SSi Service Strategies Inc.

FAQs

eTrust eBusiness Security


eTrust Audit Frequently Asked Questions

eTrust Audit is a comprehensive auditing solution for today’s dynamic eBusiness. It efficiently collects enterprise-wide security and system audit data from a wide spectrum of sources including UNIX, Windows NT and 2000, Web servers, other eTrust products, mainframe systems, and multiple RDBMS. eTrust Audit filters collected information for consolidated viewing and reporting, stores this information in a central database for easy access and reporting, and automatically triggers appropriate actions upon detecting unusual or malicious activities on the system.

How will eTrust Audit benefit me as a security administrator?

eTrust Audit empowers systems and security management teams with the unique ability to collect information from various platforms, servers, and application events and audit logs into a single database for quick and accurate assessment. eTrust Audit eliminates event guesswork by translating all collected information to a common, intuitive format, regardless of the event's source. eTrust Audit's store-and-forward architecture allows it to scale to suit your environment of a few or a few thousand machines. Like other members of the eTrust Security Suite, eTrust Audit hurdles the platform and application administration barrier for a true cross-platform event management solution.

Does eTrust Audit archive the audit collection?

eTrust Audit sends events to a commercial relational database (Oracle, SQL Server and Microsoft Access) that can be managed and archived with the usual DBA tools.

What is the overhead on the network by eTrust Audit?

The overhead depends on the amount of data you want to collect, on the type of events your system generates, and so on. The average amount of data sent by the eTrust Audit Agent per audit record is about 300 bytes.

How much disk space and memory are required for the eTrust Audit Collector station?

A collector station needs a processor with a minimum speed of 350 MHz and at least 128 MB of RAM. The event database requires 0.6 to 2 KB per record. A good rule of thumb is 30-50 machines (routers) per collector.

What is the architecture of eTrust Audit?

eTrust Audit installs a Recorder and Router on each targeted host or application server that you want to be a part of the audit scheme (NT/2000 and UNIX). The Policy Manager is installed on an NT/2000 machine. From there, all of the organization's security-related policies and Host-Based Intrusion Detection rules are configured, compiled, and distributed to the eTrust Audit routers. eTrust Audit Collector(s) can be installed for final collection and consolidation (the Collector can only reside on a Windows NT or 2000 machine). These components work in concert to redirect, filter, and collect all audited events throughout the environment. Additionally, when using these components with eTrust Audit's store-and-forward capability, you are provided with peerless configuration flexibility and unprecedented performance in an event management solution. All collected data is translated to easy-to-understand messages and stored in a relational database to ensure compatibility with various database viewers.

How does the product scale to accommodate a range of site sizes?

The flexible architecture of eTrust Audit allows scaling the implementation from the needs of small companies to large enterprises. Using the store-and-forward mechanism provided by eTrust Audit, it is possible to build hierarchies to route auditing events from a huge number of clients. The flexible filtering capabilities reduce the amount of collected audit events by filtering out unimportant events ("noise"). Events can be saved in the database on each level of the hierarchy, allowing distributed databases. The GUI tools provide a means to view, filter, and analyze events from several databases. The distributed architecture of eTrust Audit allows you to make use of the CPUs of a large number of computers. All eTrust Audit services have parameters that allow tuning of eTrust Audit performance.

Where does filtering occur (i.e. does filtering occur at the initial recording point, where the routing agent is placed, at the Collector Server, or later)?

Filtering can be applied at any level of event routing. It may be applied at the recorder service, which defines which events are submitted to eTrust Audit at all, or on the client machine, to define which events are sent on to the collector.

Does eTrust Audit pass information in clear text over the wire?

Data transferred from the Recorder and SAPI client (recorder) to router, from router to router, and from router to collector is protected by pluggable encryption. DES encryption is the default. If the eTrust Access Control for UNIX LogRoute daemon forwards its messages as encoded clear text, the Audit Collector will still accept those messages as well as encrypted messages.

If I have an application that is not currently supported by eTrust Audit, can I still route the application events to eTrust Audit Collector?

There are several ways to provide the bridge between your application and eTrust Audit Collector:

- SNMP traps: You can use SNMP traps to send standardized event information to the eTrust Audit SNMP Recorder. There are many products that are readily available to send such event information. This routing path needs to be properly configured so that eTrust Audit will be able to receive and handle this application information.

- Submit API: This is a powerful and thorough method to send event information to eTrust Audit Collector. By programming with eTrust Audit Submit API function calls, applications can send complete, detailed messages to eTrust Audit, and in turn eTrust Audit can perform more granular and more intelligent analysis on the collected data and activate alerts when needed.

- eTrust Products: You can send your application event information via eTrust products to eTrust Audit. eTrust Audit provides full support for most of the eTrust products and can consolidate collected information for analysis and pattern matching. This way, application activities that are tied to eTrust products or can be captured by eTrust products can send events to eTrust Audit through the related eTrust product. For example, certain firewall products can generate events based on network connections or application sessions. In this case, firewall information can be captured by eTrust Intrusion Detection, and be collected and sent to eTrust Audit for analysis or archive.

How can I use eTrust Audit as a host-based intrusion detection tool?

eTrust Audit is equipped with event collection, pattern matching and filtering, action triggering, and execution. These are the essential components of a host-based intrusion detection system. eTrust Audit also comes with pre-defined rules that can help you build up your own intrusion detection system. With its flexible rules and the scalability to handle heavy traffic, eTrust Audit can be your host-based intrusion detection system to protect the critical data and services on your servers.

Are there predefined rules that can be deployed right away?

eTrust Audit provides several pre-defined rules that can be deployed right away. Each policy is divided into two sections, each with associated rules. The two sections are:

- Collection: all the events from that source type.

- Suspicious events: security and system related events that include:

  - Logon (successful/failure)

  - Critical objects tampering

  - Network connections

  - Touching OS/Application Super User

  - Account Management

  - Changing permissions or security policies
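The following is an added example, not eTrust Audit code and not any API of the product: a small Python model of the pipeline described in the architecture, filtering, and host-based intrusion detection answers above. A recorder step translates source-specific records into one common format, noise is filtered at the recording point, a router step keeps some events in its own level's store and forwards the rest, and collector-side rules match patterns in the "suspicious events" categories (repeated logon failures, super-user use, account management, permission changes) and raise the alerts an action would be triggered on. The two raw log styles, the event-id mapping, the AuditEvent schema, and the sample lines are all constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass


# Common event format every recorder normalizes into. Assumed schema for this
# model, not the product's record layout.
@dataclass(frozen=True)
class AuditEvent:
    host: str
    user: str
    category: str  # logon, account_mgmt, permission_change, superuser, file
    outcome: str   # "success" or "failure"


# Constructed raw formats: a Windows-style line "NT <host> <event-id> user=<u> OK|FAIL"
# and a UNIX syslog-style line "<host> <program>: <message>".
NT_RE = re.compile(r"^NT (?P<host>\S+) (?P<id>\d+) user=(?P<user>\S+) (?P<status>OK|FAIL)$")
UNIX_RE = re.compile(r"^(?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$")
# Illustrative event-id to category mapping (constructed for this example).
NT_EVENT_IDS = {528: "logon", 529: "logon", 560: "file",
                612: "permission_change", 624: "account_mgmt"}


def parse_raw(line):
    """Recorder step: translate one source-specific line into the common format.
    Returns None for lines this recorder does not understand."""
    m = NT_RE.match(line)
    if m:
        category = NT_EVENT_IDS.get(int(m["id"]))
        if category is None:
            return None
        outcome = "success" if m["status"] == "OK" else "failure"
        return AuditEvent(m["host"], m["user"], category, outcome)
    m = UNIX_RE.match(line)
    if m:
        prog, msg = m["prog"], m["msg"]
        if prog == "sshd" and " for " in msg:
            user = msg.split(" for ", 1)[1].split()[0]
            outcome = "success" if msg.startswith("Accepted") else "failure"
            return AuditEvent(m["host"], user, "logon", outcome)
        if prog == "sudo" and " : " in msg:
            return AuditEvent(m["host"], msg.split(" : ", 1)[0], "superuser", "success")
        if prog == "useradd":
            return AuditEvent(m["host"], "root", "account_mgmt", "success")
    return None


def recorder_filter(event):
    """Filtering at the recording point: routine file access is treated as
    noise and is never submitted to the audit scheme."""
    return event.category != "file"


def router_filter(event):
    """Filtering at the router: successful logons stay in the local database of
    this hierarchy level; everything else is forwarded to the collector."""
    return not (event.category == "logon" and event.outcome == "success")


def evaluate_rules(events):
    """Collector-side pattern matching. Each returned string is an alert on
    which an action (e-mail, pager, script) would be triggered."""
    alerts = []
    failures = Counter((e.host, e.user) for e in events
                       if e.category == "logon" and e.outcome == "failure")
    for (host, user), n in failures.items():
        if n >= 3:  # repeated failures for one account on one host
            alerts.append(f"{host}: {n} failed logons for {user}")
    for e in events:
        if e.category in ("account_mgmt", "permission_change", "superuser"):
            alerts.append(f"{e.host}: {e.category} by {e.user}")
    return alerts


def run_pipeline(raw_lines):
    """Recorder -> router -> collector, returning what is kept at each level."""
    normalized = [ev for ev in map(parse_raw, raw_lines) if ev is not None]
    submitted = [ev for ev in normalized if recorder_filter(ev)]
    forwarded = [ev for ev in submitted if router_filter(ev)]
    return {"local": submitted, "collector": forwarded, "alerts": evaluate_rules(forwarded)}


# Constructed sample input standing in for records from two hosts.
SAMPLE_LINES = [
    "NT srv01 528 user=alice OK",
    "NT srv01 560 user=alice OK",   # file access: dropped at the recorder
    "NT srv01 529 user=bob FAIL",
    "NT srv01 529 user=bob FAIL",
    "NT srv01 529 user=bob FAIL",
    "NT srv01 612 user=admin OK",
    "NT srv01 999 user=alice OK",   # unknown event id: not recognized
    "web02 sshd: Accepted password for carol from 10.0.0.5 port 51000 ssh2",
    "web02 sshd: Failed password for root from 10.0.0.9 port 51001 ssh2",
    "web02 sudo: carol : TTY=pts/0 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash",
    "web02 useradd: new user: name=svc, UID=1003",
]

if __name__ == "__main__":
    result = run_pipeline(SAMPLE_LINES)
    print(len(result["local"]), "stored locally;", len(result["collector"]), "forwarded")
    for alert in result["alerts"]:
        print("ALERT", alert)
```

The point of the two filter functions is the one the filtering answer makes: the recorder decides what enters the audit scheme at all, while the router decides what travels on to the collector, so the collector only ever evaluates rules over the events that survived both levels. Because the first sshd failure for root on web02 is a single event, it is stored but raises no alert; the three failures for bob on srv01 cross the rule's threshold and do.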

Service Strategies Inc

2392 Mount Vernon Rd

Dunwoody, GA 30338-3092

800-662-1615  678-441-0020

assist@ssimail.com

Copyright © 1998-2003 Service Strategies Inc. All rights reserved.
Revised: September 27, 2004.