InTrust 11.6 - Auditing Guide

Task-Based Auditing Overview

InTrust provides two toolsets for auditing:

• The newer real-time gathering, which is configured in the InTrust Deployment Manager console
• The older scheduled task-based workflow with specialized jobs, which is configured in the InTrust Manager console

This set of topics describes the scheduled task-based method. For details on the newer toolset, see the Collecting Events in Real Time topic.

Note the following important specifics of the two gathering methods:

• The repositories you use for real-time gathering should never be used by gathering jobs, and the other way around.
• Real-time gathering always uses InTrust agents.
• Real-time gathering uses only indexed repositories.
• The workflows differ only in the gathering part. All operations that follow gathering (such as repository consolidation, data import, reporting and event analysis in Repository Viewer) are similar no matter which of the two gathering methods you use.

For more details about tasks and jobs, see Understanding Jobs and Tasks.

Understanding Jobs and Tasks

InTrust offers you a smooth, automated audit data gathering workflow based on scheduled tasks, which are sequences of jobs. Jobs process audit data, perform notification, or run applications. A task not only provides a container for jobs, but also ensures automated job execution—on schedule and in the specified order. InTrust’s predefined tasks are available in InTrust Manager under Workflow | Tasks.

To collect event data from site computers into a repository and/or database using a gathering job, do the following:

• Assign a gathering policy to a site.
  A gathering policy specifies what audit trails to collect from site computers (for example, Windows Security Log), and what filters to apply to this data (for example, you can include only the events from domain controllers, and cut off events older than one month).
• Specify the repository and/or audit database where the collected data will be stored.
  Repositories are long-term file system-based storages, and use a special compressed format to store audit data.
  Audit databases are used to store data for reporting purposes, because reporting cannot use repository data. It is recommended you keep databases lean and ensure that they store current and useful audit data.

• Specify whether to use agents for data collection.
  At the scheduled time, if gathering is configured to use agents, an agent starts collecting data on the target computer and performs the following operations locally:
  • Analyzes what portion of the audit trail should be processed
  • Extracts the necessary data
  • Screens out irrelevant events (when filters are applied)
  • Compresses the data
  • Encrypts the data, if necessary
  • Sends the data to the server

When a data collection session is over, the collection stops automatically.

Generally, audit data is collected into a repository, and then an import job places it into the audit database, applying import policies which prescribe what portions of data must be imported. Then a reporting job is launched to generate the necessary reports on collected data.

Jobs that work with audit data (meaning gathering, consolidation, and import jobs) involve the following:

1. InTrust sites to determine from what computers audit data is gathered by gathering jobs
2. Gathering, consolidation and import policies to determine what audit data must be processed

Sites are discussed in the InTrust Sites topic.

The recommended auditing and reporting workflow is to gather audit data to a repository for storage, import only the necessary bits to the audit database for reporting, and clean up the audit database when the data is no longer needed.

To create, delete and modify audit databases and repositories, use the Configuration | Data Stores node in the InTrust Manager treeview.

Creating Tasks and Jobs

A task consists of one or more jobs. Jobs in a task can be configured to run simultaneously or one after another.

To create a task

1. In InTrust Manager, right-click Workflow | Tasks and select New Task to start the New Task Wizard.
2. Follow the wizard, supplying the task settings:
   1. Enter the task name and description
   2. On the next step, click Modify and specify the task schedule. Then select the Schedule enabled check box.
   3. By default, the task will run under the server account; to specify another account, click Set Account.
3. On the last step, you can select the Create a job in this task check box—the New Job Wizard will be started automatically (see the procedure below for details about creating jobs)

To create a job within a task

1. Right–click the task and select New Job to start the New Job Wizard. Alternatively, select the task, then click and drag the cursor on the right pane.
2. After you finish the wizard, you can specify the account to be used when running the job. In the job’s properties dialog box, you have two options as to what account to use:
   • The task account
   • Another account that you specify

Note that the job account must have access permissions on the repository and/or audit database.

If an account that will be used to work with the repository and/or database is specified in the repository/database properties, make sure it has been granted sufficient permissions for connection.

For details on required permissions, refer to System Requirements.

Organizing Tasks

To reduce clutter in the treeview and group your tasks logically, you can put them in containers like files in folders. Task folders are created under the Workflow | Tasks node and can be nested.

To create a task folder, right-click Workflow | Tasks or an existing task folder and select New Folder. You can paste cut or copied tasks from other task folders if necessary.

Running or Stopping Tasks and Jobs

To run a task or a job, right–click this task or job and select Run.

To stop a running task or job, double-click Workflow | Sessions, right–click the task or job session and select Stop.

Creating a Job Sequence

To instruct InTrust task execute one job after another, you need to create a job sequence by linking these jobs. You can do it graphically or using the Dependencies dialog box:

• In graphical mode, do one of the following:
  • Click a job in the task map (on the right pane of InTrust Manager) and drag the cursor to the job you want to run next.
  • Click a job and drag the cursor to a blank area to create a new successor job.
• Use the Dependencies dialog box to select predecessor and successor jobs for existing jobs. To open the dialog box, right–click a job and select Dependencies.

You can select a job from the list of available ones; to run it after your job, put it in the Child jobs list; to run it before your job, put it in Parents. If necessary, specify a deadline (see the Tuning Jobs topic for details).

Understanding Policies

In terms of InTrust, gathering audit data means applying a policy to InTrust sites. You bind a policy to a site by creating and scheduling a task that contains corresponding jobs.

A policy is a collection of settings that defines what audit data to process, specifying data sources and filters:

• Data sources represent the audit trails from which audit data is retrieved (for example, Windows System log)
• Data filters applied to data sources specify events to be included or filtered out
• Object filters applied to entire gathering policies specify the site objects to be processed (for example, domain controllers)

So, you can configure a policy intended for collecting System logs from all domain controllers, or for collecting Security logs from the IIS servers, or any other policy you need.

Using policies spares you the effort of specifying logs and events every time you prepare for an audit data collection. Policies enable you to create a selection for a particular purpose once and for all, and to use it with all related jobs. Policies are easily editable, so you can copy any of them and make any necessary changes to the duplicate.

As described above, the gathering mechanism is used when InTrust does the following:

• Gathers data from a live network to a repository and/or audit database (gathering job)
• Consolidates data between repositories (consolidation job)
• Imports data from a repository to an audit database (import job)

For each of these operations there is a separate type of policy:

• Gathering policy
• Consolidation policy
• Import policy

These types are very similar functionally, and they are configured uniformly. The examples below involve gathering policies; you can work with other policies in a similar way.

Creating or Editing a Policy

Policies are created separately for each network environment (for example, Microsoft Windows Network).

To create a policy

1. Double-click InTrust Manager | Gathering | Gathering Policies in the left–pane tree view.
2. Right–click the environment for which you want to create the policy (for example, Microsoft Windows Network).
3. Select New Policy to start the New Policy Wizard.
4. Specify the name and optional description for the policy.
5. Add the data sources this policy will prescribe to process.
6. For each data source, specify gathering settings: what events to ignore, whether to clear log after gathering, and others. For details on data source configuration, see the Configuring Data Sources topic.
7. Configure a filter for the objects to which the policy is applied. For detailed instructions on using object filters, see ???Using FIlters.

To edit a policy

1. Right–click that policy and select Properties.
2. To edit policy name and description, open the General tab.
3. To configure a filter for the objects (computers) to which the policy is applied, use the Filter tab.
4. To add a new data source to the policy, right–click the policy and select Add Data Source from the shortcut menu to start the Add Data Source Wizard.

Configuring Data Sources

Data sources enable you to precisely select events that you need to process. Some data sources are used by gathering and monitoring processes, some provide data only for gathering, and others are monitoring-only. To see all available data sources, select Configuration | Data Sources. Right–click a data source to view its properties, including:

• Type of the data source, for example, Microsoft Windows Events, or Database Events, etc.
• Options specific to that particular data source

You can create a new data source by selecting the corresponding command from the Data Sources node’s shortcut menu. Follow the wizard to specify the data source properties.

Handling Descriptions of Windows Events

There is an important set of options specific to the data sources of the Microsoft Windows Events type: you can select what libraries to use when retrieving standard descriptions for Windows events. The descriptions can be taken from libraries that exist locally on processed computers or from remote computers.

To select which libraries to use

1. In InTrust Manager, select Configuration | Data Sources, right-click the Microsoft Windows event log you need, and open its properties from the shortcut menu.
2. On the Microsoft Windows Events tab, specify order for using the libraries:
   • Select Only local to retrieve descriptions from libraries that exist on the InTrust server.
   • Select Local, then remote to get descriptions from the InTrust server as long as they are available.
   • Select Remote, then local to retrieve the necessary descriptions from libraries on remote computers as long as those descriptions are available.

Handling Applications and Services Event Logs

Windows Vista and later Windows versions support event logs with a hierarchical structure. In Event Viewer, these logs are available in the Application and Services Logs container. The Microsoft Windows Events data source type in InTrust works with event logs located at any level of the Event Viewer hierarchy.

To enable InTrust to work with such a log, create a data source of the Microsoft Windows Events type. On the Windows Events Settings page of the New Data Source Wizard, specify the exact full name as the log name.

To look up and copy the full name of the log, run Event Viewer on a computer where the log is available, locate the log you need, and open its properties. Look in the Full Name text box.

Custom Text Log

For details about working with custom text logs, see Auditing Custom Logs with InTrust.

External Events

The External Events data source type is not represented by any predefined data sources. It is different from other data source types in that it generates event records with fields that you define and hands them over to the InTrust agent to process.

Data sources of this type are represented by a command-line utility on the agent side and an InTrust data source object on the InTrust server side.

For example, you can use the utility if your application does not have its own log. The External Events data source simulates event records that can be processed by InTrust agents.

Agent Side

The External Events data source type relies on the cross-platform ExtEvtProviderCmd command-line utility that forces special events on the InTrust agent running on the same computer. The agent stores the events in its backup cache. From there, the events can be captured by the gathering or real-time monitoring engine.

On each platform, the utility is implemented as two files: an executable program and a shared library. On Windows, these files are ExtEvtProviderCmd.exe and ExtEvtProviderApi.dll. On Unix-like systems, the files are ExtEvtProviderCmd and ExtEvtProviderApi.so.

Binary files for all supported platforms are located in <InTrust_installation_folder>\Server\ADC\SupportTools.

You can use the utility in either of two ways: copy the binaries to the target computers manually or deploy them as distributable files.

To deploy the utility as distributable files

1. In the InTrust Manager treeview, right-click Configuration | Advanced | Distributable Files and select New File.
2. Specify the appropriate executable file and complete the New Distributable File wizard.
3. Likewise, use the New Distributable File wizard to add the utility's shared library.
4. In the properties of your data source of the External Events type, on the Distributable Modules tab in the Files list, specify the files you have added.
5. Include the data source in a gathering policy.
6. Make sure that the data source is used in a gathering job and that the task with that gathering job has a schedule. This is a requirement of the External Events data source type.

By default, the utility components are automatically installed to the following locations:

• On Windows: <agent_installation_folder>\Data\DDA
  The default path is %WINDIR%\ADCAgent\Data\DDA
• On Unix-like systems: /var/InTrust/{2A5211B3-98D5-4850-9458-29B411FBD1B6}/DDA
  You must copy the two files from there to the agent installation directory.

This utility is designed to be automated with scripts. Such scripts should launch the utility in situations when intervention is necessary. The scripts must construct and execute a command with the following syntax:

• Windows:
  ExtEvtProviderCmd -e
  -OR-
  ExtEvtProviderCmd <field_name> <field_value> [<field_name_2> <field_value_2>...<field_name_N> <field_value_N>]
• Unix (in the agent installation directory):
  ./adcrun <agent_installation_folder>/ExtEvtProviderCmd -e
  -OR-
  ./adcrun <agent_installation_folder>/ExtEvtProviderCmd <field_name> <field_value> [<field_name_2> <field_value_2>...<field_name_N> <field_value_N>]

The -e parameter means that an empty event record is sent.

The <field_name> parameter specifies the name of a field in the EventsStrings table of the InTrust audit database. The <field_value> parameter specifies the value that is written to this field.

The utility can fill in only a subset of the fields in audit database tables. The following table shows which fields of which tables can be used by a data source of this type:

InTrust Server Side

To make InTrust aware of external events, create a data source of the External Events type in InTrust Manager.

To create an External Events data source

1. Right-click the Configuration | Data Sources node and select New Data Source.
2. In the New Data Source Wizard, select the External Events data source type.
3. Complete the remaining steps.

Now, if you include this data source in a policy and use the policy in a gathering job, InTrust will listen for external events from the site that the gathering job spans.