WÜRTHPHOENIX Neteye - netways

Security Auditing ForwardEr Daemon 

licensed under GNU General Public License version 2

…developed by Würth Phoenix 

• IT and Consulting Company of the Würth-Group 

• Headquarter in Italy, European-wide presence, more 

than 100 employees 

• International experience in Business Software and IT 

Management 

• Core competencies in trading processes, wholesale 

distribution, logistics and System Monitoring 

• ITIL certified, Nagios Solution Provider, Microsoft Gold 

Certified Partner 

Facts & figures 

• More than 600 

customers worldwide 

• Over 7.000 ERP and 

CRM users 

• 25.000 monitored 

hosts 

• 4 offices in 3 countries 

• HQ in Italy 

• Core offers in Business 

Software and IT 

System Management 

Our Our mission mission is is to to improve improve the the business business productivity of of our our 

customers by by managing working working processes more more efficiently. 

To To assure assure this this we we offer offer complete and and international proven proven IT- ITsolutions 

solutions in in a a well-known Würth-quality. 

05/12/2011 

… more than software 

2

… belonging to the Würth group 

• The Würth Group is world market leader in its core 

business, the trade in assembly and fastening 

material 

• It currently consists of over 410 companies in 84 

countries and has more than 65,000 employees on 

its payroll. Over 30,000 of these are permanently 

employed sales representatives. 

Facts & figures 

• More than 65,000 

employees worldwide 

• 30, 000 sales 

representatives 

• More than 100.000 

products 

• In the first half of the business year 2011, the Würth 

Group generated total sales of EUR 4.78 billion. 

• The headquarter of the Würth Group, Adolf Würth 

GmbH & Co. KG, was founded by Adolf Würth in 

1945 in Künzelsau in Baden-Württemberg, Germany. 

05/12/2011 


3

History: the Italian Law 

A new measure issued by Italian Privacy Guarantor to 

guarantee the protection of electronic processing of sensitive 

personal data took effect in September 2009. 

• Assignment of the system administrator function 

through the evaluation of the employees’ subjective 

characteristics. 

Italian Law 

• System administrators’ 

access logs archiving 

• Data encryption 

• Protection of personal 

sensitive data 

• Individual designation 

• Identification of a System administrators’ list 

• Annual verification of personal data processing 

activities based on the security laws. 

• Access logs archiving 

05/12/2011 


4

Architectural idea: centralize all auditing events 

Internet 

WAN 

Signed log files 

per day per host 

Centralized 

Syslog Server 

Syslog protocol 

data transmission 

05/12/2011 


5

Look for technical solutions… 

• rsyslog for server side 

• GPL Full License 

• Already part of Red Hat distribution 

• Look for possible Agents solution 

• Snare auditing for Windows Events 

• Epilog for file (Oracle, Lotus Notes, …) 

• http://www.intersectalliance.com/projects/index.html 

05/12/2011 


6

Problems to solve on Open Source Agents… 

• Auto discovery of Windows administrators was not 

possible with Snare 

• Epilog and Snare are two agents and customers 

expects one agent to reduce deployment efforts 

• Regular expression filtering on Snare for Windows 

was missing 

• Only UDP was supported 

• SYSLOG protocol was not reliable 

• Encrypting TLS/HTTPS was not supported 

Commercial Agents are available on the market satisfying these 

requirements, but not on the Open Source field. 

05/12/2011 


7

Development of 

our own agent 

Proprietary commercial 

agents for Snare 

05/12/2011 


8

Why a new Agent? 

• Commercial agents had restricted commercial policy that did not fit our needs 

• Commercial agents had no possibility to be extended with plugins and specific 

functionalities 

• Still missing functionalities were: 

• Administrators auto discovery 

• Regular expressions 

• Reliability through a solution on application layer 

(TCP was not enough for what we need) 

• Open protocol to realize a centralized 

configuration with templates 

• Snare & Epilog are still two separate agents 

05/12/2011 


9

The idea to develop Safed Agent is born… 

• Create a new agent that integrates 

Snare and Epilog functionalities 

• Still Open Source and free in the 

purpose of utilization 

• Guarantee Interoperability with 

rsyslogd and syslog-ng 

• Open Protocol to allow integration 

with other centralized Syslog 

Servers. 

• Implement TLS / SSL 

05/12/2011 


10

Goals of the Agent… 

The Safed Agent has the purpose to improve and extend the Open 

Source Snare Agent functionalities through: 

• Better reliability for data transmission 

• Efficient CPU usage 

• Improved security through TLS, https, access control 

• Optimized and centralized Agent configuration 

• More supported platforms 

• Improved filters’ efficiency 

• Administrators’ auto discovery 

• One single Agent 

05/12/2011 


11

Supported platforms 

• Windows XP 

• Windows Vista 

• Windows 7 

• Windows Server 2000 

• Windows Server 2003 (32 – 64 Bit) 

• Windows Server 2008 

• Windows Server 2008 R2 

• IBM-AIX 

• HP-UX 

• Solaris 

• Linux (Debian, Redhat, Suse, Ubuntu,…) 

05/12/2011 


12

The versions 

Unix/Linux version 

• Developed based on the Snare Epilog 

• Integrates the Snare Audit and Snare Epilog functionalities for Unix/Linux 

• Configurable polling time to identify new events on log files 

Windows version 

• Integrates the Snare Agent and Snare Epilog functionalities for Windows 

• Use of regular expression for pattern matching 

• Possibility to manage custom event logs 

05/12/2011 


13

Additional Features 

• Syslog message length configuration 

• Configurable local caching mechanism 

• Possibility to make an automatic retransmission of the messages in case of 

failures 

• Debug interface, error information, warning 

• Automatic discovery of the Windows administrators’ roles 

• Centralized configuration of the agents on a central server (i.e. NetEye) 

• Identification through a progressive numeration of the messages 

• On demand retransmission of missing messages 

• Transmission of the events through TLS/HTTPS protocol to provide encrypted 

communication 

• The administration web interface is available on http/https and can be used as 

alternative for a central configuration approach or can be blocked if central 

configuration is used 

05/12/2011 


14

Centralized configuration for the Safed Agent 

The Safed Agent embedded web server can receive structured 

configuration data 

[Config] 

• To facilitate the Agent configuration on a large scale deployment 

dAudit=1 

dFileAudit=1 

dCritAudit=0 

dLeaveRetention=0 

dFileExport=2 

dNumberFiles=2 

scenario, like hundreds, thousands it is possible dDestPort=514 to develop your own 

central management application with the Open Data Structure 

• The installation has been simplified thanks to a unique executable MSI 

sClientname= 

file that does sDelimiter= not need any user interaction. 

[SysAdmin] 

dClearTabs=0 

dSysAdministrators=1 

dTimesADay=1 

dVBS=0 

dLastSA=0 

[Network] 

[Remote] 

[End] 

sDestination=10.62.5.115 

dSocketType=1 

dMaxMessageSize=2048 

dSyslog=1 

dSyslogDest=38 

dSyslogDynamicCritic=0 

dAccessKey=0 

sAccessKeySet=098181024c2e968b16 

dAllow=1 

dRestrict=0 

sRestrictIP=10.62.5.115 

dWebPort=6161 

dWebPortChange=0 

05/12/2011 


15

The structure of a Safed message 

• It is a standard syslog message 

• The message contains new information as the Safed process name, its pid, the daily 

sequential number, User and event Id 

• Daily reset of the sequential numeration of the messages 

05/12/2011 


16

Data Encryption 

• Possibility of secure communication between 

agent and syslog server 

• Encryption via TLS on TCP 

• X.509 certificates 

• Verification of the respective identity of Agent and 

server 

• Encrypted channel for data transmission 

05/12/2011 


17

Case Study: Integrity check 

• Improved reliability of the SYSLOG transmission via TCP 

• Introduction of a progressive number for SYSLOG messages 

• Unique identification of each message 

• Verification on server site of the integrity log 

• The integrity is checked based on the sequential number of 

the log messages 

• Identification of missing messages 

• Retransmission of missing data via SYSLOG or http 

• A final control ensures that the activity has been successfully 

accomplished 

05/12/2011 


18

Windows system readout and Custom Event Log 

• Customer event Log management 

• Possibility to select the events to be monitored from the custom events 

queue registered in the Windows Registry 

• Custom event Log list 

05/12/2011 


19

Status Page 

05/12/2011 


20

Administrator Logging Configuration 

05/12/2011 


21

Advanced web configuration for event log files 

05/12/2011 


22

Filtering option of the agents on client site 

05/12/2011 


23

Debug Interface 

05/12/2011 


24

Quality Assurance for Safed using Selenium HQ 

05/12/2011 


25

…for more information www.neteye-blog.it/downloads 

05/12/2011 


26

WÜRTHPHOENIX Neteye - netways

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?