
2021 EMC Celerra or VNX Device Configuration Guide
StealthAUDIT® Stealthbits Activity Monitor®
Doc_ID 694
Copyright 2021 STEALTHBITS, NOW PART OF NETWRIX, ALL RIGHTS RESERVED

TOC

- EMC Celerra or VNX Device Configuration Overview
- Supported File System Platforms
- Supported Network Attached Storage Devices
- StealthAUDIT Console Server Permissions
- File System Applet Deployment Permissions
- File System Proxy Service Permissions
- StealthAUDIT File System Scan Options
- StealthAUDIT File Activity Auditing
- Local Mode Scans
- Firewall Rules for Local Mode Scans
- File System Data Collection Configuration for Local Mode Scans
- Proxy Mode with Applet Scans
- Firewall Rules for Proxy Mode with Applet Scans
- File System Data Collection Configuration for Proxy Mode with Applet Scans
- Proxy Mode as a Service Scans: with RPC or Secure RPC
- Firewall Rules for Proxy Mode as a Service Scans
- File System Data Collection Configuration for Proxy Mode as a Service Scans
- Additional Parameters for File System Proxy Service
- Activity Monitor Configuration
- Activity Monitor Activity Agent Deployment
- Prepare for Activity Monitoring
- Monitored Host Configuration
- Firewall Rules for Activity Monitoring
- Additional Firewall Rules for Dell EMC Unity, EMC Celerra, & EMC VNX Devices
- StealthAUDIT Integration
- Identify an Activity Log for StealthAUDIT
- StealthAUDIT Data Collection Configuration for File Activity Scans
- StealthINTERCEPT Integration
- SI Agent Deployment
- StealthDEFEND Integration
- Sensitive Data to StealthDEFEND
- SIEM Integration
- EMC Celerra & VNX Device Configuration for Access Auditing
- Group Membership for EMC Devices
- Disable Secure Negotiate
- EMC Celerra & VNX Device Configuration for Activity Monitoring
- Install the EMC CEE
- Connect Data Movers to EMC CEE Server
- Validate EMC CEE Registry Key Settings
- Validate EMC CEE Services are Running
- StealthAUDIT Connection Profile & Host List
- File System Custom Connection Profile
- File System Custom Host List
- Appendices
- Appendix: EMC CEE Debug Logs
- Appendix: EMC Event Mapping
- Appendix: Configure EMC Registry Key Settings
- More Information

EMC Celerra or VNX Device Configuration Overview

Stealthbits products audit and monitor Microsoft® Windows® file servers and/or Network Attached Storage (NAS) devices. StealthAUDIT employs the File System Solution to execute Access Auditing (FSAA), Activity Auditing (FSAC), and/or Sensitive Data Discovery Auditing scans. The Activity Auditing (FSAC) scans also require the Activity Monitor be deployed to monitor the target environment. Additionally, the Activity Monitor can be configured to provide activity data to StealthINTERCEPT, StealthDEFEND, and/or various SIEM products.

This document describes the necessary settings required to audit and monitor the target environment and to allow for successful use of:

- StealthAUDIT v11.0
- Stealthbits Activity Monitor v6.0
- StealthINTERCEPT v7.3 (Through integration with Activity Monitor)
- StealthDEFEND v2.7 (Through integration with Activity Monitor)

NOTE: The Sensitive Data Discovery Auditing requires the StealthAUDIT Sensitive Data Discovery Add-on.

The sections of this document align to the products as follows:

- StealthAUDIT
  - StealthAUDIT Scan Options
  - Activity Monitoring
  - EMC Celerra & VNX Device Configuration for Access Auditing
  - EMC Celerra & VNX Device Configuration for Activity Monitoring
  - StealthAUDIT Connection Profile & Host List
- Stealthbits Activity Monitor
  - Activity Monitoring
  - EMC Celerra & VNX Device Configuration for Activity Monitoring
- StealthINTERCEPT
  - Activity Monitoring
  - EMC Celerra & VNX Device Configuration for Activity Monitoring
- StealthDEFEND
  - Activity Monitoring
  - EMC Celerra & VNX Device Configuration for Activity Monitoring

Supported File System Platforms

The versions and devices listed below are supported for Access Auditing, Activity Monitoring, and Sensitive Data Discovery Auditing.

NOTE: Access Auditing and Sensitive Data Discovery Auditing support CIFS and NFSv3 (and below).

Supported Network Attached Storage Devices

StealthAUDIT for File Systems is compatible with scanning the following Network Attached Storage (NAS) devices as targets:

- EMC® Celerra® 6.0+
- EMC® VNX®:
  - VNX® 7.1
  - VNX® 8.1

StealthAUDIT Console Server Permissions

In most cases the StealthAUDIT user is a member of the local Administrators group on the StealthAUDIT Console server.
However, if the Role Based Access model of StealthAUDIT usage is employed, then the user assigned the role of Job Initiator (for manual execution) or the credential used for the Schedule Service Account (for scheduled execution) must have the following permissions to execute File System scans in local mode, applet mode, or proxy mode with applet:

- Group membership in either of the following local groups:
  - Backup Operators
  - Administrators

These permissions grant the credential the ability to create a high integrity token capable of leveraging the “Back up files and directories” privilege from where the StealthAUDIT executable is run.

Additionally, the credential must have WRITE access to the …\StealthAUDIT\FSAA folder in the installation directory. This is required by either the user account running the StealthAUDIT application, when manually executing jobs within the console, or the Schedule Service Account assigned within StealthAUDIT, when running jobs as scheduled tasks.

File System Applet Deployment Permissions

If executing the File System scans in either applet mode or proxy mode with applet, then the credential must have permissions to deploy and start the applet. Remember, the applet can only be deployed to a Windows server. Configure the credential(s) with the following rights on the proxy server(s):

- Group membership in the local Administrators group
- Granted the “Backup files and directories” local policy privilege
- Granted the “Log on as a batch” privilege
- If running FSAC, the service account in the credential profile requires access to the admin share (e.g. C$) where the sbtfilemon.ini file exists

CAUTION: The local policy, “Network access: Do not allow storage of passwords and credentials for network authentication” must be disabled in order for the applet to start.
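
A preflight check for the applet prerequisites listed above, as an added example that is not part of the vendor guide. It assumes an elevated PowerShell session on the Windows proxy server; the account name is a constructed placeholder, and the mapping of the policy names to SeBackupPrivilege, SeBatchLogonRight and the DisableDomainCreds registry value is standard Windows behaviour rather than something the guide states.

```powershell
# Added example, not vendor code. Run elevated on the Windows proxy server.
param(
    [Parameter(Mandatory)]
    [string] $Account    # scan credential, e.g. 'EXAMPLE\svc-fsaa' (constructed name)
)

# Resolve the account to a SID so it can be matched against policy entries.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# Direct membership in local Administrators (well-known SID S-1-5-32-544).
# Membership inherited through a nested domain group is not resolved here.
$isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
                  Where-Object { $_.SID.Value -eq $sid })

# Export the user rights assignment and index it by right name.
# Holders that secedit writes as names instead of *SID are not matched.
$cfg = Join-Path $env:TEMP 'fsaa-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2].Split(',').Trim().TrimStart('*')
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# A right counts as granted when it names the account itself, or the
# Administrators group while the account is a direct member of it.
function Test-UserRight([string] $Name) {
    $holders = @($rights[$Name])
    ($holders -contains $sid) -or ($isAdmin -and $holders -contains 'S-1-5-32-544')
}

# "Network access: Do not allow storage of passwords and credentials for
# network authentication" is stored as DisableDomainCreds; 0 or absent = disabled.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$policyDisabled = ($lsa.DisableDomainCreds -as [int]) -ne 1

[pscustomobject]@{
    Account                   = $Account
    LocalAdministratorsMember = $isAdmin
    BackupFilesAndDirectories = Test-UserRight 'SeBackupPrivilege'
    LogOnAsBatch              = Test-UserRight 'SeBatchLogonRight'
    CredStoragePolicyDisabled = $policyDisabled
}
```

Any `False` in the output corresponds to one unmet item in the list above; the admin share access needed for FSAC is not covered by this check.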

File System Proxy Service Permissions

If executing the File System scans in proxy mode as a service with RPC or secure RPC, then the File System Proxy Service should be installed on the Windows proxy server(s) prior to executing the scans. The version of the proxy service must match the major version of StealthAUDIT. The service can be run either as LocalSystem or with a domain account supplied during the installation of the File System Proxy Service, with the following permissions on the proxy server:

- Membership in the local Administrators group
- Granted the “Log on as a service” privilege (Local Security Policies > Local Policies > User Rights Assignment > Log on as a service)
- If running FSAC, the service account in the credential profile requires access to the admin share (e.g. C$) where the sbtfilemon.ini file exists

Additionally, the credential must have WRITE access to the …\StealthAUDIT\FSAA folder in the installation directory.

NOTE: The File System Proxy Service can be installed ad hoc through a data collector configuration option. In that case, the credential in the assigned Connection Profile must have permissions to install and run the service. Remember, it is not possible to enable secure RPC while using this option.

For secure RPC, a credential is supplied during installation to provide secured communications between the StealthAUDIT server and the proxy server. This credential must be a domain account, but no additional permissions are required. However, this account must be included as a StealthAUDIT Task (Domain) type credential in the Connection Profile to be used by the File System Solution. It is recommended to use the same domain account configured to run the proxy service for the secure RPC account.

If secure RPC will be enabled and the service configured to run as LocalSystem, then the installer automatically adds the necessary service principal names (SPNs) to the computer object in Active Directory. If secure RPC will be enabled and the service configured to run as a supplied domain account, then it is necessary to manually configure the SPNs on the user object in Active Directory prior to installing the File System Proxy. See the StealthAUDIT File System Proxy Service Installation Guide for additional information.

If installing the File System Proxy Service on multiple servers, then a custom host list of proxy servers should also be created. See the FSAA: Scan Server Selection section of the StealthAUDIT User Guides v11.0 for additional information.