Setting Up Logging and Alerting
In Halo, it is the responsibility of your organization to define
- The specific set of configurations or occurrences that should be considered security issues.
- The subset of issues that should be flagged as critical.
- The subset of issues that should trigger events.
- The set of other events that should be defined.
- The subset of events that should trigger email alerts to appropriate personnel.
Even if you use the default security policies provided with Halo, you still need to make these decisions; some default policies may not flag any issues as critical and may not mark any events to trigger alerts.
Set Up Alert Profiles
When Halo generates an event, if the event is flagged to generate an alert, a notification email is sent to a pre-specified set of Halo users. Every server group can have different lists of users that receive alerts, and within each list different users can be selected to receive all events or critical events only.
These lists are called alert profiles; you can create any number of them in the Halo portal, and you assign one or more to the server group appropriate for the persons on the list(s).
Note: If no alert profile is assigned to a server group, alerts will by default go to all Halo site administrators on your account. You'll need to set up your own alert profiles if you want to control who receives alerts.
You might create different alert profiles for different server groups if, for example, you have different security specialists monitoring each group. Or, create a profile just for managers and auditors, if you want them to receive alerts much less frequently (say, once a week) than security specialists who must be prepared to respond immediately.
To create and assign a new alert profile:
- In the Halo portal, go to Policies > Alert Profiles and click Add New Alert Profile.
- Enter a name and optional description for the profile, and specify a batching frequency for sending alerts—from "Instant" (to send each notification separately, as soon as the event is created) to "Every week" (to batch all events for the week into a single email alert).
- Select one or more of your company's Halo users, or one or more external recipients, to receive the alerts. Also specify whether each user should receive all alerts or just a subset based on event criticality. Then click Save.
- Assign the profile to a server group: On the Halo Dashboard page, click the name of the server group you want to assign the profile to, then click Edit Details below the name. On the Edit Group Details page, select the name of your new alert profile from the Alert Profiles drop-down list. Then click Save.
That's it. Your designated users will receive an email when a security event that fits your settings occurs. And you can repeat this procedure to create other alert profiles for other server groups.
Set Up a Special Events Policy
The Halo special-events alerting system notifies you of unusual occurrences in your cloud installation that may have security implications. For example, if a server unexpectedly restarts, if its IP address changes, or if a firewall configuration is changed outside of Halo, it could be a signal that something malicious has happened and you may want Halo to log the event, and possibly alert you or others in real time. Also, all vulnerabilities detected by software vulnerability scans are recorded as special events.
You set up special events by implementing a special events policy and assigning it to a server group. You can then use the policy and an alert profile to customize alerting for any of the events.
Note: Halo automatically assigns the default Global Events Policy to every server group. However, that policy by default generates no events or alerts, so you'll need to either customize the global policy or create a new one for special events to be effective.
Take these steps to create a special events policy:
- In the portal, go to Policies > Special Events Policies and click Add New Special Events Policy.
- Enter a name and optional description for the policy. Then select, from the available set of security events, the specific events that you want this policy to monitor. If you want the policy to monitor a given event, check Log event. If you consider the event critical, check Flag critical. If you want an email notification to be sent when an event occurs, check Generate an alert.
A few of the events are marked as Linux-only and are not available for Windows servers.
Note: To help you decide which special events you want to monitor, it may be helpful to review the discussion Act on special event and audit events, later in this document.
- Click Save to save the policy. Then assign it to your server group—navigate to the portal Dashboard page, click Edit Details for your server group, and select your policy from the Special Events Policy drop-down list. Then click Save.
Special-event logging is now set up for your server group. Repeat the process for other groups as needed.
Flag Policy Issues for Logging and Alerting
When you create or edit a Halo security policy, you may be able to enable logging, issue/event criticality, and alert triggering for individual rules in the policy. Different Halo modules handle event logging somewhat differently; the differences for each module are described below.
Configuration policy settings:
While creating or editing a configuration policy, you can use the Log checkbox to specify for each rule whether it should be logged.
You can also select the Critical checkbox if you want both the issue and the event to be considered especially high priority. Critical issues or events are visually marked when displayed in a list. By default, critical issues/events are sorted to the top of the list.
If you have elected to log an issue, then also select Alert if you want an alert to be sent as a result of the event's occurrence. The alert is sent to all persons on the alert profile(s) assigned to the same server group that this rule's policy is assigned to; see Set Up Alert Profiles for details.
File integrity policy settings:
If you are creating or editing a file integrity policy, note that there is no Log checkbox for a target; changes to every target are reported as issues and also logged as events.
You can select the Flag Critical checkbox if you want the issue and event to be considered high priority and visually marked in lists. You can also select Send Alert if you want an alert to be sent when the event occurs. See Set Up Alert Profiles for information on specifying alert recipients.
Firewall policy settings:
Halo workload firewalls can generate logged events. Linux and Windows firewalls handle logging differently: On Linux, you can turn logging on or off for each individual firewall rule; for Windows, only a few events are logged and you turn logging on or off for a firewall policy as a whole.
The firewall events that you log do not by default become Halo events; they are not stored in the Halo database and are not visible in the Halo portal. On Linux servers, they are stored in the iptables logs, and on Windows servers they are stored in the Windows Firewall logs. You can view the events with the appropriate system tools for each platform.
Note: You can import selected firewall log events into the Halo event logging and alerting system by explicitly scanning for them with the Halo Log-Based Intrusion Detection system. See Log-based intrusion detection policy settings, below.
Firewall events are not discussed further in this document. For detailed information on setting up Halo firewalls, see Managing Workload Firewalls With CloudPassage Halo.
Log-based intrusion detection policy settings:
You can use the Halo Log-Based Intrusion Detection system to leverage the existing system- and application-logging capabilities of your servers to capture events anywhere in your server fleet that may be indicative of an intrusion or attack. When you create a policy rule to detect a specific event in a specific log file, you can specify whether the occurrence of that event should be logged by Halo, whether the event should be critical, and whether it should generate an alert.
See Using Log-Based Intrusion Detection with CloudPassage Halo for more information.
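The following is an added, simplified model of the decision chain this document describes (per-rule Log / Flag critical / Generate alert flags, then an alert profile whose recipients receive all events or critical events only), run over constructed iptables and sshd log lines of the kind the log-based intrusion detection system can scan. It is illustrative code, not Halo's own implementation; the rule names, addresses and recipient addresses are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample syslog lines (not real Halo or server output).
SAMPLE_LOG = """\
Mar  3 10:01:07 web01 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=22 DROP
Mar  3 10:01:09 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 10:01:12 web01 kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=10.0.0.5 PROTO=TCP DPT=3306 DROP
"""

@dataclass
class Rule:
    """One detection rule with the three per-rule choices: Log, Flag critical, Generate alert."""
    name: str
    pattern: str
    log: bool = True
    critical: bool = False
    alert: bool = False

@dataclass
class AlertProfile:
    """Recipients for a server group; each recipient gets all events or critical events only."""
    all_events: list = field(default_factory=list)
    critical_only: list = field(default_factory=list)

# Hypothetical policy: the sshd rule is deliberately not logged, so it never becomes an event.
RULES = [
    Rule("firewall drop on mysql port", r"kernel:.*DPT=3306 DROP", critical=True, alert=True),
    Rule("firewall drop on ssh port", r"kernel:.*DPT=22 DROP", alert=True),
    Rule("ssh auth failure", r"sshd\[\d+\]: Failed password", log=False),
]
PROFILE = AlertProfile(all_events=["secops@example.com"], critical_only=["oncall@example.com"])

def scan(log_text, rules):
    """Return (rule name, is_critical, generates_alert) for each line matching a rule set to log."""
    events = []
    for line in log_text.splitlines():
        for rule in rules:
            if rule.log and re.search(rule.pattern, line):
                events.append((rule.name, rule.critical, rule.alert))
    return events

def recipients(events, profile):
    """Resolve who is emailed: critical-only recipients are skipped for non-critical events."""
    out = set()
    for _name, critical, alert in events:
        if not alert:
            continue                      # logged but not alerting: event only
        out.update(profile.all_events)
        if critical:
            out.update(profile.critical_only)
    return out
```

Running `recipients(scan(SAMPLE_LOG, RULES), PROFILE)` shows that the critical-only recipient is notified solely because the MySQL-port drop rule is flagged critical; the SSH-port drop alone reaches only the all-events recipient.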