Appendix A   Halo Site Administration

(For Halo site administrators only)

If you are a Halo site administrator, you are the user (or one of the users) responsible for managing your organization's Halo service. Your responsibilities include management of Halo users, authentication settings, automatic scan configurations, API keys, Halo Daemon settings, Master Account connections, and other advanced settings.

You access all of these tasks from the Site Administrator menu (the gears icon in the Halo portal page header).

Note:   This appendix is a reference to the Halo portal Site Administration page. Each subsection here describes (or links to the description of) one of the tabs across the top of that page.

Users

See Invite and Manage Halo Users.

API Keys

In Halo, API Keys are required for using the Halo REST API. Accessing the API requires the client to first authenticate to the authorization server by providing a valid API key. (See Call Authentication in the Halo REST API Developer Guide for details.)

Halo site administrators can create and manage API keys. CloudPassage recommends that you create different API keys for different purposes&#151in particular, you should create a read-only key to use for programs that only read from (and do not write to) the Halo database. For example, applications that use the Halo Event Retrieval API should use a read-only key, since that key allows only GET requests from the API.

Each Halo account initially has no API keys. If you are a site administrator, you can generate any number of API keys as needed. For example, you might generate a separate API key for each application that accesses the API

To view or create API keys for your account, select Site Administration from the Site Administrator menu, then click the API Keys tab. Your current set of keys is displayed on the tab.

• To create a new API key, click Add New Key, then enter a name for the key and specify its permission level (full-access or read-only).

  Specify allowed IP addresses. Optionally, for increased security you can enter a comma-separated list of one or more IP addresses or CIDR blocks. If you do so, an API client using this API key will be permitted to authenticate to the Halo API only from one of the specified addresses.

  

  The key's 8-character ID and secret key values are generated by the system, and the key appears in the list on the API Keys tab.

  Note:  Every time a secret key is generated, the action is logged and the user who created the key is identified.

• To edit a key in the list, click its name. You can change the key's name and permission level (full-access or read-only), and you can activate or deactivate it.
• To view the secret key value, click Show on the Edit API Key popup window or in the key's line on the API Keys tab.

  

  You'll need to copy the secret key's value from this window and use it to obtain an API token, which allows you to access the Halo REST API (see Call Authentication in the Halo REST API Developer Guide).

  Note: Every time a secret key is viewed, the action is logged and the user who viewed the key is identified.

• On the API Keys tab, use the Actions drop-down menu for a given key to either edit or delete the key.

  Note: Every time an API key is deleted, the action is logged and the user who deleted the key is identified.

Authentication Settings

To minimize the potential for damage from stolen, intercepted, copied, recycled, or guessed passwords, you can specify various requirements and settings for passwords and for login control.

Select Site Administration from the Site Administrator menu, then click the Authentication Settings tab.

Password Settings

• Password Construction Rules. You can increase the minimum required password length from its default minimum of 8 characters. You can also require that every password must contain at least one number, or one symbol, or both (in addition to both uppercase and lowercase letters). If you choose to require symbols in passwords, the following are supported:

  ( ) ` ~ ! @ # $ % ^ & * - + = | \ { } [ ] : ; " ' < > , . ? /

• Password Expiration. You can enable password expiration and set the maximum lifetime (time to expiration) of a newly created password to any number of days from 1 to 365.

  You can also enable and specify the minimum lifetime of a newly created password (time that it must remain in effect before it can be changed again) to any number of days from 1 to 999.

  These two settings are independent. You can enable one or both or neither.

Login Settings

• User lockout. You can change the failed login limit (number of consecutive times a user can attempt to log in until the account is locked to prevent further login attempts) to any value from 1 to 25. Default value = 10.

  You can also change the duration of a lockout to any number of minutes from 5 to 1440 (24 hours). Default value = 60.

  Note:  For a locked-out user to log in again, the user can either complete a password reset (from the Halo portal login page) or wait until the lockout period ends.

• Idle session timeout. By default, the timeout for Halo portal sessions (the time after which an idle session logs out) is 30 minutes. But you can keep idle sessions open for much longer, or you can cut them off more quickly.

  Use drop-down list to choose a timeout value of as little as 15 minutes up to as much as 24 hours.

  

• Multi-factor authentication for Halo login.

Single Sign-On Settings

If you are implementing an integration of Halo with your organization's SAML 2.0-based single sign-on solution, you may need to develop a plug-in or application according to the identity provider's requirements, so that the proper SAML assertions are sent to Halo to perform the authentications. Or the identity provider may have already created the integration app for Halo.

Part of setting up the integration involves enabling single-sign on and entering information into fields in the Single Sign-On Settings section of the Authentication Settings tab on the Site Administration page

1. Select the Enable Single Sign-On (SSO) check box. The section expands to display the single sign-on settings form.

   

2. Copy the account ID from this form and supply it to the SSO identity provider.
3. Obtain information to enter into the remaining fields from the identity provider.
4. Make SSO Required. If you want to disallow all direct logins to the Halo portal, select this checkbox at the bottom of the form. If you do select the box, you must provide SSO access to all existing and future Halo users. Note that you cannot select the box unless you are currently logged in through SSO.

   Note:  As long as this checkbox remains selected, Halo users' account pages have no displayed password field, Halo users cannot reset their passwords, and new Halo users do not receive email invitations to log into Halo.

5. Click Save to commit your SSO settings.

For detailed instructions on creating the SSO integration, see Appendix C: Adding Single Sign-On to Halo in the Halo Operations Guide.

Scanner Settings

See Configure Automatic Scans.

Daemon Settings

As site administrator, you can control various settings for the Halo agents currently running or to be installed on your servers.

Select Site Administration from the Site Administrator menu, then click the Daemon Settings tab.

• Daemon Registration Key. A valid key is needed whenever you install a Halo agent (see Installing Halo Agents). You can use the same key value for all installations, as long as it remains confidential. If you feel that it might have been compromised, click Regenerate to get a new key, and use that one in future installs.

  

• Daemon Heartbeat. For security reasons, all communication between a Halo agent and the Halo analytics engine is always initiated by the agent. The agent connects to the analytics engine at regular intervals to report status and to receive instructions. You can select an interval from 60 seconds to15 minutes. Default value = 60 seconds.

  If you have a large number of servers, selecting a longer interval may have the benefit of less impact on your network performance, although Halo updates and commands sent to your servers may take longer.

  

• Deactivate Missing Servers. Halo re-classifies an active server as missing if its agent has unexpectedly not contacted the analytics engine for an interval of 10 or more heartbeats. To keep missing servers that do not re-contact the analytics engine from remaining in a missing state perpetually, Halo will automatically delete them after a time interval that you specify.

  Use the drop-down list to select the threshold for auto-deactivation to any available value from 15 minutes to 24 hours.

  

  An important benefit of automatically deactivating missing servers is that it prevents the buildup of large numbers of missing, unused servers as sources or destinations in firewall policy rules.

• Daemon Self-Verification. The agent can continually monitor itself for evidence of compromise and report any evidence that it has been tampered with. You can enable or disable self-verification, you can choose to have compromised agents shut themselves down automatically, and you can set the interval between self-verification checks to any number of hours from 1 to 23. Default = 1 hour.

  

Advanced Settings

A variety of other Halo settings are available to site administrators. To review or change them, select Site Administration from the Site Administrator menu, then click the Advanced Settings tab.

• Set GhostPorts Session Length:

  Set the length of time that a server administrator will have to log into a server after authenticating to and opening GhostPorts. Select a number of hours from 1 to 24. Default value = 4.

  

  A longer time window may be more convenient for an administrator, but it may be riskier (less secure) than a shorter one.

• List IP Addresses Authorized to Access Halo Portal:

  For added security, you can specify that your Halo users (including yourself) are permitted log into the Halo portal, or request a password reset, only from identified IP addresses.

  Enter a comma-separated list of IP addresses or CIDR blocks into the IP Addresses field.

  

  Note:  The list of authorized addresses must always include (or encompass) the address from which you are accessing the portal in order to create or edit the list.

  To remove all address restrictions for logging into the portal, delete all addresses from the field and click Save.

• Choose Your Email Preferences

  Pick a time of day and a time zone to specify when Halo should send out its daily status emails to the Halo users in your account.

  

  Note that individual users can choose whether or not to receive daily status emails; see Manage Your Account and Subscription.

Audit Events

Besides logging events that may directly indicate serious security issues, Halo also logs a large variety of audit events, which mostly represent normal, everyday actions of Halo portal users. Recording the history of audit events is useful for demonstrating compliance, and also useful in supporting correlation and forensic analysis in the wake of a security breach.

Halo site administrators can use the Audit Events tab on the Site Administration page to specify which events should be logged, which should be flagged as critical, and which should generate alerts.

For each listed event, select "Log Event" if you want Halo to record occurrences of the event, select "Flag Critical" if you want those occurrences to be flagged as critical ( ), and select "Generate an Alert" if an occurrence should cause an email alert to be sent to the appropriate personnel in your organization.

Note:  The list of events displayed on this tab does not include the server-related Halo special events (for example, "Server firewall modified" or "server restarted") or any security events generated by scans (for example, "Configuration rule matched" or "File integrity object signature changed"), because those events are configured elsewhere, in various Halo policies.

Master Account

Your organization, with its own CloudPassage Halo account, may be one of several organizations that are part of a larger entity (such as a parent company) that wishes to have oversight and control over all of its sub-organizations' security operations. Halo supports this with the concept of master accounts.

A master account administrator has access to all of the sub-accounts through the Halo portal, allowing the administrator to review all sub-account settings and configurations, audit all actions and events in the sub-accounts, and even directly manage and run their Halo activities. The administrator can operate within each sub-account as a site administrator of that account.

• If your account needs to be linked to a master account, you will have received a master account invitation code from your master account administrator. Enter that code into the field on the Master Account tab of the Site Administration page, and click Link to complete the connection to the master account.

  

• If your account is currently linked to a master account and you need to sever that relationship, click the Disconnect button on the Master Account tab.

  

If your organization wishes to connect to a master account, please contact CloudPassage Sales or your account representative to have the master account created for you.