INTOUCH® INSA
Network Security Agent



7.3 Security Status Option



                        +-----Status------+ 
                        |  Network        | 
                        |  INTOUCH INSA   | 
                        |  Security       | 
                        +-----------------+ 

Selecting the Security menu option causes INSA Manager to display information about the most recent alert incidents. The display shows the total number of incidents, the alert names, the number of incidents per alert, and the date and time of the last incident for each alert.

The following is an example of the Security Status display:



 INTOUCH INSA                   Security Status                     23-Jan-1997 
                      Top 5 Alerts by Most Recent Incident                      
 
      Total incidents: 334 
 
                  Alert Name              Incidents       Last Incident   
      PAYROLL                                    25   23-Jan-1997 18:18:42 
      MGMT                                      112   23-Jan-1997 14:32:45 
      INVALID_LOGIN                              55   23-Jan-1997 14:00:22 
      URGENT                                    100   17-Jan-1997 12:45:05 
      PRIV                                       42   16-Jan-1997 11:32:21 
 
 
 
 
 
                             Press any key to exit 
EXIT = Exit                       INTOUCH INSA             \ = Back  HELP = Help

The status information is automatically updated as the data changes.

When you press any key to exit the Security Status display, you are returned to the Status menu.
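The Security Status display above is an aggregation over the incident data: count incidents per alert, note the most recent one, and order the alerts by that timestamp. The following Python is an added example of that aggregation, not INSA code. The incident file format is not documented on this page, so the example assumes a constructed one-line-per-incident format of `ALERT_NAME DD-Mon-YYYY HH:MM:SS`, matching the timestamp style of the display; the sample incident lines are made up.

```python
"""Added example: rebuild the INSA Security Status summary from incident records.

Not part of the INSA product. The incident line format and the sample
incidents are constructed for this example.
"""
from collections import Counter
from datetime import datetime

TIMESTAMP_FMT = "%d-%b-%Y %H:%M:%S"   # same shape as 23-Jan-1997 18:18:42 in the display

# Constructed sample incidents: one line per detected alert incident (assumed format).
SAMPLE_INCIDENTS = """\
PAYROLL 23-Jan-1997 18:18:42
MGMT 23-Jan-1997 14:32:45
INVALID_LOGIN 23-Jan-1997 14:00:22
MGMT 22-Jan-1997 09:10:00
URGENT 17-Jan-1997 12:45:05
PRIV 16-Jan-1997 11:32:21
INVALID_LOGIN 15-Jan-1997 08:00:00
BACKUP 10-Jan-1997 01:00:00
"""


def parse_incidents(text):
    """Yield (alert_name, datetime) for each non-blank incident line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, stamp = line.split(" ", 1)
        yield name, datetime.strptime(stamp, TIMESTAMP_FMT)


def security_status(text, top=5):
    """Return (total_incidents, rows).

    rows are (alert_name, incident_count, last_incident_str), ordered by the
    most recent incident first and limited to `top` alerts, which is what the
    "Top 5 Alerts by Most Recent Incident" display shows.
    """
    counts = Counter()
    latest = {}
    for name, when in parse_incidents(text):
        counts[name] += 1
        if name not in latest or when > latest[name]:
            latest[name] = when
    ordered = sorted(latest, key=lambda n: latest[n], reverse=True)[:top]
    rows = [(n, counts[n], latest[n].strftime(TIMESTAMP_FMT)) for n in ordered]
    return sum(counts.values()), rows


def render(text, top=5):
    """Format the summary roughly as the Security Status screen lays it out."""
    total, rows = security_status(text, top)
    lines = [f"Top {top} Alerts by Most Recent Incident",
             f"Total incidents: {total}", "",
             f"{'Alert Name':<20}{'Incidents':>10}   Last Incident"]
    for name, count, last in rows:
        lines.append(f"{name:<20}{count:>10}   {last}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_INCIDENTS))
```

Note that the total counts every incident, including those of alerts that fall outside the top five (BACKUP in the sample), which is why the per-alert counts on the screen need not add up to the total.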


Chapter 8
Maintenance Menu Procedures

8.1 INTOUCH INSA Files and Data

Basically, the INTOUCH INSA data consists of:
  alerts --- situations that you want to be alerted to
  alert rules --- detailed information that defines alert situations
  incidents --- detected alert situations
  recordings --- sessions that have been recorded
  page data --- detailed paging information
  audit data --- detailed audit information

The INTOUCH INSA data is stored in several files that INSA Manager allows you to maintain. The files you can maintain are:

Alert file --- The alert file contains alert names, information about the alerts and tells what actions to take when alert incidents occur. The alert reports are created from data in this file.

Rules file --- The rules file contains the alert instructions or rules which tell INTOUCH INSA what to look for. The rules are the patterns and text that users could enter, and programs and procedures could display. The rules are associated with the alert names.

Incident file --- INTOUCH INSA stores detailed information on alert incidents in the incident file. The only maintenance operations on this file are purging it and archiving its data. The incident reports are created from data in this file.

Recordings file --- INTOUCH INSA stores recorded session information in a recordings file. The only maintenance operations on this file are purging it and archiving the recordings. The recordings reports are created from data in this file.

Page file --- The page file contains information about persons who are to be paged when alert incidents occur. The page reports are created from data in this file.

Audit file --- INTOUCH INSA stores audit information in the audit file. The only maintenance operations on this file are purging it and archiving its data. The audit reports are created from data in the audit file. See Section 10.7, Audit Reports, for more information on audit data.

E-mail distribution lists --- An E-mail distribution list file contains a list of user names; the list is used to send a message to multiple users.

Page distribution lists --- A page distribution list file contains a list of page names; the list is used to page multiple persons.

The Maintenance menu options allow you to maintain the INTOUCH INSA files.

Example 8-1 Maintenance Procedures


+-----------------INTOUCH INSA - Network Security Agent V1.5-------------------+ 
|  Security    Status    Reports    Maintenance    General    Advanced    Exit | 
+---------------------------------+---------Maintenance----------+-------------+ 
                                  |  Alerts                      | 
                                  |  Rules                       | 
                                  |  E-mail Distribution Lists   | 
                                  |  Page                        | 
                                  |  Page Distribution Lists     | 
                                  |  Purge and Archive Records   | 
                                  +------------------------------+ 

The Maintenance menu options are shown in Example 8-1 and described in the sections that follow.

8.2 Alert File Maintenance

The alert file contains alert records. Each alert record contains information about a situation you want to be alerted to. For example, you might want to be alerted when privileges are set. If this is the case, one of the alerts would be PRIVILEGES. The rules that define this alert are contained in the rules file (see Section 8.3).

You can add and delete records in the alert file. You can also review and change information in the alert situation records.

To perform maintenance or inquire on information in the alert file, select the Alerts option from the Maintenance menu.



                        +---------Maintenance----------+ 
                        |  Alerts                      | 
                        |  Rules                       | 
                        |  E-mail Distribution Lists   | 
                        |  Page                        | 
                        |  Page Distribution Lists     | 
                        |  Purge and Archive Records   | 
                        +------------------------------+ 

When Alerts is selected, the following screen is displayed:

Example 8-2 Alert Maintenance Screen


 INTOUCH INSA               Alert File Maintenance                  23-Jan-1997 
 
 Alert name   : 
 Description  : 
 Action       : 
 Priority     : 
 Incidents    : 
 Last incident: 
 
 
 
   +-------------Option--------------+ 
   |  Add Alert Information          | 
   |  Change Alert Information       | 
   |  Delete Alert Information       | 
   |  Inquire on Alert Information   | 
   |---------------------------------| 
   |  Exit                           | 
   +---------------------------------+ 
 
 
 
 
EXIT = Exit                       INTOUCH INSA             \ = Back  HELP = Help

The alert maintenance options allow you to add, change, delete, and inquire on alert information.

You can use the mouse to select and execute any of the options.

8.2.1 Adding Alert Information

Select Add Alert Information if you want to add alert records to the alert file.



   +-------------Option--------------+ 
   |  Add Alert Information          | 
   |  Change Alert Information       | 
   |  Delete Alert Information       | 
   |  Inquire on Alert Information   | 
   |---------------------------------| 
   |  Exit                           | 
   +---------------------------------+ 

The "Add" option asks you for the following data:

Alert name

The first prompt asks for an alert name.



 ADD: Alert name? ________________________________ 

Enter the name of the alert you wish to add to the alert file. For example, if you want to set up an alert for privilege settings, you can enter PRIVILEGE or PRIV as the alert name.

NOTE: After an alert record has been added to the alert file, the alert name cannot be changed.

The alert name can be up to 32 characters in length.



 ADD: Alert name? priv____________________________ 

After the alert name is entered, it is displayed in the top section of the screen.

Description

You are asked to enter a short description of the alert.

The description can be up to 55 characters in length.



 ADD: Alert description? Privilege setting______________________________________ 

After the description is entered, the information is displayed in the top section of the screen.

Note

The \ (backslash) key can be used to back up to a previous prompt.

Action

When an alert incident occurs, INTOUCH INSA logs the incident information and performs alert actions if any have been specified for the alert.

Note

INTOUCH INSA logs ALL incidents regardless of whether alert actions are requested or not. When an incident occurs, INTOUCH INSA logs the incident, and then takes alert action if any is specified.

If you want to be alerted to an incident when it occurs or take some other immediate action, you can specify one or more alert actions. The valid alert actions are:

Table 8-1 Alert Actions

none --- No actions specified.

email --- Send E-mail when this alert is triggered. The E-mail message text shows a snapshot of the session that triggered the alert. An arrow (-->) points to the specific incident pattern that was found.

E-mail can be sent to a specific user or to all users listed in a distribution list (see Section 8.4, Maintaining E-mail Distribution Lists). If no user is specified, E-mail is sent to NSA_MANAGER.

Examples:
  email             send E-mail to NSA_MANAGER
  email fred        send E-mail to Fred
  email @managers   send E-mail to all users on the "managers" distribution list

page --- Page when this alert is triggered.

A single person or several persons listed in a distribution list (see Section 8.6, Maintaining Page Distribution Lists) can be paged.

Examples:
  page fred         page the person denoted as Fred
  page @admin       page all persons on the "admin" distribution list

watch --- Causes a real-time display window to pop up when the alert is triggered. The current session activity is displayed until log off.

record --- When the alert is triggered, the rest of the session is recorded for playback later on.

no_record --- Turns off any recording that might be turned on. This means that if an alert has been triggered and the session is being recorded, and another alert with the NO_RECORD action is triggered by the session, the recording of the session will stop.

no_incident --- Causes the alert incident information to NOT be saved/stored in the incident file. This action might be used with the NO_RECORD action. The other actions (email, watch, etc.) can still be set up for the alert.

disconnect --- Causes the session to be disconnected when an alert is detected, if the session has an IP address.

Caution

When using DISCONNECT, carefully check the associated rule patterns to avoid inadvertently disconnecting the wrong sessions.

@dcl_command --- Executes the specified OpenVMS DCL command (for advanced users).

You can specify multiple actions by separating the actions with commas. For example, these actions:
  ADD: Action(s)? email allen, watch______________________

will send E-mail to Allen and cause a pop-up window to display the current session activity whenever an alert incident occurs.

If you do NOT want to set up any actions for this alert, press [Return] to accept the default of none and proceed to the next prompt.

If you DO want to set up one or more actions for this alert, enter the action(s). After you enter the action(s), such as:



 ADD: Action(s)? email, record___________________________ 

the information is displayed in the top section of the screen.

Priority

You must assign a priority value to the alert. The priority is a 1-digit number between 1 and 9. 1 is the highest priority and 9 is the lowest.

The priority can be used as one of the selection criteria when creating alert and incident reports.

Enter the priority.



 ADD: Priority (1-9)? 1 

After the priority code is entered, the information is displayed in the top section of the screen, and a message tells you that the alert record has been added.

After the alert record is added, the following menu is displayed if the rules for this alert have NOT already been set up in the rules file:



   +PRIV not found in Rules file+ 
   |  Edit Rules File           | 
   |  Continue                  | 
   +----------------------------+ 

You can either:

  1. Edit Rules File to set up the rules for this alert name NOW. If you select this option, the rules file will be displayed and you can add the alert rules. Section 8.3, Rules Maintenance, explains how to maintain the rules file.
  2. Continue to enter the next alert name.

After you have finished adding alert information, enter Exit or press the \ (backslash) key to return to the alert file maintenance menu options.

Incidents and Last Incident

You are not asked for the incidents or last incident data. INTOUCH INSA updates these fields automatically as incidents are detected.

Incidents is the total count of incidents that have occurred for this alert since INTOUCH INSA was installed or since the last purge of incident data.

Last incident is the date and time when the last incident occurred for this alert name.
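The Add Alert procedure above fixes the shape of an alert record: a name of up to 32 characters that cannot be changed afterwards, a description of up to 55 characters, a comma-separated list of actions drawn from Table 8-1 (with `email` defaulting to NSA_MANAGER and `@` targets naming distribution lists), and a single-digit priority from 1 to 9. The following Python is an added example, not INSA code, that encodes those limits and parses an action string such as `email allen, watch` the way the prompts describe. The `AlertRecord` class, the function names, and the treatment of `@dcl_command` text as an opaque string are this example's own assumptions; the incident fields are carried along but never entered, mirroring the fields INSA maintains itself.

```python
"""Added example: validate an INSA-style alert record and parse its action list.

Not part of the INSA product. Limits come from Section 8.2.1 (name <= 32,
description <= 55, priority 1-9) and the action names from Table 8-1; the
class and function names are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Actions from Table 8-1 that take no target.
SIMPLE_ACTIONS = {"none", "watch", "record", "no_record", "no_incident", "disconnect"}
# Actions that take an optional target; a target starting with "@" is a distribution list.
TARGET_ACTIONS = {"email", "page"}
DEFAULT_EMAIL_TARGET = "NSA_MANAGER"   # manual: E-mail goes here if no user is named


def parse_actions(text: str) -> list[tuple[str, str | None]]:
    """Split 'email allen, watch' into [('email', 'allen'), ('watch', None)].

    An action whose text starts with '@' is an @dcl_command and is kept
    verbatim. Any other action not in Table 8-1, or a simple action given a
    target, raises ValueError so a typo is caught at entry time.
    """
    actions: list[tuple[str, str | None]] = []
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if part.startswith("@"):
            actions.append(("dcl", part[1:]))      # assumed representation
            continue
        name, _, target = part.partition(" ")
        name = name.lower()
        target = target.strip() or None
        if name in TARGET_ACTIONS:
            if name == "email" and target is None:
                target = DEFAULT_EMAIL_TARGET
            actions.append((name, target))
        elif name in SIMPLE_ACTIONS and target is None:
            actions.append((name, None))
        else:
            raise ValueError(f"unknown or malformed action: {part!r}")
    if not actions:
        actions.append(("none", None))             # pressing Return accepts the default
    return actions


@dataclass
class AlertRecord:
    name: str                                      # fixed once added
    description: str
    actions: list[tuple[str, str | None]]
    priority: int                                  # 1 = highest, 9 = lowest
    incidents: int = 0                             # maintained by INSA, not entered
    last_incident: str | None = None               # maintained by INSA, not entered


def validate_alert(name: str, description: str, action_text: str, priority: int) -> AlertRecord:
    """Apply the Add Alert prompt limits and return a record, or raise ValueError."""
    if not 1 <= len(name) <= 32:
        raise ValueError("alert name must be 1-32 characters")
    if len(description) > 55:
        raise ValueError("description must be at most 55 characters")
    if not 1 <= priority <= 9:
        raise ValueError("priority must be a single digit 1-9 (1 = highest)")
    return AlertRecord(name.upper(), description, parse_actions(action_text), priority)


def is_distribution_list(target: str | None) -> bool:
    """True for '@managers'-style targets that fan out to a whole list."""
    return target is not None and target.startswith("@")


def needs_pattern_review(record: AlertRecord) -> bool:
    """Flag alerts carrying DISCONNECT, whose rule patterns the manual says to double-check."""
    return any(action == "disconnect" for action, _ in record.actions)


if __name__ == "__main__":
    rec = validate_alert("priv", "Privilege setting", "email allen, watch", 1)
    print(rec)
    print("review patterns:", needs_pattern_review(rec))
```

The parser is strict on purpose: an unknown action, or a target supplied to an action that takes none, is rejected rather than silently accepted, which is the behaviour you want for a field that can end with a session being disconnected.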

8.2.2 Changing Alert Information

Select Change Alert Information if you want to change alert data in the alert file.



   +-------------Option--------------+ 
   |  Add Alert Information          | 
   |  Change Alert Information       | 
   |  Delete Alert Information       | 
   |  Inquire on Alert Information   | 
   |---------------------------------| 
   |  Exit                           | 
   +---------------------------------+ 

After you select the Change option, a menu of alert names is displayed. You can use the mouse to select the alert name you want to change.



                +Change Alert Name+ 
                |  INVALID_LOGIN  | 
                |  MGMT           | 
                |  PAYROLL        | 
                |  PRIV           | 
                |  URGENT         | 
                |-----------------| 
                |  Exit           | 
                +-----------------+ 

If, for example, "PRIV" is selected, the current information for this alert is displayed.



 Alert name   : PRIV 
 Description  : Privilege setting 
 Action       : email, record 
 Priority     : 1 
 Incidents    : 112 
 Last incident: 23-Jan-1997  02:47:04 PM 

This information can then be changed, one field at a time:

At each prompt, you can either enter new data or press [Return] to keep the current data. As you proceed through the prompts, the data is displayed at the top of the screen.

After you have completed the changes, the record is updated. An appropriate message tells you that the alert was changed, and you are asked for the next alert name to change.

After you have completed maintaining alert information, select the Exit option to return to the alert file maintenance menu options.

8.2.3 Delete Alert Information

Select Delete Alert Information if you want to delete records from the alert file.



   +-------------Option--------------+ 
   |  Add Alert Information          | 
   |  Change Alert Information       | 
   |  Delete Alert Information       | 
   |  Inquire on Alert Information   | 
   |---------------------------------| 
   |  Exit                           | 
   +---------------------------------+ 

After you select the Delete option, a menu of alert names is displayed. You can use the mouse to select the alert name you want to delete.



                +Delete Alert Name+ 
                |  INVALID_LOGIN  | 
                |  MGMT           | 
                |  PAYROLL        | 
                |  PRIV           | 
                |  URGENT         | 
                |-----------------| 
                |  Exit           | 
                +-----------------+ 

If, for example, "PRIV" is selected, the current information for this alert is displayed.



 Alert name   : PRIV 
 Description  : Privilege setting 
 Action       : email, record 
 Priority     : 1 
 Incidents    : 112 
 Last incident: 23-Jan-1997  02:47:04 PM 

After you have reviewed the alert information, you are asked if you want to proceed with actually deleting the alert record.



   +Proceed Delete+ 
   |  Yes         | 
   |  No          | 
   |--------------| 
   |  Exit        | 
   +--------------+ 

  Select Yes to delete the displayed alert record.
  Select No to return to the alert name selection menu.
  Select Exit to abandon the deletion.

An appropriate message tells whether the alert record was deleted or the deletion was abandoned.

If the alert record is deleted and rules still exist in the rules file, the following menu is displayed:



   +PRIV still exists in Rules file+ 
   |  Edit Rules File              | 
   |  Continue                     | 
   +-------------------------------+ 

You can either:

  1. Select Edit Rules File and delete the rules for this alert from the rules file NOW.
  2. Select Continue to continue deleting alert records.

After you have completed deleting alert records, select the Exit option to return to the alert file maintenance menu options.

