eTrust Audit Frequently Asked Questions

eTrust Audit - Questions And Answers

Question: How will eTrust Audit benefit me as a security administrator?

Answer: eTrust Audit empowers systems and security management teams with the unique ability to collect information from various platforms, servers, and application events and audit logs into a single database for quick and accurate assessment. eTrust Audit eliminates event guesswork by translating all collected information to a common, intuitive format, regardless of the event's source. eTrust Audit's store-and-forward architecture allows it to scale to suit your environment, whether a few or a few thousand machines. Like other members of the eTrust Security Suite, eTrust Audit clears the platform and application administration barrier for a true cross-platform event management solution.

Question: Does eTrust Audit archive the audit collection?

Answer: eTrust Audit sends events to a commercial relational database (Oracle, SQL Server and Microsoft Access) that can be managed and archived with the usual DBA tools.

Question: What is the overhead on the network by eTrust Audit?

Answer: The overhead depends on the amount of data you want to collect, on the type of events your system generates, and so on. The average amount of data sent by the eTrust Audit Agent per audit record is about 300 bytes.

Question: How much disk space and memory are required for the eTrust Audit Collector station?

Answer: A collector station needs a processor with a minimum speed of 350 MHz and at least 128 MB of RAM. The event database requires 0.6 to 2 KB per record. A good rule of thumb is 30-50 machines (routers) per collector.

Question: What is the architecture of eTrust Audit?

Answer: eTrust Audit installs a Recorder and Router on each targeted host or application server that you want to be part of the audit scheme (NT/2000 and UNIX). The Policy Manager is installed on an NT/2000 machine. From there, all of the organization's security-related policies and Host-Based Intrusion Detection rules are configured, compiled, and distributed to the eTrust Audit routers. eTrust Audit Collector(s) can be installed for final collection and consolidation (the Collector can only reside on a Windows NT or 2000 machine). These components work in concert to redirect, filter, and collect all audited events throughout the environment. Additionally, when using these components with eTrust Audit's store-and-forward capability, you are provided with peerless configuration flexibility and unprecedented performance in an event management solution. All collected data is translated to easy-to-understand messages and stored in a relational database for ensured compatibility with various database viewers.

Question: How does the product scale to accommodate a range of site sizes?

Answer: The flexible architecture of eTrust Audit allows scaling the implementation from the needs of small companies to large enterprises. Using the store-and-forward mechanism provided by eTrust Audit, it is possible to build hierarchies to route auditing events from a huge number of clients. The flexible filtering capabilities reduce the amount of collected audit events by filtering out unimportant events ("noise"). Events can be saved in the database on each level of the hierarchy, allowing distributed databases. The GUI tools provide a means to view, filter, and analyze events from several databases. The distributed architecture of eTrust Audit allows you to exploit the multiple CPUs of large numbers of computers. All eTrust Audit services have parameters that allow tuning of eTrust Audit performance.

Question: Where does filtering occur (i.e. does filtering occur at the initial recording point, where the routing agent is placed, at the Collector Server, or later)?

Answer: The filtering can be applied on any level of event routing. It may be applied at the recorder service that defines which events are submitted to eTrust Audit. It may be applied on the client machine to define what events are sent to the collector.
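
The two answers above describe a recorder-to-router-to-collector hierarchy in which filtering can be applied at each level and events are stored and forwarded rather than dropped when the next hop is unreachable. The following is an added illustration of that pipeline shape in Python; it is not eTrust Audit code, and the event fields, filter rules and spool behaviour are assumptions made for the example. The recorder keeps routine process noise from being submitted at all, the router forwards only events of severity 1 or higher, and the router's spool retains forwarded events while the collector is down and delivers them in order once it returns.

```python
"""Added illustration of a recorder -> router -> collector pipeline with
per-level filtering and a store-and-forward spool. This is example code,
not eTrust Audit's implementation; all events below are constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, List


@dataclass(frozen=True)
class AuditEvent:
    source: str     # host or application that produced the event
    category: str   # e.g. "logon", "file", "process"
    severity: int   # 0 = informational ... 3 = critical (assumed scale)
    message: str


# Constructed raw events as one host's recorder might see them.
RAW_EVENTS = [
    AuditEvent("host-a", "logon", 1, "user alice logged on"),
    AuditEvent("host-a", "logon", 3, "user root logon failed"),
    AuditEvent("host-a", "process", 0, "cron started job backup"),
    AuditEvent("host-a", "file", 2, "/etc/passwd modified"),
    AuditEvent("host-a", "process", 0, "cron finished job backup"),
]

Filter = Callable[[AuditEvent], bool]


class Recorder:
    """First level: decides which local events are submitted at all."""
    def __init__(self, accept: Filter):
        self.accept = accept

    def record(self, events: List[AuditEvent]) -> List[AuditEvent]:
        return [e for e in events if self.accept(e)]


class Collector:
    """Final consolidation point; a list stands in for the database."""
    def __init__(self):
        self.database: List[AuditEvent] = []
        self.available = True

    def store(self, event: AuditEvent) -> None:
        if not self.available:
            raise ConnectionError("collector unreachable")
        self.database.append(event)


class Router:
    """Second level: filters again, then forwards; unsent events are spooled."""
    def __init__(self, forward: Filter, collector: Collector):
        self.forward = forward
        self.collector = collector
        self.spool: Deque[AuditEvent] = deque()

    def route(self, events: List[AuditEvent]) -> None:
        for e in events:
            if self.forward(e):
                self.spool.append(e)
        self.flush()

    def flush(self) -> None:
        """Deliver spooled events in order; stop at the first failure, keep the rest."""
        while self.spool:
            try:
                self.collector.store(self.spool[0])
            except ConnectionError:
                return
            self.spool.popleft()


def simulate(collector_down_at_first: bool) -> dict:
    """Run the constructed events through the pipeline and report counts."""
    collector = Collector()
    collector.available = not collector_down_at_first
    # Recorder-level filter: do not submit informational process noise.
    recorder = Recorder(lambda e: not (e.category == "process" and e.severity == 0))
    # Router-level filter: forward only events with severity 1 or higher.
    router = Router(lambda e: e.severity >= 1, collector)
    submitted = recorder.record(RAW_EVENTS)
    router.route(submitted)
    spooled = len(router.spool)          # retained while the collector was down
    collector.available = True           # link to the collector restored
    router.flush()
    return {"submitted": len(submitted), "spooled_while_down": spooled,
            "stored": len(collector.database), "spool_left": len(router.spool)}


if __name__ == "__main__":
    print(simulate(collector_down_at_first=False))
    print(simulate(collector_down_at_first=True))
```

With the collector reachable, three of the five raw events reach the database; with the collector down, the same three sit in the router's spool and are delivered, still in order, once the link is restored. Moving the process-noise rule from the recorder to the router would produce the same database contents but cost the 300-byte-per-record network overhead mentioned earlier for events that are discarded anyway, which is the practical reason to filter as early as possible.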

Question: Does eTrust Audit pass information in clear text over the wire?

Answer: Data transferred from the Recorder and SAPI client (recorder) to router, from router to router, and from router to collector is protected by pluggable encryption. DES encryption is the default. If the eTrust Access Control for UNIX LogRoute daemon forwards its messages as encoded clear text, the Audit Collector will still accept those messages as well as encrypted messages.

Question: If I have an application that is not currently supported by eTrust Audit, can I still route the application events to eTrust Audit Collector?

Answer: There are several ways to provide the bridge between your application and eTrust Audit Collector:
1. SNMP traps: You can use SNMP traps to send standardized event information to the eTrust Audit SNMP Recorder. There are many products readily available to send such event information. This routing path needs to be properly configured so that eTrust Audit will be able to receive and handle this application information.
2. Submit API: This is a powerful and thorough method to send event information to eTrust Audit Collector. By programming with eTrust Audit Submit API function calls, applications can send complete, detailed messages to eTrust Audit, and in turn eTrust Audit can perform more granular and more intelligent analysis on the collected data and activate alerts when needed.
3. eTrust Products: You can send your application event information via eTrust products to eTrust Audit. eTrust Audit provides full support for most of the eTrust products and can consolidate collected information for analysis and pattern matching. This way, application activities that are tied to eTrust products, or can be captured by eTrust products, can send events to eTrust Audit through the related eTrust product. For example, certain firewall products can generate events based on network connections or application sessions. In this case, firewall information can be captured by eTrust Intrusion Detection, and be collected and sent to eTrust Audit for analysis or archive.

Question: How can I use eTrust Audit as a host-based intrusion detection tool?

Answer: eTrust Audit is equipped with event collection, pattern matching and filtering, action triggering, and execution. These are the essential components for a host-based intrusion detection system. eTrust Audit also comes with pre-defined rules that can help you build up your own intrusion detection system. With its flexible rules and scalability to handle heavy traffic, eTrust Audit can be your host-based intrusion detection system to protect your critical data and services on your servers.

Question: Are there predefined rules that can be deployed right away?

Answer: eTrust Audit provides several pre-defined rules that can be deployed right away. Each policy is divided into two sections, each with associated rules. The two sections are:
1. Collection: all the events from that source type.
2. Suspicious events: security and system related events that include:
   - Logon (successful/failure)
   - Critical objects tampering
   - Network connections
   - Touching OS/Application Super User
   - Account Management
   - Changing permissions or security policies
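
The two answers above list the building blocks of a host-based intrusion detection pass (collection, filtering, pattern matching, action triggering) and the kinds of suspicious events the predefined rules cover. The following added Python example, which is not eTrust Audit code and does not use its rule syntax, runs a small detection pass of that shape over constructed records that are already normalized to a common format. The pipe-separated record layout, the field names, the set of critical objects and the failed-logon threshold are all assumptions for the example; three of the listed categories are covered (repeated logon failures, tampering with critical objects, account management), and the action stage simply produces notification strings.

```python
"""Added example of a host-based detection pass over normalized audit
records: filter noise, match rules, trigger actions. Not eTrust Audit code;
record format, fields, thresholds and sample data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records in an assumed common format:
# timestamp|host|category|outcome|subject|object
SAMPLE_RECORDS = """\
2024-01-10T09:00:01|srv1|logon|failure|bob|console
2024-01-10T09:00:05|srv1|logon|failure|bob|console
2024-01-10T09:00:09|srv1|logon|failure|bob|console
2024-01-10T09:00:12|srv1|logon|failure|bob|console
2024-01-10T09:00:15|srv1|logon|success|bob|console
2024-01-10T09:01:00|srv1|process|success|cron|/usr/bin/backup
2024-01-10T09:02:30|srv1|permission|success|bob|/etc/shadow
2024-01-10T09:03:00|srv2|account|success|admin|create user svc_tmp
2024-01-10T09:04:00|srv1|permission|success|alice|/home/alice/notes.txt
""".splitlines()

# Objects whose permission changes count as "critical object tampering" (assumed list).
CRITICAL_OBJECTS = {"/etc/shadow", "/etc/passwd", "/etc/sudoers"}


def parse(line: str) -> dict:
    """Split one normalized record into named fields."""
    ts, host, category, outcome, subject, obj = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "category": category,
            "outcome": outcome, "subject": subject, "object": obj}


def rule_logon_failures(events, threshold=3, window=timedelta(seconds=60)):
    """Fire once per (host, subject) when `threshold` logon failures fall within `window`."""
    alerts = []
    failures = defaultdict(list)   # (host, subject) -> timestamps of recent failures
    fired = set()
    for e in events:
        if e["category"] != "logon" or e["outcome"] != "failure":
            continue
        key = (e["host"], e["subject"])
        # sliding window: keep only failures not older than `window` relative to this one
        failures[key] = [t for t in failures[key] if e["ts"] - t <= window] + [e["ts"]]
        if len(failures[key]) >= threshold and key not in fired:
            fired.add(key)
            alerts.append(("logon_failures", e["host"], e["subject"]))
    return alerts


def rule_critical_object(events):
    """Permission change on an object in CRITICAL_OBJECTS."""
    return [("critical_object_tamper", e["host"], e["subject"], e["object"])
            for e in events
            if e["category"] == "permission" and e["object"] in CRITICAL_OBJECTS]


def rule_account_management(events):
    """Any account-management event is reported for review."""
    return [("account_management", e["host"], e["subject"], e["object"])
            for e in events if e["category"] == "account"]


RULES = (rule_logon_failures, rule_critical_object, rule_account_management)


def detect(lines):
    """Collection, filtering and pattern matching stages; returns the alerts raised."""
    events = [parse(line) for line in lines if line]
    # Collection-policy filtering: drop routine process noise before matching.
    events = [e for e in events if e["category"] != "process"]
    alerts = []
    for rule in RULES:
        alerts.extend(rule(events))
    return alerts


def trigger_actions(alerts):
    """Action stage: one notification string per alert (stand-in for a real action)."""
    return [f"NOTIFY {a[1]}: {a[0]} {' '.join(a[2:])}" for a in alerts]


if __name__ == "__main__":
    for line in trigger_actions(detect(SAMPLE_RECORDS)):
        print(line)
```

On the constructed records the pass raises three alerts: the third failed logon by bob on srv1 within the window (the fourth failure and the eventual success add nothing further), the permission change on /etc/shadow, and the account creation on srv2; alice's change to her own file matches no rule. Keeping the noise filter ahead of the rules, as in `detect`, is what lets the same rules hold up under the heavy event volumes the answer refers to.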