
Technical white paper

HP CloudSystem Enterprise
Service Design for HP ArcSight Logger

Table of contents
Executive summary ... 3
HP CloudSystem Enterprise overview ... 3
  HP CloudSystem Enterprise supply layer ... 3
  HP CloudSystem Enterprise demand and delivery: HP Cloud Service Automation ... 4
  HP CloudSystem Enterprise components ... 4
HP ArcSight overview ... 5
  Enterprise Security Manager ... 5
  HP ArcSight Logger ... 5
  HP ArcSight Connectors ... 5
Overview: HP security solution for CloudSystem ... 6
  Background assumptions ... 6
  HP Cloud Server Automation and VMware vSphere ... 6
  Configuration process steps ... 7
  Storage and server requirements ... 7
Configuring HP CloudSystem Enterprise ... 8
  Creating the virtual machine image required for ArcSight Logger deployment ... 8
  Downloading the required software packages and files ... 9
  Importing software and creating HP Server Automation policies ... 9
  Importing and configuring the HP ArcSight Logger vCenter Service Design ... 10
  Create and publish the service offering ... 11
Creating and using the application service ... 12
  Creating a subscription in HP Cloud Service Automation ... 12
  Accessing the subscribed HP ArcSight Logger Service ... 12
  Returning the resource ... 13
Protecting CloudSystem Enterprise Services with HP ArcSight LAMP ... 13
  HP LAMP solution ... 13
  Importing software and creating HP Server Automation policies ... 14
Cloud Security Alliance ... 15
  Domain 5 Information Management and Data Security ... 15
  Domain 6 Interoperability and Portability ... 15
  Domain 9 Incident Response ... 16
  Domain 10 Application Security ... 16
  Domain 14 Security as a Service ... 16

Technical white paper | HP CloudSystem Enterprise

Summary ... 16
Appendix A: install.properties ... 17
Appendix B: ASLinuxAudit.props ... 17
For more information ... 18


Executive summary
Organizations are faced with threats that could disrupt operations and critical IT services. HP CloudSystem Enterprise provides automation to rapidly deliver compute resources to cloud consumers. Security must be a key component to ensure availability of the components that deliver and provision cloud-based services. This document describes how to configure a Cloud Service Automation Service Design, leveraging HP Operations Orchestration, Server Automation, and VMware vSphere, to deploy ArcSight Logger into your private cloud subscriptions. It also explains how to configure and protect services provisioned by HP CloudSystem Enterprise so that they leverage your deployed HP ArcSight Logger instances, and how the HP ArcSight Logger service design addresses a number of domains defined by the Cloud Security Alliance.

Target audience: The intended audience of this white paper is system integrators, installers, and administrators of HP CloudSystem Enterprise. The reader should be familiar with CloudSystem Enterprise and HP CloudSystem Matrix.

HP CloudSystem Enterprise overview


With HP CloudSystem Enterprise, an organization can deliver not only infrastructure as a service (IaaS), but also anything as a Service (XaaS) directly to line-of-business teams. That is, in addition to delivering virtual servers and storage as services, CloudSystem Enterprise can manage and provision enterprise-grade applications such as Microsoft Exchange, or even custom developed applications, such as cloud-based services. Figure 1 illustrates the HP CloudSystem Enterprise architecture. HP CloudSystem Enterprise extends the foundation of HP CloudSystem Matrix with the seamless integration of HP Cloud Service Automation (CSA). HP CloudSystem Enterprise manages the entire application-to-infrastructure lifecycle from provisioning, to managing and monitoring, to releasing resources back to the cloud. The diagram shows how Cloud Service Automation, with its cloud management platform for brokering and managing enterprise grade application and infrastructure cloud services, and HP Matrix Operating Environment are engineered to work together, as well as with additional HP CloudSystem extensions and third-party assets.

HP CloudSystem Enterprise supply layer


Like the HP CloudSystem Matrix offering, the supply layer in HP CloudSystem Enterprise calls on the Matrix Operating Environment for service delivery of infrastructure elements such as compute, network, storage, and other resources, both physical and virtual. HP CloudSystem Enterprise can also leverage VMware vCloud Director for infrastructure services. Supported infrastructure includes HP BladeSystem servers, HP storage, and HP networking, as well as servers, storage, and networking from third parties.
Figure 1. CloudSystem Enterprise Functional Architecture


HP CloudSystem Enterprise demand and delivery: HP Cloud Service Automation


HP Cloud Service Automation software enables and manages the delivery of application services. It includes user interfaces that allow infrastructure design, specifying what assets will be available, and service design, in which a service designer can add to and manage service catalogs. Cloud Service Automation orchestrates the deployment of compute resources and complex multitier application architectures. It integrates and leverages the strengths of several mature HP management and automation products, and it adds workload management, service design, and a customer portal to create a comprehensive service automation solution.

Cloud Service Automation (CSA) can leverage CloudSystem Matrix infrastructure services, and adds applications to the supply layer. It also expands the systems infrastructure capabilities: for example, with CSA, HP CloudSystem Enterprise can support multiple hypervisors, such as those from VMware, Microsoft, Kernel Virtual Machine (KVM), and Xen, within the supply layer. Cloud Service Automation also provides portal services for the demand layer, where consumers or business users can request services. The software delivers IaaS and platform as a service (PaaS) in a heterogeneous environment, as well as virtual desktop infrastructure (VDI or Desktop as a Service) and XaaS.

Cloud Service Automation manages the entire cloud service lifecycle, including provisioning the infrastructure, whether by extension to one or several Matrix Operating Environment resource pools, or from non-Matrix infrastructure pools. It also handles provisioning, patching, and ensuring compliance of business and custom applications; managing and monitoring the cloud; and releasing resources back to the cloud. Extensions allow adding further service assurance, enhanced security, storage management, and network management. HP CloudSystem Enterprise users can:
- Broker and manage on-demand application and infrastructure services
- Enforce compliance
- Meet service-level agreements (SLAs) with performance and availability management
- Secure data with multi-tenancy and role-based access
- Deliver comprehensive, unified service lifecycle management

HP CloudSystem Enterprise components


Besides Cloud Service Automation, components of CloudSystem Enterprise that enable its capabilities include:
- HP Operations Orchestration (OO): OO coordinates communication between integrated products and managed devices.
- HP Server Automation (SA): SA deploys operating systems and policies to managed devices. It provides lifecycle server management and automated application deployment, and automates tasks such as provisioning, patching, configuration management, and compliance management. This software can also provision operating systems, and can automate the ongoing lifecycle management of a deployed OS or application with policy-based patching and compliance capabilities.
- HP Database and Middleware Automation (DMA): DMA provides a content library for database and middleware management. It provisions application architectures onto existing infrastructure, and can also manage those applications, providing pre-packaged workflows for application patching, compliance, and code release. DMA eliminates the need for manual customization.
- HP SiteScope: SiteScope provides agentless monitoring of infrastructure platforms and the key performance indicators (KPIs) of applications. KPIs include CPU, disk, memory usage, etc.
- HP Universal Configuration Management Database (UCMDB): UCMDB maintains accurate, up-to-date information regarding the relationships between infrastructure, applications, and cloud services.
- HP Matrix Operating Environment: Matrix Operating Environment supplies infrastructure services. Cloud Service Automation is thoroughly integrated with the infrastructure services created by the Matrix Operating Environment and through this layer can burst to public cloud services.


HP ArcSight overview
Enterprise Security Manager
HP ArcSight Enterprise Security Manager (ESM) is the premier security event manager that analyzes and correlates every operational event (login, logoff, file access, database query) or other event in order to support your IT team in every aspect of security event monitoring, from compliance and risk management to security intelligence and operations. The ArcSight ESM event log monitor sifts through millions of log records to find the targeted critical events, and presents them in real time via dashboards, notifications, and reports, so you can accurately prioritize security risks and compliance violations. By adding HP Reputation Security Monitor (RepSM), vetted reputation-based threat intelligence can be correlated with security events to identify threats earlier and to detect and avert even the most sophisticated attacks. Key benefits:
- A cost-effective solution for all your regulatory compliance needs
- Automated log collection and archiving
- Fraud and real-time threat detection
- Forensic analysis capabilities for cyber security
- Detect threats early using timely reputation data with HP RepSM

HP ArcSight Logger
With HP ArcSight Logger you can improve everything from compliance and risk management, security intelligence and IT operations to efforts that prevent insider and advanced persistent threats. This universal log management solution collects machine data from any log-generating source and unifies the data for searching, indexing, reporting, analysis, and retention. And in the age of Bring Your Own Device (BYOD) and mobility, it enables you to comprehensively manage an increasing volume of log data from an increasing number of sources. Key features:
- Collect logs from any log-generating source through 300+ connectors, from any device and in any format
- Unify data across IT through normalization and categorization into a common event format (CEF)
- Search through millions of events using a text-based search tool with a simple interface
- Store years' worth of logs and events in a unified format through a high compression ratio at low cost
- Automate analysis, alerting, reporting, and intelligence of logs and events for IT security, IT operations, IT Governance, Risk Management and Compliance (GRC), and log analytics

HP ArcSight Connectors
HP ArcSight Connectors solve the problem of managing log records in hundreds of different formats. While the HP ArcSight Security Information & Event Management (SIEM) Platform can collect log records in native formats, HP ArcSight Connectors provide normalization to a common format, which greatly improves reporting and analysis. By normalizing all events into one common event taxonomy, HP ArcSight Connectors decouple analysis from vendor selection. This approach has four significant advantages:
- Centrally manage 300+ connectors through HP ArcSight Connector Appliance (ConApp): HP ArcSight Connector Appliance manages the ongoing updates, upgrades, configuration changes, and administration of a distributed log collection deployment through a simple and centralized web-based interface. ConApp can be deployed both as an appliance and as software.
- Future proofing: If a Cisco router is swapped for an HP Networking router, or if a new SQL database or Hadoop solution is added to a network that previously only had Oracle, no reporting or rules changes are required and the organization retains continuous visibility into all activity.
- Ease of analysis: The HP ArcSight common event format eliminates the need for end users to be familiar with hundreds of different log syntaxes across products. As a result, non-technical line-of-business users can easily conduct analysis on their own, reducing the burden on IT.
- Universal content relevance: With the HP ArcSight normalized format, a report that shows authentication failures will cover every system automatically, even though one application may refer to authentication failures with a specific event ID while a database refers to the same as an unsuccessful login. This unique architecture is supported across hundreds of commercial products out of the box, as well as legacy systems.

HP ArcSight Connectors also offer various audit quality controls, including secure, reliable transmission and bandwidth controls. In addition to software-based deployments, HP ArcSight Connectors are available in a range of plug-and-play appliances that can cost-effectively scale from small store or branch office locations to large data centers. Connector appliances enable rapid deployment and eliminate delays associated with hardware selection, procurement, and testing.

Overview: HP security solution for CloudSystem


This document describes how to deploy an HP ArcSight Logger service using Cloud Service Automation with VMware vSphere.

Background assumptions
This reference implementation requires that the HP CloudSystem Enterprise environment is already installed, configured, and functioning correctly. Each component must be verified to work individually, and as a complete HP CloudSystem Enterprise environment. The major components include the following:
- HP CloudSystem
- HP Cloud Service Automation (CSA)
- HP Matrix Operating Environment (Matrix OE)
- HP Operations Orchestration (OO)
- HP Server Automation (SA)

Pointers to the documentation for installing, configuring, and verifying these components and their interoperability may be found in the For more information section.

HP Cloud Server Automation and VMware vSphere


Deployment of an HP ArcSight Logger service using VMware vSphere as a compute provider in HP Cloud Server Automation is described in the steps below:
1. The user requests a service through the HP Cloud Service Automation Consumer Portal.
2. HP Cloud Service Automation uses an HP Operations Orchestration workflow to make a request to deploy a virtual machine template to VMware vSphere vCenter.
3. VMware vSphere vCenter deploys a pre-created virtual machine template.
4. The physical server is provisioned or the virtual machine is deployed on a VMware host.
5. When the creation request is complete, an Operations Orchestration workflow requests the HP ArcSight Logger application deployment using Server Automation.
6. Once the application deployment successfully completes, the user can access the HP ArcSight Logger application using a web browser.


Configuration process steps


This reference implementation details the major steps required to install and configure the HP ArcSight Logger application. They include the following:
1. Retrieving and unpacking the scripts and content provided with this reference implementation.
2. Creating the base virtual machine image required for the HP ArcSight Logger application deployment.
3. Importing and customizing the HP Server Automation software policies.
4. Importing Service Designs and publishing Service Offerings in CSA.
5. Creating and using the application service.

After these steps are complete, the application will be available for business users to automatically deploy using the CSA Consumer portal. A final step is also included that will decommission the service and return the resources to the HP CloudSystem Enterprise environment.

Storage and server requirements


The information below defines the requirements for HP ArcSight Logger 5.3 SP1. If you plan to use a different version, refer to the HP ArcSight Logger Administrator's Guide or Release Notes for the supported OS types and system configurations for the version of Logger you need to deploy. Supported operating systems:
- Red Hat Enterprise Linux (RHEL) versions 6.2 and 5.5, 64-bit
- Oracle Enterprise Linux (OEL) version 5.5, 64-bit
- CentOS version 6.2, 64-bit

CPU, memory, and disk space:


Downloadable Version and VM Instances
- CPU: 1 or 2 x Intel Xeon Quad Core or equivalent
- Memory: 4-12 GB (12 GB is recommended)
- Disk Space: 10 GB (minimum)

For the Enterprise Version
- CPU: 2 x Intel Xeon Quad Core or equivalent
- Memory: 12-24 GB (24 GB is recommended)
- Disk Space: 65 GB (minimum)

NOTES:
- The disk space needs to be on the partition where you will install the Logger software.
- Using NFS as primary storage for events on the software Logger is not recommended.
- Make sure no other applications are running on the system on which you install Logger.


Configuring HP CloudSystem Enterprise


This reference implementation is supplied with a zip file (HP-ArcSight-SD-v1.zip) that contains a template and other content required to complete the configuration. The zip file should be unpacked into a location that is accessible to the Central Management Server (CMS) and the other servers in the CloudSystem Enterprise environment. The contents include the files listed in the following table.
Table 1. Downloaded zip file contents

  Folder                                      File name                                   Description
  HP Cloud Service Automation Service Design  SERVICE_DESIGN_VCENTER_ArcSight_Logger.zip  VMware ArcSight Service Design archive
  HP Server Automation Content                HP-ArcSight-SA.zip                          ArcSight Logger required scripts

NOTE: The zip file can be found at http://h71028.www7.hp.com/enterprise/downloads/HP-ArcSight-SD-v1.zip.

Creating the virtual machine image required for ArcSight Logger deployment
The instructions below describe how to create the virtual machine image used for ArcSight Logger deployment. The image can be created on the VMware vSphere host through VMware vCenter. The virtual machine image must include the Server Automation agent in order for application installation to succeed. The Server Automation agent installation executable file and configuration scripts must be deployed on the virtual machine prior to its use in this service design. There are two files, startagent.sh and runonce, included in HP-ArcSight-SA.zip which you will copy to the virtual machine. HP-ArcSight-SA.zip is found in the HP Server Automation Content folder in the HP-ArcSight-SD-v1.zip file you downloaded.

1. Create a base Red Hat Enterprise Linux 6.2 virtual machine from the VMware vSphere client on your ESXi host or VMware vCenter host. Include the management network connected to your SA server. If you built the VM with HP Server Automation, you can skip to step 9.
2. After the Linux installation completes and the VM boots, obtain the IP address of your virtual machine.
3. From the Server Automation Java Client, choose the Devices tab, then Servers > Unmanaged servers.
4. In the dropdown box, select Explicit IPs/Hostnames. Enter the IP address of your virtual machine and click the Scan button.
5. Right-click the discovered server and select Manage Server. Enter the username and password.
6. Under Actions, select Verify prerequisites and copy agent installer to servers. Important note: you are not going to install the agent now; you are just copying it to the /tmp folder of the virtual machine.
7. Expand the Installer Options list. Uncheck Start the Agent after installation.
8. Click OK to copy the agent files to the VM.
9. Log in to your Red Hat virtual machine. Create a directory:
   A. mkdir -p /etc/local/runonce.d/ran
10. Copy the file startagent.sh to /etc/local/runonce.d. Edit the startagent.sh file, changing the IP address to match your SA core server.
11. Change the permissions on the script:
   A. chmod +x /etc/local/runonce.d/startagent.sh
12. Copy runonce to /usr/local/bin and change the file permissions:
   A. chmod +x /usr/local/bin/runonce
13. Edit /etc/rc.d/rc.local.
14. Add a new line to the end of the file which will run the script when the server boots:
   A. /usr/local/bin/runonce
15. Save and exit the file.
16. Change the IPv4 firewall, if enabled, to allow management using Server Automation by editing the /etc/sysconfig/iptables file and adding the following entry after the line -A INPUT -i lo -j ACCEPT:
   A. -A INPUT -m state --state NEW -m tcp -p tcp --dport 1002 -j ACCEPT
17. Disable SELinux in your VM template. Edit /etc/selinux/config:
   A. Change SELINUX=enforcing to SELINUX=disabled
18. Change the networking to allow deployment of virtual machines using this VM image.
   A. Edit /etc/sysconfig/network-scripts/ifcfg-eth0 and remove the HWADDR= line.
   B. Delete /etc/udev/rules.d/70-persistent-net.rules
19. Shut down the virtual machine.
20. Convert the image to a VMware VM template. In the vSphere Client, right-click the VM and, from the Template dropdown, select Convert to Template.
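The file-level part of the procedure above (steps 9 through 18) collected into one script, so that the template edits can be rehearsed on a scratch copy of the files and then checked before the image is converted in step 20. This is an added example and is not part of the HP white paper or of HP-ArcSight-SA.zip. It takes a root directory as its argument (use / on the VM itself, as root), it assumes startagent.sh and runonce have already been copied into place from the zip, and the agent port 1002, the runonce hook and the SELinux, HWADDR and udev edits are exactly the page's own steps; the verify function is my addition as a pre-conversion check.

```shell
#!/bin/sh
# Added example (not HP's code): performs steps 9-18 of the template procedure
# underneath ROOT and verifies the result. Every edit first checks whether it
# has already been made, so re-running it on a prepared image changes nothing.

SA_AGENT_RULE='-A INPUT -m state --state NEW -m tcp -p tcp --dport 1002 -j ACCEPT'
LOOPBACK_RULE='-A INPUT -i lo -j ACCEPT'

# prepare_template_root ROOT
prepare_template_root() {
    root="$1"

    # Steps 9-12: runonce layout; mark the two hook scripts executable if present
    mkdir -p "$root/etc/local/runonce.d/ran" "$root/usr/local/bin" "$root/etc/rc.d"
    for f in "$root/etc/local/runonce.d/startagent.sh" "$root/usr/local/bin/runonce"; do
        if [ -f "$f" ]; then chmod +x "$f"; fi
    done

    # Steps 13-15: hook runonce into rc.local exactly once
    rc="$root/etc/rc.d/rc.local"
    touch "$rc"
    grep -qx '/usr/local/bin/runonce' "$rc" || printf '%s\n' '/usr/local/bin/runonce' >> "$rc"

    # Step 16: admit the SA agent port directly after the loopback ACCEPT rule
    ipt="$root/etc/sysconfig/iptables"
    if [ -f "$ipt" ] && ! grep -qF -- "$SA_AGENT_RULE" "$ipt"; then
        awk -v lo="$LOOPBACK_RULE" -v rule="$SA_AGENT_RULE" \
            '{ print } $0 == lo { print rule }' "$ipt" > "$ipt.tmp" && mv "$ipt.tmp" "$ipt"
    fi

    # Step 17: SELINUX=enforcing -> SELINUX=disabled, as the page's procedure requires
    se="$root/etc/selinux/config"
    if [ -f "$se" ]; then
        sed 's/^SELINUX=enforcing$/SELINUX=disabled/' "$se" > "$se.tmp" && mv "$se.tmp" "$se"
    fi

    # Step 18: drop the MAC binding and the persistent-net rule so clones get their own NIC
    cfg="$root/etc/sysconfig/network-scripts/ifcfg-eth0"
    if [ -f "$cfg" ]; then
        { grep -v '^HWADDR=' "$cfg" || :; } > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    fi
    rm -f "$root/etc/udev/rules.d/70-persistent-net.rules"
}

# verify_template_root ROOT - returns 0 only when every edit above is in place
verify_template_root() {
    root="$1"; ok=0
    fail() { echo "FAIL: $1" >&2; ok=1; }
    [ -d "$root/etc/local/runonce.d/ran" ] || fail "runonce 'ran' directory missing"
    [ -x "$root/etc/local/runonce.d/startagent.sh" ] || fail "startagent.sh missing or not executable"
    [ -x "$root/usr/local/bin/runonce" ] || fail "runonce missing or not executable"
    grep -qx '/usr/local/bin/runonce' "$root/etc/rc.d/rc.local" 2>/dev/null || fail "rc.local does not call runonce"
    if [ -f "$root/etc/sysconfig/iptables" ]; then
        grep -qF -- "$SA_AGENT_RULE" "$root/etc/sysconfig/iptables" || fail "iptables lacks the SA agent rule"
    fi
    grep -qx 'SELINUX=disabled' "$root/etc/selinux/config" 2>/dev/null || fail "SELinux not disabled in config"
    if grep -q '^HWADDR=' "$root/etc/sysconfig/network-scripts/ifcfg-eth0" 2>/dev/null; then
        fail "ifcfg-eth0 still pins HWADDR"
    fi
    [ ! -e "$root/etc/udev/rules.d/70-persistent-net.rules" ] || fail "persistent-net udev rule still present"
    return $ok
}

# Usage: sh prepare-template.sh /path/to/scratch/root   (or / on the VM, as root)
if [ $# -ge 1 ]; then
    prepare_template_root "$1" && verify_template_root "$1"
fi
```

Because the firewall rule is inserted immediately after the loopback rule rather than appended, it lands ahead of the default REJECT rule that a stock RHEL 6 iptables file ends with; appending it at the end would leave the agent port blocked even though the line is present, which is why the verify function is only a necessary check and the position still deserves a glance.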

Downloading the required software packages and files


Create a temporary folder on your CMS and place the following files in that folder.
- installer.properties (see Appendix A: install.properties for more information)
- ArcSight Logger install file (ArcSight-logger-5.3.1.xxxx.x.bin)
- License file (optional)

The packages listed above were used to develop and test the reference implementation. Newer versions may be available and supersede those listed here. If you are unable to obtain the listed versions, be sure that the new versions are compatible and include all the necessary dependencies. Also note that the install.properties file syntax varies between versions of ArcSight Logger. Refer to the Administrator's Guide for ArcSight Logger for the proper syntax or the steps to create the install.properties file for your version.

Importing software and creating HP Server Automation policies


HP Server Automation policies are used to deploy and configure the ArcSight Logger application. The downloaded files will now be imported into HP Server Automation and used in software policies.

Importing the packages

To import software into HP Server Automation, complete the following steps:
1. Zip the files from the previous section (ArcSight Logger installer, install.properties, and the license file, if needed) into an archive named loggersd.zip. You can do this with programs like WinZip or 7-Zip on Windows, or using the zip command on a Linux system.
2. Log in to the HP Server Automation Java Client as an administrative user. Note: You can download the Server Automation Java client from the Server Automation web client, accessible at https://<SA Core IP address>. The link to download the Java client is on the login page. Click Download Hewlett-Packard Launcher to install the application. The installer has an option to create a shortcut on your desktop. You don't need to log in to the web client.
3. Select Library from the button on the bottom left.
4. Click the By Folder tab, right-click the Library folder, then select Import Software.
5. Click Browse to the right of the File(s) field and select the zip file created in step 1. The Type field should be automatically set to ZIP Archive (.zip).
6. Change the value for Folder to /Package Repository/All Red Hat Linux/Red Hat Enterprise Linux Server 6 X86_64. Click Select.
7. Change the value for Platforms to Red Hat Enterprise Linux Server 6 X86_64. Click Import.
8. Browse to Library/Package Repository/All Red Hat Linux/Red Hat Enterprise Linux Server 6 X86_64.
9. Right-click the loggersd.zip package and select Open.
   A. In the Views tree, select Properties and set Default Install Path to /tmp.
   B. Select the Install Scripts.
   C. In the Pre-Install Script tab, enter the following information:

      useradd arcsight
      /bin/sed -i.bak 's/^127.0.0.1.*/127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4/g' /etc/hosts
      /sbin/ifconfig eth0 | grep "inet addr" | awk -F: '{print $2}' | awk '{print $1}' | xargs -I ip echo "ip $HOSTNAME" >> /etc/hosts

      i. The first line adds the arcsight user to the system. This is required because HP ArcSight Logger cannot run as root.
      ii. The second line replaces the localhost line with the proper format that the HP ArcSight Logger installer requires (a .bak copy of the original /etc/hosts is kept).
      iii. The third and last line puts the IP address of eth0 and the system's host name in the /etc/hosts file. This is required for HP ArcSight Logger to start properly. If you are using an interface other than eth0, you can change that here.
   D. In the Post-Install Script tab, enter the following information:

      /tmp/Logger/ArcSight-logger-5.3.1.6838.0.bin -i SILENT -f /tmp/Logger/installer.properties

      i. This line silently installs ArcSight Logger on the system.
10. Go to File > Save to save your changes. Close the window.

Creating the ArcSight Logger software policy

1. Right-click the Library folder and select New Software Policy.
2. Set the following values:
   A. Set Name to ArcSight Logger.
   B. Click Select and set the Location to /Package Repository/All Red Hat Linux/Red Hat Enterprise Linux Server 6 X86_64.
   C. Set the OS to Red Hat Enterprise Linux Server 6 X86_64.
3. Select Policy Items in the Views panel.
4. Click Add in the toolbar.
5. Click the Browse Folders tab.
6. Expand the Package Repository/All Red Hat Linux/Red Hat Enterprise Linux Server 6 X86_64 folder.
7. Select the following:
   i. loggersd.zip
8. Click Select.
9. On the File menu, click Save to save the ArcSight Logger software policy. Close the window.
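A re-runnable form of the Pre-Install Script entered in step 9C above. This is an added example and not HP's script: it makes the same three changes (create the arcsight user, rewrite the 127.0.0.1 line, record the eth0 address and host name in /etc/hosts), but it tolerates being applied more than once, which matters when a software policy is remediated again on a server that already has it; the page's one-liners append a fresh /etc/hosts line on every run and useradd fails once the account exists. The hosts-file rewrite takes the file path as a parameter so it can be exercised on a constructed copy; the address lookup through ip(8) with an ifconfig fallback, and the --apply flag, are my assumptions.

```shell
#!/bin/sh
# Added example (not HP's code): idempotent equivalent of the page's
# Pre-Install Script for the loggersd.zip package.

# Create the unprivileged account Logger runs under, only if it does not exist yet
ensure_arcsight_user() {
    id arcsight >/dev/null 2>&1 || useradd arcsight
}

# First IPv4 address on an interface; ip(8) where available, else the page's ifconfig pipeline
primary_ipv4() {
    if command -v ip >/dev/null 2>&1; then
        ip -4 -o addr show dev "$1" | awk '{ print $4 }' | cut -d/ -f1 | head -n 1
    else
        /sbin/ifconfig "$1" | awk -F: '/inet addr/ { print $2 }' | awk '{ print $1 }'
    fi
}

# fix_hosts_file HOSTS IP HOSTNAME
# Rewrites the 127.0.0.1 line to the form the Logger installer expects, drops any
# stale line for the same address or host name, and appends exactly one "IP HOSTNAME"
# entry. Keeps a .bak copy like the page's sed -i.bak does.
fix_hosts_file() {
    hosts="$1"; ip="$2"; name="$3"
    cp "$hosts" "$hosts.bak"
    awk -v ip="$ip" -v name="$name" '
        $1 == "127.0.0.1" {
            if (!done) { print "127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4"; done = 1 }
            next
        }
        $1 == ip || $2 == name { next }          # stale entry for this address or name
        { print }
        END {
            if (!done) print "127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4"
            print ip " " name
        }
    ' "$hosts" > "$hosts.tmp" && mv "$hosts.tmp" "$hosts"
}

# Usage (as root, on the Logger VM): sh pre-install.sh --apply [interface]   (default eth0)
if [ "${1:-}" = "--apply" ]; then
    iface="${2:-eth0}"
    ensure_arcsight_user
    addr="$(primary_ipv4 "$iface")"
    [ -n "$addr" ] || { echo "no IPv4 address found on $iface" >&2; exit 1; }
    fix_hosts_file /etc/hosts "$addr" "$(hostname)"
fi
```

Putting the hostname lookup in the script rather than relying on $HOSTNAME keeps it working under a non-interactive shell, where that variable is not always exported, and the explicit empty-address check turns a silent "  hostname" line in /etc/hosts into a failed pre-install step that Server Automation will report.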

Importing and configuring the HP ArcSight Logger vCenter Service Design


Import the SERVICE_DESIGN_VCENTER_ArcSight_Logger service design archive into HP Cloud Service Automation. The HP Cloud Service Automation Service Design folder in the distribution file contains the service design archive in the form of a zip file:
SERVICE_DESIGN_VCENTER_ArcSight_Logger.zip

To import the service design archive, complete the following steps:
1. Log on to the HP Cloud Service Automation Administrator portal using an account with administrator privileges.
2. Select the Service Design tab.
3. Click Import Service Design.
4. Browse to select SERVICE_DESIGN_VCENTER_ArcSight_Logger.zip from the distribution files.
5. Click Open to import the Service Design archive. You will need to change some of the pre-defined values to match your environment.
6. Open the VCENTER_ArcSight_Logger service design and select the Designer tab.
7. Select the ArcSight Logger Server component, and select Properties from the right side. See Table 2 for information about the properties.



Table 2. ArcSight Logger Server Properties

  Property (Value type): Description
  CUSTOMSPEC (String): VM Template Customization Specification. Customization Specifications are defined in VMware vCenter under Home > Custom Specifications Manager.
  DATACENTERNAME (String): Name of the Datacenter in VMware vCenter into which the ArcSight VM is deployed.
  MEMORYINMB (Integer): Amount of memory in MB for the VM. NOTE: For the Downloadable version of Logger, the recommended amount of memory is 4-12 GB (12 GB is recommended).
  NCPU (Integer): Number of CPUs for the VM. NOTE: For the Downloadable version of Logger, the recommended number of CPUs (cores) is 4-8.
  OSTYPE (String): Indicates the OS type being deployed. The value LINUX is pre-filled and is required.
  TEMPLATEREFERENCE (String): Name of the OS Template in VMware vCenter to use for the ArcSight Logger instance. NOTE: The VM template must have 10 GB (minimum) of free space and be Red Hat Enterprise Linux (RHEL) version 6.2 64-bit or CentOS version 6.2 64-bit.

Create and publish the service offering


A service offering must be created in HP Cloud Service Automation before subscribers can request services based on this service design. To create a service offering, complete the following steps:
1. Log on to the HP Cloud Service Automation Administrator portal using an account with administrator privileges.
2. Select the Service Offerings tab to display all available service offerings.
3. Click Create Offering in the left panel. The Create New Service Offering dialog will open.
4. Enter a name for the new HP ArcSight Logger service offering. This is the name of the offering that will be visible to the subscribers of this service.
5. Select the VCENTER_ArcSight_Logger service design and click Create.
6. After the offering is created, you can modify the pricing information, associate documents, or modify the subscriber options for this subscription and save the changes.

HP Cloud Service Automation is installed with a default global catalog named Global Shared Catalog. When you publish a service offering in this global catalog, that service offering will be visible in every organization's Cloud Subscriber Portal. To publish a service offering in the default catalog, complete the following steps:
1. Log on to the HP Cloud Service Automation Administrator portal using an account with administrator privileges.
2. Select the Service Catalogs tab.
3. Select Global Shared Catalog in the panel on the left.
4. Select Published Offerings in the central panel.
5. Click Add Offering.
6. Select the service offering you created for HP ArcSight Logger and click Select.
7. For Select Category, select the category under which this service offering should appear in the consumer portal. We suggest placing the HP ArcSight Logger service offering under Application Services.
8. Click Add.
9. Click OK on the Success message box.


Creating and using the application service


This section gives examples of how a subscriber can order the HP ArcSight Logger service using HP Cloud Service Automation. It does not give a complete list of what the subscriber can do.

Creating a subscription in HP Cloud Service Automation


You can order the HP ArcSight Logger service from the HP Cloud Service Automation Consumer Portal Catalog.
1. Enter the URL for the HP Cloud Service Automation Consumer Portal in a web browser. The default URL is https://<HP CSA Server>:8444/csp.
   A. The URL will be unique to your installation. Contact your administrator if you are not using the default HP CSA Consumer Portal.
2. Enter the following information:
   A. User Name: Your HP Cloud Service Automation Consumer Portal user name.
   B. Password: Your HP Cloud Service Automation Consumer Portal password.
3. Click Log In.
4. Select the Catalog tab. In the previous section we suggested that you publish your offerings in the Global Shared Catalog.
5. Select a catalog in the panel on the left. The offerings available in this catalog will be displayed.
6. Select the HP ArcSight Logger service and click Select.
7. Enter a name and description for the subscription. Select a start and end date for the subscription (if required).
8. Click Request Now.

The status of your subscription can be monitored on the subscriptions panel by clicking the Subscriptions tab.

Note This reference implementation uses the default HP CSA Consumer portal. If your environment is set up for a different consumer organization, please contact your administrator for the URL.

If you wish to follow the service deployment process more closely, you can do so through the various provider interfaces. The first part of the service deployment process is the creation of the virtual machine through VMware vCenter. Log in to VMware vCenter and navigate to Home > Inventory > VMs and Templates to see the virtual machine being created. You can view the progress in the Recent Tasks section of the interface, or go to Home > Management > Events to track the deployment request in progress. Once the virtual machine is deployed, you can check the progress of the service deployment process in SA Application Deployment: launch the HP Server Automation Java Client, click Tools > Application Deployment in the main menu, and select the Jobs tab in the left panel to track the progress of the application deployment job for the current service deployment.

Accessing the subscribed HP ArcSight Logger Service


The HP ArcSight Logger application is configured from a web browser interface to the application tier of your deployed service.
1. Log in to the CSA Consumer Portal at https://<HP CSA Server>:8444/csp.
2. Click the Subscriptions tab and then the View Details button for your newly deployed service.
3. Scroll down to the Server Group > Web Group and find the IP address of the deployed web server.
4. Using the web server IP address obtained in the previous step, open the following URL in a web browser: http://<web server ip address>
5. Log in with the HP ArcSight Logger default username (admin) and password (password). Change this default password at first login, before any Connectors are pointed at the instance; the deployed Logger is reachable by anyone who can route to the web server address.


Returning the resource


To conclude the subscription, we will cancel the subscription to return the resources to our pool. To cancel a subscription, complete the following steps:
1. Log in to the CSA Consumer Portal by entering the following address in a browser: https://<HP CSA Server>:8444/csp
2. Select the Subscriptions tab.
3. Locate your subscription and click the View Details button.
4. Click the red Cancel Subscription button.
5. Click Yes on the message box pop-up and then click OK.
6. The Subscription Status is updated to Cancelled and the Service Instance Status to Offline.

Note: Your cancellation time may vary depending on the hardware in your environment. You will be notified by email that the service has been cancelled.

Protecting CloudSystem Enterprise Services with HP ArcSight LAMP


In addition to protecting the HP CloudSystem Enterprise core components that are responsible for supply and delivery of cloud services, the cloud services should also be protected upon provisioning. In this section we will demonstrate how to integrate the HP ArcSight Connector installation and configuration to dynamically connect to the HP ArcSight ESM and HP ArcSight Logger.

HP LAMP solution
The HP LAMP and WordPress Reference Implementation for CloudSystem Enterprise can be enhanced to include the ArcSight Connector on the deployed physical or virtual machines. The HP ArcSight Connector for Linux can be deployed automatically using Server Automation policies. First, create the Server Automation software policy ArcSightSecurityPackages: create a temporary folder on your CMS and download the required software packages into it. The packages listed below were used to develop and test the reference implementation. Newer versions may be available and supersede those listed here. If you are unable to obtain the listed versions, be sure that the newer versions are compatible and include all the necessary dependencies. These RPM packages may already be available in a repository that you can access, on the Red Hat Enterprise Linux OS media, or from the Red Hat Network (RHN). If you do not have access to a repository, OS media, or RHN, you can manually download the individual RPM packages from several sites, including http://rpmfind.net, http://rpm.pbone.net, or http://pkgs.org/centos-6-rhel-6/centos-rhel-x86_64/. Packages obtained from third-party mirrors should have their GPG signatures verified against the Red Hat or CentOS package signing key, and their checksums recorded, before they are imported into Server Automation and pushed to every provisioned server.

glibc-2.12-1.80.el6.i686
libXau-1.0.5-1.el6.i686
libX11-1.3.2. .el6.i686
libX1-1.3.3.el6.i686
libXext-1.1.3.el6.i686
libXst-1.0.99.2-3.el6.i686
nss-softokn-freebl-3.12.9-11.el6.i686
libxcb-1.5.1.el6.i686

Also needed are the HP ArcSight Linux Connector installer and a props file for silent installation. Create a temporary folder on your CMS and place the following files in that folder:

ASLinuxAudit.props (see Appendix B: ASLinuxAudit.props for more information)
ArcSight Connector install file (./ArcSight-5.2.7.6474.0-Connector-Linux.bin)

Note The install.properties file syntax may vary between versions of the ArcSight Connector. Refer to the documentation included with your ArcSight Connector for the proper syntax or the steps to create the install.properties file for your version.


Importing software and creating HP Server Automation policies


HP Server Automation policies are used to deploy and configure MariaDB, the Apache web server, and the WordPress application. The files downloaded in the previous section will now be imported into HP Server Automation and used in software policies.

Importing the packages

To import software into HP Server Automation, complete the following steps:
1. Zip the files from the previous section (the ArcSight Connector install file and ASLinuxAudit.props) into an archive named ArcSight-5.2.7.6474.0-Connector-Linux-props.zip.
   A. You can do this with programs such as WinZip or 7-Zip on Windows, or with the zip command on a Linux system.
2. Log in to the HP Server Automation Java Client as an administrative user.
   Note: You can download the Server Automation Java Client from the Server Automation web client at https://<SA Core IP address>. The link to download the Java client is on the login page; click Download Hewlett-Packard Launcher to install the application. The installer has an option to create a shortcut on your desktop. You do not need to log in to the web client.
3. Select Library from the button on the bottom left.
4. Click the By Folder tab, right-click the Library folder, and select Import Software.
5. Click Browse to the right of the File(s) field and select all the RPM packages that were downloaded in the previous section. The Type field should be set automatically to RPM.
6. Change the value for Folder to /Package Repository/All Red Hat Linux/Red Hat Enterprise Linux Server 6 X86_64 and click Select.
7. Change the value for Platforms to Red Hat Enterprise Linux Server 6 X86_64.
8. Click Import.
9. Import the ArcSight-5.2.7.6474.0-Connector-Linux-props.zip package:
   A. Right-click Library and select Import Software.
   B. Click Browse to the right of the File(s) field and select ArcSight-5.2.7.6474.0-Connector-Linux-props.zip. The Type field should be set automatically to ZIP Archive.
   C. Change the value for Folder to /Package Repository/All Red Hat Linux/Red Hat Enterprise Linux Server 6 X86_64 and click Select.
   D. Change the value for Platforms to Red Hat Enterprise Linux Server 6 X86_64.
   E. Click Import.
10. Browse to Library/Package Repository/All Red Hat Linux/Red Hat Enterprise Linux Server 6 X86_64, right-click the ArcSight-5.2.7.6474.0-Connector-Linux-props.zip package, and select Open.
   A. In the Views tree select Properties and set Default Install Path to /tmp.
   B. Select Install Scripts.
   C. In the Pre-Install Script tab, enter the following:

      cd /tmp
      chmod +x ArcSight*.bin
      ./ArcSight-5.2.7.6474.0-Connector-Linux.bin -i silent -f /tmp/ASLinuxAudit.props
      service arc_linux_auditd start

11. Go to File > Save to save your changes. Close the window.
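The pre-install script above runs whatever installer happens to be in /tmp and continues even if the installer or the service start fails, and the RPM section earlier suggests fetching packages from third-party mirrors. The following is an added example, not HP's code or part of the white paper: a POSIX shell replacement for that pre-install script that verifies every staged file (RPMs, installer, props) against a checksum manifest recorded when the files were vetted, locks down the permissions of the response file, and fails the Server Automation job loudly instead of silently. The manifest format is that of sha256sum(1); CONNECTOR_SHA256 is a placeholder you replace with the digest of your vetted installer. The installer flags -i silent -f are the ones shown on this page; the sample installer, props file and manifest in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the white paper): hardened pre-install logic for the
# ArcSight Linux Connector package pushed by HP Server Automation.
#
# Assumptions: the installer accepts "-i silent -f <props>" as shown on this
# page; CONNECTOR_SHA256 is a placeholder that you replace with the SHA-256 of
# the installer you downloaded and vetted (sha256sum on a trusted copy).

CONNECTOR_SHA256="${CONNECTOR_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE exists and its SHA-256 equals EXPECTED_HEX, 1 otherwise.
verify_sha256() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || { echo "verify_sha256: missing file $file" >&2; return 1; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "verify_sha256: digest mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    return 0
}

# verify_manifest DIR MANIFEST
# MANIFEST holds sha256sum(1) lines ("<hex>  <name>") for every staged file
# (RPMs, installer, props). Returns 0 only if every entry matches; every
# mismatch is reported, not just the first.
verify_manifest() {
    dir="$1"
    manifest="$2"
    [ -f "$manifest" ] || { echo "verify_manifest: missing $manifest" >&2; return 1; }
    status=0
    while read -r hex name; do
        [ -n "$hex" ] || continue
        verify_sha256 "$dir/$name" "$hex" || status=1
    done < "$manifest"
    return $status
}

# install_connector DIR INSTALLER PROPS EXPECTED_HEX
# Runs in a subshell so the cd does not leak into the caller and any failure
# aborts this step without touching the rest of the SA job.
install_connector() (
    dir="$1"; bin="$2"; props="$3"; expected="$4"
    cd "$dir" || exit 1
    here=$(pwd)
    [ -f "$props" ] || { echo "install_connector: missing $props" >&2; exit 1; }
    verify_sha256 "$bin" "$expected" || exit 1
    # The response file can carry Logger/ESM destination details and
    # credentials: owner-only. The installer need not be world-executable.
    chmod 0600 "$props" || exit 1
    chmod 0700 "$bin" || exit 1
    ./"$bin" -i silent -f "$here/$props" || {
        echo "install_connector: installer exited with status $?" >&2; exit 1; }
    service arc_linux_auditd start || {
        echo "install_connector: arc_linux_auditd failed to start" >&2; exit 1; }
    exit 0
)

# Usage as the Server Automation Pre-Install Script (uncomment on the target):
#   verify_manifest /tmp /tmp/SHA256SUMS || exit 1
#   install_connector /tmp ArcSight-5.2.7.6474.0-Connector-Linux.bin \
#       ASLinuxAudit.props "$CONNECTOR_SHA256" || exit 1
```

Generate SHA256SUMS on the CMS with sha256sum over the vetted files and ship it inside the same zip as the installer and props file, so the check on the target compares against a digest that travelled through Server Automation's own package repository rather than against whatever is sitting in /tmp.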


The LAMP + WordPress reference implementation defines two Server Automation policies to deploy the required packages to the database and web servers. The Server Automation policies defined are ApacheWordPress-RHEL6 and MariaDBRHEL6. These policies are modified to include deployment of the ArcSightSecurityPackages policy as shown in Figure 2.
Figure 2. Policy Items

Including the ArcSightSecurityPackages policy in the MariaDB-RHEL6 and ApacheWordPress-RHEL6 policies automatically deploys the ArcSight SmartConnector for Linux audit logs to the database and web servers and starts forwarding events to ArcSight Logger. The linux_auditd events are visible on the summary page of the ArcSight Logger under Agent Type, and the nodes are displayed in the Configuration > Devices section of HP ArcSight Logger.

Cloud Security Alliance


The Cloud Security Alliance is a not-for-profit organization that provides guidance and education and promotes best practices for security in cloud computing. The Cloud Security Alliance's mission statement is: "To promote the use of best practices for providing security assurance within cloud computing, and provide education on the uses of cloud computing to help secure all other forms of computing." In accordance with its mission statement, the Cloud Security Alliance publishes security guidance and a cloud controls matrix to address security concerns in cloud computing. The latest versions of these documents are available on the Cloud Security Alliance website, https://cloudsecurityalliance.org/. The HP ArcSight products address several areas outlined in the security guidance document. The Cloud Security Alliance guidance document, Security Guidance for Critical Areas of Focus in Cloud Computing, defines 14 domains for operating in a cloud environment and provides recommendations on how to operate securely in those domains. Each domain addresses a specific area of concern with respect to security and cloud computing. The HP ArcSight products address areas of concern in the Cloud Security Alliance domains listed below.

Domain 5 Information Management and Data Security


5.4.1 Locations and Access
5.6.5 Database and File Activity Monitoring

Domain 6 Interoperability and Portability


6.3.2 Portability Recommendations (logging)
6.3.3 Recommendations for Different Cloud Models (log traces)


Domain 9 Incident Response


9.3.2 Detection and Analysis
9.3.3 Data Sources
9.3.4 Forensic and Other Investigative Support for Incident Analysis
9.3.5 Containment, Eradication, and Recovery

Domain 10 Application Security


10.2 Authentication, Authorization, and Compliance: Application Security Architecture in the Cloud
10.5 Monitoring Applications in the Cloud
10.5.1 Application Monitoring in the Cloud
10.6.3 Architecture Recommendations

Domain 14 Security as a Service


14.4.7 Security Information & Event Management (SIEM)
14.7.7 SIEM SecaaS Requirements
SecaaS Category 7: Security Information and Event Management Implementation Guidance, https://cloudsecurityalliance.org/research/secaas/

The Cloud Security Alliance Cloud Controls Matrix identifies and describes security controls that are applicable to cloud computing. The security controls in Table 3 can be addressed with the HP ArcSight solution.

Table 3. Security controls

IS-10  Information Security - User Access Reviews
    All levels of user access shall be reviewed by management at planned intervals and documented. For access violations identified, remediation must follow documented access control policies and procedures.

IS-24  Information Security - Incident Management
    Policies and procedures shall be established to triage security related events and ensure timely and thorough incident management.

IS-29  Information Security - Audit Tools Access
    Access to, and use of, audit tools that interact with the organization's information systems shall be appropriately segmented and restricted to prevent compromise and misuse of log data.

IS-30  Information Security - Incident Response Metrics
    Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents.

SA-14  Security Architecture - Audit Logging / Intrusion Detection
    Audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and information security events shall be retained, complying with applicable policies and regulations. Audit logs shall be reviewed at least daily and file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents. Physical and logical user access to audit logs shall be restricted to authorized personnel.

Summary
In this document we have shown how to create and deploy an HP ArcSight Logger with an HP Cloud Service Automation (CSA) Service Design to enable enhanced security and centralized logging for CloudSystem Enterprise consumers. Using HP ArcSight Logger as a SecaaS offering to create a central repository for security and event logging, organizations can attach their ArcSight Logger subscription to an HP ArcSight ESM, or to a centralized ArcSight Logger instance, to monitor and react to security related events in their cloud environments. Leveraging this CSA Service Design also provides cloud consumers with an event logging service design through which they can implement application and event logging for cloud provisioned resources. This type of security offering enables shared responsibility and ownership of SIEM solutions between the cloud consumer and the cloud provider.

Appendix A: install.properties
The install.properties file in the Server Automation package loggersd.zip is used for automated deployment of the ArcSight Logger for Linux 5.3 SP1. This file was generated by running ./ArcSight-logger-5.3.1.XXXX.0.bin -r <directory_location>, where <directory_location> is the directory in which the generated install.properties file will be placed. You will need to install Logger in GUI mode once to obtain the correct format for the silent installation. For more information refer to the Admin Guide for the software Logger. Note that the response file below selects the trial license and configures the Logger service to run as the arcsight user on port 443; review these values for your environment before using the file in an automated deployment.

# Tue Mar 26 15:42:41 CDT 2013
# Replay feature output
# ---------------------
# This file was built by the Replay feature of InstallAnywhere.
# It contains variables that were set by Panels, Consoles or Custom Code.

#Choose Install Folder
#---------------------
USER_INSTALL_DIR=/opt/ArcSight

#Select License Type
#-------------------
USER_INPUT_RESULTS=\"No, use the trial license\",\"\"
USER_INPUT_RESULTS_1=No, use the trial license
USER_INPUT_RESULTS_2=
USER_INPUT_RESULTS_BOOLEAN_1=1
USER_INPUT_RESULTS_BOOLEAN_2=0

#Install
#-------
-fileOverwrite_/opt/ArcSight/UninstallerData/Uninstall_ArcSight_Logger_5.3.lax=Yes

#User Settings
#-------------
USER_AND_PORT_1=arcsight
USER_AND_PORT_2=443
LOGGER_SERVICE_CHOICE=1

#Locale Setting
#--------------
LOCALE_RESULTS=\"English (United States)\",\"\",\"\",\"\",\"\",\"\",\"\",\"\"
LOCALE_RESULTS_1=English (United States)
LOCALE_RESULTS_2=
LOCALE_RESULTS_3=
LOCALE_RESULTS_4=
LOCALE_RESULTS_5=
LOCALE_RESULTS_6=
LOCALE_RESULTS_7=
LOCALE_RESULTS_8=
LOCALE_RESULTS_BOOLEAN_1=1
LOCALE_RESULTS_BOOLEAN_2=0
LOCALE_RESULTS_BOOLEAN_3=0
LOCALE_RESULTS_BOOLEAN_4=0
LOCALE_RESULTS_BOOLEAN_5=0
LOCALE_RESULTS_BOOLEAN_6=0
LOCALE_RESULTS_BOOLEAN_7=0
LOCALE_RESULTS_BOOLEAN_8=0

Appendix B: ASLinuxAudit.props
The response file ASLinuxAudit.props was created by manually deploying the ArcSight SmartConnector for Linux, issuing the command runagentsetup.sh -i recorderui, and specifying a response file name.


For more information


Learn more at hpenterprisesecurity.com/products

To read more about CloudSystem Enterprise, go to hp.com/go/cloudsystementerprise

Understanding the HP CloudSystem reference architecture: http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA3-4548ENW

For more information about the Cloud Security Alliance: https://cloudsecurityalliance.org/

HP software product manuals and documentation for the following products can be found at http://h20230.www2.hp.com/selfsolve/manuals. You will need an HP Passport to sign in and gain access.

HP Cloud Service Automation
HP Server Automation
HP Operations Orchestration
HP SiteScope

To help us improve our documents, please provide feedback at hp.com/solutions/feedback.

Sign up for updates hp.com/go/getupdated


Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. Intel and Xeon are trademarks of Intel Corporation in the U.S. and other countries. Oracle and Java are registered trademarks of Oracle and/or its affiliates. 4AA4-7746ENW, July 2013
