Most security issues detected by Halo are logged and are therefore viewable as Halo events. Halo events include all logged security issues, plus all Halo special events and audit events.
You review Halo security events by viewing the "Security Events" Dashboard page on the Halo portal, by performing filtered searches for events on the portal's Security Events History page, or by responding to email alerts that you receive.
You should examine each event in sufficient depth to determine whether it represents a valid security risk. You then can take appropriate action to address the risk if it is valid—or you may take a different action to prevent an invalid event from being generated or sent as an alert.
View a Server Group's Summary of Events
To view the most recently generated events for a server group, click the Events icon on the Halo Dashboard, or navigate to Servers > Security Events. Then select the server group of interest.
This page summarizes the total number of critical and non-critical security events (not including audit events) for each server in the selected server group. You can sort the display by any of the columns in the table.
Like the Dashboard pages for other Halo features, this page also lists the server platform and the agent status, and it allows you to take various actions on a set of selected servers.
You can see at a glance which servers in the group have had significant security events. Click the number of critical or non-critical events for a server (in the Critical or Other column) to get more details (next).
Inspect a Server's Most Recent Events
Clicking the number of a server's events in the Dashboard's Security Events table displays that server's Security Events Details page.
This page displays a server's most recent file integrity scan events, configuration scan events, and Halo special events. (Audit events do not appear on this page.)
The event type, time of creation, and details appear in the line for each event. You can also link to the details of the policy involved.
Based on an event's criticality, type, creation time, and path, you may be able to determine whether it represents a valid risk that merits further investigation.
Filter and View a Server or Group's Event History
- Navigate to the Security Events History page, at Servers > Security Events History.
- Filter the display as necessary:
- Specify one or all server groups, and one or all individual servers within your specified group.
- Specify a date range for the events.
- Choose one or more event types to view:
- To view only file integrity scanning events, choose any of "File Integrity object added", "File Integrity object missing", and "File Integrity object signature changed". These event types occur when a file has been removed from or added to a directory target in a firewall policy, or when a change has occurred to any target's contents, ownership, or permissions.
- To view only configuration scanning events, choose "Configuration rule matched". This event type occurs whenever a check in a configuration policy rule fails, which can occur in many ways—see Configuration Policy Rule Checks for details.
- To view only Halo special events, choose from among the special events that are marked for logging in your currently applied special events policy—for example, "Daemon compromised" or "Server firewall modified".
- To view only audit events, choose from among the many remaining event types. See Act on audit events for a list of them.
- Specify the server operating system(s), and whether you want to see only critical, only non-critical, or all events.
- Click Filter to display the filtered list.
You can sort the resulting list of events by criticality, creation date, event type, server group, and server, to display the events of most interest to you toward the top of the list.
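The filtering and sorting steps above can also be applied to event records you have exported or fetched from the portal. The following Python script is an added example, not part of this page or of CloudPassage's own code: it applies the History page's criteria (server group, server, date range, event types, platform, criticality) to a list of constructed sample records, sorts the result by any column, and builds the per-server critical/other summary that the Dashboard Security Events page shows. The record field names and the sample data are this example's own assumptions, not the Halo API schema; the event type names are the ones quoted on this page.

```python
from datetime import datetime, timezone

# Event types named on this page, grouped the way the History page filter groups them.
FILE_INTEGRITY_EVENTS = {
    "File Integrity object added",
    "File Integrity object missing",
    "File Integrity object signature changed",
}
CONFIGURATION_EVENTS = {"Configuration rule matched"}
SPECIAL_EVENTS = {
    "Daemon compromised",
    "Server firewall modified",
    "Vulnerable software package found",
    "Multiple Root Accounts Detected",
    "Multiple accounts detected with same UID",
}
# The Dashboard summary counts scan-related and special events; audit events are excluded.
SUMMARY_EVENT_TYPES = FILE_INTEGRITY_EVENTS | CONFIGURATION_EVENTS | SPECIAL_EVENTS

# Constructed sample records. Field names are this example's assumption, not the Halo API schema.
SAMPLE_EVENTS = [
    {"created_at": "2014-03-02T10:15:00Z", "type": "File Integrity object signature changed",
     "critical": True, "server_group": "web", "server": "web-01", "platform": "linux",
     "path": "/etc/passwd"},
    {"created_at": "2014-03-02T11:00:00Z", "type": "Configuration rule matched",
     "critical": False, "server_group": "web", "server": "web-02", "platform": "linux",
     "path": "/etc/ssh/sshd_config"},
    {"created_at": "2014-03-03T08:30:00Z", "type": "Server firewall modified",
     "critical": True, "server_group": "db", "server": "db-01", "platform": "windows",
     "path": None},
    {"created_at": "2014-03-03T09:00:00Z", "type": "Halo login failure",
     "critical": False, "server_group": "web", "server": "web-01", "platform": "linux",
     "path": None},
    {"created_at": "2014-02-20T16:45:00Z", "type": "File Integrity object added",
     "critical": False, "server_group": "web", "server": "web-01", "platform": "linux",
     "path": "/var/www/html/upload.php"},
    {"created_at": "2014-03-04T07:10:00Z", "type": "Vulnerable software package found",
     "critical": True, "server_group": "db", "server": "db-01", "platform": "windows",
     "path": None},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def filter_events(events, server_group=None, server=None, start=None, end=None,
                  event_types=None, platforms=None, critical=None):
    """Apply the criteria the History page offers; None for a criterion means 'all'."""
    start_ts = parse_ts(start) if start else None
    end_ts = parse_ts(end) if end else None
    selected = []
    for ev in events:
        ts = parse_ts(ev["created_at"])
        if server_group is not None and ev["server_group"] != server_group:
            continue
        if server is not None and ev["server"] != server:
            continue
        if start_ts is not None and ts < start_ts:
            continue
        if end_ts is not None and ts > end_ts:
            continue
        if event_types is not None and ev["type"] not in event_types:
            continue
        if platforms is not None and ev["platform"] not in platforms:
            continue
        if critical is not None and ev["critical"] != critical:
            continue
        selected.append(ev)
    return selected


def sort_events(events, key="created_at", descending=True):
    """Sort by criticality, created_at, type, server_group or server.

    Descending on "critical" puts critical events first because True sorts after False.
    """
    return sorted(events, key=lambda ev: ev[key], reverse=descending)


def summarize_by_server(events):
    """Per-server critical/other counts, as on the Dashboard page (audit events excluded)."""
    summary = {}
    for ev in events:
        if ev["type"] not in SUMMARY_EVENT_TYPES:
            continue
        counts = summary.setdefault(ev["server"], {"critical": 0, "other": 0})
        counts["critical" if ev["critical"] else "other"] += 1
    return summary


if __name__ == "__main__":
    march = filter_events(SAMPLE_EVENTS, start="2014-03-01T00:00:00Z",
                          end="2014-03-31T23:59:59Z", event_types=FILE_INTEGRITY_EVENTS)
    for ev in sort_events(march, key="critical"):
        print(ev["created_at"], ev["server"], ev["type"], ev["path"])
    print(summarize_by_server(SAMPLE_EVENTS))
```

Note that the "Halo login failure" record is deliberately left out of the per-server summary, which matches the Dashboard behaviour described above: audit events are viewable on the History page but are not counted among a server's critical or non-critical security events.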
You can examine and interpret the events just as you would their equivalent issues. See:
- View an issue from a configuration scan
- View an issue from a file integrity scan
- View an issue from a vulnerability scan
- View a log-based intrusion detection event
Interpret Halo special events according to their individual significance, as noted in your special events policy. See Set Up a Special Events Policy.
You can take action to address any of these events as described in Act On Reported Events (next).
Act On Reported Events
The actions you can take to address an event depend on what sort of event it is.
Act on scan-related events:
- Configuration events. If the event type is "Configuration rule matched", act on the event as you would a configuration issue. See Act on reported configuration issues.
- File integrity events. If the event type is "File Integrity object added", "File Integrity object missing", or "File Integrity object signature changed", act on the event as you would a file integrity issue. See Act on reported file integrity issues.
- Log-based intrusion detection events. If the event type is "File Integrity object added", "File Integrity object missing", or "File Integrity object signature changed", act on the event as you would if it were reported as an issue. See Act on reported log-based intrusion detection events.
- Software vulnerability events. If the event type is "Vulnerable software package found", act on it as described in Act on reported software vulnerabilities. (Note that even though this event type is scan-related, it is classified as a special event.)
- Server account events. If the event type is "Multiple Root Accounts Detected" or "Multiple accounts detected with same UID", verify the event by directly accessing the server in question. If there are indeed multiple root accounts or if any account's UID is not unique, and this violates your organization's security policies, either delete the extra accounts or immediately start an investigation. (This event type also is scan-related, but classified as a special event.)
Act on special events and audit events:
- Firewall events. If the event type is "Server firewall modified", an individual server's firewall has been changed outside of Halo. If you know of or approve of the change, either re-assign the firewall policy to the server group to restore the proper firewall, or modify the group's firewall policy to make it consistent with the server's new state. If the change was not approved or known of by anyone in your organization, start an investigation.
- Daemon security events. If the event type is "Daemon compromised", the Halo agent on a server has failed its self-verification test (see Agent Settings in the Halo Operations Guide). A new agent must be re-installed before the server can be used again. If the cause of the failure is unknown and may be suspicious, start an immediate investigation.
- Audit-type special events. Other special events do not themselves constitute direct evidence of a security problem or risky occurrence, but—like the general category of audit events described next—they may provide supporting evidence to the forensics or incident response team investigating a potential server compromise. They also are useful for generating documentary evidence of compliance with various security policies or standards.
Examples of this type of special event include "Server retired", "Server IP address changed", "Local account created", and "Daemon version changed". To generate a report for compliance purposes, filter for an appropriate set of these types of special event on the Security Event History page, pick a date range and other parameters, and click Filter.
Act on audit events:
Halo defines a large number of security events that, for auditing purposes, are always logged and can be displayed on the Security Events History page of the Halo portal. Over 80 event types are captured, within the following categories:
- API Keys: Created, deleted, modified, secret key viewed
- Authorized IPs: Modified
- Automatic file integrity scans: Disabled, enabled, schedule modified
- Configuration policy: Assigned, created, deleted, exported, imported, modified, unassigned
- File integrity baseline: Created, deleted, expired, failed, re-baseline
- File integrity: Exception created, exception deleted, exception expired, scan requested
- File integrity policy: Assigned, created, deleted, exported, imported, modified, unassigned
- GhostPorts (multi-factor network authentication): Login failure, login success, provisioning, session close
- Halo firewall policy: Assigned, created, deleted, modified, unassigned
- Halo login: failure, success, logout
- Halo password: Changed, recovery request failed, recovery requested, recovery success
- Halo session: Timeout
- Halo user: Authentication modified, deactivated, invited, modified, reactivated, re-invited, authentication settings modified, account locked, account unlocked, activation failed
- Server: Firewall restore requested
- SMS: Phone number verified
The records of these events may provide supporting evidence to the forensics or incident response team investigating a potential server compromise. Audit events are useful also for generating documentary evidence of compliance with various security policies or standards.
To generate a report for compliance purposes, filter for an appropriate set of these types of audit event on the Security Event History page, pick a date range and other parameters, and click Filter.
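The compliance report described above can be reproduced offline from audit event records. The following Python script is an added example, not part of this page or of CloudPassage's own code: it maps each event type to one of the audit categories listed above, counts the events per category and per acting user within a date range, and renders the result as CSV. Its assumptions are labelled: the record field names and sample data are constructed, event type strings are assumed to read "<category> <action>" (the authoritative names are on the Audit Events tab, as the page notes), and scan-related and special event types quoted on this page are excluded explicitly, because a plain prefix match on "Server" would otherwise claim special events such as "Server firewall modified".

```python
from datetime import datetime, timezone

# Audit event categories listed on this page, longest name first so that
# "File integrity policy ..." is not claimed by the shorter "File integrity".
AUDIT_CATEGORIES = sorted([
    "API Keys", "Authorized IPs", "Automatic file integrity scans",
    "Configuration policy", "File integrity baseline", "File integrity",
    "File integrity policy", "GhostPorts", "Halo firewall policy", "Halo login",
    "Halo password", "Halo session", "Halo user", "Server", "SMS",
], key=len, reverse=True)

# Scan-related and special event types quoted on this page. They are not audit events,
# and some ("Server firewall modified", "Server retired") would otherwise match the
# "Server" audit category by prefix.
NON_AUDIT_EVENT_TYPES = {
    "File Integrity object added", "File Integrity object missing",
    "File Integrity object signature changed", "Configuration rule matched",
    "Vulnerable software package found", "Multiple Root Accounts Detected",
    "Multiple accounts detected with same UID", "Server firewall modified",
    "Daemon compromised", "Server retired", "Server IP address changed",
    "Local account created", "Daemon version changed",
}

# Constructed sample records. Field names and type strings are this example's assumptions.
SAMPLE_AUDIT_EVENTS = [
    {"created_at": "2014-03-01T09:00:00Z", "type": "Halo login success", "actor": "alice", "target": None},
    {"created_at": "2014-03-01T09:05:00Z", "type": "Configuration policy modified", "actor": "alice", "target": "cis-linux-baseline"},
    {"created_at": "2014-03-02T14:20:00Z", "type": "Halo login failure", "actor": "bob", "target": None},
    {"created_at": "2014-03-02T14:21:00Z", "type": "Halo login failure", "actor": "bob", "target": None},
    {"created_at": "2014-03-10T11:00:00Z", "type": "File integrity policy assigned", "actor": "alice", "target": "web"},
    {"created_at": "2014-04-01T08:00:00Z", "type": "API Keys created", "actor": "carol", "target": None},
    # Two non-audit events mixed into the feed; neither may be counted in the report.
    {"created_at": "2014-03-05T10:00:00Z", "type": "Configuration rule matched", "actor": None, "target": "web-02"},
    {"created_at": "2014-03-06T10:00:00Z", "type": "Server firewall modified", "actor": None, "target": "db-01"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_category(event_type):
    """Return the audit category of an event type, or None if it is not an audit event."""
    if event_type in NON_AUDIT_EVENT_TYPES:
        return None
    lowered = event_type.lower()
    for category in AUDIT_CATEGORIES:
        if lowered.startswith(category.lower() + " "):
            return category
    return None


def compliance_report(events, start, end):
    """Count audit events per category and per actor within [start, end] inclusive."""
    start_ts, end_ts = parse_ts(start), parse_ts(end)
    by_category, by_actor = {}, {}
    for ev in events:
        ts = parse_ts(ev["created_at"])
        if not (start_ts <= ts <= end_ts):
            continue
        category = audit_category(ev["type"])
        if category is None:
            continue
        by_category[category] = by_category.get(category, 0) + 1
        by_actor[ev["actor"]] = by_actor.get(ev["actor"], 0) + 1
    return {"by_category": by_category, "by_actor": by_actor}


def render_csv(report):
    """Render the report as CSV text with one header line, sorted for stable diffs."""
    lines = ["section,key,count"]
    for section in ("by_category", "by_actor"):
        for key, count in sorted(report[section].items()):
            lines.append(f"{section},{key},{count}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_csv(compliance_report(SAMPLE_AUDIT_EVENTS,
                                       "2014-03-01T00:00:00Z", "2014-03-31T23:59:59Z")))
```

The per-actor breakdown is the part an incident responder tends to reach for first: it shows which Halo user performed policy, key or login activity in the window under investigation, which is the supporting-evidence role for audit records described above.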
A complete list of supported event types is available on the Audit Events tab of the Site Administration page in the Halo portal, and in the documentation for the Events API endpoint in the Halo REST API Developer Guide.