Using Management Center for Cisco Security Agents 6.0.1
Configuring Groups and Managing Hosts

Table Of Contents

Configuring Groups and Managing Hosts

Overview

Grouping Hosts Together

Mandatory Group Enrollment

Configuring Groups

Resetting Cisco Security Agents

Managing Agent Kits

Creating Agent Kits from Existing Groups

Creating Agent Kits and Groups Using a Wizard

Distributing Agent Kits

Agent Kit Status

Agent Reboot vs. No Reboot

Registration Control

Agent Registration

Scripted Agent Installations

Managing Hosts Using CSA MC

Viewing General Host Statuses with CSA MC

Viewing Hosts Managed by CSA MC

Viewing Host Details

Host Tasks

Host Name and Description

Host Identification

Host Status

Host Settings

Group Membership and Policy Inheritance Table

Combined Policy Rules Table

Searching for Hosts

Deleting Hosts from the CSA MC

The Host Recycle Bin

Purging Hosts from the CSA MC

Changing Host Memberships in Groups

Modifying the Group Membership of a Single Host

Modifying the Host Membership in a Single Group

Bulk Transferring Hosts From One Group to Another

Modify Groups With Hosts That Meet a Search Criteria

Host Managing Tasks

Polling

Inactive Hosts

Distributing Software Updates

Scheduling Software Updates

Scheduling Software Updates Wizard

Software Updates in a Distributed Configuration


Configuring Groups and Managing Hosts


Overview

The host systems across your network, including mobile systems in the field, must download Cisco Security Agent software and register with Management Center for Cisco Security Agents to receive the security policies configured for them. When you are ready to apply policies to the hosts running agents, having those hosts placed into common groups streamlines the process of assigning policies to several hosts at once. To place hosts into groups, you must first analyze the security needs of each host system and map out a security plan. Hosts with similar requirements can then be grouped together.

Management Center for Cisco Security Agents ships with several pre-configured groups you can use. If the included groups do not suit your needs, use the instructions in this chapter to configure new groups or to edit existing ones.

This section contains the following topics.

Grouping Hosts Together

Mandatory Group Enrollment

Configuring Groups

Resetting Cisco Security Agents

Managing Agent Kits

Creating Agent Kits from Existing Groups

Creating Agent Kits and Groups Using a Wizard

Distributing Agent Kits

Agent Reboot vs. No Reboot

Registration Control

Agent Registration

Scripted Agent Installations

Managing Hosts Using CSA MC

Viewing General Host Statuses with CSA MC

Viewing Hosts Managed by CSA MC

Viewing Host Details

Searching for Hosts

Deleting Hosts from the CSA MC

Changing Host Memberships in Groups

Host Managing Tasks

Distributing Software Updates

Scheduling Software Updates

Software Updates in a Distributed Configuration

Grouping Hosts Together

Host groups reduce the administrative burden of managing a large number of agents. All hosts across your network, including mobile systems in the field, must exist as registered host entries in the Management Center for Cisco Security Agents for policy configurations to be assigned to them.

Grouping individual host systems together provides the following advantages:

It lets you consistently apply the same set of policies across multiple host systems.

It lets you apply Alert mechanisms and Event Set parameters based on group configurations.

It lets you use audit mode to try out policies on groups of hosts before you actively enforce those policies.

You can group hosts together based on any criteria that best fits your enterprise. For example:

Group hosts according to system function, such as web servers. Then you would create a policy that corresponds specifically to the needs of your web servers and distribute it to that group.

Group hosts according to business groups, such as finance, operations, and marketing. Distribute policies based on each business group's individual needs.

Group hosts according to geographical or topological location. For example, group hosts based on their subnet designation for reporting purposes.

Group hosts according to their importance to your organization. Place mission-critical systems into a common group to apply critical alert level configurations to them.


Note Hosts may belong to multiple groups and automatically receive policies that are attached to every group to which they belong. You can add or remove hosts from a group at any time. However, the policy configuration of a host that is moved to another group will not take effect until you generate your rule programs and distribute them.


Mandatory Group Enrollment

CSA MC provides three auto-enrollment architectural groups, <All Windows>, <All Solaris>, and <All Linux>, that are mandatory for all hosts of a given OS architecture. For example, all Windows hosts are automatically enrolled in the <All Windows> group (in addition to any other groups you have specified) when they register with CSA MC. Hosts cannot be removed from these mandatory groups.

By providing group auto-enrollment for hosts, any policies you attach to these groups also become mandatory by association. You might want to use these mandatory groups to apply policies that prevent some critical service from being inadvertently banned. For example, you could attach policies to prevent DNS or DHCP from being disabled by an overly restrictive rule.

Configuring Groups

Host groups reduce the administrative burden of managing a large number of agents. Grouping hosts together also lets you apply the same policy to a number of hosts. A group is the only element required to build agent kits.

You do not configure hosts with CSA MC as you do other CSA MC elements. When hosts across your network download and install agent kits, they automatically and transparently register with CSA MC. Hosts inherit membership to the groups that were associated with the agent kit they installed. Successfully registered hosts appear in a linked list when you select Hosts from the Systems category in the menu bar. At registration time, hosts are also automatically put into their assigned group. You can change host groupings at any time.


Note Management Center for Cisco Security Agents ships with preconfigured groups (in addition to the mandatory groups) you can use if they meet your initial needs. If you use a preconfigured group, you do not have to create your own group as detailed in the following pages.


To configure a group, do the following.


Step 1 Log on to the CSA MC as a user with configure privileges and switch to Advanced Mode.

Step 2 Move the mouse over Systems in the menu bar and select Groups from the drop-down list that appears. The list of existing Groups is displayed. Management Center for Cisco Security Agents ships with several pre-configured groups.

Step 3 Click the New button to create a new group entry. (This group is empty until hosts install agents and register.)


Note If you have "All" designated as the operating system type for your administrator session, you are prompted to select whether this is a Windows, Solaris, or Linux group. See Configuring Role-Based Administration, page 2-11 for details. (You cannot combine hosts of differing OS architectures in the same group.)


Step 4 In the available group fields, enter the following information:

Name—This is a unique name for this group of hosts. Names are case insensitive, must start with an alphabetic character, can be up to 64 characters long and can include alphanumeric characters, spaces, hyphens, and underscores. You should adopt a naming convention that lets you quickly recognize groups in the CSA MC group list view.

Description—This description appears in the list view to help you identify this particular group. Expand the +Detailed field to enter a longer description.


Tip You can use the Tab key to navigate between edit fields.


Figure 3-1 Group Configuration Page

Step 5 Optionally, in the Properties area, click Polling to configure the polling attributes for the group.

You can change the default Polling interval to any value between 10 seconds and 24 hours (formatted as hh:mm:ss). This controls how often agents in this group poll into CSA MC for policy updates. Shortening the polling time can be useful when you are trying out new policies. Otherwise, the default value is recommended. (If you have the same hosts in multiple groups, the group containing the shortest polling interval setting takes precedence for the hosts in question.)


Note If you change a group's polling interval, that new interval time will not take effect until the host polls in again for new rules. Therefore, it may take as long as the previous polling interval setting before hosts begin polling in using the new setting.


Optionally, enable the Send polling hint capability. Normally, if you make changes to a policy, schedule a software update, or make any other change to a host's configuration, the host does not receive that change until it next polls into the MC. But if you have the Send polling hint checkbox selected, certain changes that occur on the MC will cause a "non-reliable" signed UDP message to be sent to the appropriate hosts. This message tells hosts to poll into the MC earlier than their next scheduled polling interval. The UDP message would be sent if a policy change occurs, if a global correlation event causes a file to be added to the global quarantine list, and if you select to retrieve status information from a particular host. (This feature only works if no NAT or PAT exists between CSA MC and the agent.)

Users see the polling hint message on the Status screen of their agent interface.

Step 6 Optionally, click the Rule overrides link to configure the rule override attributes for the group.

You can select the Audit mode checkbox for this group.


Caution In audit mode, the Cisco Security Agent will not deny any action even if an associated policy says it should be denied. Instead, the agent will allow the action but log an event (if logging is selected for the rule). This helps you to understand the impact of deploying a policy on a host before enforcing it. For further information, see Using Audit Mode, page 5-32.

You can enable Learn mode to localize policies on the agent and to prevent the flurry of query pop-ups that can appear to a user when the agent is first installed. Learn mode works in a specific manner, in combination with deployed query user rules. These queries are automatically answered and remembered persistently for the learning mode period. More information is provided in Using Learn Mode, page 5-34.


Note Using the Hosts Managing Tasks page, you can configure "timed" Learn Mode and "timed" Audit Mode. Basically, you can configure a task that causes hosts to move in and out of selected groups at timed intervals. This way, you can have all new hosts move out of a Learn Mode group or an Audit Mode group after a set time. Refer to Host Managing Tasks for configuration information.


Step 7 Optionally, click Log overrides to configure log override attributes.

Enable Log deny actions to turn on logging for all deny rules running on hosts within the group regardless of the individual rule settings for the policy attached to the group. You may wish to use this feature to turn on all deny logging for diagnostic purposes.

Enable Log set actions to turn on logging for all set rules running on hosts within the group regardless of the individual rule settings for the policy attached to the group.

Enable Verbose logging mode to change the event log timer to log all reoccurring events rather than suppressing duplicates. See Chapter 10, "Event Logging and Alerts" for more information on the event log.

Enable the Filter user info from events checkbox for this group if you do not want username information displayed in events or in the additional information screen available from the event Details link.

Step 8 Optionally, click the Simple Mode Settings link to configure this group's availability on the Host Security Page.

If you select Expose this group also in Simple Mode (on the Host Security page), this group is displayed to both Simple Mode and Advanced Mode users. If this option is not selected, neither Simple Mode nor Advanced Mode users can see this group on the Host Security Page. Next, select either the desktop or server radio button to indicate the kind of hosts for which this group is recommended.

Through the Host Security page, users can create an agent kit for this group, associate policies with this group, view the host membership in a group, view the agent kits created for the group, and move the group in and out of Audit Mode.

Step 9 Features area:

AntiVirus: This field indicates whether the AntiVirus feature has been enabled for the group and what kind of AntiVirus protection is being employed. This field is informational only. You cannot enable this feature from this field directly.

If the AntiVirus - Signature Based policy (desktops or servers) has been deployed to the group, then you will see that AV protection is Enabled (signature based).

If the AntiVirus - Behavior Based (desktops) policy has been deployed to the group, then you will see that AV protection is Enabled (behavior based).

Data Loss Prevention: If the Data Loss Prevention policy has been deployed to the group, you will see that the feature has been Enabled. This field is informational only. You cannot enable this feature from this field directly.

Application Deployment Investigation: Optionally, for Windows groups, you can click the enable link next to Application Deployment Investigation to enable that feature. This analysis functionality works with CSA MC and the agent, serving as a data collection tool for administrators deploying policies across systems and networks. See Chapter 13, "Using Cisco Security Agent Analysis" for detailed information. If this feature is enabled, you can access analysis reports from a link on this page.

Step 10 Attached Policies: To attach policies to the group, click the change link next to Attached Policies label. In the Modify Policy Associations pop-up, select the "Unattached" policy you want to add to the group, and click Add. When you are done close the Modify Policy Associations pop-up box.

Step 11 When all required information is entered, click the Save button to enter and save your group in the CSA MC database.


Note Once you attach policies to specific groups, you can click the expand link next to the Combined Policy Rules label to display a table listing all the rules, in order of precedence, that are applied to that group. From this table, you can navigate to those rules and policies.
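As an added worked example (not CSA MC code), the following Python models the polling rules described in Step 5: an interval is entered as hh:mm:ss and must lie between 10 seconds and 24 hours, a host in several groups polls at the shortest interval among them, and a changed interval is only picked up on the host's next poll, so the old interval bounds the settle time. The group names and intervals are constructed sample data, not values from the page.

```python
import re
from typing import Dict, List, Tuple

# Documented bounds for a group's polling interval (10 seconds to 24 hours).
MIN_POLL_SECONDS = 10
MAX_POLL_SECONDS = 24 * 60 * 60

_HHMMSS = re.compile(r"^(\d{1,2}):(\d{2}):(\d{2})$")


def parse_interval(text: str) -> int:
    """Convert an hh:mm:ss polling interval to seconds, rejecting values
    outside the 10 s .. 24 h range the group configuration page accepts."""
    match = _HHMMSS.match(text.strip())
    if not match:
        raise ValueError(f"polling interval must be hh:mm:ss, got {text!r}")
    hours, minutes, seconds = (int(part) for part in match.groups())
    if minutes > 59 or seconds > 59:
        raise ValueError(f"minutes and seconds must be 00-59 in {text!r}")
    total = hours * 3600 + minutes * 60 + seconds
    if not MIN_POLL_SECONDS <= total <= MAX_POLL_SECONDS:
        raise ValueError(
            f"{text!r} is outside the allowed range of 10 seconds to 24 hours")
    return total


def is_valid_interval(text: str) -> bool:
    """True when parse_interval() accepts the value, False otherwise."""
    try:
        parse_interval(text)
    except ValueError:
        return False
    return True


def effective_interval(host_groups: List[str],
                       group_intervals: Dict[str, str]) -> Tuple[int, str]:
    """Return (seconds, group) for a host in several groups: the group with
    the shortest polling interval takes precedence, as the page states."""
    if not host_groups:
        raise ValueError("a registered host belongs to at least one group")
    candidates = [(parse_interval(group_intervals[g]), g) for g in host_groups]
    # min() compares the interval first, then the group name, so ties
    # resolve deterministically.
    return min(candidates)


def worst_case_settle_seconds(previous_effective: int) -> int:
    """Upper bound on how long hosts keep polling on the old schedule after an
    interval change: the new value is fetched on the next poll, so at most one
    previous interval elapses first. Polling hints may shorten this, but the
    page describes them as non-reliable, so they do not tighten the bound."""
    return previous_effective


# Constructed sample configuration (not from the page): a Windows host in the
# mandatory <All Windows> group plus two administrator-defined groups.
SAMPLE_GROUP_INTERVALS = {
    "<All Windows>": "00:10:00",   # constructed value
    "Web Servers": "01:00:00",     # constructed value
    "Policy Pilot": "00:01:00",    # short interval while trying out policies
}
SAMPLE_HOST_GROUPS = ["<All Windows>", "Web Servers", "Policy Pilot"]


def audit_host_polling(host_groups: List[str],
                       group_intervals: Dict[str, str]) -> Dict[str, object]:
    """Summarise which group drives a host's poll rate and how long a change
    to that group's interval can take to propagate to the host."""
    seconds, winner = effective_interval(host_groups, group_intervals)
    return {
        "effective_seconds": seconds,
        "controlling_group": winner,
        "worst_case_settle_seconds": worst_case_settle_seconds(seconds),
    }


if __name__ == "__main__":
    print(audit_host_polling(SAMPLE_HOST_GROUPS, SAMPLE_GROUP_INTERVALS))
```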


Resetting Cisco Security Agents

The CSA MC lets you centrally reset agent settings back to their original states and clears all user-configured settings. You may want to do this in order to clear cached user query responses or to reset system states.

Resetting Cisco Security Agents does not clear configured Firewall Settings or File Protection settings. But if Firewall Settings or File Protection settings are enabled, they are disabled after a reset as this is the default factory setting. The information entered into the edit boxes for these features is not lost.

To remotely reset all hosts in a group to the system default settings, follow this procedure:


Step 1 Log on to the CSA MC as a user with deploy or configure privileges and switch to Advanced Mode.

Step 2 Move the mouse over Systems in the menu bar and select Groups from the drop-down list that appears. The list of existing Groups is displayed.

Step 3 Click the link for the group you want to reset.

Step 4 Expand the Tasks menu and click the Reset Cisco Security Agents link in the menu.

Step 5 Go to Select the items you want to reset.

To remotely reset the Cisco Security Agent of a single host, follow this procedure:


Step 1 Log on to the CSA MC as a user with deploy or configure privileges and switch to Advanced Mode.

Step 2 Move the mouse over Systems in the menu bar and select Hosts from the drop-down list that appears. The list of existing hosts is displayed.

Step 3 Click the link for the host you want to reset.

Step 4 Expand the Tasks menu and click the Reset Cisco Security Agents link in the menu.

Step 5 Go to Select the items you want to reset.

To remotely reset the Cisco Security Agent of a single host while in Simple Mode, follow this procedure:


Step 1 Log on to the CSA MC as a user with deploy or configure privileges.

Step 2 From the Search menu, select Hosts.

Step 3 Enter the search criteria for your host and click Find.

Step 4 Click the link for the host you want to reset.

Step 5 Expand the Tasks menu and click the Reset Cisco Security Agents link in the menu.

Step 6 Go to Select the items you want to reset.

Select the items you want to reset

When you click the Reset Cisco Security Agents link, a pop-up window appears displaying checkboxes that let you reset specific agent settings or reset all settings. After you select the items you want to reset, click Reset:

Cached Responses and Logging - This clears the temporarily cached query user responses. These are query responses that are stored locally for approximately one hour.

AntiVirus Tags - This clears the AntiVirus tags from files stored on the host. Files that were restricted because of their AntiVirus tags are no longer restricted. See AntiVirus Tagging, page 15-5 for more information about AntiVirus tags.

Data Classification (DLP) Tags - This clears the scanning data tags and static data tags from files stored on the host. Files that were subject to data loss prevention rules will no longer be. See Scanning Data Tags and Static Data Tags, page 16-3 for more information about these data classification tags.

Local Firewall Settings - This clears any local firewall network permissions or file protections that the end user has configured.

Learned Information - This clears the learned, persistent query responses on the agent system. It also clears other learned information such as running applications and unusual system calls. This also causes the automatic 72 learning period to start again. See Using Learn Mode, page 5-34.

Local Signatures - This will delete any LPC or MSRPC attack signatures compiled on the host. See Chapter 14, "Automatic Signature Generation," for more information about automatically generated signatures.

System Security - This resets the Security level slide bar to its original deployment setting (Medium). This also clears the Network Lock if it is selected.

System State - This resets the agent System State back to its original deployment state. It clears all custom system states as well as those defined in this release. This is useful if the end user system has been quarantined or been placed in a network lockdown state by the agent due to a rootkit detection or by some other means. The reset will be received by the agent regardless of a quarantine or network restriction being imposed.

Untrusted Applications - This clears the Untrusted Applications list that is automatically kept by the agent.

User Query Responses - This clears all the persistent query responses on the agent system.

Figure 3-2 Reset Cisco Security Agent Options

Managing Agent Kits

The Management Center for Cisco Security Agents allows for the creation and maintenance of custom agent installation kits that greatly reduce the administrative burden of deploying the agent on new systems.

Agent kits must have group associations for deployment. Groups are a collection of policies and an association of hosts. After a kit is installed on a host, the agent running on that host registers itself with CSA MC. CSA MC then automatically places the host in the groups that were associated with the installed kit.

CSA MC also ships with preconfigured agent kits you can use if they meet your initial needs. There are kits for generic desktops, generic servers, and CSA MCs.

Agent kits can be created in these ways:

Creating Agent Kits from Existing Groups

Creating Agent Kits and Groups Using a Wizard

Creating Agent Kits from Existing Groups

This procedure is for the Advanced Mode user. It describes creating an agent kit from existing groups. The procedure assumes that Advanced Mode users have created whatever groups they need to create an agent kit using this method.

If you want to create a group for your policies at the same time as you create the agent kit, use the Creating Agent Kits and Groups Using a Wizard procedure instead.

To create agent kits, do the following.


Step 1 Log on to the CSA MC as a user with deploy or configure privileges and switch to Advanced Mode.

Step 2 Move the mouse over Systems in the menu bar and select Agent Kits from the drop-down menu that appears. Existing agent kits are displayed.

Step 3 Click the New button to create a new agent kit.


Note If you have "All" designated as the operating system type for your administrator session, you are prompted to select whether this is a Windows, Linux, or Solaris kit. See Configuring Role-Based Administration, page 2-11 for details. (You cannot select a Solaris group for an agent kit that you have configured for Windows systems.)


Step 4 In the agent kit configuration view (see Figure 3-3), enter a Name for this kit. This must be a unique name. Agent kit names cannot have spaces. Generally, it is a good idea to adopt a naming convention that lets you and the systems that will be downloading the kit recognize it easily.

Step 5 (Optional) Enter a description in the Description field. The description appears in the agent kit list view to help you identify this particular kit.

Figure 3-3 Create Agent Kit

Step 6 From the available list box, select the group or groups of host systems that will download and install this kit. To select multiple items in a list box, hold down the Ctrl key as you select each item. To unselect a single item, hold down the Ctrl key when you click on the item in question. Press and hold the Shift key when you click on an item to select multiple successive items.

Step 7 You have the option of forcing systems to reboot after the agent installation completes (Windows and Linux only). If you select the Force reboot after install checkbox, when the install finishes, a message appears to the end user warning that the system will automatically reboot in 5 minutes. This reboot cannot be stopped by the end user. Keep in mind, if you are selecting to force a reboot, the installation must also be "Quiet". See the next step for more details. Refer to Agent Reboot vs. No Reboot for information on what security is not enforced if a system is not rebooted after an agent installation.


Note Solaris agent kit installations do not have the option to reboot automatically when complete. If you wish to reboot a Solaris system after installing an agent, you must do so manually.



Note In some cases, you may not want a system to reboot after the installation completes. If a reboot does not occur after the agent installation, partial security is enforced immediately. Full security is enforced after the first reboot. See Figure 3-6 for details.


Step 8 Select whether or not to have agents install "quietly" on end-user systems (Windows and Linux only). A Quiet install requires users to download the self-extracting executable as does the "noisy" install. The difference is, no prompts appear and the user is not required to enter any information or select any options. A noisy install prompts the user for installation options, such as selecting the installation directory, in addition to the reboot prompt.

These possible checkbox options would be combined for the following effects once the Windows or Linux agent installation has completed:

Force reboot checkbox enabled, Quiet install checkbox enabled: The install ends by displaying a prompt indicating that a reboot will occur within 5 minutes.

Force reboot checkbox disabled, Quiet install checkbox enabled: The install proceeds and ends quietly with no prompts. Full functionality occurs the next time the user happens to reboot.

Force reboot checkbox disabled, Quiet install checkbox disabled: The install prompts the user for the installation directory path and ends by displaying a prompt indicating that an update has occurred and that the end user can reboot the system at their convenience for full functionality.


Step 9 Click the Make Kit button.

Step 10 If you are ready to create the kit and generate all pending rule changes, click the Generate Rules link to advance to the Generate Rule Program page. The rules that require generation are listed at the bottom of the page.

Step 11 Click Generate to generate all rule changes and make your kit available for deployment. Once the generation rules operation completes, you receive the message, "Rule program generation successful." Once the agent kit has been created, you can view the contents of the kit and obtain the agent kit's URL for deployment.

Creating Agent Kits and Groups Using a Wizard

The agent kit wizard allows you to create an agent kit, associate policies with the kit, and create a new group for those policies, all in one process. This is a good method of creating agent kits if you are not using any existing groups.

The agent kit Wizard is available to Advanced Mode and Simple Mode users. Both kinds of users can access the agent kit wizard from the Agent Kits page and Host Security page.

When you finish using the wizard to create an agent kit, the last step generates the kit along with generating all pending rule changes. If you prefer not to generate rule changes immediately after creating an agent kit or you want to create an agent kit using existing groups, use Creating Agent Kits from Existing Groups procedure instead of this one.

To create an agent kit using the wizard, follow this procedure:


Step 1 Launch the agent kit wizard in one of these ways:

In Advanced Mode, mouse-over Systems in the menu bar and select Agent Kits from the drop-down menu. On the agent list page, click Wizard.

In Simple Mode, mouse-over Systems in the menu bar and select Agent Kits from the drop-down menu. On the agent list page, click New.

In Simple Mode or Advanced Mode, move the mouse over Configuration in the menu bar and select Host Security from the drop-down menu that appears. The Host Security page is displayed. Click New.

Step 2 In the Identify Target Hosts step, select the operating system for which the agent kit is intended and select Server or Desktop as the intended platform. Click Next.

Step 3 In the Host Security step, select one or more policies you want to distribute through this agent kit. Click Next to continue or click Back to return to the previous step.

Step 4 In the Settings step, specify the following attributes:

Provide a name and short description of the new group in the fields under Agents installed from this kit will be automatically added to the following group.

Optionally, select the Audit Mode checkbox for this group. Audit mode causes agents to log events (if logging is enabled in the rule) for actions that trigger rules but allow those actions to take place. Read more about Audit Mode.

Optionally, select Force reboot after agent kit installation. This installation method requires a quiet installation. The installation ends by displaying a prompt indicating that a reboot will occur within 5 minutes.

Optionally, select whether or not to have agents install "quietly" on end-user systems (Windows and Linux only). A Quiet install requires users to download the self-extracting executable as does the "noisy" install. The difference is, no prompts appear and the user is not required to enter any information or select any options. A noisy install prompts the user for installation options, such as selecting the installation directory, in addition to the reboot prompt.

These possible checkbox options would be combined for the following effects once the Windows or Linux agent installation has completed:

Force reboot checkbox enabled, Quiet install checkbox enabled: The install ends by displaying a prompt indicating that a reboot will occur within 5 minutes.

Force reboot checkbox disabled, Quiet install checkbox enabled: The install proceeds and ends quietly with no prompts. Full functionality occurs the next time the user happens to reboot.

Force reboot checkbox disabled, Quiet install checkbox disabled: The install prompts the user for the installation directory path and ends by displaying a prompt indicating that an update has occurred and that the end user can reboot the system at their convenience for full functionality.


Click Next to continue or click Back to return to the previous step.

Step 5 Read the Summary description of the new agent kit. If you want to change any aspect of the agent kit before creating it, click the Back button to return to the previous step, or click the edit link next to any of the previous steps to edit the attributes of that step.

When you are ready to create the agent kit, and simultaneously generate all pending rule updates, click Finish.

Step 6 Once the agent kit has been created, the description of the agent kit, including its URL is displayed in a pop-up dialog box. From this dialog box you can delete the kit or click View Kit List to see a complete list of available agent kits.

Distributing Agent Kits

After agent kits are created, they are assigned a URL (see Figure 3-4). You may distribute this URL, via email for example, to the host systems the kit is designated for. They access the URL to download and then install the kit. This is the recommended method of agent kit distribution.

You may also point users to a URL for the CSA MC system. This URL will allow them to see all kits that are available. That URL is:

https://<system name>/csamc60/kits

If you are pointing users to the "kits" URL and you have multiple agent kits listed here, be sure to tell users which kits to download.


Note The Registration Control feature also applies to the <system name>/csamc60/kits URL. If the Registration Control feature (see Registration Control for details on the feature) prevents your IP address from registering, it also prevents you from viewing this "kits" URL.



Note For a host to download an agent kit and communicate with the CSA MC, certain ports must be available. See "Port Availability Requirements" in Installing Management Center for Cisco Security Agents for more information about port requirements.



Note You must generate rules after agent kits are created. See Agent Kit Status for details on when a kit is ready for download.


To view existing agent kits, follow this procedure:


Step 1 In either Simple Mode or Advanced Mode, move the mouse over Systems in the menu bar and select Agent Kits from the drop-down menu. The list of available agent kits appears.

Step 2 Click the name of the kit to see its agent kit page.

Step 3 The agent kit page provides a description of the kit and allows you to perform these actions:

Click the links in the Group Membership area to view the details of the groups included in this agent kit. Hosts that download this agent kit will become members of these groups.

Using Internet Explorer, you can copy the URL of the agent kit to the clipboard using a command button.


Caution Clicking the URL itself begins the process of installing the agent kit on your local machine.


Note The page for your agent kit also displays the status of the kit. See Agent Kit Status for details on when a kit is ready for download.


Figure 3-4 Agent Kit Download URL


Note If you installed Management Center for Cisco Security Agents to the default directory, all agent kits are placed in the https://<system name>/csamc60/kits directory.


Agent Kit Status

On the Agent Kits list page, each agent kit is assigned a status that reflects its readiness for deployment.

Ready: This means that the agent kit is ready for download to host systems.

Needs rule generation: This means that all agent kit configuration parameters are complete, but you must generate rules before the kit can be downloaded.

Incomplete: This means that you have not configured all the necessary parameters for this agent kit. You must complete the configuration and then generate rules before the kit can be downloaded.

Undeployable: This status only occurs if you have ungenerated kits on the MC and then you upgrade the MC to a newer version. Agent kits that were created but never generated and have an old version number can never be deployed and should be deleted.

Old version: This status indicates that there is a newer version of a default agent kit on the CSA MC that is available for distribution.

Figure 3-5 Agent Install Complete Prompt for Optional Not-Automatic Reboot

Figure 3-6 Agent Install Complete Prompt for Automatic Reboot

Agent Reboot vs. No Reboot

If a system is not rebooted following the Cisco Security Agent installation, the following functionality is not immediately available. (This functionality becomes available the next time the system is rebooted.)

Windows agents

Network Shield rules are not applied until the system is rebooted.

Network access control rules only apply to new socket connections. Network server services should be stopped and restarted for full network access control security without a system reboot.

Data access control rules are not applied until the web server service is restarted.

For Solaris and Linux agents, when no reboot occurs after installation, the following caveats exist:

Network access control rules only apply to new socket connections. Network server services should be stopped and restarted for full network access control security without a system reboot.

Buffer overflow protection is only enforced for new processes.

File access control rules only apply to newly opened files.

Data access control rules are not applied until the web server service is restarted.


Note The reboot information here only applies to new agent installations. It does not apply to software updates. Please refer to Table 3-1 for software update reboot details.


Figure 3-7 Download Agent Kits

Registration Control

This feature is accessible from the Systems item in the menu bar. Enter a range of addresses in the registration control page to restrict which agent hosts can register with CSA MC. Only those hosts with addresses entered here can register with CSA MC.

The default entry here is <all> (0.0.0.0-255.255.255.255), which applies no address registration restrictions. An example entry of restricted registration addresses follows. (Only those addresses within the ranges listed can register. Each range is inclusive.)

192.168.10.0-192.168.10.255
172.16.20.0-172.16.20.255
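The following Python snippet is an added example and is not part of the Cisco documentation or the CSA MC product. It models the semantics the page states for Registration Control: one inclusive "start-end" IPv4 range per line, with the default <all> entry expanding to 0.0.0.0-255.255.255.255, and the same check gating both agent registration and the kits URL. The function names and the host records are this example's own; the MC's actual parser is not described on the page.

```python
import ipaddress

# Default entry on the Registration Control page, as the page states it.
DEFAULT_ENTRY = "<all>"
ALL_RANGE = (ipaddress.IPv4Address("0.0.0.0"),
             ipaddress.IPv4Address("255.255.255.255"))


def parse_registration_ranges(text):
    """Parse Registration Control entries, one "start-end" IPv4 range per line.

    "<all>" expands to 0.0.0.0-255.255.255.255. Returns a list of
    (start, end) IPv4Address pairs; both bounds are inclusive. This models
    the behaviour described on the page; it is not the MC's own parser.
    """
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == DEFAULT_ENTRY:
            ranges.append(ALL_RANGE)
            continue
        start_s, sep, end_s = line.partition("-")
        if not sep:
            raise ValueError(f"expected start-end range, got {line!r}")
        start = ipaddress.IPv4Address(start_s.strip())
        end = ipaddress.IPv4Address(end_s.strip())
        if end < start:
            # A reversed range would silently match nothing; reject it instead.
            raise ValueError(f"range end precedes start: {line!r}")
        ranges.append((start, end))
    return ranges


def may_register(address, ranges):
    """True if the agent's source address falls inside any configured range.

    The page notes the same restriction gates the /csamc60/kits URL, so the
    same check decides whether a host can even download a kit.
    """
    ip = ipaddress.IPv4Address(address)
    return any(start <= ip <= end for start, end in ranges)


# Constructed sample entries, mirroring the example ranges on the page.
SAMPLE_RANGES = parse_registration_ranges(
    "192.168.10.0-192.168.10.255\n172.16.20.0-172.16.20.255\n"
)

if __name__ == "__main__":
    for addr in ("192.168.10.7", "172.16.20.255", "10.0.0.5"):
        verdict = "may register" if may_register(addr, SAMPLE_RANGES) else "blocked"
        print(f"{addr}: {verdict}")
```

Checking candidate ranges this way before entering them on the page lets an administrator confirm that the hosts expected to register (and only those) fall inside the configured ranges.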

Agent Registration

When an agent kit is ready for distribution, you can notify end users to download and install the kit from the URL produced by CSA MC when the kit is made. Once the kit installation is complete, each individual host's agent automatically and transparently registers with CSA MC.


Note Each kit is created for particular groups based on the policies that will be attached to those groups. Policies are described in Chapter 4, "Building Policies".


Scripted Agent Installations

You can use scripts to silently install Windows Cisco Security Agents on end user systems. (Scripted agent installs are not supported on Linux and Solaris systems.)

The agent kit is a self-extracting executable placed in the following directory on the server:

%Program Files%\Cisco\CSAMC\csamc60\bin\webserver\htdocs\deploy_kits

Retrieve the kit from this directory or download it from the server. You can then use a script to copy and silently install agent kits on systems. Note that you must select the Quiet install checkbox when you build the kit if you are planning to install it via a script.

Whether or not an end user system is going to have a visible agent UI or a hidden one (see Agent UI Control, page 6-4), the end user (or administrator) must download and install the agent kit on the system.

Agent kits can be distributed using third party software distribution tools. See Distributing Agent Kits Using a Third Party Tool in Chapter 3 of Installing Management Center for Cisco Security Agents.

Managing Hosts Using CSA MC

A host is any system that has installed an agent kit from CSA MC and has registered with CSA MC. The host may be a desktop or server and may be of any supported operating system type.

Once the host has registered with CSA MC, it can receive policy updates, it can be added to or removed from groups, and its status can be monitored by CSA MC.

Viewing General Host Statuses with CSA MC

Follow this procedure to view the general status of all hosts managed by CSA MC:


Step 1 Move your mouse over Events in the menu bar and click Status Summary in the drop-down list.

Step 2 If it is not already expanded, click the plus box next to Network Status.

Step 3 There are several Network Status categories listed in the status summary page. Next to each category is a number indicating how many hosts have been placed in each of the status categories. Click the link for the number of hosts in the category to see the host list view for that category.

Viewing Hosts Managed by CSA MC

To view the hosts that are managed by CSA MC, follow this procedure:


Step 1 Log on to the CSA MC and switch to Advanced Mode.

Step 2 Mouse over Systems in the menu bar and click Hosts in the drop-down menu.

Step 3 (Optional) Sort the host list by operating system.

Step 4 From the drop-down list box, select one of the following host statuses:

Active: A host is active if it polls into the management server at regular intervals and at least once in 24 hours. When you select this viewing option, a "Yes" for Active or a "No" for Not Active appears in the column.

Security level: This option indicates if the user has set the security level on their local agent to Off, Low, Medium, or High.

Protected: When you select this viewing option, a "Yes" for Protected or a "No" for Not Protected appears in the column. A system is not protected if it does not belong to a group or if it belongs to a group that has no policies attached.

Latest software: When you select this viewing option, a "Yes" for Latest Software or a "No" for Not Latest Software appears in the column. If an agent is not running the latest software, you will want to deploy a software update.

Audit mode: When you select this viewing option, a "Yes" for running in Audit Mode or a "No" for Not Running in Audit Mode appears in the column.

Learn mode: When you select this viewing option, "On" indicates the host is running in Learn Mode, "Off" indicates the host is not running in Learn Mode.

Last Poll: When you select this viewing option, the time and date of the most recent poll for the host is displayed.

Viewing Host Details

To view detailed information about one host, follow this procedure:


Step 1 Log on to the CSA MC and switch to Advanced Mode.

Step 2 Move your mouse over Systems in the menu bar and click Hosts in the drop-down menu.

Step 3 (Optional) Sort the host list by operating system.

Step 4 Click the link to a host to view detailed information about that host on the Host Detail page (see Figure 3-8).

From the Host Detail Page you have access to these tasks and information:

Host Tasks

Host Name and Description

Host Identification

Host Status

Host Settings

Group Membership and Policy Inheritance Table

Combined Policy Rules Table

Figure 3-8 Host Detail View

Host Tasks

Expand the Tasks menu on the host details page to view links that will help you perform these host maintenance tasks:

Click the Modify group membership link in the Quick Links box on the host detail page (see Figure 3-8) to add or remove this host from a group. See the procedure, Modifying the Group Membership of a Single Host, for the complete procedure.

Click the Reset Cisco Security Agent link to reset certain values that may have been configured or selected by the end user. See Resetting Cisco Security Agents for details.

Click View Related Events to view an event log showing only the events for the host you are looking at.

CSA MC provides an explanation, in paragraph form, of the policies attached to each host. Clicking the Explain rules link takes you to this paragraph explanation. The Explain Rules link is available for Advanced Mode users only.

Host Name and Description

Name and Description: These fields are populated with information received from the agent system when it registers. This is the name that identifies this host system on the network. This name does not have to be unique. CSA MC assigns each registering host a unique ID number by which the database identifies it.

Contact Information: Click this link to view any contact information provided to the agent by the user. The available fields for the user are: first name, last name, email, telephone, and location. The user is not required to provide this information; however, if an agent is generating alerts, having this contact information readily available could expedite troubleshooting.

Host Identification

Product Information—This is the Cisco Security Agent version for this particular machine.

Last known IP address—This is the IP address of the host. If DHCP addressing is used, this is the last known address of the host.

Host ID—CSA MC assigns each registering host a unique ID number by which the database identifies it.

UID—This is a globally unique ID for your agent. It is obtained from the agent kit. Different kits present different IDs. Every host that installs a particular kit will have the same registration ID. Once registered, however, each host receives a unique global ID.

Registration time—This is the time that the agent registered with CSA MC.

Last update time—This is the time that the agent received its last software update.

Operating System—This is the operating system installed on this particular machine. If the operating system is unsupported, this information appears here in red text.

Cisco Trust Agent status—This displays whether optional CTA software is Installed, Not installed, Active, or Inactive on the system. This also displays the status of the CTA software version. If this field displays Not active, either CTA is not installed or NAC is not configured to check CSA attributes. If CSA attributes are not being queried by the NAC infrastructure, the status is Not active. (Note that if CTA software is active, this field also displays the current CTA posture status.)

Host Status

Events issued in the past 24 hours—This is the number of events (rule triggers) that have occurred on the host system in the given time frame.

Software Version—This is the version of Cisco Security Agent software the system is running. If there is a software update available for this host, this field provides that information. If an update for a host is scheduled but not yet installed, this field provides that information as well.

Policy version—This field reads "Up-to-date" or "Not up-to-date", indicating whether the agent has the latest policy configuration from CSA MC.

Time since last poll—This is the interval since the host system's last polling request.

Time since last AV signature update—This is the interval since the host system last received a ClamAV signature update.

AV full scan schedule—Displays the schedule for ClamAV scanning. Navigate Systems > Host Tasks > Host Scanning Tasks to see all scanning tasks.

DL full scan schedule—Displays the schedule for Data Loss Prevention using scanning data tags. Navigate Systems > Host Tasks > Host Scanning Tasks to see all scanning tasks.

Security level—This indicates the current level displayed by the Security Level bar in the agent UI.

Untrusted rootkit detected (state condition)—This indicates that the host has been in this named state. The only way to clear this state is to reset the state on the host. See System State Sets, page 8-28.

Insecure boot detected (state condition)—This indicates that the host has been in this named state. The only way to clear this state is to reset the state on the host. See System State Sets, page 8-28.

BIOS supported boot detection—This indicates if the host system BIOS is compatible with BIOS dependent boot detection features. See Kernel Protection, page 6-39.

Time since last Application Deployment data upload—If application deployment data collection is enabled on the end user system, this indicates the time of the most recent upload of analysis logging data.

Detailed status and diagnostics—Click this link to view status information for the host in question. The Host Diagnostics window (see Figure 3-9) that is opened by this link uploads information from the agent. NOTE that you may have to click the Diagnose button to retrieve the most recent host information. This causes the agent to poll in with status data. You can use this information to diagnose agent issues and to view the current states and policies running on the agent system.

Clicking the Diagnose button also remotely triggers a program on the agent to gather additional self-describing diagnostic information on the system and on the agent itself. When the collection is complete, a "csa-diagnostics.zip" file is created and automatically uploaded to the MC. This zip file can be accessed from the Host Diagnostics window. The Uploads section of this window displays how many diagnostic zip files have been uploaded. The MC can store a maximum of 3 diagnostic files per host. Click on the <#> Uploads link on the Host Diagnostics pop-up window to access the individual .zip files (see Figure 3-10).


Note The CSA MC can store a total of 100 diagnostic files for all hosts.


Figure 3-9 Host Diagnostics Pop-up Window - Data

Figure 3-10 Host Diagnostics Pop-up Window - Uploads Window


Note Host diagnostics are available locally to the Windows end user from the Start>Programs>Cisco>Cisco Security Agent>Cisco Security Agent Diagnostics menu on systems where the agent is installed. The end user can manually select "Cisco Security Agent Diagnostics" which causes the agent to gather self-describing diagnostic information on the system and on the agent itself.
Host diagnostics are available locally to the UNIX and Linux end user by executing the ./diag shell script from the /opt/CSCOcsa/bin directory. This creates a csa-diagnostic.gz file in the /tmp directory.


Host History information is also available from the Host Diagnostics pop-up window. The feature itself (the collection of host history data) is enabled and disabled from the Status Summary page. Clicking the History link at the top of the Host Diagnostics pop-up window takes you to a page that provides the following types of information: host registration, audit mode setting changes, learn mode setting changes, IP address changes, CTA posture changes, CSA version changes, and host active/inactive status changes.

When you enable Host history collection, a two week history of the previously listed host status changes is maintained for every host registered with the MC.

You may want to use these various types of agent diagnosis information in conjunction with the Reset Cisco Security Agent option available from the host Quick Links section. This way, you can reset the values that you are viewing in the host diagnosis window through a combination of polling and clicking between windows.


Note The same Reset Cisco Security Agent functionality is also available on the Groups page (see Resetting Cisco Security Agents for a description of the available reset options). To centrally reset all hosts in a group to the system default settings, use the reset functionality from the Group page. (Note that this reset option is also available locally on the agent system.)


Host Settings

Polling interval (seconds)—The value shown here indicates the time interval in which this system polls in to the management server. This feature is configurable through the Groups page.

Send polling hint—This field indicates if the polling hint capability is turned on for the group in which this host is a member. See Configuring Groups for details on this setting. This field will display "On (unavailable)" if NAT or PAT exists between CSA MC and the agent, which prevents the hint message from being received.

Audit Mode—If this host is part of a group operating in "audit mode," then the field shows Audit Mode is ON, otherwise, the field shows that Audit Mode is OFF.

Learn Mode—If this host is part of a group operating in "learn mode," then the field shows Learn Mode is ON, otherwise, the field shows that Learn Mode is OFF.

Verbose logging mode—This field can read as either OFF or ON, indicating whether this feature is enabled for this host. This feature is configurable through the Groups page.

Log deny actions—This field indicates if the Log all deny actions capability is turned on for the group in which this host is a member. See Configuring Groups for details on this setting.

Log set actions—This field indicates if logging for all set rules is turned on for the group in which the host is a member. See Configuring Groups for details on this setting.

Filter user info from events—This field indicates if the Filter user from events capability is turned on for the group in which this host is a member. See Configuring Groups for details on this setting.

AV protection—Indicates what kind of AntiVirus protection is enabled. If the Antivirus - Behavior based (desktops) policy is distributed to the host, AV protection will indicate behavior based. If the AntiVirus - Signature based policy (desktops or servers) is distributed to the host, the AV Protection field will indicate signature based and provide the version of ClamAV signatures active on the host.

Data Loss Prevention—If the Data Loss Prevention policy is deployed to the host, the Data Loss Prevention field indicates ON, otherwise, the field indicates OFF.

Application Deployment investigation enabled—This appears if application deployment data collection capability, available from the Analysis menu bar item, is enabled on the end user system. If this feature is enabled, you can access analysis reports from a link on this page. If this feature is not enabled, you can enable it from a link here. (You may have to create a new group in order to enable this feature. You can also do that task from a link that appears here.) See Chapter 13, "Using Cisco Security Agent Analysis" for detailed information on this feature.

Group Membership and Policy Inheritance Table

The group membership and policy inheritance table provides you with a list of hyperlinks to all the groups the host is a member of, the policies attached to those groups, and the rule modules attached to those policies. From these links you can jump to any of the listed security components to learn more about them.

Combined Policy Rules Table

This table provides you with a list of all the rules that affect the host. These combined lists are often quite long for any host. You can filter and sort the rules to get a better understanding of how the rules work.

Searching for Hosts

You can search for hosts while logged on as a user with any level of privileges and in simple or advanced mode. However, if you are logged on as a user with deploy or configure privileges, you will be able to administer the hosts you find more easily.


Step 1 Log on to the CSA MC as any user. You can search for hosts in simple or advanced mode.

Step 2 Mouse over Search in the menu bar and select Hosts from the drop-down menu that appears.

Step 3 In the search field, enter a string for which to search. The search will find hostnames containing this string.

Step 4 Refine your search by selecting one additional radio button from the Host Search Criteria Box. The buttons are explained below:

Active hosts with the "the latest" or "an old" configuration. The search finds hosts that poll into the management server at regular intervals and at least once in 24 hours. The search will find hosts with either "the latest" policy updates or "an old" policy.

Active hosts with "software update pending" or "old software." The search finds hosts that poll into the management server at regular intervals and at least once in 24 hours. It will find hosts with Cisco Security Agent software updates pending or hosts with old software.

Active hosts with "Disabled, Low, Medium, High" Cisco Security Agent level. This finds hosts with the selected level set in the agent UI System Security page slide bar.

Hosts not actively polling (status unknown). This search finds hosts that have missed three polling intervals or have not polled into the CSA MC in 5000 seconds, whichever is greater. A host is also considered inactive if it has not polled in within 24 hours, no matter how many polling intervals it has missed.

Hosts that have not polled for (a specified number) of days.

Unprotected hosts. This search finds hosts that do not belong to any group or hosts that belong to groups which have no policies attached.

Hosts with unsupported platforms. An unsupported platform is an operating system not listed in the System Requirements section of the "Installing Management Center for Cisco Security Agents." It is also an operating system running with a service pack not qualified for use with the agent.

Hosts using "desktop, server" licenses. This search finds either all agents running under desktop system licenses or server system licenses.

Hosts with or without Cisco Trust Agent installed. This search finds hosts on which optional Cisco Trust Agent software is or is not installed.

Hosts attached to group. This search finds hosts attached to the one group you pick from the drop down box.

Hosts attached to group for <#> of days. This search finds hosts attached to the one group you pick from the drop down box for the number of days you enter in the available edit field.

Hosts running in audit mode. Agents on hosts running in audit mode do not deny any action or operation even if an associated policy says it should be denied. Instead, the agent allows the action and logs an event if a deny or query rule is triggered.

Hosts in state condition "Insecure boot detected, Untrusted rootkit detected". This search finds hosts that are in the system state condition selected. All the possible state conditions are not listed here. The state conditions listed here are persistent and can only be cleared using the Reset function. See System State Sets, page 8-28 for details.

Hosts with BIOS supported boot detection. This search finds host systems running with a BIOS that supports the "Insecure boot detected" system state functionality. See System State Sets, page 8-28 for details.

Hosts currently using or that have used a particular IP address.

Hosts without Application Deployment Investigation data upload. This search finds hosts where the Application Deployment Data collection capability is disabled on the end user system.

Hosts only manageable via the Advanced Mode. This search finds hosts that can only be moved to the recycling bin while the administrator is acting in advanced mode.

Hosts with AntiVirus / Data Loss Prevention protection enabled. If you select the AntiVirus criterion, this search finds hosts that use signature-based or behavior-based anti-virus policies. Clicking the + box allows you to search for hosts that have not had signature updates in a specified number of days.

If you select the Data Loss Prevention criterion, this search finds hosts that use the data loss prevention policy.

All. This is the default setting. All hosts whose names contain the searched-for string will be found.

Step 5 Use the Display <Operating System> Hosts running <any> version fields to search for hosts running on a particular operating system or running a particular version of CSA.

Step 6 In the Preferences box, select any of the following check-boxes:

Show references box. This box is checked by default. When you include this in your search criteria, you will be able to look up the group memberships of the hosts you found with the search.

Search on description. If you check the box for this preference, hostnames and description fields are both searched for the string you entered in the search field.

Search all other fields. Select this checkbox to search all database fields (including the description field) for the string value.

Step 7 Specify how many search results will be displayed on a page in the Results per page field.

Step 8 Click Find. If the search finds matches, the hosts are displayed in a list and the search criteria box is collapsed. If the search finds no matches, the message "No Results Found" is displayed under the search criteria.

Deleting Hosts from the CSA MC

To delete inactive or irrelevant hosts from the CSA MC, first move them to the host recycle bin and then purge them.

The Host Recycle Bin

The recycle bin window is available from the hosts list page. Hosts are moved to the recycling bin manually by the CSA MC administrator or automatically following a migration of hosts to an upgraded CSA MC. Moving Hosts to the Recycle Bin From the Host List Page and Moving Hosts to the Recycle Bin that Meet a Search Criteria describe two methods of manually moving hosts to the recycling bin.

This is how hosts end up in the recycle bin after a migration: If you upgraded your CSA MC to the current version, host and group information from the old MC was migrated to the new MC either automatically or by you when you ran a migration script. Then you scheduled a software update for the hosts so they could receive an upgraded agent. Before the hosts receive the software update, install it, and poll into the new MC, the hosts are included in the "Migrated" count of the recycle bin on the new MC. As hosts start polling in to the new MC, the number of hosts in the Migrated count of the recycle bin decreases. After a host polls in and registers with the new MC, the host appears on the hosts list page with an "active" status.

Keeping track of the number of migrated hosts allows you to purge inactive hosts that never migrated to the new CSA MC.

When a host is moved to the recycling bin, the host is cached by the MC but it is no longer visible on the MC. The host's information is kept on hand by the MC in case the host polls in again. If it does, its group membership is re-established and the host is displayed again, in the active state, on the host list page.

Figure 3-11 Hosts Recycle Bin

Moving Hosts to the Recycle Bin From the Host List Page

Use this procedure to manually move hosts to the recycle bin and then permanently purge them.


Step 1 Log on to the CSA MC as a user with configure privileges and switch to advanced mode.

Step 2 Mouse over Systems in the menu bar and click Hosts in the drop-down menu.

Step 3 (Optional) Use the column headers and filters at the top of the host list page to identify the host or hosts you want to move to the recycling bin.

Step 4 From the host list page there are two ways to remove hosts.

Select the checkbox next to the hostname(s) you want to remove and then click Move to Recycle Bin. When prompted, make sure you are moving the correct host(s) and click OK to move the host(s) to the recycle bin.

From the host list page, click the link to a host. Review the host details (see Figure 3-8) to make sure you are removing the correct host and then click Move to Recycle Bin. When prompted, make sure you are moving the correct host and click OK to move the host.

When a host is moved to the recycling bin, the host is cached by the MC but it is no longer visible on the MC. The host's information is kept on hand by the MC in case the host polls in again. If it does, its group membership is re-established and the host is displayed again, in the active state, on the host list page.

See Purging Hosts from the CSA MC for information about purging hosts.

Moving Hosts to the Recycle Bin that Meet a Search Criteria

Use this procedure to manually move hosts to the recycle bin.


Step 1 Use the procedure in the "Searching for Hosts" section to find the hosts you want to move and purge.

Step 2 Click the checkboxes next to specific hosts to act on those hosts alone, or leave all the boxes unchecked to act on all the hosts found by the search.

Step 3 Click the Operations button at the bottom of the search results list page and select Move to Recycle Bin.

Step 4 In the Move to Recycle Bin drop-down list box, select either All hosts matching the current search criteria or Selected Hosts.

Step 5 Click Execute. This function moves the specified hosts to the recycle bin.

Step 6 When prompted, click OK to move the hosts to the recycle bin.

The hosts are now in the recycle bin. If you click View Recycle Bin, you will see that the count of Moved hosts has increased by the number you moved to the recycling bin.

When a host is moved to the recycling bin, the host is cached by the MC but it is no longer visible on the MC. The host's information is kept on hand by the MC in case the host polls in again. If it does, its group membership is re-established and the host is displayed again, in the active state, on the host list page.

See Purging Hosts from the CSA MC for information about purging hosts.

Purging Hosts from the CSA MC

Once an agent installs on a host system and registers with CSA MC, that host is not immediately or automatically removed from the CSA MC hosts list if the agent is uninstalled from the system.

Hosts are automatically purged from the system if they have been inactive for either 30 days or 60 days. If a host's group membership is the same as it was when it registered, the host is automatically purged from the CSA MC after 30 days of inactivity. If a host's group membership has changed from the time it registered, the host will be automatically purged from the CSA MC after 60 days of inactivity.

Inactive hosts are running agent software that has missed three polling intervals or has not polled into the CSA MC in 5000 seconds, whichever is greater. A host is also considered inactive if it has not polled in within 24 hours, no matter how many polling intervals it has missed. Active hosts poll into the CSA MC at least once a day.
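The following Python snippet is an added example and is not part of the Cisco documentation or the CSA MC product. It encodes the inactivity rule stated here and in the "Hosts not actively polling" search criterion under Searching for Hosts (three missed polling intervals or 5000 seconds, whichever is greater, and always inactive after 24 hours), together with the 30-day / 60-day automatic purge rule from the preceding paragraph. The host records, field names and the reference time are constructed for the example; it also assumes the purge clock is measured from the host's last poll, which the page does not state explicitly.

```python
from datetime import datetime, timedelta, timezone

# Thresholds as the page states them.
MIN_INACTIVE_SECONDS = 5000            # "has not polled ... in 5000 seconds"
MISSED_POLLS_FOR_INACTIVE = 3          # "missed three polling intervals"
MAX_ACTIVE_GAP_SECONDS = 24 * 60 * 60  # inactive after 24 h regardless of interval
PURGE_DAYS_UNCHANGED_GROUPS = 30       # group membership unchanged since registration
PURGE_DAYS_CHANGED_GROUPS = 60         # group membership changed since registration


def inactivity_threshold(polling_interval_s):
    """Seconds without a poll after which a host counts as inactive.

    Three missed intervals or 5000 seconds, whichever is greater, but never
    more than 24 hours, because the 24-hour rule applies no matter how many
    intervals have been missed.
    """
    by_interval = max(MISSED_POLLS_FOR_INACTIVE * polling_interval_s,
                      MIN_INACTIVE_SECONDS)
    return min(by_interval, MAX_ACTIVE_GAP_SECONDS)


def is_inactive(last_poll, polling_interval_s, now):
    """True if the host has not polled within its inactivity threshold."""
    gap = (now - last_poll).total_seconds()
    return gap > inactivity_threshold(polling_interval_s)


def auto_purge_days(group_membership_changed):
    """Days of inactivity after which the MC purges the host automatically."""
    if group_membership_changed:
        return PURGE_DAYS_CHANGED_GROUPS
    return PURGE_DAYS_UNCHANGED_GROUPS


def host_state(host, now):
    """Classify one host record as 'active', 'inactive' or 'purge'.

    The record layout (a dict with these keys) is this example's own.
    Assumption: the purge clock runs from the last poll.
    """
    gap = now - host["last_poll"]
    if gap.days >= auto_purge_days(host["group_membership_changed"]):
        return "purge"
    if is_inactive(host["last_poll"], host["polling_interval_s"], now):
        return "inactive"
    return "active"


# Constructed reference time and host records (not real CSA MC data).
NOW = datetime(2024, 1, 31, 12, 0, tzinfo=timezone.utc)
SAMPLE_HOSTS = [
    # 600 s interval: threshold is max(1800, 5000) = 5000 s
    {"name": "ws-01", "last_poll": NOW - timedelta(seconds=1200),
     "polling_interval_s": 600, "group_membership_changed": False},
    {"name": "ws-02", "last_poll": NOW - timedelta(seconds=6000),
     "polling_interval_s": 600, "group_membership_changed": False},
    # 86400 s interval: the 24-hour cap decides, not three intervals
    {"name": "srv-03", "last_poll": NOW - timedelta(hours=20),
     "polling_interval_s": 86400, "group_membership_changed": False},
    {"name": "srv-04", "last_poll": NOW - timedelta(hours=25),
     "polling_interval_s": 86400, "group_membership_changed": False},
    # 31 days silent: purged only if group membership never changed
    {"name": "lab-05", "last_poll": NOW - timedelta(days=31),
     "polling_interval_s": 600, "group_membership_changed": False},
    {"name": "lab-06", "last_poll": NOW - timedelta(days=31),
     "polling_interval_s": 600, "group_membership_changed": True},
    # 61 days silent: purged even though group membership changed
    {"name": "lab-07", "last_poll": NOW - timedelta(days=61),
     "polling_interval_s": 600, "group_membership_changed": True},
]


def classify(hosts, now=NOW):
    """Map each host name to its state at the given reference time."""
    return {h["name"]: host_state(h, now) for h in hosts}


if __name__ == "__main__":
    for name, state in classify(SAMPLE_HOSTS).items():
        print(f"{name}: {state}")
```

Running the same rule over an export of last-poll times is a quick way to see which hosts will drop out of the active count before the MC reports it, and which silent hosts are approaching automatic purge and should be investigated first.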

When a host is moved from the hosts list page to the recycling bin, the host is cached by the MC but it is no longer visible on the MC. The host's information is kept on hand by the MC in case the host polls in again. If it does, its group membership is re-established and the host is displayed again, in the active state, on the host list page.

To completely remove a host from the MC, both visible and non-visible cached host information, you must manually purge this data from the Recycle Bin. Lastly, purging old, cached host information may improve CSA MC rule generation performance.

To purge hosts from the CSA MC, follow this procedure:


Step 1 Move the hosts you want to purge to the recycling bin using Moving Hosts to the Recycle Bin From the Host List Page or Moving Hosts to the Recycle Bin that Meet a Search Criteria.

Step 2 On the hosts list page, click View Recycling Bin.

Step 3 Select Moved to purge hosts that you manually moved to the recycling bin and select Migrated to purge hosts that have failed to migrate to an upgraded CSA MC.

Step 4 Click Purge.

Changing Host Memberships in Groups

When a host registers with CSA MC, it is automatically placed into the group(s) you designate for it. There is no need to add a host to a group initially. You only need to add hosts to groups when you are changing their group designation after they have registered.

Hosts may belong to multiple groups and receive policies that are attached to every group to which they belong. Removing hosts from a group removes the protection the hosts received from the various policies associated with that group.


Caution You can add hosts to or remove hosts from a group at any time. If you do change host group assignments, the policy configuration of a host that has been moved to another group will not take effect until you generate your rule programs and distribute them.


Note See Viewing Host Details for details on hosts.


There are several ways to change the host memberships in a group:

Modifying the Group Membership of a Single Host

Modifying the Host Membership in a Single Group

Bulk Transferring Hosts From One Group to Another

Modify Groups With Hosts That Meet a Search Criteria

Modifying the Group Membership of a Single Host

Use this procedure to add a host to, or remove a host from, various groups.


Step 1 Move the mouse over Systems in the menu bar and select Hosts from the drop-down menu. This shows you the host list view; it is a list of all the hosts managed by CSA MC.

Step 2 Click the link for the host whose group membership you want to modify.

Step 3 Click Modify group memberships in the Quick Links box. This takes you to a swap box page containing a list of groups of which the host is not a member on the left and a list of groups of which the host is a member on the right.

Step 4 Add your host to, or remove it from, groups:

To add your host to a group, select a group in the left swap box and click the Add button. The group now appears in the right swap box with the other groups to which the host belongs.

To remove your host from a group, select a group in the right box and click the Remove button. The group now appears in the left swap box with the other groups to which the host does not belong.

Step 5 Click the Generate Rules link at the bottom of the page. CSA MC updates the group memberships. When a host polls in to CSA MC, it will receive the group membership changes along with updates to any rules it now follows.


Note You may want to wait until all your maintenance tasks are performed on CSA MC and then generate rules for all your changes at once.


Modifying the Host Membership in a Single Group

Use this procedure to add or remove hosts from a single group.


Step 1 Move the mouse over Systems in the menu bar and select Groups from the drop-down menu that appears. This shows you the group list view; it is a list of all the groups managed by CSA MC.

Step 2 From the group list view, click the link for the group to which you want to add or remove hosts. This brings you to that group's edit view.

Step 3 From the edit view, click the Modify host membership link in the Quick Links box. This takes you to a swap box page containing a list of host systems that are not members of the group on the left and a list of hosts that are members of the group on the right.

Step 4 Add or remove hosts to this group (see Figure 3-12):

To add a host to this group, select the host in the left box and click the Add button. The host now appears in the right box with the list of all hosts attached to this group. The host is now a member of the group.

To remove hosts from this group, select the host in the right box and click the Remove button. The host now appears in the left box with the list of all hosts unattached to this group. The host is now not a member of this group.

In either case, to select multiple nonsuccessive items in a swap box, hold down the Ctrl key as you select each item. To unselect a single item, hold down the Ctrl key while you click on the item in question. Click the Select all link beneath the swap box to select all items in the swap box. When you click the Add or Remove button, all selected items are added or removed.

Step 5 Click the Generate Rules link at the bottom of the page. CSA MC updates the group memberships. When a host polls in to CSA MC, it receives the group membership changes along with updates to any rules it now follows.


Note You may want to wait until all your maintenance tasks are performed on CSA MC and then generate rules for all your changes at once.


Bulk Transferring Hosts From One Group to Another

Use the bulk transfer feature to easily move or copy all hosts from one group into the group you are currently viewing.


Step 1 Move the mouse over Systems in the menu bar and select Groups from the drop-down menu that appears. This shows you the group list view; it is a list of all the groups managed by CSA MC.

Step 2 From the group list view, click the link for the group to which you want to add or remove hosts. This brings you to that group's edit view.

Step 3 From the edit view, click the Modify host membership link in the Quick Links box. This takes you to a swap box page containing a list of host systems that are not members of the group on the left, and a list of hosts that are members of the group on the right.

The bulk transfer operations are at the bottom of this page. (See Figure 3-12.)

Step 4 In the Bulk Transfer box, select Move or Copy in the first drop-down list box to move hosts or copy hosts from the group you specify to the group whose membership you are modifying.

Step 5 In the second drop-down list box, select the group whose members will be moved out of or copied to the group whose membership you are modifying.

Step 6 Click OK. The hosts you moved or copied now appear in the right swap box with the list of hosts attached to this group. The hosts you moved or copied are now members of the group.

Step 7 Click the Generate Rules link at the bottom of the page. CSA MC updates the group memberships and when a host polls in to CSA MC, it receives the group membership changes along with updates to any rules it now follows.


Note You may want to wait until all your maintenance tasks are performed on CSA MC and then generate rules for all your changes at once.


When you next click the Generate button, policies associated with this group will no longer be applied to the removed hosts. (The host is not deleted from the database, it is just no longer part of the group.)

Figure 3-12 Add Hosts to Group

Modify Groups With Hosts That Meet a Search Criteria

Use this method to find all the hosts that match certain criteria and move them in and out of groups.


Step 1 Use the procedure in the "Searching for Hosts" section to find the hosts whose group memberships you want to change.

Step 2 Click the checkboxes next to specific hosts to act on those hosts alone, or leave all the boxes unchecked to act on all the hosts found by the search.

Step 3 Click the Operations button at the bottom of the search results list page. (See Figure 3-14.) The Host Operations Box opens. (See Figure 3-15.)

Step 4 In the Available Operations drop-down list box, select one of the following options:

Move to Recycle Bin. This function allows you to move hosts to the Recycle bin for the purpose of deleting those hosts from the local database. In the Move to Recycle Bin drop-down list box, select either All hosts matching the current search criteria or Selected Hosts.

Attach to group. This function copies hosts from one group to another.

In the Attach (if applicable) drop-down list box, select either All hosts matching the current search criteria or Selected Hosts.

In the to the following group drop-down list box, select the group to which you want to add the hosts.

Detach from group. This function removes hosts from a group.

In the Detach (if applicable) drop-down list box, select either All hosts matching the current search criteria or Selected Hosts.

In the from the following group drop-down list box, select the group from which you want to remove the hosts.

Step 5 Click Execute.

Step 6 When prompted, click OK to perform the operation or Cancel not to perform the operation. You receive a message confirming the success or failure of the operation.

Figure 3-13 Hosts Search Page

Figure 3-14 Hosts Search Results Page

Figure 3-15 Host Operations Box

Host Managing Tasks

The configuration options on the Host Managing Tasks page let you add, move, and remove hosts from selected groups at set times so that the action occurs automatically. A configured, automatic management task is useful in several scenarios. For example, you are conducting a pilot of the product and you want all newly registered hosts to remain in a group that has audit mode (see Using Audit Mode, page 5-32) enabled for a certain period of time before those hosts move to a group that is not in audit mode. Having this group movement occur automatically reduces the administrative burden of doing it manually, especially if it is your policy to have all new hosts start off in audit mode.

This same scenario can be applied to using learn mode (see Using Learn Mode, page 5-34). Rather than having to remember to move hosts out of a group with learn mode enabled or having to remember to turn learn mode off, you can use a host managing task to do this automatically when scheduled.

Configure a host managing task to automatically add, move, or remove hosts as follows:


Step 1 Log on to the CSA MC as an administrator with deploy or configure privileges and switch to advanced mode.

Step 2 Move the mouse over Systems in the menu bar and select Host Managing Tasks from the drop-down list that appears. The list of existing tasks is displayed.

Step 3 Click the New button to create a new task. The host managing tasks configuration page appears. See Figure 3-16.

Step 4 In the available fields, enter the following information:

Name—This is a unique name for this task. Names are case insensitive, must start with an alphabetic character, can be up to 64 characters long and can include alphanumeric characters, spaces, hyphens, and underscores.

Description—This description appears in the list view to help you identify this particular task.

Step 5 In the Configuration section of the page, select a combination of the following options:

Run this task every

Select one or more days of the week to run this task. You can also specify a certain time to run the task. If you do not specify a time (note that it is a 24-hour clock), the default time is midnight.

Add hosts from group <group name> to group <group name> if they have been part of the source group for more than <number> of days.

Use the Add checkbox option to put all hosts in an additional group without removing them from their current group. This addition to the selected group occurs only if the hosts have been part of the original group for longer than the time frame specified. This time frame can be between 1 and 365 days.

Move hosts from group <group name> to group <group name> if they have been part of the source group for more than <number> of days.

Use the Move checkbox option to migrate all hosts from the current specified group to another specified group. This moving of hosts from the selected group and the addition of those hosts to another group occurs only if the hosts have been part of the original group for longer than the time frame specified. This time frame can be between 1 and 365 days.

Remove hosts from group <group name> if they have been part of this group for more than <number> of days.

Use the Remove checkbox option to take all hosts from the current specified group out of that group. This removal of hosts from the selected group occurs only if the hosts have been part of that group for longer than the time frame specified. This time frame can be between 1 and 365 days.

Regenerate rule programs.

Agents do not receive most CSA MC configuration changes unless rules are generated after the changes are made. Therefore, if you configure a task to occur at a certain day and time and you want agents to pull the group configuration changes down when they occur, you must select this checkbox to generate rules as part of the task. If you do not select this checkbox, configuration changes that require a rule generation are only made on the MC and are not received by agents until a manual rule generation is performed.

Step 6 Click the Save button.

Step 7 (Optional) Click the Execute now button to immediately run the configured task.

Figure 3-16 Host Managing Tasks
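The task semantics from Step 5 (Add, Move and Remove after more than N days in the source group, the 1 to 365 day limit, and the effect of Regenerate rule programs), as an added Python simulation that is not Cisco code; class names, group names and the sample hosts below are constructed for illustration.

```python
"""Simulation of a CSA MC host managing task (added example, not Cisco code).

A task runs on selected weekdays at a set time (default midnight, 24-hour
clock) and applies the Add, Move and Remove options to hosts that have been
members of the source group for more than N days, where N is 1 to 365.
The "Regenerate rule programs" option decides whether agents pick the change
up on their next poll or only after a manual rule generation. Class, field
and host names are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, time
from typing import Dict, List, Optional, Tuple

MIN_DAYS, MAX_DAYS = 1, 365


@dataclass
class Host:
    name: str
    # group name -> date the host became a member of that group
    memberships: Dict[str, date]


@dataclass
class HostManagingTask:
    name: str
    run_days: set                                  # weekday numbers, Monday = 0
    run_at: time = time(0, 0)                      # default is midnight
    add: Optional[Tuple[str, str, int]] = None     # (source group, target group, days)
    move: Optional[Tuple[str, str, int]] = None    # (source group, target group, days)
    remove: Optional[Tuple[str, int]] = None       # (group, days)
    regenerate_rules: bool = False

    def __post_init__(self):
        for option in (self.add, self.move, self.remove):
            if option is not None and not MIN_DAYS <= option[-1] <= MAX_DAYS:
                raise ValueError("time frame must be between 1 and 365 days")

    def due(self, today: date) -> bool:
        return today.weekday() in self.run_days

    @staticmethod
    def _member_longer_than(host: Host, group: str, days: int, today: date) -> bool:
        joined = host.memberships.get(group)
        return joined is not None and (today - joined).days > days

    def run(self, hosts: List[Host], today: date) -> dict:
        """Apply the configured options to the hosts and report what changed."""
        if not self.due(today):
            return {"ran": False, "changed": [], "agents_updated_on_next_poll": False}
        changed: List[str] = []
        for host in hosts:
            touched = False
            if self.add:
                src, dst, days = self.add
                if self._member_longer_than(host, src, days, today) and dst not in host.memberships:
                    host.memberships[dst] = today      # added; the host stays in the source group
                    touched = True
            if self.move:
                src, dst, days = self.move
                if self._member_longer_than(host, src, days, today):
                    del host.memberships[src]           # leaves the source group ...
                    host.memberships.setdefault(dst, today)  # ... and joins the target group
                    touched = True
            if self.remove:
                group, days = self.remove
                if self._member_longer_than(host, group, days, today):
                    del host.memberships[group]
                    touched = True
            if touched:
                changed.append(host.name)
        # Without rule generation the change exists only on the MC until rules
        # are generated manually; with it, agents receive it on their next poll.
        return {"ran": True, "changed": changed,
                "agents_updated_on_next_poll": self.regenerate_rules}


def sample_hosts() -> List[Host]:
    """Constructed pilot fleet: two hosts that registered into an audit-mode group."""
    return [
        Host("ws-01", {"Audit Mode Pilot": date(2024, 2, 10)}),
        Host("ws-02", {"Audit Mode Pilot": date(2024, 2, 26)}),
    ]


def pilot_task() -> HostManagingTask:
    """Every Monday at 02:00, move hosts out of the pilot group after 14 days."""
    return HostManagingTask("pilot-to-production", run_days={0}, run_at=time(2, 0),
                            move=("Audit Mode Pilot", "Desktops", 14), regenerate_rules=True)


def demo(today_iso: str = "2024-03-04") -> dict:
    """Run the pilot task against the sample fleet on the given day (ISO date)."""
    hosts = sample_hosts()
    result = pilot_task().run(hosts, date.fromisoformat(today_iso))
    result["memberships"] = {h.name: sorted(h.memberships) for h in hosts}
    return result


if __name__ == "__main__":
    print(demo())
```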

Polling

Cisco Security Agents managed by a Management Center (CSA MC) poll into the CSA MC to obtain software updates and policy updates. If the CSA MC is not reachable for some reason, poll attempts will fail.

There are many situations in which an agent will poll the CSA MC. These are the most common:

Whenever the agent machine reboots

Whenever the agent service is started or restarted

Whenever the polling interval expires. The polling interval for a host is determined by its group membership.

The polling that occurs when the polling interval expires is randomized. This randomization is necessary to ensure that all your agents do not poll at the same time and overwhelm the CSA MC. For example, if a group's polling interval is 240 minutes (4 hours), then individual hosts in that group could poll in anywhere between 192 minutes (0.8 x interval) and 312 minutes (1.3 x interval).

If a host is a member of two groups, the host polls at the shorter polling interval of the two groups. For example, if the host is a member of one group that polls every 4 hours and a member of another group that polls every 6 hours, the host will poll every 4 hours.

Whenever the CSA MC sends the agent a "hint". The CSA MC sends "hints" in these circumstances:

Following rule generation.

A diagnostic request is made on the CSA MC, either for CSA in general or for Clam AV in particular.

Whenever the routing table changes on the agent machine. This can happen when there is a switch of interface card or when the host's IP address changes.

Whenever there is a change in the Cisco Trust Agent posture to something like Quarantined, Infected, or Checkup.

When an agent attempts to poll, the "Last poll time" field on the Status pane of the agent interface notes the time the poll was attempted. The poll itself may not have succeeded.

Inactive Hosts

Hosts are labeled "inactive" if they are running agent software but have missed three polling intervals or have not polled into the CSA MC in 5,000 seconds, whichever is greater. A host is also considered inactive if it has not polled in within 24 hours, no matter how many polling intervals it has missed. A host's polling status is updated on the CSA MC every hour.
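The polling rules above (shortest group interval, randomized 0.8x to 1.3x window), the inactive-host definition, and the 30/60-day automatic purge rule from the Purging Hosts section, as one added Python model that is not part of the Cisco documentation; the constant names, function names and sample hosts are constructed here.

```python
"""Model of the CSA MC host-status rules described on this page.

Added example, not Cisco code. Rules as the text states them: a host in several
groups polls at the shortest group interval; the poll is randomized to between
0.8x and 1.3x that interval; a host is "inactive" after missing three polling
intervals or 5000 seconds, whichever is greater, and in any case after 24 hours
without a poll; an inactive host is purged after 30 days (group membership
unchanged since registration) or 60 days (membership changed). Function names
and sample hosts are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

POLL_JITTER_LOW = 0.8             # randomized poll window, lower bound
POLL_JITTER_HIGH = 1.3            # randomized poll window, upper bound
INACTIVE_FLOOR_SECONDS = 5000     # "or 5000 seconds, whichever is greater"
INACTIVE_CAP_SECONDS = 24 * 3600  # inactive after 24 h no matter the interval
PURGE_DAYS_UNCHANGED = 30         # group membership same as at registration
PURGE_DAYS_CHANGED = 60           # group membership changed since registration


@dataclass
class Host:
    name: str
    group_poll_minutes: Dict[str, int]     # group name -> that group's polling interval
    seconds_since_last_poll: int
    groups_changed_since_registration: bool


def effective_poll_interval_minutes(group_poll_minutes: Dict[str, int]) -> int:
    """A host that belongs to several groups polls at the shortest interval."""
    if not group_poll_minutes:
        raise ValueError("a host must belong to at least one group")
    return min(group_poll_minutes.values())


def poll_window_minutes(interval_minutes: int):
    """Earliest and latest time after the previous poll at which the next poll fires."""
    return (interval_minutes * POLL_JITTER_LOW, interval_minutes * POLL_JITTER_HIGH)


def inactivity_threshold_seconds(interval_minutes: int) -> int:
    """Seconds without a poll after which the MC labels the host inactive."""
    missed_three = 3 * interval_minutes * 60
    return min(max(missed_three, INACTIVE_FLOOR_SECONDS), INACTIVE_CAP_SECONDS)


def is_inactive(host: Host) -> bool:
    interval = effective_poll_interval_minutes(host.group_poll_minutes)
    return host.seconds_since_last_poll > inactivity_threshold_seconds(interval)


def purge_after_days(groups_changed_since_registration: bool) -> int:
    return PURGE_DAYS_CHANGED if groups_changed_since_registration else PURGE_DAYS_UNCHANGED


def host_status(host: Host) -> str:
    """Classify a host as active, inactive, or due for automatic purge.

    Assumption (not stated on the page): days of inactivity count from the last poll.
    """
    if not is_inactive(host):
        return "active"
    days_since_poll = host.seconds_since_last_poll // 86400
    if days_since_poll >= purge_after_days(host.groups_changed_since_registration):
        return "purge"
    return "inactive"


def sample_fleet() -> List[Host]:
    """Constructed sample hosts that exercise each edge of the rules."""
    return [
        # 4 h and 6 h groups -> polls every 4 h; 12 h without a poll is three missed intervals
        Host("ws-01", {"Desktops": 240, "Finance": 360}, 12 * 3600 + 1, False),
        # 10-minute interval: the 5000-second floor applies, so 40 minutes is still active
        Host("ws-02", {"Pilot": 10}, 40 * 60, False),
        # 12 h interval: three intervals would be 36 h, but the 24 h cap applies first
        Host("srv-01", {"Servers": 720}, 25 * 3600, False),
        # silent 45 days, groups unchanged since registration -> past the 30-day purge point
        Host("lap-01", {"Laptops": 240}, 45 * 86400, False),
        # silent 45 days, groups changed since registration -> still inside the 60-day window
        Host("lap-02", {"Laptops": 240}, 45 * 86400, True),
    ]


def fleet_report(hosts: List[Host]) -> Dict[str, str]:
    return {h.name: host_status(h) for h in hosts}


if __name__ == "__main__":
    for name, status in fleet_report(sample_fleet()).items():
        print(f"{name}: {status}")
```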

Distributing Software Updates

Cisco provides software updates via its web site (www.cisco.com) for both CSA MC and the agent. You can download these updates, install them on CSA MC, and then distribute them to agent systems across your network as easily as you deploy new rule programs. When you download a self-extracting executable update and install it on the server system, the agent software update files get placed under Available Software Updates in CSA MC (accessible from Systems>Software Updates in the menu bar).

From the list of available updates that is created in the Available Software Updates page, you can make the appropriate updates available to agents through the Scheduled Software Updates page. Creating Scheduled Software Updates allows you to distribute updates to designated groups of agent systems. See Scheduling Software Updates for details.


Note All "Quiet" Windows and Linux updates begin installing automatically during the designated installation window with no action occurring on the part of the end user.


From the Available Software Updates page, you can click on a particular update and view the following information (see Figure 3-17):

Name of the software update, for example SP 6.0.1.75.

Description of the software update, for example Service Pack for agent on Win2K, Windows XP, Windows 2003.

File, a link to the software update file itself on the server system.

Target system, a description of the system type for which the update is issued (agent and/or server).

Version, the version of the software update.

Operating system, the operating system for which the update is issued.

Operating system version(s), the exact OS version numbers for which the update is issued.

Figure 3-17 Available Software Updates Page

Scheduling Software Updates

Create a Scheduled Software Update to distribute a software update listed on the Available Software Updates page. Simple and Advanced Mode users can also use a Wizard to schedule a software update. See Scheduling Software Updates Wizard.

To schedule a software update follow this procedure:


Step 1 Log on to the CSA MC as a user with configure or deploy privileges and switch to Advanced Mode.

Step 2 From the Systems menu, navigate Software Updates > Scheduled Software Updates (see Figure 3-18).

Step 3 Click the New button to create a new entry. This takes you to the update configuration page.

Step 4 Enter a Name for the update that makes it easily identifiable.

Step 5 Enter a Description. This is a useful line of text that is displayed in the list view and helps you to identify this particular configuration.

Step 6 Select the Target operating system for the update you're distributing (Solaris, Linux, or Windows). When you select an OS, the available updates and selectable groups change accordingly.

Step 7 From the Software update pulldown list, select the Solaris, Linux, or Windows update you want to distribute.

Step 8 Enable update for hosts in selected groups: From the available list of groups, select one or more to distribute this update to.

To select multiple items in a list box, hold down the Ctrl key as you select each item. To unselect a single item, hold down the Ctrl key when you click on the item in question. Press the Shift key to select multiple successive items.

Step 9 Update time: Enter a time frame during which agent systems can receive and install updates. By default, the time frame is set to "any time," that is, the full 24 hours, so the update can be received at any time of day. If you put a time limit on the update, for example 10:00 to 11:00 (this would be AM), then after 11:00, if the user was not logged in during this hour window, the update is not available again until the same time the next day.


Note If a software update has been scheduled, and rules have been generated, changing the update time to another time and saving those changes will not require you to generate rules again. The new scheduled update time will take effect without generating rules.


Step 10 "Quiet install" updates begin installing automatically with no action occurring on the part of the end user. A reboot on the agent system is not required after a software update. Security continues to be enforced after an update, but if the system is not rebooted, configuration changes and other changes are not applied. They are only applied on the next reboot. You can control what the end user sees during an update and whether a reboot is required after an update by using the following checkboxes.

Force reboot after install (available for Windows and Linux): If you select this checkbox, when the update completes, a message appears to the end user warning that the system will automatically reboot in 5 minutes. This reboot cannot be stopped by the end user. Keep in mind that if you select a forced reboot, the update must also be "Quiet". Therefore, regardless of whether the end user is present, if the machine is running and a quiet update with a forced reboot is received, both the install and the automatic reboot take place within the time frame specified in the update. (Generally, you will only want to use a quiet install with a forced reboot for an unattended server, so that the update is installed and the system is rebooted without a user having to be present at the server.)

Quiet install (available for Windows and Linux): If you select this checkbox, when the update completes, no prompt is displayed to the user. Therefore, since the update begins without prompting the user, this quiet install update occurs as a completely transparent process. The user does not know that a software update has occurred. Configuration changes provided in the update will take effect when the system is next rebooted.

Noisy install (implied by no checkbox selection): If you do not select the Quiet install checkbox, and the end user has an agent UI, the end user is prompted that an update is available. The user can start the update at that time or postpone it.


Note Software update functionality and prompt options occur regardless of Agent UI configurations on the end user system. Therefore, if you have deployed agents with no UI, you can deploy "noisy" software updates that prompt the end user. These functions are independent of each other. So, if you want all agent functions to be invisible to the end user, you should configure your update accordingly. (Note that there is one exception to this statement. If the end user does not have an agent UI and you deploy a "noisy" update, the option to postpone the update will not appear. The update will behave as though it were "quiet.")



Caution Once scheduled, Solaris software upgrades must be launched manually by accessing the csactl command line tool on the Solaris systems and typing in the software update command. When the update is complete, the system automatically reboots within 5 minutes. This reboot cannot be stopped. Therefore, once you launch the Solaris software update, you must understand that the system will reboot when the update completes. See Appendix A, "Cisco Security Agent Overview" for details.

These checkbox options combine to produce the following effects once the software update has completed:

Table 3-1 Software Update Reboot/Install Options

Force reboot checkbox | Quiet install checkbox | Effect once the software update has completed
enabled | enabled | The install ends by displaying a prompt indicating that a reboot will occur within 5 minutes. (This combination is recommended for unattended servers.)
disabled | enabled | The install ends quietly with no prompts. Therefore, the update is completely transparent to the end user. The update takes effect the next time the user happens to reboot.
disabled | disabled | The install prompts the user that an update is available. The user can update at that time or postpone the update. When the update occurs, the install ends by displaying a prompt indicating that an update has occurred and the end user can reboot the system at his/her convenience to apply the changes.

Step 11 If you are using the Cisco Trust Agent (CTA) in your enterprise, you can use this page to configure a CTA software update in combination with a CSA update or on its own. Refer to your CTA documentation for particular software update information.

Step 12 Click Save.


Note You must Generate rules to deploy software updates to agents.



Note Wherever the policies from the old version of CSA are exactly the same as the policies from the new version of CSA, the old policies are replaced by the new policies. A group details page may show a group created in the old version of CSA with the new policies in it.



Note Any rules that you changed or policies you added to CSA MC will be maintained in the correct group after the upgrade.


Figure 3-18 Scheduled Software Updates Page

Scheduling Software Updates Wizard


Step 1 Log on to the CSA MC as a user with deploy or configure privileges. You can use the wizard in either Advanced Mode or Simple Mode.

Step 2 You can launch the software update wizard from these locations:

From the CSA MC Systems menu, select Software Updates > Scheduled Software Updates. In Advanced Mode, click Wizard on the Scheduled Software Updates page. In Simple Mode, click New on the Scheduled Software Updates page.

From the Home Page, click one of the Push Software Upgrades links. You will find one in the Maintenance area and may see additional Push Software Upgrades links in the Things to Do area and the Host Status Alerts area if there are hosts running old software.

Step 3 In step 1 of the Wizard, select the operating system of the hosts you want to update. If there are hosts requiring updates, you see a list of "Targeted Groups." If there are no hosts running that operating system that require software updates, you receive the message "There are no hosts requiring software updates."

Step 4 In the Target groups area, select the groups to which you want to push software updates. Click Next.

Step 5 In the Settings area, specify a time frame during which agent systems can receive and install software updates. By default, the time frame is set to "any time," that is, the full 24 hours, so the update can be received at any time of day. If you put a time limit on the update, for example 10:00 to 11:00 (this would be AM), then after 11:00, if the user was not logged in, the update is not available again until the same time the next day.

Step 6 In the Settings area, specify if a reboot will be forced on the host and if the update will be installed quietly without user interaction, then click Next.

"Quiet install" updates begin installing automatically with no action occurring on the part of the end user. A reboot on the agent system is not required after a software update. Security continues to be enforced after an update, but if the system is not rebooted, configuration changes and other changes are not applied. They are only applied on the next reboot. You can control what the end user sees during an update and whether a reboot is required after an update by using the following checkboxes.

Force reboot after install (available for Windows and Linux): If you select this checkbox, when the update completes, a message appears to the end user warning that the system will automatically reboot in 5 minutes. This reboot cannot be stopped by the end user. Keep in mind that if you select a forced reboot, the update must also be "Quiet". Therefore, regardless of whether the end user is present, if the machine is running and a quiet update with a forced reboot is received, both the install and the automatic reboot take place within the time frame specified in the update. (Generally, you will only want to use a quiet install with a forced reboot for an unattended server, so that the update is installed and the system is rebooted without a user having to be present at the server.)

Quiet install (available for Windows and Linux): If you select this checkbox, when the update completes, no prompt is displayed to the user. Therefore, since the update begins without prompting the user, this quiet install update occurs as a completely transparent process. The user does not know that a software update has occurred. Configuration changes provided in the update will take effect when the system is next rebooted.

Noisy install (implied by no checkbox selection): If you do not select the Quiet install checkbox, and the end user has an agent UI, the end user is prompted that an update is available. The user can start the update at that time or postpone it.


Note Software update functionality and prompt options occur regardless of Agent UI configurations on the end user system. Therefore, if you have deployed agents with no UI, you can deploy "noisy" software updates that prompt the end user. These functions are independent of each other. So, if you want all agent functions to be invisible to the end user, you should configure your update accordingly. (Note that there is one exception to this statement. If the end user does not have an agent UI and you deploy a "noisy" update, the option to postpone the update will not appear. The update will behave as though it were "quiet.")



Caution Once scheduled, Solaris software upgrades must be launched manually by accessing the csactl command line tool on the Solaris systems and typing in the software update command. When the update is complete, the system automatically reboots within 5 minutes. This reboot cannot be stopped. Therefore, once you launch the Solaris software update, you must understand that the system will reboot when the update completes.

These checkbox options combine to produce the following effects once the software update has completed:

Table 3-2 Software Update Reboot/Install Options

Force reboot checkbox | Quiet install checkbox | Effect once the software update has completed
enabled | enabled | The install ends by displaying a prompt indicating that a reboot will occur within 5 minutes. (This combination is recommended for unattended servers.)
disabled | enabled | The install ends quietly with no prompts. Therefore, the update is completely transparent to the end user. The update takes effect the next time the user happens to reboot.
disabled | disabled | The install prompts the user that an update is available. The user can update at that time or postpone the update. When the update occurs, the install ends by displaying a prompt indicating that an update has occurred and the end user can reboot the system at his/her convenience to apply the changes.

Step 7 Ensure that the choices you made are reflected in the Summary.

Step 8 Click Finish. CSA MC automatically generates rules and schedules the software update. The agent will be sent a polling hint and be given the chance to receive the update right away or postpone it.


Note Wherever the policies from the old version of CSA are exactly the same as the policies from the new version of CSA, the old policies are replaced by the new policies. A group details page may show a group created in the old version of CSA with the new policies in it.



Note Any rules that you changed or policies you added to CSA MC will be maintained in the correct group after the upgrade.
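The reboot/install options from Step 10 of the procedure and Step 6 of the wizard (Tables 3-1 and 3-2, the no-UI exception in the Note, and the manual csactl launch on Solaris), together with the daily update time window from Step 9 and Step 5, as one added Python checker that is not Cisco code; function names and the sample times are constructed here.

```python
"""Checker for the software update scheduling options described on this page.

Added example, not Cisco code. It rejects option combinations the text rules
out (Force reboot without Quiet install; reboot/quiet options on Solaris),
works out what the end user experiences per Table 3-1 and the notes, and
computes when a host can next receive an update given a daily update window.
The default window is "any time"; names and sample times are constructed.
"""
from datetime import datetime, time, timedelta
from typing import Optional

SUPPORTED_OS = ("Windows", "Linux", "Solaris")


def validate_update_options(target_os: str, force_reboot: bool, quiet: bool) -> None:
    """Reject combinations the page rules out."""
    if target_os not in SUPPORTED_OS:
        raise ValueError(f"unknown target OS: {target_os}")
    if target_os == "Solaris" and (force_reboot or quiet):
        raise ValueError("Force reboot and Quiet install are available for Windows and Linux only")
    if force_reboot and not quiet:
        raise ValueError("a forced reboot requires the update to also be Quiet")


def end_user_experience(target_os: str, force_reboot: bool, quiet: bool,
                        agent_has_ui: bool = True) -> dict:
    """What happens on the host once the update is received (Table 3-1 plus the notes)."""
    validate_update_options(target_os, force_reboot, quiet)
    if target_os == "Solaris":
        # Caution on the page: launched manually with csactl; reboot within 5 minutes, cannot be stopped
        return {"start": "launched manually with csactl", "can_postpone": False,
                "ends_with": "automatic reboot within 5 minutes", "changes_apply": "after that reboot"}
    # Note on the page: a "noisy" update on an agent without a UI cannot be postponed
    # and behaves as though it were quiet.
    effectively_quiet = quiet or not agent_has_ui
    if force_reboot:
        return {"start": "automatic", "can_postpone": False,
                "ends_with": "prompt: reboot in 5 minutes, cannot be stopped",
                "changes_apply": "after the forced reboot"}
    if effectively_quiet:
        return {"start": "automatic", "can_postpone": False,
                "ends_with": "no prompt", "changes_apply": "next time the user reboots"}
    return {"start": "user is prompted and may start or postpone", "can_postpone": True,
            "ends_with": "prompt: update occurred, reboot at your convenience",
            "changes_apply": "when the user reboots"}


def next_update_opportunity(now: datetime, window_start: Optional[time] = None,
                            window_end: Optional[time] = None) -> datetime:
    """Earliest moment at or after `now` when the update is available.

    With no window configured ("any time", 24 hours) that is `now`. Otherwise it is
    `now` if inside today's window, today's start if the window is still ahead, or
    the same start time tomorrow once today's window has closed.
    """
    if window_start is None or window_end is None:
        return now
    if window_end <= window_start:
        raise ValueError("update window must end after it starts (24-hour clock)")
    start_today = datetime.combine(now.date(), window_start)
    end_today = datetime.combine(now.date(), window_end)
    if start_today <= now < end_today:
        return now
    if now < start_today:
        return start_today
    return start_today + timedelta(days=1)


def opportunity_iso(now_iso: str, start: Optional[str] = None,
                    end: Optional[str] = None) -> str:
    """String wrapper: ISO timestamp in, HH:MM window bounds, ISO timestamp out."""
    def parse(value: Optional[str]) -> Optional[time]:
        return time.fromisoformat(value) if value else None
    return next_update_opportunity(datetime.fromisoformat(now_iso),
                                   parse(start), parse(end)).isoformat()


if __name__ == "__main__":
    print(end_user_experience("Windows", force_reboot=True, quiet=True))
    print(opportunity_iso("2024-03-04T11:30:00", "10:00", "11:00"))
```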


Software Updates in a Distributed Configuration

There are two procedural items to note when installing a software update in a distributed installation environment with multiple MCs.

In a distributed environment, you must install the software update on all MCs in your distributed configuration.

In a distributed environment, when installing, upgrading, or uninstalling any MC in the distributed configuration, the service must be stopped on the other MCs. For example, in a configuration with two MCs, you must first stop the service on one MC before you install the software update on the other MC. Then restart the services.