User Guide
OSC_003
Version 1
September 2012
Copyright Notice
Since the equipment explained in this document has a variety of uses, the user and those
responsible for applying this equipment must satisfy themselves as to the acceptability of each
application and use of the equipment. Under no circumstances will Emerson Process
Management be responsible or liable for any damage, including indirect or consequential losses
resulting from the use, misuse, or application of this equipment.
The text, illustrations, charts, and examples included in this manual are intended solely to explain
the use and application of the Ovation™ Unit. Due to the many variables associated with specific
uses or applications, Emerson Process Management cannot assume responsibility or liability for
actual use based upon the data provided in this manual.
No patent liability is assumed by Emerson Process Management with respect to the use of
circuits, information, equipment, or software described in this manual.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form or by any means, including electronic, mechanical, photocopying, recording or otherwise
without the prior express written permission of Emerson Process Management.
The document is the property of and contains Proprietary Information owned by Emerson Process
Management and/or its subcontractors and suppliers. It is transmitted in confidence and trust, and
the user agrees to treat this document in strict accordance with the terms and conditions of the
agreement under which it was provided.
This manual is printed in the USA and is subject to change without notice.
Ovation is the mark of Emerson Process Management. Other marks are the property of their
respective holders.
Copyright © Emerson Process Management Power & Water Solutions, Inc. All rights reserved.
Emerson Process Management
Power & Water Solutions
200 Beta Drive
Pittsburgh, PA 15238
USA
E-Mail: Technical.Communications@Emerson.com
Web site: https://www.ovationusers.com
Contents
5 Troubleshooting 291
5.1 Windows Blue Screen of Death (BSOD) Diagnostics ..................................................... 291
5.1.1 To configure and read BSOD............................................................................. 291
5.1.2 To troubleshoot the MS Info Tool....................................................................... 292
5.2 Troubleshooting for Lumension OSC 2.x Update 1 ........................................................ 292
5.2.1 To gather events for Bouncer OSC 2.x Update 1 .............................................. 292
5.3 Checking OSC version numbers for 2x Update 1 versions ............................................ 293
5.3.1 To check OSC 2.x Update 1 LEMSS Server versions....................................... 293
5.3.2 To check OSC 2.x Update 1 LEMSS Client versions ........................................ 294
5.3.3 To check OSC 2.x Update 1 Bouncer Manager versions .................................. 295
5.3.4 To check OSC 2.x Update 1 Bouncer Client versions ....................................... 296
5.3.5 To check OSC 2.x Update 1 NitroView versions ............................................... 297
Index 305
SECTION 1
Ovation Security Centers operate on all Ovation operating system software platforms.
1.2 Components of the Ovation Security Center
1.3 Functions of the Ovation Security Center
1.4 Terminology for the Ovation Security Center

Air gap: A security measure used for computers and computer networks that must be extraordinarily secure. An air gap ensures that a secure network is physically, electrically, and electromagnetically isolated from non-secure networks, such as the public Internet or a non-secure local area network.

Blacklist: A list of software programs considered unsafe to run on your system. A blacklist uses the standard signature-based antivirus approach to security by blocking any known harmful software or users from the system. See also Whitelist.

CIP: Critical Infrastructure Protection (CIP) is a set of cyber security standards for Electric Power Generation, Transmission and Distribution organizations. The North American Electric Reliability Corporation (NERC) developed the CIP standards with oversight from the Federal Energy Regulatory Commission (FERC).

CIFS: Common Internet File System, an application-layer network protocol used to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network.

DMZ: A DeMilitarized Zone (DMZ) is a network that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet. The purpose of a DMZ is to add an additional layer of security to an organization's Local Area Network (LAN): an external attacker would only have access to equipment in the DMZ, rather than to the entire network.

Endpoint: In a client/server network architecture, an endpoint is any node that is a destination of two-way communication, whether requesting or responding (for example, PCs, laptops, and other similar devices). In the Lumension Endpoint Management and Security Suite, the term endpoint refers to a computer in your network that can have an agent installed.

ESMRCV: Enterprise Security Manager with Receiver functionality.

FERC: The Federal Energy Regulatory Commission (FERC) is a United States federal agency that has jurisdiction over and makes rules for interstate electricity sales and other energy-related rates and pricing.

Firewall: A firewall is a security system intended to protect your computer network from external threats. All communication between the internal computer network and the outside world is routed through a server that determines whether a message is safe to pass to the internal network.

Guardian: Guardian is an Emerson-provided interface that can provide all the available information about a system, such as system level, software level, loaded patches, SureService information, site contacts, Emerson contacts, and related knowledge-based articles.

LEMSS: Lumension Endpoint Management and Security Suite.

Malware: Malware refers to any software (such as a virus) that has the potential to disrupt a computer system. Malware is malicious software or executable programs that you do not want executing on your system.

Management Console: The management console is a defined machine on the DCS that controls administration of your Ovation Security Center.

MP: Malware Prevention (MP) is a set of tools that provide centralized control of the detection agents that reside on the Ovation host workstations. Any detected malware is quarantined and reported to the SIEM tools.

NERC: The North American Electric Reliability Corporation (NERC) is an agency that oversees the reliability and adequacy of bulk power supply in electric utility systems.

Network intrusion: A security breach into a computer network.

OSC: The Ovation Security Center is a suite of hardware and software tools (appliances) that provide electronic security management functions.

Passphrase: A sequence of words used to log in to your system. For example: The Performance Received a Standing Ovation in 2010. Often used in combination with a password.

Root kit: A software program that can escalate its privileges to the root level of your computer. The program then uses that privileged access to gain control of the computer without the knowledge of the system's owners and legitimate managers.

Security event: An occurrence in the system process related to security. For example: an attempted network intrusion from an unauthorized source.

SIEM: Security Incident and Event Manager (SIEM) is a set of tools used by IT professionals and system administrators to manage multiple security applications and devices and to respond automatically to resolve security incidents.

SmartProcess: SmartProcess software provides adaptive solutions that achieve optimum performance for equipment in a power plant. SmartProcess uses fuzzy logic, neural networks, predictive control, and other tools to offer the most advanced suite of optimization solutions available.

SMB: Server Message Block (SMB), also known as CIFS, is an application-level network protocol applied to shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network.

SMTP: Simple Mail Transfer Protocol (SMTP) is an Internet standard for email transmission across Internet Protocol (IP) networks.

SNMP: Simple Network Management Protocol (SNMP) is a User Datagram Protocol (UDP)-based network protocol. It is used by network management systems to monitor network-attached devices for conditions requiring administrative attention. SNMP consists of a set of standards for network management.

Trojan horse: A Trojan horse is software which appears to perform a useful and harmless action, but in fact performs another action that can harm your computer, such as transmitting a computer virus. In terms of Malware Prevention, a Trojan horse is any virus or trick that can invite a potential security threat into a securely protected area or space.

VPN: A Virtual Private Network (VPN) is a type of computer network. In a VPN some of the links between nodes are carried by open connections and, in larger networks (for example, the Internet), by virtual circuits instead of by physical wires.

VSPM: Vulnerability Scan and Patch Management (VSPM) is a set of tools that scans the system for any potential security weaknesses and provides patches to correct the security weakness. This information is reported to the SIEM tools.

Whitelist: A list of software programs considered safe to run on your system. Software programs not on the whitelist are blocked. See also Blacklist.

WMI: Windows Management Instrumentation (WMI) is the Microsoft implementation of Web-Based Enterprise Management (WBEM). It is the primary management technology for Windows operating systems, permitting management information to be shared between management applications.
1.5 Improvements for OSC 2.0 Update 1
Note: Due to the complexity of upgrading the SIEM portion of the OSC 2.0 Update 1, Emerson
recommends that you have your OSC updated by an experienced service representative.
Contact your local field support office or sales representative for advice on upgrading your OSC.

VSPM Patching
The Ovation Security Center 2.0 Update 1 introduces Lumension Endpoint Management and
Security Suite (LEMSS) 7.0. The following list identifies new or added features for OSC 2.0:
- Server 2008 (32-bit) and Windows 7 (32-bit) patch support.
- Server 2008 (32-bit) installation platform support.
- SQL Express 2008 database support.
- Enhanced user interface.
- Right-click support is available in many areas.
- Improved reporting.
- Automated endpoint discovery.
- Active Directory domain membership/login support.
- Uninstall protection.
- Kaspersky administration and Kaspersky support.
- Internet Explorer 7.0 or greater is required.
- Backup of server to network share or NAS support (Windows 2008 server only).

VSPM Vulnerability Scanner
- Server 2008 (32-bit) and Windows 7 (32-bit) vulnerability scan support.
- Server 2008 (32-bit) installation platform support.
- SQL Express 2008 database support.
- Backup of server to network share or NAS support (Windows 2008 server only).

Malware Prevention
The Ovation Security Center 2.0 Update 1 offers additional enhancements for Malware
Prevention:
- CoreTrace Bouncer v5.x.
- Server 2008 (32-bit) and Windows 7 (32-bit) whitelisting support.
- Kaspersky support.
- New user interface enhancements.
- Tokenless login support.
- Policies and collections removed; user-defined security groups with associated
rights/packages for systems.
- Instant trust of a running process; no reboots required.
- Trust a running process using the manager console.
- Better trusted domain user support.
- Common Event Format (CEF) support with syslog messages.

The Ovation Security Center 2.0 Update 1 introduces an updated version of NitroView, 8.5.3:
- WMI communication is limited to two ports for tighter router control.
- Data source configuration can be exported to a remote location so you can modify it and
import it to a Receiver.
- SIEM can read vulnerability data from VSPM SCAN software.
- SIEM can create and manage zones that can be used to categorize data sources on the
network.

1.6 IP address and password examples
IP addresses and passwords should be unique for your Ovation Security Center. Therefore, the
IP addresses and passwords originally used to configure your system must be changed after your
OSC is fully commissioned.
Example passwords and IP addresses are referenced throughout this document and they are
intended to be examples only. Be sure to review site addressing and password requirements and
configure your OSC with proper IP addresses and passwords.
The following IP address and password examples are noted in this section and are used
throughout this document.
Note: Once the VSPM software is loaded into the PC, the only way to change PC Name or IP
addressing is to format the PC and start over. IP addressing should be chosen prior to
installation.
The MP Managers only connect to the OSC Regular Scan Network; therefore, they have no OSC
Full Scan addressing.
MP IP address examples
MP password examples
1.6.3 Security Incident and Event Manager (SIEM) IP address and password examples
The SIEM only connects to the OSC Regular Scan Network; therefore, it does not have OSC Full
Scan addressing.
SIEM IP address examples
SIEM password examples
Account NGCP, password Security.4u
SECTION 2
2.1 Vulnerability Scan and Patch Manager (VSPM) overview
The Vulnerability Scan portion of VSPM is a network-based scanning function that performs a
comprehensive scan of the following devices on the Ovation network:
- Servers
- Workstations
- Routers
- Printers
- Switches
The purpose of the scan is to identify vulnerabilities such as missing patches and malware so that
any vulnerability can be quickly corrected before it can compromise the security of the Ovation
system.
The vulnerability scan captures a baseline of any discovered vulnerabilities and a history of how
those vulnerabilities are corrected for each server, workstation, controller, and network device.
All the information collected by the vulnerability scanner can be integrated into SIEM to provide a
complete picture of the overall risk situation for the Ovation system.
The scan function can also run detailed configuration checks that itemize ports, users, shares,
groups, agents, and services.
Vulnerability databases and scanning software updates are periodically downloaded through the
Emerson’s SureService OSC Support Module.
The Patch Manager portion of VSPM provides centralized patch status retrieval and distribution
for all Ovation Windows-based and Solaris-based operating systems, Ovation workstations, and
third-party software patches. The patch management function uses host-based application
software that is installed on each managed workstation to permit the remote installation of
software updates.
Critical security patches are validated through Emerson’s patch validation program within 30 days
of release from the original software vendor.
Patch update downloads are initiated from the Ovation Security Center and retrieved through
Emerson’s SureService Software Update program.
Patch distribution policies determine whether patches are automatically or manually distributed to
Ovation servers, workstations, and network devices. Patch management agents on the servers
and workstations ensure patch delivery and secure communications with the Ovation Security
Center.
2.2 Performing a clean Install of VSPM on Server 2008 SP2
Note: In most VSPM installations, you should not have a monitor, mouse, and keyboard
attached to the manager during normal operation. The VSPM should not be the interface to the
OSC appliances.
During the initial VSPM installation, a monitor, mouse, and keyboard can be connected
temporarily for ease of configuration and setup.
After you have connected the hardware mentioned in the note above, use the following steps to
perform a clean install of the VSPM on Server 2008 SP2.
Use the standard Microsoft installation procedures to perform a fresh install of Server Standard
2008 SP2.
Note: Any data on the PC will be lost when performing a clean install; therefore, you may want
to backup any files that you want to save.
1. Insert the Dell System Management Tools and Documentation disk into the DVD drive and
make the following selections.
a) Select the load operating system and answer the questions.
b) Enter Time, date, and time zone.
c) Enter the operating system (2008 SP2 32-bit).
d) Keep the RAID configuration.
e) Eject the disk automatically.
2. Insert the 2008 SP2 32-bit server disc when prompted and make the following selections:
a) Select a new load not upgrade.
b) Select Single volume (C:).
c) Select Full installation.
d) Next, install Windows.
e) The appliance reboots and completes the Windows server 2008 SP2 installation.
f) Enter the administrator password.
g) Disable Windows Update.
3. Select Start > Control Panel > Windows Update > Change settings. The Change settings
window appears.
4. In the Important updates dialog box, select Never check for updates (not recommended).
Check boxes should be unchecked.
5. Click OK.
Prior to installation of VSPM software, you must rename the computer to ensure proper operation.
8. Select the last remaining network connection, right-click, and select Disable.
3. Click New Rule in the right-hand pane. The New Inbound Rule Wizard window appears.
4. Select Port, and click Next on the Rule Type window.
5. Select TCP as the protocol, select Specific local ports, enter 205 in the Specific local ports
dialog box, and click Next on the Protocol and Ports window.
6. Select Allow the connection, and click Next on the Action window.
7. Enable all selections and click Next on the Profile window.
8. Enter SCAN Access as the name and leave the description blank on the Name window.
9. Click Finish.
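The same inbound rule, created and checked from the command line instead of the wizard, as an added example that is not part of the Emerson guide; it uses netsh, which is present on Server 2008 SP2 (the New-NetFirewallRule cmdlet only exists on Server 2012 and later), and assumes an elevated PowerShell session on the VSPM.

```powershell
# Added example, not from the Emerson guide: recreate the "SCAN Access" rule
# (inbound, TCP, local port 205, allow, all profiles) with netsh and verify it.
$ruleName = "SCAN Access"
$port     = 205   # TCP port the guide specifies for SCAN access

# Only add the rule when it is not already present, so the script can be
# re-run safely after a partial install.
$existing = netsh advfirewall firewall show rule name="$ruleName"
if (-not ($existing -match "Rule Name:")) {
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow `
        protocol=TCP localport=$port profile=any
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to add rule '$ruleName'" }
}

# Print the rule so Direction, Protocol, LocalPort, Action and Profiles can be
# checked against the wizard choices (In / TCP / 205 / Allow / Domain,Private,Public).
netsh advfirewall firewall show rule name="$ruleName" verbose
```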
10. Click the Privacy tab. On the Pop-Up Block, click Settings.
4. Click Next. On the Select Server Roles window, check Web Server IIS. A dialog opens telling
you that you need additional features. Click Add Required Features.
5. Click Next after the dialog disappears. The Introduction to the Web Server window appears.
6. Click Next. The Role Services window appears.
7. Check ASP.NET under Application Development. A dialog box appears.
8. Click Add Required Role Services.
Note: You may receive a warning that it cannot reach Windows update. This is expected.
6. Click Next. The Required IIS Features appear. The Security Features and Performance
Features should have a red X.
13. Enter the IP address in the Default server identity dialog box (if it is not already entered for
you). Emerson recommends using the IP address instead of the domain name.
Note: By default, clicking Finish will launch Lumension. If you do not want to launch
Lumension, uncheck Launch the Lumension EMSS check box and click Finish.
5. A Files in Use check begins. After the check completes, click Next.
6. Click Update to begin installation. Once the update completes, click Next.
7. Click Close.
2. Click Installation.
Note: The screen may flash, but eventually the SQL Server 2008 Setup window will display.
7. Click Next.
8. Select the default Perform a new installation of SQL Server 2008 option.
9. On the Product Key window, click Next. The options will be grayed out.
10. Click Next. The licensing window appears.
11. Accept the license terms to continue. Click Next.
12. On Features -> Instance Features, check the Management Tools option and click Next.
2. The Connect to Server window appears. In the Server name dialog box, make sure the server
name says <servername>\UPC.
5. Browse to AirGapScript.sql found on OSC VSPM 2.0 Update 1 Disc 1 in the folder
\LEMSS\SQLScripts.
6. Make sure the Available Databases pull-down menu says PLUS, not master.
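Steps 2 to 6 above run from the command line with sqlcmd, as an added example that is not Emerson's procedure; it assumes Disc 1 is mounted as D: and that sqlcmd.exe from the SQL Server 2008 tools is on the PATH, and it refuses to run the script unless the PLUS database exists on the UPC instance, which is the check step 6 asks for.

```powershell
# Added example, not from the Emerson guide: run AirGapScript.sql against the
# PLUS database on the local <servername>\UPC instance using Windows
# authentication, the same choices the SQL Server Management Studio steps make.
$instance = ".\UPC"                            # local shorthand for <servername>\UPC
$database = "PLUS"                             # must be PLUS, not master (step 6)
$script   = "D:\LEMSS\SQLScripts\AirGapScript.sql"   # assumes Disc 1 is D:

if (-not (Test-Path $script)) { throw "Script not found: $script" }

# Confirm the target database exists before running anything, so the script
# cannot silently execute in master if the LEMSS install is incomplete.
# -E = Windows authentication, -h -1 = no column headers, -W = trim spaces.
$check = sqlcmd -S $instance -E -h -1 -W -Q "SET NOCOUNT ON; SELECT name FROM sys.databases WHERE name = '$database'"
if ($LASTEXITCODE -ne 0) { throw "Could not query $instance (exit $LASTEXITCODE)" }
if (($check | ForEach-Object { $_.Trim() }) -notcontains $database) {
    throw "Database $database not found on $instance; check the LEMSS install"
}

# -d selects the database; -b makes sqlcmd exit non-zero if the script raises
# an error, so a failed air-gap configuration is not mistaken for success.
sqlcmd -S $instance -E -d $database -b -i $script
if ($LASTEXITCODE -ne 0) { throw "AirGapScript.sql failed (exit $LASTEXITCODE)" }
Write-Host "AirGapScript.sql applied to $instance / $database"
```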
2.2.17 Use the OSC 2.x License Request Tool and License LEMSS
1. Launch the License Request Tool from the link on the desktop or from Start > Programs >
PatchLink > License Request Tool. Launching the License Request tool may take several
seconds since the tool is enumerating local SQL Databases.
2. After launching, the Connect to Server window appears. Select the Windows
Authentication option and enter .\UPC into Server Name field.
3. Click OK. This connects you to the local server database of UPC (default LEMSS database).
The License Update Tool appears.
5. Click Open. Browse to the license text file provided by software licensing.
6. Click Open. The text will now appear in the License window.
7. Click Next to import the license. An Import License Data window appears and displays the
licenses that are being imported.
8. Click Finish. Click Yes to confirm the import. A window showing a successful import will
appear.
9. Click OK to close.
10. Click Close to exit the license tool.
Note: If the Web site does not open, make sure the address is a Trusted Site in IE - Internet
option - Security.
2. Log in with the original setup credentials. This is the account you were using when installing
LEMSS. The Web site opens (this may take a few minutes).
3. Enter the First name, Last name, and Company name of the primary contact under the
Customer Info tab.
4. Click on the Uninstall Password tab and configure an uninstall password. The uninstall
password is necessary to uninstall the LEMSS agent.
5. Click the Email Notifications tab. Enter the mail server IP address in the SMTP Host line,
and enter the correct email address in the ‘From’ email address. Confirm the domain (part
after the @) is correct for the site.
6. Click Apply, then Close. The LEMSS main screen appears.
7. Logout and close Internet Explorer.
2. Select all items in this directory and copy/paste them to the C:\Program
Files\Lumension\EMSS\Content\00000000-0000-0000-0000-
000000000000\EndpointComponents directory on the VSPM. Overwrite all files.
5. Click the Edit icon to the left of the Global System Policy.
6. Under Agent Version, verify it is set to Newest available. If not, click the current value and
select Newest available from the drop-down.
7. When finished, click Save in the bottom-right side to save the Policy set. The active clients
will begin to update automatically.
8. Click Tools > Options to verify that the installations use the newest client available.
9. Click the Agents tab and scroll to the bottom of the list to find Agent Versions. Both values
should read Newest available. If not, use the drop-down selections and change both clients
to Newest available.
6. Enter the Serial number and Registration Key. These numbers are found in the install
binder or contact Emerson Software Licensing.
7. Click Next. Registration information is displayed with the number of nodes licensed. Confirm
the proper amount.
8. Click Next. The Setup Type window appears.
9. Select Complete and click Next. The System Administrator Password window appears.
10. Enter the account password in both dialog fields. This is the initial password for the Admin
account to scan.
11. Click Next. The Identity of Scan Services window appears.
12. Accept the default of New Guard_Eng on Identity of Scan Services.
13. Click Next. This is the account on the local machine that will run Scan as a system service
and is necessary. The Create Windows Service Account dialog box appears.
14. Enter Security.4u in both dialog fields.
15. Click Next. This sets the password for the Guard_Eng account. The Ready to Install window
appears.
16. Click Install. Several progress bars appear throughout the installation cycle.
17. Click Finish after all progress bars have completed the installation cycle.
2. Launch kasp8.0.2090_adminkiten.exe from the \Kaspersky folder of OSC VSPM 2.0 Update
1 Disc 1. The InstallShield Wizard starts.
3. Click Next. The Location to save files window appears.
4. Click Next. The Welcome window appears.
5. Click Next. The License Agreement window appears.
6. Click Yes. The Installation Type window appears.
7. Select Custom then click Next. The Destination Folder window appears.
8. Click Next. The Select Features window appears.
9. Configure your selections as displayed in the Kaspersky Administration Kit window and click
Next.
13. Select the Microsoft SQL Server (SQL Express) option and click Next.
14. On the Administrator Server Properties window (Set Microsoft SQL Server Parameters)
perform the following:
a) Select Choose existing.
b) Enter the SQL Server Name. Type in or Browse for the {ServerName}\Guardian.
c) In the Database name dialog box, accept the default of KAV.
16. On the SQL Authentication Mode window, accept the default Microsoft Windows
Authentication Mode and click Next.
17. On the Set Server Shared Folder window, accept the defaults and click Next.
18. On the Set Server Ports window, accept the defaults and click Next.
19. On the Set Administration Server Address window, select the IP address from the pull-down
and click Next.
Note: Refer to the Using Kaspersky Antivirus Software with Ovation User Guide (CON_38).
Refer to the section called (Configuring the Administration Kit) and follow all the steps. Ensure
the VSPM is placed in Wave 1 as part of the load to be able to download updates. The machine
can be reassigned at a later time.
Join the VSPM to the domain if desired. This is recommended if the OSC will only be working on
one domain. Use the following procedure to join the VSPM to the domain.
1. Configure both the OSC Standard Scan and the OSC Full Scan network adapters with the
correct DNS settings. When configured, the primary DNS server will be the primary domain
controller. Enter a secondary DNS address if there is a backup domain controller.
2. Go to Start > Control Panel > System. Select Change settings under the Computer name
section.
3. Click Change.
4. Select Domain: Enter the correct domain.
5. Click OK.
6. A prompt for domain credentials appears. Enter domain administrator credentials to join the
domain. The user name will be in the form of <DOMAIN>\Administrator.
7. Reboot when prompted. Login as the domain administrator (in the form of
<DOMAIN>\Administrator) for the rest of the install.
8. Add the domain administrator into the LEMSS software. Log in to LEMSS using the local
credentials. Click Tools > Users and Roles.
a) Click Create.
b) Select the Adding existing local or domain users option.
c) Click Next. The Search for Users page opens.
d) In the Search for the following users field, enter the user name of the domain
administrator; prefix the user name with the domain (DomainName\UserName).
e) Select Login to the domain as.
f) Enter the User name, Password, and Domain name of the domain administrator.
g) Click Next. The Users Found page opens.
h) Select a User Role for the user. The role is Administrator.
i) Click Finish. The Summary page opens. Verify the summary data.
9. Click Close. The Create User Wizard closes.
2.2.25 Disconnect the monitor, mouse, and keyboard from the VSPM
Once the initial setup on the VSPM is complete, additional updates and patch deployments can
be done from the OSC UI.
If you have attached a monitor, mouse, and keyboard to assist you in loading the VSPM, they can
be removed at this point, and they can remain off during normal operation.
After you have completed a clean install of VSPM, continue the installation by following the steps
in VSPM updates and Ovation integration (see page 44).
2.3 VSPM updates and Ovation integration
After you have organized your patches into a separate file, the best practice for managing your
patches is to create a separate folder for each month to avoid importing the same patch twice. For
information on monthly patch updates, refer to Monthly patch organization (see page 44).
Note: This should be done from oldest to newest patches so anything new can overwrite older
patches.
6. Proceed to Import patches (see page 45) to complete the patch import.
Emerson releases patch updates monthly. These can be downloaded from the OSC Update Web
site with the correct SureService contract (http://updates.ovationusers.com/OSC/).
1. Copy the patch file to the directory on the C: drive called Emerson Updates.
2. Create a directory under C:\Emerson Updates named for the month in question. For
example: Apr-2012.
3. Extract the patch file to this directory.
4. Proceed to Importing patches (see page 45) to complete the patch import.
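A PowerShell helper, added here and not part of the Emerson guide, that lists the monthly folders under C:\Emerson Updates in true chronological order, the oldest-to-newest order the note above requires, by parsing the guide's MMM-yyyy folder names instead of sorting them alphabetically (alphabetical order would place Apr-2012 before Dec-2011). The root path is the guide's; the function name is an assumption.

```powershell
# Added example, not from the Emerson guide: order the per-month patch folders
# (named like Apr-2012, as the guide directs) chronologically so that imports
# run oldest to newest and newer patches overwrite older ones.
$root    = "C:\Emerson Updates"
$culture = [System.Globalization.CultureInfo]::InvariantCulture   # English month names

function Get-PatchMonthFolders {
    param([string]$Path)
    Get-ChildItem -Path $Path | Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $parsed = [datetime]::MinValue
            # Accept only names that parse as MMM-yyyy; anything else (for
            # example a stray download folder) is reported and skipped.
            $ok = [datetime]::TryParseExact($_.Name, "MMM-yyyy", $culture,
                    [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
            if ($ok) {
                New-Object PSObject -Property @{
                    Name  = $_.Name
                    Month = $parsed
                    Path  = $_.FullName
                }
            } else {
                Write-Warning "Skipping '$($_.Name)': not in MMM-yyyy form"
            }
        } | Sort-Object Month
}

# Print the import order; each line is one Import Wizard run (Browse to Path).
Get-PatchMonthFolders -Path $root | ForEach-Object {
    "{0}  ->  import from {1}" -f $_.Month.ToString("yyyy-MM"), $_.Path
}
```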
2. Click Next.
3. Select Import all the updates for this directory. Use the Browse button to select the folder
(created above) to import the files from.
4. Click Import. After the import has completed, the log file’s location will be displayed for you to
view during import.
Note: Depending on how many patches there are, initial import may take time.
5. Click Finish. Review the Log file, linked in blue, if errors are found. (The Log file’s location will
be displayed in the import screen). At this time, the patch updates will be available for
distribution to all clients.
Note: If a green check box window does not display, copy the Log File to investigate the import
failure. The log file may be deleted on reboot.
4. Select Tools > Download Agent Installer from the toolbar. The Download Agent Installers
dialog displays.
5. Select the endpoint's operating system from the Operating System drop-down list.
6. Select the agent version to download on the endpoint from the Agent Version drop-down list.
7. Click Download. A Download File dialog opens. Save the installer to the local machine as
well as a flash drive for later use. Name the file based on the OS selected, for example,
LMAgent2K8.msi, LMAgentXP.msi, and so on.
5. On the Lumension EMSS Server Information window, enter the IP address of the VSPM into
the Server identity box. Click Next.
The following figures illustrate three different statuses in the Status column, Initializing,
Working, and Idle.
1. Load the SCAN update files to a folder on the VSPM if you have not previously done so.
a) Gather all patch CDs provided by Software Licensing and download any additional patch
files from the OSC Update Web site.
b) Copy the patch files from the patch DVDs and OSC Update Web site to a single directory
on the VSPM appliance – this is done so that the import of the patches into the
Lumension database can be done in one import instead of multiple imports.
c) Create a directory on the C:\ drive called Emerson Updates.
d) Create a directory under C:\Emerson Updates called initial.
e) Copy all of the .upd directories into this location.
f) Copy only the newest Emerson Validated Patches.xml file to this folder. The file will be
overwritten every month.
2. Open the Lumension Scan (also known as SCAN). The SCAN Login screen appears.
6. Check the SCAN update version: click Help -> About. The third line down is the
Vulnerability Update Version number. Make a note of this version number for later use.
Note: Select any and all files above the current version number. If you select a file at or below
the current version number displayed in the About, it will error out.
Note: The update process takes several minutes depending on the number of updates
selected. The circling arrows are the only indication that the import process is occurring.
You can click the Run in the background button, but no indication of completion will be given.
14. Once completed, the circling arrows disappear. Click Cancel to close the Updates window.
15. Repeat until all SCAN updates are in.
16. Confirm the version number is correct.
2.3.7 Update SCAN to the current Emerson Validated Patched Vulnerability set
1. Click Tools -> Manage Vulnerabilities (or press Ctrl-Shift-V).
2. Click Custom Vulnerabilities tab.
3. Click Import at the top-right.
4. Select Vulnerability Set(s) from the dialog box.
5. Click Next.
6. Browse the Current Month folder for the file Emerson Validated Patches.xml and click
Open.
7. Click Finish. The file imports.
8. Click Save to close the window.
5. Change Rows per page to include all vulnerabilities so they can be deployed together.
6. Select the check box to the left of Vulnerability Name to select all vulnerabilities for that
deployment wave.
8. Select the Deploy button near the top of the page. The deployment wizard appears with the
Available Devices/Groups screen.
9. Click Next. Verify that the number of selected computers matches the number in the
deployment group.
10. Click Next. A list of selected vulnerabilities to be deployed displays.
11. Click Next. Select I ACCEPT for all disclaimers.
12. Click Next. Enter a job name for the deployment.
13. Click Next. The Package Deployment Order and Behavior window displays. This window
shows how the patches chain together and reboot the machines.
14. Click Next. This displays the notification options. The reboot notifications can be changed for
the deployment. Make any modifications.
15. Click Next. This displays the summary screen.
16. Click Finish.
17. Click Close to close the deployment wizard window.
3. Click Check for deployments. The box turns orange indicating that Lumension is deploying
patches. The following picture illustrates an orange box with a message that the deployment
service is running.
A monitor with a clock and a green circle indicates patches are being deployed and
can be monitored.
A green circle indicates the machine is scanning itself for what patches it has /
needs.
3. Select the Update View button to refresh the status.
4. Once all the endpoints' statuses are Idle, the patch deployment is completely finished.
5. Click Review > My Default View. The list of all patches still required for all machines
appears.
6. Only one patch should remain, TCPVCON, because this patch is always considered
unpatched by design. Old Java version patches may also be present; this is okay.
7. If there are other patches still considered Not Patched, perform the following:
a) Click the Vulnerability Name. A screen detailing this vulnerability’s status is displayed.
The first tab is Not Patched which will show all machines not registering this patch as
being installed.
deployment will have a symbol. If a failed deployment is the reason for a patch still
requiring deployment, begin troubleshooting the failed deployment.
e) If there is no mention of the patch in the Deployments tab, this is most likely a patch that
is now required due to a previous patch being applied. Go through Steps 3 – 8c again
until all patches are pushed out.
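As an added example (not part of this guide or of the Lumension product), the following Python script applies the check in steps 6 and 7 to a Review > My Default View list exported to Export.csv (see Exporting data): every vulnerability still Not Patched is flagged for follow-up unless it is TCPVCON or an old Java version. The CSV column names and the sample rows are constructed assumptions.

```python
import csv
import io
import re
from typing import Dict, List

# Patches the guide says may legitimately remain "Not Patched" after a full
# deployment wave: TCPVCON (always reported unpatched by design) and old Java versions.
ALWAYS_UNPATCHED = {"TCPVCON"}
OLD_JAVA_PATTERN = re.compile(r"\bjava\b", re.IGNORECASE)

# Constructed sample of an Export.csv from the My Default View list. The column
# names are an assumption; the real export's headers depend on the exported view.
SAMPLE_EXPORT = """\
Vulnerability Name,Status,Endpoint
TCPVCON,Not Patched,CLIENT01
Java(TM) 6 Update 31 (Old Version),Not Patched,CLIENT01
Security Update A,Not Patched,CLIENT02
Security Update A,Patched,CLIENT01
Security Update B,Not Patched,CLIENT02
Security Update B,Not Patched,CLIENT03
"""


def is_expected_residual(name: str) -> bool:
    """True if the guide says this patch may legitimately stay Not Patched."""
    name = name.strip()
    return name in ALWAYS_UNPATCHED or OLD_JAVA_PATTERN.search(name) is not None


def unexpected_not_patched(export_text: str) -> Dict[str, List[str]]:
    """Map each unexpected Not Patched vulnerability to the endpoints reporting it."""
    findings: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        # Only rows the server still considers Not Patched matter here.
        if row["Status"].strip().lower() != "not patched":
            continue
        name = row["Vulnerability Name"].strip()
        if is_expected_residual(name):
            continue
        findings.setdefault(name, []).append(row["Endpoint"].strip())
    return findings


def report(export_text: str) -> str:
    """Human-readable summary: either all clear, or the patches needing step 7."""
    findings = unexpected_not_patched(export_text)
    if not findings:
        return "Deployment complete: only expected residual patches remain."
    lines = ["Patches still Not Patched that need follow-up (check the Deployments tab):"]
    for name, endpoints in sorted(findings.items()):
        lines.append(f"  {name}: {', '.join(sorted(endpoints))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
```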
Note: This must be done on any client computers before whitelist protection from OSC
Bouncer is applied.
2. Open a Web-browser and navigate to the Update server Web site (http://192.168.124.33).
3. Log into the VSPM appliance using the following:
Username: Administrator
Password: Ovation
4. Select Tools -> Download Agent Installer. The Download Agent Installers window opens.
Note: For XP systems with IE6, click the Download Agent Installer link in the upper-right
corner.
5. From the Agent tab, select the proper Operating System from the drop-down list (this
will be the local client Operating System). The Agent Version updates accordingly.
6. Click the Download button.
7. Select the Run option. A window displays with the following: Verifying LMAgent.msi from
192.168.124.33. After a few minutes the Internet Explorer - Security Warning window
appears.
8. Select Run. The installation continues. The Welcome to the Lumension EMSS Agent
Wizard window displays.
9. Click Next. The Licensing Agreement window appears.
10. Accept the License Agreement to continue.
11. Click Next. The Destination folder window appears.
12. Click Next. The Lumension EMSS Server Information window appears.
13. Enter the IP address of the Lumension Server in the Server Identity field (for example
192.168.124.33).
14. Click Next. The Installation Ready window displays.
15. Select Install. The installation begins and the Installation Wizard Complete window displays.
16. Click Finish. The installation is complete.
2.4 VSPM user account information and Lumension Update procedures
Note: You should notice spin animations on the opening Webpage when it draws the graphs.
You should also notice spin animations on machines doing DAU or Deployments and in other
areas such as the Manage Endpoints area.
Note: Password complexity should be consistent with your organization's password security
policies. Typically, to ensure password strength, Emerson suggests that you use a password
with eight or more characters with a combination of numbers and upper- and lower-case letters.
User names may be between 1-20 characters in length and cannot include any of the following
characters: ‘ \ ” @ ^ % & { } ( ) [ ] ; < > ! # : ? ‘ / * = |
Passwords are case sensitive and must meet the password rules defined by local and/or domain
password policies.
Note: Although a Password Strength indicator is provided to display the strength or weakness of
your password, the actual password policy is defined by Windows.
The Full Name, Office Phone, Cell Phone, Pager, E-mail, and Description fields are not validated
and apply no formatting rules other than maximum length of 25 characters.
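As an added example (not part of this guide or of the Lumension product), the following Python functions encode the user-name rules above (1-20 characters, none of the listed characters) and Emerson's suggested password strength (eight or more characters mixing digits and upper- and lower-case letters). Because the printed character list shows the apostrophe twice, the second occurrence is assumed to be a backtick; the binding password policy remains the one defined by Windows.

```python
import re
from typing import List

# Characters the guide lists as not permitted in a user name. The backtick is an
# assumption (the guide's list prints the apostrophe twice).
FORBIDDEN_USERNAME_CHARS = set("'\\\"@^%&{}()[];<>!#:?`/*=|")
USERNAME_MIN_LEN, USERNAME_MAX_LEN = 1, 20


def username_problems(name: str) -> List[str]:
    """Return the reasons a proposed user name violates the guide's rules (empty if valid)."""
    problems: List[str] = []
    if not USERNAME_MIN_LEN <= len(name) <= USERNAME_MAX_LEN:
        problems.append(
            f"length {len(name)} is not between {USERNAME_MIN_LEN} and {USERNAME_MAX_LEN}"
        )
    bad = sorted(set(name) & FORBIDDEN_USERNAME_CHARS)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    return problems


def meets_suggested_strength(password: str) -> bool:
    """Emerson's suggestion only: 8+ characters with a digit, a lower-case and an
    upper-case letter. Passwords are case sensitive; Windows/domain policy still governs."""
    return (
        len(password) >= 8
        and re.search(r"\d", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[A-Z]", password) is not None
    )


def new_user_problems(name: str, password: str, confirm: str) -> List[str]:
    """Pre-check the required Create User Wizard fields before submitting them."""
    problems = ["user name: " + p for p in username_problems(name)]
    if not password:
        problems.append("password: required field is empty")
    elif password != confirm:
        problems.append("password: Password and Confirm Password do not match")
    elif not meets_suggested_strength(password):
        problems.append("password: does not meet the suggested strength (8+ chars, mixed case, digit)")
    return problems


if __name__ == "__main__":
    for user, pw, conf in [("ovation_operator", "Turbine42Hall", "Turbine42Hall"),
                           ("bad@name", "short", "short")]:
        print(user, new_user_problems(user, pw, conf) or "OK")
```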
4. Enter the user credentials and contact information for the new user. User Name, Password,
Confirm Password, and Role are required fields.
5. Select a Role (Administrator, Manager, Operator, or Guest) for the user from the drop-down
window list.
6. Click Next. The Confirm User page opens. Confirm the user information.
7. Click Close. The Creation Summary page opens.
8. Click Close to exit the wizard.
9. The new user is created, added to Windows, and granted the appropriate access to the
Update Server.
Adding a user imports an existing Windows user into the Lumension Update database and access
group. You can also import a user from an existing domain by logging into that domain as a domain
user.
1. Click Create in the User Management window. The Create User Wizard opens.
2. Select the Adding existing local or domain users option.
3. Click Next. The Search for Users page opens.
4. In the Search for the following users field, enter a user name or enter the beginning
characters of one or more user names. Use semicolons to separate user names. To search
for users within a specific domain, prefix the user name with the domain
(DomainName\UserName).
If searching using the domain, select Login to the domain as.
Enter the User name, Password, and Domain name.
Note: There must be a secure connection between the domain and the Update Server's domain;
if not, you are unable to access the Update Server.
Editing user profile information allows you to change the role assigned to a user as well as update
the user's contact information. If you have the correct Change Password access, you can edit
other users' passwords using the procedure defined in To change a user password (see page
60).
1. From the Users grid located under Action, click the Edit user details icon associated with the
user profile. The Edit User Wizard opens.
2. Make the necessary modifications as defined in To create a new user (see page 58).
3. Click Finish to exit the wizard when complete.
Changing a user password in Lumension Update also changes the user's Windows password on
the (physical) Update Server.
Note: Passwords are case sensitive and must meet the password rules defined by local and/or
domain password policies. Although a Password Strength indicator is provided to display the
strength or weakness of your password, the actual password policy is defined by Windows.
Removing a user from Lumension Update disables their access to the Update Server without
deleting the user’s Windows account. Once removed, the user is deleted from the Update Server
database and is removed from the user list in the User Management page.
Note: You cannot remove or delete a user that has been assigned the Administrator role or a
custom role that has been given the Manage Users access permission. You must first edit the
user, change the user’s role, and then remove or delete the user.
Deleting users from Lumension Update disables their access to the Update Server and deletes
their Windows account.
2.5 Navigation bar menu map
Note: Deleting a user removes the user's access to Lumension Update and also deletes the
user from the device and/or Active Directory.
Note: The Lumension appliance receives periodic software updates. You can access the
Lumension Update application from any Internet browser for update information.
This menu organizes product features based on functionality. When you select a menu item (or
sub-menu item), a new page, dialog box, wizard, or window opens. You can access all features of
the system that your access rights authorize from this menu.
The following table maps to which page a menu (or sub-menu) item opens.
Navigation Menu
2.6 Exporting data
Note: Any unavailable or absent menus, menu items, or sub-menu items are due to restricted
access rights. Contact your network administrator if you require access to unavailable features.
Note: The Enhanced Security Configuration feature for Internet Explorer suppresses export
functionality and must be disabled to export data successfully. Pop-up blockers in Internet
Explorer or other supported browsers may also suppress export functionality and should be
disabled.
OPTION DESCRIPTION
Open - Creates the file and opens it in your default (.csv) program.
Save - Creates the file and saves it to a specified local folder. The file is saved in a Microsoft Office Excel (.csv) format. The file is named Export.csv, with the exported file containing data based on list data.
Cancel - Cancels the export.
Note: These instructions are intended for Microsoft Internet Explorer users. If you are using
Mozilla Firefox, this procedure differs slightly. All data results, not just the selected results, will
export.
2.7 VSPM Groups
The Groups browser lists the names of each custom parent group, child groups, system groups,
and custom groups. From this page, you can access group information by expanding the group in
the directory tree or proceed to the Group Information page by clicking a group name.
The Groups page displays information about a specific group. This information is classified into
the following views:
Group Information.
Group Membership.
Device Membership.
Mandatory Baseline.
Device Group Vulnerabilities.
Device Group Inventory.
Device Group Policies.
Device Group Roles.
Device Group Dashboard.
Device Group Settings.
VSPM provides pre-configured groups. However, you can also create custom groups. Populate
custom groups with desired endpoints. You can only create custom groups within the Group
Browser custom group hierarchy.
Note: Refer to the Lumension User Guide, located on your Ovation Security Center CD, for
additional information about Groups.
You can view the list of groups using the directory tree. Click the expand icon to view Custom
groups, System groups, and Directory Service groups. By continuing to expand the tree, you can
view the parent group and each child group associated with it. To display detailed group
information, select the Group name. Use the View drop-down list to access the functions within
the Groups page.
The nesting of groups enables the creation of hierarchical relationships that can be used to define
inherited group membership. Using the policy inheritance feature, you can use parent groups to
apply the same policies to multiple child groups.
A Parent and Child group relationship refers to a group that contains one or more group
hierarchies underneath it. Each group must have one, and only one, parent; however, a parent
can have multiple child groups.
Note: Within the Group Membership view, you can only edit the group name and description. To
edit group behavior, use the Roles, Policies, Membership, Settings, or Mandatory Baseline view.
The My Groups group Name and Description cannot be edited. Additionally, within the System
Groups and Directory Service Groups hierarchies, only group Descriptions can be edited, not
their Names.
Note: Only groups within the Custom Groups hierarchy can be deleted. Deleting a group does
not prevent an endpoint within that group from deploying, rebooting, or scanning; these tasks
occur at the endpoint level.
After creating a group, you can change its position within the Group Browser directory tree. You
can only move groups within the Custom Groups hierarchy.
Note: When moving a group, if the group is configured to inherit agent policies, roles, or
baseline settings, the group inherits those values from its new parent.
Note: Additional information about viewing groups can be found in the Lumension Endpoint
Management and Security Suite User Guide located on your OSC CD.
Note: Additional information about endpoints can be found in the Lumension Endpoint
Management and Security Suite User Guide located on your OSC CD.
Note: Typically, when an endpoint no longer fits within the context of a group (for example, it no
longer requires content applicable to the rest of the group), remove it from the group. You can
re-add endpoints at any time.
This view lists the endpoints that hold membership in the selected group. If the group selected is
a custom group, you can also use this view to add endpoints. Use this view to manage endpoints
assigned to the selected group.
This view also offers a number of features available from the Endpoints page: group deployments,
remote agent installation, endpoint scanning, endpoint rebooting, and so on.
The Device Membership View toolbar contains buttons related to the management of endpoints
within the selected group. This toolbar also offers extensive control over endpoints within the
group.
The Device Membership View list displays the endpoints that hold membership in the selected
group, along with information about their agents, agent statuses, and addresses. This list only
includes endpoints directly assigned to the group.
Add endpoints to a group when those endpoints serve a similar function. Adding endpoints to a
group lets you manage them collectively. You can only add endpoints to custom groups.
2.8 Using Endpoints
When an endpoint no longer fits within the context of a group (for example, it no longer requires
content applicable to the rest of the group), remove it from the group. You can re-add endpoints at
any time. Group endpoint removal takes place from the Device Membership view.
The Endpoints page contains a listing of all devices that have an agent registered with the
LEMSS. From this list of endpoints, you can access the device details. The device details include
device-specific information such as associated vulnerabilities, inventory information, and
deployment history.
The Inventory page provides a way to identify all the operating systems, software applications,
hardware devices, and services installed and running on the devices registered to the LEMSS.
The Endpoints page manages the computers and devices on your network. Endpoint
management describes the process by which the LEMSS server queues commands that will be
sent to the endpoint using the agent. When the agent contacts the server, the commands are
executed.
The Information tab displays important information about the endpoint. The page displays general
information organized into endpoint, agent, group, and policy sections. The Information tab
contains the endpoint assessment tasks and functions that are available for you to perform on
managed endpoints.
The fields that appear in the Endpoint Information section of the Information tab contain identifier
and operating system details.
Note: To view all devices, select the Include Sub-Groups check box.
Note: Enabling an endpoint includes the endpoint in the content management activities of the
LEMSS. An enabled endpoint consumes an agent license.
2.9 Patch deployment
Note: Before an endpoint can be deleted, it must be disabled. Deleting an endpoint removes it
from the list of managed endpoints in LEMSS.
A deployment comprises all the necessary information to perform the task(s) associated with the
vulnerability. This includes files and required scripts for installing a patch, stopping a service,
validating a system condition, or changing a database entry. Deployment is the mechanism that
carries and supports a package.
Several key concepts and status indicators are associated with a deployment. These concepts
are used to define deployment behavior.
2.9.2 To create groups of devices for patch deployments and vulnerability scans
1. Remote desktop into the VSPM appliance (192.168.124.33).
2. Start the Patchlink update interface and log in.
3. Verify that all devices that have been installed are in the devices list.
4. Select the Devices tab.
6. Select Save.
7. Repeat steps 4 - 6 for each group.
2.10 Using the Deployment Wizard
The following table describes the scenarios for a deployment. These options are selected prior to
starting the Deployment Wizard.
Deployment Actions
The Introduction page of the Deployment Wizard explains the purpose and capabilities of the
wizard.
This page can be hidden during future deployments by selecting the Do not display this page in
the future check box.
You can use the Available Devices/Groups page of the Deployment Wizard to select devices and
groups to receive a deployment.
This page displays the devices grouped by operating system. Groups are displayed in a directory
tree formatted by user groups, system groups, or directory service groups.
Note: In cases where you initiate the deployment by selecting the content first, and then
selecting devices and groups to add to the deployment, the application evaluates the
applicability of the deployment for the groups or devices that you select.
If an individual device does not meet the conditions required for the deployment (for example, a
device lacks a software prerequisite), then the device cannot be added to the deployment. If all of
a group's device members fail to meet the conditions required for the deployment, the group
cannot be added to the deployment. If the content is applicable for a device and the device has
not received the content already, the device is added to the deployment automatically.
Device deployments are deployments that are created for individual endpoints, regardless of
group membership.
1. From the Available Devices list, select the Device OS Name required. The list of endpoints
within that operating system displays.
2. Select an endpoint from the list. The endpoint(s) are highlighted.
3. Click Next. The Available Packages page opens.
You can select single groups, multiple groups, and group hierarchies (groups cascading down
from a parent) using the Available Groups directory tree. This method enables you to select
multiple groups for a deployment without having to create deployments for each individual group.
When selecting a group from the Available Groups directory tree, the following will occur:
If a parent group is selected first, all children groups are also selected. The group selection is
represented by a green check mark.
If any of the children group check boxes are cleared, the green check mark changes to a
green square. This indicates that while the parent group is selected, the entire child hierarchy
is not.
Note: If devices are added to a group after a deployment is created but before the deployment
occurs, the newly added devices will receive the deployment.
1. From the Available Groups directory tree, select the group or groups requiring the
deployment.
2. Click Next.
You can select the packages to be deployed using the Available Packages page of the
Deployment Wizard.
This page displays the packages (grouped by manufacturer) that apply to the endpoints selected
on the Available Device/Groups page.
1. Select the vendor name required for the deployment. The list of associated packages
displays in the Available Packages window.
2. Select the packages needed. Click the arrows to page through the available packages, if
needed. The packages are selected and highlighted.
Note: Selecting the Package Name check box selects all of the packages available in the list.
3. Click the Package Name link to open the Associated Vulnerability Analysis page. For more
information, refer to the Associated Vulnerability Analysis Page (see page 78).
4. Click Next to proceed to the Licenses page.
When using the Deployment Wizard, the wizard will not install the Service Packs first. Verify that
all relevant Service Packs have deployed successfully before creating deployments using the
Deployment Wizard.
The Associated Vulnerability Analysis page shows the applicability of the security content for the
endpoints associated with the deployment.
NAME DESCRIPTION
You can accept the license agreement associated with the selected vendor packages using the
Licenses page of the Deployment Wizard. This is a required step in deploying content.
The Licenses page of the Deployment Wizard displays the end user license agreements
associated with the vendor packages. Any license agreements displayed on the page must be
accepted prior to continuing the deployment.
You can control the user notification options associated with a deployment using the Deployment
Information page. You can set the deployment job name, start time, manner, and add notes.
Deployment information consists of identifiers for the deployment job and deployment task, timing
of the deployment, and deployment manner.
FIELD DESCRIPTION
Job Name - The display name of the deployment job.
Task name - The editable display name of the deployment task. The Package Name variable will be replaced with the name of the package included in the task.
2. If desired, edit the Start time. For information on configuring a deployment schedule, refer to
the Deployment Wizard Schedule Configuration page (see page 79).
3. Select the desired Deployment time zone option.
The following table defines the options.
OPTION DESCRIPTION
Agent Local Time - Deploys at local time for each individual node.
Agent UTC Time - Deploys at UTC time for each individual node.
OPTION DESCRIPTION
The Schedule Configuration page of the Deployment Wizard is used to define whether a
deployment is one-time or recurring and the appropriate options for each.
You can set the timing and frequency of a deployment using the Schedule Configuration page.
Note: If devices are added to a group after a deployment is created but before the deployment
occurs, the newly-added devices will receive the deployment.
Month
And if defined, ends on a specific date.
1. From the Deployment Wizard - Deployment Information page, click Change, located in the
Start Time section of the page. The Schedule Configuration page opens.
2. Select Recurring.
3. In the Occurs field, select Daily. The Deployment Wizard displays the Daily Deployment
Options field.
4. From the Daily Every X Days drop-down list, select the frequency. The valid options are: 1
through 365.
5. Select the frequency of the deployment.
Occurs once a day at the scheduled start time - the deployment starts at the same time
as scheduled in the Schedule Configuration page.
Occurs every - the valid options are 1 through 60 if minutes are selected and 1 through
24 if hours are selected.
6. Continue to Selecting the Deployment Start and End Functions on page 220 of the
Lumension Endpoint Management and Security Suite 7.0 SP1 User Guide.
1. From the Deployment Wizard - Deployment Information page, click Change, located in the
Start Time section of the page. The Schedule Configuration page opens.
2. Select Recurring.
3. In the Occurs field, select Weekly. The Schedule Configuration page displays the Weekly
Deployment Options field.
4. From the Every X week(s) on: Mon, Tue, Wed, Thur, Fri, Sat, Sun, select the deployment to
be scheduled every X weeks on the selected days.
5. Continue to Selecting the Deployment Start and End Functions on page 220 of the
Lumension Endpoint Management and Security Suite 7.0 SP1 User Guide.
1. From the Deployment Wizard - Deployment Information page, click Change, located in the
Start Time section of the page.
2. Select Recurring. The Recurring Deployment window opens.
3. In the Occurs field, select Monthly. The Schedule Configuration page displays the Monthly
Deployment Options fields.
4. Select the frequency of the deployment:
Day X of every X month(s) - Schedules the deployment on a specific date every X
months. Valid date options are 1 through 31, with the ability to choose 1 through 99
months.
The Xth Weekday of every X month(s) - Schedules the deployment to be run on a
specific day every X months.
- The valid day options are: 1st, 2nd, 3rd, and 4th.
- Last weekday options are: Sunday through Saturday, Day, Week day, or Weekend day.
- Monthly recurrence options are: 1 through 99 months.
5. Continue to Selecting the Deployment Start and End Functions on page 220 of the
Lumension Endpoint Management and Security Suite 7.0 SP1 User Guide.
Several options are available for you to configure the timing and frequency of a deployment.
The frequency fields specify date and time deployments. Review the table to determine
scheduling needs.
SELECT: TO:
12 hour, 24 hour - Set the schedule to either a standard 12-hour format or a 24-hour format.
Occurs once at - Set the deployment to occur once daily at the time defined here. Note: Agent communication interval and Hours of Operation (HOP) settings modify the actual deployment time.
Occurs every - Set the deployment to occur multiple times on the scheduled day, between the hours defined in the starting at: and ending at: fields with a delay of the defined hours or minutes.
Start Date - Schedule a recurring deployment to begin at a later date. Defaults to the current date.
No End Date - Continue with the defined recurrence schedule and no defined end date.
End Date - Activate the end date calendar function and define the date the deployment will no longer be deployed.
Click Next to save the changes and return to the Deployment Options page.
You can set the behavior options for each of the packages associated with a deployment using
the Package Deployment Behavior Options page of the Deployment Wizard. The package options
are active or inactive, depending on the patch selected.
Note: Modification of a package's behavior options will cause the package order to be
re-evaluated by the Deployment Wizard, which may result in a change in the package order.
You can designate how a deployment appears on endpoints when the deployment occurs using
package display options.
OPTION DESCRIPTION
Click Save to save the changes and return to the Package Deployment Order and Behavior page.
You can define whether users receive notification of deployments and/or reboots, and if so, what
the notification contains using the Notification Options page of the Deployment Wizard.
Note: When an agent is installed on a server where multiple users are logged in simultaneously,
the deployment manager will provide each user with the ability to snooze or reject the
deployment and/or reboot if snooze or reject is enabled.
You can determine what users can do after they receive a deployment.
Notification Options
Use Policies - The defined policies for each agent are used. Selecting this option disables all other deployment notification options.
Do not notify users of this deployment - There will be no user notification for this deployment, and the deployment will occur automatically. Selecting this option disables all other deployment notification options (except agent policies).
Notify users of this deployment - The user will be notified prior to installation of this deployment.
Message - This field contains the message the user will see when notified about this deployment. The {%Package_Name%} variable will be replaced with the Package Name, allowing you to enter custom text before or after the package name.
Allow user to cancel - The user can cancel the deployment.
Allow user to snooze - The user can postpone the deployment.
Notification on top - The deployment notification displays on top of other open windows.
Deploy - If selected, the time specified in the fields below is used to start the deployment.
Within - You can set the time frame in which the deployment occurs.
By - You can specify the specific time at which the deployment will occur. For example: 12/22/2008 5:07 PM.
Reboot Within - You can set the time frame in which the deployment occurs.
The Deployment Confirmation page of the Deployment Wizard displays a summary of the options
selected for the deployment. This information is provided for your verification before creating the
deployment.
COLUMN DESCRIPTION
Job Name: Indicates the name given to the deployment job defined in the Deployment Options page.
Schedule: Indicates the schedule for the deployment defined in the Deployment Options page.
Manner: Indicates whether these deployments are Sequential or Parallel. If the deployment is
Sequential, indicates how many deployments will be distributed at once.
Deployment Notification: Indicates if users will receive a deployment notification (as defined
under the Notification Options page).
Reboot Notification: Indicates if users will receive a reboot notification, if the deployment
must reboot (as defined under the Notification Options page).
Total Selected Packages: Indicates the total number of packages selected for deployment.
Total Selected Devices / Groups: Indicates the number of groups selected, if the deployment is a
group deployment. If the deployment is for individual devices, indicates the total number of
devices selected.
Notes: Indicates the creator and the creation date of a deployment.
2.11 Reports for VSPM
LEMSS offers multiple predefined report templates that list and/or depict data collected during
network management. The data included in these reports ranges from general (endpoints, packages)
to highly detailed (vulnerabilities specific to a vendor). Reports are created by selecting a
report type and defining its parameters.
Reports cover a range of indicators and can be customized to cover a general category (devices,
packages) or focus on specific elements of your network (for example, vulnerabilities specific to a
particular vendor). Targeted reporting is done through selecting an appropriate report type,
defining the parameters of a report, and by customizing report criteria through the Search feature.
Report formats vary. Some reports are in an HTML (.html) file format, while others are in a PDF
(.pdf) format.
Note: Additional information about reports can be found in the Lumension Endpoint
Management and Security Suite User Guide located on the Ovation Security Center CD.
The report description summarizes reports selected from the Display list. Read this for a brief
overview of the report you have selected.
The following table describes the fields that appear in the report description, including the header.
FIELD DESCRIPTION
Report Description Header: The name of the report currently selected from the Display list.
Type: The data source of the report. Report data derives from either agents or network-based
scans (discovery scan jobs).
Category: The category of the report.
Format: The format of the report (PDF or HTML).
The following table provides a brief description of the reports provided with Scan.
Executive Summary Classic: Presents a summary of general network and vulnerability status by
resource.
Frequency Count Risk Summary: Displays summary information and frequency of a user-specified
vulnerability type.
Frequency Count Detail: Displays detailed information and frequency counts of a user-specified
vulnerability type.
Job Configuration: Shows the discovery and management options used by a specific job.
Job Summary: Shows a summarized list of vulnerability counts by device.
Local Services: Reveals the number of unique services found, including services found on each
device.
Long-term Trending: Presents a record of data changes over a user-specified time frame.
Network Inventory: Shows network inventory information such as Operating System, MAC Address,
IP Address, NetBIOS Name, and so on.
Ports and Banners: Reveals the ports found open.
Scan Summary: Shows a list of scans run and the vulnerabilities found, sorted by device.
The following table provides a brief description of the reports provided with Update.
Compliance: Agent-Based: Displays agent compliance against user-specified vulnerability policies
or sets.
Compliance: Composite Assessment: Displays a combination of the Compliance: Network-Based and
Compliance: Agent-Based reports.
Composite Inventory: Presents Agent details and inventory within the specified agent group(s)
and job.
Deployment History: Reveals the deployment details for the specified patch deployments.
Deployment Status: Displays the current status for the specified patch deployments.
Job Remediation: Displays the vulnerabilities found by a specified job, by the vulnerability
reference ID.
From the Available Reports List, selecting Device Status Report displays the Application
Reporting Device Status Report Parameters page. The report definition page is where you define
the data to include in the report.
The following table describes the parameters used when generating reports. Each report includes
at least one parameter.
SELECT TO
Devices Choose from a list of all available devices that you have permission to view. All available
devices are shown in the Available Devices list. Click a single device or use the CTRL and
SHIFT keys to select multiple devices.
Note: All access is limited to the users with access to all Devices or with Enable
Administrative Reports access rights.
Groups Choose from a list of all available groups within the Update Server that you have
permission to view. All groups are shown in the Available Groups list and all of the devices
belonging to the selected group and its child groups are included in the report. Click a
single group or use the CTRL and SHIFT keys to select multiple groups.
Note: All access is limited to the users with access to all Groups or with Enable
Administrative Reports access rights.
Deployments Choose a deployment from a list of all available deployment names. All available
deployments are shown in the Available Deployments list. Click a single deployment or
use the CTRL and SHIFT keys to select multiple deployments.
Packages Choose from a list of all available packages. All available packages are shown in the
Available Packages list. Click a package name or use the CTRL and SHIFT keys to select
multiple packages.
Vulnerabilities Choose from a list of all available vulnerabilities identified by the Update Server. All
vulnerabilities are shown in the Available Vulnerabilities list. Click a vulnerability name or
use the CTRL and SHIFT keys to select multiple vulnerabilities.
Date Range Choose from a list of all deployments that occur within the selected dates. You can also
display the time in 12- or 24-hour format and as the Update Server local time or UTC time.
Lumension Endpoint Management and Security Suite provides multiple pre-defined reports.
These reports comprehensively detail your computing environment, reflecting your content and
vulnerability management activities. Generate reports to brief management or to view network
behavior and statistics. Reports are generated from the All Reports page.
Add parameters to the Selected Parameters list using the Include or Include All arrows.
Select parameters from the available drop-down lists, data grids, or list boxes.
Note: Refer to Available Reports on page 418 of the Lumension Endpoint Management and
Security Suite User Guide and the individual report descriptions for details on required and
optional parameters.
The search feature, within HTML (.html) reports, provides standard searching on a word matching
basis (exact and partial matching). The search is conducted against the Update Server database.
Some general rules include:
Search does not support the use of Boolean search commands (AND, OR, NOT, nesting (),
and so on.)
Search terms are not case sensitive. All letters are treated as lower case. For example, the
search term WIN is treated the same as "win" and generates the same results.
To show all results, remove any content from the Search text box (leave blank).
To search, enter the search term in the Search text box and click Update List. To return to
the pre-search results, click from the list of available options in the Parameters list box.
Some reports generate date range data. For these reports, you have two options to change how
this data is formatted:
Local time (this is the date and time established by the Update Server).
UTC Time (Coordinated Universal Time).
The following table describes the options for reports that generate date and time information.
OPTION DESCRIPTION
Local Time The date and time established by the Lumension Endpoint Management and Security Suite
server.
UTC Time (Coordinated Universal Time), also known as Universal Time or Zulu Time; for reporting
purposes it is the same as Greenwich Mean Time (GMT).
Once the report is created, you have the option of switching to a printable view for printing or
exporting the report into another file format.
Reports are presented in standard HTML (.html) and can be exported into several file formats for
your convenience.
Comma Separated Values (.csv).
Microsoft Excel Worksheet (.xls).
XML Document (.xml).
Note: All data results, not just the selected results, will export. However, some of the data may
not import into a readable format.
You can edit this data using other applications. To export the report, select an option from the list
and click Export.
You may choose not to define any parameters; in this case, all applicable data for the report
parameters will be returned.
4. With the desired items selected, click the Include arrow.
5. To include all available items, click the Include All arrow.
6. Verify the contents of the Selected Options box.
7. Remove items by clicking the Remove arrow, or to include all available items, click the
Remove All arrow.
8. Click Generate to create the report.
9. The Report Results page opens with the retrieved information.
After generating an HTML (.html) report, you can format it specifically for printing. Use this feature
before printing a report rather than using your Web browser print feature.
1. Click the Printer-Friendly link. The report refreshes with the data in print preview mode.
2. If desired, click the Send to Printer link to print the report. The Print window opens. Finish
printing your report by completing the Print dialog box.
Note: If you have not established printer connectivity, click Yes when the Print dialog box
appears and use the Add Printer Wizard to select and connect your printer.
After generating a PDF (.pdf) report, you can view it within a PDF reader.
To generate a PDF (.pdf) report, you must have Adobe® Reader® (or another PDF reader such
as Foxit® Reader®) installed on your computer. When reading a generated report, the functions
of these programs help you to view the report.
For more information on using Adobe Reader, see the Adobe Reader 8 User Guide.
After generating an HTML report, the report opens in a new window. Within this window, you can
perform a number of tasks specific to the report, such as:
Displaying Time and Date in HTML Reports.
Exporting HTML Reports.
Previewing and Printing HTML Reports.
2.12 Email Notifications Page
You can configure email notification settings, define alert types, and set alert thresholds. Enter the
email addresses that you want to receive notifications, and then select the alert types for each
email address. You can enter an unlimited number of email addresses. Also, use this page to
define alert thresholds, which are data values that initiate email notifications.
Note: Email alerts are activated on a per-project implementation. Additional information about
email can be found in the Lumension Endpoint Management and Security Suite 7.0 SP1 User
Guide (page 85).
Note: You can access this page at any time from the Navigation menu. Navigate to Email
Notification to define email addresses for notification alerts.
The agent system requirements and installation procedures vary by operating system. For
complete instructions regarding the installation of agents on supported operating systems, refer to
the Lumension Endpoint Management and Security Suite 7.0 User Guide located on the Ovation
Security Center CD.
2.14 Using the Dashboard
Widget graphs are generated based on the latest data and statistics available from endpoints,
groups, vulnerabilities, packages, and so on.
Note: Additional information about the dashboard can be found in the Lumension Endpoint
Management and Security Suite 7.0 User Guide located on the Ovation Security Center CD.
The following Dashboard widgets are available (the page numbers refer to the Lumension manual):
The Agent Status Widget on page 53.
The Applicable Content Updates Widget on page 54.
The Discovery Scan Results: Agent Widget on page 56.
The Critical Patch Status by Endpoint Widget on page 55.
The Endpoints with Unresolved Updates Widget on page 57.
The Incomplete Deployments Widget on page 58.
The Last Five Completed Scan Jobs Widget on page 59.
The Latest News Widget on page 59.
The Mandatory Baseline Compliance Widget on page 60.
The Next Five Pending Scan Jobs Widget on page 60.
The Offline Agents Widget on page 61.
The Scheduled Deployments Widget on page 61.
The Server Information Widget on page 63.
The Time Since Last Agent Scan Widget on page 64.
The Un-remediated Critical Vulnerabilities Widget on page 65.
The Agent Status Widget depicts all agents in the network. Agents are classified by status, as
depicted in its associated chart.
The following table describes the fields in the Agent Status widget:
Note: Click the pie chart slice to open the Endpoints page. The page that opens is filtered to display the
agents associated with the clicked status.
The Discovery Scan Results Agent Widget displays the number of endpoints capable of hosting
agents (agent-compatible) as discovered in the latest discovery scan job.
FIELD DESCRIPTION
As of: The name of the discovery scan job used to generate the widget graph and statistics. This
job is the job most recently run.
Endpoints with agents: The number of agent-compatible endpoints discovered with agents installed.
Endpoints without agents: The number of agent-compatible endpoints discovered with no agents
installed.
Endpoints: The total number of agent-compatible endpoints discovered.
Note: Clicking the Discovery Scan Results: Agent widget opens the Job Results page for the most recently
run discovery scan job.
The Unresolved Updates Widget displays all managed endpoints with unapplied applicable
content updates, grouped by content type.
View this widget when deciding if a managed endpoint requires deployment. An unresolved
update is an occurrence of an endpoint that has not had an applicable content item installed.
BAR DESCRIPTION
Critical The number of managed endpoints in your network that have unresolved critical
content updates.
Recommended The number of managed endpoints in your network that have unresolved
recommended content updates.
Optional The number of managed endpoints in your network that have unresolved software,
informational, and virus removal content updates.
Note: Clicking a widget graph bar opens the Vulnerabilities, Software, or Other page, which is filtered to
display all unapplied applicable content.
FIELD DESCRIPTION
Endpoints The number of managed endpoints with applicable updates within your network.
Applicable updates The total number of content items applicable to managed endpoints within your
network.
The Incomplete Deployments Widget displays all deployments whose start date has elapsed and whose
status is still Not Started or In Progress.
FIELD DESCRIPTION
<25%: The number of deployments that are less than 25 percent complete. This field includes
deployments that have not started.
25% - 49%: The number of deployments that are 25 to 49 percent complete.
50% - 69%: The number of deployments that are 50 to 69 percent complete.
70% - 79%: The number of deployments that are 70 to 79 percent complete.
80% - 89%: The number of deployments that are 80 to 89 percent complete.
>90%: The number of deployments that are more than 90 percent complete.
Total: The total number of deployments that have a status of in progress or not started with an
elapsed start time.
Total affected endpoints: The total number of endpoints receiving pending or in-progress
deployments.
The Applicable Content Updates Widget displays applicable content updates grouped by content
type. View this widget when determining what content is applicable to endpoints in your network.
BAR DESCRIPTION
Critical The number of critical content items that are applicable to the agent-managed
endpoints within your network.
Recommended The number of recommended content items that are applicable to the agent-
managed endpoints within your network.
Optional The number of optional software, informational, and virus removal content items that
are applicable to the managed endpoints within your network.
Note: Clicking the Applicable Content Updates widget graph opens the Vulnerabilities, Software, or Other
page, which is filtered to display all applicable non-patched content.
FIELD DESCRIPTION
Applicable updates The total number of content items applicable to managed endpoints within your
network.
Endpoints The total number of managed endpoints with applicable updates within your
network.
The Critical Patch Status by Endpoint widget depicts the patch status of all managed endpoints.
Each bar indicates the number of managed endpoints with applicable critical vulnerabilities within
a given release date range.
The following table describes the Critical Patch Status by Endpoint widget. Green bars indicate
endpoints that are patched for critical vulnerabilities, while red bars indicate endpoints that are not
patched for critical vulnerabilities.
GRAPH BAR DESCRIPTION
<30 days: The number of managed endpoints with applicable critical vulnerabilities less than 30
days old.
30 - 120 days: The number of managed endpoints with applicable critical vulnerabilities between 30
and 120 days old.
>120 days: The number of managed endpoints with applicable critical vulnerabilities greater than
120 days old.
FIELD DESCRIPTION
Endpoints: The total number of managed endpoints with applicable critical vulnerabilities.
Critical Vulnerabilities: The total number of critical vulnerabilities applicable to your
environment.
The Last Five Completed Scan Jobs Widget contains information about the last five completed
scan jobs. Each job name is a link to the associated Results page.
The following table describes each column in the Last Five Completed Scan Jobs widget.
FIELD DESCRIPTION
Name The job name. The name is a link to the associated Results page.
Completed Date The date and time of the completed job on the server.
Status The status of the completed job.
The Latest News Widget displays important announcements and other information regarding
Lumension Endpoint Management and Security Suite. Internet connectivity is a requirement for
this Widget.
Click the Latest News link to view additional details about an announcement in a new window.
The Mandatory Baseline Compliance Widget displays the Mandatory Baseline status of all
managed endpoints.
The following table describes the Mandatory Baseline Compliance widget fields.
FIELD DESCRIPTION
Compliant: The number of agents with all Mandatory Baseline content installed.
In process: The number of agents currently downloading Mandatory Baseline content.
No baseline: The number of agents with no content assigned to their Mandatory Baseline(s).
Non-compliant: The number of agents that do not have all content in their Mandatory Baseline(s)
installed.
Total number of endpoints: The total number of endpoints with an agent installed.
The Next Five Pending Scan Jobs Widget displays information about the next five pending
discovery scan jobs. Each job name is a link to the Scheduled tab of the Discovery Scan Jobs
page.
The following table describes the Next Five Pending Scan Jobs widget columns:
FIELD DESCRIPTION
Name: The job name. Each name is a link to the Scheduled tab of the Discovery Scan Jobs page.
Scheduled Time: The date and time the job is scheduled to run on the server.
The Offline Agents Widget displays all offline agents. These agents are grouped by time ranges
since they last checked in.
The following table describes the fields in the Offline Agents widget:
Note: Clicking the Offline Agents widget pie chart opens the Endpoints page, which is filtered to display
offline agents
The Scheduled Deployments Widget displays endpoints that have not-yet installed applicable
content. These endpoints are divided into two categories: endpoints with deployments scheduled
and endpoints with deployments not scheduled. These categories are further divided into three
categories: endpoints with not-yet applied critical content, endpoints with not-yet applied
recommended content, and endpoints with not-yet applied optional content.
The following table describes the Scheduled Deployments widget graph bars. Orange graph bars
indicate endpoints that are not scheduled to receive applicable content, while blue graph bars
indicate endpoints that are scheduled to receive applicable content.
Note: Clicking the Scheduled Deployments widget opens the Deployments page, which is filtered to display
scheduled deployments.
The Server Information Widget lists your serial number, number of licenses available, number of
licenses in use, and information about current license usage and availability for the Lumension
Endpoint Management and Security Suite.
The following table describes the fields in the Server Information widget:
Note: A license expiration notice displays if all available licenses are expired.
The Time Since Last Agent Scan Widget displays all active agents (not including disabled or
offline) grouped by the amount of time since their last Discover Applicable Updates (DAU) task.
The following table describes the fields in the Time Since Last Agent Scan widget.
FIELD DESCRIPTION
<24 hours: The number of agents that last performed a DAU task and checked in fewer than 24
hours ago.
24 - 47 hours: The number of agents that last performed a DAU task and checked in 24 to 47 hours
ago.
48 - 72 hours: The number of agents that last performed a DAU task and checked in 48 to 72 hours
ago.
>72 hours: The number of agents that performed a DAU task and last checked in more than 72 hours
ago.
Never Checked in: The number of registered agents that have not completed a DAU task.
Note: Clicking the Time Since Last Agent Scan widget pie chart opens the Endpoints page, which is filtered
to display enabled devices.
The Un-remediated Critical Vulnerabilities Widget displays the total number of un-remediated
critical vulnerabilities that are applicable to your environment grouped by age.
The following table describes the Un-remediated Critical Vulnerabilities widget graph bars.
FIELD DESCRIPTION
<30 days The number of un-remediated critical vulnerabilities applicable to your environment
fewer than 30 days old.
30 - 120 days The number of un-remediated critical vulnerabilities applicable to your environment
that are 30 to 120 days old.
>120 days The number of un-remediated critical vulnerabilities applicable to your environment
greater than 120 days old.
Note: Clicking the Un-remediated Critical Vulnerabilities widget graph opens the Vulnerabilities page,
which is filtered to display the critical but not superseded applicable vulnerabilities.
The following table describes the Un-remediated Critical Vulnerabilities widget fields.
FIELD DESCRIPTION
Critical Vulnerabilities: The number of critical but not superseded vulnerabilities applicable to
your environment.
Endpoints: The number of managed endpoints with critical but not superseded applicable
vulnerabilities.
Note: When viewing the dashboard, you can reformat it for printing purposes. This print preview
omits the Web site's header and footer and reorganizes the dashboard to display only the
selected widgets. View the print preview from the Home page.
VSPM lets you define how dashboard widgets are arranged and prioritized. You can edit the
dashboard to display only the widgets that are most useful when managing your network
environment.
2.15 Creating and editing user accounts for SCAN
When you are logged on to a user account other than an Administrator, you have access only to the
console areas permitted by the privileges assigned to that account and by the preset default or
adjusted scope assigned to each privilege.
2.16 Preparing VSPM for Full vulnerability scan
- Username: <username>.
- Password: <password>.
- Verify Password: <password>.
- Description: Ovation scan credentials.
g) Select the Test button. This tests the credentials to verify that they will work for a scan.
- Enter a Target IP 192.168.2.200. This is the address used for the credential test and must be
the address of a console on the system.
- Select OS as default.
- Check the Verify with Ping check box.
- Select the Test button.
The test should return level 3 access; if it does not, something in the credential set was
entered incorrectly.
h) If other operating systems are to be included, repeat steps e - g for each of them, selecting
POSIX or SNMP as the Operating System. For SNMP, the credential entered is the
<read community string>.
i) Select the Save button.
j) Select that credential name (Ovation scan credentials) in the Credentials tab.
4. Define the type of scan to be performed using the following steps:
a) Select the Scan tab.
b) Select the Vulnerability Set.
Emerson Validated Patches – periodic scan to determine if any consoles are vulnerable to the
current vulnerability set. This selection is near the bottom of the list.
c) Ports setup.
Emerson Validated Patches – set this to none.
Emerson Validated Patches – set this to no check boxes.
5. Name, schedule, and define targets for the scan using the following steps.
a) Select the Discovery tab.
b) Name the scan job: enter a scan name into the entry field.
c) Select a schedule method. Typically this is set to Immediate.
d) Leave all discovery options selected.
e) Set up the consoles to be scanned.
- Use an IP range or an IP with a wildcard to define the intended targets for the scan.
- After information is entered in the entry field(s), select the + to add them to the scan
target list.
- Repeat until all IP addresses are entered for the desired scan.
f) To initiate the scan, select the Save button.
6. Check the scan statuses.
a) Select the appropriate tab in the Job Queue panel.
- Active – for any currently active scan. A percentage complete indication will be displayed.
- Scheduled – for any scan that is scheduled for future activation.
- Completed – to review and generate reports on completed scans.
7. To check different information related to a scan job:
a) Select the Completed tab in the Job Queue panel.
b) Select the scan job that you want to review.
c) From here, the tabs at the top of the panel display different pieces of information related
to the currently selected scan job.
- Targets – displays the targets that were scanned, with summary information.
- Vulnerabilities – shows any vulnerability discovered during that scan job.
- Graphical Reports – interface to generate graphical reports on the selected scan job.
- Agents – agents that exist; not related to the currently selected scan job.
- Vulnerabilities – lists all vulnerabilities that the VSPM is made aware of.
2.17 VSPM SCAN Updating
Vulnerability databases and scanning software updates are periodically downloaded through
Emerson's SureService OSC Module.
Note: Scan updates come in a form named guardian_vulns_XXX.upd. These are SQL updates that need
to be imported. The updates are normally subscription based. In the current air-gapped
installation, they must be imported manually. Because these files are executed as SQL against
the scanner database, confirm that each file carried to the air-gapped system came from
SureService unaltered before importing it.
Note: If you select a file at or below the current Vulnerability Update Version number displayed
in About, the import will error out. Select any and all files above that version number. For
example, if the current version number is 181, select 182 or greater to update.
Note: This process may take several minutes depending on how many updates are selected. Circling
arrows are the only indication that the import process is occurring. You can click the Run in
the Background button, but no indication of completion is given.
11. Once completed, the circling arrows disappear and the bottom pane of the Automatic Updates
dialog box shows the version number of the current Vulnerabilities update.
12. Update the current Emerson Validated Patches vulnerability set.
13. Click Tools -> Manage Vulnerabilities. This can also be launched with the keystroke
Ctrl-Shift-V.
14. Click the Custom Vulnerabilities tab.
15. Click the Import button at the top-right.
16. Select Vulnerability Set(s) from the dialog box.
17. Click Next.
18. Browse to the current month's folder for the Emerson Validated Patches.xml file.
19. Click Finish.
2.18 Creating a disaster recovery solution for VSPM
Lumension Endpoint Management and Security Suite uses Microsoft's SQL Server to store data
values. Emerson's recommended practice is that you prepare your system for a disaster.
In the event of a disaster, detailed transaction logs are useful when restoring your database. You
can control the level of detail that your logs record.
The installation of Lumension Endpoint Management and Security Suite sets your database to a
recovery model of Simple. To use Transaction Logs, and thus increase the quality of your
disaster recovery solution, you should change the recovery model to Full.
Modify the database recovery model to record more robust details about the events leading to a
disaster.
Database recovery model edits are made in the SQL Server Management Studio. The
Management Studio is available by upgrading to SQL Server 2008 Standard or Enterprise or as a
download from the Microsoft Download Center.
2.19 Creating a database backup
While a Maintenance Plan will allow you to automate the backup of your databases and
transaction logs, you can also create and restore individual backups using the SQL Server
Management Studio.
Create a backup for the SQL Server instance associated with the Lumension Endpoint
Management and Security Suite to assure minimal system data is lost if a disaster occurs.
Note: If the Recovery model is not set to Full, refer to Changing the Database Recovery Model
on page 575 of the Lumension Endpoint Management and Security Suite 7.0 SP1 User Guide
located on the Ovation Security Center CD.
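The Management Studio steps below take one database at a time. The following T-SQL script is an added example written for this edition of the guide; it is not Lumension or Emerson code and is not part of the product. In one pass it does what sections 2.18 and 2.19 describe: it switches each product database to the Full recovery model if it is still at Simple, takes a full backup with checksums, verifies it (the same check as the Verify backup when finished option) and takes a first transaction log backup so that the log chain starts. The database names are those listed in the backup procedure plus PLUS, the name the restore procedure uses for the main database; the backup directory D:\EMSSBackup\ is a placeholder and is assumed to sit on a different physical drive from the data files, as the Note in the procedure recommends.

```sql
-- Added example, not part of the Emerson or Lumension documentation.
-- Run in a SQL Server Management Studio query window as a sysadmin login
-- on the instance that hosts the EMSS databases.
-- Assumptions: the database names below (PLUS is the name used by the
-- restore procedure) and the backup directory, which is a placeholder.
SET NOCOUNT ON;

DECLARE @BackupDir nvarchar(260) = N'D:\EMSSBackup\';
DECLARE @Stamp nvarchar(15) = CONVERT(nvarchar(8), GETDATE(), 112) + N'_'
                            + REPLACE(CONVERT(nvarchar(8), GETDATE(), 108), N':', N'');

DECLARE @Dbs TABLE (name sysname NOT NULL);
INSERT INTO @Dbs (name)
VALUES (N'PLUS'), (N'PLUS_Staging'), (N'UPCCommon'), (N'SCM'),
       (N'STAT_Guardian'), (N'PLUS_Reports');

DECLARE @Db sysname, @File nvarchar(400), @Sql nvarchar(max);

-- Join against sys.databases so a name that does not exist on this
-- instance (PLUS_Reports is optional) is skipped instead of failing.
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT d.name FROM @Dbs AS t JOIN sys.databases AS d ON d.name = t.name;
OPEN dbs;
FETCH NEXT FROM dbs INTO @Db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- 1. Full recovery model. The product install leaves Simple, which
    --    truncates the log, so there is nothing to replay after a full.
    IF EXISTS (SELECT 1 FROM sys.databases
               WHERE name = @Db AND recovery_model_desc <> N'FULL')
    BEGIN
        SET @Sql = N'ALTER DATABASE ' + QUOTENAME(@Db) + N' SET RECOVERY FULL;';
        EXEC sys.sp_executesql @Sql;
    END;

    -- 2. Full backup. CHECKSUM stores page checksums in the file so a
    --    damaged copy is caught at verify or restore time; INIT starts a
    --    new media set in the file rather than appending to an old one.
    SET @File = @BackupDir + @Db + N'_FULL_' + @Stamp + N'.bak';
    SET @Sql = N'BACKUP DATABASE ' + QUOTENAME(@Db)
             + N' TO DISK = @f WITH INIT, CHECKSUM, NAME = @n;';
    EXEC sys.sp_executesql @Sql, N'@f nvarchar(400), @n nvarchar(128)',
         @f = @File, @n = @Db;

    -- 3. The same check as the "Verify backup when finished" option.
    EXEC sys.sp_executesql N'RESTORE VERIFYONLY FROM DISK = @f WITH CHECKSUM;',
         N'@f nvarchar(400)', @f = @File;

    -- 4. First log backup. A database switched to Full behaves like Simple
    --    until a full backup exists; from this point log backups chain.
    SET @File = @BackupDir + @Db + N'_LOG_' + @Stamp + N'.trn';
    SET @Sql = N'BACKUP LOG ' + QUOTENAME(@Db) + N' TO DISK = @f WITH CHECKSUM;';
    EXEC sys.sp_executesql @Sql, N'@f nvarchar(400)', @f = @File;

    FETCH NEXT FROM dbs INTO @Db;
END;
CLOSE dbs;
DEALLOCATE dbs;

-- 5. What msdb recorded: recovery model and newest full and log backup
--    per database. A NULL here means the step above did not complete.
SELECT d.name, d.recovery_model_desc,
       MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) AS last_full,
       MAX(CASE WHEN b.type = 'L' THEN b.backup_finish_date END) AS last_log
FROM sys.databases AS d
LEFT JOIN msdb.dbo.backupset AS b ON b.database_name = d.name
WHERE d.name IN (SELECT name FROM @Dbs)
GROUP BY d.name, d.recovery_model_desc
ORDER BY d.name;
```

Once a database is in the Full recovery model its transaction log is truncated only by log backups, so schedule them (the Maintenance Plan mentioned above, or the BACKUP LOG statement in a SQL Server Agent job) or the log file grows until the drive is full. Restrict access to the backup directory: each file is a complete copy of the database. A backup that has never been restored is untested; restore it onto a test instance before relying on it.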
8. Define the backup set expiration date using one of the following methods:
2.20 Restoring a database backup
Note: For performance reasons, Emerson recommends that you create your database backup
in a directory that is not on the same physical drive as your database.
10. Select Options within the Select a page pane. The Options page displays.
11. Select whether to Backup to the existing media set or Backup to a new media set, and erase
all existing backup sets as is appropriate for your organization.
12. Select the Verify backup when finished option to ensure a valid backup.
13. Click OK.
14. Repeat for the following databases:
PLUS_Staging
UPCCommon
SCM
STAT_Guardian
PLUS_Reports (if it exists)
Prerequisites:
Prior to restoring the database backup you must install the Lumension Endpoint Management and
Security Suite server using the same serial number that was used previously.
Note: After installing the Lumension Endpoint Management and Security Suite server, do not
open the user interface until after you have restored the databases.
EDS MessageBroker.
EDS Server.
Replication Service.
STATEngine.
5. Restore the backup you made of the content directory over the new content directory
(<Installation Directory>\Lumension\EMSS\Content by default). However, if this directory was
modified during installation, you can verify its location by viewing the
HKEY_LOCAL_MACHINE\SOFTWARE\Patchlink.com\Update\ISAPI\Storage registry key.
6. Open the Microsoft SQL Server Management Studio:
Choose: Start > Programs > Microsoft SQL Server 2008 > SQL Server Management
Studio.
7. Log in to your database server with a user account that has sysadmin rights.
8. In the directory tree, expand Server Name\SQL Instance > Databases.
9. Right-click the Databases folder.
10. Select Restore Database. The Restore Database window opens.
11. In the To database field, type or select the PLUS database.
12. Select From device and click the ellipsis button (...). The Specify Backup window opens.
13. Click Add. The Locate Backup File window opens.
14. Locate and select your backup (.bak) file.
15. Click OK.
16. Click OK to return to the Restore Database window.
17. Select the check box associated with your backup within the Select the backup sets to
restore table.
18. Click Options within the Select a page pane. The Options page displays.
19. Ensure the Overwrite the existing database option is selected.
20. Verify, and correct if necessary, the directory path within the Restore the database files as
table.
21. Ensure the Leave the database ready to use option is selected.
22. Click OK to begin the database restoration.
23. After the restore is complete, run the following SQL command against the database.
exec sp_changedbowner 'sa'
24. Repeat steps 9 through 23, restoring each of the following databases:
PLUS_Staging.
UPCCommon.
SCM.
STAT_Guardian.
PLUS_Reports (if it exists).
25. Against the master database run the following SQL command.
9. Repeat for the PLUS_Staging database (and the PLAMS and PLUS_Reports databases if
they exist).
You must create a backup of each database before any Transaction logs will be created. See
To create a database backup (see page 114) to create a one-time backup of your database.
While a Maintenance Plan allows you to automate the backup of your databases and transaction
logs, you can also create and restore individual backups using the SQL Server Management
Studio.
The most important part of an effective disaster recovery technique is to have a current and valid
backup.
Note: If the Recovery model is not set to Full, see To change the database recovery model
OSC 2.x (see page 113).
7. Set the Backup Type to Full and the Backup Component to Database. Define the backup set
Name, Description, and when the Backup set will expire.
8. Under Destination, define your backup Destination settings:
a) Select either the Disk or Tape option.
b) Define the destination folder.
Note: For performance reasons, Emerson recommends that you create your database backup
in a directory that is not on the same physical drive as your database.
9. Select Options within the Select a page field. The Backup Database - Options page displays.
10. Select whether to backup to the existing media set or backup to the new media set, and erase
all existing backup sets as is appropriate for your organization.
11. Select the Verify backup when finished option to ensure a valid backup.
12. Click OK.
13. Repeat for the PLUS_Staging database (and the PLAMS and PLUS_Reports databases if
they exist).
Another important part of an effective Disaster Recovery Solution is to have a process defined to
restore your database backup.
Note: Specifying a new name for the database automatically defines the database files restored
from the database backup.
12. Select From device and click the ellipses button. The Specify Backup window opens.
13. Click Add. The Locate Backup File window opens.
14. Locate and select your backup (.bak) file.
15. Click OK.
16. Click OK to return to the Restore Database window.
17. Select your backup within the Select the backup sets to restore field.
18. Select Options within the Select a page field. The Options page displays.
19. Ensure the Overwrite the existing database option is selected.
20. Verify, and correct if necessary, the directory path within the Restore the database files as
field.
21. Ensure the Leave the database ready to use option is selected.
22. Click OK to begin the database restoration.
23. Repeat for the PLUS_Staging database.
24. Restart the PatchLink Update and World Wide Web Publishing Service services.
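As an added illustration of why sections 2.18 through 2.20 ask for the Full recovery model and for verified backups, the following Python (not part of this guide or of the Lumension product) builds the restore sequence for one of the databases listed above from a constructed backup history and reports the recovery point each model achieves. The log-chain rule is simplified for the example (each log backup must begin where the previous one ended); the backup history is constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Databases the guide asks you to back up (PLUS_Reports only if it exists).
EMSS_DATABASES = ["PLUS", "PLUS_Staging", "UPCCommon", "SCM",
                  "STAT_Guardian", "PLUS_Reports"]


@dataclass(frozen=True)
class Backup:
    database: str
    kind: str              # "FULL" or "LOG"
    taken_at: datetime
    first_lsn: int         # simplified log sequence numbers
    last_lsn: int
    verified: bool = True  # outcome of "Verify backup when finished"


def restore_plan(history: List[Backup], database: str,
                 recovery_model: str) -> Tuple[List[Backup], Optional[datetime]]:
    """Return the ordered restore sequence and the recovery point it reaches.

    Under the Simple recovery model no transaction log backups exist, so the
    best achievable recovery point is the most recent verified full backup.
    Under the Full model the unbroken chain of log backups taken after that
    full backup is appended and the recovery point moves to the last link.
    """
    fulls = [b for b in history
             if b.database == database and b.kind == "FULL" and b.verified]
    if not fulls:
        return [], None            # nothing usable to restore from
    full = max(fulls, key=lambda b: b.taken_at)
    plan = [full]
    if recovery_model.upper() != "FULL":
        return plan, full.taken_at

    logs = sorted((b for b in history
                   if b.database == database and b.kind == "LOG"
                   and b.verified and b.taken_at > full.taken_at),
                  key=lambda b: b.taken_at)
    expected_lsn = full.last_lsn
    for log in logs:
        if log.first_lsn != expected_lsn:
            break                  # chain broken: later logs cannot be applied
        plan.append(log)
        expected_lsn = log.last_lsn
    return plan, plan[-1].taken_at


def data_loss_window(history: List[Backup], database: str, recovery_model: str,
                     disaster_at: datetime) -> Optional[timedelta]:
    """Span of committed work lost if a disaster strikes at disaster_at."""
    _, point = restore_plan(history, database, recovery_model)
    return None if point is None else disaster_at - point


# Constructed backup history for the PLUS database (sample data, not real).
SAMPLE_HISTORY = [
    Backup("PLUS", "FULL", datetime(2012, 9, 14, 2, 0), 100, 200),
    Backup("PLUS", "LOG", datetime(2012, 9, 14, 6, 0), 200, 260),
    Backup("PLUS", "LOG", datetime(2012, 9, 14, 12, 0), 260, 300),
    # A log backup that does not continue the chain (for example after the
    # log was truncated by a switch to Simple and back); it cannot be applied.
    Backup("PLUS", "LOG", datetime(2012, 9, 14, 18, 0), 350, 400),
    # A backup that failed verification is never used.
    Backup("PLUS", "FULL", datetime(2012, 9, 14, 19, 0), 400, 500, verified=False),
]

if __name__ == "__main__":
    disaster = datetime(2012, 9, 14, 20, 0)
    for model in ("SIMPLE", "FULL"):
        plan, point = restore_plan(SAMPLE_HISTORY, "PLUS", model)
        steps = " -> ".join(f"{b.kind}@{b.taken_at:%H:%M}" for b in plan)
        loss = data_loss_window(SAMPLE_HISTORY, "PLUS", model, disaster)
        print(f"{model:6} restore: {steps}; recovery point {point:%H:%M}; loss {loss}")
```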
SECTION 3
Malware is malicious software or executable programs that you do not want operating on your
control system. When malware is introduced to the Ovation system, it is detected and is not
permitted to operate.
MP uses a proactive security approach called a whitelist. A whitelist is a list of programs you have
identified to be safe programs and are allowed to run on your control system. Programs not listed
on the whitelist are not permitted to operate and are blocked or bounced from operation.
This security approach safely locks down the system applications and operating systems so only
authorized software on the whitelist will operate on your system.
MP logs any applications that have been blocked and provides a scrub option to the system
administrator so the blocked applications can be removed from the client machines.
MP monitors software agents that are installed on Ovation servers, workstations, and network
devices. Any intrusion alerts detected by these agents are sent to the SIEM for correlation,
analysis, and reporting.
3.1 Malware Prevention (MP) overview
6. Click Open.
10. Select the type of software update, choose Update Manager Software, and click Next on the
top-right corner of the window.
13. Click Finish at the top-right corner of the window. A dialog box appears informing you that the
manager will be rebooted and you will be logged out.
14. Click OK and disconnect from the manager.
15. Repeat steps 1 - 14 for the Rollover Bouncer Manager.
16. After both managers are updated and rebooted, log into the Primary Manager, and click the
Configuration tab.
18. Select Update System software and click Next at the top-right corner of the window.
21. Click the Finish button at the top-right corner of the window.
a) System install files expand out to the manager. (This should only take a few seconds.)
22. Click the Management tab.
23. Select the client you want to upgrade so that it is highlighted in yellow.
3.2 Login basics and Admin Tokens for MP
Note: Hereafter, the electronic administrative token will be referred to as an ‘admin token’.
The digital certificates stored on the admin tokens and the extended length passphrase provide a
strong authentication mechanism.
CoreTrace currently uses the eToken® by Aladdin Knowledge Systems as part of the user
authentication process. The admin token is designed to be inserted into an active USB port on the
console. Each eToken® is uniquely identified by a SmartCardID that is electronically imprinted in
the security chip at the time of production. This SmartCardID is read by the console software and
displayed in the BOUNCER Login Screen during the login process.
The admin token has programmable memory and the ability to generate an RSA public/private
key pair. CoreTrace creates a digital certificate containing manager identification information and
the public key from the admin token. This certificate effectively establishes a one-to-one
relationship between the admin token and the manager. This digital certificate is loaded onto the
admin token at the CoreTrace factory. Each admin token is capable of storing several digital
certificates, providing the owner of the admin token with the ability to login to multiple managers.
This is all transparent to the BOUNCER administrator, who will see a list of managers in the
BOUNCER Login Screen.
Each admin token is shipped on a key ring with a card containing a list of all the managers it can
access. A manager cannot be accessed without an admin token containing a certificate for that
specific manager.
The admin token is designed to be carried in a pocket and is fairly small. Once the shipping
card is removed, all admin tokens look alike. You should place the admin tokens on unique
key rings or mark them with an indelible marker. Without inserting each token into the USB
port of a console and reading the stored information, there is no easy way to identify specific
admin tokens.
You should track the locations of all your admin tokens on paper. Admin tokens that are
actively used on the system can be easily kept track of, but not all admin tokens will be used.
Those admin tokens used as backups, or left unassigned, should be kept under positive
control.
You must insert your admin token into an available USB port to log in.
The USB ports on most monitors turn on and off with the monitor power. If you turn off the
monitor as a power-saving measure, power to the admin token is lost and you will be logged
out of the system.
The admin token should be inserted straight into the USB port. If the token does not slide in
easily, check to see that the plastic guide is aligned properly. A red LED in the admin token will
light when it is inserted properly.
If the admin token is removed from the USB port at any point during the login process or
during an active session, the control center will immediately log you out. This can produce
unexpected results for tasks you may have underway on the system.
3.3 Logging in for the first time for MP
To begin, you must look at the information in the Select Manager list box and determine which
bouncer or manager you want to access. The Serial Number data field contains the serial number
of the manager. This number is shown on both the bottom of the appliance as well as on the label
on the rear of the appliance. By selecting the line item with the matching serial number, you can
be sure you are logging into the correct manager.
After a successful login, you can change the default name of the manager to an easily
recognized name. This will update the admin token and you probably will not need the serial
number again. Likewise, security group names and IP addresses will automatically be updated on
your admin token following a successful login to the manager.
There are several setup events that take place when you login to a new manager with no
accounts, use a new admin token, attempt to login to a manager that has its IP addresses
changed from those stored on your admin token, or login to a manager for the first time with other
existing accounts. Refer to the Normal Login procedure (see page 126) for information on the
standard process. The following sections describe special setup events when logging in for the
first time.
1. Turn on the control center appliance CPU unit and display. The control center appliance boots
and displays the Welcome dialog box requesting your admin token.
2. Insert one or more admin tokens. Click Read Token (may need to be done twice for RDP).
The admin token light will flash several times as the control center reads its stored information
and then displays the BOUNCER Login screen.
3. Select an admin token (if more than one) from the Select BOUNCER Token list box in the
upper left of the screen. This displays a list of all managers the selected admin token is keyed
to access.
4. Select a manager from the Select Manager list box in the center of the screen. You may have
a manager you use regularly to access the system, or perhaps another administrator has
already assigned you a manager.
5. Click Login to continue the login process. The control center appliance may be able to
immediately access the manager, or it may take some time to establish a secure connection
to the manager during which an hourglass cursor appears.
6. The Enter Password dialog box opens prompting you to enter your passphrase.
7. After entering your passphrase, click OK and you will be successfully logged in.
3.4 Normal Login procedure for MP
Note: The Enter Password dialog box is not opened unless the console is able to open a secure
connection to the requested manager.
If you enter an incorrect password, an error message is displayed. Click OK to return to the
Enter Password dialog box.
8. Begin your system management tasks. Once your password is verified by the manager, the
BOUNCER Control Center Dashboard screen opens.
A regular or master administrator can change their personal password when they are logged in to
the system. Fail-safe administrators cannot change their own passwords or the password of
another account. The process to change a password is shown below:
1. Navigate to the change password function. Select the Configuration tab and click the
Administrators selection button.
2. Display the account of interest. Select the subgroup or account in the navigation pane to
display the desired administration account in the Administrators control table.
3. Identify the account to change. Click the check box next to the account you want to change
the password for.
4. Select the Change Password option from the drop-down menu under the Administrators
selection button. The Change Password for Administrator dialog box opens.
5. Enter your old password followed by your new password twice.
6. Click OK to change the password. You will be prompted to make corrections if you did not
enter the password properly.
In the event you forget your password, a master administrator can reset your password to a
known value. The process is the same as above except the master administrator selects the
account of the administrator that wants a new password.
Selecting Change Password displays the Change Password for Administrator dialog box, but the
master administrator must first enter his or her password for verification before the new password
can be set.
Note: The minimum passphrase length is set to 8 by default. The passphrase can be any value
between 8 and 255.
3.4.5 To Logout of MP
At this point you should remove your admin token from the USB port, and if desired, you can
power down the control center appliance by clicking Shutdown.
3.5 Generating a whitelist
The ctsetup 192.168.124.17 program begins to write information to the console and
eventually stops after a few minutes. The CtSetup.exe program must continue to
run while waiting for approval by the BOUNCER Administrator.
5. Log in to the Primary Manager (17).
6. Click the Management tab.
7. Click the New Systems button.
8. Check the system that you want to authorize.
9. Click Authorize at the top of the table or Authorize New Systems under the New Systems
drop-down button.
10. Select the most recent system software from the Authorize software version list.
Check Authorize to use: Rollover Block.
11. Click Next.
12. Select the Inactive policy.
13. Click Finish.
14. Click the Systems button and verify that the system has been imported. This may take 10 to
15 minutes.
15. On the end unit, the command process finishes. This forces a reboot. If an auto reboot does
not occur, reboot your machine.
16. Once rebooted, the machine will have the Bouncer installed with no whitelisting enforced.
Whitelists should only be generated after the workstation has been verified to be free of viruses,
malware, and any other unwanted applications.
3.6 New Installation of Bouncer 5.x
c) Select Managers -> Leave Security Group from the Security Group button. The Leave
Security Group dialog box appears.
5. Confirm that the proper Manager is leaving the security group. Consider the number of
queued endpoints and the impact on the security group. Click OK to begin the leave process.
Click Cancel to remain part of the security group.
6. The Prime Manager Change dialog box appears and warns you that you will be logged out of
the Manager. Click OK and you will be logged out of the Manager.
7. Log in to the Manager again. The Manager appears in single Manager mode and the security
group name is reset to the default value.
8. Update Manager B to Bouncer 5.x.
Use the steps under To update Bouncer (see page 142).
The Bouncer 5.x update file is under \Coretrace\xxxxx.upd.
9. Remove clients from Manager A.
Manual removal.
Removal from Manager A.
10. Add Clients to Manager B.
Note: Typically endpoints are brought over and rebooted one at a time. The process may take
time since a reboot is required for each endpoint. You can perform the process en masse, all at
one time, or over time at your pace. During this process you will be lacking failover capability
during the transition; therefore, if you intend to bring over endpoints en masse you should
evaluate the amount of risk involved.
11. Once ready to join together, refer to the Security Group Rollover section: To create a Security
Group/Rollover (see page 132).
3. The Managers appear in the right-pane. Select the Manager you are going to configure (in
this case, there should only be 1 manager):
Allow Remote Access – allows Remote Desktop Protocol (RDP) to the manager.
Manager – name of the Manager being configured.
Maximum Bandwidth FROM Manager – the maximum bandwidth the manager is
allowed to use when communicating with an individual client or another manager.
Maximum Bandwidth TO Manager – the maximum bandwidth the manager accepts
when communicating with an individual client or another manager.
Report Server IP – the IP address of the BOUNCER report server with which the
manager is communicating. (This is not used.)
TCP Communications Port – the port over which the manager is communicating to
clients and managers. In default OSC installs, this should be 63159.
Total Bandwidth FROM Manager – the total maximum bandwidth the manager is
allowed to use when communicating with all clients and other managers.
Total Bandwidth TO Manager – the total maximum bandwidth the manager accepts
when communicating with all clients and other managers.
4. Select Managers -> Request to join a Security Group from the Security Group button.
6. Enter the IP Address of the Prime 5.x Manager. This should be the IP address of the first
machine upgraded to 5.x or one that you have specified if on a new install.
7. Log in to the Prime 5.x manager.
8. Click the Authorize New Managers link on the Dashboard.
9. The New Managers screen appears. The right-pane shows the Manager that has made the
request to join the security group.
a) To authorize a Manager to join the security group, click the check box next to the
Manager’s listing and click Authorize on the top-right corner of the right-pane.
b) You can also select Managers -> Authorize Manager from the Security Group button.
This may take time until the authorization process is complete and all the information is
displayed.
10. Click the Managers button. The new manager appears on the Managers screen with the
security group once it has been authorized.
11. Once the Second Manager appears, select the Prime Manager in the right-pane.
12. Select the secondary manager from the rollover field using the drop-down menu.
13. Confirm by clicking Yes when prompted.
4. Select the top field and enter the IP address of the syslog server in the IP Address field. The
SIEM IP is 192.168.124.49 and should be a Syslog target.
5. Enter the name of the syslog server in the Name field. It may be difficult to keep track of
devices by IP address. Therefore, you can enter a common name, a DNS-type entry, or any
other descriptive information. For example, SIEM for the Nitro box.
6. Click the Settings tab on the lower part of the right-pane to configure syslog settings. There
are several fields that must be configured for event messages to make this syslog compatible.
7. Expand the Configurable Security Group Syslog Settings area.
8. Select the facility that identifies the origination and type of the syslog message in the Facility
field. The default value is 0 – kernel messages. There is a list of 24 standard options
available. You should choose the facility based on how your server will group these messages
together for analysis.
9. Enter the name of the system sending the syslog messages in the Hostname field. This is
generally set to the name of the Prime Manager in the security group as it is forwarding the
messages.
10. Enter the severity assigned to the syslog message for handling on the syslog server in the
Severity field. This is fixed for all syslog messages sent by the BOUNCER system and is not
related to the internal Level settings of BOUNCER events. By default this is set to 5 – Notice:
normal but significant condition.
11. Enter the time used to convert the event time from the Managers to the local time of the
syslog server in the Time Offset in Minutes field. If the Manager time is set to the same time
zone as the syslog server, the offset is 0. This can be a positive or negative number.
12. Return to the Syslog tab, right-click the syslog server entry and select Send Test.
14. A test message will be sent to that server. Verify that the server received the message. If not,
review the IP address and settings in the BOUNCER system and verify there is an open
network path between the prime manager and the syslog server.
15. Click OK.
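As an added example, not from this guide or from CoreTrace, the following Python shows how the Facility, Severity, Hostname and Time Offset in Minutes settings combine into the line the SIEM receives, and parses such a line back so the facility and severity can be checked on the receiving side. The layout follows the classic BSD syslog format (RFC 3164: PRI is facility * 8 + severity); the event text, host name and clock offset are constructed.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Tuple

# The 24 standard syslog facilities offered in the Facility field.
FACILITIES = {0: "kernel messages", 1: "user-level messages", 2: "mail system",
              3: "system daemons", 4: "security/authorization", 5: "syslogd internal",
              6: "line printer", 7: "network news", 8: "UUCP", 9: "clock daemon",
              10: "security/authorization", 11: "FTP daemon", 12: "NTP",
              13: "log audit", 14: "log alert", 15: "clock daemon"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})

# Severities; 5 (Notice) is the fixed BOUNCER default described above.
SEVERITIES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
              4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}


def syslog_pri(facility: int, severity: int) -> int:
    """PRI value written in angle brackets at the start of a syslog message."""
    if facility not in FACILITIES:
        raise ValueError(f"facility must be 0-23, got {facility}")
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be 0-7, got {severity}")
    return facility * 8 + severity


def decode_pri(pri: int) -> Tuple[int, int]:
    """Inverse of syslog_pri: (facility, severity)."""
    return divmod(pri, 8)


def manager_event_to_syslog(event_time: datetime, text: str, hostname: str,
                            facility: int = 0, severity: int = 5,
                            time_offset_minutes: int = 0) -> str:
    """Build the RFC 3164 line for one event forwarded by the Prime Manager.

    time_offset_minutes converts the Manager's event time to the syslog
    server's local time, as the Time Offset in Minutes field does.
    """
    local_time = event_time + timedelta(minutes=time_offset_minutes)
    # RFC 3164 timestamp is "Mmm dd hh:mm:ss" with the day padded with a space.
    stamp = f"{local_time:%b} {local_time.day:2d} {local_time:%H:%M:%S}"
    return f"<{syslog_pri(facility, severity)}>{stamp} {hostname} BOUNCER: {text}"


_SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_syslog(line: str) -> Dict[str, object]:
    """Split a BSD syslog line into PRI components, timestamp, host and text."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line")
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = decode_pri(pri)
    return {"facility": facility, "facility_name": FACILITIES[facility],
            "severity": severity, "severity_name": SEVERITIES[severity],
            "timestamp": m.group(2), "hostname": m.group(3), "message": m.group(4)}


# Constructed event: the Manager clock runs five hours ahead of the SIEM.
SAMPLE_LINE = manager_event_to_syslog(datetime(2012, 9, 14, 8, 30, 0),
                                      "Blocked execution of C:\\Temp\\unknown.exe",
                                      hostname="PrimeManager", facility=0,
                                      severity=5, time_offset_minutes=-300)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(parse_syslog(SAMPLE_LINE))
```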
There are three standard Security Configuration Groups that machines may belong to:
Whitelisted.
Unsecured.
Learning Mode.
1. Click the Management tab.
2. Click the Security Configurations button on the Bouncer Control Center window.
6. Enter a name for the security configuration in the Security Configuration Name field.
7. From the Security Configuration Folder field, choose whether to place the new security
configuration in the default folder (leave Default Security Folder selected), in an existing
folder, or in a new folder (select <Select and type in folder name to create folder>).
If you choose to create a new folder, the window refreshes and you can enter a name for this
new folder. BOUNCER currently supports one level of security configuration folders.
8. Select your new security configuration in the left-pane. The right-pane refreshes to show your
security configuration.
3. Select Custom Security Configurations in the left-pane. Start with the Whitelisted Security
Configuration.
4. Select your security configuration in the left-pane. The right-pane refreshes to show your
selected security configuration.
Select the Enable Remove Programs/Uninstallers in Baseline option if you want the
baseline scan to identify and automatically trust the uninstallers. This allows any user to
run the Add/Remove programs to remove existing programs.
Select the Enable Trusted ActiveX Installation option if you want to allow ActiveX
controls in the Web browsers to be updated automatically. In this mode, any ActiveX
controls signed with digital signatures approved as a part of the trusted digital signatures
section of the security configuration is allowed to install. Any controls not signed by
approved digital signatures fail to install.
Select the Enable Safe Trusted User option if you want to allow trusted users to execute
any digitally signed programs—even if they are not approved by their system’s security
configuration. Disabling this option with Trusted User enabled allows any application,
including those not digitally signed, to be started at your discretion.
Select the Enable Trusted User for All Local Administrators option if you want to allow
local system administrators to be considered trusted users. This is generally
recommended when you have implemented a principle of least privilege, and users are
not typically logged on as local Administrators.
Enter the message in the Custom dialog text for Trusted User warnings text area if
you want to provide a custom message to trusted users when they are about to perform
an operation that changes the baseline.
9. All remaining settings can be left as defaults.
10. Repeat the changes for Unsecured and Learning mode groups making necessary alterations
to the Protection settings.
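The options above determine how BOUNCER decides whether a program may run. As an added illustration (not CoreTrace's code; the class names, fields and sample programs are invented for this example), the following Python models those decisions over a constructed baseline, records blocked programs the way the overview describes MP logging them for later scrubbing, and shows the effect of the Safe Trusted User and local administrator settings.

```python
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Program:
    path: str
    content: bytes                # constructed stand-in for the file on disk
    signer: Optional[str] = None  # subject of a valid digital signature, if any
    is_activex: bool = False
    is_uninstaller: bool = False

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass(frozen=True)
class User:
    name: str
    is_local_admin: bool = False


@dataclass(frozen=True)
class SecurityConfiguration:
    """The subset of security configuration settings discussed above."""
    approved_signers: FrozenSet[str] = frozenset()
    trusted_users: FrozenSet[str] = frozenset()
    enable_remove_programs_in_baseline: bool = False
    enable_trusted_activex: bool = False
    enable_safe_trusted_user: bool = True
    enable_trusted_user_for_all_local_admins: bool = False


def baseline_from_scan(scan: List[Program], config: SecurityConfiguration) -> FrozenSet[str]:
    """Whitelist (set of hashes) produced by a baseline scan of a clean system.

    Uninstallers are trusted only when Enable Remove Programs/Uninstallers in
    Baseline is selected; otherwise they are left out of the whitelist.
    """
    return frozenset(p.sha256 for p in scan
                     if config.enable_remove_programs_in_baseline or not p.is_uninstaller)


class WhitelistPolicy:
    """Illustrative model of the run/block decision and the blocked-program log."""

    def __init__(self, config: SecurityConfiguration, baseline: FrozenSet[str]):
        self.config = config
        self.baseline = baseline
        self.blocked_log: List[Tuple[str, str]] = []   # (user, path)

    def is_trusted_user(self, user: User) -> bool:
        c = self.config
        return (user.name in c.trusted_users
                or (c.enable_trusted_user_for_all_local_admins and user.is_local_admin))

    def evaluate(self, program: Program, user: User) -> Tuple[bool, str]:
        c = self.config
        if program.sha256 in self.baseline:
            return True, "in baseline whitelist"
        if program.is_activex and c.enable_trusted_activex:
            # Trusted ActiveX: only controls signed by an approved signer install.
            if program.signer in c.approved_signers:
                return True, "ActiveX control signed by approved signer"
            return self._block(program, user, "ActiveX control not signed by approved signer")
        if self.is_trusted_user(user):
            if not c.enable_safe_trusted_user:
                return True, "trusted user, Safe Trusted User disabled (any program)"
            if program.signer is not None:
                return True, "trusted user running a digitally signed program"
            return self._block(program, user, "trusted user but program is unsigned")
        return self._block(program, user, "not on whitelist")

    def _block(self, program: Program, user: User, why: str) -> Tuple[bool, str]:
        self.blocked_log.append((user.name, program.path))
        return False, f"blocked: {why}"

    def scrub_candidates(self) -> List[str]:
        """Paths of blocked programs an administrator may want to remove."""
        return sorted({path for _, path in self.blocked_log})


# Constructed sample: a clean workstation scan and a few later executions.
SCAN = [
    Program(r"C:\Ovation\bin\ovation.exe", b"ovation-binary", signer="Emerson"),
    Program(r"C:\Program Files\App\uninstall.exe", b"uninstaller", is_uninstaller=True),
]
CONFIG = SecurityConfiguration(approved_signers=frozenset({"Emerson"}),
                               trusted_users=frozenset({"ovadmin"}),
                               enable_safe_trusted_user=True,
                               enable_trusted_user_for_all_local_admins=True)


def run_sample() -> WhitelistPolicy:
    policy = WhitelistPolicy(CONFIG, baseline_from_scan(SCAN, CONFIG))
    operator, admin = User("operator"), User("localadmin", is_local_admin=True)
    signed_tool = Program(r"C:\Temp\signed_tool.exe", b"signed", signer="Emerson")
    unknown = Program(r"C:\Temp\unknown.exe", b"unknown")
    for program, user in [(SCAN[0], operator), (unknown, operator), (signed_tool, admin),
                          (unknown, admin), (SCAN[1], operator)]:
        allowed, reason = policy.evaluate(program, user)
        print(f"{user.name:10} {program.path:40} {'ALLOW' if allowed else 'BLOCK'} {reason}")
    return policy
```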
5. Select Custom Security Configurations -> Create System Install File from the menu
above the right-pane. A new screen appears.
6. Select the security configuration you want to use when creating the system install file from
the Secured with Selected Security Configuration field.
7. Select the version of system software you want to install on endpoints from the Install the
Selected Software Version field.
8. Click Finish on the top-right corner of the window.
9. Select the location where you want to save the system install file from the window that
appears and click OK.
Note: The System Install File contains the IP address and unique identifier for the manager that
created the file. It also contains the name of the security configuration to apply on the endpoint
from the manager. You can continue to edit the security configuration on the manager and the
System Install File always installs the latest version.
2. Click the File Transfer button. The File Transfer Wizard appears.
3. Choose Inbound: From external drive to Console in the File Transfer Direction area.
4. Choose Update in the File Type area.
5. Click Next. The Inbound Config tab of the File Transfer Wizard appears.
6. Click Browse. Select the update file from the Open dialog box and click Open. The update
file has a .UPD extension.
7. Click Next. The Confirm tab of the File Transfer Wizard displays.
8. Click Finish.
11. Select the software version to which you want to upgrade the Manager or endpoints,
depending upon your selection in the last step. These updates correspond to the software
transferred from the CD/DVD or USB media to the Manager. If the latest version does not
appear in the list, the transfer was not completed properly.
12. Click Next. The Confirm tab of the Update Software wizard appears.
13. If everything is correct, you can start the update by clicking Finish. During updates of the
Manager, the appliance reboots and you will need to log in again.
Note: Update the software for your appliances when you are reasonably sure there are no
possible power fluctuations or outages. In the event power is lost to the appliance during a
software update, the update may fail and lock the appliance. You will have to re-install from the
original USB recovery drive or possibly send the appliance to CoreTrace for repair.
14. Verify the software update when you log back into the Manager.
4. Click the Settings tab in the right-pane and verify the version in the Software Version field to
verify the Manager has been correctly updated.
3. In the right-pane, right-click and select Enter Active Directory Credentials from the pop-up
menu.
4. Enter Active Directory Credentials in the Enter Active Directory Credentials dialog box.
5. Enter a login account for Active Directory in the Active Directory Admin User field.
Note: You should not use a Domain Administrator account. Use an account that has permission
to view Active Directory.
6. Enter the corresponding password in the Active Directory Admin Password field.
7. Enter the TCP/IP address of the server where Active Directory is running in the Active
Directory Server IP Address field.
8. Click OK. The right-pane displays all systems listed in the Active Directory, with a collapsible
tree view of all organizational units represented in the left-pane tree view.
9. Select the system(s) to which you want to deploy BOUNCER software, right-click and select
Get IP Address for Selected Systems from the pop-up menu. This allows BOUNCER to find
the current IP address for the destination systems.
10. Select the system(s) to which you want to deploy BOUNCER software, right-click and select
Deploy Installer to Selected System(s) from the pop-up menu.
11. Once the BOUNCER software has been deployed and executes, the new system(s) appear in
the Pending Systems folder System tab, and will show a status of Deployed in the Active
Directory view.
2. Select the system on the Systems tab and select Systems -> Move System from the menu
bar above the right-pane.
3. Click your selection and the Move System to Security Configuration window appears.
4. Select the new security configuration in the list and click OK.
Note: When moving into a Secured configuration, Trust is applied and a new whitelist is auto-
generated. No reboot is necessary.
An hourglass appears while the Manager is ‘locked’ and the archive is being created. A
Manager archive is always identified with the .ARC file extension.
5. Select Network Share, the Create Archive for All Managers dialog box appears.
6. Enter the path to the network share in the UNC Directory Pathname field.
7. Enter your username for accessing this network share in the Username field.
8. Enter the corresponding password in the Password field.
9. Click Test Share Access to test access to the network share.
10. Click Archive Now to save the archive to the network share.
When the archive has been created, a confirmation dialog box appears showing the name of
the archive file and the name of the Manager for which it was created.
Note: Do not change the names of the archives on your network share. During an archive
restore, both the filename and the digital signature are checked against the current manager to
ensure the proper archive is being loaded. For this same reason, make sure you create a new
archive if you change the manager’s name.
6. Enter the path to the network share in the UNC Directory Pathname field.
7. Enter your username for accessing this network share in the Username field.
8. Enter the corresponding password in the Password field.
9. Click Test Share Access to test access to the network share.
10. Click Restore Archive to restore the archive from the network share.
Note: Do not change the names of the archives. During an archive restore, both the filename
and the digital signature are checked against the current manager to ensure the proper archive
is being loaded.
11. When the Manager has been restored with the archive, a confirmation dialog box appears
showing the archive information and warning that the Manager will reboot. Click OK.
12. After the Manager reboots, verify that the systems, administrators, policies, and so forth are
restored to the previous state.
5. Double-click Trusted Users. Select Trusted Users -> Add New Trusted Users or right-click
and select Add New Trusted Users.
6. In the Add Trusted Users dialog box, the login credentials appear in the fields at the top. If
you have not yet connected with Active Directory you will need to supply the account and
password and the IP address of the Active Directory, and then click the Query Active
Directory button. The users listed in Active Directory are displayed.
8. Confirm that these are the trusted users you want to add to the security configuration and
click Finish. When finished, the Trusted Users area appears similar to the following window:
3.7 Scrubbing your system
However, over time unauthorized and potentially malicious software may accumulate on the
system. Viruses may arrive in email attachments, vulnerabilities may be exploited and files copied
onto the system, and the system user may even load unauthorized software. These programs will
not run because of the policy you have applied to your system. However, you should periodically
remove them from the system, especially if you want to generate a new policy. To remove them,
you need to scrub the client.
The scrubbing process is similar to the file policy autogeneration process. The client scans the
system and compares the computed pathname, size, and digest of the detected files to the
existing policy. If there is not a match, the executable is deleted.
The scrub client capability works only when there is at least one file policy and a settings policy
with the global execute restrictions enabled in the policy on the client. Any directory policies that
allow write access are ignored (unless there are files in the directory that are write protected).
Information about the deleted file is entered into the client log as a Level 4 event and also
forwarded to the client’s licensing manager.
A dialog box shows you the system drive and one additional drive for a desktop client, while on a
server client you can select from any of the available drives. By default, the scrub process will
NOT delete the executable files, but will generate events listing the files it would delete. If you
want to delete the unauthorized files immediately, check the Delete Files selection in this dialog
box.
Because the scrub process uses the same routines for automatic file policy generation, the scrub
process will fail if there is an automatic file policy generation in progress on the same client or the
scrub process is already running. In these situations, the system displays an information message
dialog box.
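The comparison the scrub performs, modelled as an added Python example (this is not Emerson or CoreTrace code): pathname, size and digest are the policy key, every non-matching executable becomes a Level 4 event, and files are only unlinked when the Delete Files option is set. The executable suffix list and the use of SHA-256 as the digest are assumptions, since the manual names neither.

```python
"""Model of the Bouncer scrub check. Added example; not Emerson or CoreTrace
code. Assumptions: the digest is SHA-256 and executables are identified by
the suffix set below (the manual names neither)."""
import hashlib
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".bat", ".cmd"}  # assumed set


def digest_file(path: Path) -> str:
    """SHA-256 of the file contents, streamed so large binaries are cheap."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_executable(path: Path) -> bool:
    return path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES


def build_policy(root: Path) -> dict:
    """Autogenerate a file policy: resolved pathname -> (size, digest)."""
    return {
        str(path.resolve()): (path.stat().st_size, digest_file(path))
        for path in sorted(root.rglob("*"))
        if is_executable(path)
    }


def scrub(root: Path, policy: dict, delete_files: bool = False) -> list:
    """Compare every executable under root with the policy.

    Returns one Level 4 event per executable whose pathname, size and digest
    do not all match. Files are only unlinked when delete_files is True; the
    default is a report-only run, as in the Scrub System dialog box.
    """
    events = []
    for path in sorted(root.rglob("*")):   # materialised before any unlink
        if not is_executable(path):
            continue
        key = str(path.resolve())
        observed = (path.stat().st_size, digest_file(path))
        if policy.get(key) == observed:
            continue
        reason = "not in policy" if key not in policy else "size/digest mismatch"
        if delete_files:
            path.unlink()
        events.append({
            "level": 4,
            "path": key,
            "reason": reason,
            "action": "deleted" if delete_files else "would delete",
        })
    return events


def demo() -> tuple:
    """Constructed scenario: one approved binary, then a dropped file and a
    tampered binary; a dry run first, then a run with Delete Files set."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ovation.exe").write_bytes(b"approved binary")
        policy = build_policy(root)
        (root / "dropper.exe").write_bytes(b"unapproved binary")          # new
        (root / "ovation.exe").write_bytes(b"approved binary, patched")  # changed
        dry_run = scrub(root, policy)
        dropper_survived_dry_run = (root / "dropper.exe").exists()
        deleted = scrub(root, policy, delete_files=True)
        remaining = sorted(p.name for p in root.iterdir())
    return (
        sorted(event["reason"] for event in dry_run),
        dropper_survived_dry_run,
        len(deleted),
        remaining,
    )


if __name__ == "__main__":
    print(demo())
```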
5. Select the appropriate item in the navigation pane to display the desired systems in the
Systems control table.
6. Identify the systems to scrub.
7. Click the check boxes next to the systems to be scrubbed.
8. Select the scrub options.
9. Select the Scrub System option from the drop-down menu under the Systems selection
button.
10. Click the check box next to Delete Files if you want to delete the unauthorized files from the
endpoint system.
11. Click OK to start the scrub process.
12. Click OK to close the confirmation dialog box.
The scrub process runs silently to completion, but detected and deleted file information appears in
the event log and scrub system reports.
Note: Do not forget to go back and scan the remaining drives before you autogenerate a new
file policy. All drives should be scrubbed to ensure only authorized executables remain.
3.8 Creating Reports and Logs for MP
You can also create a report containing all the information on an administrator’s configuration.
This report is in a tab-delimited format and saved in a folder called Reports on either your local
machine or the manager, depending on your configuration. This report file can be retrieved using
the control center’s file transfer capabilities.
3. Enter the new report name or leave the default of manager name and date.
4. Click OK to create the report or Cancel to exit.
Note: Several generic policies need to be imported to support various OSC and Ovation
functions.
3.9 Backing up the MP appliance
The archive is a snapshot of the manager’s configuration at a specific point in time. This archive
contains all the licenses, software, policies, and so forth on the manager. It does not contain a
backup of the manager’s system software, nor does it contain any of the event logs on the
manager.
In the event of system software or hardware failure, the manager must be shipped to CoreTrace
for repair using the RMA process. Without the manager functioning at a fundamental level you
cannot access it to install the archive. Once the manager is repaired to its factory default state,
the latest archive can be installed to restore it to the status captured in the archive.
WARNING! It is absolutely critical that you periodically create an archive of all your managers.
Keep a copy of your manager archives in a safe, readily available place. Although the
managers have a high degree of reliability, should they fail, the archives are the only way to
return them to their previous working state.
1. Click the Configuration tab and then the Administrators selection button. Look at the
Manager data field in the Administrators control table and verify that no other administrators
are logged into the manager where you want to create an archive.
2. Select a manager. Click the Managers selection button and click the check box in the
Managers control table next to the manager on which you want to create an archive.
3. Begin archive. Click the Archive selection button and select Create from the drop-down menu.
The cursor changes to an hourglass showing the archive is being created.
4. Confirm archive. Once complete, a dialog box containing the name of the archive file and
manager appears. Click OK acknowledging the successful archive.
5. Copy archive to control center. Click the Archive selection button and select Copy From
Manager to Console from the drop-down menu. If you are copying from a manager to a
control center appliance, the cursor changes to an hourglass showing the archive is being
copied. If you are copying to the control center on the same manager, you may not see an
hourglass as it is accomplished quickly.
6. Backup archive. Follow the directions given in the File Transfer section to move the archive
file outbound from the control center to your computer. Archives are always identified with the
.ARC file extension. Store the archive in a safe, but readily available location.
Note: Do not change the format of the archive file’s name once you have transferred it off the
system. The control center checks the format of the file name before allowing you to transfer it
back to a manager for restoration.
Note: When connecting a Workstation to the manager, you must check the following items:
4. Click the Licensing drop-down menu and select Update Client Licenses on Select
Manager.
5. Click OK and verify the license.
6. Click the Configuration tab.
3.10 Malware Prevention event reports to SIEM
The manager can forward these events to multiple receivers using Syslog. Only the prime
manager of the CoreTrace pair needs to send Syslog messages.
SECTION 4
4.1 SIEM appliance overview
SIEM delivers a comprehensive, detailed security auditing solution for web and database
applications vulnerable to insider theft and application-layer attacks. SIEM ensures a proactive
approach to data security by monitoring all access to sensitive corporate and customer data.
SIEM provides continuous, real-time audit trails of all database activity by analyzing the
underlying database application protocols. The SIEM appliance can perform the following:
Monitors logins and logouts.
Monitors failed login attempts.
Alerts on unauthorized access from particular logins or client computers.
Alerts on unauthorized access to specific objects.
Captures data changes originated by users.
Tracks administrator-initiated access control or schema changes.
Provides a complete audit-trail of all requests that can be replayed in a controlled
environment.
The normalized and aggregated data are then correlated. The correlation of the normalized and
aggregated data provides you with an in-depth view into potential security threats.
Note: Due to the complexity of upgrading the SIEM portion from the OSC version 1.x (NitroView
8.2.0j or lower), Emerson recommends that you have your OSC updated by an experienced
service representative.
Contact your local field support office or sales representative for advice on upgrading your OSC.
4.2 Minimum requirements to login to the SIEM
Note: Emerson recommends the SIEM (McAfee ESMI) to be accessed from a machine that has
a Web browser that supports Flash 10.x or later and Acrobat Reader 9.x or later for viewing
reports. (The best practice is to use a machine that is not the OSC VSPM server, but a machine
that is designated solely for the purpose of connecting to any of the OSC appliances).
4.3 Upgrade SIEM software
1. If you are running OSC version 1.x (SIEM is running NitroView version 8.2.0, or below),
contact Emerson for support.
2. If you are running OSC version 2.0 or later (SIEM is running NitroView version 8.4.2, or later),
the upgrade path is as follows:
OSC 2.0 (NitroView 8.4.2b) > OSC 2.0 Update 1 (NitroView 8.5.3) > NitroView 9.0.2a >
OSC 2.1 (McAfee ESM Interface 9.1.2).
a) To upgrade from OSC 2.0 to OSC 2.0 update 1, follow the instructions given in the To
upgrade from OSC 2.0 to OSC 2.0 update (see page 166) section.
b) To upgrade from OSC 2.0 update 1 to OSC 2.1, follow the instructions given in the To
upgrade from OSC 2.0 update 1 to OSC 2.1 (see page 169) section.
Perform the following steps to upgrade the SIEM from OSC 2.0 to OSC 2.0 Update 1:
6. Click Browse.
7. Click Browse. Navigate to the OSC 2.1 SIEM disc 1 and click the
\ESSREC_Update_8.5.3.tgz file. Click Open. Click Upload to upload the file to the SIEM.
Close the File upload window.
8. An Update ESM Software dialog box appears stating that the ESM will reboot and that all users
will lose their connection. Click Yes to continue.
9. Another dialog box appears asking you to close the browser. Click OK.
10. The update may take a long time to complete depending on the database size. After the
upgrade completes, you may log back into the SIEM through a new browser session, or a
database rebuilding dialog box with a timed check may appear.
11. After you log on to the SIEM main screen, verify the version at the lower-left corner of the
window. It should be 8.5.3.
12. Record the data sources and then roll out the policy. See the Reviewing Data Sources and
Policy Rollout (see page 199) section for more details.
Perform the following steps to upgrade the SIEM from OSC 2.0 Update 1 to OSC 2.1:
The upgrade path is as follows: OSC 2.0 Update 1 > NitroView 9.0.2a > OSC 2.1
Note: If a full backup was performed as part of performing an upgrade from OSC 2.0 to OSC 2.0
Update 1, a second backup is not required.
6. Click Browse.
7. Click Browse. Navigate to the OSC 2.1 SIEM disc 1 and click the
\ESSREC_Update_9.0.2a.tgz file. Click Open. Click Upload to upload the file to the SIEM.
Close the File upload window.
8. An Update ESM Software dialog box appears stating that the ESM will reboot and will cause
a loss of connection for all users. Click Yes to continue.
9. Another dialog box appears asking you to close the browser. Click OK to close the browser.
10. The update may take a long time to complete depending on the database size. After the
upgrade completes, you may log back into the SIEM through a new browser session, or you
may get a database rebuilding dialog box with a timed check.
11. After you log on to the SIEM main screen, verify the version at the lower-left corner of the
window. It should be 9.0.2.
12. Record the data sources and then roll out the policy.
13. From the SIEM main menu, click Local ESM under the Navigation Tree. Click Properties.
17. Click Browse. Navigate to the OSC 2.1 SIEM disc 1 and click the
\ESSREC_Update_9.1.2.tgz file. Click Open. Click Upload to upload the file to the SIEM.
The File upload window closes.
18. An Update ESM Software dialog box appears stating that the ESM will reboot and that all
users will lose their connection. Click Yes to continue.
19. Another dialog box appears asking you to close the browser. Click OK to close the browser.
20. The update takes a long time to complete depending on database size. After the upgrade
completes, you may log back into the SIEM through a new browser session, or you may get a
database rebuilding dialog box with a timed check.
21. After you log on to the SIEM main screen, verify the version at lower-left corner of the
window. It should be 9.1.2.
4.4 Login security information
The Standard Login Settings allow you to adjust the settings for standard login procedures. The
Allowed Failed Login Attempts value specifies the number of consecutive unsuccessful logins that
will be allowed in a single session before the user account becomes locked. Once a user's
account is locked, the system administrator must unlock it before the user is allowed to log in
again. Refer to User accounts and Groups (see page 181). A value of 0 means that an unlimited
number of login attempts is allowed.
The Timeout Value specifies the amount of time with no activity that must pass before the
current session is forced to the re-login screen. For example, if this value is set to 30 minutes, the
application automatically opens the re-login screen after 30 minutes of inactivity. This forces
users to log in again before they can resume their activities. The timeout value is specified in
minutes.
Note: Your session will time out after 60 minutes of inactivity, regardless of the timeout value
setting.
The Show Last User ID upon Login check box will show the username of the last successful login
into NitroView if selected.
The ACL Settings button will display a window that allows you to restrict what IP addresses are
allowed to attempt to login to the SIEM. Leaving this window blank will place no restrictions on IP
addresses.
Note: After Active Directory Authentication is enabled, all users except for the system
administrator (usually NGCP) authenticate with Active Directory.
1. Click Local ESM under the System Navigation tree, and then click the Properties icon on the
SIEM main menu.
4. Click Add.
The Active Directory Connection window appears:
5. Enter the fully qualified domain name in ALL CAPS in the Domain Name field.
6. Click Add.
The Active Directory Address Information window appears:
7. For the primary domain controller, select the Administration server check box. Enter the IP
address of the primary domain controller in the IP Address field. If non-standard ports are
used, they may be entered here. Otherwise, click OK to close the Active Directory Address
Information window.
8. Click Add again on the Active Directory Connection window if there is more than one domain
controller on the system’s domain.
The Active Directory Address Information window appears.
9. Make sure the Administration server check box is clear.
10. Enter the IP address of the backup domain controller in the IP Address field. If non-standard
ports are used, they may be entered here. Otherwise, click OK to close the Active Directory
Address Information window.
11. Repeat Steps 7 through 9 until all backup domain controllers are added.
12. Click OK to accept the settings and close the Active Directory Connection window.
13. Click OK to close the System Properties window.
Note: The Enabling Active Directory Authentication section describes how to enable Active
Directory authentication. Additional steps are needed before the SIEM can use Active Directory
users. Refer to the Appendix, Creating Windows User for Active Directory Authentication and
Log Collection (see page 286), for the steps required to log on to the SIEM with an Active
Directory account.
4.5 User accounts and Groups
Groups contain users that inherit the privileges belonging to the group, including the right to
access the devices and policies associated with the group. When a group is added, devices,
policies, and privileges must be assigned before it becomes useful. You also have the ability to
add and view IP address filters and notifications. The Users and Groups window allows the
system administrator to add, edit, and remove groups.
The information on these tables can be sorted by clicking the heading for the Username,
Sessions, or Group Name column, then clicking the arrowhead that appears.
2. Click Users and Groups on the System Properties screen. The Enter Password window
appears.
3. Enter the system administrator password.
4. Click OK. The Users and Groups window opens.
Note: This section describes how to add users to a group by editing the group. You can also
change a single user's group membership by referring to: To add a user to the system (see
page 182).
1. Click Users from the Add or Edit Group screen (System Properties > Users and Groups >
Add Group). A list of all available users appears.
2. Select the users you want to add to the group by clicking the check box next to the user
names or by clicking Select All.
3. Click Apply to save your settings and remain in the Add or Edit Group dialog box or click OK
to save your settings and close the window.
Note: When a group is removed from the system, user(s) relying on that group for privileges will
lose those privileges.
Note: This section describes how to remove users from a group by editing the group. You can
also change a single user's group membership by referring to: To edit user account settings
(see page 182).
1. Clear the check box next to the appropriate user, or click Select None.
2. Click OK to save your settings.
Note: The system administrator is a member of every group and cannot be removed. Therefore,
the check box next to that user name is disabled.
4.6 Profile management
1. Select System Display in the System Navigation tree from the SIEM main screen.
You can use Profile Management to save which Windows Event Logs to collect data from and the
logon credentials to use. For Event Logs, you can either create one profile for each different
combination of Event Logs (such as one for Domain Controller, Ovation station, non-Ovation
station, and so forth) or create one profile with all the Event Logs a given system could have,
which results in fewer profiles to manage. If the target machine does not have one of the Event
Log buckets listed below, the data that is present is returned.
The following are the Event Logs that can contain information for an Ovation deployment:
Windows-based Logs
Security
System
Application
If Ovation is installed:
Ovation
If OSC VSPM agent is installed:
Lumension
The following settings must be configured on the Edit System Profile window:
Profile Type: Data Source.
Profile Agent: Windows.
Profile Name: Enter a name.
Username: User name used to log on to computers (for example, DOMAIN\User).
Password: Enter the password.
Interval: Between 2 and 5 minutes.
NOTE: The selected user must have permission to read Windows Event Logs.
Network discovery requires an SNMP RO (Read Only) profile that allows the SIEM to read SNMP
data from the network device. For Ovation, configure a profile as follows:
Profile Type: Network Discovery.
Profile Agent: SNMPv1.
Profile Name: Enter a name.
Port: 161.
Community Name: Enter the community string the network segment uses.
To use configuration management features, a Command Line Interface (CLI) profile must be
added to allow the SIEM to log on to the network device and access its configuration. For
Ovation, set up a profile as follows:
Profile Type: Network Discovery.
Profile Agent: CLI.
Profile Name: Enter a name.
Port: Port to access either telnet or SSH of the network device.
Method: Telnet or SSH, depending on system configuration.
Username: Enter the user name to log on to the network device (leave blank if no user
exists).
Password: Enter the password for log on.
Enable Password: Enter the password for the higher privileges (it is the same password
used to enable command inside the Cisco device).
4.7 Configuring WMI Data Sources (Windows Devices) for Monitoring
2. On the Action Pane above the System Navigation tree, click the Add Data Source button.
The Add Data Source window appears:
3. Fill in the following fields:
Enabled - Indicates whether the data source is enabled or disabled. Events will only be
requested from the WMI provider if the data source is enabled.
Name - A name for the data source.
IP Address - The IP address or host name of the WMI provider.
NetBIOS Name - The NetBIOS identifier for this device.
Username - The username used to connect to the WMI provider. For domain users, enter
username as domain\user.
Interval - The interval, in minutes, at which the Receiver checks the WMI provider for new
events.
Use RPC - Uses RPC to communicate with the WMI host. Enable this check box.
Note: (Optional) You may select the Use System Profile check box to use any profiles
generated in the Profile management (see page 184) section. Performing this action will grey
out the Username, Password, Event Logs, and Interval fields and fill them as per the settings
chosen in the Profile management (see page 184) section.
4. Click Connect. You will receive a message informing you about successful or unsuccessful
connection. If the connection was unsuccessful, a message appears informing you why the
connection failed.
5. Click the Interface button to view or edit the interface settings. The settings on the Network
Interface Settings window configure the ESM connections to the Receiver.
6. Click OK to save the device settings. A window appears explaining that these settings have
not been written to the Receiver and asks you to do so.
7. Click Yes to write the settings to the Receiver. The settings will now be written to the receiver.
8. Roll out the new policy. Refer to: Rolling-out the policy. This enables the SIEM to begin
collecting log files.
4.8 Configuring Syslog Data Sources (Cisco and *nix Devices) for Monitoring
The Cisco Syslog Data Source requires configuration in order to receive event data from the
security devices that it supports. The following sections explain Cisco syslog configuration.
4.8.1 Syslog Configuration to Forward Messages from Solaris, Unix, and Linux OS Data Sources
You must configure syslogd on Unix/Linux servers or workstations to forward the system message
logs that are generated. Forwarding is defined in the /etc/syslogd.conf file. The general syntax is
(the separator between the two fields is a TAB):
<Facility><TAB>@<IP_Address_of_McAfee_ENMELM>
It is critical that the whitespace between the selector and the @ sign is a TAB. If a SPACE is
used, messages will not be forwarded to the SIEM, because of the way the syslog.conf
pre-processor (m4) handles the file.
To check that the new entries to forward messages to the SIEM are being processed correctly,
type "syslog-d" as root.
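An added check for the TAB requirement described above; this is not part of the Emerson guide. It audits the forwarding entries in syslog.conf text, flags entries whose separator contains a SPACE or that point somewhere other than the SIEM, and rewrites the separator to a single TAB. The sample configuration and the SIEM address 192.0.2.10 are constructed.

```python
"""Audit of syslog.conf forwarding entries for the TAB requirement. Added
example, not part of the Emerson guide. The configuration text and the
SIEM address 192.0.2.10 are constructed."""
import re

SIEM_IP = "192.0.2.10"  # constructed placeholder for the SIEM receiver

# selector, then the whitespace run that must be a TAB, then the action
ENTRY = re.compile(r"^(?P<selector>[^\s#]\S*)(?P<sep>[ \t]+)(?P<action>\S.*)$")

SAMPLE_CONF = (
    "# constructed sample /etc/syslog.conf\n"
    "*.err;kern.notice;auth.notice\t/dev/sysmsg\n"
    "*.alert;kern.err;daemon.err\t\t@192.0.2.10\n"  # TAB: forwarded
    "auth.info @192.0.2.10\n"                          # SPACE: silently ignored
    "mail.debug \t@192.0.2.10\n"                       # SPACE+TAB: also ignored
    "*.emerg\t@loghost\n"                              # TAB, but not the SIEM
)


def forwarding_entries(conf_text: str):
    """Yield (line number, match) for entries whose action is @host."""
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        match = ENTRY.match(raw)
        if match and match.group("action").startswith("@"):
            yield number, match


def audit_forwarding(conf_text: str, siem_ip: str) -> list:
    """One finding per forwarding entry; issue is None when it is correct."""
    findings = []
    for number, match in forwarding_entries(conf_text):
        host = match.group("action")[1:].strip()
        if " " in match.group("sep"):
            issue = "separator contains a SPACE; entry is not forwarded"
        elif host != siem_ip:
            issue = "forwards to %s rather than the SIEM" % host
        else:
            issue = None
        findings.append({"line": number, "selector": match.group("selector"),
                         "host": host, "issue": issue})
    return findings


def fix_forwarding(conf_text: str) -> str:
    """Rewrite each @host entry so a single TAB separates selector and action."""
    fixed = []
    for raw in conf_text.splitlines():
        match = ENTRY.match(raw)
        if match and match.group("action").startswith("@"):
            raw = match.group("selector") + "\t" + match.group("action")
        fixed.append(raw)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for finding in audit_forwarding(SAMPLE_CONF, SIEM_IP):
        print(finding)
```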
The first step in configuring a data source device is adding it. To add a data source to a Receiver,
follow the steps below.
2. On the Action Pane above the System Navigation tree, click the Add Data Source button.
The Add Data Source window appears:
3. Fill in the following fields:
Data Source Vendor – Pick the vendor of your product. In the case of Emerson-provided
switches and routers, select Cisco.
Data Source Model – Pick the model of equipment this data source is. In the case of
Emerson-provided switches and routers, select IOS (ASP).
Enabled - Indicates whether the data source is enabled or disabled. Events will only be
collected if the data source is enabled. Only Parsing should be checked.
Name - A name for the data source.
IP Address - The IP address or host name of the device sending syslog messages.
Mask – IP Mask of the device. Enter 32 in this field.
Time Zone – Set this to the time zone the device is sending messages in. If the device is
physically located in EST but sends messages in GMT, set this to GMT.
4. Click the Interface button to view or edit the interface settings. The settings on the Network
Interface Settings configure the ESM connections to the Receiver.
5. Click OK to save the device setting. A window appears explaining the need to roll out the
policy for this device.
6. Click Yes to continue.
7. A window appears explaining that these settings have not been written to the Receiver and
asks you to write the setting to the Receiver.
8. Click Yes to write the settings to the Receiver.
9. Roll out the new policy. Refer to: Rolling-out the policy. This enables the SIEM to begin
collecting log files.
Note: When configuring additional devices, refer to the McAfee User Guide located on your
OSC CD.
Emerson provides configurations for network switches and routers with the level of debugging
appropriate for the operation of the DCS system. The only required change is to set a syslog
forwarding address of the SIEM.
Note: When configuring additional devices, refer to the McAfee User Guide located on your
OSC CD located in the \InstallCDforCustomers folder.
4.9 Generating Reports for SIEM
The Reports feature can be used for different circumstances. The generated reports can be
based on auditing criteria and can be used to show compliance. These reports can be printed or
sent to an auditor as well. The Reports feature is also helpful in checking your network. The
reports allow you to see if you are possibly violating any policy or standards for your network.
The out-of-box reports are divided into different categories (for example, PCI, HIPAA, NISPOM,
BASEL II, and so forth).
The table on the Reports screen (System > Properties > Reports) lists the reports that you have
selected and/or created. It allows you to add, edit, remove, and run reports that are listed, and
enable and disable them. This screen also allows you to manage the conditions, recipients, and
notification settings, as well as view reports that are currently being run and cancel them, if
necessary.
For additional information about Reports, refer to the McAfee ESMI User Guide available on your
Ovation Security Center CD.
Note: You must define the parameters of a report and add it to this table so that it can be
generated as defined. You also need to configure your notification settings before adding a
report.
1. In the System Navigation tree, click the System node and select the Properties icon in the
Actions toolbar. The System Properties window appears.
2. Click the Reports option. The Reports screen opens listing the names of the established
reports, their conditions, and their status (enabled or disabled).
3. Click the Add button (ensure that you have notifications and recipients setup before
proceeding). The Add Report window appears.
4. Enter a name for the new report and a description of the information it will contain.
5. In the Condition field (in section 2 of the Add Report window shown above), select when you
want this report to run from the list of options on the drop-down list. If you want to add a
condition to the list of options, click Edit conditions. The Conditions window opens. Refer to
the To add a condition (see page 221) section for information regarding adding a condition.
6. In section 3 of the Add Report window shown above, select the time zone the report queries
should use.
7. Select how you want the report delivered (in section 4 of the Add Report window shown
above). You have three options: (a) send it to users or groups and/or (b) save it to the ESM
and/or (c) send it to the remote storage.
Email sent to users or groups - When you select this option, the Add recipient link will
activate. Click on it to open the Recipients dialog and select the users or groups to whom
the report will be sent. Refer to the E-Mail Recipients or E-Mail Group Recipients sections
for details on this window.
File saved to the ESM - When you select this option, the Prefix field will activate,
showing Report_Log_ as the default prefix for the name of the file that will be generated
and saved on the ESM. Change the prefix, if desired. The file name will include the date
and time that the report is generated.
File saved to remote location - When you select this option, the report file is sent to a
remote storage. Select the location configured for remote storage from the File saved to
remote location drop-down list.
8. Select the format in which you want the report sent or saved. If you are designing a new
report, your options are PDF or HTML. If you will be selecting an out-of-box report, CSV is the
only option. When you select CSV, section 6, at the bottom of the Add Report screen, will
show a list of the available out-of-box reports.
9. Section 5 of the Add Report window shown below gives you one of the following two options,
depending on the format you selected in section 3.
If you are designing a new report and, therefore, selected either PDF or HTML format in
section 3, the section 5 of the Add Report window shown above appears as follows:
This table lists layouts that have been created previously for other reports.
To design a new layout, click Add.
To select an existing layout, click the desired layout.
To edit an existing layout, click the layout, then click Edit.
To delete an existing layout, click the layout, then click Remove.
To add a folder under which you can organize your layouts, click the Add Folder button.
Enter a name for the folder on the Enter a new name field, then click OK.
When adding a folder at root level, ensure that an existing folder or a layout in an existing
folder is not selected. If an existing folder is selected, the new folder will be added as a
subfolder. You can also do the following:
To add a new layout to the folder, highlight the folder and click Add. It will be saved in the
folder selected.
To add an existing layout to the folder, click the layout then drag and drop it in the folder.
To add a subfolder to an existing folder, highlight the folder then click Add Folder. Enter
a name for the new folder, and click OK. The new folder will be added as a subfolder to
the existing folder.
To move an existing subfolder to root level, select the subfolder then drag it to the
bottom of the layout tree and drop it.
To import one or more layouts, click the Import button and browse to the file(s) to be
imported. If the layout that you are importing includes an image that currently exists on
the ESM, the Import Report Layouts window opens and informs you of this conflict and
offers you the following choices:
- Keep Local - Keeps the image on the ESM and deletes the image from the report
layout. The image on the ESM will be used for that layout.
- Replace Local - Replaces the image on the ESM with the image in the report layout.
Any layouts that currently use the image that you are deleting from the ESM will now
use the image imported with the layout.
- Rename - The image in the report layout will automatically be renamed and the
layout will be imported using the image with the new name.
To export one or more of the layouts listed, click the files and/or folders to be exported
and click Export.
To include a summary of the global and individual component filters defined for this
report, click the Include filter summary in report check box. The filters used in this
report will then be listed at the bottom of the report. This is useful as an indication of the
limits defined for the data included in the report.
If you are generating an out-of-box report and, therefore, selected the CSV format in
Step 8, section 5 contains a report drop-down list. When you click the down arrow, a list of
all of the available out-of-box reports appears. Click the desired report.
10. In section 6 of the Add Report window, specify the filters to be applied to all of the
components for this report. For example, if you want the report to show only the data that has
a source IP value of 161.122.15.13, you would type that source IP value in the Source IP field.
The stacked-funnel icon, located to the right of each filter field, provides the ability to do global
filtering using existing variables. Clicking on the stacked-funnel icon allows you to select a
specific custom variable, which will be added to the selected field.
You can also filter on a combination of fields in one of the following ways:
To include data of more than one type, enter values in each of the appropriate fields. The
data that matches all of these filters will be shown in the report.
To include some data and exclude other data, enter the filter values that you want to
include and those that you want to exclude in the appropriate fields. Then click the NOT
icon to the right of the field values that you want to exclude. The report will include data
that matches all the entries in the fields where the NOT icon was not selected, and will
exclude the data that matches the values entered in the field where the NOT icon was
selected.
To include data that complies with regular and either/or filters, enter the filter values in all
the appropriate fields, then click the OR icon next to the fields that have the either/or
values. The report will include the data that matches all the entries in the fields that were
not marked OR and matches either of the values in the fields marked OR. For example, if
you want to include the data that matches a specific Destination IP and Destination Port,
and either a specific Source Port or a specific Source IP, enter the values in all four fields
and click the OR check box next to Source Port and Source IP.
Keep in mind that at least two fields must be marked OR for the OR filter to work.
By default, the data that is retrieved will have to match the case of the values that you enter in
the fields. If you want data to be included regardless of the case, click the Case-insensitive
icon (Aa) to the right of the filter field.
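The combination rules in Step 10 (all unmarked fields must match, NOT fields must not match, at least two OR fields of which one must match, and the Aa icon for case-insensitive matching) are easiest to verify against sample data. The following Python model is an added example, not code from the original guide or from the SIEM itself; the field names (src_ip, dst_port and so on), the sample events and the treatment of a NOT field as part of the AND group are assumptions made for illustration.

```python
"""Reference model of the Add Report global filter rules (added example, not SIEM code)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FieldFilter:
    """One filter field on the Add Report screen and the icons selected next to it."""
    field: str                      # event field the filter applies to (assumed name)
    values: List[str]               # value(s) typed into the field
    negate: bool = False            # NOT icon selected
    either_or: bool = False         # OR icon selected
    case_insensitive: bool = False  # Aa icon selected


def _matches(flt: FieldFilter, event: Dict[str, object]) -> bool:
    """True when the event's field equals one of the filter values."""
    actual = str(event.get(flt.field, ""))
    wanted = [str(v) for v in flt.values]
    if flt.case_insensitive:
        actual = actual.lower()
        wanted = [v.lower() for v in wanted]
    return actual in wanted


def event_passes(filters: List[FieldFilter], event: Dict[str, object]) -> bool:
    """Apply the AND, NOT and OR combination rules described in Step 10."""
    or_group = [f for f in filters if f.either_or]
    if len(or_group) == 1:
        # The guide states that at least two fields must be marked OR.
        raise ValueError("at least two fields must be marked OR")
    for flt in filters:
        if flt.either_or:
            continue
        hit = _matches(flt, event)
        # Fields without NOT must match; fields with NOT must not match.
        if hit == flt.negate:
            return False
    # Fields marked OR: the event must match at least one of them.
    if or_group and not any(_matches(f, event) for f in or_group):
        return False
    return True


def apply_filters(filters: List[FieldFilter], events: List[Dict[str, object]]):
    return [e for e in events if event_passes(filters, e)]


# Constructed sample events (not taken from the original page).
SAMPLE_EVENTS = [
    {"id": 1, "src_ip": "161.122.15.13", "src_port": "5000", "dst_ip": "10.0.0.5", "dst_port": "443", "user": "Admin"},
    {"id": 2, "src_ip": "10.1.1.1", "src_port": "4444", "dst_ip": "10.0.0.5", "dst_port": "443", "user": "admin"},
    {"id": 3, "src_ip": "10.1.1.1", "src_port": "5000", "dst_ip": "10.0.0.5", "dst_port": "443", "user": "ADMIN"},
    {"id": 4, "src_ip": "161.122.15.13", "src_port": "4444", "dst_ip": "10.0.0.6", "dst_port": "443", "user": "guest"},
]


def or_example_ids() -> List[int]:
    """The guide's example: a specific Destination IP and Destination Port, and either
    a specific Source Port or a specific Source IP (both marked OR)."""
    filters = [
        FieldFilter("dst_ip", ["10.0.0.5"]),
        FieldFilter("dst_port", ["443"]),
        FieldFilter("src_port", ["4444"], either_or=True),
        FieldFilter("src_ip", ["161.122.15.13"], either_or=True),
    ]
    return [e["id"] for e in apply_filters(filters, SAMPLE_EVENTS)]


def not_example_ids() -> List[int]:
    """Include port 443 traffic but exclude one source IP with the NOT icon."""
    filters = [
        FieldFilter("dst_port", ["443"]),
        FieldFilter("src_ip", ["10.1.1.1"], negate=True),
    ]
    return [e["id"] for e in apply_filters(filters, SAMPLE_EVENTS)]


def case_example_ids(case_insensitive: bool) -> List[int]:
    """Show the effect of the Aa icon on a user-name filter."""
    filters = [FieldFilter("user", ["Admin"], case_insensitive=case_insensitive)]
    return [e["id"] for e in apply_filters(filters, SAMPLE_EVENTS)]


def single_or_rejected() -> bool:
    """The guide's rule that a lone OR field is invalid, surfaced as a boolean."""
    try:
        event_passes([FieldFilter("src_ip", ["10.1.1.1"], either_or=True)], SAMPLE_EVENTS[0])
    except ValueError:
        return True
    return False
```

Running the same filter set through a model like this before saving the report is a quick way to confirm that a NOT or OR icon narrows the data the way you expect, rather than discovering the mistake after the report has been e-mailed.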
11. Click Save. The settings will be saved and the name will be added to the list on the Reports
screen. By default, the report will be enabled and the report will be generated based upon the
conditions you selected. If you need to temporarily stop certain reports from running but do
not want to delete them from the system, highlight them on the list of reports (System
Properties > Reports) and click the Enabled check box to remove the check.
The Status column in the table will list the status for those reports as Disabled. When you
want to start running those reports again, just repeat the process to add the check to the
Enabled check box. The Status column in the table will change the status for those reports
back to Enabled.
To run one or more reports immediately, select them on the list (Ctrl + click) and click the
Run Now button. The reports you have selected will be enabled and processed immediately.
The SIEM can run five notifications, reports, and/or jobs concurrently. Additional requests,
whether they are recurrent or one-time requests, are placed in a queue. If you have notification
rights, the View feature on the Reports screen (System Properties > Reports) allows you to
view the status, updated every 10 seconds, of all of the requests that you initiated that are
currently in this queue. It also allows you to cancel one or more of your requests, if desired.
If you are an administrator or master user, you can view all of the requests that are currently in
the queue and cancel one or more of them. This feature can be useful if the reports that you have
created have not begun to execute. You can access the View Reports screen to see the status of
your reports. If you need to free up system resources in order to allow specific reports that are in
the queue to begin execution, you can cancel some of those that are ahead in the queue.
1. Access the View Reports screen (System Properties > Reports > View).
2. Select the report(s) to be canceled. You can click the column headers to sort through the
queue and select multiple jobs to cancel.
3. Click Cancel. A confirmation window displays.
4. Click Yes. The selected reports will be deleted from the queue.
The Files feature on the Reports screen allows you to view a list of the report files that have been
generated on the system and download, upload, or remove them. To use this feature, do the
following:
1. Access the report File List screen (System Properties > Reports > Files).
2. Select one or more of the report file(s) on the list. You can click the column headers to sort
the list.
3. Perform the desired actions:
Click Download to save the selected file(s) to another location. You can then view the
file(s).
Click Upload to add a report file to the list. This could be useful if you downloaded a file,
removed it from the system, and then realized that you wanted to keep it on the list of
reports.
Click Remove to delete the selected report file(s) from the system. Keep in mind that
once a file is deleted, it cannot be restored unless it was previously downloaded to a
separate location.
Click Refresh to refresh the list of reports.
4. Click Close to return to the Reports screen.
4.10 Reviewing Data Sources and Policy Rollout
1. On the main screen, left-click Local Receiver in the System Navigation tree.
2. On the Action pane, click Properties. The Properties window appears.
3. Click Data Sources.
4. A table lists all the data sources currently configured. To add a new device, click Add.
5. To edit an existing device, left-click the device in the list and click Edit. The settings for that
device appear.
6. If any changes are made, the Write button will become active. Click Write to write the settings
to the Receiver.
7. When all settings are correct and written, the policy can be rolled out.
Note: To change settings, refer to the following sections: Configuring WMI Data Sources
(Windows Devices) for Monitoring (see page 190) and Configuring Syslog Data Sources (Cisco
and *nix Devices) for Monitoring (see page 191).
The SIEM can automatically detect when a policy might need to be rolled out in certain
situations, such as adding or changing data sources. After the changes to the data source are
saved, a Rollout window might appear. Click OK to update the policy for the data source that
requires a change.
Some changes, such as updating rules and other policy changes, still require the policy to be
rolled out manually.
4. The full Rollout window appears. Any device that is flagged as requiring a roll out is marked
as Roll this policy out now. Select the Rollout policy to all devices now check box to
force every device to roll out.
5. Click OK to begin the roll out process. After the rollout is completed, the Rollout window
closes.
4.11 Batch Data Source Management
When it becomes necessary to add multiple devices, you may find that batch processing is more
efficient, for example during initial system setup or expansion, or when the user password used
for Windows Logs changes.
Note: Excel may convert the rec_id column to scientific notation format. This truncates the
number, causing errors when the file is imported into the SIEM. Before saving the file, format
the column as either text or a number with no decimal places.
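A truncated rec_id cannot be recovered from the spreadsheet once Excel has rounded it, so it pays to check the exported file before importing it. The following Python check is an added example, not code from the original guide or from the SIEM; the column name rec_id is taken from the note above, while the other columns and the sample rows are constructed for illustration.

```python
"""Pre-import check for a batch data source CSV whose rec_id column Excel may have mangled.

Added example; not part of the SIEM or of the original guide.
"""
import csv
import io
import re
from decimal import Decimal
from typing import List, Tuple

# Matches values such as 1.44115E+17 that Excel produces for wide integers.
SCIENTIFIC = re.compile(r"^[0-9]+(\.[0-9]+)?[eE][+-]?[0-9]+$")


def expanded_value(value: str) -> str:
    """What a scientific-notation value re-expands to: the trailing digits are gone."""
    return str(int(Decimal(value)))


def check_rec_ids(csv_text: str, column: str = "rec_id") -> List[Tuple[int, str, str]]:
    """Return (line number, value, problem) for every rec_id that is not a plain integer."""
    problems = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        value = (row.get(column) or "").strip()
        if value.isdigit():
            continue
        if SCIENTIFIC.match(value):
            problems.append((line_no, value,
                             f"scientific notation; would import as {expanded_value(value)}"))
        else:
            problems.append((line_no, value, "not a plain integer"))
    return problems


# Constructed sample export (not from the original page). Line 3 shows what an
# 18-digit rec_id looks like after Excel reformats it; line 4 is simply malformed.
SAMPLE_CSV = (
    "rec_id,name,ip_address\n"
    "144115188075855872,DCS-HIST-01,10.0.0.11\n"
    "1.44115E+17,DCS-HIST-02,10.0.0.12\n"
    "n/a,DCS-HIST-03,10.0.0.13\n"
)


def sample_problems() -> List[Tuple[int, str, str]]:
    """Run the check over the constructed export."""
    return check_rec_ids(SAMPLE_CSV)


if __name__ == "__main__":
    for line_no, value, problem in sample_problems():
        print(f"line {line_no}: {value!r}: {problem}")
```

If the check reports any scientific-notation value, re-export the file with the column formatted as text; the re-expanded number shown in the message is what the SIEM would otherwise receive, and it is not the original identifier.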
For additional information on this subject, refer to the User documentation on the OSC 2.1. The
9.1.2McAfeeESMIUserGuide.pdf is located in \NitroSecurity\InstallCDforCustomers.
4.12 Updating Rules and Software
SIEM rule updates can be retrieved automatically through the Web. However, Emerson
recommends using the QA-approved rule updates only. In most cases, OSC SIEM rule updates
should be applied manually.
The Manual Update option allows you to download rules without the ESM being connected to the
rule server.
1. Click the System node in the System Navigation tree and select Properties in the Actions
pane to access the System Information screen.
2. Click Rules and Software in the main page of System Information window. The Rules and
Software window opens.
3. Click the Manual Update button. The File Upload window appears.
4. Click the Browse button and select the rule file.
5. When you have selected the rule file to apply, click Upload in the File Upload window.
6. When the update process is completed, a Manual Update window appears stating that the
rule update was successful.
7. Click OK to close the window.
4.13 Views options
The Views option in the Options window allows you to specify settings for running views and
queries. It allows you to designate the frequency at which you want the views refreshed and
allows you to designate the view for the default system view, event summarize view, and flow
summarize view.
The Automatically Refresh Views option automatically refreshes the current view based upon the
designated frequency. To perform this function, use the following procedure:
1. Click the Automatically Refresh Views check box. Doing so activates the Refresh views
every xxxx minutes field.
2. Use the up and down arrows to select how often you want the views to be refreshed. You can
also highlight the field and type in the number of minutes you want the views to be refreshed.
3. Click OK to save your changes.
By default, the Default Summary view appears every time NitroView is opened. You have the
option of selecting a different view. To perform this function, use the following procedure:
This option allows you to select a view that appears every time you perform an Event Views drill-
down. To perform this function, use the following procedure:
Note: The use of Netflow or other flow data is currently not supported or recommended on the
Ovation DCS network.
4.14 Events, Flows, and Logs
The Show Devices button allows you to alter the auto-retrieval settings for all IPS, Receiver, and
DBM devices on this ESM. Use the following procedure:
1. Click the System node in the System Navigation tree and select Properties in the Actions
pane to access the System Information screen.
2. Click Events, Flows and Logs. The Events, Flows, and Logs window opens.
3. Click the Show Devices button. The Devices window opens.
4. You can individually set the Auto Events, Auto Flows, and Auto Logs settings on a per-
device basis by clicking the appropriate check box. You can also use the Select All and
Select None buttons to turn all the available settings On or Off.
5. Click OK to save your settings.
4.15 Inactivity Threshold settings
If this threshold is set, the system generates an alert when the device has been inactive for the
period of time designated. This alert displays as a yellow flag next to the device on the System
Navigation tree.
4.16 Managing Alarms
A Simple Mail Transfer Protocol (SMTP) or email server is not provided as part of an Ovation
system. If this notification method is preferred, contact Emerson’s SureService department to
discuss the optimal configuration for securely transmitting alarms outside the Ovation Security
Center Demilitarized Zone (OSC DMZ).
The ability to add an alarm is available to users with administrator privileges and any user
belonging to an access group with the Alarm Management privilege.
1. Select the System node on the System Navigation tree and click the Properties icon in the
Actions Toolbar.
The System Properties window appears.
2. Click Alarms on the System Properties window. All the existing alarms on the system
appear on the right pane of the window.
3. Click Add. The Alarm Settings window that shows the Summary, Condition, Actions, and
Escalation tabs appears.
4. Click the Summary tab and enter the name for the alarm in the Name field. Select the person
or group to whom this alarm is assigned from the Assignee drop-down list. This drop-down
contains the users and groups that have alarm management privileges. Select the severity of
the alarm, which determines the priority given to the notification it generates in the Alarm log.
The alarm is enabled by default. If you want to disable the alarm, clear the Enabled check
box.
5. Click Next or the Condition tab. Conditions are the triggers that cause an alarm to be
generated when a specified criterion is met. Select the type of condition from the Type
drop-down list. When you select the type, you are asked to provide further details of that
condition. The available condition types are as follows:
Deviation from Baseline: This condition allows you to specify a percentage threshold to
check above baseline and/or a different percentage below baseline.
The following settings need to be made when you select Deviation from Baseline:
- Select the type of data that you need to query in the Query field.
- Click the Filter icon and select the values to filter the data for this alarm.
- In the Time Frame field, select whether the SIEM queries the last or the previous period
of time, and enter the number and unit of time.
- In the Trigger when the value is section, select how far above and/or below the baseline
the deviation must be before an alarm is triggered.
- Select how often the system should check to see if this type of condition exists in the
Check Rate section.
Device Failure: This condition generates an alarm when the SIEM is unable to
communicate with one or more SIEM devices (not data sources).
The following settings need to be made when you select Device Failure:
- Select how often the system should check to see if this type of condition exists in the
Check Rate section.
- Because this condition can persist, set the Maximum Condition Trigger Frequency to
the minimum time to allow between notifications, so that a sustained condition does not
generate a large number of notifications.
Device Status Change: This condition generates a message any time any device
(including data sources) changes status.
The following settings need to be made when you select Device Status Change:
- Select the types of device status changes about which you want to be notified in
Health Monitor Status. For example, if you select only Critical, you are not notified
of a health monitor status change at the Warning level.
- Because this condition can persist, set the Maximum Condition Trigger Frequency to
the minimum time to allow between notifications, so that a sustained condition does not
flood you with notifications.
FIPS Failure: This condition generates an alarm when there is a FIPS failure. The OSC
SIEMs are not in FIPS mode, therefore, this does not apply.
Field Match: This condition generates an alarm when a selected SIEM field matches a
value.
The following settings need to be made when you select Field Match:
- Select the Use Watchlist check box if you have configured a Watchlist that contains
all of the values on which you want this alarm to notify you.
- If you do not select Use Watchlist, select the type of data that this alarm monitors
from the Field drop-down list.
- In the Value(s) field, enter the specific values of the type that you selected in the
Field drop-down list. For example, if you selected Source IP in the Field list, enter the
actual source IP addresses on which you want this alarm to trigger.
- Because this condition can persist, set the Maximum Condition Trigger Frequency to
the minimum time to allow between notifications, so that a sustained condition does not
flood you with notifications.
HA Failure: This generates an alarm when there is a failure in High Availability
Receivers. The OSC SIEMs do not use HA at this time; therefore, this does not apply.
Specified Event Rate: This generates an alarm if a set of criteria are met at a given
frequency.
The following settings need be made when you select Specified Event Rate:
- In the Event Count field under Event Rate, enter the number of events that must occur
before an alarm is generated.
- Click the Filter icon and select the values to filter the data for this alarm. Values
containing commas must be placed in a Watchlist to work properly.
- In the Time Frame field, select the amount of time within which that number of events
must occur for an alarm to be generated.
- In the Offset By field, select the amount of time by which the time frame is offset. The
rate data for an event includes a sharp increase at its end created by aggregation, and
the offset keeps that increase out of the measurement. For example, if the SIEM pulls
events every five minutes, the last one minute of the events retrieved contains the
aggregated events; offset the time frame by one minute so that the last minute is not
included. If you do not, the aggregated events are counted toward the event count,
causing false positives.
- Because this condition can persist, set the Maximum Condition Trigger Frequency to
the minimum time to allow between notifications, so that a sustained condition does not
flood you with notifications.
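The Specified Event Rate settings are the ones most often tuned by trial and error, so the following Python model shows how Event Count, Time Frame, Offset By and Maximum Condition Trigger Frequency interact. It is an added example, not code from the original guide or from the SIEM: the window arithmetic, the pull interval and the sample timestamps are assumptions constructed to reproduce the five-minute pull scenario described above.

```python
"""Model of the Specified Event Rate condition with Offset By and trigger throttling.

Added example; not part of the SIEM or of the original guide.
"""
from datetime import datetime, timedelta
from typing import Iterable, List, Optional


def count_in_window(event_times: Iterable[datetime], now: datetime,
                    time_frame_s: int, offset_s: int = 0) -> int:
    """Count events in [now - offset - time_frame, now - offset)."""
    end = now - timedelta(seconds=offset_s)
    start = end - timedelta(seconds=time_frame_s)
    return sum(1 for t in event_times if start <= t < end)


def event_rate_triggers(event_times: Iterable[datetime], now: datetime, event_count: int,
                        time_frame_s: int, offset_s: int = 0) -> bool:
    """Trigger when at least Event Count events fall inside the (offset) time frame."""
    return count_in_window(event_times, now, time_frame_s, offset_s) >= event_count


class TriggerThrottle:
    """Maximum Condition Trigger Frequency: suppress repeat notifications for a
    condition that keeps being true."""

    def __init__(self, min_gap_s: int):
        self.min_gap = timedelta(seconds=min_gap_s)
        self.last: Optional[datetime] = None

    def allow(self, when: datetime) -> bool:
        if self.last is None or when - self.last >= self.min_gap:
            self.last = when
            return True
        return False


# Constructed sample (not from the original page): one real event every 30 seconds for
# ten minutes, plus a burst of 15 aggregated events inside the last minute of a pull.
NOW = datetime(2012, 9, 1, 12, 0, 0)
REGULAR = [NOW - timedelta(seconds=30 * i) for i in range(1, 21)]
AGGREGATED = [NOW - timedelta(seconds=50) + timedelta(seconds=2 * k) for k in range(15)]
SAMPLE_TIMES = REGULAR + AGGREGATED


def alarm_without_offset() -> bool:
    """Event Count 25 in a 5 minute Time Frame, no Offset By: the burst is counted."""
    return event_rate_triggers(SAMPLE_TIMES, NOW, event_count=25, time_frame_s=300)


def alarm_with_offset() -> bool:
    """Same alarm with Offset By of one minute: the aggregated burst is excluded."""
    return event_rate_triggers(SAMPLE_TIMES, NOW, event_count=25,
                               time_frame_s=300, offset_s=60)


def throttle_demo() -> List[bool]:
    """Three triggers 0, 5 and 10 minutes apart with a 10 minute maximum frequency."""
    throttle = TriggerThrottle(min_gap_s=600)
    return [throttle.allow(NOW + timedelta(minutes=m)) for m in (0, 5, 10)]
```

With the constructed data the un-offset window contains 25 events (10 real plus 15 aggregated) and fires, while the offset window contains the 10 real events and stays quiet; the throttle then lets the first and third of three closely spaced triggers through and drops the middle one.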
6. Click Next or the Actions tab. Select the type(s) of action(s) to be taken when an alarm is
triggered by the condition you defined on the Condition tab. You can select more than one
action. The options are as follows:
Log event - This is selected by default. When this option is selected, an event is logged
on the ESM.
Visual alert - If you select this option, a message box appears at the bottom right of the
window when the alarm is triggered. When you select the Visual Alert check box, you can
also choose whether an audio file is played when the message appears. A list of the audio
files on the system is available; select the audio file that you want to associate with the
visual alert.
Create a case for - When you select this option, a case is created for the person or group
that you select from the drop-down list. The case displays the severity and associated
event, and the alarm event is added so that the user can trace the case back to its
source. The alarm summary is the name/summary of the case created. This feature
cannot be used when escalating an alarm.
Execute script - Provides the ability to execute a script on any device that accepts SSH
connections, which can in turn initiate actions in other software applications. When you
click the Setup button, the Execute Script Configuration dialog box appears. Complete the
Host, Port, Username, and Password fields. Because the SIEM stores these credentials and
uses them to run commands on that host, use an account limited to the script you intend to
run. To enter the command string, click the Insert Variable icon to select the desired
variables.
Update Watchlist - This option is only available if Field Match is selected as the condition
type. It allows you to modify Watchlists by adding or removing values based on the
information contained in up to 10-alarm triggering events. When you click the Manage
button in the Update Watchlist field, the Update Watchlist dialog box appears. You can
configure the following settings on that dialog box:
- Action - Select whether you want the value to be appended to or removed from the
Watchlist.
- Field - Select the field from which you want the data retrieved in the triggered alarm.
- Watchlist - Select the Watchlist to which you want to append or remove the data.
- Add New Watchlist - Allows you to add a new Watchlist to the system.
You can add up to five actions per alarm. To add more than one, click Add Action. To delete
an action, click Delete at the right of the action to be deleted. When a Watchlist is modified
as a result of these settings, the Actions tab of the triggered alarm displays as Added SrcIP
to "Bad IPs" Watchlist or Removed DestIP from "Clean IPs" Watchlist.
Send to Remedy – Emerson does not provide a Remedy system. This action is not used
at this time.
Send Message - If this option is selected, a text or email message is sent to the
recipient(s) that you select (syslog and SNMP do not appear as options). Perform the
following steps to choose the recipients:
- Click Add recipient. The Recipients dialog box appears.
- Select the Email, Email Groups, Users, or SMS item on the left-hand side of the
window.
- Select the check box(es) of the recipient(s) to whom you want this message to be
sent, or click Select All or Select None.
- Click OK. This dialog box also allows you to add, edit, or remove recipients. Refer to
the Recipients (see page 215) section for more details.
Generate reports, views, and queries - Select this action to generate a report, view, or
query. To perform this action, click the Add button. The Add Report editor opens. For
details regarding filling out the editor, start at Step 7 of the To add a Report (see page
194) section. When you click Save on the Add Report dialog box, the report type and
layout are added to the list of reports on the Actions tab.
7. Click Next or the Escalation tab. The Escalation window appears. You can make the
following settings on the Escalation window:
Select the Escalate after check box if you want to escalate the alarm if it is not
acknowledged within a specified period of time.
Select the number of hours and/or minutes after which the alarm should be escalated if it
is not acknowledged.
Select the person or group who should receive notification in the Escalated assignee
field.
Select the severity that this alarm should have when it has been escalated. Default is 50.
Select the action that should be taken when the alarm has been escalated. Refer to Step
6 for details regarding these options.
Note: You cannot use the Update Watchlist, Send to Remedy, or Create a Case actions on the
Escalation tab.
8. Click Finish. The name, condition, and status of the alarm are added to the table of alarms on
the Alarms dialog.
1. Select the System node on the System Navigation tree and click the Properties icon in the
Actions Toolbar.
The System Properties window appears.
2. Click the Alarms option on the System Properties menu.
The list of all the existing alarms in the system appears on the right pane of the window.
3. Select the alarm that needs to be changed.
4. Click Edit. The Alarm Settings dialog box appears that shows the current settings for this
alarm.
5. Make the desired changes to the settings (refer to the Create New Alarm (see page 207)
section).
6. Click Finish to save the changes.
Perform the following steps to copy an existing alarm and rename it:
1. Select the System node on the System Navigation tree and click the Properties icon in the
Actions Toolbar.
The System Properties window appears.
2. Click Alarms on the System Properties menu.
The list of all the existing alarms in the system appears on the right pane of the window.
3. Select the alarm that you want to copy.
4. Click Copy. The Alarm Name dialog box appears that shows the name of the current alarm
followed by _copy.
5. Make the desired changes to the name.
6. Click OK. The copied alarm is added to the list of existing alarms.
7. If you require changes to the settings, highlight the copied alarm and click Edit. The Alarm
Settings dialog box appears. You can then make the desired changes (refer to the Create
New Alarm (see page 207) section).
1. Select the System node on the System Navigation tree and click the Properties icon in the
Actions Toolbar.
The System Properties window appears.
2. Click Alarms on the System Properties menu.
The list of all the existing alarms in the system appears on the right pane of the window.
3. Select the alarm to be deleted.
4. Click Remove.
5. Click Yes on the confirmation message. The alarm is deleted. Any triggered alarms that
resulted from this alarm remain in the system. However, some of their data, such as the
alarm name, no longer appears.
4.17 Managing Watchlists
1. Click Watchlist on the System Properties menu. The Watchlists dialog box that lists the
existing Watchlists in the system appears on the right pane of the window.
GTI Malicious IPs and GTI Suspicious IPs are present on the list. However, they do not
contain data.
2. Click Add.
The Add Watchlist window appears.
3. Enter a name for the Watchlist in the Name field.
4. Select either the Static or Dynamic check box. A static Watchlist consists of values that you
specify; a dynamic Watchlist consists of values that result from a regular expression or string
search criteria that you define.
5. If you select Dynamic, perform the following steps:
a) Select the source against which the search should be run: the StringMap table or rules.
b) Enter the regular expression or string search criteria in the Search field. Searches are
case insensitive by default. To perform a case sensitive search, surround your search
string/regular expression with forward slashes (/). For example, /Exploit/.
c) Select the frequency with which the search should be performed. The existing values list
is replaced every time the search is run.
6. Select the type of data this Watchlist needs to watch for from the Type drop-down list.
7. Select the assignee for this Watchlist. Select All for a global Watchlist, a group for a group of
users, or an individual user's name.
Note: A user with administrator privileges can assign a Watchlist to anyone or any group on the
system. If you do not have administrator privileges, you can only assign Watchlists to yourself
and groups of which you are a member.
8. If you select Static in Step 4, add the values for the Watchlist in one of the following ways:
Click the Import button and select the file to be imported if you want to import a file of
values. This file must be in new-line-separated values format. The list of values is added
to the Values text box.
Type the values in the Values text box. Make sure to type only one value per line.
The maximum number of values is 10,000. If you import a file containing more than
10,000 lines, you are not allowed to create the Watchlist.
9. If you have selected Dynamic in Step 4 and you want to run the query now, click Run Now.
The results populate the Values box.
10. Click the Create Alarm button if you want to receive an alarm when an event is generated
that contains any of the values on the Watchlist. You are asked if you want to save it. Click
Yes to save it. The Alarm Settings dialog box appears.
Refer to the Alarms section for details regarding this dialog box.
11. When you click Finish on the Alarm Settings dialog box, you are returned to the dialog box
that lists the Watchlists on the system.
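The rules in the procedure above (new-line-separated static values with a 10,000 value limit, dynamic searches that are case insensitive unless wrapped in forward slashes, and values containing commas belonging in a Watchlist) also determine how the Field Match alarm condition in Managing Alarms behaves. The following Python model is an added example, not code from the original guide or from the SIEM; it assumes that a dynamic search matches anywhere in a rule name and that Field Match compares the whole field value, and the rule names, IP addresses and user name are constructed for illustration.

```python
"""Static and dynamic Watchlist handling, and Field Match against a Watchlist.

Added example; not part of the SIEM or of the original guide.
"""
import re
from typing import Dict, Iterable, List

MAX_VALUES = 10_000  # limit for a static Watchlist stated in the guide


def load_static_watchlist(text: str) -> List[str]:
    """Parse a new-line-separated values file, one value per line; refuse oversize files."""
    values = [line.strip() for line in text.splitlines() if line.strip()]
    if len(values) > MAX_VALUES:
        raise ValueError(f"{len(values)} values exceed the {MAX_VALUES} limit")
    return values


def compile_search(search: str) -> "re.Pattern":
    """Case insensitive by default; /.../ makes the expression case sensitive."""
    if len(search) > 2 and search.startswith("/") and search.endswith("/"):
        return re.compile(search[1:-1])
    return re.compile(search, re.IGNORECASE)


def dynamic_watchlist(source_strings: Iterable[str], search: str) -> List[str]:
    """Values produced by running the search against the source (here, rule names)."""
    pattern = compile_search(search)
    return [s for s in source_strings if pattern.search(s)]


def field_match(event: Dict[str, str], field: str, watchlist: Iterable[str]) -> bool:
    """Field Match condition: the event's field equals one of the Watchlist values."""
    return str(event.get(field, "")) in set(watchlist)


# Constructed sample data (not from the original page).
RULE_NAMES = [
    "Exploit Kit Landing Page",
    "web exploit attempt",
    "Brute force login",
    "EXPLOIT SMB overflow",
]
BAD_IPS_FILE = "161.122.15.13\n10.1.1.1\n\n192.0.2.7\n"  # blank line is ignored


def ci_rule_matches() -> List[str]:
    """Default search: matches every rule name containing 'exploit' in any case."""
    return dynamic_watchlist(RULE_NAMES, "exploit")


def cs_rule_matches() -> List[str]:
    """/Exploit/ search: only the rule name with that exact capitalisation."""
    return dynamic_watchlist(RULE_NAMES, "/Exploit/")


def comma_value_matches() -> bool:
    """A value with a comma works as a Watchlist entry, where a typed filter would not."""
    watchlist = load_static_watchlist("Smith, John\nDoe, Jane\n")
    return field_match({"user": "Smith, John"}, "user", watchlist)


def oversize_rejected() -> bool:
    """A file with more than 10,000 lines must not create a Watchlist."""
    text = "\n".join(str(i) for i in range(MAX_VALUES + 1))
    try:
        load_static_watchlist(text)
    except ValueError:
        return True
    return False
```

The case-sensitivity toggle is the detail most worth testing: a dynamic Watchlist built from the search exploit picks up three of the four constructed rule names, while /Exploit/ picks up only one, so the same alarm fires on very different sets of events depending on two slash characters.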
If you have administrator privileges, you can edit any Watchlist. If you do not have
administrator privileges, you can edit only Watchlists on which you are an assignee.
1. Click Watchlist on the System Properties menu. The Watchlists dialog box that lists the
existing Watchlists in the system appears on the right pane of the window.
2. Click the Watchlist that needs to be edited.
3. Click Edit.
4. The Watchlist window appears that allows you to change the settings. Refer to the To add a
Watchlist (see page 212) section for details.
Alarm and filter values that contain commas must be the part of a Watchlist to work properly. You
can edit, delete, or append values to an existing Watchlist.
If you have administrator privileges, you can delete any Watchlist. If you do not have
administrator privileges, you can delete only Watchlists on which you are an assignee.
1. Click Watchlist on the System Properties menu. The Watchlists dialog box that lists the
existing Watchlists in the system appears on the right pane of the window.
2. Click the Watchlist that needs to be deleted.
3. Click Remove and then click Yes on the confirmation message. The Watchlist is deleted.
1. Click Watchlist on the System Properties menu. The Watchlists dialog box that lists the
existing Watchlists in the system appears on the right pane of the window.
GTI Malicious IPs and GTI Suspicious IPs are present on the list. However, they do not
contain data.
2. Click Add.
The Add Watchlist window appears.
OSC_003 213
4.17 Managing Watchlists
Note: A user with administrator privileges can assign a Watchlist to anyone or any group on the
system. If you do not have administrator privileges, you can only assign Watchlists to yourself
and groups of which you are a member.
8. If you select Static in Step 4, add the values for the Watchlist in one of the following ways:
Click the Import button and select the file to be imported if you want to import a file of
values. This file must be in new-line-separated values format. The list of values are added
to the Values text box.
Type the values in the Values text box. Make sure to type only one value per line.
The maximum number of values is 10,000. If you import a file containing more than
10,000 lines, you are not allowed to create the Watchlist.
9. If you have selected Dynamic in Step 4 and you want to run the query now, click Run Now.
The results populate the Values box.
10. Click the Create Alarm button if you want to receive an alarm when an event is generated
that contains any of the values on the Watchlist. You are asked if you want to save it. Click
Yes to save it. The Alarm Settings dialog box appears.
Refer to the Alarms section for details regarding this dialog box.
11. When you click Finish on the Alarm Settings dialog box, you are returned to the dialog box
that lists the Watchlists on the system.
If you have administrator privileges, you can edit any Watchlist. If you do not have
administrator privileges, you can edit only the Watchlists on which you are an assignee.
1. Click Watchlist on the System Properties menu. The Watchlists dialog box that lists the
existing Watchlists in the system appears on the right pane of the window.
2. Click the Watchlist that needs to be edited.
3. Click Edit.
The Watchlist window appears, allowing you to change the settings. Refer to the To add a
Watchlist (see page 212) section for details.
4.18 Managing Recipients
To access the recipients configuration
The following are the three ways to access the Recipients window:
1. Click Local ESM on the main SIEM screen. Click Properties. The System Properties window
appears. Select Email Setting in the left pane of the window. Click Configure Recipients in
the right pane of the window. The Recipients window appears.
2. Click Local ESM on the main SIEM screen. Click Properties. The System Properties window
appears. Select Alarms in the left pane of the window. Click Recipients in the right pane of
the window. The Recipients window appears.
3. Click Local ESM on the main SIEM screen. Click Properties. The System Properties window
appears. Select Reports in the left pane of the window. Click Recipients in the right pane of
the window. The Recipients window appears.
To add an email address
1. Click Add on the Recipients window (See the To access the recipients configuration (see
page 215) section).
The Add Email Recipient dialog box appears.
2. Enter the desired email address.
3. Click OK.
The email address is added to the Email Recipients list and the Add Email Recipient dialog
box closes.
1. Click the email address to be modified on the Recipients window (See the To access the
recipients configuration (see page 215) section).
2. Click Edit.
The Edit Email Recipient window appears.
3. Make the necessary modifications to the address.
4. Click OK to save the changes and close the Edit Email Recipient window.
1. Highlight the address(es) you want to remove on the Email Recipients list.
2. Click the Remove button.
A Remove Email Recipient message appears.
3. Click Yes to proceed with the removal or No to cancel the removal.
The Email Group option on the Recipients window allows you to group email addresses. This is
useful when the same set of people receives mail several times a week. By including more than
one email address in an email group, you can send mail messages to all members of the group
by selecting the group as the recipient instead of selecting each email address individually.
1. Click the Email Groups option on the Recipients window (see the To access the recipients
configuration (see page 215) section).
2. Click Add.
The Add Email Recipient Group dialog box appears.
3. Type in the name of the new group in the Email Group Name field.
4. Select the email addresses you want to include in the group. You can also use the Select All
and Select None buttons to select all or none of the email addresses. If you need to add email
addresses to the system, refer to the To add an email address (see page 215) section.
5. Click OK to save your settings. The new group is added to the list of the Email Recipient
Groups on the Recipients window.
1. Click the group you want to modify on the Email Groups screen of the Recipients window (see
the To access the recipients configuration (see page 215) section).
2. Click Edit.
The Edit Email Recipient Group dialog box appears.
3. Make the necessary changes.
4. Click OK to save your changes.
1. Click the group(s) you wish to remove on the Email Groups screen of the Recipients window
(see the To access the recipients configuration (see page 215) section).
2. Click Remove.
A message for the removal confirmation appears.
The SIEM can also send SMS (text) messages, addressed through a carrier's email-to-SMS gateway.
To add an SMS address
1. Click SMS on the Recipients window (see the To access the recipients configuration (see
page 215) section). The SMS Recipients dialog box that lists all the SMS addresses currently
on the system appears.
2. Click Add.
The Add SMS Recipient dialog box appears.
3. Enter the SMS address to add to the system: the recipient's 10-digit phone number at the
carrier's gateway domain.
The following are examples for the more common US carriers:
Alltel
[10-digit phone number]@message.alltel.com
Example: 1234567890@message.alltel.com
AT&T (formerly Cingular)
[10-digit phone number]@txt.att.net
[10-digit phone number]@mms.att.net (MMS)
[10-digit phone number]@cingularme.com
Example: 1234567890@txt.att.net
Boost Mobile
[10-digit phone number]@myboostmobile.com
Example: 1234567890@myboostmobile.com
Nextel (now Sprint Nextel)
[10-digit phone number]@messaging.nextel.com
Example: 1234567890@messaging.nextel.com
Sprint PCS (now Sprint Nextel)
[10-digit phone number]@messaging.sprintpcs.com
[10-digit phone number]@pm.sprint.com (MMS)
Example: 1234567890@messaging.sprintpcs.com
T-Mobile
[10-digit phone number]@tmomail.net
Example: 1234567890@tmomail.net
US Cellular
[10-digit phone number]@email.uscc.net (SMS)
[10-digit phone number]@mms.uscc.net (MMS)
Example: 1234567890@email.uscc.net
Verizon
[10-digit phone number]@vtext.com
[10-digit phone number]@vzwpix.com (MMS)
Example: 1234567890@vtext.com
Virgin Mobile USA
[10-digit phone number]@vmobl.com
Example: 1234567890@vmobl.com
Refer to http://www.makeuseof.com/tag/email-to-sms/ for further provider formats. Carrier
gateway domains change over time, so confirm the current address with the carrier and send a
test alarm before relying on it.
4. Click OK. The address is added to the list of SMS recipients.
1. Click SMS on the Recipients window (see the To access the recipients configuration (see
page 215) section). The SMS Recipients dialog box that lists all of the SMS addresses
currently on the system appears.
2. Click Edit.
3. Configure the necessary changes. Refer to the To add an SMS address (see page 217)
section for more details.
4. Click OK to accept the changes.
1. Click SMS on the Recipients window (See the To access the recipients configuration (see
page 215) section). The SMS Recipients dialog box that lists all of the SMS addresses
currently on the system appears.
2. Click Remove.
A message for the removal confirmation appears.
3. Click Yes to proceed with the removal or No to cancel the removal.
The SIEM can send reports through the SNMPv1 protocol. SNMP uses User Datagram Protocol
(UDP) as the transport protocol for passing data between managers and agents. In a typical
SNMP setup, an agent such as the SIEM notifies an SNMP manager (usually referred to as a
Network Management Station (NMS)) of events using packets of data known as traps. This can
be useful when a system administrator wants to receive event reports from the SIEM in the same
way notifications are received from other agents in the network.
Due to size limitations of the SNMP trap packets, each line of the report is sent in a separate trap.
SNMPv1 has no authentication or encryption beyond the community string, which travels in
clear text, so send traps only to an NMS on a trusted management network such as the OSC
network.
To add an SNMP recipient
1. Select SNMP on the Recipients window (See the To access the recipients configuration (see
page 215) section). The SNMP Recipients list appears.
2. Click Add.
The Add SNMP Recipient dialog box appears.
3. Enter the correct values for the following fields to direct the packet to its destination and
provide information useful to system administrators using SNMP:
Host IP - The IP address of the machine to which the trap is sent.
Port - The UDP port on which the SNMP trap is to be received (162 is the standard trap port).
Community - The SNMP trap's community string.
Trap Type - The specific trap type. The generic trap type is always set to 6
(enterpriseSpecific).
Enterprise OID - The full enterprise OID for the trap to be sent: everything in the trap's
OID from the first 1 to the enterprise number, including any sub-trees within the
enterprise.
Verbosity - When Include Informative Data Bindings is selected, the trap contains
variable bindings with extra information, including the line number of the report being
processed, a 'McAfee' string identifying the source of the trap, and the ID of the ESM
sending the trap. When Include report data only is selected, these extra variable
bindings are not included in the trap.
Formatting - Each SNMP trap generated from a report contains one line of data from that
report. When you select Send each report line as is, the data from the report line is sent
as is in a single variable binding, with the data binding OIDs being constructed by
concatenating the Enterprise OID, the specific trap type, and an auto-incrementing
number beginning at 1. When Parse results and use these binding OIDs is selected,
the report line is parsed and each field is sent in a separate data binding. Selecting this
option allows you to specify custom data binding OIDs. If you do not specify enough
binding OIDs for all the data fields in the report, the ESM continues incrementing from the
last OID specified in the list.
After the values are added, click Add. The Binding OID dialog box appears.
4. Enter the binding OID value and click OK. The binding OID number appears on the Binding
OID list.
5. Click OK. The SNMP recipient is added to the SNMP Recipients list.
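The Trap Type, Enterprise OID, Verbosity and Formatting fields above fully determine what arrives at the NMS, so it helps to see the packet they produce. The following is an added example in Python, not code from Emerson or McAfee: it derives the data binding OIDs the way the Formatting option describes (including the fallback when fewer custom OIDs are given than there are fields) and BER-encodes each report line as a complete SNMPv1 Trap-PDU per RFC 1157, which send_trap() can deliver to a test NMS on UDP 162 or which can be inspected in Wireshark. The enterprise OID 1.3.6.1.4.1.99999, specific trap type 7, agent address 192.0.2.10, ESM ID and report lines are invented; splitting parsed fields on commas and the OIDs chosen for the three informative bindings are this example's assumptions, not the product's documented values.

```python
import socket


def ber_len(n):
    """BER length octets: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value, tag=0x02):
    """Non-negative INTEGER (0x02) or, with tag=0x43, TimeTicks."""
    if value < 0:
        raise ValueError("negative values are not needed for trap fields")
    return tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def ber_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))


def binding_oids(enterprise_oid, specific_type, field_count, custom_oids=()):
    """OIDs for the data bindings of one trap, following the Formatting options:
    with no custom OIDs, <enterprise>.<specific>.1, .2, ...; with custom OIDs,
    those in order, continuing from the last one when the list is too short
    (incrementing its final arc is this example's reading of 'incrementing
    from the last OID specified')."""
    oids = list(custom_oids)[:field_count]
    if not oids:
        return [f"{enterprise_oid}.{specific_type}.{i}" for i in range(1, field_count + 1)]
    while len(oids) < field_count:
        head, _, last = oids[-1].rpartition(".")
        oids.append(f"{head}.{int(last) + 1}")
    return oids


def build_trap(community, enterprise_oid, agent_ip, specific_type, bindings, uptime_ticks=0):
    """Encode one SNMPv1 Trap-PDU (RFC 1157). bindings: (oid, str|int) pairs."""
    varbinds = b"".join(
        tlv(0x30, ber_oid(oid) + (ber_int(v) if isinstance(v, int) else tlv(0x04, v.encode())))
        for oid, v in bindings)
    pdu = (ber_oid(enterprise_oid)
           + tlv(0x40, socket.inet_aton(agent_ip))  # agent-addr (IpAddress)
           + ber_int(6)                              # generic-trap: 6 = enterpriseSpecific
           + ber_int(specific_type)                  # specific-trap: the Trap Type field
           + ber_int(uptime_ticks, tag=0x43)         # time-stamp (TimeTicks)
           + tlv(0x30, varbinds))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + tlv(0xA4, pdu))


def report_traps(report_lines, enterprise_oid, specific_type, esm_id, community="public",
                 agent_ip="192.0.2.10", parse=False, custom_oids=(), informative=True):
    """One trap per report line. parse=False sends the whole line in one binding
    ('Send each report line as is'); parse=True splits on commas (assumed
    separator). informative=True adds line number, 'McAfee' and the ESM ID
    under an assumed <enterprise>.<specific>.100 sub-tree."""
    packets = []
    for lineno, line in enumerate(report_lines, start=1):
        fields = line.split(",") if parse else [line]
        oids = binding_oids(enterprise_oid, specific_type, len(fields), custom_oids)
        bindings = list(zip(oids, fields))
        if informative:
            info = f"{enterprise_oid}.{specific_type}.100"
            bindings += [(f"{info}.1", lineno), (f"{info}.2", "McAfee"), (f"{info}.3", esm_id)]
        packets.append(build_trap(community, enterprise_oid, agent_ip, specific_type, bindings))
    return packets


def send_trap(packet, host, port=162):
    """SNMPv1 is plaintext UDP; only send to an NMS on the trusted management network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(packet, (host, port))
```

Each packet is one report line, so a long line with the informative bindings switched on can push the message past the single-byte BER length form; the encoder handles that, but it is the size limitation the text above refers to when it says each line goes in a separate trap.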
1. Click on the recipient you want to modify on the Recipients > SNMP Recipients window (see
the To access the recipients configuration (see page 215) section).
2. Click Edit.
The Edit SNMP Recipient dialog box appears.
3. Make the necessary changes (see the To add an SNMP recipient (see page 218) section for
details).
4. Click OK to save your changes.
1. Click on the SNMP recipient(s) you want to remove on the Recipients > SNMP Recipients
window (see the To access the recipients configuration (see page 215) section).
2. Click Remove.
A message for the removal confirmation appears.
3. Click Yes to proceed with the removal or No to cancel the removal.
Syslog is a standard for forwarding log messages in an IP network. The reports generated by the
SIEM can be sent using syslog. They are sent one line per syslog message, with the data of each
line of the query results arranged in comma-separated fields. Syslog messages are sent in clear
text, so the recipient should be reachable only over the trusted management network.
1. Click the Syslog option on the System Properties > Reports > Recipients window. The list
of the syslog recipients appears.
2. Click Add.
The Add Syslog Recipient window appears.
3. Enter the recipient’s host IP and the port.
4. Click the down arrows to specify the facility and the severity.
5. Click OK to add the information to the syslog recipient list.
1. Click the Syslog option on the System Properties > Reports > Recipients window. The list
of the syslog recipients appears.
2. Click Edit.
The Edit Syslog Recipient window appears.
3. Modify the required information.
4. Click OK to update the information to the syslog recipient list.
1. Click the syslog recipient(s) you want to remove on the System Properties > Reports >
Recipients window.
2. Click Remove.
The Remove Syslog Recipient message appears.
3. Click Yes to proceed with the removal or No to cancel the removal.
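When a report's syslog output is consumed by something other than the SIEM (a central log collector or a script), the receiver has to decode the priority value and split the comma-separated fields correctly when a field itself contains a comma. The following is an added example in Python, not code from Emerson or McAfee: it frames one report line as an RFC 3164 message with PRI = facility * 8 + severity, which is how the facility and severity chosen in step 4 are combined on the wire, and parses it back into fields. The host name, tag, timestamp and report line are constructed values, and because this page does not show the exact header the ESM emits, the header layout is an assumption.

```python
import csv
import io
import re
import socket

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
            **{f"local{i}": 16 + i for i in range(8)}}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}

# <PRI>Mmm dd hh:mm:ss host tag: message (assumed layout, see lead-in)
_HEADER = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")


def frame(facility, severity, hostname, tag, report_line, timestamp="Sep 14 10:22:01"):
    """Build one syslog message carrying one comma-separated report line."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    return f"<{pri}>{timestamp} {hostname} {tag}: {report_line}"


def parse(message):
    """Decode a message built by frame(): PRI back to facility and severity, and
    the report line into fields via csv so a quoted field may contain commas."""
    m = _HEADER.match(message)
    if not m:
        raise ValueError("not an RFC 3164 style syslog message")
    pri = int(m.group(1))
    if pri > 191:                     # 23 facilities * 8 + 7 is the maximum
        raise ValueError(f"PRI {pri} out of range")
    fields = next(csv.reader(io.StringIO(m.group(5))))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4), "fields": fields}


def send(message, host, port=514):
    """Plain UDP syslog is unauthenticated and unencrypted; keep the path to the
    recipient inside the trusted management network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode(), (host, port))


# Constructed report line; the third field contains a comma and is quoted.
SAMPLE_LINE = '2012-09-14 10:21:55,192.168.2.20,"Modbus write, register 40001",1'

if __name__ == "__main__":
    print(parse(frame("local4", "notice", "esm01", "ESMReport", SAMPLE_LINE)))
```

Splitting on a bare comma would break the quoted third field into two; the csv module is the cheap way to avoid that class of parsing error in whatever consumes the feed.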
4.19 Managing Conditions
1. Click the Conditions button that is located at the bottom of the System Properties >
Reports window or on the Edit conditions section of the Add Report window.
The Conditions dialog box appears.
2. Click Add.
The Add Condition window appears.
3. Type in a name for the condition.
4. Select the condition type from the Type drop-down list.
The options are:
Daily at Specified Time - Same time on a daily basis.
Every So Many Minutes - Every number of minutes specified.
Hourly at Specified Minute - Once an hour at the specified minute.
Weekly at Specified Time - Same time on a weekly basis.
Monthly at Specified Day/Time - Same time on a monthly basis.
Yearly at Specified Month/Day/Time - Same time on a yearly basis.
5. Specify the trigger time properties of the condition in the Properties section. These property
options change based on the condition type selected.
6. Click OK to save the changes and the new condition appears on the Conditions window.
1. Select the specific condition to be modified from the list of conditions on the System
Properties > Reports > Conditions window.
2. Click Edit.
The Edit Condition window appears.
3. Make the required modifications to the settings.
4. Click OK to save the changes.
1. Select one or more conditions on the System Properties > Reports > Conditions window.
2. Click Remove.
4.20 Network intrusion detection installation
Intrusion prevention - An active prevention mode. The NID watches for malicious traffic,
reports its findings to the SIEM, and stops traffic from moving through the NID depending on the
action configured for that specific event. Traffic is matched against rules in the NID, and each
rule can be configured independently: some rules can be set to alert only and not block (much
like intrusion detection), while others can be set to alert and block. As described under
Mirroring Traffic versus Inline (see page 226), intrusion prevention mode is supported only with
the inline configuration.
The recommended use is intrusion detection, which limits the possibility of a false positive
interrupting the operation of the Ovation system. Detection also allows mirrored connections,
which consume fewer monitoring ports (see Mirroring Traffic versus Inline (see page 226)). If
intrusion prevention is a consideration at a later point, consider running the NID inline but in
intrusion detection mode. Switching to intrusion prevention mode would then not require the
cabling to be changed.
One of the first considerations when using the NID is what traffic to monitor.
The NID can monitor traffic at the perimeter of a network to see data flow, in and out. In Ovation,
this would be any FieldLAN or PlantLAN interface. Two examples are shown below and the pros
and cons are explained for each. This is not all inclusive. Other configurations may be generated
depending on security needs at each specific system.
The NID has a number of IP-less monitor ports, depending on the model selected, that will have
traffic sent to (or through) it. Those connections will be shown as dashed lines in the following
figures. The NID has a management port with an IP address that connects to the OSC network so
the SIEM can manage the NID as well as receive events from it.
Example 1
The first example is configured to monitor traffic on the inside (or the Ovation facing-side) of the
Ovation network equipment. The Ovation network equipment has an Access Control List (ACL)
built-in to only allow certain traffic through. The Access Control List is similar to a whitelist and
controls what traffic has access to the network.
Therefore, the only traffic that the NID would then see is traffic that made it past the ACLs from
the outside of Ovation coming in and any traffic from inside Ovation heading out. Assuming the
outside is less secure, the amount of malicious traffic the NID would see in this configuration
would be lower than watching the outside due to ACLs blocking traffic. This results in less event
data being reported to the SIEM so reports would be easier to read. It will not show all the
malicious traffic that is targeting the Ovation system from the outside that may indicate a
potentially growing problem.
Example 2
The second example is configured to monitor traffic on the outside (or the outside facing side) of
the Ovation network equipment. This configuration monitors all traffic coming into the Ovation
network equipment before any ACLs are applied and before any Ovation-side traffic that passed
through the ACLs of the network equipment. If there is an attack from an outside network, the NID
reports this traffic as targeting the Ovation network. This does not necessarily mean this traffic is
making it to Ovation due to ACLs in the network equipment. This can increase the amount of data
sent to the SIEM to review but provides a more accurate picture of what is targeting the Ovation
system.
Mirroring Traffic versus Inline
Note: Each NID can only support one method at a time. If one connection uses the mirrored
approach, then all connections must use the mirrored approach. The same applies for Inline
mode. Mixing is not allowed.
Mirroring traffic
Mirroring traffic involves configuring network equipment to mirror or copy traffic from one port of
the switch or router to another port. This mirrored port is then plugged into the NID. The benefit
here is the ability to aggregate traffic to lower the number of ports consumed on the NID.
In the cases above, only one port on the NID would be required for each dashed line. Since this
traffic is mirrored, the NID cannot interfere with the flow of traffic.
After you determine what traffic the NID monitors, you need to consider what limitations are there
in mirroring traffic and how many ports are consumed on both Ovation network equipment and the
NID. This helps you to determine the size and number of the NIDs to be placed in a system.
Only traffic on an HWIC switch module can be mirrored. Ovation routers cannot mirror traffic from
or to a routed interface. This applies to the following ports:
Inline
The NID can also be placed inline on a network connection. Instead of mirroring traffic from
network equipment, the NID is inserted into the connection itself, so this configuration requires
no changes in the network equipment. This can be useful if the network equipment cannot
support mirroring, such as in the case of routed interfaces or a lack of available ports.
Because the connection is inline, two ports are consumed on the NID per connection. One port
on the NID is required for one side of the connection, and another is required for the other side of
the connection. The NID then sits in between the network devices.
Note: When the NID is inline, if the NID loses power or loads certain rule changes, a loss of
traffic may be noticed for a few seconds before recovering. This occurs until the NIC is enabled on
Startup/Shutdown.
The cabling is specific for each configuration; refer to the following cabling sections:
Management interface cabling (see page 227).
Mirrored traffic cabling (see page 227).
Inline cabling (see page 228).
Management interface cabling
The management interface is like a normal PC connection. One straight through cable is required
to tie into network equipment that has a network path to the SIEM. The standard is to
place it in the OSC network. If distance is an issue, the NID's management interface may be tied
into an Ovation switch in an IP traffic port.
Mirrored traffic cabling
The NID requires mirrored traffic to be sent to it on a separate connection. This connection only
requires a straight through Ethernet cable from the mirrored port to the NID. Although any port
can be used, start with the right-most port and move left as more ports are required. The trusted
and untrusted labels on the ports can be disregarded; they apply only to inline mode.
Inline cabling
To cable an NID inline without interrupting traffic, cable it as if the NID itself were a crossover
cable.
If a connection without an NID requires a straight through cable, then one of the cables to the NID
must be straight through and the other must be a cross over. The order does
not matter; either side can be the cross over or the straight through cable.
Straight through + NID (cross over) + cross over = straight through
If a connection without an NID requires a cross over cable, then both of the cables to the NID
would have to be cross over cables.
Cross over + NID (cross over) + cross over = cross over
Looking at the back of the NID, the monitoring NICs are paired for inline mode. Starting from the
far right, the first port in the pair is untrusted. Next to it is the trusted port of the connection. Tie
the untrusted port into the network device on the side of the network that is not the side you are
trying to protect. In this case, this would be the non-Ovation side. The Ovation side of the
connection would go into the trusted port. Then, the next pair would be for another connection
point, and so forth.
1. Supply power to both power supplies on the back of the NID. Otherwise, an alarm will sound.
2. If the device does not power on automatically, press and hold the green check button on the
front panel of the IDS until the device powers on.
3. Wait for the device to load. The front LCD should read McAfee twice.
4. Click the red X button on the front of the IDS and wait for the menu to load.
5. Select IPS Info using the up and down arrows. Click the green check button.
6. Use the right arrow to scroll through the items until you find the software version. It should go
in this order:
a) McafeeSecurity
b) IDS Model Number (like IPS 1225)
c) Machine ID (like ABCD:1234)
d) Software Version (like 9.0.2 20120417134359a)
e) Serial Number (like 1234-5678910)
7. Ensure the software version is 9.1.2 20120822162535. Otherwise, contact Emerson for
assistance.
8. Click the red X button on the front of the IDS and wait for the menu to load.
9. Click the down arrow button and go to the MGT IP Conf menu item on the LCD. Press the
green check button.
10. After the menu loads, select Mgt1 using the up and down arrows.
11. Click the green check button to select it.
12. The menu will load and the Active menu item will appear. If there is not a check next to the
menu item, click the green check button to check it.
13. Use the down arrow button to select IP Address menu item.
14. Click the green check button.
15. Set the desired IP address by using the up and down arrows to change the value of the
current digit and use the left and right arrow buttons to switch between digits.
16. After the desired IP address is set, click the green check button.
17. Use the down arrow key to select the Netmask menu item. Click the green check button.
18. Set the desired netmask in the same way the IP address was set (see steps 15 and 16).
19. Use the down arrow key to select the Done menu item.
20. Click the green check button.
21. Click the down arrow key to select the Gateway menu item.
22. Click the green check button.
23. Set the desired gateway address in the same way the IP address was set (see steps 15 and 16).
24. Click the green check button to accept this address.
25. Use the down arrow key to select the Done menu item.
26. Click the green check button.
27. Use the down arrow key to select the Save Changes menu item.
28. Click the green check button to save the changes.
1. Select the system or group to which you wish to add the device in the System Navigation
Tree on the SIEM main screen.
6. Click Next. The third dialog box of the Add Device Wizard opens.
7. Enter a target IP address or URL in the Target IP Address or URL field. Enter the target SSH
port number. Ensure that it is valid to be used with the specified IP address. The default port
is 22.
8. Click Next. The fourth dialog box of the Add Device Wizard opens.
9. Click Key Device. The fifth dialog box of the Add Device Wizard opens.
12. After an NID is added, the variables passed to the NID must be checked and modified as
needed, and then rolled out to the device. Refer to Variables for further details.
1. Click the NID you want to configure from the SIEM main screen.
2. Click the Properties icon. The NID Properties window appears.
This section describes how to turn On and Off Alerts Only Mode. This is only useful when using
an inline configuration. The following applies to Alerts Only Mode:
The other setting to note in this section is Over-subscription mode. Over-subscription mode
defines what the NID does when more traffic passes through it than it can inspect. This can
happen from time to time even under a proper configuration, or continuously if the NID is
configured to watch more traffic than it should.
Note: The top bar in the window shows where you are in the system's policy. Default Policy is
the highest level, which all downstream devices can inherit from. Clicking the arrow next to
Default Policy reveals a pull-down menu to drill down to a specific device's policy. At this point,
keep it on Default Policy.
3. Click the Settings button on the left hand-side of the top bar.
6. To change the Oversubscription Mode, click Update. The Modify Variable window appears.
7. In the value field, enter drop to have the NID drop the packets it cannot inspect during
over-subscription, or pass to let them through uninspected. In inline mode, drop fails closed
(Ovation traffic may be interrupted, but nothing passes uninspected), while pass fails open
(traffic keeps flowing, but the excess is not inspected); choose according to which failure the
system can tolerate.
8. Once set, click OK to close the Modify Variable window.
9. Click OK to accept the changes and close the Settings window.
10. Roll out the policy. Refer to the SIEM manual on rolling out policy.
4.20.11 MODBUS_CLIENT
For a system using MODBUS protocol in its environment, the MODBUS_CLIENT variable is used to
define what IP addresses take part in that communication. This variable defines the client side of
the communication. It should be defined in a similar way to HOME_NET.
For example:
[192.168.150.45/32] for a single client.
[192.168.150.45/32,192.168.150.60/32] for multiple single clients.
[192.168.150.0/24] for a range of clients.
The NID works by using rules to check for certain conditions, much like an antivirus. One way to
make rule definitions more generic is to use variables to define items like IP addresses and ports.
A change to a variable then changes a whole set of rules. Variables are referenced throughout the
system by putting a $ symbol in front of the variable name; for example, a variable called
HOME_NET is referenced as $HOME_NET. Improperly set variables can result in false positives
and poor overall NID tuning. Variables can be defined either at the System level, so all NIDs use
the same ones, or per NID where necessary. This manual describes modifying the variables at the
System level.
To access a variable list through the policy manager
Perform the following steps to access the variable list through the policy manager:
Note: The top bar in the window shows where you are in the system’s policy. Default Policy is
the highest level which all downstream devices can inherit from. Clicking the arrow next to
Default Policy displays a pull down menu that allows you to navigate to a specific device’s
policy. At this point, keep it on Default Policy.
3. Click Variable under Rule Types. The main window now shows all the variables for the
Default Policy.
4. From here, variables can be added, deleted, or modified. This document focuses mainly on
modifying variables. The McAfee manual provided on the OSC 2.1 SIEM Disc 1 provides
additional information about variables.
1. Locate the variable that you want to edit from the Policy Editor window (see To access a
variable list through the policy manager (see page 238)).
The following example illustrates HOME_NET (see Useful variables for Ovation (see page
241)). Our example system has an Ovation address of 192.168.2.0/23 and a DMZ
aggregation subnet address of 192.168.160.0/24.
3. Enter the value in the proper format in the Value text box. In this example, network segments
are comma separated and enclosed in [ ] brackets. The Description box describes the syntax.
4. Click OK to accept the changes. This closes the Modify Variable window.
5. Modify other variables as needed.
6. After all variable changes are made, the policy must be rolled out for the changes to take
effect. Refer to the instructions in the SIEM User manual on rolling out policy.
Useful variables for Ovation
The following list is not all inclusive. However, it lists some of the more important variables when
using Ovation software.
HOME_NET and EXTERNAL_NET
The HOME_NET variable defines the network segments that are protected. In the case of Ovation
systems, this would be the Ovation network and any third NIC aggregation subnets. The variable
EXTERNAL_NET is the other side. It refers to network addresses that are considered not trusted.
By default, this variable is defined as !$HOME_NET. The ! means logical not; therefore, by
default EXTERNAL_NET is any address not defined by HOME_NET. This value can be set to
specific ranges or left as !$HOME_NET.
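The same bracketed-list syntax is used for HOME_NET and for the protocol client and server variables that follow, and as noted above a mis-set variable shows up as false positives or missed events only after the policy has been rolled out. The following is an added example in Python, not code from Emerson or McAfee: a resolver for that syntax (comma-separated CIDR blocks in [ ] brackets, $NAME references and ! negation) that reports which variables a given address falls into, plus a lint that catches a network written with host bits set. HOME_NET uses the worked example from this section (192.168.2.0/23 and 192.168.160.0/24); the Modbus addresses are invented, and negating a reference that mixes included and excluded ranges is not handled.

```python
import ipaddress


def _tokens(value):
    """Strip one level of [ ] and split on commas; nested lists are not needed
    for the variables described in this section."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [t.strip() for t in value.split(",") if t.strip()]


def resolve(name, variables, _seen=()):
    """Return (include, exclude) network lists for an address variable,
    following $references and honouring the ! prefix. Negating a reference
    swaps its include and exclude lists, which is exact when the reference is
    a pure list (HOME_NET) or a pure negation (!$HOME_NET)."""
    if name in _seen:
        raise ValueError(f"circular reference through ${name}")
    if name not in variables:
        raise KeyError(f"${name} is referenced but not defined")
    include, exclude = [], []
    for tok in _tokens(variables[name]):
        negate = tok.startswith("!")
        tok = tok.lstrip("!")
        if tok.startswith("$"):
            inc, exc = resolve(tok[1:], variables, _seen + (name,))
            if negate:
                inc, exc = exc, inc
            include += inc
            exclude += exc
        else:
            net = ipaddress.ip_network(tok, strict=False)
            (exclude if negate else include).append(net)
    return include, exclude


def matches(ip, name, variables):
    """True if ip is covered by the variable: not in any excluded network and,
    when the variable lists any included networks, inside one of them."""
    addr = ipaddress.ip_address(ip)
    include, exclude = resolve(name, variables)
    if any(addr in net for net in exclude):
        return False
    return not include or any(addr in net for net in include)


def classify(ip, variables):
    """Names of the address variables that contain ip."""
    return sorted(name for name in variables if matches(ip, name, variables))


def lint(variables):
    """Problems to fix before rollout: undefined references and networks with
    host bits set (192.168.2.5/23 where 192.168.2.0/23 was meant). Only pass
    address variables; port variables such as MODBUS_PORT are not CIDR lists."""
    problems = []
    for name, value in variables.items():
        for tok in _tokens(value):
            tok = tok.lstrip("!")
            if tok.startswith("$"):
                if tok[1:] not in variables:
                    problems.append(f"{name}: ${tok[1:]} is not defined")
                continue
            try:
                ipaddress.ip_network(tok, strict=True)
            except ValueError:
                problems.append(f"{name}: '{tok}' is not a valid network (host bits set or bad syntax)")
    return problems


# Constructed variable set: HOME_NET from the worked example above, the rest invented.
SAMPLE = {
    "HOME_NET": "[192.168.2.0/23,192.168.160.0/24]",
    "EXTERNAL_NET": "!$HOME_NET",
    "MODBUS_SERVER": "[192.168.150.45/32,192.168.150.60/32]",
    "MODBUS_CLIENT": "[192.168.2.0/23]",
}

if __name__ == "__main__":
    print(lint(SAMPLE))
    for ip in ("192.168.2.5", "192.168.150.45", "10.0.0.1"):
        print(ip, classify(ip, SAMPLE))
```

Running classify() on the addresses of a few known Modbus servers, Ovation stations and outside hosts before rollout is a quick way to confirm that each lands only in the variables the rules expect.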
DNP3_CLIENT
For a system using DNP3 protocol in its environment, the DNP3_CLIENT variable is used to
define what IP addresses take part in that communication. This variable defines the client side of
the communication. It should be defined in a similar way to HOME_NET.
For example:
[192.168.150.45/32] for a single client.
[192.168.150.45/32,192.168.150.60/32] for multiple single clients.
[192.168.150.0/24] for a range of clients.
DNP3_PORTS
For a system using DNP3 protocol in its environment, this variable is used to define what ports
are used for DNP3 communication. Be aware that there is no standard port (20000 is de facto
standard), and some devices (such as SEL boxes) may use multiple ports for DNP3.
DNP3_SERVER
For a system using DNP3 protocol in its environment, this variable is used to define what IP
addresses take part in that communication. This variable defines the server side of the
communication. It should be defined in a similar way to HOME_NET.
For example:
[192.168.150.45/32] for a single server.
[192.168.150.45/32,192.168.150.60/32] for multiple single servers.
[192.168.150.0/24] for a range of servers.
ENIP_SERVER
For a system using Allen Bradley protocols in its environment, this variable is used to define what
IP addresses take part in that communication. This variable defines the server side of the
communication. It should be defined in a similar way to HOME_NET.
For example:
[192.168.150.45/32] for a single server.
[192.168.150.45/32,192.168.150.60/32] for multiple single servers.
[192.168.150.0/24] for a range of servers.
ICCP_CLIENT
For a system using ICCP protocol in its environment, this variable is used to define what IP
addresses take part in that communication. This variable defines the client side of the
communication. It should be defined in a similar way to HOME_NET.
For example:
[192.168.150.45/32] for a single client.
[192.168.150.45/32,192.168.150.60/32] for multiple single clients.
[192.168.150.0/24] for a range of clients.
ICCP_PORT
For a system using ICCP protocol in its environment, this variable is used to define what ports are
used for ICCP communication.
ICCP_SERVER
For a system using ICCP protocol in its environment, this variable is used to define what IP
addresses take part in that communication. This variable defines the server side of the
communication. It should be defined in a similar way to HOME_NET.
For example:
[192.168.150.45/32] for a single server.
[192.168.150.45/32,192.168.150.60/32] for multiple single servers.
[192.168.150.0/24] for a range of servers.
MODBUS_PORT
For a system using MODBUS protocol in its environment, this variable is used to define what
ports are used for MODBUS communication. The standard port is 502 but certain PLCs or
environments may use other ports.
OSC_003 243
4.21 Vulnerability assessment
MODBUS_SERVER
For a system using MODBUS protocol in its environment, this variable is used to define what IP
addresses take part in that communication. This variable defines the server side of the
communication. It should be defined in a similar way to HOME_NET.
For example:
[192.168.150.45/32] for a single server.
[192.168.150.45/32,192.168.150.60/32] for multiple single servers.
[192.168.150.0/24] for a range of servers.
ROCKWELL_PORTS
For a system using Allen Bradley protocols in its environment, this variable is used to define what
ports are used for this communication. Most of the standard Allen Bradley ports are called out by
default.
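The variables above all use the same bracketed address-list form, and a typo in one of them (a prefix with host bits set, a stray comma, a host left out of a server list) silently changes what the NID treats as a client or server. The following Python script is an added example, not part of this guide or of the NID software: it parses that list form, rejects the common typos, reports which variables cover a given host, checks a host inventory against a definition, and rewrites a list in its minimal CIDR form. The variable values, host addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed example values in the bracketed list form the guide describes.
# The addresses are illustrative and are not taken from any real site.
NID_VARS = {
    "ENIP_SERVER": "[192.168.150.45/32,192.168.150.60/32]",
    "ICCP_CLIENT": "[192.168.150.45/32]",
    "ICCP_SERVER": "[192.168.151.0/24]",
    "MODBUS_SERVER": "[192.168.150.0/24]",
}


def parse_ip_list(text):
    """Parse "[a.b.c.d/nn,...]" into IPv4Network objects.

    A single entry may omit the brackets. Empty entries and prefixes with host
    bits set (for example 192.168.150.45/24) are rejected, because both are
    common typos that silently widen or break a definition.
    """
    body = text.strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    elif "[" in body or "]" in body:
        raise ValueError(f"unbalanced brackets in {text!r}")
    networks = []
    for item in body.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty entry in {text!r}")
        try:
            networks.append(ipaddress.IPv4Network(item, strict=True))
        except ValueError as exc:
            raise ValueError(f"bad entry {item!r} in {text!r}: {exc}") from None
    return networks


def contains(text, host):
    """True if the variable definition in text covers the given host address."""
    address = ipaddress.IPv4Address(host)
    return any(address in network for network in parse_ip_list(text))


def classify(variables, host):
    """Names of the variables whose ranges include host, in definition order."""
    return [name for name, text in variables.items() if contains(text, host)]


def uncovered(text, hosts):
    """Hosts from an inventory list that the variable definition does not cover."""
    return [host for host in hosts if not contains(text, host)]


def compact(text):
    """Rewrite a definition in its minimal CIDR form; two adjacent /24s become one /23."""
    networks = ipaddress.collapse_addresses(parse_ip_list(text))
    return "[" + ",".join(str(network) for network in networks) + "]"


if __name__ == "__main__":
    # Constructed inventory of hosts that should all be covered by ENIP_SERVER.
    inventory = ["192.168.150.45", "192.168.150.60", "192.168.150.61"]
    print("missing from ENIP_SERVER:", uncovered(NID_VARS["ENIP_SERVER"], inventory))
    print("variables covering 192.168.150.45:", classify(NID_VARS, "192.168.150.45"))
    print("compacted:", compact("[192.168.2.0/24,192.168.3.0/24]"))
```

Run the script against the exported variable values and the site's host inventory after each change to the NID configuration; a host listed by uncovered() is traffic the protocol rules will not classify as expected.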
1. Click the red X button on the front of the IDS and wait for the menu to load.
2. Select Shutdown using the up and down arrows. Click the green check button.
3. Select Power Off using the up and down arrows. Click the green check button.
4. The NID begins the shutdown process.
1. Click the Asset Manager icon from the upper-right corner of the SIEM main menu.
3. Click Add.
A Writing changes to devices window appears. After it reaches the Success status, click
Close to close the window.
9. Click OK on the Asset Manager window to close the Asset Manager window.
The settings that need to be made for the OSC VS module in OSC 2.0 through OSC 3.0 are as
follows:
VA source type: Lumension
VA source name: Enter a name
Zone: None
Priority: 1
IP Address: IP Address of the VS module
Port: 205
Username: username to logon to VS engine
Password: Enter password
Use HTTP Proxy: Unchecked
Proxy IP Address: greyed out
Proxy Port: greyed out
Proxy Username: greyed out
Proxy Password: greyed out
Time out: 2 minutes
4.22 Backup and Restore
SIEM backups can be incremental. The information in this section applies to incremental backups
only. The first backup of event or log data only backs up data from the start of the current day.
Subsequent backups back up data starting at the time of the last backup.
The incremental chain starts from the first backup ever performed on the system, and that first
backup only ever contains data from that day. All later backups must also be preserved, because
each one is incremental only.
You can back up the entire SIEM with all its data for a snapshot of everything inside the SIEM.
This must be saved to a remote location only (you cannot save this backup directly to the SIEM).
Note: The SIEM goes offline while performing its backup. If the SIEM has a lot of data stored,
the backup can take a long time. Therefore, only do a full backup when the system is in outage so
you do not lose important information during the backup process.
Best practice is to perform a first backup immediately upon delivery of the system, and to archive
all future backups in case a future restore is needed. Full backups can be performed as part of a
plant backup policy and can act as a starting point for a new set of incremental backups.
However, do not forget that the SIEM will go offline during a full backup.
If you choose to back up event and log data to the ESM, you should regularly move the backup
files to another location to avoid exhausting the drive space on the ESM.
b) Browse to the location and save the file. The option to delete the file locally from SIEM
will be given.
c) If the backup is to remain on SIEM only, click Close.
4. Click OK when the backup is complete.
Note: Selecting the NFS share type does not require entering a remote username and
password.
4.23 Log Management
CAUTION! When you perform a full backup, the ESM will go offline. Depending on the size of
your database, the ESM could be offline for an extended period of time.
The Restore Backup button allows you to select one or more files from the ESM, a local machine, or
a remote location to revert all of your settings and data to a previous state. If you perform
this function, you lose all changes made to the settings after the backup was created. To
restore one or more backup files:
1. Click the System node in the System Navigation tree and select Properties in the Actions
pane to access the System Information screen.
2. Click Backup and Restore. The Backup and Restore window opens.
3. Click the Restore Backup button. The Select Restore File window opens, showing a list of all
backup files currently residing on the ESM.
4. Select the file(s) you want to restore and click OK.
If you purchase OSC 2.1 or above, the SIEM is available with the LM functionality. However, if
you upgrade the previous version of OSC to OSC 2.1 and the SIEM is registered with Emerson,
you need to perform a one-time upgrade to enable the LM functionality. Otherwise, a new SIEM is
required to enable the LM functionality.
To ensure LM functionality is enabled properly, make sure the following are available and fully
configured before performing the upgrade:
OSC SIEM at OSC 2.1 level (NitroView Version 9.1.2)
OSC NAS
LM License Key (Managed by Emerson Power and Water Solutions)
Perform the following steps to upgrade the SIEM for adding LM:
1. Insert approved media, such as a USB flash drive or CD, with the LM license into the drive. The
file name is the SIEM machine ID, for example, 1234_ABCD.upk.
2. Open Internet Explorer (IE).
3. Log on to the OSC SIEM by entering the following address in the address bar:
https://<SIEM IP Address>/Application.html
Where <SIEM IP Address> is the IP address of the OSC SIEM. For example,
https://192.168.124.49/Application.html.
4. Expand the Local Receiver item in the System tree.
Whether the SIEM is preconfigured with LM functionality or the SIEM is upgraded to add LM
functionality, perform the following steps to ensure the LM is ready for use:
1. Enter the following url into the Web browser’s address bar to log on to the SIEM:
https://<SIEM IP>/Application.html
For example: https://192.168.124.49/Application.html
2. Internet Explorer may display a warning page saying that there is a problem with the Web
site's security certificate. Click Continue to this Web site (not recommended) to proceed.
3. Log on using the user name and password. Typically, the first time you log on to the system,
you need to enter the default credentials.
4. Change the password if you are logging on the SIEM for the first time. Emerson
recommends changing the password at this point to conform to NERC-CIP regulations.
5. Click Local Receiver on the main screen of the SIEM. Click Properties. The Receiver/ELM
Properties window appears.
7. Click Add under Define a storage device to be used with a storage pool for data
retention. The Add Storage Device window appears:
1. Enter the following URL into the Web browser’s address bar to log on to the SIEM:
https://<SIEM IP>/Application.html
For example: https://192.168.124.49/Application.html
2. Internet Explorer may display a warning page saying that there is a problem with the Web
site's security certificate. To proceed, click Continue to this Web site (not recommended).
3. Log on using the user name and password. Typically, the first time you login to the system,
you need to enter the default credentials.
4. Change the password if you are logging on the SIEM for the first time. Emerson
recommends changing the password at this point to conform to NERC-CIP regulations.
5. Click Local Receiver on the main screen of the SIEM. Click Properties. The Receiver/ELM
Properties window appears.
6. Click Receiver Configuration.
8. Select the storage pool that was created from the Data Storage Devices drop-down list. For
example, ELMStorage.
You must wait for the whole database to migrate before moving forward. This can be checked
by opening Windows Explorer on the OSC UI and navigating to the location of the LM files
on the NAS (such as \\xxx.xxx.xxx.xxx\LM\). For the management database, this file is called
MGTDB_ALLOCATION. Press the <F5> key to refresh the Explorer window to show that the
files are growing. After they grow to their full size (the files stop changing size), they are ready
for use. 500 GB of data can take more than 24 hours to transfer fully.
NOTE: While LM is migrating the database or allocating storage pool space, there should not be
any interruption in power or network connectivity.
1. Enter the following URL into the Web browser’s address bar to log on to the SIEM:
https://<SIEM IP>/Application.html
For example: https://192.168.124.49/Application.html
2. Internet Explorer may display a warning page saying that there is a problem with the Web
site's security certificate. To proceed, click Continue to this Web site (not recommended).
3. Log on using the user name and password. Typically, the first time you login to the system,
you need to enter the default credentials.
4. Change the password if you are logging on the SIEM for the first time. Emerson
recommends changing the password at this point in order to conform to NERC-CIP
regulations.
5. Click Local Receiver on the main screen of the SIEM. Click Properties. The Receiver/ELM
Properties window appears.
6. Click Storage Pools.
7. Under the Add a storage pool to hold data. Pools can be made of both local or network
storage devices section, click Add. The Add Storage Pool window appears.
Note: You can only allocate 1 TB of storage each time you perform this step (you can add up to 1024
GB). Keep clicking Add and adding 1 TB slices of data storage allocation until all the storage
configured in the Add Storage Device section is used up.
You must wait for the whole storage pool to allocate before moving forward. This can be
checked by opening Windows Explorer on the OSC UI and navigating to the location of
the LM files on the NAS (such as \\xxx.xxx.xxx.xxx\LM\). The data storage files are called
Alloc_xxxxxxxxxx_1. Press the <F5> key to refresh the Explorer window to show that the files
are growing. After they grow to their full size (the files stop changing size), they are ready for
use. 500 GB of data can take more than 24 hours to transfer fully.
9. Click OK to accept this device.
10. Click OK to close the Add Storage Pool window.
11. The LM is added to the pool.
12. When the process is complete, a window stating that the creation was successful appears.
Click Close to close the window.
13. Allow time for the data to become allocated to the pool.
The LM has the ability to hash logs and later recheck the hashes of the logs to verify that the logs
have not been altered since they were recorded. The results of this check show the items that
have been changed/altered. This alerts you to unauthorized modification of the critical system or
content files. If none of the files has been changed/altered, you are notified that the check was
successful. For performance, restrict the integrity check to the time frame or devices you are
trying to pull LM logs for. This is not required; however, it improves the run time of the integrity
check.
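The following Python script is an added example, not part of this guide or of the LM product; it models the hash-and-recheck idea described above so that the meaning of the Failed count is concrete. A per-record hash stored next to the record is not enough on its own, because whoever can edit the record can also recompute its hash. The example therefore chains each record's hash to the previous one and authenticates the chain head with a key that is assumed to live outside the log store (on the SIEM rather than the NAS). Like the LM check, the recheck can be restricted to a time frame or a device. The log records, device names, key value and function names are all constructed for this example.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample records; they are illustrative, not from a real system.
SAMPLE_LOGS = [
    {"ts": "2012-09-01T08:00:05Z", "device": "drop1", "msg": "logon success user=operator"},
    {"ts": "2012-09-01T08:02:17Z", "device": "drop1", "msg": "setpoint change LT101 45.0->52.0"},
    {"ts": "2012-09-01T08:03:40Z", "device": "sw01", "msg": "configure terminal entered by admin"},
    {"ts": "2012-09-01T09:15:00Z", "device": "drop2", "msg": "service stopped OvationAudit"},
]

# Assumption: the verifier key is kept off the log store, so someone who can
# rewrite records and hashes on the NAS still cannot recompute the chain tag.
VERIFIER_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "00" * 32  # digest used as the predecessor of the first record


def canonical(record):
    """Deterministic byte encoding so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_digest(prev_digest, record):
    """SHA-256 over the previous digest and the record, linking the two."""
    h = hashlib.sha256()
    h.update(bytes.fromhex(prev_digest))
    h.update(canonical(record))
    return h.hexdigest()


def seal_logs(records, key):
    """Store each record with its chained digest and return an HMAC tag over the chain head."""
    entries, prev = [], GENESIS
    for record in records:
        digest = record_digest(prev, record)
        entries.append({"record": record, "prev": prev, "digest": digest})
        prev = digest
    tag = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    return entries, tag


def in_scope(entry, time_from, time_to, device):
    """Time frame / device filter; ISO 8601 UTC strings compare correctly as text."""
    ts = entry["record"]["ts"]
    if time_from and ts < time_from:
        return False
    if time_to and ts > time_to:
        return False
    if device and entry["record"]["device"] != device:
        return False
    return True


def verify_logs(entries, tag, key, time_from=None, time_to=None, device=None):
    """Recheck stored digests; a failed list of [] with chain_ok True means nothing changed."""
    failed, checked = [], 0
    for i, entry in enumerate(entries):
        if not in_scope(entry, time_from, time_to, device):
            continue
        checked += 1
        expected_prev = entries[i - 1]["digest"] if i > 0 else GENESIS
        link_ok = entry["prev"] == expected_prev
        hash_ok = record_digest(entry["prev"], entry["record"]) == entry["digest"]
        if not (link_ok and hash_ok):
            failed.append(i)
    head = entries[-1]["digest"] if entries else GENESIS
    expected_tag = hmac.new(key, head.encode(), hashlib.sha256).hexdigest()
    tag_ok = hmac.compare_digest(tag, expected_tag)
    return {"checked": checked, "failed": failed, "chain_ok": tag_ok and not failed}


def tampered(entries, index, **changes):
    """Deep copy of entries with one record edited; simulates an altered log file."""
    copied = copy.deepcopy(entries)
    copied[index]["record"].update(changes)
    return copied


if __name__ == "__main__":
    sealed, chain_tag = seal_logs(SAMPLE_LOGS, VERIFIER_KEY)
    print("clean:", verify_logs(sealed, chain_tag, VERIFIER_KEY))
    edited = tampered(sealed, 1, msg="setpoint change LT101 45.0->45.0")
    print("edited record:", verify_logs(edited, chain_tag, VERIFIER_KEY))
    print("drop1 only:", verify_logs(sealed, chain_tag, VERIFIER_KEY, device="drop1"))
```

Three outcomes are worth recognising when reading a result: an edited record fails its own hash; an edited record whose hash was also recomputed passes, but the next record fails because its stored predecessor no longer matches; and a fully re-chained store passes every record yet fails the tag, which is why chain_ok is reported separately from the Failed count.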
1. Enter the following URL into the browser’s address bar to log on to the SIEM:
https://<SIEM IP>/Application.html
For example: https://192.168.124.49/Application.html
2. Internet Explorer may display a warning page saying that there is a problem with the Web
site's security certificate. To proceed, click Continue to this Web site (not recommended).
3. Log on using the user name and password. Typically, the first time you login to the system,
you need to enter the default credentials.
4. Change the password if you are logging on to the SIEM for the first time. Emerson
recommends changing the password at this point in order to conform to NERC-CIP
regulations.
5. Click Local Receiver on the main screen of the SIEM. Click Properties. The Receiver/ELM
Properties window appears.
6. Click Data.
8. Select the correct time frame from the Time frame drop-down list to perform the check. The
same can be performed for Device and Device Type drop-down lists. Otherwise, leave these
fields blank.
9. Click the Search button to schedule the integrity check. The Search Results dialog box
appears. The State column shows the progress of the scan.
10. After the search is completed, the Failed column reports the items that failed their integrity
check in the search.
a) A result of 0 reports that no issues occurred and that all logs in that time frame or device
are valid.
b) If this number is not 0, you can click the search job under Search Results. Clicking View
displays the LM integrity results window to review all the failed items. The Export option
allows a text file to be saved for review or documentation.
After the LM is enabled and initially configured, the unparsed data from the SIEM receiver's data
sources can be sent to the LM. Having the LM available does not mean that every data source
must be linked to it. In the case of Ovation equipment, however, every device should log to the LM.
Perform the following steps to add a new data source or to enable logging one device at a time:
1. Follow the instructions from the Configuring WMI Data Sources (Windows Devices) for
Monitoring (see page 189) and Configuring Syslog Data Sources (Cisco and *nix Devices) for
Monitoring (see page 191) sections on adding or editing a single data source.
2. Click Logging on the Add Data Source or Edit Data Source window.
Perform the following steps to enable logging for multiple devices at once:
1. Enter the following URL into the browser’s address bar to log on to the SIEM :
https://<SIEM IP>/Application.html
For example: https://192.168.124.49/Application.html
2. Internet Explorer may display a warning page saying that there is a problem with the Web
site's security certificate. To proceed, click Continue to this Web site (not recommended).
3. Log on using the user name and password. Typically, the first time you login to the system,
you need to enter the default credentials.
4. Change the password if you are logging on to the SIEM for the first time. Emerson
recommends changing the password at this point in order to conform to NERC-CIP
regulations.
5. Click Local Receiver on the main screen of the SIEM. Click Properties. The Receiver/ELM
Properties window appears.
7. Left-click on the first item in the list. Hold the <SHIFT> key and left-click on the last item in
the list to highlight all data sources, or hold the <CTRL> key and only select the items that
need LM logging enabled.
8. In the Logging column header, select the check box. The ELM Logging Options window
appears.
9. Select the storage pool to send the logs to. For example, LM Logs (3Y).
10. Click OK to close the ELM Logging Options window.
11. All items highlighted in the list should be checked.
12. Click Write.
13. Follow the OSC SIEM manual instructions for rolling out the SIEM policy.
You can retrieve logs from the LM using the following two methods:
Graphical User Interface (GUI) - This method is used when you want to view the data.
Text-based - This option is used when you know the exact time frame/devices to retrieve data
for.
Perform the following steps to make the Graphical interface-based Enhanced ELM search:
1. Enter the following URL into the Web browser’s address bar to log on to the SIEM:
https://<SIEM IP>/Application.html
For example: https://192.168.124.49/Application.html
2. Internet Explorer may display a warning page saying that there is a problem with the Web
site's security certificate. To proceed, click Continue to this Web site (not recommended).
3. Log on using the user name and password. Typically, the first time you login to the system,
you need to enter the default credentials.
4. Change the password if you are logging on to the SIEM for the first time. Emerson
recommends changing the password at this point in order to conform to NERC-CIP
regulations.
5. Click Local Receiver on the main screen of the SIEM. Click Properties. The Receiver/ELM
Properties window appears.
6. Select Enhanced ELM Search.
From here, you can type in the search phrase to look for. This can be plain text (such as "fail") or
a regular expression. The time period is selected from the View drop-down list. Click Search to
perform the search and display the results on the screen.
The Data Source Results and Device Type Results provide a breakdown of where the messages
in the given search came from. Left-click one of the bars to enable the Apply Filters
button. Click this button to perform a new search narrowed by the selection you made.
Text-based
1. Enter the following URL into the browser’s address bar to log on to the SIEM:
https://<SIEM IP>/Application.html
For example: https://192.168.124.49/Application.html
2. Internet Explorer may present a warning page saying that there is a problem with the Web
site's security certificate. To proceed, click Continue to this Web site (not recommended).
3. Log on using the user name and password. Typically, the first time you login to the system,
you need to enter the default credentials.
4. Change the password if you are logging on the SIEM for the first time. Emerson
recommends changing the password at this point in order to conform to NERC-CIP
regulations.
5. Click Local Receiver on the main screen of the SIEM. Click Properties. The Receiver/ELM
Properties window appears.
6. Click Data.
From here, you can type in the search phrase to look for. This can be in normal text (like "fail") or
a regular expression. Make sure to select a proper time period; larger time frames result in larger
search times. Click Search to schedule the search, and the job appears in the Search Results
table.
The searched data can be viewed using the View button, exported to a text file using the Export
button, or deleted from the SIEM using the Delete button.
The LM backup allows you to save the current settings of the LM device, which can be restored in
case of system failure or data loss. The Backup and Restore window contains all configuration
settings, including the ELM logging database.
Note: The LM backup does not include the actual logs that are stored by the LM. The LM
configuration backups can be used to restore the connection to the Network Attached Storage
(NAS). However, the backup procedure does not backup the data on the NAS.
Perform the following steps to access the LM backup and restore window:
1. Set the following parameters under the Backup Location section on the Backup & Restore
window:
Share Type: CIFS
Remote IP Address: <IP Address of the NAS>
Example: 192.168.124.66
Remote Share Name: LM
Remote Path: <Folder in LM share for backups>
Example: Leave blank, store backup in root of LM share
Remote Username: <Username to access NAS store>
Example: admin
Remote Password: <Password of above username>
4.24 Network discovery and configuration management
Example: netgear1
2. Click Connect to test the connection between the NAS and the SIEM.
3. Click Apply to save the configuration parameters.
Note: The manual backup procedure only takes the backup of the configuration settings, not the
log messages.
The automatic backup procedure schedules the LM to take the backup at a set interval.
1. Select the Auto backup every check box on the Backup & Restore window.
2. Set the number of days for which you want to take the backup using the "days at" list box.
3. Set the hour of day to take the backup at a time when network activity is low. For example, 4
for 4 AM.
4. Click Apply to save this setting.
5. The SIEM creates an LM configuration backup at the backup location at the set interval.
The restore procedure restores the LM configuration in the event of a SIEM restoration.
1. Click the Asset Manager icon in the upper-right corner of the SIEM main menu.
3. Click Settings.
The Configure Network Settings window appears:
4. Click Add.
The Network Discovery Parameters window appears:
15. Enter the ranges for each network segment you are trying to map. For example,
192.168.2.0/23 covers the 192.168.2.0 and 192.168.3.0 subnets. Separate each entry with a
comma. When you are finished, click OK to accept the changes and close the Homenet window.
Any time a change is made to the network, the discovery must be run again to find the new
devices.
1. After the Network Discovery parameters are set on the Asset Manager window under the
Network Discovery tab, click Discover Network to begin finding devices. A pop-up asking to
confirm the discovery if this is not the first discovery attempt may appear. Click Yes to
continue.
2. The upper section of the Asset Manager window changes the status to Running.
3. Wait until the status changes to Completed. The network discovery process is now complete
and ready to be reviewed.
1. After a network discovery has been completed, view the top section Network Devices on the
Asset Manager window under the Network Discovery tab. The following three sections need
to be reviewed:
a) Number of Network Devices - To view more detailed information about the number of
network devices, click the Number of network devices link and the Network Devices
dialog box appears. This dialog box allows you to view information, such as IP
address, MAC address, SNMP RO and RW, CLI, and current status.
Note: You can edit any of these parameters from the Network Devices dialog by selecting a
parameter and clicking on the Edit button.
Note: Select a parameter and click the Edit button to edit any of these parameters from the IP
Addresses dialog box.
c) Devices Without Connections - The Devices without connections option is only enabled if
there is a device on the network that does not have a connection. If this option is enabled,
click the Devices without connections link to view a list of devices without connections.
2. Review the Network Devices and ensure that all devices are accounted for and their current
status is true. A current status of false can indicate either the device is now offline, or the
SNMP or CLI parameters for that specific device are not the same as the network segment it
belongs to. If the parameters are inaccurate, the specific device can be edited to use the
proper parameters. After the proper parameters are set, run the network discovery again and
review to ensure all devices are current.
After all the network devices are discovered and accounted for, the SIEM can be configured to
poll those devices at a set interval for their status. Devices that drop off the network generate a
message inside the SIEM at the Local ESM level.
1. View the Monitor your network devices with PING or SNMP to verify their up/down state
section.
2. Select the Use PING and Use SNMP check boxes on the Asset Manager window under the
Network Discovery tab.
3. Set the interval to the desired setting.
4. Click OK to save the changes and close the Asset Manager window.
To use the configuration management features of the SIEM, network discovery must be
configured and device auto-discovery must have completed successfully. Refer to the Network
Discovery section for more details. Configuration management compares the current configurations
of the network devices against the previously saved versions. If a change is found, an event is
generated at the Local ESM level stating that a configuration has changed.
1. Click the Asset Manager icon from the upper-right corner of the SIEM main menu.
If there is an error (the status is displayed as Device Error), check the CLI profile and try
again. Refer to the To confirm network discovery (see page 275) section.
1. After a difference is found in the configuration, an event is generated at the Local ESM level
of the SIEM.
2. Under the Configuration Management tab of the Asset Manager window, a device with a
configuration change has the Config Change status.
3. Left-click on the device. A list of saved configurations is available at the bottom of the window.
4. Use the CTRL key to select two configurations in the list that you want to compare.
5. The Compare button is now active. Click the Compare button.
The File Compare Viewer window appears as follows:
6. From the window above, the two configurations can be compared. Click Close to close the
File Compare Viewer window.
4.25 Using the Security Incident and Event Manager
4.26 Appendices
This section describes the auditing policies and capabilities. It also describes how to create a
Windows user for AD authentication and log collection, and the Emerson baseline NID tuning parameters.
Not every model of Cisco equipment used in Ovation systems can log the same amount of
information as others. The following table explains what can and cannot be enabled to log.
Note: The Latest SW Used column is the latest software version Emerson has used for that part.
Note: Logon and command logging only work for users logged in to the device. Some Ovation
switches do not have users enabled by default.
Windows audit policies are best set through Active Directory where possible. This is done by
making the settings in the Default Domain Policy on the Domain Controller, as described in the
following sections.
These operating systems are only supported with legacy audit rules. These audit policies are very
broad and do not offer the granularity that later versions of Windows provide (known as
Advanced Security Auditing).
While these operating systems support the legacy audit rules described in the previous section,
using them may produce more events to review, because Windows now tracks more events. The
advanced security audit policy was introduced to give more control over which events are logged.
To enable the advanced security settings instead of the legacy ones (recommended), make the
following setting in Active Directory:
If the domain controller is Server 2008 (not R2), the following settings cannot be set through
Active Directory; they have to be set using the auditpol command.
If the domain controller is Server 2008 R2, these settings can be set directly in Active Directory:
4.26.3 Creating a Windows user for Active Directory authentication and log collection
This section describes how to create a user on a Windows Server 2008 Domain Controller
(Ovation releases 3.3.1 and 3.5) that allows log on for the SIEM and privileges to collect logs from
each Windows machine on the Ovation system.
Note: To log on to the SIEM in Windows Active Directory, there must be a group in Windows
Active Directory with the same name as a group in the SIEM configuration.
1. Create a user in the Windows domain. This can be performed from the Ovation Security
Manager or through Active Directory Users and Groups in the Administrative Tools.
a) Example:
   Name: SIEM
   First Name: SIEM
   Last Name: User
   Turn off "User must change password on next log on".
b) Other options to consider (must be done from Active Directory Users and Groups).
Perform the following steps to deny the user created in Step 1 of the previous section the right
to log on to the Windows machines:
1. Go to Group Policy Management on the domain controller. Edit Default Domain Policy.
2. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security
Settings -> Local Policies -> User Rights Assignment.
3. Set both the Deny log on locally and Deny log on through Remote Desktop Services policies
and add the user created in Step 1 to these policies. This user is then not allowed to log on to
any Windows machine.
4. Reboot each machine, or open a command prompt and execute the gpupdate /force
command on each machine, to force the settings to take effect.
Perform the following steps to allow the user created in Step 1 of the previous section to collect
logs from all Windows machines on a system:
1. Locally on each machine, you must add the user created in Step 1 of the previous section to
the Event Log Readers group to allow the user to log on and read the logs.
2. The easiest way to perform this is to open a command prompt and execute the following
command:
This section describes the changes made to a new NID's default rules to minimize false positives on
an Ovation system, with explanations where possible.
On new installations of the SIEM, these rules are set during loading. If a SIEM is upgraded, these
rules are not set. Use this guide to help tune the rules.
Note: This tuning was done in a lab environment and may not capture all configurations of every
Ovation system. Logs must be reviewed to determine whether additional rules need to be
disabled, or whether rules set by Emerson need to be enabled for the specific environment.
The following table describes the rules. The Location column is the rule type that can be found
under Rule Type in the Policy Manager.
Location                    Rule ID  Rule name                                                                Action               Reason                                                  State
IPS/Deep Packet Inspection  1009115  ORACLE BEA WebLogic Server Plug-ins Certificate Buffer Overflow - Set 00  alert, block, reset  Causes false positives, do not use ORACLE BEA WebLogic  disabled
IPS/Deep Packet Inspection  1009114  ORACLE BEA WebLogic Server Plug-ins Certificate Buffer Overflow - SET 01  alert, block, reset  Causes false positives, do not use ORACLE BEA WebLogic  disabled
SECTION 5
Troubleshooting
Prior to Blue Screen of Death (BSOD) or testing, you should set the machine to create these files.
For additional information, you can find a Full or Kernel memory dump in the following directory:
C:\Windows\memory.dmp
You can use Microsoft developer tools to view the BSOD dump using either of the following:
http://msdn.microsoft.com/en-us/windows/hardware/gg463009.aspx
5.2 Troubleshooting for Lumension OSC 2.x Update 1
http://www.nirsoft.net/utils/blue_screen_view.html
Extensive snapshots of drivers, services, startup objects, and other system information need to
be taken while the system is running normally to get a full picture.
Note: Additional information about the MSInfo tool can be found under Microsoft KB308549.
Patch Agent:
Found in C:\Program Files\Lumension\Patch Agent
Lumension Detection Agent.log
Lumension Patch Agent.log
LEMSS Agent:
This is the network agent for server communication, new in OSC 2.x.
Found in C:\Program Files\Lumension\LEMSSAgent
A Logs link is found in that directory under Logs.
This link normally takes you to a hidden directory at C:\Documents and Settings\All Users\Application Data\Lumension\LMAgent\logs
EPS.log
EPS_stopstartlma.log
EPSDriver.log
The same error codes and other resources apply from OSC1.
5.3 Checking OSC version numbers for 2x Update 1 versions
4. Right-click the system name and select Retrieve All Events. The UI will pause and request
all events from the endpoint. After a few minutes, a new pop-up window appears with all the
events.
5. To save the events to a text file, press Ctrl-A, right-click the highlighted lines, and select
Copy Selection to Clipboard.
6. The entries should now be on your local machine’s Clipboard. You can paste them into a text
file and attach them to an email for analysis.
Note: Page 23-28 of the Bouncer 5.3 User Guide located on the OSC CD explains the event
format.
Note: The Version numbers illustrated in the screen shots are from OSC 1.2.1 and OSC 2.0
Preliminary.
4. On the Information tab, the Agent Information section displays the running version.
3. In the bottom right pane, click the Settings tab. The Software Version appears in the settings list.
3. In the right pane, the Software Version row displays the version number in the column to the right.
SECTION 6
However, if you want to request a license renewal, contact your SureService representative or your PWS field sales representative.
When you are ready to renew your license, you must have available all the licensing folder information that you originally received with your Ovation Security Center.
License expiration dates can be viewed in the Patchlink Licensing Update tool.
6.3 Annual license renewal
2. Launch the License Request Tool from the Desktop icon or from Start -> Programs -> PatchLink -> License Request Tool. The InstallShield Wizard launches. Launching the License Request Tool may take several seconds while the tool enumerates the local SQL databases.
3. After launching, the Connect to Server window appears. Select the Windows authentication option and enter .\UPC into the Server Name box.
4. Click OK. There may be a pause while the license tool connects to the local database. The license tool opens.
5. Click Import. The Import License Data (License Text) window appears.
6. Click Open. Browse to the license text file and select the file.
8. Click Next. The Import License Data (New License Data) window appears. Confirm that the Units (the number of licensed machines that can be installed) and the Expiration date (the license expiration date) match what was ordered.
9. Click Finish. A window appears asking whether you are sure that you want to update the license data.
10. Click Yes to update the license data. The update begins.
Index

Security Incident and Event Manager (SIEM) IP address and password examples • 11
Selecting the deployment Start and End functions • 81
Server Information Widget • 100
Set certain user passwords to never expire • 39
SIEM appliance overview • 164
Support and Service for your Ovation Security Center • 299
Support for your Ovation Security Center • 299
Syslog Configuration to Forward Messages from Solaris, Unix, and Linux OS Data Sources • 191

T

Terminology for the Ovation Security Center • 4
Text-based • 268
Time Since Last Agent Scan Widget • 101
To access a variable list through the policy manager • 238
To access profile management • 184
To access the LM Backup and Restore window • 269
To access the Login Security menu • 178
To access the recipients configuration • 215
To access the Users and Groups window • 181
To add a condition • 221
To add a Group to the system • 183
To add a profile • 186
To add a Report • 194
To add a storage device • 255
To add a Syslog data source to a Receiver • 192
To add a syslog recipient • 220
To add a user to a Group • 183
To add a user to the system • 182
To add a Watchlist • 212, 213
To add an email address • 215
To add an email group • 216
To add an existing user • 59
To add an SMS address • 217
To add an SNMP recipient • 218
To add clients for Windows devices for MP • 128
To add Device members • 70
To add Endpoints to Groups • 69
To add Group Members to a new Group • 67
To add groups for patch deployments • 74
To add NID to SIEM • 229
To add the storage pool • 259
To add Trusted Domain users • 153
To alter the Auto-retrieval settings • 205
To assign Devices to a deployment groups • 75
To autogenerate a whitelist policy • 130
To automatically backup the system settings • 249
To automatically check events, flows, and logs • 205
To automatically refresh Views • 204
To backup Event, Log, and Data Source Configuration Data • 250
To backup the Malware Prevention appliance • 159
To change a user password • 60
To change the database recovery model • 109
To change the database recovery model OSC 2.x • 113
To change the password for SIEM • 165
To change your passphrase for MP • 128
To change your password for MP • 127
To check OSC 2.x Update 1 Bouncer Client versions • 296
To check OSC 2.x Update 1 Bouncer Manager versions • 295
To check OSC 2.x Update 1 LEMSS Client versions • 294
To check OSC 2.x Update 1 LEMSS Server versions • 293
To check OSC 2.x Update 1 NitroView versions • 297
To check Patchlink manager license expiration dates • 299
To compare configurations • 280
To configure and read BSOD • 291
To configure Deployment Information • 78
To configure Manager Settings • 131
To configure network discovery • 272
To configure network monitoring • 277
To configure Security Configuration settings • 138
To configure the Syslog Target • 134
To configure vulnerability assessment • 244
To configure WMI Data Sources (Windows Devices) for Monitoring • 190
To confirm network discovery • 275
To connect to the Admin Console • 160
To connect to the Malware Prevention appliance • 160
To copy an alarm • 211
To create a database backup • 110
To create a database backup for OSC 2.x • 114
To create a Device deployment • 77
To create a group deployment • 77
To create a Manager Configuration Report • 157
To create a Manager software report • 158