HP CloudSystem Enterprise
Service Design for HP ArcSight Logger
Table of contents
Executive summary (p. 3)
HP CloudSystem Enterprise overview (p. 3)
    HP CloudSystem Enterprise supply layer (p. 3)
    HP CloudSystem Enterprise demand and delivery: HP Cloud Service Automation (p. 4)
    HP CloudSystem Enterprise components (p. 4)
HP ArcSight overview (p. 5)
    Enterprise Security Manager (p. 5)
    HP ArcSight Logger (p. 5)
    HP ArcSight Connectors (p. 5)
Overview: HP security solution for CloudSystem (p. 6)
    Background assumptions (p. 6)
    HP Cloud Server Automation and VMware vSphere (p. 6)
    Configuration process steps (p. 7)
    Storage and server requirements (p. 7)
Configuring HP CloudSystem Enterprise (p. 8)
    Creating the virtual machine image required for ArcSight Logger deployment (p. 8)
    Downloading the required software packages and files (p. 9)
    Importing software and creating HP Server Automation policies (p. 9)
    Importing and configuring the HP ArcSight Logger vCenter Service Design (p. 10)
    Create and publish the service offering (p. 11)
Creating and using the application service (p. 12)
    Creating a subscription in HP Cloud Service Automation (p. 12)
    Accessing the subscribed HP ArcSight Logger Service (p. 12)
    Returning the resource (p. 13)
Protecting CloudSystem Enterprise Services with HP ArcSight LAMP (p. 13)
    HP LAMP solution (p. 13)
    Importing software and creating HP Server Automation policies (p. 14)
Cloud Security Alliance (p. 15)
    Domain 5 Information Management and Data Security (p. 15)
    Domain 6 Interoperability and Portability (p. 15)
    Domain 9 Incident Response (p. 16)
    Domain 10 Application Security (p. 16)
    Domain 14 Security as a Service (p. 16)
Summary (p. 16)
Appendix A: install.properties (p. 17)
Appendix B: ASLinuxAudit.props (p. 17)
For more information (p. 18)
Executive summary
Organizations are faced with threats that could disrupt operations and critical IT services. HP CloudSystem Enterprise provides automation to rapidly deliver compute resources to cloud consumers. Security must be a key component to ensure availability of the components that deliver and provision cloud-based services. This document describes how to configure a Cloud Service Automation Service Design leveraging HP Operations Orchestration, Server Automation, and VMware vSphere to deploy ArcSight Logger into your private cloud subscriptions. This document also explains how to configure and protect services provisioned by HP CloudSystem Enterprise so that they leverage your deployed HP ArcSight Logger instances. This paper also addresses how the HP ArcSight Logger service design covers a number of domains defined by the Cloud Security Alliance.

Target audience: The intended audience of this white paper is system integrators, installers, and administrators of HP CloudSystem Enterprise. The reader should be familiar with CloudSystem Enterprise and HP CloudSystem Matrix.
HP ArcSight overview
Enterprise Security Manager
HP ArcSight Enterprise Security Manager (ESM) is the premier security event manager. It analyzes and correlates every operational event (login, logoff, file access, database query) or other event to support your IT team in every aspect of security event monitoring, from compliance and risk management to security intelligence and operations. The ArcSight ESM event log monitor sifts through millions of log records to find the targeted critical events and presents them in real time via dashboards, notifications, and reports, so you can accurately prioritize security risks and compliance violations. By adding HP Reputation Security Monitor (RepSM), vetted reputation-based threat intelligence can be correlated with security events to identify threats earlier and to detect and avert even the most sophisticated attacks.

Key benefits:
- A cost-effective solution for all your regulatory compliance needs
- Automated log collection and archiving
- Fraud and real-time threat detection
- Forensic analysis capabilities for cyber security
- Detect threats early using timely reputation data with HP RepSM
HP ArcSight Logger
With HP ArcSight Logger you can improve everything from compliance and risk management, security intelligence and IT operations to efforts that prevent insider and advanced persistent threats. This universal log management solution collects machine data from any log-generating source and unifies the data for searching, indexing, reporting, analysis, and retention. And in the age of Bring Your Own Device (BYOD) and mobility, it enables you to comprehensively manage an increasing volume of log data from an increasing number of sources.

Key features:
- Collect logs from any log-generating source through 300+ connectors, from any device and in any format
- Unify data across IT through normalization and categorization into a common event format (CEF registered)
- Search through millions of events using a text-based search tool with a simple interface
- Store years' worth of logs and events in a unified format through a high compression ratio at low cost
- Automate analysis, alerting, reporting and intelligence of logs and events for IT security, IT operations, IT Governance Risk
HP ArcSight Connectors
HP ArcSight Connectors solve the problem of managing log records in hundreds of different formats. While the HP ArcSight Security Information & Event Management (SIEM) Platform can collect log records in native formats, HP ArcSight Connectors provide normalization to a common format, which greatly improves reporting and analysis. By normalizing all events into one common event taxonomy, HP ArcSight Connectors decouple analysis from vendor selection. This approach has four significant advantages:

- Centrally manage 300+ connectors through HP ArcSight Connector Appliance (ConApp). The HP ArcSight Connector Appliance manages the ongoing updates, upgrades, configuration changes and administration of a distributed log collection deployment through a simple and centralized web-based interface. ConApp can be deployed both as an appliance and as software.
- Future proofing. If a Cisco router is swapped for an HP Networking router, or if a new SQL database or Hadoop solution is added to a network that previously only had Oracle, no reporting or rules changes are required and the organization retains continuous visibility into all activity.
- Ease of analysis. The HP ArcSight common event format eliminates the need for end users to be familiar with hundreds of different log syntaxes across products. As a result, non-technical line-of-business users can easily conduct analysis on their own, reducing the burden on IT.
- Universal content relevance. With the HP ArcSight normalized format, a report that shows authentication failures will cover every system automatically, even though one application may refer to authentication failures with a specific event ID while a database refers to the same as an unsuccessful login. This unique architecture is supported across hundreds of commercial products out-of-the-box as well as legacy systems.

HP ArcSight Connectors also offer various audit quality controls including secure, reliable transmission and bandwidth controls. In addition to software-based deployments, HP ArcSight Connectors are available in a range of plug-and-play appliances that can cost-effectively scale from small store or branch office locations to large data centers. Connector appliances enable rapid deployment and eliminate delays associated with hardware selection, procurement and testing.
Background assumptions
This reference implementation requires that the HP CloudSystem Enterprise environment is already installed, configured, and functioning correctly. Each component must be verified to work individually, and as a complete HP CloudSystem Enterprise environment. The major components include the following:
- HP CloudSystem
- HP Cloud Service Automation (CSA)
- HP Matrix Operating Environment (Matrix OE)
- HP Operations Orchestration (OO)
- HP Server Automation (SA)
Pointers to the documentation for installing, configuring, and verifying these components and their interoperability may be found in the For more information section.
After these steps are complete, the application will be available for business users to automatically deploy using the CSA Consumer portal. A final step is also included that will decommission the service and return the resources to the HP CloudSystem Enterprise environment.
For the Downloadable Version
- CPU: 1 or 2 x Intel Xeon Quad Core or equivalent
- Memory: 4-12 GB (12 GB is recommended)
- Disk space: 10 GB (minimum)

For the Enterprise Version
- CPU: 2 x Intel Xeon Quad Core or equivalent
- Memory: 12-24 GB (24 GB is recommended)
- Disk space: 65 GB (minimum)

NOTES:
- The disk space needs to be on the partition where you will install the Logger software.
- Using NFS as primary storage for events on the software Logger is not recommended.
- Make sure no other applications are running on the system on which you install Logger.
Creating the virtual machine image required for ArcSight Logger deployment
The instructions below describe how to create the virtual machine image used for ArcSight Logger deployment. The image can be created on the VMware vSphere host through VMware vCenter. The virtual machine image must include the Server Automation agent in order for application installation to succeed. The Server Automation agent installation executable file and configuration scripts must be deployed on the virtual machine prior to its use in this service design. There are two files, startagent.sh and runonce, included in HP-ArcSight-SA.zip which you will copy to the virtual machine. HP-ArcSight-SA.zip is found in the HP Server Automation Content folder in the HP-ArcSight-SD-v1.zip file you downloaded.

1. Create a base Red Hat Enterprise Linux 6.2 virtual machine from the VMware vSphere client on your ESXi host or VMware vCenter host. Include the management network connected to your SA server. If you built the VM with HP Server Automation, you can skip to step 9.
2. After the Linux installation completes and the VM boots, obtain the IP address of your virtual machine.
3. From the Server Automation Java Client, choose the Devices tab, then Servers > Unmanaged Servers.
4. In the dropdown box, select Explicit IPs/Hostnames. Enter the IP address of your virtual machine and click the Scan button.
5. Right-click the discovered server and select Manage Server.
6. Enter the username and password.
7. Under Actions, select Verify prerequisites and copy agent installer to servers. Important Note: you are not installing the agent now. You are only copying it to the /tmp folder on the virtual machine.
8. Expand the Installer Options list. Uncheck Start the Agent after installation. Click OK to copy the agent files to the VM.
9. Log in to your Red Hat virtual machine and create a directory:
   A. mkdir -p /etc/local/runonce.d/ran
10. Copy the file startagent.sh to /etc/local/runonce.d. Edit the startagent.sh file, changing the IP address to match your SA core server.
11. Change the permissions on the script:
   A. chmod +x /etc/local/runonce.d/startagent.sh
12. Copy runonce to /usr/local/bin and change the file permissions:
   A. chmod +x /usr/local/bin/runonce
13. Edit /etc/rc.d/rc.local.
14. Add a new line to the end of the file so that the script runs when the server boots:
   A. /usr/local/bin/runonce
15. Save and exit the file.
16. If the IPv4 firewall is enabled, change it to allow management using Server Automation: edit /etc/sysconfig/iptables and add the following entry after the line -A INPUT -i lo -j ACCEPT:
   A. -A INPUT -m state --state NEW -m tcp -p tcp --dport 1002 -j ACCEPT
17. Disable SELinux in your VM template. Edit /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled.
18. Change the networking to allow deployment of virtual machines using this VM image:
   A. Edit /etc/sysconfig/network-scripts/ifcfg-eth0 and remove the HWADDR= line.
   B. Delete /etc/udev/rules.d/70-persistent-net.rules.
19. Shut down the virtual machine.
20. Convert the image to a VMware VM template: in the vSphere Client, right-click the VM and, from the Template dropdown, select Convert to Template.
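The first-boot hook that steps 9 through 14 wire into rc.local, as an added example that is not the runonce script shipped in HP-ArcSight-SA.zip: it assumes the same layout (one-shot scripts in /etc/local/runonce.d, completed ones moved into its ran/ subdirectory) and runs each executable once, so a VM cloned from the template starts the SA agent only on its first boot; a script that fails is left in place and retried on the next boot instead of being lost.

```shell
#!/bin/sh
# First-boot hook for the VM template: an assumed implementation of the
# runonce mechanism described in the steps above (example code, not the
# runonce script shipped in HP-ArcSight-SA.zip). /etc/rc.d/rc.local calls
# run_once_dir at every boot; each executable file in the runonce.d directory
# is executed once and then moved into its ran/ subdirectory, so a VM cloned
# from the template runs startagent.sh only on its first boot.

# Directory from the build steps above; overridable so the function can be
# exercised against a scratch directory.
RUNONCE_DIR="${RUNONCE_DIR:-/etc/local/runonce.d}"

# run_once_dir [DIR]: run every executable regular file in DIR exactly once.
# Returns 0 when every script succeeded and 1 when at least one failed.
# A script that succeeds is moved into DIR/ran with a timestamp suffix, which
# leaves an audit trail of what ran on this instance; a script that fails is
# left in place so it is retried on the next boot rather than silently lost.
run_once_dir() {
    dir="${1:-$RUNONCE_DIR}"
    ran="$dir/ran"
    status=0
    mkdir -p "$ran"
    for script in "$dir"/*; do
        # Skip the ran/ subdirectory and anything that is not executable.
        [ -f "$script" ] && [ -x "$script" ] || continue
        name=$(basename "$script")
        if "$script"; then
            mv "$script" "$ran/$name.$(date +%Y%m%d%H%M%S)"
        else
            rc=$?
            echo "runonce: $name failed (exit $rc); will retry next boot" >&2
            status=1
        fi
    done
    return "$status"
}
```

When rc.local invokes run_once_dir with no argument it processes /etc/local/runonce.d, so startagent.sh is run once and then found under ran/ for later inspection.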
The packages listed above were used to develop and test the reference implementation. Newer versions may be available and supersede those listed here. If you are unable to obtain the listed versions, make sure that the newer versions are compatible and include all the necessary dependencies. Also note that the install.properties file syntax varies between versions of ArcSight Logger. Refer to the ArcSight Logger Administrator's Guide for the proper syntax, or for the steps to create the install.properties file for your version.
   i. The first line adds the arcsight user to the system. This is required because HP ArcSight Logger cannot run as root.
   ii. The second line replaces the localhost line with the format that the HP ArcSight Logger installer requires.
   iii. The third and last line puts the IP address of eth0 and the system's host name in the /etc/hosts file. This is required for HP ArcSight Logger to start properly. If you are using an interface other than eth0, you can change that here.
D. In the Post-Install Script tab, enter the following information:
   /tmp/Logger/ArcSight-logger-5.3.1.6838.0.bin -i SILENT -f /tmp/Logger/installer.properties
   i. This line silently installs ArcSight Logger on the system.
10. Go to File > Save to save your changes. Close the window.

Creating the ArcSight Logger software policy
1. Right-click the Library folder and select New Software Policy.
2. Set the following values:
   A. Set Name to ArcSight Logger.
   B. Click Select and set the Location to /Package Repository/All Red Hat Linux/Red Hat Enterprise Linux Server 6 X86_64.
   C. Set the OS to Red Hat Enterprise Linux Server 6 X86_64.
3. Select Policy Items in the Views panel.
4. Click Add in the toolbar.
5. Click on the Browse Folders tab.
6. Expand the Package Repository/All Red Hat Linux/Red Hat Enterprise Linux Server 6 X86_64 folder.
7. Select the following:
   i. loggersd.zip
8. Click Select.
9. On the File menu, click Save to save the ArcSight Logger software policy. Close the window.
To import the service design archive, complete the following steps:
1. Log on to the HP Cloud Service Automation Administrator portal using an account with administrator privileges.
2. Select the Service Design tab.
3. Click Import Service Design.
4. Browse to select SERVICE_DESIGN_VCENTER_ArcSight_Logger.zip from the distribution files.
5. Click Open to import the Service Design archive. You will need to change some of the pre-defined values to match your environment.
6. Open the VCENTER_ArcSight_Logger service design and select the Designer tab.
7. Select the ArcSight Logger Server component, and select Properties from the right side. See Table 2 for information about the properties.
Table 2. ArcSight Logger Server Properties (property, value type, description)

CUSTOMSPEC (String): VM template customization specification. Customization specifications are defined in VMware vCenter under Home > Custom Specifications Manager.
DATACENTERNAME (String): Name of the datacenter in VMware vCenter to deploy the ArcSight VM into.
MEMORYINMB (Integer): Amount of memory in MB for the VM. NOTE: for the Downloadable version of Logger, the recommended amount of memory is 4-12 GB (12 GB is recommended).
NCPU (Integer): Number of CPUs for the VM. NOTE: for the Downloadable version of Logger, the recommended number of CPUs (cores) is 4-8.
OSTYPE (String): Indicates the OS type being deployed. The value LINUX is pre-filled and is required.
TEMPLATEREFERENCE (String): Name of the OS template in VMware vCenter to use for the ArcSight Logger instance. NOTE: the VM template must have 10 GB (minimum) of free space and be Red Hat Enterprise Linux (RHEL) 6.2 64-bit or CentOS 6.2 64-bit.
HP Cloud Service Automation is installed with a default global catalog named Global Shared Catalog. When you publish a service offering in this global catalog, that service offering is visible in every organization's Cloud Subscriber Portal. To publish a service offering in the default catalog, complete the following steps:
7. Log on to the HP Cloud Service Automation Administrator portal using an account with administrator privileges.
8. Select the Service Catalogs tab.
9. Select Global Shared Catalog in the panel on the left.
10. Select Published Offerings in the central panel.
11. Click Add Offering.
12. Select the service offering you created for HP ArcSight Logger and click Select.
13. For Select Category, select the category under which this service offering should appear in the consumer portal. The suggestion is to put the HP ArcSight Logger service offering under Application Services.
14. Click Add.
15. Click OK on the Success message box.
The status of your subscription can be monitored on the subscriptions panel, by clicking Subscriptions on the tab.
Note This reference implementation uses the default HP CSA Consumer portal. If your environment is set up for a different consumer organization, please contact your administrator for the URL.
If you wish to follow the service deployment process more closely, you can do so through the various provider interfaces. The first part of the service deployment process is the creation of the virtual machine through VMware vCenter. Log in to VMware vCenter and navigate to Home > Inventory > VMs and Templates to see the virtual machine being created. You can view the progress in the Recent Tasks section of the interface, or go to Home > Management > Events to track the deployment request in progress. Once the virtual machine is deployed, you can check the progress of the service deployment in SA Application Deployment: launch the HP Server Automation Java Client, click Tools > Application Deployment in the main menu, and select the Jobs tab in the left panel to track the application deployment job for the current service deployment.
Note: Your cancellation time may vary depending on the hardware in your environment. You will be notified by email that the service has been cancelled.
HP LAMP solution
The HP LAMP and WordPress Reference Implementation for CloudSystem Enterprise can be enhanced to include the ArcSight Connector on the deployed physical or virtual machines. The HP ArcSight Connector for Linux can be deployed automatically using Server Automation policies. First, create the Server Automation software policy ArcSightSecurityPackages by creating a temporary folder on your CMS and downloading the required software packages. The packages listed below were used to develop and test the reference implementation. Newer versions may be available and supersede those listed here. If you are unable to obtain the listed versions, make sure that the newer versions are compatible and include all the necessary dependencies. These RPM packages may already be installed on a repository that you can access, be part of the Red Hat Enterprise Linux OS media, or be available to you from the Red Hat Network (RHN). If you do not have access to a repository, OS media, or RHN, you can manually download the individual RPM packages from several sites, including: http://rpmfind.net, http://rpm.pbone.net, or http://pkgs.org/centos-6-rhel-6/centos-rhel-x86_64/.
- glibc-2.12-1.80.el6.i686
- libXau-1.0.5-1.el6.i686
- libX11-1.3.2. .el6.i686
- libX1-1.3.3.el6.i686
- libXext-1.1.3.el6.i686
- libXst-1.0.99.2-3.el6.i686
- nss-softokn-freebl-3.12.9-11.el6.i686
- libxcb-1.5.1.el6.i686
Also needed is the HP ArcSight Linux Connector and a props file for silent installation. Create a temporary folder on your CMS and place the following files in that folder.
- ASLinuxAudit.props (see Appendix B: ASLinuxAudit.props for more information)
- ArcSight Connector install file (./ArcSight-5.2.7.6474.0-Connector-Linux.bin)
Note The install.properties file syntax may vary between versions of the ArcSight Connector. Refer to the documentation included with your ArcSight Connector for the proper syntax or the steps to create the install.properties file for your version.
Browse to Library/Package Repository/All Red Hat Linux/Red Hat Enterprise Linux Server 6 X86_64.
   A. In the Views tree select Properties and set Default Install Path to /tmp.
   B. Select the Install Scripts.
   C. In the Pre-Install Script tab, enter the following information:
      cd /tmp
      chmod +x ArcSight*.bin
      ./ArcSight-5.2.7.6474.0-Connector-Linux.bin -i silent -f /tmp/ASLinuxAudit.props
      service arc_linux_auditd start
11. Go to File > Save to save your changes. Close the window.
The LAMP + WordPress reference implementation defines two Server Automation policies to deploy the required packages to the database and web servers. The Server Automation policies defined are ApacheWordPress-RHEL6 and MariaDB-RHEL6. These policies are modified to include deployment of the ArcSightSecurityPackages policy as shown in Figure 2.
Figure 2. Policy Items
Including the ArcSightSecurityPackages policy in the MariaDB-RHEL6 and ApacheWordPress-RHEL6 policies automatically deploys the ArcSight Smart Connector for Linux audit logging to the database and web servers and starts logging events to ArcSight Logger. The linux_auditd events are visible from the summary page of ArcSight Logger under Agent Type, and the nodes are displayed in the Configuration > Devices section of HP ArcSight Logger.
Summary
In this document we have shown how to create and deploy an HP ArcSight Logger with an HP Cloud Service Automation (CSA) Service Design to enable enhanced security and centralized logging for CloudSystem Enterprise consumers. Using HP ArcSight Logger as a SecaaS offering to create a central repository for security and event logging, organizations can attach their ArcSight Logger subscription to an HP ArcSight ESM, or to a centralized ArcSight Logger instance, to monitor and react to security-related events in their cloud environments. Leveraging this CSA Service Design also gives cloud consumers an event logging service design with which they can implement application and event logging of cloud-provisioned resources. This type of security offering enables shared responsibility and ownership of SIEM solutions between the cloud consumer and the cloud provider.
Appendix A: install.properties
The install.properties file in the Server Automation package loggersd.zip is used for automated deployment of ArcSight Logger 5.3 SP1 for Linux. This file was generated by running ./ArcSight-logger-5.3.1.XXXX.0.bin -r <directory_location>, where <directory_location> is the directory in which the generated install.properties file will be placed. You will need to install Logger in GUI mode to get the correct format for the silent installation. For more information refer to the Admin Guide for the software Logger.

#
# Tue Mar 26 15:42:41 CDT 2013
# Replay feature output
# ---------------------
# This file was built by the Replay feature of InstallAnywhere.
# It contains variables that were set by Panels, Consoles or Custom Code.

#Choose Install Folder
#---------------------
USER_INSTALL_DIR=/opt/ArcSight

#Select License Type
#-------------------
USER_INPUT_RESULTS=\"No, use the trial license\",\"\"
USER_INPUT_RESULTS_1=No, use the trial license
USER_INPUT_RESULTS_2=
USER_INPUT_RESULTS_BOOLEAN_1=1
USER_INPUT_RESULTS_BOOLEAN_2=0

#Install
#-------
fileOverwrite_/opt/ArcSight/UninstallerData/Uninstall_ArcSight_Logger_5.3.lax=Yes

#User Settings
#-------------
USER_AND_PORT_1=arcsight
USER_AND_PORT_2=443
LOGGER_SERVICE_CHOICE=1

#Locale Setting
#--------------
LOCALE_RESULTS=\"English (United States)\",\"\",\"\",\"\",\"\",\"\",\"\",\"\"
LOCALE_RESULTS_1=English (United States)
LOCALE_RESULTS_2=
LOCALE_RESULTS_3=
LOCALE_RESULTS_4=
LOCALE_RESULTS_5=
LOCALE_RESULTS_6=
LOCALE_RESULTS_7=
LOCALE_RESULTS_8=
LOCALE_RESULTS_BOOLEAN_1=1
LOCALE_RESULTS_BOOLEAN_2=0
LOCALE_RESULTS_BOOLEAN_3=0
LOCALE_RESULTS_BOOLEAN_4=0
LOCALE_RESULTS_BOOLEAN_5=0
LOCALE_RESULTS_BOOLEAN_6=0
LOCALE_RESULTS_BOOLEAN_7=0
LOCALE_RESULTS_BOOLEAN_8=0
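An added pre-flight check for a response file in this format before it is handed to the silent installer (example code, not part of the HP package or of InstallAnywhere). It assumes USER_AND_PORT_1 is the non-root account Logger runs as and USER_AND_PORT_2 its listener port, as the sample values arcsight and 443 suggest, and rejects a file that would install as root (Logger cannot run as root), on an invalid port, or into a relative directory.

```shell
#!/bin/sh
# Pre-flight check for an InstallAnywhere response file like the
# install.properties shown above (example code, not part of the HP package
# or the installer). Assumptions: USER_AND_PORT_1 is the non-root account
# Logger runs as and USER_AND_PORT_2 its listener port, as the sample values
# arcsight and 443 suggest.

# props_get FILE KEY: print the value of KEY (first non-comment match, taken
# verbatim, so escaped quotes such as \"...\" are left untouched); exit 1 if
# the key is absent.
props_get() {
    awk -v key="$2" -F= '
        /^#/ { next }                         # comment and "#----" lines
        $1 == key { sub("^[^=]*=", ""); print; found = 1; exit }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# check_logger_props FILE: return 0 when the response file is safe to feed to
# "-i SILENT -f FILE", 1 otherwise; each problem is reported on stderr.
check_logger_props() {
    f="$1"
    ok=0
    if dir=$(props_get "$f" USER_INSTALL_DIR); then
        case "$dir" in
            /*) ;;
            *) echo "USER_INSTALL_DIR must be an absolute path: '$dir'" >&2; ok=1 ;;
        esac
    else
        echo "USER_INSTALL_DIR is missing" >&2; ok=1
    fi
    # Logger cannot run as root, so the install must name a dedicated account.
    user=$(props_get "$f" USER_AND_PORT_1) || user=""
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "USER_AND_PORT_1 must be a dedicated non-root user (got '$user')" >&2; ok=1
    fi
    port=$(props_get "$f" USER_AND_PORT_2) || port=""
    case "$port" in
        ''|*[!0-9]*) echo "USER_AND_PORT_2 is not a port number (got '$port')" >&2; ok=1 ;;
        *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
               { echo "USER_AND_PORT_2 out of range: $port" >&2; ok=1; } ;;
    esac
    return "$ok"
}
```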
Appendix B: ASLinuxAudit.props
The response file ASLinuxAudit.props was created by manually deploying the ArcSight Smart Connector for Linux and issuing the command runagentsetup.sh -i recorderui, specifying a response file name.