Monitoring SafeNet StorageSecure Appliances


13 Dec 2013


© SafeNet Confidential and Proprietary

Module 3: Lesson 1
SafeNet StorageSecure Storage Security Course

Lesson Objectives

> By the end of this lesson, you should be able to:
  > View and analyze SafeNet StorageSecure log files
  > Configure logging in SafeNet StorageSecure Management Console
  > Configure the SNMP agent for monitoring SafeNet StorageSecure

StorageSecure LEDs

| Name   | State | Description |
|--------|-------|-------------|
| PWR    | Green | Both power supplies are operating normally |
| PWR    | Red   | One or both power supplies have a fault condition |
| PWR    | Amber | Only one power supply is connected to an AC circuit |
| PWR    | Off   | The input AC voltage to both of the power supply modules is in a fault or out-of-specification condition, or both of the power supply modules are in a fault or out-of-specification condition, or the appliance is powered off |
| SEC    | Green | The appliance is enabled to provide encryption services |
| SEC    | Off   | The appliance is not initialized for operation |
| MGT    | Green | Management port has network link (not used in StorageSecure v1.0) |
| MGT    | Off   | Management port does not have network link |
| CLIENT | Green | Client side interface has network link |
| CLIENT | Off   | Client side interface does not have network link |
| NAS    | Green | Storage side interface has network link |
| NAS    | Off   | Storage side interface does not have network link |
| ALM    | Red   | The appliance has an alarm that requires servicing/acknowledgement |
| ALM    | Off   | The appliance has no alarms |
| ENV    | Red   | The appliance has a temperature alarm |
| ENV    | Off   | The appliance has no temperature alarms |
| SCR    | Green | Blinking; smart card is inserted and active |
| SCR    | Off   | No smart card is inserted |

Logging in StorageSecure

Log Types

> Security
  > Security log messages provide information about access control, logins and appliance state changes.
> Operational
  > Operations log messages indicate the status of various processes and activities in the system.
> Performance
  > Performance logs indicate utilization characteristics of the appliance.
> Audit
  > Audit logs are generated by the appliance audit function on modification of appliance configuration or state.

Storage Options

> Temporary storage
  > Messages are stored in SafeNet StorageSecure RAM and are lost if the SafeNet StorageSecure appliance is rebooted
> Database storage
  > Messages are stored on the SafeNet StorageSecure CompactFlash card in the Database configuration file, which has limited space; data can survive an appliance reboot
> User-defined remote storage
  > Messages are sent to a host running a syslog daemon
> Windows® event log
  > Messages are sent to a Windows host with an event log service

Configuring Logging in SafeNet StorageSecure Management Console

> Configuration → Log Configuration

Enable NAS Audit Log

Sample NAS Audit Log

Dec 4 16:15:51 <19.5> qa-decru13.nasqa.decru.com /kernel3: Mount access granted (uid=0, client=10.40.3.213, share=SafeNet5:/vol/nas/mixed/wendy2).

Dec 4 16:16:10 <19.5> qa-decru13.nasqa.decru.com syslogd: boxmanager: Storage Vault access check: user root@engtest connecting from IP 10.40.3.213 was granted permissions "read, write, delete Storage Vault, change-perms" on Storage Vault: NetApp5:/vol/nas/mixed/wendy2/nfs_21_journal_2

Dec 4 16:16:23 <19.4> qa-decru13.nasqa.decru.com syslogd: boxmanager: User engtest\root from IP 10.40.3.213 has created the file "testfile (file FH3[7d 1e 63 00 f2 23 52 0b 20 00 00 00 00 4a 52 77 3c 1c 91 32 29 b4 07 59 7d 1e 63 00 f2 23 52 00], parent FSID=1493677097 FID=4653604 FH3[7d 1e 63 00 f2 23 52 0b 20 00 00 00 00 47 02 24 00 f8 da 2e 29 b4 07 59 7d 1e 63 00 f2 23 52 00])" in Storage Vault NetApp5:/vol/nas/mixed/wendy2/nfs_21_journal_2.

Dec 4 16:16:37 <19.4> qa-decru13.nasqa.decru.com syslogd: boxmanager: User engtest\root from IP 10.40.3.213 has set the Unix permissions of "(FSID=1493677097 FID=4870775 FH3[7d 1e 63 00 f2 23 52 0b 20 00 00 00 00 4a 52 77 3c 1c 91 32 29 b4 07 59 7d 1e 63 00 f2 23 52 00]), mode 0777, UID n/c, GID n/c" in Storage Vault NetApp5:/vol/nas/mixed/wendy2/nfs_21_journal_2.

Recommended Log Settings

> Enable remote logging for all types of logging messages
> Store the following message types both locally and remotely
  > Security: High
  > Performance: High
  > Operations: Warning

Viewing and Analyzing StorageSecure Log Messages

Viewing Log Files

> To view log messages:
  > SafeNet StorageSecure Management Console → Diagnostics View System Log
  > Command-line interface → system log list
  > Command-line interface → system util cat <filename>

Viewing Log Files in SafeNet StorageSecure Management Console

> Diagnostics View System Log

Local Log Files

> To view logs:
  > system log list
> Various filtering options:
  > Messages with specified priority
  > -p <priority>: Messages with priority higher than <priority>
  > -begin <begintime>: Messages arriving after <begintime>
  > -interval <interval>: Messages within <begintime> and <interval>
  > -type <type>: Messages of <type> [SEC|OPR|PRF|ADT]

Local Log Files (Cont.)

> Log files
  > /var/log/audit
  > /var/log/messages
  > /var/log/console
  > /var/log/security
  > /var/log/cron
  > /var/log/operation
  > /var/log/performance
> To view a single file:
  > system util cat <filename> - View a single file

Syslog Message Types

| Appliance Log                 | Syslog Facility | Syslog Priority |
|-------------------------------|-----------------|-----------------|
| High-priority security log    | LOG_LOCAL0 (16) | 4,3,2,1,0       |
| Low-priority security log     | LOG_LOCAL0 (16) | 6               |
| Operations alert log          | LOG_LOCAL1 (17) | 1,0             |
| Operations warning log        | LOG_LOCAL1 (17) | 4               |
| Operations informational log  | LOG_LOCAL1 (17) | 6               |
| Operations debug log          | LOG_LOCAL1 (17) | 7               |
| High-priority performance log | LOG_LOCAL2 (18) | 4,3,2,1,0       |
| Low-priority performance log  | LOG_LOCAL2 (18) | 6               |
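
The table above and the Sample NAS Audit Log lines earlier in the lesson can be combined into a small triage script on the log host. This is an added example, not SafeNet code: it assumes the `<19.5>` token in each line is facility.severity (19 being local3, the NAS audit facility), and the sample lines are constructed or abridged from the slide.

```python
import re
# (facility, severities, appliance log) rows from the Syslog Message Types table.
LOG_TYPES = [
    (16, {0, 1, 2, 3, 4}, "High-priority security log"),
    (16, {6}, "Low-priority security log"),
    (17, {0, 1}, "Operations alert log"),
    (17, {4}, "Operations warning log"),
    (17, {6}, "Operations informational log"),
    (17, {7}, "Operations debug log"),
    (18, {0, 1, 2, 3, 4}, "High-priority performance log"),
    (18, {6}, "Low-priority performance log"),
]
NAS_AUDIT_FACILITY = 19  # local3, where the slides send NAS audit messages
# Constructed sample: two entries abridged from the slide, one invented line.
SAMPLE = [
    "Dec 4 16:15:51 <19.5> qa-decru13.nasqa.decru.com /kernel3: Mount access granted "
    "(uid=0, client=10.40.3.213, share=SafeNet5:/vol/nas/mixed/wendy2).",
    r"Dec 4 16:16:37 <19.4> qa-decru13.nasqa.decru.com syslogd: boxmanager: User engtest\root "
    r'from IP 10.40.3.213 has set the Unix permissions of "(FSID=1493677097 FID=4870775), '
    r'mode 0777, UID n/c, GID n/c" in Storage Vault NetApp5:/vol/nas/mixed/wendy2/nfs_21_journal_2.',
    "Dec 4 16:17:05 <17.5> qa-decru13.nasqa.decru.com syslogd: constructed operations message",
]
HEADER = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) <(\d+)\.(\d)> (\S+) (.*)$")
CLIENT = re.compile(r"(?:client=|from IP )(\d+(?:\.\d+){3})")
MODE = re.compile(r"\bmode (0[0-7]{3})\b")

def classify(facility, severity):
    if facility == NAS_AUDIT_FACILITY:
        return "NAS audit log"
    for fac, severities, name in LOG_TYPES:
        if fac == facility and severity in severities:
            return name
    return "unclassified"  # pair not listed in the table

def parse_line(line):
    """Parse one line; None if it lacks the '<facility.severity>' header."""
    match = HEADER.match(line)
    if not match:
        return None
    when, facility, severity, host, message = match.groups()
    client, mode = CLIENT.search(message), MODE.search(message)
    return {"time": when, "host": host, "message": message,
            "log_type": classify(int(facility), int(severity)),
            "client": client.group(1) if client else None,
            "world_writable": bool(mode and int(mode.group(1), 8) & 0o002)}

def world_writable_changes(lines):
    # Audit events whose new mode lets any user write (for example mode 0777).
    return [e for e in map(parse_line, lines) if e and e["world_writable"]]
```

Facility/severity pairs that the table does not list, such as 17.5, come back as "unclassified" so they can be reviewed rather than silently dropped.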


Configuring a Linux Syslog Server

Use the following steps to configure a Linux syslog server:

1. Create empty log files.
2. Add entries to the syslog.conf file.
3. Edit the /etc/sysconfig/syslog file to accept remote messages.
4. Restart the syslogd service.

Setting Up Syslog

Add the following to syslog.conf file:

local0.* /var/log/<ApplianceName>
local1.* /var/log/<ApplianceName>
local2.* /var/log/<ApplianceName>
local3.* /var/log/<ApplianceName>

> local0 is for security messages
> local1 is for operations messages
> local2 is for performance messages
> local3 is for NAS audit messages
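
A check for the collector configuration built in the steps above, as an added example that is not part of the SafeNet course material. It assumes classic sysklogd, where remote reception is enabled by `-r` in `SYSLOGD_OPTIONS`; the name `storagesecure1` and both sample configurations are constructed.

```python
import re

# Facility-to-content mapping from the "Setting Up Syslog" slide.
FACILITIES = {"local0": "security", "local1": "operations",
              "local2": "performance", "local3": "NAS audit"}

def rule_facilities(selectors):
    """Appliance facilities matched by one selector field, e.g. '*.info;local3.none'."""
    matched = set()
    for selector in selectors.split(";"):
        names, _, priority = selector.partition(".")
        wanted = set(FACILITIES) if names == "*" else set(names.split(",")) & set(FACILITIES)
        if priority == "none":      # 'facility.none' excludes what came before
            matched -= wanted
        else:
            matched |= wanted
    return matched

def audit_collector(syslog_conf, sysconfig_syslog):
    """Return findings for a collector's syslog.conf and /etc/sysconfig/syslog text."""
    routed = set()
    for raw in syslog_conf.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        # Only rules that write to a file count ('-/path' means unsynced writes).
        if len(fields) == 2 and fields[1].lstrip("-").startswith("/"):
            routed |= rule_facilities(fields[0])
    findings = [f"{fac} ({kind}) is not written to any file"
                for fac, kind in FACILITIES.items() if fac not in routed]
    # Assumption: classic sysklogd, which only listens on the network with -r.
    options = re.search(r'^SYSLOGD_OPTIONS="([^"]*)"', sysconfig_syslog, re.M)
    if not options or "-r" not in options.group(1).split():
        findings.append("syslogd is not started with -r, so remote messages are ignored")
    return findings

# Constructed inputs; 'storagesecure1' stands in for <ApplianceName>.
WEAK_CONF = """\
local0.*    /var/log/storagesecure1
local1.*    /var/log/storagesecure1
local2.*    /var/log/storagesecure1
*.info;local3.none    /var/log/messages
"""
GOOD_CONF = WEAK_CONF.replace("*.info;local3.none    /var/log/messages",
                              "local3.*    /var/log/storagesecure1")
WEAK_OPTIONS = 'SYSLOGD_OPTIONS="-m 0"\n'
GOOD_OPTIONS = 'SYSLOGD_OPTIONS="-m 0 -r"\n'
```

The weak configuration shows the failure that is easiest to miss: a catch-all rule that excludes local3 leaves the NAS audit messages with no destination file.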




Rotating Linux Log Files

> 1. Verify /etc/logrotate.conf file is configured to keep four weeks of log files:

# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

> 2. Edit the file /etc/logrotate.d/syslog and add the following entries:

/var/log/Decru_logs
/var/log/Decru_NAS

> 3. Load changes to log rotation:

logrotate -f /etc/logrotate.conf

Signed Log Messages

> Support for Signed log files will be available on StorageSecure release 1.1.

Configuring the SNMP Agent for Monitoring SafeNet StorageSecure

Simple Network Management Protocol

> Support for SNMP available on StorageSecure release 1.1.

Lesson Summary

> In this lesson, you should have learned to:
  > View and analyze SafeNet StorageSecure log files
  > Configure logging in SafeNet StorageSecure Management Console
  > Configure the SNMP agent for monitoring SafeNet StorageSecure