Table Of Contents
Configuring Groups and Managing Hosts
Overview
Grouping Hosts Together
Mandatory Group Enrollment
Configuring Groups
Managing Agent Kits
Creating Agent Kits
Agent Kit Status
Agent Reboot vs. No Reboot
Agent Registration
Scripted Agent Installs and Uninstalls
Registration Control
Modifying Agent Kits
Managing Hosts Using CSA MC
Viewing General Host Statuses with CSA MC
Viewing All Hosts Managed by CSA MC
Viewing Host Details
Quick Links Tasks
Host Name and Description
Host Identification
Host Status
Host Settings
Group Membership and Policy Inheritance Table
Combined Policy Rules Table
Searching for Hosts
Deleting Hosts
Deleting Hosts Using the Host List Page
Deleting Hosts that Meet a Search Criteria
Changing Host Memberships in Groups
Modifying the Group Membership of a Single Host
Modifying the Host Membership in a Single Group
Bulk Transferring Hosts From One Group to Another
Modify Groups With Hosts That Meet a Search Criteria
Distributing Software Updates
Configuring Scheduled Software Updates
Software Updates in a Distributed Configuration
Configuring Groups and Managing Hosts
Overview
Hosts across your network, including mobile systems in the field, must download Cisco Security Agent software and register with Management Center for Cisco Security Agents to receive the security policies configured for them. When you are ready to apply policies to the hosts running agents, having those hosts placed into common groups streamlines the process of assigning policies to several hosts at once. To place hosts into groups, you must first analyze the security needs of each host system and map out a security plan. Hosts with similar requirements can then be grouped together.
Management Center for Cisco Security Agents ships with several pre-configured groups you can use. If the included groups do not suit your needs, use the instructions in this chapter to configure new groups or to edit existing ones.
This section contains the following topics.
•
Grouping Hosts Together
•
Mandatory Group Enrollment
•
Configuring Groups
•
Managing Agent Kits
•
Creating Agent Kits
•
Agent Registration
•
Scripted Agent Installs and Uninstalls
•
Registration Control
•
Modifying Agent Kits
•
Managing Hosts Using CSA MC
•
Viewing General Host Statuses with CSA MC
•
Viewing All Hosts Managed by CSA MC
•
Viewing Host Details
•
Searching for Hosts
•
Deleting Hosts
•
Changing Host Memberships in Groups
•
Distributing Software Updates
•
Configuring Scheduled Software Updates
•
Software Updates in a Distributed Configuration
Grouping Hosts Together
Host groups reduce the administrative burden of managing a large number of agents. All hosts across your network, including mobile systems in the field, must exist as registered host entries in the Management Center for Cisco Security Agents for policy configurations to be assigned to them.
Grouping individual host systems together provides the following advantages:
•
It lets you consistently apply the same set of policies across multiple host systems.
•
It lets you apply Alert mechanisms and Event Set parameters based on group configurations.
•
It lets you use Test Mode to try out policies on groups of hosts before you actively enforce those policies.
You can group hosts together based on any criteria that best fits your enterprise. For example:
•
Group hosts according to system function, such as web servers. Then you would create a policy that corresponds specifically to the needs of your web servers and distribute it to that group.
•
Group hosts according to business groups, such as finance, operations, and marketing. Distribute policies based on each business group's individual needs.
•
Group hosts according to geographical or topological location. For example, group hosts based on their subnet designation for reporting purposes.
•
Group hosts according to their importance to your organization. Place mission-critical systems into a common group to apply critical alert level configurations to them.
Note
Hosts may belong to multiple groups and automatically receive policies that are attached to every group to which they belong. You can add or remove hosts from a group at any time. However, the policy configuration of a host that is moved to another group will not take effect until you generate your rule programs and distribute them.
Mandatory Group Enrollment
CSA MC provides three auto-enrollment architectural groups, <All Windows>, <All Solaris>, and <All Linux>, that are mandatory for all hosts of a given OS architecture. For example, all Windows hosts are automatically enrolled in the <All Windows> group (in addition to any other groups you have specified) when they register with CSA MC. Hosts cannot be removed from these mandatory groups.
Because hosts are auto-enrolled in these groups, any policies you attach to them also become mandatory by association. You might want to use these mandatory groups to apply policies that prevent some critical service from being inadvertently blocked. For example, you could attach policies that prevent DNS or DHCP from being disabled by an overly restrictive rule.
Configuring Groups
Host groups reduce the administrative burden of managing a large number of agents. Grouping hosts together also lets you apply the same policy to a number of hosts. A group is the only element required to build agent kits.
You do not configure hosts with CSA MC as you do other CSA MC elements. When hosts across your network download and install agent kits, they automatically and transparently register with CSA MC. Hosts inherit membership to the groups that were associated with the agent kit they installed. Successfully registered hosts appear in a linked list when you select Hosts from the Systems category in the menu bar. At registration time, hosts are also automatically put into their assigned group. You can change host groupings at any time.
Note
Management Center for Cisco Security Agents ships with preconfigured groups (in addition to the mandatory groups) you can use if they meet your initial needs. If you use a preconfigured group, you do not have to create your own group as detailed in the following pages.
To configure a group, do the following.
Step 1
Move the mouse over Systems in the menu bar and select Groups from the drop-down list that appears. The list of existing Groups is displayed. Management Center for Cisco Security Agents ships with several pre-configured groups.
Step 2
Click the New button to create a new group entry. (This group is empty until hosts install agents and register.)
Note
If you have "All" designated as the operating system type for your administrator session, you are prompted to select whether this is a Windows, Solaris, or Linux group. See Administrator Preferences, page 2-6 for details. (You cannot combine hosts of differing OS architectures in the same group.)
Step 3
In the available group fields, enter the following information:
•
Name—This is a unique name for this group of hosts. Names are case insensitive, must start with an alphabetic character, can be up to 64 characters long and can include alphanumeric characters, spaces, hyphens, and underscores. You should adopt a naming convention that lets you quickly recognize groups in the CSA MC group list view.
•
Description—This description appears in the list view to help you identify this particular group. Expand the +Detailed field to enter a longer description.
Tip
You can use the Tab key to navigate between edit fields.
Figure 3-1 Group Configuration Page
Step 4
You can change the default Polling interval to any value between 10 seconds and 24 hours (formatted as hh:mm.ss). This controls how often agents in this group poll into CSA MC for policy updates. Shortening the polling time can be useful when you are trying out new policies. Otherwise, the default value is recommended. (If you have the same hosts in multiple groups, the group containing the shortest polling interval setting takes precedence for the hosts in question.)
Note
If you change a group's polling interval, that new interval time will not take effect until the host polls in again for new rules. Therefore, it may take as long as the previous polling interval setting before hosts begin polling in using the new setting.
Step 5
Optionally, enable the Send polling hint capability. Normally, if you make changes to a policy, schedule a software update, or make any other change to a host's configuration, the host does not receive that change until it next polls into the MC. But if you have the Send polling hint checkbox selected, certain changes that occur on the MC will cause a "non-reliable" signed UDP message to be sent to the appropriate hosts. This message tells hosts to poll into the MC earlier than their next scheduled polling interval. The UDP message would be sent if a policy change occurs, if a global correlation event causes a file to be added to the global quarantine list, and if you select to retrieve status information from a particular host. (This feature only works if no NAT or PAT exists between CSA MC and the agent.)
Step 6
Optionally, enable one or more Rule overrides for the group. You can select the Test Mode checkbox for this group.
Caution 
In Test Mode, the Cisco Security Agent will not deny any action even if an associated policy says it should be denied. Instead, the agent will allow the action but log an event (if logging is selected for the rule). This helps you to understand the impact of deploying a policy on a host before enforcing it. For further information, see Using Test Mode, page 4-114.
Step 7
Optionally, enable Verbose Logging Mode to change the event log timer to log all reoccurring events rather than suppressing duplicates. See Chapter 8, "Event Logging and Alerts" for more information on the event log.
Step 8
Optionally, enable Log all deny actions to turn on logging for all deny rules running on hosts within the group regardless of the individual rule settings for the policy attached to the group. You may wish to use this feature to turn on all deny logging for diagnostic purposes.
Step 9
Optionally, you can select the Filter user info from events checkbox for this group. Due to privacy issues, you may not want this username information displayed in events or in the additional information screen available from the event Details link.
Step 10
Optionally, for Windows groups, you can select to enable Application Deployment and Analysis. This analysis functionality works with CSA MC and the agent, serving as a data collection tool for administrators deploying policies across systems and networks. See Chapter 11, "Using Cisco Security Agent Analysis" for detailed information. If this feature is enabled, you can access analysis reports from a link on this page.
Step 11
When all required information is entered, click the Save button to enter and save your group in the CSA MC database.
Once you attach (associate) policies to specific groups, the configuration view for the group displays a table listing all the rules, in order of precedence, that are applied to that group. From this table, you can navigate to those rules and policies.
Tip
To remotely reset all hosts in a group to the system default settings, click the Reset Cisco Security Agent button in the footer frame of the Group page. This functionality is also available from the individual Host page, letting you reset one host at a time. See The Agent User Interface, page A-10 for more information on the agent reset option (also available locally on the agent system).
Managing Agent Kits
The Management Center for Cisco Security Agent allows for the creation and maintenance of custom agent installation kits that greatly reduce the administrative burden of deploying the agent on new systems.
Agent kits must have a group association for deployment. A group is a collection of policies associated with a number of hosts. When hosts download agent kits, the kits place the hosts in the corresponding groups and enforce the policies associated with each group.
CSA MC also ships with preconfigured agent kits you can use if they meet your initial needs. There are kits for generic desktops, generic servers, and CSA MCs (CiscoWorks VMS).
Creating Agent Kits
At the time of creation of the agent kit, it must be associated with one or more groups. The particular agent kit a host installs determines with what group(s) the host is associated. You can create as many kits as necessary to distribute your policies to targeted hosts.
After a kit is installed on a host, the agent running on that host registers itself with CSA MC. CSA MC then automatically places the host in the groups that were associated with the installed kit.
Note
CSA MC ships with preconfigured agent kits that you can use if they meet your needs. The desktop and server kits are distributed in test mode so they will not interfere with your work before you have had a chance to study their behavior. (If you use a preconfigured agent kit, you do not have to build your own kit as detailed in the following pages.)
Note
If you intend to distribute Cisco Trust Agent (CTA) in an agent kit, make sure that you have installed the correct CTA installer files before you begin this procedure. See Installing the Management Center for Cisco Security Agent manual for the procedure to install CTA installer files.
To create agent kits, do the following.
Step 1
Move the mouse over Systems in the menu bar and select Agent Kits from the drop-down menu that appears. Existing agent kits are displayed.
Step 2
Click the New button to create a new agent kit.
Note
If you have "All" designated as the operating system type for your administrator session, you are prompted to select whether this is a Windows, Linux, or Solaris kit. See Administrator Preferences, page 2-6 for details. (You cannot select a Solaris group for an agent kit that you have configured for Windows systems.)
Step 3
In the agent kit configuration view (see Figure 3-2), enter a Name for this kit. This must be a unique name. Agent kit names cannot have spaces. Generally, it is a good idea to adopt a naming convention that lets you, and the users of the systems that will download the kit, recognize it easily.
Step 4
(Optional) Enter a description in the Description field. The description appears in the agent kit list view to help you identify this particular kit.
Figure 3-2 Create Agent Kit
Step 5
From the available list box, select the group or groups of host systems that will download and install this kit. To select multiple items in a list box, hold down the Ctrl key as you select each item. To unselect a single item, hold down the Ctrl key when you click on the item in question. Press and hold the Shift key when you click on an item to select multiple successive items.
Step 6
You have the option of forcing systems to reboot after the agent installation completes (Windows and Linux only). If you select the Force reboot after install checkbox, when the install finishes, a message appears to the end user warning that the system will automatically reboot in 5 minutes. This reboot cannot be stopped by the end user. Keep in mind, if you are selecting to force a reboot, the installation must also be "Quiet". See the next step for more details.
Note
Solaris agent kit installations do not have the option to reboot automatically when complete. If you wish to reboot a Solaris system after installing an agent, you must do so manually.
Note
In some cases, you may not want a system to reboot after the installation completes. If a reboot does not occur after the agent installation, partial security is enforced immediately. Full security is enforced after the first reboot. (Note that Windows NT4 systems must be rebooted after an agent installation.)
Refer to Agent Reboot vs. No Reboot for information on what security is not enforced if a system is not rebooted after an agent installation.
Step 7
Select whether or not to have agents install "quietly" on end-user systems (Windows and Linux only). A Quiet install requires users to download the self-extracting executable as does the "noisy" install. The difference is, no prompts appear and the user is not required to enter any information or select any options. A noisy install prompts the user for installation options, such as enabling the network shim, in addition to the reboot prompt.
These checkbox options combine for the following effects once the Windows or Linux agent installation has completed:
Force reboot checkbox | Quiet install checkbox | Effect when the install completes
enabled | enabled | The install ends by displaying a prompt indicating that a reboot will occur within 5 minutes.
disabled | enabled | The install proceeds and ends quietly with no prompts. Full functionality occurs the next time the user happens to reboot.
disabled | disabled | The install prompts the user to enable the network shim and ends by displaying a prompt indicating that an update has occurred and that the end user can reboot the system at their convenience for full functionality.
(Force reboot with Quiet install disabled is not a valid combination: a forced reboot requires a Quiet install, as noted in Step 6.)
Step 8
For Windows kits, if you select Quiet install, you can also select whether the Network shim is enabled or not during the installation.
Caution 
In some circumstances, you may not want users to enable the network shim on their systems as part of the agent installation. For example, if users have VPN software or a personal firewall installed on their systems, the network shim's Portscan detection, SYN flood protection, and malformed packet detection capabilities may not be needed. To allow users to enable network shims, you would create kits as "noisy" installations. (Do not select the Quiet install checkbox.) This way, users are prompted to enable the network shim during the agent installation. For more information, see Network Shim Optional, page A-7.
Note
Not enabling the network shim does not mean that Network access control rules won't work. It only means that the system hardening features (configured in the Network Shield rule page) mentioned in the previous paragraph are not enabled.
Step 9
(Optional) Install the Cisco Trust Agent by selecting the checkbox next to Install Cisco Trust Agent. The area below the checkbox expands to show several fields.
These fields let you specify the following settings:
•
CTA Installer. From the drop-down menu, specify which Cisco Trust Agent installer to use.
•
Initialization data. The text you enter in the Cisco Trust Agent initialization data field is used to create the ctad.ini file for CTA.
•
Certificate file. Specify a Cisco Secure ACS server certificate to be installed along with CTA.
•
Install scripting interface. The CTA Scripting Interface is only available for NAC Phase 2 networks. If you select a CTA 1.x installer, you cannot install the CTA Scripting Interface.
•
Check the last box if you want CTA to remain installed even if CSA is uninstalled.
Note
The choices you make in this step are important. Refer to Cisco Trust Agent Administrator Guide for a complete description of how these settings impact your CTA installation. For NAC and CTA plugin details, see Cisco Security Agent Posture Plug-in for CTA, page 10-20. For details on NAC, go to the following link on Cisco.com: http://www.cisco.com/en/US/netsol/ns466/networking_solutions_sub_solution_home.html
Step 10
Click the Make Kit button. A new page opens with the message, "The kit was successfully created."
Step 11
Click the rule generation link to advance to the Generate Rule Program page. The rules that require generation are listed at the bottom of the page.
Step 12
Click Generate to generate these rules and make your kit available for deployment. Once the rule generation operation completes, you receive the message, "Rule program generation successful."
Step 13
Move the mouse over Systems in the menu bar and select Agent Kits from the drop-down menu that appears. The agent kit you just created has been added to the list of available kits.
Step 14
Click the name of your new kit to see its agent kit page. The page displays a URL for this particular kit (see Figure 3-3). You may distribute this URL, via email for example, to the host systems the kit is designated for. They access the URL to download and then install the kit. This is the recommended method of agent kit distribution.
But you may also point users to a URL for the CiscoWorks system. This URL will allow them to see all kits that are available. That URL is:
https://<ciscoworks system name>/csamc45/kits
If you are pointing users to the "kits" URL and you have multiple agent kits listed here, be sure to tell users which kits to download.
Note
Note that the Registration Control feature also applies to the <ciscoworks system name>/csamc45/kits URL. If the Registration Control feature (see Registration Control for details on the feature) prevents your IP address from registering, it also prevents you from viewing this "kits" URL.
Note
The page for your agent kit also displays the status of the kit. See Agent Kit Status for details on when a kit is ready for download.
Figure 3-3 Agent Kit Download URL
Note
If you installed Management Center for Cisco Security Agents to the default directory, all agent kits are placed in the https://<ciscoworks system name>/csamc45/kits directory.
Agent Kit Status
When you create an agent kit, it is given one of these four status levels based on how far into the configuration you've progressed. Those status levels are as follows:
•
Ready: This means the agent kit is ready for download to host systems.
•
Needs rule generation: This means that all agent kit configuration parameters are complete, but you must generate rules before the kit can be downloaded.
•
Incomplete: This means that you have not configured all the necessary parameters for this agent kit. You must complete the configuration and then generate rules before the kit can be downloaded.
•
Undeployable: This status will only occur if you have ungenerated kits on CSA MC and then you upgrade CSA MC to a new version. Agent kits that were created but never generated and have an old version number can never be deployed and should be deleted.
Figure 3-4 Agent Install Complete Prompt for Optional Not-Automatic Reboot
Figure 3-5 Agent Install Complete Prompt for Automatic Reboot
Agent Reboot vs. No Reboot
If a system is not rebooted following the Cisco Security Agent installation, the following functionality is not immediately available. (This functionality becomes available the next time the system is rebooted.)
Windows agents
•
Network Shield rules are not applied until the system is rebooted.
•
Network access control rules only apply to new socket connections. Network server services should be stopped and restarted for full network access control security without a system reboot.
•
Data access control rules are not applied until the web server service is restarted.
Solaris and Linux agents (when no reboot occurs after install, the following caveats exist):
•
Network access control rules only apply to new socket connections. Network server services should be stopped and restarted for full network access control security without a system reboot.
•
Buffer overflow protection is only enforced for new processes.
•
File access control rules only apply to newly opened files.
•
Data access control rules are not applied until the web server service is restarted.
Caution 
Windows NT systems must be rebooted after the agent installation completes. Windows NT systems will not receive a reboot optional prompt at the end of an agent installation (even if that option is part of the agent kit installation).
Note
The reboot information here only applies to new agent installations. It does not apply to software updates. Please refer to Table 3-1 for software update reboot details.
Figure 3-6 Download Agent Kits
Agent Registration
When an agent kit is ready for distribution, you can notify end users to download and install the kit from the URL produced by CSA MC when the kit is made. Once the kit installation is complete, each individual host's agent automatically and transparently registers with CSA MC.
Note
Each kit is created for particular groups based on the policies that will be attached to those groups. Policies are described in Chapter 4, "Building Policies".
Scripted Agent Installs and Uninstalls
You can use scripts to silently install and uninstall Windows Cisco Security Agents on end user systems. (Scripted agent installs and uninstalls are not supported on Linux and Solaris systems.)
•
Scripted install: The agent kit is a self-extracting executable placed in the following directory on the server: %Program Files%\CSCOpx\CSAMC45\bin\webserver\htdocs\deploy_kits. (Retrieve the kit from this directory or download it from the server.) You can then use a script to copy and silently install agent kits on systems. Note that you must select the Quiet install checkbox when you build the kit if you are planning to install it via a script.
•
Scripted uninstall: The agent installation places a bat file in the system32 directory. Administrators may use a script to remotely and silently uninstall the agent by invoking the CSA_uninstall.bat file in the system32 directory. You must also pass a parameter to the file for the agent to uninstall silently regardless of whether the original agent kit was a Quiet install. Enter the following: %Program Files%\CSCOpx\CSAMC45\bin\webserver\htdocs\deploy_kits
Note
Before silently uninstalling the agent via a script, you must disable any agent service control rules that deny or query administrators before stopping the agent service.
Whether or not an end user system is going to have a visible agent UI or a hidden one (see Agent UI Control, page 4-48), the end user (or administrator) must download and install the agent kit on the system. The initial installation of an agent kit cannot be done automatically (unless you have written your own script to do so, see Scripted Agent Installs and Uninstalls).
Registration Control
This feature is accessible from the Systems item in the menu bar. On the Registration Control page, enter one or more address ranges; only agent hosts whose addresses fall within the listed ranges can successfully register with CSA MC.
This feature prevents unauthorized hosts from downloading agent kits and receiving rules. (Note that any user who is logged in to CSA MC can download a kit.)
The default entry is <all> (0.0.0.0-255.255.255.255), which applies no address registration restrictions. An example entry of restricted registration addresses follows. Only addresses within the listed ranges can register; each range is inclusive of both endpoints:
192.168.10.0-192.168.10.255
172.16.20.0-172.16.20.255
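The inclusive-range check described above, as an added example that is not part of the original document or of CSA MC itself. It parses the two example ranges and the default <all> entry and decides whether a given registering address is allowed; the function names are assumptions. It also summarizes each range as CIDR blocks, which the page does not do, to show that an entry is a plain inclusive address range and need not align to a network boundary.

```python
import ipaddress

# The default Registration Control entry, <all>, which restricts nothing.
DEFAULT_ENTRY = "0.0.0.0-255.255.255.255"

# The two example ranges from the page, one per line as entered on the
# Registration Control page (constructed sample input).
EXAMPLE_ENTRY = """\
192.168.10.0-192.168.10.255
172.16.20.0-172.16.20.255
"""


def parse_ranges(text):
    """Parse one inclusive 'start-end' IPv4 range per line into (lo, hi) ints.

    Assumed name. Blank lines are ignored; a malformed or reversed range
    raises ValueError rather than silently allowing or denying everything.
    """
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        start, sep, end = line.partition("-")
        if not sep:
            raise ValueError(f"expected start-end range, got {line!r}")
        lo = int(ipaddress.IPv4Address(start.strip()))
        hi = int(ipaddress.IPv4Address(end.strip()))
        if lo > hi:
            raise ValueError(f"range start is after its end: {line!r}")
        ranges.append((lo, hi))
    return ranges


def may_register(address, ranges):
    """True if the address lies inside any configured inclusive range."""
    n = int(ipaddress.IPv4Address(address))
    return any(lo <= n <= hi for lo, hi in ranges)


def ranges_to_cidrs(ranges):
    """Express the same inclusive ranges as CIDR blocks (assumed helper),
    e.g. to build a matching ACL in front of the MC. A range that does not
    start or end on a network boundary expands to several blocks."""
    cidrs = []
    for lo, hi in ranges:
        first, last = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        cidrs.extend(str(net) for net in
                     ipaddress.summarize_address_range(first, last))
    return cidrs


if __name__ == "__main__":
    allowed = parse_ranges(EXAMPLE_ENTRY)
    for addr in ("192.168.10.77", "192.168.11.1", "172.16.20.255", "10.0.0.1"):
        print(addr, "may register" if may_register(addr, allowed) else "rejected")
    print(ranges_to_cidrs(allowed))
```

The check applies to the address the MC observes as the source of the registration; agents that reach the MC through NAT or PAT arrive with the translated address, so that is the address the ranges must cover.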
Modifying Agent Kits
After an agent kit is made and deployed, new groups can be associated with the kit and existing groups can be removed from the kit.
One use for this feature is to prolong the life of installation images by requiring fewer changes to agent kits. For example, agent kits would most likely be deployed in test mode until all the rules, rule-modules, and policies are fine-tuned to meet the needs of your enterprise. An image installed on new desktops during the testing period would include an agent kit, which includes the Test Mode Systems group, which makes all other groups run in test mode.
Once the period of testing is over, the image deployed for new desktops would still include the Test Mode System group but it may no longer be needed because the rules and policies have been finalized and it is time to "go live" for some or all of your enterprise. This feature would allow you to remove the Test Mode System group from the agent kit that is currently included in the installation image for all desktops. When the agent on a new desktop registers with CSA MC for the first time, the Test Mode System group will be removed from the agent kit and the new desktop will not run in test mode.
To modify group associations with agent kits, follow this procedure:
Step 1
Move the mouse over Systems in the menu bar and select Agent Kits from the drop-down menu that appears.
Step 2
Click the name of the kit you want to modify.
Step 3
Now add or remove groups from the agent kit (see Figure 3-7):
•
To add a group to an agent kit, click the group name in the "Agents installed from this kit will not be automatically added to the following groups" swap box and click Add.
•
To remove a group from an agent kit, click the group name in the "Agents installed from this kit will be automatically added to the following groups" swap box and click Remove.
Step 4
Click the rule generation link to advance to the Generate Rule Program page. The rules that require generation are listed at the bottom of the page.
Step 5
Click Generate to generate these rules and make your kit available for deployment. Once the rule generation operation completes, you receive the message, "Rule program generation successful."
Figure 3-7 Agent Kit Page
This procedure does not affect desktops that have already registered with CSA MC. In our example, when such desktops poll in to CSA MC at regular intervals they are still included in the Test Mode System group. To move them out of that group, transfer them in bulk using the Bulk Transferring Hosts From One Group to Another procedure described in Changing Host Memberships in Groups.
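The registration and kit-editing behavior described in Mandatory Group Enrollment, Configuring Groups (the group naming rules), Creating Agent Kits and this section, as an added example that is not CSA MC code. It models a kit as a list of group names, a host's membership as a snapshot taken when the host registers (plus the mandatory group for its OS), and an edited kit as affecting only later registrations, so that hosts registered earlier need a bulk transfer. The class and function names, and the group and host names in the demo, are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Mandatory architectural groups: every registering host is enrolled in the
# one matching its OS and cannot be removed from it.
MANDATORY_GROUP = {"Windows": "<All Windows>", "Solaris": "<All Solaris>",
                   "Linux": "<All Linux>"}

# Group name rules from this chapter: starts with a letter, at most 64
# characters, letters/digits/spaces/hyphens/underscores; uniqueness is
# checked case-insensitively.
_GROUP_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9 _-]{0,63}$")


@dataclass
class Group:
    name: str
    os: str


@dataclass
class AgentKit:
    name: str
    os: str
    groups: list           # group names; edits apply only to later registrations


@dataclass
class Host:
    name: str
    os: str
    groups: set = field(default_factory=set)   # snapshot taken at registration


class ManagementCenter:
    """Toy stand-in for CSA MC group/kit/host bookkeeping (assumed names)."""

    def __init__(self):
        self.groups = {}   # lower-cased name -> Group
        self.kits = {}
        self.hosts = {}
        for os_name, gname in MANDATORY_GROUP.items():
            self.groups[gname.lower()] = Group(gname, os_name)

    def add_group(self, name, os_name):
        if not _GROUP_NAME.match(name):
            raise ValueError(f"invalid group name: {name!r}")
        if name.lower() in self.groups:
            raise ValueError(f"group name already used (case-insensitive): {name!r}")
        self.groups[name.lower()] = Group(name, os_name)

    def make_kit(self, name, os_name, group_names):
        if " " in name:
            raise ValueError("agent kit names cannot contain spaces")
        for g in group_names:   # a kit cannot carry groups of another OS
            if self.groups[g.lower()].os != os_name:
                raise ValueError(f"group {g!r} is not a {os_name} group")
        self.kits[name] = AgentKit(name, os_name, list(group_names))
        return self.kits[name]

    def register(self, hostname, kit_name):
        """Host installs a kit and registers: membership is the kit's groups
        at this moment plus the mandatory group for the kit's OS."""
        kit = self.kits[kit_name]
        host = Host(hostname, kit.os, set(kit.groups) | {MANDATORY_GROUP[kit.os]})
        self.hosts[hostname] = host
        return host

    def remove_host_from_group(self, hostname, group_name):
        if group_name in MANDATORY_GROUP.values():
            raise ValueError("hosts cannot leave a mandatory group")
        self.hosts[hostname].groups.discard(group_name)

    def bulk_transfer(self, src, dst):
        """Move every host in src to dst; returns how many hosts moved. This is
        the step needed for hosts that registered before the kit was edited."""
        moved = 0
        for host in self.hosts.values():
            if src in host.groups:
                self.remove_host_from_group(host.name, src)
                host.groups.add(dst)
                moved += 1
        return moved


def demo():
    """Walk through the test-mode example from the text (constructed data)."""
    mc = ManagementCenter()
    mc.add_group("Desktops", "Windows")
    mc.add_group("Test Mode Systems", "Windows")
    mc.add_group("Solaris Servers", "Solaris")
    kit = mc.make_kit("DesktopKit", "Windows", ["Desktops", "Test Mode Systems"])
    early = mc.register("pc-0001", "DesktopKit")   # registered during testing
    kit.groups.remove("Test Mode Systems")         # kit edited to "go live"
    late = mc.register("pc-0002", "DesktopKit")    # registers after the edit
    return mc, early, late


if __name__ == "__main__":
    mc, early, late = demo()
    print(sorted(early.groups), sorted(late.groups))
```

The early host keeps its test-mode membership after the kit edit, while the late host never receives it; only `bulk_transfer` (or the equivalent CSA MC procedure) changes the early host.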
Managing Hosts Using CSA MC
A host is any system that has installed an agent kit from CSA MC and has registered with CSA MC. The host may be a desktop or server and may be of any supported operating system type.
Once the host has registered with CSA MC, it can receive policy updates, it can be added to or removed from groups, and its status can be monitored by CSA MC.
Viewing General Host Statuses with CSA MC
Follow this procedure to view the general status of all hosts managed by CSA MC:
Step 1
Move your mouse over Events in the menu bar and click Status Summary in the drop-down list.
Step 2
If it is not already expanded, click the plus box next to Network Status.
Step 3
There are several Network Status categories listed in the status summary page. Next to each category is a number indicating how many hosts have been placed in each of the status categories. Click the link for the number of hosts in the category to see the host list view for that category.
Viewing All Hosts Managed by CSA MC
To view all the hosts that are managed by CSA MC, follow this procedure:
Step 1
Move your mouse over Systems in the menu bar and click Hosts in the drop-down menu.
Step 2
(Optional) Sort the host list by operating system.
Step 3
From the Architecture drop-down list box, select one of the following host statuses:
•
Active: A host is active if it polls into the management server at regular intervals and has not missed three polling intervals. When you select this viewing option, a "Yes" for Active or a "No" for Not Active appears in the column.
Note that a "Not active host" is a host that has missed three polling intervals or has not polled into the server for at least one hour.
•
Protected: When you select this viewing option, a "Yes" for Protected or a "No" for Not Protected appears in the column. A system is not protected if it does not belong to a group or if it belongs to a group that has no policies attached.
•
Latest software: When you select this viewing option, a "Yes" for Latest Software or a "No" for Not Latest Software appears in the column. If an agent is not running the latest software, you will want to deploy a software update.
•
Test Mode: When you select this viewing option, a "Yes" for running in Test Mode or a "No" for Not Running in Test Mode appears in the column.
•
Last Poll: When you select this viewing option, the time and date of the most recent poll for the host is displayed.
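The status columns above, evaluated over a small constructed set of host records, as an added example that is not CSA MC's own code. The Active rule (Not Active after three missed polling intervals or one hour without a poll) comes from this list, and the polling-interval precedence rule (the shortest interval across a host's groups wins) from Configuring Groups, Step 4. Treating "latest software" as "agent version equals the MC's current version" is an assumption, as are all class and function names; the summary counts mirror the per-category counts on the Status Summary page.

```python
from dataclasses import dataclass, field

ONE_HOUR = 3600      # hosts silent this long are reported Not Active
MISSED_POLLS = 3     # ...as are hosts that missed this many polling intervals


@dataclass
class GroupSettings:
    name: str
    polling_interval: int      # seconds; the page allows 10 s to 24 h
    policies: int = 0          # number of policies attached to the group
    test_mode: bool = False


@dataclass
class HostRecord:
    name: str
    agent_version: str
    last_poll: int             # epoch seconds of the most recent poll
    groups: list = field(default_factory=list)


def effective_polling_interval(host):
    """Shortest interval among the host's groups takes precedence."""
    if not host.groups:
        return None
    return min(g.polling_interval for g in host.groups)


def is_active(host, now):
    elapsed = now - host.last_poll
    if elapsed >= ONE_HOUR:
        return False
    interval = effective_polling_interval(host)
    return interval is None or elapsed <= MISSED_POLLS * interval


def is_protected(host):
    """Not protected if in no group or only in groups without policies."""
    return any(g.policies > 0 for g in host.groups)


def has_latest_software(host, mc_version):
    return host.agent_version == mc_version      # assumption, see lead-in


def in_test_mode(host):
    return any(g.test_mode for g in host.groups)


def host_row(host, now, mc_version):
    """One row of the host list view with the Yes/No columns as booleans."""
    return {
        "host": host.name,
        "active": is_active(host, now),
        "protected": is_protected(host),
        "latest_software": has_latest_software(host, mc_version),
        "test_mode": in_test_mode(host),
        "last_poll": host.last_poll,
    }


def status_summary(hosts, now, mc_version):
    """Per-category host counts, as on the Status Summary page."""
    rows = [host_row(h, now, mc_version) for h in hosts]
    return {
        "not_active": sum(not r["active"] for r in rows),
        "not_protected": sum(not r["protected"] for r in rows),
        "not_latest_software": sum(not r["latest_software"] for r in rows),
        "test_mode": sum(r["test_mode"] for r in rows),
    }


def sample_hosts(now):
    """Constructed records covering each way a host ends up flagged."""
    fast = GroupSettings("Lab", polling_interval=10, policies=2, test_mode=True)
    slow = GroupSettings("Servers", polling_interval=300, policies=0)
    daily = GroupSettings("Field", polling_interval=86400, policies=1)
    return [
        HostRecord("lab-01", "4.5.0", now - 25, [fast, slow]),   # 10 s wins
        HostRecord("srv-01", "4.5.0", now - 901, [slow]),        # 3 polls missed
        HostRecord("fld-01", "4.0.3", now - 3600, [daily]),      # 1 h rule
        HostRecord("orphan", "4.5.0", now - 5, []),              # no group
    ]


if __name__ == "__main__":
    now = 1_000_000
    for h in sample_hosts(now):
        print(host_row(h, now, "4.5.0"))
    print(status_summary(sample_hosts(now), now, "4.5.0"))
```

Note that with a 24-hour polling interval the one-hour rule dominates, so a field host that polls daily is reported Not Active for most of each day; the Last Poll column is the value to read in that case.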
Viewing Host Details
To view detailed information about one host, follow this procedure:
Step 1
Move your mouse over Systems in the menu bar and click Hosts in the drop-down menu.
Step 2
(Optional) Sort the host list by operating system.
Step 3
Click the link to a host to view detailed information about that host on the Host Detail page (see Figure 3-8).
From the Host Detail Page you have access to these tasks and information:
• Quick Links Tasks
• Host Name and Description
• Host Identification
• Host Status
• Host Settings
• Group Membership and Policy Inheritance Table
• Combined Policy Rules Table
Figure 3-8 Host Detail View
Quick Links Tasks
• Click the Modify group membership link in the Quick Links box on the host detail page (see Figure 3-8) to add or remove this host from a group. See the procedure, Modifying the Group Membership of a Single Host, for the complete procedure.
• Click View Related Events to view an event log showing only the events for the host you are looking at.
• CSA MC provides an explanation, in paragraph form, of the policies attached to each host. Clicking the Explain rules link takes you to this paragraph explanation.
Host Name and Description
• Name and Description: These fields are populated with information received from the agent system when it registers. This is the name that identifies this host system on the network. This name does not have to be unique. CSA MC assigns each registering host a unique ID number by which the database identifies it.
• Contact Information: Click this link to view any contact information provided to the agent by the user. The available fields for the user are: first name, last name, email, telephone, and location. The user is not required to provide this information; however, if an agent is generating alerts, having this contact information readily available could expedite troubleshooting.
Host Identification
• Product Information—This is the Cisco Security Agent version for this particular machine.
• Last known IP address—This is the IP address of the host. If DHCP addressing is used, this is the last known address of the host.
• Host ID—CSA MC assigns each registering host a unique ID number by which the database identifies it.
• UID—This is a globally unique ID for your agent. It is obtained from the agent kit. Different kits present different IDs. Every host that installs a particular kit will have the same registration ID. Once registered, however, each host receives a unique global ID.
• Registration time—This is the time that the agent registered with CSA MC.
• Operating System—This is the operating system installed on this particular machine. If the operating system is unsupported, this information appears here in red text.
• Cisco Trust Agent installed—This displays whether optional CTA software is installed on the system. If CTA software is installed, this field also displays the current CTA posture status.
Host Status
• Events issued in the past 24 hours—This is the number of events (rule triggers) that have occurred on the host system in the given time frame.
• Software Version—This is the version of Cisco Security Agent software the system is running. If there is a software update available for this host, this field provides that information. If an update for a host is scheduled but not yet installed, this field provides that information as well.
• Policy version—This field reads "Up-to-date" or "Not up-to-date", indicating whether the agent has the latest policy configuration from CSA MC.
• Time since last poll—This is the interval since the host system's last polling request.
• Time since last Application Deployment data upload—If application deployment data collection is enabled on the end user system, this indicates the time of the most recent upload of analysis logging data.
• Detailed status and diagnostics—Click this link to view status information for the host in question. The window that is opened by this link uploads information from the agent. NOTE that you may have to click the Diagnose button to retrieve the most recent host information. This causes the agent to poll in with status data. You can use this information to diagnose agent issues, to view the current states and policies running on the agent system, and to reset the system default settings (Reset Cisco Security Agent). See The Agent User Interface, page A-10 for more information on the factory default reset option.
Note
The same Reset Cisco Security Agent functionality is also available from a button located in the footer frame of the Host page. To remotely reset all hosts in a group to the system default settings, click the Reset Cisco Security Agent button in the footer frame of the Group page. (Note that this reset option is also available locally on the agent system.)
Host Settings
• Polling interval (seconds)—The value shown here indicates the time interval in which this system polls in to the management server. This feature is configurable through the Groups page.
• Send polling hint—This field indicates if the polling hint capability is turned on for the group in which this host is a member. See Configuring Groups for details on this setting. This field will display "On (unavailable)" if NAT or PAT exists between CSA MC and the agent, preventing the hint message from being received.
• Test Mode—If this host is part of a group operating in "test mode," that information is displayed here. See Test Mode for further information.
• Verbose logging mode—This field can read as either OFF or ON, indicating whether this feature is enabled for this host. This feature is configurable through the Groups page.
• Log deny actions—This field indicates if the Log <all> deny actions capability is turned on for the group in which this host is a member. See Configuring Groups for details on this setting.
• Filter user info from events—This field indicates if the Filter user from events capability is turned on for the group in which this host is a member. See Configuring Groups for details on this setting.
• Application Deployment investigation enabled—This appears if the application deployment data collection capability, available from the Analysis menu bar item, is enabled on the end user system. If this feature is enabled, you can access analysis reports from a link on this page. If this feature is not enabled, you can enable it from a link here. (You may have to create a new group in order to enable this feature. You can also do that task from a link that appears here.) See Chapter 11, "Using Cisco Security Agent Analysis" for detailed information on this feature.
Group Membership and Policy Inheritance Table
The group membership and policy inheritance table provides you with a list of hyperlinks to all the groups the host is a member of, the policies attached to those groups, and the rule modules attached to those policies. From these links you can jump to any of the listed security components to learn more about them.
Combined Policy Rules Table
This table provides you with a list of all the rules that affect the host. These combined lists are often quite long for any host. You can filter and sort the rules to get a better understanding of how the rules work.
Searching for Hosts
Step 1
Move the mouse over Search in the menu bar and select Hosts from the drop-down menu that appears.
Step 2
In the search field, enter a string to search for. The search will find hostnames containing this string.
Step 3
Refine your search by selecting one additional radio button from the Host Search Criteria Box. The buttons are explained below:
• Active hosts with "the latest" or "an old" configuration. The search finds hosts that poll into the management server at regular intervals and have not missed three polling intervals. The search will find a host with either "the latest" policy updates or "an old" policy.
• Active hosts with "software update pending" or "old software." This search finds hosts that poll into the management server at regular intervals and have not missed three polling intervals. It will find hosts with Cisco Security Agent software updates pending or hosts with old software.
• Hosts not actively polling (status unknown). This search finds hosts that have not polled into the management server in at least one hour or that have missed three polling intervals in a row.
• Hosts that have not polled for (a specified number of) days.
• Unprotected hosts. This search finds hosts that do not belong to any group or hosts that belong to groups which have no policies attached.
• Hosts with unsupported platforms. An unsupported platform is an operating system not listed in the System Requirements section of "Installing Management Center for Cisco Security Agents." It is also an operating system running with a service pack not qualified for use with the agent.
• Hosts with or without Cisco Trust Agent installed. This search finds hosts on which optional Cisco Trust Agent software is or is not installed.
• Hosts attached to group. This search finds hosts attached to the one group you pick from the drop-down box.
• Hosts running in test mode. Agents on hosts running in test mode do not deny any action or operation even if an associated policy says it should be denied. Instead, the agent allows the action and logs an event if a deny or query rule is triggered. (Read Using Test Mode, page 4-114 for more information about test mode.)
• Hosts currently using or that have used a particular IP address.
• Hosts without Application Deployment Investigation data upload. This search finds hosts where the Application Deployment Data collection capability is disabled on the end user system.
• All. This is the default setting. All the hosts containing the string searched for will be found.
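The status columns offered on the host list view (Active, Protected, Latest software, Test Mode) and the Host Search Criteria above are classification rules: a host is active only if it has neither missed three polling intervals nor gone an hour without polling, and it is unprotected if it has no group or only groups without policies. The following Python is an added example, not CSA MC code, that applies those rules to constructed host records and mirrors the search refinements. The Host fields, the GROUP_POLICY_COUNT map, the criterion names and the sample hosts are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Host:
    """Constructed stand-in for a registered host (field names are assumptions)."""
    hostname: str
    last_poll: datetime
    polling_interval: int            # seconds; set on the host's group
    groups: list = field(default_factory=list)
    policy_up_to_date: bool = True   # "the latest" vs "an old" configuration
    latest_software: bool = True
    test_mode: bool = False
    description: str = ""


# Constructed group -> number of policies attached (assumption, not the product schema).
GROUP_POLICY_COUNT = {"Servers": 3, "Desktops": 2, "Staging": 0}


def is_active(host, now):
    """Active: has not missed three polling intervals AND has polled within the last hour.
    Either condition failing makes the host "Not active" as the page defines it."""
    since_last = now - host.last_poll
    missed_intervals = since_last.total_seconds() / host.polling_interval
    return missed_intervals < 3 and since_last < timedelta(hours=1)


def is_protected(host, policy_count=GROUP_POLICY_COUNT):
    """Unprotected: no group at all, or only groups with no policies attached.
    Assumption: one policy-bearing group is enough to count as protected."""
    return any(policy_count.get(g, 0) > 0 for g in host.groups)


def status_columns(host, now):
    """The Yes/No columns selectable from the Architecture drop-down on the host list."""
    return {
        "Active": is_active(host, now),
        "Protected": is_protected(host),
        "Latest software": host.latest_software,
        "Test Mode": host.test_mode,
        "Last Poll": host.last_poll.isoformat(),
    }


def search_hosts(hosts, text, criterion="all", now=None, days=0, group=None,
                 search_description=False):
    """Substring match on hostname (optionally description), refined by one
    radio-button criterion. Returns matching hostnames, sorted."""
    def matches_text(h):
        return text in h.hostname or (search_description and text in h.description)

    def refine(h):
        if criterion == "all":
            return True
        if criterion == "active_latest":
            return is_active(h, now) and h.policy_up_to_date
        if criterion == "active_old":
            return is_active(h, now) and not h.policy_up_to_date
        if criterion == "not_polling":          # status unknown
            return not is_active(h, now)
        if criterion == "not_polled_days":
            return now - h.last_poll >= timedelta(days=days)
        if criterion == "unprotected":
            return not is_protected(h)
        if criterion == "in_group":
            return group in h.groups
        if criterion == "test_mode":
            return h.test_mode
        raise ValueError(f"unknown criterion {criterion!r}")

    return sorted(h.hostname for h in hosts if matches_text(h) and refine(h))


# Constructed sample data: a fixed "now" keeps the results reproducible.
NOW = datetime(2024, 1, 15, 12, 0, 0)
HOSTS = [
    Host("web-01", NOW - timedelta(minutes=5), 600, ["Servers"]),                     # active, latest config
    Host("web-02", NOW - timedelta(minutes=15), 600, ["Servers"], policy_up_to_date=False),  # active, old config
    Host("db-01", NOW - timedelta(minutes=40), 600, ["Servers"]),                     # 4 intervals missed -> not active
    Host("lab-07", NOW - timedelta(days=3), 600, ["Staging"], test_mode=True),        # stale, group has no policies
    Host("pc-ann", NOW - timedelta(minutes=90), 3600, [], description="loaner laptop"),  # 1.5 intervals but > 1 hour
    Host("pc-bob", NOW - timedelta(minutes=10), 3600, ["Desktops"], latest_software=False),
]

if __name__ == "__main__":
    for h in HOSTS:
        print(h.hostname, status_columns(h, NOW))
    print("not polling:", search_hosts(HOSTS, "", "not_polling", NOW))
    print("unprotected:", search_hosts(HOSTS, "", "unprotected", NOW))
```

The db-01 and pc-ann records show why the two halves of the active rule are both needed: db-01 is under an hour old but has missed four 10-minute intervals, while pc-ann has missed fewer than two hour-long intervals yet exceeds the one-hour limit; both land in the "not actively polling" search.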
Step 4
Use the Display Hosts drop-down list box to display only the hosts of a particular operating system or of all operating systems, if you make no other selection.
Step 5
In the Preferences box, select any of the following check-boxes:
• Show references box. This box is checked by default. When you include this in your search criteria, you will be able to look up the group memberships of the hosts you found with the search.
• Search on description. If you check the box for this preference, hostnames and description fields are both searched for the string you entered in the search field.
• Search all other fields. Select this checkbox to search all database fields (including the description field) for the string value.
Step 6
Specify how many search results will be displayed on a page in the Results per page field.
Step 7
Click Find. If the search finds matches, the hosts are displayed in a list and the search criteria box is collapsed. If the search finds no matches, the message "No Results Found" is displayed under the search criteria.
Deleting Hosts
Once an agent installs on a host system and registers with CSA MC, that host is not immediately and automatically removed from the CSA MC hosts list if that agent is uninstalled from the system. The host remains in the host list until you manually delete it or until it becomes inactive (has not polled in) for approximately 30 days. Once that 30 days of inactivity time frame has been reached, the Global Event Manager automatically purges the host in question from the hosts list.
Deleting Hosts Using the Host List Page
Use this procedure to manually delete a host.
Step 1
Move your mouse over Systems in the menu bar and click Hosts in the drop-down menu.
Step 2
(Optional) Sort the host list by operating system to find the correct host to delete.
Step 3
(Optional) Sort the hosts using the hosts statuses in the Architecture drop-down list box to find the correct host to delete.
Step 4
From the host list page there are two ways to delete hosts.
• Select the checkbox next to the hostname(s) you want to delete and then click Delete. When prompted, make sure you are deleting the correct host(s) and click OK to delete the host(s).
• From the host list page, click the link to a host. Review the host details (see Figure 3-8) to make sure you are deleting the correct host and then click Delete. When prompted, make sure you are deleting the correct host and click OK to delete the host.
Deleting Hosts that Meet a Search Criteria
Use this method to find all the hosts that match a certain criteria and delete them.
Step 1
Use the procedure in the "Searching for Hosts" section to find the hosts you want to delete.
Step 2
Click the checkboxes next to specific hosts to act on those hosts alone, or leave all the boxes unchecked to act on all the hosts found by the search.
Step 3
Click the Operations button at the bottom of the search results list page. (See Figure 3-11.) The Host Operations Box opens. (See Figure 3-12)
Step 4
In the Available Operations drop-down list box, select Delete.
Step 5
In the Delete drop-down list box, select either All hosts matching the current search criteria or Selected Hosts.
Step 6
Click Execute. This function deletes hosts from the local database.
When prompted, click OK to perform the operation or Cancel not to perform the operation. You receive a message confirming the success or failure of the operation.
Changing Host Memberships in Groups
When a host registers with CSA MC, it is automatically placed into the group(s) you designate for it. There is no need to add a host to a group initially. You only need to add hosts to groups when you are changing their group designation after they have registered.
Hosts may belong to multiple groups and receive policies that are attached to every group to which they belong. Removing hosts from a group removes the protection the hosts received from the various policies associated with that group.
Caution
You can add or remove hosts from a group at any time. If you do change host group assignments, the policy configuration of a host that has been moved to another group will not take effect until you generate your rule programs and distribute them. This process is detailed in Generating Rule Programs, page 4-118.
Note
See Viewing Host Details for details on hosts.
There are several ways to change the host memberships in a group:
• Modifying the Group Membership of a Single Host
• Modifying the Host Membership in a Single Group
• Bulk Transferring Hosts From One Group to Another
• Modify Groups With Hosts That Meet a Search Criteria
Modifying the Group Membership of a Single Host
Use this procedure to add a host to, or remove a host from, various groups.
Step 1
Move the mouse over Systems in the menu bar and select Hosts from the drop-down menu. This shows you the host list view; it is a list of all the hosts managed by CSA MC.
Step 2
Click the link for the host whose group membership you want to modify.
Step 3
Click Modify group memberships in the Quick Links box. This takes you to a swap box page containing a list of groups of which the host is not a member on the left and a list of groups of which the host is a member on the right.
Step 4
Add or remove your host to groups:
• To add your host to a group, select a group in the left swap box and click the Add button. The group now appears in the right swap box with the other groups to which the host belongs.
• To remove your host from a group, select a group in the right box and click the Remove button. The group now appears in the left swap box with the other groups to which the host does not belong.
Step 5
Click the Generate Rules link at the bottom of the page. CSA MC updates the group memberships. When a host polls in to CSA MC, it will receive the group membership changes along with updates to any rules it now follows.
Note
You may want to wait until all your maintenance tasks are performed on CSA MC and then generate rules for all your changes at once.
Modifying the Host Membership in a Single Group
Use this procedure to add or remove hosts from a single group.
Step 1
Move the mouse over Systems in the menu bar and select Groups from the drop-down menu that appears. This shows you the group list view; it is a list of all the groups managed by CSA MC.
Step 2
From the group list view, click the link for the group to which you want to add or remove hosts. This brings you to that group's edit view.
Step 3
From the edit view, click the Modify host membership link in the Quick Links box. This takes you to a swap box page containing a list of host systems that are not members of the group on the left and a list of hosts that are members of the group on the right.
Step 4
Add or remove hosts to this group (see Figure 3-9):
• To add a host to this group, select the host in the left box and click the Add button. The host now appears in the right box with the list of all hosts attached to this group. The host is now a member of the group.
• To remove hosts from this group, select the host in the right box and click the Remove button. The host now appears in the left box with the list of all hosts unattached to this group. The host is now not a member of this group.
In either case, to select multiple nonsuccessive items in a swap box, hold down the Ctrl key as you select each item. To unselect a single item, hold down the Ctrl key while you click on the item in question. Click the Select all link beneath the swap box to select all items in the swap box. When you click the Add or Remove button, all selected items are added or removed.
Step 5
Click the Generate Rules link at the bottom of the page. CSA MC updates the group memberships. When a host polls in to CSA MC, it receives the group membership changes along with updates to any rules it now follows.
Note
You may want to wait until all your maintenance tasks are performed on CSA MC and then generate rules for all your changes at once.
Bulk Transferring Hosts From One Group to Another
Use the bulk transfer feature to easily move or copy all hosts from one group into the Group you are currently viewing.
Step 1
Move the mouse over Systems in the menu bar and select Groups from the drop-down menu that appears. This shows you the group list view; it is a list of all the groups managed by CSA MC.
Step 2
From the group list view, click the link for the group to which you want to add or remove hosts. This brings you to that group's edit view.
Step 3
From the edit view, click the Modify host membership link in the Quick Links box. This takes you to a swap box page containing a list of host systems that are not members of the group on the left, and a list of hosts that are members of the group on the right.
The bulk transfer operations are at the bottom of this page. (See Figure 3-9.)
Step 4
In the Bulk Transfer box, select Move or Copy in the first drop-down list box to move hosts or copy hosts from the group you specify to the group whose membership you are modifying.
Step 5
In the second drop-down list box, select the group whose members will be moved out of or copied to the group whose membership you are modifying.
Step 6
Click OK. The hosts you moved or copied now appear in the right swap box with the list of hosts attached to this group. The hosts you moved or copied are now members of the group.
Step 7
Click the Generate Rules link at the bottom of the page. CSA MC updates the group memberships and when a host polls in to CSA MC, it receives the group membership changes along with updates to any rules it now follows.
Note
You may want to wait until all your maintenance tasks are performed on CSA MC and then generate rules for all your changes at once.
When you next click the Generate button, policies associated with this group will no longer be applied to the removed hosts. (The host is not deleted from the database; it is just no longer part of the group.)
Figure 3-9 Add Hosts to Group
Modify Groups With Hosts That Meet a Search Criteria
Use this method to find all the hosts that match a certain criteria and move them in and out of groups.
Step 1
Use the procedure in the "Searching for Hosts" section to find the hosts whose group memberships you want to change.
Step 2
Click the checkboxes next to specific hosts to act on those hosts alone, or leave all the boxes unchecked to act on all the hosts found by the search.
Step 3
Click the Operations button at the bottom of the search results list page. (See Figure 3-11.) The Host Operations Box opens. (See Figure 3-12)
Step 4
In the Available Operations drop-down list box, select one of the following options:
• Delete. This function deletes hosts from the local database. In the Delete drop-down list box, select either All hosts matching the current search criteria or Selected Hosts.
• Attach to group. This function copies hosts from one group to another.
– In the Attach (if applicable) drop-down list box, select either All hosts matching the current search criteria or Selected Hosts.
– In the to the following group drop-down list box, select the group to which you want to add the hosts.
• Detach from group. This function removes hosts from a group.
– In the Detach (if applicable) drop-down list box, select either All hosts matching the current search criteria or Selected Hosts.
– In the from the following group drop-down list box, select the group from which you want to remove the hosts.
Step 5
Click Execute.
Step 6
When prompted, click OK to perform the operation or Cancel not to perform the operation. You receive a message confirming the success or failure of the operation.
Figure 3-10 Host Search Page
Figure 3-11 Hosts List Page
Figure 3-12 Host Operations Box
Distributing Software Updates
Cisco provides software updates via its web site (www.cisco.com) for both CSA MC and the agent. You can download these updates, install them on CSA MC, and then distribute them to agent systems across your network as easily as you deploy new rule programs. When you download a self-extracting executable update and install it on the server system, the agent software update files get placed under Available Software Updates in CSA MC (accessible from Systems>Software Updates in the menu bar).
From the list of available updates that is created in the Available Software Updates page, you can make the appropriate updates available to agents through the Scheduled Software Updates page. Creating Scheduled Software Updates allows you to distribute updates to designated groups of agent systems. See Configuring Scheduled Software Updates for details.
Note
All "Quiet" Windows and Linux updates begin installing automatically during the designated installation window with no action occurring on the part of the end user.
From the Available Software Updates page, you can click on a particular update and view the following information (see Figure 3-13):
• Name of the software update, for example SP 4.5.0.58
• Description of the software update, for example Service Pack for agent on NT and Win2K
• File, a link to the software update file itself on the server system
• Target system, a description of the system type for which the update is issued (agent and/or server)
• Version, the version of the software update
• Operating system, the operating system for which the update is issued
• Operating system version(s), the exact OS version numbers for which the update is issued
Figure 3-13 Available Software Updates Page
Configuring Scheduled Software Updates
Create Scheduled Software Updates to distribute an update or updates you have available in Available Software Updates to a selected group or groups.
To create Scheduled Software Update for distribution to agent systems, do the following.
Step 1
From the menu bar Systems drop-down list, move the mouse over Software Updates. A cascading menu with further selections appears. Select Scheduled Software Updates (see Figure 3-14).
Step 2
Click the New button to create a new entry. This takes you to the update configuration page.
Step 3
Enter a Name for the update that makes it easily identifiable.
Step 4
Enter a Description. This is a useful line of text that is displayed in the list view and helps you to identify this particular configuration.
Step 5
Select the Target operating system for the update you're distributing (Solaris, Linux, or Windows). When you select an OS, the available updates and selectable groups change accordingly.
Step 6
From the Software update pulldown list, select the Solaris, Linux, or Windows update you want to distribute. Generally, it's called something like Update V4.5.0.52.
Step 7
Enable update for hosts in selected groups: From the available list of groups, select one or more to distribute this update to.
Step 8
To select multiple items in a list box, hold down the Ctrl key as you select each item. To unselect a single item, hold down the Ctrl key when you click on the item in question. Press the Shift key to select multiple successive items.
Step 9
Update time: Enter a time frame during which agent systems can receive and install updates. By default, the time frame is set to "any time" or for 24 hours. This way, users will update at any time you choose. If you put a time limit on the update, for example enter 10:00 to 11:00 (this would be AM), then after 11:00, if the user is not logged in during this hour window, the update would not be available again until the same time the next day.
Step 10
"Quiet install" updates begin installing automatically with no action occurring on the part of the end user. A reboot on the agent system is not required after a software update. Security continues to be enforced after an update, but if the system is not rebooted, configuration changes and other changes are not applied. They are only applied on the next reboot. You can control what the end user sees during an update and whether a reboot is required after an update by using the following checkboxes.
• Force reboot after install (available for Windows and Linux): If you select this checkbox, when the update completes, a message appears to the end user warning that the system will automatically reboot in 5 minutes. This reboot cannot be stopped by the end user. Keep in mind, if you are selecting to force a reboot, the update must also be "Quiet". Therefore, regardless of whether the end user is present or not, if the machine is running and a quiet update with a forced reboot is received, both the install and the automatic reboot take place within the time frame specified in the update. (Generally, you will only want to use a quiet install with a forced reboot for an unattended server so that the update is installed and the system is rebooted without a user having to be present at the server.)
• Quiet install (available for Windows and Linux): If you select this checkbox, when the update completes, no prompt is displayed to the user. Therefore, since the update begins without prompting the user, this quiet install update occurs as a completely transparent process. The user does not know that a software update has occurred. Configuration changes provided in the update will take effect when the system is next rebooted.
• Noisy install (implied by no checkbox selection): If you do not select the Quiet install checkbox, and the end user has an agent UI, the end user is prompted that an update is available. The user can start the update at that time or postpone it.
Note
Software update functionality and prompt options occur regardless of Agent UI configurations on the end user system. Therefore, if you have deployed agents with no UI, you can deploy "noisy" software updates that prompt the end user. These functions are independent of each other. So, if you want all agent functions to be invisible to the end user, you should configure your update accordingly. (Note that there is one exception to this statement. If the end user does not have an agent UI and you deploy a "noisy" update, the option to postpone the update will not appear. The update will behave as though it were "quiet.")
These possible checkbox options would be combined for the following effects once the software update has completed:
Table 3-1 Software Update Reboot/Install Options

Force reboot checkbox | Quiet install checkbox | Effect once the software update has completed
enabled | enabled | The install ends by displaying a prompt indicating that a reboot will occur within 5 minutes. (This combination is recommended for unattended servers.)
disabled | enabled | The install ends quietly with no prompts. Therefore, the update is completely transparent to the end user. The update takes effect the next time the user happens to reboot.
disabled | disabled | The install prompts the user that an update is available. The user can update at that time or postpone the update. When the update occurs, the install ends by displaying a prompt indicating that an update has occurred and the end user can reboot the system at his/her convenience to apply the changes.
Step 11
Click the Save button.
You must Generate rules to deploy software updates to agents.
Caution
Once scheduled, Solaris software upgrades must be launched manually by accessing the csactl command line tool on the Solaris systems and typing in the software update command. When the update is complete, the system automatically reboots within 5 minutes. This reboot cannot be stopped. Therefore, once you launch the Solaris software update, you must understand that the system will reboot when the update completes.
Figure 3-14 Scheduled Software Updates Page
The next time agents poll in to CSA MC, they receive a prompt informing them that a software update is available.
On Solaris agent systems, use the csactl utility to check for software updates and to install them. See Appendix A, "Cisco Security Agent Overview" for details.
Software Updates in a Distributed Configuration
There are two procedural items to note when installing a software update in a distributed installation environment with multiple MCs.
• In a distributed environment, you must install the software update on all MCs in your distributed configuration.
• In a distributed environment, when installing, upgrading, or uninstalling any MC in the distributed configuration, the service must be stopped on the other MCs. For example, in a configuration with 2 MCs, you must first stop the CiscoWorks Daemon Manager (CSA_uninstall.bat 3) on one MC before you install the software update on the other MC.