Easy Auditor
Easy Auditor Product Specification
Use of this document
This document is the functional specification of the product: what it can do, what it cannot do, operating instructions, and functional use cases describing how it works.
Overview
The Easy Auditor product collects audit data, compresses it, and stores it in an indexed database using the HDFS protocol on Isilon. The product allows searching the historical audit data by user, path, event and date range. The product also allows real-time analytics of audit data with pre-built triggers and custom triggers.
Terms
- Eyeglass GUI - User monitoring, alarms and the user interface for interacting with product configuration and raised threats.
- ECA VMs - Virtual machines that process audit data and determine threats to production data.
Functional Specification Description
Dependencies
- Cluster REST API
- SSH access to the cluster CLI
- AD reachable by the cluster
- Auditing enabled on all zones
- NFS mount to the cluster
- Licenses for Easy Auditor assigned to managed clusters
- Stable, low-latency network for NFS and HDFS
- Auditing settings configured as per documentation
- NTP
- NFS mount to monitored clusters
- DNS
- Only available as a VMware OVA or Hyper-V appliance
Installation
- This product is not customer installable and must be installed and configured by professional services for correct deployment and validation of the software integration with the cluster.
Functional Description
- Audit data is ingested over NFS from monitored clusters. NOTE: A stable network is required to ensure the NFS mount does not go stale.
- A stable network is required to store HDFS data on the cluster.
- The indexing function uses HBase tables; all customers are expected to set a retention period in days on audit records. If no retention is configured, additional ECA resources will be required to manage the size of the database.
- Backup and protection of the audit database require scheduled snapshots and SyncIQ to protect the historical audit data.
- Real-time analysis functions are limited to a specific number of triggers; expanding this limit requires additional ECA VMs to scale out the processing. This may include increasing VM memory above the appliance default.
- Built-in reports may not address all audit use cases, specifically ACL evaluation.
- The audit data stored and processed consists of audit success events.
- Configuration auditing is a separate audit log from protocol auditing; this audit data is not processed or stored.
- A dedicated access zone for storing HDFS data is mandatory to ensure that no inherited permissions break the HDFS ACLs required for normal operations.
- The audit data ingestion process needs to process archived GZ files on the cluster, which takes time when an active audit event is archived. This can cause audit data lag, where data is not yet present in the audit database, and may require reingestion using a manual script to read in the GZ files. This is only required if audit data is found to be missing from a search.
Operational Expectations for all deployments
- GZ-archived audit data should always be retained for long-term storage, since it can be ingested and indexed at a later date.
- The robo audit monitoring feature is mandatory to verify normal audit data ingestion, storage and searching. Customers are expected to monitor this feature and all alarms that indicate an issue with audit data processing.
- Audit data GZ files should not be left in the active audit folder once the file count exceeds 500 GZ files per node folder.
- Changes made via SSH are not audited, as per Isilon/PowerScale functionality.
- Audit events that are not enabled on the cluster will not be visible in Easy Auditor.
- A known cluster audit data case issue can break the case of audit data produced when a share is mounted using a different case. This issue is external to Easy Auditor and no fix is planned by Dell; customers must follow the limitations in the tech note Technical Advisory #20 - PowerScale Auditing incorrectly records audit events for paths that do not exist on the cluster when an SMB share is mounted with subfolders whose case does not match the file system.
- There is no guaranteed time to complete search results; environmental conditions dictate search performance, including the number of nodes in the HDFS pool, node type and disk latency of the VMs.
- The product limits returned results to 1M due to the practical size of data that can be opened in spreadsheets.
- The number of triggers that can be defined is limited by resources, as per product documentation.
- Triggers can result in false positives, and if misconfigured, triggers will be missed.
Patching
- The product does not support hotfix patching and requires a complete upgrade of the software version or build number to apply any patch.
- Operating system patches are not provided and must be downloaded directly from the official online openSUSE repositories.
Compatibility
- The product does not support forward compatibility with target devices and will require a software upgrade to support a newer version of a target device. This includes minor or build number changes of the target device.
Appliance Modifications
- Modifying operating system packages, removing or adding packages, or changing the OS configuration is not covered by support; customers must support such OS modifications and perform the necessary testing. No customer modifications are supported, with the exception of applying openSUSE OS package patches that shipped with the original appliance or following a procedure published in the documentation.
Operational Procedures
- If the documentation does not list a procedure, it is explicitly unsupported unless support provides one.
© Superna Inc