned data source and enabled in the FreeBSD OpenBSM Audit Daemon (see Chapter 3 - FreeBSD OpenBSM Audit Configuration on page 4 for more information).

This agent also reads all switch user (su) operations.

7.1.1 ThinAgent Variables

The following variables are used by this ThinAgent:

Variable Description

event_description A description of the event; usually it only explains failure operations.

possibleIP The AuditEvent_TerminalID variable consists of a series of IDs, including a remote IP when the connection was made from a remote host. In those cases the ThinAgent extracts only the IP and assigns it to this variable. For localhost operations this value is empty.

su_user In case the operation was a switch user (su), this variable indicates the destination user, as the AuditID and EffectiveUserID will be the source user.

7.1.2 Default Health Settings

By default Health is set to:

• Warning if the AuditEvent_ErrorStatus variable is failure

• Success in all other cases

Change the default health rules to meet your monitoring needs.

7.1.3 Field Map SmartConsole – ThinkServer

The ThinkServer sends a message to the SmartConsole every time the monitor is run. By default it sends the following variables:


SmartConsole ThinkServer Description

Var14 event_description A description of the event; usually it only explains failure operations.

Var15 possibleIP The AuditEvent_TerminalID variable consists of a series of IDs, including a remote IP when the connection was made from a remote host. In those cases the ThinAgent extracts only the IP and assigns it to this variable. For localhost operations this value is empty.

Var16 su_user In case the operation was a switch user (su), this variable indicates the destination user, as the AuditID and EffectiveUserID will be the source user.

7.1.4 Predefined High-Level Exclusion Filters

The ThinAgent comes with 3 predefined exclusion filters:

• EXCLUDED_USER_LIST: a list of comma-separated user names (AuditID) you want to exclude.

• EXCLUDED_GROUP_LIST: a list of comma-separated group names (EffectiveGroupID) you want to exclude.

• EXCLUDED_IP_LIST: a list of comma-separated IP addresses you want to exclude.

7.2 FreeBSD Programs Executed

The FreeBSD Programs Executed ThinAgent reads all events concerning any program executed by the users or by the system (daemons, automated scripts, etc.). In order to get this agent working, you need to have the category ex included in the assigned data source and enabled in the FreeBSD OpenBSM Audit Daemon. You also need the argv policy enabled (see Chapter 3 - FreeBSD OpenBSM Audit Configuration on page 4 for more information).

7.2.1 ThinAgent Variables

The following variables are used by this ThinAgent:

Variable Description

event_description A description of the event; usually it only explains failure operations.

possibleIP The AuditEvent_TerminalID variable consists of a series of IDs, including a remote IP when the connection was made from a remote host. In those cases the ThinAgent extracts only the IP and assigns it to this variable. For localhost operations this value is empty.

executable The complete name of the executed binary file, including the full path.

program The executable name without path (in a user friendly format).

nargs Not supported on FreeBSD.

arguments The line of arguments executed with the program. Empty if no argument.

command The full command line executed by the user or the automated script, with program and arguments included.

7.2.2 Default Health Settings

By default Health is set to:

• Success in all cases

Change the default health rules to meet your monitoring needs.

7.2.3 Field Map SmartConsole – ThinkServer

The ThinkServer sends a message to the SmartConsole every time the monitor is run. By default it sends the following variables:

SmartConsole ThinkServer Description

Var14 event_description A description of the event; usually it only explains failure operations.

Var15 possibleIP The AuditEvent_TerminalID variable consists of a series of IDs, including a remote IP when the connection was made from a remote host. In those cases the ThinAgent extracts only the IP and assigns it to this variable. For localhost operations this value is empty.

Var16 executable The complete name of the executed binary file, including the full path.

Var17 program The executable name without path (in a user friendly format).

Var18 nargs Not supported on FreeBSD.

Var19 arguments The line of arguments executed with the program. Empty if no argument.

Var20 command The full command line executed by the user or the automated script, with program and arguments included.

7.2.4 Predefined High-Level Exclusion Filters

The ThinAgent comes with 4 predefined exclusion filters:

• EXCLUDED_USER_LIST: a list of comma-separated user names (AuditID) you want to exclude.

• EXCLUDED_GROUP_LIST: a list of comma-separated group names (EffectiveGroupID) you want to exclude.

• EXCLUDED_IP_LIST: a list of comma-separated IP addresses you want to exclude.

• EXCLUDED_PROGRAM_LIST: a list of comma-separated program names you want to exclude.

7.3 FreeBSD Session Threshold

The FreeBSD Session Threshold ThinAgent is a special monitor that works in a different way from the other FreeBSD Security ThinAgents. This agent uses its own data source to query the list of users logged on the system. It does not use the OpenBSM audit daemon, but just a standard Unix command to retrieve a snapshot with a top-five list of the most session-consuming users (users logged on with multiple sessions).

7.3.1 ThinAgent Variables

The following variables are used by this ThinAgent:

Variable Description

Host The FreeBSD system IP or DNS.

IPAddress The system IP address.

TotalOpenedSessions The total number of sessions opened on the system.

MaxSessionUser_UserName1 The user with the most sessions opened on the system.

MaxSessionUser_NumberOfSessions1 The number of sessions opened by user 1.

MaxSessionUser_UserName2 The second user with the most sessions opened on the system.

MaxSessionUser_NumberOfSessions2 The number of sessions opened by user 2.

MaxSessionUser_UserName3 The third user with the most sessions opened on the system.

MaxSessionUser_NumberOfSessions3 The number of sessions opened by user 3.

MaxSessionUser_UserName4 The fourth user with the most sessions opened on the system.

MaxSessionUser_NumberOfSessions4 The number of sessions opened by user 4.

MaxSessionUser_UserName5 The fifth user with the most sessions opened on the system.

MaxSessionUser_NumberOfSessions5 The number of sessions opened by user 5.

7.3.2 Default Health Settings

By default Health is set to:

• Critical if a same user has more than 10 opened sessions, or if there are more than 100 opened sessions.

• Warning if a same user has more than 5 opened sessions, or if there are more than 50 opened sessions.

• Warning if a same user has more than 1 opened session.

• Success in all other cases

Change the default health rules to meet your monitoring needs.
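The following Python is an added example (not code from this guide or the ThinkServer product) that builds the snapshot variables of section 7.3.1 from who(1)-style output and applies the default health rules above in order of severity. The who output, its column layout and the host name are constructed; the product's own command and data source are not described in the guide.

```python
"""Added example, not part of the Tango/04 guide or the ThinkServer product:
compute the Session Threshold variables from who(1)-style text and evaluate
the default health rules of section 7.3.2."""
from __future__ import annotations

from collections import Counter

# Constructed who(1)-style output: user, tty, login time, origin host.
WHO_OUTPUT = """\
alice   pts/0   Mar  1 09:01  (192.0.2.10)
alice   pts/1   Mar  1 09:05  (192.0.2.10)
alice   pts/2   Mar  1 09:30  (192.0.2.11)
bob     pts/3   Mar  1 08:40  (192.0.2.20)
bob     pts/4   Mar  1 08:41  (192.0.2.20)
carol   ttyv0   Mar  1 07:55
root    pts/5   Mar  1 09:45  (192.0.2.30)
"""

TOP_N = 5  # the guide's variables cover the top five users


def count_sessions(who_text: str) -> Counter:
    """Sessions per user: one who(1) line is one open session."""
    return Counter(line.split()[0] for line in who_text.splitlines() if line.strip())


def snapshot(who_text: str, host: str = "bsd-host.example") -> dict:
    """Fill Host, TotalOpenedSessions and the MaxSessionUser_* variables.

    Users are ranked by session count, ties broken by name; unused slots are
    reported as an empty user name with 0 sessions (assumption of this example).
    """
    counts = count_sessions(who_text)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:TOP_N]
    variables = {"Host": host, "TotalOpenedSessions": sum(counts.values())}
    for i in range(1, TOP_N + 1):
        user, n = ranked[i - 1] if i <= len(ranked) else ("", 0)
        variables[f"MaxSessionUser_UserName{i}"] = user
        variables[f"MaxSessionUser_NumberOfSessions{i}"] = n
    return variables


def health(variables: dict) -> str:
    """Default rules of section 7.3.2, checked from most to least severe."""
    total = variables["TotalOpenedSessions"]
    per_user = max(variables[f"MaxSessionUser_NumberOfSessions{i}"]
                   for i in range(1, TOP_N + 1))
    if per_user > 10 or total > 100:
        return "Critical"
    if per_user > 5 or total > 50:
        return "Warning"
    if per_user > 1:
        return "Warning"
    return "Success"


if __name__ == "__main__":
    snap = snapshot(WHO_OUTPUT)
    print(snap)
    print("Health:", health(snap))
```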


7.3.3 Field Map SmartConsole – ThinkServer

The ThinkServer sends a message to the SmartConsole every time the monitor is run. By default it sends the following variables:

SmartConsole ThinkServer Description

Var04 Host The FreeBSD system IP or DNS.

Var05 IPAddress The system IP address.

Var06 TotalOpenedSessions The total number of sessions opened on the system.

Var07 MaxSessionUser_UserName1 The user with the most sessions opened on the system.

Var08 MaxSessionUser_NumberOfSessions1 The number of sessions opened by user 1.

Var09 MaxSessionUser_UserName2 The second user with the most sessions opened on the system.

Var10 MaxSessionUser_NumberOfSessions2 The number of sessions opened by user 2.

Var11 MaxSessionUser_UserName3 The third user with the most sessions opened on the system.

Var12 MaxSessionUser_NumberOfSessions3 The number of sessions opened by user 3.

Var13 MaxSessionUser_UserName4 The fourth user with the most sessions opened on the system.

Var14 MaxSessionUser_NumberOfSessions4 The number of sessions opened by user 4.

Var15 MaxSessionUser_UserName5 The fifth user with the most sessions opened on the system.

Var16 MaxSessionUser_NumberOfSessions5 The number of sessions opened by user 5.

7.4 FreeBSD User Inactivity

The FreeBSD User Inactivity ThinAgent is a special monitor that works in a different way when compared to the other FreeBSD Security ThinAgents. This agent uses its own data source to query the list of users on the system and their last logon date. It does not use the syslog or the audit trails, but a standard perl script to retrieve the list of a user’s last logon date on the system.

This ThinAgent uses a special flag in order to avoid duplicating events, so by default it will save one record per user per day. If you want to change this and write more than one snapshot per day, you can change the run_once_a_day additional parameter to 0.


7.4.1 ThinAgent Variables

The following table shows a list of ThinAgent specific variables:

Variable Description

Host The FreeBSD system IP or DNS

Username The user’s name

LastLogonDate The last user’s logon date

LastLogonTime The last user’s logon time

Description The event description

InactivityDays The number of days since the user’s last logon

7.4.2 Default Health Settings

By default Health is set to:

• Critical if a user has more than 90 days of inactivity, or has never logged in

• Warning if a user has more than 60 days of inactivity

• Warning if a user has more than 30 days of inactivity

• Success in all other cases

Change the default health rules to meet your monitoring needs.

7.4.3 Field Map SmartConsole – ThinkServer

The ThinkServer sends a message to the SmartConsole every time the monitor is run. By default it sends the following variables:

SmartConsole ThinkServer Description

Var02 Host The FreeBSD system IP or DNS.

Var03 Username The user’s name

Var04 LastLogonDate The user’s last logon date

Var05 LastLogonTime The user’s last logon time

Var06 Description The event description

Var07 InactivityDays The number of days since the user’s last logon

Variables sent to SmartConsole are configured in the Event Variables tab of the Templates, available in the Health and Actions wizard.

In the Event Variables tab you can configure a maximum of 99 variables, though Variable 1 cannot be changed. You can configure one variable in each of the fields Variable 2 through Variable 7. In the fields of Variable 8 and higher, you can add several variables as a comma-separated list. Each variable will be sent to SmartConsole in the order in which it appears in this list, as Var08, Var09…Var99.
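The following Python is an added example (not code from this guide or the ThinkServer product) that computes the User Inactivity variables of section 7.4.1, applies the default health rules of section 7.4.2 including the never-logged-in case, and reproduces the run_once_a_day behaviour described above. The last-logon records, host name and description texts are constructed; the product's own Perl script is not shown in the guide.

```python
"""Added example, not part of the Tango/04 guide or the ThinkServer product:
InactivityDays, default health and the run_once_a_day snapshot flag of the
FreeBSD User Inactivity ThinAgent, over constructed last-logon data."""
from __future__ import annotations

from datetime import date, datetime

HOST = "bsd-host.example"  # constructed
TODAY = date(2011, 3, 1)   # constructed "current" date for reproducible numbers

# Constructed last-logon records: username -> "YYYY-MM-DD HH:MM", or None if never.
LAST_LOGONS = {
    "alice": "2011-02-27 08:12",
    "bob": "2010-12-20 17:40",
    "carol": "2010-10-01 09:00",
    "svc-backup": None,
}


def inactivity_days(last_logon: str | None, today: date) -> int | None:
    """Days since the last logon; None when the user has never logged in."""
    if last_logon is None:
        return None
    return (today - datetime.strptime(last_logon, "%Y-%m-%d %H:%M").date()).days


def health(days: int | None) -> str:
    """Default rules of section 7.4.2, checked from most to least severe."""
    if days is None or days > 90:
        return "Critical"
    if days > 60:
        return "Warning"
    if days > 30:
        return "Warning"
    return "Success"


def build_event(username: str, last_logon: str | None,
                today: date = TODAY, host: str = HOST) -> dict:
    """One ThinAgent event with the variables of section 7.4.1."""
    days = inactivity_days(last_logon, today)
    logon_date, logon_time = last_logon.split() if last_logon else ("", "")
    description = ("User has never logged on" if days is None
                   else f"{days} days since last logon")   # constructed wording
    return {"Host": host, "Username": username, "LastLogonDate": logon_date,
            "LastLogonTime": logon_time, "Description": description,
            "InactivityDays": days, "Health": health(days)}


class SnapshotWriter:
    """Mimics the run_once_a_day additional parameter: with 1 (the default)
    only the first record per user and day is written; with 0 every run writes."""

    def __init__(self, run_once_a_day: int = 1):
        self.run_once_a_day = run_once_a_day
        self.seen: set[tuple[str, date]] = set()
        self.records: list[dict] = []

    def write(self, event: dict, run_date: date) -> bool:
        key = (event["Username"], run_date)
        if self.run_once_a_day and key in self.seen:
            return False
        self.seen.add(key)
        self.records.append(event)
        return True


def run(last_logons: dict = LAST_LOGONS, today: date = TODAY,
        writer: SnapshotWriter | None = None) -> list[dict]:
    """One monitor run: build an event per account and hand it to the writer."""
    writer = writer or SnapshotWriter()
    for user, last in last_logons.items():
        writer.write(build_event(user, last, today), today)
    return writer.records


if __name__ == "__main__":
    for event in run():
        print(event)
```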


Chapter 8

FreeBSD User Management ThinAgents

8.1 FreeBSD Command Line Management

The FreeBSD Command Line Management ThinAgent reads all events concerning user and group creation, deletion and modification performed with the standard command line tools pw and passwd. In order to get this agent working, you need to have the categories ex and lo included in the assigned data source and enabled in the FreeBSD BSM Audit Daemon. You also need the argv policy enabled (see Chapter 3 - FreeBSD OpenBSM Audit Configuration on page 4 for more information).

Important The FreeBSD OpenBSM audit daemon has a known issue where any event created by the following commands are not audited: useradd(1M), usermod(1M), userdel(1M), groupadd(1M), groupmod(1M), groupdel(1M).

This issue has been discussed for many years, and although the issue has been recognized in the OpenSolaris forums (Bug ID 6178396), the developers have not yet announced a date for the fix.

To work around this issue, this ThinAgent audits in a different way: it audits the execution of the command and parses the output. This workaround has one limitation: we are NOT able to know the result of the command. This means that adding an existing user will return an error in the terminal, but the ThinAgent will audit it as a successful operation.

8.1.1 ThinAgent Variables

The following variables are used by this ThinAgent:

Variable            Description

event_description   A description of the event; usually it only explains failed operations.

possibleIP          The AuditEvent_TerminalID variable consists of a series of IDs, including a remote IP in case the connection was made from a remote host. In those cases, the ThinAgent extracts only the IP and assigns it to this variable. For localhost operations this value is empty.

executable          The complete name of the executed binary file, including the full path.

program             The executable name without path (in a user friendly format).

nargs               Not supported on FreeBSD.

arguments           The line of arguments executed with the program. Empty if no argument.

command             The full command line executed by the user or the automated script, with program and arguments included.

possible_user       The user or group being affected by the operation.
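As an added example that is not part of the guide or of the ThinAgent itself, the following Python code maps exec audit records for pw and passwd (constructed samples in praudit(1) text form) onto the variables above, including the extraction of possibleIP from the terminal ID; the token layout, the set of pw subcommands handled, and the treatment of passwd without an argument are assumptions.

```python
import ipaddress

# Constructed sample records in praudit(1) default text format (not taken from the
# guide): one exec event each; the subject token ends with the terminal ID "port,ip".
SAMPLE_RECORDS = [
    "path,/usr/sbin/pw\nexec arg,pw,useradd,jdoe,-m\n"
    "subject,root,root,wheel,root,wheel,2140,2140,51201,192.0.2.10\n",
    "path,/usr/bin/passwd\nexec arg,passwd\n"
    "subject,admin,root,wheel,admin,wheel,2155,2155,50331650,0.0.0.0\n",
    "path,/usr/sbin/pw\nexec arg,/usr/sbin/pw,groupdel,-n,staff\n"
    "subject,root,root,wheel,root,wheel,2160,2160,51202,198.51.100.7\n",
]
# pw(8) one-word subcommands handled here (assumption: the "pw user add" form is not).
PW_SUBCOMMANDS = {"useradd", "usermod", "userdel", "groupadd", "groupmod", "groupdel"}

def possible_ip(terminal_id):
    """Keep only the IP of a 'port,ip' terminal ID; empty for local sessions."""
    ip = terminal_id.rsplit(",", 1)[-1]
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ""
    return "" if addr.is_unspecified or addr.is_loopback else ip

def parse_record(record):
    """Map one exec record onto the section 8.1.1 variables; None unless pw/passwd."""
    tokens = {line.split(",", 1)[0]: line.split(",")[1:] for line in record.splitlines()}
    argv, subject = tokens.get("exec arg"), tokens.get("subject")
    if not argv or not subject:
        return None
    program = argv[0].rsplit("/", 1)[-1]
    positional = [arg for arg in argv[1:] if not arg.startswith("-")]
    if program == "pw":
        if not positional or positional[0] not in PW_SUBCOMMANDS:
            return None
        positional = positional[1:]  # drop the subcommand, keep the user/group name
    elif program != "passwd":
        return None
    return {
        "executable": tokens.get("path", [""])[0],
        "program": program,
        "arguments": " ".join(argv[1:]),
        "command": " ".join(argv),
        # passwd without an argument changes the caller's own password (assumption).
        "possible_user": positional[0] if positional else subject[0],
        # subject fields: auid,uid,gid,ruid,rgid,pid,sid,port,ip; the last two are the TID.
        "possibleIP": possible_ip(",".join(subject[-2:])),
        # Nothing here says whether pw accepted the change: the section 8.1 limitation.
    }
```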

8.1.2 Default Health Settings

By default Health is set to:

• Success in all cases

Change the default health rules to meet your monitoring needs.

8.1.3 Field Map SmartConsole – ThinkServer

The ThinkServer sends a message to the SmartConsole every time the monitor is run. By default it sends the following variables:

SmartConsole   ThinkServer         Description

Var14          event_description   A description of the event; usually it only explains failed operations.

Var15          possibleIP          The AuditEvent_TerminalID variable consists of a series of IDs, including a remote IP in case the connection was made from a remote host. In those cases, the ThinAgent extracts only the IP and assigns it to this variable. For localhost operations this value is empty.

Var16          executable          The complete name of the executed binary file, including the full path.

Var17          program             The executable name without path (in a user friendly format).

Var18          nargs               Not supported on FreeBSD.

Var19          arguments           The line of arguments executed with the program. Empty if no argument.

Var20          command             The full command line executed by the user or the automated script, with program and arguments included.

Var21          possible_user       The user or group being affected by the operation.

8.1.4 Predefined High-Level Exclusion Filters

This ThinAgent doesn't have any predefined high-level exclusion filter.


Chapter 9 FreeBSD Generic Syslog ThinAgent

The FreeBSD Generic Syslog ThinAgent reads all events from the security log of a FreeBSD host. This agent is a generic implementation, so it only parses the syslog format from the remote log files, and translates the hostname (concentrator), date, and time, but nothing else. Users are responsible for parsing the message itself.

In other words, it does the same thing as the ThinkServer Syslog ThinAgent, but by using an SSH connection and keeping track of the log files instead of receiving raw UDP/TCP messages.

9.1 Default Health Settings

By default, Health is set to:

• Success in all cases

Change the default health rules to meet your monitoring needs.


Chapter 10 FreeBSD Custom Log ThinAgent

The FreeBSD Custom Log ThinAgent is a generic ThinAgent which allows reading any log file hosted on a FreeBSD system over a secure SSH connection. Using the same engine as the generic Syslog ThinAgent, it reads log files by using a technology written in Python.

It supports log rotation (in a numerically ordered format: x.0, x.1, ...) and the compression formats gzip and bzip2.

As this ThinAgent is very generic and does not perform any variable separation, the entire content of each line is delivered in one single variable.

10.1 ThinAgent Variables

A list of ThinAgent specific variables:

Variable     Description

FullRecord   Full event record

10.2 Default Health Settings

By default Health is set to:

• Success in all cases

Change the default health rules to meet your monitoring needs.


Appendix A: OpenBSM Audit Classes

A.1 Definitions of Audit Classes

The following table shows each predefined audit class, the descriptive name for each audit class, and a short description.

A.1.1 Predefined Audit Classes

Audit Class   Descriptive Name        Description

all           all                     All classes (meta-class)

no            invalid class           Match no audit events

na            non attributable        Audit non-attributable events

ad            administrative          Administrative actions performed on the system as a whole

ap            application             Application defined action

cl            file close              Audit calls to the close system call

ex            exec                    Audit program execution. Auditing of command line arguments and environmental variables is controlled via audit_control using the argv and envv parameters to the policy setting.

fa            file attribute access   Audit the access of object attributes such as stat, pathconf and similar events.

fc            file create             Audit events where a file is created as a result

fd            file delete             Audit events where file deletion occurs

fm            file attribute modify   Audit events where file attribute modification occurs, such as chown, chflags, flock etc.

fr            file read               Audit events in which data is read, files are opened for reading, etc.

fw            file write              Audit events in which data is written, files are written or modified, etc.

io            ioctl                   Audit use of the ioctl system call.

ip            ipc                     Audit various forms of Inter-Process Communication, including POSIX pipes and System V IPC operations.

lo            login_logout            Audit login and logout events occurring on the system.

nt            network                 Audit events related to network actions, such as connect and accept.

ot            other                   Audit miscellaneous events.

pc            process                 Audit process operations, such as exec and exit.


Appendix B: Further Information

B.1 Using Tango/04 PDF Documentation

Tango/04 documentation is available directly from the Tango/04 solutions DVD.

To open the Tango/04 documentation that is provided in PDF files use Adobe Acrobat Reader. Acrobat Reader lets you view, search, and print the documentation. You can download Acrobat Reader for free from the Adobe Web site (http://www.adobe.com).

Tip We advise printing PDF documentation for easy reference. Please ensure you familiarize yourself with a products user guide before attempting to use the product.

To access PDF documents on the DVD:

Step 1. Navigate to a product suite (VISUAL Message Center for example) and click on the Product Documentation link to open a list of all the User Guides available for that product suite. The list contains direct links to the documents in PDF format.

Step 2. Alternatively, you can navigate within the DVD menu to a particular product and click on the Product Documentation link to open the User Guide in PDF format for that product.

B.2 Tango/04 University

In a continuous effort to provide all users of Tango/04 technologies with high quality training and education, Tango/04 Computing Group presents the new training program open to partners and users worldwide.

Tango/04 University is aimed at providing Tango/04 users and partners with the most effective tools and knowledge to manage Tango/04 technologies and products and use them at their highest potential.

Attendance of the training course and passing the related exams is mandatory in order to qualify as Tango/04 Business Partner for the technology area covered by the course, and will offer you important benefits such as:

• Tango/04 Official Certifications - Tango/04 partners will be required to have a number of certified consultants, depending on the Business Partner Level

• Exploit the full potential of Tango/04 technologies - Solutions such as VISUAL Message Center and VISUAL Security Suite are very broad solutions that feature much functionality. Knowing all these functions and how to use them is key to getting the most out of the product

• Integration with other solutions - Tango/04 is constantly growing: knowing the new products and agents may allow you to integrate other parts of the IT infrastructure into Tango/04 Solutions

• Tango/04 Business Partners will learn how to effectively deploy a monitoring project in order to obtain the maximum effectiveness and customer satisfaction.

Participants' profile: Consultants, System Administrators, operators and technical staff, with knowledge of Windows, iSeries, Linux and Unix systems who will be involved in managing or deploying Tango/04 technology.

Pre-requisites: Being Tango/04 Business Partner or Tango/04 Customer.

B.3 Contacting Tango/04

North America
Tango/04 North America
One Phoenix Mill Lane - Suite 201
Peterborough, NH 03458
USA
Phone: 1-800-304-6872 / 603-924-7391
Fax: 858-428-2864
[email protected]
www.tango04.com

EMEA
Tango/04 Computing Group S.L.
Avda. Meridiana 358, 5 A-B
08027 Barcelona
Spain
Phone: +34 93 274 0051
Fax: +34 93 345 1329
[email protected]
www.tango04.com

Italy
Tango/04 Italy
Viale Garibaldi 51/53
13100 Vercelli
Italy
Phone: +39 0161 56922
Fax: +39 0161 259277
Contact: Ferdinando Caccianotti
[email protected]
www.tango04.it

Sales Office in France
Tango/04 France
La Grande Arche
Paroi Nord 15ème étage
92044 Paris La Défense
France
Phone: +33 01 40 90 34 49
Fax: +33 01 40 90 31 01
Contact: Mr. Jean-Philippe Fourche
[email protected]
www.tango04.fr

Sales Office in Switzerland
Tango/04 Switzerland
18, Avenue Louis Casaï
CH-1209 Genève
Switzerland
Phone: +41 (0)22 747 7866
Fax: +41 (0)22 747 7999
Contact: Mr. Jean-Philippe Fourche
[email protected]
www.tango04.fr

Latin American Headquarters
Barcelona/04 Computing Group SRL (Argentina)
Avda. Federico Lacroze 2252, Piso 6
1426 Buenos Aires Capital Federal
Argentina
Phone: +54 11 4774-0112
Fax: +54 11 4773-9163
[email protected]
www.barcelona04.com

Sales Office in Peru
Barcelona/04 PERÚ
Centro Empresarial Real
Av. Víctor A. Belaúnde 147, Vía Principal 140
Edificio Real Seis, Piso 6
L 27 Lima
Perú
Phone: +51 1 211-2690
Fax: +51 1 211-2526
[email protected]
www.barcelona04.com

Sales Office in Chile
Barcelona/04 Chile
Nueva de Lyon 096 Oficina 702
Providencia
Santiago
Chile
Phone: +56 2 234-0898
Fax: +56 2 2340865
[email protected]
www.barcelona04.com

About Tango/04 Computing Group

Tango/04 Computing Group is one of the leading developers of systems management and automation software. Tango/04 software helps companies maintain the operating health of all their business processes, improve service levels, increase productivity, and reduce costs through intelligent management of their IT infrastructure.

Founded in 1991 in Barcelona, Spain, Tango/04 is an IBM Business Partner and a key member of IBM's Autonomic Computing initiative. Tango/04 has more than a thousand customers who are served by over 35 authorized Business Partners around the world.

Alliances

Partnerships

• IBM Business Partner
• IBM Autonomic Computing Business Partner
• IBM PartnerWorld for Developers Advanced Membership
• IBM ISV Advantage Agreement
• IBM Early code release
• IBM Direct Technical Liaison
• Microsoft Developer Network
• Microsoft Early Code Release

Awards


Legal notice

The information in this document was created using certain specific equipment and environments, and it is limited in application to those specific hardware and software products and version and release levels.

Any references in this document regarding Tango/04 Computing Group products, software or services do not mean that Tango/04 Computing Group intends to make these available in all countries in which Tango/04 Computing Group operates. Any reference to a Tango/04 Computing Group product, software, or service may be used. Any functionally equivalent product that does not infringe any of Tango/04 Computing Group's intellectual property rights may be used instead of the Tango/04 Computing Group product, software or service.

Tango/04 Computing Group may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents.

The information contained in this document has not been submitted to any formal Tango/04 Computing Group test and is distributed AS IS. The use of this information or the implementation of any of these techniques is a customer responsibility, and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. Despite the fact that Tango/04 Computing Group could have reviewed each item for accurateness in a specific situation, there is no guarantee that the same or similar results will be obtained somewhere else. Customers attempting to adapt these techniques to their own environments do so at their own risk. Tango/04 Computing Group shall not be liable for any damages arising out of your use of the techniques depicted on this document, even if they have been advised of the possibility of such damages. This document could contain technical inaccuracies or typographical errors.

Any pointers in this publication to external web sites are provided for your convenience only and do not, in any manner, serve as an endorsement of these web sites.

The following terms are trademarks of the International Business Machines Corporation in the United States and/or other countries: iSeries, i5, DB2, eServer (logo), IBM, Operating System/400, OS/400, i5/OS.

Microsoft, SQL Server, Windows, Windows NT, Windows XP and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and/or other countries. UNIX is a registered trademark in the United States and other countries licensed exclusively through The Open Group. Oracle is a registered trade mark of Oracle Corporation.

Other company, product, and service names may be trademarks or service marks of other companies.
